From: Greg Kroah-Hartman Date: Fri, 9 Jun 2017 10:27:14 +0000 (+0200) Subject: 4.11-stable patches X-Git-Tag: v3.18.57~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f318ab7e0d8072743181e86a6a235889a8e85ecc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.11-stable patches added patches: ftrace-fix-memory-leak-in-ftrace_graph_release.patch ptrace-properly-initialize-ptracer_cred-on-fork.patch serial-core-fix-crash-in-uart_suspend_port.patch serial-exar-fix-stuck-msis.patch serial-ifx6x60-fix-use-after-free-on-module-unload.patch
---
diff --git a/queue-4.11/ftrace-fix-memory-leak-in-ftrace_graph_release.patch b/queue-4.11/ftrace-fix-memory-leak-in-ftrace_graph_release.patch
new file mode 100644
index 00000000000..8d98df8de62
--- /dev/null
+++ b/queue-4.11/ftrace-fix-memory-leak-in-ftrace_graph_release.patch
@@ -0,0 +1,55 @@
+From f9797c2f20c0160edd718aa467101f3301e57e59 Mon Sep 17 00:00:00 2001
+From: Luis Henriques
+Date: Thu, 25 May 2017 16:20:38 +0100
+Subject: ftrace: Fix memory leak in ftrace_graph_release()
+
+From: Luis Henriques
+
+commit f9797c2f20c0160edd718aa467101f3301e57e59 upstream.
+
+ftrace_hash is being kfree'ed in ftrace_graph_release(), however the
+->buckets field is not. This results in a memory leak that is easily
+captured by kmemleak:
+
+unreferenced object 0xffff880038afe000 (size 8192):
+ comm "trace-cmd", pid 238, jiffies 4294916898 (age 9.736s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kmemleak_alloc+0x4e/0xb0
+ [] __kmalloc+0x12d/0x1a0
+ [] alloc_ftrace_hash+0x51/0x80
+ [] __ftrace_graph_open.isra.39.constprop.46+0xa3/0x100
+ [] ftrace_graph_open+0x68/0xa0
+ [] do_dentry_open.isra.1+0x1bd/0x2d0
+ [] vfs_open+0x47/0x60
+ [] path_openat+0x2a5/0x1020
+ [] do_filp_open+0x8a/0xf0
+ [] do_sys_open+0x12f/0x200
+ [] SyS_open+0x1e/0x20
+ [] entry_SYSCALL_64_fastpath+0x13/0x94
+ [] 0xffffffffffffffff
+
+Link: http://lkml.kernel.org/r/20170525152038.7661-1-lhenriques@suse.com
+
+Fixes: b9b0c831bed2 ("ftrace: Convert graph filter to use hash tables")
+Signed-off-by: Luis Henriques
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4859,7 +4859,7 @@ ftrace_graph_release(struct inode *inode
+ }
+ 
+ out:
+- kfree(fgd->new_hash);
++ free_ftrace_hash(fgd->new_hash);
+ kfree(fgd);
+ 
+ return ret;
diff --git a/queue-4.11/ptrace-properly-initialize-ptracer_cred-on-fork.patch b/queue-4.11/ptrace-properly-initialize-ptracer_cred-on-fork.patch
new file mode 100644
index 00000000000..344fd283fd5
--- /dev/null
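Review bot: The release path at `out:` now pairs free_ftrace_hash() with the alloc_ftrace_hash() visible in the kmemleak backtrace, which is the right fix, but nothing in the code says why kfree() was wrong; a one-line comment, `/* new_hash came from alloc_ftrace_hash(): free its buckets too, not just the struct */`, would stop a later reader from simplifying it back. The `out:` label is also reached from error paths whose allocation state lies outside the hunk (ftrace_graph_release() starts before it), so it is worth confirming that `fgd->new_hash` may be NULL there; to my knowledge free_ftrace_hash() tolerates NULL, and this fix relies on that.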
+++ b/queue-4.11/ptrace-properly-initialize-ptracer_cred-on-fork.patch 
@@ -0,0 +1,117 @@
+From c70d9d809fdeecedb96972457ee45c49a232d97f Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Mon, 22 May 2017 15:40:12 -0500
+Subject: ptrace: Properly initialize ptracer_cred on fork
+
+From: Eric W. Biederman
+
+commit c70d9d809fdeecedb96972457ee45c49a232d97f upstream.
+
+When I introduced ptracer_cred I failed to consider the weirdness of
+fork where the task_struct copies the old value by default. This
+winds up leaving ptracer_cred set even when a process forks and
+the child process does not wind up being ptraced.
+
+Because ptracer_cred is not set on non-ptraced processes whose
+parents were ptraced this has broken the ability of the enlightenment
+window manager to start setuid children.
+
+Fix this by properly initializing ptracer_cred in ptrace_init_task
+
+This must be done with a little bit of care to preserve the current value
+of ptracer_cred when ptrace carries through fork. Re-reading the
+ptracer_cred from the ptracing process at this point is inconsistent
+with how PT_PTRACE_CAP has been maintained all of these years.
+
+Tested-by: Takashi Iwai
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: "Eric W. Biederman"
+Cc: Ralph Sennhauser
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/ptrace.h | 7 +++++--
+ kernel/ptrace.c | 20 +++++++++++++-------
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -54,7 +54,8 @@ extern int ptrace_request(struct task_st
+ unsigned long addr, unsigned long data);
+ extern void ptrace_notify(int exit_code);
+ extern void __ptrace_link(struct task_struct *child,
+- struct task_struct *new_parent);
++ struct task_struct *new_parent,
++ const struct cred *ptracer_cred);
+ extern void __ptrace_unlink(struct task_struct *child);
+ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead);
+ #define PTRACE_MODE_READ 0x01
+@@ -206,7 +207,7 @@ static inline void ptrace_init_task(stru
+ 
+ if (unlikely(ptrace) && current->ptrace) {
+ child->ptrace = current->ptrace;
+- __ptrace_link(child, current->parent);
++ __ptrace_link(child, current->parent, current->ptracer_cred);
+ 
+ if (child->ptrace & PT_SEIZED)
+ task_set_jobctl_pending(child, JOBCTL_TRAP_STOP);
+@@ -215,6 +216,8 @@ static inline void ptrace_init_task(stru
+ 
+ set_tsk_thread_flag(child, TIF_SIGPENDING);
+ }
++ else
++ child->ptracer_cred = NULL;
+ }
+ 
+ /**
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -60,19 +60,25 @@ int ptrace_access_vm(struct task_struct
+ }
+ 
+ 
++void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
++ const struct cred *ptracer_cred)
++{
++ BUG_ON(!list_empty(&child->ptrace_entry));
++ list_add(&child->ptrace_entry, &new_parent->ptraced);
++ child->parent = new_parent;
++ child->ptracer_cred = get_cred(ptracer_cred);
++}
++
+ /*
+ * ptrace a task: make the debugger its new parent and
+ * move it to the ptrace list.
+ *
+ * Must be called with the tasklist lock write-held.
+ */
+-void __ptrace_link(struct task_struct *child, struct task_struct *new_parent)
++static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- BUG_ON(!list_empty(&child->ptrace_entry));
+- list_add(&child->ptrace_entry, &new_parent->ptraced);
+- child->parent = new_parent;
+ rcu_read_lock();
+- child->ptracer_cred = get_cred(__task_cred(new_parent));
++ __ptrace_link(child, new_parent, __task_cred(new_parent));
+ rcu_read_unlock();
+ }
+ 
+@@ -386,7 +392,7 @@ static int ptrace_attach(struct task_str
+ flags |= PT_SEIZED;
+ task->ptrace = flags;
+ 
+- __ptrace_link(task, current);
++ ptrace_link(task, current);
+ 
+ /* SEIZE doesn't trap tracee on attach */
+ if (!seize)
+@@ -459,7 +465,7 @@ static int ptrace_traceme(void)
+ */
+ if (!ret && !(current->real_parent->flags & PF_EXITING)) {
+ current->ptrace = PT_PTRACED;
+- __ptrace_link(current, current->real_parent);
++ ptrace_link(current, current->real_parent);
+ }
+ }
+ write_unlock_irq(&tasklist_lock);
diff --git a/queue-4.11/serial-core-fix-crash-in-uart_suspend_port.patch b/queue-4.11/serial-core-fix-crash-in-uart_suspend_port.patch
new file mode 100644
index 00000000000..3655148c91c
--- /dev/null
+++ b/queue-4.11/serial-core-fix-crash-in-uart_suspend_port.patch
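Review bot: The new `else` in ptrace_init_task (inner hunk `@@ -215,6 +216,8 @@`) is unbraced while the `if` it pairs with is a braced multi-statement block; kernel style asks for braces on both branches in that case, i.e. `} else {` / `child->ptracer_cred = NULL;` / `}`. The new __ptrace_link() in kernel/ptrace.c also carries no comment, since the "ptrace a task" block now sits on the renamed ptrace_link(); a short header saying that it takes its own reference on `ptracer_cred` via get_cred() and, like ptrace_link(), must be called with tasklist_lock write-held would keep the two entry points' contracts explicit. A one-line comment above the `else`, e.g. `/* fork copied the parent's pointer; a non-ptraced child must not keep it */`, would record why the reset is needed, since the pointer is presumably copied without a reference being taken (the commit message says the task_struct copy carries it over). ptrace_init_task() starts and ends outside the hunk.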
@@ -0,0 +1,35 @@
+From 88e2582e90bb89fe895ff0dceeb5d5ab65d07997 Mon Sep 17 00:00:00 2001
+From: Lucas Stach
+Date: Thu, 11 May 2017 12:56:14 +0200
+Subject: serial: core: fix crash in uart_suspend_port
+
+From: Lucas Stach
+
+commit 88e2582e90bb89fe895ff0dceeb5d5ab65d07997 upstream.
+
+With serdev we might end up with serial ports that have no cdev exported
+to userspace, as they are used as the bus interface to other devices. In
+that case serial_match_port() won't be able to find a matching tty_dev.
+
+Skip the irq wakeup enabling in that case, as serdev will make sure to
+keep the port active, as long as there are devices depending on it.
+
+Fixes: 8ee3fde04758 (tty_port: register tty ports with serdev bus)
+Signed-off-by: Lucas Stach
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/serial_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -2083,7 +2083,7 @@ int uart_suspend_port(struct uart_driver
+ mutex_lock(&port->mutex);
+ 
+ tty_dev = device_find_child(uport->dev, &match, serial_match_port);
+- if (device_may_wakeup(tty_dev)) {
++ if (tty_dev && device_may_wakeup(tty_dev)) {
+ if (!enable_irq_wake(uport->irq))
+ uport->irq_wake = 1;
+ put_device(tty_dev);
diff --git a/queue-4.11/serial-exar-fix-stuck-msis.patch b/queue-4.11/serial-exar-fix-stuck-msis.patch
new file mode 100644
index 00000000000..e87dec21923
--- /dev/null
+++ b/queue-4.11/serial-exar-fix-stuck-msis.patch
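Review bot: The added `tty_dev &&` guard has no comment saying when device_find_child() returns NULL here, so the next reader has to dig out the commit message; the reason belongs in the code, e.g. `/* serdev-only ports export no tty device; serdev keeps them active */` above the `if`. The rest of uart_suspend_port() is outside the hunk, including the put_device() on the non-wakeup path that now also sees a NULL `tty_dev`; put_device() is NULL-tolerant as far as I know, but that path should be confirmed so the guard is complete.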
@@ -0,0 +1,84 @@
+From 2c0ac5b48a3586f612b85755b041ed7733dc8e6b Mon Sep 17 00:00:00 2001
+From: Jan Kiszka
+Date: Mon, 24 Apr 2017 12:30:15 +0200
+Subject: serial: exar: Fix stuck MSIs
+
+From: Jan Kiszka
+
+commit 2c0ac5b48a3586f612b85755b041ed7733dc8e6b upstream.
+
+After migrating 8250_exar to MSI in 172c33cb61da, we can get stuck
+without further interrupts because of the special wake-up event these
+chips send. They are only cleared by reading INT0. As we fail to do so
+during startup and shutdown, we can leave the interrupt line asserted,
+which is fatal with edge-triggered MSIs.
+
+Add the required reading of INT0 to startup and shutdown. Also account
+for the fact that a pending wake-up interrupt means we have to return 1
+from exar_handle_irq. Drop the unneeded reading of INT1..3 along with
+this - those never reset anything.
+
+An alternative approach would have been disabling the wake-up interrupt.
+Unfortunately, this feature (REGB[17] = 1) is not available on the
+XR17D15X.
+
+Fixes: 172c33cb61da ("serial: exar: Enable MSI support")
+Signed-off-by: Jan Kiszka
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_port.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -47,6 +47,7 @@
+ /*
+ * These are definitions for the Exar XR17V35X and XR17(C|D)15X
+ */
++#define UART_EXAR_INT0 0x80
+ #define UART_EXAR_SLEEP 0x8b /* Sleep mode */
+ #define UART_EXAR_DVID 0x8d /* Device identification */
+ 
+@@ -1869,17 +1870,13 @@ static int serial8250_default_handle_irq
+ static int exar_handle_irq(struct uart_port *port)
+ {
+ unsigned int iir = serial_port_in(port, UART_IIR);
+- int ret;
++ int ret = 0;
+ 
+- ret = serial8250_handle_irq(port, iir);
++ if (((port->type == PORT_XR17V35X) || (port->type == PORT_XR17D15X)) &&
++ serial_port_in(port, UART_EXAR_INT0) != 0)
++ ret = 1;
+ 
+- if ((port->type == PORT_XR17V35X) ||
+- (port->type == PORT_XR17D15X)) {
+- serial_port_in(port, 0x80);
+- serial_port_in(port, 0x81);
+- serial_port_in(port, 0x82);
+- serial_port_in(port, 0x83);
+- }
++ ret |= serial8250_handle_irq(port, iir);
+ 
+ return ret;
+ }
+@@ -2177,6 +2174,8 @@ int serial8250_do_startup(struct uart_po
+ serial_port_in(port, UART_RX);
+ serial_port_in(port, UART_IIR);
+ serial_port_in(port, UART_MSR);
++ if ((port->type == PORT_XR17V35X) || (port->type == PORT_XR17D15X))
++ serial_port_in(port, UART_EXAR_INT0);
+ 
+ /*
+ * At this point, there's no way the LSR could still be 0xff;
+@@ -2335,6 +2334,8 @@ dont_test_tx_en:
+ serial_port_in(port, UART_RX);
+ serial_port_in(port, UART_IIR);
+ serial_port_in(port, UART_MSR);
++ if ((port->type == PORT_XR17V35X) || (port->type == PORT_XR17D15X))
++ serial_port_in(port, UART_EXAR_INT0);
+ up->lsr_saved_flags = 0;
+ up->msr_saved_flags = 0;
+ 
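Review bot: The Exar type test `(port->type == PORT_XR17V35X) || (port->type == PORT_XR17D15X)` is now spelled out three times (exar_handle_irq, serial8250_do_startup, and the shutdown path after `dont_test_tx_en:`), so the three sites can drift apart if another Exar variant is added; a small `static inline bool` predicate on `port->type` (a constructed name such as `port_is_exar_wakeup_capable(port)`) would keep them in step. The new `#define UART_EXAR_INT0 0x80` is the only line in that block without a trailing comment; `/* Interrupt status 0; reading it clears the wake-up interrupt */` matches its neighbours and records why startup and shutdown read the register. In exar_handle_irq the INT0 read now precedes serial8250_handle_irq(), so a pending wake-up alone yields `ret = 1` as the commit intends; the startup and shutdown functions begin and end outside their hunks.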
diff --git a/queue-4.11/serial-ifx6x60-fix-use-after-free-on-module-unload.patch b/queue-4.11/serial-ifx6x60-fix-use-after-free-on-module-unload.patch
new file mode 100644
index 00000000000..5b11789a08c
--- /dev/null
+++ b/queue-4.11/serial-ifx6x60-fix-use-after-free-on-module-unload.patch
@@ -0,0 +1,35 @@
+From 1e948479b3d63e3ac0ecca13cbf4921c7d17c168 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 26 Apr 2017 12:24:21 +0200
+Subject: serial: ifx6x60: fix use-after-free on module unload
+
+From: Johan Hovold
+
+commit 1e948479b3d63e3ac0ecca13cbf4921c7d17c168 upstream.
+
+Make sure to deregister the SPI driver before releasing the tty driver
+to avoid use-after-free in the SPI remove callback where the tty
+devices are deregistered.
+
+Fixes: 72d4724ea54c ("serial: ifx6x60: Add modem power off function in the platform reboot process")
+Cc: Jun Chen
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/ifx6x60.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/ifx6x60.c
++++ b/drivers/tty/serial/ifx6x60.c
+@@ -1382,9 +1382,9 @@ static struct spi_driver ifx_spi_driver
+ static void __exit ifx_spi_exit(void)
+ {
+ /* unregister */
++ spi_unregister_driver(&ifx_spi_driver);
+ tty_unregister_driver(tty_drv);
+ put_tty_driver(tty_drv);
+- spi_unregister_driver(&ifx_spi_driver);
+ unregister_reboot_notifier(&ifx_modem_reboot_notifier_block);
+ }
+ 
diff --git a/queue-4.11/series b/queue-4.11/series
index 836d71eb8e8..2303787c4a9 100644
--- a/queue-4.11/series
+++ b/queue-4.11/series
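Review bot: unregister_reboot_notifier() still runs last in ifx_spi_exit(), after tty_unregister_driver() and put_tty_driver() have released `tty_drv`; if the reboot notifier callback reaches the tty or SPI state, a reboot racing with module unload keeps the same use-after-free window on that path. The usual rule is to tear down in the exact reverse of the registration order in ifx_spi_init(), which is outside the hunk and should be checked against this sequence. The bare `/* unregister */` comment no longer explains the ordering; `/* SPI remove deregisters the ttys, so it must run before the tty driver is released */` on the moved call would record why it now comes first.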
@@ -28,3 +28,8 @@ sparc64-add-per-cpu-mm-of-secondary-contexts.patch
 sparc64-new-context-wrap.patch
 sparc64-delete-old-wrap-code.patch
 arch-sparc-support-nr_cpus-4096.patch
+ftrace-fix-memory-leak-in-ftrace_graph_release.patch
+serial-exar-fix-stuck-msis.patch
+serial-ifx6x60-fix-use-after-free-on-module-unload.patch
+serial-core-fix-crash-in-uart_suspend_port.patch
+ptrace-properly-initialize-ptracer_cred-on-fork.patch