From: Greg Kroah-Hartman Date: Thu, 7 Mar 2019 12:49:48 +0000 (+0100) Subject: 4.20-stable patches X-Git-Tag: v5.0.1~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5ea2224ed32ca5229a241f7ca7ff302ecb40083;p=thirdparty%2Fkernel%2Fstable-queue.git 4.20-stable patches added patches: binder-create-node-flag-to-request-sender-s-security-context.patch usb-serial-cp210x-add-id-for-ingenico-3070.patch usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch usb-serial-option-add-telit-me910-ecm-composition.patch --- diff --git a/queue-4.20/binder-create-node-flag-to-request-sender-s-security-context.patch b/queue-4.20/binder-create-node-flag-to-request-sender-s-security-context.patch new file mode 100644 index 00000000000..e8c9d9cb813 --- /dev/null +++ b/queue-4.20/binder-create-node-flag-to-request-sender-s-security-context.patch @@ -0,0 +1,332 @@ +From ec74136ded792deed80780a2f8baf3521eeb72f9 Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Mon, 14 Jan 2019 09:10:21 -0800 +Subject: binder: create node flag to request sender's security context + +From: Todd Kjos + +commit ec74136ded792deed80780a2f8baf3521eeb72f9 upstream. + +To allow servers to verify client identity, allow a node +flag to be set that causes the sender's security context +to be delivered with the transaction. The BR_TRANSACTION +command is extended in BR_TRANSACTION_SEC_CTX to +contain a pointer to the security context string. + +Signed-off-by: Todd Kjos +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 106 ++++++++++++++++++++++++++++-------- + include/uapi/linux/android/binder.h | 19 ++++++ + 2 files changed, 102 insertions(+), 23 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -356,6 +356,8 @@ struct binder_error { + * (invariant after initialized) + * @min_priority: minimum scheduling priority + * (invariant after initialized) ++ * @txn_security_ctx: require sender's security context ++ * (invariant after initialized) + * @async_todo: list of async work items + * (protected by @proc->inner_lock) + * +@@ -392,6 +394,7 @@ struct binder_node { + * invariant after initialization + */ + u8 accept_fds:1; ++ u8 txn_security_ctx:1; + u8 min_priority; + }; + bool has_async_transaction; +@@ -642,6 +645,7 @@ struct binder_transaction { + long saved_priority; + kuid_t sender_euid; + struct list_head fd_fixups; ++ binder_uintptr_t security_ctx; + /** + * @lock: protects @from, @to_proc, and @to_thread + * +@@ -1165,6 +1169,7 @@ static struct binder_node *binder_init_n + node->work.type = BINDER_WORK_NODE; + node->min_priority = flags & FLAT_BINDER_FLAG_PRIORITY_MASK; + node->accept_fds = !!(flags & FLAT_BINDER_FLAG_ACCEPTS_FDS); ++ node->txn_security_ctx = !!(flags & FLAT_BINDER_FLAG_TXN_SECURITY_CTX); + spin_lock_init(&node->lock); + INIT_LIST_HEAD(&node->work.entry); + INIT_LIST_HEAD(&node->async_todo); +@@ -2777,6 +2782,8 @@ static void binder_transaction(struct bi + binder_size_t last_fixup_min_off = 0; + struct binder_context *context = proc->context; + int t_debug_id = atomic_inc_return(&binder_last_id); ++ char *secctx = NULL; ++ u32 secctx_sz = 0; + + e = binder_transaction_log_add(&binder_transaction_log); + e->debug_id = t_debug_id; +@@ -3017,6 +3024,20 @@ static void binder_transaction(struct bi + t->flags = tr->flags; + t->priority = task_nice(current); + ++ if (target_node && target_node->txn_security_ctx) { ++ u32 secid; ++ ++ security_task_getsecid(proc->tsk, &secid); ++ ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); ++ if (ret) { ++ return_error = BR_FAILED_REPLY; ++ return_error_param = ret; ++ return_error_line = __LINE__; ++ goto err_get_secctx_failed; ++ } ++ extra_buffers_size += ALIGN(secctx_sz, sizeof(u64)); ++ } ++ + trace_binder_transaction(reply, t, target_node); + + t->buffer = binder_alloc_new_buf(&target_proc->alloc, tr->data_size, +@@ -3033,6 +3054,19 @@ static void binder_transaction(struct bi + t->buffer = NULL; + goto err_binder_alloc_buf_failed; + } ++ if (secctx) { ++ size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ++ ALIGN(tr->offsets_size, sizeof(void *)) + ++ ALIGN(extra_buffers_size, sizeof(void *)) - ++ ALIGN(secctx_sz, sizeof(u64)); ++ char *kptr = t->buffer->data + buf_offset; ++ ++ t->security_ctx = (uintptr_t)kptr + ++ binder_alloc_get_user_buffer_offset(&target_proc->alloc); ++ memcpy(kptr, secctx, secctx_sz); ++ security_release_secctx(secctx, secctx_sz); ++ secctx = NULL; ++ } + t->buffer->debug_id = t->debug_id; + t->buffer->transaction = t; + t->buffer->target_node = target_node; +@@ -3302,6 +3336,9 @@ err_copy_data_failed: + t->buffer->transaction = NULL; + binder_alloc_free_buf(&target_proc->alloc, t->buffer); + err_binder_alloc_buf_failed: ++ if (secctx) ++ security_release_secctx(secctx, secctx_sz); ++err_get_secctx_failed: + kfree(tcomplete); + binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); + err_alloc_tcomplete_failed: +@@ -4033,11 +4070,13 @@ retry: + + while (1) { + uint32_t cmd; +- struct binder_transaction_data tr; ++ struct binder_transaction_data_secctx tr; ++ struct binder_transaction_data *trd = &tr.transaction_data; + struct binder_work *w = NULL; + struct list_head *list = NULL; + struct binder_transaction *t = NULL; + struct binder_thread *t_from; ++ size_t trsize = sizeof(*trd); + + binder_inner_proc_lock(proc); + if (!binder_worklist_empty_ilocked(&thread->todo)) +@@ -4232,8 +4271,8 @@ retry: + if (t->buffer->target_node) { + struct binder_node *target_node = t->buffer->target_node; + +- tr.target.ptr = target_node->ptr; +- tr.cookie = target_node->cookie; ++ trd->target.ptr = target_node->ptr; ++ trd->cookie = target_node->cookie; + t->saved_priority = task_nice(current); + if (t->priority < target_node->min_priority && + !(t->flags & TF_ONE_WAY)) +@@ -4243,22 +4282,23 @@ retry: + binder_set_nice(target_node->min_priority); + cmd = BR_TRANSACTION; + } else { +- tr.target.ptr = 0; +- tr.cookie = 0; ++ trd->target.ptr = 0; ++ trd->cookie = 0; + cmd = BR_REPLY; + } +- tr.code = t->code; +- tr.flags = t->flags; +- tr.sender_euid = from_kuid(current_user_ns(), t->sender_euid); ++ trd->code = t->code; ++ trd->flags = t->flags; ++ trd->sender_euid = from_kuid(current_user_ns(), t->sender_euid); + + t_from = binder_get_txn_from(t); + if (t_from) { + struct task_struct *sender = t_from->proc->tsk; + +- tr.sender_pid = task_tgid_nr_ns(sender, +- task_active_pid_ns(current)); ++ trd->sender_pid = ++ task_tgid_nr_ns(sender, ++ task_active_pid_ns(current)); + } else { +- tr.sender_pid = 0; ++ trd->sender_pid = 0; + } + + ret = binder_apply_fd_fixups(t); +@@ -4289,15 +4329,20 @@ retry: + } + continue; + } +- tr.data_size = t->buffer->data_size; +- tr.offsets_size = t->buffer->offsets_size; +- tr.data.ptr.buffer = (binder_uintptr_t) ++ trd->data_size = t->buffer->data_size; ++ trd->offsets_size = t->buffer->offsets_size; ++ trd->data.ptr.buffer = (binder_uintptr_t) + ((uintptr_t)t->buffer->data + + binder_alloc_get_user_buffer_offset(&proc->alloc)); +- tr.data.ptr.offsets = tr.data.ptr.buffer + ++ trd->data.ptr.offsets = trd->data.ptr.buffer + + ALIGN(t->buffer->data_size, + sizeof(void *)); + ++ tr.secctx = t->security_ctx; ++ if (t->security_ctx) { ++ cmd = BR_TRANSACTION_SEC_CTX; ++ trsize = sizeof(tr); ++ } + if (put_user(cmd, (uint32_t __user *)ptr)) { + if (t_from) + binder_thread_dec_tmpref(t_from); +@@ -4308,7 +4353,7 @@ retry: + return -EFAULT; + } + ptr += sizeof(uint32_t); +- if (copy_to_user(ptr, &tr, sizeof(tr))) { ++ if (copy_to_user(ptr, &tr, trsize)) { + if (t_from) + binder_thread_dec_tmpref(t_from); + +@@ -4317,7 +4362,7 @@ retry: + + return -EFAULT; + } +- ptr += sizeof(tr); ++ ptr += trsize; + + trace_binder_transaction_received(t); + binder_stat_br(proc, thread, cmd); +@@ -4325,16 +4370,18 @@ retry: + "%d:%d %s %d %d:%d, cmd %d size %zd-%zd ptr %016llx-%016llx\n", + proc->pid, thread->pid, + (cmd == BR_TRANSACTION) ? "BR_TRANSACTION" : +- "BR_REPLY", ++ (cmd == BR_TRANSACTION_SEC_CTX) ? ++ "BR_TRANSACTION_SEC_CTX" : "BR_REPLY", + t->debug_id, t_from ? t_from->proc->pid : 0, + t_from ? t_from->pid : 0, cmd, + t->buffer->data_size, t->buffer->offsets_size, +- (u64)tr.data.ptr.buffer, (u64)tr.data.ptr.offsets); ++ (u64)trd->data.ptr.buffer, ++ (u64)trd->data.ptr.offsets); + + if (t_from) + binder_thread_dec_tmpref(t_from); + t->buffer->allow_user_free = 1; +- if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { ++ if (cmd != BR_REPLY && !(t->flags & TF_ONE_WAY)) { + binder_inner_proc_lock(thread->proc); + t->to_parent = thread->transaction_stack; + t->to_thread = thread; +@@ -4676,7 +4723,8 @@ out: + return ret; + } + +-static int binder_ioctl_set_ctx_mgr(struct file *filp) ++static int binder_ioctl_set_ctx_mgr(struct file *filp, ++ struct flat_binder_object *fbo) + { + int ret = 0; + struct binder_proc *proc = filp->private_data; +@@ -4705,7 +4753,7 @@ static int binder_ioctl_set_ctx_mgr(stru + } else { + context->binder_context_mgr_uid = curr_euid; + } +- new_node = binder_new_node(proc, NULL); ++ new_node = binder_new_node(proc, fbo); + if (!new_node) { + ret = -ENOMEM; + goto out; +@@ -4828,8 +4876,20 @@ static long binder_ioctl(struct file *fi + binder_inner_proc_unlock(proc); + break; + } ++ case BINDER_SET_CONTEXT_MGR_EXT: { ++ struct flat_binder_object fbo; ++ ++ if (copy_from_user(&fbo, ubuf, sizeof(fbo))) { ++ ret = -EINVAL; ++ goto err; ++ } ++ ret = binder_ioctl_set_ctx_mgr(filp, &fbo); ++ if (ret) ++ goto err; ++ break; ++ } + case BINDER_SET_CONTEXT_MGR: +- ret = binder_ioctl_set_ctx_mgr(filp); ++ ret = binder_ioctl_set_ctx_mgr(filp, NULL); + if (ret) + goto err; + break; +--- a/include/uapi/linux/android/binder.h ++++ b/include/uapi/linux/android/binder.h +@@ -41,6 +41,14 @@ enum { + enum { + FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff, + FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, ++ ++ /** ++ * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts ++ * ++ * Only when set, causes senders to include their security ++ * context ++ */ ++ FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000, + }; + + #ifdef BINDER_IPC_32BIT +@@ -218,6 +226,7 @@ struct binder_node_info_for_ref { + #define BINDER_VERSION _IOWR('b', 9, struct binder_version) + #define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info) + #define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref) ++#define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object) + + /* + * NOTE: Two special error codes you should check for when calling +@@ -276,6 +285,11 @@ struct binder_transaction_data { + } data; + }; + ++struct binder_transaction_data_secctx { ++ struct binder_transaction_data transaction_data; ++ binder_uintptr_t secctx; ++}; ++ + struct binder_transaction_data_sg { + struct binder_transaction_data transaction_data; + binder_size_t buffers_size; +@@ -311,6 +325,11 @@ enum binder_driver_return_protocol { + BR_OK = _IO('r', 1), + /* No parameters! */ + ++ BR_TRANSACTION_SEC_CTX = _IOR('r', 2, ++ struct binder_transaction_data_secctx), ++ /* ++ * binder_transaction_data_secctx: the received command. ++ */ + BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data), + BR_REPLY = _IOR('r', 3, struct binder_transaction_data), + /* diff --git a/queue-4.20/series b/queue-4.20/series index 7ab46c5b0b0..779a9076bba 100644 --- a/queue-4.20/series +++ b/queue-4.20/series @@ -1,2 +1,6 @@ cpufreq-use-struct-kobj_attribute-instead-of-struct-global_attr.patch staging-erofs-fix-mis-acted-tail-merging-behavior.patch +binder-create-node-flag-to-request-sender-s-security-context.patch +usb-serial-option-add-telit-me910-ecm-composition.patch +usb-serial-cp210x-add-id-for-ingenico-3070.patch +usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch diff --git a/queue-4.20/usb-serial-cp210x-add-id-for-ingenico-3070.patch b/queue-4.20/usb-serial-cp210x-add-id-for-ingenico-3070.patch new file mode 100644 index 00000000000..024d7252081 --- /dev/null +++ b/queue-4.20/usb-serial-cp210x-add-id-for-ingenico-3070.patch @@ -0,0 +1,39 @@ +From dd9d3d86b08d6a106830364879c42c78db85389c Mon Sep 17 00:00:00 2001 +From: Ivan Mironov +Date: Wed, 6 Feb 2019 21:14:13 +0500 +Subject: USB: serial: cp210x: add ID for Ingenico 3070 + +From: Ivan Mironov + +commit dd9d3d86b08d6a106830364879c42c78db85389c upstream. + +Here is how this device appears in kernel log: + + usb 3-1: new full-speed USB device number 18 using xhci_hcd + usb 3-1: New USB device found, idVendor=0b00, idProduct=3070 + usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 + usb 3-1: Product: Ingenico 3070 + usb 3-1: Manufacturer: Silicon Labs + usb 3-1: SerialNumber: 0001 + +Apparently this is a POS terminal with embedded USB-to-Serial converter. + +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Mironov +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -61,6 +61,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ + { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ + { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ ++ { USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */ + { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ + { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ + { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ diff --git a/queue-4.20/usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch b/queue-4.20/usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch new file mode 100644 index 00000000000..365bae1ea3b --- /dev/null +++ b/queue-4.20/usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch @@ -0,0 +1,47 @@ +From 8d7fa3d4ea3f0ca69554215e87411494e6346fdc Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Thu, 14 Feb 2019 19:45:33 +0000 +Subject: USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 + +From: Mans Rullgard + +commit 8d7fa3d4ea3f0ca69554215e87411494e6346fdc upstream. + +This adds the USB ID of the Hjelmslund Electronics USB485 Iso stick. + +Signed-off-by: Mans Rullgard +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1025,6 +1025,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) }, + { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) }, ++ /* EZPrototypes devices */ ++ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1309,6 +1309,12 @@ + #define IONICS_PLUGCOMPUTER_PID 0x0102 + + /* ++ * EZPrototypes (PID reseller) ++ */ ++#define EZPROTOTYPES_VID 0x1c40 ++#define HJELMSLUND_USB485_ISO_PID 0x0477 ++ ++/* + * Dresden Elektronik Sensor Terminal Board + */ + #define DE_VID 0x1cf1 /* Vendor ID */ diff --git a/queue-4.20/usb-serial-option-add-telit-me910-ecm-composition.patch b/queue-4.20/usb-serial-option-add-telit-me910-ecm-composition.patch new file mode 100644 index 00000000000..0d05b946e34 --- /dev/null +++ b/queue-4.20/usb-serial-option-add-telit-me910-ecm-composition.patch @@ -0,0 +1,31 @@ +From 6431866b6707d27151be381252d6eef13025cfce Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Wed, 20 Feb 2019 11:43:17 +0100 +Subject: USB: serial: option: add Telit ME910 ECM composition + +From: Daniele Palmas + +commit 6431866b6707d27151be381252d6eef13025cfce upstream. + +This patch adds Telit ME910 family ECM composition 0x1102. + +Signed-off-by: Daniele Palmas +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1148,6 +1148,8 @@ static const struct usb_device_id option + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), + .driver_info = NCTRL(0) | RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1102, 0xff), /* Telit ME910 (ECM) */ ++ .driver_info = NCTRL(0) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),