From 80e8a4fe75c84f396c1f1c780f00170f1f37f3d8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 11 Dec 2019 15:28:04 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
binder-handle-start-null-in-binder_update_page_range.patch
iomap-fix-pipe-page-leakage-during-splicing.patch
thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch

---
 ...art-null-in-binder_update_page_range.patch | 65 +++++++++++++
 ...ix-pipe-page-leakage-during-splicing.patch | 52 ++++++++++
 queue-4.14/series | 3 +
 ...in-thermal-thermal_zone_device_check.patch | 96 +++++++++++++++++++
 4 files changed, 216 insertions(+)
 create mode 100644 queue-4.14/binder-handle-start-null-in-binder_update_page_range.patch
 create mode 100644 queue-4.14/iomap-fix-pipe-page-leakage-during-splicing.patch
 create mode 100644 queue-4.14/thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch

diff --git a/queue-4.14/binder-handle-start-null-in-binder_update_page_range.patch b/queue-4.14/binder-handle-start-null-in-binder_update_page_range.patch
new file mode 100644
index 00000000000..212659bd8e4
--- /dev/null
+++ b/queue-4.14/binder-handle-start-null-in-binder_update_page_range.patch
@@ -0,0 +1,65 @@
+From 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 18 Oct 2019 22:56:31 +0200
+Subject: binder: Handle start==NULL in binder_update_page_range()
+
+From: Jann Horn
+
+commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.
+
+The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
+continuing backwards to index -1 and crashing.
+
+Luckily you need to be highly privileged to map things at NULL, so it's not
+a big problem.
+
+Fix it by adjusting the loop so that the loop variable is always in bounds.
+
+This patch is deliberately minimal to simplify backporting, but IMO this
+function could use a refactor. The jump labels in the second loop body are
+horrible (the error gotos should be jumping to free_range instead), and
+both loops would look nicer if they just iterated upwards through indices.
+And the up_read()+mmput() shouldn't be duplicated like that.
+
+Cc: stable@vger.kernel.org
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Signed-off-by: Jann Horn
+Acked-by: Christian Brauner
+Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder_alloc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -289,8 +289,7 @@ static int binder_update_page_range(stru
+ return 0;
+ 
+ free_range:
+- for (page_addr = end - PAGE_SIZE; page_addr >= start;
+- page_addr -= PAGE_SIZE) {
++ for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
+ bool ret;
+ size_t index;
+ 
+@@ -303,6 +302,8 @@ free_range:
+ WARN_ON(!ret);
+ 
+ trace_binder_free_lru_end(alloc, index);
++ if (page_addr == start)
++ break;
+ continue;
+ 
+ err_vm_insert_page_failed:
+@@ -312,7 +313,8 @@ err_map_kernel_failed:
+ page->page_ptr = NULL;
+ err_alloc_page_failed:
+ err_page_ptr_cleared:
+- ;
++ if (page_addr == start)
++ break;
+ 
}
+ err_no_vma:
+ if (mm) {
diff --git a/queue-4.14/iomap-fix-pipe-page-leakage-during-splicing.patch b/queue-4.14/iomap-fix-pipe-page-leakage-during-splicing.patch
new file mode 100644
index 00000000000..cc86a5e5f00
--- /dev/null
+++ b/queue-4.14/iomap-fix-pipe-page-leakage-during-splicing.patch
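Review bot: The rewritten loop `for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE)` now terminates only through the two `if (page_addr == start) break;` checks, so it silently depends on `start < end` and on both being PAGE_SIZE-aligned; with `end == start` the first iteration would already sit below `start` and the equality would never hit. As far as I can tell the function's early `end <= start` return (outside the nested hunks) is what upholds that invariant, and the error labels inside the body are entered by goto with `page_addr` at the page that failed, which is why the second check is needed to stop a failure on the very first page from walking below `start`. I would pin that in a comment above the loop: `/* Terminates only via page_addr == start: caller guarantees start < end, both page aligned; the error labels below are entered by goto with page_addr at the page that failed. */`. binder_update_page_range starts and ends outside the nested hunks.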
@@ -0,0 +1,52 @@
+From 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 21 Nov 2019 16:14:38 -0800
+Subject: iomap: Fix pipe page leakage during splicing
+
+From: Jan Kara
+
+commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream.
+
+When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages
+because bio_iov_iter_get_pages() records that the pipe will have full
+extent worth of data however if file size is not block size aligned
+iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up
+and splice code gets confused leaking a pipe page with the file tail.
+
+Handle the situation similarly to the old direct IO implementation and
+revert iter to actually returned read amount which makes iter consistent
+with value returned from iomap_dio_rw() and thus the splice code is
+happy.
+
+Fixes: ff6a9292e6f6 ("iomap: implement direct I/O")
+CC: stable@vger.kernel.org
+Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/iomap.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/iomap.c
++++ b/fs/iomap.c
+@@ -1053,8 +1053,15 @@ iomap_dio_rw(struct kiocb *iocb, struct
+ }
+ pos += ret;
+ 
+- if (iov_iter_rw(iter) == READ && pos >= dio->i_size)
++ if (iov_iter_rw(iter) == READ && pos >= dio->i_size) {
++ /*
++ * We only report that we've read data up to i_size.
++ * Revert iter to a state corresponding to that as
++ * some callers (such as splice code) rely on it.
++ */
++ iov_iter_revert(iter, pos - dio->i_size);
+ break;
++ }
+ } while ((count = iov_iter_count(iter)) > 0);
+ blk_finish_plug(&plug);
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index 2a435fbf9fe..6f9c539652a 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
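Review bot: `iov_iter_revert(iter, pos - dio->i_size)` hands a signed `loff_t` difference to a `size_t` parameter, and it is non-negative only because of the `pos >= dio->i_size` guard on the line above; that dependency deserves a line in the new comment, e.g. `* pos >= i_size here, so the revert amount is non-negative.` The revert amount also has to stay equal to the short-read clamp applied to the byte count returned to the caller, which lives elsewhere in this file (presumably the completion path, outside this hunk); if either side is changed on its own the iter and the return value diverge again, which is exactly the leak being fixed, so a cross-reference in the comment is worth adding. iomap_dio_rw starts and ends outside the nested hunk.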
@@ -147,3 +147,6 @@ crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch
 crypto-user-fix-memory-leak-in-crypto_report.patch
 spi-atmel-fix-cs-high-support.patch
 rdma-qib-validate-show-store-callbacks-before-calling-them.patch
+iomap-fix-pipe-page-leakage-during-splicing.patch
+thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
+binder-handle-start-null-in-binder_update_page_range.patch
diff --git a/queue-4.14/thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch b/queue-4.14/thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
new file mode 100644
index 00000000000..9c2d2919a7a
--- /dev/null
+++ b/queue-4.14/thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
@@ -0,0 +1,96 @@
+From 163b00cde7cf2206e248789d2780121ad5e6a70b Mon Sep 17 00:00:00 2001
+From: Wei Wang
+Date: Tue, 12 Nov 2019 12:42:23 -0800
+Subject: thermal: Fix deadlock in thermal thermal_zone_device_check
+
+From: Wei Wang
+
+commit 163b00cde7cf2206e248789d2780121ad5e6a70b upstream.
+
+1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone
+device") changed cancel_delayed_work to cancel_delayed_work_sync to avoid
+a use-after-free issue. However, cancel_delayed_work_sync could be called
+insides the WQ causing deadlock.
+
+[54109.642398] c0 1162 kworker/u17:1 D 0 11030 2 0x00000000
+[54109.642437] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check
+[54109.642447] c0 1162 Call trace:
+[54109.642456] c0 1162 __switch_to+0x138/0x158
+[54109.642467] c0 1162 __schedule+0xba4/0x1434
+[54109.642480] c0 1162 schedule_timeout+0xa0/0xb28
+[54109.642492] c0 1162 wait_for_common+0x138/0x2e8
+[54109.642511] c0 1162 flush_work+0x348/0x40c
+[54109.642522] c0 1162 __cancel_work_timer+0x180/0x218
+[54109.642544] c0 1162 handle_thermal_trip+0x2c4/0x5a4
+[54109.642553] c0 1162 thermal_zone_device_update+0x1b4/0x25c
+[54109.642563] c0 1162 thermal_zone_device_check+0x18/0x24
+[54109.642574] c0 1162 process_one_work+0x3cc/0x69c
+[54109.642583] c0 1162 worker_thread+0x49c/0x7c0
+[54109.642593] c0 1162 kthread+0x17c/0x1b0
+[54109.642602] c0 1162 ret_from_fork+0x10/0x18
+[54109.643051] c0 1162 kworker/u17:2 D 0 16245 2 0x00000000
+[54109.643067] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check
+[54109.643077] c0 1162 Call trace:
+[54109.643085] c0 1162 __switch_to+0x138/0x158
+[54109.643095] c0 1162 __schedule+0xba4/0x1434
+[54109.643104] c0 1162 schedule_timeout+0xa0/0xb28
+[54109.643114] c0 1162 wait_for_common+0x138/0x2e8
+[54109.643122] c0 1162 flush_work+0x348/0x40c
+[54109.643131] c0 1162 __cancel_work_timer+0x180/0x218
+[54109.643141] c0 1162 handle_thermal_trip+0x2c4/0x5a4
+[54109.643150] c0 1162 
thermal_zone_device_update+0x1b4/0x25c
+[54109.643159] c0 1162 thermal_zone_device_check+0x18/0x24
+[54109.643167] c0 1162 process_one_work+0x3cc/0x69c
+[54109.643177] c0 1162 worker_thread+0x49c/0x7c0
+[54109.643186] c0 1162 kthread+0x17c/0x1b0
+[54109.643195] c0 1162 ret_from_fork+0x10/0x18
+[54109.644500] c0 1162 cat D 0 7766 1 0x00000001
+[54109.644515] c0 1162 Call trace:
+[54109.644524] c0 1162 __switch_to+0x138/0x158
+[54109.644536] c0 1162 __schedule+0xba4/0x1434
+[54109.644546] c0 1162 schedule_preempt_disabled+0x80/0xb0
+[54109.644555] c0 1162 __mutex_lock+0x3a8/0x7f0
+[54109.644563] c0 1162 __mutex_lock_slowpath+0x14/0x20
+[54109.644575] c0 1162 thermal_zone_get_temp+0x84/0x360
+[54109.644586] c0 1162 temp_show+0x30/0x78
+[54109.644609] c0 1162 dev_attr_show+0x5c/0xf0
+[54109.644628] c0 1162 sysfs_kf_seq_show+0xcc/0x1a4
+[54109.644636] c0 1162 kernfs_seq_show+0x48/0x88
+[54109.644656] c0 1162 seq_read+0x1f4/0x73c
+[54109.644664] c0 1162 kernfs_fop_read+0x84/0x318
+[54109.644683] c0 1162 __vfs_read+0x50/0x1bc
+[54109.644692] c0 1162 vfs_read+0xa4/0x140
+[54109.644701] c0 1162 SyS_read+0xbc/0x144
+[54109.644708] c0 1162 el0_svc_naked+0x34/0x38
+[54109.845800] c0 1162 D 720.000s 1->7766->7766 cat [panic]
+
+Fixes: 1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wei Wang
+Signed-off-by: Zhang Rui
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/thermal/thermal_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -299,7 +299,7 @@ static void thermal_zone_device_set_poll
+ mod_delayed_work(system_freezable_wq, &tz->poll_queue,
+ msecs_to_jiffies(delay));
+ else
+- cancel_delayed_work_sync(&tz->poll_queue);
++ cancel_delayed_work(&tz->poll_queue);
+ }
+ 
+ static void monitor_thermal_zone(struct thermal_zone_device *tz)
+@@ -1350,7 +1350,8 @@ void thermal_zone_device_unregister(stru
+ 
+ 
mutex_unlock(&thermal_list_lock);
+ 
+- thermal_zone_device_set_polling(tz, 0);
++ cancel_delayed_work_sync(&tz->poll_queue);
+ 
+ thermal_set_governor(tz, NULL);
+ 
-- 
2.47.3
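Review bot: `cancel_delayed_work(&tz->poll_queue)` in thermal_zone_device_set_polling() no longer waits for an in-flight thermal_zone_device_check, so `thermal_zone_device_set_polling(tz, 0)` now only means "not queued", not "not running"; the unregister side compensates by calling `cancel_delayed_work_sync` directly, but other callers that reach set_polling through monitor_thermal_zone() (the path in the trace above) should be checked for the same assumption. The reason for the asymmetry exists only in the commit message, so I would state it at the call site: `/* Not _sync: this can run from the poll_queue work itself via handle_thermal_trip(); thermal_zone_device_unregister() does the synchronous cancel. */`. There is also no visible barrier against poll_queue being re-armed by a thermal_zone_device_update() that races with unregister after the synchronous cancel, if such a caller is still reachable at that point in 4.14; worth confirming rather than assuming. Both modified functions start and end outside the nested hunks.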