From 81812b5ad7a5d4f86c32bc083261266a42038e2d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 4 Jul 2018 13:54:11 +0200 Subject: [PATCH] 3.18-stable patches added patches: n_tty-fix-stall-at-n_tty_receive_char_special.patch staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch --- ...-stall-at-n_tty_receive_char_special.patch | 83 +++++++++++++++++++ queue-3.18/series | 2 + ...-return-an-err_ptr-in-ion_map_kernel.patch | 33 ++++++++ queue-4.14/series | 19 +++++ queue-4.17/series | 22 +++++ queue-4.4/series | 6 ++ queue-4.9/series | 9 ++ 7 files changed, 174 insertions(+) create mode 100644 queue-3.18/n_tty-fix-stall-at-n_tty_receive_char_special.patch create mode 100644 queue-3.18/series create mode 100644 queue-3.18/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch create mode 100644 queue-4.14/series create mode 100644 queue-4.17/series create mode 100644 queue-4.4/series create mode 100644 queue-4.9/series diff --git a/queue-3.18/n_tty-fix-stall-at-n_tty_receive_char_special.patch b/queue-3.18/n_tty-fix-stall-at-n_tty_receive_char_special.patch new file mode 100644 index 00000000000..88e8a57279a --- /dev/null +++ b/queue-3.18/n_tty-fix-stall-at-n_tty_receive_char_special.patch @@ -0,0 +1,83 @@ +From 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 26 May 2018 09:53:13 +0900 +Subject: n_tty: Fix stall at n_tty_receive_char_special(). + +From: Tetsuo Handa + +commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream. + +syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is +because comparison is not working as expected since ldata->read_head can +change at any moment. Mitigate this by explicitly masking with buffer size +when checking condition for "while" loops. + +[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size") +Cc: stable +Cc: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/n_tty.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -127,6 +127,8 @@ struct n_tty_data { + struct mutex output_lock; + }; + ++#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1)) ++ + static inline size_t read_cnt(struct n_tty_data *ldata) + { + return ldata->read_head - ldata->read_tail; +@@ -1032,14 +1034,15 @@ static void eraser(unsigned char c, stru + } + + seen_alnums = 0; +- while (ldata->read_head != ldata->canon_head) { ++ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) { + head = ldata->read_head; + + /* erase a single possibly multibyte character */ + do { + head--; + c = read_buf(ldata, head); +- } while (is_continuation(c, tty) && head != ldata->canon_head); ++ } while (is_continuation(c, tty) && ++ MASK(head) != MASK(ldata->canon_head)); + + /* do not partially erase */ + if (is_continuation(c, tty)) +@@ -1081,7 +1084,7 @@ static void eraser(unsigned char c, stru + * This info is used to go back the correct + * number of columns. + */ +- while (tail != ldata->canon_head) { ++ while (MASK(tail) != MASK(ldata->canon_head)) { + tail--; + c = read_buf(ldata, tail); + if (c == '\t') { +@@ -1341,7 +1344,7 @@ n_tty_receive_char_special(struct tty_st + finish_erasing(ldata); + echo_char(c, tty); + echo_char_raw('\n', ldata); +- while (tail != ldata->read_head) { ++ while (MASK(tail) != MASK(ldata->read_head)) { + echo_char(read_buf(ldata, tail), tty); + tail++; + } +@@ -2505,7 +2508,7 @@ static unsigned long inq_canon(struct n_ + tail = ldata->read_tail; + nr = head - tail; + /* Skip EOF-chars.. */ +- while (head != tail) { ++ while (MASK(head) != MASK(tail)) { + if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) && + read_buf(ldata, tail) == __DISABLED_CHAR) + nr--; diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..d2efd4a7bc0 --- /dev/null +++ b/queue-3.18/series @@ -0,0 +1,2 @@ +n_tty-fix-stall-at-n_tty_receive_char_special.patch +staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch diff --git a/queue-3.18/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch b/queue-3.18/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch new file mode 100644 index 00000000000..a469a095f35 --- /dev/null +++ b/queue-3.18/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch @@ -0,0 +1,33 @@ +From 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Mon, 11 Jun 2018 11:06:53 -0700 +Subject: staging: android: ion: Return an ERR_PTR in ion_map_kernel + +From: Laura Abbott + +commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream. + +The expected return value from ion_map_kernel is an ERR_PTR. The error +path for a vmalloc failure currently just returns NULL, triggering +a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR. + +Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com +Signed-off-by: Laura Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ion/ion_heap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/android/ion/ion_heap.c ++++ b/drivers/staging/android/ion/ion_heap.c +@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_hea + struct page **tmp = pages; + + if (!pages) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + if (buffer->flags & ION_FLAG_CACHED) + pgprot = PAGE_KERNEL; diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..7ff71a47441 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,19 @@ +usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch +usb-serial-cp210x-add-cesinel-device-ids.patch +usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch +usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch +acpi-add-helper-for-deactivating-memory-region.patch +usb-typec-ucsi-acpi-workaround-for-cache-mode-issue.patch +usb-typec-ucsi-fix-for-incorrect-status-data-issue.patch +xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch +xhci-fix-kernel-oops-in-trace_xhci_free_virt_device.patch +n_tty-fix-stall-at-n_tty_receive_char_special.patch +n_tty-access-echo_-variables-carefully.patch +staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch +serial-8250_pci-remove-stalled-entries-in-blacklist.patch +serdev-fix-memleak-on-module-unload.patch +vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch +drm-amdgpu-add-apu-support-in-vi_set_uvd_clocks.patch +drm-amdgpu-add-apu-support-in-vi_set_vce_clocks.patch +drm-amdgpu-fix-the-missed-vcn-fw-version-report.patch +drm-amdgpu-fix-clear_all-and-replace-handling-in-the-vm-v2.patch diff --git a/queue-4.17/series b/queue-4.17/series new file mode 100644 index 00000000000..c94869e35b8 --- /dev/null +++ b/queue-4.17/series @@ -0,0 +1,22 @@ +usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch +usb-serial-cp210x-add-cesinel-device-ids.patch +usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch +usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch +usb-typec-tcpm-fix-logbuffer-index-is-wrong-if-_tcpm_log-is-re-entered.patch +acpi-add-helper-for-deactivating-memory-region.patch +usb-typec-ucsi-acpi-workaround-for-cache-mode-issue.patch +usb-typec-ucsi-fix-for-incorrect-status-data-issue.patch +xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch +xhci-fix-kernel-oops-in-trace_xhci_free_virt_device.patch +n_tty-fix-stall-at-n_tty_receive_char_special.patch +n_tty-access-echo_-variables-carefully.patch +staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch +iio-mma8452-fix-ignoring-mma8452_int_drdy.patch +serial-8250_pci-remove-stalled-entries-in-blacklist.patch +serdev-fix-memleak-on-module-unload.patch +vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch +drm-amdgpu-add-apu-support-in-vi_set_uvd_clocks.patch +drm-amdgpu-add-apu-support-in-vi_set_vce_clocks.patch +drm-amdgpu-fix-the-missed-vcn-fw-version-report.patch +drm-amdgpu-grab-put-runtime-pm-references-in-atomic_commit_tail.patch +drm-amdgpu-fix-clear_all-and-replace-handling-in-the-vm-v2.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..7d992fdb115 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,6 @@ +usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch +usb-serial-cp210x-add-cesinel-device-ids.patch +usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch +xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch +n_tty-fix-stall-at-n_tty_receive_char_special.patch +staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..dc964544d0b --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1,9 @@ +usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch +usb-serial-cp210x-add-cesinel-device-ids.patch +usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch +usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch +xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch +n_tty-fix-stall-at-n_tty_receive_char_special.patch +n_tty-access-echo_-variables-carefully.patch +staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch +vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch -- 2.47.3