From: Greg Kroah-Hartman
Date: Sun, 20 Aug 2017 19:04:21 +0000 (-0700)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.67~15
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2358361e99500c0fccc15ebc5e45c9238460d074;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
---

diff --git a/queue-3.18/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch b/queue-3.18/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
new file mode 100644
index 00000000000..dd62c174ca0
--- /dev/null
+++ b/queue-3.18/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
@@ -0,0 +1,32 @@
+From 469bcef53c546bb792aa66303933272991b7831d Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Tue, 4 Jul 2017 11:10:39 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()
+
+From: Boris Brezillon
+
+commit 469bcef53c546bb792aa66303933272991b7831d upstream.
+
+aic_common_irq_fixup() is calling twice of_node_put() on the same node
+thus leading to an unbalanced refcount on the root node.
+
+Signed-off-by: Boris Brezillon
+Reported-by: Alexandre Belloni
+Fixes: b2f579b58e93 ("irqchip: atmel-aic: Add irq fixup infrastructure")
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -176,7 +176,6 @@ void __init aic_common_irq_fixup(const s
+ return;
+
+ match = of_match_node(matches, root);
+- of_node_put(root);
+
+ if (match) {
+ void (*fixup)(struct device_node *) = match->data;
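Review bot: Removing the `of_node_put(root)` that follows `of_match_node()` is only correct because the function's other put (the commit message says the call was made twice; that second call is outside the hunk) now becomes the sole release, so `root` stays live across the `fixup` callback that the `if (match)` branch presumably invokes with it. Nothing at the deletion site records that, and the early put looks natural enough that someone could reintroduce it; a one-line comment after the `of_match_node()` call would prevent that: `/* keep the root reference alive until the fixup callback has run; released once at the end */`. The body of aic_common_irq_fixup() continues outside the hunk, so the retained put and the callback invocation could not be verified here.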
diff --git a/queue-3.18/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch b/queue-3.18/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
new file mode 100644
index 00000000000..b75a9c21243
--- /dev/null
+++ b/queue-3.18/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
@@ -0,0 +1,40 @@
+From 277867ade8262583f4280cadbe90e0031a3706a7 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Tue, 4 Jul 2017 11:10:40 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()
+
+From: Boris Brezillon
+
+commit 277867ade8262583f4280cadbe90e0031a3706a7 upstream.
+
+of_find_compatible_node() is calling of_node_put() on its first argument
+thus leading to an unbalanced of_node_get/put() issue if the node has not
+been retained before that.
+
+Instead of passing the root node, pass NULL, which does exactly the same:
+iterate over all DT nodes, starting from the root node.
+
+Signed-off-by: Boris Brezillon
+Reported-by: Alexandre Belloni
+Fixes: 3d61467f9bab ("irqchip: atmel-aic: Implement RTC irq fixup")
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -148,9 +148,9 @@ void __init aic_common_rtc_irq_fixup(str
+ struct device_node *np;
+ void __iomem *regs;
+
+- np = of_find_compatible_node(root, NULL, "atmel,at91rm9200-rtc");
++ np = of_find_compatible_node(NULL, NULL, "atmel,at91rm9200-rtc");
+ if (!np)
+- np = of_find_compatible_node(NULL, NULL,
++ np = of_find_compatible_node(NULL, NULL,
+ "atmel,at91sam9x5-rtc");
+
+ if (!np)
diff --git a/queue-3.18/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch b/queue-3.18/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
new file mode 100644
index 00000000000..952d4f6e327
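Review bot: After both lookups are switched to start from NULL, the node returned in `np` still carries a reference taken by of_find_compatible_node() that the function must drop with `of_node_put(np)` once it has mapped the RTC registers; that part of aic_common_rtc_irq_fixup() is outside the hunk, so it could not be confirmed here. The reason for NULL over `root` is not obvious from the call itself and the same mistake is easy to reintroduce, so the first lookup deserves a comment: `/* start from NULL: passing root would make of_find_compatible_node() drop a reference this function never took */`. Within the hunk the `root` parameter is no longer read; if nothing further down uses it, a note that the signature is kept only to match the fixup callback type would stop a later cleanup from "fixing" it back. The function's body continues outside the hunk.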
--- /dev/null
+++ b/queue-3.18/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
@@ -0,0 +1,83 @@
+From 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 Mon Sep 17 00:00:00 2001
+From: zhong jiang
+Date: Fri, 18 Aug 2017 15:16:24 -0700
+Subject: mm/mempolicy: fix use after free when calling get_mempolicy
+
+From: zhong jiang
+
+commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.
+
+I hit a use after free issue when executing trinity and repoduced it
+with KASAN enabled. The related call trace is as follows.
+
+ BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
+ Read of size 2 by task syz-executor1/798
+
+ INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
+ __slab_alloc+0x768/0x970
+ kmem_cache_alloc+0x2e7/0x450
+ mpol_new.part.2+0x74/0x160
+ mpol_new+0x66/0x80
+ SyS_mbind+0x267/0x9f0
+ system_call_fastpath+0x16/0x1b
+ INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
+ __slab_free+0x495/0x8e0
+ kmem_cache_free+0x2f3/0x4c0
+ __mpol_put+0x2b/0x40
+ SyS_mbind+0x383/0x9f0
+ system_call_fastpath+0x16/0x1b
+ INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
+ INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
+
+ Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
+ Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
+ Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb ........
+ Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+ Memory state around the buggy address:
+ ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
+
+!shared memory policy is not protected against parallel removal by other
+thread which is normally protected by the mmap_sem. do_get_mempolicy,
+however, drops the lock midway while we can still access it later.
+
+Early premature up_read is a historical artifact from times when
+put_user was called in this path see https://lwn.net/Articles/124754/
+but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
+layering in the memory policy layer."). but when we have the the
+current mempolicy ref count model. The issue was introduced
+accordingly.
+
+Fix the issue by removing the premature release.
+
+Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
+Signed-off-by: zhong jiang
+Acked-by: Michal Hocko
+Cc: Minchan Kim
+Cc: Vlastimil Babka
+Cc: David Rientjes
+Cc: Mel Gorman
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -944,11 +944,6 @@ static long do_get_mempolicy(int *policy
+ *policy |= (pol->flags & MPOL_MODE_FLAGS);
+ }
+
+- if (vma) {
+- up_read(¤t->mm->mmap_sem);
+- vma = NULL;
+- }
+-
+ err = 0;
+ if (nmask) {
+ if (mpol_store_user_nodemask(pol)) {
diff --git a/queue-3.18/series b/queue-3.18/series
index 48ad04e378e..347fdd79588 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -2,3 +2,6 @@ netfilter-nf_ct_ext-fix-possible-panic-after-nf_ct_extend_unregister.patch
 audit-fix-use-after-free-in-audit_remove_watch_rule.patch
 parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch
 alsa-usb-audio-apply-sample-rate-quirk-to-sennheiser-headset.patch
+mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
+irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
+irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
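Review bot: Dropping the early `up_read()` together with the `vma = NULL` reset means every path from here to the end of do_get_mempolicy() must now release mmap_sem exactly once through the vma-guarded release at the common exit, which is outside the hunk; the 3.18 backport should be checked to confirm that exit still exists in this tree and that nothing between here and it does a `copy_to_user`/`put_user` under the lock (the commit message says that moved to the sys_ wrapper long ago, which is the whole reason the early release is safe to remove). Since get_mempolicy() and mbind() are unprivileged, the race the KASAN report shows is locally triggerable, so the lock's new scope is worth recording at the deletion site: `/* hold mmap_sem until the exit label: pol may be a VMA policy that a concurrent mbind() can free */`. The `&current` on the removed up_read line appears here as `¤t`, which looks like a rendering artifact of this page rather than something in the patch file. The enclosing function starts and ends outside the hunk.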