From 7ab18d80a1f775cf1d3f5a36cca54ed6000ff0e4 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 23 Feb 2018 10:49:28 +0100
Subject: [PATCH] 4.4-stable patches
added patches:
binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
staging-iio-adc-ad7192-fix-external-frequency-setting.patch
usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
---
...ad-allocation-failure-in-binder_poll.patch | 37 +++++++++
queue-4.4/series | 4 +
...m-fix-a-race-condition-in-pin-ioctls.patch | 72 +++++++++++++++++
...d7192-fix-external-frequency-setting.patch | 81 +++++++++++++++++++
...sockfd-state-in-sync-with-tcp_socket.patch | 65 +++++++++++++++
5 files changed, 259 insertions(+)
create mode 100644 queue-4.4/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
create mode 100644 queue-4.4/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
create mode 100644 queue-4.4/staging-iio-adc-ad7192-fix-external-frequency-setting.patch
create mode 100644 queue-4.4/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
diff --git a/queue-4.4/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch b/queue-4.4/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
new file mode 100644
index 00000000000..0bc6fc86d46
--- /dev/null
+++ b/queue-4.4/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
@@ -0,0 +1,37 @@
+From f88982679f54f75daa5b8eff3da72508f1e7422f Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 30 Jan 2018 23:11:24 -0800
+Subject: binder: check for binder_thread allocation failure in binder_poll()
+
+From: Eric Biggers
+
+commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
+
+If the kzalloc() in binder_get_thread() fails, binder_poll()
+dereferences the resulting NULL pointer.
+
+Fix it by returning POLLERR if the memory allocation failed.
+
+This bug was found by syzkaller using fault injection.
+
+Reported-by: syzbot
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2622,6 +2622,8 @@ static unsigned int binder_poll(struct f
+ binder_lock(__func__);
+
+ thread = binder_get_thread(proc);
++ if (!thread)
++ return POLLERR;
+
+ wait_for_proc_work = thread->transaction_stack == NULL &&
+ list_empty(&thread->todo) && thread->return_error == BR_OK;
diff --git a/queue-4.4/series b/queue-4.4/series
index cf13ee4f8fd..a4d9aff4f5c 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -23,3 +23,7 @@ video-fbdev-mmp-add-module_license.patch
 arm64-dts-add-cooling-cells-to-cpu-nodes.patch
 make-dst_cache-a-silent-config-option.patch
 dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside-sock-lock.patch
+staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
+binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
+staging-iio-adc-ad7192-fix-external-frequency-setting.patch
+usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
diff --git a/queue-4.4/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch b/queue-4.4/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
new file mode 100644
index 00000000000..86628ca957c
--- /dev/null
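Review bot: The added early return in binder_poll() leaves the global binder lock held: the first context line of the inner hunk is `binder_lock(__func__);`, and the new `return POLLERR;` two lines later exits without a matching `binder_unlock(__func__)`, so one failed kzalloc() in binder_get_thread() turns a NULL dereference into a binder-wide hang for every later caller of binder_lock(). The upstream function presumably does not take that lock at this point, but the 4.4 context shown here does, so the backport needs the release added: `if (!thread) { binder_unlock(__func__); return POLLERR; }`. binder_poll()'s body continues outside the hunk, so where the function normally drops the lock cannot be checked from here.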
+++ b/queue-4.4/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
@@ -0,0 +1,72 @@
+From ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Sun, 4 Feb 2018 02:06:27 +0000
+Subject: staging: android: ashmem: Fix a race condition in pin ioctls
+
+From: Ben Hutchings
+
+commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream.
+
+ashmem_pin_unpin() reads asma->file and asma->size before taking the
+ashmem_mutex, so it can race with other operations that modify them.
+
+Build-tested only.
+
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/android/ashmem.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -704,30 +704,32 @@ static int ashmem_pin_unpin(struct ashme
+ size_t pgstart, pgend;
+ int ret = -EINVAL;
+
++ mutex_lock(&ashmem_mutex);
++
+ if (unlikely(!asma->file))
+- return -EINVAL;
++ goto out_unlock;
+
+- if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
+- return -EFAULT;
++ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
++ ret = -EFAULT;
++ goto out_unlock;
++ }
+
+ /* per custom, you can pass zero for len to mean "everything onward" */
+ if (!pin.len)
+ pin.len = PAGE_ALIGN(asma->size) - pin.offset;
+
+ if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(((__u32)-1) - pin.offset < pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ pgstart = pin.offset / PAGE_SIZE;
+ pgend = pgstart + (pin.len / PAGE_SIZE) - 1;
+
+- mutex_lock(&ashmem_mutex);
+-
+ switch (cmd) {
+ case ASHMEM_PIN:
+ ret = ashmem_pin(asma, pgstart, pgend);
+@@ -740,6 +742,7 @@ static int ashmem_pin_unpin(struct ashme
+ break;
+ }
+
++out_unlock:
+ mutex_unlock(&ashmem_mutex);
+
+ return ret;
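Review bot: Moving `mutex_lock(&ashmem_mutex);` above the `copy_from_user(&pin, p, sizeof(pin))` call means the user copy now runs with the mutex held; a page fault inside that copy takes the caller's mmap_sem, so if any other ashmem path (presumably its mmap handler) takes ashmem_mutex while mmap_sem is already held, the two orderings can deadlock against each other from an unprivileged ioctl caller. Only the `asma->file` and `asma->size` reads need the lock, so the copy can stay outside it: keep `if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) return -EFAULT;` before the `mutex_lock`, then take the lock for the `asma->file` check and everything after it as the hunk already does. The function's signature and the `pin` local are cut off at the top of the inner hunk.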
diff --git a/queue-4.4/staging-iio-adc-ad7192-fix-external-frequency-setting.patch b/queue-4.4/staging-iio-adc-ad7192-fix-external-frequency-setting.patch
new file mode 100644
index 00000000000..c0e66c1d198
--- /dev/null
+++ b/queue-4.4/staging-iio-adc-ad7192-fix-external-frequency-setting.patch
@@ -0,0 +1,81 @@
+From e31b617d0a63c6558485aaa730fd162faa95a766 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean
+Date: Mon, 22 Jan 2018 11:53:12 +0200
+Subject: staging: iio: adc: ad7192: fix external frequency setting
+
+From: Alexandru Ardelean
+
+commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream.
+
+The external clock frequency was set only when selecting
+the internal clock, which is fixed at 4.9152 Mhz.
+
+This is incorrect, since it should be set when any of
+the external clock or crystal settings is selected.
+
+Added range validation for the external (crystal/clock)
+frequency setting.
+Valid values are between 2.4576 and 5.12 Mhz.
+
+Signed-off-by: Alexandru Ardelean
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/iio/adc/ad7192.c
++++ b/drivers/staging/iio/adc/ad7192.c
+@@ -124,6 +124,8 @@
+ #define AD7192_GPOCON_P1DAT BIT(1) /* P1 state */
+ #define AD7192_GPOCON_P0DAT BIT(0) /* P0 state */
+
++#define AD7192_EXT_FREQ_MHZ_MIN 2457600
++#define AD7192_EXT_FREQ_MHZ_MAX 5120000
+ #define AD7192_INT_FREQ_MHZ 4915200
+
+ /* NOTE:
+@@ -199,6 +201,12 @@ static int ad7192_calibrate_all(struct a
+ ARRAY_SIZE(ad7192_calib_arr));
+ }
+
++static inline bool ad7192_valid_external_frequency(u32 freq)
++{
++ return (freq >= AD7192_EXT_FREQ_MHZ_MIN &&
++ freq <= AD7192_EXT_FREQ_MHZ_MAX);
++}
++
+ static int ad7192_setup(struct ad7192_state *st,
+ const struct ad7192_platform_data *pdata)
+ {
+@@ -224,17 +232,20 @@ static int ad7192_setup(struct ad7192_st
+ id);
+
+ switch (pdata->clock_source_sel) {
+- case AD7192_CLK_EXT_MCLK1_2:
+- case AD7192_CLK_EXT_MCLK2:
+- st->mclk = AD7192_INT_FREQ_MHZ;
+- break;
+ case AD7192_CLK_INT:
+ case AD7192_CLK_INT_CO:
+- if (pdata->ext_clk_hz)
+- st->mclk = pdata->ext_clk_hz;
+- else
+- st->mclk = AD7192_INT_FREQ_MHZ;
++ st->mclk = AD7192_INT_FREQ_MHZ;
+ break;
++ case AD7192_CLK_EXT_MCLK1_2:
++ case AD7192_CLK_EXT_MCLK2:
++ if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) {
++ st->mclk = pdata->ext_clk_hz;
++ break;
++ }
++ dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n",
++ pdata->ext_clk_hz);
++ ret = -EINVAL;
++ goto out;
+ default:
+ ret = -EINVAL;
+ goto out;
diff --git a/queue-4.4/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch b/queue-4.4/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
new file mode 100644
index 00000000000..ab76626f514
--- /dev/null
+++ b/queue-4.4/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
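Review bot: The two new constants `AD7192_EXT_FREQ_MHZ_MIN 2457600` and `AD7192_EXT_FREQ_MHZ_MAX 5120000` are Hz values (the commit message itself quotes 2.4576 and 5.12 MHz) but carry an `_MHZ` suffix; that mirrors the existing `AD7192_INT_FREQ_MHZ`, so the convention is inherited, but a one-line comment above them, `/* external MCLK/crystal limits in Hz (2.4576 .. 5.12 MHz) */`, would stop the next reader from comparing them against a MHz figure. The new `AD7192_CLK_EXT_MCLK*` case also repeats the `ret = -EINVAL; goto out;` pair that the `default:` branch immediately below already has; after the `dev_err` it could fall through into `default:` with a `/* fall through */` marker instead of duplicating the error path. ad7192_setup() continues outside the hunk, so the `out:` label is not visible here.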
@@ -0,0 +1,65 @@
+From 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Fri, 26 Jan 2018 11:56:50 -0700
+Subject: usbip: keep usbip_device sockfd state in sync with tcp_socket
+
+From: Shuah Khan
+
+commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream.
+
+Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket
+is reset to null, reset sockfd to -1 to keep it in sync.
+
+Signed-off-by: Shuah Khan
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/stub_dev.c | 3 +++
+ drivers/usb/usbip/vhci_hcd.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -87,6 +87,7 @@ static ssize_t store_sockfd(struct devic
+ goto err;
+
+ sdev->ud.tcp_socket = socket;
++ sdev->ud.sockfd = sockfd;
+
+ spin_unlock_irq(&sdev->ud.lock);
+
+@@ -186,6 +187,7 @@ static void stub_shutdown_connection(str
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+
+ /* 3. free used data */
+@@ -280,6 +282,7 @@ static struct stub_device *stub_device_a
+ sdev->ud.status = SDEV_ST_AVAILABLE;
+ spin_lock_init(&sdev->ud.lock);
+ sdev->ud.tcp_socket = NULL;
++ sdev->ud.sockfd = -1;
+
+ INIT_LIST_HEAD(&sdev->priv_init);
+ INIT_LIST_HEAD(&sdev->priv_tx);
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -797,6 +797,7 @@ static void vhci_shutdown_connection(str
+ if (vdev->ud.tcp_socket) {
+ sockfd_put(vdev->ud.tcp_socket);
+ vdev->ud.tcp_socket = NULL;
++ vdev->ud.sockfd = -1;
+ }
+ pr_info("release socket\n");
+
+@@ -844,6 +845,7 @@ static void vhci_device_reset(struct usb
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+ ud->status = VDEV_ST_NULL;
+
-- 2.47.3
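Review bot: The patch initialises `sdev->ud.sockfd = -1;` in stub_device_alloc() but adds no matching allocation-time initialisation on the vhci side, where the only writes shown are the `-1` resets in vhci_shutdown_connection() and vhci_device_reset(); unless vhci_device_init() (outside this hunk) sets it, a freshly created vhci device reports `sockfd` as 0, a valid descriptor number, until its first shutdown, which is the same stale-state problem the commit sets out to remove. In store_sockfd() the new `sdev->ud.sockfd = sockfd;` appears to sit inside the `sdev->ud.lock` section that `spin_unlock_irq` closes just below, but the three shutdown/reset sites clear `tcp_socket` and `sockfd` with no lock visible in their context, so a reader of the pair may still observe them out of sync; worth confirming against the callers. The same three-line sequence (`sockfd_put(...); ud->tcp_socket = NULL; ud->sockfd = -1;`) now appears at three sites, so a small static inline helper in usbip_common.h would keep the invariant in one place.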