authorPaul Gortmaker <paul.gortmaker@windriver.com>2018-08-24 15:26:42 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2018-08-24 15:26:42 -0400
commit6bffbff41541525ff4e7b9395357934914709b63 (patch)
tree8284ba456091efb378625cb2510805916660d833
parent35e18a4bd7bf99486bc45c61425c564e96de69a9 (diff)
downloadlongterm-queue-4.12-6bffbff41541525ff4e7b9395357934914709b63.tar.gz
binder: remove patch flagged for 4.14
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--queue/binder-fix-proc-files-use-after-free.patch148
-rw-r--r--queue/series1
-rw-r--r--queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch11
3 files changed, 6 insertions, 154 deletions
diff --git a/queue/binder-fix-proc-files-use-after-free.patch b/queue/binder-fix-proc-files-use-after-free.patch
deleted file mode 100644
index 07430b5..0000000
--- a/queue/binder-fix-proc-files-use-after-free.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 7f3dc0088b98533f17128058fac73cd8b2752ef1 Mon Sep 17 00:00:00 2001
-From: Todd Kjos <tkjos@android.com>
-Date: Mon, 27 Nov 2017 09:32:33 -0800
-Subject: [PATCH] binder: fix proc->files use-after-free
-
-commit 7f3dc0088b98533f17128058fac73cd8b2752ef1 upstream.
-
-proc->files cleanup is initiated by binder_vma_close. Therefore
-a reference on the binder_proc is not enough to prevent the
-files_struct from being released while the binder_proc still has
-a reference. This can lead to an attempt to dereference the
-stale pointer obtained from proc->files prior to proc->files
-cleanup. This has been seen once in task_get_unused_fd_flags()
-when __alloc_fd() is called with a stale "files".
-
-The fix is to protect proc->files with a mutex to prevent cleanup
-while in use.
-
-Signed-off-by: Todd Kjos <tkjos@google.com>
-Cc: stable <stable@vger.kernel.org> # 4.14
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index bccec9de0533..a7ecfde66b7b 100644
---- a/drivers/android/binder.c
-+++ b/drivers/android/binder.c
-@@ -482,7 +482,8 @@ enum binder_deferred_state {
- * @tsk task_struct for group_leader of process
- * (invariant after initialized)
- * @files files_struct for process
-- * (invariant after initialized)
-+ * (protected by @files_lock)
-+ * @files_lock mutex to protect @files
- * @deferred_work_node: element for binder_deferred_list
- * (protected by binder_deferred_lock)
- * @deferred_work: bitmap of deferred work to perform
-@@ -530,6 +531,7 @@ struct binder_proc {
- int pid;
- struct task_struct *tsk;
- struct files_struct *files;
-+ struct mutex files_lock;
- struct hlist_node deferred_work_node;
- int deferred_work;
- bool is_dead;
-@@ -877,20 +879,26 @@ static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
-
- static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
- {
-- struct files_struct *files = proc->files;
- unsigned long rlim_cur;
- unsigned long irqs;
-+ int ret;
-
-- if (files == NULL)
-- return -ESRCH;
--
-- if (!lock_task_sighand(proc->tsk, &irqs))
-- return -EMFILE;
--
-+ mutex_lock(&proc->files_lock);
-+ if (proc->files == NULL) {
-+ ret = -ESRCH;
-+ goto err;
-+ }
-+ if (!lock_task_sighand(proc->tsk, &irqs)) {
-+ ret = -EMFILE;
-+ goto err;
-+ }
- rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
- unlock_task_sighand(proc->tsk, &irqs);
-
-- return __alloc_fd(files, 0, rlim_cur, flags);
-+ ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
-+err:
-+ mutex_unlock(&proc->files_lock);
-+ return ret;
- }
-
- /*
-@@ -899,8 +907,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
- static void task_fd_install(
- struct binder_proc *proc, unsigned int fd, struct file *file)
- {
-+ mutex_lock(&proc->files_lock);
- if (proc->files)
- __fd_install(proc->files, fd, file);
-+ mutex_unlock(&proc->files_lock);
- }
-
- /*
-@@ -910,9 +920,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
- {
- int retval;
-
-- if (proc->files == NULL)
-- return -ESRCH;
--
-+ mutex_lock(&proc->files_lock);
-+ if (proc->files == NULL) {
-+ retval = -ESRCH;
-+ goto err;
-+ }
- retval = __close_fd(proc->files, fd);
- /* can't restart close syscall because file table entry was cleared */
- if (unlikely(retval == -ERESTARTSYS ||
-@@ -920,7 +932,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
- retval == -ERESTARTNOHAND ||
- retval == -ERESTART_RESTARTBLOCK))
- retval = -EINTR;
--
-+err:
-+ mutex_unlock(&proc->files_lock);
- return retval;
- }
-
-@@ -4627,7 +4640,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
- ret = binder_alloc_mmap_handler(&proc->alloc, vma);
- if (ret)
- return ret;
-+ mutex_lock(&proc->files_lock);
- proc->files = get_files_struct(current);
-+ mutex_unlock(&proc->files_lock);
- return 0;
-
- err_bad_arg:
-@@ -4651,6 +4666,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
- spin_lock_init(&proc->outer_lock);
- get_task_struct(current->group_leader);
- proc->tsk = current->group_leader;
-+ mutex_init(&proc->files_lock);
- INIT_LIST_HEAD(&proc->todo);
- proc->default_priority = task_nice(current);
- binder_dev = container_of(filp->private_data, struct binder_device,
-@@ -4903,9 +4919,11 @@ static void binder_deferred_func(struct work_struct *work)
-
- files = NULL;
- if (defer & BINDER_DEFERRED_PUT_FILES) {
-+ mutex_lock(&proc->files_lock);
- files = proc->files;
- if (files)
- proc->files = NULL;
-+ mutex_unlock(&proc->files_lock);
- }
-
- if (defer & BINDER_DEFERRED_FLUSH)
---
-2.15.0
-
diff --git a/queue/series b/queue/series
index c0b38fd..777141e 100644
--- a/queue/series
+++ b/queue/series
@@ -70,7 +70,6 @@ usb-xhci-Add-XHCI_TRUST_TX_LENGTH-for-Renesas-uPD720.patch
timers-Use-deferrable-base-independent-of-base-nohz_.patch
timers-Invoke-timer_start_debug-where-it-makes-sense.patch
timers-Reinitialize-per-cpu-bases-on-hotplug.patch
-binder-fix-proc-files-use-after-free.patch
phy-tegra-fix-device-tree-node-lookups.patch
drivers-base-cacheinfo-fix-cache-type-for-non-archit.patch
staging-android-ion-Fix-dma-direction-for-dma_sync_s.patch
diff --git a/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch b/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch
index ff09554..f7fb2c1 100644
--- a/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch
+++ b/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch
@@ -1,4 +1,4 @@
-From fd45bb77ad682be728d1002431d77b8c73342836 Mon Sep 17 00:00:00 2001
+From e91090225903514e0ac6a86fd45c6216acf24d1d Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Fri, 22 Dec 2017 15:51:14 +0100
Subject: [PATCH] timers: Invoke timer_start_debug() where it makes sense
@@ -21,13 +21,14 @@ Cc: rt@linutronix.de
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Link: https://lkml.kernel.org/r/20171222145337.792907137@linutronix.de
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
-index 6be576e02209..89a9e1b4264a 100644
+index 882473e7fe2e..d35f58b8d938 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
-@@ -1007,8 +1007,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option
- if (!ret && (options & MOD_TIMER_PENDING_ONLY))
+@@ -982,8 +982,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
+ if (!ret && pending_only)
goto out_unlock;
- debug_activate(timer, expires);
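Review bot: The `Signed-off-by: Paul Gortmaker` line added in this hunk does not record what was adapted, although the same hunk shows the queued patch was regenerated against a tree where `__mod_timer()` takes `bool pending_only` rather than `unsigned int options`, with a new `index` line to match. A bracketed backport note directly above the sign-off would make the deviation from upstream auditable, for example `[PG: refresh context for 4.12, where __mod_timer() takes bool pending_only]`. Relatedly, the first hunk of this file replaces the `From fd45bb77ad68…` hash with `e91090225903…`. Lines 5–20 of the queued patch are outside the visible hunks, so it is worth confirming that the body still carries a `commit fd45bb77ad682be728d1002431d77b8c73342836 upstream.` line, so the fix stays traceable to its origin.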
@@ -35,7 +36,7 @@ index 6be576e02209..89a9e1b4264a 100644
new_base = get_target_base(base, timer->flags);
if (base != new_base) {
-@@ -1032,6 +1030,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option
+@@ -1007,6 +1005,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
}
}