author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-24 15:26:42 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-24 15:26:42 -0400 |
commit | 6bffbff41541525ff4e7b9395357934914709b63 (patch) | |
tree | 8284ba456091efb378625cb2510805916660d833 | |
parent | 35e18a4bd7bf99486bc45c61425c564e96de69a9 (diff) | |
download | longterm-queue-4.12-6bffbff41541525ff4e7b9395357934914709b63.tar.gz |
binder: remove patch flagged for 4.14
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/binder-fix-proc-files-use-after-free.patch | 148 | ||||
-rw-r--r-- | queue/series | 1 | ||||
-rw-r--r-- | queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch | 11 |
3 files changed, 6 insertions, 154 deletions
diff --git a/queue/binder-fix-proc-files-use-after-free.patch b/queue/binder-fix-proc-files-use-after-free.patch
deleted file mode 100644
index 07430b5..0000000
--- a/queue/binder-fix-proc-files-use-after-free.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 7f3dc0088b98533f17128058fac73cd8b2752ef1 Mon Sep 17 00:00:00 2001
-From: Todd Kjos <tkjos@android.com>
-Date: Mon, 27 Nov 2017 09:32:33 -0800
-Subject: [PATCH] binder: fix proc->files use-after-free
-
-commit 7f3dc0088b98533f17128058fac73cd8b2752ef1 upstream.
-
-proc->files cleanup is initiated by binder_vma_close. Therefore
-a reference on the binder_proc is not enough to prevent the
-files_struct from being released while the binder_proc still has
-a reference. This can lead to an attempt to dereference the
-stale pointer obtained from proc->files prior to proc->files
-cleanup. This has been seen once in task_get_unused_fd_flags()
-when __alloc_fd() is called with a stale "files".
-
-The fix is to protect proc->files with a mutex to prevent cleanup
-while in use.
-
-Signed-off-by: Todd Kjos <tkjos@google.com>
-Cc: stable <stable@vger.kernel.org> # 4.14
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index bccec9de0533..a7ecfde66b7b 100644
---- a/drivers/android/binder.c
-+++ b/drivers/android/binder.c
-@@ -482,7 +482,8 @@ enum binder_deferred_state {
- * @tsk task_struct for group_leader of process
- * (invariant after initialized)
- * @files files_struct for process
-- * (invariant after initialized)
-+ * (protected by @files_lock)
-+ * @files_lock mutex to protect @files
- * @deferred_work_node: element for binder_deferred_list
- * (protected by binder_deferred_lock)
- * @deferred_work: bitmap of deferred work to perform
-@@ -530,6 +531,7 @@ struct binder_proc {
- int pid;
- struct task_struct *tsk;
- struct files_struct *files;
-+ struct mutex files_lock;
- struct hlist_node deferred_work_node;
- int deferred_work;
- bool is_dead;
-@@ -877,20 +879,26 @@ static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
-
- static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
- {
-- struct files_struct *files = proc->files;
- unsigned long rlim_cur;
- unsigned long irqs;
-+ int ret;
-
-- if (files == NULL)
-- return -ESRCH;
--
-- if (!lock_task_sighand(proc->tsk, &irqs))
-- return -EMFILE;
--
-+ mutex_lock(&proc->files_lock);
-+ if (proc->files == NULL) {
-+ ret = -ESRCH;
-+ goto err;
-+ }
-+ if (!lock_task_sighand(proc->tsk, &irqs)) {
-+ ret = -EMFILE;
-+ goto err;
-+ }
- rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
- unlock_task_sighand(proc->tsk, &irqs);
-
-- return __alloc_fd(files, 0, rlim_cur, flags);
-+ ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
-+err:
-+ mutex_unlock(&proc->files_lock);
-+ return ret;
- }
-
- /*
-@@ -899,8 +907,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
- static void task_fd_install(
- struct binder_proc *proc, unsigned int fd, struct file *file)
- {
-+ mutex_lock(&proc->files_lock);
- if (proc->files)
- __fd_install(proc->files, fd, file);
-+ mutex_unlock(&proc->files_lock);
- }
-
- /*
-@@ -910,9 +920,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
- {
- int retval;
-
-- if (proc->files == NULL)
-- return -ESRCH;
--
-+ mutex_lock(&proc->files_lock);
-+ if (proc->files == NULL) {
-+ retval = -ESRCH;
-+ goto err;
-+ }
- retval = __close_fd(proc->files, fd);
- /* can't restart close syscall because file table entry was cleared */
- if (unlikely(retval == -ERESTARTSYS ||
-@@ -920,7 +932,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
- retval == -ERESTARTNOHAND ||
- retval == -ERESTART_RESTARTBLOCK))
- retval = -EINTR;
--
-+err:
-+ mutex_unlock(&proc->files_lock);
- return retval;
- }
-
-@@ -4627,7 +4640,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
- ret = binder_alloc_mmap_handler(&proc->alloc, vma);
- if (ret)
- return ret;
-+ mutex_lock(&proc->files_lock);
- proc->files = get_files_struct(current);
-+ mutex_unlock(&proc->files_lock);
- return 0;
-
- err_bad_arg:
-@@ -4651,6 +4666,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
- spin_lock_init(&proc->outer_lock);
- get_task_struct(current->group_leader);
- proc->tsk = current->group_leader;
-+ mutex_init(&proc->files_lock);
- INIT_LIST_HEAD(&proc->todo);
- proc->default_priority = task_nice(current);
- binder_dev = container_of(filp->private_data, struct binder_device,
-@@ -4903,9 +4919,11 @@ static void binder_deferred_func(struct work_struct *work)
-
- files = NULL;
- if (defer & BINDER_DEFERRED_PUT_FILES) {
-+ mutex_lock(&proc->files_lock);
- files = proc->files;
- if (files)
- proc->files = NULL;
-+ mutex_unlock(&proc->files_lock);
- }
-
- if (defer & BINDER_DEFERRED_FLUSH)
---
-2.15.0
-
diff --git a/queue/series b/queue/series
index c0b38fd..777141e 100644
--- a/queue/series
+++ b/queue/series
@@ -70,7 +70,6 @@ usb-xhci-Add-XHCI_TRUST_TX_LENGTH-for-Renesas-uPD720.patch
 timers-Use-deferrable-base-independent-of-base-nohz_.patch
 timers-Invoke-timer_start_debug-where-it-makes-sense.patch
 timers-Reinitialize-per-cpu-bases-on-hotplug.patch
-binder-fix-proc-files-use-after-free.patch
 phy-tegra-fix-device-tree-node-lookups.patch
 drivers-base-cacheinfo-fix-cache-type-for-non-archit.patch
 staging-android-ion-Fix-dma-direction-for-dma_sync_s.patch
diff --git a/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch b/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch
index ff09554..f7fb2c1 100644
--- a/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch
+++ b/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch
@@ -1,4 +1,4 @@
-From fd45bb77ad682be728d1002431d77b8c73342836 Mon Sep 17 00:00:00 2001
+From e91090225903514e0ac6a86fd45c6216acf24d1d Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Fri, 22 Dec 2017 15:51:14 +0100
 Subject: [PATCH] timers: Invoke timer_start_debug() where it makes sense
@@ -21,13 +21,14 @@ Cc: rt@linutronix.de Cc: Paul McKenney <paulmck@linux.vnet.ibm.com> Cc: Anna-Maria Gleixner <anna-maria@linutronix.de> Link: https://lkml.kernel.org/r/20171222145337.792907137@linutronix.de +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> diff --git a/kernel/time/timer.c b/kernel/time/timer.c -index 6be576e02209..89a9e1b4264a 100644 +index 882473e7fe2e..d35f58b8d938 100644 --- a/kernel/time/timer.c +++ b/kernel/time/timer.c -@@ -1007,8 +1007,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option - if (!ret && (options & MOD_TIMER_PENDING_ONLY)) +@@ -982,8 +982,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only) + if (!ret && pending_only) goto out_unlock; - debug_activate(timer, expires); @@ -35,7 +36,7 @@ index 6be576e02209..89a9e1b4264a 100644 new_base = get_target_base(base, timer->flags); if (base != new_base) { -@@ -1032,6 +1030,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option +@@ -1007,6 +1005,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only) } } |