linux-toradex.git/drivers/staging, branch v4.16 Linux kernel for Apalis and Colibri modules staging: ncpfs: memory corruption in ncp_read_kernel() 2018-03-19T15:31:39+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-03-19T11:07:45+00:00 4c41aa24baa4ed338241d05494f2c595c885af8f If the server is malicious then *bytes_read could be larger than the size of the "target" buffer. It would lead to memory corruption when we do the memcpy(). Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
If the server is malicious then *bytes_read could be larger than the
size of the "target" buffer.  It would lead to memory corruption when we
do the memcpy().

Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: android: ashmem: Fix possible deadlock in ashmem_ioctl 2018-03-06T15:21:10+00:00 Yisheng Xie xieyisheng1@huawei.com 2018-02-28T06:59:22+00:00 740a5759bf222332fbb5eda42f89aa25ba38f9b2 ashmem_mutex may create a chain of dependencies like: CPU0 CPU1 mmap syscall ioctl syscall -> mmap_sem (acquired) -> ashmem_ioctl -> ashmem_mmap -> ashmem_mutex (acquired) -> ashmem_mutex (try to acquire) -> copy_from_user -> mmap_sem (try to acquire) There is a lock odering problem between mmap_sem and ashmem_mutex causing a lockdep splat[1] during a syzcaller test. This patch fixes the problem by move copy_from_user out of ashmem_mutex. [1] https://www.spinics.net/lists/kernel/msg2733200.html Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls) Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
ashmem_mutex may create a chain of dependencies like:

CPU0                                    CPU1
 mmap syscall                           ioctl syscall
 -> mmap_sem (acquired)                 -> ashmem_ioctl
 -> ashmem_mmap                            -> ashmem_mutex (acquired)
    -> ashmem_mutex (try to acquire)       -> copy_from_user
                                              -> mmap_sem (try to acquire)

There is a lock odering problem between mmap_sem and ashmem_mutex causing
a lockdep splat[1] during a syzcaller test. This patch fixes the problem
by move copy_from_user out of ashmem_mutex.

[1] https://www.spinics.net/lists/kernel/msg2733200.html

Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls)
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: fix comedi_nsamples_left. 2018-03-06T15:21:10+00:00 Frank Mori Hess fmh6jj@gmail.com 2018-02-15T20:13:42+00:00 a42ae5905140c324362fe5036ae1dbb16e4d359c A rounding error was causing comedi_nsamples_left to return the wrong value when nsamples was not a multiple of the scan length. Cc: <stable@vger.kernel.org> # v4.4+ Signed-off-by: Frank Mori Hess <fmh6jj@gmail.com> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
A rounding error was causing comedi_nsamples_left to
return the wrong value when nsamples was not a multiple
of the scan length.

Cc: <stable@vger.kernel.org> # v4.4+
Signed-off-by: Frank Mori Hess <fmh6jj@gmail.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: android: ashmem: Fix lockdep issue during llseek 2018-03-01T16:37:07+00:00 Joel Fernandes joelaf@google.com 2018-02-16T19:02:01+00:00 cb57469c9573f6018cd1302953dd45d6e05aba7b ashmem_mutex create a chain of dependencies like so: (1) mmap syscall -> mmap_sem -> (acquired) ashmem_mmap ashmem_mutex (try to acquire) (block) (2) llseek syscall -> ashmem_llseek -> ashmem_mutex -> (acquired) inode_lock -> inode->i_rwsem (try to acquire) (block) (3) getdents -> iterate_dir -> inode_lock -> inode->i_rwsem (acquired) copy_to_user -> mmap_sem (try to acquire) There is a lock ordering created between mmap_sem and inode->i_rwsem causing a lockdep splat [2] during a syzcaller test, this patch fixes the issue by unlocking the mutex earlier. Functionally that's Ok since we don't need to protect vfs_llseek. [1] https://patchwork.kernel.org/patch/10185031/ [2] https://lkml.org/lkml/2018/1/10/48 Acked-by: Todd Kjos <tkjos@google.com> Cc: Arve Hjonnevag <arve@android.com> Cc: stable@vger.kernel.org Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com Signed-off-by: Joel Fernandes <joelaf@google.com> Acked-by: Greg Hackmann <ghackmann@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
ashmem_mutex create a chain of dependencies like so:

(1)
mmap syscall ->
  mmap_sem ->  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall ->
  ashmem_llseek ->
  ashmem_mutex ->  (acquired)
  inode_lock ->
  inode->i_rwsem (try to acquire)
  (block)

(3)
getdents ->
  iterate_dir ->
  inode_lock ->
  inode->i_rwsem   (acquired)
  copy_to_user ->
  mmap_sem         (try to acquire)

There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzcaller test, this patch fixes
the issue by unlocking the mutex earlier. Functionally that's Ok since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Acked-by: Todd Kjos <tkjos@google.com>
Cc: Arve Hjonnevag <arve@android.com>
Cc: stable@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes <joelaf@google.com>
Acked-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'staging-4.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging 2018-02-22T20:05:43+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-02-22T20:05:43+00:00 77f892eb46aa2e8680fe6b3ba68b53c3ca2067d4 Pull staging/IIO fixes from Greg KH: "Here are a small number of staging and iio driver fixes for 4.16-rc2. The IIO fixes are all for reported things, and the android driver fixes also resolve some reported problems. The remaining fsl-mc Kconfig change resolves a build testing error that Arnd reported. All of these have been in linux-next with no reported issues" * tag 'staging-4.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: iio: buffer: check if a buffer has been set up when poll is called iio: adis_lib: Initialize trigger before requesting interrupt staging: android: ion: Zero CMA allocated memory staging: android: ashmem: Fix a race condition in pin ioctls staging: fsl-mc: fix build testing on x86 iio: srf08: fix link error "devm_iio_triggered_buffer_setup" undefined staging: iio: ad5933: switch buffer mode to software iio: adc: stm32: fix stm32h7_adc_enable error handling staging: iio: adc: ad7192: fix external frequency setting iio: adc: aspeed: Fix error handling path 
Pull staging/IIO fixes from Greg KH:
 "Here are a small number of staging and iio driver fixes for 4.16-rc2.

  The IIO fixes are all for reported things, and the android driver
  fixes also resolve some reported problems. The remaining fsl-mc
  Kconfig change resolves a build testing error that Arnd reported.

  All of these have been in linux-next with no reported issues"

* tag 'staging-4.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  iio: buffer: check if a buffer has been set up when poll is called
  iio: adis_lib: Initialize trigger before requesting interrupt
  staging: android: ion: Zero CMA allocated memory
  staging: android: ashmem: Fix a race condition in pin ioctls
  staging: fsl-mc: fix build testing on x86
  iio: srf08: fix link error "devm_iio_triggered_buffer_setup" undefined
  staging: iio: ad5933: switch buffer mode to software
  iio: adc: stm32: fix stm32h7_adc_enable error handling
  staging: iio: adc: ad7192: fix external frequency setting
  iio: adc: aspeed: Fix error handling path
Merge tag 'iio-fixes-for-4.16a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus 2018-02-20T09:03:22+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-02-20T09:03:22+00:00 c6754712e05317923e3f67ac01d45c7d5ec6f79f Jonathan writes: First round of IIO fixes for the 4.16 cycle. One nasty very old crash around polling for buffers that aren't there - though that can only cause effects on drivers that support events but not buffers. * buffer / kfifo handling in the core. - Check there is a buffer and return 0 from poll directly if there isn't. Poll doesn't make sense in this circumstances, but best to close the hole. * ad5933 - Change the marked buffer mode to a software buffer as the meaning of the hardware buffer label has long since changed and this uses a front end software buffer anyway. * ad7192 - Fix the fact the external clock frequency was only set when using the internal clock which was less than helpful. * adis_lib - Initialize the trigger before requesting the interrupt. Some newer parts can power up with interrupt generation enabled so ordering now matters. * aspeed-adc - Fix an errror handling path as labels and general ordering were wrong. * srf08 - Fix a link error due to undefined devm_iio_triggered_buffer_setup. * stm32-adc - Fix error handling unwind squence in stm32h7_adc_enable. 
Jonathan writes:

First round of IIO fixes for the 4.16 cycle.

One nasty very old crash around polling for buffers that aren't there
- though that can only cause effects on drivers that support events
but not buffers.

* buffer / kfifo handling in the core.
  - Check there is a buffer and return 0 from poll directly if there
    isn't.  Poll doesn't make sense in this circumstances, but best to close
    the hole.
* ad5933
  - Change the marked buffer mode to a software buffer as the meaning of
    the hardware buffer label has long since changed and this uses a front
    end software buffer anyway.
* ad7192
  - Fix the fact the external clock frequency was only set when using the
    internal clock which was less than helpful.
* adis_lib
  - Initialize the trigger before requesting the interrupt.  Some newer
    parts can power up with interrupt generation enabled so ordering now
    matters.
* aspeed-adc
  - Fix an errror handling path as labels and general ordering were wrong.
* srf08
  - Fix a link error due to undefined devm_iio_triggered_buffer_setup.
* stm32-adc
  - Fix error handling unwind squence in stm32h7_adc_enable.
staging: android: ion: Zero CMA allocated memory 2018-02-16T16:50:09+00:00 Liam Mark lmark@codeaurora.org 2018-01-26T17:48:18+00:00 6d79bd5bb6c79a9dba4842040c9adf39e7806330 Since commit 204f672255c2 ("staging: android: ion: Use CMA APIs directly") the CMA API is now used directly and therefore the allocated memory is no longer automatically zeroed. Explicitly zero CMA allocated memory to ensure that no data is exposed to userspace. Fixes: 204f672255c2 ("staging: android: ion: Use CMA APIs directly") Signed-off-by: Liam Mark <lmark@codeaurora.org> Acked-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Since commit 204f672255c2 ("staging: android: ion: Use CMA APIs directly")
the CMA API is now used directly and therefore the allocated memory is no
longer automatically zeroed.

Explicitly zero CMA allocated memory to ensure that no data is exposed to
userspace.

Fixes: 204f672255c2 ("staging: android: ion: Use CMA APIs directly")
Signed-off-by: Liam Mark <lmark@codeaurora.org>
Acked-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: android: ashmem: Fix a race condition in pin ioctls 2018-02-16T16:50:09+00:00 Ben Hutchings ben@decadent.org.uk 2018-02-04T02:06:27+00:00 ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 ashmem_pin_unpin() reads asma->file and asma->size before taking the ashmem_mutex, so it can race with other operations that modify them. Build-tested only. Cc: stable@vger.kernel.org Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
ashmem_pin_unpin() reads asma->file and asma->size before taking the
ashmem_mutex, so it can race with other operations that modify them.

Build-tested only.

Cc: stable@vger.kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: fsl-mc: fix build testing on x86 2018-02-16T16:50:09+00:00 Arnd Bergmann arnd@arndb.de 2018-02-16T15:36:04+00:00 02b7b2844c2ffd3b614ec2b9293e8c7f041d60da Selecting GENERIC_MSI_IRQ_DOMAIN on x86 causes a compile-time error in some configurations: drivers/base/platform-msi.c:37:19: error: field 'arg' has incomplete type On the other architectures, we are fine, but here we should have an additional dependency on X86_LOCAL_APIC so we can get the PCI_MSI_IRQ_DOMAIN symbol. Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Selecting GENERIC_MSI_IRQ_DOMAIN on x86 causes a compile-time error in
some configurations:

drivers/base/platform-msi.c:37:19: error: field 'arg' has incomplete type

On the other architectures, we are fine, but here we should have an additional
dependency on X86_LOCAL_APIC so we can get the PCI_MSI_IRQ_DOMAIN symbol.

Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
irqchip/gic-v3: Ignore disabled ITS nodes 2018-02-16T13:47:58+00:00 Stephen Boyd sboyd@codeaurora.org 2018-02-01T17:03:29+00:00 95a2562590c2f64a0398183f978d5cf3db6d0284 On some platforms there's an ITS available but it's not enabled because reading or writing the registers is denied by the firmware. In fact, reading or writing them will cause the system to reset. We could remove the node from DT in such a case, but it's better to skip nodes that are marked as "disabled" in DT so that we can describe the hardware that exists and use the status property to indicate how the firmware has configured things. Cc: Stuart Yoder <stuyoder@gmail.com> Cc: Laurentiu Tudor <laurentiu.tudor@nxp.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Marc Zyngier <marc.zyngier@arm.com> Cc: Rajendra Nayak <rnayak@codeaurora.org> Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> 
On some platforms there's an ITS available but it's not enabled
because reading or writing the registers is denied by the
firmware. In fact, reading or writing them will cause the system
to reset. We could remove the node from DT in such a case, but
it's better to skip nodes that are marked as "disabled" in DT so
that we can describe the hardware that exists and use the status
property to indicate how the firmware has configured things.

Cc: Stuart Yoder <stuyoder@gmail.com>
Cc: Laurentiu Tudor <laurentiu.tudor@nxp.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Rajendra Nayak <rnayak@codeaurora.org>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>