ARM: CVE-2018-9415

ARM: amba: Fix race condition with driver_override

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=272c99cf85a371401b78f3c56a18745bf07817a3

Change-Id: I0c3cb9be270970fc21a11773c3710cfc61079d69
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 82 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 788052b..491ffe4 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -6,3 +6,6 @@ SRC_URI += "file://CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets
 
 #CVEs fixed in 4.9.96:
 SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"
+
+#CVEs fixed in 4.9.98:
+SRC_URI += "file://CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch"
diff --git a/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch
new file mode 100644
index 0000000..b488bae
--- /dev/null
+++ b/patches/cve/CVE-2018-9415-ARM-amba-Fix-race-condition-with-driver_override.patch
@@ -0,0 +1,79 @@
+From 1869844a1fe2365f5f56513e610b912f0744722a Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Thu, 25 Oct 2018 14:57:58 +0200
+Subject: [PATCH] ARM: amba: Fix race condition with driver_override
+
+commit 6a7228d90d42bcacfe38786756ba62762b91c20a upstream.
+
+The driver_override implementation is susceptible to a race condition
+when different threads are reading vs storing a different driver
+override.  Add locking to avoid this race condition.
+
+Cfr. commits 6265539776a0810b ("driver core: platform: fix race
+condition with driver_override") and 9561475db680f714 ("PCI: Fix race
+condition with driver_override").
+
+Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
+
+CVE: CVE-2018-9415
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=272c99cf85a371401b78f3c56a18745bf07817a3]
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+
+---
+ drivers/amba/bus.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
+index a56fa2a1e9aa..6234a0fda40e 100644
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -69,11 +69,15 @@ static ssize_t driver_override_show(struct device *_dev,
+                                    struct device_attribute *attr, char *buf)
+ {
+        struct amba_device *dev = to_amba_device(_dev);
++       ssize_t len;
+ 
+        if (!dev->driver_override)
+                return 0;
+ 
+-       return sprintf(buf, "%s\n", dev->driver_override);
++       device_lock(_dev);
++       len = sprintf(buf, "%s\n", dev->driver_override);
++       device_unlock(_dev);
++       return len;
+ }
+ 
+ static ssize_t driver_override_store(struct device *_dev,
+@@ -81,7 +85,7 @@ static ssize_t driver_override_store(struct device *_dev,
+                                     const char *buf, size_t count)
+ {
+        struct amba_device *dev = to_amba_device(_dev);
+-       char *driver_override, *old = dev->driver_override, *cp;
++       char *driver_override, *old, *cp;
+ 
+        if (count > PATH_MAX)
+                return -EINVAL;
+@@ -94,12 +98,15 @@ static ssize_t driver_override_store(struct device *_dev,
+        if (cp)
+                *cp = '\0';
+ 
++       device_lock(_dev);
++       old = dev->driver_override;
+        if (strlen(driver_override)) {
+                dev->driver_override = driver_override;
+        } else {
+               kfree(driver_override);
+               dev->driver_override = NULL;
+        }
++       device_unlock(_dev);
+ 
+        kfree(old);
+ 
+
+