kernel: tty: n_hdlc, fix lockdep false positive

We need this patch to be able to cherry-pick the patch for CVE-2017-2636 from later version. Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-04-19 08:06:17 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-04-19 11:35:12 +0200
commit: 5b9e3eb40ae58e2e489961686b4b317e83f37577 (patch)
tree: 310ba82055020b0b80c6595269cb6dd7f91e6e9f
parent: 4f88be3f5aca8b19343fe093ac2790890e0c36f0 (diff)
download: meta-enea-bsp-arm-5b9e3eb40ae58e2e489961686b4b317e83f37577.tar.gz
2 files changed, 109 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch b/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch
new file mode 100644
index 0000000..1149e4e
--- /dev/null
+++ b/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch
@@ -0,0 +1,108 @@
+From aa1655b3ee03db5fde1bdfd4a64e6fa8c9011d53 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 26 Nov 2015 19:28:26 +0100
+Subject: [PATCH 1/2] TTY: n_hdlc, fix lockdep false positive
+commit e9b736d88af1a143530565929390cadf036dc799 upstream.
+The class of 4 n_hdls buf locks is the same because a single function
+n_hdlc_buf_list_init is used to init all the locks. But since
+flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
+n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
+emits a warning:
+=============================================
+[ INFO: possible recursive locking detected ]
+4.3.0-25.g91e30a7-default #1 Not tainted
+---------------------------------------------
+a.out/1248 is trying to acquire lock:
+ (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
+but task is already holding lock:
+ (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+       CPU0
+       ----
+  lock(&(&list->spinlock)->rlock);
+  lock(&(&list->spinlock)->rlock);
+ *** DEADLOCK ***
+ May be due to missing lock nesting notation
+2 locks held by a.out/1248:
+ #0:  (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
+ #1:  (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
+...
+Call Trace:
+...
+ [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
+ [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
+ [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
+ [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
+...
+Fix it by initializing the spin_locks separately. This removes also
+reduntand memset of a freshly kzallocated space.
+Upstream-Status: Backport
+[We need this patch to be able to cherry-pick the patch for
+CVE-2017-2636 from later version.]
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/tty/n_hdlc.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
+index 1b2db9a..f26657c 100644
+--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
+@@ -159,7 +159,6 @@ struct n_hdlc {
+ /*
+  * HDLC buffer list manipulation functions
+  */
+-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
+ static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
+                           struct n_hdlc_buf *buf);
+ static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
+@@ -855,10 +854,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
+ 
+        memset(n_hdlc, 0, sizeof(*n_hdlc));
+ 
+-       n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
+-       n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
+-       n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
+-       n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
+       spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
+       spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
+       spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
+       spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
+        
+        /* allocate free rx buffer list */
+        for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
+@@ -887,16 +886,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
+ }      /* end of n_hdlc_alloc() */
+ 
+ /**
+- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
+- * @list - pointer to buffer list
+- */
+-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
+-{
+-       memset(list, 0, sizeof(*list));
+-       spin_lock_init(&list->spinlock);
+-}      /* end of n_hdlc_buf_list_init() */
+-
+-/**
+  * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
+  * @list - pointer to buffer list
+  * @buf        - pointer to buffer
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend
index 2bfa59c..acf04cf 100644
--- a/recipes-kernel/linux/linux-ls1_3.12.bbappend
+++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -10,6 +10,7 @@ SRC_URI += "file://ls1021aiot.dts \
            file://CVE-2016-3136.patch \
            file://CVE-2016-5195.patch \
            file://CVE-2016-6480.patch \
+            file://0001-CVE-2017-2636.patch \
           "
 # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-04-19 08:06:17 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-04-19 11:35:12 +0200
commit	5b9e3eb40ae58e2e489961686b4b317e83f37577 (patch)
tree	310ba82055020b0b80c6595269cb6dd7f91e6e9f
parent	4f88be3f5aca8b19343fe093ac2790890e0c36f0 (diff)
download	meta-enea-bsp-arm-5b9e3eb40ae58e2e489961686b4b317e83f37577.tar.gz

diff --git a/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch b/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch new file mode 100644 index 0000000..1149e4e --- /dev/null +++ b/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch
@@ -0,0 +1,108 @@
		1	From aa1655b3ee03db5fde1bdfd4a64e6fa8c9011d53 Mon Sep 17 00:00:00 2001
		2	From: Jiri Slaby <jslaby@suse.cz>
		3	Date: Thu, 26 Nov 2015 19:28:26 +0100
		4	Subject: [PATCH 1/2] TTY: n_hdlc, fix lockdep false positive
		5
		6	commit e9b736d88af1a143530565929390cadf036dc799 upstream.
		7
		8	The class of 4 n_hdls buf locks is the same because a single function
		9	n_hdlc_buf_list_init is used to init all the locks. But since
		10	flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
		11	n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
		12	emits a warning:
		13	=============================================
		14	[ INFO: possible recursive locking detected ]
		15	4.3.0-25.g91e30a7-default #1 Not tainted
		16	---------------------------------------------
		17	a.out/1248 is trying to acquire lock:
		18	(&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
		19
		20	but task is already holding lock:
		21	(&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
		22
		23	other info that might help us debug this:
		24	Possible unsafe locking scenario:
		25
		26	CPU0
		27	----
		28	lock(&(&list->spinlock)->rlock);
		29	lock(&(&list->spinlock)->rlock);
		30
		31	* DEADLOCK *
		32
		33	May be due to missing lock nesting notation
		34
		35	2 locks held by a.out/1248:
		36	#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
		37	#1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
		38	...
		39	Call Trace:
		40	...
		41	[<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
		42	[<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
		43	[<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
		44	[<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
		45	...
		46
		47	Fix it by initializing the spin_locks separately. This removes also
		48	reduntand memset of a freshly kzallocated space.
		49
		50	Upstream-Status: Backport
		51	[We need this patch to be able to cherry-pick the patch for
		52	CVE-2017-2636 from later version.]
		53
		54	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		55	Reported-by: Dmitry Vyukov <dvyukov@google.com>
		56	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		57	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		58	---
		59	drivers/tty/n_hdlc.c \| 19 ++++---------------
		60	1 file changed, 4 insertions(+), 15 deletions(-)
		61
		62	diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
		63	index 1b2db9a..f26657c 100644
		64	--- a/drivers/tty/n_hdlc.c
		65	+++ b/drivers/tty/n_hdlc.c
		66	@@ -159,7 +159,6 @@ struct n_hdlc {
		67	/*
		68	* HDLC buffer list manipulation functions
		69	*/
		70	-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
		71	static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
		72	struct n_hdlc_buf *buf);
		73	static struct n_hdlc_buf n_hdlc_buf_get(struct n_hdlc_buf_list list);
		74	@@ -855,10 +854,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
		75
		76	memset(n_hdlc, 0, sizeof(*n_hdlc));
		77
		78	- n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
		79	- n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
		80	- n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
		81	- n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
		82	+ spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
		83	+ spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
		84	+ spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
		85	+ spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
		86
		87	/* allocate free rx buffer list */
		88	for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
		89	@@ -887,16 +886,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
		90	} /* end of n_hdlc_alloc() */
		91
		92	/**
		93	- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
		94	- * @list - pointer to buffer list
		95	- */
		96	-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
		97	-{
		98	- memset(list, 0, sizeof(*list));
		99	- spin_lock_init(&list->spinlock);
		100	-} /* end of n_hdlc_buf_list_init() */
		101	-
		102	-/**
		103	* n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
		104	* @list - pointer to buffer list
		105	* @buf - pointer to buffer
		106	--
		107	1.9.1
		108


diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend index 2bfa59c..acf04cf 100644 --- a/recipes-kernel/linux/linux-ls1_3.12.bbappend +++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -10,6 +10,7 @@ SRC_URI += "file://ls1021aiot.dts \
10	file://CVE-2016-3136.patch \	10	file://CVE-2016-3136.patch \
11	file://CVE-2016-5195.patch \	11	file://CVE-2016-5195.patch \
12	file://CVE-2016-6480.patch \	12	file://CVE-2016-6480.patch \
		13	file://0001-CVE-2017-2636.patch \
13	"	14	"
14		15
15	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"	16	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"