diff options
Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch | 108 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-ls1_3.12.bbappend | 1 |
2 files changed, 109 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch b/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch new file mode 100644 index 0000000..1149e4e --- /dev/null +++ b/recipes-kernel/linux/linux-ls1/0001-CVE-2017-2636.patch | |||
@@ -0,0 +1,108 @@ | |||
1 | From aa1655b3ee03db5fde1bdfd4a64e6fa8c9011d53 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jiri Slaby <jslaby@suse.cz> | ||
3 | Date: Thu, 26 Nov 2015 19:28:26 +0100 | ||
4 | Subject: [PATCH 1/2] TTY: n_hdlc, fix lockdep false positive | ||
5 | |||
6 | commit e9b736d88af1a143530565929390cadf036dc799 upstream. | ||
7 | |||
8 | The class of 4 n_hdls buf locks is the same because a single function | ||
9 | n_hdlc_buf_list_init is used to init all the locks. But since | ||
10 | flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls | ||
11 | n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep | ||
12 | emits a warning: | ||
13 | ============================================= | ||
14 | [ INFO: possible recursive locking detected ] | ||
15 | 4.3.0-25.g91e30a7-default #1 Not tainted | ||
16 | --------------------------------------------- | ||
17 | a.out/1248 is trying to acquire lock: | ||
18 | (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc] | ||
19 | |||
20 | but task is already holding lock: | ||
21 | (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc] | ||
22 | |||
23 | other info that might help us debug this: | ||
24 | Possible unsafe locking scenario: | ||
25 | |||
26 | CPU0 | ||
27 | ---- | ||
28 | lock(&(&list->spinlock)->rlock); | ||
29 | lock(&(&list->spinlock)->rlock); | ||
30 | |||
31 | *** DEADLOCK *** | ||
32 | |||
33 | May be due to missing lock nesting notation | ||
34 | |||
35 | 2 locks held by a.out/1248: | ||
36 | #0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50 | ||
37 | #1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc] | ||
38 | ... | ||
39 | Call Trace: | ||
40 | ... | ||
41 | [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70 | ||
42 | [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc] | ||
43 | [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc] | ||
44 | [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40 | ||
45 | ... | ||
46 | |||
47 | Fix it by initializing the spin_locks separately. This removes also | ||
48 | reduntand memset of a freshly kzallocated space. | ||
49 | |||
50 | Upstream-Status: Backport | ||
51 | [We need this patch to be able to cherry-pick the patch for | ||
52 | CVE-2017-2636 from later version.] | ||
53 | |||
54 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
55 | Reported-by: Dmitry Vyukov <dvyukov@google.com> | ||
56 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
57 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
58 | --- | ||
59 | drivers/tty/n_hdlc.c | 19 ++++--------------- | ||
60 | 1 file changed, 4 insertions(+), 15 deletions(-) | ||
61 | |||
62 | diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c | ||
63 | index 1b2db9a..f26657c 100644 | ||
64 | --- a/drivers/tty/n_hdlc.c | ||
65 | +++ b/drivers/tty/n_hdlc.c | ||
66 | @@ -159,7 +159,6 @@ struct n_hdlc { | ||
67 | /* | ||
68 | * HDLC buffer list manipulation functions | ||
69 | */ | ||
70 | -static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list); | ||
71 | static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, | ||
72 | struct n_hdlc_buf *buf); | ||
73 | static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list); | ||
74 | @@ -855,10 +854,10 @@ static struct n_hdlc *n_hdlc_alloc(void) | ||
75 | |||
76 | memset(n_hdlc, 0, sizeof(*n_hdlc)); | ||
77 | |||
78 | - n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list); | ||
79 | - n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list); | ||
80 | - n_hdlc_buf_list_init(&n_hdlc->rx_buf_list); | ||
81 | - n_hdlc_buf_list_init(&n_hdlc->tx_buf_list); | ||
82 | + spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock); | ||
83 | + spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock); | ||
84 | + spin_lock_init(&n_hdlc->rx_buf_list.spinlock); | ||
85 | + spin_lock_init(&n_hdlc->tx_buf_list.spinlock); | ||
86 | |||
87 | /* allocate free rx buffer list */ | ||
88 | for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) { | ||
89 | @@ -887,16 +886,6 @@ static struct n_hdlc *n_hdlc_alloc(void) | ||
90 | } /* end of n_hdlc_alloc() */ | ||
91 | |||
92 | /** | ||
93 | - * n_hdlc_buf_list_init - initialize specified HDLC buffer list | ||
94 | - * @list - pointer to buffer list | ||
95 | - */ | ||
96 | -static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list) | ||
97 | -{ | ||
98 | - memset(list, 0, sizeof(*list)); | ||
99 | - spin_lock_init(&list->spinlock); | ||
100 | -} /* end of n_hdlc_buf_list_init() */ | ||
101 | - | ||
102 | -/** | ||
103 | * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list | ||
104 | * @list - pointer to buffer list | ||
105 | * @buf - pointer to buffer | ||
106 | -- | ||
107 | 1.9.1 | ||
108 | |||
diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend index 2bfa59c..acf04cf 100644 --- a/recipes-kernel/linux/linux-ls1_3.12.bbappend +++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend | |||
@@ -10,6 +10,7 @@ SRC_URI += "file://ls1021aiot.dts \ | |||
10 | file://CVE-2016-3136.patch \ | 10 | file://CVE-2016-3136.patch \ |
11 | file://CVE-2016-5195.patch \ | 11 | file://CVE-2016-5195.patch \ |
12 | file://CVE-2016-6480.patch \ | 12 | file://CVE-2016-6480.patch \ |
13 | file://0001-CVE-2017-2636.patch \ | ||
13 | " | 14 | " |
14 | 15 | ||
15 | # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch" | 16 | # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch" |