diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-04-03 14:17:23 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-04-05 17:26:02 +0200 |
commit | 6e4fc17f9f61ea63b1241f4d348ea38804ebb74b (patch) | |
tree | 35ab1e394efcf4829aa975c51d56084ea12e4d94 | |
parent | cde07a93953ec678d45b873e02e51810448a776a (diff) | |
download | meta-enea-bsp-ppc-6e4fc17f9f61ea63b1241f4d348ea38804ebb74b.tar.gz |
kernel: tty: n_hdlc, fix lockdep false positive
We need this patch to be able to cherry-pick the patch for
CVE-2017-2636 from later version.
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/0001-CVE-2017-2636.patch | 106 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bbappend | 1 |
2 files changed, 107 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-CVE-2017-2636.patch b/recipes-kernel/linux/files/0001-CVE-2017-2636.patch new file mode 100644 index 0000000..a25dabe --- /dev/null +++ b/recipes-kernel/linux/files/0001-CVE-2017-2636.patch | |||
@@ -0,0 +1,106 @@ | |||
1 | From aa1655b3ee03db5fde1bdfd4a64e6fa8c9011d53 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jiri Slaby <jslaby@suse.cz> | ||
3 | Date: Thu, 26 Nov 2015 19:28:26 +0100 | ||
4 | Subject: [PATCH 1/2] TTY: n_hdlc, fix lockdep false positive | ||
5 | |||
6 | commit e9b736d88af1a143530565929390cadf036dc799 upstream. | ||
7 | |||
8 | The class of 4 n_hdls buf locks is the same because a single function | ||
9 | n_hdlc_buf_list_init is used to init all the locks. But since | ||
10 | flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls | ||
11 | n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep | ||
12 | emits a warning: | ||
13 | ============================================= | ||
14 | [ INFO: possible recursive locking detected ] | ||
15 | 4.3.0-25.g91e30a7-default #1 Not tainted | ||
16 | --------------------------------------------- | ||
17 | a.out/1248 is trying to acquire lock: | ||
18 | (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc] | ||
19 | |||
20 | but task is already holding lock: | ||
21 | (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc] | ||
22 | |||
23 | other info that might help us debug this: | ||
24 | Possible unsafe locking scenario: | ||
25 | |||
26 | CPU0 | ||
27 | ---- | ||
28 | lock(&(&list->spinlock)->rlock); | ||
29 | lock(&(&list->spinlock)->rlock); | ||
30 | |||
31 | *** DEADLOCK *** | ||
32 | |||
33 | May be due to missing lock nesting notation | ||
34 | |||
35 | 2 locks held by a.out/1248: | ||
36 | #0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50 | ||
37 | #1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc] | ||
38 | ... | ||
39 | Call Trace: | ||
40 | ... | ||
41 | [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70 | ||
42 | [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc] | ||
43 | [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc] | ||
44 | [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40 | ||
45 | ... | ||
46 | |||
47 | Fix it by initializing the spin_locks separately. This removes also | ||
48 | reduntand memset of a freshly kzallocated space. | ||
49 | |||
50 | Upstream-Status: Backport | ||
51 | |||
52 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
53 | Reported-by: Dmitry Vyukov <dvyukov@google.com> | ||
54 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
55 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
56 | --- | ||
57 | drivers/tty/n_hdlc.c | 19 ++++--------------- | ||
58 | 1 file changed, 4 insertions(+), 15 deletions(-) | ||
59 | |||
60 | diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c | ||
61 | index 1b2db9a..f26657c 100644 | ||
62 | --- a/drivers/tty/n_hdlc.c | ||
63 | +++ b/drivers/tty/n_hdlc.c | ||
64 | @@ -159,7 +159,6 @@ struct n_hdlc { | ||
65 | /* | ||
66 | * HDLC buffer list manipulation functions | ||
67 | */ | ||
68 | -static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list); | ||
69 | static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, | ||
70 | struct n_hdlc_buf *buf); | ||
71 | static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list); | ||
72 | @@ -855,10 +854,10 @@ static struct n_hdlc *n_hdlc_alloc(void) | ||
73 | |||
74 | memset(n_hdlc, 0, sizeof(*n_hdlc)); | ||
75 | |||
76 | - n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list); | ||
77 | - n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list); | ||
78 | - n_hdlc_buf_list_init(&n_hdlc->rx_buf_list); | ||
79 | - n_hdlc_buf_list_init(&n_hdlc->tx_buf_list); | ||
80 | + spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock); | ||
81 | + spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock); | ||
82 | + spin_lock_init(&n_hdlc->rx_buf_list.spinlock); | ||
83 | + spin_lock_init(&n_hdlc->tx_buf_list.spinlock); | ||
84 | |||
85 | /* allocate free rx buffer list */ | ||
86 | for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) { | ||
87 | @@ -887,16 +886,6 @@ static struct n_hdlc *n_hdlc_alloc(void) | ||
88 | } /* end of n_hdlc_alloc() */ | ||
89 | |||
90 | /** | ||
91 | - * n_hdlc_buf_list_init - initialize specified HDLC buffer list | ||
92 | - * @list - pointer to buffer list | ||
93 | - */ | ||
94 | -static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list) | ||
95 | -{ | ||
96 | - memset(list, 0, sizeof(*list)); | ||
97 | - spin_lock_init(&list->spinlock); | ||
98 | -} /* end of n_hdlc_buf_list_init() */ | ||
99 | - | ||
100 | -/** | ||
101 | * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list | ||
102 | * @list - pointer to buffer list | ||
103 | * @buf - pointer to buffer | ||
104 | -- | ||
105 | 1.9.1 | ||
106 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index 703bdc0..6b173cd 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend | |||
@@ -12,5 +12,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \ | |||
12 | file://ring-buffer-CVE-2016-9754.patch \ | 12 | file://ring-buffer-CVE-2016-9754.patch \ |
13 | file://tmpfs-CVE-2016-7097.patch \ | 13 | file://tmpfs-CVE-2016-7097.patch \ |
14 | file://tmpfs-CVE-2017-5551.patch \ | 14 | file://tmpfs-CVE-2017-5551.patch \ |
15 | file://0001-CVE-2017-2636.patch \ | ||
15 | " | 16 | " |
16 | 17 | ||