kernel: tty: n_hdlc, fix lockdep false positive

We need this patch to be able to cherry-pick the patch for CVE-2017-2636 from later version. Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-04-03 14:17:23 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-04-05 17:26:02 +0200
commit: 6e4fc17f9f61ea63b1241f4d348ea38804ebb74b (patch)
tree: 35ab1e394efcf4829aa975c51d56084ea12e4d94
parent: cde07a93953ec678d45b873e02e51810448a776a (diff)
download: meta-enea-bsp-ppc-6e4fc17f9f61ea63b1241f4d348ea38804ebb74b.tar.gz
2 files changed, 107 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-CVE-2017-2636.patch b/recipes-kernel/linux/files/0001-CVE-2017-2636.patch
new file mode 100644
index 0000000..a25dabe
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-CVE-2017-2636.patch
@@ -0,0 +1,106 @@
+From aa1655b3ee03db5fde1bdfd4a64e6fa8c9011d53 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 26 Nov 2015 19:28:26 +0100
+Subject: [PATCH 1/2] TTY: n_hdlc, fix lockdep false positive
+commit e9b736d88af1a143530565929390cadf036dc799 upstream.
+The class of 4 n_hdls buf locks is the same because a single function
+n_hdlc_buf_list_init is used to init all the locks. But since
+flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
+n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
+emits a warning:
+=============================================
+[ INFO: possible recursive locking detected ]
+4.3.0-25.g91e30a7-default #1 Not tainted
+---------------------------------------------
+a.out/1248 is trying to acquire lock:
+ (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
+but task is already holding lock:
+ (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+       CPU0
+       ----
+  lock(&(&list->spinlock)->rlock);
+  lock(&(&list->spinlock)->rlock);
+ *** DEADLOCK ***
+ May be due to missing lock nesting notation
+2 locks held by a.out/1248:
+ #0:  (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
+ #1:  (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
+...
+Call Trace:
+...
+ [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
+ [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
+ [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
+ [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
+...
+Fix it by initializing the spin_locks separately. This removes also
+reduntand memset of a freshly kzallocated space.
+Upstream-Status: Backport
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/tty/n_hdlc.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
+index 1b2db9a..f26657c 100644
+--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
+@@ -159,7 +159,6 @@ struct n_hdlc {
+ /*
+  * HDLC buffer list manipulation functions
+  */
+-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
+ static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
+                           struct n_hdlc_buf *buf);
+ static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
+@@ -855,10 +854,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
+ 
+        memset(n_hdlc, 0, sizeof(*n_hdlc));
+ 
+-       n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
+-       n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
+-       n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
+-       n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
+       spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
+       spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
+       spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
+       spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
+        
+        /* allocate free rx buffer list */
+        for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
+@@ -887,16 +886,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
+ }      /* end of n_hdlc_alloc() */
+ 
+ /**
+- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
+- * @list - pointer to buffer list
+- */
+-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
+-{
+-       memset(list, 0, sizeof(*list));
+-       spin_lock_init(&list->spinlock);
+-}      /* end of n_hdlc_buf_list_init() */
+-
+-/**
+  * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
+  * @list - pointer to buffer list
+  * @buf        - pointer to buffer
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
index 703bdc0..6b173cd 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -12,5 +12,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \
            file://ring-buffer-CVE-2016-9754.patch \
            file://tmpfs-CVE-2016-7097.patch \
            file://tmpfs-CVE-2017-5551.patch \
+            file://0001-CVE-2017-2636.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-04-03 14:17:23 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-04-05 17:26:02 +0200
commit	6e4fc17f9f61ea63b1241f4d348ea38804ebb74b (patch)
tree	35ab1e394efcf4829aa975c51d56084ea12e4d94
parent	cde07a93953ec678d45b873e02e51810448a776a (diff)
download	meta-enea-bsp-ppc-6e4fc17f9f61ea63b1241f4d348ea38804ebb74b.tar.gz

diff --git a/recipes-kernel/linux/files/0001-CVE-2017-2636.patch b/recipes-kernel/linux/files/0001-CVE-2017-2636.patch new file mode 100644 index 0000000..a25dabe --- /dev/null +++ b/recipes-kernel/linux/files/0001-CVE-2017-2636.patch
@@ -0,0 +1,106 @@
		1	From aa1655b3ee03db5fde1bdfd4a64e6fa8c9011d53 Mon Sep 17 00:00:00 2001
		2	From: Jiri Slaby <jslaby@suse.cz>
		3	Date: Thu, 26 Nov 2015 19:28:26 +0100
		4	Subject: [PATCH 1/2] TTY: n_hdlc, fix lockdep false positive
		5
		6	commit e9b736d88af1a143530565929390cadf036dc799 upstream.
		7
		8	The class of 4 n_hdls buf locks is the same because a single function
		9	n_hdlc_buf_list_init is used to init all the locks. But since
		10	flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
		11	n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
		12	emits a warning:
		13	=============================================
		14	[ INFO: possible recursive locking detected ]
		15	4.3.0-25.g91e30a7-default #1 Not tainted
		16	---------------------------------------------
		17	a.out/1248 is trying to acquire lock:
		18	(&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
		19
		20	but task is already holding lock:
		21	(&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
		22
		23	other info that might help us debug this:
		24	Possible unsafe locking scenario:
		25
		26	CPU0
		27	----
		28	lock(&(&list->spinlock)->rlock);
		29	lock(&(&list->spinlock)->rlock);
		30
		31	* DEADLOCK *
		32
		33	May be due to missing lock nesting notation
		34
		35	2 locks held by a.out/1248:
		36	#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
		37	#1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
		38	...
		39	Call Trace:
		40	...
		41	[<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
		42	[<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
		43	[<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
		44	[<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
		45	...
		46
		47	Fix it by initializing the spin_locks separately. This removes also
		48	reduntand memset of a freshly kzallocated space.
		49
		50	Upstream-Status: Backport
		51
		52	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		53	Reported-by: Dmitry Vyukov <dvyukov@google.com>
		54	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		55	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		56	---
		57	drivers/tty/n_hdlc.c \| 19 ++++---------------
		58	1 file changed, 4 insertions(+), 15 deletions(-)
		59
		60	diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
		61	index 1b2db9a..f26657c 100644
		62	--- a/drivers/tty/n_hdlc.c
		63	+++ b/drivers/tty/n_hdlc.c
		64	@@ -159,7 +159,6 @@ struct n_hdlc {
		65	/*
		66	* HDLC buffer list manipulation functions
		67	*/
		68	-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
		69	static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
		70	struct n_hdlc_buf *buf);
		71	static struct n_hdlc_buf n_hdlc_buf_get(struct n_hdlc_buf_list list);
		72	@@ -855,10 +854,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
		73
		74	memset(n_hdlc, 0, sizeof(*n_hdlc));
		75
		76	- n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
		77	- n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
		78	- n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
		79	- n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
		80	+ spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
		81	+ spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
		82	+ spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
		83	+ spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
		84
		85	/* allocate free rx buffer list */
		86	for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
		87	@@ -887,16 +886,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
		88	} /* end of n_hdlc_alloc() */
		89
		90	/**
		91	- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
		92	- * @list - pointer to buffer list
		93	- */
		94	-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
		95	-{
		96	- memset(list, 0, sizeof(*list));
		97	- spin_lock_init(&list->spinlock);
		98	-} /* end of n_hdlc_buf_list_init() */
		99	-
		100	-/**
		101	* n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
		102	* @list - pointer to buffer list
		103	* @buf - pointer to buffer
		104	--
		105	1.9.1
		106


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index 703bdc0..6b173cd 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -12,5 +12,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \
12	file://ring-buffer-CVE-2016-9754.patch \	12	file://ring-buffer-CVE-2016-9754.patch \
13	file://tmpfs-CVE-2016-7097.patch \	13	file://tmpfs-CVE-2016-7097.patch \
14	file://tmpfs-CVE-2017-5551.patch \	14	file://tmpfs-CVE-2017-5551.patch \
		15	file://0001-CVE-2017-2636.patch \
15	"	16	"
16		17