Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.77 2018-11-27T15:13:09+00:00 2018-11-27T15:13:09+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-10-26T07:19:51+00:00 urn:sha1:8600660ce149b32961d0f298eb6cd1c22a161fb1 commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream. I was trying to solve a double free but I introduced a more serious NULL dereference bug. The problem is that if there is an IRQ which triggers immediately, then we need "info->uio_dev" but it's not set yet. This patch puts the original initialization back to how it was and just sets info->uio_dev to NULL on the error path so it should solve both the Oops and the double free. Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") Reported-by: Mathias Thore <Mathias.Thore@infinera.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable <stable@vger.kernel.org> Tested-by: Mathias Thore <Mathias.Thore@infinera.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-13T19:08:37+00:00 Alexandre Belloni alexandre.belloni@bootlin.com 2018-08-16T07:39:41+00:00 urn:sha1:c21099be02331a82c28a7bad1d956b6cd64a3782 [ Upstream commit ae61cf5b9913027c6953a79ed3894da4f47061bd ] When both uio and the uio drivers are built in the kernel, it is possible for a driver to register devices before the uio class is registered. This may result in a NULL pointer dereference later on in get_device_parent() when accessing the class glue_dirs spinlock. The trace looks like that: Unable to handle kernel NULL pointer dereference at virtual address 00000140 [...] [<ffff0000089cc234>] _raw_spin_lock+0x14/0x48 [<ffff0000084f56bc>] device_add+0x154/0x6a0 [<ffff0000084f5e48>] device_create_groups_vargs+0x120/0x128 [<ffff0000084f5edc>] device_create+0x54/0x60 [<ffff0000086e72c0>] __uio_register_device+0x120/0x4a8 [<ffff000008528b7c>] jaguar2_pci_probe+0x2d4/0x558 [<ffff0000083fc18c>] local_pci_probe+0x3c/0xb8 [<ffff0000083fd81c>] pci_device_probe+0x11c/0x180 [<ffff0000084f88bc>] driver_probe_device+0x22c/0x2d8 [<ffff0000084f8a24>] __driver_attach+0xbc/0xc0 [<ffff0000084f69fc>] bus_for_each_dev+0x4c/0x98 [<ffff0000084f81b8>] driver_attach+0x20/0x28 [<ffff0000084f7d08>] bus_add_driver+0x1b8/0x228 [<ffff0000084f93c0>] driver_register+0x60/0xf8 [<ffff0000083fb918>] __pci_register_driver+0x40/0x48 Return EPROBE_DEFER in that case so the driver can register the device later. Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-19T16:30:44+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-08-19T16:30:44+00:00 urn:sha1:1d0926e99de7b486321e3db924b445531eea5e18 Pull UIO fix from Greg KH: "Here is a single UIO fix that I forgot to send before 4.18-final came out. It reverts a UIO patch that went in the 4.18 development window that was causing problems. This patch has been in linux-next for a while with no problems, I just forgot to send it earlier, or as part of the larger char/misc patch series from yesterday, my fault" * tag 'char-misc-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: Revert "uio: use request_threaded_irq instead" 2018-08-12T15:30:58+00:00 Xiubo Li xiubli@redhat.com 2018-08-12T11:58:23+00:00 urn:sha1:3d27c4de8d4fb2d4099ff324671792aa2578c6f9 Since mutex lock in irq hanler is useless currently, here will remove it together with it. This reverts commit 9421e45f5ff3d558cf8b75a8cc0824530caf3453. Reported-by: james.r.harris@intel.com CC: Ahsan Atta <ahsan.atta@intel.com> Signed-off-by: Xiubo Li <xiubli@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-02T08:42:25+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-08-02T08:24:47+00:00 urn:sha1:f019f07ecf6a6b8bd6d7853bce70925d90af02d1 The uio_unregister_device() function assumes that if "info->uio_dev" is non-NULL that means "info" is fully allocated. Setting info->uio_de has to be the last thing in the function. In the current code, if request_threaded_irq() fails then we return with info->uio_dev set to non-NULL but info is not fully allocated and it can lead to double frees. Fixes: beafc54c4e2f ("UIO: Add the User IO core code") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-02T08:14:26+00:00 Xiubo Li xiubli@redhat.com 2018-07-30T07:11:48+00:00 urn:sha1:b34e9a15b37b8ddbf06a4da142b0c39c74211eb4 The call trace: XXX/1910 is trying to acquire lock: (&mm->mmap_sem){++++++}, at: [<ffffffff97008c87>] might_fault+0x57/0xb0 but task is already holding lock: (&idev->info_lock){+.+...}, at: [<ffffffffc0638a06>] uio_write+0x46/0x130 [uio] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&idev->info_lock){+.+...}: [<ffffffff96f31fc9>] lock_acquire+0x99/0x1e0 [<ffffffff975edad3>] mutex_lock_nested+0x93/0x410 [<ffffffffc063873d>] uio_mmap+0x2d/0x170 [uio] [<ffffffff97016b58>] mmap_region+0x428/0x650 [<ffffffff97017138>] do_mmap+0x3b8/0x4e0 [<ffffffff96ffaba3>] vm_mmap_pgoff+0xd3/0x120 [<ffffffff97015261>] SyS_mmap_pgoff+0x1f1/0x270 [<ffffffff96e387c2>] SyS_mmap+0x22/0x30 [<ffffffff975ff315>] system_call_fastpath+0x1c/0x21 -> #0 (&mm->mmap_sem){++++++}: [<ffffffff96f30e9c>] __lock_acquire+0xdac/0x15f0 [<ffffffff96f31fc9>] lock_acquire+0x99/0x1e0 [<ffffffff97008cb4>] might_fault+0x84/0xb0 [<ffffffffc0638a74>] uio_write+0xb4/0x130 [uio] [<ffffffff9706ffa3>] vfs_write+0xc3/0x1f0 [<ffffffff97070e2a>] SyS_write+0x8a/0x100 [<ffffffff975ff315>] system_call_fastpath+0x1c/0x21 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&idev->info_lock); lock(&mm->mmap_sem); lock(&idev->info_lock); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by XXX/1910: #0: (&idev->info_lock){+.+...}, at: [<ffffffffc0638a06>] uio_write+0x46/0x130 [uio] stack backtrace: CPU: 0 PID: 1910 Comm: XXX Kdump: loaded Not tainted #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 Call Trace: [<ffffffff975e9211>] dump_stack+0x19/0x1b [<ffffffff975e260a>] print_circular_bug+0x1f9/0x207 [<ffffffff96f2f6a7>] check_prevs_add+0x957/0x960 [<ffffffff96f30e9c>] __lock_acquire+0xdac/0x15f0 [<ffffffff96f2fb19>] ? mark_held_locks+0xb9/0x140 [<ffffffff96f31fc9>] lock_acquire+0x99/0x1e0 [<ffffffff97008c87>] ? might_fault+0x57/0xb0 [<ffffffff97008cb4>] might_fault+0x84/0xb0 [<ffffffff97008c87>] ? might_fault+0x57/0xb0 [<ffffffffc0638a74>] uio_write+0xb4/0x130 [uio] [<ffffffff9706ffa3>] vfs_write+0xc3/0x1f0 [<ffffffff9709349c>] ? fget_light+0xfc/0x510 [<ffffffff97070e2a>] SyS_write+0x8a/0x100 [<ffffffff975ff315>] system_call_fastpath+0x1c/0x21 Signed-off-by: Xiubo Li <xiubli@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-02T08:14:26+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-08-02T07:15:58+00:00 urn:sha1:95883676e34ab93f600787cc9831707bcdad4398 There are two bugs here. First the error codes weren't set on several paths. And second, if the call to request_threaded_irq() inside uio_register_device() fails then it would lead to a double free when we call uio_unregister_device() inside pruss_cleanup(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-21T13:41:20+00:00 Stephen Hemminger stephen@networkplumber.org 2018-07-21T13:31:39+00:00 urn:sha1:bce5c2ea350f5a57353295534faba00b28cadf14 For those without any license text present or short reference to GPL, add SPDX tag. Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-21T06:45:24+00:00 Hailong Liu liu.hailong6@zte.com.cn 2018-07-20T00:31:56+00:00 urn:sha1:e7de2590f18a272e63732b9d519250d1b522b2c4 uio_mmap has multiple fail paths to set return value to nonzero then goto out. However, it always returns *0* from the *out* at end, and this will mislead callers who check the return value of this function. Fixes: 57c5f4df0a5a0ee ("uio: fix crash after the device is unregistered") CC: Xiubo Li <xiubli@redhat.com> Signed-off-by: Hailong Liu <liu.hailong6@zte.com.cn> Cc: stable <stable@vger.kernel.org> Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-21T06:44:08+00:00 Stephen Hemminger stephen@networkplumber.org 2018-07-20T22:11:26+00:00 urn:sha1:fbb5858c1467ef8feccc910ac9e9f529186a9f9d Replace short statement in comment with proper SPDX license tag. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>