<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/staging/android, branch linux-3.18.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT</title>
<updated>2019-04-03T04:22:09+00:00</updated>
<author>
<name>Rajmal Menariya</name>
<email>rajmal.menariya@spreadtrum.com</email>
</author>
<published>2016-01-30T06:07:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5b96c46521e2d5faa1f6ecfeb16b3fb5758fb59a'/>
<id>5b96c46521e2d5faa1f6ecfeb16b3fb5758fb59a</id>
<content type='text'>
[ Upstream commit 1328d8efef17d5e16bd6e9cfe59130a833674534 ]

In carveout heap, change minimum allocation order from 12 to
PAGE_SHIFT. After this change each bit in bitmap (genalloc -
General purpose special memory pool) represents one page size
memory.

Cc: sprd-ind-kernel-group@googlegroups.com
Cc: sanjeev.yadav@spreadtrum.com
Cc: Colin Cross &lt;ccross@android.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Cc: Sumit Semwal &lt;sumit.semwal@linaro.org&gt;
Signed-off-by: Rajmal Menariya &lt;rajmal.menariya@spreadtrum.com&gt;
[jstultz: Reworked commit message]
Signed-off-by: John Stultz &lt;john.stultz@linaro.org&gt;
Acked-by: Laura Abbott &lt;labbott@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1328d8efef17d5e16bd6e9cfe59130a833674534 ]

In carveout heap, change minimum allocation order from 12 to
PAGE_SHIFT. After this change each bit in bitmap (genalloc -
General purpose special memory pool) represents one page size
memory.

Cc: sprd-ind-kernel-group@googlegroups.com
Cc: sanjeev.yadav@spreadtrum.com
Cc: Colin Cross &lt;ccross@android.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Cc: Sumit Semwal &lt;sumit.semwal@linaro.org&gt;
Signed-off-by: Rajmal Menariya &lt;rajmal.menariya@spreadtrum.com&gt;
[jstultz: Reworked commit message]
Signed-off-by: John Stultz &lt;john.stultz@linaro.org&gt;
Acked-by: Laura Abbott &lt;labbott@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: ashmem: Add missing include</title>
<updated>2019-04-03T04:22:09+00:00</updated>
<author>
<name>Rom Lemarchand</name>
<email>romlem@android.com</email>
</author>
<published>2016-01-30T06:07:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=113e4806435d97621817b98faf56972dd7f037db'/>
<id>113e4806435d97621817b98faf56972dd7f037db</id>
<content type='text'>
[ Upstream commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 ]

Include &lt;linux/types.h&gt; into ashmem.h to ensure referenced types
are defined

Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Rom Lemarchand &lt;romlem@android.com&gt;
[jstultz: Minor commit message tweaks]
Signed-off-by: John Stultz &lt;john.stultz@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 ]

Include &lt;linux/types.h&gt; into ashmem.h to ensure referenced types
are defined

Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Rom Lemarchand &lt;romlem@android.com&gt;
[jstultz: Minor commit message tweaks]
Signed-off-by: John Stultz &lt;john.stultz@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: ashmem: Avoid deadlock with mmap/shrink</title>
<updated>2019-04-03T04:22:09+00:00</updated>
<author>
<name>Laura Abbott</name>
<email>lauraa@codeaurora.org</email>
</author>
<published>2016-01-30T06:07:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0d9aeed2703d9c3eadacd28374eaa6990ca84f40'/>
<id>0d9aeed2703d9c3eadacd28374eaa6990ca84f40</id>
<content type='text'>
[ Upstream commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e ]

Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may
be possible for ashmem_mmap to invoke ashmem_shrink:

-000|mutex_lock(lock = 0x0)
-001|ashmem_shrink(?, sc = 0x0) &lt;--- try to take ashmem_mutex again
-002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages
-002|=
-002|124)
-003|try_to_free_pages(zonelist = 0x0, ?, ?, ?)
-004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist =
-004|0xC11D0940,
-005|new_slab(s = 0xE4841E80, ?, node = -1)
-006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags =
-006|2148925462, ad
-007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208)
-008|shmem_alloc_inode(?)
-009|alloc_inode(sb = 0xE480E800)
-010|new_inode_pseudo(?)
-011|new_inode(?)
-012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags =
-012|187)
-013|shmem_file_setup(?, ?, flags = 187)
-014|ashmem_mmap(?, vma = 0xC5D64210) &lt;---- Acquire ashmem_mutex
-015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472,
-015|flags = 57,
-016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd =
-016|157, pgoff
-017|ret_fast_syscall(asm)
--&gt;|exception
-018|NUR:0x40097508(asm)
---|end of frame

Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex
is already held, do not attempt to shrink.

Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Reported-by: Matt Wagantall &lt;mattw@codeaurora.org&gt;
Reported-by: Syed Rameez Mustafa &lt;rameezmustafa@codeaurora.org&gt;
Reported-by: Osvaldo Banuelos &lt;osvaldob@codeaurora.org&gt;
Reported-by: Subbaraman Narayanamurthy &lt;subbaram@codeaurora.org&gt;
Signed-off-by: Laura Abbott &lt;lauraa@codeaurora.org&gt;
[jstultz: Minor commit message tweaks]
Signed-off-by: John Stultz &lt;john.stultz@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e ]

Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may
be possible for ashmem_mmap to invoke ashmem_shrink:

-000|mutex_lock(lock = 0x0)
-001|ashmem_shrink(?, sc = 0x0) &lt;--- try to take ashmem_mutex again
-002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages
-002|=
-002|124)
-003|try_to_free_pages(zonelist = 0x0, ?, ?, ?)
-004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist =
-004|0xC11D0940,
-005|new_slab(s = 0xE4841E80, ?, node = -1)
-006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags =
-006|2148925462, ad
-007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208)
-008|shmem_alloc_inode(?)
-009|alloc_inode(sb = 0xE480E800)
-010|new_inode_pseudo(?)
-011|new_inode(?)
-012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags =
-012|187)
-013|shmem_file_setup(?, ?, flags = 187)
-014|ashmem_mmap(?, vma = 0xC5D64210) &lt;---- Acquire ashmem_mutex
-015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472,
-015|flags = 57,
-016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd =
-016|157, pgoff
-017|ret_fast_syscall(asm)
--&gt;|exception
-018|NUR:0x40097508(asm)
---|end of frame

Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex
is already held, do not attempt to shrink.

Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Reported-by: Matt Wagantall &lt;mattw@codeaurora.org&gt;
Reported-by: Syed Rameez Mustafa &lt;rameezmustafa@codeaurora.org&gt;
Reported-by: Osvaldo Banuelos &lt;osvaldob@codeaurora.org&gt;
Reported-by: Subbaraman Narayanamurthy &lt;subbaram@codeaurora.org&gt;
Signed-off-by: Laura Abbott &lt;lauraa@codeaurora.org&gt;
[jstultz: Minor commit message tweaks]
Signed-off-by: John Stultz &lt;john.stultz@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>android: unconditionally remove callbacks in sync_fence_free()</title>
<updated>2019-04-03T04:22:09+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dtor@chromium.org</email>
</author>
<published>2015-12-15T01:34:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=60bb79a488db4f9872a85cf9ba89dee92af8708f'/>
<id>60bb79a488db4f9872a85cf9ba89dee92af8708f</id>
<content type='text'>
[ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ]

Using fence-&gt;status to determine whether or not there are callbacks
remaining on the sync_fence is racy since fence-&gt;status may have been
decremented to 0 on another CPU before fence_check_cb_func() has
completed.  By unconditionally calling fence_remove_callback() for each
fence in the sync_fence, we guarantee that each callback has either
completed (since fence_remove_callback() grabs the fence lock) or been
removed.

Signed-off-by: Andrew Bresticker &lt;abrestic@chromium.org&gt;
Signed-off-by: Dmitry Torokhov &lt;dtor@chromium.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ]

Using fence-&gt;status to determine whether or not there are callbacks
remaining on the sync_fence is racy since fence-&gt;status may have been
decremented to 0 on another CPU before fence_check_cb_func() has
completed.  By unconditionally calling fence_remove_callback() for each
fence in the sync_fence, we guarantee that each callback has either
completed (since fence_remove_callback() grabs the fence lock) or been
removed.

Signed-off-by: Andrew Bresticker &lt;abrestic@chromium.org&gt;
Signed-off-by: Dmitry Torokhov &lt;dtor@chromium.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free</title>
<updated>2018-10-13T07:09:28+00:00</updated>
<author>
<name>Greg Hackmann</name>
<email>ghackmann@android.com</email>
</author>
<published>2018-09-04T16:33:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d82ad70e8aff4435baf4f5fe1abe54870a13436a'/>
<id>d82ad70e8aff4435baf4f5fe1abe54870a13436a</id>
<content type='text'>
commit 2c155709e4ef2d86d0176aac82e44c048a7e0255 upstream.

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client-&gt;lock several
times while operating on one of the client's ion_handles.  This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:

- thread A: ION_IOC_ALLOC creates an ion_handle with refcount 1
- thread A: starts ION_IOC_MAP and increments the refcount to 2
- thread B: ION_IOC_FREE decrements the refcount to 1
- thread B: ION_IOC_FREE decrements the refcount to 0 and frees the
            handle
- thread A: continues ION_IOC_MAP with a dangling ion_handle * to
            freed memory

Fix this by holding client-&gt;lock for the duration of
ION_IOC_{MAP,SHARE}, preventing the concurrent ION_IOC_FREE.  Also
remove ion_handle_get_by_id(), since there's literally no way to use it
safely.

This patch is applied on top of 4.4.y, and applies to older kernels
too.  4.9.y was fixed separately.  Kernels 4.12 and later are
unaffected, since all the underlying ion_handle infrastructure has been
ripped out.

Cc: stable@vger.kernel.org # v4.4-
Signed-off-by: Greg Hackmann &lt;ghackmann@google.com&gt;
Acked-by: Laura Abbott &lt;labbott@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2c155709e4ef2d86d0176aac82e44c048a7e0255 upstream.

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client-&gt;lock several
times while operating on one of the client's ion_handles.  This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:

- thread A: ION_IOC_ALLOC creates an ion_handle with refcount 1
- thread A: starts ION_IOC_MAP and increments the refcount to 2
- thread B: ION_IOC_FREE decrements the refcount to 1
- thread B: ION_IOC_FREE decrements the refcount to 0 and frees the
            handle
- thread A: continues ION_IOC_MAP with a dangling ion_handle * to
            freed memory

Fix this by holding client-&gt;lock for the duration of
ION_IOC_{MAP,SHARE}, preventing the concurrent ION_IOC_FREE.  Also
remove ion_handle_get_by_id(), since there's literally no way to use it
safely.

This patch is applied on top of 4.4.y, and applies to older kernels
too.  4.9.y was fixed separately.  Kernels 4.12 and later are
unaffected, since all the underlying ion_handle infrastructure has been
ripped out.

Cc: stable@vger.kernel.org # v4.4-
Signed-off-by: Greg Hackmann &lt;ghackmann@google.com&gt;
Acked-by: Laura Abbott &lt;labbott@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ashmem: Fix mmap size validation</title>
<updated>2018-10-13T07:09:26+00:00</updated>
<author>
<name>Alistair Strachan</name>
<email>astrachan@google.com</email>
</author>
<published>2018-06-20T00:57:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59c5b0c0265aa726d8ef7c4bbd5fdc3b4c0915d4'/>
<id>59c5b0c0265aa726d8ef7c4bbd5fdc3b4c0915d4</id>
<content type='text'>
[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos &lt;tkjos@android.com&gt;
Cc: devel@driverdev.osuosl.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: Joel Fernandes &lt;joel@joelfernandes.org&gt;
Signed-off-by: Alistair Strachan &lt;astrachan@google.com&gt;
Acked-by: Joel Fernandes (Google) &lt;joel@joelfernandes.org&gt;
Reviewed-by: Martijn Coenen &lt;maco@android.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos &lt;tkjos@android.com&gt;
Cc: devel@driverdev.osuosl.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: Joel Fernandes &lt;joel@joelfernandes.org&gt;
Signed-off-by: Alistair Strachan &lt;astrachan@google.com&gt;
Acked-by: Joel Fernandes (Google) &lt;joel@joelfernandes.org&gt;
Reviewed-by: Martijn Coenen &lt;maco@android.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ion: check for kref overflow</title>
<updated>2018-08-28T05:21:37+00:00</updated>
<author>
<name>Daniel Rosenberg</name>
<email>drosen@google.com</email>
</author>
<published>2018-08-21T20:31:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5554e8fc645c4e20d9356135d35b185a62a99eb2'/>
<id>5554e8fc645c4e20d9356135d35b185a62a99eb2</id>
<content type='text'>
This patch is against 4.4. It does not apply to master due to a large
rework of ion in 4.12 which removed the affected functions altogther.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.

Signed-off-by: Daniel Rosenberg &lt;drosen@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch is against 4.4. It does not apply to master due to a large
rework of ion in 4.12 which removed the affected functions altogther.
4c23cbff073f3b9b ("staging: android: ion: Remove import interface")

Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.

Signed-off-by: Daniel Rosenberg &lt;drosen@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ion: Return an ERR_PTR in ion_map_kernel</title>
<updated>2018-07-11T13:42:24+00:00</updated>
<author>
<name>Laura Abbott</name>
<email>labbott@redhat.com</email>
</author>
<published>2018-06-11T18:06:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=61377422d011c37515dc4c39ab91830cdcc1ed44'/>
<id>61377422d011c37515dc4c39ab91830cdcc1ed44</id>
<content type='text'>
commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream.

The expected return value from ion_map_kernel is an ERR_PTR. The error
path for a vmalloc failure currently just returns NULL, triggering
a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR.

Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com
Signed-off-by: Laura Abbott &lt;labbott@redhat.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream.

The expected return value from ion_map_kernel is an ERR_PTR. The error
path for a vmalloc failure currently just returns NULL, triggering
a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR.

Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com
Signed-off-by: Laura Abbott &lt;labbott@redhat.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ashmem: Fix lockdep issue during llseek</title>
<updated>2018-03-18T10:15:44+00:00</updated>
<author>
<name>Joel Fernandes</name>
<email>joelaf@google.com</email>
</author>
<published>2018-02-16T19:02:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0a40db9bb69656032e48df4b8d611f162bbb91ee'/>
<id>0a40db9bb69656032e48df4b8d611f162bbb91ee</id>
<content type='text'>
commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.

ashmem_mutex create a chain of dependencies like so:

(1)
mmap syscall -&gt;
  mmap_sem -&gt;  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall -&gt;
  ashmem_llseek -&gt;
  ashmem_mutex -&gt;  (acquired)
  inode_lock -&gt;
  inode-&gt;i_rwsem (try to acquire)
  (block)

(3)
getdents -&gt;
  iterate_dir -&gt;
  inode_lock -&gt;
  inode-&gt;i_rwsem   (acquired)
  copy_to_user -&gt;
  mmap_sem         (try to acquire)

There is a lock ordering created between mmap_sem and inode-&gt;i_rwsem
causing a lockdep splat [2] during a syzcaller test, this patch fixes
the issue by unlocking the mutex earlier. Functionally that's Ok since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Acked-by: Todd Kjos &lt;tkjos@google.com&gt;
Cc: Arve Hjonnevag &lt;arve@android.com&gt;
Cc: stable@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes &lt;joelaf@google.com&gt;
Acked-by: Greg Hackmann &lt;ghackmann@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.

ashmem_mutex create a chain of dependencies like so:

(1)
mmap syscall -&gt;
  mmap_sem -&gt;  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall -&gt;
  ashmem_llseek -&gt;
  ashmem_mutex -&gt;  (acquired)
  inode_lock -&gt;
  inode-&gt;i_rwsem (try to acquire)
  (block)

(3)
getdents -&gt;
  iterate_dir -&gt;
  inode_lock -&gt;
  inode-&gt;i_rwsem   (acquired)
  copy_to_user -&gt;
  mmap_sem         (try to acquire)

There is a lock ordering created between mmap_sem and inode-&gt;i_rwsem
causing a lockdep splat [2] during a syzcaller test, this patch fixes
the issue by unlocking the mutex earlier. Functionally that's Ok since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Acked-by: Todd Kjos &lt;tkjos@google.com&gt;
Cc: Arve Hjonnevag &lt;arve@android.com&gt;
Cc: stable@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes &lt;joelaf@google.com&gt;
Acked-by: Greg Hackmann &lt;ghackmann@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl</title>
<updated>2018-01-17T08:29:31+00:00</updated>
<author>
<name>Viktor Slavkovic</name>
<email>viktors@google.com</email>
</author>
<published>2018-01-08T18:43:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6dc42f889217a0a077bc75c6fa5239ade762fff4'/>
<id>6dc42f889217a0a077bc75c6fa5239ade762fff4</id>
<content type='text'>
commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream.

A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
race condition when mmap is called. After the !asma-&gt;file check, before
setting asma-&gt;size, asma-&gt;file can be set in mmap. That would result in
having different asma-&gt;size than the mapped memory size. Combined with
ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
corruption.

Signed-off-by: Viktor Slavkovic &lt;viktors@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream.

A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
race condition when mmap is called. After the !asma-&gt;file check, before
setting asma-&gt;size, asma-&gt;file can be set in mmap. That would result in
having different asma-&gt;size than the mapped memory size. Combined with
ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
corruption.

Signed-off-by: Viktor Slavkovic &lt;viktors@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
