kernel-team Digest, Vol 104, Issue 5

장군수 skysuffer at gmail.com
Mon Sep 2 12:34:10 UTC 2013




Sent from my Vega

-------- Original Message --------
Subject: kernel-team Digest, Vol 104, Issue 5
From: kernel-team-request at lists.ubuntu.com
Date: Mon, 2013-09-02 17:57
To: kernel-team at lists.ubuntu.com
Cc: 

>Today's Topics:
>
>   1. [PATCH 53/58] jfs: fix readdir cookie incompatibility with
>      NFSv4 (Luis Henriques)
>   2. [PATCH 14/58] USB-Serial: Fix error handling of usb_wwan
>      (Luis Henriques)
>   3. [PATCH 16/58] USB: adutux: fix big-endian device-type
>      reporting (Luis Henriques)
>   4. [PATCH 19/58] m68k/atari: ARAnyM - Fix NatFeat module support
>      (Luis Henriques)
>   5. [PATCH 23/58] USB: keyspan: fix null-deref at disconnect and
>      release (Luis Henriques)
>   6. [PATCH 26/58] sound: Fix make allmodconfig on MIPS
>      (Luis Henriques)
>   7. [PATCH 27/58] sound: Fix make allmodconfig on MIPS correctly
>      (Luis Henriques)
>   8. [PATCH 32/58] ARM: 7810/1: perf: Fix array out of bounds
>      access in armpmu_map_hw_event() (Luis Henriques)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Mon,  2 Sep 2013 09:54:38 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Dave Kleikamp <dave.kleikamp at oracle.com>
>Subject: [PATCH 53/58] jfs: fix readdir cookie incompatibility with
>	NFSv4
>Message-ID:
>	<1378112083-9475-54-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Dave Kleikamp <dave.kleikamp at oracle.com>
>
>commit 44512449c0ab368889dd13ae0031fba74ee7e1d2 upstream.
>
>NFSv4 reserves readdir cookie values 0-2 for special entries (. and ..),
>but jfs allows a value of 2 for a non-special entry. This incompatibility
>can result in the nfs client reporting a readdir loop.
>
>This patch doesn't change the value stored internally, but adds one to
>the value exposed to the iterate method.
>
>Signed-off-by: Dave Kleikamp <dave.kleikamp at oracle.com>
>Tested-by: Christian Kujau <lists at nerdbynature.de>
>Cc: Dave Kleikamp <dave.kleikamp at oracle.com>
>Cc: Ben Hutchings <ben at decadent.org.uk>
>[ luis: backported to 3.5 (based on bwh's backport to 3.2):
>  - adjusted context
>  - replaced usage of ctx->pos by filp->f_pos ]
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> fs/jfs/jfs_dtree.c | 31 +++++++++++++++++++++++--------
> 1 file changed, 23 insertions(+), 8 deletions(-)
>
>diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
>index 9197a1b..9f7c758 100644
>--- a/fs/jfs/jfs_dtree.c
>+++ b/fs/jfs/jfs_dtree.c
>@@ -3047,6 +3047,14 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> 
> 		dir_index = (u32) filp->f_pos;
> 
>+		/*
>+		 * NFSv4 reserves cookies 1 and 2 for . and .. so the value
>+		 * we return to the vfs is one greater than the one we use
>+		 * internally.
>+		 */
>+		if (dir_index)
>+			dir_index--;
>+
> 		if (dir_index > 1) {
> 			struct dir_table_slot dirtab_slot;
> 
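Review bot: The new comment above `if (dir_index)` says NFSv4 reserves
cookies 1 and 2, while the commit message says values 0-2 are reserved;
the two should agree so a reader knows which range the offset-by-one
protects. It would also help to note next to `dir_index--` that f_pos 0
and f_pos 1 both map to internal index 0, because the `dir_index > 1`
test that follows now sees the decremented value.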
>@@ -3086,7 +3094,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> 			if (p->header.flag & BT_INTERNAL) {
> 				jfs_err("jfs_readdir: bad index table");
> 				DT_PUTPAGE(mp);
>-				filp->f_pos = -1;
>+				filp->f_pos = DIREND;
> 				return 0;
> 			}
> 		} else {
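Review bot: Replacing the literal -1 with DIREND in the "bad index table"
path is a readability change that the commit message does not mention,
and the legacy-path comment later in this function still reads
`pn = index = -1: No more entries`. Either mention the cleanup in the
message or update that comment to name DIREND as well.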
>@@ -3094,7 +3102,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> 				/*
> 				 * self "."
> 				 */
>-				filp->f_pos = 0;
>+				filp->f_pos = 1;
> 				if (filldir(dirent, ".", 1, 0, ip->i_ino,
> 					    DT_DIR))
> 					return 0;
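Review bot: In the "." branch f_pos becomes 1, but the offset argument
passed to filldir() in the unchanged context line is still the literal 0
(and still 1 for ".." in the next hunk), whereas the legacy path further
down passes filp->f_pos. The backport note says ctx->pos was replaced by
filp->f_pos, so please confirm the literals are meant to stay as they
are, or pass filp->f_pos here for consistency.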
>@@ -3102,7 +3110,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> 			/*
> 			 * parent ".."
> 			 */
>-			filp->f_pos = 1;
>+			filp->f_pos = 2;
> 			if (filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR))
> 				return 0;
> 
>@@ -3123,24 +3131,25 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> 		/*
> 		 * Legacy filesystem - OS/2 & Linux JFS < 0.3.6
> 		 *
>-		 * pn = index = 0:	First entry "."
>-		 * pn = 0; index = 1:	Second entry ".."
>+		 * pn = 0; index = 1:	First entry "."
>+		 * pn = 0; index = 2:	Second entry ".."
> 		 * pn > 0:		Real entries, pn=1 -> leftmost page
> 		 * pn = index = -1:	No more entries
> 		 */
> 		dtpos = filp->f_pos;
>-		if (dtpos == 0) {
>+		if (dtpos < 2) {
> 			/* build "." entry */
> 
>+			filp->f_pos = 1;
> 			if (filldir(dirent, ".", 1, filp->f_pos, ip->i_ino,
> 				    DT_DIR))
> 				return 0;
>-			dtoffset->index = 1;
>+			dtoffset->index = 2;
> 			filp->f_pos = dtpos;
> 		}
> 
> 		if (dtoffset->pn == 0) {
>-			if (dtoffset->index == 1) {
>+			if (dtoffset->index == 2) {
> 				/* build ".." entry */
> 
> 				if (filldir(dirent, "..", 2, filp->f_pos,
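Review bot: The test `if (dtpos < 2)` treats the whole position as one
number while the comment above it describes the position as pn and
index, and a negative position would also satisfy it if dtpos is signed.
The hunk does not show an earlier end-of-directory check, so a short
comment saying why both 0 and 1 are accepted and where DIREND is
filtered out would make this verifiable. The sequence that sets f_pos to
1 and then restores it from dtpos after `dtoffset->index = 2` also
deserves a one-line explanation.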
>@@ -3233,6 +3242,12 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> 					}
> 					jfs_dirent->position = unique_pos++;
> 				}
>+				/*
>+				 * We add 1 to the index because we may
>+				 * use a value of 2 internally, and NFSv4
>+				 * doesn't like that.
>+				 */
>+				jfs_dirent->position++;
> 			} else {
> 				jfs_dirent->position = dtpos;
> 				len = min(d_namleft, DTLHDRDATALEN_LEGACY);
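Review bot: The added `jfs_dirent->position++` applies only to the
index-table branch; the else branch still assigns
`jfs_dirent->position = dtpos` unchanged, so the two paths now follow
different conventions for the reported position and that is worth
stating in the comment. The wording "NFSv4 doesn't like that" would be
more useful if it named the reserved cookie range and pointed at the
matching `dir_index--` at the top of the function.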
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Mon,  2 Sep 2013 09:53:59 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>, Matt Burtch
>	<matt at grid-net.com>
>Subject: [PATCH 14/58] USB-Serial: Fix error handling of usb_wwan
>Message-ID:
>	<1378112083-9475-15-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Matt Burtch <matt at grid-net.com>
>
>commit 6c1ee66a0b2bdbd64c078fba684d640cf2fd38a9 upstream.
>
>This fixes an issue where the bulk-in urb used for incoming data transfer
>is not resubmitted if the packet received contains an error status.  This
>results in the driver locking until the port is closed and re-opened.
>
>Tested on a custom board with a Cinterion GSM module.
>
>Signed-off-by: Matt Burtch <matt at grid-net.com>
>Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>[ luis: backported to 3.5:
>  - adjusted context
>  - replaced dev_err() by printk() ]
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> drivers/usb/serial/usb_wwan.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
>diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c
>index 25c8ee9..2956414 100644
>--- a/drivers/usb/serial/usb_wwan.c
>+++ b/drivers/usb/serial/usb_wwan.c
>@@ -297,18 +297,18 @@ static void usb_wwan_indat_callback(struct urb *urb)
> 			tty_kref_put(tty);
> 		}
> 
>-		/* Resubmit urb so we continue receiving */
>-		err = usb_submit_urb(urb, GFP_ATOMIC);
>-		if (err) {
>-			if (err != -EPERM) {
>-				printk(KERN_ERR "%s: resubmit read urb failed. "
>-					"(%d)", __func__, err);
>-				/* busy also in error unless we are killed */
>-				usb_mark_last_busy(port->serial->dev);
>-			}
>-		} else {
>+	}
>+	/* Resubmit urb so we continue receiving */
>+	err = usb_submit_urb(urb, GFP_ATOMIC);
>+	if (err) {
>+		if (err != -EPERM) {
>+			printk(KERN_ERR "%s: resubmit read urb failed. (%d)\n",
>+				__func__, err);
>+			/* busy also in error unless we are killed */
> 			usb_mark_last_busy(port->serial->dev);
> 		}
>+	} else {
>+		usb_mark_last_busy(port->serial->dev);
> 	}
> }
> 
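Review bot: The now unconditional resubmit at the end of
usb_wwan_indat_callback() can loop and flood the log if the device keeps
completing the urb with an error status, since every failed resubmit
other than -EPERM prints at KERN_ERR. Consider rate-limiting the message
or skipping the resubmit for statuses that mean the urb was unlinked or
the device is gone. The trailing `else` branch now makes the same
usb_mark_last_busy() call as the error branch, so the two could be
simplified into one.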
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 3
>Date: Mon,  2 Sep 2013 09:54:01 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>, Johan Hovold
>	<jhovold at gmail.com>
>Subject: [PATCH 16/58] USB: adutux: fix big-endian device-type
>	reporting
>Message-ID:
>	<1378112083-9475-17-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Johan Hovold <jhovold at gmail.com>
>
>commit d482b9d558602a9cacab063b1c8779f9b5214da7 upstream.
>
>Make sure the reported device-type on big-endian machines is the same as
>on little-endian ones.
>
>Signed-off-by: Johan Hovold <jhovold at gmail.com>
>Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>[ luis: backported to 3.5: adjusted context ]
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> drivers/usb/misc/adutux.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c
>index 284b854..14d9142 100644
>--- a/drivers/usb/misc/adutux.c
>+++ b/drivers/usb/misc/adutux.c
>@@ -829,7 +829,7 @@ static int adu_probe(struct usb_interface *interface,
> 
> 	/* let the user know what node this device is now attached to */
> 	dev_info(&interface->dev, "ADU%d %s now attached to /dev/usb/adutux%d\n",
>-		 udev->descriptor.idProduct, dev->serial_number,
>+		 le16_to_cpu(udev->descriptor.idProduct), dev->serial_number,
> 		 (dev->minor - ADU_MINOR_BASE));
> exit:
> 	dbg(2," %s : leave, return value %p (dev)", __func__, dev);
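Review bot: The le16_to_cpu() conversion is applied only at this
dev_info() call; if idProduct is read raw from udev->descriptor anywhere
else in the driver, those sites need the same treatment. The commit
message could also say that only the logged device type is affected, so
stable reviewers can judge the impact.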
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 4
>Date: Mon,  2 Sep 2013 09:54:04 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Geert Uytterhoeven <geert at linux-m68k.org>
>Subject: [PATCH 19/58] m68k/atari: ARAnyM - Fix NatFeat module support
>Message-ID:
>	<1378112083-9475-20-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Geert Uytterhoeven <geert at linux-m68k.org>
>
>commit e8184e10f89736a23ea6eea8e24cd524c5c513d2 upstream.
>
>As pointed out by Andreas Schwab, pointers passed to ARAnyM NatFeat calls
>should be physical addresses, not virtual addresses.
>
>Fortunately on Atari, physical and virtual kernel addresses are the same,
>as long as normal kernel memory is concerned, so this usually worked fine
>without conversion.
>
>But for modules, pointers to literal strings are located in vmalloc()ed
>memory. Depending on the version of ARAnyM, this causes the nf_get_id()
>call to just fail, or worse, crash ARAnyM itself with e.g.
>
>    Gotcha! Illegal memory access. Atari PC = $968c
>
>This is a big issue for distro kernels, who want to have all drivers as
>loadable modules in an initrd.
>
>Add a wrapper for nf_get_id() that copies the literal to the stack to
>work around this issue.
>
>Reported-by: Thorsten Glaser <tg at debian.org>
>Signed-off-by: Geert Uytterhoeven <geert at linux-m68k.org>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> arch/m68k/emu/natfeat.c | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
>
>diff --git a/arch/m68k/emu/natfeat.c b/arch/m68k/emu/natfeat.c
>index 2291a7d..fa277ae 100644
>--- a/arch/m68k/emu/natfeat.c
>+++ b/arch/m68k/emu/natfeat.c
>@@ -18,9 +18,11 @@
> #include <asm/machdep.h>
> #include <asm/natfeat.h>
> 
>+extern long nf_get_id2(const char *feature_name);
>+
> asm("\n"
>-"	.global nf_get_id,nf_call\n"
>-"nf_get_id:\n"
>+"	.global nf_get_id2,nf_call\n"
>+"nf_get_id2:\n"
> "	.short	0x7300\n"
> "	rts\n"
> "nf_call:\n"
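Review bot: `extern long nf_get_id2(const char *feature_name);` is
declared at file scope in the .c file and the symbol stays `.global`,
although after this patch only the C wrapper should call it. A more
descriptive name and a comment stating that it expects a physical
address would keep other callers from bypassing the copy.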
>@@ -29,12 +31,25 @@ asm("\n"
> "1:	moveq.l	#0,%d0\n"
> "	rts\n"
> "	.section __ex_table,\"a\"\n"
>-"	.long	nf_get_id,1b\n"
>+"	.long	nf_get_id2,1b\n"
> "	.long	nf_call,1b\n"
> "	.previous");
>-EXPORT_SYMBOL_GPL(nf_get_id);
> EXPORT_SYMBOL_GPL(nf_call);
> 
>+long nf_get_id(const char *feature_name)
>+{
>+	/* feature_name may be in vmalloc()ed memory, so make a copy */
>+	char name_copy[32];
>+	size_t n;
>+
>+	n = strlcpy(name_copy, feature_name, sizeof(name_copy));
>+	if (n >= sizeof(name_copy))
>+		return 0;
>+
>+	return nf_get_id2(name_copy);
>+}
>+EXPORT_SYMBOL_GPL(nf_get_id);
>+
> void nfprint(const char *fmt, ...)
> {
> 	static char buf[256];
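Review bot: In the new nf_get_id(), a feature name of 32 bytes or more
returns 0, which is the same value the exception-table fixup returns, so
the caller cannot tell truncation apart from a failed lookup; the size
in `char name_copy[32];` is also an unexplained magic number. Please
document the maximum name length or use a named constant, and consider
a warning on truncation. strlcpy() is used but the includes visible at
the top of the patch do not show <linux/string.h>.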
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 5
>Date: Mon,  2 Sep 2013 09:54:08 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>, Johan Hovold
>	<jhovold at gmail.com>
>Subject: [PATCH 23/58] USB: keyspan: fix null-deref at disconnect and
>	release
>Message-ID:
>	<1378112083-9475-24-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Johan Hovold <jhovold at gmail.com>
>
>commit ff8a43c10f1440f07a5faca0c1556921259f7f76 upstream.
>
>Make sure to fail properly if the device is not accepted during attach
>in order to avoid null-pointer derefs (of missing interface private
>data) at disconnect or release.
>
>Signed-off-by: Johan Hovold <jhovold at gmail.com>
>Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> drivers/usb/serial/keyspan.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
>index 2d35ad4..9b55796 100644
>--- a/drivers/usb/serial/keyspan.c
>+++ b/drivers/usb/serial/keyspan.c
>@@ -2439,7 +2439,7 @@ static int keyspan_startup(struct usb_serial *serial)
> 	if (d_details == NULL) {
> 		dev_err(&serial->dev->dev, "%s - unknown product id %x\n",
> 		    __func__, le16_to_cpu(serial->dev->descriptor.idProduct));
>-		return 1;
>+		return -ENODEV;
> 	}
> 
> 	/* Setup private data for serial driver */
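Review bot: The commit message does not say why the old `return 1;` in
the `d_details == NULL` path was not treated as a failure by the caller,
which is the fact a stable reviewer needs to judge this one-line change.
A sentence on that, plus a check that no other path in keyspan_startup()
returns a positive value, would make the backport easier to verify.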
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 6
>Date: Mon,  2 Sep 2013 09:54:11 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Takashi Iwai <tiwai at suse.de>, Ralf Baechle <ralf at linux-mips.org>
>Subject: [PATCH 26/58] sound: Fix make allmodconfig on MIPS
>Message-ID:
>	<1378112083-9475-27-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Takashi Iwai <tiwai at suse.de>
>
>commit d4702b189c6b951c1cb3260036ff998f719bfb62 upstream.
>
>The compile of soundcard.c is broken on MIPS when allmodconfig is used
>because of the missing MAX_DMA_CHANNELS definition.  As a simple
>workaround, just add a Kconfig dependency.
>
>Reported-by: Andrew Morton <akpm at linux-foundation.org>
>Cc: Ralf Baechle <ralf at linux-mips.org>
>Signed-off-by: Takashi Iwai <tiwai at suse.de>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> sound/oss/Kconfig | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/sound/oss/Kconfig b/sound/oss/Kconfig
>index 5849b12..51c4ba9 100644
>--- a/sound/oss/Kconfig
>+++ b/sound/oss/Kconfig
>@@ -250,6 +250,7 @@ config MSND_FIFOSIZE
> menuconfig SOUND_OSS
> 	tristate "OSS sound modules"
> 	depends on ISA_DMA_API && VIRT_TO_BUS
>+	depends on !ISA_DMA_SUPPORT_BROKEN
> 	help
> 	  OSS is the Open Sound System suite of sound card drivers.  They make
> 	  sound programming easier since they provide a common API.  Say Y or
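Review bot: The added line `depends on !ISA_DMA_SUPPORT_BROKEN` names a
symbol that patch 27/58 in this same series says does not exist, so on
its own this dependency always evaluates to true and does not fix the
MIPS build. The two patches need to be applied together, and the
condition could be merged into the existing `depends on` line above it.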
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 7
>Date: Mon,  2 Sep 2013 09:54:12 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Takashi Iwai <tiwai at suse.de>, Paul Bolle <pebolle at tiscali.nl>
>Subject: [PATCH 27/58] sound: Fix make allmodconfig on MIPS correctly
>Message-ID:
>	<1378112083-9475-28-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Paul Bolle <pebolle at tiscali.nl>
>
>commit a62ee234a572b4c98fe98cf5fb18e4e8b0f6e43d upstream.
>
>Commit d4702b189c ("sound: Fix make allmodconfig on MIPS") added a
>(negative) dependency on ISA_DMA_SUPPORT_BROKEN. Since that Kconfig
>symbol doesn't exist, this dependency will always evaluate to true.
>Apparently GENERIC_ISA_DMA_SUPPORT_BROKEN was meant to be used here.
>
>Signed-off-by: Paul Bolle <pebolle at tiscali.nl>
>Signed-off-by: Takashi Iwai <tiwai at suse.de>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> sound/oss/Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/sound/oss/Kconfig b/sound/oss/Kconfig
>index 51c4ba9..1a96402 100644
>--- a/sound/oss/Kconfig
>+++ b/sound/oss/Kconfig
>@@ -250,7 +250,7 @@ config MSND_FIFOSIZE
> menuconfig SOUND_OSS
> 	tristate "OSS sound modules"
> 	depends on ISA_DMA_API && VIRT_TO_BUS
>-	depends on !ISA_DMA_SUPPORT_BROKEN
>+	depends on !GENERIC_ISA_DMA_SUPPORT_BROKEN
> 	help
> 	  OSS is the Open Sound System suite of sound card drivers.  They make
> 	  sound programming easier since they provide a common API.  Say Y or
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 8
>Date: Mon,  2 Sep 2013 09:54:17 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
>	kernel-team at lists.ubuntu.com
>Cc: Russell King <rmk+kernel at arm.linux.org.uk>, Stephen Boyd
>	<sboyd at codeaurora.org>
>Subject: [PATCH 32/58] ARM: 7810/1: perf: Fix array out of bounds
>	access in armpmu_map_hw_event()
>Message-ID:
>	<1378112083-9475-33-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch.  If anyone has any objections, please let me know.
>
>------------------
>
>From: Stephen Boyd <sboyd at codeaurora.org>
>
>commit d9f966357b14e356dbd83b8f4a197a287ab4ff83 upstream.
>
>Vince Weaver reports an oops in the ARM perf event code while
>running his perf_fuzzer tool on a pandaboard running v3.11-rc4.
>
>Unable to handle kernel paging request at virtual address 73fd14cc
>pgd = eca6c000
>[73fd14cc] *pgd=00000000
>Internal error: Oops: 5 [#1] SMP ARM
>Modules linked in: snd_soc_omap_hdmi omapdss snd_soc_omap_abe_twl6040 snd_soc_twl6040 snd_soc_omap snd_soc_omap_hdmi_card snd_soc_omap_mcpdm snd_soc_omap_mcbsp snd_soc_core snd_compress regmap_spi snd_pcm snd_page_alloc snd_timer snd soundcore
>CPU: 1 PID: 2790 Comm: perf_fuzzer Not tainted 3.11.0-rc4 #6
>task: eddcab80 ti: ed892000 task.ti: ed892000
>PC is at armpmu_map_event+0x20/0x88
>LR is at armpmu_event_init+0x38/0x280
>pc : [<c001c3e4>]    lr : [<c001c17c>]    psr: 60000013
>sp : ed893e40  ip : ecececec  fp : edfaec00
>r10: 00000000  r9 : 00000000  r8 : ed8c3ac0
>r7 : ed8c3b5c  r6 : edfaec00  r5 : 00000000  r4 : 00000000
>r3 : 000000ff  r2 : c0496144  r1 : c049611c  r0 : edfaec00
>Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
>Control: 10c5387d  Table: aca6c04a  DAC: 00000015
>Process perf_fuzzer (pid: 2790, stack limit = 0xed892240)
>[<c001c3e4>] (armpmu_map_event+0x20/0x88) from [<c001c17c>] (armpmu_event_init+0x38/0x280)
>[<c001c17c>] (armpmu_event_init+0x38/0x280) from [<c00bf180>] (perf_init_event+0x108/0x180)
>[<c00bf180>] (perf_init_event+0x108/0x180) from [<c00bf440>] (perf_event_alloc+0x248/0x40c)
>[<c00bf440>] (perf_event_alloc+0x248/0x40c) from [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc)
>[<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc) from [<c0012700>] (ret_fast_syscall+0x0/0x48)
>Code: 0a000005 e3540004 0a000016 e3540000 (0791010c)
>
>This is because event->attr.config in armpmu_event_init()
>contains a very large number copied directly from userspace and
>is never checked against the size of the array indexed in
>armpmu_map_hw_event(). Fix the problem by checking the value of
>config before indexing the array and rejecting invalid config
>values.
>
>Reported-by: Vince Weaver <vincent.weaver at maine.edu>
>Tested-by: Vince Weaver <vincent.weaver at maine.edu>
>Acked-by: Will Deacon <will.deacon at arm.com>
>Signed-off-by: Stephen Boyd <sboyd at codeaurora.org>
>Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> arch/arm/kernel/perf_event.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
>index 522c11d..54fbd46 100644
>--- a/arch/arm/kernel/perf_event.c
>+++ b/arch/arm/kernel/perf_event.c
>@@ -109,7 +109,12 @@ armpmu_map_cache_event(const unsigned (*cache_map)
> static int
> armpmu_map_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
> {
>-	int mapping = (*event_map)[config];
>+	int mapping;
>+
>+	if (config >= PERF_COUNT_HW_MAX)
>+		return -EINVAL;
>+
>+	mapping = (*event_map)[config];
> 	return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
> }
> 
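Review bot: armpmu_map_event() now returns -EINVAL for an out-of-range
config but still returns -ENOENT for an unsupported one; please confirm
the caller handles both as intended, since the hunk does not show it.
The check `if (config >= PERF_COUNT_HW_MAX)` is correct for the u64
argument, but armpmu_map_cache_event(), visible in the hunk header,
should be checked for the same unvalidated indexing.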
>-- 
>1.8.3.2
>
>
>
>
>------------------------------
>