kernel-team Digest, Vol 104, Issue 5
장군수
skysuffer at gmail.com
Mon Sep 2 12:34:10 UTC 2013
Sent from my Vega
-------- Original message --------
Subject: kernel-team Digest, Vol 104, Issue 5
From: kernel-team-request at lists.ubuntu.com
Date: Mon, 2013-09-02 17:57
To: kernel-team at lists.ubuntu.com
Cc:
>Send kernel-team mailing list submissions to
> kernel-team at lists.ubuntu.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>or, via email, send a message with subject or body 'help' to
> kernel-team-request at lists.ubuntu.com
>
>You can reach the person managing the list at
> kernel-team-owner at lists.ubuntu.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of kernel-team digest..."
>
>
>Today's Topics:
>
> 1. [PATCH 53/58] jfs: fix readdir cookie incompatibility with
> NFSv4 (Luis Henriques)
> 2. [PATCH 14/58] USB-Serial: Fix error handling of usb_wwan
> (Luis Henriques)
> 3. [PATCH 16/58] USB: adutux: fix big-endian device-type
> reporting (Luis Henriques)
> 4. [PATCH 19/58] m68k/atari: ARAnyM - Fix NatFeat module support
> (Luis Henriques)
> 5. [PATCH 23/58] USB: keyspan: fix null-deref at disconnect and
> release (Luis Henriques)
> 6. [PATCH 26/58] sound: Fix make allmodconfig on MIPS
> (Luis Henriques)
> 7. [PATCH 27/58] sound: Fix make allmodconfig on MIPS correctly
> (Luis Henriques)
> 8. [PATCH 32/58] ARM: 7810/1: perf: Fix array out of bounds
> access in armpmu_map_hw_event() (Luis Henriques)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Mon, 2 Sep 2013 09:54:38 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Dave Kleikamp <dave.kleikamp at oracle.com>
>Subject: [PATCH 53/58] jfs: fix readdir cookie incompatibility with
> NFSv4
>Message-ID:
> <1378112083-9475-54-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Dave Kleikamp <dave.kleikamp at oracle.com>
>
>commit 44512449c0ab368889dd13ae0031fba74ee7e1d2 upstream.
>
>NFSv4 reserves readdir cookie values 0-2 for special entries (. and ..),
>but jfs allows a value of 2 for a non-special entry. This incompatibility
>can result in the nfs client reporting a readdir loop.
>
>This patch doesn't change the value stored internally, but adds one to
>the value exposed to the iterate method.
>
>Signed-off-by: Dave Kleikamp <dave.kleikamp at oracle.com>
>Tested-by: Christian Kujau <lists at nerdbynature.de>
>Cc: Dave Kleikamp <dave.kleikamp at oracle.com>
>Cc: Ben Hutchings <ben at decadent.org.uk>
>[ luis: backported to 3.5 (based on bwh's backport to 3.2):
> - adjusted context
> - replaced usage of ctx->pos by filp->f_pos ]
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> fs/jfs/jfs_dtree.c | 31 +++++++++++++++++++++++--------
> 1 file changed, 23 insertions(+), 8 deletions(-)
>
>diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
>index 9197a1b..9f7c758 100644
>--- a/fs/jfs/jfs_dtree.c
>+++ b/fs/jfs/jfs_dtree.c
>@@ -3047,6 +3047,14 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
>
> dir_index = (u32) filp->f_pos;
>
>+ /*
>+ * NFSv4 reserves cookies 1 and 2 for . and .. so the value
>+ * we return to the vfs is one greater than the one we use
>+ * internally.
>+ */
>+ if (dir_index)
>+ dir_index--;
>+
> if (dir_index > 1) {
> struct dir_table_slot dirtab_slot;
>
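
Review bot: The new comment above `if (dir_index) dir_index--;` says NFSv4 reserves cookies 1 and 2, while the changelog says values 0-2 are reserved; the two should agree so the off-by-one mapping is unambiguous. Also, `dir_index` is taken from `(u32) filp->f_pos` before the decrement, so an end-of-directory position would be decremented as well unless it is rejected earlier in jfs_readdir(); that check is not visible in this hunk and is worth confirming.
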
>@@ -3086,7 +3094,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> if (p->header.flag & BT_INTERNAL) {
> jfs_err("jfs_readdir: bad index table");
> DT_PUTPAGE(mp);
>- filp->f_pos = -1;
>+ filp->f_pos = DIREND;
> return 0;
> }
> } else {
>@@ -3094,7 +3102,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> /*
> * self "."
> */
>- filp->f_pos = 0;
>+ filp->f_pos = 1;
> if (filldir(dirent, ".", 1, 0, ip->i_ino,
> DT_DIR))
> return 0;
>@@ -3102,7 +3110,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> /*
> * parent ".."
> */
>- filp->f_pos = 1;
>+ filp->f_pos = 2;
> if (filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR))
> return 0;
>
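
Review bot: In the ".." block, `filp->f_pos` becomes 2 but the offset argument in `filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR)` is still the literal 1, and the "." block in the previous hunk likewise keeps 0 while f_pos becomes 1. The legacy path further down passes `filp->f_pos` to filldir(); if the literals are intentional here, a short comment saying so would help, otherwise pass `filp->f_pos` for consistency.
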
>@@ -3123,24 +3131,25 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> /*
> * Legacy filesystem - OS/2 & Linux JFS < 0.3.6
> *
>- * pn = index = 0: First entry "."
>- * pn = 0; index = 1: Second entry ".."
>+ * pn = 0; index = 1: First entry "."
>+ * pn = 0; index = 2: Second entry ".."
> * pn > 0: Real entries, pn=1 -> leftmost page
> * pn = index = -1: No more entries
> */
> dtpos = filp->f_pos;
>- if (dtpos == 0) {
>+ if (dtpos < 2) {
> /* build "." entry */
>
>+ filp->f_pos = 1;
> if (filldir(dirent, ".", 1, filp->f_pos, ip->i_ino,
> DT_DIR))
> return 0;
>- dtoffset->index = 1;
>+ dtoffset->index = 2;
> filp->f_pos = dtpos;
> }
>
> if (dtoffset->pn == 0) {
>- if (dtoffset->index == 1) {
>+ if (dtoffset->index == 2) {
> /* build ".." entry */
>
> if (filldir(dirent, "..", 2, filp->f_pos,
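
Review bot: The widened test `if (dtpos < 2)` in the legacy path also matches a negative `dtpos`, and the comment just above still documents `pn = index = -1` as "No more entries". If `dtpos` is signed, an end-of-directory position would rebuild the "." entry unless it is filtered out before this point, which this hunk does not show; please confirm that, and consider updating the comment to name DIREND as the index-table path now does.
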
>@@ -3233,6 +3242,12 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
> }
> jfs_dirent->position = unique_pos++;
> }
>+ /*
>+ * We add 1 to the index because we may
>+ * use a value of 2 internally, and NFSv4
>+ * doesn't like that.
>+ */
>+ jfs_dirent->position++;
> } else {
> jfs_dirent->position = dtpos;
> len = min(d_namleft, DTLHDRDATALEN_LEGACY);
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Mon, 2 Sep 2013 09:53:59 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>, Matt Burtch
> <matt at grid-net.com>
>Subject: [PATCH 14/58] USB-Serial: Fix error handling of usb_wwan
>Message-ID:
> <1378112083-9475-15-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Matt Burtch <matt at grid-net.com>
>
>commit 6c1ee66a0b2bdbd64c078fba684d640cf2fd38a9 upstream.
>
>This fixes an issue where the bulk-in urb used for incoming data transfer
>is not resubmitted if the packet received contains an error status. This
>results in the driver locking until the port is closed and re-opened.
>
>Tested on a custom board with a Cinterion GSM module.
>
>Signed-off-by: Matt Burtch <matt at grid-net.com>
>Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>[ luis: backported to 3.5:
> - adjusted context
> - replaced dev_err() by printk() ]
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> drivers/usb/serial/usb_wwan.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
>diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c
>index 25c8ee9..2956414 100644
>--- a/drivers/usb/serial/usb_wwan.c
>+++ b/drivers/usb/serial/usb_wwan.c
>@@ -297,18 +297,18 @@ static void usb_wwan_indat_callback(struct urb *urb)
> tty_kref_put(tty);
> }
>
>- /* Resubmit urb so we continue receiving */
>- err = usb_submit_urb(urb, GFP_ATOMIC);
>- if (err) {
>- if (err != -EPERM) {
>- printk(KERN_ERR "%s: resubmit read urb failed. "
>- "(%d)", __func__, err);
>- /* busy also in error unless we are killed */
>- usb_mark_last_busy(port->serial->dev);
>- }
>- } else {
>+ }
>+ /* Resubmit urb so we continue receiving */
>+ err = usb_submit_urb(urb, GFP_ATOMIC);
>+ if (err) {
>+ if (err != -EPERM) {
>+ printk(KERN_ERR "%s: resubmit read urb failed. (%d)\n",
>+ __func__, err);
>+ /* busy also in error unless we are killed */
> usb_mark_last_busy(port->serial->dev);
> }
>+ } else {
>+ usb_mark_last_busy(port->serial->dev);
> }
> }
>
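
Review bot: With the resubmit moved to the tail of usb_wwan_indat_callback(), `usb_submit_urb(urb, GFP_ATOMIC)` now runs for every completion status, and only `-EPERM` from the submit itself is treated as quiet. The status handling sits above this hunk, so please confirm that terminal statuses (for example after unlink or disconnect) cannot turn into a resubmit-and-fail loop that logs on each completion. As a smaller point, both the error branch and the `else` branch end in `usb_mark_last_busy(port->serial->dev)`, so that call could be made once under `if (err != -EPERM)`.
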
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 3
>Date: Mon, 2 Sep 2013 09:54:01 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>, Johan Hovold
> <jhovold at gmail.com>
>Subject: [PATCH 16/58] USB: adutux: fix big-endian device-type
> reporting
>Message-ID:
> <1378112083-9475-17-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Johan Hovold <jhovold at gmail.com>
>
>commit d482b9d558602a9cacab063b1c8779f9b5214da7 upstream.
>
>Make sure the reported device-type on big-endian machines is the same as
>on little-endian ones.
>
>Signed-off-by: Johan Hovold <jhovold at gmail.com>
>Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>[ luis: backported to 3.5: adjusted context ]
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> drivers/usb/misc/adutux.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c
>index 284b854..14d9142 100644
>--- a/drivers/usb/misc/adutux.c
>+++ b/drivers/usb/misc/adutux.c
>@@ -829,7 +829,7 @@ static int adu_probe(struct usb_interface *interface,
>
> /* let the user know what node this device is now attached to */
> dev_info(&interface->dev, "ADU%d %s now attached to /dev/usb/adutux%d\n",
>- udev->descriptor.idProduct, dev->serial_number,
>+ le16_to_cpu(udev->descriptor.idProduct), dev->serial_number,
> (dev->minor - ADU_MINOR_BASE));
> exit:
> dbg(2," %s : leave, return value %p (dev)", __func__, dev);
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 4
>Date: Mon, 2 Sep 2013 09:54:04 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Geert Uytterhoeven <geert at linux-m68k.org>
>Subject: [PATCH 19/58] m68k/atari: ARAnyM - Fix NatFeat module support
>Message-ID:
> <1378112083-9475-20-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Geert Uytterhoeven <geert at linux-m68k.org>
>
>commit e8184e10f89736a23ea6eea8e24cd524c5c513d2 upstream.
>
>As pointed out by Andreas Schwab, pointers passed to ARAnyM NatFeat calls
>should be physical addresses, not virtual addresses.
>
>Fortunately on Atari, physical and virtual kernel addresses are the same,
>as long as normal kernel memory is concerned, so this usually worked fine
>without conversion.
>
>But for modules, pointers to literal strings are located in vmalloc()ed
>memory. Depending on the version of ARAnyM, this causes the nf_get_id()
>call to just fail, or worse, crash ARAnyM itself with e.g.
>
> Gotcha! Illegal memory access. Atari PC = $968c
>
>This is a big issue for distro kernels, who want to have all drivers as
>loadable modules in an initrd.
>
>Add a wrapper for nf_get_id() that copies the literal to the stack to
>work around this issue.
>
>Reported-by: Thorsten Glaser <tg at debian.org>
>Signed-off-by: Geert Uytterhoeven <geert at linux-m68k.org>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> arch/m68k/emu/natfeat.c | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
>
>diff --git a/arch/m68k/emu/natfeat.c b/arch/m68k/emu/natfeat.c
>index 2291a7d..fa277ae 100644
>--- a/arch/m68k/emu/natfeat.c
>+++ b/arch/m68k/emu/natfeat.c
>@@ -18,9 +18,11 @@
> #include <asm/machdep.h>
> #include <asm/natfeat.h>
>
>+extern long nf_get_id2(const char *feature_name);
>+
> asm("\n"
>-" .global nf_get_id,nf_call\n"
>-"nf_get_id:\n"
>+" .global nf_get_id2,nf_call\n"
>+"nf_get_id2:\n"
> " .short 0x7300\n"
> " rts\n"
> "nf_call:\n"
>@@ -29,12 +31,25 @@ asm("\n"
> "1: moveq.l #0,%d0\n"
> " rts\n"
> " .section __ex_table,\"a\"\n"
>-" .long nf_get_id,1b\n"
>+" .long nf_get_id2,1b\n"
> " .long nf_call,1b\n"
> " .previous");
>-EXPORT_SYMBOL_GPL(nf_get_id);
> EXPORT_SYMBOL_GPL(nf_call);
>
>+long nf_get_id(const char *feature_name)
>+{
>+ /* feature_name may be in vmalloc()ed memory, so make a copy */
>+ char name_copy[32];
>+ size_t n;
>+
>+ n = strlcpy(name_copy, feature_name, sizeof(name_copy));
>+ if (n >= sizeof(name_copy))
>+ return 0;
>+
>+ return nf_get_id2(name_copy);
>+}
>+EXPORT_SYMBOL_GPL(nf_get_id);
>+
> void nfprint(const char *fmt, ...)
> {
> static char buf[256];
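
Review bot: The new nf_get_id() wrapper hands `name_copy`, a stack (virtual) address, to nf_get_id2(), while the changelog states that NatFeat calls expect physical addresses; this relies on the identity mapping the changelog describes, so either convert explicitly or say so in the comment next to `char name_copy[32];`. The 32-byte limit is a bare constant, and an over-long name returns 0 silently from the `n >= sizeof(name_copy)` check; a named constant and a note on what 0 means to callers would make the truncation case easier to audit.
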
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 5
>Date: Mon, 2 Sep 2013 09:54:08 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>, Johan Hovold
> <jhovold at gmail.com>
>Subject: [PATCH 23/58] USB: keyspan: fix null-deref at disconnect and
> release
>Message-ID:
> <1378112083-9475-24-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Johan Hovold <jhovold at gmail.com>
>
>commit ff8a43c10f1440f07a5faca0c1556921259f7f76 upstream.
>
>Make sure to fail properly if the device is not accepted during attach
>in order to avoid null-pointer derefs (of missing interface private
>data) at disconnect or release.
>
>Signed-off-by: Johan Hovold <jhovold at gmail.com>
>Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> drivers/usb/serial/keyspan.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
>index 2d35ad4..9b55796 100644
>--- a/drivers/usb/serial/keyspan.c
>+++ b/drivers/usb/serial/keyspan.c
>@@ -2439,7 +2439,7 @@ static int keyspan_startup(struct usb_serial *serial)
> if (d_details == NULL) {
> dev_err(&serial->dev->dev, "%s - unknown product id %x\n",
> __func__, le16_to_cpu(serial->dev->descriptor.idProduct));
>- return 1;
>+ return -ENODEV;
> }
>
> /* Setup private data for serial driver */
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 6
>Date: Mon, 2 Sep 2013 09:54:11 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Takashi Iwai <tiwai at suse.de>, Ralf Baechle <ralf at linux-mips.org>
>Subject: [PATCH 26/58] sound: Fix make allmodconfig on MIPS
>Message-ID:
> <1378112083-9475-27-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Takashi Iwai <tiwai at suse.de>
>
>commit d4702b189c6b951c1cb3260036ff998f719bfb62 upstream.
>
>The compile of soundcard.c is broken on MIPS when allmodconfig is used
>because of the missing MAX_DMA_CHANNELS definition. As a simple
>workaround, just add a Kconfig dependency.
>
>Reported-by: Andrew Morton <akpm at linux-foundation.org>
>Cc: Ralf Baechle <ralf at linux-mips.org>
>Signed-off-by: Takashi Iwai <tiwai at suse.de>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> sound/oss/Kconfig | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/sound/oss/Kconfig b/sound/oss/Kconfig
>index 5849b12..51c4ba9 100644
>--- a/sound/oss/Kconfig
>+++ b/sound/oss/Kconfig
>@@ -250,6 +250,7 @@ config MSND_FIFOSIZE
> menuconfig SOUND_OSS
> tristate "OSS sound modules"
> depends on ISA_DMA_API && VIRT_TO_BUS
>+ depends on !ISA_DMA_SUPPORT_BROKEN
> help
> OSS is the Open Sound System suite of sound card drivers. They make
> sound programming easier since they provide a common API. Say Y or
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 7
>Date: Mon, 2 Sep 2013 09:54:12 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Takashi Iwai <tiwai at suse.de>, Paul Bolle <pebolle at tiscali.nl>
>Subject: [PATCH 27/58] sound: Fix make allmodconfig on MIPS correctly
>Message-ID:
> <1378112083-9475-28-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Paul Bolle <pebolle at tiscali.nl>
>
>commit a62ee234a572b4c98fe98cf5fb18e4e8b0f6e43d upstream.
>
>Commit d4702b189c ("sound: Fix make allmodconfig on MIPS") added a
>(negative) dependency on ISA_DMA_SUPPORT_BROKEN. Since that Kconfig
>symbol doesn't exist, this dependency will always evaluate to true.
>Apparently GENERIC_ISA_DMA_SUPPORT_BROKEN was meant to be used here.
>
>Signed-off-by: Paul Bolle <pebolle at tiscali.nl>
>Signed-off-by: Takashi Iwai <tiwai at suse.de>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> sound/oss/Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/sound/oss/Kconfig b/sound/oss/Kconfig
>index 51c4ba9..1a96402 100644
>--- a/sound/oss/Kconfig
>+++ b/sound/oss/Kconfig
>@@ -250,7 +250,7 @@ config MSND_FIFOSIZE
> menuconfig SOUND_OSS
> tristate "OSS sound modules"
> depends on ISA_DMA_API && VIRT_TO_BUS
>- depends on !ISA_DMA_SUPPORT_BROKEN
>+ depends on !GENERIC_ISA_DMA_SUPPORT_BROKEN
> help
> OSS is the Open Sound System suite of sound card drivers. They make
> sound programming easier since they provide a common API. Say Y or
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>Message: 8
>Date: Mon, 2 Sep 2013 09:54:17 +0100
>From: Luis Henriques <luis.henriques at canonical.com>
>To: linux-kernel at vger.kernel.org, stable at vger.kernel.org,
> kernel-team at lists.ubuntu.com
>Cc: Russell King <rmk+kernel at arm.linux.org.uk>, Stephen Boyd
> <sboyd at codeaurora.org>
>Subject: [PATCH 32/58] ARM: 7810/1: perf: Fix array out of bounds
> access in armpmu_map_hw_event()
>Message-ID:
> <1378112083-9475-33-git-send-email-luis.henriques at canonical.com>
>
>3.5.7.21 -stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Stephen Boyd <sboyd at codeaurora.org>
>
>commit d9f966357b14e356dbd83b8f4a197a287ab4ff83 upstream.
>
>Vince Weaver reports an oops in the ARM perf event code while
>running his perf_fuzzer tool on a pandaboard running v3.11-rc4.
>
>Unable to handle kernel paging request at virtual address 73fd14cc
>pgd = eca6c000
>[73fd14cc] *pgd=00000000
>Internal error: Oops: 5 [#1] SMP ARM
>Modules linked in: snd_soc_omap_hdmi omapdss snd_soc_omap_abe_twl6040 snd_soc_twl6040 snd_soc_omap snd_soc_omap_hdmi_card snd_soc_omap_mcpdm snd_soc_omap_mcbsp snd_soc_core snd_compress regmap_spi snd_pcm snd_page_alloc snd_timer snd soundcore
>CPU: 1 PID: 2790 Comm: perf_fuzzer Not tainted 3.11.0-rc4 #6
>task: eddcab80 ti: ed892000 task.ti: ed892000
>PC is at armpmu_map_event+0x20/0x88
>LR is at armpmu_event_init+0x38/0x280
>pc : [<c001c3e4>] lr : [<c001c17c>] psr: 60000013
>sp : ed893e40 ip : ecececec fp : edfaec00
>r10: 00000000 r9 : 00000000 r8 : ed8c3ac0
>r7 : ed8c3b5c r6 : edfaec00 r5 : 00000000 r4 : 00000000
>r3 : 000000ff r2 : c0496144 r1 : c049611c r0 : edfaec00
>Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
>Control: 10c5387d Table: aca6c04a DAC: 00000015
>Process perf_fuzzer (pid: 2790, stack limit = 0xed892240)
>[<c001c3e4>] (armpmu_map_event+0x20/0x88) from [<c001c17c>] (armpmu_event_init+0x38/0x280)
>[<c001c17c>] (armpmu_event_init+0x38/0x280) from [<c00bf180>] (perf_init_event+0x108/0x180)
>[<c00bf180>] (perf_init_event+0x108/0x180) from [<c00bf440>] (perf_event_alloc+0x248/0x40c)
>[<c00bf440>] (perf_event_alloc+0x248/0x40c) from [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc)
>[<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc) from [<c0012700>] (ret_fast_syscall+0x0/0x48)
>Code: 0a000005 e3540004 0a000016 e3540000 (0791010c)
>
>This is because event->attr.config in armpmu_event_init()
>contains a very large number copied directly from userspace and
>is never checked against the size of the array indexed in
>armpmu_map_hw_event(). Fix the problem by checking the value of
>config before indexing the array and rejecting invalid config
>values.
>
>Reported-by: Vince Weaver <vincent.weaver at maine.edu>
>Tested-by: Vince Weaver <vincent.weaver at maine.edu>
>Acked-by: Will Deacon <will.deacon at arm.com>
>Signed-off-by: Stephen Boyd <sboyd at codeaurora.org>
>Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
>Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>---
> arch/arm/kernel/perf_event.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
>index 522c11d..54fbd46 100644
>--- a/arch/arm/kernel/perf_event.c
>+++ b/arch/arm/kernel/perf_event.c
>@@ -109,7 +109,12 @@ armpmu_map_cache_event(const unsigned (*cache_map)
> static int
> armpmu_map_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
> {
>- int mapping = (*event_map)[config];
>+ int mapping;
>+
>+ if (config >= PERF_COUNT_HW_MAX)
>+ return -EINVAL;
>+
>+ mapping = (*event_map)[config];
> return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
> }
>
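
Review bot: The bound check `if (config >= PERF_COUNT_HW_MAX)` covers the low side only because `config` is a `u64`; a one-line comment that the value arrives unvalidated from userspace, as the changelog explains, would keep a later type change from reopening the out-of-bounds read. The subject and changelog refer to armpmu_map_hw_event() while the function changed here is armpmu_map_event(), so a backport note recording the name difference, like the `[ luis: ... ]` notes on other patches in the series, would help. The hunk header shows armpmu_map_cache_event() directly above; its indices deserve the same check if they are also derived from `config`.
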
>--
>1.8.3.2
>
>
>
>
>------------------------------
>
>--
>kernel-team mailing list
>kernel-team at lists.ubuntu.com
>https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
>
>End of kernel-team Digest, Vol 104, Issue 5
>*******************************************