author | Greg Kroah-Hartman <gregkh@google.com> | 2020-06-11 09:37:43 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@google.com> | 2020-06-11 09:37:43 +0200 |
commit | 8d6de4a1be6fd0bd60324751eedd32cb7c3d4c61 (patch) | |
tree | c641777c074ef875ce4da930c3d3c355f137a5c6 /kernel | |
parent | 9fe854df0eac27f6cad5dbdd149cfd499872c493 (diff) | |
parent | b850307b279cbd12ab8c654d1a3dfe55319cc475 (diff) |
Merge 4.14.184 into android-4.14-stable
Changes in 4.14.184
scsi: scsi_devinfo: fixup string compare
libnvdimm: Fix endian conversion issues
scsi: hisi_sas: Check sas_port before using it
spi: dw: use "smp_mb()" to avoid sending spi data error
s390/ftrace: save traced function caller
pppoe: only process PADT targeted at local interfaces
ARC: Fix ICCM & DCCM runtime size checks
ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT
i2c: altera: Fix race between xfer_msg and isr thread
x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables
net: bmac: Fix read of MAC address from ROM
net/ethernet/freescale: rework quiesce/activate for ucc_geth
net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x
net: smsc911x: Fix runtime PM imbalance on error
mm: Fix mremap not considering huge pmd devmap
HID: sony: Fix for broken buttons on DS3 USB dongles
HID: i2c-hid: add Schneider SCL142ALM to descriptor override
p54usb: add AirVasT USB stick device-id
kernel/relay.c: handle alloc_percpu returning NULL in relay_open
mmc: fix compilation of user API
scsi: ufs: Release clock if DMA map fails
airo: Fix read overflows sending packets
devinet: fix memleak in inetdev_init()
l2tp: do not use inet_hash()/inet_unhash()
net: usb: qmi_wwan: add Telit LE910C1-EUX composition
NFC: st21nfca: add missed kfree_skb() in an error path
vsock: fix timeout in vsock_accept()
net: check untrusted gso_size at kernel entry
l2tp: add sk_family checks to l2tp_validate_socket
USB: serial: qcserial: add DW5816e QDL support
USB: serial: usb_wwan: do not resubmit rx urb on fatal errors
USB: serial: option: add Telit LE910C1-EUX compositions
usb: musb: start session in resume for host port
usb: musb: Fix runtime PM imbalance on error
vt: keyboard: avoid signed integer overflow in k_ascii
tty: hvc_console, fix crashes on parallel open/close
staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
CDC-ACM: heed quirk also in error handling
nvmem: qfprom: remove incorrect write support
x86/cpu: Add a steppings field to struct x86_cpu_id
x86/cpu: Add 'table' argument to cpu_matches()
x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation
x86/speculation: Add SRBDS vulnerability and mitigation documentation
x86/speculation: Add Ivy Bridge to affected list
iio: vcnl4000: Fix i2c swapped word reading.
uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
Linux 4.14.184
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3d4d0f186e858b744255fcbd1d3eb9ee89603774
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/events/uprobes.c | 14 |
-rw-r--r-- | kernel/relay.c | 5 |
2 files changed, 15 insertions, 4 deletions
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index c74fc9826250..82270a41acce 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -612,10 +612,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file, if (ret) goto out; - /* uprobe_write_opcode() assumes we don't cross page boundary */ - BUG_ON((uprobe->offset & ~PAGE_MASK) + - UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); - smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ set_bit(UPROBE_COPY_INSN, &uprobe->flags); @@ -894,6 +890,13 @@ int uprobe_register(struct inode *inode, loff_t offset, struct uprobe_consumer * if (offset > i_size_read(inode)) return -EINVAL; + /* + * This ensures that copy_from_page() and copy_to_page() + * can't cross page boundary. + */ + if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE)) + return -EINVAL; + retry: uprobe = alloc_uprobe(inode, offset); if (!uprobe) @@ -1704,6 +1707,9 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr) uprobe_opcode_t opcode; int result; + if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE))) + return -EINVAL; + pagefault_disable(); result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr); pagefault_enable(); diff --git a/kernel/relay.c b/kernel/relay.c index 61d37e6da22d..b141ce697679 100644 --- a/kernel/relay.c +++ b/kernel/relay.c @@ -580,6 +580,11 @@ struct rchan *relay_open(const char *base_filename, return NULL; chan->buf = alloc_percpu(struct rchan_buf *); + if (!chan->buf) { + kfree(chan); + return NULL; + } + chan->version = RELAYFS_CHANNEL_VERSION; chan->n_subbufs = n_subbufs; chan->subbuf_size = subbuf_size; |
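Review bot: In kernel/events/uprobes.c, prepare_uprobe() (hunk @@ -612), the deleted comment was the only statement in this function that uprobe_write_opcode() assumes the breakpoint does not cross a page boundary. With the BUG_ON gone, that invariant rests entirely on the IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE) check added to uprobe_register(). A one-line comment here pointing at that check would keep the assumption discoverable, and it is worth confirming that no other path reaches alloc_uprobe() with an unchecked offset.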
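Review bot: In uprobe_register() (hunk @@ -894), only offset is checked, while the subject line for this change in the list above names both uprobe->offset and ->ref_ctr_offset. The visible part of the signature takes only offset, so if this tree has no ref_ctr_offset the backport note should say the second check was dropped on purpose; otherwise it is missing. The new comment would also be clearer if it stated why alignment is enough, i.e. that it relies on PAGE_SIZE being a multiple of UPROBE_SWBP_INSN_SIZE.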
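Review bot: In is_trap_at_addr() (hunk @@ -1707), the new early return hands back -EINVAL from a function whose name reads as a yes/no predicate. The callers are not visible in this hunk, so please confirm that each one tests for a positive value rather than plain truthiness, since a caller written as "if (is_trap_at_addr(mm, vaddr))" would treat the error as "trap present". A short comment above the function listing the possible return values (negative errno, 0, positive) would document that contract next to the WARN_ON_ONCE.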
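Review bot: In kernel/relay.c, relay_open() (hunk @@ -580), the new error path unwinds with a bare kfree(chan), which is correct only while nothing between the allocation of chan and alloc_percpu() acquires another resource or reference. The visible context shows just an earlier "return NULL;", so that holds here, but if later failure paths in this function use a shared cleanup label it would be more robust to route this one through it as well. Returning NULL also leaves the caller unable to tell allocation failure from a rejected argument, which matches the existing convention in the context line above but deserves a mention in the function's documentation.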