Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit da5c9d2f authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman
Browse files

Merge 3.18.55 into android-3.18 



Changes in 3.18.55
	USB: ene_usb6250: fix DMA to the stack
	watchdog: pcwd_usb: fix NULL-deref at probe
	char: lp: fix possible integer overflow in lp_setup()
	USB: core: replace %p with %pK
	dm btree: fix for dm_btree_find_lowest_key()
	dm bufio: avoid a possible ABBA deadlock
	dm thin metadata: call precommit before saving the roots
	dm space map disk: fix some book keeping in the disk space map
	mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
	ima: accept previously set IMA_NEW_FILE
	regulator: tps65023: Fix inverted core enable logic.
	ath9k_htc: fix NULL-deref at probe
	cdc-acm: fix possible invalid access when processing notification
	of: fix sparse warning in of_pci_range_parser_one
	of: fdt: add missing allocation-failure check
	iio: dac: ad7303: fix channel description
	pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
	USB: serial: ftdi_sio: fix setting latency for unprivileged users
	USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs
	usb: host: xhci-plat: propagate return value of platform_get_irq()
	usb: host: xhci-mem: allocate zeroed Scratchpad Buffer
	net: irda: irda-usb: fix firmware name on big-endian hosts
	usbvision: fix NULL-deref at probe
	mceusb: fix NULL-deref at probe
	ttusb2: limit messages to buffer size
	usb: musb: tusb6010_omap: Do not reset the other direction's packet size
	USB: iowarrior: fix info ioctl on big-endian hosts
	usb: serial: option: add Telit ME910 support
	USB: serial: qcserial: add more Lenovo EM74xx device IDs
	USB: serial: mct_u232: fix big-endian baud-rate handling
	USB: serial: io_ti: fix div-by-zero in set_termios
	USB: hub: fix SS hub-descriptor handling
	USB: hub: fix non-SS hub-descriptor handling
	tty: Prevent ldisc drivers from re-using stale tty fields
	ipx: call ipxitf_put() in ioctl error path
	iio: proximity: as3935: fix as3935_write
	gspca: konica: add missing endpoint sanity check
	s5p-mfc: Fix unbalanced call to clock management
	dib0700: fix NULL-deref at probe
	zr364xx: enforce minimum size when reading header
	cx231xx-cards: fix NULL-deref at probe
	cx231xx-audio: fix NULL-deref at probe
	powerpc/pseries: Fix of_node_put() underflow during DLPAR remove
	ARM: dts: at91: sama5d3_xplained: fix ADC vref
	ARM: dts: at91: sama5d3_xplained: not all ADC channels are available
	arm64: uaccess: ensure extension of access_ok() addr
	arm64: documentation: document tagged pointer stack constraints
	xc2028: Fix use-after-free bug properly
	mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
	metag/uaccess: Fix access_ok()
	metag/uaccess: Check access_ok in strncpy_from_user
	stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms
	uwb: fix device quirk on big-endian hosts
	osf_wait4(): fix infoleak
	tracing/kprobes: Enforce kprobes teardown after testing
	PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
	PCI: Freeze PME scan before suspending devices
	drivers: char: mem: Check for address space wraparound with mmap()
	usb: misc: legousbtower: Fix memory leak
	Linux 3.18.55

Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@google.com>
parents 2277c64a 6b65a8f6

Documentation/arm64/tagged-pointers.txt

+47 −15
Original line number Diff line number Diff line
@@ -11,24 +11,56 @@ in AArch64 Linux. 
The kernel configures the translation tables so that translations made

via TTBR0 (i.e. userspace mappings) have the top byte (bits 63:56) of

the virtual address ignored by the translation hardware. This frees up

this byte for application use, with the following caveats:

this byte for application use.



	(1) The kernel requires that all user addresses passed to EL1

	    are tagged with tag 0x00. This means that any syscall

	    parameters containing user virtual addresses *must* have

	    their top byte cleared before trapping to the kernel.



	(2) Non-zero tags are not preserved when delivering signals.

	    This means that signal handlers in applications making use

	    of tags cannot rely on the tag information for user virtual

	    addresses being maintained for fields inside siginfo_t.

	    One exception to this rule is for signals raised in response

	    to watchpoint debug exceptions, where the tag information

	    will be preserved.

Passing tagged addresses to the kernel

--------------------------------------



	(3) Special care should be taken when using tagged pointers,

	    since it is likely that C compilers will not hazard two

	    virtual addresses differing only in the upper byte.

All interpretation of userspace memory addresses by the kernel assumes

an address tag of 0x00.



This includes, but is not limited to, addresses found in:



 - pointer arguments to system calls, including pointers in structures

   passed to system calls,



 - the stack pointer (sp), e.g. when interpreting it to deliver a

   signal,



 - the frame pointer (x29) and frame records, e.g. when interpreting

   them to generate a backtrace or call graph.



Using non-zero address tags in any of these locations may result in an

error code being returned, a (fatal) signal being raised, or other modes

of failure.



For these reasons, passing non-zero address tags to the kernel via

system calls is forbidden, and using a non-zero address tag for sp is

strongly discouraged.



Programs maintaining a frame pointer and frame records that use non-zero

address tags may suffer impaired or inaccurate debug and profiling

visibility.





Preserving tags

---------------



Non-zero tags are not preserved when delivering signals. This means that

signal handlers in applications making use of tags cannot rely on the

tag information for user virtual addresses being maintained for fields

inside siginfo_t. One exception to this rule is for signals raised in

response to watchpoint debug exceptions, where the tag information will

be preserved.



The architecture prevents the use of a tagged PC, so the upper byte will

be set to a sign-extension of bit 55 on exception return.





Other considerations

--------------------



Special care should be taken when using tagged pointers, since it is

likely that C compilers will not hazard two virtual addresses differing

only in the upper byte.

Makefile

+1 −1
Original line number Diff line number Diff line 
VERSION = 3

PATCHLEVEL = 18

SUBLEVEL = 54

SUBLEVEL = 55

EXTRAVERSION =

NAME = Diseased Newt

arch/alpha/kernel/osf_sys.c

+4 −2
Original line number Diff line number Diff line
@@ -1183,8 +1183,10 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options, 
	if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))

		return -EFAULT;



	err = 0;

	err |= put_user(status, ustatus);

	err = put_user(status, ustatus);

	if (ret < 0)

		return err ? err : ret;



	err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);

	err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);

	err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);

arch/arm/boot/dts/at91-sama5d3_xplained.dts

+2 −3
Original line number Diff line number Diff line
@@ -143,9 +143,10 @@ 
			};



			adc0: adc@f8018000 {

				atmel,adc-vref = <3300>;

				atmel,adc-channels-used = <0xfe>;

				pinctrl-0 = <

					&pinctrl_adc0_adtrg

					&pinctrl_adc0_ad0

					&pinctrl_adc0_ad1

					&pinctrl_adc0_ad2

					&pinctrl_adc0_ad3
@@ -153,8 +154,6 @@ 
					&pinctrl_adc0_ad5

					&pinctrl_adc0_ad6

					&pinctrl_adc0_ad7

					&pinctrl_adc0_ad8

					&pinctrl_adc0_ad9

					>;

				status = "okay";

			};

arch/arm64/include/asm/uaccess.h

+2 −1
Original line number Diff line number Diff line
@@ -106,11 +106,12 @@ static inline void set_fs(mm_segment_t fs) 
 */

#define __range_ok(addr, size)						\

({									\

	unsigned long __addr = (unsigned long __force)(addr);		\

	unsigned long flag, roksum;					\

	__chk_user_ptr(addr);						\

	asm("adds %1, %1, %3; ccmp %1, %4, #2, cc; cset %0, ls"		\

		: "=&r" (flag), "=&r" (roksum)				\

		: "1" (addr), "Ir" (size),				\

		: "1" (__addr), "Ir" (size),				\

		  "r" (current_thread_info()->addr_limit)		\

		: "cc");						\

	flag;								\