This patch corrects a buffer overflow in kernels from 3.0 to 3.4 when calling the
log_prefix() function from call_console_drivers().
This bug existed in previous releases but was revealed by commit
162a7e7500 (2.6.39 => 3.0), which changed how memory for the
early printk buffer is allocated (use of memblock_alloc).
It disappears with commit 7ff9554bb578ba02166071d2d487b7fc7d860d62 (3.4 => 3.5),
which refactors printk buffer management.
In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or
"simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow, as this
function is called from call_console_drivers() with "&LOG_BUF(cur_index)",
where the index must be masked so as not to exceed the buffer's boundary.
The trick is to prepare in call_console_drivers() a buffer with the necessary
data (PRI field of syslog message) to be safely evaluated in log_prefix().
This patch can be applied to stable kernel branches 3.0.y, 3.2.y and 3.4.y.
Without this patch, one can freeze a server by running this loop from a shell:
$ export DUMMY=`cat /dev/urandom | tr -dc '12345AZERTYUIOPQSDFGHJKLMWXCVBNazertyuiopqsdfghjklmwxcvbn' | head -c255`
$ while true; do echo "$DUMMY" > /dev/kmsg; done
The "server freeze" depends on where memblock_alloc allocates the printk buffer:
if the buffer overflow lands inside another kernel allocation the problem may not
be revealed; otherwise the server may hang.
Signed-off-by: Alexandre SIMON <Alexandre.Simon@univ-lorraine.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
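The masking problem the commit describes, as an added illustration that is not the kernel's code and not part of the original commit message. It uses a constructed 16-byte ring indexed through a LOG_BUF()-style mask; the ring size, the PRI_MAX bound and the function names are assumptions made for this example. pri_bytes_past_end() shows how far a straight pointer read from &LOG_BUF(cur_index) would run past the ring, and parse_pri_masked() shows the fix: stage the PRI field through a small local buffer, fetching every byte with the mask applied, before parsing it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the printk ring buffer: a power-of-two array
 * indexed through a mask, like the kernel's LOG_BUF(idx) macro. The size
 * (16 bytes) and the PRI_MAX bound are assumptions for this illustration. */
#define LOG_BUF_LEN  16u
#define LOG_BUF_MASK (LOG_BUF_LEN - 1u)
#define LOG_BUF(ring, idx) ((ring)[(idx) & LOG_BUF_MASK])
#define PRI_MAX 5u   /* '<' + up to three digits + '>' */

/* The unfixed pattern takes &LOG_BUF(cur_index) and then reads p[1], p[2]
 * ... without re-masking. This returns how many of PRI_MAX bytes such a
 * read would touch past the end of the ring (0 means no overrun). */
static unsigned pri_bytes_past_end(unsigned cur_index)
{
    unsigned start = cur_index & LOG_BUF_MASK;
    return start + PRI_MAX > LOG_BUF_LEN ? start + PRI_MAX - LOG_BUF_LEN : 0;
}

/* The fix the commit describes: stage the PRI field into a small local
 * buffer, fetching every byte through the mask, then parse that copy.
 * Returns 1 and sets *level/*consumed on a well-formed "<N>" prefix. */
static int parse_pri_masked(const char *ring, unsigned cur_index,
                            int *level, unsigned *consumed)
{
    char pri[PRI_MAX + 1];
    unsigned i, n = 1;
    int val = 0;

    for (i = 0; i < PRI_MAX; i++)
        pri[i] = LOG_BUF(ring, cur_index + i);   /* wrap-around handled here */
    pri[PRI_MAX] = '\0';

    *level = -1;
    *consumed = 0;
    if (pri[0] != '<')
        return 0;
    while (n < PRI_MAX && pri[n] >= '0' && pri[n] <= '9') {
        val = val * 10 + (pri[n] - '0');
        n++;
    }
    if (n == 1 || pri[n] != '>')
        return 0;   /* no digits, or prefix not closed within PRI_MAX */
    *level = val;
    *consumed = n + 1;
    return 1;
}

/* Constructed sample: write "<7>hi" starting at index 14 so the PRI field
 * straddles the end of the ring (indices 14, 15, 0), then parse it.
 * Returns the parsed level, or -1 on failure. */
static int demo_wrapped_level(void)
{
    static const char msg[] = "<7>hi";
    char ring[LOG_BUF_LEN];
    int level;
    unsigned consumed, i;

    memset(ring, 'x', sizeof ring);
    for (i = 0; msg[i] != '\0'; i++)
        LOG_BUF(ring, 14u + i) = msg[i];

    return parse_pri_masked(ring, 14u, &level, &consumed) ? level : -1;
}

int main(void)
{
    printf("unmasked read at index 14 would run %u byte(s) past the ring\n",
           pri_bytes_past_end(14u));
    printf("masked parse of wrapped record: level %d\n", demo_wrapped_level());
    return 0;
}
```

With a real CONFIG_LOG_BUF_SHIFT-sized buffer the overrun is the same few bytes, which is why the symptom depends on what memblock_alloc happens to place after the ring.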
When the new signal handlers are set up, the location of sa_restorer is
not cleared, leaking a parent process's address space location to
children. This allows for a potential bypass of the parent's ASLR by
examining the sa_restorer value returned when calling sigaction().
Based on what should be considered "secret" about addresses, it only
matters across the exec not the fork (since the VMAs haven't changed
until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
this is where it should be fixed.
Given the few uses of sa_restorer, a "set" function was not written
since this would be the only use. Instead, we use
__ARCH_HAS_SA_RESTORER, as already done in other places.
Example of the leak before applying this patch:
$ cat /proc/$$/maps
...
7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
...
$ ./leak
...
7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
...
1 0 (nil) 0x7fb9f30b94a0
2 4000000 (nil) 0x7f278bcaa4a0
3 4000000 (nil) 0x7f278bcaa4a0
4 0 (nil) 0x7fb9f30b94a0
...
[akpm@linux-foundation.org: use SA_RESTORER for backportability]
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Emese Revfy <re.emese@gmail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Julien Tinnes <jln@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
wake_up_process() should never wakeup a TASK_STOPPED/TRACED task.
Change it to use TASK_NORMAL and add the WARN_ON().
TASK_ALL has no other users, probably can be killed.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
putreg() assumes that the tracee is not running and pt_regs_access() can
safely play with its stack. However a killed tracee can return from
ptrace_stop() to the low-level asm code and do RESTORE_REST, this means
that debugger can actually read/modify the kernel stack until the tracee
does SAVE_REST again.
set_task_blockstep() can race with SIGKILL too, and in some sense this
race is even worse: the very fact that the tracee can be woken up breaks the
logic.
As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace()
call; this ensures that nobody can ever wake up the tracee while the
debugger looks at it. Not only does this fix the mentioned problems, we
can also do some cleanups/simplifications in arch_ptrace() paths.
Probably ptrace_unfreeze_traced() needs more callers, for example it
makes sense to make the tracee killable for oom-killer before
access_process_vm().
While at it, add the comment into may_ptrace_stop() to explain why
ptrace_stop() still can't rely on SIGKILL and signal_pending_state().
Reported-by: Salman Qazi <sqazi@google.com>
Reported-by: Suleiman Souhlal <suleiman@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Iliyan Malchev <malchev@google.com>
Conflicts:
arch/x86/kernel/step.c
Cleanup and preparation for the next change.
signal_wake_up(resume => true) is overused. None of ptrace/jctl callers
actually want to wakeup a TASK_WAKEKILL task, but they can't specify the
necessary mask.
Turn signal_wake_up() into signal_wake_up_state(state), reintroduce
signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up()
which adds __TASK_TRACED.
This way ptrace_signal_wake_up() can work "inside" ptrace_request()
even if the tracee doesn't have the TASK_WAKEKILL bit set.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
get_monotonic_boottime adds three nanosecond values stored
in longs, followed by an s64. If the long values are all
close to 1e9 the first three additions can overflow and
become negative when added to the s64. Cast the first
value to s64 so that all additions are 64 bit.
Change-Id: Ic996d8b6fbef0b72f2d027b0d8ef5259b5c1a540
Signed-off-by: Colin Cross <ccross@android.com>
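The overflow and the cast that fixes it, as an added illustration rather than the kernel's timekeeping code or part of the original commit message. A 32-bit long is emulated with int32_t so the example behaves the same on a 64-bit host; the parameter names (wall, tomono, sleep, extra) and the emulation helper are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulate a 32-bit 'long' (as on the 32-bit ARM targets this code ran on):
 * sum in uint32_t so the wrap is well defined, then reinterpret as
 * two's-complement int32_t. The helper and the 32-bit assumption are ours. */
static int32_t add3_as_long32(int32_t a, int32_t b, int32_t c)
{
    uint32_t s = (uint32_t)a + (uint32_t)b + (uint32_t)c;
    return (int32_t)s;
}

/* Before the fix: the three long nanosecond fields are summed in long and
 * only then widened when added to the s64. Three values near 1e9 exceed
 * INT32_MAX (about 2.147e9), so the partial sum has already gone negative. */
static int64_t boottime_nsec_before(int32_t wall_nsec, int32_t tomono_nsec,
                                    int32_t sleep_nsec, int64_t extra_ns)
{
    return (int64_t)add3_as_long32(wall_nsec, tomono_nsec, sleep_nsec) + extra_ns;
}

/* After the fix: casting the first operand to s64 makes every addition
 * 64-bit, so the intermediate sums cannot overflow. */
static int64_t boottime_nsec_after(int32_t wall_nsec, int32_t tomono_nsec,
                                   int32_t sleep_nsec, int64_t extra_ns)
{
    return (int64_t)wall_nsec + tomono_nsec + sleep_nsec + extra_ns;
}

int main(void)
{
    const int32_t n = 999999999;   /* each field just under one second */
    printf("before: %lld\n", (long long)boottime_nsec_before(n, n, n, 0));
    printf("after:  %lld\n", (long long)boottime_nsec_after(n, n, n, 0));
    return 0;
}
```

The two functions agree whenever the long sum fits in 32 bits; they diverge exactly when all three fields are near 1e9, which is the case the commit message describes.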
Add code to calculate the run queue depth of a cpu and iowait
depth of the cpu.
The scheduler calls in to sched_update_nr_prod whenever there
is a runqueue change. This function maintains the runqueue average
and the iowait of that cpu in that time interval.
Whoever wants to know the runqueue average is expected to call
sched_get_nr_running_avg periodically to get the accumulated
runqueue and iowait averages for all the cpus.
Signed-off-by: Jeff Ohlstein <johlstei@codeaurora.org>
(cherry picked from commit 0299fcaaad80e2c0ac9aa583c95107f6edc27750)
Signed-off-by: Ram Kumar Chakravarthy Chebathini <rcheba@codeaurora.org>
(cherry picked from commit 5325d8a44f8296170cd8f42e245dd79f7b7347bf)
Change-Id: I92875789886c3f7c2457a063de4b3b6d8c893718
Signed-off-by: Sudhir Sharma <sudsha@codeaurora.org>
A killed task can stay in the task list long after its
memory has been returned to the system, therefore
ignore any tasks whose mm struct has been freed.
Change-Id: I76394b203b4ab2312437c839976f0ecb7b6dde4e
CRs-fixed: 450383
Signed-off-by: Liam Mark <lmark@codeaurora.org>
Calling coresight_abort() on kernel panic will stop/disable the
current sink and dump other necessary info to aid post crash
analysis.
Change-Id: I9d1b0ab2ba9d1a665727ea436df0c906fc80dab7
Signed-off-by: Pratik Patel <pratikp@codeaurora.org>
Since we can use ftrace event to also log printk to STM, remove
direct logging of printk to STM.
Change-Id: I903e2584b40565513342864827455f0a6cbf2260
Signed-off-by: Pratik Patel <pratikp@codeaurora.org>
Adding two (or more) timers with large values for "expires" (they have
to reside within tv5 in the same list) leads to endless looping
between cascade() and internal_add_timer() in case CONFIG_BASE_SMALL
is one and jiffies are crossing the value 1 << 18. The bug was
introduced between 2.6.11 and 2.6.12 (and survived for quite some
time).
This patch ensures that when cascade() is called timers within tv5 are
not added endlessly to their own list again, instead they are added to
the next lower tv level tv4 (as expected).
Change-Id: Ia4e9b79767a4d255f676ecbb739b537bbe7033af
Signed-off-by: Christian Hildner <christian.hildner@siemens.com>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Link: http://lkml.kernel.org/r/98673C87CB31274881CFFE0B65ECC87B0F5FC1963E@DEFTHW99EA4MSX.ww902.siemens.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
worker_enter_idle() has WARN_ON_ONCE() which triggers if nr_running
isn't zero when every worker is idle. This can trigger spuriously
while a cpu is going down due to the way trustee sets %WORKER_ROGUE
and zaps nr_running.
It first sets %WORKER_ROGUE on all workers without updating
nr_running, releases gcwq->lock, schedules, regrabs gcwq->lock and
then zaps nr_running. If the last running worker enters idle
inbetween, it would see stale nr_running which hasn't been zapped yet
and trigger the WARN_ON_ONCE().
Fix it by performing the sanity check iff the trustee is idle.
Change-Id: I78c6300647a9e14a5f5f27fee0679d9072481188
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org
The min/max call needed to have explicit types on some architectures
(e.g. mn10300). Use clamp_t instead to avoid the warning:
kernel/sys.c: In function 'override_release':
kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dup ftrace event traffic (including writes to trace_marker file from
userspace) to STM. Also dup printk traffic to STM. This allows Linux
tracing and log data to be correlated with other data transported over
STM.
Change-Id: Ieb0b856447f7667eb0005a6a884211dc46f50217
Signed-off-by: Pratik Patel <pratikp@codeaurora.org>
Fix NR_IPI to be 7 instead of 6 because both googly and core add
an IPI.
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Conflicts:
arch/arm/Kconfig
arch/arm/common/Makefile
arch/arm/include/asm/hardware/cache-l2x0.h
arch/arm/mm/cache-l2x0.c
arch/arm/mm/mmu.c
include/linux/wakelock.h
kernel/power/Kconfig
kernel/power/Makefile
kernel/power/main.c
kernel/power/power.h
To prevent overflow near 4GB memory address, the rounding down of
memory addresses needs to be propagated to the memory hotplug logic.
Checking if a given pfn is part of physical ram allows us to do this.
Also while walking through system ram, we need to take care of
overflow at high memory address.
Change-Id: Id962cf93906888783a807fe89f2be4ba91b2c5d6
Signed-off-by: Hanumant Singh <hanumant@codeaurora.org>
(cherry picked from commit 28976a80e961f491e51c1cb627311efc4981b69a)
Conflicts:
drivers/base/memory.c
Adding a new ioctl to support the sanitize operation in eMMC
cards version 4.5.
The sanitize ioctl support helps perform this operation
via a user application.
Change-Id: I79aa4163e7753a75bed5a26a9a92de902b4b9c21
Signed-off-by: Yaniv Gardi <ygardi@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
(cherry picked from commit 73937f5face75e05ec2a72966d04f4e20aa18379)
Conflicts:
block/blk-core.c
block/elevator.c
include/linux/blk_types.h
include/linux/blkdev.h
include/linux/fs.h
vt_waitactive now needs a 1 based console number
Change-Id: I07ab9a3773c93d67c09d928c8d5494ce823ffa2e
(cherry picked from commit b28a6a111c2c4779f92f310cfefe10606df4999f)
Avoids a problem where the device sometimes hangs for 20 seconds
before the screen is turned on.
Change-Id: Ib24dad1f0f56d280a80be820200ee9e9aea7a911
(cherry picked from commit 044fb1a352b4d367048b24c8c39abc2e572dc0e7)
Conflicts:
kernel/power/process.c
Use DEBUG_WAKEUP flag to show wakelocks that abort suspend, in
addition to showing wakelocks held during system resume.
DEBUG_WAKEUP is enabled by default.
Change-Id: If6fa68e8afbc482a5300ffab2964694b02b34f41
Signed-off-by: Todd Poynor <toddpoynor@google.com>
(cherry picked from commit ca64b0cd3a12d7704f4e98f4f5d51f41eb5047a2)
If the wakelock driver aborts suspend due to an already-held
wakelock, don't report the next wakelock held as the "wake up
wakelock".
Change-Id: I582ffbb87a3c361739a77d839a0c62921cff11a6
Signed-off-by: Todd Poynor <toddpoynor@google.com>
(cherry picked from commit ed27e538aa97278e26a6c00f14f6e2e076a1a2ae)
When DEBUG_SUSPEND is enabled print active wakelocks when we check
if there are any active wakelocks.
In print_active_locks(), print expired wakelocks if DEBUG_EXPIRE is enabled
Change-Id: Ib1cb795555e71ff23143a2bac7c8a58cbce16547
Signed-off-by: Mike Chan <mike@android.com>
(cherry picked from commit af62b25adba1fe01c91aa88c95d1584371ab2bf9)
Since the workqueue code deletes the work before executing it,
checking for no work item being currently queued to the workqueue
is not sufficient to guarantee that all the works have finished
execution.
Use a counter to guarantee that all the pending suspend_sys_sync()
works have finished execution before returning from
suspend_sys_sync_wait().
CRs-Fixed: 293595
Signed-off-by: Pratik Patel <pratikp@codeaurora.org>
Conflicts:
kernel/power/wakelock.c
(cherry picked from commit 529461b70c7dc20b0371e54a63844edae905d7a2)
Conflicts:
kernel/power/wakelock.c
Change-Id: I501743b6b76e492e1598df83ebc1178835ae8405
Wakeup the userspace poll on change of display status. The
userspace then may take action to change the
power/performance characteristics of the device.
Change-Id: I9bd11f3d895d3d83230104f5d8dcd1deeaa754cd
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
(cherry picked from commit 2fb0354486e2d7b8d73622cbdbb941748a921240)
This fixes the issue where LCD takes a long time to come back up
since the execution of backlight on and late_resume works by the
suspend worker thread is delayed due to one (or more) of the
sys_sync calls in early_suspend and suspend paths taking a long
time (sometimes 15sec or more) for the below reported scenario(s):
Scenario 1 (copy with usb connected):
1. plug usb
2. adb shell
3. busybox cp /sdcard/file1 /sdcard/file2 (copy >= 100MB file1
in sdcard/emmc to file2 in sdcard/emmc)
4. press end key to suspend
5. press end key again and it takes a long time for LCD to come
back up
Scenario 2 (background copy):
1. plug usb
2. adb shell
3. busybox cp /sdcard/file1 /sdcard/file2 & (copy >= 100MB file1
in sdcard/emmc to file2 in sdcard/emmc)
4. disconnect usb
5. press end key to suspend
6. press end key again and it takes a long time for LCD to come
back up
A more common form of Scenario 2 is for the user to just use the
copy function on the UI to copy large file(s).
We address this by moving sys_sync calls to a separate workqueue
and having a timeout polling based mechanism to bail out of suspend
in case of user invoking a wakeup event (like end key press) while
we are waiting for the sys_sync completion at the synchronization
point in suspend worker thread context.
CRs-Fixed: 283994
Change-Id: I6b54af8432e58fd5442817b7388ce2e0b83354b6
Signed-off-by: Pratik Patel <pratikp@codeaurora.org>
(cherry picked from commit 8564b5ebeafa2be276e0004d7d32bd101642fb3d)
Conflicts:
kernel/power/process.c
when enabled, prints out the function of each handler as they are called
Change-Id: I5ed251867e0e3aa3cd05f030ff3579808cedd0c2
Signed-off-by: Erik Gilling <konkers@android.com>
(cherry picked from commit fec502d9a18bbe8045c67bd4f9d3a1ade4e78555)
If EARLYSUSPEND is enabled then writes to /sys/power/state no longer
block, and the kernel will try to enter the requested state every
time no wakelocks are held. Write "on" to resume normal operation.
Change-Id: Icbe3c6fe6f5e0f4a3f948f1495546690ac9fd6e6
(cherry picked from commit 219955f707852f68f5118a515fc43ad067728ab9)
sysfs_notify takes a mutex and therefore cannot be called from atomic
context, such as the interrupt handler in this case. Use a workqueue to schedule
the work instead.
Change-Id: I0a5230fe379aa51f1065df4af9b27f471aa22440
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
(cherry picked from commit 97d68a8b69e87480c436dd8365b438c3d18fed47)
Conflicts:
kernel/power/main.c
Provide userspace with a pollable sysfs entry that it can poll
on while waiting for touch event notification. Once it
is woken up, the userspace can take action to change the
power/performance characteristics of the device for the duration
of the event.
Change-Id: Iab84f729f2ea3a5352c4e5173f78544023a276c1
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
(cherry picked from commit ac2a6d6453c50db7ba7c0b3aa328a3ba48a84abf)
This adds /sys/power/wake_lock and /sys/power/wake_unlock.
Writing a string to wake_lock creates a wake lock the
first time it sees a string and locks it. Optionally, the
string can be followed by a timeout.
To unlock the wake lock, write the same string to wake_unlock.
Change-Id: I66c6e3fe6487d17f9c2fafde1174042e57d15cd7
(cherry picked from commit 025ff0ad2f)
Conflicts:
kernel/power/Makefile
kernel/power/power.h
Rather than signaling a full update of the display from userspace via a
console switch, this patch introduces 2 files in /sys/power,
wait_for_fb_sleep and wait_for_fb_wake. Reading these files will block
until the requested state has been entered. When a read from
wait_for_fb_sleep returns, userspace should stop drawing. When
wait_for_fb_wake returns, it should do a full update. If either is called
when the fb driver is already in the requested state, they will return
immediately.
Signed-off-by: Rebecca Schultz <rschultz@google.com>
Signed-off-by: Arve Hjønnevåg <arve@android.com>
(cherry picked from commit 4b0ea27fc8202b21ce338c82b55eee9c281bd7da)
PM: wakelock: Replace expire work with a timer
The expire work function did not work in the normal case.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
(cherry picked from commit fe6cd633efb6d6070507deee0116be43cf4bc76b)