android_kernel_oneplus_msm8998/drivers
Coly Li 8b47af927e bcache: fix stack corruption by PRECEDING_KEY()
commit 31b90956b124240aa8c63250243ae1a53585c5e2 upstream.

Recently people have reported that bcache code compiled with gcc9 is broken;
one of the buggy behaviors I observe is that two adjacent 4KB I/Os which
should merge into one don't. Finally it turns out to be a stack corruption
caused by macro PRECEDING_KEY().

See how PRECEDING_KEY() is defined in bset.h,
437 #define PRECEDING_KEY(_k)                                       \
438 ({                                                              \
439         struct bkey *_ret = NULL;                               \
440                                                                 \
441         if (KEY_INODE(_k) || KEY_OFFSET(_k)) {                  \
442                 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0);  \
443                                                                 \
444                 if (!_ret->low)                                 \
445                         _ret->high--;                           \
446                 _ret->low--;                                    \
447         }                                                       \
448                                                                 \
449         _ret;                                                   \
450 })

At line 442, _ret points to the address of an on-stack variable combined by
KEY(); the life range of this on-stack variable is lines 442-446. Once
_ret is returned to bch_btree_insert_key(), the returned address points to
an invalid stack address, and this address is overwritten in the
subsequently called bch_btree_iter_init(). Then the argument 'search' of
bch_btree_iter_init() points to some address inside the stack frame of
bch_btree_iter_init(); the exact address depends on how the compiler
allocates stack space. Now the stack is corrupted.

Fixes: 0eacac2203 ("bcache: PRECEDING_KEY()")
Signed-off-by: Coly Li <colyli@suse.de>
Reviewed-by: Rolf Fokkens <rolf@rolffokkens.nl>
Reviewed-by: Pierre JUHEN <pierre.juhen@orange.fr>
Tested-by: Shenghui Wang <shhuiw@foxmail.com>
Tested-by: Pierre JUHEN <pierre.juhen@orange.fr>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Nix <nix@esperi.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-22 08:18:23 +02:00
accessibility
acpi ACPI / SBS: Fix GPE storm on recent MacBookPro's 2019-04-27 09:33:58 +02:00
amba
android binder: replace "%p" with "%pK" 2019-06-11 12:24:10 +02:00
ata libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk 2019-06-22 08:18:22 +02:00
atm atm: he: fix sign-extension overflow on large shift 2019-03-23 08:44:16 +01:00
auxdisplay
base PM / core: Propagate dev->power.wakeup_path when no callbacks 2019-06-11 12:24:00 +02:00
bcma
block xsysace: Fix error handling in ace_setup 2019-05-16 19:45:02 +02:00
bluetooth Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" 2018-11-27 16:08:01 +01:00
bus
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-27 09:33:52 +02:00
char virtio_console: initialize vtermno value for ports 2019-06-11 12:24:04 +02:00
clk clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 2019-06-22 08:18:20 +02:00
clocksource clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown 2019-03-23 08:44:35 +01:00
connector
cpufreq cpufreq: pmac32: fix possible object reference leak 2019-06-11 12:24:01 +02:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-20 10:13:09 +01:00
crypto crypto: vmx - ghash: do nosimd fallback manually 2019-06-11 12:24:07 +02:00
dca
devfreq PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() 2018-11-10 07:41:40 -08:00
dio
dma dmaengine: idma64: Use actual device for DMA transfers 2019-06-22 08:18:21 +02:00
dma-buf
edac
eisa
extcon extcon: arizona: Disable mic detect if running when driver is removed 2019-06-11 12:24:01 +02:00
firewire
firmware efi: stub: define DISABLE_BRANCH_PROFILING for all architectures 2019-04-03 06:23:20 +02:00
fmc
fpga
gpio gpio: gpio-omap: add check for off wake capable gpios 2019-06-22 08:18:21 +02:00
gpu drm/bridge: adv7511: Fix low refresh rate selection 2019-06-22 08:18:19 +02:00
hid HID: core: move Usage Page concatenation to Main item 2019-06-11 12:24:03 +02:00
hsi
hv Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels 2019-01-13 10:05:27 +01:00
hwmon hwmon: (f71805f) Use request_muxed_region for Super-IO accesses 2019-06-11 12:24:00 +02:00
hwspinlock
hwtracing intel_th: msu: Fix single mode with IOMMU 2019-06-11 12:23:44 +02:00
i2c i2c: acorn: fix i2c warning 2019-06-22 08:18:22 +02:00
ide ide: pmac: add of_node_put() 2018-12-21 14:09:52 +01:00
idle
iio iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data 2019-06-11 12:24:02 +02:00
infiniband RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure 2019-06-11 12:23:59 +02:00
input Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ 2019-05-16 19:45:03 +02:00
iommu iommu/vt-d: Set intel_iommu_gfx_mapped correctly 2019-06-22 08:18:19 +02:00
ipack
irqchip irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable 2019-03-23 08:44:27 +01:00
isdn mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S 2019-04-03 06:23:25 +02:00
leds leds: lp55xx: fix null deref on firmware load failure 2019-04-27 09:33:51 +02:00
lguest
lightnvm
macintosh
mailbox
mcb
md bcache: fix stack corruption by PRECEDING_KEY() 2019-06-22 08:18:23 +02:00
media media: uvcvideo: Fix uvc_alloc_entity() allocation alignment 2019-06-11 12:24:12 +02:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-06-11 12:23:46 +02:00
memstick memstick: Prevent memstick host from getting runtime suspended during card detection 2019-02-20 10:13:09 +01:00
message
mfd mfd: twl6040: Fix device init errors for ACCCTL register 2019-06-22 08:18:19 +02:00
misc genwqe: Prevent an integer overflow in the ioctl 2019-06-11 12:24:13 +02:00
mmc mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support 2019-06-11 12:24:00 +02:00
mtd mtd: rawnand: gpmi: fix MX28 bus master lockup problem 2019-02-20 10:13:17 +01:00
net net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query 2019-06-11 12:24:12 +02:00
nfc NFC: nxp-nci: Include unaligned.h instead of access_ok.h 2019-02-20 10:13:20 +01:00
ntb
nubus
nvdimm libnvdimm/btt: Fix a kmemdup failure check 2019-05-16 19:45:05 +02:00
nvme
nvmem nvmem: core: fix read buffer in place 2019-06-22 08:18:20 +02:00
of of: add helper to lookup compatible child node 2018-12-01 09:46:35 +01:00
oprofile
parisc parisc: Use implicit space register selection for loading the coherence index of I/O pdirs 2019-06-11 12:24:13 +02:00
parport parport_pc: fix find_superio io compare code, should use equal test. 2019-03-23 08:44:37 +01:00
pci PCI: xilinx: Check for __get_free_pages() failure 2019-06-22 08:18:21 +02:00
pcmcia pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges 2018-11-21 09:27:30 +01:00
perf
phy
pinctrl pinctrl: pistachio: fix leaked of_node references 2019-06-11 12:23:57 +02:00
platform platform/chrome: cros_ec_proto: check for NULL transfer function 2019-06-22 08:18:20 +02:00
pnp
power power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG 2019-06-11 12:23:49 +02:00
powercap
pps
ps3
ptp ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl 2019-02-20 10:13:05 +01:00
pwm pwm: Fix deadlock warning when removing PWM device 2019-06-22 08:18:21 +02:00
rapidio
ras
regulator regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting 2019-04-27 09:33:53 +02:00
remoteproc
reset
rpmsg
rtc rtc: 88pm860x: prevent use-after-free on device remove 2019-06-11 12:23:54 +02:00
s390 scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) 2019-06-11 12:24:09 +02:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:09:52 +01:00
scsi scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices 2019-06-11 12:24:05 +02:00
sfi
sh
sn
soc soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher 2019-06-22 08:18:20 +02:00
spi dmaengine: idma64: Use actual device for DMA transfers 2019-06-22 08:18:21 +02:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-06-11 12:23:53 +02:00
staging iio: hmc5843: fix potential NULL pointer dereferences 2019-06-11 12:24:02 +02:00
target scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock 2019-03-23 08:44:35 +01:00
tc TC: Set DMA masks for devices 2018-11-21 09:27:36 +01:00
thermal thermal/int340x_thermal: fix mode setting 2019-04-27 09:33:57 +02:00
thunderbolt
tty dmaengine: idma64: Use actual device for DMA transfers 2019-06-22 08:18:21 +02:00
uio uio: Fix an Oops on load 2018-11-27 16:08:02 +01:00
usb USB: rio500: fix memory leak in close after disconnect 2019-06-11 12:24:09 +02:00
uwb
vfio vfio/pci: use correct format characters 2019-05-16 19:45:01 +02:00
vhost vhost: make sure used idx is seen before log in vhost_add_used_n() 2019-01-13 10:05:28 +01:00
video video: imsttfb: fix potential NULL pointer dereferences 2019-06-22 08:18:21 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:45:18 +02:00
virtio
vlynq
vme
w1 w1: fix the resume command API 2019-06-11 12:23:55 +02:00
watchdog
xen fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock 2019-06-11 12:24:13 +02:00
zorro
Kconfig
Makefile