Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y 2019-07-26T07:13:08Z 2019-07-26T07:13:08Z Norbert Manthey nmanthey@amazon.de 2019-07-05T13:06:00Z urn:sha1:09afa9e360259e8c797c5778df73c9bb645a0725 commit 4c6d80e1144bdf48cae6b602ae30d41f3e5c76a9 upstream. The pstore_mkfile() function is passed a pointer to a struct pstore_record. On success it consumes this 'record' pointer and references it from the created inode. On failure, however, it may or may not free the record. There are even two different code paths which return -ENOMEM -- one of which does and the other doesn't free the record. Make the behaviour deterministic by never consuming and freeing the record when returning failure, allowing the caller to do the cleanup consistently. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> Link: https://lore.kernel.org/r/1562331960-26198-1-git-send-email-nmanthey@amazon.de Fixes: 83f70f0769ddd ("pstore: Do not duplicate record metadata") Fixes: 1dfff7dd67d1a ("pstore: Pass record contents instead of copying") Cc: stable@vger.kernel.org [kees: also move "private" allocation location, rename inode cleanup label] Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-06-11T10:19:16Z Kees Cook keescook@chromium.org 2019-05-31T06:37:29Z urn:sha1:e66c7cd0e2649b7105ff53e7cbed4df8120aa40d commit 8880fa32c557600f5f624084152668ed3c2ea51e upstream. The ram pstore backend has always had the crash dumper frontend enabled unconditionally. However, it was possible to effectively disable it by setting a record_size=0. All the machinery would run (storing dumps to the temporary crash buffer), but 0 bytes would ultimately get stored due to there being no przs allocated for dumps. Commit 89d328f637b9 ("pstore/ram: Correctly calculate usable PRZ bytes"), however, assumed that there would always be at least one allocated dprz for calculating the size of the temporary crash buffer. This was, of course, not the case when record_size=0, and would lead to a NULL deref trying to find the dprz buffer size: BUG: unable to handle kernel NULL pointer dereference at (null) ... IP: ramoops_probe+0x285/0x37e (fs/pstore/ram.c:808) cxt->pstore.bufsize = cxt->dprzs[0]->buffer_size; Instead, we need to only enable the frontends based on the success of the prz initialization and only take the needed actions when those zones are available. (This also fixes a possible error in detecting if the ftrace frontend should be enabled.) Reported-and-tested-by: Yaro Slav <yaro330@gmail.com> Fixes: 89d328f637b9 ("pstore/ram: Correctly calculate usable PRZ bytes") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-06-11T10:19:16Z Pi-Hsun Shih pihsun@chromium.org 2019-05-20T06:51:19Z urn:sha1:3d388ad42027b8155c635aa3b9699eba76e4585b commit a9fb94a99bb515d8720ba8440ce3aba84aec80f8 upstream. Set tfm to NULL on free_buf_for_compression() after crypto_free_comp(). This avoid a use-after-free when allocate_buf_for_compression() and free_buf_for_compression() are called twice. Although free_buf_for_compression() freed the tfm, allocate_buf_for_compression() won't reinitialize the tfm since the tfm pointer is not NULL. Fixes: 95047b0519c1 ("pstore: Refactor compression initialization") Signed-off-by: Pi-Hsun Shih <pihsun@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-02-12T21:45:53Z Kees Cook keescook@chromium.org 2019-02-12T21:09:36Z urn:sha1:93ee4b7d9f0632690713aee604c49e298e634094 Since the header is a fixed small maximum size, just use a stack variable to avoid memory allocation in the write path. Signed-off-by: Kees Cook <keescook@chromium.org> 2019-02-12T20:38:54Z Yue Hu huyue2@yulong.com 2019-02-01T03:27:32Z urn:sha1:47afd7ae65c737bfef67e9eb1424723d13b06787 If zero-length header happened in ramoops_write_kmsg_hdr(), that means we will not be able to read back dmesg record later, since it will be treated as invalid header in ramoops_pstore_read(). So we should not execute the following code but return the error. Signed-off-by: Yue Hu <huyue2@yulong.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2019-02-12T20:10:43Z Yue Hu huyue2@yulong.com 2019-01-23T08:56:48Z urn:sha1:1e0f67a96aedd0b5fbd3ae743e68a26606ea98e8 Since only one single ramoops area allowed at a time, other probes (like device tree) are meaningless, as it will waste CPU resources. So let's check for being already initialized first. Signed-off-by: Yue Hu <huyue2@yulong.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2019-02-12T20:09:49Z Yue Hu huyue2@yulong.com 2019-01-31T10:12:46Z urn:sha1:4c6c4d34536744f2c9e171ef5bb548a06a525501 Sometimes pstore_console_write() will write records with zero size to persistent ram zone, which is unnecessary. It will only increase resource consumption. Also adjust ramoops_write_kmsg_hdr() to have same logic if memory allocation fails. Signed-off-by: Yue Hu <huyue2@yulong.com> Signed-off-by: Kees Cook <keescook@chromium.org> 2019-01-22T03:32:17Z Yue Hu huyue2@yulong.com 2019-01-21T10:20:41Z urn:sha1:182ca6e0ae23550cf98d05daeab8dcb7fdc0a928 In ramoops_register_dummy() dummy_data is allocated via kzalloc() then it will always occupy the heap space after register platform device via platform_device_register_data(), but it will not be used any more. So let's free it for system usage, replace it with stack memory is better due to small size. Signed-off-by: Yue Hu <huyue2@yulong.com> [kees: add required memset and adjust sizeof() argument] Signed-off-by: Kees Cook <keescook@chromium.org> 2019-01-20T22:44:52Z Kees Cook keescook@chromium.org 2019-01-20T22:33:34Z urn:sha1:5631e8576a3caf606cdc375f97425a67983b420c Yue Hu noticed that when parsing device tree the allocated platform data was never freed. Since it's not used beyond the function scope, this switches to using a stack variable instead. Reported-by: Yue Hu <huyue2@yulong.com> Fixes: 35da60941e44 ("pstore/ram: add Device Tree bindings") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> 2019-01-17T17:14:06Z Sai Prakash Ranjan saiprakash.ranjan@codeaurora.org 2019-01-17T17:09:29Z urn:sha1:6a4c9ab13feeacd3072175d7d1f1fcfabbb9fc90 commit b05c950698fe ("pstore/ram: Simplify ramoops_get_next_prz() arguments") changed update assignment in getting next persistent ram zone by adding a check for record type. But the check always returns true since the record type is assigned 0. And this breaks console ramoops by showing current console log instead of previous log on warm reset and hard reset (actually hard reset should not be showing any logs). Fix this by having persistent ram zone type check instead of record type check. Tested this on SDM845 MTP and dragonboard 410c. Reproducing this issue is simple as below: 1. Trigger hard reset and mount pstore. Will see console-ramoops record in the mounted location which is the current log. 2. Trigger warm reset and mount pstore. Will see the current console-ramoops record instead of previous record. Fixes: b05c950698fe ("pstore/ram: Simplify ramoops_get_next_prz() arguments") Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org> Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org> [kees: dropped local variable usage] Signed-off-by: Kees Cook <keescook@chromium.org>