4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jan 2020 15:12:57 +0000 (16:12 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jan 2020 15:12:57 +0000 (16:12 +0100)
added patches:
alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
block-fix-an-integer-overflow-in-logical-block-size.patch
clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
fix-built-in-early-load-intel-microcode-alignment.patch

queue-4.9/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch [new file with mode: 0644]
queue-4.9/block-fix-an-integer-overflow-in-logical-block-size.patch [new file with mode: 0644]
queue-4.9/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch [new file with mode: 0644]
queue-4.9/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch [new file with mode: 0644]
queue-4.9/fix-built-in-early-load-intel-microcode-alignment.patch [new file with mode: 0644]

diff --git a/queue-4.9/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch b/queue-4.9/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
new file mode 100644 (file)
index 0000000..a720c7d
--- /dev/null
@@ -0,0 +1,54 @@
+From 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 15 Jan 2020 21:37:33 +0100
+Subject: ALSA: seq: Fix racy access for queue timer in proc read
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.
+
+snd_seq_info_timer_read() reads the information of the timer assigned
+for each queue, but it's done in a racy way which may lead to UAF as
+spotted by syzkaller.
+
+This patch applies the missing q->timer_mutex lock while accessing the
+timer object as well as a slight code change to adapt the standard
+coding style.
+
+Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_timer.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -479,15 +479,19 @@ void snd_seq_info_timer_read(struct snd_
+               q = queueptr(idx);
+               if (q == NULL)
+                       continue;
+-              if ((tmr = q->timer) == NULL ||
+-                  (ti = tmr->timeri) == NULL) {
+-                      queuefree(q);
+-                      continue;
+-              }
++              mutex_lock(&q->timer_mutex);
++              tmr = q->timer;
++              if (!tmr)
++                      goto unlock;
++              ti = tmr->timeri;
++              if (!ti)
++                      goto unlock;
+               snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
+               resolution = snd_timer_resolution(ti) * tmr->ticks;
+               snd_iprintf(buffer, "  Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
+               snd_iprintf(buffer, "  Skew : %u / %u\n", tmr->skew, tmr->skew_base);
++unlock:
++              mutex_unlock(&q->timer_mutex);
+               queuefree(q);
+       }
+ }
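Review bot: The new critical section opened by `mutex_lock(&q->timer_mutex);` only removes the UAF if every writer of q->timer and tmr->timeri takes the same mutex, and none of those writers is visible in this hunk, so a one-line comment above the lock, `/* q->timer and tmr->timeri may only change under q->timer_mutex */`, would record the invariant the fix depends on. Note that `ti->timer->name` and `snd_timer_resolution(ti)` are now evaluated with the mutex held, and kernel mutexes are not recursive, so nothing on that path may try to take q->timer_mutex again. The opening of snd_seq_info_timer_read, including the loop header and the declarations of tmr and ti, lies outside the hunk.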
diff --git a/queue-4.9/block-fix-an-integer-overflow-in-logical-block-size.patch b/queue-4.9/block-fix-an-integer-overflow-in-logical-block-size.patch
new file mode 100644 (file)
index 0000000..48439d6
--- /dev/null
@@ -0,0 +1,116 @@
+From ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 15 Jan 2020 08:35:25 -0500
+Subject: block: fix an integer overflow in logical block size
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream.
+
+Logical block size has type unsigned short. That means that it can be at
+most 32768. However, there are architectures that can run with 64k pages
+(for example arm64) and on these architectures, it may be possible to
+create block devices with 64k block size.
+
+For exmaple (run this on an architecture with 64k pages):
+
+Mount will fail with this error because it tries to read the superblock using 2-sector
+access:
+  device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536
+  EXT4-fs (dm-0): unable to read superblock
+
+This patch changes the logical block size from unsigned short to unsigned
+int to avoid the overflow.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-settings.c            |    2 +-
+ drivers/md/dm-snap-persistent.c |    2 +-
+ drivers/md/raid0.c              |    2 +-
+ include/linux/blkdev.h          |    8 ++++----
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -349,7 +349,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size
+  *   storage device can address.  The default of 512 covers most
+  *   hardware.
+  **/
+-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size)
++void blk_queue_logical_block_size(struct request_queue *q, unsigned int size)
+ {
+       q->limits.logical_block_size = size;
+--- a/drivers/md/dm-snap-persistent.c
++++ b/drivers/md/dm-snap-persistent.c
+@@ -17,7 +17,7 @@
+ #include "dm-bufio.h"
+ #define DM_MSG_PREFIX "persistent snapshot"
+-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32      /* 16KB */
++#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U     /* 16KB */
+ #define DM_PREFETCH_CHUNKS            12
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -82,7 +82,7 @@ static int create_strip_zones(struct mdd
+       char b[BDEVNAME_SIZE];
+       char b2[BDEVNAME_SIZE];
+       struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL);
+-      unsigned short blksize = 512;
++      unsigned blksize = 512;
+       *private_conf = ERR_PTR(-ENOMEM);
+       if (!conf)
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -277,6 +277,7 @@ struct queue_limits {
+       unsigned int            max_sectors;
+       unsigned int            max_segment_size;
+       unsigned int            physical_block_size;
++      unsigned int            logical_block_size;
+       unsigned int            alignment_offset;
+       unsigned int            io_min;
+       unsigned int            io_opt;
+@@ -286,7 +287,6 @@ struct queue_limits {
+       unsigned int            discard_granularity;
+       unsigned int            discard_alignment;
+-      unsigned short          logical_block_size;
+       unsigned short          max_segments;
+       unsigned short          max_integrity_segments;
+@@ -996,7 +996,7 @@ extern void blk_queue_max_discard_sector
+               unsigned int max_discard_sectors);
+ extern void blk_queue_max_write_same_sectors(struct request_queue *q,
+               unsigned int max_write_same_sectors);
+-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
++extern void blk_queue_logical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_alignment_offset(struct request_queue *q,
+                                      unsigned int alignment);
+@@ -1221,7 +1221,7 @@ static inline unsigned int queue_max_seg
+       return q->limits.max_segment_size;
+ }
+-static inline unsigned short queue_logical_block_size(struct request_queue *q)
++static inline unsigned queue_logical_block_size(struct request_queue *q)
+ {
+       int retval = 512;
+@@ -1231,7 +1231,7 @@ static inline unsigned short queue_logic
+       return retval;
+ }
+-static inline unsigned short bdev_logical_block_size(struct block_device *bdev)
++static inline unsigned int bdev_logical_block_size(struct block_device *bdev)
+ {
+       return queue_logical_block_size(bdev_get_queue(bdev));
+ }
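Review bot: `queue_logical_block_size` now returns `unsigned`, but its local in the same function stays `int retval = 512;`, so the limit is still routed through a signed int before the implicit conversion on return; change it to `unsigned int retval = 512;` so the local matches the new field type. The patch also mixes spellings, `unsigned` in raid0.c and in queue_logical_block_size versus `unsigned int` in bdev_logical_block_size and blk_queue_logical_block_size, which kernel style prefers to keep uniform as `unsigned int`. Any other 4.9 consumer that still copies the limit into an `unsigned short` would keep truncating a 64k value; that cannot be checked from this hunk. The body of queue_logical_block_size continues outside the hunk.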
diff --git a/queue-4.9/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch b/queue-4.9/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
new file mode 100644 (file)
index 0000000..9e8d841
--- /dev/null
@@ -0,0 +1,65 @@
+From 12ead77432f2ce32dea797742316d15c5800cb32 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 25 Dec 2019 08:34:29 -0800
+Subject: clk: Don't try to enable critical clocks if prepare failed
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 12ead77432f2ce32dea797742316d15c5800cb32 upstream.
+
+The following traceback is seen if a critical clock fails to prepare.
+
+bcm2835-clk 3f101000.cprman: plld: couldn't lock PLL
+------------[ cut here ]------------
+Enabling unprepared plld_per
+WARNING: CPU: 1 PID: 1 at drivers/clk/clk.c:1014 clk_core_enable+0xcc/0x2c0
+...
+Call trace:
+ clk_core_enable+0xcc/0x2c0
+ __clk_register+0x5c4/0x788
+ devm_clk_hw_register+0x4c/0xb0
+ bcm2835_register_pll_divider+0xc0/0x150
+ bcm2835_clk_probe+0x134/0x1e8
+ platform_drv_probe+0x50/0xa0
+ really_probe+0xd4/0x308
+ driver_probe_device+0x54/0xe8
+ device_driver_attach+0x6c/0x78
+ __driver_attach+0x54/0xd8
+...
+
+Check return values from clk_core_prepare() and clk_core_enable() and
+bail out if any of those functions returns an error.
+
+Cc: Jerome Brunet <jbrunet@baylibre.com>
+Fixes: 99652a469df1 ("clk: migrate the count of orphaned clocks at init")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lkml.kernel.org/r/20191225163429.29694-1-linux@roeck-us.net
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/clk.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2448,11 +2448,17 @@ static int __clk_core_init(struct clk_co
+       if (core->flags & CLK_IS_CRITICAL) {
+               unsigned long flags;
+-              clk_core_prepare(core);
++              ret = clk_core_prepare(core);
++              if (ret)
++                      goto out;
+               flags = clk_enable_lock();
+-              clk_core_enable(core);
++              ret = clk_core_enable(core);
+               clk_enable_unlock(flags);
++              if (ret) {
++                      clk_core_unprepare(core);
++                      goto out;
++              }
+       }
+       /*
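Review bot: The new `goto out` on a failed prepare or enable leaves `__clk_core_init` after the core has presumably already been linked into the clock tree earlier in the function, so whether a half-initialized critical clock remains reachable depends on the caller unwinding that linkage on a non-zero return; that is not visible here and should be confirmed against clk_register's error path in 4.9. The `clk_core_unprepare(core);` before the second goto correctly balances the prepare that succeeded. A comment on that line, `/* undo the prepare above; the caller handles the remaining unwind */`, would record the intent. `ret` and the `out:` label are assumed to exist in the surrounding function, which starts and ends outside the hunk.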
diff --git a/queue-4.9/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch b/queue-4.9/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
new file mode 100644 (file)
index 0000000..c07edf4
--- /dev/null
@@ -0,0 +1,42 @@
+From 4881873f4cc1460f63d85fa81363d56be328ccdc Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sat, 30 Nov 2019 19:53:37 +0100
+Subject: dt-bindings: reset: meson8b: fix duplicate reset IDs
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit 4881873f4cc1460f63d85fa81363d56be328ccdc upstream.
+
+According to the public S805 datasheet the RESET2 register uses the
+following bits for the PIC_DC, PSC and NAND reset lines:
+- PIC_DC is at bit 3 (meaning: RESET_VD_RMEM + 3)
+- PSC is at bit 4 (meaning: RESET_VD_RMEM + 4)
+- NAND is at bit 5 (meaning: RESET_VD_RMEM + 4)
+
+Update the reset IDs of these three reset lines so they don't conflict
+with PIC_DC and map to the actual hardware reset lines.
+
+Fixes: 79795e20a184eb ("dt-bindings: reset: Add bindings for the Meson SoC Reset Controller")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/dt-bindings/reset/amlogic,meson8b-reset.h |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/dt-bindings/reset/amlogic,meson8b-reset.h
++++ b/include/dt-bindings/reset/amlogic,meson8b-reset.h
+@@ -95,9 +95,9 @@
+ #define RESET_VD_RMEM                 64
+ #define RESET_AUDIN                   65
+ #define RESET_DBLK                    66
+-#define RESET_PIC_DC                  66
+-#define RESET_PSC                     66
+-#define RESET_NAND                    66
++#define RESET_PIC_DC                  67
++#define RESET_PSC                     68
++#define RESET_NAND                    69
+ #define RESET_GE2D                    70
+ #define RESET_PARSER_REG              71
+ #define RESET_PARSER_FETCH            72
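Review bot: The description's third bullet says NAND is at bit 5 but writes it as `RESET_VD_RMEM + 4`, while the new define reads `69`, which is 64 + 5; the bullet should read `- NAND is at bit 5 (meaning: RESET_VD_RMEM + 5)` so the text matches the values being queued. Since this is a dt-bindings header, moving RESET_PSC and RESET_NAND from 66 to 68 and 69 also changes the binding ABI for any device tree compiled against the old header; the old values were duplicates of RESET_DBLK and so presumably never addressed the intended lines, but the stable queue should record that previously built DTBs will map these two resets differently after this backport.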
diff --git a/queue-4.9/fix-built-in-early-load-intel-microcode-alignment.patch b/queue-4.9/fix-built-in-early-load-intel-microcode-alignment.patch
new file mode 100644 (file)
index 0000000..5ccdf8b
--- /dev/null
@@ -0,0 +1,54 @@
+From f5ae2ea6347a308cfe91f53b53682ce635497d0d Mon Sep 17 00:00:00 2001
+From: Jari Ruusu <jari.ruusu@gmail.com>
+Date: Sun, 12 Jan 2020 15:00:53 +0200
+Subject: Fix built-in early-load Intel microcode alignment
+
+From: Jari Ruusu <jari.ruusu@gmail.com>
+
+commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream.
+
+Intel Software Developer's Manual, volume 3, chapter 9.11.6 says:
+
+ "Note that the microcode update must be aligned on a 16-byte boundary
+  and the size of the microcode update must be 1-KByte granular"
+
+When early-load Intel microcode is loaded from initramfs, userspace tool
+'iucode_tool' has already 16-byte aligned those microcode bits in that
+initramfs image.  Image that was created something like this:
+
+ iucode_tool --write-earlyfw=FOO.cpio microcode-files...
+
+However, when early-load Intel microcode is loaded from built-in
+firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that
+16-byte alignment is not guaranteed.
+
+Fix this by forcing all built-in firmware BLOBs to 16-byte alignment.
+
+[ If we end up having other firmware with much bigger alignment
+  requirements, we might need to introduce some method for the firmware
+  to specify it, this is the minimal "just increase the alignment a bit
+  to account for this one special case" patch    - Linus ]
+
+Signed-off-by: Jari Ruusu <jari.ruusu@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ firmware/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/firmware/Makefile
++++ b/firmware/Makefile
+@@ -156,7 +156,7 @@ quiet_cmd_fwbin = MK_FW   $@
+                 PROGBITS=$(if $(CONFIG_ARM),%,@)progbits;                  \
+                 echo "/* Generated by firmware/Makefile */"           > $@;\
+                 echo "    .section .rodata"                           >>$@;\
+-                echo "    .p2align $${ASM_ALIGN}"                     >>$@;\
++                echo "    .p2align 4"                                 >>$@;\
+                 echo "_fw_$${FWSTR}_bin:"                             >>$@;\
+                 echo "    .incbin \"$(2)\""                           >>$@;\
+                 echo "_fw_end:"                                       >>$@;\
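Review bot: With `.p2align 4` hard-coded, the `ASM_ALIGN` shell variable that the replaced line consumed appears to have no remaining reader in cmd_fwbin; if its assignment, which sits earlier in the recipe outside this hunk, is now dead, drop it in the same change rather than leaving a value that is computed and never used. Because the recipe emits generated assembly, the reason for the constant is not obvious at the point of use, so a make comment above the quiet_cmd_fwbin definition, outside this hunk, along the lines of `# 16-byte alignment: required for built-in early-load Intel microcode (SDM vol. 3, 9.11.6)`, would keep the rationale next to the number. The quiet_cmd_fwbin recipe starts before and ends after this hunk.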