4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Apr 2018 16:23:12 +0000 (18:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Apr 2018 16:23:12 +0000 (18:23 +0200)
added patches:
alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
dmaengine-at_xdmac-fix-rare-residue-corruption.patch
ib-srp-fix-completion-vector-assignment-algorithm.patch
ib-srp-fix-srp_abort.patch
rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch

queue-4.4/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch [new file with mode: 0644]
queue-4.4/dmaengine-at_xdmac-fix-rare-residue-corruption.patch [new file with mode: 0644]
queue-4.4/ib-srp-fix-completion-vector-assignment-algorithm.patch [new file with mode: 0644]
queue-4.4/ib-srp-fix-srp_abort.patch [new file with mode: 0644]
queue-4.4/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch b/queue-4.4/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
new file mode 100644 (file)
index 0000000..6db569a
--- /dev/null
@@ -0,0 +1,59 @@
+From a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 2 Apr 2018 22:41:43 +0200
+Subject: ALSA: pcm: Fix UAF at PCM release via PCM timer access
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream.
+
+The PCM runtime object is created and freed dynamically at PCM stream
+open / close time.  This is tracked via substream->runtime, and it's
+cleared at snd_pcm_detach_substream().
+
+The runtime object assignment is protected by PCM open_mutex, so for
+all PCM operations, it's safely handled.  However, each PCM substream
+provides also an ALSA timer interface, and user-space can access to
+this while closing a PCM substream.  This may eventually lead to a
+UAF, as snd_pcm_timer_resolution() tries to access the runtime while
+clearing it in other side.
+
+Fortunately, it's the only concurrent access from the PCM timer, and
+it merely reads runtime->timer_resolution field.  So, we can avoid the
+race by reordering kfree() and wrapping the substream->runtime
+clearance with the corresponding timer lock.
+
+Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -28,6 +28,7 @@
+ #include <sound/core.h>
+ #include <sound/minors.h>
+ #include <sound/pcm.h>
++#include <sound/timer.h>
+ #include <sound/control.h>
+ #include <sound/info.h>
+@@ -1025,8 +1026,13 @@ void snd_pcm_detach_substream(struct snd
+       snd_free_pages((void*)runtime->control,
+                      PAGE_ALIGN(sizeof(struct snd_pcm_mmap_control)));
+       kfree(runtime->hw_constraints.rules);
+-      kfree(runtime);
++      /* Avoid concurrent access to runtime via PCM timer interface */
++      if (substream->timer)
++              spin_lock_irq(&substream->timer->lock);
+       substream->runtime = NULL;
++      if (substream->timer)
++              spin_unlock_irq(&substream->timer->lock);
++      kfree(runtime);
+       put_pid(substream->pid);
+       substream->pid = NULL;
+       substream->pstr->substream_opened--;
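Review bot: The lock covers only the `substream->runtime = NULL` store, so the kfree() moved below the unlock is safe only if the timer-side reader (snd_pcm_timer_resolution(), per the description) reads both the pointer and `runtime->timer_resolution` while holding the same `timer->lock`; that reader is outside this hunk and the assumption is worth confirming. The new comment could state the contract: `/* Clear under timer->lock: the PCM timer reads runtime->timer_resolution under the same lock, so the kfree() below cannot race with it */`. `substream->timer` is tested twice without any lock; if it can only change while no stream is attached that is fine, but a local `struct snd_timer *timer = substream->timer;` would make the assumption explicit and avoid the repeated test. snd_pcm_detach_substream() starts and ends outside the hunk.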
diff --git a/queue-4.4/dmaengine-at_xdmac-fix-rare-residue-corruption.patch b/queue-4.4/dmaengine-at_xdmac-fix-rare-residue-corruption.patch
new file mode 100644 (file)
index 0000000..1523d78
--- /dev/null
@@ -0,0 +1,71 @@
+From c5637476bbf9bb86c7f0413b8f4822a73d8d2d07 Mon Sep 17 00:00:00 2001
+From: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+Date: Thu, 22 Feb 2018 12:39:55 +0100
+Subject: dmaengine: at_xdmac: fix rare residue corruption
+
+From: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+
+commit c5637476bbf9bb86c7f0413b8f4822a73d8d2d07 upstream.
+
+Despite the efforts made to correctly read the NDA and CUBC registers,
+the order in which the registers are read could sometimes lead to an
+inconsistent state.
+
+Re-using the timeline from the comments, this following timing of
+registers reads could lead to reading NDA with value "@desc2" and
+CUBC with value "MAX desc1":
+
+ INITD --------                    ------------
+              |____________________|
+       _______________________  _______________
+ NDA       @desc2             \/   @desc3
+       _______________________/\_______________
+       __________  ___________  _______________
+ CUBC       0    \/ MAX desc1 \/  MAX desc2
+       __________/\___________/\_______________
+        |  |          |  |
+Events:(1)(2)        (3)(4)
+
+(1) check_nda = @desc2
+(2) initd = 1
+(3) cur_ubc = MAX desc1
+(4) cur_nda = @desc2
+
+This is allowed by the condition ((check_nda == cur_nda) && initd),
+despite cur_ubc and cur_nda being in the precise state we don't want.
+
+This error leads to incorrect residue computation.
+
+Fix it by inversing the order in which CUBC and INITD are read. This
+makes sure that NDA and CUBC are always read together either _before_
+INITD goes to 0 or _after_ it is back at 1.
+The case where NDA is read before INITD is at 0 and CUBC is read after
+INITD is back at 1 will be rejected by check_nda and cur_nda being
+different.
+
+Fixes: 53398f488821 ("dmaengine: at_xdmac: fix residue corruption")
+Cc: stable@vger.kernel.org
+Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/at_xdmac.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -1473,10 +1473,10 @@ at_xdmac_tx_status(struct dma_chan *chan
+       for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) {
+               check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
+               rmb();
+-              initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
+-              rmb();
+               cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC);
+               rmb();
++              initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
++              rmb();
+               cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
+               rmb();
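Review bot: Nothing in the code explains why CUBC must now be read before INITD; the reasoning exists only in the commit message, and the timing diagram in the existing comments that the description refers to (outside this hunk) still describes the old order unless it is updated too. A short comment above the CUBC read would carry it: `/* Read CUBC before INITD so NDA and CUBC are always sampled together, either before INITD drops or after it is back at 1; the mixed case is rejected by check_nda != cur_nda */`. The retry loop's exit condition that relies on this is also outside the hunk. at_xdmac_tx_status() starts and ends outside the hunk.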
diff --git a/queue-4.4/ib-srp-fix-completion-vector-assignment-algorithm.patch b/queue-4.4/ib-srp-fix-completion-vector-assignment-algorithm.patch
new file mode 100644 (file)
index 0000000..26abae2
--- /dev/null
@@ -0,0 +1,49 @@
+From 3a148896b24adf8688dc0c59af54531931677a40 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Mon, 12 Feb 2018 09:50:25 -0800
+Subject: IB/srp: Fix completion vector assignment algorithm
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 3a148896b24adf8688dc0c59af54531931677a40 upstream.
+
+Ensure that cv_end is equal to ibdev->num_comp_vectors for the
+NUMA node with the highest index. This patch improves spreading
+of RDMA channels over completion vectors and thereby improves
+performance, especially on systems with only a single NUMA node.
+This patch drops support for the comp_vector login parameter by
+ignoring the value of that parameter since I have not found a
+good way to combine support for that parameter and automatic
+spreading of RDMA channels over completion vectors.
+
+Fixes: d92c0da71a35 ("IB/srp: Add multichannel support")
+Reported-by: Alexander Schmid <alex@modula-shop-systems.de>
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Alexander Schmid <alex@modula-shop-systems.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -3311,12 +3311,10 @@ static ssize_t srp_create_target(struct
+                                     num_online_nodes());
+               const int ch_end = ((node_idx + 1) * target->ch_count /
+                                   num_online_nodes());
+-              const int cv_start = (node_idx * ibdev->num_comp_vectors /
+-                                    num_online_nodes() + target->comp_vector)
+-                                   % ibdev->num_comp_vectors;
+-              const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors /
+-                                  num_online_nodes() + target->comp_vector)
+-                                 % ibdev->num_comp_vectors;
++              const int cv_start = node_idx * ibdev->num_comp_vectors /
++                                   num_online_nodes();
++              const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors /
++                                 num_online_nodes();
+               int cpu_idx = 0;
+               for_each_online_cpu(cpu) {
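Review bot: `target->comp_vector` is still parsed from the login string but is no longer used after this change, so a user who sets it gets no indication that it is ignored; the parsing site is outside the hunk and would benefit from a one-time warning or a note in the parameter's help text saying the value is ignored. Separately, the new formulas give `cv_end == cv_start` whenever `ibdev->num_comp_vectors < num_online_nodes()` (for example a single completion vector on a multi-node system); this was presumably also possible with the old modulo form, but whether the loop below copes with an empty range depends on code outside the hunk and is worth checking. srp_create_target() starts and ends outside the hunk.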
diff --git a/queue-4.4/ib-srp-fix-srp_abort.patch b/queue-4.4/ib-srp-fix-srp_abort.patch
new file mode 100644 (file)
index 0000000..0b1cd8b
--- /dev/null
@@ -0,0 +1,41 @@
+From e68088e78d82920632eba112b968e49d588d02a2 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Fri, 23 Feb 2018 14:09:24 -0800
+Subject: IB/srp: Fix srp_abort()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit e68088e78d82920632eba112b968e49d588d02a2 upstream.
+
+Before commit e494f6a72839 ("[SCSI] improved eh timeout handler") it
+did not really matter whether or not abort handlers like srp_abort()
+called .scsi_done() when returning another value than SUCCESS. Since
+that commit however this matters. Hence only call .scsi_done() when
+returning SUCCESS.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2581,9 +2581,11 @@ static int srp_abort(struct scsi_cmnd *s
+               ret = FAST_IO_FAIL;
+       else
+               ret = FAILED;
+-      srp_free_req(ch, req, scmnd, 0);
+-      scmnd->result = DID_ABORT << 16;
+-      scmnd->scsi_done(scmnd);
++      if (ret == SUCCESS) {
++              srp_free_req(ch, req, scmnd, 0);
++              scmnd->result = DID_ABORT << 16;
++              scmnd->scsi_done(scmnd);
++      }
+       return ret;
+ }
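Review bot: The reason the completion is now conditional lives only in the commit message; the code reads as if the request is simply dropped on FAST_IO_FAIL/FAILED. A comment on the new `if` would preserve it: `/* Complete the command only on SUCCESS; for other results the SCSI error handler still owns it (see e494f6a72839) */`. Whether the request resources that srp_free_req() released on the failure paths are now reclaimed by the later error-handler escalation is outside this hunk and should be confirmed. srp_abort() starts outside the hunk.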
diff --git a/queue-4.4/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch b/queue-4.4/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch
new file mode 100644 (file)
index 0000000..c755615
--- /dev/null
@@ -0,0 +1,35 @@
+From 8435168d50e66fa5eae01852769d20a36f9e5e83 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Tue, 3 Apr 2018 15:33:01 -0700
+Subject: RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit 8435168d50e66fa5eae01852769d20a36f9e5e83 upstream.
+
+Check to make sure that ctx->cm_id->device is set before we use it.
+Otherwise userspace can trigger a NULL dereference by doing
+RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: <syzbot+a67bc93e14682d92fc2f@syzkaller.appspotmail.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1230,6 +1230,9 @@ static int ucma_set_ib_path(struct ucma_
+       if (!optlen)
+               return -EINVAL;
++      if (!ctx->cm_id->device)
++              return -EINVAL;
++
+       memset(&sa_path, 0, sizeof(sa_path));
+       ib_sa_unpack_path(path_data->path_rec, &sa_path);
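Review bot: The new check reads `ctx->cm_id->device` with no lock visible in the hunk, so it closes the NULL dereference only if that pointer cannot change between this check and the later uses; whether a parallel bind/resolve on the same id can set it concurrently, and what serialises this path against that, is outside the hunk and worth confirming. Returning `-EINVAL` also makes the "not bound to a device" case indistinguishable from the bad-length case just above it; `-ENODEV` would be the conventional code, though a stable backport should keep whatever upstream returns. ucma_set_ib_path() starts and ends outside the hunk.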
index f012d91e1cd1fea242e71a9747276558c2887c7a..ae2b00c212783fd9d85352a3a752bf1f5b8ec7da 100644 (file)
@@ -49,3 +49,8 @@ jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch
 ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch
 ext4-add-validity-checks-for-bitmap-block-numbers.patch
 ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch
+rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch
+alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
+ib-srp-fix-srp_abort.patch
+ib-srp-fix-completion-vector-assignment-algorithm.patch
+dmaengine-at_xdmac-fix-rare-residue-corruption.patch