4.9-stable patches

added patches:
	rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
	rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch

diff --git a/queue-4.9/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch b/queue-4.9/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
new file mode 100644 (file)
index 0000000..20ee0e6
--- /dev/null
+++ b/queue-4.9/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
@@ -0,0 +1,61 @@
+From 5ecce4c9b17bed4dc9cb58bfb10447307569b77b Mon Sep 17 00:00:00 2001
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Tue, 27 Jun 2017 15:09:13 +0300
+Subject: RDMA/uverbs: Check port number supplied by user verbs cmds
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.
+
+The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
+the port number from user input as part of its attributes and assumes
+it is valid. Down on the stack, that parameter is used to access kernel
+data structures.  If the value is invalid, the kernel accesses memory
+it should not.  To prevent this, verify the port number before using it.
+
+BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
+Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
+
+BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
+Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
+
+Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
+Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
+Cc: Tziporet Koren <tziporet@mellanox.com>
+Cc: Alex Polak <alexpo@mellanox.com>
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+
+Modified from upstream commit: helper function rdma_is_port_valid does not
+exist in these kernel versions, so use manual comparisons instead.
+
+ drivers/infiniband/core/uverbs_cmd.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2342,6 +2342,10 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
+       if (copy_from_user(&cmd, buf, sizeof cmd))
+               return -EFAULT;
+ 
++      if (cmd.port_num < rdma_start_port(ib_dev) ||
++          cmd.port_num > rdma_end_port(ib_dev))
++              return -EINVAL;
++
+       INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
+                  out_len);
+ 
+@@ -2882,6 +2886,10 @@ ssize_t ib_uverbs_create_ah(struct ib_uv
+       if (copy_from_user(&cmd, buf, sizeof cmd))
+               return -EFAULT;
+ 
++      if (cmd.attr.port_num < rdma_start_port(ib_dev) ||
++          cmd.attr.port_num > rdma_end_port(ib_dev))
++              return -EINVAL;
++
+       uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
+       if (!uobj)
+               return -ENOMEM;

diff --git a/queue-4.9/rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch b/queue-4.9/rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch
new file mode 100644 (file)
index 0000000..74cc165
--- /dev/null
+++ b/queue-4.9/rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch
@@ -0,0 +1,52 @@
+From fe0dfd6358a17c79bd7d6996af7512ba452a7059 Mon Sep 17 00:00:00 2001
+From: Yifeng Li <tomli@tomli.me>
+Date: Thu, 4 May 2017 01:34:14 +0800
+Subject: rt286: add Thinkpad Helix 2 to force_combo_jack_table
+
+From: Yifeng Li <tomli@tomli.me>
+
+commit fe0dfd6358a17c79bd7d6996af7512ba452a7059 upstream.
+
+Thinkpad Helix 2 is a tablet PC, the audio is powered by Core M
+broadwell-audio and rt286 codec. For all versions of Linux kernel,
+the stereo output doesn't work properly when earphones are plugged
+in, the sound was coming out from both channels even if the audio
+contains only the left or right channel. Furthermore, if a music
+recorded in stereo is played, the two channels cancle out each other
+out, as a result, no voice but only distorted background music can be
+heard, like a sound card with builtin a Karaoke sount effect.
+
+Apparently this tablet uses a combo jack with polarity incorrectly
+set by rt286 driver. This patch adds DMI information of Thinkpad Helix 2
+to force_combo_jack_table[] and the issue is resolved. The microphone
+input doesn't work regardless to the presence of this patch and still
+needs help from other developers to investigate.
+
+This is my first patch to LKML directly, sorry for CC-ing too many
+people here.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=93841
+Signed-off-by: Yifeng Li <tomli@tomli.me>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/rt286.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -1108,6 +1108,13 @@ static const struct dmi_system_id force_
+                       DMI_MATCH(DMI_PRODUCT_NAME, "Kabylake Client platform")
+               }
+       },
++      {
++              .ident = "Thinkpad Helix 2nd",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Helix 2nd")
++              }
++      },
+ 
+       { }
+ };

diff --git a/queue-4.9/series b/queue-4.9/series
index 41b0b5566a2c80766e0c5da9c098774271428244..46153f320c0900bc9982e831acdabba66b6fde2a 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -37,3 +37,5 @@ x86-uaccess-optimize-copy_user_enhanced_fast_string-for-short-strings.patch
 ath10k-override-ce5-config-for-qca9377.patch
 keys-fix-an-error-code-in-request_master_key.patch
 crypto-drbg-fixes-panic-in-wait_for_completion-call.patch
+rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
+rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch