--- /dev/null
+From 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 6 Dec 2020 09:35:27 +0100
+Subject: ALSA: rawmidi: Access runtime->avail always in spinlock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 upstream.
+
+The runtime->avail field may be accessed concurrently while some
+places refer to it without taking the runtime->lock spinlock, as
+detected by KCSAN. Usually this isn't a big problem, but for
+consistency and safety, we should take the spinlock at each place
+referencing this field.
+
+Reported-by: syzbot+a23a6f1215c84756577c@syzkaller.appspotmail.com
+Reported-by: syzbot+3d367d1df1d2b67f5c19@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083527.21163-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c | 49 +++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 35 insertions(+), 14 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -87,11 +87,21 @@ static inline unsigned short snd_rawmidi
+ }
+ }
+
+-static inline int snd_rawmidi_ready(struct snd_rawmidi_substream *substream)
++static inline bool __snd_rawmidi_ready(struct snd_rawmidi_runtime *runtime)
++{
++ return runtime->avail >= runtime->avail_min;
++}
++
++static bool snd_rawmidi_ready(struct snd_rawmidi_substream *substream)
+ {
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
++ unsigned long flags;
++ bool ready;
+
+- return runtime->avail >= runtime->avail_min;
++ spin_lock_irqsave(&runtime->lock, flags);
++ ready = __snd_rawmidi_ready(runtime);
++ spin_unlock_irqrestore(&runtime->lock, flags);
++ return ready;
+ }
+
+ static inline int snd_rawmidi_ready_append(struct snd_rawmidi_substream *substream,
+@@ -960,7 +970,7 @@ int snd_rawmidi_receive(struct snd_rawmi
+ if (result > 0) {
+ if (runtime->event)
+ schedule_work(&runtime->event_work);
+- else if (snd_rawmidi_ready(substream))
++ else if (__snd_rawmidi_ready(runtime))
+ wake_up(&runtime->sleep);
+ }
+ spin_unlock_irqrestore(&runtime->lock, flags);
+@@ -1039,7 +1049,7 @@ static ssize_t snd_rawmidi_read(struct f
+ result = 0;
+ while (count > 0) {
+ spin_lock_irq(&runtime->lock);
+- while (!snd_rawmidi_ready(substream)) {
++ while (!__snd_rawmidi_ready(runtime)) {
+ wait_queue_entry_t wait;
+
+ if ((file->f_flags & O_NONBLOCK) != 0 || result > 0) {
+@@ -1056,9 +1066,11 @@ static ssize_t snd_rawmidi_read(struct f
+ return -ENODEV;
+ if (signal_pending(current))
+ return result > 0 ? result : -ERESTARTSYS;
+- if (!runtime->avail)
+- return result > 0 ? result : -EIO;
+ spin_lock_irq(&runtime->lock);
++ if (!runtime->avail) {
++ spin_unlock_irq(&runtime->lock);
++ return result > 0 ? result : -EIO;
++ }
+ }
+ spin_unlock_irq(&runtime->lock);
+ count1 = snd_rawmidi_kernel_read1(substream,
+@@ -1196,7 +1208,7 @@ int __snd_rawmidi_transmit_ack(struct sn
+ runtime->avail += count;
+ substream->bytes += count;
+ if (count > 0) {
+- if (runtime->drain || snd_rawmidi_ready(substream))
++ if (runtime->drain || __snd_rawmidi_ready(runtime))
+ wake_up(&runtime->sleep);
+ }
+ return count;
+@@ -1363,9 +1375,11 @@ static ssize_t snd_rawmidi_write(struct
+ return -ENODEV;
+ if (signal_pending(current))
+ return result > 0 ? result : -ERESTARTSYS;
+- if (!runtime->avail && !timeout)
+- return result > 0 ? result : -EIO;
+ spin_lock_irq(&runtime->lock);
++ if (!runtime->avail && !timeout) {
++ spin_unlock_irq(&runtime->lock);
++ return result > 0 ? result : -EIO;
++ }
+ }
+ spin_unlock_irq(&runtime->lock);
+ count1 = snd_rawmidi_kernel_write1(substream, buf, NULL, count);
+@@ -1445,6 +1459,7 @@ static void snd_rawmidi_proc_info_read(s
+ struct snd_rawmidi *rmidi;
+ struct snd_rawmidi_substream *substream;
+ struct snd_rawmidi_runtime *runtime;
++ unsigned long buffer_size, avail, xruns;
+
+ rmidi = entry->private_data;
+ snd_iprintf(buffer, "%s\n\n", rmidi->name);
+@@ -1463,13 +1478,16 @@ static void snd_rawmidi_proc_info_read(s
+ " Owner PID : %d\n",
+ pid_vnr(substream->pid));
+ runtime = substream->runtime;
++ spin_lock_irq(&runtime->lock);
++ buffer_size = runtime->buffer_size;
++ avail = runtime->avail;
++ spin_unlock_irq(&runtime->lock);
+ snd_iprintf(buffer,
+ " Mode : %s\n"
+ " Buffer size : %lu\n"
+ " Avail : %lu\n",
+ runtime->oss ? "OSS compatible" : "native",
+- (unsigned long) runtime->buffer_size,
+- (unsigned long) runtime->avail);
++ buffer_size, avail);
+ }
+ }
+ }
+@@ -1487,13 +1505,16 @@ static void snd_rawmidi_proc_info_read(s
+ " Owner PID : %d\n",
+ pid_vnr(substream->pid));
+ runtime = substream->runtime;
++ spin_lock_irq(&runtime->lock);
++ buffer_size = runtime->buffer_size;
++ avail = runtime->avail;
++ xruns = runtime->xruns;
++ spin_unlock_irq(&runtime->lock);
+ snd_iprintf(buffer,
+ " Buffer size : %lu\n"
+ " Avail : %lu\n"
+ " Overruns : %lu\n",
+- (unsigned long) runtime->buffer_size,
+- (unsigned long) runtime->avail,
+- (unsigned long) runtime->xruns);
++ buffer_size, avail, xruns);
+ }
+ }
+ }
--- /dev/null
+From 4ebd47037027c4beae99680bff3b20fdee5d7c1e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 6 Dec 2020 09:34:56 +0100
+Subject: ALSA: seq: Use bool for snd_seq_queue internal flags
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4ebd47037027c4beae99680bff3b20fdee5d7c1e upstream.
+
+The snd_seq_queue struct contains various flags in the bit fields.
+Those are categorized to two different use cases, both of which are
+protected by different spinlocks. That implies that there are still
+potential risks of the bad operations for bit fields by concurrent
+accesses.
+
+For addressing the problem, this patch rearranges those flags to be
+a standard bool instead of a bit field.
+
+Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083456.21110-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_queue.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_queue.h
++++ b/sound/core/seq/seq_queue.h
+@@ -40,10 +40,10 @@ struct snd_seq_queue {
+
+ struct snd_seq_timer *timer; /* time keeper for this queue */
+ int owner; /* client that 'owns' the timer */
+- unsigned int locked:1, /* timer is only accesibble by owner if set */
+- klocked:1, /* kernel lock (after START) */
+- check_again:1,
+- check_blocked:1;
++ bool locked; /* timer is only accesibble by owner if set */
++ bool klocked; /* kernel lock (after START) */
++ bool check_again; /* concurrent access happened during check */
++ bool check_blocked; /* queue being checked */
+
+ unsigned int flags; /* status flags */
+ unsigned int info_flags; /* info for sync */
--- /dev/null
+From 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Wed, 30 Sep 2020 00:28:15 +0530
+Subject: Bluetooth: hci_h5: close serdev device and free hu in h5_close
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 upstream.
+
+When h5_close() gets called, the memory allocated for the hu gets
+freed only if hu->serdev doesn't exist. This leads to a memory leak.
+So when h5_close() is requested, close the serdev device instance and
+free the memory allocated to the hu entirely instead.
+
+Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4
+Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
+Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_h5.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -263,8 +263,12 @@ static int h5_close(struct hci_uart *hu)
+ if (h5->vnd && h5->vnd->close)
+ h5->vnd->close(h5);
+
+- if (!hu->serdev)
+- kfree(h5);
++ if (hu->serdev)
++ serdev_device_close(hu->serdev);
++
++ kfree_skb(h5->rx_skb);
++ kfree(h5);
++ h5 = NULL;
+
+ return 0;
+ }
--- /dev/null
+From 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c Mon Sep 17 00:00:00 2001
+From: Boqun Feng <boqun.feng@gmail.com>
+Date: Thu, 5 Nov 2020 14:23:51 +0800
+Subject: fcntl: Fix potential deadlock in send_sig{io, urg}()
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+commit 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c upstream.
+
+Syzbot reports a potential deadlock found by the newly added recursive
+read deadlock detection in lockdep:
+
+[...] ========================================================
+[...] WARNING: possible irq lock inversion dependency detected
+[...] 5.9.0-rc2-syzkaller #0 Not tainted
+[...] --------------------------------------------------------
+[...] syz-executor.1/10214 just changed the state of lock:
+[...] ffff88811f506338 (&f->f_owner.lock){.+..}-{2:2}, at: send_sigurg+0x1d/0x200
+[...] but this lock was taken by another, HARDIRQ-safe lock in the past:
+[...] (&dev->event_lock){-...}-{2:2}
+[...]
+[...]
+[...] and interrupts could create inverse lock ordering between them.
+[...]
+[...]
+[...] other info that might help us debug this:
+[...] Chain exists of:
+[...] &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
+[...]
+[...] Possible interrupt unsafe locking scenario:
+[...]
+[...] CPU0 CPU1
+[...] ---- ----
+[...] lock(&f->f_owner.lock);
+[...] local_irq_disable();
+[...] lock(&dev->event_lock);
+[...] lock(&new->fa_lock);
+[...] <Interrupt>
+[...] lock(&dev->event_lock);
+[...]
+[...] *** DEADLOCK ***
+
+The corresponding deadlock case is as followed:
+
+ CPU 0 CPU 1 CPU 2
+ read_lock(&fown->lock);
+ spin_lock_irqsave(&dev->event_lock, ...)
+ write_lock_irq(&filp->f_owner.lock); // wait for the lock
+ read_lock(&fown-lock); // have to wait until the writer release
+ // due to the fairness
+ <interrupted>
+ spin_lock_irqsave(&dev->event_lock); // wait for the lock
+
+The lock dependency on CPU 1 happens if there exists a call sequence:
+
+ input_inject_event():
+ spin_lock_irqsave(&dev->event_lock,...);
+ input_handle_event():
+ input_pass_values():
+ input_to_handler():
+ handler->event(): // evdev_event()
+ evdev_pass_values():
+ spin_lock(&client->buffer_lock);
+ __pass_event():
+ kill_fasync():
+ kill_fasync_rcu():
+ read_lock(&fa->fa_lock);
+ send_sigio():
+ read_lock(&fown->lock);
+
+To fix this, make the reader in send_sigurg() and send_sigio() use
+read_lock_irqsave() and read_lock_irqrestore().
+
+Reported-by: syzbot+22e87cdf94021b984aa6@syzkaller.appspotmail.com
+Reported-by: syzbot+c5e32344981ad9f33750@syzkaller.appspotmail.com
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fcntl.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -779,9 +779,10 @@ void send_sigio(struct fown_struct *fown
+ {
+ struct task_struct *p;
+ enum pid_type type;
++ unsigned long flags;
+ struct pid *pid;
+
+- read_lock(&fown->lock);
++ read_lock_irqsave(&fown->lock, flags);
+
+ type = fown->pid_type;
+ pid = fown->pid;
+@@ -802,7 +803,7 @@ void send_sigio(struct fown_struct *fown
+ read_unlock(&tasklist_lock);
+ }
+ out_unlock_fown:
+- read_unlock(&fown->lock);
++ read_unlock_irqrestore(&fown->lock, flags);
+ }
+
+ static void send_sigurg_to_task(struct task_struct *p,
+@@ -817,9 +818,10 @@ int send_sigurg(struct fown_struct *fown
+ struct task_struct *p;
+ enum pid_type type;
+ struct pid *pid;
++ unsigned long flags;
+ int ret = 0;
+
+- read_lock(&fown->lock);
++ read_lock_irqsave(&fown->lock, flags);
+
+ type = fown->pid_type;
+ pid = fown->pid;
+@@ -842,7 +844,7 @@ int send_sigurg(struct fown_struct *fown
+ read_unlock(&tasklist_lock);
+ }
+ out_unlock_fown:
+- read_unlock(&fown->lock);
++ read_unlock_irqrestore(&fown->lock, flags);
+ return ret;
+ }
+
--- /dev/null
+From d0ac1a26ed5943127cb0156148735f5f52a07075 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Fri, 27 Nov 2020 07:40:21 +0100
+Subject: media: gp8psk: initialize stats at power control logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit d0ac1a26ed5943127cb0156148735f5f52a07075 upstream.
+
+As reported on:
+ https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.kernel@gmail.com/
+
+if gp8psk_usb_in_op() returns an error, the status var is not
+initialized. Yet, this var is used later on, in order to
+identify:
+ - if the device was already started;
+ - if firmware has loaded;
+ - if the LNBf was powered on.
+
+Using status = 0 seems to ensure that everything will be
+properly powered up.
+
+So, instead of the proposed solution, let's just set
+status = 0.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/gp8psk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/gp8psk.c
++++ b/drivers/media/usb/dvb-usb/gp8psk.c
+@@ -185,7 +185,7 @@ out_rel_fw:
+
+ static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff)
+ {
+- u8 status, buf;
++ u8 status = 0, buf;
+ int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct);
+
+ if (onoff) {
--- /dev/null
+From 31dcb6c30a26d32650ce134820f27de3c675a45a Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Mon, 23 Nov 2020 04:15:34 +0530
+Subject: misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 31dcb6c30a26d32650ce134820f27de3c675a45a upstream.
+
+A kernel-infoleak was reported by syzbot, which was caused because
+dbells was left uninitialized.
+Using kzalloc() instead of kmalloc() fixes this issue.
+
+Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -751,7 +751,7 @@ static int vmci_ctx_get_chkpt_doorbells(
+ return VMCI_ERROR_MORE_DATA;
+ }
+
+- dbells = kmalloc(data_size, GFP_ATOMIC);
++ dbells = kzalloc(data_size, GFP_ATOMIC);
+ if (!dbells)
+ return VMCI_ERROR_NO_MEM;
+
--- /dev/null
+From d24396c5290ba8ab04ba505176874c4e04a2d53c Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+Date: Sun, 1 Nov 2020 06:09:58 -0800
+Subject: reiserfs: add check for an invalid ih_entry_count
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.
+
+when directory item has an invalid value set for ih_entry_count it might
+trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()
+
+ih_entry_count * IH_SIZE for directory item should not be larger than
+ih_item_len
+
+Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
+Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/stree.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -454,6 +454,12 @@ static int is_leaf(char *buf, int blocks
+ "(second one): %h", ih);
+ return 0;
+ }
++ if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
++ reiserfs_warning(NULL, "reiserfs-5093",
++ "item entry count seems wrong %h",
++ ih);
++ return 0;
++ }
+ prev_location = ih_location(ih);
+ }
+
powerpc-mmu_gather-enable-rcu_table_free-even-for-smp-case.patch
mm-mmu_gather-invalidate-tlb-correctly-on-batch-allocation-failure-and-flush.patch
asm-generic-tlb-avoid-potential-double-flush.patch
+bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
+reiserfs-add-check-for-an-invalid-ih_entry_count.patch
+misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
+media-gp8psk-initialize-stats-at-power-control-logic.patch
+alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
+alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch
+fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
