From: Greg Kroah-Hartman
Date: Thu, 10 Jan 2019 20:08:06 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.20.2~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c2a5bc7df465aa42159a7784e16297b7deede6d;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
alsa-cs46xx-potential-null-dereference-in-probe.patch
alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch
alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch
b43-fix-error-in-cordic-routine.patch
dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch
dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch
dlm-memory-leaks-on-error-path-in-dlm_user_request.patch
dlm-possible-memory-leak-on-error-path-in-create_lkb.patch
gfs2-fix-loop-in-gfs2_rbm_find.patch
gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch
---
diff --git a/queue-4.9/alsa-cs46xx-potential-null-dereference-in-probe.patch b/queue-4.9/alsa-cs46xx-potential-null-dereference-in-probe.patch
new file mode 100644
index 00000000000..9c9d59008f8
--- /dev/null
+++ b/queue-4.9/alsa-cs46xx-potential-null-dereference-in-probe.patch
@@ -0,0 +1,34 @@
+From 1524f4e47f90b27a3ac84efbdd94c63172246a6f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 8 Jan 2019 10:43:30 +0300
+Subject: ALSA: cs46xx: Potential NULL dereference in probe
+
+From: Dan Carpenter
+
+commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream.
+
+The "chip->dsp_spos_instance" can be NULL on some of the ealier error
+paths in snd_cs46xx_create().
+
+Reported-by: "Yavuz, Tuba"
+Signed-off-by: Dan Carpenter
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/cs46xx/dsp_spos.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/cs46xx/dsp_spos.c
++++ b/sound/pci/cs46xx/dsp_spos.c
+@@ -899,6 +899,9 @@ int cs46xx_dsp_proc_done (struct snd_cs4
+ struct dsp_spos_instance * ins = chip->dsp_spos_instance;
+ int i;
+
++ if (!ins)
++ return 0;
++
+ snd_info_free_entry(ins->proc_sym_info_entry);
+ ins->proc_sym_info_entry = NULL;
+
diff --git a/queue-4.9/alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch b/queue-4.9/alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch
new file mode 100644
index 00000000000..f59e3116e3c
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch
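Review bot: The added `if (!ins) return 0;` at the top of cs46xx_dsp_proc_done gives no hint why ins can be NULL, so a later reader may take the guard for dead code and drop it. A why-comment above it would carry the reason from the commit message into the source: `/* snd_cs46xx_create() can fail before dsp_spos_instance exists; nothing to tear down then */`. The rest of cs46xx_dsp_proc_done, including every other use of ins, is outside the hunk.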
@@ -0,0 +1,48 @@
+From f4351a199cc120ff9d59e06d02e8657d08e6cc46 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 19 Dec 2018 12:36:27 +0100
+Subject: ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
+
+From: Takashi Iwai
+
+commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
+
+The parser for the processing unit reads bNrInPins field before the
+bLength sanity check, which may lead to an out-of-bound access when a
+malformed descriptor is given. Fix it by assignment after the bLength
+check.
+
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1882,7 +1882,7 @@ static int build_audio_procunit(struct m
+ char *name)
+ {
+ struct uac_processing_unit_descriptor *desc = raw_desc;
+- int num_ins = desc->bNrInPins;
++ int num_ins;
+ struct usb_mixer_elem_info *cval;
+ struct snd_kcontrol *kctl;
+ int i, err, nameid, type, len;
+@@ -1897,7 +1897,13 @@ static int build_audio_procunit(struct m
+ 0, NULL, default_value_info
+ };
+
+- if (desc->bLength < 13 || desc->bLength < 13 + num_ins ||
++ if (desc->bLength < 13) {
++ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
++ return -EINVAL;
++ }
++
++ num_ins = desc->bNrInPins;
++ if (desc->bLength < 13 + num_ins ||
+ desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
+ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
+ return -EINVAL;
diff --git a/queue-4.9/alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch b/queue-4.9/alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch
new file mode 100644
index 00000000000..36534cc2d1e
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch
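Review bot: In build_audio_procunit the new early-reject branch duplicates the `usb_audio_err(...); return -EINVAL;` pair of the existing one, and nothing in the hunk records why the bNrInPins read had to move between them. I would put `/* the descriptor may be shorter than its fixed header: read bNrInPins only once bLength covers it */` above `num_ins = desc->bNrInPins;`, and fold the two rejection blocks into one `goto invalid;` label so the two messages cannot drift apart. num_ins is now declared without an initialiser and first written after the bLength check, which is correct as shown, but any read inserted between the declaration and that assignment would be uninitialised. The remainder of the function is outside the hunk.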
@@ -0,0 +1,45 @@
+From cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Tue, 25 Dec 2018 18:11:52 -0500
+Subject: ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
+
+From: Hui Peng
+
+commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.
+
+In `create_composite_quirk`, the terminating condition of for loops is
+`quirk->ifnum < 0`. So any composite quirks should end with `struct
+snd_usb_audio_quirk` object with ifnum < 0.
+
+ for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
+
+ .....
+ }
+
+the data field of Bower's & Wilkins PX headphones usb device device quirks
+do not end with {.ifnum = -1}, wihch may result in out-of-bound read.
+
+This Patch fix the bug by adding an ending quirk object.
+
+Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
+Signed-off-by: Hui Peng
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks-table.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3321,6 +3321,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++ {
++ .ifnum = -1
++ },
+ }
+ }
+ },
diff --git a/queue-4.9/b43-fix-error-in-cordic-routine.patch b/queue-4.9/b43-fix-error-in-cordic-routine.patch
new file mode 100644
index 00000000000..0f20b7587ea
--- /dev/null
+++ b/queue-4.9/b43-fix-error-in-cordic-routine.patch
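Review bot: The added `{ .ifnum = -1 },` is the only thing that stops create_composite_quirk() from reading past the end of this composite quirk's data array, and the hunk leaves that convention unstated at the point where it matters. A comment on the sentinel would tell whoever adds the next entry what it is for: `{ .ifnum = -1 }, /* terminator: create_composite_quirk() stops at ifnum < 0 */`. Whether the other composite entries in quirks-table.h all carry such a terminator is not visible from this hunk and is worth a sweep, since the same omission elsewhere would be the same out-of-bound read.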
@@ -0,0 +1,43 @@
+From 8ea3819c0bbef57a51d8abe579e211033e861677 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 19 Nov 2018 20:01:24 +0200
+Subject: b43: Fix error in cordic routine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Larry Finger
+
+commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream.
+
+The cordic routine for calculating sines and cosines that was added in
+commit 6f98e62a9f1b ("b43: update cordic code to match current specs")
+contains an error whereby a quantity declared u32 can in fact go negative.
+
+This problem was detected by Priit Laes who is switching b43 to use the
+routine in the library functions of the kernel.
+
+Fixes: 986504540306 ("b43: make cordic common (LP-PHY and N-PHY need it)")
+Reported-by: Priit Laes
+Cc: Rafał Miłecki
+Cc: Stable # 2.6.34
+Signed-off-by: Larry Finger
+Signed-off-by: Priit Laes
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/b43/phy_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/phy_common.c
++++ b/drivers/net/wireless/broadcom/b43/phy_common.c
+@@ -616,7 +616,7 @@ struct b43_c32 b43_cordic(int theta)
+ u8 i;
+ s32 tmp;
+ s8 signx = 1;
+- u32 angle = 0;
++ s32 angle = 0;
+ struct b43_c32 ret = { .i = 39797, .q = 0, };
+
+ while (theta > (180 << 16))
diff --git a/queue-4.9/dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch b/queue-4.9/dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch
new file mode 100644
index 00000000000..9135b79cad9
--- /dev/null
+++ b/queue-4.9/dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch
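Review bot: Changing `angle` from `u32` to `s32` only fixes the declaration, and the body of b43_cordic that uses angle continues outside the hunk, so it cannot be confirmed here that angle is never left-shifted or compared with an unsigned operand; a left shift of a negative s32 is undefined behaviour in C, and a mixed signed/unsigned comparison would promote the negative value back to unsigned and quietly reintroduce the bug. Those uses deserve a check in the rest of the function. A comment at the declaration would record why the type is signed: `s32 angle = 0;	/* can go negative during the iteration; must stay signed */`.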
@@ -0,0 +1,40 @@
+From b982896cdb6e6a6b89d86dfb39df489d9df51e14 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Thu, 15 Nov 2018 13:15:05 +0300
+Subject: dlm: fixed memory leaks after failed ls_remove_names allocation
+
+From: Vasily Averin
+
+commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream.
+
+If allocation fails on last elements of array need to free already
+allocated elements.
+
+v2: just move existing out_rsbtbl label to right place
+
+Fixes 789924ba635f ("dlm: fix race between remove and lookup")
+Cc: stable@kernel.org # 3.6
+
+Signed-off-by: Vasily Averin
+Signed-off-by: David Teigland
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -673,11 +673,11 @@ static int new_lockspace(const char *nam
+ kfree(ls->ls_recover_buf);
+ out_lkbidr:
+ idr_destroy(&ls->ls_lkbidr);
++ out_rsbtbl:
+ for (i = 0; i < DLM_REMOVE_NAMES_MAX; i++) {
+ if (ls->ls_remove_names[i])
+ kfree(ls->ls_remove_names[i]);
+ }
+- out_rsbtbl:
+ vfree(ls->ls_rsbtbl);
+ out_lsfree:
+ if (do_unreg)
diff --git a/queue-4.9/dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch b/queue-4.9/dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch
new file mode 100644
index 00000000000..e95216a355b
--- /dev/null
+++ b/queue-4.9/dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch
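Review bot: The loop that `out_rsbtbl:` now labels guards each free with `if (ls->ls_remove_names[i])`, which is redundant because kfree() accepts NULL; the body can simply be `kfree(ls->ls_remove_names[i]);`. Since moving the label is the whole fix, a comment on it would stop the next cleanup from moving it back: `out_rsbtbl: /* also reached when a later ls_remove_names[] allocation fails */`. This relies on the unallocated entries being NULL at that point, which depends on how ls is allocated in new_lockspace() outside the hunk and should be confirmed.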
@@ -0,0 +1,38 @@
+From c0174726c3976e67da8649ac62cae43220ae173a Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Thu, 15 Nov 2018 13:18:24 +0300
+Subject: dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
+
+From: Vasily Averin
+
+commit c0174726c3976e67da8649ac62cae43220ae173a upstream.
+
+Fixes 6d40c4a708e0 ("dlm: improve error and debug messages")
+Cc: stable@kernel.org # 3.5
+
+Signed-off-by: Vasily Averin
+Signed-off-by: David Teigland
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/dlm/lock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -4178,6 +4178,7 @@ static int receive_convert(struct dlm_ls
+ (unsigned long long)lkb->lkb_recover_seq,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
+@@ -4231,6 +4232,7 @@ static int receive_unlock(struct dlm_ls
+ lkb->lkb_id, lkb->lkb_remid,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
diff --git a/queue-4.9/dlm-memory-leaks-on-error-path-in-dlm_user_request.patch b/queue-4.9/dlm-memory-leaks-on-error-path-in-dlm_user_request.patch
new file mode 100644
index 00000000000..64ececac6df
--- /dev/null
+++ b/queue-4.9/dlm-memory-leaks-on-error-path-in-dlm_user_request.patch
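Review bot: Both added `dlm_put_lkb(lkb);` calls sit immediately before `goto fail;`, and the `fail:` labels of receive_convert() and receive_unlock() are outside the hunk, so it cannot be confirmed here that no other path to fail also drops the lkb reference, or that fail itself does not; if either does, this becomes a double put. A comment on each added line would make the asymmetry explicit for the next reader: `dlm_put_lkb(lkb);	/* drop the reference taken above; fail: does not */`, worded as an assumption to be checked against the label. Both enclosing functions start and end outside the hunk.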
@@ -0,0 +1,56 @@
+From d47b41aceeadc6b58abc9c7c6485bef7cfb75636 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Thu, 15 Nov 2018 13:18:56 +0300
+Subject: dlm: memory leaks on error path in dlm_user_request()
+
+From: Vasily Averin
+
+commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream.
+
+According to comment in dlm_user_request() ua should be freed
+in dlm_free_lkb() after successful attach to lkb.
+
+However ua is attached to lkb not in set_lock_args() but later,
+inside request_lock().
+
+Fixes 597d0cae0f99 ("[DLM] dlm: user locks")
+Cc: stable@kernel.org # 2.6.19
+
+Signed-off-by: Vasily Averin
+Signed-off-by: David Teigland
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/dlm/lock.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -5795,20 +5795,20 @@ int dlm_user_request(struct dlm_ls *ls,
+ goto out;
+ }
+ }
+-
+- /* After ua is attached to lkb it will be freed by dlm_free_lkb().
+- When DLM_IFL_USER is set, the dlm knows that this is a userspace
+- lock and that lkb_astparam is the dlm_user_args structure. */
+-
+ error = set_lock_args(mode, &ua->lksb, flags, namelen, timeout_cs,
+ fake_astfn, ua, fake_bastfn, &args);
+- lkb->lkb_flags |= DLM_IFL_USER;
+-
+ if (error) {
++ kfree(ua->lksb.sb_lvbptr);
++ ua->lksb.sb_lvbptr = NULL;
++ kfree(ua);
+ __put_lkb(ls, lkb);
+ goto out;
+ }
+
++ /* After ua is attached to lkb it will be freed by dlm_free_lkb().
++ When DLM_IFL_USER is set, the dlm knows that this is a userspace
++ lock and that lkb_astparam is the dlm_user_args structure. */
++ lkb->lkb_flags |= DLM_IFL_USER;
+ error = request_lock(ls, lkb, name, namelen, &args);
+
+ switch (error) {
diff --git a/queue-4.9/dlm-possible-memory-leak-on-error-path-in-create_lkb.patch b/queue-4.9/dlm-possible-memory-leak-on-error-path-in-create_lkb.patch
new file mode 100644
index 00000000000..fd58df42830
--- /dev/null
+++ b/queue-4.9/dlm-possible-memory-leak-on-error-path-in-create_lkb.patch
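Review bot: The new failure branch after set_lock_args() now frees `ua->lksb.sb_lvbptr` and `ua` inside dlm_user_request(), so on this path ownership of ua has moved into the callee, while after `lkb->lkb_flags |= DLM_IFL_USER` it moves on to dlm_free_lkb(); neither the function header nor any caller is visible here, so it should be verified that no caller still frees ua when dlm_user_request() returns an error, which would now be a double free. The contract deserves a comment where it changes, above the `if (error)`: `/* ua is not yet attached to lkb: it is freed here, so callers must not free it on error */`. Clearing `ua->lksb.sb_lvbptr` right before `kfree(ua)` is harmless but does nothing unless ua is still reachable from somewhere else, since ua itself is released on the next line. The function starts outside the hunk.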
@@ -0,0 +1,30 @@
+From 23851e978f31eda8b2d01bd410d3026659ca06c7 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Thu, 15 Nov 2018 13:18:18 +0300
+Subject: dlm: possible memory leak on error path in create_lkb()
+
+From: Vasily Averin
+
+commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream.
+
+Fixes 3d6aa675fff9 ("dlm: keep lkbs in idr")
+Cc: stable@kernel.org # 3.1
+
+Signed-off-by: Vasily Averin
+Signed-off-by: David Teigland
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -1210,6 +1210,7 @@ static int create_lkb(struct dlm_ls *ls,
+
+ if (rv < 0) {
+ log_error(ls, "create_lkb idr error %d", rv);
++ dlm_free_lkb(lkb);
+ return rv;
+ }
+
diff --git a/queue-4.9/gfs2-fix-loop-in-gfs2_rbm_find.patch b/queue-4.9/gfs2-fix-loop-in-gfs2_rbm_find.patch
new file mode 100644
index 00000000000..c1e375ed94c
--- /dev/null
+++ b/queue-4.9/gfs2-fix-loop-in-gfs2_rbm_find.patch
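Review bot: The added `dlm_free_lkb(lkb);` runs on the idr failure path, apparently before lkb has been placed in the idr, and whether dlm_free_lkb() tolerates an lkb in that partially initialised state is not visible from the hunk, since both the body of create_lkb() and dlm_free_lkb() lie outside it. A comment would document the expectation for the next reader: `dlm_free_lkb(lkb);	/* not in the idr yet, so nothing else references it */`. create_lkb() starts outside the hunk.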
@@ -0,0 +1,37 @@
+From 2d29f6b96d8f80322ed2dd895bca590491c38d34 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher
+Date: Tue, 4 Dec 2018 15:06:27 +0100
+Subject: gfs2: Fix loop in gfs2_rbm_find
+
+From: Andreas Gruenbacher
+
+commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream.
+
+Fix the resource group wrap-around logic in gfs2_rbm_find that commit
+e579ed4f44 broke. The bug can lead to unnecessary repeated scanning of the
+same bitmaps; there is a risk that future changes will turn this into an
+endless loop.
+
+Fixes: e579ed4f44 ("GFS2: Introduce rbm field bii")
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Bob Peterson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1705,9 +1705,9 @@ static int gfs2_rbm_find(struct gfs2_rbm
+ goto next_iter;
+ }
+ if (ret == -E2BIG) {
++ n += rbm->bii - initial_bii;
+ rbm->bii = 0;
+ rbm->offset = 0;
+- n += (rbm->bii - initial_bii);
+ goto res_covered_end_of_rgrp;
+ }
+ return ret;
diff --git a/queue-4.9/gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch b/queue-4.9/gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch
new file mode 100644
index 00000000000..0779a00fd45
--- /dev/null
+++ b/queue-4.9/gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch
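Review bot: Moving `n += rbm->bii - initial_bii;` ahead of `rbm->bii = 0;` is the entire fix, and nothing on the new side says that the order matters, so the next reorder will silently reintroduce the bug the commit message warns could become an endless loop. A why-comment on the added line would protect it: `/* count the bitmaps scanned so far before wrapping back to the first one */`. The loop this sits in, and the declarations of n and initial_bii, are outside the hunk.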
@@ -0,0 +1,70 @@
+From 6ff9b09e00a441599f3aacdf577254455a048bc9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher
+Date: Mon, 26 Nov 2018 18:45:35 +0100
+Subject: gfs2: Get rid of potential double-freeing in gfs2_create_inode
+
+From: Andreas Gruenbacher
+
+commit 6ff9b09e00a441599f3aacdf577254455a048bc9 upstream.
+
+In gfs2_create_inode, after setting and releasing the acl / default_acl, the
+acl / default_acl pointers are not set to NULL as they should be. In that
+state, when the function reaches label fail_free_acls, gfs2_create_inode will
+try to release the same acls again.
+
+Fix that by setting the pointers to NULL after releasing the acls. Slightly
+simplify the logic. Also, posix_acl_release checks for NULL already, so
+there is no need to duplicate those checks here.
+
+Fixes: e01580bf9e4d ("gfs2: use generic posix ACL infrastructure")
+Reported-by: Pan Bian
+Cc: Christoph Hellwig
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Bob Peterson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/gfs2/inode.c | 18 +++++++++--------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -740,17 +740,19 @@ static int gfs2_create_inode(struct inod
+ the gfs2 structures.
*/
+ if (default_acl) {
+ error = __gfs2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(default_acl);
++ default_acl = NULL;
+ }
+ if (acl) {
+- if (!error)
+- error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(acl);
++ acl = NULL;
+ }
+
+- if (error)
+- goto fail_gunlock3;
+-
+ error = security_inode_init_security(&ip->i_inode, &dip->i_inode, name,
+ &gfs2_initxattrs, NULL);
+ if (error)
+@@ -783,10 +785,8 @@ fail_free_inode:
+ gfs2_glock_put(ip->i_gl);
+ gfs2_rsqa_delete(ip, NULL);
+ fail_free_acls:
+- if (default_acl)
+- posix_acl_release(default_acl);
+- if (acl)
+- posix_acl_release(acl);
++ posix_acl_release(default_acl);
++ posix_acl_release(acl);
+ fail_gunlock:
+ gfs2_dir_no_add(&da);
+ gfs2_glock_dq_uninit(ghs);
diff --git a/queue-4.9/series b/queue-4.9/series
index 27702594219..ab45d368b14 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -42,3 +42,13 @@ mips-math-emu-write-protect-delay-slot-emulation-pages.patch
 crypto-x86-chacha20-avoid-sleeping-with-preemption-disabled.patch
 vhost-vsock-fix-uninitialized-vhost_vsock-guest_cid.patch
 ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch
+alsa-cs46xx-potential-null-dereference-in-probe.patch
+alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch
+alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch
+dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch
+dlm-possible-memory-leak-on-error-path-in-create_lkb.patch
+dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch
+dlm-memory-leaks-on-error-path-in-dlm_user_request.patch
+gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch
+gfs2-fix-loop-in-gfs2_rbm_find.patch
+b43-fix-error-in-cordic-routine.patch
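Review bot: The new `default_acl = NULL;` and `acl = NULL;` assignments exist only so that fail_free_acls releases each ACL at most once, and on the new `goto fail_gunlock3` paths the still-owned pointer is meant to be released there exactly once; fail_gunlock3 and its path down to fail_free_acls are outside the hunk, so that single-release property should be confirmed against the labels. A comment at each clear makes the invariant explicit: `default_acl = NULL;	/* released above; fail_free_acls must not release it again */`, and likewise for acl. With posix_acl_release() accepting NULL, as the commit message notes, the simplified fail_free_acls block is correct as written.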