From: Greg Kroah-Hartman Date: Sun, 27 Oct 2019 08:44:22 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.198~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2851a03ccf38df64fb357e72d013acd9485e624c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch cfg80211-wext-avoid-copying-malformed-ssids.patch drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch mac80211-reject-malformed-ssid-elements.patch scsi-core-try-to-get-module-before-removing-device.patch
---
diff --git a/queue-4.4/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch b/queue-4.4/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch
new file mode 100644
index 00000000000..12258028c29
--- /dev/null
+++ b/queue-4.4/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch
@@ -0,0 +1,42 @@
+From 22e58665a01006d05f0239621f7d41cacca96cc4 Mon Sep 17 00:00:00 2001
+From: Junya Monden
+Date: Wed, 16 Oct 2019 14:42:55 +0200
+Subject: ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
+
+From: Junya Monden
+
+commit 22e58665a01006d05f0239621f7d41cacca96cc4 upstream.
+
+Unlike other format-related DAI parameters, rdai->bit_clk_inv flag
+is not properly re-initialized when setting format for new stream
+processing. The inversion, if requested, is then applied not to default,
+but to a previous value, which leads to SCKP bit in SSICR register being
+set incorrectly.
+Fix this by re-setting the flag to its initial value, determined by format.
+
+Fixes: 1a7889ca8aba3 ("ASoC: rsnd: fixup SND_SOC_DAIFMT_xB_xF behavior")
+Cc: Andrew Gabbasov
+Cc: Jiada Wang
+Cc: Timo Wischer
+Cc: stable@vger.kernel.org # v3.17+
+Signed-off-by: Junya Monden
+Signed-off-by: Eugeniu Rosca
+Acked-by: Kuninori Morimoto
+Link: https://lore.kernel.org/r/20191016124255.7442-1-erosca@de.adit-jv.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/sh/rcar/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -524,6 +524,7 @@ static int rsnd_soc_dai_set_fmt(struct s
+ }
+
+ /* set format */
++ rdai->bit_clk_inv = 0;
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+ rdai->sys_delay = 0;
diff --git a/queue-4.4/cfg80211-wext-avoid-copying-malformed-ssids.patch b/queue-4.4/cfg80211-wext-avoid-copying-malformed-ssids.patch
new file mode 100644
index 00000000000..ee29214d0b6
--- /dev/null
+++ b/queue-4.4/cfg80211-wext-avoid-copying-malformed-ssids.patch
@@ -0,0 +1,56 @@
+From 4ac2813cc867ae563a1ba5a9414bfb554e5796fa Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Fri, 4 Oct 2019 10:51:32 +0100
+Subject: cfg80211: wext: avoid copying malformed SSIDs
+
+From: Will Deacon
+
+commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream.
+
+Ensure the SSID element is bounds-checked prior to invoking memcpy()
+with its length field, when copying to userspace.
+
+Cc:
+Cc: Kees Cook
+Reported-by: Nicolas Waisman
+Signed-off-by: Will Deacon
+Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org
+[adjust commit log a bit]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/wext-sme.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-sme.c
++++ b/net/wireless/wext-sme.c
+@@ -225,6 +225,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ struct iw_point *data, char *ssid)
+ {
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
++ int ret = 0;
+
+ /* call only for station! */
+ if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
+@@ -242,7 +243,10 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ if (ie) {
+ data->flags = 1;
+ data->length = ie[1];
+- memcpy(ssid, ie + 2, data->length);
++ if (data->length > IW_ESSID_MAX_SIZE)
++ ret = -EINVAL;
++ else
++ memcpy(ssid, ie + 2, data->length);
+ }
+ rcu_read_unlock();
+ } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
+@@ -252,7 +256,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ }
+ wdev_unlock(wdev);
+
+- return 0;
++ return ret;
+ }
+
+ int cfg80211_mgd_wext_siwap(struct net_device *dev,
diff --git a/queue-4.4/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch b/queue-4.4/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch
new file mode 100644
index 00000000000..58a24ea49e6
--- /dev/null
+++ b/queue-4.4/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch
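Review bot: In the second hunk of the queued net/wireless/wext-sme.c patch, `data->flags = 1;` and `data->length = ie[1];` are still assigned before the new `IW_ESSID_MAX_SIZE` check, so on the `-EINVAL` path the caller's `iw_point` keeps the oversized length taken from the SSID element. Callers that honour the return code are presumably unaffected, but checking the length before publishing it is more defensive and costs nothing. The rewrite below reads the length into a local first and only fills in `data` when it is in range. cfg80211_mgd_wext_giwessid starts and ends outside the visible hunks, so the other SSID branch could not be checked from here.

```c
	if (ie) {
		u8 len = ie[1];

		/* validate the element length before exposing it to the caller */
		if (len > IW_ESSID_MAX_SIZE) {
			ret = -EINVAL;
		} else {
			data->flags = 1;
			data->length = len;
			memcpy(ssid, ie + 2, len);
		}
	}
	/* … unchanged: rcu_read_unlock() and the wext.connect.ssid branch … */
```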
@@ -0,0 +1,35 @@
+From 11bcf5f78905b90baae8fb01e16650664ed0cb00 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Tue, 2 Apr 2019 11:30:37 +0800
+Subject: drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50
+
+From: Kai-Heng Feng
+
+commit 11bcf5f78905b90baae8fb01e16650664ed0cb00 upstream.
+
+Another panel that needs 6BPC quirk.
+
+BugLink: https://bugs.launchpad.net/bugs/1819968
+Cc: # v4.8+
+Reviewed-by: Alex Deucher
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Alex Deucher
+Link: https://patchwork.freedesktop.org/patch/msgid/20190402033037.21877-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_edid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -150,6 +150,9 @@ static struct edid_quirk {
+ /* Medion MD 30217 PG */
+ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
+
++ /* Lenovo G50 */
++ { "SDC", 18514, EDID_QUIRK_FORCE_6BPC },
++
+ /* Panel in Samsung NP700G7A-S01PL notebook reports 6bpc */
+ { "SEC", 0xd033, EDID_QUIRK_FORCE_8BPC },
+
diff --git a/queue-4.4/mac80211-reject-malformed-ssid-elements.patch b/queue-4.4/mac80211-reject-malformed-ssid-elements.patch
new file mode 100644
index 00000000000..b23a7126e03
--- /dev/null
+++ b/queue-4.4/mac80211-reject-malformed-ssid-elements.patch
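Review bot: The queued drivers/gpu/drm/drm_edid.c patch is tagged `Cc: # v4.8+` but is being added to the 4.4 queue, and the new table entry only builds if `EDID_QUIRK_FORCE_6BPC` already exists in this tree. The hunk does not show that definition, so it should be confirmed before the queue is released. As a style point, the product ID is written in decimal (`18514`) while the neighbouring entries use hex (`0x7b8`, `0xd033`); a comment such as `/* Lenovo G50, product ID 0x4852 */` would make the entry easier to match against a raw EDID dump.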
@@ -0,0 +1,46 @@
+From 4152561f5da3fca92af7179dd538ea89e248f9d0 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Fri, 4 Oct 2019 10:51:31 +0100
+Subject: mac80211: Reject malformed SSID elements
+
+From: Will Deacon
+
+commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream.
+
+Although this shouldn't occur in practice, it's a good idea to bounds
+check the length field of the SSID element prior to using it for things
+like allocations or memcpy operations.
+
+Cc:
+Cc: Kees Cook
+Reported-by: Nicolas Waisman
+Signed-off-by: Will Deacon
+Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mlme.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2431,7 +2431,8 @@ struct sk_buff *ieee80211_ap_probereq_ge
+
+ rcu_read_lock();
+ ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
+- if (WARN_ON_ONCE(ssid == NULL))
++ if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
++ "invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
+ ssid_len = 0;
+ else
+ ssid_len = ssid[1];
+@@ -4669,7 +4670,7 @@ int ieee80211_mgd_assoc(struct ieee80211
+
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
+- if (!ssidie) {
++ if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) {
+ rcu_read_unlock();
+ kfree(assoc_data);
+ return -EINVAL;
diff --git a/queue-4.4/scsi-core-try-to-get-module-before-removing-device.patch b/queue-4.4/scsi-core-try-to-get-module-before-removing-device.patch
new file mode 100644
index 00000000000..b39ee2d77b6
--- /dev/null
+++ b/queue-4.4/scsi-core-try-to-get-module-before-removing-device.patch
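Review bot: The first hunk of the queued net/mac80211/mlme.c patch makes `WARN_ONCE()` fire on `ssid[1] > IEEE80211_MAX_SSID_LEN`, a length that comes from a stored BSS element. A condition driven by received frame contents can therefore raise a kernel warning, which becomes a panic on systems running with panic_on_warn. The commit message says this should not occur in practice, which suggests the element is validated earlier, but that validation is not visible here. If it cannot be guaranteed, keep the warning for the `!ssid` case and handle the length case quietly, e.g. `else if (ssid[1] > IEEE80211_MAX_SSID_LEN) ssid_len = 0;`. The two hunks also bound the same field with different expressions (`IEEE80211_MAX_SSID_LEN` and `sizeof(assoc_data->ssid)`), so a one-line comment stating they are the same limit would help; both functions extend beyond the hunks.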
@@ -0,0 +1,94 @@
+From 77c301287ebae86cc71d03eb3806f271cb14da79 Mon Sep 17 00:00:00 2001
+From: Yufen Yu
+Date: Tue, 15 Oct 2019 21:05:56 +0800
+Subject: scsi: core: try to get module before removing device
+
+From: Yufen Yu
+
+commit 77c301287ebae86cc71d03eb3806f271cb14da79 upstream.
+
+We have a test case like block/001 in blktests, which will create a scsi
+device by loading scsi_debug module and then try to delete the device by
+sysfs interface. At the same time, it may remove the scsi_debug module.
+
+And getting a invalid paging request BUG_ON as following:
+
+[ 34.625854] BUG: unable to handle page fault for address: ffffffffa0016bb8
+[ 34.629189] Oops: 0000 [#1] SMP PTI
+[ 34.629618] CPU: 1 PID: 450 Comm: bash Tainted: G W 5.4.0-rc3+ #473
+[ 34.632524] RIP: 0010:scsi_proc_hostdir_rm+0x5/0xa0
+[ 34.643555] CR2: ffffffffa0016bb8 CR3: 000000012cd88000 CR4: 00000000000006e0
+[ 34.644545] Call Trace:
+[ 34.644907] scsi_host_dev_release+0x6b/0x1f0
+[ 34.645511] device_release+0x74/0x110
+[ 34.646046] kobject_put+0x116/0x390
+[ 34.646559] put_device+0x17/0x30
+[ 34.647041] scsi_target_dev_release+0x2b/0x40
+[ 34.647652] device_release+0x74/0x110
+[ 34.648186] kobject_put+0x116/0x390
+[ 34.648691] put_device+0x17/0x30
+[ 34.649157] scsi_device_dev_release_usercontext+0x2e8/0x360
+[ 34.649953] execute_in_process_context+0x29/0x80
+[ 34.650603] scsi_device_dev_release+0x20/0x30
+[ 34.651221] device_release+0x74/0x110
+[ 34.651732] kobject_put+0x116/0x390
+[ 34.652230] sysfs_unbreak_active_protection+0x3f/0x50
+[ 34.652935] sdev_store_delete.cold.4+0x71/0x8f
+[ 34.653579] dev_attr_store+0x1b/0x40
+[ 34.654103] sysfs_kf_write+0x3d/0x60
+[ 34.654603] kernfs_fop_write+0x174/0x250
+[ 34.655165] __vfs_write+0x1f/0x60
+[ 34.655639] vfs_write+0xc7/0x280
+[ 34.656117] ksys_write+0x6d/0x140
+[ 34.656591] __x64_sys_write+0x1e/0x30
+[ 34.657114] do_syscall_64+0xb1/0x400
+[ 34.657627] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 34.658335] RIP: 0033:0x7f156f337130
+
+During deleting scsi target, the scsi_debug module have been removed. Then,
+sdebug_driver_template belonged to the module cannot be accessd, resulting
+in scsi_proc_hostdir_rm() BUG_ON.
+
+To fix the bug, we add scsi_device_get() in sdev_store_delete() to try to
+increase refcount of module, avoiding the module been removed.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191015130556.18061-1-yuyufen@huawei.com
+Signed-off-by: Yufen Yu
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/scsi_sysfs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -679,6 +679,14 @@ sdev_store_delete(struct device *dev, st
+ const char *buf, size_t count)
+ {
+ struct kernfs_node *kn;
++ struct scsi_device *sdev = to_scsi_device(dev);
++
++ /*
++ * We need to try to get module, avoiding the module been removed
++ * during delete.
++ */
++ if (scsi_device_get(sdev))
++ return -ENODEV;
+
+ kn = sysfs_break_active_protection(&dev->kobj, &attr->attr);
+ WARN_ON_ONCE(!kn);
+@@ -693,9 +701,10 @@ sdev_store_delete(struct device *dev, st
+ * state into SDEV_DEL.
+ */
+ device_remove_file(dev, attr);
+- scsi_remove_device(to_scsi_device(dev));
++ scsi_remove_device(sdev);
+ if (kn)
+ sysfs_unbreak_active_protection(kn);
++ scsi_device_put(sdev);
+ return count;
+ };
+ static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete);
diff --git a/queue-4.4/series b/queue-4.4/series
index 1aaa38091ef..bcc21370e88 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
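Review bot: The comment added in sdev_store_delete (queued drivers/scsi/scsi_sysfs.c patch, first hunk) is hard to read and does not say what the reference protects. Suggested wording: `/* Hold a reference on the device and its host module so the module cannot be unloaded while the delete is in progress. */`. The reference taken by `scsi_device_get(sdev)` is dropped only by the single `scsi_device_put(sdev)` just before `return count;`, so the comment should also state that any early return between the two must release it. The lines between the two hunks are not visible, so this pairing should be checked against the full function in the 4.4 tree.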
@@ -22,3 +22,8 @@ usb-serial-ti_usb_3410_5052-fix-port-close-races.patch usb-ldusb-fix-memleak-on-disconnect.patch usb-usblp-fix-use-after-free-on-disconnect.patch usb-ldusb-fix-read-info-leaks.patch +scsi-core-try-to-get-module-before-removing-device.patch +asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch +cfg80211-wext-avoid-copying-malformed-ssids.patch +mac80211-reject-malformed-ssid-elements.patch +drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch diff --git a/queue-4.4/usb-ldusb-fix-read-info-leaks.patch b/queue-4.4/usb-ldusb-fix-read-info-leaks.patch index fd307669c40..e6451df07d1 100644 --- a/queue-4.4/usb-ldusb-fix-read-info-leaks.patch +++ b/queue-4.4/usb-ldusb-fix-read-info-leaks.patch @@ -30,8 +30,8 @@ Link: https://lore.kernel.org/r/20191018151955.25135-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman --- - drivers/usb/misc/ldusb.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) + drivers/usb/misc/ldusb.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) --- a/drivers/usb/misc/ldusb.c +++ b/drivers/usb/misc/ldusb.c @@ -44,11 +44,13 @@ Signed-off-by: Greg Kroah-Hartman dev->interrupt_in_done = 0; spin_unlock_irq(&dev->rbsl); if (file->f_flags & O_NONBLOCK) { -@@ -479,11 +479,16 @@ static ssize_t ld_usb_read(struct file * +@@ -478,12 +478,17 @@ static ssize_t ld_usb_read(struct file * + retval = wait_event_interruptible(dev->read_wait, dev->interrupt_in_done); if (retval < 0) goto unlock_exit; - } else { +- } else { - spin_unlock_irq(&dev->rbsl); ++ + spin_lock_irq(&dev->rbsl); } + spin_unlock_irq(&dev->rbsl);