From: Greg Kroah-Hartman Date: Mon, 8 Oct 2018 17:57:24 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.160~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2c067dba5165fd7f9cca3f24e3151921864c0a28;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch gpiolib-free-the-last-requested-descriptor.patch ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch proc-restrict-kernel-stack-dumps-to-root.patch smb2-fix-missing-files-in-root-share-directory-listing.patch sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch --- diff --git a/queue-4.9/alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch b/queue-4.9/alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch new file mode 100644 index 00000000000..9870ab78f7d --- /dev/null +++ b/queue-4.9/alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch @@ -0,0 +1,35 @@ +From 709ae62e8e6d9ac4df7dadb3b8ae432675c45ef9 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Thu, 4 Oct 2018 11:39:42 +0800 +Subject: ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 + +From: Kai-Heng Feng + +commit 709ae62e8e6d9ac4df7dadb3b8ae432675c45ef9 upstream. + +The issue is the same as commit dd9aa335c880 ("ALSA: hda/realtek - Can't +adjust speaker's volume on a Dell AIO"), the output requires to connect +to a node with Amp-out capability. + +Applying the same fixup ALC298_FIXUP_SPK_VOLUME can fix the issue. + +BugLink: https://bugs.launchpad.net/bugs/1775068 +Signed-off-by: Kai-Heng Feng +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5698,6 +5698,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1028, 0x0706, "Dell Inspiron 7559", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), + SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE), + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), ++ SND_PCI_QUIRK(0x1028, 0x075c, "Dell XPS 27 7760", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3), + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), diff --git a/queue-4.9/crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch b/queue-4.9/crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch new file mode 100644 index 00000000000..41a4272de8b --- /dev/null +++ b/queue-4.9/crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch @@ -0,0 +1,154 @@ +From d80771c08363ad7fbf0f56f5301e7ca65065c582 Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Fri, 21 Sep 2018 18:03:18 +0300 +Subject: crypto: mxs-dcp - Fix wait logic on chan threads + +From: Leonard Crestez + +commit d80771c08363ad7fbf0f56f5301e7ca65065c582 upstream. + +When compiling with CONFIG_DEBUG_ATOMIC_SLEEP=y the mxs-dcp driver +prints warnings such as: + +WARNING: CPU: 0 PID: 120 at kernel/sched/core.c:7736 __might_sleep+0x98/0x9c +do not call blocking ops when !TASK_RUNNING; state=1 set at [<8081978c>] dcp_chan_thread_sha+0x3c/0x2ec + +The problem is that blocking ops will manipulate current->state +themselves so it is not allowed to call them between +set_current_state(TASK_INTERRUPTIBLE) and schedule(). + +Fix this by converting the per-chan mutex to a spinlock (it only +protects tiny list ops anyway) and rearranging the wait logic so that +callbacks are called current->state as TASK_RUNNING. Those callbacks +will indeed call blocking ops themselves so this is required. + +Cc: +Signed-off-by: Leonard Crestez +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/mxs-dcp.c | 53 ++++++++++++++++++++++++++--------------------- + 1 file changed, 30 insertions(+), 23 deletions(-) + +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -63,7 +63,7 @@ struct dcp { + struct dcp_coherent_block *coh; + + struct completion completion[DCP_MAX_CHANS]; +- struct mutex mutex[DCP_MAX_CHANS]; ++ spinlock_t lock[DCP_MAX_CHANS]; + struct task_struct *thread[DCP_MAX_CHANS]; + struct crypto_queue queue[DCP_MAX_CHANS]; + }; +@@ -349,13 +349,20 @@ static int dcp_chan_thread_aes(void *dat + + int ret; + +- do { +- __set_current_state(TASK_INTERRUPTIBLE); ++ while (!kthread_should_stop()) { ++ set_current_state(TASK_INTERRUPTIBLE); + +- mutex_lock(&sdcp->mutex[chan]); ++ spin_lock(&sdcp->lock[chan]); + backlog = crypto_get_backlog(&sdcp->queue[chan]); + arq = crypto_dequeue_request(&sdcp->queue[chan]); +- mutex_unlock(&sdcp->mutex[chan]); ++ spin_unlock(&sdcp->lock[chan]); ++ ++ if (!backlog && !arq) { ++ schedule(); ++ continue; ++ } ++ ++ set_current_state(TASK_RUNNING); + + if (backlog) + backlog->complete(backlog, -EINPROGRESS); +@@ -363,11 +370,8 @@ static int dcp_chan_thread_aes(void *dat + if (arq) { + ret = mxs_dcp_aes_block_crypt(arq); + arq->complete(arq, ret); +- continue; + } +- +- schedule(); +- } while (!kthread_should_stop()); ++ } + + return 0; + } +@@ -409,9 +413,9 @@ static int mxs_dcp_aes_enqueue(struct ab + rctx->ecb = ecb; + actx->chan = DCP_CHAN_CRYPTO; + +- mutex_lock(&sdcp->mutex[actx->chan]); ++ spin_lock(&sdcp->lock[actx->chan]); + ret = crypto_enqueue_request(&sdcp->queue[actx->chan], &req->base); +- mutex_unlock(&sdcp->mutex[actx->chan]); ++ spin_unlock(&sdcp->lock[actx->chan]); + + wake_up_process(sdcp->thread[actx->chan]); + +@@ -640,13 +644,20 @@ static int dcp_chan_thread_sha(void *dat + struct ahash_request *req; + int ret, fini; + +- do { +- __set_current_state(TASK_INTERRUPTIBLE); ++ while (!kthread_should_stop()) { ++ set_current_state(TASK_INTERRUPTIBLE); + +- mutex_lock(&sdcp->mutex[chan]); ++ spin_lock(&sdcp->lock[chan]); + backlog = crypto_get_backlog(&sdcp->queue[chan]); + arq = crypto_dequeue_request(&sdcp->queue[chan]); +- mutex_unlock(&sdcp->mutex[chan]); ++ spin_unlock(&sdcp->lock[chan]); ++ ++ if (!backlog && !arq) { ++ schedule(); ++ continue; ++ } ++ ++ set_current_state(TASK_RUNNING); + + if (backlog) + backlog->complete(backlog, -EINPROGRESS); +@@ -658,12 +669,8 @@ static int dcp_chan_thread_sha(void *dat + ret = dcp_sha_req_to_buf(arq); + fini = rctx->fini; + arq->complete(arq, ret); +- if (!fini) +- continue; + } +- +- schedule(); +- } while (!kthread_should_stop()); ++ } + + return 0; + } +@@ -721,9 +728,9 @@ static int dcp_sha_update_fx(struct ahas + rctx->init = 1; + } + +- mutex_lock(&sdcp->mutex[actx->chan]); ++ spin_lock(&sdcp->lock[actx->chan]); + ret = crypto_enqueue_request(&sdcp->queue[actx->chan], &req->base); +- mutex_unlock(&sdcp->mutex[actx->chan]); ++ spin_unlock(&sdcp->lock[actx->chan]); + + wake_up_process(sdcp->thread[actx->chan]); + mutex_unlock(&actx->mutex); +@@ -979,7 +986,7 @@ static int mxs_dcp_probe(struct platform + platform_set_drvdata(pdev, sdcp); + + for (i = 0; i < DCP_MAX_CHANS; i++) { +- mutex_init(&sdcp->mutex[i]); ++ spin_lock_init(&sdcp->lock[i]); + init_completion(&sdcp->completion[i]); + crypto_init_queue(&sdcp->queue[i], 50); + } diff --git a/queue-4.9/crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch b/queue-4.9/crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch new file mode 100644 index 00000000000..14a29cb1bff --- /dev/null +++ b/queue-4.9/crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch @@ -0,0 +1,219 @@ +From ba439a6cbfa2936a6713f64cb499de7943673fe3 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Sat, 22 Sep 2018 20:41:55 -0400 +Subject: crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() + +From: Waiman Long + +commit ba439a6cbfa2936a6713f64cb499de7943673fe3 upstream. + +The following KASAN warning was printed when booting a 64-bit kernel +on some systems with Intel CPUs: + +[ 44.512826] ================================================================== +[ 44.520165] BUG: KASAN: stack-out-of-bounds in find_first_bit+0xb0/0xc0 +[ 44.526786] Read of size 8 at addr ffff88041e02fc50 by task kworker/0:2/124 + +[ 44.535253] CPU: 0 PID: 124 Comm: kworker/0:2 Tainted: G X --------- --- 4.18.0-12.el8.x86_64+debug #1 +[ 44.545858] Hardware name: Intel Corporation PURLEY/PURLEY, BIOS BKVDTRL1.86B.0005.D08.1712070559 12/07/2017 +[ 44.555682] Workqueue: events work_for_cpu_fn +[ 44.560043] Call Trace: +[ 44.562502] dump_stack+0x9a/0xe9 +[ 44.565832] print_address_description+0x65/0x22e +[ 44.570683] ? find_first_bit+0xb0/0xc0 +[ 44.570689] kasan_report.cold.6+0x92/0x19f +[ 44.578726] find_first_bit+0xb0/0xc0 +[ 44.578737] adf_probe+0x9eb/0x19a0 [qat_c62x] +[ 44.578751] ? adf_remove+0x110/0x110 [qat_c62x] +[ 44.591490] ? mark_held_locks+0xc8/0x140 +[ 44.591498] ? _raw_spin_unlock+0x30/0x30 +[ 44.591505] ? trace_hardirqs_on_caller+0x381/0x570 +[ 44.604418] ? adf_remove+0x110/0x110 [qat_c62x] +[ 44.604427] local_pci_probe+0xd4/0x180 +[ 44.604432] ? pci_device_shutdown+0x110/0x110 +[ 44.617386] work_for_cpu_fn+0x51/0xa0 +[ 44.621145] process_one_work+0x8fe/0x16e0 +[ 44.625263] ? pwq_dec_nr_in_flight+0x2d0/0x2d0 +[ 44.629799] ? lock_acquire+0x14c/0x400 +[ 44.633645] ? move_linked_works+0x12e/0x2a0 +[ 44.637928] worker_thread+0x536/0xb50 +[ 44.641690] ? __kthread_parkme+0xb6/0x180 +[ 44.645796] ? process_one_work+0x16e0/0x16e0 +[ 44.650160] kthread+0x30c/0x3d0 +[ 44.653400] ? kthread_create_worker_on_cpu+0xc0/0xc0 +[ 44.658457] ret_from_fork+0x3a/0x50 + +[ 44.663557] The buggy address belongs to the page: +[ 44.668350] page:ffffea0010780bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 44.676356] flags: 0x17ffffc0000000() +[ 44.680023] raw: 0017ffffc0000000 ffffea0010780bc8 ffffea0010780bc8 0000000000000000 +[ 44.687769] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 44.695510] page dumped because: kasan: bad access detected + +[ 44.702578] Memory state around the buggy address: +[ 44.707372] ffff88041e02fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 44.714593] ffff88041e02fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 44.721810] >ffff88041e02fc00: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 +[ 44.729028] ^ +[ 44.734864] ffff88041e02fc80: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 +[ 44.742082] ffff88041e02fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 44.749299] ================================================================== + +Looking into the code: + + int ret, bar_mask; + : + for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, + +It is casting a 32-bit integer pointer to a 64-bit unsigned long +pointer. There are two problems here. First, the 32-bit pointer address +may not be 64-bit aligned. Secondly, it is accessing an extra 4 bytes. + +This is fixed by changing the bar_mask type to unsigned long. + +Cc: +Signed-off-by: Waiman Long +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_c3xxx/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_c62x/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_c62xvf/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_dh895xcc/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 6 +++--- + 6 files changed, 18 insertions(+), 18 deletions(-) + +--- a/drivers/crypto/qat/qat_c3xxx/adf_drv.c ++++ b/drivers/crypto/qat/qat_c3xxx/adf_drv.c +@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C3XXX_PCI_DEVICE_ID: +@@ -235,8 +236,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c +@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C3XXXIOV_PCI_DEVICE_ID: +@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_c62x/adf_drv.c ++++ b/drivers/crypto/qat/qat_c62x/adf_drv.c +@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C62X_PCI_DEVICE_ID: +@@ -235,8 +236,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = (hw_data->fuses & ADF_DEVICE_FUSECTL_MASK) ? 1 : 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_c62xvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_c62xvf/adf_drv.c +@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C62XIOV_PCI_DEVICE_ID: +@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_dh895xcc/adf_drv.c ++++ b/drivers/crypto/qat/qat_dh895xcc/adf_drv.c +@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_DH895XCC_PCI_DEVICE_ID: +@@ -237,8 +238,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c +@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_DH895XCCIOV_PCI_DEVICE_ID: +@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); diff --git a/queue-4.9/gpiolib-free-the-last-requested-descriptor.patch b/queue-4.9/gpiolib-free-the-last-requested-descriptor.patch new file mode 100644 index 00000000000..f062f89a1eb --- /dev/null +++ b/queue-4.9/gpiolib-free-the-last-requested-descriptor.patch @@ -0,0 +1,37 @@ +From 19a4fbffc94e41abaa2a623a25ce2641d69eccf0 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda Delgado +Date: Thu, 13 Sep 2018 15:37:04 +0200 +Subject: gpiolib: Free the last requested descriptor + +From: Ricardo Ribalda Delgado + +commit 19a4fbffc94e41abaa2a623a25ce2641d69eccf0 upstream. + +The current code only frees N-1 gpios if an error occurs during +gpiod_set_transitory, gpiod_direction_output or gpiod_direction_input. +Leading to gpios that cannot be used by userspace nor other drivers. + +Cc: Timur Tabi +Cc: stable@vger.kernel.org +Fixes: ab3dbcf78f60f46d ("gpioib: do not free unrequested descriptors) +Reported-by: Jan Lorenzen +Reported-by: Jim Paris +Signed-off-by: Ricardo Ribalda Delgado +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -471,7 +471,7 @@ static int linehandle_create(struct gpio + if (ret) + goto out_free_descs; + lh->descs[i] = desc; +- count = i; ++ count = i + 1; + + if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) + set_bit(FLAG_ACTIVE_LOW, &desc->flags); diff --git a/queue-4.9/ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch b/queue-4.9/ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch new file mode 100644 index 00000000000..257ce721440 --- /dev/null +++ b/queue-4.9/ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch @@ -0,0 +1,47 @@ +From cbe355f57c8074bc4f452e5b6e35509044c6fa23 Mon Sep 17 00:00:00 2001 +From: Ashish Samant +Date: Fri, 5 Oct 2018 15:52:15 -0700 +Subject: ocfs2: fix locking for res->tracking and dlm->tracking_list + +From: Ashish Samant + +commit cbe355f57c8074bc4f452e5b6e35509044c6fa23 upstream. + +In dlm_init_lockres() we access and modify res->tracking and +dlm->tracking_list without holding dlm->track_lock. This can cause list +corruptions and can end up in kernel panic. + +Fix this by locking res->tracking and dlm->tracking_list with +dlm->track_lock instead of dlm->spinlock. + +Link: http://lkml.kernel.org/r/1529951192-4686-1-git-send-email-ashish.samant@oracle.com +Signed-off-by: Ashish Samant +Reviewed-by: Changwei Ge +Acked-by: Joseph Qi +Acked-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/dlm/dlmmaster.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/dlm/dlmmaster.c ++++ b/fs/ocfs2/dlm/dlmmaster.c +@@ -589,9 +589,9 @@ static void dlm_init_lockres(struct dlm_ + + res->last_used = 0; + +- spin_lock(&dlm->spinlock); ++ spin_lock(&dlm->track_lock); + list_add_tail(&res->tracking, &dlm->tracking_list); +- spin_unlock(&dlm->spinlock); ++ spin_unlock(&dlm->track_lock); + + memset(res->lvb, 0, DLM_LVB_LEN); + memset(res->refmap, 0, sizeof(res->refmap)); diff --git a/queue-4.9/proc-restrict-kernel-stack-dumps-to-root.patch b/queue-4.9/proc-restrict-kernel-stack-dumps-to-root.patch new file mode 100644 index 00000000000..0fb541aa4b0 --- /dev/null +++ b/queue-4.9/proc-restrict-kernel-stack-dumps-to-root.patch @@ -0,0 +1,73 @@ +From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 5 Oct 2018 15:51:58 -0700 +Subject: proc: restrict kernel stack dumps to root + +From: Jann Horn + +commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream. + +Currently, you can use /proc/self/task/*/stack to cause a stack walk on +a task you control while it is running on another CPU. That means that +the stack can change under the stack walker. The stack walker does +have guards against going completely off the rails and into random +kernel memory, but it can interpret random data from your kernel stack +as instruction pointers and stack pointers. This can cause exposure of +kernel stack contents to userspace. + +Restrict the ability to inspect kernel stacks of arbitrary tasks to root +in order to prevent a local attacker from exploiting racy stack unwinding +to leak kernel task stack contents. See the added comment for a longer +rationale. + +There don't seem to be any users of this userspace API that can't +gracefully bail out if reading from the file fails. Therefore, I believe +that this change is unlikely to break things. In the case that this patch +does end up needing a revert, the next-best solution might be to fake a +single-entry stack based on wchan. + +Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com +Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") +Signed-off-by: Jann Horn +Acked-by: Kees Cook +Cc: Alexey Dobriyan +Cc: Ken Chen +Cc: Will Deacon +Cc: Laura Abbott +Cc: Andy Lutomirski +Cc: Catalin Marinas +Cc: Josh Poimboeuf +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: "H . Peter Anvin" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -454,6 +454,20 @@ static int proc_pid_stack(struct seq_fil + int err; + int i; + ++ /* ++ * The ability to racily run the kernel stack unwinder on a running task ++ * and then observe the unwinder output is scary; while it is useful for ++ * debugging kernel issues, it can also allow an attacker to leak kernel ++ * stack contents. ++ * Doing this in a manner that is at least safe from races would require ++ * some work to ensure that the remote task can not be scheduled; and ++ * even then, this would still expose the unwinder as local attack ++ * surface. ++ * Therefore, this interface is restricted to root. ++ */ ++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) ++ return -EACCES; ++ + entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL); + if (!entries) + return -ENOMEM; diff --git a/queue-4.9/series b/queue-4.9/series index b304f011053..3e8f93d0b3b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -49,3 +49,11 @@ cifs-read-overflow-in-is_valid_oplock_break.patch xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch xen-avoid-crash-in-disable_hotplug_cpu.patch xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch +sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch +smb2-fix-missing-files-in-root-share-directory-listing.patch +alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch +crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch +crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch +gpiolib-free-the-last-requested-descriptor.patch +proc-restrict-kernel-stack-dumps-to-root.patch +ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch diff --git a/queue-4.9/smb2-fix-missing-files-in-root-share-directory-listing.patch b/queue-4.9/smb2-fix-missing-files-in-root-share-directory-listing.patch new file mode 100644 index 00000000000..7f9c95d20e4 --- /dev/null +++ b/queue-4.9/smb2-fix-missing-files-in-root-share-directory-listing.patch @@ -0,0 +1,175 @@ +From 0595751f267994c3c7027377058e4185b3a28e75 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Thu, 17 May 2018 16:35:07 +0200 +Subject: smb2: fix missing files in root share directory listing + +From: Aurelien Aptel + +commit 0595751f267994c3c7027377058e4185b3a28e75 upstream. + +When mounting a Windows share that is the root of a drive (eg. C$) +the server does not return . and .. directory entries. This results in +the smb2 code path erroneously skipping the 2 first entries. + +Pseudo-code of the readdir() code path: + +cifs_readdir(struct file, struct dir_context) + initiate_cifs_search <-- if no reponse cached yet + server->ops->query_dir_first + + dir_emit_dots + dir_emit <-- adds "." and ".." if we're at pos=0 + + find_cifs_entry + initiate_cifs_search <-- if pos < start of current response + (restart search) + server->ops->query_dir_next <-- if pos > end of current response + (fetch next search res) + + for(...) <-- loops over cur response entries + starting at pos + cifs_filldir <-- skip . and .., emit entry + cifs_fill_dirent + dir_emit + pos++ + +A) dir_emit_dots() always adds . & .. + and sets the current dir pos to 2 (0 and 1 are done). + +Therefore we always want the index_to_find to be 2 regardless of if +the response has . and .. + +B) smb1 code initializes index_of_last_entry with a +2 offset + + in cifssmb.c CIFSFindFirst(): + psrch_inf->index_of_last_entry = 2 /* skip . and .. */ + + psrch_inf->entries_in_buffer; + +Later in find_cifs_entry() we want to find the next dir entry at pos=2 +as a result of (A) + + first_entry_in_buffer = cfile->srch_inf.index_of_last_entry - + cfile->srch_inf.entries_in_buffer; + +This var is the dir pos that the first entry in the buffer will +have therefore it must be 2 in the first call. + +If we don't offset index_of_last_entry by 2 (like in (B)), +first_entry_in_buffer=0 but we were instructed to get pos=2 so this +code in find_cifs_entry() skips the 2 first which is ok for non-root +shares, as it skips . and .. from the response but is not ok for root +shares where the 2 first are actual files + + pos_in_buf = index_to_find - first_entry_in_buffer; + // pos_in_buf=2 + // we skip 2 first response entries :( + for (i = 0; (i < (pos_in_buf)) && (cur_ent != NULL); i++) { + /* go entry by entry figuring out which is first */ + cur_ent = nxt_dir_entry(cur_ent, end_of_smb, + cfile->srch_inf.info_level); + } + +C) cifs_filldir() skips . and .. so we can safely ignore them for now. + +Sample program: + +int main(int argc, char **argv) +{ + const char *path = argc >= 2 ? argv[1] : "."; + DIR *dh; + struct dirent *de; + + printf("listing path <%s>\n", path); + dh = opendir(path); + if (!dh) { + printf("opendir error %d\n", errno); + return 1; + } + + while (1) { + de = readdir(dh); + if (!de) { + if (errno) { + printf("readdir error %d\n", errno); + return 1; + } + printf("end of listing\n"); + break; + } + printf("off=%lu <%s>\n", de->d_off, de->d_name); + } + + return 0; +} + +Before the fix with SMB1 on root shares: + +<.> off=1 +<..> off=2 +<$Recycle.Bin> off=3 + off=4 + +and on non-root shares: + +<.> off=1 +<..> off=4 <-- after adding .., the offsets jumps to +2 because +<2536> off=5 we skipped . and .. from response buffer (C) +<411> off=6 but still incremented pos + off=7 + off=8 + +Therefore the fix for smb2 is to mimic smb1 behaviour and offset the +index_of_last_entry by 2. + +Test results comparing smb1 and smb2 before/after the fix on root +share, non-root shares and on large directories (ie. multi-response +dir listing): + +PRE FIX +======= +pre-1-root VS pre-2-root: + ERR pre-2-root is missing [bootmgr, $Recycle.Bin] +pre-1-nonroot VS pre-2-nonroot: + OK~ same files, same order, different offsets +pre-1-nonroot-large VS pre-2-nonroot-large: + OK~ same files, same order, different offsets + +POST FIX +======== +post-1-root VS post-2-root: + OK same files, same order, same offsets +post-1-nonroot VS post-2-nonroot: + OK same files, same order, same offsets +post-1-nonroot-large VS post-2-nonroot-large: + OK same files, same order, same offsets + +REGRESSION? +=========== +pre-1-root VS post-1-root: + OK same files, same order, same offsets +pre-1-nonroot VS post-1-nonroot: + OK same files, same order, same offsets + +BugLink: https://bugzilla.samba.org/show_bug.cgi?id=13107 +Signed-off-by: Aurelien Aptel +Signed-off-by: Paulo Alcantara +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -989,7 +989,7 @@ smb2_query_dir_first(const unsigned int + } + + srch_inf->entries_in_buffer = 0; +- srch_inf->index_of_last_entry = 0; ++ srch_inf->index_of_last_entry = 2; + + rc = SMB2_query_directory(xid, tcon, fid->persistent_fid, + fid->volatile_fid, 0, srch_inf); diff --git a/queue-4.9/sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch b/queue-4.9/sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch new file mode 100644 index 00000000000..9a8b52051b9 --- /dev/null +++ b/queue-4.9/sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch @@ -0,0 +1,67 @@ +From ffc4c92227db5699493e43eb140b4cb5904c30ff Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Tue, 18 Sep 2018 00:36:36 -0400 +Subject: sysfs: Do not return POSIX ACL xattrs via listxattr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andreas Gruenbacher + +commit ffc4c92227db5699493e43eb140b4cb5904c30ff upstream. + +Commit 786534b92f3c introduced a regression that caused listxattr to +return the POSIX ACL attribute names even though sysfs doesn't support +POSIX ACLs. This happens because simple_xattr_list checks for NULL +i_acl / i_default_acl, but inode_init_always initializes those fields +to ACL_NOT_CACHED ((void *)-1). For example: + $ getfattr -m- -d /sys + /sys: system.posix_acl_access: Operation not supported + /sys: system.posix_acl_default: Operation not supported +Fix this in simple_xattr_list by checking if the filesystem supports POSIX ACLs. + +Fixes: 786534b92f3c ("tmpfs: listxattr should include POSIX ACL xattrs") +Reported-by: Marc Aurèle La France +Tested-by: Marc Aurèle La France +Signed-off-by: Andreas Gruenbacher +Cc: stable@vger.kernel.org # v4.5+ +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xattr.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -953,17 +953,19 @@ ssize_t simple_xattr_list(struct inode * + int err = 0; + + #ifdef CONFIG_FS_POSIX_ACL +- if (inode->i_acl) { +- err = xattr_list_one(&buffer, &remaining_size, +- XATTR_NAME_POSIX_ACL_ACCESS); +- if (err) +- return err; +- } +- if (inode->i_default_acl) { +- err = xattr_list_one(&buffer, &remaining_size, +- XATTR_NAME_POSIX_ACL_DEFAULT); +- if (err) +- return err; ++ if (IS_POSIXACL(inode)) { ++ if (inode->i_acl) { ++ err = xattr_list_one(&buffer, &remaining_size, ++ XATTR_NAME_POSIX_ACL_ACCESS); ++ if (err) ++ return err; ++ } ++ if (inode->i_default_acl) { ++ err = xattr_list_one(&buffer, &remaining_size, ++ XATTR_NAME_POSIX_ACL_DEFAULT); ++ if (err) ++ return err; ++ } + } + #endif +