From: Greg Kroah-Hartman Date: Sat, 18 Jan 2020 15:12:39 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.211~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d02df322fc88ada20e5fd1cb36b9cb467c03b5e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch block-fix-an-integer-overflow-in-logical-block-size.patch fix-built-in-early-load-intel-microcode-alignment.patch
---
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..1affa2d5df0
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,8 @@
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch
+asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
+arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..377495a7abb
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,16 @@
+arm-dts-meson8-fix-the-size-of-the-pmu-registers.patch
+clk-qcom-gcc-sdm845-add-missing-flag-to-votable-gdscs.patch
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+arm-dts-imx6q-dhcom-fix-rtc-compatible.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch
+asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch
+asoc-msm8916-wcd-analog-fix-mic-bias-internal1.patch
+arm-dts-imx6q-dhcom-fix-sgtl5000-vddio-regulator-connection.patch
+alsa-dice-fix-fallback-from-protocol-extension-into-limited-functionality.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
+arm64-dts-allwinner-a64-olinuxino-fix-sdio-supply-regulator.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
+arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch
diff --git a/queue-4.4/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch b/queue-4.4/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
new file mode 100644
index 00000000000..4fd2a8b5a99
--- /dev/null
+++ b/queue-4.4/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
@@ -0,0 +1,54 @@
+From 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 15 Jan 2020 21:37:33 +0100
+Subject: ALSA: seq: Fix racy access for queue timer in proc read
+
+From: Takashi Iwai
+
+commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.
+
+snd_seq_info_timer_read() reads the information of the timer assigned
+for each queue, but it's done in a racy way which may lead to UAF as
+spotted by syzkaller.
+
+This patch applies the missing q->timer_mutex lock while accessing the
+timer object as well as a slight code change to adapt the standard
+coding style.
+
+Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
+Cc:
+Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_timer.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -484,15 +484,19 @@ void snd_seq_info_timer_read(struct snd_
+ q = queueptr(idx);
+ if (q == NULL)
+ continue;
+- if ((tmr = q->timer) == NULL ||
+- (ti = tmr->timeri) == NULL) {
+- queuefree(q);
+- continue;
+- }
++ mutex_lock(&q->timer_mutex);
++ tmr = q->timer;
++ if (!tmr)
++ goto unlock;
++ ti = tmr->timeri;
++ if (!ti)
++ goto unlock;
+ snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
+ resolution = snd_timer_resolution(ti) * tmr->ticks;
+ snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
+ snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base);
++unlock:
++ mutex_unlock(&q->timer_mutex);
+ queuefree(q);
+ }
+ }
diff --git a/queue-4.4/block-fix-an-integer-overflow-in-logical-block-size.patch b/queue-4.4/block-fix-an-integer-overflow-in-logical-block-size.patch
new file mode 100644
index 00000000000..d7bae6467bb
--- /dev/null
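Review bot: The new `mutex_lock(&q->timer_mutex)` in the `snd_seq_info_timer_read()` hunk of sound/core/seq/seq_timer.c carries no comment saying what the mutex protects, and it only closes the use-after-free if every path that clears or frees `q->timer` / `tmr->timeri` runs under the same mutex. Those paths are outside this hunk, so for the 4.4 backport it is worth confirming that the timer open/close code in that tree takes `q->timer_mutex`. I would add above the lock: `/* timer_mutex keeps q->timer and tmr->timeri alive while we print them */`. The first `snd_iprintf()` also dereferences `ti->timer->name` unchecked; if an instance can have `ti->timer == NULL` on this path (not visible here), `if (!ti || !ti->timer)` before the `goto unlock;` would cover it. The function body starts and ends outside the hunk.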
+++ b/queue-4.4/block-fix-an-integer-overflow-in-logical-block-size.patch 
@@ -0,0 +1,116 @@
+From ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Wed, 15 Jan 2020 08:35:25 -0500
+Subject: block: fix an integer overflow in logical block size
+
+From: Mikulas Patocka
+
+commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream.
+
+Logical block size has type unsigned short. That means that it can be at
+most 32768. However, there are architectures that can run with 64k pages
+(for example arm64) and on these architectures, it may be possible to
+create block devices with 64k block size.
+
+For exmaple (run this on an architecture with 64k pages):
+
+Mount will fail with this error because it tries to read the superblock using 2-sector
+access:
+ device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536
+ EXT4-fs (dm-0): unable to read superblock
+
+This patch changes the logical block size from unsigned short to unsigned
+int to avoid the overflow.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Martin K. Petersen
+Reviewed-by: Ming Lei
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-settings.c | 2 +-
+ drivers/md/dm-snap-persistent.c | 2 +-
+ drivers/md/raid0.c | 2 +-
+ include/linux/blkdev.h | 8 ++++----
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -349,7 +349,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size
+ * storage device can address. The default of 512 covers most
+ * hardware.
+ **/
+-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size)
++void blk_queue_logical_block_size(struct request_queue *q, unsigned int size)
+ {
+ q->limits.logical_block_size = size;
+
+--- a/drivers/md/dm-snap-persistent.c
++++ b/drivers/md/dm-snap-persistent.c
+@@ -17,7 +17,7 @@
+ #include "dm-bufio.h"
+
+ #define DM_MSG_PREFIX "persistent snapshot"
+-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32 /* 16KB */
++#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U /* 16KB */
+
+ #define DM_PREFETCH_CHUNKS 12
+
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -83,7 +83,7 @@ static int create_strip_zones(struct mdd
+ char b[BDEVNAME_SIZE];
+ char b2[BDEVNAME_SIZE];
+ struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL);
+- unsigned short blksize = 512;
++ unsigned blksize = 512;
+
+ if (!conf)
+ return -ENOMEM;
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -264,6 +264,7 @@ struct queue_limits {
+ unsigned int max_sectors;
+ unsigned int max_segment_size;
+ unsigned int physical_block_size;
++ unsigned int logical_block_size;
+ unsigned int alignment_offset;
+ unsigned int io_min;
+ unsigned int io_opt;
+@@ -273,7 +274,6 @@ struct queue_limits {
+ unsigned int discard_granularity;
+ unsigned int discard_alignment;
+
+- unsigned short logical_block_size;
+ unsigned short max_segments;
+ unsigned short max_integrity_segments;
+
+@@ -975,7 +975,7 @@ extern void blk_queue_max_discard_sector
+ unsigned int max_discard_sectors);
+ extern void blk_queue_max_write_same_sectors(struct request_queue *q,
+ unsigned int max_write_same_sectors);
+-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
++extern void blk_queue_logical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_alignment_offset(struct request_queue *q,
+ unsigned int alignment);
+@@ -1193,7 +1193,7 @@ static inline unsigned int queue_max_seg
+ return q->limits.max_segment_size;
+ }
+
+-static inline unsigned short queue_logical_block_size(struct request_queue *q)
++static inline unsigned queue_logical_block_size(struct request_queue *q)
+ {
+ int retval = 512;
+
+@@ -1203,7 +1203,7 @@ static inline unsigned short queue_logic
+ return retval;
+ }
+
+-static inline unsigned short bdev_logical_block_size(struct block_device *bdev)
++static inline unsigned int bdev_logical_block_size(struct block_device *bdev)
+ {
+ return queue_logical_block_size(bdev_get_queue(bdev));
+ }
diff --git a/queue-4.4/fix-built-in-early-load-intel-microcode-alignment.patch b/queue-4.4/fix-built-in-early-load-intel-microcode-alignment.patch
new file mode 100644
index 00000000000..5ccdf8b9141
--- /dev/null
+++ b/queue-4.4/fix-built-in-early-load-intel-microcode-alignment.patch
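Review bot: In the include/linux/blkdev.h hunk for `queue_logical_block_size()`, the return type becomes `unsigned` but the local stays `int retval = 512;`, so the block size is still held in a signed int before it is returned; `unsigned int retval = 512;` would match the new return type. The patch also mixes bare `unsigned` (that function, and `unsigned blksize = 512;` in drivers/md/raid0.c) with `unsigned int` on the other changed lines; `unsigned int` throughout would be consistent. Callers that keep the result in an `unsigned short` would still truncate 65536 to 0; none are visible here, so the 4.4 tree is worth a grep for such users of `queue_logical_block_size()` and `bdev_logical_block_size()`. The bodies of `queue_logical_block_size()` and `create_strip_zones()` continue outside their hunks.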
@@ -0,0 +1,54 @@
+From f5ae2ea6347a308cfe91f53b53682ce635497d0d Mon Sep 17 00:00:00 2001
+From: Jari Ruusu
+Date: Sun, 12 Jan 2020 15:00:53 +0200
+Subject: Fix built-in early-load Intel microcode alignment
+
+From: Jari Ruusu
+
+commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream.
+
+Intel Software Developer's Manual, volume 3, chapter 9.11.6 says:
+
+ "Note that the microcode update must be aligned on a 16-byte boundary
+ and the size of the microcode update must be 1-KByte granular"
+
+When early-load Intel microcode is loaded from initramfs, userspace tool
+'iucode_tool' has already 16-byte aligned those microcode bits in that
+initramfs image. Image that was created something like this:
+
+ iucode_tool --write-earlyfw=FOO.cpio microcode-files...
+
+However, when early-load Intel microcode is loaded from built-in
+firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that
+16-byte alignment is not guaranteed.
+
+Fix this by forcing all built-in firmware BLOBs to 16-byte alignment.
+
+[ If we end up having other firmware with much bigger alignment
+ requirements, we might need to introduce some method for the firmware
+ to specify it, this is the minimal "just increase the alignment a bit
+ to account for this one special case" patch - Linus ]
+
+Signed-off-by: Jari Ruusu
+Cc: Borislav Petkov
+Cc: Fenghua Yu
+Cc: Luis Chamberlain
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ firmware/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/firmware/Makefile
++++ b/firmware/Makefile
+@@ -156,7 +156,7 @@ quiet_cmd_fwbin = MK_FW $@
+ PROGBITS=$(if $(CONFIG_ARM),%,@)progbits; \
+ echo "/* Generated by firmware/Makefile */" > $@;\
+ echo " .section .rodata" >>$@;\
+- echo " .p2align $${ASM_ALIGN}" >>$@;\
++ echo " .p2align 4" >>$@;\
+ echo "_fw_$${FWSTR}_bin:" >>$@;\
+ echo " .incbin \"$(2)\"" >>$@;\
+ echo "_fw_end:" >>$@;\
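Review bot: The literal `4` in `echo " .p2align 4"` in the firmware/Makefile hunk is unexplained in the Makefile itself; the reason (the 16-byte alignment required for Intel microcode updates) is given only in the commit message. A comment above `quiet_cmd_fwbin` such as `# built-in blobs are 16-byte aligned (.p2align 4): Intel microcode updates require it` would keep a later cleanup from restoring `$${ASM_ALIGN}`. The recipe starts and continues outside the hunk, so whether `ASM_ALIGN` is still used further down cannot be told from here.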
diff --git a/queue-4.4/ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch b/queue-4.4/ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
index ae004db51e2..0c327f2fe2a 100644
--- a/queue-4.4/ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
+++ b/queue-4.4/ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
@@ -111,14 +111,12 @@ Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- - fs/ocfs2/journal.c | 8 ++++++++ + fs/ocfs2/journal.c | 8 ++++++++ 1 file changed, 8 insertions(+) -diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c -index 2301011428a1..bbf1634ff427 100644 --- a/fs/ocfs2/journal.c +++ b/fs/ocfs2/journal.c -@@ -1080,6 +1080,14 @@ int ocfs2_journal_load(struct ocfs2_journal *journal, int local, int replayed) +@@ -1080,6 +1080,14 @@ int ocfs2_journal_load(struct ocfs2_jour ocfs2_clear_journal_error(osb->sb, journal->j_journal, osb->slot_num);
@@ -133,6 +131,3 @@ index 2301011428a1..bbf1634ff427 100644 status = ocfs2_journal_toggle_dirty(osb, 1, replayed); if (status < 0) { mlog_errno(status); --- -2.20.1 -
diff --git a/queue-4.4/series b/queue-4.4/series
index d760d4619ac..f490716f9c7 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -37,3 +37,6 @@ rtc-msm6242-fix-reading-of-10-hour-digit.patch
 rseq-selftests-turn-off-timeout-setting.patch
 hexagon-work-around-compiler-crash.patch
 ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
diff --git a/queue-4.9/series b/queue-4.9/series
index e0b7af439f1..a6e9b66f3ed 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -48,3 +48,8 @@ ioat-ioat_alloc_ring-failure-handling.patch
 hexagon-parenthesize-registers-in-asm-predicates.patch
 hexagon-work-around-compiler-crash.patch
 ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..81b38eef00f
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,36 @@
+arm-dts-meson8-fix-the-size-of-the-pmu-registers.patch
+clk-qcom-gcc-sdm845-add-missing-flag-to-votable-gdscs.patch
+soc-amlogic-meson-ee-pwrc-propagate-pd-provider-registration-errors.patch
+soc-amlogic-meson-ee-pwrc-propagate-errors-from-pm_genpd_init.patch
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+arm-dts-imx6q-dhcom-fix-rtc-compatible.patch
+arm64-dts-ls1028a-fix-endian-setting-for-dcfg.patch
+arm64-dts-imx8mm-change-sdma1-ahb-clock-for-imx8mm.patch
+bus-ti-sysc-fix-iterating-over-clocks.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+revert-gpio-thunderx-switch-to-gpiolib_irqchip.patch
+arm64-dts-imx8mq-librem5-devkit-use-correct-interrupt-for-the-magnetometer.patch
+asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch
+asoc-stm32-sai-fix-possible-circular-locking.patch
+asoc-stm32-dfsdm-fix-16-bits-record.patch
+asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch
+asoc-msm8916-wcd-analog-fix-mic-bias-internal1.patch
+arm-omap2-fix-ti_sysc_find_one_clockdomain-to-check-for-to_clk_hw_omap.patch
+arm-dts-imx7ulp-fix-reg-of-cpu-node.patch
+arm-dts-imx6q-dhcom-fix-sgtl5000-vddio-regulator-connection.patch
+asoc-intel-bytcht_es8316-fix-irbis-nb41-netbook-quirk.patch
+alsa-dice-fix-fallback-from-protocol-extension-into-limited-functionality.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+alsa-firewire-tascam-fix-corruption-due-to-spin-lock-without-restoration-in-softirq-context.patch
+alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
+arm64-dts-allwinner-a64-olinuxino-fix-sdio-supply-regulator.patch
+arm64-dts-allwinner-a64-olinuxino-fix-emmc-supply-regulator.patch
+arm64-dts-agilex-stratix10-fix-pmu-interrupt-numbers.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+clk-sunxi-ng-r40-allow-setting-parent-rate-for-external-clock-outputs.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
+fuse-fix-fuse_send_readpages-in-the-syncronous-read-case.patch
+io_uring-only-allow-submit-from-owning-task.patch
+cpuidle-teo-fix-intervals-array-indexing-bug.patch
+arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch
+arm-davinci-select-config_reset_controller.patch