From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 25 Mar 2019 20:35:20 +0000 (+0900)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.166~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=317253aacbee0aca91e7120f526866f92b30bea8;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	bluetooth-fix-decrementing-reference-count-twice-in-releasing-socket.patch
	locking-lockdep-add-debug_locks-check-in-__lock_downgrade.patch
	media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
---

diff --git a/queue-4.9/bluetooth-fix-decrementing-reference-count-twice-in-releasing-socket.patch b/queue-4.9/bluetooth-fix-decrementing-reference-count-twice-in-releasing-socket.patch
new file mode 100644
index 00000000000..7287989bbf6
--- /dev/null
+++ b/queue-4.9/bluetooth-fix-decrementing-reference-count-twice-in-releasing-socket.patch
@@ -0,0 +1,46 @@
+From e20a2e9c42c9e4002d9e338d74e7819e88d77162 Mon Sep 17 00:00:00 2001
+From: Myungho Jung <mhjungk@gmail.com>
+Date: Sat, 2 Feb 2019 16:56:36 -0800
+Subject: Bluetooth: Fix decrementing reference count twice in releasing socket
+
+From: Myungho Jung <mhjungk@gmail.com>
+
+commit e20a2e9c42c9e4002d9e338d74e7819e88d77162 upstream.
+
+When releasing socket, it is possible to enter hci_sock_release() and
+hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
+The reference count of hdev should be decremented only once from one of
+them but if storing hdev to local variable in hci_sock_release() before
+detached from socket and setting to NULL in hci_sock_dev_event(),
+hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
+referencing hdev from socket after bt_sock_unlink() in
+hci_sock_release().
+
+Reported-by: syzbot+fdc00003f4efff43bc5b@syzkaller.appspotmail.com
+Signed-off-by: Myungho Jung <mhjungk@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_sock.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -826,8 +826,6 @@ static int hci_sock_release(struct socke
+ 	if (!sk)
+ 		return 0;
+ 
+-	hdev = hci_pi(sk)->hdev;
+-
+ 	switch (hci_pi(sk)->channel) {
+ 	case HCI_CHANNEL_MONITOR:
+ 		atomic_dec(&monitor_promisc);
+@@ -849,6 +847,7 @@ static int hci_sock_release(struct socke
+ 
+ 	bt_sock_unlink(&hci_sk_list, sk);
+ 
++	hdev = hci_pi(sk)->hdev;
+ 	if (hdev) {
+ 		if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
+ 			/* When releasing an user channel exclusive access,
diff --git a/queue-4.9/locking-lockdep-add-debug_locks-check-in-__lock_downgrade.patch b/queue-4.9/locking-lockdep-add-debug_locks-check-in-__lock_downgrade.patch
new file mode 100644
index 00000000000..65ee0566a3f
--- /dev/null
+++ b/queue-4.9/locking-lockdep-add-debug_locks-check-in-__lock_downgrade.patch
@@ -0,0 +1,48 @@
+From 71492580571467fb7177aade19c18ce7486267f5 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Wed, 9 Jan 2019 23:03:25 -0500
+Subject: locking/lockdep: Add debug_locks check in __lock_downgrade()
+
+From: Waiman Long <longman@redhat.com>
+
+commit 71492580571467fb7177aade19c18ce7486267f5 upstream.
+
+Tetsuo Handa had reported he saw an incorrect "downgrading a read lock"
+warning right after a previous lockdep warning. It is likely that the
+previous warning turned off lock debugging causing the lockdep to have
+inconsistency states leading to the lock downgrade warning.
+
+Fix that by add a check for debug_locks at the beginning of
+__lock_downgrade().
+
+Debugged-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Reported-by: syzbot+53383ae265fb161ef488@syzkaller.appspotmail.com
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Link: https://lkml.kernel.org/r/1547093005-26085-1-git-send-email-longman@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/locking/lockdep.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3446,6 +3446,9 @@ __lock_set_class(struct lockdep_map *loc
+ 	unsigned int depth;
+ 	int i;
+ 
++	if (unlikely(!debug_locks))
++		return 0;
++
+ 	depth = curr->lockdep_depth;
+ 	/*
+ 	 * This function is about (re)setting the class of a held lock,
diff --git a/queue-4.9/media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch b/queue-4.9/media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
new file mode 100644
index 00000000000..6b158d14ef0
--- /dev/null
+++ b/queue-4.9/media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
@@ -0,0 +1,49 @@
+From f45f3f753b0a3d739acda8e311b4f744d82dc52a Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Tue, 18 Dec 2018 08:37:08 -0500
+Subject: media: v4l2-ctrls.c/uvc: zero v4l2_event
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit f45f3f753b0a3d739acda8e311b4f744d82dc52a upstream.
+
+Control events can leak kernel memory since they do not fully zero the
+event. The same code is present in both v4l2-ctrls.c and uvc_ctrl.c, so
+fix both.
+
+It appears that all other event code is properly zeroing the structure,
+it's these two places.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+4f021cf3697781dbd9fb@syzkaller.appspotmail.com
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_ctrl.c     |    2 +-
+ drivers/media/v4l2-core/v4l2-ctrls.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1203,7 +1203,7 @@ static void uvc_ctrl_fill_event(struct u
+ 
+ 	__uvc_query_v4l2_ctrl(chain, ctrl, mapping, &v4l2_ctrl);
+ 
+-	memset(ev->reserved, 0, sizeof(ev->reserved));
++	memset(ev, 0, sizeof(*ev));
+ 	ev->type = V4L2_EVENT_CTRL;
+ 	ev->id = v4l2_ctrl.id;
+ 	ev->u.ctrl.value = value;
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -1231,7 +1231,7 @@ static u32 user_flags(const struct v4l2_
+ 
+ static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes)
+ {
+-	memset(ev->reserved, 0, sizeof(ev->reserved));
++	memset(ev, 0, sizeof(*ev));
+ 	ev->type = V4L2_EVENT_CTRL;
+ 	ev->id = ctrl->id;
+ 	ev->u.ctrl.changes = changes;
diff --git a/queue-4.9/series b/queue-4.9/series
index c3a36f0b50b..1f98436f0e1 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -11,3 +11,6 @@ objtool-move-objtool_file-struct-off-the-stack.patch
 ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch
 ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
 ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch
+media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
+bluetooth-fix-decrementing-reference-count-twice-in-releasing-socket.patch
+locking-lockdep-add-debug_locks-check-in-__lock_downgrade.patch