From: Greg Kroah-Hartman Date: Fri, 10 Nov 2017 13:43:48 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.81~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3de05e7ffa5314083c380a4dc65e0fd0d13ee798;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-seq-avoid-invalid-lockdep-class-warning.patch alsa-seq-fix-oss-sysex-delivery-in-oss-emulation.patch arm-8720-1-ensure-dump_instr-checks-addr_limit.patch crypto-x86-sha1-mb-fix-panic-due-to-unaligned-access.patch keys-fix-null-pointer-dereference-during-asn.1-parsing.patch mips-fix-cm-region-target-definitions.patch mips-micromips-fix-incorrect-mask-in-insn_table_mm.patch workqueue-fix-null-pointer-dereference.patch --- diff --git a/queue-3.18/alsa-seq-avoid-invalid-lockdep-class-warning.patch b/queue-3.18/alsa-seq-avoid-invalid-lockdep-class-warning.patch new file mode 100644 index 00000000000..9f7972df1f5 --- /dev/null +++ b/queue-3.18/alsa-seq-avoid-invalid-lockdep-class-warning.patch @@ -0,0 +1,43 @@ +From 3510c7aa069aa83a2de6dab2b41401a198317bdc Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 6 Nov 2017 20:16:50 +0100 +Subject: ALSA: seq: Avoid invalid lockdep class warning + +From: Takashi Iwai + +commit 3510c7aa069aa83a2de6dab2b41401a198317bdc upstream. + +The recent fix for adding rwsem nesting annotation was using the given +"hop" argument as the lock subclass key. Although the idea itself +works, it may trigger a kernel warning like: + BUG: looking up invalid subclass: 8 + .... +since the lockdep has a smaller number of subclasses (8) than we +currently allow for the hops there (10). + +The current definition is merely a sanity check for avoiding the too +deep delivery paths, and the 8 hops are already enough. So, as a +quick fix, just follow the max hops as same as the max lockdep +subclasses. + +Fixes: 1f20f9ff57ca ("ALSA: seq: Fix nested rwsem annotation for lockdep splat") +Reported-by: syzbot +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/seq_kernel.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/sound/seq_kernel.h ++++ b/include/sound/seq_kernel.h +@@ -55,7 +55,8 @@ typedef union snd_seq_timestamp snd_seq_ + #define SNDRV_SEQ_DEFAULT_CLIENT_EVENTS 200 + + /* max delivery path length */ +-#define SNDRV_SEQ_MAX_HOPS 10 ++/* NOTE: this shouldn't be greater than MAX_LOCKDEP_SUBCLASSES */ ++#define SNDRV_SEQ_MAX_HOPS 8 + + /* max size of event size */ + #define SNDRV_SEQ_MAX_EVENT_LEN 0x3fffffff diff --git a/queue-3.18/alsa-seq-fix-oss-sysex-delivery-in-oss-emulation.patch b/queue-3.18/alsa-seq-fix-oss-sysex-delivery-in-oss-emulation.patch new file mode 100644 index 00000000000..fbbb9a9ca4e --- /dev/null +++ b/queue-3.18/alsa-seq-fix-oss-sysex-delivery-in-oss-emulation.patch @@ -0,0 +1,94 @@ +From 132d358b183ac6ad8b3fea32ad5e0663456d18d1 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 7 Nov 2017 16:05:24 +0100 +Subject: ALSA: seq: Fix OSS sysex delivery in OSS emulation + +From: Takashi Iwai + +commit 132d358b183ac6ad8b3fea32ad5e0663456d18d1 upstream. + +The SYSEX event delivery in OSS sequencer emulation assumed that the +event is encoded in the variable-length data with the straight +buffering. This was the normal behavior in the past, but during the +development, the chained buffers were introduced for carrying more +data, while the OSS code was left intact. As a result, when a SYSEX +event with the chained buffer data is passed to OSS sequencer port, +it may end up with the wrong memory access, as if it were having a too +large buffer. + +This patch addresses the bug, by applying the buffer data expansion by +the generic snd_seq_dump_var_event() helper function. + +Reported-by: syzbot +Reported-by: Mark Salyzyn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/oss/seq_oss_midi.c | 4 +--- + sound/core/seq/oss/seq_oss_readq.c | 29 +++++++++++++++++++++++++++++ + sound/core/seq/oss/seq_oss_readq.h | 2 ++ + 3 files changed, 32 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/oss/seq_oss_midi.c ++++ b/sound/core/seq/oss/seq_oss_midi.c +@@ -615,9 +615,7 @@ send_midi_event(struct seq_oss_devinfo * + if (!dp->timer->running) + len = snd_seq_oss_timer_start(dp->timer); + if (ev->type == SNDRV_SEQ_EVENT_SYSEX) { +- if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) == SNDRV_SEQ_EVENT_LENGTH_VARIABLE) +- snd_seq_oss_readq_puts(dp->readq, mdev->seq_device, +- ev->data.ext.ptr, ev->data.ext.len); ++ snd_seq_oss_readq_sysex(dp->readq, mdev->seq_device, ev); + } else { + len = snd_midi_event_decode(mdev->coder, msg, sizeof(msg), ev); + if (len > 0) +--- a/sound/core/seq/oss/seq_oss_readq.c ++++ b/sound/core/seq/oss/seq_oss_readq.c +@@ -120,6 +120,35 @@ snd_seq_oss_readq_puts(struct seq_oss_re + } + + /* ++ * put MIDI sysex bytes; the event buffer may be chained, thus it has ++ * to be expanded via snd_seq_dump_var_event(). ++ */ ++struct readq_sysex_ctx { ++ struct seq_oss_readq *readq; ++ int dev; ++}; ++ ++static int readq_dump_sysex(void *ptr, void *buf, int count) ++{ ++ struct readq_sysex_ctx *ctx = ptr; ++ ++ return snd_seq_oss_readq_puts(ctx->readq, ctx->dev, buf, count); ++} ++ ++int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev, ++ struct snd_seq_event *ev) ++{ ++ struct readq_sysex_ctx ctx = { ++ .readq = q, ++ .dev = dev ++ }; ++ ++ if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE) ++ return 0; ++ return snd_seq_dump_var_event(ev, readq_dump_sysex, &ctx); ++} ++ ++/* + * copy an event to input queue: + * return zero if enqueued + */ +--- a/sound/core/seq/oss/seq_oss_readq.h ++++ b/sound/core/seq/oss/seq_oss_readq.h +@@ -44,6 +44,8 @@ void snd_seq_oss_readq_delete(struct seq + void snd_seq_oss_readq_clear(struct seq_oss_readq *readq); + unsigned int snd_seq_oss_readq_poll(struct seq_oss_readq *readq, struct file *file, poll_table *wait); + int snd_seq_oss_readq_puts(struct seq_oss_readq *readq, int dev, unsigned char *data, int len); ++int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev, ++ struct snd_seq_event *ev); + int snd_seq_oss_readq_put_event(struct seq_oss_readq *readq, union evrec *ev); + int snd_seq_oss_readq_put_timestamp(struct seq_oss_readq *readq, unsigned long curt, int seq_mode); + int snd_seq_oss_readq_pick(struct seq_oss_readq *q, union evrec *rec); diff --git a/queue-3.18/arm-8720-1-ensure-dump_instr-checks-addr_limit.patch b/queue-3.18/arm-8720-1-ensure-dump_instr-checks-addr_limit.patch new file mode 100644 index 00000000000..70d1dd0af08 --- /dev/null +++ b/queue-3.18/arm-8720-1-ensure-dump_instr-checks-addr_limit.patch @@ -0,0 +1,88 @@ +From b9dd05c7002ee0ca8b676428b2268c26399b5e31 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 2 Nov 2017 18:44:28 +0100 +Subject: ARM: 8720/1: ensure dump_instr() checks addr_limit + +From: Mark Rutland + +commit b9dd05c7002ee0ca8b676428b2268c26399b5e31 upstream. + +When CONFIG_DEBUG_USER is enabled, it's possible for a user to +deliberately trigger dump_instr() with a chosen kernel address. + +Let's avoid problems resulting from this by using get_user() rather than +__get_user(), ensuring that we don't erroneously access kernel memory. + +So that we can use the same code to dump user instructions and kernel +instructions, the common dumping code is factored out to __dump_instr(), +with the fs manipulated appropriately in dump_instr() around calls to +this. + +Signed-off-by: Mark Rutland +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/traps.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/arch/arm/kernel/traps.c ++++ b/arch/arm/kernel/traps.c +@@ -132,30 +132,26 @@ static void dump_mem(const char *lvl, co + set_fs(fs); + } + +-static void dump_instr(const char *lvl, struct pt_regs *regs) ++static void __dump_instr(const char *lvl, struct pt_regs *regs) + { + unsigned long addr = instruction_pointer(regs); + const int thumb = thumb_mode(regs); + const int width = thumb ? 4 : 8; +- mm_segment_t fs; + char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; + int i; + + /* +- * We need to switch to kernel mode so that we can use __get_user +- * to safely read from kernel space. Note that we now dump the +- * code first, just in case the backtrace kills us. ++ * Note that we now dump the code first, just in case the backtrace ++ * kills us. + */ +- fs = get_fs(); +- set_fs(KERNEL_DS); + + for (i = -4; i < 1 + !!thumb; i++) { + unsigned int val, bad; + + if (thumb) +- bad = __get_user(val, &((u16 *)addr)[i]); ++ bad = get_user(val, &((u16 *)addr)[i]); + else +- bad = __get_user(val, &((u32 *)addr)[i]); ++ bad = get_user(val, &((u32 *)addr)[i]); + + if (!bad) + p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ", +@@ -166,8 +162,20 @@ static void dump_instr(const char *lvl, + } + } + printk("%sCode: %s\n", lvl, str); ++} + +- set_fs(fs); ++static void dump_instr(const char *lvl, struct pt_regs *regs) ++{ ++ mm_segment_t fs; ++ ++ if (!user_mode(regs)) { ++ fs = get_fs(); ++ set_fs(KERNEL_DS); ++ __dump_instr(lvl, regs); ++ set_fs(fs); ++ } else { ++ __dump_instr(lvl, regs); ++ } + } + + #ifdef CONFIG_ARM_UNWIND diff --git a/queue-3.18/crypto-x86-sha1-mb-fix-panic-due-to-unaligned-access.patch b/queue-3.18/crypto-x86-sha1-mb-fix-panic-due-to-unaligned-access.patch new file mode 100644 index 00000000000..afc9aee931a --- /dev/null +++ b/queue-3.18/crypto-x86-sha1-mb-fix-panic-due-to-unaligned-access.patch @@ -0,0 +1,63 @@ +From d041b557792c85677f17e08eee535eafbd6b9aa2 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Mon, 16 Oct 2017 18:51:31 +0300 +Subject: crypto: x86/sha1-mb - fix panic due to unaligned access + +From: Andrey Ryabinin + +commit d041b557792c85677f17e08eee535eafbd6b9aa2 upstream. + +struct sha1_ctx_mgr allocated in sha1_mb_mod_init() via kzalloc() +and later passed in sha1_mb_flusher_mgr_flush_avx2() function where +instructions vmovdqa used to access the struct. vmovdqa requires +16-bytes aligned argument, but nothing guarantees that struct +sha1_ctx_mgr will have that alignment. Unaligned vmovdqa will +generate GP fault. + +Fix this by replacing vmovdqa with vmovdqu which doesn't have alignment +requirements. + +Fixes: 2249cbb53ead ("crypto: sha-mb - SHA1 multibuffer submit and flush routines for AVX2") +Signed-off-by: Andrey Ryabinin +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S ++++ b/arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S +@@ -174,8 +174,8 @@ LABEL skip_ %I + .endr + + # Find min length +- vmovdqa _lens+0*16(state), %xmm0 +- vmovdqa _lens+1*16(state), %xmm1 ++ vmovdqu _lens+0*16(state), %xmm0 ++ vmovdqu _lens+1*16(state), %xmm1 + + vpminud %xmm1, %xmm0, %xmm2 # xmm2 has {D,C,B,A} + vpalignr $8, %xmm2, %xmm3, %xmm3 # xmm3 has {x,x,D,C} +@@ -195,8 +195,8 @@ LABEL skip_ %I + vpsubd %xmm2, %xmm0, %xmm0 + vpsubd %xmm2, %xmm1, %xmm1 + +- vmovdqa %xmm0, _lens+0*16(state) +- vmovdqa %xmm1, _lens+1*16(state) ++ vmovdqu %xmm0, _lens+0*16(state) ++ vmovdqu %xmm1, _lens+1*16(state) + + # "state" and "args" are the same address, arg1 + # len is arg2 +@@ -260,8 +260,8 @@ ENTRY(sha1_mb_mgr_get_comp_job_avx2) + jc .return_null + + # Find min length +- vmovdqa _lens(state), %xmm0 +- vmovdqa _lens+1*16(state), %xmm1 ++ vmovdqu _lens(state), %xmm0 ++ vmovdqu _lens+1*16(state), %xmm1 + + vpminud %xmm1, %xmm0, %xmm2 # xmm2 has {D,C,B,A} + vpalignr $8, %xmm2, %xmm3, %xmm3 # xmm3 has {x,x,D,C} diff --git a/queue-3.18/keys-fix-null-pointer-dereference-during-asn.1-parsing.patch b/queue-3.18/keys-fix-null-pointer-dereference-during-asn.1-parsing.patch new file mode 100644 index 00000000000..f6852807adc --- /dev/null +++ b/queue-3.18/keys-fix-null-pointer-dereference-during-asn.1-parsing.patch @@ -0,0 +1,103 @@ +From 624f5ab8720b3371367327a822c267699c1823b8 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 7 Nov 2017 22:29:02 +0000 +Subject: KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] + +From: Eric Biggers + +commit 624f5ab8720b3371367327a822c267699c1823b8 upstream. + +syzkaller reported a NULL pointer dereference in asn1_ber_decoder(). It +can be reproduced by the following command, assuming +CONFIG_PKCS7_TEST_KEY=y: + + keyctl add pkcs7_test desc '' @s + +The bug is that if the data buffer is empty, an integer underflow occurs +in the following check: + + if (unlikely(dp >= datalen - 1)) + goto data_overrun_error; + +This results in the NULL data pointer being dereferenced. + +Fix it by checking for 'datalen - dp < 2' instead. + +Also fix the similar check for 'dp >= datalen - n' later in the same +function. That one possibly could result in a buffer overread. + +The NULL pointer dereference was reproducible using the "pkcs7_test" key +type but not the "asymmetric" key type because the "asymmetric" key type +checks for a 0-length payload before calling into the ASN.1 decoder but +the "pkcs7_test" key type does not. + +The bug report was: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 + PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: + CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014 + task: ffff9b6b3798c040 task.stack: ffff9b6b37970000 + RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 + RSP: 0018:ffff9b6b37973c78 EFLAGS: 00010216 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000021c + RDX: ffffffff814a04ed RSI: ffffb1524066e000 RDI: ffffffff910759e0 + RBP: ffff9b6b37973d60 R08: 0000000000000001 R09: ffff9b6b3caa4180 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f10ed1f2700(0000) GS:ffff9b6b3ea00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000007b6f3000 CR4: 00000000000006f0 + Call Trace: + pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139 + verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216 + pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63 + key_create_or_update+0x180/0x530 security/keys/key.c:855 + SYSC_add_key security/keys/keyctl.c:122 [inline] + SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62 + entry_SYSCALL_64_fastpath+0x1f/0xbe + RIP: 0033:0x4585c9 + RSP: 002b:00007f10ed1f1bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000f8 + RAX: ffffffffffffffda RBX: 00007f10ed1f2700 RCX: 00000000004585c9 + RDX: 0000000020000000 RSI: 0000000020008ffb RDI: 0000000020008000 + RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff1b2260ae + R13: 00007fff1b2260af R14: 00007f10ed1f2700 R15: 0000000000000000 + Code: dd ca ff 48 8b 45 88 48 83 e8 01 4c 39 f0 0f 86 a8 07 00 00 e8 53 dd ca ff 49 8d 46 01 48 89 85 58 ff ff ff 48 8b 85 60 ff ff ff <42> 0f b6 0c 30 89 c8 88 8d 75 ff ff ff 83 e0 1f 89 8d 28 ff ff + RIP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 RSP: ffff9b6b37973c78 + CR2: 0000000000000000 + +Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder") +Reported-by: syzbot +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + lib/asn1_decoder.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/asn1_decoder.c ++++ b/lib/asn1_decoder.c +@@ -220,7 +220,7 @@ next_op: + hdr = 2; + + /* Extract a tag from the data */ +- if (unlikely(dp >= datalen - 1)) ++ if (unlikely(datalen - dp < 2)) + goto data_overrun_error; + tag = data[dp++]; + if (unlikely((tag & 0x1f) == ASN1_LONG_TAG)) +@@ -266,7 +266,7 @@ next_op: + int n = len - 0x80; + if (unlikely(n > 2)) + goto length_too_long; +- if (unlikely(dp >= datalen - n)) ++ if (unlikely(n > datalen - dp)) + goto data_overrun_error; + hdr += n; + for (len = 0; n > 0; n--) { diff --git a/queue-3.18/mips-fix-cm-region-target-definitions.patch b/queue-3.18/mips-fix-cm-region-target-definitions.patch new file mode 100644 index 00000000000..e3b9cd82639 --- /dev/null +++ b/queue-3.18/mips-fix-cm-region-target-definitions.patch @@ -0,0 +1,55 @@ +From 6a6cba1d945a7511cdfaf338526871195e420762 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Tue, 31 Oct 2017 15:09:22 -0700 +Subject: MIPS: Fix CM region target definitions + +From: Paul Burton + +commit 6a6cba1d945a7511cdfaf338526871195e420762 upstream. + +The default CM target field in the GCR_BASE register is encoded with 0 +meaning memory & 1 being reserved. However the definitions we use for +those bits effectively get these two values backwards - likely because +they were copied from the definitions for the CM regions where the +target is encoded differently. This results in use setting up GCR_BASE +with the reserved target value by default, rather than targeting memory +as intended. Although we currently seem to get away with this it's not a +great idea to rely upon. + +Fix this by changing our macros to match the documentated target values. + +The incorrect encoding became used as of commit 9f98f3dd0c51 ("MIPS: Add +generic CM probe & access code") in the Linux v3.15 cycle, and was +likely carried forwards from older but unused code introduced by +commit 39b8d5254246 ("[MIPS] Add support for MIPS CMP platform.") in the +v2.6.26 cycle. + +Fixes: 9f98f3dd0c51 ("MIPS: Add generic CM probe & access code") +Signed-off-by: Paul Burton +Reported-by: Matt Redfearn +Reviewed-by: James Hogan +Cc: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # v3.15+ +Patchwork: https://patchwork.linux-mips.org/patch/17562/ +Signed-off-by: James Hogan +[jhogan@kernel.org: Backported 3.15..4.13] +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/mips-cm.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/mips/include/asm/mips-cm.h ++++ b/arch/mips/include/asm/mips-cm.h +@@ -173,8 +173,8 @@ BUILD_CM_Cx_R_(tcid_8_priority, 0x80) + #define CM_GCR_BASE_GCRBASE_MSK (_ULCAST_(0x1ffff) << 15) + #define CM_GCR_BASE_CMDEFTGT_SHF 0 + #define CM_GCR_BASE_CMDEFTGT_MSK (_ULCAST_(0x3) << 0) +-#define CM_GCR_BASE_CMDEFTGT_DISABLED 0 +-#define CM_GCR_BASE_CMDEFTGT_MEM 1 ++#define CM_GCR_BASE_CMDEFTGT_MEM 0 ++#define CM_GCR_BASE_CMDEFTGT_RESERVED 1 + #define CM_GCR_BASE_CMDEFTGT_IOCU0 2 + #define CM_GCR_BASE_CMDEFTGT_IOCU1 3 + diff --git a/queue-3.18/mips-micromips-fix-incorrect-mask-in-insn_table_mm.patch b/queue-3.18/mips-micromips-fix-incorrect-mask-in-insn_table_mm.patch new file mode 100644 index 00000000000..c07454ab22b --- /dev/null +++ b/queue-3.18/mips-micromips-fix-incorrect-mask-in-insn_table_mm.patch @@ -0,0 +1,38 @@ +From 77238e76b9156d28d86c1e31c00ed2960df0e4de Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 31 Oct 2017 00:35:03 -0500 +Subject: MIPS: microMIPS: Fix incorrect mask in insn_table_MM + +From: Gustavo A. R. Silva + +commit 77238e76b9156d28d86c1e31c00ed2960df0e4de upstream. + +It seems that this is a typo error and the proper bit masking is +"RT | RS" instead of "RS | RS". + +This issue was detected with the help of Coccinelle. + +Fixes: d6b3314b49e1 ("MIPS: uasm: Add lh uam instruction") +Reported-by: Julia Lawall +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: James Hogan +Patchwork: https://patchwork.linux-mips.org/patch/17551/ +Signed-off-by: James Hogan +[jhogan@kernel.org: Backported 3.16..4.12] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/uasm-micromips.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/mm/uasm-micromips.c ++++ b/arch/mips/mm/uasm-micromips.c +@@ -83,7 +83,7 @@ static struct insn insn_table_MM[] = { + { insn_jr, M(mm_pool32a_op, 0, 0, 0, mm_jalr_op, mm_pool32axf_op), RS }, + { insn_lb, M(mm_lb32_op, 0, 0, 0, 0, 0), RT | RS | SIMM }, + { insn_ld, 0, 0 }, +- { insn_lh, M(mm_lh32_op, 0, 0, 0, 0, 0), RS | RS | SIMM }, ++ { insn_lh, M(mm_lh32_op, 0, 0, 0, 0, 0), RT | RS | SIMM }, + { insn_ll, M(mm_pool32c_op, 0, 0, (mm_ll_func << 1), 0, 0), RS | RT | SIMM }, + { insn_lld, 0, 0 }, + { insn_lui, M(mm_pool32i_op, mm_lui_op, 0, 0, 0, 0), RS | SIMM }, diff --git a/queue-3.18/series b/queue-3.18/series index 9f5cd75741d..faacf72af0f 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -14,3 +14,11 @@ input-mpr121-handle-multiple-bits-change-of-status-register.patch input-mpr121-set-missing-event-capability.patch ib-ipoib-change-list_del-to-list_del_init-in-the-tx-object.patch keys-trusted-sanitize-all-key-material.patch +workqueue-fix-null-pointer-dereference.patch +crypto-x86-sha1-mb-fix-panic-due-to-unaligned-access.patch +keys-fix-null-pointer-dereference-during-asn.1-parsing.patch +arm-8720-1-ensure-dump_instr-checks-addr_limit.patch +alsa-seq-fix-oss-sysex-delivery-in-oss-emulation.patch +alsa-seq-avoid-invalid-lockdep-class-warning.patch +mips-micromips-fix-incorrect-mask-in-insn_table_mm.patch +mips-fix-cm-region-target-definitions.patch diff --git a/queue-3.18/workqueue-fix-null-pointer-dereference.patch b/queue-3.18/workqueue-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..112bcad4733 --- /dev/null +++ b/queue-3.18/workqueue-fix-null-pointer-dereference.patch @@ -0,0 +1,67 @@ +From cef572ad9bd7f85035ba8272e5352040e8be0152 Mon Sep 17 00:00:00 2001 +From: Li Bin +Date: Sat, 28 Oct 2017 11:07:28 +0800 +Subject: workqueue: Fix NULL pointer dereference + +From: Li Bin + +commit cef572ad9bd7f85035ba8272e5352040e8be0152 upstream. + +When queue_work() is used in irq (not in task context), there is +a potential case that trigger NULL pointer dereference. +---------------------------------------------------------------- +worker_thread() +|-spin_lock_irq() +|-process_one_work() + |-worker->current_pwq = pwq + |-spin_unlock_irq() + |-worker->current_func(work) + |-spin_lock_irq() + |-worker->current_pwq = NULL +|-spin_unlock_irq() + + //interrupt here + |-irq_handler + |-__queue_work() + //assuming that the wq is draining + |-is_chained_work(wq) + |-current_wq_worker() + //Here, 'current' is the interrupted worker! + |-current->current_pwq is NULL here! +|-schedule() +---------------------------------------------------------------- + +Avoid it by checking for task context in current_wq_worker(), and +if not in task context, we shouldn't use the 'current' to check the +condition. + +Reported-by: Xiaofei Tan +Signed-off-by: Li Bin +Reviewed-by: Lai Jiangshan +Signed-off-by: Tejun Heo +Fixes: 8d03ecfe4718 ("workqueue: reimplement is_chained_work() using current_wq_worker()") +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/workqueue_internal.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/workqueue_internal.h ++++ b/kernel/workqueue_internal.h +@@ -9,6 +9,7 @@ + + #include + #include ++#include + + struct worker_pool; + +@@ -59,7 +60,7 @@ struct worker { + */ + static inline struct worker *current_wq_worker(void) + { +- if (current->flags & PF_WQ_WORKER) ++ if (in_task() && (current->flags & PF_WQ_WORKER)) + return kthread_data(current); + return NULL; + }