From: Greg Kroah-Hartman Date: Tue, 23 Apr 2019 20:51:46 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.139~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45c56c0615283da3a328167454752ccf6b8d1263;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-core-fix-card-races-between-register-and-disconnect.patch iio-ad_sigma_delta-select-channel-when-reading-register.patch iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch kprobes-fix-error-check-when-reusing-optimized-probes.patch kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch x86-kprobes-verify-stack-frame-on-kretprobe.patch --- diff --git a/queue-3.18/alsa-core-fix-card-races-between-register-and-disconnect.patch b/queue-3.18/alsa-core-fix-card-races-between-register-and-disconnect.patch new file mode 100644 index 00000000000..6d7711af99b --- /dev/null +++ b/queue-3.18/alsa-core-fix-card-races-between-register-and-disconnect.patch @@ -0,0 +1,76 @@ +From 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 Apr 2019 17:06:33 +0200 +Subject: ALSA: core: Fix card races between register and disconnect + +From: Takashi Iwai + +commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream. + +There is a small race window in the card disconnection code that +allows the registration of another card with the very same card id. +This leads to a warning in procfs creation as caught by syzkaller. + +The problem is that we delete snd_cards and snd_cards_lock entries at +the very beginning of the disconnection procedure. This makes the +slot available to be assigned for another card object while the +disconnection procedure is being processed. Then it becomes possible +to issue a procfs registration with the existing file name although we +check the conflict beforehand. + +The fix is simply to move the snd_cards and snd_cards_lock clearances +at the end of the disconnection procedure. The references to these +entries are merely either from the global proc files like +/proc/asound/cards or from the card registration / disconnection, so +it should be fine to shift at the very end. + +Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/init.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -389,14 +389,7 @@ int snd_card_disconnect(struct snd_card + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -412,7 +405,7 @@ int snd_card_disconnect(struct snd_card + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -430,6 +423,13 @@ int snd_card_disconnect(struct snd_card + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif diff --git a/queue-3.18/iio-ad_sigma_delta-select-channel-when-reading-register.patch b/queue-3.18/iio-ad_sigma_delta-select-channel-when-reading-register.patch new file mode 100644 index 00000000000..000c09d3e87 --- /dev/null +++ b/queue-3.18/iio-ad_sigma_delta-select-channel-when-reading-register.patch @@ -0,0 +1,35 @@ +From fccfb9ce70ed4ea7a145f77b86de62e38178517f Mon Sep 17 00:00:00 2001 +From: Dragos Bogdan +Date: Tue, 19 Mar 2019 12:47:00 +0200 +Subject: iio: ad_sigma_delta: select channel when reading register + +From: Dragos Bogdan + +commit fccfb9ce70ed4ea7a145f77b86de62e38178517f upstream. + +The desired channel has to be selected in order to correctly fill the +buffer with the corresponding data. +The `ad_sd_write_reg()` already does this, but for the +`ad_sd_read_reg_raw()` this was omitted. + +Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: Dragos Bogdan +Signed-off-by: Alexandru Ardelean +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad_sigma_delta.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_ + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); diff --git a/queue-3.18/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch b/queue-3.18/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch new file mode 100644 index 00000000000..139a8cfc7e5 --- /dev/null +++ b/queue-3.18/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch @@ -0,0 +1,69 @@ +From 09c6bdee51183a575bf7546890c8c137a75a2b44 Mon Sep 17 00:00:00 2001 +From: Georg Ottinger +Date: Wed, 30 Jan 2019 14:42:02 +0100 +Subject: iio: adc: at91: disable adc channel interrupt in timeout case + +From: Georg Ottinger + +commit 09c6bdee51183a575bf7546890c8c137a75a2b44 upstream. + +Having a brief look at at91_adc_read_raw() it is obvious that in the case +of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is +omitted. If 2 different channels are queried we can end up with a +situation where two interrupts are enabled, but only one interrupt is +cleared in the interrupt handler. Resulting in a interrupt loop and a +system hang. + +Signed-off-by: Georg Ottinger +Acked-by: Ludovic Desroches +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -703,23 +703,29 @@ static int at91_adc_read_raw(struct iio_ + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; diff --git a/queue-3.18/kprobes-fix-error-check-when-reusing-optimized-probes.patch b/queue-3.18/kprobes-fix-error-check-when-reusing-optimized-probes.patch new file mode 100644 index 00000000000..c384c9c1522 --- /dev/null +++ b/queue-3.18/kprobes-fix-error-check-when-reusing-optimized-probes.patch @@ -0,0 +1,82 @@ +From 5f843ed415581cfad4ef8fefe31c138a8346ca8a Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Mon, 15 Apr 2019 15:01:25 +0900 +Subject: kprobes: Fix error check when reusing optimized probes + +From: Masami Hiramatsu + +commit 5f843ed415581cfad4ef8fefe31c138a8346ca8a upstream. + +The following commit introduced a bug in one of our error paths: + + 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()") + +it missed to handle the return value of kprobe_optready() as +error-value. In reality, the kprobe_optready() returns a bool +result, so "true" case must be passed instead of 0. + +This causes some errors on kprobe boot-time selftests on ARM: + + [ ] Beginning kprobe tests... + [ ] Probe ARM code + [ ] kprobe + [ ] kretprobe + [ ] ARM instruction simulation + [ ] Check decoding tables + [ ] Run test cases + [ ] FAIL: test_case_handler not run + [ ] FAIL: Test andge r10, r11, r14, asr r7 + [ ] FAIL: Scenario 11 + ... + [ ] FAIL: Scenario 7 + [ ] Total instruction simulation tests=1631, pass=1433 fail=198 + [ ] kprobe tests failed + +This can happen if an optimized probe is unregistered and next +kprobe is registered on same address until the previous probe +is not reclaimed. + +If this happens, a hidden aggregated probe may be kept in memory, +and no new kprobe can probe same address. Also, in that case +register_kprobe() will return "1" instead of minus error value, +which can mislead caller logic. + +Signed-off-by: Masami Hiramatsu +Cc: Anil S Keshavamurthy +Cc: David S . Miller +Cc: Linus Torvalds +Cc: Naveen N . Rao +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org # v5.0+ +Fixes: 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()") +Link: http://lkml.kernel.org/r/155530808559.32517.539898325433642204.stgit@devnote2 +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -668,7 +668,6 @@ static void unoptimize_kprobe(struct kpr + static int reuse_unused_kprobe(struct kprobe *ap) + { + struct optimized_kprobe *op; +- int ret; + + BUG_ON(!kprobe_unused(ap)); + /* +@@ -682,9 +681,8 @@ static int reuse_unused_kprobe(struct kp + /* Enable the probe again */ + ap->flags &= ~KPROBE_FLAG_DISABLED; + /* Optimize it again (remove from op->list) */ +- ret = kprobe_optready(ap); +- if (ret) +- return ret; ++ if (!kprobe_optready(ap)) ++ return -EINVAL; + + optimize_kprobe(ap); + return 0; diff --git a/queue-3.18/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch b/queue-3.18/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch new file mode 100644 index 00000000000..cb6701fef0e --- /dev/null +++ b/queue-3.18/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch @@ -0,0 +1,72 @@ +From fabe38ab6b2bd9418350284c63825f13b8a6abba Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sun, 24 Feb 2019 01:50:20 +0900 +Subject: kprobes: Mark ftrace mcount handler functions nokprobe + +From: Masami Hiramatsu + +commit fabe38ab6b2bd9418350284c63825f13b8a6abba upstream. + +Mark ftrace mcount handler functions nokprobe since +probing on these functions with kretprobe pushes +return address incorrectly on kretprobe shadow stack. + +Reported-by: Francis Deslauriers +Tested-by: Andrea Righi +Signed-off-by: Masami Hiramatsu +Acked-by: Steven Rostedt +Acked-by: Steven Rostedt (VMware) +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + +@@ -4878,7 +4879,7 @@ static struct ftrace_ops control_ops = { + INIT_OPS_HASH(control_ops) + }; + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -4927,11 +4928,13 @@ static void ftrace_ops_list_func(unsigne + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + /* +@@ -4952,6 +4955,7 @@ static void ftrace_ops_recurs_func(unsig + + trace_clear_recursion(bit); + } ++NOKPROBE_SYMBOL(ftrace_ops_assist_func); + + /** + * ftrace_ops_get_func - get the function a trampoline should call diff --git a/queue-3.18/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch b/queue-3.18/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch new file mode 100644 index 00000000000..1a45419e521 --- /dev/null +++ b/queue-3.18/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch @@ -0,0 +1,43 @@ +From 4856bfd230985e43e84c26473c91028ff0a533bd Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 1 Mar 2019 14:48:37 +0100 +Subject: mac80211: do not call driver wake_tx_queue op during reconfig + +From: Felix Fietkau + +commit 4856bfd230985e43e84c26473c91028ff0a533bd upstream. + +There are several scenarios in which mac80211 can call drv_wake_tx_queue +after ieee80211_restart_hw has been called and has not yet completed. +Driver private structs are considered uninitialized until mac80211 has +uploaded the vifs, stations and keys again, so using private tx queue +data during that time is not safe. + +The driver can also not rely on drv_reconfig_complete to figure out when +it is safe to accept drv_wake_tx_queue calls again, because it is only +called after all tx queues are woken again. + +To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig +is set. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/driver-ops.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1122,6 +1122,9 @@ static inline int drv_start_ap(struct ie + { + int ret = 0; + ++ if (local->in_reconfig) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return -EIO; + diff --git a/queue-3.18/series b/queue-3.18/series index ecbd07a49bf..48b72e9acaa 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -92,3 +92,13 @@ net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier ipv4-recompile-ip-options-in-ipv4_link_failure.patch ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch tcp-tcp_grow_window-needs-to-respect-tcp_space.patch +iio-ad_sigma_delta-select-channel-when-reading-register.patch +iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch +staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch +staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch +staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch +alsa-core-fix-card-races-between-register-and-disconnect.patch +x86-kprobes-verify-stack-frame-on-kretprobe.patch +kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch +kprobes-fix-error-check-when-reusing-optimized-probes.patch +mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch diff --git a/queue-3.18/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch b/queue-3.18/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch new file mode 100644 index 00000000000..4b615ae4498 --- /dev/null +++ b/queue-3.18/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch @@ -0,0 +1,44 @@ +From af4b54a2e5ba18259ff9aac445bf546dd60d037e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:43:02 +0100 +Subject: staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf + +From: Ian Abbott + +commit af4b54a2e5ba18259ff9aac445bf546dd60d037e upstream. + +`ni6501_alloc_usb_buffers()` is called from `ni6501_auto_attach()` to +allocate RX and TX buffers for USB transfers. It allocates +`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the +allocation of `devpriv->usb_tx_buf` fails, it frees +`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an +error. Later, `ni6501_detach()` will be called from the core comedi +module code to clean up. `ni6501_detach()` also frees both +`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but +`devpriv->usb_rx_buf` may have already beed freed, leading to a +double-free error. Fix it bu removing the call to +`kfree(devpriv->usb_rx_buf)` from `ni6501_alloc_usb_buffers()`, relying +on `ni6501_detach()` to free the memory. + +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/ni_usb6501.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -478,10 +478,8 @@ static int ni6501_alloc_usb_buffers(stru + + size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } diff --git a/queue-3.18/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch b/queue-3.18/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch new file mode 100644 index 00000000000..10122474c47 --- /dev/null +++ b/queue-3.18/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch @@ -0,0 +1,44 @@ +From 663d294b4768bfd89e529e069bffa544a830b5bf Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:52:30 +0100 +Subject: staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf + +From: Ian Abbott + +commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream. + +`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to +allocate RX and TX buffers for USB transfers. It allocates +`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the +allocation of `devpriv->usb_tx_buf` fails, it frees +`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an +error. Later, `vmk80xx_detach()` will be called from the core comedi +module code to clean up. `vmk80xx_detach()` also frees both +`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but +`devpriv->usb_rx_buf` may have already been freed, leading to a +double-free error. Fix it by removing the call to +`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying +on `vmk80xx_detach()` to free the memory. + +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -757,10 +757,8 @@ static int vmk80xx_alloc_usb_buffers(str + + size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } diff --git a/queue-3.18/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch b/queue-3.18/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch new file mode 100644 index 00000000000..a8351b401e3 --- /dev/null +++ b/queue-3.18/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch @@ -0,0 +1,109 @@ +From 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:10:14 +0100 +Subject: staging: comedi: vmk80xx: Fix use of uninitialized semaphore + +From: Ian Abbott + +commit 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e upstream. + +If `vmk80xx_auto_attach()` returns an error, the core comedi module code +will call `vmk80xx_detach()` to clean up. If `vmk80xx_auto_attach()` +successfully allocated the comedi device private data, +`vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained +in the private data has been initialized and uses it. Unfortunately, +there are a couple of places where `vmk80xx_auto_attach()` can return an +error after allocating the device private data but before initializing +the semaphore, so this assumption is invalid. Fix it by initializing +the semaphore just after allocating the private data in +`vmk80xx_auto_attach()` before any other errors can be returned. + +I believe this was the cause of the following syzbot crash report +: + +usb 1-1: config 0 has no interface number 0 +usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d +usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +usb 1-1: config 0 descriptor?? +vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device. +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + assign_lock_key kernel/locking/lockdep.c:786 [inline] + register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 + __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 + lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152 + down+0x12/0x80 kernel/locking/semaphore.c:58 + vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829 + comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204 + comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156 + comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline] + comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190 + comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline] + comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880 + comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068 + usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 + generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 + usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 + process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 + worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 + kthread+0x313/0x420 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -872,6 +872,8 @@ static int vmk80xx_auto_attach(struct co + + devpriv->model = boardinfo->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -880,8 +882,6 @@ static int vmk80xx_auto_attach(struct co + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8061_MODEL) { diff --git a/queue-3.18/x86-kprobes-verify-stack-frame-on-kretprobe.patch b/queue-3.18/x86-kprobes-verify-stack-frame-on-kretprobe.patch new file mode 100644 index 00000000000..757e34f52fa --- /dev/null +++ b/queue-3.18/x86-kprobes-verify-stack-frame-on-kretprobe.patch @@ -0,0 +1,112 @@ +From 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sun, 24 Feb 2019 01:49:52 +0900 +Subject: x86/kprobes: Verify stack frame on kretprobe + +From: Masami Hiramatsu + +commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream. + +Verify the stack frame pointer on kretprobe trampoline handler, +If the stack frame pointer does not match, it skips the wrong +entry and tries to find correct one. + +This can happen if user puts the kretprobe on the function +which can be used in the path of ftrace user-function call. +Such functions should not be probed, so this adds a warning +message that reports which function should be blacklisted. + +Tested-by: Andrea Righi +Signed-off-by: Masami Hiramatsu +Acked-by: Steven Rostedt +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kprobes/core.c | 26 ++++++++++++++++++++++++++ + include/linux/kprobes.h | 1 + + 2 files changed, 27 insertions(+) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -500,6 +500,7 @@ void arch_prepare_kretprobe(struct kretp + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -701,15 +702,21 @@ __visible __used void *trampoline_handle + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. */ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -731,8 +738,25 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -750,6 +774,8 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -197,6 +197,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; +