From: Greg Kroah-Hartman Date: Fri, 20 Apr 2018 16:23:12 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.106~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5410f905f65f963add91bf33ee593d37e823091c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch dmaengine-at_xdmac-fix-rare-residue-corruption.patch ib-srp-fix-completion-vector-assignment-algorithm.patch ib-srp-fix-srp_abort.patch rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch --- diff --git a/queue-4.4/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch b/queue-4.4/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch new file mode 100644 index 00000000000..6db569a1726 --- /dev/null +++ b/queue-4.4/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch 
@@ -0,0 +1,59 @@ +From a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 2 Apr 2018 22:41:43 +0200 +Subject: ALSA: pcm: Fix UAF at PCM release via PCM timer access + +From: Takashi Iwai + +commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream. + +The PCM runtime object is created and freed dynamically at PCM stream +open / close time. This is tracked via substream->runtime, and it's +cleared at snd_pcm_detach_substream(). + +The runtime object assignment is protected by PCM open_mutex, so for +all PCM operations, it's safely handled. However, each PCM substream +provides also an ALSA timer interface, and user-space can access to +this while closing a PCM substream. This may eventually lead to a +UAF, as snd_pcm_timer_resolution() tries to access the runtime while +clearing it in other side. + +Fortunately, it's the only concurrent access from the PCM timer, and +it merely reads runtime->timer_resolution field. So, we can avoid the +race by reordering kfree() and wrapping the substream->runtime +clearance with the corresponding timer lock. 
+ +Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1025,8 +1026,13 @@ void snd_pcm_detach_substream(struct snd + snd_free_pages((void*)runtime->control, + PAGE_ALIGN(sizeof(struct snd_pcm_mmap_control))); + kfree(runtime->hw_constraints.rules); +- kfree(runtime); ++ /* Avoid concurrent access to runtime via PCM timer interface */ ++ if (substream->timer) ++ spin_lock_irq(&substream->timer->lock); + substream->runtime = NULL; ++ if (substream->timer) ++ spin_unlock_irq(&substream->timer->lock); ++ kfree(runtime); + put_pid(substream->pid); + substream->pid = NULL; + substream->pstr->substream_opened--; diff --git a/queue-4.4/dmaengine-at_xdmac-fix-rare-residue-corruption.patch b/queue-4.4/dmaengine-at_xdmac-fix-rare-residue-corruption.patch new file mode 100644 index 00000000000..1523d78625a --- /dev/null +++ b/queue-4.4/dmaengine-at_xdmac-fix-rare-residue-corruption.patch 
@@ -0,0 +1,71 @@ +From c5637476bbf9bb86c7f0413b8f4822a73d8d2d07 Mon Sep 17 00:00:00 2001 +From: Maxime Jayat +Date: Thu, 22 Feb 2018 12:39:55 +0100 +Subject: dmaengine: at_xdmac: fix rare residue corruption + +From: Maxime Jayat + +commit c5637476bbf9bb86c7f0413b8f4822a73d8d2d07 upstream. + +Despite the efforts made to correctly read the NDA and CUBC registers, +the order in which the registers are read could sometimes lead to an +inconsistent state. + +Re-using the timeline from the comments, this following timing of +registers reads could lead to reading NDA with value "@desc2" and +CUBC with value "MAX desc1": + + INITD -------- ------------ + |____________________| + _______________________ _______________ + NDA @desc2 \/ @desc3 + _______________________/\_______________ + __________ ___________ _______________ + CUBC 0 \/ MAX desc1 \/ MAX desc2 + __________/\___________/\_______________ + | | | | +Events:(1)(2) (3)(4) + +(1) check_nda = @desc2 +(2) initd = 1 +(3) cur_ubc = MAX desc1 +(4) cur_nda = @desc2 + +This is allowed by the condition ((check_nda == cur_nda) && initd), +despite cur_ubc and cur_nda being in the precise state we don't want. + +This error leads to incorrect residue computation. + +Fix it by inversing the order in which CUBC and INITD are read. This +makes sure that NDA and CUBC are always read together either _before_ +INITD goes to 0 or _after_ it is back at 1. +The case where NDA is read before INITD is at 0 and CUBC is read after +INITD is back at 1 will be rejected by check_nda and cur_nda being +different. 
+ +Fixes: 53398f488821 ("dmaengine: at_xdmac: fix residue corruption") +Cc: stable@vger.kernel.org +Signed-off-by: Maxime Jayat +Acked-by: Ludovic Desroches +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/at_xdmac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1473,10 +1473,10 @@ at_xdmac_tx_status(struct dma_chan *chan + for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) { + check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc; + rmb(); +- initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD); +- rmb(); + cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC); + rmb(); ++ initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD); ++ rmb(); + cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc; + rmb(); + diff --git a/queue-4.4/ib-srp-fix-completion-vector-assignment-algorithm.patch b/queue-4.4/ib-srp-fix-completion-vector-assignment-algorithm.patch new file mode 100644 index 00000000000..26abae2288b --- /dev/null +++ b/queue-4.4/ib-srp-fix-completion-vector-assignment-algorithm.patch 
@@ -0,0 +1,49 @@ +From 3a148896b24adf8688dc0c59af54531931677a40 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Mon, 12 Feb 2018 09:50:25 -0800 +Subject: IB/srp: Fix completion vector assignment algorithm + +From: Bart Van Assche + +commit 3a148896b24adf8688dc0c59af54531931677a40 upstream. + +Ensure that cv_end is equal to ibdev->num_comp_vectors for the +NUMA node with the highest index. This patch improves spreading +of RDMA channels over completion vectors and thereby improves +performance, especially on systems with only a single NUMA node. +This patch drops support for the comp_vector login parameter by +ignoring the value of that parameter since I have not found a +good way to combine support for that parameter and automatic +spreading of RDMA channels over completion vectors. + +Fixes: d92c0da71a35 ("IB/srp: Add multichannel support") +Reported-by: Alexander Schmid +Signed-off-by: Bart Van Assche +Cc: Alexander Schmid +Cc: stable@vger.kernel.org +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -3311,12 +3311,10 @@ static ssize_t srp_create_target(struct + num_online_nodes()); + const int ch_end = ((node_idx + 1) * target->ch_count / + num_online_nodes()); +- const int cv_start = (node_idx * ibdev->num_comp_vectors / +- num_online_nodes() + target->comp_vector) +- % ibdev->num_comp_vectors; +- const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors / +- num_online_nodes() + target->comp_vector) +- % ibdev->num_comp_vectors; ++ const int cv_start = node_idx * ibdev->num_comp_vectors / ++ num_online_nodes(); ++ const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors / ++ num_online_nodes(); + int cpu_idx = 0; + + for_each_online_cpu(cpu) { 
diff --git a/queue-4.4/ib-srp-fix-srp_abort.patch b/queue-4.4/ib-srp-fix-srp_abort.patch new file mode 100644 index 00000000000..0b1cd8bfee8 --- /dev/null +++ b/queue-4.4/ib-srp-fix-srp_abort.patch @@ -0,0 +1,41 @@ +From e68088e78d82920632eba112b968e49d588d02a2 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 23 Feb 2018 14:09:24 -0800 +Subject: IB/srp: Fix srp_abort() + +From: Bart Van Assche + +commit e68088e78d82920632eba112b968e49d588d02a2 upstream. + +Before commit e494f6a72839 ("[SCSI] improved eh timeout handler") it +did not really matter whether or not abort handlers like srp_abort() +called .scsi_done() when returning another value than SUCCESS. Since +that commit however this matters. Hence only call .scsi_done() when +returning SUCCESS. + +Signed-off-by: Bart Van Assche +Cc: stable@vger.kernel.org +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -2581,9 +2581,11 @@ static int srp_abort(struct scsi_cmnd *s + ret = FAST_IO_FAIL; + else + ret = FAILED; +- srp_free_req(ch, req, scmnd, 0); +- scmnd->result = DID_ABORT << 16; +- scmnd->scsi_done(scmnd); ++ if (ret == SUCCESS) { ++ srp_free_req(ch, req, scmnd, 0); ++ scmnd->result = DID_ABORT << 16; ++ scmnd->scsi_done(scmnd); ++ } + + return ret; + } diff --git a/queue-4.4/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch b/queue-4.4/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch new file mode 100644 index 00000000000..c755615f0e5 --- /dev/null +++ b/queue-4.4/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch 
@@ -0,0 +1,35 @@ +From 8435168d50e66fa5eae01852769d20a36f9e5e83 Mon Sep 17 00:00:00 2001 +From: Roland Dreier +Date: Tue, 3 Apr 2018 15:33:01 -0700 +Subject: RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device + +From: Roland Dreier + +commit 8435168d50e66fa5eae01852769d20a36f9e5e83 upstream. + +Check to make sure that ctx->cm_id->device is set before we use it. +Otherwise userspace can trigger a NULL dereference by doing +RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device. + +Cc: +Reported-by: +Signed-off-by: Roland Dreier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/ucma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1230,6 +1230,9 @@ static int ucma_set_ib_path(struct ucma_ + if (!optlen) + return -EINVAL; + ++ if (!ctx->cm_id->device) ++ return -EINVAL; ++ + memset(&sa_path, 0, sizeof(sa_path)); + + ib_sa_unpack_path(path_data->path_rec, &sa_path); diff --git a/queue-4.4/series b/queue-4.4/series index f012d91e1cd..ae2b00c2127 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -49,3 +49,8 @@ jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch ext4-add-validity-checks-for-bitmap-block-numbers.patch ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch +rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch +alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch +ib-srp-fix-srp_abort.patch +ib-srp-fix-completion-vector-assignment-algorithm.patch +dmaengine-at_xdmac-fix-rare-residue-corruption.patch
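Review bot: the "+#include" line added in the first sound/core/pcm.c hunk (@@ -28,6 +28,7 @@ of alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch) carries no header name in this rendering, so the include actually being added cannot be reviewed from the page. When applying to the 4.4 queue, confirm the included header is the one that declares the timer object whose "->lock" field the second hunk takes through "substream->timer->lock", and that it exists under that path in 4.4; otherwise the second hunk will not compile.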
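Review bot: in the snd_pcm_detach_substream() hunk of the same ALSA patch, "substream->timer" is read twice, once for the lock and once for the unlock, each behind its own NULL check, and nothing in the hunk prevents the pointer changing between the two reads; if the timer can be torn down concurrently, the unlock would not match the lock. Suggest reading it once into a local pointer and using that for both the "spin_lock_irq(&timer->lock);" and the matching unlock. The fix also only closes the race if the reader on the timer side (snd_pcm_timer_resolution() per the message) takes the same timer lock around its "substream->runtime" access; that reader is outside the hunk and should be checked in the 4.4 tree. Moving kfree(runtime) after the cleared assignment is the right order, since the reader must never observe a non-NULL pointer to freed memory. Finally, spin_lock_irq() rather than spin_lock_irqsave() is only correct because this is close-path code called with interrupts enabled; a short comment saying so would save the next reader the question.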
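Review bot: the at_xdmac_tx_status() hunk in dmaengine-at_xdmac-fix-rare-residue-corruption.patch swaps the INITD read to after the CUBC read but does not touch the timeline comment above the loop that the message says it "re-uses", so the in-code explanation now describes the old read order; update that comment in the same patch. The acceptance test "((check_nda == cur_nda) && initd)" quoted in the message is outside the hunk and unchanged, which is what the argument relies on: with the new order NDA and CUBC are both read before INITD drops or both after it returns, and a mixed read is rejected by check_nda != cur_nda. The rmb() after every register read is retained, which the argument also needs. What the loop reports once AT_XDMAC_RESIDUE_MAX_RETRIES is exhausted is not in the hunk and is worth checking, since a stale residue could still be returned from that path.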
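Review bot: the srp_create_target() hunk in ib-srp-fix-completion-vector-assignment-algorithm.patch removes "target->comp_vector" from the cv_start/cv_end computation, which silently ignores the comp_vector login parameter the message says is being dropped; nothing in the hunk removes the parameter's parsing or emits a diagnostic, so a login string that sets comp_vector now behaves differently with no warning. Suggest either warning on a non-default comp_vector in the login parser or updating the parameter documentation in the same patch. Also, with integer division cv_start == cv_end whenever ibdev->num_comp_vectors is smaller than num_online_nodes() (some nodes get an empty range); the per-channel assignment that consumes these bounds follows "for_each_online_cpu(cpu) {" and is not in the hunk, so confirm it handles an empty range without a modulo by zero.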
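Review bot: in the srp_abort() hunk of ib-srp-fix-srp_abort.patch, req is now left allocated and scmnd is not completed when ret is FAST_IO_FAIL or FAILED; the message explains that since commit e494f6a72839 the SCSI error handler owns the command in that case, but the code carries no trace of that reasoning. Add a one-line comment above "if (ret == SUCCESS) {" saying that on a non-SUCCESS return the command and its req are left for the error handler to complete and free, otherwise the next reader will file this as a leak. For the 4.4 backport, also confirm that e494f6a72839 is present in that tree, since the message says the change only matters after it.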
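Review bot: the ucma_set_ib_path() hunk in rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch tests "ctx->cm_id->device" with nothing visible serializing it against a concurrent bind or address resolution on the same ctx from another thread, so the check is only as strong as whatever lock the caller already holds; verify that ucma serializes RDMA_USER_CM_CMD_SET_OPTION against the operations that set cm_id->device, otherwise the pointer can still be NULL at the later use. The "Cc:" and "Reported-by:" trailers are empty in this rendering, so the reporter credit has been lost and should be restored before queuing. Since this is a userspace-reachable NULL dereference, a regression test that issues the set-option command on an unbound ID and expects -EINVAL would catch any reintroduction.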