From: Greg Kroah-Hartman Date: Wed, 27 Nov 2019 10:46:24 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.204~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5bcc94a322994741e83527ff1e518937bf7ab332;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch media-usbvision-fix-invalid-accesses-after-device-disconnect.patch media-usbvision-fix-races-among-open-close-and-disconnect.patch media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch --- diff --git a/queue-5.4/cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch b/queue-5.4/cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch new file mode 100644 index 00000000000..e66633be2ef --- /dev/null +++ b/queue-5.4/cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch @@ -0,0 +1,56 @@ +From e6e8df07268c1f75dd9215536e2ce4587b70f977 Mon Sep 17 00:00:00 2001 +From: Kai Shen +Date: Thu, 7 Nov 2019 05:08:17 +0000 +Subject: cpufreq: Add NULL checks to show() and store() methods of cpufreq + +From: Kai Shen + +commit e6e8df07268c1f75dd9215536e2ce4587b70f977 upstream. + +Add NULL checks to show() and store() in cpufreq.c to avoid attempts +to invoke a NULL callback. + +Though some interfaces of cpufreq are set as read-only, users can +still get write permission using chmod which can lead to a kernel +crash, as follows: + +chmod +w /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq +echo 1 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq + +This bug was found in linux 4.19. + +Signed-off-by: Kai Shen +Reported-by: Feilong Lin +Reviewed-by: Feilong Lin +Acked-by: Viresh Kumar +[ rjw: Subject & changelog ] +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/cpufreq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -933,6 +933,9 @@ static ssize_t show(struct kobject *kobj + struct freq_attr *fattr = to_attr(attr); + ssize_t ret; + ++ if (!fattr->show) ++ return -EIO; ++ + down_read(&policy->rwsem); + ret = fattr->show(policy, buf); + up_read(&policy->rwsem); +@@ -947,6 +950,9 @@ static ssize_t store(struct kobject *kob + struct freq_attr *fattr = to_attr(attr); + ssize_t ret = -EINVAL; + ++ if (!fattr->store) ++ return -EIO; ++ + /* + * cpus_read_trylock() is used here to work around a circular lock + * dependency problem with respect to the cpufreq_register_driver(). diff --git a/queue-5.4/media-usbvision-fix-invalid-accesses-after-device-disconnect.patch b/queue-5.4/media-usbvision-fix-invalid-accesses-after-device-disconnect.patch new file mode 100644 index 00000000000..54eeca1d5a3 --- /dev/null +++ b/queue-5.4/media-usbvision-fix-invalid-accesses-after-device-disconnect.patch @@ -0,0 +1,62 @@ +From c7a191464078262bf799136317c95824e26a222b Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 7 Oct 2019 12:09:04 -0300 +Subject: media: usbvision: Fix invalid accesses after device disconnect + +From: Alan Stern + +commit c7a191464078262bf799136317c95824e26a222b upstream. + +The syzbot fuzzer found two invalid-access bugs in the usbvision +driver. These bugs occur when userspace keeps the device file open +after the device has been disconnected and usbvision_disconnect() has +set usbvision->dev to NULL: + + When the device file is closed, usbvision_radio_close() tries + to issue a usb_set_interface() call, passing the NULL pointer + as its first argument. + + If userspace performs a querycap ioctl call, vidioc_querycap() + calls usb_make_path() with the same NULL pointer. + +This patch fixes the problems by making the appropriate tests +beforehand. Note that vidioc_querycap() is protected by +usbvision->v4l2_lock, acquired in a higher layer of the V4L2 +subsystem. + +Reported-and-tested-by: syzbot+7fa38a608b1075dfd634@syzkaller.appspotmail.com + +Signed-off-by: Alan Stern +CC: +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/usbvision/usbvision-video.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -453,6 +453,9 @@ static int vidioc_querycap(struct file * + { + struct usb_usbvision *usbvision = video_drvdata(file); + ++ if (!usbvision->dev) ++ return -ENODEV; ++ + strscpy(vc->driver, "USBVision", sizeof(vc->driver)); + strscpy(vc->card, + usbvision_device_data[usbvision->dev_model].model_string, +@@ -1099,8 +1102,9 @@ static int usbvision_radio_close(struct + mutex_lock(&usbvision->v4l2_lock); + /* Set packet size to 0 */ + usbvision->iface_alt = 0; +- usb_set_interface(usbvision->dev, usbvision->iface, +- usbvision->iface_alt); ++ if (usbvision->dev) ++ usb_set_interface(usbvision->dev, usbvision->iface, ++ usbvision->iface_alt); + + usbvision_audio_off(usbvision); + usbvision->radio = 0; diff --git a/queue-5.4/media-usbvision-fix-races-among-open-close-and-disconnect.patch b/queue-5.4/media-usbvision-fix-races-among-open-close-and-disconnect.patch new file mode 100644 index 00000000000..58adb6d6d0a --- /dev/null +++ b/queue-5.4/media-usbvision-fix-races-among-open-close-and-disconnect.patch @@ -0,0 +1,131 @@ +From 9e08117c9d4efc1e1bc6fce83dab856d9fd284b6 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 7 Oct 2019 12:09:53 -0300 +Subject: media: usbvision: Fix races among open, close, and disconnect + +From: Alan Stern + +commit 9e08117c9d4efc1e1bc6fce83dab856d9fd284b6 upstream. + +Visual inspection of the usbvision driver shows that it suffers from +three races between its open, close, and disconnect handlers. In +particular, the driver is careful to update its usbvision->user and +usbvision->remove_pending flags while holding the private mutex, but: + + usbvision_v4l2_close() and usbvision_radio_close() don't hold + the mutex while they check the value of + usbvision->remove_pending; + + usbvision_disconnect() doesn't hold the mutex while checking + the value of usbvision->user; and + + also, usbvision_v4l2_open() and usbvision_radio_open() don't + check whether the device has been unplugged before allowing + the user to open the device files. + +Each of these can potentially lead to usbvision_release() being called +twice and use-after-free errors. + +This patch fixes the races by reading the flags while the mutex is +still held and checking for pending removes before allowing an open to +succeed. + +Signed-off-by: Alan Stern +CC: +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/usbvision/usbvision-video.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -314,6 +314,10 @@ static int usbvision_v4l2_open(struct fi + if (mutex_lock_interruptible(&usbvision->v4l2_lock)) + return -ERESTARTSYS; + ++ if (usbvision->remove_pending) { ++ err_code = -ENODEV; ++ goto unlock; ++ } + if (usbvision->user) { + err_code = -EBUSY; + } else { +@@ -377,6 +381,7 @@ unlock: + static int usbvision_v4l2_close(struct file *file) + { + struct usb_usbvision *usbvision = video_drvdata(file); ++ int r; + + PDEBUG(DBG_IO, "close"); + +@@ -391,9 +396,10 @@ static int usbvision_v4l2_close(struct f + usbvision_scratch_free(usbvision); + + usbvision->user--; ++ r = usbvision->remove_pending; + mutex_unlock(&usbvision->v4l2_lock); + +- if (usbvision->remove_pending) { ++ if (r) { + printk(KERN_INFO "%s: Final disconnect\n", __func__); + usbvision_release(usbvision); + return 0; +@@ -1064,6 +1070,11 @@ static int usbvision_radio_open(struct f + + if (mutex_lock_interruptible(&usbvision->v4l2_lock)) + return -ERESTARTSYS; ++ ++ if (usbvision->remove_pending) { ++ err_code = -ENODEV; ++ goto out; ++ } + err_code = v4l2_fh_open(file); + if (err_code) + goto out; +@@ -1096,6 +1107,7 @@ out: + static int usbvision_radio_close(struct file *file) + { + struct usb_usbvision *usbvision = video_drvdata(file); ++ int r; + + PDEBUG(DBG_IO, ""); + +@@ -1109,9 +1121,10 @@ static int usbvision_radio_close(struct + usbvision_audio_off(usbvision); + usbvision->radio = 0; + usbvision->user--; ++ r = usbvision->remove_pending; + mutex_unlock(&usbvision->v4l2_lock); + +- if (usbvision->remove_pending) { ++ if (r) { + printk(KERN_INFO "%s: Final disconnect\n", __func__); + v4l2_fh_release(file); + usbvision_release(usbvision); +@@ -1543,6 +1556,7 @@ err_usb: + static void usbvision_disconnect(struct usb_interface *intf) + { + struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf)); ++ int u; + + PDEBUG(DBG_PROBE, ""); + +@@ -1559,13 +1573,14 @@ static void usbvision_disconnect(struct + v4l2_device_disconnect(&usbvision->v4l2_dev); + usbvision_i2c_unregister(usbvision); + usbvision->remove_pending = 1; /* Now all ISO data will be ignored */ ++ u = usbvision->user; + + usb_put_dev(usbvision->dev); + usbvision->dev = NULL; /* USB device is no more */ + + mutex_unlock(&usbvision->v4l2_lock); + +- if (usbvision->user) { ++ if (u) { + printk(KERN_INFO "%s: In use, disconnect pending\n", + __func__); + wake_up_interruptible(&usbvision->wait_frame); diff --git a/queue-5.4/media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch b/queue-5.4/media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch new file mode 100644 index 00000000000..065640c6fe8 --- /dev/null +++ b/queue-5.4/media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch @@ -0,0 +1,122 @@ +From 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 Mon Sep 17 00:00:00 2001 +From: Alexander Popov +Date: Sun, 3 Nov 2019 23:17:19 +0100 +Subject: media: vivid: Fix wrong locking that causes race conditions on streaming stop + +From: Alexander Popov + +commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream. + +There is the same incorrect approach to locking implemented in +vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and +sdr_cap_stop_streaming(). + +These functions are called during streaming stopping with vivid_dev.mutex +locked. And they all do the same mistake while stopping their kthreads, +which need to lock this mutex as well. See the example from +vivid_stop_generating_vid_cap(): + /* shutdown control thread */ + vivid_grab_controls(dev, false); + mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_vid_cap); + dev->kthread_vid_cap = NULL; + mutex_lock(&dev->mutex); + +But when this mutex is unlocked, another vb2_fop_read() can lock it +instead of vivid_thread_vid_cap() and manipulate the buffer queue. +That causes a use-after-free access later. + +To fix those issues let's: + 1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(), +vivid_stop_generating_vid_out() and sdr_cap_stop_streaming(); + 2. use mutex_trylock() with schedule_timeout_uninterruptible() in +the loops of the vivid kthread handlers. + +Signed-off-by: Alexander Popov +Acked-by: Linus Torvalds +Tested-by: Hans Verkuil +Signed-off-by: Hans Verkuil +Cc: # for v3.18 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vivid/vivid-kthread-cap.c | 8 +++++--- + drivers/media/platform/vivid/vivid-kthread-out.c | 8 +++++--- + drivers/media/platform/vivid/vivid-sdr-cap.c | 8 +++++--- + 3 files changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/media/platform/vivid/vivid-kthread-cap.c ++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c +@@ -796,7 +796,11 @@ static int vivid_thread_vid_cap(void *da + if (kthread_should_stop()) + break; + +- mutex_lock(&dev->mutex); ++ if (!mutex_trylock(&dev->mutex)) { ++ schedule_timeout_uninterruptible(1); ++ continue; ++ } ++ + cur_jiffies = jiffies; + if (dev->cap_seq_resync) { + dev->jiffies_vid_cap = cur_jiffies; +@@ -956,8 +960,6 @@ void vivid_stop_generating_vid_cap(struc + + /* shutdown control thread */ + vivid_grab_controls(dev, false); +- mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_vid_cap); + dev->kthread_vid_cap = NULL; +- mutex_lock(&dev->mutex); + } +--- a/drivers/media/platform/vivid/vivid-kthread-out.c ++++ b/drivers/media/platform/vivid/vivid-kthread-out.c +@@ -143,7 +143,11 @@ static int vivid_thread_vid_out(void *da + if (kthread_should_stop()) + break; + +- mutex_lock(&dev->mutex); ++ if (!mutex_trylock(&dev->mutex)) { ++ schedule_timeout_uninterruptible(1); ++ continue; ++ } ++ + cur_jiffies = jiffies; + if (dev->out_seq_resync) { + dev->jiffies_vid_out = cur_jiffies; +@@ -301,8 +305,6 @@ void vivid_stop_generating_vid_out(struc + + /* shutdown control thread */ + vivid_grab_controls(dev, false); +- mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_vid_out); + dev->kthread_vid_out = NULL; +- mutex_lock(&dev->mutex); + } +--- a/drivers/media/platform/vivid/vivid-sdr-cap.c ++++ b/drivers/media/platform/vivid/vivid-sdr-cap.c +@@ -141,7 +141,11 @@ static int vivid_thread_sdr_cap(void *da + if (kthread_should_stop()) + break; + +- mutex_lock(&dev->mutex); ++ if (!mutex_trylock(&dev->mutex)) { ++ schedule_timeout_uninterruptible(1); ++ continue; ++ } ++ + cur_jiffies = jiffies; + if (dev->sdr_cap_seq_resync) { + dev->jiffies_sdr_cap = cur_jiffies; +@@ -303,10 +307,8 @@ static void sdr_cap_stop_streaming(struc + } + + /* shutdown control thread */ +- mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_sdr_cap); + dev->kthread_sdr_cap = NULL; +- mutex_lock(&dev->mutex); + } + + static void sdr_cap_buf_request_complete(struct vb2_buffer *vb) diff --git a/queue-5.4/media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch b/queue-5.4/media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch new file mode 100644 index 00000000000..c3ce820dd3a --- /dev/null +++ b/queue-5.4/media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch @@ -0,0 +1,52 @@ +From b4add02d2236fd5f568db141cfd8eb4290972eb3 Mon Sep 17 00:00:00 2001 +From: Vandana BN +Date: Mon, 9 Sep 2019 06:43:31 -0300 +Subject: media: vivid: Set vid_cap_streaming and vid_out_streaming to true + +From: Vandana BN + +commit b4add02d2236fd5f568db141cfd8eb4290972eb3 upstream. + +When vbi stream is started, followed by video streaming, +the vid_cap_streaming and vid_out_streaming were not being set to true, +which would cause the video stream to stop when vbi stream is stopped. +This patch allows to set vid_cap_streaming and vid_out_streaming to true. +According to Hans Verkuil it appears that these 'if (dev->kthread_vid_cap)' +checks are a left-over from the original vivid development and should never +have been there. + +Signed-off-by: Vandana BN +Cc: # for v3.18 and up +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vivid/vivid-vid-cap.c | 3 --- + drivers/media/platform/vivid/vivid-vid-out.c | 3 --- + 2 files changed, 6 deletions(-) + +--- a/drivers/media/platform/vivid/vivid-vid-cap.c ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c +@@ -223,9 +223,6 @@ static int vid_cap_start_streaming(struc + if (vb2_is_streaming(&dev->vb_vid_out_q)) + dev->can_loop_video = vivid_vid_can_loop(dev); + +- if (dev->kthread_vid_cap) +- return 0; +- + dev->vid_cap_seq_count = 0; + dprintk(dev, 1, "%s\n", __func__); + for (i = 0; i < VIDEO_MAX_FRAME; i++) +--- a/drivers/media/platform/vivid/vivid-vid-out.c ++++ b/drivers/media/platform/vivid/vivid-vid-out.c +@@ -161,9 +161,6 @@ static int vid_out_start_streaming(struc + if (vb2_is_streaming(&dev->vb_vid_cap_q)) + dev->can_loop_video = vivid_vid_can_loop(dev); + +- if (dev->kthread_vid_out) +- return 0; +- + dev->vid_out_seq_count = 0; + dprintk(dev, 1, "%s\n", __func__); + if (dev->start_streaming_error) { diff --git a/queue-5.4/series b/queue-5.4/series index 4041eaaf816..226d8c3285c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -29,3 +29,8 @@ futex-prevent-robust-futex-exit-race.patch futex-prevent-exit-livelock.patch alsa-usb-audio-fix-null-dereference-at-parsing-badd.patch alsa-usb-audio-fix-scarlett-6i6-gen-2-port-data.patch +media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch +media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch +media-usbvision-fix-invalid-accesses-after-device-disconnect.patch +media-usbvision-fix-races-among-open-close-and-disconnect.patch +cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch