From: Greg Kroah-Hartman Date: Wed, 27 Nov 2019 10:45:21 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.204~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=704174b882485858bbded0e7eb495bdafc3f5853;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch media-usbvision-fix-races-among-open-close-and-disconnect.patch media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch --- diff --git a/queue-4.9/cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch b/queue-4.9/cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch new file mode 100644 index 00000000000..4f63e2e6a5a --- /dev/null +++ b/queue-4.9/cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch @@ -0,0 +1,56 @@ +From e6e8df07268c1f75dd9215536e2ce4587b70f977 Mon Sep 17 00:00:00 2001 +From: Kai Shen +Date: Thu, 7 Nov 2019 05:08:17 +0000 +Subject: cpufreq: Add NULL checks to show() and store() methods of cpufreq + +From: Kai Shen + +commit e6e8df07268c1f75dd9215536e2ce4587b70f977 upstream. + +Add NULL checks to show() and store() in cpufreq.c to avoid attempts +to invoke a NULL callback. + +Though some interfaces of cpufreq are set as read-only, users can +still get write permission using chmod which can lead to a kernel +crash, as follows: + +chmod +w /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq +echo 1 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq + +This bug was found in linux 4.19. + +Signed-off-by: Kai Shen +Reported-by: Feilong Lin +Reviewed-by: Feilong Lin +Acked-by: Viresh Kumar +[ rjw: Subject & changelog ] +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/cpufreq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -875,6 +875,9 @@ static ssize_t show(struct kobject *kobj + struct freq_attr *fattr = to_attr(attr); + ssize_t ret; + ++ if (!fattr->show) ++ return -EIO; ++ + down_read(&policy->rwsem); + ret = fattr->show(policy, buf); + up_read(&policy->rwsem); +@@ -1107,6 +1110,9 @@ static void cpufreq_policy_put_kobj(stru + up_write(&policy->rwsem); + kobject_put(kobj); + ++ if (!fattr->store) ++ return -EIO; ++ + /* + * We need to make sure that the underlying kobj is + * actually not referenced anymore by anybody before we diff --git a/queue-4.9/media-usbvision-fix-races-among-open-close-and-disconnect.patch b/queue-4.9/media-usbvision-fix-races-among-open-close-and-disconnect.patch new file mode 100644 index 00000000000..5c56e83071a --- /dev/null +++ b/queue-4.9/media-usbvision-fix-races-among-open-close-and-disconnect.patch @@ -0,0 +1,131 @@ +From 9e08117c9d4efc1e1bc6fce83dab856d9fd284b6 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 7 Oct 2019 12:09:53 -0300 +Subject: media: usbvision: Fix races among open, close, and disconnect + +From: Alan Stern + +commit 9e08117c9d4efc1e1bc6fce83dab856d9fd284b6 upstream. + +Visual inspection of the usbvision driver shows that it suffers from +three races between its open, close, and disconnect handlers. In +particular, the driver is careful to update its usbvision->user and +usbvision->remove_pending flags while holding the private mutex, but: + + usbvision_v4l2_close() and usbvision_radio_close() don't hold + the mutex while they check the value of + usbvision->remove_pending; + + usbvision_disconnect() doesn't hold the mutex while checking + the value of usbvision->user; and + + also, usbvision_v4l2_open() and usbvision_radio_open() don't + check whether the device has been unplugged before allowing + the user to open the device files. + +Each of these can potentially lead to usbvision_release() being called +twice and use-after-free errors. + +This patch fixes the races by reading the flags while the mutex is +still held and checking for pending removes before allowing an open to +succeed. + +Signed-off-by: Alan Stern +CC: +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/usbvision/usbvision-video.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -332,6 +332,10 @@ static int usbvision_v4l2_open(struct fi + if (mutex_lock_interruptible(&usbvision->v4l2_lock)) + return -ERESTARTSYS; + ++ if (usbvision->remove_pending) { ++ err_code = -ENODEV; ++ goto unlock; ++ } + if (usbvision->user) { + err_code = -EBUSY; + } else { +@@ -395,6 +399,7 @@ unlock: + static int usbvision_v4l2_close(struct file *file) + { + struct usb_usbvision *usbvision = video_drvdata(file); ++ int r; + + PDEBUG(DBG_IO, "close"); + +@@ -409,9 +414,10 @@ static int usbvision_v4l2_close(struct f + usbvision_scratch_free(usbvision); + + usbvision->user--; ++ r = usbvision->remove_pending; + mutex_unlock(&usbvision->v4l2_lock); + +- if (usbvision->remove_pending) { ++ if (r) { + printk(KERN_INFO "%s: Final disconnect\n", __func__); + usbvision_release(usbvision); + return 0; +@@ -1095,6 +1101,11 @@ static int usbvision_radio_open(struct f + + if (mutex_lock_interruptible(&usbvision->v4l2_lock)) + return -ERESTARTSYS; ++ ++ if (usbvision->remove_pending) { ++ err_code = -ENODEV; ++ goto out; ++ } + err_code = v4l2_fh_open(file); + if (err_code) + goto out; +@@ -1127,6 +1138,7 @@ out: + static int usbvision_radio_close(struct file *file) + { + struct usb_usbvision *usbvision = video_drvdata(file); ++ int r; + + PDEBUG(DBG_IO, ""); + +@@ -1139,9 +1151,10 @@ static int usbvision_radio_close(struct + usbvision_audio_off(usbvision); + usbvision->radio = 0; + usbvision->user--; ++ r = usbvision->remove_pending; + mutex_unlock(&usbvision->v4l2_lock); + +- if (usbvision->remove_pending) { ++ if (r) { + printk(KERN_INFO "%s: Final disconnect\n", __func__); + v4l2_fh_release(file); + usbvision_release(usbvision); +@@ -1568,6 +1581,7 @@ err_usb: + static void usbvision_disconnect(struct usb_interface *intf) + { + struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf)); ++ int u; + + PDEBUG(DBG_PROBE, ""); + +@@ -1584,13 +1598,14 @@ static void usbvision_disconnect(struct + v4l2_device_disconnect(&usbvision->v4l2_dev); + usbvision_i2c_unregister(usbvision); + usbvision->remove_pending = 1; /* Now all ISO data will be ignored */ ++ u = usbvision->user; + + usb_put_dev(usbvision->dev); + usbvision->dev = NULL; /* USB device is no more */ + + mutex_unlock(&usbvision->v4l2_lock); + +- if (usbvision->user) { ++ if (u) { + printk(KERN_INFO "%s: In use, disconnect pending\n", + __func__); + wake_up_interruptible(&usbvision->wait_frame); diff --git a/queue-4.9/media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch b/queue-4.9/media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch new file mode 100644 index 00000000000..03b066eaf24 --- /dev/null +++ b/queue-4.9/media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch @@ -0,0 +1,122 @@ +From 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 Mon Sep 17 00:00:00 2001 +From: Alexander Popov +Date: Sun, 3 Nov 2019 23:17:19 +0100 +Subject: media: vivid: Fix wrong locking that causes race conditions on streaming stop + +From: Alexander Popov + +commit 6dcd5d7a7a29c1e4b8016a06aed78cd650cd8c27 upstream. + +There is the same incorrect approach to locking implemented in +vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out() and +sdr_cap_stop_streaming(). + +These functions are called during streaming stopping with vivid_dev.mutex +locked. And they all do the same mistake while stopping their kthreads, +which need to lock this mutex as well. See the example from +vivid_stop_generating_vid_cap(): + /* shutdown control thread */ + vivid_grab_controls(dev, false); + mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_vid_cap); + dev->kthread_vid_cap = NULL; + mutex_lock(&dev->mutex); + +But when this mutex is unlocked, another vb2_fop_read() can lock it +instead of vivid_thread_vid_cap() and manipulate the buffer queue. +That causes a use-after-free access later. + +To fix those issues let's: + 1. avoid unlocking the mutex in vivid_stop_generating_vid_cap(), +vivid_stop_generating_vid_out() and sdr_cap_stop_streaming(); + 2. use mutex_trylock() with schedule_timeout_uninterruptible() in +the loops of the vivid kthread handlers. + +Signed-off-by: Alexander Popov +Acked-by: Linus Torvalds +Tested-by: Hans Verkuil +Signed-off-by: Hans Verkuil +Cc: # for v3.18 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vivid/vivid-kthread-cap.c | 8 +++++--- + drivers/media/platform/vivid/vivid-kthread-out.c | 8 +++++--- + drivers/media/platform/vivid/vivid-sdr-cap.c | 8 +++++--- + 3 files changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/media/platform/vivid/vivid-kthread-cap.c ++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c +@@ -777,7 +777,11 @@ static int vivid_thread_vid_cap(void *da + if (kthread_should_stop()) + break; + +- mutex_lock(&dev->mutex); ++ if (!mutex_trylock(&dev->mutex)) { ++ schedule_timeout_uninterruptible(1); ++ continue; ++ } ++ + cur_jiffies = jiffies; + if (dev->cap_seq_resync) { + dev->jiffies_vid_cap = cur_jiffies; +@@ -930,8 +934,6 @@ void vivid_stop_generating_vid_cap(struc + + /* shutdown control thread */ + vivid_grab_controls(dev, false); +- mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_vid_cap); + dev->kthread_vid_cap = NULL; +- mutex_lock(&dev->mutex); + } +--- a/drivers/media/platform/vivid/vivid-kthread-out.c ++++ b/drivers/media/platform/vivid/vivid-kthread-out.c +@@ -147,7 +147,11 @@ static int vivid_thread_vid_out(void *da + if (kthread_should_stop()) + break; + +- mutex_lock(&dev->mutex); ++ if (!mutex_trylock(&dev->mutex)) { ++ schedule_timeout_uninterruptible(1); ++ continue; ++ } ++ + cur_jiffies = jiffies; + if (dev->out_seq_resync) { + dev->jiffies_vid_out = cur_jiffies; +@@ -301,8 +305,6 @@ void vivid_stop_generating_vid_out(struc + + /* shutdown control thread */ + vivid_grab_controls(dev, false); +- mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_vid_out); + dev->kthread_vid_out = NULL; +- mutex_lock(&dev->mutex); + } +--- a/drivers/media/platform/vivid/vivid-sdr-cap.c ++++ b/drivers/media/platform/vivid/vivid-sdr-cap.c +@@ -149,7 +149,11 @@ static int vivid_thread_sdr_cap(void *da + if (kthread_should_stop()) + break; + +- mutex_lock(&dev->mutex); ++ if (!mutex_trylock(&dev->mutex)) { ++ schedule_timeout_uninterruptible(1); ++ continue; ++ } ++ + cur_jiffies = jiffies; + if (dev->sdr_cap_seq_resync) { + dev->jiffies_sdr_cap = cur_jiffies; +@@ -309,10 +313,8 @@ static void sdr_cap_stop_streaming(struc + } + + /* shutdown control thread */ +- mutex_unlock(&dev->mutex); + kthread_stop(dev->kthread_sdr_cap); + dev->kthread_sdr_cap = NULL; +- mutex_lock(&dev->mutex); + } + + const struct vb2_ops vivid_sdr_cap_qops = { diff --git a/queue-4.9/media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch b/queue-4.9/media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch new file mode 100644 index 00000000000..2afffd5a4fb --- /dev/null +++ b/queue-4.9/media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch @@ -0,0 +1,52 @@ +From b4add02d2236fd5f568db141cfd8eb4290972eb3 Mon Sep 17 00:00:00 2001 +From: Vandana BN +Date: Mon, 9 Sep 2019 06:43:31 -0300 +Subject: media: vivid: Set vid_cap_streaming and vid_out_streaming to true + +From: Vandana BN + +commit b4add02d2236fd5f568db141cfd8eb4290972eb3 upstream. + +When vbi stream is started, followed by video streaming, +the vid_cap_streaming and vid_out_streaming were not being set to true, +which would cause the video stream to stop when vbi stream is stopped. +This patch allows to set vid_cap_streaming and vid_out_streaming to true. +According to Hans Verkuil it appears that these 'if (dev->kthread_vid_cap)' +checks are a left-over from the original vivid development and should never +have been there. + +Signed-off-by: Vandana BN +Cc: # for v3.18 and up +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vivid/vivid-vid-cap.c | 3 --- + drivers/media/platform/vivid/vivid-vid-out.c | 3 --- + 2 files changed, 6 deletions(-) + +--- a/drivers/media/platform/vivid/vivid-vid-cap.c ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c +@@ -236,9 +236,6 @@ static int vid_cap_start_streaming(struc + if (vb2_is_streaming(&dev->vb_vid_out_q)) + dev->can_loop_video = vivid_vid_can_loop(dev); + +- if (dev->kthread_vid_cap) +- return 0; +- + dev->vid_cap_seq_count = 0; + dprintk(dev, 1, "%s\n", __func__); + for (i = 0; i < VIDEO_MAX_FRAME; i++) +--- a/drivers/media/platform/vivid/vivid-vid-out.c ++++ b/drivers/media/platform/vivid/vivid-vid-out.c +@@ -158,9 +158,6 @@ static int vid_out_start_streaming(struc + if (vb2_is_streaming(&dev->vb_vid_cap_q)) + dev->can_loop_video = vivid_vid_can_loop(dev); + +- if (dev->kthread_vid_out) +- return 0; +- + dev->vid_out_seq_count = 0; + dprintk(dev, 1, "%s\n", __func__); + if (dev->start_streaming_error) { diff --git a/queue-4.9/series b/queue-4.9/series index 8a46aee6860..07a2c6d71aa 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -121,3 +121,7 @@ x86-speculation-fix-incorrect-mds-taa-mitigation-status.patch x86-speculation-fix-redundant-mds-mitigation-message.patch nfc-port100-handle-command-failure-cleanly.patch l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_ip6.patch +media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch +media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch +media-usbvision-fix-races-among-open-close-and-disconnect.patch +cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch