From: Greg Kroah-Hartman Date: Sun, 6 May 2018 00:08:27 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v4.9.99~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a7bb5b7b30711ec09d6ead0b95230c82e1fad2e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch alsa-aloop-mark-paused-device-as-inactive.patch alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch input-leds-fix-out-of-bound-access.patch net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch rdma-mlx5-protect-from-shift-operand-overflow.patch rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch tracepoint-do-not-warn-on-enomem.patch xfs-prevent-creating-negative-sized-file-via-insert_range.patch --- diff --git a/queue-4.4/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch b/queue-4.4/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch new file mode 100644 index 00000000000..875d3533997 --- /dev/null +++ b/queue-4.4/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch @@ -0,0 +1,112 @@ +From 76b3421b39bd610546931fc923edcf90c18fa395 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 30 Apr 2018 10:06:48 +0200 +Subject: ALSA: aloop: Add missing cable lock to ctl API callbacks + +From: Takashi Iwai + +commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream. + +Some control API callbacks in aloop driver are too lazy to take the +loopback->cable_lock and it results in possible races of cable access +while it's being freed. It eventually lead to a UAF, as reported by +fuzzer recently. + +This patch covers such control API callbacks and add the proper mutex +locks. + +Reported-by: DaeRyong Jeong +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/drivers/aloop.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -832,9 +832,11 @@ static int loopback_rate_shift_get(struc + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].rate_shift; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -866,9 +868,11 @@ static int loopback_notify_get(struct sn + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -880,12 +884,14 @@ static int loopback_notify_put(struct sn + int change = 0; + + val = ucontrol->value.integer.value[0] ? 1 : 0; ++ mutex_lock(&loopback->cable_lock); + if (val != loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify) { + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].notify = val; + change = 1; + } ++ mutex_unlock(&loopback->cable_lock); + return change; + } + +@@ -893,15 +899,18 @@ static int loopback_active_get(struct sn + struct snd_ctl_elem_value *ucontrol) + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); +- struct loopback_cable *cable = loopback->cables +- [kcontrol->id.subdevice][kcontrol->id.device ^ 1]; ++ struct loopback_cable *cable; ++ + unsigned int val = 0; + ++ mutex_lock(&loopback->cable_lock); ++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1]; + if (cable != NULL) { + unsigned int running = cable->running ^ cable->pause; + + val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0; + } ++ mutex_unlock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = val; + return 0; + } +@@ -944,9 +953,11 @@ static int loopback_rate_get(struct snd_ + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].rate; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + +@@ -966,9 +977,11 @@ static int loopback_channels_get(struct + { + struct loopback *loopback = snd_kcontrol_chip(kcontrol); + ++ mutex_lock(&loopback->cable_lock); + ucontrol->value.integer.value[0] = + loopback->setup[kcontrol->id.subdevice] + [kcontrol->id.device].channels; ++ mutex_unlock(&loopback->cable_lock); + return 0; + } + diff --git a/queue-4.4/alsa-aloop-mark-paused-device-as-inactive.patch b/queue-4.4/alsa-aloop-mark-paused-device-as-inactive.patch new file mode 100644 index 00000000000..8355dcfc3ec --- /dev/null +++ b/queue-4.4/alsa-aloop-mark-paused-device-as-inactive.patch @@ -0,0 +1,59 @@ +From 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 Mon Sep 17 00:00:00 2001 +From: Robert Rosengren +Date: Mon, 26 Mar 2018 07:24:49 +0200 +Subject: ALSA: aloop: Mark paused device as inactive + +From: Robert Rosengren + +commit 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 upstream. + +Show paused ALSA aloop device as inactive, i.e. the control +"PCM Slave Active" set as false. Notification sent upon state change. + +This makes it possible for client capturing from aloop device to know if +data is expected. Without it the client expects data even if playback +is paused. + +Signed-off-by: Robert Rosengren +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/drivers/aloop.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -296,6 +296,8 @@ static int loopback_trigger(struct snd_p + cable->pause |= stream; + loopback_timer_stop(dpcm); + spin_unlock(&cable->lock); ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ loopback_active_notify(dpcm); + break; + case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: + case SNDRV_PCM_TRIGGER_RESUME: +@@ -304,6 +306,8 @@ static int loopback_trigger(struct snd_p + cable->pause &= ~stream; + loopback_timer_start(dpcm); + spin_unlock(&cable->lock); ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ loopback_active_notify(dpcm); + break; + default: + return -EINVAL; +@@ -893,9 +897,11 @@ static int loopback_active_get(struct sn + [kcontrol->id.subdevice][kcontrol->id.device ^ 1]; + unsigned int val = 0; + +- if (cable != NULL) +- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? +- 1 : 0; ++ if (cable != NULL) { ++ unsigned int running = cable->running ^ cable->pause; ++ ++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0; ++ } + ucontrol->value.integer.value[0] = val; + return 0; + } diff --git a/queue-4.4/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch b/queue-4.4/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch new file mode 100644 index 00000000000..c9309ae3488 --- /dev/null +++ b/queue-4.4/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch @@ -0,0 +1,38 @@ +From f13876e2c33a657a71bcbb10f767c0951b165020 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 2 May 2018 08:48:46 +0200 +Subject: ALSA: pcm: Check PCM state at xfern compat ioctl + +From: Takashi Iwai + +commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream. + +Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go +further and hit the sanity check pcm_sanity_check() when the ioctl is +called right after open. It may eventually spew a kernel warning, as +triggered by syzbot, depending on kconfig. + +The lack of PCM state check there was just an oversight. Although +it's no real crash, the spurious kernel warning is annoying, so let's +add the proper check. + +Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_compat.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(st + return -ENOTTY; + if (substream->stream != dir) + return -EINVAL; ++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN) ++ return -EBADFD; + + if ((ch = substream->runtime->channels) > 128) + return -EINVAL; diff --git a/queue-4.4/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch b/queue-4.4/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch new file mode 100644 index 00000000000..98af4cabd0f --- /dev/null +++ b/queue-4.4/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch @@ -0,0 +1,53 @@ +From 8f22e52528cc372b218b5f100457469615c733ce Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 26 Apr 2018 09:17:45 +0200 +Subject: ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() + +From: Takashi Iwai + +commit 8f22e52528cc372b218b5f100457469615c733ce upstream. + +The sequencer virmidi code has an open race at its output trigger +callback: namely, virmidi keeps only one event packet for processing +while it doesn't protect for concurrent output trigger calls. + +snd_virmidi_output_trigger() tries to process the previously +unfinished event before starting encoding the given MIDI stream, but +this is done without any lock. Meanwhile, if another rawmidi stream +starts the output trigger, this proceeds further, and overwrites the +event package that is being processed in another thread. This +eventually corrupts and may lead to the invalid memory access if the +event type is like SYSEX. + +The fix is just to move the spinlock to cover both the pending event +and the new stream. + +The bug was spotted by a new fuzzer, RaceFuzzer. + +BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr +Reported-by: DaeRyong Jeong +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_virmidi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/seq/seq_virmidi.c ++++ b/sound/core/seq/seq_virmidi.c +@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s + } + return; + } ++ spin_lock_irqsave(&substream->runtime->lock, flags); + if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) { + if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0) +- return; ++ goto out; + vmidi->event.type = SNDRV_SEQ_EVENT_NONE; + } +- spin_lock_irqsave(&substream->runtime->lock, flags); + while (1) { + count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf)); + if (count <= 0) diff --git a/queue-4.4/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch b/queue-4.4/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch new file mode 100644 index 00000000000..ed5ae753d08 --- /dev/null +++ b/queue-4.4/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch @@ -0,0 +1,58 @@ +From 4f32ac2e452c2180cd2df581cbadac183e27ecd0 Mon Sep 17 00:00:00 2001 +From: Danit Goldberg +Date: Mon, 23 Apr 2018 17:01:54 +0300 +Subject: IB/mlx5: Use unlimited rate when static rate is not supported + +From: Danit Goldberg + +commit 4f32ac2e452c2180cd2df581cbadac183e27ecd0 upstream. + +Before the change, if the user passed a static rate value different +than zero and the FW doesn't support static rate, +it would end up configuring rate of 2.5 GBps. + +Fix this by using rate 0; unlimited, in cases where FW +doesn't support static rate configuration. + +Cc: # 3.10 +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Reviewed-by: Majd Dibbiny +Signed-off-by: Danit Goldberg +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/qp.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -1352,18 +1352,18 @@ enum { + + static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate) + { +- if (rate == IB_RATE_PORT_CURRENT) { ++ if (rate == IB_RATE_PORT_CURRENT) + return 0; +- } else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) { ++ ++ if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) + return -EINVAL; +- } else { +- while (rate != IB_RATE_2_5_GBPS && +- !(1 << (rate + MLX5_STAT_RATE_OFFSET) & +- MLX5_CAP_GEN(dev->mdev, stat_rate_support))) +- --rate; +- } + +- return rate + MLX5_STAT_RATE_OFFSET; ++ while (rate != IB_RATE_PORT_CURRENT && ++ !(1 << (rate + MLX5_STAT_RATE_OFFSET) & ++ MLX5_CAP_GEN(dev->mdev, stat_rate_support))) ++ --rate; ++ ++ return rate ? rate + MLX5_STAT_RATE_OFFSET : rate; + } + + static int mlx5_set_path(struct mlx5_ib_dev *dev, const struct ib_ah_attr *ah, diff --git a/queue-4.4/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch b/queue-4.4/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch new file mode 100644 index 00000000000..6499bd5e6bf --- /dev/null +++ b/queue-4.4/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch @@ -0,0 +1,46 @@ +From f372b81101e6895252298e563d634d5e44ae81e7 Mon Sep 17 00:00:00 2001 +From: "Vittorio Gambaletta (VittGam)" +Date: Wed, 25 Apr 2018 15:22:13 -0700 +Subject: Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro + +From: Vittorio Gambaletta (VittGam) + +commit f372b81101e6895252298e563d634d5e44ae81e7 upstream. + +This patch adds the correct platform data information for the Caroline +Chromebook, so that the mouse button does not get stuck in pressed state +after the first click. + +The Samus button keymap and platform data definition are the correct +ones for Caroline, so they have been reused here. + +Signed-off-by: Vittorio Gambaletta +Signed-off-by: Salvatore Bellizzi +Tested-by: Guenter Roeck +Cc: stable@vger.kernel.org +[dtor: adjusted vendor spelling to match shipping firmware] +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -2523,6 +2523,15 @@ static const struct dmi_system_id mxt_dm + .driver_data = samus_platform_data, + }, + { ++ /* Samsung Chromebook Pro */ ++ .ident = "Samsung Chromebook Pro", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Google"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Caroline"), ++ }, ++ .driver_data = samus_platform_data, ++ }, ++ { + /* Other Google Chromebooks */ + .ident = "Chromebook", + .matches = { diff --git a/queue-4.4/input-leds-fix-out-of-bound-access.patch b/queue-4.4/input-leds-fix-out-of-bound-access.patch new file mode 100644 index 00000000000..1371b0e50af --- /dev/null +++ b/queue-4.4/input-leds-fix-out-of-bound-access.patch @@ -0,0 +1,56 @@ +From 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 6 Apr 2018 10:23:05 -0700 +Subject: Input: leds - fix out of bound access + +From: Dmitry Torokhov + +commit 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc upstream. + +UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with +led > LED_CHARGING: + +[ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds] +[ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128 + +This happens because we were writing to the led structure before making +sure that it exists. + +Reported-by: Tasos Sahanidis +Tested-by: Tasos Sahanidis +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/input-leds.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/input-leds.c ++++ b/drivers/input/input-leds.c +@@ -88,6 +88,7 @@ static int input_leds_connect(struct inp + const struct input_device_id *id) + { + struct input_leds *leds; ++ struct input_led *led; + unsigned int num_leds; + unsigned int led_code; + int led_no; +@@ -119,14 +120,13 @@ static int input_leds_connect(struct inp + + led_no = 0; + for_each_set_bit(led_code, dev->ledbit, LED_CNT) { +- struct input_led *led = &leds->leds[led_no]; ++ if (!input_led_info[led_code].name) ++ continue; + ++ led = &leds->leds[led_no]; + led->handle = &leds->handle; + led->code = led_code; + +- if (!input_led_info[led_code].name) +- continue; +- + led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s", + dev_name(&dev->dev), + input_led_info[led_code].name); diff --git a/queue-4.4/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch b/queue-4.4/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch new file mode 100644 index 00000000000..259e42e970c --- /dev/null +++ b/queue-4.4/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch @@ -0,0 +1,43 @@ +From 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?= + +Date: Thu, 26 Apr 2018 14:30:13 +0800 +Subject: NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: SZ Lin (林上智) + +commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream. + +This patch adds support for PID 0x90b2 of ublox R410M. + +qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer +[/dev/cdc-wdm0] Device manufacturer retrieved: + Manufacturer: 'u-blox' + +qmicli -d /dev/cdc-wdm0 --dms-get-model +[/dev/cdc-wdm0] Device model retrieved: + Model: 'SARA-R410M-02B' + +Signed-off-by: SZ Lin (林上智) +Cc: stable +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -631,6 +631,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x9080, 8)}, + {QMI_FIXED_INTF(0x05c6, 0x9083, 3)}, + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)}, ++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */ + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, diff --git a/queue-4.4/rdma-mlx5-protect-from-shift-operand-overflow.patch b/queue-4.4/rdma-mlx5-protect-from-shift-operand-overflow.patch new file mode 100644 index 00000000000..a3ad49d8a00 --- /dev/null +++ b/queue-4.4/rdma-mlx5-protect-from-shift-operand-overflow.patch @@ -0,0 +1,62 @@ +From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Mon, 23 Apr 2018 17:01:53 +0300 +Subject: RDMA/mlx5: Protect from shift operand overflow + +From: Leon Romanovsky + +commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream. + +Ensure that user didn't supply values too large that can cause overflow. + +UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23 +shift exponent -2147483648 is negative +CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call +Trace: +dump_stack+0xde/0x164 +ubsan_epilogue+0xe/0x81 +set_rq_size+0x7c2/0xa90 +create_qp_common+0xc18/0x43c0 +mlx5_ib_create_qp+0x379/0x1ca0 +create_qp.isra.5+0xc94/0x2260 +ib_uverbs_create_qp+0x21b/0x2a0 +ib_uverbs_write+0xc2c/0x1010 +vfs_write+0x1b0/0x550 +SyS_write+0xc7/0x1a0 +do_syscall_64+0x1aa/0x740 +entry_SYSCALL_64_after_hwframe+0x26/0x9b +RIP: 0033:0x433569 +RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569 +RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003 +RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8 +R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000 +R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006 + +Cc: # 3.10 +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Cc: syzkaller +Reported-by: Noa Osherovich +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/qp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -231,7 +231,11 @@ static int set_rq_size(struct mlx5_ib_de + } else { + if (ucmd) { + qp->rq.wqe_cnt = ucmd->rq_wqe_count; ++ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift)) ++ return -EINVAL; + qp->rq.wqe_shift = ucmd->rq_wqe_shift; ++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig) ++ return -EINVAL; + qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig; + qp->rq.max_post = qp->rq.wqe_cnt; + } else { diff --git a/queue-4.4/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch b/queue-4.4/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch new file mode 100644 index 00000000000..a4ee529fbb7 --- /dev/null +++ b/queue-4.4/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch @@ -0,0 +1,39 @@ +From 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 Mon Sep 17 00:00:00 2001 +From: Roland Dreier +Date: Thu, 19 Apr 2018 08:28:11 -0700 +Subject: RDMA/ucma: Allow resolving address w/o specifying source address + +From: Roland Dreier + +commit 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 upstream. + +The RDMA CM will select a source device and address by consulting +the routing table if no source address is passed into +rdma_resolve_address(). Userspace will ask for this by passing an +all-zero source address in the RESOLVE_IP command. Unfortunately +the new check for non-zero address size rejects this with EINVAL, +which breaks valid userspace applications. + +Fix this by explicitly allowing a zero address family for the source. + +Fixes: 2975d5de6428 ("RDMA/ucma: Check AF family prior resolving address") +Cc: +Signed-off-by: Roland Dreier +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/ucma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -675,7 +675,7 @@ static ssize_t ucma_resolve_ip(struct uc + if (copy_from_user(&cmd, inbuf, sizeof(cmd))) + return -EFAULT; + +- if (!rdma_addr_size_in6(&cmd.src_addr) || ++ if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) || + !rdma_addr_size_in6(&cmd.dst_addr)) + return -EINVAL; + diff --git a/queue-4.4/series b/queue-4.4/series index db8ba297ab9..89855748aa6 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,3 +9,15 @@ ath10k-fix-rfc1042-header-retrieval-in-qca4019-with-eth-decap-mode.patch ath10k-rebuild-crypto-header-in-rx-data-frames.patch gpmi-nand-handle-ecc-errors-in-erased-pages.patch usb-serial-option-add-support-for-quectel-ep06.patch +alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch +alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch +alsa-aloop-mark-paused-device-as-inactive.patch +alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch +tracepoint-do-not-warn-on-enomem.patch +input-leds-fix-out-of-bound-access.patch +input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch +xfs-prevent-creating-negative-sized-file-via-insert_range.patch +rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch +rdma-mlx5-protect-from-shift-operand-overflow.patch +net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch +ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch diff --git a/queue-4.4/tracepoint-do-not-warn-on-enomem.patch b/queue-4.4/tracepoint-do-not-warn-on-enomem.patch new file mode 100644 index 00000000000..979d41a610a --- /dev/null +++ b/queue-4.4/tracepoint-do-not-warn-on-enomem.patch @@ -0,0 +1,60 @@ +From d66a270be3310d7aa132fec0cea77d3d32a0ff75 Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Thu, 15 Mar 2018 08:44:24 -0400 +Subject: tracepoint: Do not warn on ENOMEM + +From: Mathieu Desnoyers + +commit d66a270be3310d7aa132fec0cea77d3d32a0ff75 upstream. + +Tracepoint should only warn when a kernel API user does not respect the +required preconditions (e.g. same tracepoint enabled twice, or called +to remove a tracepoint that does not exist). + +Silence warning in out-of-memory conditions, given that the error is +returned to the caller. + +This ensures that out-of-memory error-injection testing does not trigger +warnings in tracepoint.c, which were seen by syzbot. + +Link: https://lkml.kernel.org/r/001a114465e241a8720567419a72@google.com +Link: https://lkml.kernel.org/r/001a1140e0de15fc910567464190@google.com +Link: http://lkml.kernel.org/r/20180315124424.32319-1-mathieu.desnoyers@efficios.com + +CC: Peter Zijlstra +CC: Jiri Olsa +CC: Arnaldo Carvalho de Melo +CC: Alexander Shishkin +CC: Namhyung Kim +CC: stable@vger.kernel.org +Fixes: de7b2973903c6 ("tracepoint: Use struct pointer instead of name hash for reg/unreg tracepoints") +Reported-by: syzbot+9c0d616860575a73166a@syzkaller.appspotmail.com +Reported-by: syzbot+4e9ae7fa46233396f64d@syzkaller.appspotmail.com +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/tracepoint.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -202,7 +202,7 @@ static int tracepoint_add_func(struct tr + lockdep_is_held(&tracepoints_mutex)); + old = func_add(&tp_funcs, func, prio); + if (IS_ERR(old)) { +- WARN_ON_ONCE(1); ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); + return PTR_ERR(old); + } + +@@ -235,7 +235,7 @@ static int tracepoint_remove_func(struct + lockdep_is_held(&tracepoints_mutex)); + old = func_remove(&tp_funcs, func); + if (IS_ERR(old)) { +- WARN_ON_ONCE(1); ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); + return PTR_ERR(old); + } + diff --git a/queue-4.4/xfs-prevent-creating-negative-sized-file-via-insert_range.patch b/queue-4.4/xfs-prevent-creating-negative-sized-file-via-insert_range.patch new file mode 100644 index 00000000000..118b69c5186 --- /dev/null +++ b/queue-4.4/xfs-prevent-creating-negative-sized-file-via-insert_range.patch @@ -0,0 +1,70 @@ +From 7d83fb14258b9961920cd86f0b921caaeb3ebe85 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Mon, 16 Apr 2018 23:07:45 -0700 +Subject: xfs: prevent creating negative-sized file via INSERT_RANGE + +From: Darrick J. Wong + +commit 7d83fb14258b9961920cd86f0b921caaeb3ebe85 upstream. + +During the "insert range" fallocate operation, i_size grows by the +specified 'len' bytes. XFS verifies that i_size + len < s_maxbytes, as +it should. But this comparison is done using the signed 'loff_t', and +'i_size + len' can wrap around to a negative value, causing the check to +incorrectly pass, resulting in an inode with "negative" i_size. This is +possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX. +ext4 and f2fs don't run into this because they set a smaller s_maxbytes. + +Fix it by using subtraction instead. + +Reproducer: + xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096" + +Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate") +Cc: # v4.1+ +Originally-From: Eric Biggers +Signed-off-by: Eric Biggers +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +[darrick: fix signed integer addition overflow too] +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_file.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -969,22 +969,26 @@ xfs_file_fallocate( + if (error) + goto out_unlock; + } else if (mode & FALLOC_FL_INSERT_RANGE) { +- unsigned int blksize_mask = i_blocksize(inode) - 1; ++ unsigned int blksize_mask = i_blocksize(inode) - 1; ++ loff_t isize = i_size_read(inode); + +- new_size = i_size_read(inode) + len; + if (offset & blksize_mask || len & blksize_mask) { + error = -EINVAL; + goto out_unlock; + } + +- /* check the new inode size does not wrap through zero */ +- if (new_size > inode->i_sb->s_maxbytes) { ++ /* ++ * New inode size must not exceed ->s_maxbytes, accounting for ++ * possible signed overflow. ++ */ ++ if (inode->i_sb->s_maxbytes - isize < len) { + error = -EFBIG; + goto out_unlock; + } ++ new_size = isize + len; + + /* Offset should be less than i_size */ +- if (offset >= i_size_read(inode)) { ++ if (offset >= isize) { + error = -EINVAL; + goto out_unlock; + }