From: Greg Kroah-Hartman Date: Mon, 2 May 2016 16:29:23 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v3.14.68~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=85b0ffbe72a14b7432ffa3dfb0d37e1beba8577e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: usb-usbip-fix-potential-out-of-bounds-write.patch videobuf2-core-check-user-space-planes-array-in-dqbuf.patch videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch --- diff --git a/queue-4.4/drm-i915-exit-cherryview_irq_handler-after-one-pass.patch b/queue-4.4/drm-i915-exit-cherryview_irq_handler-after-one-pass.patch deleted file mode 100644 index 850baef3965..00000000000 --- a/queue-4.4/drm-i915-exit-cherryview_irq_handler-after-one-pass.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 9dbaab56ac09f07a73fe83bf69bec3e31060080a Mon Sep 17 00:00:00 2001 -From: Chris Wilson -Date: Mon, 14 Mar 2016 09:01:57 +0000 -Subject: drm/i915: Exit cherryview_irq_handler() after one pass -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Chris Wilson - -commit 9dbaab56ac09f07a73fe83bf69bec3e31060080a upstream. - -This effectively reverts - -commit 8e5fd599eb219f1054e39b40d18b217af669eea9 -Author: Ville Syrjälä -Date: Wed Apr 9 13:28:50 2014 +0300 - - drm/i915/chv: Make CHV irq handler loop until all interrupts are consumed - -as under continuous execlists load we can saturate the IRQ handler, -destablising the tsc clock and triggering the NMI watchdog to declare a hung -CPU. - -[ 552.756051] clocksource: timekeeping watchdog on CPU0: Marking clocksource 'tsc' as unstable because the skew is too large: -[ 552.756080] clocksource: 'refined-jiffies' wd_now: 10003b480 wd_last: 10003b28c mask: ffffffff -[ 552.756091] clocksource: 'tsc' cs_now: d55d31aa50 cs_last: d17446166c mask: ffffffffffffffff -[ 552.756210] clocksource: Switched to clocksource refined-jiffies -[ 575.217870] NMI watchdog: Watchdog detected hard LOCKUP on cpu 1 -[ 575.217893] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.5.0-rc7+ #18 -[ 575.217905] Hardware name: /NUC5CPYB, BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015 -[ 575.217915] 0000000000000000 ffff88027fd05bc0 ffffffff81288c6d 0000000000000000 -[ 575.217935] 0000000000000001 ffff88027fd05be0 ffffffff810e72d1 0000000000000000 -[ 575.217951] ffff88027fd05c80 ffff88027fd05c20 ffffffff81114b60 0000000181015f1e -[ 575.217967] Call Trace: -[ 575.217973] [] dump_stack+0x4f/0x72 -[ 575.217994] [] watchdog_overflow_callback+0x151/0x160 -[ 575.218003] [] __perf_event_overflow+0xa0/0x1e0 -[ 575.218016] [] perf_event_overflow+0x14/0x20 -[ 575.218028] [] intel_pmu_handle_irq+0x1da/0x460 -[ 575.218042] [] ? poll_idle+0x3e/0x70 -[ 575.218052] [] ? 
poll_idle+0x3e/0x70 -[ 575.218064] [] perf_event_nmi_handler+0x28/0x50 -[ 575.218075] [] nmi_handle+0x60/0x130 -[ 575.218086] [] ? poll_idle+0x3e/0x70 -[ 575.218096] [] do_nmi+0x140/0x470 -[ 575.218108] [] end_repeat_nmi+0x1a/0x1e -[ 575.218119] [] ? poll_idle+0x3e/0x70 -[ 575.218129] [] ? poll_idle+0x3e/0x70 -[ 575.218139] [] ? poll_idle+0x3e/0x70 -[ 575.218148] <> [] cpuidle_enter_state+0xf3/0x2f0 -[ 575.218164] [] cpuidle_enter+0x17/0x20 -[ 575.218175] [] call_cpuidle+0x2a/0x40 -[ 575.218185] [] cpu_startup_entry+0x273/0x330 -[ 575.218196] [] start_secondary+0x10e/0x130 - -However, not servicing all available IIR within the handler does hurt the -throughput of pathological nop execbuf by about 20%, with a similar effect -upon the dispatch latency of a series of execbuf. - -v2: use do {} while(0) for a smaller patch, and easier to revert again - -I have reasonable confidence that we do not miss GT interrupts (as -execlists provides a stress case with a failure mechanism easily -detected by igt), however I have less confidence about all the other -sources of interrupts and worry that may lose a display hotplug -interrupt, for example. 
- -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93467 -Testcase: igt/gem_exec_nop/basic # requires NMI watchdog -Signed-off-by: Chris Wilson -Cc: Ville Syrjälä -Cc: Antti Koskipää -Cc: Tvrtko Ursulin -Reviewed-by: Tvrtko Ursulin -Reviewed-by: Ville Syrjälä -Link: http://patchwork.freedesktop.org/patch/msgid/1457946117-6714-1-git-send-email-chris@chris-wilson.co.uk -(cherry picked from commit 579de73b048a0a4c66c25a033ac76a2836e0cf73) -Signed-off-by: Jani Nikula -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/gpu/drm/i915/i915_irq.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/gpu/drm/i915/i915_irq.c -+++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -1788,7 +1788,7 @@ static irqreturn_t cherryview_irq_handle - if (!intel_irqs_enabled(dev_priv)) - return IRQ_NONE; - -- for (;;) { -+ do { - master_ctl = I915_READ(GEN8_MASTER_IRQ) & ~GEN8_MASTER_IRQ_CONTROL; - iir = I915_READ(VLV_IIR); - -@@ -1816,7 +1816,7 @@ static irqreturn_t cherryview_irq_handle - - I915_WRITE(GEN8_MASTER_IRQ, DE_MASTER_IRQ_CONTROL); - POSTING_READ(GEN8_MASTER_IRQ); -- } -+ } while (0); - - return ret; - } diff --git a/queue-4.4/series b/queue-4.4/series index 958fba76259..22a83625e6b 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -38,7 +38,6 @@ futex-handle-unlock_pi-race-gracefully.patch futex-acknowledge-a-new-waiter-in-counter-before-plist.patch drm-nouveau-core-use-vzalloc-for-allocating-ramht.patch drm-qxl-fix-cursor-position-with-non-zero-hotspot.patch -drm-i915-exit-cherryview_irq_handler-after-one-pass.patch drm-i915-fix-race-condition-in-intel_dp_destroy_mst_connector.patch revert-drm-radeon-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch revert-drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch 
@@ -108,3 +107,6 @@ numa-fix-proc-pid-numa_maps-for-thp.patch
 mm-vmscan-reclaim-highmem-zone-if-buffer_heads-is-over-limit.patch
 mm-hwpoison-fix-wrong-num_poisoned_pages-accounting.patch
 cgroup-make-sure-a-parent-css-isn-t-freed-before-its-children.patch
+usb-usbip-fix-potential-out-of-bounds-write.patch
+videobuf2-core-check-user-space-planes-array-in-dqbuf.patch
+videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
diff --git a/queue-4.4/usb-usbip-fix-potential-out-of-bounds-write.patch b/queue-4.4/usb-usbip-fix-potential-out-of-bounds-write.patch
new file mode 100644
index 00000000000..a60274c05c5
--- /dev/null
+++ b/queue-4.4/usb-usbip-fix-potential-out-of-bounds-write.patch
@@ -0,0 +1,47 @@
+From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
+From: Ignat Korchagin
+Date: Thu, 17 Mar 2016 18:00:29 +0000
+Subject: USB: usbip: fix potential out-of-bounds write
+
+From: Ignat Korchagin
+
+commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.
+
+Fix potential out-of-bounds write to urb->transfer_buffer
+usbip handles network communication directly in the kernel. When receiving a
+packet from its peer, usbip code parses headers according to protocol. As
+part of this parsing urb->actual_length is filled. Since the input for
+urb->actual_length comes from the network, it should be treated as untrusted.
+Any entity controlling the network may put any value in the input and the
+preallocated urb->transfer_buffer may not be large enough to hold the data.
+Thus, the malicious entity is able to write arbitrary data to kernel memory.
+
+Signed-off-by: Ignat Korchagin
+Cc: Sasha Levin
+Signed-off-by: Paul Gortmaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/usbip_common.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device
+ if (!(size > 0))
+ return 0;
+
++ if (size > urb->transfer_buffer_length) {
++ /* should not happen, probably malicious packet */
++ if (ud->side == USBIP_STUB) {
++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
++ return 0;
++ } else {
++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
++ return -EPIPE;
++ }
++ }
++
+ ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
+ if (ret != size) {
+ dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
diff --git a/queue-4.4/videobuf2-core-check-user-space-planes-array-in-dqbuf.patch b/queue-4.4/videobuf2-core-check-user-space-planes-array-in-dqbuf.patch
new file mode 100644
index 00000000000..2303464c969
--- /dev/null
+++ b/queue-4.4/videobuf2-core-check-user-space-planes-array-in-dqbuf.patch
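Review bot: The new rejection path in usbip_recv_xbuff is silent: when the announced `size` exceeds `urb->transfer_buffer_length` the code only queues a TCP error event and returns, while the short-read path two lines below reports through `dev_err`. The commit message itself calls this a probably malicious packet, so an operator should be able to see it; add `dev_err(&urb->dev->dev, "recv xbuff: %d bytes announced, transfer_buffer is %u\n", size, urb->transfer_buffer_length);` before the side check (the same `urb->dev` dereference the existing dev_err already relies on), or a rate-limited variant since the remote peer controls how often it fires. The assignments that derive `size` are above the hunk; if, as the stub/vhci split suggests, the stub side sets `size` from `transfer_buffer_length` itself, the `USBIP_STUB` branch of the new check can never fire, and a comment stating that the real exposure is the vhci side (`actual_length` taken from the network) would stop readers from assuming both sides are hardened here.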
@@ -0,0 +1,71 @@
+From e7e0c3e26587749b62d17b9dd0532874186c77f7 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Sun, 3 Apr 2016 16:15:00 -0300
+Subject: [media] videobuf2-core: Check user space planes array in dqbuf
+
+From: Sakari Ailus
+
+commit e7e0c3e26587749b62d17b9dd0532874186c77f7 upstream.
+
+The number of planes in videobuf2 is specific to a buffer. In order to
+verify that the planes array provided by the user is long enough, a new
+vb2_buf_op is required.
+
+Call __verify_planes_array() when the dequeued buffer is known. Return an
+error to the caller if there was one, otherwise remove the buffer from the
+done list.
+
+Signed-off-by: Sakari Ailus
+Acked-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 10 +++++-----
+ include/media/videobuf2-core.h | 1 +
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1502,7 +1502,7 @@ static int __vb2_wait_for_done_vb(struct
+ * Will sleep if required for nonblocking == false.
+ */
+ static int __vb2_get_done_vb(struct vb2_queue *q, struct vb2_buffer **vb,
+- int nonblocking)
++ void *pb, int nonblocking)
+ {
+ unsigned long flags;
+ int ret;
+@@ -1523,10 +1523,10 @@ static int __vb2_get_done_vb(struct vb2_
+ /*
+ * Only remove the buffer from done_list if v4l2_buffer can handle all
+ * the planes.
+- * Verifying planes is NOT necessary since it already has been checked
+- * before the buffer is queued/prepared. So it can never fail.
+ */
+- list_del(&(*vb)->done_entry);
++ ret = call_bufop(q, verify_planes_array, *vb, pb);
++ if (!ret)
++ list_del(&(*vb)->done_entry);
+ spin_unlock_irqrestore(&q->done_lock, flags);
+
+ return ret;
+@@ -1604,7 +1604,7 @@ int vb2_core_dqbuf(struct vb2_queue *q,
+ struct vb2_buffer *vb = NULL;
+ int ret;
+
+- ret = __vb2_get_done_vb(q, &vb, nonblocking);
++ ret = __vb2_get_done_vb(q, &vb, pb, nonblocking);
+ if (ret < 0)
+ return ret;
+
+--- a/include/media/videobuf2-core.h
++++ b/include/media/videobuf2-core.h
+@@ -363,6 +363,7 @@ struct vb2_ops {
+ };
+
+ struct vb2_buf_ops {
++ int (*verify_planes_array)(struct vb2_buffer *vb, const void *pb);
+ int (*fill_user_buffer)(struct vb2_buffer *vb, void *pb);
+ int (*fill_vb2_buffer)(struct vb2_buffer *vb, const void *pb,
+ struct vb2_plane *planes);
diff --git a/queue-4.4/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch b/queue-4.4/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
new file mode 100644
index 00000000000..47115b7ff8c
--- /dev/null
+++ b/queue-4.4/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
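Review bot: The new `verify_planes_array` member of `struct vb2_buf_ops` lands in the header with no documentation, and the `pb` argument added to `__vb2_get_done_vb()` is likewise undocumented even though the function's comment block (partly visible as `Will sleep if required for nonblocking == false.`) sits just above the hunk. Add to that block `* @pb: caller-supplied buffer descriptor, checked with verify_planes_array before the buffer is taken off done_list; on failure the buffer stays on the list and the error is returned`, and, if the struct has a kerneldoc block (outside the hunk), `@verify_planes_array: check that the user buffer @pb has room for every plane of @vb; called on dequeue before the buffer leaves the done list`. The core now relies on `call_bufop()` yielding 0 when a queue's `buf_ops` does not implement the new op (its definition is outside the hunk); if that is how the macro behaves, a one-line comment at the call site making that fallback explicit would save the next reader from tracing it.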
@@ -0,0 +1,55 @@
+From 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Sun, 3 Apr 2016 16:31:03 -0300
+Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
+
+From: Sakari Ailus
+
+commit 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab upstream.
+
+When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
+which will be dequeued is not known until the buffer has been removed from
+the queue. The number of planes is specific to a buffer, not to the queue.
+
+This does lead to the situation where multi-plane buffers may be requested
+and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
+struct with fewer planes.
+
+__fill_v4l2_buffer() however uses the number of planes from the dequeued
+videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
+in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
+planes than the dequeued buffer had. Oops!
+
+Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
+
+Signed-off-by: Sakari Ailus
+Acked-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -67,6 +67,11 @@ static int __verify_planes_array(struct
+ return 0;
+ }
+
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++ return __verify_planes_array(vb, pb);
++}
++
+ /**
+ * __verify_length() - Verify that the bytesused value for each plane fits in
+ * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -432,6 +437,7 @@ static int __fill_vb2_buffer(struct vb2_
+ }
+
+ static const struct vb2_buf_ops v4l2_buf_ops = {
++ .verify_planes_array = __verify_planes_array_core,
+ .fill_user_buffer = __fill_v4l2_buffer,
+ .fill_vb2_buffer = __fill_vb2_buffer,
+ .set_timestamp = __set_timestamp,
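Review bot: `__verify_planes_array_core()` hands `pb` straight to `__verify_planes_array()`, whose body is outside the hunk but which, going by its name and the struct pointer it is declared to take, presumably dereferences it; if any caller of `vb2_core_dqbuf()` can pass a NULL `pb` (a file-I/O path, for instance — the callers are not in this hunk), the dequeue now oopses where before nothing looked at `pb` until the fill step. A guard `if (!pb) return 0;` at the top of the adapter costs nothing and preserves the old behaviour for such callers; if every caller is known to supply a real buffer, record that in a comment instead so the assumption is visible. Either way the adapter deserves one line saying why it exists: `/* vb2_buf_ops passes pb as an opaque pointer; for V4L2 it is the struct v4l2_buffer from DQBUF. */`.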