From: Greg Kroah-Hartman Date: Mon, 6 Jan 2020 20:09:47 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.14.163~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94dd4a8abf0cf43a6437cb63a73c5adda164a1d9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch exit-panic-before-exit_mm-on-global-init-exit.patch
---
diff --git a/queue-4.19/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch b/queue-4.19/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
new file mode 100644
index 00000000000..131ab0de2fb
--- /dev/null
+++ b/queue-4.19/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
@@ -0,0 +1,37 @@
+From d60229d84846a8399257006af9c5444599f64361 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 22 Nov 2019 13:13:54 +0000
+Subject: ALSA: cs4236: fix error return comparison of an unsigned integer
+
+From: Colin Ian King
+
+commit d60229d84846a8399257006af9c5444599f64361 upstream.
+
+The return from pnp_irq is an unsigned integer type resource_size_t
+and hence the error check for a positive non-error code is always
+going to be true. A check for a non-failure return from pnp_irq
+should in fact be for (resource_size_t)-1 rather than >= 0.
+
+Addresses-Coverity: ("Unsigned compared against 0")
+Fixes: a9824c868a2c ("[ALSA] Add CS4232 PnP BIOS support")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20191122131354.58042-1-colin.king@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/isa/cs423x/cs4236.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/isa/cs423x/cs4236.c
++++ b/sound/isa/cs423x/cs4236.c
+@@ -293,7 +293,8 @@ static int snd_cs423x_pnp_init_mpu(int d
+ } else {
+ mpu_port[dev] = pnp_port_start(pdev, 0);
+ if (mpu_irq[dev] >= 0 &&
+- pnp_irq_valid(pdev, 0) && pnp_irq(pdev, 0) >= 0) {
++ pnp_irq_valid(pdev, 0) &&
++ pnp_irq(pdev, 0) != (resource_size_t)-1) {
+ mpu_irq[dev] = pnp_irq(pdev, 0);
+ } else {
+ mpu_irq[dev] = -1; /* disable interrupt */
diff --git a/queue-4.19/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch b/queue-4.19/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
new file mode 100644
index 00000000000..ebec5f48244
--- /dev/null
+++ b/queue-4.19/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
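Review bot: In the snd_cs423x_pnp_init_mpu() hunk of the cs4236 patch, pnp_irq(pdev, 0) is still evaluated twice, once for the comparison against `(resource_size_t)-1` and once for the assignment, and the unsigned result is then narrowed implicitly into mpu_irq[dev], which the surrounding lines treat as signed (`>= 0`, `= -1`). Reading it once into a local, e.g. `resource_size_t irq = pnp_irq(pdev, 0);`, and storing it with an explicit `(int)irq` keeps the checked value and the stored value from diverging and makes the conversion visible. A short comment that `(resource_size_t)-1` is the failure value the commit message attributes to pnp_irq() would also help, since the hunk does not show where that sentinel comes from. The function body starts and ends outside the hunk.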
@@ -0,0 +1,32 @@
+From 0929249e3be3bb82ee6cfec0025f4dde952210b3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 30 Oct 2019 11:09:21 +0100
+Subject: ALSA: firewire-motu: Correct a typo in the clock proc string
+
+From: Takashi Iwai
+
+commit 0929249e3be3bb82ee6cfec0025f4dde952210b3 upstream.
+
+Just fix a typo of "S/PDIF" in the clock name string.
+
+Fixes: 4638ec6ede08 ("ALSA: firewire-motu: add proc node to show current statuc of clock and packet formats")
+Acked-by: Takashi Sakamoto
+Link: https://lore.kernel.org/r/20191030100921.3826-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/firewire/motu/motu-proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/motu/motu-proc.c
++++ b/sound/firewire/motu/motu-proc.c
+@@ -17,7 +17,7 @@ static const char *const clock_names[] =
+ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT] = "S/PDIF on optical interface",
+ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT_A] = "S/PDIF on optical interface A",
+ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT_B] = "S/PDIF on optical interface B",
+- [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_COAX] = "S/PCIF on coaxial interface",
++ [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_COAX] = "S/PDIF on coaxial interface",
+ [SND_MOTU_CLOCK_SOURCE_AESEBU_ON_XLR] = "AESEBU on XLR interface",
+ [SND_MOTU_CLOCK_SOURCE_WORD_ON_BNC] = "Word clock on BNC interface",
+ };
diff --git a/queue-4.19/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch b/queue-4.19/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
new file mode 100644
index 00000000000..4efb513ceec
--- /dev/null
+++ b/queue-4.19/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
@@ -0,0 +1,207 @@
+From 8c62ed27a12c00e3db1c9f04bc0f272bdbb06734 Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Thu, 2 Jan 2020 05:31:22 -0800
+Subject: apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock
+
+From: John Johansen
+
+commit 8c62ed27a12c00e3db1c9f04bc0f272bdbb06734 upstream.
+
+aa_xattrs_match() is unfortunately calling vfs_getxattr_alloc() from a
+context protected by an rcu_read_lock. This can not be done as
+vfs_getxattr_alloc() may sleep regardles of the gfp_t value being
+passed to it.
+
+Fix this by breaking the rcu_read_lock on the policy search when the
+xattr match feature is requested and restarting the search if a policy
+changes occur.
+
+Fixes: 8e51f9087f40 ("apparmor: Add support for attaching profiles via xattr, presence and value")
+Reported-by: Jia-Ju Bai
+Reported-by: Al Viro
+Signed-off-by: John Johansen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/apparmorfs.c | 2 -
+ security/apparmor/domain.c | 80 +++++++++++++++++++++--------------------
+ security/apparmor/policy.c | 4 +-
+ 3 files changed, 45 insertions(+), 41 deletions(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -593,7 +593,7 @@ static __poll_t ns_revision_poll(struct
+
+ void __aa_bump_ns_revision(struct aa_ns *ns)
+ {
+- ns->revision++;
++ WRITE_ONCE(ns->revision, ns->revision + 1);
+ wake_up_interruptible(&ns->wait);
+ }
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -321,6 +321,7 @@ static int aa_xattrs_match(const struct
+
+ if (!bprm || !profile->xattr_count)
+ return 0;
++ might_sleep();
+
+ /* transition from exec match to xattr set */
+ state = aa_dfa_null_transition(profile->xmatch, state);
+@@ -365,10 +366,11 @@ out:
+ }
+
+ /**
+- * __attach_match_ - find an attachment match
++ * find_attach - do attachment search for unconfined processes
+ * @bprm - binprm structure of transitioning task
+- * @name - to match against (NOT NULL)
++ * @ns: the current namespace (NOT NULL)
+ * @head - profile list to walk (NOT NULL)
++ * @name - to match against (NOT NULL)
+ * @info - info message if there was an error (NOT NULL)
+ *
+ * Do a linear search on the profiles in the list. There is a matching
+@@ -378,12 +380,11 @@ out:
+ *
+ * Requires: @head not be shared or have appropriate locks held
+ *
+- * Returns: profile or NULL if no match found
++ * Returns: label or NULL if no match found
+ */
+-static struct aa_profile *__attach_match(const struct linux_binprm *bprm,
+- const char *name,
+- struct list_head *head,
+- const char **info)
++static struct aa_label *find_attach(const struct linux_binprm *bprm,
++ struct aa_ns *ns, struct list_head *head,
++ const char *name, const char **info)
+ {
+ int candidate_len = 0, candidate_xattrs = 0;
+ bool conflict = false;
+@@ -392,6 +393,8 @@ static struct aa_profile *__attach_match
+ AA_BUG(!name);
+ AA_BUG(!head);
+
++ rcu_read_lock();
++restart:
+ list_for_each_entry_rcu(profile, head, base.list) {
+ if (profile->label.flags & FLAG_NULL &&
+ &profile->label == ns_unconfined(profile->ns))
+@@ -417,16 +420,32 @@ static struct aa_profile *__attach_match
+ perm = dfa_user_allow(profile->xmatch, state);
+ /* any accepting state means a valid match. */
+ if (perm & MAY_EXEC) {
+- int ret;
++ int ret = 0;
+
+ if (count < candidate_len)
+ continue;
+
+- ret = aa_xattrs_match(bprm, profile, state);
+- /* Fail matching if the xattrs don't match */
+- if (ret < 0)
+- continue;
++ if (bprm && profile->xattr_count) {
++ long rev = READ_ONCE(ns->revision);
+
++ if (!aa_get_profile_not0(profile))
++ goto restart;
++ rcu_read_unlock();
++ ret = aa_xattrs_match(bprm, profile,
++ state);
++ rcu_read_lock();
++ aa_put_profile(profile);
++ if (rev !=
++ READ_ONCE(ns->revision))
++ /* policy changed */
++ goto restart;
++ /*
++ * Fail matching if the xattrs don't
++ * match
++ */
++ if (ret < 0)
++ continue;
++ }
+ /*
+ * TODO: allow for more flexible best match
+ *
+@@ -449,43 +468,28 @@ static struct aa_profile *__attach_match
+ candidate_xattrs = ret;
+ conflict = false;
+ }
+- } else if (!strcmp(profile->base.name, name))
++ } else if (!strcmp(profile->base.name, name)) {
+ /*
+ * old exact non-re match, without conditionals such
+ * as xattrs. no more searching required
+ */
+- return profile;
++ candidate = profile;
++ goto out;
++ }
+ }
+
+- if (conflict) {
+- *info = "conflicting profile attachments";
++ if (!candidate || conflict) {
++ if (conflict)
++ *info = "conflicting profile attachments";
++ rcu_read_unlock();
+ return NULL;
+ }
+
+- return candidate;
+-}
+-
+-/**
+- * find_attach - do attachment search for unconfined processes
+- * @bprm - binprm structure of transitioning task
+- * @ns: the current namespace (NOT NULL)
+- * @list: list to search (NOT NULL)
+- * @name: the executable name to match against (NOT NULL)
+- * @info: info message if there was an error
+- *
+- * Returns: label or NULL if no match found
+- */
+-static struct aa_label *find_attach(const struct linux_binprm *bprm,
+- struct aa_ns *ns, struct list_head *list,
+- const char *name, const char **info)
+-{
+- struct aa_profile *profile;
+-
+- rcu_read_lock();
+- profile = aa_get_profile(__attach_match(bprm, name, list, info));
++out:
++ candidate = aa_get_newest_profile(candidate);
+ rcu_read_unlock();
+
+- return profile ? &profile->label : NULL;
++ return &candidate->label;
+ }
+
+ static const char *next_name(int xtype, const char *name)
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1126,8 +1126,8 @@ ssize_t aa_remove_profiles(struct aa_ns
+ if (!name) {
+ /* remove namespace - can only happen if fqname[0] == ':' */
+ mutex_lock_nested(&ns->parent->lock, ns->level);
+- __aa_remove_ns(ns);
+ __aa_bump_ns_revision(ns);
++ __aa_remove_ns(ns);
+ mutex_unlock(&ns->parent->lock);
+ } else {
+ /* remove profile */
+@@ -1139,9 +1139,9 @@ ssize_t aa_remove_profiles(struct aa_ns
+ goto fail_ns_lock;
+ }
+ name = profile->base.hname;
++ __aa_bump_ns_revision(ns);
+ __remove_profile(profile);
+ __aa_labelset_update_subtree(ns);
+- __aa_bump_ns_revision(ns);
+ mutex_unlock(&ns->lock);
+ }
+
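Review bot: In the domain.c part of the apparmor patch, the `restart:` label in find_attach() sits after the initialisers, so both `goto restart` paths re-walk the list with candidate_len, candidate_xattrs and conflict (and, as far as the hunks show, candidate) left over from the interrupted pass. candidate is a bare pointer recorded before `rcu_read_unlock()` with no reference taken on it, so after a policy change it may refer to a profile that has since been removed, and the leftover lengths can make the second pass skip or mis-rank entries; the comparison code between the hunks is not visible here, so this should be confirmed against the full function. Resetting the search state at the label would make each pass self-contained. Separately, the kernel-doc still says `Requires: @head not be shared or have appropriate locks held` although the function now takes the RCU read lock itself, and it does not mention that the walk may sleep or that the label comes from aa_get_newest_profile().

```c
	rcu_read_lock();
restart:
	/* each pass starts clean: state from an interrupted walk may be stale */
	candidate = NULL;
	candidate_len = 0;
	candidate_xattrs = 0;
	conflict = false;
	list_for_each_entry_rcu(profile, head, base.list) {
		/* … unchanged: xmatch walk, xattr check and candidate selection … */
```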
diff --git a/queue-4.19/exit-panic-before-exit_mm-on-global-init-exit.patch b/queue-4.19/exit-panic-before-exit_mm-on-global-init-exit.patch
new file mode 100644
index 00000000000..9a7b23789df
--- /dev/null
+++ b/queue-4.19/exit-panic-before-exit_mm-on-global-init-exit.patch
@@ -0,0 +1,62 @@
+From 43cf75d96409a20ef06b756877a2e72b10a026fc Mon Sep 17 00:00:00 2001
+From: chenqiwu
+Date: Thu, 19 Dec 2019 14:29:53 +0800
+Subject: exit: panic before exit_mm() on global init exit
+
+From: chenqiwu
+
+commit 43cf75d96409a20ef06b756877a2e72b10a026fc upstream.
+
+Currently, when global init and all threads in its thread-group have exited
+we panic via:
+do_exit()
+-> exit_notify()
+ -> forget_original_parent()
+ -> find_child_reaper()
+This makes it hard to extract a useable coredump for global init from a
+kernel crashdump because by the time we panic exit_mm() will have already
+released global init's mm.
+This patch moves the panic futher up before exit_mm() is called. As was the
+case previously, we only panic when global init and all its threads in the
+thread-group have exited.
+
+Signed-off-by: chenqiwu
+Acked-by: Christian Brauner
+Acked-by: Oleg Nesterov
+[christian.brauner@ubuntu.com: fix typo, rewrite commit message]
+Link: https://lore.kernel.org/r/1576736993-10121-1-git-send-email-qiwuchen55@gmail.com
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/exit.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -578,10 +578,6 @@ static struct task_struct *find_child_re
+ }
+
+ write_unlock_irq(&tasklist_lock);
+- if (unlikely(pid_ns == &init_pid_ns)) {
+- panic("Attempted to kill init! exitcode=0x%08x\n",
+- father->signal->group_exit_code ?: father->exit_code);
+- }
+
+ list_for_each_entry_safe(p, n, dead, ptrace_entry) {
+ list_del_init(&p->ptrace_entry);
+@@ -845,6 +841,14 @@ void __noreturn do_exit(long code)
+ acct_update_integrals(tsk);
+ group_dead = atomic_dec_and_test(&tsk->signal->live);
+ if (group_dead) {
++ /*
++ * If the last thread of global init has exited, panic
++ * immediately to get a useable coredump.
++ */
++ if (unlikely(is_global_init(tsk)))
++ panic("Attempted to kill init! exitcode=0x%08x\n",
++ tsk->signal->group_exit_code ?: (int)code);
++
+ #ifdef CONFIG_POSIX_TIMERS
+ hrtimer_cancel(&tsk->signal->real_timer);
+ exit_itimers(tsk->signal);
diff --git a/queue-4.19/series b/queue-4.19/series
index dd99c9abeb6..8397d3b13d3 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -69,3 +69,7 @@ tracing-fix-lock-inversion-in-trace_event_enable_tgid_record.patch
 tracing-avoid-memory-leak-in-process_system_preds.patch
 tracing-have-the-histogram-compare-functions-convert-to-u64-first.patch
 tracing-fix-endianness-bug-in-histogram-trigger.patch
+apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
+alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
+alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
+exit-panic-before-exit_mm-on-global-init-exit.patch
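Review bot: With the `pid_ns == &init_pid_ns` check removed from find_child_reaper() in the exit patch, nothing in that function records that the global-init case must already have been stopped in do_exit(); the lines after `write_unlock_irq(&tasklist_lock)` now run for any pid namespace that gets that far. The new comment in do_exit() gives the coredump motive but not that it replaces the later check, so a line such as `/* Sole check for global init exit: find_child_reaper() no longer panics. */` there, or a `WARN_ON_ONCE(pid_ns == &init_pid_ns);` at the old site, would keep the invariant visible. The `(int)code` cast also deserves a word of comment, since the removed call printed father->exit_code and the hunk does not show why the parameter is used instead. Both functions continue outside their hunks.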