From: Greg Kroah-Hartman Date: Thu, 13 Jun 2019 09:13:55 +0000 (+0200) Subject: 5.1-stable patches X-Git-Tag: v5.1.10~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b36b0b9b3b389910273cfd665dc33954b0144fed;p=thirdparty%2Fkernel%2Fstable-queue.git 5.1-stable patches added patches: alsa-seq-cover-unsubscribe_port-in-list_mutex.patch io_uring-fix-failure-to-verify-sq_aff-cpu.patch --- diff --git a/queue-5.1/alsa-seq-cover-unsubscribe_port-in-list_mutex.patch b/queue-5.1/alsa-seq-cover-unsubscribe_port-in-list_mutex.patch new file mode 100644 index 00000000000..9ee4b66a050 --- /dev/null +++ b/queue-5.1/alsa-seq-cover-unsubscribe_port-in-list_mutex.patch @@ -0,0 +1,37 @@ +From 7c32ae35fbf9cffb7aa3736f44dec10c944ca18e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 12 Apr 2019 11:37:19 +0200 +Subject: ALSA: seq: Cover unsubscribe_port() in list_mutex + +From: Takashi Iwai + +commit 7c32ae35fbf9cffb7aa3736f44dec10c944ca18e upstream. + +The call of unsubscribe_port() which manages the group count and +module refcount from delete_and_unsubscribe_port() looks racy; it's +not covered by the group list lock, and it's likely a cause of the +reported unbalance at port deletion. Let's move the call inside the +group list_mutex to plug the hole. + +Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_ports.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -550,10 +550,10 @@ static void delete_and_unsubscribe_port( + list_del_init(list); + grp->exclusive = 0; + write_unlock_irq(&grp->list_lock); +- up_write(&grp->list_mutex); + + if (!empty) + unsubscribe_port(client, port, grp, &subs->info, ack); ++ up_write(&grp->list_mutex); + } + + /* connect two ports */ 
diff --git a/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch b/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch deleted file mode 100644 index 6fa8c79aa29..00000000000 --- a/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From b9ab7c8a9ce76312d4696c6f9004dd8de29ec702 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Tue, 9 Apr 2019 17:35:22 +0200 -Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex - -[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ] - -ALSA OSS sequencer calls the ioctl function indirectly via -snd_seq_kernel_client_ctl(). While we already applied the protection -against races between the normal ioctls and writes via the client's -ioctl_mutex, this code path was left untouched. And this seems to be -the cause of still remaining some rare UAF as spontaneously triggered -by syzkaller. - -For the sake of robustness, wrap the ioctl_mutex also for the call via -snd_seq_kernel_client_ctl(), too. - -Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/core/seq/seq_clientmgr.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index 38e7deab6384..b3280e81bfd1 100644 ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) - { - const struct ioctl_handler *handler; - struct snd_seq_client *client; -+ int err; - - client = clientptr(clientid); - if (client == NULL) - return -ENXIO; - - for (handler = ioctl_handlers; handler->cmd > 0; ++handler) { -- if (handler->cmd == cmd) -- return handler->func(client, arg); -+ if (handler->cmd == cmd) { -+ mutex_lock(&client->ioctl_mutex); -+ err = handler->func(client, arg); -+ mutex_unlock(&client->ioctl_mutex); -+ return err; -+ } - } - - pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", --- -2.20.1 - diff --git a/queue-5.1/io_uring-fix-failure-to-verify-sq_aff-cpu.patch b/queue-5.1/io_uring-fix-failure-to-verify-sq_aff-cpu.patch new file mode 100644 index 00000000000..da02dc02053 
--- /dev/null +++ b/queue-5.1/io_uring-fix-failure-to-verify-sq_aff-cpu.patch @@ -0,0 +1,47 @@ +From 44a9bd18a0f06bba19d155aeaa11e2edce898293 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 14 May 2019 20:00:30 -0600 +Subject: io_uring: fix failure to verify SQ_AFF cpu + +From: Jens Axboe + +commit 44a9bd18a0f06bba19d155aeaa11e2edce898293 upstream. + +The test case we have is rightfully failing with the current kernel: + +io_uring_setup(1, 0x7ffe2cafebe0), flags: IORING_SETUP_SQPOLL|IORING_SETUP_SQ_AFF, resv: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000, sq_thread_cpu: 4 +expected -1, got 3 + +This is in a vm, and CPU3 is the last valid one, hence asking for 4 +should fail the setup with -EINVAL, not succeed. The problem is that +we're using array_index_nospec() with nr_cpu_ids as the index, hence we +wrap and end up using CPU0 instead of CPU4. This makes the setup +succeed where it should be failing. + +We don't need to use array_index_nospec() as we're not indexing any +array with this. Instead just compare with nr_cpu_ids directly. This +is fine as we're checking with cpu_online() afterwards. + +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2330,10 +2330,11 @@ static int io_sq_offload_start(struct io + ctx->sq_thread_idle = HZ; + + if (p->flags & IORING_SETUP_SQ_AFF) { +- int cpu = array_index_nospec(p->sq_thread_cpu, +- nr_cpu_ids); ++ int cpu = p->sq_thread_cpu; + + ret = -EINVAL; ++ if (cpu >= nr_cpu_ids) ++ goto err; + if (!cpu_online(cpu)) + goto err; + diff --git a/queue-5.1/series b/queue-5.1/series index 3102370abeb..3a8ae5cc022 100644 --- a/queue-5.1/series +++ b/queue-5.1/series 
@@ -114,7 +114,6 @@ arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch drm-amd-display-disable-link-before-changing-link-se.patch drm-amd-display-use-plane-color_space-for-dpp-if-spe.patch -alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch arm-omap2-pm33xx-core-do-not-turn-off-cefuse-as-ppa-.patch pinctrl-pinctrl-intel-move-gpio-suspend-resume-to-no.patch platform-x86-intel_pmc_ipc-adding-error-handling.patch @@ -153,3 +152,5 @@ revert-bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections revert-drm-nouveau-add-kconfig-option-to-turn-off-nouveau-legacy-contexts.-v3.patch ovl-check-the-capability-before-cred-overridden.patch ovl-support-stacked-seek_hole-seek_data.patch +alsa-seq-cover-unsubscribe_port-in-list_mutex.patch +io_uring-fix-failure-to-verify-sq_aff-cpu.patch
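Review bot: in the sound/core/seq/seq_ports.c hunk (delete_and_unsubscribe_port()), unsubscribe_port() is now called with grp->list_mutex held for write, but nothing in the hunk documents that requirement or shows that unsubscribe_port() and the code it reaches never take grp->list_mutex themselves. Please add a comment at unsubscribe_port() stating that it must be called under list_mutex, and say in the changelog how the callee path was checked for re-acquisition. The message only says the race "looks racy" and is "likely" the cause of the reported unbalance, so a note on whether the syzbot reproducer was re-run with this change would help stable reviewers.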
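Review bot: in the fs/io_uring.c hunk (io_sq_offload_start()), the new bound check "if (cpu >= nr_cpu_ids)" operates on "int cpu = p->sq_thread_cpu;", so its result depends on integer conversion rules that are not visible here. The types of p->sq_thread_cpu and nr_cpu_ids are not shown in the hunk; if the field is unsigned, a value above INT_MAX becomes negative in cpu, and there is no explicit lower-bound check before cpu_online(cpu). Suggest comparing the field directly, "if (p->sq_thread_cpu >= nr_cpu_ids) goto err;", or declaring cpu with the field's own type, so that out-of-range values are rejected regardless of signedness.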
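Review bot: the queue-5.1/series hunk at -114,7 drops alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch, and the patch file itself is deleted, but the commit message lists only "added patches" and gives no reason for the removal. The dropped patch carries the same syzbot Reported-by as the newly added alsa-seq-cover-unsubscribe_port-in-list_mutex.patch, so a reader cannot tell from this commit whether the ioctl_mutex change was found faulty, superseded, or is to be re-queued. Please add a line to the message naming the dropped patch and the reason.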