From 01e516eab08954f872a53e02ed351315b4c786f3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 13 May 2019 09:53:42 +0200
Subject: [PATCH] 5.1-stable patches
added patches:
hwmon-occ-fix-extended-status-bits.patch
hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch
i2c-core-ratelimit-transfer-when-suspended-errors.patch
kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
platform-x86-dell-laptop-fix-rfkill-functionality.patch
platform-x86-sony-laptop-fix-unintentional-fall-through.patch
platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch
selftests-seccomp-handle-namespace-failures-gracefully.patch
virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch
---
 .../hwmon-occ-fix-extended-status-bits.patch | 47 +++++
 ...e-pwm-if-fetching-cooling-data-fails.patch | 34 ++++
 ...limit-transfer-when-suspended-errors.patch | 57 ++++++
 ...x-barrier-usage-in-__kernfs_new_node.patch | 38 ++++
 ...dell-laptop-fix-rfkill-functionality.patch | 57 ++++++
 ...aptop-fix-unintentional-fall-through.patch | 53 +++++
 ...-disable-bluetooth-for-some-machines.patch | 119 +++++++++++
 ...handle-namespace-failures-gracefully.patch | 189 ++++++++++++++++++
 queue-5.1/series | 9 +
 ...for-hgcm-calls-coming-from-userspace.patch | 73 +++++++
 10 files changed, 676 insertions(+)
 create mode 100644 queue-5.1/hwmon-occ-fix-extended-status-bits.patch
 create mode 100644 queue-5.1/hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch
 create mode 100644 queue-5.1/i2c-core-ratelimit-transfer-when-suspended-errors.patch
 create mode 100644 queue-5.1/kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
 create mode 100644 queue-5.1/platform-x86-dell-laptop-fix-rfkill-functionality.patch
 create mode 100644 queue-5.1/platform-x86-sony-laptop-fix-unintentional-fall-through.patch
 create mode 100644 queue-5.1/platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch
 create mode 100644 queue-5.1/selftests-seccomp-handle-namespace-failures-gracefully.patch
 create mode 100644 queue-5.1/virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch
diff --git a/queue-5.1/hwmon-occ-fix-extended-status-bits.patch b/queue-5.1/hwmon-occ-fix-extended-status-bits.patch
new file mode 100644
index 00000000000..7b4370f3a42
--- /dev/null
+++ b/queue-5.1/hwmon-occ-fix-extended-status-bits.patch
@@ -0,0 +1,47 @@
+From b88c5049219a7f322bb1fd65fc30d17472a23563 Mon Sep 17 00:00:00 2001
+From: Lei YU
+Date: Mon, 15 Apr 2019 18:37:20 +0800
+Subject: hwmon: (occ) Fix extended status bits
+
+From: Lei YU
+
+commit b88c5049219a7f322bb1fd65fc30d17472a23563 upstream.
+
+The occ's extended status is checked and shown as sysfs attributes. But
+the code was incorrectly checking the "status" bits.
+Fix it by checking the "ext_status" bits.
+
+Cc: stable@vger.kernel.org
+Fixes: df04ced684d4 ("hwmon (occ): Add sysfs attributes for additional OCC data")
+Signed-off-by: Lei YU
+Reviewed-by: Eddie James
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwmon/occ/sysfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwmon/occ/sysfs.c
++++ b/drivers/hwmon/occ/sysfs.c
+@@ -42,16 +42,16 @@ static ssize_t occ_sysfs_show(struct dev
+ val = !!(header->status & OCC_STAT_ACTIVE);
+ break;
+ case 2:
+- val = !!(header->status & OCC_EXT_STAT_DVFS_OT);
++ val = !!(header->ext_status & OCC_EXT_STAT_DVFS_OT);
+ break;
+ case 3:
+- val = !!(header->status & OCC_EXT_STAT_DVFS_POWER);
++ val = !!(header->ext_status & OCC_EXT_STAT_DVFS_POWER);
+ break;
+ case 4:
+- val = !!(header->status & OCC_EXT_STAT_MEM_THROTTLE);
++ val = !!(header->ext_status & OCC_EXT_STAT_MEM_THROTTLE);
+ break;
+ case 5:
+- val = !!(header->status & OCC_EXT_STAT_QUICK_DROP);
++ val = !!(header->ext_status & OCC_EXT_STAT_QUICK_DROP);
+ break;
+ case 6:
+ val = header->occ_state;
diff --git a/queue-5.1/hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch b/queue-5.1/hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch
new file mode 100644
index 00000000000..d35c37b842b
--- /dev/null
+++ b/queue-5.1/hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch
@@ -0,0 +1,34 @@
+From 53f1647da3e8fb3e89066798f0fdc045064d353d Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Wed, 3 Apr 2019 14:48:33 +0200
+Subject: hwmon: (pwm-fan) Disable PWM if fetching cooling data fails
+
+From: Stefan Wahren
+
+commit 53f1647da3e8fb3e89066798f0fdc045064d353d upstream.
+
+In case pwm_fan_of_get_cooling_data() fails we should disable the PWM
+just like in the other error cases.
+
+Fixes: 2e5219c77183 ("hwmon: (pwm-fan) Read PWM FAN configuration from device tree")
+Cc: # 4.14+
+Reported-by: Guenter Rock
+Signed-off-by: Stefan Wahren
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwmon/pwm-fan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/pwm-fan.c
++++ b/drivers/hwmon/pwm-fan.c
+@@ -271,7 +271,7 @@ static int pwm_fan_probe(struct platform
+
+ ret = pwm_fan_of_get_cooling_data(&pdev->dev, ctx);
+ if (ret)
+- return ret;
++ goto err_pwm_disable;
+
+ ctx->pwm_fan_state = ctx->pwm_fan_max_state;
+ if (IS_ENABLED(CONFIG_THERMAL)) {
diff --git a/queue-5.1/i2c-core-ratelimit-transfer-when-suspended-errors.patch b/queue-5.1/i2c-core-ratelimit-transfer-when-suspended-errors.patch
new file mode 100644
index 00000000000..181bfe5df7f
--- /dev/null
+++ b/queue-5.1/i2c-core-ratelimit-transfer-when-suspended-errors.patch
@@ -0,0 +1,57 @@
+From 4db61c2a16fce2ef85d82751de4ba43a39347cfb Mon Sep 17 00:00:00 2001
+From: Wolfram Sang
+Date: Thu, 25 Apr 2019 16:19:47 +0200
+Subject: i2c: core: ratelimit 'transfer when suspended' errors
+
+From: Wolfram Sang
+
+commit 4db61c2a16fce2ef85d82751de4ba43a39347cfb upstream.
+
+There are two problems with WARN_ON() here. One: It is not ratelimited.
+Two: We don't see which adapter was used when trying to transfer
+something when already suspended. Implement a custom ratelimit once per
+adapter and use dev_WARN there. This fixes both issues. Drawback is that
+we don't see if multiple drivers are trying to transfer with the same
+adapter while suspended. They need to be discovered one after the other
+now. This is better than a high CPU load because a really broken driver
+might try to resend endlessly.
+
+Fixes: 9ac6cb5fbb17 ("i2c: add suspended flag and accessors for i2c adapters")
+Signed-off-by: Wolfram Sang
+Reviewed-by: Simon Horman
+Signed-off-by: Wolfram Sang
+Cc: stable@vger.kernel.org # v5.1+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/i2c-core-base.c | 5 ++++-
+ include/linux/i2c.h | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -1871,8 +1871,11 @@ int __i2c_transfer(struct i2c_adapter *a
+
+ if (WARN_ON(!msgs || num < 1))
+ return -EINVAL;
+- if (WARN_ON(test_bit(I2C_ALF_IS_SUSPENDED, &adap->locked_flags)))
++ if (test_bit(I2C_ALF_IS_SUSPENDED, &adap->locked_flags)) {
++ if (!test_and_set_bit(I2C_ALF_SUSPEND_REPORTED, &adap->locked_flags))
++ dev_WARN(&adap->dev, "Transfer while suspended\n");
+ return -ESHUTDOWN;
++ }
+
+ if (adap->quirks && i2c_check_for_quirks(adap, msgs, num))
+ return -EOPNOTSUPP;
+--- a/include/linux/i2c.h
++++ b/include/linux/i2c.h
+@@ -682,7 +682,8 @@ struct i2c_adapter {
+ int retries;
+ struct device dev; /* the adapter device */
+ unsigned long locked_flags; /* owned by the I2C core */
+-#define I2C_ALF_IS_SUSPENDED 0
++#define I2C_ALF_IS_SUSPENDED 0
++#define I2C_ALF_SUSPEND_REPORTED 1
+
+ int nr;
+ char name[48];
diff --git a/queue-5.1/kernfs-fix-barrier-usage-in-__kernfs_new_node.patch b/queue-5.1/kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
new file mode 100644
index 00000000000..48e95eae268
--- /dev/null
+++ b/queue-5.1/kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
@@ -0,0 +1,38 @@
+From 998267900cee901c5d1dfa029a6304d00acbc29f Mon Sep 17 00:00:00 2001
+From: Andrea Parri
+Date: Tue, 16 Apr 2019 14:17:11 +0200
+Subject: kernfs: fix barrier usage in __kernfs_new_node()
+
+From: Andrea Parri
+
+commit 998267900cee901c5d1dfa029a6304d00acbc29f upstream.
+
+smp_mb__before_atomic() can not be applied to atomic_set(). Remove the
+barrier and rely on RELEASE synchronization.
+
+Fixes: ba16b2846a8c6 ("kernfs: add an API to get kernfs node from inode number")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrea Parri
+Acked-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/kernfs/dir.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/kernfs/dir.c
++++ b/fs/kernfs/dir.c
+@@ -650,11 +650,10 @@ static struct kernfs_node *__kernfs_new_
+ kn->id.generation = gen;
+
+ /*
+- * set ino first. This barrier is paired with atomic_inc_not_zero in
++ * set ino first. This RELEASE is paired with atomic_inc_not_zero in
+ * kernfs_find_and_get_node_by_ino
+ */
+- smp_mb__before_atomic();
+- atomic_set(&kn->count, 1);
++ atomic_set_release(&kn->count, 1);
+ atomic_set(&kn->active, KN_DEACTIVATED_BIAS);
+ RB_CLEAR_NODE(&kn->rb);
+
diff --git a/queue-5.1/platform-x86-dell-laptop-fix-rfkill-functionality.patch b/queue-5.1/platform-x86-dell-laptop-fix-rfkill-functionality.patch
new file mode 100644
index 00000000000..d786a47922e
--- /dev/null
+++ b/queue-5.1/platform-x86-dell-laptop-fix-rfkill-functionality.patch
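Review bot: Nothing in either hunk of the i2c patch clears `I2C_ALF_SUSPEND_REPORTED`, so unless it is reset somewhere outside this patch the `dev_WARN` in `__i2c_transfer()` fires once per adapter lifetime, not once per suspend cycle, and a transfer-while-suspended regression after the first resume is only visible as `-ESHUTDOWN` to the caller. If that is the intent, record it next to the define, e.g. `#define I2C_ALF_SUSPEND_REPORTED 1 /* set on first report, never cleared */`; otherwise clear the bit where `I2C_ALF_IS_SUSPENDED` is cleared. `__i2c_transfer()` starts and ends outside the hunk.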
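Review bot: The comment above `atomic_set_release(&kn->count, 1)` still reads "set ino first" and does not say which stores the release is publishing, which is the whole point of the ordering. I would reword it along the lines of `/* Publish kn->id before count becomes non-zero; this RELEASE pairs with atomic_inc_not_zero() in kernfs_find_and_get_node_by_ino(). */` so the reader can check both sides of the pairing. Only `kn->id.generation = gen;` is visible in the hunk; the rest of `__kernfs_new_node()` lies outside it, so the exact field list should be confirmed against the full function.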
@@ -0,0 +1,57 @@
+From 6cc13c28da5beee0f706db6450e190709700b34a Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 27 Mar 2019 09:25:34 -0500
+Subject: platform/x86: dell-laptop: fix rfkill functionality
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello
+
+commit 6cc13c28da5beee0f706db6450e190709700b34a upstream.
+
+When converting the driver two arguments were transposed leading
+to rfkill not working.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201427
+Reported-by: Pepijn de Vos
+Fixes: 549b49 ("platform/x86: dell-smbios: Introduce dispatcher for SMM calls")
+Signed-off-by: Mario Limonciello
+Acked-by: Pali Rohár
+Cc: # 4.14.x
+Signed-off-by: Darren Hart (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/dell-laptop.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/dell-laptop.c
++++ b/drivers/platform/x86/dell-laptop.c
+@@ -531,7 +531,7 @@ static void dell_rfkill_query(struct rfk
+ return;
+ }
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+ hwswitch = buffer.output[1];
+
+@@ -562,7 +562,7 @@ static int dell_debugfs_show(struct seq_
+ return ret;
+ status = buffer.output[1];
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ hwswitch_ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+ if (hwswitch_ret)
+ return hwswitch_ret;
+@@ -647,7 +647,7 @@ static void dell_update_rfkill(struct wo
+ if (ret != 0)
+ return;
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+
+ if (ret == 0 && (status & BIT(0)))
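Review bot: All three call sites (`dell_rfkill_query`, `dell_debugfs_show`, `dell_update_rfkill`) still pass `0x2` as a bare positional literal among three zeros, which is the shape of call in which the transposition being fixed here went unnoticed. A one-line comment at each site, or a named constant shared by the three, would make the next slip visible in review, for example `/* arg 0 = 0x2: hwswitch query (confirm against the SMBIOS call spec) */`. The meaning of `0x2` is inferred from the result being read into `hwswitch`; the hunks do not state it, and all three functions continue outside their hunks.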
diff --git a/queue-5.1/platform-x86-sony-laptop-fix-unintentional-fall-through.patch b/queue-5.1/platform-x86-sony-laptop-fix-unintentional-fall-through.patch
new file mode 100644
index 00000000000..318025af46a
--- /dev/null
+++ b/queue-5.1/platform-x86-sony-laptop-fix-unintentional-fall-through.patch
@@ -0,0 +1,53 @@
+From 1cbd7a64959d33e7a2a1fa2bf36a62b350a9fcbd Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 24 Apr 2019 13:09:34 -0500
+Subject: platform/x86: sony-laptop: Fix unintentional fall-through
+
+From: Gustavo A. R. Silva
+
+commit 1cbd7a64959d33e7a2a1fa2bf36a62b350a9fcbd upstream.
+
+It seems that the default case should return AE_CTRL_TERMINATE, instead
+of falling through to case ACPI_RESOURCE_TYPE_END_TAG and returning AE_OK;
+otherwise the line of code at the end of the function is unreachable and
+makes no sense:
+
+return AE_CTRL_TERMINATE;
+
+This fix is based on the following thread of discussion:
+
+https://lore.kernel.org/patchwork/patch/959782/
+
+Fixes: 33a04454527e ("sony-laptop: Add SNY6001 device handling (sonypi reimplementation)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Kees Cook
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/sony-laptop.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -4424,14 +4424,16 @@ sony_pic_read_possible_resource(struct a
+ }
+ return AE_OK;
+ }
++
++ case ACPI_RESOURCE_TYPE_END_TAG:
++ return AE_OK;
++
+ default:
+ dprintk("Resource %d isn't an IRQ nor an IO port\n",
+ resource->type);
++ return AE_CTRL_TERMINATE;
+
+- case ACPI_RESOURCE_TYPE_END_TAG:
+- return AE_OK;
+ }
+- return AE_CTRL_TERMINATE;
+ }
+
+ static int sony_pic_possible_resources(struct acpi_device *device)
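Review bot: With the trailing `return AE_CTRL_TERMINATE;` removed, `sony_pic_read_possible_resource()` now ends directly after the switch, so every case has to return on its own. The cases above the hunk are not visible here; if any of them can `break` out, control falls off the end of a function that returns a status, so that is worth checking against the full function. The new `default:` block also leaves an empty line between `return AE_CTRL_TERMINATE;` and the closing brace of the switch, which can be dropped.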
diff --git a/queue-5.1/platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch b/queue-5.1/platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch
new file mode 100644
index 00000000000..3935a36fd65
--- /dev/null
+++ b/queue-5.1/platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch
@@ -0,0 +1,119 @@
+From f7db839fccf087664e5587966220821289b6a9cb Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang
+Date: Thu, 7 Mar 2019 17:37:16 +0800
+Subject: platform/x86: thinkpad_acpi: Disable Bluetooth for some machines
+
+From: Jiaxun Yang
+
+commit f7db839fccf087664e5587966220821289b6a9cb upstream.
+
+Some AMD based ThinkPads have a firmware bug that calling
+"GBDC" will cause Bluetooth on Intel wireless cards blocked.
+
+Probe these models by DMI match and disable Bluetooth subdriver
+if specified Intel wireless card exist.
+
+Cc: stable # 4.14+
+Signed-off-by: Jiaxun Yang
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/thinkpad_acpi.c | 72 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 70 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -79,7 +79,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+ #include
+ #include
+@@ -4501,6 +4501,74 @@ static void bluetooth_exit(void)
+ bluetooth_shutdown();
+ }
+
++static const struct dmi_system_id bt_fwbug_list[] __initconst = {
++ {
++ .ident = "ThinkPad E485",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20KU"),
++ },
++ },
++ {
++ .ident = "ThinkPad E585",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20KV"),
++ },
++ },
++ {
++ .ident = "ThinkPad A285 - 20MW",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MW"),
++ },
++ },
++ {
++ .ident = "ThinkPad A285 - 20MX",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MX"),
++ },
++ },
++ {
++ .ident = "ThinkPad A485 - 20MU",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MU"),
++ },
++ },
++ {
++ .ident = "ThinkPad A485 - 20MV",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MV"),
++ },
++ },
++ {}
++};
++
++static const struct pci_device_id fwbug_cards_ids[] __initconst = {
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x24F3) },
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x24FD) },
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x2526) },
++ {}
++};
++
++
++static int __init have_bt_fwbug(void)
++{
++ /*
++ * Some AMD based ThinkPads have a firmware bug that calling
++ * "GBDC" will cause bluetooth on Intel wireless cards blocked
++ */
++ if (dmi_check_system(bt_fwbug_list) && pci_dev_present(fwbug_cards_ids)) {
++ vdbg_printk(TPACPI_DBG_INIT | TPACPI_DBG_RFKILL,
++ FW_BUG "disable bluetooth subdriver for Intel cards\n");
++ return 1;
++ } else
++ return 0;
++}
++
+ static int __init bluetooth_init(struct ibm_init_struct *iibm)
+ {
+ int res;
+@@ -4513,7 +4581,7 @@ static int __init bluetooth_init(struct
+
+ /* bluetooth not supported on 570, 600e/x, 770e, 770x, A21e, A2xm/p,
+ G4x, R30, R31, R40e, R50e, T20-22, X20-21 */
+- tp_features.bluetooth = hkey_handle &&
++ tp_features.bluetooth = !have_bt_fwbug() && hkey_handle &&
+ acpi_evalf(hkey_handle, &status, "GBDC", "qd");
+
+ vdbg_printk(TPACPI_DBG_INIT | TPACPI_DBG_RFKILL,
diff --git a/queue-5.1/selftests-seccomp-handle-namespace-failures-gracefully.patch b/queue-5.1/selftests-seccomp-handle-namespace-failures-gracefully.patch
new file mode 100644
index 00000000000..b94504a842f
--- /dev/null
+++ b/queue-5.1/selftests-seccomp-handle-namespace-failures-gracefully.patch
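Review bot: `have_bt_fwbug()` ends in `} else` followed by an unbraced `return 0;`, mixing a braced and an unbraced branch and keeping an `else` after a branch that already returns; I would write the tail as `}` then `return 0;`, and since the value is only ever negated in `bluetooth_init()` the function could return `bool` with `true`/`false`. Separately, the only trace that the quirk fired goes through `vdbg_printk`, which looks like a debug-level print, so on a normal boot a user whose Bluetooth rfkill support has been switched off by this table may get no log line explaining why; whether that is acceptable depends on how `vdbg_printk` is gated, which is not visible in the hunk.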
@@ -0,0 +1,189 @@
+From 9dd3fcb0ab73cb1e00b8562ef027a38521aaff87 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Thu, 11 Apr 2019 16:56:31 -0700
+Subject: selftests/seccomp: Handle namespace failures gracefully
+
+From: Kees Cook
+
+commit 9dd3fcb0ab73cb1e00b8562ef027a38521aaff87 upstream.
+
+When running without USERNS or PIDNS the seccomp test would hang since
+it was waiting forever for the child to trigger the user notification
+since it seems the glibc() abort handler makes a call to getpid(),
+which would trap again. This changes the getpid filter to getppid, and
+makes sure ASSERTs execute to stop from spawning the listener.
+
+Reported-by: Shuah Khan
+Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
+Cc: stable@vger.kernel.org # > 5.0
+Signed-off-by: Kees Cook
+Reviewed-by: Tycho Andersen
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 43 +++++++++++++-------------
+ 1 file changed, 23 insertions(+), 20 deletions(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -3095,9 +3095,9 @@ TEST(user_notification_basic)
+
+ /* Check that we get -ENOSYS with no listener attached */
+ if (pid == 0) {
+- if (user_trap_syscall(__NR_getpid, 0) < 0)
++ if (user_trap_syscall(__NR_getppid, 0) < 0)
+ exit(1);
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret >= 0 || errno != ENOSYS);
+ }
+
+@@ -3112,12 +3112,12 @@ TEST(user_notification_basic)
+ EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
+
+ /* Check that the basic notification machinery works */
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ /* Installing a second listener in the chain should EBUSY */
+- EXPECT_EQ(user_trap_syscall(__NR_getpid,
++ EXPECT_EQ(user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER),
+ -1);
+ EXPECT_EQ(errno, EBUSY);
+@@ -3126,7 +3126,7 @@ TEST(user_notification_basic)
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0) {
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != USER_NOTIF_MAGIC);
+ }
+
+@@ -3144,7 +3144,7 @@ TEST(user_notification_basic)
+ EXPECT_GT(poll(&pollfd, 1, -1), 0);
+ EXPECT_EQ(pollfd.revents, POLLOUT);
+
+- EXPECT_EQ(req.data.nr, __NR_getpid);
++ EXPECT_EQ(req.data.nr, __NR_getppid);
+
+ resp.id = req.id;
+ resp.error = 0;
+@@ -3176,7 +3176,7 @@ TEST(user_notification_kill_in_middle)
+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+ }
+
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+@@ -3188,7 +3188,7 @@ TEST(user_notification_kill_in_middle)
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0) {
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != USER_NOTIF_MAGIC);
+ }
+
+@@ -3298,7 +3298,7 @@ TEST(user_notification_closed_listener)
+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+ }
+
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+@@ -3309,7 +3309,7 @@ TEST(user_notification_closed_listener)
+ ASSERT_GE(pid, 0);
+ if (pid == 0) {
+ close(listener);
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != -1 && errno != ENOSYS);
+ }
+
+@@ -3332,14 +3332,15 @@ TEST(user_notification_child_pid_ns)
+
+ ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
+ EXPECT_EQ(req.pid, pid);
+@@ -3371,7 +3372,8 @@ TEST(user_notification_sibling_pid_ns)
+ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+ }
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+@@ -3384,7 +3386,7 @@ TEST(user_notification_sibling_pid_ns)
+ ASSERT_GE(pid2, 0);
+
+ if (pid2 == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
+ EXPECT_EQ(true, WIFEXITED(status));
+@@ -3393,11 +3395,11 @@ TEST(user_notification_sibling_pid_ns)
+ }
+
+ /* Create the sibling ns, and sibling in it. */
+- EXPECT_EQ(unshare(CLONE_NEWPID), 0);
+- EXPECT_EQ(errno, 0);
++ ASSERT_EQ(unshare(CLONE_NEWPID), 0);
++ ASSERT_EQ(errno, 0);
+
+ pid2 = fork();
+- EXPECT_GE(pid2, 0);
++ ASSERT_GE(pid2, 0);
+
+ if (pid2 == 0) {
+ ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
+@@ -3405,7 +3407,7 @@ TEST(user_notification_sibling_pid_ns)
+ * The pid should be 0, i.e. the task is in some namespace that
+ * we can't "see".
+ */
+- ASSERT_EQ(req.pid, 0);
++ EXPECT_EQ(req.pid, 0);
+
+ resp.id = req.id;
+ resp.error = 0;
+@@ -3435,14 +3437,15 @@ TEST(user_notification_fault_recv)
+
+ ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0)
+- exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ /* Do a bad recv() */
+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
diff --git a/queue-5.1/series b/queue-5.1/series
index e69de29bb2d..df6edeff6f1 100644
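Review bot: In `user_notification_sibling_pid_ns` the new `ASSERT_EQ(errno, 0);` directly after `ASSERT_EQ(unshare(CLONE_NEWPID), 0);` checks a value that a successful call does not reset, so a stale errno left by any earlier call now aborts the test instead of merely flagging it; the line can be dropped, since the return-value assert already covers the failure case. In `user_notification_closed_listener` the unchanged context line `exit(ret != -1 && errno != ENOSYS);` lets the child exit 0 when the syscall returns -1 with some other errno, whereas the equivalent check in `user_notification_basic` uses `||`; `exit(ret != -1 || errno != ENOSYS);` would make it reject that case. Both test bodies extend outside their hunks.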
--- a/queue-5.1/series
+++ b/queue-5.1/series
@@ -0,0 +1,9 @@
+platform-x86-sony-laptop-fix-unintentional-fall-through.patch
+platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch
+platform-x86-dell-laptop-fix-rfkill-functionality.patch
+hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch
+hwmon-occ-fix-extended-status-bits.patch
+selftests-seccomp-handle-namespace-failures-gracefully.patch
+i2c-core-ratelimit-transfer-when-suspended-errors.patch
+kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
+virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch
diff --git a/queue-5.1/virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch b/queue-5.1/virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch
new file mode 100644
index 00000000000..47848d95f8d
--- /dev/null
+++ b/queue-5.1/virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch
@@ -0,0 +1,73 @@
+From cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Thu, 4 Apr 2019 14:39:09 +0200
+Subject: virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace
+
+From: Hans de Goede
+
+commit cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 upstream.
+
+Userspace can make host function calls, called hgcm-calls through the
+/dev/vboxguest device.
+
+In this case we should not accept all hgcm-function-parameter-types, some
+are only valid for in kernel calls.
+
+This commit adds proper hgcm-function-parameter-type validation to the
+ioctl for doing a hgcm-call from userspace.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virt/vboxguest/vboxguest_core.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/drivers/virt/vboxguest/vboxguest_core.c
++++ b/drivers/virt/vboxguest/vboxguest_core.c
+@@ -1298,6 +1298,20 @@ static int vbg_ioctl_hgcm_disconnect(str
+ return ret;
+ }
+
++static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
++{
++ switch (type) {
++ case VMMDEV_HGCM_PARM_TYPE_32BIT:
++ case VMMDEV_HGCM_PARM_TYPE_64BIT:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
++ return true;
++ default:
++ return false;
++ }
++}
++
+ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
+ struct vbg_session *session, bool f32bit,
+ struct vbg_ioctl_hgcm_call *call)
+@@ -1333,6 +1347,23 @@ static int vbg_ioctl_hgcm_call(struct vb
+ }
+ call->hdr.size_out = actual_size;
+
++ /* Validate parameter types */
++ if (f32bit) {
++ struct vmmdev_hgcm_function_parameter32 *parm =
++ VBG_IOCTL_HGCM_CALL_PARMS32(call);
++
++ for (i = 0; i < call->parm_count; i++)
++ if (!vbg_param_valid(parm[i].type))
++ return -EINVAL;
++ } else {
++ struct vmmdev_hgcm_function_parameter *parm =
++ VBG_IOCTL_HGCM_CALL_PARMS(call);
++
++ for (i = 0; i < call->parm_count; i++)
++ if (!vbg_param_valid(parm[i].type))
++ return -EINVAL;
++ }
++
+ /*
+ * Validate the client id.
+ */
-- 
2.47.2
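Review bot: `vbg_param_valid()` is the trust boundary for userspace-supplied HGCM parameters but has no comment saying that it is an allowlist or why the remaining types are refused, so a later type added to the enum could be appended here without anyone asking whether userspace may use it. I would put something like `/* Parameter types userspace may pass; all other types are for in-kernel callers only and must be rejected. */` above the function. The two validation loops in `vbg_ioctl_hgcm_call()` index `parm[]` up to `call->parm_count`, which is safe only if the count was already bounded against the copied-in buffer size earlier in the function; the line `call->hdr.size_out = actual_size;` suggests such a check precedes this hunk, but it is not visible here and should be confirmed, since the function starts and ends outside the hunk.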