From 03422ec326e6790619e377d39a930986baebcb1c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 4 Jan 2021 15:15:30 +0100 Subject: [PATCH] 5.4-stable patches added patches: alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch bfs-don-t-use-warning-string-when-it-s-just-info.patch bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch media-gp8psk-initialize-stats-at-power-control-logic.patch misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch reiserfs-add-check-for-an-invalid-ih_entry_count.patch scsi-cxgb4i-fix-tls-dependency.patch --- ...ess-runtime-avail-always-in-spinlock.patch | 153 ++++++++++++++++++ ...ool-for-snd_seq_queue-internal-flags.patch | 44 +++++ ...e-warning-string-when-it-s-just-info.patch | 42 +++++ ...erdev-device-and-free-hu-in-h5_close.patch | 42 +++++ ...n-parsing-multiple-source-parameters.patch | 49 ++++++ ...-of-bounds-in-sanity_check_raw_super.patch | 67 ++++++++ ...otential-deadlock-in-send_sig-io-urg.patch | 127 +++++++++++++++ ...tialize-stats-at-power-control-logic.patch | 45 ++++++ ...ells-in-vmci_ctx_get_chkpt_doorbells.patch | 34 ++++ ...-check-for-an-invalid-ih_entry_count.patch | 41 +++++ .../scsi-cxgb4i-fix-tls-dependency.patch | 45 ++++++ queue-5.4/series | 11 ++ 12 files changed, 700 insertions(+) create mode 100644 queue-5.4/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch create mode 100644 queue-5.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch create mode 100644 queue-5.4/bfs-don-t-use-warning-string-when-it-s-just-info.patch create mode 100644 queue-5.4/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch create mode 100644 queue-5.4/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch create mode 100644 queue-5.4/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch create mode 100644 queue-5.4/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch create mode 100644 queue-5.4/media-gp8psk-initialize-stats-at-power-control-logic.patch create mode 100644 queue-5.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch create mode 100644 queue-5.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch create mode 100644 queue-5.4/scsi-cxgb4i-fix-tls-dependency.patch diff --git a/queue-5.4/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch b/queue-5.4/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch new file mode 100644 index 00000000000..da1d0d3b064 --- /dev/null +++ b/queue-5.4/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch @@ -0,0 +1,153 @@ +From 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 6 Dec 2020 09:35:27 +0100 +Subject: ALSA: rawmidi: Access runtime->avail always in spinlock + +From: Takashi Iwai + +commit 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 upstream. + +The runtime->avail field may be accessed concurrently while some +places refer to it without taking the runtime->lock spinlock, as +detected by KCSAN. Usually this isn't a big problem, but for +consistency and safety, we should take the spinlock at each place +referencing this field. + +Reported-by: syzbot+a23a6f1215c84756577c@syzkaller.appspotmail.com +Reported-by: syzbot+3d367d1df1d2b67f5c19@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20201206083527.21163-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/rawmidi.c | 49 +++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 35 insertions(+), 14 deletions(-) + +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -72,11 +72,21 @@ static inline unsigned short snd_rawmidi + } + } + +-static inline int snd_rawmidi_ready(struct snd_rawmidi_substream *substream) ++static inline bool __snd_rawmidi_ready(struct snd_rawmidi_runtime *runtime) ++{ ++ return runtime->avail >= runtime->avail_min; ++} ++ ++static bool snd_rawmidi_ready(struct snd_rawmidi_substream *substream) + { + struct snd_rawmidi_runtime *runtime = substream->runtime; ++ unsigned long flags; ++ bool ready; + +- return runtime->avail >= runtime->avail_min; ++ spin_lock_irqsave(&runtime->lock, flags); ++ ready = __snd_rawmidi_ready(runtime); ++ spin_unlock_irqrestore(&runtime->lock, flags); ++ return ready; + } + + static inline int snd_rawmidi_ready_append(struct snd_rawmidi_substream *substream, +@@ -945,7 +955,7 @@ int snd_rawmidi_receive(struct snd_rawmi + if (result > 0) { + if (runtime->event) + schedule_work(&runtime->event_work); +- else if (snd_rawmidi_ready(substream)) ++ else if (__snd_rawmidi_ready(runtime)) + wake_up(&runtime->sleep); + } + spin_unlock_irqrestore(&runtime->lock, flags); +@@ -1024,7 +1034,7 @@ static ssize_t snd_rawmidi_read(struct f + result = 0; + while (count > 0) { + spin_lock_irq(&runtime->lock); +- while (!snd_rawmidi_ready(substream)) { ++ while (!__snd_rawmidi_ready(runtime)) { + wait_queue_entry_t wait; + + if ((file->f_flags & O_NONBLOCK) != 0 || result > 0) { +@@ -1041,9 +1051,11 @@ static ssize_t snd_rawmidi_read(struct f + return -ENODEV; + if (signal_pending(current)) + return result > 0 ? result : -ERESTARTSYS; +- if (!runtime->avail) +- return result > 0 ? result : -EIO; + spin_lock_irq(&runtime->lock); ++ if (!runtime->avail) { ++ spin_unlock_irq(&runtime->lock); ++ return result > 0 ? result : -EIO; ++ } + } + spin_unlock_irq(&runtime->lock); + count1 = snd_rawmidi_kernel_read1(substream, +@@ -1181,7 +1193,7 @@ int __snd_rawmidi_transmit_ack(struct sn + runtime->avail += count; + substream->bytes += count; + if (count > 0) { +- if (runtime->drain || snd_rawmidi_ready(substream)) ++ if (runtime->drain || __snd_rawmidi_ready(runtime)) + wake_up(&runtime->sleep); + } + return count; +@@ -1370,9 +1382,11 @@ static ssize_t snd_rawmidi_write(struct + return -ENODEV; + if (signal_pending(current)) + return result > 0 ? result : -ERESTARTSYS; +- if (!runtime->avail && !timeout) +- return result > 0 ? result : -EIO; + spin_lock_irq(&runtime->lock); ++ if (!runtime->avail && !timeout) { ++ spin_unlock_irq(&runtime->lock); ++ return result > 0 ? result : -EIO; ++ } + } + spin_unlock_irq(&runtime->lock); + count1 = snd_rawmidi_kernel_write1(substream, buf, NULL, count); +@@ -1452,6 +1466,7 @@ static void snd_rawmidi_proc_info_read(s + struct snd_rawmidi *rmidi; + struct snd_rawmidi_substream *substream; + struct snd_rawmidi_runtime *runtime; ++ unsigned long buffer_size, avail, xruns; + + rmidi = entry->private_data; + snd_iprintf(buffer, "%s\n\n", rmidi->name); +@@ -1470,13 +1485,16 @@ static void snd_rawmidi_proc_info_read(s + " Owner PID : %d\n", + pid_vnr(substream->pid)); + runtime = substream->runtime; ++ spin_lock_irq(&runtime->lock); ++ buffer_size = runtime->buffer_size; ++ avail = runtime->avail; ++ spin_unlock_irq(&runtime->lock); + snd_iprintf(buffer, + " Mode : %s\n" + " Buffer size : %lu\n" + " Avail : %lu\n", + runtime->oss ? "OSS compatible" : "native", +- (unsigned long) runtime->buffer_size, +- (unsigned long) runtime->avail); ++ buffer_size, avail); + } + } + } +@@ -1494,13 +1512,16 @@ static void snd_rawmidi_proc_info_read(s + " Owner PID : %d\n", + pid_vnr(substream->pid)); + runtime = substream->runtime; ++ spin_lock_irq(&runtime->lock); ++ buffer_size = runtime->buffer_size; ++ avail = runtime->avail; ++ xruns = runtime->xruns; ++ spin_unlock_irq(&runtime->lock); + snd_iprintf(buffer, + " Buffer size : %lu\n" + " Avail : %lu\n" + " Overruns : %lu\n", +- (unsigned long) runtime->buffer_size, +- (unsigned long) runtime->avail, +- (unsigned long) runtime->xruns); ++ buffer_size, avail, xruns); + } + } + } diff --git a/queue-5.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch b/queue-5.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch new file mode 100644 index 00000000000..eb845d9dbff --- /dev/null +++ b/queue-5.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch @@ -0,0 +1,44 @@ +From 4ebd47037027c4beae99680bff3b20fdee5d7c1e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 6 Dec 2020 09:34:56 +0100 +Subject: ALSA: seq: Use bool for snd_seq_queue internal flags + +From: Takashi Iwai + +commit 4ebd47037027c4beae99680bff3b20fdee5d7c1e upstream. + +The snd_seq_queue struct contains various flags in the bit fields. +Those are categorized to two different use cases, both of which are +protected by different spinlocks. That implies that there are still +potential risks of the bad operations for bit fields by concurrent +accesses. + +For addressing the problem, this patch rearranges those flags to be +a standard bool instead of a bit field. + +Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20201206083456.21110-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_queue.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/core/seq/seq_queue.h ++++ b/sound/core/seq/seq_queue.h +@@ -26,10 +26,10 @@ struct snd_seq_queue { + + struct snd_seq_timer *timer; /* time keeper for this queue */ + int owner; /* client that 'owns' the timer */ +- unsigned int locked:1, /* timer is only accesibble by owner if set */ +- klocked:1, /* kernel lock (after START) */ +- check_again:1, +- check_blocked:1; ++ bool locked; /* timer is only accesibble by owner if set */ ++ bool klocked; /* kernel lock (after START) */ ++ bool check_again; /* concurrent access happened during check */ ++ bool check_blocked; /* queue being checked */ + + unsigned int flags; /* status flags */ + unsigned int info_flags; /* info for sync */ diff --git a/queue-5.4/bfs-don-t-use-warning-string-when-it-s-just-info.patch b/queue-5.4/bfs-don-t-use-warning-string-when-it-s-just-info.patch new file mode 100644 index 00000000000..83e0272ef14 --- /dev/null +++ b/queue-5.4/bfs-don-t-use-warning-string-when-it-s-just-info.patch @@ -0,0 +1,42 @@ +From dc889b8d4a8122549feabe99eead04e6b23b6513 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Tue, 15 Dec 2020 20:45:44 -0800 +Subject: bfs: don't use WARNING: string when it's just info. + +From: Randy Dunlap + +commit dc889b8d4a8122549feabe99eead04e6b23b6513 upstream. + +Make the printk() [bfs "printf" macro] seem less severe by changing +"WARNING:" to "NOTE:". + + warns us about using WARNING or BUG in a format string +other than in WARN() or BUG() family macros. bfs/inode.c is doing just +that in a normal printk() call, so change the "WARNING" string to be +"NOTE". + +Link: https://lkml.kernel.org/r/20201203212634.17278-1-rdunlap@infradead.org +Reported-by: syzbot+3fd34060f26e766536ff@syzkaller.appspotmail.com +Signed-off-by: Randy Dunlap +Cc: Dmitry Vyukov +Cc: Al Viro +Cc: "Tigran A. Aivazian" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/bfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/bfs/inode.c ++++ b/fs/bfs/inode.c +@@ -351,7 +351,7 @@ static int bfs_fill_super(struct super_b + + info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1; + if (info->si_lasti == BFS_MAX_LASTI) +- printf("WARNING: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id); ++ printf("NOTE: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id); + else if (info->si_lasti > BFS_MAX_LASTI) { + printf("Impossible last inode number %lu > %d on %s\n", info->si_lasti, BFS_MAX_LASTI, s->s_id); + goto out1; diff --git a/queue-5.4/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch b/queue-5.4/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch new file mode 100644 index 00000000000..75048ae2a33 --- /dev/null +++ b/queue-5.4/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch @@ -0,0 +1,42 @@ +From 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 Mon Sep 17 00:00:00 2001 +From: Anant Thazhemadam +Date: Wed, 30 Sep 2020 00:28:15 +0530 +Subject: Bluetooth: hci_h5: close serdev device and free hu in h5_close + +From: Anant Thazhemadam + +commit 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 upstream. + +When h5_close() gets called, the memory allocated for the hu gets +freed only if hu->serdev doesn't exist. This leads to a memory leak. +So when h5_close() is requested, close the serdev device instance and +free the memory allocated to the hu entirely instead. + +Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4 +Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com +Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_h5.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -250,8 +250,12 @@ static int h5_close(struct hci_uart *hu) + if (h5->vnd && h5->vnd->close) + h5->vnd->close(h5); + +- if (!hu->serdev) +- kfree(h5); ++ if (hu->serdev) ++ serdev_device_close(hu->serdev); ++ ++ kfree_skb(h5->rx_skb); ++ kfree(h5); ++ h5 = NULL; + + return 0; + } diff --git a/queue-5.4/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch b/queue-5.4/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch new file mode 100644 index 00000000000..1d2063943f4 --- /dev/null +++ b/queue-5.4/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch @@ -0,0 +1,49 @@ +From 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc Mon Sep 17 00:00:00 2001 +From: Qinglang Miao +Date: Thu, 10 Dec 2020 09:29:43 +0800 +Subject: cgroup: Fix memory leak when parsing multiple source parameters + +From: Qinglang Miao + +commit 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc upstream. + +A memory leak is found in cgroup1_parse_param() when multiple source +parameters overwrite fc->source in the fs_context struct without free. + +unreferenced object 0xffff888100d930e0 (size 16): + comm "mount", pid 520, jiffies 4303326831 (age 152.783s) + hex dump (first 16 bytes): + 74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00 testleak........ + backtrace: + [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0 + [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150 + [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0 + [<000000000f750198>] path_mount+0xee1/0x1820 + [<0000000004756de2>] do_mount+0xea/0x100 + [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0 + +Fix this bug by permitting a single source parameter and rejecting with +an error all subsequent ones. + +Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing") +Reported-by: Hulk Robot +Signed-off-by: Qinglang Miao +Reviewed-by: Zefan Li +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup-v1.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -914,6 +914,8 @@ int cgroup1_parse_param(struct fs_contex + opt = fs_parse(fc, &cgroup1_fs_parameters, param, &result); + if (opt == -ENOPARAM) { + if (strcmp(param->key, "source") == 0) { ++ if (fc->source) ++ return invalf(fc, "Multiple sources not supported"); + fc->source = param->string; + param->string = NULL; + return 0; diff --git a/queue-5.4/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch b/queue-5.4/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch new file mode 100644 index 00000000000..146f7e80083 --- /dev/null +++ b/queue-5.4/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch @@ -0,0 +1,67 @@ +From e584bbe821229a3e7cc409eecd51df66f9268c21 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 9 Dec 2020 16:49:36 +0800 +Subject: f2fs: fix shift-out-of-bounds in sanity_check_raw_super() + +From: Chao Yu + +commit e584bbe821229a3e7cc409eecd51df66f9268c21 upstream. + +syzbot reported a bug which could cause shift-out-of-bounds issue, +fix it. + +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 + sanity_check_raw_super fs/f2fs/super.c:2812 [inline] + read_raw_super_block fs/f2fs/super.c:3267 [inline] + f2fs_fill_super.cold+0x16c9/0x16f6 fs/f2fs/super.c:3519 + mount_bdev+0x34d/0x410 fs/super.c:1366 + legacy_get_tree+0x105/0x220 fs/fs_context.c:592 + vfs_get_tree+0x89/0x2f0 fs/super.c:1496 + do_new_mount fs/namespace.c:2896 [inline] + path_mount+0x12ae/0x1e70 fs/namespace.c:3227 + do_mount fs/namespace.c:3240 [inline] + __do_sys_mount fs/namespace.c:3448 [inline] + __se_sys_mount fs/namespace.c:3425 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: syzbot+ca9a785f8ac472085994@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/super.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2523,7 +2523,6 @@ static int sanity_check_raw_super(struct + block_t total_sections, blocks_per_seg; + struct f2fs_super_block *raw_super = (struct f2fs_super_block *) + (bh->b_data + F2FS_SUPER_OFFSET); +- unsigned int blocksize; + size_t crc_offset = 0; + __u32 crc = 0; + +@@ -2557,10 +2556,10 @@ static int sanity_check_raw_super(struct + } + + /* Currently, support only 4KB block size */ +- blocksize = 1 << le32_to_cpu(raw_super->log_blocksize); +- if (blocksize != F2FS_BLKSIZE) { +- f2fs_info(sbi, "Invalid blocksize (%u), supports only 4KB", +- blocksize); ++ if (le32_to_cpu(raw_super->log_blocksize) != F2FS_BLKSIZE_BITS) { ++ f2fs_info(sbi, "Invalid log_blocksize (%u), supports only %u", ++ le32_to_cpu(raw_super->log_blocksize), ++ F2FS_BLKSIZE_BITS); + return -EFSCORRUPTED; + } + diff --git a/queue-5.4/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch b/queue-5.4/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch new file mode 100644 index 00000000000..df22750e9e2 --- /dev/null +++ b/queue-5.4/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch @@ -0,0 +1,127 @@ +From 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c Mon Sep 17 00:00:00 2001 +From: Boqun Feng +Date: Thu, 5 Nov 2020 14:23:51 +0800 +Subject: fcntl: Fix potential deadlock in send_sig{io, urg}() + +From: Boqun Feng + +commit 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c upstream. + +Syzbot reports a potential deadlock found by the newly added recursive +read deadlock detection in lockdep: + +[...] ======================================================== +[...] WARNING: possible irq lock inversion dependency detected +[...] 5.9.0-rc2-syzkaller #0 Not tainted +[...] -------------------------------------------------------- +[...] syz-executor.1/10214 just changed the state of lock: +[...] ffff88811f506338 (&f->f_owner.lock){.+..}-{2:2}, at: send_sigurg+0x1d/0x200 +[...] but this lock was taken by another, HARDIRQ-safe lock in the past: +[...] (&dev->event_lock){-...}-{2:2} +[...] +[...] +[...] and interrupts could create inverse lock ordering between them. +[...] +[...] +[...] other info that might help us debug this: +[...] Chain exists of: +[...] &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock +[...] +[...] Possible interrupt unsafe locking scenario: +[...] +[...] CPU0 CPU1 +[...] ---- ---- +[...] lock(&f->f_owner.lock); +[...] local_irq_disable(); +[...] lock(&dev->event_lock); +[...] lock(&new->fa_lock); +[...] +[...] lock(&dev->event_lock); +[...] +[...] *** DEADLOCK *** + +The corresponding deadlock case is as followed: + + CPU 0 CPU 1 CPU 2 + read_lock(&fown->lock); + spin_lock_irqsave(&dev->event_lock, ...) + write_lock_irq(&filp->f_owner.lock); // wait for the lock + read_lock(&fown-lock); // have to wait until the writer release + // due to the fairness + + spin_lock_irqsave(&dev->event_lock); // wait for the lock + +The lock dependency on CPU 1 happens if there exists a call sequence: + + input_inject_event(): + spin_lock_irqsave(&dev->event_lock,...); + input_handle_event(): + input_pass_values(): + input_to_handler(): + handler->event(): // evdev_event() + evdev_pass_values(): + spin_lock(&client->buffer_lock); + __pass_event(): + kill_fasync(): + kill_fasync_rcu(): + read_lock(&fa->fa_lock); + send_sigio(): + read_lock(&fown->lock); + +To fix this, make the reader in send_sigurg() and send_sigio() use +read_lock_irqsave() and read_lock_irqrestore(). + +Reported-by: syzbot+22e87cdf94021b984aa6@syzkaller.appspotmail.com +Reported-by: syzbot+c5e32344981ad9f33750@syzkaller.appspotmail.com +Signed-off-by: Boqun Feng +Signed-off-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fcntl.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -779,9 +779,10 @@ void send_sigio(struct fown_struct *fown + { + struct task_struct *p; + enum pid_type type; ++ unsigned long flags; + struct pid *pid; + +- read_lock(&fown->lock); ++ read_lock_irqsave(&fown->lock, flags); + + type = fown->pid_type; + pid = fown->pid; +@@ -802,7 +803,7 @@ void send_sigio(struct fown_struct *fown + read_unlock(&tasklist_lock); + } + out_unlock_fown: +- read_unlock(&fown->lock); ++ read_unlock_irqrestore(&fown->lock, flags); + } + + static void send_sigurg_to_task(struct task_struct *p, +@@ -817,9 +818,10 @@ int send_sigurg(struct fown_struct *fown + struct task_struct *p; + enum pid_type type; + struct pid *pid; ++ unsigned long flags; + int ret = 0; + +- read_lock(&fown->lock); ++ read_lock_irqsave(&fown->lock, flags); + + type = fown->pid_type; + pid = fown->pid; +@@ -842,7 +844,7 @@ int send_sigurg(struct fown_struct *fown + read_unlock(&tasklist_lock); + } + out_unlock_fown: +- read_unlock(&fown->lock); ++ read_unlock_irqrestore(&fown->lock, flags); + return ret; + } + diff --git a/queue-5.4/media-gp8psk-initialize-stats-at-power-control-logic.patch b/queue-5.4/media-gp8psk-initialize-stats-at-power-control-logic.patch new file mode 100644 index 00000000000..96e8764d203 --- /dev/null +++ b/queue-5.4/media-gp8psk-initialize-stats-at-power-control-logic.patch @@ -0,0 +1,45 @@ +From d0ac1a26ed5943127cb0156148735f5f52a07075 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 27 Nov 2020 07:40:21 +0100 +Subject: media: gp8psk: initialize stats at power control logic + +From: Mauro Carvalho Chehab + +commit d0ac1a26ed5943127cb0156148735f5f52a07075 upstream. + +As reported on: + https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.kernel@gmail.com/ + +if gp8psk_usb_in_op() returns an error, the status var is not +initialized. Yet, this var is used later on, in order to +identify: + - if the device was already started; + - if firmware has loaded; + - if the LNBf was powered on. + +Using status = 0 seems to ensure that everything will be +properly powered up. + +So, instead of the proposed solution, let's just set +status = 0. + +Reported-by: syzbot +Reported-by: Willem de Bruijn +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/gp8psk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/dvb-usb/gp8psk.c ++++ b/drivers/media/usb/dvb-usb/gp8psk.c +@@ -182,7 +182,7 @@ out_rel_fw: + + static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff) + { +- u8 status, buf; ++ u8 status = 0, buf; + int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct); + + if (onoff) { diff --git a/queue-5.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch b/queue-5.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch new file mode 100644 index 00000000000..19ce496921b --- /dev/null +++ b/queue-5.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch @@ -0,0 +1,34 @@ +From 31dcb6c30a26d32650ce134820f27de3c675a45a Mon Sep 17 00:00:00 2001 +From: Anant Thazhemadam +Date: Mon, 23 Nov 2020 04:15:34 +0530 +Subject: misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() + +From: Anant Thazhemadam + +commit 31dcb6c30a26d32650ce134820f27de3c675a45a upstream. + +A kernel-infoleak was reported by syzbot, which was caused because +dbells was left uninitialized. +Using kzalloc() instead of kmalloc() fixes this issue. + +Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com +Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_vmci/vmci_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/vmw_vmci/vmci_context.c ++++ b/drivers/misc/vmw_vmci/vmci_context.c +@@ -743,7 +743,7 @@ static int vmci_ctx_get_chkpt_doorbells( + return VMCI_ERROR_MORE_DATA; + } + +- dbells = kmalloc(data_size, GFP_ATOMIC); ++ dbells = kzalloc(data_size, GFP_ATOMIC); + if (!dbells) + return VMCI_ERROR_NO_MEM; + diff --git a/queue-5.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch b/queue-5.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch new file mode 100644 index 00000000000..5c6e46ad098 --- /dev/null +++ b/queue-5.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch @@ -0,0 +1,41 @@ +From d24396c5290ba8ab04ba505176874c4e04a2d53c Mon Sep 17 00:00:00 2001 +From: Rustam Kovhaev +Date: Sun, 1 Nov 2020 06:09:58 -0800 +Subject: reiserfs: add check for an invalid ih_entry_count + +From: Rustam Kovhaev + +commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream. + +when directory item has an invalid value set for ih_entry_count it might +trigger use-after-free or out-of-bounds read in bin_search_in_dir_item() + +ih_entry_count * IH_SIZE for directory item should not be larger than +ih_item_len + +Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com +Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7 +Signed-off-by: Rustam Kovhaev +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/stree.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -454,6 +454,12 @@ static int is_leaf(char *buf, int blocks + "(second one): %h", ih); + return 0; + } ++ if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { ++ reiserfs_warning(NULL, "reiserfs-5093", ++ "item entry count seems wrong %h", ++ ih); ++ return 0; ++ } + prev_location = ih_location(ih); + } + diff --git a/queue-5.4/scsi-cxgb4i-fix-tls-dependency.patch b/queue-5.4/scsi-cxgb4i-fix-tls-dependency.patch new file mode 100644 index 00000000000..fac868fd2fa --- /dev/null +++ b/queue-5.4/scsi-cxgb4i-fix-tls-dependency.patch @@ -0,0 +1,45 @@ +From cb5253198f10a4cd79b7523c581e6173c7d49ddb Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Tue, 8 Dec 2020 14:05:05 -0800 +Subject: scsi: cxgb4i: Fix TLS dependency + +From: Randy Dunlap + +commit cb5253198f10a4cd79b7523c581e6173c7d49ddb upstream. + +SCSI_CXGB4_ISCSI selects CHELSIO_T4. The latter depends on TLS || TLS=n, so +since 'select' does not check dependencies of the selected symbol, +SCSI_CXGB4_ISCSI should also depend on TLS || TLS=n. + +This prevents the following kconfig warning and restricts SCSI_CXGB4_ISCSI +to 'm' whenever TLS=m. + +WARNING: unmet direct dependencies detected for CHELSIO_T4 + Depends on [m]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_CHELSIO [=y] && PCI [=y] && (IPV6 [=y] || IPV6 [=y]=n) && (TLS [=m] || TLS [=m]=n) + Selected by [y]: + - SCSI_CXGB4_ISCSI [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && INET [=y] && (IPV6 [=y] || IPV6 [=y]=n) && ETHERNET [=y] + +Link: https://lore.kernel.org/r/20201208220505.24488-1-rdunlap@infradead.org +Fixes: 7b36b6e03b0d ("[SCSI] cxgb4i v5: iscsi driver") +Cc: Karen Xie +Cc: linux-scsi@vger.kernel.org +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/cxgbi/cxgb4i/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/cxgbi/cxgb4i/Kconfig ++++ b/drivers/scsi/cxgbi/cxgb4i/Kconfig +@@ -4,6 +4,7 @@ config SCSI_CXGB4_ISCSI + depends on PCI && INET && (IPV6 || IPV6=n) + depends on THERMAL || !THERMAL + depends on ETHERNET ++ depends on TLS || TLS=n + select NET_VENDOR_CHELSIO + select CHELSIO_T4 + select CHELSIO_LIB diff --git a/queue-5.4/series b/queue-5.4/series index e90456d4c02..b51748ded65 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -20,3 +20,14 @@ uapi-move-constants-from-linux-kernel.h-to-linux-const.h.patch tools-headers-uapi-sync-linux-const.h-with-the-kernel-headers.patch null_blk-fix-zone-size-initialization.patch of-fix-linker-section-match-table-corruption.patch +cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch +scsi-cxgb4i-fix-tls-dependency.patch +bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch +reiserfs-add-check-for-an-invalid-ih_entry_count.patch +misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch +media-gp8psk-initialize-stats-at-power-control-logic.patch +f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch +alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch +alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch +bfs-don-t-use-warning-string-when-it-s-just-info.patch +fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch -- 2.47.3