From 2b01f33ed482d3545fb1247fe5651149f29d2324 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 5 May 2018 17:08:01 -0700
Subject: [PATCH] 3.18-stable patches
added patches:
alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
alsa-aloop-mark-paused-device-as-inactive.patch
alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
rdma-mlx5-protect-from-shift-operand-overflow.patch
---
 ...sing-cable-lock-to-ctl-api-callbacks.patch | 112 ++++++++++++++++++
 ...aloop-mark-paused-device-as-inactive.patch | 59 +++++++++
 ...heck-pcm-state-at-xfern-compat-ioctl.patch | 38 ++++++
 ...coding-in-snd_virmidi_output_trigger.patch | 53 +++++++++
 ...d-support-for-ublox-r410m-pid-0x90b2.patch | 43 +++++++
 ...-protect-from-shift-operand-overflow.patch | 62 ++++++++++
 queue-3.18/series | 6 +
 7 files changed, 373 insertions(+)
 create mode 100644 queue-3.18/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
 create mode 100644 queue-3.18/alsa-aloop-mark-paused-device-as-inactive.patch
 create mode 100644 queue-3.18/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
 create mode 100644 queue-3.18/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
 create mode 100644 queue-3.18/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
 create mode 100644 queue-3.18/rdma-mlx5-protect-from-shift-operand-overflow.patch
diff --git a/queue-3.18/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch b/queue-3.18/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
new file mode 100644
index 00000000000..232daf68980
--- /dev/null
+++ b/queue-3.18/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
@@ -0,0 +1,112 @@
+From 76b3421b39bd610546931fc923edcf90c18fa395 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 30 Apr 2018 10:06:48 +0200
+Subject: ALSA: aloop: Add missing cable lock to ctl API callbacks
+
+From: Takashi Iwai
+
+commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.
+
+Some control API callbacks in aloop driver are too lazy to take the
+loopback->cable_lock and it results in possible races of cable access
+while it's being freed. It eventually lead to a UAF, as reported by
+fuzzer recently.
+
+This patch covers such control API callbacks and add the proper mutex
+locks.
+
+Reported-by: DaeRyong Jeong
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/drivers/aloop.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -833,9 +833,11 @@ static int loopback_rate_shift_get(struc
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate_shift;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+ 
+@@ -867,9 +869,11 @@ static int loopback_notify_get(struct sn
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+ 
+@@ -881,12 +885,14 @@ static int loopback_notify_put(struct sn
+ int change = 0;
+ 
+ val = ucontrol->value.integer.value[0] ? 
1 : 0;
++ mutex_lock(&loopback->cable_lock);
+ if (val != loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify) {
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify = val;
+ change = 1;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ return change;
+ }
+ 
+@@ -894,15 +900,18 @@ static int loopback_active_get(struct sn
+ struct snd_ctl_elem_value *ucontrol)
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+- struct loopback_cable *cable = loopback->cables
+- [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
++ struct loopback_cable *cable;
++
+ unsigned int val = 0;
+ 
++ mutex_lock(&loopback->cable_lock);
++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ if (cable != NULL) {
+ unsigned int running = cable->running ^ cable->pause;
+ 
+ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
+@@ -945,9 +954,11 @@ static int loopback_rate_get(struct snd_
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+ 
+@@ -967,9 +978,11 @@ static int loopback_channels_get(struct
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].channels;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+ 
diff --git a/queue-3.18/alsa-aloop-mark-paused-device-as-inactive.patch b/queue-3.18/alsa-aloop-mark-paused-device-as-inactive.patch
new file mode 100644
index 00000000000..841baec5f4c
--- /dev/null
+++ b/queue-3.18/alsa-aloop-mark-paused-device-as-inactive.patch
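Review bot: The new mutex_lock()/mutex_unlock() pairs in the `*_get` callbacks and in loopback_notify_put() only close the reported UAF if the freeing side — loopback_close()/free_cable(), which is outside this hunk — also holds loopback->cable_lock while it clears loopback->cables[][]; that is the case upstream at this commit's parent, but the 3.18 tree should be checked rather than assumed before merging. Inside loopback_active_get() the read `cable->running ^ cable->pause` still happens without cable->lock, the spinlock the trigger path (see the companion mark-paused patch) holds when it updates those two fields, so a PAUSE/RESUME in flight can produce a momentarily stale value; since this is only an informational control, a comment such as `/* cable_lock keeps the cable alive; running/pause are read racily on purpose */` would record the intent. Note also that the context of the loopback_active_get() hunk presumes the mark-paused patch is already applied, which the series ordering in this commit does guarantee.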
@@ -0,0 +1,59 @@
+From 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 Mon Sep 17 00:00:00 2001
+From: Robert Rosengren
+Date: Mon, 26 Mar 2018 07:24:49 +0200
+Subject: ALSA: aloop: Mark paused device as inactive
+
+From: Robert Rosengren
+
+commit 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 upstream.
+
+Show paused ALSA aloop device as inactive, i.e. the control
+"PCM Slave Active" set as false. Notification sent upon state change.
+
+This makes it possible for client capturing from aloop device to know if
+data is expected. Without it the client expects data even if playback
+is paused.
+
+Signed-off-by: Robert Rosengren
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/drivers/aloop.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -297,6 +297,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause |= stream;
+ loopback_timer_stop(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+ case SNDRV_PCM_TRIGGER_RESUME:
+@@ -305,6 +307,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause &= ~stream;
+ loopback_timer_start(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ default:
+ return -EINVAL;
+@@ -894,9 +898,11 @@ static int loopback_active_get(struct sn
+ [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ unsigned int val = 0;
+ 
+- if (cable != NULL)
+- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
+- 1 : 0;
++ if (cable != NULL) {
++ unsigned int running = cable->running ^ cable->pause;
++
++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
++ }
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
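Review bot: In loopback_active_get() the expression `cable->running ^ cable->pause` only means "running and not paused" as long as a pause bit is never set without the matching running bit; the trigger arms visible here set `cable->pause |= stream` only on the PAUSE_PUSH/SUSPEND path, so the invariant appears to hold, but `unsigned int running = cable->running & ~cable->pause;` states the intent directly and cannot turn a bit on if the invariant is ever broken. The new loopback_active_notify() calls are placed after spin_unlock(&cable->lock), presumably because the notify path must not run under the cable spinlock — worth confirming against the existing START/STOP arms, which are outside this hunk. This is a behavioural change taken into stable as a prerequisite for the cable-lock patch rather than a fix in its own right, and the series ordering reflects that. loopback_trigger() starts and ends outside this hunk.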
diff --git a/queue-3.18/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch b/queue-3.18/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
new file mode 100644
index 00000000000..092b93848fa
--- /dev/null
+++ b/queue-3.18/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
@@ -0,0 +1,38 @@
+From f13876e2c33a657a71bcbb10f767c0951b165020 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 2 May 2018 08:48:46 +0200
+Subject: ALSA: pcm: Check PCM state at xfern compat ioctl
+
+From: Takashi Iwai
+
+commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.
+
+Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
+further and hit the sanity check pcm_sanity_check() when the ioctl is
+called right after open. It may eventually spew a kernel warning, as
+triggered by syzbot, depending on kconfig.
+
+The lack of PCM state check there was just an oversight. Although
+it's no real crash, the spurious kernel warning is annoying, so let's
+add the proper check.
+
+Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm_compat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -333,6 +333,8 @@ static int snd_pcm_ioctl_xfern_compat(st
+ return -ENOTTY;
+ if (substream->stream != dir)
+ return -EINVAL;
++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
++ return -EBADFD;
+ 
+ if ((ch = substream->runtime->channels) > 128)
+ return -EINVAL;
diff --git a/queue-3.18/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch b/queue-3.18/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
new file mode 100644
index 00000000000..98af4cabd0f
--- /dev/null
+++ b/queue-3.18/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
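Review bot: The added test reads `substream->runtime->status->state` without the stream lock, so the state can change between this check and the actual transfer; that is presumably acceptable only because the read/write routines re-validate the state under the stream lock before touching the buffer, which should be confirmed for 3.18 rather than assumed. The check rejects only SNDRV_PCM_STATE_OPEN, leaving states such as DISCONNECTED to those same downstream checks, so a short comment like `/* never-prepared stream: match the native xfern ioctl's -EBADFD */` would record why OPEN alone is filtered here. The dereference of substream->runtime is pre-existing (the `channels` read two lines below already relies on it). snd_pcm_ioctl_xfern_compat() starts and ends outside this hunk.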
@@ -0,0 +1,53 @@
+From 8f22e52528cc372b218b5f100457469615c733ce Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 26 Apr 2018 09:17:45 +0200
+Subject: ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+
+From: Takashi Iwai
+
+commit 8f22e52528cc372b218b5f100457469615c733ce upstream.
+
+The sequencer virmidi code has an open race at its output trigger
+callback: namely, virmidi keeps only one event packet for processing
+while it doesn't protect for concurrent output trigger calls.
+
+snd_virmidi_output_trigger() tries to process the previously
+unfinished event before starting encoding the given MIDI stream, but
+this is done without any lock. Meanwhile, if another rawmidi stream
+starts the output trigger, this proceeds further, and overwrites the
+event package that is being processed in another thread. This
+eventually corrupts and may lead to the invalid memory access if the
+event type is like SYSEX.
+
+The fix is just to move the spinlock to cover both the pending event
+and the new stream.
+
+The bug was spotted by a new fuzzer, RaceFuzzer.
+
+BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
+Reported-by: DaeRyong Jeong
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_virmidi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s
+ }
+ return;
+ }
++ spin_lock_irqsave(&substream->runtime->lock, flags);
+ if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
+ if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
+- return;
++ goto out;
+ vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
+ }
+- spin_lock_irqsave(&substream->runtime->lock, flags);
+ while (1) {
+ count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+ if (count <= 0)
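Review bot: After this change the pending-event dispatch runs with substream->runtime->lock held and interrupts disabled, yet its atomic argument is still `in_atomic()`, which on kernels built without CONFIG_PREEMPT_COUNT does not reflect a held spinlock and may let the dispatch path attempt to sleep; the conservative choice for a stable backport is `if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, true, 0) < 0)`, unless something outside the hunk already guarantees the trigger is only called from atomic context. The new `goto out` assumes an `out:` label that drops the lock; it is not visible here, so confirm it exists in 3.18's snd_virmidi_output_trigger() (the 2-insertion/2-deletion diffstat suggests the label was already present). The function starts and ends outside this hunk.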
diff --git a/queue-3.18/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch b/queue-3.18/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
new file mode 100644
index 00000000000..6cd3d2ed4a7
--- /dev/null
+++ b/queue-3.18/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
@@ -0,0 +1,43 @@
+From 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
+
+Date: Thu, 26 Apr 2018 14:30:13 +0800
+Subject: NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SZ Lin (林上智)
+
+commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream.
+
+This patch adds support for PID 0x90b2 of ublox R410M.
+
+qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer
+[/dev/cdc-wdm0] Device manufacturer retrieved:
+ Manufacturer: 'u-blox'
+
+qmicli -d /dev/cdc-wdm0 --dms-get-model
+[/dev/cdc-wdm0] Device model retrieved:
+ Model: 'SARA-R410M-02B'
+
+Signed-off-by: SZ Lin (林上智)
+Cc: stable
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -673,6 +673,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+ {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+ {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
diff --git a/queue-3.18/rdma-mlx5-protect-from-shift-operand-overflow.patch b/queue-3.18/rdma-mlx5-protect-from-shift-operand-overflow.patch
new file mode 100644
index 00000000000..6341e894574
--- /dev/null
+++ b/queue-3.18/rdma-mlx5-protect-from-shift-operand-overflow.patch
@@ -0,0 +1,62 @@
+From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Mon, 23 Apr 2018 17:01:53 +0300
+Subject: RDMA/mlx5: Protect from shift operand overflow
+
+From: Leon Romanovsky
+
+commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
+
+Ensure that user didn't supply values too large that can cause overflow.
+
+UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
+shift exponent -2147483648 is negative
+CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
+Trace:
+dump_stack+0xde/0x164
+ubsan_epilogue+0xe/0x81
+set_rq_size+0x7c2/0xa90
+create_qp_common+0xc18/0x43c0
+mlx5_ib_create_qp+0x379/0x1ca0
+create_qp.isra.5+0xc94/0x2260
+ib_uverbs_create_qp+0x21b/0x2a0
+ib_uverbs_write+0xc2c/0x1010
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+do_syscall_64+0x1aa/0x740
+entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x433569
+RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
+RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
+RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
+R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
+R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
+
+Cc: # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Cc: syzkaller
+Reported-by: Noa Osherovich
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -174,7 +174,11 @@ static int set_rq_size(struct mlx5_ib_de
+ } else {
+ if (ucmd) {
+ qp->rq.wqe_cnt = ucmd->rq_wqe_count;
++ if 
(ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
++ return -EINVAL;
+ qp->rq.wqe_shift = ucmd->rq_wqe_shift;
++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
++ return -EINVAL;
+ qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
+ qp->rq.max_post = qp->rq.wqe_cnt;
+ } else {
diff --git a/queue-3.18/series b/queue-3.18/series
index d6c9d2fd61c..c7e28fda092 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -1,3 +1,9 @@
 percpu-include-linux-sched.h-for-cond_resched.patch
 perf-core-fix-the-perf_cpu_time_max_percent-check.patch
 perf-session-fix-undeclared-oe.patch
+alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
+alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
+alsa-aloop-mark-paused-device-as-inactive.patch
+alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
+rdma-mlx5-protect-from-shift-operand-overflow.patch
+net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
-- 
2.47.3
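Review bot: The new bound `ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift)` still admits a user-supplied shift of 32, and `1 << qp->rq.wqe_shift` is an int shift, so 32 remains undefined behaviour and 31 produces a negative int that is converted to size_t for the `/ sizeof(struct mlx5_wqe_data_seg)` division — a huge quotient that sails past the added `< qp->wq_sig` test and leaves qp->rq.max_gs with a truncated value; the UBSAN report only exercised the negative-exponent case. Tightening the guard to `if (ucmd->rq_wqe_shift >= BITS_PER_BYTE * sizeof(int) - 1) return -EINVAL;` closes both, and a tighter ceiling taken from the device's maximum RQ WQE size (the kernel-computed branch below, outside the hunk, presumably checks against such a capability) would be the proper fix. A short comment on the first check, `/* shift feeds 1 << shift on an int: reject >= 31 outright */`, would keep the rationale next to the code. set_rq_size() starts and ends outside this hunk.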