From 472a87284de0166ef3e5c7bb62d15d13c4771249 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 14 Aug 2019 16:51:28 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
alsa-usb-audio-fix-a-memory-leak-bug.patch
hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch
---
 ...alsa-usb-audio-fix-a-memory-leak-bug.patch | 36 +++++
 ...ion-between-rumble-and-device-remove.patch | 79 +++++++++++
 queue-4.19/series | 3 +
 ..._builtin_memcpy-and-__builtin_memset.patch | 124 ++++++++++++++++++
 4 files changed, 242 insertions(+)
 create mode 100644 queue-4.19/alsa-usb-audio-fix-a-memory-leak-bug.patch
 create mode 100644 queue-4.19/hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
 create mode 100644 queue-4.19/x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch
diff --git a/queue-4.19/alsa-usb-audio-fix-a-memory-leak-bug.patch b/queue-4.19/alsa-usb-audio-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..ccbf42eff74
--- /dev/null
+++ b/queue-4.19/alsa-usb-audio-fix-a-memory-leak-bug.patch
@@ -0,0 +1,36 @@
+From a67060201b746a308b1674f66bf289c9faef6d09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Tue, 6 Aug 2019 03:00:27 -0400
+Subject: ALSA: usb-audio: fix a memory leak bug
+
+From: Wenwen Wang
+
+commit a67060201b746a308b1674f66bf289c9faef6d09 upstream.
+
+In snd_usb_get_audioformat_uac3(), a structure for channel maps 'chmap' is
+allocated through kzalloc() before the execution goto 'found_clock'.
+However, this structure is not deallocated if the memory allocation for
+'pd' fails, leading to a memory leak bug.
+
+To fix the above issue, free 'fp->chmap' before returning NULL.
+
+Fixes: 7edf3b5e6a45 ("ALSA: usb-audio: AudioStreaming Power Domain parsing")
+Signed-off-by: Wenwen Wang
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/stream.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -1053,6 +1053,7 @@ found_clock:
+
+ pd = kzalloc(sizeof(*pd), GFP_KERNEL);
+ if (!pd) {
++ kfree(fp->chmap);
+ kfree(fp->rate_table);
+ kfree(fp);
+ return NULL;
diff --git a/queue-4.19/hid-sony-fix-race-condition-between-rumble-and-device-remove.patch b/queue-4.19/hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
new file mode 100644
index 00000000000..c03b78d10ca
--- /dev/null
+++ b/queue-4.19/hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
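Review bot: The new `kfree(fp->chmap)` closes the leak only in the `!pd` branch at the top of the `found_clock` tail; snd_usb_get_audioformat_uac3() continues past the hunk, and any other `return NULL` after `found_clock` that releases `fp->rate_table` and `fp` needs the same `kfree(fp->chmap);` or the leak merely moves to the next failure point — worth confirming against the 4.19 tree when the backport is applied. The same three kfree() calls are now duplicated per error path; a single cleanup label would keep them from drifting apart again, though that is a follow-up for upstream rather than for this stable pick.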
@@ -0,0 +1,79 @@
+From e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander
+Date: Fri, 2 Aug 2019 15:50:19 -0700
+Subject: HID: sony: Fix race condition between rumble and device remove.
+
+From: Roderick Colenbrander
+
+commit e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 upstream.
+
+Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
+gamepad while rumble is enabled. This issue is reproducible with a
+frequency of 1 in 3 times in the game Borderlands 2 when using an
+automatic weapon, which triggers many rumble operations.
+
+We found the issue to be a race condition between sony_remove and the
+final device destruction by the HID / input system. The problem was
+that sony_remove didn't clean some of its work_item state in
+"struct sony_sc". After sony_remove work, the corresponding evdev
+node was around for sufficient time for applications to still queue
+rumble work after "sony_remove".
+
+On pre-4.19 kernels the race condition caused a kernel crash due to a
+NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
+sony_remove. On newer kernels this crash doesn't happen due the buffer
+now being allocated using devm_kzalloc. However we can still queue work,
+while the driver is an undefined state.
+
+This patch fixes the described problem, by guarding the work_item
+"state_worker" with an initialized variable, which we are setting back
+to 0 on cleanup.
+
+Signed-off-by: Roderick Colenbrander
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-sony.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -587,10 +587,14 @@ static void sony_set_leds(struct sony_sc
+ static inline void sony_schedule_work(struct sony_sc *sc,
+ enum sony_worker which)
+ {
++ unsigned long flags;
++
+ switch (which) {
+ case SONY_WORKER_STATE:
+- if (!sc->defer_initialization)
++ spin_lock_irqsave(&sc->lock, flags);
++ if (!sc->defer_initialization && sc->state_worker_initialized)
+ schedule_work(&sc->state_worker);
++ spin_unlock_irqrestore(&sc->lock, flags);
+ break;
+ case SONY_WORKER_HOTPLUG:
+ if (sc->hotplug_worker_initialized)
+@@ -2553,13 +2557,18 @@ static inline void sony_init_output_repo
+
+ static inline void sony_cancel_work_sync(struct sony_sc *sc)
+ {
++ unsigned long flags;
++
+ if (sc->hotplug_worker_initialized)
+ cancel_work_sync(&sc->hotplug_worker);
+- if (sc->state_worker_initialized)
++ if (sc->state_worker_initialized) {
++ spin_lock_irqsave(&sc->lock, flags);
++ sc->state_worker_initialized = 0;
++ spin_unlock_irqrestore(&sc->lock, flags);
+ cancel_work_sync(&sc->state_worker);
++ }
+ }
+
+-
+ static int sony_input_configured(struct hid_device *hdev,
+ struct hid_input *hidinput)
+ {
diff --git a/queue-4.19/series b/queue-4.19/series
index b9a6ca01e1d..736cda83075 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -67,3 +67,6 @@ test_firmware-fix-a-memory-leak-bug.patch
 tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch
 perf-core-fix-creating-kernel-counters-for-pmus-that.patch
 s390-dma-provide-proper-arch_zone_dma_bits-value.patch
+hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
+x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch
+alsa-usb-audio-fix-a-memory-leak-bug.patch
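Review bot: The new locking in sony_schedule_work() is asymmetric — the SONY_WORKER_STATE case now takes `sc->lock` around the `state_worker_initialized` test and `schedule_work()`, while the SONY_WORKER_HOTPLUG case right below still reads `hotplug_worker_initialized` unlocked — and nothing in the code records why, so the next reader may either "fix" the hotplug path or drop the lock again. I would put a comment on the flag clear in sony_cancel_work_sync(): `/* Cleared under sc->lock: the evdev node can outlive sony_remove(), so rumble requests may still reach sony_schedule_work() and must see this flag atomically with its schedule_work() check. */`. The unlocked `if (sc->state_worker_initialized)` that precedes the locked clear in sony_cancel_work_sync() looks safe only if this function is the sole place that resets the flag — confirm that against the rest of the driver. Both touched functions extend beyond the hunk: the remainder of sony_schedule_work() and the body of sony_input_configured() are outside it.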
diff --git a/queue-4.19/x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch b/queue-4.19/x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch
new file mode 100644
index 00000000000..4946105fc45
--- /dev/null
+++ b/queue-4.19/x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch
@@ -0,0 +1,124 @@
+From 4ce97317f41d38584fb93578e922fcd19e535f5b Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers
+Date: Wed, 7 Aug 2019 15:15:32 -0700
+Subject: x86/purgatory: Do not use __builtin_memcpy and __builtin_memset
+
+From: Nick Desaulniers
+
+commit 4ce97317f41d38584fb93578e922fcd19e535f5b upstream.
+
+Implementing memcpy and memset in terms of __builtin_memcpy and
+__builtin_memset is problematic.
+
+GCC at -O2 will replace calls to the builtins with calls to memcpy and
+memset (but will generate an inline implementation at -Os). Clang will
+replace the builtins with these calls regardless of optimization level.
+$ llvm-objdump -dr arch/x86/purgatory/string.o | tail
+
+0000000000000339 memcpy:
+ 339: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
+ 000000000000033b: R_X86_64_64 memcpy
+ 343: ff e0 jmpq *%rax
+
+0000000000000345 memset:
+ 345: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
+ 0000000000000347: R_X86_64_64 memset
+ 34f: ff e0
+
+Such code results in infinite recursion at runtime. This is observed
+when doing kexec.
+
+Instead, reuse an implementation from arch/x86/boot/compressed/string.c.
+This requires to implement a stub function for warn(). Also, Clang may
+lower memcmp's that compare against 0 to bcmp's, so add a small definition,
+too. See also: commit 5f074f3e192f ("lib/string.c: implement a basic bcmp")
+
+Fixes: 8fc5b4d4121c ("purgatory: core purgatory functionality")
+Reported-by: Vaibhav Rustagi
+Debugged-by: Vaibhav Rustagi
+Debugged-by: Manoj Gupta
+Suggested-by: Alistair Delva
+Signed-off-by: Nick Desaulniers
+Signed-off-by: Thomas Gleixner
+Tested-by: Vaibhav Rustagi
+Cc: stable@vger.kernel.org
+Link: https://bugs.chromium.org/p/chromium/issues/detail?id=984056
+Link: https://lkml.kernel.org/r/20190807221539.94583-1-ndesaulniers@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/boot/string.c | 8 ++++++++
+ arch/x86/purgatory/Makefile | 3 +++
+ arch/x86/purgatory/purgatory.c | 6 ++++++
+ arch/x86/purgatory/string.c | 25 -------------------------
+ 4 files changed, 17 insertions(+), 25 deletions(-)
+
+--- a/arch/x86/boot/string.c
++++ b/arch/x86/boot/string.c
+@@ -34,6 +34,14 @@ int memcmp(const void *s1, const void *s
+ return diff;
+ }
+
++/*
++ * Clang may lower `memcmp == 0` to `bcmp == 0`.
++ */
++int bcmp(const void *s1, const void *s2, size_t len)
++{
++ return memcmp(s1, s2, len);
++}
++
+ int strcmp(const char *str1, const char *str2)
+ {
+ const unsigned char *s1 = (const unsigned char *)str1;
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -6,6 +6,9 @@ purgatory-y := purgatory.o stack.o setup
+ targets += $(purgatory-y)
+ PURGATORY_OBJS = $(addprefix $(obj)/,$(purgatory-y))
+
++$(obj)/string.o: $(srctree)/arch/x86/boot/compressed/string.c FORCE
++ $(call if_changed_rule,cc_o_c)
++
+ $(obj)/sha256.o: $(srctree)/lib/sha256.c FORCE
+ $(call if_changed_rule,cc_o_c)
+
+--- a/arch/x86/purgatory/purgatory.c
++++ b/arch/x86/purgatory/purgatory.c
+@@ -70,3 +70,9 @@ void purgatory(void)
+ }
+ copy_backup_region();
+ }
++
++/*
++ * Defined in order to reuse memcpy() and memset() from
++ * arch/x86/boot/compressed/string.c
++ */
++void warn(const char *msg) {}
+--- a/arch/x86/purgatory/string.c
++++ /dev/null
+@@ -1,25 +0,0 @@
+-/*
+- * Simple string functions.
+- *
+- * Copyright (C) 2014 Red Hat Inc.
+- *
+- * Author:
+- * Vivek Goyal
+- *
+- * This source code is licensed under the GNU General Public License,
+- * Version 2. See the file COPYING for more details.
+- */
+-
+-#include
+-
+-#include "../boot/string.c"
+-
+-void *memcpy(void *dst, const void *src, size_t len)
+-{
+- return __builtin_memcpy(dst, src, len);
+-}
+-
+-void *memset(void *dst, int c, size_t len)
+-{
+- return __builtin_memset(dst, c, len);
+-}
-- 
2.47.2
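Review bot: The new `void warn(const char *msg) {}` in purgatory.c silently discards whatever compressed/string.c reports through warn() — purgatory has no output path, which is presumably the point, but the empty body neither says so nor touches `msg`, so a reader may take the call site for dead code or a missed diagnostic. I would write it as `/* No console in purgatory: diagnostics from string.c are intentionally dropped. */` followed by `void warn(const char *msg) { (void)msg; }`. In the boot/string.c hunk, `bcmp()` is defined without a declaration visible in this patch; if arch/x86/boot/string.h does not already declare it, a `-Wmissing-prototypes` build warns and callers are never checked against the signature — confirm the header. The deleted purgatory/string.c pulled in `../boot/string.c` directly, so the new Makefile rule must compile compressed/string.c with the same freestanding/no-builtin flags as the rest of purgatory, otherwise the optimizer can re-emit the memcpy()/memset() calls this patch exists to remove; that cannot be verified from the hunk alone.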