From 67a1723a7d4e6101bca26fb7bfb0fca544fe82a7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 10 Jul 2017 19:08:56 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch
---
 ...t-number-supplied-by-user-verbs-cmds.patch | 61 +++++++++++++++++++
 ...ad-helix-2-to-force_combo_jack_table.patch | 52 ++++++++++++++++
 queue-4.9/series | 2 +
 3 files changed, 115 insertions(+)
 create mode 100644 queue-4.9/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
 create mode 100644 queue-4.9/rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch

diff --git a/queue-4.9/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch b/queue-4.9/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
new file mode 100644
index 00000000000..20ee0e6fd6c
--- /dev/null
+++ b/queue-4.9/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
@@ -0,0 +1,61 @@
+From 5ecce4c9b17bed4dc9cb58bfb10447307569b77b Mon Sep 17 00:00:00 2001
+From: Boris Pismenny
+Date: Tue, 27 Jun 2017 15:09:13 +0300
+Subject: RDMA/uverbs: Check port number supplied by user verbs cmds
+
+From: Boris Pismenny
+
+commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.
+
+The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
+the port number from user input as part of its attributes and assumes
+it is valid. Down on the stack, that parameter is used to access kernel
+data structures. If the value is invalid, the kernel accesses memory
+it should not. To prevent this, verify the port number before using it.
+
+BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
+Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
+
+BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
+Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
+
+Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
+Cc: Yevgeny Kliteynik
+Cc: Tziporet Koren
+Cc: Alex Polak
+Signed-off-by: Boris Pismenny
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+---
+
+Modified from upstream commit: helper function rdma_is_port_valid does not
+exist in these kernel versions, so use manual comparisons instead.
+
+ drivers/infiniband/core/uverbs_cmd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2342,6 +2342,10 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
++ if (cmd.port_num < rdma_start_port(ib_dev) ||
++ cmd.port_num > rdma_end_port(ib_dev))
++ return -EINVAL;
++
+ INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
+ out_len);
+
+@@ -2882,6 +2886,10 @@ ssize_t ib_uverbs_create_ah(struct ib_uv
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
++ if (cmd.attr.port_num < rdma_start_port(ib_dev) ||
++ cmd.attr.port_num > rdma_end_port(ib_dev))
++ return -EINVAL;
++
+ uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
+ if (!uobj)
+ return -ENOMEM;
diff --git a/queue-4.9/rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch b/queue-4.9/rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch
new file mode 100644
index 00000000000..74cc1655468
--- /dev/null
+++ b/queue-4.9/rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch
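Review bot: In the ib_uverbs_modify_qp() hunk the range test on `cmd.port_num` runs on every call, although that field is presumably only meaningful when the caller sets IB_QP_PORT in `cmd.attr_mask`; a request that leaves the field zeroed would then be rejected with -EINVAL on devices whose first port is 1. Consider gating it, `if ((cmd.attr_mask & IB_QP_PORT) && (cmd.port_num < rdma_start_port(ib_dev) || cmd.port_num > rdma_end_port(ib_dev)))`, and applying the same bounds to `cmd.alt_port_num` under IB_QP_ALT_PATH, since that second user-supplied port is not validated by this change. Both functions begin and end outside the quoted hunks, so how the mask and the alternate path are consumed further down should be confirmed against the full source. The unconditional check in ib_uverbs_create_ah() looks appropriate as long as `cmd.attr.port_num` is always used on that path.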
@@ -0,0 +1,52 @@
+From fe0dfd6358a17c79bd7d6996af7512ba452a7059 Mon Sep 17 00:00:00 2001
+From: Yifeng Li
+Date: Thu, 4 May 2017 01:34:14 +0800
+Subject: rt286: add Thinkpad Helix 2 to force_combo_jack_table
+
+From: Yifeng Li
+
+commit fe0dfd6358a17c79bd7d6996af7512ba452a7059 upstream.
+
+Thinkpad Helix 2 is a tablet PC, the audio is powered by Core M
+broadwell-audio and rt286 codec. For all versions of Linux kernel,
+the stereo output doesn't work properly when earphones are plugged
+in, the sound was coming out from both channels even if the audio
+contains only the left or right channel. Furthermore, if a music
+recorded in stereo is played, the two channels cancle out each other
+out, as a result, no voice but only distorted background music can be
+heard, like a sound card with builtin a Karaoke sount effect.
+
+Apparently this tablet uses a combo jack with polarity incorrectly
+set by rt286 driver. This patch adds DMI information of Thinkpad Helix 2
+to force_combo_jack_table[] and the issue is resolved. The microphone
+input doesn't work regardless to the presence of this patch and still
+needs help from other developers to investigate.
+
+This is my first patch to LKML directly, sorry for CC-ing too many
+people here.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=93841
+Signed-off-by: Yifeng Li
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/rt286.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -1108,6 +1108,13 @@ static const struct dmi_system_id force_
+ DMI_MATCH(DMI_PRODUCT_NAME, "Kabylake Client platform")
+ }
+ },
++ {
++ .ident = "Thinkpad Helix 2nd",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Helix 2nd")
++ }
++ },
+
+ { }
+ };
diff --git a/queue-4.9/series b/queue-4.9/series
index 41b0b5566a2..46153f320c0 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -37,3 +37,5 @@ x86-uaccess-optimize-copy_user_enhanced_fast_string-for-short-strings.patch
 ath10k-override-ce5-config-for-qca9377.patch
 keys-fix-an-error-code-in-request_master_key.patch
 crypto-drbg-fixes-panic-in-wait_for_completion-call.patch
+rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
+rt286-add-thinkpad-helix-2-to-force_combo_jack_table.patch
--
2.47.3