From 89d401d66d364bb688c87a239a24b31293df38aa Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 5 Jul 2019 10:58:57 +0200 Subject: [PATCH] 4.9-stable patches added patches: alsa-firewire-lib-fireworks-fix-miss-detection-of-received-midi-messages.patch alsa-line6-fix-write-on-zero-sized-buffer.patch alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch alsa-usb-audio-fix-sign-unintended-sign-extension-on-left-shifts.patch crypto-user-prevent-operating-on-larval-algorithms.patch drm-imx-notify-drm-core-before-sending-event-during-crtc-disable.patch drm-imx-only-send-event-on-crtc-disable-if-kept-disabled.patch lib-mpi-fix-karactx-leak-in-mpi_powm.patch ptrace-fix-ptracer_cred-handling-for-ptrace_traceme.patch --- ...-detection-of-received-midi-messages.patch | 54 +++++++++++++++ ...line6-fix-write-on-zero-sized-buffer.patch | 41 ++++++++++++ ...-of-dest_client-dest_ports-arguments.patch | 46 +++++++++++++ ...tended-sign-extension-on-left-shifts.patch | 45 +++++++++++++ ...event-operating-on-larval-algorithms.patch | 55 +++++++++++++++ ...re-sending-event-during-crtc-disable.patch | 56 ++++++++++++++++ ...ent-on-crtc-disable-if-kept-disabled.patch | 34 ++++++++++ ...lib-mpi-fix-karactx-leak-in-mpi_powm.patch | 67 +++++++++++++++++++ ...cer_cred-handling-for-ptrace_traceme.patch | 57 ++++++++++++++++ queue-4.9/series | 9 +++ 10 files changed, 464 insertions(+) create mode 100644 queue-4.9/alsa-firewire-lib-fireworks-fix-miss-detection-of-received-midi-messages.patch create mode 100644 queue-4.9/alsa-line6-fix-write-on-zero-sized-buffer.patch create mode 100644 queue-4.9/alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch create mode 100644 queue-4.9/alsa-usb-audio-fix-sign-unintended-sign-extension-on-left-shifts.patch create mode 100644 queue-4.9/crypto-user-prevent-operating-on-larval-algorithms.patch create mode 100644 queue-4.9/drm-imx-notify-drm-core-before-sending-event-during-crtc-disable.patch create mode 100644 queue-4.9/drm-imx-only-send-event-on-crtc-disable-if-kept-disabled.patch 
create mode 100644 queue-4.9/lib-mpi-fix-karactx-leak-in-mpi_powm.patch create mode 100644 queue-4.9/ptrace-fix-ptracer_cred-handling-for-ptrace_traceme.patch
diff --git a/queue-4.9/alsa-firewire-lib-fireworks-fix-miss-detection-of-received-midi-messages.patch b/queue-4.9/alsa-firewire-lib-fireworks-fix-miss-detection-of-received-midi-messages.patch
new file mode 100644
index 00000000000..c2dd9b510f1
--- /dev/null
+++ b/queue-4.9/alsa-firewire-lib-fireworks-fix-miss-detection-of-received-midi-messages.patch
@@ -0,0 +1,54 @@
+From 7fbd1753b64eafe21cf842348a40a691d0dee440 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto
+Date: Mon, 1 Jul 2019 23:43:53 +0900
+Subject: ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
+
+From: Takashi Sakamoto
+
+commit 7fbd1753b64eafe21cf842348a40a691d0dee440 upstream.
+
+In IEC 61883-6, 8 MIDI data streams are multiplexed into single
+MIDI conformant data channel. The index of stream is calculated by
+modulo 8 of the value of data block counter.
+
+In fireworks, the value of data block counter in CIP header has a quirk
+with firmware version v5.0.0, v5.7.3 and v5.8.0. This brings ALSA
+IEC 61883-1/6 packet streaming engine to miss detection of MIDI
+messages.
+
+This commit fixes the miss detection to modify the value of data block
+counter for the modulo calculation.
+
+For maintainers, this bug exists since a commit 18f5ed365d3f ("ALSA:
+fireworks/firewire-lib: add support for recent firmware quirk") in Linux
+kernel v4.2. There're many changes since the commit. This fix can be
+backported to Linux kernel v4.4 or later. I tagged a base commit to the
+backport for your convenience.
+
+Besides, my work for Linux kernel v5.3 brings heavy code refactoring and
+some structure members are renamed in 'sound/firewire/amdtp-stream.h'.
+The content of this patch brings conflict when merging -rc tree with
+this patch and the latest tree. I request maintainers to solve the
+conflict to replace 'tx_first_dbc' with 'ctx_data.tx.first_dbc'.
+
+Fixes: df075feefbd3 ("ALSA: firewire-lib: complete AM824 data block processing layer")
+Cc: # v4.4+
+Signed-off-by: Takashi Sakamoto
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/firewire/amdtp-am824.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-am824.c
++++ b/sound/firewire/amdtp-am824.c
+@@ -388,7 +388,7 @@ static void read_midi_messages(struct am
+ u8 *b;
+
+ for (f = 0; f < frames; f++) {
+- port = (s->data_block_counter + f) % 8;
++ port = (8 - s->tx_first_dbc + s->data_block_counter + f) % 8;
+ b = (u8 *)&buffer[p->midi_position];
+
+ len = b[0] - 0x80;
diff --git a/queue-4.9/alsa-line6-fix-write-on-zero-sized-buffer.patch b/queue-4.9/alsa-line6-fix-write-on-zero-sized-buffer.patch
new file mode 100644
index 00000000000..07fce38db51
--- /dev/null
+++ b/queue-4.9/alsa-line6-fix-write-on-zero-sized-buffer.patch
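Review bot: In the read_midi_messages() hunk of the firewire-lib patch, the new `port = (8 - s->tx_first_dbc + s->data_block_counter + f) % 8;` stays within 0..7 only if the sum is evaluated as an unsigned value or tx_first_dbc never exceeds 8, and neither field's type is visible in the hunk. If the expression were evaluated as a signed int with a larger tx_first_dbc, `%` could yield a negative port, which matters if port is used as an index further down (the loop body continues outside the hunk). I would state the assumption in a comment above the line, for example `/* +8 keeps the difference non-negative before % 8; tx_first_dbc is a small firmware quirk value */`, or reduce the quirk value first with `s->tx_first_dbc % 8`.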
@@ -0,0 +1,41 @@
+From 3450121997ce872eb7f1248417225827ea249710 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 2 Jul 2019 20:07:21 +0200
+Subject: ALSA: line6: Fix write on zero-sized buffer
+
+From: Takashi Iwai
+
+commit 3450121997ce872eb7f1248417225827ea249710 upstream.
+
+LINE6 drivers allocate the buffers based on the value returned from
+usb_maxpacket() calls. The manipulated device may return zero for
+this, and this results in the kmalloc() with zero size (and it may
+succeed) while the other part of the driver code writes the packet
+data with the fixed size -- which eventually overwrites.
+
+This patch adds a simple sanity check for the invalid buffer size for
+avoiding that problem.
+
+Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/line6/pcm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -558,6 +558,11 @@ int line6_init_pcm(struct usb_line6 *lin
+ line6pcm->max_packet_size_out =
+ usb_maxpacket(line6->usbdev,
+ usb_sndisocpipe(line6->usbdev, ep_write), 1);
++ if (!line6pcm->max_packet_size_in || !line6pcm->max_packet_size_out) {
++ dev_err(line6pcm->line6->ifcdev,
++ "cannot get proper max packet size\n");
++ return -EINVAL;
++ }
+
+ spin_lock_init(&line6pcm->out.lock);
+ spin_lock_init(&line6pcm->in.lock);
diff --git a/queue-4.9/alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch b/queue-4.9/alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch
new file mode 100644
index 00000000000..a5bea5ab713
--- /dev/null
+++ b/queue-4.9/alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch
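Review bot: The new early `return -EINVAL;` in line6_init_pcm() leaves the function after line6pcm has already been populated, and the hunk does not show whether a cleanup callback for that object is registered before this point; if it is not, this error path leaks the allocation. I would either move the check below the place where the PCM's destructor is assigned or release line6pcm explicitly before returning. The test also rejects only zero, while the commit message says other code writes packets of a fixed size, so a device descriptor reporting a small non-zero max packet size may still undersize the buffers; comparing against the minimum size the driver writes would close that, if such a constant exists in this file. The function starts and continues outside the hunk.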
@@ -0,0 +1,46 @@
+From c3ea60c231446663afd6ea1054da6b7f830855ca Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 28 Jun 2019 10:54:29 +0100
+Subject: ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
+
+From: Colin Ian King
+
+commit c3ea60c231446663afd6ea1054da6b7f830855ca upstream.
+
+There are two occurrances of a call to snd_seq_oss_fill_addr where
+the dest_client and dest_port arguments are in the wrong order. Fix
+this by swapping them around.
+
+Addresses-Coverity: ("Arguments in wrong order")
+Signed-off-by: Colin Ian King
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/oss/seq_oss_ioctl.c | 2 +-
+ sound/core/seq/oss/seq_oss_rw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/oss/seq_oss_ioctl.c
++++ b/sound/core/seq/oss/seq_oss_ioctl.c
+@@ -62,7 +62,7 @@ static int snd_seq_oss_oob_user(struct s
+ if (copy_from_user(ev, arg, 8))
+ return -EFAULT;
+ memset(&tmpev, 0, sizeof(tmpev));
+- snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.client, dp->addr.port);
+ tmpev.time.tick = 0;
+ if (! snd_seq_oss_process_event(dp, (union evrec *)ev, &tmpev)) {
+ snd_seq_oss_dispatch(dp, &tmpev, 0, 0);
+--- a/sound/core/seq/oss/seq_oss_rw.c
++++ b/sound/core/seq/oss/seq_oss_rw.c
+@@ -174,7 +174,7 @@ insert_queue(struct seq_oss_devinfo *dp,
+ memset(&event, 0, sizeof(event));
+ /* set dummy -- to be sure */
+ event.type = SNDRV_SEQ_EVENT_NOTEOFF;
+- snd_seq_oss_fill_addr(dp, &event, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &event, dp->addr.client, dp->addr.port);
+
+ if (snd_seq_oss_process_event(dp, rec, &event))
+ return 0; /* invalid event - no need to insert queue */
diff --git a/queue-4.9/alsa-usb-audio-fix-sign-unintended-sign-extension-on-left-shifts.patch b/queue-4.9/alsa-usb-audio-fix-sign-unintended-sign-extension-on-left-shifts.patch
new file mode 100644
index 00000000000..c76548c7a4f
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-fix-sign-unintended-sign-extension-on-left-shifts.patch
@@ -0,0 +1,45 @@
+From 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Thu, 27 Jun 2019 17:43:08 +0100
+Subject: ALSA: usb-audio: fix sign unintended sign extension on left shifts
+
+From: Colin Ian King
+
+commit 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 upstream.
+
+There are a couple of left shifts of unsigned 8 bit values that
+first get promoted to signed ints and hence get sign extended
+on the shift if the top bit of the 8 bit values are set. Fix
+this by casting the 8 bit values to unsigned ints to stop the
+unintentional sign extension.
+
+Addresses-Coverity: ("Unintended sign extension")
+Signed-off-by: Colin Ian King
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer_quirks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -753,7 +753,7 @@ static int snd_ni_control_init_val(struc
+ return err;
+ }
+
+- kctl->private_value |= (value << 24);
++ kctl->private_value |= ((unsigned int)value << 24);
+ return 0;
+ }
+
+@@ -914,7 +914,7 @@ static int snd_ftu_eff_switch_init(struc
+ if (err < 0)
+ return err;
+
+- kctl->private_value |= value[0] << 24;
++ kctl->private_value |= (unsigned int)value[0] << 24;
+ return 0;
+ }
+
diff --git a/queue-4.9/crypto-user-prevent-operating-on-larval-algorithms.patch b/queue-4.9/crypto-user-prevent-operating-on-larval-algorithms.patch
new file mode 100644
index 00000000000..52fdc0cf363
--- /dev/null
+++ b/queue-4.9/crypto-user-prevent-operating-on-larval-algorithms.patch
@@ -0,0 +1,55 @@
+From 21d4120ec6f5b5992b01b96ac484701163917b63 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 2 Jul 2019 14:17:00 -0700
+Subject: crypto: user - prevent operating on larval algorithms
+
+From: Eric Biggers
+
+commit 21d4120ec6f5b5992b01b96ac484701163917b63 upstream.
+
+Michal Suchanek reported [1] that running the pcrypt_aead01 test from
+LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
+alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
+The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.
+
+The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
+unregister isn't a real registered algorithm, but rather is a "test
+larval", which is a special "algorithm" added to the algorithms list
+while the real algorithm is still being tested. Larvals don't have
+initialized cra_users, so that causes the crash. Normally pcrypt_aead01
+doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
+to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.
+
+Everything else in the "crypto user configuration" API has this same bug
+too, i.e. it inappropriately allows operating on larval algorithms
+(though it doesn't look like the other cases can cause a crash).
+
+Fix this by making crypto_alg_match() exclude larval algorithms.
+
+[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
+[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c
+
+Reported-by: Michal Suchanek
+Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
+Cc: # v3.2+
+Cc: Steffen Klassert
+Signed-off-by: Eric Biggers
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/crypto_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -55,6 +55,9 @@ static struct crypto_alg *crypto_alg_mat
+ list_for_each_entry(q, &crypto_alg_list, cra_list) {
+ int match = 0;
+
++ if (crypto_is_larval(q))
++ continue;
++
+ if ((q->cra_flags ^ p->cru_type) & p->cru_mask)
+ continue;
+
diff --git a/queue-4.9/drm-imx-notify-drm-core-before-sending-event-during-crtc-disable.patch b/queue-4.9/drm-imx-notify-drm-core-before-sending-event-during-crtc-disable.patch
new file mode 100644
index 00000000000..0f45e5b34ce
--- /dev/null
+++ b/queue-4.9/drm-imx-notify-drm-core-before-sending-event-during-crtc-disable.patch
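Review bot: The larval skip added to the loop in crypto_alg_match() carries no comment, and the reason for it (per the commit message, larvals sit on crypto_alg_list but do not have initialised cra_users) cannot be read off the loop itself. I would add `/* test larvals are on the list but are not real algorithms; never return one */` above the `if (crypto_is_larval(q))` line. The commit message says every operation of the crypto user API was affected, so on this 4.9 backport it is worth confirming that all of them look algorithms up through crypto_alg_match() and none walks crypto_alg_list on its own; that is not visible in this hunk, and the function body continues outside it.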
@@ -0,0 +1,56 @@
+From 78c68e8f5cd24bd32ba4ca1cdfb0c30cf0642685 Mon Sep 17 00:00:00 2001
+From: Robert Beckett
+Date: Tue, 25 Jun 2019 18:59:13 +0100
+Subject: drm/imx: notify drm core before sending event during crtc disable
+
+From: Robert Beckett
+
+commit 78c68e8f5cd24bd32ba4ca1cdfb0c30cf0642685 upstream.
+
+Notify drm core before sending pending events during crtc disable.
+This fixes the first event after disable having an old stale timestamp
+by having drm_crtc_vblank_off update the timestamp to now.
+
+This was seen while debugging weston log message:
+Warning: computed repaint delay is insane: -8212 msec
+
+This occurred due to:
+1. driver starts up
+2. fbcon comes along and restores fbdev, enabling vblank
+3. vblank_disable_fn fires via timer disabling vblank, keeping vblank
+seq number and time set at current value
+(some time later)
+4. weston starts and does a modeset
+5. atomic commit disables crtc while it does the modeset
+6. ipu_crtc_atomic_disable sends vblank with old seq number and time
+
+Fixes: a474478642d5 ("drm/imx: fix crtc vblank state regression")
+
+Signed-off-by: Robert Beckett
+Reviewed-by: Daniel Vetter
+Signed-off-by: Philipp Zabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -76,14 +76,14 @@ static void ipu_crtc_atomic_disable(stru
+ drm_atomic_helper_disable_planes_on_crtc(old_crtc_state, false);
+ ipu_dc_disable(ipu);
+
++ drm_crtc_vblank_off(crtc);
++
+ spin_lock_irq(&crtc->dev->event_lock);
+ if (crtc->state->event) {
+ drm_crtc_send_vblank_event(crtc, crtc->state->event);
+ crtc->state->event = NULL;
+ }
+ spin_unlock_irq(&crtc->dev->event_lock);
+-
+- drm_crtc_vblank_off(crtc);
+ }
+
+ static void imx_drm_crtc_reset(struct drm_crtc *crtc)
diff --git a/queue-4.9/drm-imx-only-send-event-on-crtc-disable-if-kept-disabled.patch b/queue-4.9/drm-imx-only-send-event-on-crtc-disable-if-kept-disabled.patch
new file mode 100644
index 00000000000..b59c75433b3
--- /dev/null
+++ b/queue-4.9/drm-imx-only-send-event-on-crtc-disable-if-kept-disabled.patch
@@ -0,0 +1,34 @@
+From 5aeab2bfc9ffa72d3ca73416635cb3785dfc076f Mon Sep 17 00:00:00 2001
+From: Robert Beckett
+Date: Tue, 25 Jun 2019 18:59:15 +0100
+Subject: drm/imx: only send event on crtc disable if kept disabled
+
+From: Robert Beckett
+
+commit 5aeab2bfc9ffa72d3ca73416635cb3785dfc076f upstream.
+
+The event will be sent as part of the vblank enable during the modeset
+if the crtc is not being kept disabled.
+
+Fixes: 5f2f911578fb ("drm/imx: atomic phase 3 step 1: Use atomic configuration")
+
+Signed-off-by: Robert Beckett
+Reviewed-by: Daniel Vetter
+Signed-off-by: Philipp Zabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -79,7 +79,7 @@ static void ipu_crtc_atomic_disable(stru
+ drm_crtc_vblank_off(crtc);
+
+ spin_lock_irq(&crtc->dev->event_lock);
+- if (crtc->state->event) {
++ if (crtc->state->event && !crtc->state->active) {
+ drm_crtc_send_vblank_event(crtc, crtc->state->event);
+ crtc->state->event = NULL;
+ }
diff --git a/queue-4.9/lib-mpi-fix-karactx-leak-in-mpi_powm.patch b/queue-4.9/lib-mpi-fix-karactx-leak-in-mpi_powm.patch
new file mode 100644
index 00000000000..dc477091910
--- /dev/null
+++ b/queue-4.9/lib-mpi-fix-karactx-leak-in-mpi_powm.patch
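Review bot: In the second drm/imx patch, when crtc->state->active is true the pending event now stays in crtc->state->event and nothing in ipu_crtc_atomic_disable() consumes it. The commit message says the vblank enable path sends it during the modeset, but that code is not part of this patch, so on the 4.9 tree it should be confirmed that the enable or atomic-begin path both sends the event and clears the pointer. A comment on the condition would record the dependency, for example `/* if the crtc is re-enabled in this commit, the event is sent from the enable path instead */`. The function starts outside the hunk.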
@@ -0,0 +1,67 @@
+From c8ea9fce2baf7b643384f36f29e4194fa40d33a6 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Mon, 24 Jun 2019 18:32:26 +0800
+Subject: lib/mpi: Fix karactx leak in mpi_powm
+
+From: Herbert Xu
+
+commit c8ea9fce2baf7b643384f36f29e4194fa40d33a6 upstream.
+
+Sometimes mpi_powm will leak karactx because a memory allocation
+failure causes a bail-out that skips the freeing of karactx. This
+patch moves the freeing of karactx to the end of the function like
+everything else so that it can't be skipped.
+
+Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
+Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files...")
+Cc:
+Signed-off-by: Herbert Xu
+Reviewed-by: Eric Biggers
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/mpi/mpi-pow.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/lib/mpi/mpi-pow.c
++++ b/lib/mpi/mpi-pow.c
+@@ -37,6 +37,7 @@
+ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
+ {
+ mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL;
++ struct karatsuba_ctx karactx = {};
+ mpi_ptr_t xp_marker = NULL;
+ mpi_ptr_t tspace = NULL;
+ mpi_ptr_t rp, ep, mp, bp;
+@@ -164,13 +165,11 @@ int mpi_powm(MPI res, MPI base, MPI exp,
+ int c;
+ mpi_limb_t e;
+ mpi_limb_t carry_limb;
+- struct karatsuba_ctx karactx;
+
+ xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));
+ if (!xp)
+ goto enomem;
+
+- memset(&karactx, 0, sizeof karactx);
+ negative_result = (ep[0] & 1) && base->sign;
+
+ i = esize - 1;
+@@ -295,8 +294,6 @@ int mpi_powm(MPI res, MPI base, MPI exp,
+ if (mod_shift_cnt)
+ mpihelp_rshift(rp, rp, rsize, mod_shift_cnt);
+ MPN_NORMALIZE(rp, rsize);
+-
+- mpihelp_release_karatsuba_ctx(&karactx);
+ }
+
+ if (negative_result && rsize) {
+@@ -313,6 +310,7 @@ int mpi_powm(MPI res, MPI base, MPI exp,
+ leave:
+ rc = 0;
+ enomem:
++ mpihelp_release_karatsuba_ctx(&karactx);
+ if (assign_rp)
+ mpi_assign_limb_space(res, rp, size);
+ if (mp_marker)
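Review bot: With the release moved under the `enomem:` label in mpi_powm(), mpihelp_release_karatsuba_ctx() now runs on every exit that reaches the label, including those taken before karactx was ever handed to a multiply. The fix therefore depends on that helper doing nothing for an all-zero context, and its body is not part of this patch. I would record that at the declaration, for example `struct karatsuba_ctx karactx = {}; /* zeroed: released unconditionally at enomem: */`. Any plain `return` in mpi_powm() that bypasses the labels would still skip the release; only four fragments of the function are visible here, so that should be checked against the full 4.9 source.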
diff --git a/queue-4.9/ptrace-fix-ptracer_cred-handling-for-ptrace_traceme.patch b/queue-4.9/ptrace-fix-ptracer_cred-handling-for-ptrace_traceme.patch
new file mode 100644
index 00000000000..049c1f2efc9
--- /dev/null
+++ b/queue-4.9/ptrace-fix-ptracer_cred-handling-for-ptrace_traceme.patch
@@ -0,0 +1,57 @@
+From 6994eefb0053799d2e07cd140df6c2ea106c41ee Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Thu, 4 Jul 2019 17:32:23 +0200
+Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
+
+From: Jann Horn
+
+commit 6994eefb0053799d2e07cd140df6c2ea106c41ee upstream.
+
+Fix two issues:
+
+When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
+reference to the parent's objective credentials, then give that pointer
+to get_cred(). However, the object lifetime rules for things like
+struct cred do not permit unconditionally turning an RCU reference into
+a stable reference.
+
+PTRACE_TRACEME records the parent's credentials as if the parent was
+acting as the subject, but that's not the case. If a malicious
+unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
+at a later point, the parent process becomes attacker-controlled
+(because it drops privileges and calls execve()), the attacker ends up
+with control over two processes with a privileged ptrace relationship,
+which can be abused to ptrace a suid binary and obtain root privileges.
+
+Fix both of these by always recording the credentials of the process
+that is requesting the creation of the ptrace relationship:
+current_cred() can't change under us, and current is the proper subject
+for access control.
+
+This change is theoretically userspace-visible, but I am not aware of
+any code that it will actually break.
+
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: Jann Horn
+Acked-by: Oleg Nesterov
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/ptrace.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -74,9 +74,7 @@ void __ptrace_link(struct task_struct *c
+ */
+ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- rcu_read_lock();
+- __ptrace_link(child, new_parent, __task_cred(new_parent));
+- rcu_read_unlock();
++ __ptrace_link(child, new_parent, current_cred());
+ }
+
+ /**
diff --git a/queue-4.9/series b/queue-4.9/series
index 75cd5da08cb..b56c32a48b7 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -80,3 +80,12 @@ arc-fix-allnoconfig-build-warning.patch
 bug.h-work-around-gcc-pr82365-in-bug.patch
 drm-i915-dmc-protect-against-reading-random-memory.patch
 mips-workaround-gcc-__builtin_unreachable-reordering.patch
+ptrace-fix-ptracer_cred-handling-for-ptrace_traceme.patch
+crypto-user-prevent-operating-on-larval-algorithms.patch
+alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch
+alsa-firewire-lib-fireworks-fix-miss-detection-of-received-midi-messages.patch
+alsa-line6-fix-write-on-zero-sized-buffer.patch
+alsa-usb-audio-fix-sign-unintended-sign-extension-on-left-shifts.patch
+lib-mpi-fix-karactx-leak-in-mpi_powm.patch
+drm-imx-notify-drm-core-before-sending-event-during-crtc-disable.patch
+drm-imx-only-send-event-on-crtc-disable-if-kept-disabled.patch
-- 2.47.3
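Review bot: In the kernel/ptrace.c hunk, ptrace_link() now ignores new_parent when choosing credentials and always records `current_cred()`, so it is correct only when the caller is the task requesting the ptrace relationship, and nothing visible in the comment above the function states that contract (the comment starts outside the hunk). I would add a line to it such as `* The recorded ptracer credentials are those of current, not of @new_parent.` so that a later caller linking on behalf of another task uses __ptrace_link() with explicit credentials instead. For the 4.9 backport it is worth confirming that every existing ptrace_link() caller runs in the requesting task's context; the call sites are not part of this patch.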