From b3c170766e738cec7428cef7a0dcefa742801a77 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 4 Jan 2021 15:14:00 +0100
Subject: [PATCH] 4.4-stable patches
added patches:
alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
media-gp8psk-initialize-stats-at-power-control-logic.patch
misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
reiserfs-add-check-for-an-invalid-ih_entry_count.patch
---
...ool-for-snd_seq_queue-internal-flags.patch | 44 ++++++++++++++++++
...tialize-stats-at-power-control-logic.patch | 45 +++++++++++++++++++
...ells-in-vmci_ctx_get_chkpt_doorbells.patch | 34 ++++++++++++++
...-check-for-an-invalid-ih_entry_count.patch | 41 +++++++++++++++++
queue-4.4/series | 4 ++
5 files changed, 168 insertions(+)
create mode 100644 queue-4.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
create mode 100644 queue-4.4/media-gp8psk-initialize-stats-at-power-control-logic.patch
create mode 100644 queue-4.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
create mode 100644 queue-4.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch
diff --git a/queue-4.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch b/queue-4.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
new file mode 100644
index 00000000000..85025d8616e
--- /dev/null
+++ b/queue-4.4/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
@@ -0,0 +1,44 @@
+From 4ebd47037027c4beae99680bff3b20fdee5d7c1e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 6 Dec 2020 09:34:56 +0100
+Subject: ALSA: seq: Use bool for snd_seq_queue internal flags
+
+From: Takashi Iwai
+
+commit 4ebd47037027c4beae99680bff3b20fdee5d7c1e upstream.
+
+The snd_seq_queue struct contains various flags in the bit fields.
+Those are categorized to two different use cases, both of which are
+protected by different spinlocks. That implies that there are still
+potential risks of the bad operations for bit fields by concurrent
+accesses.
+
+For addressing the problem, this patch rearranges those flags to be
+a standard bool instead of a bit field.
+
+Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083456.21110-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_queue.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_queue.h
++++ b/sound/core/seq/seq_queue.h
+@@ -40,10 +40,10 @@ struct snd_seq_queue {
+ 
+ struct snd_seq_timer *timer; /* time keeper for this queue */
+ int owner; /* client that 'owns' the timer */
+- unsigned int locked:1, /* timer is only accesibble by owner if set */
+- klocked:1, /* kernel lock (after START) */
+- check_again:1,
+- check_blocked:1;
++ bool locked; /* timer is only accesibble by owner if set */
++ bool klocked; /* kernel lock (after START) */
++ bool check_again; /* concurrent access happened during check */
++ bool check_blocked; /* queue being checked */
+ 
+ unsigned int flags; /* status flags */
+ unsigned int info_flags; /* info for sync */
diff --git a/queue-4.4/media-gp8psk-initialize-stats-at-power-control-logic.patch b/queue-4.4/media-gp8psk-initialize-stats-at-power-control-logic.patch
new file mode 100644
index 00000000000..c6eb2c62fec
--- /dev/null
+++ b/queue-4.4/media-gp8psk-initialize-stats-at-power-control-logic.patch
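Review bot: Turning the four `:1` bit fields into separate `bool` members removes the shared-word read-modify-write hazard between the two lock domains the commit message describes (distinct non-bit-field members are distinct memory locations, so a store to `locked` can no longer clobber a concurrent store to `check_again`), but it does not make any access lock-free; every reader and writer of these flags still has to hold the spinlock that guards its group. The users of `struct snd_seq_queue` are outside this hunk, so that cannot be confirmed here, and it is worth a quick check that the 4.4 tree has no code that depends on the old packed layout of these flags. The pre-existing `accesibble` typo in the copied comment is harmless in a verbatim backport.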
@@ -0,0 +1,45 @@
+From d0ac1a26ed5943127cb0156148735f5f52a07075 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Fri, 27 Nov 2020 07:40:21 +0100
+Subject: media: gp8psk: initialize stats at power control logic
+
+From: Mauro Carvalho Chehab
+
+commit d0ac1a26ed5943127cb0156148735f5f52a07075 upstream.
+
+As reported on:
+ https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.kernel@gmail.com/
+
+if gp8psk_usb_in_op() returns an error, the status var is not
+initialized. Yet, this var is used later on, in order to
+identify:
+ - if the device was already started;
+ - if firmware has loaded;
+ - if the LNBf was powered on.
+
+Using status = 0 seems to ensure that everything will be
+properly powered up.
+
+So, instead of the proposed solution, let's just set
+status = 0.
+
+Reported-by: syzbot
+Reported-by: Willem de Bruijn
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/gp8psk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/gp8psk.c
++++ b/drivers/media/usb/dvb-usb/gp8psk.c
+@@ -163,7 +163,7 @@ out_rel_fw:
+ 
+ static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff)
+ {
+- u8 status, buf;
++ u8 status = 0, buf;
+ int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct);
+ 
+ if (onoff) {
diff --git a/queue-4.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch b/queue-4.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
new file mode 100644
index 00000000000..94eed79ab39
--- /dev/null
+++ b/queue-4.4/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
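Review bot: `status = 0` only removes the indeterminate read; by the commit message's own account the return value of gp8psk_usb_in_op() is still not checked, so a failing config read is now indistinguishable from "device not started, no firmware, LNBf off" and presumably re-runs the whole power-up sequence without any diagnostic. The changelog argues that is the safe direction, and for a stable backport that is acceptable, but the reasoning lives only in the changelog: a one-line comment beside the initialiser, `/* 0 == nothing started yet; a failed config read falls back to a full power-up */`, would keep it with the code. The rest of gp8psk_power_ctrl() is outside the hunk, so whether `buf` on the same declarator line is ever read before being written cannot be checked from here.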
@@ -0,0 +1,34 @@
+From 31dcb6c30a26d32650ce134820f27de3c675a45a Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam
+Date: Mon, 23 Nov 2020 04:15:34 +0530
+Subject: misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells()
+
+From: Anant Thazhemadam
+
+commit 31dcb6c30a26d32650ce134820f27de3c675a45a upstream.
+
+A kernel-infoleak was reported by syzbot, which was caused because
+dbells was left uninitialized.
+Using kzalloc() instead of kmalloc() fixes this issue.
+
+Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam
+Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -750,7 +750,7 @@ static int vmci_ctx_get_chkpt_doorbells(
+ return VMCI_ERROR_MORE_DATA;
+ }
+ 
+- dbells = kmalloc(data_size, GFP_ATOMIC);
++ dbells = kzalloc(data_size, GFP_ATOMIC);
+ if (!dbells)
+ return VMCI_ERROR_NO_MEM;
+ 
diff --git a/queue-4.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch b/queue-4.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch
new file mode 100644
index 00000000000..0b0b1aa58a9
--- /dev/null
+++ b/queue-4.4/reiserfs-add-check-for-an-invalid-ih_entry_count.patch
@@ -0,0 +1,41 @@
+From d24396c5290ba8ab04ba505176874c4e04a2d53c Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev
+Date: Sun, 1 Nov 2020 06:09:58 -0800
+Subject: reiserfs: add check for an invalid ih_entry_count
+
+From: Rustam Kovhaev
+
+commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.
+
+when directory item has an invalid value set for ih_entry_count it might
+trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()
+
+ih_entry_count * IH_SIZE for directory item should not be larger than
+ih_item_len
+
+Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
+Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
+Signed-off-by: Rustam Kovhaev
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/reiserfs/stree.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -453,6 +453,12 @@ static int is_leaf(char *buf, int blocks
+ "(second one): %h", ih);
+ return 0;
+ }
++ if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
++ reiserfs_warning(NULL, "reiserfs-5093",
++ "item entry count seems wrong %h",
++ ih);
++ return 0;
++ }
+ prev_location = ih_location(ih);
+ }
+ 
diff --git a/queue-4.4/series b/queue-4.4/series
index a54ca5b8ccc..fe04c971c16 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -10,3 +10,7 @@ s390-dasd-fix-hanging-device-offline-processing.patch
 usb-serial-digi_acceleport-fix-write-wakeup-deadlock.patch
 uapi-move-constants-from-linux-kernel.h-to-linux-const.h.patch
 of-fix-linker-section-match-table-corruption.patch
+reiserfs-add-check-for-an-invalid-ih_entry_count.patch
+misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
+media-gp8psk-initialize-stats-at-power-control-logic.patch
+alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
-- 
2.47.3
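Review bot: The new guard bounds `ih_entry_count(ih) * IH_SIZE` by `ih_item_len(ih)`, but IH_SIZE is the size of an item header rather than of a directory entry, so the constant reads as a coincidence rather than a derivation; if it is meant as the minimum on-disk footprint of one entry (entry header plus padded name), a comment such as `/* each directory entry occupies at least IH_SIZE bytes of the item body */` would state that, and it is worth confirming against the directory-item layout that a valid item with short names cannot trip the check and be rejected as corrupt. If both accessors return the 16-bit on-disk fields, the product is evaluated in int and cannot overflow. is_leaf() starts before the hunk; the rejection path mirrors the existing `reiserfs_warning(); return 0;` pattern visible just above it.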