From b7640df57c972627cc8e80f67c18580682ce5700 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 13 Nov 2021 14:21:07 +0100 Subject: [PATCH] 4.9-stable patches added patches: alsa-6fire-fix-control-and-bulk-message-timeouts.patch alsa-line6-fix-control-and-interrupt-message-timeouts.patch alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch alsa-timer-fix-use-after-free-problem.patch alsa-timer-unconditionally-unlink-slave-instances-too.patch alsa-ua101-fix-division-by-zero-at-probe.patch fuse-fix-page-stealing.patch x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch --- ...ix-control-and-bulk-message-timeouts.patch | 63 ++++++++ ...ntrol-and-interrupt-message-timeouts.patch | 138 ++++++++++++++++++ ...sible-null-after-the-call-to-kstrdup.patch | 35 +++++ ...lsa-timer-fix-use-after-free-problem.patch | 53 +++++++ ...itionally-unlink-slave-instances-too.patch | 55 +++++++ ...-ua101-fix-division-by-zero-at-probe.patch | 48 ++++++ queue-4.9/fuse-fix-page-stealing.patch | 64 ++++++++ queue-4.9/series | 8 + ...is-unregistered-before-module-unload.patch | 43 ++++++ 9 files changed, 507 insertions(+) create mode 100644 queue-4.9/alsa-6fire-fix-control-and-bulk-message-timeouts.patch create mode 100644 queue-4.9/alsa-line6-fix-control-and-interrupt-message-timeouts.patch create mode 100644 queue-4.9/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch create mode 100644 queue-4.9/alsa-timer-fix-use-after-free-problem.patch create mode 100644 queue-4.9/alsa-timer-unconditionally-unlink-slave-instances-too.patch create mode 100644 queue-4.9/alsa-ua101-fix-division-by-zero-at-probe.patch create mode 100644 queue-4.9/fuse-fix-page-stealing.patch create mode 100644 queue-4.9/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch 
diff --git a/queue-4.9/alsa-6fire-fix-control-and-bulk-message-timeouts.patch b/queue-4.9/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
new file mode 100644
index 00000000000..f1da1abe163
--- /dev/null
+++ b/queue-4.9/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
@@ -0,0 +1,63 @@ +From 9b371c6cc37f954360989eec41c2ddc5a6b83917 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:11:41 +0200 +Subject: ALSA: 6fire: fix control and bulk message timeouts + +From: Johan Hovold + +commit 9b371c6cc37f954360989eec41c2ddc5a6b83917 upstream. + +USB control and bulk message timeouts are specified in milliseconds and +should specifically not vary with CONFIG_HZ. + +Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB") +Cc: stable@vger.kernel.org # 2.6.39 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025121142.6531-2-johan@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/6fire/comm.c | 2 +- + sound/usb/6fire/firmware.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/usb/6fire/comm.c ++++ b/sound/usb/6fire/comm.c +@@ -99,7 +99,7 @@ static int usb6fire_comm_send_buffer(u8 + int actual_len; + + ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, COMM_EP), +- buffer, buffer[1] + 2, &actual_len, HZ); ++ buffer, buffer[1] + 2, &actual_len, 1000); + if (ret < 0) + return ret; + else if (actual_len != buffer[1] + 2) +--- a/sound/usb/6fire/firmware.c ++++ b/sound/usb/6fire/firmware.c +@@ -166,7 +166,7 @@ static int usb6fire_fw_ezusb_write(struc + + ret = usb_control_msg(device, usb_sndctrlpipe(device, 0), type, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- value, 0, data, len, HZ); ++ value, 0, data, len, 1000); + if (ret < 0) + return ret; + else if (ret != len) +@@ -179,7 +179,7 @@ static int usb6fire_fw_ezusb_read(struct + { + int ret = usb_control_msg(device, usb_rcvctrlpipe(device, 0), type, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, value, +- 0, data, len, HZ); ++ 0, data, len, 1000); + if (ret < 0) + return ret; + else if (ret != len) +@@ -194,7 +194,7 @@ static int usb6fire_fw_fpga_write(struct + int ret; + + ret = usb_bulk_msg(device, usb_sndbulkpipe(device, FPGA_EP), data, len, +- 
&actual_len, HZ); ++ &actual_len, 1000); + if (ret < 0) + return ret; + else if (actual_len != len) diff --git a/queue-4.9/alsa-line6-fix-control-and-interrupt-message-timeouts.patch b/queue-4.9/alsa-line6-fix-control-and-interrupt-message-timeouts.patch new file mode 100644 index 00000000000..a751a6969d2 --- /dev/null +++ b/queue-4.9/alsa-line6-fix-control-and-interrupt-message-timeouts.patch 
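Review bot: The new literal `1000` at the four call sites carries no unit, and the change is a behaviour change on low-HZ configs that the changelog only states generically: the old `HZ` argument to usb_interrupt_msg()/usb_control_msg()/usb_bulk_msg() meant HZ milliseconds, i.e. 100 ms on CONFIG_HZ=100 and 1 s on HZ=1000, so the firmware-upload timeouts now become a fixed 1 s everywhere. Since this is a stable backport the code should stay identical to upstream, so the proposal is documentation only: a short comment at the first call site, `/* USB message timeouts are in milliseconds and must not scale with HZ */`, would stop the `HZ` idiom from being reintroduced. The enclosing functions (usb6fire_comm_send_buffer and the three firmware.c helpers) start and end outside the inner hunks.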
@@ -0,0 +1,138 @@ +From f4000b58b64344871d7b27c05e73932f137cfef6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:11:42 +0200 +Subject: ALSA: line6: fix control and interrupt message timeouts + +From: Johan Hovold + +commit f4000b58b64344871d7b27c05e73932f137cfef6 upstream. + +USB control and interrupt message timeouts are specified in milliseconds +and should specifically not vary with CONFIG_HZ. + +Fixes: 705ececd1c60 ("Staging: add line6 usb driver") +Cc: stable@vger.kernel.org # 2.6.30 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025121142.6531-3-johan@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/line6/driver.c | 14 +++++++------- + sound/usb/line6/driver.h | 2 +- + sound/usb/line6/podhd.c | 6 +++--- + sound/usb/line6/toneport.c | 2 +- + 4 files changed, 12 insertions(+), 12 deletions(-) + +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -110,12 +110,12 @@ static int line6_send_raw_message(struct + retval = usb_interrupt_msg(line6->usbdev, + usb_sndintpipe(line6->usbdev, properties->ep_ctrl_w), + (char *)frag_buf, frag_size, +- &partial, LINE6_TIMEOUT * HZ); ++ &partial, LINE6_TIMEOUT); + } else { + retval = usb_bulk_msg(line6->usbdev, + usb_sndbulkpipe(line6->usbdev, properties->ep_ctrl_w), + (char *)frag_buf, frag_size, +- &partial, LINE6_TIMEOUT * HZ); ++ &partial, LINE6_TIMEOUT); + } + + if (retval) { +@@ -351,7 +351,7 @@ int line6_read_data(struct usb_line6 *li + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + (datalen << 8) | 0x21, address, +- NULL, 0, LINE6_TIMEOUT * HZ); ++ NULL, 0, LINE6_TIMEOUT); + + if (ret < 0) { + dev_err(line6->ifcdev, "read request failed (error %d)\n", ret); +@@ -366,7 +366,7 @@ int line6_read_data(struct usb_line6 *li + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, + 0x0012, 0x0000, len, 1, +- LINE6_TIMEOUT * HZ); ++ LINE6_TIMEOUT); + if (ret < 
0) { + dev_err(line6->ifcdev, + "receive length failed (error %d)\n", ret); +@@ -394,7 +394,7 @@ int line6_read_data(struct usb_line6 *li + ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, + 0x0013, 0x0000, data, datalen, +- LINE6_TIMEOUT * HZ); ++ LINE6_TIMEOUT); + + if (ret < 0) + dev_err(line6->ifcdev, "read failed (error %d)\n", ret); +@@ -426,7 +426,7 @@ int line6_write_data(struct usb_line6 *l + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + 0x0022, address, data, datalen, +- LINE6_TIMEOUT * HZ); ++ LINE6_TIMEOUT); + + if (ret < 0) { + dev_err(line6->ifcdev, +@@ -442,7 +442,7 @@ int line6_write_data(struct usb_line6 *l + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, + 0x0012, 0x0000, +- status, 1, LINE6_TIMEOUT * HZ); ++ status, 1, LINE6_TIMEOUT); + + if (ret < 0) { + dev_err(line6->ifcdev, +--- a/sound/usb/line6/driver.h ++++ b/sound/usb/line6/driver.h +@@ -31,7 +31,7 @@ + #define LINE6_FALLBACK_INTERVAL 10 + #define LINE6_FALLBACK_MAXPACKETSIZE 16 + +-#define LINE6_TIMEOUT 1 ++#define LINE6_TIMEOUT 1000 + #define LINE6_BUFSIZE_LISTEN 64 + #define LINE6_MIDI_MESSAGE_MAXLEN 256 + +--- a/sound/usb/line6/podhd.c ++++ b/sound/usb/line6/podhd.c +@@ -232,7 +232,7 @@ static int podhd_dev_start(struct usb_li + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), + 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + 0x11, 0, +- NULL, 0, LINE6_TIMEOUT * HZ); ++ NULL, 0, LINE6_TIMEOUT); + if (ret < 0) { + dev_err(pod->line6.ifcdev, "read request failed (error %d)\n", ret); + goto exit; +@@ -242,7 +242,7 @@ static int podhd_dev_start(struct usb_li + ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, + 0x11, 0x0, +- init_bytes, 3, LINE6_TIMEOUT * HZ); ++ init_bytes, 3, LINE6_TIMEOUT); + if (ret < 0) { + dev_err(pod->line6.ifcdev, + "receive length failed 
(error %d)\n", ret); +@@ -262,7 +262,7 @@ static int podhd_dev_start(struct usb_li + USB_REQ_SET_FEATURE, + USB_TYPE_STANDARD | USB_RECIP_DEVICE | USB_DIR_OUT, + 1, 0, +- NULL, 0, LINE6_TIMEOUT * HZ); ++ NULL, 0, LINE6_TIMEOUT); + exit: + kfree(init_bytes); + return ret; +--- a/sound/usb/line6/toneport.c ++++ b/sound/usb/line6/toneport.c +@@ -133,7 +133,7 @@ static int toneport_send_cmd(struct usb_ + + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- cmd1, cmd2, NULL, 0, LINE6_TIMEOUT * HZ); ++ cmd1, cmd2, NULL, 0, LINE6_TIMEOUT); + + if (ret < 0) { + dev_err(&usbdev->dev, "send failed (error %d)\n", ret); diff --git a/queue-4.9/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch b/queue-4.9/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch new file mode 100644 index 00000000000..a75dd27e78f --- /dev/null +++ b/queue-4.9/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch 
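Review bot: Changing the macro's value from 1 to 1000 in driver.h silently rescales every remaining `LINE6_TIMEOUT` user, so any `LINE6_TIMEOUT * HZ` left in the 4.9 tree that upstream no longer had at the time of the fix would become a 1000*HZ ms timeout; worth a grep over sound/usb/line6/ in the 4.9 tree before merging (the diffstat touches only driver.c, driver.h, podhd.c and toneport.c). The macro name itself does not carry the unit; a comment on the define, `#define LINE6_TIMEOUT 1000 /* ms, must not be scaled by HZ */`, documents the contract. Each of the enclosing functions (line6_send_raw_message, line6_read_data, line6_write_data, podhd_dev_start, toneport_send_cmd) starts outside its inner hunk.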
@@ -0,0 +1,35 @@ +From d159037abbe3412285c271bdfb9cdf19e62678ff Mon Sep 17 00:00:00 2001 +From: Austin Kim +Date: Tue, 9 Nov 2021 00:37:42 +0000 +Subject: ALSA: synth: missing check for possible NULL after the call to kstrdup + +From: Austin Kim + +commit d159037abbe3412285c271bdfb9cdf19e62678ff upstream. + +If kcalloc() return NULL due to memory starvation, it is possible for +kstrdup() to return NULL in similar case. So add null check after the call +to kstrdup() is made. + +[ minor coding-style fix by tiwai ] + +Signed-off-by: Austin Kim +Cc: +Link: https://lore.kernel.org/r/20211109003742.GA5423@raspberrypi +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/synth/emux/emux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/synth/emux/emux.c ++++ b/sound/synth/emux/emux.c +@@ -101,7 +101,7 @@ int snd_emux_register(struct snd_emux *e + emu->name = kstrdup(name, GFP_KERNEL); + emu->voices = kcalloc(emu->max_voices, sizeof(struct snd_emux_voice), + GFP_KERNEL); +- if (emu->voices == NULL) ++ if (emu->name == NULL || emu->voices == NULL) + return -ENOMEM; + + /* create soundfont list */ diff --git a/queue-4.9/alsa-timer-fix-use-after-free-problem.patch b/queue-4.9/alsa-timer-fix-use-after-free-problem.patch new file mode 100644 index 00000000000..f97a7a6ac1a --- /dev/null +++ b/queue-4.9/alsa-timer-fix-use-after-free-problem.patch 
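Review bot: The early `return -ENOMEM` leaves whichever of `emu->name` / `emu->voices` did allocate attached to `emu` rather than freeing it here, so the fix is leak-free only if every caller releases `emu` through a path that frees both fields on failure (presumably snd_emux_free()); worth confirming for the 4.9 callers of snd_emux_register(). A comment on the check, `/* both fields are released by the caller's error path, not here */`, would record that ownership so a later reader does not add a second kfree. snd_emux_register continues outside the hunk.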
@@ -0,0 +1,53 @@ +From c0317c0e87094f5b5782b6fdef5ae0a4b150496c Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Wed, 3 Nov 2021 03:35:17 +0000 +Subject: ALSA: timer: Fix use-after-free problem + +From: Wang Wensheng + +commit c0317c0e87094f5b5782b6fdef5ae0a4b150496c upstream. + +When the timer instance was add into ack_list but was not currently in +process, the user could stop it via snd_timer_stop1() without delete it +from the ack_list. Then the user could free the timer instance and when +it was actually processed UAF occurred. + +This issue could be reproduced via testcase snd_timer01 in ltp - running +several instances of that testcase at the same time. + +What I actually met was that the ack_list of the timer broken and the +kernel went into deadloop with irqoff. That could be detected by +hardlockup detector on board or when we run it on qemu, we could use gdb +to dump the ack_list when the console has no response. + +To fix this issue, we delete the timer instance from ack_list and +active_list unconditionally in snd_timer_stop1(). + +Signed-off-by: Wang Wensheng +Suggested-by: Takashi Iwai +Cc: +Link: https://lore.kernel.org/r/20211103033517.80531-1-wangwensheng4@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -581,13 +581,13 @@ static int snd_timer_stop1(struct snd_ti + if (!timer) + return -EINVAL; + spin_lock_irqsave(&timer->lock, flags); ++ list_del_init(&timeri->ack_list); ++ list_del_init(&timeri->active_list); + if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | + SNDRV_TIMER_IFLG_START))) { + result = -EBUSY; + goto unlock; + } +- list_del_init(&timeri->ack_list); +- list_del_init(&timeri->active_list); + if (timer->card && timer->card->shutdown) + goto unlock; + if (stop) { 
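Review bot: The unlink now happens before the RUNNING/START check, so an instance that was already stopped is still removed from `ack_list`/`active_list` while `-EBUSY` is returned; that ordering is the whole fix and is easy to undo in a later cleanup, so it deserves a comment at the moved lines, e.g. `/* unlink unconditionally: a stopped instance may still be queued on ack_list and freed before it is processed */`. `list_del_init()` is safe on an already-unlinked entry, so no extra guard is needed. snd_timer_stop1 starts and ends outside the hunk.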
diff --git a/queue-4.9/alsa-timer-unconditionally-unlink-slave-instances-too.patch b/queue-4.9/alsa-timer-unconditionally-unlink-slave-instances-too.patch
new file mode 100644
index 00000000000..21b70ee234d
--- /dev/null
+++ b/queue-4.9/alsa-timer-unconditionally-unlink-slave-instances-too.patch
@@ -0,0 +1,55 @@ +From ffdd98277f0a1d15a67a74ae09bee713df4c0dbc Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 5 Nov 2021 10:15:17 +0100 +Subject: ALSA: timer: Unconditionally unlink slave instances, too + +From: Takashi Iwai + +commit ffdd98277f0a1d15a67a74ae09bee713df4c0dbc upstream. + +Like the previous fix (commit c0317c0e8709 "ALSA: timer: Fix +use-after-free problem"), we have to unlink slave timer instances +immediately at snd_timer_stop(), too. Otherwise it may leave a stale +entry in the list if the slave instance is freed before actually +running. + +Cc: +Link: https://lore.kernel.org/r/20211105091517.21733-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -622,23 +622,22 @@ static int snd_timer_stop1(struct snd_ti + static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop) + { + unsigned long flags; ++ bool running; + + spin_lock_irqsave(&slave_active_lock, flags); +- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) { +- spin_unlock_irqrestore(&slave_active_lock, flags); +- return -EBUSY; +- } ++ running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING; + timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; + if (timeri->timer) { + spin_lock(&timeri->timer->lock); + list_del_init(&timeri->ack_list); + list_del_init(&timeri->active_list); +- snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP : +- SNDRV_TIMER_EVENT_PAUSE); ++ if (running) ++ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP : ++ SNDRV_TIMER_EVENT_PAUSE); + spin_unlock(&timeri->timer->lock); + } + spin_unlock_irqrestore(&slave_active_lock, flags); +- return 0; ++ return running ? 0 : -EBUSY; + } + + /* diff --git a/queue-4.9/alsa-ua101-fix-division-by-zero-at-probe.patch b/queue-4.9/alsa-ua101-fix-division-by-zero-at-probe.patch new file mode 100644 index 00000000000..1926e287d1f 
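Review bot: `running` is captured before `SNDRV_TIMER_IFLG_RUNNING` is cleared and then drives both the notification and the return value, while the unlink from `ack_list`/`active_list` is now unconditional; a comment on the `running =` line stating that intent, `/* always unlink below; notify and report -EBUSY based on the prior state */`, would make the asymmetry look deliberate to a future reader. Assigning a masked int to `bool` relies on the implicit nonzero-to-true conversion, which is correct but `!!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)` is the more usual kernel spelling. The whole of snd_timer_stop_slave is visible in the hunk.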
--- /dev/null +++ b/queue-4.9/alsa-ua101-fix-division-by-zero-at-probe.patch @@ -0,0 +1,48 @@ +From 55f261b73a7e1cb254577c3536cef8f415de220a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 26 Oct 2021 11:54:01 +0200 +Subject: ALSA: ua101: fix division by zero at probe + +From: Johan Hovold + +commit 55f261b73a7e1cb254577c3536cef8f415de220a upstream. + +Add the missing endpoint max-packet sanity check to probe() to avoid +division by zero in alloc_stream_buffers() in case a malicious device +has broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support") +Cc: stable@vger.kernel.org # 2.6.34 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211026095401.26522-1-johan@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/misc/ua101.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/misc/ua101.c ++++ b/sound/usb/misc/ua101.c +@@ -1032,7 +1032,7 @@ static int detect_usb_format(struct ua10 + fmt_playback->bSubframeSize * ua->playback.channels; + + epd = &ua->intf[INTF_CAPTURE]->altsetting[1].endpoint[0].desc; +- if (!usb_endpoint_is_isoc_in(epd)) { ++ if (!usb_endpoint_is_isoc_in(epd) || usb_endpoint_maxp(epd) == 0) { + dev_err(&ua->dev->dev, "invalid capture endpoint\n"); + return -ENXIO; + } +@@ -1040,7 +1040,7 @@ static int detect_usb_format(struct ua10 + ua->capture.max_packet_bytes = usb_endpoint_maxp(epd); + + epd = &ua->intf[INTF_PLAYBACK]->altsetting[1].endpoint[0].desc; +- if (!usb_endpoint_is_isoc_out(epd)) { ++ if (!usb_endpoint_is_isoc_out(epd) || usb_endpoint_maxp(epd) == 0) { + dev_err(&ua->dev->dev, "invalid playback endpoint\n"); + return -ENXIO; + } 
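Review bot: The two new `usb_endpoint_maxp(epd) == 0` checks guard a division that happens later in alloc_stream_buffers(), so the reason is not visible at the check site; a comment such as `/* maxp == 0 would later divide by zero in alloc_stream_buffers() */` above the capture check would tie the two together. One 4.9-specific caveat to confirm: if this tree's usb_endpoint_maxp() still returns the raw wMaxPacketSize including the high multiplier bits, the check still rejects a zero divisor but `max_packet_bytes` may exceed the real per-packet payload for a malformed descriptor. detect_usb_format starts and ends outside the hunks.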
diff --git a/queue-4.9/fuse-fix-page-stealing.patch b/queue-4.9/fuse-fix-page-stealing.patch
new file mode 100644
index 00000000000..d9157c784e6
--- /dev/null
+++ b/queue-4.9/fuse-fix-page-stealing.patch
@@ -0,0 +1,64 @@ +From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 2 Nov 2021 11:10:37 +0100 +Subject: fuse: fix page stealing + +From: Miklos Szeredi + +commit 712a951025c0667ff00b25afc360f74e639dfabe upstream. + +It is possible to trigger a crash by splicing anon pipe bufs to the fuse +device. + +The reason for this is that anon_pipe_buf_release() will reuse buf->page if +the refcount is 1, but that page might have already been stolen and its +flags modified (e.g. PG_lru added). + +This happens in the unlikely case of fuse_dev_splice_write() getting around +to calling pipe_buf_release() after a page has been stolen, added to the +page cache and removed from the page cache. + +Fix by calling pipe_buf_release() right after the page was inserted into +the page cache. In this case the page has an elevated refcount so any +release function will know that the page isn't reusable. + +Reported-by: Frank Dinoff +Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/ +Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") +Cc: # v2.6.35 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -898,6 +898,12 @@ static int fuse_try_move_page(struct fus + goto out_put_old; + } + ++ /* ++ * Release while we have extra ref on stolen page. Otherwise ++ * anon_pipe_buf_release() might think the page can be reused. 
++ */ ++ pipe_buf_release(cs->pipe, buf); ++ + get_page(newpage); + + if (!(buf->flags & PIPE_BUF_FLAG_LRU)) +@@ -2040,8 +2046,12 @@ static ssize_t fuse_dev_splice_write(str + + pipe_lock(pipe); + out_free: +- for (idx = 0; idx < nbuf; idx++) +- pipe_buf_release(pipe, &bufs[idx]); ++ for (idx = 0; idx < nbuf; idx++) { ++ struct pipe_buffer *buf = &bufs[idx]; ++ ++ if (buf->ops) ++ pipe_buf_release(pipe, buf); ++ } + pipe_unlock(pipe); + + kfree(bufs); diff --git a/queue-4.9/series b/queue-4.9/series index 7bca4816616..314195317f0 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -8,3 +8,11 @@ ocfs2-fix-data-corruption-on-truncate.patch mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch parisc-fix-ptrace-check-on-syscall-return.patch media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch +alsa-ua101-fix-division-by-zero-at-probe.patch +alsa-6fire-fix-control-and-bulk-message-timeouts.patch +alsa-line6-fix-control-and-interrupt-message-timeouts.patch +alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch +alsa-timer-fix-use-after-free-problem.patch +alsa-timer-unconditionally-unlink-slave-instances-too.patch +fuse-fix-page-stealing.patch +x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch diff --git a/queue-4.9/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch b/queue-4.9/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch new file mode 100644 index 00000000000..7b44a4776ed --- /dev/null +++ b/queue-4.9/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch 
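Review bot: The `if (buf->ops)` guard in fuse_dev_splice_write's cleanup loop only works because the `pipe_buf_release()` now called from fuse_try_move_page() is expected to clear `buf->ops`, which is how the two hunks cooperate but is stated nowhere; a comment on the guard, `/* bufs already released by fuse_try_move_page() have ops == NULL */`, would document that coupling (assuming pipe_buf_release() in 4.9 clears ops as mainline does — worth verifying before merging). Both fuse_try_move_page and fuse_dev_splice_write start outside their hunks.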
@@ -0,0 +1,43 @@ +From 6ff53f6a438f72998f56e82e76694a1df9d1ea2c Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 8 Oct 2021 17:11:04 -0700 +Subject: x86/irq: Ensure PI wakeup handler is unregistered before module unload + +From: Sean Christopherson + +commit 6ff53f6a438f72998f56e82e76694a1df9d1ea2c upstream. + +Add a synchronize_rcu() after clearing the posted interrupt wakeup handler +to ensure all readers, i.e. in-flight IRQ handlers, see the new handler +before returning to the caller. If the caller is an exiting module and +is unregistering its handler, failure to wait could result in the IRQ +handler jumping into an unloaded module. + +The registration path doesn't require synchronization, as it's the +caller's responsibility to not generate interrupts it cares about until +after its handler is registered. + +Fixes: f6b3c72c2366 ("x86/irq: Define a global vector for VT-d Posted-Interrupts") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20211009001107.3936588-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/irq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/irq.c ++++ b/arch/x86/kernel/irq.c +@@ -284,8 +284,10 @@ void kvm_set_posted_intr_wakeup_handler( + { + if (handler) + kvm_posted_intr_wakeup_handler = handler; +- else ++ else { + kvm_posted_intr_wakeup_handler = dummy_handler; ++ synchronize_rcu(); ++ } + } + EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler); + -- 2.47.2
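Review bot: The new `synchronize_rcu()` only protects the unregistering module if every caller of the handler runs inside an RCU read-side critical section; the IRQ handler qualifies implicitly as hardirq context, but that assumption is not written down and the handler store itself is a plain assignment. A comment on the call, `/* wait for in-flight IRQ handlers (implicit RCU readers) so an unloading caller cannot be entered afterwards */`, would record the contract. Style: kernel convention braces both branches once one needs braces, so `if (handler) {` ... `} else {` rather than a braced else against an unbraced if. kvm_set_posted_intr_wakeup_handler is fully visible in the hunk.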