From ecc3c9208e0db0d06d7e7ffa389f4514c54c33fc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Aug 2018 07:28:40 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
      bluetooth-avoid-killing-an-already-killed-socket.patch
      x86-mm-simplify-pd_page-macros.patch
---
 .../alsa-seq-fix-poll-error-return.patch | 46 -----
 ...oid-killing-an-already-killed-socket.patch | 195 ++++++++++++++++++
 queue-4.9/series | 3 +-
 .../x86-mm-simplify-pd_page-macros.patch | 96 +++++++++
 4 files changed, 293 insertions(+), 47 deletions(-)
 delete mode 100644 queue-4.9/alsa-seq-fix-poll-error-return.patch
 create mode 100644 queue-4.9/bluetooth-avoid-killing-an-already-killed-socket.patch
 create mode 100644 queue-4.9/x86-mm-simplify-pd_page-macros.patch

diff --git a/queue-4.9/alsa-seq-fix-poll-error-return.patch b/queue-4.9/alsa-seq-fix-poll-error-return.patch
deleted file mode 100644
index d57dcbeee53..00000000000
--- a/queue-4.9/alsa-seq-fix-poll-error-return.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a49a71f6e25da2acc637fcd31e73debd96ca18f8 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Wed, 25 Jul 2018 16:34:12 +0200
-Subject: ALSA: seq: Fix poll() error return
-
-From: Takashi Iwai
-
-commit a49a71f6e25da2acc637fcd31e73debd96ca18f8 upstream.
-
-The sanity checks in ALSA sequencer and OSS sequencer emulation codes
-return falsely -ENXIO from poll callback. They should be EPOLLERR
-instead.
-
-This was caught thanks to the recent change to the return value.
-
-Cc:
-Signed-off-by: Takashi Iwai
-Signed-off-by: Greg Kroah-Hartman
-
----
- sound/core/seq/oss/seq_oss.c | 2 +-
- sound/core/seq/seq_clientmgr.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/sound/core/seq/oss/seq_oss.c
-+++ b/sound/core/seq/oss/seq_oss.c
-@@ -203,7 +203,7 @@ odev_poll(struct file *file, poll_table
- struct seq_oss_devinfo *dp;
- dp = file->private_data;
- if (snd_BUG_ON(!dp))
-- return -ENXIO;
-+ return EPOLLERR;
- return snd_seq_oss_poll(dp, file, wait);
- }
-
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -1097,7 +1097,7 @@ static unsigned int snd_seq_poll(struct
-
- /* check client structures are in place */
- if (snd_BUG_ON(!client))
-- return -ENXIO;
-+ return EPOLLERR;
-
- if ((snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_INPUT) &&
- client->data.user.fifo) {
diff --git a/queue-4.9/bluetooth-avoid-killing-an-already-killed-socket.patch b/queue-4.9/bluetooth-avoid-killing-an-already-killed-socket.patch
new file mode 100644
index 00000000000..1f49f98bf83
--- /dev/null
+++ b/queue-4.9/bluetooth-avoid-killing-an-already-killed-socket.patch
@@ -0,0 +1,195 @@
+From 4e1a720d0312fd510699032c7694a362a010170f Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee
+Date: Sun, 15 Jul 2018 20:36:50 +0100
+Subject: Bluetooth: avoid killing an already killed socket
+
+From: Sudip Mukherjee
+
+commit 4e1a720d0312fd510699032c7694a362a010170f upstream.
+
+slub debug reported:
+
+[ 440.648642] =============================================================================
+[ 440.648649] BUG kmalloc-1024 (Tainted: G BU O ): Poison overwritten
+[ 440.648651] -----------------------------------------------------------------------------
+
+[ 440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
+[ 440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
+[ 440.648671] ___slab_alloc.constprop.24+0x1fc/0x292
+[ 440.648675] __slab_alloc.isra.18.constprop.23+0x1c/0x25
+[ 440.648677] __kmalloc+0xb6/0x17f
+[ 440.648680] sk_prot_alloc+0x6b/0xc6
+[ 440.648683] sk_alloc+0x1e/0xa1
+[ 440.648700] sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
+[ 440.648716] sco_connect_cfm+0x166/0x281 [bluetooth]
+[ 440.648731] hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
+[ 440.648746] hci_event_packet+0x28b/0x2326 [bluetooth]
+[ 440.648759] hci_rx_work+0x161/0x291 [bluetooth]
+[ 440.648764] process_one_work+0x163/0x2b2
+[ 440.648767] worker_thread+0x1a9/0x25c
+[ 440.648770] kthread+0xf8/0xfd
+[ 440.648774] ret_from_fork+0x2e/0x38
+[ 440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
+[ 440.648782] __slab_free+0x4b/0x27a
+[ 440.648784] kfree+0x12e/0x155
+[ 440.648787] __sk_destruct+0xd3/0xdf
+[ 440.648790] sk_destruct+0x27/0x29
+[ 440.648793] __sk_free+0x75/0x91
+[ 440.648795] sk_free+0x1c/0x1e
+[ 440.648810] sco_sock_kill+0x5a/0x5f [bluetooth]
+[ 440.648825] sco_conn_del+0x8e/0xba [bluetooth]
+[ 440.648840] sco_disconn_cfm+0x3a/0x41 [bluetooth]
+[ 440.648855] hci_event_packet+0x45e/0x2326 [bluetooth]
+[ 440.648868] hci_rx_work+0x161/0x291 [bluetooth]
+[ 440.648872] process_one_work+0x163/0x2b2
+[ 440.648875] worker_thread+0x1a9/0x25c
+[ 440.648877] kthread+0xf8/0xfd
+[ 440.648880] ret_from_fork+0x2e/0x38
+[ 440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x (null) flags=0x40008100
+[ 440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
+
+When KASAN was enabled, it reported:
+
+[ 210.096613] ==================================================================
+[ 210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
+[ 210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
+
+[ 210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G U O 4.14.47-20180606+ #2
+[ 210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
+[ 210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
+[ 210.096698] Call Trace:
+[ 210.096711] dump_stack+0x46/0x59
+[ 210.096722] print_address_description+0x6b/0x23b
+[ 210.096729] ? ex_handler_refcount+0x5b/0x127
+[ 210.096736] kasan_report+0x220/0x246
+[ 210.096744] ex_handler_refcount+0x5b/0x127
+[ 210.096751] ? ex_handler_clear_fs+0x85/0x85
+[ 210.096757] fixup_exception+0x8c/0x96
+[ 210.096766] do_trap+0x66/0x2c1
+[ 210.096773] do_error_trap+0x152/0x180
+[ 210.096781] ? fixup_bug+0x78/0x78
+[ 210.096817] ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[ 210.096824] ? __schedule+0x113b/0x1453
+[ 210.096830] ? sysctl_net_exit+0xe/0xe
+[ 210.096837] ? __wake_up_common+0x343/0x343
+[ 210.096843] ? insert_work+0x107/0x163
+[ 210.096850] invalid_op+0x1b/0x40
+[ 210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[ 210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
+[ 210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
+[ 210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
+[ 210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
+[ 210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
+[ 210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
+[ 210.096920] ? __sk_destruct+0x2c6/0x2d4
+[ 210.096959] hci_event_packet+0xff5/0x7de2 [bluetooth]
+[ 210.096969] ? __local_bh_enable_ip+0x43/0x5b
+[ 210.097004] ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
+[ 210.097039] ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
+[ 210.097075] ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
+[ 210.097093] ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
+[ 210.097102] ? __accumulate_pelt_segments+0x24/0x33
+[ 210.097109] ? __accumulate_pelt_segments+0x24/0x33
+[ 210.097115] ? __update_load_avg_se.isra.2+0x217/0x3a4
+[ 210.097122] ? set_next_entity+0x7c3/0x12cd
+[ 210.097128] ? pick_next_entity+0x25e/0x26c
+[ 210.097135] ? pick_next_task_fair+0x2ca/0xc1a
+[ 210.097141] ? switch_mm_irqs_off+0x346/0xb4f
+[ 210.097147] ? __switch_to+0x769/0xbc4
+[ 210.097153] ? compat_start_thread+0x66/0x66
+[ 210.097188] ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
+[ 210.097195] ? finish_task_switch+0x392/0x431
+[ 210.097228] ? hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097260] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097269] process_one_work+0x579/0x9e9
+[ 210.097277] worker_thread+0x68f/0x804
+[ 210.097285] kthread+0x31c/0x32b
+[ 210.097292] ? rescuer_thread+0x70c/0x70c
+[ 210.097299] ? kthread_create_on_node+0xa3/0xa3
+[ 210.097306] ret_from_fork+0x35/0x40
+
+[ 210.097314] Allocated by task 2040:
+[ 210.097323] kasan_kmalloc.part.1+0x51/0xc7
+[ 210.097328] __kmalloc+0x17f/0x1b6
+[ 210.097335] sk_prot_alloc+0xf2/0x1a3
+[ 210.097340] sk_alloc+0x22/0x297
+[ 210.097375] sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
+[ 210.097410] sco_connect_cfm+0x2d0/0x566 [bluetooth]
+[ 210.097443] hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
+[ 210.097476] hci_event_packet+0x85e/0x7de2 [bluetooth]
+[ 210.097507] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097512] process_one_work+0x579/0x9e9
+[ 210.097517] worker_thread+0x68f/0x804
+[ 210.097523] kthread+0x31c/0x32b
+[ 210.097529] ret_from_fork+0x35/0x40
+
+[ 210.097533] Freed by task 2040:
+[ 210.097539] kasan_slab_free+0xb3/0x15e
+[ 210.097544] kfree+0x103/0x1a9
+[ 210.097549] __sk_destruct+0x2c6/0x2d4
+[ 210.097584] sco_conn_del.isra.1+0xba/0x10e [bluetooth]
+[ 210.097617] hci_event_packet+0xff5/0x7de2 [bluetooth]
+[ 210.097648] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097653] process_one_work+0x579/0x9e9
+[ 210.097658] worker_thread+0x68f/0x804
+[ 210.097663] kthread+0x31c/0x32b
+[ 210.097670] ret_from_fork+0x35/0x40
+
+[ 210.097676] The buggy address belongs to the object at ffff880107e170e8
+ which belongs to the cache kmalloc-1024 of size 1024
+[ 210.097681] The buggy address is located 120 bytes inside of
+ 1024-byte region [ffff880107e170e8, ffff880107e174e8)
+[ 210.097683] The buggy address belongs to the page:
+[ 210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping: (null) index:0xffff880107e15b68 compound_mapcount: 0
+[ 210.110194] flags: 0x8000000000008100(slab|head)
+[ 210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
+[ 210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
+[ 210.115451] page dumped because: kasan: bad access detected
+
+[ 210.115454] Memory state around the buggy address:
+[ 210.115460] ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 210.115465] ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
+[ 210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115472] ^
+[ 210.115477] ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115481] ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115483] ==================================================================
+
+And finally when BT_DBG() and ftrace was enabled it showed:
+
+ <...>-14979 [001] .... 186.104191: sco_sock_kill <-sco_sock_close
+ <...>-14979 [001] .... 186.104191: sco_sock_kill <-sco_sock_release
+ <...>-14979 [001] .... 186.104192: sco_sock_kill: sk ef0497a0 state 9
+ <...>-14979 [001] .... 186.104193: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792 [001] .... 186.104246: sco_sock_kill <-sco_conn_del
+kworker/u9:2-792 [001] .... 186.104248: sco_sock_kill: sk ef0497a0 state 9
+kworker/u9:2-792 [001] .... 186.104249: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792 [001] .... 186.104250: sco_sock_destruct <-__sk_destruct
+kworker/u9:2-792 [001] .... 186.104250: sco_sock_destruct: sk ef0497a0
+kworker/u9:2-792 [001] .... 186.104860: hci_conn_del <-hci_event_packet
+kworker/u9:2-792 [001] .... 186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
+
+Only in the failed case, sco_sock_kill() gets called with the same sock
+pointer two times. Add a check for SOCK_DEAD to avoid continue killing
+a socket which has already been killed.
+
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/sco.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -392,7 +392,8 @@ static void sco_sock_cleanup_listen(stru
+ */
+ static void sco_sock_kill(struct sock *sk)
+ {
+- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
++ sock_flag(sk, SOCK_DEAD))
+ return;
+
+ BT_DBG("sk %p state %d", sk, sk->sk_state);
diff --git a/queue-4.9/series b/queue-4.9/series
index eadb16e2c6f..8611a742799 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,10 +13,11 @@ alsa-cs5535audio-fix-invalid-endian-conversion.patch
 alsa-hda-correct-asrock-b85m-itx-power_save-blacklist-entry.patch
 alsa-memalloc-don-t-exceed-over-the-requested-size.patch
 alsa-vxpocket-fix-invalid-endian-conversions.patch
-alsa-seq-fix-poll-error-return.patch
 usb-serial-sierra-fix-potential-deadlock-at-close.patch
 usb-option-add-support-for-dw5821e.patch
 acpi-pm-save-nvs-memory-for-asus-1025c-laptop.patch
 tty-serial-8250-revert-nxp-sc16c2552-workaround.patch
 serial-8250_dw-always-set-baud-rate-in-dw8250_set_termios.patch
 serial-8250_dw-add-acpi-support-for-uart-on-broadcom-soc.patch
+x86-mm-simplify-pd_page-macros.patch
+bluetooth-avoid-killing-an-already-killed-socket.patch
diff --git a/queue-4.9/x86-mm-simplify-pd_page-macros.patch b/queue-4.9/x86-mm-simplify-pd_page-macros.patch
new file mode 100644
index 00000000000..1f1353b2da2
--- /dev/null
+++ b/queue-4.9/x86-mm-simplify-pd_page-macros.patch
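Review bot: The added `sock_flag(sk, SOCK_DEAD)` test in sco_sock_kill() is not explained at the point of use, and the function's header comment (only its closing ` */` is inside the hunk) presumably still describes only the zapped/orphan conditions; both should now name the second-kill case. The ftrace excerpt in the description shows sco_sock_kill() reached once via sco_sock_close()/sco_sock_release() and again via sco_conn_del() for the same sk, so a comment such as `/* sco_conn_del() may kill an sk that sco_sock_close() already killed; SOCK_DEAD marks that first kill, so never free it twice. */` records why the flag is consulted. The guard relies on the first kill path having set SOCK_DEAD before the second caller reaches this test; that setter is outside the hunk (presumably lower in sco_sock_kill()), so naming it in the comment makes the invariant easy to verify. sco_sock_kill()'s body continues past the end of the hunk.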
@@ -0,0 +1,96 @@
+From fd7e315988b784509ba3f1b42f539bd0b1fca9bb Mon Sep 17 00:00:00 2001
+From: Tom Lendacky
+Date: Mon, 17 Jul 2017 16:10:06 -0500
+Subject: x86/mm: Simplify p[g4um]d_page() macros
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom Lendacky
+
+commit fd7e315988b784509ba3f1b42f539bd0b1fca9bb upstream.
+
+Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then
+use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of
+duplicating the code.
+
+Signed-off-by: Tom Lendacky
+Reviewed-by: Thomas Gleixner
+Reviewed-by: Borislav Petkov
+Cc: Alexander Potapenko
+Cc: Andrey Ryabinin
+Cc: Andy Lutomirski
+Cc: Arnd Bergmann
+Cc: Borislav Petkov
+Cc: Brijesh Singh
+Cc: Dave Young
+Cc: Dmitry Vyukov
+Cc: Jonathan Corbet
+Cc: Konrad Rzeszutek Wilk
+Cc: Larry Woodman
+Cc: Linus Torvalds
+Cc: Matt Fleming
+Cc: Michael S. Tsirkin
+Cc: Paolo Bonzini
+Cc: Peter Zijlstra
+Cc: Radim Krčmář
+Cc: Rik van Riel
+Cc: Toshimitsu Kani
+Cc: kasan-dev@googlegroups.com
+Cc: kvm@vger.kernel.org
+Cc: linux-arch@vger.kernel.org
+Cc: linux-doc@vger.kernel.org
+Cc: linux-efi@vger.kernel.org
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/e61eb533a6d0aac941db2723d8aa63ef6b882dee.1500319216.git.thomas.lendacky@amd.com
+Signed-off-by: Ingo Molnar
+[Backported to 4.9 stable by AK, suggested by Michael Hocko]
+Signed-off-by: Andi Kleen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/pgtable.h | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -190,6 +190,11 @@ static inline unsigned long pud_pfn(pud_
+ return (pfn & pud_pfn_mask(pud)) >> PAGE_SHIFT;
+ }
+
++static inline unsigned long pgd_pfn(pgd_t pgd)
++{
++ return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT;
++}
++
+ #define pte_page(pte) pfn_to_page(pte_pfn(pte))
+
+ static inline int pmd_large(pmd_t pte)
+@@ -621,8 +626,7 @@ static inline unsigned long pmd_page_vad
+ * Currently stuck as a macro due to indirect forward reference to
+ * linux/mmzone.h's __section_mem_map_addr() definition:
+ */
+-#define pmd_page(pmd) \
+- pfn_to_page((pmd_val(pmd) & pmd_pfn_mask(pmd)) >> PAGE_SHIFT)
++#define pmd_page(pmd) pfn_to_page(pmd_pfn(pmd))
+
+ /*
+ * the pmd page can be thought of an array like this: pmd_t[PTRS_PER_PMD]
+@@ -690,8 +694,7 @@ static inline unsigned long pud_page_vad
+ * Currently stuck as a macro due to indirect forward reference to
+ * linux/mmzone.h's __section_mem_map_addr() definition:
+ */
+-#define pud_page(pud) \
+- pfn_to_page((pud_val(pud) & pud_pfn_mask(pud)) >> PAGE_SHIFT)
++#define pud_page(pud) pfn_to_page(pud_pfn(pud))
+
+ /* Find an entry in the second-level page table.. */
+ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
+@@ -731,7 +734,7 @@ static inline unsigned long pgd_page_vad
+ * Currently stuck as a macro due to indirect forward reference to
+ * linux/mmzone.h's __section_mem_map_addr() definition:
+ */
+-#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)
++#define pgd_page(pgd) pfn_to_page(pgd_pfn(pgd))
+
+ /* to find an entry in a page-table-directory. */
+ static inline unsigned long pud_index(unsigned long address)
-- 
2.47.3
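Review bot: The new `pgd_page(pgd)` masks `pgd_val(pgd)` with `PTE_PFN_MASK` through `pgd_pfn()`, whereas the removed `#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)` shifted the raw value, so a pgd with bits set above the PFN field now yields a different pfn; the description only speaks of removing duplication and should state that this masking is intended. Unlike `pud_pfn()`, which goes through `pud_pfn_mask(pud)`, `pgd_pfn()` applies `PTE_PFN_MASK` directly, so a one-line comment on it, e.g. `/* no per-level mask helper for the pgd; PTE_PFN_MASK also drops the non-PFN bits the old pgd_page() left in */`, would spare the next backporter the comparison. The description also calls pgd_pfn() a macro although it is added as a static inline. The pud_pfn(), pmd_page_vaddr(), pud_page_vaddr() and pgd_page_vaddr() definitions named in the inner hunk headers begin outside the hunk.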