5.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 13 Jun 2019 09:13:55 +0000 (11:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 13 Jun 2019 09:13:55 +0000 (11:13 +0200)
added patches:
alsa-seq-cover-unsubscribe_port-in-list_mutex.patch
io_uring-fix-failure-to-verify-sq_aff-cpu.patch

queue-5.1/alsa-seq-cover-unsubscribe_port-in-list_mutex.patch [new file with mode: 0644]
queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch [deleted file]
queue-5.1/io_uring-fix-failure-to-verify-sq_aff-cpu.patch [new file with mode: 0644]
queue-5.1/series

diff --git a/queue-5.1/alsa-seq-cover-unsubscribe_port-in-list_mutex.patch b/queue-5.1/alsa-seq-cover-unsubscribe_port-in-list_mutex.patch
new file mode 100644 (file)
index 0000000..9ee4b66
--- /dev/null
@@ -0,0 +1,37 @@
+From 7c32ae35fbf9cffb7aa3736f44dec10c944ca18e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 12 Apr 2019 11:37:19 +0200
+Subject: ALSA: seq: Cover unsubscribe_port() in list_mutex
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7c32ae35fbf9cffb7aa3736f44dec10c944ca18e upstream.
+
+The call of unsubscribe_port() which manages the group count and
+module refcount from delete_and_unsubscribe_port() looks racy; it's
+not covered by the group list lock, and it's likely a cause of the
+reported unbalance at port deletion.  Let's move the call inside the
+group list_mutex to plug the hole.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_ports.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -550,10 +550,10 @@ static void delete_and_unsubscribe_port(
+               list_del_init(list);
+       grp->exclusive = 0;
+       write_unlock_irq(&grp->list_lock);
+-      up_write(&grp->list_mutex);
+       if (!empty)
+               unsubscribe_port(client, port, grp, &subs->info, ack);
++      up_write(&grp->list_mutex);
+ }
+ /* connect two ports */
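Review bot: Moving up_write(&grp->list_mutex) below the unsubscribe_port() call means that helper now runs with list_mutex held for write, so it must not itself take list_mutex or acquire any lock ordered before it; unsubscribe_port() is not visible in this hunk, so that is an assumption to confirm against seq_ports.c. The reason for the ordering lives only in the commit message, so I would add a comment above `if (!empty)`: `/* unsubscribe_port() touches the group count and module refcount; keep it under list_mutex so a concurrent deletion cannot unbalance them */`. delete_and_unsubscribe_port() begins outside the hunk, and the nested `@@ -550,10 +550,10 @@` header counts more lines than are shown, so a few context lines (likely blanks) appear to have been dropped by the page rendering rather than by the patch.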
diff --git a/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch b/queue-5.1/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
deleted file mode 100644 (file)
index 6fa8c79..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-From b9ab7c8a9ce76312d4696c6f9004dd8de29ec702 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Tue, 9 Apr 2019 17:35:22 +0200
-Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
-
-[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
-
-ALSA OSS sequencer calls the ioctl function indirectly via
-snd_seq_kernel_client_ctl().  While we already applied the protection
-against races between the normal ioctls and writes via the client's
-ioctl_mutex, this code path was left untouched.  And this seems to be
-the cause of still remaining some rare UAF as spontaneously triggered
-by syzkaller.
-
-For the sake of robustness, wrap the ioctl_mutex also for the call via
-snd_seq_kernel_client_ctl(), too.
-
-Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/core/seq/seq_clientmgr.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index 38e7deab6384..b3280e81bfd1 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
- {
-       const struct ioctl_handler *handler;
-       struct snd_seq_client *client;
-+      int err;
-       client = clientptr(clientid);
-       if (client == NULL)
-               return -ENXIO;
-       for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
--              if (handler->cmd == cmd)
--                      return handler->func(client, arg);
-+              if (handler->cmd == cmd) {
-+                      mutex_lock(&client->ioctl_mutex);
-+                      err = handler->func(client, arg);
-+                      mutex_unlock(&client->ioctl_mutex);
-+                      return err;
-+              }
-       }
-       pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
--- 
-2.20.1
-
diff --git a/queue-5.1/io_uring-fix-failure-to-verify-sq_aff-cpu.patch b/queue-5.1/io_uring-fix-failure-to-verify-sq_aff-cpu.patch
new file mode 100644 (file)
index 0000000..da02dc0
--- /dev/null
@@ -0,0 +1,47 @@
+From 44a9bd18a0f06bba19d155aeaa11e2edce898293 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 14 May 2019 20:00:30 -0600
+Subject: io_uring: fix failure to verify SQ_AFF cpu
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 44a9bd18a0f06bba19d155aeaa11e2edce898293 upstream.
+
+The test case we have is rightfully failing with the current kernel:
+
+io_uring_setup(1, 0x7ffe2cafebe0), flags: IORING_SETUP_SQPOLL|IORING_SETUP_SQ_AFF, resv: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000, sq_thread_cpu: 4
+expected -1, got 3
+
+This is in a vm, and CPU3 is the last valid one, hence asking for 4
+should fail the setup with -EINVAL, not succeed. The problem is that
+we're using array_index_nospec() with nr_cpu_ids as the index, hence we
+wrap and end up using CPU0 instead of CPU4. This makes the setup
+succeed where it should be failing.
+
+We don't need to use array_index_nospec() as we're not indexing any
+array with this. Instead just compare with nr_cpu_ids directly. This
+is fine as we're checking with cpu_online() afterwards.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/io_uring.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2330,10 +2330,11 @@ static int io_sq_offload_start(struct io
+                       ctx->sq_thread_idle = HZ;
+               if (p->flags & IORING_SETUP_SQ_AFF) {
+-                      int cpu = array_index_nospec(p->sq_thread_cpu,
+-                                                      nr_cpu_ids);
++                      int cpu = p->sq_thread_cpu;
+                       ret = -EINVAL;
++                      if (cpu >= nr_cpu_ids)
++                              goto err;
+                       if (!cpu_online(cpu))
+                               goto err;
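Review bot: `int cpu = p->sq_thread_cpu;` narrows a user-supplied 32-bit unsigned field (a __u32 in the uapi struct, as far as I recall) into a signed int, so the new `cpu >= nr_cpu_ids` guard only rejects values above INT_MAX because the comparison promotes cpu back to unsigned against the unsigned nr_cpu_ids; declaring it `unsigned int cpu = p->sq_thread_cpu;` makes the range check self-evidently correct without leaning on that promotion. With array_index_nospec() gone, this check is also what keeps the following cpu_online(cpu) mask lookup in range for an attacker-chosen value, which deserves a comment on the guard: `/* sq_thread_cpu is user-controlled; bound it before cpu_online() indexes the mask */`. io_sq_offload_start() begins and ends outside the hunk, and the nested hunk header counts more lines than appear here, so some trailing context seems to have been dropped by the page rendering.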
index 3102370abeb7be3cba2d4ee2cd034e2d12f26f6f..3a8ae5cc022c62334312c8ed407eafdfdc945e80 100644 (file)
@@ -114,7 +114,6 @@ arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch
 pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch
 drm-amd-display-disable-link-before-changing-link-se.patch
 drm-amd-display-use-plane-color_space-for-dpp-if-spe.patch
-alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
 arm-omap2-pm33xx-core-do-not-turn-off-cefuse-as-ppa-.patch
 pinctrl-pinctrl-intel-move-gpio-suspend-resume-to-no.patch
 platform-x86-intel_pmc_ipc-adding-error-handling.patch
@@ -153,3 +152,5 @@ revert-bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections
 revert-drm-nouveau-add-kconfig-option-to-turn-off-nouveau-legacy-contexts.-v3.patch
 ovl-check-the-capability-before-cred-overridden.patch
 ovl-support-stacked-seek_hole-seek_data.patch
+alsa-seq-cover-unsubscribe_port-in-list_mutex.patch
+io_uring-fix-failure-to-verify-sq_aff-cpu.patch