4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Apr 2020 15:45:10 +0000 (17:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Apr 2020 15:45:10 +0000 (17:45 +0200)
added patches:
alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
alsa-usx2y-fix-potential-null-dereference.patch
asoc-dapm-fixup-dapm-kcontrol-widget.patch
audit-check-the-length-of-userspace-generated-audit-records.patch
kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
tty-rocket-avoid-oob-access.patch
usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch

12 files changed:
queue-4.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch [new file with mode: 0644]
queue-4.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch [new file with mode: 0644]
queue-4.4/alsa-usx2y-fix-potential-null-dereference.patch [new file with mode: 0644]
queue-4.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch [new file with mode: 0644]
queue-4.4/audit-check-the-length-of-userspace-generated-audit-records.patch [new file with mode: 0644]
queue-4.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch [new file with mode: 0644]
queue-4.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch [new file with mode: 0644]
queue-4.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch [new file with mode: 0644]
queue-4.4/tty-rocket-avoid-oob-access.patch [new file with mode: 0644]
queue-4.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch [new file with mode: 0644]

diff --git a/queue-4.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch b/queue-4.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
new file mode 100644 (file)
index 0000000..94d10d5
--- /dev/null
@@ -0,0 +1,105 @@
+From 1c826792586f526a5a5cd21d55aad388f5bb0b23 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy <alexander@tsoy.me>
+Date: Sat, 18 Apr 2020 20:58:15 +0300
+Subject: ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices
+
+From: Alexander Tsoy <alexander@tsoy.me>
+
+commit 1c826792586f526a5a5cd21d55aad388f5bb0b23 upstream.
+
+Many Focusrite devices supports a limited set of sample rates per
+altsetting. These includes audio interfaces with ADAT ports:
+ - Scarlett 18i6, 18i8 1st gen, 18i20 1st gen;
+ - Scarlett 18i8 2nd gen, 18i20 2nd gen;
+ - Scarlett 18i8 3rd gen, 18i20 3rd gen;
+ - Clarett 2Pre USB, 4Pre USB, 8Pre USB.
+
+Maximum rate is exposed in the last 4 bytes of Format Type descriptor
+which has a non-standard bLength = 10.
+
+Tested-by: Alexey Skobkin <skobkin-ru@ya.ru>
+Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200418175815.12211-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/format.c |   52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 52 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -223,6 +223,52 @@ static int parse_audio_format_rates_v1(s
+ }
+ /*
++ * Many Focusrite devices supports a limited set of sampling rates per
++ * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type
++ * descriptor which has a non-standard bLength = 10.
++ */
++static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
++                                      struct audioformat *fp,
++                                      unsigned int rate)
++{
++      struct usb_interface *iface;
++      struct usb_host_interface *alts;
++      unsigned char *fmt;
++      unsigned int max_rate;
++
++      iface = usb_ifnum_to_if(chip->dev, fp->iface);
++      if (!iface)
++              return true;
++
++      alts = &iface->altsetting[fp->altset_idx];
++      fmt = snd_usb_find_csint_desc(alts->extra, alts->extralen,
++                                    NULL, UAC_FORMAT_TYPE);
++      if (!fmt)
++              return true;
++
++      if (fmt[0] == 10) { /* bLength */
++              max_rate = combine_quad(&fmt[6]);
++
++              /* Validate max rate */
++              if (max_rate != 48000 &&
++                  max_rate != 96000 &&
++                  max_rate != 192000 &&
++                  max_rate != 384000) {
++
++                      usb_audio_info(chip,
++                              "%u:%d : unexpected max rate: %u\n",
++                              fp->iface, fp->altsetting, max_rate);
++
++                      return true;
++              }
++
++              return rate <= max_rate;
++      }
++
++      return true;
++}
++
++/*
+  * Helper function to walk the array of sample rate triplets reported by
+  * the device. The problem is that we need to parse whole array first to
+  * get to know how many sample rates we have to expect.
+@@ -258,6 +304,11 @@ static int parse_uac2_sample_rate_range(
+               }
+               for (rate = min; rate <= max; rate += res) {
++                      /* Filter out invalid rates on Focusrite devices */
++                      if (USB_ID_VENDOR(chip->usb_id) == 0x1235 &&
++                          !focusrite_valid_sample_rate(chip, fp, rate))
++                              goto skip_rate;
++
+                       if (fp->rate_table)
+                               fp->rate_table[nr_rates] = rate;
+                       if (!fp->rate_min || rate < fp->rate_min)
+@@ -272,6 +323,7 @@ static int parse_uac2_sample_rate_range(
+                               break;
+                       }
++skip_rate:
+                       /* avoid endless loop */
+                       if (res == 0)
+                               break;
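Review bot: focusrite_valid_sample_rate() is fail-open — a missing interface, a missing UAC_FORMAT_TYPE descriptor, a bLength other than 10 and an unrecognised max_rate all return true and accept the rate — but nothing in the code states that contract; the comment above the function only describes the descriptor layout. A one-line header would help the next reader: `/* Returns false only when a 10-byte Format Type descriptor proves the rate exceeds the device maximum; any lookup failure accepts the rate. */`. The combine_quad(&fmt[6]) read stays inside the 10-byte descriptor, which is only safe if the 4.4 snd_usb_find_csint_desc() already bounds bLength against extralen — worth confirming for the backport. Minor: the new comment reads "Many Focusrite devices supports"; "support".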
diff --git a/queue-4.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch b/queue-4.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
new file mode 100644 (file)
index 0000000..e30fc4f
--- /dev/null
@@ -0,0 +1,58 @@
+From 59e1947ca09ebd1cae147c08c7c41f3141233c84 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Thu, 23 Apr 2020 12:54:19 +0800
+Subject: ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 59e1947ca09ebd1cae147c08c7c41f3141233c84 upstream.
+
+snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which
+increases the refcount of the snd_usb_audio object "chip".
+
+When snd_microii_spdif_default_get() returns, local variable "chip"
+becomes invalid, so the refcount should be decreased to keep refcount
+balanced.
+
+The reference counting issue happens in several exception handling paths
+of snd_microii_spdif_default_get(). When those error scenarios occur
+such as usb_ifnum_to_if() returns NULL, the function forgets to decrease
+the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak.
+
+Fix this issue by jumping to "end" label when those error scenarios
+occur.
+
+Fixes: 447d6275f0c2 ("ALSA: usb-audio: Add sanity checks for endpoint accesses")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1587617711-13200-1-git-send-email-xiyuyang19@fudan.edu.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1519,11 +1519,15 @@ static int snd_microii_spdif_default_get
+       /* use known values for that card: interface#1 altsetting#1 */
+       iface = usb_ifnum_to_if(chip->dev, 1);
+-      if (!iface || iface->num_altsetting < 2)
+-              return -EINVAL;
++      if (!iface || iface->num_altsetting < 2) {
++              err = -EINVAL;
++              goto end;
++      }
+       alts = &iface->altsetting[1];
+-      if (get_iface_desc(alts)->bNumEndpoints < 1)
+-              return -EINVAL;
++      if (get_iface_desc(alts)->bNumEndpoints < 1) {
++              err = -EINVAL;
++              goto end;
++      }
+       ep = get_endpoint(alts, 0)->bEndpointAddress;
+       err = snd_usb_ctl_msg(chip->dev,
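Review bot: The two new `goto end` exits depend on the `end:` label releasing the shutdown lock taken by snd_usb_lock_shutdown() and returning `err`, but the lock call, the label and the return are all outside the hunk, so the 4.4 body of snd_microii_spdif_default_get() should be checked to confirm that `end:` really performs the unlock (the commit message asserts it for upstream; it cannot be seen here). A short comment on the first exit would make the reason for the goto visible in the code itself: `/* drop the shutdown-lock reference taken above */`. The enclosing function begins and ends outside the hunk.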
diff --git a/queue-4.4/alsa-usx2y-fix-potential-null-dereference.patch b/queue-4.4/alsa-usx2y-fix-potential-null-dereference.patch
new file mode 100644 (file)
index 0000000..600404f
--- /dev/null
@@ -0,0 +1,34 @@
+From 7686e3485253635c529cdd5f416fc640abaf076f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 20 Apr 2020 09:55:29 +0200
+Subject: ALSA: usx2y: Fix potential NULL dereference
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7686e3485253635c529cdd5f416fc640abaf076f upstream.
+
+The error handling code in usX2Y_rate_set() may hit a potential NULL
+dereference when an error occurs before allocating all us->urb[].
+Add a proper NULL check for fixing the corner case.
+
+Reported-by: Lin Yi <teroincn@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200420075529.27203-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/usx2y/usbusx2yaudio.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/usx2y/usbusx2yaudio.c
++++ b/sound/usb/usx2y/usbusx2yaudio.c
+@@ -691,6 +691,8 @@ static int usX2Y_rate_set(struct usX2Yde
+                       us->submitted = 2*NOOF_SETRATE_URBS;
+                       for (i = 0; i < NOOF_SETRATE_URBS; ++i) {
+                               struct urb *urb = us->urb[i];
++                              if (!urb)
++                                      continue;
+                               if (urb->status) {
+                                       if (!err)
+                                               err = -ENODEV;
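Review bot: The added `if (!urb) continue;` is unexplained in place; a reader of the loop cannot tell why an entry of us->urb[] may be NULL. Suggest `/* urb[i] is NULL if allocation failed part-way; nothing was submitted for it */` — the first clause comes from the commit message, the second is inferred and should be confirmed against the allocation path, which is outside the hunk. usX2Y_rate_set() starts and ends outside the hunk, so whether `err` is still set when every urb is NULL cannot be checked here.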
diff --git a/queue-4.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch b/queue-4.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch
new file mode 100644 (file)
index 0000000..8a691e6
--- /dev/null
@@ -0,0 +1,71 @@
+From ebf1474745b4373fdde0fcf32d9d1f369b50b212 Mon Sep 17 00:00:00 2001
+From: Gyeongtaek Lee <gt82.lee@samsung.com>
+Date: Sat, 18 Apr 2020 13:13:20 +0900
+Subject: ASoC: dapm: fixup dapm kcontrol widget
+
+From: Gyeongtaek Lee <gt82.lee@samsung.com>
+
+commit ebf1474745b4373fdde0fcf32d9d1f369b50b212 upstream.
+
+snd_soc_dapm_kcontrol widget which is created by autodisable control
+should contain correct on_val, mask and shift because it is set when the
+widget is powered and changed value is applied on registers by following
+code in dapm_seq_run_coalesced().
+
+               mask |= w->mask << w->shift;
+               if (w->power)
+                       value |= w->on_val << w->shift;
+               else
+                       value |= w->off_val << w->shift;
+
+Shift on the mask in dapm_kcontrol_data_alloc() is removed to prevent
+double shift.
+And, on_val in dapm_kcontrol_set_value() is modified to get correct
+value in the dapm_seq_run_coalesced().
+
+Signed-off-by: Gyeongtaek Lee <gt82.lee@samsung.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/000001d61537$b212f620$1638e260$@samsung.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c |   20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -384,7 +384,7 @@ static int dapm_kcontrol_data_alloc(stru
+                       memset(&template, 0, sizeof(template));
+                       template.reg = e->reg;
+-                      template.mask = e->mask << e->shift_l;
++                      template.mask = e->mask;
+                       template.shift = e->shift_l;
+                       template.off_val = snd_soc_enum_item_to_val(e, 0);
+                       template.on_val = template.off_val;
+@@ -510,8 +510,22 @@ static bool dapm_kcontrol_set_value(cons
+       if (data->value == value)
+               return false;
+-      if (data->widget)
+-              data->widget->on_val = value;
++      if (data->widget) {
++              switch (dapm_kcontrol_get_wlist(kcontrol)->widgets[0]->id) {
++              case snd_soc_dapm_switch:
++              case snd_soc_dapm_mixer:
++              case snd_soc_dapm_mixer_named_ctl:
++                      data->widget->on_val = value & data->widget->mask;
++                      break;
++              case snd_soc_dapm_demux:
++              case snd_soc_dapm_mux:
++                      data->widget->on_val = value >> data->widget->shift;
++                      break;
++              default:
++                      data->widget->on_val = value;
++                      break;
++              }
++      }
+       data->value = value;
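Review bot: The new switch normalises `value` differently per widget type (`& mask` for switch/mixer, `>> shift` for mux/demux, untouched otherwise) without saying why; the reasoning lives only in the commit message. A comment above the switch tying it to the consumer would save the next reader a trip: `/* on_val is applied as (on_val << shift) in dapm_seq_run_coalesced(), so store it unshifted: mixer values are bit values, mux values are register values */` — the mux half is my reading, confirm. `dapm_kcontrol_get_wlist(kcontrol)->widgets[0]` assumes the wlist is non-empty; presumably every DAPM kcontrol has at least one widget, but that is worth stating next to the access. The first hunk (template.mask no longer shifted) and this one only make sense together, since the unshifted mask is what `value & data->widget->mask` relies on.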
diff --git a/queue-4.4/audit-check-the-length-of-userspace-generated-audit-records.patch b/queue-4.4/audit-check-the-length-of-userspace-generated-audit-records.patch
new file mode 100644 (file)
index 0000000..a2f1869
--- /dev/null
@@ -0,0 +1,38 @@
+From 763dafc520add02a1f4639b500c509acc0ea8e5b Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Mon, 20 Apr 2020 16:24:34 -0400
+Subject: audit: check the length of userspace generated audit records
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream.
+
+Commit 756125289285 ("audit: always check the netlink payload length
+in audit_receive_msg()") fixed a number of missing message length
+checks, but forgot to check the length of userspace generated audit
+records.  The good news is that you need CAP_AUDIT_WRITE to submit
+userspace audit records, which is generally only given to trusted
+processes, so the impact should be limited.
+
+Cc: stable@vger.kernel.org
+Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
+Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -919,6 +919,9 @@ static int audit_receive_msg(struct sk_b
+       case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
+               if (!audit_enabled && msg_type != AUDIT_USER_AVC)
+                       return 0;
++              /* exit early if there isn't at least one character to print */
++              if (data_len < 2)
++                      return -EINVAL;
+               err = audit_filter_user(msg_type);
+               if (err == 1) { /* match or error */
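Review bot: The new `data_len < 2` guard carries a threshold whose justification is only half in the comment — "at least one character to print" explains 1, not 2. If the minimum is 2 because a userspace record counts its terminating NUL in data_len, say so: `/* need at least one character plus the terminating NUL */` — that is my inference and should be confirmed against how `data` is logged later in the function, which is outside the hunk. Because the guard sits after the audit_enabled check, a too-short record is still silently accepted (return 0) when auditing is disabled; that matches the surrounding cases but deserves a word in the comment.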
diff --git a/queue-4.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch b/queue-4.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
new file mode 100644 (file)
index 0000000..d13a937
--- /dev/null
@@ -0,0 +1,48 @@
+From b6467ab142b708dd076f6186ca274f14af379c72 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 7 Apr 2020 23:40:58 -0700
+Subject: KVM: Check validity of resolved slot when searching memslots
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit b6467ab142b708dd076f6186ca274f14af379c72 upstream.
+
+Check that the resolved slot (somewhat confusingly named 'start') is a
+valid/allocated slot before doing the final comparison to see if the
+specified gfn resides in the associated slot.  The resolved slot can be
+invalid if the binary search loop terminated because the search index
+was incremented beyond the number of used slots.
+
+This bug has existed since the binary search algorithm was introduced,
+but went unnoticed because KVM statically allocated memory for the max
+number of slots, i.e. the access would only be truly out-of-bounds if
+all possible slots were allocated and the specified gfn was less than
+the base of the lowest memslot.  Commit 36947254e5f98 ("KVM: Dynamically
+size memslot array based on number of used slots") eliminated the "all
+possible slots allocated" condition and made the bug embarrasingly easy
+to hit.
+
+Fixes: 9c1a5d38780e6 ("kvm: optimize GFN to memslot lookup with large slots amount")
+Reported-by: syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200408064059.8957-2-sean.j.christopherson@intel.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kvm_host.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -934,7 +934,7 @@ search_memslots(struct kvm_memslots *slo
+                       start = slot + 1;
+       }
+-      if (gfn >= memslots[start].base_gfn &&
++      if (start < slots->used_slots && gfn >= memslots[start].base_gfn &&
+           gfn < memslots[start].base_gfn + memslots[start].npages) {
+               atomic_set(&slots->lru_slot, start);
+               return &memslots[start];
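Review bot: The added `start < slots->used_slots` bound is right, but the reason a resolved index can be out of range is only in the commit message, and the variable named `start` is the result of the binary search, so a one-line comment would stop the next reader from "simplifying" the check away: `/* start == used_slots when the search ran off the high end; that is not a valid slot */`. search_memslots() begins outside the hunk; if it has an lru_slot fast path ahead of the search (the atomic_set on lru_slot suggests so), that path should be checked for the same bound.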
diff --git a/queue-4.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch b/queue-4.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
new file mode 100644 (file)
index 0000000..f8fc4f1
--- /dev/null
@@ -0,0 +1,36 @@
+From fb56baae5ea509e63c2a068d66a4d8ea91969fca Mon Sep 17 00:00:00 2001
+From: Uros Bizjak <ubizjak@gmail.com>
+Date: Tue, 14 Apr 2020 09:14:14 +0200
+Subject: KVM: VMX: Enable machine check support for 32bit targets
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+commit fb56baae5ea509e63c2a068d66a4d8ea91969fca upstream.
+
+There is no reason to limit the use of do_machine_check
+to 64bit targets. MCE handling works for both target familes.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Fixes: a0861c02a981 ("KVM: Add VT-x machine check support")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Message-Id: <20200414071414.45636-1-ubizjak@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5441,7 +5441,7 @@ static int handle_rmode_exception(struct
+  */
+ static void kvm_machine_check(void)
+ {
+-#if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64)
++#if defined(CONFIG_X86_MCE)
+       struct pt_regs regs = {
+               .cs = 3, /* Fake ring 3 no matter what the guest ran on */
+               .flags = X86_EFLAGS_IF,
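Review bot: Dropping CONFIG_X86_64 from the `#if` makes the fake pt_regs initializer and the do_machine_check() call below compile on 32-bit x86 for the first time, yet the remaining initializer fields and the call are outside the hunk; for a 4.4 backport it is worth confirming that 4.4's i386 pt_regs has every field named there and that do_machine_check() is declared for 32-bit in 4.4's headers (the commit message asserts only that MCE handling works on both). Recording the decision at the `#if` would help: `/* MCE handling is available on both 32- and 64-bit x86 */`. kvm_machine_check() ends outside the hunk.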
index 6b05e87dfd246c39c7e32bf7e253e229bd987861..9ab14acb9c5803454e1d894152b7d9650bcfaaad 100644 (file)
@@ -33,3 +33,14 @@ drivers-usb-core-don-t-disable-irqs-in-usb_sg_wait-during-urb-submit.patch
 drivers-usb-core-minimize-irq-disabling-in-usb_sg_cancel.patch
 usb-core-fix-free-while-in-use-bug-in-the-usb-s-glibrary.patch
 usb-hub-fix-handling-of-connect-changes-during-sleep.patch
+alsa-usx2y-fix-potential-null-dereference.patch
+alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
+alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
+kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
+kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
+tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
+tty-rocket-avoid-oob-access.patch
+usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
+signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
+audit-check-the-length-of-userspace-generated-audit-records.patch
+asoc-dapm-fixup-dapm-kcontrol-widget.patch
diff --git a/queue-4.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch b/queue-4.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
new file mode 100644 (file)
index 0000000..1c669fd
--- /dev/null
@@ -0,0 +1,180 @@
+From 61e713bdca3678e84815f2427f7a063fc353a1fc Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 20 Apr 2020 11:41:50 -0500
+Subject: signal: Avoid corrupting si_pid and si_uid in do_notify_parent
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 61e713bdca3678e84815f2427f7a063fc353a1fc upstream.
+
+Christof Meerwald <cmeerw@cmeerw.org> writes:
+> Hi,
+>
+> this is probably related to commit
+> 7a0cf094944e2540758b7f957eb6846d5126f535 (signal: Correct namespace
+> fixups of si_pid and si_uid).
+>
+> With a 5.6.5 kernel I am seeing SIGCHLD signals that don't include a
+> properly set si_pid field - this seems to happen for multi-threaded
+> child processes.
+>
+> A simple test program (based on the sample from the signalfd man page):
+>
+> #include <sys/signalfd.h>
+> #include <signal.h>
+> #include <unistd.h>
+> #include <spawn.h>
+> #include <stdlib.h>
+> #include <stdio.h>
+>
+> #define handle_error(msg) \
+>     do { perror(msg); exit(EXIT_FAILURE); } while (0)
+>
+> int main(int argc, char *argv[])
+> {
+>   sigset_t mask;
+>   int sfd;
+>   struct signalfd_siginfo fdsi;
+>   ssize_t s;
+>
+>   sigemptyset(&mask);
+>   sigaddset(&mask, SIGCHLD);
+>
+>   if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1)
+>     handle_error("sigprocmask");
+>
+>   pid_t chldpid;
+>   char *chldargv[] = { "./sfdclient", NULL };
+>   posix_spawn(&chldpid, "./sfdclient", NULL, NULL, chldargv, NULL);
+>
+>   sfd = signalfd(-1, &mask, 0);
+>   if (sfd == -1)
+>     handle_error("signalfd");
+>
+>   for (;;) {
+>     s = read(sfd, &fdsi, sizeof(struct signalfd_siginfo));
+>     if (s != sizeof(struct signalfd_siginfo))
+>       handle_error("read");
+>
+>     if (fdsi.ssi_signo == SIGCHLD) {
+>       printf("Got SIGCHLD %d %d %d %d\n",
+>           fdsi.ssi_status, fdsi.ssi_code,
+>           fdsi.ssi_uid, fdsi.ssi_pid);
+>       return 0;
+>     } else {
+>       printf("Read unexpected signal\n");
+>     }
+>   }
+> }
+>
+>
+> and a multi-threaded client to test with:
+>
+> #include <unistd.h>
+> #include <pthread.h>
+>
+> void *f(void *arg)
+> {
+>   sleep(100);
+> }
+>
+> int main()
+> {
+>   pthread_t t[8];
+>
+>   for (int i = 0; i != 8; ++i)
+>   {
+>     pthread_create(&t[i], NULL, f, NULL);
+>   }
+> }
+>
+> I tried to do a bit of debugging and what seems to be happening is
+> that
+>
+>   /* From an ancestor pid namespace? */
+>   if (!task_pid_nr_ns(current, task_active_pid_ns(t))) {
+>
+> fails inside task_pid_nr_ns because the check for "pid_alive" fails.
+>
+> This code seems to be called from do_notify_parent and there we
+> actually have "tsk != current" (I am assuming both are threads of the
+> current process?)
+
+I instrumented the code with a warning and received the following backtrace:
+> WARNING: CPU: 0 PID: 777 at kernel/pid.c:501 __task_pid_nr_ns.cold.6+0xc/0x15
+> Modules linked in:
+> CPU: 0 PID: 777 Comm: sfdclient Not tainted 5.7.0-rc1userns+ #2924
+> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+> RIP: 0010:__task_pid_nr_ns.cold.6+0xc/0x15
+> Code: ff 66 90 48 83 ec 08 89 7c 24 04 48 8d 7e 08 48 8d 74 24 04 e8 9a b6 44 00 48 83 c4 08 c3 48 c7 c7 59 9f ac 82 e8 c2 c4 04 00 <0f> 0b e9 3fd
+> RSP: 0018:ffffc9000042fbf8 EFLAGS: 00010046
+> RAX: 000000000000000c RBX: 0000000000000000 RCX: ffffc9000042faf4
+> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81193d29
+> RBP: ffffc9000042fc18 R08: 0000000000000000 R09: 0000000000000001
+> R10: 000000100f938416 R11: 0000000000000309 R12: ffff8880b941c140
+> R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880b941c140
+> FS:  0000000000000000(0000) GS:ffff8880bca00000(0000) knlGS:0000000000000000
+> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+> CR2: 00007f2e8c0a32e0 CR3: 0000000002e10000 CR4: 00000000000006f0
+> Call Trace:
+>  send_signal+0x1c8/0x310
+>  do_notify_parent+0x50f/0x550
+>  release_task.part.21+0x4fd/0x620
+>  do_exit+0x6f6/0xaf0
+>  do_group_exit+0x42/0xb0
+>  get_signal+0x13b/0xbb0
+>  do_signal+0x2b/0x670
+>  ? __audit_syscall_exit+0x24d/0x2b0
+>  ? rcu_read_lock_sched_held+0x4d/0x60
+>  ? kfree+0x24c/0x2b0
+>  do_syscall_64+0x176/0x640
+>  ? trace_hardirqs_off_thunk+0x1a/0x1c
+>  entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+The immediate problem is as Christof noticed that "pid_alive(current) == false".
+This happens because do_notify_parent is called from the last thread to exit
+in a process after that thread has been reaped.
+
+The bigger issue is that do_notify_parent can be called from any
+process that manages to wait on a thread of a multi-threaded process
+from wait_task_zombie.  So any logic based upon current for
+do_notify_parent is just nonsense, as current can be pretty much
+anything.
+
+So change do_notify_parent to call __send_signal directly.
+
+Inspecting the code it appears this problem has existed since the pid
+namespace support started handling this case in 2.6.30.  This fix only
+backports to 7a0cf094944e ("signal: Correct namespace fixups of si_pid and si_uid")
+where the problem logic was moved out of __send_signal and into send_signal.
+
+Cc: stable@vger.kernel.org
+Fixes: 6588c1e3ff01 ("signals: SI_USER: Masquerade si_pid when crossing pid ns boundary")
+Ref: 921cf9f63089 ("signals: protect cinit from unblocked SIG_DFL signals")
+Link: https://lore.kernel.org/lkml/20200419201336.GI22017@edge.cmeerw.net/
+Reported-by: Christof Meerwald <cmeerw@cmeerw.org>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1721,8 +1721,12 @@ bool do_notify_parent(struct task_struct
+               if (psig->action[SIGCHLD-1].sa.sa_handler == SIG_IGN)
+                       sig = 0;
+       }
++      /*
++       * Send with __send_signal as si_pid and si_uid are in the
++       * parent's namespaces.
++       */
+       if (valid_signal(sig) && sig)
+-              __group_send_sig_info(sig, &info, tsk->parent);
++              __send_signal(sig, &info, tsk->parent, PIDTYPE_TGID, false);
+       __wake_up_parent(tsk, tsk->parent);
+       spin_unlock_irqrestore(&psig->siglock, flags);
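Review bot: The new call `__send_signal(sig, &info, tsk->parent, PIDTYPE_TGID, false);` uses the upstream signature; in the 4.4 tree, as far as I recall, __send_signal()'s fourth parameter is an `int group` flag and PIDTYPE_TGID may not be defined, so this backport needs a compile check, and if the earlier 4.4 backport of 7a0cf094944e changed the signature, the patch header should say so. If adaptation is needed, the equivalent is the older group flag set, with the force/from-ancestor argument false. The comment would be clearer if it said why send_signal() must be bypassed rather than only where the ids live: `/* si_pid/si_uid were already filled in for the parent's namespaces above; call __send_signal directly so send_signal()'s current-based fixup cannot overwrite them */`. do_notify_parent() begins and ends outside the hunk.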
diff --git a/queue-4.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch b/queue-4.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
new file mode 100644 (file)
index 0000000..02ad861
--- /dev/null
@@ -0,0 +1,126 @@
+From 9a9fc42b86c06120744555fea43fdcabe297c656 Mon Sep 17 00:00:00 2001
+From: Andrew Melnychenko <andrew@daynix.com>
+Date: Tue, 14 Apr 2020 22:15:03 +0300
+Subject: tty: hvc: fix buffer overflow during hvc_alloc().
+
+From: Andrew Melnychenko <andrew@daynix.com>
+
+commit 9a9fc42b86c06120744555fea43fdcabe297c656 upstream.
+
+If there is a lot(more then 16) of virtio-console devices
+or virtio_console module is reloaded
+- buffers 'vtermnos' and 'cons_ops' are overflowed.
+In older kernels it overruns spinlock which leads to kernel freezing:
+https://bugzilla.redhat.com/show_bug.cgi?id=1786239
+
+To reproduce the issue, you can try simple script that
+loads/unloads module. Something like this:
+while [ 1 ]
+do
+  modprobe virtio_console
+  sleep 2
+  modprobe -r virtio_console
+  sleep 2
+done
+
+Description of problem:
+Guest get 'Call Trace' when loading module "virtio_console"
+and unloading it frequently - clearly reproduced on kernel-4.18.0:
+
+[   81.498208] ------------[ cut here ]------------
+[   81.499263] pvqspinlock: lock 0xffffffff92080020 has corrupted value 0xc0774ca0!
+[   81.501000] WARNING: CPU: 0 PID: 785 at kernel/locking/qspinlock_paravirt.h:500 __pv_queued_spin_unlock_slowpath+0xc0/0xd0
+[   81.503173] Modules linked in: virtio_console fuse xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nft_objref nf_conntrack_tftp tun bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink sunrpc bochs_drm drm_vram_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pcspkr crct10dif_pclmul crc32_pclmul joydev ghash_clmulni_intel ip_tables xfs libcrc32c sd_mod sg ata_generic ata_piix virtio_net libata crc32c_intel net_failover failover serio_raw virtio_scsi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: virtio_console]
+[   81.517019] CPU: 0 PID: 785 Comm: kworker/0:2 Kdump: loaded Not tainted 4.18.0-167.el8.x86_64 #1
+[   81.518639] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014
+[   81.520205] Workqueue: events control_work_handler [virtio_console]
+[   81.521354] RIP: 0010:__pv_queued_spin_unlock_slowpath+0xc0/0xd0
+[   81.522450] Code: 07 00 48 63 7a 10 e8 bf 64 f5 ff 66 90 c3 8b 05 e6 cf d6 01 85 c0 74 01 c3 8b 17 48 89 fe 48 c7 c7 38 4b 29 91 e8 3a 6c fa ff <0f> 0b c3 0f 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48
+[   81.525830] RSP: 0018:ffffb51a01ffbd70 EFLAGS: 00010282
+[   81.526798] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000
+[   81.528110] RDX: ffff9e66f1826480 RSI: ffff9e66f1816a08 RDI: ffff9e66f1816a08
+[   81.529437] RBP: ffffffff9153ff10 R08: 000000000000026c R09: 0000000000000053
+[   81.530732] R10: 0000000000000000 R11: ffffb51a01ffbc18 R12: ffff9e66cd682200
+[   81.532133] R13: ffffffff9153ff10 R14: ffff9e6685569500 R15: ffff9e66cd682000
+[   81.533442] FS:  0000000000000000(0000) GS:ffff9e66f1800000(0000) knlGS:0000000000000000
+[   81.534914] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   81.535971] CR2: 00005624c55b14d0 CR3: 00000003a023c000 CR4: 00000000003406f0
+[   81.537283] Call Trace:
+[   81.537763]  __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x20
+[   81.539011]  .slowpath+0x9/0xe
+[   81.539585]  hvc_alloc+0x25e/0x300
+[   81.540237]  init_port_console+0x28/0x100 [virtio_console]
+[   81.541251]  handle_control_message.constprop.27+0x1c4/0x310 [virtio_console]
+[   81.542546]  control_work_handler+0x70/0x10c [virtio_console]
+[   81.543601]  process_one_work+0x1a7/0x3b0
+[   81.544356]  worker_thread+0x30/0x390
+[   81.545025]  ? create_worker+0x1a0/0x1a0
+[   81.545749]  kthread+0x112/0x130
+[   81.546358]  ? kthread_flush_work_fn+0x10/0x10
+[   81.547183]  ret_from_fork+0x22/0x40
+[   81.547842] ---[ end trace aa97649bd16c8655 ]---
+[   83.546539] general protection fault: 0000 [#1] SMP NOPTI
+[   83.547422] CPU: 5 PID: 3225 Comm: modprobe Kdump: loaded Tainted: G        W        --------- -  - 4.18.0-167.el8.x86_64 #1
+[   83.549191] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014
+[   83.550544] RIP: 0010:__pv_queued_spin_lock_slowpath+0x19a/0x2a0
+[   83.551504] Code: c4 c1 ea 12 41 be 01 00 00 00 4c 8d 6d 14 41 83 e4 03 8d 42 ff 49 c1 e4 05 48 98 49 81 c4 40 a5 02 00 4c 03 24 c5 60 48 34 91 <49> 89 2c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84
+[   83.554449] RSP: 0018:ffffb51a0323fdb0 EFLAGS: 00010202
+[   83.555290] RAX: 000000000000301c RBX: ffffffff92080020 RCX: 0000000000000001
+[   83.556426] RDX: 000000000000301d RSI: 0000000000000000 RDI: 0000000000000000
+[   83.557556] RBP: ffff9e66f196a540 R08: 000000000000028a R09: ffff9e66d2757788
+[   83.558688] R10: 0000000000000000 R11: 0000000000000000 R12: 646e61725f770b07
+[   83.559821] R13: ffff9e66f196a554 R14: 0000000000000001 R15: 0000000000180000
+[   83.560958] FS:  00007fd5032e8740(0000) GS:ffff9e66f1940000(0000) knlGS:0000000000000000
+[   83.562233] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   83.563149] CR2: 00007fd5022b0da0 CR3: 000000038c334000 CR4: 00000000003406e0
+
+Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200414191503.3471783-1-andrew@daynix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/hvc/hvc_console.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -289,10 +289,6 @@ int hvc_instantiate(uint32_t vtermno, in
+       vtermnos[index] = vtermno;
+       cons_ops[index] = ops;
+-      /* reserve all indices up to and including this index */
+-      if (last_hvc < index)
+-              last_hvc = index;
+-
+       /* check if we need to re-register the kernel console */
+       hvc_check_console(index);
+@@ -896,13 +892,22 @@ struct hvc_struct *hvc_alloc(uint32_t vt
+                   cons_ops[i] == hp->ops)
+                       break;
+-      /* no matching slot, just use a counter */
+-      if (i >= MAX_NR_HVC_CONSOLES)
+-              i = ++last_hvc;
++      if (i >= MAX_NR_HVC_CONSOLES) {
++
++              /* find 'empty' slot for console */
++              for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) {
++              }
++
++              /* no matching slot, just use a counter */
++              if (i == MAX_NR_HVC_CONSOLES)
++                      i = ++last_hvc + MAX_NR_HVC_CONSOLES;
++      }
+       hp->index = i;
+-      cons_ops[i] = ops;
+-      vtermnos[i] = vtermno;
++      if (i < MAX_NR_HVC_CONSOLES) {
++              cons_ops[i] = ops;
++              vtermnos[i] = vtermno;
++      }
+       list_add_tail(&(hp->next), &hvc_structs);
+       spin_unlock(&hvc_structs_lock);
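Review bot: The free-slot scan `for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) { }` has an empty brace body on its own line, which reads like a dropped statement; a `;` with the comment attached is clearer: `for (...; i++) ; /* first free slot */`. The scan only helps the reported module-reload case if vtermnos[] entries are reset to -1 when a console is freed, which happens outside the hunk (presumably in hvc_remove()) — confirm, otherwise reloads still fall into the `++last_hvc + MAX_NR_HVC_CONSOLES` path, which now at least no longer writes the arrays thanks to the `i < MAX_NR_HVC_CONSOLES` guard. The index assigned on that path grows without bound and is stored in hp->index; if hp->index is used as an array subscript anywhere else, the same guard is needed there. hvc_alloc() starts and ends outside the hunk, and the first hunk removes the last_hvc reservation from hvc_instantiate() without replacing it.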
diff --git a/queue-4.4/tty-rocket-avoid-oob-access.patch b/queue-4.4/tty-rocket-avoid-oob-access.patch
new file mode 100644 (file)
index 0000000..c058000
--- /dev/null
@@ -0,0 +1,72 @@
+From 7127d24372bf23675a36edc64d092dc7fd92ebe8 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 17 Apr 2020 12:59:59 +0200
+Subject: tty: rocket, avoid OOB access
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream.
+
+init_r_port can access pc104 array out of bounds. pc104 is a 2D array
+defined to have 4 members. Each member has 8 submembers.
+* we can have more than 4 (PCI) boards, i.e. [board] can be OOB
+* line is not modulo-ed by anything, so the first line on the second
+  board can be 4, on the 3rd 12 or alike (depending on previously
+  registered boards). It's zero only on the first line of the first
+  board. So even [line] can be OOB, quite soon (with the 2nd registered
+  board already).
+
+This code is broken for ages, so just avoid the OOB accesses and don't
+try to fix it as we would need to find out the correct line number. Use
+the default: RS232, if we are out.
+
+Generally, if anyone needs to set the interface types, a module parameter
+is past the last thing that should be used for this purpose. The
+parameters' description says it's for ISA cards anyway.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/rocket.c |   25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/drivers/tty/rocket.c
++++ b/drivers/tty/rocket.c
+@@ -645,18 +645,21 @@ static void init_r_port(int board, int a
+       info->port.ops = &rocket_port_ops;
+       init_completion(&info->close_wait);
+       info->flags &= ~ROCKET_MODE_MASK;
+-      switch (pc104[board][line]) {
+-      case 422:
+-              info->flags |= ROCKET_MODE_RS422;
+-              break;
+-      case 485:
+-              info->flags |= ROCKET_MODE_RS485;
+-              break;
+-      case 232:
+-      default:
++      if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1))
++              switch (pc104[board][line]) {
++              case 422:
++                      info->flags |= ROCKET_MODE_RS422;
++                      break;
++              case 485:
++                      info->flags |= ROCKET_MODE_RS485;
++                      break;
++              case 232:
++              default:
++                      info->flags |= ROCKET_MODE_RS232;
++                      break;
++              }
++      else
+               info->flags |= ROCKET_MODE_RS232;
+-              break;
+-      }
+       info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR;
+       if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) {
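Review bot: The bounds check on the new side wraps a multi-line body (the whole `switch`) and an `else` without braces; kernel style wants braces once either branch spans several lines, so `if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1)) {` … `} else {` … `}` would read more safely. The comparison also mixes the `int` `board` (and presumably `line`, whose type is cut off in the hunk header) with the `size_t` result of `ARRAY_SIZE`; the usual arithmetic conversion makes a negative value compare large and therefore fail the check, which is the safe direction, but that rejection is implicit and -Wsign-compare will flag it. A short comment at the check such as `/* pc104 is sized for the ISA table only; boards or lines past it fall back to RS232 */` would carry the rationale from the commit message into the code. init_r_port continues outside the hunk on both sides.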
diff --git a/queue-4.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch b/queue-4.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
new file mode 100644 (file)
index 0000000..2317fdf
--- /dev/null
@@ -0,0 +1,47 @@
+From 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 22 Apr 2020 16:14:57 -0400
+Subject: usb-storage: Add unusual_devs entry for JMicron JMS566
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b upstream.
+
+Cyril Roelandt reports that his JMicron JMS566 USB-SATA bridge fails
+to handle WRITE commands with the FUA bit set, even though it claims
+to support FUA.  (Oddly enough, a later version of the same bridge,
+version 2.03 as opposed to 1.14, doesn't claim to support FUA.  Also
+oddly, the bridge _does_ support FUA when using the UAS transport
+instead of the Bulk-Only transport -- but this device was blacklisted
+for uas in commit bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron
+SATA enclosure") for apparently unrelated reasons.)
+
+This patch adds a usb-storage unusual_devs entry with the BROKEN_FUA
+flag.  This allows the bridge to work properly with usb-storage.
+
+Reported-and-tested-by: Cyril Roelandt <tipecaml@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2004221613110.11262-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2208,6 +2208,13 @@ UNUSUAL_DEV(  0x3340, 0xffff, 0x0000, 0x
+               USB_SC_DEVICE,USB_PR_DEVICE,NULL,
+               US_FL_MAX_SECTORS_64 ),
++/* Reported by Cyril Roelandt <tipecaml@gmail.com> */
++UNUSUAL_DEV(  0x357d, 0x7788, 0x0114, 0x0114,
++              "JMicron",
++              "USB to ATA/ATAPI Bridge",
++              USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++              US_FL_BROKEN_FUA ),
++
+ /* Reported by Andrey Rahmatullin <wrar@altlinux.org> */
+ UNUSUAL_DEV(  0x4102, 0x1020, 0x0100,  0x0100,
+               "iRiver",