From: Greg Kroah-Hartman Date: Mon, 27 Apr 2020 15:45:10 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.119~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0f81d7add267de1ceb76e67261bd38c0e16985e0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch alsa-usx2y-fix-potential-null-dereference.patch asoc-dapm-fixup-dapm-kcontrol-widget.patch audit-check-the-length-of-userspace-generated-audit-records.patch kvm-check-validity-of-resolved-slot-when-searching-memslots.patch kvm-vmx-enable-machine-check-support-for-32bit-targets.patch signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch tty-rocket-avoid-oob-access.patch usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch --- diff --git a/queue-4.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch b/queue-4.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch new file mode 100644 index 00000000000..94d10d5d8c7 --- /dev/null +++ b/queue-4.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch @@ -0,0 +1,105 @@ +From 1c826792586f526a5a5cd21d55aad388f5bb0b23 Mon Sep 17 00:00:00 2001 +From: Alexander Tsoy +Date: Sat, 18 Apr 2020 20:58:15 +0300 +Subject: ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices + +From: Alexander Tsoy + +commit 1c826792586f526a5a5cd21d55aad388f5bb0b23 upstream. + +Many Focusrite devices supports a limited set of sample rates per +altsetting. These includes audio interfaces with ADAT ports: + - Scarlett 18i6, 18i8 1st gen, 18i20 1st gen; + - Scarlett 18i8 2nd gen, 18i20 2nd gen; + - Scarlett 18i8 3rd gen, 18i20 3rd gen; + - Clarett 2Pre USB, 4Pre USB, 8Pre USB. + +Maximum rate is exposed in the last 4 bytes of Format Type descriptor +which has a non-standard bLength = 10. + +Tested-by: Alexey Skobkin +Signed-off-by: Alexander Tsoy +Cc: +Link: https://lore.kernel.org/r/20200418175815.12211-1-alexander@tsoy.me +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/format.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 52 insertions(+) + +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -223,6 +223,52 @@ static int parse_audio_format_rates_v1(s + } + + /* ++ * Many Focusrite devices supports a limited set of sampling rates per ++ * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type ++ * descriptor which has a non-standard bLength = 10. ++ */ ++static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip, ++ struct audioformat *fp, ++ unsigned int rate) ++{ ++ struct usb_interface *iface; ++ struct usb_host_interface *alts; ++ unsigned char *fmt; ++ unsigned int max_rate; ++ ++ iface = usb_ifnum_to_if(chip->dev, fp->iface); ++ if (!iface) ++ return true; ++ ++ alts = &iface->altsetting[fp->altset_idx]; ++ fmt = snd_usb_find_csint_desc(alts->extra, alts->extralen, ++ NULL, UAC_FORMAT_TYPE); ++ if (!fmt) ++ return true; ++ ++ if (fmt[0] == 10) { /* bLength */ ++ max_rate = combine_quad(&fmt[6]); ++ ++ /* Validate max rate */ ++ if (max_rate != 48000 && ++ max_rate != 96000 && ++ max_rate != 192000 && ++ max_rate != 384000) { ++ ++ usb_audio_info(chip, ++ "%u:%d : unexpected max rate: %u\n", ++ fp->iface, fp->altsetting, max_rate); ++ ++ return true; ++ } ++ ++ return rate <= max_rate; ++ } ++ ++ return true; ++} ++ ++/* + * Helper function to walk the array of sample rate triplets reported by + * the device. The problem is that we need to parse whole array first to + * get to know how many sample rates we have to expect. +@@ -258,6 +304,11 @@ static int parse_uac2_sample_rate_range( + } + + for (rate = min; rate <= max; rate += res) { ++ /* Filter out invalid rates on Focusrite devices */ ++ if (USB_ID_VENDOR(chip->usb_id) == 0x1235 && ++ !focusrite_valid_sample_rate(chip, fp, rate)) ++ goto skip_rate; ++ + if (fp->rate_table) + fp->rate_table[nr_rates] = rate; + if (!fp->rate_min || rate < fp->rate_min) +@@ -272,6 +323,7 @@ static int parse_uac2_sample_rate_range( + break; + } + ++skip_rate: + /* avoid endless loop */ + if (res == 0) + break; diff --git a/queue-4.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch b/queue-4.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch new file mode 100644 index 00000000000..e30fc4fec58 --- /dev/null +++ b/queue-4.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch @@ -0,0 +1,58 @@ +From 59e1947ca09ebd1cae147c08c7c41f3141233c84 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Thu, 23 Apr 2020 12:54:19 +0800 +Subject: ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif + +From: Xiyu Yang + +commit 59e1947ca09ebd1cae147c08c7c41f3141233c84 upstream. + +snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which +increases the refcount of the snd_usb_audio object "chip". + +When snd_microii_spdif_default_get() returns, local variable "chip" +becomes invalid, so the refcount should be decreased to keep refcount +balanced. + +The reference counting issue happens in several exception handling paths +of snd_microii_spdif_default_get(). When those error scenarios occur +such as usb_ifnum_to_if() returns NULL, the function forgets to decrease +the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak. + +Fix this issue by jumping to "end" label when those error scenarios +occur. + +Fixes: 447d6275f0c2 ("ALSA: usb-audio: Add sanity checks for endpoint accesses") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Cc: +Link: https://lore.kernel.org/r/1587617711-13200-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer_quirks.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1519,11 +1519,15 @@ static int snd_microii_spdif_default_get + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(chip->dev, 1); +- if (!iface || iface->num_altsetting < 2) +- return -EINVAL; ++ if (!iface || iface->num_altsetting < 2) { ++ err = -EINVAL; ++ goto end; ++ } + alts = &iface->altsetting[1]; +- if (get_iface_desc(alts)->bNumEndpoints < 1) +- return -EINVAL; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) { ++ err = -EINVAL; ++ goto end; ++ } + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = snd_usb_ctl_msg(chip->dev, diff --git a/queue-4.4/alsa-usx2y-fix-potential-null-dereference.patch b/queue-4.4/alsa-usx2y-fix-potential-null-dereference.patch new file mode 100644 index 00000000000..600404f9614 --- /dev/null +++ b/queue-4.4/alsa-usx2y-fix-potential-null-dereference.patch @@ -0,0 +1,34 @@ +From 7686e3485253635c529cdd5f416fc640abaf076f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 20 Apr 2020 09:55:29 +0200 +Subject: ALSA: usx2y: Fix potential NULL dereference + +From: Takashi Iwai + +commit 7686e3485253635c529cdd5f416fc640abaf076f upstream. + +The error handling code in usX2Y_rate_set() may hit a potential NULL +dereference when an error occurs before allocating all us->urb[]. +Add a proper NULL check for fixing the corner case. + +Reported-by: Lin Yi +Cc: +Link: https://lore.kernel.org/r/20200420075529.27203-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/usx2y/usbusx2yaudio.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/usx2y/usbusx2yaudio.c ++++ b/sound/usb/usx2y/usbusx2yaudio.c +@@ -691,6 +691,8 @@ static int usX2Y_rate_set(struct usX2Yde + us->submitted = 2*NOOF_SETRATE_URBS; + for (i = 0; i < NOOF_SETRATE_URBS; ++i) { + struct urb *urb = us->urb[i]; ++ if (!urb) ++ continue; + if (urb->status) { + if (!err) + err = -ENODEV; diff --git a/queue-4.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch b/queue-4.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch new file mode 100644 index 00000000000..8a691e68320 --- /dev/null +++ b/queue-4.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch @@ -0,0 +1,71 @@ +From ebf1474745b4373fdde0fcf32d9d1f369b50b212 Mon Sep 17 00:00:00 2001 +From: Gyeongtaek Lee +Date: Sat, 18 Apr 2020 13:13:20 +0900 +Subject: ASoC: dapm: fixup dapm kcontrol widget + +From: Gyeongtaek Lee + +commit ebf1474745b4373fdde0fcf32d9d1f369b50b212 upstream. + +snd_soc_dapm_kcontrol widget which is created by autodisable control +should contain correct on_val, mask and shift because it is set when the +widget is powered and changed value is applied on registers by following +code in dapm_seq_run_coalesced(). + + mask |= w->mask << w->shift; + if (w->power) + value |= w->on_val << w->shift; + else + value |= w->off_val << w->shift; + +Shift on the mask in dapm_kcontrol_data_alloc() is removed to prevent +double shift. +And, on_val in dapm_kcontrol_set_value() is modified to get correct +value in the dapm_seq_run_coalesced(). + +Signed-off-by: Gyeongtaek Lee +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/000001d61537$b212f620$1638e260$@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-dapm.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -384,7 +384,7 @@ static int dapm_kcontrol_data_alloc(stru + + memset(&template, 0, sizeof(template)); + template.reg = e->reg; +- template.mask = e->mask << e->shift_l; ++ template.mask = e->mask; + template.shift = e->shift_l; + template.off_val = snd_soc_enum_item_to_val(e, 0); + template.on_val = template.off_val; +@@ -510,8 +510,22 @@ static bool dapm_kcontrol_set_value(cons + if (data->value == value) + return false; + +- if (data->widget) +- data->widget->on_val = value; ++ if (data->widget) { ++ switch (dapm_kcontrol_get_wlist(kcontrol)->widgets[0]->id) { ++ case snd_soc_dapm_switch: ++ case snd_soc_dapm_mixer: ++ case snd_soc_dapm_mixer_named_ctl: ++ data->widget->on_val = value & data->widget->mask; ++ break; ++ case snd_soc_dapm_demux: ++ case snd_soc_dapm_mux: ++ data->widget->on_val = value >> data->widget->shift; ++ break; ++ default: ++ data->widget->on_val = value; ++ break; ++ } ++ } + + data->value = value; + diff --git a/queue-4.4/audit-check-the-length-of-userspace-generated-audit-records.patch b/queue-4.4/audit-check-the-length-of-userspace-generated-audit-records.patch new file mode 100644 index 00000000000..a2f1869d6b1 --- /dev/null +++ b/queue-4.4/audit-check-the-length-of-userspace-generated-audit-records.patch @@ -0,0 +1,38 @@ +From 763dafc520add02a1f4639b500c509acc0ea8e5b Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Mon, 20 Apr 2020 16:24:34 -0400 +Subject: audit: check the length of userspace generated audit records + +From: Paul Moore + +commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream. + +Commit 756125289285 ("audit: always check the netlink payload length +in audit_receive_msg()") fixed a number of missing message length +checks, but forgot to check the length of userspace generated audit +records. The good news is that you need CAP_AUDIT_WRITE to submit +userspace audit records, which is generally only given to trusted +processes, so the impact should be limited. + +Cc: stable@vger.kernel.org +Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") +Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -919,6 +919,9 @@ static int audit_receive_msg(struct sk_b + case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: + if (!audit_enabled && msg_type != AUDIT_USER_AVC) + return 0; ++ /* exit early if there isn't at least one character to print */ ++ if (data_len < 2) ++ return -EINVAL; + + err = audit_filter_user(msg_type); + if (err == 1) { /* match or error */ diff --git a/queue-4.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch b/queue-4.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch new file mode 100644 index 00000000000..d13a937eb15 --- /dev/null +++ b/queue-4.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch @@ -0,0 +1,48 @@ +From b6467ab142b708dd076f6186ca274f14af379c72 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 7 Apr 2020 23:40:58 -0700 +Subject: KVM: Check validity of resolved slot when searching memslots + +From: Sean Christopherson + +commit b6467ab142b708dd076f6186ca274f14af379c72 upstream. + +Check that the resolved slot (somewhat confusingly named 'start') is a +valid/allocated slot before doing the final comparison to see if the +specified gfn resides in the associated slot. The resolved slot can be +invalid if the binary search loop terminated because the search index +was incremented beyond the number of used slots. + +This bug has existed since the binary search algorithm was introduced, +but went unnoticed because KVM statically allocated memory for the max +number of slots, i.e. the access would only be truly out-of-bounds if +all possible slots were allocated and the specified gfn was less than +the base of the lowest memslot. Commit 36947254e5f98 ("KVM: Dynamically +size memslot array based on number of used slots") eliminated the "all +possible slots allocated" condition and made the bug embarrasingly easy +to hit. + +Fixes: 9c1a5d38780e6 ("kvm: optimize GFN to memslot lookup with large slots amount") +Reported-by: syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20200408064059.8957-2-sean.j.christopherson@intel.com> +Reviewed-by: Cornelia Huck +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -934,7 +934,7 @@ search_memslots(struct kvm_memslots *slo + start = slot + 1; + } + +- if (gfn >= memslots[start].base_gfn && ++ if (start < slots->used_slots && gfn >= memslots[start].base_gfn && + gfn < memslots[start].base_gfn + memslots[start].npages) { + atomic_set(&slots->lru_slot, start); + return &memslots[start]; diff --git a/queue-4.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch b/queue-4.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch new file mode 100644 index 00000000000..f8fc4f14f7a --- /dev/null +++ b/queue-4.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch @@ -0,0 +1,36 @@ +From fb56baae5ea509e63c2a068d66a4d8ea91969fca Mon Sep 17 00:00:00 2001 +From: Uros Bizjak +Date: Tue, 14 Apr 2020 09:14:14 +0200 +Subject: KVM: VMX: Enable machine check support for 32bit targets + +From: Uros Bizjak + +commit fb56baae5ea509e63c2a068d66a4d8ea91969fca upstream. + +There is no reason to limit the use of do_machine_check +to 64bit targets. MCE handling works for both target familes. + +Cc: Paolo Bonzini +Cc: Sean Christopherson +Cc: stable@vger.kernel.org +Fixes: a0861c02a981 ("KVM: Add VT-x machine check support") +Signed-off-by: Uros Bizjak +Message-Id: <20200414071414.45636-1-ubizjak@gmail.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5441,7 +5441,7 @@ static int handle_rmode_exception(struct + */ + static void kvm_machine_check(void) + { +-#if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64) ++#if defined(CONFIG_X86_MCE) + struct pt_regs regs = { + .cs = 3, /* Fake ring 3 no matter what the guest ran on */ + .flags = X86_EFLAGS_IF, diff --git a/queue-4.4/series b/queue-4.4/series index 6b05e87dfd2..9ab14acb9c5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -33,3 +33,14 @@ drivers-usb-core-don-t-disable-irqs-in-usb_sg_wait-during-urb-submit.patch drivers-usb-core-minimize-irq-disabling-in-usb_sg_cancel.patch usb-core-fix-free-while-in-use-bug-in-the-usb-s-glibrary.patch usb-hub-fix-handling-of-connect-changes-during-sleep.patch +alsa-usx2y-fix-potential-null-dereference.patch +alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch +alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch +kvm-check-validity-of-resolved-slot-when-searching-memslots.patch +kvm-vmx-enable-machine-check-support-for-32bit-targets.patch +tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch +tty-rocket-avoid-oob-access.patch +usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch +signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch +audit-check-the-length-of-userspace-generated-audit-records.patch +asoc-dapm-fixup-dapm-kcontrol-widget.patch diff --git a/queue-4.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch b/queue-4.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch new file mode 100644 index 00000000000..1c669fdef7d --- /dev/null +++ b/queue-4.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch @@ -0,0 +1,180 @@ +From 61e713bdca3678e84815f2427f7a063fc353a1fc Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 20 Apr 2020 11:41:50 -0500 +Subject: signal: Avoid corrupting si_pid and si_uid in do_notify_parent + +From: Eric W. Biederman + +commit 61e713bdca3678e84815f2427f7a063fc353a1fc upstream. + +Christof Meerwald writes: +> Hi, +> +> this is probably related to commit +> 7a0cf094944e2540758b7f957eb6846d5126f535 (signal: Correct namespace +> fixups of si_pid and si_uid). +> +> With a 5.6.5 kernel I am seeing SIGCHLD signals that don't include a +> properly set si_pid field - this seems to happen for multi-threaded +> child processes. +> +> A simple test program (based on the sample from the signalfd man page): +> +> #include +> #include +> #include +> #include +> #include +> #include +> +> #define handle_error(msg) \ +> do { perror(msg); exit(EXIT_FAILURE); } while (0) +> +> int main(int argc, char *argv[]) +> { +> sigset_t mask; +> int sfd; +> struct signalfd_siginfo fdsi; +> ssize_t s; +> +> sigemptyset(&mask); +> sigaddset(&mask, SIGCHLD); +> +> if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1) +> handle_error("sigprocmask"); +> +> pid_t chldpid; +> char *chldargv[] = { "./sfdclient", NULL }; +> posix_spawn(&chldpid, "./sfdclient", NULL, NULL, chldargv, NULL); +> +> sfd = signalfd(-1, &mask, 0); +> if (sfd == -1) +> handle_error("signalfd"); +> +> for (;;) { +> s = read(sfd, &fdsi, sizeof(struct signalfd_siginfo)); +> if (s != sizeof(struct signalfd_siginfo)) +> handle_error("read"); +> +> if (fdsi.ssi_signo == SIGCHLD) { +> printf("Got SIGCHLD %d %d %d %d\n", +> fdsi.ssi_status, fdsi.ssi_code, +> fdsi.ssi_uid, fdsi.ssi_pid); +> return 0; +> } else { +> printf("Read unexpected signal\n"); +> } +> } +> } +> +> +> and a multi-threaded client to test with: +> +> #include +> #include +> +> void *f(void *arg) +> { +> sleep(100); +> } +> +> int main() +> { +> pthread_t t[8]; +> +> for (int i = 0; i != 8; ++i) +> { +> pthread_create(&t[i], NULL, f, NULL); +> } +> } +> +> I tried to do a bit of debugging and what seems to be happening is +> that +> +> /* From an ancestor pid namespace? */ +> if (!task_pid_nr_ns(current, task_active_pid_ns(t))) { +> +> fails inside task_pid_nr_ns because the check for "pid_alive" fails. +> +> This code seems to be called from do_notify_parent and there we +> actually have "tsk != current" (I am assuming both are threads of the +> current process?) + +I instrumented the code with a warning and received the following backtrace: +> WARNING: CPU: 0 PID: 777 at kernel/pid.c:501 __task_pid_nr_ns.cold.6+0xc/0x15 +> Modules linked in: +> CPU: 0 PID: 777 Comm: sfdclient Not tainted 5.7.0-rc1userns+ #2924 +> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +> RIP: 0010:__task_pid_nr_ns.cold.6+0xc/0x15 +> Code: ff 66 90 48 83 ec 08 89 7c 24 04 48 8d 7e 08 48 8d 74 24 04 e8 9a b6 44 00 48 83 c4 08 c3 48 c7 c7 59 9f ac 82 e8 c2 c4 04 00 <0f> 0b e9 3fd +> RSP: 0018:ffffc9000042fbf8 EFLAGS: 00010046 +> RAX: 000000000000000c RBX: 0000000000000000 RCX: ffffc9000042faf4 +> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81193d29 +> RBP: ffffc9000042fc18 R08: 0000000000000000 R09: 0000000000000001 +> R10: 000000100f938416 R11: 0000000000000309 R12: ffff8880b941c140 +> R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880b941c140 +> FS: 0000000000000000(0000) GS:ffff8880bca00000(0000) knlGS:0000000000000000 +> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> CR2: 00007f2e8c0a32e0 CR3: 0000000002e10000 CR4: 00000000000006f0 +> Call Trace: +> send_signal+0x1c8/0x310 +> do_notify_parent+0x50f/0x550 +> release_task.part.21+0x4fd/0x620 +> do_exit+0x6f6/0xaf0 +> do_group_exit+0x42/0xb0 +> get_signal+0x13b/0xbb0 +> do_signal+0x2b/0x670 +> ? __audit_syscall_exit+0x24d/0x2b0 +> ? rcu_read_lock_sched_held+0x4d/0x60 +> ? kfree+0x24c/0x2b0 +> do_syscall_64+0x176/0x640 +> ? trace_hardirqs_off_thunk+0x1a/0x1c +> entry_SYSCALL_64_after_hwframe+0x49/0xb3 + +The immediate problem is as Christof noticed that "pid_alive(current) == false". +This happens because do_notify_parent is called from the last thread to exit +in a process after that thread has been reaped. + +The bigger issue is that do_notify_parent can be called from any +process that manages to wait on a thread of a multi-threaded process +from wait_task_zombie. So any logic based upon current for +do_notify_parent is just nonsense, as current can be pretty much +anything. + +So change do_notify_parent to call __send_signal directly. + +Inspecting the code it appears this problem has existed since the pid +namespace support started handling this case in 2.6.30. This fix only +backports to 7a0cf094944e ("signal: Correct namespace fixups of si_pid and si_uid") +where the problem logic was moved out of __send_signal and into send_signal. + +Cc: stable@vger.kernel.org +Fixes: 6588c1e3ff01 ("signals: SI_USER: Masquerade si_pid when crossing pid ns boundary") +Ref: 921cf9f63089 ("signals: protect cinit from unblocked SIG_DFL signals") +Link: https://lore.kernel.org/lkml/20200419201336.GI22017@edge.cmeerw.net/ +Reported-by: Christof Meerwald +Acked-by: Oleg Nesterov +Acked-by: Christian Brauner +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1721,8 +1721,12 @@ bool do_notify_parent(struct task_struct + if (psig->action[SIGCHLD-1].sa.sa_handler == SIG_IGN) + sig = 0; + } ++ /* ++ * Send with __send_signal as si_pid and si_uid are in the ++ * parent's namespaces. ++ */ + if (valid_signal(sig) && sig) +- __group_send_sig_info(sig, &info, tsk->parent); ++ __send_signal(sig, &info, tsk->parent, PIDTYPE_TGID, false); + __wake_up_parent(tsk, tsk->parent); + spin_unlock_irqrestore(&psig->siglock, flags); + diff --git a/queue-4.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch b/queue-4.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch new file mode 100644 index 00000000000..02ad8619beb --- /dev/null +++ b/queue-4.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch @@ -0,0 +1,126 @@ +From 9a9fc42b86c06120744555fea43fdcabe297c656 Mon Sep 17 00:00:00 2001 +From: Andrew Melnychenko +Date: Tue, 14 Apr 2020 22:15:03 +0300 +Subject: tty: hvc: fix buffer overflow during hvc_alloc(). + +From: Andrew Melnychenko + +commit 9a9fc42b86c06120744555fea43fdcabe297c656 upstream. + +If there is a lot(more then 16) of virtio-console devices +or virtio_console module is reloaded +- buffers 'vtermnos' and 'cons_ops' are overflowed. +In older kernels it overruns spinlock which leads to kernel freezing: +https://bugzilla.redhat.com/show_bug.cgi?id=1786239 + +To reproduce the issue, you can try simple script that +loads/unloads module. Something like this: +while [ 1 ] +do + modprobe virtio_console + sleep 2 + modprobe -r virtio_console + sleep 2 +done + +Description of problem: +Guest get 'Call Trace' when loading module "virtio_console" +and unloading it frequently - clearly reproduced on kernel-4.18.0: + +[ 81.498208] ------------[ cut here ]------------ +[ 81.499263] pvqspinlock: lock 0xffffffff92080020 has corrupted value 0xc0774ca0! +[ 81.501000] WARNING: CPU: 0 PID: 785 at kernel/locking/qspinlock_paravirt.h:500 __pv_queued_spin_unlock_slowpath+0xc0/0xd0 +[ 81.503173] Modules linked in: virtio_console fuse xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nft_objref nf_conntrack_tftp tun bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink sunrpc bochs_drm drm_vram_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pcspkr crct10dif_pclmul crc32_pclmul joydev ghash_clmulni_intel ip_tables xfs libcrc32c sd_mod sg ata_generic ata_piix virtio_net libata crc32c_intel net_failover failover serio_raw virtio_scsi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: virtio_console] +[ 81.517019] CPU: 0 PID: 785 Comm: kworker/0:2 Kdump: loaded Not tainted 4.18.0-167.el8.x86_64 #1 +[ 81.518639] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014 +[ 81.520205] Workqueue: events control_work_handler [virtio_console] +[ 81.521354] RIP: 0010:__pv_queued_spin_unlock_slowpath+0xc0/0xd0 +[ 81.522450] Code: 07 00 48 63 7a 10 e8 bf 64 f5 ff 66 90 c3 8b 05 e6 cf d6 01 85 c0 74 01 c3 8b 17 48 89 fe 48 c7 c7 38 4b 29 91 e8 3a 6c fa ff <0f> 0b c3 0f 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 +[ 81.525830] RSP: 0018:ffffb51a01ffbd70 EFLAGS: 00010282 +[ 81.526798] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 +[ 81.528110] RDX: ffff9e66f1826480 RSI: ffff9e66f1816a08 RDI: ffff9e66f1816a08 +[ 81.529437] RBP: ffffffff9153ff10 R08: 000000000000026c R09: 0000000000000053 +[ 81.530732] R10: 0000000000000000 R11: ffffb51a01ffbc18 R12: ffff9e66cd682200 +[ 81.532133] R13: ffffffff9153ff10 R14: ffff9e6685569500 R15: ffff9e66cd682000 +[ 81.533442] FS: 0000000000000000(0000) GS:ffff9e66f1800000(0000) knlGS:0000000000000000 +[ 81.534914] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 81.535971] CR2: 00005624c55b14d0 CR3: 00000003a023c000 CR4: 00000000003406f0 +[ 81.537283] Call Trace: +[ 81.537763] __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x20 +[ 81.539011] .slowpath+0x9/0xe +[ 81.539585] hvc_alloc+0x25e/0x300 +[ 81.540237] init_port_console+0x28/0x100 [virtio_console] +[ 81.541251] handle_control_message.constprop.27+0x1c4/0x310 [virtio_console] +[ 81.542546] control_work_handler+0x70/0x10c [virtio_console] +[ 81.543601] process_one_work+0x1a7/0x3b0 +[ 81.544356] worker_thread+0x30/0x390 +[ 81.545025] ? create_worker+0x1a0/0x1a0 +[ 81.545749] kthread+0x112/0x130 +[ 81.546358] ? kthread_flush_work_fn+0x10/0x10 +[ 81.547183] ret_from_fork+0x22/0x40 +[ 81.547842] ---[ end trace aa97649bd16c8655 ]--- +[ 83.546539] general protection fault: 0000 [#1] SMP NOPTI +[ 83.547422] CPU: 5 PID: 3225 Comm: modprobe Kdump: loaded Tainted: G W --------- - - 4.18.0-167.el8.x86_64 #1 +[ 83.549191] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014 +[ 83.550544] RIP: 0010:__pv_queued_spin_lock_slowpath+0x19a/0x2a0 +[ 83.551504] Code: c4 c1 ea 12 41 be 01 00 00 00 4c 8d 6d 14 41 83 e4 03 8d 42 ff 49 c1 e4 05 48 98 49 81 c4 40 a5 02 00 4c 03 24 c5 60 48 34 91 <49> 89 2c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84 +[ 83.554449] RSP: 0018:ffffb51a0323fdb0 EFLAGS: 00010202 +[ 83.555290] RAX: 000000000000301c RBX: ffffffff92080020 RCX: 0000000000000001 +[ 83.556426] RDX: 000000000000301d RSI: 0000000000000000 RDI: 0000000000000000 +[ 83.557556] RBP: ffff9e66f196a540 R08: 000000000000028a R09: ffff9e66d2757788 +[ 83.558688] R10: 0000000000000000 R11: 0000000000000000 R12: 646e61725f770b07 +[ 83.559821] R13: ffff9e66f196a554 R14: 0000000000000001 R15: 0000000000180000 +[ 83.560958] FS: 00007fd5032e8740(0000) GS:ffff9e66f1940000(0000) knlGS:0000000000000000 +[ 83.562233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 83.563149] CR2: 00007fd5022b0da0 CR3: 000000038c334000 CR4: 00000000003406e0 + +Signed-off-by: Andrew Melnychenko +Cc: stable +Link: https://lore.kernel.org/r/20200414191503.3471783-1-andrew@daynix.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/hvc/hvc_console.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -289,10 +289,6 @@ int hvc_instantiate(uint32_t vtermno, in + vtermnos[index] = vtermno; + cons_ops[index] = ops; + +- /* reserve all indices up to and including this index */ +- if (last_hvc < index) +- last_hvc = index; +- + /* check if we need to re-register the kernel console */ + hvc_check_console(index); + +@@ -896,13 +892,22 @@ struct hvc_struct *hvc_alloc(uint32_t vt + cons_ops[i] == hp->ops) + break; + +- /* no matching slot, just use a counter */ +- if (i >= MAX_NR_HVC_CONSOLES) +- i = ++last_hvc; ++ if (i >= MAX_NR_HVC_CONSOLES) { ++ ++ /* find 'empty' slot for console */ ++ for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) { ++ } ++ ++ /* no matching slot, just use a counter */ ++ if (i == MAX_NR_HVC_CONSOLES) ++ i = ++last_hvc + MAX_NR_HVC_CONSOLES; ++ } + + hp->index = i; +- cons_ops[i] = ops; +- vtermnos[i] = vtermno; ++ if (i < MAX_NR_HVC_CONSOLES) { ++ cons_ops[i] = ops; ++ vtermnos[i] = vtermno; ++ } + + list_add_tail(&(hp->next), &hvc_structs); + spin_unlock(&hvc_structs_lock); diff --git a/queue-4.4/tty-rocket-avoid-oob-access.patch b/queue-4.4/tty-rocket-avoid-oob-access.patch new file mode 100644 index 00000000000..c058000ade3 --- /dev/null +++ b/queue-4.4/tty-rocket-avoid-oob-access.patch @@ -0,0 +1,72 @@ +From 7127d24372bf23675a36edc64d092dc7fd92ebe8 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 17 Apr 2020 12:59:59 +0200 +Subject: tty: rocket, avoid OOB access + +From: Jiri Slaby + +commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream. + +init_r_port can access pc104 array out of bounds. pc104 is a 2D array +defined to have 4 members. Each member has 8 submembers. +* we can have more than 4 (PCI) boards, i.e. [board] can be OOB +* line is not modulo-ed by anything, so the first line on the second + board can be 4, on the 3rd 12 or alike (depending on previously + registered boards). It's zero only on the first line of the first + board. So even [line] can be OOB, quite soon (with the 2nd registered + board already). + +This code is broken for ages, so just avoid the OOB accesses and don't +try to fix it as we would need to find out the correct line number. Use +the default: RS232, if we are out. + +Generally, if anyone needs to set the interface types, a module parameter +is past the last thing that should be used for this purpose. The +parameters' description says it's for ISA cards anyway. + +Signed-off-by: Jiri Slaby +Cc: stable +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/rocket.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -645,18 +645,21 @@ static void init_r_port(int board, int a + info->port.ops = &rocket_port_ops; + init_completion(&info->close_wait); + info->flags &= ~ROCKET_MODE_MASK; +- switch (pc104[board][line]) { +- case 422: +- info->flags |= ROCKET_MODE_RS422; +- break; +- case 485: +- info->flags |= ROCKET_MODE_RS485; +- break; +- case 232: +- default: ++ if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1)) ++ switch (pc104[board][line]) { ++ case 422: ++ info->flags |= ROCKET_MODE_RS422; ++ break; ++ case 485: ++ info->flags |= ROCKET_MODE_RS485; ++ break; ++ case 232: ++ default: ++ info->flags |= ROCKET_MODE_RS232; ++ break; ++ } ++ else + info->flags |= ROCKET_MODE_RS232; +- break; +- } + + info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR; + if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) { diff --git a/queue-4.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch b/queue-4.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch new file mode 100644 index 00000000000..2317fdf99c7 --- /dev/null +++ b/queue-4.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch @@ -0,0 +1,47 @@ +From 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 22 Apr 2020 16:14:57 -0400 +Subject: usb-storage: Add unusual_devs entry for JMicron JMS566 + +From: Alan Stern + +commit 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b upstream. + +Cyril Roelandt reports that his JMicron JMS566 USB-SATA bridge fails +to handle WRITE commands with the FUA bit set, even though it claims +to support FUA. (Oddly enough, a later version of the same bridge, +version 2.03 as opposed to 1.14, doesn't claim to support FUA. Also +oddly, the bridge _does_ support FUA when using the UAS transport +instead of the Bulk-Only transport -- but this device was blacklisted +for uas in commit bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron +SATA enclosure") for apparently unrelated reasons.) + +This patch adds a usb-storage unusual_devs entry with the BROKEN_FUA +flag. This allows the bridge to work properly with usb-storage. + +Reported-and-tested-by: Cyril Roelandt +Signed-off-by: Alan Stern +CC: +Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2004221613110.11262-100000@iolanthe.rowland.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2208,6 +2208,13 @@ UNUSUAL_DEV( 0x3340, 0xffff, 0x0000, 0x + USB_SC_DEVICE,USB_PR_DEVICE,NULL, + US_FL_MAX_SECTORS_64 ), + ++/* Reported by Cyril Roelandt */ ++UNUSUAL_DEV( 0x357d, 0x7788, 0x0114, 0x0114, ++ "JMicron", ++ "USB to ATA/ATAPI Bridge", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA ), ++ + /* Reported by Andrey Rahmatullin */ + UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100, + "iRiver",