From: Greg Kroah-Hartman Date: Wed, 12 May 2021 08:33:19 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.119~93 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=750939ae78ee70df6762ffaf3282b93bd0359d65;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch bluetooth-verify-amp-hci_chan-before-amp_destroy.patch hsr-use-netdev_err-instead-of-warn_once.patch net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch staging-fwserial-fix-tiocsserial-jiffies-conversions.patch staging-fwserial-fix-tiocsserial-permission-check.patch staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch tty-amiserial-fix-tiocsserial-permission-check.patch tty-moxa-fix-tiocsserial-jiffies-conversions.patch tty-moxa-fix-tiocsserial-permission-check.patch usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch --- diff --git a/queue-5.4/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch b/queue-5.4/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch new file mode 100644 index 00000000000..2e5b7aaf499 --- /dev/null +++ b/queue-5.4/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch 
@@ -0,0 +1,53 @@ +From e2cb6b891ad2b8caa9131e3be70f45243df82a80 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Mon, 12 Apr 2021 19:17:57 +0800 +Subject: bluetooth: eliminate the potential race condition when removing the HCI controller + +From: Lin Ma + +commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream. + +There is a possible race condition vulnerability between issuing a HCI +command and removing the cont. Specifically, functions hci_req_sync() +and hci_dev_do_close() can race each other like below: + +thread-A in hci_req_sync() | thread-B in hci_dev_do_close() + | hci_req_sync_lock(hdev); +test_bit(HCI_UP, &hdev->flags); | +... | test_and_clear_bit(HCI_UP, &hdev->flags) +hci_req_sync_lock(hdev); | + | +In this commit we alter the sequence in function hci_req_sync(). Hence, +the thread-A cannot issue th. + +Signed-off-by: Lin Ma +Cc: Marcel Holtmann +Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy") +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_request.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/hci_request.c ++++ b/net/bluetooth/hci_request.c +@@ -271,12 +271,16 @@ int hci_req_sync(struct hci_dev *hdev, i + { + int ret; + +- if (!test_bit(HCI_UP, &hdev->flags)) +- return -ENETDOWN; +- + /* Serialize all requests */ + hci_req_sync_lock(hdev); +- ret = __hci_req_sync(hdev, req, opt, timeout, hci_status); ++ /* check the state after obtaing the lock to protect the HCI_UP ++ * against any races from hci_dev_do_close when the controller ++ * gets removed. ++ */ ++ if (test_bit(HCI_UP, &hdev->flags)) ++ ret = __hci_req_sync(hdev, req, opt, timeout, hci_status); ++ else ++ ret = -ENETDOWN; + hci_req_sync_unlock(hdev); + + return ret; diff --git a/queue-5.4/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch b/queue-5.4/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch new file mode 100644 index 00000000000..37a041b46b9 --- /dev/null 
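Review bot: The new comment in hci_req_sync() misspells "obtaining" (`obtaing`) and stops short of saying what the race is; `/* Check HCI_UP only after obtaining the lock: hci_dev_do_close() clears the bit under the same lock, so a request cannot start against a controller being torn down. */` keeps the rationale from the description next to the code. Moving the test under hci_req_sync_lock() also means callers that previously got -ENETDOWN without touching the lock now block on it first; that looks intended, since serializing against hci_dev_do_close() is the whole point, but any path that merely probed a down controller now waits for the lock holder. The hci_req_sync() signature is in the hunk header only, and its callers are not visible here.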
+++ b/queue-5.4/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch 
@@ -0,0 +1,138 @@ +From 5c4c8c9544099bb9043a10a5318130a943e32fc3 Mon Sep 17 00:00:00 2001 +From: Archie Pusaka +Date: Mon, 22 Mar 2021 14:03:11 +0800 +Subject: Bluetooth: verify AMP hci_chan before amp_destroy + +From: Archie Pusaka + +commit 5c4c8c9544099bb9043a10a5318130a943e32fc3 upstream. + +hci_chan can be created in 2 places: hci_loglink_complete_evt() if +it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory, +Only AMP hci_chan should be removed by a call to +hci_disconn_loglink_complete_evt(). However, the controller might mess +up, call that function, and destroy an hci_chan which is not initiated +by hci_loglink_complete_evt(). + +This patch adds a verification that the destroyed hci_chan must have +been init'd by hci_loglink_complete_evt(). + +Example crash call trace: +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe3/0x144 lib/dump_stack.c:118 + print_address_description+0x67/0x22a mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report mm/kasan/report.c:412 [inline] + kasan_report+0x251/0x28f mm/kasan/report.c:396 + hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072 + l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877 + l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661 + l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline] + l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline] + l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline] + l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline] + l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023 + l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596 + hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline] + hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 
arch/x86/entry/entry_64.S:415 + +Allocated by task 38: + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553 + kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787 + kmalloc include/linux/slab.h:515 [inline] + kzalloc include/linux/slab.h:709 [inline] + hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674 + l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062 + l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline] + l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381 + hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404 + hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline] + hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981 + hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 + +Freed by task 1732: + set_track mm/kasan/kasan.c:460 [inline] + __kasan_slab_free mm/kasan/kasan.c:521 [inline] + __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493 + slab_free_hook mm/slub.c:1409 [inline] + slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436 + slab_free mm/slub.c:3009 [inline] + kfree+0x182/0x21e mm/slub.c:3972 + hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline] + hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050 + hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 + +The buggy address belongs to the object at ffff8881d7af9180 + which belongs to the cache kmalloc-128 of size 128 +The buggy address is located 24 bytes inside of + 128-byte region [ffff8881d7af9180, ffff8881d7af9200) +The buggy address belongs to the page: 
+page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0 +flags: 0x8000000000000200(slab) +raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200 +raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +>ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Signed-off-by: Archie Pusaka +Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com +Reviewed-by: Alain Michaud +Reviewed-by: Abhishek Pandit-Subedi +Signed-off-by: Marcel Holtmann +Cc: George Kennedy +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/hci_core.h | 1 + + net/bluetooth/hci_event.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -540,6 +540,7 @@ struct hci_chan { + struct sk_buff_head data_q; + unsigned int sent; + __u8 state; ++ bool amp; + }; + + struct hci_conn_params { +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4840,6 +4840,7 @@ static void hci_loglink_complete_evt(str + return; + + hchan->handle = le16_to_cpu(ev->handle); ++ hchan->amp = true; + + BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); + +@@ -4872,7 +4873,7 @@ static void hci_disconn_loglink_complete + hci_dev_lock(hdev); + + hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); +- if (!hchan) ++ if (!hchan || !hchan->amp) + goto unlock; + + amp_destroy_logical_link(hchan, ev->reason); 
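Review bot: The new `bool amp` member of struct hci_chan carries no comment, and its correctness rests on the allocation zeroing it: the KASAN trace in the description shows hci_chan_create() allocating with kzalloc(), which is what makes every non-AMP channel read as `amp == false`, but nothing at the field says so. Suggested: `bool amp; /* set only by hci_loglink_complete_evt(); hci_chan_create() zeroes it */`. In hci_disconn_loglink_complete_evt() the `!hchan->amp` case jumps straight to `unlock` and silently discards an event the controller should not have sent; a BT_DBG() on that path, matching the one already in hci_loglink_complete_evt(), would make a misbehaving controller visible in logs instead of indistinguishable from a lookup miss. Both event handlers start outside their hunks.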
diff --git a/queue-5.4/hsr-use-netdev_err-instead-of-warn_once.patch b/queue-5.4/hsr-use-netdev_err-instead-of-warn_once.patch
new file mode 100644
index 00000000000..695ba479066
--- /dev/null
+++ b/queue-5.4/hsr-use-netdev_err-instead-of-warn_once.patch
@@ -0,0 +1,35 @@
+From 4b793acdca0050739b99ace6a8b9e7f717f57c6b Mon Sep 17 00:00:00 2001
+From: Taehee Yoo
+Date: Fri, 28 Feb 2020 18:01:46 +0000
+Subject: hsr: use netdev_err() instead of WARN_ONCE()
+
+From: Taehee Yoo
+
+commit 4b793acdca0050739b99ace6a8b9e7f717f57c6b upstream.
+
+When HSR interface is sending a frame, it finds a node with
+the destination ethernet address from the list.
+If there is no node, it calls WARN_ONCE().
+But, using WARN_ONCE() for this situation is a little bit overdoing.
+So, in this patch, the netdev_err() is used instead.
+
+Signed-off-by: Taehee Yoo
+Signed-off-by: David S. Miller
+Cc: George Kennedy
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/hsr/hsr_framereg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -318,7 +318,8 @@ void hsr_addr_subst_dest(struct hsr_node
+ node_dst = find_node_by_addr_A(&port->hsr->node_db,
+ eth_hdr(skb)->h_dest);
+ if (!node_dst) {
+- WARN_ONCE(1, "%s: Unknown node\n", __func__);
++ if (net_ratelimit())
++ netdev_err(skb->dev, "%s: Unknown node\n", __func__);
+ return;
+ }
+ if (port->type != node_dst->addr_B_port)
diff --git a/queue-5.4/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch b/queue-5.4/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
new file mode 100644
index 00000000000..25c57d1789c
--- /dev/null
+++ b/queue-5.4/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
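Review bot: The new netdev_err() in hsr_addr_subst_dest() still logs only `__func__`, so an operator sees "Unknown node" with no indication of which destination was missing; `netdev_err(skb->dev, "%s: Unknown node %pM\n", __func__, eth_hdr(skb)->h_dest);` costs nothing and makes the message actionable. Keeping the `net_ratelimit()` guard is the important part of the change: this path appears to be reached for any frame whose destination is not in node_db, so the condition is driven by traffic rather than by a one-off bug, which is also why WARN_ONCE() was the wrong tool. hsr_addr_subst_dest() starts outside the hunk, so whether `skb->dev` is guaranteed non-NULL at this point is not visible here.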
@@ -0,0 +1,73 @@ +From c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 Mon Sep 17 00:00:00 2001 +From: Or Cohen +Date: Tue, 4 May 2021 10:16:46 +0300 +Subject: net/nfc: fix use-after-free llcp_sock_bind/connect + +From: Or Cohen + +commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream. + +Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") +and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") +fixed a refcount leak bug in bind/connect but introduced a +use-after-free if the same local is assigned to 2 different sockets. + +This can be triggered by the following simple program: + int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); + int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); + memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); + addr.sa_family = AF_NFC; + addr.nfc_protocol = NFC_PROTO_NFC_DEP; + bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) + bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) + close(sock1); + close(sock2); + +Fix this by assigning NULL to llcp_sock->local after calling +nfc_llcp_local_put. + +This addresses CVE-2021-23134. + +Reported-by: Or Cohen +Reported-by: Nadav Markus +Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") +Signed-off-by: Or Cohen +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -109,12 +109,14 @@ static int llcp_sock_bind(struct socket + GFP_KERNEL); + if (!llcp_sock->service_name) { + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + ret = -ENOMEM; + goto put_dev; + } + llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); + if (llcp_sock->ssap == LLCP_SAP_MAX) { + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + kfree(llcp_sock->service_name); + llcp_sock->service_name = NULL; + ret = -EADDRINUSE; +@@ -709,6 +711,7 @@ static int llcp_sock_connect(struct sock + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + ret = -ENOMEM; + goto put_dev; + } +@@ -756,6 +759,7 @@ sock_unlink: + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + + put_dev: + nfc_put_device(dev); diff --git a/queue-5.4/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch b/queue-5.4/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch new file mode 100644 index 00000000000..61ccd1edbb2 --- /dev/null +++ b/queue-5.4/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch 
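Review bot: The two-line sequence `nfc_llcp_local_put(llcp_sock->local);` / `llcp_sock->local = NULL;` now appears four times across llcp_sock_bind() and llcp_sock_connect(), and the bug being fixed is precisely that these sites were written without the second line; folding the pair into a small static helper that drops the reference and clears the pointer would make the invariant impossible to forget at the next error path. The `sock_llcp_release:` label in the last hunk looks like a shared cleanup path, so it is worth confirming that no route into it arrives with `llcp_sock->local` already cleared by one of the new assignments, or that nfc_llcp_local_put() tolerates NULL; nothing in the hunk shows either way. Both enclosing functions start outside their hunks.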
@@ -0,0 +1,69 @@ +From 729f7955cb987c5b7d7e54c87c5ad71c789934f7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 8 Apr 2021 15:16:00 +0200 +Subject: Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL" + +From: Johan Hovold + +commit 729f7955cb987c5b7d7e54c87c5ad71c789934f7 upstream. + +This reverts commit b401f8c4f492cbf74f3f59c9141e5be3071071bb. + +The offending commit claimed that trying to set the values reported back +by TIOCGSERIAL as a regular user could result in an -EPERM error when HZ +is 250, but that was never the case. + +With HZ=250, the default 0.5 second value of close_delay is converted to +125 jiffies when set and is converted back to 50 centiseconds by +TIOCGSERIAL as expected (not 12 cs as was claimed, even if that was the +case before an earlier fix). + +Comparing the internal current and new jiffies values is just fine to +determine if the value is about to change so drop the bogus workaround +(which was also backported to stable). + +For completeness: With different default values for these parameters or +with a HZ value not divisible by two, the lack of rounding when setting +the default values in tty_port_init() could result in an -EPERM being +returned, but this is hardly something we need to worry about. 
+ +Cc: Anthony Mallet +Cc: stable@vger.kernel.org +Acked-by: Oliver Neukum +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210408131602.27956-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -941,7 +941,6 @@ static int set_serial_info(struct tty_st + { + struct acm *acm = tty->driver_data; + unsigned int closing_wait, close_delay; +- unsigned int old_closing_wait, old_close_delay; + int retval = 0; + + close_delay = msecs_to_jiffies(ss->close_delay * 10); +@@ -949,17 +948,11 @@ static int set_serial_info(struct tty_st + ASYNC_CLOSING_WAIT_NONE : + msecs_to_jiffies(ss->closing_wait * 10); + +- /* we must redo the rounding here, so that the values match */ +- old_close_delay = jiffies_to_msecs(acm->port.close_delay) / 10; +- old_closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ? +- ASYNC_CLOSING_WAIT_NONE : +- jiffies_to_msecs(acm->port.closing_wait) / 10; +- + mutex_lock(&acm->port.mutex); + + if (!capable(CAP_SYS_ADMIN)) { +- if ((ss->close_delay != old_close_delay) || +- (ss->closing_wait != old_closing_wait)) ++ if ((close_delay != acm->port.close_delay) || ++ (closing_wait != acm->port.closing_wait)) + retval = -EPERM; + else + retval = -EOPNOTSUPP; diff --git a/queue-5.4/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch b/queue-5.4/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch new file mode 100644 index 00000000000..865e83b486f --- /dev/null +++ b/queue-5.4/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch 
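Review bot: The restored comparison `close_delay != acm->port.close_delay` is correct because both sides are now in jiffies, but the reason it is safe—the reverted workaround was added on the mistaken belief that the centisecond round trip lost precision—lives only in the commit message; a comment such as `/* compare in jiffies: the requested values were converted above with the same rounding as the stored ones */` above the `if (!capable(CAP_SYS_ADMIN))` block would stop the next reader from re-adding it. `close_delay` and `closing_wait` are computed from `ss` before `mutex_lock(&acm->port.mutex)` while the stored values are read under it, which is fine as long as `ss` is the kernel-side copy the TIOCSSERIAL path normally hands in. set_serial_info() begins outside the hunk.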
@@ -0,0 +1,45 @@
+From 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:19 +0200
+Subject: staging: fwserial: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold
+
+commit 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f upstream.
+
+The port close_delay parameter set by TIOCSSERIAL is specified in
+jiffies, while the value returned by TIOCGSERIAL is specified in
+centiseconds.
+
+Add the missing conversions so that TIOCGSERIAL works as expected also
+when HZ is not 100.
+
+Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver")
+Cc: stable@vger.kernel.org # 3.8
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/fwserial/fwserial.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/fwserial/fwserial.c
++++ b/drivers/staging/fwserial/fwserial.c
+@@ -1223,7 +1223,7 @@ static int get_serial_info(struct tty_st
+ ss->flags = port->port.flags;
+ ss->xmit_fifo_size = FWTTY_PORT_TXFIFO_LEN;
+ ss->baud_base = 400000000;
+- ss->close_delay = port->port.close_delay;
++ ss->close_delay = jiffies_to_msecs(port->port.close_delay) / 10;
+ mutex_unlock(&port->port.mutex);
+ return 0;
+ }
+@@ -1245,7 +1245,7 @@ static int set_serial_info(struct tty_st
+ return -EPERM;
+ }
+ }
+- port->port.close_delay = ss->close_delay * HZ / 100;
++ port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
+ mutex_unlock(&port->port.mutex);
+
+ return 0;
diff --git a/queue-5.4/staging-fwserial-fix-tiocsserial-permission-check.patch b/queue-5.4/staging-fwserial-fix-tiocsserial-permission-check.patch
new file mode 100644
index 00000000000..52f3cdb9516
--- /dev/null
+++ b/queue-5.4/staging-fwserial-fix-tiocsserial-permission-check.patch
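Review bot: The `/ 10` and `* 10` in the new get_serial_info()/set_serial_info() lines encode that serial_struct's close_delay is in centiseconds while tty_port keeps jiffies, but nothing in the code says so, and the same bare constants recur in the greybus uart, moxa and usb_wwan jiffies hunks of this series; a one-line comment at the first conversion in each driver, e.g. `/* serial_struct close_delay is in centiseconds; tty_port keeps jiffies */`, would spare the next reader the archaeology. A shared helper for the centisecond/jiffies conversion would remove the duplication across all of these drivers, but that is follow-up material rather than a stable backport concern. get_serial_info() and set_serial_info() both start outside their hunks.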
@@ -0,0 +1,50 @@
+From 2104eb283df66a482b60254299acbe3c68c03412 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:20 +0200
+Subject: staging: fwserial: fix TIOCSSERIAL permission check
+
+From: Johan Hovold
+
+commit 2104eb283df66a482b60254299acbe3c68c03412 upstream.
+
+Changing the port close-delay parameter is a privileged operation so
+make sure to return -EPERM if a regular user tries to change it.
+
+Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver")
+Cc: stable@vger.kernel.org # 3.8
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/fwserial/fwserial.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/fwserial/fwserial.c
++++ b/drivers/staging/fwserial/fwserial.c
+@@ -1232,20 +1232,24 @@ static int set_serial_info(struct tty_st
+ struct serial_struct *ss)
+ {
+ struct fwtty_port *port = tty->driver_data;
++ unsigned int cdelay;
+
+ if (ss->irq != 0 || ss->port != 0 || ss->custom_divisor != 0 ||
+ ss->baud_base != 400000000)
+ return -EPERM;
+
++ cdelay = msecs_to_jiffies(ss->close_delay * 10);
++
+ mutex_lock(&port->port.mutex);
+ if (!capable(CAP_SYS_ADMIN)) {
+- if (((ss->flags & ~ASYNC_USR_MASK) !=
++ if (cdelay != port->port.close_delay ||
++ ((ss->flags & ~ASYNC_USR_MASK) !=
+ (port->port.flags & ~ASYNC_USR_MASK))) {
+ mutex_unlock(&port->port.mutex);
+ return -EPERM;
+ }
+ }
+- port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
++ port->port.close_delay = cdelay;
+ mutex_unlock(&port->port.mutex);
+
+ return 0;
diff --git a/queue-5.4/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch b/queue-5.4/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644
index 00000000000..ed9e16b727f
--- /dev/null
+++ b/queue-5.4/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch
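Review bot: The new check in set_serial_info() compares `cdelay`, the converted jiffies value, rather than the raw `ss->close_delay`, so the permission test sees exactly what would be stored and an unprivileged caller re-submitting the current settings gets the same answer as a no-op write; that is the same reasoning behind the cdc-acm revert earlier in this series and deserves a comment next to the comparison, e.g. `/* compare the converted value: it is what would be stored */`. The same shape appears in the moxa permission-check hunk (`close_delay`) and the ti_usb_3410_5052 hunk (`cwait`). Non-root callers whose values match fall through and rewrite `port->port.close_delay` with an identical value, which is harmless, but if the intent is "no change for non-root" an early unlock-and-return would say so more plainly. The function's signature sits in the hunk header.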
@@ -0,0 +1,54 @@ +From b71e571adaa58be4fd289abebc8997e05b4c6b40 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Apr 2021 12:23:23 +0200 +Subject: staging: greybus: uart: fix TIOCSSERIAL jiffies conversions + +From: Johan Hovold + +commit b71e571adaa58be4fd289abebc8997e05b4c6b40 upstream. + +The port close_delay and closing_wait parameters set by TIOCSSERIAL are +specified in jiffies and not milliseconds. + +Add the missing conversions so that TIOCSSERIAL works as expected also +when HZ is not 1000. + +Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added") +Cc: stable@vger.kernel.org # 4.9 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407102334.32361-6-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/greybus/uart.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/staging/greybus/uart.c ++++ b/drivers/staging/greybus/uart.c +@@ -625,10 +625,12 @@ static int get_serial_info(struct tty_st + ss->line = gb_tty->minor; + ss->xmit_fifo_size = 16; + ss->baud_base = 9600; +- ss->close_delay = gb_tty->port.close_delay / 10; ++ ss->close_delay = jiffies_to_msecs(gb_tty->port.close_delay) / 10; + ss->closing_wait = + gb_tty->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ? +- ASYNC_CLOSING_WAIT_NONE : gb_tty->port.closing_wait / 10; ++ ASYNC_CLOSING_WAIT_NONE : ++ jiffies_to_msecs(gb_tty->port.closing_wait) / 10; ++ + return 0; + } + +@@ -640,9 +642,10 @@ static int set_serial_info(struct tty_st + unsigned int close_delay; + int retval = 0; + +- close_delay = ss->close_delay * 10; ++ close_delay = msecs_to_jiffies(ss->close_delay * 10); + closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ? +- ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10; ++ ASYNC_CLOSING_WAIT_NONE : ++ msecs_to_jiffies(ss->closing_wait * 10); + + mutex_lock(&gb_tty->port.mutex); + if (!capable(CAP_SYS_ADMIN)) { 
diff --git a/queue-5.4/tty-amiserial-fix-tiocsserial-permission-check.patch b/queue-5.4/tty-amiserial-fix-tiocsserial-permission-check.patch
new file mode 100644
index 00000000000..af0f24bfd3d
--- /dev/null
+++ b/queue-5.4/tty-amiserial-fix-tiocsserial-permission-check.patch
@@ -0,0 +1,32 @@
+From 1d31a831cc04f5f942de3e7d91edaa52310d3c99 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:26 +0200
+Subject: tty: amiserial: fix TIOCSSERIAL permission check
+
+From: Johan Hovold
+
+commit 1d31a831cc04f5f942de3e7d91edaa52310d3c99 upstream.
+
+Changing the port closing_wait parameter is a privileged operation.
+
+Add the missing check to TIOCSSERIAL so that -EPERM is returned in case
+an unprivileged user tries to change the closing-wait setting.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-9-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/amiserial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/amiserial.c
++++ b/drivers/tty/amiserial.c
+@@ -1032,6 +1032,7 @@ static int set_serial_info(struct tty_st
+ if (!serial_isroot()) {
+ if ((ss->baud_base != state->baud_base) ||
+ (ss->close_delay != port->close_delay) ||
++ (ss->closing_wait != port->closing_wait) ||
+ (ss->xmit_fifo_size != state->xmit_fifo_size) ||
+ ((ss->flags & ~ASYNC_USR_MASK) !=
+ (port->flags & ~ASYNC_USR_MASK))) {
diff --git a/queue-5.4/tty-moxa-fix-tiocsserial-jiffies-conversions.patch b/queue-5.4/tty-moxa-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644
index 00000000000..0d8d557c15e
--- /dev/null
+++ b/queue-5.4/tty-moxa-fix-tiocsserial-jiffies-conversions.patch
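Review bot: The added line compares `ss->closing_wait`, the centisecond value from user space, directly with `port->closing_wait`; in the other drivers touched by this series the tty_port field holds jiffies and the user value goes through msecs_to_jiffies() before the comparison, so if amiserial stores closing_wait the same way, an unprivileged user re-submitting the values TIOCGSERIAL returned would get -EPERM whenever HZ is not 100. The existing `ss->close_delay != port->close_delay` line above it has the same shape, so either amiserial keeps both fields in centiseconds or both comparisons need the conversion; the assignments that would settle this are outside the hunk, so it has to be checked against the driver rather than fixed blind. If the fields are in jiffies the two lines would become `msecs_to_jiffies(ss->close_delay * 10) != port->close_delay` and `msecs_to_jiffies(ss->closing_wait * 10) != port->closing_wait`, with the ASYNC_CLOSING_WAIT_NONE sentinel excluded as the usb_wwan hunk does. set_serial_info() starts outside the hunk.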
@@ -0,0 +1,44 @@
+From 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:28 +0200
+Subject: tty: moxa: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold
+
+commit 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 upstream.
+
+The port close_delay parameter set by TIOCSSERIAL is specified in
+jiffies, while the value returned by TIOCGSERIAL is specified in
+centiseconds.
+
+Add the missing conversions so that TIOCGSERIAL works as expected also
+when HZ is not 100.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-11-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/moxa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -2040,7 +2040,7 @@ static int moxa_get_serial_info(struct t
+ ss->line = info->port.tty->index,
+ ss->flags = info->port.flags,
+ ss->baud_base = 921600,
+- ss->close_delay = info->port.close_delay;
++ ss->close_delay = jiffies_to_msecs(info->port.close_delay) / 10;
+ mutex_unlock(&info->port.mutex);
+ return 0;
+ }
+@@ -2069,7 +2069,7 @@ static int moxa_set_serial_info(struct t
+ return -EPERM;
+ }
+ }
+- info->port.close_delay = ss->close_delay * HZ / 100;
++ info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
+
+ MoxaSetFifo(info, ss->type == PORT_16550A);
+
diff --git a/queue-5.4/tty-moxa-fix-tiocsserial-permission-check.patch b/queue-5.4/tty-moxa-fix-tiocsserial-permission-check.patch
new file mode 100644
index 00000000000..f497aad1ded
--- /dev/null
+++ b/queue-5.4/tty-moxa-fix-tiocsserial-permission-check.patch
@@ -0,0 +1,60 @@
+From dc8c8437658667be9b11ec25c4b5482ed2becdaa Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:29 +0200
+Subject: tty: moxa: fix TIOCSSERIAL permission check
+
+From: Johan Hovold
+
+commit dc8c8437658667be9b11ec25c4b5482ed2becdaa upstream.
+
+Changing the port close delay or type are privileged operations so make
+sure to return -EPERM if a regular user tries to change them.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-12-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/moxa.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -2050,6 +2050,7 @@ static int moxa_set_serial_info(struct t
+ struct serial_struct *ss)
+ {
+ struct moxa_port *info = tty->driver_data;
++ unsigned int close_delay;
+
+ if (tty->index == MAX_PORTS)
+ return -EINVAL;
+@@ -2061,19 +2062,24 @@ static int moxa_set_serial_info(struct t
+ ss->baud_base != 921600)
+ return -EPERM;
+
++ close_delay = msecs_to_jiffies(ss->close_delay * 10);
++
+ mutex_lock(&info->port.mutex);
+ if (!capable(CAP_SYS_ADMIN)) {
+- if (((ss->flags & ~ASYNC_USR_MASK) !=
++ if (close_delay != info->port.close_delay ||
++ ss->type != info->type ||
++ ((ss->flags & ~ASYNC_USR_MASK) !=
+ (info->port.flags & ~ASYNC_USR_MASK))) {
+ mutex_unlock(&info->port.mutex);
+ return -EPERM;
+ }
+- }
+- info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
++ } else {
++ info->port.close_delay = close_delay;
+
+- MoxaSetFifo(info, ss->type == PORT_16550A);
++ MoxaSetFifo(info, ss->type == PORT_16550A);
+
+- info->type = ss->type;
++ info->type = ss->type;
++ }
+ mutex_unlock(&info->port.mutex);
+ return 0;
+ }
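Review bot: The new `else` branch in moxa_set_serial_info() means an unprivileged caller whose values match does nothing at all while a privileged caller applies close_delay, the FIFO mode and the type; that is the intended outcome, but it reads as if the non-root path forgot the assignments, so a comment on the `else`, e.g. `/* unprivileged callers may only re-submit the current settings */`, would help. Both arms end in `mutex_unlock(&info->port.mutex)`, with the -EPERM path unlocking inline before `return`; an `unlock:` label with a single unlock and a `ret` variable is the usual kernel shape and would remove the duplicate. `info->type = ss->type` still stores a caller-supplied type with no range check visible in the hunk, as before this change; since that is now root-only it is a hardening note rather than a defect introduced here. The checks between the two hunks are not visible.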
diff --git a/queue-5.4/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch b/queue-5.4/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch
new file mode 100644
index 00000000000..99ca5236ed3
--- /dev/null
+++ b/queue-5.4/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch
@@ -0,0 +1,44 @@
+From d370c90dcd64e427a79a093a070117a1571d4cd8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:39:15 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
+
+From: Johan Hovold
+
+commit d370c90dcd64e427a79a093a070117a1571d4cd8 upstream.
+
+Changing the port closing-wait parameter is a privileged operation so
+make sure to return -EPERM if a regular user tries to change it.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/ti_usb_3410_5052.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -1420,14 +1420,19 @@ static int ti_set_serial_info(struct tty
+ struct serial_struct *ss)
+ {
+ struct usb_serial_port *port = tty->driver_data;
+- struct ti_port *tport = usb_get_serial_port_data(port);
++ struct tty_port *tport = &port->port;
+ unsigned cwait;
+
+ cwait = ss->closing_wait;
+ if (cwait != ASYNC_CLOSING_WAIT_NONE)
+ cwait = msecs_to_jiffies(10 * ss->closing_wait);
+
+- tport->tp_port->port.closing_wait = cwait;
++ if (!capable(CAP_SYS_ADMIN)) {
++ if (cwait != tport->closing_wait)
++ return -EPERM;
++ }
++
++ tport->closing_wait = cwait;
+
+ return 0;
+ }
diff --git a/queue-5.4/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch b/queue-5.4/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644
index 00000000000..9db81df9835
--- /dev/null
+++ b/queue-5.4/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch
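Review bot: In ti_set_serial_info() the new compare-and-store of `tport->closing_wait` runs without taking the tty_port mutex, whereas every other TIOCSSERIAL handler in this series (fwserial, greybus, moxa, cdc-acm, usb_wwan) does the same work under `port.mutex`; two concurrent TIOCSSERIAL calls can therefore pass the permission check against a value that changes before the store. Whether any other writer of `closing_wait` exists in this driver is not visible here, but the sibling drivers establish the convention and the cost is a lock/unlock pair. The nested `if` can also collapse into one condition, and the bounds of the function are all inside the hunk.

```c
	struct tty_port *tport = &port->port;
	/* … unchanged: cwait conversion … */
	mutex_lock(&tport->mutex);
	if (!capable(CAP_SYS_ADMIN) && cwait != tport->closing_wait) {
		mutex_unlock(&tport->mutex);
		return -EPERM;
	}
	tport->closing_wait = cwait;
	mutex_unlock(&tport->mutex);

	return 0;
```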
@@ -0,0 +1,52 @@ +From 3d732690d2267f4d0e19077b178dffbedafdf0c9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Apr 2021 12:39:16 +0200 +Subject: USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions + +From: Johan Hovold + +commit 3d732690d2267f4d0e19077b178dffbedafdf0c9 upstream. + +The port close_delay and closing_wait parameters set by TIOCSSERIAL are +specified in jiffies and not milliseconds. + +Add the missing conversions so that the TIOCSSERIAL works as expected +also when HZ is not 1000. + +Fixes: 02303f73373a ("usb-wwan: implement TIOCGSERIAL and TIOCSSERIAL to avoid blocking close(2)") +Cc: stable@vger.kernel.org # 2.6.38 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/usb_wwan.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/usb_wwan.c ++++ b/drivers/usb/serial/usb_wwan.c +@@ -140,10 +140,10 @@ int usb_wwan_get_serial_info(struct tty_ + ss->line = port->minor; + ss->port = port->port_number; + ss->baud_base = tty_get_baud_rate(port->port.tty); +- ss->close_delay = port->port.close_delay / 10; ++ ss->close_delay = jiffies_to_msecs(port->port.close_delay) / 10; + ss->closing_wait = port->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ? + ASYNC_CLOSING_WAIT_NONE : +- port->port.closing_wait / 10; ++ jiffies_to_msecs(port->port.closing_wait) / 10; + return 0; + } + EXPORT_SYMBOL(usb_wwan_get_serial_info); +@@ -155,9 +155,10 @@ int usb_wwan_set_serial_info(struct tty_ + unsigned int closing_wait, close_delay; + int retval = 0; + +- close_delay = ss->close_delay * 10; ++ close_delay = msecs_to_jiffies(ss->close_delay * 10); + closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ? +- ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10; ++ ASYNC_CLOSING_WAIT_NONE : ++ msecs_to_jiffies(ss->closing_wait * 10); + + mutex_lock(&port->port.mutex); +