From: Greg Kroah-Hartman
Date: Tue, 20 Feb 2018 15:48:11 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v4.15.5~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=81983112de5ce004776ec31cb8994450b06d8b48;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
alsa-seq-fix-racy-pool-initializations.patch
alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
btrfs-fix-deadlock-in-run_delalloc_nocow.patch
---
diff --git a/queue-3.18/alsa-seq-fix-racy-pool-initializations.patch b/queue-3.18/alsa-seq-fix-racy-pool-initializations.patch
new file mode 100644
index 00000000000..4cf4dec6bd6
--- /dev/null
+++ b/queue-3.18/alsa-seq-fix-racy-pool-initializations.patch
@@ -0,0 +1,60 @@
+From d15d662e89fc667b90cd294b0eb45694e33144da Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 12 Feb 2018 15:20:51 +0100
+Subject: ALSA: seq: Fix racy pool initializations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.
+
+ALSA sequencer core initializes the event pool on demand by invoking
+snd_seq_pool_init() when the first write happens and the pool is
+empty. Meanwhile user can reset the pool size manually via ioctl
+concurrently, and this may lead to UAF or out-of-bound accesses since
+the function tries to vmalloc / vfree the buffer.
+
+A simple fix is to just wrap the snd_seq_pool_init() call with the
+recently introduced client->ioctl_mutex; as the calls for
+snd_seq_pool_init() from other side are always protected with this
+mutex, we can avoid the race.
+
+Reported-by: 范龙飞
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_clientmgr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1012,7 +1012,7 @@ static ssize_t snd_seq_write(struct file
+ {
+ struct snd_seq_client *client = file->private_data;
+ int written = 0, len;
+- int err = -EINVAL;
++ int err;
+ struct snd_seq_event event;
+
+ if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
+@@ -1027,11 +1027,15 @@ static ssize_t snd_seq_write(struct file
+
+ /* allocate the pool now if the pool is not allocated yet */
+ if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+- if (snd_seq_pool_init(client->pool) < 0)
++ mutex_lock(&client->ioctl_mutex);
++ err = snd_seq_pool_init(client->pool);
++ mutex_unlock(&client->ioctl_mutex);
++ if (err < 0)
+ return -ENOMEM;
+ }
+
+ /* only process whole events */
++ err = -EINVAL;
+ while (count >= sizeof(struct snd_seq_event)) {
+ /* Read in the
event header from the user */
+ len = sizeof(event);
diff --git a/queue-3.18/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch b/queue-3.18/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
new file mode 100644
index 00000000000..4a7647fc452
--- /dev/null
+++ b/queue-3.18/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
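Review bot: The `!snd_seq_write_pool_allocated(client)` test on the line above the new `mutex_lock(&client->ioctl_mutex)` still runs outside the mutex, so two concurrent writers on the same client can both see the pool as unallocated and both call `snd_seq_pool_init()` back to back; whether that is harmless depends on snd_seq_pool_init() re-checking for an already-allocated pool internally, which is not visible here. Re-checking under the lock makes the write path independent of that: `err = snd_seq_write_pool_allocated(client) ? 0 : snd_seq_pool_init(client->pool);` between the lock and unlock. A smaller point: `err` is now captured but `return -ENOMEM;` still discards it, so `return err;` would preserve whatever the pool code actually reported. snd_seq_write()'s body continues outside the hunk.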
@@ -0,0 +1,78 @@
+From 447cae58cecd69392b74a4a42cd0ab9cabd816af Mon Sep 17 00:00:00 2001
+From: Kirill Marinushkin
+Date: Mon, 29 Jan 2018 06:37:55 +0100
+Subject: ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
+
+From: Kirill Marinushkin
+
+commit 447cae58cecd69392b74a4a42cd0ab9cabd816af upstream.
+
+The layout of the UAC2 Control request and response varies depending on
+the request type. With the current implementation, only the Layout 2
+Parameter Block (with the 2-byte sized RANGE attribute) is handled
+properly. For the Control requests with the 1-byte sized RANGE attribute
+(Bass Control, Mid Control, Tremble Control), the response is parsed
+incorrectly.
+
+This commit:
+* fixes the wLength field value in the request
+* fixes parsing the range values from the response
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Kirill Marinushkin
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -328,17 +328,20 @@ static int get_ctl_value_v2(struct usb_m
+ int validx, int *value_ret)
+ {
+ struct snd_usb_audio *chip = cval->mixer->chip;
+- unsigned char buf[2 + 3 * sizeof(__u16)]; /* enough space for one range */
++ /* enough space for one range */
++ unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)];
+ unsigned char *val;
+- int idx = 0, ret, size;
++ int idx = 0, ret, val_size, size;
+ __u8 bRequest;
+
++ val_size = uac2_ctl_value_size(cval->val_type);
++
+ if (request == UAC_GET_CUR) {
+ bRequest = UAC2_CS_CUR;
+- size = sizeof(__u16);
++ size = val_size;
+ } else {
+ bRequest = UAC2_CS_RANGE;
+- size = sizeof(buf);
++ size = sizeof(__u16) + 3 * val_size;
+ }
+
+ memset(buf, 0, sizeof(buf));
+@@ -377,16 +380,17 @@ error:
+ val = buf + sizeof(__u16);
+ break;
+ case UAC_GET_MAX:
+- val = buf + sizeof(__u16) * 2;
++ val = buf +
sizeof(__u16) + val_size;
+ break;
+ case UAC_GET_RES:
+- val = buf + sizeof(__u16) * 3;
++ val = buf + sizeof(__u16) + val_size * 2;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+- *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16)));
++ *value_ret = convert_signed_value(cval,
++ snd_usb_combine_bytes(val, val_size));
+
+ return 0;
+ }
diff --git a/queue-3.18/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch b/queue-3.18/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
new file mode 100644
index 00000000000..ddc532ec3c6
--- /dev/null
+++ b/queue-3.18/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
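Review bot: `size = sizeof(__u16) + 3 * val_size;` only stays within the stack buffer `buf[sizeof(__u16) + 3 * sizeof(__u32)]` as long as uac2_ctl_value_size() never returns more than 4, and nothing in the visible part of get_ctl_value_v2() checks that; the control transfer that fills `buf` with `size` bytes from the device sits between the two hunks, so a later wider value type would become a stack overflow fed by a USB device. A cheap guard after the two branches, `if (size > sizeof(buf)) return -EINVAL;`, keeps the bound explicit at the point it is relied on. I would also expand the `/* enough space for one range */` comment to say what one range is here: a 2-byte sub-range count followed by MIN, MAX and RES of val_size bytes each, which is the arithmetic the GET_MIN/GET_MAX/GET_RES cases below depend on. get_ctl_value_v2() starts before the first hunk and runs between and past the two hunks shown.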
@@ -0,0 +1,65 @@
+From 1846430c24d66e85cc58286b3319c82cd54debb2 Mon Sep 17 00:00:00 2001
+From: Liu Bo
+Date: Thu, 25 Jan 2018 11:02:51 -0700
+Subject: Btrfs: fix crash due to not cleaning up tree log block's dirty bits
+
+From: Liu Bo
+
+commit 1846430c24d66e85cc58286b3319c82cd54debb2 upstream.
+
+In cases that the whole fs flips into readonly status due to failures in
+critical sections, then log tree's blocks are still dirty, and this leads
+to a crash during umount time, the crash is about use-after-free,
+
+umount
+ -> close_ctree
+ -> stop workers
+ -> iput(btree_inode)
+ -> iput_final
+ -> write_inode_now
+ -> ...
+ -> queue job on stop'd workers
+
+cc: v3.12+
+Fixes: 681ae50917df ("Btrfs: cleanup reserved space when freeing tree log on error")
+Signed-off-by: Liu Bo
+Reviewed-by: Josef Bacik
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/tree-log.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2201,6 +2201,9 @@ static noinline int walk_down_log_tree(s
+ clean_tree_block(trans, root, next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(root_owner !=
+@@ -2279,6 +2282,9 @@ static noinline int walk_up_log_tree(str
+ clean_tree_block(trans, root, next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
+@@ -2355,6 +2361,9 @@ static int walk_log_tree(struct btrfs_tr
+ clean_tree_block(trans, log, next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(log->root_key.objectid !=
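Review bot: The three new `else` blocks say nothing about why the dirty bit is dropped on this path, and the `if` condition each one pairs with lies outside its hunk, so a reader of walk_down_log_tree() alone cannot tell this is the not-freeing case the commit message describes. A one-line comment above each `test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)` would fix that, along the lines of `/* not freeing the block (e.g. fs went read-only): drop its dirty bit so umount does not queue writeback on stopped workers */`, worded to match whatever the paired condition actually tests. As a style point, `} else { if (cond) ...; }` reads more naturally as `} else if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) {`, and the same three-line body repeated in three functions could be one small static helper so the next change is not applied to only two of them. Note that the branch above clears dirty state while holding btrfs_tree_lock() and the new branch does it without the lock; whether that is safe depends on what the not-visible condition guarantees, which is worth confirming.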
diff --git a/queue-3.18/btrfs-fix-deadlock-in-run_delalloc_nocow.patch b/queue-3.18/btrfs-fix-deadlock-in-run_delalloc_nocow.patch
new file mode 100644
index 00000000000..d744a4c4e5f
--- /dev/null
+++ b/queue-3.18/btrfs-fix-deadlock-in-run_delalloc_nocow.patch
@@ -0,0 +1,38 @@
+From e89166990f11c3f21e1649d760dd35f9e410321c Mon Sep 17 00:00:00 2001
+From: Liu Bo
+Date: Thu, 25 Jan 2018 11:02:50 -0700
+Subject: Btrfs: fix deadlock in run_delalloc_nocow
+
+From: Liu Bo
+
+commit e89166990f11c3f21e1649d760dd35f9e410321c upstream.
+
+@cur_offset is not set back to what it should be (@cow_start) if
+btrfs_next_leaf() returns something wrong, and the range [cow_start,
+cur_offset) remains locked forever.
+
+cc:
+Signed-off-by: Liu Bo
+Reviewed-by: Josef Bacik
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1256,8 +1256,11 @@ next_slot:
+ leaf = path->nodes[0];
+ if (path->slots[0] >= btrfs_header_nritems(leaf)) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret < 0)
++ if (ret < 0) {
++ if (cow_start != (u64)-1)
++ cur_offset = cow_start;
+ goto error;
++ }
+ if (ret > 0)
+ break;
+ leaf = path->nodes[0];
diff --git a/queue-3.18/series b/queue-3.18/series
index ebcf55b73bd..70be103d48c 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -10,3 +10,7 @@ ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch
 ext4-correct-documentation-for-grpid-mount-option.patch
 video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch
 console-dummy-leave-.con_font_get-set-to-null.patch
+btrfs-fix-deadlock-in-run_delalloc_nocow.patch
+btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
+alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
+alsa-seq-fix-racy-pool-initializations.patch
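Review bot: The reset of `cur_offset` to `cow_start` is added only to the btrfs_next_leaf() failure, but the invariant it restores — `[cow_start, cur_offset)` still locked and not yet handed to the COW path — holds at any other `goto error` in this loop that can fire once cow_start has been set, such as the extent lookup at the top of the loop; those sites are outside the hunk, so confirm, but if they lack the same reset the deadlock this commit fixes remains reachable through them. Doing the reset once at the `error:` label, `if (cow_start != (u64)-1) cur_offset = cow_start;` ahead of the range unlock, would cover every exit instead of one, and a short comment there explaining that cow_start being set means the COW region was never unlocked would make the invariant visible. The enclosing run_delalloc_nocow() starts and ends outside the hunk.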