From e887844fe1cf57a5058f63026b3cabd7a32e89cd Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 18 Dec 2017 12:43:29 +0100 Subject: [PATCH] 4.4-stable patches added patches: autofs-fix-careless-error-in-recent-commit.patch bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch tracing-allocate-mask_str-buffer-dynamically.patch usb-core-prevent-malicious-bnuminterfaces-overflow.patch usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch --- ...-fix-careless-error-in-recent-commit.patch | 36 +++++++ ...ver-to-enable-the-usb-wakeup-feature.patch | 57 +++++++++++ ...ies-before-try-pruning-inode-s-alias.patch | 85 ++++++++++++++++ queue-4.4/series | 7 ++ ...allocate-mask_str-buffer-dynamically.patch | 97 +++++++++++++++++++ ...nt-malicious-bnuminterfaces-overflow.patch | 47 +++++++++ ...en_fua-for-another-jmicron-jms567-id.patch | 65 +++++++++++++ ...ulnerability-to-null-transfer_buffer.patch | 38 ++++++++ 8 files changed, 432 insertions(+) create mode 100644 queue-4.4/autofs-fix-careless-error-in-recent-commit.patch create mode 100644 queue-4.4/bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch create mode 100644 queue-4.4/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch create mode 100644 queue-4.4/tracing-allocate-mask_str-buffer-dynamically.patch create mode 100644 queue-4.4/usb-core-prevent-malicious-bnuminterfaces-overflow.patch create mode 100644 queue-4.4/usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch create mode 100644 queue-4.4/usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch diff --git a/queue-4.4/autofs-fix-careless-error-in-recent-commit.patch b/queue-4.4/autofs-fix-careless-error-in-recent-commit.patch new file mode 100644 index 00000000000..75fdb594762 --- /dev/null 
+++ b/queue-4.4/autofs-fix-careless-error-in-recent-commit.patch @@ -0,0 +1,36 @@ +From 302ec300ef8a545a7fc7f667e5fd743b091c2eeb Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 14 Dec 2017 15:32:38 -0800 +Subject: autofs: fix careless error in recent commit + +From: NeilBrown + +commit 302ec300ef8a545a7fc7f667e5fd743b091c2eeb upstream. + +Commit ecc0c469f277 ("autofs: don't fail mount for transient error") was +meant to replace an 'if' with a 'switch', but instead added the 'switch' +leaving the case in place. + +Link: http://lkml.kernel.org/r/87zi6wstmw.fsf@notabene.neil.brown.name +Fixes: ecc0c469f277 ("autofs: don't fail mount for transient error") +Reported-by: Ben Hutchings +Signed-off-by: NeilBrown +Cc: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/autofs4/waitq.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -174,7 +174,6 @@ static void autofs4_notify_daemon(struct + + mutex_unlock(&sbi->wq_mutex); + +- if (autofs4_write(sbi, pipe, &pkt, pktsz)) + switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { + case 0: + break; diff --git a/queue-4.4/bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch b/queue-4.4/bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch new file mode 100644 index 00000000000..b151f0e566f --- /dev/null +++ b/queue-4.4/bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch 
@@ -0,0 +1,57 @@ +From a0085f2510e8976614ad8f766b209448b385492f Mon Sep 17 00:00:00 2001 +From: Sukumar Ghorai +Date: Wed, 16 Aug 2017 14:46:55 -0700 +Subject: Bluetooth: btusb: driver to enable the usb-wakeup feature + +From: Sukumar Ghorai + +commit a0085f2510e8976614ad8f766b209448b385492f upstream. + +BT-Controller connected as platform non-root-hub device and +usb-driver initialize such device with wakeup disabled, +Ref. usb_new_device(). + +At present wakeup-capability get enabled by hid-input device from usb +function driver(e.g. BT HID device) at runtime. Again some functional +driver does not set usb-wakeup capability(e.g LE HID device implement +as HID-over-GATT), and can't wakeup the host on USB. + +Most of the device operation (such as mass storage) initiated from host +(except HID) and USB wakeup aligned with host resume procedure. For BT +device, usb-wakeup capability need to enable form btusc driver as a +generic solution for multiple profile use case and required for USB remote +wakeup (in-bus wakeup) while host is suspended. Also usb-wakeup feature +need to enable/disable with HCI interface up and down. 
+ +Signed-off-by: Sukumar Ghorai +Signed-off-by: Amit K Bag +Acked-by: Oliver Neukum +Signed-off-by: Marcel Holtmann +Cc: Matthias Kaehlcke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1050,6 +1050,10 @@ static int btusb_open(struct hci_dev *hd + return err; + + data->intf->needs_remote_wakeup = 1; ++ /* device specific wakeup source enabled and required for USB ++ * remote wakeup while host is suspended ++ */ ++ device_wakeup_enable(&data->udev->dev); + + if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) + goto done; +@@ -1113,6 +1117,7 @@ static int btusb_close(struct hci_dev *h + goto failed; + + data->intf->needs_remote_wakeup = 0; ++ device_wakeup_disable(&data->udev->dev); + usb_autopm_put_interface(data->intf); + + failed: diff --git a/queue-4.4/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch b/queue-4.4/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch new file mode 100644 index 00000000000..b2d12a48d2c --- /dev/null +++ b/queue-4.4/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch 
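Review bot: The result of the new `device_wakeup_enable(&data->udev->dev);` call in btusb_open is discarded, so a failed wakeup-source registration is invisible and the later `device_wakeup_disable()` in btusb_close runs against a device that never had one; `err` is already in scope here, so `if (device_wakeup_enable(&data->udev->dev)) dev_warn(&data->udev->dev, "failed to enable USB remote wakeup\n");` would at least record it. The enable is also performed before the `test_and_set_bit(BTUSB_INTR_RUNNING, ...)` step, and btusb_open's failure path lies outside this hunk, so it is worth confirming that an open that fails after this point disables the wakeup source again rather than leaving it armed. btusb_close's `goto failed` branch likewise skips the new disable, which mirrors the existing handling of `needs_remote_wakeup` but is inferred rather than visible here.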
@@ -0,0 +1,85 @@ +From 040d786032bf59002d374b86d75b04d97624005c Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Thu, 30 Nov 2017 11:59:22 +0800 +Subject: ceph: drop negative child dentries before try pruning inode's alias + +From: Yan, Zheng + +commit 040d786032bf59002d374b86d75b04d97624005c upstream. + +Negative child dentry holds reference on inode's alias, it makes +d_prune_aliases() do nothing. + +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/mds_client.c | 42 ++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 38 insertions(+), 4 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1400,6 +1400,29 @@ static int __close_session(struct ceph_m + return request_close_session(mdsc, session); + } + ++static bool drop_negative_children(struct dentry *dentry) ++{ ++ struct dentry *child; ++ bool all_negative = true; ++ ++ if (!d_is_dir(dentry)) ++ goto out; ++ ++ spin_lock(&dentry->d_lock); ++ list_for_each_entry(child, &dentry->d_subdirs, d_child) { ++ if (d_really_is_positive(child)) { ++ all_negative = false; ++ break; ++ } ++ } ++ spin_unlock(&dentry->d_lock); ++ ++ if (all_negative) ++ shrink_dcache_parent(dentry); ++out: ++ return all_negative; ++} ++ + /* + * Trim old(er) caps. + * +@@ -1445,16 +1468,27 @@ static int trim_caps_cb(struct inode *in + if ((used | wanted) & ~oissued & mine) + goto out; /* we need these caps */ + +- session->s_trim_caps--; + if (oissued) { + /* we aren't the only cap.. 
just remove us */ + __ceph_remove_cap(cap, true); ++ session->s_trim_caps--; + } else { ++ struct dentry *dentry; + /* try dropping referring dentries */ + spin_unlock(&ci->i_ceph_lock); +- d_prune_aliases(inode); +- dout("trim_caps_cb %p cap %p pruned, count now %d\n", +- inode, cap, atomic_read(&inode->i_count)); ++ dentry = d_find_any_alias(inode); ++ if (dentry && drop_negative_children(dentry)) { ++ int count; ++ dput(dentry); ++ d_prune_aliases(inode); ++ count = atomic_read(&inode->i_count); ++ if (count == 1) ++ session->s_trim_caps--; ++ dout("trim_caps_cb %p cap %p pruned, count now %d\n", ++ inode, cap, count); ++ } else { ++ dput(dentry); ++ } + return 0; + } + diff --git a/queue-4.4/series b/queue-4.4/series index 484306d7a39..354b01f556e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,2 +1,9 @@ crypto-hmac-require-that-the-underlying-hash-algorithm-is-unkeyed.patch crypto-salsa20-fix-blkcipher_walk-api-usage.patch +autofs-fix-careless-error-in-recent-commit.patch +tracing-allocate-mask_str-buffer-dynamically.patch +usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch +usb-core-prevent-malicious-bnuminterfaces-overflow.patch +usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch +ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch +bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch diff --git a/queue-4.4/tracing-allocate-mask_str-buffer-dynamically.patch b/queue-4.4/tracing-allocate-mask_str-buffer-dynamically.patch new file mode 100644 index 00000000000..b44494623b7 --- /dev/null +++ b/queue-4.4/tracing-allocate-mask_str-buffer-dynamically.patch 
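Review bot: The new `drop_negative_children()` has no header comment, and its contract is not obvious: it returns true for a non-directory dentry as well (the `goto out` path leaves `all_negative` set), and trim_caps_cb now keys its `session->s_trim_caps--` accounting on that result plus the post-prune `i_count`. A short comment above the function, e.g. `/* Shrink the dcache under @dentry when it has no positive children; returns true when no positive child (or no child at all) pins the alias, so d_prune_aliases() on the inode can succeed. */`, would let a reader of trim_caps_cb follow why the decrement moved. The `d_really_is_positive(child)` check is made under the parent's `d_lock` only, which looks acceptable for a heuristic but deserves a one-line note if that is the intent. trim_caps_cb begins before this hunk and continues after it.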
@@ -0,0 +1,97 @@ +From 90e406f96f630c07d631a021fd4af10aac913e77 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Thu, 30 Nov 2017 11:39:43 +0800 +Subject: tracing: Allocate mask_str buffer dynamically + +From: Changbin Du + +commit 90e406f96f630c07d631a021fd4af10aac913e77 upstream. + +The default NR_CPUS can be very large, but actual possible nr_cpu_ids +usually is very small. For my x86 distribution, the NR_CPUS is 8192 and +nr_cpu_ids is 4. About 2 pages are wasted. + +Most machines don't have so many CPUs, so define a array with NR_CPUS +just wastes memory. So let's allocate the buffer dynamically when need. + +With this change, the mutext tracing_cpumask_update_lock also can be +removed now, which was used to protect mask_str. + +Link: http://lkml.kernel.org/r/1512013183-19107-1-git-send-email-changbin.du@intel.com + +Fixes: 36dfe9252bd4c ("ftrace: make use of tracing_cpumask") +Signed-off-by: Changbin Du +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3384,37 +3384,30 @@ static const struct file_operations show + .llseek = seq_lseek, + }; + +-/* +- * The tracer itself will not take this lock, but still we want +- * to provide a consistent cpumask to user-space: +- */ +-static DEFINE_MUTEX(tracing_cpumask_update_lock); +- +-/* +- * Temporary storage for the character representation of the +- * CPU bitmask (and one more byte for the newline): +- */ +-static char mask_str[NR_CPUS + 1]; +- + static ssize_t + tracing_cpumask_read(struct file *filp, char __user *ubuf, + size_t count, loff_t *ppos) + { + struct trace_array *tr = file_inode(filp)->i_private; ++ char *mask_str; + int len; + +- mutex_lock(&tracing_cpumask_update_lock); ++ len = snprintf(NULL, 0, "%*pb\n", ++ cpumask_pr_args(tr->tracing_cpumask)) + 1; ++ mask_str = kmalloc(len, GFP_KERNEL); ++ if 
(!mask_str) ++ return -ENOMEM; + +- len = snprintf(mask_str, count, "%*pb\n", ++ len = snprintf(mask_str, len, "%*pb\n", + cpumask_pr_args(tr->tracing_cpumask)); + if (len >= count) { + count = -EINVAL; + goto out_err; + } +- count = simple_read_from_buffer(ubuf, count, ppos, mask_str, NR_CPUS+1); ++ count = simple_read_from_buffer(ubuf, count, ppos, mask_str, len); + + out_err: +- mutex_unlock(&tracing_cpumask_update_lock); ++ kfree(mask_str); + + return count; + } +@@ -3434,8 +3427,6 @@ tracing_cpumask_write(struct file *filp, + if (err) + goto err_unlock; + +- mutex_lock(&tracing_cpumask_update_lock); +- + local_irq_disable(); + arch_spin_lock(&tr->max_lock); + for_each_tracing_cpu(cpu) { +@@ -3458,8 +3449,6 @@ tracing_cpumask_write(struct file *filp, + local_irq_enable(); + + cpumask_copy(tr->tracing_cpumask, tracing_cpumask_new); +- +- mutex_unlock(&tracing_cpumask_update_lock); + free_cpumask_var(tracing_cpumask_new); + + return count; diff --git a/queue-4.4/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/queue-4.4/usb-core-prevent-malicious-bnuminterfaces-overflow.patch new file mode 100644 index 00000000000..50c84ad0f51 --- /dev/null +++ b/queue-4.4/usb-core-prevent-malicious-bnuminterfaces-overflow.patch 
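Review bot: Dropping `tracing_cpumask_update_lock` removes more than protection for `mask_str`: the same mutex also ordered `tracing_cpumask_read()` after the `cpumask_copy(tr->tracing_cpumask, tracing_cpumask_new)` in the third hunk, and with it gone a reader can format the mask while it is being rewritten, which on a multi-word bitmap may print a half-old, half-new mask. The commit message describes the lock as only guarding the buffer, so this should either be confirmed acceptable for a debugfs read or noted in a comment such as `/* Unlocked read: a concurrent write may yield a torn mask; output is best-effort. */` above the first `snprintf()`. The two `snprintf()` calls may also see different masks, but the second is bounded by the first's `len`, so the only effect is a truncated line rather than an overflow. Nothing else in the hunk changes the pre-existing `len >= count` handling.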
@@ -0,0 +1,47 @@ +From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 12 Dec 2017 14:25:13 -0500 +Subject: USB: core: prevent malicious bNumInterfaces overflow + +From: Alan Stern + +commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream. + +A malicious USB device with crafted descriptors can cause the kernel +to access unallocated memory by setting the bNumInterfaces value too +high in a configuration descriptor. Although the value is adjusted +during parsing, this adjustment is skipped in one of the error return +paths. + +This patch prevents the problem by setting bNumInterfaces to 0 +initially. The existing code already sets it to the proper value +after parsing is complete. + +Signed-off-by: Alan Stern +Reported-by: Andrey Konovalov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/config.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -521,6 +521,9 @@ static int usb_parse_configuration(struc + unsigned iad_num = 0; + + memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); ++ nintf = nintf_orig = config->desc.bNumInterfaces; ++ config->desc.bNumInterfaces = 0; // Adjusted later ++ + if (config->desc.bDescriptorType != USB_DT_CONFIG || + config->desc.bLength < USB_DT_CONFIG_SIZE || + config->desc.bLength > size) { +@@ -534,7 +537,6 @@ static int usb_parse_configuration(struc + buffer += config->desc.bLength; + size -= config->desc.bLength; + +- nintf = nintf_orig = config->desc.bNumInterfaces; + if (nintf > USB_MAXINTERFACES) { + dev_warn(ddev, "config %d has too many interfaces: %d, " + "using maximum allowed: %d\n", diff --git a/queue-4.4/usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch b/queue-4.4/usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch new file mode 100644 index 00000000000..70d93c27817 --- /dev/null 
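Review bot: The `// Adjusted later` comment on the new `config->desc.bNumInterfaces = 0;` line does not say why zeroing matters, which is the point of the fix: every early error return in usb_parse_configuration leaves `bNumInterfaces` as the value callers later trust to walk `config->interface[]`, so it must not carry the device-supplied count until parsing succeeds. Replacing it with `/* Cleared so an early error return leaves no interfaces for callers to walk; set to the validated count once parsing completes. */` records that, and `/* */` also matches the surrounding file. The assignment of the validated count is outside this hunk, so the comment should point at it rather than restate it.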
+++ b/queue-4.4/usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch 
@@ -0,0 +1,65 @@ +From 62354454625741f0569c2cbe45b2d192f8fd258e Mon Sep 17 00:00:00 2001 +From: David Kozub +Date: Tue, 5 Dec 2017 22:40:04 +0100 +Subject: USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID + +From: David Kozub + +commit 62354454625741f0569c2cbe45b2d192f8fd258e upstream. + +There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails +with the following error: + +[sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE +[sda] tag#0 Sense Key : Illegal Request [current] +[sda] tag#0 Add. Sense: Invalid field in cdb + +The issue occurs both with UAS (occasionally) and mass storage +(immediately after mounting a FS on a disk in the enclosure). + +Enabling US_FL_BROKEN_FUA quirk solves this issue. + +This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure +for both UAS and mass storage. + +Signed-off-by: David Kozub +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 7 +++++++ + drivers/usb/storage/unusual_uas.h | 7 +++++++ + 2 files changed, 14 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2149,6 +2149,13 @@ UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x99 + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_REPORT_OPCODES), + ++/* Reported by David Kozub */ ++UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999, ++ "JMicron", ++ "JMS567", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA), ++ + /* + * Patch by Constantin Baranov + * Report by Andreas Koenecke. 
+--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -141,6 +141,13 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x99 + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES), + ++/* Reported-by: David Kozub */ ++UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999, ++ "JMicron", ++ "JMS567", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA), ++ + /* Reported-by: Hans de Goede */ + UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, + "VIA", diff --git a/queue-4.4/usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch b/queue-4.4/usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch new file mode 100644 index 00000000000..b20bdec31dc --- /dev/null +++ b/queue-4.4/usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch 
@@ -0,0 +1,38 @@ +From be6123df1ea8f01ee2f896a16c2b7be3e4557a5a Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Thu, 7 Dec 2017 14:16:50 -0700 +Subject: usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer + +From: Shuah Khan + +commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a upstream. + +stub_send_ret_submit() handles urb with a potential null transfer_buffer, +when it replays a packet with potential malicious data that could contain +a null buffer. Add a check for the condition when actual_length > 0 and +transfer_buffer is null. + +Reported-by: Secunia Research +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/stub_tx.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/usbip/stub_tx.c ++++ b/drivers/usb/usbip/stub_tx.c +@@ -178,6 +178,13 @@ static int stub_send_ret_submit(struct s + memset(&pdu_header, 0, sizeof(pdu_header)); + memset(&msg, 0, sizeof(msg)); + ++ if (urb->actual_length > 0 && !urb->transfer_buffer) { ++ dev_err(&sdev->udev->dev, ++ "urb: actual_length %d transfer_buffer null\n", ++ urb->actual_length); ++ return -1; ++ } ++ + if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) + iovnum = 2 + urb->number_of_packets; + else -- 2.47.3
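Review bot: The new `dev_err()` in stub_send_ret_submit fires on peer-controlled data, so a remote side that keeps sending such URBs can fill the kernel log; `dev_err_ratelimited(&sdev->udev->dev, "urb: actual_length %d transfer_buffer null\n", urb->actual_length);` keeps the diagnostic without the amplification. The bare `return -1;` also deserves a second look: the loop head that dequeues the priv is above the hunk (the function starts before it), and if the entry has already been taken off the list at this point it is neither freed nor answered, and the tx thread stops without any usbip event being raised, so the connection is left half-alive rather than reset. Raising an error event before returning, for instance `usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);`, would let the existing recovery path clean up; whether that matches the dequeue ordering needs to be confirmed against the code outside the hunk.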