--- /dev/null
+From 113ce08109f8e3b091399e7cc32486df1cff48e7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 25 Mar 2019 10:38:58 +0100
+Subject: ALSA: pcm: Don't suspend stream in unrecoverable PCM state
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 113ce08109f8e3b091399e7cc32486df1cff48e7 upstream.
+
+Currently PCM core sets each opened stream forcibly to SUSPENDED state
+via snd_pcm_suspend_all() call, and the user-space is responsible for
+re-triggering the resume manually either via snd_pcm_resume() or
+prepare call. The scheme works fine usually, but there are corner
+cases where the stream can't be resumed by that call: the streams
+still in OPEN state before finishing hw_params. When they are
+suspended, user-space cannot perform resume or prepare because they
+haven't been set up yet. The only possible recovery is to re-open the
+device, which isn't nice at all. Similarly, when a stream is in
+DISCONNECTED state, it makes no sense to change it to SUSPENDED
+state. Ditto for in SETUP state; which you can re-prepare directly.
+
+So, this patch addresses these issues by filtering the PCM streams to
+be suspended by checking the PCM state. When a stream is in either
+OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend
+action is skipped.
+
+To be noted, this problem was originally reported for the PCM runtime
+PM on HD-audio. And, the runtime PM problem itself was already
+addressed (although not intended) by the code refactoring commits
+3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM
+ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous
+snd_pcm_suspend*() calls"). These commits eliminated the
+snd_pcm_suspend*() calls from the runtime PM suspend callback code
+path, hence the racy OPEN state won't appear while runtime PM.
+(FWIW, the race window is between snd_pcm_open_substream() and the
+first power up in azx_pcm_open().)
+
+Although the runtime PM issue was already "fixed", the same problem is
+still present for the system PM, hence this patch is still needed.
+And for stable trees, this patch alone should suffice for fixing the
+runtime PM problem, too.
+
+Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_native.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -1258,8 +1258,15 @@ static int snd_pcm_pause(struct snd_pcm_
+ static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state)
+ {
+ struct snd_pcm_runtime *runtime = substream->runtime;
+- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
++ switch (runtime->status->state) {
++ case SNDRV_PCM_STATE_SUSPENDED:
+ return -EBUSY;
++ /* unresumable PCM state; return -EBUSY for skipping suspend */
++ case SNDRV_PCM_STATE_OPEN:
++ case SNDRV_PCM_STATE_SETUP:
++ case SNDRV_PCM_STATE_DISCONNECTED:
++ return -EBUSY;
++ }
+ runtime->trigger_master = substream;
+ return 0;
+ }
--- /dev/null
+From ca0214ee2802dd47239a4e39fb21c5b00ef61b22 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 22 Mar 2019 16:00:54 +0100
+Subject: ALSA: pcm: Fix possible OOB access in PCM oss plugins
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 upstream.
+
+The PCM OSS emulation converts and transfers the data on the fly via
+"plugins". The data is converted over the dynamically allocated
+buffer for each plugin, and recently syzkaller caught OOB in this
+flow.
+
+Although the bisection by syzbot pointed out to the commit
+65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer
+allocations"), this is merely a commit to replace vmalloc() with
+kvmalloc(), hence it can't be the cause. The further debug action
+revealed that this happens in the case where a slave PCM doesn't
+support only the stereo channels while the OSS stream is set up for a
+mono channel. Below is a brief explanation:
+
+At each OSS parameter change, the driver sets up the PCM hw_params
+again in snd_pcm_oss_change_params_lock(). This is also the place
+where plugins are created and local buffers are allocated. The
+problem is that the plugins are created before the final hw_params is
+determined. Namely, two snd_pcm_hw_param_near() calls for setting the
+period size and periods may influence on the final result of channels,
+rates, etc, too, while the current code has already created plugins
+beforehand with the premature values. So, the plugin believes that
+channels=1, while the actual I/O is with channels=2, which makes the
+driver reading/writing over the allocated buffer size.
+
+The fix is simply to move the plugin allocation code after the final
+hw_params call.
+
+Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c | 43 ++++++++++++++++++++++---------------------
+ 1 file changed, 22 insertions(+), 21 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -951,6 +951,28 @@ static int snd_pcm_oss_change_params_loc
+ oss_frame_size = snd_pcm_format_physical_width(params_format(params)) *
+ params_channels(params) / 8;
+
++ err = snd_pcm_oss_period_size(substream, params, sparams);
++ if (err < 0)
++ goto failure;
++
++ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
++ if (err < 0)
++ goto failure;
++
++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
++ runtime->oss.periods, NULL);
++ if (err < 0)
++ goto failure;
++
++ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
++
++ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams);
++ if (err < 0) {
++ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
++ goto failure;
++ }
++
+ #ifdef CONFIG_SND_PCM_OSS_PLUGINS
+ snd_pcm_oss_plugin_clear(substream);
+ if (!direct) {
+@@ -985,27 +1007,6 @@ static int snd_pcm_oss_change_params_loc
+ }
+ #endif
+
+- err = snd_pcm_oss_period_size(substream, params, sparams);
+- if (err < 0)
+- goto failure;
+-
+- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
+- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
+- if (err < 0)
+- goto failure;
+-
+- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
+- runtime->oss.periods, NULL);
+- if (err < 0)
+- goto failure;
+-
+- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
+-
+- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) {
+- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
+- goto failure;
+- }
+-
+ if (runtime->oss.trigger) {
+ sw_params->start_threshold = 1;
+ } else {
--- /dev/null
+From 2b1d9c8f87235f593826b9cf46ec10247741fff9 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 20 Mar 2019 16:15:24 -0500
+Subject: ALSA: rawmidi: Fix potential Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream.
+
+info->stream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap)
+
+Fix this by sanitizing info->stream before using it to index
+rmidi->streams.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -29,6 +29,7 @@
+ #include <linux/mutex.h>
+ #include <linux/module.h>
+ #include <linux/delay.h>
++#include <linux/nospec.h>
+ #include <sound/rawmidi.h>
+ #include <sound/info.h>
+ #include <sound/control.h>
+@@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(str
+ return -ENXIO;
+ if (info->stream < 0 || info->stream > 1)
+ return -EINVAL;
++ info->stream = array_index_nospec(info->stream, 2);
+ pstr = &rmidi->streams[info->stream];
+ if (pstr->substream_count == 0)
+ return -ENOENT;
--- /dev/null
+From c709f14f0616482b67f9fbcb965e1493a03ff30b Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 20 Mar 2019 18:42:01 -0500
+Subject: ALSA: seq: oss: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream.
+
+dev is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)
+
+Fix this by sanitizing dev before using it to index dp->synths.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/oss/seq_oss_synth.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/core/seq/oss/seq_oss_synth.c
++++ b/sound/core/seq/oss/seq_oss_synth.c
+@@ -617,13 +617,14 @@ int
+ snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
+ {
+ struct seq_oss_synth *rec;
++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
+
+- if (dev < 0 || dev >= dp->max_synthdev)
++ if (!info)
+ return -ENXIO;
+
+- if (dp->synths[dev].is_midi) {
++ if (info->is_midi) {
+ struct midi_info minf;
+- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
++ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
+ inf->synth_type = SYNTH_TYPE_MIDI;
+ inf->synth_subtype = 0;
+ inf->nr_voices = 16;
powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch
nfsv4.1-don-t-free-interrupted-slot-on-open.patch
net-dsa-qca8k-remove-leftover-phy-accessors.patch
+alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch
+alsa-seq-oss-fix-spectre-v1-vulnerability.patch
+alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch
+alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
