--- /dev/null
+From b41c15f4e1c1f1657da15c482fa837c1b7384452 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 7 Oct 2020 10:49:28 +0300
+Subject: ALSA: bebob: potential info leak in hwdep_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b41c15f4e1c1f1657da15c482fa837c1b7384452 upstream.
+
+The "count" variable needs to be capped on every path so that we don't
+copy too much information to the user.
+
+Fixes: 618eabeae711 ("ALSA: bebob: Add hwdep interface")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201007074928.GA2529578@mwanda
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_hwdep.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/firewire/bebob/bebob_hwdep.c
++++ b/sound/firewire/bebob/bebob_hwdep.c
+@@ -36,12 +36,11 @@ hwdep_read(struct snd_hwdep *hwdep, char
+ }
+
+ memset(&event, 0, sizeof(event));
++ count = min_t(long, count, sizeof(event.lock_status));
+ if (bebob->dev_lock_changed) {
+ event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
+ event.lock_status.status = (bebob->dev_lock_count > 0);
+ bebob->dev_lock_changed = false;
+-
+- count = min_t(long, count, sizeof(event.lock_status));
+ }
+
+ spin_unlock_irq(&bebob->lock);
--- /dev/null
+From a6e7d0a4bdb02a7a3ffe0b44aaa8842b7efdd056 Mon Sep 17 00:00:00 2001
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Date: Mon, 12 Oct 2020 13:27:04 +0300
+Subject: ALSA: hda: fix jack detection with Realtek codecs when in D3
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+commit a6e7d0a4bdb02a7a3ffe0b44aaa8842b7efdd056 upstream.
+
+In case HDA controller becomes active, but codec is runtime suspended,
+jack detection is not successful and no interrupt is raised. This has
+been observed with multiple Realtek codecs and HDA controllers from
+different vendors. Bug does not occur if both codec and controller are
+active, or both are in suspend. Bug can be easily hit on desktop systems
+with no built-in speaker.
+
+The problem can be fixed by powering up the codec once after every
+controller runtime resume. Even if codec goes back to suspend later, the
+jack detection will continue to work. Add a flag to 'hda_codec' to
+describe codecs that require this flow from the controller driver.
+Modify __azx_runtime_resume() to use pm_request_resume() to make the
+intent clearer.
+
+Mark all Realtek codecs with the new forced_resume flag.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209379
+Cc: Kailang Yang <kailang@realtek.com>
+Co-developed-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201012102704.794423-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/hda_codec.h | 1 +
+ sound/pci/hda/hda_intel.c | 14 ++++++++------
+ sound/pci/hda/patch_realtek.c | 1 +
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/include/sound/hda_codec.h
++++ b/include/sound/hda_codec.h
+@@ -253,6 +253,7 @@ struct hda_codec {
+ unsigned int force_pin_prefix:1; /* Add location prefix */
+ unsigned int link_down_at_suspend:1; /* link down at runtime suspend */
+ unsigned int relaxed_resume:1; /* don't resume forcibly for jack */
++ unsigned int forced_resume:1; /* forced resume for jack */
+ unsigned int mst_no_extra_pcms:1; /* no backup PCMs for DP-MST */
+
+ #ifdef CONFIG_PM
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1001,12 +1001,14 @@ static void __azx_runtime_resume(struct
+ azx_init_pci(chip);
+ hda_intel_init_chip(chip, true);
+
+- if (status && from_rt) {
+- list_for_each_codec(codec, &chip->bus)
+- if (!codec->relaxed_resume &&
+- (status & (1 << codec->addr)))
+- schedule_delayed_work(&codec->jackpoll_work,
+- codec->jackpoll_interval);
++ if (from_rt) {
++ list_for_each_codec(codec, &chip->bus) {
++ if (codec->relaxed_resume)
++ continue;
++
++ if (codec->forced_resume || (status & (1 << codec->addr)))
++ pm_request_resume(hda_codec_dev(codec));
++ }
+ }
+
+ /* power down again for link-controlled chips */
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1150,6 +1150,7 @@ static int alc_alloc_spec(struct hda_cod
+ codec->single_adc_amp = 1;
+ /* FIXME: do we need this for all Realtek codec models? */
+ codec->spdif_status_reset = 1;
++ codec->forced_resume = 1;
+ codec->patch_ops = alc_patch_ops;
+
+ err = alc_codec_rename_from_preset(codec);
--- /dev/null
+From ce1558c285f9ad04c03b46833a028230771cc0a7 Mon Sep 17 00:00:00 2001
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Date: Tue, 13 Oct 2020 18:26:28 +0300
+Subject: ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+commit ce1558c285f9ad04c03b46833a028230771cc0a7 upstream.
+
+A race exists between closing a PCM and update of ELD data. In
+hdmi_pcm_close(), hinfo->nid value is modified without taking
+spec->pcm_lock. If this happens concurrently while processing an ELD
+update in hdmi_pcm_setup_pin(), converter assignment may be done
+incorrectly.
+
+This bug was found by hitting a WARN_ON in snd_hda_spdif_ctls_assign()
+in a HDMI receiver connection stress test:
+
+[2739.684569] WARNING: CPU: 5 PID: 2090 at sound/pci/hda/patch_hdmi.c:1898 check_non_pcm_per_cvt+0x41/0x50 [snd_hda_codec_hdmi]
+...
+[2739.684707] Call Trace:
+[2739.684720] update_eld+0x121/0x5a0 [snd_hda_codec_hdmi]
+[2739.684736] hdmi_present_sense+0x21e/0x3b0 [snd_hda_codec_hdmi]
+[2739.684750] check_presence_and_report+0x81/0xd0 [snd_hda_codec_hdmi]
+[2739.684842] intel_audio_codec_enable+0x122/0x190 [i915]
+
+Fixes: 42b2987079ec ("ALSA: hda - hdmi playback without monitor in dynamic pcm bind mode")
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201013152628.920764-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2046,22 +2046,25 @@ static int hdmi_pcm_close(struct hda_pcm
+ int pinctl;
+ int err = 0;
+
++ mutex_lock(&spec->pcm_lock);
+ if (hinfo->nid) {
+ pcm_idx = hinfo_to_pcm_index(codec, hinfo);
+- if (snd_BUG_ON(pcm_idx < 0))
+- return -EINVAL;
++ if (snd_BUG_ON(pcm_idx < 0)) {
++ err = -EINVAL;
++ goto unlock;
++ }
+ cvt_idx = cvt_nid_to_cvt_index(codec, hinfo->nid);
+- if (snd_BUG_ON(cvt_idx < 0))
+- return -EINVAL;
++ if (snd_BUG_ON(cvt_idx < 0)) {
++ err = -EINVAL;
++ goto unlock;
++ }
+ per_cvt = get_cvt(spec, cvt_idx);
+-
+ snd_BUG_ON(!per_cvt->assigned);
+ per_cvt->assigned = 0;
+ hinfo->nid = 0;
+
+ azx_stream(get_azx_dev(substream))->stripe = 0;
+
+- mutex_lock(&spec->pcm_lock);
+ snd_hda_spdif_ctls_unassign(codec, pcm_idx);
+ clear_bit(pcm_idx, &spec->pcm_in_use);
+ pin_idx = hinfo_to_pin_index(codec, hinfo);
+@@ -2091,10 +2094,11 @@ static int hdmi_pcm_close(struct hda_pcm
+ per_pin->setup = false;
+ per_pin->channels = 0;
+ mutex_unlock(&per_pin->lock);
+- unlock:
+- mutex_unlock(&spec->pcm_lock);
+ }
+
++unlock:
++ mutex_unlock(&spec->pcm_lock);
++
+ return err;
+ }
+
--- /dev/null
+From f3277cbfba763cd2826396521b9296de67cf1bbc Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@google.com>
+Date: Fri, 9 Oct 2020 16:24:55 -0700
+Subject: binder: fix UAF when releasing todo list
+
+From: Todd Kjos <tkjos@google.com>
+
+commit f3277cbfba763cd2826396521b9296de67cf1bbc upstream.
+
+When releasing a thread todo list when tearing down
+a binder_proc, the following race was possible which
+could result in a use-after-free:
+
+1. Thread 1: enter binder_release_work from binder_thread_release
+2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
+3. Thread 2: dec nodeA --> 0 (will free node)
+4. Thread 1: ACQ inner_proc_lock
+5. Thread 2: block on inner_proc_lock
+6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
+7. Thread 1: REL inner_proc_lock
+8. Thread 2: ACQ inner_proc_lock
+9. Thread 2: todo list cleanup, but work was already dequeued
+10. Thread 2: free node
+11. Thread 2: REL inner_proc_lock
+12. Thread 1: deref w->type (UAF)
+
+The problem was that for a BINDER_WORK_NODE, the binder_work element
+must not be accessed after releasing the inner_proc_lock while
+processing the todo list elements since another thread might be
+handling a deref on the node containing the binder_work element
+leading to the node being freed.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com
+Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 35 ++++++++++-------------------------
+ 1 file changed, 10 insertions(+), 25 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -223,7 +223,7 @@ static struct binder_transaction_log_ent
+ struct binder_work {
+ struct list_head entry;
+
+- enum {
++ enum binder_work_type {
+ BINDER_WORK_TRANSACTION = 1,
+ BINDER_WORK_TRANSACTION_COMPLETE,
+ BINDER_WORK_RETURN_ERROR,
+@@ -885,27 +885,6 @@ static struct binder_work *binder_dequeu
+ return w;
+ }
+
+-/**
+- * binder_dequeue_work_head() - Dequeues the item at head of list
+- * @proc: binder_proc associated with list
+- * @list: list to dequeue head
+- *
+- * Removes the head of the list if there are items on the list
+- *
+- * Return: pointer dequeued binder_work, NULL if list was empty
+- */
+-static struct binder_work *binder_dequeue_work_head(
+- struct binder_proc *proc,
+- struct list_head *list)
+-{
+- struct binder_work *w;
+-
+- binder_inner_proc_lock(proc);
+- w = binder_dequeue_work_head_ilocked(list);
+- binder_inner_proc_unlock(proc);
+- return w;
+-}
+-
+ static void
+ binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
+ static void binder_free_thread(struct binder_thread *thread);
+@@ -4587,13 +4566,17 @@ static void binder_release_work(struct b
+ struct list_head *list)
+ {
+ struct binder_work *w;
++ enum binder_work_type wtype;
+
+ while (1) {
+- w = binder_dequeue_work_head(proc, list);
++ binder_inner_proc_lock(proc);
++ w = binder_dequeue_work_head_ilocked(list);
++ wtype = w ? w->type : 0;
++ binder_inner_proc_unlock(proc);
+ if (!w)
+ return;
+
+- switch (w->type) {
++ switch (wtype) {
+ case BINDER_WORK_TRANSACTION: {
+ struct binder_transaction *t;
+
+@@ -4627,9 +4610,11 @@ static void binder_release_work(struct b
+ kfree(death);
+ binder_stats_deleted(BINDER_STAT_DEATH);
+ } break;
++ case BINDER_WORK_NODE:
++ break;
+ default:
+ pr_err("unexpected work type, %d, not freed\n",
+- w->type);
++ wtype);
+ break;
+ }
+ }
can-m_can_platform-don-t-call-m_can_class_suspend-in-runtime-suspend.patch
can-j1935-j1939_tp_tx_dat_new-fix-missing-initialization-of-skbcnt.patch
net-j1939-j1939_session_fresh_new-fix-missing-initialization-of-skbcnt.patch
+binder-fix-uaf-when-releasing-todo-list.patch
+alsa-bebob-potential-info-leak-in-hwdep_read.patch
+alsa-hda-fix-jack-detection-with-realtek-codecs-when-in-d3.patch
+alsa-hda-hdmi-fix-incorrect-locking-in-hdmi_pcm_close.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
