--- /dev/null
+From 4ebd47037027c4beae99680bff3b20fdee5d7c1e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 6 Dec 2020 09:34:56 +0100
+Subject: ALSA: seq: Use bool for snd_seq_queue internal flags
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4ebd47037027c4beae99680bff3b20fdee5d7c1e upstream.
+
+The snd_seq_queue struct contains various flags in the bit fields.
+Those are categorized to two different use cases, both of which are
+protected by different spinlocks. That implies that there are still
+potential risks of the bad operations for bit fields by concurrent
+accesses.
+
+For addressing the problem, this patch rearranges those flags to be
+a standard bool instead of a bit field.
+
+Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083456.21110-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_queue.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_queue.h
++++ b/sound/core/seq/seq_queue.h
+@@ -40,10 +40,10 @@ struct snd_seq_queue {
+
+ struct snd_seq_timer *timer; /* time keeper for this queue */
+ int owner; /* client that 'owns' the timer */
+- unsigned int locked:1, /* timer is only accesibble by owner if set */
+- klocked:1, /* kernel lock (after START) */
+- check_again:1,
+- check_blocked:1;
++ bool locked; /* timer is only accesibble by owner if set */
++ bool klocked; /* kernel lock (after START) */
++ bool check_again; /* concurrent access happened during check */
++ bool check_blocked; /* queue being checked */
+
+ unsigned int flags; /* status flags */
+ unsigned int info_flags; /* info for sync */
--- /dev/null
+From d0ac1a26ed5943127cb0156148735f5f52a07075 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Fri, 27 Nov 2020 07:40:21 +0100
+Subject: media: gp8psk: initialize stats at power control logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit d0ac1a26ed5943127cb0156148735f5f52a07075 upstream.
+
+As reported on:
+ https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.kernel@gmail.com/
+
+if gp8psk_usb_in_op() returns an error, the status var is not
+initialized. Yet, this var is used later on, in order to
+identify:
+ - if the device was already started;
+ - if firmware has loaded;
+ - if the LNBf was powered on.
+
+Using status = 0 seems to ensure that everything will be
+properly powered up.
+
+So, instead of the proposed solution, let's just set
+status = 0.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/gp8psk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/gp8psk.c
++++ b/drivers/media/usb/dvb-usb/gp8psk.c
+@@ -163,7 +163,7 @@ out_rel_fw:
+
+ static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff)
+ {
+- u8 status, buf;
++ u8 status = 0, buf;
+ int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct);
+
+ if (onoff) {
--- /dev/null
+From 31dcb6c30a26d32650ce134820f27de3c675a45a Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Mon, 23 Nov 2020 04:15:34 +0530
+Subject: misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 31dcb6c30a26d32650ce134820f27de3c675a45a upstream.
+
+A kernel-infoleak was reported by syzbot, which was caused because
+dbells was left uninitialized.
+Using kzalloc() instead of kmalloc() fixes this issue.
+
+Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -750,7 +750,7 @@ static int vmci_ctx_get_chkpt_doorbells(
+ return VMCI_ERROR_MORE_DATA;
+ }
+
+- dbells = kmalloc(data_size, GFP_ATOMIC);
++ dbells = kzalloc(data_size, GFP_ATOMIC);
+ if (!dbells)
+ return VMCI_ERROR_NO_MEM;
+
--- /dev/null
+From d24396c5290ba8ab04ba505176874c4e04a2d53c Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+Date: Sun, 1 Nov 2020 06:09:58 -0800
+Subject: reiserfs: add check for an invalid ih_entry_count
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.
+
+when directory item has an invalid value set for ih_entry_count it might
+trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()
+
+ih_entry_count * IH_SIZE for directory item should not be larger than
+ih_item_len
+
+Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
+Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/stree.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -453,6 +453,12 @@ static int is_leaf(char *buf, int blocks
+ "(second one): %h", ih);
+ return 0;
+ }
++ if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
++ reiserfs_warning(NULL, "reiserfs-5093",
++ "item entry count seems wrong %h",
++ ih);
++ return 0;
++ }
+ prev_location = ih_location(ih);
+ }
+
usb-serial-digi_acceleport-fix-write-wakeup-deadlock.patch
uapi-move-constants-from-linux-kernel.h-to-linux-const.h.patch
of-fix-linker-section-match-table-corruption.patch
+reiserfs-add-check-for-an-invalid-ih_entry_count.patch
+misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
+media-gp8psk-initialize-stats-at-power-control-logic.patch
+alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
