From: Greg Kroah-Hartman Date: Sat, 5 Jan 2019 08:35:06 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.9.149~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=199205774df4fe196065c5a6bb016158d673ea1f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch alsa-fireface-fix-for-state-to-fetch-pcm-frames.patch alsa-firewire-lib-fix-wrong-assignment-for-out_packet_without_header-tracepoint.patch alsa-firewire-lib-fix-wrong-handling-payload_length-as-payload_quadlet.patch alsa-firewire-lib-use-the-same-print-format-for-without_header-tracepoints.patch alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch alsa-hda-realtek-enable-audio-jacks-of-asus-ux391ua-with-alc294.patch alsa-hda-tegra-clear-pending-irq-handlers.patch alsa-pcm-fix-potential-spectre-v1-vulnerability.patch alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch mtd-atmel-quadspi-disallow-building-on-ebsa110.patch usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch usb-serial-option-add-fibocom-nl678-series.patch usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch --- diff --git a/queue-4.14/alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.14/alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch new file mode 100644 index 00000000000..300585c5255 --- /dev/null +++ b/queue-4.14/alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch 
@@ -0,0 +1,62 @@ +From 5ae4f61f012a097df93de2285070ec8e34716d29 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 18 Dec 2018 11:52:16 -0600 +Subject: ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities + +From: Gustavo A. R. Silva + +commit 5ae4f61f012a097df93de2285070ec8e34716d29 upstream. + +ipcm->substream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/pci/emu10k1/emufx.c:1031 snd_emu10k1_ipcm_poke() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap) +sound/pci/emu10k1/emufx.c:1075 snd_emu10k1_ipcm_peek() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap) + +Fix this by sanitizing ipcm->substream before using it to index emu->fx8010.pcm + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/emu10k1/emufx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1033,6 +1034,8 @@ static int snd_emu10k1_ipcm_poke(struct + + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT) + return -EINVAL; ++ ipcm->substream = array_index_nospec(ipcm->substream, ++ EMU10K1_FX8010_PCM_COUNT); + if (ipcm->channels > 32) + return -EINVAL; + pcm = &emu->fx8010.pcm[ipcm->substream]; +@@ -1079,6 +1082,8 @@ static int snd_emu10k1_ipcm_peek(struct + + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT) + return -EINVAL; ++ ipcm->substream = array_index_nospec(ipcm->substream, ++ EMU10K1_FX8010_PCM_COUNT); + pcm = &emu->fx8010.pcm[ipcm->substream]; + mutex_lock(&emu->fx8010.lock); + spin_lock_irq(&emu->reg_lock); diff --git a/queue-4.14/alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.14/alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch new file mode 100644 index 00000000000..3eded9009f1 --- /dev/null +++ b/queue-4.14/alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch 
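Review bot: Both added clamps depend on the `>= EMU10K1_FX8010_PCM_COUNT` test directly above them, and nothing in snd_emu10k1_ipcm_poke() or snd_emu10k1_ipcm_peek() records that dependency. array_index_nospec() only bounds the index on the speculative path and yields 0 for an out-of-range value, so it does not replace the architectural check. A short comment such as `/* bounds-checked above; clamp again for the speculative path */` would keep each pair together if the checks are later reordered. The same applies to the info.mode and info.port clamps in snd_emux_hwdep_misc_mode() in the emux patch that follows. Both function bodies continue outside their hunks.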
@@ -0,0 +1,69 @@ +From 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 12 Dec 2018 11:20:49 -0600 +Subject: ALSA: emux: Fix potential Spectre v1 vulnerabilities + +From: Gustavo A. R. Silva + +commit 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 upstream. + +info.mode and info.port are indirectly controlled by user-space, +hence leading to a potential exploitation of the Spectre variant 1 +vulnerability. + +These issues were detected with the help of Smatch: + +sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap) +sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap) +sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap) + +Fix this by sanitizing both info.mode and info.port before using them +to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and +emu->portptrs. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. 
Silva +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/synth/emux/emux_hwdep.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/synth/emux/emux_hwdep.c ++++ b/sound/synth/emux/emux_hwdep.c +@@ -22,9 +22,9 @@ + #include + #include + #include ++#include + #include "emux_voice.h" + +- + #define TMP_CLIENT_ID 0x1001 + + /* +@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux + return -EFAULT; + if (info.mode < 0 || info.mode >= EMUX_MD_END) + return -EINVAL; ++ info.mode = array_index_nospec(info.mode, EMUX_MD_END); + + if (info.port < 0) { + for (i = 0; i < emu->num_ports; i++) + emu->portptrs[i]->ctrls[info.mode] = info.value; + } else { +- if (info.port < emu->num_ports) ++ if (info.port < emu->num_ports) { ++ info.port = array_index_nospec(info.port, emu->num_ports); + emu->portptrs[info.port]->ctrls[info.mode] = info.value; ++ } + } + return 0; + } diff --git a/queue-4.14/alsa-fireface-fix-for-state-to-fetch-pcm-frames.patch b/queue-4.14/alsa-fireface-fix-for-state-to-fetch-pcm-frames.patch new file mode 100644 index 00000000000..97fbebe8755 --- /dev/null +++ b/queue-4.14/alsa-fireface-fix-for-state-to-fetch-pcm-frames.patch 
@@ -0,0 +1,37 @@ +From 3d16200a3e55a39caa1c88419cb559c00316f721 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sat, 15 Dec 2018 19:06:48 +0900 +Subject: ALSA: fireface: fix for state to fetch PCM frames + +From: Takashi Sakamoto + +commit 3d16200a3e55a39caa1c88419cb559c00316f721 upstream. + +According to my memo at hand and saved records, writing 0x00000001 to +SND_FF_REG_FETCH_PCM_FRAMES disables fetching PCM frames in corresponding +channel, however current implement uses reversed logic. This results in +muted volume in device side during playback. + +This commit corrects the bug. + +Cc: # v4.12+ +Fixes: 76fdb3a9e13a ('ALSA: fireface: add support for Fireface 400') +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/fireface/ff-protocol-ff400.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/fireface/ff-protocol-ff400.c ++++ b/sound/firewire/fireface/ff-protocol-ff400.c +@@ -152,7 +152,7 @@ static int ff400_switch_fetching_mode(st + if (reg == NULL) + return -ENOMEM; + +- if (enable) { ++ if (!enable) { + /* + * Each quadlet is corresponding to data channels in a data + * blocks in reverse order. Precisely, quadlets for available diff --git a/queue-4.14/alsa-firewire-lib-fix-wrong-assignment-for-out_packet_without_header-tracepoint.patch b/queue-4.14/alsa-firewire-lib-fix-wrong-assignment-for-out_packet_without_header-tracepoint.patch new file mode 100644 index 00000000000..f7c885e03d2 --- /dev/null +++ b/queue-4.14/alsa-firewire-lib-fix-wrong-assignment-for-out_packet_without_header-tracepoint.patch 
@@ -0,0 +1,36 @@ +From aa9a9e39b4f65733bf19d90cbd026e85a74efb99 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sat, 15 Dec 2018 19:03:20 +0900 +Subject: ALSA: firewire-lib: fix wrong assignment for 'out_packet_without_header' tracepoint + +From: Takashi Sakamoto + +commit aa9a9e39b4f65733bf19d90cbd026e85a74efb99 upstream. + +An initial commit to add tracepoints for packets without CIP headers +introduces a wrong assignment to 'data_blocks' value of +'out_packet_without_header' tracepoint. + +This commit fixes the bug. + +Cc: # v4.12+ +Fixes: b164d2fd6e49 ('ALSA: firewire_lib: add tracepoints for packets without CIP headers') +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/amdtp-stream-trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/amdtp-stream-trace.h ++++ b/sound/firewire/amdtp-stream-trace.h +@@ -169,7 +169,7 @@ TRACE_EVENT(out_packet_without_header, + __entry->dest = fw_parent_device(s->unit)->node_id; + __entry->payload_quadlets = payload_length / 4; + __entry->data_blocks = data_blocks, +- __entry->data_blocks = s->data_block_counter, ++ __entry->data_block_counter = s->data_block_counter, + __entry->packet_index = s->packet_index; + __entry->irq = !!in_interrupt(); + __entry->index = index; diff --git a/queue-4.14/alsa-firewire-lib-fix-wrong-handling-payload_length-as-payload_quadlet.patch b/queue-4.14/alsa-firewire-lib-fix-wrong-handling-payload_length-as-payload_quadlet.patch new file mode 100644 index 00000000000..a477aa9fa3e --- /dev/null +++ b/queue-4.14/alsa-firewire-lib-fix-wrong-handling-payload_length-as-payload_quadlet.patch 
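Review bot: The corrected assignment still ends in `,` rather than `;`, as does the `__entry->data_blocks = data_blocks,` context line above it, so three assignments in the out_packet_without_header tracepoint are chained by the comma operator. The resulting stores are the same, but the form is inconsistent with the surrounding `;`-terminated lines and makes this list harder to review. I would end both with a semicolon while touching the line: `__entry->data_block_counter = s->data_block_counter;`. The TRACE_EVENT body starts and ends outside the hunk.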
@@ -0,0 +1,49 @@ +From ada79fa5a0b374dd2c2262137c734da7524a8263 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sat, 15 Dec 2018 19:03:19 +0900 +Subject: ALSA: firewire-lib: fix wrong handling payload_length as payload_quadlet + +From: Takashi Sakamoto + +commit ada79fa5a0b374dd2c2262137c734da7524a8263 upstream. + +In IEC 61883-1/6 engine of ALSA firewire stack, a packet handler has a +second argument for 'the number of bytes in payload of isochronous +packet'. However, an incoming packet handler without CIP header uses the +value as 'the number of quadlets in the payload'. This brings userspace +applications to receive the number of PCM frames as four times against +real time. + +This commit fixes the bug. + +Cc: # v4.12+ +Fixes: 3b196c394dd ('ALSA: firewire-lib: add no-header packet processing') +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/amdtp-stream.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -629,15 +629,17 @@ end: + } + + static int handle_in_packet_without_header(struct amdtp_stream *s, +- unsigned int payload_quadlets, unsigned int cycle, ++ unsigned int payload_length, unsigned int cycle, + unsigned int index) + { + __be32 *buffer; ++ unsigned int payload_quadlets; + unsigned int data_blocks; + struct snd_pcm_substream *pcm; + unsigned int pcm_frames; + + buffer = s->buffer.packets[s->packet_index].buffer; ++ payload_quadlets = payload_length / 4; + data_blocks = payload_quadlets / s->data_block_quadlets; + + trace_in_packet_without_header(s, cycle, payload_quadlets, data_blocks, diff --git a/queue-4.14/alsa-firewire-lib-use-the-same-print-format-for-without_header-tracepoints.patch b/queue-4.14/alsa-firewire-lib-use-the-same-print-format-for-without_header-tracepoints.patch new file mode 100644 index 00000000000..e815fdf911d --- /dev/null 
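Review bot: The new `payload_quadlets = payload_length / 4;` silently drops any remainder, so a payload whose byte count is not a multiple of four is processed as if it were shorter. payload_length describes a received packet, so it is worth deciding whether that case should be rejected or at least commented on. Writing the divisor as `sizeof(__be32)` would tie it to the `__be32 *buffer` declared just above. The following `payload_quadlets / s->data_block_quadlets` also relies on data_block_quadlets being non-zero, which is established outside this hunk and should be confirmed. The function body continues past the hunk.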
+++ b/queue-4.14/alsa-firewire-lib-use-the-same-print-format-for-without_header-tracepoints.patch @@ -0,0 +1,36 @@ +From 5ef108c53e6efd695e32aad969638ccbc35b4be9 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sat, 15 Dec 2018 19:03:21 +0900 +Subject: ALSA: firewire-lib: use the same print format for 'without_header' tracepoints + +From: Takashi Sakamoto + +commit 5ef108c53e6efd695e32aad969638ccbc35b4be9 upstream. + +An initial commit to add tracepoints for packets without CIP headers +uses different print formats for added tracepoints. However this is not +convenient for users/developers to prepare debug tools. + +This commit uses the same format for the two tracepoints. + +Cc: # v4.12+ +Fixes: b164d2fd6e49 ('ALSA: firewire_lib: add tracepoints for packets without CIP headers') +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/amdtp-stream-trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/amdtp-stream-trace.h ++++ b/sound/firewire/amdtp-stream-trace.h +@@ -131,7 +131,7 @@ TRACE_EVENT(in_packet_without_header, + __entry->index = index; + ), + TP_printk( +- "%02u %04u %04x %04x %02d %03u %3u %3u %02u %01u %02u", ++ "%02u %04u %04x %04x %02d %03u %02u %03u %02u %01u %02u", + __entry->second, + __entry->cycle, + __entry->src, diff --git a/queue-4.14/alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch b/queue-4.14/alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch new file mode 100644 index 00000000000..195864436de --- /dev/null +++ b/queue-4.14/alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch 
@@ -0,0 +1,36 @@ +From 40906ebe3af6a48457151b3c6726b480f6a6cb13 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= +Date: Sun, 16 Dec 2018 15:44:47 +0200 +Subject: ALSA: hda: add mute LED support for HP EliteBook 840 G4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mantas Mikulėnas + +commit 40906ebe3af6a48457151b3c6726b480f6a6cb13 upstream. + +Tested with 4.19.9. + +v2: Changed from CXT_FIXUP_MUTE_LED_GPIO to CXT_FIXUP_HP_DOCK because + that's what the existing fixups for EliteBooks use. + +Signed-off-by: Mantas Mikulėnas +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -961,6 +961,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), diff --git a/queue-4.14/alsa-hda-realtek-enable-audio-jacks-of-asus-ux391ua-with-alc294.patch b/queue-4.14/alsa-hda-realtek-enable-audio-jacks-of-asus-ux391ua-with-alc294.patch new file mode 100644 index 00000000000..e38b886a217 --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-enable-audio-jacks-of-asus-ux391ua-with-alc294.patch 
@@ -0,0 +1,36 @@ +From 9cf6533e8060d3896b88ea14b27f620e6504b84b Mon Sep 17 00:00:00 2001 +From: Wandrille RONCE +Date: Wed, 19 Dec 2018 14:52:44 +0100 +Subject: ALSA: hda/realtek: Enable audio jacks of ASUS UX391UA with ALC294 + +From: Wandrille RONCE + +commit 9cf6533e8060d3896b88ea14b27f620e6504b84b upstream. + +By default, there is no sound on Asus UX391UA on Linux. + +This patch adds sound support on Asus UX391UA. Tested working by three +different users. + +The problem has also been described at +https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1784485 + +Signed-off-by: Wandrille RONCE +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6378,6 +6378,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK), + SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), diff --git a/queue-4.14/alsa-hda-tegra-clear-pending-irq-handlers.patch b/queue-4.14/alsa-hda-tegra-clear-pending-irq-handlers.patch new file mode 100644 index 00000000000..de68b5b334b --- /dev/null +++ b/queue-4.14/alsa-hda-tegra-clear-pending-irq-handlers.patch 
@@ -0,0 +1,43 @@ +From 63d2a9ec310d8bcc955574220d4631aa55c1a80c Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Wed, 26 Dec 2018 16:04:49 +0530 +Subject: ALSA: hda/tegra: clear pending irq handlers + +From: Sameer Pujar + +commit 63d2a9ec310d8bcc955574220d4631aa55c1a80c upstream. + +Even after disabling interrupts on the module, it could be possible +that irq handlers are still running. System hang is seen during +suspend path. It was found that, there were pending writes on the +HDA bus and clock was disabled by that time. + +Above mentioned issue is fixed by clearing any pending irq handlers +before disabling clocks and returning from hda suspend. + +Suggested-by: Mohan Kumar +Suggested-by: Dara Ramesh +Signed-off-by: Sameer Pujar +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_tegra.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/hda_tegra.c ++++ b/sound/pci/hda/hda_tegra.c +@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct devi + struct snd_card *card = dev_get_drvdata(dev); + struct azx *chip = card->private_data; + struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip); ++ struct hdac_bus *bus = azx_bus(chip); + + snd_power_change_state(card, SNDRV_CTL_POWER_D3hot); + + azx_stop_chip(chip); ++ synchronize_irq(bus->irq); + azx_enter_link_reset(chip); + hda_tegra_disable_clocks(hda); + diff --git a/queue-4.14/alsa-pcm-fix-potential-spectre-v1-vulnerability.patch b/queue-4.14/alsa-pcm-fix-potential-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..c8332b07cdd --- /dev/null +++ b/queue-4.14/alsa-pcm-fix-potential-spectre-v1-vulnerability.patch 
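Review bot: The added `synchronize_irq(bus->irq);` is only correct in its current position, after azx_stop_chip() and before hda_tegra_disable_clocks(), but nothing in the code says so. A one-line comment would keep a later reordering from reintroducing the hang described in the commit message, for example `/* wait for running handlers before the clocks are disabled */`. The call is also unconditional, so it assumes bus->irq holds a valid, requested interrupt whenever suspend runs; that is set up outside this hunk and is worth confirming. hda_tegra_suspend() continues outside the hunk.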
@@ -0,0 +1,51 @@ +From 94ffb030b6d31ec840bb811be455dd2e26a4f43e Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 12 Dec 2018 15:36:28 -0600 +Subject: ALSA: pcm: Fix potential Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit 94ffb030b6d31ec840bb811be455dd2e26a4f43e upstream. + +stream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap) + +Fix this by sanitizing stream before using it to index pcm->streams + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -129,6 +130,7 @@ static int snd_pcm_control_ioctl(struct + return -EFAULT; + if (stream < 0 || stream > 1) + return -EINVAL; ++ stream = array_index_nospec(stream, 2); + if (get_user(subdevice, &info->subdevice)) + return -EFAULT; + mutex_lock(®ister_mutex); diff --git a/queue-4.14/alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch b/queue-4.14/alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..12be992eb11 --- /dev/null +++ b/queue-4.14/alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch 
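Review bot: The clamp `array_index_nospec(stream, 2)` and the check `stream > 1` above it encode the same bound as two different literals, so a change to one can silently leave the other stale and the clamp too wide or too narrow. Deriving both from the stream enum keeps them in step: `if (stream < 0 || stream > SNDRV_PCM_STREAM_LAST)` and `stream = array_index_nospec(stream, SNDRV_PCM_STREAM_LAST + 1);`. snd_pcm_control_ioctl() starts and ends outside this hunk.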
@@ -0,0 +1,71 @@ +From 0b84304ef5da92add8dc75a1b07879c5374cdb05 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 18 Dec 2018 11:18:34 -0600 +Subject: ALSA: rme9652: Fix potential Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit 0b84304ef5da92add8dc75a1b07879c5374cdb05 upstream. + +info->channel is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap) + +Fix this by sanitizing info->channel before using it to index hdsp->channel_map + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +Also, notice that I refactored the code a bit in order to get rid of the +following checkpatch warning: + +ERROR: do not use assignment in if condition +FILE: sound/pci/rme9652/hdsp.c:4103: + if ((mapped_channel = hdsp->channel_map[info->channel]) < 0) + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/rme9652/hdsp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -4092,15 +4093,16 @@ static int snd_hdsp_channel_info(struct + struct snd_pcm_channel_info *info) + { + struct hdsp *hdsp = snd_pcm_substream_chip(substream); +- int mapped_channel; ++ unsigned int channel = info->channel; + +- if (snd_BUG_ON(info->channel >= hdsp->max_channels)) ++ if (snd_BUG_ON(channel >= hdsp->max_channels)) + return -EINVAL; ++ channel = array_index_nospec(channel, hdsp->max_channels); + +- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0) ++ if (hdsp->channel_map[channel] < 0) + return -EINVAL; + +- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES; ++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES; + info->first = 0; + info->step = 32; + return 0; diff --git a/queue-4.14/ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch b/queue-4.14/ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch new file mode 100644 index 00000000000..ff0d2d10de7 --- /dev/null +++ b/queue-4.14/ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch 
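Review bot: The bounds test in snd_hdsp_channel_info() stays wrapped in `snd_BUG_ON()`, although the commit message states that info->channel is controlled by user-space. In builds where snd_BUG_ON() expands to a warning, an out-of-range value from an unprivileged caller produces a kernel warning and stack trace on demand, and a panic where panic_on_warn is set. An ordinary check expresses the intent better for input validation: `if (channel >= hdsp->max_channels)` followed by `return -EINVAL;`. The refactor also reads `hdsp->channel_map[channel]` twice where the old code cached it; that is harmless if the map is not changed concurrently, which is not visible here.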
@@ -0,0 +1,56 @@ +From dbc2970caef74e8ff41923d302aa6fb5a4812d0e Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Wed, 28 Nov 2018 10:19:36 -0800 +Subject: IB/hfi1: Incorrect sizing of sge for PIO will OOPs + +From: Michael J. Ruhl + +commit dbc2970caef74e8ff41923d302aa6fb5a4812d0e upstream. + +An incorrect sge sizing in the HFI PIO path will cause an OOPs similar to +this: + +BUG: unable to handle kernel NULL pointer dereference at (null) +IP: [] hfi1_verbs_send_pio+0x3d8/0x530 [hfi1] +PGD 0 +Oops: 0000 1 SMP + Call Trace: + ? hfi1_verbs_send_dma+0xad0/0xad0 [hfi1] + hfi1_verbs_send+0xdf/0x250 [hfi1] + ? make_rc_ack+0xa80/0xa80 [hfi1] + hfi1_do_send+0x192/0x430 [hfi1] + hfi1_do_send_from_rvt+0x10/0x20 [hfi1] + rvt_post_send+0x369/0x820 [rdmavt] + ib_uverbs_post_send+0x317/0x570 [ib_uverbs] + ib_uverbs_write+0x26f/0x420 [ib_uverbs] + ? security_file_permission+0x21/0xa0 + vfs_write+0xbd/0x1e0 + ? mntput+0x24/0x40 + SyS_write+0x7f/0xe0 + system_call_fastpath+0x16/0x1b + +Fix by adding the missing sizing check to correctly determine the sge +length. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/hfi1/verbs.c ++++ b/drivers/infiniband/hw/hfi1/verbs.c +@@ -1123,6 +1123,8 @@ int hfi1_verbs_send_pio(struct rvt_qp *q + + if (slen > len) + slen = len; ++ if (slen > ss->sge.sge_length) ++ slen = ss->sge.sge_length; + rvt_update_sge(ss, slen, false); + seg_pio_copy_mid(pbuf, addr, slen); + len -= slen; diff --git a/queue-4.14/mtd-atmel-quadspi-disallow-building-on-ebsa110.patch b/queue-4.14/mtd-atmel-quadspi-disallow-building-on-ebsa110.patch new file mode 100644 index 00000000000..86b7da91e3d --- /dev/null +++ b/queue-4.14/mtd-atmel-quadspi-disallow-building-on-ebsa110.patch 
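Review bot: The new clamp can set slen to 0 when `ss->sge.sge_length` is 0, and the visible `len -= slen` then makes no progress. If the enclosing loop, which is outside this hunk, runs until len reaches zero, that case would spin instead of failing. Whether rvt_update_sge() guarantees a non-zero sge_length on the next pass cannot be seen here, so I would either state that invariant in a comment next to the clamp or leave the loop with an error when slen is 0. hfi1_verbs_send_pio() starts and ends outside the hunk.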
@@ -0,0 +1,46 @@ +From 2a9d92fb3a1282a4659f1bb6d5684018846537b7 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 10 Dec 2018 21:38:16 +0100 +Subject: mtd: atmel-quadspi: disallow building on ebsa110 + +From: Arnd Bergmann + +commit 2a9d92fb3a1282a4659f1bb6d5684018846537b7 upstream. + +I ran into a link-time error with the atmel-quadspi driver on the +EBSA110 platform: + +drivers/mtd/built-in.o: In function `atmel_qspi_run_command': +:(.text+0x1ee3c): undefined reference to `_memcpy_toio' +:(.text+0x1ee48): undefined reference to `_memcpy_fromio' + +The problem is that _memcpy_toio/_memcpy_fromio are not available on +that platform, and we have to prevent building the driver there. + +In case we want to backport this to older kernels: between linux-4.8 +and linux-4.20, the Kconfig entry was in drivers/mtd/spi-nor/Kconfig +but had the same problem. + +Link: https://lore.kernel.org/patchwork/patch/812860/ +Fixes: 161aaab8a067 ("mtd: atmel-quadspi: add driver for Atmel QSPI controller") +Signed-off-by: Arnd Bergmann +Reviewed-by: Boris Brezillon +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/spi-nor/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/Kconfig ++++ b/drivers/mtd/spi-nor/Kconfig +@@ -41,7 +41,7 @@ config SPI_ASPEED_SMC + + config SPI_ATMEL_QUADSPI + tristate "Atmel Quad SPI Controller" +- depends on ARCH_AT91 || (ARM && COMPILE_TEST) ++ depends on ARCH_AT91 || (ARM && COMPILE_TEST && !ARCH_EBSA110) + depends on OF && HAS_IOMEM + help + This enables support for the Quad SPI controller in master mode. diff --git a/queue-4.14/series b/queue-4.14/series index 4c0da70ff42..c691a5f2168 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -34,3 +34,19 @@ qmi_wwan-added-support-for-fibocom-nl668-series.patch
 qmi_wwan-add-support-for-fibocom-nl678-series.patch
 net-smc-fix-tcp-fallback-socket-release.patch
 sock-make-sock-sk_stamp-thread-safe.patch
+ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch
+alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch
+alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch
+alsa-pcm-fix-potential-spectre-v1-vulnerability.patch
+alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch
+mtd-atmel-quadspi-disallow-building-on-ebsa110.patch
+alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch
+alsa-hda-realtek-enable-audio-jacks-of-asus-ux391ua-with-alc294.patch
+alsa-fireface-fix-for-state-to-fetch-pcm-frames.patch
+alsa-firewire-lib-fix-wrong-handling-payload_length-as-payload_quadlet.patch
+alsa-firewire-lib-fix-wrong-assignment-for-out_packet_without_header-tracepoint.patch
+alsa-firewire-lib-use-the-same-print-format-for-without_header-tracepoints.patch
+alsa-hda-tegra-clear-pending-irq-handlers.patch
+usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
+usb-serial-option-add-fibocom-nl678-series.patch
+usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
diff --git a/queue-4.14/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch b/queue-4.14/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
new file mode 100644
index 00000000000..6bb995236bd
--- /dev/null
+++ b/queue-4.14/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
@@ -0,0 +1,67 @@ +From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Tue, 18 Dec 2018 20:04:25 +0800 +Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() + +From: Jia-Ju Bai + +commit c85400f886e3d41e69966470879f635a2b50084c upstream. + +The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may +be concurrently executed. +The two functions both access a possible shared variable "hep->hcpriv". + +This shared variable is freed by r8a66597_endpoint_disable() via the +call path: +r8a66597_endpoint_disable + kfree(hep->hcpriv) (line 1995 in Linux-4.19) + +This variable is read by r8a66597_urb_enqueue() via the call path: +r8a66597_urb_enqueue + spin_lock_irqsave(&r8a66597->lock) + init_pipe_info + enable_r8a66597_pipe + pipe = hep->hcpriv (line 802 in Linux-4.19) + +The read operation is protected by a spinlock, but the free operation +is not protected by this spinlock, thus a concurrency use-after-free bug +may occur. + +To fix this bug, the spin-lock and spin-unlock function calls in +r8a66597_endpoint_disable() are moved to protect the free operation. 
+ +Signed-off-by: Jia-Ju Bai +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/r8a66597-hcd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/r8a66597-hcd.c ++++ b/drivers/usb/host/r8a66597-hcd.c +@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct u + + static void r8a66597_endpoint_disable(struct usb_hcd *hcd, + struct usb_host_endpoint *hep) ++__acquires(r8a66597->lock) ++__releases(r8a66597->lock) + { + struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd); + struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv; +@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(st + return; + pipenum = pipe->info.pipenum; + ++ spin_lock_irqsave(&r8a66597->lock, flags); + if (pipenum == 0) { + kfree(hep->hcpriv); + hep->hcpriv = NULL; ++ spin_unlock_irqrestore(&r8a66597->lock, flags); + return; + } + +- spin_lock_irqsave(&r8a66597->lock, flags); + pipe_stop(r8a66597, pipe); + pipe_irq_disable(r8a66597, pipenum); + disable_irq_empty(r8a66597, pipenum); diff --git a/queue-4.14/usb-serial-option-add-fibocom-nl678-series.patch b/queue-4.14/usb-serial-option-add-fibocom-nl678-series.patch new file mode 100644 index 00000000000..044efdc05b2 --- /dev/null +++ b/queue-4.14/usb-serial-option-add-fibocom-nl678-series.patch 
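Review bot: `hep->hcpriv` is still loaded into `pipe` in the declaration, and `pipe->info.pipenum` is still dereferenced, before the relocated `spin_lock_irqsave()`; only the kfree and the NULL store now run under the lock. Two concurrent callers, or any other path that frees hcpriv while holding the lock, can therefore still leave this function with a stale pipe pointer. The load and the early-return test before `pipenum = ...` (its condition is outside the hunk) should move below the lock, i.e. `spin_lock_irqsave(&r8a66597->lock, flags);` then `pipe = hep->hcpriv;`, with a matching unlock on the early return. The added `__acquires`/`__releases` annotations are also unusual for a function that returns with the lock balanced, since they normally mark functions that change lock state across the call.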
@@ -0,0 +1,67 @@
+From 4b2c01ad902ec02fa962b233decd2f14be3714ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?=
+Date: Fri, 21 Dec 2018 14:40:44 +0100
+Subject: USB: serial: option: add Fibocom NL678 series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jörgen Storvist
+
+commit 4b2c01ad902ec02fa962b233decd2f14be3714ba upstream.
+
+Added USB serial option driver support for Fibocom NL678 series cellular
+module: VID 2cb7 and PIDs 0x0104 and 0x0105.
+Reserved network and ADB interfaces.
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0104 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0105 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+Signed-off-by: Jörgen Storvist
+Cc: stable
+Acked-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1957,6 +1957,10 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
++ .driver_info = RSVD(4) | RSVD(5) },
++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
++ .driver_info = RSVD(6) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
diff --git a/queue-4.14/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch b/queue-4.14/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
new file mode 100644
index 00000000000..948c86e3e92
--- /dev/null
+++ b/queue-4.14/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
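Review bot: Both new entries carry the same `/* Fibocom NL678 series */` comment, and nothing in the table says which interfaces the `RSVD()` masks keep the serial driver off or why. The device dump in the commit message shows interface 4 bound to qmi_wwan and interface 5 (Sub=42) unbound for PID 0x0104, and interface 6 (Sub=42) unbound for PID 0x0105, which the description calls the network and ADB interfaces. I would record that next to the IDs, for example `/* Fibocom NL678 series, 0104: 4 = qmi_wwan net, 5 = ADB */` and `/* Fibocom NL678 series, 0105: vendor-class ifs only, 6 = ADB */`, so a later edit does not drop a mask and let the option driver bind to the debug interface. The option_ids table starts outside this hunk.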
@@ -0,0 +1,61 @@
+From 8d503f206c336677954160ac62f0c7d9c219cd89 Mon Sep 17 00:00:00 2001
+From: Scott Chen
+Date: Thu, 13 Dec 2018 06:01:47 -0500
+Subject: USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
+
+From: Scott Chen
+
+commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream.
+
+Add device ids to pl2303 for the HP POS pole displays:
+LM920: 03f0:026b
+TD620: 03f0:0956
+LD960TA: 03f0:4439
+LD220TA: 03f0:4349
+LM940: 03f0:5039
+
+Signed-off-by: Scott Chen
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/pl2303.c | 5 +++++
+ drivers/usb/serial/pl2303.h | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -94,9 +94,14 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
+ { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
+ { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
+ { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
+ { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -124,10 +124,15 @@
+
+ /* Hewlett-Packard POS Pole Displays */
+ #define HP_VENDOR_ID 0x03f0
++#define HP_LM920_PRODUCT_ID 0x026b
++#define HP_TD620_PRODUCT_ID 0x0956
+ #define HP_LD960_PRODUCT_ID 0x0b39
+ #define HP_LCM220_PRODUCT_ID 0x3139
+ #define HP_LCM960_PRODUCT_ID 0x3239
+ #define HP_LD220_PRODUCT_ID 0x3524
++#define HP_LD220TA_PRODUCT_ID 0x4349
++#define HP_LD960TA_PRODUCT_ID 0x4439
++#define HP_LM940_PRODUCT_ID 0x5039
+
+ /* Cressi Edy (diving computer) PC interface */
+ #define CRESSI_VENDOR_ID 0x04b8