From: Greg Kroah-Hartman Date: Mon, 7 Nov 2022 09:00:06 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.9.333~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27843f5b52d71a3803e09f76be21b349512b4e0c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-usb-audio-add-quirks-for-macrosilicon-ms2100-ms2106-devices.patch block-bfq-protect-bfqd-queued-by-bfqd-lock.patch bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
---
diff --git a/queue-5.10/alsa-usb-audio-add-quirks-for-macrosilicon-ms2100-ms2106-devices.patch b/queue-5.10/alsa-usb-audio-add-quirks-for-macrosilicon-ms2100-ms2106-devices.patch
new file mode 100644
index 00000000000..804c494fac7
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-add-quirks-for-macrosilicon-ms2100-ms2106-devices.patch
@@ -0,0 +1,93 @@
+From 6e2c9105e0b743c92a157389d40f00b81bdd09fe Mon Sep 17 00:00:00 2001
+From: John Veness
+Date: Fri, 24 Jun 2022 15:07:57 +0100
+Subject: ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices
+
+From: John Veness
+
+commit 6e2c9105e0b743c92a157389d40f00b81bdd09fe upstream.
+
+Treat the claimed 96kHz 1ch in the descriptors as 48kHz 2ch, so that
+the audio stream doesn't sound mono. Also fix initial stream
+alignment, so that left and right channels are in the correct order.
+
+Signed-off-by: John Veness
+Link: https://lore.kernel.org/r/20220624140757.28758-1-john-linux@pelago.org.uk
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/quirks-table.h | 52 +++++++++++++++++++++++++++++++++++++++++++++++
+ sound/usb/quirks.c | 1
+ 2 files changed, 53 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3657,6 +3657,58 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ },
+
+ /*
++ * MacroSilicon MS2100/MS2106 based AV capture cards
++ *
++ * These claim 96kHz 1ch in the descriptors, but are actually 48kHz 2ch.
++ * They also need QUIRK_AUDIO_ALIGN_TRANSFER, which makes one wonder if
++ * they pretend to be 96kHz mono as a workaround for stereo being broken
++ * by that...
++ *
++ * They also have an issue with initial stream alignment that causes the
++ * channels to be swapped and out of phase, which is dealt with in quirks.c.
++ */
++{
++ USB_AUDIO_DEVICE(0x534d, 0x0021),
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .vendor_name = "MacroSilicon",
++ .product_name = "MS210x",
++ .ifnum = QUIRK_ANY_INTERFACE,
++ .type = QUIRK_COMPOSITE,
++ .data = &(const struct snd_usb_audio_quirk[]) {
++ {
++ .ifnum = 2,
++ .type = QUIRK_AUDIO_ALIGN_TRANSFER,
++ },
++ {
++ .ifnum = 2,
++ .type = QUIRK_AUDIO_STANDARD_MIXER,
++ },
++ {
++ .ifnum = 3,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
++ .channels = 2,
++ .iface = 3,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .attributes = 0,
++ .endpoint = 0x82,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC |
++ USB_ENDPOINT_SYNC_ASYNC,
++ .rates = SNDRV_PCM_RATE_CONTINUOUS,
++ .rate_min = 48000,
++ .rate_max = 48000,
++ }
++ },
++ {
++ .ifnum = -1
++ }
++ }
++ }
++},
++
++/*
+ * MacroSilicon MS2109 based HDMI capture cards
+ *
+ * These claim 96kHz 1ch in the descriptors, but are actually 48kHz 2ch.
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1508,6 +1508,7 @@ void snd_usb_set_format_quirk(struct snd
+ case USB_ID(0x2b73, 0x0017): /* Pioneer DJ DJM-250MK2 */
+ pioneer_djm_set_format_quirk(subs);
+ break;
++ case USB_ID(0x534d, 0x0021): /* MacroSilicon MS2100/MS2106 */
+ case USB_ID(0x534d, 0x2109): /* MacroSilicon MS2109 */
+ subs->stream_offset_adj = 2;
+ break;
diff --git a/queue-5.10/block-bfq-protect-bfqd-queued-by-bfqd-lock.patch b/queue-5.10/block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
new file mode 100644
index 00000000000..b38bf34562c
--- /dev/null
+++ b/queue-5.10/block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
@@ -0,0 +1,47 @@
+From 181490d5321806e537dc5386db5ea640b826bf78 Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Fri, 13 May 2022 10:35:06 +0800
+Subject: block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
+
+From: Yu Kuai
+
+commit 181490d5321806e537dc5386db5ea640b826bf78 upstream.
+
+If bfq_schedule_dispatch() is called from bfq_idle_slice_timer_body(),
+then 'bfqd->queued' is read without holding 'bfqd->lock'. This is
+wrong since it can be wrote concurrently.
+
+Fix the problem by holding 'bfqd->lock' in such case.
+
+Signed-off-by: Yu Kuai
+Reviewed-by: Jan Kara
+Reviewed-by: Chaitanya Kulkarni
+Link: https://lore.kernel.org/r/20220513023507.2625717-2-yukuai3@huawei.com
+Signed-off-by: Jens Axboe
+Cc: Khazhy Kumykov
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/bfq-iosched.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -421,6 +421,8 @@ static struct bfq_io_cq *bfq_bic_lookup(
+ */
+ void bfq_schedule_dispatch(struct bfq_data *bfqd)
+ {
++ lockdep_assert_held(&bfqd->lock);
++
+ if (bfqd->queued != 0) {
+ bfq_log(bfqd, "schedule dispatch");
+ blk_mq_run_hw_queues(bfqd->queue, true);
+@@ -6269,8 +6271,8 @@ bfq_idle_slice_timer_body(struct bfq_dat
+ bfq_bfqq_expire(bfqd, bfqq, true, reason);
+
+ schedule_dispatch:
+- spin_unlock_irqrestore(&bfqd->lock, flags);
+ bfq_schedule_dispatch(bfqd);
++ spin_unlock_irqrestore(&bfqd->lock, flags);
+ }
+
+ /*
diff --git a/queue-5.10/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch b/queue-5.10/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch
new file mode 100644
index 00000000000..65677789fad
--- /dev/null
+++ b/queue-5.10/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch
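Review bot: The new `lockdep_assert_held(&bfqd->lock);` in bfq_schedule_dispatch() makes the locking rule a contract for every caller, but only the bfq_idle_slice_timer_body() call site is visible and reordered in block-bfq-protect-bfqd-queued-by-bfqd-lock.patch. Any other caller in the 5.10 tree needs checking by hand, because the assertion only reports on lockdep-enabled builds and stays silent elsewhere. The comment block that closes just above the function (its text is outside the hunk) should state the requirement, for example `* Must be called with bfqd->lock held.`. Both function bodies start or end outside the hunks shown.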
@@ -0,0 +1,70 @@
+From 711f8c3fb3db61897080468586b970c87c61d9e4 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 31 Oct 2022 16:10:32 -0700
+Subject: Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz
+
+commit 711f8c3fb3db61897080468586b970c87c61d9e4 upstream.
+
+The Bluetooth spec states that the valid range for SPSM is from
+0x0001-0x00ff so it is invalid to accept values outside of this range:
+
+ BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ page 1059:
+ Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+
+CVE: CVE-2022-42896
+CC: stable@vger.kernel.org
+Reported-by: Tamás Koczka
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Tedd Ho-Jeong An
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5808,6 +5808,19 @@ static int l2cap_le_connect_req(struct l
+ BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
+ scid, mtu, mps);
+
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
++ * page 1059:
++ *
++ * Valid range: 0x0001-0x00ff
++ *
++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
++ */
++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
++ result = L2CAP_CR_LE_BAD_PSM;
++ chan = NULL;
++ goto response;
++ }
++
+ /* Check if we have socket listening on psm */
+ pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
+ &conn->hcon->dst, LE_LINK);
+@@ -5988,6 +6001,18 @@ static inline int l2cap_ecred_conn_req(s
+
+ psm = req->psm;
+
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
++ * page 1059:
++ *
++ * Valid range: 0x0001-0x00ff
++ *
++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
++ */
++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
++ result = L2CAP_CR_LE_BAD_PSM;
++ goto response;
++ }
++
+ BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
+
+ memset(&pdu, 0, sizeof(pdu));
diff --git a/queue-5.10/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch b/queue-5.10/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
new file mode 100644
index 00000000000..9819ebb5991
--- /dev/null
+++ b/queue-5.10/bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
@@ -0,0 +1,37 @@
+From b1a2cd50c0357f243b7435a732b4e62ba3157a2e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 31 Oct 2022 16:10:52 -0700
+Subject: Bluetooth: L2CAP: Fix attempting to access uninitialized memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz
+
+commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e upstream.
+
+On l2cap_parse_conf_req the variable efs is only initialized if
+remote_efs has been set.
+
+CVE: CVE-2022-42895
+CC: stable@vger.kernel.org
+Reported-by: Tamás Koczka
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Tedd Ho-Jeong An
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3760,7 +3760,8 @@ done:
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+
+- if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
++ if (remote_efs &&
++ test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+ chan->remote_id = efs.id;
+ chan->remote_stype = efs.stype;
+ chan->remote_msdu = le16_to_cpu(efs.msdu);
diff --git a/queue-5.10/series b/queue-5.10/series
index 5b46e991090..052659157d7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
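Review bot: In l2cap_ecred_conn_req() (bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch) the added `goto response;` is taken before `memset(&pdu, 0, sizeof(pdu));`, which still sits below the new check in the hunk's trailing context. The `response:` label is outside the hunk, so this is inferred: if that path sends `pdu` back, every field other than the result would be uninitialised stack memory disclosed to the remote peer. Moving `memset(&pdu, 0, sizeof(pdu));` above the new check, or to the top of the function if earlier exits outside the hunk also jump to `response`, would make the rejected-request reply deterministic. The l2cap_le_connect_req() hunk is not affected in the same way as far as the visible lines show; it sets `chan = NULL;` before the jump.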
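Review bot: Gating this one block on `remote_efs` (bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch) fixes the read shown here, but `efs` itself remains uninitialised whenever the peer sends no EFS option, so any other read of it in l2cap_parse_conf_req() would have the same problem; the function body and the declaration are outside the hunk, so that is not verifiable from here. Zero-filling it before the option parsing, e.g. `memset(&efs, 0, sizeof(efs));`, would make the stack contents deterministic whichever branch runs. A short comment on the new condition, such as `/* efs is only filled in when the peer sent an EFS option */`, would keep the guard from being dropped in a later cleanup.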
@@ -74,3 +74,7 @@ firmware-arm_scmi-suppress-the-driver-s-bind-attribu.patch
 firmware-arm_scmi-make-rx-chan_setup-fail-on-memory-.patch
 arm64-dts-juno-add-thermal-critical-trip-points.patch
 i2c-piix4-fix-adapter-not-be-removed-in-piix4_remove.patch
+bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch
+bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
+block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
+alsa-usb-audio-add-quirks-for-macrosilicon-ms2100-ms2106-devices.patch