From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 17 Oct 2020 11:30:36 +0000 (+0200)
Subject: 5.9-stable patches
X-Git-Tag: v4.4.241~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4fdc30198b86194d32e61347e9e7753c00ca83ae;p=thirdparty%2Fkernel%2Fstable-queue.git

5.9-stable patches

added patches:
	alsa-bebob-potential-info-leak-in-hwdep_read.patch
	alsa-hda-fix-jack-detection-with-realtek-codecs-when-in-d3.patch
	alsa-hda-hdmi-fix-incorrect-locking-in-hdmi_pcm_close.patch
	binder-fix-uaf-when-releasing-todo-list.patch
---

diff --git a/queue-5.9/alsa-bebob-potential-info-leak-in-hwdep_read.patch b/queue-5.9/alsa-bebob-potential-info-leak-in-hwdep_read.patch
new file mode 100644
index 00000000000..9cc8a062e8d
--- /dev/null
+++ b/queue-5.9/alsa-bebob-potential-info-leak-in-hwdep_read.patch
@@ -0,0 +1,40 @@
+From b41c15f4e1c1f1657da15c482fa837c1b7384452 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 7 Oct 2020 10:49:28 +0300
+Subject: ALSA: bebob: potential info leak in hwdep_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b41c15f4e1c1f1657da15c482fa837c1b7384452 upstream.
+
+The "count" variable needs to be capped on every path so that we don't
+copy too much information to the user.
+
+Fixes: 618eabeae711 ("ALSA: bebob: Add hwdep interface")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201007074928.GA2529578@mwanda
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_hwdep.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/firewire/bebob/bebob_hwdep.c
++++ b/sound/firewire/bebob/bebob_hwdep.c
+@@ -36,12 +36,11 @@ hwdep_read(struct snd_hwdep *hwdep, char
+ 	}
+ 
+ 	memset(&event, 0, sizeof(event));
++	count = min_t(long, count, sizeof(event.lock_status));
+ 	if (bebob->dev_lock_changed) {
+ 		event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
+ 		event.lock_status.status = (bebob->dev_lock_count > 0);
+ 		bebob->dev_lock_changed = false;
+-
+-		count = min_t(long, count, sizeof(event.lock_status));
+ 	}
+ 
+ 	spin_unlock_irq(&bebob->lock);
diff --git a/queue-5.9/alsa-hda-fix-jack-detection-with-realtek-codecs-when-in-d3.patch b/queue-5.9/alsa-hda-fix-jack-detection-with-realtek-codecs-when-in-d3.patch
new file mode 100644
index 00000000000..8543aedc0c9
--- /dev/null
+++ b/queue-5.9/alsa-hda-fix-jack-detection-with-realtek-codecs-when-in-d3.patch
@@ -0,0 +1,84 @@
+From a6e7d0a4bdb02a7a3ffe0b44aaa8842b7efdd056 Mon Sep 17 00:00:00 2001
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Date: Mon, 12 Oct 2020 13:27:04 +0300
+Subject: ALSA: hda: fix jack detection with Realtek codecs when in D3
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+commit a6e7d0a4bdb02a7a3ffe0b44aaa8842b7efdd056 upstream.
+
+In case HDA controller becomes active, but codec is runtime suspended,
+jack detection is not successful and no interrupt is raised. This has
+been observed with multiple Realtek codecs and HDA controllers from
+different vendors. Bug does not occur if both codec and controller are
+active, or both are in suspend. Bug can be easily hit on desktop systems
+with no built-in speaker.
+
+The problem can be fixed by powering up the codec once after every
+controller runtime resume. Even if codec goes back to suspend later, the
+jack detection will continue to work. Add a flag to 'hda_codec' to
+describe codecs that require this flow from the controller driver.
+Modify __azx_runtime_resume() to use pm_request_resume() to make the
+intent clearer.
+
+Mark all Realtek codecs with the new forced_resume flag.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209379
+Cc: Kailang Yang <kailang@realtek.com>
+Co-developed-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201012102704.794423-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/hda_codec.h     |    1 +
+ sound/pci/hda/hda_intel.c     |   14 ++++++++------
+ sound/pci/hda/patch_realtek.c |    1 +
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/include/sound/hda_codec.h
++++ b/include/sound/hda_codec.h
+@@ -253,6 +253,7 @@ struct hda_codec {
+ 	unsigned int force_pin_prefix:1; /* Add location prefix */
+ 	unsigned int link_down_at_suspend:1; /* link down at runtime suspend */
+ 	unsigned int relaxed_resume:1;	/* don't resume forcibly for jack */
++	unsigned int forced_resume:1; /* forced resume for jack */
+ 	unsigned int mst_no_extra_pcms:1; /* no backup PCMs for DP-MST */
+ 
+ #ifdef CONFIG_PM
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1001,12 +1001,14 @@ static void __azx_runtime_resume(struct
+ 	azx_init_pci(chip);
+ 	hda_intel_init_chip(chip, true);
+ 
+-	if (status && from_rt) {
+-		list_for_each_codec(codec, &chip->bus)
+-			if (!codec->relaxed_resume &&
+-			    (status & (1 << codec->addr)))
+-				schedule_delayed_work(&codec->jackpoll_work,
+-						      codec->jackpoll_interval);
++	if (from_rt) {
++		list_for_each_codec(codec, &chip->bus) {
++			if (codec->relaxed_resume)
++				continue;
++
++			if (codec->forced_resume || (status & (1 << codec->addr)))
++				pm_request_resume(hda_codec_dev(codec));
++		}
+ 	}
+ 
+ 	/* power down again for link-controlled chips */
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1150,6 +1150,7 @@ static int alc_alloc_spec(struct hda_cod
+ 	codec->single_adc_amp = 1;
+ 	/* FIXME: do we need this for all Realtek codec models? */
+ 	codec->spdif_status_reset = 1;
++	codec->forced_resume = 1;
+ 	codec->patch_ops = alc_patch_ops;
+ 
+ 	err = alc_codec_rename_from_preset(codec);
diff --git a/queue-5.9/alsa-hda-hdmi-fix-incorrect-locking-in-hdmi_pcm_close.patch b/queue-5.9/alsa-hda-hdmi-fix-incorrect-locking-in-hdmi_pcm_close.patch
new file mode 100644
index 00000000000..069d0fe150e
--- /dev/null
+++ b/queue-5.9/alsa-hda-hdmi-fix-incorrect-locking-in-hdmi_pcm_close.patch
@@ -0,0 +1,85 @@
+From ce1558c285f9ad04c03b46833a028230771cc0a7 Mon Sep 17 00:00:00 2001
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Date: Tue, 13 Oct 2020 18:26:28 +0300
+Subject: ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+commit ce1558c285f9ad04c03b46833a028230771cc0a7 upstream.
+
+A race exists between closing a PCM and update of ELD data. In
+hdmi_pcm_close(), hinfo->nid value is modified without taking
+spec->pcm_lock. If this happens concurrently while processing an ELD
+update in hdmi_pcm_setup_pin(), converter assignment may be done
+incorrectly.
+
+This bug was found by hitting a WARN_ON in snd_hda_spdif_ctls_assign()
+in a HDMI receiver connection stress test:
+
+[2739.684569] WARNING: CPU: 5 PID: 2090 at sound/pci/hda/patch_hdmi.c:1898 check_non_pcm_per_cvt+0x41/0x50 [snd_hda_codec_hdmi]
+...
+[2739.684707] Call Trace:
+[2739.684720]  update_eld+0x121/0x5a0 [snd_hda_codec_hdmi]
+[2739.684736]  hdmi_present_sense+0x21e/0x3b0 [snd_hda_codec_hdmi]
+[2739.684750]  check_presence_and_report+0x81/0xd0 [snd_hda_codec_hdmi]
+[2739.684842]  intel_audio_codec_enable+0x122/0x190 [i915]
+
+Fixes: 42b2987079ec ("ALSA: hda - hdmi playback without monitor in dynamic pcm bind mode")
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201013152628.920764-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2046,22 +2046,25 @@ static int hdmi_pcm_close(struct hda_pcm
+ 	int pinctl;
+ 	int err = 0;
+ 
++	mutex_lock(&spec->pcm_lock);
+ 	if (hinfo->nid) {
+ 		pcm_idx = hinfo_to_pcm_index(codec, hinfo);
+-		if (snd_BUG_ON(pcm_idx < 0))
+-			return -EINVAL;
++		if (snd_BUG_ON(pcm_idx < 0)) {
++			err = -EINVAL;
++			goto unlock;
++		}
+ 		cvt_idx = cvt_nid_to_cvt_index(codec, hinfo->nid);
+-		if (snd_BUG_ON(cvt_idx < 0))
+-			return -EINVAL;
++		if (snd_BUG_ON(cvt_idx < 0)) {
++			err = -EINVAL;
++			goto unlock;
++		}
+ 		per_cvt = get_cvt(spec, cvt_idx);
+-
+ 		snd_BUG_ON(!per_cvt->assigned);
+ 		per_cvt->assigned = 0;
+ 		hinfo->nid = 0;
+ 
+ 		azx_stream(get_azx_dev(substream))->stripe = 0;
+ 
+-		mutex_lock(&spec->pcm_lock);
+ 		snd_hda_spdif_ctls_unassign(codec, pcm_idx);
+ 		clear_bit(pcm_idx, &spec->pcm_in_use);
+ 		pin_idx = hinfo_to_pin_index(codec, hinfo);
+@@ -2091,10 +2094,11 @@ static int hdmi_pcm_close(struct hda_pcm
+ 		per_pin->setup = false;
+ 		per_pin->channels = 0;
+ 		mutex_unlock(&per_pin->lock);
+-	unlock:
+-		mutex_unlock(&spec->pcm_lock);
+ 	}
+ 
++unlock:
++	mutex_unlock(&spec->pcm_lock);
++
+ 	return err;
+ }
+ 
diff --git a/queue-5.9/binder-fix-uaf-when-releasing-todo-list.patch b/queue-5.9/binder-fix-uaf-when-releasing-todo-list.patch
new file mode 100644
index 00000000000..13e6dfdc954
--- /dev/null
+++ b/queue-5.9/binder-fix-uaf-when-releasing-todo-list.patch
@@ -0,0 +1,113 @@
+From f3277cbfba763cd2826396521b9296de67cf1bbc Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@google.com>
+Date: Fri, 9 Oct 2020 16:24:55 -0700
+Subject: binder: fix UAF when releasing todo list
+
+From: Todd Kjos <tkjos@google.com>
+
+commit f3277cbfba763cd2826396521b9296de67cf1bbc upstream.
+
+When releasing a thread todo list when tearing down
+a binder_proc, the following race was possible which
+could result in a use-after-free:
+
+1.  Thread 1: enter binder_release_work from binder_thread_release
+2.  Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked()
+3.  Thread 2: dec nodeA --> 0 (will free node)
+4.  Thread 1: ACQ inner_proc_lock
+5.  Thread 2: block on inner_proc_lock
+6.  Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
+7.  Thread 1: REL inner_proc_lock
+8.  Thread 2: ACQ inner_proc_lock
+9.  Thread 2: todo list cleanup, but work was already dequeued
+10. Thread 2: free node
+11. Thread 2: REL inner_proc_lock
+12. Thread 1: deref w->type (UAF)
+
+The problem was that for a BINDER_WORK_NODE, the binder_work element
+must not be accessed after releasing the inner_proc_lock while
+processing the todo list elements since another thread might be
+handling a deref on the node containing the binder_work element
+leading to the node being freed.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com
+Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c |   35 ++++++++++-------------------------
+ 1 file changed, 10 insertions(+), 25 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -223,7 +223,7 @@ static struct binder_transaction_log_ent
+ struct binder_work {
+ 	struct list_head entry;
+ 
+-	enum {
++	enum binder_work_type {
+ 		BINDER_WORK_TRANSACTION = 1,
+ 		BINDER_WORK_TRANSACTION_COMPLETE,
+ 		BINDER_WORK_RETURN_ERROR,
+@@ -885,27 +885,6 @@ static struct binder_work *binder_dequeu
+ 	return w;
+ }
+ 
+-/**
+- * binder_dequeue_work_head() - Dequeues the item at head of list
+- * @proc:         binder_proc associated with list
+- * @list:         list to dequeue head
+- *
+- * Removes the head of the list if there are items on the list
+- *
+- * Return: pointer dequeued binder_work, NULL if list was empty
+- */
+-static struct binder_work *binder_dequeue_work_head(
+-					struct binder_proc *proc,
+-					struct list_head *list)
+-{
+-	struct binder_work *w;
+-
+-	binder_inner_proc_lock(proc);
+-	w = binder_dequeue_work_head_ilocked(list);
+-	binder_inner_proc_unlock(proc);
+-	return w;
+-}
+-
+ static void
+ binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
+ static void binder_free_thread(struct binder_thread *thread);
+@@ -4587,13 +4566,17 @@ static void binder_release_work(struct b
+ 				struct list_head *list)
+ {
+ 	struct binder_work *w;
++	enum binder_work_type wtype;
+ 
+ 	while (1) {
+-		w = binder_dequeue_work_head(proc, list);
++		binder_inner_proc_lock(proc);
++		w = binder_dequeue_work_head_ilocked(list);
++		wtype = w ? w->type : 0;
++		binder_inner_proc_unlock(proc);
+ 		if (!w)
+ 			return;
+ 
+-		switch (w->type) {
++		switch (wtype) {
+ 		case BINDER_WORK_TRANSACTION: {
+ 			struct binder_transaction *t;
+ 
+@@ -4627,9 +4610,11 @@ static void binder_release_work(struct b
+ 			kfree(death);
+ 			binder_stats_deleted(BINDER_STAT_DEATH);
+ 		} break;
++		case BINDER_WORK_NODE:
++			break;
+ 		default:
+ 			pr_err("unexpected work type, %d, not freed\n",
+-			       w->type);
++			       wtype);
+ 			break;
+ 		}
+ 	}
diff --git a/queue-5.9/series b/queue-5.9/series
index 3a69c271a1b..a91be119df0 100644
--- a/queue-5.9/series
+++ b/queue-5.9/series
@@ -22,3 +22,7 @@ socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch
 can-m_can_platform-don-t-call-m_can_class_suspend-in-runtime-suspend.patch
 can-j1935-j1939_tp_tx_dat_new-fix-missing-initialization-of-skbcnt.patch
 net-j1939-j1939_session_fresh_new-fix-missing-initialization-of-skbcnt.patch
+binder-fix-uaf-when-releasing-todo-list.patch
+alsa-bebob-potential-info-leak-in-hwdep_read.patch
+alsa-hda-fix-jack-detection-with-realtek-codecs-when-in-d3.patch
+alsa-hda-hdmi-fix-incorrect-locking-in-hdmi_pcm_close.patch