From: Greg Kroah-Hartman Date: Sat, 24 May 2025 15:50:47 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.12.31~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d322a6e992988f95904e0dadade1ab60d9f13a4;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch --- diff --git a/queue-5.4/alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch b/queue-5.4/alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch new file mode 100644 index 0000000000..676ed25838 --- /dev/null +++ b/queue-5.4/alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch @@ -0,0 +1,74 @@ +From 93a81ca0657758b607c3f4ba889ae806be9beb73 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 16 May 2025 10:08:16 +0200 +Subject: ALSA: pcm: Fix race of buffer access at PCM OSS layer + +From: Takashi Iwai + +commit 93a81ca0657758b607c3f4ba889ae806be9beb73 upstream. + +The PCM OSS layer tries to clear the buffer with the silence data at +initialization (or reconfiguration) of a stream with the explicit call +of snd_pcm_format_set_silence() with runtime->dma_area. But this may +lead to a UAF because the accessed runtime->dma_area might be freed +concurrently, as it's performed outside the PCM ops. + +For avoiding it, move the code into the PCM core and perform it inside +the buffer access lock, so that it won't be changed during the +operation. + +Reported-by: syzbot+32d4647f551007595173@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/68164d8e.050a0220.11da1b.0019.GAE@google.com +Cc: +Link: https://patch.msgid.link/20250516080817.20068-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/pcm.h | 2 ++ + sound/core/oss/pcm_oss.c | 3 +-- + sound/core/pcm_native.c | 11 +++++++++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -1319,6 +1319,8 @@ int snd_pcm_lib_mmap_iomem(struct snd_pc + #define snd_pcm_lib_mmap_iomem NULL + #endif + ++void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime); ++ + /** + * snd_pcm_limit_isa_dma_size - Get the max size fitting with ISA DMA transfer + * @dma: DMA number +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1081,8 +1081,7 @@ static int snd_pcm_oss_change_params_loc + runtime->oss.params = 0; + runtime->oss.prepare = 1; + runtime->oss.buffer_used = 0; +- if (runtime->dma_area) +- snd_pcm_format_set_silence(runtime->format, runtime->dma_area, bytes_to_samples(runtime, runtime->dma_bytes)); ++ snd_pcm_runtime_buffer_set_silence(runtime); + + runtime->oss.period_frames = snd_pcm_alsa_frames(substream, oss_period_size); + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -648,6 +648,17 @@ static void snd_pcm_buffer_access_unlock + atomic_inc(&runtime->buffer_accessing); + } + ++/* fill the PCM buffer with the current silence format; called from pcm_oss.c */ ++void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime) ++{ ++ snd_pcm_buffer_access_lock(runtime); ++ if (runtime->dma_area) ++ snd_pcm_format_set_silence(runtime->format, runtime->dma_area, ++ bytes_to_samples(runtime, runtime->dma_bytes)); ++ snd_pcm_buffer_access_unlock(runtime); ++} ++EXPORT_SYMBOL_GPL(snd_pcm_runtime_buffer_set_silence); ++ + #if IS_ENABLED(CONFIG_SND_PCM_OSS) + #define is_oss_stream(substream) ((substream)->oss.oss) + #else diff --git a/queue-5.4/llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch b/queue-5.4/llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch new file mode 100644 index 0000000000..ff0917332c --- /dev/null +++ b/queue-5.4/llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch @@ -0,0 +1,49 @@ +From 239af1970bcb039a1551d2c438d113df0010c149 Mon Sep 17 00:00:00 2001 +From: Ilia Gavrilov +Date: Thu, 15 May 2025 12:20:15 +0000 +Subject: llc: fix data loss when reading from a socket in llc_ui_recvmsg() + +From: Ilia Gavrilov + +commit 239af1970bcb039a1551d2c438d113df0010c149 upstream. + +For SOCK_STREAM sockets, if user buffer size (len) is less +than skb size (skb->len), the remaining data from skb +will be lost after calling kfree_skb(). + +To fix this, move the statement for partial reading +above skb deletion. + +Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) + +Fixes: 30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -885,15 +885,15 @@ static int llc_ui_recvmsg(struct socket + if (sk->sk_type != SOCK_STREAM) + goto copy_uaddr; + ++ /* Partial read */ ++ if (used + offset < skb_len) ++ continue; ++ + if (!(flags & MSG_PEEK)) { + skb_unlink(skb, &sk->sk_receive_queue); + kfree_skb(skb); + *seq = 0; + } +- +- /* Partial read */ +- if (used + offset < skb_len) +- continue; + } while (len > 0); + + out: diff --git a/queue-5.4/series b/queue-5.4/series index 29d8b197df..8ef7b1911f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -175,3 +175,5 @@ sch_hfsc-fix-qlen-accounting-bug-when-using-peek-in-.patch crypto-algif_hash-fix-double-free-in-hash_accept.patch can-bcm-add-locking-for-bcm_op-runtime-updates.patch can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch +alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch +llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch