From: Greg Kroah-Hartman Date: Sat, 13 Nov 2021 13:20:42 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v5.4.160~150 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=97a6454bc1359e1945ecbd5688455c563e4a0d80;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-6fire-fix-control-and-bulk-message-timeouts.patch alsa-line6-fix-control-and-interrupt-message-timeouts.patch alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch alsa-timer-fix-use-after-free-problem.patch alsa-timer-unconditionally-unlink-slave-instances-too.patch alsa-ua101-fix-division-by-zero-at-probe.patch x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
---
diff --git a/queue-4.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch b/queue-4.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
new file mode 100644
index 00000000000..f1da1abe163
--- /dev/null
+++ b/queue-4.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
@@ -0,0 +1,63 @@
+From 9b371c6cc37f954360989eec41c2ddc5a6b83917 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 14:11:41 +0200
+Subject: ALSA: 6fire: fix control and bulk message timeouts
+
+From: Johan Hovold
+
+commit 9b371c6cc37f954360989eec41c2ddc5a6b83917 upstream.
+
+USB control and bulk message timeouts are specified in milliseconds and
+should specifically not vary with CONFIG_HZ.
+
+Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB")
+Cc: stable@vger.kernel.org # 2.6.39
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211025121142.6531-2-johan@kernel.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/6fire/comm.c | 2 +-
+ sound/usb/6fire/firmware.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/6fire/comm.c
++++ b/sound/usb/6fire/comm.c
+@@ -99,7 +99,7 @@ static int usb6fire_comm_send_buffer(u8
+ int actual_len;
+
+ ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, COMM_EP),
+- buffer, buffer[1] + 2, &actual_len, HZ);
++ buffer, buffer[1] + 2, &actual_len, 1000);
+ if (ret < 0)
+ return ret;
+ else if (actual_len != buffer[1] + 2)
+--- a/sound/usb/6fire/firmware.c
++++ b/sound/usb/6fire/firmware.c
+@@ -166,7 +166,7 @@ static int usb6fire_fw_ezusb_write(struc
+
+ ret = usb_control_msg(device, usb_sndctrlpipe(device, 0), type,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- value, 0, data, len, HZ);
++ value, 0, data, len, 1000);
+ if (ret < 0)
+ return ret;
+ else if (ret != len)
+@@ -179,7 +179,7 @@ static int usb6fire_fw_ezusb_read(struct
+ {
+ int ret = usb_control_msg(device, usb_rcvctrlpipe(device, 0), type,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, value,
+- 0, data, len, HZ);
++ 0, data, len, 1000);
+ if (ret < 0)
+ return ret;
+ else if (ret != len)
+@@ -194,7 +194,7 @@ static int usb6fire_fw_fpga_write(struct
+ int ret;
+
+ ret = usb_bulk_msg(device, usb_sndbulkpipe(device, FPGA_EP), data, len,
+- &actual_len, HZ);
++ &actual_len, 1000);
+ if (ret < 0)
+ return ret;
+ else if (actual_len != len)
diff --git a/queue-4.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch b/queue-4.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch
new file mode 100644
index 00000000000..25af31583e6
--- /dev/null
+++ b/queue-4.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch
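Review bot: The bare literal `1000` now appears at four call sites across comm.c and firmware.c with nothing stating its unit, which is the same trap (ms vs jiffies) the commit is fixing; a single `#define USB6FIRE_USB_TIMEOUT_MS 1000` in a shared header, or at least a `/* ms */` beside each call, would keep the unit visible the way the line6 patch in this series keeps it behind LINE6_TIMEOUT. Behaviourally the only change on trees built with HZ below 1000 is a longer wait than before (the old argument was HZ, i.e. HZ milliseconds), which is what the commit intends. All four enclosing functions start and end outside their hunks.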
@@ -0,0 +1,102 @@
+From f4000b58b64344871d7b27c05e73932f137cfef6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 14:11:42 +0200
+Subject: ALSA: line6: fix control and interrupt message timeouts
+
+From: Johan Hovold
+
+commit f4000b58b64344871d7b27c05e73932f137cfef6 upstream.
+
+USB control and interrupt message timeouts are specified in milliseconds
+and should specifically not vary with CONFIG_HZ.
+
+Fixes: 705ececd1c60 ("Staging: add line6 usb driver")
+Cc: stable@vger.kernel.org # 2.6.30
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211025121142.6531-3-johan@kernel.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/line6/driver.c | 12 ++++++------
+ sound/usb/line6/driver.h | 2 +-
+ sound/usb/line6/toneport.c | 2 +-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -101,7 +101,7 @@ static int line6_send_raw_message(struct
+ usb_sndintpipe(line6->usbdev,
+ line6->properties->ep_ctrl_w),
+ (char *)frag_buf, frag_size,
+- &partial, LINE6_TIMEOUT * HZ);
++ &partial, LINE6_TIMEOUT);
+
+ if (retval) {
+ dev_err(line6->ifcdev,
+@@ -321,7 +321,7 @@ int line6_read_data(struct usb_line6 *li
+ ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+ (datalen << 8) | 0x21, address,
+- NULL, 0, LINE6_TIMEOUT * HZ);
++ NULL, 0, LINE6_TIMEOUT);
+
+ if (ret < 0) {
+ dev_err(line6->ifcdev, "read request failed (error %d)\n", ret);
+@@ -336,7 +336,7 @@ int line6_read_data(struct usb_line6 *li
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+ USB_DIR_IN,
+ 0x0012, 0x0000, len, 1,
+- LINE6_TIMEOUT * HZ);
++ LINE6_TIMEOUT);
+ if (ret < 0) {
+ dev_err(line6->ifcdev,
+ "receive length failed (error %d)\n", ret);
+@@ -364,7 +364,7 @@ int line6_read_data(struct usb_line6 *li
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+ 0x0013, 0x0000, data, datalen,
+- LINE6_TIMEOUT * HZ);
++ LINE6_TIMEOUT);
+
+ if (ret < 0)
+ dev_err(line6->ifcdev, "read failed (error %d)\n", ret);
+@@ -396,7 +396,7 @@ int line6_write_data(struct usb_line6 *l
+ ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+ 0x0022, address, data, datalen,
+- LINE6_TIMEOUT * HZ);
++ LINE6_TIMEOUT);
+
+ if (ret < 0) {
+ dev_err(line6->ifcdev,
+@@ -412,7 +412,7 @@ int line6_write_data(struct usb_line6 *l
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+ USB_DIR_IN,
+ 0x0012, 0x0000,
+- status, 1, LINE6_TIMEOUT * HZ);
++ status, 1, LINE6_TIMEOUT);
+
+ if (ret < 0) {
+ dev_err(line6->ifcdev,
+--- a/sound/usb/line6/driver.h
++++ b/sound/usb/line6/driver.h
+@@ -24,7 +24,7 @@
+ #define LINE6_FALLBACK_INTERVAL 10
+ #define LINE6_FALLBACK_MAXPACKETSIZE 16
+
+-#define LINE6_TIMEOUT 1
++#define LINE6_TIMEOUT 1000
+ #define LINE6_BUFSIZE_LISTEN 32
+ #define LINE6_MESSAGE_MAXLEN 256
+
+--- a/sound/usb/line6/toneport.c
++++ b/sound/usb/line6/toneport.c
+@@ -133,7 +133,7 @@ static int toneport_send_cmd(struct usb_
+
+ ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+- cmd1, cmd2, NULL, 0, LINE6_TIMEOUT * HZ);
++ cmd1, cmd2, NULL, 0, LINE6_TIMEOUT);
+
+ if (ret < 0) {
+ dev_err(&usbdev->dev, "send failed (error %d)\n", ret);
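Review bot: `LINE6_TIMEOUT` silently changes meaning from seconds to milliseconds in the driver.h hunk while its name and the define still carry no unit, so any `LINE6_TIMEOUT * HZ` user that is not among the seven sites rewritten here would, if one exists in the 4.4 line6 sources, now wait 1000 * HZ ms; for a stable backport it is worth grepping the tree for that pattern before merging. The cheap safeguard is to state the unit at the definition, `#define LINE6_TIMEOUT 1000 /* ms */`, or, if a rename is acceptable for stable, `LINE6_TIMEOUT_MS` so that a leftover `* HZ` reads as obviously wrong. The enclosing functions in driver.c and toneport.c start and end outside their hunks.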
@@ -0,0 +1,35 @@
+From d159037abbe3412285c271bdfb9cdf19e62678ff Mon Sep 17 00:00:00 2001
+From: Austin Kim
+Date: Tue, 9 Nov 2021 00:37:42 +0000
+Subject: ALSA: synth: missing check for possible NULL after the call to kstrdup
+
+From: Austin Kim
+
+commit d159037abbe3412285c271bdfb9cdf19e62678ff upstream.
+
+If kcalloc() return NULL due to memory starvation, it is possible for
+kstrdup() to return NULL in similar case. So add null check after the call
+to kstrdup() is made.
+
+[ minor coding-style fix by tiwai ]
+
+Signed-off-by: Austin Kim
+Cc:
+Link: https://lore.kernel.org/r/20211109003742.GA5423@raspberrypi
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/synth/emux/emux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/synth/emux/emux.c
++++ b/sound/synth/emux/emux.c
+@@ -101,7 +101,7 @@ int snd_emux_register(struct snd_emux *e
+ emu->name = kstrdup(name, GFP_KERNEL);
+ emu->voices = kcalloc(emu->max_voices, sizeof(struct snd_emux_voice),
+ GFP_KERNEL);
+- if (emu->voices == NULL)
++ if (emu->name == NULL || emu->voices == NULL)
+ return -ENOMEM;
+
+ /* create soundfont list */
diff --git a/queue-4.4/alsa-timer-fix-use-after-free-problem.patch b/queue-4.4/alsa-timer-fix-use-after-free-problem.patch
new file mode 100644
index 00000000000..9f9a7a408cf
--- /dev/null
+++ b/queue-4.4/alsa-timer-fix-use-after-free-problem.patch
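Review bot: The widened check returns -ENOMEM while whichever of `emu->name` / `emu->voices` did get allocated stays attached to `emu`, so the allocation is only not leaked if every caller of snd_emux_register() responds to failure by tearing the emu down through a path that frees both fields; the hunk cannot show that, so the 4.4 callers are worth a look before merging. A one-line comment on the return would spare the next reader the same question, e.g. `/* partial allocations are released by the caller's snd_emux_free() */`, assuming that is indeed the contract. snd_emux_register() continues past the end of the hunk.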
@@ -0,0 +1,53 @@
+From c0317c0e87094f5b5782b6fdef5ae0a4b150496c Mon Sep 17 00:00:00 2001
+From: Wang Wensheng
+Date: Wed, 3 Nov 2021 03:35:17 +0000
+Subject: ALSA: timer: Fix use-after-free problem
+
+From: Wang Wensheng
+
+commit c0317c0e87094f5b5782b6fdef5ae0a4b150496c upstream.
+
+When the timer instance was add into ack_list but was not currently in
+process, the user could stop it via snd_timer_stop1() without delete it
+from the ack_list. Then the user could free the timer instance and when
+it was actually processed UAF occurred.
+
+This issue could be reproduced via testcase snd_timer01 in ltp - running
+several instances of that testcase at the same time.
+
+What I actually met was that the ack_list of the timer broken and the
+kernel went into deadloop with irqoff. That could be detected by
+hardlockup detector on board or when we run it on qemu, we could use gdb
+to dump the ack_list when the console has no response.
+
+To fix this issue, we delete the timer instance from ack_list and
+active_list unconditionally in snd_timer_stop1().
+
+Signed-off-by: Wang Wensheng
+Suggested-by: Takashi Iwai
+Cc:
+Link: https://lore.kernel.org/r/20211103033517.80531-1-wangwensheng4@huawei.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/timer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -525,13 +525,13 @@ static int snd_timer_stop1(struct snd_ti
+ if (!timer)
+ return -EINVAL;
+ spin_lock_irqsave(&timer->lock, flags);
++ list_del_init(&timeri->ack_list);
++ list_del_init(&timeri->active_list);
+ if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+ SNDRV_TIMER_IFLG_START))) {
+ result = -EBUSY;
+ goto unlock;
+ }
+- list_del_init(&timeri->ack_list);
+- list_del_init(&timeri->active_list);
+ if (timer->card && timer->card->shutdown)
+ goto unlock;
+ if (stop) {
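Review bot: Moving the two `list_del_init()` calls ahead of the RUNNING|START test means they now also run for an instance that was never started and on the -EBUSY path, which is only safe if both list heads are always initialised when the instance is created; the hunk does not show that, so it is worth verifying on 4.4 and recording the reason in place so nobody "tidies" the unlink back below the check: `/* unlink unconditionally: a stopped instance must never stay on ack_list (UAF) */`. The slave path has the same hazard and is handled by the next patch in this series, so the two should be merged together. snd_timer_stop1() starts and ends outside the hunk.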
diff --git a/queue-4.4/alsa-timer-unconditionally-unlink-slave-instances-too.patch b/queue-4.4/alsa-timer-unconditionally-unlink-slave-instances-too.patch
new file mode 100644
index 00000000000..760829004f8
--- /dev/null
+++ b/queue-4.4/alsa-timer-unconditionally-unlink-slave-instances-too.patch
@@ -0,0 +1,55 @@
+From ffdd98277f0a1d15a67a74ae09bee713df4c0dbc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 5 Nov 2021 10:15:17 +0100
+Subject: ALSA: timer: Unconditionally unlink slave instances, too
+
+From: Takashi Iwai
+
+commit ffdd98277f0a1d15a67a74ae09bee713df4c0dbc upstream.
+
+Like the previous fix (commit c0317c0e8709 "ALSA: timer: Fix
+use-after-free problem"), we have to unlink slave timer instances
+immediately at snd_timer_stop(), too. Otherwise it may leave a stale
+entry in the list if the slave instance is freed before actually
+running.
+
+Cc:
+Link: https://lore.kernel.org/r/20211105091517.21733-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/timer.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -566,23 +566,22 @@ static int snd_timer_stop1(struct snd_ti
+ static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
+ {
+ unsigned long flags;
++ bool running;
+
+ spin_lock_irqsave(&slave_active_lock, flags);
+- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
+- spin_unlock_irqrestore(&slave_active_lock, flags);
+- return -EBUSY;
+- }
++ running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING;
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ if (timeri->timer) {
+ spin_lock(&timeri->timer->lock);
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
+- snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+- SNDRV_TIMER_EVENT_PAUSE);
++ if (running)
++ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
++ SNDRV_TIMER_EVENT_PAUSE);
+ spin_unlock(&timeri->timer->lock);
+ }
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+- return 0;
++ return running ? 0 : -EBUSY;
+ }
+
+ /*
diff --git a/queue-4.4/alsa-ua101-fix-division-by-zero-at-probe.patch b/queue-4.4/alsa-ua101-fix-division-by-zero-at-probe.patch
new file mode 100644
index 00000000000..0036131fc3b
--- /dev/null
+++ b/queue-4.4/alsa-ua101-fix-division-by-zero-at-probe.patch
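Review bot: snd_timer_stop_slave() now unlinks the instance and clears SNDRV_TIMER_IFLG_RUNNING even when it was not running, yet still returns -EBUSY, so a caller can no longer read -EBUSY as "nothing was touched"; that asymmetry is the point of the fix and deserves a comment above `running = ...`, e.g. `/* unlink unconditionally (cf. snd_timer_stop1); -EBUSY only reports that it was not running */`. Minor style: `running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING;` stores a masked int into a bool through implicit conversion, which is well defined but reads more clearly as `!!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)`. The function is contained entirely within the hunk.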
@@ -0,0 +1,48 @@
+From 55f261b73a7e1cb254577c3536cef8f415de220a Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 26 Oct 2021 11:54:01 +0200
+Subject: ALSA: ua101: fix division by zero at probe
+
+From: Johan Hovold
+
+commit 55f261b73a7e1cb254577c3536cef8f415de220a upstream.
+
+Add the missing endpoint max-packet sanity check to probe() to avoid
+division by zero in alloc_stream_buffers() in case a malicious device
+has broken descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
+Cc: stable@vger.kernel.org # 2.6.34
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211026095401.26522-1-johan@kernel.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/misc/ua101.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/misc/ua101.c
++++ b/sound/usb/misc/ua101.c
+@@ -1032,7 +1032,7 @@ static int detect_usb_format(struct ua10
+ fmt_playback->bSubframeSize * ua->playback.channels;
+
+ epd = &ua->intf[INTF_CAPTURE]->altsetting[1].endpoint[0].desc;
+- if (!usb_endpoint_is_isoc_in(epd)) {
++ if (!usb_endpoint_is_isoc_in(epd) || usb_endpoint_maxp(epd) == 0) {
+ dev_err(&ua->dev->dev, "invalid capture endpoint\n");
+ return -ENXIO;
+ }
+@@ -1040,7 +1040,7 @@ static int detect_usb_format(struct ua10
+ ua->capture.max_packet_bytes = le16_to_cpu(epd->wMaxPacketSize);
+
+ epd = &ua->intf[INTF_PLAYBACK]->altsetting[1].endpoint[0].desc;
+- if (!usb_endpoint_is_isoc_out(epd)) {
++ if (!usb_endpoint_is_isoc_out(epd) || usb_endpoint_maxp(epd) == 0) {
+ dev_err(&ua->dev->dev, "invalid playback endpoint\n");
+ return -ENXIO;
+ }
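Review bot: The new guard tests `usb_endpoint_maxp(epd)` but the value the driver actually stores and later divides by is the raw `le16_to_cpu(epd->wMaxPacketSize)` (visible for capture at the top of the second hunk); whether usb_endpoint_maxp() returns that same raw field or only the size bits depends on the tree (newer kernels mask off the high-bandwidth multiplier bits), so reading both through the same accessor would make the check and the divisor provably agree. A short comment would also tie the check to its purpose for the next reader: `/* a zero wMaxPacketSize would divide by zero in alloc_stream_buffers() */`. The descriptor-count checks that make `altsetting[1].endpoint[0]` safe to dereference are presumably in find_format_descriptor(), outside the hunk. detect_usb_format() continues beyond the hunk.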
diff --git a/queue-4.4/series b/queue-4.4/series
index 7bca4816616..6ec827f718b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -8,3 +8,10 @@ ocfs2-fix-data-corruption-on-truncate.patch
 mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch
 parisc-fix-ptrace-check-on-syscall-return.patch
 media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch
+alsa-ua101-fix-division-by-zero-at-probe.patch
+alsa-6fire-fix-control-and-bulk-message-timeouts.patch
+alsa-line6-fix-control-and-interrupt-message-timeouts.patch
+alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
+alsa-timer-fix-use-after-free-problem.patch
+alsa-timer-unconditionally-unlink-slave-instances-too.patch
+x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
diff --git a/queue-4.4/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch b/queue-4.4/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
new file mode 100644
index 00000000000..9de5b7abca9
--- /dev/null
+++ b/queue-4.4/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
@@ -0,0 +1,43 @@
+From 6ff53f6a438f72998f56e82e76694a1df9d1ea2c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 8 Oct 2021 17:11:04 -0700
+Subject: x86/irq: Ensure PI wakeup handler is unregistered before module unload
+
+From: Sean Christopherson
+
+commit 6ff53f6a438f72998f56e82e76694a1df9d1ea2c upstream.
+
+Add a synchronize_rcu() after clearing the posted interrupt wakeup handler
+to ensure all readers, i.e. in-flight IRQ handlers, see the new handler
+before returning to the caller. If the caller is an exiting module and
+is unregistering its handler, failure to wait could result in the IRQ
+handler jumping into an unloaded module.
+
+The registration path doesn't require synchronization, as it's the
+caller's responsibility to not generate interrupts it cares about until
+after its handler is registered.
+
+Fixes: f6b3c72c2366 ("x86/irq: Define a global vector for VT-d Posted-Interrupts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20211009001107.3936588-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/irq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/irq.c
++++ b/arch/x86/kernel/irq.c
+@@ -283,8 +283,10 @@ void kvm_set_posted_intr_wakeup_handler(
+ {
+ if (handler)
+ kvm_posted_intr_wakeup_handler = handler;
+- else
++ else {
+ kvm_posted_intr_wakeup_handler = dummy_handler;
++ synchronize_rcu();
++ }
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler);
+
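Review bot: The reader this `synchronize_rcu()` is meant to wait for is, per the commit message, an in-flight IRQ handler (the IPI entry point that calls `kvm_posted_intr_wakeup_handler`, outside this hunk) running with interrupts disabled rather than under rcu_read_lock(); on a 4.4 tree the RCU flavours are not yet unified, and with CONFIG_PREEMPT the primitive whose documented guarantee covers preempt/irq-disabled regions is `synchronize_sched()`, so the backport should either use that or record why `synchronize_rcu()` is sufficient here — worth checking against the tree's rcupdate.h before merging. A comment on the wait would also help the next reader: `/* wait for in-flight IPI handlers before the caller's module can go away */`. Style: once the else branch needs braces, kernel style wants both branches braced (`if (handler) {` … `} else {`), which the upstream commit also skipped. kvm_set_posted_intr_wakeup_handler() is contained entirely within the hunk.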