From: Greg Kroah-Hartman Date: Sat, 30 Mar 2019 09:59:12 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.138~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bea4f87429f35a6617a2a19d866052ab69dfdefe;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-compress-add-support-for-32bit-calls-in-a-64bit-kernel.patch alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch alsa-seq-oss-fix-spectre-v1-vulnerability.patch --- diff --git a/queue-4.4/alsa-compress-add-support-for-32bit-calls-in-a-64bit-kernel.patch b/queue-4.4/alsa-compress-add-support-for-32bit-calls-in-a-64bit-kernel.patch new file mode 100644 index 00000000000..2f406fe7813 --- /dev/null +++ b/queue-4.4/alsa-compress-add-support-for-32bit-calls-in-a-64bit-kernel.patch @@ -0,0 +1,59 @@ +From c10368897e104c008c610915a218f0fe5fa4ec96 Mon Sep 17 00:00:00 2001 +From: Ravindra Lokhande +Date: Mon, 7 Dec 2015 12:08:31 +0530 +Subject: ALSA: compress: add support for 32bit calls in a 64bit kernel + +From: Ravindra Lokhande + +commit c10368897e104c008c610915a218f0fe5fa4ec96 upstream. + +Compress offload does not support ioctl calls from a 32bit userspace +in a 64 bit kernel. This patch adds support for ioctls from a 32bit +userspace in a 64bit kernel + +Signed-off-by: Ravindra Lokhande +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/compress_offload.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -859,6 +860,15 @@ static long snd_compr_ioctl(struct file + return retval; + } + ++/* support of 32bit userspace on 64bit platforms */ ++#ifdef CONFIG_COMPAT ++static long snd_compr_ioctl_compat(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ return snd_compr_ioctl(file, cmd, (unsigned long)compat_ptr(arg)); ++} ++#endif ++ + static const struct file_operations snd_compr_file_ops = { + .owner = THIS_MODULE, + .open = snd_compr_open, +@@ -866,6 +876,9 @@ static const struct file_operations snd_ + .write = snd_compr_write, + .read = snd_compr_read, + .unlocked_ioctl = snd_compr_ioctl, ++#ifdef CONFIG_COMPAT ++ .compat_ioctl = snd_compr_ioctl_compat, ++#endif + .mmap = snd_compr_mmap, + .poll = snd_compr_poll, + }; diff --git a/queue-4.4/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch b/queue-4.4/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch new file mode 100644 index 00000000000..eace4e2d426 --- /dev/null +++ b/queue-4.4/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch @@ -0,0 +1,70 @@ +From 113ce08109f8e3b091399e7cc32486df1cff48e7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 25 Mar 2019 10:38:58 +0100 +Subject: ALSA: pcm: Don't suspend stream in unrecoverable PCM state + +From: Takashi Iwai + +commit 113ce08109f8e3b091399e7cc32486df1cff48e7 upstream. + +Currently PCM core sets each opened stream forcibly to SUSPENDED state +via snd_pcm_suspend_all() call, and the user-space is responsible for +re-triggering the resume manually either via snd_pcm_resume() or +prepare call. The scheme works fine usually, but there are corner +cases where the stream can't be resumed by that call: the streams +still in OPEN state before finishing hw_params. When they are +suspended, user-space cannot perform resume or prepare because they +haven't been set up yet. The only possible recovery is to re-open the +device, which isn't nice at all. Similarly, when a stream is in +DISCONNECTED state, it makes no sense to change it to SUSPENDED +state. Ditto for in SETUP state; which you can re-prepare directly. + +So, this patch addresses these issues by filtering the PCM streams to +be suspended by checking the PCM state. When a stream is in either +OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend +action is skipped. + +To be noted, this problem was originally reported for the PCM runtime +PM on HD-audio. And, the runtime PM problem itself was already +addressed (although not intended) by the code refactoring commits +3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM +ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous +snd_pcm_suspend*() calls"). These commits eliminated the +snd_pcm_suspend*() calls from the runtime PM suspend callback code +path, hence the racy OPEN state won't appear while runtime PM. +(FWIW, the race window is between snd_pcm_open_substream() and the +first power up in azx_pcm_open().) + +Although the runtime PM issue was already "fixed", the same problem is +still present for the system PM, hence this patch is still needed. +And for stable trees, this patch alone should suffice for fixing the +runtime PM problem, too. + +Reported-and-tested-by: Jon Hunter +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_native.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1254,8 +1254,15 @@ static int snd_pcm_pause(struct snd_pcm_ + static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state) + { + struct snd_pcm_runtime *runtime = substream->runtime; +- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED) ++ switch (runtime->status->state) { ++ case SNDRV_PCM_STATE_SUSPENDED: + return -EBUSY; ++ /* unresumable PCM state; return -EBUSY for skipping suspend */ ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_DISCONNECTED: ++ return -EBUSY; ++ } + runtime->trigger_master = substream; + return 0; + } diff --git a/queue-4.4/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch b/queue-4.4/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch new file mode 100644 index 00000000000..e20d190a6db --- /dev/null +++ b/queue-4.4/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch @@ -0,0 +1,104 @@ +From ca0214ee2802dd47239a4e39fb21c5b00ef61b22 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 22 Mar 2019 16:00:54 +0100 +Subject: ALSA: pcm: Fix possible OOB access in PCM oss plugins + +From: Takashi Iwai + +commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 upstream. + +The PCM OSS emulation converts and transfers the data on the fly via +"plugins". The data is converted over the dynamically allocated +buffer for each plugin, and recently syzkaller caught OOB in this +flow. + +Although the bisection by syzbot pointed out to the commit +65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer +allocations"), this is merely a commit to replace vmalloc() with +kvmalloc(), hence it can't be the cause. The further debug action +revealed that this happens in the case where a slave PCM doesn't +support only the stereo channels while the OSS stream is set up for a +mono channel. Below is a brief explanation: + +At each OSS parameter change, the driver sets up the PCM hw_params +again in snd_pcm_oss_change_params_lock(). This is also the place +where plugins are created and local buffers are allocated. The +problem is that the plugins are created before the final hw_params is +determined. Namely, two snd_pcm_hw_param_near() calls for setting the +period size and periods may influence on the final result of channels, +rates, etc, too, while the current code has already created plugins +beforehand with the premature values. So, the plugin believes that +channels=1, while the actual I/O is with channels=2, which makes the +driver reading/writing over the allocated buffer size. + +The fix is simply to move the plugin allocation code after the final +hw_params call. + +Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/pcm_oss.c | 43 ++++++++++++++++++++++--------------------- + 1 file changed, 22 insertions(+), 21 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -950,6 +950,28 @@ static int snd_pcm_oss_change_params_loc + oss_frame_size = snd_pcm_format_physical_width(params_format(params)) * + params_channels(params) / 8; + ++ err = snd_pcm_oss_period_size(substream, params, sparams); ++ if (err < 0) ++ goto failure; ++ ++ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); ++ if (err < 0) ++ goto failure; ++ ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, ++ runtime->oss.periods, NULL); ++ if (err < 0) ++ goto failure; ++ ++ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); ++ ++ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams); ++ if (err < 0) { ++ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); ++ goto failure; ++ } ++ + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + snd_pcm_oss_plugin_clear(substream); + if (!direct) { +@@ -984,27 +1006,6 @@ static int snd_pcm_oss_change_params_loc + } + #endif + +- err = snd_pcm_oss_period_size(substream, params, sparams); +- if (err < 0) +- goto failure; +- +- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); +- if (err < 0) +- goto failure; +- +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, +- runtime->oss.periods, NULL); +- if (err < 0) +- goto failure; +- +- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); +- +- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) { +- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); +- goto failure; +- } +- + if (runtime->oss.trigger) { + sw_params->start_threshold = 1; + } else { diff --git a/queue-4.4/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch b/queue-4.4/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..73dbed191f7 --- /dev/null +++ b/queue-4.4/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch @@ -0,0 +1,52 @@ +From 2b1d9c8f87235f593826b9cf46ec10247741fff9 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 20 Mar 2019 16:15:24 -0500 +Subject: ALSA: rawmidi: Fix potential Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream. + +info->stream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap) + +Fix this by sanitizing info->stream before using it to index +rmidi->streams. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/rawmidi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(str + return -ENXIO; + if (info->stream < 0 || info->stream > 1) + return -EINVAL; ++ info->stream = array_index_nospec(info->stream, 2); + pstr = &rmidi->streams[info->stream]; + if (pstr->substream_count == 0) + return -ENOENT; diff --git a/queue-4.4/alsa-seq-oss-fix-spectre-v1-vulnerability.patch b/queue-4.4/alsa-seq-oss-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..90fa940aa5d --- /dev/null +++ b/queue-4.4/alsa-seq-oss-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,53 @@ +From c709f14f0616482b67f9fbcb965e1493a03ff30b Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 20 Mar 2019 18:42:01 -0500 +Subject: ALSA: seq: oss: Fix Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream. + +dev is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap) + +Fix this by sanitizing dev before using it to index dp->synths. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/oss/seq_oss_synth.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -617,13 +617,14 @@ int + snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); + +- if (dev < 0 || dev >= dp->max_synthdev) ++ if (!info) + return -ENXIO; + +- if (dp->synths[dev].is_midi) { ++ if (info->is_midi) { + struct midi_info minf; +- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf); ++ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf); + inf->synth_type = SYNTH_TYPE_MIDI; + inf->synth_subtype = 0; + inf->nr_voices = 16; diff --git a/queue-4.4/series b/queue-4.4/series index 947557ddb5e..0d333e0a0c6 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -100,3 +100,8 @@ mac8390-fix-mmio-access-size-probe.patch btrfs-remove-warn_on-in-log_dir_items.patch btrfs-raid56-properly-unmap-parity-page-in-finish_parity_scrub.patch arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch +alsa-compress-add-support-for-32bit-calls-in-a-64bit-kernel.patch +alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch +alsa-seq-oss-fix-spectre-v1-vulnerability.patch +alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch +alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch