From: Greg Kroah-Hartman Date: Sun, 12 Dec 2021 12:41:40 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.295~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cbca7828208b5c31aedadbe71cf3525c6202a92a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch alsa-pcm-oss-fix-negative-period-buffer-sizes.patch alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch alsa-pcm-oss-limit-the-period-size-to-16mb.patch
---
diff --git a/queue-4.4/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch b/queue-4.4/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch
new file mode 100644
index 00000000000..31bf65f32e3
--- /dev/null
+++ b/queue-4.4/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch
@@ -0,0 +1,51 @@
+From b6409dd6bdc03aa178bbff0d80db2a30d29b63ac Mon Sep 17 00:00:00 2001
+From: Alan Young
+Date: Thu, 2 Dec 2021 15:06:07 +0000
+Subject: ALSA: ctl: Fix copy of updated id with element read/write
+
+From: Alan Young
+
+commit b6409dd6bdc03aa178bbff0d80db2a30d29b63ac upstream.
+
+When control_compat.c:copy_ctl_value_to_user() is used, by
+ctl_elem_read_user() & ctl_elem_write_user(), it must also copy back the
+snd_ctl_elem_id value that may have been updated (filled in) by the call
+to snd_ctl_elem_read/snd_ctl_elem_write().
+
+This matches the functionality provided by snd_ctl_elem_read_user() and
+snd_ctl_elem_write_user(), via snd_ctl_build_ioff().
+
+Without this, and without making additional calls to snd_ctl_info()
+which are unnecessary when using the non-compat calls, a userspace
+application will not know the numid value for the element and
+consequently will not be able to use the poll/read interface on the
+control file to determine which elements have updates.
+
+Signed-off-by: Alan Young
+Cc:
+Link: https://lore.kernel.org/r/20211202150607.543389-1-consult.awy@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/control_compat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/control_compat.c
++++ b/sound/core/control_compat.c
+@@ -281,6 +281,7 @@ static int copy_ctl_value_to_user(void _
+ struct snd_ctl_elem_value *data,
+ int type, int count)
+ {
++ struct snd_ctl_elem_value32 __user *data32 = userdata;
+ int i, size;
+
+ if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN ||
+@@ -297,6 +298,8 @@ static int copy_ctl_value_to_user(void _
+ if (copy_to_user(valuep, data->value.bytes.data, size))
+ return -EFAULT;
+ }
++ if (copy_to_user(&data32->id, &data->id, sizeof(data32->id)))
++ return -EFAULT;
+ return 0;
+ }
+
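Review bot: The added `copy_to_user(&data32->id, &data->id, sizeof(data32->id))` at the end of copy_ctl_value_to_user() has no comment explaining why the id is written back after the value has already been copied. The reason is only in the commit message, so a short comment above the call would keep it with the code, for example `/* copy back the id: snd_ctl_elem_read()/snd_ctl_elem_write() may have filled in numid */`. If any caller passes a user structure other than `struct snd_ctl_elem_value32` (callers are not visible in this hunk), the new `data32` cast should also note that only the leading `id` member is written through it. The function's signature is cut off in the hunk header, so its full parameter list is not shown here.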
diff --git a/queue-4.4/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch b/queue-4.4/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
new file mode 100644
index 00000000000..b90094dfea4
--- /dev/null
+++ b/queue-4.4/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
@@ -0,0 +1,96 @@
+From 9d2479c960875ca1239bcb899f386970c13d9cfe Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 1 Dec 2021 08:36:04 +0100
+Subject: ALSA: pcm: oss: Fix negative period/buffer sizes
+
+From: Takashi Iwai
+
+commit 9d2479c960875ca1239bcb899f386970c13d9cfe upstream.
+
+The period size calculation in OSS layer may receive a negative value
+as an error, but the code there assumes only the positive values and
+handle them with size_t. Due to that, a too big value may be passed
+to the lower layers.
+
+This patch changes the code to handle with ssize_t and adds the proper
+error checks appropriately.
+
+Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
+Reported-by: Bixuan Cui
+Cc:
+Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
+Link: https://lore.kernel.org/r/20211201073606.11660-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/oss/pcm_oss.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -172,7 +172,7 @@ snd_pcm_hw_param_value_min(const struct
+ *
+ * Return the maximum value for field PAR.
+ */
+-static unsigned int
++static int
+ snd_pcm_hw_param_value_max(const struct snd_pcm_hw_params *params,
+ snd_pcm_hw_param_t var, int *dir)
+ {
+@@ -707,18 +707,24 @@ static int snd_pcm_oss_period_size(struc
+ struct snd_pcm_hw_params *oss_params,
+ struct snd_pcm_hw_params *slave_params)
+ {
+- size_t s;
+- size_t oss_buffer_size, oss_period_size, oss_periods;
+- size_t min_period_size, max_period_size;
++ ssize_t s;
++ ssize_t oss_buffer_size;
++ ssize_t oss_period_size, oss_periods;
++ ssize_t min_period_size, max_period_size;
+ struct snd_pcm_runtime *runtime = substream->runtime;
+ size_t oss_frame_size;
+
+ oss_frame_size = snd_pcm_format_physical_width(params_format(oss_params)) *
+ params_channels(oss_params) / 8;
+
++ oss_buffer_size = snd_pcm_hw_param_value_max(slave_params,
++ SNDRV_PCM_HW_PARAM_BUFFER_SIZE,
++ NULL);
++ if (oss_buffer_size <= 0)
++ return -EINVAL;
+ oss_buffer_size = snd_pcm_plug_client_size(substream,
+- snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, NULL)) * oss_frame_size;
+- if (!oss_buffer_size)
++ oss_buffer_size * oss_frame_size);
++ if (oss_buffer_size <= 0)
+ return -EINVAL;
+ oss_buffer_size = rounddown_pow_of_two(oss_buffer_size);
+ if (atomic_read(&substream->mmap_count)) {
+@@ -755,7 +761,7 @@ static int snd_pcm_oss_period_size(struc
+
+ min_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_min(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- if (min_period_size) {
++ if (min_period_size > 0) {
+ min_period_size *= oss_frame_size;
+ min_period_size = roundup_pow_of_two(min_period_size);
+ if (oss_period_size < min_period_size)
+@@ -764,7 +770,7 @@ static int snd_pcm_oss_period_size(struc
+
+ max_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- if (max_period_size) {
++ if (max_period_size > 0) {
+ max_period_size *= oss_frame_size;
+ max_period_size = rounddown_pow_of_two(max_period_size);
+ if (oss_period_size > max_period_size)
+@@ -777,7 +783,7 @@ static int snd_pcm_oss_period_size(struc
+ oss_periods = substream->oss.setup.periods;
+
+ s = snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIODS, NULL);
+- if (runtime->oss.maxfrags && s > runtime->oss.maxfrags)
++ if (s > 0 && runtime->oss.maxfrags && s > runtime->oss.maxfrags)
+ s = runtime->oss.maxfrags;
+ if (oss_periods > s)
+ oss_periods = s;
diff --git a/queue-4.4/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch b/queue-4.4/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch
new file mode 100644
index 00000000000..5c918251155
--- /dev/null
+++ b/queue-4.4/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch
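Review bot: In snd_pcm_oss_period_size() (alsa-pcm-oss-fix-negative-period-buffer-sizes.patch) the new buffer-size path multiplies by `oss_frame_size` before calling snd_pcm_plug_client_size(), whereas the removed line multiplied that function's result, and the min/max period paths in the same patch still convert first and apply `*= oss_frame_size` afterwards. The commit message only describes the switch to ssize_t and the added error checks, so this reordering looks unintended; the product is also computed in the unsigned type of `oss_frame_size` and handed to the conversion unchecked. Keeping the original order would read `oss_buffer_size = snd_pcm_plug_client_size(substream, oss_buffer_size);`, then `if (oss_buffer_size <= 0) return -EINVAL;`, then `oss_buffer_size *= oss_frame_size;`. What unit snd_pcm_plug_client_size() expects is not visible in this hunk, so this should be confirmed against its definition.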
@@ -0,0 +1,41 @@
+From 6665bb30a6b1a4a853d52557c05482ee50e71391 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 1 Dec 2021 08:36:06 +0100
+Subject: ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
+
+From: Takashi Iwai
+
+commit 6665bb30a6b1a4a853d52557c05482ee50e71391 upstream.
+
+A couple of calls in snd_pcm_oss_change_params_locked() ignore the
+possible errors. Catch those errors and abort the operation for
+avoiding further problems.
+
+Cc:
+Link: https://lore.kernel.org/r/20211201073606.11660-4-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/oss/pcm_oss.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -909,8 +909,15 @@ static int snd_pcm_oss_change_params_loc
+ err = -EINVAL;
+ goto failure;
+ }
+- choose_rate(substream, sparams, runtime->oss.rate);
+- snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_CHANNELS, runtime->oss.channels, NULL);
++
++ err = choose_rate(substream, sparams, runtime->oss.rate);
++ if (err < 0)
++ goto failure;
++ err = snd_pcm_hw_param_near(substream, sparams,
++ SNDRV_PCM_HW_PARAM_CHANNELS,
++ runtime->oss.channels, NULL);
++ if (err < 0)
++ goto failure;
+
+ format = snd_pcm_oss_format_from(runtime->oss.format);
+
diff --git a/queue-4.4/alsa-pcm-oss-limit-the-period-size-to-16mb.patch b/queue-4.4/alsa-pcm-oss-limit-the-period-size-to-16mb.patch
new file mode 100644
index 00000000000..f500f2d37b1
--- /dev/null
+++ b/queue-4.4/alsa-pcm-oss-limit-the-period-size-to-16mb.patch
@@ -0,0 +1,38 @@
+From 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 1 Dec 2021 08:36:05 +0100
+Subject: ALSA: pcm: oss: Limit the period size to 16MB
+
+From: Takashi Iwai
+
+commit 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 upstream.
+
+Set the practical limit to the period size (the fragment shift in OSS)
+instead of a full 31bit; a too large value could lead to the exhaust
+of memory as we allocate temporary buffers of the period size, too.
+
+As of this patch, we set to 16MB limit, which should cover all use
+cases.
+
+Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
+Reported-by: Bixuan Cui
+Cc:
+Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
+Link: https://lore.kernel.org/r/20211201073606.11660-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/oss/pcm_oss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -2018,7 +2018,7 @@ static int snd_pcm_oss_set_fragment1(str
+ if (runtime->oss.subdivision || runtime->oss.fragshift)
+ return -EINVAL;
+ fragshift = val & 0xffff;
+- if (fragshift >= 31)
++ if (fragshift >= 25) /* should be large enough */
+ return -EINVAL;
+ runtime->oss.fragshift = fragshift;
+ runtime->oss.maxfrags = (val >> 16) & 0xffff;
diff --git a/queue-4.4/series b/queue-4.4/series
index 63e63843a24..16b6d9739e2 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
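Review bot: The new bound in snd_pcm_oss_set_fragment1() (alsa-pcm-oss-limit-the-period-size-to-16mb.patch), `if (fragshift >= 25) /* should be large enough */`, is a bare number whose comment does not say what is being limited or why. The commit message gives the reason, a 16MB cap on the period size because temporary buffers of that size are allocated, and that belongs next to the check, e.g. `/* cap the period at 1 << 24 (16MB); temporary buffers of the period size are allocated */`. A named constant for the maximum shift would also make the limit easy to find if it has to be revisited. The function begins before the hunk and continues after it.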
@@ -8,3 +8,7 @@ hid-check-for-valid-usb-device-for-many-hid-drivers.patch
 can-sja1000-fix-use-after-free-in-ems_pcmcia_add_card.patch
 nfc-fix-potential-null-pointer-deref-in-nfc_genl_dump_ses_done.patch
 mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregistered.patch
+alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch
+alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
+alsa-pcm-oss-limit-the-period-size-to-16mb.patch
+alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch