From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 27 Nov 2021 13:11:47 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v5.15.6~72
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2dcfe038afed7559ba6c7c97009160168d97c17;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	alsa-ctxfi-fix-out-of-range-access.patch
	binder-fix-test-regression-due-to-sender_euid-change.patch
	fuse-fix-page-stealing.patch
	staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
---

diff --git a/queue-4.9/alsa-ctxfi-fix-out-of-range-access.patch b/queue-4.9/alsa-ctxfi-fix-out-of-range-access.patch
new file mode 100644
index 00000000000..c2af8599c2e
--- /dev/null
+++ b/queue-4.9/alsa-ctxfi-fix-out-of-range-access.patch
@@ -0,0 +1,181 @@
+From 76c47183224c86e4011048b80f0e2d0d166f01c2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 18 Nov 2021 22:57:29 +0100
+Subject: ALSA: ctxfi: Fix out-of-range access
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 76c47183224c86e4011048b80f0e2d0d166f01c2 upstream.
+
+The master and next_conj of rcs_ops are used for iterating the
+resource list entries, and currently those are supposed to return the
+current value.  The problem is that next_conf may go over the last
+entry before the loop abort condition is evaluated, and it may return
+the "current" value that is beyond the array size.  It was caught
+recently as a GPF, for example.
+
+Those return values are, however, never actually evaluated, hence
+basically we don't have to consider the current value as the return at
+all.  By dropping those return values, the potential out-of-range
+access above is also fixed automatically.
+
+This patch changes the return type of master and next_conj callbacks
+to void and drop the superfluous code accordingly.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214985
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211118215729.26257-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ctxfi/ctamixer.c   |   14 ++++++--------
+ sound/pci/ctxfi/ctdaio.c     |   16 ++++++++--------
+ sound/pci/ctxfi/ctresource.c |    7 +++----
+ sound/pci/ctxfi/ctresource.h |    4 ++--
+ sound/pci/ctxfi/ctsrc.c      |    7 +++----
+ 5 files changed, 22 insertions(+), 26 deletions(-)
+
+--- a/sound/pci/ctxfi/ctamixer.c
++++ b/sound/pci/ctxfi/ctamixer.c
+@@ -27,16 +27,15 @@
+ 
+ #define BLANK_SLOT		4094
+ 
+-static int amixer_master(struct rsc *rsc)
++static void amixer_master(struct rsc *rsc)
+ {
+ 	rsc->conj = 0;
+-	return rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0];
++	rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0];
+ }
+ 
+-static int amixer_next_conj(struct rsc *rsc)
++static void amixer_next_conj(struct rsc *rsc)
+ {
+ 	rsc->conj++;
+-	return container_of(rsc, struct amixer, rsc)->idx[rsc->conj];
+ }
+ 
+ static int amixer_index(const struct rsc *rsc)
+@@ -335,16 +334,15 @@ int amixer_mgr_destroy(struct amixer_mgr
+ 
+ /* SUM resource management */
+ 
+-static int sum_master(struct rsc *rsc)
++static void sum_master(struct rsc *rsc)
+ {
+ 	rsc->conj = 0;
+-	return rsc->idx = container_of(rsc, struct sum, rsc)->idx[0];
++	rsc->idx = container_of(rsc, struct sum, rsc)->idx[0];
+ }
+ 
+-static int sum_next_conj(struct rsc *rsc)
++static void sum_next_conj(struct rsc *rsc)
+ {
+ 	rsc->conj++;
+-	return container_of(rsc, struct sum, rsc)->idx[rsc->conj];
+ }
+ 
+ static int sum_index(const struct rsc *rsc)
+--- a/sound/pci/ctxfi/ctdaio.c
++++ b/sound/pci/ctxfi/ctdaio.c
+@@ -55,12 +55,12 @@ static struct daio_rsc_idx idx_20k2[NUM_
+ 	[SPDIFIO] = {.left = 0x05, .right = 0x85},
+ };
+ 
+-static int daio_master(struct rsc *rsc)
++static void daio_master(struct rsc *rsc)
+ {
+ 	/* Actually, this is not the resource index of DAIO.
+ 	 * For DAO, it is the input mapper index. And, for DAI,
+ 	 * it is the output time-slot index. */
+-	return rsc->conj = rsc->idx;
++	rsc->conj = rsc->idx;
+ }
+ 
+ static int daio_index(const struct rsc *rsc)
+@@ -68,19 +68,19 @@ static int daio_index(const struct rsc *
+ 	return rsc->conj;
+ }
+ 
+-static int daio_out_next_conj(struct rsc *rsc)
++static void daio_out_next_conj(struct rsc *rsc)
+ {
+-	return rsc->conj += 2;
++	rsc->conj += 2;
+ }
+ 
+-static int daio_in_next_conj_20k1(struct rsc *rsc)
++static void daio_in_next_conj_20k1(struct rsc *rsc)
+ {
+-	return rsc->conj += 0x200;
++	rsc->conj += 0x200;
+ }
+ 
+-static int daio_in_next_conj_20k2(struct rsc *rsc)
++static void daio_in_next_conj_20k2(struct rsc *rsc)
+ {
+-	return rsc->conj += 0x100;
++	rsc->conj += 0x100;
+ }
+ 
+ static const struct rsc_ops daio_out_rsc_ops = {
+--- a/sound/pci/ctxfi/ctresource.c
++++ b/sound/pci/ctxfi/ctresource.c
+@@ -113,18 +113,17 @@ static int audio_ring_slot(const struct
+     return (rsc->conj << 4) + offset_in_audio_slot_block[rsc->type];
+ }
+ 
+-static int rsc_next_conj(struct rsc *rsc)
++static void rsc_next_conj(struct rsc *rsc)
+ {
+ 	unsigned int i;
+ 	for (i = 0; (i < 8) && (!(rsc->msr & (0x1 << i))); )
+ 		i++;
+ 	rsc->conj += (AUDIO_SLOT_BLOCK_NUM >> i);
+-	return rsc->conj;
+ }
+ 
+-static int rsc_master(struct rsc *rsc)
++static void rsc_master(struct rsc *rsc)
+ {
+-	return rsc->conj = rsc->idx;
++	rsc->conj = rsc->idx;
+ }
+ 
+ static const struct rsc_ops rsc_generic_ops = {
+--- a/sound/pci/ctxfi/ctresource.h
++++ b/sound/pci/ctxfi/ctresource.h
+@@ -43,8 +43,8 @@ struct rsc {
+ };
+ 
+ struct rsc_ops {
+-	int (*master)(struct rsc *rsc);	/* Move to master resource */
+-	int (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */
++	void (*master)(struct rsc *rsc); /* Move to master resource */
++	void (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */
+ 	int (*index)(const struct rsc *rsc); /* Return the index of resource */
+ 	/* Return the output slot number */
+ 	int (*output_slot)(const struct rsc *rsc);
+--- a/sound/pci/ctxfi/ctsrc.c
++++ b/sound/pci/ctxfi/ctsrc.c
+@@ -594,16 +594,15 @@ int src_mgr_destroy(struct src_mgr *src_
+ 
+ /* SRCIMP resource manager operations */
+ 
+-static int srcimp_master(struct rsc *rsc)
++static void srcimp_master(struct rsc *rsc)
+ {
+ 	rsc->conj = 0;
+-	return rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0];
++	rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0];
+ }
+ 
+-static int srcimp_next_conj(struct rsc *rsc)
++static void srcimp_next_conj(struct rsc *rsc)
+ {
+ 	rsc->conj++;
+-	return container_of(rsc, struct srcimp, rsc)->idx[rsc->conj];
+ }
+ 
+ static int srcimp_index(const struct rsc *rsc)
diff --git a/queue-4.9/binder-fix-test-regression-due-to-sender_euid-change.patch b/queue-4.9/binder-fix-test-regression-due-to-sender_euid-change.patch
new file mode 100644
index 00000000000..e44f7990c8f
--- /dev/null
+++ b/queue-4.9/binder-fix-test-regression-due-to-sender_euid-change.patch
@@ -0,0 +1,37 @@
+From c21a80ca0684ec2910344d72556c816cb8940c01 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@google.com>
+Date: Fri, 12 Nov 2021 10:07:20 -0800
+Subject: binder: fix test regression due to sender_euid change
+
+From: Todd Kjos <tkjos@google.com>
+
+commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.
+
+This is a partial revert of commit
+29bc22ac5e5b ("binder: use euid from cred instead of using task").
+Setting sender_euid using proc->cred caused some Android system test
+regressions that need further investigation. It is a partial
+reversion because subsequent patches rely on proc->cred.
+
+Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
+Cc: stable@vger.kernel.org # 4.4+
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
+Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1506,7 +1506,7 @@ static void binder_transaction(struct bi
+ 		t->from = thread;
+ 	else
+ 		t->from = NULL;
+-	t->sender_euid = proc->cred->euid;
++	t->sender_euid = task_euid(proc->tsk);
+ 	t->to_proc = target_proc;
+ 	t->to_thread = target_thread;
+ 	t->code = tr->code;
diff --git a/queue-4.9/fuse-fix-page-stealing.patch b/queue-4.9/fuse-fix-page-stealing.patch
new file mode 100644
index 00000000000..d9157c784e6
--- /dev/null
+++ b/queue-4.9/fuse-fix-page-stealing.patch
@@ -0,0 +1,64 @@
+From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 2 Nov 2021 11:10:37 +0100
+Subject: fuse: fix page stealing
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
+
+It is possible to trigger a crash by splicing anon pipe bufs to the fuse
+device.
+
+The reason for this is that anon_pipe_buf_release() will reuse buf->page if
+the refcount is 1, but that page might have already been stolen and its
+flags modified (e.g. PG_lru added).
+
+This happens in the unlikely case of fuse_dev_splice_write() getting around
+to calling pipe_buf_release() after a page has been stolen, added to the
+page cache and removed from the page cache.
+
+Fix by calling pipe_buf_release() right after the page was inserted into
+the page cache.  In this case the page has an elevated refcount so any
+release function will know that the page isn't reusable.
+
+Reported-by: Frank Dinoff <fdinoff@google.com>
+Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Cc: <stable@vger.kernel.org> # v2.6.35
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -898,6 +898,12 @@ static int fuse_try_move_page(struct fus
+ 		goto out_put_old;
+ 	}
+ 
++	/*
++	 * Release while we have extra ref on stolen page.  Otherwise
++	 * anon_pipe_buf_release() might think the page can be reused.
++	 */
++	pipe_buf_release(cs->pipe, buf);
++
+ 	get_page(newpage);
+ 
+ 	if (!(buf->flags & PIPE_BUF_FLAG_LRU))
+@@ -2040,8 +2046,12 @@ static ssize_t fuse_dev_splice_write(str
+ 
+ 	pipe_lock(pipe);
+ out_free:
+-	for (idx = 0; idx < nbuf; idx++)
+-		pipe_buf_release(pipe, &bufs[idx]);
++	for (idx = 0; idx < nbuf; idx++) {
++		struct pipe_buffer *buf = &bufs[idx];
++
++		if (buf->ops)
++			pipe_buf_release(pipe, buf);
++	}
+ 	pipe_unlock(pipe);
+ 
+ 	kfree(bufs);
diff --git a/queue-4.9/series b/queue-4.9/series
index a5c2655d3b4..ae9b4d72c24 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -3,3 +3,7 @@ usb-serial-option-add-telit-le910s1-0x9200-composition.patch
 usb-serial-option-add-fibocom-fm101-gl-variants.patch
 usb-hub-fix-usb-enumeration-issue-due-to-address0-race.patch
 usb-hub-fix-locking-issues-with-address0_mutex.patch
+binder-fix-test-regression-due-to-sender_euid-change.patch
+alsa-ctxfi-fix-out-of-range-access.patch
+staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
+fuse-fix-page-stealing.patch
diff --git a/queue-4.9/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch b/queue-4.9/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
new file mode 100644
index 00000000000..b747404a91e
--- /dev/null
+++ b/queue-4.9/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
@@ -0,0 +1,39 @@
+From b535917c51acc97fb0761b1edec85f1f3d02bda4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 17 Nov 2021 10:20:16 +0300
+Subject: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b535917c51acc97fb0761b1edec85f1f3d02bda4 upstream.
+
+The free_rtllib() function frees the "dev" pointer so there is use
+after free on the next line.  Re-arrange things to avoid that.
+
+Fixes: 66898177e7e5 ("staging: rtl8192e: Fix unload/reload problem")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211117072016.GA5237@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+@@ -2710,13 +2710,14 @@ static void _rtl92e_pci_disconnect(struc
+ 			free_irq(dev->irq, dev);
+ 			priv->irq = 0;
+ 		}
+-		free_rtllib(dev);
+ 
+ 		if (dev->mem_start != 0) {
+ 			iounmap((void __iomem *)dev->mem_start);
+ 			release_mem_region(pci_resource_start(pdev, 1),
+ 					pci_resource_len(pdev, 1));
+ 		}
++
++		free_rtllib(dev);
+ 	} else {
+ 		priv = rtllib_priv(dev);
+ 	}