From: Greg Kroah-Hartman
Date: Sat, 30 Mar 2019 10:00:50 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v3.18.138~51
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dae93bc1791b3e944c53ff7c262c5eab826d6f5b;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
alsa-hda-realtek-add-support-headset-mode-for-dell-wyse-aio.patch
alsa-hda-realtek-add-support-headset-mode-for-new-dell-wyse-nb.patch
alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch
alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch
alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch
alsa-seq-oss-fix-spectre-v1-vulnerability.patch
---
diff --git a/queue-4.14/alsa-hda-realtek-add-support-headset-mode-for-dell-wyse-aio.patch b/queue-4.14/alsa-hda-realtek-add-support-headset-mode-for-dell-wyse-aio.patch
new file mode 100644
index 00000000000..89320091915
--- /dev/null
+++ b/queue-4.14/alsa-hda-realtek-add-support-headset-mode-for-dell-wyse-aio.patch
@@ -0,0 +1,68 @@
+From 136824efaab2c095fc911048f7c7ddeda258c965 Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Thu, 14 Mar 2019 16:22:45 +0800
+Subject: ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO
+
+From: Kailang Yang
+
+commit 136824efaab2c095fc911048f7c7ddeda258c965 upstream.
+
+This patch will enable WYSE AIO for Headset mode.
+
+Signed-off-by: Kailang Yang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5436,6 +5436,9 @@ enum {
+ ALC298_FIXUP_TPT470_DOCK,
+ ALC255_FIXUP_DUMMY_LINEOUT_VERB,
+ ALC255_FIXUP_DELL_HEADSET_MIC,
++ ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE,
++ ALC225_FIXUP_WYSE_AUTO_MUTE,
++ ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -6311,6 +6314,28 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MIC
+ },
++ [ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x16, 0x01011020 }, /* Rear Line out */
++ { 0x19, 0x01a1913c }, /* use as Front headset mic, without its own jack detect */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC225_FIXUP_WYSE_AUTO_MUTE
++ },
++ [ALC225_FIXUP_WYSE_AUTO_MUTE] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_auto_mute_via_amp,
++ .chained = true,
++ .chain_id = ALC225_FIXUP_WYSE_DISABLE_MIC_VREF
++ },
++ [ALC225_FIXUP_WYSE_DISABLE_MIC_VREF] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_disable_mic_vref,
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -6369,6 +6394,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x0871, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1028, 0x0872, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1028, 0x0873, "Dell Precision 3930", ALC255_FIXUP_DUMMY_LINEOUT_VERB),
++ SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
diff --git a/queue-4.14/alsa-hda-realtek-add-support-headset-mode-for-new-dell-wyse-nb.patch b/queue-4.14/alsa-hda-realtek-add-support-headset-mode-for-new-dell-wyse-nb.patch
new file mode 100644
index 00000000000..738536567ee
--- /dev/null
+++ b/queue-4.14/alsa-hda-realtek-add-support-headset-mode-for-new-dell-wyse-nb.patch
@@ -0,0 +1,29 @@
+From da484d00f020af3dd7cfcc6c4b69a7f856832883 Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Thu, 14 Mar 2019 15:50:59 +0800
+Subject: ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB
+
+From: Kailang Yang
+
+commit da484d00f020af3dd7cfcc6c4b69a7f856832883 upstream.
+
+Enable headset mode support for new WYSE NB platform.
+
+Signed-off-by: Kailang Yang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6395,6 +6395,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x0872, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1028, 0x0873, "Dell Precision 3930", ALC255_FIXUP_DUMMY_LINEOUT_VERB),
+ SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
diff --git a/queue-4.14/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch b/queue-4.14/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch
new file mode 100644
index 00000000000..83378cd98aa
--- /dev/null
+++ b/queue-4.14/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch
@@ -0,0 +1,70 @@
+From 113ce08109f8e3b091399e7cc32486df1cff48e7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 25 Mar 2019 10:38:58 +0100
+Subject: ALSA: pcm: Don't suspend stream in unrecoverable PCM state
+
+From: Takashi Iwai
+
+commit 113ce08109f8e3b091399e7cc32486df1cff48e7 upstream.
+
+Currently PCM core sets each opened stream forcibly to SUSPENDED state
+via snd_pcm_suspend_all() call, and the user-space is responsible for
+re-triggering the resume manually either via snd_pcm_resume() or
+prepare call. The scheme works fine usually, but there are corner
+cases where the stream can't be resumed by that call: the streams
+still in OPEN state before finishing hw_params. When they are
+suspended, user-space cannot perform resume or prepare because they
+haven't been set up yet. The only possible recovery is to re-open the
+device, which isn't nice at all. Similarly, when a stream is in
+DISCONNECTED state, it makes no sense to change it to SUSPENDED
+state. Ditto for in SETUP state; which you can re-prepare directly.
+
+So, this patch addresses these issues by filtering the PCM streams to
+be suspended by checking the PCM state. When a stream is in either
+OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend
+action is skipped.
+
+To be noted, this problem was originally reported for the PCM runtime
+PM on HD-audio. And, the runtime PM problem itself was already
+addressed (although not intended) by the code refactoring commits
+3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM
+ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous
+snd_pcm_suspend*() calls"). These commits eliminated the
+snd_pcm_suspend*() calls from the runtime PM suspend callback code
+path, hence the racy OPEN state won't appear while runtime PM.
+(FWIW, the race window is between snd_pcm_open_substream() and the
+first power up in azx_pcm_open().)
+
+Although the runtime PM issue was already "fixed", the same problem is
+still present for the system PM, hence this patch is still needed.
+And for stable trees, this patch alone should suffice for fixing the
+runtime PM problem, too.
+
+Reported-and-tested-by: Jon Hunter
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm_native.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -1395,8 +1395,15 @@ static int snd_pcm_pause(struct snd_pcm_
+ static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state)
+ {
+ struct snd_pcm_runtime *runtime = substream->runtime;
+- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
++ switch (runtime->status->state) {
++ case SNDRV_PCM_STATE_SUSPENDED:
+ return -EBUSY;
++ /* unresumable PCM state; return -EBUSY for skipping suspend */
++ case SNDRV_PCM_STATE_OPEN:
++ case SNDRV_PCM_STATE_SETUP:
++ case SNDRV_PCM_STATE_DISCONNECTED:
++ return -EBUSY;
++ }
+ runtime->trigger_master = substream;
+ return 0;
+ }
diff --git a/queue-4.14/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch b/queue-4.14/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch
new file mode 100644
index 00000000000..2296895dbdb
--- /dev/null
+++ b/queue-4.14/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch
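Review bot: The new `switch` in snd_pcm_pre_suspend() skips OPEN, SETUP and DISCONNECTED streams by returning -EBUSY, the same code already used for SUSPENDED, so the skip only works if every caller on the suspend path treats -EBUSY as "nothing to do" rather than as a failure. Those callers are outside the hunk; for the 4.14 backport it is worth confirming that the suspend-all loop and any driver that calls the suspend helper directly still tolerate -EBUSY. On style, the two case groups could share a single `return -EBUSY;` with the comment placed above the first label, and a `default: break;` would make the fall-through to the normal path explicit.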
@@ -0,0 +1,104 @@
+From ca0214ee2802dd47239a4e39fb21c5b00ef61b22 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 22 Mar 2019 16:00:54 +0100
+Subject: ALSA: pcm: Fix possible OOB access in PCM oss plugins
+
+From: Takashi Iwai
+
+commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 upstream.
+
+The PCM OSS emulation converts and transfers the data on the fly via
+"plugins". The data is converted over the dynamically allocated
+buffer for each plugin, and recently syzkaller caught OOB in this
+flow.
+
+Although the bisection by syzbot pointed out to the commit
+65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer
+allocations"), this is merely a commit to replace vmalloc() with
+kvmalloc(), hence it can't be the cause. The further debug action
+revealed that this happens in the case where a slave PCM doesn't
+support only the stereo channels while the OSS stream is set up for a
+mono channel. Below is a brief explanation:
+
+At each OSS parameter change, the driver sets up the PCM hw_params
+again in snd_pcm_oss_change_params_lock(). This is also the place
+where plugins are created and local buffers are allocated. The
+problem is that the plugins are created before the final hw_params is
+determined. Namely, two snd_pcm_hw_param_near() calls for setting the
+period size and periods may influence on the final result of channels,
+rates, etc, too, while the current code has already created plugins
+beforehand with the premature values. So, the plugin believes that
+channels=1, while the actual I/O is with channels=2, which makes the
+driver reading/writing over the allocated buffer size.
+
+The fix is simply to move the plugin allocation code after the final
+hw_params call.
+
+Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/oss/pcm_oss.c | 43 ++++++++++++++++++++++---------------------
+ 1 file changed, 22 insertions(+), 21 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -940,6 +940,28 @@ static int snd_pcm_oss_change_params_loc
+ oss_frame_size = snd_pcm_format_physical_width(params_format(params)) *
+ params_channels(params) / 8;
+
++ err = snd_pcm_oss_period_size(substream, params, sparams);
++ if (err < 0)
++ goto failure;
++
++ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
++ if (err < 0)
++ goto failure;
++
++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
++ runtime->oss.periods, NULL);
++ if (err < 0)
++ goto failure;
++
++ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
++
++ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams);
++ if (err < 0) {
++ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
++ goto failure;
++ }
++
+ #ifdef CONFIG_SND_PCM_OSS_PLUGINS
+ snd_pcm_oss_plugin_clear(substream);
+ if (!direct) {
+@@ -974,27 +996,6 @@ static int snd_pcm_oss_change_params_loc
+ }
+ #endif
+
+- err = snd_pcm_oss_period_size(substream, params, sparams);
+- if (err < 0)
+- goto failure;
+-
+- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
+- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
+- if (err < 0)
+- goto failure;
+-
+- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
+- runtime->oss.periods, NULL);
+- if (err < 0)
+- goto failure;
+-
+- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
+-
+- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) {
+- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
+- goto failure;
+- }
+-
+ if (runtime->oss.trigger) {
+ sw_params->start_threshold = 1;
+ } else {
diff --git a/queue-4.14/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch b/queue-4.14/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..73dbed191f7
--- /dev/null
+++ b/queue-4.14/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch
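Review bot: Nothing in the moved code records why the `#ifdef CONFIG_SND_PCM_OSS_PLUGINS` block must now sit after the `SNDRV_PCM_IOCTL_HW_PARAMS` call, so a later reordering could silently bring back the out-of-bounds buffer access the commit message describes. I would add a comment directly above the `#ifdef`, for example `/* plugins and their buffers must be sized from the final hw_params; keep this after HW_PARAMS */`. Separately, plugin setup can now fail after the slave hw_params have already been applied; the `failure:` label and the rest of the function are outside the hunk, so whether that path leaves the substream in a consistent state needs checking there. The return value of the `SNDRV_PCM_IOCTL_DROP` call is still ignored, as it was before the move.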
@@ -0,0 +1,52 @@
+From 2b1d9c8f87235f593826b9cf46ec10247741fff9 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 20 Mar 2019 16:15:24 -0500
+Subject: ALSA: rawmidi: Fix potential Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva
+
+commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream.
+
+info->stream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap)
+
+Fix this by sanitizing info->stream before using it to index
+rmidi->streams.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/rawmidi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(str
+ return -ENXIO;
+ if (info->stream < 0 || info->stream > 1)
+ return -EINVAL;
++ info->stream = array_index_nospec(info->stream, 2);
+ pstr = &rmidi->streams[info->stream];
+ if (pstr->substream_count == 0)
+ return -ENOENT;
diff --git a/queue-4.14/alsa-seq-oss-fix-spectre-v1-vulnerability.patch b/queue-4.14/alsa-seq-oss-fix-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..90fa940aa5d
--- /dev/null
+++ b/queue-4.14/alsa-seq-oss-fix-spectre-v1-vulnerability.patch
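Review bot: The clamp `array_index_nospec(info->stream, 2)` hard-codes the array size separately from the range check one line above it (`info->stream > 1`), so the architectural bound and the speculative bound can drift apart if the number of streams ever changes. Deriving the size from the array keeps them tied together: `info->stream = array_index_nospec(info->stream, ARRAY_SIZE(rmidi->streams));`. The declaration of `rmidi->streams` is not visible in the hunk, so this assumes it is a true array rather than a pointer. The body of __snd_rawmidi_info_select() continues outside the hunk.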
@@ -0,0 +1,53 @@
+From c709f14f0616482b67f9fbcb965e1493a03ff30b Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 20 Mar 2019 18:42:01 -0500
+Subject: ALSA: seq: oss: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva
+
+commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream.
+
+dev is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)
+
+Fix this by sanitizing dev before using it to index dp->synths.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/oss/seq_oss_synth.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/core/seq/oss/seq_oss_synth.c
++++ b/sound/core/seq/oss/seq_oss_synth.c
+@@ -617,13 +617,14 @@ int
+ snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
+ {
+ struct seq_oss_synth *rec;
++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
+
+- if (dev < 0 || dev >= dp->max_synthdev)
++ if (!info)
+ return -ENXIO;
+
+- if (dp->synths[dev].is_midi) {
++ if (info->is_midi) {
+ struct midi_info minf;
+- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
++ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
+ inf->synth_type = SYNTH_TYPE_MIDI;
+ inf->synth_subtype = 0;
+ inf->nr_voices = 16;
diff --git a/queue-4.14/series b/queue-4.14/series
index 4b6986911aa..5cbe2798447 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
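Review bot: The rewritten snd_seq_oss_synth_make_info() now relies entirely on `get_synthinfo_nospec()` for both the range check and the speculation barrier, and that helper is neither defined nor touched anywhere in this patch. For a stable backport that is the thing to verify: the 4.14 tree must already carry the helper, and it must return NULL for `dev < 0 || dev >= dp->max_synthdev` exactly as the removed check did, otherwise the -ENXIO path is lost. The rest of the function lies outside the hunk, so any later access that still indexes by the raw `dev` would bypass the sanitized pointer and should be checked as well.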
@@ -60,3 +60,9 @@ arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch
 powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch
 nfsv4.1-don-t-free-interrupted-slot-on-open.patch
 net-dsa-qca8k-remove-leftover-phy-accessors.patch
+alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch
+alsa-seq-oss-fix-spectre-v1-vulnerability.patch
+alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch
+alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch
+alsa-hda-realtek-add-support-headset-mode-for-dell-wyse-aio.patch
+alsa-hda-realtek-add-support-headset-mode-for-new-dell-wyse-nb.patch