From: Greg Kroah-Hartman
Date: Sun, 14 Nov 2021 13:56:06 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v5.4.160~97
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=de2004c0e6f05220ebfeac0278078f049614a27a;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
alsa-mixer-fix-deadlock-in-snd_mixer_oss_set_volume.patch
alsa-mixer-oss-fix-racy-access-to-slots.patch
quota-check-block-number-when-reading-the-block-in-quota-file.patch
quota-correct-error-number-in-free_dqentry.patch
---
diff --git a/queue-4.4/alsa-mixer-fix-deadlock-in-snd_mixer_oss_set_volume.patch b/queue-4.4/alsa-mixer-fix-deadlock-in-snd_mixer_oss_set_volume.patch
new file mode 100644
index 00000000000..b7f3bc2b3d9
--- /dev/null
+++ b/queue-4.4/alsa-mixer-fix-deadlock-in-snd_mixer_oss_set_volume.patch
@@ -0,0 +1,35 @@
+From 3ab7992018455ac63c33e9b3eaa7264e293e40f4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Sun, 24 Oct 2021 17:03:15 +0300
+Subject: ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
+
+From: Pavel Skripkin
+
+commit 3ab7992018455ac63c33e9b3eaa7264e293e40f4 upstream.
+
+In commit 411cef6adfb3 ("ALSA: mixer: oss: Fix racy access to slots")
+added mutex protection in snd_mixer_oss_set_volume(). Second
+mutex_lock() in same function looks like typo, fix it.
+
+Reported-by: syzbot+ace149a75a9a0a399ac7@syzkaller.appspotmail.com
+Fixes: 411cef6adfb3 ("ALSA: mixer: oss: Fix racy access to slots")
+Cc:
+Signed-off-by: Pavel Skripkin
+Link: https://lore.kernel.org/r/20211024140315.16704-1-paskripkin@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/oss/mixer_oss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/oss/mixer_oss.c
++++ b/sound/core/oss/mixer_oss.c
+@@ -327,7 +327,7 @@ static int snd_mixer_oss_set_volume(stru
+ pslot->volume[1] = right;
+ result = (left & 0xff) | ((right & 0xff) << 8);
+ unlock:
+- mutex_lock(&mixer->reg_mutex);
++ mutex_unlock(&mixer->reg_mutex);
+ return result;
+ }
+
diff --git a/queue-4.4/alsa-mixer-oss-fix-racy-access-to-slots.patch b/queue-4.4/alsa-mixer-oss-fix-racy-access-to-slots.patch
new file mode 100644
index 00000000000..b026e0e7f21
--- /dev/null
+++ b/queue-4.4/alsa-mixer-oss-fix-racy-access-to-slots.patch
@@ -0,0 +1,176 @@
+From 411cef6adfb38a5bb6bd9af3941b28198e7fb680 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 20 Oct 2021 18:48:46 +0200
+Subject: ALSA: mixer: oss: Fix racy access to slots
+
+From: Takashi Iwai
+
+commit 411cef6adfb38a5bb6bd9af3941b28198e7fb680 upstream.
+
+The OSS mixer can reassign the mapping slots dynamically via proc
+file. Although the addition and deletion of those slots are protected
+by mixer->reg_mutex, the access to slots aren't, hence this may cause
+UAF when the slots in use are deleted concurrently.
+
+This patch applies the mixer->reg_mutex in all appropriate code paths
+(i.e. the ioctl functions) that may access slots.
+
+Reported-by: syzbot+9988f17cf72a1045a189@syzkaller.appspotmail.com
+Reviewed-by: Jaroslav Kysela
+Cc:
+Link: https://lore.kernel.org/r/00000000000036adc005ceca9175@google.com
+Link: https://lore.kernel.org/r/20211020164846.922-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/oss/mixer_oss.c | 43 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 33 insertions(+), 10 deletions(-)
+
+--- a/sound/core/oss/mixer_oss.c
++++ b/sound/core/oss/mixer_oss.c
+@@ -144,11 +144,13 @@ static int snd_mixer_oss_devmask(struct
+
+ if (mixer == NULL)
+ return -EIO;
++ mutex_lock(&mixer->reg_mutex);
+ for (chn = 0; chn < 31; chn++) {
+ pslot = &mixer->slots[chn];
+ if (pslot->put_volume || pslot->put_recsrc)
+ result |= 1 << chn;
+ }
++ mutex_unlock(&mixer->reg_mutex);
+ return result;
+ }
+
+@@ -160,11 +162,13 @@ static int snd_mixer_oss_stereodevs(stru
+
+ if (mixer == NULL)
+ return -EIO;
++ mutex_lock(&mixer->reg_mutex);
+ for (chn = 0; chn < 31; chn++) {
+ pslot = &mixer->slots[chn];
+ if (pslot->put_volume && pslot->stereo)
+ result |= 1 << chn;
+ }
++ mutex_unlock(&mixer->reg_mutex);
+ return result;
+ }
+
+@@ -175,6 +179,7 @@ static int snd_mixer_oss_recmask(struct
+
+ if (mixer == NULL)
+ return -EIO;
++ mutex_lock(&mixer->reg_mutex);
+ if (mixer->put_recsrc && mixer->get_recsrc) { /* exclusive */
+ result = mixer->mask_recsrc;
+ } else {
+@@ -186,6 +191,7 @@ static int snd_mixer_oss_recmask(struct
+ result |= 1 << chn;
+ }
+ }
++ mutex_unlock(&mixer->reg_mutex);
+ return result;
+ }
+
+@@ -196,11 +202,12 @@ static int snd_mixer_oss_get_recsrc(stru
+
+ if (mixer == NULL)
+ return -EIO;
++ mutex_lock(&mixer->reg_mutex);
+ if (mixer->put_recsrc && mixer->get_recsrc) { /* exclusive */
+- int err;
+ unsigned int index;
+- if ((err = mixer->get_recsrc(fmixer, &index)) < 0)
+- return err;
++ result = mixer->get_recsrc(fmixer, &index);
++ if (result < 0)
++ goto unlock;
+ result = 1 << index;
+ } else {
+ struct snd_mixer_oss_slot *pslot;
+@@ -215,7 +222,10 @@ static int snd_mixer_oss_get_recsrc(stru
+ }
+ }
+ }
+- return mixer->oss_recsrc = result;
++ mixer->oss_recsrc = result;
++ unlock:
++ mutex_unlock(&mixer->reg_mutex);
++ return result;
+ }
+
+ static int snd_mixer_oss_set_recsrc(struct snd_mixer_oss_file *fmixer, int recsrc)
+@@ -228,6 +238,7 @@ static int snd_mixer_oss_set_recsrc(stru
+
+ if (mixer == NULL)
+ return -EIO;
++ mutex_lock(&mixer->reg_mutex);
+ if (mixer->get_recsrc && mixer->put_recsrc) { /* exclusive input */
+ if (recsrc & ~mixer->oss_recsrc)
+ recsrc &= ~mixer->oss_recsrc;
+@@ -253,6 +264,7 @@ static int snd_mixer_oss_set_recsrc(stru
+ }
+ }
+ }
++ mutex_unlock(&mixer->reg_mutex);
+ return result;
+ }
+
+@@ -264,6 +276,7 @@ static int snd_mixer_oss_get_volume(stru
+
+ if (mixer == NULL || slot > 30)
+ return -EIO;
++ mutex_lock(&mixer->reg_mutex);
+ pslot = &mixer->slots[slot];
+ left = pslot->volume[0];
+ right = pslot->volume[1];
+@@ -271,15 +284,21 @@ static int snd_mixer_oss_get_volume(stru
+ result = pslot->get_volume(fmixer, pslot, &left, &right);
+ if (!pslot->stereo)
+ right = left;
+- if (snd_BUG_ON(left < 0 || left > 100))
+- return -EIO;
+- if (snd_BUG_ON(right < 0 || right > 100))
+- return -EIO;
++ if (snd_BUG_ON(left < 0 || left > 100)) {
++ result = -EIO;
++ goto unlock;
++ }
++ if (snd_BUG_ON(right < 0 || right > 100)) {
++ result = -EIO;
++ goto unlock;
++ }
+ if (result >= 0) {
+ pslot->volume[0] = left;
+ pslot->volume[1] = right;
+ result = (left & 0xff) | ((right & 0xff) << 8);
+ }
++ unlock:
++ mutex_unlock(&mixer->reg_mutex);
+ return result;
+ }
+
+@@ -292,6 +311,7 @@ static int snd_mixer_oss_set_volume(stru
+
+ if (mixer == NULL || slot > 30)
+ return -EIO;
++ mutex_lock(&mixer->reg_mutex);
+ pslot = &mixer->slots[slot];
+ if (left > 100)
+ left = 100;
+@@ -302,10 +322,13 @@ static int snd_mixer_oss_set_volume(stru
+ if (pslot->put_volume)
+ result = pslot->put_volume(fmixer, pslot, left, right);
+ if (result < 0)
+- return result;
++ goto unlock;
+ pslot->volume[0] = left;
+ pslot->volume[1] = right;
+- return (left & 0xff) | ((right & 0xff) << 8);
++ result = (left & 0xff) | ((right & 0xff) << 8);
++ unlock:
++ mutex_lock(&mixer->reg_mutex);
++ return result;
+ }
+
+ static int snd_mixer_oss_ioctl1(struct snd_mixer_oss_file *fmixer, unsigned int cmd, unsigned long arg)
diff --git a/queue-4.4/quota-check-block-number-when-reading-the-block-in-quota-file.patch b/queue-4.4/quota-check-block-number-when-reading-the-block-in-quota-file.patch
new file mode 100644
index 00000000000..285cc7614d8
--- /dev/null
+++ b/queue-4.4/quota-check-block-number-when-reading-the-block-in-quota-file.patch
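Review bot: The provider callbacks `mixer->get_recsrc`, `pslot->get_volume` and `pslot->put_volume` are now invoked with `mixer->reg_mutex` held (in snd_mixer_oss_get_recsrc, snd_mixer_oss_get_volume and snd_mixer_oss_set_volume), but nothing in the patch records that requirement, so a provider that itself takes `reg_mutex`, or a lock ordered before it, would deadlock without any hint at the call site. I would document it where the callback pointers are declared (outside this hunk), e.g. `/* called with mixer->reg_mutex held */`, so the lock order is visible to provider authors. Separately, the `unlock:` path of snd_mixer_oss_set_volume in this backport still ends in `mutex_lock()`; the companion patch in this commit corrects it, which makes the ordering in queue-4.4/series (the deadlock fix after this patch) load-bearing and worth a one-line remark in the commit message. All of the touched functions begin outside their hunks.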
@@ -0,0 +1,54 @@
+From 9bf3d20331295b1ecb81f4ed9ef358c51699a050 Mon Sep 17 00:00:00 2001
+From: Zhang Yi
+Date: Fri, 8 Oct 2021 17:38:20 +0800
+Subject: quota: check block number when reading the block in quota file
+
+From: Zhang Yi
+
+commit 9bf3d20331295b1ecb81f4ed9ef358c51699a050 upstream.
+
+The block number in the quota tree on disk should be smaller than the
+v2_disk_dqinfo.dqi_blocks. If the quota file was corrupted, we may be
+allocating an 'allocated' block and that would lead to a loop in a tree,
+which will probably trigger oops later. This patch adds a check for the
+block number in the quota tree to prevent such potential issue.
+
+Link: https://lore.kernel.org/r/20211008093821.1001186-2-yi.zhang@huawei.com
+Signed-off-by: Zhang Yi
+Cc: stable@kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/quota/quota_tree.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/quota/quota_tree.c
++++ b/fs/quota/quota_tree.c
+@@ -481,6 +481,13 @@ static int remove_tree(struct qtree_mem_
+ goto out_buf;
+ }
+ newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
++ if (newblk < QT_TREEOFF || newblk >= info->dqi_blocks) {
++ quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)",
++ newblk, info->dqi_blocks);
++ ret = -EUCLEAN;
++ goto out_buf;
++ }
++
+ if (depth == info->dqi_qtree_depth - 1) {
+ ret = free_dqentry(info, dquot, newblk);
+ newblk = 0;
+@@ -580,6 +587,13 @@ static loff_t find_tree_dqentry(struct q
+ blk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
+ if (!blk) /* No reference? */
+ goto out_buf;
++ if (blk < QT_TREEOFF || blk >= info->dqi_blocks) {
++ quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)",
++ blk, info->dqi_blocks);
++ ret = -EUCLEAN;
++ goto out_buf;
++ }
++
+ if (depth < info->dqi_qtree_depth - 1)
+ ret = find_tree_dqentry(info, dquot, blk, depth+1);
+ else
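Review bot: The `quota_error` text "Getting block too big (%u >= %u)" in remove_tree, and the identical one in find_tree_dqentry, is also emitted for the `newblk < QT_TREEOFF` half of the condition, where the block number is too small, so the log line misdescribes the corruption it rejects. A message naming the accepted range reads correctly for both cases, e.g. `quota_error(dquot->dq_sb, "Getting block %u out of range [%u, %u)", newblk, QT_TREEOFF, info->dqi_blocks);` (and the same with `blk` in find_tree_dqentry). Note that `info->dqi_blocks` is itself loaded from the on-disk quota info, so the new bound is only as good as that field; presumably it is sanity-checked when the info block is read, which is worth confirming since the check is meant to survive a corrupted quota file. As this file is a backport of an upstream commit, the wording is better raised upstream than altered in queue-4.4; both enclosing functions begin and end outside the hunk.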
diff --git a/queue-4.4/quota-correct-error-number-in-free_dqentry.patch b/queue-4.4/quota-correct-error-number-in-free_dqentry.patch
new file mode 100644
index 00000000000..b30c3cf8684
--- /dev/null
+++ b/queue-4.4/quota-correct-error-number-in-free_dqentry.patch
@@ -0,0 +1,32 @@
+From d0e36a62bd4c60c09acc40e06ba4831a4d0bc75b Mon Sep 17 00:00:00 2001
+From: Zhang Yi
+Date: Fri, 8 Oct 2021 17:38:21 +0800
+Subject: quota: correct error number in free_dqentry()
+
+From: Zhang Yi
+
+commit d0e36a62bd4c60c09acc40e06ba4831a4d0bc75b upstream.
+
+Fix the error path in free_dqentry(), pass out the error number if the
+block to free is not correct.
+
+Fixes: 1ccd14b9c271 ("quota: Split off quota tree handling into a separate file")
+Link: https://lore.kernel.org/r/20211008093821.1001186-3-yi.zhang@huawei.com
+Signed-off-by: Zhang Yi
+Cc: stable@kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/quota/quota_tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/quota/quota_tree.c
++++ b/fs/quota/quota_tree.c
+@@ -416,6 +416,7 @@ static int free_dqentry(struct qtree_mem
+ quota_error(dquot->dq_sb, "Quota structure has offset to "
+ "other block (%u) than it should (%u)", blk,
+ (uint)(dquot->dq_off >> info->dqi_blocksize_bits));
++ ret = -EIO;
+ goto out_buf;
+ }
+ ret = read_blk(info, blk, buf);
diff --git a/queue-4.4/series b/queue-4.4/series
index 235743c1e71..eee452be7e2 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -32,3 +32,7 @@ mwifiex-read-a-pci-register-after-writing-the-tx-ring-write-pointer.patch
 signal-remove-the-bogus-sigkill_pending-in-ptrace_stop.patch
 power-supply-max17042_battery-prevent-int-underflow-in-set_soc_threshold.patch
 power-supply-max17042_battery-use-vfsoc-for-capacity-when-no-rsns.patch
+alsa-mixer-oss-fix-racy-access-to-slots.patch
+alsa-mixer-fix-deadlock-in-snd_mixer_oss_set_volume.patch
+quota-check-block-number-when-reading-the-block-in-quota-file.patch
+quota-correct-error-number-in-free_dqentry.patch
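Review bot: `ret = -EIO;` in free_dqentry reports an on-disk inconsistency (the dquot's offset points at a block other than the one being freed) with a different errno than the sibling quota patch in this same commit, which returns `-EUCLEAN` for the same class of corrupted-quota-file condition in remove_tree and find_tree_dqentry. If the two are meant to be read together by callers, `ret = -EUCLEAN;` would be the consistent choice; the upstream commit chose `-EIO`, so as a backport this is a point to raise upstream rather than change in queue-4.4. A short comment on the new line, such as `/* on-disk offset mismatch: report it instead of silently skipping */`, would make the intent clear to the next reader. free_dqentry begins and ends outside the hunk.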