From: Greg Kroah-Hartman Date: Mon, 18 Apr 2022 09:24:40 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.9.311~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8c035234f1fdadd33ecf78c4ec6277a7fe386ae;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch arm-davinci-da850-evm-avoid-null-pointer-dereference.patch --- diff --git a/queue-4.14/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch b/queue-4.14/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch new file mode 100644 index 00000000000..425548700b5 --- /dev/null +++ b/queue-4.14/alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch 
@@ -0,0 +1,40 @@ +From 2f7a26abb8241a0208c68d22815aa247c5ddacab Mon Sep 17 00:00:00 2001 +From: "Fabio M. De Francesco" +Date: Sat, 9 Apr 2022 03:26:55 +0200 +Subject: ALSA: pcm: Test for "silence" field in struct "pcm_format_data" + +From: Fabio M. De Francesco + +commit 2f7a26abb8241a0208c68d22815aa247c5ddacab upstream. + +Syzbot reports "KASAN: null-ptr-deref Write in +snd_pcm_format_set_silence".[1] + +It is due to missing validation of the "silence" field of struct +"pcm_format_data" in "pcm_formats" array. + +Add a test for valid "pat" and, if it is not so, return -EINVAL. + +[1] https://lore.kernel.org/lkml/000000000000d188ef05dc2c7279@google.com/ + +Reported-and-tested-by: syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com +Signed-off-by: Fabio M. De Francesco +Cc: +Link: https://lore.kernel.org/r/20220409012655.9399-1-fmdefrancesco@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/pcm_misc.c ++++ b/sound/core/pcm_misc.c +@@ -406,7 +406,7 @@ int snd_pcm_format_set_silence(snd_pcm_f + return 0; + width = pcm_formats[(INT)format].phys; /* physical width */ + pat = pcm_formats[(INT)format].silence; +- if (! width) ++ if (!width || !pat) + return -EINVAL; + /* signed or 1 byte data */ + if (pcm_formats[(INT)format].signd == 1 || width <= 8) { diff --git a/queue-4.14/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch b/queue-4.14/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..4295ca2c575 --- /dev/null +++ b/queue-4.14/arm-davinci-da850-evm-avoid-null-pointer-dereference.patch 
@@ -0,0 +1,58 @@ +From 83a1cde5c74bfb44b49cb2a940d044bb2380f4ea Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 23 Dec 2021 15:21:41 -0700 +Subject: ARM: davinci: da850-evm: Avoid NULL pointer dereference + +From: Nathan Chancellor + +commit 83a1cde5c74bfb44b49cb2a940d044bb2380f4ea upstream. + +With newer versions of GCC, there is a panic in da850_evm_config_emac() +when booting multi_v5_defconfig in QEMU under the palmetto-bmc machine: + +Unable to handle kernel NULL pointer dereference at virtual address 00000020 +pgd = (ptrval) +[00000020] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT ARM +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1 +Hardware name: Generic DT based system +PC is at da850_evm_config_emac+0x1c/0x120 +LR is at do_one_initcall+0x50/0x1e0 + +The emac_pdata pointer in soc_info is NULL because davinci_soc_info only +gets populated on davinci machines but da850_evm_config_emac() is called +on all machines via device_initcall(). + +Move the rmii_en assignment below the machine check so that it is only +dereferenced when running on a supported SoC. 
+ +Fixes: bae105879f2f ("davinci: DA850/OMAP-L138 EVM: implement autodetect of RMII PHY") +Signed-off-by: Nathan Chancellor +Reviewed-by: Arnd Bergmann +Reviewed-by: Bartosz Golaszewski +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/YcS4xVWs6bQlQSPC@archlinux-ax161/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-da850-evm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -1035,11 +1035,13 @@ static int __init da850_evm_config_emac( + int ret; + u32 val; + struct davinci_soc_info *soc_info = &davinci_soc_info; +- u8 rmii_en = soc_info->emac_pdata->rmii_en; ++ u8 rmii_en; + + if (!machine_is_davinci_da850_evm()) + return 0; + ++ rmii_en = soc_info->emac_pdata->rmii_en; ++ + cfg_chip3_base = DA8XX_SYSCFG0_VIRT(DA8XX_CFGCHIP3_REG); + + val = __raw_readl(cfg_chip3_base); diff --git a/queue-4.14/series b/queue-4.14/series index fb5fba206ea..c1d17ccb0d4 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -278,3 +278,5 @@ drivers-net-slip-fix-npd-bug-in-sl_tx_timeout.patch mm-page_alloc-fix-build_zonerefs_node.patch mm-kmemleak-take-a-full-lowmem-check-in-kmemleak_-_phys.patch gcc-plugins-latent_entropy-use-dev-urandom.patch +alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch +arm-davinci-da850-evm-avoid-null-pointer-dereference.patch
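Review bot: In the sound/core/pcm_misc.c hunk of alsa-pcm-test-for-silence-field-in-struct-pcm_format_data.patch, the new `!pat` term in `if (!width || !pat)` tests a value loaded from the `pcm_formats` table, yet the commit message quotes a null-ptr-deref Write and the visible lines never show `pat` being written through. The hunk also does not show how `silence` is declared. If it is an array embedded in struct pcm_format_data rather than a pointer, `pat` can never be NULL and the added test is dead code. Please say in the commit message which pointer was NULL in the syzbot report and how a missing "silence" entry leads to a faulting write. If the field turns out to be an embedded array, test whatever actually marks an entry as unpopulated instead of the address of the field.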
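Review bot: In the arch/arm/mach-davinci/board-da850-evm.c hunk of arm-davinci-da850-evm-avoid-null-pointer-dereference.patch, the moved line `rmii_en = soc_info->emac_pdata->rmii_en;` still dereferences `emac_pdata` with no NULL test, so correctness rests entirely on `machine_is_davinci_da850_evm()` implying that `davinci_soc_info` has been populated. Nothing in the code records that ordering requirement. A one-line comment above the assignment stating that it must stay below the machine check, or an explicit NULL check on `soc_info->emac_pdata` before the read, would keep a later cleanup from folding the assignment back into the declaration of `rmii_en` and bringing back the boot-time oops quoted in the commit message.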