From: Greg Kroah-Hartman Date: Mon, 17 Aug 2020 10:24:46 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.140~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5dc6f7663673fffe6735878c925578781d8d872;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch fs-minix-check-return-value-of-sb_getblk.patch fs-minix-don-t-allow-getting-deleted-inodes.patch fs-minix-reject-too-large-maximum-file-size.patch
---
diff --git a/queue-4.4/alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch b/queue-4.4/alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch
new file mode 100644
index 00000000000..42cd70abf8b
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch
@@ -0,0 +1,86 @@
+From 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 Mon Sep 17 00:00:00 2001
+From: Hector Martin
+Date: Mon, 10 Aug 2020 17:25:02 +0900
+Subject: ALSA: usb-audio: add quirk for Pioneer DDJ-RB
+
+From: Hector Martin
+
+commit 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 upstream.
+
+This is just another Pioneer device with fixed endpoints. Input is dummy
+but used as feedback (it always returns silence).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hector Martin
+Link: https://lore.kernel.org/r/20200810082502.225979-1-marcan@marcan.st
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks-table.h | 56 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3380,5 +3380,61 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++{
++ /*
++ * PIONEER DJ DDJ-RB
++ * PCM is 4 channels out, 2 dummy channels in @ 44.1 fixed
++ * The feedback for the output is the dummy input.
++ */
++ USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000e),
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .ifnum = QUIRK_ANY_INTERFACE,
++ .type = QUIRK_COMPOSITE,
++ .data = (const struct snd_usb_audio_quirk[]) {
++ {
++ .ifnum = 0,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S24_3LE,
++ .channels = 4,
++ .iface = 0,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .endpoint = 0x01,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC|
++ USB_ENDPOINT_SYNC_ASYNC,
++ .rates = SNDRV_PCM_RATE_44100,
++ .rate_min = 44100,
++ .rate_max = 44100,
++ .nr_rates = 1,
++ .rate_table = (unsigned int[]) { 44100 }
++ }
++ },
++ {
++ .ifnum = 0,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S24_3LE,
++ .channels = 2,
++ .iface = 0,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .endpoint = 0x82,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC|
++ USB_ENDPOINT_SYNC_ASYNC|
++ USB_ENDPOINT_USAGE_IMPLICIT_FB,
++ .rates = SNDRV_PCM_RATE_44100,
++ .rate_min = 44100,
++ .rate_max = 44100,
++ .nr_rates = 1,
++ .rate_table = (unsigned int[]) { 44100 }
++ }
++ },
++ {
++ .ifnum = -1
++ }
++ }
++ }
++},
+
+ #undef USB_DEVICE_VENDOR_SPEC
diff --git a/queue-4.4/alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch b/queue-4.4/alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch
new file mode 100644
index 00000000000..c01143503f9
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch
@@ -0,0 +1,34 @@
+From fec9008828cde0076aae595ac031bfcf49d335a4 Mon Sep 17 00:00:00 2001
+From: Mirko Dietrich
+Date: Thu, 6 Aug 2020 14:48:50 +0200
+Subject: ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
+
+From: Mirko Dietrich
+
+commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream.
+
+Adds an entry for Creative USB X-Fi to the rc_config array in
+mixer_quirks.c to allow use of volume knob on the device.
+Adds support for newer X-Fi Pro card, known as "Model No. SB1095"
+with USB ID "041e:3263"
+
+Signed-off-by: Mirko Dietrich
+Cc:
+Link: https://lore.kernel.org/r/20200806124850.20334-1-buzz@l4m1.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer_quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -195,6 +195,7 @@ static const struct rc_config {
+ { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */
+ { USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
+ { USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
++ { USB_ID(0x041e, 0x3263), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
+ { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */
+ };
+
diff --git a/queue-4.4/alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch b/queue-4.4/alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch
new file mode 100644
index 00000000000..d64f64e2988
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch
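Review bot: The comment on the added `USB_ID(0x041e, 0x3263)` row repeats `/* Usb X-Fi S51 Pro */` from the two rows above it, while the commit message describes this ID as the newer X-Fi Pro card, "Model No. SB1095". A distinct label such as `/* Usb X-Fi Pro SB1095 */` would let a reader tell the 0x041e entries apart when matching a device against the table. The rc_config array starts above the hunk.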
@@ -0,0 +1,40 @@
+From 14a720dc1f5332f3bdf30a23a3bc549e81be974c Mon Sep 17 00:00:00 2001
+From: Hector Martin
+Date: Mon, 10 Aug 2020 13:53:19 +0900
+Subject: ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
+
+From: Hector Martin
+
+commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream.
+
+Matching by device matches all interfaces, which breaks the video/HID
+portions of the device depending on module load order.
+
+Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hector Martin
+Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks-table.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3335,7 +3335,13 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ * with.
+ */
+ {
+- USB_DEVICE(0x534d, 0x2109),
++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE |
++ USB_DEVICE_ID_MATCH_INT_CLASS |
++ USB_DEVICE_ID_MATCH_INT_SUBCLASS,
++ .idVendor = 0x534d,
++ .idProduct = 0x2109,
++ .bInterfaceClass = USB_CLASS_AUDIO,
++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ .vendor_name = "MacroSilicon",
+ .product_name = "MS2109",
diff --git a/queue-4.4/crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch b/queue-4.4/crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch
new file mode 100644
index 00000000000..a288dcad4bd
--- /dev/null
+++ b/queue-4.4/crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch
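Review bot: The narrowed match on the MS2109 entry carries no in-code explanation; the reason (a device-wide match also claims the video and HID interfaces, depending on module load order) is recorded only in the commit message. A short comment above `.match_flags`, for example `/* match only the audio control interface so the video/HID interfaces stay with their own drivers */`, would keep a later cleanup from collapsing the entry back to `USB_DEVICE()`. The entry's leading comment block and the rest of its body lie outside the hunk.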
@@ -0,0 +1,91 @@
+From c06c76602e03bde24ee69a2022a829127e504202 Mon Sep 17 00:00:00 2001
+From: Tom Rix
+Date: Mon, 13 Jul 2020 07:06:34 -0700
+Subject: crypto: qat - fix double free in qat_uclo_create_batch_init_list
+
+From: Tom Rix
+
+commit c06c76602e03bde24ee69a2022a829127e504202 upstream.
+
+clang static analysis flags this error
+
+qat_uclo.c:297:3: warning: Attempt to free released memory
+ [unix.Malloc]
+ kfree(*init_tab_base);
+ ^~~~~~~~~~~~~~~~~~~~~
+
+When input *init_tab_base is null, the function allocates memory for
+the head of the list. When there is problem allocating other list
+elements the list is unwound and freed. Then a check is made if the
+list head was allocated and is also freed.
+
+Keeping track of the what may need to be freed is the variable 'tail_old'.
+The unwinding/freeing block is
+
+ while (tail_old) {
+ mem_init = tail_old->next;
+ kfree(tail_old);
+ tail_old = mem_init;
+ }
+
+The problem is that the first element of tail_old is also what was
+allocated for the list head
+
+ init_header = kzalloc(sizeof(*init_header), GFP_KERNEL);
+ ...
+ *init_tab_base = init_header;
+ flag = 1;
+ }
+ tail_old = init_header;
+
+So *init_tab_base/init_header are freed twice.
+
+There is another problem.
+When the input *init_tab_base is non null the tail_old is calculated by
+traveling down the list to first non null entry.
+
+ tail_old = init_header;
+ while (tail_old->next)
+ tail_old = tail_old->next;
+
+When the unwinding free happens, the last entry of the input list will
+be freed.
+
+So the freeing needs a general changed.
+If locally allocated the first element of tail_old is freed, else it
+is skipped. As a bit of cleanup, reset *init_tab_base if it came in
+as null.
+
+Fixes: b4b7e67c917f ("crypto: qat - Intel(R) QAT ucode part of fw loader")
+Cc:
+Signed-off-by: Tom Rix
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/qat/qat_common/qat_uclo.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/qat/qat_common/qat_uclo.c
++++ b/drivers/crypto/qat/qat_common/qat_uclo.c
+@@ -307,13 +307,18 @@ static int qat_uclo_create_batch_init_li
+ }
+ return 0;
+ out_err:
++ /* Do not free the list head unless we allocated it. */
++ tail_old = tail_old->next;
++ if (flag) {
++ kfree(*init_tab_base);
++ *init_tab_base = NULL;
++ }
++
+ while (tail_old) {
+ mem_init = tail_old->next;
+ kfree(tail_old);
+ tail_old = mem_init;
+ }
+- if (flag)
+- kfree(*init_tab_base);
+ return -ENOMEM;
+ }
+
diff --git a/queue-4.4/fs-minix-check-return-value-of-sb_getblk.patch b/queue-4.4/fs-minix-check-return-value-of-sb_getblk.patch
new file mode 100644
index 00000000000..8678eed2372
--- /dev/null
+++ b/queue-4.4/fs-minix-check-return-value-of-sb_getblk.patch
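Review bot: After `tail_old = tail_old->next;` at `out_err`, the node that `tail_old` pointed to on entry still has its `next` field referencing the entries the loop then passes to `kfree()`. When the caller supplied an existing list (`flag` is 0), the commit message says that node is the last entry of the caller's list, so the list is handed back ending in a dangling pointer. Detaching before unwinding avoids that: `mem_init = tail_old->next; tail_old->next = NULL; tail_old = mem_init;`. The list-building code is outside the hunk, so whether any caller walks or frees the list again after -ENOMEM has to be confirmed there.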
@@ -0,0 +1,78 @@
+From da27e0a0e5f655f0d58d4e153c3182bb2b290f64 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 11 Aug 2020 18:35:24 -0700
+Subject: fs/minix: check return value of sb_getblk()
+
+From: Eric Biggers
+
+commit da27e0a0e5f655f0d58d4e153c3182bb2b290f64 upstream.
+
+Patch series "fs/minix: fix syzbot bugs and set s_maxbytes".
+
+This series fixes all syzbot bugs in the minix filesystem:
+
+ KASAN: null-ptr-deref Write in get_block
+ KASAN: use-after-free Write in get_block
+ KASAN: use-after-free Read in get_block
+ WARNING in inc_nlink
+ KMSAN: uninit-value in get_block
+ WARNING in drop_nlink
+
+It also fixes the minix filesystem to set s_maxbytes correctly, so that
+userspace sees the correct behavior when exceeding the max file size.
+
+This patch (of 6):
+
+sb_getblk() can fail, so check its return value.
+
+This fixes a NULL pointer dereference.
+
+Originally from Qiujun Huang.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers
+Signed-off-by: Andrew Morton
+Cc: Qiujun Huang
+Cc: Alexander Viro
+Cc:
+Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org
+Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/minix/itree_common.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/minix/itree_common.c
++++ b/fs/minix/itree_common.c
+@@ -74,6 +74,7 @@ static int alloc_branch(struct inode *in
+ int n = 0;
+ int i;
+ int parent = minix_new_block(inode);
++ int err = -ENOSPC;
+
+ branch[0].key = cpu_to_block(parent);
+ if (parent) for (n = 1; n < num; n++) {
+@@ -84,6 +85,11 @@ static int alloc_branch(struct inode *in
+ break;
+ branch[n].key = cpu_to_block(nr);
+ bh = sb_getblk(inode->i_sb, parent);
++ if (!bh) {
++ minix_free_block(inode, nr);
++ err = -ENOMEM;
++ break;
++ }
+ lock_buffer(bh);
+ memset(bh->b_data, 0, bh->b_size);
+ branch[n].bh = bh;
+@@ -102,7 +108,7 @@ static int alloc_branch(struct inode *in
+ bforget(branch[i].bh);
+ for (i = 0; i < n; i++)
+ minix_free_block(inode, block_to_cpu(branch[i].key));
+- return -ENOSPC;
++ return err;
+ }
+
+ static inline int splice_branch(struct inode *inode,
diff --git a/queue-4.4/fs-minix-don-t-allow-getting-deleted-inodes.patch b/queue-4.4/fs-minix-don-t-allow-getting-deleted-inodes.patch
new file mode 100644
index 00000000000..5ed3a0507f3
--- /dev/null
+++ b/queue-4.4/fs-minix-don-t-allow-getting-deleted-inodes.patch
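Review bot: In the second inner hunk `branch[n].key = cpu_to_block(nr);` still runs before the new `if (!bh)` check, so on this failure path `branch[n].key` keeps the number of a block that `minix_free_block(inode, nr)` has just released. The cleanup loops in the third hunk stop at `i < n` and never touch that slot, so this is harmless only if no caller reads `branch[n]` after an error, which the hunks do not show. Moving the key assignment below the NULL check, next to `branch[n].bh = bh;`, would leave no stale block number behind. alloc_branch() begins and ends outside the hunks.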
@@ -0,0 +1,59 @@
+From facb03dddec04e4aac1bb2139accdceb04deb1f3 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 11 Aug 2020 18:35:27 -0700
+Subject: fs/minix: don't allow getting deleted inodes
+
+From: Eric Biggers
+
+commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream.
+
+If an inode has no links, we need to mark it bad rather than allowing it
+to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when
+doing directory operations on a fuzzed filesystem.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com
+Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers
+Signed-off-by: Andrew Morton
+Cc: Alexander Viro
+Cc: Qiujun Huang
+Cc:
+Link: http://lkml.kernel.org/r/20200628060846.682158-3-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/minix/inode.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/minix/inode.c
++++ b/fs/minix/inode.c
+@@ -472,6 +472,13 @@ static struct inode *V1_minix_iget(struc
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
++ if (raw_inode->i_nlinks == 0) {
++ printk("MINIX-fs: deleted inode referenced: %lu\n",
++ inode->i_ino);
++ brelse(bh);
++ iget_failed(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ inode->i_mode = raw_inode->i_mode;
+ i_uid_write(inode, raw_inode->i_uid);
+ i_gid_write(inode, raw_inode->i_gid);
+@@ -505,6 +512,13 @@ static struct inode *V2_minix_iget(struc
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
++ if (raw_inode->i_nlinks == 0) {
++ printk("MINIX-fs: deleted inode referenced: %lu\n",
++ inode->i_ino);
++ brelse(bh);
++ iget_failed(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ inode->i_mode = raw_inode->i_mode;
+ i_uid_write(inode, raw_inode->i_uid);
+ i_gid_write(inode, raw_inode->i_gid);
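Review bot: The added `printk("MINIX-fs: deleted inode referenced: %lu\n", ...)` in both V1_minix_iget() and V2_minix_iget() has no log level and no rate limit, and the condition is driven entirely by on-disk data, so a corrupted or crafted image can emit one message per inode lookup. `printk_ratelimited(KERN_WARNING "MINIX-fs: deleted inode referenced: %lu\n", inode->i_ino);` keeps the diagnostic while bounding log volume. The two added blocks are identical, so a small helper taking the link count would also keep the V1 and V2 paths from drifting apart. Both functions extend outside the hunks.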
diff --git a/queue-4.4/fs-minix-reject-too-large-maximum-file-size.patch b/queue-4.4/fs-minix-reject-too-large-maximum-file-size.patch
new file mode 100644
index 00000000000..3d9d628f9e5
--- /dev/null
+++ b/queue-4.4/fs-minix-reject-too-large-maximum-file-size.patch
@@ -0,0 +1,76 @@
+From 270ef41094e9fa95273f288d7d785313ceab2ff3 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 11 Aug 2020 18:35:30 -0700
+Subject: fs/minix: reject too-large maximum file size
+
+From: Eric Biggers
+
+commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.
+
+If the minix filesystem tries to map a very large logical block number to
+its on-disk location, block_to_path() can return offsets that are too
+large, causing out-of-bounds memory accesses when accessing indirect index
+blocks. This should be prevented by the check against the maximum file
+size, but this doesn't work because the maximum file size is read directly
+from the on-disk superblock and isn't validated itself.
+
+Fix this by validating the maximum file size at mount time.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
+Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
+Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers
+Signed-off-by: Andrew Morton
+Cc: Alexander Viro
+Cc: Qiujun Huang
+Cc:
+Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/minix/inode.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/fs/minix/inode.c
++++ b/fs/minix/inode.c
+@@ -155,6 +155,23 @@ static int minix_remount (struct super_b
+ return 0;
+ }
+
++static bool minix_check_superblock(struct minix_sb_info *sbi)
++{
++ if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
++ return false;
++
++ /*
++ * s_max_size must not exceed the block mapping limitation. This check
++ * is only needed for V1 filesystems, since V2/V3 support an extra level
++ * of indirect blocks which places the limit well above U32_MAX.
++ */
++ if (sbi->s_version == MINIX_V1 &&
++ sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE)
++ return false;
++
++ return true;
++}
++
+ static int minix_fill_super(struct super_block *s, void *data, int silent)
+ {
+ struct buffer_head *bh;
+@@ -233,11 +250,12 @@ static int minix_fill_super(struct super
+ } else
+ goto out_no_fs;
+
++ if (!minix_check_superblock(sbi))
++ goto out_illegal_sb;
++
+ /*
+ * Allocate the buffer map to keep the superblock small.
+ */
+- if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
+- goto out_illegal_sb;
+ i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh);
+ map = kzalloc(i, GFP_KERNEL);
+ if (!map)
diff --git a/queue-4.4/series b/queue-4.4/series
index 818f6602e8f..f0419b6571a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -104,3 +104,10 @@ pinctrl-single-fix-pcs_parse_pinconf-return-value.patch
 drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch
 net-nfc-rawsock.c-add-cap_net_raw-check.patch
 net-set-fput_needed-iff-fdput_fput-is-set.patch
+alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch
+alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch
+alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch
+crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch
+fs-minix-check-return-value-of-sb_getblk.patch
+fs-minix-don-t-allow-getting-deleted-inodes.patch
+fs-minix-reject-too-large-maximum-file-size.patch
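Review bot: The V1 bound in minix_check_superblock() is written as bare numbers, `(7 + 512 + 512*512) * BLOCK_SIZE`, which must stay in step with whatever block_to_path() assumes for V1 and gives no hint of what each term stands for. A comment on that line such as `/* 7 direct + 512 single-indirect + 512*512 double-indirect blocks */`, or named constants shared with the mapping code, would make the limit auditable. The check also leaves `s_max_size` unvalidated for V2/V3; the comment's argument that the mapping limit sits above U32_MAX holds only if `s_max_size` cannot exceed 32 bits on those versions, which depends on the field's type and on how it is filled in minix_fill_super(), neither of which the hunks show.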