From: Greg Kroah-Hartman
Date: Sat, 13 Aug 2022 09:42:34 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.15.61~194
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67926e8ed952f6966776c68f1c061cfc69a7af48;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
alsa-hda-cirrus-support-for-imac-12-1-model.patch
alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch
usbnet-fix-linkwatch-use-after-free-on-disconnect.patch
vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
---
diff --git a/queue-4.9/alsa-hda-cirrus-support-for-imac-12-1-model.patch b/queue-4.9/alsa-hda-cirrus-support-for-imac-12-1-model.patch
new file mode 100644
index 00000000000..887fd5b8d61
--- /dev/null
+++ b/queue-4.9/alsa-hda-cirrus-support-for-imac-12-1-model.patch
@@ -0,0 +1,34 @@
+From 74bba640d69914cf832b87f6bbb700e5ba430672 Mon Sep 17 00:00:00 2001
+From: Allen Ballway
+Date: Wed, 10 Aug 2022 15:27:22 +0000
+Subject: ALSA: hda/cirrus - support for iMac 12,1 model
+
+From: Allen Ballway
+
+commit 74bba640d69914cf832b87f6bbb700e5ba430672 upstream.
+
+The 12,1 model requires the same configuration as the 12,2 model
+to enable headphones but has a different codec SSID. Adds
+12,1 SSID for matching quirk.
+
+[ re-sorted in SSID order by tiwai ]
+
+Signed-off-by: Allen Ballway
+Cc:
+Link: https://lore.kernel.org/r/20220810152701.1.I902c2e591bbf8de9acb649d1322fa1f291849266@changeid
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_cirrus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -409,6 +409,7 @@ static const struct snd_pci_quirk cs420x
+ 
+ /* codec SSID */
+ SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
++ SND_PCI_QUIRK(0x106b, 0x0900, "iMac 12,1", CS420X_IMAC27_122),
+ SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
+ SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
+ SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
diff --git a/queue-4.9/alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch b/queue-4.9/alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch
new file mode 100644
index 00000000000..63aa65ece69
--- /dev/null
+++ b/queue-4.9/alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch
@@ -0,0 +1,57 @@
+From f83bb2592482fe94c6eea07a8121763c80f36ce5 Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Mon, 8 Aug 2022 15:34:06 +0800
+Subject: ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model
+
+From: Meng Tang
+
+commit f83bb2592482fe94c6eea07a8121763c80f36ce5 upstream.
+
+There is another LENOVO 20149 (Type1Sku0) Notebook model with
+CX20590, the device PCI SSID is 17aa:3977, which headphones are
+not responding, that requires the quirk CXT_PINCFG_LENOVO_NOTEBOOK.
+Add the corresponding entry to the quirk table.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220808073406.19460-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_conexant.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -238,6 +238,7 @@ enum {
+ CXT_PINCFG_LEMOTE_A1205,
+ CXT_PINCFG_COMPAQ_CQ60,
+ CXT_FIXUP_STEREO_DMIC,
++ CXT_PINCFG_LENOVO_NOTEBOOK,
+ CXT_FIXUP_INC_MIC_BOOST,
+ CXT_FIXUP_HEADPHONE_MIC_PIN,
+ CXT_FIXUP_HEADPHONE_MIC,
+@@ -698,6 +699,14 @@ static const struct hda_fixup cxt_fixups
+ .type = HDA_FIXUP_FUNC,
+ .v.func = cxt_fixup_stereo_dmic,
+ },
++ [CXT_PINCFG_LENOVO_NOTEBOOK] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x1a, 0x05d71030 },
++ { }
++ },
++ .chain_id = CXT_FIXUP_STEREO_DMIC,
++ },
+ [CXT_FIXUP_INC_MIC_BOOST] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = cxt5066_increase_mic_boost,
+@@ -860,7 +869,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
+- SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
++ SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_PINCFG_LENOVO_NOTEBOOK),
+ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI),
diff --git a/queue-4.9/series b/queue-4.9/series
index 5eb784418ac..64f19d4dd66 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -28,3 +28,7 @@ alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-probing.patch
 add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch
 kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-with-gif-0.patch
 kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-all-fault-checks.patch
+alsa-hda-conexant-add-quirk-for-lenovo-20149-notebook-model.patch
+alsa-hda-cirrus-support-for-imac-12-1-model.patch
+vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
+usbnet-fix-linkwatch-use-after-free-on-disconnect.patch
diff --git a/queue-4.9/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch b/queue-4.9/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch
new file mode 100644
index 00000000000..ca87363cbfc
--- /dev/null
+++ b/queue-4.9/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch
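Review bot: The new `[CXT_PINCFG_LENOVO_NOTEBOOK]` fixup hard-codes `{ 0x1a, 0x05d71030 }` with nothing in the code saying which pin or model it is for, so a reader of the 4.9 tree has to find this commit message to understand it; a one-line comment above the entry such as `/* 0x1a: headphone pin config for the LENOVO 20149 (Type1Sku0), CX20590, PCI SSID 17aa:3977 */` would carry that. The `.chain_id = CXT_FIXUP_STEREO_DMIC` keeps the fixup the `17aa:3977` entry had before, so existing "Lenovo IdeaPad U310" behaviour is preserved, but the entry's name string now identifies only one of the two models it matches; consider `"Lenovo IdeaPad U310 / 20149"` so the quirk name is not misleading. The `cxt_fixups` and `cxt5066_fixups` tables both begin and end outside this hunk.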
@@ -0,0 +1,85 @@
+From a69e617e533edddf3fa3123149900f36e0a6dc74 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Thu, 23 Jun 2022 14:50:59 +0200
+Subject: usbnet: Fix linkwatch use-after-free on disconnect
+
+From: Lukas Wunner
+
+commit a69e617e533edddf3fa3123149900f36e0a6dc74 upstream.
+
+usbnet uses the work usbnet_deferred_kevent() to perform tasks which may
+sleep. On disconnect, completion of the work was originally awaited in
+->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic
+commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":
+
+ https://git.kernel.org/tglx/history/c/0f138bbfd83c
+
+The change was made because back then, the kernel's workqueue
+implementation did not allow waiting for a single work. One had to wait
+for completion of *all* work by calling flush_scheduled_work(), and that
+could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex
+held in ->ndo_stop().
+
+The commit solved one problem but created another: It causes a
+use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,
+ax88179_178a.c, ch9200.c and smsc75xx.c:
+
+* If the drivers receive a link change interrupt immediately before
+ disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)
+ ->status() callback and schedule usbnet_deferred_kevent().
+* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback,
+ which calls netif_carrier_{on,off}().
+* That in turn schedules the work linkwatch_event().
+
+Because usbnet_deferred_kevent() is awaited after unregister_netdev(),
+netif_carrier_{on,off}() may operate on an unregistered netdev and
+linkwatch_event() may run after free_netdev(), causing a use-after-free.
+
+In 2010, usbnet was changed to only wait for a single instance of
+usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf
+("drivers/net: don't use flush_scheduled_work()").
+
+Unfortunately the commit neglected to move the wait back to
+->ndo_stop(). Rectify that omission at long last.
+
+Reported-by: Jann Horn
+Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/
+Reported-by: Oleksij Rempel
+Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/
+Signed-off-by: Lukas Wunner
+Cc: stable@vger.kernel.org
+Acked-by: Oliver Neukum
+Link: https://lore.kernel.org/r/d1c87ebe9fc502bffcd1576e238d685ad08321e4.1655987888.git.lukas@wunner.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -847,13 +847,11 @@ int usbnet_stop (struct net_device *net)
+ 
+ mpn = !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags);
+ 
+- /* deferred work (task, timer, softirq) must also stop.
+- * can't flush_scheduled_work() until we drop rtnl (later),
+- * else workers could deadlock; so make workers a NOP.
+- */
++ /* deferred work (timer, softirq, task) must also stop */
+ dev->flags = 0;
+ del_timer_sync (&dev->delay);
+ tasklet_kill (&dev->bh);
++ cancel_work_sync(&dev->kevent);
+ if (!pm)
+ usb_autopm_put_interface(dev->intf);
+ 
+@@ -1577,8 +1575,6 @@ void usbnet_disconnect (struct usb_inter
+ net = dev->net;
+ unregister_netdev (net);
+ 
+- cancel_work_sync(&dev->kevent);
+-
+ usb_scuttle_anchored_urbs(&dev->deferred);
+ 
+ if (dev->driver_info->unbind)
diff --git a/queue-4.9/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch b/queue-4.9/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
new file mode 100644
index 00000000000..979d77698c1
--- /dev/null
+++ b/queue-4.9/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
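Review bot: `cancel_work_sync(&dev->kevent)` now runs inside usbnet_stop(), i.e. with rtnl held, and the replacement comment `/* deferred work (timer, softirq, task) must also stop */` drops the old comment's record of why waiting here was once a deadlock risk; the wait is only safe because the kevent worker itself never takes rtnl, so that invariant should be written down, e.g. `/* deferred work (timer, softirq, task) must also stop; waiting for kevent under rtnl is safe only while the worker never takes rtnl */`. The second hunk removes the only cancel on the disconnect path, so a kevent that was scheduled without the interface ever being opened (usbnet_link_change() from probe looks like a candidate, if this tree has it) would no longer be waited for before the netdev is freed; worth confirming for 4.9 before queueing. Both usbnet_stop() and usbnet_disconnect() extend beyond their hunks.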
@@ -0,0 +1,68 @@
+From e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Mon, 8 Aug 2022 09:52:35 +0100
+Subject: vfs: Check the truncate maximum size in inode_newsize_ok()
+
+From: David Howells
+
+commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream.
+
+If something manages to set the maximum file size to MAX_OFFSET+1, this
+can cause the xfs and ext4 filesystems at least to become corrupt.
+
+Ordinarily, the kernel protects against userspace trying this by
+checking the value early in the truncate() and ftruncate() system calls
+calls - but there are at least two places that this check is bypassed:
+
+ (1) Cachefiles will round up the EOF of the backing file to DIO block
+ size so as to allow DIO on the final block - but this might push
+ the offset negative. It then calls notify_change(), but this
+ inadvertently bypasses the checking. This can be triggered if
+ someone puts an 8EiB-1 file on a server for someone else to try and
+ access by, say, nfs.
+
+ (2) ksmbd doesn't check the value it is given in set_end_of_file_info()
+ and then calls vfs_truncate() directly - which also bypasses the
+ check.
+
+In both cases, it is potentially possible for a network filesystem to
+cause a disk filesystem to be corrupted: cachefiles in the client's
+cache filesystem; ksmbd in the server's filesystem.
+
+nfsd is okay as it checks the value, but we can then remove this check
+too.
+
+Fix this by adding a check to inode_newsize_ok(), as called from
+setattr_prepare(), thereby catching the issue as filesystems set up to
+perform the truncate with minimal opportunity for bypassing the new
+check.
+
+Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
+Fixes: f44158485826 ("cifsd: add file operations")
+Signed-off-by: David Howells
+Reported-by: Jeff Layton
+Tested-by: Jeff Layton
+Reviewed-by: Namjae Jeon
+Cc: stable@kernel.org
+Acked-by: Alexander Viro
+cc: Steve French
+cc: Hyunchul Lee
+cc: Chuck Lever
+cc: Dave Wysochanski
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/attr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -111,6 +111,8 @@ EXPORT_SYMBOL(setattr_prepare);
+ */
+ int inode_newsize_ok(const struct inode *inode, loff_t offset)
+ {
++ if (offset < 0)
++ return -EINVAL;
+ if (inode->i_size < offset) {
+ unsigned long limit;
+ 
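Review bot: The new `if (offset < 0) return -EINVAL;` in inode_newsize_ok() is not reflected in the kerneldoc block that closes at the hunk's first context line, so callers such as setattr_prepare() still have no documented statement that a negative size is refused here; add a line to that block along the lines of "A negative @offset is rejected with -EINVAL, so callers that bypass the truncate() syscall checks (notify_change(), vfs_truncate()) are still covered." The kerneldoc starts before the hunk and the function body continues after it. Only code paths that reach inode_newsize_ok(), directly or via setattr_prepare(), gain this protection; a filesystem whose ->setattr skips both would still be exposed to the corruption the commit describes, which is worth auditing in the 4.9 tree when queueing this.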