--- /dev/null
+From e6c8c8839d1dca4dbd186e2e5c432e9591d0fb1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Apr 2020 09:19:26 +0200
+Subject: ALSA: hda: Remove ASUS ROG Zenith from the blacklist
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit a8cf44f085ac12c0b5b8750ebb3b436c7f455419 ]
+
+The commit 3c6fd1f07ed0 ("ALSA: hda: Add driver blacklist") added a
+new blacklist for the devices that are known to have empty codecs, and
+one of the entries was ASUS ROG Zenith II (PCI SSID 1043:874f).
+However, it turned out that the very same PCI SSID is used for the
+previous model that does have the valid HD-audio codecs and the change
+broke the sound on it.
+
+This patch reverts the corresponding entry as a temporary solution.
+Although Zenith II and co will see get the empty HD-audio bus again,
+it'd be merely resource wastes and won't affect the functionality,
+so it's no end of the world. We'll need to address this later,
+e.g. by either switching to DMI string matching or using PCI ID &
+SSID pairs.
+
+Fixes: 3c6fd1f07ed0 ("ALSA: hda: Add driver blacklist")
+Reported-by: Johnathan Smithinovic <johnathan.smithinovic@gmx.at>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200419071926.22683-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index d392c1ec0b282..46670da047074 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2173,7 +2173,6 @@ static const struct hdac_io_ops pci_hda_io_ops = {
+ * should be ignored from the beginning.
+ */
+ static const struct snd_pci_quirk driver_blacklist[] = {
+- SND_PCI_QUIRK(0x1043, 0x874f, "ASUS ROG Zenith II / Strix", 0),
+ SND_PCI_QUIRK(0x1462, 0xcb59, "MSI TRX40 Creator", 0),
+ SND_PCI_QUIRK(0x1462, 0xcb60, "MSI TRX40", 0),
+ {}
+--
+2.20.1
+
--- /dev/null
+From bf4806e45d21e8a3203897f9cc8d0b1e357ce3d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2020 21:11:25 -0400
+Subject: KEYS: Avoid false positive ENOMEM error on key read
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 4f0882491a148059a52480e753b7f07fc550e188 ]
+
+By allocating a kernel buffer with a user-supplied buffer length, it
+is possible that a false positive ENOMEM error may be returned because
+the user-supplied length is just too large even if the system do have
+enough memory to hold the actual key data.
+
+Moreover, if the buffer length is larger than the maximum amount of
+memory that can be returned by kmalloc() (2^(MAX_ORDER-1) number of
+pages), a warning message will also be printed.
+
+To reduce this possibility, we set a threshold (PAGE_SIZE) over which we
+do check the actual key length first before allocating a buffer of the
+right size to hold it. The threshold is arbitrary, it is just used to
+trigger a buffer length check. It does not limit the actual key length
+as long as there is enough memory to satisfy the memory request.
+
+To further avoid large buffer allocation failure due to page
+fragmentation, kvmalloc() is used to allocate the buffer so that vmapped
+pages can be used when there is not a large enough contiguous set of
+pages available for allocation.
+
+In the extremely unlikely scenario that the key keeps on being changed
+and made longer (still <= buflen) in between 2 __keyctl_read_key()
+calls, the __keyctl_read_key() calling loop in keyctl_read_key() may
+have to be iterated a large number of times, but definitely not infinite.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/keys/internal.h | 12 +++++++++
+ security/keys/keyctl.c | 58 +++++++++++++++++++++++++++++-----------
+ 2 files changed, 55 insertions(+), 15 deletions(-)
+
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index e3a5738401866..124273e500cfa 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -20,6 +20,8 @@
+ #include <linux/keyctl.h>
+ #include <linux/refcount.h>
+ #include <linux/compat.h>
++#include <linux/mm.h>
++#include <linux/vmalloc.h>
+
+ struct iovec;
+
+@@ -305,4 +307,14 @@ static inline void key_check(const struct key *key)
+
+ #endif
+
++/*
++ * Helper function to clear and free a kvmalloc'ed memory object.
++ */
++static inline void __kvzfree(const void *addr, size_t len)
++{
++ if (addr) {
++ memset((void *)addr, 0, len);
++ kvfree(addr);
++ }
++}
+ #endif /* _INTERNAL_H */
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 4b6a084e323b5..c07c2e2b24783 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -330,7 +330,7 @@ long keyctl_update_key(key_serial_t id,
+ payload = NULL;
+ if (plen) {
+ ret = -ENOMEM;
+- payload = kmalloc(plen, GFP_KERNEL);
++ payload = kvmalloc(plen, GFP_KERNEL);
+ if (!payload)
+ goto error;
+
+@@ -351,7 +351,7 @@ long keyctl_update_key(key_serial_t id,
+
+ key_ref_put(key_ref);
+ error2:
+- kzfree(payload);
++ __kvzfree(payload, plen);
+ error:
+ return ret;
+ }
+@@ -772,7 +772,8 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+ struct key *key;
+ key_ref_t key_ref;
+ long ret;
+- char *key_data;
++ char *key_data = NULL;
++ size_t key_data_len;
+
+ /* find the key first */
+ key_ref = lookup_user_key(keyid, 0, 0);
+@@ -823,24 +824,51 @@ can_read_key:
+ * Allocating a temporary buffer to hold the keys before
+ * transferring them to user buffer to avoid potential
+ * deadlock involving page fault and mmap_sem.
++ *
++ * key_data_len = (buflen <= PAGE_SIZE)
++ * ? buflen : actual length of key data
++ *
++ * This prevents allocating arbitrary large buffer which can
++ * be much larger than the actual key length. In the latter case,
++ * at least 2 passes of this loop is required.
+ */
+- key_data = kmalloc(buflen, GFP_KERNEL);
++ key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0;
++ for (;;) {
++ if (key_data_len) {
++ key_data = kvmalloc(key_data_len, GFP_KERNEL);
++ if (!key_data) {
++ ret = -ENOMEM;
++ goto key_put_out;
++ }
++ }
+
+- if (!key_data) {
+- ret = -ENOMEM;
+- goto key_put_out;
+- }
+- ret = __keyctl_read_key(key, key_data, buflen);
++ ret = __keyctl_read_key(key, key_data, key_data_len);
++
++ /*
++ * Read methods will just return the required length without
++ * any copying if the provided length isn't large enough.
++ */
++ if (ret <= 0 || ret > buflen)
++ break;
++
++ /*
++ * The key may change (unlikely) in between 2 consecutive
++ * __keyctl_read_key() calls. In this case, we reallocate
++ * a larger buffer and redo the key read when
++ * key_data_len < ret <= buflen.
++ */
++ if (ret > key_data_len) {
++ if (unlikely(key_data))
++ __kvzfree(key_data, key_data_len);
++ key_data_len = ret;
++ continue; /* Allocate buffer */
++ }
+
+- /*
+- * Read methods will just return the required length without
+- * any copying if the provided length isn't large enough.
+- */
+- if (ret > 0 && ret <= buflen) {
+ if (copy_to_user(buffer, key_data, ret))
+ ret = -EFAULT;
++ break;
+ }
+- kzfree(key_data);
++ __kvzfree(key_data, key_data_len);
+
+ key_put_out:
+ key_put(key);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
