--- /dev/null
+From 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 5 Sep 2022 08:07:14 +0200
+Subject: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream.
+
+There is a small race window at snd_pcm_oss_sync() that is called from
+OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
+snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
+for the rest. When the stream is set up again by another thread
+between them, it leads to inconsistency, and may result in unexpected
+results such as NULL dereference of OSS buffer as a fuzzer spotted
+recently.
+
+The fix is simply to cover snd_pcm_oss_make_ready() call into the same
+params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
+
+Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com
+Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Zubin Mithra <zsm@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1662,13 +1662,14 @@ static int snd_pcm_oss_sync(struct snd_p
+ runtime = substream->runtime;
+ if (atomic_read(&substream->mmap_count))
+ goto __direct;
+- if ((err = snd_pcm_oss_make_ready(substream)) < 0)
+- return err;
+ atomic_inc(&runtime->oss.rw_ref);
+ if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+ atomic_dec(&runtime->oss.rw_ref);
+ return -ERESTARTSYS;
+ }
++ err = snd_pcm_oss_make_ready_locked(substream);
++ if (err < 0)
++ goto unlock;
+ format = snd_pcm_oss_format_from(runtime->oss.format);
+ width = snd_pcm_format_physical_width(format);
+ if (runtime->oss.buffer_used > 0) {
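Review bot: The added `goto unlock` after `snd_pcm_oss_make_ready_locked()` jumps to a label outside this hunk, so the new error path cannot be checked from the lines shown. The old `return err` ran before `atomic_inc(&runtime->oss.rw_ref)` and before `params_lock` was taken; the new path runs after both. The `unlock` label therefore has to release the mutex and decrement `rw_ref`, which is worth confirming in the target tree before this backport is applied. A short comment above the call would also record why the ordering matters, for example `/* must run under params_lock: a concurrent re-setup could otherwise change the OSS buffer before it is used below */`. snd_pcm_oss_sync() starts and ends outside the hunk.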
--- /dev/null
+From 60240bc26114543fcbfcd8a28466e67e77b20388 Mon Sep 17 00:00:00 2001
+From: Jalal Mostafa <jalal.a.mostapha@gmail.com>
+Date: Wed, 21 Sep 2022 13:57:01 +0000
+Subject: xsk: Inherit need_wakeup flag for shared sockets
+
+From: Jalal Mostafa <jalal.a.mostapha@gmail.com>
+
+commit 60240bc26114543fcbfcd8a28466e67e77b20388 upstream.
+
+The flag for need_wakeup is not set for xsks with `XDP_SHARED_UMEM`
+flag and of different queue ids and/or devices. They should inherit
+the flag from the first socket buffer pool since no flags can be
+specified once `XDP_SHARED_UMEM` is specified.
+
+Fixes: b5aea28dca134 ("xsk: Add shared umem support between queue ids")
+Signed-off-by: Jalal Mostafa <jalal.a.mostapha@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/bpf/20220921135701.10199-1-jalal.a.mostapha@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/xsk_buff_pool.h | 2 +-
+ net/xdp/xsk.c | 4 ++--
+ net/xdp/xsk_buff_pool.c | 5 +++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/include/net/xsk_buff_pool.h
++++ b/include/net/xsk_buff_pool.h
+@@ -86,7 +86,7 @@ struct xsk_buff_pool *xp_create_and_assi
+ struct xdp_umem *umem);
+ int xp_assign_dev(struct xsk_buff_pool *pool, struct net_device *dev,
+ u16 queue_id, u16 flags);
+-int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_umem *umem,
++int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ struct net_device *dev, u16 queue_id);
+ void xp_destroy(struct xsk_buff_pool *pool);
+ void xp_release(struct xdp_buff_xsk *xskb);
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -742,8 +742,8 @@ static int xsk_bind(struct socket *sock,
+ goto out_unlock;
+ }
+
+- err = xp_assign_dev_shared(xs->pool, umem_xs->umem,
+- dev, qid);
++ err = xp_assign_dev_shared(xs->pool, umem_xs, dev,
++ qid);
+ if (err) {
+ xp_destroy(xs->pool);
+ xs->pool = NULL;
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -198,17 +198,18 @@ int xp_assign_dev(struct xsk_buff_pool *
+ return __xp_assign_dev(pool, dev, queue_id, flags);
+ }
+
+-int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_umem *umem,
++int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ struct net_device *dev, u16 queue_id)
+ {
+ u16 flags;
++ struct xdp_umem *umem = umem_xs->umem;
+
+ /* One fill and completion ring required for each queue id. */
+ if (!pool->fq || !pool->cq)
+ return -EINVAL;
+
+ flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY;
+- if (pool->uses_need_wakeup)
++ if (umem_xs->pool->uses_need_wakeup)
+ flags |= XDP_USE_NEED_WAKEUP;
+
+ return __xp_assign_dev(pool, dev, queue_id, flags);
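Review bot: xp_assign_dev_shared() now dereferences `umem_xs->umem` in the new declaration and `umem_xs->pool->uses_need_wakeup` in the flag test, both without a guard. It therefore depends on the caller passing a socket that is already bound and has a non-NULL pool. The xsk_bind() hunk in this patch shows only the call, so whether that is validated earlier is not visible here and should be confirmed in the target tree. The precondition is worth stating above the function, for example `/* umem_xs must be a bound socket; its umem and pool are dereferenced unchecked. */`. The function's closing brace is outside the hunk.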