--- /dev/null
+From 168632a495f49f33a18c2d502fc249d7610375e9 Mon Sep 17 00:00:00 2001
+From: Jonas Holmberg <jonashg@axis.com>
+Date: Wed, 7 Apr 2021 09:54:28 +0200
+Subject: ALSA: aloop: Fix initialization of controls
+
+From: Jonas Holmberg <jonashg@axis.com>
+
+commit 168632a495f49f33a18c2d502fc249d7610375e9 upstream.
+
+Add a control to the card before copying the id so that the numid field
+is initialized in the copy. Otherwise the numid field of active_id,
+format_id, rate_id and channels_id will be the same (0) and
+snd_ctl_notify() will not queue the events properly.
+
+Signed-off-by: Jonas Holmberg <jonashg@axis.com>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210407075428.2666787-1-jonashg@axis.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/drivers/aloop.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -1062,6 +1062,14 @@ static int loopback_mixer_new(struct loo
+ return -ENOMEM;
+ kctl->id.device = dev;
+ kctl->id.subdevice = substr;
++
++ /* Add the control before copying the id so that
++ * the numid field of the id is set in the copy.
++ */
++ err = snd_ctl_add(card, kctl);
++ if (err < 0)
++ return err;
++
+ switch (idx) {
+ case ACTIVE_IDX:
+ setup->active_id = kctl->id;
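Review bot: The new comment in loopback_mixer_new() explains the numid ordering but not the ownership change that comes with it: once `snd_ctl_add(card, kctl)` succeeds the card owns kctl, and the `setup->active_id = kctl->id` copies now read it after that hand-over. That looks safe only because the card is presumably not yet registered at this point, which the hunk does not show. I would extend the comment with something like `/* kctl is owned by the card from here on; only its id is read below */`. As far as I know snd_ctl_add() releases the control itself on failure, so the bare `return err` should not leak it, but that is worth confirming since the function body continues outside the hunk.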
+@@ -1078,9 +1086,6 @@ static int loopback_mixer_new(struct loo
+ default:
+ break;
+ }
+- err = snd_ctl_add(card, kctl);
+- if (err < 0)
+- return err;
+ }
+ }
+ }
--- /dev/null
+From aa65bacdb70e549a81de03ec72338e1047842883 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 24 Mar 2021 14:27:10 +0100
+Subject: ASoC: intel: atom: Stop advertising non working S24LE support
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit aa65bacdb70e549a81de03ec72338e1047842883 upstream.
+
+The SST firmware's media and deep-buffer inputs are hardcoded to
+S16LE, the corresponding DAIs don't have a hw_params callback and
+their prepare callback also does not take the format into account.
+
+So far the advertising of non working S24LE support has not caused
+issues because pulseaudio defaults to S16LE, but changing pulse-audio's
+config to use S24LE will result in broken sound.
+
+Pipewire is replacing pulse now and pipewire prefers S24LE over S16LE
+when available, causing the problem of the broken S24LE support to
+come to the surface now.
+
+Cc: stable@vger.kernel.org
+BugLink: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/866
+Fixes: 098c2cd281409 ("ASoC: Intel: Atom: add 24-bit support for media playback and capture")
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210324132711.216152-2-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -508,14 +508,14 @@ static struct snd_soc_dai_driver sst_pla
+ .channels_min = SST_STEREO,
+ .channels_max = SST_STEREO,
+ .rates = SNDRV_PCM_RATE_44100|SNDRV_PCM_RATE_48000,
+- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ .capture = {
+ .stream_name = "Headset Capture",
+ .channels_min = 1,
+ .channels_max = 2,
+ .rates = SNDRV_PCM_RATE_44100|SNDRV_PCM_RATE_48000,
+- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ },
+ {
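Review bot: Nothing in the code records why these DAIs are limited to S16LE, so the dropped format bit could easily be re-added later; this applies to both `.formats` lines in this hunk and to the one in the following hunk at 526. The reason lives only in the commit message. A short comment next to the first entry would keep it with the table, for example `/* SST firmware media/deep-buffer inputs are hardcoded to S16LE */`. The sst_platform_dai array starts and ends outside the hunks, so other entries may need the same check.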
+@@ -526,7 +526,7 @@ static struct snd_soc_dai_driver sst_pla
+ .channels_min = SST_STEREO,
+ .channels_max = SST_STEREO,
+ .rates = SNDRV_PCM_RATE_44100|SNDRV_PCM_RATE_48000,
+- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ },
+ {
--- /dev/null
+From 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:13 +0800
+Subject: nfc: Avoid endless loops caused by repeated llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 upstream.
+
+When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
+ LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
+ nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
+ sk->sk_node->next will point to itself, that will make an endless loop
+ and hang-up the system.
+To fix it, check whether sk->sk_state is LLCP_CONNECTING in
+ llcp_sock_connect() to avoid repeated invoking.
+
+Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.11
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -685,6 +685,10 @@ static int llcp_sock_connect(struct sock
+ ret = -EISCONN;
+ goto error;
+ }
++ if (sk->sk_state == LLCP_CONNECTING) {
++ ret = -EINPROGRESS;
++ goto error;
++ }
+
+ dev = nfc_get_device(addr->dev_idx);
+ if (dev == NULL) {
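Review bot: The new `LLCP_CONNECTING` branch returns `-EINPROGRESS`, the same value the first non-blocking connect() returns, so a caller cannot tell "connection started" from "a connect is already pending"; other socket families conventionally use `ret = -EALREADY;` for the repeated call. The guard is also the only thing stopping a second nfc_llcp_sock_link() on the same sk, and it is only reliable if the socket lock is held across the state check and the link, which happens outside this hunk. A one-line comment such as `/* a connect is already pending; linking sk twice corrupts connecting_sockets */` would keep that reason next to the check.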
--- /dev/null
+From 7574fcdbdcb335763b6b322f6928dc0fd5730451 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:12 +0800
+Subject: nfc: fix memory leak in llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit 7574fcdbdcb335763b6b322f6928dc0fd5730451 upstream.
+
+In llcp_sock_connect(), use kmemdup to allocate memory for
+ "llcp_sock->service_name". The memory is not released in the sock_unlink
+label of the subsequent failure branch.
+As a result, memory leakage occurs.
+
+fix CVE-2020-25672
+
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.3
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -757,6 +757,8 @@ sock_unlink:
+ nfc_llcp_local_put(llcp_sock->local);
+
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
++ kfree(llcp_sock->service_name);
++ llcp_sock->service_name = NULL;
+
+ put_dev:
+ nfc_put_device(dev);
--- /dev/null
+From c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:10 +0800
+Subject: nfc: fix refcount leak in llcp_sock_bind()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d upstream.
+
+nfc_llcp_local_get() is invoked in llcp_sock_bind(),
+but nfc_llcp_local_put() is not invoked in subsequent failure branches.
+As a result, refcount leakage occurs.
+To fix it, add calling nfc_llcp_local_put().
+
+fix CVE-2020-25670
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.6
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -119,11 +119,13 @@ static int llcp_sock_bind(struct socket
+ llcp_sock->service_name_len,
+ GFP_KERNEL);
+ if (!llcp_sock->service_name) {
++ nfc_llcp_local_put(llcp_sock->local);
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+ llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
++ nfc_llcp_local_put(llcp_sock->local);
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;
+ ret = -EADDRINUSE;
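Review bot: Both added `nfc_llcp_local_put(llcp_sock->local);` calls drop the reference but leave the stale pointer in `llcp_sock->local`, whereas the neighbouring lines already do the kfree-then-NULL pairing for `service_name`. If the socket's release or free path puts `llcp_sock->local` again whenever it is non-NULL (that path is not visible here), a failed bind followed by close would be a double put and a possible use-after-free of the local. I would add `llcp_sock->local = NULL;` directly after each put. The same applies to the two puts added in llcp_sock_connect() at 716 and at the `sock_unlink:` label in the following patch.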
--- /dev/null
+From 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:11 +0800
+Subject: nfc: fix refcount leak in llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 upstream.
+
+nfc_llcp_local_get() is invoked in llcp_sock_connect(),
+but nfc_llcp_local_put() is not invoked in subsequent failure branches.
+As a result, refcount leakage occurs.
+To fix it, add calling nfc_llcp_local_put().
+
+fix CVE-2020-25671
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.6
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -716,6 +716,7 @@ static int llcp_sock_connect(struct sock
+ llcp_sock->local = nfc_llcp_local_get(local);
+ llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
++ nfc_llcp_local_put(llcp_sock->local);
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+@@ -753,6 +754,7 @@ static int llcp_sock_connect(struct sock
+
+ sock_unlink:
+ nfc_llcp_put_ssap(local, llcp_sock->ssap);
++ nfc_llcp_local_put(llcp_sock->local);
+
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+
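Review bot: At `sock_unlink:` the added `nfc_llcp_local_put(llcp_sock->local);` runs before `nfc_llcp_sock_unlink(&local->connecting_sockets, sk);`, which still dereferences `local`. That is only safe while someone else holds a reference on the local, which this hunk does not establish. Releasing the reference after the last use of `local` removes that dependency: move the put below the unlink call, and below the `service_name` cleanup that a later patch in this series adds at the same label. The label's fall-through into `put_dev:` is outside the hunk.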
arm-8723-2-always-assume-the-unified-syntax-for-assembly-code.patch
iio-hid-sensor-prox-fix-scale-not-correct-issue.patch
+alsa-aloop-fix-initialization-of-controls.patch
+asoc-intel-atom-stop-advertising-non-working-s24le-support.patch
+nfc-fix-refcount-leak-in-llcp_sock_bind.patch
+nfc-fix-refcount-leak-in-llcp_sock_connect.patch
+nfc-fix-memory-leak-in-llcp_sock_connect.patch
+nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch
+xen-evtchn-change-irq_info-lock-to-raw_spinlock_t.patch
--- /dev/null
+From d120198bd5ff1d41808b6914e1eb89aff937415c Mon Sep 17 00:00:00 2001
+From: Luca Fancellu <luca.fancellu@arm.com>
+Date: Tue, 6 Apr 2021 11:51:04 +0100
+Subject: xen/evtchn: Change irq_info lock to raw_spinlock_t
+
+From: Luca Fancellu <luca.fancellu@arm.com>
+
+commit d120198bd5ff1d41808b6914e1eb89aff937415c upstream.
+
+Unmask operation must be called with interrupt disabled,
+on preempt_rt spin_lock_irqsave/spin_unlock_irqrestore
+don't disable/enable interrupts, so use raw_* implementation
+and change lock variable in struct irq_info from spinlock_t
+to raw_spinlock_t
+
+Cc: stable@vger.kernel.org
+Fixes: 25da4618af24 ("xen/events: don't unmask an event channel when an eoi is pending")
+Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Link: https://lore.kernel.org/r/20210406105105.10141-1-luca.fancellu@arm.com
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/events/events_base.c | 10 +++++-----
+ drivers/xen/events/events_internal.h | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -222,7 +222,7 @@ static int xen_irq_info_common_setup(str
+ info->evtchn = evtchn;
+ info->cpu = cpu;
+ info->mask_reason = EVT_MASK_REASON_EXPLICIT;
+- spin_lock_init(&info->lock);
++ raw_spin_lock_init(&info->lock);
+
+ ret = set_evtchn_to_irq(evtchn, irq);
+ if (ret < 0)
+@@ -374,28 +374,28 @@ static void do_mask(struct irq_info *inf
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(&info->lock, flags);
++ raw_spin_lock_irqsave(&info->lock, flags);
+
+ if (!info->mask_reason)
+ mask_evtchn(info->evtchn);
+
+ info->mask_reason |= reason;
+
+- spin_unlock_irqrestore(&info->lock, flags);
++ raw_spin_unlock_irqrestore(&info->lock, flags);
+ }
+
+ static void do_unmask(struct irq_info *info, u8 reason)
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(&info->lock, flags);
++ raw_spin_lock_irqsave(&info->lock, flags);
+
+ info->mask_reason &= ~reason;
+
+ if (!info->mask_reason)
+ unmask_evtchn(info->evtchn);
+
+- spin_unlock_irqrestore(&info->lock, flags);
++ raw_spin_unlock_irqrestore(&info->lock, flags);
+ }
+
+ #ifdef CONFIG_X86
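Review bot: With `raw_spin_lock_irqsave()` the bodies of do_mask() and do_unmask() now run with interrupts off and non-preemptible on PREEMPT_RT as well, so `mask_evtchn()` and `unmask_evtchn()` must not take a sleeping lock (a plain spinlock_t on RT) or otherwise block. Their bodies are not in this hunk, so that should be checked. The constraint is worth recording where the lock is declared in events_internal.h, for example `raw_spinlock_t lock; /* raw: unmask must run with IRQs off, also on PREEMPT_RT */`, so the type is not converted back later.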
+--- a/drivers/xen/events/events_internal.h
++++ b/drivers/xen/events/events_internal.h
+@@ -47,7 +47,7 @@ struct irq_info {
+ unsigned short eoi_cpu; /* EOI must happen on this cpu */
+ unsigned int irq_epoch; /* If eoi_cpu valid: irq_epoch of event */
+ u64 eoi_time; /* Time in jiffies when to EOI. */
+- spinlock_t lock;
++ raw_spinlock_t lock;
+
+ union {
+ unsigned short virq;