5.10-stable patches

added patches:
	asoc-meson-axg-card-fix-use-after-free.patch

diff --git a/queue-5.10/asoc-meson-axg-card-fix-use-after-free.patch b/queue-5.10/asoc-meson-axg-card-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..079dc43
--- /dev/null
+++ b/queue-5.10/asoc-meson-axg-card-fix-use-after-free.patch
@@ -0,0 +1,82 @@
+From 4f9a71435953f941969a4f017e2357db62d85a86 Mon Sep 17 00:00:00 2001
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Date: Wed, 11 Sep 2024 17:24:25 +0300
+Subject: ASoC: meson: axg-card: fix 'use-after-free'
+
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+
+commit 4f9a71435953f941969a4f017e2357db62d85a86 upstream.
+
+Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()',
+so move 'pad' pointer initialization after this function when memory is
+already reallocated.
+
+Kasan bug report:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc
+Read of size 8 at addr ffff000000e8b260 by task modprobe/356
+
+CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1
+Call trace:
+ dump_backtrace+0x94/0xec
+ show_stack+0x18/0x24
+ dump_stack_lvl+0x78/0x90
+ print_report+0xfc/0x5c0
+ kasan_report+0xb8/0xfc
+ __asan_load8+0x9c/0xb8
+ axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card]
+ meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils]
+ platform_probe+0x8c/0xf4
+ really_probe+0x110/0x39c
+ __driver_probe_device+0xb8/0x18c
+ driver_probe_device+0x108/0x1d8
+ __driver_attach+0xd0/0x25c
+ bus_for_each_dev+0xe0/0x154
+ driver_attach+0x34/0x44
+ bus_add_driver+0x134/0x294
+ driver_register+0xa8/0x1e8
+ __platform_driver_register+0x44/0x54
+ axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card]
+ do_one_initcall+0xdc/0x25c
+ do_init_module+0x10c/0x334
+ load_module+0x24c4/0x26cc
+ init_module_from_file+0xd4/0x128
+ __arm64_sys_finit_module+0x1f4/0x41c
+ invoke_syscall+0x60/0x188
+ el0_svc_common.constprop.0+0x78/0x13c
+ do_el0_svc+0x30/0x40
+ el0_svc+0x38/0x78
+ el0t_64_sync_handler+0x100/0x12c
+ el0t_64_sync+0x190/0x194
+
+Fixes: 7864a79f37b5 ("ASoC: meson: add axg sound card support")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Reviewed-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://patch.msgid.link/20240911142425.598631-1-avkrasnov@salutedevices.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/meson/axg-card.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/meson/axg-card.c
++++ b/sound/soc/meson/axg-card.c
+@@ -104,7 +104,7 @@ static int axg_card_add_tdm_loopback(str
+                                    int *index)
+ {
+       struct meson_card *priv = snd_soc_card_get_drvdata(card);
+-      struct snd_soc_dai_link *pad = &card->dai_link[*index];
++      struct snd_soc_dai_link *pad;
+       struct snd_soc_dai_link *lb;
+       struct snd_soc_dai_link_component *dlc;
+       int ret;
+@@ -114,6 +114,7 @@ static int axg_card_add_tdm_loopback(str
+       if (ret)
+               return ret;
+ 
++      pad = &card->dai_link[*index];
+       lb = &card->dai_link[*index + 1];
+ 
+       lb->name = devm_kasprintf(card->dev, GFP_KERNEL, "%s-lb", pad->name);

diff --git a/queue-5.10/series b/queue-5.10/series
index a8f93a2a90550b043710197451587e38553f24a3..5ee8c43f5dcc489c6e15b42095a8a2100aa422bc 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -24,3 +24,4 @@ net-ftgmac100-enable-tx-interrupt-to-avoid-tx-timeou.patch
 net-dpaa-pad-packets-to-eth_zlen.patch
 spi-nxp-fspi-fix-the-kasan-report-out-of-bounds-bug.patch
 soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch
+asoc-meson-axg-card-fix-use-after-free.patch