From: Greg Kroah-Hartman Date: Wed, 7 Aug 2024 14:34:51 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v6.1.104~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=00b75d482108820f90b57cfaac23bf9920a5ce6b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch --- diff --git a/queue-4.19/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch b/queue-4.19/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch new file mode 100644 index 00000000000..6c960e54c92 --- /dev/null +++ b/queue-4.19/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch @@ -0,0 +1,41 @@ +From b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 31 Jul 2024 16:19:41 +0200 +Subject: ALSA: usb-audio: Correct surround channels in UAC1 channel map + +From: Takashi Iwai + +commit b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d upstream. + +USB-audio driver puts SNDRV_CHMAP_SL and _SR as left and right +surround channels for UAC1 channel map, respectively. But they should +have been SNDRV_CHMAP_RL and _RR; the current value *_SL and _SR are +rather "side" channels, not "surround". I guess I took those +mistakenly when I read the spec mentioning "surround left". + +This patch corrects those entries to be the right channels. + +Suggested-by: Sylvain BERTRAND +Closes: https://lore.kernel.orgZ/qIyJD8lhd8hFhlC@freedom +Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") +Cc: +Link: https://patch.msgid.link/20240731142018.24750-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -250,8 +250,8 @@ static struct snd_pcm_chmap_elem *conver + SNDRV_CHMAP_FR, /* right front */ + SNDRV_CHMAP_FC, /* center front */ + SNDRV_CHMAP_LFE, /* LFE */ +- SNDRV_CHMAP_SL, /* left surround */ +- SNDRV_CHMAP_SR, /* right surround */ ++ SNDRV_CHMAP_RL, /* left surround */ ++ SNDRV_CHMAP_RR, /* right surround */ + SNDRV_CHMAP_FLC, /* left of center */ + SNDRV_CHMAP_FRC, /* right of center */ + SNDRV_CHMAP_RC, /* surround */ diff --git a/queue-4.19/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch b/queue-4.19/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch index fbe2d40d5e0..a7b742ff037 100644 --- a/queue-4.19/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch +++ b/queue-4.19/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch @@ -32,14 +32,12 @@ Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin --- - net/ipv6/ndisc.c | 34 ++++++++++++++++++---------------- + net/ipv6/ndisc.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) -diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c -index a640deb9ab14d..0961596bb085e 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c -@@ -223,6 +223,7 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, +@@ -223,6 +223,7 @@ struct ndisc_options *ndisc_parse_option return NULL; memset(ndopts, 0, sizeof(*ndopts)); while (opt_len) { @@ -47,7 +45,7 @@ index a640deb9ab14d..0961596bb085e 100644 int l; if (opt_len < sizeof(struct nd_opt_hdr)) return NULL; -@@ -258,22 +259,23 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, +@@ -258,22 +259,23 @@ struct ndisc_options *ndisc_parse_option break; #endif default: @@ -87,6 +85,3 @@ index a640deb9ab14d..0961596bb085e 100644 } next_opt: opt_len -= l; --- -2.43.0 - diff --git a/queue-4.19/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch b/queue-4.19/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch new file mode 100644 index 00000000000..fb04939bb84 --- /dev/null +++ b/queue-4.19/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch @@ -0,0 +1,60 @@ +From 08f3a5c38087d1569e982a121aad1e6acbf145ce Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 25 Jul 2024 10:29:42 +0800 +Subject: net: usb: sr9700: fix uninitialized variable use in sr_mdio_read + +From: Ma Ke + +commit 08f3a5c38087d1569e982a121aad1e6acbf145ce upstream. + +It could lead to error happen because the variable res is not updated if +the call to sr_share_read_word returns an error. In this particular case +error code was returned and res stayed uninitialized. Same issue also +applies to sr_read_reg. + +This can be avoided by checking the return value of sr_share_read_word +and sr_read_reg, and propagating the error if the read operation failed. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ma Ke +Reviewed-by: Shigeru Yoshida +Reviewed-by: Hariprasad Kelam +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/sr9700.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -178,6 +178,7 @@ static int sr_mdio_read(struct net_devic + struct usbnet *dev = netdev_priv(netdev); + __le16 res; + int rc = 0; ++ int err; + + if (phy_id) { + netdev_dbg(netdev, "Only internal phy supported\n"); +@@ -188,11 +189,17 @@ static int sr_mdio_read(struct net_devic + if (loc == MII_BMSR) { + u8 value; + +- sr_read_reg(dev, SR_NSR, &value); ++ err = sr_read_reg(dev, SR_NSR, &value); ++ if (err < 0) ++ return err; ++ + if (value & NSR_LINKST) + rc = 1; + } +- sr_share_read_word(dev, 1, loc, &res); ++ err = sr_share_read_word(dev, 1, loc, &res); ++ if (err < 0) ++ return err; ++ + if (rc == 1) + res = le16_to_cpu(res) | BMSR_LSTATUS; + else diff --git a/queue-4.19/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch b/queue-4.19/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch new file mode 100644 index 00000000000..01dd380fee3 --- /dev/null +++ b/queue-4.19/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch @@ -0,0 +1,34 @@ +From 8aa37bde1a7b645816cda8b80df4753ecf172bf1 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 1 Aug 2024 15:22:22 -0400 +Subject: protect the fetch of ->fd[fd] in do_dup2() from mispredictions + +From: Al Viro + +commit 8aa37bde1a7b645816cda8b80df4753ecf172bf1 upstream. + +both callers have verified that fd is not greater than ->max_fds; +however, misprediction might end up with + tofree = fdt->fd[fd]; +being speculatively executed. That's wrong for the same reasons +why it's wrong in close_fd()/file_close_fd_locked(); the same +solution applies - array_index_nospec(fd, fdt->max_fds) could differ +from fd only in case of speculative execution on mispredicted path. + +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -879,6 +879,7 @@ __releases(&files->file_lock) + * tables and this condition does not arise without those. + */ + fdt = files_fdtable(files); ++ fd = array_index_nospec(fd, fdt->max_fds); + tofree = fdt->fd[fd]; + if (!tofree && fd_is_open(fd, fdt)) + goto Ebusy; diff --git a/queue-4.19/series b/queue-4.19/series index 817a2d67049..b6e532b8703 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -123,3 +123,6 @@ remoteproc-imx_rproc-skip-over-memory-region-when-no.patch drm-vmwgfx-fix-overlay-when-using-screen-targets.patch net-iucv-fix-use-after-free-in-iucv_sock_close.patch ipv6-fix-ndisc_is_useropt-handling-for-pio.patch +protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch +alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch +net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch