From: Greg Kroah-Hartman
Date: Sat, 10 Apr 2021 13:29:26 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.19.187~78
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1ad462782f6c285c0c18dc18ad5ff88af369a703;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches
added patches:
alsa-aloop-fix-initialization-of-controls.patch
nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch
nfc-fix-memory-leak-in-llcp_sock_connect.patch
nfc-fix-refcount-leak-in-llcp_sock_bind.patch
nfc-fix-refcount-leak-in-llcp_sock_connect.patch
xen-evtchn-change-irq_info-lock-to-raw_spinlock_t.patch
---
diff --git a/queue-4.4/alsa-aloop-fix-initialization-of-controls.patch b/queue-4.4/alsa-aloop-fix-initialization-of-controls.patch
new file mode 100644
index 00000000000..d9653e2509d
--- /dev/null
+++ b/queue-4.4/alsa-aloop-fix-initialization-of-controls.patch
@@ -0,0 +1,51 @@
+From 168632a495f49f33a18c2d502fc249d7610375e9 Mon Sep 17 00:00:00 2001
+From: Jonas Holmberg
+Date: Wed, 7 Apr 2021 09:54:28 +0200
+Subject: ALSA: aloop: Fix initialization of controls
+
+From: Jonas Holmberg
+
+commit 168632a495f49f33a18c2d502fc249d7610375e9 upstream.
+
+Add a control to the card before copying the id so that the numid field
+is initialized in the copy. Otherwise the numid field of active_id,
+format_id, rate_id and channels_id will be the same (0) and
+snd_ctl_notify() will not queue the events properly.
+
+Signed-off-by: Jonas Holmberg
+Reviewed-by: Jaroslav Kysela
+Cc:
+Link: https://lore.kernel.org/r/20210407075428.2666787-1-jonashg@axis.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/drivers/aloop.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -1062,6 +1062,14 @@ static int loopback_mixer_new(struct loo
+ return -ENOMEM;
+ kctl->id.device = dev;
+ kctl->id.subdevice = substr;
++
++ /* Add the control before copying the id so that
++ * the numid field of the id is set in the copy.
++ */
++ err = snd_ctl_add(card, kctl);
++ if (err < 0)
++ return err;
++
+ switch (idx) {
+ case ACTIVE_IDX:
+ setup->active_id = kctl->id;
+@@ -1078,9 +1086,6 @@ static int loopback_mixer_new(struct loo
+ default:
+ break;
+ }
+- err = snd_ctl_add(card, kctl);
+- if (err < 0)
+- return err;
+ }
+ }
+ }
diff --git a/queue-4.4/nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch b/queue-4.4/nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch
new file mode 100644
index 00000000000..55d67c815cb
--- /dev/null
+++ b/queue-4.4/nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch
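Review bot: Once the relocated `err = snd_ctl_add(card, kctl);` succeeds, kctl is owned by the card, yet the `switch (idx)` that follows still dereferences `kctl->id` to fill setup->active_id and friends; that is only safe while nothing can remove the control concurrently, which presumably holds because the card is not yet registered at this point, but the new comment does not say so. I'd extend it: `/* After snd_ctl_add() kctl belongs to the card; its id is only read below, before the card is registered. */`. The early return on a failed add now skips the id copy entirely, which is consistent with the error being propagated. loopback_mixer_new starts and ends outside this hunk.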
@@ -0,0 +1,44 @@
+From 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni
+Date: Thu, 25 Mar 2021 11:51:13 +0800
+Subject: nfc: Avoid endless loops caused by repeated llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni
+
+commit 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 upstream.
+
+When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
+ LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
+ nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
+ sk->sk_node->next will point to itself, that will make an endless loop
+ and hang-up the system.
+To fix it, check whether sk->sk_state is LLCP_CONNECTING in
+ llcp_sock_connect() to avoid repeated invoking.
+
+Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
+Reported-by: "kiyin(尹亮)"
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: #v3.11
+Signed-off-by: Xiaoming Ni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/llcp_sock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -679,6 +679,10 @@ static int llcp_sock_connect(struct sock
+ ret = -EISCONN;
+ goto error;
+ }
++ if (sk->sk_state == LLCP_CONNECTING) {
++ ret = -EINPROGRESS;
++ goto error;
++ }
+
+ dev = nfc_get_device(addr->dev_idx);
+ if (dev == NULL) {
diff --git a/queue-4.4/nfc-fix-memory-leak-in-llcp_sock_connect.patch b/queue-4.4/nfc-fix-memory-leak-in-llcp_sock_connect.patch
new file mode 100644
index 00000000000..506eeb2b587
--- /dev/null
+++ b/queue-4.4/nfc-fix-memory-leak-in-llcp_sock_connect.patch
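Review bot: The added guard answers a second connect() on a socket already in LLCP_CONNECTING with -EINPROGRESS, but the socket API convention for a non-blocking connect whose earlier attempt is still pending is EALREADY (connect(2)); a caller that treats EINPROGRESS as "a fresh attempt was just started" is misled here. I'd change the added line to `ret = -EALREADY;`. The guard does close the double nfc_llcp_sock_link() described in the changelog, provided sk->sk_state is read under the socket lock, which is presumably taken earlier in llcp_sock_connect (not visible here). llcp_sock_connect starts and ends outside this hunk.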
@@ -0,0 +1,41 @@
+From 7574fcdbdcb335763b6b322f6928dc0fd5730451 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni
+Date: Thu, 25 Mar 2021 11:51:12 +0800
+Subject: nfc: fix memory leak in llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni
+
+commit 7574fcdbdcb335763b6b322f6928dc0fd5730451 upstream.
+
+In llcp_sock_connect(), use kmemdup to allocate memory for
+ "llcp_sock->service_name". The memory is not released in the sock_unlink
+label of the subsequent failure branch.
+As a result, memory leakage occurs.
+
+fix CVE-2020-25672
+
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Reported-by: "kiyin(尹亮)"
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: #v3.3
+Signed-off-by: Xiaoming Ni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -751,6 +751,8 @@ sock_unlink:
+ nfc_llcp_local_put(llcp_sock->local);
+
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
++ kfree(llcp_sock->service_name);
++ llcp_sock->service_name = NULL;
+
+ put_dev:
+ nfc_put_device(dev);
diff --git a/queue-4.4/nfc-fix-refcount-leak-in-llcp_sock_bind.patch b/queue-4.4/nfc-fix-refcount-leak-in-llcp_sock_bind.patch
new file mode 100644
index 00000000000..07509e1e16c
--- /dev/null
+++ b/queue-4.4/nfc-fix-refcount-leak-in-llcp_sock_bind.patch
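Review bot: The added `kfree(llcp_sock->service_name); llcp_sock->service_name = NULL;` under sock_unlink leaves `llcp_sock->service_name_len` describing a buffer that no longer exists, so any later reader that takes the length as the size of service_name (none is visible from this hunk) would be handed a stale value. For consistency with nulling the pointer I'd add `llcp_sock->service_name_len = 0;` beside it. Reaching sock_unlink from a failure that precedes the kmemdup is fine only because kfree(NULL) is a no-op and the pointer is presumably NULL on a fresh socket; a one-line comment such as `/* service_name may still be NULL if we failed before kmemdup() */` would make that explicit. The enclosing llcp_sock_connect starts outside this hunk.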
@@ -0,0 +1,45 @@
+From c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni
+Date: Thu, 25 Mar 2021 11:51:10 +0800
+Subject: nfc: fix refcount leak in llcp_sock_bind()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni
+
+commit c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d upstream.
+
+nfc_llcp_local_get() is invoked in llcp_sock_bind(),
+but nfc_llcp_local_put() is not invoked in subsequent failure branches.
+As a result, refcount leakage occurs.
+To fix it, add calling nfc_llcp_local_put().
+
+fix CVE-2020-25670
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reported-by: "kiyin(尹亮)"
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: #v3.6
+Signed-off-by: Xiaoming Ni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -119,11 +119,13 @@ static int llcp_sock_bind(struct socket
+ llcp_sock->service_name_len,
+ GFP_KERNEL);
+ if (!llcp_sock->service_name) {
++ nfc_llcp_local_put(llcp_sock->local);
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+ llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
++ nfc_llcp_local_put(llcp_sock->local);
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;
+ ret = -EADDRINUSE;
diff --git a/queue-4.4/nfc-fix-refcount-leak-in-llcp_sock_connect.patch b/queue-4.4/nfc-fix-refcount-leak-in-llcp_sock_connect.patch
new file mode 100644
index 00000000000..9165b6b7eb2
--- /dev/null
+++ b/queue-4.4/nfc-fix-refcount-leak-in-llcp_sock_connect.patch
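Review bot: Both added `nfc_llcp_local_put(llcp_sock->local);` calls drop the reference but leave llcp_sock->local pointing at the released object, so if the socket's teardown path (not visible here) also puts llcp_sock->local whenever it is non-NULL, a bind that fails in either branch followed by close would put the same reference twice. The two puts added in the llcp_sock_connect hunks of nfc-fix-refcount-leak-in-llcp_sock_connect.patch have the same shape. Mirroring what this hunk already does for service_name, I'd follow each put with `llcp_sock->local = NULL;`, or, if teardown is known never to put it, record that in a comment next to the put. llcp_sock_bind starts and ends outside this hunk.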
@@ -0,0 +1,47 @@
+From 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni
+Date: Thu, 25 Mar 2021 11:51:11 +0800
+Subject: nfc: fix refcount leak in llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni
+
+commit 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 upstream.
+
+nfc_llcp_local_get() is invoked in llcp_sock_connect(),
+but nfc_llcp_local_put() is not invoked in subsequent failure branches.
+As a result, refcount leakage occurs.
+To fix it, add calling nfc_llcp_local_put().
+
+fix CVE-2020-25671
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reported-by: "kiyin(尹亮)"
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: #v3.6
+Signed-off-by: Xiaoming Ni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -710,6 +710,7 @@ static int llcp_sock_connect(struct sock
+ llcp_sock->local = nfc_llcp_local_get(local);
+ llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
++ nfc_llcp_local_put(llcp_sock->local);
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+@@ -747,6 +748,7 @@ static int llcp_sock_connect(struct sock
+
+ sock_unlink:
+ nfc_llcp_put_ssap(local, llcp_sock->ssap);
++ nfc_llcp_local_put(llcp_sock->local);
+
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
+
diff --git a/queue-4.4/series b/queue-4.4/series
index a4acd38ee17..fd227612e7a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1 +1,7 @@
 iio-hid-sensor-prox-fix-scale-not-correct-issue.patch
+alsa-aloop-fix-initialization-of-controls.patch
+nfc-fix-refcount-leak-in-llcp_sock_bind.patch
+nfc-fix-refcount-leak-in-llcp_sock_connect.patch
+nfc-fix-memory-leak-in-llcp_sock_connect.patch
+nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch
+xen-evtchn-change-irq_info-lock-to-raw_spinlock_t.patch
diff --git a/queue-4.4/xen-evtchn-change-irq_info-lock-to-raw_spinlock_t.patch b/queue-4.4/xen-evtchn-change-irq_info-lock-to-raw_spinlock_t.patch
new file mode 100644
index 00000000000..5c2265c7857
--- /dev/null
+++ b/queue-4.4/xen-evtchn-change-irq_info-lock-to-raw_spinlock_t.patch
@@ -0,0 +1,83 @@
+From d120198bd5ff1d41808b6914e1eb89aff937415c Mon Sep 17 00:00:00 2001
+From: Luca Fancellu
+Date: Tue, 6 Apr 2021 11:51:04 +0100
+Subject: xen/evtchn: Change irq_info lock to raw_spinlock_t
+
+From: Luca Fancellu
+
+commit d120198bd5ff1d41808b6914e1eb89aff937415c upstream.
+
+Unmask operation must be called with interrupt disabled,
+on preempt_rt spin_lock_irqsave/spin_unlock_irqrestore
+don't disable/enable interrupts, so use raw_* implementation
+and change lock variable in struct irq_info from spinlock_t
+to raw_spinlock_t
+
+Cc: stable@vger.kernel.org
+Fixes: 25da4618af24 ("xen/events: don't unmask an event channel when an eoi is pending")
+Signed-off-by: Luca Fancellu
+Reviewed-by: Julien Grall
+Reviewed-by: Wei Liu
+Link: https://lore.kernel.org/r/20210406105105.10141-1-luca.fancellu@arm.com
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/events/events_base.c | 10 +++++-----
+ drivers/xen/events/events_internal.h | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -222,7 +222,7 @@ static int xen_irq_info_common_setup(str
+ info->evtchn = evtchn;
+ info->cpu = cpu;
+ info->mask_reason = EVT_MASK_REASON_EXPLICIT;
+- spin_lock_init(&info->lock);
++ raw_spin_lock_init(&info->lock);
+
+ ret = set_evtchn_to_irq(evtchn, irq);
+ if (ret < 0)
+@@ -374,28 +374,28 @@ static void do_mask(struct irq_info *inf
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(&info->lock, flags);
++ raw_spin_lock_irqsave(&info->lock, flags);
+
+ if (!info->mask_reason)
+ mask_evtchn(info->evtchn);
+
+ info->mask_reason |= reason;
+
+- spin_unlock_irqrestore(&info->lock, flags);
++ raw_spin_unlock_irqrestore(&info->lock, flags);
+ }
+
+ static void do_unmask(struct irq_info *info, u8 reason)
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(&info->lock, flags);
++ raw_spin_lock_irqsave(&info->lock, flags);
+
+ info->mask_reason &= ~reason;
+
+ if (!info->mask_reason)
+ unmask_evtchn(info->evtchn);
+
+- spin_unlock_irqrestore(&info->lock, flags);
++ raw_spin_unlock_irqrestore(&info->lock, flags);
+ }
+
+ #ifdef CONFIG_X86
+--- a/drivers/xen/events/events_internal.h
++++ b/drivers/xen/events/events_internal.h
+@@ -47,7 +47,7 @@ struct irq_info {
+ unsigned short eoi_cpu; /* EOI must happen on this cpu */
+ unsigned int irq_epoch; /* If eoi_cpu valid: irq_epoch of event */
+ u64 eoi_time; /* Time in jiffies when to EOI. */
+- spinlock_t lock;
++ raw_spinlock_t lock;
+
+ union {
+ unsigned short virq;