From: Sasha Levin Date: Mon, 27 Apr 2020 13:11:45 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.19.119~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=30a7ccbf192439622c97af7e8e9e7f998af93049;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-hda-remove-asus-rog-zenith-from-the-blacklist.patch b/queue-4.14/alsa-hda-remove-asus-rog-zenith-from-the-blacklist.patch new file mode 100644 index 00000000000..4cb210c37c6 --- /dev/null +++ b/queue-4.14/alsa-hda-remove-asus-rog-zenith-from-the-blacklist.patch @@ -0,0 +1,48 @@ +From e6c8c8839d1dca4dbd186e2e5c432e9591d0fb1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Apr 2020 09:19:26 +0200 +Subject: ALSA: hda: Remove ASUS ROG Zenith from the blacklist + +From: Takashi Iwai + +[ Upstream commit a8cf44f085ac12c0b5b8750ebb3b436c7f455419 ] + +The commit 3c6fd1f07ed0 ("ALSA: hda: Add driver blacklist") added a +new blacklist for the devices that are known to have empty codecs, and +one of the entries was ASUS ROG Zenith II (PCI SSID 1043:874f). +However, it turned out that the very same PCI SSID is used for the +previous model that does have the valid HD-audio codecs and the change +broke the sound on it. + +This patch reverts the corresponding entry as a temporary solution. +Although Zenith II and co will see get the empty HD-audio bus again, +it'd be merely resource wastes and won't affect the functionality, +so it's no end of the world. We'll need to address this later, +e.g. by either switching to DMI string matching or using PCI ID & +SSID pairs. + +Fixes: 3c6fd1f07ed0 ("ALSA: hda: Add driver blacklist") +Reported-by: Johnathan Smithinovic +Cc: +Link: https://lore.kernel.org/r/20200419071926.22683-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index d392c1ec0b282..46670da047074 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2173,7 +2173,6 @@ static const struct hdac_io_ops pci_hda_io_ops = { + * should be ignored from the beginning. + */ + static const struct snd_pci_quirk driver_blacklist[] = { +- SND_PCI_QUIRK(0x1043, 0x874f, "ASUS ROG Zenith II / Strix", 0), + SND_PCI_QUIRK(0x1462, 0xcb59, "MSI TRX40 Creator", 0), + SND_PCI_QUIRK(0x1462, 0xcb60, "MSI TRX40", 0), + {} +-- +2.20.1 + diff --git a/queue-4.14/keys-avoid-false-positive-enomem-error-on-key-read.patch b/queue-4.14/keys-avoid-false-positive-enomem-error-on-key-read.patch new file mode 100644 index 00000000000..b7399ff8d41 --- /dev/null +++ b/queue-4.14/keys-avoid-false-positive-enomem-error-on-key-read.patch @@ -0,0 +1,169 @@ +From bf4806e45d21e8a3203897f9cc8d0b1e357ce3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2020 21:11:25 -0400 +Subject: KEYS: Avoid false positive ENOMEM error on key read + +From: Waiman Long + +[ Upstream commit 4f0882491a148059a52480e753b7f07fc550e188 ] + +By allocating a kernel buffer with a user-supplied buffer length, it +is possible that a false positive ENOMEM error may be returned because +the user-supplied length is just too large even if the system do have +enough memory to hold the actual key data. + +Moreover, if the buffer length is larger than the maximum amount of +memory that can be returned by kmalloc() (2^(MAX_ORDER-1) number of +pages), a warning message will also be printed. + +To reduce this possibility, we set a threshold (PAGE_SIZE) over which we +do check the actual key length first before allocating a buffer of the +right size to hold it. The threshold is arbitrary, it is just used to +trigger a buffer length check. It does not limit the actual key length +as long as there is enough memory to satisfy the memory request. + +To further avoid large buffer allocation failure due to page +fragmentation, kvmalloc() is used to allocate the buffer so that vmapped +pages can be used when there is not a large enough contiguous set of +pages available for allocation. + +In the extremely unlikely scenario that the key keeps on being changed +and made longer (still <= buflen) in between 2 __keyctl_read_key() +calls, the __keyctl_read_key() calling loop in keyctl_read_key() may +have to be iterated a large number of times, but definitely not infinite. + +Signed-off-by: Waiman Long +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + security/keys/internal.h | 12 +++++++++ + security/keys/keyctl.c | 58 +++++++++++++++++++++++++++++----------- + 2 files changed, 55 insertions(+), 15 deletions(-) + +diff --git a/security/keys/internal.h b/security/keys/internal.h +index e3a5738401866..124273e500cfa 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -20,6 +20,8 @@ + #include + #include + #include ++#include ++#include + + struct iovec; + +@@ -305,4 +307,14 @@ static inline void key_check(const struct key *key) + + #endif + ++/* ++ * Helper function to clear and free a kvmalloc'ed memory object. ++ */ ++static inline void __kvzfree(const void *addr, size_t len) ++{ ++ if (addr) { ++ memset((void *)addr, 0, len); ++ kvfree(addr); ++ } ++} + #endif /* _INTERNAL_H */ +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index 4b6a084e323b5..c07c2e2b24783 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -330,7 +330,7 @@ long keyctl_update_key(key_serial_t id, + payload = NULL; + if (plen) { + ret = -ENOMEM; +- payload = kmalloc(plen, GFP_KERNEL); ++ payload = kvmalloc(plen, GFP_KERNEL); + if (!payload) + goto error; + +@@ -351,7 +351,7 @@ long keyctl_update_key(key_serial_t id, + + key_ref_put(key_ref); + error2: +- kzfree(payload); ++ __kvzfree(payload, plen); + error: + return ret; + } +@@ -772,7 +772,8 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + struct key *key; + key_ref_t key_ref; + long ret; +- char *key_data; ++ char *key_data = NULL; ++ size_t key_data_len; + + /* find the key first */ + key_ref = lookup_user_key(keyid, 0, 0); +@@ -823,24 +824,51 @@ can_read_key: + * Allocating a temporary buffer to hold the keys before + * transferring them to user buffer to avoid potential + * deadlock involving page fault and mmap_sem. ++ * ++ * key_data_len = (buflen <= PAGE_SIZE) ++ * ? buflen : actual length of key data ++ * ++ * This prevents allocating arbitrary large buffer which can ++ * be much larger than the actual key length. In the latter case, ++ * at least 2 passes of this loop is required. + */ +- key_data = kmalloc(buflen, GFP_KERNEL); ++ key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0; ++ for (;;) { ++ if (key_data_len) { ++ key_data = kvmalloc(key_data_len, GFP_KERNEL); ++ if (!key_data) { ++ ret = -ENOMEM; ++ goto key_put_out; ++ } ++ } + +- if (!key_data) { +- ret = -ENOMEM; +- goto key_put_out; +- } +- ret = __keyctl_read_key(key, key_data, buflen); ++ ret = __keyctl_read_key(key, key_data, key_data_len); ++ ++ /* ++ * Read methods will just return the required length without ++ * any copying if the provided length isn't large enough. ++ */ ++ if (ret <= 0 || ret > buflen) ++ break; ++ ++ /* ++ * The key may change (unlikely) in between 2 consecutive ++ * __keyctl_read_key() calls. In this case, we reallocate ++ * a larger buffer and redo the key read when ++ * key_data_len < ret <= buflen. ++ */ ++ if (ret > key_data_len) { ++ if (unlikely(key_data)) ++ __kvzfree(key_data, key_data_len); ++ key_data_len = ret; ++ continue; /* Allocate buffer */ ++ } + +- /* +- * Read methods will just return the required length without +- * any copying if the provided length isn't large enough. +- */ +- if (ret > 0 && ret <= buflen) { + if (copy_to_user(buffer, key_data, ret)) + ret = -EFAULT; ++ break; + } +- kzfree(key_data); ++ __kvzfree(key_data, key_data_len); + + key_put_out: + key_put(key); +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 480df8c552a..8aa0ffbbf60 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -33,3 +33,5 @@ team-fix-hang-in-team_mode_get.patch net-dsa-b53-fix-arl-register-definitions.patch xfrm-always-set-xfrm_transformed-in-xfrm-4-6-_output_finish.patch vrf-check-skb-for-xfrm_transformed-flag.patch +keys-avoid-false-positive-enomem-error-on-key-read.patch +alsa-hda-remove-asus-rog-zenith-from-the-blacklist.patch