From: Greg Kroah-Hartman Date: Sat, 8 May 2021 11:36:16 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v5.4.118~66 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5d2c23aebab631d0d9c298defb78c777143161f8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: alsa-emu8000-fix-a-use-after-free-in-snd_emu8000_create_mixer.patch alsa-hda-conexant-re-order-cx5066-quirk-table-entries.patch alsa-sb-fix-two-use-after-free-in-snd_sb_qsound_build.patch alsa-usb-audio-add-db-range-mapping-for-sennheiser-communications-headset-pc-8.patch alsa-usb-audio-explicitly-set-up-the-clock-selector.patch --- diff --git a/queue-5.12/alsa-emu8000-fix-a-use-after-free-in-snd_emu8000_create_mixer.patch b/queue-5.12/alsa-emu8000-fix-a-use-after-free-in-snd_emu8000_create_mixer.patch new file mode 100644 index 00000000000..1a891a0f883 --- /dev/null +++ b/queue-5.12/alsa-emu8000-fix-a-use-after-free-in-snd_emu8000_create_mixer.patch @@ -0,0 +1,44 @@ +From 1c98f574403dbcf2eb832d5535a10d967333ef2d Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Mon, 26 Apr 2021 06:11:29 -0700 +Subject: ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer + +From: Lv Yunlong + +commit 1c98f574403dbcf2eb832d5535a10d967333ef2d upstream. + +Our code analyzer reported a uaf. + +In snd_emu8000_create_mixer, the callee snd_ctl_add(..,emu->controls[i]) +calls snd_ctl_add_replace(.., kcontrol,..). Inside snd_ctl_add_replace(), +if error happens, kcontrol will be freed by snd_ctl_free_one(kcontrol). +Then emu->controls[i] points to a freed memory, and the execution comes +to __error branch of snd_emu8000_create_mixer. The freed emu->controls[i] +is used in snd_ctl_remove(card, emu->controls[i]). + +My patch set emu->controls[i] to NULL if snd_ctl_add() failed to avoid +the uaf. + +Signed-off-by: Lv Yunlong +Cc: +Link: https://lore.kernel.org/r/20210426131129.4796-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/sb/emu8000.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/isa/sb/emu8000.c ++++ b/sound/isa/sb/emu8000.c +@@ -1029,8 +1029,10 @@ snd_emu8000_create_mixer(struct snd_card + + memset(emu->controls, 0, sizeof(emu->controls)); + for (i = 0; i < EMU8000_NUM_CONTROLS; i++) { +- if ((err = snd_ctl_add(card, emu->controls[i] = snd_ctl_new1(mixer_defs[i], emu))) < 0) ++ if ((err = snd_ctl_add(card, emu->controls[i] = snd_ctl_new1(mixer_defs[i], emu))) < 0) { ++ emu->controls[i] = NULL; + goto __error; ++ } + } + return 0; + diff --git a/queue-5.12/alsa-hda-conexant-re-order-cx5066-quirk-table-entries.patch b/queue-5.12/alsa-hda-conexant-re-order-cx5066-quirk-table-entries.patch new file mode 100644 index 00000000000..ceaa89d12af --- /dev/null +++ b/queue-5.12/alsa-hda-conexant-re-order-cx5066-quirk-table-entries.patch @@ -0,0 +1,51 @@ +From 2e6a731296be9d356fdccee9fb6ae345dad96438 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 28 Apr 2021 13:27:04 +0200 +Subject: ALSA: hda/conexant: Re-order CX5066 quirk table entries + +From: Takashi Iwai + +commit 2e6a731296be9d356fdccee9fb6ae345dad96438 upstream. + +Just re-order the cx5066_fixups[] entries for HP devices for avoiding +the oversight of the duplicated or unapplied item in future. +No functional changes. + +Also Cc-to-stable for the further patch applications. + +Cc: +Link: https://lore.kernel.org/r/20210428112704.23967-14-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_conexant.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -930,18 +930,18 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), +- SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), +- SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK), +- SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), +- SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), +- SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO), +- SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO), +- SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8402, "HP ProBook 645 G4", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x8427, "HP ZBook Studio G5", CXT_FIXUP_HP_ZBOOK_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x844f, "HP ZBook Studio G5", CXT_FIXUP_HP_ZBOOK_MUTE_LED), diff --git a/queue-5.12/alsa-sb-fix-two-use-after-free-in-snd_sb_qsound_build.patch b/queue-5.12/alsa-sb-fix-two-use-after-free-in-snd_sb_qsound_build.patch new file mode 100644 index 00000000000..0a86362ad46 --- /dev/null +++ b/queue-5.12/alsa-sb-fix-two-use-after-free-in-snd_sb_qsound_build.patch @@ -0,0 +1,50 @@ +From 4fb44dd2c1dda18606348acdfdb97e8759dde9df Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Mon, 26 Apr 2021 07:55:41 -0700 +Subject: ALSA: sb: Fix two use after free in snd_sb_qsound_build + +From: Lv Yunlong + +commit 4fb44dd2c1dda18606348acdfdb97e8759dde9df upstream. + +In snd_sb_qsound_build, snd_ctl_add(..,p->qsound_switch...) and +snd_ctl_add(..,p->qsound_space..) are called. But the second +arguments of snd_ctl_add() could be freed via snd_ctl_add_replace() +->snd_ctl_free_one(). After the error code is returned, +snd_sb_qsound_destroy(p) is called in __error branch. + +But in snd_sb_qsound_destroy(), the freed p->qsound_switch and +p->qsound_space are still used by snd_ctl_remove(). + +My patch set p->qsound_switch and p->qsound_space to NULL if +snd_ctl_add() failed to avoid the uaf bugs. But these codes need +to further be improved with the code style. + +Signed-off-by: Lv Yunlong +Cc: +Link: https://lore.kernel.org/r/20210426145541.8070-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/sb/sb16_csp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/isa/sb/sb16_csp.c ++++ b/sound/isa/sb/sb16_csp.c +@@ -1045,10 +1045,14 @@ static int snd_sb_qsound_build(struct sn + + spin_lock_init(&p->q_lock); + +- if ((err = snd_ctl_add(card, p->qsound_switch = snd_ctl_new1(&snd_sb_qsound_switch, p))) < 0) ++ if ((err = snd_ctl_add(card, p->qsound_switch = snd_ctl_new1(&snd_sb_qsound_switch, p))) < 0) { ++ p->qsound_switch = NULL; + goto __error; +- if ((err = snd_ctl_add(card, p->qsound_space = snd_ctl_new1(&snd_sb_qsound_space, p))) < 0) ++ } ++ if ((err = snd_ctl_add(card, p->qsound_space = snd_ctl_new1(&snd_sb_qsound_space, p))) < 0) { ++ p->qsound_space = NULL; + goto __error; ++ } + + return 0; + diff --git a/queue-5.12/alsa-usb-audio-add-db-range-mapping-for-sennheiser-communications-headset-pc-8.patch b/queue-5.12/alsa-usb-audio-add-db-range-mapping-for-sennheiser-communications-headset-pc-8.patch new file mode 100644 index 00000000000..b66700d1b0f --- /dev/null +++ b/queue-5.12/alsa-usb-audio-add-db-range-mapping-for-sennheiser-communications-headset-pc-8.patch @@ -0,0 +1,54 @@ +From ab2165e2e6ed17345ffa8ee88ca764e8788ebcd7 Mon Sep 17 00:00:00 2001 +From: Timo Gurr +Date: Mon, 3 May 2021 13:08:22 +0200 +Subject: ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset PC 8 + +From: Timo Gurr + +commit ab2165e2e6ed17345ffa8ee88ca764e8788ebcd7 upstream. + +The decibel volume range contains a negative maximum value resulting in +pipewire complaining about the device and effectivly having no sound +output. The wrong values also resulted in the headset sounding muted +already at a mixer level of about ~25%. + +PipeWire BugLink: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/1049 + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212897 +Signed-off-by: Timo Gurr +Cc: +Link: https://lore.kernel.org/r/20210503110822.10222-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_maps.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -337,6 +337,13 @@ static const struct usbmix_name_map bose + { 0 } /* terminator */ + }; + ++/* Sennheiser Communications Headset [PC 8], the dB value is reported as -6 negative maximum */ ++static const struct usbmix_dB_map sennheiser_pc8_dB = {-9500, 0}; ++static const struct usbmix_name_map sennheiser_pc8_map[] = { ++ { 9, NULL, .dB = &sennheiser_pc8_dB }, ++ { 0 } /* terminator */ ++}; ++ + /* + * Dell usb dock with ALC4020 codec had a firmware problem where it got + * screwed up when zero volume is passed; just skip it as a workaround +@@ -593,6 +600,11 @@ static const struct usbmix_ctl_map usbmi + .id = USB_ID(0x17aa, 0x1046), + .map = lenovo_p620_rear_map, + }, ++ { ++ /* Sennheiser Communications Headset [PC 8] */ ++ .id = USB_ID(0x1395, 0x0025), ++ .map = sennheiser_pc8_map, ++ }, + { 0 } /* terminator */ + }; + diff --git a/queue-5.12/alsa-usb-audio-explicitly-set-up-the-clock-selector.patch b/queue-5.12/alsa-usb-audio-explicitly-set-up-the-clock-selector.patch new file mode 100644 index 00000000000..8951b097015 --- /dev/null +++ b/queue-5.12/alsa-usb-audio-explicitly-set-up-the-clock-selector.patch @@ -0,0 +1,86 @@ +From d2e8f641257d0d3af6e45d6ac2d6f9d56b8ea964 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 13 Apr 2021 10:41:52 +0200 +Subject: ALSA: usb-audio: Explicitly set up the clock selector + +From: Takashi Iwai + +commit d2e8f641257d0d3af6e45d6ac2d6f9d56b8ea964 upstream. + +In the current code, we have some assumption that the audio clock +selector has been set up implicitly and don't want to touch it unless +it's really needed for the fallback autoclock setup. This works for +most devices but some seem having a problem. Partially this was +covered for the devices with a single connector at the initialization +phase (commit 086b957cc17f "ALSA: usb-audio: Skip the clock selector +inquiry for single connections"), but also there are cases where the +wrong clock set up is kept silently. The latter seems to be the cause +of the noises on Behringer devices. + +In this patch, we explicitly set up the audio clock selector whenever +the appropriate node is found. + +Reported-by: Geraldo Nascimento +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199327 +Link: https://lore.kernel.org/r/CAEsQvcvF7LnO8PxyyCxuRCx=7jNeSCvFAd-+dE0g_rd1rOxxdw@mail.gmail.com +Cc: +Link: https://lore.kernel.org/r/20210413084152.32325-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/clock.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -296,7 +296,7 @@ static int __uac_clock_find_source(struc + + selector = snd_usb_find_clock_selector(chip->ctrl_intf, entity_id); + if (selector) { +- int ret, i, cur; ++ int ret, i, cur, err; + + if (selector->bNrInPins == 1) { + ret = 1; +@@ -324,13 +324,17 @@ static int __uac_clock_find_source(struc + ret = __uac_clock_find_source(chip, fmt, + selector->baCSourceID[ret - 1], + visited, validate); ++ if (ret > 0) { ++ err = uac_clock_selector_set_val(chip, entity_id, cur); ++ if (err < 0) ++ return err; ++ } ++ + if (!validate || ret > 0 || !chip->autoclock) + return ret; + + /* The current clock source is invalid, try others. */ + for (i = 1; i <= selector->bNrInPins; i++) { +- int err; +- + if (i == cur) + continue; + +@@ -396,7 +400,7 @@ static int __uac3_clock_find_source(stru + + selector = snd_usb_find_clock_selector_v3(chip->ctrl_intf, entity_id); + if (selector) { +- int ret, i, cur; ++ int ret, i, cur, err; + + /* the entity ID we are looking for is a selector. + * find out what it currently selects */ +@@ -418,6 +422,12 @@ static int __uac3_clock_find_source(stru + ret = __uac3_clock_find_source(chip, fmt, + selector->baCSourceID[ret - 1], + visited, validate); ++ if (ret > 0) { ++ err = uac_clock_selector_set_val(chip, entity_id, cur); ++ if (err < 0) ++ return err; ++ } ++ + if (!validate || ret > 0 || !chip->autoclock) + return ret; + diff --git a/queue-5.12/series b/queue-5.12/series index a6dad5a84fc..845e6cd88c5 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -270,3 +270,8 @@ s390-archrandom-add-parameter-check-for-s390_arch_ra.patch sched-psi-handle-potential-task-count-underflow-bugs.patch nvmet-avoid-queuing-keep-alive-timer-if-it-is-disabl.patch power-supply-cpcap-battery-fix-invalid-usage-of-list.patch +alsa-emu8000-fix-a-use-after-free-in-snd_emu8000_create_mixer.patch +alsa-hda-conexant-re-order-cx5066-quirk-table-entries.patch +alsa-sb-fix-two-use-after-free-in-snd_sb_qsound_build.patch +alsa-usb-audio-explicitly-set-up-the-clock-selector.patch +alsa-usb-audio-add-db-range-mapping-for-sennheiser-communications-headset-pc-8.patch