From: Greg Kroah-Hartman Date: Wed, 14 Aug 2024 17:55:44 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v4.19.320~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ee216ef8ce0a5074da5d6b6c8925c104bf902cc;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: asoc-topology-clean-up-route-loading.patch asoc-topology-fix-route-memory-corruption.patch --- diff --git a/queue-6.6/asoc-topology-clean-up-route-loading.patch b/queue-6.6/asoc-topology-clean-up-route-loading.patch new file mode 100644 index 00000000000..67b6bb9b712 --- /dev/null +++ b/queue-6.6/asoc-topology-clean-up-route-loading.patch @@ -0,0 +1,82 @@ +From e0e7bc2cbee93778c4ad7d9a792d425ffb5af6f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= + +Date: Mon, 3 Jun 2024 12:28:18 +0200 +Subject: ASoC: topology: Clean up route loading +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +commit e0e7bc2cbee93778c4ad7d9a792d425ffb5af6f7 upstream. + +Instead of using very long macro name, assign it to shorter variable +and use it instead. While doing that, we can reduce multiple if checks +using this define to one. + +Reviewed-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20240603102818.36165-5-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-topology.c | 26 ++++++++------------------ + 1 file changed, 8 insertions(+), 18 deletions(-) + +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -1021,6 +1021,7 @@ static int soc_tplg_dapm_graph_elems_loa + struct snd_soc_tplg_hdr *hdr) + { + struct snd_soc_dapm_context *dapm = &tplg->comp->dapm; ++ const size_t maxlen = SNDRV_CTL_ELEM_ID_NAME_MAXLEN; + struct snd_soc_tplg_dapm_graph_elem *elem; + struct snd_soc_dapm_route *route; + int count, i; +@@ -1044,38 +1045,27 @@ static int soc_tplg_dapm_graph_elems_loa + tplg->pos += sizeof(struct snd_soc_tplg_dapm_graph_elem); + + /* validate routes */ +- if (strnlen(elem->source, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == +- SNDRV_CTL_ELEM_ID_NAME_MAXLEN) { +- ret = -EINVAL; +- break; +- } +- if (strnlen(elem->sink, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == +- SNDRV_CTL_ELEM_ID_NAME_MAXLEN) { +- ret = -EINVAL; +- break; +- } +- if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == +- SNDRV_CTL_ELEM_ID_NAME_MAXLEN) { ++ if ((strnlen(elem->source, maxlen) == maxlen) || ++ (strnlen(elem->sink, maxlen) == maxlen) || ++ (strnlen(elem->control, maxlen) == maxlen)) { + ret = -EINVAL; + break; + } + + route->source = devm_kmemdup(tplg->dev, elem->source, +- min(strlen(elem->source), +- SNDRV_CTL_ELEM_ID_NAME_MAXLEN), ++ min(strlen(elem->source), maxlen), + GFP_KERNEL); + route->sink = devm_kmemdup(tplg->dev, elem->sink, +- min(strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), ++ min(strlen(elem->sink), maxlen), + GFP_KERNEL); + if (!route->source || !route->sink) { + ret = -ENOMEM; + break; + } + +- if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) != 0) { ++ if (strnlen(elem->control, maxlen) != 0) { + route->control = devm_kmemdup(tplg->dev, elem->control, +- min(strlen(elem->control), +- SNDRV_CTL_ELEM_ID_NAME_MAXLEN), ++ min(strlen(elem->control), maxlen), + GFP_KERNEL); + if (!route->control) { + ret = -ENOMEM; diff --git a/queue-6.6/asoc-topology-fix-route-memory-corruption.patch b/queue-6.6/asoc-topology-fix-route-memory-corruption.patch new file mode 100644 index 00000000000..32eee27ba74 --- /dev/null +++ b/queue-6.6/asoc-topology-fix-route-memory-corruption.patch @@ -0,0 +1,56 @@ +From 0298f51652be47b79780833e0b63194e1231fa34 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= + +Date: Thu, 13 Jun 2024 11:01:26 +0200 +Subject: ASoC: topology: Fix route memory corruption +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +commit 0298f51652be47b79780833e0b63194e1231fa34 upstream. + +It was reported that recent fix for memory corruption during topology +load, causes corruption in other cases. Instead of being overeager with +checking topology, assume that it is properly formatted and just +duplicate strings. + +Reported-by: Pierre-Louis Bossart +Closes: https://lore.kernel.org/linux-sound/171812236450.201359.3019210915105428447.b4-ty@kernel.org/T/#m8c4bd5abf453960fde6f826c4b7f84881da63e9d +Suggested-by: Péter Ujfalusi +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20240613090126.841189-1-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-topology.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -1052,21 +1052,15 @@ static int soc_tplg_dapm_graph_elems_loa + break; + } + +- route->source = devm_kmemdup(tplg->dev, elem->source, +- min(strlen(elem->source), maxlen), +- GFP_KERNEL); +- route->sink = devm_kmemdup(tplg->dev, elem->sink, +- min(strlen(elem->sink), maxlen), +- GFP_KERNEL); ++ route->source = devm_kstrdup(tplg->dev, elem->source, GFP_KERNEL); ++ route->sink = devm_kstrdup(tplg->dev, elem->sink, GFP_KERNEL); + if (!route->source || !route->sink) { + ret = -ENOMEM; + break; + } + + if (strnlen(elem->control, maxlen) != 0) { +- route->control = devm_kmemdup(tplg->dev, elem->control, +- min(strlen(elem->control), maxlen), +- GFP_KERNEL); ++ route->control = devm_kstrdup(tplg->dev, elem->control, GFP_KERNEL); + if (!route->control) { + ret = -ENOMEM; + break; diff --git a/queue-6.6/series b/queue-6.6/series index 01bd35578b3..f1c51061243 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -1 +1,3 @@ exec-fix-toctou-between-perm-check-and-set-uid-gid-usage.patch +asoc-topology-clean-up-route-loading.patch +asoc-topology-fix-route-memory-corruption.patch