From: Greg Kroah-Hartman
Date: Mon, 12 Aug 2024 09:32:17 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v6.1.105~95
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=70a1da4466e946552b0b26b4033335aa44ebbee7;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
alsa-line6-fix-racy-access-to-midibuf.patch
usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch
---
diff --git a/queue-4.19/alsa-line6-fix-racy-access-to-midibuf.patch b/queue-4.19/alsa-line6-fix-racy-access-to-midibuf.patch
new file mode 100644
index 00000000000..fcad80ed92d
--- /dev/null
+++ b/queue-4.19/alsa-line6-fix-racy-access-to-midibuf.patch
@@ -0,0 +1,60 @@
+From 15b7a03205b31bc5623378c190d22b7ff60026f1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 5 Aug 2024 15:01:28 +0200
+Subject: ALSA: line6: Fix racy access to midibuf
+
+From: Takashi Iwai
+
+commit 15b7a03205b31bc5623378c190d22b7ff60026f1 upstream.
+
+There can be concurrent accesses to line6 midibuf from both the URB
+completion callback and the rawmidi API access. This could be a cause
+of KMSAN warning triggered by syzkaller below (so put as reported-by
+here).
+
+This patch protects the midibuf call of the former code path with a
+spinlock for avoiding the possible races.
+
+Reported-by: syzbot+78eccfb8b3c9a85fc6c5@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/00000000000000949c061df288c5@google.com
+Cc:
+Link: https://patch.msgid.link/20240805130129.10872-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/line6/driver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -300,12 +300,14 @@ static void line6_data_received(struct u
+ {
+ struct usb_line6 *line6 = (struct usb_line6 *)urb->context;
+ struct midi_buffer *mb = &line6->line6midi->midibuf_in;
++ unsigned long flags;
+ int done;
+
+ if (urb->status == -ESHUTDOWN)
+ return;
+
+ if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) {
++ spin_lock_irqsave(&line6->line6midi->lock, flags);
+ done =
+ line6_midibuf_write(mb, urb->transfer_buffer, urb->actual_length);
+
+@@ -314,12 +316,15 @@ static void line6_data_received(struct u
+ dev_dbg(line6->ifcdev, "%d %d buffer overflow - message skipped\n",
+ done, urb->actual_length);
+ }
++ spin_unlock_irqrestore(&line6->line6midi->lock, flags);
+
+ for (;;) {
++ spin_lock_irqsave(&line6->line6midi->lock, flags);
+ done =
+ line6_midibuf_read(mb, line6->buffer_message,
+ LINE6_MIDI_MESSAGE_MAXLEN,
+ LINE6_MIDIBUF_READ_RX);
++ spin_unlock_irqrestore(&line6->line6midi->lock, flags);
+
+ if (done <= 0)
+ break;
diff --git a/queue-4.19/series b/queue-4.19/series
index 84893b39a31..ce9081312a9 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -169,3 +169,5 @@ spi-lpspi-add-i.mx8-boards-support-for-lpspi.patch
 spi-lpspi-add-the-error-info-of-transfer-speed-setti.patch
 spi-fsl-lpspi-remove-unneeded-array.patch
 spi-spi-fsl-lpspi-fix-scldiv-calculation.patch
+alsa-line6-fix-racy-access-to-midibuf.patch
+usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch
diff --git a/queue-4.19/spi-spi-fsl-lpspi-fix-scldiv-calculation.patch b/queue-4.19/spi-spi-fsl-lpspi-fix-scldiv-calculation.patch
index c3dad39673d..d280c1621be 100644
--- a/queue-4.19/spi-spi-fsl-lpspi-fix-scldiv-calculation.patch
+++ b/queue-4.19/spi-spi-fsl-lpspi-fix-scldiv-calculation.patch
@@ -24,14 +24,12 @@ Link: https://patch.msgid.link/20240804113611.83613-1-wahrenst@gmx.net Signed-off-by: Mark Brown Signed-off-by: Sasha Levin --- - drivers/spi/spi-fsl-lpspi.c | 6 ++++-- + drivers/spi/spi-fsl-lpspi.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c -index 21c8866ebbd12..695034e076c5e 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c -@@ -257,7 +257,7 @@ static void fsl_lpspi_set_watermark(struct fsl_lpspi_data *fsl_lpspi) +@@ -257,7 +257,7 @@ static void fsl_lpspi_set_watermark(stru static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) { struct lpspi_config config = fsl_lpspi->config;
@@ -40,7 +38,7 @@ index 21c8866ebbd12..695034e076c5e 100644 u8 prescale; perclk_rate = clk_get_rate(fsl_lpspi->clk_per); -@@ -268,8 +268,10 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) +@@ -268,8 +268,10 @@ static int fsl_lpspi_set_bitrate(struct return -EINVAL; }
@@ -52,6 +50,3 @@ index 21c8866ebbd12..695034e076c5e 100644 if (scldiv < 256) { fsl_lpspi->config.prescale = prescale; break; --- -2.43.0 -
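Review bot: In line6_data_received() (alsa-line6-fix-racy-access-to-midibuf.patch) the lock is released right after each line6_midibuf_read(), so line6->buffer_message is filled under `line6midi->lock` but consumed unlocked in the part of the loop that lies outside the hunk; that is safe only if nothing other than this completion handler touches buffer_message, which these lines do not show. A short comment at the first `spin_lock_irqsave()` would record the intent, for example `/* line6midi->lock serialises midibuf_in against the rawmidi paths */`. For the 4.19 backport it is also worth confirming that the other accessors of midibuf_in take the same lock with an irq-safe variant, since this handler runs as a URB completion callback; those callers are not part of this patch.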
diff --git a/queue-4.19/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch b/queue-4.19/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch
new file mode 100644
index 00000000000..d5366aac2e1
--- /dev/null
+++ b/queue-4.19/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch
@@ -0,0 +1,78 @@
+From afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 9 Jul 2024 13:38:41 +0200
+Subject: usb: vhci-hcd: Do not drop references before new references are gained
+
+From: Oliver Neukum
+
+commit afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a upstream.
+
+At a few places the driver carries stale pointers
+to references that can still be used. Make sure that does not happen.
+This strictly speaking closes ZDI-CAN-22273, though there may be
+similar races in the driver.
+
+Signed-off-by: Oliver Neukum
+Cc: stable
+Acked-by: Shuah Khan
+Link: https://lore.kernel.org/r/20240709113851.14691-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/usbip/vhci_hcd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -751,6 +751,7 @@ static int vhci_urb_enqueue(struct usb_h
+ *
+ */
+ if (usb_pipedevice(urb->pipe) == 0) {
++ struct usb_device *old;
+ __u8 type = usb_pipetype(urb->pipe);
+ struct usb_ctrlrequest *ctrlreq =
+ (struct usb_ctrlrequest *) urb->setup_packet;
+@@ -761,14 +762,15 @@ static int vhci_urb_enqueue(struct usb_h
+ goto no_need_xmit;
+ }
+
++ old = vdev->udev;
+ switch (ctrlreq->bRequest) {
+ case USB_REQ_SET_ADDRESS:
+ /* set_address may come when a device is reset */
+ dev_info(dev, "SetAddress Request (%d) to port %d\n",
+ ctrlreq->wValue, vdev->rhport);
+
+- usb_put_dev(vdev->udev);
+ vdev->udev = usb_get_dev(urb->dev);
++ usb_put_dev(old);
+
+ spin_lock(&vdev->ud.lock);
+ vdev->ud.status = VDEV_ST_USED;
+@@ -787,8 +789,8 @@ static int vhci_urb_enqueue(struct usb_h
+ usbip_dbg_vhci_hc(
+ "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");
+
+- usb_put_dev(vdev->udev);
+ vdev->udev = usb_get_dev(urb->dev);
++ usb_put_dev(old);
+ goto out;
+
+ default:
+@@ -1095,6 +1097,7 @@ static void vhci_shutdown_connection(str
+ static void vhci_device_reset(struct usbip_device *ud)
+ {
+ struct vhci_device *vdev = container_of(ud, struct vhci_device, ud);
++ struct usb_device *old = vdev->udev;
+ unsigned long flags;
+
+ spin_lock_irqsave(&ud->lock, flags);
+@@ -1102,8 +1105,8 @@ static void vhci_device_reset(struct usb
+ vdev->speed = 0;
+ vdev->devid = 0;
+
+- usb_put_dev(vdev->udev);
+ vdev->udev = NULL;
++ usb_put_dev(old);
+
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
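Review bot: In vhci_device_reset() the snapshot `old = vdev->udev` is taken in the declaration, before `spin_lock_irqsave(&ud->lock, flags)`, so the pointer later handed to usb_put_dev() may no longer be the one stored in vdev->udev once the lock is held. Reading it inside the critical section, `old = vdev->udev;` directly after the spin_lock_irqsave() call, keeps the read, the NULL store and the put consistent with each other. In vhci_urb_enqueue() both switch cases swap vdev->udev before `spin_lock(&vdev->ud.lock)`, so whether the enqueue and reset paths are serialised depends on a lock taken outside these hunks, and the commit message itself allows that similar races may remain. Both functions begin and end outside the hunks shown.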