From: Greg Kroah-Hartman Date: Sun, 15 Sep 2024 13:27:06 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.111~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fdb70ca6ae25ed21f7cd1b84cb1c68822e1fcf4d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: asoc-meson-axg-card-fix-use-after-free.patch --- diff --git a/queue-5.10/asoc-meson-axg-card-fix-use-after-free.patch b/queue-5.10/asoc-meson-axg-card-fix-use-after-free.patch new file mode 100644 index 00000000000..079dc439333 --- /dev/null +++ b/queue-5.10/asoc-meson-axg-card-fix-use-after-free.patch @@ -0,0 +1,82 @@ +From 4f9a71435953f941969a4f017e2357db62d85a86 Mon Sep 17 00:00:00 2001 +From: Arseniy Krasnov +Date: Wed, 11 Sep 2024 17:24:25 +0300 +Subject: ASoC: meson: axg-card: fix 'use-after-free' + +From: Arseniy Krasnov + +commit 4f9a71435953f941969a4f017e2357db62d85a86 upstream. + +Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()', +so move 'pad' pointer initialization after this function when memory is +already reallocated. + +Kasan bug report: + +================================================================== +BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc +Read of size 8 at addr ffff000000e8b260 by task modprobe/356 + +CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1 +Call trace: + dump_backtrace+0x94/0xec + show_stack+0x18/0x24 + dump_stack_lvl+0x78/0x90 + print_report+0xfc/0x5c0 + kasan_report+0xb8/0xfc + __asan_load8+0x9c/0xb8 + axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card] + meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils] + platform_probe+0x8c/0xf4 + really_probe+0x110/0x39c + __driver_probe_device+0xb8/0x18c + driver_probe_device+0x108/0x1d8 + __driver_attach+0xd0/0x25c + bus_for_each_dev+0xe0/0x154 + driver_attach+0x34/0x44 + bus_add_driver+0x134/0x294 + driver_register+0xa8/0x1e8 + __platform_driver_register+0x44/0x54 + axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card] + do_one_initcall+0xdc/0x25c + do_init_module+0x10c/0x334 + load_module+0x24c4/0x26cc + init_module_from_file+0xd4/0x128 + __arm64_sys_finit_module+0x1f4/0x41c + invoke_syscall+0x60/0x188 + el0_svc_common.constprop.0+0x78/0x13c + do_el0_svc+0x30/0x40 + el0_svc+0x38/0x78 + el0t_64_sync_handler+0x100/0x12c + el0t_64_sync+0x190/0x194 + +Fixes: 7864a79f37b5 ("ASoC: meson: add axg sound card support") +Cc: Stable@vger.kernel.org +Signed-off-by: Arseniy Krasnov +Reviewed-by: Jerome Brunet +Link: https://patch.msgid.link/20240911142425.598631-1-avkrasnov@salutedevices.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/meson/axg-card.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/soc/meson/axg-card.c ++++ b/sound/soc/meson/axg-card.c +@@ -104,7 +104,7 @@ static int axg_card_add_tdm_loopback(str + int *index) + { + struct meson_card *priv = snd_soc_card_get_drvdata(card); +- struct snd_soc_dai_link *pad = &card->dai_link[*index]; ++ struct snd_soc_dai_link *pad; + struct snd_soc_dai_link *lb; + struct snd_soc_dai_link_component *dlc; + int ret; +@@ -114,6 +114,7 @@ static int axg_card_add_tdm_loopback(str + if (ret) + return ret; + ++ pad = &card->dai_link[*index]; + lb = &card->dai_link[*index + 1]; + + lb->name = devm_kasprintf(card->dev, GFP_KERNEL, "%s-lb", pad->name); diff --git a/queue-5.10/series b/queue-5.10/series index a8f93a2a905..5ee8c43f5dc 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -24,3 +24,4 @@ net-ftgmac100-enable-tx-interrupt-to-avoid-tx-timeou.patch net-dpaa-pad-packets-to-eth_zlen.patch spi-nxp-fspi-fix-the-kasan-report-out-of-bounds-bug.patch soundwire-stream-revert-soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch +asoc-meson-axg-card-fix-use-after-free.patch