From 5a1b737c904762fbdfd7bfcf0b16a2c69a734365 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 7 Oct 2022 08:49:45 +0200
Subject: [PATCH] 5.10-stable patches added patches: alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch xsk-inherit-need_wakeup-flag-for-shared-sockets.patch
---
 ...-pcm-oss-fix-race-at-sndctl_dsp_sync.patch | 51 +++++++++++++
 queue-5.10/series | 2 +
 ...-need_wakeup-flag-for-shared-sockets.patch | 73 +++++++++++++++++++
 3 files changed, 126 insertions(+)
 create mode 100644 queue-5.10/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch
 create mode 100644 queue-5.10/xsk-inherit-need_wakeup-flag-for-shared-sockets.patch
diff --git a/queue-5.10/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch b/queue-5.10/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch
new file mode 100644
index 00000000000..8002510e2bc
--- /dev/null
+++ b/queue-5.10/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch
@@ -0,0 +1,51 @@
+From 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 5 Sep 2022 08:07:14 +0200
+Subject: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
+
+From: Takashi Iwai
+
+commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream.
+
+There is a small race window at snd_pcm_oss_sync() that is called from
+OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
+snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
+for the rest. When the stream is set up again by another thread
+between them, it leads to inconsistency, and may result in unexpected
+results such as NULL dereference of OSS buffer as a fuzzer spotted
+recently.
+
+The fix is simply to cover snd_pcm_oss_make_ready() call into the same
+params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
+
+Reported-and-tested-by: butt3rflyh4ck
+Reviewed-by: Jaroslav Kysela
+Cc:
+Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com
+Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Zubin Mithra
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/oss/pcm_oss.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1662,13 +1662,14 @@ static int snd_pcm_oss_sync(struct snd_p
+ runtime = substream->runtime;
+ if (atomic_read(&substream->mmap_count))
+ goto __direct;
+- if ((err = snd_pcm_oss_make_ready(substream)) < 0)
+- return err;
+ atomic_inc(&runtime->oss.rw_ref);
+ if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+ atomic_dec(&runtime->oss.rw_ref);
+ return -ERESTARTSYS;
+ }
++ err = snd_pcm_oss_make_ready_locked(substream);
++ if (err < 0)
++ goto unlock;
+ format = snd_pcm_oss_format_from(runtime->oss.format);
+ width = snd_pcm_format_physical_width(format);
+ if (runtime->oss.buffer_used > 0) {
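Review bot: The new `goto unlock` error path in snd_pcm_oss_sync() depends on a label outside this hunk, so it should be confirmed that `unlock:` in the 5.10 tree both releases `params_lock` and decrements `oss.rw_ref` before returning `err`, since the hunk takes both before calling snd_pcm_oss_make_ready_locked(). The ordering is what closes the race described in the commit message, yet nothing in the code records it, and a later cleanup could move the call back above the lock. I would add a comment above the call, e.g. `/* must run under params_lock: a re-setup by another thread between make_ready and the lock can leave the OSS buffer NULL */`. The function body starts and ends outside the hunk.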
diff --git a/queue-5.10/series b/queue-5.10/series
index 639d64bf76a..93badcde7aa 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1,6 +1,8 @@
 makefile.extrawarn-move-wcast-function-type-strict-to-w-1.patch
 docs-update-mediator-information-in-coc-docs.patch
 perf-tools-fixup-get_current_dir_name-compilation.patch
+xsk-inherit-need_wakeup-flag-for-shared-sockets.patch
+alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch
 mm-gup-fix-the-fast-gup-race-against-thp-collapse.patch
 powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch
 wait_on_bit-add-an-acquire-memory-barrier.patch
diff --git a/queue-5.10/xsk-inherit-need_wakeup-flag-for-shared-sockets.patch b/queue-5.10/xsk-inherit-need_wakeup-flag-for-shared-sockets.patch
new file mode 100644
index 00000000000..60f888abaad
--- /dev/null
+++ b/queue-5.10/xsk-inherit-need_wakeup-flag-for-shared-sockets.patch
@@ -0,0 +1,73 @@
+From 60240bc26114543fcbfcd8a28466e67e77b20388 Mon Sep 17 00:00:00 2001
+From: Jalal Mostafa
+Date: Wed, 21 Sep 2022 13:57:01 +0000
+Subject: xsk: Inherit need_wakeup flag for shared sockets
+
+From: Jalal Mostafa
+
+commit 60240bc26114543fcbfcd8a28466e67e77b20388 upstream.
+
+The flag for need_wakeup is not set for xsks with `XDP_SHARED_UMEM`
+flag and of different queue ids and/or devices. They should inherit
+the flag from the first socket buffer pool since no flags can be
+specified once `XDP_SHARED_UMEM` is specified.
+
+Fixes: b5aea28dca134 ("xsk: Add shared umem support between queue ids")
+Signed-off-by: Jalal Mostafa
+Signed-off-by: Daniel Borkmann
+Acked-by: Magnus Karlsson
+Link: https://lore.kernel.org/bpf/20220921135701.10199-1-jalal.a.mostapha@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/xsk_buff_pool.h | 2 +-
+ net/xdp/xsk.c | 4 ++--
+ net/xdp/xsk_buff_pool.c | 5 +++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/include/net/xsk_buff_pool.h
++++ b/include/net/xsk_buff_pool.h
+@@ -86,7 +86,7 @@ struct xsk_buff_pool *xp_create_and_assi
+ struct xdp_umem *umem);
+ int xp_assign_dev(struct xsk_buff_pool *pool, struct net_device *dev,
+ u16 queue_id, u16 flags);
+-int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_umem *umem,
++int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ struct net_device *dev, u16 queue_id);
+ void xp_destroy(struct xsk_buff_pool *pool);
+ void xp_release(struct xdp_buff_xsk *xskb);
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -742,8 +742,8 @@ static int xsk_bind(struct socket *sock,
+ goto out_unlock;
+ }
+
+- err = xp_assign_dev_shared(xs->pool, umem_xs->umem,
+- dev, qid);
++ err = xp_assign_dev_shared(xs->pool, umem_xs, dev,
++ qid);
+ if (err) {
+ xp_destroy(xs->pool);
+ xs->pool = NULL;
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -198,17 +198,18 @@ int xp_assign_dev(struct xsk_buff_pool *
+ return __xp_assign_dev(pool, dev, queue_id, flags);
+ }
+
+-int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_umem *umem,
++int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ struct net_device *dev, u16 queue_id)
+ {
+ u16 flags;
++ struct xdp_umem *umem = umem_xs->umem;
+
+ /* One fill and completion ring required for each queue id. */
+ if (!pool->fq || !pool->cq)
+ return -EINVAL;
+
+ flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY;
+- if (pool->uses_need_wakeup)
++ if (umem_xs->pool->uses_need_wakeup)
+ flags |= XDP_USE_NEED_WAKEUP;
+
+ return __xp_assign_dev(pool, dev, queue_id, flags);
--
2.47.3
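Review bot: In xp_assign_dev_shared() the new `umem_xs->pool->uses_need_wakeup` read dereferences the first socket's pool with no check, where the old code only touched the caller's own `pool`. Whether `umem_xs->pool` can be NULL or released at this point depends on what xsk_bind() verifies before the call, and that part of the function is outside the visible hunk. Presumably the socket has been checked as bound and a reference is held, but this should be confirmed against the 5.10 code. I would state the precondition on the function, e.g. `/* umem_xs must be a bound socket whose pool stays valid for the duration of the call */`.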