From 8a04af50bc75246504e85ec10c42144b6c5eb1d6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 17 Oct 2021 12:34:28 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
---
queue-4.19/series | 4 ++
...uaf-by-wrong-private_free-call-order.patch | 59 +++++++++++++++++++
queue-4.9/series | 1 +
queue-5.10/series | 11 ++++
queue-5.14/series | 12 ++++
5 files changed, 87 insertions(+)
create mode 100644 queue-4.19/series
create mode 100644 queue-4.9/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
create mode 100644 queue-4.9/series
create mode 100644 queue-5.10/series
create mode 100644 queue-5.14/series
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..3bef3e2be61
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,4 @@
+alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
+alsa-hda-realtek-complete-partial-device-name-to-avoid-ambiguity.patch
+alsa-hda-realtek-add-quirk-for-clevo-x170km-g.patch
+alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
diff --git a/queue-4.9/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch b/queue-4.9/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
new file mode 100644
index 00000000000..e85019935b7
--- /dev/null
+++ b/queue-4.9/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
@@ -0,0 +1,59 @@
+From 1f8763c59c4ec6254d629fe77c0a52220bd907aa Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 30 Sep 2021 13:41:14 +0200
+Subject: ALSA: seq: Fix a potential UAF by wrong private_free call order
+
+From: Takashi Iwai
+
+commit 1f8763c59c4ec6254d629fe77c0a52220bd907aa upstream.
+
+John Keeping reported and posted a patch for a potential UAF in
+rawmidi sequencer destruction: the snd_rawmidi_dev_seq_free() may be
+called after the associated rawmidi object got already freed.
+After a deeper look, it turned out that the bug is rather the
+incorrect private_free call order for a snd_seq_device. The
+snd_seq_device private_free gets called at the release callback of the
+sequencer device object, while this was rather expected to be executed
+at the snd_device call chains that runs at the beginning of the whole
+card-free procedure. It's been broken since the rewrite of
+sequencer-device binding (although it hasn't surfaced because the
+sequencer device release happens usually right along with the card
+device release).
+
+This patch corrects the private_free call to be done in the right
+place, at snd_seq_device_dev_free().
+
+Fixes: 7c37ae5c625a ("ALSA: seq: Rewrite sequencer device binding with standard bus")
+Reported-and-tested-by: John Keeping
+Cc:
+Link: https://lore.kernel.org/r/20210930114114.8645-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/seq/seq_device.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/sound/core/seq/seq_device.c
++++ b/sound/core/seq/seq_device.c
+@@ -162,6 +162,8 @@ static int snd_seq_device_dev_free(struc
+ struct snd_seq_device *dev = device->device_data;
+
+ cancel_autoload_drivers();
++ if (dev->private_free)
++ dev->private_free(dev);
+ put_device(&dev->dev);
+ return 0;
+ }
+@@ -189,11 +191,7 @@ static int snd_seq_device_dev_disconnect
+
+ static void snd_seq_dev_release(struct device *dev)
+ {
+- struct snd_seq_device *sdev = to_seq_dev(dev);
+-
+- if (sdev->private_free)
+- sdev->private_free(sdev);
+- kfree(sdev);
++ kfree(to_seq_dev(dev));
+ }
+
+ /*
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..8e5147a4f01
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1 @@
+alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..495c9de25b7
--- /dev/null
+++ b/queue-5.10/series
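Review bot: In the embedded seq_device.c change, the new `if (dev->private_free) dev->private_free(dev);` in snd_seq_device_dev_free() has no comment saying why the callback must run there, and that ordering is the whole fix. The commit message explains that the release callback can run after the associated rawmidi object has already been freed, so I would add above the call something like `/* call private_free from the snd_device free chain; the release callback may run after the objects it touches are gone */`. For this 4.9 backport it may also be worth confirming that nothing reached from snd_seq_dev_release() still expects the private data, since the struct can presumably outlive this call while other references are held; the new release body only does `kfree(to_seq_dev(dev))`, which looks consistent with that. Both function bodies start outside the inner hunks, so this is judged from the visible lines only.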
@@ -0,0 +1,11 @@
+alsa-usb-audio-add-quirk-for-vf0770.patch
+alsa-pcm-workaround-for-a-wrong-offset-in-sync_ptr-compat-ioctl.patch
+alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
+alsa-hda-realtek-enable-4-speaker-output-for-dell-precision-5560-laptop.patch
+alsa-hda-enable-headphone-mic-on-dell-latitude-laptops-with-alc3254.patch
+alsa-hda-realtek-complete-partial-device-name-to-avoid-ambiguity.patch
+alsa-hda-realtek-add-quirk-for-clevo-x170km-g.patch
+alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
+alsa-hda-realtek-add-quirk-for-tongfang-phxtxx1.patch
+alsa-hda-realtek-fix-for-quirk-to-enable-speaker-output-on-the-lenovo-13s-gen2.patch
+alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
diff --git a/queue-5.14/series b/queue-5.14/series
new file mode 100644
index 00000000000..0066de0e9a5
--- /dev/null
+++ b/queue-5.14/series
@@ -0,0 +1,12 @@
+alsa-usb-audio-add-quirk-for-vf0770.patch
+alsa-pcm-workaround-for-a-wrong-offset-in-sync_ptr-compat-ioctl.patch
+alsa-usb-audio-fix-a-missing-error-check-in-scarlett-gen2-mixer.patch
+alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
+alsa-hda-realtek-enable-4-speaker-output-for-dell-precision-5560-laptop.patch
+alsa-hda-enable-headphone-mic-on-dell-latitude-laptops-with-alc3254.patch
+alsa-hda-realtek-complete-partial-device-name-to-avoid-ambiguity.patch
+alsa-hda-realtek-add-quirk-for-clevo-x170km-g.patch
+alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
+alsa-hda-realtek-add-quirk-for-tongfang-phxtxx1.patch
+alsa-hda-realtek-fix-for-quirk-to-enable-speaker-output-on-the-lenovo-13s-gen2.patch
+alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
--
2.47.3