1. 24 Mar, 2018 20 commits
  2. 22 Mar, 2018 20 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.123 · 3753696b
      Greg Kroah-Hartman authored
      3753696b
    • Jann Horn's avatar
      bpf: fix incorrect sign extension in check_alu_op() · a6132276
      Jann Horn authored
      commit 95a762e2 upstream.
      
      Distinguish between
      BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
      and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
      only perform sign extension in the first case.
      
      This patch differs from the mainline one because the verifier's internals
      have changed in the meantime. Mainline tracks register values as 64-bit
      values; however, 4.4 still stores tracked register values as 32-bit
      values with sign extension. Therefore, in the case of a 32-bit op with
      negative immediate, the value can't be tracked; leave the register as
      UNKNOWN_VALUE (set by the preceding check_reg_arg() call).
      
      
      I have manually tested this patch on top of 4.4.122. For the following BPF
      bytecode:
      
              BPF_MOV64_IMM(BPF_REG_1, 1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_1, 1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV64_IMM(BPF_REG_1, -1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, -1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_1, -1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, -1, 2),
              BPF_MOV32_IMM(BPF_REG_0, 42),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_0, 43),
              BPF_EXIT_INSN()
      
      Verifier output on 4.4.122 without this patch:
      
      0: (b7) r1 = 1
      1: (15) if r1 == 0x1 goto pc+1
      3: (b4) (u32) r1 = (u32) 1
      4: (15) if r1 == 0x1 goto pc+1
      6: (b7) r1 = -1
      7: (15) if r1 == 0xffffffff goto pc+1
      9: (b4) (u32) r1 = (u32) -1
      10: (15) if r1 == 0xffffffff goto pc+2
      13: (b4) (u32) r0 = (u32) 43
      14: (95) exit
      
      Verifier output on 4.4.122+ with this patch:
      
      0: (b7) r1 = 1
      1: (15) if r1 == 0x1 goto pc+1
      3: (b4) (u32) r1 = (u32) 1
      4: (15) if r1 == 0x1 goto pc+1
      6: (b7) r1 = -1
      7: (15) if r1 == 0xffffffff goto pc+1
      9: (b4) (u32) r1 = (u32) -1
      10: (15) if r1 == 0xffffffff goto pc+2
       R1=inv R10=fp
      11: (b4) (u32) r0 = (u32) 42
      12: (95) exit
      
      from 10 to 13: R1=imm-1 R10=fp
      13: (b4) (u32) r0 = (u32) 43
      14: (95) exit
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6132276
    • Srinath Mannam's avatar
      usb: gadget: bdc: 64-bit pointer capability check · 5a876e87
      Srinath Mannam authored
      commit c8e4e5bd upstream.
      
      Corrected the register to check the 64-bit pointer
      capability state. 64-bit pointer implementation capability
      was checking in wrong register, which causes the BDC
      enumeration failure in 64-bit memory address.
      
      Fixes: efed421a ("usb: gadget: Add UDC driver for
      Broadcom USB3.0 device controller IP BDC")
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarSrinath Mannam <srinath.mannam@broadcom.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a876e87
    • Wei Yongjun's avatar
      USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe() · a52a0a6c
      Wei Yongjun authored
      commit 8874ae5f upstream.
      
      Add the missing platform_device_put() before return from bdc_pci_probe()
      in the platform_device_add_resources() error handling case.
      
      Fixes: efed421a ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a52a0a6c
    • Nikolay Borisov's avatar
      btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device · e1994e4d
      Nikolay Borisov authored
      commit fd649f10 upstream.
      
      Commit 4fde46f0 ("Btrfs: free the stale device") introduced
      btrfs_free_stale_device which iterates the device lists for all
      registered btrfs filesystems and deletes those devices which aren't
      mounted. In a btrfs_devices structure has only 1 device attached to it
      and it is unused then btrfs_free_stale_devices will proceed to also free
      the btrfs_fs_devices struct itself. Currently this leads to a use after
      free since list_for_each_entry will try to perform a check on the
      already freed memory to see if it has to terminate the loop.
      
      The fix is to use 'break' when we know we are freeing the current
      fs_devs.
      
      Fixes: 4fde46f0 ("Btrfs: free the stale device")
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarAnand Jain <anand.jain@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1994e4d
    • Hans van Kranenburg's avatar
      btrfs: alloc_chunk: fix DUP stripe size handling · 97c3e46e
      Hans van Kranenburg authored
      commit 92e222df upstream.
      
      In case of using DUP, we search for enough unallocated disk space on a
      device to hold two stripes.
      
      The devices_info[ndevs-1].max_avail that holds the amount of unallocated
      space found is directly assigned to stripe_size, while it's actually
      twice the stripe size.
      
      Later on in the code, an unconditional division of stripe_size by
      dev_stripes corrects the value, but in the meantime there's a check to
      see if the stripe_size does not exceed max_chunk_size. Since during this
      check stripe_size is twice the amount as intended, the check will reduce
      the stripe_size to max_chunk_size if the actual correct to be used
      stripe_size is more than half the amount of max_chunk_size.
      
      The unconditional division later tries to correct stripe_size, but will
      actually make sure we can't allocate more than half the max_chunk_size.
      
      Fix this by moving the division by dev_stripes before the max chunk size
      check, so it always contains the right value, instead of putting a duct
      tape division in further on to get it fixed again.
      
      Since in all other cases than DUP, dev_stripes is 1, this change only
      affects DUP.
      
      Other attempts in the past were made to fix this:
      * 37db63a4 "Btrfs: fix max chunk size check in chunk allocator" tried
      to fix the same problem, but still resulted in part of the code acting
      on a wrongly doubled stripe_size value.
      * 86db2578 "Btrfs: fix max chunk size on raid5/6" unintentionally
      broke this fix again.
      
      The real problem was already introduced with the rest of the code in
      73c5de00.
      
      The user visible result however will be that the max chunk size for DUP
      will suddenly double, while it's actually acting according to the limits
      in the code again like it was 5 years ago.
      Reported-by: default avatarNaohiro Aota <naohiro.aota@wdc.com>
      Link: https://www.spinics.net/lists/linux-btrfs/msg69752.html
      Fixes: 73c5de00 ("btrfs: quasi-round-robin for chunk allocation")
      Fixes: 86db2578 ("Btrfs: fix max chunk size on raid5/6")
      Signed-off-by: default avatarHans van Kranenburg <hans.van.kranenburg@mendix.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      [ update comment ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97c3e46e
    • Adam Ford's avatar
      ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux · 29b20311
      Adam Ford authored
      commit 74402055 upstream.
      
      The pinmuxing was missing for I2C1 which was causing intermittent issues
      with the PMIC which is connected to I2C1.  The bootloader did not quite
      configure the I2C1 either, so when running at 2.6MHz, it was generating
      errors at time.
      
      This correctly sets the I2C1 pinmuxing so it can operate at 2.6MHz
      
      Fixes: 687c2767 ("ARM: dts: Add minimal support for LogicPD Torpedo
      DM3730 devkit")
      Signed-off-by: default avatarAdam Ford <aford173@gmail.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29b20311
    • Johannes Thumshirn's avatar
      scsi: sg: only check for dxfer_len greater than 256M · 036c4bdd
      Johannes Thumshirn authored
      commit f930c704 upstream.
      
      Don't make any assumptions on the sg_io_hdr_t::dxfer_direction or the
      sg_io_hdr_t::dxferp in order to determine if it is a valid request. The
      only way we can check for bad requests is by checking if the length
      exceeds 256M.
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Fixes: 28676d86 (scsi: sg: check for valid direction before starting the request)
      Reported-by: default avatarJason L Tibbitts III <tibbs@math.uh.edu>
      Tested-by: default avatarJason L Tibbitts III <tibbs@math.uh.edu>
      Suggested-by: default avatarDoug Gilbert <dgilbert@interlog.com>
      Cc: Doug Gilbert <dgilbert@interlog.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      036c4bdd
    • Johannes Thumshirn's avatar
      scsi: sg: fix static checker warning in sg_is_valid_dxfer · db259b67
      Johannes Thumshirn authored
      commit 14074aba upstream.
      
      dxfer_len is an unsigned int and we always assign a value > 0 to it, so
      it doesn't make any sense to check if it is < 0. We can't really check
      dxferp as well as we have both NULL and not NULL cases in the possible
      call paths.
      
      So just return true for SG_DXFER_FROM_DEV transfer in
      sg_is_valid_dxfer().
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Reported-by: default avatarColin Ian King <colin.king@canonical.com>
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Douglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db259b67
    • Johannes Thumshirn's avatar
      scsi: sg: fix SG_DXFER_FROM_DEV transfers · 6d858350
      Johannes Thumshirn authored
      commit 68c59fce upstream.
      
      SG_DXFER_FROM_DEV transfers do not necessarily have a dxferp as we set
      it to NULL for the old sg_io read/write interface, but must have a
      length bigger than 0. This fixes a regression introduced by commit
      28676d86 ("scsi: sg: check for valid direction before starting the
      request")
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Fixes: 28676d86 ("scsi: sg: check for valid direction before starting the request")
      Reported-by: default avatarChris Clayton <chris2553@googlemail.com>
      Tested-by: default avatarChris Clayton <chris2553@googlemail.com>
      Cc: Douglas Gilbert <dgilbert@interlog.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Tested-by: default avatarChris Clayton <chris2553@googlemail.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Cc: Cristian Crinteanu <crinteanu.cristian@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d858350
    • Ard Biesheuvel's avatar
      irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis · abca4633
      Ard Biesheuvel authored
      commit 4f2c7583 upstream.
      
      When struct its_device instances are created, the nr_ites member
      will be set to a power of 2 that equals or exceeds the requested
      number of MSIs passed to the msi_prepare() callback. At the same
      time, the LPI map is allocated to be some multiple of 32 in size,
      where the allocated size may be less than the requested size
      depending on whether a contiguous range of sufficient size is
      available in the global LPI bitmap.
      
      This may result in the situation where the nr_ites < nr_lpis, and
      since nr_ites is what we program into the hardware when we map the
      device, the additional LPIs will be non-functional.
      
      For bog standard hardware, this does not really matter. However,
      in cases where ITS device IDs are shared between different PCIe
      devices, we may end up allocating these additional LPIs without
      taking into account that they don't actually work.
      
      So let's make nr_ites at least 32. This ensures that all allocated
      LPIs are 'live', and that its_alloc_device_irq() will fail when
      attempts are made to allocate MSIs beyond what was allocated in
      the first place.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      [maz: updated comment]
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      [ardb: trivial tweak of unrelated context]
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      abca4633
    • Tejun Heo's avatar
      fs/aio: Use RCU accessors for kioctx_table->table[] · 5ae91b40
      Tejun Heo authored
      commit d0264c01 upstream.
      
      While converting ioctx index from a list to a table, db446a08
      ("aio: convert the ioctx list to table lookup v3") missed tagging
      kioctx_table->table[] as an array of RCU pointers and using the
      appropriate RCU accessors.  This introduces a small window in the
      lookup path where init and access may race.
      
      Mark kioctx_table->table[] with __rcu and use the approriate RCU
      accessors when using the field.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: db446a08 ("aio: convert the ioctx list to table lookup v3")
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.12+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ae91b40
    • Tejun Heo's avatar
      fs/aio: Add explicit RCU grace period when freeing kioctx · c68e1f44
      Tejun Heo authored
      commit a6d7cff4 upstream.
      
      While fixing refcounting, e34ecee2 ("aio: Fix a trinity splat")
      incorrectly removed explicit RCU grace period before freeing kioctx.
      The intention seems to be depending on the internal RCU grace periods
      of percpu_ref; however, percpu_ref uses a different flavor of RCU,
      sched-RCU.  This can lead to kioctx being freed while RCU read
      protected dereferences are still in progress.
      
      Fix it by updating free_ioctx() to go through call_rcu() explicitly.
      
      v2: Comment added to explain double bouncing.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: e34ecee2 ("aio: Fix a trinity splat")
      Cc: Kent Overstreet <kent.overstreet@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.13+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c68e1f44
    • Al Viro's avatar
      lock_parent() needs to recheck if dentry got __dentry_kill'ed under it · 8dc6893e
      Al Viro authored
      commit 3b821409 upstream.
      
      In case when dentry passed to lock_parent() is protected from freeing only
      by the fact that it's on a shrink list and trylock of parent fails, we
      could get hit by __dentry_kill() (and subsequent dentry_kill(parent))
      between unlocking dentry and locking presumed parent.  We need to recheck
      that dentry is alive once we lock both it and parent *and* postpone
      rcu_read_unlock() until after that point.  Otherwise we could return
      a pointer to struct dentry that already is rcu-scheduled for freeing, with
      ->d_lock held on it; caller's subsequent attempt to unlock it can end
      up with memory corruption.
      
      Cc: stable@vger.kernel.org # 3.12+, counting backports
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8dc6893e
    • Eric W. Biederman's avatar
      fs: Teach path_connected to handle nfs filesystems with multiple roots. · c8c71406
      Eric W. Biederman authored
      commit 95dd7758 upstream.
      
      On nfsv2 and nfsv3 the nfs server can export subsets of the same
      filesystem and report the same filesystem identifier, so that the nfs
      client can know they are the same filesystem.  The subsets can be from
      disjoint directory trees.  The nfsv2 and nfsv3 filesystems provides no
      way to find the common root of all directory trees exported form the
      server with the same filesystem identifier.
      
      The practical result is that in struct super s_root for nfs s_root is
      not necessarily the root of the filesystem.  The nfs mount code sets
      s_root to the root of the first subset of the nfs filesystem that the
      kernel mounts.
      
      This effects the dcache invalidation code in generic_shutdown_super
      currently called shrunk_dcache_for_umount and that code for years
      has gone through an additional list of dentries that might be dentry
      trees that need to be freed to accomodate nfs.
      
      When I wrote path_connected I did not realize nfs was so special, and
      it's hueristic for avoiding calling is_subdir can fail.
      
      The practical case where this fails is when there is a move of a
      directory from the subtree exposed by one nfs mount to the subtree
      exposed by another nfs mount.  This move can happen either locally or
      remotely.  With the remote case requiring that the move directory be cached
      before the move and that after the move someone walks the path
      to where the move directory now exists and in so doing causes the
      already cached directory to be moved in the dcache through the magic
      of d_splice_alias.
      
      If someone whose working directory is in the move directory or a
      subdirectory and now starts calling .. from the initial mount of nfs
      (where s_root == mnt_root), then path_connected as a heuristic will
      not bother with the is_subdir check.  As s_root really is not the root
      of the nfs filesystem this heuristic is wrong, and the path may
      actually not be connected and path_connected can fail.
      
      The is_subdir function might be cheap enough that we can call it
      unconditionally.  Verifying that will take some benchmarking and
      the result may not be the same on all kernels this fix needs
      to be backported to.  So I am avoiding that for now.
      
      Filesystems with snapshots such as nilfs and btrfs do something
      similar.  But as the directory tree of the snapshots are disjoint
      from one another and from the main directory tree rename won't move
      things between them and this problem will not occur.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Fixes: 397d425d ("vfs: Test for and handle paths that are unreachable from their mnt_root")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8c71406
    • Michel Dänzer's avatar
      drm/amdgpu/dce: Don't turn off DP sink when disconnected · 89a42b03
      Michel Dänzer authored
      commit 7d617264 upstream.
      
      Turning off the sink in this case causes various issues, because
      userspace expects it to stay on until it turns it off explicitly.
      
      Instead, turn the sink off and back on when a display is connected
      again. This dance seems necessary for link training to work correctly.
      
      Bugzilla: https://bugs.freedesktop.org/105308
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      89a42b03
    • Takashi Iwai's avatar
      ALSA: seq: Clear client entry before deleting else at closing · b6412935
      Takashi Iwai authored
      commit a2ff19f7 upstream.
      
      When releasing a client, we need to clear the clienttab[] entry at
      first, then call snd_seq_queue_client_leave().  Otherwise, the
      in-flight cell in the queue might be picked up by the timer interrupt
      via snd_seq_check_queue() before calling snd_seq_queue_client_leave(),
      and it's delivered to another queue while the client is clearing
      queues.  This may eventually result in an uncleared cell remaining in
      a queue, and the later snd_seq_pool_delete() may need to wait for a
      long time until the event gets really processed.
      
      By moving the clienttab[] clearance at the beginning of release, any
      event delivery of a cell belonging to this client will fail at a later
      point, since snd_seq_client_ptr() returns NULL.  Thus the cell that
      was picked up by the timer interrupt will be returned immediately
      without further delivery, and the long stall of snd_seq_delete_pool()
      can be avoided, too.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b6412935
    • Takashi Iwai's avatar
      ALSA: seq: Fix possible UAF in snd_seq_check_queue() · f0b0e342
      Takashi Iwai authored
      commit d0f83306 upstream.
      
      Although we've covered the races between concurrent write() and
      ioctl() in the previous patch series, there is still a possible UAF in
      the following scenario:
      
      A: user client closed		B: timer irq
        -> snd_seq_release()		  -> snd_seq_timer_interrupt()
          -> snd_seq_free_client()	    -> snd_seq_check_queue()
      				      -> cell = snd_seq_prioq_cell_peek()
            -> snd_seq_prioq_leave()
               .... removing all cells
            -> snd_seq_pool_done()
               .... vfree()
      				      -> snd_seq_compare_tick_time(cell)
      				         ... Oops
      
      So the problem is that a cell is peeked and accessed without any
      protection until it's retrieved from the queue again via
      snd_seq_prioq_cell_out().
      
      This patch tries to address it, also cleans up the code by a slight
      refactoring.  snd_seq_prioq_cell_out() now receives an extra pointer
      argument.  When it's non-NULL, the function checks the event timestamp
      with the given pointer.  The caller needs to pass the right reference
      either to snd_seq_tick or snd_seq_realtime depending on the event
      timestamp type.
      
      A good news is that the above change allows us to remove the
      snd_seq_prioq_cell_peek(), too, thus the patch actually reduces the
      code size.
      Reviewed-by: default avatarNicolai Stange <nstange@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0b0e342
    • Takashi Iwai's avatar
      ALSA: hda - Revert power_save option default value · 996ecf93
      Takashi Iwai authored
      commit 40088dc4 upstream.
      
      With the commit 1ba8f9d3 ("ALSA: hda: Add a power_save
      blacklist"), we changed the default value of power_save option to -1
      for processing the power-save blacklist.
      Unfortunately, this seems breaking user-space applications that
      actually read the power_save parameter value via sysfs and judge /
      adjust the power-saving status.  They see the value -1 as if the
      power-save is turned off, although the actual value is taken from
      CONFIG_SND_HDA_POWER_SAVE_DEFAULT and it can be a positive.
      
      So, overall, passing -1 there was no good idea.  Let's partially
      revert it -- at least for power_save option default value is restored
      again to CONFIG_SND_HDA_POWER_SAVE_DEFAULT.  Meanwhile, in this patch,
      we keep the blacklist behavior and make is adjustable via the new
      option, pm_blacklist.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199073
      Fixes: 1ba8f9d3 ("ALSA: hda: Add a power_save blacklist")
      Acked-by: default avatarHans de Goede <hdegoede@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      996ecf93
    • Takashi Iwai's avatar
      ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats() · 422d4f1c
      Takashi Iwai authored
      commit 01c0b426 upstream.
      
      snd_pcm_oss_get_formats() has an obvious use-after-free around
      snd_mask_test() calls, as spotted by syzbot.  The passed format_mask
      argument is a pointer to the hw_params object that is freed before the
      loop.  What a surprise that it has been present since the original
      code of decades ago...
      
      Reported-by: syzbot+4090700a4f13fccaf648@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      422d4f1c