- 05 Dec, 2018 40 commits
-
-
Larry Finger authored
commit 8561fb31 upstream. With Androidx86 8.1, wificond returns "failed to get nl80211_sta_info_tx_failed" and wificondControl returns "Invalid signal poll result from wificond". The fix is to OR sinfo->filled with BIT_ULL(NL80211_STA_INFO_TX_FAILED). This missing bit is apparently not needed with NetworkManager, but it does no harm in that case. Reported-and-Tested-by:
youling257 <youling257@gmail.com> Cc: linux-wireless@vger.kernel.org Cc: youling257 <youling257@gmail.com> Signed-off-by:
Larry Finger <Larry.Finger@lwfinger.net> Cc: stable <stable@vger.kernel.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Larry Finger authored
commit c948c691 upstream. In commit b37f9e1c ("staging: rtl8723bs: Fix lines too long in update_recvframe_attrib()."), the refactoring involved replacing two memcmp() calls with ether_addr_equal() calls. What the author missed is that memcmp() returns false when the two strings are equal, whereas ether_addr_equal() returns true when the two addresses are equal. One side effect of this error is that the strength of an unassociated AP was much stronger than the same AP after association. This bug is reported at bko#201611. Fixes: b37f9e1c ("staging: rtl8723bs: Fix lines too long in update_recvframe_attrib().") Cc: Stable <stable@vger.kernel.org> Cc: youling257 <youling257@gmail.com> Cc: u.srikant.patnaik@gmail.com Reported-and-tested-by:
-
Colin Ian King authored
commit cd56a514 upstream. Currently the for_each_node_with_property loop us incrementing variable ngroups however it was not initialized and hence will contain garbage. Fix this by initializing ngroups to zero. Detected with static analysis with cppcheck: drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c:89]: (error) Uninitialized variable: ngroups Fixes: e12a1a6e ("staging: mt7621-pinctrl: refactor rt2880_pinctrl_dt_node_to_map function") Signed-off-by:
Colin Ian King <colin.king@canonical.com> Reviewed-by:
Sergio Paracuellos <sergio.paracuellos@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by:
-
Sergio Paracuellos authored
commit 354e3796 upstream. Function 'mtk_hsdma_start_transfer' uses 'tx_desc' pointer which can be dereferenced before it is initializated. Initializate pointer before avoiding the problem. Fixes: 0853c7a5 ("staging: mt7621-dma: ralink: add rt2880 dma engine") Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Ben Wolsieffer authored
commit 5a96b2d3 upstream. The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that the native ioctl always uses a message buffer and decrements msgbufcount. Certain message types do not use a message buffer and in this case msgbufcount is not decremented, and completion->header for the message is NULL. Because the wrapper unconditionally decrements msgbufcount, the calling process may assume that a message buffer has been used even when it has not. This results in a memory leak in the userspace code that interfaces with this driver. When msgbufcount is decremented, the userspace code assumes that the buffer can be freed though the reference in completion->header, which cannot happen when the reference is NULL. This patch causes the wrapper to only decrement msgbufcount when the native ioctl decrements it. Note that we cannot simply copy the native ioctl's value of msgbufcount, because the wrapper only retrieves messages from the native ioctl one at a time, while userspace may request multiple messages. See https://github.com/raspberrypi/linux/pull/2703 for more discussion of this patch. Fixes: 5569a126 ("staging: vchiq_arm: Add compatibility wrappers for ioctls") Signed-off-by:
Ben Wolsieffer <benwolsieffer@gmail.com> Acked-by:
Stefan Wahren <stefan.wahren@i2se.com> Cc: stable <stable@vger.kernel.org> Signed-off-by:
-
Colin Ian King authored
commit 13c45007 upstream. Passing string ch_data_type[i].name as the format specifier is potentially hazardous because it could (although very unlikely to) have a format specifier embedded in it causing issues when parsing the non-existent arguments to these. Follow best practice by using the "%s" format string for the string. Cleans up clang warning: format string is not a string literal (potentially insecure) [-Wformat-security] Fixes: e7f2b70f ("staging: most: replace multiple if..else with table lookup") Signed-off-by:
-
Richard Genoud authored
commit 77e75fda upstream. of_dma_controller_free() was not called on module onloading. This lead to a soft lockup: watchdog: BUG: soft lockup - CPU#0 stuck for 23s! Modules linked in: at_hdmac [last unloaded: at_hdmac] when of_dma_request_slave_channel() tried to call ofdma->of_dma_xlate(). Cc: stable@vger.kernel.org Fixes: bbe89c8e ("at_hdmac: move to generic DMA binding") Acked-by:
Ludovic Desroches <ludovic.desroches@microchip.com> Signed-off-by:
Richard Genoud <richard.genoud@gmail.com> Signed-off-by:
Vinod Koul <vkoul@kernel.org> Signed-off-by:
-
Richard Genoud authored
commit 98f5f932 upstream. The leak was found when opening/closing a serial port a great number of time, increasing kmalloc-32 in slabinfo. Each time the port was opened, dma_request_slave_channel() was called. Then, in at_dma_xlate(), atslave was allocated with devm_kzalloc() and never freed. (Well, it was free at module unload, but that's not what we want). So, here, kzalloc is more suited for the job since it has to be freed in atc_free_chan_resources(). Cc: stable@vger.kernel.org Fixes: bbe89c8e ("at_hdmac: move to generic DMA binding") Reported-by:
Mario Forner <m.forner@be4energy.com> Suggested-by:
Alexandre Belloni <alexandre.belloni@bootlin.com> Acked-by:
-
Heiko Stuebner authored
commit 672e60b7 upstream. The Coreboot version on veyron ChromeOS devices seems to ignore memory@0 nodes when updating the available memory and instead inserts another memory node without the address. This leads to 4GB systems only ever be using 2GB as the memory@0 node takes precedence. So remove the @0 for veyron devices. Fixes: 0b639b81 ("ARM: dts: rockchip: Add missing unit name to memory nodes in rk3288 boards") Cc: stable@vger.kernel.org Reported-by:
Heikki Lindholm <holin@iki.fi> Signed-off-by:
Heiko Stuebner <heiko@sntech.de> Signed-off-by:
-
Andreas Dannenberg authored
commit 52777156 upstream. According to the current device datasheet (TI Lit # SLAS831D, revised March 2018) the value written to the device's PAGE register to trigger a complete register reset should be 0xfe, not 0xff. So go ahead and update to the correct value. Reported-by:
Stephane Le Provost <stephane.leprovost@mediatek.com> Tested-by:
Andreas Dannenberg <dannenberg@ti.com> Acked-by:
Andrew F. Davis <afd@ti.com> Signed-off-by:
Mark Brown <broonie@kernel.org> Cc: stable@vger.kernel.org Signed-off-by:
-
Hans de Goede authored
commit a182ecd3 upstream. Some boards such as the Swanky model Chromebooks use pmc_plt_clk_0 for the mclk instead of pmc_plt_clk_3. This commit adds a DMI based quirk for this. This fixing audio no longer working on these devices after commit 648e9218 ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") that commit fixes us unnecessary keeping unused clocks on, but in case of the Swanky that was breaking audio support since we were not using the right clock in the cht_bsw_max98090_ti machine driver. Cc: stable@vger.kernel.org Fixes: 648e9218 ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") Reported-and-tested-by:
Dean Wallace <duffydack73@gmail.com> Signed-off-by:
Hans de Goede <hdegoede@redhat.com> Signed-off-by:
-
Pan Bian authored
commit ecebf55d upstream. The function ext2_xattr_set calls brelse(bh) to drop the reference count of bh. After that, bh may be freed. However, following brelse(bh), it reads bh->b_data via macro HDR(bh). This may result in a use-after-free bug. This patch moves brelse(bh) after reading field. CC: stable@vger.kernel.org Signed-off-by:
Pan Bian <bianpan2016@163.com> Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
-
xingaopeng authored
commit e5f5b717 upstream. We need to initialize opts.s_mount_opt as zero before using it, else we may get some unexpected mount options. Fixes: 08851957 ("ext2: Parse mount options into a dedicated structure") CC: stable@vger.kernel.org Signed-off-by:
xingaopeng <xingaopeng@huawei.com> Signed-off-by:
-
Todd Kjos authored
commit 7bada55a upstream. Malicious code can attempt to free buffers using the BC_FREE_BUFFER ioctl to binder. There are protections against a user freeing a buffer while in use by the kernel, however there was a window where BC_FREE_BUFFER could be used to free a recently allocated buffer that was not completely initialized. This resulted in a use-after-free detected by KASAN with a malicious test program. This window is closed by setting the buffer's allow_user_free attribute to 0 when the buffer is allocated or when the user has previously freed it instead of waiting for the caller to set it. The problem was that when the struct buffer was recycled, allow_user_free was stale and set to 1 allowing a free to go through. Signed-off-by:
Todd Kjos <tkjos@google.com> Acked-by:
Arve Hjønnevåg <arve@android.com> Cc: stable <stable@vger.kernel.org> # 4.14 Signed-off-by:
-
Steven Rostedt (VMware) authored
commit 7c6ea35e upstream. The function graph profiler uses the ret_stack to store the "subtime" and reuse it by nested functions and also on the return. But the current logic has the profiler callback called before the ret_stack is updated, and it is just modifying the ret_stack that will later be allocated (it's just lucky that the "subtime" is not touched when it is allocated). This could also cause a crash if we are at the end of the ret_stack when this happens. By reversing the order of the allocating the ret_stack and then calling the callbacks attached to a function being traced, the ret_stack entry is no longer used before it is allocated. Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by:
Steven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by:
-
Steven Rostedt (VMware) authored
commit 552701dd upstream. In the past, curr_ret_stack had two functions. One was to denote the depth of the call graph, the other is to keep track of where on the ret_stack the data is used. Although they may be slightly related, there are two cases where they need to be used differently. The one case is that it keeps the ret_stack data from being corrupted by an interrupt coming in and overwriting the data still in use. The other is just to know where the depth of the stack currently is. The function profiler uses the ret_stack to save a "subtime" variable that is part of the data on the ret_stack. If curr_ret_stack is modified too early, then this variable can be corrupted. The "max_depth" option, when set to 1, will record the first functions going into the kernel. To see all top functions (when dealing with timings), the depth variable needs to be lowered before calling the return hook. But by lowering the curr_ret_stack, it makes the data on the ret_stack still being used by the return hook susceptible to being overwritten. Now that there's two variables to handle both cases (curr_ret_depth), we can move them to the locations where they can handle both cases. Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit b1b35f2e upstream. The profiler uses trace->depth to find its entry on the ret_stack, but the depth may not match the actual location of where its entry is (if an interrupt were to preempt the processing of the profiler for another function, the depth and the curr_ret_stack will be different). Have it use the curr_ret_stack as the index to find its ret_stack entry instead of using the depth variable, as that is no longer guaranteed to be the same. Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 39eb456d upstream. Currently, the depth of the ret_stack is determined by curr_ret_stack index. The issue is that there's a race between setting of the curr_ret_stack and calling of the callback attached to the return of the function. Commit 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") moved the calling of the callback to after the setting of the curr_ret_stack, even stating that it was safe to do so, when in fact, it was the reason there was a barrier() there (yes, I should have commented that barrier()). Not only does the curr_ret_stack keep track of the current call graph depth, it also keeps the ret_stack content from being overwritten by new data. The function profiler, uses the "subtime" variable of ret_stack structure and by moving the curr_ret_stack, it allows for interrupts to use the same structure it was using, corrupting the data, and breaking the profiler. To fix this, there needs to be two variables to handle the call stack depth and the pointer to where the ret_stack is being used, as they need to change at two different locations. Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit d125f3f8 upstream. As all architectures now call function_graph_enter() to do the entry work, no architecture should ever call ftrace_push_return_trace(). Make it static. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 8712b27c upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have MIPS use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Paul Burton <paul.burton@mips.com> Cc: James Hogan <jhogan@kernel.org> Cc: linux-mips@linux-mips.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 01e0ab2c upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have arm64 use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: linux-arm-kernel@lists.infradead.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Acked-by:
Will Deacon <will.deacon@arm.com> Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 18588e14 upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have s390 use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Acked-by:
Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Julian Wiedmann <jwi@linux.ibm.com> Cc: linux-s390@vger.kernel.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit e949b6db upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have riscv use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Greentime Hu <greentime@andestech.com> Cc: Alan Kao <alankao@andestech.com> Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
Palmer Dabbelt <palmer@sifive.com> Reviewed-by:
-
Steven Rostedt (VMware) authored
commit a87532c7 upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have parisc use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: "James E.J. Bottomley" <jejb@parisc-linux.org> Cc: Helge Deller <deller@gmx.de> Cc: linux-parisc@vger.kernel.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 9c4bf5e0 upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have sparc use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: "David S. Miller" <davem@davemloft.net> Cc: sparclinux@vger.kernel.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit bc715ee4 upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have superh use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Yoshinori Sato <ysato@users.sourceforge.jp> Cc: Rich Felker <dalias@libc.org> Cc: linux-sh@vger.kernel.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit fe60522e upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have powerpc use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: linuxppc-dev@lists.ozlabs.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit d48ebb24 upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have nds32 use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Greentime Hu <greentime@andestech.com> Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 07f7175b upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have x86 use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: x86@kernel.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 556763e5 upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have microblaze use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Michal Simek <monstr@monstr.eu> Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit f1f5b14a upstream. The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have ARM use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Russell King <linux@armlinux.org.uk> Cc: linux-arm-kernel@lists.infradead.org Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Steven Rostedt (VMware) authored
commit 8114865f upstream. Currently all the architectures do basically the same thing in preparing the function graph tracer on entry to a function. This code can be pulled into a generic location and then this will allow the function graph tracer to be fixed, as well as extended. Create a new function graph helper function_graph_enter() that will call the hook function (ftrace_graph_entry) and the shadow stack operation (ftrace_push_return_trace), and remove the need of the architecture code to manage the shadow stack. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: stable@kernel.org Fixes: 03274a3f ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by:
-
Girija Kumar Kasinadhuni authored
commit e8ed64b0 upstream. This device makes a loud buzzing sound when a headphone is inserted while playing audio at full volume through the speaker. Fixes: bbf8ff6b ("ALSA: hda/realtek - Fixup for HP x360 laptops with B&O speakers") Signed-off-by:
Girija Kumar Kasinadhuni <gkumar@neverware.com> Cc: <stable@vger.kernel.org> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Hui Wang authored
commit c4cfcf6f upstream. We have several Lenovo laptops with the codec alc285, when playing sound via headphone, we can hear click/pop noise in the headphone, if we let the headphone share the DAC of NID 0x2 with the speaker, the noise disappears. The Lenovo laptops here include P52, P72, X1 yoda2 and X1 carbon. I have tried to set preferred_dacs and override_conn, but neither of them worked. Thanks for Kailang, he told me to invalidate the NID 0x3 through override_wcaps. BugLink: https://bugs.launchpad.net/bugs/1805079 Cc: <stable@vger.kernel.org> Signed-off-by:
Kailang Yang <kailang@realtek.com> Signed-off-by:
Hui Wang <hui.wang@canonical.com> Signed-off-by:
-
Anisse Astier authored
commit 8cd65271 upstream. MSI Cubi N 8GL (MS-B171) needs the same fixup as its older model, the MS-B120, in order for the headset mic to be properly detected. They both use a single 3-way jack for both mic and headset with an ALC283 codec, with the same pins used. Cc: stable@vger.kernel.org Signed-off-by:
Anisse Astier <anisse@astier.eu> Signed-off-by:
-
Kailang Yang authored
commit 1078bef0 upstream. This patch will enable ALC300. [ It's almost equivalent with other ALC269-compatible ones, and apparently has no loopback mixer -- tiwai ] Signed-off-by:
-
Hans de Goede authored
commit 39070a98 upstream. Power-saving is causing plops on audio start/stop on the built-in audio of the nForce 430 based ASRock N68C-S UCC motherboard, add this model to the power_save blacklist. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104 Cc: <stable@vger.kernel.org> Signed-off-by:
-
Takashi Iwai authored
commit 9a20332a upstream. Some spurious calls of snd_free_pages() have been overlooked and remain in the error paths of sparc cs4231 driver code. Since runtime->dma_area is managed by the PCM core helper, we shouldn't release manually. Drop the superfluous calls. Reviewed-by:
Takashi Sakamoto <o-takashi@sakamocchi.jp> Cc: <stable@vger.kernel.org> Signed-off-by:
-
Takashi Iwai authored
commit e1a7bfe3 upstream. The procedure for adding a user control element has some window opened for race against the concurrent removal of a user element. This was caught by syzkaller, hitting a KASAN use-after-free error. This patch addresses the bug by wrapping the whole procedure to add a user control element with the card->controls_rwsem, instead of only around the increment of card->user_ctl_count. This required a slight code refactoring, too. The function snd_ctl_add() is split to two parts: a core function to add the control element and a part calling it. The former is called from the function for adding a user control element inside the controls_rwsem. One change to be noted is that snd_ctl_notify() for adding a control element gets called inside the controls_rwsem as well while it was called outside the rwsem. But this should be OK, as snd_ctl_notify() takes another (finer) rwlock instead of rwsem, and the call of snd_ctl_notify() inside rwsem is already done in another code path. Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by:
-
Takashi Iwai authored
commit 7194eda1 upstream. The function snd_ac97_put_spsa() gets the bit shift value from the associated private_value, but it extracts too much; the current code extracts 8 bit values in bits 8-15, but this is a combination of two nibbles (bits 8-11 and bits 12-15) for left and right shifts. Due to the incorrect bits extraction, the actual shift may go beyond the 32bit value, as spotted recently by UBSAN check: UBSAN: Undefined behaviour in sound/pci/ac97/ac97_codec.c:836:7 shift exponent 68 is too large for 32-bit type 'int' This patch fixes the shift value extraction by masking the properly with 0x0f instead of 0xff. Reported-and-tested-by:
Meelis Roos <mroos@linux.ee> Cc: <stable@vger.kernel.org> Signed-off-by:
-
