Sound correction patches have been applied for testing build

5 months ago · 54cd799122
parent cb71960583
commit 54cd799122
4 changed files with 156 additions and 1 deletions
--- a/SOURCES/0101-patch-5.14-bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch
+++ b/SOURCES/0101-patch-5.14-bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch
@ -0,0 +1,51 @@
+bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
+
+device_add shall not be called multiple times as stated in its
+documentation:
+
+ 'Do not call this routine or device_register() more than once for
+ any device structure'
+
+Syzkaller reports a bug as follows [1]:
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:33!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+[...]
+Call Trace:
+ <TASK>
+ __list_add include/linux/list.h:69 [inline]
+ list_add_tail include/linux/list.h:102 [inline]
+ kobj_kset_join lib/kobject.c:164 [inline]
+ kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214
+ kobject_add_varg lib/kobject.c:358 [inline]
+ kobject_add+0x150/0x1c0 lib/kobject.c:410
+ device_add+0x368/0x1e90 drivers/base/core.c:3452
+ hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53
+ hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799
+ hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110
+ hci_event_func net/bluetooth/hci_event.c:7440 [inline]
+ hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495
+ hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007
+ process_one_work+0x991/0x1610 kernel/workqueue.c:2289
+ worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+ kthread+0x2e4/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+ </TASK>
+
+Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Hawkins Jiawei <yin31149@gmail.com>
+---
+diff -ruN linux-5.14.0-427.18.orig/net/bluetooth/hci_sysfs.c linux-5.14.0-427.18/net/bluetooth/hci_sysfs.c
+--- linux-5.14.0-427.18.orig/net/bluetooth/hci_sysfs.c
+++ linux-5.14.0-427.18/net/bluetooth/hci_sysfs.c
+@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
+ 
+ 	bt_dev_dbg(hdev, "conn %p", conn);
+ 
+	if (device_is_registered(&conn->dev))
+		return;
+
+ 	if (device_is_registered(&conn->dev))
+ 		return;
+
--- a/SOURCES/0102-patch-5.14-can-j1939-j1939_netdev_start-fix-UAF-for-rx_kref-of-.patch
+++ b/SOURCES/0102-patch-5.14-can-j1939-j1939_netdev_start-fix-UAF-for-rx_kref-of-.patch
@ -0,0 +1,70 @@
+can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
+
+It will trigger UAF for rx_kref of j1939_priv as following.
+
+        cpu0                                    cpu1
+j1939_sk_bind(socket0, ndev0, ...)
+j1939_netdev_start
+                                        j1939_sk_bind(socket1, ndev0, ...)
+                                        j1939_netdev_start
+j1939_priv_set
+                                        j1939_priv_get_by_ndev_locked
+j1939_jsk_add
+.....
+j1939_netdev_stop
+kref_put_lock(&priv->rx_kref, ...)
+                                        kref_get(&priv->rx_kref, ...)
+                                        REFCOUNT_WARN("addition on 0;...")
+
+====================================================
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
+RIP: 0010:refcount_warn_saturate+0x169/0x1e0
+Call Trace:
+ j1939_netdev_start+0x68b/0x920
+ j1939_sk_bind+0x426/0xeb0
+ ? security_socket_bind+0x83/0xb0
+
+The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to
+protect.
+
+Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
+Link: https://lore.kernel.org/all/20210926104757.2021540-1-william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+---
+diff -ruN  linux-5.14.0-427.18.orig/net/can/j1939/main.c linux-5.14.0-427.18/net/can/j1939/main.c
+index 0e9af9075..0cf84b7e5 100644
+--- linux-5.14.0-427.18.orig/net/can/j1939/main.c
+++ linux-5.14.0-427.18/net/can/j1939/main.c
+@@ -253,11 +253,14 @@ struct j1939_priv *j1939_netdev_start(struct net_device *ndev)
+ 	struct j1939_priv *priv, *priv_new;
+ 	int ret;
+ 
+-	priv = j1939_priv_get_by_ndev(ndev);
+	spin_lock(&j1939_netdev_lock);
+	priv = j1939_priv_get_by_ndev_locked(ndev);
+ 	if (priv) {
+ 		kref_get(&priv->rx_kref);
+		spin_unlock(&j1939_netdev_lock);
+ 		return priv;
+ 	}
+	spin_unlock(&j1939_netdev_lock);
+ 
+ 	priv = j1939_priv_create(ndev);
+ 	if (!priv)
+@@ -273,10 +276,10 @@ struct j1939_priv *j1939_netdev_start(struct net_device *ndev)
+ 		/* Someone was faster than us, use their priv and roll
+ 		 * back our's.
+ 		 */
+		kref_get(&priv_new->rx_kref);
+ 		spin_unlock(&j1939_netdev_lock);
+ 		dev_put(ndev);
+ 		kfree(priv);
+-		kref_get(&priv_new->rx_kref);
+ 		return priv_new;
+ 	}
+ 	j1939_priv_set(ndev, priv);
--- a/SOURCES/0201-5.14.0-mic-fix.patch
+++ b/SOURCES/0201-5.14.0-mic-fix.patch
@ -0,0 +1,12 @@
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index e8209178d..79ddaf58c 100644
+--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
+@@ -967,6 +967,7 @@
+ 	SND_PCI_QUIRK(0x103c, 0x8457, "HP Z2 G4 mini", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x103c, 0x8458, "HP Z2 G4 mini premium", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
+	SND_PCI_QUIRK(0x14f1, 0x0226, "Inferit Compact", CXT_FIXUP_HP_GATE_MIC),
+ 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
+ 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
+ 	SND_PCI_QUIRK(0x17aa, 0x215e, "Lenovo T410", CXT_PINCFG_LENOVO_TP410),
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -630,7 +630,7 @@ Name: kernel
 License: ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-2-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR CDDL-1.0) AND ((GPL-2.0-only WITH Linux-syscall-note) OR Linux-OpenIB) AND ((GPL-2.0-only WITH Linux-syscall-note) OR MIT) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR MIT) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause-Clear AND GFDL-1.1-no-invariants-or-later AND GPL-1.0-or-later AND (GPL-1.0-or-later OR BSD-3-Clause) AND (GPL-1.0-or-later WITH Linux-syscall-note) AND GPL-2.0-only AND (GPL-2.0-only OR Apache-2.0) AND (GPL-2.0-only OR BSD-2-Clause) AND (GPL-2.0-only OR BSD-3-Clause) AND (GPL-2.0-only OR CDDL-1.0) AND (GPL-2.0-only OR GFDL-1.1-no-invariants-or-later) AND (GPL-2.0-only OR GFDL-1.2-no-invariants-only) AND (GPL-2.0-only WITH Linux-syscall-note) AND GPL-2.0-or-later AND (GPL-2.0-or-later OR BSD-2-Clause) AND (GPL-2.0-or-later OR BSD-3-Clause) AND (GPL-2.0-or-later OR CC-BY-4.0) AND (GPL-2.0-or-later WITH GCC-exception-2.0) AND (GPL-2.0-or-later WITH Linux-syscall-note) AND ISC AND LGPL-2.0-or-later AND (LGPL-2.0-or-later OR BSD-2-Clause) AND (LGPL-2.0-or-later WITH Linux-syscall-note) AND LGPL-2.1-only AND (LGPL-2.1-only OR BSD-2-Clause) AND (LGPL-2.1-only WITH Linux-syscall-note) AND LGPL-2.1-or-later AND (LGPL-2.1-or-later WITH Linux-syscall-note) AND (Linux-OpenIB OR GPL-2.0-only) AND (Linux-OpenIB OR GPL-2.0-only OR BSD-2-Clause) AND Linux-man-pages-copyleft AND MIT AND (MIT OR GPL-2.0-only) AND (MIT OR GPL-2.0-or-later) AND (MIT OR LGPL-2.1-only) AND (MPL-1.1 OR GPL-2.0-only) AND (X11 OR GPL-2.0-only) AND (X11 OR GPL-2.0-or-later) AND Zlib
 URL: https://www.kernel.org/
 Version: %{specversion}
-Release: %{pkg_release}
+Release: %{pkg_release}.1
 # DO NOT CHANGE THE 'ExclusiveArch' LINE TO TEMPORARILY EXCLUDE AN ARCHITECTURE BUILD.
 # SET %%nobuildarches (ABOVE) INSTEAD
 %if 0%{?fedora}
@ -957,6 +957,13 @@ Patch2005: 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 Patch2006: 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch

+# Backported by Inferit
+Patch3001: 0101-patch-5.14-bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch
+Patch3002: 0102-patch-5.14-can-j1939-j1939_netdev_start-fix-UAF-for-rx_kref-of-.patch
+
+# Inferit hardware support
+Patch3101: 0201-5.14.0-mic-fix.patch
+
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch

@ -1691,6 +1698,10 @@ ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch

+ApplyPatch 0101-patch-5.14-bluetooth-hci_sysfs-Fix-attempting-to-call-device_ad.patch
+ApplyPatch 0102-patch-5.14-can-j1939-j1939_netdev_start-fix-UAF-for-rx_kref-of-.patch
+ApplyPatch 0201-5.14.0-mic-fix.patch
+
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif

@ -3717,6 +3728,10 @@ fi
 #
 #
 %changelog
+* Thu Jun 27 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 5.14.0-427.22.1.1
+- Sound correction patches by Dmitry Antipov <dantipov@msvsphere-os.ru> have been applied
+- Rebuilt for MSVSphere 9.4 testing
+
 * Mon Jun 10 2024 Scott Weaver <scweaver@redhat.com> [5.14.0-427.22.1.el9_4]
 - dpll: fix dpll_pin_on_pin_register() for multiple parent pins (Petr Oros) [RHEL-36572 RHEL-32098]
 - dpll: indent DPLL option type by a tab (Petr Oros) [RHEL-36572 RHEL-32098]
@ -3762,6 +3777,9 @@ fi
 - smb: client: fix parsing of source mount option (Jay Shin) [RHEL-38904 RHEL-28739]
 - integrity: eliminate unnecessary "Problem loading X.509 certificate" msg (Coiby Xu) [RHEL-39933 RHEL-12346]

+* Thu Jun 06 2024 Dmitry Antipov <dantipov@msvsphere-os.ru>
+- snd-hda-intel: fix microphone on Inferit Silver laptop
+
 * Mon Jun 03 2024 Scott Weaver <scweaver@redhat.com> [5.14.0-427.21.1.el9_4]
 - drm/i915/display: Increase number of fast wake precharge pulses (Mika Penttilä) [RHEL-36534 RHEL-20439]
 - drm/i915/psr: Improve fast and IO wake lines calculation (Mika Penttilä) [RHEL-36534 RHEL-20439]
@ -3769,6 +3787,10 @@ fi
 - smb: client: improve DFS mount check (Jay Shin) [RHEL-36743 RHEL-28739]
 - net: mana: Fix Rx DMA datasize and skb_over_panic (Cathy Avery) [RHEL-37622 RHEL-9872]

+* Wed May 29 2024 Dmitry Antipov <dantipov@msvsphere-os.ru>
+- bluetooth: do not call device_add() multiple times
+- can: fix use-after-free for rx_kref of j1939_priv
+
 * Thu May 23 2024 Scott Weaver <scweaver@redhat.com> [5.14.0-427.20.1.el9_4]
 - ipv6: sr: fix possible use-after-free and null-ptr-deref (Hangbin Liu) [RHEL-33968 RHEL-31732] {CVE-2024-26735}
 - idpf: fix kernel panic on unknown packet types (Michal Schmidt) [RHEL-36145 RHEL-29035]