When writing out a stereo control we discard the change notification from
the first channel, meaning that events are only generated based on changes
to the second channel. Ensure that we report a change if either channel
has changed.
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
sound/soc/soc-ops.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index fefd4f34cbc1..6b922d12afb5 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -874,6 +874,7 @@ int snd_soc_put_xr_sx(struct snd_kcontrol *kcontrol,
unsigned long mask = (1UL<<mc->nbits)-1;
long max = mc->max;
long val = ucontrol->value.integer.value[0];
+ int ret = 0;
unsigned int i;
if (invert)
@@ -886,9 +887,11 @@ int snd_soc_put_xr_sx(struct snd_kcontrol *kcontrol,
regmask, regval);
if (err < 0)
return err;
+ if (err > 0)
+ ret = err;
}
- return 0;
+ return ret;
}
EXPORT_SYMBOL_GPL(snd_soc_put_xr_sx);
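Review bot: The commit message talks about a stereo control and a first and second channel, but the "if (err > 0) ret = err;" added here sits inside the block closed by the following "}", and the "unsigned int i;" in the first hunk suggests it runs once per iteration rather than once per channel; the message reads as carried over from the volsw patches and should describe what this function does. Consider "ret = 1;" in place of "ret = err;" so the value returned is a plain change flag and does not depend on which positive value the update call happened to return last.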
--
2.30.2
When writing out a stereo control we discard the change notification from
the first channel, meaning that events are only generated based on changes
to the second channel. Ensure that we report a change if either channel
has changed.
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
sound/soc/soc-ops.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index f0d1aeb38346..fefd4f34cbc1 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -498,7 +498,7 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol,
unsigned int mask = (1 << fls(max)) - 1;
unsigned int invert = mc->invert;
unsigned int val, val_mask;
- int ret;
+ int err, ret;
if (invert)
val = (max - ucontrol->value.integer.value[0]) & mask;
@@ -507,9 +507,10 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol,
val_mask = mask << shift;
val = val << shift;
- ret = snd_soc_component_update_bits(component, reg, val_mask, val);
- if (ret < 0)
- return ret;
+ err = snd_soc_component_update_bits(component, reg, val_mask, val);
+ if (err < 0)
+ return err;
+ ret = err;
if (snd_soc_volsw_is_stereo(mc)) {
if (invert)
@@ -519,8 +520,12 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol,
val_mask = mask << shift;
val = val << shift;
- ret = snd_soc_component_update_bits(component, rreg, val_mask,
+ err = snd_soc_component_update_bits(component, rreg, val_mask,
val);
+ /* Don't discard any error code or drop change flag */
+ if (ret == 0 || err < 0) {
+ ret = err;
+ }
}
return ret;
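Review bot: In the stereo branch, "if (ret == 0 || err < 0) { ret = err; }" puts braces around a single statement, which kernel coding style asks to leave out. The condition itself does what the comment says: a positive ret from the first write survives when the second write reports no change, and a negative err always wins. It would help to say in the comment that an error on the second write replaces a change already recorded for the first, since in that case the first register has been modified and no change is reported.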
--
2.30.2
When writing out a stereo control we discard the change notification from
the first channel, meaning that events are only generated based on changes
to the second channel. Ensure that we report a change if either channel
has changed.
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
sound/soc/soc-ops.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 08eaa9ddf191..73c9d53de25b 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -308,7 +308,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
unsigned int sign_bit = mc->sign_bit;
unsigned int mask = (1 << fls(max)) - 1;
unsigned int invert = mc->invert;
- int err;
+ int err, ret;
bool type_2r = false;
unsigned int val2 = 0;
unsigned int val, val_mask;
@@ -336,12 +336,18 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
err = snd_soc_component_update_bits(component, reg, val_mask, val);
if (err < 0)
return err;
+ ret = err;
- if (type_2r)
+ if (type_2r) {
err = snd_soc_component_update_bits(component, reg2, val_mask,
- val2);
+ val2);
+ /* Don't discard any error code or drop change flag */
+ if (ret == 0 || err < 0) {
+ ret = err;
+ }
+ }
- return err;
+ return ret;
}
EXPORT_SYMBOL_GPL(snd_soc_put_volsw);
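Review bot: The "- val2);" / "+ val2);" pair in the type_2r branch is a whitespace-only change to the continuation line; for a fix tagged Cc: stable it is better dropped so the patch touches only the logic and backports cleanly. The braces around the single "ret = err;" statement can go as well, and "int err, ret;" in the first hunk leaves ret without an initial value where the xr_sx patch uses "int ret = 0;", so the three patches would read more consistently with one form.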
--
2.30.2
This is the start of the stable review cycle for the 5.4.176 release.
There are 64 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 02 Feb 2022 10:51:59 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.176-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.4.176-rc1
OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp>
block: Fix wrong offset in bio_truncate()
Amir Goldstein <amir73il(a)gmail.com>
fsnotify: invalidate dcache before IN_DELETE event
Marc Kleine-Budde <mkl(a)pengutronix.de>
dt-bindings: can: tcan4x5x: fix mram-cfg RX FIFO config
Eric Dumazet <edumazet(a)google.com>
ipv4: remove sparse error in ip_neigh_gw4()
Eric Dumazet <edumazet(a)google.com>
ipv4: tcp: send zero IPID in SYNACK messages
Eric Dumazet <edumazet(a)google.com>
ipv4: raw: lock the socket in raw_bind()
Yufeng Mo <moyufeng(a)huawei.com>
net: hns3: handle empty unknown interrupt for VF
Hangyu Hua <hbh25y(a)gmail.com>
yam: fix a memory leak in yam_siocdevprivate()
Miaoqian Lin <linmq006(a)gmail.com>
drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy
Sukadev Bhattiprolu <sukadev(a)linux.ibm.com>
ibmvnic: don't spin in tasklet
Sukadev Bhattiprolu <sukadev(a)linux.ibm.com>
ibmvnic: init ->running_cap_crqs early
Guenter Roeck <linux(a)roeck-us.net>
hwmon: (lm90) Mark alert as broken for MAX6654
David Howells <dhowells(a)redhat.com>
rxrpc: Adjust retransmission backoff
Marek Behún <kabel(a)kernel.org>
phylib: fix potential use-after-free
Robert Hancock <robert.hancock(a)calian.com>
net: phy: broadcom: hook up soft_reset for BCM54616S
Florian Westphal <fw(a)strlen.de>
netfilter: conntrack: don't increment invalid counter on NF_REPEAT
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS: Ensure the server has an up to date ctime before renaming
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS: Ensure the server has an up to date ctime before hardlinking
Eric Dumazet <edumazet(a)google.com>
ipv6: annotate accesses to fn->fn_sernum
José Expósito <jose.exposito89(a)gmail.com>
drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable
Miaoqian Lin <linmq006(a)gmail.com>
drm/msm/dsi: Fix missing put_device() call in dsi_get_phy
Xianting Tian <xianting.tian(a)linux.alibaba.com>
drm/msm: Fix wrong size calculation
Jianguo Wu <wujianguo(a)chinatelecom.cn>
net-procfs: show net devices bound packet types
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFSv4: nfs_atomic_open() can race when looking up a non-regular file
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFSv4: Handle case where the lookup of a directory fails
Guenter Roeck <linux(a)roeck-us.net>
hwmon: (lm90) Reduce maximum conversion rate for G781
Eric Dumazet <edumazet(a)google.com>
ipv4: avoid using shared IP generator for connected sockets
Xin Long <lucien.xin(a)gmail.com>
ping: fix the sk_bound_dev_if match in ping_lookup
Guenter Roeck <linux(a)roeck-us.net>
hwmon: (lm90) Mark alert as broken for MAX6680
Guenter Roeck <linux(a)roeck-us.net>
hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649
Congyu Liu <liu3101(a)purdue.edu>
net: fix information leakage in /proc/net/ptype
sparkhuang <huangshaobo6(a)huawei.com>
ARM: 9170/1: fix panic when kasan and kprobe are enabled
Ido Schimmel <idosch(a)nvidia.com>
ipv6_tunnel: Rate limit warning messages
John Meneghini <jmeneghi(a)redhat.com>
scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()
Matthias Kaehlcke <mka(a)chromium.org>
rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev
Sujit Kautkar <sujitka(a)chromium.org>
rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev
Joe Damato <jdamato(a)fastly.com>
i40e: fix unsigned stat widths
Sylwester Dziedziuch <sylwesterx.dziedziuch(a)intel.com>
i40e: Fix queues reservation for XDP
Jedrzej Jagielski <jedrzej.jagielski(a)intel.com>
i40e: Fix issue when maximum queues is exceeded
Jedrzej Jagielski <jedrzej.jagielski(a)intel.com>
i40e: Increase delay to 1 s after global EMP reset
Christophe Leroy <christophe.leroy(a)csgroup.eu>
powerpc/32: Fix boot failure with GCC latent entropy plugin
Marek Behún <kabel(a)kernel.org>
net: sfp: ignore disabled SFP node
Sing-Han Chen <singhanc(a)nvidia.com>
ucsi_ccg: Check DEV_INT bit only when starting CCG4
Badhri Jagan Sridharan <badhri(a)google.com>
usb: typec: tcpm: Do not disconnect while receiving VBUS off
Alan Stern <stern(a)rowland.harvard.edu>
USB: core: Fix hang in usb_kill_urb by adding memory barriers
Pavankumar Kondeti <quic_pkondeti(a)quicinc.com>
usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS
Jon Hunter <jonathanh(a)nvidia.com>
usb: common: ulpi: Fix crash in ulpi_match()
Alan Stern <stern(a)rowland.harvard.edu>
usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge
Cameron Williams <cang1(a)live.co.uk>
tty: Add support for Brainboxes UC cards.
daniel.starke(a)siemens.com <daniel.starke(a)siemens.com>
tty: n_gsm: fix SW flow control encoding/handling
Valentin Caron <valentin.caron(a)foss.st.com>
serial: stm32: fix software flow control transfer
Robert Hancock <robert.hancock(a)calian.com>
serial: 8250: of: Fix mapped region size when using reg-offset property
Pablo Neira Ayuso <pablo(a)netfilter.org>
netfilter: nft_payload: do not update layer 4 checksum when mangling fragments
D Scott Phillips <scott(a)os.amperecomputing.com>
arm64: errata: Fix exec handling in erratum 1418040 workaround
Lucas Stach <l.stach(a)pengutronix.de>
drm/etnaviv: relax submit size limits
Amir Goldstein <amir73il(a)gmail.com>
fsnotify: fix fsnotify hooks in pseudo filesystems
Tom Zanussi <zanussi(a)kernel.org>
tracing: Don't inc err_log entry count if entry allocation fails
Xiaoke Wang <xkernel.wang(a)foxmail.com>
tracing/histogram: Fix a potential memory leak for kstrdup()
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
PM: wakeup: simplify the output logic of pm_show_wakelocks()
Jan Kara <jack(a)suse.cz>
udf: Fix NULL ptr deref when converting from inline format
Jan Kara <jack(a)suse.cz>
udf: Restore i_lenAlloc when inode expansion fails
Steffen Maier <maier(a)linux.ibm.com>
scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices
Vasily Gorbik <gor(a)linux.ibm.com>
s390/hypfs: include z/VM guests with access control group set
Brian Gix <brian.gix(a)intel.com>
Bluetooth: refactor malicious adv data check
-------------
Diffstat:
.../devicetree/bindings/net/can/tcan4x5x.txt | 2 +-
Makefile | 4 +-
arch/arm/probes/kprobes/Makefile | 3 +
arch/arm64/kernel/process.c | 39 +++----
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/lib/Makefile | 3 +
arch/s390/hypfs/hypfs_vm.c | 6 +-
block/bio.c | 3 +-
drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 4 +-
drivers/gpu/drm/msm/dsi/dsi.c | 7 +-
drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +-
drivers/gpu/drm/msm/hdmi/hdmi.c | 7 +-
drivers/gpu/drm/msm/msm_drv.c | 2 +-
drivers/hwmon/lm90.c | 7 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 +-
drivers/net/ethernet/ibm/ibmvnic.c | 112 +++++++++++++--------
drivers/net/ethernet/intel/i40e/i40e.h | 9 +-
drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 44 ++++----
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 59 +++++++++++
drivers/net/hamradio/yam.c | 4 +-
drivers/net/phy/broadcom.c | 1 +
drivers/net/phy/phy_device.c | 6 +-
drivers/net/phy/phylink.c | 5 +
drivers/rpmsg/rpmsg_char.c | 22 +---
drivers/s390/scsi/zfcp_fc.c | 13 ++-
drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 20 +---
drivers/tty/n_gsm.c | 4 +-
drivers/tty/serial/8250/8250_of.c | 11 +-
drivers/tty/serial/8250/8250_pci.c | 100 +++++++++++++++++-
drivers/tty/serial/stm32-usart.c | 2 +-
drivers/usb/common/ulpi.c | 7 +-
drivers/usb/core/hcd.c | 14 +++
drivers/usb/core/urb.c | 12 +++
drivers/usb/gadget/function/f_sourcesink.c | 1 +
drivers/usb/storage/unusual_devs.h | 10 ++
drivers/usb/typec/tcpm/tcpm.c | 3 +-
drivers/usb/typec/ucsi/ucsi_ccg.c | 2 +-
fs/btrfs/ioctl.c | 6 +-
fs/configfs/dir.c | 6 +-
fs/devpts/inode.c | 2 +-
fs/namei.c | 10 +-
fs/nfs/dir.c | 22 ++++
fs/nfsd/nfsctl.c | 5 +-
fs/udf/inode.c | 9 +-
include/linux/fsnotify.h | 48 +++++++--
include/linux/netdevice.h | 1 +
include/net/ip.h | 21 ++--
include/net/ip6_fib.h | 2 +-
include/net/route.h | 2 +-
kernel/power/wakelock.c | 11 +-
kernel/trace/trace.c | 3 +-
kernel/trace/trace_events_hist.c | 1 +
net/bluetooth/hci_event.c | 10 +-
net/core/net-procfs.c | 38 ++++++-
net/ipv4/ip_output.c | 11 +-
net/ipv4/ping.c | 3 +-
net/ipv4/raw.c | 5 +-
net/ipv6/ip6_fib.c | 23 +++--
net/ipv6/ip6_tunnel.c | 8 +-
net/ipv6/route.c | 2 +-
net/netfilter/nf_conntrack_core.c | 8 +-
net/netfilter/nft_payload.c | 3 +
net/packet/af_packet.c | 2 +
net/rxrpc/call_event.c | 8 +-
net/rxrpc/output.c | 2 +-
net/sunrpc/rpc_pipe.c | 4 +-
67 files changed, 589 insertions(+), 245 deletions(-)
In several other operating systems, it is a hard requirement that the
second argument to execve(2) be the name of a program, thus prohibiting
a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
but it is not an explicit requirement[0]:
    The argument arg0 should point to a filename string that is
    associated with the process being started by one of the exec
    functions.
To ensure that execve(2) with argc < 1 is not a useful tool for
shellcode to use, we can validate this in do_execveat_common() and
fail for this scenario, effectively blocking successful exploitation
of CVE-2021-4034 and similar bugs which depend on execve(2) working
with argc < 1.
We use -EINVAL for this case, mirroring recent changes to FreeBSD and
OpenBSD. -EINVAL is also used by QNX for this, while Solaris uses
-EFAULT.
In earlier versions of the patch, it was proposed that we create a
fake argv for applications to use when argc < 1, but it was concluded
that it would be better to just fail the execve(2) in these cases, as
launching a process with an empty or NULL argv[0] was likely to just
cause more problems.
Interestingly, Michael Kerrisk opened an issue about this in 2008[1],
but there was no consensus to support fixing this issue then.
Hopefully now that CVE-2021-4034 shows practical exploitative use[2]
of this bug in a shellcode, we can reconsider.
This issue is being tracked in the KSPP issue tracker[3].
There are a few[4][5] minor edge cases (primarily in test suites) that
are caught by this, but we plan to work with the projects to fix those
edge cases.
[0]: https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
[1]: https://bugzilla.kernel.org/show_bug.cgi?id=8408
[2]: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[3]: https://github.com/KSPP/linux/issues/176
[4]: https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+…
[5]: https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%…
Changes from v2:
- Switch to using -EINVAL as the error code for this.
- Use pr_warn_once() to warn when an execve(2) is rejected due to NULL
argv.
Changes from v1:
- Rework commit message significantly.
- Make the argv[0] check explicit rather than hijacking the error-check
for count().
Reported-by: Michael Kerrisk <mtk.manpages(a)gmail.com>
To: Andrew Morton <akpm(a)linux-foundation.org>
Cc: Matthew Wilcox <willy(a)infradead.org>
Cc: Christian Brauner <brauner(a)kernel.org>
Cc: Rich Felker <dalias(a)libc.org>
Cc: Eric Biederman <ebiederm(a)xmission.com>
Cc: Alexander Viro <viro(a)zeniv.linux.org.uk>
Cc: Kees Cook <keescook(a)chromium.org>
Cc: linux-fsdevel(a)vger.kernel.org
Cc: linux-mm(a)kvack.org
Cc: stable(a)vger.kernel.org
Signed-off-by: Ariadne Conill <ariadne(a)dereferenced.org>
---
fs/exec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index 79f2c9483302..982730cfe3b8 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1897,6 +1897,10 @@ static int do_execveat_common(int fd, struct filename *filename,
}
retval = count(argv, MAX_ARG_STRINGS);
+ if (retval == 0) {
+ pr_warn_once("Attempted to run process '%s' with NULL argv\n", bprm->filename);
+ retval = -EINVAL;
+ }
if (retval < 0)
goto out_free;
bprm->argc = retval;
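Review bot: The pr_warn_once() text says "NULL argv", but the "retval == 0" test on the result of count(argv, MAX_ARG_STRINGS) also catches a non-NULL argv whose first entry is NULL, so "empty argv" would describe both cases. Because the message is printed only once, later rejected attempts leave no trace in the log; if the rejection is meant to be visible to monitoring, pr_warn_ratelimited() would serve better. The pr_warn_once() line also runs well past 80 columns and could be wrapped after the format string.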
--
2.34.1
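
A probe for the behaviour the fs/exec.c patch above proposes, as an added example that is not part of the original message or of the kernel tree: it forks a child that calls execve(2) with an empty argv on a harmless binary and reports whether the kernel refused the call. The function name probe_empty_argv and the /bin/true target are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example. Returns 0 if execve() with an empty argv went ahead, the
 * errno from execve() if it was refused, or -1 if the probe itself failed.
 */
int probe_empty_argv(const char *path)
{
	char *const empty[] = { NULL };	/* used as argv (argc == 0) and envp */
	int pfd[2], err = 0;
	ssize_t n;
	pid_t pid;

	/* Close-on-exec pipe: EOF in the parent means the exec succeeded. */
	if (pipe(pfd) < 0)
		return -1;
	fcntl(pfd[1], F_SETFD, FD_CLOEXEC);
	pid = fork();
	if (pid < 0) {
		close(pfd[0]);
		close(pfd[1]);
		return -1;
	}
	if (pid == 0) {
		close(pfd[0]);
		execve(path, empty, empty);
		err = errno;		/* reached only if execve() failed */
		_exit(write(pfd[1], &err, sizeof(err)) < 0 ? 126 : 127);
	}
	close(pfd[1]);
	n = read(pfd[0], &err, sizeof(err));
	close(pfd[0]);
	waitpid(pid, NULL, 0);
	if (n == 0)
		return 0;
	return n == (ssize_t)sizeof(err) ? err : -1;
}

int main(void)
{
	int r = probe_empty_argv("/bin/true");	/* assumed harmless target */
	printf("empty-argv execve result: %d (0 = allowed, EINVAL = %d)\n", r, EINVAL);
	return 0;
}
```

A result of 0 only says the exec was not refused; it does not show what argv the new program received.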