CVE-2021-46926
Libin Yang (1): ALSA: hda: intel-sdw-acpi: harden detection of controller
Pierre-Louis Bossart (1): soundwire: intel: filter SoundWire controller device search
drivers/soundwire/intel_init.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-)
From: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com
mainline inclusion from mainline-v5.3-rc1 commit 6f11586f4896ee448262747788a0a3faf0fe9066 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I947TK CVE: CVE-2021-46926
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The convention is that the SoundWire controller device is a child of the HDAudio controller. However there can be more than one child exposed in the DSDT table, and the current namespace walk returns the last (incorrect) device.
Intel documentation states that bits 28..31 of the _ADR field represent the link type, with SoundWire assigned the value 4.
Add a filter and terminate early when a valid _ADR is provided, otherwise keep iterating to find the next child.
Signed-off-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: Liu Mingrui liumingrui@huawei.com --- drivers/soundwire/intel_init.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/soundwire/intel_init.c b/drivers/soundwire/intel_init.c index 5c8a20d99878..203192840e0b 100644 --- a/drivers/soundwire/intel_init.c +++ b/drivers/soundwire/intel_init.c @@ -12,6 +12,7 @@ #include <linux/soundwire/sdw_intel.h> #include "intel.h"
+#define SDW_LINK_TYPE 4 /* from Intel ACPI documentation */ #define SDW_MAX_LINKS 4 #define SDW_SHIM_LCAP 0x0 #define SDW_SHIM_BASE 0x2C000 @@ -149,6 +150,12 @@ static acpi_status sdw_intel_acpi_cb(acpi_handle handle, u32 level, { struct sdw_intel_res *res = cdata; struct acpi_device *adev; + acpi_status status; + u64 adr; + + status = acpi_evaluate_integer(handle, METHOD_NAME__ADR, NULL, &adr); + if (ACPI_FAILURE(status)) + return AE_OK; /* keep going */
if (acpi_bus_get_device(handle, &adev)) { pr_err("%s: Couldn't find ACPI handle\n", __func__); @@ -156,7 +163,19 @@ static acpi_status sdw_intel_acpi_cb(acpi_handle handle, u32 level, }
res->handle = handle; - return AE_OK; + + /* + * On some Intel platforms, multiple children of the HDAS + * device can be found, but only one of them is the SoundWire + * controller. The SNDW device is always exposed with + * Name(_ADR, 0x40000000), with bits 31..28 representing the + * SoundWire link so filter accordingly + */ + if ((adr & GENMASK(31, 28)) >> 28 != SDW_LINK_TYPE) + return AE_OK; /* keep going */ + + /* device found, stop namespace walk */ + return AE_CTRL_TERMINATE; }
/**
From: Libin Yang libin.yang@intel.com
mainline inclusion from mainline-v5.16-rc7 commit 385f287f9853da402d94278e59f594501c1d1dad category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I947TK CVE: CVE-2021-46926
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already.
This patch changes the logic so that the information provided to the caller is set when a controller is found.
Reviewed-by: Péter Ujfalusi peter.ujfalusi@linux.intel.com Signed-off-by: Libin Yang libin.yang@intel.com Signed-off-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com Signed-off-by: Bard Liao yung-chuan.liao@linux.intel.com Link: https://lore.kernel.org/r/20211221010817.23636-2-yung-chuan.liao@linux.intel... Signed-off-by: Takashi Iwai tiwai@suse.de Conflicts: sound/hda/intel-sdw-acpi.c Signed-off-by: Liu Mingrui liumingrui@huawei.com --- drivers/soundwire/intel_init.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/soundwire/intel_init.c b/drivers/soundwire/intel_init.c index 203192840e0b..6bd689d6a138 100644 --- a/drivers/soundwire/intel_init.c +++ b/drivers/soundwire/intel_init.c @@ -162,8 +162,6 @@ static acpi_status sdw_intel_acpi_cb(acpi_handle handle, u32 level, return AE_NOT_FOUND; }
- res->handle = handle; - /* * On some Intel platforms, multiple children of the HDAS * device can be found, but only one of them is the SoundWire @@ -174,6 +172,9 @@ static acpi_status sdw_intel_acpi_cb(acpi_handle handle, u32 level, if ((adr & GENMASK(31, 28)) >> 28 != SDW_LINK_TYPE) return AE_OK; /* keep going */
+ /* found the correct SoundWire controller */ + res->handle = handle; + /* device found, stop namespace walk */ return AE_CTRL_TERMINATE; }
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/5133 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/5133 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...