Drop alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch

It has a fix that was not pulled by Linus yet, so we will requeue this
patch and the fix once it does.

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch b/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch
deleted file mode 100644 (file)
index 6f56ad7..0000000
--- a/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Mon, 24 Jun 2019 15:08:28 +0200
-Subject: ALSA: usb-audio: Sanity checks for each pipe and EP types
-
-From: Takashi Iwai <tiwai@suse.de>
-
-commit 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 upstream.
-
-The recent USB core code performs sanity checks for the given pipe and
-EP types, and it can be hit by manipulated USB descriptors by syzbot.
-For making syzbot happier, this patch introduces a local helper for a
-sanity check in the driver side and calls it at each place before the
-message handling, so that we can avoid the WARNING splats.
-
-Reported-by: syzbot+d952e5e28f5fb7718d23@syzkaller.appspotmail.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/usb/helper.c |   17 +++++++++++++++++
- sound/usb/helper.h |    1 +
- sound/usb/quirks.c |   18 +++++++++++++++---
- 3 files changed, 33 insertions(+), 3 deletions(-)
-
---- a/sound/usb/helper.c
-+++ b/sound/usb/helper.c
-@@ -63,6 +63,20 @@ void *snd_usb_find_csint_desc(void *buff
-       return NULL;
- }
- 
-+/* check the validity of pipe and EP types */
-+int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
-+{
-+      static const int pipetypes[4] = {
-+              PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
-+      };
-+      struct usb_host_endpoint *ep;
-+
-+      ep = usb_pipe_endpoint(dev, pipe);
-+      if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
-+              return -EINVAL;
-+      return 0;
-+}
-+
- /*
-  * Wrapper for usb_control_msg().
-  * Allocates a temp buffer to prevent dmaing from/to the stack.
-@@ -75,6 +89,9 @@ int snd_usb_ctl_msg(struct usb_device *d
-       void *buf = NULL;
-       int timeout;
- 
-+      if (snd_usb_pipe_sanity_check(dev, pipe))
-+              return -EINVAL;
-+
-       if (size > 0) {
-               buf = kmemdup(data, size, GFP_KERNEL);
-               if (!buf)
---- a/sound/usb/helper.h
-+++ b/sound/usb/helper.h
-@@ -7,6 +7,7 @@ unsigned int snd_usb_combine_bytes(unsig
- void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype);
- void *snd_usb_find_csint_desc(void *descstart, int desclen, void *after, u8 dsubtype);
- 
-+int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe);
- int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe,
-                   __u8 request, __u8 requesttype, __u16 value, __u16 index,
-                   void *data, __u16 size);
---- a/sound/usb/quirks.c
-+++ b/sound/usb/quirks.c
-@@ -828,11 +828,13 @@ static int snd_usb_novation_boot_quirk(s
- static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
- {
-       int err, actual_length;
--
-       /* "midi send" enable */
-       static const u8 seq[] = { 0x4e, 0x73, 0x52, 0x01 };
-+      void *buf;
- 
--      void *buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
-+      if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x05)))
-+              return -EINVAL;
-+      buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
-       if (!buf)
-               return -ENOMEM;
-       err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x05), buf,
-@@ -857,7 +859,11 @@ static int snd_usb_accessmusic_boot_quir
- 
- static int snd_usb_nativeinstruments_boot_quirk(struct usb_device *dev)
- {
--      int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
-+      int ret;
-+
-+      if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
-+              return -EINVAL;
-+      ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
-                                 0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-                                 1, 0, NULL, 0, 1000);
- 
-@@ -964,6 +970,8 @@ static int snd_usb_axefx3_boot_quirk(str
- 
-       dev_dbg(&dev->dev, "Waiting for Axe-Fx III to boot up...\n");
- 
-+      if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
-+              return -EINVAL;
-       /* If the Axe-Fx III has not fully booted, it will timeout when trying
-        * to enable the audio streaming interface. A more generous timeout is
-        * used here to detect when the Axe-Fx III has finished booting as the
-@@ -996,6 +1004,8 @@ static int snd_usb_motu_microbookii_comm
- {
-       int err, actual_length;
- 
-+      if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x01)))
-+              return -EINVAL;
-       err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x01), buf, *length,
-                               &actual_length, 1000);
-       if (err < 0)
-@@ -1006,6 +1016,8 @@ static int snd_usb_motu_microbookii_comm
- 
-       memset(buf, 0, buf_size);
- 
-+      if (snd_usb_pipe_sanity_check(dev, usb_rcvintpipe(dev, 0x82)))
-+              return -EINVAL;
-       err = usb_interrupt_msg(dev, usb_rcvintpipe(dev, 0x82), buf, buf_size,
-                               &actual_length, 1000);
-       if (err < 0)

diff --git a/queue-5.2/series b/queue-5.2/series
index fbb8279c22542df0cd8a2d0dbcf710308127c8ef..07a055f0d674525f0f5b201baada374404f0c4f0 100644 (file)
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -1,6 +1,5 @@
 vsock-correct-removal-of-socket-from-the-list.patch
 isdn-hfcsusb-checking-idx-of-ep-configuration.patch
-alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch
 bpf-fix-null-deref-in-btf_type_is_resolve_source_only.patch
 media-au0828-fix-null-dereference-in-error-path.patch
 ath10k-change-the-warning-message-string.patch