--- /dev/null
+From c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 18 Jan 2016 14:12:40 +0100
+Subject: ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.
+
+When a TLV ioctl with numid zero is handled, the driver may spew a
+kernel warning with a stack trace at each call. The check was
+intended obviously only for a kernel driver, but not for a user
+interaction. Let's fix it.
+
+This was spotted by syzkaller fuzzer.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/control.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_
+ return -EFAULT;
+ if (tlv.length < sizeof(unsigned int) * 2)
+ return -EINVAL;
++ if (!tlv.numid)
++ return -EINVAL;
+ down_read(&card->controls_rwsem);
+ kctl = snd_ctl_find_numid(card, tlv.numid);
+ if (kctl == NULL) {
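Review bot: The new `if (!tlv.numid)` test in snd_ctl_tlv_ioctl has no comment saying why zero is rejected before the lookup, and the reason is not obvious from the code alone. Per the commit message, the warning comes from a sanity check meant for in-kernel callers, so the point of the early return is that user-supplied input must never reach it. A one-line comment above the test would preserve that, e.g. `/* numid 0 is never valid; reject it here so user input cannot trip the kernel-side sanity check in the lookup */`. The function body continues outside the hunk.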
--- /dev/null
+From db8948e653e12b218058bb6696f4a33fa7845f64 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 18 Jan 2016 09:17:30 +0100
+Subject: ALSA: hda - Fix bass pin fixup for ASUS N550JX
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit db8948e653e12b218058bb6696f4a33fa7845f64 upstream.
+
+ASUS N550JX (PCI SSID 1043:13df) requires the same fixup for a bass
+speaker output pin as other N550 models.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110001
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6526,6 +6526,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A),
++ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
+ SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
+ SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16),
--- /dev/null
+From 0a1f90a982e85f4921bed606a6b41a24f4de2ae1 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 13 Jan 2016 11:51:38 +0800
+Subject: ALSA: hda - fix the headset mic detection problem for a Dell laptop
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 0a1f90a982e85f4921bed606a6b41a24f4de2ae1 upstream.
+
+The machine uses codec alc255, and the pin configuration value for
+pin 0x14 on this machine is 0x90171130 which is not in the pin quirk
+table yet.
+
+BugLink: https://bugs.launchpad.net/bugs/1533461
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5496,6 +5496,10 @@ static const struct snd_hda_pin_quirk al
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC255_STANDARD_PINS,
+ {0x12, 0x90a60170},
++ {0x14, 0x90171130},
++ {0x21, 0x02211040}),
++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x12, 0x90a60170},
+ {0x14, 0x90170140},
+ {0x17, 0x40000000},
+ {0x1d, 0x40700001},
--- /dev/null
+From 98070576c4f77509459c83cd2358617ef0769a38 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 12 Jan 2016 21:06:39 +0100
+Subject: ALSA: hda - Fix white noise on Dell Latitude E5550
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 98070576c4f77509459c83cd2358617ef0769a38 upstream.
+
+Dell Latitude E5550 (1028:062c) has a white noise problem like other
+Latitude E models, and it gets fixed by the very same quirk as well.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110591
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5161,6 +5161,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x05f6, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x0615, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
+ SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
++ SND_PCI_QUIRK(0x1028, 0x062c, "Dell Latitude E5550", ALC292_FIXUP_DELL_E7X),
+ SND_PCI_QUIRK(0x1028, 0x062e, "Dell Latitude E7450", ALC292_FIXUP_DELL_E7X),
+ SND_PCI_QUIRK(0x1028, 0x0638, "Dell Inspiron 5439", ALC290_FIXUP_MONO_SPEAKERS_HSJACK),
+ SND_PCI_QUIRK(0x1028, 0x064a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
--- /dev/null
+From 991f86d7ae4e1f8c15806e62f97af519e3cdd860 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 20 Jan 2016 17:19:02 +0100
+Subject: ALSA: hda - Flush the pending probe work at remove
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 991f86d7ae4e1f8c15806e62f97af519e3cdd860 upstream.
+
+As HD-audio driver does deferred probe internally via workqueue, the
+driver might go into the mixed state doing both probe and remove when
+the module gets unloaded during the probe work. This eventually
+triggers an Oops, unsurprisingly.
+
+For avoiding this race, we just need to flush the pending probe work
+explicitly before actually starting the resource release.
+
+Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=960710
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1972,9 +1972,17 @@ out_free:
+ static void azx_remove(struct pci_dev *pci)
+ {
+ struct snd_card *card = pci_get_drvdata(pci);
++ struct azx *chip;
++ struct hda_intel *hda;
++
++ if (card) {
++ /* flush the pending probing work */
++ chip = card->private_data;
++ hda = container_of(chip, struct hda_intel, chip);
++ flush_work(&hda->probe_work);
+
+- if (card)
+ snd_card_free(card);
++ }
+ }
+
+ static void azx_shutdown(struct pci_dev *pci)
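Review bot: `flush_work(&hda->probe_work)` in azx_remove waits for the probe work to run to completion, so removal now blocks for as long as that work does. The work function is outside the hunk, so this is inferred, but it is worth confirming that it can never wait on something the remove path already holds; otherwise module unload hangs instead of oopsing. If the probe does not need to finish once removal has begun, `cancel_work_sync(&hda->probe_work);` would also drop work that has not started yet. The existing comment could also say what prevents the work from being queued again after this point.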
--- /dev/null
+From 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 18 Jan 2016 13:52:47 +0100
+Subject: ALSA: hrtimer: Fix stall by hrtimer_cancel()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream.
+
+hrtimer_cancel() waits for the completion from the callback, thus it
+must not be called inside the callback itself. This was already a
+problem in the past with ALSA hrtimer driver, and the early commit
+[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
+
+However, the previous fix is still insufficient: it may still cause a
+lockup when the ALSA timer instance reprograms itself in its callback.
+Then it invokes the start function even in snd_timer_interrupt() that
+is called in hrtimer callback itself, results in a CPU stall. This is
+no hypothetical problem but actually triggered by syzkaller fuzzer.
+
+This patch tries to fix the issue again. Now we call
+hrtimer_try_to_cancel() at both start and stop functions so that it
+won't fall into a deadlock, yet giving some chance to cancel the queue
+if the functions have been called outside the callback. The proper
+hrtimer_cancel() is called in anyway at closing, so this should be
+enough.
+
+Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/hrtimer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/core/hrtimer.c
++++ b/sound/core/hrtimer.c
+@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_
+ struct snd_hrtimer *stime = t->private_data;
+
+ atomic_set(&stime->running, 0);
+- hrtimer_cancel(&stime->hrt);
++ hrtimer_try_to_cancel(&stime->hrt);
+ hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
+ HRTIMER_MODE_REL);
+ atomic_set(&stime->running, 1);
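Review bot: The result of `hrtimer_try_to_cancel(&stime->hrt)` is discarded in snd_hrtimer_start, so when the call reports that the callback is currently executing, the code still proceeds to `hrtimer_start()` on the same timer. Whether that is safe depends on how the callback re-arms itself, which is outside the hunk; if it restarts through its return value, the timer may be programmed from two places. The same unchecked call is added to snd_hrtimer_stop in the next hunk. At minimum both sites should say why the result can be ignored, e.g. `/* cannot wait here: may be called from the hrtimer callback itself; close does the full hrtimer_cancel() */`.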
+@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_t
+ {
+ struct snd_hrtimer *stime = t->private_data;
+ atomic_set(&stime->running, 0);
++ hrtimer_try_to_cancel(&stime->hrt);
+ return 0;
+ }
+
--- /dev/null
+From 43c54b8c7cfe22f868a751ba8a59abf1724160b1 Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat <drinkcat@chromium.org>
+Date: Mon, 18 Jan 2016 21:35:00 +0800
+Subject: ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
+
+From: Nicolas Boichat <drinkcat@chromium.org>
+
+commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream.
+
+This reverts one hunk of
+commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
+replaced a number of kmalloc followed by memcpy with memdup calls.
+
+In this case, we are copying from a struct snd_pcm_hw_params32 to
+a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
+the 32-bit version, so we need to separate kmalloc and copy calls.
+
+This actually leads to an out-of-bounds memory access later on
+in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).
+
+Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
+Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -255,10 +255,15 @@ static int snd_pcm_ioctl_hw_params_compa
+ if (! (runtime = substream->runtime))
+ return -ENOTTY;
+
+- /* only fifo_size is different, so just copy all */
+- data = memdup_user(data32, sizeof(*data32));
+- if (IS_ERR(data))
+- return PTR_ERR(data);
++ data = kmalloc(sizeof(*data), GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
++
++ /* only fifo_size (RO from userspace) is different, so just copy all */
++ if (copy_from_user(data, data32, sizeof(*data32))) {
++ err = -EFAULT;
++ goto error;
++ }
+
+ if (refine)
+ err = snd_pcm_hw_refine(substream, data);
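Review bot: `kmalloc(sizeof(*data), GFP_KERNEL)` leaves the bytes beyond `sizeof(*data32)` uninitialized, because `copy_from_user()` fills only the 32-bit struct's size and the commit message says the native struct is 4 bytes longer. Which field ends up holding stale heap contents depends on the two layouts, which the hunk does not show. Using `data = kzalloc(sizeof(*data), GFP_KERNEL);` makes the tail deterministic before it is handed to snd_pcm_hw_refine and the later code. The snd_seq_call_port_info_ioctl hunk in sound/core/seq/seq_compat.c has the same kmalloc-plus-partial-copy pattern. The `error` label is outside the hunk and is assumed to free `data`.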
--- /dev/null
+From 030e2c78d3a91dd0d27fef37e91950dde333eba1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 12 Jan 2016 12:38:02 +0100
+Subject: ALSA: seq: Fix missing NULL check at remove_events ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream.
+
+snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
+unconditionally even if there is no FIFO assigned, and this leads to
+an Oops due to NULL dereference. The fix is just to add a proper NULL
+check.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(s
+ * No restrictions so for a user client we can clear
+ * the whole fifo
+ */
+- if (client->type == USER_CLIENT)
++ if (client->type == USER_CLIENT && client->data.user.fifo)
+ snd_seq_fifo_clear(client->data.user.fifo);
+ }
+
--- /dev/null
+From 3567eb6af614dac436c4b16a8d426f9faed639b3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 12 Jan 2016 15:36:27 +0100
+Subject: ALSA: seq: Fix race at timer setup and close
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.
+
+ALSA sequencer code has an open race between the timer setup ioctl and
+the close of the client. This was triggered by syzkaller fuzzer, and
+a use-after-free was caught there as a result.
+
+This patch papers over it by adding a proper queue->timer_mutex lock
+around the timer-related calls in the relevant code path.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_queue.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(i
+ static void queue_delete(struct snd_seq_queue *q)
+ {
+ /* stop and release the timer */
++ mutex_lock(&q->timer_mutex);
+ snd_seq_timer_stop(q->timer);
+ snd_seq_timer_close(q);
++ mutex_unlock(&q->timer_mutex);
+ /* wait until access free */
+ snd_use_lock_sync(&q->use_lock);
+ /* release resources... */
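Review bot: The comment above the new lock in queue_delete still reads only "stop and release the timer", so nothing records what `q->timer_mutex` protects or against whom. The commit message describes this as papering over a race with the timer setup ioctl, which means every other path that reaches `snd_seq_timer_close(q)` or replaces `q->timer` has to take the same mutex; those callers are outside the hunk. Suggest extending the comment to `/* stop and release the timer; timer_mutex serializes this against a concurrent timer setup ioctl */`.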
--- /dev/null
+From 9586495dc3011a80602329094e746dbce16cb1f1 Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat <drinkcat@chromium.org>
+Date: Mon, 18 Jan 2016 21:35:01 +0800
+Subject: ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
+
+From: Nicolas Boichat <drinkcat@chromium.org>
+
+commit 9586495dc3011a80602329094e746dbce16cb1f1 upstream.
+
+This reverts one hunk of
+commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
+replaced a number of kmalloc followed by memcpy with memdup calls.
+
+In this case, we are copying from a struct snd_seq_port_info32 to a
+struct snd_seq_port_info, but the latter is 4 bytes longer than the
+32-bit version, so we need to separate kmalloc and copy calls.
+
+Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
+Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_compat.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_compat.c
++++ b/sound/core/seq/seq_compat.c
+@@ -49,11 +49,12 @@ static int snd_seq_call_port_info_ioctl(
+ struct snd_seq_port_info *data;
+ mm_segment_t fs;
+
+- data = memdup_user(data32, sizeof(*data32));
+- if (IS_ERR(data))
+- return PTR_ERR(data);
++ data = kmalloc(sizeof(*data), GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+- if (get_user(data->flags, &data32->flags) ||
++ if (copy_from_user(data, data32, sizeof(*data32)) ||
++ get_user(data->flags, &data32->flags) ||
+ get_user(data->time_queue, &data32->time_queue))
+ goto error;
+ data->kernel = NULL;
--- /dev/null
+From ee8413b01045c74340aa13ad5bdf905de32be736 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 13 Jan 2016 21:35:06 +0100
+Subject: ALSA: timer: Fix double unlink of active_list
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream.
+
+ALSA timer instance object has a couple of linked lists and they are
+unlinked unconditionally at snd_timer_stop(). Meanwhile
+snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
+the element list itself unchanged. This ends up with unlinking twice,
+and it was caught by syzkaller fuzzer.
+
+The fix is to use list_del_init() variant properly there, too.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -704,7 +704,7 @@ void snd_timer_interrupt(struct snd_time
+ } else {
+ ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ if (--timer->running)
+- list_del(&ti->active_list);
++ list_del_init(&ti->active_list);
+ }
+ if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
+ (ti->flags & SNDRV_TIMER_IFLG_FAST))
--- /dev/null
+From af368027a49a751d6ff4ee9e3f9961f35bb4fede Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 13 Jan 2016 17:48:01 +0100
+Subject: ALSA: timer: Fix race among timer ioctls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream.
+
+ALSA timer ioctls have an open race and this may lead to a
+use-after-free of timer instance object. A simplistic fix is to make
+each ioctl exclusive. We have already tread_sem for controlling the
+tread, and extend this as a global mutex to be applied to each ioctl.
+
+The downside is, of course, the worse concurrency. But these ioctls
+aren't to be parallel accessible, in anyway, so it should be fine to
+serialize there.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -73,7 +73,7 @@ struct snd_timer_user {
+ struct timespec tstamp; /* trigger tstamp */
+ wait_queue_head_t qchange_sleep;
+ struct fasync_struct *fasync;
+- struct mutex tread_sem;
++ struct mutex ioctl_lock;
+ };
+
+ /* list of timers */
+@@ -1263,7 +1263,7 @@ static int snd_timer_user_open(struct in
+ return -ENOMEM;
+ spin_lock_init(&tu->qlock);
+ init_waitqueue_head(&tu->qchange_sleep);
+- mutex_init(&tu->tread_sem);
++ mutex_init(&tu->ioctl_lock);
+ tu->ticks = 1;
+ tu->queue_size = 128;
+ tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
+@@ -1283,8 +1283,10 @@ static int snd_timer_user_release(struct
+ if (file->private_data) {
+ tu = file->private_data;
+ file->private_data = NULL;
++ mutex_lock(&tu->ioctl_lock);
+ if (tu->timeri)
+ snd_timer_close(tu->timeri);
++ mutex_unlock(&tu->ioctl_lock);
+ kfree(tu->queue);
+ kfree(tu->tqueue);
+ kfree(tu);
+@@ -1522,7 +1524,6 @@ static int snd_timer_user_tselect(struct
+ int err = 0;
+
+ tu = file->private_data;
+- mutex_lock(&tu->tread_sem);
+ if (tu->timeri) {
+ snd_timer_close(tu->timeri);
+ tu->timeri = NULL;
+@@ -1566,7 +1567,6 @@ static int snd_timer_user_tselect(struct
+ }
+
+ __err:
+- mutex_unlock(&tu->tread_sem);
+ return err;
+ }
+
+@@ -1779,7 +1779,7 @@ enum {
+ SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
+ };
+
+-static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
++static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg)
+ {
+ struct snd_timer_user *tu;
+@@ -1796,17 +1796,11 @@ static long snd_timer_user_ioctl(struct
+ {
+ int xarg;
+
+- mutex_lock(&tu->tread_sem);
+- if (tu->timeri) { /* too late */
+- mutex_unlock(&tu->tread_sem);
++ if (tu->timeri) /* too late */
+ return -EBUSY;
+- }
+- if (get_user(xarg, p)) {
+- mutex_unlock(&tu->tread_sem);
++ if (get_user(xarg, p))
+ return -EFAULT;
+- }
+ tu->tread = xarg ? 1 : 0;
+- mutex_unlock(&tu->tread_sem);
+ return 0;
+ }
+ case SNDRV_TIMER_IOCTL_GINFO:
+@@ -1839,6 +1833,18 @@ static long snd_timer_user_ioctl(struct
+ return -ENOTTY;
+ }
+
++static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct snd_timer_user *tu = file->private_data;
++ long ret;
++
++ mutex_lock(&tu->ioctl_lock);
++ ret = __snd_timer_user_ioctl(file, cmd, arg);
++ mutex_unlock(&tu->ioctl_lock);
++ return ret;
++}
++
+ static int snd_timer_user_fasync(int fd, struct file * file, int on)
+ {
+ struct snd_timer_user *tu;
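Review bot: `ioctl_lock` is taken only in the new `snd_timer_user_ioctl()` wrapper and in the snd_timer_user_release hunk, so any other file operation that touches the same `tu` fields still runs unserialized against the ioctls. The read and poll handlers are not part of this diff, so that is inferred; if read consumes `tu->queue` or depends on `tu->tread` while an ioctl changes them, it needs the same mutex. Separately, `__snd_timer_user_ioctl()` should carry a comment such as `/* caller must hold tu->ioctl_lock */`, since the tselect and TREAD hunks drop their own locking and now rely on the wrapper.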
--- /dev/null
+From 230323dac060123c340cf75997971145a42661ee Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 21 Jan 2016 17:19:31 +0100
+Subject: ALSA: timer: Handle disconnection more safely
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 230323dac060123c340cf75997971145a42661ee upstream.
+
+Currently ALSA timer device doesn't take the disconnection into
+account very well; it merely unlinks the timer device at disconnection
+callback but does nothing else. Because of this, when an application
+accessing the timer device is disconnected, it may release the
+resource before actually closed. In most cases, it results in a
+warning message indicating a leftover timer instance like:
+ ALSA: timer xxxx is busy?
+But basically this is an open race.
+
+This patch tries to address it. The strategy is like other ALSA
+devices: namely,
+- Manage card's refcount at each open/close
+- Wake up the pending tasks at disconnection
+- Check the shutdown flag appropriately at each possible call
+
+Note that this patch has one ugly hack to handle the wakeup of pending
+tasks. It'd be cleaner to introduce a new disconnect op to
+snd_timer_instance ops. But since it would lead to internal ABI
+breakage and it eventually increase my own work when backporting to
+stable kernels, I took a different path to implement locally in
+timer.c. A cleanup patch will follow at next for 4.5 kernel.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -65,6 +65,7 @@ struct snd_timer_user {
+ int qtail;
+ int qused;
+ int queue_size;
++ bool disconnected;
+ struct snd_timer_read *queue;
+ struct snd_timer_tread *tqueue;
+ spinlock_t qlock;
+@@ -290,6 +291,9 @@ int snd_timer_open(struct snd_timer_inst
+ mutex_unlock(®ister_mutex);
+ return -ENOMEM;
+ }
++ /* take a card refcount for safe disconnection */
++ if (timer->card)
++ get_device(&timer->card->card_dev);
+ timeri->slave_class = tid->dev_sclass;
+ timeri->slave_id = slave_id;
+ if (list_empty(&timer->open_list_head) && timer->hw.open)
+@@ -360,6 +364,9 @@ int snd_timer_close(struct snd_timer_ins
+ }
+ spin_unlock(&timer->lock);
+ spin_unlock_irq(&slave_active_lock);
++ /* release a card refcount for safe disconnection */
++ if (timer->card)
++ put_device(&timer->card->card_dev);
+ mutex_unlock(®ister_mutex);
+ }
+ out:
+@@ -475,6 +482,8 @@ int snd_timer_start(struct snd_timer_ins
+ timer = timeri->timer;
+ if (timer == NULL)
+ return -EINVAL;
++ if (timer->card && timer->card->shutdown)
++ return -ENODEV;
+ spin_lock_irqsave(&timer->lock, flags);
+ timeri->ticks = timeri->cticks = ticks;
+ timeri->pticks = 0;
+@@ -509,6 +518,10 @@ static int _snd_timer_stop(struct snd_ti
+ spin_lock_irqsave(&timer->lock, flags);
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
++ if (timer->card && timer->card->shutdown) {
++ spin_unlock_irqrestore(&timer->lock, flags);
++ return 0;
++ }
+ if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
+ !(--timer->running)) {
+ timer->hw.stop(timer);
+@@ -571,6 +584,8 @@ int snd_timer_continue(struct snd_timer_
+ timer = timeri->timer;
+ if (! timer)
+ return -EINVAL;
++ if (timer->card && timer->card->shutdown)
++ return -ENODEV;
+ spin_lock_irqsave(&timer->lock, flags);
+ if (!timeri->cticks)
+ timeri->cticks = 1;
+@@ -634,6 +649,9 @@ static void snd_timer_tasklet(unsigned l
+ unsigned long resolution, ticks;
+ unsigned long flags;
+
++ if (timer->card && timer->card->shutdown)
++ return;
++
+ spin_lock_irqsave(&timer->lock, flags);
+ /* now process all callbacks */
+ while (!list_empty(&timer->sack_list_head)) {
+@@ -674,6 +692,9 @@ void snd_timer_interrupt(struct snd_time
+ if (timer == NULL)
+ return;
+
++ if (timer->card && timer->card->shutdown)
++ return;
++
+ spin_lock_irqsave(&timer->lock, flags);
+
+ /* remember the current resolution */
+@@ -884,11 +905,28 @@ static int snd_timer_dev_register(struct
+ return 0;
+ }
+
++/* just for reference in snd_timer_dev_disconnect() below */
++static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
++ int event, struct timespec *tstamp,
++ unsigned long resolution);
++
+ static int snd_timer_dev_disconnect(struct snd_device *device)
+ {
+ struct snd_timer *timer = device->device_data;
++ struct snd_timer_instance *ti;
++
+ mutex_lock(®ister_mutex);
+ list_del_init(&timer->device_list);
++ /* wake up pending sleepers */
++ list_for_each_entry(ti, &timer->open_list_head, open_list) {
++ /* FIXME: better to have a ti.disconnect() op */
++ if (ti->ccallback == snd_timer_user_ccallback) {
++ struct snd_timer_user *tu = ti->callback_data;
++
++ tu->disconnected = true;
++ wake_up(&tu->qchange_sleep);
++ }
++ }
+ mutex_unlock(®ister_mutex);
+ return 0;
+ }
+@@ -899,6 +937,8 @@ void snd_timer_notify(struct snd_timer *
+ unsigned long resolution = 0;
+ struct snd_timer_instance *ti, *ts;
+
++ if (timer->card && timer->card->shutdown)
++ return;
+ if (! (timer->hw.flags & SNDRV_TIMER_HW_SLAVE))
+ return;
+ if (snd_BUG_ON(event < SNDRV_TIMER_EVENT_MSTART ||
+@@ -1057,6 +1097,8 @@ static void snd_timer_proc_read(struct s
+
+ mutex_lock(®ister_mutex);
+ list_for_each_entry(timer, &snd_timer_list, device_list) {
++ if (timer->card && timer->card->shutdown)
++ continue;
+ switch (timer->tmr_class) {
+ case SNDRV_TIMER_CLASS_GLOBAL:
+ snd_iprintf(buffer, "G%i: ", timer->tmr_device);
+@@ -1882,6 +1924,10 @@ static ssize_t snd_timer_user_read(struc
+
+ remove_wait_queue(&tu->qchange_sleep, &wait);
+
++ if (tu->disconnected) {
++ err = -ENODEV;
++ break;
++ }
+ if (signal_pending(current)) {
+ err = -ERESTARTSYS;
+ break;
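Review bot: In snd_timer_user_read the `tu->disconnected` test sits after `remove_wait_queue()`, i.e. after the task has already slept, and the single `wake_up()` is issued once in snd_timer_dev_disconnect. As far as the hunk shows, a read that starts after the disconnect with an empty queue would go to sleep with nobody left to wake it and return only on a signal. The start of the wait loop is outside the hunk, so this needs confirming; if so, also test the flag before sleeping, e.g. `if (tu->disconnected) { err = -ENODEV; break; }` ahead of the `add_wait_queue()` call.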
+@@ -1931,6 +1977,8 @@ static unsigned int snd_timer_user_poll(
+ mask = 0;
+ if (tu->qused)
+ mask |= POLLIN | POLLRDNORM;
++ if (tu->disconnected)
++ mask |= POLLERR;
+
+ return mask;
+ }
--- /dev/null
+From b5a663aa426f4884c71cd8580adae73f33570f0d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 14 Jan 2016 16:30:58 +0100
+Subject: ALSA: timer: Harden slave timer list handling
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.
+
+A slave timer instance might be still accessible in a racy way while
+operating the master instance as it lacks of locking. Since the
+master operation is mostly protected with timer->lock, we should cope
+with it while changing the slave instance, too. Also, some linked
+lists (active_list and ack_list) of slave instances aren't unlinked
+immediately at stopping or closing, and this may lead to unexpected
+accesses.
+
+This patch tries to address these issues. It adds spin lock of
+timer->lock (either from master or slave, which is equivalent) in a
+few places. For avoiding a deadlock, we ensure that the global
+slave_active_lock is always locked at first before each timer lock.
+
+Also, ack and active_list of slave instances are properly unlinked at
+snd_timer_stop() and snd_timer_close().
+
+Last but not least, remove the superfluous call of _snd_timer_stop()
+at removing slave links. This is a noop, and calling it may confuse
+readers wrt locking. Further cleanup will follow in a later patch.
+
+Actually we've got reports of use-after-free by syzkaller fuzzer, and
+this hopefully fixes these issues.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -215,11 +215,13 @@ static void snd_timer_check_master(struc
+ slave->slave_id == master->slave_id) {
+ list_move_tail(&slave->open_list, &master->slave_list_head);
+ spin_lock_irq(&slave_active_lock);
++ spin_lock(&master->timer->lock);
+ slave->master = master;
+ slave->timer = master->timer;
+ if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
+ list_add_tail(&slave->active_list,
+ &master->slave_active_head);
++ spin_unlock(&master->timer->lock);
+ spin_unlock_irq(&slave_active_lock);
+ }
+ }
+@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_ins
+ timer->hw.close)
+ timer->hw.close(timer);
+ /* remove slave links */
++ spin_lock_irq(&slave_active_lock);
++ spin_lock(&timer->lock);
+ list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
+ open_list) {
+- spin_lock_irq(&slave_active_lock);
+- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
+ list_move_tail(&slave->open_list, &snd_timer_slave_list);
+ slave->master = NULL;
+ slave->timer = NULL;
+- spin_unlock_irq(&slave_active_lock);
++ list_del_init(&slave->ack_list);
++ list_del_init(&slave->active_list);
+ }
++ spin_unlock(&timer->lock);
++ spin_unlock_irq(&slave_active_lock);
+ mutex_unlock(®ister_mutex);
+ }
+ out:
+@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct
+
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
+- if (timeri->master)
++ if (timeri->master && timeri->timer) {
++ spin_lock(&timeri->timer->lock);
+ list_add_tail(&timeri->active_list,
+ &timeri->master->slave_active_head);
++ spin_unlock(&timeri->timer->lock);
++ }
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ return 1; /* delayed start */
+ }
+@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_ti
+ if (!keep_flag) {
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
++ list_del_init(&timeri->ack_list);
++ list_del_init(&timeri->active_list);
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ }
+ goto __end;
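Review bot: The two `list_del_init()` calls added to the slave branch of _snd_timer_stop run under `slave_active_lock` only, while the snd_timer_start_slave and snd_timer_close hunks of the same patch nest `timer->lock` inside it when touching `active_list` and `ack_list`. The commit message says master operations are protected by `timer->lock`, so an unlink here could still race with the interrupt path walking those lists; that path is outside the hunk, so this is inferred. Taking the timer lock when `timeri->timer` is set would make the stop path match the start path. The enclosing function begins and ends outside the hunk.

```c
	/* ... unchanged: if (!keep_flag) { spin_lock_irqsave(&slave_active_lock, flags); ... */
	timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
	if (timeri->timer) {
		/* same nesting as snd_timer_start_slave(): slave_active_lock, then timer->lock */
		spin_lock(&timeri->timer->lock);
		list_del_init(&timeri->ack_list);
		list_del_init(&timeri->active_list);
		spin_unlock(&timeri->timer->lock);
	}
	/* ... unchanged: spin_unlock_irqrestore(&slave_active_lock, flags); ... */
```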
--- /dev/null
+From a4eae3a506ea4a7d4474cd74e20b423fa8053d91 Mon Sep 17 00:00:00 2001
+From: Jurgen Kramer <gtmkramer@xs4all.nl>
+Date: Mon, 11 Jan 2016 08:16:58 +0100
+Subject: ALSA: usb: Add native DSD support for Oppo HA-1
+
+From: Jurgen Kramer <gtmkramer@xs4all.nl>
+
+commit a4eae3a506ea4a7d4474cd74e20b423fa8053d91 upstream.
+
+This patch adds native DSD support for the Oppo HA-1. It uses a XMOS chipset
+but they use their own vendor ID.
+
+Signed-off-by: Jurgen Kramer <gtmkramer@xs4all.nl>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1266,6 +1266,7 @@ u64 snd_usb_interface_dsd_format_quirks(
+ case USB_ID(0x20b1, 0x3008): /* iFi Audio micro/nano iDSD */
+ case USB_ID(0x20b1, 0x2008): /* Matrix Audio X-Sabre */
+ case USB_ID(0x20b1, 0x300a): /* Matrix Audio Mini-i Pro */
++ case USB_ID(0x22d8, 0x0416): /* OPPO HA-1*/
+ if (fp->altsetting == 2)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ break;
--- /dev/null
+From c4a359a0049f2e17b012b31e801e96566f6391e5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 13 Jan 2016 07:20:13 +0100
+Subject: ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c4a359a0049f2e17b012b31e801e96566f6391e5 upstream.
+
+The commit [da6d276957ea: ALSA: usb-audio: Add resume support for
+Native Instruments controls] brought a regression where the Native
+Instrument audio devices don't get the correct value at update due to
+the missing shift at writing. This patch addresses it.
+
+Fixes: da6d276957ea ('ALSA: usb-audio: Add resume support for Native Instruments controls')
+Reported-and-tested-by: Owen Williams <owilliams@mixxx.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -803,7 +803,7 @@ static int snd_nativeinstruments_control
+ return 0;
+
+ kcontrol->private_value &= ~(0xff << 24);
+- kcontrol->private_value |= newval;
++ kcontrol->private_value |= (unsigned int)newval << 24;
+ err = snd_ni_update_cur_val(list);
+ return err < 0 ? err : 1;
+ }
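Review bot: The mask on the line above the fix, `~(0xff << 24)`, still shifts a signed int into the sign bit, while the corrected line casts to `unsigned int` before shifting. Writing it as `kcontrol->private_value &= ~(0xffU << 24);` keeps both lines in unsigned arithmetic and yields the same mask. The range of `newval` is established outside the hunk, so the cast assumes it fits in eight bits.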
--- /dev/null
+From 021c5d9469960b8c68aa1d1825f7bfd8d61e157d Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Thu, 5 Nov 2015 23:53:03 +0000
+Subject: ASoC: rsnd: fixup SCU_SYS_INT_EN1 address
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+commit 021c5d9469960b8c68aa1d1825f7bfd8d61e157d upstream.
+
+cfcefe0126 ("ASoC: rsnd: add recovery support for under/over flow
+error on SRC") added SCU_SYS_INT_EN1 address, but it should be
+0x1d4, not 0x1c4. This patch fixup it.
+
+Fixes: cfcefe0126 ("ASoC: rsnd: add recovery support for under/over flow error on SRC")
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sh/rcar/gen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/sh/rcar/gen.c
++++ b/sound/soc/sh/rcar/gen.c
+@@ -214,7 +214,7 @@ static int rsnd_gen2_probe(struct platfo
+ RSND_GEN_S_REG(SCU_SYS_STATUS0, 0x1c8),
+ RSND_GEN_S_REG(SCU_SYS_INT_EN0, 0x1cc),
+ RSND_GEN_S_REG(SCU_SYS_STATUS1, 0x1d0),
+- RSND_GEN_S_REG(SCU_SYS_INT_EN1, 0x1c4),
++ RSND_GEN_S_REG(SCU_SYS_INT_EN1, 0x1d4),
+ RSND_GEN_M_REG(SRC_SWRSR, 0x200, 0x40),
+ RSND_GEN_M_REG(SRC_SRCIR, 0x204, 0x40),
+ RSND_GEN_M_REG(SRC_ADINR, 0x214, 0x40),
--- /dev/null
+From e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 Mon Sep 17 00:00:00 2001
+From: Sachin Pandhare <sachinpandhare@gmail.com>
+Date: Tue, 10 Nov 2015 23:38:02 +0530
+Subject: ASoC: wm8962: correct addresses for HPF_C_0/1
+
+From: Sachin Pandhare <sachinpandhare@gmail.com>
+
+commit e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 upstream.
+
+From datasheet:
+R17408 (4400h) HPF_C_1
+R17409 (4401h) HPF_C_0
+17048 -> 17408 (0x4400)
+17049 -> 17409 (0x4401)
+
+Signed-off-by: Sachin Pandhare <sachinpandhare@gmail.com>
+Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8962.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wm8962.c
++++ b/sound/soc/codecs/wm8962.c
+@@ -365,8 +365,8 @@ static struct reg_default wm8962_reg[] =
+ { 16924, 0x0059 }, /* R16924 - HDBASS_PG_1 */
+ { 16925, 0x999A }, /* R16925 - HDBASS_PG_0 */
+
+- { 17048, 0x0083 }, /* R17408 - HPF_C_1 */
+- { 17049, 0x98AD }, /* R17409 - HPF_C_0 */
++ { 17408, 0x0083 }, /* R17408 - HPF_C_1 */
++ { 17409, 0x98AD }, /* R17409 - HPF_C_0 */
+
+ { 17920, 0x007F }, /* R17920 - ADCL_RETUNE_C1_1 */
+ { 17921, 0xFFFF }, /* R17921 - ADCL_RETUNE_C1_0 */
alsa-usb-audio-add-sample-rate-inquiry-quirk-for-audioquest-dragonfly.patch
alsa-hda-set-skl-hda-controller-power-at-freeze-and-thaw.patch
alsa-hda-realtek-fix-silent-headphone-output-on-macpro-4-1-v2.patch
+alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch
+alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
+alsa-seq-fix-race-at-timer-setup-and-close.patch
+alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch
+alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch
+alsa-timer-harden-slave-timer-list-handling.patch
+alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch
+alsa-timer-fix-race-among-timer-ioctls.patch
+alsa-timer-fix-double-unlink-of-active_list.patch
+alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch
+alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch
+alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
+alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch
+alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch
+alsa-hda-flush-the-pending-probe-work-at-remove.patch
+alsa-timer-handle-disconnection-more-safely.patch
+asoc-rsnd-fixup-scu_sys_int_en1-address.patch
+asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch