--- /dev/null
+From 5ae4f61f012a097df93de2285070ec8e34716d29 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 18 Dec 2018 11:52:16 -0600
+Subject: ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 5ae4f61f012a097df93de2285070ec8e34716d29 upstream.
+
+ipcm->substream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/pci/emu10k1/emufx.c:1031 snd_emu10k1_ipcm_poke() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
+sound/pci/emu10k1/emufx.c:1075 snd_emu10k1_ipcm_peek() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
+
+Fix this by sanitizing ipcm->substream before using it to index emu->fx8010.pcm
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/emu10k1/emufx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/emu10k1/emufx.c
++++ b/sound/pci/emu10k1/emufx.c
+@@ -36,6 +36,7 @@
+ #include <linux/init.h>
+ #include <linux/mutex.h>
+ #include <linux/moduleparam.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/tlv.h>
+@@ -1033,6 +1034,8 @@ static int snd_emu10k1_ipcm_poke(struct
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ if (ipcm->channels > 32)
+ return -EINVAL;
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+@@ -1079,6 +1082,8 @@ static int snd_emu10k1_ipcm_peek(struct
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+ mutex_lock(&emu->fx8010.lock);
+ spin_lock_irq(&emu->reg_lock);
--- /dev/null
+From 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 12 Dec 2018 11:20:49 -0600
+Subject: ALSA: emux: Fix potential Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 upstream.
+
+info.mode and info.port are indirectly controlled by user-space,
+hence leading to a potential exploitation of the Spectre variant 1
+vulnerability.
+
+These issues were detected with the help of Smatch:
+
+sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap)
+sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap)
+sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap)
+
+Fix this by sanitizing both info.mode and info.port before using them
+to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and
+emu->portptrs.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/synth/emux/emux_hwdep.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/synth/emux/emux_hwdep.c
++++ b/sound/synth/emux/emux_hwdep.c
+@@ -22,9 +22,9 @@
+ #include <sound/core.h>
+ #include <sound/hwdep.h>
+ #include <linux/uaccess.h>
++#include <linux/nospec.h>
+ #include "emux_voice.h"
+
+-
+ #define TMP_CLIENT_ID 0x1001
+
+ /*
+@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux
+ return -EFAULT;
+ if (info.mode < 0 || info.mode >= EMUX_MD_END)
+ return -EINVAL;
++ info.mode = array_index_nospec(info.mode, EMUX_MD_END);
+
+ if (info.port < 0) {
+ for (i = 0; i < emu->num_ports; i++)
+ emu->portptrs[i]->ctrls[info.mode] = info.value;
+ } else {
+- if (info.port < emu->num_ports)
++ if (info.port < emu->num_ports) {
++ info.port = array_index_nospec(info.port, emu->num_ports);
+ emu->portptrs[info.port]->ctrls[info.mode] = info.value;
++ }
+ }
+ return 0;
+ }
--- /dev/null
+From 3d16200a3e55a39caa1c88419cb559c00316f721 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sat, 15 Dec 2018 19:06:48 +0900
+Subject: ALSA: fireface: fix for state to fetch PCM frames
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 3d16200a3e55a39caa1c88419cb559c00316f721 upstream.
+
+According to my memo at hand and saved records, writing 0x00000001 to
+SND_FF_REG_FETCH_PCM_FRAMES disables fetching PCM frames in corresponding
+channel, however current implement uses reversed logic. This results in
+muted volume in device side during playback.
+
+This commit corrects the bug.
+
+Cc: <stable@vger.kernel.org> # v4.12+
+Fixes: 76fdb3a9e13a ('ALSA: fireface: add support for Fireface 400')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/fireface/ff-protocol-ff400.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/fireface/ff-protocol-ff400.c
++++ b/sound/firewire/fireface/ff-protocol-ff400.c
+@@ -152,7 +152,7 @@ static int ff400_switch_fetching_mode(st
+ if (reg == NULL)
+ return -ENOMEM;
+
+- if (enable) {
++ if (!enable) {
+ /*
+ * Each quadlet is corresponding to data channels in a data
+ * blocks in reverse order. Precisely, quadlets for available
--- /dev/null
+From aa9a9e39b4f65733bf19d90cbd026e85a74efb99 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sat, 15 Dec 2018 19:03:20 +0900
+Subject: ALSA: firewire-lib: fix wrong assignment for 'out_packet_without_header' tracepoint
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit aa9a9e39b4f65733bf19d90cbd026e85a74efb99 upstream.
+
+An initial commit to add tracepoints for packets without CIP headers
+introduces a wrong assignment to 'data_blocks' value of
+'out_packet_without_header' tracepoint.
+
+This commit fixes the bug.
+
+Cc: <stable@vger.kernel.org> # v4.12+
+Fixes: b164d2fd6e49 ('ALSA: firewire_lib: add tracepoints for packets without CIP headers')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp-stream-trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream-trace.h
++++ b/sound/firewire/amdtp-stream-trace.h
+@@ -169,7 +169,7 @@ TRACE_EVENT(out_packet_without_header,
+ __entry->dest = fw_parent_device(s->unit)->node_id;
+ __entry->payload_quadlets = payload_length / 4;
+ __entry->data_blocks = data_blocks,
+- __entry->data_blocks = s->data_block_counter,
++ __entry->data_block_counter = s->data_block_counter,
+ __entry->packet_index = s->packet_index;
+ __entry->irq = !!in_interrupt();
+ __entry->index = index;
--- /dev/null
+From ada79fa5a0b374dd2c2262137c734da7524a8263 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sat, 15 Dec 2018 19:03:19 +0900
+Subject: ALSA: firewire-lib: fix wrong handling payload_length as payload_quadlet
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit ada79fa5a0b374dd2c2262137c734da7524a8263 upstream.
+
+In IEC 61883-1/6 engine of ALSA firewire stack, a packet handler has a
+second argument for 'the number of bytes in payload of isochronous
+packet'. However, an incoming packet handler without CIP header uses the
+value as 'the number of quadlets in the payload'. This brings userspace
+applications to receive the number of PCM frames as four times against
+real time.
+
+This commit fixes the bug.
+
+Cc: <stable@vger.kernel.org> # v4.12+
+Fixes: 3b196c394dd ('ALSA: firewire-lib: add no-header packet processing')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp-stream.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -629,15 +629,17 @@ end:
+ }
+
+ static int handle_in_packet_without_header(struct amdtp_stream *s,
+- unsigned int payload_quadlets, unsigned int cycle,
++ unsigned int payload_length, unsigned int cycle,
+ unsigned int index)
+ {
+ __be32 *buffer;
++ unsigned int payload_quadlets;
+ unsigned int data_blocks;
+ struct snd_pcm_substream *pcm;
+ unsigned int pcm_frames;
+
+ buffer = s->buffer.packets[s->packet_index].buffer;
++ payload_quadlets = payload_length / 4;
+ data_blocks = payload_quadlets / s->data_block_quadlets;
+
+ trace_in_packet_without_header(s, cycle, payload_quadlets, data_blocks,
--- /dev/null
+From 5ef108c53e6efd695e32aad969638ccbc35b4be9 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sat, 15 Dec 2018 19:03:21 +0900
+Subject: ALSA: firewire-lib: use the same print format for 'without_header' tracepoints
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 5ef108c53e6efd695e32aad969638ccbc35b4be9 upstream.
+
+An initial commit to add tracepoints for packets without CIP headers
+uses different print formats for added tracepoints. However this is not
+convenient for users/developers to prepare debug tools.
+
+This commit uses the same format for the two tracepoints.
+
+Cc: <stable@vger.kernel.org> # v4.12+
+Fixes: b164d2fd6e49 ('ALSA: firewire_lib: add tracepoints for packets without CIP headers')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp-stream-trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream-trace.h
++++ b/sound/firewire/amdtp-stream-trace.h
+@@ -131,7 +131,7 @@ TRACE_EVENT(in_packet_without_header,
+ __entry->index = index;
+ ),
+ TP_printk(
+- "%02u %04u %04x %04x %02d %03u %3u %3u %02u %01u %02u",
++ "%02u %04u %04x %04x %02d %03u %02u %03u %02u %01u %02u",
+ __entry->second,
+ __entry->cycle,
+ __entry->src,
--- /dev/null
+From 40906ebe3af6a48457151b3c6726b480f6a6cb13 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= <grawity@gmail.com>
+Date: Sun, 16 Dec 2018 15:44:47 +0200
+Subject: ALSA: hda: add mute LED support for HP EliteBook 840 G4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mantas Mikulėnas <grawity@gmail.com>
+
+commit 40906ebe3af6a48457151b3c6726b480f6a6cb13 upstream.
+
+Tested with 4.19.9.
+
+v2: Changed from CXT_FIXUP_MUTE_LED_GPIO to CXT_FIXUP_HP_DOCK because
+ that's what the existing fixups for EliteBooks use.
+
+Signed-off-by: Mantas Mikulėnas <grawity@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -961,6 +961,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
--- /dev/null
+From 9cf6533e8060d3896b88ea14b27f620e6504b84b Mon Sep 17 00:00:00 2001
+From: Wandrille RONCE <w@ndrille.fr>
+Date: Wed, 19 Dec 2018 14:52:44 +0100
+Subject: ALSA: hda/realtek: Enable audio jacks of ASUS UX391UA with ALC294
+
+From: Wandrille RONCE <w@ndrille.fr>
+
+commit 9cf6533e8060d3896b88ea14b27f620e6504b84b upstream.
+
+By default, there is no sound on Asus UX391UA on Linux.
+
+This patch adds sound support on Asus UX391UA. Tested working by three
+different users.
+
+The problem has also been described at
+https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1784485
+
+Signed-off-by: Wandrille RONCE <w@ndrille.fr>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6378,6 +6378,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK),
+ SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From 63d2a9ec310d8bcc955574220d4631aa55c1a80c Mon Sep 17 00:00:00 2001
+From: Sameer Pujar <spujar@nvidia.com>
+Date: Wed, 26 Dec 2018 16:04:49 +0530
+Subject: ALSA: hda/tegra: clear pending irq handlers
+
+From: Sameer Pujar <spujar@nvidia.com>
+
+commit 63d2a9ec310d8bcc955574220d4631aa55c1a80c upstream.
+
+Even after disabling interrupts on the module, it could be possible
+that irq handlers are still running. System hang is seen during
+suspend path. It was found that, there were pending writes on the
+HDA bus and clock was disabled by that time.
+
+Above mentioned issue is fixed by clearing any pending irq handlers
+before disabling clocks and returning from hda suspend.
+
+Suggested-by: Mohan Kumar <mkumard@nvidia.com>
+Suggested-by: Dara Ramesh <dramesh@nvidia.com>
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_tegra.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct devi
+ struct snd_card *card = dev_get_drvdata(dev);
+ struct azx *chip = card->private_data;
+ struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
++ struct hdac_bus *bus = azx_bus(chip);
+
+ snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
+
+ azx_stop_chip(chip);
++ synchronize_irq(bus->irq);
+ azx_enter_link_reset(chip);
+ hda_tegra_disable_clocks(hda);
+
--- /dev/null
+From 94ffb030b6d31ec840bb811be455dd2e26a4f43e Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 12 Dec 2018 15:36:28 -0600
+Subject: ALSA: pcm: Fix potential Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 94ffb030b6d31ec840bb811be455dd2e26a4f43e upstream.
+
+stream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap)
+
+Fix this by sanitizing stream before using it to index pcm->streams
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -25,6 +25,7 @@
+ #include <linux/time.h>
+ #include <linux/mutex.h>
+ #include <linux/device.h>
++#include <linux/nospec.h>
+ #include <sound/core.h>
+ #include <sound/minors.h>
+ #include <sound/pcm.h>
+@@ -129,6 +130,7 @@ static int snd_pcm_control_ioctl(struct
+ return -EFAULT;
+ if (stream < 0 || stream > 1)
+ return -EINVAL;
++ stream = array_index_nospec(stream, 2);
+ if (get_user(subdevice, &info->subdevice))
+ return -EFAULT;
+ mutex_lock(®ister_mutex);
--- /dev/null
+From 0b84304ef5da92add8dc75a1b07879c5374cdb05 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 18 Dec 2018 11:18:34 -0600
+Subject: ALSA: rme9652: Fix potential Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 0b84304ef5da92add8dc75a1b07879c5374cdb05 upstream.
+
+info->channel is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap)
+
+Fix this by sanitizing info->channel before using it to index hdsp->channel_map
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+Also, notice that I refactored the code a bit in order to get rid of the
+following checkpatch warning:
+
+ERROR: do not use assignment in if condition
+FILE: sound/pci/rme9652/hdsp.c:4103:
+ if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/rme9652/hdsp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -30,6 +30,7 @@
+ #include <linux/math64.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/control.h>
+@@ -4092,15 +4093,16 @@ static int snd_hdsp_channel_info(struct
+ struct snd_pcm_channel_info *info)
+ {
+ struct hdsp *hdsp = snd_pcm_substream_chip(substream);
+- int mapped_channel;
++ unsigned int channel = info->channel;
+
+- if (snd_BUG_ON(info->channel >= hdsp->max_channels))
++ if (snd_BUG_ON(channel >= hdsp->max_channels))
+ return -EINVAL;
++ channel = array_index_nospec(channel, hdsp->max_channels);
+
+- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
++ if (hdsp->channel_map[channel] < 0)
+ return -EINVAL;
+
+- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
+ info->first = 0;
+ info->step = 32;
+ return 0;
--- /dev/null
+From dbc2970caef74e8ff41923d302aa6fb5a4812d0e Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Wed, 28 Nov 2018 10:19:36 -0800
+Subject: IB/hfi1: Incorrect sizing of sge for PIO will OOPs
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit dbc2970caef74e8ff41923d302aa6fb5a4812d0e upstream.
+
+An incorrect sge sizing in the HFI PIO path will cause an OOPs similar to
+this:
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [] hfi1_verbs_send_pio+0x3d8/0x530 [hfi1]
+PGD 0
+Oops: 0000 1 SMP
+ Call Trace:
+ ? hfi1_verbs_send_dma+0xad0/0xad0 [hfi1]
+ hfi1_verbs_send+0xdf/0x250 [hfi1]
+ ? make_rc_ack+0xa80/0xa80 [hfi1]
+ hfi1_do_send+0x192/0x430 [hfi1]
+ hfi1_do_send_from_rvt+0x10/0x20 [hfi1]
+ rvt_post_send+0x369/0x820 [rdmavt]
+ ib_uverbs_post_send+0x317/0x570 [ib_uverbs]
+ ib_uverbs_write+0x26f/0x420 [ib_uverbs]
+ ? security_file_permission+0x21/0xa0
+ vfs_write+0xbd/0x1e0
+ ? mntput+0x24/0x40
+ SyS_write+0x7f/0xe0
+ system_call_fastpath+0x16/0x1b
+
+Fix by adding the missing sizing check to correctly determine the sge
+length.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -1123,6 +1123,8 @@ int hfi1_verbs_send_pio(struct rvt_qp *q
+
+ if (slen > len)
+ slen = len;
++ if (slen > ss->sge.sge_length)
++ slen = ss->sge.sge_length;
+ rvt_update_sge(ss, slen, false);
+ seg_pio_copy_mid(pbuf, addr, slen);
+ len -= slen;
--- /dev/null
+From 2a9d92fb3a1282a4659f1bb6d5684018846537b7 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 10 Dec 2018 21:38:16 +0100
+Subject: mtd: atmel-quadspi: disallow building on ebsa110
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 2a9d92fb3a1282a4659f1bb6d5684018846537b7 upstream.
+
+I ran into a link-time error with the atmel-quadspi driver on the
+EBSA110 platform:
+
+drivers/mtd/built-in.o: In function `atmel_qspi_run_command':
+:(.text+0x1ee3c): undefined reference to `_memcpy_toio'
+:(.text+0x1ee48): undefined reference to `_memcpy_fromio'
+
+The problem is that _memcpy_toio/_memcpy_fromio are not available on
+that platform, and we have to prevent building the driver there.
+
+In case we want to backport this to older kernels: between linux-4.8
+and linux-4.20, the Kconfig entry was in drivers/mtd/spi-nor/Kconfig
+but had the same problem.
+
+Link: https://lore.kernel.org/patchwork/patch/812860/
+Fixes: 161aaab8a067 ("mtd: atmel-quadspi: add driver for Atmel QSPI controller")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/spi-nor/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/Kconfig
++++ b/drivers/mtd/spi-nor/Kconfig
+@@ -41,7 +41,7 @@ config SPI_ASPEED_SMC
+
+ config SPI_ATMEL_QUADSPI
+ tristate "Atmel Quad SPI Controller"
+- depends on ARCH_AT91 || (ARM && COMPILE_TEST)
++ depends on ARCH_AT91 || (ARM && COMPILE_TEST && !ARCH_EBSA110)
+ depends on OF && HAS_IOMEM
+ help
+ This enables support for the Quad SPI controller in master mode.
qmi_wwan-add-support-for-fibocom-nl678-series.patch
net-smc-fix-tcp-fallback-socket-release.patch
sock-make-sock-sk_stamp-thread-safe.patch
+ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch
+alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch
+alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch
+alsa-pcm-fix-potential-spectre-v1-vulnerability.patch
+alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch
+mtd-atmel-quadspi-disallow-building-on-ebsa110.patch
+alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch
+alsa-hda-realtek-enable-audio-jacks-of-asus-ux391ua-with-alc294.patch
+alsa-fireface-fix-for-state-to-fetch-pcm-frames.patch
+alsa-firewire-lib-fix-wrong-handling-payload_length-as-payload_quadlet.patch
+alsa-firewire-lib-fix-wrong-assignment-for-out_packet_without_header-tracepoint.patch
+alsa-firewire-lib-use-the-same-print-format-for-without_header-tracepoints.patch
+alsa-hda-tegra-clear-pending-irq-handlers.patch
+usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
+usb-serial-option-add-fibocom-nl678-series.patch
+usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
--- /dev/null
+From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Tue, 18 Dec 2018 20:04:25 +0800
+Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+commit c85400f886e3d41e69966470879f635a2b50084c upstream.
+
+The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
+be concurrently executed.
+The two functions both access a possible shared variable "hep->hcpriv".
+
+This shared variable is freed by r8a66597_endpoint_disable() via the
+call path:
+r8a66597_endpoint_disable
+ kfree(hep->hcpriv) (line 1995 in Linux-4.19)
+
+This variable is read by r8a66597_urb_enqueue() via the call path:
+r8a66597_urb_enqueue
+ spin_lock_irqsave(&r8a66597->lock)
+ init_pipe_info
+ enable_r8a66597_pipe
+ pipe = hep->hcpriv (line 802 in Linux-4.19)
+
+The read operation is protected by a spinlock, but the free operation
+is not protected by this spinlock, thus a concurrency use-after-free bug
+may occur.
+
+To fix this bug, the spin-lock and spin-unlock function calls in
+r8a66597_endpoint_disable() are moved to protect the free operation.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/r8a66597-hcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct u
+
+ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+ struct usb_host_endpoint *hep)
++__acquires(r8a66597->lock)
++__releases(r8a66597->lock)
+ {
+ struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
+ struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
+@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(st
+ return;
+ pipenum = pipe->info.pipenum;
+
++ spin_lock_irqsave(&r8a66597->lock, flags);
+ if (pipenum == 0) {
+ kfree(hep->hcpriv);
+ hep->hcpriv = NULL;
++ spin_unlock_irqrestore(&r8a66597->lock, flags);
+ return;
+ }
+
+- spin_lock_irqsave(&r8a66597->lock, flags);
+ pipe_stop(r8a66597, pipe);
+ pipe_irq_disable(r8a66597, pipenum);
+ disable_irq_empty(r8a66597, pipenum);
--- /dev/null
+From 4b2c01ad902ec02fa962b233decd2f14be3714ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Fri, 21 Dec 2018 14:40:44 +0100
+Subject: USB: serial: option: add Fibocom NL678 series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jörgen Storvist <jorgen.storvist@gmail.com>
+
+commit 4b2c01ad902ec02fa962b233decd2f14be3714ba upstream.
+
+Added USB serial option driver support for Fibocom NL678 series cellular
+module: VID 2cb7 and PIDs 0x0104 and 0x0105.
+Reserved network and ADB interfaces.
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0104 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0105 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1957,6 +1957,10 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
++ .driver_info = RSVD(4) | RSVD(5) },
++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
++ .driver_info = RSVD(6) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
--- /dev/null
+From 8d503f206c336677954160ac62f0c7d9c219cd89 Mon Sep 17 00:00:00 2001
+From: Scott Chen <scott@labau.com.tw>
+Date: Thu, 13 Dec 2018 06:01:47 -0500
+Subject: USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
+
+From: Scott Chen <scott@labau.com.tw>
+
+commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream.
+
+Add device ids to pl2303 for the HP POS pole displays:
+LM920: 03f0:026b
+TD620: 03f0:0956
+LD960TA: 03f0:4439
+LD220TA: 03f0:4349
+LM940: 03f0:5039
+
+Signed-off-by: Scott Chen <scott@labau.com.tw>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/pl2303.c | 5 +++++
+ drivers/usb/serial/pl2303.h | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -94,9 +94,14 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
+ { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
+ { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
+ { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
+ { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -124,10 +124,15 @@
+
+ /* Hewlett-Packard POS Pole Displays */
+ #define HP_VENDOR_ID 0x03f0
++#define HP_LM920_PRODUCT_ID 0x026b
++#define HP_TD620_PRODUCT_ID 0x0956
+ #define HP_LD960_PRODUCT_ID 0x0b39
+ #define HP_LCM220_PRODUCT_ID 0x3139
+ #define HP_LCM960_PRODUCT_ID 0x3239
+ #define HP_LD220_PRODUCT_ID 0x3524
++#define HP_LD220TA_PRODUCT_ID 0x4349
++#define HP_LD960TA_PRODUCT_ID 0x4439
++#define HP_LM940_PRODUCT_ID 0x5039
+
+ /* Cressi Edy (diving computer) PC interface */
+ #define CRESSI_VENDOR_ID 0x04b8
projects / thirdparty / kernel / stable-queue.git / commitdiff
