--- /dev/null
+From 1524f4e47f90b27a3ac84efbdd94c63172246a6f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 8 Jan 2019 10:43:30 +0300
+Subject: ALSA: cs46xx: Potential NULL dereference in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream.
+
+The "chip->dsp_spos_instance" can be NULL on some of the ealier error
+paths in snd_cs46xx_create().
+
+Reported-by: "Yavuz, Tuba" <tuba@ece.ufl.edu>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/cs46xx/dsp_spos.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/cs46xx/dsp_spos.c
++++ b/sound/pci/cs46xx/dsp_spos.c
+@@ -899,6 +899,9 @@ int cs46xx_dsp_proc_done (struct snd_cs4
+ struct dsp_spos_instance * ins = chip->dsp_spos_instance;
+ int i;
+
++ if (!ins)
++ return 0;
++
+ snd_info_free_entry(ins->proc_sym_info_entry);
+ ins->proc_sym_info_entry = NULL;
+
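Review bot: The new `if (!ins) return 0;` guard in cs46xx_dsp_proc_done() has no comment saying when the pointer can legitimately be NULL, so a later cleanup could remove it as dead code. The commit message ties it to the earlier error paths of snd_cs46xx_create(), and that reason belongs beside the check, for example `/* dsp_spos_instance is not allocated yet when snd_cs46xx_create() fails early */`. Other teardown helpers that read `chip->dsp_spos_instance` on the same failure path are not visible in this hunk and may need the same guard. The function body continues past the end of the hunk.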
--- /dev/null
+From f4351a199cc120ff9d59e06d02e8657d08e6cc46 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 19 Dec 2018 12:36:27 +0100
+Subject: ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
+
+The parser for the processing unit reads bNrInPins field before the
+bLength sanity check, which may lead to an out-of-bound access when a
+malformed descriptor is given. Fix it by assignment after the bLength
+check.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1882,7 +1882,7 @@ static int build_audio_procunit(struct m
+ char *name)
+ {
+ struct uac_processing_unit_descriptor *desc = raw_desc;
+- int num_ins = desc->bNrInPins;
++ int num_ins;
+ struct usb_mixer_elem_info *cval;
+ struct snd_kcontrol *kctl;
+ int i, err, nameid, type, len;
+@@ -1897,7 +1897,13 @@ static int build_audio_procunit(struct m
+ 0, NULL, default_value_info
+ };
+
+- if (desc->bLength < 13 || desc->bLength < 13 + num_ins ||
++ if (desc->bLength < 13) {
++ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
++ return -EINVAL;
++ }
++
++ num_ins = desc->bNrInPins;
++ if (desc->bLength < 13 + num_ins ||
+ desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
+ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
+ return -EINVAL;
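Review bot: The remaining second bound, `desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)`, omits the fixed header bytes that the first bound counts with `13 + num_ins`. It therefore looks weaker than the descriptor layout implies and may still accept a descriptor whose control bitmap runs past bLength. Whether the fixed part can simply be added depends on the per-protocol layout, which is not visible here, so this should be confirmed against each UAC version before tightening. The helper is only safe to call because `||` short-circuits after the `13 + num_ins` test, which deserves a comment such as `/* order matters: the bControlSize lookup is only valid once bLength covers the source ID array */`. The same error message is now emitted from two places, and build_audio_procunit() continues outside the hunk.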
--- /dev/null
+From cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@163.com>
+Date: Tue, 25 Dec 2018 18:11:52 -0500
+Subject: ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
+
+From: Hui Peng <benquike@163.com>
+
+commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.
+
+In `create_composite_quirk`, the terminating condition of for loops is
+`quirk->ifnum < 0`. So any composite quirks should end with `struct
+snd_usb_audio_quirk` object with ifnum < 0.
+
+ for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
+
+ .....
+ }
+
+the data field of Bower's & Wilkins PX headphones usb device device quirks
+do not end with {.ifnum = -1}, wihch may result in out-of-bound read.
+
+This Patch fix the bug by adding an ending quirk object.
+
+Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
+Signed-off-by: Hui Peng <benquike@163.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks-table.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3321,6 +3321,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++ {
++ .ifnum = -1
++ },
+ }
+ }
+ },
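Review bot: The added `{ .ifnum = -1 }` entry is load-bearing but unlabelled: per the commit message, the loop in create_composite_quirk only stops on `quirk->ifnum < 0`, so a missing sentinel is an out-of-bounds read with no compile-time warning. A short comment on the entry, for example `/* terminator: create_composite_quirk() stops at ifnum < 0 */`, would make it harder to drop during a later edit. The other composite quirk arrays in this table are not visible in the hunk and are worth checking for the same omission.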
--- /dev/null
+From 8ea3819c0bbef57a51d8abe579e211033e861677 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 19 Nov 2018 20:01:24 +0200
+Subject: b43: Fix error in cordic routine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream.
+
+The cordic routine for calculating sines and cosines that was added in
+commit 6f98e62a9f1b ("b43: update cordic code to match current specs")
+contains an error whereby a quantity declared u32 can in fact go negative.
+
+This problem was detected by Priit Laes who is switching b43 to use the
+routine in the library functions of the kernel.
+
+Fixes: 986504540306 ("b43: make cordic common (LP-PHY and N-PHY need it)")
+Reported-by: Priit Laes <plaes@plaes.org>
+Cc: Rafał Miłecki <zajec5@gmail.com>
+Cc: Stable <stable@vger.kernel.org> # 2.6.34
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Priit Laes <plaes@plaes.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/b43/phy_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/phy_common.c
++++ b/drivers/net/wireless/broadcom/b43/phy_common.c
+@@ -616,7 +616,7 @@ struct b43_c32 b43_cordic(int theta)
+ u8 i;
+ s32 tmp;
+ s8 signx = 1;
+- u32 angle = 0;
++ s32 angle = 0;
+ struct b43_c32 ret = { .i = 39797, .q = 0, };
+
+ while (theta > (180 << 16))
--- /dev/null
+From b982896cdb6e6a6b89d86dfb39df489d9df51e14 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:15:05 +0300
+Subject: dlm: fixed memory leaks after failed ls_remove_names allocation
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream.
+
+If allocation fails on last elements of array need to free already
+allocated elements.
+
+v2: just move existing out_rsbtbl label to right place
+
+Fixes 789924ba635f ("dlm: fix race between remove and lookup")
+Cc: stable@kernel.org # 3.6
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -673,11 +673,11 @@ static int new_lockspace(const char *nam
+ kfree(ls->ls_recover_buf);
+ out_lkbidr:
+ idr_destroy(&ls->ls_lkbidr);
++ out_rsbtbl:
+ for (i = 0; i < DLM_REMOVE_NAMES_MAX; i++) {
+ if (ls->ls_remove_names[i])
+ kfree(ls->ls_remove_names[i]);
+ }
+- out_rsbtbl:
+ vfree(ls->ls_rsbtbl);
+ out_lsfree:
+ if (do_unreg)
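Review bot: With `out_rsbtbl:` moved above the loop, the cleanup now walks all DLM_REMOVE_NAMES_MAX slots after a partial allocation, which is only safe if the unallocated entries of `ls->ls_remove_names[]` are NULL. That depends on `ls` being zero-initialised where it is allocated, which is outside this hunk and should be confirmed. A comment at the label would record the assumption, for example `/* ls is zeroed at allocation, so unfilled slots are NULL */`. Separately, the `if (ls->ls_remove_names[i])` test is redundant because kfree() accepts NULL, so the loop body can be just `kfree(ls->ls_remove_names[i]);`.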
--- /dev/null
+From c0174726c3976e67da8649ac62cae43220ae173a Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:24 +0300
+Subject: dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit c0174726c3976e67da8649ac62cae43220ae173a upstream.
+
+Fixes 6d40c4a708e0 ("dlm: improve error and debug messages")
+Cc: stable@kernel.org # 3.5
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -4178,6 +4178,7 @@ static int receive_convert(struct dlm_ls
+ (unsigned long long)lkb->lkb_recover_seq,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
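Review bot: The `dlm_put_lkb(lkb);` added before `goto fail;` here, and again in the receive_unlock() hunk below, has no comment naming the reference it balances. Presumably this is the reference taken by the lkb lookup earlier in each function, but that call is outside both hunks. A comment such as `/* drop the reference taken by the lookup above; the fail path does not */` would make the pairing explicit. It would also help anyone adding another early exit between the lookup and the normal put. Whether any other `goto fail` sits after the lookup in these functions cannot be checked from the visible lines.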
+@@ -4231,6 +4232,7 @@ static int receive_unlock(struct dlm_ls
+ lkb->lkb_id, lkb->lkb_remid,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
--- /dev/null
+From d47b41aceeadc6b58abc9c7c6485bef7cfb75636 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:56 +0300
+Subject: dlm: memory leaks on error path in dlm_user_request()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream.
+
+According to comment in dlm_user_request() ua should be freed
+in dlm_free_lkb() after successful attach to lkb.
+
+However ua is attached to lkb not in set_lock_args() but later,
+inside request_lock().
+
+Fixes 597d0cae0f99 ("[DLM] dlm: user locks")
+Cc: stable@kernel.org # 2.6.19
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -5795,20 +5795,20 @@ int dlm_user_request(struct dlm_ls *ls,
+ goto out;
+ }
+ }
+-
+- /* After ua is attached to lkb it will be freed by dlm_free_lkb().
+- When DLM_IFL_USER is set, the dlm knows that this is a userspace
+- lock and that lkb_astparam is the dlm_user_args structure. */
+-
+ error = set_lock_args(mode, &ua->lksb, flags, namelen, timeout_cs,
+ fake_astfn, ua, fake_bastfn, &args);
+- lkb->lkb_flags |= DLM_IFL_USER;
+-
+ if (error) {
++ kfree(ua->lksb.sb_lvbptr);
++ ua->lksb.sb_lvbptr = NULL;
++ kfree(ua);
+ __put_lkb(ls, lkb);
+ goto out;
+ }
+
++ /* After ua is attached to lkb it will be freed by dlm_free_lkb().
++ When DLM_IFL_USER is set, the dlm knows that this is a userspace
++ lock and that lkb_astparam is the dlm_user_args structure. */
++ lkb->lkb_flags |= DLM_IFL_USER;
+ error = request_lock(ls, lkb, name, namelen, &args);
+
+ switch (error) {
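Review bot: In the new set_lock_args() error branch, `ua->lksb.sb_lvbptr = NULL;` is a dead store, because `kfree(ua);` on the next line frees the structure that holds the field. Dropping it leaves `kfree(ua->lksb.sb_lvbptr); kfree(ua);` followed by the existing `__put_lkb(ls, lkb);`. The function now frees `ua` itself on this path while, per the moved comment, dlm_free_lkb() frees it once attached. The caller-facing rule (whether `ua` is always consumed by dlm_user_request(), even on error) should be stated in a comment above the function, which is outside the hunk. The error handling after request_lock() continues past the end of the hunk and should be checked against the same ownership rule.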
--- /dev/null
+From 23851e978f31eda8b2d01bd410d3026659ca06c7 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:18 +0300
+Subject: dlm: possible memory leak on error path in create_lkb()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream.
+
+Fixes 3d6aa675fff9 ("dlm: keep lkbs in idr")
+Cc: stable@kernel.org # 3.1
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -1210,6 +1210,7 @@ static int create_lkb(struct dlm_ls *ls,
+
+ if (rv < 0) {
+ log_error(ls, "create_lkb idr error %d", rv);
++ dlm_free_lkb(lkb);
+ return rv;
+ }
+
--- /dev/null
+From 2d29f6b96d8f80322ed2dd895bca590491c38d34 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 4 Dec 2018 15:06:27 +0100
+Subject: gfs2: Fix loop in gfs2_rbm_find
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream.
+
+Fix the resource group wrap-around logic in gfs2_rbm_find that commit
+e579ed4f44 broke. The bug can lead to unnecessary repeated scanning of the
+same bitmaps; there is a risk that future changes will turn this into an
+endless loop.
+
+Fixes: e579ed4f44 ("GFS2: Introduce rbm field bii")
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1705,9 +1705,9 @@ static int gfs2_rbm_find(struct gfs2_rbm
+ goto next_iter;
+ }
+ if (ret == -E2BIG) {
++ n += rbm->bii - initial_bii;
+ rbm->bii = 0;
+ rbm->offset = 0;
+- n += (rbm->bii - initial_bii);
+ goto res_covered_end_of_rgrp;
+ }
+ return ret;
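Review bot: The fix in the `-E2BIG` branch depends entirely on statement order, and nothing in the code says so: `n += rbm->bii - initial_bii;` must run before `rbm->bii = 0;`, which is exactly what the earlier change got wrong. A one-line comment above the addition, for example `/* account for the bitmaps scanned so far before bii is reset */`, would protect it from being reordered again. The types of `n` and `rbm->bii` are declared outside the hunk; if either is unsigned, the subtraction is worth a second look for the case where `bii` is below `initial_bii`.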
--- /dev/null
+From 6ff9b09e00a441599f3aacdf577254455a048bc9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 26 Nov 2018 18:45:35 +0100
+Subject: gfs2: Get rid of potential double-freeing in gfs2_create_inode
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 6ff9b09e00a441599f3aacdf577254455a048bc9 upstream.
+
+In gfs2_create_inode, after setting and releasing the acl / default_acl, the
+acl / default_acl pointers are not set to NULL as they should be. In that
+state, when the function reaches label fail_free_acls, gfs2_create_inode will
+try to release the same acls again.
+
+Fix that by setting the pointers to NULL after releasing the acls. Slightly
+simplify the logic. Also, posix_acl_release checks for NULL already, so
+there is no need to duplicate those checks here.
+
+Fixes: e01580bf9e4d ("gfs2: use generic posix ACL infrastructure")
+Reported-by: Pan Bian <bianpan2016@163.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/inode.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -740,17 +740,19 @@ static int gfs2_create_inode(struct inod
+ the gfs2 structures. */
+ if (default_acl) {
+ error = __gfs2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(default_acl);
++ default_acl = NULL;
+ }
+ if (acl) {
+- if (!error)
+- error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(acl);
++ acl = NULL;
+ }
+
+- if (error)
+- goto fail_gunlock3;
+-
+ error = security_inode_init_security(&ip->i_inode, &dip->i_inode, name,
+ &gfs2_initxattrs, NULL);
+ if (error)
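Review bot: The double release is avoided only because `default_acl = NULL;` and `acl = NULL;` follow each `posix_acl_release()` in this hunk, and that invariant is not written down anywhere near the code. A comment at the first release, for example `/* released here; clear the pointer so fail_free_acls does not release it again */`, would keep a later refactor from reintroducing the bug. Each release-then-clear pair could also be folded into a small local helper so the two steps cannot be separated. The `fail_gunlock3` label that the new `goto`s target is outside both hunks, so the assumption that it falls through to `fail_free_acls` should be confirmed in the full function.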
+@@ -783,10 +785,8 @@ fail_free_inode:
+ gfs2_glock_put(ip->i_gl);
+ gfs2_rsqa_delete(ip, NULL);
+ fail_free_acls:
+- if (default_acl)
+- posix_acl_release(default_acl);
+- if (acl)
+- posix_acl_release(acl);
++ posix_acl_release(default_acl);
++ posix_acl_release(acl);
+ fail_gunlock:
+ gfs2_dir_no_add(&da);
+ gfs2_glock_dq_uninit(ghs);
crypto-x86-chacha20-avoid-sleeping-with-preemption-disabled.patch
vhost-vsock-fix-uninitialized-vhost_vsock-guest_cid.patch
ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch
+alsa-cs46xx-potential-null-dereference-in-probe.patch
+alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch
+alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch
+dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch
+dlm-possible-memory-leak-on-error-path-in-create_lkb.patch
+dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch
+dlm-memory-leaks-on-error-path-in-dlm_user_request.patch
+gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch
+gfs2-fix-loop-in-gfs2_rbm_find.patch
+b43-fix-error-in-cordic-routine.patch