--- /dev/null
+From 76b3421b39bd610546931fc923edcf90c18fa395 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 30 Apr 2018 10:06:48 +0200
+Subject: ALSA: aloop: Add missing cable lock to ctl API callbacks
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.
+
+Some control API callbacks in aloop driver are too lazy to take the
+loopback->cable_lock and it results in possible races of cable access
+while it's being freed. It eventually lead to a UAF, as reported by
+fuzzer recently.
+
+This patch covers such control API callbacks and add the proper mutex
+locks.
+
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -833,9 +833,11 @@ static int loopback_rate_shift_get(struc
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate_shift;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
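Review bot: The mutex added in loopback_rate_shift_get() brackets a single read of `loopback->setup[...]`, and nothing in the hunk says which writer it serialises against; the commit text only mentions cable lifetime. A short comment above the lock would make the intent checkable, for example `/* cable_lock also serialises setup[] against its writers */`, naming the actual writer once confirmed, since it is not visible here. The same applies to the loopback_notify_get(), loopback_rate_get() and loopback_channels_get() hunks.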
+@@ -867,9 +869,11 @@ static int loopback_notify_get(struct sn
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -881,12 +885,14 @@ static int loopback_notify_put(struct sn
+ int change = 0;
+
+ val = ucontrol->value.integer.value[0] ? 1 : 0;
++ mutex_lock(&loopback->cable_lock);
+ if (val != loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify) {
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify = val;
+ change = 1;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ return change;
+ }
+
+@@ -894,15 +900,18 @@ static int loopback_active_get(struct sn
+ struct snd_ctl_elem_value *ucontrol)
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+- struct loopback_cable *cable = loopback->cables
+- [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
++ struct loopback_cable *cable;
++
+ unsigned int val = 0;
+
++ mutex_lock(&loopback->cable_lock);
++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ if (cable != NULL) {
+ unsigned int running = cable->running ^ cable->pause;
+
+ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
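Review bot: In loopback_active_get() the new cable_lock section stops `cable` from being freed during the read, but `cable->running` and `cable->pause` are updated under the separate `cable->lock` spinlock in loopback_trigger(), as the trigger hunks of the pause patch on this page show. The two fields can therefore still be sampled between the two updates. If a momentarily stale value is acceptable for this control, record that in a comment such as `/* cable_lock pins the cable; running/pause are a best-effort snapshot */`; otherwise the read needs `cable->lock` as well. The blank line added between the `cable` and `val` declarations splits the declaration block and can be dropped.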
+@@ -945,9 +954,11 @@ static int loopback_rate_get(struct snd_
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -967,9 +978,11 @@ static int loopback_channels_get(struct
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].channels;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
--- /dev/null
+From 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 Mon Sep 17 00:00:00 2001
+From: Robert Rosengren <robert.rosengren@axis.com>
+Date: Mon, 26 Mar 2018 07:24:49 +0200
+Subject: ALSA: aloop: Mark paused device as inactive
+
+From: Robert Rosengren <robert.rosengren@axis.com>
+
+commit 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 upstream.
+
+Show paused ALSA aloop device as inactive, i.e. the control
+"PCM Slave Active" set as false. Notification sent upon state change.
+
+This makes it possible for client capturing from aloop device to know if
+data is expected. Without it the client expects data even if playback
+is paused.
+
+Signed-off-by: Robert Rosengren <robert.rosengren@axis.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -297,6 +297,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause |= stream;
+ loopback_timer_stop(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+ case SNDRV_PCM_TRIGGER_RESUME:
+@@ -305,6 +307,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause &= ~stream;
+ loopback_timer_start(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ default:
+ return -EINVAL;
+@@ -894,9 +898,11 @@ static int loopback_active_get(struct sn
+ [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ unsigned int val = 0;
+
+- if (cable != NULL)
+- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
+- 1 : 0;
++ if (cable != NULL) {
++ unsigned int running = cable->running ^ cable->pause;
++
++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
++ }
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
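Review bot: `cable->running ^ cable->pause` in loopback_active_get() reports the playback side as active whenever exactly one of the two bits is set, which includes pause set with running clear. That is only correct if a pause bit can never outlive its running bit, and this hunk does not establish that invariant. `unsigned int running = cable->running & ~cable->pause;` states the intent directly and gives the same result whenever the invariant holds.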
--- /dev/null
+From f13876e2c33a657a71bcbb10f767c0951b165020 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 May 2018 08:48:46 +0200
+Subject: ALSA: pcm: Check PCM state at xfern compat ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.
+
+Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
+further and hit the sanity check pcm_sanity_check() when the ioctl is
+called right after open. It may eventually spew a kernel warning, as
+triggered by syzbot, depending on kconfig.
+
+The lack of PCM state check there was just an oversight. Although
+it's no real crash, the spurious kernel warning is annoying, so let's
+add the proper check.
+
+Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -333,6 +333,8 @@ static int snd_pcm_ioctl_xfern_compat(st
+ return -ENOTTY;
+ if (substream->stream != dir)
+ return -EINVAL;
++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
++ return -EBADFD;
+
+ if ((ch = substream->runtime->channels) > 128)
+ return -EINVAL;
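Review bot: The added `status->state == SNDRV_PCM_STATE_OPEN` test takes no lock in the visible lines, so it is a snapshot. Nothing shown here stops another ioctl on the same substream from moving it back to OPEN before the transfer starts. Since the commit message says the goal is only to avoid the pcm_sanity_check() warning, a comment such as `/* unlocked snapshot; only keeps a just-opened stream away from pcm_sanity_check() */` would stop readers treating it as a hard guarantee. The function body starts and ends outside the hunk.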
--- /dev/null
+From 8f22e52528cc372b218b5f100457469615c733ce Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 26 Apr 2018 09:17:45 +0200
+Subject: ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8f22e52528cc372b218b5f100457469615c733ce upstream.
+
+The sequencer virmidi code has an open race at its output trigger
+callback: namely, virmidi keeps only one event packet for processing
+while it doesn't protect for concurrent output trigger calls.
+
+snd_virmidi_output_trigger() tries to process the previously
+unfinished event before starting encoding the given MIDI stream, but
+this is done without any lock. Meanwhile, if another rawmidi stream
+starts the output trigger, this proceeds further, and overwrites the
+event package that is being processed in another thread. This
+eventually corrupts and may lead to the invalid memory access if the
+event type is like SYSEX.
+
+The fix is just to move the spinlock to cover both the pending event
+and the new stream.
+
+The bug was spotted by a new fuzzer, RaceFuzzer.
+
+BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_virmidi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s
+ }
+ return;
+ }
++ spin_lock_irqsave(&substream->runtime->lock, flags);
+ if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
+ if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
+- return;
++ goto out;
+ vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
+ }
+- spin_lock_irqsave(&substream->runtime->lock, flags);
+ while (1) {
+ count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+ if (count <= 0)
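Review bot: With `spin_lock_irqsave()` now taken before the pending-event branch, `snd_seq_kernel_client_dispatch()` always runs with the runtime lock held and interrupts off, yet it is still passed `in_atomic()`. in_atomic() does not see held spinlocks on kernels built without preempt counting, so it can report 0 there and may let the dispatch take a non-atomic path under the lock. Passing a constant removes the doubt: `snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, true, 0)`. The `out` label and the rest of the loop are outside the hunk, so the unlock path could not be checked here.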
--- /dev/null
+From 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
+ <sz.lin@moxa.com>
+Date: Thu, 26 Apr 2018 14:30:13 +0800
+Subject: NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SZ Lin (林上智) <sz.lin@moxa.com>
+
+commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream.
+
+This patch adds support for PID 0x90b2 of ublox R410M.
+
+qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer
+[/dev/cdc-wdm0] Device manufacturer retrieved:
+ Manufacturer: 'u-blox'
+
+qmicli -d /dev/cdc-wdm0 --dms-get-model
+[/dev/cdc-wdm0] Device model retrieved:
+ Model: 'SARA-R410M-02B'
+
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -673,6 +673,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+ {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+ {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
--- /dev/null
+From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:53 +0300
+Subject: RDMA/mlx5: Protect from shift operand overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
+
+Ensure that user didn't supply values too large that can cause overflow.
+
+UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
+shift exponent -2147483648 is negative
+CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
+Trace:
+dump_stack+0xde/0x164
+ubsan_epilogue+0xe/0x81
+set_rq_size+0x7c2/0xa90
+create_qp_common+0xc18/0x43c0
+mlx5_ib_create_qp+0x379/0x1ca0
+create_qp.isra.5+0xc94/0x2260
+ib_uverbs_create_qp+0x21b/0x2a0
+ib_uverbs_write+0xc2c/0x1010
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+do_syscall_64+0x1aa/0x740
+entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x433569
+RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
+RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
+RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
+R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
+R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Cc: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -174,7 +174,11 @@ static int set_rq_size(struct mlx5_ib_de
+ } else {
+ if (ucmd) {
+ qp->rq.wqe_cnt = ucmd->rq_wqe_count;
++ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
++ return -EINVAL;
+ qp->rq.wqe_shift = ucmd->rq_wqe_shift;
++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
++ return -EINVAL;
+ qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
+ qp->rq.max_post = qp->rq.wqe_cnt;
+ } else {
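Review bot: The new bound `ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift)` still admits a shift equal to the field's bit width, and the value then feeds `1 << qp->rq.wqe_shift` twice, where the left operand is a signed int. Assuming a 32-bit field, 32 is an out-of-range shift and 31 overflows the signed result, so user-supplied values can still reach undefined behaviour. Bound it by the shifted type instead: `if (ucmd->rq_wqe_shift >= BITS_PER_BYTE * sizeof(int) - 1) return -EINVAL;`. The check could also move ahead of the `qp->rq.wqe_cnt` assignment so a rejected command leaves `qp` untouched. set_rq_size() starts and ends outside the hunk.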
percpu-include-linux-sched.h-for-cond_resched.patch
perf-core-fix-the-perf_cpu_time_max_percent-check.patch
perf-session-fix-undeclared-oe.patch
+alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
+alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
+alsa-aloop-mark-paused-device-as-inactive.patch
+alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
+rdma-mlx5-protect-from-shift-operand-overflow.patch
+net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch