--- /dev/null
+From a67060201b746a308b1674f66bf289c9faef6d09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Tue, 6 Aug 2019 03:00:27 -0400
+Subject: ALSA: usb-audio: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit a67060201b746a308b1674f66bf289c9faef6d09 upstream.
+
+In snd_usb_get_audioformat_uac3(), a structure for channel maps 'chmap' is
+allocated through kzalloc() before execution jumps to 'found_clock'.
+However, this structure is not deallocated if the memory allocation for
+'pd' fails, leading to a memory leak bug.
+
+To fix the above issue, free 'fp->chmap' before returning NULL.
+
+Fixes: 7edf3b5e6a45 ("ALSA: usb-audio: AudioStreaming Power Domain parsing")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/stream.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -1053,6 +1053,7 @@ found_clock:
+
+ pd = kzalloc(sizeof(*pd), GFP_KERNEL);
+ if (!pd) {
++ kfree(fp->chmap);
+ kfree(fp->rate_table);
+ kfree(fp);
+ return NULL;
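Review bot: The `!pd` failure branch now unwinds three allocations by hand (`fp->chmap`, `fp->rate_table`, `fp`), which is the same inline pattern that let `chmap` be missed originally. A single cleanup label for the function would keep the next allocation attached to `fp` from leaking the same way. Short of that, a comment above the kfree calls such as `/* free everything attached to fp so far */` would make the ownership explicit. Any other early return reached after `fp->chmap` is assigned is worth checking for the same omission; those returns, and the start and end of snd_usb_get_audioformat_uac3(), are outside this hunk.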
--- /dev/null
+From e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander <roderick@gaikai.com>
+Date: Fri, 2 Aug 2019 15:50:19 -0700
+Subject: HID: sony: Fix race condition between rumble and device remove.
+
+From: Roderick Colenbrander <roderick@gaikai.com>
+
+commit e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 upstream.
+
+Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
+gamepad while rumble is enabled. This issue is reproducible with a
+frequency of 1 in 3 times in the game Borderlands 2 when using an
+automatic weapon, which triggers many rumble operations.
+
+We found the issue to be a race condition between sony_remove and the
+final device destruction by the HID / input system. The problem was
+that sony_remove didn't clean some of its work_item state in
+"struct sony_sc". After sony_remove work, the corresponding evdev
+node was around for sufficient time for applications to still queue
+rumble work after "sony_remove".
+
+On pre-4.19 kernels the race condition caused a kernel crash due to a
+NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
+sony_remove. On newer kernels this crash doesn't happen due to the buffer
+now being allocated using devm_kzalloc. However we can still queue work,
+while the driver is in an undefined state.
+
+This patch fixes the described problem, by guarding the work_item
+"state_worker" with an initialized variable, which we are setting back
+to 0 on cleanup.
+
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-sony.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -587,10 +587,14 @@ static void sony_set_leds(struct sony_sc
+ static inline void sony_schedule_work(struct sony_sc *sc,
+ enum sony_worker which)
+ {
++ unsigned long flags;
++
+ switch (which) {
+ case SONY_WORKER_STATE:
+- if (!sc->defer_initialization)
++ spin_lock_irqsave(&sc->lock, flags);
++ if (!sc->defer_initialization && sc->state_worker_initialized)
+ schedule_work(&sc->state_worker);
++ spin_unlock_irqrestore(&sc->lock, flags);
+ break;
+ case SONY_WORKER_HOTPLUG:
+ if (sc->hotplug_worker_initialized)
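Review bot: The `SONY_WORKER_HOTPLUG` case still tests `sc->hotplug_worker_initialized` without taking `sc->lock`, and in the second hunk sony_cancel_work_sync() cancels `hotplug_worker` without clearing that flag, so only the state worker gets the new guard. If hotplug work can also be requested after sony_remove() (not visible from these hunks), the same window stays open for it. The symmetric change would be the locked test here plus `sc->hotplug_worker_initialized = 0;` under the lock before `cancel_work_sync(&sc->hotplug_worker);`. If the hotplug path cannot race, a short comment saying why only `state_worker` needs the lock would save the next reader the analysis. The switch continues past the end of this hunk.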
+@@ -2553,13 +2557,18 @@ static inline void sony_init_output_repo
+
+ static inline void sony_cancel_work_sync(struct sony_sc *sc)
+ {
++ unsigned long flags;
++
+ if (sc->hotplug_worker_initialized)
+ cancel_work_sync(&sc->hotplug_worker);
+- if (sc->state_worker_initialized)
++ if (sc->state_worker_initialized) {
++ spin_lock_irqsave(&sc->lock, flags);
++ sc->state_worker_initialized = 0;
++ spin_unlock_irqrestore(&sc->lock, flags);
+ cancel_work_sync(&sc->state_worker);
++ }
+ }
+
+-
+ static int sony_input_configured(struct hid_device *hdev,
+ struct hid_input *hidinput)
+ {
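Review bot: In sony_cancel_work_sync() the flag is cleared before `cancel_work_sync(&sc->state_worker)`, and that ordering is what closes the window, but nothing in the code says so. I would add a comment above the locked section, e.g. `/* Clear the flag first so sony_schedule_work() cannot requeue while we wait for running work to finish. */`. The outer `if (sc->state_worker_initialized)` read also happens outside the lock. That looks harmless if teardown is the only path that clears the flag, but it is worth confirming that no second caller can run concurrently.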
tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch
perf-core-fix-creating-kernel-counters-for-pmus-that.patch
s390-dma-provide-proper-arch_zone_dma_bits-value.patch
+hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
+x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch
+alsa-usb-audio-fix-a-memory-leak-bug.patch
--- /dev/null
+From 4ce97317f41d38584fb93578e922fcd19e535f5b Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Wed, 7 Aug 2019 15:15:32 -0700
+Subject: x86/purgatory: Do not use __builtin_memcpy and __builtin_memset
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+commit 4ce97317f41d38584fb93578e922fcd19e535f5b upstream.
+
+Implementing memcpy and memset in terms of __builtin_memcpy and
+__builtin_memset is problematic.
+
+GCC at -O2 will replace calls to the builtins with calls to memcpy and
+memset (but will generate an inline implementation at -Os). Clang will
+replace the builtins with these calls regardless of optimization level.
+$ llvm-objdump -dr arch/x86/purgatory/string.o | tail
+
+0000000000000339 memcpy:
+ 339: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
+ 000000000000033b: R_X86_64_64 memcpy
+ 343: ff e0 jmpq *%rax
+
+0000000000000345 memset:
+ 345: 48 b8 00 00 00 00 00 00 00 00 movabsq $0, %rax
+ 0000000000000347: R_X86_64_64 memset
+ 34f: ff e0
+
+Such code results in infinite recursion at runtime. This is observed
+when doing kexec.
+
+Instead, reuse an implementation from arch/x86/boot/compressed/string.c.
+This requires implementing a stub function for warn(). Also, Clang may
+lower memcmp's that compare against 0 to bcmp's, so add a small definition,
+too. See also: commit 5f074f3e192f ("lib/string.c: implement a basic bcmp")
+
+Fixes: 8fc5b4d4121c ("purgatory: core purgatory functionality")
+Reported-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Debugged-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Debugged-by: Manoj Gupta <manojgupta@google.com>
+Suggested-by: Alistair Delva <adelva@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Cc: stable@vger.kernel.org
+Link: https://bugs.chromium.org/p/chromium/issues/detail?id=984056
+Link: https://lkml.kernel.org/r/20190807221539.94583-1-ndesaulniers@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/string.c | 8 ++++++++
+ arch/x86/purgatory/Makefile | 3 +++
+ arch/x86/purgatory/purgatory.c | 6 ++++++
+ arch/x86/purgatory/string.c | 25 -------------------------
+ 4 files changed, 17 insertions(+), 25 deletions(-)
+
+--- a/arch/x86/boot/string.c
++++ b/arch/x86/boot/string.c
+@@ -34,6 +34,14 @@ int memcmp(const void *s1, const void *s
+ return diff;
+ }
+
++/*
++ * Clang may lower `memcmp == 0` to `bcmp == 0`.
++ */
++int bcmp(const void *s1, const void *s2, size_t len)
++{
++ return memcmp(s1, s2, len);
++}
++
+ int strcmp(const char *str1, const char *str2)
+ {
+ const unsigned char *s1 = (const unsigned char *)str1;
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -6,6 +6,9 @@ purgatory-y := purgatory.o stack.o setup
+ targets += $(purgatory-y)
+ PURGATORY_OBJS = $(addprefix $(obj)/,$(purgatory-y))
+
++$(obj)/string.o: $(srctree)/arch/x86/boot/compressed/string.c FORCE
++ $(call if_changed_rule,cc_o_c)
++
+ $(obj)/sha256.o: $(srctree)/lib/sha256.c FORCE
+ $(call if_changed_rule,cc_o_c)
+
+--- a/arch/x86/purgatory/purgatory.c
++++ b/arch/x86/purgatory/purgatory.c
+@@ -70,3 +70,9 @@ void purgatory(void)
+ }
+ copy_backup_region();
+ }
++
++/*
++ * Defined in order to reuse memcpy() and memset() from
++ * arch/x86/boot/compressed/string.c
++ */
++void warn(const char *msg) {}
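Review bot: `void warn(const char *msg) {}` silently discards whatever the shared string code reports, and the comment above it explains only why the symbol exists, not that dropping the message is intended. I would extend the comment, e.g. `/* No console in purgatory: diagnostics from the shared string code are intentionally dropped. */`, assuming that is the reason, which the hunk does not show. The definition also has no prototype visible in this hunk, so it is worth confirming that an included header declares `warn()`; otherwise this may trip a missing-prototype warning.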
+--- a/arch/x86/purgatory/string.c
++++ /dev/null
+@@ -1,25 +0,0 @@
+-/*
+- * Simple string functions.
+- *
+- * Copyright (C) 2014 Red Hat Inc.
+- *
+- * Author:
+- * Vivek Goyal <vgoyal@redhat.com>
+- *
+- * This source code is licensed under the GNU General Public License,
+- * Version 2. See the file COPYING for more details.
+- */
+-
+-#include <linux/types.h>
+-
+-#include "../boot/string.c"
+-
+-void *memcpy(void *dst, const void *src, size_t len)
+-{
+- return __builtin_memcpy(dst, src, len);
+-}
+-
+-void *memset(void *dst, int c, size_t len)
+-{
+- return __builtin_memset(dst, c, len);
+-}