--- /dev/null
+From 7fbd1753b64eafe21cf842348a40a691d0dee440 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 1 Jul 2019 23:43:53 +0900
+Subject: ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 7fbd1753b64eafe21cf842348a40a691d0dee440 upstream.
+
+In IEC 61883-6, 8 MIDI data streams are multiplexed into single
+MIDI conformant data channel. The index of stream is calculated by
+modulo 8 of the value of data block counter.
+
+In fireworks, the value of data block counter in CIP header has a quirk
+with firmware version v5.0.0, v5.7.3 and v5.8.0. This brings ALSA
+IEC 61883-1/6 packet streaming engine to miss detection of MIDI
+messages.
+
+This commit fixes the miss detection to modify the value of data block
+counter for the modulo calculation.
+
+For maintainers, this bug exists since a commit 18f5ed365d3f ("ALSA:
+fireworks/firewire-lib: add support for recent firmware quirk") in Linux
+kernel v4.2. There're many changes since the commit. This fix can be
+backported to Linux kernel v4.4 or later. I tagged a base commit to the
+backport for your convenience.
+
+Besides, my work for Linux kernel v5.3 brings heavy code refactoring and
+some structure members are renamed in 'sound/firewire/amdtp-stream.h'.
+The content of this patch brings conflict when merging -rc tree with
+this patch and the latest tree. I request maintainers to solve the
+conflict to replace 'tx_first_dbc' with 'ctx_data.tx.first_dbc'.
+
+Fixes: df075feefbd3 ("ALSA: firewire-lib: complete AM824 data block processing layer")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp-am824.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-am824.c
++++ b/sound/firewire/amdtp-am824.c
+@@ -388,7 +388,7 @@ static void read_midi_messages(struct am
+ u8 *b;
+
+ for (f = 0; f < frames; f++) {
+- port = (s->data_block_counter + f) % 8;
++ port = (8 - s->tx_first_dbc + s->data_block_counter + f) % 8;
+ b = (u8 *)&buffer[p->midi_position];
+
+ len = b[0] - 0x80;
--- /dev/null
+From 3450121997ce872eb7f1248417225827ea249710 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 2 Jul 2019 20:07:21 +0200
+Subject: ALSA: line6: Fix write on zero-sized buffer
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3450121997ce872eb7f1248417225827ea249710 upstream.
+
+LINE6 drivers allocate the buffers based on the value returned from
+usb_maxpacket() calls. The manipulated device may return zero for
+this, and this results in the kmalloc() with zero size (and it may
+succeed) while the other part of the driver code writes the packet
+data with the fixed size -- which eventually overwrites.
+
+This patch adds a simple sanity check for the invalid buffer size for
+avoiding that problem.
+
+Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/pcm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -558,6 +558,11 @@ int line6_init_pcm(struct usb_line6 *lin
+ line6pcm->max_packet_size_out =
+ usb_maxpacket(line6->usbdev,
+ usb_sndisocpipe(line6->usbdev, ep_write), 1);
++ if (!line6pcm->max_packet_size_in || !line6pcm->max_packet_size_out) {
++ dev_err(line6pcm->line6->ifcdev,
++ "cannot get proper max packet size\n");
++ return -EINVAL;
++ }
+
+ spin_lock_init(&line6pcm->out.lock);
+ spin_lock_init(&line6pcm->in.lock);
--- /dev/null
+From c3ea60c231446663afd6ea1054da6b7f830855ca Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 28 Jun 2019 10:54:29 +0100
+Subject: ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit c3ea60c231446663afd6ea1054da6b7f830855ca upstream.
+
+There are two occurrances of a call to snd_seq_oss_fill_addr where
+the dest_client and dest_port arguments are in the wrong order. Fix
+this by swapping them around.
+
+Addresses-Coverity: ("Arguments in wrong order")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/oss/seq_oss_ioctl.c | 2 +-
+ sound/core/seq/oss/seq_oss_rw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/oss/seq_oss_ioctl.c
++++ b/sound/core/seq/oss/seq_oss_ioctl.c
+@@ -62,7 +62,7 @@ static int snd_seq_oss_oob_user(struct s
+ if (copy_from_user(ev, arg, 8))
+ return -EFAULT;
+ memset(&tmpev, 0, sizeof(tmpev));
+- snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.client, dp->addr.port);
+ tmpev.time.tick = 0;
+ if (! snd_seq_oss_process_event(dp, (union evrec *)ev, &tmpev)) {
+ snd_seq_oss_dispatch(dp, &tmpev, 0, 0);
+--- a/sound/core/seq/oss/seq_oss_rw.c
++++ b/sound/core/seq/oss/seq_oss_rw.c
+@@ -174,7 +174,7 @@ insert_queue(struct seq_oss_devinfo *dp,
+ memset(&event, 0, sizeof(event));
+ /* set dummy -- to be sure */
+ event.type = SNDRV_SEQ_EVENT_NOTEOFF;
+- snd_seq_oss_fill_addr(dp, &event, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &event, dp->addr.client, dp->addr.port);
+
+ if (snd_seq_oss_process_event(dp, rec, &event))
+ return 0; /* invalid event - no need to insert queue */
--- /dev/null
+From 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 27 Jun 2019 17:43:08 +0100
+Subject: ALSA: usb-audio: fix sign unintended sign extension on left shifts
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 upstream.
+
+There are a couple of left shifts of unsigned 8 bit values that
+first get promoted to signed ints and hence get sign extended
+on the shift if the top bit of the 8 bit values are set. Fix
+this by casting the 8 bit values to unsigned ints to stop the
+unintentional sign extension.
+
+Addresses-Coverity: ("Unintended sign extension")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -753,7 +753,7 @@ static int snd_ni_control_init_val(struc
+ return err;
+ }
+
+- kctl->private_value |= (value << 24);
++ kctl->private_value |= ((unsigned int)value << 24);
+ return 0;
+ }
+
+@@ -914,7 +914,7 @@ static int snd_ftu_eff_switch_init(struc
+ if (err < 0)
+ return err;
+
+- kctl->private_value |= value[0] << 24;
++ kctl->private_value |= (unsigned int)value[0] << 24;
+ return 0;
+ }
+
--- /dev/null
+From 21d4120ec6f5b5992b01b96ac484701163917b63 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 2 Jul 2019 14:17:00 -0700
+Subject: crypto: user - prevent operating on larval algorithms
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 21d4120ec6f5b5992b01b96ac484701163917b63 upstream.
+
+Michal Suchanek reported [1] that running the pcrypt_aead01 test from
+LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
+alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
+The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.
+
+The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
+unregister isn't a real registered algorithm, but rather is a "test
+larval", which is a special "algorithm" added to the algorithms list
+while the real algorithm is still being tested. Larvals don't have
+initialized cra_users, so that causes the crash. Normally pcrypt_aead01
+doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
+to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.
+
+Everything else in the "crypto user configuration" API has this same bug
+too, i.e. it inappropriately allows operating on larval algorithms
+(though it doesn't look like the other cases can cause a crash).
+
+Fix this by making crypto_alg_match() exclude larval algorithms.
+
+[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
+[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c
+
+Reported-by: Michal Suchanek <msuchanek@suse.de>
+Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
+Cc: <stable@vger.kernel.org> # v3.2+
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/crypto_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -55,6 +55,9 @@ static struct crypto_alg *crypto_alg_mat
+ list_for_each_entry(q, &crypto_alg_list, cra_list) {
+ int match = 0;
+
++ if (crypto_is_larval(q))
++ continue;
++
+ if ((q->cra_flags ^ p->cru_type) & p->cru_mask)
+ continue;
+
--- /dev/null
+From 78c68e8f5cd24bd32ba4ca1cdfb0c30cf0642685 Mon Sep 17 00:00:00 2001
+From: Robert Beckett <bob.beckett@collabora.com>
+Date: Tue, 25 Jun 2019 18:59:13 +0100
+Subject: drm/imx: notify drm core before sending event during crtc disable
+
+From: Robert Beckett <bob.beckett@collabora.com>
+
+commit 78c68e8f5cd24bd32ba4ca1cdfb0c30cf0642685 upstream.
+
+Notify drm core before sending pending events during crtc disable.
+This fixes the first event after disable having an old stale timestamp
+by having drm_crtc_vblank_off update the timestamp to now.
+
+This was seen while debugging weston log message:
+Warning: computed repaint delay is insane: -8212 msec
+
+This occurred due to:
+1. driver starts up
+2. fbcon comes along and restores fbdev, enabling vblank
+3. vblank_disable_fn fires via timer disabling vblank, keeping vblank
+seq number and time set at current value
+(some time later)
+4. weston starts and does a modeset
+5. atomic commit disables crtc while it does the modeset
+6. ipu_crtc_atomic_disable sends vblank with old seq number and time
+
+Fixes: a474478642d5 ("drm/imx: fix crtc vblank state regression")
+
+Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -76,14 +76,14 @@ static void ipu_crtc_atomic_disable(stru
+ drm_atomic_helper_disable_planes_on_crtc(old_crtc_state, false);
+ ipu_dc_disable(ipu);
+
++ drm_crtc_vblank_off(crtc);
++
+ spin_lock_irq(&crtc->dev->event_lock);
+ if (crtc->state->event) {
+ drm_crtc_send_vblank_event(crtc, crtc->state->event);
+ crtc->state->event = NULL;
+ }
+ spin_unlock_irq(&crtc->dev->event_lock);
+-
+- drm_crtc_vblank_off(crtc);
+ }
+
+ static void imx_drm_crtc_reset(struct drm_crtc *crtc)
--- /dev/null
+From 5aeab2bfc9ffa72d3ca73416635cb3785dfc076f Mon Sep 17 00:00:00 2001
+From: Robert Beckett <bob.beckett@collabora.com>
+Date: Tue, 25 Jun 2019 18:59:15 +0100
+Subject: drm/imx: only send event on crtc disable if kept disabled
+
+From: Robert Beckett <bob.beckett@collabora.com>
+
+commit 5aeab2bfc9ffa72d3ca73416635cb3785dfc076f upstream.
+
+The event will be sent as part of the vblank enable during the modeset
+if the crtc is not being kept disabled.
+
+Fixes: 5f2f911578fb ("drm/imx: atomic phase 3 step 1: Use atomic configuration")
+
+Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -79,7 +79,7 @@ static void ipu_crtc_atomic_disable(stru
+ drm_crtc_vblank_off(crtc);
+
+ spin_lock_irq(&crtc->dev->event_lock);
+- if (crtc->state->event) {
++ if (crtc->state->event && !crtc->state->active) {
+ drm_crtc_send_vblank_event(crtc, crtc->state->event);
+ crtc->state->event = NULL;
+ }
--- /dev/null
+From c8ea9fce2baf7b643384f36f29e4194fa40d33a6 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 24 Jun 2019 18:32:26 +0800
+Subject: lib/mpi: Fix karactx leak in mpi_powm
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit c8ea9fce2baf7b643384f36f29e4194fa40d33a6 upstream.
+
+Sometimes mpi_powm will leak karactx because a memory allocation
+failure causes a bail-out that skips the freeing of karactx. This
+patch moves the freeing of karactx to the end of the function like
+everything else so that it can't be skipped.
+
+Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
+Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/mpi/mpi-pow.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/lib/mpi/mpi-pow.c
++++ b/lib/mpi/mpi-pow.c
+@@ -37,6 +37,7 @@
+ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
+ {
+ mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL;
++ struct karatsuba_ctx karactx = {};
+ mpi_ptr_t xp_marker = NULL;
+ mpi_ptr_t tspace = NULL;
+ mpi_ptr_t rp, ep, mp, bp;
+@@ -164,13 +165,11 @@ int mpi_powm(MPI res, MPI base, MPI exp,
+ int c;
+ mpi_limb_t e;
+ mpi_limb_t carry_limb;
+- struct karatsuba_ctx karactx;
+
+ xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));
+ if (!xp)
+ goto enomem;
+
+- memset(&karactx, 0, sizeof karactx);
+ negative_result = (ep[0] & 1) && base->sign;
+
+ i = esize - 1;
+@@ -295,8 +294,6 @@ int mpi_powm(MPI res, MPI base, MPI exp,
+ if (mod_shift_cnt)
+ mpihelp_rshift(rp, rp, rsize, mod_shift_cnt);
+ MPN_NORMALIZE(rp, rsize);
+-
+- mpihelp_release_karatsuba_ctx(&karactx);
+ }
+
+ if (negative_result && rsize) {
+@@ -313,6 +310,7 @@ int mpi_powm(MPI res, MPI base, MPI exp,
+ leave:
+ rc = 0;
+ enomem:
++ mpihelp_release_karatsuba_ctx(&karactx);
+ if (assign_rp)
+ mpi_assign_limb_space(res, rp, size);
+ if (mp_marker)
--- /dev/null
+From 6994eefb0053799d2e07cd140df6c2ea106c41ee Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Thu, 4 Jul 2019 17:32:23 +0200
+Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
+
+From: Jann Horn <jannh@google.com>
+
+commit 6994eefb0053799d2e07cd140df6c2ea106c41ee upstream.
+
+Fix two issues:
+
+When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
+reference to the parent's objective credentials, then give that pointer
+to get_cred(). However, the object lifetime rules for things like
+struct cred do not permit unconditionally turning an RCU reference into
+a stable reference.
+
+PTRACE_TRACEME records the parent's credentials as if the parent was
+acting as the subject, but that's not the case. If a malicious
+unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
+at a later point, the parent process becomes attacker-controlled
+(because it drops privileges and calls execve()), the attacker ends up
+with control over two processes with a privileged ptrace relationship,
+which can be abused to ptrace a suid binary and obtain root privileges.
+
+Fix both of these by always recording the credentials of the process
+that is requesting the creation of the ptrace relationship:
+current_cred() can't change under us, and current is the proper subject
+for access control.
+
+This change is theoretically userspace-visible, but I am not aware of
+any code that it will actually break.
+
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -74,9 +74,7 @@ void __ptrace_link(struct task_struct *c
+ */
+ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- rcu_read_lock();
+- __ptrace_link(child, new_parent, __task_cred(new_parent));
+- rcu_read_unlock();
++ __ptrace_link(child, new_parent, current_cred());
+ }
+
+ /**
bug.h-work-around-gcc-pr82365-in-bug.patch
drm-i915-dmc-protect-against-reading-random-memory.patch
mips-workaround-gcc-__builtin_unreachable-reordering.patch
+ptrace-fix-ptracer_cred-handling-for-ptrace_traceme.patch
+crypto-user-prevent-operating-on-larval-algorithms.patch
+alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch
+alsa-firewire-lib-fireworks-fix-miss-detection-of-received-midi-messages.patch
+alsa-line6-fix-write-on-zero-sized-buffer.patch
+alsa-usb-audio-fix-sign-unintended-sign-extension-on-left-shifts.patch
+lib-mpi-fix-karactx-leak-in-mpi_powm.patch
+drm-imx-notify-drm-core-before-sending-event-during-crtc-disable.patch
+drm-imx-only-send-event-on-crtc-disable-if-kept-disabled.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
