4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 Nov 2021 13:20:42 +0000 (14:20 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 Nov 2021 13:20:42 +0000 (14:20 +0100)
added patches:
alsa-6fire-fix-control-and-bulk-message-timeouts.patch
alsa-line6-fix-control-and-interrupt-message-timeouts.patch
alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
alsa-timer-fix-use-after-free-problem.patch
alsa-timer-unconditionally-unlink-slave-instances-too.patch
alsa-ua101-fix-division-by-zero-at-probe.patch
x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch

queue-4.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch [new file with mode: 0644]
queue-4.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch [new file with mode: 0644]
queue-4.4/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch [new file with mode: 0644]
queue-4.4/alsa-timer-fix-use-after-free-problem.patch [new file with mode: 0644]
queue-4.4/alsa-timer-unconditionally-unlink-slave-instances-too.patch [new file with mode: 0644]
queue-4.4/alsa-ua101-fix-division-by-zero-at-probe.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch [new file with mode: 0644]

diff --git a/queue-4.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch b/queue-4.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
new file mode 100644 (file)
index 0000000..f1da1ab
--- /dev/null
@@ -0,0 +1,63 @@
+From 9b371c6cc37f954360989eec41c2ddc5a6b83917 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 14:11:41 +0200
+Subject: ALSA: 6fire: fix control and bulk message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9b371c6cc37f954360989eec41c2ddc5a6b83917 upstream.
+
+USB control and bulk message timeouts are specified in milliseconds and
+should specifically not vary with CONFIG_HZ.
+
+Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB")
+Cc: stable@vger.kernel.org      # 2.6.39
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025121142.6531-2-johan@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/6fire/comm.c     |    2 +-
+ sound/usb/6fire/firmware.c |    6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/6fire/comm.c
++++ b/sound/usb/6fire/comm.c
+@@ -99,7 +99,7 @@ static int usb6fire_comm_send_buffer(u8
+       int actual_len;
+       ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, COMM_EP),
+-                      buffer, buffer[1] + 2, &actual_len, HZ);
++                      buffer, buffer[1] + 2, &actual_len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (actual_len != buffer[1] + 2)
+--- a/sound/usb/6fire/firmware.c
++++ b/sound/usb/6fire/firmware.c
+@@ -166,7 +166,7 @@ static int usb6fire_fw_ezusb_write(struc
+       ret = usb_control_msg(device, usb_sndctrlpipe(device, 0), type,
+                       USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+-                      value, 0, data, len, HZ);
++                      value, 0, data, len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (ret != len)
+@@ -179,7 +179,7 @@ static int usb6fire_fw_ezusb_read(struct
+ {
+       int ret = usb_control_msg(device, usb_rcvctrlpipe(device, 0), type,
+                       USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, value,
+-                      0, data, len, HZ);
++                      0, data, len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (ret != len)
+@@ -194,7 +194,7 @@ static int usb6fire_fw_fpga_write(struct
+       int ret;
+       ret = usb_bulk_msg(device, usb_sndbulkpipe(device, FPGA_EP), data, len,
+-                      &actual_len, HZ);
++                      &actual_len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (actual_len != len)
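Review bot: The literal `1000` now appears at four call sites (usb6fire_comm_send_buffer() in comm.c and the three usb6fire_fw_* helpers in firmware.c) with nothing at the call stating its unit, so a reader cannot tell from the code that it is milliseconds rather than jiffies. A shared named constant with a unit comment, for example `#define USB6FIRE_MSG_TIMEOUT_MS 1000 /* usb_*_msg() timeouts are in milliseconds */` (the name is only a suggestion), would keep the four sites in step. All four enclosing functions start and end outside the hunks shown.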
diff --git a/queue-4.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch b/queue-4.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch
new file mode 100644 (file)
index 0000000..25af315
--- /dev/null
@@ -0,0 +1,102 @@
+From f4000b58b64344871d7b27c05e73932f137cfef6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 14:11:42 +0200
+Subject: ALSA: line6: fix control and interrupt message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f4000b58b64344871d7b27c05e73932f137cfef6 upstream.
+
+USB control and interrupt message timeouts are specified in milliseconds
+and should specifically not vary with CONFIG_HZ.
+
+Fixes: 705ececd1c60 ("Staging: add line6 usb driver")
+Cc: stable@vger.kernel.org      # 2.6.30
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025121142.6531-3-johan@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/line6/driver.c   |   12 ++++++------
+ sound/usb/line6/driver.h   |    2 +-
+ sound/usb/line6/toneport.c |    2 +-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -101,7 +101,7 @@ static int line6_send_raw_message(struct
+                                       usb_sndintpipe(line6->usbdev,
+                                               line6->properties->ep_ctrl_w),
+                                       (char *)frag_buf, frag_size,
+-                                      &partial, LINE6_TIMEOUT * HZ);
++                                      &partial, LINE6_TIMEOUT);
+               if (retval) {
+                       dev_err(line6->ifcdev,
+@@ -321,7 +321,7 @@ int line6_read_data(struct usb_line6 *li
+       ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+                             (datalen << 8) | 0x21, address,
+-                            NULL, 0, LINE6_TIMEOUT * HZ);
++                            NULL, 0, LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(line6->ifcdev, "read request failed (error %d)\n", ret);
+@@ -336,7 +336,7 @@ int line6_read_data(struct usb_line6 *li
+                                     USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+                                     USB_DIR_IN,
+                                     0x0012, 0x0000, len, 1,
+-                                    LINE6_TIMEOUT * HZ);
++                                    LINE6_TIMEOUT);
+               if (ret < 0) {
+                       dev_err(line6->ifcdev,
+                               "receive length failed (error %d)\n", ret);
+@@ -364,7 +364,7 @@ int line6_read_data(struct usb_line6 *li
+       ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+                             0x0013, 0x0000, data, datalen,
+-                            LINE6_TIMEOUT * HZ);
++                            LINE6_TIMEOUT);
+       if (ret < 0)
+               dev_err(line6->ifcdev, "read failed (error %d)\n", ret);
+@@ -396,7 +396,7 @@ int line6_write_data(struct usb_line6 *l
+       ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+                             0x0022, address, data, datalen,
+-                            LINE6_TIMEOUT * HZ);
++                            LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(line6->ifcdev,
+@@ -412,7 +412,7 @@ int line6_write_data(struct usb_line6 *l
+                                     USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+                                     USB_DIR_IN,
+                                     0x0012, 0x0000,
+-                                    status, 1, LINE6_TIMEOUT * HZ);
++                                    status, 1, LINE6_TIMEOUT);
+               if (ret < 0) {
+                       dev_err(line6->ifcdev,
+--- a/sound/usb/line6/driver.h
++++ b/sound/usb/line6/driver.h
+@@ -24,7 +24,7 @@
+ #define LINE6_FALLBACK_INTERVAL 10
+ #define LINE6_FALLBACK_MAXPACKETSIZE 16
+-#define LINE6_TIMEOUT 1
++#define LINE6_TIMEOUT 1000
+ #define LINE6_BUFSIZE_LISTEN 32
+ #define LINE6_MESSAGE_MAXLEN 256
+--- a/sound/usb/line6/toneport.c
++++ b/sound/usb/line6/toneport.c
+@@ -133,7 +133,7 @@ static int toneport_send_cmd(struct usb_
+       ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+-                            cmd1, cmd2, NULL, 0, LINE6_TIMEOUT * HZ);
++                            cmd1, cmd2, NULL, 0, LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(&usbdev->dev, "send failed (error %d)\n", ret);
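Review bot: `LINE6_TIMEOUT` in driver.h changes meaning from seconds to milliseconds while keeping its name, so any remaining `LINE6_TIMEOUT * HZ` user that this patch does not touch would still compile and silently become a much longer timeout (1000 * HZ milliseconds). The hunks cover driver.c and toneport.c only; because this is a backport, the set of users in the 4.4 tree may differ from upstream, and it is worth grepping sound/usb/line6/ for the macro before the patch is applied. A unit comment on the define, `#define LINE6_TIMEOUT 1000 /* milliseconds, passed directly to usb_*_msg() */`, would document the new contract.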
diff --git a/queue-4.4/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch b/queue-4.4/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
new file mode 100644 (file)
index 0000000..a75dd27
--- /dev/null
@@ -0,0 +1,35 @@
+From d159037abbe3412285c271bdfb9cdf19e62678ff Mon Sep 17 00:00:00 2001
+From: Austin Kim <austin.kim@lge.com>
+Date: Tue, 9 Nov 2021 00:37:42 +0000
+Subject: ALSA: synth: missing check for possible NULL after the call to kstrdup
+
+From: Austin Kim <austin.kim@lge.com>
+
+commit d159037abbe3412285c271bdfb9cdf19e62678ff upstream.
+
+If kcalloc() return NULL due to memory starvation, it is possible for
+kstrdup() to return NULL in similar case. So add null check after the call
+to kstrdup() is made.
+
+[ minor coding-style fix by tiwai ]
+
+Signed-off-by: Austin Kim <austin.kim@lge.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211109003742.GA5423@raspberrypi
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/synth/emux/emux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/synth/emux/emux.c
++++ b/sound/synth/emux/emux.c
+@@ -101,7 +101,7 @@ int snd_emux_register(struct snd_emux *e
+       emu->name = kstrdup(name, GFP_KERNEL);
+       emu->voices = kcalloc(emu->max_voices, sizeof(struct snd_emux_voice),
+                             GFP_KERNEL);
+-      if (emu->voices == NULL)
++      if (emu->name == NULL || emu->voices == NULL)
+               return -ENOMEM;
+       /* create soundfont list */
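Review bot: The combined check `if (emu->name == NULL || emu->voices == NULL)` returns -ENOMEM without freeing whichever of the two allocations succeeded, and no cleanup is visible in this hunk. If callers of snd_emux_register() are expected to release the emux object on failure, a comment at the return saying so would help, e.g. `/* name/voices are released by the caller's emux free path on error */`; otherwise the error path should kfree() both (kfree(NULL) is a no-op). snd_emux_register() starts before and continues past the hunk, so which of the two applies could not be confirmed from the page.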
diff --git a/queue-4.4/alsa-timer-fix-use-after-free-problem.patch b/queue-4.4/alsa-timer-fix-use-after-free-problem.patch
new file mode 100644 (file)
index 0000000..9f9a7a4
--- /dev/null
@@ -0,0 +1,53 @@
+From c0317c0e87094f5b5782b6fdef5ae0a4b150496c Mon Sep 17 00:00:00 2001
+From: Wang Wensheng <wangwensheng4@huawei.com>
+Date: Wed, 3 Nov 2021 03:35:17 +0000
+Subject: ALSA: timer: Fix use-after-free problem
+
+From: Wang Wensheng <wangwensheng4@huawei.com>
+
+commit c0317c0e87094f5b5782b6fdef5ae0a4b150496c upstream.
+
+When the timer instance was add into ack_list but was not currently in
+process, the user could stop it via snd_timer_stop1() without delete it
+from the ack_list. Then the user could free the timer instance and when
+it was actually processed UAF occurred.
+
+This issue could be reproduced via testcase snd_timer01 in ltp - running
+several instances of that testcase at the same time.
+
+What I actually met was that the ack_list of the timer broken and the
+kernel went into deadloop with irqoff. That could be detected by
+hardlockup detector on board or when we run it on qemu, we could use gdb
+to dump the ack_list when the console has no response.
+
+To fix this issue, we delete the timer instance from ack_list and
+active_list unconditionally in snd_timer_stop1().
+
+Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211103033517.80531-1-wangwensheng4@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -525,13 +525,13 @@ static int snd_timer_stop1(struct snd_ti
+       if (!timer)
+               return -EINVAL;
+       spin_lock_irqsave(&timer->lock, flags);
++      list_del_init(&timeri->ack_list);
++      list_del_init(&timeri->active_list);
+       if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+                              SNDRV_TIMER_IFLG_START))) {
+               result = -EBUSY;
+               goto unlock;
+       }
+-      list_del_init(&timeri->ack_list);
+-      list_del_init(&timeri->active_list);
+       if (timer->card && timer->card->shutdown)
+               goto unlock;
+       if (stop) {
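Review bot: The two `list_del_init()` calls now run before the RUNNING/START flag test in snd_timer_stop1(), so an instance is unlinked even on the -EBUSY path, but nothing in the code says why that order matters. A comment above them, e.g. `/* unlink first: an instance queued on ack_list but not running may be freed by the caller after -EBUSY */`, would stop a later cleanup from moving them back below the check and reintroducing the use-after-free described in the commit message. The function body starts and ends outside the hunk.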
diff --git a/queue-4.4/alsa-timer-unconditionally-unlink-slave-instances-too.patch b/queue-4.4/alsa-timer-unconditionally-unlink-slave-instances-too.patch
new file mode 100644 (file)
index 0000000..7608290
--- /dev/null
@@ -0,0 +1,55 @@
+From ffdd98277f0a1d15a67a74ae09bee713df4c0dbc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 5 Nov 2021 10:15:17 +0100
+Subject: ALSA: timer: Unconditionally unlink slave instances, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ffdd98277f0a1d15a67a74ae09bee713df4c0dbc upstream.
+
+Like the previous fix (commit c0317c0e8709 "ALSA: timer: Fix
+use-after-free problem"), we have to unlink slave timer instances
+immediately at snd_timer_stop(), too.  Otherwise it may leave a stale
+entry in the list if the slave instance is freed before actually
+running.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211105091517.21733-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -566,23 +566,22 @@ static int snd_timer_stop1(struct snd_ti
+ static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
+ {
+       unsigned long flags;
++      bool running;
+       spin_lock_irqsave(&slave_active_lock, flags);
+-      if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
+-              spin_unlock_irqrestore(&slave_active_lock, flags);
+-              return -EBUSY;
+-      }
++      running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING;
+       timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+       if (timeri->timer) {
+               spin_lock(&timeri->timer->lock);
+               list_del_init(&timeri->ack_list);
+               list_del_init(&timeri->active_list);
+-              snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+-                                SNDRV_TIMER_EVENT_PAUSE);
++              if (running)
++                      snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
++                                        SNDRV_TIMER_EVENT_PAUSE);
+               spin_unlock(&timeri->timer->lock);
+       }
+       spin_unlock_irqrestore(&slave_active_lock, flags);
+-      return 0;
++      return running ? 0 : -EBUSY;
+ }
+ /*
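Review bot: In snd_timer_stop_slave() the `list_del_init()` calls on ack_list and active_list are still inside `if (timeri->timer)`, so the unlink is unconditional with respect to the RUNNING flag but not with respect to a missing master timer. If the invariant is that a slave with no timer is never linked on either list, a one-line comment stating that would make the guarantee checkable; it cannot be confirmed from this hunk. Minor style point: `running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING;` relies on the implicit conversion to bool, and `running = !!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING);` would make the intent explicit.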
diff --git a/queue-4.4/alsa-ua101-fix-division-by-zero-at-probe.patch b/queue-4.4/alsa-ua101-fix-division-by-zero-at-probe.patch
new file mode 100644 (file)
index 0000000..0036131
--- /dev/null
@@ -0,0 +1,48 @@
+From 55f261b73a7e1cb254577c3536cef8f415de220a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 26 Oct 2021 11:54:01 +0200
+Subject: ALSA: ua101: fix division by zero at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 55f261b73a7e1cb254577c3536cef8f415de220a upstream.
+
+Add the missing endpoint max-packet sanity check to probe() to avoid
+division by zero in alloc_stream_buffers() in case a malicious device
+has broken descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
+Cc: stable@vger.kernel.org      # 2.6.34
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211026095401.26522-1-johan@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/misc/ua101.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/misc/ua101.c
++++ b/sound/usb/misc/ua101.c
+@@ -1032,7 +1032,7 @@ static int detect_usb_format(struct ua10
+               fmt_playback->bSubframeSize * ua->playback.channels;
+       epd = &ua->intf[INTF_CAPTURE]->altsetting[1].endpoint[0].desc;
+-      if (!usb_endpoint_is_isoc_in(epd)) {
++      if (!usb_endpoint_is_isoc_in(epd) || usb_endpoint_maxp(epd) == 0) {
+               dev_err(&ua->dev->dev, "invalid capture endpoint\n");
+               return -ENXIO;
+       }
+@@ -1040,7 +1040,7 @@ static int detect_usb_format(struct ua10
+       ua->capture.max_packet_bytes = le16_to_cpu(epd->wMaxPacketSize);
+       epd = &ua->intf[INTF_PLAYBACK]->altsetting[1].endpoint[0].desc;
+-      if (!usb_endpoint_is_isoc_out(epd)) {
++      if (!usb_endpoint_is_isoc_out(epd) || usb_endpoint_maxp(epd) == 0) {
+               dev_err(&ua->dev->dev, "invalid playback endpoint\n");
+               return -ENXIO;
+       }
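Review bot: Both new guards in detect_usb_format() fold the zero max-packet case into the existing "invalid capture endpoint" / "invalid playback endpoint" message, so a log line from a device with broken descriptors cannot be told apart from a wrong endpoint type during triage. A short comment at each check, such as `/* maxp == 0 would divide by zero in alloc_stream_buffers() */`, would also record why the second condition exists, since the division itself is in another function. The indexing `altsetting[1].endpoint[0]` depends on descriptor validation that is outside the hunk, as is the rest of the function.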
index 7bca48166163929824abb8a18984f881656b3e70..6ec827f718b505990b47931fe54d92797f44d770 100644 (file)
@@ -8,3 +8,10 @@ ocfs2-fix-data-corruption-on-truncate.patch
 mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch
 parisc-fix-ptrace-check-on-syscall-return.patch
 media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch
+alsa-ua101-fix-division-by-zero-at-probe.patch
+alsa-6fire-fix-control-and-bulk-message-timeouts.patch
+alsa-line6-fix-control-and-interrupt-message-timeouts.patch
+alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
+alsa-timer-fix-use-after-free-problem.patch
+alsa-timer-unconditionally-unlink-slave-instances-too.patch
+x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
diff --git a/queue-4.4/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch b/queue-4.4/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
new file mode 100644 (file)
index 0000000..9de5b7a
--- /dev/null
@@ -0,0 +1,43 @@
+From 6ff53f6a438f72998f56e82e76694a1df9d1ea2c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 8 Oct 2021 17:11:04 -0700
+Subject: x86/irq: Ensure PI wakeup handler is unregistered before module unload
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 6ff53f6a438f72998f56e82e76694a1df9d1ea2c upstream.
+
+Add a synchronize_rcu() after clearing the posted interrupt wakeup handler
+to ensure all readers, i.e. in-flight IRQ handlers, see the new handler
+before returning to the caller.  If the caller is an exiting module and
+is unregistering its handler, failure to wait could result in the IRQ
+handler jumping into an unloaded module.
+
+The registration path doesn't require synchronization, as it's the
+caller's responsibility to not generate interrupts it cares about until
+after its handler is registered.
+
+Fixes: f6b3c72c2366 ("x86/irq: Define a global vector for VT-d Posted-Interrupts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20211009001107.3936588-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/irq.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/irq.c
++++ b/arch/x86/kernel/irq.c
+@@ -283,8 +283,10 @@ void kvm_set_posted_intr_wakeup_handler(
+ {
+       if (handler)
+               kvm_posted_intr_wakeup_handler = handler;
+-      else
++      else {
+               kvm_posted_intr_wakeup_handler = dummy_handler;
++              synchronize_rcu();
++      }
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler);
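Review bot: `synchronize_rcu()` in the new else branch is only sufficient if an RCU grace period on this kernel base also waits for hard-IRQ handlers that are not inside `rcu_read_lock()`; on trees that still have separate RCU flavours, code running with interrupts disabled is covered by `synchronize_sched()` rather than `synchronize_rcu()` when preemptible RCU is configured. Since this patch is queued for 4.4, it is worth confirming which primitive gives the guarantee the commit message describes before the upstream change is applied unchanged. The call can also sleep, so a comment on kvm_set_posted_intr_wakeup_handler() such as `/* may sleep when handler == NULL: waits for in-flight wakeup IRQs */` would warn callers not to unregister from atomic context.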