--- /dev/null
+From 167beb1756791e0806365a3f86a0da10d7a327ee Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 9 Nov 2019 19:16:58 +0100
+Subject: ALSA: usb-audio: Fix missing error check at mixer resolution test
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 167beb1756791e0806365a3f86a0da10d7a327ee upstream.
+
+A check of the return value from get_cur_mix_raw() is missing at the
+resolution test code in get_min_max_with_quirks(), which may leave the
+variable untouched, leading to a random uninitialized value, as
+detected by syzkaller fuzzer.
+
+Add the missing return error check for fixing that.
+
+Reported-and-tested-by: syzbot+abe1ab7afc62c6bb6377@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191109181658.30368-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1045,7 +1045,8 @@ static int get_min_max_with_quirks(struc
+ if (cval->min + cval->res < cval->max) {
+ int last_valid_res = cval->res;
+ int saved, test, check;
+- get_cur_mix_raw(cval, minchn, &saved);
++ if (get_cur_mix_raw(cval, minchn, &saved) < 0)
++ goto no_res_check;
+ for (;;) {
+ test = saved;
+ if (test < cval->max)
+@@ -1065,6 +1066,7 @@ static int get_min_max_with_quirks(struc
+ snd_usb_set_cur_mix_value(cval, minchn, 0, saved);
+ }
+
++no_res_check:
+ cval->initialized = 1;
+ }
+
--- /dev/null
+From 528699317dd6dc722dccc11b68800cf945109390 Mon Sep 17 00:00:00 2001
+From: Henry Lin <henryl@nvidia.com>
+Date: Wed, 13 Nov 2019 10:14:19 +0800
+Subject: ALSA: usb-audio: not submit urb for stopped endpoint
+
+From: Henry Lin <henryl@nvidia.com>
+
+commit 528699317dd6dc722dccc11b68800cf945109390 upstream.
+
+While output urb's snd_complete_urb() is executing, calling
+prepare_outbound_urb() may cause endpoint stopped before
+prepare_outbound_urb() returns and result in next urb submitted
+to stopped endpoint. usb-audio driver cannot re-use it afterwards as
+the urb is still hold by usb stack.
+
+This change checks EP_FLAG_RUNNING flag after prepare_outbound_urb() again
+to let snd_complete_urb() know the endpoint already stopped and does not
+submit next urb. Below kind of error will be fixed:
+
+[ 213.153103] usb 1-2: timeout: still 1 active urbs on EP #1
+[ 213.164121] usb 1-2: cannot submit urb 0, error -16: unknown error
+
+Signed-off-by: Henry Lin <henryl@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191113021420.13377-1-henryl@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/endpoint.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -403,6 +403,9 @@ static void snd_complete_urb(struct urb
+ }
+
+ prepare_outbound_urb(ep, ctx);
++ /* can be stopped during prepare callback */
++ if (unlikely(!test_bit(EP_FLAG_RUNNING, &ep->flags)))
++ goto exit_clear;
+ } else {
+ retire_inbound_urb(ep, ctx);
+ /* can be stopped during retire callback */
--- /dev/null
+From fa3a5a1880c91bb92594ad42dfe9eedad7996b86 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Fri, 15 Nov 2019 11:35:05 -0800
+Subject: Input: ff-memless - kill timer in destroy()
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream.
+
+No timer must be left running when the device goes away.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/ff-memless.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/ff-memless.c
++++ b/drivers/input/ff-memless.c
+@@ -501,6 +501,15 @@ static void ml_ff_destroy(struct ff_devi
+ {
+ struct ml_device *ml = ff->private;
+
++ /*
++ * Even though we stop all playing effects when tearing down
++ * an input device (via input_device_flush() that calls into
++ * input_ff_flush() that stops and erases all effects), we
++ * do not actually stop the timer, and therefore we should
++ * do it here.
++ */
++ del_timer_sync(&ml->timer);
++
+ kfree(ml->private);
+ }
+
slip-fix-memory-leak-in-slip_open-error-path.patch
ax88172a-fix-information-leak-on-short-answers.patch
+alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch
+alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch
+input-ff-memless-kill-timer-in-destroy.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
