3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Mar 2018 17:23:46 +0000 (18:23 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Mar 2018 17:23:46 +0000 (18:23 +0100)
added patches:
alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch
alsa-aloop-sync-stale-timer-before-release.patch
alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch

queue-3.18/alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch [new file with mode: 0644]
queue-3.18/alsa-aloop-sync-stale-timer-before-release.patch [new file with mode: 0644]
queue-3.18/alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch [new file with mode: 0644]
queue-3.18/series [new file with mode: 0644]
queue-4.14/series [new file with mode: 0644]
queue-4.15/series [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]

diff --git a/queue-3.18/alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch b/queue-3.18/alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch
new file mode 100644 (file)
index 0000000..ddd00a2
--- /dev/null
@@ -0,0 +1,59 @@
+From 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 22 Mar 2018 10:40:27 +0100
+Subject: ALSA: aloop: Fix access to not-yet-ready substream via cable
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream.
+
+In loopback_open() and loopback_close(), we assign and release the
+substream object to the corresponding cable in a racy way.  It's
+neither locked nor done in the right position.  The open callback
+assigns the substream before its preparation finishes, hence the other
+side of the cable may pick it up, which may lead to the invalid memory
+access.
+
+This patch addresses these: move the assignment to the end of the open
+callback, and wrap with cable->lock for avoiding concurrent accesses.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -667,7 +667,9 @@ static void free_cable(struct snd_pcm_su
+               return;
+       if (cable->streams[!substream->stream]) {
+               /* other stream is still alive */
++              spin_lock_irq(&cable->lock);
+               cable->streams[substream->stream] = NULL;
++              spin_unlock_irq(&cable->lock);
+       } else {
+               /* free the cable */
+               loopback->cables[substream->number][dev] = NULL;
+@@ -707,7 +709,6 @@ static int loopback_open(struct snd_pcm_
+               loopback->cables[substream->number][dev] = cable;
+       }
+       dpcm->cable = cable;
+-      cable->streams[substream->stream] = dpcm;
+       snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);
+@@ -739,6 +740,11 @@ static int loopback_open(struct snd_pcm_
+               runtime->hw = loopback_pcm_hardware;
+       else
+               runtime->hw = cable->hw;
++
++      spin_lock_irq(&cable->lock);
++      cable->streams[substream->stream] = dpcm;
++      spin_unlock_irq(&cable->lock);
++
+  unlock:
+       if (err < 0) {
+               free_cable(substream);
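Review bot: In the free_cable() hunk the test `if (cable->streams[!substream->stream])` is still read outside `cable->lock`; only the store of NULL is wrapped. That is safe only if every caller already holds `loopback->cable_lock`, which this patch does not show (the close path in the companion timer patch does take it). I would state that on the function, e.g. `/* call with loopback->cable_lock held; cable->lock only guards streams[] against the other side of the cable */`. The deferred store in loopback_open() deserves a one-line comment too, `/* publish dpcm last: the peer may dereference it as soon as it is visible */`, so a later change does not move it back above the runtime setup. Both function bodies extend beyond the hunks shown.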
diff --git a/queue-3.18/alsa-aloop-sync-stale-timer-before-release.patch b/queue-3.18/alsa-aloop-sync-stale-timer-before-release.patch
new file mode 100644 (file)
index 0000000..be1d48d
--- /dev/null
@@ -0,0 +1,69 @@
+From 67a01afaf3d34893cf7d2ea19b34555d6abb7cb0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 22 Mar 2018 08:56:06 +0100
+Subject: ALSA: aloop: Sync stale timer before release
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 67a01afaf3d34893cf7d2ea19b34555d6abb7cb0 upstream.
+
+The aloop driver tries to stop the pending timer via timer_del() in
+the trigger callback and in the close callback.  The former is
+correct, as it's an atomic operation, while the latter expects that
+the timer gets really removed and proceeds the resource releases after
+that.  But timer_del() doesn't synchronize, hence the running timer
+may still access the released resources.
+
+A similar situation can be also seen in the prepare callback after
+trigger(STOP) where the prepare tries to re-initialize the things
+while a timer is still running.
+
+The problems like the above are seen indirectly in some syzkaller
+reports (although it's not 100% clear whether this is the only cause,
+as the race condition is quite narrow and not always easy to
+trigger).
+
+For addressing these issues, this patch adds the explicit alls of
+timer_del_sync() in some places, so that the pending timer is properly
+killed / synced.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -193,6 +193,11 @@ static inline void loopback_timer_stop(s
+       dpcm->timer.expires = 0;
+ }
++static inline void loopback_timer_stop_sync(struct loopback_pcm *dpcm)
++{
++      del_timer_sync(&dpcm->timer);
++}
++
+ #define CABLE_VALID_PLAYBACK  (1 << SNDRV_PCM_STREAM_PLAYBACK)
+ #define CABLE_VALID_CAPTURE   (1 << SNDRV_PCM_STREAM_CAPTURE)
+ #define CABLE_VALID_BOTH      (CABLE_VALID_PLAYBACK|CABLE_VALID_CAPTURE)
+@@ -327,6 +332,8 @@ static int loopback_prepare(struct snd_p
+       struct loopback_cable *cable = dpcm->cable;
+       int bps, salign;
++      loopback_timer_stop_sync(dpcm);
++
+       salign = (snd_pcm_format_width(runtime->format) *
+                                               runtime->channels) / 8;
+       bps = salign * runtime->rate;
+@@ -746,7 +753,7 @@ static int loopback_close(struct snd_pcm
+       struct loopback *loopback = substream->private_data;
+       struct loopback_pcm *dpcm = substream->runtime->private_data;
+-      loopback_timer_stop(dpcm);
++      loopback_timer_stop_sync(dpcm);
+       mutex_lock(&loopback->cable_lock);
+       free_cable(substream);
+       mutex_unlock(&loopback->cable_lock);
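Review bot: `loopback_timer_stop_sync()` wraps `del_timer_sync()`, which waits for a running handler to finish, so it must not be called from the atomic trigger path or while holding a lock the timer handler takes (presumably `cable->lock`; the handler is not in this patch). Nothing on the helper says so, and its name differs from `loopback_timer_stop()` by one suffix; I would add `/* non-atomic context only: waits for a running timer handler; never call from trigger or with cable->lock held */` above it. Unlike the non-sync variant, whose context line shows `dpcm->timer.expires = 0;`, the new helper leaves `expires` untouched. If any code treats a non-zero `expires` as "timer armed", the two helpers should agree. loopback_prepare() and loopback_close() continue outside the hunks.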
diff --git a/queue-3.18/alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch b/queue-3.18/alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch
new file mode 100644 (file)
index 0000000..1bd600c
--- /dev/null
@@ -0,0 +1,49 @@
+From a6618f4aedb2b60932d766bd82ae7ce866e842aa Mon Sep 17 00:00:00 2001
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+Date: Mon, 19 Mar 2018 07:11:08 +0100
+Subject: ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
+
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+
+commit a6618f4aedb2b60932d766bd82ae7ce866e842aa upstream.
+
+Currently, the offsets in the UAC2 processing unit descriptor are
+calculated incorrectly. It causes an issue when connecting the device which
+provides such a feature:
+
+~~~~
+[84126.724420] usb 1-1.3.1: invalid Processing Unit descriptor (id 18)
+~~~~
+
+After this patch is applied, the UAC2 processing unit inits w/o this error.
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/usb/audio.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/uapi/linux/usb/audio.h
++++ b/include/uapi/linux/usb/audio.h
+@@ -369,7 +369,7 @@ static inline __u8 uac_processing_unit_b
+ {
+       return (protocol == UAC_VERSION_1) ?
+               desc->baSourceID[desc->bNrInPins + 4] :
+-              desc->baSourceID[desc->bNrInPins + 6];
++              2; /* in UAC2, this value is constant */
+ }
+ static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_descriptor *desc,
+@@ -377,7 +377,7 @@ static inline __u8 *uac_processing_unit_
+ {
+       return (protocol == UAC_VERSION_1) ?
+               &desc->baSourceID[desc->bNrInPins + 5] :
+-              &desc->baSourceID[desc->bNrInPins + 7];
++              &desc->baSourceID[desc->bNrInPins + 6];
+ }
+ static inline __u8 uac_processing_unit_iProcessing(struct uac_processing_unit_descriptor *desc,
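Review bot: Both accessors index `baSourceID[]` with the device-supplied `bNrInPins` and never compare the resulting offset with `desc->bLength`, so the corrected `+ 6` is only safe if the caller has already checked that the descriptor is long enough. The "invalid Processing Unit descriptor" message quoted in the commit text suggests such a check exists, but it is not part of this patch. Because an attached USB device controls these bytes, I would state the precondition on the helpers, e.g. `/* caller must have validated bLength against bNrInPins before using this accessor */`. The bare `2` would also read better as a named constant, or with the comment expanded to say which UAC2 field width it stands for. The accessor signatures sit on the `@@` lines, so the function heads are outside the hunks.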
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644 (file)
index 0000000..51404f3
--- /dev/null
@@ -0,0 +1,3 @@
+alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch
+alsa-aloop-sync-stale-timer-before-release.patch
+alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644 (file)
index 0000000..075a38c
--- /dev/null
@@ -0,0 +1,29 @@
+mips-ralink-remove-ralink_halt.patch
+mips-ralink-fix-booting-on-mt7621.patch
+mips-lantiq-fix-danube-usb-clock.patch
+mips-lantiq-enable-ahb-bus-for-usb.patch
+mips-lantiq-ase-enable-mfd_syscon.patch
+iio-chemical-ccs811-corrected-firmware-boot-application-mode-transition.patch
+iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch
+iio-adc-meson-saradc-unlock-on-error-in-meson_sar_adc_lock.patch
+alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch
+alsa-aloop-sync-stale-timer-before-release.patch
+alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch
+alsa-hda-force-polling-mode-on-cfl-for-fixing-codec-communication.patch
+alsa-hda-realtek-fix-speaker-no-sound-after-system-resume.patch
+alsa-hda-realtek-fix-dell-headset-mic-can-t-record.patch
+alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch
+mmc-core-fix-tracepoint-print-of-blk_addr-and-blksz.patch
+mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch
+mmc-block-fix-updating-ext_csd-caches-on-ioctl-call.patch
+mmc-dw_mmc-fix-the-dto-cto-timeout-overflow-calculation-for-32-bit-systems.patch
+mmc-dw_mmc-exynos-fix-the-suspend-resume-issue-for-exynos5433.patch
+mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch
+pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch
+ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch
+lockdep-fix-fs_reclaim-warning.patch
+clk-bcm2835-fix-ana-maskx-definitions.patch
+clk-bcm2835-protect-sections-updating-shared-registers.patch
+clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch
+rdma-mlx5-fix-crash-while-accessing-garbage-pointer-and-freed-memory.patch
+drivers-hv-vmbus-fix-ring-buffer-signaling.patch
diff --git a/queue-4.15/series b/queue-4.15/series
new file mode 100644 (file)
index 0000000..075a38c
--- /dev/null
@@ -0,0 +1,29 @@
+mips-ralink-remove-ralink_halt.patch
+mips-ralink-fix-booting-on-mt7621.patch
+mips-lantiq-fix-danube-usb-clock.patch
+mips-lantiq-enable-ahb-bus-for-usb.patch
+mips-lantiq-ase-enable-mfd_syscon.patch
+iio-chemical-ccs811-corrected-firmware-boot-application-mode-transition.patch
+iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch
+iio-adc-meson-saradc-unlock-on-error-in-meson_sar_adc_lock.patch
+alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch
+alsa-aloop-sync-stale-timer-before-release.patch
+alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch
+alsa-hda-force-polling-mode-on-cfl-for-fixing-codec-communication.patch
+alsa-hda-realtek-fix-speaker-no-sound-after-system-resume.patch
+alsa-hda-realtek-fix-dell-headset-mic-can-t-record.patch
+alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch
+mmc-core-fix-tracepoint-print-of-blk_addr-and-blksz.patch
+mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch
+mmc-block-fix-updating-ext_csd-caches-on-ioctl-call.patch
+mmc-dw_mmc-fix-the-dto-cto-timeout-overflow-calculation-for-32-bit-systems.patch
+mmc-dw_mmc-exynos-fix-the-suspend-resume-issue-for-exynos5433.patch
+mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch
+pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch
+ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch
+lockdep-fix-fs_reclaim-warning.patch
+clk-bcm2835-fix-ana-maskx-definitions.patch
+clk-bcm2835-protect-sections-updating-shared-registers.patch
+clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch
+rdma-mlx5-fix-crash-while-accessing-garbage-pointer-and-freed-memory.patch
+drivers-hv-vmbus-fix-ring-buffer-signaling.patch
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..3ddbb6e
--- /dev/null
@@ -0,0 +1,10 @@
+mips-ralink-remove-ralink_halt.patch
+iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch
+alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch
+alsa-aloop-sync-stale-timer-before-release.patch
+alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch
+alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch
+mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch
+pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch
+ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch
+clk-bcm2835-protect-sections-updating-shared-registers.patch
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..f64e567
--- /dev/null
@@ -0,0 +1,13 @@
+mips-ralink-remove-ralink_halt.patch
+iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch
+alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch
+alsa-aloop-sync-stale-timer-before-release.patch
+alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch
+alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch
+mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch
+pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch
+ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch
+clk-bcm2835-fix-ana-maskx-definitions.patch
+clk-bcm2835-protect-sections-updating-shared-registers.patch
+clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch
+mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch