--- /dev/null
+From f853dcaae2f5bbe021161e421bd1576845bae8f6 Mon Sep 17 00:00:00 2001
+From: David Henningsson <diwic@ubuntu.com>
+Date: Sat, 21 Apr 2018 14:57:40 +0200
+Subject: ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
+
+From: David Henningsson <diwic@ubuntu.com>
+
+commit f853dcaae2f5bbe021161e421bd1576845bae8f6 upstream.
+
+It looks like a simple mistake that this struct member
+was forgotten.
+
+Audio_tstamp isn't used much, and on some archs (such as x86) this
+ioctl is not used by default, so that might be the reason why this
+has slipped for so long.
+
+Fixes: 4eeaaeaea1ce ("ALSA: core: add hooks for audio timestamps")
+Signed-off-by: David Henningsson <diwic@ubuntu.com>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Cc: <stable@vger.kernel.org> # v3.8+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_native.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2695,6 +2695,7 @@ static int snd_pcm_sync_ptr(struct snd_p
+ sync_ptr.s.status.hw_ptr = status->hw_ptr;
+ sync_ptr.s.status.tstamp = status->tstamp;
+ sync_ptr.s.status.suspended_state = status->suspended_state;
++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp;
+ snd_pcm_stream_unlock_irq(substream);
+ if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr)))
+ return -EFAULT;
+++ /dev/null
-From 7f054a5bee0987f1e2d4e59daea462421c76f2cb Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Tue, 24 Apr 2018 07:56:07 +0200
-Subject: ALSA: opl3: Hardening for potential Spectre v1
-
-From: Takashi Iwai <tiwai@suse.de>
-
-commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream.
-
-As recently Smatch suggested, one place in OPL3 driver may expand the
-array directly from the user-space value with speculation:
- sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap'
-
-This patch puts array_index_nospec() for hardening against it.
-
-BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
-Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/drivers/opl3/opl3_synth.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- a/sound/drivers/opl3/opl3_synth.c
-+++ b/sound/drivers/opl3/opl3_synth.c
-@@ -21,6 +21,7 @@
-
- #include <linux/slab.h>
- #include <linux/export.h>
-+#include <linux/nospec.h>
- #include <sound/opl3.h>
- #include <sound/asound_fm.h>
-
-@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd
- {
- unsigned short reg_side;
- unsigned char op_offset;
-- unsigned char voice_offset;
-+ unsigned char voice_offset, voice_op;
-
- unsigned short opl3_reg;
- unsigned char reg_val;
-@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd
- voice_offset = voice->voice - MAX_OPL2_VOICES;
- }
- /* Get register offset of operator */
-- op_offset = snd_opl3_regmap[voice_offset][voice->op];
-+ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
-+ voice_op = array_index_nospec(voice->op, 4);
-+ op_offset = snd_opl3_regmap[voice_offset][voice_op];
-
- reg_val = 0x00;
- /* Set amplitude modulation (tremolo) effect */
--- /dev/null
+From f5e94b4c6ebdabe0f602d796e0430180927521a0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 24 Apr 2018 07:26:59 +0200
+Subject: ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f5e94b4c6ebdabe0f602d796e0430180927521a0 upstream.
+
+When get_synthdev() is called for a MIDI device, it returns the fixed
+midi_synth_dev without the use refcounting. OTOH, the caller is
+supposed to unreference unconditionally after the usage, so this would
+lead to unbalanced refcount.
+
+This patch corrects the behavior and keep up the refcount balance also
+for the MIDI synth device.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/oss/seq_oss_synth.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/oss/seq_oss_synth.c
++++ b/sound/core/seq/oss/seq_oss_synth.c
+@@ -363,10 +363,14 @@ get_synthdev(struct seq_oss_devinfo *dp,
+ return NULL;
+ if (! dp->synths[dev].opened)
+ return NULL;
+- if (dp->synths[dev].is_midi)
+- return &midi_synth_dev;
+- if ((rec = get_sdev(dev)) == NULL)
+- return NULL;
++ if (dp->synths[dev].is_midi) {
++ rec = &midi_synth_dev;
++ snd_use_lock_use(&rec->use_lock);
++ } else {
++ rec = get_sdev(dev);
++ if (!rec)
++ return NULL;
++ }
+ if (! rec->opened) {
+ snd_use_lock_free(&rec->use_lock);
+ return NULL;
--- /dev/null
+From 6510bbc88e3258631831ade49033537081950605 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@transmode.se>
+Date: Thu, 1 Mar 2018 14:39:39 +0100
+Subject: mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
+
+From: Joakim Tjernlund <joakim.tjernlund@transmode.se>
+
+commit 6510bbc88e3258631831ade49033537081950605 upstream.
+
+Currently it is possible to read and/or write to suspend EB's.
+Writing /dev/mtdX or /dev/mtdblockX from several processes may
+break the flash state machine.
+
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 16 +++++++++++-----
+ include/linux/mtd/flashchip.h | 1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -825,21 +825,25 @@ static int chip_ready (struct map_info *
+ (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1))))
+ goto sleep;
+
++ /* Do not allow suspend iff read/write to EB address */
++ if ((adr & chip->in_progress_block_mask) ==
++ chip->in_progress_block_addr)
++ goto sleep;
+
+ /* Erase suspend */
+- map_write(map, CMD(0xB0), adr);
++ map_write(map, CMD(0xB0), chip->in_progress_block_addr);
+
+ /* If the flash has finished erasing, then 'erase suspend'
+ * appears to make some (28F320) flash devices switch to
+ * 'read' mode. Make sure that we switch to 'read status'
+ * mode so we get the right data. --rmk
+ */
+- map_write(map, CMD(0x70), adr);
++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
+ chip->oldstate = FL_ERASING;
+ chip->state = FL_ERASE_SUSPENDING;
+ chip->erase_suspended = 1;
+ for (;;) {
+- status = map_read(map, adr);
++ status = map_read(map, chip->in_progress_block_addr);
+ if (map_word_andequal(map, status, status_OK, status_OK))
+ break;
+
+@@ -1035,8 +1039,8 @@ static void put_chip(struct map_info *ma
+ sending the 0x70 (Read Status) command to an erasing
+ chip and expecting it to be ignored, that's what we
+ do. */
+- map_write(map, CMD(0xd0), adr);
+- map_write(map, CMD(0x70), adr);
++ map_write(map, CMD(0xd0), chip->in_progress_block_addr);
++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
+ chip->oldstate = FL_READY;
+ chip->state = FL_ERASING;
+ break;
+@@ -1927,6 +1931,8 @@ static int __xipram do_erase_oneblock(st
+ map_write(map, CMD(0xD0), adr);
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
++ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(len - 1);
+
+ ret = INVAL_CACHE_AND_WAIT(map, chip, adr,
+ adr, len,
+--- a/include/linux/mtd/flashchip.h
++++ b/include/linux/mtd/flashchip.h
+@@ -85,6 +85,7 @@ struct flchip {
+ unsigned int write_suspended:1;
+ unsigned int erase_suspended:1;
+ unsigned long in_progress_block_addr;
++ unsigned long in_progress_block_mask;
+
+ struct mutex mutex;
+ wait_queue_head_t wq; /* Wait on here when we're waiting for the chip
--- /dev/null
+From 46a16a2283f9e678a4e26829175e0c37a5191860 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@transmode.se>
+Date: Thu, 1 Mar 2018 14:39:40 +0100
+Subject: mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
+
+From: Joakim Tjernlund <joakim.tjernlund@transmode.se>
+
+commit 46a16a2283f9e678a4e26829175e0c37a5191860 upstream.
+
+Some Micron chips does not work well wrt Erase suspend for
+boot blocks. This avoids the issue by not allowing Erase suspend
+for the boot blocks for the 28F00AP30(1GBit) chip.
+
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -45,6 +45,7 @@
+ #define I82802AB 0x00ad
+ #define I82802AC 0x00ac
+ #define PF38F4476 0x881c
++#define M28F00AP30 0x8963
+ /* STMicroelectronics chips */
+ #define M50LPW080 0x002F
+ #define M50FLW080A 0x0080
+@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct
+ extp->MinorVersion = '1';
+ }
+
++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip)
++{
++ /*
++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t
++ * Erase Supend for their small Erase Blocks(0x8000)
++ */
++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30)
++ return 1;
++ return 0;
++}
++
+ static inline struct cfi_pri_intelext *
+ read_pri_intelext(struct map_info *map, __u16 adr)
+ {
+@@ -830,6 +842,11 @@ static int chip_ready (struct map_info *
+ chip->in_progress_block_addr)
+ goto sleep;
+
++ /* do not suspend small EBs, buggy Micron Chips */
++ if (cfi_is_micron_28F00AP30(cfi, chip) &&
++ (chip->in_progress_block_mask == ~(0x8000-1)))
++ goto sleep;
++
+ /* Erase suspend */
+ map_write(map, CMD(0xB0), chip->in_progress_block_addr);
+
--- /dev/null
+From 7b70eb14392a7cf505f9b358d06c33b5af73d1e7 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Thu, 1 Mar 2018 14:39:41 +0100
+Subject: mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 7b70eb14392a7cf505f9b358d06c33b5af73d1e7 upstream.
+
+Currently it is possible to read and/or write to suspend EB's.
+Writing /dev/mtdX or /dev/mtdblockX from several processes may
+break the flash state machine.
+
+Taken from cfi_cmdset_0001 driver.
+
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map
+ (mode == FL_WRITING && (cfip->EraseSuspend & 0x2))))
+ goto sleep;
+
+- /* We could check to see if we're trying to access the sector
+- * that is currently being erased. However, no user will try
+- * anything like that so we just wait for the timeout. */
++ /* Do not allow suspend iff read/write to EB address */
++ if ((adr & chip->in_progress_block_mask) ==
++ chip->in_progress_block_addr)
++ goto sleep;
+
+ /* Erase suspend */
+ /* It's harmless to issue the Erase-Suspend and Erase-Resume
+@@ -2265,6 +2266,7 @@ static int __xipram do_erase_chip(struct
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
+ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(map->size - 1);
+
+ INVALIDATE_CACHE_UDELAY(map, chip,
+ adr, map->size,
+@@ -2354,6 +2356,7 @@ static int __xipram do_erase_oneblock(st
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
+ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(len - 1);
+
+ INVALIDATE_CACHE_UDELAY(map, chip,
+ adr, len,
tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch
tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch
tty-use-__gfp_nofail-for-tty_ldisc_get.patch
-alsa-opl3-hardening-for-potential-spectre-v1.patch
+alsa-core-report-audio_tstamp-in-snd_pcm_sync_ptr.patch
+alsa-seq-oss-fix-unbalanced-use-lock-for-synth-midi-device.patch
+mtd-cfi-cmdset_0001-do-not-allow-read-write-to-suspend-erase-block.patch
+mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch
+mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
