--- /dev/null
+From a931b9ce93841a5b66b709ba5a244276e345e63b Mon Sep 17 00:00:00 2001
+From: Guneshwor Singh <guneshwor.o.singh@intel.com>
+Date: Thu, 14 Sep 2017 17:49:40 +0530
+Subject: ALSA: compress: Remove unused variable
+
+From: Guneshwor Singh <guneshwor.o.singh@intel.com>
+
+commit a931b9ce93841a5b66b709ba5a244276e345e63b upstream.
+
+Commit 04c5d5a430fc ("ALSA: compress: Embed struct device") removed
+the statement that used 'str' but didn't remove the variable itself.
+So remove it.
+
+[Adding stable to Cc since pr_debug() may refer to the uninitialized
+ buffer -- tiwai]
+
+Fixes: 04c5d5a430fc ("ALSA: compress: Embed struct device")
+Signed-off-by: Guneshwor Singh <guneshwor.o.singh@intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/compress_offload.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -872,14 +872,13 @@ static const struct file_operations snd_
+ static int snd_compress_dev_register(struct snd_device *device)
+ {
+ int ret = -EINVAL;
+- char str[16];
+ struct snd_compr *compr;
+
+ if (snd_BUG_ON(!device || !device->device_data))
+ return -EBADFD;
+ compr = device->device_data;
+
+- pr_debug("reg %s for device %s, direction %d\n", str, compr->name,
++ pr_debug("reg device %s, direction %d\n", compr->name,
+ compr->direction);
+ /* register compressed device */
+ ret = snd_register_device(SNDRV_DEVICE_TYPE_COMPRESS,
--- /dev/null
+From 7682e399485fe19622b6fd82510b1f4551e48a25 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 2 Oct 2017 14:06:43 +0200
+Subject: ALSA: usx2y: Suppress kernel warning at page allocation failures
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7682e399485fe19622b6fd82510b1f4551e48a25 upstream.
+
+The usx2y driver allocates the stream read/write buffers in continuous
+pages depending on the stream setup, and this may spew the kernel
+warning messages with a stack trace like:
+ WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883
+ __alloc_pages_slowpath+0x1ef2/0x2d70
+ Modules linked in:
+ CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
+ ....
+
+It may confuse user as if it were any serious error, although this is
+no fatal error and the driver handles the error case gracefully.
+Since the driver has already some sanity check of the given size (128
+and 256 pages), it can't pass any crazy value. So it's merely page
+fragmentation.
+
+This patch adds __GFP_NOWARN to each caller for suppressing such
+kernel warnings. The original issue was spotted by syzkaller.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/usx2y/usb_stream.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/usx2y/usb_stream.c
++++ b/sound/usb/usx2y/usb_stream.c
+@@ -191,7 +191,8 @@ struct usb_stream *usb_stream_new(struct
+ }
+
+ pg = get_order(read_size);
+- sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
++ sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
++ __GFP_NOWARN, pg);
+ if (!sk->s) {
+ snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
+ goto out;
+@@ -211,7 +212,8 @@ struct usb_stream *usb_stream_new(struct
+ pg = get_order(write_size);
+
+ sk->write_page =
+- (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
++ (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
++ __GFP_NOWARN, pg);
+ if (!sk->write_page) {
+ snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
+ usb_stream_free(sk);
--- /dev/null
+From 57e7ba04d422c3d41c8426380303ec9b7533ded9 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Tue, 19 Sep 2017 09:39:08 -0700
+Subject: lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
+
+From: Casey Schaufler <casey@schaufler-ca.com>
+
+commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream.
+
+security_inode_getsecurity() provides the text string value
+of a security attribute. It does not provide a "secctx".
+The code in xattr_getsecurity() that calls security_inode_getsecurity()
+and then calls security_release_secctx() happened to work because
+SElinux and Smack treat the attribute and the secctx the same way.
+It fails for cap_inode_getsecurity(), because that module has no
+secctx that ever needs releasing. It turns out that Smack is the
+one that's doing things wrong by not allocating memory when instructed
+to do so by the "alloc" parameter.
+
+The fix is simple enough. Change the security_release_secctx() to
+kfree() because it isn't a secctx being returned by
+security_inode_getsecurity(). Change Smack to allocate the string when
+told to do so.
+
+Note: this also fixes memory leaks for LSMs which implement
+inode_getsecurity but not release_secctx, such as capabilities.
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xattr.c | 2 -
+ security/smack/smack_lsm.c | 59 ++++++++++++++++++++-------------------------
+ 2 files changed, 28 insertions(+), 33 deletions(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -163,7 +163,7 @@ xattr_getsecurity(struct inode *inode, c
+ }
+ memcpy(value, buffer, len);
+ out:
+- security_release_secctx(buffer, len);
++ kfree(buffer);
+ out_noalloc:
+ return len;
+ }
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1459,7 +1459,7 @@ static int smack_inode_removexattr(struc
+ * @inode: the object
+ * @name: attribute name
+ * @buffer: where to put the result
+- * @alloc: unused
++ * @alloc: duplicate memory
+ *
+ * Returns the size of the attribute or an error code
+ */
+@@ -1472,43 +1472,38 @@ static int smack_inode_getsecurity(const
+ struct super_block *sbp;
+ struct inode *ip = (struct inode *)inode;
+ struct smack_known *isp;
+- int ilen;
+- int rc = 0;
+
+- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
++ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
+ isp = smk_of_inode(inode);
+- ilen = strlen(isp->smk_known);
+- *buffer = isp->smk_known;
+- return ilen;
++ else {
++ /*
++ * The rest of the Smack xattrs are only on sockets.
++ */
++ sbp = ip->i_sb;
++ if (sbp->s_magic != SOCKFS_MAGIC)
++ return -EOPNOTSUPP;
++
++ sock = SOCKET_I(ip);
++ if (sock == NULL || sock->sk == NULL)
++ return -EOPNOTSUPP;
++
++ ssp = sock->sk->sk_security;
++
++ if (strcmp(name, XATTR_SMACK_IPIN) == 0)
++ isp = ssp->smk_in;
++ else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
++ isp = ssp->smk_out;
++ else
++ return -EOPNOTSUPP;
+ }
+
+- /*
+- * The rest of the Smack xattrs are only on sockets.
+- */
+- sbp = ip->i_sb;
+- if (sbp->s_magic != SOCKFS_MAGIC)
+- return -EOPNOTSUPP;
+-
+- sock = SOCKET_I(ip);
+- if (sock == NULL || sock->sk == NULL)
+- return -EOPNOTSUPP;
+-
+- ssp = sock->sk->sk_security;
+-
+- if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+- isp = ssp->smk_in;
+- else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+- isp = ssp->smk_out;
+- else
+- return -EOPNOTSUPP;
+-
+- ilen = strlen(isp->smk_known);
+- if (rc == 0) {
+- *buffer = isp->smk_known;
+- rc = ilen;
++ if (alloc) {
++ *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
++ if (*buffer == NULL)
++ return -ENOMEM;
+ }
+
+- return rc;
++ return strlen(isp->smk_known);
+ }
+
+
usb-devio-don-t-corrupt-user-memory.patch
usb-gadget-mass_storage-set-msg_registered-after-msg-registered.patch
usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch
+lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch
+alsa-compress-remove-unused-variable.patch
+alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch
usb-uas-fix-bug-in-handling-of-alternate-settings.patch
usb-core-harden-cdc_parse_cdc_header.patch
usb-increase-quirk-delay-for-usb-devices.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
