From: Greg Kroah-Hartman Date: Sat, 24 Mar 2018 17:23:46 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.15.14~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aab93d8091c8a3273f25d5a3722ecb3f9f4604c0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch alsa-aloop-sync-stale-timer-before-release.patch alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch --- diff --git a/queue-3.18/alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch b/queue-3.18/alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch new file mode 100644 index 00000000000..ddd00a2f4c6 --- /dev/null +++ b/queue-3.18/alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch @@ -0,0 +1,59 @@ +From 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 22 Mar 2018 10:40:27 +0100 +Subject: ALSA: aloop: Fix access to not-yet-ready substream via cable + +From: Takashi Iwai + +commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream. + +In loopback_open() and loopback_close(), we assign and release the +substream object to the corresponding cable in a racy way. It's +neither locked nor done in the right position. The open callback +assigns the substream before its preparation finishes, hence the other +side of the cable may pick it up, which may lead to the invalid memory +access. + +This patch addresses these: move the assignment to the end of the open +callback, and wrap with cable->lock for avoiding concurrent accesses. + +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/drivers/aloop.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -667,7 +667,9 @@ static void free_cable(struct snd_pcm_su + return; + if (cable->streams[!substream->stream]) { + /* other stream is still alive */ ++ spin_lock_irq(&cable->lock); + cable->streams[substream->stream] = NULL; ++ spin_unlock_irq(&cable->lock); + } else { + /* free the cable */ + loopback->cables[substream->number][dev] = NULL; +@@ -707,7 +709,6 @@ static int loopback_open(struct snd_pcm_ + loopback->cables[substream->number][dev] = cable; + } + dpcm->cable = cable; +- cable->streams[substream->stream] = dpcm; + + snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS); + +@@ -739,6 +740,11 @@ static int loopback_open(struct snd_pcm_ + runtime->hw = loopback_pcm_hardware; + else + runtime->hw = cable->hw; ++ ++ spin_lock_irq(&cable->lock); ++ cable->streams[substream->stream] = dpcm; ++ spin_unlock_irq(&cable->lock); ++ + unlock: + if (err < 0) { + free_cable(substream); diff --git a/queue-3.18/alsa-aloop-sync-stale-timer-before-release.patch b/queue-3.18/alsa-aloop-sync-stale-timer-before-release.patch new file mode 100644 index 00000000000..be1d48d8a26 --- /dev/null +++ b/queue-3.18/alsa-aloop-sync-stale-timer-before-release.patch @@ -0,0 +1,69 @@ +From 67a01afaf3d34893cf7d2ea19b34555d6abb7cb0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 22 Mar 2018 08:56:06 +0100 +Subject: ALSA: aloop: Sync stale timer before release + +From: Takashi Iwai + +commit 67a01afaf3d34893cf7d2ea19b34555d6abb7cb0 upstream. + +The aloop driver tries to stop the pending timer via timer_del() in +the trigger callback and in the close callback. The former is +correct, as it's an atomic operation, while the latter expects that +the timer gets really removed and proceeds the resource releases after +that. But timer_del() doesn't synchronize, hence the running timer +may still access the released resources. + +A similar situation can be also seen in the prepare callback after +trigger(STOP) where the prepare tries to re-initialize the things +while a timer is still running. + +The problems like the above are seen indirectly in some syzkaller +reports (although it's not 100% clear whether this is the only cause, +as the race condition is quite narrow and not always easy to +trigger). + +For addressing these issues, this patch adds the explicit alls of +timer_del_sync() in some places, so that the pending timer is properly +killed / synced. + +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/drivers/aloop.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -193,6 +193,11 @@ static inline void loopback_timer_stop(s + dpcm->timer.expires = 0; + } + ++static inline void loopback_timer_stop_sync(struct loopback_pcm *dpcm) ++{ ++ del_timer_sync(&dpcm->timer); ++} ++ + #define CABLE_VALID_PLAYBACK (1 << SNDRV_PCM_STREAM_PLAYBACK) + #define CABLE_VALID_CAPTURE (1 << SNDRV_PCM_STREAM_CAPTURE) + #define CABLE_VALID_BOTH (CABLE_VALID_PLAYBACK|CABLE_VALID_CAPTURE) +@@ -327,6 +332,8 @@ static int loopback_prepare(struct snd_p + struct loopback_cable *cable = dpcm->cable; + int bps, salign; + ++ loopback_timer_stop_sync(dpcm); ++ + salign = (snd_pcm_format_width(runtime->format) * + runtime->channels) / 8; + bps = salign * runtime->rate; +@@ -746,7 +753,7 @@ static int loopback_close(struct snd_pcm + struct loopback *loopback = substream->private_data; + struct loopback_pcm *dpcm = substream->runtime->private_data; + +- loopback_timer_stop(dpcm); ++ loopback_timer_stop_sync(dpcm); + mutex_lock(&loopback->cable_lock); + free_cable(substream); + mutex_unlock(&loopback->cable_lock); diff --git a/queue-3.18/alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch b/queue-3.18/alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch new file mode 100644 index 00000000000..1bd600cbccf --- /dev/null +++ b/queue-3.18/alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch @@ -0,0 +1,49 @@ +From a6618f4aedb2b60932d766bd82ae7ce866e842aa Mon Sep 17 00:00:00 2001 +From: Kirill Marinushkin +Date: Mon, 19 Mar 2018 07:11:08 +0100 +Subject: ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit + +From: Kirill Marinushkin + +commit a6618f4aedb2b60932d766bd82ae7ce866e842aa upstream. + +Currently, the offsets in the UAC2 processing unit descriptor are +calculated incorrectly. It causes an issue when connecting the device which +provides such a feature: + +~~~~ +[84126.724420] usb 1-1.3.1: invalid Processing Unit descriptor (id 18) +~~~~ + +After this patch is applied, the UAC2 processing unit inits w/o this error. + +Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") +Signed-off-by: Kirill Marinushkin +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/usb/audio.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/usb/audio.h ++++ b/include/uapi/linux/usb/audio.h +@@ -369,7 +369,7 @@ static inline __u8 uac_processing_unit_b + { + return (protocol == UAC_VERSION_1) ? + desc->baSourceID[desc->bNrInPins + 4] : +- desc->baSourceID[desc->bNrInPins + 6]; ++ 2; /* in UAC2, this value is constant */ + } + + static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_descriptor *desc, +@@ -377,7 +377,7 @@ static inline __u8 *uac_processing_unit_ + { + return (protocol == UAC_VERSION_1) ? + &desc->baSourceID[desc->bNrInPins + 5] : +- &desc->baSourceID[desc->bNrInPins + 7]; ++ &desc->baSourceID[desc->bNrInPins + 6]; + } + + static inline __u8 uac_processing_unit_iProcessing(struct uac_processing_unit_descriptor *desc, diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..51404f379b3 --- /dev/null +++ b/queue-3.18/series @@ -0,0 +1,3 @@ +alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch +alsa-aloop-sync-stale-timer-before-release.patch +alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..075a38cc134 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,29 @@ +mips-ralink-remove-ralink_halt.patch +mips-ralink-fix-booting-on-mt7621.patch +mips-lantiq-fix-danube-usb-clock.patch +mips-lantiq-enable-ahb-bus-for-usb.patch +mips-lantiq-ase-enable-mfd_syscon.patch +iio-chemical-ccs811-corrected-firmware-boot-application-mode-transition.patch +iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch +iio-adc-meson-saradc-unlock-on-error-in-meson_sar_adc_lock.patch +alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch +alsa-aloop-sync-stale-timer-before-release.patch +alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch +alsa-hda-force-polling-mode-on-cfl-for-fixing-codec-communication.patch +alsa-hda-realtek-fix-speaker-no-sound-after-system-resume.patch +alsa-hda-realtek-fix-dell-headset-mic-can-t-record.patch +alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch +mmc-core-fix-tracepoint-print-of-blk_addr-and-blksz.patch +mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch +mmc-block-fix-updating-ext_csd-caches-on-ioctl-call.patch +mmc-dw_mmc-fix-the-dto-cto-timeout-overflow-calculation-for-32-bit-systems.patch +mmc-dw_mmc-exynos-fix-the-suspend-resume-issue-for-exynos5433.patch +mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch +pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch +ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch +lockdep-fix-fs_reclaim-warning.patch +clk-bcm2835-fix-ana-maskx-definitions.patch +clk-bcm2835-protect-sections-updating-shared-registers.patch +clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch +rdma-mlx5-fix-crash-while-accessing-garbage-pointer-and-freed-memory.patch +drivers-hv-vmbus-fix-ring-buffer-signaling.patch diff --git a/queue-4.15/series b/queue-4.15/series new file mode 100644 index 00000000000..075a38cc134 --- /dev/null +++ b/queue-4.15/series @@ -0,0 +1,29 @@ +mips-ralink-remove-ralink_halt.patch +mips-ralink-fix-booting-on-mt7621.patch +mips-lantiq-fix-danube-usb-clock.patch +mips-lantiq-enable-ahb-bus-for-usb.patch +mips-lantiq-ase-enable-mfd_syscon.patch +iio-chemical-ccs811-corrected-firmware-boot-application-mode-transition.patch +iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch +iio-adc-meson-saradc-unlock-on-error-in-meson_sar_adc_lock.patch +alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch +alsa-aloop-sync-stale-timer-before-release.patch +alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch +alsa-hda-force-polling-mode-on-cfl-for-fixing-codec-communication.patch +alsa-hda-realtek-fix-speaker-no-sound-after-system-resume.patch +alsa-hda-realtek-fix-dell-headset-mic-can-t-record.patch +alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch +mmc-core-fix-tracepoint-print-of-blk_addr-and-blksz.patch +mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch +mmc-block-fix-updating-ext_csd-caches-on-ioctl-call.patch +mmc-dw_mmc-fix-the-dto-cto-timeout-overflow-calculation-for-32-bit-systems.patch +mmc-dw_mmc-exynos-fix-the-suspend-resume-issue-for-exynos5433.patch +mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch +pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch +ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch +lockdep-fix-fs_reclaim-warning.patch +clk-bcm2835-fix-ana-maskx-definitions.patch +clk-bcm2835-protect-sections-updating-shared-registers.patch +clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch +rdma-mlx5-fix-crash-while-accessing-garbage-pointer-and-freed-memory.patch +drivers-hv-vmbus-fix-ring-buffer-signaling.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..3ddbb6e375e --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,10 @@ +mips-ralink-remove-ralink_halt.patch +iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch +alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch +alsa-aloop-sync-stale-timer-before-release.patch +alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch +alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch +mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch +pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch +ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch +clk-bcm2835-protect-sections-updating-shared-registers.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..f64e5677aa7 --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1,13 @@ +mips-ralink-remove-ralink_halt.patch +iio-st_pressure-st_accel-pass-correct-platform-data-to-init.patch +alsa-usb-audio-fix-parsing-descriptor-of-uac2-processing-unit.patch +alsa-aloop-sync-stale-timer-before-release.patch +alsa-aloop-fix-access-to-not-yet-ready-substream-via-cable.patch +alsa-hda-realtek-always-immediately-update-mute-led-with-pin-vref.patch +mmc-dw_mmc-fix-falling-from-idmac-to-pio-mode-when-dw_mci_reset-occurs.patch +pci-add-function-1-dma-alias-quirk-for-highpoint-rocketraid-644l.patch +ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch +clk-bcm2835-fix-ana-maskx-definitions.patch +clk-bcm2835-protect-sections-updating-shared-registers.patch +clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch +mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch