From 3b3fd7f6f5e37d0ac3eb012f02ed64fb01947a38 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 25 Jan 2016 16:38:22 -0800 Subject: [PATCH] 4.4-stable patches added patches: alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch alsa-hda-add-fixup-for-dell-latitidue-e6540.patch alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch alsa-hda-fix-missing-module-loading-with-model-generic-option.patch alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch alsa-hda-fixup-inverted-internal-mic-for-lenovo-e50-80.patch alsa-hda-flush-the-pending-probe-work-at-remove.patch alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch alsa-seq-fix-race-at-timer-setup-and-close.patch alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch alsa-timer-fix-double-unlink-of-active_list.patch alsa-timer-fix-race-among-timer-ioctls.patch alsa-timer-handle-disconnection-more-safely.patch alsa-timer-harden-slave-timer-list-handling.patch alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch alsa-usb-audio-avoid-calling-usb_autopm_put_interface-at-disconnect.patch alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch --- ...warnings-from-tlv-ioctl-with-numid-0.patch | 35 ++++ ...a-add-fixup-for-dell-latitidue-e6540.patch | 30 +++ ...a-fix-bass-pin-fixup-for-asus-n550jx.patch | 30 +++ ...le-loading-with-model-generic-option.patch | 92 +++++++++ ...-detection-problem-for-a-dell-laptop.patch | 35 ++++ ...x-white-noise-on-dell-latitude-e5550.patch | 30 +++ ...erted-internal-mic-for-lenovo-e50-80.patch | 55 ++++++ ...ush-the-pending-probe-work-at-remove.patch | 46 +++++ ...-hrtimer-fix-stall-by-hrtimer_cancel.patch | 54 +++++ ...hw_params-struct-copy-in-compat-mode.patch | 51 +++++ ...ng-null-check-at-remove_events-ioctl.patch | 34 ++++ ...eq-fix-race-at-timer-setup-and-close.patch | 38 ++++ ..._call_port_info_ioctl-in-compat-mode.patch 
| 45 +++++ ...mer-fix-double-unlink-of-active_list.patch | 37 ++++ ...sa-timer-fix-race-among-timer-ioctls.patch | 122 ++++++++++++ ...mer-handle-disconnection-more-safely.patch | 185 ++++++++++++++++++ ...mer-harden-slave-timer-list-handling.patch | 101 ++++++++++ ...add-native-dsd-support-for-oppo-ha-1.patch | 30 +++ ...b_autopm_put_interface-at-disconnect.patch | 62 ++++++ ...ression-of-native-instrument-devices.patch | 34 ++++ queue-4.4/series | 20 ++ 21 files changed, 1166 insertions(+) create mode 100644 queue-4.4/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch create mode 100644 queue-4.4/alsa-hda-add-fixup-for-dell-latitidue-e6540.patch create mode 100644 queue-4.4/alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch create mode 100644 queue-4.4/alsa-hda-fix-missing-module-loading-with-model-generic-option.patch create mode 100644 queue-4.4/alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch create mode 100644 queue-4.4/alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch create mode 100644 queue-4.4/alsa-hda-fixup-inverted-internal-mic-for-lenovo-e50-80.patch create mode 100644 queue-4.4/alsa-hda-flush-the-pending-probe-work-at-remove.patch create mode 100644 queue-4.4/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch create mode 100644 queue-4.4/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch create mode 100644 queue-4.4/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch create mode 100644 queue-4.4/alsa-seq-fix-race-at-timer-setup-and-close.patch create mode 100644 queue-4.4/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch create mode 100644 queue-4.4/alsa-timer-fix-double-unlink-of-active_list.patch create mode 100644 queue-4.4/alsa-timer-fix-race-among-timer-ioctls.patch create mode 100644 queue-4.4/alsa-timer-handle-disconnection-more-safely.patch create mode 100644 queue-4.4/alsa-timer-harden-slave-timer-list-handling.patch create mode 100644 
queue-4.4/alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch create mode 100644 queue-4.4/alsa-usb-audio-avoid-calling-usb_autopm_put_interface-at-disconnect.patch create mode 100644 queue-4.4/alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch
diff --git a/queue-4.4/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch b/queue-4.4/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch
new file mode 100644
index 00000000000..44838d42843
--- /dev/null
+++ b/queue-4.4/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch
@@ -0,0 +1,35 @@
+From c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 18 Jan 2016 14:12:40 +0100
+Subject: ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
+
+From: Takashi Iwai
+
+commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.
+
+When a TLV ioctl with numid zero is handled, the driver may spew a
+kernel warning with a stack trace at each call. The check was
+intended obviously only for a kernel driver, but not for a user
+interaction. Let's fix it.
+
+This was spotted by syzkaller fuzzer.
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/control.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_
+ return -EFAULT;
+ if (tlv.length < sizeof(unsigned int) * 2)
+ return -EINVAL;
++ if (!tlv.numid)
++ return -EINVAL;
+ down_read(&card->controls_rwsem);
+ kctl = snd_ctl_find_numid(card, tlv.numid);
+ if (kctl == NULL) {
diff --git a/queue-4.4/alsa-hda-add-fixup-for-dell-latitidue-e6540.patch b/queue-4.4/alsa-hda-add-fixup-for-dell-latitidue-e6540.patch
new file mode 100644
index 00000000000..920c9b0cf77
--- /dev/null
+++ b/queue-4.4/alsa-hda-add-fixup-for-dell-latitidue-e6540.patch
@@ -0,0 +1,30 @@
+From cf52103a218744f3fd18111325c28e95aa9cd226 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 15 Jan 2016 12:59:25 +0100
+Subject: ALSA: hda - Add fixup for Dell Latitidue E6540
+
+From: Takashi Iwai
+
+commit cf52103a218744f3fd18111325c28e95aa9cd226 upstream.
+
+Another Dell model, another fixup entry: Latitude E6540 needs the same
+fixup as other Latitude E series as workaround for noise problems.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=104341
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5331,6 +5331,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),
+ SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS),
+ SND_PCI_QUIRK(0x1028, 0x05bd, "Dell Latitude E6440", ALC292_FIXUP_DELL_E7X),
++ SND_PCI_QUIRK(0x1028, 0x05be, "Dell Latitude E6540", ALC292_FIXUP_DELL_E7X),
+ SND_PCI_QUIRK(0x1028, 0x05ca, "Dell Latitude E7240", ALC292_FIXUP_DELL_E7X),
+ SND_PCI_QUIRK(0x1028, 0x05cb, "Dell Latitude E7440", ALC292_FIXUP_DELL_E7X),
+ SND_PCI_QUIRK(0x1028, 0x05da, "Dell Vostro 5460", ALC290_FIXUP_SUBWOOFER),
diff --git a/queue-4.4/alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch b/queue-4.4/alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch
new file mode 100644
index 00000000000..626b514e636
--- /dev/null
+++ b/queue-4.4/alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch
@@ -0,0 +1,30 @@
+From db8948e653e12b218058bb6696f4a33fa7845f64 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 18 Jan 2016 09:17:30 +0100
+Subject: ALSA: hda - Fix bass pin fixup for ASUS N550JX
+
+From: Takashi Iwai
+
+commit db8948e653e12b218058bb6696f4a33fa7845f64 upstream.
+
+ASUS N550JX (PCI SSID 1043:13df) requires the same fixup for a bass
+speaker output pin as other N550 models.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110001
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6566,6 +6566,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A),
++ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
+ SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
+ SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16),
diff --git a/queue-4.4/alsa-hda-fix-missing-module-loading-with-model-generic-option.patch b/queue-4.4/alsa-hda-fix-missing-module-loading-with-model-generic-option.patch
new file mode 100644
index 00000000000..481ad237c39
--- /dev/null
+++ b/queue-4.4/alsa-hda-fix-missing-module-loading-with-model-generic-option.patch
@@ -0,0 +1,92 @@
+From bca8e988043e39483afd7872a2641f03ed7201a6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 20 Jan 2016 15:46:44 +0100
+Subject: ALSA: hda - Fix missing module loading with model=generic option
+
+From: Takashi Iwai
+
+commit bca8e988043e39483afd7872a2641f03ed7201a6 upstream.
+
+When the generic codec driver is specified via model option or such,
+the hda driver doesn't try to load the generic driver module but still
+loads the codec-specific driver, and this ends up with the binding
+failure.
+
+This patch fixes it by moving the generic module request in the common
+helper code.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111021
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_bind.c | 42 ++++++++++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+--- a/sound/pci/hda/hda_bind.c
++++ b/sound/pci/hda/hda_bind.c
+@@ -174,14 +174,40 @@ static inline bool codec_probed(struct h
+ return device_attach(hda_codec_dev(codec)) > 0 && codec->preset;
+ }
+
+-/* try to auto-load and bind the codec module */
+-static void codec_bind_module(struct hda_codec *codec)
++/* try to auto-load codec module */
++static void request_codec_module(struct hda_codec *codec)
+ {
+ #ifdef MODULE
+ char modalias[32];
++ const char *mod = NULL;
++
++ switch (codec->probe_id) {
++ case HDA_CODEC_ID_GENERIC_HDMI:
++#if IS_MODULE(CONFIG_SND_HDA_CODEC_HDMI)
++ mod = "snd-hda-codec-hdmi";
++#endif
++ break;
++ case HDA_CODEC_ID_GENERIC:
++#if IS_MODULE(CONFIG_SND_HDA_GENERIC)
++ mod = "snd-hda-codec-generic";
++#endif
++ break;
++ default:
++ snd_hdac_codec_modalias(&codec->core, modalias, sizeof(modalias));
++ mod = modalias;
++ break;
++ }
++
++ if (mod)
++ request_module(mod);
++#endif /* MODULE */
++}
+
+- snd_hdac_codec_modalias(&codec->core, modalias, sizeof(modalias));
+- request_module(modalias);
++/* try to auto-load and bind the codec module */
++static void codec_bind_module(struct hda_codec *codec)
++{
++#ifdef MODULE
++ request_codec_module(codec);
+ if (codec_probed(codec))
+ return;
+ #endif
+@@ -218,17 +244,13 @@ static int codec_bind_generic(struct hda
+
+ if (is_likely_hdmi_codec(codec)) {
+ codec->probe_id = HDA_CODEC_ID_GENERIC_HDMI;
+-#if IS_MODULE(CONFIG_SND_HDA_CODEC_HDMI)
+- request_module("snd-hda-codec-hdmi");
+-#endif
++ request_codec_module(codec);
+ if (codec_probed(codec))
+ return 0;
+ }
+
+ codec->probe_id = HDA_CODEC_ID_GENERIC;
+-#if IS_MODULE(CONFIG_SND_HDA_GENERIC)
+- request_module("snd-hda-codec-generic");
+-#endif
++ request_codec_module(codec);
+ if (codec_probed(codec))
+ return 0;
+ return -ENODEV;
diff --git a/queue-4.4/alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch b/queue-4.4/alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch
new file mode 100644
index 00000000000..583b4407f0a
--- /dev/null
+++ b/queue-4.4/alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch
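Review bot: In request_codec_module() (sound/pci/hda/hda_bind.c), `request_module(mod);` hands a runtime string to a printf-style format parameter. The two literal module names are harmless and the modalias is presumably built from numeric codec ids, but snd_hdac_codec_modalias() is not visible in this hunk, so a stray `%` cannot be ruled out from here. `request_module("%s", mod);` removes that dependency. The removed lines used the same pattern, so this is hardening rather than a regression introduced by the patch.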
@@ -0,0 +1,35 @@
+From 0a1f90a982e85f4921bed606a6b41a24f4de2ae1 Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Wed, 13 Jan 2016 11:51:38 +0800
+Subject: ALSA: hda - fix the headset mic detection problem for a Dell laptop
+
+From: Hui Wang
+
+commit 0a1f90a982e85f4921bed606a6b41a24f4de2ae1 upstream.
+
+The machine uses codec alc255, and the pin configuration value for
+pin 0x14 on this machine is 0x90171130 which is not in the pin quirk
+table yet.
+
+BugLink: https://bugs.launchpad.net/bugs/1533461
+Signed-off-by: Hui Wang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5626,6 +5626,10 @@ static const struct snd_hda_pin_quirk al
+ {0x21, 0x02211040}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ {0x12, 0x90a60170},
++ {0x14, 0x90171130},
++ {0x21, 0x02211040}),
++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x12, 0x90a60170},
+ {0x14, 0x90170140},
+ {0x21, 0x02211050}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5548", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
diff --git a/queue-4.4/alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch b/queue-4.4/alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch
new file mode 100644
index 00000000000..ebdca3c3795
--- /dev/null
+++ b/queue-4.4/alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch
@@ -0,0 +1,30 @@
+From 98070576c4f77509459c83cd2358617ef0769a38 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 12 Jan 2016 21:06:39 +0100
+Subject: ALSA: hda - Fix white noise on Dell Latitude E5550
+
+From: Takashi Iwai
+
+commit 98070576c4f77509459c83cd2358617ef0769a38 upstream.
+
+Dell Latitude E5550 (1028:062c) has a white noise problem like other
+Latitude E models, and it gets fixed by the very same quirk as well.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110591
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5339,6 +5339,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x05f6, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x0615, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
+ SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
++ SND_PCI_QUIRK(0x1028, 0x062c, "Dell Latitude E5550", ALC292_FIXUP_DELL_E7X),
+ SND_PCI_QUIRK(0x1028, 0x062e, "Dell Latitude E7450", ALC292_FIXUP_DELL_E7X),
+ SND_PCI_QUIRK(0x1028, 0x0638, "Dell Inspiron 5439", ALC290_FIXUP_MONO_SPEAKERS_HSJACK),
+ SND_PCI_QUIRK(0x1028, 0x064a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
diff --git a/queue-4.4/alsa-hda-fixup-inverted-internal-mic-for-lenovo-e50-80.patch b/queue-4.4/alsa-hda-fixup-inverted-internal-mic-for-lenovo-e50-80.patch
new file mode 100644
index 00000000000..524862201ef
--- /dev/null
+++ b/queue-4.4/alsa-hda-fixup-inverted-internal-mic-for-lenovo-e50-80.patch
@@ -0,0 +1,55 @@
+From 56f27013482c0803d978b667fe85de04ce9357cd Mon Sep 17 00:00:00 2001
+From: David Henningsson
+Date: Mon, 11 Jan 2016 09:33:14 +0100
+Subject: ALSA: hda - Fixup inverted internal mic for Lenovo E50-80
+
+From: David Henningsson
+
+commit 56f27013482c0803d978b667fe85de04ce9357cd upstream.
+
+Inform userspace that one channel of the internal mic has reversed
+polarity, so it does not attempt to add both channels together and
+end up with silence.
+
+Reported-by: Andrzej Mendel
+Alsa-info: http://www.alsa-project.org/db/?f=3088f82a0cf977855f92af9db8ad406c04f71efa
+BugLink: https://bugs.launchpad.net/bugs/1529624
+Signed-off-by: David Henningsson
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4666,6 +4666,7 @@ enum {
+ ALC290_FIXUP_SUBWOOFER,
+ ALC290_FIXUP_SUBWOOFER_HSJACK,
+ ALC269_FIXUP_THINKPAD_ACPI,
++ ALC269_FIXUP_DMIC_THINKPAD_ACPI,
+ ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
+ ALC255_FIXUP_HEADSET_MODE,
+@@ -5103,6 +5104,12 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = hda_fixup_thinkpad_acpi,
+ },
++ [ALC269_FIXUP_DMIC_THINKPAD_ACPI] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_inv_dmic,
++ .chained = true,
++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI,
++ },
+ [ALC255_FIXUP_DELL1_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -5457,6 +5464,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC293_FIXUP_LENOVO_SPK_NOISE),
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
++ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
+ SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
diff --git a/queue-4.4/alsa-hda-flush-the-pending-probe-work-at-remove.patch b/queue-4.4/alsa-hda-flush-the-pending-probe-work-at-remove.patch
new file mode 100644
index 00000000000..987adcbd9cb
--- /dev/null
+++ b/queue-4.4/alsa-hda-flush-the-pending-probe-work-at-remove.patch
@@ -0,0 +1,46 @@
+From 991f86d7ae4e1f8c15806e62f97af519e3cdd860 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 20 Jan 2016 17:19:02 +0100
+Subject: ALSA: hda - Flush the pending probe work at remove
+
+From: Takashi Iwai
+
+commit 991f86d7ae4e1f8c15806e62f97af519e3cdd860 upstream.
+
+As HD-audio driver does deferred probe internally via workqueue, the
+driver might go into the mixed state doing both probe and remove when
+the module gets unloaded during the probe work. This eventually
+triggers an Oops, unsurprisingly.
+
+For avoiding this race, we just need to flush the pending probe work
+explicitly before actually starting the resource release.
+
+Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=960710
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2126,9 +2126,17 @@ i915_power_fail:
+ static void azx_remove(struct pci_dev *pci)
+ {
+ struct snd_card *card = pci_get_drvdata(pci);
++ struct azx *chip;
++ struct hda_intel *hda;
++
++ if (card) {
++ /* flush the pending probing work */
++ chip = card->private_data;
++ hda = container_of(chip, struct hda_intel, chip);
++ flush_work(&hda->probe_work);
+
+- if (card)
+ snd_card_free(card);
++ }
+ }
+
+ static void azx_shutdown(struct pci_dev *pci)
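Review bot: In azx_remove() (sound/pci/hda/hda_intel.c), `flush_work(&hda->probe_work);` waits until the probe work has run to completion, so device removal now blocks on the whole deferred probe and on whatever that work itself waits for. If the goal is only that no probe runs concurrently with `snd_card_free(card)`, `cancel_work_sync(&hda->probe_work);` would also discard a work item that has not started yet; whether the teardown path copes with a probe that never ran is outside this hunk and needs checking. The added block also derives `hda` from `card->private_data` without checking it, which presumably relies on private_data always being set before the drvdata pointer is published.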
diff --git a/queue-4.4/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch b/queue-4.4/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
new file mode 100644
index 00000000000..fa8cad1ec90
--- /dev/null
+++ b/queue-4.4/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
@@ -0,0 +1,54 @@
+From 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 18 Jan 2016 13:52:47 +0100
+Subject: ALSA: hrtimer: Fix stall by hrtimer_cancel()
+
+From: Takashi Iwai
+
+commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream.
+
+hrtimer_cancel() waits for the completion from the callback, thus it
+must not be called inside the callback itself. This was already a
+problem in the past with ALSA hrtimer driver, and the early commit
+[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
+
+However, the previous fix is still insufficient: it may still cause a
+lockup when the ALSA timer instance reprograms itself in its callback.
+Then it invokes the start function even in snd_timer_interrupt() that
+is called in hrtimer callback itself, results in a CPU stall. This is
+no hypothetical problem but actually triggered by syzkaller fuzzer.
+
+This patch tries to fix the issue again. Now we call
+hrtimer_try_to_cancel() at both start and stop functions so that it
+won't fall into a deadlock, yet giving some chance to cancel the queue
+if the functions have been called outside the callback. The proper
+hrtimer_cancel() is called in anyway at closing, so this should be
+enough.
+
+Reported-and-tested-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/hrtimer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/core/hrtimer.c
++++ b/sound/core/hrtimer.c
+@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_
+ struct snd_hrtimer *stime = t->private_data;
+
+ atomic_set(&stime->running, 0);
+- hrtimer_cancel(&stime->hrt);
++ hrtimer_try_to_cancel(&stime->hrt);
+ hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
+ HRTIMER_MODE_REL);
+ atomic_set(&stime->running, 1);
+@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_t
+ {
+ struct snd_hrtimer *stime = t->private_data;
+ atomic_set(&stime->running, 0);
++ hrtimer_try_to_cancel(&stime->hrt);
+ return 0;
+ }
+
diff --git a/queue-4.4/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch b/queue-4.4/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch
new file mode 100644
index 00000000000..be58c678a0d
--- /dev/null
+++ b/queue-4.4/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch
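Review bot: In snd_hrtimer_start() and snd_hrtimer_stop() (sound/core/hrtimer.c) the result of `hrtimer_try_to_cancel(&stime->hrt)` is discarded and the code carries no comment saying why the blocking hrtimer_cancel() must not be used. A comment above each call such as `/* may be called from the hrtimer callback; hrtimer_cancel() would wait for ourselves */` would keep a later cleanup from reverting the change. After snd_hrtimer_stop() returns the callback may still be executing, so anything that frees timer state afterwards depends on the close path calling hrtimer_cancel(), which the commit message states but this hunk does not show.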
@@ -0,0 +1,51 @@
+From 43c54b8c7cfe22f868a751ba8a59abf1724160b1 Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat
+Date: Mon, 18 Jan 2016 21:35:00 +0800
+Subject: ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
+
+From: Nicolas Boichat
+
+commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream.
+
+This reverts one hunk of
+commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
+replaced a number of kmalloc followed by memcpy with memdup calls.
+
+In this case, we are copying from a struct snd_pcm_hw_params32 to
+a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
+the 32-bit version, so we need to separate kmalloc and copy calls.
+
+This actually leads to an out-of-bounds memory access later on
+in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).
+
+Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
+Signed-off-by: Nicolas Boichat
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm_compat.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -255,10 +255,15 @@ static int snd_pcm_ioctl_hw_params_compa
+ if (! (runtime = substream->runtime))
+ return -ENOTTY;
+
+- /* only fifo_size is different, so just copy all */
+- data = memdup_user(data32, sizeof(*data32));
+- if (IS_ERR(data))
+- return PTR_ERR(data);
++ data = kmalloc(sizeof(*data), GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
++
++ /* only fifo_size (RO from userspace) is different, so just copy all */
++ if (copy_from_user(data, data32, sizeof(*data32))) {
++ err = -EFAULT;
++ goto error;
++ }
+
+ if (refine)
+ err = snd_pcm_hw_refine(substream, data);
diff --git a/queue-4.4/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch b/queue-4.4/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
new file mode 100644
index 00000000000..faa4646ff8c
--- /dev/null
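Review bot: In snd_pcm_ioctl_hw_params_compat() (sound/core/pcm_compat.c), `kmalloc(sizeof(*data), GFP_KERNEL)` followed by `copy_from_user(data, data32, sizeof(*data32))` leaves the last `sizeof(*data) - sizeof(*data32)` bytes of the native struct holding stale heap contents. `data = kzalloc(sizeof(*data), GFP_KERNEL);` makes the tail deterministic, so a later whole-struct copy or read cannot pick up old allocator data. The sound/core/seq/seq_compat.c patch further down (snd_seq_call_port_info_ioctl) has the same kmalloc-then-partial-copy pattern and would take the same change. The function continues past the hunk (the `error` label and the copy back to user space are not shown), so whether the tail is ever read cannot be confirmed from here.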
+++ b/queue-4.4/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
@@ -0,0 +1,34 @@
+From 030e2c78d3a91dd0d27fef37e91950dde333eba1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 12 Jan 2016 12:38:02 +0100
+Subject: ALSA: seq: Fix missing NULL check at remove_events ioctl
+
+From: Takashi Iwai
+
+commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream.
+
+snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
+unconditionally even if there is no FIFO assigned, and this leads to
+an Oops due to NULL dereference. The fix is just to add a proper NULL
+check.
+
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(s
+ * No restrictions so for a user client we can clear
+ * the whole fifo
+ */
+- if (client->type == USER_CLIENT)
++ if (client->type == USER_CLIENT && client->data.user.fifo)
+ snd_seq_fifo_clear(client->data.user.fifo);
+ }
+
diff --git a/queue-4.4/alsa-seq-fix-race-at-timer-setup-and-close.patch b/queue-4.4/alsa-seq-fix-race-at-timer-setup-and-close.patch
new file mode 100644
index 00000000000..f6b1e76b663
--- /dev/null
+++ b/queue-4.4/alsa-seq-fix-race-at-timer-setup-and-close.patch
@@ -0,0 +1,38 @@
+From 3567eb6af614dac436c4b16a8d426f9faed639b3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 12 Jan 2016 15:36:27 +0100
+Subject: ALSA: seq: Fix race at timer setup and close
+
+From: Takashi Iwai
+
+commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.
+
+ALSA sequencer code has an open race between the timer setup ioctl and
+the close of the client. This was triggered by syzkaller fuzzer, and
+a use-after-free was caught there as a result.
+
+This patch papers over it by adding a proper queue->timer_mutex lock
+around the timer-related calls in the relevant code path.
+
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_queue.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(i
+ static void queue_delete(struct snd_seq_queue *q)
+ {
+ /* stop and release the timer */
++ mutex_lock(&q->timer_mutex);
+ snd_seq_timer_stop(q->timer);
+ snd_seq_timer_close(q);
++ mutex_unlock(&q->timer_mutex);
+ /* wait until access free */
+ snd_use_lock_sync(&q->use_lock);
+ /* release resources... */
diff --git a/queue-4.4/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch b/queue-4.4/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch
new file mode 100644
index 00000000000..1d55a006631
--- /dev/null
+++ b/queue-4.4/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch
@@ -0,0 +1,45 @@
+From 9586495dc3011a80602329094e746dbce16cb1f1 Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat
+Date: Mon, 18 Jan 2016 21:35:01 +0800
+Subject: ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
+
+From: Nicolas Boichat
+
+commit 9586495dc3011a80602329094e746dbce16cb1f1 upstream.
+
+This reverts one hunk of
+commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
+replaced a number of kmalloc followed by memcpy with memdup calls.
+
+In this case, we are copying from a struct snd_seq_port_info32 to a
+struct snd_seq_port_info, but the latter is 4 bytes longer than the
+32-bit version, so we need to separate kmalloc and copy calls.
+
+Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
+Signed-off-by: Nicolas Boichat
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_compat.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_compat.c
++++ b/sound/core/seq/seq_compat.c
+@@ -49,11 +49,12 @@ static int snd_seq_call_port_info_ioctl(
+ struct snd_seq_port_info *data;
+ mm_segment_t fs;
+
+- data = memdup_user(data32, sizeof(*data32));
+- if (IS_ERR(data))
+- return PTR_ERR(data);
++ data = kmalloc(sizeof(*data), GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+- if (get_user(data->flags, &data32->flags) ||
++ if (copy_from_user(data, data32, sizeof(*data32)) ||
++ get_user(data->flags, &data32->flags) ||
+ get_user(data->time_queue, &data32->time_queue))
+ goto error;
+ data->kernel = NULL;
diff --git a/queue-4.4/alsa-timer-fix-double-unlink-of-active_list.patch b/queue-4.4/alsa-timer-fix-double-unlink-of-active_list.patch
new file mode 100644
index 00000000000..f448968668b
--- /dev/null
+++ b/queue-4.4/alsa-timer-fix-double-unlink-of-active_list.patch
@@ -0,0 +1,37 @@
+From ee8413b01045c74340aa13ad5bdf905de32be736 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 13 Jan 2016 21:35:06 +0100
+Subject: ALSA: timer: Fix double unlink of active_list
+
+From: Takashi Iwai
+
+commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream.
+
+ALSA timer instance object has a couple of linked lists and they are
+unlinked unconditionally at snd_timer_stop(). Meanwhile
+snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
+the element list itself unchanged. This ends up with unlinking twice,
+and it was caught by syzkaller fuzzer.
+
+The fix is to use list_del_init() variant properly there, too.
+
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -704,7 +704,7 @@ void snd_timer_interrupt(struct snd_time
+ } else {
+ ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ if (--timer->running)
+- list_del(&ti->active_list);
++ list_del_init(&ti->active_list);
+ }
+ if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
+ (ti->flags & SNDRV_TIMER_IFLG_FAST))
diff --git a/queue-4.4/alsa-timer-fix-race-among-timer-ioctls.patch b/queue-4.4/alsa-timer-fix-race-among-timer-ioctls.patch
new file mode 100644
index 00000000000..da35899f462
--- /dev/null
+++ b/queue-4.4/alsa-timer-fix-race-among-timer-ioctls.patch
@@ -0,0 +1,122 @@
+From af368027a49a751d6ff4ee9e3f9961f35bb4fede Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 13 Jan 2016 17:48:01 +0100
+Subject: ALSA: timer: Fix race among timer ioctls
+
+From: Takashi Iwai
+
+commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream.
+
+ALSA timer ioctls have an open race and this may lead to a
+use-after-free of timer instance object. A simplistic fix is to make
+each ioctl exclusive. We have already tread_sem for controlling the
+tread, and extend this as a global mutex to be applied to each ioctl.
+
+The downside is, of course, the worse concurrency. But these ioctls
+aren't to be parallel accessible, in anyway, so it should be fine to
+serialize there.
+
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -73,7 +73,7 @@ struct snd_timer_user {
+ struct timespec tstamp; /* trigger tstamp */
+ wait_queue_head_t qchange_sleep;
+ struct fasync_struct *fasync;
+- struct mutex tread_sem;
++ struct mutex ioctl_lock;
+ };
+
+ /* list of timers */
+@@ -1263,7 +1263,7 @@ static int snd_timer_user_open(struct in
+ return -ENOMEM;
+ spin_lock_init(&tu->qlock);
+ init_waitqueue_head(&tu->qchange_sleep);
+- mutex_init(&tu->tread_sem);
++ mutex_init(&tu->ioctl_lock);
+ tu->ticks = 1;
+ tu->queue_size = 128;
+ tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
+@@ -1283,8 +1283,10 @@ static int snd_timer_user_release(struct
+ if (file->private_data) {
+ tu = file->private_data;
+ file->private_data = NULL;
++ mutex_lock(&tu->ioctl_lock);
+ if (tu->timeri)
+ snd_timer_close(tu->timeri);
++ mutex_unlock(&tu->ioctl_lock);
+ kfree(tu->queue);
+ kfree(tu->tqueue);
+ kfree(tu);
+@@ -1522,7 +1524,6 @@ static int snd_timer_user_tselect(struct
+ int err = 0;
+
+ tu = file->private_data;
+- mutex_lock(&tu->tread_sem);
+ if (tu->timeri) {
+ snd_timer_close(tu->timeri);
+ tu->timeri = NULL;
+@@ -1566,7 +1567,6 @@ static int snd_timer_user_tselect(struct
+ }
+
+ __err:
+- mutex_unlock(&tu->tread_sem);
+ return err;
+ }
+
+@@ -1779,7 +1779,7 @@ enum {
+ SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
+ };
+
+-static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
++static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg)
+ {
+ struct snd_timer_user *tu;
+@@ -1796,17 +1796,11 @@ static long snd_timer_user_ioctl(struct
+ {
+ int xarg;
+
+- mutex_lock(&tu->tread_sem);
+- if (tu->timeri) { /* too late */
+- mutex_unlock(&tu->tread_sem);
++ if (tu->timeri) /* too late */
+ return -EBUSY;
+- }
+- if (get_user(xarg, p)) {
+- mutex_unlock(&tu->tread_sem);
++ if (get_user(xarg, p))
+ return -EFAULT;
+- }
+ tu->tread = xarg ? 1 : 0;
+- mutex_unlock(&tu->tread_sem);
+ return 0;
+ }
+ case SNDRV_TIMER_IOCTL_GINFO:
+@@ -1839,6 +1833,18 @@ static long snd_timer_user_ioctl(struct
+ return -ENOTTY;
+ }
+
++static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct snd_timer_user *tu = file->private_data;
++ long ret;
++
++ mutex_lock(&tu->ioctl_lock);
++ ret = __snd_timer_user_ioctl(file, cmd, arg);
++ mutex_unlock(&tu->ioctl_lock);
++ return ret;
++}
++
+ static int snd_timer_user_fasync(int fd, struct file * file, int on)
+ {
+ struct snd_timer_user *tu;
diff --git a/queue-4.4/alsa-timer-handle-disconnection-more-safely.patch b/queue-4.4/alsa-timer-handle-disconnection-more-safely.patch
new file mode 100644
index 00000000000..9f34021da83
--- /dev/null
+++ b/queue-4.4/alsa-timer-handle-disconnection-more-safely.patch
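Review bot: `ioctl_lock` is taken only in the new snd_timer_user_ioctl() wrapper and in snd_timer_user_release(), so it serialises ioctls against each other but not against the other file operations on the same `tu`. If the read or poll paths use `tu->tread`, `tu->timeri` or the queues that an ioctl can change, those accesses stay unserialised; that cannot be confirmed from these hunks and should be checked before treating this as the complete fix for the use-after-free. Separately, `__snd_timer_user_ioctl()` and snd_timer_user_tselect() now rely on the caller holding the mutex, which deserves a comment such as `/* called with tu->ioctl_lock held */` above both. Any other caller of the unlocked helper (a compat ioctl path, if there is one) would have to take the mutex itself.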
@@ -0,0 +1,185 @@
+From 230323dac060123c340cf75997971145a42661ee Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 21 Jan 2016 17:19:31 +0100
+Subject: ALSA: timer: Handle disconnection more safely
+
+From: Takashi Iwai
+
+commit 230323dac060123c340cf75997971145a42661ee upstream.
+
+Currently ALSA timer device doesn't take the disconnection into
+account very well; it merely unlinks the timer device at disconnection
+callback but does nothing else. Because of this, when an application
+accessing the timer device is disconnected, it may release the
+resource before actually closed. In most cases, it results in a
+warning message indicating a leftover timer instance like:
+ ALSA: timer xxxx is busy?
+But basically this is an open race.
+
+This patch tries to address it. The strategy is like other ALSA
+devices: namely,
+- Manage card's refcount at each open/close
+- Wake up the pending tasks at disconnection
+- Check the shutdown flag appropriately at each possible call
+
+Note that this patch has one ugly hack to handle the wakeup of pending
+tasks. It'd be cleaner to introduce a new disconnect op to
+snd_timer_instance ops. But since it would lead to internal ABI
+breakage and it eventually increase my own work when backporting to
+stable kernels, I took a different path to implement locally in
+timer.c. A cleanup patch will follow at next for 4.5 kernel.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -65,6 +65,7 @@ struct snd_timer_user {
+ int qtail;
+ int qused;
+ int queue_size;
++ bool disconnected;
+ struct snd_timer_read *queue;
+ struct snd_timer_tread *tqueue;
+ spinlock_t qlock;
+@@ -290,6 +291,9 @@ int snd_timer_open(struct snd_timer_inst
+ mutex_unlock(®ister_mutex);
+ return -ENOMEM;
+ }
++ /* take a card refcount for safe disconnection */
++ if (timer->card)
++ get_device(&timer->card->card_dev);
+ timeri->slave_class = tid->dev_sclass;
+ timeri->slave_id = slave_id;
+ if (list_empty(&timer->open_list_head) && timer->hw.open)
+@@ -360,6 +364,9 @@ int snd_timer_close(struct snd_timer_ins
+ }
+ spin_unlock(&timer->lock);
+ spin_unlock_irq(&slave_active_lock);
++ /* release a card refcount for safe disconnection */
++ if (timer->card)
++ put_device(&timer->card->card_dev);
+ mutex_unlock(®ister_mutex);
+ }
+ out:
+@@ -475,6 +482,8 @@ int snd_timer_start(struct snd_timer_ins
+ timer = timeri->timer;
+ if (timer == NULL)
+ return -EINVAL;
++ if (timer->card && timer->card->shutdown)
++ return -ENODEV;
+ spin_lock_irqsave(&timer->lock, flags);
+ timeri->ticks = timeri->cticks = ticks;
+ timeri->pticks = 0;
+@@ -509,6 +518,10 @@ static int _snd_timer_stop(struct snd_ti
+ spin_lock_irqsave(&timer->lock, flags);
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
++ if (timer->card && timer->card->shutdown) {
++ spin_unlock_irqrestore(&timer->lock, flags);
++ return 0;
++ }
+ if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
+ !(--timer->running)) {
+ timer->hw.stop(timer);
+@@ -571,6 +584,8 @@ int snd_timer_continue(struct snd_timer_
+ timer = timeri->timer;
+ if (! timer)
+ return -EINVAL;
++ if (timer->card && timer->card->shutdown)
++ return -ENODEV;
+ spin_lock_irqsave(&timer->lock, flags);
+ if (!timeri->cticks)
+ timeri->cticks = 1;
+@@ -634,6 +649,9 @@ static void snd_timer_tasklet(unsigned l
+ unsigned long resolution, ticks;
+ unsigned long flags;
+
++ if (timer->card && timer->card->shutdown)
++ return;
++
+ spin_lock_irqsave(&timer->lock, flags);
+ /* now process all callbacks */
+ while (!list_empty(&timer->sack_list_head)) {
+@@ -674,6 +692,9 @@ void snd_timer_interrupt(struct snd_time
+ if (timer == NULL)
+ return;
+
++ if (timer->card && timer->card->shutdown)
++ return;
++
+ spin_lock_irqsave(&timer->lock, flags);
+
+ /* remember the current resolution */
+@@ -884,11 +905,28 @@ static int snd_timer_dev_register(struct
+ return 0;
+ }
+
++/* just for reference in snd_timer_dev_disconnect() below */
++static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
++ int event, struct timespec *tstamp,
++ unsigned long resolution);
++
+ static int snd_timer_dev_disconnect(struct snd_device *device)
+ {
+ struct snd_timer *timer = device->device_data;
++ struct snd_timer_instance *ti;
++
+ mutex_lock(®ister_mutex);
+ list_del_init(&timer->device_list);
++ /* wake up pending sleepers */
++ list_for_each_entry(ti, &timer->open_list_head, open_list) {
++ /* FIXME: better to have a ti.disconnect() op */
++ if (ti->ccallback == snd_timer_user_ccallback) {
++ struct snd_timer_user *tu = ti->callback_data;
++
++ tu->disconnected = true;
++ wake_up(&tu->qchange_sleep);
++ }
++ }
+ mutex_unlock(®ister_mutex);
+ return 0;
+ }
+@@ -899,6 +937,8 @@ void snd_timer_notify(struct snd_timer *
+ unsigned long resolution = 0;
+ struct snd_timer_instance *ti, *ts;
+
++ if (timer->card && timer->card->shutdown)
++ return;
+ if (! (timer->hw.flags & SNDRV_TIMER_HW_SLAVE))
+ return;
+ if (snd_BUG_ON(event < SNDRV_TIMER_EVENT_MSTART ||
+@@ -1057,6 +1097,8 @@ static void snd_timer_proc_read(struct s
+
+ mutex_lock(®ister_mutex);
+ list_for_each_entry(timer, &snd_timer_list, device_list) {
++ if (timer->card && timer->card->shutdown)
++ continue;
+ switch (timer->tmr_class) {
+ case SNDRV_TIMER_CLASS_GLOBAL:
+ snd_iprintf(buffer, "G%i: ", timer->tmr_device);
+@@ -1882,6 +1924,10 @@ static ssize_t snd_timer_user_read(struc
+
+ remove_wait_queue(&tu->qchange_sleep, &wait);
+
++ if (tu->disconnected) {
++ err = -ENODEV;
++ break;
++ }
+ if (signal_pending(current)) {
+ err = -ERESTARTSYS;
+ break;
+@@ -1931,6 +1977,8 @@ static unsigned int snd_timer_user_poll(
+ mask = 0;
+ if (tu->qused)
+ mask |= POLLIN | POLLRDNORM;
++ if (tu->disconnected)
++ mask |= POLLERR;
+
+ return mask;
+ }
diff --git a/queue-4.4/alsa-timer-harden-slave-timer-list-handling.patch b/queue-4.4/alsa-timer-harden-slave-timer-list-handling.patch
new file mode 100644
index 00000000000..89acb1f0f56
--- /dev/null
+++ b/queue-4.4/alsa-timer-harden-slave-timer-list-handling.patch
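Review bot: In snd_timer_start() and snd_timer_continue() the new `timer->card->shutdown` test runs before `timer->lock` is taken, so a disconnect that lands between the test and the lock goes unnoticed and the timer can still be started; _snd_timer_stop() in the same patch tests the flag under the lock. Moving the test below `spin_lock_irqsave(&timer->lock, flags);`, with an unlock on the `-ENODEV` path, would at least make the three consistent, although it closes the window only if `shutdown` is ordered against that lock, which these hunks do not show. `tu->disconnected` is likewise written under `register_mutex` in snd_timer_dev_disconnect() but read in snd_timer_user_read() and snd_timer_user_poll() without it; that looks acceptable only because of the `wake_up()` that follows, and a comment saying so would help. All of these functions extend beyond their hunks.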
@@ -0,0 +1,101 @@
+From b5a663aa426f4884c71cd8580adae73f33570f0d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 14 Jan 2016 16:30:58 +0100
+Subject: ALSA: timer: Harden slave timer list handling
+
+From: Takashi Iwai
+
+commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.
+
+A slave timer instance might be still accessible in a racy way while
+operating the master instance as it lacks of locking. Since the
+master operation is mostly protected with timer->lock, we should cope
+with it while changing the slave instance, too. Also, some linked
+lists (active_list and ack_list) of slave instances aren't unlinked
+immediately at stopping or closing, and this may lead to unexpected
+accesses.
+
+This patch tries to address these issues. It adds spin lock of
+timer->lock (either from master or slave, which is equivalent) in a
+few places. For avoiding a deadlock, we ensure that the global
+slave_active_lock is always locked at first before each timer lock.
+
+Also, ack and active_list of slave instances are properly unlinked at
+snd_timer_stop() and snd_timer_close().
+
+Last but not least, remove the superfluous call of _snd_timer_stop()
+at removing slave links. This is a noop, and calling it may confuse
+readers wrt locking. Further cleanup will follow in a later patch.
+
+Actually we've got reports of use-after-free by syzkaller fuzzer, and
+this hopefully fixes these issues.
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -215,11 +215,13 @@ static void snd_timer_check_master(struc
+ slave->slave_id == master->slave_id) {
+ list_move_tail(&slave->open_list, &master->slave_list_head);
+ spin_lock_irq(&slave_active_lock);
++ spin_lock(&master->timer->lock);
+ slave->master = master;
+ slave->timer = master->timer;
+ if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
+ list_add_tail(&slave->active_list,
+ &master->slave_active_head);
++ spin_unlock(&master->timer->lock);
+ spin_unlock_irq(&slave_active_lock);
+ }
+ }
+@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_ins
+ timer->hw.close)
+ timer->hw.close(timer);
+ /* remove slave links */
++ spin_lock_irq(&slave_active_lock);
++ spin_lock(&timer->lock);
+ list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
+ open_list) {
+- spin_lock_irq(&slave_active_lock);
+- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
+ list_move_tail(&slave->open_list, &snd_timer_slave_list);
+ slave->master = NULL;
+ slave->timer = NULL;
+- spin_unlock_irq(&slave_active_lock);
++ list_del_init(&slave->ack_list);
++ list_del_init(&slave->active_list);
+ }
++ spin_unlock(&timer->lock);
++ spin_unlock_irq(&slave_active_lock);
+ mutex_unlock(®ister_mutex);
+ }
+ out:
+@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct
+
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
+- if (timeri->master)
++ if (timeri->master && timeri->timer) {
++ spin_lock(&timeri->timer->lock);
+ list_add_tail(&timeri->active_list,
+ &timeri->master->slave_active_head);
++ spin_unlock(&timeri->timer->lock);
++ }
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ return 1; /* delayed start */
+ }
+@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_ti
+ if (!keep_flag) {
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
++ list_del_init(&timeri->ack_list);
++ list_del_init(&timeri->active_list);
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ }
+ goto __end;
diff --git a/queue-4.4/alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch b/queue-4.4/alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch
new file mode 100644
index 00000000000..15d9f1e785a
--- /dev/null
+++ b/queue-4.4/alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch
@@ -0,0 +1,30 @@
+From a4eae3a506ea4a7d4474cd74e20b423fa8053d91 Mon Sep 17 00:00:00 2001
+From: Jurgen Kramer
+Date: Mon, 11 Jan 2016 08:16:58 +0100
+Subject: ALSA: usb: Add native DSD support for Oppo HA-1
+
+From: Jurgen Kramer
+
+commit a4eae3a506ea4a7d4474cd74e20b423fa8053d91 upstream.
+
+This patch adds native DSD support for the Oppo HA-1. It uses a XMOS chipset
+but they use their own vendor ID.
+
+Signed-off-by: Jurgen Kramer
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1269,6 +1269,7 @@ u64 snd_usb_interface_dsd_format_quirks(
+ case USB_ID(0x20b1, 0x3008): /* iFi Audio micro/nano iDSD */
+ case USB_ID(0x20b1, 0x2008): /* Matrix Audio X-Sabre */
+ case USB_ID(0x20b1, 0x300a): /* Matrix Audio Mini-i Pro */
++ case USB_ID(0x22d8, 0x0416): /* OPPO HA-1*/
+ if (fp->altsetting == 2)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ break;
diff --git a/queue-4.4/alsa-usb-audio-avoid-calling-usb_autopm_put_interface-at-disconnect.patch b/queue-4.4/alsa-usb-audio-avoid-calling-usb_autopm_put_interface-at-disconnect.patch
new file mode 100644
index 00000000000..05c01a3ef54
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-avoid-calling-usb_autopm_put_interface-at-disconnect.patch
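Review bot: In the slave branch of _snd_timer_stop() the two added `list_del_init()` calls run under `slave_active_lock` only, while every other list change this patch adds (in snd_timer_check_master(), snd_timer_close() and snd_timer_start_slave()) also takes `timer->lock`. The commit message says the master-side operation is protected by `timer->lock`, so a slave being stopped can still have `ack_list` and `active_list` unlinked while code holding only `timer->lock` walks those lists. Taking the lock here as well, in the same order, would close that gap: `if (timeri->timer) spin_lock(&timeri->timer->lock);` before the two calls and the matching `spin_unlock()` after them. The function begins before and continues after the hunk.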
@@ -0,0 +1,62 @@
+From 5c06d68bc2a174a6b82dce9f100f55173b9a5189 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 12 Jan 2016 14:03:33 +0100
+Subject: ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect
+
+From: Takashi Iwai
+
+commit 5c06d68bc2a174a6b82dce9f100f55173b9a5189 upstream.
+
+ALSA PCM may still have a leftover instance after disconnection and
+it delays its release. The problem is that the PCM close code path of
+USB-audio driver has a call of snd_usb_autosuspend(). This involves
+with the call of usb_autopm_put_interface() and it may lead to a
+kernel Oops due to the NULL object like:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000190
+ IP: [] usb_autopm_put_interface+0xf/0x30 PGD 0
+ Call Trace:
+ [] snd_usb_autosuspend+0x14/0x20
+ [] snd_usb_pcm_close.isra.14+0x5c/0x90
+ [] snd_usb_playback_close+0xf/0x20
+ [] snd_pcm_release_substream.part.36+0x3a/0x90
+ [] snd_pcm_release+0xa3/0xb0
+ [] snd_disconnect_release+0xd0/0xe0
+ [] __fput+0x97/0x1d0
+ [] ____fput+0x9/0x10
+ [] task_work_run+0x72/0x90
+ [] do_exit+0x280/0xa80
+ [] do_group_exit+0x3a/0xa0
+ [] get_signal+0x1df/0x540
+ [] do_signal+0x23/0x620
+ [] ? do_readv_writev+0x128/0x200
+ [] prepare_exit_to_usermode+0x91/0xd0
+ [] syscall_return_slowpath+0x9a/0x120
+ [] ? __sys_recvmsg+0x5d/0x70
+ [] ? ktime_get_ts64+0x45/0xe0
+ [] ? SyS_poll+0x60/0xf0
+ [] int_ret_from_sys_call+0x25/0x8f
+
+We have already a check of disconnection in snd_usb_autoresume(), but
+the check is missing its counterpart. The fix is just to put the same
+check in snd_usb_autosuspend(), too.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/card.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -675,6 +675,8 @@ int snd_usb_autoresume(struct snd_usb_au
+
+ void snd_usb_autosuspend(struct snd_usb_audio *chip)
+ {
++ if (atomic_read(&chip->shutdown))
++ return;
+ if (atomic_dec_and_test(&chip->active))
+ usb_autopm_put_interface(chip->pm_intf);
+ }
diff --git a/queue-4.4/alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch b/queue-4.4/alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch
new file mode 100644
index 00000000000..90cf0a995b2
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch
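Review bot: The new early return in snd_usb_autosuspend() skips `atomic_dec_and_test(&chip->active)` as well as the put, so `chip->active` stays elevated after a disconnect; that is harmless only if nothing reads the counter once `shutdown` is set, which should be stated in a comment. The `atomic_read(&chip->shutdown)` test and `usb_autopm_put_interface(chip->pm_intf)` are also two separate steps, so a disconnect arriving between them still reaches the put with whatever `pm_intf` holds at that point. If the disconnect path is not already serialised against PCM close, the check needs the same lock that protects `pm_intf`; this cannot be determined from the hunk.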
@@ -0,0 +1,34 @@
+From c4a359a0049f2e17b012b31e801e96566f6391e5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 13 Jan 2016 07:20:13 +0100
+Subject: ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
+
+From: Takashi Iwai
+
+commit c4a359a0049f2e17b012b31e801e96566f6391e5 upstream.
+
+The commit [da6d276957ea: ALSA: usb-audio: Add resume support for
+Native Instruments controls] brought a regression where the Native
+Instrument audio devices don't get the correct value at update due to
+the missing shift at writing. This patch addresses it.
+
+Fixes: da6d276957ea ('ALSA: usb-audio: Add resume support for Native Instruments controls')
+Reported-and-tested-by: Owen Williams
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer_quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -793,7 +793,7 @@ static int snd_nativeinstruments_control
+ return 0;
+
+ kcontrol->private_value &= ~(0xff << 24);
+- kcontrol->private_value |= newval;
++ kcontrol->private_value |= (unsigned int)newval << 24;
+ err = snd_ni_update_cur_val(list);
+ return err < 0 ? err : 1;
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
index ce80e98f204..27c22baa907 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
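Review bot: The added line shifts `newval` into bits 24–31 without masking it, while the line above clears exactly `0xff << 24`; a value above 0xff would silently lose its high bits rather than be rejected. If the range is not already enforced earlier in the function (not visible in this hunk), `((unsigned int)newval & 0xff) << 24` makes the store match the mask. The mask itself still uses a signed `0xff << 24`; writing it as `0xffU << 24` would keep both lines in unsigned arithmetic.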
@@ -7,3 +7,23 @@ x86-reboot-quirks-add-imac10-1-to-pci_reboot_dmi_table.patch
 x86-boot-double-boot_heap_size-to-64kb.patch
 x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch
 x86-mm-improve-switch_mm-barrier-comments.patch
+alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch
+alsa-hda-fixup-inverted-internal-mic-for-lenovo-e50-80.patch
+alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
+alsa-usb-audio-avoid-calling-usb_autopm_put_interface-at-disconnect.patch
+alsa-seq-fix-race-at-timer-setup-and-close.patch
+alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch
+alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch
+alsa-timer-harden-slave-timer-list-handling.patch
+alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch
+alsa-timer-fix-race-among-timer-ioctls.patch
+alsa-timer-fix-double-unlink-of-active_list.patch
+alsa-hda-add-fixup-for-dell-latitidue-e6540.patch
+alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch
+alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch
+alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
+alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch
+alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch
+alsa-hda-fix-missing-module-loading-with-model-generic-option.patch
+alsa-hda-flush-the-pending-probe-work-at-remove.patch
+alsa-timer-handle-disconnection-more-safely.patch
-- 2.47.3