From a0d811fa8569f4b0b9747eea5c696e544a5de97a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 18 Nov 2019 16:33:30 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
	alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch
	alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch
	input-ff-memless-kill-timer-in-destroy.patch
---
 ...error-check-at-mixer-resolution-test.patch | 46 +++++++++++++++++++
 ...-not-submit-urb-for-stopped-endpoint.patch | 44 ++++++++++++++++++
 ...put-ff-memless-kill-timer-in-destroy.patch | 40 ++++++++++++++++
 queue-4.4/series                              |  3 ++
 4 files changed, 133 insertions(+)
 create mode 100644 queue-4.4/alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch
 create mode 100644 queue-4.4/alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch
 create mode 100644 queue-4.4/input-ff-memless-kill-timer-in-destroy.patch

diff --git a/queue-4.4/alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch b/queue-4.4/alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch
new file mode 100644
index 00000000000..842d9d9d192
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch
@@ -0,0 +1,46 @@
+From 167beb1756791e0806365a3f86a0da10d7a327ee Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 9 Nov 2019 19:16:58 +0100
+Subject: ALSA: usb-audio: Fix missing error check at mixer resolution test
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 167beb1756791e0806365a3f86a0da10d7a327ee upstream.
+
+A check of the return value from get_cur_mix_raw() is missing at the
+resolution test code in get_min_max_with_quirks(), which may leave the
+variable untouched, leading to a random uninitialized value, as
+detected by syzkaller fuzzer.
+
+Add the missing return error check for fixing that.
+
+Reported-and-tested-by: syzbot+abe1ab7afc62c6bb6377@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191109181658.30368-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1045,7 +1045,8 @@ static int get_min_max_with_quirks(struc
+ 		if (cval->min + cval->res < cval->max) {
+ 			int last_valid_res = cval->res;
+ 			int saved, test, check;
+-			get_cur_mix_raw(cval, minchn, &saved);
++			if (get_cur_mix_raw(cval, minchn, &saved) < 0)
++				goto no_res_check;
+ 			for (;;) {
+ 				test = saved;
+ 				if (test < cval->max)
+@@ -1065,6 +1066,7 @@ static int get_min_max_with_quirks(struc
+ 			snd_usb_set_cur_mix_value(cval, minchn, 0, saved);
+ 		}
+ 
++no_res_check:
+ 		cval->initialized = 1;
+ 	}
+ 
diff --git a/queue-4.4/alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch b/queue-4.4/alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch
new file mode 100644
index 00000000000..d42af6932af
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch
@@ -0,0 +1,44 @@
+From 528699317dd6dc722dccc11b68800cf945109390 Mon Sep 17 00:00:00 2001
+From: Henry Lin <henryl@nvidia.com>
+Date: Wed, 13 Nov 2019 10:14:19 +0800
+Subject: ALSA: usb-audio: not submit urb for stopped endpoint
+
+From: Henry Lin <henryl@nvidia.com>
+
+commit 528699317dd6dc722dccc11b68800cf945109390 upstream.
+
+While output urb's snd_complete_urb() is executing, calling
+prepare_outbound_urb() may cause endpoint stopped before
+prepare_outbound_urb() returns and result in next urb submitted
+to stopped endpoint. usb-audio driver cannot re-use it afterwards as
+the urb is still hold by usb stack.
+
+This change checks EP_FLAG_RUNNING flag after prepare_outbound_urb() again
+to let snd_complete_urb() know the endpoint already stopped and does not
+submit next urb. Below kind of error will be fixed:
+
+[  213.153103] usb 1-2: timeout: still 1 active urbs on EP #1
+[  213.164121] usb 1-2: cannot submit urb 0, error -16: unknown error
+
+Signed-off-by: Henry Lin <henryl@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191113021420.13377-1-henryl@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/endpoint.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -403,6 +403,9 @@ static void snd_complete_urb(struct urb
+ 		}
+ 
+ 		prepare_outbound_urb(ep, ctx);
++		/* can be stopped during prepare callback */
++		if (unlikely(!test_bit(EP_FLAG_RUNNING, &ep->flags)))
++			goto exit_clear;
+ 	} else {
+ 		retire_inbound_urb(ep, ctx);
+ 		/* can be stopped during retire callback */
diff --git a/queue-4.4/input-ff-memless-kill-timer-in-destroy.patch b/queue-4.4/input-ff-memless-kill-timer-in-destroy.patch
new file mode 100644
index 00000000000..f909816c56d
--- /dev/null
+++ b/queue-4.4/input-ff-memless-kill-timer-in-destroy.patch
@@ -0,0 +1,40 @@
+From fa3a5a1880c91bb92594ad42dfe9eedad7996b86 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Fri, 15 Nov 2019 11:35:05 -0800
+Subject: Input: ff-memless - kill timer in destroy()
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream.
+
+No timer must be left running when the device goes away.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/ff-memless.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/ff-memless.c
++++ b/drivers/input/ff-memless.c
+@@ -501,6 +501,15 @@ static void ml_ff_destroy(struct ff_devi
+ {
+ 	struct ml_device *ml = ff->private;
+ 
++	/*
++	 * Even though we stop all playing effects when tearing down
++	 * an input device (via input_device_flush() that calls into
++	 * input_ff_flush() that stops and erases all effects), we
++	 * do not actually stop the timer, and therefore we should
++	 * do it here.
++	 */
++	del_timer_sync(&ml->timer);
++
+ 	kfree(ml->private);
+ }
+ 
diff --git a/queue-4.4/series b/queue-4.4/series
index a6c833112f5..1bb1d19387b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,2 +1,5 @@
 slip-fix-memory-leak-in-slip_open-error-path.patch
 ax88172a-fix-information-leak-on-short-answers.patch
+alsa-usb-audio-fix-missing-error-check-at-mixer-resolution-test.patch
+alsa-usb-audio-not-submit-urb-for-stopped-endpoint.patch
+input-ff-memless-kill-timer-in-destroy.patch
-- 
2.47.3