3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Feb 2018 15:48:11 +0000 (16:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Feb 2018 15:48:11 +0000 (16:48 +0100)
added patches:
alsa-seq-fix-racy-pool-initializations.patch
alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
btrfs-fix-deadlock-in-run_delalloc_nocow.patch

queue-3.18/alsa-seq-fix-racy-pool-initializations.patch [new file with mode: 0644]
queue-3.18/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch [new file with mode: 0644]
queue-3.18/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch [new file with mode: 0644]
queue-3.18/btrfs-fix-deadlock-in-run_delalloc_nocow.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/alsa-seq-fix-racy-pool-initializations.patch b/queue-3.18/alsa-seq-fix-racy-pool-initializations.patch
new file mode 100644 (file)
index 0000000..4cf4dec
--- /dev/null
@@ -0,0 +1,60 @@
+From d15d662e89fc667b90cd294b0eb45694e33144da Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Feb 2018 15:20:51 +0100
+Subject: ALSA: seq: Fix racy pool initializations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.
+
+ALSA sequencer core initializes the event pool on demand by invoking
+snd_seq_pool_init() when the first write happens and the pool is
+empty.  Meanwhile user can reset the pool size manually via ioctl
+concurrently, and this may lead to UAF or out-of-bound accesses since
+the function tries to vmalloc / vfree the buffer.
+
+A simple fix is to just wrap the snd_seq_pool_init() call with the
+recently introduced client->ioctl_mutex; as the calls for
+snd_seq_pool_init() from other side are always protected with this
+mutex, we can avoid the race.
+
+Reported-by: 范龙飞 <long7573@126.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1012,7 +1012,7 @@ static ssize_t snd_seq_write(struct file
+ {
+       struct snd_seq_client *client = file->private_data;
+       int written = 0, len;
+-      int err = -EINVAL;
++      int err;
+       struct snd_seq_event event;
+       if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
+@@ -1027,11 +1027,15 @@ static ssize_t snd_seq_write(struct file
+       /* allocate the pool now if the pool is not allocated yet */ 
+       if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+-              if (snd_seq_pool_init(client->pool) < 0)
++              mutex_lock(&client->ioctl_mutex);
++              err = snd_seq_pool_init(client->pool);
++              mutex_unlock(&client->ioctl_mutex);
++              if (err < 0)
+                       return -ENOMEM;
+       }
+       /* only process whole events */
++      err = -EINVAL;
+       while (count >= sizeof(struct snd_seq_event)) {
+               /* Read in the event header from the user */
+               len = sizeof(event);
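Review bot: The `!snd_seq_write_pool_allocated(client)` test on the line before the new `mutex_lock()` is still evaluated without `client->ioctl_mutex`, so two writers can both decide to call `snd_seq_pool_init()`, and the resize ioctl named in the description can still run between that check and the lock; only the init call itself is serialized. Unless `snd_seq_pool_init()` tolerates an already-allocated pool (its body is not on the page), the check belongs inside the locked region. The change also folds every negative `snd_seq_pool_init()` return into `-ENOMEM`, where returning `err` would keep the cause. The remainder of `snd_seq_write()` lies outside the hunk.
```c
	/* allocate the pool now if the pool is not allocated yet */
	mutex_lock(&client->ioctl_mutex);
	if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client))
		err = snd_seq_pool_init(client->pool);
	else
		err = 0;
	mutex_unlock(&client->ioctl_mutex);
	if (err < 0)
		return err;
	/* … unchanged: "only process whole events" loop … */
```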
diff --git a/queue-3.18/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch b/queue-3.18/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
new file mode 100644 (file)
index 0000000..4a7647f
--- /dev/null
@@ -0,0 +1,78 @@
+From 447cae58cecd69392b74a4a42cd0ab9cabd816af Mon Sep 17 00:00:00 2001
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+Date: Mon, 29 Jan 2018 06:37:55 +0100
+Subject: ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
+
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+
+commit 447cae58cecd69392b74a4a42cd0ab9cabd816af upstream.
+
+The layout of the UAC2 Control request and response varies depending on
+the request type. With the current implementation, only the Layout 2
+Parameter Block (with the 2-byte sized RANGE attribute) is handled
+properly. For the Control requests with the 1-byte sized RANGE attribute
+(Bass Control, Mid Control, Tremble Control), the response is parsed
+incorrectly.
+
+This commit:
+* fixes the wLength field value in the request
+* fixes parsing the range values from the response
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |   18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -328,17 +328,20 @@ static int get_ctl_value_v2(struct usb_m
+                           int validx, int *value_ret)
+ {
+       struct snd_usb_audio *chip = cval->mixer->chip;
+-      unsigned char buf[2 + 3 * sizeof(__u16)]; /* enough space for one range */
++      /* enough space for one range */
++      unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)];
+       unsigned char *val;
+-      int idx = 0, ret, size;
++      int idx = 0, ret, val_size, size;
+       __u8 bRequest;
++      val_size = uac2_ctl_value_size(cval->val_type);
++
+       if (request == UAC_GET_CUR) {
+               bRequest = UAC2_CS_CUR;
+-              size = sizeof(__u16);
++              size = val_size;
+       } else {
+               bRequest = UAC2_CS_RANGE;
+-              size = sizeof(buf);
++              size = sizeof(__u16) + 3 * val_size;
+       }
+       memset(buf, 0, sizeof(buf));
+@@ -377,16 +380,17 @@ error:
+               val = buf + sizeof(__u16);
+               break;
+       case UAC_GET_MAX:
+-              val = buf + sizeof(__u16) * 2;
++              val = buf + sizeof(__u16) + val_size;
+               break;
+       case UAC_GET_RES:
+-              val = buf + sizeof(__u16) * 3;
++              val = buf + sizeof(__u16) + val_size * 2;
+               break;
+       default:
+               return -EINVAL;
+       }
+-      *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16)));
++      *value_ret = convert_signed_value(cval,
++                                        snd_usb_combine_bytes(val, val_size));
+       return 0;
+ }
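Review bot: `val_size` from `uac2_ctl_value_size()` now sizes the control request, the `val` offsets in the switch and the `snd_usb_combine_bytes()` read, but nothing at the call site records that it must stay within `sizeof(__u32)` for `buf` (declared as `sizeof(__u16) + 3 * sizeof(__u32)`) to hold one range; a larger value would carry the `UAC_GET_RES` read past the end of `buf`. The helper's body is outside this hunk; if it can only yield 1, 2 or 4, a comment at the declaration such as `/* val_size is 1, 2 or 4 (uac2_ctl_value_size()); buf is sized for the largest */` ties the two together, otherwise a guard `if (val_size > sizeof(__u32)) return -EINVAL;` after the assignment is cheap. Minor style: `val_size` could be initialized at its declaration instead of the separate assignment that now sits between the declarations and the first `if`.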
diff --git a/queue-3.18/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch b/queue-3.18/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
new file mode 100644 (file)
index 0000000..ddc532e
--- /dev/null
@@ -0,0 +1,65 @@
+From 1846430c24d66e85cc58286b3319c82cd54debb2 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:51 -0700
+Subject: Btrfs: fix crash due to not cleaning up tree log block's dirty bits
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 1846430c24d66e85cc58286b3319c82cd54debb2 upstream.
+
+In cases that the whole fs flips into readonly status due to failures in
+critical sections, then log tree's blocks are still dirty, and this leads
+to a crash during umount time, the crash is about use-after-free,
+
+umount
+ -> close_ctree
+    -> stop workers
+    -> iput(btree_inode)
+       -> iput_final
+          -> write_inode_now
+            -> ...
+              -> queue job on stop'd workers
+
+cc: <stable@vger.kernel.org> v3.12+
+Fixes: 681ae50917df ("Btrfs: cleanup reserved space when freeing tree log on error")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2201,6 +2201,9 @@ static noinline int walk_down_log_tree(s
+                                       clean_tree_block(trans, root, next);
+                                       btrfs_wait_tree_block_writeback(next);
+                                       btrfs_tree_unlock(next);
++                              } else {
++                                      if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++                                              clear_extent_buffer_dirty(next);
+                               }
+                               WARN_ON(root_owner !=
+@@ -2279,6 +2282,9 @@ static noinline int walk_up_log_tree(str
+                                       clean_tree_block(trans, root, next);
+                                       btrfs_wait_tree_block_writeback(next);
+                                       btrfs_tree_unlock(next);
++                              } else {
++                                      if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++                                              clear_extent_buffer_dirty(next);
+                               }
+                               WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
+@@ -2355,6 +2361,9 @@ static int walk_log_tree(struct btrfs_tr
+                               clean_tree_block(trans, log, next);
+                               btrfs_wait_tree_block_writeback(next);
+                               btrfs_tree_unlock(next);
++                      } else {
++                              if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++                                      clear_extent_buffer_dirty(next);
+                       }
+                       WARN_ON(log->root_key.objectid !=
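Review bot: The new `else` branch in `walk_down_log_tree()` carries no comment, and the same three lines are repeated in `walk_up_log_tree()` (hunk at -2279) and `walk_log_tree()` (hunk at -2355); the reason — that a log block left dirty after the filesystem went read-only is otherwise queued for writeback on already-stopped workers at umount — exists only in the commit message. If, as the `trans` argument to `clean_tree_block()` in the other branch suggests, the selecting condition is the presence of a transaction, a comment on the first occurrence such as `/* no transaction (fs went read-only): drop the dirty state here so umount does not queue this block for writeback */` would make the branch self-explaining; that condition and the enclosing functions are outside the hunks. Style-wise `} else { if (...) ... }` could be `} else if (...)`, though matching upstream line-for-line is the usual preference for a stable backport.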
diff --git a/queue-3.18/btrfs-fix-deadlock-in-run_delalloc_nocow.patch b/queue-3.18/btrfs-fix-deadlock-in-run_delalloc_nocow.patch
new file mode 100644 (file)
index 0000000..d744a4c
--- /dev/null
@@ -0,0 +1,38 @@
+From e89166990f11c3f21e1649d760dd35f9e410321c Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:50 -0700
+Subject: Btrfs: fix deadlock in run_delalloc_nocow
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit e89166990f11c3f21e1649d760dd35f9e410321c upstream.
+
+@cur_offset is not set back to what it should be (@cow_start) if
+btrfs_next_leaf() returns something wrong, and the range [cow_start,
+cur_offset) remains locked forever.
+
+cc: <stable@vger.kernel.org>
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1256,8 +1256,11 @@ next_slot:
+               leaf = path->nodes[0];
+               if (path->slots[0] >= btrfs_header_nritems(leaf)) {
+                       ret = btrfs_next_leaf(root, path);
+-                      if (ret < 0)
++                      if (ret < 0) {
++                              if (cow_start != (u64)-1)
++                                      cur_offset = cow_start;
+                               goto error;
++                      }
+                       if (ret > 0)
+                               break;
+                       leaf = path->nodes[0];
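Review bot: The reset `cur_offset = cow_start` before `goto error` is unexplained at the site; the description says that without it the range `[cow_start, cur_offset)` stays locked, which implies the `error` label (outside the hunk) unlocks from `cur_offset` onward. A one-line comment, e.g. `/* unlock the pending COW range [cow_start, cur_offset) as well, see error: */`, would keep that reasoning next to the code. The `(u64)-1` sentinel for "no pending COW range" is used bare here; if the file has no named constant for it, this is one more place relying on the convention. Other `goto error` sites inside the loop are outside the hunk, so whether they need the same reset cannot be judged from this page.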
index ebcf55b73bd6abaac64162cd790f41b75c9c2e32..70be103d48ccc3678bc18085029e60274de91942 100644 (file)
@@ -10,3 +10,7 @@ ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch
 ext4-correct-documentation-for-grpid-mount-option.patch
 video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch
 console-dummy-leave-.con_font_get-set-to-null.patch
+btrfs-fix-deadlock-in-run_delalloc_nocow.patch
+btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
+alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
+alsa-seq-fix-racy-pool-initializations.patch