--- /dev/null
+From 97d917879d7f92df09c3f21fd54609a8bcd654b2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 11 Oct 2022 09:01:47 +0200
+Subject: ALSA: oss: Fix potential deadlock at unregistration
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 97d917879d7f92df09c3f21fd54609a8bcd654b2 upstream.
+
+We took sound_oss_mutex around the calls of unregister_sound_special()
+at unregistering OSS devices. This may, however, lead to a deadlock,
+because we manage the card release via the card's device object, and
+the release may happen at unregister_sound_special() call -- which
+will take sound_oss_mutex again in turn.
+
+Although the deadlock might be fixed by relaxing the rawmidi mutex in
+the previous commit, it's safer to move unregister_sound_special()
+calls themselves out of the sound_oss_mutex, too. The call is
+race-safe as the function has a spinlock protection by itself.
+
+Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20221011070147.7611-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/sound_oss.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/sound/core/sound_oss.c
++++ b/sound/core/sound_oss.c
+@@ -177,7 +177,6 @@ int snd_unregister_oss_device(int type,
+ mutex_unlock(&sound_oss_mutex);
+ return -ENOENT;
+ }
+- unregister_sound_special(minor);
+ switch (SNDRV_MINOR_OSS_DEVICE(minor)) {
+ case SNDRV_MINOR_OSS_PCM:
+ track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_AUDIO);
+@@ -189,12 +188,18 @@ int snd_unregister_oss_device(int type,
+ track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_DMMIDI1);
+ break;
+ }
+- if (track2 >= 0) {
+- unregister_sound_special(track2);
++ if (track2 >= 0)
+ snd_oss_minors[track2] = NULL;
+- }
+ snd_oss_minors[minor] = NULL;
+ mutex_unlock(&sound_oss_mutex);
++
++ /* call unregister_sound_special() outside sound_oss_mutex;
++ * otherwise may deadlock, as it can trigger the release of a card
++ */
++ unregister_sound_special(minor);
++ if (track2 >= 0)
++ unregister_sound_special(track2);
++
+ kfree(mptr);
+ return 0;
+ }
--- /dev/null
+From a70aef7982b012e86dfd39fbb235e76a21ae778a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 11 Oct 2022 09:01:46 +0200
+Subject: ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit a70aef7982b012e86dfd39fbb235e76a21ae778a upstream.
+
+The register_mutex taken around the dev_unregister callback call in
+snd_rawmidi_free() may potentially lead to a mutex deadlock, when OSS
+emulation and a hot unplug are involved.
+
+Since the mutex doesn't protect the actual race (as the registration
+itself is already protected by another means), let's drop it.
+
+Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20221011070147.7611-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/rawmidi.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -1633,10 +1633,8 @@ static int snd_rawmidi_free(struct snd_r
+
+ snd_info_free_entry(rmidi->proc_entry);
+ rmidi->proc_entry = NULL;
+- mutex_lock(®ister_mutex);
+ if (rmidi->ops && rmidi->ops->dev_unregister)
+ rmidi->ops->dev_unregister(rmidi);
+- mutex_unlock(®ister_mutex);
+
+ snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_INPUT]);
+ snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_OUTPUT]);
--- /dev/null
+From 568be8aaf8a535f79c4db76cabe17b035aa2584d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 30 Sep 2022 12:01:29 +0200
+Subject: ALSA: usb-audio: Fix NULL dererence at error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 568be8aaf8a535f79c4db76cabe17b035aa2584d upstream.
+
+At an error path to release URB buffers and contexts, the driver might
+hit a NULL dererence for u->urb pointer, when u->buffer_size has been
+already set but the actual URB allocation failed.
+
+Fix it by adding the NULL check of urb. Also, make sure that
+buffer_size is cleared after the error path or the close.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Sabri N. Ferreiro <snferreiro1@gmail.com>
+Link: https://lore.kernel.org/r/CAKG+3NRjTey+fFfUEGwuxL-pi_=T4cUskYG9OzpzHytF+tzYng@mail.gmail.com
+Link: https://lore.kernel.org/r/20220930100129.19445-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -86,12 +86,13 @@ static inline unsigned get_usb_high_spee
+ */
+ static void release_urb_ctx(struct snd_urb_ctx *u)
+ {
+- if (u->buffer_size)
++ if (u->urb && u->buffer_size)
+ usb_free_coherent(u->ep->chip->dev, u->buffer_size,
+ u->urb->transfer_buffer,
+ u->urb->transfer_dma);
+ usb_free_urb(u->urb);
+ u->urb = NULL;
++ u->buffer_size = 0;
+ }
+
+ static const char *usb_error_string(int err)
--- /dev/null
+From 6382da0828995af87aa8b8bef28cc61aceb4aff3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 30 Sep 2022 12:01:51 +0200
+Subject: ALSA: usb-audio: Fix potential memory leaks
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6382da0828995af87aa8b8bef28cc61aceb4aff3 upstream.
+
+When the driver hits -ENOMEM at allocating a URB or a buffer, it
+aborts and goes to the error path that releases the all previously
+allocated resources. However, when -ENOMEM hits at the middle of the
+sync EP URB allocation loop, the partially allocated URBs might be
+left without released, because ep->nurbs is still zero at that point.
+
+Fix it by setting ep->nurbs at first, so that the error handler loops
+over the full URB list.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220930100151.19461-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -818,6 +818,7 @@ static int sync_ep_set_params(struct snd
+ if (!ep->syncbuf)
+ return -ENOMEM;
+
++ ep->nurbs = SYNC_URBS;
+ for (i = 0; i < SYNC_URBS; i++) {
+ struct snd_urb_ctx *u = &ep->urb[i];
+ u->index = i;
+@@ -837,8 +838,6 @@ static int sync_ep_set_params(struct snd
+ u->urb->complete = snd_complete_urb;
+ }
+
+- ep->nurbs = SYNC_URBS;
+-
+ return 0;
+
+ out_of_memory:
input-xpad-add-supported-devices-as-contributed-on-github.patch
input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch
random-use-expired-timer-rather-than-wq-for-mixing-fast-pool.patch
+alsa-oss-fix-potential-deadlock-at-unregistration.patch
+alsa-rawmidi-drop-register_mutex-in-snd_rawmidi_free.patch
+alsa-usb-audio-fix-potential-memory-leaks.patch
+alsa-usb-audio-fix-null-dererence-at-error-path.patch
revert-fs-check-fmode_lseek-to-control-internal-pipe.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
