From: Greg Kroah-Hartman Date: Tue, 26 Jan 2016 00:47:13 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.96~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7b8fc8f0f7ed9fb3093314d55fc246b500c61332;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch alsa-seq-fix-race-at-timer-setup-and-close.patch alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch alsa-timer-fix-double-unlink-of-active_list.patch alsa-timer-fix-race-among-timer-ioctls.patch alsa-timer-harden-slave-timer-list-handling.patch asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch --- diff --git a/queue-3.10/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch b/queue-3.10/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch new file mode 100644 index 00000000000..6102a5042ff --- /dev/null +++ b/queue-3.10/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch @@ -0,0 +1,35 @@ +From c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 18 Jan 2016 14:12:40 +0100 +Subject: ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 + +From: Takashi Iwai + +commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream. + +When a TLV ioctl with numid zero is handled, the driver may spew a +kernel warning with a stack trace at each call. The check was +intended obviously only for a kernel driver, but not for a user +interaction. Let's fix it. + +This was spotted by syzkaller fuzzer. + +Reported-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/control.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1325,6 +1325,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ + return -EFAULT; + if (tlv.length < sizeof(unsigned int) * 2) + return -EINVAL; ++ if (!tlv.numid) ++ return -EINVAL; + down_read(&card->controls_rwsem); + kctl = snd_ctl_find_numid(card, tlv.numid); + if (kctl == NULL) { diff --git a/queue-3.10/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch b/queue-3.10/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch new file mode 100644 index 00000000000..fa8cad1ec90 --- /dev/null +++ b/queue-3.10/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch @@ -0,0 +1,54 @@ +From 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 18 Jan 2016 13:52:47 +0100 +Subject: ALSA: hrtimer: Fix stall by hrtimer_cancel() + +From: Takashi Iwai + +commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream. + +hrtimer_cancel() waits for the completion from the callback, thus it +must not be called inside the callback itself. This was already a +problem in the past with ALSA hrtimer driver, and the early commit +[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it. + +However, the previous fix is still insufficient: it may still cause a +lockup when the ALSA timer instance reprograms itself in its callback. +Then it invokes the start function even in snd_timer_interrupt() that +is called in hrtimer callback itself, results in a CPU stall. This is +no hypothetical problem but actually triggered by syzkaller fuzzer. + +This patch tries to fix the issue again. Now we call +hrtimer_try_to_cancel() at both start and stop functions so that it +won't fall into a deadlock, yet giving some chance to cancel the queue +if the functions have been called outside the callback. The proper +hrtimer_cancel() is called in anyway at closing, so this should be +enough. + +Reported-and-tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/hrtimer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/core/hrtimer.c ++++ b/sound/core/hrtimer.c +@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_ + struct snd_hrtimer *stime = t->private_data; + + atomic_set(&stime->running, 0); +- hrtimer_cancel(&stime->hrt); ++ hrtimer_try_to_cancel(&stime->hrt); + hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution), + HRTIMER_MODE_REL); + atomic_set(&stime->running, 1); +@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_t + { + struct snd_hrtimer *stime = t->private_data; + atomic_set(&stime->running, 0); ++ hrtimer_try_to_cancel(&stime->hrt); + return 0; + } + diff --git a/queue-3.10/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch b/queue-3.10/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch new file mode 100644 index 00000000000..1580ae7427c --- /dev/null +++ b/queue-3.10/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch @@ -0,0 +1,51 @@ +From 43c54b8c7cfe22f868a751ba8a59abf1724160b1 Mon Sep 17 00:00:00 2001 +From: Nicolas Boichat +Date: Mon, 18 Jan 2016 21:35:00 +0800 +Subject: ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode + +From: Nicolas Boichat + +commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream. + +This reverts one hunk of +commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which +replaced a number of kmalloc followed by memcpy with memdup calls. + +In this case, we are copying from a struct snd_pcm_hw_params32 to +a struct snd_pcm_hw_params, but the latter is 4 bytes longer than +the 32-bit version, so we need to separate kmalloc and copy calls. + +This actually leads to an out-of-bounds memory access later on +in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan). + +Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()') +Signed-off-by: Nicolas Boichat +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_compat.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -236,10 +236,15 @@ static int snd_pcm_ioctl_hw_params_compa + if (! (runtime = substream->runtime)) + return -ENOTTY; + +- /* only fifo_size is different, so just copy all */ +- data = memdup_user(data32, sizeof(*data32)); +- if (IS_ERR(data)) +- return PTR_ERR(data); ++ data = kmalloc(sizeof(*data), GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ ++ /* only fifo_size (RO from userspace) is different, so just copy all */ ++ if (copy_from_user(data, data32, sizeof(*data32))) { ++ err = -EFAULT; ++ goto error; ++ } + + if (refine) + err = snd_pcm_hw_refine(substream, data); diff --git a/queue-3.10/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch b/queue-3.10/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch new file mode 100644 index 00000000000..e7f8fb27413 --- /dev/null +++ b/queue-3.10/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch @@ -0,0 +1,34 @@ +From 030e2c78d3a91dd0d27fef37e91950dde333eba1 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 12 Jan 2016 12:38:02 +0100 +Subject: ALSA: seq: Fix missing NULL check at remove_events ioctl + +From: Takashi Iwai + +commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream. + +snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() +unconditionally even if there is no FIFO assigned, and this leads to +an Oops due to NULL dereference. The fix is just to add a proper NULL +check. + +Reported-by: Dmitry Vyukov +Tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1950,7 +1950,7 @@ static int snd_seq_ioctl_remove_events(s + * No restrictions so for a user client we can clear + * the whole fifo + */ +- if (client->type == USER_CLIENT) ++ if (client->type == USER_CLIENT && client->data.user.fifo) + snd_seq_fifo_clear(client->data.user.fifo); + } + diff --git a/queue-3.10/alsa-seq-fix-race-at-timer-setup-and-close.patch b/queue-3.10/alsa-seq-fix-race-at-timer-setup-and-close.patch new file mode 100644 index 00000000000..f475cca956a --- /dev/null +++ b/queue-3.10/alsa-seq-fix-race-at-timer-setup-and-close.patch @@ -0,0 +1,38 @@ +From 3567eb6af614dac436c4b16a8d426f9faed639b3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 12 Jan 2016 15:36:27 +0100 +Subject: ALSA: seq: Fix race at timer setup and close + +From: Takashi Iwai + +commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream. + +ALSA sequencer code has an open race between the timer setup ioctl and +the close of the client. This was triggered by syzkaller fuzzer, and +a use-after-free was caught there as a result. + +This patch papers over it by adding a proper queue->timer_mutex lock +around the timer-related calls in the relevant code path. + +Reported-by: Dmitry Vyukov +Tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_queue.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -144,8 +144,10 @@ static struct snd_seq_queue *queue_new(i + static void queue_delete(struct snd_seq_queue *q) + { + /* stop and release the timer */ ++ mutex_lock(&q->timer_mutex); + snd_seq_timer_stop(q->timer); + snd_seq_timer_close(q); ++ mutex_unlock(&q->timer_mutex); + /* wait until access free */ + snd_use_lock_sync(&q->use_lock); + /* release resources... */ diff --git a/queue-3.10/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch b/queue-3.10/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch new file mode 100644 index 00000000000..1d55a006631 --- /dev/null +++ b/queue-3.10/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch @@ -0,0 +1,45 @@ +From 9586495dc3011a80602329094e746dbce16cb1f1 Mon Sep 17 00:00:00 2001 +From: Nicolas Boichat +Date: Mon, 18 Jan 2016 21:35:01 +0800 +Subject: ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode + +From: Nicolas Boichat + +commit 9586495dc3011a80602329094e746dbce16cb1f1 upstream. + +This reverts one hunk of +commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which +replaced a number of kmalloc followed by memcpy with memdup calls. + +In this case, we are copying from a struct snd_seq_port_info32 to a +struct snd_seq_port_info, but the latter is 4 bytes longer than the +32-bit version, so we need to separate kmalloc and copy calls. + +Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()') +Signed-off-by: Nicolas Boichat +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_compat.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/sound/core/seq/seq_compat.c ++++ b/sound/core/seq/seq_compat.c +@@ -49,11 +49,12 @@ static int snd_seq_call_port_info_ioctl( + struct snd_seq_port_info *data; + mm_segment_t fs; + +- data = memdup_user(data32, sizeof(*data32)); +- if (IS_ERR(data)) +- return PTR_ERR(data); ++ data = kmalloc(sizeof(*data), GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; + +- if (get_user(data->flags, &data32->flags) || ++ if (copy_from_user(data, data32, sizeof(*data32)) || ++ get_user(data->flags, &data32->flags) || + get_user(data->time_queue, &data32->time_queue)) + goto error; + data->kernel = NULL; diff --git a/queue-3.10/alsa-timer-fix-double-unlink-of-active_list.patch b/queue-3.10/alsa-timer-fix-double-unlink-of-active_list.patch new file mode 100644 index 00000000000..d74c93e2e25 --- /dev/null +++ b/queue-3.10/alsa-timer-fix-double-unlink-of-active_list.patch @@ -0,0 +1,37 @@ +From ee8413b01045c74340aa13ad5bdf905de32be736 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 13 Jan 2016 21:35:06 +0100 +Subject: ALSA: timer: Fix double unlink of active_list + +From: Takashi Iwai + +commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream. + +ALSA timer instance object has a couple of linked lists and they are +unlinked unconditionally at snd_timer_stop(). Meanwhile +snd_timer_interrupt() unlinks it, but it calls list_del() which leaves +the element list itself unchanged. This ends up with unlinking twice, +and it was caught by syzkaller fuzzer. + +The fix is to use list_del_init() variant properly there, too. + +Reported-by: Dmitry Vyukov +Tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -703,7 +703,7 @@ void snd_timer_interrupt(struct snd_time + } else { + ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING; + if (--timer->running) +- list_del(&ti->active_list); ++ list_del_init(&ti->active_list); + } + if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) || + (ti->flags & SNDRV_TIMER_IFLG_FAST)) diff --git a/queue-3.10/alsa-timer-fix-race-among-timer-ioctls.patch b/queue-3.10/alsa-timer-fix-race-among-timer-ioctls.patch new file mode 100644 index 00000000000..9e8a5abd5e3 --- /dev/null +++ b/queue-3.10/alsa-timer-fix-race-among-timer-ioctls.patch @@ -0,0 +1,122 @@ +From af368027a49a751d6ff4ee9e3f9961f35bb4fede Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 13 Jan 2016 17:48:01 +0100 +Subject: ALSA: timer: Fix race among timer ioctls + +From: Takashi Iwai + +commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream. + +ALSA timer ioctls have an open race and this may lead to a +use-after-free of timer instance object. A simplistic fix is to make +each ioctl exclusive. We have already tread_sem for controlling the +tread, and extend this as a global mutex to be applied to each ioctl. + +The downside is, of course, the worse concurrency. But these ioctls +aren't to be parallel accessible, in anyway, so it should be fine to +serialize there. + +Reported-by: Dmitry Vyukov +Tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -73,7 +73,7 @@ struct snd_timer_user { + struct timespec tstamp; /* trigger tstamp */ + wait_queue_head_t qchange_sleep; + struct fasync_struct *fasync; +- struct mutex tread_sem; ++ struct mutex ioctl_lock; + }; + + /* list of timers */ +@@ -1266,7 +1266,7 @@ static int snd_timer_user_open(struct in + return -ENOMEM; + spin_lock_init(&tu->qlock); + init_waitqueue_head(&tu->qchange_sleep); +- mutex_init(&tu->tread_sem); ++ mutex_init(&tu->ioctl_lock); + tu->ticks = 1; + tu->queue_size = 128; + tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read), +@@ -1286,8 +1286,10 @@ static int snd_timer_user_release(struct + if (file->private_data) { + tu = file->private_data; + file->private_data = NULL; ++ mutex_lock(&tu->ioctl_lock); + if (tu->timeri) + snd_timer_close(tu->timeri); ++ mutex_unlock(&tu->ioctl_lock); + kfree(tu->queue); + kfree(tu->tqueue); + kfree(tu); +@@ -1525,7 +1527,6 @@ static int snd_timer_user_tselect(struct + int err = 0; + + tu = file->private_data; +- mutex_lock(&tu->tread_sem); + if (tu->timeri) { + snd_timer_close(tu->timeri); + tu->timeri = NULL; +@@ -1569,7 +1570,6 @@ static int snd_timer_user_tselect(struct + } + + __err: +- mutex_unlock(&tu->tread_sem); + return err; + } + +@@ -1782,7 +1782,7 @@ enum { + SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23), + }; + +-static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, ++static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) + { + struct snd_timer_user *tu; +@@ -1799,17 +1799,11 @@ static long snd_timer_user_ioctl(struct + { + int xarg; + +- mutex_lock(&tu->tread_sem); +- if (tu->timeri) { /* too late */ +- mutex_unlock(&tu->tread_sem); ++ if (tu->timeri) /* too late */ + return -EBUSY; +- } +- if (get_user(xarg, p)) { +- mutex_unlock(&tu->tread_sem); ++ if (get_user(xarg, p)) + return -EFAULT; +- } + tu->tread = xarg ? 1 : 0; +- mutex_unlock(&tu->tread_sem); + return 0; + } + case SNDRV_TIMER_IOCTL_GINFO: +@@ -1842,6 +1836,18 @@ static long snd_timer_user_ioctl(struct + return -ENOTTY; + } + ++static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ struct snd_timer_user *tu = file->private_data; ++ long ret; ++ ++ mutex_lock(&tu->ioctl_lock); ++ ret = __snd_timer_user_ioctl(file, cmd, arg); ++ mutex_unlock(&tu->ioctl_lock); ++ return ret; ++} ++ + static int snd_timer_user_fasync(int fd, struct file * file, int on) + { + struct snd_timer_user *tu; diff --git a/queue-3.10/alsa-timer-harden-slave-timer-list-handling.patch b/queue-3.10/alsa-timer-harden-slave-timer-list-handling.patch new file mode 100644 index 00000000000..2652dd8ed0e --- /dev/null +++ b/queue-3.10/alsa-timer-harden-slave-timer-list-handling.patch @@ -0,0 +1,101 @@ +From b5a663aa426f4884c71cd8580adae73f33570f0d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 14 Jan 2016 16:30:58 +0100 +Subject: ALSA: timer: Harden slave timer list handling + +From: Takashi Iwai + +commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream. + +A slave timer instance might be still accessible in a racy way while +operating the master instance as it lacks of locking. Since the +master operation is mostly protected with timer->lock, we should cope +with it while changing the slave instance, too. Also, some linked +lists (active_list and ack_list) of slave instances aren't unlinked +immediately at stopping or closing, and this may lead to unexpected +accesses. + +This patch tries to address these issues. It adds spin lock of +timer->lock (either from master or slave, which is equivalent) in a +few places. For avoiding a deadlock, we ensure that the global +slave_active_lock is always locked at first before each timer lock. + +Also, ack and active_list of slave instances are properly unlinked at +snd_timer_stop() and snd_timer_close(). + +Last but not least, remove the superfluous call of _snd_timer_stop() +at removing slave links. This is a noop, and calling it may confuse +readers wrt locking. Further cleanup will follow in a later patch. + +Actually we've got reports of use-after-free by syzkaller fuzzer, and +this hopefully fixes these issues. + +Reported-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -215,11 +215,13 @@ static void snd_timer_check_master(struc + slave->slave_id == master->slave_id) { + list_move_tail(&slave->open_list, &master->slave_list_head); + spin_lock_irq(&slave_active_lock); ++ spin_lock(&master->timer->lock); + slave->master = master; + slave->timer = master->timer; + if (slave->flags & SNDRV_TIMER_IFLG_RUNNING) + list_add_tail(&slave->active_list, + &master->slave_active_head); ++ spin_unlock(&master->timer->lock); + spin_unlock_irq(&slave_active_lock); + } + } +@@ -345,15 +347,18 @@ int snd_timer_close(struct snd_timer_ins + timer->hw.close) + timer->hw.close(timer); + /* remove slave links */ ++ spin_lock_irq(&slave_active_lock); ++ spin_lock(&timer->lock); + list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head, + open_list) { +- spin_lock_irq(&slave_active_lock); +- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION); + list_move_tail(&slave->open_list, &snd_timer_slave_list); + slave->master = NULL; + slave->timer = NULL; +- spin_unlock_irq(&slave_active_lock); ++ list_del_init(&slave->ack_list); ++ list_del_init(&slave->active_list); + } ++ spin_unlock(&timer->lock); ++ spin_unlock_irq(&slave_active_lock); + mutex_unlock(®ister_mutex); + } + out: +@@ -440,9 +445,12 @@ static int snd_timer_start_slave(struct + + spin_lock_irqsave(&slave_active_lock, flags); + timeri->flags |= SNDRV_TIMER_IFLG_RUNNING; +- if (timeri->master) ++ if (timeri->master && timeri->timer) { ++ spin_lock(&timeri->timer->lock); + list_add_tail(&timeri->active_list, + &timeri->master->slave_active_head); ++ spin_unlock(&timeri->timer->lock); ++ } + spin_unlock_irqrestore(&slave_active_lock, flags); + return 1; /* delayed start */ + } +@@ -488,6 +496,8 @@ static int _snd_timer_stop(struct snd_ti + if (!keep_flag) { + spin_lock_irqsave(&slave_active_lock, flags); + timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; ++ list_del_init(&timeri->ack_list); ++ list_del_init(&timeri->active_list); + spin_unlock_irqrestore(&slave_active_lock, flags); + } + goto __end; diff --git a/queue-3.10/asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch b/queue-3.10/asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch new file mode 100644 index 00000000000..5de0c9e5c31 --- /dev/null +++ b/queue-3.10/asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch @@ -0,0 +1,37 @@ +From e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 Mon Sep 17 00:00:00 2001 +From: Sachin Pandhare +Date: Tue, 10 Nov 2015 23:38:02 +0530 +Subject: ASoC: wm8962: correct addresses for HPF_C_0/1 + +From: Sachin Pandhare + +commit e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 upstream. + +From datasheet: +R17408 (4400h) HPF_C_1 +R17409 (4401h) HPF_C_0 +17048 -> 17408 (0x4400) +17049 -> 17409 (0x4401) + +Signed-off-by: Sachin Pandhare +Acked-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8962.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -363,8 +363,8 @@ static struct reg_default wm8962_reg[] = + { 16924, 0x0059 }, /* R16924 - HDBASS_PG_1 */ + { 16925, 0x999A }, /* R16925 - HDBASS_PG_0 */ + +- { 17048, 0x0083 }, /* R17408 - HPF_C_1 */ +- { 17049, 0x98AD }, /* R17409 - HPF_C_0 */ ++ { 17408, 0x0083 }, /* R17408 - HPF_C_1 */ ++ { 17409, 0x98AD }, /* R17409 - HPF_C_0 */ + + { 17920, 0x007F }, /* R17920 - ADCL_RETUNE_C1_1 */ + { 17921, 0xFFFF }, /* R17921 - ADCL_RETUNE_C1_0 */ diff --git a/queue-3.10/series b/queue-3.10/series index d00f6c3efde..a773e0fc03f 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -12,3 +12,13 @@ alsa-rme96-fix-unexpected-volume-reset-after-rate-changes.patch alsa-hda-add-inverted-dmic-for-packard-bell-dots.patch alsa-hda-set-skl-hda-controller-power-at-freeze-and-thaw.patch alsa-hda-realtek-fix-silent-headphone-output-on-macpro-4-1-v2.patch +alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch +alsa-seq-fix-race-at-timer-setup-and-close.patch +alsa-timer-harden-slave-timer-list-handling.patch +alsa-timer-fix-race-among-timer-ioctls.patch +alsa-timer-fix-double-unlink-of-active_list.patch +alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch +alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch +alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch +alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch +asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch