From 3998076c76b4ae7f70439473fdd76b7575b169d5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 16 Oct 2022 08:57:21 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
	alsa-oss-fix-potential-deadlock-at-unregistration.patch
	alsa-rawmidi-drop-register_mutex-in-snd_rawmidi_free.patch
	alsa-usb-audio-fix-null-dererence-at-error-path.patch
	alsa-usb-audio-fix-potential-memory-leaks.patch
---
 ...potential-deadlock-at-unregistration.patch | 61 +++++++++++++++++++
 ...p-register_mutex-in-snd_rawmidi_free.patch | 38 ++++++++++++
 ...dio-fix-null-dererence-at-error-path.patch | 43 +++++++++++++
 ...usb-audio-fix-potential-memory-leaks.patch | 45 ++++++++++++++
 queue-4.9/series                              |  4 ++
 5 files changed, 191 insertions(+)
 create mode 100644 queue-4.9/alsa-oss-fix-potential-deadlock-at-unregistration.patch
 create mode 100644 queue-4.9/alsa-rawmidi-drop-register_mutex-in-snd_rawmidi_free.patch
 create mode 100644 queue-4.9/alsa-usb-audio-fix-null-dererence-at-error-path.patch
 create mode 100644 queue-4.9/alsa-usb-audio-fix-potential-memory-leaks.patch

diff --git a/queue-4.9/alsa-oss-fix-potential-deadlock-at-unregistration.patch b/queue-4.9/alsa-oss-fix-potential-deadlock-at-unregistration.patch
new file mode 100644
index 00000000000..f444d5a4663
--- /dev/null
+++ b/queue-4.9/alsa-oss-fix-potential-deadlock-at-unregistration.patch
@@ -0,0 +1,61 @@
+From 97d917879d7f92df09c3f21fd54609a8bcd654b2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 11 Oct 2022 09:01:47 +0200
+Subject: ALSA: oss: Fix potential deadlock at unregistration
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 97d917879d7f92df09c3f21fd54609a8bcd654b2 upstream.
+
+We took sound_oss_mutex around the calls of unregister_sound_special()
+at unregistering OSS devices.  This may, however, lead to a deadlock,
+because we manage the card release via the card's device object, and
+the release may happen at unregister_sound_special() call -- which
+will take sound_oss_mutex again in turn.
+
+Although the deadlock might be fixed by relaxing the rawmidi mutex in
+the previous commit, it's safer to move unregister_sound_special()
+calls themselves out of the sound_oss_mutex, too.  The call is
+race-safe as the function has a spinlock protection by itself.
+
+Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20221011070147.7611-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/sound_oss.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/sound/core/sound_oss.c
++++ b/sound/core/sound_oss.c
+@@ -179,7 +179,6 @@ int snd_unregister_oss_device(int type,
+ 		mutex_unlock(&sound_oss_mutex);
+ 		return -ENOENT;
+ 	}
+-	unregister_sound_special(minor);
+ 	switch (SNDRV_MINOR_OSS_DEVICE(minor)) {
+ 	case SNDRV_MINOR_OSS_PCM:
+ 		track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_AUDIO);
+@@ -191,12 +190,18 @@ int snd_unregister_oss_device(int type,
+ 		track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_DMMIDI1);
+ 		break;
+ 	}
+-	if (track2 >= 0) {
+-		unregister_sound_special(track2);
++	if (track2 >= 0)
+ 		snd_oss_minors[track2] = NULL;
+-	}
+ 	snd_oss_minors[minor] = NULL;
+ 	mutex_unlock(&sound_oss_mutex);
++
++	/* call unregister_sound_special() outside sound_oss_mutex;
++	 * otherwise may deadlock, as it can trigger the release of a card
++	 */
++	unregister_sound_special(minor);
++	if (track2 >= 0)
++		unregister_sound_special(track2);
++
+ 	kfree(mptr);
+ 	return 0;
+ }
diff --git a/queue-4.9/alsa-rawmidi-drop-register_mutex-in-snd_rawmidi_free.patch b/queue-4.9/alsa-rawmidi-drop-register_mutex-in-snd_rawmidi_free.patch
new file mode 100644
index 00000000000..64c33507ad6
--- /dev/null
+++ b/queue-4.9/alsa-rawmidi-drop-register_mutex-in-snd_rawmidi_free.patch
@@ -0,0 +1,38 @@
+From a70aef7982b012e86dfd39fbb235e76a21ae778a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 11 Oct 2022 09:01:46 +0200
+Subject: ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit a70aef7982b012e86dfd39fbb235e76a21ae778a upstream.
+
+The register_mutex taken around the dev_unregister callback call in
+snd_rawmidi_free() may potentially lead to a mutex deadlock, when OSS
+emulation and a hot unplug are involved.
+
+Since the mutex doesn't protect the actual race (as the registration
+itself is already protected by another means), let's drop it.
+
+Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20221011070147.7611-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/rawmidi.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -1633,10 +1633,8 @@ static int snd_rawmidi_free(struct snd_r
+ 
+ 	snd_info_free_entry(rmidi->proc_entry);
+ 	rmidi->proc_entry = NULL;
+-	mutex_lock(&register_mutex);
+ 	if (rmidi->ops && rmidi->ops->dev_unregister)
+ 		rmidi->ops->dev_unregister(rmidi);
+-	mutex_unlock(&register_mutex);
+ 
+ 	snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_INPUT]);
+ 	snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_OUTPUT]);
diff --git a/queue-4.9/alsa-usb-audio-fix-null-dererence-at-error-path.patch b/queue-4.9/alsa-usb-audio-fix-null-dererence-at-error-path.patch
new file mode 100644
index 00000000000..88b42538c88
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-fix-null-dererence-at-error-path.patch
@@ -0,0 +1,43 @@
+From 568be8aaf8a535f79c4db76cabe17b035aa2584d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 30 Sep 2022 12:01:29 +0200
+Subject: ALSA: usb-audio: Fix NULL dererence at error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 568be8aaf8a535f79c4db76cabe17b035aa2584d upstream.
+
+At an error path to release URB buffers and contexts, the driver might
+hit a NULL dererence for u->urb pointer, when u->buffer_size has been
+already set but the actual URB allocation failed.
+
+Fix it by adding the NULL check of urb.  Also, make sure that
+buffer_size is cleared after the error path or the close.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Sabri N. Ferreiro <snferreiro1@gmail.com>
+Link: https://lore.kernel.org/r/CAKG+3NRjTey+fFfUEGwuxL-pi_=T4cUskYG9OzpzHytF+tzYng@mail.gmail.com
+Link: https://lore.kernel.org/r/20220930100129.19445-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -86,12 +86,13 @@ static inline unsigned get_usb_high_spee
+  */
+ static void release_urb_ctx(struct snd_urb_ctx *u)
+ {
+-	if (u->buffer_size)
++	if (u->urb && u->buffer_size)
+ 		usb_free_coherent(u->ep->chip->dev, u->buffer_size,
+ 				  u->urb->transfer_buffer,
+ 				  u->urb->transfer_dma);
+ 	usb_free_urb(u->urb);
+ 	u->urb = NULL;
++	u->buffer_size = 0;
+ }
+ 
+ static const char *usb_error_string(int err)
diff --git a/queue-4.9/alsa-usb-audio-fix-potential-memory-leaks.patch b/queue-4.9/alsa-usb-audio-fix-potential-memory-leaks.patch
new file mode 100644
index 00000000000..d7bd11c1f49
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-fix-potential-memory-leaks.patch
@@ -0,0 +1,45 @@
+From 6382da0828995af87aa8b8bef28cc61aceb4aff3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 30 Sep 2022 12:01:51 +0200
+Subject: ALSA: usb-audio: Fix potential memory leaks
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6382da0828995af87aa8b8bef28cc61aceb4aff3 upstream.
+
+When the driver hits -ENOMEM at allocating a URB or a buffer, it
+aborts and goes to the error path that releases the all previously
+allocated resources.  However, when -ENOMEM hits at the middle of the
+sync EP URB allocation loop, the partially allocated URBs might be
+left without released, because ep->nurbs is still zero at that point.
+
+Fix it by setting ep->nurbs at first, so that the error handler loops
+over the full URB list.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220930100151.19461-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -804,6 +804,7 @@ static int sync_ep_set_params(struct snd
+ 	if (!ep->syncbuf)
+ 		return -ENOMEM;
+ 
++	ep->nurbs = SYNC_URBS;
+ 	for (i = 0; i < SYNC_URBS; i++) {
+ 		struct snd_urb_ctx *u = &ep->urb[i];
+ 		u->index = i;
+@@ -823,8 +824,6 @@ static int sync_ep_set_params(struct snd
+ 		u->urb->complete = snd_complete_urb;
+ 	}
+ 
+-	ep->nurbs = SYNC_URBS;
+-
+ 	return 0;
+ 
+ out_of_memory:
diff --git a/queue-4.9/series b/queue-4.9/series
index c87cd46d4d3..e8225e91911 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -38,3 +38,7 @@ random-restore-o_nonblock-support.patch
 input-xpad-add-supported-devices-as-contributed-on-github.patch
 input-xpad-fix-wireless-360-controller-breaking-after-suspend.patch
 random-use-expired-timer-rather-than-wq-for-mixing-fast-pool.patch
+alsa-oss-fix-potential-deadlock-at-unregistration.patch
+alsa-rawmidi-drop-register_mutex-in-snd_rawmidi_free.patch
+alsa-usb-audio-fix-potential-memory-leaks.patch
+alsa-usb-audio-fix-null-dererence-at-error-path.patch
-- 
2.47.3