From 57077591f78f365ff377b130b6d6f70dd1225b6c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 24 May 2021 11:00:44 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch
alsa-line6-fix-racy-initialization-of-line6-midi.patch
cifs-fix-memory-leak-in-smb2_copychunk_range.patch
---
 ...-at-high-sampling-transfer-frequency.patch | 37 ++++++++
 ...ix-racy-initialization-of-line6-midi.patch | 85 +++++++++++++++++++
 ...-memory-leak-in-smb2_copychunk_range.patch | 36 ++++++++
 queue-4.19/series | 3 +
 4 files changed, 161 insertions(+)
 create mode 100644 queue-4.19/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch
 create mode 100644 queue-4.19/alsa-line6-fix-racy-initialization-of-line6-midi.patch
 create mode 100644 queue-4.19/cifs-fix-memory-leak-in-smb2_copychunk_range.patch
diff --git a/queue-4.19/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch b/queue-4.19/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch
new file mode 100644
index 00000000000..4367366079f
--- /dev/null
+++ b/queue-4.19/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch
@@ -0,0 +1,37 @@
+From 4c6fe8c547e3c9e8c15dabdd23c569ee0df3adb1 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto
+Date: Tue, 18 May 2021 10:26:12 +0900
+Subject: ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency
+
+From: Takashi Sakamoto
+
+commit 4c6fe8c547e3c9e8c15dabdd23c569ee0df3adb1 upstream.
+
+At high sampling transfer frequency, TC Electronic Konnekt Live
+transfers/receives 6 audio data frames in multi bit linear audio data
+channel of data block in CIP payload. Current hard-coded stream format
+is wrong.
+
+Cc:
+Fixes: f1f0f330b1d0 ("ALSA: dice: add parameters of stream formats for models produced by TC Electronic")
+Signed-off-by: Takashi Sakamoto
+Link: https://lore.kernel.org/r/20210518012612.37268-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/firewire/dice/dice-tcelectronic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/dice/dice-tcelectronic.c
++++ b/sound/firewire/dice/dice-tcelectronic.c
+@@ -38,8 +38,8 @@ static const struct dice_tc_spec konnekt
+ };
+
+ static const struct dice_tc_spec konnekt_live = {
+- .tx_pcm_chs = {{16, 16, 16}, {0, 0, 0} },
+- .rx_pcm_chs = {{16, 16, 16}, {0, 0, 0} },
++ .tx_pcm_chs = {{16, 16, 6}, {0, 0, 0} },
++ .rx_pcm_chs = {{16, 16, 6}, {0, 0, 0} },
+ .has_midi = true,
+ };
+
diff --git a/queue-4.19/alsa-line6-fix-racy-initialization-of-line6-midi.patch b/queue-4.19/alsa-line6-fix-racy-initialization-of-line6-midi.patch
new file mode 100644
index 00000000000..84889df052e
--- /dev/null
+++ b/queue-4.19/alsa-line6-fix-racy-initialization-of-line6-midi.patch
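Review bot: In `konnekt_live` (sound/firewire/dice/dice-tcelectronic.c) the corrected third entry `6` sits beside two `16`s with no explanation, so it reads like a typo of the value this patch removes. A one-line comment above the initializer, for example `/* only 6 PCM channels at the highest sampling transfer frequency */`, would keep a later cleanup from changing it back. That the third column is the high-rate mode is inferred from the commit message; the `struct dice_tc_spec` definition is outside the hunk.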
@@ -0,0 +1,85 @@
+From 05ca447630334c323c9e2b788b61133ab75d60d3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 18 May 2021 10:39:39 +0200
+Subject: ALSA: line6: Fix racy initialization of LINE6 MIDI
+
+From: Takashi Iwai
+
+commit 05ca447630334c323c9e2b788b61133ab75d60d3 upstream.
+
+The initialization of MIDI devices that are found on some LINE6
+drivers are currently done in a racy way; namely, the MIDI buffer
+instance is allocated and initialized in each private_init callback
+while the communication with the interface is already started via
+line6_init_cap_control() call before that point. This may lead to
+Oops in line6_data_received() when a spurious event is received, as
+reported by syzkaller.
+
+This patch moves the MIDI initialization to line6_init_cap_control()
+as well instead of the too-lately-called private_init for avoiding the
+race. Also this reduces slightly more lines, so it's a win-win
+change.
+
+Reported-by: syzbot+0d2b3feb0a2887862e06@syzkallerlkml..appspotmail.com
+Link: https://lore.kernel.org/r/000000000000a4be9405c28520de@google.com
+Link: https://lore.kernel.org/r/20210517132725.GA50495@hyeyoo
+Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Cc:
+Link: https://lore.kernel.org/r/20210518083939.1927-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/line6/driver.c | 4 ++++
+ sound/usb/line6/pod.c | 5 -----
+ sound/usb/line6/variax.c | 6 ------
+ 3 files changed, 4 insertions(+), 11 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -705,6 +705,10 @@ static int line6_init_cap_control(struct
+ line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
+ if (!line6->buffer_message)
+ return -ENOMEM;
++
++ ret = line6_init_midi(line6);
++ if (ret < 0)
++ return ret;
+ } else {
+ ret = line6_hwdep_init(line6);
+ if (ret < 0)
+--- a/sound/usb/line6/pod.c
++++ b/sound/usb/line6/pod.c
+@@ -420,11 +420,6 @@ static int pod_init(struct usb_line6 *li
+ if (err < 0)
+ return err;
+
+- /* initialize MIDI subsystem: */
+- err = line6_init_midi(line6);
+- if (err < 0)
+- return err;
+-
+ /* initialize PCM subsystem: */
+ err = line6_init_pcm(line6, &pod_pcm_properties);
+ if (err < 0)
+--- a/sound/usb/line6/variax.c
++++ b/sound/usb/line6/variax.c
+@@ -217,7 +217,6 @@ static int variax_init(struct usb_line6
+ const struct usb_device_id *id)
+ {
+ struct usb_line6_variax *variax = (struct usb_line6_variax *) line6;
+- int err;
+
+ line6->process_message = line6_variax_process_message;
+ line6->disconnect = line6_variax_disconnect;
+@@ -233,11 +232,6 @@ static int variax_init(struct usb_line6
+ if (variax->buffer_activate == NULL)
+ return -ENOMEM;
+
+- /* initialize MIDI subsystem: */
+- err = line6_init_midi(&variax->line6);
+- if (err < 0)
+- return err;
+-
+ /* initiate startup procedure: */
+ variax_startup1(variax);
+ return 0;
diff --git a/queue-4.19/cifs-fix-memory-leak-in-smb2_copychunk_range.patch b/queue-4.19/cifs-fix-memory-leak-in-smb2_copychunk_range.patch
new file mode 100644
index 00000000000..6b46a1f9fef
--- /dev/null
+++ b/queue-4.19/cifs-fix-memory-leak-in-smb2_copychunk_range.patch
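Review bot: The new `line6_init_midi(line6)` call in `line6_init_cap_control()` (sound/usb/line6/driver.c) carries an ordering requirement that the code does not state. Per the commit message, `line6_data_received()` can run once communication with the interface has started, so the MIDI state must exist before that point. A comment above the call, such as `/* must precede the start of communication: line6_data_received() uses the MIDI buffers */`, would stop a later refactor from moving the call back into the per-device init callbacks. The early `return ret` also leaves `line6->buffer_message` allocated; presumably the probe error path releases it, but that path and the place where listening starts are outside the hunk and should be confirmed against the 4.19 tree.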
@@ -0,0 +1,36 @@
+From d201d7631ca170b038e7f8921120d05eec70d7c5 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Wed, 19 May 2021 08:40:11 +1000
+Subject: cifs: fix memory leak in smb2_copychunk_range
+
+From: Ronnie Sahlberg
+
+commit d201d7631ca170b038e7f8921120d05eec70d7c5 upstream.
+
+When using smb2_copychunk_range() for large ranges we will
+run through several iterations of a loop calling SMB2_ioctl()
+but never actually free the returned buffer except for the final
+iteration.
+This leads to memory leaks everytime a large copychunk is requested.
+
+Fixes: 9bf0c9cd4314 ("CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files")
+Cc:
+Reviewed-by: Aurelien Aptel
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1174,6 +1174,8 @@ smb2_copychunk_range(const unsigned int
+ cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk));
+
+ /* Request server copy to target from src identified by key */
++ kfree(retbuf);
++ retbuf = NULL;
+ rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid,
+ trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
+ true /* is_fsctl */, (char *)pcchunk,
diff --git a/queue-4.19/series b/queue-4.19/series
index 31edcd352a9..0ecea78ce9d 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -7,3 +7,6 @@ platform-x86-dell-smbios-wmi-fix-oops-on-rmmod-dell_.patch
 ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch
 nvmet-seset-ns-file-when-open-fails.patch
 locking-mutex-clear-mutex_flags-if-wait_list-is-empt.patch
+cifs-fix-memory-leak-in-smb2_copychunk_range.patch
+alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch
+alsa-line6-fix-racy-initialization-of-line6-midi.patch
--
2.47.3
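Review bot: In `smb2_copychunk_range()` (fs/cifs/smb2ops.c) the added `kfree(retbuf); retbuf = NULL;` lands between the existing comment "Request server copy to target from src identified by key" and the `SMB2_ioctl()` call that comment describes, so the comment now appears to describe the free. Placing the two lines above that comment under their own `/* release the response buffer of the previous iteration */` would keep both readable. The comment should also say why the pointer is reset: presumably a failing `SMB2_ioctl()` can leave `retbuf` untouched, and the free the commit message describes for the final iteration would then see a stale pointer. The loop head and the exit path are outside the hunk, so that should be checked there.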