author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-07-04 16:19:13 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-07-04 16:19:13 -0400 |
commit | c4a7d8f2e5dc7a3c6dc285f7994dc0e3f6ad9232 (patch) | |
tree | 9a7fcf6245292d91936a4a5e23a32d807b8cfe8b | |
parent | f6f9df28be105740b123ab8a0ebcd38c33a3f713 (diff) | |
download | longterm-queue-4.12-c4a7d8f2e5dc7a3c6dc285f7994dc0e3f6ad9232.tar.gz |
add Fixes: of what is selected so far
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch | 76 | ||||
-rw-r--r-- | queue/sctp-return-error-if-the-asoc-has-been-peeled-off-in.patch | 87 | ||||
-rw-r--r-- | queue/series | 2 |
3 files changed, 165 insertions, 0 deletions
diff --git a/queue/ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch b/queue/ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
new file mode 100644
index 0000000..a78102e
--- /dev/null
+++ b/queue/ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
@@ -0,0 +1,76 @@
+From 7e05e996f77c02365f72cf8a4f023d1d8d6d67a2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 18 Dec 2017 23:36:57 +0100
+Subject: [PATCH] ALSA: usb-audio: Fix the missing ctl name suffix at parsing
+ SU
+
+commit 5a15f289ee87eaf33f13f08a4909ec99d837ec5f upstream.
+
+The commit 89b89d121ffc ("ALSA: usb-audio: Add check return value for
+usb_string()") added the check of the return value from
+snd_usb_copy_string_desc(), which is correct per se, but it introduced
+a regression. In the original code, either the "Clock Source",
+"Playback Source" or "Capture Source" suffix is added after the
+terminal string, while the commit changed it to add the suffix only
+when get_term_name() is failing. It ended up with an incorrect ctl
+name like "PCM" instead of "PCM Capture Source".
+
+Also, even the original code has a similar bug: when the ctl name is
+generated from snd_usb_copy_string_desc() for the given iSelector, it
+also doesn't put the suffix.
+
+This patch addresses these issues: the suffix is added always when no
+static mapping is found. Also the patch tries to put more comments
+and cleans up the if/else block for better readability in order to
+avoid the same pitfall again.
+
+Fixes: 89b89d121ffc ("ALSA: usb-audio: Add check return value for usb_string()")
+Reported-and-tested-by: Mauro Santos <registo.mailling@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 6c36ff411ad0..a09d519c106e 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2167,20 +2167,25 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid,
+ kctl->private_value = (unsigned long)namelist;
+ kctl->private_free = usb_mixer_selector_elem_free;
+
+- nameid = uac_selector_unit_iSelector(desc);
++ /* check the static mapping table at first */
+ len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name));
+- if (len)
+- ;
+- else if (nameid)
+- len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+- sizeof(kctl->id.name));
+- else
+- len = get_term_name(state, &state->oterm,
+- kctl->id.name, sizeof(kctl->id.name), 0);
+-
+ if (!len) {
+- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++ /* no mapping ? */
++ /* if iSelector is given, use it */
++ nameid = uac_selector_unit_iSelector(desc);
++ if (nameid)
++ len = snd_usb_copy_string_desc(state, nameid,
++ kctl->id.name,
++ sizeof(kctl->id.name));
++ /* ... or pick up the terminal name at next */
++ if (!len)
++ len = get_term_name(state, &state->oterm,
++ kctl->id.name, sizeof(kctl->id.name), 0);
++ /* ... or use the fixed string "USB" as the last resort */
++ if (!len)
++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
++ /* and add the proper suffix */
+ if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+ append_ctl_name(kctl, " Clock Source");
+ else if ((state->oterm.type & 0xff00) == 0x0100)
+--
+2.15.0
+
diff --git a/queue/sctp-return-error-if-the-asoc-has-been-peeled-off-in.patch b/queue/sctp-return-error-if-the-asoc-has-been-peeled-off-in.patch
new file mode 100644
index 0000000..6355895
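Review bot: The fallback chain inside the new `if (!len) { ... }` block in sound/usb/mixer.c treats only a zero return as failure, so it relies on snd_usb_copy_string_desc() and get_term_name() never returning a negative value; neither helper's definition is shown in this hunk. If either could return an error code, the later `if (!len)` tests would be skipped and the suffix would be appended to whatever is left in `kctl->id.name`, which on the iSelector path appears to be filled from the device's string descriptor. A one-line comment above the first fallback, for example `/* helpers return 0 on failure, never a negative errno */`, would record that contract next to the code that depends on it. parse_audio_selector_unit() begins and ends outside the hunk.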
--- /dev/null
+++ b/queue/sctp-return-error-if-the-asoc-has-been-peeled-off-in.patch
@@ -0,0 +1,87 @@
+From 71341cb7552c396229d4cad46bdcff9b94cb8211 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 15 Jan 2018 17:01:36 +0800
+Subject: [PATCH] sctp: return error if the asoc has been peeled off in
+ sctp_wait_for_sndbuf
+
+commit a0ff660058b88d12625a783ce9e5c1371c87951f upstream.
+
+After commit cea0cc80a677 ("sctp: use the right sk after waking up from
+wait_buf sleep"), it may change to lock another sk if the asoc has been
+peeled off in sctp_wait_for_sndbuf.
+
+However, the asoc's new sk could be already closed elsewhere, as it's in
+the sendmsg context of the old sk that can't avoid the new sk's closing.
+If the sk's last one refcnt is held by this asoc, later on after putting
+this asoc, the new sk will be freed, while under it's own lock.
+
+This patch is to revert that commit, but fix the old issue by returning
+error under the old sk's lock.
+
+Fixes: cea0cc80a677 ("sctp: use the right sk after waking up from wait_buf sleep")
+Reported-by: syzbot+ac6ea7baa4432811eb50@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 1e77b24088b8..f79df5115dc7 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -84,7 +84,7 @@
+ static int sctp_writeable(struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+- size_t msg_len, struct sock **orig_sk);
++ size_t msg_len);
+ static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
+ static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
+ static int sctp_wait_for_accept(struct sock *sk, long timeo);
+@@ -1961,7 +1961,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
+ timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+ if (!sctp_wspace(asoc)) {
+ /* sk can be changed by peel off when waiting for buf. */
+- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
++ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+ if (err) {
+ if (err == -ESRCH) {
+ /* asoc is already dead. */
+@@ -7753,12 +7753,12 @@ void sctp_sock_rfree(struct sk_buff *skb)
+
+ /* Helper function to wait for space in the sndbuf. */
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+- size_t msg_len, struct sock **orig_sk)
++ size_t msg_len)
+ {
+ struct sock *sk = asoc->base.sk;
+- int err = 0;
+ long current_timeo = *timeo_p;
+ DEFINE_WAIT(wait);
++ int err = 0;
+
+ pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
+ *timeo_p, msg_len);
+@@ -7898,17 +7898,13 @@ static int sctp_wait_for_connect(struct sctp_association *asoc, long *timeo_p)
+ release_sock(sk);
+ current_timeo = schedule_timeout(current_timeo);
+ lock_sock(sk);
+- if (sk != asoc->base.sk) {
+- release_sock(sk);
+- sk = asoc->base.sk;
+- lock_sock(sk);
+- }
++ if (sk != asoc->base.sk)
++ goto do_error;
+
+ *timeo_p = current_timeo;
+ }
+
+ out:
+- *orig_sk = sk;
+ finish_wait(&asoc->wait, &wait);
+
+ /* Release the association's refcnt. */
+--
+2.15.0
+
diff --git a/queue/series b/queue/series
index 9ebca60..9985174 100644
--- a/queue/series
+++ b/queue/series
@@ -40,6 +40,7 @@ ALSA-pcm-prevent-UAF-in-snd_pcm_info.patch
 ALSA-seq-Remove-spurious-WARN_ON-at-timer-check.patch
 ALSA-usb-audio-Fix-out-of-bound-error.patch
 ALSA-usb-audio-Add-check-return-value-for-usb_string.patch
+ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
 iommu-vt-d-Fix-scatterlist-offset-handling.patch
 smp-hotplug-Move-step-CPUHP_AP_SMPCFD_DYING-to-the-c.patch
 s390-always-save-and-restore-all-registers-on-contex.patch
@@ -82,6 +83,7 @@ zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch
 slub-fix-sysfs-duplicate-filename-creation-when-slub.patch
 sctp-do-not-free-asoc-when-it-is-already-dead-in-sct.patch
 sctp-use-the-right-sk-after-waking-up-from-wait_buf-.patch
+sctp-return-error-if-the-asoc-has-been-peeled-off-in.patch
 geneve-fix-fill_info-when-link-down.patch
 clk-qcom-common-fix-legacy-board-clock-registration.patch
 clk-uniphier-fix-DAPLL2-clock-rate-of-Pro5.patch |
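Review bot: The last inner hunk of the sctp patch (`@@ -7898,17 +7898,13 @@`) carries the function context `sctp_wait_for_connect`, yet the lines it edits, the peeled-off check after `lock_sock(sk)` and the removed `*orig_sk = sk;`, belong to sctp_wait_for_sndbuf according to the subject line and to the signature hunk at `@@ -7753,12 +7753,12 @@`, which sits about 145 lines earlier. Git takes that context from the nearest preceding function line, so this suggests the change lands in a different wait loop than the one the commit message describes. If so, the send-buffer wait would be left without the `if (sk != asoc->base.sk) goto do_error;` guard that the fix is meant to add for the peeled-off case. Please confirm against the 4.12 tree which function actually holds these lines before the patch stays in the queue; the bodies of both functions lie outside the hunks shown.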