4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 Nov 2021 13:22:04 +0000 (14:22 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 Nov 2021 13:22:04 +0000 (14:22 +0100)
added patches:
alsa-6fire-fix-control-and-bulk-message-timeouts.patch
alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch
alsa-line6-fix-control-and-interrupt-message-timeouts.patch
alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
alsa-timer-fix-use-after-free-problem.patch
alsa-timer-unconditionally-unlink-slave-instances-too.patch
alsa-ua101-fix-division-by-zero-at-probe.patch
alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch
fuse-fix-page-stealing.patch
x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch

12 files changed:
queue-4.19/alsa-6fire-fix-control-and-bulk-message-timeouts.patch [new file with mode: 0644]
queue-4.19/alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch [new file with mode: 0644]
queue-4.19/alsa-line6-fix-control-and-interrupt-message-timeouts.patch [new file with mode: 0644]
queue-4.19/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch [new file with mode: 0644]
queue-4.19/alsa-timer-fix-use-after-free-problem.patch [new file with mode: 0644]
queue-4.19/alsa-timer-unconditionally-unlink-slave-instances-too.patch [new file with mode: 0644]
queue-4.19/alsa-ua101-fix-division-by-zero-at-probe.patch [new file with mode: 0644]
queue-4.19/alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch [new file with mode: 0644]
queue-4.19/fuse-fix-page-stealing.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch [new file with mode: 0644]
queue-4.19/x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch [new file with mode: 0644]

diff --git a/queue-4.19/alsa-6fire-fix-control-and-bulk-message-timeouts.patch b/queue-4.19/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
new file mode 100644 (file)
index 0000000..f1da1ab
--- /dev/null
@@ -0,0 +1,63 @@
+From 9b371c6cc37f954360989eec41c2ddc5a6b83917 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 14:11:41 +0200
+Subject: ALSA: 6fire: fix control and bulk message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9b371c6cc37f954360989eec41c2ddc5a6b83917 upstream.
+
+USB control and bulk message timeouts are specified in milliseconds and
+should specifically not vary with CONFIG_HZ.
+
+Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB")
+Cc: stable@vger.kernel.org      # 2.6.39
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025121142.6531-2-johan@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/6fire/comm.c     |    2 +-
+ sound/usb/6fire/firmware.c |    6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/6fire/comm.c
++++ b/sound/usb/6fire/comm.c
+@@ -99,7 +99,7 @@ static int usb6fire_comm_send_buffer(u8
+       int actual_len;
+       ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, COMM_EP),
+-                      buffer, buffer[1] + 2, &actual_len, HZ);
++                      buffer, buffer[1] + 2, &actual_len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (actual_len != buffer[1] + 2)
+--- a/sound/usb/6fire/firmware.c
++++ b/sound/usb/6fire/firmware.c
+@@ -166,7 +166,7 @@ static int usb6fire_fw_ezusb_write(struc
+       ret = usb_control_msg(device, usb_sndctrlpipe(device, 0), type,
+                       USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+-                      value, 0, data, len, HZ);
++                      value, 0, data, len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (ret != len)
+@@ -179,7 +179,7 @@ static int usb6fire_fw_ezusb_read(struct
+ {
+       int ret = usb_control_msg(device, usb_rcvctrlpipe(device, 0), type,
+                       USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, value,
+-                      0, data, len, HZ);
++                      0, data, len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (ret != len)
+@@ -194,7 +194,7 @@ static int usb6fire_fw_fpga_write(struct
+       int ret;
+       ret = usb_bulk_msg(device, usb_sndbulkpipe(device, FPGA_EP), data, len,
+-                      &actual_len, HZ);
++                      &actual_len, 1000);
+       if (ret < 0)
+               return ret;
+       else if (actual_len != len)
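Review bot: The literal `1000` is now repeated at four call sites (usb6fire_comm_send_buffer() in comm.c and the ezusb_write, ezusb_read and fpga_write helpers in firmware.c) with nothing at the call site saying the unit is milliseconds. A single driver-local constant, for example `#define USB6FIRE_TIMEOUT_MS 1000` (the name is only a suggestion), would keep the four values in step and make it harder for a later edit to reintroduce a jiffies-based timeout. All four functions start and end outside the quoted hunks.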
diff --git a/queue-4.19/alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch b/queue-4.19/alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch
new file mode 100644 (file)
index 0000000..e65b297
--- /dev/null
@@ -0,0 +1,31 @@
+From dbfe83507cf4ea66ce4efee2ac14c5ad420e31d3 Mon Sep 17 00:00:00 2001
+From: Tim Crawford <tcrawford@system76.com>
+Date: Mon, 1 Nov 2021 10:21:34 -0600
+Subject: ALSA: hda/realtek: Add quirk for Clevo PC70HS
+
+From: Tim Crawford <tcrawford@system76.com>
+
+commit dbfe83507cf4ea66ce4efee2ac14c5ad420e31d3 upstream.
+
+Apply the PB51ED PCI quirk to the Clevo PC70HS. Fixes audio output from
+the internal speakers.
+
+Signed-off-by: Tim Crawford <tcrawford@system76.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211101162134.5336-1-tcrawford@system76.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2525,6 +2525,7 @@ static const struct snd_pci_quirk alc882
+       SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
++      SND_PCI_QUIRK(0x1558, 0x67f1, "Clevo PC70H[PRS]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x70d1, "Clevo PC70[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x7714, "Clevo X170SM", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+       SND_PCI_QUIRK(0x1558, 0x7715, "Clevo X170KM-G", ALC1220_FIXUP_CLEVO_PB51ED),
diff --git a/queue-4.19/alsa-line6-fix-control-and-interrupt-message-timeouts.patch b/queue-4.19/alsa-line6-fix-control-and-interrupt-message-timeouts.patch
new file mode 100644 (file)
index 0000000..6873107
--- /dev/null
@@ -0,0 +1,138 @@
+From f4000b58b64344871d7b27c05e73932f137cfef6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 14:11:42 +0200
+Subject: ALSA: line6: fix control and interrupt message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f4000b58b64344871d7b27c05e73932f137cfef6 upstream.
+
+USB control and interrupt message timeouts are specified in milliseconds
+and should specifically not vary with CONFIG_HZ.
+
+Fixes: 705ececd1c60 ("Staging: add line6 usb driver")
+Cc: stable@vger.kernel.org      # 2.6.30
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025121142.6531-3-johan@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/line6/driver.c   |   14 +++++++-------
+ sound/usb/line6/driver.h   |    2 +-
+ sound/usb/line6/podhd.c    |    6 +++---
+ sound/usb/line6/toneport.c |    2 +-
+ 4 files changed, 12 insertions(+), 12 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -117,12 +117,12 @@ static int line6_send_raw_message(struct
+                       retval = usb_interrupt_msg(line6->usbdev,
+                                               usb_sndintpipe(line6->usbdev, properties->ep_ctrl_w),
+                                               (char *)frag_buf, frag_size,
+-                                              &partial, LINE6_TIMEOUT * HZ);
++                                              &partial, LINE6_TIMEOUT);
+               } else {
+                       retval = usb_bulk_msg(line6->usbdev,
+                                               usb_sndbulkpipe(line6->usbdev, properties->ep_ctrl_w),
+                                               (char *)frag_buf, frag_size,
+-                                              &partial, LINE6_TIMEOUT * HZ);
++                                              &partial, LINE6_TIMEOUT);
+               }
+               if (retval) {
+@@ -365,7 +365,7 @@ int line6_read_data(struct usb_line6 *li
+       ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+                             (datalen << 8) | 0x21, address,
+-                            NULL, 0, LINE6_TIMEOUT * HZ);
++                            NULL, 0, LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(line6->ifcdev, "read request failed (error %d)\n", ret);
+@@ -380,7 +380,7 @@ int line6_read_data(struct usb_line6 *li
+                                     USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+                                     USB_DIR_IN,
+                                     0x0012, 0x0000, len, 1,
+-                                    LINE6_TIMEOUT * HZ);
++                                    LINE6_TIMEOUT);
+               if (ret < 0) {
+                       dev_err(line6->ifcdev,
+                               "receive length failed (error %d)\n", ret);
+@@ -408,7 +408,7 @@ int line6_read_data(struct usb_line6 *li
+       ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+                             0x0013, 0x0000, data, datalen,
+-                            LINE6_TIMEOUT * HZ);
++                            LINE6_TIMEOUT);
+       if (ret < 0)
+               dev_err(line6->ifcdev, "read failed (error %d)\n", ret);
+@@ -440,7 +440,7 @@ int line6_write_data(struct usb_line6 *l
+       ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+                             0x0022, address, data, datalen,
+-                            LINE6_TIMEOUT * HZ);
++                            LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(line6->ifcdev,
+@@ -456,7 +456,7 @@ int line6_write_data(struct usb_line6 *l
+                                     USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+                                     USB_DIR_IN,
+                                     0x0012, 0x0000,
+-                                    status, 1, LINE6_TIMEOUT * HZ);
++                                    status, 1, LINE6_TIMEOUT);
+               if (ret < 0) {
+                       dev_err(line6->ifcdev,
+--- a/sound/usb/line6/driver.h
++++ b/sound/usb/line6/driver.h
+@@ -31,7 +31,7 @@
+ #define LINE6_FALLBACK_INTERVAL 10
+ #define LINE6_FALLBACK_MAXPACKETSIZE 16
+-#define LINE6_TIMEOUT 1
++#define LINE6_TIMEOUT 1000
+ #define LINE6_BUFSIZE_LISTEN 64
+ #define LINE6_MIDI_MESSAGE_MAXLEN 256
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -236,7 +236,7 @@ static int podhd_dev_start(struct usb_li
+       ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0),
+                                       0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+                                       0x11, 0,
+-                                      NULL, 0, LINE6_TIMEOUT * HZ);
++                                      NULL, 0, LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(pod->line6.ifcdev, "read request failed (error %d)\n", ret);
+               goto exit;
+@@ -246,7 +246,7 @@ static int podhd_dev_start(struct usb_li
+       ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67,
+                                       USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+                                       0x11, 0x0,
+-                                      init_bytes, 3, LINE6_TIMEOUT * HZ);
++                                      init_bytes, 3, LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(pod->line6.ifcdev,
+                       "receive length failed (error %d)\n", ret);
+@@ -266,7 +266,7 @@ static int podhd_dev_start(struct usb_li
+                                       USB_REQ_SET_FEATURE,
+                                       USB_TYPE_STANDARD | USB_RECIP_DEVICE | USB_DIR_OUT,
+                                       1, 0,
+-                                      NULL, 0, LINE6_TIMEOUT * HZ);
++                                      NULL, 0, LINE6_TIMEOUT);
+ exit:
+       kfree(init_bytes);
+       return ret;
+--- a/sound/usb/line6/toneport.c
++++ b/sound/usb/line6/toneport.c
+@@ -130,7 +130,7 @@ static int toneport_send_cmd(struct usb_
+       ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+-                            cmd1, cmd2, NULL, 0, LINE6_TIMEOUT * HZ);
++                            cmd1, cmd2, NULL, 0, LINE6_TIMEOUT);
+       if (ret < 0) {
+               dev_err(&usbdev->dev, "send failed (error %d)\n", ret);
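Review bot: `LINE6_TIMEOUT` changes meaning from seconds to milliseconds in driver.h while keeping its name, so any `LINE6_TIMEOUT * HZ` expression that this backport does not touch would silently become a timeout of 1000 * HZ milliseconds. The hunks cover driver.c, podhd.c and toneport.c; it is worth grepping the 4.19 tree for remaining users before queuing, since the stable branch may not have the same call sites as upstream. A unit comment on the define, `#define LINE6_TIMEOUT 1000 /* USB message timeout in milliseconds */`, would also make the contract visible to the next person who adds a caller.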
diff --git a/queue-4.19/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch b/queue-4.19/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
new file mode 100644 (file)
index 0000000..a75dd27
--- /dev/null
@@ -0,0 +1,35 @@
+From d159037abbe3412285c271bdfb9cdf19e62678ff Mon Sep 17 00:00:00 2001
+From: Austin Kim <austin.kim@lge.com>
+Date: Tue, 9 Nov 2021 00:37:42 +0000
+Subject: ALSA: synth: missing check for possible NULL after the call to kstrdup
+
+From: Austin Kim <austin.kim@lge.com>
+
+commit d159037abbe3412285c271bdfb9cdf19e62678ff upstream.
+
+If kcalloc() return NULL due to memory starvation, it is possible for
+kstrdup() to return NULL in similar case. So add null check after the call
+to kstrdup() is made.
+
+[ minor coding-style fix by tiwai ]
+
+Signed-off-by: Austin Kim <austin.kim@lge.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211109003742.GA5423@raspberrypi
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/synth/emux/emux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/synth/emux/emux.c
++++ b/sound/synth/emux/emux.c
+@@ -101,7 +101,7 @@ int snd_emux_register(struct snd_emux *e
+       emu->name = kstrdup(name, GFP_KERNEL);
+       emu->voices = kcalloc(emu->max_voices, sizeof(struct snd_emux_voice),
+                             GFP_KERNEL);
+-      if (emu->voices == NULL)
++      if (emu->name == NULL || emu->voices == NULL)
+               return -ENOMEM;
+       /* create soundfont list */
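Review bot: The early return at `if (emu->name == NULL || emu->voices == NULL)` leaves whichever of the two allocations succeeded attached to `emu`, so whether this path leaks depends on the caller tearing down `emu` after a failed snd_emux_register(), which is not visible in the hunk. If the caller's error path does not free both fields, the function should kfree() `emu->name` and `emu->voices` and reset both pointers to NULL before returning -ENOMEM; the reset matters so that a later teardown cannot free them a second time. snd_emux_register() starts and continues outside the hunk.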
diff --git a/queue-4.19/alsa-timer-fix-use-after-free-problem.patch b/queue-4.19/alsa-timer-fix-use-after-free-problem.patch
new file mode 100644 (file)
index 0000000..5bae306
--- /dev/null
@@ -0,0 +1,53 @@
+From c0317c0e87094f5b5782b6fdef5ae0a4b150496c Mon Sep 17 00:00:00 2001
+From: Wang Wensheng <wangwensheng4@huawei.com>
+Date: Wed, 3 Nov 2021 03:35:17 +0000
+Subject: ALSA: timer: Fix use-after-free problem
+
+From: Wang Wensheng <wangwensheng4@huawei.com>
+
+commit c0317c0e87094f5b5782b6fdef5ae0a4b150496c upstream.
+
+When the timer instance was add into ack_list but was not currently in
+process, the user could stop it via snd_timer_stop1() without delete it
+from the ack_list. Then the user could free the timer instance and when
+it was actually processed UAF occurred.
+
+This issue could be reproduced via testcase snd_timer01 in ltp - running
+several instances of that testcase at the same time.
+
+What I actually met was that the ack_list of the timer broken and the
+kernel went into deadloop with irqoff. That could be detected by
+hardlockup detector on board or when we run it on qemu, we could use gdb
+to dump the ack_list when the console has no response.
+
+To fix this issue, we delete the timer instance from ack_list and
+active_list unconditionally in snd_timer_stop1().
+
+Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211103033517.80531-1-wangwensheng4@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -593,13 +593,13 @@ static int snd_timer_stop1(struct snd_ti
+       if (!timer)
+               return -EINVAL;
+       spin_lock_irqsave(&timer->lock, flags);
++      list_del_init(&timeri->ack_list);
++      list_del_init(&timeri->active_list);
+       if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+                              SNDRV_TIMER_IFLG_START))) {
+               result = -EBUSY;
+               goto unlock;
+       }
+-      list_del_init(&timeri->ack_list);
+-      list_del_init(&timeri->active_list);
+       if (timer->card && timer->card->shutdown)
+               goto unlock;
+       if (stop) {
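Review bot: The two `list_del_init()` calls now sit above the RUNNING/START flag check in snd_timer_stop1() with no comment saying why they must run even on the -EBUSY path. That makes it easy for a later cleanup to move them back under the check and reintroduce the use-after-free described in the commit message. A short comment above them would record the invariant, for example `/* unlink unconditionally: an instance that is not running may still be queued on ack_list and be freed by the caller */`. The same applies to the unconditional unlink in snd_timer_stop_slave() changed by the following patch in this queue. snd_timer_stop1() begins and ends outside the hunk.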
diff --git a/queue-4.19/alsa-timer-unconditionally-unlink-slave-instances-too.patch b/queue-4.19/alsa-timer-unconditionally-unlink-slave-instances-too.patch
new file mode 100644 (file)
index 0000000..ed7caf1
--- /dev/null
@@ -0,0 +1,55 @@
+From ffdd98277f0a1d15a67a74ae09bee713df4c0dbc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 5 Nov 2021 10:15:17 +0100
+Subject: ALSA: timer: Unconditionally unlink slave instances, too
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ffdd98277f0a1d15a67a74ae09bee713df4c0dbc upstream.
+
+Like the previous fix (commit c0317c0e8709 "ALSA: timer: Fix
+use-after-free problem"), we have to unlink slave timer instances
+immediately at snd_timer_stop(), too.  Otherwise it may leave a stale
+entry in the list if the slave instance is freed before actually
+running.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211105091517.21733-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -634,23 +634,22 @@ static int snd_timer_stop1(struct snd_ti
+ static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
+ {
+       unsigned long flags;
++      bool running;
+       spin_lock_irqsave(&slave_active_lock, flags);
+-      if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
+-              spin_unlock_irqrestore(&slave_active_lock, flags);
+-              return -EBUSY;
+-      }
++      running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING;
+       timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+       if (timeri->timer) {
+               spin_lock(&timeri->timer->lock);
+               list_del_init(&timeri->ack_list);
+               list_del_init(&timeri->active_list);
+-              snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+-                                SNDRV_TIMER_EVENT_PAUSE);
++              if (running)
++                      snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
++                                        SNDRV_TIMER_EVENT_PAUSE);
+               spin_unlock(&timeri->timer->lock);
+       }
+       spin_unlock_irqrestore(&slave_active_lock, flags);
+-      return 0;
++      return running ? 0 : -EBUSY;
+ }
+ /*
diff --git a/queue-4.19/alsa-ua101-fix-division-by-zero-at-probe.patch b/queue-4.19/alsa-ua101-fix-division-by-zero-at-probe.patch
new file mode 100644 (file)
index 0000000..b004159
--- /dev/null
@@ -0,0 +1,48 @@
+From 55f261b73a7e1cb254577c3536cef8f415de220a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 26 Oct 2021 11:54:01 +0200
+Subject: ALSA: ua101: fix division by zero at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 55f261b73a7e1cb254577c3536cef8f415de220a upstream.
+
+Add the missing endpoint max-packet sanity check to probe() to avoid
+division by zero in alloc_stream_buffers() in case a malicious device
+has broken descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
+Cc: stable@vger.kernel.org      # 2.6.34
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211026095401.26522-1-johan@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/misc/ua101.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/misc/ua101.c
++++ b/sound/usb/misc/ua101.c
+@@ -1030,7 +1030,7 @@ static int detect_usb_format(struct ua10
+               fmt_playback->bSubframeSize * ua->playback.channels;
+       epd = &ua->intf[INTF_CAPTURE]->altsetting[1].endpoint[0].desc;
+-      if (!usb_endpoint_is_isoc_in(epd)) {
++      if (!usb_endpoint_is_isoc_in(epd) || usb_endpoint_maxp(epd) == 0) {
+               dev_err(&ua->dev->dev, "invalid capture endpoint\n");
+               return -ENXIO;
+       }
+@@ -1038,7 +1038,7 @@ static int detect_usb_format(struct ua10
+       ua->capture.max_packet_bytes = usb_endpoint_maxp(epd);
+       epd = &ua->intf[INTF_PLAYBACK]->altsetting[1].endpoint[0].desc;
+-      if (!usb_endpoint_is_isoc_out(epd)) {
++      if (!usb_endpoint_is_isoc_out(epd) || usb_endpoint_maxp(epd) == 0) {
+               dev_err(&ua->dev->dev, "invalid playback endpoint\n");
+               return -ENXIO;
+       }
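Review bot: Both checks dereference `altsetting[1].endpoint[0]` before the new `usb_endpoint_maxp(epd) == 0` test, and the hunks do not show where the interface's altsetting count and the altsetting's endpoint count are validated. Since the commit message names malicious or fuzzed descriptors as the threat, it is worth confirming that detect_usb_format(), or a helper it calls earlier outside the hunk, rejects interfaces with fewer than two altsettings or with no endpoints before these lines run. Separately, the zero-maxpacket case shares the `invalid capture endpoint` and `invalid playback endpoint` messages with the wrong-endpoint-type case; a distinct message would make descriptor-fuzzing reports easier to triage.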
diff --git a/queue-4.19/alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch b/queue-4.19/alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch
new file mode 100644 (file)
index 0000000..3e1d97c
--- /dev/null
@@ -0,0 +1,31 @@
+From 763d92ed5dece7d439fc28a88b2d2728d525ffd9 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy <alexander@tsoy.me>
+Date: Sat, 30 Oct 2021 20:43:08 +0300
+Subject: ALSA: usb-audio: Add registration quirk for JBL Quantum 400
+
+From: Alexander Tsoy <alexander@tsoy.me>
+
+commit 763d92ed5dece7d439fc28a88b2d2728d525ffd9 upstream.
+
+Add another device ID for JBL Quantum 400. It requires the same quirk as
+other JBL Quantum devices.
+
+Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211030174308.1011825-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1555,6 +1555,7 @@ static const struct registration_quirk r
+       REG_QUIRK_ENTRY(0x0951, 0x16ea, 2),     /* Kingston HyperX Cloud Flight S */
+       REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2),     /* JBL Quantum 600 */
+       REG_QUIRK_ENTRY(0x0ecb, 0x1f47, 2),     /* JBL Quantum 800 */
++      REG_QUIRK_ENTRY(0x0ecb, 0x1f4c, 2),     /* JBL Quantum 400 */
+       REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2),     /* JBL Quantum 400 */
+       REG_QUIRK_ENTRY(0x0ecb, 0x203c, 2),     /* JBL Quantum 600 */
+       REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2),     /* JBL Quantum 800 */
diff --git a/queue-4.19/fuse-fix-page-stealing.patch b/queue-4.19/fuse-fix-page-stealing.patch
new file mode 100644 (file)
index 0000000..78d7e98
--- /dev/null
@@ -0,0 +1,64 @@
+From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 2 Nov 2021 11:10:37 +0100
+Subject: fuse: fix page stealing
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
+
+It is possible to trigger a crash by splicing anon pipe bufs to the fuse
+device.
+
+The reason for this is that anon_pipe_buf_release() will reuse buf->page if
+the refcount is 1, but that page might have already been stolen and its
+flags modified (e.g. PG_lru added).
+
+This happens in the unlikely case of fuse_dev_splice_write() getting around
+to calling pipe_buf_release() after a page has been stolen, added to the
+page cache and removed from the page cache.
+
+Fix by calling pipe_buf_release() right after the page was inserted into
+the page cache.  In this case the page has an elevated refcount so any
+release function will know that the page isn't reusable.
+
+Reported-by: Frank Dinoff <fdinoff@google.com>
+Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Cc: <stable@vger.kernel.org> # v2.6.35
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -905,6 +905,12 @@ static int fuse_try_move_page(struct fus
+               goto out_put_old;
+       }
++      /*
++       * Release while we have extra ref on stolen page.  Otherwise
++       * anon_pipe_buf_release() might think the page can be reused.
++       */
++      pipe_buf_release(cs->pipe, buf);
++
+       get_page(newpage);
+       if (!(buf->flags & PIPE_BUF_FLAG_LRU))
+@@ -2054,8 +2060,12 @@ static ssize_t fuse_dev_splice_write(str
+       pipe_lock(pipe);
+ out_free:
+-      for (idx = 0; idx < nbuf; idx++)
+-              pipe_buf_release(pipe, &bufs[idx]);
++      for (idx = 0; idx < nbuf; idx++) {
++              struct pipe_buffer *buf = &bufs[idx];
++
++              if (buf->ops)
++                      pipe_buf_release(pipe, buf);
++      }
+       pipe_unlock(pipe);
+       kvfree(bufs);
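Review bot: In fuse_try_move_page() `buf->flags` is still read in `if (!(buf->flags & PIPE_BUF_FLAG_LRU))` after the new `pipe_buf_release(cs->pipe, buf);`, so the LRU decision is made on a buffer that has already been handed to its release callback. A release implementation may modify the buffer, flags included, so the release should come after the last use of `buf`: keep `get_page(newpage);` and the `PIPE_BUF_FLAG_LRU` check first, then call `pipe_buf_release(cs->pipe, buf);` immediately after them. As far as the hunk shows, the stolen page still holds the elevated reference count at that point. The `if (buf->ops)` guard added in fuse_dev_splice_write() depends on pipe_buf_release() clearing `buf->ops`; that helper is not shown here, so confirm it does so on the 4.19 base, otherwise an already-released buffer is released again. Both functions continue outside the hunks.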
index 91c986710766b8120fc957c00ee437b56809105a..9829ac8e992240349c69e175fd1d5b99f725f8ab 100644 (file)
@@ -12,3 +12,14 @@ firmware-psci-fix-application-of-sizeof-to-pointer.patch
 crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch
 media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch
 media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch
+alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch
+alsa-ua101-fix-division-by-zero-at-probe.patch
+alsa-6fire-fix-control-and-bulk-message-timeouts.patch
+alsa-line6-fix-control-and-interrupt-message-timeouts.patch
+alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch
+alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
+alsa-timer-fix-use-after-free-problem.patch
+alsa-timer-unconditionally-unlink-slave-instances-too.patch
+fuse-fix-page-stealing.patch
+x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch
+x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
diff --git a/queue-4.19/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch b/queue-4.19/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
new file mode 100644 (file)
index 0000000..1e2a0a4
--- /dev/null
@@ -0,0 +1,43 @@
+From 6ff53f6a438f72998f56e82e76694a1df9d1ea2c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 8 Oct 2021 17:11:04 -0700
+Subject: x86/irq: Ensure PI wakeup handler is unregistered before module unload
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 6ff53f6a438f72998f56e82e76694a1df9d1ea2c upstream.
+
+Add a synchronize_rcu() after clearing the posted interrupt wakeup handler
+to ensure all readers, i.e. in-flight IRQ handlers, see the new handler
+before returning to the caller.  If the caller is an exiting module and
+is unregistering its handler, failure to wait could result in the IRQ
+handler jumping into an unloaded module.
+
+The registration path doesn't require synchronization, as it's the
+caller's responsibility to not generate interrupts it cares about until
+after its handler is registered.
+
+Fixes: f6b3c72c2366 ("x86/irq: Define a global vector for VT-d Posted-Interrupts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20211009001107.3936588-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/irq.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/irq.c
++++ b/arch/x86/kernel/irq.c
+@@ -290,8 +290,10 @@ void kvm_set_posted_intr_wakeup_handler(
+ {
+       if (handler)
+               kvm_posted_intr_wakeup_handler = handler;
+-      else
++      else {
+               kvm_posted_intr_wakeup_handler = dummy_handler;
++              synchronize_rcu();
++      }
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler);
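Review bot: The new `synchronize_rcu()` is relied on to wait for in-flight IRQ handlers that are not inside an explicit rcu_read_lock() section, and whether it does so depends on the RCU implementation of the base kernel. To my knowledge the RCU flavours were unified only after 4.19, so on this branch a preemptible-RCU build may need `synchronize_sched()` to get the guarantee the commit message describes; this should be confirmed against the 4.19 RCU documentation before queuing. A one-line comment above the call, `/* wait for in-flight wakeup IRQs before the caller's module text can go away */`, would also record why the wait exists only on the unregister path.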
diff --git a/queue-4.19/x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch b/queue-4.19/x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch
new file mode 100644 (file)
index 0000000..e354d5c
--- /dev/null
@@ -0,0 +1,57 @@
+From e7d445ab26db833d6640d4c9a08bee176777cc82 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Fri, 15 Oct 2021 12:24:16 -0500
+Subject: x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit e7d445ab26db833d6640d4c9a08bee176777cc82 upstream.
+
+When runtime support for converting between 4-level and 5-level pagetables
+was added to the kernel, the SME code that built pagetables was updated
+to use the pagetable functions, e.g. p4d_offset(), etc., in order to
+simplify the code. However, the use of the pagetable functions in early
+boot code requires the use of the USE_EARLY_PGTABLE_L5 #define in order to
+ensure that the proper definition of pgtable_l5_enabled() is used.
+
+Without the #define, pgtable_l5_enabled() is #defined as
+cpu_feature_enabled(X86_FEATURE_LA57). In early boot, the CPU features
+have not yet been discovered and populated, so pgtable_l5_enabled() will
+return false even when 5-level paging is enabled. This causes the SME code
+to always build 4-level pagetables to perform the in-place encryption.
+If 5-level paging is enabled, switching to the SME pagetables results in
+a page-fault that kills the boot.
+
+Adding the #define results in pgtable_l5_enabled() using the
+__pgtable_l5_enabled variable set in early boot and the SME code building
+pagetables for the proper paging level.
+
+Fixes: aad983913d77 ("x86/mm/encrypt: Simplify sme_populate_pgd() and sme_populate_pgd_large()")
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: <stable@vger.kernel.org> # 4.18.x
+Link: https://lkml.kernel.org/r/2cb8329655f5c753905812d951e212022a480475.1634318656.git.thomas.lendacky@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/mem_encrypt_identity.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/mm/mem_encrypt_identity.c
++++ b/arch/x86/mm/mem_encrypt_identity.c
+@@ -29,6 +29,15 @@
+ #undef CONFIG_PARAVIRT
+ #undef CONFIG_PARAVIRT_SPINLOCKS
++/*
++ * This code runs before CPU feature bits are set. By default, the
++ * pgtable_l5_enabled() function uses bit X86_FEATURE_LA57 to determine if
++ * 5-level paging is active, so that won't work here. USE_EARLY_PGTABLE_L5
++ * is provided to handle this situation and, instead, use a variable that
++ * has been set by the early boot code.
++ */
++#define USE_EARLY_PGTABLE_L5
++
+ #include <linux/kernel.h>
+ #include <linux/mm.h>
+ #include <linux/mem_encrypt.h>