--- /dev/null
+From 0b04fbe886b4274c8e5855011233aaa69fec6e75 Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg <cs@tuxedo.de>
+Date: Tue, 29 Oct 2024 16:16:52 +0100
+Subject: ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3
+
+From: Christoffer Sandberg <cs@tuxedo.de>
+
+commit 0b04fbe886b4274c8e5855011233aaa69fec6e75 upstream.
+
+Quirk is needed to enable headset microphone on missing pin 0x19.
+
+Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10015,6 +10015,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1558, 0x1403, "Clevo N140CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x1404, "Clevo N150CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x14a1, "Clevo L141MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x28c1, "Clevo V370VND", ALC2XX_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
--- /dev/null
+From dabc44c28f118910dea96244d903f0c270225669 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 5 Nov 2024 13:02:17 +0100
+Subject: ALSA: usb-audio: Add quirk for HP 320 FHD Webcam
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit dabc44c28f118910dea96244d903f0c270225669 upstream.
+
+HP 320 FHD Webcam (03f0:654a) seems to have flaky firmware like other
+webcam devices that don't like the frequency inquiries. Also, Mic
+Capture Volume has an invalid resolution, hence fix it to be 16 (as a
+blind shot).
+
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1232768
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20241105120220.5740-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer.c | 1 +
+ sound/usb/quirks.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1205,6 +1205,7 @@ static void volume_control_quirks(struct
+ }
+ break;
+ case USB_ID(0x1bcf, 0x2283): /* NexiGo N930AF FHD Webcam */
++ case USB_ID(0x03f0, 0x654a): /* HP 320 FHD Webcam */
+ if (!strcmp(kctl->id.name, "Mic Capture Volume")) {
+ usb_audio_info(chip,
+ "set resolution quirk: cval->res = 16\n");
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2014,6 +2014,8 @@ struct usb_audio_quirk_flags_table {
+
+ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ /* Device matches */
++ DEVICE_FLG(0x03f0, 0x654a, /* HP 320 FHD Webcam */
++ QUIRK_FLAG_GET_SAMPLE_RATE),
+ DEVICE_FLG(0x041e, 0x3000, /* Creative SB Extigy */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
+ DEVICE_FLG(0x041e, 0x4080, /* Creative Live Cam VF0610 */
--- /dev/null
+From 235d2e739fcbe964c9ce179b4c991025662dcdb6 Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:12:22 +0800
+Subject: dm cache: correct the number of origin blocks to match the target length
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit 235d2e739fcbe964c9ce179b4c991025662dcdb6 upstream.
+
+When creating a cache device, the actual size of the cache origin might
+be greater than the specified cache target length. In such case, the
+number of origin blocks should match the cache target length, not the
+full size of the origin device, since access beyond the cache target is
+not possible. This issue occurs when reducing the origin device size
+using lvm, as lvreduce preloads the new cache table before resuming the
+cache origin, which can result in incorrect sizes for the discard bitset
+and smq hotspot blocks.
+
+Reproduce steps:
+
+1. create a cache device consists of 4096 origin blocks
+
+dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
+dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
+dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
+dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
+dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+
+2. reduce the cache origin to 2048 oblocks, in lvreduce's approach
+
+dmsetup reload corig --table "0 262144 linear /dev/sdc 262144"
+dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+dmsetup suspend cache
+dmsetup suspend corig
+dmsetup suspend cdata
+dmsetup suspend cmeta
+dmsetup resume corig
+dmsetup resume cdata
+dmsetup resume cmeta
+dmsetup resume cache
+
+3. shutdown the cache, and check the number of discard blocks in
+ superblock. The value is expected to be 2048, but actually is 4096.
+
+dmsetup remove cache corig cdata cmeta
+dd if=/dev/sdc bs=1c count=8 skip=224 2>/dev/null | hexdump -e '1/8 "%u\n"'
+
+Fix by correcting the origin_blocks initialization in cache_create and
+removing the unused origin_sectors from struct cache_args accordingly.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: c6b4fcbad044 ("dm: add cache target")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -1980,7 +1980,6 @@ struct cache_args {
+ sector_t cache_sectors;
+
+ struct dm_dev *origin_dev;
+- sector_t origin_sectors;
+
+ uint32_t block_size;
+
+@@ -2061,6 +2060,7 @@ static int parse_cache_dev(struct cache_
+ static int parse_origin_dev(struct cache_args *ca, struct dm_arg_set *as,
+ char **error)
+ {
++ sector_t origin_sectors;
+ int r;
+
+ if (!at_least_one_arg(as, error))
+@@ -2073,8 +2073,8 @@ static int parse_origin_dev(struct cache
+ return r;
+ }
+
+- ca->origin_sectors = get_dev_size(ca->origin_dev);
+- if (ca->ti->len > ca->origin_sectors) {
++ origin_sectors = get_dev_size(ca->origin_dev);
++ if (ca->ti->len > origin_sectors) {
+ *error = "Device size larger than cached device";
+ return -EINVAL;
+ }
+@@ -2384,7 +2384,7 @@ static int cache_create(struct cache_arg
+
+ ca->metadata_dev = ca->origin_dev = ca->cache_dev = NULL;
+
+- origin_blocks = cache->origin_sectors = ca->origin_sectors;
++ origin_blocks = cache->origin_sectors = ti->len;
+ origin_blocks = block_div(origin_blocks, ca->block_size);
+ cache->origin_blocks = to_oblock(origin_blocks);
+
--- /dev/null
+From 135496c208ba26fd68cdef10b64ed7a91ac9a7ff Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:12:49 +0800
+Subject: dm cache: fix flushing uninitialized delayed_work on cache_ctr error
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream.
+
+An unexpected WARN_ON from flush_work() may occur when cache creation
+fails, caused by destroying the uninitialized delayed_work waker in the
+error path of cache_create(). For example, the warning appears on the
+superblock checksum error.
+
+Reproduce steps:
+
+dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
+dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
+dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
+dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
+dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+
+Kernel logs:
+
+(snip)
+WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890
+
+Fix by pulling out the cancel_delayed_work_sync() from the constructor's
+error path. This patch doesn't affect the use-after-free fix for
+concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix
+UAF in destroy()")) as cache_dtr is not changed.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -1882,16 +1882,13 @@ static void check_migrations(struct work
+ * This function gets called on the error paths of the constructor, so we
+ * have to cope with a partially initialised struct.
+ */
+-static void destroy(struct cache *cache)
++static void __destroy(struct cache *cache)
+ {
+- unsigned int i;
+-
+ mempool_exit(&cache->migration_pool);
+
+ if (cache->prison)
+ dm_bio_prison_destroy_v2(cache->prison);
+
+- cancel_delayed_work_sync(&cache->waker);
+ if (cache->wq)
+ destroy_workqueue(cache->wq);
+
+@@ -1919,13 +1916,22 @@ static void destroy(struct cache *cache)
+ if (cache->policy)
+ dm_cache_policy_destroy(cache->policy);
+
++ bioset_exit(&cache->bs);
++
++ kfree(cache);
++}
++
++static void destroy(struct cache *cache)
++{
++ unsigned int i;
++
++ cancel_delayed_work_sync(&cache->waker);
++
+ for (i = 0; i < cache->nr_ctr_args ; i++)
+ kfree(cache->ctr_args[i]);
+ kfree(cache->ctr_args);
+
+- bioset_exit(&cache->bs);
+-
+- kfree(cache);
++ __destroy(cache);
+ }
+
+ static void cache_dtr(struct dm_target *ti)
+@@ -2538,7 +2544,7 @@ static int cache_create(struct cache_arg
+ *result = cache;
+ return 0;
+ bad:
+- destroy(cache);
++ __destroy(cache);
+ return r;
+ }
+
+@@ -2589,7 +2595,7 @@ static int cache_ctr(struct dm_target *t
+
+ r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3);
+ if (r) {
+- destroy(cache);
++ __destroy(cache);
+ goto out;
+ }
+
--- /dev/null
+From 792227719725497ce10a8039803bec13f89f8910 Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:13:16 +0800
+Subject: dm cache: fix out-of-bounds access to the dirty bitset when resizing
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit 792227719725497ce10a8039803bec13f89f8910 upstream.
+
+dm-cache checks the dirty bits of the cache blocks to be dropped when
+shrinking the fast device, but an index bug in bitset iteration causes
+out-of-bounds access.
+
+Reproduce steps:
+
+1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)
+
+dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
+dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
+dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
+dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
+dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+
+2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
+ access to the dirty bitset (offset 0x80)
+
+dmsetup suspend cache
+dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
+dmsetup resume cdata
+dmsetup resume cache
+
+KASAN reports:
+
+ BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
+ Read of size 8 at addr ffffc900000f3080 by task dmsetup/131
+
+ (...snip...)
+ The buggy address belongs to the virtual mapping at
+ [ffffc900000f3000, ffffc900000f5000) created by:
+ cache_ctr+0x176a/0x35f0
+
+ (...snip...)
+ Memory state around the buggy address:
+ ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ^
+ ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+
+Fix by making the index post-incremented.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2889,13 +2889,13 @@ static bool can_resize(struct cache *cac
+ * We can't drop a dirty block when shrinking the cache.
+ */
+ while (from_cblock(new_size) < from_cblock(cache->cache_size)) {
+- new_size = to_cblock(from_cblock(new_size) + 1);
+ if (is_dirty(cache, new_size)) {
+ DMERR("%s: unable to shrink cache; cache block %llu is dirty",
+ cache_device_name(cache),
+ (unsigned long long) from_cblock(new_size));
+ return false;
+ }
++ new_size = to_cblock(from_cblock(new_size) + 1);
+ }
+
+ return true;
--- /dev/null
+From c0ade5d98979585d4f5a93e4514c2e9a65afa08d Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:13:54 +0800
+Subject: dm cache: fix potential out-of-bounds access on the first resume
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d upstream.
+
+Out-of-bounds access occurs if the fast device is expanded unexpectedly
+before the first-time resume of the cache table. This happens because
+expanding the fast device requires reloading the cache table for
+cache_create to allocate new in-core data structures that fit the new
+size, and the check in cache_preresume is not performed during the
+first resume, leading to the issue.
+
+Reproduce steps:
+
+1. prepare component devices:
+
+dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
+dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
+dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
+dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
+
+2. load a cache table of 512 cache blocks, and deliberately expand the
+ fast device before resuming the cache, making the in-core data
+ structures inadequate.
+
+dmsetup create cache --notable
+dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
+dmsetup resume cdata
+dmsetup resume cache
+
+3. suspend the cache to write out the in-core dirty bitset and hint
+ array, leading to out-of-bounds access to the dirty bitset at offset
+ 0x40:
+
+dmsetup suspend cache
+
+KASAN reports:
+
+ BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
+ Read of size 8 at addr ffffc90000085040 by task dmsetup/90
+
+ (...snip...)
+ The buggy address belongs to the virtual mapping at
+ [ffffc90000085000, ffffc90000087000) created by:
+ cache_ctr+0x176a/0x35f0
+
+ (...snip...)
+ Memory state around the buggy address:
+ ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
+ ^
+ ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+
+Fix by checking the size change on the first resume.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 37 ++++++++++++++++---------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2878,24 +2878,24 @@ static dm_cblock_t get_cache_dev_size(st
+ static bool can_resize(struct cache *cache, dm_cblock_t new_size)
+ {
+ if (from_cblock(new_size) > from_cblock(cache->cache_size)) {
+- if (cache->sized) {
+- DMERR("%s: unable to extend cache due to missing cache table reload",
+- cache_device_name(cache));
+- return false;
+- }
++ DMERR("%s: unable to extend cache due to missing cache table reload",
++ cache_device_name(cache));
++ return false;
+ }
+
+ /*
+ * We can't drop a dirty block when shrinking the cache.
+ */
+- new_size = to_cblock(find_next_bit(cache->dirty_bitset,
+- from_cblock(cache->cache_size),
+- from_cblock(new_size)));
+- if (new_size != cache->cache_size) {
+- DMERR("%s: unable to shrink cache; cache block %llu is dirty",
+- cache_device_name(cache),
+- (unsigned long long) from_cblock(new_size));
+- return false;
++ if (cache->loaded_mappings) {
++ new_size = to_cblock(find_next_bit(cache->dirty_bitset,
++ from_cblock(cache->cache_size),
++ from_cblock(new_size)));
++ if (new_size != cache->cache_size) {
++ DMERR("%s: unable to shrink cache; cache block %llu is dirty",
++ cache_device_name(cache),
++ (unsigned long long) from_cblock(new_size));
++ return false;
++ }
+ }
+
+ return true;
+@@ -2926,20 +2926,15 @@ static int cache_preresume(struct dm_tar
+ /*
+ * Check to see if the cache has resized.
+ */
+- if (!cache->sized) {
+- r = resize_cache_dev(cache, csize);
+- if (r)
+- return r;
+-
+- cache->sized = true;
+-
+- } else if (csize != cache->cache_size) {
++ if (!cache->sized || csize != cache->cache_size) {
+ if (!can_resize(cache, csize))
+ return -EINVAL;
+
+ r = resize_cache_dev(cache, csize);
+ if (r)
+ return r;
++
++ cache->sized = true;
+ }
+
+ if (!cache->loaded_mappings) {
--- /dev/null
+From f484697e619a83ecc370443a34746379ad99d204 Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:13:39 +0800
+Subject: dm cache: optimize dirty bit checking with find_next_bit when resizing
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit f484697e619a83ecc370443a34746379ad99d204 upstream.
+
+When shrinking the fast device, dm-cache iteratively searches for a
+dirty bit among the cache blocks to be dropped, which is less efficient.
+Use find_next_bit instead, as it is twice as fast as the iterative
+approach with test_bit.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2888,14 +2888,14 @@ static bool can_resize(struct cache *cac
+ /*
+ * We can't drop a dirty block when shrinking the cache.
+ */
+- while (from_cblock(new_size) < from_cblock(cache->cache_size)) {
+- if (is_dirty(cache, new_size)) {
+- DMERR("%s: unable to shrink cache; cache block %llu is dirty",
+- cache_device_name(cache),
+- (unsigned long long) from_cblock(new_size));
+- return false;
+- }
+- new_size = to_cblock(from_cblock(new_size) + 1);
++ new_size = to_cblock(find_next_bit(cache->dirty_bitset,
++ from_cblock(cache->cache_size),
++ from_cblock(new_size)));
++ if (new_size != cache->cache_size) {
++ DMERR("%s: unable to shrink cache; cache block %llu is dirty",
++ cache_device_name(cache),
++ (unsigned long long) from_cblock(new_size));
++ return false;
+ }
+
+ return true;
--- /dev/null
+From 5a4510c762fc04c74cff264cd4d9e9f5bf364bae Mon Sep 17 00:00:00 2001
+From: Zichen Xie <zichenxie0106@gmail.com>
+Date: Mon, 21 Oct 2024 14:54:45 -0500
+Subject: dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+commit 5a4510c762fc04c74cff264cd4d9e9f5bf364bae upstream.
+
+This was found by a static analyzer.
+There may be a potential integer overflow issue in
+unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are
+defined as "sector_t"(uint64_t), while uc->unstripe,
+uc->chunk_size and uc->stripes are all defined as "uint32_t".
+The result of the calculation will be limited to "uint32_t"
+without correct casting.
+So, we recommend adding an extra cast to prevent potential
+integer overflow.
+
+Fixes: 18a5bf270532 ("dm: add unstriped target")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-unstripe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-unstripe.c
++++ b/drivers/md/dm-unstripe.c
+@@ -84,8 +84,8 @@ static int unstripe_ctr(struct dm_target
+ }
+ uc->physical_start = start;
+
+- uc->unstripe_offset = uc->unstripe * uc->chunk_size;
+- uc->unstripe_width = (uc->stripes - 1) * uc->chunk_size;
++ uc->unstripe_offset = (sector_t)uc->unstripe * uc->chunk_size;
++ uc->unstripe_width = (sector_t)(uc->stripes - 1) * uc->chunk_size;
+ uc->chunk_shift = is_power_of_2(uc->chunk_size) ? fls(uc->chunk_size) - 1 : 0;
+
+ tmp_len = ti->len;
--- /dev/null
+From 4d75b9468021c73108b4439794d69e892b1d24e3 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 23 Oct 2024 16:52:08 -0400
+Subject: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 4d75b9468021c73108b4439794d69e892b1d24e3 upstream.
+
+Avoid a possible buffer overflow if size is larger than 4K.
+
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -419,7 +419,7 @@ static ssize_t amdgpu_debugfs_regs_pcie_
+ ssize_t result = 0;
+ int r;
+
+- if (size & 0x3 || *pos & 0x3)
++ if (size > 4096 || size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
+ r = pm_runtime_get_sync(adev_to_drm(adev)->dev);
--- /dev/null
+From f790a2c494c4ef587eeeb9fca20124de76a1646f Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 23 Oct 2024 16:39:36 -0400
+Subject: drm/amdgpu: Adjust debugfs eviction and IB access permissions
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit f790a2c494c4ef587eeeb9fca20124de76a1646f upstream.
+
+Users should not be able to run these.
+
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 7ba9395430f611cfc101b1c2687732baafa239d5)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -2009,11 +2009,11 @@ int amdgpu_debugfs_init(struct amdgpu_de
+ amdgpu_securedisplay_debugfs_init(adev);
+ amdgpu_fw_attestation_debugfs_init(adev);
+
+- debugfs_create_file("amdgpu_evict_vram", 0444, root, adev,
++ debugfs_create_file("amdgpu_evict_vram", 0400, root, adev,
+ &amdgpu_evict_vram_fops);
+- debugfs_create_file("amdgpu_evict_gtt", 0444, root, adev,
++ debugfs_create_file("amdgpu_evict_gtt", 0400, root, adev,
+ &amdgpu_evict_gtt_fops);
+- debugfs_create_file("amdgpu_test_ib", 0444, root, adev,
++ debugfs_create_file("amdgpu_test_ib", 0400, root, adev,
+ &amdgpu_debugfs_test_ib_fops);
+ debugfs_create_file("amdgpu_vm_info", 0444, root, adev,
+ &amdgpu_debugfs_vm_info_fops);
--- /dev/null
+From a6dd15981c03f2cdc9a351a278f09b5479d53d2e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@mandelbit.com>
+Date: Thu, 31 Oct 2024 16:28:48 +0100
+Subject: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
+
+From: Antonio Quartulli <antonio@mandelbit.com>
+
+commit a6dd15981c03f2cdc9a351a278f09b5479d53d2e upstream.
+
+acpi_evaluate_object() may return AE_NOT_FOUND (failure), which
+would result in dereferencing buffer.pointer (obj) while being NULL.
+
+Although this case may be unrealistic for the current code, it is
+still better to protect against possible bugs.
+
+Bail out also when status is AE_NOT_FOUND.
+
+This fixes 1 FORWARD_NULL issue reported by Coverity
+Report: CID 1600951: Null pointer dereferences (FORWARD_NULL)
+
+Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
+Fixes: c9b7c809b89f ("drm/amd: Guard against bad data for ATIF ACPI method")
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20241031152848.4716-1-antonio@mandelbit.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -132,8 +132,8 @@ static union acpi_object *amdgpu_atif_ca
+ &buffer);
+ obj = (union acpi_object *)buffer.pointer;
+
+- /* Fail if calling the method fails and ATIF is supported */
+- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
++ /* Fail if calling the method fails */
++ if (ACPI_FAILURE(status)) {
+ DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n",
+ acpi_format_exception(status));
+ kfree(obj);
--- /dev/null
+From cc6a931d1f3b412263d515fd93b21fc0ca5147fe Mon Sep 17 00:00:00 2001
+From: Erik Schumacher <erik.schumacher@iris-sensing.com>
+Date: Fri, 25 Oct 2024 08:37:00 +0000
+Subject: pwm: imx-tpm: Use correct MODULO value for EPWM mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Erik Schumacher <erik.schumacher@iris-sensing.com>
+
+commit cc6a931d1f3b412263d515fd93b21fc0ca5147fe upstream.
+
+The modulo register defines the period of the edge-aligned PWM mode
+(which is the only mode implemented). The reference manual states:
+"The EPWM period is determined by (MOD + 0001h) ..." So the value that
+is written to the MOD register must therefore be one less than the
+calculated period length. Return -EINVAL if the calculated length is
+already zero.
+A correct MODULO value is particularly relevant if the PWM has to output
+a high frequency due to a low period value.
+
+Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Erik Schumacher <erik.schumacher@iris-sensing.com>
+Link: https://lore.kernel.org/r/1a3890966d68b9f800d457cbf095746627495e18.camel@iris-sensing.com
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-imx-tpm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pwm/pwm-imx-tpm.c
++++ b/drivers/pwm/pwm-imx-tpm.c
+@@ -106,7 +106,9 @@ static int pwm_imx_tpm_round_state(struc
+ p->prescale = prescale;
+
+ period_count = (clock_unit + ((1 << prescale) >> 1)) >> prescale;
+- p->mod = period_count;
++ if (period_count == 0)
++ return -EINVAL;
++ p->mod = period_count - 1;
+
+ /* calculate real period HW can support */
+ tmp = (u64)period_count << prescale;
ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch
ksmbd-fix-the-missing-xa_store-error-check.patch
ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch
+pwm-imx-tpm-use-correct-modulo-value-for-epwm-mode.patch
+drm-amdgpu-adjust-debugfs-eviction-and-ib-access-permissions.patch
+drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
+drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch
+thermal-drivers-qcom-lmh-remove-false-lockdep-backtrace.patch
+dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch
+dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch
+dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch
+dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch
+dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch
+dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch
+alsa-usb-audio-add-quirk-for-hp-320-fhd-webcam.patch
+alsa-hda-realtek-fix-headset-mic-on-tuxedo-gemini-17-gen3.patch
--- /dev/null
+From f16beaaee248eaa37ad40b5905924fcf70ae02e3 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Date: Fri, 11 Oct 2024 08:48:39 +0300
+Subject: thermal/drivers/qcom/lmh: Remove false lockdep backtrace
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+commit f16beaaee248eaa37ad40b5905924fcf70ae02e3 upstream.
+
+Annotate LMH IRQs with lockdep classes so that the lockdep doesn't
+report possible recursive locking issue between LMH and GIC interrupts.
+
+For the reference:
+
+ CPU0
+ ----
+ lock(&irq_desc_lock_class);
+ lock(&irq_desc_lock_class);
+
+ *** DEADLOCK ***
+
+Call trace:
+ dump_backtrace+0x98/0xf0
+ show_stack+0x18/0x24
+ dump_stack_lvl+0x90/0xd0
+ dump_stack+0x18/0x24
+ print_deadlock_bug+0x258/0x348
+ __lock_acquire+0x1078/0x1f44
+ lock_acquire+0x1fc/0x32c
+ _raw_spin_lock_irqsave+0x60/0x88
+ __irq_get_desc_lock+0x58/0x98
+ enable_irq+0x38/0xa0
+ lmh_enable_interrupt+0x2c/0x38
+ irq_enable+0x40/0x8c
+ __irq_startup+0x78/0xa4
+ irq_startup+0x78/0x168
+ __enable_irq+0x70/0x7c
+ enable_irq+0x4c/0xa0
+ qcom_cpufreq_ready+0x20/0x2c
+ cpufreq_online+0x2a8/0x988
+ cpufreq_add_dev+0x80/0x98
+ subsys_interface_register+0x104/0x134
+ cpufreq_register_driver+0x150/0x234
+ qcom_cpufreq_hw_driver_probe+0x2a8/0x388
+ platform_probe+0x68/0xc0
+ really_probe+0xbc/0x298
+ __driver_probe_device+0x78/0x12c
+ driver_probe_device+0x3c/0x160
+ __device_attach_driver+0xb8/0x138
+ bus_for_each_drv+0x84/0xe0
+ __device_attach+0x9c/0x188
+ device_initial_probe+0x14/0x20
+ bus_probe_device+0xac/0xb0
+ deferred_probe_work_func+0x8c/0xc8
+ process_one_work+0x20c/0x62c
+ worker_thread+0x1bc/0x36c
+ kthread+0x120/0x124
+ ret_from_fork+0x10/0x20
+
+Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241011-lmh-lockdep-v1-1-495cbbe6fef1@linaro.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/qcom/lmh.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/thermal/qcom/lmh.c
++++ b/drivers/thermal/qcom/lmh.c
+@@ -73,7 +73,14 @@ static struct irq_chip lmh_irq_chip = {
+ static int lmh_irq_map(struct irq_domain *d, unsigned int irq, irq_hw_number_t hw)
+ {
+ struct lmh_hw_data *lmh_data = d->host_data;
++ static struct lock_class_key lmh_lock_key;
++ static struct lock_class_key lmh_request_key;
+
++ /*
++ * This lock class tells lockdep that GPIO irqs are in a different
++ * category than their parents, so it won't report false recursion.
++ */
++ irq_set_lockdep_class(irq, &lmh_lock_key, &lmh_request_key);
+ irq_set_chip_and_handler(irq, &lmh_irq_chip, handle_simple_irq);
+ irq_set_chip_data(irq, lmh_data);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
