--- /dev/null
+From b09c551c77c7e01dc6e4f3c8bf06b5ffa7b06db5 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Date: Wed, 5 Apr 2023 22:12:20 +0200
+Subject: ALSA: emu10k1: fix capture interrupt handler unlinking
+
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+
+commit b09c551c77c7e01dc6e4f3c8bf06b5ffa7b06db5 upstream.
+
+Due to two copy/pastos, closing the MIC or EFX capture device would
+make a running ADC capture hang due to unsetting its interrupt handler.
+In principle, this would have also allowed dereferencing dangling
+pointers, but we're actually rather thorough at disabling and flushing
+the ints.
+
+While it may sound like one, this actually wasn't a hypothetical bug:
+PortAudio will open a capture stream at startup (and close it right
+away) even if not asked to. If the first device is busy, it will just
+proceed with the next one ... thus killing a concurrent capture.
+
+Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230405201220.2197923-1-oswald.buddenhagen@gmx.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/emu10k1/emupcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/emu10k1/emupcm.c
++++ b/sound/pci/emu10k1/emupcm.c
+@@ -1258,7 +1258,7 @@ static int snd_emu10k1_capture_mic_close
+ {
+ struct snd_emu10k1 *emu = snd_pcm_substream_chip(substream);
+
+- emu->capture_interrupt = NULL;
++ emu->capture_mic_interrupt = NULL;
+ emu->pcm_capture_mic_substream = NULL;
+ return 0;
+ }
+@@ -1366,7 +1366,7 @@ static int snd_emu10k1_capture_efx_close
+ {
+ struct snd_emu10k1 *emu = snd_pcm_substream_chip(substream);
+
+- emu->capture_interrupt = NULL;
++ emu->capture_efx_interrupt = NULL;
+ emu->pcm_capture_efx_substream = NULL;
+ return 0;
+ }
--- /dev/null
+From c17f8fd31700392b1bb9e7b66924333568cb3700 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Date: Wed, 5 Apr 2023 22:12:19 +0200
+Subject: ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
+
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+
+commit c17f8fd31700392b1bb9e7b66924333568cb3700 upstream.
+
+Like the other boards from the D*45* series, this one sets up the
+outputs not quite correctly.
+
+Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230405201220.2197826-1-oswald.buddenhagen@gmx.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sound/hd-audio/models.rst | 2 +-
+ sound/pci/hda/patch_sigmatel.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/Documentation/sound/hd-audio/models.rst
++++ b/Documentation/sound/hd-audio/models.rst
+@@ -691,7 +691,7 @@ ref
+ no-jd
+ BIOS setup but without jack-detection
+ intel
+- Intel DG45* mobos
++ Intel D*45* mobos
+ dell-m6-amic
+ Dell desktops/laptops with analog mics
+ dell-m6-dmic
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -1971,6 +1971,8 @@ static const struct snd_pci_quirk stac92
+ "DFI LanParty", STAC_92HD73XX_REF),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DFI, 0x3101,
+ "DFI LanParty", STAC_92HD73XX_REF),
++ SND_PCI_QUIRK(PCI_VENDOR_ID_INTEL, 0x5001,
++ "Intel DP45SG", STAC_92HD73XX_INTEL),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_INTEL, 0x5002,
+ "Intel DG45ID", STAC_92HD73XX_INTEL),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_INTEL, 0x5003,
--- /dev/null
+From f342ac00da1064eb4f94b1f4bcacbdfea955797a Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Date: Wed, 5 Apr 2023 22:12:20 +0200
+Subject: ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
+
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+
+commit f342ac00da1064eb4f94b1f4bcacbdfea955797a upstream.
+
+The BIOS botches this one completely - it says the 2nd S/PDIF output is
+used, while in fact it's the 1st one. This is tested on DP45SG, but I'm
+assuming it's valid for the other boards in the series as well.
+
+Also add some comments regarding the pins.
+FWIW, the codec is apparently still sold by Tempo Semiconductor, Inc.,
+where one can download the documentation.
+
+Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230405201220.2197826-2-oswald.buddenhagen@gmx.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_sigmatel.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -1723,6 +1723,7 @@ static const struct snd_pci_quirk stac92
+ };
+
+ static const struct hda_pintbl ref92hd73xx_pin_configs[] = {
++ // Port A-H
+ { 0x0a, 0x02214030 },
+ { 0x0b, 0x02a19040 },
+ { 0x0c, 0x01a19020 },
+@@ -1731,9 +1732,12 @@ static const struct hda_pintbl ref92hd73
+ { 0x0f, 0x01014010 },
+ { 0x10, 0x01014020 },
+ { 0x11, 0x01014030 },
++ // CD in
+ { 0x12, 0x02319040 },
++ // Digial Mic ins
+ { 0x13, 0x90a000f0 },
+ { 0x14, 0x90a000f0 },
++ // Digital outs
+ { 0x22, 0x01452050 },
+ { 0x23, 0x01452050 },
+ {}
+@@ -1774,6 +1778,7 @@ static const struct hda_pintbl alienware
+ };
+
+ static const struct hda_pintbl intel_dg45id_pin_configs[] = {
++ // Analog outputs
+ { 0x0a, 0x02214230 },
+ { 0x0b, 0x02A19240 },
+ { 0x0c, 0x01013214 },
+@@ -1781,6 +1786,9 @@ static const struct hda_pintbl intel_dg4
+ { 0x0e, 0x01A19250 },
+ { 0x0f, 0x01011212 },
+ { 0x10, 0x01016211 },
++ // Digital output
++ { 0x22, 0x01451380 },
++ { 0x23, 0x40f000f0 },
+ {}
+ };
+
--- /dev/null
+From e98e7a82bca2b6dce3e03719cff800ec913f9af7 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Date: Wed, 5 Apr 2023 22:12:19 +0200
+Subject: ALSA: i2c/cs8427: fix iec958 mixer control deactivation
+
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+
+commit e98e7a82bca2b6dce3e03719cff800ec913f9af7 upstream.
+
+snd_cs8427_iec958_active() would always delete
+SNDRV_CTL_ELEM_ACCESS_INACTIVE, even though the function has an
+argument `active`.
+
+Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230405201219.2197811-1-oswald.buddenhagen@gmx.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/i2c/cs8427.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/i2c/cs8427.c
++++ b/sound/i2c/cs8427.c
+@@ -568,10 +568,13 @@ int snd_cs8427_iec958_active(struct snd_
+ if (snd_BUG_ON(!cs8427))
+ return -ENXIO;
+ chip = cs8427->private_data;
+- if (active)
++ if (active) {
+ memcpy(chip->playback.pcm_status,
+ chip->playback.def_status, 24);
+- chip->playback.pcm_ctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_INACTIVE;
++ chip->playback.pcm_ctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_INACTIVE;
++ } else {
++ chip->playback.pcm_ctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_INACTIVE;
++ }
+ snd_ctl_notify(cs8427->bus->card,
+ SNDRV_CTL_EVENT_MASK_VALUE | SNDRV_CTL_EVENT_MASK_INFO,
+ &chip->playback.pcm_ctl->id);
--- /dev/null
+From c95930abd687fcd1aa040dc4fe90dff947916460 Mon Sep 17 00:00:00 2001
+From: Min Li <lm0963hack@gmail.com>
+Date: Sat, 4 Mar 2023 22:23:30 +0800
+Subject: Bluetooth: Fix race condition in hidp_session_thread
+
+From: Min Li <lm0963hack@gmail.com>
+
+commit c95930abd687fcd1aa040dc4fe90dff947916460 upstream.
+
+There is a potential race condition in hidp_session_thread that may
+lead to use-after-free. For instance, the timer is active while
+hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
+then 'session' will be freed, causing kernel panic when hidp_idle_timeout
+is running.
+
+The solution is to use del_timer_sync instead of del_timer.
+
+Here is the call trace:
+
+? hidp_session_probe+0x780/0x780
+call_timer_fn+0x2d/0x1e0
+__run_timers.part.0+0x569/0x940
+hidp_session_probe+0x780/0x780
+call_timer_fn+0x1e0/0x1e0
+ktime_get+0x5c/0xf0
+lapic_next_deadline+0x2c/0x40
+clockevents_program_event+0x205/0x320
+run_timer_softirq+0xa9/0x1b0
+__do_softirq+0x1b9/0x641
+__irq_exit_rcu+0xdc/0x190
+irq_exit_rcu+0xe/0x20
+sysvec_apic_timer_interrupt+0xa1/0xc0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -428,7 +428,7 @@ static void hidp_set_timer(struct hidp_s
+ static void hidp_del_timer(struct hidp_session *session)
+ {
+ if (session->idle_to > 0)
+- del_timer(&session->timer);
++ del_timer_sync(&session->timer);
+ }
+
+ static void hidp_process_report(struct hidp_session *session, int type,
--- /dev/null
+From a2a9339e1c9deb7e1e079e12e27a0265aea8421a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 6 Apr 2023 09:33:09 -0700
+Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit a2a9339e1c9deb7e1e079e12e27a0265aea8421a upstream.
+
+Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free
+caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
+prevent referencing a channel that is about to be destroyed.
+
+Cc: stable@kernel.org
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4350,33 +4350,27 @@ static inline int l2cap_disconnect_req(s
+
+ BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
+
+- mutex_lock(&conn->chan_lock);
+-
+- chan = __l2cap_get_chan_by_scid(conn, dcid);
++ chan = l2cap_get_chan_by_scid(conn, dcid);
+ if (!chan) {
+- mutex_unlock(&conn->chan_lock);
+ cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
+ return 0;
+ }
+
+- l2cap_chan_hold(chan);
+- l2cap_chan_lock(chan);
+-
+ rsp.dcid = cpu_to_le16(chan->scid);
+ rsp.scid = cpu_to_le16(chan->dcid);
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
+
+ chan->ops->set_shutdown(chan);
+
++ mutex_lock(&conn->chan_lock);
+ l2cap_chan_del(chan, ECONNRESET);
++ mutex_unlock(&conn->chan_lock);
+
+ chan->ops->close(chan);
+
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
+
+- mutex_unlock(&conn->chan_lock);
+-
+ return 0;
+ }
+
+@@ -4396,33 +4390,27 @@ static inline int l2cap_disconnect_rsp(s
+
+ BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
+
+- mutex_lock(&conn->chan_lock);
+-
+- chan = __l2cap_get_chan_by_scid(conn, scid);
++ chan = l2cap_get_chan_by_scid(conn, scid);
+ if (!chan) {
+ mutex_unlock(&conn->chan_lock);
+ return 0;
+ }
+
+- l2cap_chan_hold(chan);
+- l2cap_chan_lock(chan);
+-
+ if (chan->state != BT_DISCONN) {
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
+- mutex_unlock(&conn->chan_lock);
+ return 0;
+ }
+
++ mutex_lock(&conn->chan_lock);
+ l2cap_chan_del(chan, 0);
++ mutex_unlock(&conn->chan_lock);
+
+ chan->ops->close(chan);
+
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
+
+- mutex_unlock(&conn->chan_lock);
+-
+ return 0;
+ }
+
ring-buffer-fix-race-while-reader-and-writer-are-on-the-same-page.patch
mm-swap-fix-swap_info_struct-race-between-swapoff-and-get_swap_pages.patch
revert-pinctrl-amd-disable-and-mask-interrupts-on-resume.patch
+alsa-emu10k1-fix-capture-interrupt-handler-unlinking.patch
+alsa-hda-sigmatel-add-pin-overrides-for-intel-dp45sg-motherboard.patch
+alsa-i2c-cs8427-fix-iec958-mixer-control-deactivation.patch
+alsa-hda-sigmatel-fix-s-pdif-out-on-intel-d-45-motherboards.patch
+bluetooth-l2cap-fix-use-after-free-in-l2cap_disconnect_-req-rsp.patch
+bluetooth-fix-race-condition-in-hidp_session_thread.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
