--- /dev/null
+From 76c47183224c86e4011048b80f0e2d0d166f01c2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 18 Nov 2021 22:57:29 +0100
+Subject: ALSA: ctxfi: Fix out-of-range access
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 76c47183224c86e4011048b80f0e2d0d166f01c2 upstream.
+
+The master and next_conj of rcs_ops are used for iterating the
+resource list entries, and currently those are supposed to return the
+current value. The problem is that next_conf may go over the last
+entry before the loop abort condition is evaluated, and it may return
+the "current" value that is beyond the array size. It was caught
+recently as a GPF, for example.
+
+Those return values are, however, never actually evaluated, hence
+basically we don't have to consider the current value as the return at
+all. By dropping those return values, the potential out-of-range
+access above is also fixed automatically.
+
+This patch changes the return type of master and next_conj callbacks
+to void and drop the superfluous code accordingly.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214985
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211118215729.26257-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ctxfi/ctamixer.c | 14 ++++++--------
+ sound/pci/ctxfi/ctdaio.c | 16 ++++++++--------
+ sound/pci/ctxfi/ctresource.c | 7 +++----
+ sound/pci/ctxfi/ctresource.h | 4 ++--
+ sound/pci/ctxfi/ctsrc.c | 7 +++----
+ 5 files changed, 22 insertions(+), 26 deletions(-)
+
+--- a/sound/pci/ctxfi/ctamixer.c
++++ b/sound/pci/ctxfi/ctamixer.c
+@@ -23,16 +23,15 @@
+
+ #define BLANK_SLOT 4094
+
+-static int amixer_master(struct rsc *rsc)
++static void amixer_master(struct rsc *rsc)
+ {
+ rsc->conj = 0;
+- return rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0];
++ rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0];
+ }
+
+-static int amixer_next_conj(struct rsc *rsc)
++static void amixer_next_conj(struct rsc *rsc)
+ {
+ rsc->conj++;
+- return container_of(rsc, struct amixer, rsc)->idx[rsc->conj];
+ }
+
+ static int amixer_index(const struct rsc *rsc)
+@@ -331,16 +330,15 @@ int amixer_mgr_destroy(struct amixer_mgr
+
+ /* SUM resource management */
+
+-static int sum_master(struct rsc *rsc)
++static void sum_master(struct rsc *rsc)
+ {
+ rsc->conj = 0;
+- return rsc->idx = container_of(rsc, struct sum, rsc)->idx[0];
++ rsc->idx = container_of(rsc, struct sum, rsc)->idx[0];
+ }
+
+-static int sum_next_conj(struct rsc *rsc)
++static void sum_next_conj(struct rsc *rsc)
+ {
+ rsc->conj++;
+- return container_of(rsc, struct sum, rsc)->idx[rsc->conj];
+ }
+
+ static int sum_index(const struct rsc *rsc)
+--- a/sound/pci/ctxfi/ctdaio.c
++++ b/sound/pci/ctxfi/ctdaio.c
+@@ -51,12 +51,12 @@ static const struct daio_rsc_idx idx_20k
+ [SPDIFIO] = {.left = 0x05, .right = 0x85},
+ };
+
+-static int daio_master(struct rsc *rsc)
++static void daio_master(struct rsc *rsc)
+ {
+ /* Actually, this is not the resource index of DAIO.
+ * For DAO, it is the input mapper index. And, for DAI,
+ * it is the output time-slot index. */
+- return rsc->conj = rsc->idx;
++ rsc->conj = rsc->idx;
+ }
+
+ static int daio_index(const struct rsc *rsc)
+@@ -64,19 +64,19 @@ static int daio_index(const struct rsc *
+ return rsc->conj;
+ }
+
+-static int daio_out_next_conj(struct rsc *rsc)
++static void daio_out_next_conj(struct rsc *rsc)
+ {
+- return rsc->conj += 2;
++ rsc->conj += 2;
+ }
+
+-static int daio_in_next_conj_20k1(struct rsc *rsc)
++static void daio_in_next_conj_20k1(struct rsc *rsc)
+ {
+- return rsc->conj += 0x200;
++ rsc->conj += 0x200;
+ }
+
+-static int daio_in_next_conj_20k2(struct rsc *rsc)
++static void daio_in_next_conj_20k2(struct rsc *rsc)
+ {
+- return rsc->conj += 0x100;
++ rsc->conj += 0x100;
+ }
+
+ static const struct rsc_ops daio_out_rsc_ops = {
+--- a/sound/pci/ctxfi/ctresource.c
++++ b/sound/pci/ctxfi/ctresource.c
+@@ -109,18 +109,17 @@ static int audio_ring_slot(const struct
+ return (rsc->conj << 4) + offset_in_audio_slot_block[rsc->type];
+ }
+
+-static int rsc_next_conj(struct rsc *rsc)
++static void rsc_next_conj(struct rsc *rsc)
+ {
+ unsigned int i;
+ for (i = 0; (i < 8) && (!(rsc->msr & (0x1 << i))); )
+ i++;
+ rsc->conj += (AUDIO_SLOT_BLOCK_NUM >> i);
+- return rsc->conj;
+ }
+
+-static int rsc_master(struct rsc *rsc)
++static void rsc_master(struct rsc *rsc)
+ {
+- return rsc->conj = rsc->idx;
++ rsc->conj = rsc->idx;
+ }
+
+ static const struct rsc_ops rsc_generic_ops = {
+--- a/sound/pci/ctxfi/ctresource.h
++++ b/sound/pci/ctxfi/ctresource.h
+@@ -39,8 +39,8 @@ struct rsc {
+ };
+
+ struct rsc_ops {
+- int (*master)(struct rsc *rsc); /* Move to master resource */
+- int (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */
++ void (*master)(struct rsc *rsc); /* Move to master resource */
++ void (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */
+ int (*index)(const struct rsc *rsc); /* Return the index of resource */
+ /* Return the output slot number */
+ int (*output_slot)(const struct rsc *rsc);
+--- a/sound/pci/ctxfi/ctsrc.c
++++ b/sound/pci/ctxfi/ctsrc.c
+@@ -590,16 +590,15 @@ int src_mgr_destroy(struct src_mgr *src_
+
+ /* SRCIMP resource manager operations */
+
+-static int srcimp_master(struct rsc *rsc)
++static void srcimp_master(struct rsc *rsc)
+ {
+ rsc->conj = 0;
+- return rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0];
++ rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0];
+ }
+
+-static int srcimp_next_conj(struct rsc *rsc)
++static void srcimp_next_conj(struct rsc *rsc)
+ {
+ rsc->conj++;
+- return container_of(rsc, struct srcimp, rsc)->idx[rsc->conj];
+ }
+
+ static int srcimp_index(const struct rsc *rsc)
--- /dev/null
+From 174a7fb3859ae75b0f0e35ef852459d8882b55b5 Mon Sep 17 00:00:00 2001
+From: Werner Sembach <wse@tuxedocomputers.com>
+Date: Fri, 12 Nov 2021 12:07:04 +0100
+Subject: ALSA: hda/realtek: Add quirk for ASRock NUC Box 1100
+
+From: Werner Sembach <wse@tuxedocomputers.com>
+
+commit 174a7fb3859ae75b0f0e35ef852459d8882b55b5 upstream.
+
+This applies a SND_PCI_QUIRK(...) to the ASRock NUC Box 1100 series. This
+fixes the issue of the headphone jack not being detected unless warm
+rebooted from a certain other OS.
+
+When booting a certain other OS some coeff settings are changed that enable
+the audio jack. These settings are preserved on a warm reboot and can be
+easily dumped.
+
+The relevant indexes and values where gathered by naively diff-ing and
+reading a working and a non-working coeff dump.
+
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211112110704.1022501-1-wse@tuxedocomputers.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6467,6 +6467,27 @@ static void alc256_fixup_tongfang_reset_
+ alc_write_coef_idx(codec, 0x45, 0x5089);
+ }
+
++static const struct coef_fw alc233_fixup_no_audio_jack_coefs[] = {
++ WRITE_COEF(0x1a, 0x9003), WRITE_COEF(0x1b, 0x0e2b), WRITE_COEF(0x37, 0xfe06),
++ WRITE_COEF(0x38, 0x4981), WRITE_COEF(0x45, 0xd489), WRITE_COEF(0x46, 0x0074),
++ WRITE_COEF(0x49, 0x0149),
++ {}
++};
++
++static void alc233_fixup_no_audio_jack(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ /*
++ * The audio jack input and output is not detected on the ASRock NUC Box
++ * 1100 series when cold booting without this fix. Warm rebooting from a
++ * certain other OS makes the audio functional, as COEF settings are
++ * preserved in this case. This fix sets these altered COEF values as
++ * the default.
++ */
++ alc_process_coef_fw(codec, alc233_fixup_no_audio_jack_coefs);
++}
++
+ enum {
+ ALC269_FIXUP_GPIO2,
+ ALC269_FIXUP_SONY_VAIO,
+@@ -6685,6 +6706,7 @@ enum {
+ ALC287_FIXUP_13S_GEN2_SPEAKERS,
+ ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS,
+ ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
++ ALC233_FIXUP_NO_AUDIO_JACK,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -8399,6 +8421,10 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC,
+ },
++ [ALC233_FIXUP_NO_AUDIO_JACK] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc233_fixup_no_audio_jack,
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -8831,6 +8857,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x511e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
++ SND_PCI_QUIRK(0x1849, 0x1233, "ASRock NUC Box 1100", ALC233_FIXUP_NO_AUDIO_JACK),
+ SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS),
+ SND_PCI_QUIRK(0x1b35, 0x1235, "CZC B20", ALC269_FIXUP_CZC_B20),
+ SND_PCI_QUIRK(0x1b35, 0x1236, "CZC TMI", ALC269_FIXUP_CZC_TMI),
--- /dev/null
+From 05ec7161084565365ecf267e9909a897a95f243a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 18 Nov 2021 08:16:36 +0100
+Subject: ALSA: hda/realtek: Fix LED on HP ProBook 435 G7
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 05ec7161084565365ecf267e9909a897a95f243a upstream.
+
+HP ProBook 435 G7 (SSID 103c:8735) needs the similar quirk as another
+HP ProBook for enabling the mute and the mic-mute LEDs.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215021
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211118071636.14738-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8604,6 +8604,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8728, "HP EliteBook 840 G7", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8760, "HP", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
--- /dev/null
+From c21a80ca0684ec2910344d72556c816cb8940c01 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@google.com>
+Date: Fri, 12 Nov 2021 10:07:20 -0800
+Subject: binder: fix test regression due to sender_euid change
+
+From: Todd Kjos <tkjos@google.com>
+
+commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.
+
+This is a partial revert of commit
+29bc22ac5e5b ("binder: use euid from cred instead of using task").
+Setting sender_euid using proc->cred caused some Android system test
+regressions that need further investigation. It is a partial
+reversion because subsequent patches rely on proc->cred.
+
+Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
+Cc: stable@vger.kernel.org # 4.4+
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
+Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3091,7 +3091,7 @@ static void binder_transaction(struct bi
+ t->from = thread;
+ else
+ t->from = NULL;
+- t->sender_euid = proc->cred->euid;
++ t->sender_euid = task_euid(proc->tsk);
+ t->to_proc = target_proc;
+ t->to_thread = target_thread;
+ t->code = tr->code;
--- /dev/null
+From 473441720c8616dfaf4451f9c7ea14f0eb5e5d65 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 25 Nov 2021 14:05:18 +0100
+Subject: fuse: release pipe buf after last use
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 473441720c8616dfaf4451f9c7ea14f0eb5e5d65 upstream.
+
+Checking buf->flags should be done before the pipe_buf_release() is called
+on the pipe buffer, since releasing the buffer might modify the flags.
+
+This is exactly what page_cache_pipe_buf_release() does, and which results
+in the same VM_BUG_ON_PAGE(PageLRU(page)) that the original patch was
+trying to fix.
+
+Reported-by: Justin Forbes <jmforbes@linuxtx.org>
+Fixes: 712a951025c0 ("fuse: fix page stealing")
+Cc: <stable@vger.kernel.org> # v2.6.35
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -851,17 +851,17 @@ static int fuse_try_move_page(struct fus
+ goto out_put_old;
+ }
+
++ get_page(newpage);
++
++ if (!(buf->flags & PIPE_BUF_FLAG_LRU))
++ lru_cache_add(newpage);
++
+ /*
+ * Release while we have extra ref on stolen page. Otherwise
+ * anon_pipe_buf_release() might think the page can be reused.
+ */
+ pipe_buf_release(cs->pipe, buf);
+
+- get_page(newpage);
+-
+- if (!(buf->flags & PIPE_BUF_FLAG_LRU))
+- lru_cache_add(newpage);
+-
+ err = 0;
+ spin_lock(&cs->req->waitq.lock);
+ if (test_bit(FR_ABORTED, &cs->req->flags))
--- /dev/null
+From 7fb0413baa7f8a04caef0c504df9af7e0623d296 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Mon, 8 Nov 2021 16:31:01 -0800
+Subject: HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 7fb0413baa7f8a04caef0c504df9af7e0623d296 upstream.
+
+The HID descriptor of many of Wacom's touch input devices include a
+"Confidence" usage that signals if a particular touch collection contains
+useful data. The driver does not look at this flag, however, which causes
+even invalid contacts to be reported to userspace. A lucky combination of
+kernel event filtering and device behavior (specifically: contact ID 0 ==
+invalid, contact ID >0 == valid; and order all data so that all valid
+contacts are reported before any invalid contacts) spare most devices from
+any visibly-bad behavior.
+
+The DTH-2452 is one example of an unlucky device that misbehaves. It uses
+ID 0 for both the first valid contact and all invalid contacts. Because
+we report both the valid and invalid contacts, the kernel reports that
+contact 0 first goes down (valid) and then goes up (invalid) in every
+report. This causes ~100 clicks per second simply by touching the screen.
+
+This patch inroduces new `confidence` flag in our `hid_data` structure.
+The value is initially set to `true` at the start of a report and can be
+set to `false` if an invalid touch usage is seen.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/270
+Fixes: f8b6a74719b5 ("HID: wacom: generic: Support multiple tools per report")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Joshua Dickens <joshua.dickens@wacom.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 8 +++++++-
+ drivers/hid/wacom_wac.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2578,6 +2578,9 @@ static void wacom_wac_finger_event(struc
+ return;
+
+ switch (equivalent_usage) {
++ case HID_DG_CONFIDENCE:
++ wacom_wac->hid_data.confidence = value;
++ break;
+ case HID_GD_X:
+ wacom_wac->hid_data.x = value;
+ break;
+@@ -2610,7 +2613,8 @@ static void wacom_wac_finger_event(struc
+ }
+
+ if (usage->usage_index + 1 == field->report_count) {
+- if (equivalent_usage == wacom_wac->hid_data.last_slot_field)
++ if (equivalent_usage == wacom_wac->hid_data.last_slot_field &&
++ wacom_wac->hid_data.confidence)
+ wacom_wac_finger_slot(wacom_wac, wacom_wac->touch_input);
+ }
+ }
+@@ -2625,6 +2629,8 @@ static void wacom_wac_finger_pre_report(
+
+ wacom_wac->is_invalid_bt_frame = false;
+
++ hid_data->confidence = true;
++
+ for (i = 0; i < report->maxfield; i++) {
+ struct hid_field *field = report->field[i];
+ int j;
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -300,6 +300,7 @@ struct hid_data {
+ bool tipswitch;
+ bool barrelswitch;
+ bool barrelswitch2;
++ bool confidence;
+ int x;
+ int y;
+ int pressure;
--- /dev/null
+From 13cbaa4c2b7bf9f8285e1164d005dbf08244ecd5 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Tue, 2 Nov 2021 12:24:26 +0000
+Subject: media: cec: copy sequence field for the reply
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 13cbaa4c2b7bf9f8285e1164d005dbf08244ecd5 upstream.
+
+When the reply for a non-blocking transmit arrives, the sequence
+field for that reply was never filled in, so userspace would have no
+way of associating the reply to the original transmit.
+
+Copy the sequence field to ensure that this is now possible.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 0dbacebede1e ([media] cec: move the CEC framework out of staging and to media)
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/cec/core/cec-adap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/cec/core/cec-adap.c
++++ b/drivers/media/cec/core/cec-adap.c
+@@ -1199,6 +1199,7 @@ void cec_received_msg_ts(struct cec_adap
+ if (abort)
+ dst->rx_status |= CEC_RX_STATUS_FEATURE_ABORT;
+ msg->flags = dst->flags;
++ msg->sequence = dst->sequence;
+ /* Remove it from the wait_queue */
+ list_del_init(&data->list);
+
--- /dev/null
+From 98400ad75e95860e9a10ec78b0b90ab66184a2ce Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 21 Nov 2021 11:10:55 +0100
+Subject: Revert "parisc: Fix backtrace to always include init funtion names"
+
+From: Helge Deller <deller@gmx.de>
+
+commit 98400ad75e95860e9a10ec78b0b90ab66184a2ce upstream.
+
+This reverts commit 279917e27edc293eb645a25428c6ab3f3bca3f86.
+
+With the CONFIG_HARDENED_USERCOPY option enabled, this patch triggers
+kernel bugs at runtime:
+
+ usercopy: Kernel memory overwrite attempt detected to kernel text (offset 2084839, size 6)!
+ kernel BUG at mm/usercopy.c:99!
+ Backtrace:
+ IAOQ[0]: usercopy_abort+0xc4/0xe8
+ [<00000000406ed1c8>] __check_object_size+0x174/0x238
+ [<00000000407086d4>] copy_strings.isra.0+0x3e8/0x708
+ [<0000000040709a20>] do_execveat_common.isra.0+0x1bc/0x328
+ [<000000004070b760>] compat_sys_execve+0x7c/0xb8
+ [<0000000040303eb8>] syscall_exit+0x0/0x14
+
+The problem is, that we have an init section of at least 2MB size which
+starts at _stext and is freed after bootup.
+
+If then later some kernel data is (temporarily) stored in this free
+memory, check_kernel_text_object() will trigger a bug since the data
+appears to be inside the kernel text (>=_stext) area:
+ if (overlaps(ptr, len, _stext, _etext))
+ usercopy_abort("kernel text");
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@kernel.org # 5.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/vmlinux.lds.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/vmlinux.lds.S
++++ b/arch/parisc/kernel/vmlinux.lds.S
+@@ -57,8 +57,6 @@ SECTIONS
+ {
+ . = KERNEL_BINARY_TEXT_START;
+
+- _stext = .; /* start of kernel text, includes init code & data */
+-
+ __init_begin = .;
+ HEAD_TEXT_SECTION
+ MLONGCALL_DISCARD(INIT_TEXT_SECTION(8))
+@@ -82,6 +80,7 @@ SECTIONS
+ /* freed after init ends here */
+
+ _text = .; /* Text and read-only data */
++ _stext = .;
+ MLONGCALL_KEEP(INIT_TEXT_SECTION(8))
+ .text ALIGN(PAGE_SIZE) : {
+ TEXT_TEXT
usb-typec-fusb302-fix-masking-of-comparator-and-bc_lvl-interrupts.patch
usb-hub-fix-usb-enumeration-issue-due-to-address0-race.patch
usb-hub-fix-locking-issues-with-address0_mutex.patch
+binder-fix-test-regression-due-to-sender_euid-change.patch
+alsa-ctxfi-fix-out-of-range-access.patch
+alsa-hda-realtek-add-quirk-for-asrock-nuc-box-1100.patch
+alsa-hda-realtek-fix-led-on-hp-probook-435-g7.patch
+media-cec-copy-sequence-field-for-the-reply.patch
+revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch
+hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch
+staging-fbtft-fix-backlight.patch
+staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch
+staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
+fuse-release-pipe-buf-after-last-use.patch
--- /dev/null
+From 7865dd24934ad580d1bcde8f63c39f324211a23b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Fri, 5 Nov 2021 21:43:58 +0100
+Subject: staging/fbtft: Fix backlight
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Noralf Trønnes <noralf@tronnes.org>
+
+commit 7865dd24934ad580d1bcde8f63c39f324211a23b upstream.
+
+Commit b4a1ed0cd18b ("fbdev: make FB_BACKLIGHT a tristate") forgot to
+update fbtft breaking its backlight support when FB_BACKLIGHT is a module.
+
+Since FB_TFT selects FB_BACKLIGHT there's no need for this conditional
+so just remove it and we're good.
+
+Fixes: b4a1ed0cd18b ("fbdev: make FB_BACKLIGHT a tristate")
+Cc: <stable@vger.kernel.org>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Link: https://lore.kernel.org/r/20211105204358.2991-1-noralf@tronnes.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fbtft/fb_ssd1351.c | 4 ----
+ drivers/staging/fbtft/fbtft-core.c | 9 +--------
+ 2 files changed, 1 insertion(+), 12 deletions(-)
+
+--- a/drivers/staging/fbtft/fb_ssd1351.c
++++ b/drivers/staging/fbtft/fb_ssd1351.c
+@@ -187,7 +187,6 @@ static struct fbtft_display display = {
+ },
+ };
+
+-#ifdef CONFIG_FB_BACKLIGHT
+ static int update_onboard_backlight(struct backlight_device *bd)
+ {
+ struct fbtft_par *par = bl_get_data(bd);
+@@ -231,9 +230,6 @@ static void register_onboard_backlight(s
+ if (!par->fbtftops.unregister_backlight)
+ par->fbtftops.unregister_backlight = fbtft_unregister_backlight;
+ }
+-#else
+-static void register_onboard_backlight(struct fbtft_par *par) { };
+-#endif
+
+ FBTFT_REGISTER_DRIVER(DRVNAME, "solomon,ssd1351", &display);
+
+--- a/drivers/staging/fbtft/fbtft-core.c
++++ b/drivers/staging/fbtft/fbtft-core.c
+@@ -128,7 +128,6 @@ static int fbtft_request_gpios(struct fb
+ return 0;
+ }
+
+-#ifdef CONFIG_FB_BACKLIGHT
+ static int fbtft_backlight_update_status(struct backlight_device *bd)
+ {
+ struct fbtft_par *par = bl_get_data(bd);
+@@ -161,6 +160,7 @@ void fbtft_unregister_backlight(struct f
+ par->info->bl_dev = NULL;
+ }
+ }
++EXPORT_SYMBOL(fbtft_unregister_backlight);
+
+ static const struct backlight_ops fbtft_bl_ops = {
+ .get_brightness = fbtft_backlight_get_brightness,
+@@ -198,12 +198,7 @@ void fbtft_register_backlight(struct fbt
+ if (!par->fbtftops.unregister_backlight)
+ par->fbtftops.unregister_backlight = fbtft_unregister_backlight;
+ }
+-#else
+-void fbtft_register_backlight(struct fbtft_par *par) { };
+-void fbtft_unregister_backlight(struct fbtft_par *par) { };
+-#endif
+ EXPORT_SYMBOL(fbtft_register_backlight);
+-EXPORT_SYMBOL(fbtft_unregister_backlight);
+
+ static void fbtft_set_addr_win(struct fbtft_par *par, int xs, int ys, int xe,
+ int ye)
+@@ -853,13 +848,11 @@ int fbtft_register_framebuffer(struct fb
+ fb_info->fix.smem_len >> 10, text1,
+ HZ / fb_info->fbdefio->delay, text2);
+
+-#ifdef CONFIG_FB_BACKLIGHT
+ /* Turn on backlight if available */
+ if (fb_info->bl_dev) {
+ fb_info->bl_dev->props.power = FB_BLANK_UNBLANK;
+ fb_info->bl_dev->ops->update_status(fb_info->bl_dev);
+ }
+-#endif
+
+ return 0;
+
--- /dev/null
+From ffcf7ae90f4489047d7b076539ba207024dea5f6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 Nov 2021 08:20:27 +0100
+Subject: staging: greybus: Add missing rwsem around snd_ctl_remove() calls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ffcf7ae90f4489047d7b076539ba207024dea5f6 upstream.
+
+snd_ctl_remove() has to be called with card->controls_rwsem held (when
+called after the card instantiation). This patch adds the missing
+rwsem calls around it.
+
+Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20211116072027.18466-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/greybus/audio_helper.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/greybus/audio_helper.c
++++ b/drivers/staging/greybus/audio_helper.c
+@@ -192,7 +192,11 @@ int gbaudio_remove_component_controls(st
+ unsigned int num_controls)
+ {
+ struct snd_card *card = component->card->snd_card;
++ int err;
+
+- return gbaudio_remove_controls(card, component->dev, controls,
+- num_controls, component->name_prefix);
++ down_write(&card->controls_rwsem);
++ err = gbaudio_remove_controls(card, component->dev, controls,
++ num_controls, component->name_prefix);
++ up_write(&card->controls_rwsem);
++ return err;
+ }
--- /dev/null
+From b535917c51acc97fb0761b1edec85f1f3d02bda4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 17 Nov 2021 10:20:16 +0300
+Subject: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b535917c51acc97fb0761b1edec85f1f3d02bda4 upstream.
+
+The free_rtllib() function frees the "dev" pointer so there is use
+after free on the next line. Re-arrange things to avoid that.
+
+Fixes: 66898177e7e5 ("staging: rtl8192e: Fix unload/reload problem")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211117072016.GA5237@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+@@ -2551,13 +2551,14 @@ static void _rtl92e_pci_disconnect(struc
+ free_irq(dev->irq, dev);
+ priv->irq = 0;
+ }
+- free_rtllib(dev);
+
+ if (dev->mem_start != 0) {
+ iounmap((void __iomem *)dev->mem_start);
+ release_mem_region(pci_resource_start(pdev, 1),
+ pci_resource_len(pdev, 1));
+ }
++
++ free_rtllib(dev);
+ } else {
+ priv = rtllib_priv(dev);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
