--- /dev/null
+From b6409dd6bdc03aa178bbff0d80db2a30d29b63ac Mon Sep 17 00:00:00 2001
+From: Alan Young <consult.awy@gmail.com>
+Date: Thu, 2 Dec 2021 15:06:07 +0000
+Subject: ALSA: ctl: Fix copy of updated id with element read/write
+
+From: Alan Young <consult.awy@gmail.com>
+
+commit b6409dd6bdc03aa178bbff0d80db2a30d29b63ac upstream.
+
+When control_compat.c:copy_ctl_value_to_user() is used, by
+ctl_elem_read_user() & ctl_elem_write_user(), it must also copy back the
+snd_ctl_elem_id value that may have been updated (filled in) by the call
+to snd_ctl_elem_read/snd_ctl_elem_write().
+
+This matches the functionality provided by snd_ctl_elem_read_user() and
+snd_ctl_elem_write_user(), via snd_ctl_build_ioff().
+
+Without this, and without making additional calls to snd_ctl_info()
+which are unnecessary when using the non-compat calls, a userspace
+application will not know the numid value for the element and
+consequently will not be able to use the poll/read interface on the
+control file to determine which elements have updates.
+
+Signed-off-by: Alan Young <consult.awy@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211202150607.543389-1-consult.awy@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control_compat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/control_compat.c
++++ b/sound/core/control_compat.c
+@@ -266,6 +266,7 @@ static int copy_ctl_value_to_user(void _
+ struct snd_ctl_elem_value *data,
+ int type, int count)
+ {
++ struct snd_ctl_elem_value32 __user *data32 = userdata;
+ int i, size;
+
+ if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN ||
+@@ -282,6 +283,8 @@ static int copy_ctl_value_to_user(void _
+ if (copy_to_user(valuep, data->value.bytes.data, size))
+ return -EFAULT;
+ }
++ if (copy_to_user(&data32->id, &data->id, sizeof(data32->id)))
++ return -EFAULT;
+ return 0;
+ }
+
--- /dev/null
+From d7f32791a9fcf0dae8b073cdea9b79e29098c5f4 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Tue, 23 Nov 2021 16:32:44 +0800
+Subject: ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit d7f32791a9fcf0dae8b073cdea9b79e29098c5f4 upstream.
+
+Lenovo ALC897 platform had headset Mic.
+This patch enable supported headset Mic.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/baab2c2536cb4cc18677a862c6f6d840@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9620,6 +9620,27 @@ static void alc671_fixup_hp_headset_mic2
+ }
+ }
+
++static void alc897_hp_automute_hook(struct hda_codec *codec,
++ struct hda_jack_callback *jack)
++{
++ struct alc_spec *spec = codec->spec;
++ int vref;
++
++ snd_hda_gen_hp_automute(codec, jack);
++ vref = spec->gen.hp_jack_present ? (PIN_HP | AC_PINCTL_VREF_100) : PIN_HP;
++ snd_hda_codec_write(codec, 0x1b, 0, AC_VERB_SET_PIN_WIDGET_CONTROL,
++ vref);
++}
++
++static void alc897_fixup_lenovo_headset_mic(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ spec->gen.hp_automute_hook = alc897_hp_automute_hook;
++ }
++}
++
+ static const struct coef_fw alc668_coefs[] = {
+ WRITE_COEF(0x01, 0xbebe), WRITE_COEF(0x02, 0xaaaa), WRITE_COEF(0x03, 0x0),
+ WRITE_COEF(0x04, 0x0180), WRITE_COEF(0x06, 0x0), WRITE_COEF(0x07, 0x0f80),
+@@ -9700,6 +9721,8 @@ enum {
+ ALC668_FIXUP_ASUS_NO_HEADSET_MIC,
+ ALC668_FIXUP_HEADSET_MIC,
+ ALC668_FIXUP_MIC_DET_COEF,
++ ALC897_FIXUP_LENOVO_HEADSET_MIC,
++ ALC897_FIXUP_HEADSET_MIC_PIN,
+ };
+
+ static const struct hda_fixup alc662_fixups[] = {
+@@ -10106,6 +10129,19 @@ static const struct hda_fixup alc662_fix
+ {}
+ },
+ },
++ [ALC897_FIXUP_LENOVO_HEADSET_MIC] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc897_fixup_lenovo_headset_mic,
++ },
++ [ALC897_FIXUP_HEADSET_MIC_PIN] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x1a, 0x03a11050 },
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC897_FIXUP_LENOVO_HEADSET_MIC
++ },
+ };
+
+ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
+@@ -10150,6 +10186,10 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x14cd, 0x5003, "USI", ALC662_FIXUP_USI_HEADSET_MODE),
+ SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC662_FIXUP_LENOVO_MULTI_CODECS),
++ SND_PCI_QUIRK(0x17aa, 0x32ca, "Lenovo ThinkCentre M80", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
+ SND_PCI_QUIRK(0x1849, 0x5892, "ASRock B150M", ALC892_FIXUP_ASROCK_MOBO),
--- /dev/null
+From 9d2479c960875ca1239bcb899f386970c13d9cfe Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 1 Dec 2021 08:36:04 +0100
+Subject: ALSA: pcm: oss: Fix negative period/buffer sizes
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 9d2479c960875ca1239bcb899f386970c13d9cfe upstream.
+
+The period size calculation in OSS layer may receive a negative value
+as an error, but the code there assumes only the positive values and
+handle them with size_t. Due to that, a too big value may be passed
+to the lower layers.
+
+This patch changes the code to handle with ssize_t and adds the proper
+error checks appropriately.
+
+Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
+Reported-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
+Link: https://lore.kernel.org/r/20211201073606.11660-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -147,7 +147,7 @@ snd_pcm_hw_param_value_min(const struct
+ *
+ * Return the maximum value for field PAR.
+ */
+-static unsigned int
++static int
+ snd_pcm_hw_param_value_max(const struct snd_pcm_hw_params *params,
+ snd_pcm_hw_param_t var, int *dir)
+ {
+@@ -682,18 +682,24 @@ static int snd_pcm_oss_period_size(struc
+ struct snd_pcm_hw_params *oss_params,
+ struct snd_pcm_hw_params *slave_params)
+ {
+- size_t s;
+- size_t oss_buffer_size, oss_period_size, oss_periods;
+- size_t min_period_size, max_period_size;
++ ssize_t s;
++ ssize_t oss_buffer_size;
++ ssize_t oss_period_size, oss_periods;
++ ssize_t min_period_size, max_period_size;
+ struct snd_pcm_runtime *runtime = substream->runtime;
+ size_t oss_frame_size;
+
+ oss_frame_size = snd_pcm_format_physical_width(params_format(oss_params)) *
+ params_channels(oss_params) / 8;
+
++ oss_buffer_size = snd_pcm_hw_param_value_max(slave_params,
++ SNDRV_PCM_HW_PARAM_BUFFER_SIZE,
++ NULL);
++ if (oss_buffer_size <= 0)
++ return -EINVAL;
+ oss_buffer_size = snd_pcm_plug_client_size(substream,
+- snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, NULL)) * oss_frame_size;
+- if (!oss_buffer_size)
++ oss_buffer_size * oss_frame_size);
++ if (oss_buffer_size <= 0)
+ return -EINVAL;
+ oss_buffer_size = rounddown_pow_of_two(oss_buffer_size);
+ if (atomic_read(&substream->mmap_count)) {
+@@ -730,7 +736,7 @@ static int snd_pcm_oss_period_size(struc
+
+ min_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_min(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- if (min_period_size) {
++ if (min_period_size > 0) {
+ min_period_size *= oss_frame_size;
+ min_period_size = roundup_pow_of_two(min_period_size);
+ if (oss_period_size < min_period_size)
+@@ -739,7 +745,7 @@ static int snd_pcm_oss_period_size(struc
+
+ max_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- if (max_period_size) {
++ if (max_period_size > 0) {
+ max_period_size *= oss_frame_size;
+ max_period_size = rounddown_pow_of_two(max_period_size);
+ if (oss_period_size > max_period_size)
+@@ -752,7 +758,7 @@ static int snd_pcm_oss_period_size(struc
+ oss_periods = substream->oss.setup.periods;
+
+ s = snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIODS, NULL);
+- if (runtime->oss.maxfrags && s > runtime->oss.maxfrags)
++ if (s > 0 && runtime->oss.maxfrags && s > runtime->oss.maxfrags)
+ s = runtime->oss.maxfrags;
+ if (oss_periods > s)
+ oss_periods = s;
--- /dev/null
+From 6665bb30a6b1a4a853d52557c05482ee50e71391 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 1 Dec 2021 08:36:06 +0100
+Subject: ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6665bb30a6b1a4a853d52557c05482ee50e71391 upstream.
+
+A couple of calls in snd_pcm_oss_change_params_locked() ignore the
+possible errors. Catch those errors and abort the operation for
+avoiding further problems.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211201073606.11660-4-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -884,8 +884,15 @@ static int snd_pcm_oss_change_params_loc
+ err = -EINVAL;
+ goto failure;
+ }
+- choose_rate(substream, sparams, runtime->oss.rate);
+- snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_CHANNELS, runtime->oss.channels, NULL);
++
++ err = choose_rate(substream, sparams, runtime->oss.rate);
++ if (err < 0)
++ goto failure;
++ err = snd_pcm_hw_param_near(substream, sparams,
++ SNDRV_PCM_HW_PARAM_CHANNELS,
++ runtime->oss.channels, NULL);
++ if (err < 0)
++ goto failure;
+
+ format = snd_pcm_oss_format_from(runtime->oss.format);
+
--- /dev/null
+From 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 1 Dec 2021 08:36:05 +0100
+Subject: ALSA: pcm: oss: Limit the period size to 16MB
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 upstream.
+
+Set the practical limit to the period size (the fragment shift in OSS)
+instead of a full 31bit; a too large value could lead to the exhaust
+of memory as we allocate temporary buffers of the period size, too.
+
+As of this patch, we set to 16MB limit, which should cover all use
+cases.
+
+Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
+Reported-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
+Link: https://lore.kernel.org/r/20211201073606.11660-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1952,7 +1952,7 @@ static int snd_pcm_oss_set_fragment1(str
+ if (runtime->oss.subdivision || runtime->oss.fragshift)
+ return -EINVAL;
+ fragshift = val & 0xffff;
+- if (fragshift >= 31)
++ if (fragshift >= 25) /* should be large enough */
+ return -EINVAL;
+ runtime->oss.fragshift = fragshift;
+ runtime->oss.maxfrags = (val >> 16) & 0xffff;
--- /dev/null
+From c2e39305299f0118298c2201f6d6cc7d3485f29e Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 24 Nov 2021 14:14:23 -0500
+Subject: btrfs: clear extent buffer uptodate when we fail to write it
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit c2e39305299f0118298c2201f6d6cc7d3485f29e upstream.
+
+I got dmesg errors on generic/281 on our overnight fstests. Looking at
+the history this happens occasionally, with errors like this
+
+ WARNING: CPU: 0 PID: 673217 at fs/btrfs/extent_io.c:6848 assert_eb_page_uptodate+0x3f/0x50
+ CPU: 0 PID: 673217 Comm: kworker/u4:13 Tainted: G W 5.16.0-rc2+ #469
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+ Workqueue: btrfs-cache btrfs_work_helper
+ RIP: 0010:assert_eb_page_uptodate+0x3f/0x50
+ RSP: 0018:ffffae598230bc60 EFLAGS: 00010246
+ RAX: 0017ffffc0002112 RBX: ffffebaec4100900 RCX: 0000000000001000
+ RDX: ffffebaec45733c7 RSI: ffffebaec4100900 RDI: ffff9fd98919f340
+ RBP: 0000000000000d56 R08: ffff9fd98e300000 R09: 0000000000000000
+ R10: 0001207370a91c50 R11: 0000000000000000 R12: 00000000000007b0
+ R13: ffff9fd98919f340 R14: 0000000001500000 R15: 0000000001cb0000
+ FS: 0000000000000000(0000) GS:ffff9fd9fbc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f549fcf8940 CR3: 0000000114908004 CR4: 0000000000370ef0
+ Call Trace:
+
+ extent_buffer_test_bit+0x3f/0x70
+ free_space_test_bit+0xa6/0xc0
+ load_free_space_tree+0x1d6/0x430
+ caching_thread+0x454/0x630
+ ? rcu_read_lock_sched_held+0x12/0x60
+ ? rcu_read_lock_sched_held+0x12/0x60
+ ? rcu_read_lock_sched_held+0x12/0x60
+ ? lock_release+0x1f0/0x2d0
+ btrfs_work_helper+0xf2/0x3e0
+ ? lock_release+0x1f0/0x2d0
+ ? finish_task_switch.isra.0+0xf9/0x3a0
+ process_one_work+0x270/0x5a0
+ worker_thread+0x55/0x3c0
+ ? process_one_work+0x5a0/0x5a0
+ kthread+0x174/0x1a0
+ ? set_kthread_struct+0x40/0x40
+ ret_from_fork+0x1f/0x30
+
+This happens because we're trying to read from a extent buffer page that
+is !PageUptodate. This happens because we will clear the page uptodate
+when we have an IO error, but we don't clear the extent buffer uptodate.
+If we do a read later and find this extent buffer we'll think its valid
+and not return an error, and then trip over this warning.
+
+Fix this by also clearing uptodate on the extent buffer when this
+happens, so that we get an error when we do a btrfs_search_slot() and
+find this block later.
+
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -3755,6 +3755,12 @@ static void set_btree_ioerr(struct page
+ return;
+
+ /*
++ * A read may stumble upon this buffer later, make sure that it gets an
++ * error and knows there was an error.
++ */
++ clear_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags);
++
++ /*
+ * If we error out, we should add back the dirty_metadata_bytes
+ * to make it consistent.
+ */
--- /dev/null
+From 8289ed9f93bef2762f9184e136d994734b16d997 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 1 Dec 2021 19:56:17 +0800
+Subject: btrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 8289ed9f93bef2762f9184e136d994734b16d997 upstream.
+
+I hit the BUG_ON() with generic/475 test case, and to my surprise, all
+callers of btrfs_del_root_ref() are already aborting transaction, thus
+there is not need for such BUG_ON(), just go to @out label and caller
+will properly handle the error.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/root-tree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -371,7 +371,8 @@ int btrfs_del_root_ref(struct btrfs_tran
+ key.offset = ref_id;
+ again:
+ ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1);
+- BUG_ON(ret < 0);
++ if (ret < 0)
++ goto out;
+ if (ret == 0) {
+ leaf = path->nodes[0];
+ ref = btrfs_item_ptr(leaf, path->slots[0],
iavf-fix-reporting-when-setting-descriptor-count.patch
ib-hfi1-correct-guard-on-eager-buffer-deallocation.patch
mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregistered.patch
+alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch
+alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch
+alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
+alsa-pcm-oss-limit-the-period-size-to-16mb.patch
+alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch
+btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch
+btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
