--- /dev/null
+From 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Date: Sun, 27 Mar 2022 14:08:22 +0800
+Subject: ALSA: cs4236: fix an incorrect NULL check on list iterator
+
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+
+commit 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 upstream.
+
+The bug is here:
+ err = snd_card_cs423x_pnp(dev, card->private_data, pdev, cdev);
+
+The list iterator value 'cdev' will *always* be set and non-NULL
+by list_for_each_entry(), so it is incorrect to assume that the
+iterator value will be NULL if the list is empty or no element
+is found.
+
+To fix the bug, use a new variable 'iter' as the list iterator,
+while use the original variable 'cdev' as a dedicated pointer
+to point to the found element. And snd_card_cs423x_pnp() itself
+has NULL check for cdev.
+
+Cc: stable@vger.kernel.org
+Fixes: c2b73d1458014 ("ALSA: cs4236: cs4232 and cs4236 driver merge to solve PnP BIOS detection")
+Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Link: https://lore.kernel.org/r/20220327060822.4735-1-xiam0nd.tong@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/isa/cs423x/cs4236.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/sound/isa/cs423x/cs4236.c
++++ b/sound/isa/cs423x/cs4236.c
+@@ -544,7 +544,7 @@ static int snd_cs423x_pnpbios_detect(str
+ static int dev;
+ int err;
+ struct snd_card *card;
+- struct pnp_dev *cdev;
++ struct pnp_dev *cdev, *iter;
+ char cid[PNP_ID_LEN];
+
+ if (pnp_device_is_isapnp(pdev))
+@@ -560,9 +560,11 @@ static int snd_cs423x_pnpbios_detect(str
+ strcpy(cid, pdev->id[0].id);
+ cid[5] = '1';
+ cdev = NULL;
+- list_for_each_entry(cdev, &(pdev->protocol->devices), protocol_list) {
+- if (!strcmp(cdev->id[0].id, cid))
++ list_for_each_entry(iter, &(pdev->protocol->devices), protocol_list) {
++ if (!strcmp(iter->id[0].id, cid)) {
++ cdev = iter;
+ break;
++ }
+ }
+ err = snd_cs423x_card_new(&pdev->dev, dev, &card);
+ if (err < 0)
--- /dev/null
+From 6ddc2f749621d5d45ca03edc9f0616bcda136d29 Mon Sep 17 00:00:00 2001
+From: Mohan Kumar <mkumard@nvidia.com>
+Date: Tue, 29 Mar 2022 21:29:40 +0530
+Subject: ALSA: hda: Avoid unsol event during RPM suspending
+
+From: Mohan Kumar <mkumard@nvidia.com>
+
+commit 6ddc2f749621d5d45ca03edc9f0616bcda136d29 upstream.
+
+There is a corner case with unsol event handling during codec runtime
+suspending state. When the codec runtime suspend call initiated, the
+codec->in_pm atomic variable would be 0, currently the codec runtime
+suspend function calls snd_hdac_enter_pm() which will just increments
+the codec->in_pm atomic variable. Consider unsol event happened just
+after this step and before snd_hdac_leave_pm() in the codec runtime
+suspend function. The snd_hdac_power_up_pm() in the unsol event
+flow in hdmi_present_sense_via_verbs() function would just increment
+the codec->in_pm atomic variable without calling pm_runtime_get_sync
+function.
+
+As codec runtime suspend flow is already in progress and in parallel
+unsol event is also accessing the codec verbs, as soon as codec
+suspend flow completes and clocks are switched off before completing
+the unsol event handling as both functions doesn't wait for each other.
+This will result in below errors
+
+[ 589.428020] tegra-hda 3510000.hda: azx_get_response timeout, switching
+to polling mode: last cmd=0x505f2f57
+[ 589.428344] tegra-hda 3510000.hda: spurious response 0x80000074:0x5,
+last cmd=0x505f2f57
+[ 589.428547] tegra-hda 3510000.hda: spurious response 0x80000065:0x5,
+last cmd=0x505f2f57
+
+To avoid this, the unsol event flow should not perform any codec verb
+related operations during RPM_SUSPENDING state.
+
+Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220329155940.26331-1-mkumard@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_hdmi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -1608,6 +1608,7 @@ static void hdmi_present_sense_via_verbs
+ struct hda_codec *codec = per_pin->codec;
+ struct hdmi_spec *spec = codec->spec;
+ struct hdmi_eld *eld = &spec->temp_eld;
++ struct device *dev = hda_codec_dev(codec);
+ hda_nid_t pin_nid = per_pin->pin_nid;
+ int dev_id = per_pin->dev_id;
+ /*
+@@ -1621,8 +1622,13 @@ static void hdmi_present_sense_via_verbs
+ int present;
+ int ret;
+
++#ifdef CONFIG_PM
++ if (dev->power.runtime_status == RPM_SUSPENDING)
++ return;
++#endif
++
+ ret = snd_hda_power_up_pm(codec);
+- if (ret < 0 && pm_runtime_suspended(hda_codec_dev(codec)))
++ if (ret < 0 && pm_runtime_suspended(dev))
+ goto out;
+
+ present = snd_hda_jack_pin_sense(codec, pin_nid, dev_id);
--- /dev/null
+From f30741cded62f87bb4b1cc58bc627f076abcaba8 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 30 Mar 2022 14:13:33 +0800
+Subject: ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit f30741cded62f87bb4b1cc58bc627f076abcaba8 upstream.
+
+Commit 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording
+issue") is to solve recording issue met on AL236, by matching codec
+variant ALC269_TYPE_ALC257 and ALC269_TYPE_ALC256.
+
+This match can be too broad and Mi Notebook Pro 2020 is broken by the
+patch.
+
+Instead, use codec ID to be narrow down the scope, in order to make
+ALC256 unaffected.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215484
+Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Link: https://lore.kernel.org/r/20220330061335.1015533-1-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3615,8 +3615,8 @@ static void alc256_shutup(struct hda_cod
+ /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly
+ * when booting with headset plugged. So skip setting it for the codec alc257
+ */
+- if (spec->codec_variant != ALC269_TYPE_ALC257 &&
+- spec->codec_variant != ALC269_TYPE_ALC256)
++ if (codec->core.vendor_id != 0x10ec0236 &&
++ codec->core.vendor_id != 0x10ec0257)
+ alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
+
+ if (!spec->no_shutup_pins)
--- /dev/null
+From bc55cfd5718c7c23e5524582e9fa70b4d10f2433 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Mar 2022 14:09:03 +0200
+Subject: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream.
+
+syzbot caught a potential deadlock between the PCM
+runtime->buffer_mutex and the mm->mmap_lock. It was brought by the
+recent fix to cover the racy read/write and other ioctls, and in that
+commit, I overlooked a (hopefully only) corner case that may take the
+revert lock, namely, the OSS mmap. The OSS mmap operation
+exceptionally allows to re-configure the parameters inside the OSS
+mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the
+copy_from/to_user calls at read/write operations also take the
+mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.
+
+A similar problem was already seen in the past and we fixed it with a
+refcount (in commit b248371628aa). The former fix covered only the
+call paths with OSS read/write and OSS ioctls, while we need to cover
+the concurrent access via both ALSA and OSS APIs now.
+
+This patch addresses the problem above by replacing the buffer_mutex
+lock in the read/write operations with a refcount similar as we've
+used for OSS. The new field, runtime->buffer_accessing, keeps the
+number of concurrent read/write operations. Unlike the former
+buffer_mutex protection, this protects only around the
+copy_from/to_user() calls; the other codes are basically protected by
+the PCM stream lock. The refcount can be a negative, meaning blocked
+by the ioctls. If a negative value is seen, the read/write aborts
+with -EBUSY. In the ioctl side, OTOH, they check this refcount, too,
+and set to a negative value for blocking unless it's already being
+accessed.
+
+Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com
+Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com
+Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/sound/pcm.h | 1 +
+ sound/core/pcm.c | 1 +
+ sound/core/pcm_lib.c | 9 +++++----
+ sound/core/pcm_native.c | 39 ++++++++++++++++++++++++++++++++-------
+ 4 files changed, 39 insertions(+), 11 deletions(-)
+
+--- a/include/sound/pcm.h
++++ b/include/sound/pcm.h
+@@ -399,6 +399,7 @@ struct snd_pcm_runtime {
+ struct fasync_struct *fasync;
+ bool stop_operating; /* sync_stop will be called */
+ struct mutex buffer_mutex; /* protect for buffer changes */
++ atomic_t buffer_accessing; /* >0: in r/w operation, <0: blocked */
+
+ /* -- private section -- */
+ void *private_data;
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -970,6 +970,7 @@ int snd_pcm_attach_substream(struct snd_
+
+ runtime->status->state = SNDRV_PCM_STATE_OPEN;
+ mutex_init(&runtime->buffer_mutex);
++ atomic_set(&runtime->buffer_accessing, 0);
+
+ substream->runtime = runtime;
+ substream->private_data = pcm->private_data;
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1871,11 +1871,9 @@ static int wait_for_avail(struct snd_pcm
+ if (avail >= runtime->twake)
+ break;
+ snd_pcm_stream_unlock_irq(substream);
+- mutex_unlock(&runtime->buffer_mutex);
+
+ tout = schedule_timeout(wait_time);
+
+- mutex_lock(&runtime->buffer_mutex);
+ snd_pcm_stream_lock_irq(substream);
+ set_current_state(TASK_INTERRUPTIBLE);
+ switch (runtime->status->state) {
+@@ -2169,7 +2167,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+
+ nonblock = !!(substream->f_flags & O_NONBLOCK);
+
+- mutex_lock(&runtime->buffer_mutex);
+ snd_pcm_stream_lock_irq(substream);
+ err = pcm_accessible_state(runtime);
+ if (err < 0)
+@@ -2224,10 +2221,15 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+ err = -EINVAL;
+ goto _end_unlock;
+ }
++ if (!atomic_inc_unless_negative(&runtime->buffer_accessing)) {
++ err = -EBUSY;
++ goto _end_unlock;
++ }
+ snd_pcm_stream_unlock_irq(substream);
+ err = writer(substream, appl_ofs, data, offset, frames,
+ transfer);
+ snd_pcm_stream_lock_irq(substream);
++ atomic_dec(&runtime->buffer_accessing);
+ if (err < 0)
+ goto _end_unlock;
+ err = pcm_accessible_state(runtime);
+@@ -2257,7 +2259,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+ if (xfer > 0 && err >= 0)
+ snd_pcm_update_state(substream, runtime);
+ snd_pcm_stream_unlock_irq(substream);
+- mutex_unlock(&runtime->buffer_mutex);
+ return xfer > 0 ? (snd_pcm_sframes_t)xfer : err;
+ }
+ EXPORT_SYMBOL(__snd_pcm_lib_xfer);
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -667,6 +667,24 @@ static int snd_pcm_hw_params_choose(stru
+ return 0;
+ }
+
++/* acquire buffer_mutex; if it's in r/w operation, return -EBUSY, otherwise
++ * block the further r/w operations
++ */
++static int snd_pcm_buffer_access_lock(struct snd_pcm_runtime *runtime)
++{
++ if (!atomic_dec_unless_positive(&runtime->buffer_accessing))
++ return -EBUSY;
++ mutex_lock(&runtime->buffer_mutex);
++ return 0; /* keep buffer_mutex, unlocked by below */
++}
++
++/* release buffer_mutex and clear r/w access flag */
++static void snd_pcm_buffer_access_unlock(struct snd_pcm_runtime *runtime)
++{
++ mutex_unlock(&runtime->buffer_mutex);
++ atomic_inc(&runtime->buffer_accessing);
++}
++
+ #if IS_ENABLED(CONFIG_SND_PCM_OSS)
+ #define is_oss_stream(substream) ((substream)->oss.oss)
+ #else
+@@ -677,14 +695,16 @@ static int snd_pcm_hw_params(struct snd_
+ struct snd_pcm_hw_params *params)
+ {
+ struct snd_pcm_runtime *runtime;
+- int err = 0, usecs;
++ int err, usecs;
+ unsigned int bits;
+ snd_pcm_uframes_t frames;
+
+ if (PCM_RUNTIME_CHECK(substream))
+ return -ENXIO;
+ runtime = substream->runtime;
+- mutex_lock(&runtime->buffer_mutex);
++ err = snd_pcm_buffer_access_lock(runtime);
++ if (err < 0)
++ return err;
+ snd_pcm_stream_lock_irq(substream);
+ switch (runtime->status->state) {
+ case SNDRV_PCM_STATE_OPEN:
+@@ -801,7 +821,7 @@ static int snd_pcm_hw_params(struct snd_
+ snd_pcm_lib_free_pages(substream);
+ }
+ unlock:
+- mutex_unlock(&runtime->buffer_mutex);
++ snd_pcm_buffer_access_unlock(runtime);
+ return err;
+ }
+
+@@ -846,7 +866,9 @@ static int snd_pcm_hw_free(struct snd_pc
+ if (PCM_RUNTIME_CHECK(substream))
+ return -ENXIO;
+ runtime = substream->runtime;
+- mutex_lock(&runtime->buffer_mutex);
++ result = snd_pcm_buffer_access_lock(runtime);
++ if (result < 0)
++ return result;
+ snd_pcm_stream_lock_irq(substream);
+ switch (runtime->status->state) {
+ case SNDRV_PCM_STATE_SETUP:
+@@ -865,7 +887,7 @@ static int snd_pcm_hw_free(struct snd_pc
+ snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
+ cpu_latency_qos_remove_request(&substream->latency_pm_qos_req);
+ unlock:
+- mutex_unlock(&runtime->buffer_mutex);
++ snd_pcm_buffer_access_unlock(runtime);
+ return result;
+ }
+
+@@ -1350,12 +1372,15 @@ static int snd_pcm_action_nonatomic(cons
+
+ /* Guarantee the group members won't change during non-atomic action */
+ down_read(&snd_pcm_link_rwsem);
+- mutex_lock(&substream->runtime->buffer_mutex);
++ res = snd_pcm_buffer_access_lock(substream->runtime);
++ if (res < 0)
++ goto unlock;
+ if (snd_pcm_stream_linked(substream))
+ res = snd_pcm_action_group(ops, substream, state, false);
+ else
+ res = snd_pcm_action_single(ops, substream, state);
+- mutex_unlock(&substream->runtime->buffer_mutex);
++ snd_pcm_buffer_access_unlock(substream->runtime);
++ unlock:
+ up_read(&snd_pcm_link_rwsem);
+ return res;
+ }
--- /dev/null
+From d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Tue, 29 Mar 2022 16:20:06 -0300
+Subject: cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream.
+
+When calling smb2_ioctl_query_info() with invalid
+smb_query_info::flags, a NULL ptr dereference is triggered when trying
+to kfree() uninitialised rqst[n].rq_iov array.
+
+This also fixes leaked paths that are created in SMB2_open_init()
+which required SMB2_open_free() to properly free them.
+
+Here is a small C reproducer that triggers it
+
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ #define die(s) perror(s), exit(1)
+ #define QUERY_INFO 0xc018cf07
+
+ int main(int argc, char *argv[])
+ {
+ int fd;
+
+ if (argc < 2)
+ exit(1);
+ fd = open(argv[1], O_RDONLY);
+ if (fd == -1)
+ die("open");
+ if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
+ die("ioctl");
+ close(fd);
+ return 0;
+ }
+
+ mount.cifs //srv/share /mnt -o ...
+ gcc repro.c && ./a.out /mnt/f0
+
+ [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4
+ [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
+ [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2
+ [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+ [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs]
+ [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48
+ [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256
+ [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d
+ [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0
+ [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003
+ [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800
+ [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8
+ [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000
+ [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0
+ [ 1832.132801] Call Trace:
+ [ 1832.132962] <TASK>
+ [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
+ [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs]
+ [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
+ [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0
+ [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
+ [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs]
+ [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs]
+ [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0
+ [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs]
+ [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0
+ [ 1832.137096] ? __up_read+0x192/0x710
+ [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0
+ [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0
+ [ 1832.137850] __x64_sys_ioctl+0x127/0x190
+ [ 1832.138103] do_syscall_64+0x3b/0x90
+ [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 1832.138702] RIP: 0033:0x7fcee9a253df
+ [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
+ [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df
+ [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003
+ [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e
+ [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48
+ [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000
+ [ 1832.142851] </TASK>
+ [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 124 ++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 65 insertions(+), 59 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1526,6 +1526,7 @@ smb2_ioctl_query_info(const unsigned int
+ unsigned int size[2];
+ void *data[2];
+ int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR;
++ void (*free_req1_func)(struct smb_rqst *r);
+
+ vars = kzalloc(sizeof(*vars), GFP_ATOMIC);
+ if (vars == NULL)
+@@ -1535,17 +1536,18 @@ smb2_ioctl_query_info(const unsigned int
+
+ resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
+
+- if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
+- goto e_fault;
+-
++ if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) {
++ rc = -EFAULT;
++ goto free_vars;
++ }
+ if (qi.output_buffer_length > 1024) {
+- kfree(vars);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto free_vars;
+ }
+
+ if (!ses || !server) {
+- kfree(vars);
+- return -EIO;
++ rc = -EIO;
++ goto free_vars;
+ }
+
+ if (smb3_encryption_required(tcon))
+@@ -1554,8 +1556,8 @@ smb2_ioctl_query_info(const unsigned int
+ if (qi.output_buffer_length) {
+ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
+ if (IS_ERR(buffer)) {
+- kfree(vars);
+- return PTR_ERR(buffer);
++ rc = PTR_ERR(buffer);
++ goto free_vars;
+ }
+ }
+
+@@ -1594,48 +1596,45 @@ smb2_ioctl_query_info(const unsigned int
+ rc = SMB2_open_init(tcon, server,
+ &rqst[0], &oplock, &oparms, path);
+ if (rc)
+- goto iqinf_exit;
++ goto free_output_buffer;
+ smb2_set_next_command(tcon, &rqst[0]);
+
+ /* Query */
+ if (qi.flags & PASSTHRU_FSCTL) {
+ /* Can eventually relax perm check since server enforces too */
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN)) {
+ rc = -EPERM;
+- else {
+- rqst[1].rq_iov = &vars->io_iov[0];
+- rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
+-
+- rc = SMB2_ioctl_init(tcon, server,
+- &rqst[1],
+- COMPOUND_FID, COMPOUND_FID,
+- qi.info_type, true, buffer,
+- qi.output_buffer_length,
+- CIFSMaxBufSize -
+- MAX_SMB2_CREATE_RESPONSE_SIZE -
+- MAX_SMB2_CLOSE_RESPONSE_SIZE);
++ goto free_open_req;
+ }
++ rqst[1].rq_iov = &vars->io_iov[0];
++ rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
++
++ rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
++ qi.info_type, true, buffer, qi.output_buffer_length,
++ CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE -
++ MAX_SMB2_CLOSE_RESPONSE_SIZE);
++ free_req1_func = SMB2_ioctl_free;
+ } else if (qi.flags == PASSTHRU_SET_INFO) {
+ /* Can eventually relax perm check since server enforces too */
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN)) {
+ rc = -EPERM;
+- else if (qi.output_buffer_length < 8)
++ goto free_open_req;
++ }
++ if (qi.output_buffer_length < 8) {
+ rc = -EINVAL;
+- else {
+- rqst[1].rq_iov = &vars->si_iov[0];
+- rqst[1].rq_nvec = 1;
+-
+- /* MS-FSCC 2.4.13 FileEndOfFileInformation */
+- size[0] = 8;
+- data[0] = buffer;
+-
+- rc = SMB2_set_info_init(tcon, server,
+- &rqst[1],
+- COMPOUND_FID, COMPOUND_FID,
+- current->tgid,
+- FILE_END_OF_FILE_INFORMATION,
+- SMB2_O_INFO_FILE, 0, data, size);
++ goto free_open_req;
+ }
++ rqst[1].rq_iov = &vars->si_iov[0];
++ rqst[1].rq_nvec = 1;
++
++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */
++ size[0] = 8;
++ data[0] = buffer;
++
++ rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
++ current->tgid, FILE_END_OF_FILE_INFORMATION,
++ SMB2_O_INFO_FILE, 0, data, size);
++ free_req1_func = SMB2_set_info_free;
+ } else if (qi.flags == PASSTHRU_QUERY_INFO) {
+ rqst[1].rq_iov = &vars->qi_iov[0];
+ rqst[1].rq_nvec = 1;
+@@ -1646,6 +1645,7 @@ smb2_ioctl_query_info(const unsigned int
+ qi.info_type, qi.additional_information,
+ qi.input_buffer_length,
+ qi.output_buffer_length, buffer);
++ free_req1_func = SMB2_query_info_free;
+ } else { /* unknown flags */
+ cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n",
+ qi.flags);
+@@ -1653,7 +1653,7 @@ smb2_ioctl_query_info(const unsigned int
+ }
+
+ if (rc)
+- goto iqinf_exit;
++ goto free_open_req;
+ smb2_set_next_command(tcon, &rqst[1]);
+ smb2_set_related(&rqst[1]);
+
+@@ -1664,14 +1664,14 @@ smb2_ioctl_query_info(const unsigned int
+ rc = SMB2_close_init(tcon, server,
+ &rqst[2], COMPOUND_FID, COMPOUND_FID, false);
+ if (rc)
+- goto iqinf_exit;
++ goto free_req_1;
+ smb2_set_related(&rqst[2]);
+
+ rc = compound_send_recv(xid, ses, server,
+ flags, 3, rqst,
+ resp_buftype, rsp_iov);
+ if (rc)
+- goto iqinf_exit;
++ goto out;
+
+ /* No need to bump num_remote_opens since handle immediately closed */
+ if (qi.flags & PASSTHRU_FSCTL) {
+@@ -1681,18 +1681,22 @@ smb2_ioctl_query_info(const unsigned int
+ qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
+ if (qi.input_buffer_length > 0 &&
+ le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
+- > rsp_iov[1].iov_len)
+- goto e_fault;
++ > rsp_iov[1].iov_len) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user(&pqi->input_buffer_length,
+ &qi.input_buffer_length,
+- sizeof(qi.input_buffer_length)))
+- goto e_fault;
++ sizeof(qi.input_buffer_length))) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
+ (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
+ qi.input_buffer_length))
+- goto e_fault;
++ rc = -EFAULT;
+ } else {
+ pqi = (struct smb_query_info __user *)arg;
+ qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
+@@ -1700,28 +1704,30 @@ smb2_ioctl_query_info(const unsigned int
+ qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
+ if (copy_to_user(&pqi->input_buffer_length,
+ &qi.input_buffer_length,
+- sizeof(qi.input_buffer_length)))
+- goto e_fault;
++ sizeof(qi.input_buffer_length))) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user(pqi + 1, qi_rsp->Buffer,
+ qi.input_buffer_length))
+- goto e_fault;
++ rc = -EFAULT;
+ }
+
+- iqinf_exit:
+- cifs_small_buf_release(rqst[0].rq_iov[0].iov_base);
+- cifs_small_buf_release(rqst[1].rq_iov[0].iov_base);
+- cifs_small_buf_release(rqst[2].rq_iov[0].iov_base);
++out:
+ free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
+ free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
+ free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
+- kfree(vars);
++ SMB2_close_free(&rqst[2]);
++free_req_1:
++ free_req1_func(&rqst[1]);
++free_open_req:
++ SMB2_open_free(&rqst[0]);
++free_output_buffer:
+ kfree(buffer);
++free_vars:
++ kfree(vars);
+ return rc;
+-
+-e_fault:
+- rc = -EFAULT;
+- goto iqinf_exit;
+ }
+
+ static ssize_t
--- /dev/null
+From b92e358757b91c2827af112cae9af513f26a3f34 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Tue, 29 Mar 2022 16:20:05 -0300
+Subject: cifs: prevent bad output lengths in smb2_ioctl_query_info()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit b92e358757b91c2827af112cae9af513f26a3f34 upstream.
+
+When calling smb2_ioctl_query_info() with
+smb_query_info::flags=PASSTHRU_FSCTL and
+smb_query_info::output_buffer_length=0, the following would return
+0x10
+
+ buffer = memdup_user(arg + sizeof(struct smb_query_info),
+ qi.output_buffer_length);
+ if (IS_ERR(buffer)) {
+ kfree(vars);
+ return PTR_ERR(buffer);
+ }
+
+rather than a valid pointer thus making IS_ERR() check fail. This
+would then cause a NULL ptr deference in @buffer when accessing it
+later in smb2_ioctl_query_ioctl(). While at it, prevent having a
+@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
+FileEndOfFileInformation requests when
+smb_query_info::flags=PASSTHRU_SET_INFO.
+
+Here is a small C reproducer which triggers a NULL ptr in @buffer when
+passing an invalid smb_query_info::flags
+
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ #define die(s) perror(s), exit(1)
+ #define QUERY_INFO 0xc018cf07
+
+ int main(int argc, char *argv[])
+ {
+ int fd;
+
+ if (argc < 2)
+ exit(1);
+ fd = open(argv[1], O_RDONLY);
+ if (fd == -1)
+ die("open");
+ if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
+ die("ioctl");
+ close(fd);
+ return 0;
+ }
+
+ mount.cifs //srv/share /mnt -o ...
+ gcc repro.c && ./a.out /mnt/f0
+
+ [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
+ [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
+ [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+ [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
+ [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
+ [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
+ [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
+ [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
+ [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
+ [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
+ [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
+ [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
+ [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
+ [ 114.146131] Call Trace:
+ [ 114.146291] <TASK>
+ [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
+ [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]
+ [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
+ [ 114.147775] ? dentry_path_raw+0xa6/0xf0
+ [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
+ [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]
+ [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]
+ [ 114.149371] ? lock_downgrade+0x6f0/0x6f0
+ [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]
+ [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0
+ [ 114.150562] ? __up_read+0x192/0x710
+ [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0
+ [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0
+ [ 114.151296] __x64_sys_ioctl+0x127/0x190
+ [ 114.151549] do_syscall_64+0x3b/0x90
+ [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 114.152079] RIP: 0033:0x7f7aead043df
+ [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
+ [ 114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [ 114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df
+ [ 114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003
+ [ 114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e
+ [ 114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128
+ [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
+ [ 114.156071] </TASK>
+ [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
+ [ 114.156608] ---[ end trace 0000000000000000 ]---
+ [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
+ [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
+ [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
+ [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
+ [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
+ [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
+ [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
+ [ 114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
+ [ 114.156071] </TASK>
+ [ 114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
+ [ 114.156608] ---[ end trace 0000000000000000 ]---
+ [ 114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
+ [ 114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
+ [ 114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
+ [ 114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
+ [ 114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
+ [ 114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
+ [ 114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
+ [ 114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
+ [ 114.162274] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
+ [ 114.162853] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
+ [ 114.163691] Kernel panic - not syncing: Fatal exception
+ [ 114.164087] Kernel Offset: disabled
+ [ 114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1551,11 +1551,12 @@ smb2_ioctl_query_info(const unsigned int
+ if (smb3_encryption_required(tcon))
+ flags |= CIFS_TRANSFORM_REQ;
+
+- buffer = memdup_user(arg + sizeof(struct smb_query_info),
+- qi.output_buffer_length);
+- if (IS_ERR(buffer)) {
+- kfree(vars);
+- return PTR_ERR(buffer);
++ if (qi.output_buffer_length) {
++ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
++ if (IS_ERR(buffer)) {
++ kfree(vars);
++ return PTR_ERR(buffer);
++ }
+ }
+
+ /* Open */
+@@ -1618,10 +1619,13 @@ smb2_ioctl_query_info(const unsigned int
+ /* Can eventually relax perm check since server enforces too */
+ if (!capable(CAP_SYS_ADMIN))
+ rc = -EPERM;
+- else {
++ else if (qi.output_buffer_length < 8)
++ rc = -EINVAL;
++ else {
+ rqst[1].rq_iov = &vars->si_iov[0];
+ rqst[1].rq_nvec = 1;
+
++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */
+ size[0] = 8;
+ data[0] = buffer;
+
--- /dev/null
+From 8b188fba75195745026e11d408e4a7e94e01d701 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jose.exposito89@gmail.com>
+Date: Thu, 31 Mar 2022 21:15:36 -0700
+Subject: Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+commit 8b188fba75195745026e11d408e4a7e94e01d701 upstream.
+
+This reverts commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40.
+
+The touchpad present in the Dell Precision 7550 and 7750 laptops
+reports a HID_DG_BUTTONTYPE of type MT_BUTTONTYPE_CLICKPAD. However,
+the device is not a clickpad, it is a touchpad with physical buttons.
+
+In order to fix this issue, a quirk for the device was introduced in
+libinput [1] [2] to disable the INPUT_PROP_BUTTONPAD property:
+
+ [Precision 7x50 Touchpad]
+ MatchBus=i2c
+ MatchUdevType=touchpad
+ MatchDMIModalias=dmi:*svnDellInc.:pnPrecision7?50*
+ AttrInputPropDisable=INPUT_PROP_BUTTONPAD
+
+However, because of the change introduced in 37ef4c19b4 ("Input: clear
+BTN_RIGHT/MIDDLE on buttonpads") the BTN_RIGHT key bit is not mapped
+anymore breaking the device right click button and making impossible to
+workaround it in user space.
+
+In order to avoid breakage on other present or future devices, revert
+the patch causing the issue.
+
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220321184404.20025-1-jose.exposito89@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/input.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -2179,12 +2179,6 @@ int input_register_device(struct input_d
+ /* KEY_RESERVED is not supposed to be transmitted to userspace. */
+ __clear_bit(KEY_RESERVED, dev->keybit);
+
+- /* Buttonpads should not map BTN_RIGHT and/or BTN_MIDDLE. */
+- if (test_bit(INPUT_PROP_BUTTONPAD, dev->propbit)) {
+- __clear_bit(BTN_RIGHT, dev->keybit);
+- __clear_bit(BTN_MIDDLE, dev->keybit);
+- }
+-
+ /* Make sure that bitmasks not mentioned in dev->evbit are clean. */
+ input_cleanse_bitmasks(dev);
+
--- /dev/null
+From 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f Mon Sep 17 00:00:00 2001
+From: Nikita Shubin <n.shubin@yadro.com>
+Date: Fri, 11 Mar 2022 09:58:15 +0300
+Subject: riscv: Fix fill_callchain return value
+
+From: Nikita Shubin <n.shubin@yadro.com>
+
+commit 2b2b574ac587ec5bd7716a356492a85ab8b0ce9f upstream.
+
+perf_callchain_store return 0 on success, -1 otherwise,
+fix fill_callchain to return correct bool value.
+
+Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support")
+Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/perf_callchain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/perf_callchain.c
++++ b/arch/riscv/kernel/perf_callchain.c
+@@ -77,7 +77,7 @@ void perf_callchain_user(struct perf_cal
+
+ bool fill_callchain(unsigned long pc, void *entry)
+ {
+- return perf_callchain_store(entry, pc);
++ return perf_callchain_store(entry, pc) == 0;
+ }
+
+ void notrace walk_stackframe(struct task_struct *task,
--- /dev/null
+From b81d591386c3a50b96dddcf663628ea0df0bf2b3 Mon Sep 17 00:00:00 2001
+From: Dmitry Vyukov <dvyukov@google.com>
+Date: Mon, 14 Mar 2022 10:06:52 +0100
+Subject: riscv: Increase stack size under KASAN
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+commit b81d591386c3a50b96dddcf663628ea0df0bf2b3 upstream.
+
+KASAN requires more stack space because of compiler instrumentation.
+Increase stack size as other arches do.
+
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: syzbot+0600986d88e2d4d7ebb8@syzkaller.appspotmail.com
+Fixes: 8ad8b72721d0 ("riscv: Add KASAN support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/thread_info.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/thread_info.h
++++ b/arch/riscv/include/asm/thread_info.h
+@@ -11,11 +11,17 @@
+ #include <asm/page.h>
+ #include <linux/const.h>
+
++#ifdef CONFIG_KASAN
++#define KASAN_STACK_ORDER 1
++#else
++#define KASAN_STACK_ORDER 0
++#endif
++
+ /* thread information allocation */
+ #ifdef CONFIG_64BIT
+-#define THREAD_SIZE_ORDER (2)
++#define THREAD_SIZE_ORDER (2 + KASAN_STACK_ORDER)
+ #else
+-#define THREAD_SIZE_ORDER (1)
++#define THREAD_SIZE_ORDER (1 + KASAN_STACK_ORDER)
+ #endif
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
+
scsi-libsas-fix-sas_ata_qc_issue-handling-of-ncq-non-data-commands.patch
qed-display-vf-trust-config.patch
qed-validate-and-restrict-untrusted-vfs-vlan-promisc-mode.patch
+riscv-fix-fill_callchain-return-value.patch
+riscv-increase-stack-size-under-kasan.patch
+revert-input-clear-btn_right-middle-on-buttonpads.patch
+cifs-prevent-bad-output-lengths-in-smb2_ioctl_query_info.patch
+cifs-fix-null-ptr-dereference-in-smb2_ioctl_query_info.patch
+alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch
+alsa-hda-avoid-unsol-event-during-rpm-suspending.patch
+alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch
+alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
