From: Greg Kroah-Hartman
Date: Sat, 13 Nov 2021 13:42:02 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.160~145
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53ca22857261e4dd7320ef42289bf989589edff5;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
alsa-6fire-fix-control-and-bulk-message-timeouts.patch
alsa-hda-free-card-instance-properly-at-probe-errors.patch
alsa-hda-realtek-add-a-quirk-for-acer-spin-sp513-54n.patch
alsa-hda-realtek-add-a-quirk-for-hp-omen-15-mute-led.patch
alsa-hda-realtek-add-quirk-for-asus-ux550ve.patch
alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch
alsa-hda-realtek-add-quirk-for-hp-elitebook-840-g7-mute-led.patch
alsa-hda-realtek-fix-mic-mute-led-for-the-hp-spectre-x360-14.patch
alsa-hda-realtek-headset-fixup-for-clevo-nh77hjq.patch
alsa-line6-fix-control-and-interrupt-message-timeouts.patch
alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
alsa-timer-fix-use-after-free-problem.patch
alsa-timer-unconditionally-unlink-slave-instances-too.patch
alsa-ua101-fix-division-by-zero-at-probe.patch
alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch
alsa-usb-audio-line6-hx-stomp-xl-usb_id-for-48k-fixed-quirk.patch
ext4-ensure-enough-credits-in-ext4_ext_shift_path_extents.patch
ext4-fix-lazy-initialization-next-schedule-time-computation-in-more-granular-unit.patch
ext4-refresh-the-ext4_ext_path-struct-after-dropping-i_data_sem.patch
fuse-fix-page-stealing.patch
x86-cpu-fix-migration-safety-with-x86_bug_null_sel.patch
x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch
---
diff --git a/queue-5.10/alsa-6fire-fix-control-and-bulk-message-timeouts.patch b/queue-5.10/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
new file mode 100644
index 00000000000..b4bc4e93715
--- /dev/null
+++ b/queue-5.10/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
@@ -0,0 +1,63 @@ +From 9b371c6cc37f954360989eec41c2ddc5a6b83917 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:11:41 +0200 +Subject: ALSA: 6fire: fix control and bulk message timeouts + +From: Johan Hovold + +commit 9b371c6cc37f954360989eec41c2ddc5a6b83917 upstream. + +USB control and bulk message timeouts are specified in milliseconds and +should specifically not vary with CONFIG_HZ. + +Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB") +Cc: stable@vger.kernel.org # 2.6.39 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025121142.6531-2-johan@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/6fire/comm.c | 2 +- + sound/usb/6fire/firmware.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/usb/6fire/comm.c ++++ b/sound/usb/6fire/comm.c +@@ -95,7 +95,7 @@ static int usb6fire_comm_send_buffer(u8 + int actual_len; + + ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, COMM_EP), +- buffer, buffer[1] + 2, &actual_len, HZ); ++ buffer, buffer[1] + 2, &actual_len, 1000); + if (ret < 0) + return ret; + else if (actual_len != buffer[1] + 2) +--- a/sound/usb/6fire/firmware.c ++++ b/sound/usb/6fire/firmware.c +@@ -160,7 +160,7 @@ static int usb6fire_fw_ezusb_write(struc + { + return usb_control_msg_send(device, 0, type, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- value, 0, data, len, HZ, GFP_KERNEL); ++ value, 0, data, len, 1000, GFP_KERNEL); + } + + static int usb6fire_fw_ezusb_read(struct usb_device *device, +@@ -168,7 +168,7 @@ static int usb6fire_fw_ezusb_read(struct + { + return usb_control_msg_recv(device, 0, type, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- value, 0, data, len, HZ, GFP_KERNEL); ++ value, 0, data, len, 1000, GFP_KERNEL); + } + + static int usb6fire_fw_fpga_write(struct usb_device *device, +@@ -178,7 +178,7 @@ static int usb6fire_fw_fpga_write(struct + int ret; + + ret = usb_bulk_msg(device, 
usb_sndbulkpipe(device, FPGA_EP), data, len, +- &actual_len, HZ); ++ &actual_len, 1000); + if (ret < 0) + return ret; + else if (actual_len != len) diff --git a/queue-5.10/alsa-hda-free-card-instance-properly-at-probe-errors.patch b/queue-5.10/alsa-hda-free-card-instance-properly-at-probe-errors.patch new file mode 100644 index 00000000000..49e54c7f7da --- /dev/null +++ b/queue-5.10/alsa-hda-free-card-instance-properly-at-probe-errors.patch 
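Review bot: The literal `1000` is now repeated at four call sites across comm.c (`usb6fire_comm_send_buffer`) and firmware.c (`usb6fire_fw_ezusb_write`, `usb6fire_fw_ezusb_read`, `usb6fire_fw_fpga_write`) with nothing in the code saying it is a millisecond count, which is the same unit confusion this patch corrects. A shared named constant with a unit comment, for example `#define USB6FIRE_TIMEOUT_MS 1000 /* USB message timeout, in ms */` (the name is only a suggestion), would keep the sites in step and make a later reintroduction of `HZ` stand out in review. The bodies of these functions continue outside the hunks, so any other timeout arguments in the driver are not visible here.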
@@ -0,0 +1,48 @@ +From 39173303c83859723dab32c2abfb97296d6af3bf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 10 Nov 2021 20:46:33 +0100 +Subject: ALSA: hda: Free card instance properly at probe errors + +From: Takashi Iwai + +commit 39173303c83859723dab32c2abfb97296d6af3bf upstream. + +The recent change in hda-intel driver to allow repeated probes +surfaced a problem that has been hidden until; the probe process in +the work calls azx_free() at the error path, and this skips the card +free process that eventually releases codec instances. As a result, +we get a kernel WARNING like: + + snd_hda_intel 0000:00:1f.3: Cannot probe codecs, giving up + ------------[ cut here ]------------ + WARNING: CPU: 14 PID: 186 at sound/hda/hdac_bus.c:73 + .... + +For fixing this, we need to call snd_card_free() instead of +azx_free(). Additionally, the device drvdata has to be cleared, as +the driver binding itself is still active. Then the PM and other +driver callbacks will ignore the procedure. + +Fixes: c0f1886de7e1 ("ALSA: hda: intel: Allow repeatedly probing on codec configuration errors") +Reported-and-tested-by: Scott Branden +Cc: +Link: https://lore.kernel.org/r/063e2397-7edb-5f48-7b0d-618b938d9dd8@broadcom.com +Link: https://lore.kernel.org/r/20211110194633.19098-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_intel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2392,7 +2392,8 @@ static int azx_probe_continue(struct azx + + out_free: + if (err < 0) { +- azx_free(chip); ++ pci_set_drvdata(pci, NULL); ++ snd_card_free(chip->card); + return err; + } + diff --git a/queue-5.10/alsa-hda-realtek-add-a-quirk-for-acer-spin-sp513-54n.patch b/queue-5.10/alsa-hda-realtek-add-a-quirk-for-acer-spin-sp513-54n.patch new file mode 100644 index 00000000000..836591eb26e --- /dev/null 
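Review bot: In the `out_free:` path of `azx_probe_continue()`, the new `pci_set_drvdata(pci, NULL);` is only safe if every callback that can still run on the bound device checks the drvdata for NULL before dereferencing it. Those callbacks are not visible in this hunk, so this should be confirmed against the PM, shutdown and remove paths. A short comment at the call would record the dependency, e.g. `/* driver stays bound after a failed probe: clear drvdata so PM/remove callbacks bail out instead of touching the freed card */`. The function starts and continues outside the hunk.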
+++ b/queue-5.10/alsa-hda-realtek-add-a-quirk-for-acer-spin-sp513-54n.patch @@ -0,0 +1,31 @@ +From 2a5bb694488bb6593066d46881bfd9d07edd1628 Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Thu, 4 Nov 2021 16:57:26 +0100 +Subject: ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N + +From: Jaroslav Kysela + +commit 2a5bb694488bb6593066d46881bfd9d07edd1628 upstream. + +Another model requires ALC255_FIXUP_ACER_MIC_NO_PRESENCE fixup. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211853 +Signed-off-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/20211104155726.2090997-1-perex@perex.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8392,6 +8392,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x1308, "Acer Aspire Z24-890", ALC286_FIXUP_ACER_AIO_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1025, 0x141f, "Acer Spin SP513-54N", ALC255_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x142b, "Acer Swift SF314-42", ALC255_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x1430, "Acer TravelMate B311R-31", ALC256_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x1466, "Acer Aspire A515-56", ALC255_FIXUP_ACER_HEADPHONE_AND_MIC), diff --git a/queue-5.10/alsa-hda-realtek-add-a-quirk-for-hp-omen-15-mute-led.patch b/queue-5.10/alsa-hda-realtek-add-a-quirk-for-hp-omen-15-mute-led.patch new file mode 100644 index 00000000000..c0b431d67e5 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-a-quirk-for-hp-omen-15-mute-led.patch 
@@ -0,0 +1,32 @@ +From 375f8426ed994addd2be4d76febc946a6fdd8280 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 28 Oct 2021 09:09:11 +0200 +Subject: ALSA: hda/realtek: Add a quirk for HP OMEN 15 mute LED + +From: Takashi Iwai + +commit 375f8426ed994addd2be4d76febc946a6fdd8280 upstream. + +HP OMEN 15 laptop requires the quirk to fiddle with COEF 0x0b bit 2 +for toggling the mute LED. It's already implemented for other HP +laptops, and we just need to add a proper fixup entry. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214735 +Cc: +Link: https://lore.kernel.org/r/20211028070911.18891-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8530,6 +8530,7 @@ static const struct snd_pci_quirk alc269 + ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8783, "HP ZBook Fury 15 G7 Mobile Workstation", + ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-5.10/alsa-hda-realtek-add-quirk-for-asus-ux550ve.patch b/queue-5.10/alsa-hda-realtek-add-quirk-for-asus-ux550ve.patch new file mode 100644 index 00000000000..f91758d6543 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-quirk-for-asus-ux550ve.patch 
@@ -0,0 +1,32 @@ +From 4fad4fb9871b43389e4f4bead18ec693064697bb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 7 Nov 2021 09:33:39 +0100 +Subject: ALSA: hda/realtek: Add quirk for ASUS UX550VE + +From: Takashi Iwai + +commit 4fad4fb9871b43389e4f4bead18ec693064697bb upstream. + +ASUS UX550VE (SSID 1043:1970) requires a similar workaround for +managing the routing of the 4 speakers like some other ASUS models. +Add a corresponding quirk entry for fixing it. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212641 +Cc: +Link: https://lore.kernel.org/r/20211107083339.18013-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8590,6 +8590,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x194e, "ASUS UX563FD", ALC294_FIXUP_ASUS_HPE), ++ SND_PCI_QUIRK(0x1043, 0x1970, "ASUS UX550VE", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1982, "ASUS B1400CEPE", ALC256_FIXUP_ASUS_HPE), + SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE), + SND_PCI_QUIRK(0x1043, 0x19e1, "ASUS UX581LV", ALC295_FIXUP_ASUS_MIC_NO_PRESENCE), diff --git a/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch b/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch new file mode 100644 index 00000000000..8d1eeb60540 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch 
@@ -0,0 +1,31 @@ +From dbfe83507cf4ea66ce4efee2ac14c5ad420e31d3 Mon Sep 17 00:00:00 2001 +From: Tim Crawford +Date: Mon, 1 Nov 2021 10:21:34 -0600 +Subject: ALSA: hda/realtek: Add quirk for Clevo PC70HS + +From: Tim Crawford + +commit dbfe83507cf4ea66ce4efee2ac14c5ad420e31d3 upstream. + +Apply the PB51ED PCI quirk to the Clevo PC70HS. Fixes audio output from +the internal speakers. + +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20211101162134.5336-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2551,6 +2551,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), ++ SND_PCI_QUIRK(0x1558, 0x67f1, "Clevo PC70H[PRS]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x70d1, "Clevo PC70[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x7714, "Clevo X170SM", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x7715, "Clevo X170KM-G", ALC1220_FIXUP_CLEVO_PB51ED), diff --git a/queue-5.10/alsa-hda-realtek-add-quirk-for-hp-elitebook-840-g7-mute-led.patch b/queue-5.10/alsa-hda-realtek-add-quirk-for-hp-elitebook-840-g7-mute-led.patch new file mode 100644 index 00000000000..78d43ffcc55 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-quirk-for-hp-elitebook-840-g7-mute-led.patch 
@@ -0,0 +1,31 @@ +From c058493df7edcef8f48c1494d9a84218519f966b Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 10 Nov 2021 22:40:32 +0800 +Subject: ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED + +From: Kai-Heng Feng + +commit c058493df7edcef8f48c1494d9a84218519f966b upstream. + +The mute and micmute LEDs don't work on HP EliteBook 840 G7. The same +quirk for other HP laptops can let LEDs work, so apply it. + +Signed-off-by: Kai-Heng Feng +Cc: +Link: https://lore.kernel.org/r/20211110144033.118451-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8532,6 +8532,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8728, "HP EliteBook 840 G7", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), diff --git a/queue-5.10/alsa-hda-realtek-fix-mic-mute-led-for-the-hp-spectre-x360-14.patch b/queue-5.10/alsa-hda-realtek-fix-mic-mute-led-for-the-hp-spectre-x360-14.patch new file mode 100644 index 00000000000..6ade98976da --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-mic-mute-led-for-the-hp-spectre-x360-14.patch 
@@ -0,0 +1,72 @@ +From 5fc462c3aaad601d5089fd5588a5799896a6937d Mon Sep 17 00:00:00 2001 +From: Johnathon Clark +Date: Wed, 20 Oct 2021 14:12:51 +0100 +Subject: ALSA: hda/realtek: Fix mic mute LED for the HP Spectre x360 14 + +From: Johnathon Clark + +commit 5fc462c3aaad601d5089fd5588a5799896a6937d upstream. + +On the 'HP Spectre x360 Convertible 14-ea0xx' the microphone mute led is +controlled by GPIO 0x04. The speaker mute LED does not seem to be +exposed by GPIO and is there not set. + +[ a slight coding-style fix by tiwai ] + +Fixes: c3bb2b521944 ("ALSA: hda/realtek: Quirk for HP Spectre x360 14 amp setup") +Signed-off-by: Johnathon Clark +Cc: +Link: https://lore.kernel.org/r/20211020131253.35894-1-john.clark@cantab.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4300,6 +4300,16 @@ static void alc287_fixup_hp_gpio_led(str + alc_fixup_hp_gpio_led(codec, action, 0x10, 0); + } + ++static void alc245_fixup_hp_gpio_led(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ spec->micmute_led_polarity = 1; ++ alc_fixup_hp_gpio_led(codec, action, 0, 0x04); ++} ++ + /* turn on/off mic-mute LED per capture hook via VREF change */ + static int vref_micmute_led_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +@@ -6616,6 +6626,7 @@ enum { + ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK, + ALC287_FIXUP_HP_GPIO_LED, + ALC256_FIXUP_HP_HEADSET_MIC, ++ ALC245_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_DELL_AIO_HEADSET_MIC, + ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST, +@@ -7239,6 +7250,8 @@ static const struct hda_fixup alc269_fix + [ALC245_FIXUP_HP_X360_AMP] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc245_fixup_hp_x360_amp, ++ .chained 
= true, ++ .chain_id = ALC245_FIXUP_HP_GPIO_LED + }, + [ALC288_FIXUP_DELL_HEADSET_MODE] = { + .type = HDA_FIXUP_FUNC, +@@ -8328,6 +8341,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc256_fixup_tongfang_reset_persistent_settings, + }, ++ [ALC245_FIXUP_HP_GPIO_LED] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc245_fixup_hp_gpio_led, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { diff --git a/queue-5.10/alsa-hda-realtek-headset-fixup-for-clevo-nh77hjq.patch b/queue-5.10/alsa-hda-realtek-headset-fixup-for-clevo-nh77hjq.patch new file mode 100644 index 00000000000..abfed91daec --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-headset-fixup-for-clevo-nh77hjq.patch 
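Review bot: The added line `.chain_id = ALC245_FIXUP_HP_GPIO_LED` in the `ALC245_FIXUP_HP_X360_AMP` entry has no trailing comma, unlike other designated initializers on this page such as `.chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC,`. Writing `.chain_id = ALC245_FIXUP_HP_GPIO_LED,` means the next field added will not need to touch this line. In `alc245_fixup_hp_gpio_led()` the arguments `0, 0x04` are unexplained in the code, although the commit message gives their meaning. A comment above the `alc_fixup_hp_gpio_led()` call, such as `/* mic-mute LED on GPIO 0x04; speaker-mute LED is not exposed via GPIO */`, would carry that into the source.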
@@ -0,0 +1,68 @@ +From 1278cc5ac2f96bab50dd55c8c05e0a6a77ce323e Mon Sep 17 00:00:00 2001 +From: Jeremy Soller +Date: Tue, 2 Nov 2021 11:21:04 -0600 +Subject: ALSA: hda/realtek: Headset fixup for Clevo NH77HJQ + +From: Jeremy Soller + +commit 1278cc5ac2f96bab50dd55c8c05e0a6a77ce323e upstream. + +On Clevo NH77HJ, NH77HP, and their 15" variants, there is a headset +microphone input attached to 0x19 that does not have a jack detect. In +order to get it working, the pin configuration needs to be set +correctly, and a new ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE fixup is +applied. This is similar to the existing System76 quirk for ALC293, but +for ALC256. + +Signed-off-by: Jeremy Soller +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20211102172104.10610-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6645,6 +6645,7 @@ enum { + ALC287_FIXUP_YOGA7_14ITL_SPEAKERS, + ALC287_FIXUP_13S_GEN2_SPEAKERS, + ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS, ++ ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -8346,6 +8347,15 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc245_fixup_hp_gpio_led, + }, ++ [ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x19, 0x03a11120 }, /* use as headset mic, without its own jack detect */ ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -8642,11 +8652,15 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x40a1, "Clevo NL40GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x40c1, "Clevo NL40[CZ]U", 
ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x40d1, "Clevo NL41DU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x5015, "Clevo NH5[58]H[HJK]Q", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x5017, "Clevo NH7[79]H[HJK]Q", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50a3, "Clevo NJ51GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50b3, "Clevo NK50S[BEZ]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50b6, "Clevo NK50S5", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50b8, "Clevo NK50SZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50d5, "Clevo NP50D5", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x50e1, "Clevo NH5[58]HPQ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x50e2, "Clevo NH7[79]HPQ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50f0, "Clevo NH50A[CDF]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50f2, "Clevo NH50E[PR]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x50f3, "Clevo NH58DPQ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-5.10/alsa-line6-fix-control-and-interrupt-message-timeouts.patch b/queue-5.10/alsa-line6-fix-control-and-interrupt-message-timeouts.patch new file mode 100644 index 00000000000..1d1e30f128b --- /dev/null +++ b/queue-5.10/alsa-line6-fix-control-and-interrupt-message-timeouts.patch 
@@ -0,0 +1,138 @@ +From f4000b58b64344871d7b27c05e73932f137cfef6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:11:42 +0200 +Subject: ALSA: line6: fix control and interrupt message timeouts + +From: Johan Hovold + +commit f4000b58b64344871d7b27c05e73932f137cfef6 upstream. + +USB control and interrupt message timeouts are specified in milliseconds +and should specifically not vary with CONFIG_HZ. + +Fixes: 705ececd1c60 ("Staging: add line6 usb driver") +Cc: stable@vger.kernel.org # 2.6.30 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025121142.6531-3-johan@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/line6/driver.c | 14 +++++++------- + sound/usb/line6/driver.h | 2 +- + sound/usb/line6/podhd.c | 6 +++--- + sound/usb/line6/toneport.c | 2 +- + 4 files changed, 12 insertions(+), 12 deletions(-) + +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -113,12 +113,12 @@ int line6_send_raw_message(struct usb_li + retval = usb_interrupt_msg(line6->usbdev, + usb_sndintpipe(line6->usbdev, properties->ep_ctrl_w), + (char *)frag_buf, frag_size, +- &partial, LINE6_TIMEOUT * HZ); ++ &partial, LINE6_TIMEOUT); + } else { + retval = usb_bulk_msg(line6->usbdev, + usb_sndbulkpipe(line6->usbdev, properties->ep_ctrl_w), + (char *)frag_buf, frag_size, +- &partial, LINE6_TIMEOUT * HZ); ++ &partial, LINE6_TIMEOUT); + } + + if (retval) { +@@ -347,7 +347,7 @@ int line6_read_data(struct usb_line6 *li + ret = usb_control_msg_send(usbdev, 0, 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + (datalen << 8) | 0x21, address, NULL, 0, +- LINE6_TIMEOUT * HZ, GFP_KERNEL); ++ LINE6_TIMEOUT, GFP_KERNEL); + if (ret) { + dev_err(line6->ifcdev, "read request failed (error %d)\n", ret); + goto exit; +@@ -360,7 +360,7 @@ int line6_read_data(struct usb_line6 *li + ret = usb_control_msg_recv(usbdev, 0, 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, + 0x0012, 0x0000, &len, 1, +- 
LINE6_TIMEOUT * HZ, GFP_KERNEL); ++ LINE6_TIMEOUT, GFP_KERNEL); + if (ret) { + dev_err(line6->ifcdev, + "receive length failed (error %d)\n", ret); +@@ -387,7 +387,7 @@ int line6_read_data(struct usb_line6 *li + /* receive the result: */ + ret = usb_control_msg_recv(usbdev, 0, 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0x0013, 0x0000, data, datalen, LINE6_TIMEOUT * HZ, ++ 0x0013, 0x0000, data, datalen, LINE6_TIMEOUT, + GFP_KERNEL); + if (ret) + dev_err(line6->ifcdev, "read failed (error %d)\n", ret); +@@ -417,7 +417,7 @@ int line6_write_data(struct usb_line6 *l + + ret = usb_control_msg_send(usbdev, 0, 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- 0x0022, address, data, datalen, LINE6_TIMEOUT * HZ, ++ 0x0022, address, data, datalen, LINE6_TIMEOUT, + GFP_KERNEL); + if (ret) { + dev_err(line6->ifcdev, +@@ -430,7 +430,7 @@ int line6_write_data(struct usb_line6 *l + + ret = usb_control_msg_recv(usbdev, 0, 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0x0012, 0x0000, status, 1, LINE6_TIMEOUT * HZ, ++ 0x0012, 0x0000, status, 1, LINE6_TIMEOUT, + GFP_KERNEL); + if (ret) { + dev_err(line6->ifcdev, +--- a/sound/usb/line6/driver.h ++++ b/sound/usb/line6/driver.h +@@ -27,7 +27,7 @@ + #define LINE6_FALLBACK_INTERVAL 10 + #define LINE6_FALLBACK_MAXPACKETSIZE 16 + +-#define LINE6_TIMEOUT 1 ++#define LINE6_TIMEOUT 1000 + #define LINE6_BUFSIZE_LISTEN 64 + #define LINE6_MIDI_MESSAGE_MAXLEN 256 + +--- a/sound/usb/line6/podhd.c ++++ b/sound/usb/line6/podhd.c +@@ -190,7 +190,7 @@ static int podhd_dev_start(struct usb_li + ret = usb_control_msg_send(usbdev, 0, + 0x67, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + 0x11, 0, +- NULL, 0, LINE6_TIMEOUT * HZ, GFP_KERNEL); ++ NULL, 0, LINE6_TIMEOUT, GFP_KERNEL); + if (ret) { + dev_err(pod->line6.ifcdev, "read request failed (error %d)\n", ret); + goto exit; +@@ -200,7 +200,7 @@ static int podhd_dev_start(struct usb_li + ret = usb_control_msg_recv(usbdev, 0, 0x67, + USB_TYPE_VENDOR | 
USB_RECIP_DEVICE | USB_DIR_IN, + 0x11, 0x0, +- init_bytes, 3, LINE6_TIMEOUT * HZ, GFP_KERNEL); ++ init_bytes, 3, LINE6_TIMEOUT, GFP_KERNEL); + if (ret) { + dev_err(pod->line6.ifcdev, + "receive length failed (error %d)\n", ret); +@@ -220,7 +220,7 @@ static int podhd_dev_start(struct usb_li + USB_REQ_SET_FEATURE, + USB_TYPE_STANDARD | USB_RECIP_DEVICE | USB_DIR_OUT, + 1, 0, +- NULL, 0, LINE6_TIMEOUT * HZ, GFP_KERNEL); ++ NULL, 0, LINE6_TIMEOUT, GFP_KERNEL); + exit: + return ret; + } +--- a/sound/usb/line6/toneport.c ++++ b/sound/usb/line6/toneport.c +@@ -128,7 +128,7 @@ static int toneport_send_cmd(struct usb_ + + ret = usb_control_msg_send(usbdev, 0, 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- cmd1, cmd2, NULL, 0, LINE6_TIMEOUT * HZ, ++ cmd1, cmd2, NULL, 0, LINE6_TIMEOUT, + GFP_KERNEL); + + if (ret) { diff --git a/queue-5.10/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch b/queue-5.10/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch new file mode 100644 index 00000000000..f01c9d25572 --- /dev/null +++ b/queue-5.10/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch 
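Review bot: `LINE6_TIMEOUT` in driver.h keeps its name while its unit changes from seconds (`1`, multiplied by `HZ` at each call) to milliseconds (`1000`), so any user outside these hunks that still writes `LINE6_TIMEOUT * HZ` would compile cleanly and silently get a far longer timeout. The hunks convert the call sites in driver.c, podhd.c and toneport.c; whether others exist cannot be seen from here. Putting the unit on the definition, `#define LINE6_TIMEOUT 1000 /* USB message timeout, in ms */`, or renaming the macro so that stale users fail to build, would make that class of mistake visible.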
@@ -0,0 +1,35 @@ +From d159037abbe3412285c271bdfb9cdf19e62678ff Mon Sep 17 00:00:00 2001 +From: Austin Kim +Date: Tue, 9 Nov 2021 00:37:42 +0000 +Subject: ALSA: synth: missing check for possible NULL after the call to kstrdup + +From: Austin Kim + +commit d159037abbe3412285c271bdfb9cdf19e62678ff upstream. + +If kcalloc() return NULL due to memory starvation, it is possible for +kstrdup() to return NULL in similar case. So add null check after the call +to kstrdup() is made. + +[ minor coding-style fix by tiwai ] + +Signed-off-by: Austin Kim +Cc: +Link: https://lore.kernel.org/r/20211109003742.GA5423@raspberrypi +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/synth/emux/emux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/synth/emux/emux.c ++++ b/sound/synth/emux/emux.c +@@ -88,7 +88,7 @@ int snd_emux_register(struct snd_emux *e + emu->name = kstrdup(name, GFP_KERNEL); + emu->voices = kcalloc(emu->max_voices, sizeof(struct snd_emux_voice), + GFP_KERNEL); +- if (emu->voices == NULL) ++ if (emu->name == NULL || emu->voices == NULL) + return -ENOMEM; + + /* create soundfont list */ diff --git a/queue-5.10/alsa-timer-fix-use-after-free-problem.patch b/queue-5.10/alsa-timer-fix-use-after-free-problem.patch new file mode 100644 index 00000000000..3d428e1b3b6 --- /dev/null +++ b/queue-5.10/alsa-timer-fix-use-after-free-problem.patch 
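Review bot: With the combined test `if (emu->name == NULL || emu->voices == NULL)` in `snd_emux_register()`, one of the two allocations can still be live when `-ENOMEM` is returned, and the hunk does not show who releases it. If callers free the emux object (and with it `name` and `voices`) after a failed register this is fine, but that should be confirmed or stated in a comment such as `/* on failure the caller releases emu, including name and voices */`. The function starts and continues outside the hunk.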
@@ -0,0 +1,53 @@ +From c0317c0e87094f5b5782b6fdef5ae0a4b150496c Mon Sep 17 00:00:00 2001 +From: Wang Wensheng +Date: Wed, 3 Nov 2021 03:35:17 +0000 +Subject: ALSA: timer: Fix use-after-free problem + +From: Wang Wensheng + +commit c0317c0e87094f5b5782b6fdef5ae0a4b150496c upstream. + +When the timer instance was add into ack_list but was not currently in +process, the user could stop it via snd_timer_stop1() without delete it +from the ack_list. Then the user could free the timer instance and when +it was actually processed UAF occurred. + +This issue could be reproduced via testcase snd_timer01 in ltp - running +several instances of that testcase at the same time. + +What I actually met was that the ack_list of the timer broken and the +kernel went into deadloop with irqoff. That could be detected by +hardlockup detector on board or when we run it on qemu, we could use gdb +to dump the ack_list when the console has no response. + +To fix this issue, we delete the timer instance from ack_list and +active_list unconditionally in snd_timer_stop1(). + +Signed-off-by: Wang Wensheng +Suggested-by: Takashi Iwai +Cc: +Link: https://lore.kernel.org/r/20211103033517.80531-1-wangwensheng4@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -624,13 +624,13 @@ static int snd_timer_stop1(struct snd_ti + if (!timer) + return -EINVAL; + spin_lock_irqsave(&timer->lock, flags); ++ list_del_init(&timeri->ack_list); ++ list_del_init(&timeri->active_list); + if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | + SNDRV_TIMER_IFLG_START))) { + result = -EBUSY; + goto unlock; + } +- list_del_init(&timeri->ack_list); +- list_del_init(&timeri->active_list); + if (timer->card && timer->card->shutdown) + goto unlock; + if (stop) { 
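Review bot: The fix in `snd_timer_stop1()` rests purely on statement order: the two `list_del_init()` calls now precede the `SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START` check, and nothing in the code says why. A later cleanup could move them back below the early `-EBUSY` exit and reopen the use-after-free. I would add a comment above them, e.g. `/* unlink unconditionally: an instance can sit on ack_list without RUNNING/START set and be freed by the caller afterwards */`. The function starts and ends outside the hunk.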
diff --git a/queue-5.10/alsa-timer-unconditionally-unlink-slave-instances-too.patch b/queue-5.10/alsa-timer-unconditionally-unlink-slave-instances-too.patch
new file mode 100644
index 00000000000..5b44f525916
--- /dev/null
+++ b/queue-5.10/alsa-timer-unconditionally-unlink-slave-instances-too.patch
@@ -0,0 +1,55 @@
+From ffdd98277f0a1d15a67a74ae09bee713df4c0dbc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 5 Nov 2021 10:15:17 +0100
+Subject: ALSA: timer: Unconditionally unlink slave instances, too
+
+From: Takashi Iwai
+
+commit ffdd98277f0a1d15a67a74ae09bee713df4c0dbc upstream.
+
+Like the previous fix (commit c0317c0e8709 "ALSA: timer: Fix
+use-after-free problem"), we have to unlink slave timer instances
+immediately at snd_timer_stop(), too. Otherwise it may leave a stale
+entry in the list if the slave instance is freed before actually
+running.
+
+Cc:
+Link: https://lore.kernel.org/r/20211105091517.21733-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/timer.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -665,23 +665,22 @@ static int snd_timer_stop1(struct snd_ti
+ static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
+ {
+ unsigned long flags;
++ bool running;
+
+ spin_lock_irqsave(&slave_active_lock, flags);
+- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
+- spin_unlock_irqrestore(&slave_active_lock, flags);
+- return -EBUSY;
+- }
++ running = timeri->flags & SNDRV_TIMER_IFLG_RUNNING;
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ if (timeri->timer) {
+ spin_lock(&timeri->timer->lock);
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
+- snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+- SNDRV_TIMER_EVENT_PAUSE);
++ if (running)
++ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
++ SNDRV_TIMER_EVENT_PAUSE);
+ spin_unlock(&timeri->timer->lock);
+ }
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+- return 0;
++ return running ? 0 : -EBUSY;
+ }
+
+ /*
diff --git a/queue-5.10/alsa-ua101-fix-division-by-zero-at-probe.patch b/queue-5.10/alsa-ua101-fix-division-by-zero-at-probe.patch
new file mode 100644
index 00000000000..915e7b5cd90
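Review bot: snd_timer_stop_slave() now clears `SNDRV_TIMER_IFLG_RUNNING` and unlinks the instance before it reports `-EBUSY`, so the error no longer means that nothing was touched, and nothing in the function says so. A short comment at the return would keep later editors from assuming the old contract, e.g. `/* -EBUSY only reports that the instance was not running; it has been unlinked either way */`. The unlink still happens only under `if (timeri->timer)`; presumably a slave without a master timer cannot be on either list, but the hunk does not show that and it is worth confirming.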
--- /dev/null
+++ b/queue-5.10/alsa-ua101-fix-division-by-zero-at-probe.patch
@@ -0,0 +1,48 @@
+From 55f261b73a7e1cb254577c3536cef8f415de220a Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 26 Oct 2021 11:54:01 +0200
+Subject: ALSA: ua101: fix division by zero at probe
+
+From: Johan Hovold
+
+commit 55f261b73a7e1cb254577c3536cef8f415de220a upstream.
+
+Add the missing endpoint max-packet sanity check to probe() to avoid
+division by zero in alloc_stream_buffers() in case a malicious device
+has broken descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
+Cc: stable@vger.kernel.org # 2.6.34
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211026095401.26522-1-johan@kernel.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/misc/ua101.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/misc/ua101.c
++++ b/sound/usb/misc/ua101.c
+@@ -1001,7 +1001,7 @@ static int detect_usb_format(struct ua10
+ fmt_playback->bSubframeSize * ua->playback.channels;
+
+ epd = &ua->intf[INTF_CAPTURE]->altsetting[1].endpoint[0].desc;
+- if (!usb_endpoint_is_isoc_in(epd)) {
++ if (!usb_endpoint_is_isoc_in(epd) || usb_endpoint_maxp(epd) == 0) {
+ dev_err(&ua->dev->dev, "invalid capture endpoint\n");
+ return -ENXIO;
+ }
+@@ -1009,7 +1009,7 @@ static int detect_usb_format(struct ua10
+ ua->capture.max_packet_bytes = usb_endpoint_maxp(epd);
+
+ epd = &ua->intf[INTF_PLAYBACK]->altsetting[1].endpoint[0].desc;
+- if (!usb_endpoint_is_isoc_out(epd)) {
++ if (!usb_endpoint_is_isoc_out(epd) || usb_endpoint_maxp(epd) == 0) {
+ dev_err(&ua->dev->dev, "invalid playback endpoint\n");
+ return -ENXIO;
+ }
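Review bot: Both checks in detect_usb_format() take `altsetting[1].endpoint[0].desc` before inspecting it, and nothing in these two hunks shows that the interface really has a second altsetting with at least one endpoint. Since the commit is about devices with broken descriptors, that bound deserves the same attention as the zero `wMaxPacketSize`: if probe() does not already reject such interfaces, a guard such as `if (intf->num_altsetting < 2 || intf->altsetting[1].desc.bNumEndpoints < 1) return -ENXIO;` (with `intf` standing for the capture or playback interface) belongs ahead of the dereference. The function starts and ends outside the hunks, so the existing validation may simply not be visible here.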
diff --git a/queue-5.10/alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch b/queue-5.10/alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch
new file mode 100644
index 00000000000..62d3d1fb1bd
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch
@@ -0,0 +1,31 @@
+From 763d92ed5dece7d439fc28a88b2d2728d525ffd9 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy
+Date: Sat, 30 Oct 2021 20:43:08 +0300
+Subject: ALSA: usb-audio: Add registration quirk for JBL Quantum 400
+
+From: Alexander Tsoy
+
+commit 763d92ed5dece7d439fc28a88b2d2728d525ffd9 upstream.
+
+Add another device ID for JBL Quantum 400. It requires the same quirk as
+other JBL Quantum devices.
+
+Signed-off-by: Alexander Tsoy
+Cc:
+Link: https://lore.kernel.org/r/20211030174308.1011825-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1897,6 +1897,7 @@ static const struct registration_quirk r
+ REG_QUIRK_ENTRY(0x0951, 0x16ea, 2), /* Kingston HyperX Cloud Flight S */
+ REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2), /* JBL Quantum 600 */
+ REG_QUIRK_ENTRY(0x0ecb, 0x1f47, 2), /* JBL Quantum 800 */
++ REG_QUIRK_ENTRY(0x0ecb, 0x1f4c, 2), /* JBL Quantum 400 */
+ REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2), /* JBL Quantum 400 */
+ REG_QUIRK_ENTRY(0x0ecb, 0x203c, 2), /* JBL Quantum 600 */
+ REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2), /* JBL Quantum 800 */
diff --git a/queue-5.10/alsa-usb-audio-line6-hx-stomp-xl-usb_id-for-48k-fixed-quirk.patch b/queue-5.10/alsa-usb-audio-line6-hx-stomp-xl-usb_id-for-48k-fixed-quirk.patch
new file mode 100644
index 00000000000..537bfa4cdd5
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-line6-hx-stomp-xl-usb_id-for-48k-fixed-quirk.patch
@@ -0,0 +1,38 @@
+From 8f27b689066113a3e579d4df171c980c54368c4e Mon Sep 17 00:00:00 2001
+From: Jason Ormes
+Date: Sat, 30 Oct 2021 15:04:05 -0500
+Subject: ALSA: usb-audio: Line6 HX-Stomp XL USB_ID for 48k-fixed quirk
+
+From: Jason Ormes
+
+commit 8f27b689066113a3e579d4df171c980c54368c4e upstream.
+
+Adding the Line6 HX-Stomp XL USB_ID as it needs this fixed frequency
+quirk as well.
+
+The device is basically just the HX-Stomp with some more buttons on
+the face. I've done some recording with it after adding it, and it
+seems to function properly with this fix. The Midi features appear to
+be working as well.
+
+[ a coding style fix and patch reformat by tiwai ]
+
+Signed-off-by: Jason Ormes
+Cc:
+Link: https://lore.kernel.org/r/20211030200405.1358678-1-skryking@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/format.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -410,6 +410,7 @@ static int line6_parse_audio_format_rate
+ case USB_ID(0x0e41, 0x4242): /* Line6 Helix Rack */
+ case USB_ID(0x0e41, 0x4244): /* Line6 Helix LT */
+ case USB_ID(0x0e41, 0x4246): /* Line6 HX-Stomp */
++ case USB_ID(0x0e41, 0x4253): /* Line6 HX-Stomp XL */
+ case USB_ID(0x0e41, 0x4247): /* Line6 Pod Go */
+ case USB_ID(0x0e41, 0x4248): /* Line6 Helix >= fw 2.82 */
+ case USB_ID(0x0e41, 0x4249): /* Line6 Helix Rack >= fw 2.82 */
diff --git a/queue-5.10/ext4-ensure-enough-credits-in-ext4_ext_shift_path_extents.patch b/queue-5.10/ext4-ensure-enough-credits-in-ext4_ext_shift_path_extents.patch
new file mode 100644
index 00000000000..e54d665df64
--- /dev/null
+++ b/queue-5.10/ext4-ensure-enough-credits-in-ext4_ext_shift_path_extents.patch
@@ -0,0 +1,108 @@
+From 4268496e48dc681cfa53b92357314b5d7221e625 Mon Sep 17 00:00:00 2001
+From: yangerkun
+Date: Fri, 3 Sep 2021 14:27:47 +0800
+Subject: ext4: ensure enough credits in ext4_ext_shift_path_extents
+
+From: yangerkun
+
+commit 4268496e48dc681cfa53b92357314b5d7221e625 upstream.
+
+Like ext4_ext_rm_leaf, we can ensure that there are enough credits
+before every call that will consume credits. As part of this fix we
+fold the functionality of ext4_access_path() into
+ext4_ext_shift_path_extents(). This change is needed as a preparation
+for the next bugfix patch.
+
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20210903062748.4118886-3-yangerkun@huawei.com
+Signed-off-by: yangerkun
+Reviewed-by: Jan Kara
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/extents.c | 49 +++++++++++++++----------------------------------
+ 1 file changed, 15 insertions(+), 34 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4971,36 +4971,6 @@ int ext4_get_es_cache(struct inode *inod
+ }
+
+ /*
+- * ext4_access_path:
+- * Function to access the path buffer for marking it dirty.
+- * It also checks if there are sufficient credits left in the journal handle
+- * to update path.
+- */
+-static int
+-ext4_access_path(handle_t *handle, struct inode *inode,
+- struct ext4_ext_path *path)
+-{
+- int credits, err;
+-
+- if (!ext4_handle_valid(handle))
+- return 0;
+-
+- /*
+- * Check if need to extend journal credits
+- * 3 for leaf, sb, and inode plus 2 (bmap and group
+- * descriptor) for each block group; assume two block
+- * groups
+- */
+- credits = ext4_writepage_trans_blocks(inode);
+- err = ext4_datasem_ensure_credits(handle, inode, 7, credits, 0);
+- if (err < 0)
+- return err;
+-
+- err = ext4_ext_get_access(handle, inode, path);
+- return err;
+-}
+-
+-/*
+ * ext4_ext_shift_path_extents:
+ * Shift the extents of a path structure lying between path[depth].p_ext
+ * and EXT_LAST_EXTENT(path[depth].p_hdr), by @shift blocks. @SHIFT tells
+@@ -5014,6 +4984,7 @@ ext4_ext_shift_path_extents(struct ext4_
+ int depth, err = 0;
+ struct ext4_extent *ex_start, *ex_last;
+ bool update = false;
++ int credits, restart_credits;
+ depth = path->p_depth;
+
+ while (depth >= 0) {
+@@ -5023,13 +4994,23 @@ ext4_ext_shift_path_extents(struct ext4_
+ return -EFSCORRUPTED;
+
+ ex_last = EXT_LAST_EXTENT(path[depth].p_hdr);
++ /* leaf + sb + inode */
++ credits = 3;
++ if (ex_start == EXT_FIRST_EXTENT(path[depth].p_hdr)) {
++ update = true;
++ /* extent tree + sb + inode */
++ credits = depth + 2;
++ }
+
+- err = ext4_access_path(handle, inode, path + depth);
++ restart_credits = ext4_writepage_trans_blocks(inode);
++ err = ext4_datasem_ensure_credits(handle, inode, credits,
++ restart_credits, 0);
+ if (err)
+ goto out;
+
+- if (ex_start == EXT_FIRST_EXTENT(path[depth].p_hdr))
+- update = true;
++ err = ext4_ext_get_access(handle, inode, path + depth);
++ if (err)
++ goto out;
+
+ while (ex_start <= ex_last) {
+ if (SHIFT == SHIFT_LEFT) {
+@@ -5060,7 +5041,7 @@ ext4_ext_shift_path_extents(struct ext4_
+ }
+
+ /* Update index too */
+- err = ext4_access_path(handle, inode, path + depth);
++ err = ext4_ext_get_access(handle, inode, path + depth);
+ if (err)
+ goto out;
+
diff --git a/queue-5.10/ext4-fix-lazy-initialization-next-schedule-time-computation-in-more-granular-unit.patch b/queue-5.10/ext4-fix-lazy-initialization-next-schedule-time-computation-in-more-granular-unit.patch
new file mode 100644
index 00000000000..1a97f7d293d
--- /dev/null
+++ b/queue-5.10/ext4-fix-lazy-initialization-next-schedule-time-computation-in-more-granular-unit.patch
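Review bot: The new `if (err) goto out;` after ext4_datasem_ensure_credits() in ext4_ext_shift_path_extents() treats a positive return as a failure and hands it back to the caller, whereas the removed ext4_access_path() only bailed out on `err < 0`. Applied on its own, this patch therefore changes what the function can return; the next queued patch (ext4-refresh-the-ext4_ext_path-struct-after-dropping-i_data_sem.patch) maps `err > 0` to `-EAGAIN`, so the two should only ever be applied together. A comment at the call would make that dependency visible, e.g. `/* err > 0 is not an errno and must not reach callers unchanged */`. The function body continues outside these hunks.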
@@ -0,0 +1,58 @@
+From 39fec6889d15a658c3a3ebb06fd69d3584ddffd3 Mon Sep 17 00:00:00 2001
+From: Shaoying Xu
+Date: Thu, 2 Sep 2021 16:44:12 +0000
+Subject: ext4: fix lazy initialization next schedule time computation in more granular unit
+
+From: Shaoying Xu
+
+commit 39fec6889d15a658c3a3ebb06fd69d3584ddffd3 upstream.
+
+Ext4 file system has default lazy inode table initialization setup once
+it is mounted. However, it has issue on computing the next schedule time
+that makes the timeout same amount in jiffies but different real time in
+secs if with various HZ values. Therefore, fix by measuring the current
+time in a more granular unit nanoseconds and make the next schedule time
+independent of the HZ value.
+
+Fixes: bfff68738f1c ("ext4: add support for lazy inode table initialization")
+Signed-off-by: Shaoying Xu
+Cc: stable@vger.kernel.org
+Signed-off-by: Theodore Ts'o
+Link: https://lore.kernel.org/r/20210902164412.9994-2-shaoyi@amazon.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/super.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3436,9 +3436,9 @@ static int ext4_run_li_request(struct ex
+ struct super_block *sb = elr->lr_super;
+ ext4_group_t ngroups = EXT4_SB(sb)->s_groups_count;
+ ext4_group_t group = elr->lr_next_group;
+- unsigned long timeout = 0;
+ unsigned int prefetch_ios = 0;
+ int ret = 0;
++ u64 start_time;
+
+ if (elr->lr_mode == EXT4_LI_MODE_PREFETCH_BBITMAP) {
+ elr->lr_next_group = ext4_mb_prefetch(sb, group,
+@@ -3475,14 +3475,13 @@ static int ext4_run_li_request(struct ex
+ ret = 1;
+
+ if (!ret) {
+- timeout = jiffies;
++ start_time = ktime_get_real_ns();
+ ret = ext4_init_inode_table(sb, group,
+ elr->lr_timeout ? 0 : 1);
+ trace_ext4_lazy_itable_init(sb, group);
+ if (elr->lr_timeout == 0) {
+- timeout = (jiffies - timeout) *
+- EXT4_SB(elr->lr_super)->s_li_wait_mult;
+- elr->lr_timeout = timeout;
++ elr->lr_timeout = nsecs_to_jiffies((ktime_get_real_ns() - start_time) *
++ EXT4_SB(elr->lr_super)->s_li_wait_mult);
+ }
+ elr->lr_next_sched = jiffies + elr->lr_timeout;
+ elr->lr_next_group = group + 1;
diff --git a/queue-5.10/ext4-refresh-the-ext4_ext_path-struct-after-dropping-i_data_sem.patch b/queue-5.10/ext4-refresh-the-ext4_ext_path-struct-after-dropping-i_data_sem.patch
new file mode 100644
index 00000000000..2fb85cbac8f
--- /dev/null
+++ b/queue-5.10/ext4-refresh-the-ext4_ext_path-struct-after-dropping-i_data_sem.patch
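Review bot: The elapsed time in ext4_run_li_request() is taken from `ktime_get_real_ns()`, which follows the wall clock, so a clock adjustment between the two reads distorts the measurement; a backwards step makes the unsigned `u64` difference wrap, and `nsecs_to_jiffies()` then produces a very large `lr_timeout`. The monotonic clock is the usual source for an interval: `start_time = ktime_get_ns();` and `(ktime_get_ns() - start_time)` in the later expression. The function starts and ends outside these hunks.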
@@ -0,0 +1,95 @@
+From 1811bc401aa58c7bdb0df3205aa6613b49d32127 Mon Sep 17 00:00:00 2001
+From: yangerkun
+Date: Fri, 3 Sep 2021 14:27:48 +0800
+Subject: ext4: refresh the ext4_ext_path struct after dropping i_data_sem.
+
+From: yangerkun
+
+commit 1811bc401aa58c7bdb0df3205aa6613b49d32127 upstream.
+
+After we drop i_data sem, we need to reload the ext4_ext_path
+structure since the extent tree can change once i_data_sem is
+released.
+
+This addresses the BUG:
+
+[52117.465187] ------------[ cut here ]------------
+[52117.465686] kernel BUG at fs/ext4/extents.c:1756!
+...
+[52117.478306] Call Trace:
+[52117.478565] ext4_ext_shift_extents+0x3ee/0x710
+[52117.479020] ext4_fallocate+0x139c/0x1b40
+[52117.479405] ? __do_sys_newfstat+0x6b/0x80
+[52117.479805] vfs_fallocate+0x151/0x4b0
+[52117.480177] ksys_fallocate+0x4a/0xa0
+[52117.480533] __x64_sys_fallocate+0x22/0x30
+[52117.480930] do_syscall_64+0x35/0x80
+[52117.481277] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[52117.481769] RIP: 0033:0x7fa062f855ca
+
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20210903062748.4118886-4-yangerkun@huawei.com
+Signed-off-by: yangerkun
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/extents.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -5005,8 +5005,11 @@ ext4_ext_shift_path_extents(struct ext4_
+ restart_credits = ext4_writepage_trans_blocks(inode);
+ err = ext4_datasem_ensure_credits(handle, inode, credits,
+ restart_credits, 0);
+- if (err)
++ if (err) {
++ if (err > 0)
++ err = -EAGAIN;
+ goto out;
++ }
+
+ err = ext4_ext_get_access(handle, inode, path + depth);
+ if (err)
+@@ -5080,6 +5083,7 @@ ext4_ext_shift_extents(struct inode *ino
+ int ret = 0, depth;
+ struct ext4_extent *extent;
+ ext4_lblk_t stop, *iterator, ex_start, ex_end;
++ ext4_lblk_t tmp = EXT_MAX_BLOCKS;
+
+ /* Let path point to the last extent */
+ path = ext4_find_extent(inode, EXT_MAX_BLOCKS - 1, NULL,
+@@ -5133,11 +5137,15 @@ ext4_ext_shift_extents(struct inode *ino
+ * till we reach stop. In case of right shift, iterator points to stop
+ * and it is decreased till we reach start.
+ */
++again:
+ if (SHIFT == SHIFT_LEFT)
+ iterator = &start;
+ else
+ iterator = &stop;
+
++ if (tmp != EXT_MAX_BLOCKS)
++ *iterator = tmp;
++
+ /*
+ * Its safe to start updating extents. Start and stop are unsigned, so
+ * in case of right shift if extent with 0 block is reached, iterator
+@@ -5166,6 +5174,7 @@ ext4_ext_shift_extents(struct inode *ino
+ }
+ }
+
++ tmp = *iterator;
+ if (SHIFT == SHIFT_LEFT) {
+ extent = EXT_LAST_EXTENT(path[depth].p_hdr);
+ *iterator = le32_to_cpu(extent->ee_block) +
+@@ -5184,6 +5193,9 @@ ext4_ext_shift_extents(struct inode *ino
+ }
+ ret = ext4_ext_shift_path_extents(path, shift, inode,
+ handle, SHIFT);
++ /* iterator can be NULL which means we should break */
++ if (ret == -EAGAIN)
++ goto again;
+ if (ret)
+ break;
+ }
diff --git a/queue-5.10/fuse-fix-page-stealing.patch b/queue-5.10/fuse-fix-page-stealing.patch
new file mode 100644
index 00000000000..5da21eb54bb
--- /dev/null
+++ b/queue-5.10/fuse-fix-page-stealing.patch
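Review bot: The comment added above the `-EAGAIN` test in ext4_ext_shift_extents(), `/* iterator can be NULL which means we should break */`, does not describe the branch under it, which retries from the `again:` label, and in the visible code `iterator` only ever points at `start` or `stop`. I would replace it with a statement of the actual contract, e.g. `/* -EAGAIN: i_data_sem was dropped, restore the saved block and look the path up again */`, and give `tmp` a name that says it holds the iterator value saved before it is advanced. Nothing in these hunks bounds how often `goto again` is taken; the loop around it lies outside the hunks, so whether each retry makes progress should be confirmed there.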
@@ -0,0 +1,64 @@
+From 712a951025c0667ff00b25afc360f74e639dfabe Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Tue, 2 Nov 2021 11:10:37 +0100
+Subject: fuse: fix page stealing
+
+From: Miklos Szeredi
+
+commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
+
+It is possible to trigger a crash by splicing anon pipe bufs to the fuse
+device.
+
+The reason for this is that anon_pipe_buf_release() will reuse buf->page if
+the refcount is 1, but that page might have already been stolen and its
+flags modified (e.g. PG_lru added).
+
+This happens in the unlikely case of fuse_dev_splice_write() getting around
+to calling pipe_buf_release() after a page has been stolen, added to the
+page cache and removed from the page cache.
+
+Fix by calling pipe_buf_release() right after the page was inserted into
+the page cache. In this case the page has an elevated refcount so any
+release function will know that the page isn't reusable.
+
+Reported-by: Frank Dinoff
+Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Cc: # v2.6.35
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dev.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -851,6 +851,12 @@ static int fuse_try_move_page(struct fus
+ goto out_put_old;
+ }
+
++ /*
++ * Release while we have extra ref on stolen page. Otherwise
++ * anon_pipe_buf_release() might think the page can be reused.
++ */
++ pipe_buf_release(cs->pipe, buf);
++
+ get_page(newpage);
+
+ if (!(buf->flags & PIPE_BUF_FLAG_LRU))
+@@ -2035,8 +2041,12 @@ static ssize_t fuse_dev_splice_write(str
+
+ pipe_lock(pipe);
+ out_free:
+- for (idx = 0; idx < nbuf; idx++)
+- pipe_buf_release(pipe, &bufs[idx]);
++ for (idx = 0; idx < nbuf; idx++) {
++ struct pipe_buffer *buf = &bufs[idx];
++
++ if (buf->ops)
++ pipe_buf_release(pipe, buf);
++ }
+ pipe_unlock(pipe);
+
+ kvfree(bufs);
diff --git a/queue-5.10/series b/queue-5.10/series
index 51019bd4668..5cc53b313be 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
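Review bot: The cleanup loop in fuse_dev_splice_write() now uses `buf->ops` as the marker for a buffer that fuse_try_move_page() has already released, but that contract is only implied; neither site says that pipe_buf_release() leaves `ops` NULL. A one-line comment in the loop would pin it down, e.g. `/* ops is NULL if the buffer was already released in fuse_try_move_page() */`. In the first hunk `buf->flags` is still read right after the new pipe_buf_release() call; the pipe_buffer itself stays valid there, so this looks fine, but it deserves a word in the added comment. Both functions start and end outside the hunks.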
@@ -24,3 +24,26 @@ media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch
 media-rkvdec-support-dynamic-resolution-changes.patch
 media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch
 media-v4l2-ioctl-fix-check_ext_ctrls.patch
+alsa-hda-realtek-fix-mic-mute-led-for-the-hp-spectre-x360-14.patch
+alsa-hda-realtek-add-a-quirk-for-hp-omen-15-mute-led.patch
+alsa-hda-realtek-add-quirk-for-clevo-pc70hs.patch
+alsa-hda-realtek-headset-fixup-for-clevo-nh77hjq.patch
+alsa-hda-realtek-add-a-quirk-for-acer-spin-sp513-54n.patch
+alsa-hda-realtek-add-quirk-for-asus-ux550ve.patch
+alsa-hda-realtek-add-quirk-for-hp-elitebook-840-g7-mute-led.patch
+alsa-ua101-fix-division-by-zero-at-probe.patch
+alsa-6fire-fix-control-and-bulk-message-timeouts.patch
+alsa-line6-fix-control-and-interrupt-message-timeouts.patch
+alsa-usb-audio-line6-hx-stomp-xl-usb_id-for-48k-fixed-quirk.patch
+alsa-usb-audio-add-registration-quirk-for-jbl-quantum-400.patch
+alsa-hda-free-card-instance-properly-at-probe-errors.patch
+alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
+alsa-timer-fix-use-after-free-problem.patch
+alsa-timer-unconditionally-unlink-slave-instances-too.patch
+ext4-fix-lazy-initialization-next-schedule-time-computation-in-more-granular-unit.patch
+ext4-ensure-enough-credits-in-ext4_ext_shift_path_extents.patch
+ext4-refresh-the-ext4_ext_path-struct-after-dropping-i_data_sem.patch
+fuse-fix-page-stealing.patch
+x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch
+x86-cpu-fix-migration-safety-with-x86_bug_null_sel.patch
+x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
diff --git a/queue-5.10/x86-cpu-fix-migration-safety-with-x86_bug_null_sel.patch b/queue-5.10/x86-cpu-fix-migration-safety-with-x86_bug_null_sel.patch
new file mode 100644
index 00000000000..5aa479b559a
--- /dev/null
+++ b/queue-5.10/x86-cpu-fix-migration-safety-with-x86_bug_null_sel.patch
@@ -0,0 +1,147 @@
+From 415de44076640483648d6c0f6d645a9ee61328ad Mon Sep 17 00:00:00 2001
+From: Jane Malalane
+Date: Thu, 21 Oct 2021 11:47:44 +0100
+Subject: x86/cpu: Fix migration safety with X86_BUG_NULL_SEL
+
+From: Jane Malalane
+
+commit 415de44076640483648d6c0f6d645a9ee61328ad upstream.
+
+Currently, Linux probes for X86_BUG_NULL_SEL unconditionally which
+makes it unsafe to migrate in a virtualised environment as the
+properties across the migration pool might differ.
+
+To be specific, the case which goes wrong is:
+
+1. Zen1 (or earlier) and Zen2 (or later) in a migration pool
+2. Linux boots on Zen2, probes and finds the absence of X86_BUG_NULL_SEL
+3. Linux is then migrated to Zen1
+
+Linux is now running on a X86_BUG_NULL_SEL-impacted CPU while believing
+that the bug is fixed.
+
+The only way to address the problem is to fully trust the "no longer
+affected" CPUID bit when virtualised, because in the above case it would
+be clear deliberately to indicate the fact "you might migrate to
+somewhere which has this behaviour".
+
+Zen3 adds the NullSelectorClearsBase CPUID bit to indicate that loading
+a NULL segment selector zeroes the base and limit fields, as well as
+just attributes. Zen2 also has this behaviour but doesn't have the NSCB
+bit.
+
+ [ bp: Minor touchups. ]
+
+Signed-off-by: Jane Malalane
+Signed-off-by: Borislav Petkov
+CC:
+Link: https://lkml.kernel.org/r/20211021104744.24126-1-jane.malalane@citrix.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/amd.c | 2 +
+ arch/x86/kernel/cpu/common.c | 44 ++++++++++++++++++++++++++++++++++++-------
+ arch/x86/kernel/cpu/cpu.h | 1
+ arch/x86/kernel/cpu/hygon.c | 2 +
+ 4 files changed, 42 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1017,6 +1017,8 @@ static void init_amd(struct cpuinfo_x86
+ if (cpu_has(c, X86_FEATURE_IRPERF) &&
+ !cpu_has_amd_erratum(c, amd_erratum_1054))
+ msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT);
++
++ check_null_seg_clears_base(c);
+ }
+
+ #ifdef CONFIG_X86_32
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1391,9 +1391,8 @@ void __init early_cpu_init(void)
+ early_identify_cpu(&boot_cpu_data);
+ }
+
+-static void detect_null_seg_behavior(struct cpuinfo_x86 *c)
++static bool detect_null_seg_behavior(void)
+ {
+-#ifdef CONFIG_X86_64
+ /*
+ * Empirically, writing zero to a segment selector on AMD does
+ * not clear the base, whereas writing zero to a segment
+@@ -1414,10 +1413,43 @@ static void detect_null_seg_behavior(str
+ wrmsrl(MSR_FS_BASE, 1);
+ loadsegment(fs, 0);
+ rdmsrl(MSR_FS_BASE, tmp);
+- if (tmp != 0)
+- set_cpu_bug(c, X86_BUG_NULL_SEG);
+ wrmsrl(MSR_FS_BASE, old_base);
+-#endif
++ return tmp == 0;
++}
++
++void check_null_seg_clears_base(struct cpuinfo_x86 *c)
++{
++ /* BUG_NULL_SEG is only relevant with 64bit userspace */
++ if (!IS_ENABLED(CONFIG_X86_64))
++ return;
++
++ /* Zen3 CPUs advertise Null Selector Clears Base in CPUID. */
++ if (c->extended_cpuid_level >= 0x80000021 &&
++ cpuid_eax(0x80000021) & BIT(6))
++ return;
++
++ /*
++ * CPUID bit above wasn't set. If this kernel is still running
++ * as a HV guest, then the HV has decided not to advertize
++ * that CPUID bit for whatever reason. For example, one
++ * member of the migration pool might be vulnerable. Which
++ * means, the bug is present: set the BUG flag and return.
++ */
++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) {
++ set_cpu_bug(c, X86_BUG_NULL_SEG);
++ return;
++ }
++
++ /*
++ * Zen2 CPUs also have this behaviour, but no CPUID bit.
++ * 0x18 is the respective family for Hygon.
++ */
++ if ((c->x86 == 0x17 || c->x86 == 0x18) &&
++ detect_null_seg_behavior())
++ return;
++
++ /* All the remaining ones are affected */
++ set_cpu_bug(c, X86_BUG_NULL_SEG);
+ }
+
+ static void generic_identify(struct cpuinfo_x86 *c)
+@@ -1453,8 +1485,6 @@ static void generic_identify(struct cpui
+
+ get_model_name(c); /* Default name */
+
+- detect_null_seg_behavior(c);
+-
+ /*
+ * ESPFIX is a strange bug. All real CPUs have it. Paravirt
+ * systems that run Linux at CPL > 0 may or may not have the
+--- a/arch/x86/kernel/cpu/cpu.h
++++ b/arch/x86/kernel/cpu/cpu.h
+@@ -73,6 +73,7 @@ extern int detect_extended_topology_earl
+ extern int detect_extended_topology(struct cpuinfo_x86 *c);
+ extern int detect_ht_early(struct cpuinfo_x86 *c);
+ extern void detect_ht(struct cpuinfo_x86 *c);
++extern void check_null_seg_clears_base(struct cpuinfo_x86 *c);
+
+ unsigned int aperfmperf_get_khz(int cpu);
+
+--- a/arch/x86/kernel/cpu/hygon.c
++++ b/arch/x86/kernel/cpu/hygon.c
+@@ -351,6 +351,8 @@ static void init_hygon(struct cpuinfo_x8
+ /* Hygon CPUs don't reset SS attributes on SYSRET, Xen does. */
+ if (!cpu_has(c, X86_FEATURE_XENPV))
+ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
++
++ check_null_seg_clears_base(c);
+ }
+
+ static void cpu_detect_tlb_hygon(struct cpuinfo_x86 *c)
diff --git a/queue-5.10/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch b/queue-5.10/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
new file mode 100644
index 00000000000..1e2a0a42325
--- /dev/null
+++ b/queue-5.10/x86-irq-ensure-pi-wakeup-handler-is-unregistered-before-module-unload.patch
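Review bot: The NULL-selector probe used to run from generic_identify() for every vendor and is now reached only through init_amd() and init_hygon(), a narrowing the commit message does not mention. If it is intended because only those vendors are affected, check_null_seg_clears_base() should say so, e.g. `/* Called from init_amd() and init_hygon() only; other vendors are assumed to clear the base on a NULL selector load */`; otherwise the remaining vendor init paths need the call as well. The test `cpuid_eax(0x80000021) & BIT(6)` would also read better with a named constant for the bit than with the bare `6`. The commit text writes X86_BUG_NULL_SEL while the code uses `X86_BUG_NULL_SEG`, which makes the flag harder to find by search.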
@@ -0,0 +1,43 @@
+From 6ff53f6a438f72998f56e82e76694a1df9d1ea2c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 8 Oct 2021 17:11:04 -0700
+Subject: x86/irq: Ensure PI wakeup handler is unregistered before module unload
+
+From: Sean Christopherson
+
+commit 6ff53f6a438f72998f56e82e76694a1df9d1ea2c upstream.
+
+Add a synchronize_rcu() after clearing the posted interrupt wakeup handler
+to ensure all readers, i.e. in-flight IRQ handlers, see the new handler
+before returning to the caller. If the caller is an exiting module and
+is unregistering its handler, failure to wait could result in the IRQ
+handler jumping into an unloaded module.
+
+The registration path doesn't require synchronization, as it's the
+caller's responsibility to not generate interrupts it cares about until
+after its handler is registered.
+
+Fixes: f6b3c72c2366 ("x86/irq: Define a global vector for VT-d Posted-Interrupts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20211009001107.3936588-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/irq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/irq.c
++++ b/arch/x86/kernel/irq.c
+@@ -290,8 +290,10 @@ void kvm_set_posted_intr_wakeup_handler(
+ {
+ if (handler)
+ kvm_posted_intr_wakeup_handler = handler;
+- else
++ else {
+ kvm_posted_intr_wakeup_handler = dummy_handler;
++ synchronize_rcu();
++ }
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler);
+
diff --git a/queue-5.10/x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch b/queue-5.10/x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch
new file mode 100644
index 00000000000..0aabb31e2b0
--- /dev/null
+++ b/queue-5.10/x86-sme-use-define-use_early_pgtable_l5-in-mem_encrypt_identity.c.patch
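Review bot: The added `synchronize_rcu()` in kvm_set_posted_intr_wakeup_handler() has no comment, although it carries two non-obvious requirements: the IRQ path that invokes the handler has to count as an RCU read-side section, and the unregistering caller has to be in a context that may sleep. A comment such as `/* Wait for in-flight IRQ handlers before the caller's module text can go away; may sleep */` would record both. With the `else` branch now braced, kernel coding style also wants braces on the `if` branch: `if (handler) {` … `} else {`. The function's signature is outside the hunk.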
@@ -0,0 +1,57 @@
+From e7d445ab26db833d6640d4c9a08bee176777cc82 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky
+Date: Fri, 15 Oct 2021 12:24:16 -0500
+Subject: x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c
+
+From: Tom Lendacky
+
+commit e7d445ab26db833d6640d4c9a08bee176777cc82 upstream.
+
+When runtime support for converting between 4-level and 5-level pagetables
+was added to the kernel, the SME code that built pagetables was updated
+to use the pagetable functions, e.g. p4d_offset(), etc., in order to
+simplify the code. However, the use of the pagetable functions in early
+boot code requires the use of the USE_EARLY_PGTABLE_L5 #define in order to
+ensure that the proper definition of pgtable_l5_enabled() is used.
+
+Without the #define, pgtable_l5_enabled() is #defined as
+cpu_feature_enabled(X86_FEATURE_LA57). In early boot, the CPU features
+have not yet been discovered and populated, so pgtable_l5_enabled() will
+return false even when 5-level paging is enabled. This causes the SME code
+to always build 4-level pagetables to perform the in-place encryption.
+If 5-level paging is enabled, switching to the SME pagetables results in
+a page-fault that kills the boot.
+
+Adding the #define results in pgtable_l5_enabled() using the
+__pgtable_l5_enabled variable set in early boot and the SME code building
+pagetables for the proper paging level.
+
+Fixes: aad983913d77 ("x86/mm/encrypt: Simplify sme_populate_pgd() and sme_populate_pgd_large()")
+Signed-off-by: Tom Lendacky
+Signed-off-by: Borislav Petkov
+Acked-by: Kirill A. Shutemov
+Cc: # 4.18.x
+Link: https://lkml.kernel.org/r/2cb8329655f5c753905812d951e212022a480475.1634318656.git.thomas.lendacky@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/mem_encrypt_identity.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/mm/mem_encrypt_identity.c
++++ b/arch/x86/mm/mem_encrypt_identity.c
+@@ -27,6 +27,15 @@
+ #undef CONFIG_PARAVIRT_XXL
+ #undef CONFIG_PARAVIRT_SPINLOCKS
+
++/*
++ * This code runs before CPU feature bits are set. By default, the
++ * pgtable_l5_enabled() function uses bit X86_FEATURE_LA57 to determine if
++ * 5-level paging is active, so that won't work here. USE_EARLY_PGTABLE_L5
++ * is provided to handle this situation and, instead, use a variable that
++ * has been set by the early boot code.
++ */
++#define USE_EARLY_PGTABLE_L5
++
+ #include
+ #include
+ #include