From: Greg Kroah-Hartman Date: Sun, 12 Dec 2021 12:43:16 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.295~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58bfe2cb125ab64839c66986d73ed90172c82c1e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch alsa-hda-realtek-fix-quirk-for-tongfang-phxtxx1.patch alsa-pcm-oss-fix-negative-period-buffer-sizes.patch alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch alsa-pcm-oss-limit-the-period-size-to-16mb.patch btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch btrfs-fix-re-dirty-process-of-tree-log-nodes.patch btrfs-free-exchange-changeset-on-failures.patch btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch cifs-fix-crash-on-unload-of-cifs_arc4.ko.patch scsi-qla2xxx-format-log-strings-only-if-needed.patch --- diff --git a/queue-5.15/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch b/queue-5.15/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch new file mode 100644 index 00000000000..5d41c0c3899 --- /dev/null +++ b/queue-5.15/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch @@ -0,0 +1,51 @@ +From b6409dd6bdc03aa178bbff0d80db2a30d29b63ac Mon Sep 17 00:00:00 2001 +From: Alan Young +Date: Thu, 2 Dec 2021 15:06:07 +0000 +Subject: ALSA: ctl: Fix copy of updated id with element read/write + +From: Alan Young + +commit b6409dd6bdc03aa178bbff0d80db2a30d29b63ac upstream. + +When control_compat.c:copy_ctl_value_to_user() is used, by +ctl_elem_read_user() & ctl_elem_write_user(), it must also copy back the +snd_ctl_elem_id value that may have been updated (filled in) by the call +to snd_ctl_elem_read/snd_ctl_elem_write(). + +This matches the functionality provided by snd_ctl_elem_read_user() and +snd_ctl_elem_write_user(), via snd_ctl_build_ioff(). + +Without this, and without making additional calls to snd_ctl_info() +which are unnecessary when using the non-compat calls, a userspace +application will not know the numid value for the element and +consequently will not be able to use the poll/read interface on the +control file to determine which elements have updates. + +Signed-off-by: Alan Young +Cc: +Link: https://lore.kernel.org/r/20211202150607.543389-1-consult.awy@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/control_compat.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/core/control_compat.c ++++ b/sound/core/control_compat.c +@@ -264,6 +264,7 @@ static int copy_ctl_value_to_user(void _ + struct snd_ctl_elem_value *data, + int type, int count) + { ++ struct snd_ctl_elem_value32 __user *data32 = userdata; + int i, size; + + if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN || +@@ -280,6 +281,8 @@ static int copy_ctl_value_to_user(void _ + if (copy_to_user(valuep, data->value.bytes.data, size)) + return -EFAULT; + } ++ if (copy_to_user(&data32->id, &data->id, sizeof(data32->id))) ++ return -EFAULT; + return 0; + } + diff --git a/queue-5.15/alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch b/queue-5.15/alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch new file mode 100644 index 00000000000..3164cc02933 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch @@ -0,0 +1,91 @@ +From d7f32791a9fcf0dae8b073cdea9b79e29098c5f4 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Tue, 23 Nov 2021 16:32:44 +0800 +Subject: ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform + +From: Kailang Yang + +commit d7f32791a9fcf0dae8b073cdea9b79e29098c5f4 upstream. + +Lenovo ALC897 platform had headset Mic. +This patch enable supported headset Mic. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/baab2c2536cb4cc18677a862c6f6d840@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10231,6 +10231,27 @@ static void alc671_fixup_hp_headset_mic2 + } + } + ++static void alc897_hp_automute_hook(struct hda_codec *codec, ++ struct hda_jack_callback *jack) ++{ ++ struct alc_spec *spec = codec->spec; ++ int vref; ++ ++ snd_hda_gen_hp_automute(codec, jack); ++ vref = spec->gen.hp_jack_present ? (PIN_HP | AC_PINCTL_VREF_100) : PIN_HP; ++ snd_hda_codec_write(codec, 0x1b, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, ++ vref); ++} ++ ++static void alc897_fixup_lenovo_headset_mic(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->gen.hp_automute_hook = alc897_hp_automute_hook; ++ } ++} ++ + static const struct coef_fw alc668_coefs[] = { + WRITE_COEF(0x01, 0xbebe), WRITE_COEF(0x02, 0xaaaa), WRITE_COEF(0x03, 0x0), + WRITE_COEF(0x04, 0x0180), WRITE_COEF(0x06, 0x0), WRITE_COEF(0x07, 0x0f80), +@@ -10311,6 +10332,8 @@ enum { + ALC668_FIXUP_ASUS_NO_HEADSET_MIC, + ALC668_FIXUP_HEADSET_MIC, + ALC668_FIXUP_MIC_DET_COEF, ++ ALC897_FIXUP_LENOVO_HEADSET_MIC, ++ ALC897_FIXUP_HEADSET_MIC_PIN, + }; + + static const struct hda_fixup alc662_fixups[] = { +@@ -10717,6 +10740,19 @@ static const struct hda_fixup alc662_fix + {} + }, + }, ++ [ALC897_FIXUP_LENOVO_HEADSET_MIC] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc897_fixup_lenovo_headset_mic, ++ }, ++ [ALC897_FIXUP_HEADSET_MIC_PIN] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x1a, 0x03a11050 }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC897_FIXUP_LENOVO_HEADSET_MIC ++ }, + }; + + static const struct snd_pci_quirk alc662_fixup_tbl[] = { +@@ -10761,6 +10797,10 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD), + SND_PCI_QUIRK(0x14cd, 0x5003, "USI", ALC662_FIXUP_USI_HEADSET_MODE), + SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC662_FIXUP_LENOVO_MULTI_CODECS), ++ SND_PCI_QUIRK(0x17aa, 0x32ca, "Lenovo ThinkCentre M80", ALC897_FIXUP_HEADSET_MIC_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD), + SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD), + SND_PCI_QUIRK(0x1849, 0x5892, "ASRock B150M", ALC892_FIXUP_ASROCK_MOBO), diff --git a/queue-5.15/alsa-hda-realtek-fix-quirk-for-tongfang-phxtxx1.patch b/queue-5.15/alsa-hda-realtek-fix-quirk-for-tongfang-phxtxx1.patch new file mode 100644 index 00000000000..4a38283d880 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-quirk-for-tongfang-phxtxx1.patch @@ -0,0 +1,102 @@ +From 619764cc2ec9ce1283a8bbcd89a1376a7c68293b Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Thu, 2 Dec 2021 17:50:10 +0100 +Subject: ALSA: hda/realtek: Fix quirk for TongFang PHxTxX1 + +From: Werner Sembach + +commit 619764cc2ec9ce1283a8bbcd89a1376a7c68293b upstream. + +This fixes the SND_PCI_QUIRK(...) of the TongFang PHxTxX1 barebone. This +fixes the issue of sound not working after s3 suspend. + +When waking up from s3 suspend the Coef 0x10 is set to 0x0220 instead of +0x0020. Setting the value manually makes the sound work again. This patch +does this automatically. + +While being on it, I also fixed the comment formatting of the quirk and +shortened variable and function names. + +Signed-off-by: Werner Sembach +Fixes: dd6dd6e3c791 ("ALSA: hda/realtek: Add quirk for TongFang PHxTxX1") +Cc: +Link: https://lore.kernel.org/r/20211202165010.876431-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 40 ++++++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 18 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6503,22 +6503,26 @@ static void alc287_fixup_legion_15imhg05 + /* for alc285_fixup_ideapad_s740_coef() */ + #include "ideapad_s740_helper.c" + +-static void alc256_fixup_tongfang_reset_persistent_settings(struct hda_codec *codec, +- const struct hda_fixup *fix, +- int action) ++static const struct coef_fw alc256_fixup_set_coef_defaults_coefs[] = { ++ WRITE_COEF(0x10, 0x0020), WRITE_COEF(0x24, 0x0000), ++ WRITE_COEF(0x26, 0x0000), WRITE_COEF(0x29, 0x3000), ++ WRITE_COEF(0x37, 0xfe05), WRITE_COEF(0x45, 0x5089), ++ {} ++}; ++ ++static void alc256_fixup_set_coef_defaults(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) + { + /* +- * A certain other OS sets these coeffs to different values. On at least one TongFang +- * barebone these settings might survive even a cold reboot. So to restore a clean slate the +- * values are explicitly reset to default here. Without this, the external microphone is +- * always in a plugged-in state, while the internal microphone is always in an unplugged +- * state, breaking the ability to use the internal microphone. +- */ +- alc_write_coef_idx(codec, 0x24, 0x0000); +- alc_write_coef_idx(codec, 0x26, 0x0000); +- alc_write_coef_idx(codec, 0x29, 0x3000); +- alc_write_coef_idx(codec, 0x37, 0xfe05); +- alc_write_coef_idx(codec, 0x45, 0x5089); ++ * A certain other OS sets these coeffs to different values. On at least ++ * one TongFang barebone these settings might survive even a cold ++ * reboot. So to restore a clean slate the values are explicitly reset ++ * to default here. Without this, the external microphone is always in a ++ * plugged-in state, while the internal microphone is always in an ++ * unplugged state, breaking the ability to use the internal microphone. ++ */ ++ alc_process_coef_fw(codec, alc256_fixup_set_coef_defaults_coefs); + } + + static const struct coef_fw alc233_fixup_no_audio_jack_coefs[] = { +@@ -6759,7 +6763,7 @@ enum { + ALC287_FIXUP_LEGION_15IMHG05_AUTOMUTE, + ALC287_FIXUP_YOGA7_14ITL_SPEAKERS, + ALC287_FIXUP_13S_GEN2_SPEAKERS, +- ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS, ++ ALC256_FIXUP_SET_COEF_DEFAULTS, + ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE, + ALC233_FIXUP_NO_AUDIO_JACK, + }; +@@ -8465,9 +8469,9 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE, + }, +- [ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS] = { ++ [ALC256_FIXUP_SET_COEF_DEFAULTS] = { + .type = HDA_FIXUP_FUNC, +- .v.func = alc256_fixup_tongfang_reset_persistent_settings, ++ .v.func = alc256_fixup_set_coef_defaults, + }, + [ALC245_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, +@@ -8929,7 +8933,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */ + SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802), + SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X), +- SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS), ++ SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_SET_COEF_DEFAULTS), + SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC), diff --git a/queue-5.15/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch b/queue-5.15/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch new file mode 100644 index 00000000000..925e5e6d53d --- /dev/null +++ b/queue-5.15/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch @@ -0,0 +1,96 @@ +From 9d2479c960875ca1239bcb899f386970c13d9cfe Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 1 Dec 2021 08:36:04 +0100 +Subject: ALSA: pcm: oss: Fix negative period/buffer sizes + +From: Takashi Iwai + +commit 9d2479c960875ca1239bcb899f386970c13d9cfe upstream. + +The period size calculation in OSS layer may receive a negative value +as an error, but the code there assumes only the positive values and +handle them with size_t. Due to that, a too big value may be passed +to the lower layers. + +This patch changes the code to handle with ssize_t and adds the proper +error checks appropriately. + +Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com +Reported-by: Bixuan Cui +Cc: +Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com +Link: https://lore.kernel.org/r/20211201073606.11660-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/oss/pcm_oss.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -147,7 +147,7 @@ snd_pcm_hw_param_value_min(const struct + * + * Return the maximum value for field PAR. + */ +-static unsigned int ++static int + snd_pcm_hw_param_value_max(const struct snd_pcm_hw_params *params, + snd_pcm_hw_param_t var, int *dir) + { +@@ -682,18 +682,24 @@ static int snd_pcm_oss_period_size(struc + struct snd_pcm_hw_params *oss_params, + struct snd_pcm_hw_params *slave_params) + { +- size_t s; +- size_t oss_buffer_size, oss_period_size, oss_periods; +- size_t min_period_size, max_period_size; ++ ssize_t s; ++ ssize_t oss_buffer_size; ++ ssize_t oss_period_size, oss_periods; ++ ssize_t min_period_size, max_period_size; + struct snd_pcm_runtime *runtime = substream->runtime; + size_t oss_frame_size; + + oss_frame_size = snd_pcm_format_physical_width(params_format(oss_params)) * + params_channels(oss_params) / 8; + ++ oss_buffer_size = snd_pcm_hw_param_value_max(slave_params, ++ SNDRV_PCM_HW_PARAM_BUFFER_SIZE, ++ NULL); ++ if (oss_buffer_size <= 0) ++ return -EINVAL; + oss_buffer_size = snd_pcm_plug_client_size(substream, +- snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, NULL)) * oss_frame_size; +- if (!oss_buffer_size) ++ oss_buffer_size * oss_frame_size); ++ if (oss_buffer_size <= 0) + return -EINVAL; + oss_buffer_size = rounddown_pow_of_two(oss_buffer_size); + if (atomic_read(&substream->mmap_count)) { +@@ -730,7 +736,7 @@ static int snd_pcm_oss_period_size(struc + + min_period_size = snd_pcm_plug_client_size(substream, + snd_pcm_hw_param_value_min(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL)); +- if (min_period_size) { ++ if (min_period_size > 0) { + min_period_size *= oss_frame_size; + min_period_size = roundup_pow_of_two(min_period_size); + if (oss_period_size < min_period_size) +@@ -739,7 +745,7 @@ static int snd_pcm_oss_period_size(struc + + max_period_size = snd_pcm_plug_client_size(substream, + snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL)); +- if (max_period_size) { ++ if (max_period_size > 0) { + max_period_size *= oss_frame_size; + max_period_size = rounddown_pow_of_two(max_period_size); + if (oss_period_size > max_period_size) +@@ -752,7 +758,7 @@ static int snd_pcm_oss_period_size(struc + oss_periods = substream->oss.setup.periods; + + s = snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIODS, NULL); +- if (runtime->oss.maxfrags && s > runtime->oss.maxfrags) ++ if (s > 0 && runtime->oss.maxfrags && s > runtime->oss.maxfrags) + s = runtime->oss.maxfrags; + if (oss_periods > s) + oss_periods = s; diff --git a/queue-5.15/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch b/queue-5.15/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch new file mode 100644 index 00000000000..d09f3536981 --- /dev/null +++ b/queue-5.15/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch @@ -0,0 +1,41 @@ +From 6665bb30a6b1a4a853d52557c05482ee50e71391 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 1 Dec 2021 08:36:06 +0100 +Subject: ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() + +From: Takashi Iwai + +commit 6665bb30a6b1a4a853d52557c05482ee50e71391 upstream. + +A couple of calls in snd_pcm_oss_change_params_locked() ignore the +possible errors. Catch those errors and abort the operation for +avoiding further problems. + +Cc: +Link: https://lore.kernel.org/r/20211201073606.11660-4-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/oss/pcm_oss.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -884,8 +884,15 @@ static int snd_pcm_oss_change_params_loc + err = -EINVAL; + goto failure; + } +- choose_rate(substream, sparams, runtime->oss.rate); +- snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_CHANNELS, runtime->oss.channels, NULL); ++ ++ err = choose_rate(substream, sparams, runtime->oss.rate); ++ if (err < 0) ++ goto failure; ++ err = snd_pcm_hw_param_near(substream, sparams, ++ SNDRV_PCM_HW_PARAM_CHANNELS, ++ runtime->oss.channels, NULL); ++ if (err < 0) ++ goto failure; + + format = snd_pcm_oss_format_from(runtime->oss.format); + diff --git a/queue-5.15/alsa-pcm-oss-limit-the-period-size-to-16mb.patch b/queue-5.15/alsa-pcm-oss-limit-the-period-size-to-16mb.patch new file mode 100644 index 00000000000..bea560933e2 --- /dev/null +++ b/queue-5.15/alsa-pcm-oss-limit-the-period-size-to-16mb.patch @@ -0,0 +1,38 @@ +From 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 1 Dec 2021 08:36:05 +0100 +Subject: ALSA: pcm: oss: Limit the period size to 16MB + +From: Takashi Iwai + +commit 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 upstream. + +Set the practical limit to the period size (the fragment shift in OSS) +instead of a full 31bit; a too large value could lead to the exhaust +of memory as we allocate temporary buffers of the period size, too. + +As of this patch, we set to 16MB limit, which should cover all use +cases. + +Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com +Reported-by: Bixuan Cui +Cc: +Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com +Link: https://lore.kernel.org/r/20211201073606.11660-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/oss/pcm_oss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1962,7 +1962,7 @@ static int snd_pcm_oss_set_fragment1(str + if (runtime->oss.subdivision || runtime->oss.fragshift) + return -EINVAL; + fragshift = val & 0xffff; +- if (fragshift >= 31) ++ if (fragshift >= 25) /* should be large enough */ + return -EINVAL; + runtime->oss.fragshift = fragshift; + runtime->oss.maxfrags = (val >> 16) & 0xffff; diff --git a/queue-5.15/btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch b/queue-5.15/btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch new file mode 100644 index 00000000000..df8eea8895d --- /dev/null +++ b/queue-5.15/btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch @@ -0,0 +1,80 @@ +From c2e39305299f0118298c2201f6d6cc7d3485f29e Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 24 Nov 2021 14:14:23 -0500 +Subject: btrfs: clear extent buffer uptodate when we fail to write it + +From: Josef Bacik + +commit c2e39305299f0118298c2201f6d6cc7d3485f29e upstream. + +I got dmesg errors on generic/281 on our overnight fstests. Looking at +the history this happens occasionally, with errors like this + + WARNING: CPU: 0 PID: 673217 at fs/btrfs/extent_io.c:6848 assert_eb_page_uptodate+0x3f/0x50 + CPU: 0 PID: 673217 Comm: kworker/u4:13 Tainted: G W 5.16.0-rc2+ #469 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 + Workqueue: btrfs-cache btrfs_work_helper + RIP: 0010:assert_eb_page_uptodate+0x3f/0x50 + RSP: 0018:ffffae598230bc60 EFLAGS: 00010246 + RAX: 0017ffffc0002112 RBX: ffffebaec4100900 RCX: 0000000000001000 + RDX: ffffebaec45733c7 RSI: ffffebaec4100900 RDI: ffff9fd98919f340 + RBP: 0000000000000d56 R08: ffff9fd98e300000 R09: 0000000000000000 + R10: 0001207370a91c50 R11: 0000000000000000 R12: 00000000000007b0 + R13: ffff9fd98919f340 R14: 0000000001500000 R15: 0000000001cb0000 + FS: 0000000000000000(0000) GS:ffff9fd9fbc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f549fcf8940 CR3: 0000000114908004 CR4: 0000000000370ef0 + Call Trace: + + extent_buffer_test_bit+0x3f/0x70 + free_space_test_bit+0xa6/0xc0 + load_free_space_tree+0x1d6/0x430 + caching_thread+0x454/0x630 + ? rcu_read_lock_sched_held+0x12/0x60 + ? rcu_read_lock_sched_held+0x12/0x60 + ? rcu_read_lock_sched_held+0x12/0x60 + ? lock_release+0x1f0/0x2d0 + btrfs_work_helper+0xf2/0x3e0 + ? lock_release+0x1f0/0x2d0 + ? finish_task_switch.isra.0+0xf9/0x3a0 + process_one_work+0x270/0x5a0 + worker_thread+0x55/0x3c0 + ? process_one_work+0x5a0/0x5a0 + kthread+0x174/0x1a0 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x1f/0x30 + +This happens because we're trying to read from a extent buffer page that +is !PageUptodate. This happens because we will clear the page uptodate +when we have an IO error, but we don't clear the extent buffer uptodate. +If we do a read later and find this extent buffer we'll think its valid +and not return an error, and then trip over this warning. + +Fix this by also clearing uptodate on the extent buffer when this +happens, so that we get an error when we do a btrfs_search_slot() and +find this block later. + +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4285,6 +4285,12 @@ static void set_btree_ioerr(struct page + return; + + /* ++ * A read may stumble upon this buffer later, make sure that it gets an ++ * error and knows there was an error. ++ */ ++ clear_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags); ++ ++ /* + * If we error out, we should add back the dirty_metadata_bytes + * to make it consistent. + */ diff --git a/queue-5.15/btrfs-fix-re-dirty-process-of-tree-log-nodes.patch b/queue-5.15/btrfs-fix-re-dirty-process-of-tree-log-nodes.patch new file mode 100644 index 00000000000..f6c6f18ba2b --- /dev/null +++ b/queue-5.15/btrfs-fix-re-dirty-process-of-tree-log-nodes.patch @@ -0,0 +1,118 @@ +From 84c25448929942edacba905cecc0474e91114e7a Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Tue, 30 Nov 2021 12:40:21 +0900 +Subject: btrfs: fix re-dirty process of tree-log nodes + +From: Naohiro Aota + +commit 84c25448929942edacba905cecc0474e91114e7a upstream. + +There is a report of a transaction abort of -EAGAIN with the following +script. + + #!/bin/sh + + for d in sda sdb; do + mkfs.btrfs -d single -m single -f /dev/\${d} + done + + mount /dev/sda /mnt/test + mount /dev/sdb /mnt/scratch + + for dir in test scratch; do + echo 3 >/proc/sys/vm/drop_caches + fio --directory=/mnt/\${dir} --name=fio.\${dir} --rw=read --size=50G --bs=64m \ + --numjobs=$(nproc) --time_based --ramp_time=5 --runtime=480 \ + --group_reporting |& tee /dev/shm/fio.\${dir} + echo 3 >/proc/sys/vm/drop_caches + done + + for d in sda sdb; do + umount /dev/\${d} + done + +The stack trace is shown in below. + + [3310.967991] BTRFS: error (device sda) in btrfs_commit_transaction:2341: errno=-11 unknown (Error while writing out transaction) + [3310.968060] BTRFS info (device sda): forced readonly + [3310.968064] BTRFS warning (device sda): Skipping commit of aborted transaction. + [3310.968065] ------------[ cut here ]------------ + [3310.968066] BTRFS: Transaction aborted (error -11) + [3310.968074] WARNING: CPU: 14 PID: 1684 at fs/btrfs/transaction.c:1946 btrfs_commit_transaction.cold+0x209/0x2c8 + [3310.968131] CPU: 14 PID: 1684 Comm: fio Not tainted 5.14.10-300.fc35.x86_64 #1 + [3310.968135] Hardware name: DIAWAY Tartu/Tartu, BIOS V2.01.B10 04/08/2021 + [3310.968137] RIP: 0010:btrfs_commit_transaction.cold+0x209/0x2c8 + [3310.968144] RSP: 0018:ffffb284ce393e10 EFLAGS: 00010282 + [3310.968147] RAX: 0000000000000026 RBX: ffff973f147b0f60 RCX: 0000000000000027 + [3310.968149] RDX: ffff974ecf098a08 RSI: 0000000000000001 RDI: ffff974ecf098a00 + [3310.968150] RBP: ffff973f147b0f08 R08: 0000000000000000 R09: ffffb284ce393c48 + [3310.968151] R10: ffffb284ce393c40 R11: ffffffff84f47468 R12: ffff973f101bfc00 + [3310.968153] R13: ffff971f20cf2000 R14: 00000000fffffff5 R15: ffff973f147b0e58 + [3310.968154] FS: 00007efe65468740(0000) GS:ffff974ecf080000(0000) knlGS:0000000000000000 + [3310.968157] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [3310.968158] CR2: 000055691bcbe260 CR3: 000000105cfa4001 CR4: 0000000000770ee0 + [3310.968160] PKRU: 55555554 + [3310.968161] Call Trace: + [3310.968167] ? dput+0xd4/0x300 + [3310.968174] btrfs_sync_file+0x3f1/0x490 + [3310.968180] __x64_sys_fsync+0x33/0x60 + [3310.968185] do_syscall_64+0x3b/0x90 + [3310.968190] entry_SYSCALL_64_after_hwframe+0x44/0xae + [3310.968194] RIP: 0033:0x7efe6557329b + [3310.968200] RSP: 002b:00007ffe0236ebc0 EFLAGS: 00000293 ORIG_RAX: 000000000000004a + [3310.968203] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efe6557329b + [3310.968204] RDX: 0000000000000000 RSI: 00007efe58d77010 RDI: 0000000000000006 + [3310.968205] RBP: 0000000004000000 R08: 0000000000000000 R09: 00007efe58d77010 + [3310.968207] R10: 0000000016cacc0c R11: 0000000000000293 R12: 00007efe5ce95980 + [3310.968208] R13: 0000000000000000 R14: 00007efe6447c790 R15: 0000000c80000000 + [3310.968212] ---[ end trace 1a346f4d3c0d96ba ]--- + [3310.968214] BTRFS: error (device sda) in cleanup_transaction:1946: errno=-11 unknown + +The abort occurs because of a write hole while writing out freeing tree +nodes of a tree-log tree. For zoned btrfs, we re-dirty a freed tree +node to ensure btrfs can write the region and does not leave a hole on +write on a zoned device. The current code fails to re-dirty a node +when the tree-log tree's depth is greater or equal to 2. That leads to +a transaction abort with -EAGAIN. + +Fix the issue by properly re-dirtying a node on walking up the tree. + +Fixes: d3575156f662 ("btrfs: zoned: redirty released extent buffers") +CC: stable@vger.kernel.org # 5.12+ +Link: https://github.com/kdave/btrfs-progs/issues/415 +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2879,6 +2879,8 @@ static noinline int walk_up_log_tree(str + path->nodes[*level]->len); + if (ret) + return ret; ++ btrfs_redirty_list_add(trans->transaction, ++ next); + } else { + if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) + clear_extent_buffer_dirty(next); +@@ -2959,6 +2961,7 @@ static int walk_log_tree(struct btrfs_tr + next->start, next->len); + if (ret) + goto out; ++ btrfs_redirty_list_add(trans->transaction, next); + } else { + if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) + clear_extent_buffer_dirty(next); +@@ -3412,8 +3415,6 @@ static void free_log_tree(struct btrfs_t + EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT); + extent_io_tree_release(&log->log_csum_range); + +- if (trans && log->node) +- btrfs_redirty_list_add(trans->transaction, log->node); + btrfs_put_root(log); + } + diff --git a/queue-5.15/btrfs-free-exchange-changeset-on-failures.patch b/queue-5.15/btrfs-free-exchange-changeset-on-failures.patch new file mode 100644 index 00000000000..9dc5532aca9 --- /dev/null +++ b/queue-5.15/btrfs-free-exchange-changeset-on-failures.patch @@ -0,0 +1,87 @@ +From da5e817d9d75422eaaa05490d0b9a5e328fc1a51 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Fri, 3 Dec 2021 02:55:33 -0800 +Subject: btrfs: free exchange changeset on failures + +From: Johannes Thumshirn + +commit da5e817d9d75422eaaa05490d0b9a5e328fc1a51 upstream. + +Fstests runs on my VMs have show several kmemleak reports like the following. + + unreferenced object 0xffff88811ae59080 (size 64): + comm "xfs_io", pid 12124, jiffies 4294987392 (age 6.368s) + hex dump (first 32 bytes): + 00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00 ................ + 90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff ................ + backtrace: + [<00000000ac0176d2>] ulist_add_merge+0x60/0x150 [btrfs] + [<0000000076e9f312>] set_state_bits+0x86/0xc0 [btrfs] + [<0000000014fe73d6>] set_extent_bit+0x270/0x690 [btrfs] + [<000000004f675208>] set_record_extent_bits+0x19/0x20 [btrfs] + [<00000000b96137b1>] qgroup_reserve_data+0x274/0x310 [btrfs] + [<0000000057e9dcbb>] btrfs_check_data_free_space+0x5c/0xa0 [btrfs] + [<0000000019c4511d>] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs] + [<000000006d37e007>] btrfs_dio_iomap_begin+0x415/0x970 [btrfs] + [<00000000fb8a74b8>] iomap_iter+0x161/0x1e0 + [<0000000071dff6ff>] __iomap_dio_rw+0x1df/0x700 + [<000000002567ba53>] iomap_dio_rw+0x5/0x20 + [<0000000072e555f8>] btrfs_file_write_iter+0x290/0x530 [btrfs] + [<000000005eb3d845>] new_sync_write+0x106/0x180 + [<000000003fb505bf>] vfs_write+0x24d/0x2f0 + [<000000009bb57d37>] __x64_sys_pwrite64+0x69/0xa0 + [<000000003eba3fdf>] do_syscall_64+0x43/0x90 + +In case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata() +fail the allocated extent_changeset will not be freed. + +So in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space() +free the allocated extent_changeset to get rid of the allocated memory. + +The issue currently only happens in the direct IO write path, but only +after 65b3c08606e5 ("btrfs: fix ENOSPC failure when attempting direct IO +write into NOCOW range"), and also at defrag_one_locked_target(). Every +other place is always calling extent_changeset_free() even if its call +to btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has +failed. + +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Filipe Manana +Signed-off-by: Johannes Thumshirn +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/delalloc-space.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/delalloc-space.c ++++ b/fs/btrfs/delalloc-space.c +@@ -143,10 +143,13 @@ int btrfs_check_data_free_space(struct b + + /* Use new btrfs_qgroup_reserve_data to reserve precious data space. */ + ret = btrfs_qgroup_reserve_data(inode, reserved, start, len); +- if (ret < 0) ++ if (ret < 0) { + btrfs_free_reserved_data_space_noquota(fs_info, len); +- else ++ extent_changeset_free(*reserved); ++ *reserved = NULL; ++ } else { + ret = 0; ++ } + return ret; + } + +@@ -452,8 +455,11 @@ int btrfs_delalloc_reserve_space(struct + if (ret < 0) + return ret; + ret = btrfs_delalloc_reserve_metadata(inode, len); +- if (ret < 0) ++ if (ret < 0) { + btrfs_free_reserved_data_space(inode, *reserved, start, len); ++ extent_changeset_free(*reserved); ++ *reserved = NULL; ++ } + return ret; + } + diff --git a/queue-5.15/btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch b/queue-5.15/btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch new file mode 100644 index 00000000000..658b5653db9 --- /dev/null +++ b/queue-5.15/btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch @@ -0,0 +1,36 @@ +From 8289ed9f93bef2762f9184e136d994734b16d997 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 1 Dec 2021 19:56:17 +0800 +Subject: btrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling + +From: Qu Wenruo + +commit 8289ed9f93bef2762f9184e136d994734b16d997 upstream. + +I hit the BUG_ON() with generic/475 test case, and to my surprise, all +callers of btrfs_del_root_ref() are already aborting transaction, thus +there is not need for such BUG_ON(), just go to @out label and caller +will properly handle the error. + +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Josef Bacik +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/root-tree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/root-tree.c ++++ b/fs/btrfs/root-tree.c +@@ -336,7 +336,8 @@ int btrfs_del_root_ref(struct btrfs_tran + key.offset = ref_id; + again: + ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1); +- BUG_ON(ret < 0); ++ if (ret < 0) ++ goto out; + if (ret == 0) { + leaf = path->nodes[0]; + ref = btrfs_item_ptr(leaf, path->slots[0], diff --git a/queue-5.15/cifs-fix-crash-on-unload-of-cifs_arc4.ko.patch b/queue-5.15/cifs-fix-crash-on-unload-of-cifs_arc4.ko.patch new file mode 100644 index 00000000000..1839a19dc93 --- /dev/null +++ b/queue-5.15/cifs-fix-crash-on-unload-of-cifs_arc4.ko.patch @@ -0,0 +1,43 @@ +From 51a08bdeca27988a17c87b87d8e64ffecbd2a172 Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Tue, 7 Dec 2021 12:54:19 +0100 +Subject: cifs: Fix crash on unload of cifs_arc4.ko + +From: Vincent Whitchurch + +commit 51a08bdeca27988a17c87b87d8e64ffecbd2a172 upstream. + +The exit function is wrongly placed in the __init section and this leads +to a crash when the module is unloaded. Just remove both the init and +exit functions since this module does not need them. + +Fixes: 71c02863246167b3d ("cifs: fork arc4 and create a separate module...") +Signed-off-by: Vincent Whitchurch +Acked-by: Ronnie Sahlberg +Acked-by: Paulo Alcantara (SUSE) +Cc: stable@vger.kernel.org # 5.15 +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smbfs_common/cifs_arc4.c | 13 ------------- + 1 file changed, 13 deletions(-) + +--- a/fs/smbfs_common/cifs_arc4.c ++++ b/fs/smbfs_common/cifs_arc4.c +@@ -72,16 +72,3 @@ void cifs_arc4_crypt(struct arc4_ctx *ct + ctx->y = y; + } + EXPORT_SYMBOL_GPL(cifs_arc4_crypt); +- +-static int __init +-init_smbfs_common(void) +-{ +- return 0; +-} +-static void __init +-exit_smbfs_common(void) +-{ +-} +- +-module_init(init_smbfs_common) +-module_exit(exit_smbfs_common) diff --git a/queue-5.15/scsi-qla2xxx-format-log-strings-only-if-needed.patch b/queue-5.15/scsi-qla2xxx-format-log-strings-only-if-needed.patch new file mode 100644 index 00000000000..fc9b2c28337 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-format-log-strings-only-if-needed.patch @@ -0,0 +1,37 @@ +From 69002c8ce914ef0ae22a6ea14b43bb30b9a9a6a8 Mon Sep 17 00:00:00 2001 +From: Roman Bolshakov +Date: Fri, 12 Nov 2021 17:54:46 +0300 +Subject: scsi: qla2xxx: Format log strings only if needed + +From: Roman Bolshakov + +commit 69002c8ce914ef0ae22a6ea14b43bb30b9a9a6a8 upstream. + +Commit 598a90f2002c ("scsi: qla2xxx: add ring buffer for tracing debug +logs") introduced unconditional log string formatting to ql_dbg() even if +ql_dbg_log event is disabled. It harms performance because some strings are +formatted in fastpath and/or interrupt context. + +Link: https://lore.kernel.org/r/20211112145446.51210-1-r.bolshakov@yadro.com +Fixes: 598a90f2002c ("scsi: qla2xxx: add ring buffer for tracing debug logs") +Cc: Rajan Shanmugavelu +Cc: stable@vger.kernel.org +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_dbg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_dbg.c ++++ b/drivers/scsi/qla2xxx/qla_dbg.c +@@ -2491,6 +2491,9 @@ ql_dbg(uint level, scsi_qla_host_t *vha, + struct va_format vaf; + char pbuf[64]; + ++ if (!ql_mask_match(level) && !trace_ql_dbg_log_enabled()) ++ return; ++ + va_start(va, fmt); + + vaf.fmt = fmt; diff --git a/queue-5.15/series b/queue-5.15/series index 598e8018803..3c6b7b543ea 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -61,3 +61,15 @@ timers-implement-usleep_idle_range.patch mm-damon-core-fix-fake-load-reports-due-to-uninterruptible-sleeps.patch mm-slub-fix-endianness-bug-for-alloc-free_traces-attributes.patch mm-bdi-initialize-bdi_min_ratio-when-bdi-is-unregistered.patch +alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch +alsa-hda-realtek-add-headset-mic-support-for-lenovo-alc897-platform.patch +alsa-hda-realtek-fix-quirk-for-tongfang-phxtxx1.patch +alsa-pcm-oss-fix-negative-period-buffer-sizes.patch +alsa-pcm-oss-limit-the-period-size-to-16mb.patch +alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch +cifs-fix-crash-on-unload-of-cifs_arc4.ko.patch +scsi-qla2xxx-format-log-strings-only-if-needed.patch +btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch +btrfs-fix-re-dirty-process-of-tree-log-nodes.patch +btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch +btrfs-free-exchange-changeset-on-failures.patch