From: Greg Kroah-Hartman Date: Fri, 25 Mar 2022 09:49:49 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.9.309~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77fdfa208d4f635029c490aefc8a515b776cd676;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-cmipci-restore-aux-vol-on-suspend-resume.patch alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch drivers-net-xgene-fix-regression-in-crc-stripping.patch llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch thermal-int340x-fix-memory-leak-in-int3400_notify.patch --- diff --git a/queue-4.14/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch b/queue-4.14/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch new file mode 100644 index 00000000000..0bd61d68ef2 --- /dev/null +++ b/queue-4.14/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch @@ -0,0 +1,43 @@ +From c14231cc04337c2c2a937db084af342ce704dbde Mon Sep 17 00:00:00 2001 +From: Jonathan Teh +Date: Sun, 13 Mar 2022 19:56:17 +0000 +Subject: ALSA: cmipci: Restore aux vol on suspend/resume + +From: Jonathan Teh + +commit c14231cc04337c2c2a937db084af342ce704dbde upstream. + +Save and restore CM_REG_AUX_VOL instead of register 0x24 twice on +suspend/resume. + +Tested on CMI8738LX. + +Fixes: cb60e5f5b2b1 ("[ALSA] cmipci - Add PM support") +Signed-off-by: Jonathan Teh +Cc: +Link: https://lore.kernel.org/r/DBAPR04MB7366CB3EA9C8521C35C56E8B920E9@DBAPR04MB7366.eurprd04.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/cmipci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/pci/cmipci.c ++++ b/sound/pci/cmipci.c +@@ -315,7 +315,6 @@ MODULE_PARM_DESC(joystick_port, "Joystic + #define CM_MICGAINZ 0x01 /* mic boost */ + #define CM_MICGAINZ_SHIFT 0 + +-#define CM_REG_MIXER3 0x24 + #define CM_REG_AUX_VOL 0x26 + #define CM_VAUXL_MASK 0xf0 + #define CM_VAUXR_MASK 0x0f +@@ -3326,7 +3325,7 @@ static void snd_cmipci_remove(struct pci + */ + static unsigned char saved_regs[] = { + CM_REG_FUNCTRL1, CM_REG_CHFORMAT, CM_REG_LEGACY_CTRL, CM_REG_MISC_CTRL, +- CM_REG_MIXER0, CM_REG_MIXER1, CM_REG_MIXER2, CM_REG_MIXER3, CM_REG_PLL, ++ CM_REG_MIXER0, CM_REG_MIXER1, CM_REG_MIXER2, CM_REG_AUX_VOL, CM_REG_PLL, + CM_REG_CH0_FRAME1, CM_REG_CH0_FRAME2, + CM_REG_CH1_FRAME1, CM_REG_CH1_FRAME2, CM_REG_EXT_MISC, + CM_REG_INT_STATUS, CM_REG_INT_HLDCLR, CM_REG_FUNCTRL0, diff --git a/queue-4.14/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch b/queue-4.14/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch new file mode 100644 index 00000000000..0a03d76eada --- /dev/null +++ b/queue-4.14/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch @@ -0,0 +1,56 @@ +From 17aaf0193392cb3451bf0ac75ba396ec4cbded6e Mon Sep 17 00:00:00 2001 +From: Giacomo Guiduzzi +Date: Tue, 22 Mar 2022 21:06:54 +0100 +Subject: ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec + +From: Giacomo Guiduzzi + +commit 17aaf0193392cb3451bf0ac75ba396ec4cbded6e upstream. + +Tests 72 and 78 for ALSA in kselftest fail due to reading +inconsistent values from some devices on a VirtualBox +Virtual Machine using the snd_intel8x0 driver for the AC'97 +Audio Controller device. +Taking for example test number 72, this is what the test reports: +"Surround Playback Volume.0 expected 1 but read 0, is_volatile 0" +"Surround Playback Volume.1 expected 0 but read 1, is_volatile 0" +These errors repeat for each value from 0 to 31. + +Taking a look at these error messages it is possible to notice +that the written values are read back swapped. +When the write is performed, these values are initially stored in +an array used to sanity-check them and write them in the pcmreg +array. To write them, the two one-byte values are packed together +in a two-byte variable through bitwise operations: the first +value is shifted left by one byte and the second value is stored in the +right byte through a bitwise OR. When reading the values back, +right shifts are performed to retrieve the previously stored +bytes. These shifts are executed in the wrong order, thus +reporting the values swapped as shown above. + +This patch fixes this mistake by reversing the read +operations' order. + +Signed-off-by: Giacomo Guiduzzi +Signed-off-by: Paolo Valente +Cc: +Link: https://lore.kernel.org/r/20220322200653.15862-1-guiduzzi.giacomo@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ac97/ac97_codec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -958,8 +958,8 @@ static int snd_ac97_ad18xx_pcm_get_volum + int codec = kcontrol->private_value & 3; + + mutex_lock(&ac97->page_mutex); +- ucontrol->value.integer.value[0] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 0) & 31); +- ucontrol->value.integer.value[1] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 8) & 31); ++ ucontrol->value.integer.value[0] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 8) & 31); ++ ucontrol->value.integer.value[1] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 0) & 31); + mutex_unlock(&ac97->page_mutex); + return 0; + } diff --git a/queue-4.14/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch b/queue-4.14/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch new file mode 100644 index 00000000000..037aabb88c0 --- /dev/null +++ b/queue-4.14/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch @@ -0,0 +1,53 @@ +From 1f68915b2efd0d6bfd6e124aa63c94b3c69f127c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Mar 2022 18:13:25 +0100 +Subject: ALSA: pcm: Add stream lock during PCM reset ioctl operations + +From: Takashi Iwai + +commit 1f68915b2efd0d6bfd6e124aa63c94b3c69f127c upstream. + +snd_pcm_reset() is a non-atomic operation, and it's allowed to run +during the PCM stream running. It implies that the manipulation of +hw_ptr and other parameters might be racy. + +This patch adds the PCM stream lock at appropriate places in +snd_pcm_*_reset() actions for covering that. + +Cc: +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220322171325.4355-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1616,21 +1616,25 @@ static int snd_pcm_do_reset(struct snd_p + int err = substream->ops->ioctl(substream, SNDRV_PCM_IOCTL1_RESET, NULL); + if (err < 0) + return err; ++ snd_pcm_stream_lock_irq(substream); + runtime->hw_ptr_base = 0; + runtime->hw_ptr_interrupt = runtime->status->hw_ptr - + runtime->status->hw_ptr % runtime->period_size; + runtime->silence_start = runtime->status->hw_ptr; + runtime->silence_filled = 0; ++ snd_pcm_stream_unlock_irq(substream); + return 0; + } + + static void snd_pcm_post_reset(struct snd_pcm_substream *substream, int state) + { + struct snd_pcm_runtime *runtime = substream->runtime; ++ snd_pcm_stream_lock_irq(substream); + runtime->control->appl_ptr = runtime->status->hw_ptr; + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && + runtime->silence_size > 0) + snd_pcm_playback_silence(substream, ULONG_MAX); ++ snd_pcm_stream_unlock_irq(substream); + } + + static const struct action_ops snd_pcm_action_reset = { diff --git a/queue-4.14/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch b/queue-4.14/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch new file mode 100644 index 00000000000..ddf897754a7 --- /dev/null +++ b/queue-4.14/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch @@ -0,0 +1,41 @@ +From 0f306cca42fe879694fb5e2382748c43dc9e0196 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Fri, 11 Mar 2022 21:14:00 +0100 +Subject: ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB + +From: Lars-Peter Clausen + +commit 0f306cca42fe879694fb5e2382748c43dc9e0196 upstream. + +For the RODE NT-USB the lowest Playback mixer volume setting mutes the +audio output. But it is not reported as such causing e.g. PulseAudio to +accidentally mute the device when selecting a low volume. + +Fix this by applying the existing quirk for this kind of issue when the +device is detected. + +Signed-off-by: Lars-Peter Clausen +Cc: +Link: https://lore.kernel.org/r/20220311201400.235892-1-lars@metafoo.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_quirks.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1884,9 +1884,10 @@ void snd_usb_mixer_fu_apply_quirk(struct + if (unitid == 7 && cval->control == UAC_FU_VOLUME) + snd_dragonfly_quirk_db_scale(mixer, cval, kctl); + break; +- /* lowest playback value is muted on C-Media devices */ +- case USB_ID(0x0d8c, 0x000c): +- case USB_ID(0x0d8c, 0x0014): ++ /* lowest playback value is muted on some devices */ ++ case USB_ID(0x0d8c, 0x000c): /* C-Media */ ++ case USB_ID(0x0d8c, 0x0014): /* C-Media */ ++ case USB_ID(0x19f7, 0x0003): /* RODE NT-USB */ + if (strstr(kctl->id.name, "Playback")) + cval->min_mute = 1; + break; diff --git a/queue-4.14/drivers-net-xgene-fix-regression-in-crc-stripping.patch b/queue-4.14/drivers-net-xgene-fix-regression-in-crc-stripping.patch new file mode 100644 index 00000000000..3a1e499d203 --- /dev/null +++ b/queue-4.14/drivers-net-xgene-fix-regression-in-crc-stripping.patch @@ -0,0 +1,57 @@ +From e9e6faeafaa00da1851bcf47912b0f1acae666b4 Mon Sep 17 00:00:00 2001 +From: Stephane Graber +Date: Tue, 22 Mar 2022 18:42:06 -0400 +Subject: drivers: net: xgene: Fix regression in CRC stripping + +From: Stephane Graber + +commit e9e6faeafaa00da1851bcf47912b0f1acae666b4 upstream. + +All packets on ingress (except for jumbo) are terminated with a 4-bytes +CRC checksum. It's the responsability of the driver to strip those 4 +bytes. Unfortunately a change dating back to March 2017 re-shuffled some +code and made the CRC stripping code effectively dead. + +This change re-orders that part a bit such that the datalen is +immediately altered if needed. + +Fixes: 4902a92270fb ("drivers: net: xgene: Add workaround for errata 10GE_8/ENET_11") +Cc: stable@vger.kernel.org +Signed-off-by: Stephane Graber +Tested-by: Stephane Graber +Link: https://lore.kernel.org/r/20220322224205.752795-1-stgraber@ubuntu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c +@@ -707,6 +707,12 @@ static int xgene_enet_rx_frame(struct xg + buf_pool->rx_skb[skb_index] = NULL; + + datalen = xgene_enet_get_data_len(le64_to_cpu(raw_desc->m1)); ++ ++ /* strip off CRC as HW isn't doing this */ ++ nv = GET_VAL(NV, le64_to_cpu(raw_desc->m0)); ++ if (!nv) ++ datalen -= 4; ++ + skb_put(skb, datalen); + prefetch(skb->data - NET_IP_ALIGN); + skb->protocol = eth_type_trans(skb, ndev); +@@ -728,12 +734,8 @@ static int xgene_enet_rx_frame(struct xg + } + } + +- nv = GET_VAL(NV, le64_to_cpu(raw_desc->m0)); +- if (!nv) { +- /* strip off CRC as HW isn't doing this */ +- datalen -= 4; ++ if (!nv) + goto skip_jumbo; +- } + + slots = page_pool->slots - 1; + head = page_pool->head; diff --git a/queue-4.14/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch b/queue-4.14/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch new file mode 100644 index 00000000000..9d797b575e5 --- /dev/null +++ b/queue-4.14/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch @@ -0,0 +1,55 @@ +From 764f4eb6846f5475f1244767d24d25dd86528a4a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 22 Mar 2022 17:41:47 -0700 +Subject: llc: fix netdevice reference leaks in llc_ui_bind() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +commit 764f4eb6846f5475f1244767d24d25dd86528a4a upstream. + +Whenever llc_ui_bind() and/or llc_ui_autobind() +took a reference on a netdevice but subsequently fail, +they must properly release their reference +or risk the infamous message from unregister_netdevice() +at device dismantle. + +unregister_netdevice: waiting for eth0 to become free. Usage count = 3 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: 赵子轩 +Reported-by: Stoyan Manolov +Link: https://lore.kernel.org/r/20220323004147.1990845-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -311,6 +311,10 @@ static int llc_ui_autobind(struct socket + sock_reset_flag(sk, SOCK_ZAPPED); + rc = 0; + out: ++ if (rc) { ++ dev_put(llc->dev); ++ llc->dev = NULL; ++ } + return rc; + } + +@@ -410,6 +414,10 @@ static int llc_ui_bind(struct socket *so + out_put: + llc_sap_put(sap); + out: ++ if (rc) { ++ dev_put(llc->dev); ++ llc->dev = NULL; ++ } + release_sock(sk); + return rc; + } diff --git a/queue-4.14/netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch b/queue-4.14/netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch new file mode 100644 index 00000000000..a875362f6de --- /dev/null +++ b/queue-4.14/netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch @@ -0,0 +1,29 @@ +From 4c905f6740a365464e91467aa50916555b28213d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 17 Mar 2022 12:04:42 +0100 +Subject: netfilter: nf_tables: initialize registers in nft_do_chain() + +From: Pablo Neira Ayuso + +commit 4c905f6740a365464e91467aa50916555b28213d upstream. + +Initialize registers to avoid stack leak into userspace. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -150,7 +150,7 @@ nft_do_chain(struct nft_pktinfo *pkt, vo + const struct net *net = nft_net(pkt); + const struct nft_rule *rule; + const struct nft_expr *expr, *last; +- struct nft_regs regs; ++ struct nft_regs regs = {}; + unsigned int stackptr = 0; + struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE]; + int rulenum; diff --git a/queue-4.14/series b/queue-4.14/series index 514626dc294..c16f86b4971 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -2,3 +2,11 @@ nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch esp-fix-possible-buffer-overflow-in-esp-transformation.patch staging-fbtft-fb_st7789v-reset-display-before-initialization.patch +thermal-int340x-fix-memory-leak-in-int3400_notify.patch +llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch +alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch +alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch +alsa-cmipci-restore-aux-vol-on-suspend-resume.patch +alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch +drivers-net-xgene-fix-regression-in-crc-stripping.patch +netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch diff --git a/queue-4.14/thermal-int340x-fix-memory-leak-in-int3400_notify.patch b/queue-4.14/thermal-int340x-fix-memory-leak-in-int3400_notify.patch new file mode 100644 index 00000000000..39d381e8271 --- /dev/null +++ b/queue-4.14/thermal-int340x-fix-memory-leak-in-int3400_notify.patch @@ -0,0 +1,54 @@ +From foo@baz Fri Mar 25 10:10:23 AM CET 2022 +From: Chuansheng Liu +Date: Wed, 23 Feb 2022 08:20:24 +0800 +Subject: thermal: int340x: fix memory leak in int3400_notify() + +From: Chuansheng Liu + +commit 3abea10e6a8f0e7804ed4c124bea2d15aca977c8 upstream. + +It is easy to hit the below memory leaks in my TigerLake platform: + +unreferenced object 0xffff927c8b91dbc0 (size 32): + comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s) + hex dump (first 32 bytes): + 4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65 NAME=INT3400 The + 72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 rmal.kkkkkkkkkk. + backtrace: + [] __kmalloc_track_caller+0x2fe/0x4a0 + [] kvasprintf+0x65/0xd0 + [] kasprintf+0x4e/0x70 + [] int3400_notify+0x82/0x120 [int3400_thermal] + [] acpi_ev_notify_dispatch+0x54/0x71 + [] acpi_os_execute_deferred+0x17/0x30 + [] process_one_work+0x21a/0x3f0 + [] worker_thread+0x4a/0x3b0 + [] kthread+0xfd/0x130 + [] ret_from_fork+0x1f/0x30 + +Fix it by calling kfree() accordingly. + +Fixes: 38e44da59130 ("thermal: int3400_thermal: process "thermal table changed" event") +Signed-off-by: Chuansheng Liu +Cc: 4.14+ # 4.14+ +Signed-off-by: Rafael J. Wysocki +[sudip: change in old path] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/int340x_thermal/int3400_thermal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c +@@ -223,6 +223,10 @@ static void int3400_notify(acpi_handle h + thermal_prop[4] = NULL; + kobject_uevent_env(&priv->thermal->device.kobj, KOBJ_CHANGE, + thermal_prop); ++ kfree(thermal_prop[0]); ++ kfree(thermal_prop[1]); ++ kfree(thermal_prop[2]); ++ kfree(thermal_prop[3]); + break; + default: + dev_err(&priv->adev->dev, "Unsupported event [0x%x]\n", event);