From: Greg Kroah-Hartman Date: Sat, 15 Apr 2023 16:47:07 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.14.313~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8636773424599a33be4d4159caadf4e51a65c54f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-emu10k1-fix-capture-interrupt-handler-unlinking.patch alsa-hda-sigmatel-add-pin-overrides-for-intel-dp45sg-motherboard.patch alsa-hda-sigmatel-fix-s-pdif-out-on-intel-d-45-motherboards.patch alsa-i2c-cs8427-fix-iec958-mixer-control-deactivation.patch bluetooth-fix-race-condition-in-hidp_session_thread.patch bluetooth-l2cap-fix-use-after-free-in-l2cap_disconnect_-req-rsp.patch --- diff --git a/queue-4.19/alsa-emu10k1-fix-capture-interrupt-handler-unlinking.patch b/queue-4.19/alsa-emu10k1-fix-capture-interrupt-handler-unlinking.patch new file mode 100644 index 00000000000..4032166d5fc --- /dev/null +++ b/queue-4.19/alsa-emu10k1-fix-capture-interrupt-handler-unlinking.patch @@ -0,0 +1,49 @@ +From b09c551c77c7e01dc6e4f3c8bf06b5ffa7b06db5 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 5 Apr 2023 22:12:20 +0200 +Subject: ALSA: emu10k1: fix capture interrupt handler unlinking + +From: Oswald Buddenhagen + +commit b09c551c77c7e01dc6e4f3c8bf06b5ffa7b06db5 upstream. + +Due to two copy/pastos, closing the MIC or EFX capture device would +make a running ADC capture hang due to unsetting its interrupt handler. +In principle, this would have also allowed dereferencing dangling +pointers, but we're actually rather thorough at disabling and flushing +the ints. + +While it may sound like one, this actually wasn't a hypothetical bug: +PortAudio will open a capture stream at startup (and close it right +away) even if not asked to. If the first device is busy, it will just +proceed with the next one ... thus killing a concurrent capture. + +Signed-off-by: Oswald Buddenhagen +Cc: +Link: https://lore.kernel.org/r/20230405201220.2197923-1-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/emu10k1/emupcm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/pci/emu10k1/emupcm.c ++++ b/sound/pci/emu10k1/emupcm.c +@@ -1258,7 +1258,7 @@ static int snd_emu10k1_capture_mic_close + { + struct snd_emu10k1 *emu = snd_pcm_substream_chip(substream); + +- emu->capture_interrupt = NULL; ++ emu->capture_mic_interrupt = NULL; + emu->pcm_capture_mic_substream = NULL; + return 0; + } +@@ -1366,7 +1366,7 @@ static int snd_emu10k1_capture_efx_close + { + struct snd_emu10k1 *emu = snd_pcm_substream_chip(substream); + +- emu->capture_interrupt = NULL; ++ emu->capture_efx_interrupt = NULL; + emu->pcm_capture_efx_substream = NULL; + return 0; + } diff --git a/queue-4.19/alsa-hda-sigmatel-add-pin-overrides-for-intel-dp45sg-motherboard.patch b/queue-4.19/alsa-hda-sigmatel-add-pin-overrides-for-intel-dp45sg-motherboard.patch new file mode 100644 index 00000000000..a691cd4d2c1 --- /dev/null +++ b/queue-4.19/alsa-hda-sigmatel-add-pin-overrides-for-intel-dp45sg-motherboard.patch @@ -0,0 +1,44 @@ +From c17f8fd31700392b1bb9e7b66924333568cb3700 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 5 Apr 2023 22:12:19 +0200 +Subject: ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard + +From: Oswald Buddenhagen + +commit c17f8fd31700392b1bb9e7b66924333568cb3700 upstream. + +Like the other boards from the D*45* series, this one sets up the +outputs not quite correctly. + +Signed-off-by: Oswald Buddenhagen +Cc: +Link: https://lore.kernel.org/r/20230405201220.2197826-1-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sound/hd-audio/models.rst | 2 +- + sound/pci/hda/patch_sigmatel.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/Documentation/sound/hd-audio/models.rst ++++ b/Documentation/sound/hd-audio/models.rst +@@ -691,7 +691,7 @@ ref + no-jd + BIOS setup but without jack-detection + intel +- Intel DG45* mobos ++ Intel D*45* mobos + dell-m6-amic + Dell desktops/laptops with analog mics + dell-m6-dmic +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -1971,6 +1971,8 @@ static const struct snd_pci_quirk stac92 + "DFI LanParty", STAC_92HD73XX_REF), + SND_PCI_QUIRK(PCI_VENDOR_ID_DFI, 0x3101, + "DFI LanParty", STAC_92HD73XX_REF), ++ SND_PCI_QUIRK(PCI_VENDOR_ID_INTEL, 0x5001, ++ "Intel DP45SG", STAC_92HD73XX_INTEL), + SND_PCI_QUIRK(PCI_VENDOR_ID_INTEL, 0x5002, + "Intel DG45ID", STAC_92HD73XX_INTEL), + SND_PCI_QUIRK(PCI_VENDOR_ID_INTEL, 0x5003, diff --git a/queue-4.19/alsa-hda-sigmatel-fix-s-pdif-out-on-intel-d-45-motherboards.patch b/queue-4.19/alsa-hda-sigmatel-fix-s-pdif-out-on-intel-d-45-motherboards.patch new file mode 100644 index 00000000000..d22462bb5e7 --- /dev/null +++ b/queue-4.19/alsa-hda-sigmatel-fix-s-pdif-out-on-intel-d-45-motherboards.patch @@ -0,0 +1,67 @@ +From f342ac00da1064eb4f94b1f4bcacbdfea955797a Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 5 Apr 2023 22:12:20 +0200 +Subject: ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards + +From: Oswald Buddenhagen + +commit f342ac00da1064eb4f94b1f4bcacbdfea955797a upstream. + +The BIOS botches this one completely - it says the 2nd S/PDIF output is +used, while in fact it's the 1st one. This is tested on DP45SG, but I'm +assuming it's valid for the other boards in the series as well. + +Also add some comments regarding the pins. +FWIW, the codec is apparently still sold by Tempo Semiconductor, Inc., +where one can download the documentation. + +Signed-off-by: Oswald Buddenhagen +Cc: +Link: https://lore.kernel.org/r/20230405201220.2197826-2-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_sigmatel.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -1723,6 +1723,7 @@ static const struct snd_pci_quirk stac92 + }; + + static const struct hda_pintbl ref92hd73xx_pin_configs[] = { ++ // Port A-H + { 0x0a, 0x02214030 }, + { 0x0b, 0x02a19040 }, + { 0x0c, 0x01a19020 }, +@@ -1731,9 +1732,12 @@ static const struct hda_pintbl ref92hd73 + { 0x0f, 0x01014010 }, + { 0x10, 0x01014020 }, + { 0x11, 0x01014030 }, ++ // CD in + { 0x12, 0x02319040 }, ++ // Digial Mic ins + { 0x13, 0x90a000f0 }, + { 0x14, 0x90a000f0 }, ++ // Digital outs + { 0x22, 0x01452050 }, + { 0x23, 0x01452050 }, + {} +@@ -1774,6 +1778,7 @@ static const struct hda_pintbl alienware + }; + + static const struct hda_pintbl intel_dg45id_pin_configs[] = { ++ // Analog outputs + { 0x0a, 0x02214230 }, + { 0x0b, 0x02A19240 }, + { 0x0c, 0x01013214 }, +@@ -1781,6 +1786,9 @@ static const struct hda_pintbl intel_dg4 + { 0x0e, 0x01A19250 }, + { 0x0f, 0x01011212 }, + { 0x10, 0x01016211 }, ++ // Digital output ++ { 0x22, 0x01451380 }, ++ { 0x23, 0x40f000f0 }, + {} + }; + diff --git a/queue-4.19/alsa-i2c-cs8427-fix-iec958-mixer-control-deactivation.patch b/queue-4.19/alsa-i2c-cs8427-fix-iec958-mixer-control-deactivation.patch new file mode 100644 index 00000000000..c36be464d09 --- /dev/null +++ b/queue-4.19/alsa-i2c-cs8427-fix-iec958-mixer-control-deactivation.patch @@ -0,0 +1,40 @@ +From e98e7a82bca2b6dce3e03719cff800ec913f9af7 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 5 Apr 2023 22:12:19 +0200 +Subject: ALSA: i2c/cs8427: fix iec958 mixer control deactivation + +From: Oswald Buddenhagen + +commit e98e7a82bca2b6dce3e03719cff800ec913f9af7 upstream. + +snd_cs8427_iec958_active() would always delete +SNDRV_CTL_ELEM_ACCESS_INACTIVE, even though the function has an +argument `active`. + +Signed-off-by: Oswald Buddenhagen +Cc: +Link: https://lore.kernel.org/r/20230405201219.2197811-1-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/i2c/cs8427.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/i2c/cs8427.c ++++ b/sound/i2c/cs8427.c +@@ -568,10 +568,13 @@ int snd_cs8427_iec958_active(struct snd_ + if (snd_BUG_ON(!cs8427)) + return -ENXIO; + chip = cs8427->private_data; +- if (active) ++ if (active) { + memcpy(chip->playback.pcm_status, + chip->playback.def_status, 24); +- chip->playback.pcm_ctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_INACTIVE; ++ chip->playback.pcm_ctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_INACTIVE; ++ } else { ++ chip->playback.pcm_ctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_INACTIVE; ++ } + snd_ctl_notify(cs8427->bus->card, + SNDRV_CTL_EVENT_MASK_VALUE | SNDRV_CTL_EVENT_MASK_INFO, + &chip->playback.pcm_ctl->id); diff --git a/queue-4.19/bluetooth-fix-race-condition-in-hidp_session_thread.patch b/queue-4.19/bluetooth-fix-race-condition-in-hidp_session_thread.patch new file mode 100644 index 00000000000..247e0555cc4 --- /dev/null +++ b/queue-4.19/bluetooth-fix-race-condition-in-hidp_session_thread.patch @@ -0,0 +1,52 @@ +From c95930abd687fcd1aa040dc4fe90dff947916460 Mon Sep 17 00:00:00 2001 +From: Min Li +Date: Sat, 4 Mar 2023 22:23:30 +0800 +Subject: Bluetooth: Fix race condition in hidp_session_thread + +From: Min Li + +commit c95930abd687fcd1aa040dc4fe90dff947916460 upstream. + +There is a potential race condition in hidp_session_thread that may +lead to use-after-free. For instance, the timer is active while +hidp_del_timer is called in hidp_session_thread(). After hidp_session_put, +then 'session' will be freed, causing kernel panic when hidp_idle_timeout +is running. + +The solution is to use del_timer_sync instead of del_timer. + +Here is the call trace: + +? hidp_session_probe+0x780/0x780 +call_timer_fn+0x2d/0x1e0 +__run_timers.part.0+0x569/0x940 +hidp_session_probe+0x780/0x780 +call_timer_fn+0x1e0/0x1e0 +ktime_get+0x5c/0xf0 +lapic_next_deadline+0x2c/0x40 +clockevents_program_event+0x205/0x320 +run_timer_softirq+0xa9/0x1b0 +__do_softirq+0x1b9/0x641 +__irq_exit_rcu+0xdc/0x190 +irq_exit_rcu+0xe/0x20 +sysvec_apic_timer_interrupt+0xa1/0xc0 + +Cc: stable@vger.kernel.org +Signed-off-by: Min Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hidp/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -428,7 +428,7 @@ static void hidp_set_timer(struct hidp_s + static void hidp_del_timer(struct hidp_session *session) + { + if (session->idle_to > 0) +- del_timer(&session->timer); ++ del_timer_sync(&session->timer); + } + + static void hidp_process_report(struct hidp_session *session, int type, diff --git a/queue-4.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_disconnect_-req-rsp.patch b/queue-4.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_disconnect_-req-rsp.patch new file mode 100644 index 00000000000..81f378d97e1 --- /dev/null +++ b/queue-4.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_disconnect_-req-rsp.patch @@ -0,0 +1,97 @@ +From a2a9339e1c9deb7e1e079e12e27a0265aea8421a Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Thu, 6 Apr 2023 09:33:09 -0700 +Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} + +From: Luiz Augusto von Dentz + +commit a2a9339e1c9deb7e1e079e12e27a0265aea8421a upstream. + +Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free +caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to +prevent referencing a channel that is about to be destroyed. + +Cc: stable@kernel.org +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Min Li +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_core.c | 24 ++++++------------------ + 1 file changed, 6 insertions(+), 18 deletions(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4350,33 +4350,27 @@ static inline int l2cap_disconnect_req(s + + BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); + +- mutex_lock(&conn->chan_lock); +- +- chan = __l2cap_get_chan_by_scid(conn, dcid); ++ chan = l2cap_get_chan_by_scid(conn, dcid); + if (!chan) { +- mutex_unlock(&conn->chan_lock); + cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid); + return 0; + } + +- l2cap_chan_hold(chan); +- l2cap_chan_lock(chan); +- + rsp.dcid = cpu_to_le16(chan->scid); + rsp.scid = cpu_to_le16(chan->dcid); + l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); + + chan->ops->set_shutdown(chan); + ++ mutex_lock(&conn->chan_lock); + l2cap_chan_del(chan, ECONNRESET); ++ mutex_unlock(&conn->chan_lock); + + chan->ops->close(chan); + + l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + +- mutex_unlock(&conn->chan_lock); +- + return 0; + } + +@@ -4396,33 +4390,27 @@ static inline int l2cap_disconnect_rsp(s + + BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); + +- mutex_lock(&conn->chan_lock); +- +- chan = __l2cap_get_chan_by_scid(conn, scid); ++ chan = l2cap_get_chan_by_scid(conn, scid); + if (!chan) { + mutex_unlock(&conn->chan_lock); + return 0; + } + +- l2cap_chan_hold(chan); +- l2cap_chan_lock(chan); +- + if (chan->state != BT_DISCONN) { + l2cap_chan_unlock(chan); + l2cap_chan_put(chan); +- mutex_unlock(&conn->chan_lock); + return 0; + } + ++ mutex_lock(&conn->chan_lock); + l2cap_chan_del(chan, 0); ++ mutex_unlock(&conn->chan_lock); + + chan->ops->close(chan); + + l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + +- mutex_unlock(&conn->chan_lock); +- + return 0; + } + diff --git a/queue-4.19/series b/queue-4.19/series index 733c31b1c58..d3772c940ee 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -26,3 +26,9 @@ ftrace-mark-get_lock_parent_ip-__always_inline.patch ring-buffer-fix-race-while-reader-and-writer-are-on-the-same-page.patch mm-swap-fix-swap_info_struct-race-between-swapoff-and-get_swap_pages.patch revert-pinctrl-amd-disable-and-mask-interrupts-on-resume.patch +alsa-emu10k1-fix-capture-interrupt-handler-unlinking.patch +alsa-hda-sigmatel-add-pin-overrides-for-intel-dp45sg-motherboard.patch +alsa-i2c-cs8427-fix-iec958-mixer-control-deactivation.patch +alsa-hda-sigmatel-fix-s-pdif-out-on-intel-d-45-motherboards.patch +bluetooth-l2cap-fix-use-after-free-in-l2cap_disconnect_-req-rsp.patch +bluetooth-fix-race-condition-in-hidp_session_thread.patch