From: Greg Kroah-Hartman Date: Sat, 24 May 2025 15:51:34 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.12.31~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=987d62c9beb62dbc683282d9b46b3428d71c1ba9;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14asp10.patch alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch asoc-sof-ipc4-control-use-sof_ctrl_cmd_binary-as-numid-for-bytes_ext.patch asoc-sof-ipc4-pcm-delay-reporting-is-only-supported-for-playback-direction.patch asoc-sof-topology-connect-dai-to-a-single-dai-link.patch can-kvaser_pciefd-continue-parsing-dma-buf-after-dropped-rx.patch llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch --- diff --git a/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14asp10.patch b/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14asp10.patch new file mode 100644 index 0000000000..2ac9e49f6d --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14asp10.patch @@ -0,0 +1,32 @@ +From 8d70503068510e6080c2c649cccb154f16de26c9 Mon Sep 17 00:00:00 2001 +From: Ed Burcher +Date: Mon, 19 May 2025 23:49:07 +0100 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 + +From: Ed Burcher + +commit 8d70503068510e6080c2c649cccb154f16de26c9 upstream. + +Lenovo Yoga Pro 7 (gen 10) with Realtek ALC3306 and combined CS35L56 +amplifiers need quirk ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN to +enable bass + +Signed-off-by: Ed Burcher +Cc: +Link: https://patch.msgid.link/20250519224907.31265-2-git@edburcher.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10574,6 +10574,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x17aa, 0x38f9, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38fa, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), diff --git a/queue-6.6/alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch b/queue-6.6/alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch new file mode 100644 index 0000000000..ebc4d18500 --- /dev/null +++ b/queue-6.6/alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch @@ -0,0 +1,74 @@ +From 93a81ca0657758b607c3f4ba889ae806be9beb73 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 16 May 2025 10:08:16 +0200 +Subject: ALSA: pcm: Fix race of buffer access at PCM OSS layer + +From: Takashi Iwai + +commit 93a81ca0657758b607c3f4ba889ae806be9beb73 upstream. + +The PCM OSS layer tries to clear the buffer with the silence data at +initialization (or reconfiguration) of a stream with the explicit call +of snd_pcm_format_set_silence() with runtime->dma_area. But this may +lead to a UAF because the accessed runtime->dma_area might be freed +concurrently, as it's performed outside the PCM ops. + +For avoiding it, move the code into the PCM core and perform it inside +the buffer access lock, so that it won't be changed during the +operation. + +Reported-by: syzbot+32d4647f551007595173@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/68164d8e.050a0220.11da1b.0019.GAE@google.com +Cc: +Link: https://patch.msgid.link/20250516080817.20068-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/pcm.h | 2 ++ + sound/core/oss/pcm_oss.c | 3 +-- + sound/core/pcm_native.c | 11 +++++++++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -1427,6 +1427,8 @@ int snd_pcm_lib_mmap_iomem(struct snd_pc + #define snd_pcm_lib_mmap_iomem NULL + #endif + ++void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime); ++ + /** + * snd_pcm_limit_isa_dma_size - Get the max size fitting with ISA DMA transfer + * @dma: DMA number +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1085,8 +1085,7 @@ static int snd_pcm_oss_change_params_loc + runtime->oss.params = 0; + runtime->oss.prepare = 1; + runtime->oss.buffer_used = 0; +- if (runtime->dma_area) +- snd_pcm_format_set_silence(runtime->format, runtime->dma_area, bytes_to_samples(runtime, runtime->dma_bytes)); ++ snd_pcm_runtime_buffer_set_silence(runtime); + + runtime->oss.period_frames = snd_pcm_alsa_frames(substream, oss_period_size); + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -703,6 +703,17 @@ static void snd_pcm_buffer_access_unlock + atomic_inc(&runtime->buffer_accessing); + } + ++/* fill the PCM buffer with the current silence format; called from pcm_oss.c */ ++void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime) ++{ ++ snd_pcm_buffer_access_lock(runtime); ++ if (runtime->dma_area) ++ snd_pcm_format_set_silence(runtime->format, runtime->dma_area, ++ bytes_to_samples(runtime, runtime->dma_bytes)); ++ snd_pcm_buffer_access_unlock(runtime); ++} ++EXPORT_SYMBOL_GPL(snd_pcm_runtime_buffer_set_silence); ++ + #if IS_ENABLED(CONFIG_SND_PCM_OSS) + #define is_oss_stream(substream) ((substream)->oss.oss) + #else diff --git a/queue-6.6/asoc-sof-ipc4-control-use-sof_ctrl_cmd_binary-as-numid-for-bytes_ext.patch b/queue-6.6/asoc-sof-ipc4-control-use-sof_ctrl_cmd_binary-as-numid-for-bytes_ext.patch new file mode 100644 index 0000000000..d2085b05d3 --- /dev/null +++ b/queue-6.6/asoc-sof-ipc4-control-use-sof_ctrl_cmd_binary-as-numid-for-bytes_ext.patch @@ -0,0 +1,64 @@ +From 4d14b1069e9e672dbe1adab52594076da6f4a62d Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Fri, 9 May 2025 11:56:33 +0300 +Subject: ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext + +From: Peter Ujfalusi + +commit 4d14b1069e9e672dbe1adab52594076da6f4a62d upstream. + +The header.numid is set to scontrol->comp_id in bytes_ext_get and it is +ignored during bytes_ext_put. +The use of comp_id is not quite great as it is kernel internal +identification number. + +Set the header.numid to SOF_CTRL_CMD_BINARY during get and validate the +numid during put to provide consistent and compatible identification +number as IPC3. + +For IPC4 existing tooling also ignored the numid but with the use of +SOF_CTRL_CMD_BINARY the different handling of the blobs can be dropped, +providing better user experience. + +Reported-by: Seppo Ingalsuo +Closes: https://github.com/thesofproject/linux/issues/5282 +Fixes: a062c8899fed ("ASoC: SOF: ipc4-control: Add support for bytes control get and put") +Cc: stable@vger.kernel.org +Signed-off-by: Peter Ujfalusi +Reviewed-by: Seppo Ingalsuo +Reviewed-by: Ranjani Sridharan +Reviewed-by: Liam Girdwood +Link: https://patch.msgid.link/20250509085633.14930-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/ipc4-control.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/sound/soc/sof/ipc4-control.c ++++ b/sound/soc/sof/ipc4-control.c +@@ -483,6 +483,14 @@ static int sof_ipc4_bytes_ext_put(struct + return -EINVAL; + } + ++ /* Check header id */ ++ if (header.numid != SOF_CTRL_CMD_BINARY) { ++ dev_err_ratelimited(scomp->dev, ++ "Incorrect numid for bytes put %d\n", ++ header.numid); ++ return -EINVAL; ++ } ++ + /* Verify the ABI header first */ + if (copy_from_user(&abi_hdr, tlvd->tlv, sizeof(abi_hdr))) + return -EFAULT; +@@ -565,7 +573,8 @@ static int _sof_ipc4_bytes_ext_get(struc + if (data_size > size) + return -ENOSPC; + +- header.numid = scontrol->comp_id; ++ /* Set header id and length */ ++ header.numid = SOF_CTRL_CMD_BINARY; + header.length = data_size; + + if (copy_to_user(tlvd, &header, sizeof(struct snd_ctl_tlv))) diff --git a/queue-6.6/asoc-sof-ipc4-pcm-delay-reporting-is-only-supported-for-playback-direction.patch b/queue-6.6/asoc-sof-ipc4-pcm-delay-reporting-is-only-supported-for-playback-direction.patch new file mode 100644 index 0000000000..b280619c35 --- /dev/null +++ b/queue-6.6/asoc-sof-ipc4-pcm-delay-reporting-is-only-supported-for-playback-direction.patch @@ -0,0 +1,39 @@ +From 98db16f314b3a0d6e5acd94708ea69751436467f Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Fri, 9 May 2025 11:59:51 +0300 +Subject: ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction + +From: Peter Ujfalusi + +commit 98db16f314b3a0d6e5acd94708ea69751436467f upstream. + +The firmware does not provide any information for capture streams via the +shared pipeline registers. + +To avoid reporting invalid delay value for capture streams to user space +we need to disable it. + +Fixes: af74dbd0dbcf ("ASoC: SOF: ipc4-pcm: allocate time info for pcm delay feature") +Cc: stable@vger.kernel.org +Signed-off-by: Peter Ujfalusi +Reviewed-by: Bard Liao +Reviewed-by: Liam Girdwood +Link: https://patch.msgid.link/20250509085951.15696-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/ipc4-pcm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/soc/sof/ipc4-pcm.c ++++ b/sound/soc/sof/ipc4-pcm.c +@@ -621,7 +621,8 @@ static int sof_ipc4_pcm_setup(struct snd + return -ENOMEM; + } + +- if (!support_info) ++ /* Delay reporting is only supported on playback */ ++ if (!support_info || stream == SNDRV_PCM_STREAM_CAPTURE) + continue; + + stream_info = kzalloc(sizeof(*stream_info), GFP_KERNEL); diff --git a/queue-6.6/asoc-sof-topology-connect-dai-to-a-single-dai-link.patch b/queue-6.6/asoc-sof-topology-connect-dai-to-a-single-dai-link.patch new file mode 100644 index 0000000000..c682ec7d92 --- /dev/null +++ b/queue-6.6/asoc-sof-topology-connect-dai-to-a-single-dai-link.patch @@ -0,0 +1,70 @@ +From 6052f05254b4fe7b16bbd8224779af52fba98b71 Mon Sep 17 00:00:00 2001 +From: Kai Vehmanen +Date: Fri, 9 May 2025 11:53:18 +0300 +Subject: ASoc: SOF: topology: connect DAI to a single DAI link +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Vehmanen + +commit 6052f05254b4fe7b16bbd8224779af52fba98b71 upstream. + +The partial matching of DAI widget to link names, can cause problems if +one of the widget names is a substring of another. E.g. with names +"Foo1" and Foo10", it's not possible to correctly link up "Foo1". + +Modify the logic so that if multiple DAI links match the widget stream +name, prioritize a full match if one is found. + +Fixes: fe88788779fc ("ASoC: SOF: topology: Use partial match for connecting DAI link and DAI widget") +Link: https://github.com/thesofproject/linux/issues/5308 +Signed-off-by: Kai Vehmanen +Reviewed-by: Péter Ujfalusi +Reviewed-by: Ranjani Sridharan +Cc: stable@vger.kernel.org +Signed-off-by: Peter Ujfalusi +Link: https://patch.msgid.link/20250509085318.13936-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/topology.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -1057,7 +1057,7 @@ static int sof_connect_dai_widget(struct + struct snd_sof_dai *dai) + { + struct snd_soc_card *card = scomp->card; +- struct snd_soc_pcm_runtime *rtd; ++ struct snd_soc_pcm_runtime *rtd, *full, *partial; + struct snd_soc_dai *cpu_dai; + int stream; + int i; +@@ -1074,12 +1074,22 @@ static int sof_connect_dai_widget(struct + else + goto end; + ++ full = NULL; ++ partial = NULL; + list_for_each_entry(rtd, &card->rtd_list, list) { + /* does stream match DAI link ? */ +- if (!rtd->dai_link->stream_name || +- !strstr(rtd->dai_link->stream_name, w->sname)) +- continue; ++ if (rtd->dai_link->stream_name) { ++ if (!strcmp(rtd->dai_link->stream_name, w->sname)) { ++ full = rtd; ++ break; ++ } else if (strstr(rtd->dai_link->stream_name, w->sname)) { ++ partial = rtd; ++ } ++ } ++ } + ++ rtd = full ? full : partial; ++ if (rtd) { + for_each_rtd_cpu_dais(rtd, i, cpu_dai) { + /* + * Please create DAI widget in the right order diff --git a/queue-6.6/can-kvaser_pciefd-continue-parsing-dma-buf-after-dropped-rx.patch b/queue-6.6/can-kvaser_pciefd-continue-parsing-dma-buf-after-dropped-rx.patch new file mode 100644 index 0000000000..79631bfa43 --- /dev/null +++ b/queue-6.6/can-kvaser_pciefd-continue-parsing-dma-buf-after-dropped-rx.patch @@ -0,0 +1,62 @@ +From 6d820b81c4dc4a4023e45c3cd6707a07dd838649 Mon Sep 17 00:00:00 2001 +From: Axel Forsman +Date: Tue, 20 May 2025 13:43:32 +0200 +Subject: can: kvaser_pciefd: Continue parsing DMA buf after dropped RX + +From: Axel Forsman + +commit 6d820b81c4dc4a4023e45c3cd6707a07dd838649 upstream. + +Going bus-off on a channel doing RX could result in dropped packets. + +As netif_running() gets cleared before the channel abort procedure, +the handling of any last RDATA packets would see netif_rx() return +non-zero to signal a dropped packet. kvaser_pciefd_read_buffer() dealt +with this "error" by breaking out of processing the remaining DMA RX +buffer. + +Only return an error from kvaser_pciefd_read_buffer() due to packet +corruption, otherwise handle it internally. + +Cc: stable@vger.kernel.org +Signed-off-by: Axel Forsman +Tested-by: Jimmy Assarsson +Reviewed-by: Jimmy Assarsson +Link: https://patch.msgid.link/20250520114332.8961-4-axfo@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/kvaser_pciefd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -1137,7 +1137,7 @@ static int kvaser_pciefd_handle_data_pac + skb = alloc_canfd_skb(priv->dev, &cf); + if (!skb) { + priv->dev->stats.rx_dropped++; +- return -ENOMEM; ++ return 0; + } + + cf->len = can_fd_dlc2len(dlc); +@@ -1149,7 +1149,7 @@ static int kvaser_pciefd_handle_data_pac + skb = alloc_can_skb(priv->dev, (struct can_frame **)&cf); + if (!skb) { + priv->dev->stats.rx_dropped++; +- return -ENOMEM; ++ return 0; + } + can_frame_set_cc_len((struct can_frame *)cf, dlc, priv->ctrlmode); + } +@@ -1167,7 +1167,9 @@ static int kvaser_pciefd_handle_data_pac + priv->dev->stats.rx_packets++; + kvaser_pciefd_set_skb_timestamp(pcie, skb, p->timestamp); + +- return netif_rx(skb); ++ netif_rx(skb); ++ ++ return 0; + } + + static void kvaser_pciefd_change_state(struct kvaser_pciefd_can *can, diff --git a/queue-6.6/llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch b/queue-6.6/llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch new file mode 100644 index 0000000000..143f06805e --- /dev/null +++ b/queue-6.6/llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch @@ -0,0 +1,49 @@ +From 239af1970bcb039a1551d2c438d113df0010c149 Mon Sep 17 00:00:00 2001 +From: Ilia Gavrilov +Date: Thu, 15 May 2025 12:20:15 +0000 +Subject: llc: fix data loss when reading from a socket in llc_ui_recvmsg() + +From: Ilia Gavrilov + +commit 239af1970bcb039a1551d2c438d113df0010c149 upstream. + +For SOCK_STREAM sockets, if user buffer size (len) is less +than skb size (skb->len), the remaining data from skb +will be lost after calling kfree_skb(). + +To fix this, move the statement for partial reading +above skb deletion. + +Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) + +Fixes: 30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -888,15 +888,15 @@ static int llc_ui_recvmsg(struct socket + if (sk->sk_type != SOCK_STREAM) + goto copy_uaddr; + ++ /* Partial read */ ++ if (used + offset < skb_len) ++ continue; ++ + if (!(flags & MSG_PEEK)) { + skb_unlink(skb, &sk->sk_receive_queue); + kfree_skb(skb); + *seq = 0; + } +- +- /* Partial read */ +- if (used + offset < skb_len) +- continue; + } while (len > 0); + + out: diff --git a/queue-6.6/series b/queue-6.6/series index 08813a196a..a2139afdb8 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -361,3 +361,10 @@ padata-do-not-leak-refcount-in-reorder_work.patch can-slcan-allow-reception-of-short-error-messages.patch can-bcm-add-locking-for-bcm_op-runtime-updates.patch can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch +asoc-sof-ipc4-control-use-sof_ctrl_cmd_binary-as-numid-for-bytes_ext.patch +asoc-sof-topology-connect-dai-to-a-single-dai-link.patch +asoc-sof-ipc4-pcm-delay-reporting-is-only-supported-for-playback-direction.patch +alsa-pcm-fix-race-of-buffer-access-at-pcm-oss-layer.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14asp10.patch +llc-fix-data-loss-when-reading-from-a-socket-in-llc_ui_recvmsg.patch +can-kvaser_pciefd-continue-parsing-dma-buf-after-dropped-rx.patch