From 030ce8bf0deeecede03bf35bd3d21ed73e7bb7c0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 25 Mar 2022 10:50:33 +0100 Subject: [PATCH] 5.16-stable patches added patches: alsa-cmipci-restore-aux-vol-on-suspend-resume.patch alsa-hda-realtek-add-quirk-for-asus-ga402.patch alsa-hda-realtek-add-quirk-for-clevo-np50pnj.patch alsa-hda-realtek-add-quirk-for-clevo-np70pnj.patch alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch alsa-oss-fix-pcm-oss-buffer-allocation-overflow.patch alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch alsa-pcm-fix-races-among-concurrent-hw_params-and-hw_free-calls.patch alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch alsa-usb-audio-add-mapping-for-new-corsair-virtuoso-se.patch alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch asoc-sti-fix-deadlock-via-snd_pcm_stop_xrun-call.patch bluetooth-btusb-add-another-realtek-8761bu.patch drivers-net-xgene-fix-regression-in-crc-stripping.patch llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch netfilter-nf_tables-validate-registers-coming-from-userspace.patch --- ...ci-restore-aux-vol-on-suspend-resume.patch | 43 +++++ ...hda-realtek-add-quirk-for-asus-ga402.patch | 31 +++ ...-realtek-add-quirk-for-clevo-np50pnj.patch | 30 +++ ...-realtek-add-quirk-for-clevo-np70pnj.patch | 30 +++ ...problem-for-a-hp-machine-with-alc671.patch | 32 ++++ ...x-pcm-oss-buffer-allocation-overflow.patch | 83 ++++++++ ...ped-values-from-pcmreg-in-ac97-codec.patch | 56 ++++++ ...ck-during-pcm-reset-ioctl-operations.patch | 54 ++++++ ...ncurrent-hw_params-and-hw_free-calls.patch | 179 ++++++++++++++++++ ...mong-concurrent-prealloc-proc-writes.patch | 68 +++++++ ...-prepare-and-hw_params-hw_free-calls.patch | 97 ++++++++++ ...urrent-read-write-and-buffer-changes.patch | 60 ++++++ ...-mapping-for-new-corsair-virtuoso-se.patch | 49 +++++ ...-for-playback-volumes-on-rode-nt-usb.patch | 41 ++++ ...-deadlock-via-snd_pcm_stop_xrun-call.patch | 74 ++++++++ ...oth-btusb-add-another-realtek-8761bu.patch | 61 ++++++ ...gene-fix-regression-in-crc-stripping.patch | 57 ++++++ ...evice-reference-leaks-in-llc_ui_bind.patch | 55 ++++++ ...initialize-registers-in-nft_do_chain.patch | 29 +++ ...date-registers-coming-from-userspace.patch | 71 +++++++ queue-5.16/series | 20 ++ 21 files changed, 1220 insertions(+) create mode 100644 queue-5.16/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch create mode 100644 queue-5.16/alsa-hda-realtek-add-quirk-for-asus-ga402.patch create mode 100644 queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np50pnj.patch create mode 100644 queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np70pnj.patch create mode 100644 queue-5.16/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch create mode 100644 queue-5.16/alsa-oss-fix-pcm-oss-buffer-allocation-overflow.patch create mode 100644 queue-5.16/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch create mode 100644 queue-5.16/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch create mode 100644 queue-5.16/alsa-pcm-fix-races-among-concurrent-hw_params-and-hw_free-calls.patch create mode 100644 queue-5.16/alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch create mode 100644 queue-5.16/alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch create mode 100644 queue-5.16/alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch create mode 100644 queue-5.16/alsa-usb-audio-add-mapping-for-new-corsair-virtuoso-se.patch create mode 100644 queue-5.16/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch create mode 100644 queue-5.16/asoc-sti-fix-deadlock-via-snd_pcm_stop_xrun-call.patch create mode 100644 queue-5.16/bluetooth-btusb-add-another-realtek-8761bu.patch create mode 100644 queue-5.16/drivers-net-xgene-fix-regression-in-crc-stripping.patch create mode 100644 queue-5.16/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch create mode 100644 queue-5.16/netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch create mode 100644 queue-5.16/netfilter-nf_tables-validate-registers-coming-from-userspace.patch diff --git a/queue-5.16/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch b/queue-5.16/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch new file mode 100644 index 00000000000..d79d3472f70 --- /dev/null +++ b/queue-5.16/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch @@ -0,0 +1,43 @@ +From c14231cc04337c2c2a937db084af342ce704dbde Mon Sep 17 00:00:00 2001 +From: Jonathan Teh +Date: Sun, 13 Mar 2022 19:56:17 +0000 +Subject: ALSA: cmipci: Restore aux vol on suspend/resume + +From: Jonathan Teh + +commit c14231cc04337c2c2a937db084af342ce704dbde upstream. + +Save and restore CM_REG_AUX_VOL instead of register 0x24 twice on +suspend/resume. + +Tested on CMI8738LX. + +Fixes: cb60e5f5b2b1 ("[ALSA] cmipci - Add PM support") +Signed-off-by: Jonathan Teh +Cc: +Link: https://lore.kernel.org/r/DBAPR04MB7366CB3EA9C8521C35C56E8B920E9@DBAPR04MB7366.eurprd04.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/cmipci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/pci/cmipci.c ++++ b/sound/pci/cmipci.c +@@ -298,7 +298,6 @@ MODULE_PARM_DESC(joystick_port, "Joystic + #define CM_MICGAINZ 0x01 /* mic boost */ + #define CM_MICGAINZ_SHIFT 0 + +-#define CM_REG_MIXER3 0x24 + #define CM_REG_AUX_VOL 0x26 + #define CM_VAUXL_MASK 0xf0 + #define CM_VAUXR_MASK 0x0f +@@ -3265,7 +3264,7 @@ static int snd_cmipci_probe(struct pci_d + */ + static const unsigned char saved_regs[] = { + CM_REG_FUNCTRL1, CM_REG_CHFORMAT, CM_REG_LEGACY_CTRL, CM_REG_MISC_CTRL, +- CM_REG_MIXER0, CM_REG_MIXER1, CM_REG_MIXER2, CM_REG_MIXER3, CM_REG_PLL, ++ CM_REG_MIXER0, CM_REG_MIXER1, CM_REG_MIXER2, CM_REG_AUX_VOL, CM_REG_PLL, + CM_REG_CH0_FRAME1, CM_REG_CH0_FRAME2, + CM_REG_CH1_FRAME1, CM_REG_CH1_FRAME2, CM_REG_EXT_MISC, + CM_REG_INT_STATUS, CM_REG_INT_HLDCLR, CM_REG_FUNCTRL0, diff --git a/queue-5.16/alsa-hda-realtek-add-quirk-for-asus-ga402.patch b/queue-5.16/alsa-hda-realtek-add-quirk-for-asus-ga402.patch new file mode 100644 index 00000000000..b64d66c3267 --- /dev/null +++ b/queue-5.16/alsa-hda-realtek-add-quirk-for-asus-ga402.patch @@ -0,0 +1,31 @@ +From b7557267c233b55d8e8d7ba4c68cf944fe2ec02c Mon Sep 17 00:00:00 2001 +From: Jason Zheng +Date: Sun, 13 Mar 2022 04:22:16 -0500 +Subject: ALSA: hda/realtek: Add quirk for ASUS GA402 + +From: Jason Zheng + +commit b7557267c233b55d8e8d7ba4c68cf944fe2ec02c upstream. + +ASUS GA402 requires a workaround to manage the routing of its 4 speakers +like the other ASUS models. Add a corresponding quirk entry to fix it. + +Signed-off-by: Jason Zheng +Cc: +Link: https://lore.kernel.org/r/20220313092216.29858-1-jasonzheng2004@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8866,6 +8866,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x1e51, "ASUS Zephyrus M15", ALC294_FIXUP_ASUS_GU502_PINS), + SND_PCI_QUIRK(0x1043, 0x1e8e, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_GA401), ++ SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x16b2, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), + SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC), diff --git a/queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np50pnj.patch b/queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np50pnj.patch new file mode 100644 index 00000000000..ce09b3deeea --- /dev/null +++ b/queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np50pnj.patch @@ -0,0 +1,30 @@ +From 9cb727506704b5323998047789fc871e64a6aa14 Mon Sep 17 00:00:00 2001 +From: Tim Crawford +Date: Mon, 7 Mar 2022 12:32:29 -0700 +Subject: ALSA: hda/realtek: Add quirk for Clevo NP50PNJ + +From: Tim Crawford + +commit 9cb727506704b5323998047789fc871e64a6aa14 upstream. + +Fixes headset detection on Clevo NP50PNJ. + +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20220307193229.5141-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8949,6 +8949,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x8561, "Clevo NH[57][0-9][ER][ACDH]Q", ALC269_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1558, 0x8562, "Clevo NH[57][0-9]RZ[Q]", ALC269_FIXUP_DMIC), + SND_PCI_QUIRK(0x1558, 0x8668, "Clevo NP50B[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x866d, "Clevo NP5[05]PN[HJK]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x867d, "Clevo NP7[01]PN[HJK]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8680, "Clevo NJ50LU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8686, "Clevo NH50[CZ]U", ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME), diff --git a/queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np70pnj.patch b/queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np70pnj.patch new file mode 100644 index 00000000000..ed6bd4cc323 --- /dev/null +++ b/queue-5.16/alsa-hda-realtek-add-quirk-for-clevo-np70pnj.patch @@ -0,0 +1,30 @@ +From 0c20fce13e6e111463e3a15ce3cf6713fe518388 Mon Sep 17 00:00:00 2001 +From: Tim Crawford +Date: Fri, 4 Mar 2022 10:08:40 -0700 +Subject: ALSA: hda/realtek: Add quirk for Clevo NP70PNJ + +From: Tim Crawford + +commit 0c20fce13e6e111463e3a15ce3cf6713fe518388 upstream. + +Fixes headset detection on Clevo NP70PNJ. + +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20220304170840.3351-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8949,6 +8949,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x8561, "Clevo NH[57][0-9][ER][ACDH]Q", ALC269_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1558, 0x8562, "Clevo NH[57][0-9]RZ[Q]", ALC269_FIXUP_DMIC), + SND_PCI_QUIRK(0x1558, 0x8668, "Clevo NP50B[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x867d, "Clevo NP7[01]PN[HJK]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8680, "Clevo NJ50LU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x8686, "Clevo NH50[CZ]U", ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME), + SND_PCI_QUIRK(0x1558, 0x8a20, "Clevo NH55DCQ-Y", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-5.16/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch b/queue-5.16/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch new file mode 100644 index 00000000000..44f56d63c25 --- /dev/null +++ b/queue-5.16/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch @@ -0,0 +1,32 @@ +From 882bd07f564f97fca6e42ce6ce627ce24ce1ef5a Mon Sep 17 00:00:00 2001 +From: huangwenhui +Date: Fri, 11 Mar 2022 17:38:36 +0800 +Subject: ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 + +From: huangwenhui + +commit 882bd07f564f97fca6e42ce6ce627ce24ce1ef5a upstream. + +On a HP 288 Pro G8, the front mic could not be detected.In order to +get it working, the pin configuration needs to be set correctly, and +the ALC671_FIXUP_HP_HEADSET_MIC2 fixup needs to be applied. + +Signed-off-by: huangwenhui +Cc: +Link: https://lore.kernel.org/r/20220311093836.20754-1-huangwenhuia@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10911,6 +10911,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), + SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2), ++ SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x1043, 0x1080, "Asus UX501VW", ALC668_FIXUP_HEADSET_MODE), + SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50), + SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50), diff --git a/queue-5.16/alsa-oss-fix-pcm-oss-buffer-allocation-overflow.patch b/queue-5.16/alsa-oss-fix-pcm-oss-buffer-allocation-overflow.patch new file mode 100644 index 00000000000..9788cab8da3 --- /dev/null +++ b/queue-5.16/alsa-oss-fix-pcm-oss-buffer-allocation-overflow.patch @@ -0,0 +1,83 @@ +From efb6402c3c4a7c26d97c92d70186424097b6e366 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 18 Mar 2022 09:20:36 +0100 +Subject: ALSA: oss: Fix PCM OSS buffer allocation overflow + +From: Takashi Iwai + +commit efb6402c3c4a7c26d97c92d70186424097b6e366 upstream. + +We've got syzbot reports hitting INT_MAX overflow at vmalloc() +allocation that is called from snd_pcm_plug_alloc(). Although we +apply the restrictions to input parameters, it's based only on the +hw_params of the underlying PCM device. Since the PCM OSS layer +allocates a temporary buffer for the data conversion, the size may +become unexpectedly large when more channels or higher rates is given; +in the reported case, it went over INT_MAX, hence it hits WARN_ON(). + +This patch is an attempt to avoid such an overflow and an allocation +for too large buffers. First off, it adds the limit of 1MB as the +upper bound for period bytes. This must be large enough for all use +cases, and we really don't want to handle a larger temporary buffer +than this size. The size check is performed at two places, where the +original period bytes is calculated and where the plugin buffer size +is calculated. + +In addition, the driver uses array_size() and array3_size() for +multiplications to catch overflows for the converted period size and +buffer bytes. + +Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com +Suggested-by: Linus Torvalds +Cc: +Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com +Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/oss/pcm_oss.c | 12 ++++++++---- + sound/core/oss/pcm_plugin.c | 5 ++++- + 2 files changed, 12 insertions(+), 5 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -774,6 +774,11 @@ static int snd_pcm_oss_period_size(struc + + if (oss_period_size < 16) + return -EINVAL; ++ ++ /* don't allocate too large period; 1MB period must be enough */ ++ if (oss_period_size > 1024 * 1024) ++ return -ENOMEM; ++ + runtime->oss.period_bytes = oss_period_size; + runtime->oss.period_frames = 1; + runtime->oss.periods = oss_periods; +@@ -1043,10 +1048,9 @@ static int snd_pcm_oss_change_params_loc + goto failure; + } + #endif +- oss_period_size *= oss_frame_size; +- +- oss_buffer_size = oss_period_size * runtime->oss.periods; +- if (oss_buffer_size < 0) { ++ oss_period_size = array_size(oss_period_size, oss_frame_size); ++ oss_buffer_size = array_size(oss_period_size, runtime->oss.periods); ++ if (oss_buffer_size <= 0) { + err = -EINVAL; + goto failure; + } +--- a/sound/core/oss/pcm_plugin.c ++++ b/sound/core/oss/pcm_plugin.c +@@ -62,7 +62,10 @@ static int snd_pcm_plugin_alloc(struct s + width = snd_pcm_format_physical_width(format->format); + if (width < 0) + return width; +- size = frames * format->channels * width; ++ size = array3_size(frames, format->channels, width); ++ /* check for too large period size once again */ ++ if (size > 1024 * 1024) ++ return -ENOMEM; + if (snd_BUG_ON(size % 8)) + return -ENXIO; + size /= 8; diff --git a/queue-5.16/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch b/queue-5.16/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch new file mode 100644 index 00000000000..8b8261a1ddd --- /dev/null +++ b/queue-5.16/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch @@ -0,0 +1,56 @@ +From 17aaf0193392cb3451bf0ac75ba396ec4cbded6e Mon Sep 17 00:00:00 2001 +From: Giacomo Guiduzzi +Date: Tue, 22 Mar 2022 21:06:54 +0100 +Subject: ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec + +From: Giacomo Guiduzzi + +commit 17aaf0193392cb3451bf0ac75ba396ec4cbded6e upstream. + +Tests 72 and 78 for ALSA in kselftest fail due to reading +inconsistent values from some devices on a VirtualBox +Virtual Machine using the snd_intel8x0 driver for the AC'97 +Audio Controller device. +Taking for example test number 72, this is what the test reports: +"Surround Playback Volume.0 expected 1 but read 0, is_volatile 0" +"Surround Playback Volume.1 expected 0 but read 1, is_volatile 0" +These errors repeat for each value from 0 to 31. + +Taking a look at these error messages it is possible to notice +that the written values are read back swapped. +When the write is performed, these values are initially stored in +an array used to sanity-check them and write them in the pcmreg +array. To write them, the two one-byte values are packed together +in a two-byte variable through bitwise operations: the first +value is shifted left by one byte and the second value is stored in the +right byte through a bitwise OR. When reading the values back, +right shifts are performed to retrieve the previously stored +bytes. These shifts are executed in the wrong order, thus +reporting the values swapped as shown above. + +This patch fixes this mistake by reversing the read +operations' order. + +Signed-off-by: Giacomo Guiduzzi +Signed-off-by: Paolo Valente +Cc: +Link: https://lore.kernel.org/r/20220322200653.15862-1-guiduzzi.giacomo@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ac97/ac97_codec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -938,8 +938,8 @@ static int snd_ac97_ad18xx_pcm_get_volum + int codec = kcontrol->private_value & 3; + + mutex_lock(&ac97->page_mutex); +- ucontrol->value.integer.value[0] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 0) & 31); +- ucontrol->value.integer.value[1] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 8) & 31); ++ ucontrol->value.integer.value[0] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 8) & 31); ++ ucontrol->value.integer.value[1] = 31 - ((ac97->spec.ad18xx.pcmreg[codec] >> 0) & 31); + mutex_unlock(&ac97->page_mutex); + return 0; + } diff --git a/queue-5.16/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch b/queue-5.16/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch new file mode 100644 index 00000000000..a804e4340b2 --- /dev/null +++ b/queue-5.16/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch @@ -0,0 +1,54 @@ +From 1f68915b2efd0d6bfd6e124aa63c94b3c69f127c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Mar 2022 18:13:25 +0100 +Subject: ALSA: pcm: Add stream lock during PCM reset ioctl operations + +From: Takashi Iwai + +commit 1f68915b2efd0d6bfd6e124aa63c94b3c69f127c upstream. + +snd_pcm_reset() is a non-atomic operation, and it's allowed to run +during the PCM stream running. It implies that the manipulation of +hw_ptr and other parameters might be racy. + +This patch adds the PCM stream lock at appropriate places in +snd_pcm_*_reset() actions for covering that. + +Cc: +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220322171325.4355-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1851,11 +1851,13 @@ static int snd_pcm_do_reset(struct snd_p + int err = snd_pcm_ops_ioctl(substream, SNDRV_PCM_IOCTL1_RESET, NULL); + if (err < 0) + return err; ++ snd_pcm_stream_lock_irq(substream); + runtime->hw_ptr_base = 0; + runtime->hw_ptr_interrupt = runtime->status->hw_ptr - + runtime->status->hw_ptr % runtime->period_size; + runtime->silence_start = runtime->status->hw_ptr; + runtime->silence_filled = 0; ++ snd_pcm_stream_unlock_irq(substream); + return 0; + } + +@@ -1863,10 +1865,12 @@ static void snd_pcm_post_reset(struct sn + snd_pcm_state_t state) + { + struct snd_pcm_runtime *runtime = substream->runtime; ++ snd_pcm_stream_lock_irq(substream); + runtime->control->appl_ptr = runtime->status->hw_ptr; + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && + runtime->silence_size > 0) + snd_pcm_playback_silence(substream, ULONG_MAX); ++ snd_pcm_stream_unlock_irq(substream); + } + + static const struct action_ops snd_pcm_action_reset = { diff --git a/queue-5.16/alsa-pcm-fix-races-among-concurrent-hw_params-and-hw_free-calls.patch b/queue-5.16/alsa-pcm-fix-races-among-concurrent-hw_params-and-hw_free-calls.patch new file mode 100644 index 00000000000..cf24d09cdcd --- /dev/null +++ b/queue-5.16/alsa-pcm-fix-races-among-concurrent-hw_params-and-hw_free-calls.patch @@ -0,0 +1,179 @@ +From 92ee3c60ec9fe64404dc035e7c41277d74aa26cb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Mar 2022 18:07:17 +0100 +Subject: ALSA: pcm: Fix races among concurrent hw_params and hw_free calls + +From: Takashi Iwai + +commit 92ee3c60ec9fe64404dc035e7c41277d74aa26cb upstream. + +Currently we have neither proper check nor protection against the +concurrent calls of PCM hw_params and hw_free ioctls, which may result +in a UAF. Since the existing PCM stream lock can't be used for +protecting the whole ioctl operations, we need a new mutex to protect +those racy calls. + +This patch introduced a new mutex, runtime->buffer_mutex, and applies +it to both hw_params and hw_free ioctl code paths. Along with it, the +both functions are slightly modified (the mmap_count check is moved +into the state-check block) for code simplicity. + +Reported-by: Hu Jiahui +Cc: +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220322170720.3529-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/pcm.h | 1 + sound/core/pcm.c | 2 + + sound/core/pcm_native.c | 61 ++++++++++++++++++++++++++++++------------------ + 3 files changed, 42 insertions(+), 22 deletions(-) + +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -398,6 +398,7 @@ struct snd_pcm_runtime { + wait_queue_head_t tsleep; /* transfer sleep */ + struct fasync_struct *fasync; + bool stop_operating; /* sync_stop will be called */ ++ struct mutex buffer_mutex; /* protect for buffer changes */ + + /* -- private section -- */ + void *private_data; +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -969,6 +969,7 @@ int snd_pcm_attach_substream(struct snd_ + init_waitqueue_head(&runtime->tsleep); + + runtime->status->state = SNDRV_PCM_STATE_OPEN; ++ mutex_init(&runtime->buffer_mutex); + + substream->runtime = runtime; + substream->private_data = pcm->private_data; +@@ -1002,6 +1003,7 @@ void snd_pcm_detach_substream(struct snd + } else { + substream->runtime = NULL; + } ++ mutex_destroy(&runtime->buffer_mutex); + kfree(runtime); + put_pid(substream->pid); + substream->pid = NULL; +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -672,33 +672,40 @@ static int snd_pcm_hw_params_choose(stru + return 0; + } + ++#if IS_ENABLED(CONFIG_SND_PCM_OSS) ++#define is_oss_stream(substream) ((substream)->oss.oss) ++#else ++#define is_oss_stream(substream) false ++#endif ++ + static int snd_pcm_hw_params(struct snd_pcm_substream *substream, + struct snd_pcm_hw_params *params) + { + struct snd_pcm_runtime *runtime; +- int err, usecs; ++ int err = 0, usecs; + unsigned int bits; + snd_pcm_uframes_t frames; + + if (PCM_RUNTIME_CHECK(substream)) + return -ENXIO; + runtime = substream->runtime; ++ mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + switch (runtime->status->state) { + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ if (!is_oss_stream(substream) && ++ atomic_read(&substream->mmap_count)) ++ err = -EBADFD; + break; + default: +- snd_pcm_stream_unlock_irq(substream); +- return -EBADFD; ++ err = -EBADFD; ++ break; + } + snd_pcm_stream_unlock_irq(substream); +-#if IS_ENABLED(CONFIG_SND_PCM_OSS) +- if (!substream->oss.oss) +-#endif +- if (atomic_read(&substream->mmap_count)) +- return -EBADFD; ++ if (err) ++ goto unlock; + + snd_pcm_sync_stop(substream, true); + +@@ -786,16 +793,21 @@ static int snd_pcm_hw_params(struct snd_ + if (usecs >= 0) + cpu_latency_qos_add_request(&substream->latency_pm_qos_req, + usecs); +- return 0; ++ err = 0; + _error: +- /* hardware might be unusable from this time, +- so we force application to retry to set +- the correct hardware parameter settings */ +- snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); +- if (substream->ops->hw_free != NULL) +- substream->ops->hw_free(substream); +- if (substream->managed_buffer_alloc) +- snd_pcm_lib_free_pages(substream); ++ if (err) { ++ /* hardware might be unusable from this time, ++ * so we force application to retry to set ++ * the correct hardware parameter settings ++ */ ++ snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); ++ if (substream->ops->hw_free != NULL) ++ substream->ops->hw_free(substream); ++ if (substream->managed_buffer_alloc) ++ snd_pcm_lib_free_pages(substream); ++ } ++ unlock: ++ mutex_unlock(&runtime->buffer_mutex); + return err; + } + +@@ -835,26 +847,31 @@ static int do_hw_free(struct snd_pcm_sub + static int snd_pcm_hw_free(struct snd_pcm_substream *substream) + { + struct snd_pcm_runtime *runtime; +- int result; ++ int result = 0; + + if (PCM_RUNTIME_CHECK(substream)) + return -ENXIO; + runtime = substream->runtime; ++ mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + switch (runtime->status->state) { + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ if (atomic_read(&substream->mmap_count)) ++ result = -EBADFD; + break; + default: +- snd_pcm_stream_unlock_irq(substream); +- return -EBADFD; ++ result = -EBADFD; ++ break; + } + snd_pcm_stream_unlock_irq(substream); +- if (atomic_read(&substream->mmap_count)) +- return -EBADFD; ++ if (result) ++ goto unlock; + result = do_hw_free(substream); + snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); + cpu_latency_qos_remove_request(&substream->latency_pm_qos_req); ++ unlock: ++ mutex_unlock(&runtime->buffer_mutex); + return result; + } + diff --git a/queue-5.16/alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch b/queue-5.16/alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch new file mode 100644 index 00000000000..887a68cd171 --- /dev/null +++ b/queue-5.16/alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch @@ -0,0 +1,68 @@ +From 69534c48ba8ce552ce383b3dfdb271ffe51820c3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Mar 2022 18:07:20 +0100 +Subject: ALSA: pcm: Fix races among concurrent prealloc proc writes + +From: Takashi Iwai + +commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream. + +We have no protection against concurrent PCM buffer preallocation +changes via proc files, and it may potentially lead to UAF or some +weird problem. This patch applies the PCM open_mutex to the proc +write operation for avoiding the racy proc writes and the PCM stream +open (and further operations). + +Cc: +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_memory.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/sound/core/pcm_memory.c ++++ b/sound/core/pcm_memory.c +@@ -163,19 +163,20 @@ static void snd_pcm_lib_preallocate_proc + size_t size; + struct snd_dma_buffer new_dmab; + ++ mutex_lock(&substream->pcm->open_mutex); + if (substream->runtime) { + buffer->error = -EBUSY; +- return; ++ goto unlock; + } + if (!snd_info_get_line(buffer, line, sizeof(line))) { + snd_info_get_str(str, line, sizeof(str)); + size = simple_strtoul(str, NULL, 10) * 1024; + if ((size != 0 && size < 8192) || size > substream->dma_max) { + buffer->error = -EINVAL; +- return; ++ goto unlock; + } + if (substream->dma_buffer.bytes == size) +- return; ++ goto unlock; + memset(&new_dmab, 0, sizeof(new_dmab)); + new_dmab.dev = substream->dma_buffer.dev; + if (size > 0) { +@@ -189,7 +190,7 @@ static void snd_pcm_lib_preallocate_proc + substream->pcm->card->number, substream->pcm->device, + substream->stream ? 'c' : 'p', substream->number, + substream->pcm->name, size); +- return; ++ goto unlock; + } + substream->buffer_bytes_max = size; + } else { +@@ -201,6 +202,8 @@ static void snd_pcm_lib_preallocate_proc + } else { + buffer->error = -EINVAL; + } ++ unlock: ++ mutex_unlock(&substream->pcm->open_mutex); + } + + static inline void preallocate_info_init(struct snd_pcm_substream *substream) diff --git a/queue-5.16/alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch b/queue-5.16/alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch new file mode 100644 index 00000000000..bcbf7ca3bd1 --- /dev/null +++ b/queue-5.16/alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch @@ -0,0 +1,97 @@ +From 3c3201f8c7bb77eb53b08a3ca8d9a4ddc500b4c0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Mar 2022 18:07:19 +0100 +Subject: ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls + +From: Takashi Iwai + +commit 3c3201f8c7bb77eb53b08a3ca8d9a4ddc500b4c0 upstream. + +Like the previous fixes to hw_params and hw_free ioctl races, we need +to paper over the concurrent prepare ioctl calls against hw_params and +hw_free, too. + +This patch implements the locking with the existing +runtime->buffer_mutex for prepare ioctls. Unlike the previous case +for snd_pcm_hw_hw_params() and snd_pcm_hw_free(), snd_pcm_prepare() is +performed to the linked streams, hence the lock can't be applied +simply on the top. For tracking the lock in each linked substream, we +modify snd_pcm_action_group() slightly and apply the buffer_mutex for +the case stream_lock=false (formerly there was no lock applied) +there. + +Cc: +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220322170720.3529-4-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_native.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1177,15 +1177,17 @@ struct action_ops { + static int snd_pcm_action_group(const struct action_ops *ops, + struct snd_pcm_substream *substream, + snd_pcm_state_t state, +- bool do_lock) ++ bool stream_lock) + { + struct snd_pcm_substream *s = NULL; + struct snd_pcm_substream *s1; + int res = 0, depth = 1; + + snd_pcm_group_for_each_entry(s, substream) { +- if (do_lock && s != substream) { +- if (s->pcm->nonatomic) ++ if (s != substream) { ++ if (!stream_lock) ++ mutex_lock_nested(&s->runtime->buffer_mutex, depth); ++ else if (s->pcm->nonatomic) + mutex_lock_nested(&s->self_group.mutex, depth); + else + spin_lock_nested(&s->self_group.lock, depth); +@@ -1213,18 +1215,18 @@ static int snd_pcm_action_group(const st + ops->post_action(s, state); + } + _unlock: +- if (do_lock) { +- /* unlock streams */ +- snd_pcm_group_for_each_entry(s1, substream) { +- if (s1 != substream) { +- if (s1->pcm->nonatomic) +- mutex_unlock(&s1->self_group.mutex); +- else +- spin_unlock(&s1->self_group.lock); +- } +- if (s1 == s) /* end */ +- break; ++ /* unlock streams */ ++ snd_pcm_group_for_each_entry(s1, substream) { ++ if (s1 != substream) { ++ if (!stream_lock) ++ mutex_unlock(&s1->runtime->buffer_mutex); ++ else if (s1->pcm->nonatomic) ++ mutex_unlock(&s1->self_group.mutex); ++ else ++ spin_unlock(&s1->self_group.lock); + } ++ if (s1 == s) /* end */ ++ break; + } + return res; + } +@@ -1354,10 +1356,12 @@ static int snd_pcm_action_nonatomic(cons + + /* Guarantee the group members won't change during non-atomic action */ + down_read(&snd_pcm_link_rwsem); ++ mutex_lock(&substream->runtime->buffer_mutex); + if (snd_pcm_stream_linked(substream)) + res = snd_pcm_action_group(ops, substream, state, false); + else + res = snd_pcm_action_single(ops, substream, state); ++ mutex_unlock(&substream->runtime->buffer_mutex); + up_read(&snd_pcm_link_rwsem); + return res; + } diff --git a/queue-5.16/alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch b/queue-5.16/alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch new file mode 100644 index 00000000000..d3c32d85cad --- /dev/null +++ b/queue-5.16/alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch @@ -0,0 +1,60 @@ +From dca947d4d26dbf925a64a6cfb2ddbc035e831a3d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Mar 2022 18:07:18 +0100 +Subject: ALSA: pcm: Fix races among concurrent read/write and buffer changes + +From: Takashi Iwai + +commit dca947d4d26dbf925a64a6cfb2ddbc035e831a3d upstream. + +In the current PCM design, the read/write syscalls (as well as the +equivalent ioctls) are allowed before the PCM stream is running, that +is, at PCM PREPARED state. Meanwhile, we also allow to re-issue +hw_params and hw_free ioctl calls at the PREPARED state that may +change or free the buffers, too. The problem is that there is no +protection against those mix-ups. + +This patch applies the previously introduced runtime->buffer_mutex to +the read/write operations so that the concurrent hw_params or hw_free +call can no longer interfere during the operation. The mutex is +unlocked before scheduling, so we don't take it too long. + +Cc: +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220322170720.3529-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_lib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -1906,9 +1906,11 @@ static int wait_for_avail(struct snd_pcm + if (avail >= runtime->twake) + break; + snd_pcm_stream_unlock_irq(substream); ++ mutex_unlock(&runtime->buffer_mutex); + + tout = schedule_timeout(wait_time); + ++ mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + set_current_state(TASK_INTERRUPTIBLE); + switch (runtime->status->state) { +@@ -2202,6 +2204,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + + nonblock = !!(substream->f_flags & O_NONBLOCK); + ++ mutex_lock(&runtime->buffer_mutex); + snd_pcm_stream_lock_irq(substream); + err = pcm_accessible_state(runtime); + if (err < 0) +@@ -2293,6 +2296,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str + if (xfer > 0 && err >= 0) + snd_pcm_update_state(substream, runtime); + snd_pcm_stream_unlock_irq(substream); ++ mutex_unlock(&runtime->buffer_mutex); + return xfer > 0 ? (snd_pcm_sframes_t)xfer : err; + } + EXPORT_SYMBOL(__snd_pcm_lib_xfer); diff --git a/queue-5.16/alsa-usb-audio-add-mapping-for-new-corsair-virtuoso-se.patch b/queue-5.16/alsa-usb-audio-add-mapping-for-new-corsair-virtuoso-se.patch new file mode 100644 index 00000000000..b46ee54b891 --- /dev/null +++ b/queue-5.16/alsa-usb-audio-add-mapping-for-new-corsair-virtuoso-se.patch @@ -0,0 +1,49 @@ +From cd94df1795418056a19ff4cb44eadfc18ac99a57 Mon Sep 17 00:00:00 2001 +From: Reza Jahanbakhshi +Date: Fri, 4 Mar 2022 22:23:02 +0100 +Subject: ALSA: usb-audio: add mapping for new Corsair Virtuoso SE + +From: Reza Jahanbakhshi + +commit cd94df1795418056a19ff4cb44eadfc18ac99a57 upstream. + +New device id for Corsair Virtuoso SE RGB Wireless that currently is not +in the mixer_map. This entry in the mixer_map is necessary in order to +label its mixer appropriately and allow userspace to pick the correct +volume controls. For instance, my own Corsair Virtuoso SE RGB Wireless +headset has this new ID and consequently, the sidetone and volume are not + working correctly without this change. +> sudo lsusb -v | grep -i corsair +Bus 007 Device 011: ID 1b1c:0a40 Corsair CORSAIR VIRTUOSO SE Wireless Gam + idVendor 0x1b1c Corsair + iManufacturer 1 Corsair + iProduct 2 CORSAIR VIRTUOSO SE Wireless Gaming Headset + +Signed-off-by: Reza Jahanbakhshi +Cc: +Link: https://lore.kernel.org/r/20220304212303.195949-1-reza.jahanbakhshi@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_maps.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -537,6 +537,16 @@ static const struct usbmix_ctl_map usbmi + .map = corsair_virtuoso_map, + }, + { ++ /* Corsair Virtuoso SE Latest (wired mode) */ ++ .id = USB_ID(0x1b1c, 0x0a3f), ++ .map = corsair_virtuoso_map, ++ }, ++ { ++ /* Corsair Virtuoso SE Latest (wireless mode) */ ++ .id = USB_ID(0x1b1c, 0x0a40), ++ .map = corsair_virtuoso_map, ++ }, ++ { + /* Corsair Virtuoso (wireless mode) */ + .id = USB_ID(0x1b1c, 0x0a42), + .map = corsair_virtuoso_map, diff --git a/queue-5.16/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch b/queue-5.16/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch new file mode 100644 index 00000000000..0dae52a0098 --- /dev/null +++ b/queue-5.16/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch @@ -0,0 +1,41 @@ +From 0f306cca42fe879694fb5e2382748c43dc9e0196 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Fri, 11 Mar 2022 21:14:00 +0100 +Subject: ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB + +From: Lars-Peter Clausen + +commit 0f306cca42fe879694fb5e2382748c43dc9e0196 upstream. + +For the RODE NT-USB the lowest Playback mixer volume setting mutes the +audio output. But it is not reported as such causing e.g. PulseAudio to +accidentally mute the device when selecting a low volume. + +Fix this by applying the existing quirk for this kind of issue when the +device is detected. + +Signed-off-by: Lars-Peter Clausen +Cc: +Link: https://lore.kernel.org/r/20220311201400.235892-1-lars@metafoo.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_quirks.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -3362,9 +3362,10 @@ void snd_usb_mixer_fu_apply_quirk(struct + if (unitid == 7 && cval->control == UAC_FU_VOLUME) + snd_dragonfly_quirk_db_scale(mixer, cval, kctl); + break; +- /* lowest playback value is muted on C-Media devices */ +- case USB_ID(0x0d8c, 0x000c): +- case USB_ID(0x0d8c, 0x0014): ++ /* lowest playback value is muted on some devices */ ++ case USB_ID(0x0d8c, 0x000c): /* C-Media */ ++ case USB_ID(0x0d8c, 0x0014): /* C-Media */ ++ case USB_ID(0x19f7, 0x0003): /* RODE NT-USB */ + if (strstr(kctl->id.name, "Playback")) + cval->min_mute = 1; + break; diff --git a/queue-5.16/asoc-sti-fix-deadlock-via-snd_pcm_stop_xrun-call.patch b/queue-5.16/asoc-sti-fix-deadlock-via-snd_pcm_stop_xrun-call.patch new file mode 100644 index 00000000000..2eea844908a --- /dev/null +++ b/queue-5.16/asoc-sti-fix-deadlock-via-snd_pcm_stop_xrun-call.patch @@ -0,0 +1,74 @@ +From 455c5653f50e10b4f460ef24e99f0044fbe3401c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Mar 2022 17:41:58 +0100 +Subject: ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call + +From: Takashi Iwai + +commit 455c5653f50e10b4f460ef24e99f0044fbe3401c upstream. + +This is essentially a revert of the commit dc865fb9e7c2 ("ASoC: sti: +Use snd_pcm_stop_xrun() helper"), which converted the manual +snd_pcm_stop() calls with snd_pcm_stop_xrun(). + +The commit above introduced a deadlock as snd_pcm_stop_xrun() itself +takes the PCM stream lock while the caller already holds it. Since +the conversion was done only for consistency reason and the open-call +with snd_pcm_stop() to the XRUN state is a correct usage, let's revert +the commit back as the fix. + +Fixes: dc865fb9e7c2 ("ASoC: sti: Use snd_pcm_stop_xrun() helper") +Reported-by: Daniel Palmer +Cc: Arnaud POULIQUEN +Cc: +Link: https://lore.kernel.org/r/20220315091319.3351522-1-daniel@0x0f.com +Signed-off-by: Takashi Iwai +Reviewed-by: Arnaud Pouliquen +Link: https://lore.kernel.org/r/20220315164158.19804-1-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sti/uniperif_player.c | 6 +++--- + sound/soc/sti/uniperif_reader.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/soc/sti/uniperif_player.c ++++ b/sound/soc/sti/uniperif_player.c +@@ -91,7 +91,7 @@ static irqreturn_t uni_player_irq_handle + SET_UNIPERIF_ITM_BCLR_FIFO_ERROR(player); + + /* Stop the player */ +- snd_pcm_stop_xrun(player->substream); ++ snd_pcm_stop(player->substream, SNDRV_PCM_STATE_XRUN); + } + + ret = IRQ_HANDLED; +@@ -105,7 +105,7 @@ static irqreturn_t uni_player_irq_handle + SET_UNIPERIF_ITM_BCLR_DMA_ERROR(player); + + /* Stop the player */ +- snd_pcm_stop_xrun(player->substream); ++ snd_pcm_stop(player->substream, SNDRV_PCM_STATE_XRUN); + + ret = IRQ_HANDLED; + } +@@ -138,7 +138,7 @@ static irqreturn_t uni_player_irq_handle + dev_err(player->dev, "Underflow recovery failed\n"); + + /* Stop the player */ +- snd_pcm_stop_xrun(player->substream); ++ snd_pcm_stop(player->substream, SNDRV_PCM_STATE_XRUN); + + ret = IRQ_HANDLED; + } +--- a/sound/soc/sti/uniperif_reader.c ++++ b/sound/soc/sti/uniperif_reader.c +@@ -65,7 +65,7 @@ static irqreturn_t uni_reader_irq_handle + if (unlikely(status & UNIPERIF_ITS_FIFO_ERROR_MASK(reader))) { + dev_err(reader->dev, "FIFO error detected\n"); + +- snd_pcm_stop_xrun(reader->substream); ++ snd_pcm_stop(reader->substream, SNDRV_PCM_STATE_XRUN); + + ret = IRQ_HANDLED; + } diff --git a/queue-5.16/bluetooth-btusb-add-another-realtek-8761bu.patch b/queue-5.16/bluetooth-btusb-add-another-realtek-8761bu.patch new file mode 100644 index 00000000000..59784538526 --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-another-realtek-8761bu.patch @@ -0,0 +1,61 @@ +From 6dfbe29f45fb0bde29213dbd754a79e8bfc6ecef Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sat, 26 Feb 2022 16:22:56 +0100 +Subject: Bluetooth: btusb: Add another Realtek 8761BU + +From: Helmut Grohne + +commit 6dfbe29f45fb0bde29213dbd754a79e8bfc6ecef upstream. + +This device is sometimes wrapped with a label "EDUP". + +T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=03 Dev#=107 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2550 ProdID=8761 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00E04C239987 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Helmut Grohne +Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1955351 +Signed-off-by: Marcel Holtmann +Cc: Ismael Ferreras Morezuelas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -481,6 +481,8 @@ static const struct usb_device_id blackl + /* Additional Realtek 8761BU Bluetooth devices */ + { USB_DEVICE(0x0b05, 0x190e), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x2550, 0x8761), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + + /* Additional Realtek 8821AE Bluetooth devices */ + { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, diff --git a/queue-5.16/drivers-net-xgene-fix-regression-in-crc-stripping.patch b/queue-5.16/drivers-net-xgene-fix-regression-in-crc-stripping.patch new file mode 100644 index 00000000000..b92be010525 --- /dev/null +++ b/queue-5.16/drivers-net-xgene-fix-regression-in-crc-stripping.patch @@ -0,0 +1,57 @@ +From e9e6faeafaa00da1851bcf47912b0f1acae666b4 Mon Sep 17 00:00:00 2001 +From: Stephane Graber +Date: Tue, 22 Mar 2022 18:42:06 -0400 +Subject: drivers: net: xgene: Fix regression in CRC stripping + +From: Stephane Graber + +commit e9e6faeafaa00da1851bcf47912b0f1acae666b4 upstream. + +All packets on ingress (except for jumbo) are terminated with a 4-bytes +CRC checksum. It's the responsability of the driver to strip those 4 +bytes. Unfortunately a change dating back to March 2017 re-shuffled some +code and made the CRC stripping code effectively dead. + +This change re-orders that part a bit such that the datalen is +immediately altered if needed. + +Fixes: 4902a92270fb ("drivers: net: xgene: Add workaround for errata 10GE_8/ENET_11") +Cc: stable@vger.kernel.org +Signed-off-by: Stephane Graber +Tested-by: Stephane Graber +Link: https://lore.kernel.org/r/20220322224205.752795-1-stgraber@ubuntu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c +@@ -696,6 +696,12 @@ static int xgene_enet_rx_frame(struct xg + buf_pool->rx_skb[skb_index] = NULL; + + datalen = xgene_enet_get_data_len(le64_to_cpu(raw_desc->m1)); ++ ++ /* strip off CRC as HW isn't doing this */ ++ nv = GET_VAL(NV, le64_to_cpu(raw_desc->m0)); ++ if (!nv) ++ datalen -= 4; ++ + skb_put(skb, datalen); + prefetch(skb->data - NET_IP_ALIGN); + skb->protocol = eth_type_trans(skb, ndev); +@@ -717,12 +723,8 @@ static int xgene_enet_rx_frame(struct xg + } + } + +- nv = GET_VAL(NV, le64_to_cpu(raw_desc->m0)); +- if (!nv) { +- /* strip off CRC as HW isn't doing this */ +- datalen -= 4; ++ if (!nv) + goto skip_jumbo; +- } + + slots = page_pool->slots - 1; + head = page_pool->head; diff --git a/queue-5.16/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch b/queue-5.16/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch new file mode 100644 index 00000000000..3e051eab427 --- /dev/null +++ b/queue-5.16/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch @@ -0,0 +1,55 @@ +From 764f4eb6846f5475f1244767d24d25dd86528a4a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 22 Mar 2022 17:41:47 -0700 +Subject: llc: fix netdevice reference leaks in llc_ui_bind() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +commit 764f4eb6846f5475f1244767d24d25dd86528a4a upstream. + +Whenever llc_ui_bind() and/or llc_ui_autobind() +took a reference on a netdevice but subsequently fail, +they must properly release their reference +or risk the infamous message from unregister_netdevice() +at device dismantle. + +unregister_netdevice: waiting for eth0 to become free. Usage count = 3 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: 赵子轩 +Reported-by: Stoyan Manolov +Link: https://lore.kernel.org/r/20220323004147.1990845-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -310,6 +310,10 @@ static int llc_ui_autobind(struct socket + sock_reset_flag(sk, SOCK_ZAPPED); + rc = 0; + out: ++ if (rc) { ++ dev_put(llc->dev); ++ llc->dev = NULL; ++ } + return rc; + } + +@@ -407,6 +411,10 @@ static int llc_ui_bind(struct socket *so + out_put: + llc_sap_put(sap); + out: ++ if (rc) { ++ dev_put(llc->dev); ++ llc->dev = NULL; ++ } + release_sock(sk); + return rc; + } diff --git a/queue-5.16/netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch b/queue-5.16/netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch new file mode 100644 index 00000000000..bee722a0886 --- /dev/null +++ b/queue-5.16/netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch @@ -0,0 +1,29 @@ +From 4c905f6740a365464e91467aa50916555b28213d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 17 Mar 2022 12:04:42 +0100 +Subject: netfilter: nf_tables: initialize registers in nft_do_chain() + +From: Pablo Neira Ayuso + +commit 4c905f6740a365464e91467aa50916555b28213d upstream. + +Initialize registers to avoid stack leak into userspace. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -162,7 +162,7 @@ nft_do_chain(struct nft_pktinfo *pkt, vo + struct nft_rule *const *rules; + const struct nft_rule *rule; + const struct nft_expr *expr, *last; +- struct nft_regs regs; ++ struct nft_regs regs = {}; + unsigned int stackptr = 0; + struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE]; + bool genbit = READ_ONCE(net->nft.gencursor); diff --git a/queue-5.16/netfilter-nf_tables-validate-registers-coming-from-userspace.patch b/queue-5.16/netfilter-nf_tables-validate-registers-coming-from-userspace.patch new file mode 100644 index 00000000000..c0c36be74e4 --- /dev/null +++ b/queue-5.16/netfilter-nf_tables-validate-registers-coming-from-userspace.patch @@ -0,0 +1,71 @@ +From 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 17 Mar 2022 11:59:26 +0100 +Subject: netfilter: nf_tables: validate registers coming from userspace. + +From: Pablo Neira Ayuso + +commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 upstream. + +Bail out in case userspace uses unsupported registers. + +Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9208,17 +9208,23 @@ int nft_parse_u32_check(const struct nla + } + EXPORT_SYMBOL_GPL(nft_parse_u32_check); + +-static unsigned int nft_parse_register(const struct nlattr *attr) ++static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg) + { + unsigned int reg; + + reg = ntohl(nla_get_be32(attr)); + switch (reg) { + case NFT_REG_VERDICT...NFT_REG_4: +- return reg * NFT_REG_SIZE / NFT_REG32_SIZE; ++ *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; ++ break; ++ case NFT_REG32_00...NFT_REG32_15: ++ *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; ++ break; + default: +- return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; ++ return -ERANGE; + } ++ ++ return 0; + } + + /** +@@ -9260,7 +9266,10 @@ int nft_parse_register_load(const struct + u32 reg; + int err; + +- reg = nft_parse_register(attr); ++ err = nft_parse_register(attr, ®); ++ if (err < 0) ++ return err; ++ + err = nft_validate_register_load(reg, len); + if (err < 0) + return err; +@@ -9315,7 +9324,10 @@ int nft_parse_register_store(const struc + int err; + u32 reg; + +- reg = nft_parse_register(attr); ++ err = nft_parse_register(attr, ®); ++ if (err < 0) ++ return err; ++ + err = nft_validate_register_store(ctx, reg, data, type, len); + if (err < 0) + return err; diff --git a/queue-5.16/series b/queue-5.16/series index 40120ad1a3b..c42418ef2e0 100644 --- a/queue-5.16/series +++ b/queue-5.16/series @@ -1,3 +1,23 @@ +bluetooth-btusb-add-another-realtek-8761bu.patch +llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch +asoc-sti-fix-deadlock-via-snd_pcm_stop_xrun-call.patch +alsa-oss-fix-pcm-oss-buffer-allocation-overflow.patch +alsa-usb-audio-add-mapping-for-new-corsair-virtuoso-se.patch +alsa-hda-realtek-add-quirk-for-clevo-np70pnj.patch +alsa-hda-realtek-add-quirk-for-clevo-np50pnj.patch +alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch +alsa-hda-realtek-add-quirk-for-asus-ga402.patch +alsa-pcm-fix-races-among-concurrent-hw_params-and-hw_free-calls.patch +alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch tpm-fix-error-handling-in-async-work.patch +alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch +alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch +alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch +alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch +alsa-cmipci-restore-aux-vol-on-suspend-resume.patch +alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch +drivers-net-xgene-fix-regression-in-crc-stripping.patch +netfilter-nf_tables-initialize-registers-in-nft_do_chain.patch +netfilter-nf_tables-validate-registers-coming-from-userspace.patch -- 2.47.3