From f706b5a2b9bfd62c78b1624d412ed93d88045e9c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 24 Oct 2020 11:53:54 +0200
Subject: [PATCH] 4.19-stable patches added patches: alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch cifs-remove-bogus-debug-code.patch cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch kvm-svm-initialize-prev_ga_tag-before-use.patch kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
---
 ...dio-jacks-of-asus-d700sa-with-alc887.patch | 99 +++++++++++++++++++
 queue-4.19/cifs-remove-bogus-debug-code.patch | 72 ++++++++++++++
 ...t_message-when-enc-dec-key-not-found.patch | 44 +++++++++
 ...vm-initialize-prev_ga_tag-before-use.patch | 62 ++++++++++++
 ...invalid-pages-when-recovering-lpages.patch | 39 ++++++++
 queue-4.19/series | 5 +
 6 files changed, 321 insertions(+)
 create mode 100644 queue-4.19/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
 create mode 100644 queue-4.19/cifs-remove-bogus-debug-code.patch
 create mode 100644 queue-4.19/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
 create mode 100644 queue-4.19/kvm-svm-initialize-prev_ga_tag-before-use.patch
 create mode 100644 queue-4.19/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
diff --git a/queue-4.19/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch b/queue-4.19/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
new file mode 100644
index 00000000000..35ef1141cb4
--- /dev/null
+++ b/queue-4.19/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
@@ -0,0 +1,99 @@
+From ca184355db8e60290fa34bf61c13308e6f4f50d3 Mon Sep 17 00:00:00 2001
+From: Jian-Hong Pan
+Date: Wed, 7 Oct 2020 13:22:25 +0800
+Subject: ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
+
+From: Jian-Hong Pan
+
+commit ca184355db8e60290fa34bf61c13308e6f4f50d3 upstream.
+
+The ASUS D700SA desktop's audio (1043:2390) with ALC887 cannot detect
+the headset microphone and another headphone jack until
+ALC887_FIXUP_ASUS_HMIC and ALC887_FIXUP_ASUS_AUDIO quirks are applied.
+The NID 0x15 maps as the headset microphone and NID 0x19 maps as another
+headphone jack. Also need the function like alc887_fixup_asus_jack to
+enable the audio jacks.
+
+Signed-off-by: Jian-Hong Pan
+Signed-off-by: Kailang Yang
+Cc:
+Link: https://lore.kernel.org/r/20201007052224.22611-1-jhp@endlessos.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1906,6 +1906,8 @@ enum {
+ ALC1220_FIXUP_CLEVO_P950,
+ ALC1220_FIXUP_CLEVO_PB51ED,
+ ALC1220_FIXUP_CLEVO_PB51ED_PINS,
++ ALC887_FIXUP_ASUS_AUDIO,
++ ALC887_FIXUP_ASUS_HMIC,
+ };
+
+ static void alc889_fixup_coef(struct hda_codec *codec,
+@@ -2118,6 +2120,31 @@ static void alc1220_fixup_clevo_pb51ed(s
+ alc_fixup_headset_mode_no_hp_mic(codec, fix, action);
+ }
+
++static void alc887_asus_hp_automute_hook(struct hda_codec *codec,
++ struct hda_jack_callback *jack)
++{
++ struct alc_spec *spec = codec->spec;
++ unsigned int vref;
++
++ snd_hda_gen_hp_automute(codec, jack);
++
++ if (spec->gen.hp_jack_present)
++ vref = AC_PINCTL_VREF_80;
++ else
++ vref = AC_PINCTL_VREF_HIZ;
++ snd_hda_set_pin_ctl(codec, 0x19, PIN_HP | vref);
++}
++
++static void alc887_fixup_asus_jack(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++ if (action != HDA_FIXUP_ACT_PROBE)
++ return;
++ snd_hda_set_pin_ctl_cache(codec, 0x1b, PIN_HP);
++ spec->gen.hp_automute_hook = alc887_asus_hp_automute_hook;
++}
++
+ static const struct hda_fixup alc882_fixups[] = {
+ [ALC882_FIXUP_ABIT_AW9D_MAX] = {
+ .type = HDA_FIXUP_PINS,
+@@ -2375,6 +2402,20 @@ static const struct hda_fixup alc882_fix
+ .chained = true,
+ .chain_id = ALC1220_FIXUP_CLEVO_PB51ED,
+ },
++ [ALC887_FIXUP_ASUS_AUDIO] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x15, 0x02a14150 }, /* use as headset mic, without its own jack detect */
++ { 0x19, 0x22219420 },
++ {}
++ },
++ },
++ [ALC887_FIXUP_ASUS_HMIC] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc887_fixup_asus_jack,
++ .chained = true,
++ .chain_id = ALC887_FIXUP_ASUS_AUDIO,
++ },
+ };
+
+ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
+@@ -2408,6 +2449,7 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK(0x1043, 0x13c2, "Asus A7M", ALC882_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x1043, 0x1873, "ASUS W90V", ALC882_FIXUP_ASUS_W90V),
+ SND_PCI_QUIRK(0x1043, 0x1971, "Asus W2JC", ALC882_FIXUP_ASUS_W2JC),
++ SND_PCI_QUIRK(0x1043, 0x2390, "Asus D700SA", ALC887_FIXUP_ASUS_HMIC),
+ SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601),
+ SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS),
+ SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
diff --git a/queue-4.19/cifs-remove-bogus-debug-code.patch b/queue-4.19/cifs-remove-bogus-debug-code.patch
new file mode 100644
index 00000000000..00c3828c45e
--- /dev/null
+++ b/queue-4.19/cifs-remove-bogus-debug-code.patch
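Review bot: In `alc887_fixup_asus_jack` (sound/pci/hda/patch_realtek.c) the probe step writes the pin control of NID 0x1b, but the commit message names only NIDs 0x15 and 0x19 and the code has no comment, so a reader cannot tell which jack 0x1b is or why it is set once at probe time. A one-line comment above `snd_hda_set_pin_ctl_cache(codec, 0x1b, PIN_HP);` naming that pin would close the gap, and the second pin-table entry could carry the role the commit message gives it: `{ 0x19, 0x22219420 }, /* second headphone jack */`. The same function also lacks the blank line kernel style expects between `struct alc_spec *spec = codec->spec;` and the first statement.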
@@ -0,0 +1,72 @@
+From d367cb960ce88914898cbfa43645c2e43ede9465 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 16 Sep 2020 23:18:21 +0300
+Subject: cifs: remove bogus debug code
+
+From: Dan Carpenter
+
+commit d367cb960ce88914898cbfa43645c2e43ede9465 upstream.
+
+The "end" pointer is either NULL or it points to the next byte to parse.
+If there isn't a next byte then dereferencing "end" is an off-by-one out
+of bounds error. And, of course, if it's NULL that leads to an Oops.
+Printing "*end" doesn't seem very useful so let's delete this code.
+
+Also for the last debug statement, I noticed that it should be printing
+"sequence_end" instead of "end" so fix that as well.
+
+Reported-by: Dominik Maier
+Signed-off-by: Dan Carpenter
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/asn1.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -541,8 +541,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -552,8 +552,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 1\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -563,8 +563,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -575,8 +575,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d sequence_end = %p exit 1\n",
++ cls, con, tag, sequence_end);
+ return 0;
+ }
+
diff --git a/queue-4.19/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch b/queue-4.19/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
new file mode 100644
index 00000000000..817fac48074
--- /dev/null
+++ b/queue-4.19/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
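Review bot: The first and third failure messages in `decode_negTokenInit` (fs/cifs/asn1.c) are still identical after this change, both printing `... end = %p exit 0`, so a debug log of a rejected token does not say which of the two context-tag checks failed. Giving each early return its own marker, for example `"cls = %d con = %d tag = %d end = %p exit 2\n"` in the third branch, would make the trace usable when triaging a malformed token. The function starts and ends outside these hunks, so its other exits could not be checked here.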
@@ -0,0 +1,44 @@
+From 0bd294b55a5de442370c29fa53bab17aef3ff318 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N
+Date: Thu, 15 Oct 2020 10:41:31 -0700
+Subject: cifs: Return the error from crypt_message when enc/dec key not found.
+
+From: Shyam Prasad N
+
+commit 0bd294b55a5de442370c29fa53bab17aef3ff318 upstream.
+
+In crypt_message, when smb2_get_enc_key returns error, we need to
+return the error back to the caller. If not, we end up processing
+the message further, causing a kernel oops due to unwarranted access
+of memory.
+
+Call Trace:
+smb3_receive_transform+0x120/0x870 [cifs]
+cifs_demultiplex_thread+0xb53/0xc20 [cifs]
+? cifs_handle_standard+0x190/0x190 [cifs]
+kthread+0x116/0x130
+? kthread_park+0x80/0x80
+ret_from_fork+0x1f/0x30
+
+Signed-off-by: Shyam Prasad N
+Reviewed-by: Pavel Shilovsky
+Reviewed-by: Ronnie Sahlberg
+CC: Stable
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2730,7 +2730,7 @@ crypt_message(struct TCP_Server_Info *se
+ if (rc) {
+ cifs_dbg(VFS, "%s: Could not get %scryption key\n", __func__,
+ enc ? "en" : "de");
+- return 0;
++ return rc;
+ }
+
+ rc = smb3_crypto_aead_allocate(server);
diff --git a/queue-4.19/kvm-svm-initialize-prev_ga_tag-before-use.patch b/queue-4.19/kvm-svm-initialize-prev_ga_tag-before-use.patch
new file mode 100644
index 00000000000..49666e46ca4
--- /dev/null
+++ b/queue-4.19/kvm-svm-initialize-prev_ga_tag-before-use.patch
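Review bot: The `cifs_dbg(VFS, ...)` call just above the changed return in `crypt_message` (fs/cifs/smb2ops.c) still drops the error code, so the log does not say why the key lookup failed even though `rc` is now passed to the caller. Consider `cifs_dbg(VFS, "%s: Could not get %scryption key, rc=%d\n", __func__, enc ? "en" : "de", rc);`. Only the key-lookup failure path is visible in this hunk; whether the later error paths of the function also return their `rc` cannot be checked from here.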
@@ -0,0 +1,62 @@
+From f6426ab9c957e97418ac5b0466538792767b1738 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit
+Date: Sat, 3 Oct 2020 23:27:07 +0000
+Subject: KVM: SVM: Initialize prev_ga_tag before use
+
+From: Suravee Suthikulpanit
+
+commit f6426ab9c957e97418ac5b0466538792767b1738 upstream.
+
+The function amd_ir_set_vcpu_affinity makes use of the parameter struct
+amd_iommu_pi_data.prev_ga_tag to determine if it should delete struct
+amd_iommu_pi_data from a list when not running in AVIC mode.
+
+However, prev_ga_tag is initialized only when AVIC is enabled. The non-zero
+uninitialized value can cause unintended code path, which ends up making
+use of the struct vcpu_svm.ir_list and ir_list_lock without being
+initialized (since they are intended only for the AVIC case).
+
+This triggers NULL pointer dereference bug in the function vm_ir_list_del
+with the following call trace:
+
+ svm_update_pi_irte+0x3c2/0x550 [kvm_amd]
+ ? proc_create_single_data+0x41/0x50
+ kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm]
+ __connect+0x5f/0xb0 [irqbypass]
+ irq_bypass_register_producer+0xf8/0x120 [irqbypass]
+ vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci]
+ vfio_msi_set_block+0x77/0xe0 [vfio_pci]
+ vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci]
+ vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci]
+ vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci]
+ ? alloc_file_pseudo+0xa5/0x100
+ vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+ ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+ __x64_sys_ioctl+0x96/0xd0
+ do_syscall_64+0x37/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Therefore, initialize prev_ga_tag to zero before use. This should be safe
+because ga_tag value 0 is invalid (see function avic_vm_init).
+
+Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()")
+Signed-off-by: Suravee Suthikulpanit
+Message-Id: <20201003232707.4662-1-suravee.suthikulpanit@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5380,6 +5380,7 @@ static int svm_update_pi_irte(struct kvm
+ * - Tell IOMMU to use legacy mode for this interrupt.
+ * - Retrieve ga_tag of prior interrupt remapping data.
+ */
++ pi.prev_ga_tag = 0;
+ pi.is_guest_mode = false;
+ ret = irq_set_vcpu_affinity(host_irq, &pi);
+
diff --git a/queue-4.19/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch b/queue-4.19/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
new file mode 100644
index 00000000000..5022f6b1aeb
--- /dev/null
+++ b/queue-4.19/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
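Review bot: `pi.prev_ga_tag = 0;` in `svm_update_pi_irte` (arch/x86/kvm/svm.c) clears a single field by hand, which suggests that `pi` is a stack structure declared without an initializer and that any member this branch does not assign still reaches `irq_set_vcpu_affinity()` uninitialized; the declaration is outside the hunk, so this is inferred. Zero-initialising the structure where it is declared, e.g. `struct amd_iommu_pi_data pi = {};`, would also cover fields added later and remove the class of bug rather than this one instance. If the per-field assignment is kept, a comment such as `/* 0 is never a valid ga_tag, see avic_vm_init() */` would record why zero is a safe sentinel, as the commit message explains.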
@@ -0,0 +1,39 @@
+From e89505698c9f70125651060547da4ff5046124fc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Wed, 23 Sep 2020 11:37:28 -0700
+Subject: KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
+
+From: Sean Christopherson
+
+commit e89505698c9f70125651060547da4ff5046124fc upstream.
+
+Call kvm_mmu_commit_zap_page() after exiting the "prepare zap" loop in
+kvm_recover_nx_lpages() to finish zapping pages in the unlikely event
+that the loop exited due to lpage_disallowed_mmu_pages being empty.
+Because the recovery thread drops mmu_lock() when rescheduling, it's
+possible that lpage_disallowed_mmu_pages could be emptied by a different
+thread without to_zap reaching zero despite to_zap being derived from
+the number of disallowed lpages.
+
+Fixes: 1aa9b9572b105 ("kvm: x86: mmu: Recovery of shattered NX large pages")
+Cc: Junaid Shahid
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20200923183735.584-2-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -6225,6 +6225,7 @@ static void kvm_recover_nx_lpages(struct
+ cond_resched_lock(&kvm->mmu_lock);
+ }
+ }
++ kvm_mmu_commit_zap_page(kvm, &invalid_list);
+
+ spin_unlock(&kvm->mmu_lock);
+ srcu_read_unlock(&kvm->srcu, rcu_idx);
diff --git a/queue-4.19/series b/queue-4.19/series
index 9ad5b4fc3ef..6625ac6983c 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
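Review bot: The added `kvm_mmu_commit_zap_page(kvm, &invalid_list);` in `kvm_recover_nx_lpages` (arch/x86/kvm/mmu.c) carries no comment, and without the commit message it reads as redundant with whatever commit the loop presumably performs before rescheduling (the loop body is only partly visible in this hunk). A short comment would keep a later cleanup from removing it, for example `/* The loop can exit with pages still on invalid_list if another thread emptied the lpage list first. */`. The reasoning is taken from the commit description, not from code visible here.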
@@ -23,3 +23,8 @@ nfc-ensure-presence-of-nfc_attr_firmware_name-attribute-in-nfc_genl_fw_download.
 tcp-fix-to-update-snd_wl1-in-bulk-receiver-fast-path.patch
 r8169-fix-operation-under-forced-interrupt-threading.patch
 icmp-randomize-the-global-rate-limiter.patch
+alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch
+cifs-remove-bogus-debug-code.patch
+cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
+kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
+kvm-svm-initialize-prev_ga_tag-before-use.patch
--
2.47.3