--- /dev/null
+From ffb2759df7efbc00187bfd9d1072434a13a54139 Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Fri, 15 Jul 2022 09:05:15 +0800
+Subject: ALSA: bcd2000: Fix a UAF bug on the error path of probing
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit ffb2759df7efbc00187bfd9d1072434a13a54139 upstream.
+
+When the driver fails in snd_card_register() at probe time, it will free
+the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.
+
+The following log can reveal it:
+
+[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
+[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
+[ 50.729530] Call Trace:
+[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
+
+Fix this by adding usb_kill_urb() before usb_free_urb().
+
+Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device")
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/bcd2000/bcd2000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/bcd2000/bcd2000.c
++++ b/sound/usb/bcd2000/bcd2000.c
+@@ -348,7 +348,8 @@ static int bcd2000_init_midi(struct bcd2
+ static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k,
+ struct usb_interface *interface)
+ {
+- /* usb_kill_urb not necessary, urb is aborted automatically */
++ usb_kill_urb(bcd2k->midi_out_urb);
++ usb_kill_urb(bcd2k->midi_in_urb);
+
+ usb_free_urb(bcd2k->midi_out_urb);
+ usb_free_urb(bcd2k->midi_in_urb);
--- /dev/null
+From be561ffad708f0cee18aee4231f80ffafaf7a419 Mon Sep 17 00:00:00 2001
+From: Tim Crawford <tcrawford@system76.com>
+Date: Sat, 30 Jul 2022 21:22:43 -0600
+Subject: ALSA: hda/realtek: Add quirk for Clevo NV45PZ
+
+From: Tim Crawford <tcrawford@system76.com>
+
+commit be561ffad708f0cee18aee4231f80ffafaf7a419 upstream.
+
+Fixes headset detection on Clevo NV45PZ.
+
+Signed-off-by: Tim Crawford <tcrawford@system76.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220731032243.4300-1-tcrawford@system76.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8992,6 +8992,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x4041, "Clevo NV4[15]PZ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x40a1, "Clevo NL40GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x40c1, "Clevo NL40[CZ]U", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x40d1, "Clevo NL41DU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
--- /dev/null
+From 24df5428ef9d1ca1edd54eca7eb667110f2dfae3 Mon Sep 17 00:00:00 2001
+From: Ivan Hasenkampf <ivan.hasenkampf@gmail.com>
+Date: Wed, 3 Aug 2022 18:40:01 +0200
+Subject: ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx
+
+From: Ivan Hasenkampf <ivan.hasenkampf@gmail.com>
+
+commit 24df5428ef9d1ca1edd54eca7eb667110f2dfae3 upstream.
+
+Fixes speaker output on HP Spectre x360 15-eb0xxx
+
+[ re-sorted in SSID order by tiwai ]
+
+Signed-off-by: Ivan Hasenkampf <ivan.hasenkampf@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220803164001.290394-1-ivan.hasenkampf@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8852,6 +8852,8 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
++ SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
++ SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
+ SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
--- /dev/null
+From e086c37f876fd1f551e2b4f9be97d4a1923cd219 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 22 Jul 2022 16:39:48 +0200
+Subject: ALSA: usb-audio: Add quirk for Behringer UMC202HD
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit e086c37f876fd1f551e2b4f9be97d4a1923cd219 upstream.
+
+Just like other Behringer models, UMC202HD (USB ID 1397:0507) requires
+the quirk for the stable streaming, too.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215934
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220722143948.29804-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1843,6 +1843,8 @@ static const struct usb_audio_quirk_flag
+ QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
+ DEVICE_FLG(0x1395, 0x740a, /* Sennheiser DECT */
+ QUIRK_FLAG_GET_SAMPLE_RATE),
++ DEVICE_FLG(0x1397, 0x0507, /* Behringer UMC202HD */
++ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x1397, 0x0508, /* Behringer UMC204HD */
+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x1397, 0x0509, /* Behringer UMC404HD */
--- /dev/null
+From bb283ca18d1e67c82d22a329c96c9d6036a74790 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 27 Mar 2022 16:43:03 -0400
+Subject: NFSD: Clean up the show_nf_flags() macro
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit bb283ca18d1e67c82d22a329c96c9d6036a74790 upstream.
+
+The flags are defined using C macros, so TRACE_DEFINE_ENUM is
+unnecessary.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/trace.h | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/fs/nfsd/trace.h
++++ b/fs/nfsd/trace.h
+@@ -636,12 +636,6 @@ DEFINE_CLID_EVENT(confirmed_r);
+ /*
+ * from fs/nfsd/filecache.h
+ */
+-TRACE_DEFINE_ENUM(NFSD_FILE_HASHED);
+-TRACE_DEFINE_ENUM(NFSD_FILE_PENDING);
+-TRACE_DEFINE_ENUM(NFSD_FILE_BREAK_READ);
+-TRACE_DEFINE_ENUM(NFSD_FILE_BREAK_WRITE);
+-TRACE_DEFINE_ENUM(NFSD_FILE_REFERENCED);
+-
+ #define show_nf_flags(val) \
+ __print_flags(val, "|", \
+ { 1 << NFSD_FILE_HASHED, "HASHED" }, \
--- /dev/null
+From 23ba98de6dcec665e15c0ca19244379bb0d30932 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Fri, 29 Jul 2022 17:01:07 -0400
+Subject: nfsd: eliminate the NFSD_FILE_BREAK_* flags
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 23ba98de6dcec665e15c0ca19244379bb0d30932 upstream.
+
+We had a report from the spring Bake-a-thon of data corruption in some
+nfstest_interop tests. Looking at the traces showed the NFS server
+allowing a v3 WRITE to proceed while a read delegation was still
+outstanding.
+
+Currently, we only set NFSD_FILE_BREAK_* flags if
+NFSD_MAY_NOT_BREAK_LEASE was set when we call nfsd_file_alloc.
+NFSD_MAY_NOT_BREAK_LEASE was intended to be set when finding files for
+COMMIT ops, where we need a writeable filehandle but don't need to
+break read leases.
+
+It doesn't make any sense to consult that flag when allocating a file
+since the file may be used on subsequent calls where we do want to break
+the lease (and the usage of it here seems to be reverse from what it
+should be anyway).
+
+Also, after calling nfsd_open_break_lease, we don't want to clear the
+BREAK_* bits. A lease could end up being set on it later (more than
+once) and we need to be able to break those leases as well.
+
+This means that the NFSD_FILE_BREAK_* flags now just mirror
+NFSD_MAY_{READ,WRITE} flags, so there's no need for them at all. Just
+drop those flags and unconditionally call nfsd_open_break_lease every
+time.
+
+Reported-by: Olga Kornieskaia <kolga@netapp.com>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2107360
+Fixes: 65294c1f2c5e (nfsd: add a new struct file caching facility to nfsd)
+Cc: <stable@vger.kernel.org> # 5.4.x : bb283ca18d1e NFSD: Clean up the show_nf_flags() macro
+Cc: <stable@vger.kernel.org> # 5.4.x
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/filecache.c | 22 +---------------------
+ fs/nfsd/filecache.h | 4 +---
+ fs/nfsd/trace.h | 2 --
+ 3 files changed, 2 insertions(+), 26 deletions(-)
+
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -187,12 +187,6 @@ nfsd_file_alloc(struct inode *inode, uns
+ nf->nf_hashval = hashval;
+ refcount_set(&nf->nf_ref, 1);
+ nf->nf_may = may & NFSD_FILE_MAY_MASK;
+- if (may & NFSD_MAY_NOT_BREAK_LEASE) {
+- if (may & NFSD_MAY_WRITE)
+- __set_bit(NFSD_FILE_BREAK_WRITE, &nf->nf_flags);
+- if (may & NFSD_MAY_READ)
+- __set_bit(NFSD_FILE_BREAK_READ, &nf->nf_flags);
+- }
+ nf->nf_mark = NULL;
+ trace_nfsd_file_alloc(nf);
+ }
+@@ -990,21 +984,7 @@ wait_for_construction:
+
+ this_cpu_inc(nfsd_file_cache_hits);
+
+- if (!(may_flags & NFSD_MAY_NOT_BREAK_LEASE)) {
+- bool write = (may_flags & NFSD_MAY_WRITE);
+-
+- if (test_bit(NFSD_FILE_BREAK_READ, &nf->nf_flags) ||
+- (test_bit(NFSD_FILE_BREAK_WRITE, &nf->nf_flags) && write)) {
+- status = nfserrno(nfsd_open_break_lease(
+- file_inode(nf->nf_file), may_flags));
+- if (status == nfs_ok) {
+- clear_bit(NFSD_FILE_BREAK_READ, &nf->nf_flags);
+- if (write)
+- clear_bit(NFSD_FILE_BREAK_WRITE,
+- &nf->nf_flags);
+- }
+- }
+- }
++ status = nfserrno(nfsd_open_break_lease(file_inode(nf->nf_file), may_flags));
+ out:
+ if (status == nfs_ok) {
+ *pnf = nf;
+--- a/fs/nfsd/filecache.h
++++ b/fs/nfsd/filecache.h
+@@ -37,9 +37,7 @@ struct nfsd_file {
+ struct net *nf_net;
+ #define NFSD_FILE_HASHED (0)
+ #define NFSD_FILE_PENDING (1)
+-#define NFSD_FILE_BREAK_READ (2)
+-#define NFSD_FILE_BREAK_WRITE (3)
+-#define NFSD_FILE_REFERENCED (4)
++#define NFSD_FILE_REFERENCED (2)
+ unsigned long nf_flags;
+ struct inode *nf_inode;
+ unsigned int nf_hashval;
+--- a/fs/nfsd/trace.h
++++ b/fs/nfsd/trace.h
+@@ -640,8 +640,6 @@ DEFINE_CLID_EVENT(confirmed_r);
+ __print_flags(val, "|", \
+ { 1 << NFSD_FILE_HASHED, "HASHED" }, \
+ { 1 << NFSD_FILE_PENDING, "PENDING" }, \
+- { 1 << NFSD_FILE_BREAK_READ, "BREAK_READ" }, \
+- { 1 << NFSD_FILE_BREAK_WRITE, "BREAK_WRITE" }, \
+ { 1 << NFSD_FILE_REFERENCED, "REFERENCED"})
+
+ DECLARE_EVENT_CLASS(nfsd_file_class,
--- /dev/null
+From 7836d75467e9d214bdf5c693b32721de729a6e38 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 18 May 2022 16:09:06 -0400
+Subject: pNFS/flexfiles: Report RDMA connection errors to the server
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 7836d75467e9d214bdf5c693b32721de729a6e38 upstream.
+
+The RPC/RDMA driver will return -EPROTO and -ENODEV as connection errors
+under certain circumstances. Make sure that we handle them and report
+them to the server. If not, we can end up cycling forever in a
+LAYOUTGET/LAYOUTRETURN loop.
+
+Fixes: a12f996d3413 ("NFSv4/pNFS: Use connections to a DS that are all of the same protocol family")
+Cc: stable@vger.kernel.org # 5.11.x
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1140,6 +1140,8 @@ static int ff_layout_async_handle_error_
+ case -EIO:
+ case -ETIMEDOUT:
+ case -EPIPE:
++ case -EPROTO:
++ case -ENODEV:
+ dprintk("%s DS connection error %d\n", __func__,
+ task->tk_status);
+ nfs4_delete_deviceid(devid->ld, devid->nfs_client,
+@@ -1245,6 +1247,8 @@ static void ff_layout_io_track_ds_error(
+ case -ENOBUFS:
+ case -EPIPE:
+ case -EPERM:
++ case -EPROTO:
++ case -ENODEV:
+ *op_status = status = NFS4ERR_NXIO;
+ break;
+ case -EACCES:
x86-link-vdso-and-boot-with-z-noexecstack-no-warn-rwx-segments.patch
revert-pnfs-nfs3_set_ds_client-should-set-nfs_cs_noping.patch
scsi-revert-scsi-qla2xxx-fix-disk-failure-to-rediscover.patch
+pnfs-flexfiles-report-rdma-connection-errors-to-the-server.patch
+nfsd-clean-up-the-show_nf_flags-macro.patch
+nfsd-eliminate-the-nfsd_file_break_-flags.patch
+alsa-usb-audio-add-quirk-for-behringer-umc202hd.patch
+alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-probing.patch
+alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch
+alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb0xxx.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
