--- /dev/null
+From 1c2b9519159b470ef24b2638f4794e86e2952ab7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 16 Jul 2021 15:27:23 +0200
+Subject: ALSA: sb: Fix potential ABBA deadlock in CSP driver
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1c2b9519159b470ef24b2638f4794e86e2952ab7 upstream.
+
+SB16 CSP driver may hit potentially a typical ABBA deadlock in two
+code paths:
+
+ In snd_sb_csp_stop():
+ spin_lock_irqsave(&p->chip->mixer_lock, flags);
+ spin_lock(&p->chip->reg_lock);
+
+ In snd_sb_csp_load():
+ spin_lock_irqsave(&p->chip->reg_lock, flags);
+ spin_lock(&p->chip->mixer_lock);
+
+Also the similar pattern is seen in snd_sb_csp_start().
+
+Although the practical impact is very small (those states aren't
+triggered in the same running state and this happens only on a real
+hardware, decades old ISA sound boards -- which must be very difficult
+to find nowadays), it's a real scenario and has to be fixed.
+
+This patch addresses those deadlocks by splitting the locks in
+snd_sb_csp_start() and snd_sb_csp_stop() for avoiding the nested
+locks.
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/7b0fcdaf-cd4f-4728-2eae-48c151a92e10@gmail.com
+Link: https://lore.kernel.org/r/20210716132723.13216-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/isa/sb/sb16_csp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/isa/sb/sb16_csp.c
++++ b/sound/isa/sb/sb16_csp.c
+@@ -828,6 +828,7 @@ static int snd_sb_csp_start(struct snd_s
+ mixR = snd_sbmixer_read(p->chip, SB_DSP4_PCM_DEV + 1);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL & 0x7);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR & 0x7);
++ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
+
+ spin_lock(&p->chip->reg_lock);
+ set_mode_register(p->chip, 0xc0); /* c0 = STOP */
+@@ -867,6 +868,7 @@ static int snd_sb_csp_start(struct snd_s
+ spin_unlock(&p->chip->reg_lock);
+
+ /* restore PCM volume */
++ spin_lock_irqsave(&p->chip->mixer_lock, flags);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR);
+ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
+@@ -892,6 +894,7 @@ static int snd_sb_csp_stop(struct snd_sb
+ mixR = snd_sbmixer_read(p->chip, SB_DSP4_PCM_DEV + 1);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL & 0x7);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR & 0x7);
++ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
+
+ spin_lock(&p->chip->reg_lock);
+ if (p->running & SNDRV_SB_CSP_ST_QSOUND) {
+@@ -906,6 +909,7 @@ static int snd_sb_csp_stop(struct snd_sb
+ spin_unlock(&p->chip->reg_lock);
+
+ /* restore PCM volume */
++ spin_lock_irqsave(&p->chip->mixer_lock, flags);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL);
+ snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR);
+ spin_unlock_irqrestore(&p->chip->mixer_lock, flags);
--- /dev/null
+From b0084afde27fe8a504377dee65f55bc6aa776937 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy <alexander@tsoy.me>
+Date: Thu, 22 Jul 2021 02:56:05 +0300
+Subject: ALSA: usb-audio: Add registration quirk for JBL Quantum headsets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexander Tsoy <alexander@tsoy.me>
+
+commit b0084afde27fe8a504377dee65f55bc6aa776937 upstream.
+
+These devices has two interfaces, but only the second interface
+contains the capture endpoint, thus quirk is required to delay the
+registration until the second interface appears.
+
+Tested-by: Jakub FiĊĦer <jakub@ufiseru.cz>
+Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210721235605.53741-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1553,6 +1553,9 @@ static const struct registration_quirk r
+ REG_QUIRK_ENTRY(0x0951, 0x16d8, 2), /* Kingston HyperX AMP */
+ REG_QUIRK_ENTRY(0x0951, 0x16ed, 2), /* Kingston HyperX Cloud Alpha S */
+ REG_QUIRK_ENTRY(0x0951, 0x16ea, 2), /* Kingston HyperX Cloud Flight S */
++ REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2), /* JBL Quantum 600 */
++ REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2), /* JBL Quantum 400 */
++ REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2), /* JBL Quantum 800 */
+ { 0 } /* terminator */
+ };
+
--- /dev/null
+From f8c2602733c953ed7a16e060640b8e96f9d94b9b Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Fri, 25 Jun 2021 23:50:07 +0200
+Subject: s390/ftrace: fix ftrace_update_ftrace_func implementation
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit f8c2602733c953ed7a16e060640b8e96f9d94b9b upstream.
+
+s390 enforces DYNAMIC_FTRACE if FUNCTION_TRACER is selected.
+At the same time implementation of ftrace_caller is not compliant with
+HAVE_DYNAMIC_FTRACE since it doesn't provide implementation of
+ftrace_update_ftrace_func() and calls ftrace_trace_function() directly.
+
+The subtle difference is that during ftrace code patching ftrace
+replaces function tracer via ftrace_update_ftrace_func() and activates
+it back afterwards. Unexpected direct calls to ftrace_trace_function()
+during ftrace code patching leads to nullptr-dereferences when tracing
+is activated for one of functions which are used during code patching.
+Those function currently are:
+copy_from_kernel_nofault()
+copy_from_kernel_nofault_allowed()
+preempt_count_sub() [with debug_defconfig]
+preempt_count_add() [with debug_defconfig]
+
+Corresponding KASAN report:
+ BUG: KASAN: nullptr-dereference in function_trace_call+0x316/0x3b0
+ Read of size 4 at addr 0000000000001e08 by task migration/0/15
+
+ CPU: 0 PID: 15 Comm: migration/0 Tainted: G B 5.13.0-41423-g08316af3644d
+ Hardware name: IBM 3906 M04 704 (LPAR)
+ Stopper: multi_cpu_stop+0x0/0x3e0 <- stop_machine_cpuslocked+0x1e4/0x218
+ Call Trace:
+ [<0000000001f77caa>] show_stack+0x16a/0x1d0
+ [<0000000001f8de42>] dump_stack+0x15a/0x1b0
+ [<0000000001f81d56>] print_address_description.constprop.0+0x66/0x2e0
+ [<000000000082b0ca>] kasan_report+0x152/0x1c0
+ [<00000000004cfd8e>] function_trace_call+0x316/0x3b0
+ [<0000000001fb7082>] ftrace_caller+0x7a/0x7e
+ [<00000000006bb3e6>] copy_from_kernel_nofault_allowed+0x6/0x10
+ [<00000000006bb42e>] copy_from_kernel_nofault+0x3e/0xd0
+ [<000000000014605c>] ftrace_make_call+0xb4/0x1f8
+ [<000000000047a1b4>] ftrace_replace_code+0x134/0x1d8
+ [<000000000047a6e0>] ftrace_modify_all_code+0x120/0x1d0
+ [<000000000047a7ec>] __ftrace_modify_code+0x5c/0x78
+ [<000000000042395c>] multi_cpu_stop+0x224/0x3e0
+ [<0000000000423212>] cpu_stopper_thread+0x33a/0x5a0
+ [<0000000000243ff2>] smpboot_thread_fn+0x302/0x708
+ [<00000000002329ea>] kthread+0x342/0x408
+ [<00000000001066b2>] __ret_from_fork+0x92/0xf0
+ [<0000000001fb57fa>] ret_from_fork+0xa/0x30
+
+ The buggy address belongs to the page:
+ page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1
+ flags: 0x1ffff00000001000(reserved|node=0|zone=0|lastcpupid=0x1ffff)
+ raw: 1ffff00000001000 0000040000000048 0000040000000048 0000000000000000
+ raw: 0000000000000000 0000000000000000 ffffffff00000001 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ 0000000000001d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+ 0000000000001d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+ >0000000000001e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+ ^
+ 0000000000001e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+ 0000000000001f00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+ ==================================================================
+
+To fix that introduce ftrace_func callback to be called from
+ftrace_caller and update it in ftrace_update_ftrace_func().
+
+Fixes: 4cc9bed034d1 ("[S390] cleanup ftrace backend functions")
+Cc: stable@vger.kernel.org
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/ftrace.h | 1 +
+ arch/s390/kernel/ftrace.c | 2 ++
+ arch/s390/kernel/mcount.S | 4 ++--
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/ftrace.h
++++ b/arch/s390/include/asm/ftrace.h
+@@ -20,6 +20,7 @@ void ftrace_caller(void);
+
+ extern char ftrace_graph_caller_end;
+ extern unsigned long ftrace_plt;
++extern void *ftrace_func;
+
+ struct dyn_arch_ftrace { };
+
+--- a/arch/s390/kernel/ftrace.c
++++ b/arch/s390/kernel/ftrace.c
+@@ -57,6 +57,7 @@
+ * > brasl %r0,ftrace_caller # offset 0
+ */
+
++void *ftrace_func __read_mostly = ftrace_stub;
+ unsigned long ftrace_plt;
+
+ static inline void ftrace_generate_orig_insn(struct ftrace_insn *insn)
+@@ -166,6 +167,7 @@ int ftrace_make_call(struct dyn_ftrace *
+
+ int ftrace_update_ftrace_func(ftrace_func_t func)
+ {
++ ftrace_func = func;
+ return 0;
+ }
+
+--- a/arch/s390/kernel/mcount.S
++++ b/arch/s390/kernel/mcount.S
+@@ -60,13 +60,13 @@ ENTRY(ftrace_caller)
+ #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES
+ aghik %r2,%r0,-MCOUNT_INSN_SIZE
+ lgrl %r4,function_trace_op
+- lgrl %r1,ftrace_trace_function
++ lgrl %r1,ftrace_func
+ #else
+ lgr %r2,%r0
+ aghi %r2,-MCOUNT_INSN_SIZE
+ larl %r4,function_trace_op
+ lg %r4,0(%r4)
+- larl %r1,ftrace_trace_function
++ larl %r1,ftrace_func
+ lg %r1,0(%r1)
+ #endif
+ lgr %r3,%r14
drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch
proc-avoid-mixing-integer-types-in-mem_rw.patch
revert-mips-add-pmd-table-accounting-into-mips-pmd_alloc_one.patch
+s390-ftrace-fix-ftrace_update_ftrace_func-implementation.patch
+alsa-usb-audio-add-registration-quirk-for-jbl-quantum-headsets.patch
+alsa-sb-fix-potential-abba-deadlock-in-csp-driver.patch
+xhci-fix-lost-usb-2-remote-wake.patch
--- /dev/null
+From 72f68bf5c756f5ce1139b31daae2684501383ad5 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 15 Jul 2021 18:06:51 +0300
+Subject: xhci: Fix lost USB 2 remote wake
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 72f68bf5c756f5ce1139b31daae2684501383ad5 upstream.
+
+There's a small window where a USB 2 remote wake may be left unhandled
+due to a race between hub thread and xhci port event interrupt handler.
+
+When the resume event is detected in the xhci interrupt handler it kicks
+the hub timer, which should move the port from resume to U0 once resume
+has been signalled for long enough.
+
+To keep the hub "thread" running we set a bus_state->resuming_ports flag.
+This flag makes sure hub timer function kicks itself.
+
+checking this flag was not properly protected by the spinlock. Flag was
+copied to a local variable before lock was taken. The local variable was
+then checked later with spinlock held.
+
+If interrupt is handled right after copying the flag to the local variable
+we end up stopping the hub thread before it can handle the USB 2 resume.
+
+CPU0 CPU1
+(hub thread) (xhci event handler)
+
+xhci_hub_status_data()
+status = bus_state->resuming_ports;
+ <Interrupt>
+ handle_port_status()
+ spin_lock()
+ bus_state->resuming_ports = 1
+ set_flag(HCD_FLAG_POLL_RH)
+ spin_unlock()
+spin_lock()
+if (!status)
+ clear_flag(HCD_FLAG_POLL_RH)
+spin_unlock()
+
+Fix this by taking the lock a bit earlier so that it covers
+the resuming_ports flag copy in the hub thread
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210715150651.1996099-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-hub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1458,11 +1458,12 @@ int xhci_hub_status_data(struct usb_hcd
+ * Inform the usbcore about resume-in-progress by returning
+ * a non-zero value even if there are no status changes.
+ */
++ spin_lock_irqsave(&xhci->lock, flags);
++
+ status = bus_state->resuming_ports;
+
+ mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC | PORT_CEC;
+
+- spin_lock_irqsave(&xhci->lock, flags);
+ /* For each port, did anything change? If so, set that bit in buf. */
+ for (i = 0; i < max_ports; i++) {
+ temp = readl(ports[i]->addr);
projects / thirdparty / kernel / stable-queue.git / commitdiff
