--- /dev/null
+From 99bf5b0baac941176a6a3d5cef7705b29808de34 Mon Sep 17 00:00:00 2001
+From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+Date: Mon, 4 Sep 2023 17:00:33 +0100
+Subject: ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs.
+
+From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+
+commit 99bf5b0baac941176a6a3d5cef7705b29808de34 upstream.
+
+Recently in v6.3-rc1 there was a change affecting behaviour of hrtimers
+(commit 0c52310f260014d95c1310364379772cb74cf82d) and causing
+few issues on platforms with two CS42L42 codecs. Canonical/Dell
+has reported an issue with Vostro-3910.
+We need to increase this value by 15ms.
+
+Link: https://bugs.launchpad.net/somerville/+bug/2031060
+Fixes: 9fb9fa18fb50 ("ALSA: hda/cirrus: Add extra 10 ms delay to allow PLL settle and lock.")
+Signed-off-by: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20230904160033.908135-1-vitalyr@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_cs8409.c | 2 +-
+ sound/pci/hda/patch_cs8409.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_cs8409.c
++++ b/sound/pci/hda/patch_cs8409.c
+@@ -888,7 +888,7 @@ static void cs42l42_resume(struct sub_co
+
+ /* Initialize CS42L42 companion codec */
+ cs8409_i2c_bulk_write(cs42l42, cs42l42->init_seq, cs42l42->init_seq_num);
+- usleep_range(30000, 35000);
++ msleep(CS42L42_INIT_TIMEOUT_MS);
+
+ /* Clear interrupts, by reading interrupt status registers */
+ cs8409_i2c_bulk_read(cs42l42, irq_regs, ARRAY_SIZE(irq_regs));
+--- a/sound/pci/hda/patch_cs8409.h
++++ b/sound/pci/hda/patch_cs8409.h
+@@ -229,6 +229,7 @@ enum cs8409_coefficient_index_registers
+ #define CS42L42_I2C_SLEEP_US (2000)
+ #define CS42L42_PDN_TIMEOUT_US (250000)
+ #define CS42L42_PDN_SLEEP_US (2000)
++#define CS42L42_INIT_TIMEOUT_MS (45)
+ #define CS42L42_FULL_SCALE_VOL_MASK (2)
+ #define CS42L42_FULL_SCALE_VOL_0DB (1)
+ #define CS42L42_FULL_SCALE_VOL_MINUS6DB (0)
--- /dev/null
+From 86496fd4a2fabb7c978fdaca2d4b718207a96d36 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 5 Sep 2023 10:12:10 +0200
+Subject: ALSA: seq: Fix snd_seq_expand_var_event() call to user-space
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 86496fd4a2fabb7c978fdaca2d4b718207a96d36 upstream.
+
+The recent fix to clear the padding bytes at
+snd_seq_expand_var_event() broke the read to user-space with
+in_kernel=0 parameter. For user-space address, it has to use
+clear_user() instead of memset().
+
+Fixes: f80e6d60d677 ("ALSA: seq: Clear padded bytes at expanding events")
+Reported-and-tested-by: Ash Holland <ash@sorrel.sh>
+Closes: https://lore.kernel.org/r/8a555319-9f31-4ea2-878f-adc338bc40d4@sorrel.sh
+Link: https://lore.kernel.org/r/20230905052631.18240-1-tiwai@suse.de
+Link: https://lore.kernel.org/r/20230905081210.6731-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/seq/seq_memory.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -187,8 +187,13 @@ int snd_seq_expand_var_event(const struc
+ err = expand_var_event(event, 0, len, buf, in_kernel);
+ if (err < 0)
+ return err;
+- if (len != newlen)
+- memset(buf + len, 0, newlen - len);
++ if (len != newlen) {
++ if (in_kernel)
++ memset(buf + len, 0, newlen - len);
++ else if (clear_user((__force void __user *)buf + len,
++ newlen - len))
++ return -EFAULT;
++ }
+ return newlen;
+ }
+ EXPORT_SYMBOL(snd_seq_expand_var_event);
--- /dev/null
+From b1757fa30ef14f254f4719bf6f7d54a4c8207216 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 5 Sep 2023 07:45:11 +0200
+Subject: ALSA: usb-audio: Fix potential memory leaks at error path for UMP open
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b1757fa30ef14f254f4719bf6f7d54a4c8207216 upstream.
+
+The allocation and initialization errors at alloc_midi_urbs() that is
+called at MIDI 2.0 / UMP device are supposed to be handled at the
+caller side by invoking free_midi_urbs(). However, free_midi_urbs()
+loops only for ep->num_urbs entries, and since ep->num_entries wasn't
+updated yet at the allocation / init error in alloc_midi_urbs(), this
+entry won't be released.
+
+The intention of free_midi_urbs() is to release the whole elements, so
+change the loop size to NUM_URBS to scan over all elements for fixing
+the missed releases.
+
+Also, the call of free_midi_urbs() is missing at
+snd_usb_midi_v2_open(). Although it'll be released later at
+reopen/close or disconnection, it's better to release immediately at
+the error path.
+
+Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
+Reported-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Closes: https://lore.kernel.org/r/fc275ed315b9157952dcf2744ee7bdb78defdb5f.1693746347.git.christophe.jaillet@wanadoo.fr
+Link: https://lore.kernel.org/r/20230905054511.20502-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/midi2.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/midi2.c
++++ b/sound/usb/midi2.c
+@@ -265,7 +265,7 @@ static void free_midi_urbs(struct snd_us
+
+ if (!ep)
+ return;
+- for (i = 0; i < ep->num_urbs; ++i) {
++ for (i = 0; i < NUM_URBS; ++i) {
+ ctx = &ep->urbs[i];
+ if (!ctx->urb)
+ break;
+@@ -279,6 +279,7 @@ static void free_midi_urbs(struct snd_us
+ }
+
+ /* allocate URBs for an EP */
++/* the callers should handle allocation errors via free_midi_urbs() */
+ static int alloc_midi_urbs(struct snd_usb_midi2_endpoint *ep)
+ {
+ struct snd_usb_midi2_urb *ctx;
+@@ -351,8 +352,10 @@ static int snd_usb_midi_v2_open(struct s
+ return -EIO;
+ if (ep->direction == STR_OUT) {
+ err = alloc_midi_urbs(ep);
+- if (err)
++ if (err) {
++ free_midi_urbs(ep);
+ return err;
++ }
+ }
+ return 0;
+ }
--- /dev/null
+From 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 7 Sep 2023 09:54:11 +0100
+Subject: arm64: csum: Fix OoB access in IP checksum code for negative lengths
+
+From: Will Deacon <will@kernel.org>
+
+commit 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 upstream.
+
+Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length
+calls") added an early return for zero-length input, syzkaller has
+popped up with an example of a _negative_ length which causes an
+undefined shift and an out-of-bounds read:
+
+ | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
+ | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975
+ |
+ | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0
+ | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
+ | Call trace:
+ | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
+ | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
+ | __dump_stack lib/dump_stack.c:88 [inline]
+ | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
+ | print_address_description mm/kasan/report.c:351 [inline]
+ | print_report+0x174/0x514 mm/kasan/report.c:462
+ | kasan_report+0xd4/0x130 mm/kasan/report.c:572
+ | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187
+ | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31
+ | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
+ | csum_partial+0x30/0x58 lib/checksum.c:128
+ | gso_make_checksum include/linux/skbuff.h:4928 [inline]
+ | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332
+ | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47
+ | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119
+ | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141
+ | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401
+ | skb_gso_segment include/linux/netdevice.h:4859 [inline]
+ | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659
+ | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709
+ | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327
+ | __dev_xmit_skb net/core/dev.c:3805 [inline]
+ | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210
+ | dev_queue_xmit include/linux/netdevice.h:3085 [inline]
+ | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276
+ | packet_snd net/packet/af_packet.c:3081 [inline]
+ | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113
+ | sock_sendmsg_nosec net/socket.c:724 [inline]
+ | sock_sendmsg net/socket.c:747 [inline]
+ | __sys_sendto+0x3b4/0x538 net/socket.c:2144
+
+Extend the early return to reject negative lengths as well, aligning our
+implementation with the generic code in lib/checksum.c
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Fixes: 5777eaed566a ("arm64: Implement optimised checksum routine")
+Reported-by: syzbot+4a9f9820bd8d302e22f7@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/000000000000e0e94c0603f8d213@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/lib/csum.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/lib/csum.c
++++ b/arch/arm64/lib/csum.c
+@@ -24,7 +24,7 @@ unsigned int __no_sanitize_address do_cs
+ const u64 *ptr;
+ u64 data, sum64 = 0;
+
+- if (unlikely(len == 0))
++ if (unlikely(len <= 0))
+ return 0;
+
+ offset = (unsigned long)buff & 7;
--- /dev/null
+From bd6fc5da4c51107e1e0cec4a3a07963d1dae2c84 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi <krisman@suse.de>
+Date: Mon, 28 Aug 2023 19:42:49 -0400
+Subject: io_uring: Don't set affinity on a dying sqpoll thread
+
+From: Gabriel Krisman Bertazi <krisman@suse.de>
+
+commit bd6fc5da4c51107e1e0cec4a3a07963d1dae2c84 upstream.
+
+Syzbot reported a null-ptr-deref of sqd->thread inside
+io_sqpoll_wq_cpu_affinity. It turns out the sqd->thread can go away
+from under us during io_uring_register, in case the process gets a
+fatal signal during io_uring_register.
+
+It is not particularly hard to hit the race, and while I am not sure
+this is the exact case hit by syzbot, it solves it. Finally, checking
+->thread is enough to close the race because we locked sqd while
+"parking" the thread, thus preventing it from going away.
+
+I reproduced it fairly consistently with a program that does:
+
+int main(void) {
+ ...
+ io_uring_queue_init(RING_LEN, &ring1, IORING_SETUP_SQPOLL);
+ while (1) {
+ io_uring_register_iowq_aff(ring, 1, &mask);
+ }
+}
+
+Executed in a loop with timeout to trigger SIGTERM:
+ while true; do timeout 1 /a.out ; done
+
+This will hit the following BUG() in very few attempts.
+
+BUG: kernel NULL pointer dereference, address: 00000000000007a8
+PGD 800000010e949067 P4D 800000010e949067 PUD 10e46e067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 0 PID: 15715 Comm: dead-sqpoll Not tainted 6.5.0-rc7-next-20230825-g193296236fa0-dirty #23
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+RIP: 0010:io_sqpoll_wq_cpu_affinity+0x27/0x70
+Code: 90 90 90 0f 1f 44 00 00 55 53 48 8b 9f 98 03 00 00 48 85 db 74 4f
+48 89 df 48 89 f5 e8 e2 f8 ff ff 48 8b 43 38 48 85 c0 74 22 <48> 8b b8
+a8 07 00 00 48 89 ee e8 ba b1 00 00 48 89 df 89 c5 e8 70
+RSP: 0018:ffffb04040ea7e70 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff93c010749e40 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: ffffffffa7653331 RDI: 00000000ffffffff
+RBP: ffffb04040ea7eb8 R08: 0000000000000000 R09: c0000000ffffdfff
+R10: ffff93c01141b600 R11: ffffb04040ea7d18 R12: ffff93c00ea74840
+R13: 0000000000000011 R14: 0000000000000000 R15: ffff93c00ea74800
+FS: 00007fb7c276ab80(0000) GS:ffff93c36f200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000007a8 CR3: 0000000111634003 CR4: 0000000000370ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? __die_body+0x1a/0x60
+ ? page_fault_oops+0x154/0x440
+ ? do_user_addr_fault+0x174/0x7b0
+ ? exc_page_fault+0x63/0x140
+ ? asm_exc_page_fault+0x22/0x30
+ ? io_sqpoll_wq_cpu_affinity+0x27/0x70
+ __io_register_iowq_aff+0x2b/0x60
+ __io_uring_register+0x614/0xa70
+ __x64_sys_io_uring_register+0xaa/0x1a0
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+RIP: 0033:0x7fb7c226fec9
+Code: 2e 00 b8 ca 00 00 00 0f 05 eb a5 66 0f 1f 44 00 00 48 89 f8 48 89
+f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
+f0 ff ff 73 01 c3 48 8b 0d 97 7f 2d 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffe2c0674f8 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb7c226fec9
+RDX: 00007ffe2c067530 RSI: 0000000000000011 RDI: 0000000000000003
+RBP: 00007ffe2c0675d0 R08: 00007ffe2c067550 R09: 00007ffe2c067550
+R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffe2c067750 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+Modules linked in:
+CR2: 00000000000007a8
+---[ end trace 0000000000000000 ]---
+
+Reported-by: syzbot+c74fea926a78b8a91042@syzkaller.appspotmail.com
+Fixes: ebdfefc09c6d ("io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used")
+Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
+Link: https://lore.kernel.org/r/87v8cybuo6.fsf@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/sqpoll.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/io_uring/sqpoll.c
++++ b/io_uring/sqpoll.c
+@@ -430,7 +430,9 @@ __cold int io_sqpoll_wq_cpu_affinity(str
+
+ if (sqd) {
+ io_sq_thread_park(sqd);
+- ret = io_wq_cpu_affinity(sqd->thread->io_uring, mask);
++ /* Don't set affinity for a dying thread */
++ if (sqd->thread)
++ ret = io_wq_cpu_affinity(sqd->thread->io_uring, mask);
+ io_sq_thread_unpark(sqd);
+ }
+
--- /dev/null
+From 2a2015495142ee0a35711b5dcf7b215c31489f27 Mon Sep 17 00:00:00 2001
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Date: Wed, 30 Aug 2023 18:11:48 +0800
+Subject: selftests/landlock: Fix a resource leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+
+commit 2a2015495142ee0a35711b5dcf7b215c31489f27 upstream.
+
+The opened file should be closed before return, otherwise resource leak
+will occur.
+
+Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Link: https://lore.kernel.org/r/20230830101148.3738-1-dingxiang@cmss.chinamobile.com
+Fixes: 3de64b656b3c ("selftests/landlock: Add supports_filesystem() helper")
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/landlock/fs_test.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -113,7 +113,7 @@ static bool supports_filesystem(const ch
+ {
+ char str[32];
+ int len;
+- bool res;
++ bool res = true;
+ FILE *const inf = fopen("/proc/filesystems", "r");
+
+ /*
+@@ -125,14 +125,16 @@ static bool supports_filesystem(const ch
+
+ /* filesystem can be null for bind mounts. */
+ if (!filesystem)
+- return true;
++ goto out;
+
+ len = snprintf(str, sizeof(str), "nodev\t%s\n", filesystem);
+ if (len >= sizeof(str))
+ /* Ignores too-long filesystem names. */
+- return true;
++ goto out;
+
+ res = fgrep(inf, str);
++
++out:
+ fclose(inf);
+ return res;
+ }
powercap-intel_rapl-fix-invalid-setting-of-power-limit-4.patch
powerpc-ftrace-fix-dropping-weak-symbols-with-older-toolchains.patch
i3c-master-svc-fix-probe-failure-when-no-i3c-device-exist.patch
+io_uring-don-t-set-affinity-on-a-dying-sqpoll-thread.patch
+arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
+alsa-usb-audio-fix-potential-memory-leaks-at-error-path-for-ump-open.patch
+alsa-seq-fix-snd_seq_expand_var_event-call-to-user-space.patch
+alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch
+selftests-landlock-fix-a-resource-leak.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
