--- /dev/null
+From 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 Mon Sep 17 00:00:00 2001
+From: Pattara Teerapong <pteerapong@chromium.org>
+Date: Thu, 1 Sep 2022 14:40:36 +0000
+Subject: ALSA: aloop: Fix random zeros in capture data when using jiffies timer
+
+From: Pattara Teerapong <pteerapong@chromium.org>
+
+commit 3e48940abee88b8dbbeeaf8a07e7b2b6be1271b3 upstream.
+
+In loopback_jiffies_timer_pos_update(), we are getting jiffies twice.
+First time for playback, second time for capture. Jiffies can be updated
+between these two calls and if the capture jiffies is larger, extra zeros
+will be filled in the capture buffer.
+
+Change to get jiffies once and use it for both playback and capture.
+
+Signed-off-by: Pattara Teerapong <pteerapong@chromium.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220901144036.4049060-1-pteerapong@chromium.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/drivers/aloop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -605,17 +605,18 @@ static unsigned int loopback_jiffies_tim
+ cable->streams[SNDRV_PCM_STREAM_PLAYBACK];
+ struct loopback_pcm *dpcm_capt =
+ cable->streams[SNDRV_PCM_STREAM_CAPTURE];
+- unsigned long delta_play = 0, delta_capt = 0;
++ unsigned long delta_play = 0, delta_capt = 0, cur_jiffies;
+ unsigned int running, count1, count2;
+
++ cur_jiffies = jiffies;
+ running = cable->running ^ cable->pause;
+ if (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) {
+- delta_play = jiffies - dpcm_play->last_jiffies;
++ delta_play = cur_jiffies - dpcm_play->last_jiffies;
+ dpcm_play->last_jiffies += delta_play;
+ }
+
+ if (running & (1 << SNDRV_PCM_STREAM_CAPTURE)) {
+- delta_capt = jiffies - dpcm_capt->last_jiffies;
++ delta_capt = cur_jiffies - dpcm_capt->last_jiffies;
+ dpcm_capt->last_jiffies += delta_capt;
+ }
+
--- /dev/null
+From d29f59051d3a07b81281b2df2b8c9dfe4716067f Mon Sep 17 00:00:00 2001
+From: Tasos Sahanidis <tasos@tasossah.com>
+Date: Wed, 7 Sep 2022 04:18:00 +0300
+Subject: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
+
+From: Tasos Sahanidis <tasos@tasossah.com>
+
+commit d29f59051d3a07b81281b2df2b8c9dfe4716067f upstream.
+
+The voice allocator sometimes begins allocating from near the end of the
+array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
+accesses the newly allocated voices as if it never wrapped around.
+
+This results in out of bounds access if the first voice has a high enough
+index so that first_voice + requested_voice_count > NUM_G (64).
+The more voices are requested, the more likely it is for this to occur.
+
+This was initially discovered using PipeWire, however it can be reproduced
+by calling aplay multiple times with 16 channels:
+aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero
+
+UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
+index 65 is out of range for type 'snd_emu10k1_voice [64]'
+CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7
+Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010
+Call Trace:
+<TASK>
+dump_stack_lvl+0x49/0x63
+dump_stack+0x10/0x16
+ubsan_epilogue+0x9/0x3f
+__ubsan_handle_out_of_bounds.cold+0x44/0x49
+snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
+snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
+snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
+? exit_to_user_mode_prepare+0x35/0x170
+? do_syscall_64+0x69/0x90
+? syscall_exit_to_user_mode+0x26/0x50
+? do_syscall_64+0x69/0x90
+? exit_to_user_mode_prepare+0x35/0x170
+snd_pcm_ioctl+0x27/0x40 [snd_pcm]
+__x64_sys_ioctl+0x95/0xd0
+do_syscall_64+0x5c/0x90
+? do_syscall_64+0x69/0x90
+? do_syscall_64+0x69/0x90
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/3707dcab-320a-62ff-63c0-73fc201ef756@tasossah.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/emu10k1/emupcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/emu10k1/emupcm.c
++++ b/sound/pci/emu10k1/emupcm.c
+@@ -124,7 +124,7 @@ static int snd_emu10k1_pcm_channel_alloc
+ epcm->voices[0]->epcm = epcm;
+ if (voices > 1) {
+ for (i = 1; i < voices; i++) {
+- epcm->voices[i] = &epcm->emu->voices[epcm->voices[0]->number + i];
++ epcm->voices[i] = &epcm->emu->voices[(epcm->voices[0]->number + i) % NUM_G];
+ epcm->voices[i]->epcm = epcm;
+ }
+ }
--- /dev/null
+From 37137ec26c2c03039d8064c00f6eae176841ee0d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 6 Sep 2022 11:03:19 +0200
+Subject: ALSA: hda: Once again fix regression of page allocations with IOMMU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 37137ec26c2c03039d8064c00f6eae176841ee0d upstream.
+
+The last fix for trying to recover the regression on AMD platforms,
+unfortunately, leaded to yet another regression: it turned out that
+IOMMUs don't like the usage of raw page allocations.
+
+This is yet another attempt for addressing the log saga; at this time,
+we re-use the existing buffer allocation mechanism with SG-pages
+although we require only single pages. The SG buffer allocation
+itself was confirmed to work for stream buffers, so it's relatively
+easy to adapt for other places.
+
+The only problem is: although the HD-audio code is accessing the
+address directly via dmab->address field, SG-pages don't set up it.
+For the ease of adaption, we now set up the dmab->addr field from the
+address of the first page as default, so that it can run with the
+HD-audio driver code as-is without the excessive call of
+snd_sgbuf_get_addr() multiple times; that's the only change in the
+memalloc helper side. The rest is nothing but a flip of the dma_type
+field in the HD-audio side.
+
+Fixes: a8d302a0b770 ("ALSA: memalloc: Revive x86-specific WC page allocations again")
+Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/CABXGCsO+kB2t5QyHY-rUe76npr1m0-5JOtt8g8SiHUo34ur7Ww@mail.gmail.com
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216112
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216363
+Link: https://lore.kernel.org/r/20220906090319.23358-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/memalloc.c | 9 +++++++--
+ sound/pci/hda/hda_intel.c | 2 +-
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/core/memalloc.c
++++ b/sound/core/memalloc.c
+@@ -535,10 +535,13 @@ static void *snd_dma_noncontig_alloc(str
+ dmab->dev.need_sync = dma_need_sync(dmab->dev.dev,
+ sg_dma_address(sgt->sgl));
+ p = dma_vmap_noncontiguous(dmab->dev.dev, size, sgt);
+- if (p)
++ if (p) {
+ dmab->private_data = sgt;
+- else
++ /* store the first page address for convenience */
++ dmab->addr = snd_sgbuf_get_addr(dmab, 0);
++ } else {
+ dma_free_noncontiguous(dmab->dev.dev, size, sgt, dmab->dev.dir);
++ }
+ return p;
+ }
+
+@@ -772,6 +775,8 @@ static void *snd_dma_sg_fallback_alloc(s
+ if (!p)
+ goto error;
+ dmab->private_data = sgbuf;
++ /* store the first page address for convenience */
++ dmab->addr = snd_sgbuf_get_addr(dmab, 0);
+ return p;
+
+ error:
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1817,7 +1817,7 @@ static int azx_create(struct snd_card *c
+
+ /* use the non-cached pages in non-snoop mode */
+ if (!azx_snoop(chip))
+- azx_bus(chip)->dma_type = SNDRV_DMA_TYPE_DEV_WC;
++ azx_bus(chip)->dma_type = SNDRV_DMA_TYPE_DEV_WC_SG;
+
+ if (chip->driver_type == AZX_DRIVER_NVIDIA) {
+ dev_dbg(chip->card->dev, "Enable delay in RIRB handling\n");
--- /dev/null
+From 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 5 Sep 2022 08:07:14 +0200
+Subject: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream.
+
+There is a small race window at snd_pcm_oss_sync() that is called from
+OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
+snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
+for the rest. When the stream is set up again by another thread
+between them, it leads to inconsistency, and may result in unexpected
+results such as NULL dereference of OSS buffer as a fuzzer spotted
+recently.
+
+The fix is simply to cover snd_pcm_oss_make_ready() call into the same
+params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
+
+Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com
+Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/oss/pcm_oss.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1672,14 +1672,14 @@ static int snd_pcm_oss_sync(struct snd_p
+ runtime = substream->runtime;
+ if (atomic_read(&substream->mmap_count))
+ goto __direct;
+- err = snd_pcm_oss_make_ready(substream);
+- if (err < 0)
+- return err;
+ atomic_inc(&runtime->oss.rw_ref);
+ if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+ atomic_dec(&runtime->oss.rw_ref);
+ return -ERESTARTSYS;
+ }
++ err = snd_pcm_oss_make_ready_locked(substream);
++ if (err < 0)
++ goto unlock;
+ format = snd_pcm_oss_format_from(runtime->oss.format);
+ width = snd_pcm_format_physical_width(format);
+ if (runtime->oss.buffer_used > 0) {
--- /dev/null
+From 809f44a0cc5ad4b1209467a6287f8ac0eb49d393 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 7 Sep 2022 12:04:21 +0200
+Subject: ALSA: usb-audio: Clear fixed clock rate at closing EP
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 809f44a0cc5ad4b1209467a6287f8ac0eb49d393 upstream.
+
+The recent commit c11117b634f4 ("ALSA: usb-audio: Refcount multiple
+accesses on the single clock") tries to manage the clock rate shared
+by several endpoints. This was intended for avoiding the unmatched
+rate by a different endpoint, but unfortunately, it introduced a
+regression for PulseAudio and pipewire, too; those applications try to
+probe the multiple possible rates (44.1k and 48kHz) and setting up the
+normal rate fails but only the last rate is applied.
+
+The cause is that the last sample rate is still left to the clock
+reference even after closing the endpoint, and this value is still
+used at the next open. It happens only when applications set up via
+PCM prepare but don't start/stop the stream; the rate is reset when
+the stream is stopped, but it's not cleared at close.
+
+This patch addresses the issue above, simply by clearing the rate set
+in the clock reference at the last close of each endpoint.
+
+Fixes: c11117b634f4 ("ALSA: usb-audio: Refcount multiple accesses on the single clock")
+Reported-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Tested-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/all/YxXIWv8dYmg1tnXP@zx2c4.com/
+Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/2620
+Link: https://lore.kernel.org/r/20220907100421.6443-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -925,6 +925,8 @@ void snd_usb_endpoint_close(struct snd_u
+ endpoint_set_interface(chip, ep, false);
+
+ if (!--ep->opened) {
++ if (ep->clock_ref && !atomic_read(&ep->clock_ref->locked))
++ ep->clock_ref->rate = 0;
+ ep->iface = 0;
+ ep->altsetting = 0;
+ ep->cur_audiofmt = NULL;
--- /dev/null
+From e53f47f6c1a56d2af728909f1cb894da6b43d9bf Mon Sep 17 00:00:00 2001
+From: Dongxiang Ke <kdx.glider@gmail.com>
+Date: Tue, 6 Sep 2022 10:49:28 +0800
+Subject: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()
+
+From: Dongxiang Ke <kdx.glider@gmail.com>
+
+commit e53f47f6c1a56d2af728909f1cb894da6b43d9bf upstream.
+
+There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and
+the number of it's interfaces less than 4, an out-of-bounds read bug occurs
+when parsing the interface descriptor for this device.
+
+Fix this by checking the number of interfaces.
+
+Signed-off-by: Dongxiang Ke <kdx.glider@gmail.com>
+Link: https://lore.kernel.org/r/20220906024928.10951-1-kdx.glider@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -1105,7 +1105,7 @@ static int __snd_usb_parse_audio_interfa
+ * Dallas DS4201 workaround: It presents 5 altsettings, but the last
+ * one misses syncpipe, and does not produce any sound.
+ */
+- if (chip->usb_id == USB_ID(0x04fa, 0x4201))
++ if (chip->usb_id == USB_ID(0x04fa, 0x4201) && num >= 4)
+ num = 4;
+
+ for (i = 0; i < num; i++) {
--- /dev/null
+From ff878b408a03bef5d610b7e2302702e16a53636e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 1 Sep 2022 14:41:36 +0200
+Subject: ALSA: usb-audio: Split endpoint setups for hw_params and prepare
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ff878b408a03bef5d610b7e2302702e16a53636e upstream.
+
+One of the former changes for the endpoint management was the more
+consistent setup of endpoints at hw_params.
+snd_usb_endpoint_configure() is a single function that does the full
+setup, and it's called from both PCM hw_params and prepare callbacks.
+Although the EP setup at the prepare phase is usually skipped (by
+checking need_setup flag), it may be still effective in some cases
+like suspend/resume that requires the interface setup again.
+
+As it's a full and single setup, the invocation of
+snd_usb_endpoint_configure() includes not only the USB interface setup
+but also the buffer release and allocation. OTOH, doing the buffer
+release and re-allocation at PCM prepare phase is rather superfluous,
+and better to be done only in the hw_params phase.
+
+For those optimizations, this patch splits the endpoint setup to two
+phases: snd_usb_endpoint_set_params() and snd_usb_endpoint_prepare(),
+to be called from hw_params and from prepare, respectively.
+
+Note that this patch changes the driver operation slightly,
+effectively moving the USB interface setup again to PCM prepare stage
+instead of hw_params stage, while the buffer allocation and such
+initializations are still done at hw_params stage.
+
+And, the change of the USB interface setup timing (moving to prepare)
+gave an interesting "fix", too: it was reported that the recent
+kernels caused silent output at the beginning on playbacks on some
+devices on Android, and this change casually fixed the regression.
+It seems that those devices are picky about the sample rate change (or
+the interface change?), and don't follow the too immediate rate
+changes.
+
+Meanwhile, Android operates the PCM in the following order:
+- open, then hw_params with the possibly highest sample rate
+- close without prepare
+- re-open, hw_params with the normal sample rate
+- prepare, and start streaming
+This procedure ended up the hw_params twice with different rates, and
+because the recent kernel did set up the sample rate twice one and
+after, it screwed up the device. OTOH, the earlier kernels didn't set
+up the USB interface at hw_params, hence this problem didn't appear.
+
+Now, with this patch, the USB interface setup is again back to the
+prepare phase, and it works around the problem automagically.
+Although we should address the sample rate problem in a more solid
+way in future, let's keep things working as before for now.
+
+Fixes: bf6313a0ff76 ("ALSA: usb-audio: Refactor endpoint management")
+Cc: <stable@vger.kernel.org>
+Reported-by: chihhao chen <chihhao.chen@mediatek.com>
+Link: https://lore.kernel.org/r/87e6d6ae69d68dc588ac9acc8c0f24d6188375c3.camel@mediatek.com
+Link: https://lore.kernel.org/r/20220901124136.4984-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c | 23 +++++++++--------------
+ sound/usb/endpoint.h | 6 ++++--
+ sound/usb/pcm.c | 14 ++++++++++----
+ 3 files changed, 23 insertions(+), 20 deletions(-)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -758,7 +758,8 @@ bool snd_usb_endpoint_compatible(struct
+ * The endpoint needs to be closed via snd_usb_endpoint_close() later.
+ *
+ * Note that this function doesn't configure the endpoint. The substream
+- * needs to set it up later via snd_usb_endpoint_configure().
++ * needs to set it up later via snd_usb_endpoint_set_params() and
++ * snd_usb_endpoint_prepare().
+ */
+ struct snd_usb_endpoint *
+ snd_usb_endpoint_open(struct snd_usb_audio *chip,
+@@ -1290,12 +1291,13 @@ out_of_memory:
+ /*
+ * snd_usb_endpoint_set_params: configure an snd_usb_endpoint
+ *
++ * It's called either from hw_params callback.
+ * Determine the number of URBs to be used on this endpoint.
+ * An endpoint must be configured before it can be started.
+ * An endpoint that is already running can not be reconfigured.
+ */
+-static int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
+- struct snd_usb_endpoint *ep)
++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep)
+ {
+ const struct audioformat *fmt = ep->cur_audiofmt;
+ int err;
+@@ -1378,18 +1380,18 @@ static int init_sample_rate(struct snd_u
+ }
+
+ /*
+- * snd_usb_endpoint_configure: Configure the endpoint
++ * snd_usb_endpoint_prepare: Prepare the endpoint
+ *
+ * This function sets up the EP to be fully usable state.
+- * It's called either from hw_params or prepare callback.
++ * It's called either from prepare callback.
+ * The function checks need_setup flag, and performs nothing unless needed,
+ * so it's safe to call this multiple times.
+ *
+ * This returns zero if unchanged, 1 if the configuration has changed,
+ * or a negative error code.
+ */
+-int snd_usb_endpoint_configure(struct snd_usb_audio *chip,
+- struct snd_usb_endpoint *ep)
++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep)
+ {
+ bool iface_first;
+ int err = 0;
+@@ -1410,9 +1412,6 @@ int snd_usb_endpoint_configure(struct sn
+ if (err < 0)
+ goto unlock;
+ }
+- err = snd_usb_endpoint_set_params(chip, ep);
+- if (err < 0)
+- goto unlock;
+ goto done;
+ }
+
+@@ -1440,10 +1439,6 @@ int snd_usb_endpoint_configure(struct sn
+ if (err < 0)
+ goto unlock;
+
+- err = snd_usb_endpoint_set_params(chip, ep);
+- if (err < 0)
+- goto unlock;
+-
+ err = snd_usb_select_mode_quirk(chip, ep->cur_audiofmt);
+ if (err < 0)
+ goto unlock;
+--- a/sound/usb/endpoint.h
++++ b/sound/usb/endpoint.h
+@@ -17,8 +17,10 @@ snd_usb_endpoint_open(struct snd_usb_aud
+ bool is_sync_ep);
+ void snd_usb_endpoint_close(struct snd_usb_audio *chip,
+ struct snd_usb_endpoint *ep);
+-int snd_usb_endpoint_configure(struct snd_usb_audio *chip,
+- struct snd_usb_endpoint *ep);
++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep);
++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep);
+ int snd_usb_endpoint_get_clock_rate(struct snd_usb_audio *chip, int clock);
+
+ bool snd_usb_endpoint_compatible(struct snd_usb_audio *chip,
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -443,17 +443,17 @@ static int configure_endpoints(struct sn
+ if (stop_endpoints(subs, false))
+ sync_pending_stops(subs);
+ if (subs->sync_endpoint) {
+- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint);
++ err = snd_usb_endpoint_prepare(chip, subs->sync_endpoint);
+ if (err < 0)
+ return err;
+ }
+- err = snd_usb_endpoint_configure(chip, subs->data_endpoint);
++ err = snd_usb_endpoint_prepare(chip, subs->data_endpoint);
+ if (err < 0)
+ return err;
+ snd_usb_set_format_quirk(subs, subs->cur_audiofmt);
+ } else {
+ if (subs->sync_endpoint) {
+- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint);
++ err = snd_usb_endpoint_prepare(chip, subs->sync_endpoint);
+ if (err < 0)
+ return err;
+ }
+@@ -551,7 +551,13 @@ static int snd_usb_hw_params(struct snd_
+ subs->cur_audiofmt = fmt;
+ mutex_unlock(&chip->mutex);
+
+- ret = configure_endpoints(chip, subs);
++ if (subs->sync_endpoint) {
++ ret = snd_usb_endpoint_set_params(chip, subs->sync_endpoint);
++ if (ret < 0)
++ goto unlock;
++ }
++
++ ret = snd_usb_endpoint_set_params(chip, subs->data_endpoint);
+
+ unlock:
+ if (ret < 0)
--- /dev/null
+From d5b81ced74afded85619ffbbe9c32ba9d82c9b1e Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Wed, 31 Aug 2022 13:55:48 +0900
+Subject: btrfs: zoned: fix API misuse of zone finish waiting
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit d5b81ced74afded85619ffbbe9c32ba9d82c9b1e upstream.
+
+The commit 2ce543f47843 ("btrfs: zoned: wait until zone is finished when
+allocation didn't progress") implemented a zone finish waiting mechanism
+to the write path of zoned mode. However, using
+wait_var_event()/wake_up_all() on fs_info->zone_finish_wait is wrong and
+wait_var_event() just hangs because no one ever wakes it up once it goes
+into sleep.
+
+Instead, we can simply use wait_on_bit_io() and clear_and_wake_up_bit()
+on fs_info->flags with a proper barrier installed.
+
+Fixes: 2ce543f47843 ("btrfs: zoned: wait until zone is finished when allocation didn't progress")
+CC: stable@vger.kernel.org # 5.16+
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.h | 2 --
+ fs/btrfs/disk-io.c | 1 -
+ fs/btrfs/inode.c | 7 +++----
+ fs/btrfs/zoned.c | 3 +--
+ 4 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1065,8 +1065,6 @@ struct btrfs_fs_info {
+
+ spinlock_t zone_active_bgs_lock;
+ struct list_head zone_active_bgs;
+- /* Waiters when BTRFS_FS_NEED_ZONE_FINISH is set */
+- wait_queue_head_t zone_finish_wait;
+
+ #ifdef CONFIG_BTRFS_FS_REF_VERIFY
+ spinlock_t ref_verify_lock;
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3173,7 +3173,6 @@ void btrfs_init_fs_info(struct btrfs_fs_
+ init_waitqueue_head(&fs_info->transaction_blocked_wait);
+ init_waitqueue_head(&fs_info->async_submit_wait);
+ init_waitqueue_head(&fs_info->delayed_iputs_wait);
+- init_waitqueue_head(&fs_info->zone_finish_wait);
+
+ /* Usable values until the real ones are cached from the superblock */
+ fs_info->nodesize = 4096;
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1643,10 +1643,9 @@ static noinline int run_delalloc_zoned(s
+ done_offset = end;
+
+ if (done_offset == start) {
+- struct btrfs_fs_info *info = inode->root->fs_info;
+-
+- wait_var_event(&info->zone_finish_wait,
+- !test_bit(BTRFS_FS_NEED_ZONE_FINISH, &info->flags));
++ wait_on_bit_io(&inode->root->fs_info->flags,
++ BTRFS_FS_NEED_ZONE_FINISH,
++ TASK_UNINTERRUPTIBLE);
+ continue;
+ }
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -2016,8 +2016,7 @@ static int do_zone_finish(struct btrfs_b
+ /* For active_bg_list */
+ btrfs_put_block_group(block_group);
+
+- clear_bit(BTRFS_FS_NEED_ZONE_FINISH, &fs_info->flags);
+- wake_up_all(&fs_info->zone_finish_wait);
++ clear_and_wake_up_bit(BTRFS_FS_NEED_ZONE_FINISH, &fs_info->flags);
+
+ return 0;
+ }
--- /dev/null
+From cac5c44c48c9fb9cc31bea15ebd9ef0c6462314f Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Fri, 26 Aug 2022 16:42:15 +0900
+Subject: btrfs: zoned: set pseudo max append zone limit in zone emulation mode
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit cac5c44c48c9fb9cc31bea15ebd9ef0c6462314f upstream.
+
+The commit 7d7672bc5d10 ("btrfs: convert count_max_extents() to use
+fs_info->max_extent_size") introduced a division by
+fs_info->max_extent_size. This max_extent_size is initialized with max
+zone append limit size of the device btrfs runs on. However, in zone
+emulation mode, the device is not zoned then its zone append limit is
+zero. This resulted in zero value of fs_info->max_extent_size and caused
+zero division error.
+
+Fix the error by setting non-zero pseudo value to max append zone limit
+in zone emulation mode. Set the pseudo value based on max_segments as
+suggested in the commit c2ae7b772ef4 ("btrfs: zoned: revive
+max_zone_append_bytes").
+
+Fixes: 7d7672bc5d10 ("btrfs: convert count_max_extents() to use fs_info->max_extent_size")
+CC: stable@vger.kernel.org # 5.12+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -421,10 +421,19 @@ int btrfs_get_dev_zone_info(struct btrfs
+ * since btrfs adds the pages one by one to a bio, and btrfs cannot
+ * increase the metadata reservation even if it increases the number of
+ * extents, it is safe to stick with the limit.
++ *
++ * With the zoned emulation, we can have non-zoned device on the zoned
++ * mode. In this case, we don't have a valid max zone append size. So,
++ * use max_segments * PAGE_SIZE as the pseudo max_zone_append_size.
+ */
+- zone_info->max_zone_append_size =
+- min_t(u64, (u64)bdev_max_zone_append_sectors(bdev) << SECTOR_SHIFT,
+- (u64)bdev_max_segments(bdev) << PAGE_SHIFT);
++ if (bdev_is_zoned(bdev)) {
++ zone_info->max_zone_append_size = min_t(u64,
++ (u64)bdev_max_zone_append_sectors(bdev) << SECTOR_SHIFT,
++ (u64)bdev_max_segments(bdev) << PAGE_SHIFT);
++ } else {
++ zone_info->max_zone_append_size =
++ (u64)bdev_max_segments(bdev) << PAGE_SHIFT;
++ }
+ if (!IS_ALIGNED(nr_sectors, zone_sectors))
+ zone_info->nr_zones++;
+
--- /dev/null
+From 1efda38d6f9ba26ac88b359c6277f1172db03f1e Mon Sep 17 00:00:00 2001
+From: "Christian A. Ehrhardt" <lk@c--e.de>
+Date: Wed, 7 Sep 2022 22:09:17 +0200
+Subject: kprobes: Prohibit probes in gate area
+
+From: Christian A. Ehrhardt <lk@c--e.de>
+
+commit 1efda38d6f9ba26ac88b359c6277f1172db03f1e upstream.
+
+The system call gate area counts as kernel text but trying
+to install a kprobe in this area fails with an Oops later on.
+To fix this explicitly disallow the gate area for kprobes.
+
+Found by syzkaller with the following reproducer:
+perf_event_open$cgroup(&(0x7f00000001c0)={0x6, 0x80, 0x0, 0x0, 0x0, 0x0, 0x80ffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0x0, 0xffffffffff600000}}, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0)
+
+Sample report:
+BUG: unable to handle page fault for address: fffffbfff3ac6000
+PGD 6dfcb067 P4D 6dfcb067 PUD 6df8f067 PMD 6de4d067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
+CPU: 0 PID: 21978 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b-dirty #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:__insn_get_emulate_prefix arch/x86/lib/insn.c:91 [inline]
+RIP: 0010:insn_get_emulate_prefix arch/x86/lib/insn.c:106 [inline]
+RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1110 arch/x86/lib/insn.c:134
+Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 e5 4b 39 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 06 10 00 00 48 89 d8 48 89
+RSP: 0018:ffffc900088bf860 EFLAGS: 00010246
+RAX: 0000000000040000 RBX: ffffffff9b9bebc0 RCX: 0000000000000000
+RDX: 1ffffffff3ac6000 RSI: ffffc90002d82000 RDI: ffffc900088bf9e8
+RBP: ffffffff9d630001 R08: 0000000000000000 R09: ffffc900088bf9e8
+R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
+R13: ffffffff9d630000 R14: dffffc0000000000 R15: ffffffff9d630000
+FS: 00007f63eef63640(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff3ac6000 CR3: 0000000029d90005 CR4: 0000000000770ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ insn_get_prefixes arch/x86/lib/insn.c:131 [inline]
+ insn_get_opcode arch/x86/lib/insn.c:272 [inline]
+ insn_get_modrm+0x64a/0x7b0 arch/x86/lib/insn.c:343
+ insn_get_sib+0x29a/0x330 arch/x86/lib/insn.c:421
+ insn_get_displacement+0x350/0x6b0 arch/x86/lib/insn.c:464
+ insn_get_immediate arch/x86/lib/insn.c:632 [inline]
+ insn_get_length arch/x86/lib/insn.c:707 [inline]
+ insn_decode+0x43a/0x490 arch/x86/lib/insn.c:747
+ can_probe+0xfc/0x1d0 arch/x86/kernel/kprobes/core.c:282
+ arch_prepare_kprobe+0x79/0x1c0 arch/x86/kernel/kprobes/core.c:739
+ prepare_kprobe kernel/kprobes.c:1160 [inline]
+ register_kprobe kernel/kprobes.c:1641 [inline]
+ register_kprobe+0xb6e/0x1690 kernel/kprobes.c:1603
+ __register_trace_kprobe kernel/trace/trace_kprobe.c:509 [inline]
+ __register_trace_kprobe+0x26a/0x2d0 kernel/trace/trace_kprobe.c:477
+ create_local_trace_kprobe+0x1f7/0x350 kernel/trace/trace_kprobe.c:1833
+ perf_kprobe_init+0x18c/0x280 kernel/trace/trace_event_perf.c:271
+ perf_kprobe_event_init+0xf8/0x1c0 kernel/events/core.c:9888
+ perf_try_init_event+0x12d/0x570 kernel/events/core.c:11261
+ perf_init_event kernel/events/core.c:11325 [inline]
+ perf_event_alloc.part.0+0xf7f/0x36a0 kernel/events/core.c:11619
+ perf_event_alloc kernel/events/core.c:12059 [inline]
+ __do_sys_perf_event_open+0x4a8/0x2a00 kernel/events/core.c:12157
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f63ef7efaed
+Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f63eef63028 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
+RAX: ffffffffffffffda RBX: 00007f63ef90ff80 RCX: 00007f63ef7efaed
+RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 00000000200001c0
+RBP: 00007f63ef86019c R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000002 R14: 00007f63ef90ff80 R15: 00007f63eef43000
+ </TASK>
+Modules linked in:
+CR2: fffffbfff3ac6000
+---[ end trace 0000000000000000 ]---
+RIP: 0010:__insn_get_emulate_prefix arch/x86/lib/insn.c:91 [inline]
+RIP: 0010:insn_get_emulate_prefix arch/x86/lib/insn.c:106 [inline]
+RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1110 arch/x86/lib/insn.c:134
+Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 e5 4b 39 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 06 10 00 00 48 89 d8 48 89
+RSP: 0018:ffffc900088bf860 EFLAGS: 00010246
+RAX: 0000000000040000 RBX: ffffffff9b9bebc0 RCX: 0000000000000000
+RDX: 1ffffffff3ac6000 RSI: ffffc90002d82000 RDI: ffffc900088bf9e8
+RBP: ffffffff9d630001 R08: 0000000000000000 R09: ffffc900088bf9e8
+R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
+R13: ffffffff9d630000 R14: dffffc0000000000 R15: ffffffff9d630000
+FS: 00007f63eef63640(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff3ac6000 CR3: 0000000029d90005 CR4: 0000000000770ef0
+PKRU: 55555554
+==================================================================
+
+Link: https://lkml.kernel.org/r/20220907200917.654103-1-lk@c--e.de
+
+cc: "Naveen N. Rao" <naveen.n.rao@linux.ibm.com>
+cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+cc: "David S. Miller" <davem@davemloft.net>
+Cc: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1562,6 +1562,7 @@ static int check_kprobe_address_safe(str
+ /* Ensure it is not in reserved area nor out of text */
+ if (!(core_kernel_text((unsigned long) p->addr) ||
+ is_module_text_address((unsigned long) p->addr)) ||
++ in_gate_area_no_mm((unsigned long) p->addr) ||
+ within_kprobe_blacklist((unsigned long) p->addr) ||
+ jump_label_text_reserved(p->addr, p->addr) ||
+ static_call_text_reserved(p->addr, p->addr) ||
--- /dev/null
+From 20e0fbab16003ae23a9e86a64bcb93e3121587ca Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+Date: Tue, 30 Aug 2022 18:53:04 +0300
+Subject: perf: RISC-V: fix access beyond allocated array
+
+From: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+
+commit 20e0fbab16003ae23a9e86a64bcb93e3121587ca upstream.
+
+SBI firmware should report total number of firmware and hardware counters
+including unused ones or special ones. In this case the kernel doesn't need
+to make any assumptions about gaps in reported counters, e.g. excluded timer
+counter. That was fixed in OpenSBI v1.1 by commit 3f66465fb6bf ("lib: pmu:
+allow to use the highest available counter"). This kernel patch has no effect
+if SBI firmware behaves correctly. However it eliminates access beyond the
+allocated pmu_ctr_list if the kernel is used with OpenSBI older than v1.1.
+
+Fixes: e9991434596f ("RISC-V: Add perf platform driver based on SBI PMU extension")
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+Reviewed-by: Atish Patra <atishp@rivosinc.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220830155306.301714-2-geomatsi@gmail.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/perf/riscv_pmu_sbi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/perf/riscv_pmu_sbi.c
++++ b/drivers/perf/riscv_pmu_sbi.c
+@@ -467,7 +467,7 @@ static int pmu_sbi_get_ctrinfo(int nctr)
+ if (!pmu_ctr_list)
+ return -ENOMEM;
+
+- for (i = 0; i <= nctr; i++) {
++ for (i = 0; i < nctr; i++) {
+ ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_GET_INFO, i, 0, 0, 0, 0, 0);
+ if (ret.error)
+ /* The logical counter ids are not expected to be contiguous */
x86-sev-mark-snp_abort-noreturn.patch
drm-amdgpu-add-sdma-instance-check-for-gfx11-cgcg.patch
drm-amdgpu-mmvm_l2_cntl3-register-not-initialized-co.patch
+alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch
+alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch
+alsa-hda-once-again-fix-regression-of-page-allocations-with-iommu.patch
+alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch
+alsa-usb-audio-split-endpoint-setups-for-hw_params-and-prepare.patch
+alsa-usb-audio-clear-fixed-clock-rate-at-closing-ep.patch
+alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch
+tracefs-only-clobber-mode-uid-gid-on-remount-if-asked.patch
+tracing-hold-caller_addr-to-hardirq_-enable-disable-_ip.patch
+tracing-fix-to-check-event_mutex-is-held-while-accessing-trigger-list.patch
+btrfs-zoned-set-pseudo-max-append-zone-limit-in-zone-emulation-mode.patch
+btrfs-zoned-fix-api-misuse-of-zone-finish-waiting.patch
+vfio-type1-unpin-zero-pages.patch
+kprobes-prohibit-probes-in-gate-area.patch
+perf-risc-v-fix-access-beyond-allocated-array.patch
--- /dev/null
+From 47311db8e8f33011d90dee76b39c8886120cdda4 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 26 Aug 2022 17:44:17 -0700
+Subject: tracefs: Only clobber mode/uid/gid on remount if asked
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 47311db8e8f33011d90dee76b39c8886120cdda4 upstream.
+
+Users may have explicitly configured their tracefs permissions; we
+shouldn't overwrite those just because a second mount appeared.
+
+Only clobber if the options were provided at mount time.
+
+Note: the previous behavior was especially surprising in the presence of
+automounted /sys/kernel/debug/tracing/.
+
+Existing behavior:
+
+ ## Pre-existing status: tracefs is 0755.
+ # stat -c '%A' /sys/kernel/tracing/
+ drwxr-xr-x
+
+ ## (Re)trigger the automount.
+ # umount /sys/kernel/debug/tracing
+ # stat -c '%A' /sys/kernel/debug/tracing/.
+ drwx------
+
+ ## Unexpected: the automount changed mode for other mount instances.
+ # stat -c '%A' /sys/kernel/tracing/
+ drwx------
+
+New behavior (after this change):
+
+ ## Pre-existing status: tracefs is 0755.
+ # stat -c '%A' /sys/kernel/tracing/
+ drwxr-xr-x
+
+ ## (Re)trigger the automount.
+ # umount /sys/kernel/debug/tracing
+ # stat -c '%A' /sys/kernel/debug/tracing/.
+ drwxr-xr-x
+
+ ## Expected: the automount does not change other mount instances.
+ # stat -c '%A' /sys/kernel/tracing/
+ drwxr-xr-x
+
+Link: https://lkml.kernel.org/r/20220826174353.2.Iab6e5ea57963d6deca5311b27fb7226790d44406@changeid
+
+Cc: stable@vger.kernel.org
+Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/tracefs/inode.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -141,6 +141,8 @@ struct tracefs_mount_opts {
+ kuid_t uid;
+ kgid_t gid;
+ umode_t mode;
++ /* Opt_* bitfield. */
++ unsigned int opts;
+ };
+
+ enum {
+@@ -241,6 +243,7 @@ static int tracefs_parse_options(char *d
+ kgid_t gid;
+ char *p;
+
++ opts->opts = 0;
+ opts->mode = TRACEFS_DEFAULT_MODE;
+
+ while ((p = strsep(&data, ",")) != NULL) {
+@@ -275,24 +278,36 @@ static int tracefs_parse_options(char *d
+ * but traditionally tracefs has ignored all mount options
+ */
+ }
++
++ opts->opts |= BIT(token);
+ }
+
+ return 0;
+ }
+
+-static int tracefs_apply_options(struct super_block *sb)
++static int tracefs_apply_options(struct super_block *sb, bool remount)
+ {
+ struct tracefs_fs_info *fsi = sb->s_fs_info;
+ struct inode *inode = d_inode(sb->s_root);
+ struct tracefs_mount_opts *opts = &fsi->mount_opts;
+
+- inode->i_mode &= ~S_IALLUGO;
+- inode->i_mode |= opts->mode;
++ /*
++ * On remount, only reset mode/uid/gid if they were provided as mount
++ * options.
++ */
++
++ if (!remount || opts->opts & BIT(Opt_mode)) {
++ inode->i_mode &= ~S_IALLUGO;
++ inode->i_mode |= opts->mode;
++ }
+
+- inode->i_uid = opts->uid;
++ if (!remount || opts->opts & BIT(Opt_uid))
++ inode->i_uid = opts->uid;
+
+- /* Set all the group ids to the mount option */
+- set_gid(sb->s_root, opts->gid);
++ if (!remount || opts->opts & BIT(Opt_gid)) {
++ /* Set all the group ids to the mount option */
++ set_gid(sb->s_root, opts->gid);
++ }
+
+ return 0;
+ }
+@@ -307,7 +322,7 @@ static int tracefs_remount(struct super_
+ if (err)
+ goto fail;
+
+- tracefs_apply_options(sb);
++ tracefs_apply_options(sb, true);
+
+ fail:
+ return err;
+@@ -359,7 +374,7 @@ static int trace_fill_super(struct super
+
+ sb->s_op = &tracefs_super_operations;
+
+- tracefs_apply_options(sb);
++ tracefs_apply_options(sb, false);
+
+ return 0;
+
--- /dev/null
+From cecf8e128ec69149fe53c9a7bafa505a4bee25d9 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Sun, 4 Sep 2022 13:12:29 +0900
+Subject: tracing: Fix to check event_mutex is held while accessing trigger list
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit cecf8e128ec69149fe53c9a7bafa505a4bee25d9 upstream.
+
+Since the check_user_trigger() is called outside of RCU
+read lock, this list_for_each_entry_rcu() caused a suspicious
+RCU usage warning.
+
+ # echo hist:keys=pid > events/sched/sched_stat_runtime/trigger
+ # cat events/sched/sched_stat_runtime/trigger
+[ 43.167032]
+[ 43.167418] =============================
+[ 43.167992] WARNING: suspicious RCU usage
+[ 43.168567] 5.19.0-rc5-00029-g19ebe4651abf #59 Not tainted
+[ 43.169283] -----------------------------
+[ 43.169863] kernel/trace/trace_events_trigger.c:145 RCU-list traversed in non-reader section!!
+...
+
+However, this file->triggers list is safe when it is accessed
+under event_mutex is held.
+To fix this warning, adds a lockdep_is_held check to the
+list_for_each_entry_rcu().
+
+Link: https://lkml.kernel.org/r/166226474977.223837.1992182913048377113.stgit@devnote2
+
+Cc: stable@vger.kernel.org
+Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_trigger.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -142,7 +142,8 @@ static bool check_user_trigger(struct tr
+ {
+ struct event_trigger_data *data;
+
+- list_for_each_entry_rcu(data, &file->triggers, list) {
++ list_for_each_entry_rcu(data, &file->triggers, list,
++ lockdep_is_held(&event_mutex)) {
+ if (data->flags & EVENT_TRIGGER_FL_PROBE)
+ continue;
+ return true;
--- /dev/null
+From 54c3931957f6a6194d5972eccc36d052964b2abe Mon Sep 17 00:00:00 2001
+From: Yipeng Zou <zouyipeng@huawei.com>
+Date: Thu, 1 Sep 2022 18:45:14 +0800
+Subject: tracing: hold caller_addr to hardirq_{enable,disable}_ip
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+commit 54c3931957f6a6194d5972eccc36d052964b2abe upstream.
+
+Currently, The arguments passing to lockdep_hardirqs_{on,off} was fixed
+in CALLER_ADDR0.
+The function trace_hardirqs_on_caller should have been intended to use
+caller_addr to represent the address that caller wants to be traced.
+
+For example, lockdep log in riscv showing the last {enabled,disabled} at
+__trace_hardirqs_{on,off} all the time(if called by):
+[ 57.853175] hardirqs last enabled at (2519): __trace_hardirqs_on+0xc/0x14
+[ 57.853848] hardirqs last disabled at (2520): __trace_hardirqs_off+0xc/0x14
+
+After use trace_hardirqs_xx_caller, we can get more effective information:
+[ 53.781428] hardirqs last enabled at (2595): restore_all+0xe/0x66
+[ 53.782185] hardirqs last disabled at (2596): ret_from_exception+0xa/0x10
+
+Link: https://lkml.kernel.org/r/20220901104515.135162-2-zouyipeng@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: c3bc8fd637a96 ("tracing: Centralize preemptirq tracepoints and unify their usage")
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_preemptirq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_preemptirq.c
++++ b/kernel/trace/trace_preemptirq.c
+@@ -95,14 +95,14 @@ __visible void trace_hardirqs_on_caller(
+ }
+
+ lockdep_hardirqs_on_prepare();
+- lockdep_hardirqs_on(CALLER_ADDR0);
++ lockdep_hardirqs_on(caller_addr);
+ }
+ EXPORT_SYMBOL(trace_hardirqs_on_caller);
+ NOKPROBE_SYMBOL(trace_hardirqs_on_caller);
+
+ __visible void trace_hardirqs_off_caller(unsigned long caller_addr)
+ {
+- lockdep_hardirqs_off(CALLER_ADDR0);
++ lockdep_hardirqs_off(caller_addr);
+
+ if (!this_cpu_read(tracing_irq_cpu)) {
+ this_cpu_write(tracing_irq_cpu, 1);
--- /dev/null
+From 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 29 Aug 2022 21:05:40 -0600
+Subject: vfio/type1: Unpin zero pages
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 upstream.
+
+There's currently a reference count leak on the zero page. We increment
+the reference via pin_user_pages_remote(), but the page is later handled
+as an invalid/reserved page, therefore it's not accounted against the
+user and not unpinned by our put_pfn().
+
+Introducing special zero page handling in put_pfn() would resolve the
+leak, but without accounting of the zero page, a single user could
+still create enough mappings to generate a reference count overflow.
+
+The zero page is always resident, so for our purposes there's no reason
+to keep it pinned. Therefore, add a loop to walk pages returned from
+pin_user_pages_remote() and unpin any zero pages.
+
+Cc: stable@vger.kernel.org
+Reported-by: Luboslav Pivarc <lpivarc@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Link: https://lore.kernel.org/r/166182871735.3518559.8884121293045337358.stgit@omen
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -557,6 +557,18 @@ static int vaddr_get_pfns(struct mm_stru
+ ret = pin_user_pages_remote(mm, vaddr, npages, flags | FOLL_LONGTERM,
+ pages, NULL, NULL);
+ if (ret > 0) {
++ int i;
++
++ /*
++ * The zero page is always resident, we don't need to pin it
++ * and it falls into our invalid/reserved test so we don't
++ * unpin in put_pfn(). Unpin all zero pages in the batch here.
++ */
++ for (i = 0 ; i < ret; i++) {
++ if (unlikely(is_zero_pfn(page_to_pfn(pages[i]))))
++ unpin_user_page(pages[i]);
++ }
++
+ *pfn = page_to_pfn(pages[0]);
+ goto done;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
