--- /dev/null
+From 168632a495f49f33a18c2d502fc249d7610375e9 Mon Sep 17 00:00:00 2001
+From: Jonas Holmberg <jonashg@axis.com>
+Date: Wed, 7 Apr 2021 09:54:28 +0200
+Subject: ALSA: aloop: Fix initialization of controls
+
+From: Jonas Holmberg <jonashg@axis.com>
+
+commit 168632a495f49f33a18c2d502fc249d7610375e9 upstream.
+
+Add a control to the card before copying the id so that the numid field
+is initialized in the copy. Otherwise the numid field of active_id,
+format_id, rate_id and channels_id will be the same (0) and
+snd_ctl_notify() will not queue the events properly.
+
+Signed-off-by: Jonas Holmberg <jonashg@axis.com>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210407075428.2666787-1-jonashg@axis.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/drivers/aloop.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -1035,6 +1035,14 @@ static int loopback_mixer_new(struct loo
+ return -ENOMEM;
+ kctl->id.device = dev;
+ kctl->id.subdevice = substr;
++
++ /* Add the control before copying the id so that
++ * the numid field of the id is set in the copy.
++ */
++ err = snd_ctl_add(card, kctl);
++ if (err < 0)
++ return err;
++
+ switch (idx) {
+ case ACTIVE_IDX:
+ setup->active_id = kctl->id;
+@@ -1051,9 +1059,6 @@ static int loopback_mixer_new(struct loo
+ default:
+ break;
+ }
+- err = snd_ctl_add(card, kctl);
+- if (err < 0)
+- return err;
+ }
+ }
+ }
--- /dev/null
+From c8426b2700b57d2760ff335840a02f66a64b6044 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 7 Apr 2021 11:57:30 +0200
+Subject: ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c8426b2700b57d2760ff335840a02f66a64b6044 upstream.
+
+We've got a report about Acer Aspire E1 (PCI SSID 1025:0840) that
+loses the speaker output after resume. With the comparison of COEF
+dumps, it was identified that the COEF 0x0d bits 0x6000 corresponds to
+the speaker amp.
+
+This patch adds the specific quirk for the device to restore the COEF
+bits at the codec (re-)initialization.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1183869
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210407095730.12560-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3917,6 +3917,15 @@ static void alc271_fixup_dmic(struct hda
+ snd_hda_sequence_write(codec, verbs);
+ }
+
++/* Fix the speaker amp after resume, etc */
++static void alc269vb_fixup_aspire_e1_coef(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ if (action == HDA_FIXUP_ACT_INIT)
++ alc_update_coef_idx(codec, 0x0d, 0x6000, 0x6000);
++}
++
+ static void alc269_fixup_pcm_44k(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -6220,6 +6229,7 @@ enum {
+ ALC283_FIXUP_HEADSET_MIC,
+ ALC255_FIXUP_MIC_MUTE_LED,
+ ALC282_FIXUP_ASPIRE_V5_PINS,
++ ALC269VB_FIXUP_ASPIRE_E1_COEF,
+ ALC280_FIXUP_HP_GPIO4,
+ ALC286_FIXUP_HP_GPIO_LED,
+ ALC280_FIXUP_HP_GPIO2_MIC_HOTKEY,
+@@ -6890,6 +6900,10 @@ static const struct hda_fixup alc269_fix
+ { },
+ },
+ },
++ [ALC269VB_FIXUP_ASPIRE_E1_COEF] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc269vb_fixup_aspire_e1_coef,
++ },
+ [ALC280_FIXUP_HP_GPIO4] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc280_fixup_hp_gpio4,
+@@ -7764,6 +7778,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1025, 0x0762, "Acer Aspire E1-472", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572),
+ SND_PCI_QUIRK(0x1025, 0x0775, "Acer Aspire E1-572", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572),
+ SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS),
++ SND_PCI_QUIRK(0x1025, 0x0840, "Acer Aspire E1", ALC269VB_FIXUP_ASPIRE_E1_COEF),
+ SND_PCI_QUIRK(0x1025, 0x101c, "Acer Veriton N2510G", ALC269_FIXUP_LIFEBOOK),
+ SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1025, 0x1065, "Acer Aspire C20-820", ALC269VC_FIXUP_ACER_HEADSET_MIC),
+@@ -8240,6 +8255,7 @@ static const struct hda_model_fixup alc2
+ {.id = ALC283_FIXUP_HEADSET_MIC, .name = "alc283-headset"},
+ {.id = ALC255_FIXUP_MIC_MUTE_LED, .name = "alc255-dell-mute"},
+ {.id = ALC282_FIXUP_ASPIRE_V5_PINS, .name = "aspire-v5"},
++ {.id = ALC269VB_FIXUP_ASPIRE_E1_COEF, .name = "aspire-e1-coef"},
+ {.id = ALC280_FIXUP_HP_GPIO4, .name = "hp-gpio4"},
+ {.id = ALC286_FIXUP_HP_GPIO_LED, .name = "hp-gpio-led"},
+ {.id = ALC280_FIXUP_HP_GPIO2_MIC_HOTKEY, .name = "hp-gpio2-hotkey"},
--- /dev/null
+From aa65bacdb70e549a81de03ec72338e1047842883 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 24 Mar 2021 14:27:10 +0100
+Subject: ASoC: intel: atom: Stop advertising non working S24LE support
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit aa65bacdb70e549a81de03ec72338e1047842883 upstream.
+
+The SST firmware's media and deep-buffer inputs are hardcoded to
+S16LE, the corresponding DAIs don't have a hw_params callback and
+their prepare callback also does not take the format into account.
+
+So far the advertising of non working S24LE support has not caused
+issues because pulseaudio defaults to S16LE, but changing pulse-audio's
+config to use S24LE will result in broken sound.
+
+Pipewire is replacing pulse now and pipewire prefers S24LE over S16LE
+when available, causing the problem of the broken S24LE support to
+come to the surface now.
+
+Cc: stable@vger.kernel.org
+BugLink: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/866
+Fixes: 098c2cd281409 ("ASoC: Intel: Atom: add 24-bit support for media playback and capture")
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210324132711.216152-2-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -500,14 +500,14 @@ static struct snd_soc_dai_driver sst_pla
+ .channels_min = SST_STEREO,
+ .channels_max = SST_STEREO,
+ .rates = SNDRV_PCM_RATE_44100|SNDRV_PCM_RATE_48000,
+- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ .capture = {
+ .stream_name = "Headset Capture",
+ .channels_min = 1,
+ .channels_max = 2,
+ .rates = SNDRV_PCM_RATE_44100|SNDRV_PCM_RATE_48000,
+- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ },
+ {
+@@ -518,7 +518,7 @@ static struct snd_soc_dai_driver sst_pla
+ .channels_min = SST_STEREO,
+ .channels_max = SST_STEREO,
+ .rates = SNDRV_PCM_RATE_44100|SNDRV_PCM_RATE_48000,
+- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ },
+ {
--- /dev/null
+From 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:13 +0800
+Subject: nfc: Avoid endless loops caused by repeated llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 upstream.
+
+When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is
+ LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked,
+ nfc_llcp_sock_link() will add sk to local->connecting_sockets twice.
+ sk->sk_node->next will point to itself, that will make an endless loop
+ and hang-up the system.
+To fix it, check whether sk->sk_state is LLCP_CONNECTING in
+ llcp_sock_connect() to avoid repeated invoking.
+
+Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.11
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -673,6 +673,10 @@ static int llcp_sock_connect(struct sock
+ ret = -EISCONN;
+ goto error;
+ }
++ if (sk->sk_state == LLCP_CONNECTING) {
++ ret = -EINPROGRESS;
++ goto error;
++ }
+
+ dev = nfc_get_device(addr->dev_idx);
+ if (dev == NULL) {
--- /dev/null
+From 7574fcdbdcb335763b6b322f6928dc0fd5730451 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:12 +0800
+Subject: nfc: fix memory leak in llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit 7574fcdbdcb335763b6b322f6928dc0fd5730451 upstream.
+
+In llcp_sock_connect(), use kmemdup to allocate memory for
+ "llcp_sock->service_name". The memory is not released in the sock_unlink
+label of the subsequent failure branch.
+As a result, memory leakage occurs.
+
+fix CVE-2020-25672
+
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.3
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -746,6 +746,8 @@ static int llcp_sock_connect(struct sock
+
+ sock_unlink:
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
++ kfree(llcp_sock->service_name);
++ llcp_sock->service_name = NULL;
+
+ sock_llcp_release:
+ nfc_llcp_put_ssap(local, llcp_sock->ssap);
--- /dev/null
+From c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:10 +0800
+Subject: nfc: fix refcount leak in llcp_sock_bind()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d upstream.
+
+nfc_llcp_local_get() is invoked in llcp_sock_bind(),
+but nfc_llcp_local_put() is not invoked in subsequent failure branches.
+As a result, refcount leakage occurs.
+To fix it, add calling nfc_llcp_local_put().
+
+fix CVE-2020-25670
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.6
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket
+ llcp_sock->service_name_len,
+ GFP_KERNEL);
+ if (!llcp_sock->service_name) {
++ nfc_llcp_local_put(llcp_sock->local);
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+ llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
++ nfc_llcp_local_put(llcp_sock->local);
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;
+ ret = -EADDRINUSE;
--- /dev/null
+From 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Thu, 25 Mar 2021 11:51:11 +0800
+Subject: nfc: fix refcount leak in llcp_sock_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+commit 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 upstream.
+
+nfc_llcp_local_get() is invoked in llcp_sock_connect(),
+but nfc_llcp_local_put() is not invoked in subsequent failure branches.
+As a result, refcount leakage occurs.
+To fix it, add calling nfc_llcp_local_put().
+
+fix CVE-2020-25671
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
+Cc: <stable@vger.kernel.org> #v3.6
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -704,6 +704,7 @@ static int llcp_sock_connect(struct sock
+ llcp_sock->local = nfc_llcp_local_get(local);
+ llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
++ nfc_llcp_local_put(llcp_sock->local);
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+@@ -748,6 +749,7 @@ sock_unlink:
+
+ sock_llcp_release:
+ nfc_llcp_put_ssap(local, llcp_sock->ssap);
++ nfc_llcp_local_put(llcp_sock->local);
+
+ put_dev:
+ nfc_put_device(dev);
counter-stm32-timer-cnt-fix-ceiling-miss-alignment-with-reload-register.patch
+alsa-aloop-fix-initialization-of-controls.patch
+alsa-hda-realtek-fix-speaker-amp-setup-on-acer-aspire-e1.patch
+asoc-intel-atom-stop-advertising-non-working-s24le-support.patch
+nfc-fix-refcount-leak-in-llcp_sock_bind.patch
+nfc-fix-refcount-leak-in-llcp_sock_connect.patch
+nfc-fix-memory-leak-in-llcp_sock_connect.patch
+nfc-avoid-endless-loops-caused-by-repeated-llcp_sock_connect.patch
+xen-evtchn-change-irq_info-lock-to-raw_spinlock_t.patch
--- /dev/null
+From d120198bd5ff1d41808b6914e1eb89aff937415c Mon Sep 17 00:00:00 2001
+From: Luca Fancellu <luca.fancellu@arm.com>
+Date: Tue, 6 Apr 2021 11:51:04 +0100
+Subject: xen/evtchn: Change irq_info lock to raw_spinlock_t
+
+From: Luca Fancellu <luca.fancellu@arm.com>
+
+commit d120198bd5ff1d41808b6914e1eb89aff937415c upstream.
+
+Unmask operation must be called with interrupt disabled,
+on preempt_rt spin_lock_irqsave/spin_unlock_irqrestore
+don't disable/enable interrupts, so use raw_* implementation
+and change lock variable in struct irq_info from spinlock_t
+to raw_spinlock_t
+
+Cc: stable@vger.kernel.org
+Fixes: 25da4618af24 ("xen/events: don't unmask an event channel when an eoi is pending")
+Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Link: https://lore.kernel.org/r/20210406105105.10141-1-luca.fancellu@arm.com
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/events/events_base.c | 10 +++++-----
+ drivers/xen/events/events_internal.h | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -222,7 +222,7 @@ static int xen_irq_info_common_setup(str
+ info->evtchn = evtchn;
+ info->cpu = cpu;
+ info->mask_reason = EVT_MASK_REASON_EXPLICIT;
+- spin_lock_init(&info->lock);
++ raw_spin_lock_init(&info->lock);
+
+ ret = set_evtchn_to_irq(evtchn, irq);
+ if (ret < 0)
+@@ -374,28 +374,28 @@ static void do_mask(struct irq_info *inf
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(&info->lock, flags);
++ raw_spin_lock_irqsave(&info->lock, flags);
+
+ if (!info->mask_reason)
+ mask_evtchn(info->evtchn);
+
+ info->mask_reason |= reason;
+
+- spin_unlock_irqrestore(&info->lock, flags);
++ raw_spin_unlock_irqrestore(&info->lock, flags);
+ }
+
+ static void do_unmask(struct irq_info *info, u8 reason)
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(&info->lock, flags);
++ raw_spin_lock_irqsave(&info->lock, flags);
+
+ info->mask_reason &= ~reason;
+
+ if (!info->mask_reason)
+ unmask_evtchn(info->evtchn);
+
+- spin_unlock_irqrestore(&info->lock, flags);
++ raw_spin_unlock_irqrestore(&info->lock, flags);
+ }
+
+ #ifdef CONFIG_X86
+--- a/drivers/xen/events/events_internal.h
++++ b/drivers/xen/events/events_internal.h
+@@ -45,7 +45,7 @@ struct irq_info {
+ unsigned short eoi_cpu; /* EOI must happen on this cpu */
+ unsigned int irq_epoch; /* If eoi_cpu valid: irq_epoch of event */
+ u64 eoi_time; /* Time in jiffies when to EOI. */
+- spinlock_t lock;
++ raw_spinlock_t lock;
+
+ union {
+ unsigned short virq;
projects / thirdparty / kernel / stable-queue.git / commitdiff
