From: Sasha Levin Date: Sat, 5 Oct 2024 18:29:10 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v6.6.55~147 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27b085a691459ca3ad319cc3ee19ccfe85ca2a43;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/alsa-gus-fix-some-error-handling-paths-related-to-ge.patch b/queue-6.6/alsa-gus-fix-some-error-handling-paths-related-to-ge.patch new file mode 100644 index 00000000000..32aae8bfd3e --- /dev/null +++ b/queue-6.6/alsa-gus-fix-some-error-handling-paths-related-to-ge.patch @@ -0,0 +1,46 @@ +From a1b1cebd684e0e991523931bde1a1bef23fe4103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 21:34:01 +0200 +Subject: ALSA: gus: Fix some error handling paths related to get_bpos() usage + +From: Christophe JAILLET + +[ Upstream commit 9df39a872c462ea07a3767ebd0093c42b2ff78a2 ] + +If get_bpos() fails, it is likely that the corresponding error code should +be returned. + +Fixes: a6970bb1dd99 ("ALSA: gus: Convert to the new PCM ops") +Signed-off-by: Christophe JAILLET +Link: https://patch.msgid.link/d9ca841edad697154afa97c73a5d7a14919330d9.1727984008.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/gus/gus_pcm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/isa/gus/gus_pcm.c b/sound/isa/gus/gus_pcm.c +index 850544725da79..d55c3dc229c0e 100644 +--- a/sound/isa/gus/gus_pcm.c ++++ b/sound/isa/gus/gus_pcm.c +@@ -378,7 +378,7 @@ static int snd_gf1_pcm_playback_copy(struct snd_pcm_substream *substream, + + bpos = get_bpos(pcmp, voice, pos, len); + if (bpos < 0) +- return pos; ++ return bpos; + if (copy_from_iter(runtime->dma_area + bpos, len, src) != len) + return -EFAULT; + return playback_copy_ack(substream, bpos, len); +@@ -395,7 +395,7 @@ static int snd_gf1_pcm_playback_silence(struct snd_pcm_substream *substream, + + bpos = get_bpos(pcmp, voice, pos, len); + if (bpos < 0) +- return pos; ++ return bpos; + snd_pcm_format_set_silence(runtime->format, runtime->dma_area + bpos, + bytes_to_samples(runtime, count)); + return playback_copy_ack(substream, bpos, len); +-- +2.43.0 + diff --git a/queue-6.6/alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch b/queue-6.6/alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch new file mode 100644 index 00000000000..6988e2de1a6 --- /dev/null +++ b/queue-6.6/alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch @@ -0,0 +1,72 @@ +From cfb7bfcf1d8eacdba2019bf64acd14c9aef9ef0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 10:25:58 +0200 +Subject: ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin + +From: Takashi Iwai + +[ Upstream commit b3ebb007060f89d5a45c9b99f06a55e36a1945b5 ] + +We received a regression report for System76 Pangolin (pang14) due to +the recent fix for Tuxedo Sirius devices to support the top speaker. +The reason was the conflicting PCI SSID, as often seen. + +As a workaround, now the codec SSID is checked and the quirk is +applied conditionally only to Sirius devices. + +Fixes: 4178d78cd7a8 ("ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices") +Reported-by: Christian Heusel +Reported-by: Jerry +Closes: https://lore.kernel.org/c930b6a6-64e5-498f-b65a-1cd5e0a1d733@heusel.eu +Link: https://patch.msgid.link/20241004082602.29016-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 63bd0e384bae2..8a3abd4babba6 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -820,6 +820,23 @@ static const struct hda_pintbl cxt_pincfg_sws_js201d[] = { + {} + }; + ++/* pincfg quirk for Tuxedo Sirius; ++ * unfortunately the (PCI) SSID conflicts with System76 Pangolin pang14, ++ * which has incompatible pin setup, so we check the codec SSID (luckily ++ * different one!) and conditionally apply the quirk here ++ */ ++static void cxt_fixup_sirius_top_speaker(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ /* ignore for incorrectly picked-up pang14 */ ++ if (codec->core.subsystem_id == 0x278212b3) ++ return; ++ /* set up the top speaker pin */ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ snd_hda_codec_set_pincfg(codec, 0x1d, 0x82170111); ++} ++ + static const struct hda_fixup cxt_fixups[] = { + [CXT_PINCFG_LENOVO_X200] = { + .type = HDA_FIXUP_PINS, +@@ -980,11 +997,8 @@ static const struct hda_fixup cxt_fixups[] = { + .v.pins = cxt_pincfg_sws_js201d, + }, + [CXT_PINCFG_TOP_SPEAKER] = { +- .type = HDA_FIXUP_PINS, +- .v.pins = (const struct hda_pintbl[]) { +- { 0x1d, 0x82170111 }, +- { } +- }, ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cxt_fixup_sirius_top_speaker, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.6/alsa-hda-generic-unconditionally-prefer-preferred_da.patch b/queue-6.6/alsa-hda-generic-unconditionally-prefer-preferred_da.patch new file mode 100644 index 00000000000..29b1a302702 --- /dev/null +++ b/queue-6.6/alsa-hda-generic-unconditionally-prefer-preferred_da.patch @@ -0,0 +1,60 @@ +From 823b814695a99f32d7b572f580368f80e0c37621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 14:14:36 +0200 +Subject: ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs + +From: Takashi Iwai + +[ Upstream commit 1c801e7f77445bc56e5e1fec6191fd4503534787 ] + +Some time ago, we introduced the obey_preferred_dacs flag for choosing +the DAC/pin pairs specified by the driver instead of parsing the +paths. This works as expected, per se, but there have been a few +cases where we forgot to set this flag while preferred_dacs table is +already set up. It ended up with incorrect wiring and made us +wondering why it doesn't work. + +Basically, when the preferred_dacs table is provided, it means that +the driver really wants to wire up to follow that. That is, the +presence of the preferred_dacs table itself is already a "do-it" +flag. + +In this patch, we simply replace the evaluation of obey_preferred_dacs +flag with the presence of preferred_dacs table for fixing the +misbehavior. Another patch to drop of the obsoleted flag will +follow. + +Fixes: 242d990c158d ("ALSA: hda/generic: Add option to enforce preferred_dacs pairs") +Link: https://bugzilla.suse.com/show_bug.cgi?id=1219803 +Link: https://patch.msgid.link/20241001121439.26060-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_generic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index d3ed3e21b1979..8e8d4c667923c 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -1383,7 +1383,7 @@ static int try_assign_dacs(struct hda_codec *codec, int num_outs, + struct nid_path *path; + hda_nid_t pin = pins[i]; + +- if (!spec->obey_preferred_dacs) { ++ if (!spec->preferred_dacs) { + path = snd_hda_get_path_from_idx(codec, path_idx[i]); + if (path) { + badness += assign_out_path_ctls(codec, path); +@@ -1395,7 +1395,7 @@ static int try_assign_dacs(struct hda_codec *codec, int num_outs, + if (dacs[i]) { + if (is_dac_already_used(codec, dacs[i])) + badness += bad->shared_primary; +- } else if (spec->obey_preferred_dacs) { ++ } else if (spec->preferred_dacs) { + badness += BAD_NO_PRIMARY_DAC; + } + +-- +2.43.0 + diff --git a/queue-6.6/alsa-hda-realtek-fix-the-push-button-function-for-th.patch b/queue-6.6/alsa-hda-realtek-fix-the-push-button-function-for-th.patch new file mode 100644 index 00000000000..80bd3a3f71d --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-fix-the-push-button-function-for-th.patch @@ -0,0 +1,36 @@ +From fd7867bce459150bddaa68c2be3b6bfb852865d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 18:50:39 +0800 +Subject: ALSA: hda/realtek: Fix the push button function for the ALC257 + +From: Oder Chiou + +[ Upstream commit 05df9732a0894846c46d0062d4af535c5002799d ] + +The headset push button cannot work properly in case of the ALC257. +This patch reverted the previous commit to correct the side effect. + +Fixes: ef9718b3d54e ("ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7") +Signed-off-by: Oder Chiou +Link: https://patch.msgid.link/20240930105039.3473266-1-oder_chiou@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 130508f5ad9c8..657223c49515c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -585,6 +585,7 @@ static void alc_shutup_pins(struct hda_codec *codec) + switch (codec->core.vendor_id) { + case 0x10ec0236: + case 0x10ec0256: ++ case 0x10ec0257: + case 0x19e58326: + case 0x10ec0283: + case 0x10ec0285: +-- +2.43.0 + diff --git a/queue-6.6/alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch b/queue-6.6/alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch new file mode 100644 index 00000000000..a38db8e5b39 --- /dev/null +++ b/queue-6.6/alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch @@ -0,0 +1,44 @@ +From e0315f16a89b807e1d8e4da8b91bc1101257e20a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 20:17:36 +0200 +Subject: ALSA: mixer_oss: Remove some incorrect kfree_const() usages + +From: Christophe JAILLET + +[ Upstream commit 368e4663c557de4a33f321b44e7eeec0a21b2e4e ] + +"assigned" and "assigned->name" are allocated in snd_mixer_oss_proc_write() +using kmalloc() and kstrdup(), so there is no point in using kfree_const() +to free these resources. + +Switch to the more standard kfree() to free these resources. + +This could avoid a memory leak. + +Fixes: 454f5ec1d2b7 ("ALSA: mixer: oss: Constify snd_mixer_oss_assign_table definition") +Signed-off-by: Christophe JAILLET +Link: https://patch.msgid.link/63ac20f64234b7c9ea87a7fa9baf41e8255852f7.1727374631.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/oss/mixer_oss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/core/oss/mixer_oss.c b/sound/core/oss/mixer_oss.c +index dae2da3808351..abc99ae333282 100644 +--- a/sound/core/oss/mixer_oss.c ++++ b/sound/core/oss/mixer_oss.c +@@ -967,8 +967,8 @@ static void snd_mixer_oss_slot_free(struct snd_mixer_oss_slot *chn) + struct slot *p = chn->private_data; + if (p) { + if (p->allocated && p->assigned) { +- kfree_const(p->assigned->name); +- kfree_const(p->assigned); ++ kfree(p->assigned->name); ++ kfree(p->assigned); + } + kfree(p); + } +-- +2.43.0 + diff --git a/queue-6.6/asoc-atmel-mchp-pdmc-skip-alsa-restoration-if-substr.patch b/queue-6.6/asoc-atmel-mchp-pdmc-skip-alsa-restoration-if-substr.patch new file mode 100644 index 00000000000..e82706e963e --- /dev/null +++ b/queue-6.6/asoc-atmel-mchp-pdmc-skip-alsa-restoration-if-substr.patch @@ -0,0 +1,41 @@ +From 089f7afcc7b3e1e5971f5425f773df3810b57314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 11:12:38 +0300 +Subject: ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is + uninitialized + +From: Andrei Simion + +[ Upstream commit 09cfc6a532d249a51d3af5022d37ebbe9c3d31f6 ] + +Update the driver to prevent alsa-restore.service from failing when +reading data from /var/lib/alsa/asound.state at boot. Ensure that the +restoration of ALSA mixer configurations is skipped if substream->runtime +is NULL. + +Fixes: 50291652af52 ("ASoC: atmel: mchp-pdmc: add PDMC driver") +Signed-off-by: Andrei Simion +Link: https://patch.msgid.link/20240924081237.50046-1-andrei.simion@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/mchp-pdmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/atmel/mchp-pdmc.c b/sound/soc/atmel/mchp-pdmc.c +index dcc4e14b3dde2..206bbb5aaab5d 100644 +--- a/sound/soc/atmel/mchp-pdmc.c ++++ b/sound/soc/atmel/mchp-pdmc.c +@@ -285,6 +285,9 @@ static int mchp_pdmc_chmap_ctl_put(struct snd_kcontrol *kcontrol, + if (!substream) + return -ENODEV; + ++ if (!substream->runtime) ++ return 0; /* just for avoiding error from alsactl restore */ ++ + map = mchp_pdmc_chmap_get(substream, info); + if (!map) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.6/asoc-imx-card-set-card.owner-to-avoid-a-warning-call.patch b/queue-6.6/asoc-imx-card-set-card.owner-to-avoid-a-warning-call.patch new file mode 100644 index 00000000000..4c10df2d8b7 --- /dev/null +++ b/queue-6.6/asoc-imx-card-set-card.owner-to-avoid-a-warning-call.patch @@ -0,0 +1,46 @@ +From fb193070586a2f224aec088e56b5186b495d16cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 10:56:59 +0800 +Subject: ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m + +From: Hui Wang + +[ Upstream commit 47d7d3fd72afc7dcd548806291793ee6f3848215 ] + +In most Linux distribution kernels, the SND is set to m, in such a +case, when booting the kernel on i.MX8MP EVK board, there is a +warning calltrace like below: + Call trace: + snd_card_init+0x484/0x4cc [snd] + snd_card_new+0x70/0xa8 [snd] + snd_soc_bind_card+0x310/0xbd0 [snd_soc_core] + snd_soc_register_card+0xf0/0x108 [snd_soc_core] + devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] + +That is because the card.owner is not set, a warning calltrace is +raised in the snd_card_init() due to it. + +Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") +Signed-off-by: Hui Wang +Link: https://patch.msgid.link/20241002025659.723544-1-hui.wang@canonical.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-card.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c +index 356a0bc3b126b..f8144bf4c90d3 100644 +--- a/sound/soc/fsl/imx-card.c ++++ b/sound/soc/fsl/imx-card.c +@@ -714,6 +714,7 @@ static int imx_card_probe(struct platform_device *pdev) + + data->plat_data = plat_data; + data->card.dev = &pdev->dev; ++ data->card.owner = THIS_MODULE; + + dev_set_drvdata(&pdev->dev, &data->card); + snd_soc_card_set_drvdata(&data->card, data); +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch b/queue-6.6/bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch new file mode 100644 index 00000000000..06427860687 --- /dev/null +++ b/queue-6.6/bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch @@ -0,0 +1,78 @@ +From 354782a24cfe50d5907d3f645ae2de7902dad222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 16:46:50 -0400 +Subject: Bluetooth: hci_sock: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit b2186061d6043d6345a97100460363e990af0d46 ] + +Check user input length before copying data. + +Fixes: 09572fca7223 ("Bluetooth: hci_sock: Add support for BT_{SND,RCV}BUF") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sock.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 3d904ca92e9e8..69c2ba1e843eb 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -1943,10 +1943,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + + switch (optname) { + case HCI_DATA_DIR: +- if (copy_from_sockptr(&opt, optval, sizeof(opt))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ if (err) + break; +- } + + if (opt) + hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR; +@@ -1955,10 +1954,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + break; + + case HCI_TIME_STAMP: +- if (copy_from_sockptr(&opt, optval, sizeof(opt))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ if (err) + break; +- } + + if (opt) + hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP; +@@ -1976,11 +1974,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + uf.event_mask[1] = *((u32 *) f->event_mask + 1); + } + +- len = min_t(unsigned int, len, sizeof(uf)); +- if (copy_from_sockptr(&uf, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len); ++ if (err) + break; +- } + + if (!capable(CAP_NET_RAW)) { + uf.type_mask &= hci_sec_filter.type_mask; +@@ -2039,10 +2035,9 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, + goto done; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(opt))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ if (err) + break; +- } + + hci_pi(sk)->mtu = opt; + break; +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch b/queue-6.6/bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch new file mode 100644 index 00000000000..28d8b62bed6 --- /dev/null +++ b/queue-6.6/bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch @@ -0,0 +1,107 @@ +From aec2cab0c0f13ebb85f498d201d3543d0682a3a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:56:50 -0400 +Subject: Bluetooth: ISO: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit 9e8742cdfc4b0e65266bb4a901a19462bda9285e ] + +Check user input length before copying data. + +Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") +Fixes: 0731c5ab4d51 ("Bluetooth: ISO: Add support for BT_PKT_STATUS") +Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support") +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 36 ++++++++++++------------------------ + 1 file changed, 12 insertions(+), 24 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 3ccba592f7349..c46d123c30e14 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1349,7 +1349,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + sockptr_t optval, unsigned int optlen) + { + struct sock *sk = sock->sk; +- int len, err = 0; ++ int err = 0; + struct bt_iso_qos qos = default_qos; + u32 opt; + +@@ -1364,10 +1364,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +@@ -1376,10 +1375,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_PKT_STATUS: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags); +@@ -1394,17 +1392,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- len = min_t(unsigned int, sizeof(qos), optlen); +- +- if (copy_from_sockptr(&qos, optval, len)) { +- err = -EFAULT; +- break; +- } +- +- if (len == sizeof(qos.ucast) && !check_ucast_qos(&qos)) { +- err = -EINVAL; ++ err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen); ++ if (err) + break; +- } + + iso_pi(sk)->qos = qos; + iso_pi(sk)->qos_user_set = true; +@@ -1419,18 +1409,16 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + } + + if (optlen > sizeof(iso_pi(sk)->base)) { +- err = -EOVERFLOW; ++ err = -EINVAL; + break; + } + +- len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen); +- +- if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, ++ optlen); ++ if (err) + break; +- } + +- iso_pi(sk)->base_len = len; ++ iso_pi(sk)->base_len = optlen; + + break; + +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch b/queue-6.6/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch new file mode 100644 index 00000000000..341850ac265 --- /dev/null +++ b/queue-6.6/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch @@ -0,0 +1,165 @@ +From f86f64ccd4d8c1c8d5542c9e86f76a419cdcb758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:50:47 -0400 +Subject: Bluetooth: L2CAP: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit 4f3951242ace5efc7131932e2e01e6ac6baed846 ] + +Check user input length before copying data. + +Fixes: 33575df7be67 ("Bluetooth: move l2cap_sock_setsockopt() to l2cap_sock.c") +Fixes: 3ee7b7cd8390 ("Bluetooth: Add BT_MODE socket option") +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 52 +++++++++++++++----------------------- + 1 file changed, 20 insertions(+), 32 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 5d332e69c7e1a..f04ce84267988 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -727,7 +727,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + struct sock *sk = sock->sk; + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct l2cap_options opts; +- int len, err = 0; ++ int err = 0; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -754,11 +754,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + opts.max_tx = chan->max_tx; + opts.txwin_size = chan->tx_win; + +- len = min_t(unsigned int, sizeof(opts), optlen); +- if (copy_from_sockptr(&opts, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); ++ if (err) + break; +- } + + if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { + err = -EINVAL; +@@ -801,10 +799,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + break; + + case L2CAP_LM: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt & L2CAP_LM_FIPS) { + err = -EINVAL; +@@ -885,7 +882,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + struct bt_security sec; + struct bt_power pwr; + struct l2cap_conn *conn; +- int len, err = 0; ++ int err = 0; + u32 opt; + u16 mtu; + u8 mode; +@@ -911,11 +908,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); +- if (copy_from_sockptr(&sec, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ if (err) + break; +- } + + if (sec.level < BT_SECURITY_LOW || + sec.level > BT_SECURITY_FIPS) { +@@ -960,10 +955,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) { + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +@@ -975,10 +969,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_FLUSHABLE: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt > BT_FLUSHABLE_ON) { + err = -EINVAL; +@@ -1010,11 +1003,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; + +- len = min_t(unsigned int, sizeof(pwr), optlen); +- if (copy_from_sockptr(&pwr, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); ++ if (err) + break; +- } + + if (pwr.force_active) + set_bit(FLAG_FORCE_ACTIVE, &chan->flags); +@@ -1023,10 +1014,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_CHANNEL_POLICY: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + err = -EOPNOTSUPP; + break; +@@ -1055,10 +1045,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); ++ if (err) + break; +- } + + if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && + sk->sk_state == BT_CONNECTED) +@@ -1086,10 +1075,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&mode, optval, sizeof(u8))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); ++ if (err) + break; +- } + + BT_DBG("mode %u", mode); + +-- +2.43.0 + diff --git a/queue-6.6/cifs-do-not-convert-delimiter-when-parsing-nfs-style.patch b/queue-6.6/cifs-do-not-convert-delimiter-when-parsing-nfs-style.patch new file mode 100644 index 00000000000..e58812daa6a --- /dev/null +++ b/queue-6.6/cifs-do-not-convert-delimiter-when-parsing-nfs-style.patch @@ -0,0 +1,48 @@ +From eca64b3f59f12bbf02cceb8279114c622648be92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Sep 2024 23:59:46 +0200 +Subject: cifs: Do not convert delimiter when parsing NFS-style symlinks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit d3a49f60917323228f8fdeee313260ef14f94df7 ] + +NFS-style symlinks have target location always stored in NFS/UNIX form +where backslash means the real UNIX backslash and not the SMB path +separator. + +So do not mangle slash and backslash content of NFS-style symlink during +readlink() syscall as it is already in the correct Linux form. + +This fixes interoperability of NFS-style symlinks with backslashes created +by Linux NFS3 client throw Windows NFS server and retrieved by Linux SMB +client throw Windows SMB server, where both Windows servers exports the +same directory. + +Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/reparse.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c +index cfa03c166de8c..ad0e0de9a165d 100644 +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -335,7 +335,6 @@ static int parse_reparse_posix(struct reparse_posix_data *buf, + cifs_sb->local_nls); + if (!data->symlink_target) + return -ENOMEM; +- convert_delimiter(data->symlink_target, '/'); + cifs_dbg(FYI, "%s: target path: %s\n", + __func__, data->symlink_target); + break; +-- +2.43.0 + diff --git a/queue-6.6/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch b/queue-6.6/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch new file mode 100644 index 00000000000..01b3b5ab687 --- /dev/null +++ b/queue-6.6/cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch @@ -0,0 +1,81 @@ +From af69d18055692a87a8e9d17198063b13bc282bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Sep 2024 12:22:40 +0200 +Subject: cifs: Fix buffer overflow when parsing NFS reparse points +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit e2a8910af01653c1c268984855629d71fb81f404 ] + +ReparseDataLength is sum of the InodeType size and DataBuffer size. +So to get DataBuffer size it is needed to subtract InodeType's size from +ReparseDataLength. + +Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer +at position after the end of the buffer because it does not subtract +InodeType size from the length. Fix this problem and correctly subtract +variable len. + +Member InodeType is present only when reparse buffer is large enough. Check +for ReparseDataLength before accessing InodeType to prevent another invalid +memory access. + +Major and minor rdev values are present also only when reparse buffer is +large enough. Check for reparse buffer size before calling reparse_mkdev(). + +Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/reparse.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c +index 48c27581ec511..cfa03c166de8c 100644 +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -320,9 +320,16 @@ static int parse_reparse_posix(struct reparse_posix_data *buf, + unsigned int len; + u64 type; + ++ len = le16_to_cpu(buf->ReparseDataLength); ++ if (len < sizeof(buf->InodeType)) { ++ cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); ++ return -EIO; ++ } ++ ++ len -= sizeof(buf->InodeType); ++ + switch ((type = le64_to_cpu(buf->InodeType))) { + case NFS_SPECFILE_LNK: +- len = le16_to_cpu(buf->ReparseDataLength); + data->symlink_target = cifs_strndup_from_utf16(buf->DataBuffer, + len, true, + cifs_sb->local_nls); +@@ -482,12 +489,18 @@ bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb, + u32 tag = data->reparse.tag; + + if (tag == IO_REPARSE_TAG_NFS && buf) { ++ if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType)) ++ return false; + switch (le64_to_cpu(buf->InodeType)) { + case NFS_SPECFILE_CHR: ++ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) ++ return false; + fattr->cf_mode |= S_IFCHR; + fattr->cf_rdev = reparse_nfs_mkdev(buf); + break; + case NFS_SPECFILE_BLK: ++ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) ++ return false; + fattr->cf_mode |= S_IFBLK; + fattr->cf_rdev = reparse_nfs_mkdev(buf); + break; +-- +2.43.0 + diff --git a/queue-6.6/cifs-remove-intermediate-object-of-failed-create-rep.patch b/queue-6.6/cifs-remove-intermediate-object-of-failed-create-rep.patch new file mode 100644 index 00000000000..372c77f049b --- /dev/null +++ b/queue-6.6/cifs-remove-intermediate-object-of-failed-create-rep.patch @@ -0,0 +1,89 @@ +From d268574fdcb73c5e87e29b7234643d4803ab1c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 22:25:10 +0200 +Subject: cifs: Remove intermediate object of failed create reparse call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit c9432ad5e32f066875b1bf95939c363bc46d6a45 ] + +If CREATE was successful but SMB2_OP_SET_REPARSE failed then remove the +intermediate object created by CREATE. Otherwise empty object stay on the +server when reparse call failed. + +This ensures that if the creating of special files is unsupported by the +server then no empty file stay on the server as a result of unsupported +operation. + +Fixes: 102466f303ff ("smb: client: allow creating special files via reparse points") +Signed-off-by: Pali Rohár +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2inode.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c +index dd8acd2077521..8010b3ed4b3fe 100644 +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -1205,9 +1205,12 @@ struct inode *smb2_get_reparse_inode(struct cifs_open_info_data *data, + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct cifsFileInfo *cfile; + struct inode *new = NULL; ++ int out_buftype[4] = {}; ++ struct kvec out_iov[4] = {}; + struct kvec in_iov[2]; + int cmds[2]; + int rc; ++ int i; + + oparms = CIFS_OPARMS(cifs_sb, tcon, full_path, + SYNCHRONIZE | DELETE | +@@ -1228,7 +1231,7 @@ struct inode *smb2_get_reparse_inode(struct cifs_open_info_data *data, + cmds[1] = SMB2_OP_POSIX_QUERY_INFO; + cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile); + rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, &oparms, +- in_iov, cmds, 2, cfile, NULL, NULL, NULL); ++ in_iov, cmds, 2, cfile, out_iov, out_buftype, NULL); + if (!rc) { + rc = smb311_posix_get_inode_info(&new, full_path, + data, sb, xid); +@@ -1237,12 +1240,29 @@ struct inode *smb2_get_reparse_inode(struct cifs_open_info_data *data, + cmds[1] = SMB2_OP_QUERY_INFO; + cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile); + rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, &oparms, +- in_iov, cmds, 2, cfile, NULL, NULL, NULL); ++ in_iov, cmds, 2, cfile, out_iov, out_buftype, NULL); + if (!rc) { + rc = cifs_get_inode_info(&new, full_path, + data, sb, xid, NULL); + } + } ++ ++ ++ /* ++ * If CREATE was successful but SMB2_OP_SET_REPARSE failed then ++ * remove the intermediate object created by CREATE. Otherwise ++ * empty object stay on the server when reparse call failed. ++ */ ++ if (rc && ++ out_iov[0].iov_base != NULL && out_buftype[0] != CIFS_NO_BUFFER && ++ ((struct smb2_hdr *)out_iov[0].iov_base)->Status == STATUS_SUCCESS && ++ (out_iov[1].iov_base == NULL || out_buftype[1] == CIFS_NO_BUFFER || ++ ((struct smb2_hdr *)out_iov[1].iov_base)->Status != STATUS_SUCCESS)) ++ smb2_unlink(xid, tcon, full_path, cifs_sb, NULL); ++ ++ for (i = 0; i < ARRAY_SIZE(out_buftype); i++) ++ free_rsp_buf(out_buftype[i], out_iov[i].iov_base); ++ + return rc ? ERR_PTR(rc) : new; + } + +-- +2.43.0 + diff --git a/queue-6.6/i2c-xiic-improve-error-message-when-transfer-fails-t.patch b/queue-6.6/i2c-xiic-improve-error-message-when-transfer-fails-t.patch new file mode 100644 index 00000000000..a7dabae1685 --- /dev/null +++ b/queue-6.6/i2c-xiic-improve-error-message-when-transfer-fails-t.patch @@ -0,0 +1,72 @@ +From eb4867c3cbb68e3f762d361a30ac0dadbabb12e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 12:03:24 -0400 +Subject: i2c: xiic: improve error message when transfer fails to start + +From: Marc Ferland + +[ Upstream commit ee1691d0ae103ba7fd9439800ef454674fadad27 ] + +xiic_start_xfer can fail for different reasons: + +- EBUSY: bus is busy or i2c messages still in tx_msg or rx_msg +- ETIMEDOUT: timed-out trying to clear the RX fifo +- EINVAL: wrong clock settings + +Both EINVAL and ETIMEDOUT will currently print a specific error +message followed by a generic one, for example: + + Failed to clear rx fifo + Error xiic_start_xfer + +however EBUSY will simply output the generic message: + + Error xiic_start_xfer + +which is not really helpful. + +This commit adds a new error message when a busy condition is detected +and also removes the generic message since it does not provide any +relevant information to the user. + +Signed-off-by: Marc Ferland +Acked-by: Michal Simek +Signed-off-by: Andi Shyti +Stable-dep-of: 1d4a1adbed25 ("i2c: xiic: Try re-initialization on bus busy timeout") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 71391b590adae..19468565120e1 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -1105,8 +1105,11 @@ static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num) + mutex_lock(&i2c->lock); + + ret = xiic_busy(i2c); +- if (ret) ++ if (ret) { ++ dev_err(i2c->adap.dev.parent, ++ "cannot start a transfer while busy\n"); + goto out; ++ } + + i2c->tx_msg = msgs; + i2c->rx_msg = NULL; +@@ -1164,10 +1167,8 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + return err; + + err = xiic_start_xfer(i2c, msgs, num); +- if (err < 0) { +- dev_err(adap->dev.parent, "Error xiic_start_xfer\n"); ++ if (err < 0) + goto out; +- } + + err = wait_for_completion_timeout(&i2c->completion, XIIC_XFER_TIMEOUT); + mutex_lock(&i2c->lock); +-- +2.43.0 + diff --git a/queue-6.6/i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch b/queue-6.6/i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch new file mode 100644 index 00000000000..3c537f6afc8 --- /dev/null +++ b/queue-6.6/i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch @@ -0,0 +1,105 @@ +From 57405ffe21d3aab36dce35b6b8af5159f8fe98b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 22:16:53 +0200 +Subject: i2c: xiic: Try re-initialization on bus busy timeout + +From: Robert Hancock + +[ Upstream commit 1d4a1adbed2582444aaf97671858b7d12915bd05 ] + +In the event that the I2C bus was powered down when the I2C controller +driver loads, or some spurious pulses occur on the I2C bus, it's +possible that the controller detects a spurious I2C "start" condition. +In this situation it may continue to report the bus is busy indefinitely +and block the controller from working. + +The "single-master" DT flag can be specified to disable bus busy checks +entirely, but this may not be safe to use in situations where other I2C +masters may potentially exist. + +In the event that the controller reports "bus busy" for too long when +starting a transaction, we can try reinitializing the controller to see +if the busy condition clears. This allows recovering from this scenario. + +Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface") +Signed-off-by: Robert Hancock +Cc: # v2.6.34+ +Reviewed-by: Manikanta Guntupalli +Acked-by: Michal Simek +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 41 ++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 15 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 19468565120e1..d3ca7d2f81a61 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -844,23 +844,11 @@ static int xiic_bus_busy(struct xiic_i2c *i2c) + return (sr & XIIC_SR_BUS_BUSY_MASK) ? -EBUSY : 0; + } + +-static int xiic_busy(struct xiic_i2c *i2c) ++static int xiic_wait_not_busy(struct xiic_i2c *i2c) + { + int tries = 3; + int err; + +- if (i2c->tx_msg || i2c->rx_msg) +- return -EBUSY; +- +- /* In single master mode bus can only be busy, when in use by this +- * driver. If the register indicates bus being busy for some reason we +- * should ignore it, since bus will never be released and i2c will be +- * stuck forever. +- */ +- if (i2c->singlemaster) { +- return 0; +- } +- + /* for instance if previous transfer was terminated due to TX error + * it might be that the bus is on it's way to become available + * give it at most 3 ms to wake +@@ -1104,13 +1092,36 @@ static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num) + + mutex_lock(&i2c->lock); + +- ret = xiic_busy(i2c); +- if (ret) { ++ if (i2c->tx_msg || i2c->rx_msg) { + dev_err(i2c->adap.dev.parent, + "cannot start a transfer while busy\n"); ++ ret = -EBUSY; + goto out; + } + ++ /* In single master mode bus can only be busy, when in use by this ++ * driver. If the register indicates bus being busy for some reason we ++ * should ignore it, since bus will never be released and i2c will be ++ * stuck forever. ++ */ ++ if (!i2c->singlemaster) { ++ ret = xiic_wait_not_busy(i2c); ++ if (ret) { ++ /* If the bus is stuck in a busy state, such as due to spurious low ++ * pulses on the bus causing a false start condition to be detected, ++ * then try to recover by re-initializing the controller and check ++ * again if the bus is still busy. ++ */ ++ dev_warn(i2c->adap.dev.parent, "I2C bus busy timeout, reinitializing\n"); ++ ret = xiic_reinit(i2c); ++ if (ret) ++ goto out; ++ ret = xiic_wait_not_busy(i2c); ++ if (ret) ++ goto out; ++ } ++ } ++ + i2c->tx_msg = msgs; + i2c->rx_msg = NULL; + i2c->nmsgs = num; +-- +2.43.0 + diff --git a/queue-6.6/loop-don-t-set-queue_flag_nomerges.patch b/queue-6.6/loop-don-t-set-queue_flag_nomerges.patch new file mode 100644 index 00000000000..26aa5709259 --- /dev/null +++ b/queue-6.6/loop-don-t-set-queue_flag_nomerges.patch @@ -0,0 +1,67 @@ +From dd70291c06c5a3a82dd65e61430a20b49b6905c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 14:49:11 +0200 +Subject: loop: don't set QUEUE_FLAG_NOMERGES + +From: Christoph Hellwig + +[ Upstream commit 667ea36378cf7f669044b27871c496e1559c872a ] + +QUEUE_FLAG_NOMERGES isn't really a driver interface, but a user tunable. +There also isn't any good reason to set it in the loop driver. + +The original commit adding it (5b5e20f421c0b6d "block: loop: set +QUEUE_FLAG_NOMERGES for request queue of loop") claims that "It doesn't +make sense to enable merge because the I/O submitted to backing file is +handled page by page." which of course isn't true for multi-page bvec +now, and it never has been for direct I/O, for which commit 40326d8a33d +("block/loop: allow request merge for directio mode") alredy disabled +the nomerges flag. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240627124926.512662-2-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 552f56a84a7eb..886c635990377 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -211,13 +211,10 @@ static void __loop_update_dio(struct loop_device *lo, bool dio) + if (lo->lo_state == Lo_bound) + blk_mq_freeze_queue(lo->lo_queue); + lo->use_dio = use_dio; +- if (use_dio) { +- blk_queue_flag_clear(QUEUE_FLAG_NOMERGES, lo->lo_queue); ++ if (use_dio) + lo->lo_flags |= LO_FLAGS_DIRECT_IO; +- } else { +- blk_queue_flag_set(QUEUE_FLAG_NOMERGES, lo->lo_queue); ++ else + lo->lo_flags &= ~LO_FLAGS_DIRECT_IO; +- } + if (lo->lo_state == Lo_bound) + blk_mq_unfreeze_queue(lo->lo_queue); + } +@@ -2038,14 +2035,6 @@ static int loop_add(int i) + + blk_queue_max_hw_sectors(lo->lo_queue, BLK_DEF_MAX_SECTORS); + +- /* +- * By default, we do buffer IO, so it doesn't make sense to enable +- * merge because the I/O submitted to backing file is handled page by +- * page. For directio mode, merge does help to dispatch bigger request +- * to underlayer disk. We will enable merge once directio is enabled. +- */ +- blk_queue_flag_set(QUEUE_FLAG_NOMERGES, lo->lo_queue); +- + /* + * Disable partition scanning by default. The in-kernel partition + * scanning can be requested individually per-device during its +-- +2.43.0 + diff --git a/queue-6.6/media-usbtv-remove-useless-locks-in-usbtv_video_free.patch b/queue-6.6/media-usbtv-remove-useless-locks-in-usbtv_video_free.patch new file mode 100644 index 00000000000..f78b20b30f6 --- /dev/null +++ b/queue-6.6/media-usbtv-remove-useless-locks-in-usbtv_video_free.patch @@ -0,0 +1,55 @@ +From 0f3372c9c5ab6815db6e75f9f92b227009c52fa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Mar 2024 11:37:08 +0100 +Subject: media: usbtv: Remove useless locks in usbtv_video_free() + +From: Benjamin Gaignard + +[ Upstream commit 65e6a2773d655172143cc0b927cdc89549842895 ] + +Remove locks calls in usbtv_video_free() because +are useless and may led to a deadlock as reported here: +https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000 +Also remove usbtv_stop() call since it will be called when +unregistering the device. + +Before 'c838530d230b' this issue would only be noticed if you +disconnect while streaming and now it is noticeable even when +disconnecting while not streaming. + +Fixes: c838530d230b ("media: media videobuf2: Be more flexible on the number of queue stored buffers") +Fixes: f3d27f34fdd7 ("[media] usbtv: Add driver for Fushicai USBTV007 video frame grabber") + +Signed-off-by: Benjamin Gaignard +Reviewed-by: Tomasz Figa +Tested-by: Hans Verkuil +Signed-off-by: Hans Verkuil +[hverkuil: fix minor spelling mistake in log message] +Signed-off-by: Sasha Levin +--- + drivers/media/usb/usbtv/usbtv-video.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/media/usb/usbtv/usbtv-video.c b/drivers/media/usb/usbtv/usbtv-video.c +index 1e30e05953dc6..7495df6b51912 100644 +--- a/drivers/media/usb/usbtv/usbtv-video.c ++++ b/drivers/media/usb/usbtv/usbtv-video.c +@@ -962,15 +962,8 @@ int usbtv_video_init(struct usbtv *usbtv) + + void usbtv_video_free(struct usbtv *usbtv) + { +- mutex_lock(&usbtv->vb2q_lock); +- mutex_lock(&usbtv->v4l2_lock); +- +- usbtv_stop(usbtv); + vb2_video_unregister_device(&usbtv->vdev); + v4l2_device_disconnect(&usbtv->v4l2_dev); + +- mutex_unlock(&usbtv->v4l2_lock); +- mutex_unlock(&usbtv->vb2q_lock); +- + v4l2_device_put(&usbtv->v4l2_dev); + } +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 231ba11a06f..a87b6311d72 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -36,3 +36,20 @@ ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch iomap-constrain-the-file-range-passed-to-iomap_file_.patch dt-bindings-net-xlnx-axi-ethernet-add-missing-reg-mi.patch sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch +i2c-xiic-improve-error-message-when-transfer-fails-t.patch +i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch +loop-don-t-set-queue_flag_nomerges.patch +bluetooth-hci_sock-fix-not-validating-setsockopt-use.patch +media-usbtv-remove-useless-locks-in-usbtv_video_free.patch +bluetooth-iso-fix-not-validating-setsockopt-user-inp.patch +bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch +asoc-atmel-mchp-pdmc-skip-alsa-restoration-if-substr.patch +alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch +alsa-hda-realtek-fix-the-push-button-function-for-th.patch +cifs-remove-intermediate-object-of-failed-create-rep.patch +alsa-hda-generic-unconditionally-prefer-preferred_da.patch +asoc-imx-card-set-card.owner-to-avoid-a-warning-call.patch +cifs-fix-buffer-overflow-when-parsing-nfs-reparse-po.patch +cifs-do-not-convert-delimiter-when-parsing-nfs-style.patch +alsa-gus-fix-some-error-handling-paths-related-to-ge.patch +alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch