From: Greg Kroah-Hartman Date: Mon, 22 May 2023 17:45:09 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v6.3.4~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2812bb79167a2ac72689d3f524436c20b86d1a64;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch alsa-hda-fix-oops-by-9.1-surround-channel-names.patch ceph-force-updating-the-msg-pointer-in-non-split-case.patch serial-add-support-for-advantech-pci-1611u-card.patch statfs-enforce-statfs-structure-initialization.patch usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch usb-typec-altmodes-displayport-fix-pin_assignment_show.patch --- diff --git a/queue-4.19/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch b/queue-4.19/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch new file mode 100644 index 00000000000..2d19f22f33e --- /dev/null +++ b/queue-4.19/alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch @@ -0,0 +1,38 @@ +From dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 Mon Sep 17 00:00:00 2001 +From: Nikhil Mahale +Date: Wed, 17 May 2023 14:37:36 +0530 +Subject: ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table + +From: Nikhil Mahale + +commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream. + +These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with +audio functions that are largely similar to the existing ones. + +Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST +connections on AD106 gpu. + +Signed-off-by: Nikhil Mahale +Cc: +Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -3937,6 +3937,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI + HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi), diff --git a/queue-4.19/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch b/queue-4.19/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch new file mode 100644 index 00000000000..229b97d9c9f --- /dev/null +++ b/queue-4.19/alsa-hda-fix-oops-by-9.1-surround-channel-names.patch @@ -0,0 +1,57 @@ +From 3b44ec8c5c44790a82f07e90db45643c762878c6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 May 2023 20:44:12 +0200 +Subject: ALSA: hda: Fix Oops by 9.1 surround channel names + +From: Takashi Iwai + +commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream. + +get_line_out_pfx() may trigger an Oops by overflowing the static array +with more than 8 channels. This was reported for MacBookPro 12,1 with +Cirrus codec. + +As a workaround, extend for the 9.1 channels and also fix the +potential Oops by unifying the code paths accessing the same array +with the proper size check. + +Reported-by: Olliver Schinagl +Cc: +Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl +Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_generic.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -1159,8 +1159,8 @@ static bool path_has_mixer(struct hda_co + return path && path->ctls[ctl_type]; + } + +-static const char * const channel_name[4] = { +- "Front", "Surround", "CLFE", "Side" ++static const char * const channel_name[] = { ++ "Front", "Surround", "CLFE", "Side", "Back", + }; + + /* give some appropriate ctl name prefix for the given line out channel */ +@@ -1186,7 +1186,7 @@ static const char *get_line_out_pfx(stru + + /* multi-io channels */ + if (ch >= cfg->line_outs) +- return channel_name[ch]; ++ goto fixed_name; + + switch (cfg->line_out_type) { + case AUTO_PIN_SPEAKER_OUT: +@@ -1238,6 +1238,7 @@ static const char *get_line_out_pfx(stru + if (cfg->line_outs == 1 && !spec->multi_ios) + return "Line Out"; + ++ fixed_name: + if (ch >= ARRAY_SIZE(channel_name)) { + snd_BUG(); + return "PCM"; diff --git a/queue-4.19/ceph-force-updating-the-msg-pointer-in-non-split-case.patch b/queue-4.19/ceph-force-updating-the-msg-pointer-in-non-split-case.patch new file mode 100644 index 00000000000..07328c8110f --- /dev/null +++ b/queue-4.19/ceph-force-updating-the-msg-pointer-in-non-split-case.patch @@ -0,0 +1,46 @@ +From 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Thu, 18 May 2023 09:47:23 +0800 +Subject: ceph: force updating the msg pointer in non-split case + +From: Xiubo Li + +commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream. + +When the MClientSnap reqeust's op is not CEPH_SNAP_OP_SPLIT the +request may still contain a list of 'split_realms', and we need +to skip it anyway. Or it will be parsed as a corrupt snaptrace. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/61200 +Reported-by: Frank Schilder +Signed-off-by: Xiubo Li +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/snap.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -976,6 +976,19 @@ skip_inode: + continue; + adjust_snap_realm_parent(mdsc, child, realm->ino); + } ++ } else { ++ /* ++ * In the non-split case both 'num_split_inos' and ++ * 'num_split_realms' should be 0, making this a no-op. ++ * However the MDS happens to populate 'split_realms' list ++ * in one of the UPDATE op cases by mistake. ++ * ++ * Skip both lists just in case to ensure that 'p' is ++ * positioned at the start of realm info, as expected by ++ * ceph_update_snap_trace(). ++ */ ++ p += sizeof(u64) * num_split_inos; ++ p += sizeof(u64) * num_split_realms; + } + + /* diff --git a/queue-4.19/serial-add-support-for-advantech-pci-1611u-card.patch b/queue-4.19/serial-add-support-for-advantech-pci-1611u-card.patch new file mode 100644 index 00000000000..78c471e1234 --- /dev/null +++ b/queue-4.19/serial-add-support-for-advantech-pci-1611u-card.patch @@ -0,0 +1,48 @@ +From d2b00516de0e1d696724247098f6733a6ea53908 Mon Sep 17 00:00:00 2001 +From: Vitaliy Tomin +Date: Sun, 23 Apr 2023 11:45:12 +0800 +Subject: serial: Add support for Advantech PCI-1611U card + +From: Vitaliy Tomin + +commit d2b00516de0e1d696724247098f6733a6ea53908 upstream. + +Add support for Advantech PCI-1611U card + +Advantech provides opensource drivers for this and many others card +based on legacy copy of 8250_pci driver called adv950 + +https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ + +It is hard to maintain to run as out of tree module on newer kernels. +Just adding PCI ID to kernel 8250_pci works perfect. + +Signed-off-by: Vitaliy Tomin +Cc: stable +Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1648,6 +1648,8 @@ pci_wch_ch38x_setup(struct serial_privat + #define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530 + #define PCI_VENDOR_ID_ADVANTECH 0x13fe + #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600 0x1600 ++#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611 0x1611 + #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620 + #define PCI_DEVICE_ID_ADVANTECH_PCI3618 0x3618 + #define PCI_DEVICE_ID_ADVANTECH_PCIf618 0xf618 +@@ -3840,6 +3842,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op + pciserial_resume_one); + + static const struct pci_device_id serial_pci_tbl[] = { ++ { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600, ++ PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0, ++ pbn_b0_4_921600 }, + /* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */ + { PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620, + PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0, diff --git a/queue-4.19/series b/queue-4.19/series index 0ad0aae38a2..df6a85490c0 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -64,3 +64,10 @@ net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch cassini-fix-a-memory-leak-in-the-error-handling-path.patch igb-fix-bit_shift-to-be-in-1.8-range.patch vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch +usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch +usb-typec-altmodes-displayport-fix-pin_assignment_show.patch +alsa-hda-fix-oops-by-9.1-surround-channel-names.patch +alsa-hda-add-nvidia-codec-ids-a3-through-a7-to-patch-table.patch +statfs-enforce-statfs-structure-initialization.patch +serial-add-support-for-advantech-pci-1611u-card.patch +ceph-force-updating-the-msg-pointer-in-non-split-case.patch diff --git a/queue-4.19/statfs-enforce-statfs-structure-initialization.patch b/queue-4.19/statfs-enforce-statfs-structure-initialization.patch new file mode 100644 index 00000000000..ae2fced9cb2 --- /dev/null +++ b/queue-4.19/statfs-enforce-statfs-structure-initialization.patch @@ -0,0 +1,62 @@ +From ed40866ec7d328b3dfb70db7e2011640a16202c3 Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Thu, 4 May 2023 16:40:20 +0200 +Subject: statfs: enforce statfs[64] structure initialization + +From: Ilya Leoshkevich + +commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream. + +s390's struct statfs and struct statfs64 contain padding, which +field-by-field copying does not set. Initialize the respective structs +with zeros before filling them and copying them to userspace, like it's +already done for the compat versions of these structs. + +Found by KMSAN. + +[agordeev@linux.ibm.com: fixed typo in patch description] +Acked-by: Heiko Carstens +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Andrew Morton +Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + fs/statfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/statfs.c ++++ b/fs/statfs.c +@@ -114,6 +114,7 @@ static int do_statfs_native(struct kstat + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + if (sizeof buf.f_blocks == 4) { + if ((st->f_blocks | st->f_bfree | st->f_bavail | + st->f_bsize | st->f_frsize) & +@@ -142,7 +143,6 @@ static int do_statfs_native(struct kstat + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; +@@ -155,6 +155,7 @@ static int do_statfs64(struct kstatfs *s + if (sizeof(buf) == sizeof(*st)) + memcpy(&buf, st, sizeof(*st)); + else { ++ memset(&buf, 0, sizeof(buf)); + buf.f_type = st->f_type; + buf.f_bsize = st->f_bsize; + buf.f_blocks = st->f_blocks; +@@ -166,7 +167,6 @@ static int do_statfs64(struct kstatfs *s + buf.f_namelen = st->f_namelen; + buf.f_frsize = st->f_frsize; + buf.f_flags = st->f_flags; +- memset(buf.f_spare, 0, sizeof(buf.f_spare)); + } + if (copy_to_user(p, &buf, sizeof(buf))) + return -EFAULT; diff --git a/queue-4.19/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch b/queue-4.19/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch new file mode 100644 index 00000000000..dc4344bc5fb --- /dev/null +++ b/queue-4.19/usb-storage-fix-deadlock-when-a-scsi-command-timeouts-more-than-once.patch @@ -0,0 +1,108 @@ +From a398d5eac6984316e71474e25b975688f282379b Mon Sep 17 00:00:00 2001 +From: Maxime Bizon +Date: Fri, 5 May 2023 13:47:59 +0200 +Subject: usb-storage: fix deadlock when a scsi command timeouts more than once + +From: Maxime Bizon + +commit a398d5eac6984316e71474e25b975688f282379b upstream. + +With faulty usb-storage devices, read/write can timeout, in that case +the SCSI layer will abort and re-issue the command. USB storage has no +internal timeout, it relies on SCSI layer aborting commands via +.eh_abort_handler() for non those responsive devices. + +After two consecutive timeouts of the same command, SCSI layer calls +.eh_device_reset_handler(), without calling .eh_abort_handler() first. + +With usb-storage, this causes a deadlock: + + -> .eh_device_reset_handler + -> device_reset + -> mutex_lock(&(us->dev_mutex)); + +mutex already by usb_stor_control_thread(), which is waiting for +command completion: + + -> usb_stor_control_thread (mutex taken here) + -> usb_stor_invoke_transport + -> usb_stor_Bulk_transport + -> usb_stor_bulk_srb + -> usb_stor_bulk_transfer_sglist + -> usb_sg_wait + +Make sure we cancel any pending command in .eh_device_reset_handler() +to avoid this. + +Signed-off-by: Maxime Bizon +Cc: linux-usb@vger.kernel.org +Cc: stable +Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/ +Reviewed-by: Alan Stern +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/scsiglue.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -392,22 +392,25 @@ static DEF_SCSI_QCMD(queuecommand) + ***********************************************************************/ + + /* Command timeout and abort */ +-static int command_abort(struct scsi_cmnd *srb) ++static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match) + { +- struct us_data *us = host_to_us(srb->device->host); +- +- usb_stor_dbg(us, "%s called\n", __func__); +- + /* + * us->srb together with the TIMED_OUT, RESETTING, and ABORTING + * bits are protected by the host lock. + */ + scsi_lock(us_to_host(us)); + +- /* Is this command still active? */ +- if (us->srb != srb) { ++ /* is there any active pending command to abort ? */ ++ if (!us->srb) { + scsi_unlock(us_to_host(us)); + usb_stor_dbg(us, "-- nothing to abort\n"); ++ return SUCCESS; ++ } ++ ++ /* Does the command match the passed srb if any ? */ ++ if (srb_match && us->srb != srb_match) { ++ scsi_unlock(us_to_host(us)); ++ usb_stor_dbg(us, "-- pending command mismatch\n"); + return FAILED; + } + +@@ -430,6 +433,14 @@ static int command_abort(struct scsi_cmn + return SUCCESS; + } + ++static int command_abort(struct scsi_cmnd *srb) ++{ ++ struct us_data *us = host_to_us(srb->device->host); ++ ++ usb_stor_dbg(us, "%s called\n", __func__); ++ return command_abort_matching(us, srb); ++} ++ + /* + * This invokes the transport reset mechanism to reset the state of the + * device +@@ -441,6 +452,9 @@ static int device_reset(struct scsi_cmnd + + usb_stor_dbg(us, "%s called\n", __func__); + ++ /* abort any pending command before reset */ ++ command_abort_matching(us, NULL); ++ + /* lock the device pointers and do the reset */ + mutex_lock(&(us->dev_mutex)); + result = us->transport_reset(us); diff --git a/queue-4.19/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch b/queue-4.19/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch new file mode 100644 index 00000000000..0c243d60a5a --- /dev/null +++ b/queue-4.19/usb-typec-altmodes-displayport-fix-pin_assignment_show.patch @@ -0,0 +1,53 @@ +From d8f28269dd4bf9b55c3fb376ae31512730a96fce Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Mon, 8 May 2023 21:44:43 +0000 +Subject: usb: typec: altmodes/displayport: fix pin_assignment_show + +From: Badhri Jagan Sridharan + +commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream. + +This patch fixes negative indexing of buf array in pin_assignment_show +when get_current_pin_assignments returns 0 i.e. no compatible pin +assignments are found. + +BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c +... +Call trace: +dump_backtrace+0x110/0x204 +dump_stack_lvl+0x84/0xbc +print_report+0x358/0x974 +kasan_report+0x9c/0xfc +__do_kernel_fault+0xd4/0x2d4 +do_bad_area+0x48/0x168 +do_tag_check_fault+0x24/0x38 +do_mem_abort+0x6c/0x14c +el1_abort+0x44/0x68 +el1h_64_sync_handler+0x64/0xa4 +el1h_64_sync+0x78/0x7c +pin_assignment_show+0x26c/0x33c +dev_attr_show+0x50/0xc0 + +Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode") +Cc: stable@vger.kernel.org +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/altmodes/displayport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -501,6 +501,10 @@ static ssize_t pin_assignment_show(struc + + mutex_unlock(&dp->lock); + ++ /* get_current_pin_assignments can return 0 when no matching pin assignments are found */ ++ if (len == 0) ++ len++; ++ + buf[len - 1] = '\n'; + return len; + }