From: Greg Kroah-Hartman Date: Thu, 25 Jul 2024 12:47:58 +0000 (+0200) Subject: 6.9-stable patches X-Git-Tag: v4.19.319~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4321b2b938fc98313b3be08ad5fcdf1f71cb4a27;p=thirdparty%2Fkernel%2Fstable-queue.git 6.9-stable patches added patches: alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch alsa-hda-tas2781-add-new-quirk-for-lenovo-hera2-laptop.patch arm64-dts-qcom-sc7180-disable-superspeed-instances-in-park-mode.patch drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch fs-ntfs3-add-a-check-for-attr_names-and-oatbl.patch fs-ntfs3-validate-ff-offset.patch jfs-don-t-walk-off-the-end-of-ealist.patch ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch s390-mm-fix-vm_fault_hwpoison-handling-in-do_exception.patch series usb-gadget-midi2-fix-incorrect-default-midi2-protocol-setup.patch
---
diff --git a/queue-6.9/alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch b/queue-6.9/alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch
new file mode 100644
index 00000000000..eb25088ab42
--- /dev/null
+++ b/queue-6.9/alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch
@@ -0,0 +1,31 @@
+From 8fc1e8b230771442133d5cf5fa4313277aa2bb8b Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck
+Date: Fri, 12 Jul 2024 15:06:42 -0300
+Subject: ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
+
+From: Edson Juliano Drosdeck
+
+commit 8fc1e8b230771442133d5cf5fa4313277aa2bb8b upstream.
+
+Positivo SU C1400 is equipped with ALC256, and it needs
+ALC269_FIXUP_ASPIRE_HEADSET_MIC quirk to make its headset mic work.
+
+Signed-off-by: Edson Juliano Drosdeck
+Cc:
+Link: https://patch.msgid.link/20240712180642.22564-1-edson.drosdeck@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10333,6 +10333,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
+ SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
+ SND_PCI_QUIRK(0x10ec, 0x118c, "Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE),
++ SND_PCI_QUIRK(0x10ec, 0x119e, "Positivo SU C1400", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
+ SND_PCI_QUIRK(0x10ec, 0x11bc, "VAIO VJFE-IL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x10ec, 0x1230, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x124c, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
diff --git a/queue-6.9/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch b/queue-6.9/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch
new file mode 100644
index 00000000000..ba3b5a90b98
--- /dev/null
+++ b/queue-6.9/alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch
@@ -0,0 +1,32 @@
+From d7063c08738573fc2f3296da6d31a22fa8aa843a Mon Sep 17 00:00:00 2001
+From: Seunghun Han
+Date: Thu, 18 Jul 2024 17:09:08 +0900
+Subject: ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
+
+From: Seunghun Han
+
+commit d7063c08738573fc2f3296da6d31a22fa8aa843a upstream.
+
+Samsung Galaxy Book Pro 360 (13" 2022 NT935QDB-KC71S) with codec SSID
+144d:c1a4 requires the same workaround to enable the speaker amp
+as other Samsung models with the ALC298 codec.
+
+Signed-off-by: Seunghun Han
+Cc:
+Link: https://patch.msgid.link/20240718080908.8677-1-kkamagui@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10348,6 +10348,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
+ SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP),
diff --git a/queue-6.9/alsa-hda-tas2781-add-new-quirk-for-lenovo-hera2-laptop.patch b/queue-6.9/alsa-hda-tas2781-add-new-quirk-for-lenovo-hera2-laptop.patch
new file mode 100644
index 00000000000..dfac1be53b7
--- /dev/null
+++ b/queue-6.9/alsa-hda-tas2781-add-new-quirk-for-lenovo-hera2-laptop.patch
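Review bot: The name string of the added `0x144d, 0xc1a4` entry says `NT935QBD`, but the commit message identifies the machine as `NT935QDB-KC71S`, so one of the two has its letters transposed. Matching appears to be by the SSID pair, so this looks cosmetic, but the string is what people search for when triaging a model. If the commit message has the correct spelling, the entry should read `SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QDB)", ALC298_FIXUP_SAMSUNG_AMP),`. The quirk table continues outside the hunk.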
@@ -0,0 +1,30 @@
+From 1e5597e5ff18d452cf9afa847e904f301d1ac690 Mon Sep 17 00:00:00 2001
+From: Shenghao Ding
+Date: Wed, 17 Jul 2024 19:53:04 +0800
+Subject: ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop
+
+From: Shenghao Ding
+
+commit 1e5597e5ff18d452cf9afa847e904f301d1ac690 upstream.
+
+Add new vendor_id and subsystem_id in quirk for Lenovo Hera2 Laptop.
+
+Signed-off-by: Shenghao Ding
+Cc:
+Link: https://patch.msgid.link/20240717115305.723-1-shenghao-ding@ti.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10488,6 +10488,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
+ SND_PCI_QUIRK(0x17aa, 0x231e, "Thinkpad", ALC287_FIXUP_LENOVO_THKPAD_WH_ALC1318),
+ SND_PCI_QUIRK(0x17aa, 0x231f, "Thinkpad", ALC287_FIXUP_LENOVO_THKPAD_WH_ALC1318),
++ SND_PCI_QUIRK(0x17aa, 0x2326, "Hera2", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
diff --git a/queue-6.9/arm64-dts-qcom-sc7180-disable-superspeed-instances-in-park-mode.patch b/queue-6.9/arm64-dts-qcom-sc7180-disable-superspeed-instances-in-park-mode.patch
new file mode 100644
index 00000000000..9531a2b7988
--- /dev/null
+++ b/queue-6.9/arm64-dts-qcom-sc7180-disable-superspeed-instances-in-park-mode.patch
@@ -0,0 +1,41 @@
+From 5b8baed4b88132c12010ce6ca1b56f00d122e376 Mon Sep 17 00:00:00 2001
+From: Krishna Kurapati
+Date: Tue, 4 Jun 2024 11:36:58 +0530
+Subject: arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode
+
+From: Krishna Kurapati
+
+commit 5b8baed4b88132c12010ce6ca1b56f00d122e376 upstream.
+
+On SC7180, in host mode, it is observed that stressing out controller
+results in HC died error:
+
+ xhci-hcd.12.auto: xHCI host not responding to stop endpoint command
+ xhci-hcd.12.auto: xHCI host controller not responding, assume dead
+ xhci-hcd.12.auto: HC died; cleaning up
+
+And at this instant only restarting the host mode fixes it. Disable
+SuperSpeed instances in park mode for SC7180 to mitigate this issue.
+
+Reported-by: Doug Anderson
+Cc: stable@vger.kernel.org
+Fixes: 0b766e7fe5a2 ("arm64: dts: qcom: sc7180: Add USB related nodes")
+Signed-off-by: Krishna Kurapati
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20240604060659.1449278-2-quic_kriskura@quicinc.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/qcom/sc7180.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi
+@@ -3063,6 +3063,7 @@
+ iommus = <&apps_smmu 0x540 0>;
+ snps,dis_u2_susphy_quirk;
+ snps,dis_enblslpm_quirk;
++ snps,parkmode-disable-ss-quirk;
+ phys = <&usb_1_hsphy>, <&usb_1_qmpphy QMP_USB43DP_USB3_PHY>;
+ phy-names = "usb2-phy", "usb3-phy";
+ maximum-speed = "super-speed";
diff --git a/queue-6.9/drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch b/queue-6.9/drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch
new file mode 100644
index 00000000000..a5fec9fba53
--- /dev/null
+++ b/queue-6.9/drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch
@@ -0,0 +1,32 @@
+From 6769a23697f17f9bf9365ca8ed62fe37e361a05a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Sun, 28 Apr 2024 15:57:00 +0300
+Subject: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
+
+From: Dan Carpenter
+
+commit 6769a23697f17f9bf9365ca8ed62fe37e361a05a upstream.
+
+The "instance" variable needs to be signed for the error handling to work.
+
+Fixes: 8b2faf1a4f3b ("drm/amdgpu: add error handle to avoid out-of-bounds")
+Reviewed-by: Bob Zhou
+Signed-off-by: Dan Carpenter
+Signed-off-by: Alex Deucher
+Cc: Siddh Raman Pant
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+@@ -2017,7 +2017,7 @@ static int sdma_v4_0_process_trap_irq(st
+ struct amdgpu_irq_src *source,
+ struct amdgpu_iv_entry *entry)
+ {
+- uint32_t instance;
++ int instance;
+
+ DRM_DEBUG("IH: SDMA trap\n");
+ instance = sdma_v4_0_irq_id_to_seq(entry->client_id);
diff --git a/queue-6.9/fs-ntfs3-add-a-check-for-attr_names-and-oatbl.patch b/queue-6.9/fs-ntfs3-add-a-check-for-attr_names-and-oatbl.patch
new file mode 100644
index 00000000000..f4e524a244d
--- /dev/null
+++ b/queue-6.9/fs-ntfs3-add-a-check-for-attr_names-and-oatbl.patch
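Review bot: Nothing at the `int instance;` declaration says why it has to be signed, and that is the whole fix: per the commit message the error handling after `sdma_v4_0_irq_id_to_seq()` only works on a signed value, and the Fixes tag ties it to an out-of-bounds guard. A one-line comment such as `/* must stay signed: sdma_v4_0_irq_id_to_seq() can return a negative error */` would keep a later type cleanup from turning it back into `uint32_t` and silently disabling the check. The check itself is below the hunk and not visible here, so I am assuming it is a `< 0` test; other handlers in this file that store the same helper's result are worth a look for the same type.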
@@ -0,0 +1,85 @@
+From 702d4930eb06dcfda85a2fa67e8a1a27bfa2a845 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov
+Date: Mon, 3 Jun 2024 13:13:17 +0300
+Subject: fs/ntfs3: Add a check for attr_names and oatbl
+
+From: Konstantin Komarov
+
+commit 702d4930eb06dcfda85a2fa67e8a1a27bfa2a845 upstream.
+
+Added out-of-bound checking for *ane (ATTR_NAME_ENTRY).
+
+Reported-by: lei lu
+Fixes: 865e7a7700d93 ("fs/ntfs3: Reduce stack usage")
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/fslog.c | 38 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/fs/ntfs3/fslog.c
++++ b/fs/ntfs3/fslog.c
+@@ -3722,6 +3722,8 @@ int log_replay(struct ntfs_inode *ni, bo
+
+ u64 rec_lsn, checkpt_lsn = 0, rlsn = 0;
+ struct ATTR_NAME_ENTRY *attr_names = NULL;
++ u32 attr_names_bytes = 0;
++ u32 oatbl_bytes = 0;
+ struct RESTART_TABLE *dptbl = NULL;
+ struct RESTART_TABLE *trtbl = NULL;
+ const struct RESTART_TABLE *rt;
+@@ -3736,6 +3738,7 @@ int log_replay(struct ntfs_inode *ni, bo
+ struct NTFS_RESTART *rst = NULL;
+ struct lcb *lcb = NULL;
+ struct OPEN_ATTR_ENRTY *oe;
++ struct ATTR_NAME_ENTRY *ane;
+ struct TRANSACTION_ENTRY *tr;
+ struct DIR_PAGE_ENTRY *dp;
+ u32 i, bytes_per_attr_entry;
+@@ -4314,17 +4317,40 @@ check_attr_table:
+ lcb = NULL;
+
+ check_attribute_names2:
+- if (rst->attr_names_len && oatbl) {
+- struct ATTR_NAME_ENTRY *ane = attr_names;
+- while (ane->off) {
++ if (attr_names && oatbl) {
++ off = 0;
++ for (;;) {
++ /* Check we can use attribute name entry 'ane'. */
++ static_assert(sizeof(*ane) == 4);
++ if (off + sizeof(*ane) > attr_names_bytes) {
++ /* just ignore the rest. */
++ break;
++ }
++
++ ane = Add2Ptr(attr_names, off);
++ t16 = le16_to_cpu(ane->off);
++ if (!t16) {
++ /* this is the only valid exit. */
++ break;
++ }
++
++ /* Check we can use open attribute entry 'oe'. */
++ if (t16 + sizeof(*oe) > oatbl_bytes) {
++ /* just ignore the rest. */
++ break;
++ }
++
+ /* TODO: Clear table on exit! */
+- oe = Add2Ptr(oatbl, le16_to_cpu(ane->off));
++ oe = Add2Ptr(oatbl, t16);
+ t16 = le16_to_cpu(ane->name_bytes);
++ off += t16 + sizeof(*ane);
++ if (off > attr_names_bytes) {
++ /* just ignore the rest. */
++ break;
++ }
+ oe->name_len = t16 / sizeof(short);
+ oe->ptr = ane->name;
+ oe->is_attr_name = 2;
+- ane = Add2Ptr(ane,
+- sizeof(struct ATTR_NAME_ENTRY) + t16);
+ }
+ }
+
diff --git a/queue-6.9/fs-ntfs3-validate-ff-offset.patch b/queue-6.9/fs-ntfs3-validate-ff-offset.patch
new file mode 100644
index 00000000000..c66523f89d5
--- /dev/null
+++ b/queue-6.9/fs-ntfs3-validate-ff-offset.patch
@@ -0,0 +1,43 @@
+From 50c47879650b4c97836a0086632b3a2e300b0f06 Mon Sep 17 00:00:00 2001
+From: lei lu
+Date: Wed, 29 May 2024 02:52:22 +0800
+Subject: fs/ntfs3: Validate ff offset
+
+From: lei lu
+
+commit 50c47879650b4c97836a0086632b3a2e300b0f06 upstream.
+
+This adds sanity checks for ff offset. There is a check
+on rt->first_free at first, but walking through by ff
+without any check. If the second ff is a large offset.
+We may encounter an out-of-bound read.
+
+Signed-off-by: lei lu
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/fslog.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/ntfs3/fslog.c
++++ b/fs/ntfs3/fslog.c
+@@ -724,7 +724,8 @@ static bool check_rstbl(const struct RES
+
+ if (!rsize || rsize > bytes ||
+ rsize + sizeof(struct RESTART_TABLE) > bytes || bytes < ts ||
+- le16_to_cpu(rt->total) > ne || ff > ts || lf > ts ||
++ le16_to_cpu(rt->total) > ne ||
++ ff > ts - sizeof(__le32) || lf > ts - sizeof(__le32) ||
+ (ff && ff < sizeof(struct RESTART_TABLE)) ||
+ (lf && lf < sizeof(struct RESTART_TABLE))) {
+ return false;
+@@ -754,6 +755,9 @@ static bool check_rstbl(const struct RES
+ return false;
+
+ off = le32_to_cpu(*(__le32 *)Add2Ptr(rt, off));
++
++ if (off > ts - sizeof(__le32))
++ return false;
+ }
+
+ return true;
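Review bot: `attr_names_bytes` and `oatbl_bytes` are initialised to 0 in the first hunk of the attr_names patch and nothing in that patch ever assigns them; the diffstat's 32 insertions are all accounted for by the three hunks shown. With both at zero, `off + sizeof(*ane) > attr_names_bytes` is true on the first pass, so the loop under `check_attribute_names2:` breaks immediately and no open-attribute entry gets its `name_len`, `ptr` or `is_attr_name` set. That is memory-safe, but it turns the name fix-up into dead code rather than a bounded walk. The two lengths need to be recorded where `attr_names` and `oatbl` are filled in, which is in the part of `log_replay()` outside these hunks, using the same byte counts that sized those buffers.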
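Review bot: The check added inside the free-list walk of `check_rstbl()` bounds each link only from above (`off > ts - sizeof(__le32)`), whereas the entry condition in the first hunk also rejects a non-zero `ff` smaller than `sizeof(struct RESTART_TABLE)`. A later link can therefore still point into the table header; that read stays inside the buffer, but it is not a valid entry offset and the validation is inconsistent between the two hunks. I would apply both bounds in the loop: `if (off && (off < sizeof(struct RESTART_TABLE) || off > ts - sizeof(__le32))) return false;`. The loop header is outside the hunk, so I cannot tell whether a chain of links that cycles ever terminates; if the only exit is `off == 0`, a cap on iterations (the entry count `ne`) would be worth adding.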
diff --git a/queue-6.9/jfs-don-t-walk-off-the-end-of-ealist.patch b/queue-6.9/jfs-don-t-walk-off-the-end-of-ealist.patch
new file mode 100644
index 00000000000..c7266f95fef
--- /dev/null
+++ b/queue-6.9/jfs-don-t-walk-off-the-end-of-ealist.patch
@@ -0,0 +1,83 @@
+From d0fa70aca54c8643248e89061da23752506ec0d4 Mon Sep 17 00:00:00 2001
+From: lei lu
+Date: Wed, 29 May 2024 02:30:40 +0800
+Subject: jfs: don't walk off the end of ealist
+
+From: lei lu
+
+commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream.
+
+Add a check before visiting the members of ea to
+make sure each ea stays within the ealist.
+
+Signed-off-by: lei lu
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jfs/xattr.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -797,7 +797,7 @@ ssize_t __jfs_getxattr(struct inode *ino
+ size_t buf_size)
+ {
+ struct jfs_ea_list *ealist;
+- struct jfs_ea *ea;
++ struct jfs_ea *ea, *ealist_end;
+ struct ea_buffer ea_buf;
+ int xattr_size;
+ ssize_t size;
+@@ -817,9 +817,16 @@ ssize_t __jfs_getxattr(struct inode *ino
+ goto not_found;
+
+ ealist = (struct jfs_ea_list *) ea_buf.xattr;
++ ealist_end = END_EALIST(ealist);
+
+ /* Find the named attribute */
+- for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea))
++ for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
++ if (unlikely(ea + 1 > ealist_end) ||
++ unlikely(NEXT_EA(ea) > ealist_end)) {
++ size = -EUCLEAN;
++ goto release;
++ }
++
+ if ((namelen == ea->namelen) &&
+ memcmp(name, ea->name, namelen) == 0) {
+ /* Found it */
+@@ -834,6 +841,7 @@ ssize_t __jfs_getxattr(struct inode *ino
+ memcpy(data, value, size);
+ goto release;
+ }
++ }
+ not_found:
+ size = -ENODATA;
+ release:
+@@ -861,7 +869,7 @@ ssize_t jfs_listxattr(struct dentry * de
+ ssize_t size = 0;
+ int xattr_size;
+ struct jfs_ea_list *ealist;
+- struct jfs_ea *ea;
++ struct jfs_ea *ea, *ealist_end;
+ struct ea_buffer ea_buf;
+
+ down_read(&JFS_IP(inode)->xattr_sem);
+@@ -876,9 +884,16 @@ ssize_t jfs_listxattr(struct dentry * de
+ goto release;
+
+ ealist = (struct jfs_ea_list *) ea_buf.xattr;
++ ealist_end = END_EALIST(ealist);
+
+ /* compute required size of list */
+- for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) {
++ for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
++ if (unlikely(ea + 1 > ealist_end) ||
++ unlikely(NEXT_EA(ea) > ealist_end)) {
++ size = -EUCLEAN;
++ goto release;
++ }
++
+ if (can_list(ea))
+ size += name_size(ea) + 1;
+ }
diff --git a/queue-6.9/ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch b/queue-6.9/ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch
new file mode 100644
index 00000000000..e5ebc6ed753
--- /dev/null
+++ b/queue-6.9/ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch
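Review bot: Both new guards compare against `ealist_end`, which is taken from `END_EALIST(ealist)`, and neither hunk shows that end being checked against the amount of data actually present in `ea_buf`. If the list's size field comes straight from disk, the walk is bounded by a value the image controls; please confirm the size is validated where the buffer is read (above these hunks), or clamp `ealist_end` to the buffer length before the loop. The same guard is pasted into `__jfs_getxattr()` and `jfs_listxattr()`; a small static helper, say `ea_within_list(ea, ealist_end)`, would keep the two copies identical and make it easy to cover any other walker of the list in this file. Returning `-EUCLEAN` without a log line also leaves no trace for whoever has to diagnose the corrupted volume.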
@@ -0,0 +1,163 @@
+From 255547c6bb8940a97eea94ef9d464ea5967763fb Mon Sep 17 00:00:00 2001
+From: lei lu
+Date: Wed, 26 Jun 2024 18:44:33 +0800
+Subject: ocfs2: add bounds checking to ocfs2_check_dir_entry()
+
+From: lei lu
+
+commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream.
+
+This adds sanity checks for ocfs2_dir_entry to make sure all members of
+ocfs2_dir_entry don't stray beyond valid memory region.
+
+Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com
+Signed-off-by: lei lu
+Reviewed-by: Heming Zhao
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/dir.c | 46 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 29 insertions(+), 17 deletions(-)
+
+--- a/fs/ocfs2/dir.c
++++ b/fs/ocfs2/dir.c
+@@ -294,13 +294,16 @@ out:
+ * bh passed here can be an inode block or a dir data block, depending
+ * on the inode inline data flag.
+ */
+-static int ocfs2_check_dir_entry(struct inode * dir,
+- struct ocfs2_dir_entry * de,
+- struct buffer_head * bh,
++static int ocfs2_check_dir_entry(struct inode *dir,
++ struct ocfs2_dir_entry *de,
++ struct buffer_head *bh,
++ char *buf,
++ unsigned int size,
+ unsigned long offset)
+ {
+ const char *error_msg = NULL;
+ const int rlen = le16_to_cpu(de->rec_len);
++ const unsigned long next_offset = ((char *) de - buf) + rlen;
+
+ if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
+ error_msg = "rec_len is smaller than minimal";
+@@ -308,9 +311,11 @@ static int ocfs2_check_dir_entry(struct
+ error_msg = "rec_len % 4 != 0";
+ else if (unlikely(rlen < OCFS2_DIR_REC_LEN(de->name_len)))
+ error_msg = "rec_len is too small for name_len";
+- else if (unlikely(
+- ((char *) de - bh->b_data) + rlen > dir->i_sb->s_blocksize))
+- error_msg = "directory entry across blocks";
++ else if (unlikely(next_offset > size))
++ error_msg = "directory entry overrun";
++ else if (unlikely(next_offset > size - OCFS2_DIR_REC_LEN(1)) &&
++ next_offset != size)
++ error_msg = "directory entry too close to end";
+
+ if (unlikely(error_msg != NULL))
+ mlog(ML_ERROR, "bad entry in directory #%llu: %s - "
+@@ -352,16 +357,17 @@ static inline int ocfs2_search_dirblock(
+ de_buf = first_de;
+ dlimit = de_buf + bytes;
+
+- while (de_buf < dlimit) {
++ while (de_buf < dlimit - OCFS2_DIR_MEMBER_LEN) {
+ /* this code is executed quadratically often */
+ /* do minimal checking `by hand' */
+
+ de = (struct ocfs2_dir_entry *) de_buf;
+
+- if (de_buf + namelen <= dlimit &&
++ if (de->name + namelen <= dlimit &&
+ ocfs2_match(namelen, name, de)) {
+ /* found a match - just to be sure, do a full check */
+- if (!ocfs2_check_dir_entry(dir, de, bh, offset)) {
++ if (!ocfs2_check_dir_entry(dir, de, bh, first_de,
++ bytes, offset)) {
+ ret = -1;
+ goto bail;
+ }
+@@ -1138,7 +1144,7 @@ static int __ocfs2_delete_entry(handle_t
+ pde = NULL;
+ de = (struct ocfs2_dir_entry *) first_de;
+ while (i < bytes) {
+- if (!ocfs2_check_dir_entry(dir, de, bh, i)) {
++ if (!ocfs2_check_dir_entry(dir, de, bh, first_de, bytes, i)) {
+ status = -EIO;
+ mlog_errno(status);
+ goto bail;
+@@ -1635,7 +1641,8 @@ int __ocfs2_add_entry(handle_t *handle,
+ /* These checks should've already been passed by the
+ * prepare function, but I guess we can leave them
+ * here anyway. */
+- if (!ocfs2_check_dir_entry(dir, de, insert_bh, offset)) {
++ if (!ocfs2_check_dir_entry(dir, de, insert_bh, data_start,
++ size, offset)) {
+ retval = -ENOENT;
+ goto bail;
+ }
+@@ -1774,7 +1781,8 @@ static int ocfs2_dir_foreach_blk_id(stru
+ }
+
+ de = (struct ocfs2_dir_entry *) (data->id_data + ctx->pos);
+- if (!ocfs2_check_dir_entry(inode, de, di_bh, ctx->pos)) {
++ if (!ocfs2_check_dir_entry(inode, de, di_bh, (char *)data->id_data,
++ i_size_read(inode), ctx->pos)) {
+ /* On error, skip the f_pos to the end. */
+ ctx->pos = i_size_read(inode);
+ break;
+@@ -1867,7 +1875,8 @@ static int ocfs2_dir_foreach_blk_el(stru
+ while (ctx->pos < i_size_read(inode)
+ && offset < sb->s_blocksize) {
+ de = (struct ocfs2_dir_entry *) (bh->b_data + offset);
+- if (!ocfs2_check_dir_entry(inode, de, bh, offset)) {
++ if (!ocfs2_check_dir_entry(inode, de, bh, bh->b_data,
++ sb->s_blocksize, offset)) {
+ /* On error, skip the f_pos to the
+ next block. */
+ ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1;
+@@ -3339,7 +3348,7 @@ static int ocfs2_find_dir_space_id(struc
+ struct super_block *sb = dir->i_sb;
+ struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
+ struct ocfs2_dir_entry *de, *last_de = NULL;
+- char *de_buf, *limit;
++ char *first_de, *de_buf, *limit;
+ unsigned long offset = 0;
+ unsigned int rec_len, new_rec_len, free_space;
+
+@@ -3352,14 +3361,16 @@ static int ocfs2_find_dir_space_id(struc
+ else
+ free_space = dir->i_sb->s_blocksize - i_size_read(dir);
+
+- de_buf = di->id2.i_data.id_data;
++ first_de = di->id2.i_data.id_data;
++ de_buf = first_de;
+ limit = de_buf + i_size_read(dir);
+ rec_len = OCFS2_DIR_REC_LEN(namelen);
+
+ while (de_buf < limit) {
+ de = (struct ocfs2_dir_entry *)de_buf;
+
+- if (!ocfs2_check_dir_entry(dir, de, di_bh, offset)) {
++ if (!ocfs2_check_dir_entry(dir, de, di_bh, first_de,
++ i_size_read(dir), offset)) {
+ ret = -ENOENT;
+ goto out;
+ }
+@@ -3441,7 +3452,8 @@ static int ocfs2_find_dir_space_el(struc
+ /* move to next block */
+ de = (struct ocfs2_dir_entry *) bh->b_data;
+ }
+- if (!ocfs2_check_dir_entry(dir, de, bh, offset)) {
++ if (!ocfs2_check_dir_entry(dir, de, bh, bh->b_data, blocksize,
++ offset)) {
+ status = -ENOENT;
+ goto bail;
+ }
diff --git a/queue-6.9/s390-mm-fix-vm_fault_hwpoison-handling-in-do_exception.patch b/queue-6.9/s390-mm-fix-vm_fault_hwpoison-handling-in-do_exception.patch
new file mode 100644
index 00000000000..dbcd14aad7d
--- /dev/null
+++ b/queue-6.9/s390-mm-fix-vm_fault_hwpoison-handling-in-do_exception.patch
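Review bot: `ocfs2_check_dir_entry()` still reads `de->rec_len` in the initialiser of `rlen`, and `de->name_len` in the third test, before anything has established that the entry header itself lies inside `buf .. buf + size`. The callers in these hunks mostly guarantee only that the entry starts below the limit (`i < bytes`, `de_buf < limit`, `offset < sb->s_blocksize`); `ocfs2_search_dirblock()` is the one that reserves `OCFS2_DIR_MEMBER_LEN`. Since `buf` and `size` are now passed in, the function could first reject an entry for which `(char *)de - buf + OCFS2_DIR_MEMBER_LEN > size` and only then compute `rlen` and `next_offset`, which means turning the two `const` initialisers into assignments after the guard. When a walk starts at offset 0 the new "too close to end" test on the previous entry already covers the next one, so this matters mainly where the starting offset comes from elsewhere, as with `ctx->pos` in `ocfs2_dir_foreach_blk_id()`; the code that derives that offset is outside the hunks.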
@@ -0,0 +1,55 @@
+From df39038cd89525d465c2c8827eb64116873f141a Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer
+Date: Mon, 15 Jul 2024 20:04:16 +0200
+Subject: s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()
+
+From: Gerald Schaefer
+
+commit df39038cd89525d465c2c8827eb64116873f141a upstream.
+
+There is no support for HWPOISON, MEMORY_FAILURE, or ARCH_HAS_COPY_MC on
+s390. Therefore we do not expect to see VM_FAULT_HWPOISON in
+do_exception().
+
+However, since commit af19487f00f3 ("mm: make PTE_MARKER_SWAPIN_ERROR more
+general"), it is possible to see VM_FAULT_HWPOISON in combination with
+PTE_MARKER_POISONED, even on architectures that do not support HWPOISON
+otherwise. In this case, we will end up on the BUG() in do_exception().
+
+Fix this by treating VM_FAULT_HWPOISON the same as VM_FAULT_SIGBUS, similar
+to x86 when MEMORY_FAILURE is not configured. Also print unexpected fault
+flags, for easier debugging.
+
+Note that VM_FAULT_HWPOISON_LARGE is not expected, because s390 cannot
+support swap entries on other levels than PTE level.
+
+Cc: stable@vger.kernel.org # 6.6+
+Fixes: af19487f00f3 ("mm: make PTE_MARKER_SWAPIN_ERROR more general")
+Reported-by: Yunseong Kim
+Tested-by: Yunseong Kim
+Acked-by: Alexander Gordeev
+Signed-off-by: Gerald Schaefer
+Message-ID: <20240715180416.3632453-1-gerald.schaefer@linux.ibm.com>
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/mm/fault.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -432,12 +432,13 @@ error:
+ handle_fault_error_nolock(regs, 0);
+ else
+ do_sigsegv(regs, SEGV_MAPERR);
+- } else if (fault & VM_FAULT_SIGBUS) {
++ } else if (fault & (VM_FAULT_SIGBUS | VM_FAULT_HWPOISON)) {
+ if (!user_mode(regs))
+ handle_fault_error_nolock(regs, 0);
+ else
+ do_sigbus(regs);
+ } else {
++ pr_emerg("Unexpected fault flags: %08x\n", fault);
+ BUG();
+ }
+ }
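Review bot: The widened test `fault & (VM_FAULT_SIGBUS | VM_FAULT_HWPOISON)` carries no comment, and the reason is not obvious on an architecture that, per the commit message, has no HWPOISON or MEMORY_FAILURE support. Something like `/* VM_FAULT_HWPOISON can still arrive via PTE_MARKER_POISONED; treat it as SIGBUS */` above the branch would stop it being removed later as dead code. The final `else` still ends in `BUG()`, so any further unexpected flag (the message names `VM_FAULT_HWPOISON_LARGE` as not expected) takes the machine down after the new `pr_emerg()`; if that path can be reached from a user-triggered fault, logging and falling back to the SIGBUS handling would be the safer default. The enclosing function starts above the hunk.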
diff --git a/queue-6.9/series b/queue-6.9/series
new file mode 100644
index 00000000000..f80b3ca100a
--- /dev/null
+++ b/queue-6.9/series
@@ -0,0 +1,11 @@
+drm-amdgpu-fix-signedness-bug-in-sdma_v4_0_process_trap_irq.patch
+s390-mm-fix-vm_fault_hwpoison-handling-in-do_exception.patch
+ocfs2-add-bounds-checking-to-ocfs2_check_dir_entry.patch
+jfs-don-t-walk-off-the-end-of-ealist.patch
+fs-ntfs3-add-a-check-for-attr_names-and-oatbl.patch
+fs-ntfs3-validate-ff-offset.patch
+usb-gadget-midi2-fix-incorrect-default-midi2-protocol-setup.patch
+alsa-hda-tas2781-add-new-quirk-for-lenovo-hera2-laptop.patch
+alsa-hda-realtek-enable-headset-mic-on-positivo-su-c1400.patch
+alsa-hda-realtek-fix-the-speaker-output-on-samsung-galaxy-book-pro-360.patch
+arm64-dts-qcom-sc7180-disable-superspeed-instances-in-park-mode.patch
diff --git a/queue-6.9/usb-gadget-midi2-fix-incorrect-default-midi2-protocol-setup.patch b/queue-6.9/usb-gadget-midi2-fix-incorrect-default-midi2-protocol-setup.patch
new file mode 100644
index 00000000000..cbc842d55b0
--- /dev/null
+++ b/queue-6.9/usb-gadget-midi2-fix-incorrect-default-midi2-protocol-setup.patch
@@ -0,0 +1,92 @@
+From 3eb27d3e32c78badbc4db6ae76614b5961e32291 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 8 Jul 2024 11:57:17 +0200
+Subject: usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup
+
+From: Takashi Iwai
+
+commit 3eb27d3e32c78badbc4db6ae76614b5961e32291 upstream.
+
+The MIDI2 gadget driver handled the default MIDI protocol version
+incorrectly due to the confusion of the protocol version passed via
+configfs (either 1 or 2) and UMP protocol bits (0x100 / 0x200).
+As a consequence, the default protocol always resulted in MIDI1.
+
+This patch addresses the misunderstanding of the protocol handling.
+
+Fixes: 29ee7a4dddd5 ("usb: gadget: midi2: Add configfs support")
+Cc: stable
+Signed-off-by: Takashi Iwai
+Link: https://lore.kernel.org/r/20240708095719.25627-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_midi2.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_midi2.c
++++ b/drivers/usb/gadget/function/f_midi2.c
+@@ -150,6 +150,9 @@ struct f_midi2 {
+
+ #define func_to_midi2(f) container_of(f, struct f_midi2, func)
+
++/* convert from MIDI protocol number (1 or 2) to SNDRV_UMP_EP_INFO_PROTO_* */
++#define to_ump_protocol(v) (((v) & 3) << 8)
++
+ /* get EP name string */
+ static const char *ump_ep_name(const struct f_midi2_ep *ep)
+ {
+@@ -564,8 +567,7 @@ static void reply_ump_stream_ep_config(s
+ .status = UMP_STREAM_MSG_STATUS_STREAM_CFG,
+ };
+
+- if ((ep->info.protocol & SNDRV_UMP_EP_INFO_PROTO_MIDI_MASK) ==
+- SNDRV_UMP_EP_INFO_PROTO_MIDI2)
++ if (ep->info.protocol == 2)
+ rep.protocol = UMP_STREAM_MSG_EP_INFO_CAP_MIDI2 >> 8;
+ else
+ rep.protocol = UMP_STREAM_MSG_EP_INFO_CAP_MIDI1 >> 8;
+@@ -627,13 +629,13 @@ static void process_ump_stream_msg(struc
+ return;
+ case UMP_STREAM_MSG_STATUS_STREAM_CFG_REQUEST:
+ if (*data & UMP_STREAM_MSG_EP_INFO_CAP_MIDI2) {
+- ep->info.protocol = SNDRV_UMP_EP_INFO_PROTO_MIDI2;
++ ep->info.protocol = 2;
+ DBG(midi2, "Switching Protocol to MIDI2\n");
+ } else {
+- ep->info.protocol = SNDRV_UMP_EP_INFO_PROTO_MIDI1;
++ ep->info.protocol = 1;
+ DBG(midi2, "Switching Protocol to MIDI1\n");
+ }
+- snd_ump_switch_protocol(ep->ump, ep->info.protocol);
++ snd_ump_switch_protocol(ep->ump, to_ump_protocol(ep->info.protocol));
+ reply_ump_stream_ep_config(ep);
+ return;
+ case UMP_STREAM_MSG_STATUS_FB_DISCOVERY:
+@@ -1065,7 +1067,8 @@ static void f_midi2_midi1_ep_out_complet
+ group = midi2->out_cable_mapping[cable].group;
+ bytes = midi1_packet_bytes[*buf & 0x0f];
+ for (c = 0; c < bytes; c++) {
+- snd_ump_convert_to_ump(cvt, group, ep->info.protocol,
++ snd_ump_convert_to_ump(cvt, group,
++ to_ump_protocol(ep->info.protocol),
+ buf[c + 1]);
+ if (cvt->ump_bytes) {
+ snd_ump_receive(ep->ump, cvt->ump,
+@@ -1375,7 +1378,7 @@ static void assign_block_descriptors(str
+ desc->nNumGroupTrm = b->num_groups;
+ desc->iBlockItem = ep->blks[blk].string_id;
+
+- if (ep->info.protocol & SNDRV_UMP_EP_INFO_PROTO_MIDI2)
++ if (ep->info.protocol == 2)
+ desc->bMIDIProtocol = USB_MS_MIDI_PROTO_2_0;
+ else
+ desc->bMIDIProtocol = USB_MS_MIDI_PROTO_1_0_128;
+@@ -1552,7 +1555,7 @@ static int f_midi2_create_card(struct f_
+ if (midi2->info.static_block)
+ ump->info.flags |= SNDRV_UMP_EP_INFO_STATIC_BLOCKS;
+ ump->info.protocol_caps = (ep->info.protocol_caps & 3) << 8;
+- ump->info.protocol = (ep->info.protocol & 3) << 8;
++ ump->info.protocol = to_ump_protocol(ep->info.protocol);
+ ump->info.version = 0x0101;
+ ump->info.family_id = ep->info.family;
+ ump->info.model_id = ep->info.model;
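Review bot: After this change `ep->info.protocol` is a plain number that is compared with `== 2` in `reply_ump_stream_ep_config()` and `assign_block_descriptors()` but converted with `to_ump_protocol()`, which masks with `& 3`, everywhere else. For 1 and 2 the two agree; for 0 or 3 they do not, because the `== 2` sites fall back to MIDI1 while the macro yields 0 or both protocol bits. Whether configfs restricts the stored value to 1 or 2 is not visible in these hunks; if it does not, either validate it there or make the macro total, e.g. `#define to_ump_protocol(v) ((v) == 2 ? SNDRV_UMP_EP_INFO_PROTO_MIDI2 : SNDRV_UMP_EP_INFO_PROTO_MIDI1)`. The neighbouring `protocol_caps` assignment in `f_midi2_create_card()` still open-codes `(... & 3) << 8`, which suits a bit mask but deserves a comment now that the two fields are converted differently.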