From: Sasha Levin Date: Sat, 5 Oct 2024 18:29:13 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.6.55~144 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dc2b0bbcf86265b0cb930c5448c457fd0ac083a5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch b/queue-5.10/alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch new file mode 100644 index 00000000000..372904bb9ef --- /dev/null +++ b/queue-5.10/alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch @@ -0,0 +1,72 @@ +From 80642088fc68d74b0d8865c43c02a3c60d93698b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 10:25:58 +0200 +Subject: ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin + +From: Takashi Iwai + +[ Upstream commit b3ebb007060f89d5a45c9b99f06a55e36a1945b5 ] + +We received a regression report for System76 Pangolin (pang14) due to +the recent fix for Tuxedo Sirius devices to support the top speaker. +The reason was the conflicting PCI SSID, as often seen. + +As a workaround, now the codec SSID is checked and the quirk is +applied conditionally only to Sirius devices. + +Fixes: 4178d78cd7a8 ("ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices") +Reported-by: Christian Heusel +Reported-by: Jerry +Closes: https://lore.kernel.org/c930b6a6-64e5-498f-b65a-1cd5e0a1d733@heusel.eu +Link: https://patch.msgid.link/20241004082602.29016-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index d908a39af9f5e..4046ce3db4b50 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -747,6 +747,23 @@ static const struct hda_pintbl cxt_pincfg_sws_js201d[] = { + {} + }; + ++/* pincfg quirk for Tuxedo Sirius; ++ * unfortunately the (PCI) SSID conflicts with System76 Pangolin pang14, ++ * which has incompatible pin setup, so we check the codec SSID (luckily ++ * different one!) and conditionally apply the quirk here ++ */ ++static void cxt_fixup_sirius_top_speaker(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ /* ignore for incorrectly picked-up pang14 */ ++ if (codec->core.subsystem_id == 0x278212b3) ++ return; ++ /* set up the top speaker pin */ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) ++ snd_hda_codec_set_pincfg(codec, 0x1d, 0x82170111); ++} ++ + static const struct hda_fixup cxt_fixups[] = { + [CXT_PINCFG_LENOVO_X200] = { + .type = HDA_FIXUP_PINS, +@@ -907,11 +924,8 @@ static const struct hda_fixup cxt_fixups[] = { + .v.pins = cxt_pincfg_sws_js201d, + }, + [CXT_PINCFG_TOP_SPEAKER] = { +- .type = HDA_FIXUP_PINS, +- .v.pins = (const struct hda_pintbl[]) { +- { 0x1d, 0x82170111 }, +- { } +- }, ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cxt_fixup_sirius_top_speaker, + }, + }; + +-- +2.43.0 + diff --git a/queue-5.10/alsa-hda-generic-unconditionally-prefer-preferred_da.patch b/queue-5.10/alsa-hda-generic-unconditionally-prefer-preferred_da.patch new file mode 100644 index 00000000000..5c5d6869775 --- /dev/null +++ b/queue-5.10/alsa-hda-generic-unconditionally-prefer-preferred_da.patch @@ -0,0 +1,60 @@ +From 61ccdaf40dd1465c81e77c08656cd56670727933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 14:14:36 +0200 +Subject: ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs + +From: Takashi Iwai + +[ Upstream commit 1c801e7f77445bc56e5e1fec6191fd4503534787 ] + +Some time ago, we introduced the obey_preferred_dacs flag for choosing +the DAC/pin pairs specified by the driver instead of parsing the +paths. This works as expected, per se, but there have been a few +cases where we forgot to set this flag while preferred_dacs table is +already set up. It ended up with incorrect wiring and made us +wondering why it doesn't work. + +Basically, when the preferred_dacs table is provided, it means that +the driver really wants to wire up to follow that. That is, the +presence of the preferred_dacs table itself is already a "do-it" +flag. + +In this patch, we simply replace the evaluation of obey_preferred_dacs +flag with the presence of preferred_dacs table for fixing the +misbehavior. Another patch to drop of the obsoleted flag will +follow. + +Fixes: 242d990c158d ("ALSA: hda/generic: Add option to enforce preferred_dacs pairs") +Link: https://bugzilla.suse.com/show_bug.cgi?id=1219803 +Link: https://patch.msgid.link/20241001121439.26060-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_generic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 733dc9953a38b..d697041a8529a 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -1377,7 +1377,7 @@ static int try_assign_dacs(struct hda_codec *codec, int num_outs, + struct nid_path *path; + hda_nid_t pin = pins[i]; + +- if (!spec->obey_preferred_dacs) { ++ if (!spec->preferred_dacs) { + path = snd_hda_get_path_from_idx(codec, path_idx[i]); + if (path) { + badness += assign_out_path_ctls(codec, path); +@@ -1389,7 +1389,7 @@ static int try_assign_dacs(struct hda_codec *codec, int num_outs, + if (dacs[i]) { + if (is_dac_already_used(codec, dacs[i])) + badness += bad->shared_primary; +- } else if (spec->obey_preferred_dacs) { ++ } else if (spec->preferred_dacs) { + badness += BAD_NO_PRIMARY_DAC; + } + +-- +2.43.0 + diff --git a/queue-5.10/alsa-hda-realtek-fix-the-push-button-function-for-th.patch b/queue-5.10/alsa-hda-realtek-fix-the-push-button-function-for-th.patch new file mode 100644 index 00000000000..0f75c3fd721 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-the-push-button-function-for-th.patch @@ -0,0 +1,36 @@ +From 411cf777fe02dc8a609e65a19926008efc529b11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 18:50:39 +0800 +Subject: ALSA: hda/realtek: Fix the push button function for the ALC257 + +From: Oder Chiou + +[ Upstream commit 05df9732a0894846c46d0062d4af535c5002799d ] + +The headset push button cannot work properly in case of the ALC257. +This patch reverted the previous commit to correct the side effect. + +Fixes: ef9718b3d54e ("ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7") +Signed-off-by: Oder Chiou +Link: https://patch.msgid.link/20240930105039.3473266-1-oder_chiou@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index d6ebde90f0825..de2a7eb55ae35 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -578,6 +578,7 @@ static void alc_shutup_pins(struct hda_codec *codec) + switch (codec->core.vendor_id) { + case 0x10ec0236: + case 0x10ec0256: ++ case 0x10ec0257: + case 0x19e58326: + case 0x10ec0283: + case 0x10ec0285: +-- +2.43.0 + diff --git a/queue-5.10/alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch b/queue-5.10/alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch new file mode 100644 index 00000000000..851eba83a08 --- /dev/null +++ b/queue-5.10/alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch @@ -0,0 +1,44 @@ +From a45dd215737e194a0fce74ecdbc8464db9a0bd27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 20:17:36 +0200 +Subject: ALSA: mixer_oss: Remove some incorrect kfree_const() usages + +From: Christophe JAILLET + +[ Upstream commit 368e4663c557de4a33f321b44e7eeec0a21b2e4e ] + +"assigned" and "assigned->name" are allocated in snd_mixer_oss_proc_write() +using kmalloc() and kstrdup(), so there is no point in using kfree_const() +to free these resources. + +Switch to the more standard kfree() to free these resources. + +This could avoid a memory leak. + +Fixes: 454f5ec1d2b7 ("ALSA: mixer: oss: Constify snd_mixer_oss_assign_table definition") +Signed-off-by: Christophe JAILLET +Link: https://patch.msgid.link/63ac20f64234b7c9ea87a7fa9baf41e8255852f7.1727374631.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/oss/mixer_oss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/core/oss/mixer_oss.c b/sound/core/oss/mixer_oss.c +index bfed82a3a1881..eb1a6229a31ca 100644 +--- a/sound/core/oss/mixer_oss.c ++++ b/sound/core/oss/mixer_oss.c +@@ -957,8 +957,8 @@ static void snd_mixer_oss_slot_free(struct snd_mixer_oss_slot *chn) + struct slot *p = chn->private_data; + if (p) { + if (p->allocated && p->assigned) { +- kfree_const(p->assigned->name); +- kfree_const(p->assigned); ++ kfree(p->assigned->name); ++ kfree(p->assigned); + } + kfree(p); + } +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch b/queue-5.10/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch new file mode 100644 index 00000000000..42b4c971d31 --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch @@ -0,0 +1,165 @@ +From e5da64a7f11190db520216ca59a254ece63d4e15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 15:50:47 -0400 +Subject: Bluetooth: L2CAP: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +[ Upstream commit 4f3951242ace5efc7131932e2e01e6ac6baed846 ] + +Check user input length before copying data. + +Fixes: 33575df7be67 ("Bluetooth: move l2cap_sock_setsockopt() to l2cap_sock.c") +Fixes: 3ee7b7cd8390 ("Bluetooth: Add BT_MODE socket option") +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 52 +++++++++++++++----------------------- + 1 file changed, 20 insertions(+), 32 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 3a2be1b4a5743..93afa52c04660 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -745,7 +745,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + struct sock *sk = sock->sk; + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct l2cap_options opts; +- int len, err = 0; ++ int err = 0; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -772,11 +772,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + opts.max_tx = chan->max_tx; + opts.txwin_size = chan->tx_win; + +- len = min_t(unsigned int, sizeof(opts), optlen); +- if (copy_from_sockptr(&opts, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); ++ if (err) + break; +- } + + if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { + err = -EINVAL; +@@ -819,10 +817,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + break; + + case L2CAP_LM: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt & L2CAP_LM_FIPS) { + err = -EINVAL; +@@ -903,7 +900,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + struct bt_security sec; + struct bt_power pwr; + struct l2cap_conn *conn; +- int len, err = 0; ++ int err = 0; + u32 opt; + u16 mtu; + u8 mode; +@@ -929,11 +926,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); +- if (copy_from_sockptr(&sec, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ if (err) + break; +- } + + if (sec.level < BT_SECURITY_LOW || + sec.level > BT_SECURITY_FIPS) { +@@ -978,10 +973,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) { + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +@@ -993,10 +987,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_FLUSHABLE: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt > BT_FLUSHABLE_ON) { + err = -EINVAL; +@@ -1028,11 +1021,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; + +- len = min_t(unsigned int, sizeof(pwr), optlen); +- if (copy_from_sockptr(&pwr, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); ++ if (err) + break; +- } + + if (pwr.force_active) + set_bit(FLAG_FORCE_ACTIVE, &chan->flags); +@@ -1041,10 +1032,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_CHANNEL_POLICY: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt > BT_CHANNEL_POLICY_AMP_PREFERRED) { + err = -EINVAL; +@@ -1089,10 +1079,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); ++ if (err) + break; +- } + + if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && + sk->sk_state == BT_CONNECTED) +@@ -1120,10 +1109,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&mode, optval, sizeof(u8))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); ++ if (err) + break; +- } + + BT_DBG("mode %u", mode); + +-- +2.43.0 + diff --git a/queue-5.10/f2fs-require-fmode_write-for-atomic-write-ioctls.patch b/queue-5.10/f2fs-require-fmode_write-for-atomic-write-ioctls.patch new file mode 100644 index 00000000000..9077e7bd0fd --- /dev/null +++ b/queue-5.10/f2fs-require-fmode_write-for-atomic-write-ioctls.patch @@ -0,0 +1,97 @@ +From f85ed150d5978edcb27bb67f7c5040e43fa0405e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 19:36:43 +0000 +Subject: f2fs: Require FMODE_WRITE for atomic write ioctls + +From: Jann Horn + +commit 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e upstream. + +The F2FS ioctls for starting and committing atomic writes check for +inode_owner_or_capable(), but this does not give LSMs like SELinux or +Landlock an opportunity to deny the write access - if the caller's FSUID +matches the inode's UID, inode_owner_or_capable() immediately returns true. + +There are scenarios where LSMs want to deny a process the ability to write +particular files, even files that the FSUID of the process owns; but this +can currently partially be bypassed using atomic write ioctls in two ways: + + - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can + truncate an inode to size 0 + - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert + changes another process concurrently made to a file + +Fix it by requiring FMODE_WRITE for these operations, just like for +F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these +ioctls when intending to write into the file, that seems unlikely to break +anything. + +Fixes: 88b88a667971 ("f2fs: support atomic writes") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Reviewed-by: Chao Yu +Reviewed-by: Eric Biggers +Signed-off-by: Jaegeuk Kim +Signed-off-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 060bd64502c68..7ce22137afbe9 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2054,6 +2054,9 @@ static int f2fs_ioc_start_atomic_write(struct file *filp) + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(inode)) + return -EACCES; + +@@ -2124,6 +2127,9 @@ static int f2fs_ioc_commit_atomic_write(struct file *filp) + struct inode *inode = file_inode(filp); + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(inode)) + return -EACCES; + +@@ -2166,6 +2172,9 @@ static int f2fs_ioc_start_volatile_write(struct file *filp) + struct inode *inode = file_inode(filp); + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(inode)) + return -EACCES; + +@@ -2201,6 +2210,9 @@ static int f2fs_ioc_release_volatile_write(struct file *filp) + struct inode *inode = file_inode(filp); + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(inode)) + return -EACCES; + +@@ -2230,6 +2242,9 @@ static int f2fs_ioc_abort_volatile_write(struct file *filp) + struct inode *inode = file_inode(filp); + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(inode)) + return -EACCES; + +-- +2.43.0 + diff --git a/queue-5.10/i2c-xiic-fix-broken-locking-on-tx_msg.patch b/queue-5.10/i2c-xiic-fix-broken-locking-on-tx_msg.patch new file mode 100644 index 00000000000..73ba095811b --- /dev/null +++ b/queue-5.10/i2c-xiic-fix-broken-locking-on-tx_msg.patch @@ -0,0 +1,101 @@ +From 72f950ab7f7fd26291fae5cf63be23e6687f11ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 23:41:40 +0200 +Subject: i2c: xiic: Fix broken locking on tx_msg + +From: Marek Vasut + +[ Upstream commit c119e7d00c916881913011e6f4c6ac349a41e4e2 ] + +The tx_msg is set from multiple places, sometimes without locking, +which fall apart on any SMP system. Only ever access tx_msg inside +the driver mutex. + +Signed-off-by: Marek Vasut +Acked-by: Michal Simek +Signed-off-by: Wolfram Sang +Stable-dep-of: 1d4a1adbed25 ("i2c: xiic: Try re-initialization on bus busy timeout") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 568e97c3896d1..ae9ef3f7220e6 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -170,7 +170,7 @@ struct xiic_i2c { + #define xiic_tx_space(i2c) ((i2c)->tx_msg->len - (i2c)->tx_pos) + #define xiic_rx_space(i2c) ((i2c)->rx_msg->len - (i2c)->rx_pos) + +-static int xiic_start_xfer(struct xiic_i2c *i2c); ++static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num); + static void __xiic_start_xfer(struct xiic_i2c *i2c); + + /* +@@ -701,15 +701,25 @@ static void __xiic_start_xfer(struct xiic_i2c *i2c) + + } + +-static int xiic_start_xfer(struct xiic_i2c *i2c) ++static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num) + { + int ret; ++ + mutex_lock(&i2c->lock); + ++ ret = xiic_busy(i2c); ++ if (ret) ++ goto out; ++ ++ i2c->tx_msg = msgs; ++ i2c->rx_msg = NULL; ++ i2c->nmsgs = num; ++ + ret = xiic_reinit(i2c); + if (!ret) + __xiic_start_xfer(i2c); + ++out: + mutex_unlock(&i2c->lock); + + return ret; +@@ -727,14 +737,7 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + if (err < 0) + return err; + +- err = xiic_busy(i2c); +- if (err) +- goto out; +- +- i2c->tx_msg = msgs; +- i2c->nmsgs = num; +- +- err = xiic_start_xfer(i2c); ++ err = xiic_start_xfer(i2c, msgs, num); + if (err < 0) { + dev_err(adap->dev.parent, "Error xiic_start_xfer\n"); + goto out; +@@ -742,9 +745,11 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + + if (wait_event_timeout(i2c->wait, (i2c->state == STATE_ERROR) || + (i2c->state == STATE_DONE), HZ)) { ++ mutex_lock(&i2c->lock); + err = (i2c->state == STATE_DONE) ? num : -EIO; + goto out; + } else { ++ mutex_lock(&i2c->lock); + i2c->tx_msg = NULL; + i2c->rx_msg = NULL; + i2c->nmsgs = 0; +@@ -752,6 +757,7 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + goto out; + } + out: ++ mutex_unlock(&i2c->lock); + pm_runtime_mark_last_busy(i2c->dev); + pm_runtime_put_autosuspend(i2c->dev); + return err; +-- +2.43.0 + diff --git a/queue-5.10/i2c-xiic-fix-rx-irq-busy-check.patch b/queue-5.10/i2c-xiic-fix-rx-irq-busy-check.patch new file mode 100644 index 00000000000..67063c576ed --- /dev/null +++ b/queue-5.10/i2c-xiic-fix-rx-irq-busy-check.patch @@ -0,0 +1,39 @@ +From 07f23f62b9a1af2207d890e77715241dc12ffe7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 23:41:45 +0200 +Subject: i2c: xiic: Fix RX IRQ busy check + +From: Marek Vasut + +[ Upstream commit 294b29f15469e90893c2b72a738a962ee02a12eb ] + +In case the XIIC does TX/RX transfer, make sure no other kernel thread +can start another TX transfer at the same time. This could happen since +the driver only checks tx_msg for being non-NULL and returns -EBUSY in +that case, however it is necessary to check also rx_msg for the same. + +Signed-off-by: Marek Vasut +Acked-by: Michal Simek +Signed-off-by: Wolfram Sang +Stable-dep-of: 1d4a1adbed25 ("i2c: xiic: Try re-initialization on bus busy timeout") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index c6447b2769f9d..b91ea900aae3a 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -545,7 +545,7 @@ static int xiic_busy(struct xiic_i2c *i2c) + int tries = 3; + int err; + +- if (i2c->tx_msg) ++ if (i2c->tx_msg || i2c->rx_msg) + return -EBUSY; + + /* In single master mode bus can only be busy, when in use by this +-- +2.43.0 + diff --git a/queue-5.10/i2c-xiic-improve-error-message-when-transfer-fails-t.patch b/queue-5.10/i2c-xiic-improve-error-message-when-transfer-fails-t.patch new file mode 100644 index 00000000000..a168039cf6a --- /dev/null +++ b/queue-5.10/i2c-xiic-improve-error-message-when-transfer-fails-t.patch @@ -0,0 +1,72 @@ +From 7011ed6f74239c1853a6c4c397d0097590970c88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 12:03:24 -0400 +Subject: i2c: xiic: improve error message when transfer fails to start + +From: Marc Ferland + +[ Upstream commit ee1691d0ae103ba7fd9439800ef454674fadad27 ] + +xiic_start_xfer can fail for different reasons: + +- EBUSY: bus is busy or i2c messages still in tx_msg or rx_msg +- ETIMEDOUT: timed-out trying to clear the RX fifo +- EINVAL: wrong clock settings + +Both EINVAL and ETIMEDOUT will currently print a specific error +message followed by a generic one, for example: + + Failed to clear rx fifo + Error xiic_start_xfer + +however EBUSY will simply output the generic message: + + Error xiic_start_xfer + +which is not really helpful. + +This commit adds a new error message when a busy condition is detected +and also removes the generic message since it does not provide any +relevant information to the user. + +Signed-off-by: Marc Ferland +Acked-by: Michal Simek +Signed-off-by: Andi Shyti +Stable-dep-of: 1d4a1adbed25 ("i2c: xiic: Try re-initialization on bus busy timeout") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index bd5fc4ace0667..41104f9f6f0ae 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -711,8 +711,11 @@ static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num) + mutex_lock(&i2c->lock); + + ret = xiic_busy(i2c); +- if (ret) ++ if (ret) { ++ dev_err(i2c->adap.dev.parent, ++ "cannot start a transfer while busy\n"); + goto out; ++ } + + i2c->tx_msg = msgs; + i2c->rx_msg = NULL; +@@ -742,10 +745,8 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + return err; + + err = xiic_start_xfer(i2c, msgs, num); +- if (err < 0) { +- dev_err(adap->dev.parent, "Error xiic_start_xfer\n"); ++ if (err < 0) + goto out; +- } + + err = wait_for_completion_timeout(&i2c->completion, XIIC_XFER_TIMEOUT); + mutex_lock(&i2c->lock); +-- +2.43.0 + diff --git a/queue-5.10/i2c-xiic-switch-from-waitqueue-to-completion.patch b/queue-5.10/i2c-xiic-switch-from-waitqueue-to-completion.patch new file mode 100644 index 00000000000..8917ca7167a --- /dev/null +++ b/queue-5.10/i2c-xiic-switch-from-waitqueue-to-completion.patch @@ -0,0 +1,126 @@ +From 2b5afccf251f984e5dd4115ca62d16405c7833f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 23:41:43 +0200 +Subject: i2c: xiic: Switch from waitqueue to completion + +From: Marek Vasut + +[ Upstream commit fdacc3c7405d1fc33c1f2771699a4fc24551e480 ] + +There will never be threads queueing up in the xiic_xmit(), use +completion synchronization primitive to wait for the interrupt +handler thread to complete instead as it is much better fit and +there is no need to overload it for this purpose. + +Signed-off-by: Marek Vasut +Acked-by: Michal Simek +Signed-off-by: Wolfram Sang +Stable-dep-of: 1d4a1adbed25 ("i2c: xiic: Try re-initialization on bus busy timeout") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index ae9ef3f7220e6..c6447b2769f9d 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -23,7 +23,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -48,7 +48,7 @@ enum xiic_endian { + * struct xiic_i2c - Internal representation of the XIIC I2C bus + * @dev: Pointer to device structure + * @base: Memory base of the HW registers +- * @wait: Wait queue for callers ++ * @completion: Completion for callers + * @adap: Kernel adapter representation + * @tx_msg: Messages from above to be sent + * @lock: Mutual exclusion +@@ -64,7 +64,7 @@ enum xiic_endian { + struct xiic_i2c { + struct device *dev; + void __iomem *base; +- wait_queue_head_t wait; ++ struct completion completion; + struct i2c_adapter adap; + struct i2c_msg *tx_msg; + struct mutex lock; +@@ -160,6 +160,9 @@ struct xiic_i2c { + #define XIIC_PM_TIMEOUT 1000 /* ms */ + /* timeout waiting for the controller to respond */ + #define XIIC_I2C_TIMEOUT (msecs_to_jiffies(1000)) ++/* timeout waiting for the controller finish transfers */ ++#define XIIC_XFER_TIMEOUT (msecs_to_jiffies(10000)) ++ + /* + * The following constant is used for the device global interrupt enable + * register, to enable all interrupts for the device, this is the only bit +@@ -367,7 +370,7 @@ static void xiic_wakeup(struct xiic_i2c *i2c, int code) + i2c->rx_msg = NULL; + i2c->nmsgs = 0; + i2c->state = code; +- wake_up(&i2c->wait); ++ complete(&i2c->completion); + } + + static irqreturn_t xiic_process(int irq, void *dev_id) +@@ -714,6 +717,7 @@ static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num) + i2c->tx_msg = msgs; + i2c->rx_msg = NULL; + i2c->nmsgs = num; ++ init_completion(&i2c->completion); + + ret = xiic_reinit(i2c); + if (!ret) +@@ -740,23 +744,23 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + err = xiic_start_xfer(i2c, msgs, num); + if (err < 0) { + dev_err(adap->dev.parent, "Error xiic_start_xfer\n"); +- goto out; ++ return err; + } + +- if (wait_event_timeout(i2c->wait, (i2c->state == STATE_ERROR) || +- (i2c->state == STATE_DONE), HZ)) { +- mutex_lock(&i2c->lock); +- err = (i2c->state == STATE_DONE) ? num : -EIO; +- goto out; +- } else { +- mutex_lock(&i2c->lock); ++ err = wait_for_completion_timeout(&i2c->completion, XIIC_XFER_TIMEOUT); ++ mutex_lock(&i2c->lock); ++ if (err == 0) { /* Timeout */ + i2c->tx_msg = NULL; + i2c->rx_msg = NULL; + i2c->nmsgs = 0; + err = -ETIMEDOUT; +- goto out; ++ } else if (err < 0) { /* Completion error */ ++ i2c->tx_msg = NULL; ++ i2c->rx_msg = NULL; ++ i2c->nmsgs = 0; ++ } else { ++ err = (i2c->state == STATE_DONE) ? num : -EIO; + } +-out: + mutex_unlock(&i2c->lock); + pm_runtime_mark_last_busy(i2c->dev); + pm_runtime_put_autosuspend(i2c->dev); +@@ -819,7 +823,6 @@ static int xiic_i2c_probe(struct platform_device *pdev) + DRIVER_NAME " %s", pdev->name); + + mutex_init(&i2c->lock); +- init_waitqueue_head(&i2c->wait); + + i2c->clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(i2c->clk)) { +-- +2.43.0 + diff --git a/queue-5.10/i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch b/queue-5.10/i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch new file mode 100644 index 00000000000..82c739ca328 --- /dev/null +++ b/queue-5.10/i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch @@ -0,0 +1,105 @@ +From af8f8ee2d3c7ca4519ada722e52c44af8fe75d98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 22:16:53 +0200 +Subject: i2c: xiic: Try re-initialization on bus busy timeout + +From: Robert Hancock + +[ Upstream commit 1d4a1adbed2582444aaf97671858b7d12915bd05 ] + +In the event that the I2C bus was powered down when the I2C controller +driver loads, or some spurious pulses occur on the I2C bus, it's +possible that the controller detects a spurious I2C "start" condition. +In this situation it may continue to report the bus is busy indefinitely +and block the controller from working. + +The "single-master" DT flag can be specified to disable bus busy checks +entirely, but this may not be safe to use in situations where other I2C +masters may potentially exist. + +In the event that the controller reports "bus busy" for too long when +starting a transaction, we can try reinitializing the controller to see +if the busy condition clears. This allows recovering from this scenario. + +Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface") +Signed-off-by: Robert Hancock +Cc: # v2.6.34+ +Reviewed-by: Manikanta Guntupalli +Acked-by: Michal Simek +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 41 ++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 15 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 41104f9f6f0ae..9130563fbea0e 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -540,23 +540,11 @@ static int xiic_bus_busy(struct xiic_i2c *i2c) + return (sr & XIIC_SR_BUS_BUSY_MASK) ? -EBUSY : 0; + } + +-static int xiic_busy(struct xiic_i2c *i2c) ++static int xiic_wait_not_busy(struct xiic_i2c *i2c) + { + int tries = 3; + int err; + +- if (i2c->tx_msg || i2c->rx_msg) +- return -EBUSY; +- +- /* In single master mode bus can only be busy, when in use by this +- * driver. If the register indicates bus being busy for some reason we +- * should ignore it, since bus will never be released and i2c will be +- * stuck forever. +- */ +- if (i2c->singlemaster) { +- return 0; +- } +- + /* for instance if previous transfer was terminated due to TX error + * it might be that the bus is on it's way to become available + * give it at most 3 ms to wake +@@ -710,13 +698,36 @@ static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num) + + mutex_lock(&i2c->lock); + +- ret = xiic_busy(i2c); +- if (ret) { ++ if (i2c->tx_msg || i2c->rx_msg) { + dev_err(i2c->adap.dev.parent, + "cannot start a transfer while busy\n"); ++ ret = -EBUSY; + goto out; + } + ++ /* In single master mode bus can only be busy, when in use by this ++ * driver. If the register indicates bus being busy for some reason we ++ * should ignore it, since bus will never be released and i2c will be ++ * stuck forever. ++ */ ++ if (!i2c->singlemaster) { ++ ret = xiic_wait_not_busy(i2c); ++ if (ret) { ++ /* If the bus is stuck in a busy state, such as due to spurious low ++ * pulses on the bus causing a false start condition to be detected, ++ * then try to recover by re-initializing the controller and check ++ * again if the bus is still busy. ++ */ ++ dev_warn(i2c->adap.dev.parent, "I2C bus busy timeout, reinitializing\n"); ++ ret = xiic_reinit(i2c); ++ if (ret) ++ goto out; ++ ret = xiic_wait_not_busy(i2c); ++ if (ret) ++ goto out; ++ } ++ } ++ + i2c->tx_msg = msgs; + i2c->rx_msg = NULL; + i2c->nmsgs = num; +-- +2.43.0 + diff --git a/queue-5.10/i2c-xiic-xiic_xfer-fix-runtime-pm-leak-on-error-path.patch b/queue-5.10/i2c-xiic-xiic_xfer-fix-runtime-pm-leak-on-error-path.patch new file mode 100644 index 00000000000..fe08bba900b --- /dev/null +++ b/queue-5.10/i2c-xiic-xiic_xfer-fix-runtime-pm-leak-on-error-path.patch @@ -0,0 +1,51 @@ +From e5faddd17608afffe95e16d013e5f05bfd2eb96c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 19:10:22 -0700 +Subject: i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path + +From: Lars-Peter Clausen + +[ Upstream commit d663d93bb47e7ab45602b227701022d8aa16040a ] + +The xiic_xfer() function gets a runtime PM reference when the function is +entered. This reference is released when the function is exited. There is +currently one error path where the function exits directly, which leads to +a leak of the runtime PM reference. + +Make sure that this error path also releases the runtime PM reference. + +Fixes: fdacc3c7405d ("i2c: xiic: Switch from waitqueue to completion") +Signed-off-by: Lars-Peter Clausen +Reviewed-by: Michal Simek +Signed-off-by: Wolfram Sang +Stable-dep-of: 1d4a1adbed25 ("i2c: xiic: Try re-initialization on bus busy timeout") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index b91ea900aae3a..bd5fc4ace0667 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -744,7 +744,7 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + err = xiic_start_xfer(i2c, msgs, num); + if (err < 0) { + dev_err(adap->dev.parent, "Error xiic_start_xfer\n"); +- return err; ++ goto out; + } + + err = wait_for_completion_timeout(&i2c->completion, XIIC_XFER_TIMEOUT); +@@ -762,6 +762,8 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) + err = (i2c->state == STATE_DONE) ? num : -EIO; + } + mutex_unlock(&i2c->lock); ++ ++out: + pm_runtime_mark_last_busy(i2c->dev); + pm_runtime_put_autosuspend(i2c->dev); + return err; +-- +2.43.0 + diff --git a/queue-5.10/media-usbtv-remove-useless-locks-in-usbtv_video_free.patch b/queue-5.10/media-usbtv-remove-useless-locks-in-usbtv_video_free.patch new file mode 100644 index 00000000000..fa649e96ac6 --- /dev/null +++ b/queue-5.10/media-usbtv-remove-useless-locks-in-usbtv_video_free.patch @@ -0,0 +1,55 @@ +From 646a2cf4ab79b25d33dc1e7268978be429831e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Mar 2024 11:37:08 +0100 +Subject: media: usbtv: Remove useless locks in usbtv_video_free() + +From: Benjamin Gaignard + +[ Upstream commit 65e6a2773d655172143cc0b927cdc89549842895 ] + +Remove locks calls in usbtv_video_free() because +are useless and may led to a deadlock as reported here: +https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000 +Also remove usbtv_stop() call since it will be called when +unregistering the device. + +Before 'c838530d230b' this issue would only be noticed if you +disconnect while streaming and now it is noticeable even when +disconnecting while not streaming. + +Fixes: c838530d230b ("media: media videobuf2: Be more flexible on the number of queue stored buffers") +Fixes: f3d27f34fdd7 ("[media] usbtv: Add driver for Fushicai USBTV007 video frame grabber") + +Signed-off-by: Benjamin Gaignard +Reviewed-by: Tomasz Figa +Tested-by: Hans Verkuil +Signed-off-by: Hans Verkuil +[hverkuil: fix minor spelling mistake in log message] +Signed-off-by: Sasha Levin +--- + drivers/media/usb/usbtv/usbtv-video.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/media/usb/usbtv/usbtv-video.c b/drivers/media/usb/usbtv/usbtv-video.c +index 3b4a2e7692309..f2aaec0f77c8d 100644 +--- a/drivers/media/usb/usbtv/usbtv-video.c ++++ b/drivers/media/usb/usbtv/usbtv-video.c +@@ -959,15 +959,8 @@ int usbtv_video_init(struct usbtv *usbtv) + + void usbtv_video_free(struct usbtv *usbtv) + { +- mutex_lock(&usbtv->vb2q_lock); +- mutex_lock(&usbtv->v4l2_lock); +- +- usbtv_stop(usbtv); + vb2_video_unregister_device(&usbtv->vdev); + v4l2_device_disconnect(&usbtv->v4l2_dev); + +- mutex_unlock(&usbtv->v4l2_lock); +- mutex_unlock(&usbtv->vb2q_lock); +- + v4l2_device_put(&usbtv->v4l2_dev); + } +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 0b09eef0137..449229885a0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -292,3 +292,16 @@ net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch +i2c-xiic-fix-broken-locking-on-tx_msg.patch +i2c-xiic-switch-from-waitqueue-to-completion.patch +i2c-xiic-fix-rx-irq-busy-check.patch +i2c-xiic-xiic_xfer-fix-runtime-pm-leak-on-error-path.patch +i2c-xiic-improve-error-message-when-transfer-fails-t.patch +i2c-xiic-try-re-initialization-on-bus-busy-timeout.patch +media-usbtv-remove-useless-locks-in-usbtv_video_free.patch +bluetooth-l2cap-fix-not-validating-setsockopt-user-i.patch +alsa-mixer_oss-remove-some-incorrect-kfree_const-usa.patch +alsa-hda-realtek-fix-the-push-button-function-for-th.patch +alsa-hda-generic-unconditionally-prefer-preferred_da.patch +alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch +f2fs-require-fmode_write-for-atomic-write-ioctls.patch