From 2bf32fe35e4fef06f070296b260c1f4873c32c33 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 20 Oct 2023 20:04:18 +0200 Subject: [PATCH] 6.1-stable patches added patches: alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch qed-fix-ll2-rx-buffer-allocation.patch --- ...altek-add-quirk-for-asus-rog-gu603zv.patch | 35 +++++ ...ixed-asus-platform-headset-mic-issue.patch | 76 ++++++++++ ...ble-mute-led-on-hp-laptop-15s-fq5xxx.patch | 31 ++++ ...d938x-drop-bogus-bind-error-handling.patch | 36 +++++ ...8x-fix-resource-leaks-on-bind-errors.patch | 133 ++++++++++++++++++ ...s-wcd938x-fix-unbind-tear-down-order.patch | 37 +++++ ...runtime-pm-imbalance-on-probe-errors.patch | 56 ++++++++ ...-fix-use-after-free-on-driver-unbind.patch | 49 +++++++ ...tt-fault-when-out-of-fence-registers.patch | 52 +++++++ ...ctly-free-sg_table-in-gem-prime-vmap.patch | 67 +++++++++ ...ble-uaf-in-queue-intialization-setup.patch | 61 ++++++++ .../qed-fix-ll2-rx-buffer-allocation.patch | 66 +++++++++ queue-6.1/series | 12 ++ 13 files changed, 711 insertions(+) create mode 100644 queue-6.1/alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch create mode 100644 queue-6.1/alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch create mode 100644 queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch create mode 100644 queue-6.1/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch create mode 100644 queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch create mode 100644 queue-6.1/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch create mode 100644 queue-6.1/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch create mode 100644 queue-6.1/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch create mode 100644 queue-6.1/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch create mode 100644 queue-6.1/drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch create mode 100644 queue-6.1/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch create mode 100644 queue-6.1/qed-fix-ll2-rx-buffer-allocation.patch diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch new file mode 100644 index 00000000000..332a0a075fc --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch @@ -0,0 +1,35 @@ +From 5dedc9f53eef7ec07b23686381100d03fb259f50 Mon Sep 17 00:00:00 2001 +From: Artem Borisov +Date: Sat, 14 Oct 2023 10:50:42 +0300 +Subject: ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV + +From: Artem Borisov + +commit 5dedc9f53eef7ec07b23686381100d03fb259f50 upstream. + +Enables the SPI-connected Cirrus amp and the required pins +for headset mic detection. + +As of BIOS version 313 it is still necessary to modify the +ACPI table to add the related _DSD properties: + https://gist.github.com/Flex1911/1bce378645fc95a5743671bd5deabfc8 + +Signed-off-by: Artem Borisov +Cc: +Link: https://lore.kernel.org/r/20231014075044.17474-1-dedsa2002@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9717,6 +9717,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK), ++ SND_PCI_QUIRK(0x1043, 0x1663, "ASUS GU603ZV", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1683, "ASUS UM3402YAR", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x16b2, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), diff --git a/queue-6.1/alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch b/queue-6.1/alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch new file mode 100644 index 00000000000..044f2cc30fe --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch @@ -0,0 +1,76 @@ +From c8c0a03ec1be6b3f3ec1ce91685351235212db19 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Tue, 17 Oct 2023 15:30:24 +0800 +Subject: ALSA: hda/realtek - Fixed ASUS platform headset Mic issue + +From: Kailang Yang + +commit c8c0a03ec1be6b3f3ec1ce91685351235212db19 upstream. + +ASUS platform Headset Mic was disable by default. +Assigned verb table for Mic pin will enable it. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/1155d914c20c40569f56d36c79254879@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7006,6 +7006,24 @@ static void alc287_fixup_bind_dacs(struc + 0x0); /* Make sure 0x14 was disable */ + } + } ++/* Fix none verb table of Headset Mic pin */ ++static void alc_fixup_headset_mic(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ static const struct hda_pintbl pincfgs[] = { ++ { 0x19, 0x03a1103c }, ++ { } ++ }; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_apply_pincfgs(codec, pincfgs); ++ alc_update_coef_idx(codec, 0x45, 0xf<<12 | 1<<10, 5<<12); ++ spec->parse_flags |= HDA_PINCFG_HEADSET_MIC; ++ break; ++ } ++} + + + enum { +@@ -7270,6 +7288,7 @@ enum { + ALC245_FIXUP_HP_X360_MUTE_LEDS, + ALC287_FIXUP_THINKPAD_I2S_SPK, + ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD, ++ ALC2XX_FIXUP_HEADSET_MIC, + }; + + /* A special fixup for Lenovo C940 and Yoga Duet 7; +@@ -9359,6 +9378,10 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI, + }, ++ [ALC2XX_FIXUP_HEADSET_MIC] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_headset_mic, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -10633,6 +10656,8 @@ static const struct snd_hda_pin_quirk al + SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, + {0x19, 0x40000000}, + {0x1a, 0x40000000}), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC2XX_FIXUP_HEADSET_MIC, ++ {0x19, 0x40000000}), + {} + }; + diff --git a/queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch b/queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch new file mode 100644 index 00000000000..2bb4b245497 --- /dev/null +++ b/queue-6.1/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch @@ -0,0 +1,31 @@ +From 56e85993896b914032d11e32ecbf8415e7b2f621 Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 17 Oct 2023 00:13:28 +0200 +Subject: ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx + +From: Luka Guzenko + +commit 56e85993896b914032d11e32ecbf8415e7b2f621 upstream. + +This HP Laptop uses ALC236 codec with COEF 0x07 controlling the +mute LED. Enable existing quirk for this device. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20231016221328.1521674-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9649,6 +9649,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x89c6, "Zbook Fury 17 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x89ca, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x89d3, "HP EliteBook 645 G9 (MB 89D2)", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8a25, "HP Victus 16-d1xxx (MB 8A25)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8a78, "HP Dev One", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x103c, 0x8aa0, "HP ProBook 440 G9 (MB 8A9E)", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.1/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch b/queue-6.1/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch new file mode 100644 index 00000000000..8eb6bd6d246 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch @@ -0,0 +1,36 @@ +From bfbc79de60c53e5fed505390440b87ef59ee268c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:52 +0200 +Subject: ASoC: codecs: wcd938x: drop bogus bind error handling + +From: Johan Hovold + +commit bfbc79de60c53e5fed505390440b87ef59ee268c upstream. + +Drop the bogus error handling for a soundwire device backcast during +bind() that cannot fail. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-2-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3454,10 +3454,6 @@ static int wcd938x_bind(struct device *d + wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev); + wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x; + wcd938x->tx_sdw_dev = dev_to_sdw_dev(wcd938x->txdev); +- if (!wcd938x->tx_sdw_dev) { +- dev_err(dev, "could not get txslave with matching of dev\n"); +- return -EINVAL; +- } + + /* As TX is main CSR reg interface, which should not be suspended first. + * expicilty add the dependency link */ diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch b/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch new file mode 100644 index 00000000000..1d2dab9f7e4 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch @@ -0,0 +1,133 @@ +From da29b94ed3547cee9d510d02eca4009f2de476cf Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:54 +0200 +Subject: ASoC: codecs: wcd938x: fix resource leaks on bind errors + +From: Johan Hovold + +commit da29b94ed3547cee9d510d02eca4009f2de476cf upstream. + +Add the missing code to release resources on bind errors, including the +references taken by wcd938x_sdw_device_get() which also need to be +dropped on unbind(). + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-4-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 44 ++++++++++++++++++++++++++++++++++---------- + 1 file changed, 34 insertions(+), 10 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3441,7 +3441,8 @@ static int wcd938x_bind(struct device *d + wcd938x->rxdev = wcd938x_sdw_device_get(wcd938x->rxnode); + if (!wcd938x->rxdev) { + dev_err(dev, "could not find slave with matching of node\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_unbind; + } + wcd938x->sdw_priv[AIF1_PB] = dev_get_drvdata(wcd938x->rxdev); + wcd938x->sdw_priv[AIF1_PB]->wcd938x = wcd938x; +@@ -3449,7 +3450,8 @@ static int wcd938x_bind(struct device *d + wcd938x->txdev = wcd938x_sdw_device_get(wcd938x->txnode); + if (!wcd938x->txdev) { + dev_err(dev, "could not find txslave with matching of node\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put_rxdev; + } + wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev); + wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x; +@@ -3460,31 +3462,35 @@ static int wcd938x_bind(struct device *d + if (!device_link_add(wcd938x->rxdev, wcd938x->txdev, DL_FLAG_STATELESS | + DL_FLAG_PM_RUNTIME)) { + dev_err(dev, "could not devlink tx and rx\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put_txdev; + } + + if (!device_link_add(dev, wcd938x->txdev, DL_FLAG_STATELESS | + DL_FLAG_PM_RUNTIME)) { + dev_err(dev, "could not devlink wcd and tx\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_remove_rxtx_link; + } + + if (!device_link_add(dev, wcd938x->rxdev, DL_FLAG_STATELESS | + DL_FLAG_PM_RUNTIME)) { + dev_err(dev, "could not devlink wcd and rx\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_remove_tx_link; + } + + wcd938x->regmap = dev_get_regmap(&wcd938x->tx_sdw_dev->dev, NULL); + if (!wcd938x->regmap) { + dev_err(dev, "could not get TX device regmap\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_remove_rx_link; + } + + ret = wcd938x_irq_init(wcd938x, dev); + if (ret) { + dev_err(dev, "%s: IRQ init failed: %d\n", __func__, ret); +- return ret; ++ goto err_remove_rx_link; + } + + wcd938x->sdw_priv[AIF1_PB]->slave_irq = wcd938x->virq; +@@ -3493,17 +3499,33 @@ static int wcd938x_bind(struct device *d + ret = wcd938x_set_micbias_data(wcd938x); + if (ret < 0) { + dev_err(dev, "%s: bad micbias pdata\n", __func__); +- return ret; ++ goto err_remove_rx_link; + } + + ret = snd_soc_register_component(dev, &soc_codec_dev_wcd938x, + wcd938x_dais, ARRAY_SIZE(wcd938x_dais)); +- if (ret) ++ if (ret) { + dev_err(dev, "%s: Codec registration failed\n", + __func__); ++ goto err_remove_rx_link; ++ } + +- return ret; ++ return 0; + ++err_remove_rx_link: ++ device_link_remove(dev, wcd938x->rxdev); ++err_remove_tx_link: ++ device_link_remove(dev, wcd938x->txdev); ++err_remove_rxtx_link: ++ device_link_remove(wcd938x->rxdev, wcd938x->txdev); ++err_put_txdev: ++ put_device(wcd938x->txdev); ++err_put_rxdev: ++ put_device(wcd938x->rxdev); ++err_unbind: ++ component_unbind_all(dev, wcd938x); ++ ++ return ret; + } + + static void wcd938x_unbind(struct device *dev) +@@ -3514,6 +3536,8 @@ static void wcd938x_unbind(struct device + device_link_remove(dev, wcd938x->txdev); + device_link_remove(dev, wcd938x->rxdev); + device_link_remove(wcd938x->rxdev, wcd938x->txdev); ++ put_device(wcd938x->txdev); ++ put_device(wcd938x->rxdev); + component_unbind_all(dev, wcd938x); + } + diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch b/queue-6.1/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch new file mode 100644 index 00000000000..70327bef820 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch @@ -0,0 +1,37 @@ +From fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:53 +0200 +Subject: ASoC: codecs: wcd938x: fix unbind tear down order + +From: Johan Hovold + +commit fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c upstream. + +Make sure to deregister the component before tearing down the resources +it depends on during unbind(). + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-3-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3510,10 +3510,10 @@ static void wcd938x_unbind(struct device + { + struct wcd938x_priv *wcd938x = dev_get_drvdata(dev); + ++ snd_soc_unregister_component(dev); + device_link_remove(dev, wcd938x->txdev); + device_link_remove(dev, wcd938x->rxdev); + device_link_remove(wcd938x->rxdev, wcd938x->txdev); +- snd_soc_unregister_component(dev); + component_unbind_all(dev, wcd938x); + } + diff --git a/queue-6.1/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-6.1/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch new file mode 100644 index 00000000000..ff7b292f2ca --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch @@ -0,0 +1,56 @@ +From c5c0383082eace13da2ffceeea154db2780165e7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:58 +0200 +Subject: ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors + +From: Johan Hovold + +commit c5c0383082eace13da2ffceeea154db2780165e7 upstream. + +Make sure to balance the runtime PM operations, including the disable +count, on probe errors and on driver unbind. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-8-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x-sdw.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd938x-sdw.c ++++ b/sound/soc/codecs/wcd938x-sdw.c +@@ -1278,7 +1278,18 @@ static int wcd9380_probe(struct sdw_slav + pm_runtime_set_active(dev); + pm_runtime_enable(dev); + +- return component_add(dev, &wcd938x_sdw_component_ops); ++ ret = component_add(dev, &wcd938x_sdw_component_ops); ++ if (ret) ++ goto err_disable_rpm; ++ ++ return 0; ++ ++err_disable_rpm: ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_dont_use_autosuspend(dev); ++ ++ return ret; + } + + static int wcd9380_remove(struct sdw_slave *pdev) +@@ -1287,6 +1298,10 @@ static int wcd9380_remove(struct sdw_sla + + component_del(dev, &wcd938x_sdw_component_ops); + ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_dont_use_autosuspend(dev); ++ + return 0; + } + diff --git a/queue-6.1/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch b/queue-6.1/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch new file mode 100644 index 00000000000..e62d0255f84 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch @@ -0,0 +1,49 @@ +From f0dfdcbe706462495d47982eecd13a61aabd644d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:57 +0200 +Subject: ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind + +From: Johan Hovold + +commit f0dfdcbe706462495d47982eecd13a61aabd644d upstream. + +Make sure to deregister the component when the driver is being unbound +and before the underlying device-managed resources are freed. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-7-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x-sdw.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/sound/soc/codecs/wcd938x-sdw.c ++++ b/sound/soc/codecs/wcd938x-sdw.c +@@ -1281,6 +1281,15 @@ static int wcd9380_probe(struct sdw_slav + return component_add(dev, &wcd938x_sdw_component_ops); + } + ++static int wcd9380_remove(struct sdw_slave *pdev) ++{ ++ struct device *dev = &pdev->dev; ++ ++ component_del(dev, &wcd938x_sdw_component_ops); ++ ++ return 0; ++} ++ + static const struct sdw_device_id wcd9380_slave_id[] = { + SDW_SLAVE_ENTRY(0x0217, 0x10d, 0), + {}, +@@ -1320,6 +1329,7 @@ static const struct dev_pm_ops wcd938x_s + + static struct sdw_driver wcd9380_codec_driver = { + .probe = wcd9380_probe, ++ .remove = wcd9380_remove, + .ops = &wcd9380_slave_ops, + .id_table = wcd9380_slave_id, + .driver = { diff --git a/queue-6.1/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch b/queue-6.1/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch new file mode 100644 index 00000000000..be71f532ee6 --- /dev/null +++ b/queue-6.1/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch @@ -0,0 +1,52 @@ +From e339c6d628fe66c9b64bf31040a55770952aec57 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 12 Oct 2023 16:28:01 +0300 +Subject: drm/i915: Retry gtt fault when out of fence registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit e339c6d628fe66c9b64bf31040a55770952aec57 upstream. + +If we can't find a free fence register to handle a fault in the GMADR +range just return VM_FAULT_NOPAGE without populating the PTE so that +userspace will retry the access and trigger another fault. Eventually +we should find a free fence and the fault will get properly handled. + +A further improvement idea might be to reserve a fence (or one per CPU?) +for the express purpose of handling faults without having to retry. But +that would require some additional work. + +Looks like this may have gotten broken originally by +commit 39965b376601 ("drm/i915: don't trash the gtt when running out of fences") +as that changed the errno to -EDEADLK which wasn't handle by the gtt +fault code either. But later in commit 2feeb52859fc ("drm/i915/gt: Fix +-EDEADLK handling regression") I changed it again to -ENOBUFS as -EDEADLK +was now getting used for the ww mutex dance. So this fix only makes +sense after that last commit. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9479 +Fixes: 2feeb52859fc ("drm/i915/gt: Fix -EDEADLK handling regression") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20231012132801.16292-1-ville.syrjala@linux.intel.com +Reviewed-by: Andi Shyti +(cherry picked from commit 7f403caabe811b88ab0de3811ff3f4782c415761) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_mman.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c +@@ -235,6 +235,7 @@ static vm_fault_t i915_error_to_vmf_faul + case 0: + case -EAGAIN: + case -ENOSPC: /* transient failure to evict? */ ++ case -ENOBUFS: /* temporarily out of fences? */ + case -ERESTARTSYS: + case -EINTR: + case -EBUSY: diff --git a/queue-6.1/drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch b/queue-6.1/drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch new file mode 100644 index 00000000000..1bd1d87b269 --- /dev/null +++ b/queue-6.1/drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch @@ -0,0 +1,67 @@ +From dcc583c225e659d5da34b4ad83914fd6b51e3dbf Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 4 Oct 2023 16:32:24 +0800 +Subject: drm/mediatek: Correctly free sg_table in gem prime vmap + +From: Chen-Yu Tsai + +commit dcc583c225e659d5da34b4ad83914fd6b51e3dbf upstream. + +The MediaTek DRM driver implements GEM PRIME vmap by fetching the +sg_table for the object, iterating through the pages, and then +vmapping them. In essence, unlike the GEM DMA helpers which vmap +when the object is first created or imported, the MediaTek version +does it on request. + +Unfortunately, the code never correctly frees the sg_table contents. +This results in a kernel memory leak. On a Hayato device with a text +console on the internal display, this results in the system running +out of memory in a few days from all the console screen cursor updates. + +Add sg_free_table() to correctly free the contents of the sg_table. This +was missing despite explicitly required by mtk_gem_prime_get_sg_table(). + +Also move the "out" shortcut label to after the kfree() call for the +sg_table. Having sg_free_table() together with kfree() makes more sense. +The shortcut is only used when the object already has a kernel address, +in which case the pointer is NULL and kfree() does nothing. Hence this +change causes no functional change. + +Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function") +Cc: +Signed-off-by: Chen-Yu Tsai +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20231004083226.1940055-1-wenst@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -234,6 +234,7 @@ int mtk_drm_gem_prime_vmap(struct drm_ge + npages = obj->size >> PAGE_SHIFT; + mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL); + if (!mtk_gem->pages) { ++ sg_free_table(sgt); + kfree(sgt); + return -ENOMEM; + } +@@ -243,12 +244,15 @@ int mtk_drm_gem_prime_vmap(struct drm_ge + mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, + pgprot_writecombine(PAGE_KERNEL)); + if (!mtk_gem->kvaddr) { ++ sg_free_table(sgt); + kfree(sgt); + kfree(mtk_gem->pages); + return -ENOMEM; + } +-out: ++ sg_free_table(sgt); + kfree(sgt); ++ ++out: + iosys_map_set_vaddr(map, mtk_gem->kvaddr); + + return 0; diff --git a/queue-6.1/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch b/queue-6.1/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch new file mode 100644 index 00000000000..3aee66703a3 --- /dev/null +++ b/queue-6.1/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch @@ -0,0 +1,61 @@ +From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 2 Oct 2023 13:54:28 +0300 +Subject: nvmet-tcp: Fix a possible UAF in queue intialization setup + +From: Sagi Grimberg + +commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream. + +From Alon: +"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel, +a malicious user can cause a UAF and a double free, which may lead to +RCE (may also lead to an LPE in case the attacker already has local +privileges)." + +Hence, when a queue initialization fails after the ahash requests are +allocated, it is guaranteed that the queue removal async work will be +called, hence leave the deallocation to the queue removal. + +Also, be extra careful not to continue processing the socket, so set +queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error. + +Cc: stable@vger.kernel.org +Reported-by: Alon Zahavi +Tested-by: Alon Zahavi +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/tcp.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -345,6 +345,7 @@ static void nvmet_tcp_fatal_error(struct + + static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status) + { ++ queue->rcv_state = NVMET_TCP_RECV_ERR; + if (status == -EPIPE || status == -ECONNRESET) + kernel_sock_shutdown(queue->sock, SHUT_RDWR); + else +@@ -871,15 +872,11 @@ static int nvmet_tcp_handle_icreq(struct + iov.iov_len = sizeof(*icresp); + ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len); + if (ret < 0) +- goto free_crypto; ++ return ret; /* queue removal will cleanup */ + + queue->state = NVMET_TCP_Q_LIVE; + nvmet_prepare_receive_pdu(queue); + return 0; +-free_crypto: +- if (queue->hdr_digest || queue->data_digest) +- nvmet_tcp_free_crypto(queue); +- return ret; + } + + static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue, diff --git a/queue-6.1/qed-fix-ll2-rx-buffer-allocation.patch b/queue-6.1/qed-fix-ll2-rx-buffer-allocation.patch new file mode 100644 index 00000000000..c996973febf --- /dev/null +++ b/queue-6.1/qed-fix-ll2-rx-buffer-allocation.patch @@ -0,0 +1,66 @@ +From 2f3389c73832ad90b63208c0fc281ad080114c7a Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Fri, 13 Oct 2023 18:48:12 +0530 +Subject: qed: fix LL2 RX buffer allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Manish Chopra + +commit 2f3389c73832ad90b63208c0fc281ad080114c7a upstream. + +Driver allocates the LL2 rx buffers from kmalloc() +area to construct the skb using slab_build_skb() + +The required size allocation seems to have overlooked +for accounting both skb_shared_info size and device +placement padding bytes which results into the below +panic when doing skb_put() for a standard MTU sized frame. + +skbuff: skb_over_panic: text:ffffffffc0b0225f len:1514 put:1514 +head:ff3dabceaf39c000 data:ff3dabceaf39c042 tail:0x62c end:0x566 +dev: +… +skb_panic+0x48/0x4a +skb_put.cold+0x10/0x10 +qed_ll2b_complete_rx_packet+0x14f/0x260 [qed] +qed_ll2_rxq_handle_completion.constprop.0+0x169/0x200 [qed] +qed_ll2_rxq_completion+0xba/0x320 [qed] +qed_int_sp_dpc+0x1a7/0x1e0 [qed] + +This patch fixes this by accouting skb_shared_info and device +placement padding size bytes when allocating the buffers. + +Cc: David S. Miller +Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support") +Signed-off-by: Manish Chopra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_ll2.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c +@@ -113,7 +113,10 @@ static void qed_ll2b_complete_tx_packet( + static int qed_ll2_alloc_buffer(struct qed_dev *cdev, + u8 **data, dma_addr_t *phys_addr) + { +- *data = kmalloc(cdev->ll2->rx_size, GFP_ATOMIC); ++ size_t size = cdev->ll2->rx_size + NET_SKB_PAD + ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); ++ ++ *data = kmalloc(size, GFP_ATOMIC); + if (!(*data)) { + DP_INFO(cdev, "Failed to allocate LL2 buffer data\n"); + return -ENOMEM; +@@ -2590,7 +2593,7 @@ static int qed_ll2_start(struct qed_dev + INIT_LIST_HEAD(&cdev->ll2->list); + spin_lock_init(&cdev->ll2->lock); + +- cdev->ll2->rx_size = NET_SKB_PAD + ETH_HLEN + ++ cdev->ll2->rx_size = PRM_DMA_PAD_BYTES_NUM + ETH_HLEN + + L1_CACHE_BYTES + params->mtu; + + /* Allocate memory for LL2. diff --git a/queue-6.1/series b/queue-6.1/series index 92f069b549e..d768f4c7c6c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -32,3 +32,15 @@ fs-ntfs3-fix-possible-null-pointer-dereference-in-hdr_find_e.patch fs-ntfs3-fix-panic-about-slab-out-of-bounds-caused-by-ntfs_list_ea.patch fs-ntfs3-fix-deadlock-in-mark_as_free_ex.patch netfilter-nft_payload-fix-wrong-mac-header-matching.patch +nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch +drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch +drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch +alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch +alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch +alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch +asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch +asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch +asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch +asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch +asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch +qed-fix-ll2-rx-buffer-allocation.patch -- 2.47.3