From 5a3fbf167b2523db4311230c0fc85df7b4a2286f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 7 Aug 2024 16:35:30 +0200 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch hid-wacom-modify-pen-ids.patch mptcp-fix-duplicate-data-handling.patch net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch --- ...ek-add-quirk-for-acer-aspire-e5-574g.patch | 31 +++++ ...urround-channels-in-uac1-channel-map.patch | 41 ++++++ ...-a-deadlock-in-dma-buf-fence-polling.patch | 104 +++++++++++++++ queue-5.15/hid-wacom-modify-pen-ids.patch | 43 +++++++ .../mptcp-fix-duplicate-data-handling.patch | 62 +++++++++ ...ialized-variable-use-in-sr_mdio_read.patch | 60 +++++++++ ...ck-device-when-updating-mkbp-version.patch | 42 +++++++ ...of-fd-in-do_dup2-from-mispredictions.patch | 34 +++++ ...tx_dropped-in-case-of-netdev_tx_busy.patch | 48 +++++++ ...obsolete-workqueue-for-period-update.patch | 89 +++++++++++++ ...riod-elapse-event-in-process-context.patch | 118 ++++++++++++++++++ queue-5.15/series | 11 ++ 12 files changed, 683 insertions(+) create mode 100644 queue-5.15/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch create mode 100644 queue-5.15/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch create mode 100644 queue-5.15/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch create mode 100644 queue-5.15/hid-wacom-modify-pen-ids.patch create mode 100644 queue-5.15/mptcp-fix-duplicate-data-handling.patch create mode 100644 queue-5.15/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch create mode 100644 queue-5.15/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch create mode 100644 queue-5.15/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch create mode 100644 queue-5.15/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch create mode 100644 queue-5.15/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch create mode 100644 queue-5.15/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch new file mode 100644 index 00000000000..8048e6d8c9c --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch @@ -0,0 +1,31 @@ +From 3c0b6f924e1259ade38587ea719b693f6f6f2f3e Mon Sep 17 00:00:00 2001 +From: Mavroudis Chatzilazaridis +Date: Sun, 28 Jul 2024 12:36:04 +0000 +Subject: ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G + +From: Mavroudis Chatzilazaridis + +commit 3c0b6f924e1259ade38587ea719b693f6f6f2f3e upstream. + +ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST fixes combo jack detection and +limits the internal microphone boost that causes clipping on this model. + +Signed-off-by: Mavroudis Chatzilazaridis +Cc: +Link: https://patch.msgid.link/20240728123601.144017-1-mavchatz@protonmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8958,6 +8958,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS), + SND_PCI_QUIRK(0x1025, 0x080d, "Acer Aspire V5-122P", ALC269_FIXUP_ASPIRE_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x0840, "Acer Aspire E1", ALC269VB_FIXUP_ASPIRE_E1_COEF), ++ SND_PCI_QUIRK(0x1025, 0x100c, "Acer Aspire E5-574G", ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1025, 0x101c, "Acer Veriton N2510G", ALC269_FIXUP_LIFEBOOK), + SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x1065, "Acer Aspire C20-820", ALC269VC_FIXUP_ACER_HEADSET_MIC), diff --git a/queue-5.15/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch b/queue-5.15/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch new file mode 100644 index 00000000000..050df035ae5 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch @@ -0,0 +1,41 @@ +From b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 31 Jul 2024 16:19:41 +0200 +Subject: ALSA: usb-audio: Correct surround channels in UAC1 channel map + +From: Takashi Iwai + +commit b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d upstream. + +USB-audio driver puts SNDRV_CHMAP_SL and _SR as left and right +surround channels for UAC1 channel map, respectively. But they should +have been SNDRV_CHMAP_RL and _RR; the current value *_SL and _SR are +rather "side" channels, not "surround". I guess I took those +mistakenly when I read the spec mentioning "surround left". + +This patch corrects those entries to be the right channels. + +Suggested-by: Sylvain BERTRAND +Closes: https://lore.kernel.orgZ/qIyJD8lhd8hFhlC@freedom +Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") +Cc: +Link: https://patch.msgid.link/20240731142018.24750-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -244,8 +244,8 @@ static struct snd_pcm_chmap_elem *conver + SNDRV_CHMAP_FR, /* right front */ + SNDRV_CHMAP_FC, /* center front */ + SNDRV_CHMAP_LFE, /* LFE */ +- SNDRV_CHMAP_SL, /* left surround */ +- SNDRV_CHMAP_SR, /* right surround */ ++ SNDRV_CHMAP_RL, /* left surround */ ++ SNDRV_CHMAP_RR, /* right surround */ + SNDRV_CHMAP_FLC, /* left of center */ + SNDRV_CHMAP_FRC, /* right of center */ + SNDRV_CHMAP_RC, /* surround */ diff --git a/queue-5.15/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch b/queue-5.15/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch new file mode 100644 index 00000000000..2048f432997 --- /dev/null +++ b/queue-5.15/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch @@ -0,0 +1,104 @@ +From e58337100721f3cc0c7424a18730e4f39844934f Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Mon, 22 Jul 2024 14:41:13 -0400 +Subject: drm/vmwgfx: Fix a deadlock in dma buf fence polling + +From: Zack Rusin + +commit e58337100721f3cc0c7424a18730e4f39844934f upstream. + +Introduce a version of the fence ops that on release doesn't remove +the fence from the pending list, and thus doesn't require a lock to +fix poll->fence wait->fence unref deadlocks. + +vmwgfx overwrites the wait callback to iterate over the list of all +fences and update their status, to do that it holds a lock to prevent +the list modifcations from other threads. The fence destroy callback +both deletes the fence and removes it from the list of pending +fences, for which it holds a lock. + +dma buf polling cb unrefs a fence after it's been signaled: so the poll +calls the wait, which signals the fences, which are being destroyed. +The destruction tries to acquire the lock on the pending fences list +which it can never get because it's held by the wait from which it +was called. + +Old bug, but not a lot of userspace apps were using dma-buf polling +interfaces. Fix those, in particular this fixes KDE stalls/deadlock. + +Signed-off-by: Zack Rusin +Fixes: 2298e804e96e ("drm/vmwgfx: rework to new fence interface, v2") +Cc: Broadcom internal kernel review list +Cc: dri-devel@lists.freedesktop.org +Cc: # v6.2+ +Reviewed-by: Maaz Mombasawala +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20240722184313.181318-2-zack.rusin@broadcom.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +@@ -32,7 +32,6 @@ + #define VMW_FENCE_WRAP (1 << 31) + + struct vmw_fence_manager { +- int num_fence_objects; + struct vmw_private *dev_priv; + spinlock_t lock; + struct list_head fence_list; +@@ -127,13 +126,13 @@ static void vmw_fence_obj_destroy(struct + { + struct vmw_fence_obj *fence = + container_of(f, struct vmw_fence_obj, base); +- + struct vmw_fence_manager *fman = fman_from_fence(fence); + +- spin_lock(&fman->lock); +- list_del_init(&fence->head); +- --fman->num_fence_objects; +- spin_unlock(&fman->lock); ++ if (!list_empty(&fence->head)) { ++ spin_lock(&fman->lock); ++ list_del_init(&fence->head); ++ spin_unlock(&fman->lock); ++ } + fence->destroy(fence); + } + +@@ -260,7 +259,6 @@ static const struct dma_fence_ops vmw_fe + .release = vmw_fence_obj_destroy, + }; + +- + /* + * Execute signal actions on fences recently signaled. + * This is done from a workqueue so we don't have to execute +@@ -363,7 +361,6 @@ static int vmw_fence_obj_init(struct vmw + goto out_unlock; + } + list_add_tail(&fence->head, &fman->fence_list); +- ++fman->num_fence_objects; + + out_unlock: + spin_unlock(&fman->lock); +@@ -411,7 +408,7 @@ static bool vmw_fence_goal_new_locked(st + u32 passed_seqno) + { + u32 goal_seqno; +- struct vmw_fence_obj *fence; ++ struct vmw_fence_obj *fence, *next_fence; + + if (likely(!fman->seqno_valid)) + return false; +@@ -421,7 +418,7 @@ static bool vmw_fence_goal_new_locked(st + return false; + + fman->seqno_valid = false; +- list_for_each_entry(fence, &fman->fence_list, head) { ++ list_for_each_entry_safe(fence, next_fence, &fman->fence_list, head) { + if (!list_empty(&fence->seq_passed_actions)) { + fman->seqno_valid = true; + vmw_fence_goal_write(fman->dev_priv, diff --git a/queue-5.15/hid-wacom-modify-pen-ids.patch b/queue-5.15/hid-wacom-modify-pen-ids.patch new file mode 100644 index 00000000000..500fc69fc91 --- /dev/null +++ b/queue-5.15/hid-wacom-modify-pen-ids.patch @@ -0,0 +1,43 @@ +From f0d17d696dfce77c9abc830e4ac2d677890a2dad Mon Sep 17 00:00:00 2001 +From: Tatsunosuke Tobita +Date: Tue, 9 Jul 2024 14:57:28 +0900 +Subject: HID: wacom: Modify pen IDs + +From: Tatsunosuke Tobita + +commit f0d17d696dfce77c9abc830e4ac2d677890a2dad upstream. + +The pen ID, 0x80842, was not the correct ID for wacom driver to +treat. The ID was corrected to 0x8842. +Also, 0x4200 was not the expected ID used on any Wacom device. +Therefore, 0x4200 was removed. + +Signed-off-by: Tatsunosuke Tobita +Signed-off-by: Tatsunosuke Tobita +Fixes: bfdc750c4cb2 ("HID: wacom: add three styli to wacom_intuos_get_tool_type") +Cc: stable@kernel.org #6.2 +Reviewed-by: Ping Cheng +Link: https://patch.msgid.link/20240709055729.17158-1-tatsunosuke.wacom@gmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -714,13 +714,12 @@ static int wacom_intuos_get_tool_type(in + case 0x8e2: /* IntuosHT2 pen */ + case 0x022: + case 0x200: /* Pro Pen 3 */ +- case 0x04200: /* Pro Pen 3 */ + case 0x10842: /* MobileStudio Pro Pro Pen slim */ + case 0x14802: /* Intuos4/5 13HD/24HD Classic Pen */ + case 0x16802: /* Cintiq 13HD Pro Pen */ + case 0x18802: /* DTH2242 Pen */ + case 0x10802: /* Intuos4/5 13HD/24HD General Pen */ +- case 0x80842: /* Intuos Pro and Cintiq Pro 3D Pen */ ++ case 0x8842: /* Intuos Pro and Cintiq Pro 3D Pen */ + tool_type = BTN_TOOL_PEN; + break; + diff --git a/queue-5.15/mptcp-fix-duplicate-data-handling.patch b/queue-5.15/mptcp-fix-duplicate-data-handling.patch new file mode 100644 index 00000000000..2bf3d19eccb --- /dev/null +++ b/queue-5.15/mptcp-fix-duplicate-data-handling.patch @@ -0,0 +1,62 @@ +From 68cc924729ffcfe90d0383177192030a9aeb2ee4 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 31 Jul 2024 12:10:15 +0200 +Subject: mptcp: fix duplicate data handling + +From: Paolo Abeni + +commit 68cc924729ffcfe90d0383177192030a9aeb2ee4 upstream. + +When a subflow receives and discards duplicate data, the mptcp +stack assumes that the consumed offset inside the current skb is +zero. + +With multiple subflows receiving data simultaneously such assertion +does not held true. As a result the subflow-level copied_seq will +be incorrectly increased and later on the same subflow will observe +a bad mapping, leading to subflow reset. + +Address the issue taking into account the skb consumed offset in +mptcp_subflow_discard_data(). + +Fixes: 04e4cd4f7ca4 ("mptcp: cleanup mptcp_subflow_discard_data()") +Cc: stable@vger.kernel.org +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/501 +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1099,14 +1099,22 @@ static void mptcp_subflow_discard_data(s + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); + bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN; +- u32 incr; ++ struct tcp_sock *tp = tcp_sk(ssk); ++ u32 offset, incr, avail_len; + +- incr = limit >= skb->len ? skb->len + fin : limit; ++ offset = tp->copied_seq - TCP_SKB_CB(skb)->seq; ++ if (WARN_ON_ONCE(offset > skb->len)) ++ goto out; + +- pr_debug("discarding=%d len=%d seq=%d", incr, skb->len, +- subflow->map_subflow_seq); ++ avail_len = skb->len - offset; ++ incr = limit >= avail_len ? avail_len + fin : limit; ++ ++ pr_debug("discarding=%d len=%d offset=%d seq=%d", incr, skb->len, ++ offset, subflow->map_subflow_seq); + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DUPDATA); + tcp_sk(ssk)->copied_seq += incr; ++ ++out: + if (!before(tcp_sk(ssk)->copied_seq, TCP_SKB_CB(skb)->end_seq)) + sk_eat_skb(ssk, skb); + if (mptcp_subflow_get_map_offset(subflow) >= subflow->map_data_len) diff --git a/queue-5.15/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch b/queue-5.15/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch new file mode 100644 index 00000000000..65bb4c8ecc0 --- /dev/null +++ b/queue-5.15/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch @@ -0,0 +1,60 @@ +From 08f3a5c38087d1569e982a121aad1e6acbf145ce Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 25 Jul 2024 10:29:42 +0800 +Subject: net: usb: sr9700: fix uninitialized variable use in sr_mdio_read + +From: Ma Ke + +commit 08f3a5c38087d1569e982a121aad1e6acbf145ce upstream. + +It could lead to error happen because the variable res is not updated if +the call to sr_share_read_word returns an error. In this particular case +error code was returned and res stayed uninitialized. Same issue also +applies to sr_read_reg. + +This can be avoided by checking the return value of sr_share_read_word +and sr_read_reg, and propagating the error if the read operation failed. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ma Ke +Reviewed-by: Shigeru Yoshida +Reviewed-by: Hariprasad Kelam +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/sr9700.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -179,6 +179,7 @@ static int sr_mdio_read(struct net_devic + struct usbnet *dev = netdev_priv(netdev); + __le16 res; + int rc = 0; ++ int err; + + if (phy_id) { + netdev_dbg(netdev, "Only internal phy supported\n"); +@@ -189,11 +190,17 @@ static int sr_mdio_read(struct net_devic + if (loc == MII_BMSR) { + u8 value; + +- sr_read_reg(dev, SR_NSR, &value); ++ err = sr_read_reg(dev, SR_NSR, &value); ++ if (err < 0) ++ return err; ++ + if (value & NSR_LINKST) + rc = 1; + } +- sr_share_read_word(dev, 1, loc, &res); ++ err = sr_share_read_word(dev, 1, loc, &res); ++ if (err < 0) ++ return err; ++ + if (rc == 1) + res = le16_to_cpu(res) | BMSR_LSTATUS; + else diff --git a/queue-5.15/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch b/queue-5.15/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch new file mode 100644 index 00000000000..cb9a1338983 --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch @@ -0,0 +1,42 @@ +From df615907f1bf907260af01ccb904d0e9304b5278 Mon Sep 17 00:00:00 2001 +From: Patryk Duda +Date: Tue, 30 Jul 2024 10:44:25 +0000 +Subject: platform/chrome: cros_ec_proto: Lock device when updating MKBP version + +From: Patryk Duda + +commit df615907f1bf907260af01ccb904d0e9304b5278 upstream. + +The cros_ec_get_host_command_version_mask() function requires that the +caller must have ec_dev->lock mutex before calling it. This requirement +was not met and as a result it was possible that two commands were sent +to the device at the same time. + +The problem was observed while using UART backend which doesn't use any +additional locks, unlike SPI backend which locks the controller until +response is received. + +Fixes: f74c7557ed0d ("platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure") +Cc: stable@vger.kernel.org +Signed-off-by: Patryk Duda +Link: https://lore.kernel.org/r/20240730104425.607083-1-patrykd@google.com +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec_proto.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/platform/chrome/cros_ec_proto.c ++++ b/drivers/platform/chrome/cros_ec_proto.c +@@ -780,9 +780,11 @@ int cros_ec_get_next_event(struct cros_e + if (ret == -ENOPROTOOPT) { + dev_dbg(ec_dev->dev, + "GET_NEXT_EVENT returned invalid version error.\n"); ++ mutex_lock(&ec_dev->lock); + ret = cros_ec_get_host_command_version_mask(ec_dev, + EC_CMD_GET_NEXT_EVENT, + &ver_mask); ++ mutex_unlock(&ec_dev->lock); + if (ret < 0 || ver_mask == 0) + /* + * Do not change the MKBP supported version if we can't diff --git a/queue-5.15/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch b/queue-5.15/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch new file mode 100644 index 00000000000..19c46f081d7 --- /dev/null +++ b/queue-5.15/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch @@ -0,0 +1,34 @@ +From 8aa37bde1a7b645816cda8b80df4753ecf172bf1 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 1 Aug 2024 15:22:22 -0400 +Subject: protect the fetch of ->fd[fd] in do_dup2() from mispredictions + +From: Al Viro + +commit 8aa37bde1a7b645816cda8b80df4753ecf172bf1 upstream. + +both callers have verified that fd is not greater than ->max_fds; +however, misprediction might end up with + tofree = fdt->fd[fd]; +being speculatively executed. That's wrong for the same reasons +why it's wrong in close_fd()/file_close_fd_locked(); the same +solution applies - array_index_nospec(fd, fdt->max_fds) could differ +from fd only in case of speculative execution on mispredicted path. + +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -1148,6 +1148,7 @@ __releases(&files->file_lock) + * tables and this condition does not arise without those. + */ + fdt = files_fdtable(files); ++ fd = array_index_nospec(fd, fdt->max_fds); + tofree = fdt->fd[fd]; + if (!tofree && fd_is_open(fd, fdt)) + goto Ebusy; diff --git a/queue-5.15/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch b/queue-5.15/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch new file mode 100644 index 00000000000..80d673eb86c --- /dev/null +++ b/queue-5.15/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch @@ -0,0 +1,48 @@ +From d516b187a9cc2e842030dd005be2735db3e8f395 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Tue, 30 Jul 2024 21:51:52 +0200 +Subject: r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY + +From: Heiner Kallweit + +commit d516b187a9cc2e842030dd005be2735db3e8f395 upstream. + +The skb isn't consumed in case of NETDEV_TX_BUSY, therefore don't +increment the tx_dropped counter. + +Fixes: 188f4af04618 ("r8169: use NETDEV_TX_{BUSY/OK}") +Cc: stable@vger.kernel.org +Suggested-by: Jakub Kicinski +Signed-off-by: Heiner Kallweit +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/bbba9c48-8bac-4932-9aa1-d2ed63bc9433@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4283,7 +4283,8 @@ static netdev_tx_t rtl8169_start_xmit(st + if (unlikely(!rtl_tx_slots_avail(tp))) { + if (net_ratelimit()) + netdev_err(dev, "BUG! Tx Ring full when queue awake!\n"); +- goto err_stop_0; ++ netif_stop_queue(dev); ++ return NETDEV_TX_BUSY; + } + + opts[1] = rtl8169_tx_vlan_tag(skb); +@@ -4356,11 +4357,6 @@ err_dma_0: + dev_kfree_skb_any(skb); + dev->stats.tx_dropped++; + return NETDEV_TX_OK; +- +-err_stop_0: +- netif_stop_queue(dev); +- dev->stats.tx_dropped++; +- return NETDEV_TX_BUSY; + } + + static unsigned int rtl_last_frag_len(struct sk_buff *skb) diff --git a/queue-5.15/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch b/queue-5.15/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch new file mode 100644 index 00000000000..1966f95be3d --- /dev/null +++ b/queue-5.15/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch @@ -0,0 +1,89 @@ +From 6ccf9984d6be3c2f804087b736db05c2ec42664b Mon Sep 17 00:00:00 2001 +From: Edmund Raile +Date: Tue, 30 Jul 2024 19:53:26 +0000 +Subject: Revert "ALSA: firewire-lib: obsolete workqueue for period update" + +From: Edmund Raile + +commit 6ccf9984d6be3c2f804087b736db05c2ec42664b upstream. + +prepare resolution of AB/BA deadlock competition for substream lock: +restore workqueue previously used for process context: + +revert commit b5b519965c4c ("ALSA: firewire-lib: obsolete workqueue +for period update") + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/kwryofzdmjvzkuw6j3clftsxmoolynljztxqwg76hzeo4simnl@jn3eo7pe642q/ +Signed-off-by: Edmund Raile +Reviewed-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20240730195318.869840-2-edmund.raile@protonmail.com +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/amdtp-stream.c | 15 +++++++++++++++ + sound/firewire/amdtp-stream.h | 1 + + 2 files changed, 16 insertions(+) + +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -77,6 +77,8 @@ + // overrun. Actual device can skip more, then this module stops the packet streaming. + #define IR_JUMBO_PAYLOAD_MAX_SKIP_CYCLES 5 + ++static void pcm_period_work(struct work_struct *work); ++ + /** + * amdtp_stream_init - initialize an AMDTP stream structure + * @s: the AMDTP stream to initialize +@@ -105,6 +107,7 @@ int amdtp_stream_init(struct amdtp_strea + s->flags = flags; + s->context = ERR_PTR(-1); + mutex_init(&s->mutex); ++ INIT_WORK(&s->period_work, pcm_period_work); + s->packet_index = 0; + + init_waitqueue_head(&s->ready_wait); +@@ -343,6 +346,7 @@ EXPORT_SYMBOL(amdtp_stream_get_max_paylo + */ + void amdtp_stream_pcm_prepare(struct amdtp_stream *s) + { ++ cancel_work_sync(&s->period_work); + s->pcm_buffer_pointer = 0; + s->pcm_period_pointer = 0; + } +@@ -622,6 +626,16 @@ static void update_pcm_pointers(struct a + } + } + ++static void pcm_period_work(struct work_struct *work) ++{ ++ struct amdtp_stream *s = container_of(work, struct amdtp_stream, ++ period_work); ++ struct snd_pcm_substream *pcm = READ_ONCE(s->pcm); ++ ++ if (pcm) ++ snd_pcm_period_elapsed(pcm); ++} ++ + static int queue_packet(struct amdtp_stream *s, struct fw_iso_packet *params, + bool sched_irq) + { +@@ -1798,6 +1812,7 @@ static void amdtp_stream_stop(struct amd + return; + } + ++ cancel_work_sync(&s->period_work); + fw_iso_context_stop(s->context); + fw_iso_context_destroy(s->context); + s->context = ERR_PTR(-1); +--- a/sound/firewire/amdtp-stream.h ++++ b/sound/firewire/amdtp-stream.h +@@ -190,6 +190,7 @@ struct amdtp_stream { + + /* For a PCM substream processing. */ + struct snd_pcm_substream *pcm; ++ struct work_struct period_work; + snd_pcm_uframes_t pcm_buffer_pointer; + unsigned int pcm_period_pointer; + diff --git a/queue-5.15/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch b/queue-5.15/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch new file mode 100644 index 00000000000..a5663a858cb --- /dev/null +++ b/queue-5.15/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch @@ -0,0 +1,118 @@ +From 3dab73ab925a51ab05543b491bf17463a48ca323 Mon Sep 17 00:00:00 2001 +From: Edmund Raile +Date: Tue, 30 Jul 2024 19:53:29 +0000 +Subject: Revert "ALSA: firewire-lib: operate for period elapse event in process context" + +From: Edmund Raile + +commit 3dab73ab925a51ab05543b491bf17463a48ca323 upstream. + +Commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event +in process context") removed the process context workqueue from +amdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove +its overhead. + +With RME Fireface 800, this lead to a regression since +Kernels 5.14.0, causing an AB/BA deadlock competition for the +substream lock with eventual system freeze under ALSA operation: + +thread 0: + * (lock A) acquire substream lock by + snd_pcm_stream_lock_irq() in + snd_pcm_status64() + * (lock B) wait for tasklet to finish by calling + tasklet_unlock_spin_wait() in + tasklet_disable_in_atomic() in + ohci_flush_iso_completions() of ohci.c + +thread 1: + * (lock B) enter tasklet + * (lock A) attempt to acquire substream lock, + waiting for it to be released: + snd_pcm_stream_lock_irqsave() in + snd_pcm_period_elapsed() in + update_pcm_pointers() in + process_ctx_payloads() in + process_rx_packets() of amdtp-stream.c + +? tasklet_unlock_spin_wait + + +ohci_flush_iso_completions firewire_ohci +amdtp_domain_stream_pcm_pointer snd_firewire_lib +snd_pcm_update_hw_ptr0 snd_pcm +snd_pcm_status64 snd_pcm + +? native_queued_spin_lock_slowpath + + +_raw_spin_lock_irqsave +snd_pcm_period_elapsed snd_pcm +process_rx_packets snd_firewire_lib +irq_target_callback snd_firewire_lib +handle_it_packet firewire_ohci +context_tasklet firewire_ohci + +Restore the process context work queue to prevent deadlock +AB/BA deadlock competition for ALSA substream lock of +snd_pcm_stream_lock_irq() in snd_pcm_status64() +and snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed(). + +revert commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period +elapse event in process context") + +Replace inline description to prevent future deadlock. + +Cc: stable@vger.kernel.org +Fixes: 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event in process context") +Reported-by: edmund.raile +Closes: https://lore.kernel.org/r/kwryofzdmjvzkuw6j3clftsxmoolynljztxqwg76hzeo4simnl@jn3eo7pe642q/ +Signed-off-by: Edmund Raile +Reviewed-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20240730195318.869840-3-edmund.raile@protonmail.com +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/amdtp-stream.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -613,16 +613,8 @@ static void update_pcm_pointers(struct a + // The program in user process should periodically check the status of intermediate + // buffer associated to PCM substream to process PCM frames in the buffer, instead + // of receiving notification of period elapsed by poll wait. +- if (!pcm->runtime->no_period_wakeup) { +- if (in_softirq()) { +- // In software IRQ context for 1394 OHCI. +- snd_pcm_period_elapsed(pcm); +- } else { +- // In process context of ALSA PCM application under acquired lock of +- // PCM substream. +- snd_pcm_period_elapsed_under_stream_lock(pcm); +- } +- } ++ if (!pcm->runtime->no_period_wakeup) ++ queue_work(system_highpri_wq, &s->period_work); + } + } + +@@ -1752,11 +1744,14 @@ unsigned long amdtp_domain_stream_pcm_po + { + struct amdtp_stream *irq_target = d->irq_target; + +- // Process isochronous packets queued till recent isochronous cycle to handle PCM frames. + if (irq_target && amdtp_stream_running(irq_target)) { +- // In software IRQ context, the call causes dead-lock to disable the tasklet +- // synchronously. +- if (!in_softirq()) ++ // use wq to prevent AB/BA deadlock competition for ++ // substream lock: ++ // fw_iso_context_flush_completions() acquires ++ // lock by ohci_flush_iso_completions(), ++ // amdtp-stream process_rx_packets() attempts to ++ // acquire same lock by snd_pcm_elapsed() ++ if (current_work() != &s->period_work) + fw_iso_context_flush_completions(irq_target->context); + } + diff --git a/queue-5.15/series b/queue-5.15/series index 1f9d2724e0b..ba396559387 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -361,3 +361,14 @@ net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch ipv6-fix-ndisc_is_useropt-handling-for-pio.patch riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch power-supply-bq24190_charger-replace-deprecated-strn.patch +platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch +hid-wacom-modify-pen-ids.patch +protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch +alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch +alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch +revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch +revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch +drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch +net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch +r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch +mptcp-fix-duplicate-data-handling.patch -- 2.47.3