From 8a36e5e3b1a9c71e1e2d4c4e04ef0fc9977bf48c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 12 Aug 2024 11:39:39 +0200 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch alsa-line6-fix-racy-access-to-midibuf.patch drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch usb-serial-debug-do-not-echo-input-by-default.patch usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch --- ...ail-system-ams-to-force-connect-list.patch | 35 +++++++++ ...more-pin-fix-for-hp-elitedesk-800-g4.patch | 30 +++++++ ...lsa-line6-fix-racy-access-to-midibuf.patch | 60 ++++++++++++++ ...eference-in-drm_client_modeset_probe.patch | 38 +++++++++ queue-5.15/series | 6 ++ ...l-debug-do-not-echo-input-by-default.patch | 69 ++++++++++++++++ ...ces-before-new-references-are-gained.patch | 78 +++++++++++++++++++ 7 files changed, 316 insertions(+) create mode 100644 queue-5.15/alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch create mode 100644 queue-5.15/alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch create mode 100644 queue-5.15/alsa-line6-fix-racy-access-to-midibuf.patch create mode 100644 queue-5.15/drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch create mode 100644 queue-5.15/usb-serial-debug-do-not-echo-input-by-default.patch create mode 100644 queue-5.15/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch diff --git a/queue-5.15/alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch b/queue-5.15/alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch new file mode 100644 index 00000000000..5ad90607e27 --- /dev/null +++ b/queue-5.15/alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch @@ -0,0 +1,35 @@ +From 7e1e206b99f4b3345aeb49d94584a420b7887f1d Mon Sep 17 00:00:00 2001 +From: Steven 'Steve' Kendall +Date: Tue, 6 Aug 2024 00:08:24 +0000 +Subject: ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list + +From: Steven 'Steve' Kendall + +commit 7e1e206b99f4b3345aeb49d94584a420b7887f1d upstream. + +In recent HP UEFI firmware (likely v2.15 and above, tested on 2.27), +these pins are incorrectly set for HDMI/DP audio. Tested on +HP MP9 G4 Retail System AMS. Tested audio with two monitors connected +via DisplayPort. + +Link: https://forum.manjaro.org/t/intel-cannon-lake-pch-cavs-conexant-cx20632-no-sound-at-hdmi-or-displayport/133494 +Link: https://bbs.archlinux.org/viewtopic.php?id=270523 +Signed-off-by: Steven 'Steve' Kendall +Cc: +Link: https://patch.msgid.link/20240806-hdmi-audio-hp-wrongpins-v2-1-d9eb4ad41043@chromium.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1960,6 +1960,7 @@ static int hdmi_add_cvt(struct hda_codec + } + + static const struct snd_pci_quirk force_connect_list[] = { ++ SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1), + SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x8711, "HP", 1), diff --git a/queue-5.15/alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch b/queue-5.15/alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch new file mode 100644 index 00000000000..faae7cac7a5 --- /dev/null +++ b/queue-5.15/alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch @@ -0,0 +1,30 @@ +From 176fd1511dd9086ab4fa9323cb232177c6235288 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2024 08:49:16 +0200 +Subject: ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 + +From: Takashi Iwai + +commit 176fd1511dd9086ab4fa9323cb232177c6235288 upstream. + +HP EliteDesk 800 G4 (PCI SSID 103c:83e2) is another Kabylake machine +where BIOS misses the HDMI pin initializations. Add the quirk entry. + +Cc: +Link: https://patch.msgid.link/20240806064918.11132-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1960,6 +1960,7 @@ static int hdmi_add_cvt(struct hda_codec + } + + static const struct snd_pci_quirk force_connect_list[] = { ++ SND_PCI_QUIRK(0x103c, 0x83e2, "HP EliteDesk 800 G4", 1), + SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1), + SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), diff --git a/queue-5.15/alsa-line6-fix-racy-access-to-midibuf.patch b/queue-5.15/alsa-line6-fix-racy-access-to-midibuf.patch new file mode 100644 index 00000000000..903a0d329f3 --- /dev/null +++ b/queue-5.15/alsa-line6-fix-racy-access-to-midibuf.patch @@ -0,0 +1,60 @@ +From 15b7a03205b31bc5623378c190d22b7ff60026f1 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 5 Aug 2024 15:01:28 +0200 +Subject: ALSA: line6: Fix racy access to midibuf + +From: Takashi Iwai + +commit 15b7a03205b31bc5623378c190d22b7ff60026f1 upstream. + +There can be concurrent accesses to line6 midibuf from both the URB +completion callback and the rawmidi API access. This could be a cause +of KMSAN warning triggered by syzkaller below (so put as reported-by +here). + +This patch protects the midibuf call of the former code path with a +spinlock for avoiding the possible races. + +Reported-by: syzbot+78eccfb8b3c9a85fc6c5@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/00000000000000949c061df288c5@google.com +Cc: +Link: https://patch.msgid.link/20240805130129.10872-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/line6/driver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -286,12 +286,14 @@ static void line6_data_received(struct u + { + struct usb_line6 *line6 = (struct usb_line6 *)urb->context; + struct midi_buffer *mb = &line6->line6midi->midibuf_in; ++ unsigned long flags; + int done; + + if (urb->status == -ESHUTDOWN) + return; + + if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) { ++ spin_lock_irqsave(&line6->line6midi->lock, flags); + done = + line6_midibuf_write(mb, urb->transfer_buffer, urb->actual_length); + +@@ -300,12 +302,15 @@ static void line6_data_received(struct u + dev_dbg(line6->ifcdev, "%d %d buffer overflow - message skipped\n", + done, urb->actual_length); + } ++ spin_unlock_irqrestore(&line6->line6midi->lock, flags); + + for (;;) { ++ spin_lock_irqsave(&line6->line6midi->lock, flags); + done = + line6_midibuf_read(mb, line6->buffer_message, + LINE6_MIDI_MESSAGE_MAXLEN, + LINE6_MIDIBUF_READ_RX); ++ spin_unlock_irqrestore(&line6->line6midi->lock, flags); + + if (done <= 0) + break; diff --git a/queue-5.15/drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch b/queue-5.15/drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch new file mode 100644 index 00000000000..a9cd7dfa426 --- /dev/null +++ b/queue-5.15/drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch @@ -0,0 +1,38 @@ +From 113fd6372a5bb3689aba8ef5b8a265ed1529a78f Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Fri, 2 Aug 2024 12:47:36 +0800 +Subject: drm/client: fix null pointer dereference in drm_client_modeset_probe + +From: Ma Ke + +commit 113fd6372a5bb3689aba8ef5b8a265ed1529a78f upstream. + +In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is +assigned to modeset->mode, which will lead to a possible NULL pointer +dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code") +Signed-off-by: Ma Ke +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20240802044736.1570345-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -867,6 +867,11 @@ int drm_client_modeset_probe(struct drm_ + + kfree(modeset->mode); + modeset->mode = drm_mode_duplicate(dev, mode); ++ if (!modeset->mode) { ++ ret = -ENOMEM; ++ break; ++ } ++ + drm_connector_get(connector); + modeset->connectors[modeset->num_connectors++] = connector; + modeset->x = offset->x; diff --git a/queue-5.15/series b/queue-5.15/series index 7435f316e44..50ae5770a1a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -437,3 +437,9 @@ i2c-qcom-geni-add-missing-geni_icc_disable-in-geni_i.patch spi-spi-fsl-lpspi-fix-scldiv-calculation.patch alsa-usb-audio-re-add-scratchamp-quirk-entries.patch asoc-meson-axg-fifo-fix-irq-scheduling-issue-with-pr.patch +drm-client-fix-null-pointer-dereference-in-drm_client_modeset_probe.patch +alsa-line6-fix-racy-access-to-midibuf.patch +alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch +alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch +usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch +usb-serial-debug-do-not-echo-input-by-default.patch diff --git a/queue-5.15/usb-serial-debug-do-not-echo-input-by-default.patch b/queue-5.15/usb-serial-debug-do-not-echo-input-by-default.patch new file mode 100644 index 00000000000..10caedf533d --- /dev/null +++ b/queue-5.15/usb-serial-debug-do-not-echo-input-by-default.patch @@ -0,0 +1,69 @@ +From 00af4f3dda1461ec90d892edc10bec6d3c50c554 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Mon, 15 Jul 2024 12:44:53 +0200 +Subject: USB: serial: debug: do not echo input by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +commit 00af4f3dda1461ec90d892edc10bec6d3c50c554 upstream. + +This driver is intended as a "client" end of the console connection. +When connected to a host it's supposed to receive debug logs, and +possibly allow to interact with whatever debug console is available +there. Feeding messages back, depending on a configuration may cause log +messages be executed as shell commands (which can be really bad if one +is unlucky, imagine a log message like "prevented running `rm -rf +/home`"). In case of Xen, it exposes sysrq-like debug interface, and +feeding it its own logs will pretty quickly hit 'R' for "instant +reboot". + +Contrary to a classic serial console, the USB one cannot be configured +ahead of time, as the device shows up only when target OS is up. And at +the time device is opened to execute relevant ioctl, it's already too +late, especially when logs start flowing shortly after device is +initialized. +Avoid the issue by changing default to no echo for this type of devices. + +Signed-off-by: Marek Marczykowski-Górecki +[ johan: amend summary; disable also ECHONL ] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/usb_debug.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/serial/usb_debug.c ++++ b/drivers/usb/serial/usb_debug.c +@@ -69,6 +69,11 @@ static void usb_debug_process_read_urb(s + usb_serial_generic_process_read_urb(urb); + } + ++static void usb_debug_init_termios(struct tty_struct *tty) ++{ ++ tty->termios.c_lflag &= ~(ECHO | ECHONL); ++} ++ + static struct usb_serial_driver debug_device = { + .driver = { + .owner = THIS_MODULE, +@@ -78,6 +83,7 @@ static struct usb_serial_driver debug_de + .num_ports = 1, + .bulk_out_size = USB_DEBUG_MAX_PACKET_SIZE, + .break_ctl = usb_debug_break_ctl, ++ .init_termios = usb_debug_init_termios, + .process_read_urb = usb_debug_process_read_urb, + }; + +@@ -89,6 +95,7 @@ static struct usb_serial_driver dbc_devi + .id_table = dbc_id_table, + .num_ports = 1, + .break_ctl = usb_debug_break_ctl, ++ .init_termios = usb_debug_init_termios, + .process_read_urb = usb_debug_process_read_urb, + }; + diff --git a/queue-5.15/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch b/queue-5.15/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch new file mode 100644 index 00000000000..6e5d67ec555 --- /dev/null +++ b/queue-5.15/usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch @@ -0,0 +1,78 @@ +From afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 9 Jul 2024 13:38:41 +0200 +Subject: usb: vhci-hcd: Do not drop references before new references are gained + +From: Oliver Neukum + +commit afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a upstream. + +At a few places the driver carries stale pointers +to references that can still be used. Make sure that does not happen. +This strictly speaking closes ZDI-CAN-22273, though there may be +similar races in the driver. + +Signed-off-by: Oliver Neukum +Cc: stable +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20240709113851.14691-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/vhci_hcd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -745,6 +745,7 @@ static int vhci_urb_enqueue(struct usb_h + * + */ + if (usb_pipedevice(urb->pipe) == 0) { ++ struct usb_device *old; + __u8 type = usb_pipetype(urb->pipe); + struct usb_ctrlrequest *ctrlreq = + (struct usb_ctrlrequest *) urb->setup_packet; +@@ -755,14 +756,15 @@ static int vhci_urb_enqueue(struct usb_h + goto no_need_xmit; + } + ++ old = vdev->udev; + switch (ctrlreq->bRequest) { + case USB_REQ_SET_ADDRESS: + /* set_address may come when a device is reset */ + dev_info(dev, "SetAddress Request (%d) to port %d\n", + ctrlreq->wValue, vdev->rhport); + +- usb_put_dev(vdev->udev); + vdev->udev = usb_get_dev(urb->dev); ++ usb_put_dev(old); + + spin_lock(&vdev->ud.lock); + vdev->ud.status = VDEV_ST_USED; +@@ -781,8 +783,8 @@ static int vhci_urb_enqueue(struct usb_h + usbip_dbg_vhci_hc( + "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n"); + +- usb_put_dev(vdev->udev); + vdev->udev = usb_get_dev(urb->dev); ++ usb_put_dev(old); + goto out; + + default: +@@ -1067,6 +1069,7 @@ static void vhci_shutdown_connection(str + static void vhci_device_reset(struct usbip_device *ud) + { + struct vhci_device *vdev = container_of(ud, struct vhci_device, ud); ++ struct usb_device *old = vdev->udev; + unsigned long flags; + + spin_lock_irqsave(&ud->lock, flags); +@@ -1074,8 +1077,8 @@ static void vhci_device_reset(struct usb + vdev->speed = 0; + vdev->devid = 0; + +- usb_put_dev(vdev->udev); + vdev->udev = NULL; ++ usb_put_dev(old); + + if (ud->tcp_socket) { + sockfd_put(ud->tcp_socket); -- 2.47.3