From badca54be9df41491cb90570de94ce72652dad39 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 9 Sep 2023 14:32:49 +0100
Subject: [PATCH] 6.1-stable patches

added patches:
	alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch
	arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
---
 ...-on-hardware-with-two-cs42l42-codecs.patch | 47 ++++++++++++
 ...p-checksum-code-for-negative-lengths.patch | 75 +++++++++++++++++++
 queue-6.1/series                              |  2 +
 3 files changed, 124 insertions(+)
 create mode 100644 queue-6.1/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch
 create mode 100644 queue-6.1/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch

diff --git a/queue-6.1/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch b/queue-6.1/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch
new file mode 100644
index 00000000000..54814e64f40
--- /dev/null
+++ b/queue-6.1/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch
@@ -0,0 +1,47 @@
+From 99bf5b0baac941176a6a3d5cef7705b29808de34 Mon Sep 17 00:00:00 2001
+From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+Date: Mon, 4 Sep 2023 17:00:33 +0100
+Subject: ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs.
+
+From: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+
+commit 99bf5b0baac941176a6a3d5cef7705b29808de34 upstream.
+
+Recently in v6.3-rc1 there was a change affecting behaviour of hrtimers
+(commit 0c52310f260014d95c1310364379772cb74cf82d) and causing
+few issues on platforms with two CS42L42 codecs. Canonical/Dell
+has reported an issue with Vostro-3910.
+We need to increase this value by 15ms.
+
+Link: https://bugs.launchpad.net/somerville/+bug/2031060
+Fixes: 9fb9fa18fb50 ("ALSA: hda/cirrus: Add extra 10 ms delay to allow PLL settle and lock.")
+Signed-off-by: Vitaly Rodionov <vitalyr@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20230904160033.908135-1-vitalyr@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_cs8409.c |    2 +-
+ sound/pci/hda/patch_cs8409.h |    1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_cs8409.c
++++ b/sound/pci/hda/patch_cs8409.c
+@@ -888,7 +888,7 @@ static void cs42l42_resume(struct sub_co
+ 
+ 	/* Initialize CS42L42 companion codec */
+ 	cs8409_i2c_bulk_write(cs42l42, cs42l42->init_seq, cs42l42->init_seq_num);
+-	usleep_range(30000, 35000);
++	msleep(CS42L42_INIT_TIMEOUT_MS);
+ 
+ 	/* Clear interrupts, by reading interrupt status registers */
+ 	cs8409_i2c_bulk_read(cs42l42, irq_regs, ARRAY_SIZE(irq_regs));
+--- a/sound/pci/hda/patch_cs8409.h
++++ b/sound/pci/hda/patch_cs8409.h
+@@ -229,6 +229,7 @@ enum cs8409_coefficient_index_registers
+ #define CS42L42_I2C_SLEEP_US			(2000)
+ #define CS42L42_PDN_TIMEOUT_US			(250000)
+ #define CS42L42_PDN_SLEEP_US			(2000)
++#define CS42L42_INIT_TIMEOUT_MS			(45)
+ #define CS42L42_FULL_SCALE_VOL_MASK		(2)
+ #define CS42L42_FULL_SCALE_VOL_0DB		(1)
+ #define CS42L42_FULL_SCALE_VOL_MINUS6DB		(0)
diff --git a/queue-6.1/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch b/queue-6.1/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
new file mode 100644
index 00000000000..3b18571031a
--- /dev/null
+++ b/queue-6.1/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
@@ -0,0 +1,75 @@
+From 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 7 Sep 2023 09:54:11 +0100
+Subject: arm64: csum: Fix OoB access in IP checksum code for negative lengths
+
+From: Will Deacon <will@kernel.org>
+
+commit 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 upstream.
+
+Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length
+calls") added an early return for zero-length input, syzkaller has
+popped up with an example of a _negative_ length which causes an
+undefined shift and an out-of-bounds read:
+
+ | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
+ | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975
+ |
+ | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0
+ | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
+ | Call trace:
+ |  dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
+ |  show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
+ |  __dump_stack lib/dump_stack.c:88 [inline]
+ |  dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
+ |  print_address_description mm/kasan/report.c:351 [inline]
+ |  print_report+0x174/0x514 mm/kasan/report.c:462
+ |  kasan_report+0xd4/0x130 mm/kasan/report.c:572
+ |  kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187
+ |  __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31
+ |  do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
+ |  csum_partial+0x30/0x58 lib/checksum.c:128
+ |  gso_make_checksum include/linux/skbuff.h:4928 [inline]
+ |  __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332
+ |  udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47
+ |  ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119
+ |  skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141
+ |  __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401
+ |  skb_gso_segment include/linux/netdevice.h:4859 [inline]
+ |  validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659
+ |  validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709
+ |  sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327
+ |  __dev_xmit_skb net/core/dev.c:3805 [inline]
+ |  __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210
+ |  dev_queue_xmit include/linux/netdevice.h:3085 [inline]
+ |  packet_xmit+0x6c/0x318 net/packet/af_packet.c:276
+ |  packet_snd net/packet/af_packet.c:3081 [inline]
+ |  packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113
+ |  sock_sendmsg_nosec net/socket.c:724 [inline]
+ |  sock_sendmsg net/socket.c:747 [inline]
+ |  __sys_sendto+0x3b4/0x538 net/socket.c:2144
+
+Extend the early return to reject negative lengths as well, aligning our
+implementation with the generic code in lib/checksum.c
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Fixes: 5777eaed566a ("arm64: Implement optimised checksum routine")
+Reported-by: syzbot+4a9f9820bd8d302e22f7@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/000000000000e0e94c0603f8d213@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/lib/csum.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/lib/csum.c
++++ b/arch/arm64/lib/csum.c
+@@ -24,7 +24,7 @@ unsigned int __no_sanitize_address do_cs
+ 	const u64 *ptr;
+ 	u64 data, sum64 = 0;
+ 
+-	if (unlikely(len == 0))
++	if (unlikely(len <= 0))
+ 		return 0;
+ 
+ 	offset = (unsigned long)buff & 7;
diff --git a/queue-6.1/series b/queue-6.1/series
index d051ab64593..6de93407bed 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -542,3 +542,5 @@ drm-amd-display-register-edp_backlight_control-for-dcn301.patch
 xtensa-pmu-fix-base-address-for-the-newer-hardware.patch
 loongarch-mm-add-p-d_leaf-definitions.patch
 i3c-master-svc-fix-probe-failure-when-no-i3c-device-exist.patch
+arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
+alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch
-- 
2.47.3