commit bb67b270b37e8bd9c96829d58ffe758635651e90 Author: Greg Kroah-Hartman Date: Sat Jul 27 11:36:19 2024 +0200 Linux 6.9.12 Link: https://lore.kernel.org/r/20240725142731.678993846@linuxfoundation.org Tested-by: Justin M. Forbes Tested-by: Peter Schneider  Tested-by: SeongJae Park Tested-by: Markus Reichelt Tested-by: Ron Economos Tested-by: Mark Brown Tested-by: Shuah Khan Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Tested-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit 73d462a38d5f782b7c872fe9ae8393d9ef5483da Author: Si-Wei Liu Date: Wed Jul 24 10:04:51 2024 -0700 tap: add missing verification for short frame commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream. The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Si-Wei Liu Signed-off-by: Dongli Zhang Reviewed-by: Willem de Bruijn Reviewed-by: Paolo Abeni Reviewed-by: Jason Wang Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb Author: Dongli Zhang Date: Wed Jul 24 10:04:52 2024 -0700 tun: add missing verification for short frame commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream. The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091 Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Dongli Zhang Reviewed-by: Si-Wei Liu Reviewed-by: Willem de Bruijn Reviewed-by: Paolo Abeni Reviewed-by: Jason Wang Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02 Author: Jann Horn Date: Tue Jul 23 17:03:56 2024 +0200 filelock: Fix fcntl/close race recovery compat path commit f8138f2ad2f745b9a1c696a05b749eabe44337ea upstream. When I wrote commit 3cad1bc01041 ("filelock: Remove locks reliably when fcntl/close race is detected"), I missed that there are two copies of the code I was patching: The normal version, and the version for 64-bit offsets on 32-bit kernels. Thanks to Greg KH for stumbling over this while doing the stable backport... Apply exactly the same fix to the compat path for 32-bit kernels. Fixes: c293621bbf67 ("[PATCH] stale POSIX lock handling") Cc: stable@kernel.org Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2563 Signed-off-by: Jann Horn Link: https://lore.kernel.org/r/20240723-fs-lock-recover-compatfix-v1-1-148096719529@google.com Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 93a77374e2ae24c2d195f84f5edf239b927f87e9 Author: Takashi Iwai Date: Wed Jul 17 10:33:01 2024 +0200 ALSA: seq: ump: Skip useless ports for static blocks commit 3bfd7c0ba184de99e9f5083b29e5308f30767265 upstream. When the UMP Endpoint is configured with static blocks, the block configuration will never change, hence the unused ports will be unchanged as well. Creating sequencer ports for those unused ports is simply useless, and it might be rather confusing for users. The idea behind the inactive ports was for allowing connections from/to ports that can become usable later, but this will never happen for inactive groups in static blocks. Let's change the sequencer UMP binding to skip those unused ports when the UMP EP is with static blocks. Fixes: 81fd444aa371 ("ALSA: seq: Bind UMP device") Cc: Link: https://patch.msgid.link/20240717083322.25892-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 56eb8b96126e995fc21e92fd42c5474633a10ca4 Author: Shengjiu Wang Date: Wed Jul 17 14:44:53 2024 +0800 ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused commit 88e98af9f4b5b0d60c1fe7f7f2701b5467691e75 upstream. When suspended, the DMA channel may enter PAUSE state if dmaengine_pause() is supported by DMA. At this state, dmaengine_synchronize() should not be called, otherwise the DMA channel can't be resumed successfully. Fixes: e8343410ddf0 ("ALSA: dmaengine: Synchronize dma channel after drop()") Signed-off-by: Shengjiu Wang Cc: Link: https://patch.msgid.link/1721198693-27636-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0bdafa35d05f4bdb087622e020a9132d5f338c93 Author: Krishna Kurapati Date: Thu Jul 4 20:58:45 2024 +0530 arm64: dts: qcom: sm6115: Disable SS instance in Parkmode for USB commit 074992a1163295d717faa21d1818c4c19ef6e676 upstream. For Gen-1 targets like SM6115, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for SM6115 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: 97e563bf5ba1 ("arm64: dts: qcom: sm6115: Add basic soc dtsi") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-6-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit f60f2433d03bde609ae82279757ab3f41b5f00d5 Author: Krishna Kurapati Date: Thu Jul 4 20:58:48 2024 +0530 arm64: dts: qcom: sdm845: Disable SS instance in Parkmode for USB commit cf4d6d54eadb60d2ee4d31c9d92299f5e8dcb55c upstream. For Gen-1 targets like SDM845, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for SDM845 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: ca4db2b538a1 ("arm64: dts: qcom: sdm845: Add USB-related nodes") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-9-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 8adcc01b5cb3ffcfb5b8f9263fdf94ac0d02f43d Author: Krishna Kurapati Date: Thu Jul 4 20:58:42 2024 +0530 arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB commit dc6ba95c6c4400a84cca5b419b34ae852a08cfb5 upstream. For Gen-1 targets like IPQ8074, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for IPQ8074 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: 5e09bc51d07b ("arm64: dts: ipq8074: enable USB support") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-3-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 0e0a6a8fab3fb0e8dd415e6fd407ef45cc7bb9c2 Author: Krishna Kurapati Date: Thu Jul 4 20:58:44 2024 +0530 arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB commit fad58a41b84667cb6c9232371fc3af77d4443889 upstream. For Gen-1 targets like SDM630, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for SDM630 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: c65a4ed2ea8b ("arm64: dts: qcom: sdm630: Add USB configuration") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-5-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit ceacd5f47cc01d1ce631e27b9269de8b42dece58 Author: Krishna Kurapati Date: Thu Jul 4 20:58:41 2024 +0530 arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB commit 4ae4837871ee8c8b055cf8131f65d31ee4208fa0 upstream. For Gen-1 targets like IPQ6018, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for IPQ6018 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: 20bb9e3dd2e4 ("arm64: dts: qcom: ipq6018: add usb3 DT description") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-2-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit a78d68db44e096fcd47c8de42a3fbf638dfa956e Author: Krishna Kurapati Date: Thu Jul 4 20:58:43 2024 +0530 arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB commit 0046325ae52079b46da13a7f84dd7b2a6f7c38f8 upstream. For Gen-1 targets like MSM8998, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for MSM8998 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: 026dad8f5873 ("arm64: dts: qcom: msm8998: Add USB-related nodes") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-4-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit fee147abe49b7aa8bc27cce658671a8ffec8af6e Author: Krishna Kurapati Date: Thu Jul 4 20:58:46 2024 +0530 arm64: dts: qcom: sm6350: Disable SS instance in Parkmode for USB commit c5d57eb7d06df16c07037cea5dacfd74d49d1833 upstream. For Gen-1 targets like SM6350, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for SM6350 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: 23737b9557fe ("arm64: dts: qcom: sm6350: Add USB1 nodes") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-7-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 0c59401932f56c224a5defccf8a109c67f9441a1 Author: Krishna Kurapati Date: Thu Jul 4 20:58:47 2024 +0530 arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB commit 44ea1ae3cf95db97e10d6ce17527948121f1dd4b upstream. For Gen-1 targets like MSM8996, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for MSM8996 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: 1e39255ed29d ("arm64: dts: msm8996: Add device node for qcom,dwc3") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240704152848.3380602-8-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 6c8192e7458e446c82bf060c304a36c16a6890cc Author: Abel Vesa Date: Thu May 30 19:35:45 2024 +0300 arm64: dts: qcom: x1e80100-crd: Fix USB PHYs regulators commit ae5cee8e7349d7e5deff4cf90a08cbd738287155 upstream. The 1.2v HS PHY shared regulator is actually LDO2 from PM8550ve id J. Also add the missing supplies to QMP PHYs. Fixes: d7e03cce0400 ("arm64: dts: qcom: x1e80100-crd: Enable more support") Signed-off-by: Abel Vesa Reviewed-by: Dmitry Baryshkov Cc: stable@vger.kernel.org # 6.9 Link: https://lore.kernel.org/r/20240530-x1e80100-dts-fix-usb-phy-supplies-v1-1-6eb72a546227@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 32fc3a4eeb2016d2c9a61f28f0912ba813191f4f Author: Abel Vesa Date: Thu May 30 18:43:40 2024 +0300 arm64: dts: qcom: x1e80100-qcp: Fix the PHY regulator for PCIe 6a commit 87042003f6ea7d075784db98da6903738a38f3cf upstream. The actual PHY regulator is L1d instead of L3j, so fix it accordingly. Fixes: f9a9c11471da ("arm64: dts: qcom: x1e80100-qcp: Enable more support") Signed-off-by: Abel Vesa Reviewed-by: Dmitry Baryshkov Cc: stable@vger.kernel.org # 6.9 Link: https://lore.kernel.org/r/20240530-x1e80100-dts-pcie6a-v1-2-ee17a9939ba5@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit b155b3c188ddb96427faceb28d84fb585b8c660f Author: Abel Vesa Date: Thu May 30 18:43:39 2024 +0300 arm64: dts: qcom: x1e80100-crd: Fix the PHY regulator for PCIe 6a commit cf7d2157aa87dca6f078a2d4867fd0a9dbc357aa upstream. The actual PHY regulator is L1d instead of L3j, so fix it accordingly. Fixes: d7e03cce0400 ("arm64: dts: qcom: x1e80100-crd: Enable more support") Signed-off-by: Abel Vesa Reviewed-by: Dmitry Baryshkov Cc: stable@vger.kernel.org # 6.9 Link: https://lore.kernel.org/r/20240530-x1e80100-dts-pcie6a-v1-1-ee17a9939ba5@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 92ff9f43277c073d1b23b78796ed4b7685dd135e Author: Dmitry Baryshkov Date: Wed Jun 5 11:55:57 2024 +0300 arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio commit f77e7bd40c3c2d79685e9cc80de874b69a976f55 upstream. On the Qualcomm RB2 platform the I2C bus connected to the LT9611UXC bridge under some circumstances can go into a state when all transfers timeout. This causes both issues with fetching of EDID and with updating of the bridge's firmware. While we are debugging the issue, switch corresponding I2C bus to use i2c-gpio driver. While using i2c-gpio no communication issues are observed. This patch is asusmed to be a temporary fix, so it is implemented in a non-intrusive manner to simply reverting it later. Fixes: f7b01e07e89c ("arm64: dts: qcom: qrb4210-rb2: Enable display out") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Baryshkov Reviewed-by: Caleb Connolly Link: https://lore.kernel.org/r/20240605-rb12-i2c2g-pio-v2-2-946f5d6b6948@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit a4a3d414d476b201b7e6f6420fa9ffcb9087baa8 Author: Dmitry Baryshkov Date: Wed Jun 5 11:55:56 2024 +0300 arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio commit b7b545ccc08873e107aa24c461b1fdb123dd3761 upstream. On the Qualcomm RB1 platform the I2C bus connected to the LT9611UXC bridge under some circumstances can go into a state when all transfers timeout. This causes both issues with fetching of EDID and with updating of the bridge's firmware. While we are debugging the issue, switch corresponding I2C bus to use i2c-gpio driver. While using i2c-gpio no communication issues are observed. This patch is asusmed to be a temporary fix, so it is implemented in a non-intrusive manner to simply reverting it later. Fixes: 616eda24edd4 ("arm64: dts: qcom: qrb2210-rb1: Set up HDMI") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Baryshkov Reviewed-by: Caleb Connolly Link: https://lore.kernel.org/r/20240605-rb12-i2c2g-pio-v2-1-946f5d6b6948@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 213aa2a35e949990722ed1106d0d1700d4c6a3df Author: Abel Vesa Date: Thu May 30 19:35:46 2024 +0300 arm64: dts: qcom: x1e80100-qcp: Fix USB PHYs regulators commit 20676f7819d7364b7e8bd437b212106faa893b49 upstream. The 1.2v HS PHY shared regulator is actually LDO2 from PM8550ve id J. Also add the missing supplies to QMP PHYs. Fixes: f9a9c11471da ("arm64: dts: qcom: x1e80100-qcp: Enable more support") Signed-off-by: Abel Vesa Reviewed-by: Dmitry Baryshkov Cc: stable@vger.kernel.org # 6.9 Link: https://lore.kernel.org/r/20240530-x1e80100-dts-fix-usb-phy-supplies-v1-2-6eb72a546227@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 92f31da2e80b0fb59a2a1e9bbb5847e40e546c32 Author: Krishna Kurapati Date: Tue Jun 4 11:36:59 2024 +0530 arm64: dts: qcom: sc7280: Disable SuperSpeed instances in park mode commit 3d930f1750ce30a6c36dbc71f8ff7e20322b94d7 upstream. On SC7280, in host mode, it is observed that stressing out controller results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instances in park mode for SC7280 to mitigate this issue. Reported-by: Doug Anderson Cc: stable@vger.kernel.org Fixes: bb9efa59c665 ("arm64: dts: qcom: sc7280: Add USB related nodes") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240604060659.1449278-3-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit a2be741dd297cf3b064ad736f0b104f4e01cba11 Author: Krishna Kurapati Date: Tue Jun 4 11:36:58 2024 +0530 arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode commit 5b8baed4b88132c12010ce6ca1b56f00d122e376 upstream. On SC7180, in host mode, it is observed that stressing out controller results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instances in park mode for SC7180 to mitigate this issue. Reported-by: Doug Anderson Cc: stable@vger.kernel.org Fixes: 0b766e7fe5a2 ("arm64: dts: qcom: sc7180: Add USB related nodes") Signed-off-by: Krishna Kurapati Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240604060659.1449278-2-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 6e6e644862c70e9062ed3f1255eef02c1b71a7b8 Author: Seunghun Han Date: Thu Jul 18 17:09:08 2024 +0900 ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 commit d7063c08738573fc2f3296da6d31a22fa8aa843a upstream. Samsung Galaxy Book Pro 360 (13" 2022 NT935QDB-KC71S) with codec SSID 144d:c1a4 requires the same workaround to enable the speaker amp as other Samsung models with the ALC298 codec. Signed-off-by: Seunghun Han Cc: Link: https://patch.msgid.link/20240718080908.8677-1-kkamagui@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 38c68e094008a8c1350f4f80956712ba34be4ea3 Author: Edson Juliano Drosdeck Date: Fri Jul 12 15:06:42 2024 -0300 ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 commit 8fc1e8b230771442133d5cf5fa4313277aa2bb8b upstream. Positivo SU C1400 is equipped with ALC256, and it needs ALC269_FIXUP_ASPIRE_HEADSET_MIC quirk to make its headset mic work. Signed-off-by: Edson Juliano Drosdeck Cc: Link: https://patch.msgid.link/20240712180642.22564-1-edson.drosdeck@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b6b2509139cbc13a9b914bba31084b2220c17947 Author: Shenghao Ding Date: Wed Jul 17 19:53:04 2024 +0800 ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop commit 1e5597e5ff18d452cf9afa847e904f301d1ac690 upstream. Add new vendor_id and subsystem_id in quirk for Lenovo Hera2 Laptop. Signed-off-by: Shenghao Ding Cc: Link: https://patch.msgid.link/20240717115305.723-1-shenghao-ding@ti.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0c777978498fb9fa7c41684a3d1c810ebcb9248b Author: Takashi Iwai Date: Mon Jul 8 11:57:17 2024 +0200 usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup commit 3eb27d3e32c78badbc4db6ae76614b5961e32291 upstream. The MIDI2 gadget driver handled the default MIDI protocol version incorrectly due to the confusion of the protocol version passed via configfs (either 1 or 2) and UMP protocol bits (0x100 / 0x200). As a consequence, the default protocol always resulted in MIDI1. This patch addresses the misunderstanding of the protocol handling. Fixes: 29ee7a4dddd5 ("usb: gadget: midi2: Add configfs support") Cc: stable Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20240708095719.25627-1-tiwai@suse.de Signed-off-by: Greg Kroah-Hartman commit 82c94e6a7bd116724738aa67eba6f5fedf3a3319 Author: lei lu Date: Wed May 29 02:52:22 2024 +0800 fs/ntfs3: Validate ff offset commit 50c47879650b4c97836a0086632b3a2e300b0f06 upstream. This adds sanity checks for ff offset. There is a check on rt->first_free at first, but walking through by ff without any check. If the second ff is a large offset. We may encounter an out-of-bound read. Signed-off-by: lei lu Signed-off-by: Konstantin Komarov Signed-off-by: Greg Kroah-Hartman commit c114d2b88f8b226d4b2acf5a1ba0412cde6c31dd Author: Konstantin Komarov Date: Mon Jun 3 13:13:17 2024 +0300 fs/ntfs3: Add a check for attr_names and oatbl commit 702d4930eb06dcfda85a2fa67e8a1a27bfa2a845 upstream. Added out-of-bound checking for *ane (ATTR_NAME_ENTRY). Reported-by: lei lu Fixes: 865e7a7700d93 ("fs/ntfs3: Reduce stack usage") Signed-off-by: Konstantin Komarov Signed-off-by: Greg Kroah-Hartman commit f4435f476b9bf059cd9e26a69f5b29c768d00375 Author: lei lu Date: Wed May 29 02:30:40 2024 +0800 jfs: don't walk off the end of ealist commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream. Add a check before visiting the members of ea to make sure each ea stays within the ealist. Signed-off-by: lei lu Signed-off-by: Dave Kleikamp Signed-off-by: Greg Kroah-Hartman commit 624b380074f0dc209fb8706db3295c735079f34c Author: lei lu Date: Wed Jun 26 18:44:33 2024 +0800 ocfs2: add bounds checking to ocfs2_check_dir_entry() commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream. This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region. Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com Signed-off-by: lei lu Reviewed-by: Heming Zhao Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 9e13767ccefdc4f8aa92514b592b60f6b54882ff Author: Gerald Schaefer Date: Mon Jul 15 20:04:16 2024 +0200 s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception() commit df39038cd89525d465c2c8827eb64116873f141a upstream. There is no support for HWPOISON, MEMORY_FAILURE, or ARCH_HAS_COPY_MC on s390. Therefore we do not expect to see VM_FAULT_HWPOISON in do_exception(). However, since commit af19487f00f3 ("mm: make PTE_MARKER_SWAPIN_ERROR more general"), it is possible to see VM_FAULT_HWPOISON in combination with PTE_MARKER_POISONED, even on architectures that do not support HWPOISON otherwise. In this case, we will end up on the BUG() in do_exception(). Fix this by treating VM_FAULT_HWPOISON the same as VM_FAULT_SIGBUS, similar to x86 when MEMORY_FAILURE is not configured. Also print unexpected fault flags, for easier debugging. Note that VM_FAULT_HWPOISON_LARGE is not expected, because s390 cannot support swap entries on other levels than PTE level. Cc: stable@vger.kernel.org # 6.6+ Fixes: af19487f00f3 ("mm: make PTE_MARKER_SWAPIN_ERROR more general") Reported-by: Yunseong Kim Tested-by: Yunseong Kim Acked-by: Alexander Gordeev Signed-off-by: Gerald Schaefer Message-ID: <20240715180416.3632453-1-gerald.schaefer@linux.ibm.com> Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit d347c9a398bf7eab9408d207c0a50fb720f9de7d Author: Dan Carpenter Date: Sun Apr 28 15:57:00 2024 +0300 drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() commit 6769a23697f17f9bf9365ca8ed62fe37e361a05a upstream. The "instance" variable needs to be signed for the error handling to work. Fixes: 8b2faf1a4f3b ("drm/amdgpu: add error handle to avoid out-of-bounds") Reviewed-by: Bob Zhou Signed-off-by: Dan Carpenter Signed-off-by: Alex Deucher Cc: Siddh Raman Pant Signed-off-by: Greg Kroah-Hartman