Changelog in Linux kernel 6.1.102

 
ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 [+ + +]
Author: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Date:   Fri Jul 12 15:06:42 2024 -0300

    ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
    
    commit 8fc1e8b230771442133d5cf5fa4313277aa2bb8b upstream.
    
    Positivo SU C1400 is equipped with ALC256, and it needs
    ALC269_FIXUP_ASPIRE_HEADSET_MIC quirk to make its headset mic work.
    
    Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240712180642.22564-1-edson.drosdeck@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 [+ + +]
Author: Seunghun Han <kkamagui@gmail.com>
Date:   Thu Jul 18 17:09:08 2024 +0900

    ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
    
    commit d7063c08738573fc2f3296da6d31a22fa8aa843a upstream.
    
    Samsung Galaxy Book Pro 360 (13" 2022 NT935QDB-KC71S) with codec SSID
    144d:c1a4 requires the same workaround to enable the speaker amp
    as other Samsung models with the ALC298 codec.
    
    Signed-off-by: Seunghun Han <kkamagui@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240718080908.8677-1-kkamagui@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused [+ + +]
Author: Shengjiu Wang <shengjiu.wang@nxp.com>
Date:   Wed Jul 17 14:44:53 2024 +0800

    ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused
    
    commit 88e98af9f4b5b0d60c1fe7f7f2701b5467691e75 upstream.
    
    When suspended, the DMA channel may enter PAUSE state if dmaengine_pause()
    is supported by DMA.
    At this state, dmaengine_synchronize() should not be called, otherwise
    the DMA channel can't be resumed successfully.
    
    Fixes: e8343410ddf0 ("ALSA: dmaengine: Synchronize dma channel after drop()")
    Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/1721198693-27636-1-git-send-email-shengjiu.wang@nxp.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB [+ + +]
Author: Krishna Kurapati <quic_kriskura@quicinc.com>
Date:   Thu Jul 4 20:58:41 2024 +0530

    arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB
    
    commit 4ae4837871ee8c8b055cf8131f65d31ee4208fa0 upstream.
    
    For Gen-1 targets like IPQ6018, it is seen that stressing out the
    controller in host mode results in HC died error:
    
     xhci-hcd.12.auto: xHCI host not responding to stop endpoint command
     xhci-hcd.12.auto: xHCI host controller not responding, assume dead
     xhci-hcd.12.auto: HC died; cleaning up
    
    And at this instant only restarting the host mode fixes it. Disable
    SuperSpeed instance in park mode for IPQ6018 to mitigate this issue.
    
    Cc: stable@vger.kernel.org
    Fixes: 20bb9e3dd2e4 ("arm64: dts: qcom: ipq6018: add usb3 DT description")
    Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
    Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Link: https://lore.kernel.org/r/20240704152848.3380602-2-quic_kriskura@quicinc.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB [+ + +]
Author: Krishna Kurapati <quic_kriskura@quicinc.com>
Date:   Thu Jul 4 20:58:47 2024 +0530

    arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB
    
    commit 44ea1ae3cf95db97e10d6ce17527948121f1dd4b upstream.
    
    For Gen-1 targets like MSM8996, it is seen that stressing out the
    controller in host mode results in HC died error:
    
     xhci-hcd.12.auto: xHCI host not responding to stop endpoint command
     xhci-hcd.12.auto: xHCI host controller not responding, assume dead
     xhci-hcd.12.auto: HC died; cleaning up
    
    And at this instant only restarting the host mode fixes it. Disable
    SuperSpeed instance in park mode for MSM8996 to mitigate this issue.
    
    Cc: stable@vger.kernel.org
    Fixes: 1e39255ed29d ("arm64: dts: msm8996: Add device node for qcom,dwc3")
    Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
    Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Link: https://lore.kernel.org/r/20240704152848.3380602-8-quic_kriskura@quicinc.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB [+ + +]
Author: Krishna Kurapati <quic_kriskura@quicinc.com>
Date:   Thu Jul 4 20:58:44 2024 +0530

    arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB
    
    commit fad58a41b84667cb6c9232371fc3af77d4443889 upstream.
    
    For Gen-1 targets like SDM630, it is seen that stressing out the
    controller in host mode results in HC died error:
    
     xhci-hcd.12.auto: xHCI host not responding to stop endpoint command
     xhci-hcd.12.auto: xHCI host controller not responding, assume dead
     xhci-hcd.12.auto: HC died; cleaning up
    
    And at this instant only restarting the host mode fixes it. Disable
    SuperSpeed instance in park mode for SDM630 to mitigate this issue.
    
    Cc: stable@vger.kernel.org
    Fixes: c65a4ed2ea8b ("arm64: dts: qcom: sdm630: Add USB configuration")
    Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
    Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Link: https://lore.kernel.org/r/20240704152848.3380602-5-quic_kriskura@quicinc.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
btrfs: do not BUG_ON on failure to get dir index for new snapshot [+ + +]
Author: Filipe Manana <fdmanana@suse.com>
Date:   Tue Jun 13 16:42:16 2023 +0100

    btrfs: do not BUG_ON on failure to get dir index for new snapshot
    
    commit df9f278239046719c91aeb59ec0afb1a99ee8b2b upstream.
    
    During the transaction commit path, at create_pending_snapshot(), there
    is no need to BUG_ON() in case we fail to get a dir index for the snapshot
    in the parent directory. This should fail very rarely because the parent
    inode should be loaded in memory already, with the respective delayed
    inode created and the parent inode's index_cnt field already initialized.
    
    However if it fails, it may be -ENOMEM like the comment at
    create_pending_snapshot() says or any error returned by
    btrfs_search_slot() through btrfs_set_inode_index_count(), which can be
    pretty much anything such as -EIO or -EUCLEAN for example. So the comment
    is not correct when it says it can only be -ENOMEM.
    
    However doing a BUG_ON() here is overkill, since we can instead abort
    the transaction and return the error. Note that any error returned by
    create_pending_snapshot() will eventually result in a transaction
    abort at cleanup_transaction(), called from btrfs_commit_transaction(),
    but we can explicitly abort the transaction at this point instead so that
    we get a stack trace to tell us that the call to btrfs_set_inode_index()
    failed.
    
    So just abort the transaction and return in case btrfs_set_inode_index()
    returned an error at create_pending_snapshot().
    
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sergio Gonzц║lez Collado <sergio.collado@gmail.com>
    Reported-by: syzbot+c56033c8c15c08286062@syzkaller.appspotmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Sun Apr 28 15:57:00 2024 +0300

    drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
    
    commit 6769a23697f17f9bf9365ca8ed62fe37e361a05a upstream.
    
    The "instance" variable needs to be signed for the error handling to work.
    
    Fixes: 8b2faf1a4f3b ("drm/amdgpu: add error handle to avoid out-of-bounds")
    Reviewed-by: Bob Zhou <bob.zhou@amd.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: Siddh Raman Pant <siddh.raman.pant@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
f2fs: avoid dead loop in f2fs_issue_checkpoint() [+ + +]
Author: Chao Yu <chao@kernel.org>
Date:   Fri Jun 2 16:36:05 2023 +0800

    f2fs: avoid dead loop in f2fs_issue_checkpoint()
    
    commit 5079e1c0c879311668b77075de3e701869804adf upstream.
    
    generic/082 reports a bug as below:
    
    __schedule+0x332/0xf60
    schedule+0x6f/0xf0
    schedule_timeout+0x23b/0x2a0
    wait_for_completion+0x8f/0x140
    f2fs_issue_checkpoint+0xfe/0x1b0
    f2fs_sync_fs+0x9d/0xb0
    sync_filesystem+0x87/0xb0
    dquot_load_quota_sb+0x41b/0x460
    dquot_load_quota_inode+0xa5/0x130
    dquot_quota_on+0x4b/0x60
    f2fs_quota_on+0xe3/0x1b0
    do_quotactl+0x483/0x700
    __x64_sys_quotactl+0x15c/0x310
    do_syscall_64+0x3f/0x90
    entry_SYSCALL_64_after_hwframe+0x72/0xdc
    
    The root casue is race case as below:
    
    Thread A                        Kworker                 IRQ
    - write()
    : write data to quota.user file
    
                                    - writepages
                                     - f2fs_submit_page_write
                                      - __is_cp_guaranteed return false
                                      - inc_page_count(F2FS_WB_DATA)
                                     - submit_bio
    - quotactl(Q_QUOTAON)
     - f2fs_quota_on
      - dquot_quota_on
       - dquot_load_quota_inode
        - vfs_setup_quota_inode
        : inode->i_flags |= S_NOQUOTA
                                                            - f2fs_write_end_io
                                                             - __is_cp_guaranteed return true
                                                             - dec_page_count(F2FS_WB_CP_DATA)
        - dquot_load_quota_sb
         - f2fs_sync_fs
          - f2fs_issue_checkpoint
           - do_checkpoint
            - f2fs_wait_on_all_pages(F2FS_WB_CP_DATA)
            : loop due to F2FS_WB_CP_DATA count is negative
    
    Calling filemap_fdatawrite() and filemap_fdatawait() to keep all data
    clean before quota file setup.
    
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sergio Gonzц║lez Collado <sergio.collado@gmail.com>
    Reported-by: syzbot+d0ab8746c920a592aeab@syzkaller.appspotmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
filelock: Fix fcntl/close race recovery compat path [+ + +]
Author: Jann Horn <jannh@google.com>
Date:   Tue Jul 23 17:03:56 2024 +0200

    filelock: Fix fcntl/close race recovery compat path
    
    commit f8138f2ad2f745b9a1c696a05b749eabe44337ea upstream.
    
    When I wrote commit 3cad1bc01041 ("filelock: Remove locks reliably when
    fcntl/close race is detected"), I missed that there are two copies of the
    code I was patching: The normal version, and the version for 64-bit offsets
    on 32-bit kernels.
    Thanks to Greg KH for stumbling over this while doing the stable
    backport...
    
    Apply exactly the same fix to the compat path for 32-bit kernels.
    
    Fixes: c293621bbf67 ("[PATCH] stale POSIX lock handling")
    Cc: stable@kernel.org
    Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2563
    Signed-off-by: Jann Horn <jannh@google.com>
    Link: https://lore.kernel.org/r/20240723-fs-lock-recover-compatfix-v1-1-148096719529@google.com
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fs/ntfs3: Validate ff offset [+ + +]
Author: lei lu <llfamsec@gmail.com>
Date:   Wed May 29 02:52:22 2024 +0800

    fs/ntfs3: Validate ff offset
    
    commit 50c47879650b4c97836a0086632b3a2e300b0f06 upstream.
    
    This adds sanity checks for ff offset. There is a check
    on rt->first_free at first, but walking through by ff
    without any check. If the second ff is a large offset.
    We may encounter an out-of-bound read.
    
    Signed-off-by: lei lu <llfamsec@gmail.com>
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
jfs: don't walk off the end of ealist [+ + +]
Author: lei lu <llfamsec@gmail.com>
Date:   Wed May 29 02:30:40 2024 +0800

    jfs: don't walk off the end of ealist
    
    commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream.
    
    Add a check before visiting the members of ea to
    make sure each ea stays within the ealist.
    
    Signed-off-by: lei lu <llfamsec@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 6.1.102 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Jul 27 11:32:20 2024 +0200

    Linux 6.1.102
    
    Link: https://lore.kernel.org/r/20240725142728.029052310@linuxfoundation.org
    Tested-by:б═Peterб═Schneiderб═<pschneider1968@googlemail.com>
    Tested-by: SeongJae Park <sj@kernel.org>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Mark Brown <broonie@kernel.org>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: ChromeOS CQ Test <chromeos-kernel-stable-merge@google.com>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ocfs2: add bounds checking to ocfs2_check_dir_entry() [+ + +]
Author: lei lu <llfamsec@gmail.com>
Date:   Wed Jun 26 18:44:33 2024 +0800

    ocfs2: add bounds checking to ocfs2_check_dir_entry()
    
    commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream.
    
    This adds sanity checks for ocfs2_dir_entry to make sure all members of
    ocfs2_dir_entry don't stray beyond valid memory region.
    
    Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com
    Signed-off-by: lei lu <llfamsec@gmail.com>
    Reviewed-by: Heming Zhao <heming.zhao@suse.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tap: add missing verification for short frame [+ + +]
Author: Si-Wei Liu <si-wei.liu@oracle.com>
Date:   Wed Jul 24 10:04:51 2024 -0700

    tap: add missing verification for short frame
    
    commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream.
    
    The cited commit missed to check against the validity of the frame length
    in the tap_get_user_xdp() path, which could cause a corrupted skb to be
    sent downstack. Even before the skb is transmitted, the
    tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
    than ETH_HLEN. Once transmitted, this could either cause out-of-bound
    access beyond the actual length, or confuse the underlayer with incorrect
    or inconsistent header length in the skb metadata.
    
    In the alternative path, tap_get_user() already prohibits short frame which
    has the length less than Ethernet header size from being transmitted.
    
    This is to drop any frame shorter than the Ethernet header size just like
    how tap_get_user() does.
    
    CVE: CVE-2024-41090
    Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
    Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
    Cc: stable@vger.kernel.org
    Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
    Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Jason Wang <jasowang@redhat.com>
    Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tun: add missing verification for short frame [+ + +]
Author: Dongli Zhang <dongli.zhang@oracle.com>
Date:   Wed Jul 24 10:04:52 2024 -0700

    tun: add missing verification for short frame
    
    commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream.
    
    The cited commit missed to check against the validity of the frame length
    in the tun_xdp_one() path, which could cause a corrupted skb to be sent
    downstack. Even before the skb is transmitted, the
    tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
    can be less than ETH_HLEN. Once transmitted, this could either cause
    out-of-bound access beyond the actual length, or confuse the underlayer
    with incorrect or inconsistent header length in the skb metadata.
    
    In the alternative path, tun_get_user() already prohibits short frame which
    has the length less than Ethernet header size from being transmitted for
    IFF_TAP.
    
    This is to drop any frame shorter than the Ethernet header size just like
    how tun_get_user() does.
    
    CVE: CVE-2024-41091
    Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
    Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
    Cc: stable@vger.kernel.org
    Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
    Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Jason Wang <jasowang@redhat.com>
    Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>