--- /dev/null
+From daf6c4681a74034d5723e2fb761e0d7f3a1ca18f Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg <cs@tuxedo.de>
+Date: Thu, 28 Mar 2024 11:27:57 +0100
+Subject: ALSA: hda/realtek - Fix inactive headset mic jack
+
+From: Christoffer Sandberg <cs@tuxedo.de>
+
+commit daf6c4681a74034d5723e2fb761e0d7f3a1ca18f upstream.
+
+This patch adds the existing fixup to certain TF platforms implementing
+the ALC274 codec with a headset jack. It fixes/activates the inactive
+microphone of the headset.
+
+Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: <stable@vger.kernel.org>
+Message-ID: <20240328102757.50310-1-wse@tuxedocomputers.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10302,6 +10302,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1d05, 0x1147, "TongFang GMxTGxx", ALC269_FIXUP_NO_SHUTUP),
+ SND_PCI_QUIRK(0x1d05, 0x115c, "TongFang GMxTGxx", ALC269_FIXUP_NO_SHUTUP),
+ SND_PCI_QUIRK(0x1d05, 0x121b, "TongFang GMxAGxx", ALC269_FIXUP_NO_SHUTUP),
++ SND_PCI_QUIRK(0x1d05, 0x1387, "TongFang GMxIXxx", ALC2XX_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
--- /dev/null
+From 1576f263ee2147dc395531476881058609ad3d38 Mon Sep 17 00:00:00 2001
+From: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
+Date: Tue, 2 Apr 2024 00:46:02 +0700
+Subject: ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
+
+From: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
+
+commit 1576f263ee2147dc395531476881058609ad3d38 upstream.
+
+This patch addresses an issue with the Panasonic CF-SZ6's existing quirk,
+specifically its headset microphone functionality. Previously, the quirk
+used ALC269_FIXUP_HEADSET_MODE, which does not support the CF-SZ6's design
+of a single 3.5mm jack for both mic and audio output effectively. The
+device uses pin 0x19 for the headset mic without jack detection.
+
+Following verification on the CF-SZ6 and discussions with the original
+patch author, i determined that the update to
+ALC269_FIXUP_ASPIRE_HEADSET_MIC is the appropriate solution. This change
+is custom-designed for the CF-SZ6's unique hardware setup, which includes
+a single 3.5mm jack for both mic and audio output, connecting the headset
+microphone to pin 0x19 without the use of jack detection.
+
+Fixes: 0fca97a29b83 ("ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk")
+Signed-off-by: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
+Cc: <stable@vger.kernel.org>
+Message-ID: <20240401174602.14133-1-gedeagas22@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10072,7 +10072,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x12cc, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+- SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
++ SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
+ SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP),
--- /dev/null
+From b3b95964590a3d756d69ea8604c856de805479ad Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Thu, 4 Apr 2024 11:33:27 +0200
+Subject: gpio: cdev: check for NULL labels when sanitizing them for irqs
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit b3b95964590a3d756d69ea8604c856de805479ad upstream.
+
+We need to take into account that a line's consumer label may be NULL
+and not try to kstrdup() it in that case but rather pass the NULL
+pointer up the stack to the interrupt request function.
+
+To that end: let make_irq_label() return NULL as a valid return value
+and use ERR_PTR() instead to signal an allocation failure to callers.
+
+Cc: stable@vger.kernel.org
+Fixes: b34490879baa ("gpio: cdev: sanitize the label before requesting the interrupt")
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/lkml/20240402093534.212283-1-naresh.kamboju@linaro.org/
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Tested-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -1012,7 +1012,16 @@ static u32 gpio_v2_line_config_debounce_
+
+ static inline char *make_irq_label(const char *orig)
+ {
+- return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
++ char *new;
++
++ if (!orig)
++ return NULL;
++
++ new = kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
++ if (!new)
++ return ERR_PTR(-ENOMEM);
++
++ return new;
+ }
+
+ static inline void free_irq_label(const char *label)
+@@ -1086,8 +1095,8 @@ static int edge_detector_setup(struct li
+ irqflags |= IRQF_ONESHOT;
+
+ label = make_irq_label(line->req->label);
+- if (!label)
+- return -ENOMEM;
++ if (IS_ERR(label))
++ return PTR_ERR(label);
+
+ /* Request a thread to read the events */
+ ret = request_threaded_irq(irq, edge_irq_handler, edge_irq_thread,
+@@ -2194,8 +2203,8 @@ static int lineevent_create(struct gpio_
+ goto out_free_le;
+
+ label = make_irq_label(le->label);
+- if (!label) {
+- ret = -ENOMEM;
++ if (IS_ERR(label)) {
++ ret = PTR_ERR(label);
+ goto out_free_le;
+ }
+
--- /dev/null
+From 83092341e15d0dfee1caa8dc502f66c815ccd78a Mon Sep 17 00:00:00 2001
+From: Kent Gibson <warthog618@gmail.com>
+Date: Thu, 4 Apr 2024 11:33:28 +0200
+Subject: gpio: cdev: fix missed label sanitizing in debounce_setup()
+
+From: Kent Gibson <warthog618@gmail.com>
+
+commit 83092341e15d0dfee1caa8dc502f66c815ccd78a upstream.
+
+When adding sanitization of the label, the path through
+edge_detector_setup() that leads to debounce_setup() was overlooked.
+A request taking this path does not allocate a new label and the
+request label is freed twice when the request is released, resulting
+in memory corruption.
+
+Add label sanitization to debounce_setup().
+
+Cc: stable@vger.kernel.org
+Fixes: b34490879baa ("gpio: cdev: sanitize the label before requesting the interrupt")
+Signed-off-by: Kent Gibson <warthog618@gmail.com>
+[Bartosz: rebased on top of the fix for empty GPIO labels]
+Co-developed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 49 +++++++++++++++++++++++++-------------------
+ 1 file changed, 28 insertions(+), 21 deletions(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -655,6 +655,25 @@ static u32 line_event_id(int level)
+ GPIO_V2_LINE_EVENT_FALLING_EDGE;
+ }
+
++static inline char *make_irq_label(const char *orig)
++{
++ char *new;
++
++ if (!orig)
++ return NULL;
++
++ new = kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
++ if (!new)
++ return ERR_PTR(-ENOMEM);
++
++ return new;
++}
++
++static inline void free_irq_label(const char *label)
++{
++ kfree(label);
++}
++
+ #ifdef CONFIG_HTE
+
+ static enum hte_return process_hw_ts_thread(void *p)
+@@ -942,6 +961,7 @@ static int debounce_setup(struct line *l
+ {
+ unsigned long irqflags;
+ int ret, level, irq;
++ char *label;
+
+ /* try hardware */
+ ret = gpiod_set_debounce(line->desc, debounce_period_us);
+@@ -964,11 +984,17 @@ static int debounce_setup(struct line *l
+ if (irq < 0)
+ return -ENXIO;
+
++ label = make_irq_label(line->req->label);
++ if (IS_ERR(label))
++ return -ENOMEM;
++
+ irqflags = IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING;
+ ret = request_irq(irq, debounce_irq_handler, irqflags,
+- line->req->label, line);
+- if (ret)
++ label, line);
++ if (ret) {
++ free_irq_label(label);
+ return ret;
++ }
+ line->irq = irq;
+ } else {
+ ret = hte_edge_setup(line, GPIO_V2_LINE_FLAG_EDGE_BOTH);
+@@ -1010,25 +1036,6 @@ static u32 gpio_v2_line_config_debounce_
+ return 0;
+ }
+
+-static inline char *make_irq_label(const char *orig)
+-{
+- char *new;
+-
+- if (!orig)
+- return NULL;
+-
+- new = kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
+- if (!new)
+- return ERR_PTR(-ENOMEM);
+-
+- return new;
+-}
+-
+-static inline void free_irq_label(const char *label)
+-{
+- kfree(label);
+-}
+-
+ static void edge_detector_stop(struct line *line)
+ {
+ if (line->irq) {
--- /dev/null
+From 5ed11af19e56f0434ce0959376d136005745a936 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 2 Apr 2024 09:31:22 +0900
+Subject: ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 5ed11af19e56f0434ce0959376d136005745a936 upstream.
+
+SMB2_GLOBAL_CAP_ENCRYPTION flag should be used only for 3.0 and
+3.0.2 dialects. This flags set cause compatibility problems with
+other SMB clients.
+
+Reported-by: James Christopher Adduono <jc@adduono.com>
+Tested-by: James Christopher Adduono <jc@adduono.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2ops.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/smb2ops.c
++++ b/fs/smb/server/smb2ops.c
+@@ -228,6 +228,11 @@ void init_smb3_0_server(struct ksmbd_con
+ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
++ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
++ (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
++ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
++ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
++
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ }
+@@ -275,11 +280,6 @@ int init_smb3_11_server(struct ksmbd_con
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
+ SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
+
+- if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
+- (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
+- conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
+- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+-
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+
--- /dev/null
+From c1832f67035dc04fb89e6b591b64e4d515843cda Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 31 Mar 2024 21:58:26 +0900
+Subject: ksmbd: don't send oplock break if rename fails
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c1832f67035dc04fb89e6b591b64e4d515843cda upstream.
+
+Don't send oplock break if rename fails. This patch fix
+smb2.oplock.batch20 test.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -5631,8 +5631,9 @@ static int smb2_rename(struct ksmbd_work
+ if (!file_info->ReplaceIfExists)
+ flags = RENAME_NOREPLACE;
+
+- smb_break_all_levII_oplock(work, fp, 0);
+ rc = ksmbd_vfs_rename(work, &fp->filp->f_path, new_name, flags);
++ if (!rc)
++ smb_break_all_levII_oplock(work, fp, 0);
+ out:
+ kfree(new_name);
+ return rc;
--- /dev/null
+From a677ebd8ca2f2632ccdecbad7b87641274e15aac Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 31 Mar 2024 21:59:10 +0900
+Subject: ksmbd: validate payload size in ipc response
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit a677ebd8ca2f2632ccdecbad7b87641274e15aac upstream.
+
+If installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc
+response to ksmbd kernel server. ksmbd should validate payload size of
+ipc response from ksmbd.mountd to avoid memory overrun or
+slab-out-of-bounds. This patch validate 3 ipc response that has payload.
+
+Cc: stable@vger.kernel.org
+Reported-by: Chao Ma <machao2019@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/ksmbd_netlink.h | 3 ++-
+ fs/smb/server/mgmt/share_config.c | 7 ++++++-
+ fs/smb/server/transport_ipc.c | 37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/ksmbd_netlink.h
++++ b/fs/smb/server/ksmbd_netlink.h
+@@ -166,7 +166,8 @@ struct ksmbd_share_config_response {
+ __u16 force_uid;
+ __u16 force_gid;
+ __s8 share_name[KSMBD_REQ_MAX_SHARE_NAME];
+- __u32 reserved[112]; /* Reserved room */
++ __u32 reserved[111]; /* Reserved room */
++ __u32 payload_sz;
+ __u32 veto_list_sz;
+ __s8 ____payload[];
+ };
+--- a/fs/smb/server/mgmt/share_config.c
++++ b/fs/smb/server/mgmt/share_config.c
+@@ -158,7 +158,12 @@ static struct ksmbd_share_config *share_
+ share->name = kstrdup(name, GFP_KERNEL);
+
+ if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
+- share->path = kstrdup(ksmbd_share_config_path(resp),
++ int path_len = PATH_MAX;
++
++ if (resp->payload_sz)
++ path_len = resp->payload_sz - resp->veto_list_sz;
++
++ share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
+ GFP_KERNEL);
+ if (share->path)
+ share->path_sz = strlen(share->path);
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -65,6 +65,7 @@ struct ipc_msg_table_entry {
+ struct hlist_node ipc_table_hlist;
+
+ void *response;
++ unsigned int msg_sz;
+ };
+
+ static struct delayed_work ipc_timer_work;
+@@ -275,6 +276,7 @@ static int handle_response(int type, voi
+ }
+
+ memcpy(entry->response, payload, sz);
++ entry->msg_sz = sz;
+ wake_up_interruptible(&entry->wait);
+ ret = 0;
+ break;
+@@ -453,6 +455,34 @@ out:
+ return ret;
+ }
+
++static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
++{
++ unsigned int msg_sz = entry->msg_sz;
++
++ if (entry->type == KSMBD_EVENT_RPC_REQUEST) {
++ struct ksmbd_rpc_command *resp = entry->response;
++
++ msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
++ } else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {
++ struct ksmbd_spnego_authen_response *resp = entry->response;
++
++ msg_sz = sizeof(struct ksmbd_spnego_authen_response) +
++ resp->session_key_len + resp->spnego_blob_len;
++ } else if (entry->type == KSMBD_EVENT_SHARE_CONFIG_REQUEST) {
++ struct ksmbd_share_config_response *resp = entry->response;
++
++ if (resp->payload_sz) {
++ if (resp->payload_sz < resp->veto_list_sz)
++ return -EINVAL;
++
++ msg_sz = sizeof(struct ksmbd_share_config_response) +
++ resp->payload_sz;
++ }
++ }
++
++ return entry->msg_sz != msg_sz ? -EINVAL : 0;
++}
++
+ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle)
+ {
+ struct ipc_msg_table_entry entry;
+@@ -477,6 +507,13 @@ static void *ipc_msg_send_request(struct
+ ret = wait_event_interruptible_timeout(entry.wait,
+ entry.response != NULL,
+ IPC_WAIT_TIMEOUT);
++ if (entry.response) {
++ ret = ipc_validate_msg(&entry);
++ if (ret) {
++ kvfree(entry.response);
++ entry.response = NULL;
++ }
++ }
+ out:
+ down_write(&ipc_msg_table_lock);
+ hash_del(&entry.ipc_table_hlist);
nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch
ice-fix-typo-in-assignment.patch
x86-retpoline-add-noendbr-annotation-to-the-srso-dummy-return-thunk.patch
+gpio-cdev-check-for-null-labels-when-sanitizing-them-for-irqs.patch
+gpio-cdev-fix-missed-label-sanitizing-in-debounce_setup.patch
+ksmbd-don-t-send-oplock-break-if-rename-fails.patch
+ksmbd-validate-payload-size-in-ipc-response.patch
+ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
+alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
+alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
