From: Greg Kroah-Hartman Date: Thu, 30 Jan 2025 13:14:42 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.13.1~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18af752e885b5e0c15f9b6c659c0ecfe6758c804;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: asoc-samsung-midas_wm1811-fix-headphone-switch-control-creation.patch smb-client-fix-null-ptr-deref-in-crypto_aead_setkey.patch
---
diff --git a/queue-6.1/asoc-samsung-midas_wm1811-fix-headphone-switch-control-creation.patch b/queue-6.1/asoc-samsung-midas_wm1811-fix-headphone-switch-control-creation.patch
new file mode 100644
index 0000000000..39a346cd76
--- /dev/null
+++ b/queue-6.1/asoc-samsung-midas_wm1811-fix-headphone-switch-control-creation.patch
@@ -0,0 +1,39 @@
+From 48c6253fefa38556e0c5c2942edd9181529407e4 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Wed, 9 Aug 2023 12:04:46 +0200
+Subject: ASoC: samsung: midas_wm1811: Fix 'Headphone Switch' control creation
+
+From: Marek Szyprowski
+
+commit 48c6253fefa38556e0c5c2942edd9181529407e4 upstream.
+
+'Headphone Switch' control is already registered from
+sound/soc/codecs/wm_hubs.c:479, so duplicating it in midas_wm1811
+causes following probe failure:
+
+midas-audio sound: control 2:0:0:Headphone Switch:0 is already present
+midas-audio sound: ASoC: Failed to add Headphone Switch: -16
+midas-audio sound: Failed to register card: -16
+midas-audio: probe of sound failed with error -16
+
+Fix this by dropping duplicated control.
+
+Fixes: d27224a45e54 ("ASoC: samsung: midas_wm1811: Map missing jack kcontrols")
+Signed-off-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20230809100446.2105825-1-m.szyprowski@samsung.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/samsung/midas_wm1811.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/soc/samsung/midas_wm1811.c
++++ b/sound/soc/samsung/midas_wm1811.c
+@@ -257,7 +257,6 @@ static const struct snd_kcontrol_new mid
+ SOC_DAPM_PIN_SWITCH("Main Mic"),
+ SOC_DAPM_PIN_SWITCH("Sub Mic"),
+ SOC_DAPM_PIN_SWITCH("Headset Mic"),
+- SOC_DAPM_PIN_SWITCH("Headphone"),
+
+ SOC_DAPM_PIN_SWITCH("FM In"),
+ };
diff --git a/queue-6.1/series b/queue-6.1/series
index a7b0c909f9..31d20b456d 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -45,3 +45,5 @@ alsa-usb-audio-add-delay-quirk-for-usb-audio-device.patch
 input-atkbd-map-f23-key-to-support-default-copilot-shortcut.patch
 input-xpad-add-unofficial-xbox-360-wireless-receiver-clone.patch
 input-xpad-add-support-for-wooting-two-he-arm.patch
+smb-client-fix-null-ptr-deref-in-crypto_aead_setkey.patch
+asoc-samsung-midas_wm1811-fix-headphone-switch-control-creation.patch
diff --git a/queue-6.1/smb-client-fix-null-ptr-deref-in-crypto_aead_setkey.patch b/queue-6.1/smb-client-fix-null-ptr-deref-in-crypto_aead_setkey.patch
new file mode 100644
index 0000000000..2ce103249d
--- /dev/null
+++ b/queue-6.1/smb-client-fix-null-ptr-deref-in-crypto_aead_setkey.patch
@@ -0,0 +1,121 @@
+From 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Mon, 25 Nov 2024 17:17:23 -0300
+Subject: smb: client: fix NULL ptr deref in crypto_aead_setkey()
+
+From: Paulo Alcantara
+
+commit 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2 upstream.
+
+Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so
+when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response,
+the client uses AES-128-CCM as the default cipher. See MS-SMB2
+3.3.5.4.
+
+Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added
+a @server->cipher_type check to conditionally call
+smb3_crypto_aead_allocate(), but that check would always be false as
+@server->cipher_type is unset for SMB3.02.
+
+Fix the following KASAN splat by setting @server->cipher_type for
+SMB3.02 as well.
+
+mount.cifs //srv/share /mnt -o vers=3.02,seal,...
+
+BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130
+Read of size 8 at addr 0000000000000020 by task mount.cifs/1095
+CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
+04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x5d/0x80
+ ? crypto_aead_setkey+0x2c/0x130
+ kasan_report+0xda/0x110
+ ? crypto_aead_setkey+0x2c/0x130
+ crypto_aead_setkey+0x2c/0x130
+ crypt_message+0x258/0xec0 [cifs]
+ ? __asan_memset+0x23/0x50
+ ? __pfx_crypt_message+0x10/0x10 [cifs]
+ ? mark_lock+0xb0/0x6a0
+ ? hlock_class+0x32/0xb0
+ ? mark_lock+0xb0/0x6a0
+ smb3_init_transform_rq+0x352/0x3f0 [cifs]
+ ? lock_acquire.part.0+0xf4/0x2a0
+ smb_send_rqst+0x144/0x230 [cifs]
+ ? __pfx_smb_send_rqst+0x10/0x10 [cifs]
+ ? hlock_class+0x32/0xb0
+ ? smb2_setup_request+0x225/0x3a0 [cifs]
+ ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]
+ compound_send_recv+0x59b/0x1140 [cifs]
+ ? __pfx_compound_send_recv+0x10/0x10 [cifs]
+ ? __create_object+0x5e/0x90
+ ? hlock_class+0x32/0xb0
+ ? do_raw_spin_unlock+0x9a/0xf0
+ cifs_send_recv+0x23/0x30 [cifs]
+ SMB2_tcon+0x3ec/0xb30 [cifs]
+ ? __pfx_SMB2_tcon+0x10/0x10 [cifs]
+ ? lock_acquire.part.0+0xf4/0x2a0
+ ? __pfx_lock_release+0x10/0x10
+ ? do_raw_spin_trylock+0xc6/0x120
+ ? lock_acquire+0x3f/0x90
+ ? _get_xid+0x16/0xd0 [cifs]
+ ? __pfx_SMB2_tcon+0x10/0x10 [cifs]
+ ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
+ cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
+ ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]
+ ? cifs_get_tcp_session+0xaa0/0xca0 [cifs]
+ cifs_mount_get_session+0x8a/0x210 [cifs]
+ dfs_mount_share+0x1b0/0x11d0 [cifs]
+ ? __pfx___lock_acquire+0x10/0x10
+ ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
+ ? lock_acquire.part.0+0xf4/0x2a0
+ ? find_held_lock+0x8a/0xa0
+ ? hlock_class+0x32/0xb0
+ ? lock_release+0x203/0x5d0
+ cifs_mount+0xb3/0x3d0 [cifs]
+ ? do_raw_spin_trylock+0xc6/0x120
+ ? __pfx_cifs_mount+0x10/0x10 [cifs]
+ ? lock_acquire+0x3f/0x90
+ ? find_nls+0x16/0xa0
+ ? smb3_update_mnt_flags+0x372/0x3b0 [cifs]
+ cifs_smb3_do_mount+0x1e2/0xc80 [cifs]
+ ? __pfx_vfs_parse_fs_string+0x10/0x10
+ ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]
+ smb3_get_tree+0x1bf/0x330 [cifs]
+ vfs_get_tree+0x4a/0x160
+ path_mount+0x3c1/0xfb0
+ ? kasan_quarantine_put+0xc7/0x1d0
+ ? __pfx_path_mount+0x10/0x10
+ ? kmem_cache_free+0x118/0x3e0
+ ? user_path_at+0x74/0xa0
+ __x64_sys_mount+0x1a6/0x1e0
+ ? __pfx___x64_sys_mount+0x10/0x10
+ ? mark_held_locks+0x1a/0x90
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Cc: Tom Talpey
+Reported-by: Jianhong Yin
+Cc: stable@vger.kernel.org # v6.12
+Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
+Signed-off-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2pdu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -1070,7 +1070,9 @@ SMB2_negotiate(const unsigned int xid,
+ * SMB3.0 supports only 1 cipher and doesn't have a encryption neg context
+ * Set the cipher type manually.
+ */
+- if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
++ if ((server->dialect == SMB30_PROT_ID ||
++ server->dialect == SMB302_PROT_ID) &&
++ (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
+ server->cipher_type = SMB2_ENCRYPTION_AES128_CCM;
+
+ security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
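Review bot: The comment kept as context directly above the widened condition in SMB2_negotiate() still names only SMB3.0, although the new test also matches SMB302_PROT_ID; I would reword it to `SMB3.0 and SMB3.02 support only 1 cipher and have no encryption neg context` so a later cleanup does not narrow the check again and bring back the crash on `seal` mounts. The trailers say `Cc: stable@vger.kernel.org # v6.12` and `Fixes: b0abcd65ec54`, so before this is queued for 6.1 it is worth confirming that b0abcd65ec54 (or a backport of it) is present in the 6.1 tree; this page does not show that. The dereference in the KASAN trace is in crypt_message(), outside this hunk, so the change presumably removes the trigger rather than adding a guard where crypto_aead_setkey() is called. SMB2_negotiate()'s body starts and ends outside the hunk.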