From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 4 Mar 2024 06:39:24 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v4.19.309~89
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6519b0122bac491c06816733735da748982bcce2;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	alsa-firewire-lib-fix-to-check-cycle-continuity.patch
	alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
	alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
	tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
---

diff --git a/queue-6.1/alsa-firewire-lib-fix-to-check-cycle-continuity.patch b/queue-6.1/alsa-firewire-lib-fix-to-check-cycle-continuity.patch
new file mode 100644
index 00000000000..a9c36ef8718
--- /dev/null
+++ b/queue-6.1/alsa-firewire-lib-fix-to-check-cycle-continuity.patch
@@ -0,0 +1,39 @@
+From 77ce96543b03f437c6b45f286d8110db2b6622a3 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 18 Feb 2024 12:30:26 +0900
+Subject: ALSA: firewire-lib: fix to check cycle continuity
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 77ce96543b03f437c6b45f286d8110db2b6622a3 upstream.
+
+The local helper function to compare the given pair of cycle count
+evaluates them. If the left value is less than the right value, the
+function returns negative value.
+
+If the safe cycle is less than the current cycle, it is the case of
+cycle lost. However, it is not currently handled properly.
+
+This commit fixes the bug.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 705794c53b00 ("ALSA: firewire-lib: check cycle continuity")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20240218033026.72577-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/amdtp-stream.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -934,7 +934,7 @@ static int generate_device_pkt_descs(str
+ 				// to the reason.
+ 				unsigned int safe_cycle = increment_ohci_cycle_count(next_cycle,
+ 								IR_JUMBO_PAYLOAD_MAX_SKIP_CYCLES);
+-				lost = (compare_ohci_cycle_count(safe_cycle, cycle) > 0);
++				lost = (compare_ohci_cycle_count(safe_cycle, cycle) < 0);
+ 			}
+ 			if (lost) {
+ 				dev_err(&s->unit->device, "Detect discontinuity of cycle: %d %d\n",
diff --git a/queue-6.1/alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch b/queue-6.1/alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
new file mode 100644
index 00000000000..fa605d19e51
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
@@ -0,0 +1,34 @@
+From 1fdf4e8be7059e7784fec11d30cd32784f0bdc83 Mon Sep 17 00:00:00 2001
+From: Hans Peter <flurry123@gmx.ch>
+Date: Mon, 19 Feb 2024 17:38:49 +0100
+Subject: ALSA: hda/realtek: Enable Mute LED on HP 840 G8 (MB 8AB8)
+
+From: Hans Peter <flurry123@gmx.ch>
+
+commit 1fdf4e8be7059e7784fec11d30cd32784f0bdc83 upstream.
+
+On my EliteBook 840 G8 Notebook PC (ProdId 5S7R6EC#ABD; built 2022 for
+german market) the Mute LED is always on. The mute button itself works
+as expected. alsa-info.sh shows a different subsystem-id 0x8ab9 for
+Realtek ALC285 Codec, thus the existing quirks for HP 840 G8 don't work.
+Therefore, add a new quirk for this type of EliteBook.
+
+Signed-off-by: Hans Peter <flurry123@gmx.ch>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20240219164518.4099-1-flurry123@gmx.ch
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9687,6 +9687,7 @@ static const struct snd_pci_quirk alc269
+ 	SND_PCI_QUIRK(0x103c, 0x8aa3, "HP ProBook 450 G9 (MB 8AA1)", ALC236_FIXUP_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8aa8, "HP EliteBook 640 G9 (MB 8AA6)", ALC236_FIXUP_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8aab, "HP EliteBook 650 G9 (MB 8AA9)", ALC236_FIXUP_HP_GPIO_LED),
++	SND_PCI_QUIRK(0x103c, 0x8ab9, "HP EliteBook 840 G8 (MB 8AB8)", ALC285_FIXUP_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
diff --git a/queue-6.1/alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
new file mode 100644
index 00000000000..b7382d56862
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
@@ -0,0 +1,44 @@
+From 67c3d7717efbd46092f217b1f811df1b205cce06 Mon Sep 17 00:00:00 2001
+From: Eniac Zhang <eniac-xw.zhang@hp.com>
+Date: Tue, 20 Feb 2024 17:58:12 +0000
+Subject: ALSA: hda/realtek: fix mute/micmute LED For HP mt440
+
+From: Eniac Zhang <eniac-xw.zhang@hp.com>
+
+commit 67c3d7717efbd46092f217b1f811df1b205cce06 upstream.
+
+The HP mt440 Thin Client uses an ALC236 codec and needs the
+ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to make the mute and
+micmute LEDs work.
+
+There are two variants of the USB-C PD chip on this device. Each uses
+a different BIOS and board ID, hence the two entries.
+
+Signed-off-by: Eniac Zhang <eniac-xw.zhang@hp.com>
+Signed-off-by: Alexandru Gagniuc <alexandru.gagniuc@hp.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20240220175812.782687-1-alexandru.gagniuc@hp.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9662,6 +9662,7 @@ static const struct snd_pci_quirk alc269
+ 	SND_PCI_QUIRK(0x103c, 0x8973, "HP EliteBook 860 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8974, "HP EliteBook 840 Aero G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8975, "HP EliteBook x360 840 Aero G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++	SND_PCI_QUIRK(0x103c, 0x897d, "HP mt440 Mobile Thin Client U74", ALC236_FIXUP_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8981, "HP Elite Dragonfly G3", ALC245_FIXUP_CS35L41_SPI_4),
+ 	SND_PCI_QUIRK(0x103c, 0x898e, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2),
+ 	SND_PCI_QUIRK(0x103c, 0x898f, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2),
+@@ -9693,6 +9694,7 @@ static const struct snd_pci_quirk alc269
+ 	SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8b0f, "HP Elite mt645 G7 Mobile Thin Client U81", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ 	SND_PCI_QUIRK(0x103c, 0x8b2f, "HP 255 15.6 inch G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
++	SND_PCI_QUIRK(0x103c, 0x8b3f, "HP mt440 Mobile Thin Client U91", ALC236_FIXUP_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8b43, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ 	SND_PCI_QUIRK(0x103c, 0x8b44, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
diff --git a/queue-6.1/series b/queue-6.1/series
index 908f99533a3..d6874433cd0 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -71,3 +71,7 @@ fbcon-always-restore-the-old-font-data-in-fbcon_do_s.patch
 afs-fix-endless-loop-in-directory-parsing.patch
 riscv-sparse-memory-vmemmap-out-of-bounds-fix.patch
 of-property-fw_devlink-fix-stupid-bug-in-remote-endp.patch
+tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
+alsa-firewire-lib-fix-to-check-cycle-continuity.patch
+alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
+alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
diff --git a/queue-6.1/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch b/queue-6.1/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
new file mode 100644
index 00000000000..e84bf1293c2
--- /dev/null
+++ b/queue-6.1/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
@@ -0,0 +1,43 @@
+From 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 1 Mar 2024 22:04:06 +0900
+Subject: tomoyo: fix UAF write bug in tomoyo_write_control()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream.
+
+Since tomoyo_write_control() updates head->write_buf when write()
+of long lines is requested, we need to fetch head->write_buf after
+head->io_sem is held.  Otherwise, concurrent write() requests can
+cause use-after-free-write and double-free problems.
+
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
+Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
+Cc:  <stable@vger.kernel.org> # Linux 3.1+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/tomoyo/common.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/tomoyo/common.c
++++ b/security/tomoyo/common.c
+@@ -2648,13 +2648,14 @@ ssize_t tomoyo_write_control(struct tomo
+ {
+ 	int error = buffer_len;
+ 	size_t avail_len = buffer_len;
+-	char *cp0 = head->write_buf;
++	char *cp0;
+ 	int idx;
+ 
+ 	if (!head->write)
+ 		return -EINVAL;
+ 	if (mutex_lock_interruptible(&head->io_sem))
+ 		return -EINTR;
++	cp0 = head->write_buf;
+ 	head->read_user_buf_avail = 0;
+ 	idx = tomoyo_read_lock();
+ 	/* Read a line and dispatch it to the policy handler. */