From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 Feb 2025 10:43:42 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v6.6.80~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9df9c17301dbe25b8163fa3f398c8d0929a4db49;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	acct-block-access-to-kernel-internal-filesystems.patch
	alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch
	nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch
	tee-optee-fix-supplicant-wait-loop.patch
---

diff --git a/queue-5.4/acct-block-access-to-kernel-internal-filesystems.patch b/queue-5.4/acct-block-access-to-kernel-internal-filesystems.patch
new file mode 100644
index 0000000000..27d442ac13
--- /dev/null
+++ b/queue-5.4/acct-block-access-to-kernel-internal-filesystems.patch
@@ -0,0 +1,47 @@
+From 890ed45bde808c422c3c27d3285fc45affa0f930 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 11 Feb 2025 18:16:00 +0100
+Subject: acct: block access to kernel internal filesystems
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 890ed45bde808c422c3c27d3285fc45affa0f930 upstream.
+
+There's no point in allowing anything kernel internal nor procfs or
+sysfs.
+
+Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com
+Link: https://lore.kernel.org/r/20250211-work-acct-v1-2-1c16aecab8b3@kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Reported-by: Zicheng Qu <quzicheng@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/acct.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -216,6 +216,20 @@ static int acct_on(struct filename *path
+ 		return -EACCES;
+ 	}
+ 
++	/* Exclude kernel kernel internal filesystems. */
++	if (file_inode(file)->i_sb->s_flags & (SB_NOUSER | SB_KERNMOUNT)) {
++		kfree(acct);
++		filp_close(file, NULL);
++		return -EINVAL;
++	}
++
++	/* Exclude procfs and sysfs. */
++	if (file_inode(file)->i_sb->s_iflags & SB_I_USERNS_VISIBLE) {
++		kfree(acct);
++		filp_close(file, NULL);
++		return -EINVAL;
++	}
++
+ 	if (!(file->f_mode & FMODE_CAN_WRITE)) {
+ 		kfree(acct);
+ 		filp_close(file, NULL);
diff --git a/queue-5.4/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch b/queue-5.4/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch
new file mode 100644
index 0000000000..84f67749da
--- /dev/null
+++ b/queue-5.4/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch
@@ -0,0 +1,31 @@
+From 6d1f86610f23b0bc334d6506a186f21a98f51392 Mon Sep 17 00:00:00 2001
+From: John Veness <john-linux@pelago.org.uk>
+Date: Mon, 17 Feb 2025 12:15:50 +0000
+Subject: ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED
+
+From: John Veness <john-linux@pelago.org.uk>
+
+commit 6d1f86610f23b0bc334d6506a186f21a98f51392 upstream.
+
+Allows the LED on the dedicated mute button on the HP ProBook 450 G4
+laptop to change colour correctly.
+
+Signed-off-by: John Veness <john-linux@pelago.org.uk>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/2fb55d48-6991-4a42-b591-4c78f2fad8d7@pelago.org.uk
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_conexant.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -949,6 +949,7 @@ static const struct snd_pci_quirk cxt506
+ 	SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+ 	SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+ 	SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
++	SND_PCI_QUIRK(0x103c, 0x8231, "HP ProBook 450 G4", CXT_FIXUP_MUTE_LED_GPIO),
+ 	SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ 	SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
diff --git a/queue-5.4/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch b/queue-5.4/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch
new file mode 100644
index 0000000000..5b82a1ce7f
--- /dev/null
+++ b/queue-5.4/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch
@@ -0,0 +1,33 @@
+From 878e7b11736e062514e58f3b445ff343e6705537 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Tue, 18 Feb 2025 11:04:09 +0800
+Subject: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 878e7b11736e062514e58f3b445ff343e6705537 upstream.
+
+Add check for the return value of nfp_app_ctrl_msg_alloc() in
+nfp_bpf_cmsg_alloc() to prevent null pointer dereference.
+
+Fixes: ff3d43f7568c ("nfp: bpf: implement helpers for FW map ops")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20250218030409.2425798-1-haoxiang_li2024@163.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/bpf/cmsg.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
+@@ -20,6 +20,8 @@ nfp_bpf_cmsg_alloc(struct nfp_app_bpf *b
+ 	struct sk_buff *skb;
+ 
+ 	skb = nfp_app_ctrl_msg_alloc(bpf->app, size, GFP_KERNEL);
++	if (!skb)
++		return NULL;
+ 	skb_put(skb, size);
+ 
+ 	return skb;
diff --git a/queue-5.4/series b/queue-5.4/series
index df2c12a799..d404ededea 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -241,3 +241,7 @@ net-extract-port-range-fields-from-fl_flow_key.patch
 flow_dissector-fix-handling-of-mixed-port-and-port-r.patch
 flow_dissector-fix-port-range-key-handling-in-bpf-co.patch
 power-supply-da9150-fg-fix-potential-overflow.patch
+tee-optee-fix-supplicant-wait-loop.patch
+nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch
+alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch
+acct-block-access-to-kernel-internal-filesystems.patch
diff --git a/queue-5.4/tee-optee-fix-supplicant-wait-loop.patch b/queue-5.4/tee-optee-fix-supplicant-wait-loop.patch
new file mode 100644
index 0000000000..ca1f7fead4
--- /dev/null
+++ b/queue-5.4/tee-optee-fix-supplicant-wait-loop.patch
@@ -0,0 +1,93 @@
+From 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Tue, 4 Feb 2025 13:04:18 +0530
+Subject: tee: optee: Fix supplicant wait loop
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+commit 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 upstream.
+
+OP-TEE supplicant is a user-space daemon and it's possible for it
+be hung or crashed or killed in the middle of processing an OP-TEE
+RPC call. It becomes more complicated when there is incorrect shutdown
+ordering of the supplicant process vs the OP-TEE client application which
+can eventually lead to system hang-up waiting for the closure of the
+client application.
+
+Allow the client process waiting in kernel for supplicant response to
+be killed rather than indefinitely waiting in an unkillable state. Also,
+a normal uninterruptible wait should not have resulted in the hung-task
+watchdog getting triggered, but the endless loop would.
+
+This fixes issues observed during system reboot/shutdown when supplicant
+got hung for some reason or gets crashed/killed which lead to client
+getting hung in an unkillable state. It in turn lead to system being in
+hung up state requiring hard power off/on to recover.
+
+Fixes: 4fb0a5eb364d ("tee: add OP-TEE driver")
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/supp.c |   35 ++++++++---------------------------
+ 1 file changed, 8 insertions(+), 27 deletions(-)
+
+--- a/drivers/tee/optee/supp.c
++++ b/drivers/tee/optee/supp.c
+@@ -80,7 +80,6 @@ u32 optee_supp_thrd_req(struct tee_conte
+ 	struct optee *optee = tee_get_drvdata(ctx->teedev);
+ 	struct optee_supp *supp = &optee->supp;
+ 	struct optee_supp_req *req;
+-	bool interruptable;
+ 	u32 ret;
+ 
+ 	/*
+@@ -111,36 +110,18 @@ u32 optee_supp_thrd_req(struct tee_conte
+ 	/*
+ 	 * Wait for supplicant to process and return result, once we've
+ 	 * returned from wait_for_completion(&req->c) successfully we have
+-	 * exclusive access again.
++	 * exclusive access again. Allow the wait to be killable such that
++	 * the wait doesn't turn into an indefinite state if the supplicant
++	 * gets hung for some reason.
+ 	 */
+-	while (wait_for_completion_interruptible(&req->c)) {
++	if (wait_for_completion_killable(&req->c)) {
+ 		mutex_lock(&supp->mutex);
+-		interruptable = !supp->ctx;
+-		if (interruptable) {
+-			/*
+-			 * There's no supplicant available and since the
+-			 * supp->mutex currently is held none can
+-			 * become available until the mutex released
+-			 * again.
+-			 *
+-			 * Interrupting an RPC to supplicant is only
+-			 * allowed as a way of slightly improving the user
+-			 * experience in case the supplicant hasn't been
+-			 * started yet. During normal operation the supplicant
+-			 * will serve all requests in a timely manner and
+-			 * interrupting then wouldn't make sense.
+-			 */
+-			if (req->in_queue) {
+-				list_del(&req->link);
+-				req->in_queue = false;
+-			}
++		if (req->in_queue) {
++			list_del(&req->link);
++			req->in_queue = false;
+ 		}
+ 		mutex_unlock(&supp->mutex);
+-
+-		if (interruptable) {
+-			req->ret = TEEC_ERROR_COMMUNICATION;
+-			break;
+-		}
++		req->ret = TEEC_ERROR_COMMUNICATION;
+ 	}
+ 
+ 	ret = req->ret;