From 48ec36e150c45a4a611e82af353c318ea58bda7c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 13 Oct 2025 10:00:16 +0200 Subject: [PATCH] 6.17-stable patches added patches: alsa-hda-hdmi-add-pin-fix-for-hp-prodesk-model.patch alsa-hda-realtek-add-quirk-for-hp-spectre-14t-ea100.patch squashfs-fix-uninit-value-in-squashfs_get_parent.patch tpm-disable-tpm2_tcg_hmac-by-default.patch --- ...dmi-add-pin-fix-for-hp-prodesk-model.patch | 31 +++++ ...k-add-quirk-for-hp-spectre-14t-ea100.patch | 33 +++++ queue-6.17/series | 4 + ...-uninit-value-in-squashfs_get_parent.patch | 119 ++++++++++++++++++ ...tpm-disable-tpm2_tcg_hmac-by-default.patch | 50 ++++++++ 5 files changed, 237 insertions(+) create mode 100644 queue-6.17/alsa-hda-hdmi-add-pin-fix-for-hp-prodesk-model.patch create mode 100644 queue-6.17/alsa-hda-realtek-add-quirk-for-hp-spectre-14t-ea100.patch create mode 100644 queue-6.17/squashfs-fix-uninit-value-in-squashfs_get_parent.patch create mode 100644 queue-6.17/tpm-disable-tpm2_tcg_hmac-by-default.patch diff --git a/queue-6.17/alsa-hda-hdmi-add-pin-fix-for-hp-prodesk-model.patch b/queue-6.17/alsa-hda-hdmi-add-pin-fix-for-hp-prodesk-model.patch new file mode 100644 index 0000000000..4661a26177 --- /dev/null +++ b/queue-6.17/alsa-hda-hdmi-add-pin-fix-for-hp-prodesk-model.patch @@ -0,0 +1,31 @@ +From 74662f9f92b67c0ca55139c5aa392da0f0a26c08 Mon Sep 17 00:00:00 2001 +From: Steven 'Steve' Kendall +Date: Mon, 29 Sep 2025 21:33:34 +0000 +Subject: ALSA: hda/hdmi: Add pin fix for HP ProDesk model + +From: Steven 'Steve' Kendall + +commit 74662f9f92b67c0ca55139c5aa392da0f0a26c08 upstream. + +The HP ProDesk 400 (SSID 103c:83f3) also needs a quirk for +enabling HDMI outputs. This patch adds the required quirk +entry. + +Signed-off-by: Steven 'Steve' Kendall +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/hdmi/hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/hdmi/hdmi.c ++++ b/sound/hda/codecs/hdmi/hdmi.c +@@ -1583,6 +1583,7 @@ static const struct snd_pci_quirk force_ + SND_PCI_QUIRK(0x103c, 0x83e2, "HP EliteDesk 800 G4", 1), + SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1), + SND_PCI_QUIRK(0x103c, 0x845a, "HP EliteDesk 800 G4 DM 65W", 1), ++ SND_PCI_QUIRK(0x103c, 0x83f3, "HP ProDesk 400", 1), + SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x8711, "HP", 1), diff --git a/queue-6.17/alsa-hda-realtek-add-quirk-for-hp-spectre-14t-ea100.patch b/queue-6.17/alsa-hda-realtek-add-quirk-for-hp-spectre-14t-ea100.patch new file mode 100644 index 0000000000..900b163457 --- /dev/null +++ b/queue-6.17/alsa-hda-realtek-add-quirk-for-hp-spectre-14t-ea100.patch @@ -0,0 +1,33 @@ +From 50a098e3e9b1bb30cefc43cdfba3c7b9b32e14a7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 27 Sep 2025 11:47:23 +0200 +Subject: ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100 + +From: Takashi Iwai + +commit 50a098e3e9b1bb30cefc43cdfba3c7b9b32e14a7 upstream. + +HP-Spectre 14t-ea100 model has no speaker output unless booting +previously from Windows on dual boot, a reboot while on Linux will +stop the speakers working. Applying the existing quirk for HP Spectre +X360 EU0xxx seems fixing this speaker problem. + +Reported-by: Kaden Berger +Cc: +Link: https://lore.kernel.org/aMxdGAmfOQ6VPNU8@archlinux +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6487,6 +6487,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x89c6, "Zbook Fury 17 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x89ca, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x89d3, "HP EliteBook 645 G9 (MB 89D2)", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x89da, "HP Spectre x360 14t-ea100", ALC245_FIXUP_HP_SPECTRE_X360_EU0XXX), + SND_PCI_QUIRK(0x103c, 0x89e7, "HP Elite x2 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8a0f, "HP Pavilion 14-ec1xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), diff --git a/queue-6.17/series b/queue-6.17/series index ba5933daa7..5c303b1a2b 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -495,3 +495,7 @@ selftests-bpf-move-get_ksyms-and-get_addrs-to-trace_.patch selftests-bpf-fix-realloc-size-in-bpf_get_addrs.patch bpf-skip-scalar-adjustment-for-bpf_neg-if-dst-is-a-p.patch bpf-reject-negative-offsets-for-alu-ops.patch +tpm-disable-tpm2_tcg_hmac-by-default.patch +alsa-hda-hdmi-add-pin-fix-for-hp-prodesk-model.patch +alsa-hda-realtek-add-quirk-for-hp-spectre-14t-ea100.patch +squashfs-fix-uninit-value-in-squashfs_get_parent.patch diff --git a/queue-6.17/squashfs-fix-uninit-value-in-squashfs_get_parent.patch b/queue-6.17/squashfs-fix-uninit-value-in-squashfs_get_parent.patch new file mode 100644 index 0000000000..af4b772b65 --- /dev/null +++ b/queue-6.17/squashfs-fix-uninit-value-in-squashfs_get_parent.patch @@ -0,0 +1,119 @@ +From 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Fri, 19 Sep 2025 00:33:08 +0100 +Subject: Squashfs: fix uninit-value in squashfs_get_parent + +From: Phillip Lougher + +commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream. + +Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. + +This is caused by open_by_handle_at() being called with a file handle +containing an invalid parent inode number. In particular the inode number +is that of a symbolic link, rather than a directory. + +Squashfs_get_parent() gets called with that symbolic link inode, and +accesses the parent member field. + + unsigned int parent_ino = squashfs_i(inode)->parent; + +Because non-directory inodes in Squashfs do not have a parent value, this +is uninitialised, and this causes an uninitialised value access. + +The fix is to initialise parent with the invalid inode 0, which will cause +an EINVAL error to be returned. + +Regular inodes used to share the parent field with the block_list_start +field. This is removed in this commit to enable the parent field to +contain the invalid inode number 0. + +Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk +Fixes: 122601408d20 ("Squashfs: export operations") +Signed-off-by: Phillip Lougher +Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/ +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/inode.c | 7 +++++++ + fs/squashfs/squashfs_fs_i.h | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/squashfs/inode.c ++++ b/fs/squashfs/inode.c +@@ -165,6 +165,7 @@ int squashfs_read_inode(struct inode *in + squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block); + squashfs_i(inode)->block_list_start = block; + squashfs_i(inode)->offset = offset; ++ squashfs_i(inode)->parent = 0; + inode->i_data.a_ops = &squashfs_aops; + + TRACE("File inode %x:%x, start_block %llx, block_list_start " +@@ -212,6 +213,7 @@ int squashfs_read_inode(struct inode *in + squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block); + squashfs_i(inode)->block_list_start = block; + squashfs_i(inode)->offset = offset; ++ squashfs_i(inode)->parent = 0; + inode->i_data.a_ops = &squashfs_aops; + + TRACE("File inode %x:%x, start_block %llx, block_list_start " +@@ -292,6 +294,7 @@ int squashfs_read_inode(struct inode *in + inode->i_mode |= S_IFLNK; + squashfs_i(inode)->start = block; + squashfs_i(inode)->offset = offset; ++ squashfs_i(inode)->parent = 0; + + if (type == SQUASHFS_LSYMLINK_TYPE) { + __le32 xattr; +@@ -329,6 +332,7 @@ int squashfs_read_inode(struct inode *in + set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); + rdev = le32_to_cpu(sqsh_ino->rdev); + init_special_inode(inode, inode->i_mode, new_decode_dev(rdev)); ++ squashfs_i(inode)->parent = 0; + + TRACE("Device inode %x:%x, rdev %x\n", + SQUASHFS_INODE_BLK(ino), offset, rdev); +@@ -353,6 +357,7 @@ int squashfs_read_inode(struct inode *in + set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); + rdev = le32_to_cpu(sqsh_ino->rdev); + init_special_inode(inode, inode->i_mode, new_decode_dev(rdev)); ++ squashfs_i(inode)->parent = 0; + + TRACE("Device inode %x:%x, rdev %x\n", + SQUASHFS_INODE_BLK(ino), offset, rdev); +@@ -373,6 +378,7 @@ int squashfs_read_inode(struct inode *in + inode->i_mode |= S_IFSOCK; + set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); + init_special_inode(inode, inode->i_mode, 0); ++ squashfs_i(inode)->parent = 0; + break; + } + case SQUASHFS_LFIFO_TYPE: +@@ -392,6 +398,7 @@ int squashfs_read_inode(struct inode *in + inode->i_op = &squashfs_inode_ops; + set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); + init_special_inode(inode, inode->i_mode, 0); ++ squashfs_i(inode)->parent = 0; + break; + } + default: +--- a/fs/squashfs/squashfs_fs_i.h ++++ b/fs/squashfs/squashfs_fs_i.h +@@ -16,6 +16,7 @@ struct squashfs_inode_info { + u64 xattr; + unsigned int xattr_size; + int xattr_count; ++ int parent; + union { + struct { + u64 fragment_block; +@@ -27,7 +28,6 @@ struct squashfs_inode_info { + u64 dir_idx_start; + int dir_idx_offset; + int dir_idx_cnt; +- int parent; + }; + }; + struct inode vfs_inode; diff --git a/queue-6.17/tpm-disable-tpm2_tcg_hmac-by-default.patch b/queue-6.17/tpm-disable-tpm2_tcg_hmac-by-default.patch new file mode 100644 index 0000000000..75b8bae960 --- /dev/null +++ b/queue-6.17/tpm-disable-tpm2_tcg_hmac-by-default.patch @@ -0,0 +1,50 @@ +From 4bddf4587c131d7b8ce8952cd32b284dcda0dd1f Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 25 Aug 2025 23:32:23 +0300 +Subject: tpm: Disable TPM2_TCG_HMAC by default + +From: Jarkko Sakkinen + +commit 4bddf4587c131d7b8ce8952cd32b284dcda0dd1f upstream. + +After reading all the feedback, right now disabling the TPM2_TCG_HMAC +is the right call. + +Other views discussed: + +A. Having a kernel command-line parameter or refining the feature + otherwise. This goes to the area of improvements. E.g., one + example is my own idea where the null key specific code would be + replaced with a persistent handle parameter (which can be + *unambigously* defined as part of attestation process when + done correctly). + +B. Removing the code. I don't buy this because that is same as saying + that HMAC encryption cannot work at all (if really nitpicking) in + any form. Also I disagree on the view that the feature could not + be refined to something more reasoable. + +Also, both A and B are worst options in terms of backporting. + +Thuss, this is the best possible choice. + +Cc: stable@vger.kernel.or # v6.10+ +Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") +Suggested-by: Chris Fenner +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tpm/Kconfig ++++ b/drivers/char/tpm/Kconfig +@@ -29,7 +29,7 @@ if TCG_TPM + + config TCG_TPM2_HMAC + bool "Use HMAC and encrypted transactions on the TPM bus" +- default X86_64 ++ default n + select CRYPTO_ECDH + select CRYPTO_LIB_AESCFB + select CRYPTO_LIB_SHA256 -- 2.47.3