From ca49fc9a86a2323a7cabf75f767ee46a19ba7c69 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 4 Mar 2024 07:39:37 +0100 Subject: [PATCH] 6.6-stable patches added patches: alsa-firewire-lib-fix-to-check-cycle-continuity.patch alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch alsa-hda-realtek-tas2781-enable-subwoofer-volume-control.patch alsa-ump-fix-the-discard-error-code-from-snd_ump_legacy_open.patch bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch --- ...re-lib-fix-to-check-cycle-continuity.patch | 39 +++++++++ ...-add-special-fixup-for-lenovo-14irp8.patch | 83 +++++++++++++++++++ ...enable-mute-led-on-hp-840-g8-mb-8ab8.patch | 34 ++++++++ ...ek-fix-mute-micmute-led-for-hp-mt440.patch | 44 ++++++++++ ...2781-enable-subwoofer-volume-control.patch | 37 +++++++++ ...-error-code-from-snd_ump_legacy_open.patch | 41 +++++++++ ...do-not-mark-valid-bd_addr-as-invalid.patch | 55 ++++++++++++ queue-6.6/series | 8 ++ ...af-write-bug-in-tomoyo_write_control.patch | 43 ++++++++++ 9 files changed, 384 insertions(+) create mode 100644 queue-6.6/alsa-firewire-lib-fix-to-check-cycle-continuity.patch create mode 100644 queue-6.6/alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch create mode 100644 queue-6.6/alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch create mode 100644 queue-6.6/alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch create mode 100644 queue-6.6/alsa-hda-realtek-tas2781-enable-subwoofer-volume-control.patch create mode 100644 queue-6.6/alsa-ump-fix-the-discard-error-code-from-snd_ump_legacy_open.patch create mode 100644 queue-6.6/bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch create mode 100644 queue-6.6/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch 
diff --git a/queue-6.6/alsa-firewire-lib-fix-to-check-cycle-continuity.patch b/queue-6.6/alsa-firewire-lib-fix-to-check-cycle-continuity.patch
new file mode 100644
index 00000000000..c4d721dac48
--- /dev/null
+++ b/queue-6.6/alsa-firewire-lib-fix-to-check-cycle-continuity.patch
@@ -0,0 +1,39 @@
+From 77ce96543b03f437c6b45f286d8110db2b6622a3 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto
+Date: Sun, 18 Feb 2024 12:30:26 +0900
+Subject: ALSA: firewire-lib: fix to check cycle continuity
+
+From: Takashi Sakamoto
+
+commit 77ce96543b03f437c6b45f286d8110db2b6622a3 upstream.
+
+The local helper function to compare the given pair of cycle count
+evaluates them. If the left value is less than the right value, the
+function returns negative value.
+
+If the safe cycle is less than the current cycle, it is the case of
+cycle lost. However, it is not currently handled properly.
+
+This commit fixes the bug.
+
+Cc:
+Fixes: 705794c53b00 ("ALSA: firewire-lib: check cycle continuity")
+Signed-off-by: Takashi Sakamoto
+Link: https://lore.kernel.org/r/20240218033026.72577-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/firewire/amdtp-stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -951,7 +951,7 @@ static int generate_tx_packet_descs(stru
+ // to the reason.
+ unsigned int safe_cycle = increment_ohci_cycle_count(next_cycle,
+ IR_JUMBO_PAYLOAD_MAX_SKIP_CYCLES);
+- lost = (compare_ohci_cycle_count(safe_cycle, cycle) > 0);
++ lost = (compare_ohci_cycle_count(safe_cycle, cycle) < 0);
+ }
+ if (lost) {
+ dev_err(&s->unit->device, "Detect discontinuity of cycle: %d %d\n",
diff --git a/queue-6.6/alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch b/queue-6.6/alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch
new file mode 100644
index 00000000000..6faec37807c
--- /dev/null
+++ b/queue-6.6/alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch 
@@ -0,0 +1,83 @@
+From 0ac32a396e4f41e88df76ce2282423188a2d2ed0 Mon Sep 17 00:00:00 2001
+From: Willian Wang
+Date: Sat, 24 Feb 2024 13:11:49 -0300
+Subject: ALSA: hda/realtek: Add special fixup for Lenovo 14IRP8
+
+From: Willian Wang
+
+commit 0ac32a396e4f41e88df76ce2282423188a2d2ed0 upstream.
+
+Lenovo Slim/Yoga Pro 9 14IRP8 requires a special fixup because there is
+a collision of its PCI SSID (17aa:3802) with Lenovo Yoga DuetITL 2021
+codec SSID.
+
+Fixes: 3babae915f4c ("ALSA: hda/tas2781: Add tas2781 HDA driver")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=208555
+Link: https://lore.kernel.org/all/d5b42e483566a3815d229270abd668131a0d9f3a.camel@irl.hu
+Cc: stable@vger.kernel.org
+Signed-off-by: Willian Wang
+Reviewed-by: Gergo Koteles
+Link: https://lore.kernel.org/r/170879111795.8.6687687359006700715.273812184@willian.wang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7352,6 +7352,7 @@ enum {
+ ALC287_FIXUP_LEGION_15IMHG05_AUTOMUTE,
+ ALC287_FIXUP_YOGA7_14ITL_SPEAKERS,
+ ALC298_FIXUP_LENOVO_C940_DUET7,
++ ALC287_FIXUP_LENOVO_14IRP8_DUETITL,
+ ALC287_FIXUP_13S_GEN2_SPEAKERS,
+ ALC256_FIXUP_SET_COEF_DEFAULTS,
+ ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
+@@ -7401,6 +7402,26 @@ static void alc298_fixup_lenovo_c940_due
+ __snd_hda_apply_fixup(codec, id, action, 0);
+ }
+
++/* A special fixup for Lenovo Slim/Yoga Pro 9 14IRP8 and Yoga DuetITL 2021;
++ * 14IRP8 PCI SSID will mistakenly be matched with the DuetITL codec SSID,
++ * so we need to apply a different fixup in this case. The only DuetITL codec
++ * SSID reported so far is the 17aa:3802 while the 14IRP8 has the 17aa:38be
++ * and 17aa:38bf. If it weren't for the PCI SSID, the 14IRP8 models would
++ * have matched correctly by their codecs.
++ */
++static void alc287_fixup_lenovo_14irp8_duetitl(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ int id;
++
++ if (codec->core.subsystem_id == 0x17aa3802)
++ id = ALC287_FIXUP_YOGA7_14ITL_SPEAKERS; /* DuetITL */
++ else
++ id = ALC287_FIXUP_TAS2781_I2C; /* 14IRP8 */
++ __snd_hda_apply_fixup(codec, id, action, 0);
++}
++
+ static const struct hda_fixup alc269_fixups[] = {
+ [ALC269_FIXUP_GPIO2] = {
+ .type = HDA_FIXUP_FUNC,
+@@ -9285,6 +9306,10 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc298_fixup_lenovo_c940_duet7,
+ },
++ [ALC287_FIXUP_LENOVO_14IRP8_DUETITL] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc287_fixup_lenovo_14irp8_duetitl,
++ },
+ [ALC287_FIXUP_13S_GEN2_SPEAKERS] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+@@ -10134,7 +10159,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x31af, "ThinkCentre Station", ALC623_FIXUP_LENOVO_THINKSTATION_P340),
+ SND_PCI_QUIRK(0x17aa, 0x334b, "Lenovo ThinkCentre M70 Gen5", ALC283_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x3801, "Lenovo Yoga9 14IAP7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+- SND_PCI_QUIRK(0x17aa, 0x3802, "Lenovo Yoga DuetITL 2021", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
++ SND_PCI_QUIRK(0x17aa, 0x3802, "Lenovo Yoga Pro 9 14IRP8 / DuetITL 2021", ALC287_FIXUP_LENOVO_14IRP8_DUETITL),
+ SND_PCI_QUIRK(0x17aa, 0x3813, "Legion 7i 15IMHG05", ALC287_FIXUP_LEGION_15IMHG05_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3818, "Lenovo C940 / Yoga Duet 7", ALC298_FIXUP_LENOVO_C940_DUET7),
+ SND_PCI_QUIRK(0x17aa, 0x3819, "Lenovo 13s Gen2 ITL", ALC287_FIXUP_13S_GEN2_SPEAKERS),
diff --git a/queue-6.6/alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch b/queue-6.6/alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
new file mode 100644
index 00000000000..926b8ef7b14
--- /dev/null
+++ b/queue-6.6/alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
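Review bot: In `alc287_fixup_lenovo_14irp8_duetitl()` the `else` branch applies `ALC287_FIXUP_TAS2781_I2C` to every codec SSID other than 0x17aa3802, although the comment above the function names only 17aa:38be and 17aa:38bf as 14IRP8 codecs. Any other machine that turns up behind PCI SSID 17aa:3802 would be routed to the TAS2781 I2C path without anyone having decided that; whether such a machine exists is not visible in this patch. Matching the known IDs explicitly, `else if (codec->core.subsystem_id == 0x17aa38be || codec->core.subsystem_id == 0x17aa38bf)`, with a deliberate fallback, or at least a comment on the `else` saying it is an intentional catch-all, would make the dispatch match its own documentation.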
@@ -0,0 +1,34 @@
+From 1fdf4e8be7059e7784fec11d30cd32784f0bdc83 Mon Sep 17 00:00:00 2001
+From: Hans Peter
+Date: Mon, 19 Feb 2024 17:38:49 +0100
+Subject: ALSA: hda/realtek: Enable Mute LED on HP 840 G8 (MB 8AB8)
+
+From: Hans Peter
+
+commit 1fdf4e8be7059e7784fec11d30cd32784f0bdc83 upstream.
+
+On my EliteBook 840 G8 Notebook PC (ProdId 5S7R6EC#ABD; built 2022 for
+german market) the Mute LED is always on. The mute button itself works
+as expected. alsa-info.sh shows a different subsystem-id 0x8ab9 for
+Realtek ALC285 Codec, thus the existing quirks for HP 840 G8 don't work.
+Therefore, add a new quirk for this type of EliteBook.
+
+Signed-off-by: Hans Peter
+Cc:
+Link: https://lore.kernel.org/r/20240219164518.4099-1-flurry123@gmx.ch
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9820,6 +9820,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8aa3, "HP ProBook 450 G9 (MB 8AA1)", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8aa8, "HP EliteBook 640 G9 (MB 8AA6)", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8aab, "HP EliteBook 650 G9 (MB 8AA9)", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8ab9, "HP EliteBook 840 G8 (MB 8AB8)", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
diff --git a/queue-6.6/alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch b/queue-6.6/alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
new file mode 100644
index 00000000000..62a5f83edf6
--- /dev/null
+++ b/queue-6.6/alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch 
@@ -0,0 +1,44 @@
+From 67c3d7717efbd46092f217b1f811df1b205cce06 Mon Sep 17 00:00:00 2001
+From: Eniac Zhang
+Date: Tue, 20 Feb 2024 17:58:12 +0000
+Subject: ALSA: hda/realtek: fix mute/micmute LED For HP mt440
+
+From: Eniac Zhang
+
+commit 67c3d7717efbd46092f217b1f811df1b205cce06 upstream.
+
+The HP mt440 Thin Client uses an ALC236 codec and needs the
+ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to make the mute and
+micmute LEDs work.
+
+There are two variants of the USB-C PD chip on this device. Each uses
+a different BIOS and board ID, hence the two entries.
+
+Signed-off-by: Eniac Zhang
+Signed-off-by: Alexandru Gagniuc
+Cc:
+Link: https://lore.kernel.org/r/20240220175812.782687-1-alexandru.gagniuc@hp.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9795,6 +9795,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8973, "HP EliteBook 860 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8974, "HP EliteBook 840 Aero G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8975, "HP EliteBook x360 840 Aero G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x897d, "HP mt440 Mobile Thin Client U74", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8981, "HP Elite Dragonfly G3", ALC245_FIXUP_CS35L41_SPI_4),
+ SND_PCI_QUIRK(0x103c, 0x898e, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x898f, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2),
+@@ -9826,6 +9827,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b0f, "HP Elite mt645 G7 Mobile Thin Client U81", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8b2f, "HP 255 15.6 inch
G10 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
++ SND_PCI_QUIRK(0x103c, 0x8b3f, "HP mt440 Mobile Thin Client U91", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b43, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8b44, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
diff --git a/queue-6.6/alsa-hda-realtek-tas2781-enable-subwoofer-volume-control.patch b/queue-6.6/alsa-hda-realtek-tas2781-enable-subwoofer-volume-control.patch
new file mode 100644
index 00000000000..0ceac896ded
--- /dev/null
+++ b/queue-6.6/alsa-hda-realtek-tas2781-enable-subwoofer-volume-control.patch
@@ -0,0 +1,37 @@
+From c1947ce61ff4cd4de2fe5f72423abedb6dc83011 Mon Sep 17 00:00:00 2001
+From: Gergo Koteles
+Date: Fri, 23 Feb 2024 12:34:30 +0100
+Subject: ALSA: hda/realtek: tas2781: enable subwoofer volume control
+
+From: Gergo Koteles
+
+commit c1947ce61ff4cd4de2fe5f72423abedb6dc83011 upstream.
+
+The volume of subwoofer channels is always at maximum with the
+ALC269_FIXUP_THINKPAD_ACPI chain.
+
+Use ALC285_FIXUP_THINKPAD_HEADSET_JACK to align it to the master volume.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=208555#c827
+
+Fixes: 3babae915f4c ("ALSA: hda/tas2781: Add tas2781 HDA driver")
+Cc:
+Signed-off-by: Gergo Koteles
+Link: https://lore.kernel.org/r/7ffae10ebba58601d25fe2ff8381a6ae3a926e62.1708687813.git.soyer@irl.hu
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9487,7 +9487,7 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = tas2781_fixup_i2c,
+ .chained = true,
+- .chain_id = ALC269_FIXUP_THINKPAD_ACPI,
++ .chain_id = ALC285_FIXUP_THINKPAD_HEADSET_JACK,
+ },
+ [ALC245_FIXUP_HP_MUTE_LED_COEFBIT] = {
+ .type = HDA_FIXUP_FUNC,
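Review bot: In the HP mt440 patch, both added `SND_PCI_QUIRK` entries (0x103c:0x897d and 0x103c:0x8b3f) select `ALC236_FIXUP_HP_GPIO_LED`, but the patch description says the device needs `ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF`, which is the fixup the neighbouring mt645 entry (0x8b0f) uses. The description and the code cannot both be right. If the GPIO LED fixup is the intended one, the description should name it; if not, both entries should read `ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF`. This is worth confirming against upstream before the backport ships, since a wrong fixup leaves the mute and micmute indicators out of step with the real state.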
diff --git a/queue-6.6/alsa-ump-fix-the-discard-error-code-from-snd_ump_legacy_open.patch b/queue-6.6/alsa-ump-fix-the-discard-error-code-from-snd_ump_legacy_open.patch
new file mode 100644
index 00000000000..30d6e8a4521
--- /dev/null
+++ b/queue-6.6/alsa-ump-fix-the-discard-error-code-from-snd_ump_legacy_open.patch
@@ -0,0 +1,41 @@
+From 49cbb7b7d36ec3ba73ce1daf7ae1d71d435453b8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 20 Feb 2024 16:08:43 +0100
+Subject: ALSA: ump: Fix the discard error code from snd_ump_legacy_open()
+
+From: Takashi Iwai
+
+commit 49cbb7b7d36ec3ba73ce1daf7ae1d71d435453b8 upstream.
+
+snd_ump_legacy_open() didn't return the error code properly even if it
+couldn't open. Fix it.
+
+Fixes: 0b5288f5fe63 ("ALSA: ump: Add legacy raw MIDI support")
+Cc:
+Link: https://lore.kernel.org/r/20240220150843.28630-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/ump.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/ump.c
++++ b/sound/core/ump.c
+@@ -985,7 +985,7 @@ static int snd_ump_legacy_open(struct sn
+ struct snd_ump_endpoint *ump = substream->rmidi->private_data;
+ int dir = substream->stream;
+ int group = ump->legacy_mapping[substream->number];
+- int err;
++ int err = 0;
+
+ mutex_lock(&ump->open_mutex);
+ if (ump->legacy_substreams[dir][group]) {
+@@ -1009,7 +1009,7 @@ static int snd_ump_legacy_open(struct sn
+ spin_unlock_irq(&ump->legacy_locks[dir]);
+ unlock:
+ mutex_unlock(&ump->open_mutex);
+- return 0;
++ return err;
+ }
+
+ static int snd_ump_legacy_close(struct snd_rawmidi_substream *substream)
diff --git a/queue-6.6/bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch b/queue-6.6/bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch
new file mode 100644
index 00000000000..149a4e0e4b3
--- /dev/null
+++ b/queue-6.6/bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch
@@ -0,0 +1,55 @@
+From c17d2a7b216e168c3ba62d93482179c01b369ac7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 27 Dec 2023 11:10:03 +0100
+Subject: Bluetooth: hci_bcm4377: do not mark valid bd_addr as invalid
+
+From: Johan Hovold
+
+commit c17d2a7b216e168c3ba62d93482179c01b369ac7 upstream.
+
+A recent commit restored the original (and still documented) semantics
+for the HCI_QUIRK_USE_BDADDR_PROPERTY quirk so that the device address
+is considered invalid unless an address is provided by firmware.
+
+This specifically means that this flag must only be set for devices with
+invalid addresses, but the Broadcom BCM4377 driver has so far been
+setting this flag unconditionally.
+
+Fortunately the driver already checks for invalid addresses during setup
+and sets the HCI_QUIRK_INVALID_BDADDR flag, which can simply be replaced
+with HCI_QUIRK_USE_BDADDR_PROPERTY to indicate that the default address
+is invalid but can be overridden by firmware (long term, this should
+probably just always be allowed).
+
+Fixes: 6945795bc81a ("Bluetooth: fix use-bdaddr-property quirk")
+Cc: stable@vger.kernel.org # 6.5
+Reported-by: Felix Zhang
+Link: https://lore.kernel.org/r/77419ffacc5b4875e920e038332575a2a5bff29f.camel@mrman314.tech/
+Signed-off-by: Johan Hovold
+Reported-by: Felix Zhang
+Reviewed-by: Neal Gompa
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/hci_bcm4377.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_bcm4377.c
++++ b/drivers/bluetooth/hci_bcm4377.c
+@@ -1417,7 +1417,7 @@ static int bcm4377_check_bdaddr(struct b
+
+ bda = (struct hci_rp_read_bd_addr *)skb->data;
+ if (!bcm4377_is_valid_bdaddr(bcm4377, &bda->bdaddr))
+- set_bit(HCI_QUIRK_INVALID_BDADDR, &bcm4377->hdev->quirks);
++ set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &bcm4377->hdev->quirks);
+
+ kfree_skb(skb);
+ return 0;
+@@ -2368,7 +2368,6 @@ static int bcm4377_probe(struct pci_dev
+ hdev->set_bdaddr = bcm4377_hci_set_bdaddr;
+ hdev->setup = bcm4377_hci_setup;
+
+- set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
+ if (bcm4377->hw->broken_mws_transport_config)
+ set_bit(HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG, &hdev->quirks);
+ if (bcm4377->hw->broken_ext_scan)
diff --git a/queue-6.6/series b/queue-6.6/series
index 2cc56135f8f..01808cadd69 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -65,3 +65,11 @@ riscv-fix-pte_leaf_size-for-napot.patch
 riscv-sparse-memory-vmemmap-out-of-bounds-fix.patch
 btrfs-fix-race-between-ordered-extent-completion-and.patch
 of-property-fw_devlink-fix-stupid-bug-in-remote-endp.patch
+tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
+alsa-firewire-lib-fix-to-check-cycle-continuity.patch
+alsa-ump-fix-the-discard-error-code-from-snd_ump_legacy_open.patch
+alsa-hda-realtek-tas2781-enable-subwoofer-volume-control.patch
+alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
+alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
+alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch
+bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch
diff --git a/queue-6.6/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch b/queue-6.6/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
new file mode 100644
index 00000000000..461a7cdefc7
--- /dev/null
+++ b/queue-6.6/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
@@ -0,0 +1,43 @@
+From 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Fri, 1 Mar 2024 22:04:06 +0900
+Subject: tomoyo: fix UAF write bug in tomoyo_write_control()
+
+From: Tetsuo Handa
+
+commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream.
+
+Since tomoyo_write_control() updates head->write_buf when write()
+of long lines is requested, we need to fetch head->write_buf after
+head->io_sem is held. Otherwise, concurrent write() requests can
+cause use-after-free-write and double-free problems.
+
+Reported-by: Sam Sun
+Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
+Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
+Cc: # Linux 3.1+
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/tomoyo/common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/tomoyo/common.c
++++ b/security/tomoyo/common.c
+@@ -2649,13 +2649,14 @@ ssize_t tomoyo_write_control(struct tomo
+ {
+ int error = buffer_len;
+ size_t avail_len = buffer_len;
+- char *cp0 = head->write_buf;
++ char *cp0;
+ int idx;
+
+ if (!head->write)
+ return -EINVAL;
+ if (mutex_lock_interruptible(&head->io_sem))
+ return -EINTR;
++ cp0 = head->write_buf;
+ head->read_user_buf_avail = 0;
+ idx = tomoyo_read_lock();
+ /* Read a line and dispatch it to the policy handler. */
-- 
2.47.2
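Review bot: The relocated `cp0 = head->write_buf;` in `tomoyo_write_control()` carries no comment saying why it must come after `mutex_lock_interruptible(&head->io_sem)`, so a later tidy-up could fold it back into the declaration and reintroduce the use-after-free and double-free the commit message describes. I would add `/* head->write_buf may be replaced by a concurrent write(); read it only with io_sem held. */` directly above the assignment. The `head->write` test just before the lock is still an unlocked read of `head`; that is presumably safe if the field is set once when the file is opened, but nothing in this hunk shows it. The function body continues past the end of the hunk, so the later uses of `cp0` are not visible here.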