6.1-stable patches

added patches:
	alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
	alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch
	ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
	ksmbd-don-t-send-oplock-break-if-rename-fails.patch
	ksmbd-validate-payload-size-in-ipc-response.patch

diff --git a/queue-6.1/alsa-hda-realtek-fix-inactive-headset-mic-jack.patch b/queue-6.1/alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
new file mode 100644 (file)
index 0000000..bf12a56
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
@@ -0,0 +1,33 @@
+From daf6c4681a74034d5723e2fb761e0d7f3a1ca18f Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg <cs@tuxedo.de>
+Date: Thu, 28 Mar 2024 11:27:57 +0100
+Subject: ALSA: hda/realtek - Fix inactive headset mic jack
+
+From: Christoffer Sandberg <cs@tuxedo.de>
+
+commit daf6c4681a74034d5723e2fb761e0d7f3a1ca18f upstream.
+
+This patch adds the existing fixup to certain TF platforms implementing
+the ALC274 codec with a headset jack. It fixes/activates the inactive
+microphone of the headset.
+
+Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: <stable@vger.kernel.org>
+Message-ID: <20240328102757.50310-1-wse@tuxedocomputers.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10121,6 +10121,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1d05, 0x1147, "TongFang GMxTGxx", ALC269_FIXUP_NO_SHUTUP),
+       SND_PCI_QUIRK(0x1d05, 0x115c, "TongFang GMxTGxx", ALC269_FIXUP_NO_SHUTUP),
+       SND_PCI_QUIRK(0x1d05, 0x121b, "TongFang GMxAGxx", ALC269_FIXUP_NO_SHUTUP),
++      SND_PCI_QUIRK(0x1d05, 0x1387, "TongFang GMxIXxx", ALC2XX_FIXUP_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),

diff --git a/queue-6.1/alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch b/queue-6.1/alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch
new file mode 100644 (file)
index 0000000..2c020b7
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch
@@ -0,0 +1,43 @@
+From 1576f263ee2147dc395531476881058609ad3d38 Mon Sep 17 00:00:00 2001
+From: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
+Date: Tue, 2 Apr 2024 00:46:02 +0700
+Subject: ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
+
+From: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
+
+commit 1576f263ee2147dc395531476881058609ad3d38 upstream.
+
+This patch addresses an issue with the Panasonic CF-SZ6's existing quirk,
+specifically its headset microphone functionality. Previously, the quirk
+used ALC269_FIXUP_HEADSET_MODE, which does not support the CF-SZ6's design
+of a single 3.5mm jack for both mic and audio output effectively. The
+device uses pin 0x19 for the headset mic without jack detection.
+
+Following verification on the CF-SZ6 and discussions with the original
+patch author, i determined that the update to
+ALC269_FIXUP_ASPIRE_HEADSET_MIC is the appropriate solution. This change
+is custom-designed for the CF-SZ6's unique hardware setup, which includes
+a single 3.5mm jack for both mic and audio output, connecting the headset
+microphone to pin 0x19 without the use of jack detection.
+
+Fixes: 0fca97a29b83 ("ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk")
+Signed-off-by: I Gede Agastya Darma Laksana <gedeagas22@gmail.com>
+Cc: <stable@vger.kernel.org>
+Message-ID: <20240401174602.14133-1-gedeagas22@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9905,7 +9905,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+       SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+       SND_PCI_QUIRK(0x10ec, 0x12cc, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+-      SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
++      SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
+       SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+       SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP),

diff --git a/queue-6.1/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch b/queue-6.1/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
new file mode 100644 (file)
index 0000000..c4d8ca1
--- /dev/null
+++ b/queue-6.1/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
@@ -0,0 +1,49 @@
+From 5ed11af19e56f0434ce0959376d136005745a936 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 2 Apr 2024 09:31:22 +0900
+Subject: ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 5ed11af19e56f0434ce0959376d136005745a936 upstream.
+
+SMB2_GLOBAL_CAP_ENCRYPTION flag should be used only for 3.0 and
+3.0.2 dialects. This flags set cause compatibility problems with
+other SMB clients.
+
+Reported-by: James Christopher Adduono <jc@adduono.com>
+Tested-by: James Christopher Adduono <jc@adduono.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2ops.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/smb2ops.c
++++ b/fs/smb/server/smb2ops.c
+@@ -228,6 +228,11 @@ void init_smb3_0_server(struct ksmbd_con
+           conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+               conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+ 
++      if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
++          (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
++           conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
++              conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
++
+       if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+               conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ }
+@@ -275,11 +280,6 @@ int init_smb3_11_server(struct ksmbd_con
+               conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
+                       SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
+ 
+-      if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
+-          (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
+-           conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
+-              conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+-
+       if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+               conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ 

diff --git a/queue-6.1/ksmbd-don-t-send-oplock-break-if-rename-fails.patch b/queue-6.1/ksmbd-don-t-send-oplock-break-if-rename-fails.patch
new file mode 100644 (file)
index 0000000..4fc4972
--- /dev/null
+++ b/queue-6.1/ksmbd-don-t-send-oplock-break-if-rename-fails.patch
@@ -0,0 +1,33 @@
+From c1832f67035dc04fb89e6b591b64e4d515843cda Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 31 Mar 2024 21:58:26 +0900
+Subject: ksmbd: don't send oplock break if rename fails
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c1832f67035dc04fb89e6b591b64e4d515843cda upstream.
+
+Don't send oplock break if rename fails. This patch fix
+smb2.oplock.batch20 test.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -5579,8 +5579,9 @@ static int smb2_rename(struct ksmbd_work
+       if (!file_info->ReplaceIfExists)
+               flags = RENAME_NOREPLACE;
+ 
+-      smb_break_all_levII_oplock(work, fp, 0);
+       rc = ksmbd_vfs_rename(work, &fp->filp->f_path, new_name, flags);
++      if (!rc)
++              smb_break_all_levII_oplock(work, fp, 0);
+ out:
+       kfree(new_name);
+       return rc;

diff --git a/queue-6.1/ksmbd-validate-payload-size-in-ipc-response.patch b/queue-6.1/ksmbd-validate-payload-size-in-ipc-response.patch
new file mode 100644 (file)
index 0000000..dbe8938
--- /dev/null
+++ b/queue-6.1/ksmbd-validate-payload-size-in-ipc-response.patch
@@ -0,0 +1,120 @@
+From a677ebd8ca2f2632ccdecbad7b87641274e15aac Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 31 Mar 2024 21:59:10 +0900
+Subject: ksmbd: validate payload size in ipc response
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit a677ebd8ca2f2632ccdecbad7b87641274e15aac upstream.
+
+If installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc
+response to ksmbd kernel server. ksmbd should validate payload size of
+ipc response from ksmbd.mountd to avoid memory overrun or
+slab-out-of-bounds. This patch validate 3 ipc response that has payload.
+
+Cc: stable@vger.kernel.org
+Reported-by: Chao Ma <machao2019@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/ksmbd_netlink.h     |    3 ++-
+ fs/smb/server/mgmt/share_config.c |    7 ++++++-
+ fs/smb/server/transport_ipc.c     |   37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/ksmbd_netlink.h
++++ b/fs/smb/server/ksmbd_netlink.h
+@@ -166,7 +166,8 @@ struct ksmbd_share_config_response {
+       __u16   force_uid;
+       __u16   force_gid;
+       __s8    share_name[KSMBD_REQ_MAX_SHARE_NAME];
+-      __u32   reserved[112];          /* Reserved room */
++      __u32   reserved[111];          /* Reserved room */
++      __u32   payload_sz;
+       __u32   veto_list_sz;
+       __s8    ____payload[];
+ };
+--- a/fs/smb/server/mgmt/share_config.c
++++ b/fs/smb/server/mgmt/share_config.c
+@@ -158,7 +158,12 @@ static struct ksmbd_share_config *share_
+       share->name = kstrdup(name, GFP_KERNEL);
+ 
+       if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
+-              share->path = kstrdup(ksmbd_share_config_path(resp),
++              int path_len = PATH_MAX;
++
++              if (resp->payload_sz)
++                      path_len = resp->payload_sz - resp->veto_list_sz;
++
++              share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
+                                     GFP_KERNEL);
+               if (share->path)
+                       share->path_sz = strlen(share->path);
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -65,6 +65,7 @@ struct ipc_msg_table_entry {
+       struct hlist_node       ipc_table_hlist;
+ 
+       void                    *response;
++      unsigned int            msg_sz;
+ };
+ 
+ static struct delayed_work ipc_timer_work;
+@@ -275,6 +276,7 @@ static int handle_response(int type, voi
+               }
+ 
+               memcpy(entry->response, payload, sz);
++              entry->msg_sz = sz;
+               wake_up_interruptible(&entry->wait);
+               ret = 0;
+               break;
+@@ -453,6 +455,34 @@ out:
+       return ret;
+ }
+ 
++static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
++{
++      unsigned int msg_sz = entry->msg_sz;
++
++      if (entry->type == KSMBD_EVENT_RPC_REQUEST) {
++              struct ksmbd_rpc_command *resp = entry->response;
++
++              msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
++      } else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {
++              struct ksmbd_spnego_authen_response *resp = entry->response;
++
++              msg_sz = sizeof(struct ksmbd_spnego_authen_response) +
++                              resp->session_key_len + resp->spnego_blob_len;
++      } else if (entry->type == KSMBD_EVENT_SHARE_CONFIG_REQUEST) {
++              struct ksmbd_share_config_response *resp = entry->response;
++
++              if (resp->payload_sz) {
++                      if (resp->payload_sz < resp->veto_list_sz)
++                              return -EINVAL;
++
++                      msg_sz = sizeof(struct ksmbd_share_config_response) +
++                                      resp->payload_sz;
++              }
++      }
++
++      return entry->msg_sz != msg_sz ? -EINVAL : 0;
++}
++
+ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle)
+ {
+       struct ipc_msg_table_entry entry;
+@@ -477,6 +507,13 @@ static void *ipc_msg_send_request(struct
+       ret = wait_event_interruptible_timeout(entry.wait,
+                                              entry.response != NULL,
+                                              IPC_WAIT_TIMEOUT);
++      if (entry.response) {
++              ret = ipc_validate_msg(&entry);
++              if (ret) {
++                      kvfree(entry.response);
++                      entry.response = NULL;
++              }
++      }
+ out:
+       down_write(&ipc_msg_table_lock);
+       hash_del(&entry.ipc_table_hlist);

diff --git a/queue-6.1/series b/queue-6.1/series
index 62e253635a0fabebea650686e811d41b28e513b0..bb7c99b64fe17ee68cec72e35eb8e28838228d4a 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -109,3 +109,8 @@ s390-pai-fix-sampling-event-removal-for-pmu-device-d.patch
 ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch
 nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch
 x86-retpoline-add-noendbr-annotation-to-the-srso-dummy-return-thunk.patch
+ksmbd-don-t-send-oplock-break-if-rename-fails.patch
+ksmbd-validate-payload-size-in-ipc-response.patch
+ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
+alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
+alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch