From: Greg Kroah-Hartman Date: Mon, 8 Apr 2024 08:44:10 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.15.154~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1e6ae6ccd06d644a35d0d8b87fbd440a21cabba6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-hda-realtek-fix-inactive-headset-mic-jack.patch alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch ksmbd-don-t-send-oplock-break-if-rename-fails.patch ksmbd-validate-payload-size-in-ipc-response.patch
---
diff --git a/queue-6.1/alsa-hda-realtek-fix-inactive-headset-mic-jack.patch b/queue-6.1/alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
new file mode 100644
index 00000000000..bf12a56ec48
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
@@ -0,0 +1,33 @@
+From daf6c4681a74034d5723e2fb761e0d7f3a1ca18f Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg
+Date: Thu, 28 Mar 2024 11:27:57 +0100
+Subject: ALSA: hda/realtek - Fix inactive headset mic jack
+
+From: Christoffer Sandberg
+
+commit daf6c4681a74034d5723e2fb761e0d7f3a1ca18f upstream.
+
+This patch adds the existing fixup to certain TF platforms implementing
+the ALC274 codec with a headset jack. It fixes/activates the inactive
+microphone of the headset.
+
+Signed-off-by: Christoffer Sandberg
+Signed-off-by: Werner Sembach
+Cc:
+Message-ID: <20240328102757.50310-1-wse@tuxedocomputers.com>
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10121,6 +10121,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1d05, 0x1147, "TongFang GMxTGxx", ALC269_FIXUP_NO_SHUTUP),
+ SND_PCI_QUIRK(0x1d05, 0x115c, "TongFang GMxTGxx", ALC269_FIXUP_NO_SHUTUP),
+ SND_PCI_QUIRK(0x1d05, 0x121b, "TongFang GMxAGxx", ALC269_FIXUP_NO_SHUTUP),
++ SND_PCI_QUIRK(0x1d05, 0x1387, "TongFang GMxIXxx", ALC2XX_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
diff --git a/queue-6.1/alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch b/queue-6.1/alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch
new file mode 100644
index 00000000000..2c020b718bc
--- /dev/null
+++ b/queue-6.1/alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch
@@ -0,0 +1,43 @@
+From 1576f263ee2147dc395531476881058609ad3d38 Mon Sep 17 00:00:00 2001
+From: I Gede Agastya Darma Laksana
+Date: Tue, 2 Apr 2024 00:46:02 +0700
+Subject: ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
+
+From: I Gede Agastya Darma Laksana
+
+commit 1576f263ee2147dc395531476881058609ad3d38 upstream.
+
+This patch addresses an issue with the Panasonic CF-SZ6's existing quirk,
+specifically its headset microphone functionality. Previously, the quirk
+used ALC269_FIXUP_HEADSET_MODE, which does not support the CF-SZ6's design
+of a single 3.5mm jack for both mic and audio output effectively. The
+device uses pin 0x19 for the headset mic without jack detection.
+
+Following verification on the CF-SZ6 and discussions with the original
+patch author, i determined that the update to
+ALC269_FIXUP_ASPIRE_HEADSET_MIC is the appropriate solution. This change
+is custom-designed for the CF-SZ6's unique hardware setup, which includes
+a single 3.5mm jack for both mic and audio output, connecting the headset
+microphone to pin 0x19 without the use of jack detection.
+
+Fixes: 0fca97a29b83 ("ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk")
+Signed-off-by: I Gede Agastya Darma Laksana
+Cc:
+Message-ID: <20240401174602.14133-1-gedeagas22@gmail.com>
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9905,7 +9905,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x12cc, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+- SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
++ SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
+ SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP),
diff --git a/queue-6.1/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch b/queue-6.1/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
new file mode 100644
index 00000000000..c4d8ca1ca20
--- /dev/null
+++ b/queue-6.1/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
@@ -0,0 +1,49 @@
+From 5ed11af19e56f0434ce0959376d136005745a936 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Tue, 2 Apr 2024 09:31:22 +0900
+Subject: ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
+
+From: Namjae Jeon
+
+commit 5ed11af19e56f0434ce0959376d136005745a936 upstream.
+
+SMB2_GLOBAL_CAP_ENCRYPTION flag should be used only for 3.0 and
+3.0.2 dialects. This flags set cause compatibility problems with
+other SMB clients.
+
+Reported-by: James Christopher Adduono
+Tested-by: James Christopher Adduono
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2ops.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/smb2ops.c
++++ b/fs/smb/server/smb2ops.c
+@@ -228,6 +228,11 @@ void init_smb3_0_server(struct ksmbd_con
+ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
++ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
++ (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
++ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
++ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
++
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ }
+@@ -275,11 +280,6 @@ int init_smb3_11_server(struct ksmbd_con
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
+ SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
+
+- if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
+- (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
+- conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
+- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+-
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+
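Review bot: In init_smb3_0_server() the added block sits directly after an existing conditional that already ORs `SMB2_GLOBAL_CAP_ENCRYPTION` into `conn->vals->capabilities`, so the same bit is now set by two back-to-back tests. Only the tail of the earlier condition (`conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION`) is inside the hunk, but if it is the narrower flag-and-client-capability test it is fully covered by the new one and should be dropped, otherwise a reader cannot tell which policy decides whether encryption is advertised. The new test also advertises the capability whenever `KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION` is set, even if the client did not offer it; a one-line comment such as `/* 3.0: advertise encryption when forced by config, or when the client offers it and it is not disabled */` would record that this is intended. The commit message names 3.0.2 as well, yet no 3.0.2 init function appears in the patch, so it is worth confirming that dialect already applies the same rule.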
diff --git a/queue-6.1/ksmbd-don-t-send-oplock-break-if-rename-fails.patch b/queue-6.1/ksmbd-don-t-send-oplock-break-if-rename-fails.patch
new file mode 100644
index 00000000000..4fc49728ed5
--- /dev/null
+++ b/queue-6.1/ksmbd-don-t-send-oplock-break-if-rename-fails.patch
@@ -0,0 +1,33 @@
+From c1832f67035dc04fb89e6b591b64e4d515843cda Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Sun, 31 Mar 2024 21:58:26 +0900
+Subject: ksmbd: don't send oplock break if rename fails
+
+From: Namjae Jeon
+
+commit c1832f67035dc04fb89e6b591b64e4d515843cda upstream.
+
+Don't send oplock break if rename fails. This patch fix
+smb2.oplock.batch20 test.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -5579,8 +5579,9 @@ static int smb2_rename(struct ksmbd_work
+ if (!file_info->ReplaceIfExists)
+ flags = RENAME_NOREPLACE;
+
+- smb_break_all_levII_oplock(work, fp, 0);
+ rc = ksmbd_vfs_rename(work, &fp->filp->f_path, new_name, flags);
++ if (!rc)
++ smb_break_all_levII_oplock(work, fp, 0);
+ out:
+ kfree(new_name);
+ return rc;
diff --git a/queue-6.1/ksmbd-validate-payload-size-in-ipc-response.patch b/queue-6.1/ksmbd-validate-payload-size-in-ipc-response.patch
new file mode 100644
index 00000000000..dbe893846ec
--- /dev/null
+++ b/queue-6.1/ksmbd-validate-payload-size-in-ipc-response.patch
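Review bot: Moving `smb_break_all_levII_oplock(work, fp, 0)` after `ksmbd_vfs_rename()` in smb2_rename() means level II holders are now notified only once the rename is already visible, where before they were notified ahead of it. That removes the spurious break on failure, but it may leave a window in which another client still acts on cached state for the old name. If that ordering is acceptable it deserves a comment above the `if (!rc)` line, for example `/* break level II oplocks only after a successful rename; holders are notified post-change */`. smb2_rename() starts outside the hunk, so any earlier check that could predict failure before breaking is not visible here.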
@@ -0,0 +1,120 @@
+From a677ebd8ca2f2632ccdecbad7b87641274e15aac Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Sun, 31 Mar 2024 21:59:10 +0900
+Subject: ksmbd: validate payload size in ipc response
+
+From: Namjae Jeon
+
+commit a677ebd8ca2f2632ccdecbad7b87641274e15aac upstream.
+
+If installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc
+response to ksmbd kernel server. ksmbd should validate payload size of
+ipc response from ksmbd.mountd to avoid memory overrun or
+slab-out-of-bounds. This patch validate 3 ipc response that has payload.
+
+Cc: stable@vger.kernel.org
+Reported-by: Chao Ma
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/ksmbd_netlink.h | 3 ++-
+ fs/smb/server/mgmt/share_config.c | 7 ++++++-
+ fs/smb/server/transport_ipc.c | 37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/ksmbd_netlink.h
++++ b/fs/smb/server/ksmbd_netlink.h
+@@ -166,7 +166,8 @@ struct ksmbd_share_config_response {
+ __u16 force_uid;
+ __u16 force_gid;
+ __s8 share_name[KSMBD_REQ_MAX_SHARE_NAME];
+- __u32 reserved[112]; /* Reserved room */
++ __u32 reserved[111]; /* Reserved room */
++ __u32 payload_sz;
+ __u32 veto_list_sz;
+ __s8 ____payload[];
+ };
+--- a/fs/smb/server/mgmt/share_config.c
++++ b/fs/smb/server/mgmt/share_config.c
+@@ -158,7 +158,12 @@ static struct ksmbd_share_config *share_
+ share->name = kstrdup(name, GFP_KERNEL);
+
+ if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
+- share->path = kstrdup(ksmbd_share_config_path(resp),
++ int path_len = PATH_MAX;
++
++ if (resp->payload_sz)
++ path_len = resp->payload_sz - resp->veto_list_sz;
++
++ share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
+ GFP_KERNEL);
+ if (share->path)
+ share->path_sz = strlen(share->path);
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -65,6 +65,7 @@ struct ipc_msg_table_entry {
+ struct hlist_node ipc_table_hlist;
+
+ void *response;
++ unsigned int msg_sz;
+ };
+
+ static struct delayed_work ipc_timer_work;
+@@ -275,6 +276,7 @@ static int handle_response(int type, voi
+ }
+
+ memcpy(entry->response, payload, sz);
++ entry->msg_sz = sz;
+ wake_up_interruptible(&entry->wait);
+ ret = 0;
+ break;
+@@ -453,6 +455,34 @@ out:
+ return ret;
+ }
+
++static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
++{
++ unsigned int msg_sz = entry->msg_sz;
++
++ if (entry->type == KSMBD_EVENT_RPC_REQUEST) {
++ struct ksmbd_rpc_command *resp = entry->response;
++
++ msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
++ } else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {
++ struct ksmbd_spnego_authen_response *resp = entry->response;
++
++ msg_sz = sizeof(struct ksmbd_spnego_authen_response) +
++ resp->session_key_len + resp->spnego_blob_len;
++ } else if (entry->type == KSMBD_EVENT_SHARE_CONFIG_REQUEST) {
++ struct ksmbd_share_config_response *resp = entry->response;
++
++ if (resp->payload_sz) {
++ if (resp->payload_sz < resp->veto_list_sz)
++ return -EINVAL;
++
++ msg_sz = sizeof(struct ksmbd_share_config_response) +
++ resp->payload_sz;
++ }
++ }
++
++ return entry->msg_sz != msg_sz ? -EINVAL : 0;
++}
++
+ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle)
+ {
+ struct ipc_msg_table_entry entry;
+@@ -477,6 +507,13 @@ static void *ipc_msg_send_request(struct
+ ret = wait_event_interruptible_timeout(entry.wait,
+ entry.response != NULL,
+ IPC_WAIT_TIMEOUT);
++ if (entry.response) {
++ ret = ipc_validate_msg(&entry);
++ if (ret) {
++ kvfree(entry.response);
++ entry.response = NULL;
++ }
++ }
+ out:
+ down_write(&ipc_msg_table_lock);
+ hash_del(&entry.ipc_table_hlist);
diff --git a/queue-6.1/series b/queue-6.1/series
index 62e253635a0..bb7c99b64fe 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
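Review bot: ipc_validate_msg() reads `resp->payload_sz`, `resp->session_key_len`, `resp->spnego_blob_len` and `resp->veto_list_sz` before anything visible in the patch establishes that `entry->msg_sz` covers the fixed-size response struct, so a response shorter than that header would be read past its allocation; because the expected size is stored in an `unsigned int`, a wrapped `sizeof(...) + resp->payload_sz` could even compare equal to such a short `msg_sz`. Unless the netlink attribute policy (not shown here) already enforces a minimum length, each of the three branches should begin with `if (entry->msg_sz < sizeof(*resp)) return -EINVAL;`. Separately, a share-config response with `payload_sz == 0` skips the size comparison entirely and share_config.c then falls back to `path_len = PATH_MAX`, so `veto_list_sz` and the path terminator stay unchecked on that path. Given the commit's stated concern about a malicious ksmbd.mountd, either reject a zero `payload_sz` or mark the fallback with a comment such as `/* payload_sz == 0: legacy ksmbd-tools, payload size is not validated */`. The share_config.c and ipc_msg_send_request() bodies continue outside their hunks.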
@@ -109,3 +109,8 @@ s390-pai-fix-sampling-event-removal-for-pmu-device-d.patch
 ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch
 nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch
 x86-retpoline-add-noendbr-annotation-to-the-srso-dummy-return-thunk.patch
+ksmbd-don-t-send-oplock-break-if-rename-fails.patch
+ksmbd-validate-payload-size-in-ipc-response.patch
+ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-3.1.1.patch
+alsa-hda-realtek-fix-inactive-headset-mic-jack.patch
+alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch