From: Sasha Levin Date: Sun, 24 Dec 2023 14:10:31 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.1.70~43^2~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=50f4719e63aa6fa3f3baf02de93e70c9ee3a895e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-hda-hdmi-add-force-connect-quirk-for-nuc5cpyb.patch b/queue-5.4/alsa-hda-hdmi-add-force-connect-quirk-for-nuc5cpyb.patch new file mode 100644 index 00000000000..0d06a160f0f --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-add-force-connect-quirk-for-nuc5cpyb.patch @@ -0,0 +1,47 @@ +From 9e03adb876f331059648c4ec89b8fcc29503aed2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 15:21:26 +0200 +Subject: ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Vehmanen + +[ Upstream commit 3b1ff57e24a7bcd2e2a8426dd2013a80d1fa96eb ] + +Add one more older NUC model that requires quirk to force all pins to be +connected. The display codec pins are not registered properly without +the force-connect quirk. The codec will report only one pin as having +external connectivity, but i915 finds all three connectors on the +system, so the two drivers are not in sync. + +Issue found with DRM igt-gpu-tools test kms_hdmi_inject@inject-audio. + +Link: https://gitlab.freedesktop.org/drm/igt-gpu-tools/-/issues/3 +Cc: Ville Syrjälä +Cc: Jani Saarinen +Signed-off-by: Kai Vehmanen +Cc: +Link: https://lore.kernel.org/r/20231208132127.2438067-2-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index a0de66674faaf..ff81e6051773a 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1825,6 +1825,7 @@ static const struct snd_pci_quirk force_connect_list[] = { + SND_PCI_QUIRK(0x1043, 0x86ae, "ASUS", 1), /* Z170 PRO */ + SND_PCI_QUIRK(0x1043, 0x86c7, "ASUS", 1), /* Z170M PLUS */ + SND_PCI_QUIRK(0x1462, 0xec94, "MS-7C94", 1), ++ SND_PCI_QUIRK(0x8086, 0x2060, "Intel NUC5CPYB", 1), + SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", 1), + {} + }; +-- +2.43.0 + diff --git a/queue-5.4/alsa-hda-hdmi-add-quirk-to-force-pin-connectivity-on.patch b/queue-5.4/alsa-hda-hdmi-add-quirk-to-force-pin-connectivity-on.patch new file mode 100644 index 00000000000..7363a36e587 --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-add-quirk-to-force-pin-connectivity-on.patch @@ -0,0 +1,38 @@ +From 75fa32ccbd95242b40910d675e080bbb6475848c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 18:32:16 +0300 +Subject: ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10 + +From: Kai Vehmanen + +[ Upstream commit e81d71e343c6c62cf323042caed4b7ca049deda5 ] + +On some Intel NUC10 variants, codec reports AC_JACK_PORT_NONE as +pin default config for all pins. This results in broken audio. +Add a quirk to force connectivity. + +BugLink: https://github.com/clearlinux/distribution/issues/2396 +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20210720153216.2200938-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Stable-dep-of: 3b1ff57e24a7 ("ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB") +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 56943daccfc72..a0de66674faaf 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1825,6 +1825,7 @@ static const struct snd_pci_quirk force_connect_list[] = { + SND_PCI_QUIRK(0x1043, 0x86ae, "ASUS", 1), /* Z170 PRO */ + SND_PCI_QUIRK(0x1043, 0x86c7, "ASUS", 1), /* Z170M PLUS */ + SND_PCI_QUIRK(0x1462, 0xec94, "MS-7C94", 1), ++ SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", 1), + {} + }; + +-- +2.43.0 + diff --git a/queue-5.4/btrfs-do-not-allow-non-subvolume-root-targets-for-sn.patch b/queue-5.4/btrfs-do-not-allow-non-subvolume-root-targets-for-sn.patch new file mode 100644 index 00000000000..aa6c8b701b4 --- /dev/null +++ b/queue-5.4/btrfs-do-not-allow-non-subvolume-root-targets-for-sn.patch @@ -0,0 +1,49 @@ +From 7004fc6d7a28002a69417c746aa3ca3302ac84e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 10:01:44 -0500 +Subject: btrfs: do not allow non subvolume root targets for snapshot + +From: Josef Bacik + +[ Upstream commit a8892fd71933126ebae3d60aec5918d4dceaae76 ] + +Our btrfs subvolume snapshot utility enforces +that is the root of the subvolume, however this isn't enforced +in the kernel. Update the kernel to also enforce this limitation to +avoid problems with other users of this ioctl that don't have the +appropriate checks in place. + +Reported-by: Martin Michaelis +CC: stable@vger.kernel.org # 4.14+ +Reviewed-by: Neal Gompa +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ioctl.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 1575992d1f14c..9f1efd5c24f1a 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1847,6 +1847,15 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file, + * are limited to own subvolumes only + */ + ret = -EPERM; ++ } else if (btrfs_ino(BTRFS_I(src_inode)) != BTRFS_FIRST_FREE_OBJECTID) { ++ /* ++ * Snapshots must be made with the src_inode referring ++ * to the subvolume inode, otherwise the permission ++ * checking above is useless because we may have ++ * permission on a lower directory but not the subvol ++ * itself. ++ */ ++ ret = -EINVAL; + } else { + ret = btrfs_mksubvol(&file->f_path, name, namelen, + BTRFS_I(src_inode)->root, +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index dc54096a065..3f75a855a62 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -19,3 +19,7 @@ net-check-dev-gso_max_size-in-gso_features_check.patch afs-fix-overwriting-of-result-of-dns-query.patch i2c-aspeed-handle-the-coalesced-stop-conditions-with.patch pinctrl-at91-pio4-use-dedicated-lock-class-for-irq.patch +alsa-hda-hdmi-add-quirk-to-force-pin-connectivity-on.patch +alsa-hda-hdmi-add-force-connect-quirk-for-nuc5cpyb.patch +smb-client-fix-null-deref-in-asn1_ber_decoder.patch +btrfs-do-not-allow-non-subvolume-root-targets-for-sn.patch diff --git a/queue-5.4/smb-client-fix-null-deref-in-asn1_ber_decoder.patch b/queue-5.4/smb-client-fix-null-deref-in-asn1_ber_decoder.patch new file mode 100644 index 00000000000..784d3169638 --- /dev/null +++ b/queue-5.4/smb-client-fix-null-deref-in-asn1_ber_decoder.patch @@ -0,0 +1,136 @@ +From 672aa2b3832796bba3dc39f08e58d5a236ba9f7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 10:26:42 -0300 +Subject: smb: client: fix NULL deref in asn1_ber_decoder() + +From: Paulo Alcantara + +[ Upstream commit 90d025c2e953c11974e76637977c473200593a46 ] + +If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset, +smb2_get_data_area() sets @len to non-zero but return NULL, so +decode_negTokeninit() ends up being called with a NULL @security_blob: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 2 PID: 871 Comm: mount.cifs Not tainted 6.7.0-rc4 #2 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + RIP: 0010:asn1_ber_decoder+0x173/0xc80 + Code: 01 4c 39 2c 24 75 09 45 84 c9 0f 85 2f 03 00 00 48 8b 14 24 4c 29 ea 48 83 fa 01 0f 86 1e 07 00 00 48 8b 74 24 28 4d 8d 5d 01 <42> 0f b6 3c 2e 89 fa 40 88 7c 24 5c f7 d2 83 e2 1f 0f 84 3d 07 00 + RSP: 0018:ffffc9000063f950 EFLAGS: 00010202 + RAX: 0000000000000002 RBX: 0000000000000000 RCX: 000000000000004a + RDX: 000000000000004a RSI: 0000000000000000 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000000 + R13: 0000000000000000 R14: 000000000000004d R15: 0000000000000000 + FS: 00007fce52b0fbc0(0000) GS:ffff88806ba00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000001ae64000 CR4: 0000000000750ef0 + PKRU: 55555554 + Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x181/0x480 + ? __stack_depot_save+0x1e6/0x480 + ? exc_page_fault+0x6f/0x1c0 + ? asm_exc_page_fault+0x26/0x30 + ? asn1_ber_decoder+0x173/0xc80 + ? check_object+0x40/0x340 + decode_negTokenInit+0x1e/0x30 [cifs] + SMB2_negotiate+0xc99/0x17c0 [cifs] + ? smb2_negotiate+0x46/0x60 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + smb2_negotiate+0x46/0x60 [cifs] + cifs_negotiate_protocol+0xae/0x130 [cifs] + cifs_get_smb_ses+0x517/0x1040 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? queue_delayed_work_on+0x5d/0x90 + cifs_mount_get_session+0x78/0x200 [cifs] + dfs_mount_share+0x13a/0x9f0 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + ? lock_acquire+0xbf/0x2b0 + ? find_nls+0x16/0x80 + ? srso_alias_return_thunk+0x5/0xfbef5 + cifs_mount+0x7e/0x350 [cifs] + cifs_smb3_do_mount+0x128/0x780 [cifs] + smb3_get_tree+0xd9/0x290 [cifs] + vfs_get_tree+0x2c/0x100 + ? capable+0x37/0x70 + path_mount+0x2d7/0xb80 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? _raw_spin_unlock_irqrestore+0x44/0x60 + __x64_sys_mount+0x11a/0x150 + do_syscall_64+0x47/0xf0 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + RIP: 0033:0x7fce52c2ab1e + +Fix this by setting @len to zero when @off == 0 so callers won't +attempt to dereference non-existing data areas. + +Reported-by: Robert Morris +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2misc.c | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 7177720e822e1..d3d5d2c6c4013 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -302,6 +302,9 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { + char * + smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr) + { ++ const int max_off = 4096; ++ const int max_len = 128 * 1024; ++ + *off = 0; + *len = 0; + +@@ -369,29 +372,20 @@ smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr) + * Invalid length or offset probably means data area is invalid, but + * we have little choice but to ignore the data area in this case. + */ +- if (*off > 4096) { +- cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off); +- *len = 0; +- *off = 0; +- } else if (*off < 0) { +- cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n", +- *off); ++ if (unlikely(*off < 0 || *off > max_off || ++ *len < 0 || *len > max_len)) { ++ cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n", ++ __func__, *off, *len); + *off = 0; + *len = 0; +- } else if (*len < 0) { +- cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n", +- *len); +- *len = 0; +- } else if (*len > 128 * 1024) { +- cifs_dbg(VFS, "data area larger than 128K: %d\n", *len); ++ } else if (*off == 0) { + *len = 0; + } + + /* return pointer to beginning of data area, ie offset from SMB start */ +- if ((*off != 0) && (*len != 0)) ++ if (*off > 0 && *len > 0) + return (char *)shdr + *off; +- else +- return NULL; ++ return NULL; + } + + /* +-- +2.43.0 +