user/sven/linux.git, branch v5.10.223 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.10.223 2024-07-27T08:40:24Z Linux 5.10.223 2024-07-27T08:40:24Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2024-07-27T08:40:24Z urn:sha1:b15dc4170c6317731c00fa8fe7d4d99a0a04c83c Link: https://lore.kernel.org/r/20240725142733.262322603@linuxfoundation.org Tested-by: ChromeOS CQ Test <chromeos-kernel-stable-merge@google.com> Tested-by: Pavel Machek (CIP) <pavel@denx.de> Tested-by: kernelci.org bot <bot@kernelci.org> Tested-by: Mark Brown <broonie@kernel.org> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tap: add missing verification for short frame 2024-07-27T08:40:24Z Si-Wei Liu si-wei.liu@oracle.com 2024-07-24T17:04:51Z urn:sha1:7431144b406ae82807eb87d8c98e518475b0450f commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream. The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com> Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tun: add missing verification for short frame 2024-07-27T08:40:24Z Dongli Zhang dongli.zhang@oracle.com 2024-07-24T17:04:52Z urn:sha1:6100e0237204890269e3f934acfc50d35fd6f319 commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream. The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091 Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/ Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()") Cc: stable@vger.kernel.org Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> filelock: Fix fcntl/close race recovery compat path 2024-07-27T08:40:24Z Jann Horn jannh@google.com 2024-07-23T15:03:56Z urn:sha1:911cc83e56a2de5a40758766c6a70d6998248860 commit f8138f2ad2f745b9a1c696a05b749eabe44337ea upstream. When I wrote commit 3cad1bc01041 ("filelock: Remove locks reliably when fcntl/close race is detected"), I missed that there are two copies of the code I was patching: The normal version, and the version for 64-bit offsets on 32-bit kernels. Thanks to Greg KH for stumbling over this while doing the stable backport... Apply exactly the same fix to the compat path for 32-bit kernels. Fixes: c293621bbf67 ("[PATCH] stale POSIX lock handling") Cc: stable@kernel.org Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2563 Signed-off-by: Jann Horn <jannh@google.com> Link: https://lore.kernel.org/r/20240723-fs-lock-recover-compatfix-v1-1-148096719529@google.com Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused 2024-07-27T08:40:24Z Shengjiu Wang shengjiu.wang@nxp.com 2024-07-17T06:44:53Z urn:sha1:7fa9d1d2524ccbec10d24318a9f84b62067950ec commit 88e98af9f4b5b0d60c1fe7f7f2701b5467691e75 upstream. When suspended, the DMA channel may enter PAUSE state if dmaengine_pause() is supported by DMA. At this state, dmaengine_synchronize() should not be called, otherwise the DMA channel can't be resumed successfully. Fixes: e8343410ddf0 ("ALSA: dmaengine: Synchronize dma channel after drop()") Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com> Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/1721198693-27636-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB 2024-07-27T08:40:23Z Krishna Kurapati quic_kriskura@quicinc.com 2024-07-04T15:28:47Z urn:sha1:ddf0caf01295e81602e3e81ed51cd04095b5a370 commit 44ea1ae3cf95db97e10d6ce17527948121f1dd4b upstream. For Gen-1 targets like MSM8996, it is seen that stressing out the controller in host mode results in HC died error: xhci-hcd.12.auto: xHCI host not responding to stop endpoint command xhci-hcd.12.auto: xHCI host controller not responding, assume dead xhci-hcd.12.auto: HC died; cleaning up And at this instant only restarting the host mode fixes it. Disable SuperSpeed instance in park mode for MSM8996 to mitigate this issue. Cc: stable@vger.kernel.org Fixes: 1e39255ed29d ("arm64: dts: msm8996: Add device node for qcom,dwc3") Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com> Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org> Link: https://lore.kernel.org/r/20240704152848.3380602-8-quic_kriskura@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 2024-07-27T08:40:23Z Seunghun Han kkamagui@gmail.com 2024-07-18T08:09:08Z urn:sha1:a7ec8a5a7ff277b1fbd8f6e23095a7c0447ab72d commit d7063c08738573fc2f3296da6d31a22fa8aa843a upstream. Samsung Galaxy Book Pro 360 (13" 2022 NT935QDB-KC71S) with codec SSID 144d:c1a4 requires the same workaround to enable the speaker amp as other Samsung models with the ALC298 codec. Signed-off-by: Seunghun Han <kkamagui@gmail.com> Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20240718080908.8677-1-kkamagui@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 2024-07-27T08:40:23Z Edson Juliano Drosdeck edson.drosdeck@gmail.com 2024-07-12T18:06:42Z urn:sha1:74c6b151a85e84901a7408885b9d0e57bc215512 commit 8fc1e8b230771442133d5cf5fa4313277aa2bb8b upstream. Positivo SU C1400 is equipped with ALC256, and it needs ALC269_FIXUP_ASPIRE_HEADSET_MIC quirk to make its headset mic work. Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com> Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20240712180642.22564-1-edson.drosdeck@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> jfs: don't walk off the end of ealist 2024-07-27T08:40:23Z lei lu llfamsec@gmail.com 2024-05-28T18:30:40Z urn:sha1:6386f1b6a10e5d1ddd03db4ff6dfc55d488852ce commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream. Add a check before visiting the members of ea to make sure each ea stays within the ealist. Signed-off-by: lei lu <llfamsec@gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ocfs2: add bounds checking to ocfs2_check_dir_entry() 2024-07-27T08:40:23Z lei lu llfamsec@gmail.com 2024-06-26T10:44:33Z urn:sha1:77495e5da5cb110a8fed27b052c77853fe282176 commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream. This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region. Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com Signed-off-by: lei lu <llfamsec@gmail.com> Reviewed-by: Heming Zhao <heming.zhao@suse.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Gang He <ghe@suse.com> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>