commit 90bb4f8f399f63c479c188f3771a38e9a42791d9 Author: Greg Kroah-Hartman Date: Sat Jan 14 10:23:29 2023 +0100 Linux 5.15.88 Link: https://lore.kernel.org/r/20230112135326.689857506@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Shuah Khan Tested-by: Kelsey Steele Tested-by: Bagas Sanjaya Tested-by: Guenter Roeck Tested-by: Sudip Mukherjee Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Tested-by: Allen Pais Tested-by: Ron Economos Signed-off-by: Greg Kroah-Hartman commit cbd3e6d5e5169fbb43bde3b07375a96cccab5642 Author: Chris Chiu Date: Tue Jan 3 17:53:32 2023 +0800 ALSA: hda - Enable headset mic on another Dell laptop with ALC3254 commit a5751933a7f6abbdad90d98f25a25bb4b133a9e6 upstream. There is another Dell Latitude laptop (1028:0c03) with Realtek codec ALC3254 which needs the ALC269_FIXUP_DELL4_MIC_NO_PRESENCE instead of the default matched ALC269_FIXUP_DELL1_MIC_NO_PRESENCE. Apply correct fixup for this particular model to enable headset mic. Signed-off-by: Chris Chiu Cc: Link: https://lore.kernel.org/r/20230103095332.730677-1-chris.chiu@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b98dee474642dfa94ce4222553928f1b73c4b149 Author: Adrian Chan Date: Mon Jan 9 16:05:20 2023 -0500 ALSA: hda/hdmi: Add a HP device 0x8715 to force connect list commit de1ccb9e61728dd941fe0e955a7a129418657267 upstream. Add the 'HP Engage Flex Mini' device to the force connect list to enable audio through HDMI. Signed-off-by: Adrian Chan Cc: Link: https://lore.kernel.org/r/20230109210520.16060-1-adchan@google.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 26350c21bc5e97a805af878e092eb8125843fe2c Author: Clement Lecigne Date: Fri Jan 13 13:07:45 2023 +0100 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e upstream. Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce snd_ctl_notify_one() helper"). Doing this way we are also fixing the following locking issue happening in the compat path which can be easily triggered and turned into an use-after-free. 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits: snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Cc: stable@kernel.org # 5.13+ Signed-off-by: Clement Lecigne Reviewed-by: Jaroslav Kysela Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit dadd0dcaa67d27f550131de95c8e182643d2c9d6 Author: Paolo Abeni Date: Tue Jan 3 12:19:17 2023 +0100 net/ulp: prevent ULP without clone op from entering the LISTEN status commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream. When an ULP-enabled socket enters the LISTEN status, the listener ULP data pointer is copied inside the child/accepted sockets by sk_clone_lock(). The relevant ULP can take care of de-duplicating the context pointer via the clone() operation, but only MPTCP and SMC implement such op. Other ULPs may end-up with a double-free at socket disposal time. We can't simply clear the ULP data at clone time, as TLS replaces the socket ops with custom ones assuming a valid TLS ULP context is available. Instead completely prevent clone-less ULP sockets from entering the LISTEN status. Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") Reported-by: slipper Signed-off-by: Paolo Abeni Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 04941c1d5bb59d64165e09813de2947bdf6f4f28 Author: Frederick Lawler Date: Mon Jan 9 10:39:06 2023 -0600 net: sched: disallow noqueue for qdisc classes commit 96398560f26aa07e8f2969d73c8197e6a6d10407 upstream. While experimenting with applying noqueue to a classful queue discipline, we discovered a NULL pointer dereference in the __dev_queue_xmit() path that generates a kernel OOPS: # dev=enp0s5 # tc qdisc replace dev $dev root handle 1: htb default 1 # tc class add dev $dev parent 1: classid 1:1 htb rate 10mbit # tc qdisc add dev $dev parent 1:1 handle 10: noqueue # ping -I $dev -w 1 -c 1 1.1.1.1 [ 2.172856] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 2.173217] #PF: supervisor instruction fetch in kernel mode ... [ 2.178451] Call Trace: [ 2.178577] [ 2.178686] htb_enqueue+0x1c8/0x370 [ 2.178880] dev_qdisc_enqueue+0x15/0x90 [ 2.179093] __dev_queue_xmit+0x798/0xd00 [ 2.179305] ? _raw_write_lock_bh+0xe/0x30 [ 2.179522] ? __local_bh_enable_ip+0x32/0x70 [ 2.179759] ? ___neigh_create+0x610/0x840 [ 2.179968] ? eth_header+0x21/0xc0 [ 2.180144] ip_finish_output2+0x15e/0x4f0 [ 2.180348] ? dst_output+0x30/0x30 [ 2.180525] ip_push_pending_frames+0x9d/0xb0 [ 2.180739] raw_sendmsg+0x601/0xcb0 [ 2.180916] ? _raw_spin_trylock+0xe/0x50 [ 2.181112] ? _raw_spin_unlock_irqrestore+0x16/0x30 [ 2.181354] ? get_page_from_freelist+0xcd6/0xdf0 [ 2.181594] ? sock_sendmsg+0x56/0x60 [ 2.181781] sock_sendmsg+0x56/0x60 [ 2.181958] __sys_sendto+0xf7/0x160 [ 2.182139] ? handle_mm_fault+0x6e/0x1d0 [ 2.182366] ? do_user_addr_fault+0x1e1/0x660 [ 2.182627] __x64_sys_sendto+0x1b/0x30 [ 2.182881] do_syscall_64+0x38/0x90 [ 2.183085] entry_SYSCALL_64_after_hwframe+0x63/0xcd ... [ 2.187402] Previously in commit d66d6c3152e8 ("net: sched: register noqueue qdisc"), NULL was set for the noqueue discipline on noqueue init so that __dev_queue_xmit() falls through for the noqueue case. This also sets a bypass of the enqueue NULL check in the register_qdisc() function for the struct noqueue_disc_ops. Classful queue disciplines make it past the NULL check in __dev_queue_xmit() because the discipline is set to htb (in this case), and then in the call to __dev_xmit_skb(), it calls into htb_enqueue() which grabs a leaf node for a class and then calls qdisc_enqueue() by passing in a queue discipline which assumes ->enqueue() is not set to NULL. Fix this by not allowing classes to be assigned to the noqueue discipline. Linux TC Notes states that classes cannot be set to the noqueue discipline. [1] Let's enforce that here. Links: 1. https://linux-tc-notes.sourceforge.net/tc/doc/sch_noqueue.txt Fixes: d66d6c3152e8 ("net: sched: register noqueue qdisc") Cc: stable@vger.kernel.org Signed-off-by: Frederick Lawler Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/r/20230109163906.706000-1-fred@cloudflare.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 068b512193624c93afa02db6ca40e87865ff11a6 Author: Rasmus Villemoes Date: Thu Dec 22 12:44:14 2022 +0100 serial: fixup backport of "serial: Deassert Transmit Enable on probe in driver-specific way" When 7c7f9bc986e6 ("serial: Deassert Transmit Enable on probe in driver-specific way") got backported to 5.15.y, there known as b079d3775237, some hunks were accidentally left out. In fsl_lpuart.c, this amounts to uart_remove_one_port() being called in an error path despite uart_add_one_port() not having been called. In serial_core.c, it is possible that the omission in uart_suspend_port() is harmless, but the backport did have the corresponding hunk in uart_resume_port(), it runs counter to the original commit's intention of Skip any invocation of ->set_mctrl() if RS485 is enabled. and it's certainly better to be aligned with upstream. Fixes: b079d3775237 ("serial: Deassert Transmit Enable on probe in driver-specific way") Signed-off-by: Rasmus Villemoes Reviewed-by: Dominique MARTINET Signed-off-by: Greg Kroah-Hartman commit 46aa1557581ff4cc380c3b29ef516f2b15129a4e Author: Kyle Huey Date: Mon Jan 9 13:02:14 2023 -0800 selftests/vm/pkeys: Add a regression test for setting PKRU through ptrace commit 6ea25770b043c7997ab21d1ce95ba5de4d3d85d9 upstream This tests PTRACE_SETREGSET with NT_X86_XSTATE modifying PKRU directly and removing the PKRU bit from XSTATE_BV. Signed-off-by: Kyle Huey Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20221115230932.7126-7-khuey%40kylehuey.com Signed-off-by: Greg Kroah-Hartman commit 3c1940c54922c2f5d434f11f568045dc5e5154f4 Author: Kyle Huey Date: Mon Jan 9 13:02:13 2023 -0800 x86/fpu: Emulate XRSTOR's behavior if the xfeatures PKRU bit is not set commit d7e5aceace514a2b1b3ca3dc44f93f1704766ca7 upstream The hardware XRSTOR instruction resets the PKRU register to its hardware init value (namely 0) if the PKRU bit is not set in the xfeatures mask. Emulating that here restores the pre-5.14 behavior for PTRACE_SET_REGSET with NT_X86_XSTATE, and makes sigreturn (which still uses XRSTOR) and behave identically. Fixes: e84ba47e313d ("x86/fpu: Hook up PKRU into ptrace()") Signed-off-by: Kyle Huey Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20221115230932.7126-6-khuey%40kylehuey.com Signed-off-by: Greg Kroah-Hartman commit 3f1c81426a9f1cf038b00994dab1ececa72de56b Author: Kyle Huey Date: Mon Jan 9 13:02:12 2023 -0800 x86/fpu: Allow PKRU to be (once again) written by ptrace. commit 4a804c4f8356393d6b5eff7600f07615d7869c13 upstream Handle PKRU in copy_uabi_to_xstate() for the benefit of APIs that write the XSTATE such as PTRACE_SETREGSET with NT_X86_XSTATE. This restores the pre-5.14 behavior of ptrace. The regression can be seen by running gdb and executing `p $pkru`, `set $pkru = 42`, and `p $pkru`. On affected kernels (5.14+) the write to the PKRU register (which gdb performs through ptrace) is ignored. Fixes: e84ba47e313d ("x86/fpu: Hook up PKRU into ptrace()") Signed-off-by: Kyle Huey Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20221115230932.7126-5-khuey%40kylehuey.com Signed-off-by: Greg Kroah-Hartman commit b29773d6b0bb8e4eaab2195dce873fb32a5d4731 Author: Kyle Huey Date: Mon Jan 9 13:02:11 2023 -0800 x86/fpu: Add a pkru argument to copy_uabi_to_xstate() commit 2c87767c35ee9744f666ccec869d5fe742c3de0a upstream In preparation for adding PKRU handling code into copy_uabi_to_xstate(), add an argument that copy_uabi_from_kernel_to_xstate() can use to pass the canonical location of the PKRU value. For copy_sigframe_from_user_to_xstate() the kernel will actually restore the PKRU value from the fpstate, but pass in the thread_struct's pkru location anyways for consistency. Signed-off-by: Kyle Huey Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20221115230932.7126-4-khuey%40kylehuey.com Signed-off-by: Greg Kroah-Hartman commit 9813c5fc22bcc3c7923226137a108b94da9305ee Author: Kyle Huey Date: Mon Jan 9 13:02:10 2023 -0800 x86/fpu: Add a pkru argument to copy_uabi_from_kernel_to_xstate(). commit 1c813ce0305571e1b2e4cc4acca451da9e6ad18f upstream ptrace (through PTRACE_SETREGSET with NT_X86_XSTATE) ultimately calls copy_uabi_from_kernel_to_xstate(). In preparation for eventually handling PKRU in copy_uabi_to_xstate, pass in a pointer to the PKRU location. Signed-off-by: Kyle Huey Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20221115230932.7126-3-khuey%40kylehuey.com Signed-off-by: Greg Kroah-Hartman commit fea26e83a196f1ae5f4d14ce80206f2c0e733732 Author: Kyle Huey Date: Mon Jan 9 13:02:09 2023 -0800 x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() commit 6a877d2450ace4f27c012519e5a1ae818f931983 upstream This will allow copy_sigframe_from_user_to_xstate() to grab the address of thread_struct's pkru value in a later patch. Signed-off-by: Kyle Huey Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20221115230932.7126-2-khuey%40kylehuey.com Signed-off-by: Greg Kroah-Hartman commit d4d152017e1d7418645be07be8aed1c8a65e6e8a Author: Helge Deller Date: Sun Dec 11 19:50:20 2022 +0100 parisc: Align parisc MADV_XXX constants with all other architectures commit 71bdea6f798b425bc0003780b13e3fdecb16a010 upstream. Adjust some MADV_XXX constants to be in sync what their values are on all other platforms. There is currently no reason to have an own numbering on parisc, but it requires workarounds in many userspace sources (e.g. glibc, qemu, ...) - which are often forgotten and thus introduce bugs and different behaviour on parisc. A wrapper avoids an ABI breakage for existing userspace applications by translating any old values to the new ones, so this change allows us to move over all programs to the new ABI over time. Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman