--- /dev/null
+From cb3e9864cdbe35ff6378966660edbcbac955fe17 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 10 Jan 2023 08:59:06 +0800
+Subject: ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit cb3e9864cdbe35ff6378966660edbcbac955fe17 upstream.
+
+The total cork length created by ip6_append_data includes extension
+headers, so we must exclude them when comparing them against the
+IPV6_CHECKSUM offset which does not include extension headers.
+
+Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
+Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/raw.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -544,6 +544,7 @@ csum_copy_err:
+ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
+ struct raw6_sock *rp)
+ {
++ struct ipv6_txoptions *opt;
+ struct sk_buff *skb;
+ int err = 0;
+ int offset;
+@@ -561,6 +562,9 @@ static int rawv6_push_pending_frames(str
+
+ offset = rp->offset;
+ total_len = inet_sk(sk)->cork.base.length;
++ opt = inet6_sk(sk)->cork.opt;
++ total_len -= opt ? opt->opt_flen : 0;
++
+ if (offset >= total_len - 1) {
+ err = -EINVAL;
+ ip6_flush_pending_frames(sk);
--- /dev/null
+From ad75bd85b1db69c97eefea07b375567821f6ef58 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 13 Dec 2022 13:29:43 +0100
+Subject: platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit ad75bd85b1db69c97eefea07b375567821f6ef58 upstream.
+
+The 0x153 version of the kbd backlight control SNC handle has no separate
+address to probe if the backlight is there.
+
+This turns the probe call into a set keyboard backlight call with a value
+of 0 turning off the keyboard backlight.
+
+Skip probing when there is no separate probe address to avoid this.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1583752
+Fixes: 800f20170dcf ("Keyboard backlight control for some Vaio Fit models")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Mattia Dongili <malattia@linux.it>
+Link: https://lore.kernel.org/r/20221213122943.11123-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/sony-laptop.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -1911,14 +1911,21 @@ static int sony_nc_kbd_backlight_setup(s
+ break;
+ }
+
+- ret = sony_call_snc_handle(handle, probe_base, &result);
+- if (ret)
+- return ret;
++ /*
++ * Only probe if there is a separate probe_base, otherwise the probe call
++ * is equivalent to __sony_nc_kbd_backlight_mode_set(0), resulting in
++ * the keyboard backlight being turned off.
++ */
++ if (probe_base) {
++ ret = sony_call_snc_handle(handle, probe_base, &result);
++ if (ret)
++ return ret;
+
+- if ((handle == 0x0137 && !(result & 0x02)) ||
+- !(result & 0x01)) {
+- dprintk("no backlight keyboard found\n");
+- return 0;
++ if ((handle == 0x0137 && !(result & 0x02)) ||
++ !(result & 0x01)) {
++ dprintk("no backlight keyboard found\n");
++ return 0;
++ }
+ }
+
+ kbdbl_ctl = kzalloc(sizeof(*kbdbl_ctl), GFP_KERNEL);
projects / thirdparty / kernel / stable-queue.git / commitdiff
