Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Mon, 6 Feb 2023 13:35:52 +0000 (08:35 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 6 Feb 2023 13:35:52 +0000 (08:35 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch [new file with mode: 0644]
queue-4.14/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch [new file with mode: 0644]
queue-4.14/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch [new file with mode: 0644]
queue-4.14/net-x25-fix-to-not-accept-on-connected-socket.patch [new file with mode: 0644]
queue-4.14/netrom-fix-use-after-free-caused-by-accept-on-alread.patch [new file with mode: 0644]
queue-4.14/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch [new file with mode: 0644]
queue-4.14/scsi-target-core-fix-warning-on-rt-kernels.patch [new file with mode: 0644]
queue-4.14/sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch [new file with mode: 0644]

diff --git a/queue-4.14/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch b/queue-4.14/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch
new file mode 100644 (file)
index 0000000..055e1c4
--- /dev/null
@@ -0,0 +1,41 @@
+From 4fc14db2dd03bc12b960fbe24e258ce5265e25a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 00:22:59 -0800
+Subject: ALSA: hda/via: Avoid potential array out-of-bound in
+ add_secret_dac_path()
+
+From: Artemii Karasev <karasev@ispras.ru>
+
+[ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ]
+
+snd_hda_get_connections() can return a negative error code.
+It may lead to accessing 'conn' array at a negative index.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Artemii Karasev <karasev@ispras.ru>
+Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs")
+Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_via.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c
+index 9dd104c308e1..5ab6d9b3e6d0 100644
+--- a/sound/pci/hda/patch_via.c
++++ b/sound/pci/hda/patch_via.c
+@@ -870,6 +870,9 @@ static int add_secret_dac_path(struct hda_codec *codec)
+               return 0;
+       nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn,
+                                      ARRAY_SIZE(conn) - 1);
++      if (nums < 0)
++              return nums;
++
+       for (i = 0; i < nums; i++) {
+               if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT)
+                       return 0;
+-- 
+2.39.0
+
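Review bot: The new `if (nums < 0) return nums;` guard makes the propagated errno the only non-zero value add_secret_dac_path() can return, while every other path visible in the hunk returns 0; the caller is outside this hunk, so it is worth confirming it treats a negative return as a failure and not as a count. A one-line why-comment would keep the intent from being lost in a later cleanup, e.g. `/* snd_hda_get_connections() returns a negative errno on failure; never index conn[] with it */`. add_secret_dac_path() begins and ends outside the hunk.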
diff --git a/queue-4.14/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch b/queue-4.14/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch
new file mode 100644 (file)
index 0000000..3aeb7f6
--- /dev/null
@@ -0,0 +1,46 @@
+From d1dd189c7eeb29402b07a42be35adcdf80cbfe86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 09:42:00 +0000
+Subject: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ]
+
+The sunxi_rsb_init() returns the platform_driver_register() directly
+without checking its return value, if platform_driver_register() failed,
+the sunxi_rsb_bus is not unregistered.
+Fix by unregister sunxi_rsb_bus when platform_driver_register() failed.
+
+Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/sunxi-rsb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index d3fb350dc9ee..bf4db708f0bd 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -783,7 +783,13 @@ static int __init sunxi_rsb_init(void)
+               return ret;
+       }
+-      return platform_driver_register(&sunxi_rsb_driver);
++      ret = platform_driver_register(&sunxi_rsb_driver);
++      if (ret) {
++              bus_unregister(&sunxi_rsb_bus);
++              return ret;
++      }
++
++      return 0;
+ }
+ module_init(sunxi_rsb_init);
+-- 
+2.39.0
+
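Review bot: The new tail of sunxi_rsb_init() can be written without the nested `return ret;` and the trailing `return 0;`, since `ret` already carries 0 on the success path: `ret = platform_driver_register(&sunxi_rsb_driver); if (ret) bus_unregister(&sunxi_rsb_bus); return ret;`. The version in the hunk is correct; this is only about shape, and the shorter form appears to mirror the error path that ends at the top of the hunk. sunxi_rsb_init() begins outside the hunk.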
diff --git a/queue-4.14/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch b/queue-4.14/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch
new file mode 100644 (file)
index 0000000..8dfe3a4
--- /dev/null
@@ -0,0 +1,110 @@
+From 9fbb7787d30cda68d8caa7e07e6864ce9f168979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 00:02:18 +0300
+Subject: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ]
+
+Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is
+not freed when an allocation of a key fails.
+
+BUG: memory leak
+unreferenced object 0xffff888116668000 (size 632):
+  comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
+    [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77
+    [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957
+    [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739
+    [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+    [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800
+    [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515
+    [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
+    [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
+    [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339
+    [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934
+    [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline]
+    [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671
+    [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356
+    [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410
+    [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+    [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
+    [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+To fix this the patch rearranges the goto labels to reflect the order of
+object allocations and adds appropriate goto statements on the error
+paths.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 8598bc101244..3ae4ccb9895d 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -961,14 +961,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+       key = kzalloc(sizeof(*key), GFP_KERNEL);
+       if (!key) {
+               error = -ENOMEM;
+-              goto err_kfree_key;
++              goto err_kfree_flow;
+       }
+       ovs_match_init(&match, key, false, &mask);
+       error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY],
+                                 a[OVS_FLOW_ATTR_MASK], log);
+       if (error)
+-              goto err_kfree_flow;
++              goto err_kfree_key;
+       ovs_flow_mask_key(&new_flow->key, key, true, &mask);
+@@ -976,14 +976,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+       error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID],
+                                      key, log);
+       if (error)
+-              goto err_kfree_flow;
++              goto err_kfree_key;
+       /* Validate actions. */
+       error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS],
+                                    &new_flow->key, &acts, log);
+       if (error) {
+               OVS_NLERR(log, "Flow actions may not be safe on all matching packets.");
+-              goto err_kfree_flow;
++              goto err_kfree_key;
+       }
+       reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false,
+@@ -1083,10 +1083,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+       kfree_skb(reply);
+ err_kfree_acts:
+       ovs_nla_free_flow_actions(acts);
+-err_kfree_flow:
+-      ovs_flow_free(new_flow, false);
+ err_kfree_key:
+       kfree(key);
++err_kfree_flow:
++      ovs_flow_free(new_flow, false);
+ error:
+       return error;
+ }
+-- 
+2.39.0
+
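Review bot: Because `err_kfree_key` and `err_kfree_flow` keep their names but swap position in the unwind chain, any jump to either label from the part of ovs_flow_cmd_new() between the shown hunks (roughly lines 990–1083, not in this view) would silently change what it frees; the 6/6 diffstat suggests every such jump is in this patch, but that should be confirmed on the 4.14 tree rather than assumed. The resulting order — acts, then key, then flow — is the reverse of allocation, which is the right shape for goto cleanup. ovs_flow_cmd_new() begins outside the hunk.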
diff --git a/queue-4.14/net-x25-fix-to-not-accept-on-connected-socket.patch b/queue-4.14/net-x25-fix-to-not-accept-on-connected-socket.patch
new file mode 100644 (file)
index 0000000..d547858
--- /dev/null
@@ -0,0 +1,47 @@
+From 75d02537d3fc1281c42776a1e5f3f3b6dec9d33f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 11:43:23 -0800
+Subject: net/x25: Fix to not accept on connected socket
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+[ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ]
+
+When listen() and accept() are called on an x25 socket
+that connect() succeeds, accept() succeeds immediately.
+This is because x25_connect() queues the skb to
+sk->sk_receive_queue, and x25_accept() dequeues it.
+
+This creates a child socket with the sk of the parent
+x25 socket, which can cause confusion.
+
+Fix x25_listen() to return -EINVAL if the socket has
+already been successfully connect()ed to avoid this issue.
+
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/x25/af_x25.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index e103ec39759f..73e293c3f2fb 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -496,6 +496,12 @@ static int x25_listen(struct socket *sock, int backlog)
+       int rc = -EOPNOTSUPP;
+       lock_sock(sk);
++      if (sock->state != SS_UNCONNECTED) {
++              rc = -EINVAL;
++              release_sock(sk);
++              return rc;
++      }
++
+       if (sk->sk_state != TCP_LISTEN) {
+               memset(&x25_sk(sk)->dest_addr, 0, X25_ADDR_LEN);
+               sk->sk_max_ack_backlog = backlog;
+-- 
+2.39.0
+
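Review bot: The new guard in x25_listen() assigns `rc = -EINVAL;` only to return it two lines later, which reads as if `rc` were used afterwards; `release_sock(sk); return -EINVAL;` says the same thing in two lines and matches how the equivalent guard is written in the netrom patch in this same queue. The `sock->state != SS_UNCONNECTED` test itself is the fix and is fine as written. x25_listen() begins and ends outside the hunk.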
diff --git a/queue-4.14/netrom-fix-use-after-free-caused-by-accept-on-alread.patch b/queue-4.14/netrom-fix-use-after-free-caused-by-accept-on-alread.patch
new file mode 100644 (file)
index 0000000..0ce3880
--- /dev/null
@@ -0,0 +1,211 @@
+From d6b39f4bfaea6aec1f17f1a6ef831112655c71cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 18:32:50 -0800
+Subject: netrom: Fix use-after-free caused by accept on already connected
+ socket
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ]
+
+If you call listen() and accept() on an already connect()ed
+AF_NETROM socket, accept() can successfully connect.
+This is because when the peer socket sends data to sendmsg,
+the skb with its own sk stored in the connected socket's
+sk->sk_receive_queue is connected, and nr_accept() dequeues
+the skb waiting in the sk->sk_receive_queue.
+
+As a result, nr_accept() allocates and returns a sock with
+the sk of the parent AF_NETROM socket.
+
+And here use-after-free can happen through complex race conditions:
+```
+                  cpu0                                                     cpu1
+                                                               1. socket_2 = socket(AF_NETROM)
+                                                                        .
+                                                                        .
+                                                                  listen(socket_2)
+                                                                  accepted_socket = accept(socket_2)
+       2. socket_1 = socket(AF_NETROM)
+            nr_create()    // sk refcount : 1
+          connect(socket_1)
+                                                               3. write(accepted_socket)
+                                                                    nr_sendmsg()
+                                                                    nr_output()
+                                                                    nr_kick()
+                                                                    nr_send_iframe()
+                                                                    nr_transmit_buffer()
+                                                                    nr_route_frame()
+                                                                    nr_loopback_queue()
+                                                                    nr_loopback_timer()
+                                                                    nr_rx_frame()
+                                                                    nr_process_rx_frame(sk, skb);    // sk : socket_1's sk
+                                                                    nr_state3_machine()
+                                                                    nr_queue_rx_frame()
+                                                                    sock_queue_rcv_skb()
+                                                                    sock_queue_rcv_skb_reason()
+                                                                    __sock_queue_rcv_skb()
+                                                                    __skb_queue_tail(list, skb);    // list : socket_1's sk->sk_receive_queue
+       4. listen(socket_1)
+            nr_listen()
+          uaf_socket = accept(socket_1)
+            nr_accept()
+            skb_dequeue(&sk->sk_receive_queue);
+                                                               5. close(accepted_socket)
+                                                                    nr_release()
+                                                                    nr_write_internal(sk, NR_DISCREQ)
+                                                                    nr_transmit_buffer()    // NR_DISCREQ
+                                                                    nr_route_frame()
+                                                                    nr_loopback_queue()
+                                                                    nr_loopback_timer()
+                                                                    nr_rx_frame()    // sk : socket_1's sk
+                                                                    nr_process_rx_frame()  // NR_STATE_3
+                                                                    nr_state3_machine()    // NR_DISCREQ
+                                                                    nr_disconnect()
+                                                                    nr_sk(sk)->state = NR_STATE_0;
+       6. close(socket_1)    // sk refcount : 3
+            nr_release()    // NR_STATE_0
+            sock_put(sk);    // sk refcount : 0
+            sk_free(sk);
+          close(uaf_socket)
+            nr_release()
+            sock_hold(sk);    // UAF
+```
+
+KASAN report by syzbot:
+```
+BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520
+Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:306 [inline]
+ print_report+0x15e/0x461 mm/kasan/report.c:417
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
+ instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
+ atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
+ __refcount_add include/linux/refcount.h:193 [inline]
+ __refcount_inc include/linux/refcount.h:250 [inline]
+ refcount_inc include/linux/refcount.h:267 [inline]
+ sock_hold include/net/sock.h:775 [inline]
+ nr_release+0x66/0x460 net/netrom/af_netrom.c:520
+ __sock_release+0xcd/0x280 net/socket.c:650
+ sock_close+0x1c/0x20 net/socket.c:1365
+ __fput+0x27c/0xa90 fs/file_table.c:320
+ task_work_run+0x16f/0x270 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xaa8/0x2950 kernel/exit.c:867
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
+ get_signal+0x21c3/0x2450 kernel/signal.c:2859
+ arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
+ exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
+ exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
+ do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f6c19e3c9b9
+Code: Unable to access opcode bytes at 0x7f6c19e3c98f.
+RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
+RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9
+RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006
+RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d
+R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0
+R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 5128:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ ____kasan_kmalloc mm/kasan/common.c:371 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:330 [inline]
+ __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
+ kasan_kmalloc include/linux/kasan.h:211 [inline]
+ __do_kmalloc_node mm/slab_common.c:968 [inline]
+ __kmalloc+0x5a/0xd0 mm/slab_common.c:981
+ kmalloc include/linux/slab.h:584 [inline]
+ sk_prot_alloc+0x140/0x290 net/core/sock.c:2038
+ sk_alloc+0x3a/0x7a0 net/core/sock.c:2091
+ nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433
+ __sock_create+0x359/0x790 net/socket.c:1515
+ sock_create net/socket.c:1566 [inline]
+ __sys_socket_create net/socket.c:1603 [inline]
+ __sys_socket_create net/socket.c:1588 [inline]
+ __sys_socket+0x133/0x250 net/socket.c:1636
+ __do_sys_socket net/socket.c:1649 [inline]
+ __se_sys_socket net/socket.c:1647 [inline]
+ __x64_sys_socket+0x73/0xb0 net/socket.c:1647
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 5128:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ __cache_free mm/slab.c:3394 [inline]
+ __do_kmem_cache_free mm/slab.c:3580 [inline]
+ __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587
+ sk_prot_free net/core/sock.c:2074 [inline]
+ __sk_destruct+0x5df/0x750 net/core/sock.c:2166
+ sk_destruct net/core/sock.c:2181 [inline]
+ __sk_free+0x175/0x460 net/core/sock.c:2192
+ sk_free+0x7c/0xa0 net/core/sock.c:2203
+ sock_put include/net/sock.h:1991 [inline]
+ nr_release+0x39e/0x460 net/netrom/af_netrom.c:554
+ __sock_release+0xcd/0x280 net/socket.c:650
+ sock_close+0x1c/0x20 net/socket.c:1365
+ __fput+0x27c/0xa90 fs/file_table.c:320
+ task_work_run+0x16f/0x270 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xaa8/0x2950 kernel/exit.c:867
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
+ get_signal+0x21c3/0x2450 kernel/signal.c:2859
+ arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
+ exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
+ exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
+ do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+```
+
+To fix this issue, nr_listen() returns -EINVAL for sockets that
+successfully nr_connect().
+
+Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index aebc804c10aa..b5a99b517207 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -403,6 +403,11 @@ static int nr_listen(struct socket *sock, int backlog)
+       struct sock *sk = sock->sk;
+       lock_sock(sk);
++      if (sock->state != SS_UNCONNECTED) {
++              release_sock(sk);
++              return -EINVAL;
++      }
++
+       if (sk->sk_state != TCP_LISTEN) {
+               memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN);
+               sk->sk_max_ack_backlog = backlog;
+-- 
+2.39.0
+
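Review bot: The new `sock->state != SS_UNCONNECTED` check in nr_listen() carries no comment, so the reason listening on a connected socket must fail — nr_accept() would dequeue a peer skb and return a child that aliases this sk, which the commit message traces to the use-after-free on close — lives only in the changelog. Suggest `/* A connected socket already has peer skbs queued; letting it listen would let nr_accept() hand out a child aliasing this sk. */` above the `if`. The same guard appears in the x25 patch in this queue; a comment there would help equally. nr_listen() begins and ends outside the hunk.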
diff --git a/queue-4.14/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch b/queue-4.14/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch
new file mode 100644 (file)
index 0000000..bdd8ec3
--- /dev/null
@@ -0,0 +1,69 @@
+From 15a626e455cef1515a5732fcef9ee4707d4d78eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 13:39:37 -0600
+Subject: scsi: iscsi_tcp: Fix UAF during login when accessing the shost
+ ipaddress
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
+
+If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
+userspace could be accessing the host's ipaddress attr. If we then free the
+session via iscsi_session_teardown() while userspace is still accessing the
+session we will hit a use after free bug.
+
+Set the tcp_sw_host->session after we have completed session creation and
+can no longer fail.
+
+Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Acked-by: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index e3ca16043f9a..9161fe8fba88 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -773,7 +773,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
+                                      enum iscsi_host_param param, char *buf)
+ {
+       struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
+-      struct iscsi_session *session = tcp_sw_host->session;
++      struct iscsi_session *session;
+       struct iscsi_conn *conn;
+       struct iscsi_tcp_conn *tcp_conn;
+       struct iscsi_sw_tcp_conn *tcp_sw_conn;
+@@ -782,6 +782,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
+       switch (param) {
+       case ISCSI_HOST_PARAM_IPADDRESS:
++              session = tcp_sw_host->session;
+               if (!session)
+                       return -ENOTCONN;
+@@ -870,12 +871,14 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
+       if (!cls_session)
+               goto remove_host;
+       session = cls_session->dd_data;
+-      tcp_sw_host = iscsi_host_priv(shost);
+-      tcp_sw_host->session = session;
+       shost->can_queue = session->scsi_cmds_max;
+       if (iscsi_tcp_r2tpool_alloc(session))
+               goto remove_session;
++
++      /* We are now fully setup so expose the session to sysfs. */
++      tcp_sw_host = iscsi_host_priv(shost);
++      tcp_sw_host->session = session;
+       return cls_session;
+ remove_session:
+-- 
+2.39.0
+
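Review bot: In iscsi_sw_tcp_session_create() the store `tcp_sw_host->session = session;` is now the last step before `return cls_session;`, so the `remove_session:` path (which starts at the bottom of the hunk and continues outside it) no longer needs to clear the pointer; the matching clear on the normal session-destroy path is not in this view and should be confirmed to still exist, otherwise iscsi_sw_tcp_host_get_param() could read a stale pointer after teardown. Moving the load of `session` into `case ISCSI_HOST_PARAM_IPADDRESS:` in the first hunk avoids an unused early read, but the plain store/load pair carries no ordering with respect to the r2tpool allocation; that is presumably acceptable given how sysfs reads are serialised against session creation, but it is inferred, not visible here. Both functions begin and end outside the hunk.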
diff --git a/queue-4.14/scsi-target-core-fix-warning-on-rt-kernels.patch b/queue-4.14/scsi-target-core-fix-warning-on-rt-kernels.patch
new file mode 100644 (file)
index 0000000..0766b06
--- /dev/null
@@ -0,0 +1,40 @@
+From 832c5a473acb386434f2d7d3cd607c1cf95f93e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 13:53:10 +0100
+Subject: scsi: target: core: Fix warning on RT kernels
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ]
+
+Calling spin_lock_irqsave() does not disable the interrupts on realtime
+kernels, remove the warning and replace assert_spin_locked() with
+lockdep_assert_held().
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_tmr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
+index 9c7bc1ca341a..e72bfb10a3f0 100644
+--- a/drivers/target/target_core_tmr.c
++++ b/drivers/target/target_core_tmr.c
+@@ -114,8 +114,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd,
+ {
+       struct se_session *sess = se_cmd->se_sess;
+-      assert_spin_locked(&sess->sess_cmd_lock);
+-      WARN_ON_ONCE(!irqs_disabled());
++      lockdep_assert_held(&sess->sess_cmd_lock);
++
+       /*
+        * If command already reached CMD_T_COMPLETE state within
+        * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown,
+-- 
+2.39.0
+
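Review bot: `lockdep_assert_held()` in __target_check_io_state() compiles to nothing when CONFIG_LOCKDEP is off, whereas the removed `assert_spin_locked()` was a real BUG_ON() check on SMP kernels, so production builds lose this assertion entirely; that is the usual trade-off for this substitution and matches upstream, but the commit message only mentions the irqs_disabled() warning, so it deserves a sentence in the backport. The extra blank line left after the new assertion (the lone `+` line before the comment block) is harmless but could be dropped. __target_check_io_state() begins and ends outside the hunk.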
diff --git a/queue-4.14/sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch b/queue-4.14/sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch
new file mode 100644 (file)
index 0000000..4845f90
--- /dev/null
@@ -0,0 +1,53 @@
+From f2101fdcb7a5483f2f2982bb9045d281b3fb17db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 11:25:33 -0500
+Subject: sctp: do not check hb_timer.expires when resetting hb_timer
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 8f35ae17ef565a605de5f409e04bcd49a55d7646 ]
+
+It tries to avoid the frequently hb_timer refresh in commit ba6f5e33bdbb
+("sctp: avoid refreshing heartbeat timer too often"), and it only allows
+mod_timer when the new expires is after hb_timer.expires. It means even
+a much shorter interval for hb timer gets applied, it will have to wait
+until the current hb timer to time out.
+
+In sctp_do_8_2_transport_strike(), when a transport enters PF state, it
+expects to update the hb timer to resend a heartbeat every rto after
+calling sctp_transport_reset_hb_timer(), which will not work as the
+change mentioned above.
+
+The frequently hb_timer refresh was caused by sctp_transport_reset_timers()
+called in sctp_outq_flush() and it was already removed in the commit above.
+So we don't have to check hb_timer.expires when resetting hb_timer as it is
+now not called very often.
+
+Fixes: ba6f5e33bdbb ("sctp: avoid refreshing heartbeat timer too often")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Link: https://lore.kernel.org/r/d958c06985713ec84049a2d5664879802710179a.1675095933.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/transport.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/sctp/transport.c b/net/sctp/transport.c
+index af56651169b2..79d2aa44c6e5 100644
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -210,9 +210,7 @@ void sctp_transport_reset_hb_timer(struct sctp_transport *transport)
+       /* When a data chunk is sent, reset the heartbeat interval.  */
+       expires = jiffies + sctp_transport_timeout(transport);
+-      if ((time_before(transport->hb_timer.expires, expires) ||
+-           !timer_pending(&transport->hb_timer)) &&
+-          !mod_timer(&transport->hb_timer,
++      if (!mod_timer(&transport->hb_timer,
+                      expires + prandom_u32_max(transport->rto)))
+               sctp_transport_hold(transport);
+ }
+-- 
+2.39.0
+
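Review bot: The comment `/* When a data chunk is sent, reset the heartbeat interval.  */` at the top of sctp_transport_reset_hb_timer() now looks stale: per the commit message the per-data-chunk call from sctp_outq_flush() was already removed, and the function is now the unconditional re-arm used by callers such as sctp_do_8_2_transport_strike(). Suggest rewording it to `/* Re-arm the heartbeat timer unconditionally; callers are infrequent now that the per-chunk refresh is gone. */` so the next reader does not reintroduce the time_before() guard. The `!mod_timer()` check still takes the transport hold only when the timer was not already pending, so dropping the condition does not change the reference accounting. sctp_transport_reset_hb_timer() begins outside the hunk.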
index e8e31cc7adc9ba4b0c5f04d79c8188e913f9b1a6..593b5d005db8ff6061bea901a3ae23220a1131b9 100644 (file)
@@ -1 +1,10 @@
 firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch
+bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch
+alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch
+netrom-fix-use-after-free-caused-by-accept-on-alread.patch
+squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch
+sctp-do-not-check-hb_timer.expires-when-resetting-hb.patch
+net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch
+scsi-target-core-fix-warning-on-rt-kernels.patch
+scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch
+net-x25-fix-to-not-accept-on-connected-socket.patch
diff --git a/queue-4.14/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch b/queue-4.14/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch
new file mode 100644 (file)
index 0000000..c869adf
--- /dev/null
@@ -0,0 +1,45 @@
+From bebe2bff014292fc16c1b288622217df975e6e32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 13:52:26 +0300
+Subject: squashfs: harden sanity check in squashfs_read_xattr_id_table
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ]
+
+While mounting a corrupted filesystem, a signed integer '*xattr_ids' can
+become less than zero.  This leads to the incorrect computation of 'len'
+and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor()
+or out-of-bounds accesses in the next sanity checks inside
+squashfs_read_xattr_id_table().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru
+Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup")
+Reported-by: <syzbot+082fa4af80a5bb1a9843@syzkaller.appspotmail.com>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/xattr_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c
+index 7f718d2bf357..0c0d7882bcca 100644
+--- a/fs/squashfs/xattr_id.c
++++ b/fs/squashfs/xattr_id.c
+@@ -89,7 +89,7 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start,
+       /* Sanity check values */
+       /* there is always at least one xattr id */
+-      if (*xattr_ids == 0)
++      if (*xattr_ids <= 0)
+               return ERR_PTR(-EINVAL);
+       len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
+-- 
+2.39.0
+
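Review bot: The comment above the hardened check in squashfs_read_xattr_id_table() still explains only the `== 0` case (`there is always at least one xattr id`), so the reason `<= 0` is needed — a negative count from a corrupt image feeding SQUASHFS_XATTR_BLOCK_BYTES() on the next line — is known only from the commit message. Suggest extending it to `/* there is always at least one xattr id; a negative count can only come from a corrupt image and would break the length/index arithmetic below */`. squashfs_read_xattr_id_table() begins and ends outside the hunk.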