From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 28 May 2023 16:29:11 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: review~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c6759e24d702ae3daa428367bfd739b44f508df;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	debugobjects-don-t-wake-up-kswapd-from-fill_pool.patch
	fbdev-udlfb-fix-endpoint-check.patch
	media-radio-shark-add-endpoint-checks.patch
	net-fix-stack-overflow-when-lro-is-disabled-for-virtual-interfaces.patch
	udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch
	usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch
	usb-sisusbvga-add-endpoint-checks.patch
---

diff --git a/queue-6.1/debugobjects-don-t-wake-up-kswapd-from-fill_pool.patch b/queue-6.1/debugobjects-don-t-wake-up-kswapd-from-fill_pool.patch
new file mode 100644
index 00000000000..f608a07fca9
--- /dev/null
+++ b/queue-6.1/debugobjects-don-t-wake-up-kswapd-from-fill_pool.patch
@@ -0,0 +1,41 @@
+From eb799279fb1f9c63c520fe8c1c41cb9154252db6 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 11 May 2023 22:47:32 +0900
+Subject: debugobjects: Don't wake up kswapd from fill_pool()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit eb799279fb1f9c63c520fe8c1c41cb9154252db6 upstream.
+
+syzbot is reporting a lockdep warning in fill_pool() because the allocation
+from debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM)
+and therefore tries to wake up kswapd, which acquires kswapd_wait::lock.
+
+Since fill_pool() might be called with arbitrary locks held, fill_pool()
+should not assume that acquiring kswapd_wait::lock is safe.
+
+Use __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for
+!__GFP_DIRECT_RECLAIM allocation.
+
+Fixes: 3ac7fe5a4aab ("infrastructure to debug (dynamic) objects")
+Reported-by: syzbot <syzbot+fe0c72f0ccbb93786380@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/6577e1fa-b6ee-f2be-2414-a2b51b1c5e30@I-love.SAKURA.ne.jp
+Closes: https://syzkaller.appspot.com/bug?extid=fe0c72f0ccbb93786380
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/debugobjects.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -126,7 +126,7 @@ static const char *obj_states[ODEBUG_STA
+ 
+ static void fill_pool(void)
+ {
+-	gfp_t gfp = GFP_ATOMIC | __GFP_NORETRY | __GFP_NOWARN;
++	gfp_t gfp = __GFP_HIGH | __GFP_NOWARN;
+ 	struct debug_obj *obj;
+ 	unsigned long flags;
+ 
diff --git a/queue-6.1/fbdev-udlfb-fix-endpoint-check.patch b/queue-6.1/fbdev-udlfb-fix-endpoint-check.patch
new file mode 100644
index 00000000000..9739ce16bfb
--- /dev/null
+++ b/queue-6.1/fbdev-udlfb-fix-endpoint-check.patch
@@ -0,0 +1,94 @@
+From ed9de4ed39875706607fb08118a58344ae6c5f42 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 19 May 2023 15:32:30 -0400
+Subject: fbdev: udlfb: Fix endpoint check
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit ed9de4ed39875706607fb08118a58344ae6c5f42 upstream.
+
+The syzbot fuzzer detected a problem in the udlfb driver, caused by an
+endpoint not having the expected type:
+
+usb 1-1: Read EDID byte 0 failed: -71
+usb 1-1: Unable to get valid EDID from device/display
+------------[ cut here ]------------
+usb 1-1: BOGUS urb xfer, pipe 3 != type 1
+WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880
+drivers/usb/core/urb.c:504
+Modules linked in:
+CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted
+6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
+04/28/2023
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
+...
+Call Trace:
+ <TASK>
+ dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980
+ dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315
+ dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111
+ dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743
+
+The current approach for this issue failed to catch the problem
+because it only checks for the existence of a bulk-OUT endpoint; it
+doesn't check whether this endpoint is the one that the driver will
+actually use.
+
+We can fix the problem by instead checking that the endpoint used by
+the driver does exist and is bulk-OUT.
+
+Reported-and-tested-by: syzbot+0e22d63dcebb802b9bc8@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: Pavel Skripkin <paskripkin@gmail.com>
+Fixes: aaf7dbe07385 ("video: fbdev: udlfb: properly check endpoint type")
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -27,6 +27,8 @@
+ #include <video/udlfb.h>
+ #include "edid.h"
+ 
++#define OUT_EP_NUM	1	/* The endpoint number we will use */
++
+ static const struct fb_fix_screeninfo dlfb_fix = {
+ 	.id =           "udlfb",
+ 	.type =         FB_TYPE_PACKED_PIXELS,
+@@ -1652,7 +1654,7 @@ static int dlfb_usb_probe(struct usb_int
+ 	struct fb_info *info;
+ 	int retval;
+ 	struct usb_device *usbdev = interface_to_usbdev(intf);
+-	struct usb_endpoint_descriptor *out;
++	static u8 out_ep[] = {OUT_EP_NUM + USB_DIR_OUT, 0};
+ 
+ 	/* usb initialization */
+ 	dlfb = kzalloc(sizeof(*dlfb), GFP_KERNEL);
+@@ -1666,9 +1668,9 @@ static int dlfb_usb_probe(struct usb_int
+ 	dlfb->udev = usb_get_dev(usbdev);
+ 	usb_set_intfdata(intf, dlfb);
+ 
+-	retval = usb_find_common_endpoints(intf->cur_altsetting, NULL, &out, NULL, NULL);
+-	if (retval) {
+-		dev_err(&intf->dev, "Device should have at lease 1 bulk endpoint!\n");
++	if (!usb_check_bulk_endpoints(intf, out_ep)) {
++		dev_err(&intf->dev, "Invalid DisplayLink device!\n");
++		retval = -EINVAL;
+ 		goto error;
+ 	}
+ 
+@@ -1927,7 +1929,8 @@ retry:
+ 		}
+ 
+ 		/* urb->transfer_buffer_length set to actual before submit */
+-		usb_fill_bulk_urb(urb, dlfb->udev, usb_sndbulkpipe(dlfb->udev, 1),
++		usb_fill_bulk_urb(urb, dlfb->udev,
++			usb_sndbulkpipe(dlfb->udev, OUT_EP_NUM),
+ 			buf, size, dlfb_urb_completion, unode);
+ 		urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ 
diff --git a/queue-6.1/media-radio-shark-add-endpoint-checks.patch b/queue-6.1/media-radio-shark-add-endpoint-checks.patch
new file mode 100644
index 00000000000..99e7a825998
--- /dev/null
+++ b/queue-6.1/media-radio-shark-add-endpoint-checks.patch
@@ -0,0 +1,92 @@
+From 76e31045ba030e94e72105c01b2e98f543d175ac Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Apr 2023 15:40:05 -0400
+Subject: media: radio-shark: Add endpoint checks
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 76e31045ba030e94e72105c01b2e98f543d175ac upstream.
+
+The syzbot fuzzer was able to provoke a WARNING from the radio-shark2
+driver:
+
+------------[ cut here ]------------
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
+Modules linked in:
+CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
+Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7
+RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
+RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac
+RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
+R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200
+FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
+ usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387
+ shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88
+...
+
+The problem was caused by the fact that the driver does not check
+whether the endpoints it uses are actually present and have the
+appropriate types.  This can be fixed by adding a simple check of
+these endpoints (and similarly for the radio-shark driver).
+
+Link: https://syzkaller.appspot.com/bug?extid=4b3f8190f6e13b3efd74
+Reported-and-tested-by: syzbot+4b3f8190f6e13b3efd74@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/e2858ab4-4adf-46e5-bbf6-c56742034547@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/radio/radio-shark.c  |   10 ++++++++++
+ drivers/media/radio/radio-shark2.c |   10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/drivers/media/radio/radio-shark.c
++++ b/drivers/media/radio/radio-shark.c
+@@ -316,6 +316,16 @@ static int usb_shark_probe(struct usb_in
+ {
+ 	struct shark_device *shark;
+ 	int retval = -ENOMEM;
++	static const u8 ep_addresses[] = {
++		SHARK_IN_EP | USB_DIR_IN,
++		SHARK_OUT_EP | USB_DIR_OUT,
++		0};
++
++	/* Are the expected endpoints present? */
++	if (!usb_check_int_endpoints(intf, ep_addresses)) {
++		dev_err(&intf->dev, "Invalid radioSHARK device\n");
++		return -EINVAL;
++	}
+ 
+ 	shark = kzalloc(sizeof(struct shark_device), GFP_KERNEL);
+ 	if (!shark)
+--- a/drivers/media/radio/radio-shark2.c
++++ b/drivers/media/radio/radio-shark2.c
+@@ -282,6 +282,16 @@ static int usb_shark_probe(struct usb_in
+ {
+ 	struct shark_device *shark;
+ 	int retval = -ENOMEM;
++	static const u8 ep_addresses[] = {
++		SHARK_IN_EP | USB_DIR_IN,
++		SHARK_OUT_EP | USB_DIR_OUT,
++		0};
++
++	/* Are the expected endpoints present? */
++	if (!usb_check_int_endpoints(intf, ep_addresses)) {
++		dev_err(&intf->dev, "Invalid radioSHARK2 device\n");
++		return -EINVAL;
++	}
+ 
+ 	shark = kzalloc(sizeof(struct shark_device), GFP_KERNEL);
+ 	if (!shark)
diff --git a/queue-6.1/net-fix-stack-overflow-when-lro-is-disabled-for-virtual-interfaces.patch b/queue-6.1/net-fix-stack-overflow-when-lro-is-disabled-for-virtual-interfaces.patch
new file mode 100644
index 00000000000..9203a89fee7
--- /dev/null
+++ b/queue-6.1/net-fix-stack-overflow-when-lro-is-disabled-for-virtual-interfaces.patch
@@ -0,0 +1,138 @@
+From ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 17 May 2023 14:30:10 +0000
+Subject: net: fix stack overflow when LRO is disabled for virtual interfaces
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+commit ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6 upstream.
+
+When the virtual interface's feature is updated, it synchronizes the
+updated feature for its own lower interface.
+This propagation logic should be worked as the iteration, not recursively.
+But it works recursively due to the netdev notification unexpectedly.
+This problem occurs when it disables LRO only for the team and bonding
+interface type.
+
+       team0
+         |
+  +------+------+-----+-----+
+  |      |      |     |     |
+team1  team2  team3  ...  team200
+
+If team0's LRO feature is updated, it generates the NETDEV_FEAT_CHANGE
+event to its own lower interfaces(team1 ~ team200).
+It is worked by netdev_sync_lower_features().
+So, the NETDEV_FEAT_CHANGE notification logic of each lower interface
+work iteratively.
+But generated NETDEV_FEAT_CHANGE event is also sent to the upper
+interface too.
+upper interface(team0) generates the NETDEV_FEAT_CHANGE event for its own
+lower interfaces again.
+lower and upper interfaces receive this event and generate this
+event again and again.
+So, the stack overflow occurs.
+
+But it is not the infinite loop issue.
+Because the netdev_sync_lower_features() updates features before
+generating the NETDEV_FEAT_CHANGE event.
+Already synchronized lower interfaces skip notification logic.
+So, it is just the problem that iteration logic is changed to the
+recursive unexpectedly due to the notification mechanism.
+
+Reproducer:
+
+ip link add team0 type team
+ethtool -K team0 lro on
+for i in {1..200}
+do
+        ip link add team$i master team0 type team
+        ethtool -K team$i lro on
+done
+
+ethtool -K team0 lro off
+
+In order to fix it, the notifier_ctx member of bonding/team is introduced.
+
+Reported-by: syzbot+60748c96cf5c6df8e581@syzkaller.appspotmail.com
+Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230517143010.3596250-1-ap420073@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    8 +++++++-
+ drivers/net/team/team.c         |    7 ++++++-
+ include/linux/if_team.h         |    1 +
+ include/net/bonding.h           |    1 +
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3921,7 +3921,11 @@ static int bond_slave_netdev_event(unsig
+ 		unblock_netpoll_tx();
+ 		break;
+ 	case NETDEV_FEAT_CHANGE:
+-		bond_compute_features(bond);
++		if (!bond->notifier_ctx) {
++			bond->notifier_ctx = true;
++			bond_compute_features(bond);
++			bond->notifier_ctx = false;
++		}
+ 		break;
+ 	case NETDEV_RESEND_IGMP:
+ 		/* Propagate to master device */
+@@ -6284,6 +6288,8 @@ static int bond_init(struct net_device *
+ 	if (!bond->wq)
+ 		return -ENOMEM;
+ 
++	bond->notifier_ctx = false;
++
+ 	spin_lock_init(&bond->stats_lock);
+ 	netdev_lockdep_set_classes(bond_dev);
+ 
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1629,6 +1629,7 @@ static int team_init(struct net_device *
+ 
+ 	team->dev = dev;
+ 	team_set_no_mode(team);
++	team->notifier_ctx = false;
+ 
+ 	team->pcpu_stats = netdev_alloc_pcpu_stats(struct team_pcpu_stats);
+ 	if (!team->pcpu_stats)
+@@ -3022,7 +3023,11 @@ static int team_device_event(struct noti
+ 		team_del_slave(port->team->dev, dev);
+ 		break;
+ 	case NETDEV_FEAT_CHANGE:
+-		team_compute_features(port->team);
++		if (!port->team->notifier_ctx) {
++			port->team->notifier_ctx = true;
++			team_compute_features(port->team);
++			port->team->notifier_ctx = false;
++		}
+ 		break;
+ 	case NETDEV_PRECHANGEMTU:
+ 		/* Forbid to change mtu of underlaying device */
+--- a/include/linux/if_team.h
++++ b/include/linux/if_team.h
+@@ -208,6 +208,7 @@ struct team {
+ 	bool queue_override_enabled;
+ 	struct list_head *qom_lists; /* array of queue override mapping lists */
+ 	bool port_mtu_change_allowed;
++	bool notifier_ctx;
+ 	struct {
+ 		unsigned int count;
+ 		unsigned int interval; /* in ms */
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -223,6 +223,7 @@ struct bonding {
+ 	struct   bond_up_slave __rcu *usable_slaves;
+ 	struct   bond_up_slave __rcu *all_slaves;
+ 	bool     force_primary;
++	bool     notifier_ctx;
+ 	s32      slave_cnt; /* never change this value outside the attach/detach wrappers */
+ 	int     (*recv_probe)(const struct sk_buff *, struct bonding *,
+ 			      struct slave *);
diff --git a/queue-6.1/series b/queue-6.1/series
index fba67dc3920..8fa9cae3f0d 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -53,3 +53,10 @@ perf-x86-uncore-correct-the-number-of-chas-on-spr.patch
 x86-topology-fix-erroneous-smp_num_siblings-on-intel-hybrid-platforms.patch
 irqchip-mips-gic-don-t-touch-vl_map-if-a-local-interrupt-is-not-routable.patch
 irqchip-mips-gic-use-raw-spinlock-for-gic_lock.patch
+debugobjects-don-t-wake-up-kswapd-from-fill_pool.patch
+fbdev-udlfb-fix-endpoint-check.patch
+net-fix-stack-overflow-when-lro-is-disabled-for-virtual-interfaces.patch
+udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch
+usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch
+usb-sisusbvga-add-endpoint-checks.patch
+media-radio-shark-add-endpoint-checks.patch
diff --git a/queue-6.1/udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch b/queue-6.1/udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch
new file mode 100644
index 00000000000..ac6dfa4c645
--- /dev/null
+++ b/queue-6.1/udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch
@@ -0,0 +1,125 @@
+From ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Tue, 23 May 2023 09:33:05 -0700
+Subject: udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 upstream.
+
+syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using
+IPPROTO_UDPLITE (0x88):
+
+  14:25:52 executing program 1:
+  r0 = socket$inet6(0xa, 0x80002, 0x88)
+
+We had a similar report [1] for probably sk_memory_allocated_add()
+in __sk_mem_raise_allocated(), and commit c915fe13cbaa ("udplite: fix
+NULL pointer dereference") fixed it by setting .memory_allocated for
+udplite_prot and udplitev6_prot.
+
+To fix the variant, we need to set either .sysctl_wmem_offset or
+.sysctl_rmem.
+
+Now UDP and UDPLITE share the same value for .memory_allocated, so we
+use the same .sysctl_wmem_offset for UDP and UDPLITE.
+
+[0]:
+general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
+RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]
+RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006
+Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b
+RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000
+RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8
+RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000
+R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001
+FS:  0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40
+CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0
+Call Trace:
+ <TASK>
+ __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077
+ udp_rmem_schedule net/ipv4/udp.c:1539 [inline]
+ __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581
+ __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline]
+ udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775
+ udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793
+ __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline]
+ __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013
+ ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437
+ ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482
+ NF_HOOK include/linux/netfilter.h:303 [inline]
+ NF_HOOK include/linux/netfilter.h:297 [inline]
+ ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491
+ ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585
+ dst_input include/net/dst.h:468 [inline]
+ ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
+ NF_HOOK include/linux/netfilter.h:303 [inline]
+ NF_HOOK include/linux/netfilter.h:297 [inline]
+ ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309
+ __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
+ __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
+ netif_receive_skb_internal net/core/dev.c:5691 [inline]
+ netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750
+ tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553
+ tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989
+ tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035
+ call_write_iter include/linux/fs.h:1868 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x945/0xd50 fs/read_write.c:584
+ ksys_write+0x12b/0x250 fs/read_write.c:637
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+RIP: 0023:0xf7f21579
+Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
+RSP: 002b:00000000f7f1c590 EFLAGS: 00000282 ORIG_RAX: 0000000000000004
+RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000020000040
+RDX: 0000000000000083 RSI: 00000000f734e000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+Modules linked in:
+
+Link: https://lore.kernel.org/netdev/CANaxB-yCk8hhP68L4Q2nFOJht8sqgXGGQO2AftpHs0u1xyGG5A@mail.gmail.com/ [1]
+Fixes: 850cbaddb52d ("udp: use it's own memory accounting schema")
+Reported-by: syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=444ca0907e96f7c5e48b
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230523163305.66466-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udplite.c |    2 ++
+ net/ipv6/udplite.c |    2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv4/udplite.c
++++ b/net/ipv4/udplite.c
+@@ -64,6 +64,8 @@ struct proto 	udplite_prot = {
+ 	.per_cpu_fw_alloc  = &udp_memory_per_cpu_fw_alloc,
+ 
+ 	.sysctl_mem	   = sysctl_udp_mem,
++	.sysctl_wmem_offset = offsetof(struct net, ipv4.sysctl_udp_wmem_min),
++	.sysctl_rmem_offset = offsetof(struct net, ipv4.sysctl_udp_rmem_min),
+ 	.obj_size	   = sizeof(struct udp_sock),
+ 	.h.udp_table	   = &udplite_table,
+ };
+--- a/net/ipv6/udplite.c
++++ b/net/ipv6/udplite.c
+@@ -60,6 +60,8 @@ struct proto udplitev6_prot = {
+ 	.per_cpu_fw_alloc  = &udp_memory_per_cpu_fw_alloc,
+ 
+ 	.sysctl_mem	   = sysctl_udp_mem,
++	.sysctl_wmem_offset = offsetof(struct net, ipv4.sysctl_udp_wmem_min),
++	.sysctl_rmem_offset = offsetof(struct net, ipv4.sysctl_udp_rmem_min),
+ 	.obj_size	   = sizeof(struct udp6_sock),
+ 	.h.udp_table	   = &udplite_table,
+ };
diff --git a/queue-6.1/usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch b/queue-6.1/usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch
new file mode 100644
index 00000000000..92f1b9faff3
--- /dev/null
+++ b/queue-6.1/usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch
@@ -0,0 +1,150 @@
+From 13890626501ffda22b18213ddaf7930473da5792 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Apr 2023 15:37:07 -0400
+Subject: USB: core: Add routines for endpoint checks in old drivers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 13890626501ffda22b18213ddaf7930473da5792 upstream.
+
+Many of the older USB drivers in the Linux USB stack were written
+based simply on a vendor's device specification.  They use the
+endpoint information in the spec and assume these endpoints will
+always be present, with the properties listed, in any device matching
+the given vendor and product IDs.
+
+While that may have been true back then, with spoofing and fuzzing it
+is not true any more.  More and more we are finding that those old
+drivers need to perform at least a minimum of checking before they try
+to use any endpoint other than ep0.
+
+To make this checking as simple as possible, we now add a couple of
+utility routines to the USB core.  usb_check_bulk_endpoints() and
+usb_check_int_endpoints() take an interface pointer together with a
+list of endpoint addresses (numbers and directions).  They check that
+the interface's current alternate setting includes endpoints with
+those addresses and that each of these endpoints has the right type:
+bulk or interrupt, respectively.
+
+Although we already have usb_find_common_endpoints() and related
+routines meant for a similar purpose, they are not well suited for
+this kind of checking.  Those routines find endpoints of various
+kinds, but only one (either the first or the last) of each kind, and
+they don't verify that the endpoints' addresses agree with what the
+caller expects.
+
+In theory the new routines could be more general: They could take a
+particular altsetting as their argument instead of always using the
+interface's current altsetting.  In practice I think this won't matter
+too much; multiple altsettings tend to be used for transferring media
+(audio or visual) over isochronous endpoints, not bulk or interrupt.
+Drivers for such devices will generally require more sophisticated
+checking than these simplistic routines provide.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/dd2c8e8c-2c87-44ea-ba17-c64b97e201c9@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/usb.c |   76 +++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/usb.h    |    5 +++
+ 2 files changed, 81 insertions(+)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -207,6 +207,82 @@ int usb_find_common_endpoints_reverse(st
+ EXPORT_SYMBOL_GPL(usb_find_common_endpoints_reverse);
+ 
+ /**
++ * usb_find_endpoint() - Given an endpoint address, search for the endpoint's
++ * usb_host_endpoint structure in an interface's current altsetting.
++ * @intf: the interface whose current altsetting should be searched
++ * @ep_addr: the endpoint address (number and direction) to find
++ *
++ * Search the altsetting's list of endpoints for one with the specified address.
++ *
++ * Return: Pointer to the usb_host_endpoint if found, %NULL otherwise.
++ */
++static const struct usb_host_endpoint *usb_find_endpoint(
++		const struct usb_interface *intf, unsigned int ep_addr)
++{
++	int n;
++	const struct usb_host_endpoint *ep;
++
++	n = intf->cur_altsetting->desc.bNumEndpoints;
++	ep = intf->cur_altsetting->endpoint;
++	for (; n > 0; (--n, ++ep)) {
++		if (ep->desc.bEndpointAddress == ep_addr)
++			return ep;
++	}
++	return NULL;
++}
++
++/**
++ * usb_check_bulk_endpoints - Check whether an interface's current altsetting
++ * contains a set of bulk endpoints with the given addresses.
++ * @intf: the interface whose current altsetting should be searched
++ * @ep_addrs: 0-terminated array of the endpoint addresses (number and
++ * direction) to look for
++ *
++ * Search for endpoints with the specified addresses and check their types.
++ *
++ * Return: %true if all the endpoints are found and are bulk, %false otherwise.
++ */
++bool usb_check_bulk_endpoints(
++		const struct usb_interface *intf, const u8 *ep_addrs)
++{
++	const struct usb_host_endpoint *ep;
++
++	for (; *ep_addrs; ++ep_addrs) {
++		ep = usb_find_endpoint(intf, *ep_addrs);
++		if (!ep || !usb_endpoint_xfer_bulk(&ep->desc))
++			return false;
++	}
++	return true;
++}
++EXPORT_SYMBOL_GPL(usb_check_bulk_endpoints);
++
++/**
++ * usb_check_int_endpoints - Check whether an interface's current altsetting
++ * contains a set of interrupt endpoints with the given addresses.
++ * @intf: the interface whose current altsetting should be searched
++ * @ep_addrs: 0-terminated array of the endpoint addresses (number and
++ * direction) to look for
++ *
++ * Search for endpoints with the specified addresses and check their types.
++ *
++ * Return: %true if all the endpoints are found and are interrupt,
++ * %false otherwise.
++ */
++bool usb_check_int_endpoints(
++		const struct usb_interface *intf, const u8 *ep_addrs)
++{
++	const struct usb_host_endpoint *ep;
++
++	for (; *ep_addrs; ++ep_addrs) {
++		ep = usb_find_endpoint(intf, *ep_addrs);
++		if (!ep || !usb_endpoint_xfer_int(&ep->desc))
++			return false;
++	}
++	return true;
++}
++EXPORT_SYMBOL_GPL(usb_check_int_endpoints);
++
++/**
+  * usb_find_alt_setting() - Given a configuration, find the alternate setting
+  * for the given interface.
+  * @config: the configuration to search (not necessarily the current config).
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -279,6 +279,11 @@ void usb_put_intf(struct usb_interface *
+ #define USB_MAXINTERFACES	32
+ #define USB_MAXIADS		(USB_MAXINTERFACES/2)
+ 
++bool usb_check_bulk_endpoints(
++		const struct usb_interface *intf, const u8 *ep_addrs);
++bool usb_check_int_endpoints(
++		const struct usb_interface *intf, const u8 *ep_addrs);
++
+ /*
+  * USB Resume Timer: Every Host controller driver should drive the resume
+  * signalling on the bus for the amount of time defined by this macro.
diff --git a/queue-6.1/usb-sisusbvga-add-endpoint-checks.patch b/queue-6.1/usb-sisusbvga-add-endpoint-checks.patch
new file mode 100644
index 00000000000..1090414bb9a
--- /dev/null
+++ b/queue-6.1/usb-sisusbvga-add-endpoint-checks.patch
@@ -0,0 +1,79 @@
+From df05a9b05e466a46725564528b277d0c570d0104 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Apr 2023 15:38:22 -0400
+Subject: USB: sisusbvga: Add endpoint checks
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit df05a9b05e466a46725564528b277d0c570d0104 upstream.
+
+The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:
+
+------------[ cut here ]------------
+usb 1-1: BOGUS urb xfer, pipe 3 != type 1
+WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
+Modules linked in:
+CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
+Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7
+RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
+RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95
+RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003
+R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600
+FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]
+ sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379
+ sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]
+ sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]
+ sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177
+ sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869
+...
+
+The problem was caused by the fact that the driver does not check
+whether the endpoints it uses are actually present and have the
+appropriate types.  This can be fixed by adding a simple check of
+the endpoints.
+
+Link: https://syzkaller.appspot.com/bug?extid=23be03b56c5259385d79
+Reported-and-tested-by: syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/48ef98f7-51ae-4f63-b8d3-0ef2004bb60a@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/misc/sisusbvga/sisusb.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3014,6 +3014,20 @@ static int sisusb_probe(struct usb_inter
+ 	struct usb_device *dev = interface_to_usbdev(intf);
+ 	struct sisusb_usb_data *sisusb;
+ 	int retval = 0, i;
++	static const u8 ep_addresses[] = {
++		SISUSB_EP_GFX_IN | USB_DIR_IN,
++		SISUSB_EP_GFX_OUT | USB_DIR_OUT,
++		SISUSB_EP_GFX_BULK_OUT | USB_DIR_OUT,
++		SISUSB_EP_GFX_LBULK_OUT | USB_DIR_OUT,
++		SISUSB_EP_BRIDGE_IN | USB_DIR_IN,
++		SISUSB_EP_BRIDGE_OUT | USB_DIR_OUT,
++		0};
++
++	/* Are the expected endpoints present? */
++	if (!usb_check_bulk_endpoints(intf, ep_addresses)) {
++		dev_err(&intf->dev, "Invalid USB2VGA device\n");
++		return -EINVAL;
++	}
+ 
+ 	dev_info(&dev->dev, "USB2VGA dongle found at address %d\n",
+ 			dev->devnum);