From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 14 Jan 2023 15:09:54 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.14.303~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9508139ef6922217d2d81a5896eff6ad3c3557aa;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
	platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
---

diff --git a/queue-4.14/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch b/queue-4.14/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
new file mode 100644
index 00000000000..233edb56df2
--- /dev/null
+++ b/queue-4.14/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
@@ -0,0 +1,42 @@
+From cb3e9864cdbe35ff6378966660edbcbac955fe17 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 10 Jan 2023 08:59:06 +0800
+Subject: ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit cb3e9864cdbe35ff6378966660edbcbac955fe17 upstream.
+
+The total cork length created by ip6_append_data includes extension
+headers, so we must exclude them when comparing them against the
+IPV6_CHECKSUM offset which does not include extension headers.
+
+Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
+Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/raw.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -544,6 +544,7 @@ csum_copy_err:
+ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
+ 				     struct raw6_sock *rp)
+ {
++	struct ipv6_txoptions *opt;
+ 	struct sk_buff *skb;
+ 	int err = 0;
+ 	int offset;
+@@ -561,6 +562,9 @@ static int rawv6_push_pending_frames(str
+ 
+ 	offset = rp->offset;
+ 	total_len = inet_sk(sk)->cork.base.length;
++	opt = inet6_sk(sk)->cork.opt;
++	total_len -= opt ? opt->opt_flen : 0;
++
+ 	if (offset >= total_len - 1) {
+ 		err = -EINVAL;
+ 		ip6_flush_pending_frames(sk);
diff --git a/queue-4.14/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch b/queue-4.14/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
new file mode 100644
index 00000000000..68b107c844d
--- /dev/null
+++ b/queue-4.14/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
@@ -0,0 +1,58 @@
+From ad75bd85b1db69c97eefea07b375567821f6ef58 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 13 Dec 2022 13:29:43 +0100
+Subject: platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit ad75bd85b1db69c97eefea07b375567821f6ef58 upstream.
+
+The 0x153 version of the kbd backlight control SNC handle has no separate
+address to probe if the backlight is there.
+
+This turns the probe call into a set keyboard backlight call with a value
+of 0 turning off the keyboard backlight.
+
+Skip probing when there is no separate probe address to avoid this.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1583752
+Fixes: 800f20170dcf ("Keyboard backlight control for some Vaio Fit models")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Mattia Dongili <malattia@linux.it>
+Link: https://lore.kernel.org/r/20221213122943.11123-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/sony-laptop.c |   21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -1911,14 +1911,21 @@ static int sony_nc_kbd_backlight_setup(s
+ 		break;
+ 	}
+ 
+-	ret = sony_call_snc_handle(handle, probe_base, &result);
+-	if (ret)
+-		return ret;
++	/*
++	 * Only probe if there is a separate probe_base, otherwise the probe call
++	 * is equivalent to __sony_nc_kbd_backlight_mode_set(0), resulting in
++	 * the keyboard backlight being turned off.
++	 */
++	if (probe_base) {
++		ret = sony_call_snc_handle(handle, probe_base, &result);
++		if (ret)
++			return ret;
+ 
+-	if ((handle == 0x0137 && !(result & 0x02)) ||
+-			!(result & 0x01)) {
+-		dprintk("no backlight keyboard found\n");
+-		return 0;
++		if ((handle == 0x0137 && !(result & 0x02)) ||
++				!(result & 0x01)) {
++			dprintk("no backlight keyboard found\n");
++			return 0;
++		}
+ 	}
+ 
+ 	kbdbl_ctl = kzalloc(sizeof(*kbdbl_ctl), GFP_KERNEL);
diff --git a/queue-4.14/series b/queue-4.14/series
index f430a13dd3d..92fed630d38 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -327,3 +327,5 @@ perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
 s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
 net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
 alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch
+platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
+ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch