From: Greg Kroah-Hartman
Date: Sat, 14 Jan 2023 15:10:08 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.14.303~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a51547f1ef9bd7db561afa5a328fd3d8fcf07712;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch
ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
---
diff --git a/queue-4.19/cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch b/queue-4.19/cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch
new file mode 100644
index 00000000000..ff05101bf02
--- /dev/null
+++ b/queue-4.19/cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch
@@ -0,0 +1,34 @@
+From a152d05ae4a71d802d50cf9177dba34e8bb09f68 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 11 Jan 2023 12:37:58 +0100
+Subject: cifs: Fix uninitialized memory read for smb311 posix symlink create
+
+From: Volker Lendecke
+
+commit a152d05ae4a71d802d50cf9177dba34e8bb09f68 upstream.
+
+If smb311 posix is enabled, we send the intended mode for file
+creation in the posix create context. Instead of using what's there on
+the stack, create the mfsymlink file with 0644.
+
+Fixes: ce558b0e17f8a ("smb3: Add posix create context for smb3.11 posix mounts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Volker Lendecke
+Reviewed-by: Tom Talpey
+Reviewed-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/link.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/link.c
++++ b/fs/cifs/link.c
+@@ -481,6 +481,7 @@ smb3_create_mf_symlink(unsigned int xid,
+ oparms.disposition = FILE_CREATE;
+ oparms.fid = &fid;
+ oparms.reconnect = false;
++ oparms.mode = 0644;
+
+ rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL,
+ NULL);
diff --git a/queue-4.19/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch b/queue-4.19/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
new file mode 100644
index 00000000000..233edb56df2
--- /dev/null
+++ b/queue-4.19/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
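Review bot: In the embedded fs/cifs/link.c hunk, the added `oparms.mode = 0644;` covers this one field, but `oparms` is still filled member by member before `SMB2_open`, so any member that nobody assigns keeps whatever was on the stack; per the commit message that is what ended up in the posix create context sent to the server. The declaration is outside the hunk; if it is a bare local, initialising it there with `= {0}` would give every current and future member a defined default instead of relying on each caller to remember it. A comment on the new line such as `/* sent in the SMB3.1.1 posix create context; must not be left uninitialised */` would record why the constant is set here. smb3_create_mf_symlink starts and ends outside the hunk.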
@@ -0,0 +1,42 @@
+From cb3e9864cdbe35ff6378966660edbcbac955fe17 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 10 Jan 2023 08:59:06 +0800
+Subject: ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
+
+From: Herbert Xu
+
+commit cb3e9864cdbe35ff6378966660edbcbac955fe17 upstream.
+
+The total cork length created by ip6_append_data includes extension
+headers, so we must exclude them when comparing them against the
+IPV6_CHECKSUM offset which does not include extension headers.
+
+Reported-by: Kyle Zeng
+Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
+Signed-off-by: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/raw.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -544,6 +544,7 @@ csum_copy_err:
+ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
+ struct raw6_sock *rp)
+ {
++ struct ipv6_txoptions *opt;
+ struct sk_buff *skb;
+ int err = 0;
+ int offset;
+@@ -561,6 +562,9 @@ static int rawv6_push_pending_frames(str
+
+ offset = rp->offset;
+ total_len = inet_sk(sk)->cork.base.length;
++ opt = inet6_sk(sk)->cork.opt;
++ total_len -= opt ? opt->opt_flen : 0;
++
+ if (offset >= total_len - 1) {
+ err = -EINVAL;
+ ip6_flush_pending_frames(sk);
diff --git a/queue-4.19/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch b/queue-4.19/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
new file mode 100644
index 00000000000..9a344459d82
--- /dev/null
+++ b/queue-4.19/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
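Review bot: In the second net/ipv6/raw.c hunk, the new `total_len -= opt ? opt->opt_flen : 0;` carries no comment, although it is what makes the bounds check on the next line compare like with like. A line above it such as `/* cork length includes extension headers; the IPV6_CHECKSUM offset in rp->offset does not */` would keep a later cleanup from removing the subtraction. The check `offset >= total_len - 1` also appears to depend on `total_len` being signed, so that a value of 0 after the deduction still rejects the offset rather than wrapping; its declaration is outside the hunk and should be confirmed. rawv6_push_pending_frames continues past the end of the hunk.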
@@ -0,0 +1,58 @@
+From ad75bd85b1db69c97eefea07b375567821f6ef58 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Tue, 13 Dec 2022 13:29:43 +0100
+Subject: platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
+
+From: Hans de Goede
+
+commit ad75bd85b1db69c97eefea07b375567821f6ef58 upstream.
+
+The 0x153 version of the kbd backlight control SNC handle has no separate
+address to probe if the backlight is there.
+
+This turns the probe call into a set keyboard backlight call with a value
+of 0 turning off the keyboard backlight.
+
+Skip probing when there is no separate probe address to avoid this.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1583752
+Fixes: 800f20170dcf ("Keyboard backlight control for some Vaio Fit models")
+Signed-off-by: Hans de Goede
+Reviewed-by: Mattia Dongili
+Link: https://lore.kernel.org/r/20221213122943.11123-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/sony-laptop.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -1913,14 +1913,21 @@ static int sony_nc_kbd_backlight_setup(s
+ break;
+ }
+
+- ret = sony_call_snc_handle(handle, probe_base, &result);
+- if (ret)
+- return ret;
++ /*
++ * Only probe if there is a separate probe_base, otherwise the probe call
++ * is equivalent to __sony_nc_kbd_backlight_mode_set(0), resulting in
++ * the keyboard backlight being turned off.
++ */
++ if (probe_base) {
++ ret = sony_call_snc_handle(handle, probe_base, &result);
++ if (ret)
++ return ret;
+
+- if ((handle == 0x0137 && !(result & 0x02)) ||
+- !(result & 0x01)) {
+- dprintk("no backlight keyboard found\n");
+- return 0;
++ if ((handle == 0x0137 && !(result & 0x02)) ||
++ !(result & 0x01)) {
++ dprintk("no backlight keyboard found\n");
++ return 0;
++ }
+ }
+
+ kbdbl_ctl = kzalloc(sizeof(*kbdbl_ctl), GFP_KERNEL);
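Review bot: In the embedded sony-laptop.c hunk, `if (probe_base)` treats the value 0 as "no probe address", which only holds if the switch above the hunk leaves `probe_base` at 0 for the 0x153 handle and no handle ever has a genuine probe address of 0. When the probe is skipped, `result` is never written, so any later read of it in sony_nc_kbd_backlight_setup would see an uninitialised value; the rest of the function is outside the hunk, so this should be checked. The masks in `(handle == 0x0137 && !(result & 0x02)) || !(result & 0x01)` would also be easier to audit with a one-line comment naming what each bit reports.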
diff --git a/queue-4.19/series b/queue-4.19/series
index 616ba7d1c50..47d302122dd 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -468,3 +468,6 @@ perf-auxtrace-fix-address-filter-duplicate-symbol-selection.patch
 s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch
 net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
 alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch
+cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch
+platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch
+ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch