Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Sat, 14 Oct 2023 12:58:49 +0000 (08:58 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 14 Oct 2023 12:58:49 +0000 (08:58 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/drm-vmwgfx-fix-typo-of-sizeof-argument.patch [new file with mode: 0644]
queue-4.14/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch [new file with mode: 0644]
queue-4.14/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch [new file with mode: 0644]
queue-4.14/nfc-nci-assert-requested-protocol-is-valid.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/workqueue-override-implicit-ordered-attribute-in-wor.patch [new file with mode: 0644]

diff --git a/queue-4.14/drm-vmwgfx-fix-typo-of-sizeof-argument.patch b/queue-4.14/drm-vmwgfx-fix-typo-of-sizeof-argument.patch
new file mode 100644 (file)
index 0000000..8082882
--- /dev/null
@@ -0,0 +1,40 @@
+From 6dbcd9e0c1f51e9a5bc7a86ecb8d6aaf0efc0db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 18:02:03 +0800
+Subject: drm/vmwgfx: fix typo of sizeof argument
+
+From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+
+[ Upstream commit 39465cac283702a7d4a507a558db81898029c6d3 ]
+
+Since size of 'header' pointer and '*header' structure is equal on 64-bit
+machines issue probably didn't cause any wrong behavior. But anyway,
+fixing typo is required.
+
+Fixes: 7a73ba7469cb ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.")
+Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
+Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Reviewed-by: Zack Rusin <zackr@vmware.com>
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+index 996696ad6f988..3bb0a36260c20 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -1836,7 +1836,7 @@ static int vmw_cmd_tex_state(struct vmw_private *dev_priv,
+       } *cmd;
+       SVGA3dTextureState *last_state = (SVGA3dTextureState *)
+-        ((unsigned long) header + header->size + sizeof(header));
++        ((unsigned long) header + header->size + sizeof(*header));
+       SVGA3dTextureState *cur_state = (SVGA3dTextureState *)
+               ((unsigned long) header + sizeof(struct vmw_tex_state_cmd));
+       struct vmw_resource_val_node *ctx_node;
+-- 
+2.40.1
+
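Review bot: `last_state` in vmw_cmd_tex_state() is still derived from `header->size` by integer arithmetic, and nothing in the visible lines says where that size is bounded; it looks like a value taken from the submitted command stream. A short comment above the declaration would help, for example `/* header->size is the body length; assumed to be checked against the command buffer before this handler runs - TODO confirm on 4.14 */`. The commit message implies the structure is pointer-sized only on 64-bit, so on a 32-bit build the old `sizeof(header)` would have placed the end marker short of the real end of the command. The function body continues outside the hunk, so the loop that consumes `last_state` cannot be checked here.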
diff --git a/queue-4.14/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch b/queue-4.14/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
new file mode 100644 (file)
index 0000000..8731bd5
--- /dev/null
@@ -0,0 +1,75 @@
+From 72797c7408d7b24008b1c9ca8dc8caafc1c3976c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Oct 2023 11:30:49 +0800
+Subject: ieee802154: ca8210: Fix a potential UAF in ca8210_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ]
+
+If of_clk_add_provider() fails in ca8210_register_ext_clock(),
+it calls clk_unregister() to release priv->clk and returns an
+error. However, the caller ca8210_probe() then calls ca8210_remove(),
+where priv->clk is freed again in ca8210_unregister_ext_clock(). In
+this case, a use-after-free may happen in the second time we call
+clk_unregister().
+
+Fix this by removing the first clk_unregister(). Also, priv->clk could
+be an error code on failure of clk_register_fixed_rate(). Use
+IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 4ec65582eaf70..d903106436dc6 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2782,7 +2782,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+       struct device_node *np = spi->dev.of_node;
+       struct ca8210_priv *priv = spi_get_drvdata(spi);
+       struct ca8210_platform_data *pdata = spi->dev.platform_data;
+-      int ret = 0;
+       if (!np)
+               return -EFAULT;
+@@ -2799,18 +2798,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+               dev_crit(&spi->dev, "Failed to register external clk\n");
+               return PTR_ERR(priv->clk);
+       }
+-      ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+-      if (ret) {
+-              clk_unregister(priv->clk);
+-              dev_crit(
+-                      &spi->dev,
+-                      "Failed to register external clock as clock provider\n"
+-              );
+-      } else {
+-              dev_info(&spi->dev, "External clock set as clock provider\n");
+-      }
+-      return ret;
++      return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+ }
+ /**
+@@ -2822,8 +2811,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi)
+ {
+       struct ca8210_priv *priv = spi_get_drvdata(spi);
+-      if (!priv->clk)
+-              return
++      if (IS_ERR_OR_NULL(priv->clk))
++              return;
+       of_clk_del_provider(spi->dev.of_node);
+       clk_unregister(priv->clk);
+-- 
+2.40.1
+
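Review bot: In ca8210_unregister_ext_clock() the lines shown leave `priv->clk` pointing at the clock after `clk_unregister(priv->clk)`, so the new `IS_ERR_OR_NULL()` guard does not stop a second call from unregistering the same clock again. If the rest of the function (outside the hunk) does not already clear it, add `priv->clk = NULL;` right after the unregister, so the double-release this patch fixes cannot come back through another path. Separately, the new one-line tail of ca8210_register_ext_clock() drops the `dev_crit` for an of_clk_add_provider() failure, so that error is silent unless the caller logs it. On that same path the remove routine will call `of_clk_del_provider()` for a provider that was never added, which is presumably a no-op but worth confirming on 4.14.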
diff --git a/queue-4.14/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch b/queue-4.14/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
new file mode 100644 (file)
index 0000000..74be59c
--- /dev/null
@@ -0,0 +1,49 @@
+From c7d806c67e48d437031f8c1516d213d488e6888f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 15:53:09 +0300
+Subject: ixgbe: fix crash with empty VF macvlan list
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7b5add9af567c44e12196107f0fe106e194034fd ]
+
+The adapter->vf_mvs.l list needs to be initialized even if the list is
+empty.  Otherwise it will lead to crashes.
+
+Fixes: a1cbb15c1397 ("ixgbe: Add macvlan support for VF")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Link: https://lore.kernel.org/r/ZSADNdIw8zFx1xw2@kadam
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+index f36bb9e7d8d59..3698c45837d82 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+@@ -53,6 +53,9 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+       struct vf_macvlans *mv_list;
+       int num_vf_macvlans, i;
++      /* Initialize list of VF macvlans */
++      INIT_LIST_HEAD(&adapter->vf_mvs.l);
++
+       num_vf_macvlans = hw->mac.num_rar_entries -
+                         (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs);
+       if (!num_vf_macvlans)
+@@ -61,8 +64,6 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+       mv_list = kcalloc(num_vf_macvlans, sizeof(struct vf_macvlans),
+                         GFP_KERNEL);
+       if (mv_list) {
+-              /* Initialize list of VF macvlans */
+-              INIT_LIST_HEAD(&adapter->vf_mvs.l);
+               for (i = 0; i < num_vf_macvlans; i++) {
+                       mv_list[i].vf = -1;
+                       mv_list[i].free = true;
+-- 
+2.40.1
+
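Review bot: The check that follows the new `INIT_LIST_HEAD()` tests only `!num_vf_macvlans`, so a negative result of `hw->mac.num_rar_entries - (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs)` would still be passed to `kcalloc()` as the element count. That should fail the allocation and be caught by `if (mv_list)` rather than corrupt memory, but it relies on the allocator to reject a nonsensical count. `if (num_vf_macvlans <= 0)` would state the intent directly. Whether the value can go negative depends on the type and range of `num_vfs`, which is declared outside the hunk.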
diff --git a/queue-4.14/nfc-nci-assert-requested-protocol-is-valid.patch b/queue-4.14/nfc-nci-assert-requested-protocol-is-valid.patch
new file mode 100644 (file)
index 0000000..8acb03f
--- /dev/null
@@ -0,0 +1,45 @@
+From 3d7cbc0e71221e98073a7be634f7f96dbcaa0bbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 16:00:54 -0400
+Subject: nfc: nci: assert requested protocol is valid
+
+From: Jeremy Cline <jeremy@jcline.org>
+
+[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ]
+
+The protocol is used in a bit mask to determine if the protocol is
+supported. Assert the provided protocol is less than the maximum
+defined so it doesn't potentially perform a shift-out-of-bounds and
+provide a clearer error for undefined protocols vs unsupported ones.
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 216228c39acba..d42c603dd635c 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -906,6 +906,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev,
+               return -EINVAL;
+       }
++      if (protocol >= NFC_PROTO_MAX) {
++              pr_err("the requested nfc protocol is invalid\n");
++              return -EINVAL;
++      }
++
+       if (!(nci_target->supported_protocols & (1 << protocol))) {
+               pr_err("target does not support the requested protocol 0x%x\n",
+                      protocol);
+-- 
+2.40.1
+
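Review bot: The new `pr_err()` in nci_activate_target() does not print the rejected value, unlike the unsupported-protocol message just below it that logs `0x%x`. `pr_err("the requested nfc protocol 0x%x is invalid\n", protocol);` would make both cases equally easy to triage. The trailers say syzbot reached this path, so the value is apparently caller-controlled, and `pr_err_ratelimited()` may be the better choice for both messages to avoid log flooding. The shift remains `1 << protocol` on a signed int, which is only safe while NFC_PROTO_MAX stays below the width of int; `BIT(protocol)` or `1U << protocol` removes that dependency.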
index 483e3bdcb1b584bc69fcb0db9afe2a209d682ae3..c20255d55699b5297851b70981283e3329ca2c36 100644 (file)
@@ -2,3 +2,8 @@ rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch
 platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch
 hid-logitech-hidpp-fix-kernel-crash-on-receiver-usb-disconnect.patch
 drm-etvnaviv-fix-bad-backport-leading-to-warning.patch
+ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
+drm-vmwgfx-fix-typo-of-sizeof-argument.patch
+ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
+nfc-nci-assert-requested-protocol-is-valid.patch
+workqueue-override-implicit-ordered-attribute-in-wor.patch
diff --git a/queue-4.14/workqueue-override-implicit-ordered-attribute-in-wor.patch b/queue-4.14/workqueue-override-implicit-ordered-attribute-in-wor.patch
new file mode 100644 (file)
index 0000000..0cf6470
--- /dev/null
@@ -0,0 +1,58 @@
+From e49feebfb57d59829bce0712bca6f7a80f9018e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Oct 2023 22:48:42 -0400
+Subject: workqueue: Override implicit ordered attribute in
+ workqueue_apply_unbound_cpumask()
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit ca10d851b9ad0338c19e8e3089e24d565ebfffd7 ]
+
+Commit 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1
+to be ordered") enabled implicit ordered attribute to be added to
+WQ_UNBOUND workqueues with max_active of 1. This prevented the changing
+of attributes to these workqueues leading to fix commit 0a94efb5acbb
+("workqueue: implicit ordered attribute should be overridable").
+
+However, workqueue_apply_unbound_cpumask() was not updated at that time.
+So sysfs changes to wq_unbound_cpumask has no effect on WQ_UNBOUND
+workqueues with implicit ordered attribute. Since not all WQ_UNBOUND
+workqueues are visible on sysfs, we are not able to make all the
+necessary cpumask changes even if we iterates all the workqueue cpumasks
+in sysfs and changing them one by one.
+
+Fix this problem by applying the corresponding change made
+to apply_workqueue_attrs_locked() in the fix commit to
+workqueue_apply_unbound_cpumask().
+
+Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/workqueue.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 87eca8d1faad1..69238bc8be50e 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5001,9 +5001,13 @@ static int workqueue_apply_unbound_cpumask(void)
+       list_for_each_entry(wq, &workqueues, list) {
+               if (!(wq->flags & WQ_UNBOUND))
+                       continue;
++
+               /* creating multiple pwqs breaks ordering guarantee */
+-              if (wq->flags & __WQ_ORDERED)
+-                      continue;
++              if (!list_empty(&wq->pwqs)) {
++                      if (wq->flags & __WQ_ORDERED_EXPLICIT)
++                              continue;
++                      wq->flags &= ~__WQ_ORDERED;
++              }
+               ctx = apply_wqattrs_prepare(wq, wq->unbound_attrs);
+               if (!ctx) {
+-- 
+2.40.1
+
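Review bot: In workqueue_apply_unbound_cpumask() the implicit `__WQ_ORDERED` flag is cleared before `apply_wqattrs_prepare()` is known to succeed, so on the `!ctx` path just below the workqueue has lost its ordering flag although no new attributes were applied. If that matters on 4.14, clear the flag only after a successful prepare, or restore it on failure. The retained comment `/* creating multiple pwqs breaks ordering guarantee */` also no longer describes the branch. Something like `/* explicitly ordered wqs are skipped; an implicit __WQ_ORDERED is dropped so the new cpumask can be applied */` would match the code. The loop body continues outside the hunk, so the rest of the error handling is not visible here.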