--- /dev/null
+From 24013314be6ee4ee456114a671e9fa3461323de8 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Wed, 30 Nov 2022 10:57:47 -0800
+Subject: drm/shmem-helper: Remove errant put in error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit 24013314be6ee4ee456114a671e9fa3461323de8 upstream.
+
+drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM
+object getting prematurely freed leading to a later use-after-free.
+
+Link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
+Reported-by: syzbot+c8ae65286134dd1b800d@syzkaller.appspotmail.com
+Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-2-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_shmem_helper.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
+@@ -554,10 +554,8 @@ int drm_gem_shmem_mmap(struct file *filp
+ shmem = to_drm_gem_shmem_obj(vma->vm_private_data);
+
+ ret = drm_gem_shmem_get_pages(shmem);
+- if (ret) {
+- drm_gem_vm_close(vma);
++ if (ret)
+ return ret;
+- }
+
+ /* VM_PFNMAP was set by drm_gem_mmap() */
+ vma->vm_flags &= ~VM_PFNMAP;
--- /dev/null
+From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001
+From: ZhangPeng <zhangpeng362@huawei.com>
+Date: Wed, 16 Nov 2022 07:14:28 +0000
+Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream.
+
+Syzbot reported shift-out-of-bounds in hid_report_raw_event.
+
+microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
+32! (swapper/0)
+======================================================================
+UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
+shift exponent 127 is too large for 32-bit type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
+Hardware name: Google Compute Engine/Google Compute Engine, BIOS
+Google 10/26/2022
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:151 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
+ snto32 drivers/hid/hid-core.c:1323 [inline]
+ hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
+ hid_process_report drivers/hid/hid-core.c:1665 [inline]
+ hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
+ hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
+ hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
+ __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
+ dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
+ expire_timers kernel/time/timer.c:1519 [inline]
+ __run_timers+0x76a/0x980 kernel/time/timer.c:1790
+ run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
+ __do_softirq+0x277/0x75b kernel/softirq.c:571
+ __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
+======================================================================
+
+If the size of the integer (unsigned n) is bigger than 32 in snto32(),
+shift exponent will be too large for 32-bit type 'int', resulting in a
+shift-out-of-bounds bug.
+Fix this by adding a check on the size of the integer (unsigned n) in
+snto32(). To add support for n greater than 32 bits, set n to 32, if n
+is greater than 32.
+
+Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1303,6 +1303,9 @@ static s32 snto32(__u32 value, unsigned
+ if (!value || !n)
+ return 0;
+
++ if (n > 32)
++ n = 32;
++
+ switch (n) {
+ case 8: return ((__s8)value);
+ case 16: return ((__s16)value);
--- /dev/null
+From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova <abelova@astralinux.ru>
+Date: Fri, 11 Nov 2022 15:55:11 +0300
+Subject: HID: hid-lg4ff: Add check for empty lbuf
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream.
+
+If an empty buf is received, lbuf is also empty. So lbuf is
+accessed by index -1.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-lg4ff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_sto
+ return -ENOMEM;
+
+ i = strlen(lbuf);
++
++ if (i == 0) {
++ kfree(lbuf);
++ return -EINVAL;
++ }
++
+ if (lbuf[i-1] == '\n') {
+ if (i == 1) {
+ kfree(lbuf);
--- /dev/null
+From f6d910a89a2391e5ce1f275d205023880a33d3f8 Mon Sep 17 00:00:00 2001
+From: Ankit Patel <anpatel@nvidia.com>
+Date: Tue, 22 Nov 2022 15:35:20 +0800
+Subject: HID: usbhid: Add ALWAYS_POLL quirk for some mice
+
+From: Ankit Patel <anpatel@nvidia.com>
+
+commit f6d910a89a2391e5ce1f275d205023880a33d3f8 upstream.
+
+Some additional USB mouse devices are needing ALWAYS_POLL quirk without
+which they disconnect and reconnect every 60s.
+
+Add below devices to the known quirk list.
+CHERRY VID 0x046a, PID 0x000c
+MICROSOFT VID 0x045e, PID 0x0783
+PRIMAX VID 0x0461, PID 0x4e2a
+
+Signed-off-by: Ankit Patel <anpatel@nvidia.com>
+Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -259,6 +259,7 @@
+ #define USB_DEVICE_ID_CH_AXIS_295 0x001c
+
+ #define USB_VENDOR_ID_CHERRY 0x046a
++#define USB_DEVICE_ID_CHERRY_MOUSE_000C 0x000c
+ #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023
+ #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR 0x0027
+
+@@ -864,6 +865,7 @@
+ #define USB_DEVICE_ID_MS_XBOX_ONE_S_CONTROLLER 0x02fd
+ #define USB_DEVICE_ID_MS_PIXART_MOUSE 0x00cb
+ #define USB_DEVICE_ID_8BITDO_SN30_PRO_PLUS 0x02e0
++#define USB_DEVICE_ID_MS_MOUSE_0783 0x0783
+
+ #define USB_VENDOR_ID_MOJO 0x8282
+ #define USB_DEVICE_ID_RETRO_ADAPTER 0x3201
+@@ -1292,6 +1294,7 @@
+
+ #define USB_VENDOR_ID_PRIMAX 0x0461
+ #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22
++#define USB_DEVICE_ID_PRIMAX_MOUSE_4E2A 0x4e2a
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -54,6 +54,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET },
++ { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS },
+@@ -122,6 +123,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT },
++ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_MOUSE_0783), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE3_COVER), HID_QUIRK_NO_INIT_REPORTS },
+@@ -146,6 +148,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4E2A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
--- /dev/null
+From 0dd4cdccdab3d74bd86b868768a7dca216bcce7e Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 23 Nov 2022 10:08:33 +0100
+Subject: KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 0dd4cdccdab3d74bd86b868768a7dca216bcce7e upstream.
+
+We recently experienced some weird huge time jumps in nested guests when
+rebooting them in certain cases. After adding some debug code to the epoch
+handling in vsie.c (thanks to David Hildenbrand for the idea!), it was
+obvious that the "epdx" field (the multi-epoch extension) did not get set
+to 0xff in case the "epoch" field was negative.
+Seems like the code misses to copy the value from the epdx field from
+the guest to the shadow control block. By doing so, the weird time
+jumps are gone in our scenarios.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2140899
+Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support")
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Cc: stable@vger.kernel.org # 4.19+
+Link: https://lore.kernel.org/r/20221123090833.292938-1-thuth@redhat.com
+Message-Id: <20221123090833.292938-1-thuth@redhat.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kvm/vsie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/vsie.c
++++ b/arch/s390/kvm/vsie.c
+@@ -540,8 +540,10 @@ static int shadow_scb(struct kvm_vcpu *v
+ if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_CEI))
+ scb_s->eca |= scb_o->eca & ECA_CEI;
+ /* Epoch Extension */
+- if (test_kvm_facility(vcpu->kvm, 139))
++ if (test_kvm_facility(vcpu->kvm, 139)) {
+ scb_s->ecd |= scb_o->ecd & ECD_MEF;
++ scb_s->epdx = scb_o->epdx;
++ }
+
+ /* etoken */
+ if (test_kvm_facility(vcpu->kvm, 156))
--- /dev/null
+From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Wed, 16 Nov 2022 15:07:22 +0000
+Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 5eef2141776da02772c44ec406d6871a790761ee upstream.
+
+Sanity checks were added to verify the v4l2_bt_timings blanking fields
+in order to avoid integer overflows when userspace passes weird values.
+
+But that assumed that userspace would correctly fill in the front porch,
+backporch and sync values, but sometimes all you know is the total
+blanking, which is then assigned to just one of these fields.
+
+And that can fail with these checks.
+
+So instead set a maximum for the total horizontal and vertical
+blanking and check that each field remains below that.
+
+That is still sufficient to avoid integer overflows, but it also
+allows for more flexibility in how userspace fills in these fields.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values")
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -145,6 +145,8 @@ bool v4l2_valid_dv_timings(const struct
+ const struct v4l2_bt_timings *bt = &t->bt;
+ const struct v4l2_bt_timings_cap *cap = &dvcap->bt;
+ u32 caps = cap->capabilities;
++ const u32 max_vert = 10240;
++ u32 max_hor = 3 * bt->width;
+
+ if (t->type != V4L2_DV_BT_656_1120)
+ return false;
+@@ -166,14 +168,20 @@ bool v4l2_valid_dv_timings(const struct
+ if (!bt->interlaced &&
+ (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch))
+ return false;
+- if (bt->hfrontporch > 2 * bt->width ||
+- bt->hsync > 1024 || bt->hbackporch > 1024)
++ /*
++ * Some video receivers cannot properly separate the frontporch,
++ * backporch and sync values, and instead they only have the total
++ * blanking. That can be assigned to any of these three fields.
++ * So just check that none of these are way out of range.
++ */
++ if (bt->hfrontporch > max_hor ||
++ bt->hsync > max_hor || bt->hbackporch > max_hor)
+ return false;
+- if (bt->vfrontporch > 4096 ||
+- bt->vsync > 128 || bt->vbackporch > 4096)
++ if (bt->vfrontporch > max_vert ||
++ bt->vsync > max_vert || bt->vbackporch > max_vert)
+ return false;
+- if (bt->interlaced && (bt->il_vfrontporch > 4096 ||
+- bt->il_vsync > 128 || bt->il_vbackporch > 4096))
++ if (bt->interlaced && (bt->il_vfrontporch > max_vert ||
++ bt->il_vsync > max_vert || bt->il_vbackporch > max_vert))
+ return false;
+ return fnc == NULL || fnc(t, fnc_handle);
+ }
--- /dev/null
+From 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 7 Dec 2022 16:53:15 -1000
+Subject: memcg: fix possible use-after-free in memcg_write_event_control()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream.
+
+memcg_write_event_control() accesses the dentry->d_name of the specified
+control fd to route the write call. As a cgroup interface file can't be
+renamed, it's safe to access d_name as long as the specified file is a
+regular cgroup file. Also, as these cgroup interface files can't be
+removed before the directory, it's safe to access the parent too.
+
+Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
+call to __file_cft() which verified that the specified file is a regular
+cgroupfs file before further accesses. The cftype pointer returned from
+__file_cft() was no longer necessary and the commit inadvertently dropped
+the file type check with it allowing any file to slip through. With the
+invarients broken, the d_name and parent accesses can now race against
+renames and removals of arbitrary files and cause use-after-free's.
+
+Fix the bug by resurrecting the file type check in __file_cft(). Now that
+cgroupfs is implemented through kernfs, checking the file operations needs
+to go through a layer of indirection. Instead, let's check the superblock
+and dentry type.
+
+Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org
+Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft")
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Jann Horn <jannh@google.com>
+Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: <stable@vger.kernel.org> [3.14+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/cgroup.h | 1 +
+ kernel/cgroup/cgroup-internal.h | 1 -
+ mm/memcontrol.c | 15 +++++++++++++--
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -69,6 +69,7 @@ struct css_task_iter {
+ struct list_head iters_node; /* css_set->task_iters */
+ };
+
++extern struct file_system_type cgroup_fs_type;
+ extern struct cgroup_root cgrp_dfl_root;
+ extern struct css_set init_css_set;
+
+--- a/kernel/cgroup/cgroup-internal.h
++++ b/kernel/cgroup/cgroup-internal.h
+@@ -169,7 +169,6 @@ extern struct mutex cgroup_mutex;
+ extern spinlock_t css_set_lock;
+ extern struct cgroup_subsys *cgroup_subsys[];
+ extern struct list_head cgroup_roots;
+-extern struct file_system_type cgroup_fs_type;
+
+ /* iterate across the hierarchies */
+ #define for_each_root(root) \
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4709,6 +4709,7 @@ static ssize_t memcg_write_event_control
+ unsigned int efd, cfd;
+ struct fd efile;
+ struct fd cfile;
++ struct dentry *cdentry;
+ const char *name;
+ char *endp;
+ int ret;
+@@ -4760,6 +4761,16 @@ static ssize_t memcg_write_event_control
+ goto out_put_cfile;
+
+ /*
++ * The control file must be a regular cgroup1 file. As a regular cgroup
++ * file can't be renamed, it's safe to access its name afterwards.
++ */
++ cdentry = cfile.file->f_path.dentry;
++ if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) {
++ ret = -EINVAL;
++ goto out_put_cfile;
++ }
++
++ /*
+ * Determine the event callbacks and set them in @event. This used
+ * to be done via struct cftype but cgroup core no longer knows
+ * about these events. The following is crude but the whole thing
+@@ -4767,7 +4778,7 @@ static ssize_t memcg_write_event_control
+ *
+ * DO NOT ADD NEW FILES.
+ */
+- name = cfile.file->f_path.dentry->d_name.name;
++ name = cdentry->d_name.name;
+
+ if (!strcmp(name, "memory.usage_in_bytes")) {
+ event->register_event = mem_cgroup_usage_register_event;
+@@ -4791,7 +4802,7 @@ static ssize_t memcg_write_event_control
+ * automatically removed on cgroup destruction but the removal is
+ * asynchronous, so take an extra ref on @css.
+ */
+- cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent,
++ cfile_css = css_tryget_online_from_dir(cdentry->d_parent,
+ &memory_cgrp_subsys);
+ ret = -EINVAL;
+ if (IS_ERR(cfile_css))
--- /dev/null
+From fcd0ccd836ffad73d98a66f6fea7b16f735ea920 Mon Sep 17 00:00:00 2001
+From: John Starks <jostarks@microsoft.com>
+Date: Tue, 6 Dec 2022 22:00:53 -0800
+Subject: mm/gup: fix gup_pud_range() for dax
+
+From: John Starks <jostarks@microsoft.com>
+
+commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920 upstream.
+
+For dax pud, pud_huge() returns true on x86. So the function works as long
+as hugetlb is configured. However, dax doesn't depend on hugetlb.
+Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed
+devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
+well.
+
+This fixes the below kernel panic:
+
+general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
+ < snip >
+Call Trace:
+<TASK>
+get_user_pages_fast+0x1f/0x40
+iov_iter_get_pages+0xc6/0x3b0
+? mempool_alloc+0x5d/0x170
+bio_iov_iter_get_pages+0x82/0x4e0
+? bvec_alloc+0x91/0xc0
+? bio_alloc_bioset+0x19a/0x2a0
+blkdev_direct_IO+0x282/0x480
+? __io_complete_rw_common+0xc0/0xc0
+? filemap_range_has_page+0x82/0xc0
+generic_file_direct_write+0x9d/0x1a0
+? inode_update_time+0x24/0x30
+__generic_file_write_iter+0xbd/0x1e0
+blkdev_write_iter+0xb4/0x150
+? io_import_iovec+0x8d/0x340
+io_write+0xf9/0x300
+io_issue_sqe+0x3c3/0x1d30
+? sysvec_reschedule_ipi+0x6c/0x80
+__io_queue_sqe+0x33/0x240
+? fget+0x76/0xa0
+io_submit_sqes+0xe6a/0x18d0
+? __fget_light+0xd1/0x100
+__x64_sys_io_uring_enter+0x199/0x880
+? __context_tracking_enter+0x1f/0x70
+? irqentry_exit_to_user_mode+0x24/0x30
+? irqentry_exit+0x1d/0x30
+? __context_tracking_exit+0xe/0x70
+do_syscall_64+0x3b/0x90
+entry_SYSCALL_64_after_hwframe+0x61/0xcb
+RIP: 0033:0x7fc97c11a7be
+ < snip >
+</TASK>
+---[ end trace 48b2e0e67debcaeb ]---
+RIP: 0010:internal_get_user_pages_fast+0x340/0x990
+ < snip >
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: disabled
+
+Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com
+Fixes: 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax")
+Signed-off-by: John Starks <jostarks@microsoft.com>
+Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/gup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -2240,7 +2240,7 @@ static int gup_pud_range(p4d_t *p4dp, p4
+ next = pud_addr_end(addr, end);
+ if (pud_none(pud))
+ return 0;
+- if (unlikely(pud_huge(pud))) {
++ if (unlikely(pud_huge(pud) || pud_devmap(pud))) {
+ if (!gup_huge_pud(pud, pudp, addr, next, flags,
+ pages, nr))
+ return 0;
xen-netback-do-some-code-cleanup.patch
xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
revert-net-dsa-b53-fix-valid-setting-for-mdb-entries.patch
+media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
+memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
+mm-gup-fix-gup_pud_range-for-dax.patch
+kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
+drm-shmem-helper-remove-errant-put-in-error-path.patch
+hid-usbhid-add-always_poll-quirk-for-some-mice.patch
+hid-hid-lg4ff-add-check-for-empty-lbuf.patch
+hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
