--- /dev/null
+From a654a69b9f9c06b2e56387d0b99f0e3e6b0ff4ef Mon Sep 17 00:00:00 2001
+From: Rob Herring <robh@kernel.org>
+Date: Thu, 21 Sep 2023 14:41:51 -0500
+Subject: arm64: Add Cortex-A520 CPU part definition
+
+From: Rob Herring <robh@kernel.org>
+
+commit a654a69b9f9c06b2e56387d0b99f0e3e6b0ff4ef upstream.
+
+Add the CPU Part number for the new Arm design.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20230921194156.1050055-1-robh@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -79,6 +79,7 @@
+ #define ARM_CPU_PART_CORTEX_A78AE 0xD42
+ #define ARM_CPU_PART_CORTEX_X1 0xD44
+ #define ARM_CPU_PART_CORTEX_A510 0xD46
++#define ARM_CPU_PART_CORTEX_A520 0xD80
+ #define ARM_CPU_PART_CORTEX_A710 0xD47
+ #define ARM_CPU_PART_CORTEX_X2 0xD48
+ #define ARM_CPU_PART_NEOVERSE_N2 0xD49
+@@ -130,6 +131,7 @@
+ #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
+ #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1)
+ #define MIDR_CORTEX_A510 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A510)
++#define MIDR_CORTEX_A520 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A520)
+ #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710)
+ #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2)
+ #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
--- /dev/null
+From 5f521494cc73520ffac18ede0758883b9aedd018 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 27 Sep 2023 10:43:15 +0930
+Subject: btrfs: reject unknown mount options early
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 5f521494cc73520ffac18ede0758883b9aedd018 upstream.
+
+[BUG]
+The following script would allow invalid mount options to be specified
+(although such invalid options would just be ignored):
+
+ # mkfs.btrfs -f $dev
+ # mount $dev $mnt1 <<< Successful mount expected
+ # mount $dev $mnt2 -o junk <<< Failed mount expected
+ # echo $?
+ 0
+
+[CAUSE]
+For the 2nd mount, since the fs is already mounted, we won't go through
+open_ctree() thus no btrfs_parse_options(), but only through
+btrfs_parse_subvol_options().
+
+However we do not treat unrecognized options from valid but irrelevant
+options, thus those invalid options would just be ignored by
+btrfs_parse_subvol_options().
+
+[FIX]
+Add the handling for Opt_err to handle invalid options and error out,
+while still ignore other valid options inside btrfs_parse_subvol_options().
+
+Reported-by: Anand Jain <anand.jain@oracle.com>
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1182,6 +1182,10 @@ static int btrfs_parse_subvol_options(co
+
+ *subvol_objectid = subvolid;
+ break;
++ case Opt_err:
++ btrfs_err(NULL, "unrecognized mount option '%s'", p);
++ error = -EINVAL;
++ goto out;
+ default:
+ break;
+ }
--- /dev/null
+From 134b8c5d8674e7cde380f82e9aedfd46dcdd16f7 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Tue, 26 Sep 2023 17:59:53 -0500
+Subject: drm/amd: Fix detection of _PR3 on the PCIe root port
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 134b8c5d8674e7cde380f82e9aedfd46dcdd16f7 upstream.
+
+On some systems with Navi3x dGPU will attempt to use BACO for runtime
+PM but fails to resume properly. This is because on these systems
+the root port goes into D3cold which is incompatible with BACO.
+
+This happens because in this case dGPU is connected to a bridge between
+root port which causes BOCO detection logic to fail. Fix the intent of
+the logic by looking at root port, not the immediate upstream bridge for
+_PR3.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Jun Ma <Jun.Ma2@amd.com>
+Tested-by: David Perry <David.Perry@amd.com>
+Fixes: b10c1c5b3a4e ("drm/amdgpu: add check for ACPI power resources")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2225,7 +2225,7 @@ static int amdgpu_device_ip_early_init(s
+ adev->flags |= AMD_IS_PX;
+
+ if (!(adev->flags & AMD_IS_APU)) {
+- parent = pci_upstream_bridge(adev->pdev);
++ parent = pcie_find_root_port(adev->pdev);
+ adev->has_pr3 = parent ? pci_pr3_present(parent) : false;
+ }
+
--- /dev/null
+From 86a7e0b69bd5b812e48a20c66c2161744f3caa16 Mon Sep 17 00:00:00 2001
+From: Jordan Rife <jrife@google.com>
+Date: Thu, 21 Sep 2023 18:46:41 -0500
+Subject: net: prevent rewrite of msg_name in sock_sendmsg()
+
+From: Jordan Rife <jrife@google.com>
+
+commit 86a7e0b69bd5b812e48a20c66c2161744f3caa16 upstream.
+
+Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel
+space may observe their value of msg_name change in cases where BPF
+sendmsg hooks rewrite the send address. This has been confirmed to break
+NFS mounts running in UDP mode and has the potential to break other
+systems.
+
+This patch:
+
+1) Creates a new function called __sock_sendmsg() with same logic as the
+ old sock_sendmsg() function.
+2) Replaces calls to sock_sendmsg() made by __sys_sendto() and
+ __sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy,
+ as these system calls are already protected.
+3) Modifies sock_sendmsg() so that it makes a copy of msg_name if
+ present before passing it down the stack to insulate callers from
+ changes to the send address.
+
+Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
+Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
+Cc: stable@vger.kernel.org
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jordan Rife <jrife@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -708,6 +708,14 @@ static inline int sock_sendmsg_nosec(str
+ return ret;
+ }
+
++static int __sock_sendmsg(struct socket *sock, struct msghdr *msg)
++{
++ int err = security_socket_sendmsg(sock, msg,
++ msg_data_left(msg));
++
++ return err ?: sock_sendmsg_nosec(sock, msg);
++}
++
+ /**
+ * sock_sendmsg - send a message through @sock
+ * @sock: socket
+@@ -718,10 +726,19 @@ static inline int sock_sendmsg_nosec(str
+ */
+ int sock_sendmsg(struct socket *sock, struct msghdr *msg)
+ {
+- int err = security_socket_sendmsg(sock, msg,
+- msg_data_left(msg));
++ struct sockaddr_storage *save_addr = (struct sockaddr_storage *)msg->msg_name;
++ struct sockaddr_storage address;
++ int ret;
+
+- return err ?: sock_sendmsg_nosec(sock, msg);
++ if (msg->msg_name) {
++ memcpy(&address, msg->msg_name, msg->msg_namelen);
++ msg->msg_name = &address;
++ }
++
++ ret = __sock_sendmsg(sock, msg);
++ msg->msg_name = save_addr;
++
++ return ret;
+ }
+ EXPORT_SYMBOL(sock_sendmsg);
+
+@@ -1057,7 +1074,7 @@ static ssize_t sock_write_iter(struct ki
+ if (sock->type == SOCK_SEQPACKET)
+ msg.msg_flags |= MSG_EOR;
+
+- res = sock_sendmsg(sock, &msg);
++ res = __sock_sendmsg(sock, &msg);
+ *from = msg.msg_iter;
+ return res;
+ }
+@@ -2036,7 +2053,7 @@ int __sys_sendto(int fd, void __user *bu
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ msg.msg_flags = flags;
+- err = sock_sendmsg(sock, &msg);
++ err = __sock_sendmsg(sock, &msg);
+
+ out_put:
+ fput_light(sock->file, fput_needed);
+@@ -2409,7 +2426,7 @@ static int ____sys_sendmsg(struct socket
+ err = sock_sendmsg_nosec(sock, msg_sys);
+ goto out_freectl;
+ }
+- err = sock_sendmsg(sock, msg_sys);
++ err = __sock_sendmsg(sock, msg_sys);
+ /*
+ * If this is sendmmsg() and sending to current destination address was
+ * successful, remember it.
--- /dev/null
+From 26297b4ce1ce4ea40bc9a48ec99f45da3f64d2e2 Mon Sep 17 00:00:00 2001
+From: Jordan Rife <jrife@google.com>
+Date: Thu, 21 Sep 2023 18:46:40 -0500
+Subject: net: replace calls to sock->ops->connect() with kernel_connect()
+
+From: Jordan Rife <jrife@google.com>
+
+commit 26297b4ce1ce4ea40bc9a48ec99f45da3f64d2e2 upstream.
+
+commit 0bdf399342c5 ("net: Avoid address overwrite in kernel_connect")
+ensured that kernel_connect() will not overwrite the address parameter
+in cases where BPF connect hooks perform an address rewrite. This change
+replaces direct calls to sock->ops->connect() in net with kernel_connect()
+to make these call safe.
+
+Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
+Fixes: d74bad4e74ee ("bpf: Hooks for sys_connect")
+Cc: stable@vger.kernel.org
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jordan Rife <jrife@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_sync.c | 4 ++--
+ net/rds/tcp_connect.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -1507,8 +1507,8 @@ static int make_send_sock(struct netns_i
+ }
+
+ get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->mcfg, id);
+- result = sock->ops->connect(sock, (struct sockaddr *) &mcast_addr,
+- salen, 0);
++ result = kernel_connect(sock, (struct sockaddr *)&mcast_addr,
++ salen, 0);
+ if (result < 0) {
+ pr_err("Error connecting to the multicast addr\n");
+ goto error;
+--- a/net/rds/tcp_connect.c
++++ b/net/rds/tcp_connect.c
+@@ -170,7 +170,7 @@ int rds_tcp_conn_path_connect(struct rds
+ * own the socket
+ */
+ rds_tcp_set_callbacks(sock, cp);
+- ret = sock->ops->connect(sock, addr, addrlen, O_NONBLOCK);
++ ret = kernel_connect(sock, addr, addrlen, O_NONBLOCK);
+
+ rdsdebug("connect to address %pI6c returned %d\n", &conn->c_faddr, ret);
+ if (ret == -EINPROGRESS)
--- /dev/null
+From eea03d18af9c44235865a4bc9bec4d780ef6cf21 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Sat, 23 Sep 2023 19:15:59 -0600
+Subject: qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit eea03d18af9c44235865a4bc9bec4d780ef6cf21 upstream.
+
+The flexible structure (a structure that contains a flexible-array member
+at the end) `qed_ll2_tx_packet` is nested within the second layer of
+`struct qed_ll2_info`:
+
+struct qed_ll2_tx_packet {
+ ...
+ /* Flexible Array of bds_set determined by max_bds_per_packet */
+ struct {
+ struct core_tx_bd *txq_bd;
+ dma_addr_t tx_frag;
+ u16 frag_len;
+ } bds_set[];
+};
+
+struct qed_ll2_tx_queue {
+ ...
+ struct qed_ll2_tx_packet cur_completing_packet;
+};
+
+struct qed_ll2_info {
+ ...
+ struct qed_ll2_tx_queue tx_queue;
+ struct qed_ll2_cbs cbs;
+};
+
+The problem is that member `cbs` in `struct qed_ll2_info` is placed just
+after an object of type `struct qed_ll2_tx_queue`, which is in itself
+an implicit flexible structure, which by definition ends in a flexible
+array member, in this case `bds_set`. This causes an undefined behavior
+bug at run-time when dynamic memory is allocated for `bds_set`, which
+could lead to a serious issue if `cbs` in `struct qed_ll2_info` is
+overwritten by the contents of `bds_set`. Notice that the type of `cbs`
+is a structure full of function pointers (and a cookie :) ):
+
+include/linux/qed/qed_ll2_if.h:
+107 typedef
+108 void (*qed_ll2_complete_rx_packet_cb)(void *cxt,
+109 struct qed_ll2_comp_rx_data *data);
+110
+111 typedef
+112 void (*qed_ll2_release_rx_packet_cb)(void *cxt,
+113 u8 connection_handle,
+114 void *cookie,
+115 dma_addr_t rx_buf_addr,
+116 bool b_last_packet);
+117
+118 typedef
+119 void (*qed_ll2_complete_tx_packet_cb)(void *cxt,
+120 u8 connection_handle,
+121 void *cookie,
+122 dma_addr_t first_frag_addr,
+123 bool b_last_fragment,
+124 bool b_last_packet);
+125
+126 typedef
+127 void (*qed_ll2_release_tx_packet_cb)(void *cxt,
+128 u8 connection_handle,
+129 void *cookie,
+130 dma_addr_t first_frag_addr,
+131 bool b_last_fragment, bool b_last_packet);
+132
+133 typedef
+134 void (*qed_ll2_slowpath_cb)(void *cxt, u8 connection_handle,
+135 u32 opaque_data_0, u32 opaque_data_1);
+136
+137 struct qed_ll2_cbs {
+138 qed_ll2_complete_rx_packet_cb rx_comp_cb;
+139 qed_ll2_release_rx_packet_cb rx_release_cb;
+140 qed_ll2_complete_tx_packet_cb tx_comp_cb;
+141 qed_ll2_release_tx_packet_cb tx_release_cb;
+142 qed_ll2_slowpath_cb slowpath_cb;
+143 void *cookie;
+144 };
+
+Fix this by moving the declaration of `cbs` to the middle of its
+containing structure `qed_ll2_info`, preventing it from being
+overwritten by the contents of `bds_set` at run-time.
+
+This bug was introduced in 2017, when `bds_set` was converted to a
+one-element array, and started to be used as a Variable Length Object
+(VLO) at run-time.
+
+Fixes: f5823fe6897c ("qed: Add ll2 option to limit the number of bds per packet")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/ZQ+Nz8DfPg56pIzr@work
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_ll2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.h
+@@ -111,9 +111,9 @@ struct qed_ll2_info {
+ enum core_tx_dest tx_dest;
+ u8 tx_stats_en;
+ bool main_func_queue;
++ struct qed_ll2_cbs cbs;
+ struct qed_ll2_rx_queue rx_queue;
+ struct qed_ll2_tx_queue tx_queue;
+- struct qed_ll2_cbs cbs;
+ };
+
+ extern const struct qed_ll2_ops qed_ll2_ops_pass;
--- /dev/null
+From b481f644d9174670b385c3a699617052cd2a79d3 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Sat, 23 Sep 2023 18:37:23 +0800
+Subject: scsi: zfcp: Fix a double put in zfcp_port_enqueue()
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit b481f644d9174670b385c3a699617052cd2a79d3 upstream.
+
+When device_register() fails, zfcp_port_release() will be called after
+put_device(). As a result, zfcp_ccw_adapter_put() will be called twice: one
+in zfcp_port_release() and one in the error path after device_register().
+So the reference on the adapter object is doubly put, which may lead to a
+premature free. Fix this by adjusting the error tag after
+device_register().
+
+Fixes: f3450c7b9172 ("[SCSI] zfcp: Replace local reference counting with common kref")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Link: https://lore.kernel.org/r/20230923103723.10320-1-dinghao.liu@zju.edu.cn
+Acked-by: Benjamin Block <bblock@linux.ibm.com>
+Cc: stable@vger.kernel.org # v2.6.33+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/scsi/zfcp_aux.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_aux.c
++++ b/drivers/s390/scsi/zfcp_aux.c
+@@ -518,12 +518,12 @@ struct zfcp_port *zfcp_port_enqueue(stru
+ if (port) {
+ put_device(&port->dev);
+ retval = -EEXIST;
+- goto err_out;
++ goto err_put;
+ }
+
+ port = kzalloc(sizeof(struct zfcp_port), GFP_KERNEL);
+ if (!port)
+- goto err_out;
++ goto err_put;
+
+ rwlock_init(&port->unit_list_lock);
+ INIT_LIST_HEAD(&port->unit_list);
+@@ -546,7 +546,7 @@ struct zfcp_port *zfcp_port_enqueue(stru
+
+ if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
+ kfree(port);
+- goto err_out;
++ goto err_put;
+ }
+ retval = -EINVAL;
+
+@@ -563,7 +563,8 @@ struct zfcp_port *zfcp_port_enqueue(stru
+
+ return port;
+
+-err_out:
++err_put:
+ zfcp_ccw_adapter_put(adapter);
++err_out:
+ return ERR_PTR(retval);
+ }
rbd-take-header_rwsem-in-rbd_dev_refresh-only-when-u.patch
block-fix-use-after-free-of-q-q_usage_counter.patch
revert-clk-imx-pll14xx-dynamically-configure-pll-for-393216000-361267200hz.patch
+scsi-zfcp-fix-a-double-put-in-zfcp_port_enqueue.patch
+vringh-don-t-use-vringh_kiov_advance-in-vringh_iov_xfer.patch
+qed-red_ll2-fix-undefined-behavior-bug-in-struct-qed_ll2_info.patch
+wifi-mwifiex-fix-tlv_buf_left-calculation.patch
+net-replace-calls-to-sock-ops-connect-with-kernel_connect.patch
+btrfs-reject-unknown-mount-options-early.patch
+net-prevent-rewrite-of-msg_name-in-sock_sendmsg.patch
+drm-amd-fix-detection-of-_pr3-on-the-pcie-root-port.patch
+arm64-add-cortex-a520-cpu-part-definition.patch
--- /dev/null
+From 7aed44babc7f97e82b38e9a68515e699692cc100 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 25 Sep 2023 12:30:57 +0200
+Subject: vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 7aed44babc7f97e82b38e9a68515e699692cc100 upstream.
+
+In the while loop of vringh_iov_xfer(), `partlen` could be 0 if one of
+the `iov` has 0 lenght.
+In this case, we should skip the iov and go to the next one.
+But calling vringh_kiov_advance() with 0 lenght does not cause the
+advancement, since it returns immediately if asked to advance by 0 bytes.
+
+Let's restore the code that was there before commit b8c06ad4d67d
+("vringh: implement vringh_kiov_advance()"), avoiding using
+vringh_kiov_advance().
+
+Fixes: b8c06ad4d67d ("vringh: implement vringh_kiov_advance()")
+Cc: stable@vger.kernel.org
+Reported-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vringh.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vringh.c
++++ b/drivers/vhost/vringh.c
+@@ -123,8 +123,18 @@ static inline ssize_t vringh_iov_xfer(st
+ done += partlen;
+ len -= partlen;
+ ptr += partlen;
++ iov->consumed += partlen;
++ iov->iov[iov->i].iov_len -= partlen;
++ iov->iov[iov->i].iov_base += partlen;
+
+- vringh_kiov_advance(iov, partlen);
++ if (!iov->iov[iov->i].iov_len) {
++ /* Fix up old iov element then increment. */
++ iov->iov[iov->i].iov_len = iov->consumed;
++ iov->iov[iov->i].iov_base -= iov->consumed;
++
++ iov->consumed = 0;
++ iov->i++;
++ }
+ }
+ return done;
+ }
--- /dev/null
+From eec679e4ac5f47507774956fb3479c206e761af7 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Thu, 24 Aug 2023 21:06:51 -0600
+Subject: wifi: mwifiex: Fix tlv_buf_left calculation
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit eec679e4ac5f47507774956fb3479c206e761af7 upstream.
+
+In a TLV encoding scheme, the Length part represents the length after
+the header containing the values for type and length. In this case,
+`tlv_len` should be:
+
+tlv_len == (sizeof(*tlv_rxba) - 1) - sizeof(tlv_rxba->header) + tlv_bitmap_len
+
+Notice that the `- 1` accounts for the one-element array `bitmap`, which
+1-byte size is already included in `sizeof(*tlv_rxba)`.
+
+So, if the above is correct, there is a double-counting of some members
+in `struct mwifiex_ie_types_rxba_sync`, when `tlv_buf_left` and `tmp`
+are calculated:
+
+968 tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+969 tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
+
+in specific, members:
+
+drivers/net/wireless/marvell/mwifiex/fw.h:777
+ 777 u8 mac[ETH_ALEN];
+ 778 u8 tid;
+ 779 u8 reserved;
+ 780 __le16 seq_num;
+ 781 __le16 bitmap_len;
+
+This is clearly wrong, and affects the subsequent decoding of data in
+`event_buf` through `tlv_rxba`:
+
+970 tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+
+Fix this by using `sizeof(tlv_rxba->header)` instead of `sizeof(*tlv_rxba)`
+in the calculation of `tlv_buf_left` and `tmp`.
+
+This results in the following binary differences before/after changes:
+
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+| @@ -4698,11 +4698,11 @@
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:968
+| tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
+| - 1da7: lea -0x11(%rbx),%edx
+| + 1da7: lea -0x4(%rbx),%edx
+| 1daa: movzwl %bp,%eax
+| drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c:969
+| tmp = (u8 *)tlv_rxba + sizeof(tlv_rxba->header) + tlv_len;
+| - 1dad: lea 0x11(%r15,%rbp,1),%r15
+| + 1dad: lea 0x4(%r15,%rbp,1),%r15
+
+The above reflects the desired change: avoid counting 13 too many bytes;
+which is the total size of the double-counted members in
+`struct mwifiex_ie_types_rxba_sync`:
+
+$ pahole -C mwifiex_ie_types_rxba_sync drivers/net/wireless/marvell/mwifiex/11n_rxreorder.o
+struct mwifiex_ie_types_rxba_sync {
+ struct mwifiex_ie_types_header header; /* 0 4 */
+
+ |-----------------------------------------------------------------------
+ | u8 mac[6]; /* 4 6 */ |
+ | u8 tid; /* 10 1 */ |
+ | u8 reserved; /* 11 1 */ |
+ | __le16 seq_num; /* 12 2 */ |
+ | __le16 bitmap_len; /* 14 2 */ |
+ | u8 bitmap[1]; /* 16 1 */ |
+ |----------------------------------------------------------------------|
+ | 13 bytes|
+ -----------
+
+ /* size: 17, cachelines: 1, members: 7 */
+ /* last cacheline: 17 bytes */
+} __attribute__((__packed__));
+
+Fixes: 99ffe72cdae4 ("mwifiex: process rxba_sync event")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/06668edd68e7a26bbfeebd1201ae077a2a7a8bce.1692931954.git.gustavoars@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+@@ -977,8 +977,8 @@ void mwifiex_11n_rxba_sync_event(struct
+ }
+ }
+
+- tlv_buf_left -= (sizeof(*tlv_rxba) + tlv_len);
+- tmp = (u8 *)tlv_rxba + tlv_len + sizeof(*tlv_rxba);
++ tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
++ tmp = (u8 *)tlv_rxba + sizeof(tlv_rxba->header) + tlv_len;
+ tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
