From 90b801ed59d693f30b917e07f66078f215cbb2a6 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon <kbuild@suse.de>
Date: Mar 02 2023 06:28:57 +0000
Subject: Merge branch 'cve/linux-5.3' into SLE15-SP2-LTSS


---

diff --git a/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
new file mode 100644
index 0000000..c6c5d55
--- /dev/null
+++ b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
@@ -0,0 +1,52 @@
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 13 Feb 2023 22:53:55 -0800
+Subject: net: mpls: fix stale pointer if allocation fails during device rename
+Patch-mainline: v6.2
+Git-commit: fda6c89fe3d9aca073495a664e1d5aea28cd4377
+References: bsc#1208700 CVE-2023-26545
+
+lianhui reports that when MPLS fails to register the sysctl table
+under new location (during device rename) the old pointers won't
+get overwritten and may be freed again (double free).
+
+Handle this gracefully. The best option would be unregistering
+the MPLS from the device completely on failure, but unfortunately
+mpls_ifdown() can fail. So failing fully is also unreliable.
+
+Another option is to register the new table first then only
+remove old one if the new one succeeds. That requires more
+code, changes order of notifications and two tables may be
+visible at the same time.
+
+sysctl point is not used in the rest of the code - set to NULL
+on failures and skip unregister if already NULL.
+
+Reported-by: lianhui tang <bluetlh@gmail.com>
+Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ net/mpls/af_mpls.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(stru
+ free:
+ 	kfree(table);
+ out:
++	mdev->sysctl = NULL;
+ 	return -ENOBUFS;
+ }
+ 
+@@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(s
+ 	struct net *net = dev_net(dev);
+ 	struct ctl_table *table;
+ 
++	if (!mdev->sysctl)
++		return;
++
+ 	table = mdev->sysctl->ctl_table_arg;
+ 	unregister_net_sysctl_table(mdev->sysctl);
+ 	kfree(table);
diff --git a/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch b/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch
new file mode 100644
index 0000000..2cbe0de
--- /dev/null
+++ b/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch
@@ -0,0 +1,51 @@
+From fa0ef93868a6062babe1144df2807a8b1d4924d2 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Fri, 31 Dec 2021 11:36:41 +0000
+Subject: [PATCH] usb: dwc3: dwc3-qcom: Add missing platform_device_put() in
+ dwc3_qcom_acpi_register_core
+Git-commit: fa0ef93868a6062babe1144df2807a8b1d4924d2
+Patch-mainline: v5.17-rc1
+References: bsc#1208741 CVE-2023-22995
+
+Add the missing platform_device_put() before return from
+dwc3_qcom_acpi_register_core in the error handling case.
+
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20211231113641.31474-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/dwc3/dwc3-qcom.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -474,8 +474,10 @@ static int dwc3_qcom_acpi_register_core(
+ 	qcom->dwc3->dev.coherent_dma_mask = dev->coherent_dma_mask;
+ 
+ 	child_res = kcalloc(2, sizeof(*child_res), GFP_KERNEL);
+-	if (!child_res)
++	if (!child_res) {
++		platform_device_put(qcom->dwc3);
+ 		return -ENOMEM;
++	}
+ 
+ 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ 	if (!res) {
+@@ -507,10 +509,15 @@ static int dwc3_qcom_acpi_register_core(
+ 	}
+ 
+ 	ret = platform_device_add(qcom->dwc3);
+-	if (ret)
++	if (ret) {
+ 		dev_err(&pdev->dev, "failed to add device\n");
++		goto out;
++	}
++	kfree(child_res);
++	return 0;
+ 
+ out:
++	platform_device_put(qcom->dwc3);
+ 	kfree(child_res);
+ 	return ret;
+ }
diff --git a/series.conf b/series.conf
index d1620b5..fa83288 100644
--- a/series.conf
+++ b/series.conf
@@ -23010,6 +23010,7 @@
 	patches.suse/usb-host-xen-hcd-add-missing-unlock-in-error-path.patch
 	patches.suse/usb-gadget-don-t-release-an-existing-dev-buf.patch
 	patches.suse/usb-gadget-clear-related-members-when-goto-fail.patch
+	patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch
 	patches.suse/x86-use-mindirect-branch-cs-prefix-for-retpoline-builds.patch
 	patches.suse/x86-lib-atomic64_386_32-rename-things.patch
 	patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch
@@ -23349,6 +23350,7 @@
 	patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch
 	patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch
 	patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch
+	patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
 
 	########################################################
 	# end of sorted patches