Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Tue, 24 Jan 2023 11:22:01 +0000 (06:22 -0500)
committerSasha Levin <sashal@kernel.org>
Tue, 24 Jan 2023 11:22:01 +0000 (06:22 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
22 files changed:
queue-4.14/affs-initialize-fsdata-in-affs_truncate.patch [new file with mode: 0644]
queue-4.14/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch [new file with mode: 0644]
queue-4.14/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch [new file with mode: 0644]
queue-4.14/dmaengine-fix-double-increment-of-client_count-in-dm.patch [new file with mode: 0644]
queue-4.14/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch [new file with mode: 0644]
queue-4.14/hid-betop-check-shape-of-output-reports.patch [new file with mode: 0644]
queue-4.14/hid-check-empty-report_list-in-hid_validate_values.patch [new file with mode: 0644]
queue-4.14/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-reserve-user-expected-tids.patch [new file with mode: 0644]
queue-4.14/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch [new file with mode: 0644]
queue-4.14/net-mlx5-eliminate-anonymous-module_init-module_exit.patch [new file with mode: 0644]
queue-4.14/net-nfc-fix-use-after-free-in-local_cleanup.patch [new file with mode: 0644]
queue-4.14/net-usb-sr9700-handle-negative-len.patch [new file with mode: 0644]
queue-4.14/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch [new file with mode: 0644]
queue-4.14/series [new file with mode: 0644]
queue-4.14/tomoyo-fix-broken-dependency-on-.conf.default.patch [new file with mode: 0644]
queue-4.14/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch [new file with mode: 0644]
queue-4.14/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch [new file with mode: 0644]
queue-4.14/w1-fix-deadloop-in-__w1_remove_master_device.patch [new file with mode: 0644]
queue-4.14/w1-fix-warning-after-calling-w1_process.patch [new file with mode: 0644]
queue-4.14/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch [new file with mode: 0644]

diff --git a/queue-4.14/affs-initialize-fsdata-in-affs_truncate.patch b/queue-4.14/affs-initialize-fsdata-in-affs_truncate.patch
new file mode 100644 (file)
index 0000000..50de881
--- /dev/null
@@ -0,0 +1,40 @@
+From 3be7a9572dd41f0115fb5fcfd83b53363f98da55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 13:49:30 +0100
+Subject: affs: initialize fsdata in affs_truncate()
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit eef034ac6690118c88f357b00e2b3239c9d8575d ]
+
+When aops->write_begin() does not initialize fsdata, KMSAN may report
+an error passing the latter to aops->write_end().
+
+Fix this by unconditionally initializing fsdata.
+
+Fixes: f2b6a16eb8f5 ("fs: affs convert to new aops")
+Suggested-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/affs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/affs/file.c b/fs/affs/file.c
+index ba084b0b214b..82bb38370aa9 100644
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -878,7 +878,7 @@ affs_truncate(struct inode *inode)
+       if (inode->i_size > AFFS_I(inode)->mmu_private) {
+               struct address_space *mapping = inode->i_mapping;
+               struct page *page;
+-              void *fsdata;
++              void *fsdata = NULL;
+               loff_t isize = inode->i_size;
+               int res;
+-- 
+2.39.0
+
diff --git a/queue-4.14/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch b/queue-4.14/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch
new file mode 100644 (file)
index 0000000..925bd95
--- /dev/null
@@ -0,0 +1,89 @@
+From 7b8ac0d55eaee9c1751b732410c382991a1c6989 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:58:51 +0530
+Subject: amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 579923d84b04abb6cd4cd1fd9974096a2dd1832b ]
+
+There is difference in the TX Flow Control registers (TFCR) between the
+revisions of the hardware. The older revisions of hardware used to have
+single register per queue. Whereas, the newer revision of hardware (from
+ver 30H onwards) have one register per priority.
+
+Update the driver to use the TFCR based on the reported version of the
+hardware.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Co-developed-by: Ajith Nayak <Ajith.Nayak@amd.com>
+Signed-off-by: Ajith Nayak <Ajith.Nayak@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+index 1e4bb33925e6..39d4df40700f 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+@@ -523,19 +523,28 @@ static void xgbe_disable_vxlan(struct xgbe_prv_data *pdata)
+       netif_dbg(pdata, drv, pdata->netdev, "VXLAN acceleration disabled\n");
+ }
++static unsigned int xgbe_get_fc_queue_count(struct xgbe_prv_data *pdata)
++{
++      unsigned int max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
++
++      /* From MAC ver 30H the TFCR is per priority, instead of per queue */
++      if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30)
++              return max_q_count;
++      else
++              return min_t(unsigned int, pdata->tx_q_count, max_q_count);
++}
++
+ static int xgbe_disable_tx_flow_control(struct xgbe_prv_data *pdata)
+ {
+-      unsigned int max_q_count, q_count;
+       unsigned int reg, reg_val;
+-      unsigned int i;
++      unsigned int i, q_count;
+       /* Clear MTL flow control */
+       for (i = 0; i < pdata->rx_q_count; i++)
+               XGMAC_MTL_IOWRITE_BITS(pdata, i, MTL_Q_RQOMR, EHFC, 0);
+       /* Clear MAC flow control */
+-      max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
+-      q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count);
++      q_count = xgbe_get_fc_queue_count(pdata);
+       reg = MAC_Q0TFCR;
+       for (i = 0; i < q_count; i++) {
+               reg_val = XGMAC_IOREAD(pdata, reg);
+@@ -552,9 +561,8 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata)
+ {
+       struct ieee_pfc *pfc = pdata->pfc;
+       struct ieee_ets *ets = pdata->ets;
+-      unsigned int max_q_count, q_count;
+       unsigned int reg, reg_val;
+-      unsigned int i;
++      unsigned int i, q_count;
+       /* Set MTL flow control */
+       for (i = 0; i < pdata->rx_q_count; i++) {
+@@ -578,8 +586,7 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata)
+       }
+       /* Set MAC flow control */
+-      max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
+-      q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count);
++      q_count = xgbe_get_fc_queue_count(pdata);
+       reg = MAC_Q0TFCR;
+       for (i = 0; i < q_count; i++) {
+               reg_val = XGMAC_IOREAD(pdata, reg);
+-- 
+2.39.0
+
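Review bot: In the new `xgbe_get_fc_queue_count()` the `else` after an unconditional `return` is redundant and the `max_q_count` local only aliases a constant; the body reads more plainly as `if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30) return XGMAC_MAX_FLOW_CONTROL_QUEUES;` followed by `return min_t(unsigned int, pdata->tx_q_count, XGMAC_MAX_FLOW_CONTROL_QUEUES);`. The existing `/* From MAC ver 30H the TFCR is per priority, instead of per queue */` comment already documents the 0x30 threshold, so no further comment is needed. Both call sites in `xgbe_disable_tx_flow_control()` and `xgbe_enable_tx_flow_control()` are cut by the hunks, so the loops that consume `q_count` are only partly visible here.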
diff --git a/queue-4.14/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch b/queue-4.14/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch
new file mode 100644 (file)
index 0000000..bb7fa84
--- /dev/null
@@ -0,0 +1,48 @@
+From 4c4f56dfcf1e5cb20fc347ac66d0cbf31960ab1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 17:22:59 -0300
+Subject: ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts'
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 9dfbc72256b5de608ad10989bcbafdbbd1ac8d4e ]
+
+The following build warning is seen when running:
+
+make dtbs_check DT_SCHEMA_FILES=fsl-imx-uart.yaml
+
+arch/arm/boot/dts/imx6dl-gw560x.dtb: serial@2020000: rts-gpios: False schema does not allow [[20, 1, 0]]
+       From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml
+
+The imx6qdl-gw560x board does not expose the UART RTS and CTS
+as native UART pins, so 'uart-has-rtscts' should not be used.
+
+Using 'uart-has-rtscts' with 'rts-gpios' is an invalid combination
+detected by serial.yaml.
+
+Fix the problem by removing the incorrect 'uart-has-rtscts' property.
+
+Fixes: b8a559feffb2 ("ARM: dts: imx: add Gateworks Ventana GW5600 support")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Acked-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-gw560x.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
+index d894dde6e85d..b2fc09fec2be 100644
+--- a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
+@@ -462,7 +462,6 @@ &ssi1 {
+ &uart1 {
+       pinctrl-names = "default";
+       pinctrl-0 = <&pinctrl_uart1>;
+-      uart-has-rtscts;
+       rts-gpios = <&gpio7 1 GPIO_ACTIVE_HIGH>;
+       status = "okay";
+ };
+-- 
+2.39.0
+
diff --git a/queue-4.14/dmaengine-fix-double-increment-of-client_count-in-dm.patch b/queue-4.14/dmaengine-fix-double-increment-of-client_count-in-dm.patch
new file mode 100644 (file)
index 0000000..51fa542
--- /dev/null
@@ -0,0 +1,126 @@
+From 6ab2ade6f5b3d7f195a85bfaf7104a99b761cb56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 11:00:50 +0800
+Subject: dmaengine: Fix double increment of client_count in dma_chan_get()
+
+From: Koba Ko <koba.ko@canonical.com>
+
+[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ]
+
+The first time dma_chan_get() is called for a channel the channel
+client_count is incorrectly incremented twice for public channels,
+first in balance_ref_count(), and again prior to returning. This
+results in an incorrect client count which will lead to the
+channel resources not being freed when they should be. A simple
+ test of repeated module load and unload of async_tx on a Dell
+ Power Edge R7425 also shows this resulting in a kref underflow
+ warning.
+
+[  124.329662] async_tx: api initialized (async)
+[  129.000627] async_tx: api initialized (async)
+[  130.047839] ------------[ cut here ]------------
+[  130.052472] refcount_t: underflow; use-after-free.
+[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
+refcount_warn_saturate+0xba/0x110
+[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
+intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
+mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
+syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
+k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
+fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
+libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
+i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
+dm_log dm_mod [last unloaded: async_tx]
+[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
+tainted 5.14.0-185.el9.x86_64 #1
+[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
+1.18.0 01/17/2022
+[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
+[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
+26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
+bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
+48 c7
+[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
+[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
+[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
+[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
+[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
+[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000)
+knlGS:0000000000000000
+[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
+[  130.219729] Call Trace:
+[  130.222192]  <TASK>
+[  130.224305]  dma_chan_put+0x10d/0x110
+[  130.227988]  dmaengine_put+0x7a/0xa0
+[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280
+[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0
+[  130.242652]  do_syscall_64+0x5c/0x90
+[  130.246240]  ? exc_page_fault+0x62/0x150
+[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[  130.255243] RIP: 0033:0x7f6463a3f5ab
+[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
+83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
+00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
+01 48
+[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
+00000000000000b0
+[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
+[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
+[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
+[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
+[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
+[  130.320875]  </TASK>
+[  130.323081] ---[ end trace eff7156d56b5cf25 ]---
+
+cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
+2
+2
+2
+
+Fixes: d2f4f99db3e9 ("dmaengine: Rework dma_chan_get")
+Signed-off-by: Koba Ko <koba.ko@canonical.com>
+Reviewed-by: Jie Hai <haijie1@huawei.com>
+Test-by: Jie Hai <haijie1@huawei.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Tested-by: Joel Savitz <jsavitz@redhat.com>
+Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmaengine.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
+index faaaf10311ec..ef93045d7d7f 100644
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -225,7 +225,8 @@ static int dma_chan_get(struct dma_chan *chan)
+       /* The channel is already in use, update client count */
+       if (chan->client_count) {
+               __module_get(owner);
+-              goto out;
++              chan->client_count++;
++              return 0;
+       }
+       if (!try_module_get(owner))
+@@ -238,11 +239,11 @@ static int dma_chan_get(struct dma_chan *chan)
+                       goto err_out;
+       }
++      chan->client_count++;
++
+       if (!dma_has_cap(DMA_PRIVATE, chan->device->cap_mask))
+               balance_ref_count(chan);
+-out:
+-      chan->client_count++;
+       return 0;
+ err_out:
+-- 
+2.39.0
+
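Review bot: The moved `chan->client_count++` now has to run before `balance_ref_count(chan)` for the fix to hold, but nothing in the code records that ordering constraint; a one-line comment above it would stop a later cleanup from re-merging the two increments, e.g. `/* Count this client before balance_ref_count(), which (per the fix) also bumps client_count for channels it sees as unused */`. That reading of balance_ref_count() comes from the commit message, since its body is outside the hunk. The `err_out:` path and the opening of dma_chan_get() are also outside the hunk.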
diff --git a/queue-4.14/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch b/queue-4.14/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch
new file mode 100644 (file)
index 0000000..577ad9e
--- /dev/null
@@ -0,0 +1,54 @@
+From a744560fc2f6d4a58a29b5636a4a6aded25c4b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Dec 2022 09:48:24 +0400
+Subject: EDAC/highbank: Fix memory leak in highbank_mc_probe()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit e7a293658c20a7945014570e1921bf7d25d68a36 ]
+
+When devres_open_group() fails, it returns -ENOMEM without freeing memory
+allocated by edac_mc_alloc().
+
+Call edac_mc_free() on the error handling path to avoid a memory leak.
+
+  [ bp: Massage commit message. ]
+
+Fixes: a1b01edb2745 ("edac: add support for Calxeda highbank memory controller")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://lore.kernel.org/r/20221229054825.1361993-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/highbank_mc_edac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/highbank_mc_edac.c b/drivers/edac/highbank_mc_edac.c
+index 6092e61be605..bcf41601a977 100644
+--- a/drivers/edac/highbank_mc_edac.c
++++ b/drivers/edac/highbank_mc_edac.c
+@@ -185,8 +185,10 @@ static int highbank_mc_probe(struct platform_device *pdev)
+       drvdata = mci->pvt_info;
+       platform_set_drvdata(pdev, mci);
+-      if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL))
+-              return -ENOMEM;
++      if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) {
++              res = -ENOMEM;
++              goto free;
++      }
+       r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       if (!r) {
+@@ -254,6 +256,7 @@ static int highbank_mc_probe(struct platform_device *pdev)
+       edac_mc_del_mc(&pdev->dev);
+ err:
+       devres_release_group(&pdev->dev, NULL);
++free:
+       edac_mc_free(mci);
+       return res;
+ }
+-- 
+2.39.0
+
diff --git a/queue-4.14/hid-betop-check-shape-of-output-reports.patch b/queue-4.14/hid-betop-check-shape-of-output-reports.patch
new file mode 100644 (file)
index 0000000..dd271ac
--- /dev/null
@@ -0,0 +1,68 @@
+From c6972643336dacfda195b9b670814c2b7107b244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 18:12:16 +0000
+Subject: HID: betop: check shape of output reports
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ]
+
+betopff_init() only checks the total sum of the report counts for each
+report field to be at least 4, but hid_betopff_play() expects 4 report
+fields.
+A device advertising an output report with one field and 4 report counts
+would pass the check but crash the kernel with a NULL pointer dereference
+in hid_betopff_play().
+
+Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-betopff.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c
+index 9b60efe6ec44..ba386e5aa055 100644
+--- a/drivers/hid/hid-betopff.c
++++ b/drivers/hid/hid-betopff.c
+@@ -63,7 +63,6 @@ static int betopff_init(struct hid_device *hid)
+       struct list_head *report_list =
+                       &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+       struct input_dev *dev;
+-      int field_count = 0;
+       int error;
+       int i, j;
+@@ -89,19 +88,21 @@ static int betopff_init(struct hid_device *hid)
+        * -----------------------------------------
+        * Do init them with default value.
+        */
++      if (report->maxfield < 4) {
++              hid_err(hid, "not enough fields in the report: %d\n",
++                              report->maxfield);
++              return -ENODEV;
++      }
+       for (i = 0; i < report->maxfield; i++) {
++              if (report->field[i]->report_count < 1) {
++                      hid_err(hid, "no values in the field\n");
++                      return -ENODEV;
++              }
+               for (j = 0; j < report->field[i]->report_count; j++) {
+                       report->field[i]->value[j] = 0x00;
+-                      field_count++;
+               }
+       }
+-      if (field_count < 4) {
+-              hid_err(hid, "not enough fields in the report: %d\n",
+-                              field_count);
+-              return -ENODEV;
+-      }
+-
+       betopff = kzalloc(sizeof(*betopff), GFP_KERNEL);
+       if (!betopff)
+               return -ENOMEM;
+-- 
+2.39.0
+
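Review bot: The new per-field check at `if (report->field[i]->report_count < 1)` logs `"no values in the field\n"` without saying which field tripped, while the sibling `maxfield` check does report its value; `hid_err(hid, "no values in field %d\n", i);` would make a rejected descriptor diagnosable from the log alone. The check itself looks right: together with `report->maxfield < 4` it guarantees that at least four fields exist and that every field has at least one value before anything is written to `value[]`. hid_betopff_play(), which consumes those fields, is outside the hunk.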
diff --git a/queue-4.14/hid-check-empty-report_list-in-hid_validate_values.patch b/queue-4.14/hid-check-empty-report_list-in-hid_validate_values.patch
new file mode 100644 (file)
index 0000000..9b08894
--- /dev/null
@@ -0,0 +1,42 @@
+From c3c78cd38cb5b1ae45a0c8b0f40dd7d12a7249ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 11:11:24 +0000
+Subject: HID: check empty report_list in hid_validate_values()
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit b12fece4c64857e5fab4290bf01b2e0317a88456 ]
+
+Add a check for empty report_list in hid_validate_values().
+The missing check causes a type confusion when issuing a list_entry()
+on an empty report_list.
+The problem is caused by the assumption that the device must
+have valid report_list. While this will be true for all normal HID
+devices, a suitably malicious device can violate the assumption.
+
+Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index a3debe38d2c7..ab78c1e6f37d 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -984,8 +984,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid,
+                * Validating on id 0 means we should examine the first
+                * report in the list.
+                */
+-              report = list_entry(
+-                              hid->report_enum[type].report_list.next,
++              report = list_first_entry_or_null(
++                              &hid->report_enum[type].report_list,
+                               struct hid_report, list);
+       } else {
+               report = hid->report_enum[type].report_id_hash[id];
+-- 
+2.39.0
+
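Review bot: Switching to `list_first_entry_or_null()` only removes the type confusion if `report` is tested for NULL after the if/else, and that test is outside the hunk; confirm the 4.14 `hid_validate_values()` still has it before `report` is dereferenced. The `else` branch already yields NULL from `report_id_hash[id]` for an unknown id, so the check presumably exists and the new branch merely feeds it the same sentinel for an empty list. The enclosing function begins and ends outside the hunk.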
diff --git a/queue-4.14/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch b/queue-4.14/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch
new file mode 100644 (file)
index 0000000..7bffdf6
--- /dev/null
@@ -0,0 +1,53 @@
+From 2c43b9ab13a45b52c9336c3f32f52eae91c52f99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 21:48:23 +0800
+Subject: HID: intel_ish-hid: Add check for ishtp_dma_tx_map
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 ]
+
+As the kcalloc may return NULL pointer,
+it should be better to check the ishtp_dma_tx_map
+before use in order to avoid NULL pointer dereference.
+
+Fixes: 3703f53b99e4 ("HID: intel_ish-hid: ISH Transport layer")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ishtp/dma-if.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hid/intel-ish-hid/ishtp/dma-if.c b/drivers/hid/intel-ish-hid/ishtp/dma-if.c
+index 2783f3666114..ff4419c8ed4f 100644
+--- a/drivers/hid/intel-ish-hid/ishtp/dma-if.c
++++ b/drivers/hid/intel-ish-hid/ishtp/dma-if.c
+@@ -113,6 +113,11 @@ void *ishtp_cl_get_dma_send_buf(struct ishtp_device *dev,
+       int required_slots = (size / DMA_SLOT_SIZE)
+               + 1 * (size % DMA_SLOT_SIZE != 0);
++      if (!dev->ishtp_dma_tx_map) {
++              dev_err(dev->devc, "Fail to allocate Tx map\n");
++              return NULL;
++      }
++
+       spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags);
+       for (i = 0; i <= (dev->ishtp_dma_num_slots - required_slots); i++) {
+               free = 1;
+@@ -159,6 +164,11 @@ void ishtp_cl_release_dma_acked_mem(struct ishtp_device *dev,
+               return;
+       }
++      if (!dev->ishtp_dma_tx_map) {
++              dev_err(dev->devc, "Fail to allocate Tx map\n");
++              return;
++      }
++
+       i = (msg_addr - dev->ishtp_host_dma_tx_buf) / DMA_SLOT_SIZE;
+       spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags);
+       for (j = 0; j < acked_slots; j++) {
+-- 
+2.39.0
+
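Review bot: The message `"Fail to allocate Tx map\n"` is misleading at both new sites, in `ishtp_cl_get_dma_send_buf()` and `ishtp_cl_release_dma_acked_mem()`: neither function allocates the map, it only finds it missing, so wording such as `"Tx DMA map not allocated\n"` describes what was actually observed. Because the checks sit on the per-message send and release paths, a device whose map never got allocated will emit this error on every call; a once-only or rate-limited variant of `dev_err()` would keep the log usable. The second check duplicates the first, so the same wording change applies to both. Both enclosing functions start and end outside the hunk.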
diff --git a/queue-4.14/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch b/queue-4.14/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch
new file mode 100644 (file)
index 0000000..e56a447
--- /dev/null
@@ -0,0 +1,39 @@
+From 6d649e45e6a8ef960950d246aeacbf8b5d7608fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:11 -0500
+Subject: IB/hfi1: Reject a zero-length user expected buffer
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit 0a0a6e80472c98947d73c3d13bcd7d101895f55d ]
+
+A zero length user buffer makes no sense and the code
+does not handle it correctly.  Instead, reject a
+zero length as invalid.
+
+Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328547120.1472310.6362802432127399257.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index c6d085e1c10d..056ffab86a06 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -323,6 +323,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+       if (!PAGE_ALIGNED(tinfo->vaddr))
+               return -EINVAL;
++      if (tinfo->length == 0)
++              return -EINVAL;
+       tidbuf = kzalloc(sizeof(*tidbuf), GFP_KERNEL);
+       if (!tidbuf)
+-- 
+2.39.0
+
diff --git a/queue-4.14/ib-hfi1-reserve-user-expected-tids.patch b/queue-4.14/ib-hfi1-reserve-user-expected-tids.patch
new file mode 100644 (file)
index 0000000..45efba9
--- /dev/null
@@ -0,0 +1,63 @@
+From 065842730328ae00d711b394813e8276a5cb091f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:16 -0500
+Subject: IB/hfi1: Reserve user expected TIDs
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit ecf91551cdd2925ed6d9a9d99074fa5f67b90596 ]
+
+To avoid a race, reserve the number of user expected
+TIDs before setup.
+
+Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328547636.1472310.7419712824785353905.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index 056ffab86a06..b17c1fc59f7e 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -349,16 +349,13 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+       /* Find sets of physically contiguous pages */
+       tidbuf->n_psets = find_phys_blocks(tidbuf, pinned);
+-      /*
+-       * We don't need to access this under a lock since tid_used is per
+-       * process and the same process cannot be in hfi1_user_exp_rcv_clear()
+-       * and hfi1_user_exp_rcv_setup() at the same time.
+-       */
++      /* Reserve the number of expected tids to be used. */
+       spin_lock(&fd->tid_lock);
+       if (fd->tid_used + tidbuf->n_psets > fd->tid_limit)
+               pageset_count = fd->tid_limit - fd->tid_used;
+       else
+               pageset_count = tidbuf->n_psets;
++      fd->tid_used += pageset_count;
+       spin_unlock(&fd->tid_lock);
+       if (!pageset_count)
+@@ -468,10 +465,11 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ nomem:
+       hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx,
+                 mapped_pages, ret);
++      /* adjust reserved tid_used to actual count */
++      spin_lock(&fd->tid_lock);
++      fd->tid_used -= pageset_count - tididx;
++      spin_unlock(&fd->tid_lock);
+       if (tididx) {
+-              spin_lock(&fd->tid_lock);
+-              fd->tid_used += tididx;
+-              spin_unlock(&fd->tid_lock);
+               tinfo->tidcnt = tididx;
+               tinfo->length = mapped_pages * PAGE_SIZE;
+-- 
+2.39.0
+
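Review bot: Reserving with `fd->tid_used += pageset_count;` up front means every exit between that line and the `nomem:` label must now reach `nomem:`, where `fd->tid_used -= pageset_count - tididx;` trims the reservation to what was mapped, or the reserved TIDs stay counted for the life of the file; the code between the two hunks and the body of `if (!pageset_count)` are outside the hunk, so this needs confirming in the 4.14 tree (the `!pageset_count` exit itself is harmless, as it reserved zero). A comment at the reservation would make the invariant explicit: `/* Reserved here; corrected to the actual count at nomem:, which every later exit must reach. */`. The enclosing hfi1_user_exp_rcv_setup() begins and ends outside the hunk.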
diff --git a/queue-4.14/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch b/queue-4.14/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch
new file mode 100644 (file)
index 0000000..4739f36
--- /dev/null
@@ -0,0 +1,44 @@
+From 5d5ee277c083dd9b5fe177912aba4e5b6fe6421b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jan 2023 11:54:06 +0100
+Subject: net: mdio: validate parameter addr in mdiobus_get_phy()
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 867dbe784c5010a466f00a7d1467c1c5ea569c75 ]
+
+The caller may pass any value as addr, what may result in an out-of-bounds
+access to array mdio_map. One existing case is stmmac_init_phy() that
+may pass -1 as addr. Therefore validate addr before using it.
+
+Fixes: 7f854420fbfe ("phy: Add API for {un}registering an mdio device to a bus.")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/cdf664ea-3312-e915-73f8-021678d08887@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 7a813449d0d1..a9a0638a9b7a 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -70,7 +70,12 @@ EXPORT_SYMBOL(mdiobus_unregister_device);
+ struct phy_device *mdiobus_get_phy(struct mii_bus *bus, int addr)
+ {
+-      struct mdio_device *mdiodev = bus->mdio_map[addr];
++      struct mdio_device *mdiodev;
++
++      if (addr < 0 || addr >= ARRAY_SIZE(bus->mdio_map))
++              return NULL;
++
++      mdiodev = bus->mdio_map[addr];
+       if (!mdiodev)
+               return NULL;
+-- 
+2.39.0
+
diff --git a/queue-4.14/net-mlx5-eliminate-anonymous-module_init-module_exit.patch b/queue-4.14/net-mlx5-eliminate-anonymous-module_init-module_exit.patch
new file mode 100644 (file)
index 0000000..c0cd19d
--- /dev/null
@@ -0,0 +1,76 @@
+From 2298870b056cf412fe93bb785c18435b0e14729d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 20:12:29 -0700
+Subject: net: mlx5: eliminate anonymous module_init & module_exit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 2c1e1b949024989e20907b84e11a731a50778416 ]
+
+Eliminate anonymous module_init() and module_exit(), which can lead to
+confusion or ambiguity when reading System.map, crashes/oops/bugs,
+or an initcall_debug log.
+
+Give each of these init and exit functions unique driver-specific
+names to eliminate the anonymous names.
+
+Example 1: (System.map)
+ ffffffff832fc78c t init
+ ffffffff832fc79e t init
+ ffffffff832fc8f8 t init
+
+Example 2: (initcall_debug log)
+ calling  init+0x0/0x12 @ 1
+ initcall init+0x0/0x12 returned 0 after 15 usecs
+ calling  init+0x0/0x60 @ 1
+ initcall init+0x0/0x60 returned 0 after 2 usecs
+ calling  init+0x0/0x9a @ 1
+ initcall init+0x0/0x9a returned 0 after 74 usecs
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Eli Cohen <eli@mellanox.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: linux-rdma@vger.kernel.org
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 049d9d19c66d..840ce070bddf 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1615,7 +1615,7 @@ static void mlx5_core_verify_params(void)
+       }
+ }
+-static int __init init(void)
++static int __init mlx5_init(void)
+ {
+       int err;
+@@ -1637,7 +1637,7 @@ static int __init init(void)
+       return err;
+ }
+-static void __exit cleanup(void)
++static void __exit mlx5_cleanup(void)
+ {
+ #ifdef CONFIG_MLX5_CORE_EN
+       mlx5e_cleanup();
+@@ -1646,5 +1646,5 @@ static void __exit cleanup(void)
+       mlx5_unregister_debugfs();
+ }
+-module_init(init);
+-module_exit(cleanup);
++module_init(mlx5_init);
++module_exit(mlx5_cleanup);
+-- 
+2.39.0
+
diff --git a/queue-4.14/net-nfc-fix-use-after-free-in-local_cleanup.patch b/queue-4.14/net-nfc-fix-use-after-free-in-local_cleanup.patch
new file mode 100644 (file)
index 0000000..0895970
--- /dev/null
@@ -0,0 +1,112 @@
+From 469572f2377d65a6088916440fa51c893781003e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:19:14 +0900
+Subject: net: nfc: Fix use-after-free in local_cleanup()
+
+From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+
+[ Upstream commit 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 ]
+
+Fix a use-after-free that occurs in kfree_skb() called from
+local_cleanup(). This could happen when killing nfc daemon (e.g. neard)
+after detaching an nfc device.
+When detaching an nfc device, local_cleanup() called from
+nfc_llcp_unregister_device() frees local->rx_pending and decreases
+local->ref by kref_put() in nfc_llcp_local_put().
+In the terminating process, nfc daemon releases all sockets and it leads
+to decreasing local->ref. After the last release of local->ref,
+local_cleanup() called from local_release() frees local->rx_pending
+again, which leads to the bug.
+
+Setting local->rx_pending to NULL in local_cleanup() could prevent
+use-after-free when local_cleanup() is called twice.
+
+Found by a modified version of syzkaller.
+
+BUG: KASAN: use-after-free in kfree_skb()
+
+Call Trace:
+dump_stack_lvl (lib/dump_stack.c:106)
+print_address_description.constprop.0.cold (mm/kasan/report.c:306)
+kasan_check_range (mm/kasan/generic.c:189)
+kfree_skb (net/core/skbuff.c:955)
+local_cleanup (net/nfc/llcp_core.c:159)
+nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
+nfc_llcp_local_put (net/nfc/llcp_core.c:181)
+llcp_sock_destruct (net/nfc/llcp_sock.c:959)
+__sk_destruct (net/core/sock.c:2133)
+sk_destruct (net/core/sock.c:2181)
+__sk_free (net/core/sock.c:2192)
+sk_free (net/core/sock.c:2203)
+llcp_sock_release (net/nfc/llcp_sock.c:646)
+__sock_release (net/socket.c:650)
+sock_close (net/socket.c:1365)
+__fput (fs/file_table.c:306)
+task_work_run (kernel/task_work.c:179)
+ptrace_notify (kernel/signal.c:2354)
+syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
+syscall_exit_to_user_mode (kernel/entry/common.c:296)
+do_syscall_64 (arch/x86/entry/common.c:86)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)
+
+Allocated by task 4719:
+kasan_save_stack (mm/kasan/common.c:45)
+__kasan_slab_alloc (mm/kasan/common.c:325)
+slab_post_alloc_hook (mm/slab.h:766)
+kmem_cache_alloc_node (mm/slub.c:3497)
+__alloc_skb (net/core/skbuff.c:552)
+pn533_recv_response (drivers/nfc/pn533/usb.c:65)
+__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
+usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
+tasklet_action_common.isra.0 (kernel/softirq.c:797)
+__do_softirq (kernel/softirq.c:571)
+
+Freed by task 1901:
+kasan_save_stack (mm/kasan/common.c:45)
+kasan_set_track (mm/kasan/common.c:52)
+kasan_save_free_info (mm/kasan/genericdd.c:518)
+__kasan_slab_free (mm/kasan/common.c:236)
+kmem_cache_free (mm/slub.c:3809)
+kfree_skbmem (net/core/skbuff.c:874)
+kfree_skb (net/core/skbuff.c:931)
+local_cleanup (net/nfc/llcp_core.c:159)
+nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
+nfc_unregister_device (net/nfc/core.c:1179)
+pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
+pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
+usb_unbind_interface (drivers/usb/core/driver.c:458)
+device_release_driver_internal (drivers/base/dd.c:1279)
+bus_remove_device (drivers/base/bus.c:529)
+device_del (drivers/base/core.c:3665)
+usb_disable_device (drivers/usb/core/message.c:1420)
+usb_disconnect (drivers/usb/core.c:2261)
+hub_event (drivers/usb/core/hub.c:5833)
+process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
+worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
+kthread (kernel/kthread.c:319)
+ret_from_fork (arch/x86/entry/entry_64.S:301)
+
+Fixes: 3536da06db0b ("NFC: llcp: Clean local timers and works when removing a device")
+Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Link: https://lore.kernel.org/r/20230111131914.3338838-1-jisoo.jang@yonsei.ac.kr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 7e619ff8a653..150f7ffbf6bc 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -171,6 +171,7 @@ static void local_cleanup(struct nfc_llcp_local *local)
+       cancel_work_sync(&local->rx_work);
+       cancel_work_sync(&local->timeout_work);
+       kfree_skb(local->rx_pending);
++      local->rx_pending = NULL;
+       del_timer_sync(&local->sdreq_timer);
+       cancel_work_sync(&local->sdreq_timeout_work);
+       nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs);
+-- 
+2.39.0
+
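Review bot: The added `local->rx_pending = NULL;` makes the preceding kfree_skb() safe to repeat, but nothing at the site records that local_cleanup() is expected to run twice (once from nfc_llcp_unregister_device() and again from the final nfc_llcp_local_put(), per the description), so a future cleanup could drop the reset as redundant. A comment such as `/* local_cleanup() can run twice (device unregister, then last put); clear so the second kfree_skb() is a no-op */` would pin the reason. The other teardown calls in the same function are context lines here and are not shown to be idempotent, so that is worth confirming alongside this change. local_cleanup() starts before and ends after the quoted hunk.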
diff --git a/queue-4.14/net-usb-sr9700-handle-negative-len.patch b/queue-4.14/net-usb-sr9700-handle-negative-len.patch
new file mode 100644 (file)
index 0000000..ea412a2
--- /dev/null
@@ -0,0 +1,41 @@
+From 5bb7f9df7a9f82fc9514c71df1b29440adfae7f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jan 2023 19:23:26 +0100
+Subject: net: usb: sr9700: Handle negative len
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit ecf7cf8efb59789e2b21d2f9ab926142579092b2 ]
+
+Packet len computed as difference of length word extracted from
+skb data and four may result in a negative value. In such case
+processing of the buffer should be interrupted rather than
+setting sr_skb->len to an unexpectedly large value (due to cast
+from signed to unsigned integer) and passing sr_skb to
+usbnet_skb_return.
+
+Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20230114182326.30479-1-szymon.heidrich@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index a97dd62b9d54..dbdb027abe47 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+               /* ignore the CRC length */
+               len = (skb->data[1] | (skb->data[2] << 8)) - 4;
+-              if (len > ETH_FRAME_LEN || len > skb->len)
++              if (len > ETH_FRAME_LEN || len > skb->len || len < 0)
+                       return 0;
+               /* the last packet of current skb */
+-- 
+2.39.0
+
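Review bot: The `len < 0` test is appended after `len > ETH_FRAME_LEN || len > skb->len`, so a negative `len` is first pushed through the comparison against the unsigned `skb->len` before the sign check is reached; if `len` is declared as a signed int (its declaration is outside the hunk), that middle comparison already promotes the negative value to unsigned, and the intent of the fix is hidden behind that promotion. Placing the sign check first, `if (len < 0 || len > ETH_FRAME_LEN || len > skb->len)`, keeps the remaining comparisons in the non-negative domain and lets the condition read directly as "stop processing on a negative length", as the description states. sr9700_rx_fixup() continues outside the hunk.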
diff --git a/queue-4.14/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch b/queue-4.14/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch
new file mode 100644 (file)
index 0000000..66ca081
--- /dev/null
@@ -0,0 +1,41 @@
+From 26266f05b42c7a821494c37d5fa2f2518be7d650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 19:58:23 +0800
+Subject: phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in
+ rockchip_usb2phy_power_on()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 5daba914da0e48950e9407ea4d75fa57029c9adc ]
+
+The clk_disable_unprepare() should be called in the error handling of
+rockchip_usb2phy_power_on().
+
+Fixes: 0e08d2a727e6 ("phy: rockchip-inno-usb2: add a new driver for Rockchip usb2phy")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Link: https://lore.kernel.org/r/20221205115823.16957-1-shangxiaojing@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+index ee7ce5ee53f9..a088cb027657 100644
+--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+@@ -477,8 +477,10 @@ static int rockchip_usb2phy_power_on(struct phy *phy)
+               return ret;
+       ret = property_enable(base, &rport->port_cfg->phy_sus, false);
+-      if (ret)
++      if (ret) {
++              clk_disable_unprepare(rphy->clk480m);
+               return ret;
++      }
+       /* waiting for the utmi_clk to become stable */
+       usleep_range(1500, 2000);
+-- 
+2.39.0
+
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644 (file)
index 0000000..9e1346a
--- /dev/null
@@ -0,0 +1,21 @@
+arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch
+hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch
+edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch
+tomoyo-fix-broken-dependency-on-.conf.default.patch
+ib-hfi1-reject-a-zero-length-user-expected-buffer.patch
+ib-hfi1-reserve-user-expected-tids.patch
+affs-initialize-fsdata-in-affs_truncate.patch
+amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch
+phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch
+net-nfc-fix-use-after-free-in-local_cleanup.patch
+wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch
+net-usb-sr9700-handle-negative-len.patch
+net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch
+hid-check-empty-report_list-in-hid_validate_values.patch
+usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch
+usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch
+net-mlx5-eliminate-anonymous-module_init-module_exit.patch
+dmaengine-fix-double-increment-of-client_count-in-dm.patch
+hid-betop-check-shape-of-output-reports.patch
+w1-fix-deadloop-in-__w1_remove_master_device.patch
+w1-fix-warning-after-calling-w1_process.patch
diff --git a/queue-4.14/tomoyo-fix-broken-dependency-on-.conf.default.patch b/queue-4.14/tomoyo-fix-broken-dependency-on-.conf.default.patch
new file mode 100644 (file)
index 0000000..ec5cf3e
--- /dev/null
@@ -0,0 +1,61 @@
+From 7323f68b95cfa8ed53b5ff2bb7171094a3ed05c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jan 2023 16:47:41 +0900
+Subject: tomoyo: fix broken dependency on *.conf.default
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ]
+
+If *.conf.default is updated, builtin-policy.h should be rebuilt,
+but this does not work when compiled with O= option.
+
+[Without this commit]
+
+  $ touch security/tomoyo/policy/exception_policy.conf.default
+  $ make O=/tmp security/tomoyo/
+  make[1]: Entering directory '/tmp'
+    GEN     Makefile
+    CALL    /home/masahiro/ref/linux/scripts/checksyscalls.sh
+    DESCEND objtool
+  make[1]: Leaving directory '/tmp'
+
+[With this commit]
+
+  $ touch security/tomoyo/policy/exception_policy.conf.default
+  $ make O=/tmp security/tomoyo/
+  make[1]: Entering directory '/tmp'
+    GEN     Makefile
+    CALL    /home/masahiro/ref/linux/scripts/checksyscalls.sh
+    DESCEND objtool
+    POLICY  security/tomoyo/builtin-policy.h
+    CC      security/tomoyo/common.o
+    AR      security/tomoyo/built-in.a
+  make[1]: Leaving directory '/tmp'
+
+$(srctree)/ is essential because $(wildcard ) does not follow VPATH.
+
+Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/tomoyo/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile
+index b7c6a7ffc058..a1ecf68930c7 100644
+--- a/security/tomoyo/Makefile
++++ b/security/tomoyo/Makefile
+@@ -10,7 +10,7 @@ endef
+ quiet_cmd_policy  = POLICY  $@
+       cmd_policy  = ($(call do_policy,profile); $(call do_policy,exception_policy); $(call do_policy,domain_policy); $(call do_policy,manager); $(call do_policy,stat)) >$@
+-$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(src)/policy/*.conf.default) FORCE
++$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(srctree)/$(src)/policy/*.conf.default) FORCE
+       $(call if_changed,policy)
+ $(obj)/common.o: $(obj)/builtin-policy.h
+-- 
+2.39.0
+
diff --git a/queue-4.14/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch b/queue-4.14/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch
new file mode 100644 (file)
index 0000000..b5a0e20
--- /dev/null
@@ -0,0 +1,43 @@
+From e153dfc014a71c944fbcdc8197a40ecf853cdcd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:59:06 +0530
+Subject: usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+[ Upstream commit ce405d561b020e5a46340eb5146805a625dcacee ]
+
+As per the documentation, function usb_ep_free_request guarantees
+the request will not be queued or no longer be re-queued (or
+otherwise used). However, with the current implementation it
+doesn't make sure that the request in ep0 isn't reused.
+
+Fix this by dequeuing the ep0req on functionfs_unbind before
+freeing the request to align with the definition.
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Tested-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index df880fe73088..946cf039eddd 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1800,6 +1800,8 @@ static void functionfs_unbind(struct ffs_data *ffs)
+       ENTER();
+       if (!WARN_ON(!ffs->gadget)) {
++              /* dequeue before freeing ep0req */
++              usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req);
+               mutex_lock(&ffs->mutex);
+               usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+               ffs->ep0req = NULL;
+-- 
+2.39.0
+
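Review bot: The new `usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req);` runs before `mutex_lock(&ffs->mutex)`, while the free and the `ffs->ep0req = NULL` store that the companion f_fs patch serializes sit inside the mutex, and the comment `/* dequeue before freeing ep0req */` only restates the code. If the ordering is deliberate (a writer blocked waiting for ep0req completion while holding ffs->mutex must be completed by this dequeue before unbind can take the mutex), record it: `/* Dequeue outside ffs->mutex: a writer waiting for ep0req completion may hold the mutex, and completing it here is what lets it release the mutex before the request is freed below. */` If it is not deliberate, a request queued between this dequeue and the free is not covered, which should be confirmed against the ep0 write path, which is outside this hunk. functionfs_unbind() continues past the hunk.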
diff --git a/queue-4.14/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch b/queue-4.14/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch
new file mode 100644 (file)
index 0000000..de974e2
--- /dev/null
@@ -0,0 +1,61 @@
+From d054b9af60303ed195c8c5e5274264c701c0891f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:59:05 +0530
+Subject: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+[ Upstream commit 6a19da111057f69214b97c62fb0ac59023970850 ]
+
+While performing fast composition switch, there is a possibility that the
+process of ffs_ep0_write/ffs_ep0_read get into a race condition
+due to ep0req being freed up from functionfs_unbind.
+
+Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait
+by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't
+bounded so it can go ahead and mark the ep0req to NULL, and since there
+is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.
+
+Fix this by making a serialized execution between the two functions using
+a mutex_lock(ffs->mutex).
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Tested-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 13a38ed806df..df880fe73088 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -274,6 +274,9 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
+       struct usb_request *req = ffs->ep0req;
+       int ret;
++      if (!req)
++              return -EINVAL;
++
+       req->zero     = len < le16_to_cpu(ffs->ev.setup.wLength);
+       spin_unlock_irq(&ffs->ev.waitq.lock);
+@@ -1797,10 +1800,12 @@ static void functionfs_unbind(struct ffs_data *ffs)
+       ENTER();
+       if (!WARN_ON(!ffs->gadget)) {
++              mutex_lock(&ffs->mutex);
+               usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+               ffs->ep0req = NULL;
+               ffs->gadget = NULL;
+               clear_bit(FFS_FL_BOUND, &ffs->flags);
++              mutex_unlock(&ffs->mutex);
+               ffs_data_put(ffs);
+       }
+ }
+-- 
+2.39.0
+
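Review bot: The early `return -EINVAL;` added to __ffs_ep0_queue_wait() exits before the `spin_unlock_irq(&ffs->ev.waitq.lock);` that the normal path executes a few lines later, so if the caller enters this function with ffs->ev.waitq.lock held (which that unlock implies), the new path returns with the spinlock still held and the caller's next acquisition of it would deadlock. The check should release the lock on its way out: `if (!req) { spin_unlock_irq(&ffs->ev.waitq.lock); return -EINVAL; }`. The remainder of __ffs_ep0_queue_wait() and its caller's locking discipline are outside this hunk, so confirm that the lock is indeed held on entry before applying.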
diff --git a/queue-4.14/w1-fix-deadloop-in-__w1_remove_master_device.patch b/queue-4.14/w1-fix-deadloop-in-__w1_remove_master_device.patch
new file mode 100644 (file)
index 0000000..0b7fcb2
--- /dev/null
@@ -0,0 +1,83 @@
+From 72a381a21ef29934cd4d2294523297ad0707b49a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 16:04:34 +0800
+Subject: w1: fix deadloop in __w1_remove_master_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 25d5648802f12ae486076ceca5d7ddf1fef792b2 ]
+
+I got a deadloop report while doing device(ds2482) add/remove test:
+
+  [  162.241881] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+  [  163.272251] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+  [  164.296157] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+  ...
+
+__w1_remove_master_device() can't return, because the dev->refcnt is not zero.
+
+w1_add_master_device()                 |
+  w1_alloc_dev()                       |
+    atomic_set(&dev->refcnt, 2)                |
+  kthread_run()                                |
+                                       |__w1_remove_master_device()
+                                       |  kthread_stop()
+  // KTHREAD_SHOULD_STOP is set,       |
+  // threadfn(w1_process) won't be     |
+  // called.                           |
+  kthread()                            |
+                                       |  // refcnt will never be 0, it's deadloop.
+                                       |  while (atomic_read(&dev->refcnt)) {...}
+
+After calling w1_add_master_device(), w1_process() is not really
+invoked, before w1_process() starting, if kthread_stop() is called
+in __w1_remove_master_device(), w1_process() will never be called,
+the refcnt can not be decreased, then it causes deadloop in remove
+function because of non-zero refcnt.
+
+We need to make sure w1_process() is really started, so move the
+set refcnt into w1_process() to fix this problem.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221205080434.3149205-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1.c     | 2 ++
+ drivers/w1/w1_int.c | 5 ++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 6f9e9505b34c..44315f9fd669 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1136,6 +1136,8 @@ int w1_process(void *data)
+       /* remainder if it woke up early */
+       unsigned long jremain = 0;
++      atomic_inc(&dev->refcnt);
++
+       for (;;) {
+               if (!jremain && dev->search_count) {
+diff --git a/drivers/w1/w1_int.c b/drivers/w1/w1_int.c
+index 1c776178f598..eb851eb44300 100644
+--- a/drivers/w1/w1_int.c
++++ b/drivers/w1/w1_int.c
+@@ -60,10 +60,9 @@ static struct w1_master *w1_alloc_dev(u32 id, int slave_count, int slave_ttl,
+       dev->search_count       = w1_search_count;
+       dev->enable_pullup      = w1_enable_pullup;
+-      /* 1 for w1_process to decrement
+-       * 1 for __w1_remove_master_device to decrement
++      /* For __w1_remove_master_device to decrement
+        */
+-      atomic_set(&dev->refcnt, 2);
++      atomic_set(&dev->refcnt, 1);
+       INIT_LIST_HEAD(&dev->slist);
+       INIT_LIST_HEAD(&dev->async_list);
+-- 
+2.39.0
+
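Review bot: The new `atomic_inc(&dev->refcnt);` at the top of w1_process() carries no comment, while the alloc-side comment in w1_alloc_dev() was rewritten to mention only __w1_remove_master_device(), so a reader of w1_process() alone cannot see why the thread takes its own reference there instead of receiving it from the allocator. A comment such as `/* Take the thread's reference here, not in w1_alloc_dev(): a kthread_stop() before the first run would otherwise leave a reference nobody drops. */` records the reasoning from the description. The matching decrement is outside the hunk, so verify it still pairs with this increment on every exit path of the thread. w1_process() continues past the quoted lines.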
diff --git a/queue-4.14/w1-fix-warning-after-calling-w1_process.patch b/queue-4.14/w1-fix-warning-after-calling-w1_process.patch
new file mode 100644 (file)
index 0000000..22c682d
--- /dev/null
@@ -0,0 +1,55 @@
+From b4f786e96022287f253a7468c4085d2c3cad23fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 18:15:58 +0800
+Subject: w1: fix WARNING after calling w1_process()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b ]
+
+I got the following WARNING message while removing driver(ds2482):
+
+------------[ cut here ]------------
+do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire]
+WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0
+CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G                 N 6.1.0-rc3+ #307
+RIP: 0010:__might_sleep+0x98/0xa0
+Call Trace:
+ exit_signals+0x6c/0x550
+ do_exit+0x2b4/0x17e0
+ kthread_exit+0x52/0x60
+ kthread+0x16d/0x1e0
+ ret_from_fork+0x1f/0x30
+
+The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),
+set it to TASK_RUNNING when it breaks out of the loop to avoid the
+warning.
+
+Fixes: 3c52e4e62789 ("W1: w1_process, block or sleep")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221205101558.3599162-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 44315f9fd669..4d43c373e5c6 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1165,8 +1165,10 @@ int w1_process(void *data)
+                */
+               mutex_unlock(&dev->list_mutex);
+-              if (kthread_should_stop())
++              if (kthread_should_stop()) {
++                      __set_current_state(TASK_RUNNING);
+                       break;
++              }
+               /* Only sleep when the search is active. */
+               if (dev->search_count) {
+-- 
+2.39.0
+
diff --git a/queue-4.14/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch b/queue-4.14/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch
new file mode 100644 (file)
index 0000000..2f6bca9
--- /dev/null
@@ -0,0 +1,75 @@
+From cff838791ad71d51b0f456bc46f3462d5946f956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 18:50:31 +0100
+Subject: wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit b870e73a56c4cccbec33224233eaf295839f228c ]
+
+Since resplen and respoffs are signed integers sufficiently
+large values of unsigned int len and offset members of RNDIS
+response will result in negative values of prior variables.
+This may be utilized to bypass implemented security checks
+to either extract memory contents by manipulating offset or
+overflow the data buffer via memcpy by manipulating both
+offset and len.
+
+Additionally assure that sum of resplen and respoffs does not
+overflow so buffer boundaries are kept.
+
+Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rndis_wlan.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
+index d4947e3a909e..0376a2a74572 100644
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -712,8 +712,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+               struct rndis_query      *get;
+               struct rndis_query_c    *get_c;
+       } u;
+-      int ret, buflen;
+-      int resplen, respoffs, copylen;
++      int ret;
++      size_t buflen, resplen, respoffs, copylen;
+       buflen = *len + sizeof(*u.get);
+       if (buflen < CONTROL_BUFFER_SIZE)
+@@ -748,22 +748,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+               if (respoffs > buflen) {
+                       /* Device returned data offset outside buffer, error. */
+-                      netdev_dbg(dev->net, "%s(%s): received invalid "
+-                              "data offset: %d > %d\n", __func__,
+-                              oid_to_string(oid), respoffs, buflen);
++                      netdev_dbg(dev->net,
++                                 "%s(%s): received invalid data offset: %zu > %zu\n",
++                                 __func__, oid_to_string(oid), respoffs, buflen);
+                       ret = -EINVAL;
+                       goto exit_unlock;
+               }
+-              if ((resplen + respoffs) > buflen) {
+-                      /* Device would have returned more data if buffer would
+-                       * have been big enough. Copy just the bits that we got.
+-                       */
+-                      copylen = buflen - respoffs;
+-              } else {
+-                      copylen = resplen;
+-              }
++              copylen = min(resplen, buflen - respoffs);
+               if (copylen > *len)
+                       copylen = *len;
+-- 
+2.39.0
+
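Review bot: After the switch to size_t, the context line `buflen = *len + sizeof(*u.get);` and the clamp `if (copylen > *len)` still mix the new unsigned locals with the signed `*len` from the signature (`int *len`); a negative `*len` would wrap `buflen` to a huge value at the first line and make the clamp a no-op at the second, rather than being rejected. If callers are trusted to pass sizeof-derived lengths this is only latent, but an explicit guard at the top, `if (*len < 0) return -EINVAL;` (or the function's equivalent error path), would complete the move to unsigned arithmetic this patch starts and make the description's overflow argument hold for all inputs. The `min(resplen, buflen - respoffs)` replacement itself is safe because the `respoffs > buflen` test above it rules out the subtraction wrapping. rndis_query_oid() starts before and ends after the quoted hunks.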