--- /dev/null
+From d91a34c01e692c032695ea67e97df5532fe1da73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 13:49:30 +0100
+Subject: affs: initialize fsdata in affs_truncate()
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit eef034ac6690118c88f357b00e2b3239c9d8575d ]
+
+When aops->write_begin() does not initialize fsdata, KMSAN may report
+an error passing the latter to aops->write_end().
+
+Fix this by unconditionally initializing fsdata.
+
+Fixes: f2b6a16eb8f5 ("fs: affs convert to new aops")
+Suggested-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/affs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/affs/file.c b/fs/affs/file.c
+index ba084b0b214b..82bb38370aa9 100644
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -878,7 +878,7 @@ affs_truncate(struct inode *inode)
+ if (inode->i_size > AFFS_I(inode)->mmu_private) {
+ struct address_space *mapping = inode->i_mapping;
+ struct page *page;
+- void *fsdata;
++ void *fsdata = NULL;
+ loff_t isize = inode->i_size;
+ int res;
+
+--
+2.39.0
+
--- /dev/null
+From 958847c416adda3a3cd6e18b650b0b42d3c4ef19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:58:52 +0530
+Subject: amd-xgbe: Delay AN timeout during KR training
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 926446ae24c03311a480fb96eb78f0ce7ea6d091 ]
+
+AN restart triggered during KR training not only aborts the KR training
+process but also move the HW to unstable state. Driver has to wait upto
+500ms or until the KR training is completed before restarting AN cycle.
+
+Fixes: 7c12aa08779c ("amd-xgbe: Move the PHY support into amd-xgbe")
+Co-developed-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 24 +++++++++++++++++++++++
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 2 ++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 97167fc9bebe..7840eb4cdb8d 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -496,6 +496,7 @@ static enum xgbe_an xgbe_an73_tx_training(struct xgbe_prv_data *pdata,
+ reg |= XGBE_KR_TRAINING_ENABLE;
+ reg |= XGBE_KR_TRAINING_START;
+ XMDIO_WRITE(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_10GBR_PMD_CTRL, reg);
++ pdata->kr_start_time = jiffies;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "KR training initiated\n");
+@@ -632,6 +633,8 @@ static enum xgbe_an xgbe_an73_incompat_link(struct xgbe_prv_data *pdata)
+
+ xgbe_switch_mode(pdata);
+
++ pdata->an_result = XGBE_AN_READY;
++
+ xgbe_an_restart(pdata);
+
+ return XGBE_AN_INCOMPAT_LINK;
+@@ -1275,9 +1278,30 @@ static bool xgbe_phy_aneg_done(struct xgbe_prv_data *pdata)
+ static void xgbe_check_link_timeout(struct xgbe_prv_data *pdata)
+ {
+ unsigned long link_timeout;
++ unsigned long kr_time;
++ int wait;
+
+ link_timeout = pdata->link_check + (XGBE_LINK_TIMEOUT * HZ);
+ if (time_after(jiffies, link_timeout)) {
++ if ((xgbe_cur_mode(pdata) == XGBE_MODE_KR) &&
++ pdata->phy.autoneg == AUTONEG_ENABLE) {
++ /* AN restart should not happen while KR training is in progress.
++ * The while loop ensures no AN restart during KR training,
++ * waits up to 500ms and AN restart is triggered only if KR
++ * training is failed.
++ */
++ wait = XGBE_KR_TRAINING_WAIT_ITER;
++ while (wait--) {
++ kr_time = pdata->kr_start_time +
++ msecs_to_jiffies(XGBE_AN_MS_TIMEOUT);
++ if (time_after(jiffies, kr_time))
++ break;
++ /* AN restart is not required, if AN result is COMPLETE */
++ if (pdata->an_result == XGBE_AN_COMPLETE)
++ return;
++ usleep_range(10000, 11000);
++ }
++ }
+ netif_dbg(pdata, link, pdata->netdev, "AN link timeout\n");
+ xgbe_phy_config_aneg(pdata);
+ }
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
+index 0c93a552b921..729307a96c50 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -290,6 +290,7 @@
+ /* Auto-negotiation */
+ #define XGBE_AN_MS_TIMEOUT 500
+ #define XGBE_LINK_TIMEOUT 5
++#define XGBE_KR_TRAINING_WAIT_ITER 50
+
+ #define XGBE_SGMII_AN_LINK_STATUS BIT(1)
+ #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3))
+@@ -1266,6 +1267,7 @@ struct xgbe_prv_data {
+ unsigned int parallel_detect;
+ unsigned int fec_ability;
+ unsigned long an_start;
++ unsigned long kr_start_time;
+ enum xgbe_an_mode an_mode;
+
+ /* I2C support */
+--
+2.39.0
+
--- /dev/null
+From 73b161a48518ec39dc32a55f38858d96509e7700 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:58:51 +0530
+Subject: amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 579923d84b04abb6cd4cd1fd9974096a2dd1832b ]
+
+There is difference in the TX Flow Control registers (TFCR) between the
+revisions of the hardware. The older revisions of hardware used to have
+single register per queue. Whereas, the newer revision of hardware (from
+ver 30H onwards) have one register per priority.
+
+Update the driver to use the TFCR based on the reported version of the
+hardware.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Co-developed-by: Ajith Nayak <Ajith.Nayak@amd.com>
+Signed-off-by: Ajith Nayak <Ajith.Nayak@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+index 4666084eda16..9d6fe5a892d9 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+@@ -524,19 +524,28 @@ static void xgbe_disable_vxlan(struct xgbe_prv_data *pdata)
+ netif_dbg(pdata, drv, pdata->netdev, "VXLAN acceleration disabled\n");
+ }
+
++static unsigned int xgbe_get_fc_queue_count(struct xgbe_prv_data *pdata)
++{
++ unsigned int max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
++
++ /* From MAC ver 30H the TFCR is per priority, instead of per queue */
++ if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30)
++ return max_q_count;
++ else
++ return min_t(unsigned int, pdata->tx_q_count, max_q_count);
++}
++
+ static int xgbe_disable_tx_flow_control(struct xgbe_prv_data *pdata)
+ {
+- unsigned int max_q_count, q_count;
+ unsigned int reg, reg_val;
+- unsigned int i;
++ unsigned int i, q_count;
+
+ /* Clear MTL flow control */
+ for (i = 0; i < pdata->rx_q_count; i++)
+ XGMAC_MTL_IOWRITE_BITS(pdata, i, MTL_Q_RQOMR, EHFC, 0);
+
+ /* Clear MAC flow control */
+- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
+- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count);
++ q_count = xgbe_get_fc_queue_count(pdata);
+ reg = MAC_Q0TFCR;
+ for (i = 0; i < q_count; i++) {
+ reg_val = XGMAC_IOREAD(pdata, reg);
+@@ -553,9 +562,8 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata)
+ {
+ struct ieee_pfc *pfc = pdata->pfc;
+ struct ieee_ets *ets = pdata->ets;
+- unsigned int max_q_count, q_count;
+ unsigned int reg, reg_val;
+- unsigned int i;
++ unsigned int i, q_count;
+
+ /* Set MTL flow control */
+ for (i = 0; i < pdata->rx_q_count; i++) {
+@@ -579,8 +587,7 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata)
+ }
+
+ /* Set MAC flow control */
+- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
+- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count);
++ q_count = xgbe_get_fc_queue_count(pdata);
+ reg = MAC_Q0TFCR;
+ for (i = 0; i < q_count; i++) {
+ reg_val = XGMAC_IOREAD(pdata, reg);
+--
+2.39.0
+
--- /dev/null
+From 59a0aac7acd572075d5d81fa3d0ef5e40f864b9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 17:22:59 -0300
+Subject: ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts'
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 9dfbc72256b5de608ad10989bcbafdbbd1ac8d4e ]
+
+The following build warning is seen when running:
+
+make dtbs_check DT_SCHEMA_FILES=fsl-imx-uart.yaml
+
+arch/arm/boot/dts/imx6dl-gw560x.dtb: serial@2020000: rts-gpios: False schema does not allow [[20, 1, 0]]
+ From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml
+
+The imx6qdl-gw560x board does not expose the UART RTS and CTS
+as native UART pins, so 'uart-has-rtscts' should not be used.
+
+Using 'uart-has-rtscts' with 'rts-gpios' is an invalid combination
+detected by serial.yaml.
+
+Fix the problem by removing the incorrect 'uart-has-rtscts' property.
+
+Fixes: b8a559feffb2 ("ARM: dts: imx: add Gateworks Ventana GW5600 support")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Acked-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-gw560x.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
+index b5986efe1090..143d249b821e 100644
+--- a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
+@@ -463,7 +463,6 @@ &ssi1 {
+ &uart1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_uart1>;
+- uart-has-rtscts;
+ rts-gpios = <&gpio7 1 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ };
+--
+2.39.0
+
--- /dev/null
+From 28384516c9fa201309db5c2f6c7eb136fc8d21e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 16:05:46 +0100
+Subject: bpf: Fix pointer-leak due to insufficient speculative store bypass
+ mitigation
+
+From: Luis Gerhorst <gerhorst@cs.fau.de>
+
+[ Upstream commit e4f4db47794c9f474b184ee1418f42e6a07412b6 ]
+
+To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to
+insufficient speculative store bypass mitigation") inserts lfence
+instructions after 1) initializing a stack slot and 2) spilling a
+pointer to the stack.
+
+However, this does not cover cases where a stack slot is first
+initialized with a pointer (subject to sanitization) but then
+overwritten with a scalar (not subject to sanitization because
+the slot was already initialized). In this case, the second write
+may be subject to speculative store bypass (SSB) creating a
+speculative pointer-as-scalar type confusion. This allows the
+program to subsequently leak the numerical pointer value using,
+for example, a branch-based cache side channel.
+
+To fix this, also sanitize scalars if they write a stack slot
+that previously contained a pointer. Assuming that pointer-spills
+are only generated by LLVM on register-pressure, the performance
+impact on most real-world BPF programs should be small.
+
+The following unprivileged BPF bytecode drafts a minimal exploit
+and the mitigation:
+
+ [...]
+ // r6 = 0 or 1 (skalar, unknown user input)
+ // r7 = accessible ptr for side channel
+ // r10 = frame pointer (fp), to be leaked
+ //
+ r9 = r10 # fp alias to encourage ssb
+ *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
+ // lfence added here because of pointer spill to stack.
+ //
+ // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
+ // for no r9-r10 dependency.
+ //
+ *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
+ // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
+ // store may be subject to SSB
+ //
+ // fix: also add an lfence when the slot contained a ptr
+ //
+ r8 = *(u64 *)(r9 - 8)
+ // r8 = architecturally a scalar, speculatively a ptr
+ //
+ // leak ptr using branch-based cache side channel:
+ r8 &= 1 // choose bit to leak
+ if r8 == 0 goto SLOW // no mispredict
+ // architecturally dead code if input r6 is 0,
+ // only executes speculatively iff ptr bit is 1
+ r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
+SLOW:
+ [...]
+
+After running this, the program can time the access to *(r7 + 0) to
+determine whether the chosen pointer bit was 0 or 1. Repeat this 64
+times to recover the whole address on amd64.
+
+In summary, sanitization can only be skipped if one scalar is
+overwritten with another scalar. Scalar-confusion due to speculative
+store bypass can not lead to invalid accesses because the pointer
+bounds deducted during verification are enforced using branchless
+logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on
+pointer arithmetic") for details.
+
+Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}
+because speculative leaks are likely unexpected if these were enabled.
+For example, leaking the address to a protected log file may be acceptable
+while disabling the mitigation might unintentionally leak the address
+into the cached-state of a map that is accessible to unprivileged
+processes.
+
+Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
+Signed-off-by: Luis Gerhorst <gerhorst@cs.fau.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Henriette Hofmeier <henriette.hofmeier@rub.de>
+Link: https://lore.kernel.org/bpf/edc95bad-aada-9cfc-ffe2-fa9bb206583c@cs.fau.de
+Link: https://lore.kernel.org/bpf/20230109150544.41465-1-gerhorst@cs.fau.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 694ee0b1fefe..61f3a31abc1a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1012,7 +1012,9 @@ static int check_stack_write(struct bpf_verifier_env *env,
+ bool sanitize = reg && is_spillable_regtype(reg->type);
+
+ for (i = 0; i < size; i++) {
+- if (state->stack[spi].slot_type[i] == STACK_INVALID) {
++ u8 type = state->stack[spi].slot_type[i];
++
++ if (type != STACK_MISC && type != STACK_ZERO) {
+ sanitize = true;
+ break;
+ }
+--
+2.39.0
+
--- /dev/null
+From f53e31935485c866f183bbaeb1820c768cfb94f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 11:00:50 +0800
+Subject: dmaengine: Fix double increment of client_count in dma_chan_get()
+
+From: Koba Ko <koba.ko@canonical.com>
+
+[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ]
+
+The first time dma_chan_get() is called for a channel the channel
+client_count is incorrectly incremented twice for public channels,
+first in balance_ref_count(), and again prior to returning. This
+results in an incorrect client count which will lead to the
+channel resources not being freed when they should be. A simple
+ test of repeated module load and unload of async_tx on a Dell
+ Power Edge R7425 also shows this resulting in a kref underflow
+ warning.
+
+[ 124.329662] async_tx: api initialized (async)
+[ 129.000627] async_tx: api initialized (async)
+[ 130.047839] ------------[ cut here ]------------
+[ 130.052472] refcount_t: underflow; use-after-free.
+[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
+refcount_warn_saturate+0xba/0x110
+[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
+intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
+mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
+syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
+k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
+fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
+libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
+i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
+dm_log dm_mod [last unloaded: async_tx]
+[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
+tainted 5.14.0-185.el9.x86_64 #1
+[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
+1.18.0 01/17/2022
+[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
+[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
+26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
+bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
+48 c7
+[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
+[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
+[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
+[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
+[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
+[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000)
+knlGS:0000000000000000
+[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
+[ 130.219729] Call Trace:
+[ 130.222192] <TASK>
+[ 130.224305] dma_chan_put+0x10d/0x110
+[ 130.227988] dmaengine_put+0x7a/0xa0
+[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280
+[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0
+[ 130.242652] do_syscall_64+0x5c/0x90
+[ 130.246240] ? exc_page_fault+0x62/0x150
+[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 130.255243] RIP: 0033:0x7f6463a3f5ab
+[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
+83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
+00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
+01 48
+[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
+00000000000000b0
+[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
+[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
+[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
+[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
+[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
+[ 130.320875] </TASK>
+[ 130.323081] ---[ end trace eff7156d56b5cf25 ]---
+
+cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
+2
+2
+2
+
+Fixes: d2f4f99db3e9 ("dmaengine: Rework dma_chan_get")
+Signed-off-by: Koba Ko <koba.ko@canonical.com>
+Reviewed-by: Jie Hai <haijie1@huawei.com>
+Test-by: Jie Hai <haijie1@huawei.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Tested-by: Joel Savitz <jsavitz@redhat.com>
+Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmaengine.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
+index 8a52a5efee4f..e1cf7c250c33 100644
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -223,7 +223,8 @@ static int dma_chan_get(struct dma_chan *chan)
+ /* The channel is already in use, update client count */
+ if (chan->client_count) {
+ __module_get(owner);
+- goto out;
++ chan->client_count++;
++ return 0;
+ }
+
+ if (!try_module_get(owner))
+@@ -236,11 +237,11 @@ static int dma_chan_get(struct dma_chan *chan)
+ goto err_out;
+ }
+
++ chan->client_count++;
++
+ if (!dma_has_cap(DMA_PRIVATE, chan->device->cap_mask))
+ balance_ref_count(chan);
+
+-out:
+- chan->client_count++;
+ return 0;
+
+ err_out:
+--
+2.39.0
+
--- /dev/null
+From bd44dddc441487dbab3e43cff71e9934d7eaa233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 10:16:12 +0800
+Subject: dmaengine: xilinx_dma: call of_node_put() when breaking out of
+ for_each_child_of_node()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 596b53ccc36a546ab28e8897315c5b4d1d5a0200 ]
+
+Since for_each_child_of_node() will increase the refcount of node, we need
+to call of_node_put() manually when breaking out of the iteration.
+
+Fixes: 9cd4360de609 ("dma: Add Xilinx AXI Video Direct Memory Access Engine driver support")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://lore.kernel.org/r/20221122021612.1908866-1-liushixin2@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index c56ce7cd1f6f..5f9945651e95 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -2759,8 +2759,10 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ /* Initialize the channels */
+ for_each_child_of_node(node, child) {
+ err = xilinx_dma_child_probe(xdev, child);
+- if (err < 0)
++ if (err < 0) {
++ of_node_put(child);
+ goto error;
++ }
+ }
+
+ if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) {
+--
+2.39.0
+
--- /dev/null
+From 2ec73aab118bba64b359f19441f0ca5cbaa254e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Nov 2018 16:31:45 +0100
+Subject: dmaengine: xilinx_dma: commonize DMA copy size calculation
+
+From: Andrea Merello <andrea.merello@gmail.com>
+
+[ Upstream commit 616f0f81d857e248a72b5af45ab185196556ae2e ]
+
+This patch removes a bit of duplicated code by introducing a new
+function that implements calculations for DMA copy size, and
+prepares for changes to the copy size calculation that will
+happen in following patches.
+
+Suggested-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Andrea Merello <andrea.merello@gmail.com>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 596b53ccc36a ("dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 39 ++++++++++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 0ba70be4ea85..e4ea94b93400 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -428,6 +428,7 @@ struct xilinx_dma_config {
+ * @rxs_clk: DMA s2mm stream clock
+ * @nr_channels: Number of channels DMA device supports
+ * @chan_id: DMA channel identifier
++ * @max_buffer_len: Max buffer length
+ */
+ struct xilinx_dma_device {
+ void __iomem *regs;
+@@ -447,6 +448,7 @@ struct xilinx_dma_device {
+ struct clk *rxs_clk;
+ u32 nr_channels;
+ u32 chan_id;
++ u32 max_buffer_len;
+ };
+
+ /* Macros */
+@@ -969,6 +971,25 @@ static int xilinx_dma_alloc_chan_resources(struct dma_chan *dchan)
+ return 0;
+ }
+
++/**
++ * xilinx_dma_calc_copysize - Calculate the amount of data to copy
++ * @chan: Driver specific DMA channel
++ * @size: Total data that needs to be copied
++ * @done: Amount of data that has been already copied
++ *
++ * Return: Amount of data that has to be copied
++ */
++static int xilinx_dma_calc_copysize(struct xilinx_dma_chan *chan,
++ int size, int done)
++{
++ size_t copy;
++
++ copy = min_t(size_t, size - done,
++ chan->xdev->max_buffer_len);
++
++ return copy;
++}
++
+ /**
+ * xilinx_dma_tx_status - Get DMA transaction status
+ * @dchan: DMA channel
+@@ -1002,7 +1023,7 @@ static enum dma_status xilinx_dma_tx_status(struct dma_chan *dchan,
+ list_for_each_entry(segment, &desc->segments, node) {
+ hw = &segment->hw;
+ residue += (hw->control - hw->status) &
+- XILINX_DMA_MAX_TRANS_LEN;
++ chan->xdev->max_buffer_len;
+ }
+ }
+ spin_unlock_irqrestore(&chan->lock, flags);
+@@ -1262,7 +1283,7 @@ static void xilinx_cdma_start_transfer(struct xilinx_dma_chan *chan)
+
+ /* Start the transfer */
+ dma_ctrl_write(chan, XILINX_DMA_REG_BTT,
+- hw->control & XILINX_DMA_MAX_TRANS_LEN);
++ hw->control & chan->xdev->max_buffer_len);
+ }
+
+ list_splice_tail_init(&chan->pending_list, &chan->active_list);
+@@ -1365,7 +1386,7 @@ static void xilinx_dma_start_transfer(struct xilinx_dma_chan *chan)
+
+ /* Start the transfer */
+ dma_ctrl_write(chan, XILINX_DMA_REG_BTT,
+- hw->control & XILINX_DMA_MAX_TRANS_LEN);
++ hw->control & chan->xdev->max_buffer_len);
+ }
+
+ list_splice_tail_init(&chan->pending_list, &chan->active_list);
+@@ -1729,7 +1750,7 @@ xilinx_cdma_prep_memcpy(struct dma_chan *dchan, dma_addr_t dma_dst,
+ struct xilinx_cdma_tx_segment *segment;
+ struct xilinx_cdma_desc_hw *hw;
+
+- if (!len || len > XILINX_DMA_MAX_TRANS_LEN)
++ if (!len || len > chan->xdev->max_buffer_len)
+ return NULL;
+
+ desc = xilinx_dma_alloc_tx_descriptor(chan);
+@@ -1819,8 +1840,8 @@ static struct dma_async_tx_descriptor *xilinx_dma_prep_slave_sg(
+ * Calculate the maximum number of bytes to transfer,
+ * making sure it is less than the hw limit
+ */
+- copy = min_t(size_t, sg_dma_len(sg) - sg_used,
+- XILINX_DMA_MAX_TRANS_LEN);
++ copy = xilinx_dma_calc_copysize(chan, sg_dma_len(sg),
++ sg_used);
+ hw = &segment->hw;
+
+ /* Fill in the descriptor */
+@@ -1924,8 +1945,8 @@ static struct dma_async_tx_descriptor *xilinx_dma_prep_dma_cyclic(
+ * Calculate the maximum number of bytes to transfer,
+ * making sure it is less than the hw limit
+ */
+- copy = min_t(size_t, period_len - sg_used,
+- XILINX_DMA_MAX_TRANS_LEN);
++ copy = xilinx_dma_calc_copysize(chan, period_len,
++ sg_used);
+ hw = &segment->hw;
+ xilinx_axidma_buf(chan, hw, buf_addr, sg_used,
+ period_len * i);
+@@ -2645,6 +2666,8 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ /* Retrieve the DMA engine properties from the device tree */
+ xdev->has_sg = of_property_read_bool(node, "xlnx,include-sg");
++ xdev->max_buffer_len = XILINX_DMA_MAX_TRANS_LEN;
++
+ if (xdev->dma_config->dmatype == XDMA_TYPE_AXIDMA)
+ xdev->mcdma = of_property_read_bool(node, "xlnx,mcdma");
+
+--
+2.39.0
+
--- /dev/null
+From 6c1b3a6a58ef9b271d20c299201235528889b934 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 11:41:23 +0530
+Subject: dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error
+ handling
+
+From: Swati Agarwal <swati.agarwal@xilinx.com>
+
+[ Upstream commit 91df7751eb890e970afc08f50b8f0fa5ea39e03d ]
+
+Add missing cleanup in devm_platform_ioremap_resource().
+When probe fails remove dma channel resources and disable clocks in
+accordance with the order of resources allocated .
+
+Signed-off-by: Swati Agarwal <swati.agarwal@xilinx.com>
+Link: https://lore.kernel.org/r/20220817061125.4720-2-swati.agarwal@xilinx.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 596b53ccc36a ("dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 6687cee26843..c56ce7cd1f6f 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -2663,9 +2663,10 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ /* Request and map I/O memory */
+ io = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ xdev->regs = devm_ioremap_resource(&pdev->dev, io);
+- if (IS_ERR(xdev->regs))
+- return PTR_ERR(xdev->regs);
+-
++ if (IS_ERR(xdev->regs)) {
++ err = PTR_ERR(xdev->regs);
++ goto disable_clks;
++ }
+ /* Retrieve the DMA engine properties from the device tree */
+ xdev->has_sg = of_property_read_bool(node, "xlnx,include-sg");
+ xdev->max_buffer_len = GENMASK(XILINX_DMA_MAX_TRANS_LEN_MAX - 1, 0);
+@@ -2759,7 +2760,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ for_each_child_of_node(node, child) {
+ err = xilinx_dma_child_probe(xdev, child);
+ if (err < 0)
+- goto disable_clks;
++ goto error;
+ }
+
+ if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) {
+@@ -2792,12 +2793,12 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ return 0;
+
+-disable_clks:
+- xdma_disable_allclks(xdev);
+ error:
+ for (i = 0; i < xdev->nr_channels; i++)
+ if (xdev->chan[i])
+ xilinx_dma_chan_remove(xdev->chan[i]);
++disable_clks:
++ xdma_disable_allclks(xdev);
+
+ return err;
+ }
+--
+2.39.0
+
--- /dev/null
+From 54d901bb07ec4a5895b36f24c68d14b59face162 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Nov 2018 16:31:48 +0100
+Subject: dmaengine: xilinx_dma: program hardware supported buffer length
+
+From: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+
+[ Upstream commit ae809690b46a71dc56cda5b3b8884c8c41a0df15 ]
+
+AXI-DMA IP supports configurable (c_sg_length_width) buffer length
+register width, hence read buffer length (xlnx,sg-length-width) DT
+property and ensure that driver doesn't program buffer length
+exceeding the supported limit. For VDMA and CDMA there is no change.
+
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Andrea Merello <andrea.merello@gmail.com> [rebase, reword]
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 596b53ccc36a ("dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index e4ea94b93400..6687cee26843 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -164,7 +164,9 @@
+ #define XILINX_DMA_REG_BTT 0x28
+
+ /* AXI DMA Specific Masks/Bit fields */
+-#define XILINX_DMA_MAX_TRANS_LEN GENMASK(22, 0)
++#define XILINX_DMA_MAX_TRANS_LEN_MIN 8
++#define XILINX_DMA_MAX_TRANS_LEN_MAX 23
++#define XILINX_DMA_V2_MAX_TRANS_LEN_MAX 26
+ #define XILINX_DMA_CR_COALESCE_MAX GENMASK(23, 16)
+ #define XILINX_DMA_CR_CYCLIC_BD_EN_MASK BIT(4)
+ #define XILINX_DMA_CR_COALESCE_SHIFT 16
+@@ -2634,7 +2636,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+ struct resource *io;
+- u32 num_frames, addr_width;
++ u32 num_frames, addr_width, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -2666,10 +2668,24 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ /* Retrieve the DMA engine properties from the device tree */
+ xdev->has_sg = of_property_read_bool(node, "xlnx,include-sg");
+- xdev->max_buffer_len = XILINX_DMA_MAX_TRANS_LEN;
++ xdev->max_buffer_len = GENMASK(XILINX_DMA_MAX_TRANS_LEN_MAX - 1, 0);
+
+- if (xdev->dma_config->dmatype == XDMA_TYPE_AXIDMA)
++ if (xdev->dma_config->dmatype == XDMA_TYPE_AXIDMA) {
+ xdev->mcdma = of_property_read_bool(node, "xlnx,mcdma");
++ if (!of_property_read_u32(node, "xlnx,sg-length-width",
++ &len_width)) {
++ if (len_width < XILINX_DMA_MAX_TRANS_LEN_MIN ||
++ len_width > XILINX_DMA_V2_MAX_TRANS_LEN_MAX) {
++ dev_warn(xdev->dev,
++ "invalid xlnx,sg-length-width property value. Using default width\n");
++ } else {
++ if (len_width > XILINX_DMA_MAX_TRANS_LEN_MAX)
++ dev_warn(xdev->dev, "Please ensure that IP supports buffer length > 23 bits\n");
++ xdev->max_buffer_len =
++ GENMASK(len_width - 1, 0);
++ }
++ }
++ }
+
+ if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) {
+ err = of_property_read_u32(node, "xlnx,num-fstores",
+--
+2.39.0
+
--- /dev/null
+From 6e6dfbdac96d3782fb1ab2e2a4aa2a86393beec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Dec 2022 09:48:24 +0400
+Subject: EDAC/highbank: Fix memory leak in highbank_mc_probe()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit e7a293658c20a7945014570e1921bf7d25d68a36 ]
+
+When devres_open_group() fails, it returns -ENOMEM without freeing memory
+allocated by edac_mc_alloc().
+
+Call edac_mc_free() on the error handling path to avoid a memory leak.
+
+ [ bp: Massage commit message. ]
+
+Fixes: a1b01edb2745 ("edac: add support for Calxeda highbank memory controller")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://lore.kernel.org/r/20221229054825.1361993-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/highbank_mc_edac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/highbank_mc_edac.c b/drivers/edac/highbank_mc_edac.c
+index 6092e61be605..bcf41601a977 100644
+--- a/drivers/edac/highbank_mc_edac.c
++++ b/drivers/edac/highbank_mc_edac.c
+@@ -185,8 +185,10 @@ static int highbank_mc_probe(struct platform_device *pdev)
+ drvdata = mci->pvt_info;
+ platform_set_drvdata(pdev, mci);
+
+- if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL))
+- return -ENOMEM;
++ if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) {
++ res = -ENOMEM;
++ goto free;
++ }
+
+ r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!r) {
+@@ -254,6 +256,7 @@ static int highbank_mc_probe(struct platform_device *pdev)
+ edac_mc_del_mc(&pdev->dev);
+ err:
+ devres_release_group(&pdev->dev, NULL);
++free:
+ edac_mc_free(mci);
+ return res;
+ }
+--
+2.39.0
+
--- /dev/null
+From 5d51ee2a9ee156abec0b53134f3329e3a431a38c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 18:12:16 +0000
+Subject: HID: betop: check shape of output reports
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ]
+
+betopff_init() only checks the total sum of the report counts for each
+report field to be at least 4, but hid_betopff_play() expects 4 report
+fields.
+A device advertising an output report with one field and 4 report counts
+would pass the check but crash the kernel with a NULL pointer dereference
+in hid_betopff_play().
+
+Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-betopff.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c
+index 9b60efe6ec44..ba386e5aa055 100644
+--- a/drivers/hid/hid-betopff.c
++++ b/drivers/hid/hid-betopff.c
+@@ -63,7 +63,6 @@ static int betopff_init(struct hid_device *hid)
+ struct list_head *report_list =
+ &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev;
+- int field_count = 0;
+ int error;
+ int i, j;
+
+@@ -89,19 +88,21 @@ static int betopff_init(struct hid_device *hid)
+ * -----------------------------------------
+ * Do init them with default value.
+ */
++ if (report->maxfield < 4) {
++ hid_err(hid, "not enough fields in the report: %d\n",
++ report->maxfield);
++ return -ENODEV;
++ }
+ for (i = 0; i < report->maxfield; i++) {
++ if (report->field[i]->report_count < 1) {
++ hid_err(hid, "no values in the field\n");
++ return -ENODEV;
++ }
+ for (j = 0; j < report->field[i]->report_count; j++) {
+ report->field[i]->value[j] = 0x00;
+- field_count++;
+ }
+ }
+
+- if (field_count < 4) {
+- hid_err(hid, "not enough fields in the report: %d\n",
+- field_count);
+- return -ENODEV;
+- }
+-
+ betopff = kzalloc(sizeof(*betopff), GFP_KERNEL);
+ if (!betopff)
+ return -ENOMEM;
+--
+2.39.0
+
--- /dev/null
+From 9a49c071b7ffc44e959c01151af26e0e91e181de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 11:11:24 +0000
+Subject: HID: check empty report_list in hid_validate_values()
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit b12fece4c64857e5fab4290bf01b2e0317a88456 ]
+
+Add a check for empty report_list in hid_validate_values().
+The missing check causes a type confusion when issuing a list_entry()
+on an empty report_list.
+The problem is caused by the assumption that the device must
+have valid report_list. While this will be true for all normal HID
+devices, a suitably malicious device can violate the assumption.
+
+Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 62656636d30c..8cc79d0d11fb 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -980,8 +980,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid,
+ * Validating on id 0 means we should examine the first
+ * report in the list.
+ */
+- report = list_entry(
+- hid->report_enum[type].report_list.next,
++ report = list_first_entry_or_null(
++ &hid->report_enum[type].report_list,
+ struct hid_report, list);
+ } else {
+ report = hid->report_enum[type].report_id_hash[id];
+--
+2.39.0
+
--- /dev/null
+From ef451e88a2ac2efb256985fce544663b06d3b824 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 21:48:23 +0800
+Subject: HID: intel_ish-hid: Add check for ishtp_dma_tx_map
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 ]
+
+As the kcalloc may return NULL pointer,
+it should be better to check the ishtp_dma_tx_map
+before use in order to avoid NULL pointer dereference.
+
+Fixes: 3703f53b99e4 ("HID: intel_ish-hid: ISH Transport layer")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ishtp/dma-if.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hid/intel-ish-hid/ishtp/dma-if.c b/drivers/hid/intel-ish-hid/ishtp/dma-if.c
+index 2783f3666114..ff4419c8ed4f 100644
+--- a/drivers/hid/intel-ish-hid/ishtp/dma-if.c
++++ b/drivers/hid/intel-ish-hid/ishtp/dma-if.c
+@@ -113,6 +113,11 @@ void *ishtp_cl_get_dma_send_buf(struct ishtp_device *dev,
+ int required_slots = (size / DMA_SLOT_SIZE)
+ + 1 * (size % DMA_SLOT_SIZE != 0);
+
++ if (!dev->ishtp_dma_tx_map) {
++ dev_err(dev->devc, "Fail to allocate Tx map\n");
++ return NULL;
++ }
++
+ spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags);
+ for (i = 0; i <= (dev->ishtp_dma_num_slots - required_slots); i++) {
+ free = 1;
+@@ -159,6 +164,11 @@ void ishtp_cl_release_dma_acked_mem(struct ishtp_device *dev,
+ return;
+ }
+
++ if (!dev->ishtp_dma_tx_map) {
++ dev_err(dev->devc, "Fail to allocate Tx map\n");
++ return;
++ }
++
+ i = (msg_addr - dev->ishtp_host_dma_tx_buf) / DMA_SLOT_SIZE;
+ spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags);
+ for (j = 0; j < acked_slots; j++) {
+--
+2.39.0
+
--- /dev/null
+From 6f13e21934fc717299413637d2d1d480e9e700b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:21 -0500
+Subject: IB/hfi1: Fix expected receive setup error exit issues
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit e0c4a422f5246abefbf7c178ef99a1f2dc3c5f62 ]
+
+Fix three error exit issues in expected receive setup.
+Re-arrange error exits to increase readability.
+
+Issues and fixes:
+1. Possible missed page unpin if tidlist copyout fails and
+ not all pinned pages where made part of a TID.
+ Fix: Unpin the unused pages.
+
+2. Return success with unset return values tidcnt and length
+ when no pages were pinned.
+ Fix: Return -ENOSPC if no pages were pinned.
+
+3. Return success with unset return values tidcnt and length when
+ no rcvarray entries available.
+ Fix: Return -ENOSPC if no rcvarray entries are available.
+
+Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body")
+Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres")
+Fixes: f404ca4c7ea8 ("IB/hfi1: Refactor hfi_user_exp_rcv_setup() IOCTL")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328548150.1472310.1492305874804187634.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 83 ++++++++++++++---------
+ 1 file changed, 50 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index 0a118f2963fb..dab823aac95e 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -337,15 +337,14 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets),
+ GFP_KERNEL);
+ if (!tidbuf->psets) {
+- kfree(tidbuf);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto fail_release_mem;
+ }
+
+ pinned = pin_rcv_pages(fd, tidbuf);
+ if (pinned <= 0) {
+- kfree(tidbuf->psets);
+- kfree(tidbuf);
+- return pinned;
++ ret = (pinned < 0) ? pinned : -ENOSPC;
++ goto fail_unpin;
+ }
+
+ /* Find sets of physically contiguous pages */
+@@ -360,14 +359,16 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ fd->tid_used += pageset_count;
+ spin_unlock(&fd->tid_lock);
+
+- if (!pageset_count)
+- goto bail;
++ if (!pageset_count) {
++ ret = -ENOSPC;
++ goto fail_unreserve;
++ }
+
+ ngroups = pageset_count / dd->rcv_entries.group_size;
+ tidlist = kcalloc(pageset_count, sizeof(*tidlist), GFP_KERNEL);
+ if (!tidlist) {
+ ret = -ENOMEM;
+- goto nomem;
++ goto fail_unreserve;
+ }
+
+ tididx = 0;
+@@ -463,44 +464,60 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ }
+ unlock:
+ mutex_unlock(&uctxt->exp_mutex);
+-nomem:
+ hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx,
+ mapped_pages, ret);
++
++ /* fail if nothing was programmed, set error if none provided */
++ if (tididx == 0) {
++ if (ret >= 0)
++ ret = -ENOSPC;
++ goto fail_unreserve;
++ }
++
+ /* adjust reserved tid_used to actual count */
+ spin_lock(&fd->tid_lock);
+ fd->tid_used -= pageset_count - tididx;
+ spin_unlock(&fd->tid_lock);
+- if (tididx) {
+- tinfo->tidcnt = tididx;
+- tinfo->length = mapped_pages * PAGE_SIZE;
+
+- if (copy_to_user(u64_to_user_ptr(tinfo->tidlist),
+- tidlist, sizeof(tidlist[0]) * tididx)) {
+- /*
+- * On failure to copy to the user level, we need to undo
+- * everything done so far so we don't leak resources.
+- */
+- tinfo->tidlist = (unsigned long)&tidlist;
+- hfi1_user_exp_rcv_clear(fd, tinfo);
+- tinfo->tidlist = 0;
+- ret = -EFAULT;
+- goto bail;
+- }
++ /* unpin all pages not covered by a TID */
++ unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, pinned - mapped_pages,
++ false);
++
++ tinfo->tidcnt = tididx;
++ tinfo->length = mapped_pages * PAGE_SIZE;
++
++ if (copy_to_user(u64_to_user_ptr(tinfo->tidlist),
++ tidlist, sizeof(tidlist[0]) * tididx)) {
++ ret = -EFAULT;
++ goto fail_unprogram;
+ }
+
+- /*
+- * If not everything was mapped (due to insufficient RcvArray entries,
+- * for example), unpin all unmapped pages so we can pin them nex time.
+- */
+- if (mapped_pages != pinned)
+- unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages,
+- (pinned - mapped_pages), false);
+-bail:
++ kfree(tidbuf->pages);
+ kfree(tidbuf->psets);
++ kfree(tidbuf);
+ kfree(tidlist);
++ return 0;
++
++fail_unprogram:
++ /* unprogram, unmap, and unpin all allocated TIDs */
++ tinfo->tidlist = (unsigned long)tidlist;
++ hfi1_user_exp_rcv_clear(fd, tinfo);
++ tinfo->tidlist = 0;
++ pinned = 0; /* nothing left to unpin */
++ pageset_count = 0; /* nothing left reserved */
++fail_unreserve:
++ spin_lock(&fd->tid_lock);
++ fd->tid_used -= pageset_count;
++ spin_unlock(&fd->tid_lock);
++fail_unpin:
++ if (pinned > 0)
++ unpin_rcv_pages(fd, tidbuf, NULL, 0, pinned, false);
++fail_release_mem:
+ kfree(tidbuf->pages);
++ kfree(tidbuf->psets);
+ kfree(tidbuf);
+- return ret > 0 ? 0 : ret;
++ kfree(tidlist);
++ return ret;
+ }
+
+ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd,
+--
+2.39.0
+
--- /dev/null
+From ec7d2512e2ccbee0219b4f67fbf6ff9b6f6df65d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:11 -0500
+Subject: IB/hfi1: Reject a zero-length user expected buffer
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit 0a0a6e80472c98947d73c3d13bcd7d101895f55d ]
+
+A zero length user buffer makes no sense and the code
+does not handle it correctly. Instead, reject a
+zero length as invalid.
+
+Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328547120.1472310.6362802432127399257.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index 4e417ed08b09..4e0f7cd14c57 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -325,6 +325,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+
+ if (!PAGE_ALIGNED(tinfo->vaddr))
+ return -EINVAL;
++ if (tinfo->length == 0)
++ return -EINVAL;
+
+ tidbuf = kzalloc(sizeof(*tidbuf), GFP_KERNEL);
+ if (!tidbuf)
+--
+2.39.0
+
--- /dev/null
+From cfc69fc28fb640b865f6d2ef6b84b7ace03c6898 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:16 -0500
+Subject: IB/hfi1: Reserve user expected TIDs
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit ecf91551cdd2925ed6d9a9d99074fa5f67b90596 ]
+
+To avoid a race, reserve the number of user expected
+TIDs before setup.
+
+Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328547636.1472310.7419712824785353905.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index 4e0f7cd14c57..0a118f2963fb 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -351,16 +351,13 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ /* Find sets of physically contiguous pages */
+ tidbuf->n_psets = find_phys_blocks(tidbuf, pinned);
+
+- /*
+- * We don't need to access this under a lock since tid_used is per
+- * process and the same process cannot be in hfi1_user_exp_rcv_clear()
+- * and hfi1_user_exp_rcv_setup() at the same time.
+- */
++ /* Reserve the number of expected tids to be used. */
+ spin_lock(&fd->tid_lock);
+ if (fd->tid_used + tidbuf->n_psets > fd->tid_limit)
+ pageset_count = fd->tid_limit - fd->tid_used;
+ else
+ pageset_count = tidbuf->n_psets;
++ fd->tid_used += pageset_count;
+ spin_unlock(&fd->tid_lock);
+
+ if (!pageset_count)
+@@ -469,10 +466,11 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ nomem:
+ hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx,
+ mapped_pages, ret);
++ /* adjust reserved tid_used to actual count */
++ spin_lock(&fd->tid_lock);
++ fd->tid_used -= pageset_count - tididx;
++ spin_unlock(&fd->tid_lock);
+ if (tididx) {
+- spin_lock(&fd->tid_lock);
+- fd->tid_used += tididx;
+- spin_unlock(&fd->tid_lock);
+ tinfo->tidcnt = tididx;
+ tinfo->length = mapped_pages * PAGE_SIZE;
+
+--
+2.39.0
+
--- /dev/null
+From da36ef1273dd9bd9a06c554e84abf12b3157b6b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 15:37:57 +0800
+Subject: memory: atmel-sdramc: Fix missing clk_disable_unprepare in
+ atmel_ramc_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 340cb392a038cf70540a4cdf2e98a247c66b6df4 ]
+
+The clk_disable_unprepare() should be called in the error handling
+of caps->has_mpddr_clk, fix it by replacing devm_clk_get and
+clk_prepare_enable by devm_clk_get_enabled.
+
+Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221125073757.3535219-1-cuigaosheng1@huawei.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/atmel-sdramc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/memory/atmel-sdramc.c b/drivers/memory/atmel-sdramc.c
+index b418b39af180..ae2c0b3fb552 100644
+--- a/drivers/memory/atmel-sdramc.c
++++ b/drivers/memory/atmel-sdramc.c
+@@ -59,19 +59,17 @@ static int atmel_ramc_probe(struct platform_device *pdev)
+ caps = of_device_get_match_data(&pdev->dev);
+
+ if (caps->has_ddrck) {
+- clk = devm_clk_get(&pdev->dev, "ddrck");
++ clk = devm_clk_get_enabled(&pdev->dev, "ddrck");
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+- clk_prepare_enable(clk);
+ }
+
+ if (caps->has_mpddr_clk) {
+- clk = devm_clk_get(&pdev->dev, "mpddr");
++ clk = devm_clk_get_enabled(&pdev->dev, "mpddr");
+ if (IS_ERR(clk)) {
+ pr_err("AT91 RAMC: couldn't get mpddr clock\n");
+ return PTR_ERR(clk);
+ }
+- clk_prepare_enable(clk);
+ }
+
+ return 0;
+--
+2.39.0
+
--- /dev/null
+From 52133d336da1b2a2fea42bd67a06a671d3be8797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 12:49:11 +0800
+Subject: memory: mvebu-devbus: Fix missing clk_disable_unprepare in
+ mvebu_devbus_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit cb8fd6f75775165390ededea8799b60d93d9fe3e ]
+
+The clk_disable_unprepare() should be called in the error handling
+of devbus_get_timing_params() and of_platform_populate(), fix it by
+replacing devm_clk_get and clk_prepare_enable by devm_clk_get_enabled.
+
+Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221126044911.7226-1-cuigaosheng1@huawei.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/mvebu-devbus.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/memory/mvebu-devbus.c b/drivers/memory/mvebu-devbus.c
+index 981860879d02..ddd2e50814b7 100644
+--- a/drivers/memory/mvebu-devbus.c
++++ b/drivers/memory/mvebu-devbus.c
+@@ -294,10 +294,9 @@ static int mvebu_devbus_probe(struct platform_device *pdev)
+ if (IS_ERR(devbus->base))
+ return PTR_ERR(devbus->base);
+
+- clk = devm_clk_get(&pdev->dev, NULL);
++ clk = devm_clk_get_enabled(&pdev->dev, NULL);
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+- clk_prepare_enable(clk);
+
+ /*
+ * Obtain clock period in picoseconds,
+--
+2.39.0
+
--- /dev/null
+From c90a9e41db8d4938aa668da5bddbb4e4469a2d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Dec 2018 11:57:41 +0000
+Subject: mmc: sdhci-esdhc-imx: clear ESDHC_STD_TUNING_EN for manual tuning
+ method
+
+From: BOUGH CHEN <haibo.chen@nxp.com>
+
+[ Upstream commit a98c557e2af3e12e38dee6019a5cf210156d629e ]
+
+The bit ESDHC_STD_TUNING_EN may be configed by bootloader code if it
+choose to use standard tuning method. So on linux side, if choose to
+use manual tuning method, need to clear the bit ESDHC_STD_TUNING_EN,
+remove the impact of bootloader code.
+
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index f8a4791e64f8..71ca97c696b1 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1141,6 +1141,15 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host)
+ << ESDHC_TUNING_STEP_SHIFT;
+ }
+ writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL);
++ } else if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) {
++ /*
++ * ESDHC_STD_TUNING_EN may be configed in bootloader
++ * or ROM code, so clear this bit here to make sure
++ * the manual tuning can work.
++ */
++ tmp = readl(host->ioaddr + ESDHC_TUNING_CTRL);
++ tmp &= ~ESDHC_STD_TUNING_EN;
++ writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL);
+ }
+ }
+ }
+--
+2.39.0
+
--- /dev/null
+From 621203bec98eef58da6ebe60418aa2fa71e2dd2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2020 16:25:54 +0800
+Subject: mmc: sdhci-esdhc-imx: clear pending interrupt and halt cqhci
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 982cf37da3ee0f1e3e20d97e19f13cba79be51c7 ]
+
+On i.MX8MM, we are running Dual Linux OS, with 1st Linux using SD Card
+as rootfs storage, 2nd Linux using eMMC as rootfs storage. We let the
+the 1st linux configure power/clock for the 2nd Linux.
+
+When the 2nd Linux is booting into rootfs stage, we let the 1st Linux
+to destroy the 2nd linux, then restart the 2nd linux, we met SDHCI dump
+as following, after we clear the pending interrupt and halt CQCTL, issue
+gone.
+
+[ 1.334594] mmc2: Got command interrupt 0x00000001 even though no command operation was in progress.
+[ 1.334595] mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
+[ 1.334599] mmc2: sdhci: Sys addr: 0xa05dcc00 | Version: 0x00000002
+[ 1.345538] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000000
+[ 1.345541] mmc2: sdhci: Argument: 0x00018000 | Trn mode: 0x00000033
+[ 1.345543] mmc2: sdhci: Present: 0x01f88008 | Host ctl: 0x00000031
+[ 1.345547] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080
+[ 1.357903] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x0000003f
+[ 1.357905] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00000000
+[ 1.357908] mmc2: sdhci: Int enab: 0x107f100b | Sig enab: 0x107f100b
+[ 1.357911] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502
+[ 1.370268] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x0000b400
+[ 1.370270] mmc2: sdhci: Cmd: 0x00000d1a | Max curr: 0x00ffffff
+[ 1.370273] mmc2: sdhci: Resp[0]: 0x00000b00 | Resp[1]: 0xffffffff
+[ 1.370276] mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d00f00
+[ 1.382132] mmc2: sdhci: Host ctl2: 0x00000000
+[ 1.382135] mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0xa2040208
+
+[ 2.060932] mmc2: Unexpected interrupt 0x00004000.
+[ 2.065538] mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
+[ 2.071720] mmc2: sdhci: Sys addr: 0x00000000 | Version: 0x00000002
+[ 2.077902] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000001
+[ 2.084083] mmc2: sdhci: Argument: 0x00000000 | Trn mode: 0x00000000
+[ 2.090264] mmc2: sdhci: Present: 0x01f88009 | Host ctl: 0x00000011
+[ 2.096446] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080
+[ 2.102627] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x000010ff
+[ 2.108809] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00004000
+[ 2.114990] mmc2: sdhci: Int enab: 0x007f1003 | Sig enab: 0x007f1003
+[ 2.121171] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502
+[ 2.127353] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x0000b400
+[ 2.133534] mmc2: sdhci: Cmd: 0x0000371a | Max curr: 0x00ffffff
+[ 2.139715] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0xffffffff
+[ 2.145896] mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d00f00
+[ 2.152077] mmc2: sdhci: Host ctl2: 0x00000000
+[ 2.156342] mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x00000000
+
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/1582100757-20683-6-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index 71ca97c696b1..dc0a10a5e2c3 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1092,6 +1092,7 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host);
++ struct cqhci_host *cq_host = host->mmc->cqe_private;
+ int tmp;
+
+ if (esdhc_is_usdhc(imx_data)) {
+@@ -1151,6 +1152,21 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host)
+ tmp &= ~ESDHC_STD_TUNING_EN;
+ writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL);
+ }
++
++ /*
++ * On i.MX8MM, we are running Dual Linux OS, with 1st Linux using SD Card
++ * as rootfs storage, 2nd Linux using eMMC as rootfs storage. We let the
++ * the 1st linux configure power/clock for the 2nd Linux.
++ *
++ * When the 2nd Linux is booting into rootfs stage, we let the 1st Linux
++ * to destroy the 2nd linux, then restart the 2nd linux, we met SDHCI dump.
++ * After we clear the pending interrupt and halt CQCTL, issue gone.
++ */
++ if (cq_host) {
++ tmp = cqhci_readl(cq_host, CQHCI_IS);
++ cqhci_writel(cq_host, tmp, CQHCI_IS);
++ cqhci_writel(cq_host, CQHCI_HALT, CQHCI_CTL);
++ }
+ }
+ }
+
+--
+2.39.0
+
--- /dev/null
+From 730ae5e3c6d1397618caab6b69d8b7b5df23da23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 19:23:15 +0800
+Subject: mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 1e336aa0c0250ec84c6f16efac40c9f0138e367d ]
+
+Current code logic may be impacted by the setting of ROM/Bootloader,
+so unmask these bits first, then setting these bits accordingly.
+
+Fixes: 2b16cf326b70 ("mmc: sdhci-esdhc-imx: move tuning static configuration into hwinit function")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20221207112315.1812222-1-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index 30c75a96fce1..97ec4f870e11 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -85,6 +85,7 @@
+ #define ESDHC_TUNING_START_TAP_DEFAULT 0x1
+ #define ESDHC_TUNING_START_TAP_MASK 0x7f
+ #define ESDHC_TUNING_CMD_CRC_CHECK_DISABLE (1 << 7)
++#define ESDHC_TUNING_STEP_DEFAULT 0x1
+ #define ESDHC_TUNING_STEP_MASK 0x00070000
+ #define ESDHC_TUNING_STEP_SHIFT 16
+
+@@ -1094,7 +1095,7 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host)
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host);
+ struct cqhci_host *cq_host = host->mmc->cqe_private;
+- int tmp;
++ u32 tmp;
+
+ if (esdhc_is_usdhc(imx_data)) {
+ /*
+@@ -1130,17 +1131,24 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host)
+
+ if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) {
+ tmp = readl(host->ioaddr + ESDHC_TUNING_CTRL);
+- tmp |= ESDHC_STD_TUNING_EN |
+- ESDHC_TUNING_START_TAP_DEFAULT;
+- if (imx_data->boarddata.tuning_start_tap) {
+- tmp &= ~ESDHC_TUNING_START_TAP_MASK;
++ tmp |= ESDHC_STD_TUNING_EN;
++
++ /*
++ * ROM code or bootloader may config the start tap
++ * and step, unmask them first.
++ */
++ tmp &= ~(ESDHC_TUNING_START_TAP_MASK | ESDHC_TUNING_STEP_MASK);
++ if (imx_data->boarddata.tuning_start_tap)
+ tmp |= imx_data->boarddata.tuning_start_tap;
+- }
++ else
++ tmp |= ESDHC_TUNING_START_TAP_DEFAULT;
+
+ if (imx_data->boarddata.tuning_step) {
+- tmp &= ~ESDHC_TUNING_STEP_MASK;
+ tmp |= imx_data->boarddata.tuning_step
+ << ESDHC_TUNING_STEP_SHIFT;
++ } else {
++ tmp |= ESDHC_TUNING_STEP_DEFAULT
++ << ESDHC_TUNING_STEP_SHIFT;
+ }
+
+ /* Disable the CMD CRC check for tuning, if not, need to
+--
+2.39.0
+
--- /dev/null
+From 6a381e3ed356ba8d7a920f5638848aad3e63c9be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 18:22:02 +0800
+Subject: mmc: sdhci-esdhc-imx: disable the CMD CRC check for standard tuning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 16e40e5b1e3c6646fd90d0c3186703d209216f03 ]
+
+In current code, we add 1ms dealy after each tuning command for standard
+tuning method. Adding this 1ms dealy is because USDHC default check the
+CMD CRC and DATA line. If detect the CMD CRC, USDHC standard tuning
+IC logic do not wait for the tuning data sending out by the card, trigger
+the buffer read ready interrupt immediately, and step to next cycle. So
+when next time the new tuning command send out by USDHC, card may still
+not send out the tuning data of the upper command,then some eMMC cards
+may stuck, can't response to any command, block the whole tuning procedure.
+
+If do not check the CMD CRC for tuning, then do not has this issue. USDHC
+will wait for the tuning data of each tuning command and check them. If the
+tuning data pass the check, it also means the CMD line also okay for tuning.
+
+So this patch disable the CMD CRC check for tuning, save some time for the
+whole tuning procedure.
+
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Link: https://lore.kernel.org/r/1590488522-9292-2-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index dc0a10a5e2c3..30c75a96fce1 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -84,6 +84,7 @@
+ /* NOTE: the minimum valid tuning start tap for mx6sl is 1 */
+ #define ESDHC_TUNING_START_TAP_DEFAULT 0x1
+ #define ESDHC_TUNING_START_TAP_MASK 0x7f
++#define ESDHC_TUNING_CMD_CRC_CHECK_DISABLE (1 << 7)
+ #define ESDHC_TUNING_STEP_MASK 0x00070000
+ #define ESDHC_TUNING_STEP_SHIFT 16
+
+@@ -1141,6 +1142,18 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host)
+ tmp |= imx_data->boarddata.tuning_step
+ << ESDHC_TUNING_STEP_SHIFT;
+ }
++
++ /* Disable the CMD CRC check for tuning, if not, need to
++ * add some delay after every tuning command, because
++ * hardware standard tuning logic will directly go to next
++ * step once it detect the CMD CRC error, will not wait for
++ * the card side to finally send out the tuning data, trigger
++ * the buffer read ready interrupt immediately. If usdhc send
++ * the next tuning command some eMMC card will stuck, can't
++ * response, block the tuning procedure or the first command
++ * after the whole tuning procedure always can't get any response.
++ */
++ tmp |= ESDHC_TUNING_CMD_CRC_CHECK_DISABLE;
+ writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL);
+ } else if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) {
+ /*
+--
+2.39.0
+
--- /dev/null
+From c0619c63a70bfadc71a4c314b9a614f2c52fd8c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 15:41:33 -0600
+Subject: net: macb: fix PTP TX timestamp failure due to packet padding
+
+From: Robert Hancock <robert.hancock@calian.com>
+
+[ Upstream commit 7b90f5a665acd46efbbfa677a3a3a18d01ad6487 ]
+
+PTP TX timestamp handling was observed to be broken with this driver
+when using the raw Layer 2 PTP encapsulation. ptp4l was not receiving
+the expected TX timestamp after transmitting a packet, causing it to
+enter a failure state.
+
+The problem appears to be due to the way that the driver pads packets
+which are smaller than the Ethernet minimum of 60 bytes. If headroom
+space was available in the SKB, this caused the driver to move the data
+back to utilize it. However, this appears to cause other data references
+in the SKB to become inconsistent. In particular, this caused the
+ptp_one_step_sync function to later (in the TX completion path) falsely
+detect the packet as a one-step SYNC packet, even when it was not, which
+caused the TX timestamp to not be processed when it should be.
+
+Using the headroom for this purpose seems like an unnecessary complexity
+as this is not a hot path in the driver, and in most cases it appears
+that there is sufficient tailroom to not require using the headroom
+anyway. Remove this usage of headroom to prevent this inconsistency from
+occurring and causing other problems.
+
+Fixes: 653e92a9175e ("net: macb: add support for padding and fcs computation")
+Signed-off-by: Robert Hancock <robert.hancock@calian.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com> # on SAMA7G5
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 50331b202f73..324d81516832 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1738,7 +1738,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
+ bool cloned = skb_cloned(*skb) || skb_header_cloned(*skb) ||
+ skb_is_nonlinear(*skb);
+ int padlen = ETH_ZLEN - (*skb)->len;
+- int headroom = skb_headroom(*skb);
+ int tailroom = skb_tailroom(*skb);
+ struct sk_buff *nskb;
+ u32 fcs;
+@@ -1752,9 +1751,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
+ /* FCS could be appeded to tailroom. */
+ if (tailroom >= ETH_FCS_LEN)
+ goto add_fcs;
+- /* FCS could be appeded by moving data to headroom. */
+- else if (!cloned && headroom + tailroom >= ETH_FCS_LEN)
+- padlen = 0;
+ /* No room for FCS, need to reallocate skb. */
+ else
+ padlen = ETH_FCS_LEN;
+@@ -1763,10 +1759,7 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
+ padlen += ETH_FCS_LEN;
+ }
+
+- if (!cloned && headroom + tailroom >= padlen) {
+- (*skb)->data = memmove((*skb)->head, (*skb)->data, (*skb)->len);
+- skb_set_tail_pointer(*skb, (*skb)->len);
+- } else {
++ if (cloned || tailroom < padlen) {
+ nskb = skb_copy_expand(*skb, 0, padlen, GFP_ATOMIC);
+ if (!nskb)
+ return -ENOMEM;
+--
+2.39.0
+
--- /dev/null
+From 5184bc3b344de16e1144b4a9bb8c44135550539c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jan 2023 11:54:06 +0100
+Subject: net: mdio: validate parameter addr in mdiobus_get_phy()
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 867dbe784c5010a466f00a7d1467c1c5ea569c75 ]
+
+The caller may pass any value as addr, what may result in an out-of-bounds
+access to array mdio_map. One existing case is stmmac_init_phy() that
+may pass -1 as addr. Therefore validate addr before using it.
+
+Fixes: 7f854420fbfe ("phy: Add API for {un}registering an mdio device to a bus.")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/cdf664ea-3312-e915-73f8-021678d08887@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 1d1fbd7bd6fc..550806351049 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -103,7 +103,12 @@ EXPORT_SYMBOL(mdiobus_unregister_device);
+
+ struct phy_device *mdiobus_get_phy(struct mii_bus *bus, int addr)
+ {
+- struct mdio_device *mdiodev = bus->mdio_map[addr];
++ struct mdio_device *mdiodev;
++
++ if (addr < 0 || addr >= ARRAY_SIZE(bus->mdio_map))
++ return NULL;
++
++ mdiodev = bus->mdio_map[addr];
+
+ if (!mdiodev)
+ return NULL;
+--
+2.39.0
+
--- /dev/null
+From 929f22603be0b660a1b6e1c941e8431a55536ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 20:12:29 -0700
+Subject: net: mlx5: eliminate anonymous module_init & module_exit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 2c1e1b949024989e20907b84e11a731a50778416 ]
+
+Eliminate anonymous module_init() and module_exit(), which can lead to
+confusion or ambiguity when reading System.map, crashes/oops/bugs,
+or an initcall_debug log.
+
+Give each of these init and exit functions unique driver-specific
+names to eliminate the anonymous names.
+
+Example 1: (System.map)
+ ffffffff832fc78c t init
+ ffffffff832fc79e t init
+ ffffffff832fc8f8 t init
+
+Example 2: (initcall_debug log)
+ calling init+0x0/0x12 @ 1
+ initcall init+0x0/0x12 returned 0 after 15 usecs
+ calling init+0x0/0x60 @ 1
+ initcall init+0x0/0x60 returned 0 after 2 usecs
+ calling init+0x0/0x9a @ 1
+ initcall init+0x0/0x9a returned 0 after 74 usecs
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Eli Cohen <eli@mellanox.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: linux-rdma@vger.kernel.org
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index a2b25afa2472..e09bd059984e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1683,7 +1683,7 @@ static void mlx5_core_verify_params(void)
+ }
+ }
+
+-static int __init init(void)
++static int __init mlx5_init(void)
+ {
+ int err;
+
+@@ -1708,7 +1708,7 @@ static int __init init(void)
+ return err;
+ }
+
+-static void __exit cleanup(void)
++static void __exit mlx5_cleanup(void)
+ {
+ #ifdef CONFIG_MLX5_CORE_EN
+ mlx5e_cleanup();
+@@ -1717,5 +1717,5 @@ static void __exit cleanup(void)
+ mlx5_unregister_debugfs();
+ }
+
+-module_init(init);
+-module_exit(cleanup);
++module_init(mlx5_init);
++module_exit(mlx5_cleanup);
+--
+2.39.0
+
--- /dev/null
+From 0180f110796e621b20f86accdd2fbaa2a6462fbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:19:14 +0900
+Subject: net: nfc: Fix use-after-free in local_cleanup()
+
+From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+
+[ Upstream commit 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 ]
+
+Fix a use-after-free that occurs in kfree_skb() called from
+local_cleanup(). This could happen when killing nfc daemon (e.g. neard)
+after detaching an nfc device.
+When detaching an nfc device, local_cleanup() called from
+nfc_llcp_unregister_device() frees local->rx_pending and decreases
+local->ref by kref_put() in nfc_llcp_local_put().
+In the terminating process, nfc daemon releases all sockets and it leads
+to decreasing local->ref. After the last release of local->ref,
+local_cleanup() called from local_release() frees local->rx_pending
+again, which leads to the bug.
+
+Setting local->rx_pending to NULL in local_cleanup() could prevent
+use-after-free when local_cleanup() is called twice.
+
+Found by a modified version of syzkaller.
+
+BUG: KASAN: use-after-free in kfree_skb()
+
+Call Trace:
+dump_stack_lvl (lib/dump_stack.c:106)
+print_address_description.constprop.0.cold (mm/kasan/report.c:306)
+kasan_check_range (mm/kasan/generic.c:189)
+kfree_skb (net/core/skbuff.c:955)
+local_cleanup (net/nfc/llcp_core.c:159)
+nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
+nfc_llcp_local_put (net/nfc/llcp_core.c:181)
+llcp_sock_destruct (net/nfc/llcp_sock.c:959)
+__sk_destruct (net/core/sock.c:2133)
+sk_destruct (net/core/sock.c:2181)
+__sk_free (net/core/sock.c:2192)
+sk_free (net/core/sock.c:2203)
+llcp_sock_release (net/nfc/llcp_sock.c:646)
+__sock_release (net/socket.c:650)
+sock_close (net/socket.c:1365)
+__fput (fs/file_table.c:306)
+task_work_run (kernel/task_work.c:179)
+ptrace_notify (kernel/signal.c:2354)
+syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
+syscall_exit_to_user_mode (kernel/entry/common.c:296)
+do_syscall_64 (arch/x86/entry/common.c:86)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)
+
+Allocated by task 4719:
+kasan_save_stack (mm/kasan/common.c:45)
+__kasan_slab_alloc (mm/kasan/common.c:325)
+slab_post_alloc_hook (mm/slab.h:766)
+kmem_cache_alloc_node (mm/slub.c:3497)
+__alloc_skb (net/core/skbuff.c:552)
+pn533_recv_response (drivers/nfc/pn533/usb.c:65)
+__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
+usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
+tasklet_action_common.isra.0 (kernel/softirq.c:797)
+__do_softirq (kernel/softirq.c:571)
+
+Freed by task 1901:
+kasan_save_stack (mm/kasan/common.c:45)
+kasan_set_track (mm/kasan/common.c:52)
+kasan_save_free_info (mm/kasan/genericdd.c:518)
+__kasan_slab_free (mm/kasan/common.c:236)
+kmem_cache_free (mm/slub.c:3809)
+kfree_skbmem (net/core/skbuff.c:874)
+kfree_skb (net/core/skbuff.c:931)
+local_cleanup (net/nfc/llcp_core.c:159)
+nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
+nfc_unregister_device (net/nfc/core.c:1179)
+pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
+pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
+usb_unbind_interface (drivers/usb/core/driver.c:458)
+device_release_driver_internal (drivers/base/dd.c:1279)
+bus_remove_device (drivers/base/bus.c:529)
+device_del (drivers/base/core.c:3665)
+usb_disable_device (drivers/usb/core/message.c:1420)
+usb_disconnect (drivers/usb/core.c:2261)
+hub_event (drivers/usb/core/hub.c:5833)
+process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
+worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
+kthread (kernel/kthread.c:319)
+ret_from_fork (arch/x86/entry/entry_64.S:301)
+
+Fixes: 3536da06db0b ("NFC: llcp: Clean local timers and works when removing a device")
+Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Link: https://lore.kernel.org/r/20230111131914.3338838-1-jisoo.jang@yonsei.ac.kr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 4fa015208aab..3290f2275b85 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -171,6 +171,7 @@ static void local_cleanup(struct nfc_llcp_local *local)
+ cancel_work_sync(&local->rx_work);
+ cancel_work_sync(&local->timeout_work);
+ kfree_skb(local->rx_pending);
++ local->rx_pending = NULL;
+ del_timer_sync(&local->sdreq_timer);
+ cancel_work_sync(&local->sdreq_timeout_work);
+ nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs);
+--
+2.39.0
+
--- /dev/null
+From 0578fbb6db93ba80a15a9f6ae9fef50850ff51c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jan 2023 19:23:26 +0100
+Subject: net: usb: sr9700: Handle negative len
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit ecf7cf8efb59789e2b21d2f9ab926142579092b2 ]
+
+Packet len computed as difference of length word extracted from
+skb data and four may result in a negative value. In such case
+processing of the buffer should be interrupted rather than
+setting sr_skb->len to an unexpectedly large value (due to cast
+from signed to unsigned integer) and passing sr_skb to
+usbnet_skb_return.
+
+Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20230114182326.30479-1-szymon.heidrich@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index 83640628c47d..8bee8286e41a 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ /* ignore the CRC length */
+ len = (skb->data[1] | (skb->data[2] << 8)) - 4;
+
+- if (len > ETH_FRAME_LEN || len > skb->len)
++ if (len > ETH_FRAME_LEN || len > skb->len || len < 0)
+ return 0;
+
+ /* the last packet of current skb */
+--
+2.39.0
+
--- /dev/null
+From c6a4e67a680a27c82c41e89e150739578d0a5660 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 19:58:23 +0800
+Subject: phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in
+ rockchip_usb2phy_power_on()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 5daba914da0e48950e9407ea4d75fa57029c9adc ]
+
+The clk_disable_unprepare() should be called in the error handling of
+rockchip_usb2phy_power_on().
+
+Fixes: 0e08d2a727e6 ("phy: rockchip-inno-usb2: add a new driver for Rockchip usb2phy")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Link: https://lore.kernel.org/r/20221205115823.16957-1-shangxiaojing@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+index 5049dac79bd0..77c1c3ffaed7 100644
+--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+@@ -477,8 +477,10 @@ static int rockchip_usb2phy_power_on(struct phy *phy)
+ return ret;
+
+ ret = property_enable(base, &rport->port_cfg->phy_sus, false);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(rphy->clk480m);
+ return ret;
++ }
+
+ /* waiting for the utmi_clk to become stable */
+ usleep_range(1500, 2000);
+--
+2.39.0
+
--- /dev/null
+memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch
+memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch
+arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch
+hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch
+edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch
+tomoyo-fix-broken-dependency-on-.conf.default.patch
+ib-hfi1-reject-a-zero-length-user-expected-buffer.patch
+ib-hfi1-reserve-user-expected-tids.patch
+ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch
+affs-initialize-fsdata-in-affs_truncate.patch
+amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch
+amd-xgbe-delay-an-timeout-during-kr-training.patch
+bpf-fix-pointer-leak-due-to-insufficient-speculative.patch
+phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch
+net-nfc-fix-use-after-free-in-local_cleanup.patch
+wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch
+net-usb-sr9700-handle-negative-len.patch
+net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch
+hid-check-empty-report_list-in-hid_validate_values.patch
+usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch
+usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch
+net-mlx5-eliminate-anonymous-module_init-module_exit.patch
+dmaengine-fix-double-increment-of-client_count-in-dm.patch
+net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch
+hid-betop-check-shape-of-output-reports.patch
+dmaengine-xilinx_dma-commonize-dma-copy-size-calcula.patch
+dmaengine-xilinx_dma-program-hardware-supported-buff.patch
+dmaengine-xilinx_dma-fix-devm_platform_ioremap_resou.patch
+dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch
+tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch
+w1-fix-deadloop-in-__w1_remove_master_device.patch
+w1-fix-warning-after-calling-w1_process.patch
+mmc-sdhci-esdhc-imx-clear-esdhc_std_tuning_en-for-ma.patch
+mmc-sdhci-esdhc-imx-clear-pending-interrupt-and-halt.patch
+mmc-sdhci-esdhc-imx-disable-the-cmd-crc-check-for-st.patch
+mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and.patch
--- /dev/null
+From 6b5da29c2c7a5e76e9759048f9dab79caff958ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 09:59:41 +0800
+Subject: tcp: avoid the lookup process failing to get sk in ehash table
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 3f4ca5fafc08881d7a57daa20449d171f2887043 ]
+
+While one cpu is working on looking up the right socket from ehash
+table, another cpu is done deleting the request socket and is about
+to add (or is adding) the big socket from the table. It means that
+we could miss both of them, even though it has little chance.
+
+Let me draw a call trace map of the server side.
+ CPU 0 CPU 1
+ ----- -----
+tcp_v4_rcv() syn_recv_sock()
+ inet_ehash_insert()
+ -> sk_nulls_del_node_init_rcu(osk)
+__inet_lookup_established()
+ -> __sk_nulls_add_node_rcu(sk, list)
+
+Notice that the CPU 0 is receiving the data after the final ack
+during 3-way shakehands and CPU 1 is still handling the final ack.
+
+Why could this be a real problem?
+This case is happening only when the final ack and the first data
+receiving by different CPUs. Then the server receiving data with
+ACK flag tries to search one proper established socket from ehash
+table, but apparently it fails as my map shows above. After that,
+the server fetches a listener socket and then sends a RST because
+it finds a ACK flag in the skb (data), which obeys RST definition
+in RFC 793.
+
+Besides, Eric pointed out there's one more race condition where it
+handles tw socket hashdance. Only by adding to the tail of the list
+before deleting the old one can we avoid the race if the reader has
+already begun the bucket traversal and it would possibly miss the head.
+
+Many thanks to Eric for great help from beginning to end.
+
+Fixes: 5e0724d027f0 ("tcp/dccp: fix hashdance race for passive sessions")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/lkml/20230112065336.41034-1-kerneljasonxing@gmail.com/
+Link: https://lore.kernel.org/r/20230118015941.1313-1-kerneljasonxing@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_hashtables.c | 17 +++++++++++++++--
+ net/ipv4/inet_timewait_sock.c | 8 ++++----
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 3c58019f0718..d64522af9c3a 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -579,8 +579,20 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ spin_lock(lock);
+ if (osk) {
+ WARN_ON_ONCE(sk->sk_hash != osk->sk_hash);
+- ret = sk_nulls_del_node_init_rcu(osk);
+- } else if (found_dup_sk) {
++ ret = sk_hashed(osk);
++ if (ret) {
++ /* Before deleting the node, we insert a new one to make
++ * sure that the look-up-sk process would not miss either
++ * of them and that at least one node would exist in ehash
++ * table all the time. Otherwise there's a tiny chance
++ * that lookup process could find nothing in ehash table.
++ */
++ __sk_nulls_add_node_tail_rcu(sk, list);
++ sk_nulls_del_node_init_rcu(osk);
++ }
++ goto unlock;
++ }
++ if (found_dup_sk) {
+ *found_dup_sk = inet_ehash_lookup_by_sk(sk, list);
+ if (*found_dup_sk)
+ ret = false;
+@@ -589,6 +601,7 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ if (ret)
+ __sk_nulls_add_node_rcu(sk, list);
+
++unlock:
+ spin_unlock(lock);
+
+ return ret;
+diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
+index 88c5069b5d20..fedd19c22b39 100644
+--- a/net/ipv4/inet_timewait_sock.c
++++ b/net/ipv4/inet_timewait_sock.c
+@@ -80,10 +80,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw)
+ }
+ EXPORT_SYMBOL_GPL(inet_twsk_put);
+
+-static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw,
+- struct hlist_nulls_head *list)
++static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw,
++ struct hlist_nulls_head *list)
+ {
+- hlist_nulls_add_head_rcu(&tw->tw_node, list);
++ hlist_nulls_add_tail_rcu(&tw->tw_node, list);
+ }
+
+ static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw,
+@@ -119,7 +119,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk,
+
+ spin_lock(lock);
+
+- inet_twsk_add_node_rcu(tw, &ehead->chain);
++ inet_twsk_add_node_tail_rcu(tw, &ehead->chain);
+
+ /* Step 3: Remove SK from hash chain */
+ if (__sk_nulls_del_node_init_rcu(sk))
+--
+2.39.0
+
--- /dev/null
+From 2fa2a39c4226cba4b6e69dc7ce72696f97edba90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jan 2023 16:47:41 +0900
+Subject: tomoyo: fix broken dependency on *.conf.default
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ]
+
+If *.conf.default is updated, builtin-policy.h should be rebuilt,
+but this does not work when compiled with O= option.
+
+[Without this commit]
+
+ $ touch security/tomoyo/policy/exception_policy.conf.default
+ $ make O=/tmp security/tomoyo/
+ make[1]: Entering directory '/tmp'
+ GEN Makefile
+ CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
+ DESCEND objtool
+ make[1]: Leaving directory '/tmp'
+
+[With this commit]
+
+ $ touch security/tomoyo/policy/exception_policy.conf.default
+ $ make O=/tmp security/tomoyo/
+ make[1]: Entering directory '/tmp'
+ GEN Makefile
+ CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
+ DESCEND objtool
+ POLICY security/tomoyo/builtin-policy.h
+ CC security/tomoyo/common.o
+ AR security/tomoyo/built-in.a
+ make[1]: Leaving directory '/tmp'
+
+$(srctree)/ is essential because $(wildcard ) does not follow VPATH.
+
+Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/tomoyo/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile
+index cca5a3012fee..221eaadffb09 100644
+--- a/security/tomoyo/Makefile
++++ b/security/tomoyo/Makefile
+@@ -10,7 +10,7 @@ endef
+ quiet_cmd_policy = POLICY $@
+ cmd_policy = ($(call do_policy,profile); $(call do_policy,exception_policy); $(call do_policy,domain_policy); $(call do_policy,manager); $(call do_policy,stat)) >$@
+
+-$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(src)/policy/*.conf.default) FORCE
++$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(srctree)/$(src)/policy/*.conf.default) FORCE
+ $(call if_changed,policy)
+
+ $(obj)/common.o: $(obj)/builtin-policy.h
+--
+2.39.0
+
--- /dev/null
+From 2a4c810f7f62670d20cc5cfd05322e61dde2dd87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:59:06 +0530
+Subject: usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+[ Upstream commit ce405d561b020e5a46340eb5146805a625dcacee ]
+
+As per the documentation, function usb_ep_free_request guarantees
+the request will not be queued or no longer be re-queued (or
+otherwise used). However, with the current implementation it
+doesn't make sure that the request in ep0 isn't reused.
+
+Fix this by dequeuing the ep0req on functionfs_unbind before
+freeing the request to align with the definition.
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Tested-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index b3489a3449f6..48bdb2a3972b 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1810,6 +1810,8 @@ static void functionfs_unbind(struct ffs_data *ffs)
+ ENTER();
+
+ if (!WARN_ON(!ffs->gadget)) {
++ /* dequeue before freeing ep0req */
++ usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req);
+ mutex_lock(&ffs->mutex);
+ usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+ ffs->ep0req = NULL;
+--
+2.39.0
+
--- /dev/null
+From 58a9a7ce429e129b9c0685634a2fc7c3aa07c819 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:59:05 +0530
+Subject: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+[ Upstream commit 6a19da111057f69214b97c62fb0ac59023970850 ]
+
+While performing fast composition switch, there is a possibility that the
+process of ffs_ep0_write/ffs_ep0_read get into a race condition
+due to ep0req being freed up from functionfs_unbind.
+
+Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait
+by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't
+bounded so it can go ahead and mark the ep0req to NULL, and since there
+is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.
+
+Fix this by making a serialized execution between the two functions using
+a mutex_lock(ffs->mutex).
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Tested-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 49eb4e3c760f..b3489a3449f6 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -271,6 +271,9 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
+ struct usb_request *req = ffs->ep0req;
+ int ret;
+
++ if (!req)
++ return -EINVAL;
++
+ req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
+
+ spin_unlock_irq(&ffs->ev.waitq.lock);
+@@ -1807,10 +1810,12 @@ static void functionfs_unbind(struct ffs_data *ffs)
+ ENTER();
+
+ if (!WARN_ON(!ffs->gadget)) {
++ mutex_lock(&ffs->mutex);
+ usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+ ffs->ep0req = NULL;
+ ffs->gadget = NULL;
+ clear_bit(FFS_FL_BOUND, &ffs->flags);
++ mutex_unlock(&ffs->mutex);
+ ffs_data_put(ffs);
+ }
+ }
+--
+2.39.0
+
--- /dev/null
+From a07e6843ed8e5ad1c876ceaeae8a19441fb30ca3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 16:04:34 +0800
+Subject: w1: fix deadloop in __w1_remove_master_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 25d5648802f12ae486076ceca5d7ddf1fef792b2 ]
+
+I got a deadloop report while doing device(ds2482) add/remove test:
+
+ [ 162.241881] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ [ 163.272251] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ [ 164.296157] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ ...
+
+__w1_remove_master_device() can't return, because the dev->refcnt is not zero.
+
+w1_add_master_device() |
+ w1_alloc_dev() |
+ atomic_set(&dev->refcnt, 2) |
+ kthread_run() |
+ |__w1_remove_master_device()
+ | kthread_stop()
+ // KTHREAD_SHOULD_STOP is set, |
+ // threadfn(w1_process) won't be |
+ // called. |
+ kthread() |
+ | // refcnt will never be 0, it's deadloop.
+ | while (atomic_read(&dev->refcnt)) {...}
+
+After calling w1_add_master_device(), w1_process() is not really
+invoked, before w1_process() starting, if kthread_stop() is called
+in __w1_remove_master_device(), w1_process() will never be called,
+the refcnt can not be decreased, then it causes deadloop in remove
+function because of non-zero refcnt.
+
+We need to make sure w1_process() is really started, so move the
+set refcnt into w1_process() to fix this problem.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221205080434.3149205-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1.c | 2 ++
+ drivers/w1/w1_int.c | 5 ++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 890c038c25f8..c1d0e723fabc 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1140,6 +1140,8 @@ int w1_process(void *data)
+ /* remainder if it woke up early */
+ unsigned long jremain = 0;
+
++ atomic_inc(&dev->refcnt);
++
+ for (;;) {
+
+ if (!jremain && dev->search_count) {
+diff --git a/drivers/w1/w1_int.c b/drivers/w1/w1_int.c
+index 1c776178f598..eb851eb44300 100644
+--- a/drivers/w1/w1_int.c
++++ b/drivers/w1/w1_int.c
+@@ -60,10 +60,9 @@ static struct w1_master *w1_alloc_dev(u32 id, int slave_count, int slave_ttl,
+ dev->search_count = w1_search_count;
+ dev->enable_pullup = w1_enable_pullup;
+
+- /* 1 for w1_process to decrement
+- * 1 for __w1_remove_master_device to decrement
++ /* For __w1_remove_master_device to decrement
+ */
+- atomic_set(&dev->refcnt, 2);
++ atomic_set(&dev->refcnt, 1);
+
+ INIT_LIST_HEAD(&dev->slist);
+ INIT_LIST_HEAD(&dev->async_list);
+--
+2.39.0
+
--- /dev/null
+From e46995484a5bbc32942dfebb801d77bb6bb31a5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 18:15:58 +0800
+Subject: w1: fix WARNING after calling w1_process()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b ]
+
+I got the following WARNING message while removing driver(ds2482):
+
+------------[ cut here ]------------
+do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire]
+WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0
+CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307
+RIP: 0010:__might_sleep+0x98/0xa0
+Call Trace:
+ exit_signals+0x6c/0x550
+ do_exit+0x2b4/0x17e0
+ kthread_exit+0x52/0x60
+ kthread+0x16d/0x1e0
+ ret_from_fork+0x1f/0x30
+
+The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),
+set it to TASK_RUNNING when it breaks out of the loop to avoid the
+warning.
+
+Fixes: 3c52e4e62789 ("W1: w1_process, block or sleep")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221205101558.3599162-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index c1d0e723fabc..cb3650efc29c 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1169,8 +1169,10 @@ int w1_process(void *data)
+ */
+ mutex_unlock(&dev->list_mutex);
+
+- if (kthread_should_stop())
++ if (kthread_should_stop()) {
++ __set_current_state(TASK_RUNNING);
+ break;
++ }
+
+ /* Only sleep when the search is active. */
+ if (dev->search_count) {
+--
+2.39.0
+
--- /dev/null
+From af82c2653a2995ab03aa8e51ae99485e733c9642 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 18:50:31 +0100
+Subject: wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit b870e73a56c4cccbec33224233eaf295839f228c ]
+
+Since resplen and respoffs are signed integers sufficiently
+large values of unsigned int len and offset members of RNDIS
+response will result in negative values of prior variables.
+This may be utilized to bypass implemented security checks
+to either extract memory contents by manipulating offset or
+overflow the data buffer via memcpy by manipulating both
+offset and len.
+
+Additionally assure that sum of resplen and respoffs does not
+overflow so buffer boundaries are kept.
+
+Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rndis_wlan.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
+index 51e4e92d95a0..0bbeb61ec3a3 100644
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -712,8 +712,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+ struct rndis_query *get;
+ struct rndis_query_c *get_c;
+ } u;
+- int ret, buflen;
+- int resplen, respoffs, copylen;
++ int ret;
++ size_t buflen, resplen, respoffs, copylen;
+
+ buflen = *len + sizeof(*u.get);
+ if (buflen < CONTROL_BUFFER_SIZE)
+@@ -748,22 +748,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+
+ if (respoffs > buflen) {
+ /* Device returned data offset outside buffer, error. */
+- netdev_dbg(dev->net, "%s(%s): received invalid "
+- "data offset: %d > %d\n", __func__,
+- oid_to_string(oid), respoffs, buflen);
++ netdev_dbg(dev->net,
++ "%s(%s): received invalid data offset: %zu > %zu\n",
++ __func__, oid_to_string(oid), respoffs, buflen);
+
+ ret = -EINVAL;
+ goto exit_unlock;
+ }
+
+- if ((resplen + respoffs) > buflen) {
+- /* Device would have returned more data if buffer would
+- * have been big enough. Copy just the bits that we got.
+- */
+- copylen = buflen - respoffs;
+- } else {
+- copylen = resplen;
+- }
++ copylen = min(resplen, buflen - respoffs);
+
+ if (copylen > *len)
+ copylen = *len;
+--
+2.39.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
