--- /dev/null
+From dcb8db58afbb4d76d8ed5fc956d86067bd7d6b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jul 2022 17:49:52 +0200
+Subject: clk: bcm: rpi: Add missing newline
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 13b5cf8d6a0d4a5d289e1ed046cadc63b416db85 ]
+
+Some log messages lacks the final newline. So add them.
+
+Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Link: https://lore.kernel.org/r/20220713154953.3336-3-stefan.wahren@i2se.com
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Ivan T. Ivanov <iivanov@suse.de>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index 27ae08c4952e7..969227e2df215 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -156,7 +156,7 @@ static int raspberrypi_fw_set_rate(struct clk_hw *hw, unsigned long rate,
+ ret = raspberrypi_clock_property(rpi->firmware, data,
+ RPI_FIRMWARE_SET_CLOCK_RATE, &_rate);
+ if (ret)
+- dev_err_ratelimited(rpi->dev, "Failed to change %s frequency: %d",
++ dev_err_ratelimited(rpi->dev, "Failed to change %s frequency: %d\n",
+ clk_hw_get_name(hw), ret);
+
+ return ret;
+@@ -208,7 +208,7 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi,
+ RPI_FIRMWARE_GET_MIN_CLOCK_RATE,
+ &min_rate);
+ if (ret) {
+- dev_err(rpi->dev, "Failed to get clock %d min freq: %d",
++ dev_err(rpi->dev, "Failed to get clock %d min freq: %d\n",
+ id, ret);
+ return ERR_PTR(ret);
+ }
+--
+2.35.1
+
--- /dev/null
+From 7277ebc04e6b00361456f49a58f2ec4a1e75d37d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jun 2022 10:36:43 +0200
+Subject: clk: bcm: rpi: Fix error handling of raspberrypi_fw_get_rate
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 35f73cca1cecda0c1f8bb7d8be4ce5cd2d46ae8c ]
+
+The function raspberrypi_fw_get_rate (e.g. used for the recalc_rate
+hook) can fail to get the clock rate from the firmware. In this case
+we cannot return a signed error value, which would be casted to
+unsigned long. Fix this by returning 0 instead.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Link: https://lore.kernel.org/r/20220625083643.4012-1-stefan.wahren@i2se.com
+Fixes: 4e85e535e6cc ("clk: bcm283x: add driver interfacing with Raspberry Pi's firmware")
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index f89b9cfc43099..2c12bd5ac1388 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -139,7 +139,7 @@ static unsigned long raspberrypi_fw_get_rate(struct clk_hw *hw,
+ ret = raspberrypi_clock_property(rpi->firmware, data,
+ RPI_FIRMWARE_GET_CLOCK_RATE, &val);
+ if (ret)
+- return ret;
++ return 0;
+
+ return val;
+ }
+--
+2.35.1
+
--- /dev/null
+From ac3411b01e7a57c31dbfe25d77329043605baa14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jul 2022 17:49:51 +0200
+Subject: clk: bcm: rpi: Prevent out-of-bounds access
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit bc163555603e4ae9c817675ad80d618a4cdbfa2d ]
+
+The while loop in raspberrypi_discover_clocks() relies on the assumption
+that the id of the last clock element is zero. Because this data comes
+from the Videocore firmware and it doesn't guarantuee such a behavior
+this could lead to out-of-bounds access. So fix this by providing
+a sentinel element.
+
+Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
+Link: https://github.com/raspberrypi/firmware/issues/1688
+Suggested-by: Phil Elwell <phil@raspberrypi.com>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Link: https://lore.kernel.org/r/20220713154953.3336-2-stefan.wahren@i2se.com
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Ivan T. Ivanov <iivanov@suse.de>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index ff87305cbe9d9..27ae08c4952e7 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -251,8 +251,13 @@ static int raspberrypi_discover_clocks(struct raspberrypi_clk *rpi,
+ struct rpi_firmware_get_clocks_response *clks;
+ int ret;
+
++ /*
++ * The firmware doesn't guarantee that the last element of
++ * RPI_FIRMWARE_GET_CLOCKS is zeroed. So allocate an additional
++ * zero element as sentinel.
++ */
+ clks = devm_kcalloc(rpi->dev,
+- RPI_FIRMWARE_NUM_CLK_ID, sizeof(*clks),
++ RPI_FIRMWARE_NUM_CLK_ID + 1, sizeof(*clks),
+ GFP_KERNEL);
+ if (!clks)
+ return -ENOMEM;
+--
+2.35.1
+
--- /dev/null
+From fc60f741e78001531af1cec198d69975393c1612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 May 2022 23:20:58 +0200
+Subject: clk: bcm: rpi: Use correct order for the parameters of devm_kcalloc()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b7fa6242f3e035308a76284560e4f918dad9b017 ]
+
+We should have 'n', then 'size', not the opposite.
+This is harmless because the 2 values are just multiplied, but having
+the correct order silence a (unpublished yet) smatch warning.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/49d726d11964ca0e3757bdb5659e3b3eaa1572b5.1653081643.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index 2c12bd5ac1388..ff87305cbe9d9 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -252,7 +252,7 @@ static int raspberrypi_discover_clocks(struct raspberrypi_clk *rpi,
+ int ret;
+
+ clks = devm_kcalloc(rpi->dev,
+- sizeof(*clks), RPI_FIRMWARE_NUM_CLK_ID,
++ RPI_FIRMWARE_NUM_CLK_ID, sizeof(*clks),
+ GFP_KERNEL);
+ if (!clks)
+ return -ENOMEM;
+--
+2.35.1
+
--- /dev/null
+From 6edf0b1c95883f8bbec1d3cff504884058c21eb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 16:14:24 +0800
+Subject: clk: core: Fix runtime PM sequence in clk_core_unprepare()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 4b592061f7b3971c70e8b72fc42aaead47c24701 ]
+
+In the original commit 9a34b45397e5 ("clk: Add support for runtime PM"),
+the commit message mentioned that pm_runtime_put_sync() would be done
+at the end of clk_core_unprepare(). This mirrors the operations in
+clk_core_prepare() in the opposite order.
+
+However, the actual code that was added wasn't in the order the commit
+message described. Move clk_pm_runtime_put() to the end of
+clk_core_unprepare() so that it is in the correct order.
+
+Fixes: 9a34b45397e5 ("clk: Add support for runtime PM")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20220822081424.1310926-3-wenst@chromium.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 2e56cc0a3bce6..b355d3d40f63a 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -846,10 +846,9 @@ static void clk_core_unprepare(struct clk_core *core)
+ if (core->ops->unprepare)
+ core->ops->unprepare(core->hw);
+
+- clk_pm_runtime_put(core);
+-
+ trace_clk_unprepare_complete(core);
+ clk_core_unprepare(core->parent);
++ clk_pm_runtime_put(core);
+ }
+
+ static void clk_core_unprepare_lock(struct clk_core *core)
+--
+2.35.1
+
--- /dev/null
+From 51cc53d63c9910dfb01d44d4663bbb67d0008dc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 16:14:23 +0800
+Subject: clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 35b0fac808b95eea1212f8860baf6ad25b88b087 ]
+
+In the previous commits that added CLK_OPS_PARENT_ENABLE, support for
+this flag was only added to rate change operations (rate setting and
+reparent) and disabling unused subtree. It was not added to the
+clock gate related operations. Any hardware driver that needs it for
+these operations will either see bogus results, or worse, hang.
+
+This has been seen on MT8192 and MT8195, where the imp_ii2_* clk
+drivers set this, but dumping debugfs clk_summary would cause it
+to hang.
+
+Fixes: fc8726a2c021 ("clk: core: support clocks which requires parents enable (part 2)")
+Fixes: a4b3518d146f ("clk: core: support clocks which requires parents enable (part 1)")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20220822081424.1310926-2-wenst@chromium.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 2e56cc0a3bce6..4f20d5318183f 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -203,6 +203,9 @@ static bool clk_core_rate_is_protected(struct clk_core *core)
+ return core->protect_count;
+ }
+
++static int clk_core_prepare_enable(struct clk_core *core);
++static void clk_core_disable_unprepare(struct clk_core *core);
++
+ static bool clk_core_is_prepared(struct clk_core *core)
+ {
+ bool ret = false;
+@@ -215,7 +218,11 @@ static bool clk_core_is_prepared(struct clk_core *core)
+ return core->prepare_count;
+
+ if (!clk_pm_runtime_get(core)) {
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_prepare_enable(core->parent);
+ ret = core->ops->is_prepared(core->hw);
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_unprepare(core->parent);
+ clk_pm_runtime_put(core);
+ }
+
+@@ -251,7 +258,13 @@ static bool clk_core_is_enabled(struct clk_core *core)
+ }
+ }
+
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_prepare_enable(core->parent);
++
+ ret = core->ops->is_enabled(core->hw);
++
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_unprepare(core->parent);
+ done:
+ if (core->rpm_enabled)
+ pm_runtime_put(core->dev);
+@@ -818,6 +831,9 @@ int clk_rate_exclusive_get(struct clk *clk)
+ }
+ EXPORT_SYMBOL_GPL(clk_rate_exclusive_get);
+
++static int clk_core_enable_lock(struct clk_core *core);
++static void clk_core_disable_lock(struct clk_core *core);
++
+ static void clk_core_unprepare(struct clk_core *core)
+ {
+ lockdep_assert_held(&prepare_lock);
+@@ -841,6 +857,9 @@ static void clk_core_unprepare(struct clk_core *core)
+
+ WARN(core->enable_count > 0, "Unpreparing enabled %s\n", core->name);
+
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_enable_lock(core->parent);
++
+ trace_clk_unprepare(core);
+
+ if (core->ops->unprepare)
+@@ -849,6 +868,9 @@ static void clk_core_unprepare(struct clk_core *core)
+ clk_pm_runtime_put(core);
+
+ trace_clk_unprepare_complete(core);
++
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_lock(core->parent);
+ clk_core_unprepare(core->parent);
+ }
+
+@@ -897,6 +919,9 @@ static int clk_core_prepare(struct clk_core *core)
+ if (ret)
+ goto runtime_put;
+
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_enable_lock(core->parent);
++
+ trace_clk_prepare(core);
+
+ if (core->ops->prepare)
+@@ -904,6 +929,9 @@ static int clk_core_prepare(struct clk_core *core)
+
+ trace_clk_prepare_complete(core);
+
++ if (core->flags & CLK_OPS_PARENT_ENABLE)
++ clk_core_disable_lock(core->parent);
++
+ if (ret)
+ goto unprepare;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3ba3941b50fda8ecd07a6f0b987ac973c6470db3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 13:02:47 +0800
+Subject: drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported"
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit 233f56745be446b289edac2ba8184c09365c005e ]
+
+There is a spelling mistake in a gvt_vgpu_err error message. Fix it.
+
+Fixes: 695fbc08d80f ("drm/i915/gvt: replace the gvt_err with gvt_vgpu_err")
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220315202449.2952845-1-colin.i.king@gmail.com
+Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gvt/handlers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c
+index 0b1ea29dcffac..606e6c315fe24 100644
+--- a/drivers/gpu/drm/i915/gvt/handlers.c
++++ b/drivers/gpu/drm/i915/gvt/handlers.c
+@@ -660,7 +660,7 @@ static int update_fdi_rx_iir_status(struct intel_vgpu *vgpu,
+ else if (FDI_RX_IMR_TO_PIPE(offset) != INVALID_INDEX)
+ index = FDI_RX_IMR_TO_PIPE(offset);
+ else {
+- gvt_vgpu_err("Unsupport registers %x\n", offset);
++ gvt_vgpu_err("Unsupported registers %x\n", offset);
+ return -EINVAL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 6595abf19475352a3b1cbb2064361e9438389eef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 18:37:35 +0800
+Subject: gpio: pca953x: Add mutex_lock for regcache sync in PM
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 518e26f11af2fe4f5bebf9a0351595d508c7077f ]
+
+The regcache sync will set the cache_bypass = true, at that
+time, when there is regmap write operation, it will bypass
+the regmap cache, then the regcache sync will write back the
+value from cache to register, which is not as our expectation.
+
+Though regmap already use its internal lock to avoid such issue,
+but this driver force disable the regmap internal lock in its
+regmap config: disable_locking = true
+
+To avoid this issue, use the driver's own lock to do the protect
+in system PM.
+
+Fixes: b76574300504 ("gpio: pca953x: Restore registers after suspend/resume cycle")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pca953x.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 957be5f69406a..3ad1a9e432c8a 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -1162,7 +1162,9 @@ static int pca953x_suspend(struct device *dev)
+ {
+ struct pca953x_chip *chip = dev_get_drvdata(dev);
+
++ mutex_lock(&chip->i2c_lock);
+ regcache_cache_only(chip->regmap, true);
++ mutex_unlock(&chip->i2c_lock);
+
+ if (atomic_read(&chip->wakeup_path))
+ device_set_wakeup_path(dev);
+@@ -1185,13 +1187,17 @@ static int pca953x_resume(struct device *dev)
+ }
+ }
+
++ mutex_lock(&chip->i2c_lock);
+ regcache_cache_only(chip->regmap, false);
+ regcache_mark_dirty(chip->regmap);
+ ret = pca953x_regcache_sync(dev);
+- if (ret)
++ if (ret) {
++ mutex_unlock(&chip->i2c_lock);
+ return ret;
++ }
+
+ ret = regcache_sync(chip->regmap);
++ mutex_unlock(&chip->i2c_lock);
+ if (ret) {
+ dev_err(dev, "Failed to restore register map: %d\n", ret);
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From afbecabc5235b9eff86e6d00f76d2997843962b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 03:11:01 +0200
+Subject: hwmon: (gpio-fan) Fix array out of bounds access
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit f233d2be38dbbb22299192292983037f01ab363c ]
+
+The driver does not check if the cooling state passed to
+gpio_fan_set_cur_state() exceeds the maximum cooling state as
+stored in fan_data->num_speeds. Since the cooling state is later
+used as an array index in set_fan_speed(), an array out of bounds
+access can occur.
+This can be exploited by setting the state of the thermal cooling device
+to arbitrary values, causing for example a kernel oops when unavailable
+memory is accessed this way.
+
+Example kernel oops:
+[ 807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064
+[ 807.987369] Mem abort info:
+[ 807.987398] ESR = 0x96000005
+[ 807.987428] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 807.987477] SET = 0, FnV = 0
+[ 807.987507] EA = 0, S1PTW = 0
+[ 807.987536] FSC = 0x05: level 1 translation fault
+[ 807.987570] Data abort info:
+[ 807.987763] ISV = 0, ISS = 0x00000005
+[ 807.987801] CM = 0, WnR = 0
+[ 807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000
+[ 807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+[ 807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP
+[ 807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
+[ 807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G C 5.15.56-v8+ #1575
+[ 807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
+[ 807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan]
+[ 807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
+[ 807.988691] sp : ffffffc008cf3bd0
+[ 807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000
+[ 807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920
+[ 807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c
+[ 807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000
+[ 807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70
+[ 807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+[ 807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c
+[ 807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009
+[ 807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8
+[ 807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060
+[ 807.989084] Call trace:
+[ 807.989091] set_fan_speed.part.5+0x34/0x80 [gpio_fan]
+[ 807.989113] gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
+[ 807.989199] cur_state_store+0x84/0xd0
+[ 807.989221] dev_attr_store+0x20/0x38
+[ 807.989262] sysfs_kf_write+0x4c/0x60
+[ 807.989282] kernfs_fop_write_iter+0x130/0x1c0
+[ 807.989298] new_sync_write+0x10c/0x190
+[ 807.989315] vfs_write+0x254/0x378
+[ 807.989362] ksys_write+0x70/0xf8
+[ 807.989379] __arm64_sys_write+0x24/0x30
+[ 807.989424] invoke_syscall+0x4c/0x110
+[ 807.989442] el0_svc_common.constprop.3+0xfc/0x120
+[ 807.989458] do_el0_svc+0x2c/0x90
+[ 807.989473] el0_svc+0x24/0x60
+[ 807.989544] el0t_64_sync_handler+0x90/0xb8
+[ 807.989558] el0t_64_sync+0x1a0/0x1a4
+[ 807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416)
+[ 807.989627] ---[ end trace 8ded4c918658445b ]---
+
+Fix this by checking the cooling state and return an error if it
+exceeds the maximum cooling state.
+
+Tested on a Raspberry Pi 3.
+
+Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20220830011101.178843-1-W_Armin@gmx.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/gpio-fan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hwmon/gpio-fan.c b/drivers/hwmon/gpio-fan.c
+index 3ea4021f267cf..d96e435cc42b1 100644
+--- a/drivers/hwmon/gpio-fan.c
++++ b/drivers/hwmon/gpio-fan.c
+@@ -391,6 +391,9 @@ static int gpio_fan_set_cur_state(struct thermal_cooling_device *cdev,
+ if (!fan_data)
+ return -EINVAL;
+
++ if (state >= fan_data->num_speed)
++ return -EINVAL;
++
+ set_fan_speed(fan_data, state);
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3ba2321bce156a5bbc7b607b60b542cea2363657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 16:33:18 -0700
+Subject: Input: rk805-pwrkey - fix module autoloading
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 99077ad668ddd9b4823cc8ce3f3c7a3fc56f6fd9 ]
+
+Add the module alias so the rk805-pwrkey driver will
+autoload when built as a module.
+
+Fixes: 5a35b85c2d92 ("Input: add power key driver for Rockchip RK805 PMIC")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://lore.kernel.org/r/20220612225437.3628788-1-pbrobinson@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/rk805-pwrkey.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/rk805-pwrkey.c b/drivers/input/misc/rk805-pwrkey.c
+index 3fb64dbda1a21..76873aa005b41 100644
+--- a/drivers/input/misc/rk805-pwrkey.c
++++ b/drivers/input/misc/rk805-pwrkey.c
+@@ -98,6 +98,7 @@ static struct platform_driver rk805_pwrkey_driver = {
+ };
+ module_platform_driver(rk805_pwrkey_driver);
+
++MODULE_ALIAS("platform:rk805-pwrkey");
+ MODULE_AUTHOR("Joseph Chen <chenjh@rock-chips.com>");
+ MODULE_DESCRIPTION("RK805 PMIC Power Key driver");
+ MODULE_LICENSE("GPL");
+--
+2.35.1
+
--- /dev/null
+From 2dd63a1f1cd332c7c5430c9a0390fe7736caa0b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 10:49:47 -0700
+Subject: KVM: x86: Mask off unsupported and unknown bits of
+ IA32_ARCH_CAPABILITIES
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit 0204750bd4c6ccc2fb7417618477f10373b33f56 ]
+
+KVM should not claim to virtualize unknown IA32_ARCH_CAPABILITIES
+bits. When kvm_get_arch_capabilities() was originally written, there
+were only a few bits defined in this MSR, and KVM could virtualize all
+of them. However, over the years, several bits have been defined that
+KVM cannot just blindly pass through to the guest without additional
+work (such as virtualizing an MSR promised by the
+IA32_ARCH_CAPABILITES feature bit).
+
+Define a mask of supported IA32_ARCH_CAPABILITIES bits, and mask off
+any other bits that are set in the hardware MSR.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Fixes: 5b76a3cff011 ("KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Vipin Sharma <vipinsh@google.com>
+Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
+Message-Id: <20220830174947.2182144-1-jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 5f4f855bb3b10..c5a08ec348e6f 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1364,12 +1364,32 @@ static const u32 msr_based_features_all[] = {
+ static u32 msr_based_features[ARRAY_SIZE(msr_based_features_all)];
+ static unsigned int num_msr_based_features;
+
++/*
++ * Some IA32_ARCH_CAPABILITIES bits have dependencies on MSRs that KVM
++ * does not yet virtualize. These include:
++ * 10 - MISC_PACKAGE_CTRLS
++ * 11 - ENERGY_FILTERING_CTL
++ * 12 - DOITM
++ * 18 - FB_CLEAR_CTRL
++ * 21 - XAPIC_DISABLE_STATUS
++ * 23 - OVERCLOCKING_STATUS
++ */
++
++#define KVM_SUPPORTED_ARCH_CAP \
++ (ARCH_CAP_RDCL_NO | ARCH_CAP_IBRS_ALL | ARCH_CAP_RSBA | \
++ ARCH_CAP_SKIP_VMENTRY_L1DFLUSH | ARCH_CAP_SSB_NO | ARCH_CAP_MDS_NO | \
++ ARCH_CAP_PSCHANGE_MC_NO | ARCH_CAP_TSX_CTRL_MSR | ARCH_CAP_TAA_NO | \
++ ARCH_CAP_SBDR_SSDP_NO | ARCH_CAP_FBSDP_NO | ARCH_CAP_PSDP_NO | \
++ ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO)
++
+ static u64 kvm_get_arch_capabilities(void)
+ {
+ u64 data = 0;
+
+- if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
++ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) {
+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, data);
++ data &= KVM_SUPPORTED_ARCH_CAP;
++ }
+
+ /*
+ * If nx_huge_pages is enabled, KVM's shadow paging will ensure that
+@@ -1417,9 +1437,6 @@ static u64 kvm_get_arch_capabilities(void)
+ */
+ }
+
+- /* Guests don't need to know "Fill buffer clear control" exists */
+- data &= ~ARCH_CAP_FB_CLEAR_CTRL;
+-
+ return data;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From ed9d6a679077598cc39476ab56e5d077b05ebd8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 12:26:12 +0100
+Subject: mm: pagewalk: Fix race between unmap and page walker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Price <steven.price@arm.com>
+
+[ Upstream commit 8782fb61cc848364e1e1599d76d3c9dd58a1cc06 ]
+
+The mmap lock protects the page walker from changes to the page tables
+during the walk. However a read lock is insufficient to protect those
+areas which don't have a VMA as munmap() detaches the VMAs before
+downgrading to a read lock and actually tearing down PTEs/page tables.
+
+For users of walk_page_range() the solution is to simply call pte_hole()
+immediately without checking the actual page tables when a VMA is not
+present. We now never call __walk_page_range() without a valid vma.
+
+For walk_page_range_novma() the locking requirements are tightened to
+require the mmap write lock to be taken, and then walking the pgd
+directly with 'no_vma' set.
+
+This in turn means that all page walkers either have a valid vma, or
+it's that special 'novma' case for page table debugging. As a result,
+all the odd '(!walk->vma && !walk->no_vma)' tests can be removed.
+
+Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Konstantin Khlebnikov <koct9i@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/pageattr.c | 4 ++--
+ mm/pagewalk.c | 21 ++++++++++++---------
+ mm/ptdump.c | 4 ++--
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c
+index 19fecb362d815..09f6be19ba7b3 100644
+--- a/arch/riscv/mm/pageattr.c
++++ b/arch/riscv/mm/pageattr.c
+@@ -118,10 +118,10 @@ static int __set_memory(unsigned long addr, int numpages, pgprot_t set_mask,
+ if (!numpages)
+ return 0;
+
+- mmap_read_lock(&init_mm);
++ mmap_write_lock(&init_mm);
+ ret = walk_page_range_novma(&init_mm, start, end, &pageattr_ops, NULL,
+ &masks);
+- mmap_read_unlock(&init_mm);
++ mmap_write_unlock(&init_mm);
+
+ flush_tlb_kernel_range(start, end);
+
+diff --git a/mm/pagewalk.c b/mm/pagewalk.c
+index e81640d9f1770..371ec21a19899 100644
+--- a/mm/pagewalk.c
++++ b/mm/pagewalk.c
+@@ -71,7 +71,7 @@ static int walk_pmd_range(pud_t *pud, unsigned long addr, unsigned long end,
+ do {
+ again:
+ next = pmd_addr_end(addr, end);
+- if (pmd_none(*pmd) || (!walk->vma && !walk->no_vma)) {
++ if (pmd_none(*pmd)) {
+ if (ops->pte_hole)
+ err = ops->pte_hole(addr, next, depth, walk);
+ if (err)
+@@ -129,7 +129,7 @@ static int walk_pud_range(p4d_t *p4d, unsigned long addr, unsigned long end,
+ do {
+ again:
+ next = pud_addr_end(addr, end);
+- if (pud_none(*pud) || (!walk->vma && !walk->no_vma)) {
++ if (pud_none(*pud)) {
+ if (ops->pte_hole)
+ err = ops->pte_hole(addr, next, depth, walk);
+ if (err)
+@@ -318,19 +318,19 @@ static int __walk_page_range(unsigned long start, unsigned long end,
+ struct vm_area_struct *vma = walk->vma;
+ const struct mm_walk_ops *ops = walk->ops;
+
+- if (vma && ops->pre_vma) {
++ if (ops->pre_vma) {
+ err = ops->pre_vma(start, end, walk);
+ if (err)
+ return err;
+ }
+
+- if (vma && is_vm_hugetlb_page(vma)) {
++ if (is_vm_hugetlb_page(vma)) {
+ if (ops->hugetlb_entry)
+ err = walk_hugetlb_range(start, end, walk);
+ } else
+ err = walk_pgd_range(start, end, walk);
+
+- if (vma && ops->post_vma)
++ if (ops->post_vma)
+ ops->post_vma(walk);
+
+ return err;
+@@ -402,9 +402,13 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
+ if (!vma) { /* after the last vma */
+ walk.vma = NULL;
+ next = end;
++ if (ops->pte_hole)
++ err = ops->pte_hole(start, next, -1, &walk);
+ } else if (start < vma->vm_start) { /* outside vma */
+ walk.vma = NULL;
+ next = min(end, vma->vm_start);
++ if (ops->pte_hole)
++ err = ops->pte_hole(start, next, -1, &walk);
+ } else { /* inside vma */
+ walk.vma = vma;
+ next = min(end, vma->vm_end);
+@@ -422,9 +426,8 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
+ }
+ if (err < 0)
+ break;
+- }
+- if (walk.vma || walk.ops->pte_hole)
+ err = __walk_page_range(start, next, &walk);
++ }
+ if (err)
+ break;
+ } while (start = next, start < end);
+@@ -453,9 +456,9 @@ int walk_page_range_novma(struct mm_struct *mm, unsigned long start,
+ if (start >= end || !walk.mm)
+ return -EINVAL;
+
+- mmap_assert_locked(walk.mm);
++ mmap_assert_write_locked(walk.mm);
+
+- return __walk_page_range(start, end, &walk);
++ return walk_pgd_range(start, end, &walk);
+ }
+
+ int walk_page_vma(struct vm_area_struct *vma, const struct mm_walk_ops *ops,
+diff --git a/mm/ptdump.c b/mm/ptdump.c
+index 93f2f63dc52dc..a917bf55c61ea 100644
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -141,13 +141,13 @@ void ptdump_walk_pgd(struct ptdump_state *st, struct mm_struct *mm, pgd_t *pgd)
+ {
+ const struct ptdump_range *range = st->range;
+
+- mmap_read_lock(mm);
++ mmap_write_lock(mm);
+ while (range->start != range->end) {
+ walk_page_range_novma(mm, range->start, range->end,
+ &ptdump_ops, pgd, st);
+ range++;
+ }
+- mmap_read_unlock(mm);
++ mmap_write_unlock(mm);
+
+ /* Flush out the last page */
+ st->note_page(st, 0, -1, 0);
+--
+2.35.1
+
--- /dev/null
+From 7b82219bde71f593e86d2e2c318ae696be110628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 10:53:25 -0700
+Subject: Revert "clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops"
+
+From: Stephen Boyd <sboyd@kernel.org>
+
+[ Upstream commit abb5f3f4b1f5f0ad50eb067a00051d3587dec9fb ]
+
+This reverts commit 35b0fac808b95eea1212f8860baf6ad25b88b087. Alexander
+reports that it causes boot failures on i.MX8M Plus based boards
+(specifically imx8mp-tqma8mpql-mba8mpxl.dts).
+
+Reported-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Cc: Chen-Yu Tsai <wenst@chromium.org>
+Fixes: 35b0fac808b9 ("clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops")
+Link: https://lore.kernel.org/r/12115951.O9o76ZdvQC@steina-w
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20220831175326.2523912-1-sboyd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk.c | 28 ----------------------------
+ 1 file changed, 28 deletions(-)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 4f20d5318183f..2e56cc0a3bce6 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -203,9 +203,6 @@ static bool clk_core_rate_is_protected(struct clk_core *core)
+ return core->protect_count;
+ }
+
+-static int clk_core_prepare_enable(struct clk_core *core);
+-static void clk_core_disable_unprepare(struct clk_core *core);
+-
+ static bool clk_core_is_prepared(struct clk_core *core)
+ {
+ bool ret = false;
+@@ -218,11 +215,7 @@ static bool clk_core_is_prepared(struct clk_core *core)
+ return core->prepare_count;
+
+ if (!clk_pm_runtime_get(core)) {
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_prepare_enable(core->parent);
+ ret = core->ops->is_prepared(core->hw);
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_unprepare(core->parent);
+ clk_pm_runtime_put(core);
+ }
+
+@@ -258,13 +251,7 @@ static bool clk_core_is_enabled(struct clk_core *core)
+ }
+ }
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_prepare_enable(core->parent);
+-
+ ret = core->ops->is_enabled(core->hw);
+-
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_unprepare(core->parent);
+ done:
+ if (core->rpm_enabled)
+ pm_runtime_put(core->dev);
+@@ -831,9 +818,6 @@ int clk_rate_exclusive_get(struct clk *clk)
+ }
+ EXPORT_SYMBOL_GPL(clk_rate_exclusive_get);
+
+-static int clk_core_enable_lock(struct clk_core *core);
+-static void clk_core_disable_lock(struct clk_core *core);
+-
+ static void clk_core_unprepare(struct clk_core *core)
+ {
+ lockdep_assert_held(&prepare_lock);
+@@ -857,9 +841,6 @@ static void clk_core_unprepare(struct clk_core *core)
+
+ WARN(core->enable_count > 0, "Unpreparing enabled %s\n", core->name);
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_enable_lock(core->parent);
+-
+ trace_clk_unprepare(core);
+
+ if (core->ops->unprepare)
+@@ -868,9 +849,6 @@ static void clk_core_unprepare(struct clk_core *core)
+ clk_pm_runtime_put(core);
+
+ trace_clk_unprepare_complete(core);
+-
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_lock(core->parent);
+ clk_core_unprepare(core->parent);
+ }
+
+@@ -919,9 +897,6 @@ static int clk_core_prepare(struct clk_core *core)
+ if (ret)
+ goto runtime_put;
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_enable_lock(core->parent);
+-
+ trace_clk_prepare(core);
+
+ if (core->ops->prepare)
+@@ -929,9 +904,6 @@ static int clk_core_prepare(struct clk_core *core)
+
+ trace_clk_prepare_complete(core);
+
+- if (core->flags & CLK_OPS_PARENT_ENABLE)
+- clk_core_disable_lock(core->parent);
+-
+ if (ret)
+ goto unprepare;
+ }
+--
+2.35.1
+
usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch
binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch
usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
+drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch
+clk-core-honor-clk_ops_parent_enable-for-clk-gate-op.patch
+revert-clk-core-honor-clk_ops_parent_enable-for-clk-.patch
+clk-core-fix-runtime-pm-sequence-in-clk_core_unprepa.patch
+input-rk805-pwrkey-fix-module-autoloading.patch
+clk-bcm-rpi-fix-error-handling-of-raspberrypi_fw_get.patch
+clk-bcm-rpi-use-correct-order-for-the-parameters-of-.patch
+clk-bcm-rpi-prevent-out-of-bounds-access.patch
+clk-bcm-rpi-add-missing-newline.patch
+hwmon-gpio-fan-fix-array-out-of-bounds-access.patch
+gpio-pca953x-add-mutex_lock-for-regcache-sync-in-pm.patch
+kvm-x86-mask-off-unsupported-and-unknown-bits-of-ia3.patch
+xen-grants-prevent-integer-overflow-in-gnttab_dma_al.patch
+mm-pagewalk-fix-race-between-unmap-and-page-walker.patch
--- /dev/null
+From c562a7c1c17c32db7e26e5da946e6c755afa0efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 18:35:20 +0300
+Subject: xen/grants: prevent integer overflow in gnttab_dma_alloc_pages()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e9ea0b30ada008f4e65933f449db6894832cb242 ]
+
+The change from kcalloc() to kvmalloc() means that arg->nr_pages
+might now be large enough that the "args->nr_pages << PAGE_SHIFT" can
+result in an integer overflow.
+
+Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/YxDROJqu/RPvR0bi@kili
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/grant-table.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
+index 5c83d41766c85..0a2d24d6ac6f7 100644
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -981,6 +981,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args *args)
+ size_t size;
+ int i, ret;
+
++ if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT))
++ return -ENOMEM;
++
+ size = args->nr_pages << PAGE_SHIFT;
+ if (args->coherent)
+ args->vaddr = dma_alloc_coherent(args->dev, size,
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
