--- /dev/null
+From cd49f900a9854127adb310001f4d7c83d55506b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 20:49:50 +0200
+Subject: ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
+
+From: Arvid Norlander <lkml@vorpal.se>
+
+[ Upstream commit 574160b8548deff8b80b174f03201e94ab8431e2 ]
+
+Toshiba Satellite Z830 needs the quirk video_disable_backlight_sysfs_if
+for proper backlight control after suspend/resume cycles.
+
+Toshiba Portege Z830 is simply the same laptop rebranded for certain
+markets (I looked through the manual to other language sections to confirm
+this) and thus also needs this quirk.
+
+Thanks to Hans de Goede for suggesting this fix.
+
+Link: https://www.spinics.net/lists/platform-driver-x86/msg34394.html
+Suggested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Arvid Norlander <lkml@vorpal.se>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Arvid Norlander <lkml@vorpal.se>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_video.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index ac54fc03cf81..eb7fca6f9444 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -511,6 +511,22 @@ static const struct dmi_system_id video_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE R830"),
+ },
+ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Satellite Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE Z830"),
++ },
++ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Portege Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE Z830"),
++ },
++ },
+ /*
+ * Some machine's _DOD IDs don't have bit 31(Device ID Scheme) set
+ * but the IDs actually follow the Device ID Scheme.
+--
+2.35.1
+
--- /dev/null
+From 332864df7b33b479a3a4a18d4269ecac575c8f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 18:58:13 +0200
+Subject: ALSA: dmaengine: increment buffer pointer atomically
+
+From: Andreas Pape <apape@de.adit-jv.com>
+
+[ Upstream commit d1c442019594692c64a70a86ad88eb5b6db92216 ]
+
+Setting pointer and afterwards checking for wraparound leads
+to the possibility of returning the inconsistent pointer position.
+
+This patch increments buffer pointer atomically to avoid this issue.
+
+Fixes: e7f73a1613567a ("ASoC: Add dmaengine PCM helper functions")
+Signed-off-by: Andreas Pape <apape@de.adit-jv.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Link: https://lore.kernel.org/r/1664211493-11789-1-git-send-email-erosca@de.adit-jv.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_dmaengine.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c
+index 8eb58c709b14..6f6da1128edc 100644
+--- a/sound/core/pcm_dmaengine.c
++++ b/sound/core/pcm_dmaengine.c
+@@ -139,12 +139,14 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_set_config_from_dai_data);
+
+ static void dmaengine_pcm_dma_complete(void *arg)
+ {
++ unsigned int new_pos;
+ struct snd_pcm_substream *substream = arg;
+ struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream);
+
+- prtd->pos += snd_pcm_lib_period_bytes(substream);
+- if (prtd->pos >= snd_pcm_lib_buffer_bytes(substream))
+- prtd->pos = 0;
++ new_pos = prtd->pos + snd_pcm_lib_period_bytes(substream);
++ if (new_pos >= snd_pcm_lib_buffer_bytes(substream))
++ new_pos = 0;
++ prtd->pos = new_pos;
+
+ snd_pcm_period_elapsed(substream);
+ }
+--
+2.35.1
+
--- /dev/null
+From 1a67d667c581bf5a9b16b5717f5f2611cfb587fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:28:26 +0200
+Subject: ARM: Drop CMDLINE_* dependency on ATAGS
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 136f4b1ec7c962ee37a787e095fd37b058d72bd3 ]
+
+On arm32, the configuration options to specify the kernel command line
+type depend on ATAGS. However, the actual CMDLINE cofiguration option
+does not depend on ATAGS, and the code that handles this is not specific
+to ATAGS (see drivers/of/fdt.c:early_init_dt_scan_chosen()).
+
+Hence users who desire to override the kernel command line on arm32 must
+enable support for ATAGS, even on a pure-DT system. Other architectures
+(arm64, loongarch, microblaze, nios2, powerpc, and riscv) do not impose
+such a restriction.
+
+Hence drop the dependency on ATAGS.
+
+Fixes: bd51e2f595580fb6 ("ARM: 7506/1: allow for ATAGS to be configured out when DT support is selected")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index fce7e85f3ef5..41bde0e62e90 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1943,7 +1943,6 @@ config CMDLINE
+ choice
+ prompt "Kernel command line type" if CMDLINE != ""
+ default CMDLINE_FROM_BOOTLOADER
+- depends on ATAGS
+
+ config CMDLINE_FROM_BOOTLOADER
+ bool "Use bootloader kernel arguments if available"
+--
+2.35.1
+
--- /dev/null
+From 0b611377c19e926118ec035180397a7de3772353 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 12:43:53 +0200
+Subject: ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 3ba2d4bb9592bf7a6a3fe3dbe711ecfc3d004bab ]
+
+According to s5k6a3 driver code, the reset line for the chip appears to
+be active low. This also matches the typical polarity of reset lines in
+general. Let's fix it up as having correct polarity in DTS is important
+when the driver will be switched over to gpiod API.
+
+Fixes: b4fec64758ab ("ARM: dts: Add camera device nodes for Exynos4412 TRATS2 board")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20220913164104.203957-1-dmitry.torokhov@gmail.com
+Link: https://lore.kernel.org/r/20220926104354.118578-2-krzysztof.kozlowski@linaro.org'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos4412-midas.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-midas.dtsi b/arch/arm/boot/dts/exynos4412-midas.dtsi
+index 60fbad25b5f2..93c8918e599b 100644
+--- a/arch/arm/boot/dts/exynos4412-midas.dtsi
++++ b/arch/arm/boot/dts/exynos4412-midas.dtsi
+@@ -525,7 +525,7 @@
+ clocks = <&camera 1>;
+ clock-names = "extclk";
+ samsung,camclk-out = <1>;
+- gpios = <&gpm1 6 GPIO_ACTIVE_HIGH>;
++ gpios = <&gpm1 6 GPIO_ACTIVE_LOW>;
+
+ port {
+ is_s5k6a3_ep: endpoint {
+--
+2.35.1
+
--- /dev/null
+From 4472e25f08cdb71163d4eadb499d8b5cf2e6fbfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:05:03 -0700
+Subject: ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit a08137bd1e0a7ce951dce9ce4a83e39d379b6e1b ]
+
+EHCI Oxynos (drivers/usb/host/ehci-exynos.c) drives VBUS GPIO high when
+trying to power up the bus, therefore the GPIO in DTS must be marked as
+"active high". This will be important when EHCI driver is converted to
+gpiod API that respects declared polarities.
+
+Fixes: 4e8991def565 ("ARM: dts: exynos: Enable AX88760 USB hub on Origen board")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/20220927220504.3744878-1-dmitry.torokhov@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos4412-origen.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-origen.dts b/arch/arm/boot/dts/exynos4412-origen.dts
+index 346f71932457..e5bfa76185a2 100644
+--- a/arch/arm/boot/dts/exynos4412-origen.dts
++++ b/arch/arm/boot/dts/exynos4412-origen.dts
+@@ -87,7 +87,7 @@
+ };
+
+ &ehci {
+- samsung,vbus-gpio = <&gpx3 5 1>;
++ samsung,vbus-gpio = <&gpx3 5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+
+ port@1 {
+--
+2.35.1
+
--- /dev/null
+From cd92de31c06106f422222e5e2ac0fdb2d9f63aba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:32 +0200
+Subject: ARM: dts: imx6dl: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit f5848b95633d598bacf0500e0108dc5961af88c0 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6dl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi
+index f0607eb41df4..079f77c7e0f0 100644
+--- a/arch/arm/boot/dts/imx6dl.dtsi
++++ b/arch/arm/boot/dts/imx6dl.dtsi
+@@ -81,6 +81,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From d87be3c860980f6e20e6cb3d87027829eca6bd14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:31 +0200
+Subject: ARM: dts: imx6q: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit b11d083c5dcec7c42fe982c854706d404ddd3a5f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6q.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi
+index 0193ee6fe964..a28dce3c6457 100644
+--- a/arch/arm/boot/dts/imx6q.dtsi
++++ b/arch/arm/boot/dts/imx6q.dtsi
+@@ -158,6 +158,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x40000>;
++ ranges = <0 0x00900000 0x40000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From e3c681cb69633d1fc1af2b572fc48b7c78e7056c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:33 +0200
+Subject: ARM: dts: imx6qp: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 088fe5237435ee2f7ed4450519b2ef58b94c832f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@940000: '#address-cells' is a required property
+sram@940000: '#size-cells' is a required property
+sram@940000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qp.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6qp.dtsi b/arch/arm/boot/dts/imx6qp.dtsi
+index d91f92f944c5..3633383db706 100644
+--- a/arch/arm/boot/dts/imx6qp.dtsi
++++ b/arch/arm/boot/dts/imx6qp.dtsi
+@@ -9,12 +9,18 @@
+ ocram2: sram@940000 {
+ compatible = "mmio-sram";
+ reg = <0x00940000 0x20000>;
++ ranges = <0 0x00940000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+ ocram3: sram@960000 {
+ compatible = "mmio-sram";
+ reg = <0x00960000 0x20000>;
++ ranges = <0 0x00960000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From eba333291f3d1a7b198a7562afa80c1ead3554e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:34 +0200
+Subject: ARM: dts: imx6sl: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 60c9213a1d9941a8b33db570796c3f9be8984974 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi
+index 9d19183f40e1..afde0ed6d71a 100644
+--- a/arch/arm/boot/dts/imx6sl.dtsi
++++ b/arch/arm/boot/dts/imx6sl.dtsi
+@@ -118,6 +118,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 15cdde9cc95ccfa4c89485f00338eab85511ee6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:35 +0200
+Subject: ARM: dts: imx6sll: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 7492a83ed9b7a151e2dd11d64b06da7a7f0fa7f9 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sll.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sll.dtsi b/arch/arm/boot/dts/imx6sll.dtsi
+index 7c7d5c47578e..d7d092a5522a 100644
+--- a/arch/arm/boot/dts/imx6sll.dtsi
++++ b/arch/arm/boot/dts/imx6sll.dtsi
+@@ -131,6 +131,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ };
+
+ L2: l2-cache@a02000 {
+--
+2.35.1
+
--- /dev/null
+From 16398571c4eb87ce8a06fba01931fee351687eca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:36 +0200
+Subject: ARM: dts: imx6sx: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 415432c008b2bce8138841356ba444631cabaa50 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sx.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
+index ae0728df542e..b9ab1118be30 100644
+--- a/arch/arm/boot/dts/imx6sx.dtsi
++++ b/arch/arm/boot/dts/imx6sx.dtsi
+@@ -167,12 +167,18 @@
+ ocram_s: sram@8f8000 {
+ compatible = "mmio-sram";
+ reg = <0x008f8000 0x4000>;
++ ranges = <0 0x008f8000 0x4000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SX_CLK_OCRAM_S>;
+ };
+
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SX_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From d0c2c360c1998f64cb933a4c4f426b2260c06082 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 18:16:22 +0800
+Subject: ARM: dts: imx7d-sdb: config the max pressure for tsc2046
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit e7c4ebe2f9cd68588eb24ba4ed122e696e2d5272 ]
+
+Use the general touchscreen method to config the max pressure for
+touch tsc2046(data sheet suggest 8 bit pressure), otherwise, for
+ABS_PRESSURE, when config the same max and min value, weston will
+meet the following issue,
+
+[17:19:39.183] event1 - ADS7846 Touchscreen: is tagged by udev as: Touchscreen
+[17:19:39.183] event1 - ADS7846 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE
+[17:19:39.183] event1 - ADS7846 Touchscreen: was rejected
+[17:19:39.183] event1 - not using input device '/dev/input/event1'
+
+This will then cause the APP weston-touch-calibrator can't list touch devices.
+
+root@imx6ul7d:~# weston-touch-calibrator
+could not load cursor 'dnd-move'
+could not load cursor 'dnd-copy'
+could not load cursor 'dnd-none'
+No devices listed.
+
+And accroding to binding Doc, "ti,x-max", "ti,y-max", "ti,pressure-max"
+belong to the deprecated properties, so remove them. Also for "ti,x-min",
+"ti,y-min", "ti,x-plate-ohms", the value set in dts equal to the default
+value in driver, so are redundant, also remove here.
+
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx7d-sdb.dts | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts
+index 317f1bcc56e2..bd2c3c8f4ebb 100644
+--- a/arch/arm/boot/dts/imx7d-sdb.dts
++++ b/arch/arm/boot/dts/imx7d-sdb.dts
+@@ -163,12 +163,7 @@
+ interrupt-parent = <&gpio2>;
+ interrupts = <29 0>;
+ pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>;
+- ti,x-min = /bits/ 16 <0>;
+- ti,x-max = /bits/ 16 <0>;
+- ti,y-min = /bits/ 16 <0>;
+- ti,y-max = /bits/ 16 <0>;
+- ti,pressure-max = /bits/ 16 <0>;
+- ti,x-plate-ohms = /bits/ 16 <400>;
++ touchscreen-max-pressure = <255>;
+ wakeup-source;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From 120c5cdcaf08ac48ef13ab325f470811ea423aec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 02:10:24 +0200
+Subject: ARM: dts: kirkwood: lsxl: fix serial line
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 04eabc6ac10fda9424606d9a7ab6ab9a5d95350a ]
+
+Commit 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl
+settings") unknowingly broke the serial output on this board. Before
+this commit, the pinmux was still configured by the bootloader and the
+kernel didn't reconfigured it again. This was an oversight by the
+initial board support where the pinmux for the serial line was never
+configured by the kernel. But with this commit, the serial line will be
+reconfigured to the wrong pins. This is especially confusing, because
+the output still works, but the input doesn't. Presumingly, the input is
+reconfigured to MPP10, but the output is connected to both MPP11 and
+MPP5.
+
+Override the pinmux in the board device tree.
+
+Fixes: 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl settings")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index 7b151acb9984..321a40a98ed2 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -10,6 +10,11 @@
+
+ ocp@f1000000 {
+ pinctrl: pin-controller@10000 {
++ /* Non-default UART pins */
++ pmx_uart0: pmx-uart0 {
++ marvell,pins = "mpp4", "mpp5";
++ };
++
+ pmx_power_hdd: pmx-power-hdd {
+ marvell,pins = "mpp10";
+ marvell,function = "gpo";
+--
+2.35.1
+
--- /dev/null
+From 0ad7517cbcb9822940b003653e9253b59dc08327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 02:10:25 +0200
+Subject: ARM: dts: kirkwood: lsxl: remove first ethernet port
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 2d528eda7c96ce5c70f895854ecd5684bd5d80b9 ]
+
+Both the Linkstation LS-CHLv2 and the LS-XHL have only one ethernet
+port. This has always been wrong, i.e. the board code used to set up
+both ports, but the driver will play nice and return -ENODEV if the
+assiciated PHY is not found. Nevertheless, it is wrong. Remove it.
+
+Fixes: 876e23333511 ("ARM: kirkwood: add gigabit ethernet and mvmdio device tree nodes")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index 321a40a98ed2..88b70ba1c8fe 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -218,22 +218,11 @@
+ &mdio {
+ status = "okay";
+
+- ethphy0: ethernet-phy@0 {
+- reg = <0>;
+- };
+-
+ ethphy1: ethernet-phy@8 {
+ reg = <8>;
+ };
+ };
+
+-ð0 {
+- status = "okay";
+- ethernet0-port@0 {
+- phy-handle = <ðphy0>;
+- };
+-};
+-
+ ð1 {
+ status = "okay";
+ ethernet1-port@0 {
+--
+2.35.1
+
--- /dev/null
+From b7ff611327dd12914ed62dbbe53882faae2058ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 14:56:10 +0200
+Subject: ARM: dts: turris-omnia: Fix mpp26 pin name and comment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit 49e93898f0dc177e645c22d0664813567fd9ec00 ]
+
+There is a bug in Turris Omnia's schematics, whereupon the MPP[26] pin,
+which is routed to CN11 pin header, is documented as SPI CS1, but
+MPP[26] pin does not support this function. Instead it controls chip
+select 2 if in "spi0" mode.
+
+Fix the name of the pin node in pinctrl node and fix the comment in SPI
+node.
+
+Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-385-turris-omnia.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+index fde4c302f08e..92e08486ec81 100644
+--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts
++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+@@ -307,7 +307,7 @@
+ marvell,function = "spi0";
+ };
+
+- spi0cs1_pins: spi0cs1-pins {
++ spi0cs2_pins: spi0cs2-pins {
+ marvell,pins = "mpp26";
+ marvell,function = "spi0";
+ };
+@@ -342,7 +342,7 @@
+ };
+ };
+
+- /* MISO, MOSI, SCLK and CS1 are routed to pin header CN11 */
++ /* MISO, MOSI, SCLK and CS2 are routed to pin header CN11 */
+ };
+
+ &uart0 {
+--
+2.35.1
+
--- /dev/null
+From 0b5fe8b835971b96e0c0097d317e9e1b472b835a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 21:55:50 +0200
+Subject: ARM: orion: fix include path
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 63872304bdb3decd5454f4dd210c25395278ed13 ]
+
+Now that CONFIG_ARCH_MULTIPLATFORM can be disabled anywhere,
+there is a build failure for plat-orion:
+
+arch/arm/plat-orion/irq.c:19:10: fatal error: plat/irq.h: No such file or directory
+
+Make the include path unconditional.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/plat-orion/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/plat-orion/Makefile b/arch/arm/plat-orion/Makefile
+index 9433605cd290..06c3530d8ad5 100644
+--- a/arch/arm/plat-orion/Makefile
++++ b/arch/arm/plat-orion/Makefile
+@@ -1,7 +1,7 @@
+ #
+ # Makefile for the linux kernel.
+ #
+-ccflags-$(CONFIG_ARCH_MULTIPLATFORM) := -I$(srctree)/$(src)/include
++ccflags-y := -I$(srctree)/$(src)/include
+
+ orion-gpio-$(CONFIG_GPIOLIB) += gpio.o
+ obj-$(CONFIG_PLAT_ORION_LEGACY) += irq.o pcie.o time.o common.o mpp.o
+--
+2.35.1
+
--- /dev/null
+From 4a00ef094cfafd1fd3fd7c7c57157d57c7ba51ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 13:23:18 +0900
+Subject: arm64: dts: uniphier: Add USB-device support for PXs3 reference board
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 19fee1a1096d21ab1f1e712148b5417bda2939a2 ]
+
+PXs3 reference board can change each USB port 0 and 1 to device mode
+with jumpers. Prepare devicetree sources for USB port 0 and 1.
+
+This specifies dr_mode, pinctrl, and some quirks and removes nodes for
+unused phys and vbus-supply properties.
+
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://lore.kernel.org/r/20220913042321.4817-8-hayashi.kunihiko@socionext.com'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/uniphier-pinctrl.dtsi | 10 +++++
+ arch/arm64/boot/dts/socionext/Makefile | 4 +-
+ .../socionext/uniphier-pxs3-ref-gadget0.dts | 41 +++++++++++++++++++
+ .../socionext/uniphier-pxs3-ref-gadget1.dts | 40 ++++++++++++++++++
+ 4 files changed, 94 insertions(+), 1 deletion(-)
+ create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+ create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+
+diff --git a/arch/arm/boot/dts/uniphier-pinctrl.dtsi b/arch/arm/boot/dts/uniphier-pinctrl.dtsi
+index 51f0e69f49fd..21cc91110439 100644
+--- a/arch/arm/boot/dts/uniphier-pinctrl.dtsi
++++ b/arch/arm/boot/dts/uniphier-pinctrl.dtsi
+@@ -156,11 +156,21 @@
+ function = "usb0";
+ };
+
++ pinctrl_usb0_device: usb0-device {
++ groups = "usb0_device";
++ function = "usb0";
++ };
++
+ pinctrl_usb1: usb1 {
+ groups = "usb1";
+ function = "usb1";
+ };
+
++ pinctrl_usb1_device: usb1-device {
++ groups = "usb1_device";
++ function = "usb1";
++ };
++
+ pinctrl_usb2: usb2 {
+ groups = "usb2";
+ function = "usb2";
+diff --git a/arch/arm64/boot/dts/socionext/Makefile b/arch/arm64/boot/dts/socionext/Makefile
+index d45441249cb5..c922d9303b69 100644
+--- a/arch/arm64/boot/dts/socionext/Makefile
++++ b/arch/arm64/boot/dts/socionext/Makefile
+@@ -4,4 +4,6 @@ dtb-$(CONFIG_ARCH_UNIPHIER) += \
+ uniphier-ld11-ref.dtb \
+ uniphier-ld20-global.dtb \
+ uniphier-ld20-ref.dtb \
+- uniphier-pxs3-ref.dtb
++ uniphier-pxs3-ref.dtb \
++ uniphier-pxs3-ref-gadget0.dtb \
++ uniphier-pxs3-ref-gadget1.dtb
+diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+new file mode 100644
+index 000000000000..7069f51bc120
+--- /dev/null
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+@@ -0,0 +1,41 @@
++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
++//
++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #0)
++//
++// Copyright (C) 2021 Socionext Inc.
++// Author: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
++
++/dts-v1/;
++#include "uniphier-pxs3-ref.dts"
++
++/ {
++ model = "UniPhier PXs3 Reference Board (USB-Device #0)";
++};
++
++/* I2C3 pinctrl is shared with USB*VBUSIN */
++&i2c3 {
++ status = "disabled";
++};
++
++&usb0 {
++ status = "okay";
++ dr_mode = "peripheral";
++ pinctrl-0 = <&pinctrl_usb0_device>;
++ snps,dis_enblslpm_quirk;
++ snps,dis_u2_susphy_quirk;
++ snps,dis_u3_susphy_quirk;
++ snps,usb2_gadget_lpm_disable;
++ phy-names = "usb2-phy", "usb3-phy";
++ phys = <&usb0_hsphy0>, <&usb0_ssphy0>;
++};
++
++&usb0_hsphy0 {
++ /delete-property/ vbus-supply;
++};
++
++&usb0_ssphy0 {
++ /delete-property/ vbus-supply;
++};
++
++/delete-node/ &usb0_hsphy1;
++/delete-node/ &usb0_ssphy1;
+diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+new file mode 100644
+index 000000000000..a3cfa8113ffb
+--- /dev/null
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+@@ -0,0 +1,40 @@
++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
++//
++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #1)
++//
++// Copyright (C) 2021 Socionext Inc.
++// Author: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
++
++/dts-v1/;
++#include "uniphier-pxs3-ref.dts"
++
++/ {
++ model = "UniPhier PXs3 Reference Board (USB-Device #1)";
++};
++
++/* I2C3 pinctrl is shared with USB*VBUSIN */
++&i2c3 {
++ status = "disabled";
++};
++
++&usb1 {
++ status = "okay";
++ dr_mode = "peripheral";
++ pinctrl-0 = <&pinctrl_usb1_device>;
++ snps,dis_enblslpm_quirk;
++ snps,dis_u2_susphy_quirk;
++ snps,dis_u3_susphy_quirk;
++ snps,usb2_gadget_lpm_disable;
++ phy-names = "usb2-phy", "usb3-phy";
++ phys = <&usb1_hsphy0>, <&usb1_ssphy0>;
++};
++
++&usb1_hsphy0 {
++ /delete-property/ vbus-supply;
++};
++
++&usb1_ssphy0 {
++ /delete-property/ vbus-supply;
++};
++
++/delete-node/ &usb1_hsphy1;
+--
+2.35.1
+
--- /dev/null
+From 229aec6c073941c7dde71f10cb47e639ada0dc34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 21:43:54 +0800
+Subject: ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit bfb735a3ceff0bab6473bac275da96f9b2a06dec ]
+
+In eukrea_tlv320_probe(), we need to hold the reference returned
+from of_find_compatible_node() which has increased the refcount
+and then call of_node_put() with it when done.
+
+Fixes: 66f232908de2 ("ASoC: eukrea-tlv320: Add DT support.")
+Co-authored-by: Kelin Wang <wangkelin2023@163.com>
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220914134354.3995587-1-windhl@126.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/eukrea-tlv320.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
+index 30a3d68b5c03..3705b003f528 100644
+--- a/sound/soc/fsl/eukrea-tlv320.c
++++ b/sound/soc/fsl/eukrea-tlv320.c
+@@ -87,7 +87,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ int ret;
+ int int_port = 0, ext_port;
+ struct device_node *np = pdev->dev.of_node;
+- struct device_node *ssi_np = NULL, *codec_np = NULL;
++ struct device_node *ssi_np = NULL, *codec_np = NULL, *tmp_np = NULL;
+
+ eukrea_tlv320.dev = &pdev->dev;
+ if (np) {
+@@ -144,7 +144,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ }
+
+ if (machine_is_eukrea_cpuimx27() ||
+- of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux")) {
++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux"))) {
+ imx_audmux_v1_configure_port(MX27_AUDMUX_HPCR1_SSI0,
+ IMX_AUDMUX_V1_PCR_SYN |
+ IMX_AUDMUX_V1_PCR_TFSDIR |
+@@ -159,10 +159,11 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ IMX_AUDMUX_V1_PCR_SYN |
+ IMX_AUDMUX_V1_PCR_RXDSEL(MX27_AUDMUX_HPCR1_SSI0)
+ );
++ of_node_put(tmp_np);
+ } else if (machine_is_eukrea_cpuimx25sd() ||
+ machine_is_eukrea_cpuimx35sd() ||
+ machine_is_eukrea_cpuimx51sd() ||
+- of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux")) {
++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux"))) {
+ if (!np)
+ ext_port = machine_is_eukrea_cpuimx25sd() ?
+ 4 : 3;
+@@ -179,6 +180,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ IMX_AUDMUX_V2_PTCR_SYN,
+ IMX_AUDMUX_V2_PDCR_RXDSEL(int_port)
+ );
++ of_node_put(tmp_np);
+ } else {
+ if (np) {
+ /* The eukrea,asoc-tlv320 driver was explicitly
+--
+2.35.1
+
--- /dev/null
+From 13510872b66337eef5c4de6f6a6f598c20912785 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:01:15 +0800
+Subject: ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit fcbb60820cd3008bb44334a0395e5e57ccb77329 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm5102_probe.
+
+Fixes:93e8791dd34ca ("ASoC: wm5102: Initial driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160116.125020-4-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm5102.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm5102.c b/sound/soc/codecs/wm5102.c
+index 7e817e1877c2..9b33c87c2fe4 100644
+--- a/sound/soc/codecs/wm5102.c
++++ b/sound/soc/codecs/wm5102.c
+@@ -2085,9 +2085,6 @@ static int wm5102_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm5102_digital_vu[i],
+ WM5102_DIG_VU, WM5102_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1,
+ "ADSP2 Compressed IRQ", wm5102_adsp2_irq,
+ wm5102);
+@@ -2120,6 +2117,9 @@ static int wm5102_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
--- /dev/null
+From dd249e53b889bfa57e1b01f560549b346183af10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:01:14 +0800
+Subject: ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 86b46bf1feb83898d89a2b4a8d08d21e9ea277a7 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm5110_probe.
+
+Fixes:5c6af635fd772 ("ASoC: wm5110: Add audio CODEC driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160116.125020-3-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm5110.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c
+index e510aca55163..43a47312d71b 100644
+--- a/sound/soc/codecs/wm5110.c
++++ b/sound/soc/codecs/wm5110.c
+@@ -2453,9 +2453,6 @@ static int wm5110_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm5110_digital_vu[i],
+ WM5110_DIG_VU, WM5110_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1,
+ "ADSP2 Compressed IRQ", wm5110_adsp2_irq,
+ wm5110);
+@@ -2488,6 +2485,9 @@ static int wm5110_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
--- /dev/null
+From c4dd8179de686feeaf887a9beee3f3fc5ffee490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:01:13 +0800
+Subject: ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 41a736ac20602f64773e80f0f5b32cde1830a44a ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm8997_probe
+
+Fixes:40843aea5a9bd ("ASoC: wm8997: Initial CODEC driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160116.125020-2-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm8997.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm8997.c b/sound/soc/codecs/wm8997.c
+index bb6a95be8726..9f819113af1e 100644
+--- a/sound/soc/codecs/wm8997.c
++++ b/sound/soc/codecs/wm8997.c
+@@ -1159,9 +1159,6 @@ static int wm8997_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm8997_digital_vu[i],
+ WM8997_DIG_VU, WM8997_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ arizona_init_common(arizona);
+
+ ret = arizona_init_vol_limit(arizona);
+@@ -1180,6 +1177,9 @@ static int wm8997_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
--- /dev/null
+From 41db7e87d92a0131b6b6d082ec7cb6e4682a25fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:33 +0200
+Subject: ata: fix ata_id_has_devslp()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit 9c6e09a434e1317e09b78b3b69cd384022ec9a03 ]
+
+ACS-5 section
+7.13.6.36 Word 78: Serial ATA features supported
+states that:
+
+If word 76 is not 0000h or FFFFh, word 78 reports the features supported
+by the device. If this word is not supported, the word shall be cleared
+to zero.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros
+(which already have this check), thus making it more likely that the
+next ATA_ID_FEATURE_SUPP macro that is added will include this check.
+
+Fixes: 65fe1f0f66a5 ("ahci: implement aggressive SATA device sleep support")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index 351e58312e7d..e9d24a23c0aa 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -581,6 +581,10 @@ struct ata_bmdma_prd {
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 2)))
++#define ata_id_has_devslp(id) \
++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8)))
+ #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10))
+ #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11))
+ #define ata_id_u32(id,n) \
+@@ -593,7 +597,6 @@ struct ata_bmdma_prd {
+
+ #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20)
+ #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4))
+-#define ata_id_has_devslp(id) ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))
+ #define ata_id_has_ncq_autosense(id) \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))
+
+--
+2.35.1
+
--- /dev/null
+From b614d692cf3abfafe76c8787c3dda28cbfa2d311 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:35 +0200
+Subject: ata: fix ata_id_has_dipm()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit 630624cb1b5826d753ac8e01a0e42de43d66dedf ]
+
+ACS-5 section
+7.13.6.36 Word 78: Serial ATA features supported
+states that:
+
+If word 76 is not 0000h or FFFFh, word 78 reports the features supported
+by the device. If this word is not supported, the word shall be cleared
+to zero.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+The problem with ata_id_has_dipm() is that the while it performs a
+check against 0 and 0xffff, it performs the check against
+ATA_ID_FEATURE_SUPP (word 78), the same word where the feature bit
+is stored.
+
+Fix this by performing the check against ATA_ID_SATA_CAPABILITY
+(word 76), like required by the spec. The feature bit check itself
+is of course still performed against ATA_ID_FEATURE_SUPP (word 78).
+
+Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros
+(which already have this check), thus making it more likely that the
+next ATA_ID_FEATURE_SUPP macro that is added will include this check.
+
+Fixes: ca77329fb713 ("[libata] Link power management infrastructure")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index cfdaa08c45c9..981eb1cb7e49 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -589,6 +589,10 @@ struct ata_bmdma_prd {
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)))
++#define ata_id_has_dipm(id) \
++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 3)))
+ #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10))
+ #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11))
+ #define ata_id_u32(id,n) \
+@@ -612,17 +616,6 @@ static inline bool ata_id_has_hipm(const u16 *id)
+ return val & (1 << 9);
+ }
+
+-static inline bool ata_id_has_dipm(const u16 *id)
+-{
+- u16 val = id[ATA_ID_FEATURE_SUPP];
+-
+- if (val == 0 || val == 0xffff)
+- return false;
+-
+- return val & (1 << 3);
+-}
+-
+-
+ static inline bool ata_id_has_fua(const u16 *id)
+ {
+ if ((id[ATA_ID_CFSSE] & 0xC000) != 0x4000)
+--
+2.35.1
+
--- /dev/null
+From 7e2061c85c01337017f02965b63bf43a6b4e6ae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:34 +0200
+Subject: ata: fix ata_id_has_ncq_autosense()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit a5fb6bf853148974dbde092ec1bde553bea5e49f ]
+
+ACS-5 section
+7.13.6.36 Word 78: Serial ATA features supported
+states that:
+
+If word 76 is not 0000h or FFFFh, word 78 reports the features supported
+by the device. If this word is not supported, the word shall be cleared
+to zero.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros
+(which already have this check), thus making it more likely that the
+next ATA_ID_FEATURE_SUPP macro that is added will include this check.
+
+Fixes: 5b01e4b9efa0 ("libata: Implement NCQ autosense")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index e9d24a23c0aa..cfdaa08c45c9 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -585,6 +585,10 @@ struct ata_bmdma_prd {
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8)))
++#define ata_id_has_ncq_autosense(id) \
++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)))
+ #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10))
+ #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11))
+ #define ata_id_u32(id,n) \
+@@ -597,8 +601,6 @@ struct ata_bmdma_prd {
+
+ #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20)
+ #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4))
+-#define ata_id_has_ncq_autosense(id) \
+- ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))
+
+ static inline bool ata_id_has_hipm(const u16 *id)
+ {
+--
+2.35.1
+
--- /dev/null
+From d8036aed98b4fd62d441f77330fcbbc6c75f9914 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:32 +0200
+Subject: ata: fix ata_id_sense_reporting_enabled() and
+ ata_id_has_sense_reporting()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit 690aa8c3ae308bc696ec8b1b357b995193927083 ]
+
+ACS-5 section
+7.13.6.41 Words 85..87, 120: Commands and feature sets supported or enabled
+states that:
+
+If bit 15 of word 86 is set to one, bit 14 of word 119 is set to one,
+and bit 15 of word 119 is cleared to zero, then word 119 is valid.
+
+If bit 15 of word 86 is set to one, bit 14 of word 120 is set to one,
+and bit 15 of word 120 is cleared to zero, then word 120 is valid.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+Currently, ata_id_sense_reporting_enabled() and
+ata_id_has_sense_reporting() both check bit 15 of word 86,
+but neither of them check that bit 14 of word 119 is set to one,
+or that bit 15 of word 119 is cleared to zero.
+
+Additionally, make ata_id_sense_reporting_enabled() return false
+if !ata_id_has_sense_reporting(), similar to how e.g.
+ata_id_flush_ext_enabled() returns false if !ata_id_has_flush_ext().
+
+Fixes: e87fd28cf9a2 ("libata: Implement support for sense data reporting")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index 40d150ad7e07..351e58312e7d 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -786,16 +786,21 @@ static inline bool ata_id_has_read_log_dma_ext(const u16 *id)
+
+ static inline bool ata_id_has_sense_reporting(const u16 *id)
+ {
+- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15)))
++ if (!(id[ATA_ID_CFS_ENABLE_2] & BIT(15)))
++ return false;
++ if ((id[ATA_ID_COMMAND_SET_3] & (BIT(15) | BIT(14))) != BIT(14))
+ return false;
+- return id[ATA_ID_COMMAND_SET_3] & (1 << 6);
++ return id[ATA_ID_COMMAND_SET_3] & BIT(6);
+ }
+
+ static inline bool ata_id_sense_reporting_enabled(const u16 *id)
+ {
+- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15)))
++ if (!ata_id_has_sense_reporting(id))
++ return false;
++ /* ata_id_has_sense_reporting() == true, word 86 must have bit 15 set */
++ if ((id[ATA_ID_COMMAND_SET_4] & (BIT(15) | BIT(14))) != BIT(14))
+ return false;
+- return id[ATA_ID_COMMAND_SET_4] & (1 << 6);
++ return id[ATA_ID_COMMAND_SET_4] & BIT(6);
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From d81678f5759dc58dd5dfd410d9c2a2d833f7a726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 22:36:06 +0300
+Subject: ata: libahci_platform: Sanity check the DT child nodes number
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 3c132ea6508b34956e5ed88d04936983ec230601 ]
+
+Having greater than AHCI_MAX_PORTS (32) ports detected isn't that critical
+from the further AHCI-platform initialization point of view since
+exceeding the ports upper limit will cause allocating more resources than
+will be used afterwards. But detecting too many child DT-nodes doesn't
+seem right since it's very unlikely to have it on an ordinary platform. In
+accordance with the AHCI specification there can't be more than 32 ports
+implemented at least due to having the CAP.NP field of 5 bits wide and the
+PI register of dword size. Thus if such situation is found the DTB must
+have been corrupted and the data read from it shouldn't be reliable. Let's
+consider that as an erroneous situation and halt further resources
+allocation.
+
+Note it's logically more correct to have the nports set only after the
+initialization value is checked for being sane. So while at it let's make
+sure nports is assigned with a correct value.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libahci_platform.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
+index 6a55aac0c60f..63086f90bbf8 100644
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -421,14 +421,24 @@ struct ahci_host_priv *ahci_platform_get_resources(struct platform_device *pdev,
+ }
+ }
+
+- hpriv->nports = child_nodes = of_get_child_count(dev->of_node);
++ /*
++ * Too many sub-nodes most likely means having something wrong with
++ * the firmware.
++ */
++ child_nodes = of_get_child_count(dev->of_node);
++ if (child_nodes > AHCI_MAX_PORTS) {
++ rc = -EINVAL;
++ goto err_out;
++ }
+
+ /*
+ * If no sub-node was found, we still need to set nports to
+ * one in order to be able to use the
+ * ahci_platform_[en|dis]able_[phys|regulators] functions.
+ */
+- if (!child_nodes)
++ if (child_nodes)
++ hpriv->nports = child_nodes;
++ else
+ hpriv->nports = 1;
+
+ hpriv->phys = devm_kcalloc(dev, hpriv->nports, sizeof(*hpriv->phys), GFP_KERNEL);
+--
+2.35.1
+
--- /dev/null
+From 894d18ea52b1f2f176b0e759b3fa5821cc490bdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 10:56:59 -0700
+Subject: Bluetooth: hci_sysfs: Fix attempting to call device_add multiple
+ times
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 448a496f760664d3e2e79466aa1787e6abc922b5 ]
+
+device_add shall not be called multiple times as stated in its
+documentation:
+
+ 'Do not call this routine or device_register() more than once for
+ any device structure'
+
+Syzkaller reports a bug as follows [1]:
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:33!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+[...]
+Call Trace:
+ <TASK>
+ __list_add include/linux/list.h:69 [inline]
+ list_add_tail include/linux/list.h:102 [inline]
+ kobj_kset_join lib/kobject.c:164 [inline]
+ kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214
+ kobject_add_varg lib/kobject.c:358 [inline]
+ kobject_add+0x150/0x1c0 lib/kobject.c:410
+ device_add+0x368/0x1e90 drivers/base/core.c:3452
+ hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53
+ hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799
+ hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110
+ hci_event_func net/bluetooth/hci_event.c:7440 [inline]
+ hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495
+ hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007
+ process_one_work+0x991/0x1610 kernel/workqueue.c:2289
+ worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+ kthread+0x2e4/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+ </TASK>
+
+Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Hawkins Jiawei <yin31149@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sysfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index b69d88b88d2e..ccd2c377bf83 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
+
+ BT_DBG("conn %p", conn);
+
++ if (device_is_registered(&conn->dev))
++ return;
++
+ dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
+
+ if (device_add(&conn->dev) < 0) {
+--
+2.35.1
+
--- /dev/null
+From 956078e403e2a3fbd4cf0b3e213075f2cbc9932f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 13:27:13 -0700
+Subject: Bluetooth: L2CAP: Fix user-after-free
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f ]
+
+This uses l2cap_chan_hold_unless_zero() after calling
+__l2cap_get_chan_blah() to prevent the following trace:
+
+Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
+*kref)
+Bluetooth: chan 0000000023c4974d
+Bluetooth: parent 00000000ae861c08
+==================================================================
+BUG: KASAN: use-after-free in __mutex_waiter_is_first
+kernel/locking/mutex.c:191 [inline]
+BUG: KASAN: use-after-free in __mutex_lock_common
+kernel/locking/mutex.c:671 [inline]
+BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
+kernel/locking/mutex.c:729
+Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
+
+Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 7c280fcdcaa0..5c965f7b1709 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4049,6 +4049,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+ }
+
++ chan = l2cap_chan_hold_unless_zero(chan);
++ if (!chan) {
++ err = -EBADSLT;
++ goto unlock;
++ }
++
+ err = 0;
+
+ l2cap_chan_lock(chan);
+@@ -4078,6 +4084,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+
+ l2cap_chan_unlock(chan);
++ l2cap_chan_put(chan);
+
+ unlock:
+ mutex_unlock(&conn->chan_lock);
+--
+2.35.1
+
--- /dev/null
+From 2549dcbfa6d0d368b13c738084bd7c9e32385c80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 00:32:56 +0900
+Subject: Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 ]
+
+syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at
+l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent
+l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer
+which fires before l2cap_chan_del() is called by closing file descriptor
+created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP).
+
+l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP)
+are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which
+clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded.
+
+l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets
+CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when
+connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds
+ from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4
+seconds from connect() request, for l2cap_conn_start() from
+l2cap_info_timeout() callback scheduled by
+
+ schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
+
+in l2cap_connect() is calling l2cap_chan_ready().
+
+Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM
+mode as soon as l2cap_chan_create() allocates a channel, like I did in
+commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at
+l2cap_chan_create()").
+
+Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1]
+Reported-by: syzbot <syzbot+83672956c7aa6af698b3@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 65d20bdff023..7c280fcdcaa0 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -63,6 +63,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
+
+ static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
+ struct sk_buff_head *skbs, u8 event);
++static void l2cap_retrans_timeout(struct work_struct *work);
++static void l2cap_monitor_timeout(struct work_struct *work);
++static void l2cap_ack_timeout(struct work_struct *work);
+
+ static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
+ {
+@@ -470,6 +473,9 @@ struct l2cap_chan *l2cap_chan_create(void)
+ write_unlock(&chan_list_lock);
+
+ INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
++ INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
++ INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
++ INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
+
+ chan->state = BT_OPEN;
+
+@@ -3154,10 +3160,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan)
+ chan->rx_state = L2CAP_RX_STATE_RECV;
+ chan->tx_state = L2CAP_TX_STATE_XMIT;
+
+- INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
+- INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
+- INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
+-
+ skb_queue_head_init(&chan->srej_q);
+
+ err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
+--
+2.35.1
+
--- /dev/null
+From 471b6938079aa78fb31110636135fa6779fbf066 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 14:28:43 +0800
+Subject: bnx2x: fix potential memory leak in bnx2x_tpa_stop()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit b43f9acbb8942b05252be83ac25a81cec70cc192 ]
+
+bnx2x_tpa_stop() allocates a memory chunk from new_data with
+bnx2x_frag_alloc(). The new_data should be freed when gets some error.
+But when "pad + len > fp->rx_buf_size" is true, bnx2x_tpa_stop() returns
+without releasing the new_data, which will lead to a memory leak.
+
+We should free the new_data with bnx2x_frag_free() when "pad + len >
+fp->rx_buf_size" is true.
+
+Fixes: 07b0f00964def8af9321cfd6c4a7e84f6362f728 ("bnx2x: fix possible panic under memory stress")
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index 2610acf9ac36..53b1b05f905e 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -788,6 +788,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
+ BNX2X_ERR("skb_put is about to fail... pad %d len %d rx_buf_size %d\n",
+ pad, len, fp->rx_buf_size);
+ bnx2x_panic();
++ bnx2x_frag_free(fp, new_data);
+ return;
+ }
+ #endif
+--
+2.35.1
+
--- /dev/null
+From 75c0fefd0e218e196ba3393e13eb683f81dd358b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 11:01:20 +0000
+Subject: bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
+
+From: Lorenz Bauer <oss@lmb.io>
+
+[ Upstream commit a37a32583e282d8d815e22add29bc1e91e19951a ]
+
+When trying to finish resolving a struct member, btf_struct_resolve
+saves the member type id in a u16 temporary variable. This truncates
+the 32 bit type id value if it exceeds UINT16_MAX.
+
+As a result, structs that have members with type ids > UINT16_MAX and
+which need resolution will fail with a message like this:
+
+ [67414] STRUCT ff_device size=120 vlen=12
+ effect_owners type_id=67434 bits_offset=960 Member exceeds struct_size
+
+Fix this by changing the type of last_member_type_id to u32.
+
+Fixes: a0791f0df7d2 ("bpf: fix BTF limits")
+Reviewed-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Lorenz Bauer <oss@lmb.io>
+Link: https://lore.kernel.org/r/20220910110120.339242-1-oss@lmb.io
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 471cc5c117a5..62e05b6283c0 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -1660,7 +1660,7 @@ static int btf_struct_resolve(struct btf_verifier_env *env,
+ if (v->next_member) {
+ const struct btf_type *last_member_type;
+ const struct btf_member *last_member;
+- u16 last_member_type_id;
++ u32 last_member_type_id;
+
+ last_member = btf_type_member(v->t) + v->next_member - 1;
+ last_member_type_id = last_member->type;
+--
+2.35.1
+
--- /dev/null
+From 55c3965e2e7b1ce786c646cc7680a622afa6a433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 14:38:55 +0100
+Subject: bpf: Ensure correct locking around vulnerable function find_vpid()
+
+From: Lee Jones <lee@kernel.org>
+
+[ Upstream commit 83c10cc362d91c0d8d25e60779ee52fdbbf3894d ]
+
+The documentation for find_vpid() clearly states:
+
+ "Must be called with the tasklist_lock or rcu_read_lock() held."
+
+Presently we do neither for find_vpid() instance in bpf_task_fd_query().
+Add proper rcu_read_lock/unlock() to fix the issue.
+
+Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20220912133855.1218900-1-lee@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index e940c1f65938..02e5bdb82a9a 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -2325,7 +2325,9 @@ static int bpf_task_fd_query(const union bpf_attr *attr,
+ if (attr->task_fd_query.flags != 0)
+ return -EINVAL;
+
++ rcu_read_lock();
+ task = get_pid_task(find_vpid(pid), PIDTYPE_PID);
++ rcu_read_unlock();
+ if (!task)
+ return -ENOENT;
+
+--
+2.35.1
+
--- /dev/null
+From c688bd86d217fdb328455fa4bfe51271e06e9b30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 15:59:00 -0700
+Subject: bpftool: Fix a wrong type cast in btf_dumper_int
+
+From: Lam Thai <lamthai@arista.com>
+
+[ Upstream commit 7184aef9c0f7a81db8fd18d183ee42481d89bf35 ]
+
+When `data` points to a boolean value, casting it to `int *` is problematic
+and could lead to a wrong value being passed to `jsonw_bool`. Change the
+cast to `bool *` instead.
+
+Fixes: b12d6ec09730 ("bpf: btf: add btf print functionality")
+Signed-off-by: Lam Thai <lamthai@arista.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20220824225859.9038-1-lamthai@arista.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/btf_dumper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/btf_dumper.c b/tools/bpf/bpftool/btf_dumper.c
+index 1e7c619228a2..2da43d930ed3 100644
+--- a/tools/bpf/bpftool/btf_dumper.c
++++ b/tools/bpf/bpftool/btf_dumper.c
+@@ -164,7 +164,7 @@ static int btf_dumper_int(const struct btf_type *t, __u8 bit_offset,
+ *(char *)data);
+ break;
+ case BTF_INT_BOOL:
+- jsonw_bool(jw, *(int *)data);
++ jsonw_bool(jw, *(bool *)data);
+ break;
+ default:
+ /* shouldn't happen */
+--
+2.35.1
+
--- /dev/null
+From 4cdf7d78235749ef8bf1131c8990f95cec5fdca6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 09:55:56 +0800
+Subject: can: bcm: check the result of can_send() in bcm_can_tx()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e ]
+
+If can_send() fail, it should not update frames_abs counter
+in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx().
+
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Suggested-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 3c825b158fb5..74e555a22de7 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -273,6 +273,7 @@ static void bcm_can_tx(struct bcm_op *op)
+ struct sk_buff *skb;
+ struct net_device *dev;
+ struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe;
++ int err;
+
+ /* no target device? => exit */
+ if (!op->ifindex)
+@@ -297,11 +298,11 @@ static void bcm_can_tx(struct bcm_op *op)
+ /* send with loopback */
+ skb->dev = dev;
+ can_skb_set_owner(skb, op->sk);
+- can_send(skb, 1);
++ err = can_send(skb, 1);
++ if (!err)
++ op->frames_abs++;
+
+- /* update statistics */
+ op->currframe++;
+- op->frames_abs++;
+
+ /* reached last frame? */
+ if (op->currframe >= op->nframes)
+--
+2.35.1
+
--- /dev/null
+From eefcc9e925b36d85a47a208c424b09bd953fb6bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 21:38:00 +0200
+Subject: can: rx-offload: can_rx_offload_init_queue(): fix typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 766108d91246530d31b42765046f7ec2d1e42581 ]
+
+Fix typo "rounted" -> "rounded".
+
+Link: https://lore.kernel.org/all/20220811093617.1861938-2-mkl@pengutronix.de
+Fixes: d254586c3453 ("can: rx-offload: Add support for HW fifo based irq offloading")
+Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/rx-offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/rx-offload.c
+index 5cf4171df1f4..3b9d4e544a89 100644
+--- a/drivers/net/can/rx-offload.c
++++ b/drivers/net/can/rx-offload.c
+@@ -341,7 +341,7 @@ static int can_rx_offload_init_queue(struct net_device *dev, struct can_rx_offlo
+ {
+ offload->dev = dev;
+
+- /* Limit queue len to 4x the weight (rounted to next power of two) */
++ /* Limit queue len to 4x the weight (rounded to next power of two) */
+ offload->skb_queue_len_max = 2 << fls(weight);
+ offload->skb_queue_len_max *= 4;
+ skb_queue_head_init(&offload->skb_queue);
+--
+2.35.1
+
--- /dev/null
+From 3abee4bc916c3dcfd4bd906e579ca6baeeb8dac1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 16:10:37 +0200
+Subject: clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 0b919a3728691c172312dee99ba654055ccd8c84 ]
+
+The return value of bcm2835_clock_rate_from_divisor is always unsigned
+and also all caller expect this. So fix the declaration accordingly.
+
+Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Link: https://lore.kernel.org/r/20220904141037.38816-1-stefan.wahren@i2se.com
+Reviewed-by: Ivan T. Ivanov <iivanov@suse.de>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index fd78dd5356ed..5a2f8d5d8d7a 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -950,9 +950,9 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw,
+ return div;
+ }
+
+-static long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock,
+- unsigned long parent_rate,
+- u32 div)
++static unsigned long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock,
++ unsigned long parent_rate,
++ u32 div)
+ {
+ const struct bcm2835_clock_data *data = clock->data;
+ u64 temp;
+--
+2.35.1
+
--- /dev/null
+From 8b66ff7b0822c8bbd16b66582be88d4dd3915feb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 10:45:09 +0200
+Subject: clk: bcm2835: Make peripheral PLLC critical
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 6c5422851d8be8c7451e968fd2e6da41b6109e17 ]
+
+When testing for a series affecting the VEC, it was discovered that
+turning off and on the VEC clock is crashing the system.
+
+It turns out that, when disabling the VEC clock, it's the only child of
+the PLLC-per clock which will also get disabled. The source of the crash
+is PLLC-per being disabled.
+
+It's likely that some other device might not take a clock reference that
+it actually needs, but it's unclear which at this point. Let's make
+PLLC-per critical so that we don't have that crash.
+
+Reported-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220926084509.12233-1-maxime@cerno.tech
+Reviewed-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index 5a2f8d5d8d7a..180abc00160d 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -1737,7 +1737,7 @@ static const struct bcm2835_clk_desc clk_desc_array[] = {
+ .load_mask = CM_PLLC_LOADPER,
+ .hold_mask = CM_PLLC_HOLDPER,
+ .fixed_divider = 1,
+- .flags = CLK_SET_RATE_PARENT),
++ .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT),
+
+ /*
+ * PLLD is the display PLL, used to drive DSI display panels.
+--
+2.35.1
+
--- /dev/null
+From fe7c05a2f8bb34c67615ca92491ea61c4a1f3332 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jul 2022 16:49:00 +0800
+Subject: clk: berlin: Add of_node_put() for of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 37c381b812dcbfde9c3f1f3d3e75fdfc1b40d5bc ]
+
+In berlin2_clock_setup() and berlin2q_clock_setup(), we need to
+call of_node_put() for the reference returned by of_get_parent()
+which has increased the refcount. We should call *_put() in fail
+path or when it is not used anymore.
+
+Fixes: 26b3b6b959b2 ("clk: berlin: prepare simple-mfd conversion")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220708084900.311684-1-windhl@126.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/berlin/bg2.c | 5 ++++-
+ drivers/clk/berlin/bg2q.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/berlin/bg2.c b/drivers/clk/berlin/bg2.c
+index 0b4b44a2579e..6efc3e02da47 100644
+--- a/drivers/clk/berlin/bg2.c
++++ b/drivers/clk/berlin/bg2.c
+@@ -499,12 +499,15 @@ static void __init berlin2_clock_setup(struct device_node *np)
+ int n, ret;
+
+ clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL);
+- if (!clk_data)
++ if (!clk_data) {
++ of_node_put(parent_np);
+ return;
++ }
+ clk_data->num = MAX_CLKS;
+ hws = clk_data->hws;
+
+ gbase = of_iomap(parent_np, 0);
++ of_node_put(parent_np);
+ if (!gbase)
+ return;
+
+diff --git a/drivers/clk/berlin/bg2q.c b/drivers/clk/berlin/bg2q.c
+index 9b9db743df25..5bcd8406ac93 100644
+--- a/drivers/clk/berlin/bg2q.c
++++ b/drivers/clk/berlin/bg2q.c
+@@ -285,19 +285,23 @@ static void __init berlin2q_clock_setup(struct device_node *np)
+ int n, ret;
+
+ clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL);
+- if (!clk_data)
++ if (!clk_data) {
++ of_node_put(parent_np);
+ return;
++ }
+ clk_data->num = MAX_CLKS;
+ hws = clk_data->hws;
+
+ gbase = of_iomap(parent_np, 0);
+ if (!gbase) {
++ of_node_put(parent_np);
+ pr_err("%pOF: Unable to map global base\n", np);
+ return;
+ }
+
+ /* BG2Q CPU PLL is not part of global registers */
+ cpupll_base = of_iomap(parent_np, 1);
++ of_node_put(parent_np);
+ if (!cpupll_base) {
+ pr_err("%pOF: Unable to map cpupll base\n", np);
+ iounmap(gbase);
+--
+2.35.1
+
--- /dev/null
+From e527a4fabe9b92d5e8af23989a87135cb711673d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jun 2022 22:31:55 +0800
+Subject: clk: oxnas: Hold reference returned by of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 1d6aa08c54cd0e005210ab8e3b1e92ede70f8a4f ]
+
+In oxnas_stdclk_probe(), we need to hold the reference returned by
+of_get_parent() and use it to call of_node_put() for refcount
+balance.
+
+Fixes: 0bbd72b4c64f ("clk: Add Oxford Semiconductor OXNAS Standard Clocks")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220628143155.170550-1-windhl@126.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-oxnas.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-oxnas.c b/drivers/clk/clk-oxnas.c
+index e51e0023fc6e..a92bf71f03ac 100644
+--- a/drivers/clk/clk-oxnas.c
++++ b/drivers/clk/clk-oxnas.c
+@@ -218,7 +218,7 @@ static const struct of_device_id oxnas_stdclk_dt_ids[] = {
+
+ static int oxnas_stdclk_probe(struct platform_device *pdev)
+ {
+- struct device_node *np = pdev->dev.of_node;
++ struct device_node *np = pdev->dev.of_node, *parent_np;
+ const struct oxnas_stdclk_data *data;
+ const struct of_device_id *id;
+ struct regmap *regmap;
+@@ -230,7 +230,9 @@ static int oxnas_stdclk_probe(struct platform_device *pdev)
+ return -ENODEV;
+ data = id->data;
+
+- regmap = syscon_node_to_regmap(of_get_parent(np));
++ parent_np = of_get_parent(np);
++ regmap = syscon_node_to_regmap(parent_np);
++ of_node_put(parent_np);
+ if (IS_ERR(regmap)) {
+ dev_err(&pdev->dev, "failed to have parent regmap\n");
+ return PTR_ERR(regmap);
+--
+2.35.1
+
--- /dev/null
+From a8043c9aa3a8212574f1c953319d3aeee7cb86d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 May 2022 18:38:34 +0400
+Subject: clk: tegra: Fix refcount leak in tegra114_clock_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit db16a80c76ea395766913082b1e3f939dde29b2c ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 2cb5efefd6f7 ("clk: tegra: Implement clocks for Tegra114")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220523143834.7587-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra114.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra114.c b/drivers/clk/tegra/clk-tegra114.c
+index 625d11091330..1e5025c127bd 100644
+--- a/drivers/clk/tegra/clk-tegra114.c
++++ b/drivers/clk/tegra/clk-tegra114.c
+@@ -1348,6 +1348,7 @@ static void __init tegra114_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
--- /dev/null
+From ef6aacb4e3df38ca690e114836e85236901e7153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 May 2022 18:26:08 +0400
+Subject: clk: tegra: Fix refcount leak in tegra210_clock_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 56c78cb1f00a9dde8cd762131ce8f4c5eb046fbb ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 6b301a059eb2 ("clk: tegra: Add support for Tegra210 clocks")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220523142608.65074-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
+index 7264e9731034..f97c4b0a9164 100644
+--- a/drivers/clk/tegra/clk-tegra210.c
++++ b/drivers/clk/tegra/clk-tegra210.c
+@@ -3529,6 +3529,7 @@ static void __init tegra210_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
--- /dev/null
+From 1368bd5b49eae1883a479c16229ace4624ff84a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 May 2022 19:28:11 +0400
+Subject: clk: tegra20: Fix refcount leak in tegra20_clock_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 4e343bafe03ff68a62f48f8235cf98f2c685468b ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 37c26a906527 ("clk: tegra: add clock support for Tegra20")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220523152811.19692-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra20.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
+index 68551effb5ca..5859b8ee1478 100644
+--- a/drivers/clk/tegra/clk-tegra20.c
++++ b/drivers/clk/tegra/clk-tegra20.c
+@@ -1152,6 +1152,7 @@ static void __init tegra20_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ BUG();
+--
+2.35.1
+
--- /dev/null
+From 82072f06e1f6c4d981d628fecb7406331390cc7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jun 2022 07:08:36 +0400
+Subject: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 ]
+
+pm_runtime_get_sync() will increment pm usage counter.
+Forgetting to putting operation will result in reference leak.
+Add missing pm_runtime_put_sync in some error paths.
+
+Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220602030838.52057-1-linmq006@gmail.com
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clk-dra7-atl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index beb672a215b6..a4b6f3ac2d34 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -252,14 +252,16 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_err("%s: failed to lookup atl clock %d\n", __func__,
+ i);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto pm_put;
+ }
+
+ clk = of_clk_get_from_provider(&clkspec);
+ if (IS_ERR(clk)) {
+ pr_err("%s: failed to get atl clock %d from provider\n",
+ __func__, i);
+- return PTR_ERR(clk);
++ ret = PTR_ERR(clk);
++ goto pm_put;
+ }
+
+ cdesc = to_atl_desc(__clk_get_hw(clk));
+@@ -292,8 +294,9 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (cdesc->enabled)
+ atl_clk_enable(__clk_get_hw(clk));
+ }
+- pm_runtime_put_sync(cinfo->dev);
+
++pm_put:
++ pm_runtime_put_sync(cinfo->dev);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 326aaff02bb21e82106773fd5165ee49d872920b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 09:43:27 +0300
+Subject: crypto: cavium - prevent integer overflow loading firmware
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2526d6bf27d15054bb0778b2f7bc6625fd934905 ]
+
+The "code_length" value comes from the firmware file. If your firmware
+is untrusted realistically there is probably very little you can do to
+protect yourself. Still we try to limit the damage as much as possible.
+Also Smatch marks any data read from the filesystem as untrusted and
+prints warnings if it not capped correctly.
+
+The "ntohl(ucode->code_length) * 2" multiplication can have an
+integer overflow.
+
+Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
+index 06ad85ab5e86..7416f30ee976 100644
+--- a/drivers/crypto/cavium/cpt/cptpf_main.c
++++ b/drivers/crypto/cavium/cpt/cptpf_main.c
+@@ -257,6 +257,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+ const struct firmware *fw_entry;
+ struct device *dev = &cpt->pdev->dev;
+ struct ucode_header *ucode;
++ unsigned int code_length;
+ struct microcode *mcode;
+ int j, ret = 0;
+
+@@ -267,11 +268,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+ ucode = (struct ucode_header *)fw_entry->data;
+ mcode = &cpt->mcode[cpt->next_mc_idx];
+ memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
+- mcode->code_size = ntohl(ucode->code_length) * 2;
+- if (!mcode->code_size) {
++ code_length = ntohl(ucode->code_length);
++ if (code_length == 0 || code_length >= INT_MAX / 2) {
+ ret = -EINVAL;
+ goto fw_release;
+ }
++ mcode->code_size = code_length * 2;
+
+ mcode->is_ae = is_ae;
+ mcode->core_mask = 0ULL;
+--
+2.35.1
+
--- /dev/null
+From 4a98126ccdbedcdf55009599eb5b27bacb29b2c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 09:58:42 -0700
+Subject: dmaengine: ioat: stop mod_timer from resurrecting deleted timer in
+ __cleanup()
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+[ Upstream commit 898ec89dbb55b8294695ad71694a0684e62b2a73 ]
+
+User reports observing timer event report channel halted but no error
+observed in CHANERR register. The driver finished self-test and released
+channel resources. Debug shows that __cleanup() can call
+mod_timer() after the timer has been deleted and thus resurrect the
+timer. While harmless, it causes suprious error message to be emitted.
+Use mod_timer_pending() call to prevent deleted timer from being
+resurrected.
+
+Fixes: 3372de5813e4 ("dmaengine: ioatdma: removal of dma_v3.c and relevant ioat3 references")
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/166360672197.3851724.17040290563764838369.stgit@djiang5-desk3.ch.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ioat/dma.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c
+index 890cadf3ec5d..e86a3d19b718 100644
+--- a/drivers/dma/ioat/dma.c
++++ b/drivers/dma/ioat/dma.c
+@@ -653,7 +653,7 @@ static void __cleanup(struct ioatdma_chan *ioat_chan, dma_addr_t phys_complete)
+ if (active - i == 0) {
+ dev_dbg(to_dev(ioat_chan), "%s: cancel completion timeout\n",
+ __func__);
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ }
+
+ /* microsecond delay by sysfs variable per pending descriptor */
+@@ -679,7 +679,7 @@ static void ioat_cleanup(struct ioatdma_chan *ioat_chan)
+
+ if (chanerr &
+ (IOAT_CHANERR_HANDLE_MASK | IOAT_CHANERR_RECOVER_MASK)) {
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ ioat_eh(ioat_chan);
+ }
+ }
+@@ -876,7 +876,7 @@ static void check_active(struct ioatdma_chan *ioat_chan)
+ }
+
+ if (test_and_clear_bit(IOAT_CHAN_ACTIVE, &ioat_chan->state))
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ }
+
+ void ioat_timer_event(struct timer_list *t)
+--
+2.35.1
+
--- /dev/null
+From 2f31183f8314d73e87fa9abb6fee23d50c2d6016 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 14:22:47 +0300
+Subject: drivers: serial: jsm: fix some leaks in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1d5859ef229e381f4db38dce8ed58e4bf862006b ]
+
+This error path needs to unwind instead of just returning directly.
+
+Fixes: 03a8482c17dd ("drivers: serial: jsm: Enable support for Digi Classic adapters")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YyxFh1+lOeZ9WfKO@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/jsm/jsm_driver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/jsm/jsm_driver.c b/drivers/tty/serial/jsm/jsm_driver.c
+index 592e51d8944e..07e9be9865c7 100644
+--- a/drivers/tty/serial/jsm/jsm_driver.c
++++ b/drivers/tty/serial/jsm/jsm_driver.c
+@@ -212,7 +212,8 @@ static int jsm_probe_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ break;
+ default:
+- return -ENXIO;
++ rc = -ENXIO;
++ goto out_kfree_brd;
+ }
+
+ rc = request_irq(brd->irq, brd->bd_ops->intr, IRQF_SHARED, "JSM", brd);
+--
+2.35.1
+
--- /dev/null
+From a99ac85099b32813c6b7f104f066d9cf0b54b9a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 17:43:26 -0300
+Subject: drm/amd/display: fix overflow on MIN_I64 definition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit 6ae0632d17759852c07e2d1e0a31c728eb6ba246 ]
+
+The definition of MIN_I64 in bw_fixed.c can cause gcc to whinge about
+integer overflow, because it is treated as a positive value, which is
+then negated. The temporary positive value is not necessarily
+representable.
+
+This causes the following warning:
+../drivers/gpu/drm/amd/amdgpu/../display/dc/dml/calcs/bw_fixed.c:30:19:
+warning: integer overflow in expression ‘-9223372036854775808’ of type
+‘long long int’ results in ‘-9223372036854775808’ [-Woverflow]
+ 30 | (int64_t)(-(1LL << 63))
+ | ^
+
+Writing out (-MAX_I64 - 1) works instead.
+
+Signed-off-by: David Gow <davidgow@google.com>
+Signed-off-by: Tales Aparecida <tales.aparecida@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c b/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c
+index 6ca288fb5fb9..2d46bc527b21 100644
+--- a/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c
++++ b/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c
+@@ -26,12 +26,12 @@
+ #include "bw_fixed.h"
+
+
+-#define MIN_I64 \
+- (int64_t)(-(1LL << 63))
+-
+ #define MAX_I64 \
+ (int64_t)((1ULL << 63) - 1)
+
++#define MIN_I64 \
++ (-MAX_I64 - 1)
++
+ #define FRACTIONAL_PART_MASK \
+ ((1ULL << BW_FIXED_BITS_PER_FRACTIONAL_PART) - 1)
+
+--
+2.35.1
+
--- /dev/null
+From 7c9c01d79b38df64d8d40ed980fe6346dcebfb66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 17:24:53 +0800
+Subject: drm/amdgpu: fix initial connector audio value
+
+From: hongao <hongao@uniontech.com>
+
+[ Upstream commit 4bb71fce58f30df3f251118291d6b0187ce531e6 ]
+
+This got lost somewhere along the way, This fixes
+audio not working until set_property was called.
+
+Signed-off-by: hongao <hongao@uniontech.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+index 3e4305c3c983..86ceefb8b8fb 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -1638,10 +1638,12 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ adev->mode_info.dither_property,
+ AMDGPU_FMT_DITHER_DISABLE);
+
+- if (amdgpu_audio != 0)
++ if (amdgpu_audio != 0) {
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
++ }
+
+ subpixel_order = SubPixelHorizontalRGB;
+ connector->interlace_allowed = true;
+@@ -1746,6 +1748,7 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
+ }
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.dither_property,
+@@ -1794,6 +1797,7 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
+ }
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.dither_property,
+@@ -1839,6 +1843,7 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
+ }
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.dither_property,
+--
+2.35.1
+
--- /dev/null
+From 86fe25054b3d98a00f3ddeb86438004b49c0bb10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jun 2022 16:48:53 +0200
+Subject: drm: bridge: adv7511: fix CEC power down control register offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alvin Šipraga <alsi@bang-olufsen.dk>
+
+[ Upstream commit 1d22b6033ea113a4c3850dfa2c0770885c81aec8 ]
+
+The ADV7511_REG_CEC_CTRL = 0xE2 register is part of the main register
+map - not the CEC register map. As such, we shouldn't apply an offset to
+the register address. Doing so will cause us to address a bogus register
+for chips with a CEC register map offset (e.g. ADV7533).
+
+Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support")
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220612144854.2223873-2-alvin@pqrs.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511.h | 5 +----
+ drivers/gpu/drm/bridge/adv7511/adv7511_cec.c | 4 ++--
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h
+index 73d8ccb97742..d214865c2459 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511.h
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h
+@@ -383,10 +383,7 @@ void adv7511_cec_irq_process(struct adv7511 *adv7511, unsigned int irq1);
+ #else
+ static inline int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
+ {
+- unsigned int offset = adv7511->type == ADV7533 ?
+- ADV7533_REG_CEC_OFFSET : 0;
+-
+- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset,
++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL,
+ ADV7511_CEC_CTRL_POWER_DOWN);
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c
+index a20a45c0b353..ddd1305b82b2 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c
+@@ -316,7 +316,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
+ goto err_cec_alloc;
+ }
+
+- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, 0);
++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, 0);
+ /* cec soft reset */
+ regmap_write(adv7511->regmap_cec,
+ ADV7511_REG_CEC_SOFT_RESET + offset, 0x01);
+@@ -343,7 +343,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
+ dev_info(dev, "Initializing CEC failed with error %d, disabling CEC\n",
+ ret);
+ err_cec_parse_dt:
+- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset,
++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL,
+ ADV7511_CEC_CTRL_POWER_DOWN);
+ return ret == -EPROBE_DEFER ? ret : 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From eb7da755128dad1bfbca99e2ed64389327563850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:34:50 +0800
+Subject: drm/bridge: megachips: Fix a null pointer dereference bug
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 1ff673333d46d2c1b053ebd0c1c7c7c79e36943e ]
+
+When removing the module we will get the following warning:
+
+[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered
+[ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+[ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130
+[ 31.921825] Call Trace:
+[ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw]
+[ 31.923139] i2c_device_remove+0x181/0x1f0
+
+The two bridges (stdp2690, stdp4028) do not probe at the same time, so
+the driver does not call ge_b850v3_resgiter() when probing, causing the
+driver to try to remove the object that has not been initialized.
+
+Fix this by checking whether both the bridges are probed.
+
+Fixes: 11632d4aa2b3 ("drm/bridge: megachips: Ensure both bridges are probed before registration")
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220830073450.1897020-1-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+index a8d776edccc1..07e3a8aaa0e4 100644
+--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+@@ -290,7 +290,9 @@ static void ge_b850v3_lvds_remove(void)
+ * This check is to avoid both the drivers
+ * removing the bridge in their remove() function
+ */
+- if (!ge_b850v3_lvds_ptr)
++ if (!ge_b850v3_lvds_ptr ||
++ !ge_b850v3_lvds_ptr->stdp2690_i2c ||
++ !ge_b850v3_lvds_ptr->stdp4028_i2c)
+ goto out;
+
+ drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge);
+--
+2.35.1
+
--- /dev/null
+From cd60f484a067ff2066b2cfc1b5fa6e50ff1e3dcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 09:31:00 +0900
+Subject: drm/exynos: Fix return type for mixer_mode_valid and hdmi_mode_valid
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 1261255531088208daeca818e2b486030b5339e5 ]
+
+The field mode_valid in exynos_drm_crtc_ops is expected to be of type enum
+drm_mode_status (*mode_valid)(struct exynos_drm_crtc *crtc,
+ const struct drm_display_mode *mode);
+
+Likewise for mode_valid in drm_connector_helper_funcs.
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of mixer_mode_valid and hdmi_mode_valid should be changed
+from int to enum drm_mode_status.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://protect2.fireeye.com/v1/url?k=3e644738-5fef521d-3e65cc77-
+74fe485cbff6-36ad29bf912d3c9f&q=1&e=5cc06174-77dd-4abd-ab50-
+155da5711aa3&u=https%3A%2F%2Fgithub.com%2FClangBuiltLinux%2Flinux%2Fissues%2F
+1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_hdmi.c | 4 ++--
+ drivers/gpu/drm/exynos/exynos_mixer.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_hdmi.c b/drivers/gpu/drm/exynos/exynos_hdmi.c
+index 2092a650df7d..227856f0a3c4 100644
+--- a/drivers/gpu/drm/exynos/exynos_hdmi.c
++++ b/drivers/gpu/drm/exynos/exynos_hdmi.c
+@@ -911,8 +911,8 @@ static int hdmi_find_phy_conf(struct hdmi_context *hdata, u32 pixel_clock)
+ return -EINVAL;
+ }
+
+-static int hdmi_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
++static enum drm_mode_status hdmi_mode_valid(struct drm_connector *connector,
++ struct drm_display_mode *mode)
+ {
+ struct hdmi_context *hdata = connector_to_hdmi(connector);
+ int ret;
+diff --git a/drivers/gpu/drm/exynos/exynos_mixer.c b/drivers/gpu/drm/exynos/exynos_mixer.c
+index 522d6c46d7b1..16a7624021a8 100644
+--- a/drivers/gpu/drm/exynos/exynos_mixer.c
++++ b/drivers/gpu/drm/exynos/exynos_mixer.c
+@@ -1018,7 +1018,7 @@ static void mixer_disable(struct exynos_drm_crtc *crtc)
+ clear_bit(MXR_BIT_POWERED, &ctx->flags);
+ }
+
+-static int mixer_mode_valid(struct exynos_drm_crtc *crtc,
++static enum drm_mode_status mixer_mode_valid(struct exynos_drm_crtc *crtc,
+ const struct drm_display_mode *mode)
+ {
+ struct mixer_context *ctx = crtc->ctx;
+--
+2.35.1
+
--- /dev/null
+From e237cc9a7b652bc41a9a532290ff515e98a6b84c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 19:38:31 +0200
+Subject: drm/mipi-dsi: Detach devices when removing the host
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 668a8f17b5290d04ef7343636a5588a0692731a1 ]
+
+Whenever the MIPI-DSI host is unregistered, the code of
+mipi_dsi_host_unregister() loops over every device currently found on that
+bus and will unregister it.
+
+However, it doesn't detach it from the bus first, which leads to all kind
+of resource leaks if the host wants to perform some clean up whenever a
+device is detached.
+
+Fixes: 068a00233969 ("drm: Add MIPI DSI bus support")
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220711173939.1132294-2-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_mipi_dsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
+index 7ed8e510565e..c8c9daecd00d 100644
+--- a/drivers/gpu/drm/drm_mipi_dsi.c
++++ b/drivers/gpu/drm/drm_mipi_dsi.c
+@@ -305,6 +305,7 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv)
+ {
+ struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev);
+
++ mipi_dsi_detach(dsi);
+ mipi_dsi_device_unregister(dsi);
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 9154b8f034d65c9652e37cefcc1fd0a7d9bdfc57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jun 2022 15:57:01 +0300
+Subject: drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 7538f80ae0d98bf51eb89eee5344aec219902d42 ]
+
+Remove loops over hw_vbif. Instead always VBIF's idx as an index in the
+array. This fixes an error in dpu_kms_hw_init(), where we fill
+dpu_kms->hw_vbif[i], but check for an error pointer at
+dpu_kms->hw_vbif[vbif_idx].
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/489569/
+Link: https://lore.kernel.org/r/20220615125703.24647-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 12 ++++------
+ drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c | 29 +++++++++++-------------
+ 2 files changed, 18 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+index c88bb92282df..57b40cf0f199 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+@@ -654,12 +654,10 @@ static void _dpu_kms_hw_destroy(struct dpu_kms *dpu_kms)
+ _dpu_kms_mmu_destroy(dpu_kms);
+
+ if (dpu_kms->catalog) {
+- for (i = 0; i < dpu_kms->catalog->vbif_count; i++) {
+- u32 vbif_idx = dpu_kms->catalog->vbif[i].id;
+-
+- if ((vbif_idx < VBIF_MAX) && dpu_kms->hw_vbif[vbif_idx]) {
+- dpu_hw_vbif_destroy(dpu_kms->hw_vbif[vbif_idx]);
+- dpu_kms->hw_vbif[vbif_idx] = NULL;
++ for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) {
++ if (dpu_kms->hw_vbif[i]) {
++ dpu_hw_vbif_destroy(dpu_kms->hw_vbif[i]);
++ dpu_kms->hw_vbif[i] = NULL;
+ }
+ }
+ }
+@@ -1094,7 +1092,7 @@ static int dpu_kms_hw_init(struct msm_kms *kms)
+ for (i = 0; i < dpu_kms->catalog->vbif_count; i++) {
+ u32 vbif_idx = dpu_kms->catalog->vbif[i].id;
+
+- dpu_kms->hw_vbif[i] = dpu_hw_vbif_init(vbif_idx,
++ dpu_kms->hw_vbif[vbif_idx] = dpu_hw_vbif_init(vbif_idx,
+ dpu_kms->vbif[vbif_idx], dpu_kms->catalog);
+ if (IS_ERR_OR_NULL(dpu_kms->hw_vbif[vbif_idx])) {
+ rc = PTR_ERR(dpu_kms->hw_vbif[vbif_idx]);
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c
+index 295528292296..24d009e066ab 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c
+@@ -18,6 +18,14 @@
+ #include "dpu_hw_vbif.h"
+ #include "dpu_trace.h"
+
++static struct dpu_hw_vbif *dpu_get_vbif(struct dpu_kms *dpu_kms, enum dpu_vbif vbif_idx)
++{
++ if (vbif_idx < ARRAY_SIZE(dpu_kms->hw_vbif))
++ return dpu_kms->hw_vbif[vbif_idx];
++
++ return NULL;
++}
++
+ /**
+ * _dpu_vbif_wait_for_xin_halt - wait for the xin to halt
+ * @vbif: Pointer to hardware vbif driver
+@@ -155,11 +163,11 @@ static u32 _dpu_vbif_get_ot_limit(struct dpu_hw_vbif *vbif,
+ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms,
+ struct dpu_vbif_set_ot_params *params)
+ {
+- struct dpu_hw_vbif *vbif = NULL;
++ struct dpu_hw_vbif *vbif;
+ struct dpu_hw_mdp *mdp;
+ bool forced_on = false;
+ u32 ot_lim;
+- int ret, i;
++ int ret;
+
+ if (!dpu_kms) {
+ DPU_ERROR("invalid arguments\n");
+@@ -167,12 +175,7 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms,
+ }
+ mdp = dpu_kms->hw_mdp;
+
+- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) {
+- if (dpu_kms->hw_vbif[i] &&
+- dpu_kms->hw_vbif[i]->idx == params->vbif_idx)
+- vbif = dpu_kms->hw_vbif[i];
+- }
+-
++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx);
+ if (!vbif || !mdp) {
+ DPU_DEBUG("invalid arguments vbif %d mdp %d\n",
+ vbif != 0, mdp != 0);
+@@ -217,7 +220,7 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms,
+ void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms,
+ struct dpu_vbif_set_qos_params *params)
+ {
+- struct dpu_hw_vbif *vbif = NULL;
++ struct dpu_hw_vbif *vbif;
+ struct dpu_hw_mdp *mdp;
+ bool forced_on = false;
+ const struct dpu_vbif_qos_tbl *qos_tbl;
+@@ -229,13 +232,7 @@ void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms,
+ }
+ mdp = dpu_kms->hw_mdp;
+
+- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) {
+- if (dpu_kms->hw_vbif[i] &&
+- dpu_kms->hw_vbif[i]->idx == params->vbif_idx) {
+- vbif = dpu_kms->hw_vbif[i];
+- break;
+- }
+- }
++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx);
+
+ if (!vbif || !vbif->cap) {
+ DPU_ERROR("invalid vbif %d\n", params->vbif_idx);
+--
+2.35.1
+
--- /dev/null
+From 4b3a5d808134d1724359660048441f6b36979fed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 15:46:12 +0200
+Subject: drm/msm: Make .remove and .shutdown HW shutdown consistent
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit 0a58d2ae572adaec8d046f8d35b40c2c32ac7468 ]
+
+Drivers' .remove and .shutdown callbacks are executed on different code
+paths. The former is called when a device is removed from the bus, while
+the latter is called at system shutdown time to quiesce the device.
+
+This means that some overlap exists between the two, because both have to
+take care of properly shutting down the hardware. But currently the logic
+used in these two callbacks isn't consistent in msm drivers, which could
+lead to kernel panic.
+
+For example, on .remove the component is deleted and its .unbind callback
+leads to the hardware being shutdown but only if the DRM device has been
+marked as registered.
+
+That check doesn't exist in the .shutdown logic and this can lead to the
+driver calling drm_atomic_helper_shutdown() for a DRM device that hasn't
+been properly initialized.
+
+A situation like this can happen if drivers for expected sub-devices fail
+to probe, since the .bind callback will never be executed. If that is the
+case, drm_atomic_helper_shutdown() will attempt to take mutexes that are
+only initialized if drm_mode_config_init() is called during a device bind.
+
+This bug was attempted to be fixed in commit 623f279c7781 ("drm/msm: fix
+shutdown hook in case GPU components failed to bind"), but unfortunately
+it still happens in some cases as the one mentioned above, i.e:
+
+ systemd-shutdown[1]: Powering off.
+ kvm: exiting hardware virtualization
+ platform wifi-firmware.0: Removing from iommu group 12
+ platform video-firmware.0: Removing from iommu group 10
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0
+ ...
+ Hardware name: Google CoachZ (rev3+) (DT)
+ pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : drm_modeset_lock_all_ctx+0x3c4/0x3d0
+ lr : drm_modeset_lock_all_ctx+0x48/0x3d0
+ sp : ffff80000805bb80
+ x29: ffff80000805bb80 x28: ffff327c00128000 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000001 x24: ffffc95d820ec030
+ x23: ffff327c00bbd090 x22: ffffc95d8215eca0 x21: ffff327c039c5800
+ x20: ffff327c039c5988 x19: ffff80000805bbe8 x18: 0000000000000034
+ x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000
+ x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+ x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000
+ x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+ x2 : ffff327c00128000 x1 : 0000000000000000 x0 : ffff327c039c59b0
+ Call trace:
+ drm_modeset_lock_all_ctx+0x3c4/0x3d0
+ drm_atomic_helper_shutdown+0x70/0x134
+ msm_drv_shutdown+0x30/0x40
+ platform_shutdown+0x28/0x40
+ device_shutdown+0x148/0x350
+ kernel_power_off+0x38/0x80
+ __do_sys_reboot+0x288/0x2c0
+ __arm64_sys_reboot+0x28/0x34
+ invoke_syscall+0x48/0x114
+ el0_svc_common.constprop.0+0x44/0xec
+ do_el0_svc+0x2c/0xc0
+ el0_svc+0x2c/0x84
+ el0t_64_sync_handler+0x11c/0x150
+ el0t_64_sync+0x18c/0x190
+ ---[ end trace 0000000000000000 ]---
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
+ Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=000000010eab1000
+ [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
+ Internal error: Oops: 96000004 [#1] PREEMPT SMP
+ ...
+ Hardware name: Google CoachZ (rev3+) (DT)
+ pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : ww_mutex_lock+0x28/0x32c
+ lr : drm_modeset_lock_all_ctx+0x1b0/0x3d0
+ sp : ffff80000805bb50
+ x29: ffff80000805bb50 x28: ffff327c00128000 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000018
+ x23: ffff80000805bc10 x22: ffff327c039c5ad8 x21: ffff327c039c5800
+ x20: ffff80000805bbe8 x19: 0000000000000018 x18: 0000000000000034
+ x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000
+ x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+ x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000
+ x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+ x2 : ffff327c00128000 x1 : 0000000000000000 x0 : 0000000000000018
+ Call trace:
+ ww_mutex_lock+0x28/0x32c
+ drm_modeset_lock_all_ctx+0x1b0/0x3d0
+ drm_atomic_helper_shutdown+0x70/0x134
+ msm_drv_shutdown+0x30/0x40
+ platform_shutdown+0x28/0x40
+ device_shutdown+0x148/0x350
+ kernel_power_off+0x38/0x80
+ __do_sys_reboot+0x288/0x2c0
+ __arm64_sys_reboot+0x28/0x34
+ invoke_syscall+0x48/0x114
+ el0_svc_common.constprop.0+0x44/0xec
+ do_el0_svc+0x2c/0xc0
+ el0_svc+0x2c/0x84
+ el0t_64_sync_handler+0x11c/0x150
+ el0t_64_sync+0x18c/0x190
+ Code: aa0103f4 d503201f d2800001 aa0103e3 (c8e37c02)
+ ---[ end trace 0000000000000000 ]---
+ Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+ Kernel Offset: 0x495d77c00000 from 0xffff800008000000
+ PHYS_OFFSET: 0xffffcd8500000000
+ CPU features: 0x800,00c2a015,19801c82
+ Memory Limit: none
+ ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
+
+Fixes: 9d5cbf5fe46e ("drm/msm: add shutdown support for display platform_driver")
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220816134612.916527-1-javierm@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index 11bad11101b9..f9024e21dc6a 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -1365,10 +1365,15 @@ static void msm_pdev_shutdown(struct platform_device *pdev)
+ struct drm_device *drm = platform_get_drvdata(pdev);
+ struct msm_drm_private *priv = drm ? drm->dev_private : NULL;
+
+- if (!priv || !priv->kms)
+- return;
+-
+- drm_atomic_helper_shutdown(drm);
++ /*
++ * Shutdown the hw if we're far enough along where things might be on.
++ * If we run this too early, we'll end up panicking in any variety of
++ * places. Since we don't register the drm device until late in
++ * msm_drm_init, drm_dev->registered is used as an indicator that the
++ * shutdown will be successful.
++ */
++ if (drm && drm->registered)
++ drm_atomic_helper_shutdown(drm);
+ }
+
+ static const struct of_device_id dt_match[] = {
+--
+2.35.1
+
--- /dev/null
+From 3f12c62c041a167ffdb92b6481ae922c76189386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 20:24:03 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for Anbernic Win600
+
+From: Maya Matuszczyk <maccraft123mc@gmail.com>
+
+[ Upstream commit 770e19076065e079a32f33eb11be2057c87f1cde ]
+
+This device is another x86 gaming handheld, and as (hopefully) there is
+only one set of DMI IDs it's using DMI_EXACT_MATCH
+
+Signed-off-by: Maya Matuszczyk <maccraft123mc@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220803182402.1217293-1-maccraft123mc@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 265df1e67eb3..bea1d3e7e964 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -95,6 +95,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "One S1003"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* Anbernic Win600 */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Anbernic"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Win600"),
++ },
++ .driver_data = (void *)&lcd720x1280_rightside_up,
+ }, { /* Asus T100HA */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+--
+2.35.1
+
--- /dev/null
+From 2a6e73349feec3829331f5322feb155a8373e8e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jul 2022 12:02:14 +0200
+Subject: drm: Prevent drm_copy_field() to attempt copying a NULL pointer
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit f6ee30407e883042482ad4ad30da5eaba47872ee ]
+
+There are some struct drm_driver fields that are required by drivers since
+drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.
+
+But it can be possible that a driver has a bug and did not set some of the
+fields, which leads to drm_copy_field() attempting to copy a NULL pointer:
+
+[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
+[ +0.010955] Mem abort info:
+[ +0.002835] ESR = 0x0000000096000004
+[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits
+[ +0.005395] SET = 0, FnV = 0
+[ +0.003113] EA = 0, S1PTW = 0
+[ +0.003182] FSC = 0x04: level 0 translation fault
+[ +0.004964] Data abort info:
+[ +0.002919] ISV = 0, ISS = 0x00000004
+[ +0.003886] CM = 0, WnR = 0
+[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000
+[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
+[ +0.006925] Internal error: Oops: 96000004 [#1] SMP
+...
+[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ +0.007061] pc : __pi_strlen+0x14/0x150
+[ +0.003895] lr : drm_copy_field+0x30/0x1a4
+[ +0.004156] sp : ffff8000094b3a50
+[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040
+[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040
+[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000
+[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000
+[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40
+[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8
+[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141
+[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000
+[ +0.007240] Call trace:
+[ +0.002475] __pi_strlen+0x14/0x150
+[ +0.003537] drm_version+0x84/0xac
+[ +0.003448] drm_ioctl_kernel+0xa8/0x16c
+[ +0.003975] drm_ioctl+0x270/0x580
+[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc
+[ +0.003978] invoke_syscall+0x78/0x100
+[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4
+[ +0.004767] do_el0_svc+0x38/0x4c
+[ +0.003357] el0_svc+0x34/0x100
+[ +0.003185] el0t_64_sync_handler+0x11c/0x150
+[ +0.004418] el0t_64_sync+0x190/0x194
+[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)
+[ +0.006180] ---[ end trace 0000000000000000 ]---
+
+Reported-by: Peter Robinson <pbrobinson@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
+index 4fea6519510c..2651bfb763a4 100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -460,6 +460,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+ size_t len;
+
++ /* don't attempt to copy a NULL pointer */
++ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) {
++ *buf_len = 0;
++ return 0;
++ }
++
+ /* don't overflow userbuf */
+ len = strlen(value);
+ if (len > *buf_len)
+--
+2.35.1
+
--- /dev/null
+From c3edbea3c5e009204819dcd2ab59e48521efc0f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jul 2022 12:02:13 +0200
+Subject: drm: Use size_t type for len variable in drm_copy_field()
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit 94dc3471d1b2b58b3728558d0e3f264e9ce6ff59 ]
+
+The strlen() function returns a size_t which is an unsigned int on 32-bit
+arches and an unsigned long on 64-bit arches. But in the drm_copy_field()
+function, the strlen() return value is assigned to an 'int len' variable.
+
+Later, the len variable is passed as copy_from_user() third argument that
+is an unsigned long parameter as well.
+
+In theory, this can lead to an integer overflow via type conversion. Since
+the assignment happens to a signed int lvalue instead of a size_t lvalue.
+
+In practice though, that's unlikely since the values copied are set by DRM
+drivers and not controlled by userspace. But using a size_t for len is the
+correct thing to do anyways.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Tested-by: Peter Robinson <pbrobinson@gmail.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-2-javierm@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
+index babd7ebabfef..4fea6519510c 100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -458,7 +458,7 @@ EXPORT_SYMBOL(drm_invalid_op);
+ */
+ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+- int len;
++ size_t len;
+
+ /* don't overflow userbuf */
+ len = strlen(value);
+--
+2.35.1
+
--- /dev/null
+From b865634916ca866a7fcf47fb0b517e0f6f3fe1aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 15:11:42 +0200
+Subject: drm/vc4: vec: Fix timings for VEC modes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
+
+[ Upstream commit 30d7565be96b3946c18a1ce3fd538f7946839092 ]
+
+This commit fixes vertical timings of the VEC (composite output) modes
+to accurately represent the 525-line ("NTSC") and 625-line ("PAL") ITU-R
+standards.
+
+Previous timings were actually defined as 502 and 601 lines, resulting
+in non-standard 62.69 Hz and 52 Hz signals being generated,
+respectively.
+
+Signed-off-by: Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
+Acked-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220728-rpi-analog-tv-properties-v2-28-459522d653a7@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_vec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_vec.c b/drivers/gpu/drm/vc4/vc4_vec.c
+index 8e7facb6514e..ae0354ceb2a3 100644
+--- a/drivers/gpu/drm/vc4/vc4_vec.c
++++ b/drivers/gpu/drm/vc4/vc4_vec.c
+@@ -291,7 +291,7 @@ static void vc4_vec_ntsc_j_mode_set(struct vc4_vec *vec)
+ static const struct drm_display_mode ntsc_mode = {
+ DRM_MODE("720x480", DRM_MODE_TYPE_DRIVER, 13500,
+ 720, 720 + 14, 720 + 14 + 64, 720 + 14 + 64 + 60, 0,
+- 480, 480 + 3, 480 + 3 + 3, 480 + 3 + 3 + 16, 0,
++ 480, 480 + 7, 480 + 7 + 6, 525, 0,
+ DRM_MODE_FLAG_INTERLACE)
+ };
+
+@@ -313,7 +313,7 @@ static void vc4_vec_pal_m_mode_set(struct vc4_vec *vec)
+ static const struct drm_display_mode pal_mode = {
+ DRM_MODE("720x576", DRM_MODE_TYPE_DRIVER, 13500,
+ 720, 720 + 20, 720 + 20 + 64, 720 + 20 + 64 + 60, 0,
+- 576, 576 + 2, 576 + 2 + 3, 576 + 2 + 3 + 20, 0,
++ 576, 576 + 4, 576 + 4 + 6, 625, 0,
+ DRM_MODE_FLAG_INTERLACE)
+ };
+
+--
+2.35.1
+
--- /dev/null
+From f8416e316cb04169b753ae86bc88ce86cb10b794 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 15:40:39 -0600
+Subject: dyndbg: fix module.dyndbg handling
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit 85d6b66d31c35158364058ee98fb69ab5bb6a6b1 ]
+
+For CONFIG_DYNAMIC_DEBUG=N, the ddebug_dyndbg_module_param_cb()
+stub-fn is too permissive:
+
+bash-5.1# modprobe drm JUNKdyndbg
+bash-5.1# modprobe drm dyndbgJUNK
+[ 42.933220] dyndbg param is supported only in CONFIG_DYNAMIC_DEBUG builds
+[ 42.937484] ACPI: bus type drm_connector registered
+
+This caused no ill effects, because unknown parameters are either
+ignored by default with an "unknown parameter" warning, or ignored
+because dyndbg allows its no-effect use on non-dyndbg builds.
+
+But since the code has an explicit feedback message, it should be
+issued accurately. Fix with strcmp for exact param-name match.
+
+Fixes: b48420c1d301 dynamic_debug: make dynamic-debug work for module initialization
+Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Acked-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20220904214134.408619-3-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/dynamic_debug.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h
+index b3419da1a776..77a16b2eb42f 100644
+--- a/include/linux/dynamic_debug.h
++++ b/include/linux/dynamic_debug.h
+@@ -168,7 +168,7 @@ static inline int ddebug_remove_module(const char *mod)
+ static inline int ddebug_dyndbg_module_param_cb(char *param, char *val,
+ const char *modname)
+ {
+- if (strstr(param, "dyndbg")) {
++ if (!strcmp(param, "dyndbg")) {
+ /* avoid pr_warn(), which wants pr_fmt() fully defined */
+ printk(KERN_WARNING "dyndbg param is supported only in "
+ "CONFIG_DYNAMIC_DEBUG builds\n");
+--
+2.35.1
+
--- /dev/null
+From f12a9481f3f4081f259e912f10f94bcd0b4a29d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 15:40:44 -0600
+Subject: dyndbg: let query-modname override actual module name
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit e75ef56f74965f426dd819a41336b640ffdd8fbc ]
+
+dyndbg's control-parser: ddebug_parse_query(), requires that search
+terms: module, func, file, lineno, are used only once in a query; a
+thing cannot be named both foo and bar.
+
+The cited commit added an overriding module modname, taken from the
+module loader, which is authoritative. So it set query.module 1st,
+which disallowed its use in the query-string.
+
+But now, its useful to allow a module-load to enable classes across a
+whole (or part of) a subsystem at once.
+
+ # enable (dynamic-debug in) drm only
+ modprobe drm dyndbg="class DRM_UT_CORE +p"
+
+ # get drm_helper too
+ modprobe drm dyndbg="class DRM_UT_CORE module drm* +p"
+
+ # get everything that knows DRM_UT_CORE
+ modprobe drm dyndbg="class DRM_UT_CORE module * +p"
+
+ # also for boot-args:
+ drm.dyndbg="class DRM_UT_CORE module * +p"
+
+So convert the override into a default, by filling it only when/after
+the query-string omitted the module.
+
+NB: the query class FOO handling is forthcoming.
+
+Fixes: 8e59b5cfb9a6 dynamic_debug: add modname arg to exec_query callchain
+Acked-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20220904214134.408619-8-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/dynamic_debug.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
+index 9305ff43fc15..fec610703095 100644
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -327,10 +327,6 @@ static int ddebug_parse_query(char *words[], int nwords,
+ }
+ memset(query, 0, sizeof(*query));
+
+- if (modname)
+- /* support $modname.dyndbg=<multiple queries> */
+- query->module = modname;
+-
+ for (i = 0; i < nwords; i += 2) {
+ if (!strcmp(words[i], "func")) {
+ rc = check_set(&query->function, words[i+1], "func");
+@@ -379,6 +375,13 @@ static int ddebug_parse_query(char *words[], int nwords,
+ if (rc)
+ return rc;
+ }
++ if (!query->module && modname)
++ /*
++ * support $modname.dyndbg=<multiple queries>, when
++ * not given in the query itself
++ */
++ query->module = modname;
++
+ vpr_info_dq(query, "parsed");
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 369eaecd19163c5aecb3773ba16af7ec62842db5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 12:59:17 +0800
+Subject: f2fs: fix race condition on setting FI_NO_EXTENT flag
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 07725adc55c0a414c10acb5c8c86cea34b95ddef ]
+
+The following scenarios exist.
+process A: process B:
+->f2fs_drop_extent_tree ->f2fs_update_extent_cache_range
+ ->f2fs_update_extent_tree_range
+ ->write_lock
+ ->set_inode_flag
+ ->is_inode_flag_set
+ ->__free_extent_tree // Shouldn't
+ // have been
+ // cleaned up
+ // here
+ ->write_lock
+
+In this case, the "FI_NO_EXTENT" flag is set between
+f2fs_update_extent_tree_range and is_inode_flag_set
+by other process. it leads to clearing the whole exten
+tree which should not have happened. And we fix it by
+move the setting it to the range of write_lock.
+
+Fixes:5f281fab9b9a3 ("f2fs: disable extent_cache for fcollapse/finsert inodes")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/extent_cache.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
+index a70cd2580eae..36d6b561b524 100644
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -717,9 +717,8 @@ void f2fs_drop_extent_tree(struct inode *inode)
+ if (!f2fs_may_extent_tree(inode))
+ return;
+
+- set_inode_flag(inode, FI_NO_EXTENT);
+-
+ write_lock(&et->lock);
++ set_inode_flag(inode, FI_NO_EXTENT);
+ __free_extent_tree(sbi, et);
+ if (et->largest.len) {
+ et->largest.len = 0;
+--
+2.35.1
+
--- /dev/null
+From b2c246abacb8b0e1a8bb1299eaa1b4015a1f41e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 17:07:55 -0300
+Subject: firmware: google: Test spinlock on panic path to avoid lockups
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+[ Upstream commit 3e081438b8e639cc76ef1a5ce0c1bd8a154082c7 ]
+
+Currently the gsmi driver registers a panic notifier as well as
+reboot and die notifiers. The callbacks registered are called in
+atomic and very limited context - for instance, panic disables
+preemption and local IRQs, also all secondary CPUs (not executing
+the panic path) are shutdown.
+
+With that said, taking a spinlock in this scenario is a dangerous
+invitation for lockup scenarios. So, fix that by checking if the
+spinlock is free to acquire in the panic notifier callback - if not,
+bail-out and avoid a potential hang.
+
+Fixes: 74c5b31c6618 ("driver: Google EFI SMI")
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: David Gow <davidgow@google.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Julius Werner <jwerner@chromium.org>
+Cc: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Evan Green <evgreen@chromium.org>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Link: https://lore.kernel.org/r/20220909200755.189679-1-gpiccoli@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/google/gsmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
+index 62337be07afc..2e3ef0eb6e82 100644
+--- a/drivers/firmware/google/gsmi.c
++++ b/drivers/firmware/google/gsmi.c
+@@ -661,6 +661,15 @@ static struct notifier_block gsmi_die_notifier = {
+ static int gsmi_panic_callback(struct notifier_block *nb,
+ unsigned long reason, void *arg)
+ {
++
++ /*
++ * Panic callbacks are executed with all other CPUs stopped,
++ * so we must not attempt to spin waiting for gsmi_dev.lock
++ * to be released.
++ */
++ if (spin_is_locked(&gsmi_dev.lock))
++ return NOTIFY_DONE;
++
+ gsmi_shutdown_reason(GSMI_SHUTDOWN_PANIC);
+ return NOTIFY_DONE;
+ }
+--
+2.35.1
+
--- /dev/null
+From f8fa6f7a279a421b44d01688ac0c998586ae85c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jan 2022 15:34:11 +0800
+Subject: fsi: core: Check error number after calling ida_simple_get
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 35af9fb49bc5c6d61ef70b501c3a56fe161cce3e ]
+
+If allocation fails, the ida_simple_get() will return error number.
+So master->idx could be error number and be used in dev_set_name().
+Therefore, it should be better to check it and return error if fails,
+like the ida_simple_get() in __fsi_get_new_minor().
+
+Fixes: 09aecfab93b8 ("drivers/fsi: Add fsi master definition")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Eddie James <eajames@linux.ibm.com>
+Link: https://lore.kernel.org/r/20220111073411.614138-1-jiasheng@iscas.ac.cn
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c
+index 5b4ca6142270..5133fe0a0abe 100644
+--- a/drivers/fsi/fsi-core.c
++++ b/drivers/fsi/fsi-core.c
+@@ -1279,6 +1279,9 @@ int fsi_master_register(struct fsi_master *master)
+
+ mutex_init(&master->scan_lock);
+ master->idx = ida_simple_get(&master_ida, 0, INT_MAX, GFP_KERNEL);
++ if (master->idx < 0)
++ return master->idx;
++
+ dev_set_name(&master->dev, "fsi%d", master->idx);
+
+ rc = device_register(&master->dev);
+--
+2.35.1
+
--- /dev/null
+From a5fff52a9467f06e628e4ac7d35ccc95660539ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 08:59:11 +0000
+Subject: fsi: master-ast-cf: Fix missing of_node_put in fsi_master_acf_probe
+
+From: Lv Ruyi <lv.ruyi@zte.com.cn>
+
+[ Upstream commit 182d98e00e4745fe253cb0c24c63bbac253464a2 ]
+
+of_parse_phandle returns node pointer with refcount incremented, use
+of_node_put() on it when done.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
+Link: https://lore.kernel.org/r/20220407085911.2491719-1-lv.ruyi@zte.com.cn
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-master-ast-cf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/fsi/fsi-master-ast-cf.c b/drivers/fsi/fsi-master-ast-cf.c
+index 04d10ea8d343..1d39e435bfd1 100644
+--- a/drivers/fsi/fsi-master-ast-cf.c
++++ b/drivers/fsi/fsi-master-ast-cf.c
+@@ -1324,12 +1324,14 @@ static int fsi_master_acf_probe(struct platform_device *pdev)
+ }
+ master->cvic = devm_of_iomap(&pdev->dev, np, 0, NULL);
+ if (IS_ERR(master->cvic)) {
++ of_node_put(np);
+ rc = PTR_ERR(master->cvic);
+ dev_err(&pdev->dev, "Error %d mapping CVIC\n", rc);
+ goto err_free;
+ }
+ rc = of_property_read_u32(np, "copro-sw-interrupts",
+ &master->cvic_sw_irq);
++ of_node_put(np);
+ if (rc) {
+ dev_err(&pdev->dev, "Can't find coprocessor SW interrupt\n");
+ goto err_free;
+--
+2.35.1
+
--- /dev/null
+From 9a942df0f03f90c84760fc89e053b51b1770564b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 12:31:15 -0700
+Subject: HID: roccat: Fix use-after-free in roccat_read()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit cacdb14b1c8d3804a3a7d31773bc7569837b71a4 ]
+
+roccat_report_event() is responsible for registering
+roccat-related reports in struct roccat_device.
+
+int roccat_report_event(int minor, u8 const *data)
+{
+ struct roccat_device *device;
+ struct roccat_reader *reader;
+ struct roccat_report *report;
+ uint8_t *new_value;
+
+ device = devices[minor];
+
+ new_value = kmemdup(data, device->report_size, GFP_ATOMIC);
+ if (!new_value)
+ return -ENOMEM;
+
+ report = &device->cbuf[device->cbuf_end];
+
+ /* passing NULL is safe */
+ kfree(report->value);
+ ...
+
+The registered report is stored in the struct roccat_device member
+"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];".
+If more reports are received than the "ROCCAT_CBUF_SIZE" value,
+kfree() the saved report from cbuf[0] and allocates a new reprot.
+Since there is no lock when this kfree() is performed,
+kfree() can be performed even while reading the saved report.
+
+static ssize_t roccat_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ppos)
+{
+ struct roccat_reader *reader = file->private_data;
+ struct roccat_device *device = reader->device;
+ struct roccat_report *report;
+ ssize_t retval = 0, len;
+ DECLARE_WAITQUEUE(wait, current);
+
+ mutex_lock(&device->cbuf_lock);
+
+ ...
+
+ report = &device->cbuf[reader->cbuf_start];
+ /*
+ * If report is larger than requested amount of data, rest of report
+ * is lost!
+ */
+ len = device->report_size > count ? count : device->report_size;
+
+ if (copy_to_user(buffer, report->value, len)) {
+ retval = -EFAULT;
+ goto exit_unlock;
+ }
+ ...
+
+The roccat_read() function receives the device->cbuf report and
+delivers it to the user through copy_to_user().
+If the N+ROCCAT_CBUF_SIZE th report is received while copying of
+the Nth report->value is in progress, the pointer that copy_to_user()
+is working on is kfree()ed and UAF read may occur. (race condition)
+
+Since the device node of this driver does not set separate permissions,
+this is not a security vulnerability, but because it is used for
+requesting screen display of profile or dpi settings,
+a user using the roccat device can apply udev to this device node or
+There is a possibility to use it by giving.
+
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index 5be8de70c651..c9cec00b4e6e 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -260,6 +260,8 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->cbuf_lock);
++
+ report = &device->cbuf[device->cbuf_end];
+
+ /* passing NULL is safe */
+@@ -279,6 +281,8 @@ int roccat_report_event(int minor, u8 const *data)
+ reader->cbuf_start = (reader->cbuf_start + 1) % ROCCAT_CBUF_SIZE;
+ }
+
++ mutex_unlock(&device->cbuf_lock);
++
+ wake_up_interruptible(&device->wait);
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 91acbb5d253312076ca436e9d75cf298675455e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 20:36:13 -0400
+Subject: hid: topre: Add driver fixing report descriptor
+
+From: Harry Stern <harry@harrystern.net>
+
+[ Upstream commit a109d5c45b3d6728b9430716b915afbe16eef27c ]
+
+The Topre REALFORCE R2 firmware incorrectly reports that interface
+descriptor number 1, input report descriptor 2's events are array events
+rather than variable events. That particular report descriptor is used
+to report keypresses when there are more than 6 keys held at a time.
+This bug prevents events from this interface from being registered
+properly, so only 6 keypresses (from a different interface) can be
+registered at once, rather than full n-key rollover.
+
+This commit fixes the bug by setting the correct value in a report_fixup
+function.
+
+The original bug report can be found here:
+Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/804
+
+Thanks to Benjamin Tissoires for diagnosing the issue with the report
+descriptor.
+
+Signed-off-by: Harry Stern <harry@harrystern.net>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20220911003614.297613-1-harry@harrystern.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/Kconfig | 6 +++++
+ drivers/hid/Makefile | 1 +
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-topre.c | 49 +++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 59 insertions(+)
+ create mode 100644 drivers/hid/hid-topre.c
+
+diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig
+index 88bb59ba58cd..d64a2799331e 100644
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -943,6 +943,12 @@ config HID_TOPSEED
+ Say Y if you have a TopSeed Cyberlink or BTC Emprex or Conceptronic
+ CLLRCMCE remote control.
+
++config HID_TOPRE
++ tristate "Topre REALFORCE keyboards"
++ depends on HID
++ help
++ Say Y for N-key rollover support on Topre REALFORCE R2 108 key keyboards.
++
+ config HID_THINGM
+ tristate "ThingM blink(1) USB RGB LED"
+ depends on HID
+diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile
+index bd7ac53b75c5..9493ea3a3898 100644
+--- a/drivers/hid/Makefile
++++ b/drivers/hid/Makefile
+@@ -106,6 +106,7 @@ obj-$(CONFIG_HID_GREENASIA) += hid-gaff.o
+ obj-$(CONFIG_HID_THRUSTMASTER) += hid-tmff.o
+ obj-$(CONFIG_HID_TIVO) += hid-tivo.o
+ obj-$(CONFIG_HID_TOPSEED) += hid-topseed.o
++obj-$(CONFIG_HID_TOPRE) += hid-topre.o
+ obj-$(CONFIG_HID_TWINHAN) += hid-twinhan.o
+ obj-$(CONFIG_HID_UCLOGIC) += hid-uclogic.o
+ obj-$(CONFIG_HID_UDRAW_PS3) += hid-udraw-ps3.o
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 70079d29822b..ab95d952bcc2 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1123,6 +1123,9 @@
+ #define USB_DEVICE_ID_TIVO_SLIDE 0x1201
+ #define USB_DEVICE_ID_TIVO_SLIDE_PRO 0x1203
+
++#define USB_VENDOR_ID_TOPRE 0x0853
++#define USB_DEVICE_ID_TOPRE_REALFORCE_R2_108 0x0148
++
+ #define USB_VENDOR_ID_TOPSEED 0x0766
+ #define USB_DEVICE_ID_TOPSEED_CYBERLINK 0x0204
+
+diff --git a/drivers/hid/hid-topre.c b/drivers/hid/hid-topre.c
+new file mode 100644
+index 000000000000..88a91cdad5f8
+--- /dev/null
++++ b/drivers/hid/hid-topre.c
+@@ -0,0 +1,49 @@
++// SPDX-License-Identifier: GPL-2.0+
++/*
++ * HID driver for Topre REALFORCE Keyboards
++ *
++ * Copyright (c) 2022 Harry Stern <harry@harrystern.net>
++ *
++ * Based on the hid-macally driver
++ */
++
++#include <linux/hid.h>
++#include <linux/module.h>
++
++#include "hid-ids.h"
++
++MODULE_AUTHOR("Harry Stern <harry@harrystern.net>");
++MODULE_DESCRIPTION("REALFORCE R2 Keyboard driver");
++MODULE_LICENSE("GPL");
++
++/*
++ * Fix the REALFORCE R2's non-boot interface's report descriptor to match the
++ * events it's actually sending. It claims to send array events but is instead
++ * sending variable events.
++ */
++static __u8 *topre_report_fixup(struct hid_device *hdev, __u8 *rdesc,
++ unsigned int *rsize)
++{
++ if (*rsize >= 119 && rdesc[69] == 0x29 && rdesc[70] == 0xe7 &&
++ rdesc[71] == 0x81 && rdesc[72] == 0x00) {
++ hid_info(hdev,
++ "fixing up Topre REALFORCE keyboard report descriptor\n");
++ rdesc[72] = 0x02;
++ }
++ return rdesc;
++}
++
++static const struct hid_device_id topre_id_table[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_TOPRE,
++ USB_DEVICE_ID_TOPRE_REALFORCE_R2_108) },
++ { }
++};
++MODULE_DEVICE_TABLE(hid, topre_id_table);
++
++static struct hid_driver topre_driver = {
++ .name = "topre",
++ .id_table = topre_id_table,
++ .report_fixup = topre_report_fixup,
++};
++
++module_hid_driver(topre_driver);
+--
+2.35.1
+
--- /dev/null
+From 852f4ca6dd8d476224fa389f7b7b4fe947af67b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Apr 2022 08:52:32 +0000
+Subject: HSI: omap_ssi: Fix refcount leak in ssi_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 9a2ea132df860177b33c9fd421b26c4e9a0a9396 ]
+
+When returning or breaking early from a
+for_each_available_child_of_node() loop, we need to explicitly call
+of_node_put() on the child node to possibly release the node.
+
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index 129c5e6bc654..15ecc4bc8de6 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -560,6 +560,7 @@ static int ssi_probe(struct platform_device *pd)
+ if (!childpdev) {
+ err = -ENODEV;
+ dev_err(&pd->dev, "failed to create ssi controller port\n");
++ of_node_put(child);
+ goto out3;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From d5d6be79a48064f6fd9ede28d8b56e6bec71a83f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 12:12:27 +0200
+Subject: HSI: omap_ssi_port: Fix dma_map_sg error check
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+[ Upstream commit 551e325bbd3fb8b5a686ac1e6cf76e5641461cf2 ]
+
+dma_map_sg return 0 on error, in case of error return -EIO
+to caller.
+
+Cc: Sebastian Reichel <sre@kernel.org>
+Cc: linux-kernel@vger.kernel.org (open list)
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/controllers/omap_ssi_port.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_port.c b/drivers/hsi/controllers/omap_ssi_port.c
+index 2ada82d2ec8c..e6149fd43b62 100644
+--- a/drivers/hsi/controllers/omap_ssi_port.c
++++ b/drivers/hsi/controllers/omap_ssi_port.c
+@@ -253,10 +253,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ if (msg->ttype == HSI_MSG_READ) {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_FROM_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_DST_BURST_4x32_BIT | SSI_DST_MEMORY_PORT |
+ SSI_SRC_SINGLE_ACCESS0 | SSI_SRC_PERIPHERAL_PORT |
+@@ -270,10 +270,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ } else {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_TO_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_SRC_BURST_4x32_BIT | SSI_SRC_MEMORY_PORT |
+ SSI_DST_SINGLE_ACCESS0 | SSI_DST_PERIPHERAL_PORT |
+--
+2.35.1
+
--- /dev/null
+From 1c929ec661fd5d2083fe203dad8383fd5dc46000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 15:48:01 +0800
+Subject: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit b28dbcb379e6a7f80262c2732a57681b1ee548ca ]
+
+ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When
+hsi_register_port_event() gets some error and returns a negetive value,
+the HSI client's port should be released with hsi_release_port().
+
+Fix it by calling hsi_release_port() when hsi_register_port_event() fails.
+
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/clients/ssi_protocol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c
+index 561abf7bdf1f..2d2175fd150f 100644
+--- a/drivers/hsi/clients/ssi_protocol.c
++++ b/drivers/hsi/clients/ssi_protocol.c
+@@ -942,6 +942,7 @@ static int ssip_pn_open(struct net_device *dev)
+ if (err < 0) {
+ dev_err(&cl->device, "Register HSI port event failed (%d)\n",
+ err);
++ hsi_release_port(cl);
+ return err;
+ }
+ dev_dbg(&cl->device, "Configuring SSI port\n");
+--
+2.35.1
+
--- /dev/null
+From 5ecdb25dee2df4e1c0000fda9cc3efcda174a666 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 17:14:57 +0800
+Subject: IB/rdmavt: Add __init/__exit annotations to module init/exit funcs
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 78657a445ca7603024348781c921f8ecaee10a49 ]
+
+Add missing __init/__exit annotations to module init/exit funcs.
+
+Fixes: 0194621b2253 ("IB/rdmavt: Create module framework and handle driver registration")
+Link: https://lore.kernel.org/r/20220924091457.52446-1-xiujianfeng@huawei.com
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rdmavt/vt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c
+index 541ee30727aa..e6d85fcc2624 100644
+--- a/drivers/infiniband/sw/rdmavt/vt.c
++++ b/drivers/infiniband/sw/rdmavt/vt.c
+@@ -57,7 +57,7 @@
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("RDMA Verbs Transport Library");
+
+-static int rvt_init(void)
++static int __init rvt_init(void)
+ {
+ int ret = rvt_driver_cq_init();
+
+@@ -68,7 +68,7 @@ static int rvt_init(void)
+ }
+ module_init(rvt_init);
+
+-static void rvt_cleanup(void)
++static void __exit rvt_cleanup(void)
+ {
+ rvt_cq_exit();
+ }
+--
+2.35.1
+
--- /dev/null
+From 19e3d6b6b02fe11ffd15ce72ffead1f0ef3c82c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Aug 2018 06:29:44 -0700
+Subject: ice: Rework flex descriptor programming
+
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+
+[ Upstream commit 22ef683b48182f4d6125a2fb2725eb8a141514ff ]
+
+The driver can support two flex descriptor profiles, ICE_RXDID_FLEX_NIC
+and ICE_RXDID_FLEX_NIC_2. This patch reworks the current flex programming
+logic to add support for the latter profile.
+
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Stable-dep-of: c5783af35468 ("sh: machvec: Use char[] for section boundaries")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 102 ++++++++++++++----
+ .../net/ethernet/intel/ice/ice_lan_tx_rx.h | 24 +++--
+ 2 files changed, 92 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
+index f8d00263d901..72a6f22ee423 100644
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -7,16 +7,16 @@
+
+ #define ICE_PF_RESET_WAIT_COUNT 200
+
+-#define ICE_NIC_FLX_ENTRY(hw, mdid, idx) \
+- wr32((hw), GLFLXP_RXDID_FLX_WRD_##idx(ICE_RXDID_FLEX_NIC), \
++#define ICE_PROG_FLEX_ENTRY(hw, rxdid, mdid, idx) \
++ wr32((hw), GLFLXP_RXDID_FLX_WRD_##idx(rxdid), \
+ ((ICE_RX_OPC_MDID << \
+ GLFLXP_RXDID_FLX_WRD_##idx##_RXDID_OPCODE_S) & \
+ GLFLXP_RXDID_FLX_WRD_##idx##_RXDID_OPCODE_M) | \
+ (((mdid) << GLFLXP_RXDID_FLX_WRD_##idx##_PROT_MDID_S) & \
+ GLFLXP_RXDID_FLX_WRD_##idx##_PROT_MDID_M))
+
+-#define ICE_NIC_FLX_FLG_ENTRY(hw, flg_0, flg_1, flg_2, flg_3, idx) \
+- wr32((hw), GLFLXP_RXDID_FLAGS(ICE_RXDID_FLEX_NIC, idx), \
++#define ICE_PROG_FLG_ENTRY(hw, rxdid, flg_0, flg_1, flg_2, flg_3, idx) \
++ wr32((hw), GLFLXP_RXDID_FLAGS(rxdid, idx), \
+ (((flg_0) << GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_S) & \
+ GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_M) | \
+ (((flg_1) << GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_1_S) & \
+@@ -290,30 +290,85 @@ ice_aq_get_link_info(struct ice_port_info *pi, bool ena_lse,
+ }
+
+ /**
+- * ice_init_flex_parser - initialize rx flex parser
++ * ice_init_flex_flags
+ * @hw: pointer to the hardware structure
++ * @prof_id: Rx Descriptor Builder profile ID
+ *
+- * Function to initialize flex descriptors
++ * Function to initialize Rx flex flags
+ */
+-static void ice_init_flex_parser(struct ice_hw *hw)
++static void ice_init_flex_flags(struct ice_hw *hw, enum ice_rxdid prof_id)
+ {
+ u8 idx = 0;
+
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_HASH_LOW, 0);
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_HASH_HIGH, 1);
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_FLOW_ID_LOWER, 2);
+- ICE_NIC_FLX_ENTRY(hw, ICE_RX_MDID_FLOW_ID_HIGH, 3);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_PKT_FRG, ICE_RXFLG_UDP_GRE,
+- ICE_RXFLG_PKT_DSI, ICE_RXFLG_FIN, idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_SYN, ICE_RXFLG_RST,
+- ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI,
+- ICE_RXFLG_EVLAN_x8100, ICE_RXFLG_EVLAN_x9100,
+- idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_VLAN_x8100, ICE_RXFLG_TNL_VLAN,
+- ICE_RXFLG_TNL_MAC, ICE_RXFLG_TNL0, idx++);
+- ICE_NIC_FLX_FLG_ENTRY(hw, ICE_RXFLG_TNL1, ICE_RXFLG_TNL2,
+- ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx);
++ /* Flex-flag fields (0-2) are programmed with FLG64 bits with layout:
++ * flexiflags0[5:0] - TCP flags, is_packet_fragmented, is_packet_UDP_GRE
++ * flexiflags1[3:0] - Not used for flag programming
++ * flexiflags2[7:0] - Tunnel and VLAN types
++ * 2 invalid fields in last index
++ */
++ switch (prof_id) {
++ /* Rx flex flags are currently programmed for the NIC profiles only.
++ * Different flag bit programming configurations can be added per
++ * profile as needed.
++ */
++ case ICE_RXDID_FLEX_NIC:
++ case ICE_RXDID_FLEX_NIC_2:
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_PKT_FRG,
++ ICE_RXFLG_UDP_GRE, ICE_RXFLG_PKT_DSI,
++ ICE_RXFLG_FIN, idx++);
++ /* flex flag 1 is not used for flexi-flag programming, skipping
++ * these four FLG64 bits.
++ */
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_SYN, ICE_RXFLG_RST,
++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx++);
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_PKT_DSI,
++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_EVLAN_x8100,
++ ICE_RXFLG_EVLAN_x9100, idx++);
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_VLAN_x8100,
++ ICE_RXFLG_TNL_VLAN, ICE_RXFLG_TNL_MAC,
++ ICE_RXFLG_TNL0, idx++);
++ ICE_PROG_FLG_ENTRY(hw, prof_id, ICE_RXFLG_TNL1, ICE_RXFLG_TNL2,
++ ICE_RXFLG_PKT_DSI, ICE_RXFLG_PKT_DSI, idx);
++ break;
++
++ default:
++ ice_debug(hw, ICE_DBG_INIT,
++ "Flag programming for profile ID %d not supported\n",
++ prof_id);
++ }
++}
++
++/**
++ * ice_init_flex_flds
++ * @hw: pointer to the hardware structure
++ * @prof_id: Rx Descriptor Builder profile ID
++ *
++ * Function to initialize flex descriptors
++ */
++static void ice_init_flex_flds(struct ice_hw *hw, enum ice_rxdid prof_id)
++{
++ enum ice_flex_rx_mdid mdid;
++
++ switch (prof_id) {
++ case ICE_RXDID_FLEX_NIC:
++ case ICE_RXDID_FLEX_NIC_2:
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_HASH_LOW, 0);
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_HASH_HIGH, 1);
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, ICE_RX_MDID_FLOW_ID_LOWER, 2);
++
++ mdid = (prof_id == ICE_RXDID_FLEX_NIC_2) ?
++ ICE_RX_MDID_SRC_VSI : ICE_RX_MDID_FLOW_ID_HIGH;
++
++ ICE_PROG_FLEX_ENTRY(hw, prof_id, mdid, 3);
++
++ ice_init_flex_flags(hw, prof_id);
++ break;
++
++ default:
++ ice_debug(hw, ICE_DBG_INIT,
++ "Field init for profile ID %d not supported\n",
++ prof_id);
++ }
+ }
+
+ /**
+@@ -494,7 +549,8 @@ enum ice_status ice_init_hw(struct ice_hw *hw)
+ if (status)
+ goto err_unroll_fltr_mgmt_struct;
+
+- ice_init_flex_parser(hw);
++ ice_init_flex_flds(hw, ICE_RXDID_FLEX_NIC);
++ ice_init_flex_flds(hw, ICE_RXDID_FLEX_NIC_2);
+
+ return 0;
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+index 068dbc740b76..94504023d86e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
++++ b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+@@ -188,23 +188,25 @@ struct ice_32b_rx_flex_desc_nic {
+ * with a specific metadata (profile 7 reserved for HW)
+ */
+ enum ice_rxdid {
+- ICE_RXDID_START = 0,
+- ICE_RXDID_LEGACY_0 = ICE_RXDID_START,
+- ICE_RXDID_LEGACY_1,
+- ICE_RXDID_FLX_START,
+- ICE_RXDID_FLEX_NIC = ICE_RXDID_FLX_START,
+- ICE_RXDID_FLX_LAST = 63,
+- ICE_RXDID_LAST = ICE_RXDID_FLX_LAST
++ ICE_RXDID_LEGACY_0 = 0,
++ ICE_RXDID_LEGACY_1 = 1,
++ ICE_RXDID_FLEX_NIC = 2,
++ ICE_RXDID_FLEX_NIC_2 = 6,
++ ICE_RXDID_HW = 7,
++ ICE_RXDID_LAST = 63,
+ };
+
+ /* Receive Flex Descriptor Rx opcode values */
+ #define ICE_RX_OPC_MDID 0x01
+
+ /* Receive Descriptor MDID values */
+-#define ICE_RX_MDID_FLOW_ID_LOWER 5
+-#define ICE_RX_MDID_FLOW_ID_HIGH 6
+-#define ICE_RX_MDID_HASH_LOW 56
+-#define ICE_RX_MDID_HASH_HIGH 57
++enum ice_flex_rx_mdid {
++ ICE_RX_MDID_FLOW_ID_LOWER = 5,
++ ICE_RX_MDID_FLOW_ID_HIGH,
++ ICE_RX_MDID_SRC_VSI = 19,
++ ICE_RX_MDID_HASH_LOW = 56,
++ ICE_RX_MDID_HASH_HIGH,
++};
+
+ /* Rx Flag64 packet flag bits */
+ enum ice_rx_flg64_bits {
+--
+2.35.1
+
--- /dev/null
+From 80942c5d808bab17705a03802fa487b8b93cb82f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Jun 2022 13:29:23 +0100
+Subject: iio: ABI: Fix wrong format of differential capacitance channel ABI.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 1efc41035f1841acf0af2bab153158e27ce94f10 ]
+
+in_ only occurs once in these attributes.
+
+Fixes: 0baf29d658c7 ("staging:iio:documentation Add abi docs for capacitance adcs.")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220626122938.582107-3-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-iio | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio
+index d10bcca6c3fb..b3adbb33a868 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio
++++ b/Documentation/ABI/testing/sysfs-bus-iio
+@@ -135,7 +135,7 @@ Description:
+ Raw capacitance measurement from channel Y. Units after
+ application of scale and offset are nanofarads.
+
+-What: /sys/.../iio:deviceX/in_capacitanceY-in_capacitanceZ_raw
++What: /sys/.../iio:deviceX/in_capacitanceY-capacitanceZ_raw
+ KernelVersion: 3.2
+ Contact: linux-iio@vger.kernel.org
+ Description:
+--
+2.35.1
+
--- /dev/null
+From ba524bcd2e076cb8f9944f854e0a9697753b6e3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 13:28:38 +0300
+Subject: iio: adc: at91-sama5d2_adc: check return status for pressure and
+ touch
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit d84ace944a3b24529798dbae1340dea098473155 ]
+
+Check return status of at91_adc_read_position() and
+at91_adc_read_pressure() in at91_adc_read_info_raw().
+
+Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220803102855.2191070-3-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index 141badb8707e..b355899f54cc 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -1329,8 +1329,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ *val = tmp_val;
+ mutex_unlock(&st->lock);
+ iio_device_release_direct_mode(indio_dev);
++ if (ret > 0)
++ ret = at91_adc_adjust_val_osr(st, val);
+
+- return at91_adc_adjust_val_osr(st, val);
++ return ret;
+ }
+ if (chan->type == IIO_PRESSURE) {
+ ret = iio_device_claim_direct_mode(indio_dev);
+@@ -1343,8 +1345,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ *val = tmp_val;
+ mutex_unlock(&st->lock);
+ iio_device_release_direct_mode(indio_dev);
++ if (ret > 0)
++ ret = at91_adc_adjust_val_osr(st, val);
+
+- return at91_adc_adjust_val_osr(st, val);
++ return ret;
+ }
+
+ /* in this case we have a voltage channel */
+--
+2.35.1
+
--- /dev/null
+From af6413a78835666afcff2b279b94b967e53400cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 13:28:37 +0300
+Subject: iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit bb73d5d9164c57c4bb916739a98e5cd8e0a5ed8c ]
+
+All ADC HW versions handled by this driver (SAMA5D2, SAM9X60, SAMA7G5)
+have MR.TRACKTIM on 4 bits. Fix AT91_SAMA5D2_MR_TRACKTIM_MAX to reflect
+this.
+
+Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220803102855.2191070-2-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index 129c3adad4c0..141badb8707e 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -81,7 +81,7 @@
+ #define AT91_SAMA5D2_MR_ANACH BIT(23)
+ /* Tracking Time */
+ #define AT91_SAMA5D2_MR_TRACKTIM(v) ((v) << 24)
+-#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xff
++#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xf
+ /* Transfer Time */
+ #define AT91_SAMA5D2_MR_TRANSFER(v) ((v) << 28)
+ #define AT91_SAMA5D2_MR_TRANSFER_MAX 0x3
+--
+2.35.1
+
--- /dev/null
+From 07ea3e066ffa87eee074883edfcb437c604b12ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jul 2022 14:28:49 +0200
+Subject: iio: inkern: only release the device node when done with it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ]
+
+'of_node_put()' can potentially release the memory pointed to by
+'iiospec.np' which would leave us with an invalid pointer (and we would
+still pass it in 'of_xlate()'). Note that it is not guaranteed for the
+of_node lifespan to be attached to the device (to which is attached)
+lifespan so that there is (even though very unlikely) the possibility
+for the node to be freed while the device is still around. Thus, as there
+are indeed some of_xlate users which do access the node, a race is indeed
+possible.
+
+As such, we can only release the node after we are done with it.
+
+Fixes: 17d82b47a215d ("iio: Add OF support")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/inkern.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
+index a8ccc6e5a773..5108b0504616 100644
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -139,9 +139,10 @@ static int __of_iio_channel_get(struct iio_channel *channel,
+
+ idev = bus_find_device(&iio_bus_type, NULL, iiospec.np,
+ iio_dev_node_match);
+- of_node_put(iiospec.np);
+- if (idev == NULL)
++ if (idev == NULL) {
++ of_node_put(iiospec.np);
+ return -EPROBE_DEFER;
++ }
+
+ indio_dev = dev_to_iio_dev(idev);
+ channel->indio_dev = indio_dev;
+@@ -149,6 +150,7 @@ static int __of_iio_channel_get(struct iio_channel *channel,
+ index = indio_dev->info->of_xlate(indio_dev, &iiospec);
+ else
+ index = __of_iio_simple_xlate(indio_dev, &iiospec);
++ of_node_put(iiospec.np);
+ if (index < 0)
+ goto err_put;
+ channel->channel = &indio_dev->channels[index];
+--
+2.35.1
+
--- /dev/null
+From 9348c14f56d3438169fdf237e60756be66bca409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 12:47:20 +0100
+Subject: iommu/iova: Fix module config properly
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 4f58330fcc8482aa90674e1f40f601e82f18ed4a ]
+
+IOMMU_IOVA is intended to be an optional library for users to select as
+and when they desire. Since it can be a module now, this means that
+built-in code which has chosen not to select it should not fail to link
+if it happens to have selected as a module by someone else. Replace
+IS_ENABLED() with IS_REACHABLE() to do the right thing.
+
+CC: Thierry Reding <thierry.reding@gmail.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Fixes: 15bbdec3931e ("iommu: Make the iova library a module")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/548c2f683ca379aface59639a8f0cccc3a1ac050.1663069227.git.robin.murphy@arm.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/iova.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/iova.h b/include/linux/iova.h
+index 84fbe73d2ec0..8d4616c532da 100644
+--- a/include/linux/iova.h
++++ b/include/linux/iova.h
+@@ -133,7 +133,7 @@ static inline unsigned long iova_pfn(struct iova_domain *iovad, dma_addr_t iova)
+ return iova >> iova_shift(iovad);
+ }
+
+-#if IS_ENABLED(CONFIG_IOMMU_IOVA)
++#if IS_REACHABLE(CONFIG_IOMMU_IOVA)
+ int iova_cache_get(void);
+ void iova_cache_put(void);
+
+--
+2.35.1
+
--- /dev/null
+From 89fb385cb702394dbc17a6ab42b00286d143d137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 17:32:39 +0300
+Subject: iommu/omap: Fix buffer overflow in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 184233a5202786b20220acd2d04ddf909ef18f29 ]
+
+There are two issues here:
+
+1) The "len" variable needs to be checked before the very first write.
+ Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
+ buffer overflow.
+2) The snprintf() function returns the number of bytes that *would* have
+ been copied if there were enough space. But we want to know the
+ number of bytes which were *actually* copied so use scnprintf()
+ instead.
+
+Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/omap-iommu-debug.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
+index 5ce55fabc9d8..726702d01522 100644
+--- a/drivers/iommu/omap-iommu-debug.c
++++ b/drivers/iommu/omap-iommu-debug.c
+@@ -35,12 +35,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
+ ssize_t bytes; \
+ const char *str = "%20s: %08x\n"; \
+ const int maxcol = 32; \
+- bytes = snprintf(p, maxcol, str, __stringify(name), \
++ if (len < maxcol) \
++ goto out; \
++ bytes = scnprintf(p, maxcol, str, __stringify(name), \
+ iommu_read_reg(obj, MMU_##name)); \
+ p += bytes; \
+ len -= bytes; \
+- if (len < maxcol) \
+- goto out; \
+ } while (0)
+
+ static ssize_t
+--
+2.35.1
+
--- /dev/null
+From ec93fcf1db7a5c7756437e75f6d0e7c34f5b7790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 17:07:08 +0800
+Subject: libbpf: Fix overrun in netlink attribute iteration
+
+From: Xin Liu <liuxin350@huawei.com>
+
+[ Upstream commit 51e05a8cf8eb34da7473823b7f236a77adfef0b4 ]
+
+I accidentally found that a change in commit 1045b03e07d8 ("netlink: fix
+overrun in attribute iteration") was not synchronized to the function
+`nla_ok` in tools/lib/bpf/nlattr.c, I think it is necessary to modify,
+this patch will do it.
+
+Signed-off-by: Xin Liu <liuxin350@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20220930090708.62394-1-liuxin350@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/nlattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c
+index 4719434278b2..869b2fe14726 100644
+--- a/tools/lib/bpf/nlattr.c
++++ b/tools/lib/bpf/nlattr.c
+@@ -41,7 +41,7 @@ static struct nlattr *nla_next(const struct nlattr *nla, int *remaining)
+
+ static int nla_ok(const struct nlattr *nla, int remaining)
+ {
+- return remaining >= sizeof(*nla) &&
++ return remaining >= (int)sizeof(*nla) &&
+ nla->nla_len >= sizeof(*nla) &&
+ nla->nla_len <= remaining;
+ }
+--
+2.35.1
+
--- /dev/null
+From 119e57ad2d4ff86a6d55b34d4ea95b61ece79fe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 12:13:35 +0200
+Subject: mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+[ Upstream commit 6b207ce8a96a71e966831e3a13c38143ba9a73c1 ]
+
+dma_map_sg return 0 on error, fix the error check, and return -EIO
+to caller.
+
+Fixes: dbc049eee730 ("mailbox: Add driver for Broadcom FlexRM ring manager")
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/bcm-flexrm-mailbox.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mailbox/bcm-flexrm-mailbox.c b/drivers/mailbox/bcm-flexrm-mailbox.c
+index 96bcabfebc23..543c4a4a8fca 100644
+--- a/drivers/mailbox/bcm-flexrm-mailbox.c
++++ b/drivers/mailbox/bcm-flexrm-mailbox.c
+@@ -634,15 +634,15 @@ static int flexrm_spu_dma_map(struct device *dev, struct brcm_message *msg)
+
+ rc = dma_map_sg(dev, msg->spu.src, sg_nents(msg->spu.src),
+ DMA_TO_DEVICE);
+- if (rc < 0)
+- return rc;
++ if (!rc)
++ return -EIO;
+
+ rc = dma_map_sg(dev, msg->spu.dst, sg_nents(msg->spu.dst),
+ DMA_FROM_DEVICE);
+- if (rc < 0) {
++ if (!rc) {
+ dma_unmap_sg(dev, msg->spu.src, sg_nents(msg->spu.src),
+ DMA_TO_DEVICE);
+- return rc;
++ return -EIO;
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From c09f8f49f98016afd53720897472ece5951b0780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 09:46:27 -0600
+Subject: md/raid5: Ensure stripe_fill happens on non-read IO with journal
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+[ Upstream commit e2eed85bc75138a9eeb63863d20f8904ac42a577 ]
+
+When doing degrade/recover tests using the journal a kernel BUG
+is hit at drivers/md/raid5.c:4381 in handle_parity_checks5():
+
+ BUG_ON(!test_bit(R5_UPTODATE, &dev->flags));
+
+This was found to occur because handle_stripe_fill() was skipped
+for stripes in the journal due to a condition in that function.
+Thus blocks were not fetched and R5_UPTODATE was not set when
+the code reached handle_parity_checks5().
+
+To fix this, don't skip handle_stripe_fill() unless the stripe is
+for read.
+
+Fixes: 07e83364845e ("md/r5cache: shift complex rmw from read path to write path")
+Link: https://lore.kernel.org/linux-raid/e05c4239-41a9-d2f7-3cfa-4aa9d2cea8c1@deltatee.com/
+Suggested-by: Song Liu <song@kernel.org>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 6f04473f0838..3310f670a4ab 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3723,7 +3723,7 @@ static void handle_stripe_fill(struct stripe_head *sh,
+ * back cache (prexor with orig_page, and then xor with
+ * page) in the read path
+ */
+- if (s->injournal && s->failed) {
++ if (s->to_read && s->injournal && s->failed) {
+ if (test_bit(STRIPE_R5C_CACHING, &sh->state))
+ r5c_make_stripe_write_out(sh);
+ goto out;
+--
+2.35.1
+
--- /dev/null
+From d4f288b640e2a4fe669481d4c595bbbb4047c7ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 10:28:37 -0600
+Subject: md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+[ Upstream commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74 ]
+
+A complicated deadlock exists when using the journal and an elevated
+group_thrtead_cnt. It was found with loop devices, but its not clear
+whether it can be seen with real disks. The deadlock can occur simply
+by writing data with an fio script.
+
+When the deadlock occurs, multiple threads will hang in different ways:
+
+ 1) The group threads will hang in the blk-wbt code with bios waiting to
+ be submitted to the block layer:
+
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ __submit_bio+0xe6/0x100
+ submit_bio_noacct_nocheck+0x42e/0x470
+ submit_bio_noacct+0x4c2/0xbb0
+ ops_run_io+0x46b/0x1a30
+ handle_stripe+0xcd3/0x36b0
+ handle_active_stripes.constprop.0+0x6f6/0xa60
+ raid5_do_work+0x177/0x330
+
+ Or:
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ __submit_bio+0xe6/0x100
+ submit_bio_noacct_nocheck+0x42e/0x470
+ submit_bio_noacct+0x4c2/0xbb0
+ flush_deferred_bios+0x136/0x170
+ raid5_do_work+0x262/0x330
+
+ 2) The r5l_reclaim thread will hang in the same way, submitting a
+ bio to the block layer:
+
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ __submit_bio+0xe6/0x100
+ submit_bio_noacct_nocheck+0x42e/0x470
+ submit_bio_noacct+0x4c2/0xbb0
+ submit_bio+0x3f/0xf0
+ md_super_write+0x12f/0x1b0
+ md_update_sb.part.0+0x7c6/0xff0
+ md_update_sb+0x30/0x60
+ r5l_do_reclaim+0x4f9/0x5e0
+ r5l_reclaim_thread+0x69/0x30b
+
+ However, before hanging, the MD_SB_CHANGE_PENDING flag will be
+ set for sb_flags in r5l_write_super_and_discard_space(). This
+ flag will never be cleared because the submit_bio() call never
+ returns.
+
+ 3) Due to the MD_SB_CHANGE_PENDING flag being set, handle_stripe()
+ will do no processing on any pending stripes and re-set
+ STRIPE_HANDLE. This will cause the raid5d thread to enter an
+ infinite loop, constantly trying to handle the same stripes
+ stuck in the queue.
+
+ The raid5d thread has a blk_plug that holds a number of bios
+ that are also stuck waiting seeing the thread is in a loop
+ that never schedules. These bios have been accounted for by
+ blk-wbt thus preventing the other threads above from
+ continuing when they try to submit bios. --Deadlock.
+
+To fix this, add the same wait_event() that is used in raid5_do_work()
+to raid5d() such that if MD_SB_CHANGE_PENDING is set, the thread will
+schedule and wait until the flag is cleared. The schedule action will
+flush the plug which will allow the r5l_reclaim thread to continue,
+thus preventing the deadlock.
+
+However, md_check_recovery() calls can also clear MD_SB_CHANGE_PENDING
+from the same thread and can thus deadlock if the thread is put to
+sleep. So avoid waiting if md_check_recovery() is being called in the
+loop.
+
+It's not clear when the deadlock was introduced, but the similar
+wait_event() call in raid5_do_work() was added in 2017 by this
+commit:
+
+ 16d997b78b15 ("md/raid5: simplfy delaying of writes while metadata
+ is updated.")
+
+Link: https://lore.kernel.org/r/7f3b87b6-b52a-f737-51d7-a4eec5c44112@deltatee.com
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 3310f670a4ab..7fe0619c487a 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -44,6 +44,7 @@
+ */
+
+ #include <linux/blkdev.h>
++#include <linux/delay.h>
+ #include <linux/kthread.h>
+ #include <linux/raid/pq.h>
+ #include <linux/async_tx.h>
+@@ -6329,7 +6330,18 @@ static void raid5d(struct md_thread *thread)
+ spin_unlock_irq(&conf->device_lock);
+ md_check_recovery(mddev);
+ spin_lock_irq(&conf->device_lock);
++
++ /*
++ * Waiting on MD_SB_CHANGE_PENDING below may deadlock
++ * seeing md_check_recovery() is needed to clear
++ * the flag when using mdmon.
++ */
++ continue;
+ }
++
++ wait_event_lock_irq(mddev->sb_wait,
++ !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags),
++ conf->device_lock);
+ }
+ pr_debug("%d stripes handled\n", handled);
+
+--
+2.35.1
+
--- /dev/null
+From 82ebe2cf0474ca79fdafc7ada1f7fa241d916f37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jul 2022 04:23:38 +0200
+Subject: media: cx88: Fix a null-ptr-deref bug in buffer_prepare()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 2b064d91440b33fba5b452f2d1b31f13ae911d71 ]
+
+When the driver calls cx88_risc_buffer() to prepare the buffer, the
+function call may fail, resulting in a empty buffer and null-ptr-deref
+later in buffer_queue().
+
+The following log can reveal it:
+
+[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+[ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500
+[ 41.836311] Call Trace:
+[ 41.836945] __enqueue_in_driver+0x141/0x360
+[ 41.837262] vb2_start_streaming+0x62/0x4a0
+[ 41.838216] vb2_core_streamon+0x1da/0x2c0
+[ 41.838516] __vb2_init_fileio+0x981/0xbc0
+[ 41.839141] __vb2_perform_fileio+0xbf9/0x1120
+[ 41.840072] vb2_fop_read+0x20e/0x400
+[ 41.840346] v4l2_read+0x215/0x290
+[ 41.840603] vfs_read+0x162/0x4c0
+
+Fix this by checking the return value of cx88_risc_buffer()
+
+[hverkuil: fix coding style issues]
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx88/cx88-vbi.c | 9 +++---
+ drivers/media/pci/cx88/cx88-video.c | 43 +++++++++++++++--------------
+ 2 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/media/pci/cx88/cx88-vbi.c b/drivers/media/pci/cx88/cx88-vbi.c
+index 58489ea0c1da..7cf2271866d0 100644
+--- a/drivers/media/pci/cx88/cx88-vbi.c
++++ b/drivers/media/pci/cx88/cx88-vbi.c
+@@ -144,11 +144,10 @@ static int buffer_prepare(struct vb2_buffer *vb)
+ return -EINVAL;
+ vb2_set_plane_payload(vb, 0, size);
+
+- cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl,
+- 0, VBI_LINE_LENGTH * lines,
+- VBI_LINE_LENGTH, 0,
+- lines);
+- return 0;
++ return cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl,
++ 0, VBI_LINE_LENGTH * lines,
++ VBI_LINE_LENGTH, 0,
++ lines);
+ }
+
+ static void buffer_finish(struct vb2_buffer *vb)
+diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c
+index 248fb3b6833c..2bc5080198bb 100644
+--- a/drivers/media/pci/cx88/cx88-video.c
++++ b/drivers/media/pci/cx88/cx88-video.c
+@@ -452,6 +452,7 @@ static int queue_setup(struct vb2_queue *q,
+
+ static int buffer_prepare(struct vb2_buffer *vb)
+ {
++ int ret;
+ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);
+ struct cx8800_dev *dev = vb->vb2_queue->drv_priv;
+ struct cx88_core *core = dev->core;
+@@ -466,35 +467,35 @@ static int buffer_prepare(struct vb2_buffer *vb)
+
+ switch (core->field) {
+ case V4L2_FIELD_TOP:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl, 0, UNSET,
+- buf->bpl, 0, core->height);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl, 0, UNSET,
++ buf->bpl, 0, core->height);
+ break;
+ case V4L2_FIELD_BOTTOM:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl, UNSET, 0,
+- buf->bpl, 0, core->height);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl, UNSET, 0,
++ buf->bpl, 0, core->height);
+ break;
+ case V4L2_FIELD_SEQ_TB:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl,
+- 0, buf->bpl * (core->height >> 1),
+- buf->bpl, 0,
+- core->height >> 1);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl,
++ 0, buf->bpl * (core->height >> 1),
++ buf->bpl, 0,
++ core->height >> 1);
+ break;
+ case V4L2_FIELD_SEQ_BT:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl,
+- buf->bpl * (core->height >> 1), 0,
+- buf->bpl, 0,
+- core->height >> 1);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl,
++ buf->bpl * (core->height >> 1), 0,
++ buf->bpl, 0,
++ core->height >> 1);
+ break;
+ case V4L2_FIELD_INTERLACED:
+ default:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl, 0, buf->bpl,
+- buf->bpl, buf->bpl,
+- core->height >> 1);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl, 0, buf->bpl,
++ buf->bpl, buf->bpl,
++ core->height >> 1);
+ break;
+ }
+ dprintk(2,
+@@ -502,7 +503,7 @@ static int buffer_prepare(struct vb2_buffer *vb)
+ buf, buf->vb.vb2_buf.index,
+ core->width, core->height, dev->fmt->depth, dev->fmt->name,
+ (unsigned long)buf->risc.dma);
+- return 0;
++ return ret;
+ }
+
+ static void buffer_finish(struct vb2_buffer *vb)
+--
+2.35.1
+
--- /dev/null
+From cb558b9d9dee7f70caae2febcdb936d92fb05d3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jul 2022 16:30:03 +0200
+Subject: media: exynos4-is: fimc-is: Add of_node_put() when breaking out of
+ loop
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 211f8304fa21aaedc2c247f0c9d6c7f1aaa61ad7 ]
+
+In fimc_is_register_subdevs(), we need to call of_node_put() for
+the reference 'i2c_bus' when breaking out of the
+for_each_compatible_node() which has increased the refcount.
+
+Fixes: 9a761e436843 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/fimc-is.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-is.c b/drivers/media/platform/exynos4-is/fimc-is.c
+index 0f3f82bd4d20..6f59fe02c727 100644
+--- a/drivers/media/platform/exynos4-is/fimc-is.c
++++ b/drivers/media/platform/exynos4-is/fimc-is.c
+@@ -217,6 +217,7 @@ static int fimc_is_register_subdevs(struct fimc_is *is)
+
+ if (ret < 0 || index >= FIMC_IS_SENSORS_NUM) {
+ of_node_put(child);
++ of_node_put(i2c_bus);
+ return ret;
+ }
+ index++;
+--
+2.35.1
+
--- /dev/null
+From 2fed4a40cad07045f1b6b81ca354da7f765f38b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jul 2022 18:12:36 +0800
+Subject: media: tm6000: Fix unused value in vidioc_try_fmt_vid_cap()
+
+From: Zeng Jingxiang <linuszeng@tencent.com>
+
+[ Upstream commit d682869daa23938b5e8919db45c4b5b227749712 ]
+
+Coverity warns of an unused value:
+
+assigned_value: Assign the value of the variable f->fmt.pix.field
+to field here, but that stored value is overwritten.
+before it can be used.
+919 field = f->fmt.pix.field;
+920
+
+value_overwrite: Overwriting previous write to field with
+the value of V4L2_FIELD_INTERLACED.
+921 field = V4L2_FIELD_INTERLACED;
+
+Fixes: ed57256f6fe8 ("[media] tm6000: fix G/TRY_FMT")
+Signed-off-by: Zeng Jingxiang <linuszeng@tencent.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/tm6000/tm6000-video.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c
+index 62f012841971..102d55d0d067 100644
+--- a/drivers/media/usb/tm6000/tm6000-video.c
++++ b/drivers/media/usb/tm6000/tm6000-video.c
+@@ -926,8 +926,6 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void *priv,
+ return -EINVAL;
+ }
+
+- field = f->fmt.pix.field;
+-
+ field = V4L2_FIELD_INTERLACED;
+
+ tm6000_get_std_res(dev);
+--
+2.35.1
+
--- /dev/null
+From 3b82bebce54b825b499a5df68d739ec476b99330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jun 2022 06:25:14 +0200
+Subject: media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a ]
+
+of_get_child_by_name() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: df3305156f98 ("[media] v4l: xilinx: Add Xilinx Video IP core")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/xilinx/xilinx-vipp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/xilinx/xilinx-vipp.c b/drivers/media/platform/xilinx/xilinx-vipp.c
+index 6d95ec1e9a6b..9177db789b07 100644
+--- a/drivers/media/platform/xilinx/xilinx-vipp.c
++++ b/drivers/media/platform/xilinx/xilinx-vipp.c
+@@ -464,7 +464,7 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev)
+ {
+ struct device_node *ports;
+ struct device_node *port;
+- int ret;
++ int ret = 0;
+
+ ports = of_get_child_by_name(xdev->dev->of_node, "ports");
+ if (ports == NULL) {
+@@ -474,13 +474,14 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev)
+
+ for_each_child_of_node(ports, port) {
+ ret = xvip_graph_dma_init_one(xdev, port);
+- if (ret < 0) {
++ if (ret) {
+ of_node_put(port);
+- return ret;
++ break;
+ }
+ }
+
+- return 0;
++ of_node_put(ports);
++ return ret;
+ }
+
+ static void xvip_graph_cleanup(struct xvip_composite_device *xdev)
+--
+2.35.1
+
--- /dev/null
+From 9004178ae3f15f9d42eb27df005f5734295ec4cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 16:56:39 +0800
+Subject: memory: of: Fix refcount leak bug in of_get_ddr_timings()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 05215fb32010d4afb68fbdbb4d237df6e2d4567b ]
+
+We should add the of_node_put() when breaking out of
+for_each_child_of_node() as it will automatically increase
+and decrease the refcount.
+
+Fixes: e6b42eb6a66c ("memory: emif: add device tree support to emif driver")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220719085640.1210583-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/of_memory.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c
+index 2f5ed7366eec..83a559d48f93 100644
+--- a/drivers/memory/of_memory.c
++++ b/drivers/memory/of_memory.c
+@@ -135,6 +135,7 @@ const struct lpddr2_timings *of_get_ddr_timings(struct device_node *np_ddr,
+ for_each_child_of_node(np_ddr, np_tim) {
+ if (of_device_is_compatible(np_tim, tim_compat)) {
+ if (of_do_get_timings(np_tim, &timings[i])) {
++ of_node_put(np_tim);
+ devm_kfree(dev, timings);
+ goto default_timings;
+ }
+--
+2.35.1
+
--- /dev/null
+From 0036bbaa3fea0b6cacd084c09fc8a5ca30a6bc13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 14:06:23 +0200
+Subject: mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3fa9e4cfb55da512ebfd57336fde468830719298 ]
+
+If devm_of_platform_populate() fails, some resources need to be
+released.
+
+Introduce a mx25_tsadc_unset_irq() function that undoes
+mx25_tsadc_setup_irq() and call it both from the new error handling path
+of the probe and in the remove function.
+
+Fixes: a55196eff6d6 ("mfd: fsl-imx25: Use devm_of_platform_populate()")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/d404e04828fc06bcfddf81f9f3e9b4babbe35415.1659269156.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/fsl-imx25-tsadc.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c
+index dbb85caaafed..2718fcb26786 100644
+--- a/drivers/mfd/fsl-imx25-tsadc.c
++++ b/drivers/mfd/fsl-imx25-tsadc.c
+@@ -89,6 +89,19 @@ static int mx25_tsadc_setup_irq(struct platform_device *pdev,
+ return 0;
+ }
+
++static int mx25_tsadc_unset_irq(struct platform_device *pdev)
++{
++ struct mx25_tsadc *tsadc = platform_get_drvdata(pdev);
++ int irq = platform_get_irq(pdev, 0);
++
++ if (irq) {
++ irq_set_chained_handler_and_data(irq, NULL, NULL);
++ irq_domain_remove(tsadc->domain);
++ }
++
++ return 0;
++}
++
+ static void mx25_tsadc_setup_clk(struct platform_device *pdev,
+ struct mx25_tsadc *tsadc)
+ {
+@@ -176,18 +189,21 @@ static int mx25_tsadc_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, tsadc);
+
+- return devm_of_platform_populate(dev);
++ ret = devm_of_platform_populate(dev);
++ if (ret)
++ goto err_irq;
++
++ return 0;
++
++err_irq:
++ mx25_tsadc_unset_irq(pdev);
++
++ return ret;
+ }
+
+ static int mx25_tsadc_remove(struct platform_device *pdev)
+ {
+- struct mx25_tsadc *tsadc = platform_get_drvdata(pdev);
+- int irq = platform_get_irq(pdev, 0);
+-
+- if (irq) {
+- irq_set_chained_handler_and_data(irq, NULL, NULL);
+- irq_domain_remove(tsadc->domain);
+- }
++ mx25_tsadc_unset_irq(pdev);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 0bc00c75f5b44725c051874c7895910e3eae213c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 14:42:02 +0300
+Subject: mfd: intel_soc_pmic: Fix an error handling path in
+ intel_soc_pmic_i2c_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 48749cabba109397b4e7dd556e85718ec0ec114d ]
+
+The commit in Fixes: has added a pwm_add_table() call in the probe() and
+a pwm_remove_table() call in the remove(), but forget to update the error
+handling path of the probe.
+
+Add the missing pwm_remove_table() call.
+
+Fixes: a3aa9a93df9f ("mfd: intel_soc_pmic_core: ADD PWM lookup table for CRC PMIC based PWM")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20220801114211.36267-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/intel_soc_pmic_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mfd/intel_soc_pmic_core.c b/drivers/mfd/intel_soc_pmic_core.c
+index 274306d98ac1..75a2a793ac14 100644
+--- a/drivers/mfd/intel_soc_pmic_core.c
++++ b/drivers/mfd/intel_soc_pmic_core.c
+@@ -118,6 +118,7 @@ static int intel_soc_pmic_i2c_probe(struct i2c_client *i2c,
+ return 0;
+
+ err_del_irq_chip:
++ pwm_remove_table(crc_pwm_lookup, ARRAY_SIZE(crc_pwm_lookup));
+ regmap_del_irq_chip(pmic->irq, pmic->irq_chip_data);
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 2ed0229307a1c0320dde37b9059a177cb3781186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 11:55:38 +0200
+Subject: mfd: lp8788: Fix an error handling path in lp8788_irq_init() and
+ lp8788_irq_init()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 557244f6284f30613f2d61f14b579303165876c3 ]
+
+In lp8788_irq_init(), if an error occurs after a successful
+irq_domain_add_linear() call, it must be undone by a corresponding
+irq_domain_remove() call.
+
+irq_domain_remove() should also be called in lp8788_irq_exit() for the same
+reason.
+
+Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/bcd5a72c9c1c383dd6324680116426e32737655a.1659261275.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/lp8788-irq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mfd/lp8788-irq.c b/drivers/mfd/lp8788-irq.c
+index 792d51bae20f..ae65928f35f0 100644
+--- a/drivers/mfd/lp8788-irq.c
++++ b/drivers/mfd/lp8788-irq.c
+@@ -179,6 +179,7 @@ int lp8788_irq_init(struct lp8788 *lp, int irq)
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "lp8788-irq", irqd);
+ if (ret) {
++ irq_domain_remove(lp->irqdm);
+ dev_err(lp->dev, "failed to create a thread for IRQ_N\n");
+ return ret;
+ }
+@@ -192,4 +193,6 @@ void lp8788_irq_exit(struct lp8788 *lp)
+ {
+ if (lp->irq)
+ free_irq(lp->irq, lp->irqdm);
++ if (lp->irqdm)
++ irq_domain_remove(lp->irqdm);
+ }
+--
+2.35.1
+
--- /dev/null
+From 72197731a400511518efa39e415da6d84317080e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 11:55:27 +0200
+Subject: mfd: lp8788: Fix an error handling path in lp8788_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit becfdcd75126b20b8ec10066c5e85b34f8994ad5 ]
+
+Should an error occurs in mfd_add_devices(), some resources need to be
+released, as already done in the .remove() function.
+
+Add an error handling path and a lp8788_irq_exit() call to undo a previous
+lp8788_irq_init().
+
+Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/18398722da9df9490722d853e4797350189ae79b.1659261275.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/lp8788.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/lp8788.c b/drivers/mfd/lp8788.c
+index acf616559512..e47150cdf747 100644
+--- a/drivers/mfd/lp8788.c
++++ b/drivers/mfd/lp8788.c
+@@ -199,8 +199,16 @@ static int lp8788_probe(struct i2c_client *cl, const struct i2c_device_id *id)
+ if (ret)
+ return ret;
+
+- return mfd_add_devices(lp->dev, -1, lp8788_devs,
+- ARRAY_SIZE(lp8788_devs), NULL, 0, NULL);
++ ret = mfd_add_devices(lp->dev, -1, lp8788_devs,
++ ARRAY_SIZE(lp8788_devs), NULL, 0, NULL);
++ if (ret)
++ goto err_exit_irq;
++
++ return 0;
++
++err_exit_irq:
++ lp8788_irq_exit(lp);
++ return ret;
+ }
+
+ static int lp8788_remove(struct i2c_client *cl)
+--
+2.35.1
+
--- /dev/null
+From acc8ab349247191819fb70dab3dd5a2e970fc880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 17:11:12 +0800
+Subject: mfd: sm501: Add check for platform_driver_register()
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 8325a6c24ad78b8c1acc3c42b098ee24105d68e5 ]
+
+As platform_driver_register() can return error numbers,
+it should be better to check platform_driver_register()
+and deal with the exception.
+
+Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20220913091112.1739138-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/sm501.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
+index ec1ac61a21ed..6254b4025b5e 100644
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -1738,7 +1738,12 @@ static struct platform_driver sm501_plat_driver = {
+
+ static int __init sm501_base_init(void)
+ {
+- platform_driver_register(&sm501_plat_driver);
++ int ret;
++
++ ret = platform_driver_register(&sm501_plat_driver);
++ if (ret < 0)
++ return ret;
++
+ return pci_register_driver(&sm501_pci_driver);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b63975533d2837ed93effe9897e18380649f1254 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:05:56 -0700
+Subject: MIPS: BCM47XX: Cast memcmp() of function to (void *)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 0dedcf6e3301836eb70cfa649052e7ce4fcd13ba ]
+
+Clang is especially sensitive about argument type matching when using
+__overloaded functions (like memcmp(), etc). Help it see that function
+pointers are just "void *". Avoids this error:
+
+arch/mips/bcm47xx/prom.c:89:8: error: no matching function for call to 'memcmp'
+ if (!memcmp(prom_init, prom_init + mem, 32))
+ ^~~~~~
+include/linux/string.h:156:12: note: candidate function not viable: no known conversion from 'void (void)' to 'const void *' for 1st argument extern int memcmp(const void *,const void *,__kernel_size_t);
+
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: "Rafał Miłecki" <zajec5@gmail.com>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: linux-mips@vger.kernel.org
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: llvm@lists.linux.dev
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/202209080652.sz2d68e5-lkp@intel.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/bcm47xx/prom.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/bcm47xx/prom.c b/arch/mips/bcm47xx/prom.c
+index 135a5407f015..d26d9a6f6ee7 100644
+--- a/arch/mips/bcm47xx/prom.c
++++ b/arch/mips/bcm47xx/prom.c
+@@ -85,7 +85,7 @@ static __init void prom_init_mem(void)
+ pr_debug("Assume 128MB RAM\n");
+ break;
+ }
+- if (!memcmp(prom_init, prom_init + mem, 32))
++ if (!memcmp((void *)prom_init, (void *)prom_init + mem, 32))
+ break;
+ }
+ lowmem = mem;
+@@ -162,7 +162,7 @@ void __init bcm47xx_prom_highmem_init(void)
+
+ off = EXTVBASE + __pa(off);
+ for (extmem = 128 << 20; extmem < 512 << 20; extmem <<= 1) {
+- if (!memcmp(prom_init, (void *)(off + extmem), 16))
++ if (!memcmp((void *)prom_init, (void *)(off + extmem), 16))
+ break;
+ }
+ extmem -= lowmem;
+--
+2.35.1
+
--- /dev/null
+From 05a7f392fa44b39724410c955a8c3a7a70b43e42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 21:39:38 +0800
+Subject: mISDN: fix use-after-free bugs in l1oip timer handlers
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 2568a7e0832ee30b0a351016d03062ab4e0e0a3f ]
+
+The l1oip_cleanup() traverses the l1oip_ilist and calls
+release_card() to cleanup module and stack. However,
+release_card() calls del_timer() to delete the timers
+such as keep_tl and timeout_tl. If the timer handler is
+running, the del_timer() will not stop it and result in
+UAF bugs. One of the processes is shown below:
+
+ (cleanup routine) | (timer handler)
+release_card() | l1oip_timeout()
+ ... |
+ del_timer() | ...
+ ... |
+ kfree(hc) //FREE |
+ | hc->timeout_on = 0 //USE
+
+Fix by calling del_timer_sync() in release_card(), which
+makes sure the timer handlers have finished before the
+resources, such as l1oip and so on, have been deallocated.
+
+What's more, the hc->workq and hc->socket_thread can kick
+those timers right back in. We add a bool flag to show
+if card is released. Then, check this flag in hc->workq
+and hc->socket_thread.
+
+Fixes: 3712b42d4b1b ("Add layer1 over IP support")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/l1oip.h | 1 +
+ drivers/isdn/mISDN/l1oip_core.c | 13 +++++++------
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/l1oip.h b/drivers/isdn/mISDN/l1oip.h
+index 7ea10db20e3a..48133d022812 100644
+--- a/drivers/isdn/mISDN/l1oip.h
++++ b/drivers/isdn/mISDN/l1oip.h
+@@ -59,6 +59,7 @@ struct l1oip {
+ int bundle; /* bundle channels in one frm */
+ int codec; /* codec to use for transmis. */
+ int limit; /* limit number of bchannels */
++ bool shutdown; /* if card is released */
+
+ /* timer */
+ struct timer_list keep_tl;
+diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c
+index b05022f94f18..2f4a01ab25e8 100644
+--- a/drivers/isdn/mISDN/l1oip_core.c
++++ b/drivers/isdn/mISDN/l1oip_core.c
+@@ -289,7 +289,7 @@ l1oip_socket_send(struct l1oip *hc, u8 localcodec, u8 channel, u32 chanmask,
+ p = frame;
+
+ /* restart timer */
+- if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ))
++ if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ) && !hc->shutdown)
+ mod_timer(&hc->keep_tl, jiffies + L1OIP_KEEPALIVE * HZ);
+ else
+ hc->keep_tl.expires = jiffies + L1OIP_KEEPALIVE * HZ;
+@@ -615,7 +615,9 @@ l1oip_socket_parse(struct l1oip *hc, struct sockaddr_in *sin, u8 *buf, int len)
+ goto multiframe;
+
+ /* restart timer */
+- if (time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || !hc->timeout_on) {
++ if ((time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) ||
++ !hc->timeout_on) &&
++ !hc->shutdown) {
+ hc->timeout_on = 1;
+ mod_timer(&hc->timeout_tl, jiffies + L1OIP_TIMEOUT * HZ);
+ } else /* only adjust timer */
+@@ -1247,11 +1249,10 @@ release_card(struct l1oip *hc)
+ {
+ int ch;
+
+- if (timer_pending(&hc->keep_tl))
+- del_timer(&hc->keep_tl);
++ hc->shutdown = true;
+
+- if (timer_pending(&hc->timeout_tl))
+- del_timer(&hc->timeout_tl);
++ del_timer_sync(&hc->keep_tl);
++ del_timer_sync(&hc->timeout_tl);
+
+ cancel_work_sync(&hc->workq);
+
+--
+2.35.1
+
--- /dev/null
+From 8fecf43b0ae3e21dfe77d4db1e482a964a9a237c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 09:33:57 +0200
+Subject: mmc: au1xmmc: Fix an error handling path in au1xmmc_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5cbedf52608cc3cbc1c2a9a861fb671620427a20 ]
+
+If clk_prepare_enable() fails, there is no point in calling
+clk_disable_unprepare() in the error handling path.
+
+Move the out_clk label at the right place.
+
+Fixes: b6507596dfd6 ("MIPS: Alchemy: au1xmmc: use clk framework")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/21d99886d07fa7fcbec74992657dabad98c935c4.1661412818.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/au1xmmc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/au1xmmc.c b/drivers/mmc/host/au1xmmc.c
+index 9b4be67330dd..7cd0551aec78 100644
+--- a/drivers/mmc/host/au1xmmc.c
++++ b/drivers/mmc/host/au1xmmc.c
+@@ -1118,8 +1118,9 @@ static int au1xmmc_probe(struct platform_device *pdev)
+ if (host->platdata && host->platdata->cd_setup &&
+ !(mmc->caps & MMC_CAP_NEEDS_POLL))
+ host->platdata->cd_setup(mmc, 0);
+-out_clk:
++
+ clk_disable_unprepare(host->clk);
++out_clk:
+ clk_put(host->clk);
+ out_irq:
+ free_irq(host->irq, host);
+--
+2.35.1
+
--- /dev/null
+From aafe2155427d4412e1c651eb7cec28c66b8e0c8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:06:40 +0200
+Subject: mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit cb58188ad90a61784a56a64f5107faaf2ad323e7 ]
+
+A dma_free_coherent() call is missing in the error handling path of the
+probe, as already done in the remove function.
+
+Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/53fc6ffa5d1c428fefeae7d313cf4a669c3a1e98.1663873255.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/wmt-sdmmc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c
+index 3ba42f508014..f8b169684693 100644
+--- a/drivers/mmc/host/wmt-sdmmc.c
++++ b/drivers/mmc/host/wmt-sdmmc.c
+@@ -853,7 +853,7 @@ static int wmt_mci_probe(struct platform_device *pdev)
+ if (IS_ERR(priv->clk_sdmmc)) {
+ dev_err(&pdev->dev, "Error getting clock\n");
+ ret = PTR_ERR(priv->clk_sdmmc);
+- goto fail5;
++ goto fail5_and_a_half;
+ }
+
+ ret = clk_prepare_enable(priv->clk_sdmmc);
+@@ -870,6 +870,9 @@ static int wmt_mci_probe(struct platform_device *pdev)
+ return 0;
+ fail6:
+ clk_put(priv->clk_sdmmc);
++fail5_and_a_half:
++ dma_free_coherent(&pdev->dev, mmc->max_blk_count * 16,
++ priv->dma_desc_buffer, priv->dma_desc_device_addr);
+ fail5:
+ free_irq(dma_irq, priv);
+ fail4:
+--
+2.35.1
+
--- /dev/null
+From 6345a9aa1fd63c5c75e9a892eb46717bf24ac88f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 17:16:44 +0800
+Subject: mtd: devices: docg3: check the return value of devm_ioremap() in the
+ probe
+
+From: William Dean <williamsukatube@gmail.com>
+
+[ Upstream commit 26e784433e6c65735cd6d93a8db52531970d9a60 ]
+
+The function devm_ioremap() in docg3_probe() can fail, so
+its return value should be checked.
+
+Fixes: 82402aeb8c81e ("mtd: docg3: Use devm_*() functions")
+Reported-by: Hacash Robot <hacashRobot@santino.com>
+Signed-off-by: William Dean <williamsukatube@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20220722091644.2937953-1-williamsukatube@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/devices/docg3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c
+index 512bd4c2eec0..740a09c9f67a 100644
+--- a/drivers/mtd/devices/docg3.c
++++ b/drivers/mtd/devices/docg3.c
+@@ -1990,9 +1990,14 @@ static int __init docg3_probe(struct platform_device *pdev)
+ dev_err(dev, "No I/O memory resource defined\n");
+ return ret;
+ }
+- base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE);
+
+ ret = -ENOMEM;
++ base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE);
++ if (!base) {
++ dev_err(dev, "devm_ioremap dev failed\n");
++ return ret;
++ }
++
+ cascade = devm_kcalloc(dev, DOC_MAX_NBFLOORS, sizeof(*cascade),
+ GFP_KERNEL);
+ if (!cascade)
+--
+2.35.1
+
--- /dev/null
+From 62ec9354e7dd1c226ac5e4bbdcdedc8d8c5ed5da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 01:35:02 +0900
+Subject: nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 1de7c3cf48fc41cd95adb12bd1ea9033a917798a ]
+
+syzbot reported hung task [1]. The following program is a simplified
+version of the reproducer:
+
+int main(void)
+{
+ int sv[2], fd;
+
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
+ return 1;
+ if ((fd = open("/dev/nbd0", 0)) < 0)
+ return 1;
+ if (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0)
+ return 1;
+ if (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0)
+ return 1;
+ if (ioctl(fd, NBD_DO_IT) < 0)
+ return 1;
+ return 0;
+}
+
+When signal interrupt nbd_start_device_ioctl() waiting the condition
+atomic_read(&config->recv_threads) == 0, the task can hung because it
+waits the completion of the inflight IOs.
+
+This patch fixes the issue by clearing queue, not just shutdown, when
+signal interrupt nbd_start_device_ioctl().
+
+Link: https://syzkaller.appspot.com/bug?id=7d89a3ffacd2b83fdd39549bc4d8e0a89ef21239 [1]
+Reported-by: syzbot+38e6c55d4969a14c1534@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20220907163502.577561-1-syoshida@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 2ef7eec6461c..cc66983e8b6a 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1271,10 +1271,12 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b
+ mutex_unlock(&nbd->config_lock);
+ ret = wait_event_interruptible(config->recv_wq,
+ atomic_read(&config->recv_threads) == 0);
+- if (ret)
++ if (ret) {
+ sock_shutdown(nbd);
+- flush_workqueue(nbd->recv_workq);
++ nbd_clear_que(nbd);
++ }
+
++ flush_workqueue(nbd->recv_workq);
+ mutex_lock(&nbd->config_lock);
+ nbd_bdev_reset(bdev);
+ /* user requested, ignore socket errors */
+--
+2.35.1
+
--- /dev/null
+From 48b355d7bf814f5ba415e32a28cc9d6cde1f7afc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 12:47:19 -0700
+Subject: net: davicom: Fix return type of dm9000_start_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 0191580b000d50089a0b351f7cdbec4866e3d0d2 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of dm9000_start_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20220912194722.809525-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/davicom/dm9000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c
+index 8b07890b0b23..833e27ce4a57 100644
+--- a/drivers/net/ethernet/davicom/dm9000.c
++++ b/drivers/net/ethernet/davicom/dm9000.c
+@@ -1025,7 +1025,7 @@ static void dm9000_send_packet(struct net_device *dev,
+ * Hardware start transmission.
+ * Send a packet to media from the upper layer.
+ */
+-static int
++static netdev_tx_t
+ dm9000_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ unsigned long flags;
+--
+2.35.1
+
--- /dev/null
+From 0d4bcf29e168596a3d1da2c63bb2646589dc4cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 12:50:19 -0700
+Subject: net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 5972ca946098487c5155fe13654743f9010f5ed5 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of emac_dev_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20220912195023.810319-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 566da1e3cfbc..337e38b98d69 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -955,7 +955,7 @@ static void emac_tx_handler(void *token, int len, int status)
+ *
+ * Returns success(NETDEV_TX_OK) or error code (typically out of desc's)
+ */
+-static int emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
++static netdev_tx_t emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
+ {
+ struct device *emac_dev = &ndev->dev;
+ int ret_code;
+--
+2.35.1
+
--- /dev/null
+From c2eefa60d82e2fd17ad7063d79f20e81c8d1cfba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 13:55:13 +0000
+Subject: net: fs_enet: Fix wrong check in do_pd_setup
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit ec3f06b542a960806a81345042e4eee3f8c5dec4 ]
+
+Should check of_iomap return value 'fep->fec.fecp' instead of 'fep->fcc.fccp'
+
+Fixes: 976de6a8c304 ("fs_enet: Be an of_platform device when CONFIG_PPC_CPM_NEW_BINDING is set.")
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fs_enet/mac-fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
+index 99fe2c210d0f..61f4b6e50d29 100644
+--- a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
++++ b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
+@@ -98,7 +98,7 @@ static int do_pd_setup(struct fs_enet_private *fep)
+ return -EINVAL;
+
+ fep->fec.fecp = of_iomap(ofdev->dev.of_node, 0);
+- if (!fep->fcc.fccp)
++ if (!fep->fec.fecp)
+ return -EINVAL;
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 6f26d727337ea3bab1f21879a3cd26080f675bb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 14:37:49 +0300
+Subject: net: ftmac100: fix endianness-related issues from 'sparse'
+
+From: Sergei Antonov <saproj@gmail.com>
+
+[ Upstream commit 9df696b3b3a4c96c3219eb87c7bf03fb50e490b8 ]
+
+Sparse found a number of endianness-related issues of these kinds:
+
+.../ftmac100.c:192:32: warning: restricted __le32 degrades to integer
+
+.../ftmac100.c:208:23: warning: incorrect type in assignment (different base types)
+.../ftmac100.c:208:23: expected unsigned int rxdes0
+.../ftmac100.c:208:23: got restricted __le32 [usertype]
+
+.../ftmac100.c:249:23: warning: invalid assignment: &=
+.../ftmac100.c:249:23: left side has type unsigned int
+.../ftmac100.c:249:23: right side has type restricted __le32
+
+.../ftmac100.c:527:16: warning: cast to restricted __le32
+
+Change type of some fields from 'unsigned int' to '__le32' to fix it.
+
+Signed-off-by: Sergei Antonov <saproj@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220902113749.1408562-1-saproj@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/faraday/ftmac100.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/faraday/ftmac100.h b/drivers/net/ethernet/faraday/ftmac100.h
+index 46a0c47b1ee1..0731d65e856c 100644
+--- a/drivers/net/ethernet/faraday/ftmac100.h
++++ b/drivers/net/ethernet/faraday/ftmac100.h
+@@ -135,9 +135,9 @@
+ * Transmit descriptor, aligned to 16 bytes
+ */
+ struct ftmac100_txdes {
+- unsigned int txdes0;
+- unsigned int txdes1;
+- unsigned int txdes2; /* TXBUF_BADR */
++ __le32 txdes0;
++ __le32 txdes1;
++ __le32 txdes2; /* TXBUF_BADR */
+ unsigned int txdes3; /* not used by HW */
+ } __attribute__ ((aligned(16)));
+
+@@ -156,9 +156,9 @@ struct ftmac100_txdes {
+ * Receive descriptor, aligned to 16 bytes
+ */
+ struct ftmac100_rxdes {
+- unsigned int rxdes0;
+- unsigned int rxdes1;
+- unsigned int rxdes2; /* RXBUF_BADR */
++ __le32 rxdes0;
++ __le32 rxdes1;
++ __le32 rxdes2; /* RXBUF_BADR */
+ unsigned int rxdes3; /* not used by HW */
+ } __attribute__ ((aligned(16)));
+
+--
+2.35.1
+
--- /dev/null
+From 2a07c27f765a132331738fe4cc0744098c67a4fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 21:37:54 +0800
+Subject: net: If sock is dead don't access sock's sk_wq in
+ sk_stream_wait_memory
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 3f8ef65af927db247418d4e1db49164d7a158fc5 ]
+
+Fixes the below NULL pointer dereference:
+
+ [...]
+ [ 14.471200] Call Trace:
+ [ 14.471562] <TASK>
+ [ 14.471882] lock_acquire+0x245/0x2e0
+ [ 14.472416] ? remove_wait_queue+0x12/0x50
+ [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50
+ [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50
+ [ 14.474318] ? remove_wait_queue+0x12/0x50
+ [ 14.474907] remove_wait_queue+0x12/0x50
+ [ 14.475480] sk_stream_wait_memory+0x20d/0x340
+ [ 14.476127] ? do_wait_intr_irq+0x80/0x80
+ [ 14.476704] do_tcp_sendpages+0x287/0x600
+ [ 14.477283] tcp_bpf_push+0xab/0x260
+ [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500
+ [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0
+ [ 14.479096] tcp_bpf_send_verdict+0x105/0x470
+ [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0
+ [ 14.480311] sock_sendmsg+0x2d/0x40
+ [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0
+ [ 14.481390] ? copy_msghdr_from_user+0x62/0x80
+ [ 14.482048] ___sys_sendmsg+0x78/0xb0
+ [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150
+ [ 14.483215] ? __do_fault+0x2a/0x1a0
+ [ 14.483738] ? do_fault+0x15e/0x5d0
+ [ 14.484246] ? __handle_mm_fault+0x56b/0x1040
+ [ 14.484874] ? lock_is_held_type+0xdf/0x130
+ [ 14.485474] ? find_held_lock+0x2d/0x90
+ [ 14.486046] ? __sys_sendmsg+0x41/0x70
+ [ 14.486587] __sys_sendmsg+0x41/0x70
+ [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350
+ [ 14.487822] do_syscall_64+0x34/0x80
+ [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [...]
+
+The test scenario has the following flow:
+
+thread1 thread2
+----------- ---------------
+ tcp_bpf_sendmsg
+ tcp_bpf_send_verdict
+ tcp_bpf_sendmsg_redir sock_close
+ tcp_bpf_push_locked __sock_release
+ tcp_bpf_push //inet_release
+ do_tcp_sendpages sock->ops->release
+ sk_stream_wait_memory // tcp_close
+ sk_wait_event sk->sk_prot->close
+ release_sock(__sk);
+ ***
+ lock_sock(sk);
+ __tcp_close
+ sock_orphan(sk)
+ sk->sk_wq = NULL
+ release_sock
+ ****
+ lock_sock(__sk);
+ remove_wait_queue(sk_sleep(sk), &wait);
+ sk_sleep(sk)
+ //NULL pointer dereference
+ &rcu_dereference_raw(sk->sk_wq)->wait
+
+While waiting for memory in thread1, the socket is released with its wait
+queue because thread2 has closed it. This caused by tcp_bpf_send_verdict
+didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.
+
+We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory
+before accessing the wait queue.
+
+Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index 3d98774cf128..7b411a91a81c 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -159,7 +159,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
+ *timeo_p = current_timeo;
+ }
+ out:
+- remove_wait_queue(sk_sleep(sk), &wait);
++ if (!sock_flag(sk, SOCK_DEAD))
++ remove_wait_queue(sk_sleep(sk), &wait);
+ return err;
+
+ do_error:
+--
+2.35.1
+
--- /dev/null
+From e3eb1efdc92b5ff239d78ba9bbc06ea0075efb33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 14:43:40 -0700
+Subject: net: korina: Fix return type of korina_send_packet
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 106c67ce46f3c82dd276e983668a91d6ed631173 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of korina_send_packet should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20220912214344.928925-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/korina.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
+index 9f804e2aba35..d1bd56f6eecb 100644
+--- a/drivers/net/ethernet/korina.c
++++ b/drivers/net/ethernet/korina.c
+@@ -196,7 +196,8 @@ static void korina_chain_rx(struct korina_private *lp,
+ }
+
+ /* transmit packet */
+-static int korina_send_packet(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t korina_send_packet(struct sk_buff *skb,
++ struct net_device *dev)
+ {
+ struct korina_private *lp = netdev_priv(dev);
+ unsigned long flags;
+--
+2.35.1
+
--- /dev/null
+From dbdcd21615930991234166d382b17e6f13585f22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 16:15:21 +0800
+Subject: net: lantiq_etop: Fix return type for implementation of
+ ndo_start_xmit
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit c8ef3c94bda0e21123202d057d4a299698fa0ed9 ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+ltq_etop_tx() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
+change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Link: https://lore.kernel.org/r/20220902081521.59867-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index e08301d833e2..27671163151c 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -465,7 +465,7 @@ ltq_etop_stop(struct net_device *dev)
+ return 0;
+ }
+
+-static int
++static netdev_tx_t
+ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
+ {
+ int queue = skb_get_queue_mapping(skb);
+--
+2.35.1
+
--- /dev/null
+From 31bb7fa993a2b726f317a4c766c723011a458fc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Oct 2022 17:19:27 +0100
+Subject: net: mvpp2: fix mvpp2 debugfs leak
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 0152dfee235e87660f52a117fc9f70dc55956bb4 ]
+
+When mvpp2 is unloaded, the driver specific debugfs directory is not
+removed, which technically leads to a memory leak. However, this
+directory is only created when the first device is probed, so the
+hardware is present. Removing the module is only something a developer
+would to when e.g. testing out changes, so the module would be
+reloaded. So this memory leak is minor.
+
+The original attempt in commit fe2c9c61f668 ("net: mvpp2: debugfs: fix
+memory leak when using debugfs_lookup()") that was labelled as a memory
+leak fix was not, it fixed a refcount leak, but in doing so created a
+problem when the module is reloaded - the directory already exists, but
+mvpp2_root is NULL, so we lose all debugfs entries. This fix has been
+reverted.
+
+This is the alternative fix, where we remove the offending directory
+whenever the driver is unloaded.
+
+Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser")
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Marcin Wojtas <mw@semihalf.com>
+Link: https://lore.kernel.org/r/E1ofOAB-00CzkG-UO@rmk-PC.armlinux.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 1 +
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 10 ++++++++--
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 13 ++++++++++++-
+ 3 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+index 46911b67b039..23f60bc5d48f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+@@ -1107,5 +1107,6 @@ void mvpp2_percpu_write_relaxed(struct mvpp2 *priv, int cpu, u32 offset,
+ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name);
+
+ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv);
++void mvpp2_dbgfs_exit(void);
+
+ #endif
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+index 87d9cbe10cec..004e0fac5455 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+@@ -648,6 +648,13 @@ static int mvpp2_dbgfs_port_init(struct dentry *parent,
+ return 0;
+ }
+
++static struct dentry *mvpp2_root;
++
++void mvpp2_dbgfs_exit(void)
++{
++ debugfs_remove(mvpp2_root);
++}
++
+ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv)
+ {
+ debugfs_remove_recursive(priv->dbgfs_dir);
+@@ -655,10 +662,9 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv)
+
+ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name)
+ {
+- struct dentry *mvpp2_dir, *mvpp2_root;
++ struct dentry *mvpp2_dir;
+ int ret, i;
+
+- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL);
+ if (!mvpp2_root)
+ mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL);
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 52fdb200a0c7..788fe627e78a 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5417,7 +5417,18 @@ static struct platform_driver mvpp2_driver = {
+ },
+ };
+
+-module_platform_driver(mvpp2_driver);
++static int __init mvpp2_driver_init(void)
++{
++ return platform_driver_register(&mvpp2_driver);
++}
++module_init(mvpp2_driver_init);
++
++static void __exit mvpp2_driver_exit(void)
++{
++ platform_driver_unregister(&mvpp2_driver);
++ mvpp2_dbgfs_exit();
++}
++module_exit(mvpp2_driver_exit);
+
+ MODULE_DESCRIPTION("Marvell PPv2 Ethernet Driver - www.marvell.com");
+ MODULE_AUTHOR("Marcin Wojtas <mw@semihalf.com>");
+--
+2.35.1
+
--- /dev/null
+From 773154772051ec826979e89044c7f254c32a1aba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:25:37 +0900
+Subject: net: rds: don't hold sock lock when cancelling work from
+ rds_tcp_reset_callbacks()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit a91b750fd6629354460282bbf5146c01b05c4859 ]
+
+syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for
+commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in
+rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section
+protected by lock_sock() without realizing that rds_send_xmit() might call
+lock_sock().
+
+We don't need to protect cancel_delayed_work_sync() using lock_sock(), for
+even if rds_{send,recv}_worker() re-queued this work while __flush_work()
+ from cancel_delayed_work_sync() was waiting for this work to complete,
+retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP
+bit.
+
+Link: https://syzkaller.appspot.com/bug?extid=78c55c7bc6f66e53dce2 [1]
+Reported-by: syzbot <syzbot+78c55c7bc6f66e53dce2@syzkaller.appspotmail.com>
+Co-developed-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Tested-by: syzbot <syzbot+78c55c7bc6f66e53dce2@syzkaller.appspotmail.com>
+Fixes: ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rds/tcp.c b/net/rds/tcp.c
+index d4e6466d3989..645cbb17c13a 100644
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -176,10 +176,10 @@ void rds_tcp_reset_callbacks(struct socket *sock,
+ */
+ atomic_set(&cp->cp_state, RDS_CONN_RESETTING);
+ wait_event(cp->cp_waitq, !test_bit(RDS_IN_XMIT, &cp->cp_flags));
+- lock_sock(osock->sk);
+ /* reset receive side state for rds_tcp_data_recv() for osock */
+ cancel_delayed_work_sync(&cp->cp_send_w);
+ cancel_delayed_work_sync(&cp->cp_recv_w);
++ lock_sock(osock->sk);
+ if (tc->t_tinc) {
+ rds_inc_put(&tc->t_tinc->ti_inc);
+ tc->t_tinc = NULL;
+--
+2.35.1
+
--- /dev/null
+From b101b3279930d68f356c5d38822f6e210d01e284 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 16:16:12 +0800
+Subject: net: xscale: Fix return type for implementation of ndo_start_xmit
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit 0dbaf0fa62329d9fe452d9041a707a33f6274f1f ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+eth_xmit() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
+change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Link: https://lore.kernel.org/r/20220902081612.60405-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c
+index aee55c03def0..d2aed667c0da 100644
+--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
++++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
+@@ -835,7 +835,7 @@ static void eth_txdone_irq(void *unused)
+ }
+ }
+
+-static int eth_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t eth_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct port *port = netdev_priv(dev);
+ unsigned int txreadyq = port->plat->txreadyq;
+--
+2.35.1
+
--- /dev/null
+From 47490d4976feda73e1d3c54780a69a2f5e698cd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 13:07:31 +0200
+Subject: netfilter: nft_fib: Fix for rpath check with VRF devices
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 2a8a7c0eaa8747c16aa4a48d573aa920d5c00a5c ]
+
+Analogous to commit b575b24b8eee3 ("netfilter: Fix rpfilter
+dropping vrf packets by mistake") but for nftables fib expression:
+Add special treatment of VRF devices so that typical reverse path
+filtering via 'fib saddr . iif oif' expression works as expected.
+
+Fixes: f6d0cbcf09c50 ("netfilter: nf_tables: add fib expression")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/nft_fib_ipv4.c | 3 +++
+ net/ipv6/netfilter/nft_fib_ipv6.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
+index e50976e3c213..3b2e8ac45d4e 100644
+--- a/net/ipv4/netfilter/nft_fib_ipv4.c
++++ b/net/ipv4/netfilter/nft_fib_ipv4.c
+@@ -95,6 +95,9 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ else
+ oif = NULL;
+
++ if (priv->flags & NFTA_FIB_F_IIF)
++ fl4.flowi4_oif = l3mdev_master_ifindex_rcu(oif);
++
+ if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
+ nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
+ nft_fib_store_result(dest, priv, pkt,
+diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
+index 36be3cf0adef..fa71e40789ed 100644
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -41,6 +41,9 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
+ if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
+ lookup_flags |= RT6_LOOKUP_F_IFACE;
+ fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
++ } else if ((priv->flags & NFTA_FIB_F_IIF) &&
++ (netif_is_l3_master(dev) || netif_is_l3_slave(dev))) {
++ fl6->flowi6_oif = dev->ifindex;
+ }
+
+ if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
+@@ -189,7 +192,8 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
+ goto put_rt_err;
+
+- if (oif && oif != rt->rt6i_idev->dev)
++ if (oif && oif != rt->rt6i_idev->dev &&
++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
+ goto put_rt_err;
+
+ switch (priv->result) {
+--
+2.35.1
+
--- /dev/null
+From d9b0a222e0b98fea2b124c33b2b852c84abafc89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 14:01:50 -0400
+Subject: NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+[ Upstream commit 06981d560606ac48d61e5f4fff6738b925c93173 ]
+
+This was discussed with Chuck as part of this patch set. Returning
+nfserr_resource was decided to not be the best error message here, and
+he suggested changing to nfserr_serverfault instead.
+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Link: https://lore.kernel.org/linux-nfs/20220907195259.926736-1-anna@kernel.org/T/#t
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index f67c5de1aeb8..96b79bd90631 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3594,7 +3594,7 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr,
+ if (resp->xdr.buf->page_len &&
+ test_bit(RQ_SPLICE_OK, &resp->rqstp->rq_flags)) {
+ WARN_ON_ONCE(1);
+- return nfserr_resource;
++ return nfserr_serverfault;
+ }
+ xdr_commit_encode(xdr);
+
+--
+2.35.1
+
--- /dev/null
+From 0314edaaa9242756ce20d148b8e0e5fcf55920d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 12:45:08 -0700
+Subject: nvme: copy firmware_rev on each init
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit a8eb6c1ba48bddea82e8d74cbe6e119f006be97d ]
+
+The firmware revision can change on after a reset so copy the most
+recent info each time instead of just the first time, otherwise the
+sysfs firmware_rev entry may contain stale data.
+
+Reported-by: Jeff Lien <jeff.lien@wdc.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Chao Leng <lengchao@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 582c3b190418..986912e680d8 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2320,7 +2320,6 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id)
+ nvme_init_subnqn(subsys, ctrl, id);
+ memcpy(subsys->serial, id->sn, sizeof(subsys->serial));
+ memcpy(subsys->model, id->mn, sizeof(subsys->model));
+- memcpy(subsys->firmware_rev, id->fr, sizeof(subsys->firmware_rev));
+ subsys->vendor_id = le16_to_cpu(id->vid);
+ subsys->cmic = id->cmic;
+
+@@ -2481,6 +2480,8 @@ int nvme_init_identify(struct nvme_ctrl *ctrl)
+ ctrl->quirks |= core_quirks[i].quirks;
+ }
+ }
++ memcpy(ctrl->subsys->firmware_rev, id->fr,
++ sizeof(ctrl->subsys->firmware_rev));
+
+ if (force_apst && (ctrl->quirks & NVME_QUIRK_NO_DEEPEST_PS)) {
+ dev_warn(ctrl->device, "forcibly allowing all power states due to nvme_core.force_apst -- use at your own risk\n");
+--
+2.35.1
+
--- /dev/null
+From eeffe3813e930d6ebdf7370a37cfc56fe3f15a49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 13:51:02 -0700
+Subject: once: add DO_ONCE_SLOW() for sleepable contexts
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 62c07983bef9d3e78e71189441e1a470f0d1e653 ]
+
+Christophe Leroy reported a ~80ms latency spike
+happening at first TCP connect() time.
+
+This is because __inet_hash_connect() uses get_random_once()
+to populate a perturbation table which became quite big
+after commit 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16")
+
+get_random_once() uses DO_ONCE(), which block hard irqs for the duration
+of the operation.
+
+This patch adds DO_ONCE_SLOW() which uses a mutex instead of a spinlock
+for operations where we prefer to stay in process context.
+
+Then __inet_hash_connect() can use get_random_slow_once()
+to populate its perturbation table.
+
+Fixes: 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16")
+Fixes: 190cc82489f4 ("tcp: change source port randomizarion at connect() time")
+Reported-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://lore.kernel.org/netdev/CANn89iLAEYBaoYajy0Y9UmGFff5GPxDUoG-ErVB2jDdRNQ5Tug@mail.gmail.com/T/#t
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/once.h | 28 ++++++++++++++++++++++++++++
+ lib/once.c | 30 ++++++++++++++++++++++++++++++
+ net/ipv4/inet_hashtables.c | 4 ++--
+ 3 files changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/once.h b/include/linux/once.h
+index ae6f4eb41cbe..bb58e1c3aa03 100644
+--- a/include/linux/once.h
++++ b/include/linux/once.h
+@@ -5,10 +5,18 @@
+ #include <linux/types.h>
+ #include <linux/jump_label.h>
+
++/* Helpers used from arbitrary contexts.
++ * Hard irqs are blocked, be cautious.
++ */
+ bool __do_once_start(bool *done, unsigned long *flags);
+ void __do_once_done(bool *done, struct static_key_true *once_key,
+ unsigned long *flags, struct module *mod);
+
++/* Variant for process contexts only. */
++bool __do_once_slow_start(bool *done);
++void __do_once_slow_done(bool *done, struct static_key_true *once_key,
++ struct module *mod);
++
+ /* Call a function exactly once. The idea of DO_ONCE() is to perform
+ * a function call such as initialization of random seeds, etc, only
+ * once, where DO_ONCE() can live in the fast-path. After @func has
+@@ -52,9 +60,29 @@ void __do_once_done(bool *done, struct static_key_true *once_key,
+ ___ret; \
+ })
+
++/* Variant of DO_ONCE() for process/sleepable contexts. */
++#define DO_ONCE_SLOW(func, ...) \
++ ({ \
++ bool ___ret = false; \
++ static bool __section(".data.once") ___done = false; \
++ static DEFINE_STATIC_KEY_TRUE(___once_key); \
++ if (static_branch_unlikely(&___once_key)) { \
++ ___ret = __do_once_slow_start(&___done); \
++ if (unlikely(___ret)) { \
++ func(__VA_ARGS__); \
++ __do_once_slow_done(&___done, &___once_key, \
++ THIS_MODULE); \
++ } \
++ } \
++ ___ret; \
++ })
++
+ #define get_random_once(buf, nbytes) \
+ DO_ONCE(get_random_bytes, (buf), (nbytes))
+ #define get_random_once_wait(buf, nbytes) \
+ DO_ONCE(get_random_bytes_wait, (buf), (nbytes)) \
+
++#define get_random_slow_once(buf, nbytes) \
++ DO_ONCE_SLOW(get_random_bytes, (buf), (nbytes))
++
+ #endif /* _LINUX_ONCE_H */
+diff --git a/lib/once.c b/lib/once.c
+index 59149bf3bfb4..351f66aad310 100644
+--- a/lib/once.c
++++ b/lib/once.c
+@@ -66,3 +66,33 @@ void __do_once_done(bool *done, struct static_key_true *once_key,
+ once_disable_jump(once_key, mod);
+ }
+ EXPORT_SYMBOL(__do_once_done);
++
++static DEFINE_MUTEX(once_mutex);
++
++bool __do_once_slow_start(bool *done)
++ __acquires(once_mutex)
++{
++ mutex_lock(&once_mutex);
++ if (*done) {
++ mutex_unlock(&once_mutex);
++ /* Keep sparse happy by restoring an even lock count on
++ * this mutex. In case we return here, we don't call into
++ * __do_once_done but return early in the DO_ONCE_SLOW() macro.
++ */
++ __acquire(once_mutex);
++ return false;
++ }
++
++ return true;
++}
++EXPORT_SYMBOL(__do_once_slow_start);
++
++void __do_once_slow_done(bool *done, struct static_key_true *once_key,
++ struct module *mod)
++ __releases(once_mutex)
++{
++ *done = true;
++ mutex_unlock(&once_mutex);
++ once_disable_jump(once_key, mod);
++}
++EXPORT_SYMBOL(__do_once_slow_done);
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 5295a579ec82..70070f1003a0 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -765,8 +765,8 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+ if (likely(remaining > 1))
+ remaining &= ~1U;
+
+- net_get_random_once(table_perturb,
+- INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb));
++ get_random_slow_once(table_perturb,
++ INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb));
+ index = port_offset & (INET_TABLE_PERTURB_SIZE - 1);
+
+ offset = READ_ONCE(table_perturb[index]) + (port_offset >> 32);
+--
+2.35.1
+
--- /dev/null
+From 92911baa50beb5fb22103070833fbd0b001a2f9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 11:06:34 -0400
+Subject: openvswitch: Fix double reporting of drops in dropwatch
+
+From: Mike Pattrick <mkp@redhat.com>
+
+[ Upstream commit 1100248a5c5ccd57059eb8d02ec077e839a23826 ]
+
+Frames sent to userspace can be reported as dropped in
+ovs_dp_process_packet, however, if they are dropped in the netlink code
+then netlink_attachskb will report the same frame as dropped.
+
+This patch checks for error codes which indicate that the frame has
+already been freed.
+
+Signed-off-by: Mike Pattrick <mkp@redhat.com>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index f350faef044d..a9868e97db45 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -249,10 +249,17 @@ void ovs_dp_process_packet(struct sk_buff *skb, struct sw_flow_key *key)
+ upcall.portid = ovs_vport_find_upcall_portid(p, skb);
+ upcall.mru = OVS_CB(skb)->mru;
+ error = ovs_dp_upcall(dp, skb, key, &upcall, 0);
+- if (unlikely(error))
+- kfree_skb(skb);
+- else
++ switch (error) {
++ case 0:
++ case -EAGAIN:
++ case -ERESTARTSYS:
++ case -EINTR:
+ consume_skb(skb);
++ break;
++ default:
++ kfree_skb(skb);
++ break;
++ }
+ stats_counter = &stats->n_missed;
+ goto out;
+ }
+--
+2.35.1
+
--- /dev/null
+From 52ac5440d35a1593a422fe4b3e6c9636f3c342a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 11:06:35 -0400
+Subject: openvswitch: Fix overreporting of drops in dropwatch
+
+From: Mike Pattrick <mkp@redhat.com>
+
+[ Upstream commit c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e ]
+
+Currently queue_userspace_packet will call kfree_skb for all frames,
+whether or not an error occurred. This can result in a single dropped
+frame being reported as multiple drops in dropwatch. This functions
+caller may also call kfree_skb in case of an error. This patch will
+consume the skbs instead and allow caller's to use kfree_skb.
+
+Signed-off-by: Mike Pattrick <mkp@redhat.com>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index a9868e97db45..b4e3db194140 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -526,8 +526,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
+ out:
+ if (err)
+ skb_tx_error(skb);
+- kfree_skb(user_skb);
+- kfree_skb(nskb);
++ consume_skb(user_skb);
++ consume_skb(nskb);
++
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1f75cc4ddf932f3263e391e0c9443cca677c0d1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 13:13:33 +0800
+Subject: phy: qualcomm: call clk_disable_unprepare in the error handling
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit c3966ced8eb8dc53b6c8d7f97d32cc8a2107d83e ]
+
+Smatch reports the following error:
+
+drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on()
+warn: 'uphy->cal_clk' from clk_prepare_enable() not released on lines:
+58.
+drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on()
+warn: 'uphy->cal_sleep_clk' from clk_prepare_enable() not released on
+lines: 58.
+drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on()
+warn: 'uphy->phy_clk' from clk_prepare_enable() not released on lines:
+58.
+
+Fix this by calling proper clk_disable_unprepare calls.
+
+Fixes: 0b56e9a7e835 ("phy: Group vendor specific phy drivers")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20220914051334.69282-1-dzm91@hust.edu.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-usb-hsic.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c
+index c110563a73cb..00926df4bc5b 100644
+--- a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c
++++ b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c
+@@ -57,8 +57,10 @@ static int qcom_usb_hsic_phy_power_on(struct phy *phy)
+
+ /* Configure pins for HSIC functionality */
+ pins_default = pinctrl_lookup_state(uphy->pctl, PINCTRL_STATE_DEFAULT);
+- if (IS_ERR(pins_default))
+- return PTR_ERR(pins_default);
++ if (IS_ERR(pins_default)) {
++ ret = PTR_ERR(pins_default);
++ goto err_ulpi;
++ }
+
+ ret = pinctrl_select_state(uphy->pctl, pins_default);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From afde3af7e325999cacfc4bd97bec2dfb894e9bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Aug 2022 01:08:43 +0300
+Subject: platform/chrome: fix double-free in chromeos_laptop_prepare()
+
+From: Rustam Subkhankulov <subkhankulov@ispras.ru>
+
+[ Upstream commit 6ad4194d6a1e1d11b285989cd648ef695b4a93c0 ]
+
+If chromeos_laptop_prepare_i2c_peripherals() fails after allocating memory
+for 'cros_laptop->i2c_peripherals', this memory is freed at 'err_out' label
+and nonzero value is returned. Then chromeos_laptop_destroy() is called,
+resulting in double-free error.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rustam Subkhankulov <subkhankulov@ispras.ru>
+Fixes: 5020cd29d8bf ("platform/chrome: chromeos_laptop - supply properties for ACPI devices")
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20220813220843.2373004-1-subkhankulov@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/chromeos_laptop.c | 24 ++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/chrome/chromeos_laptop.c b/drivers/platform/chrome/chromeos_laptop.c
+index 24326eecd787..096e8e5b2cde 100644
+--- a/drivers/platform/chrome/chromeos_laptop.c
++++ b/drivers/platform/chrome/chromeos_laptop.c
+@@ -716,6 +716,7 @@ static int __init
+ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
+ const struct chromeos_laptop *src)
+ {
++ struct i2c_peripheral *i2c_peripherals;
+ struct i2c_peripheral *i2c_dev;
+ struct i2c_board_info *info;
+ int i;
+@@ -724,17 +725,15 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
+ if (!src->num_i2c_peripherals)
+ return 0;
+
+- cros_laptop->i2c_peripherals = kmemdup(src->i2c_peripherals,
+- src->num_i2c_peripherals *
+- sizeof(*src->i2c_peripherals),
+- GFP_KERNEL);
+- if (!cros_laptop->i2c_peripherals)
++ i2c_peripherals = kmemdup(src->i2c_peripherals,
++ src->num_i2c_peripherals *
++ sizeof(*src->i2c_peripherals),
++ GFP_KERNEL);
++ if (!i2c_peripherals)
+ return -ENOMEM;
+
+- cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals;
+-
+- for (i = 0; i < cros_laptop->num_i2c_peripherals; i++) {
+- i2c_dev = &cros_laptop->i2c_peripherals[i];
++ for (i = 0; i < src->num_i2c_peripherals; i++) {
++ i2c_dev = &i2c_peripherals[i];
+ info = &i2c_dev->board_info;
+
+ error = chromeos_laptop_setup_irq(i2c_dev);
+@@ -752,16 +751,19 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
+ }
+ }
+
++ cros_laptop->i2c_peripherals = i2c_peripherals;
++ cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals;
++
+ return 0;
+
+ err_out:
+ while (--i >= 0) {
+- i2c_dev = &cros_laptop->i2c_peripherals[i];
++ i2c_dev = &i2c_peripherals[i];
+ info = &i2c_dev->board_info;
+ if (info->properties)
+ property_entries_free(info->properties);
+ }
+- kfree(cros_laptop->i2c_peripherals);
++ kfree(i2c_peripherals);
+ return error;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f0287fe20fa9a1fa5d5901688f2bc2a2a2d7d72c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 23:04:07 +0200
+Subject: platform/x86: msi-laptop: Change DMI match / alias strings to fix
+ module autoloading
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 2a2565272a3628e45d61625e36ef17af7af4e3de ]
+
+On a MSI S270 with Fedora 37 x86_64 / systemd-251.4 the module does not
+properly autoload.
+
+This is likely caused by issues with how systemd-udevd handles the single
+quote char (') which is part of the sys_vendor / chassis_vendor strings
+on this laptop. As a workaround remove the single quote char + everything
+behind it from the sys_vendor + chassis_vendor matches. This fixes
+the module not autoloading.
+
+Link: https://github.com/systemd/systemd/issues/24715
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20220917210407.647432-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index 1ba5f4689df4..42b31c549db0 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -609,11 +609,10 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = {
+ {
+ .ident = "MSI S270",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT'L CO.,LTD"),
++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "MS-1013"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "0131"),
+- DMI_MATCH(DMI_CHASSIS_VENDOR,
+- "MICRO-STAR INT'L CO.,LTD")
++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT")
+ },
+ .driver_data = &quirk_old_ec_model,
+ .callback = dmi_check_cb
+@@ -646,8 +645,7 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = {
+ DMI_MATCH(DMI_SYS_VENDOR, "NOTEBOOK"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "SAM2000"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "0131"),
+- DMI_MATCH(DMI_CHASSIS_VENDOR,
+- "MICRO-STAR INT'L CO.,LTD")
++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT")
+ },
+ .driver_data = &quirk_old_ec_model,
+ .callback = dmi_check_cb
+--
+2.35.1
+
--- /dev/null
+From 4f245d5e4f8933b5357890b4a62f5e30c23b7fcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 16:13:34 +0200
+Subject: platform/x86: msi-laptop: Fix old-ec check for backlight registering
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 83ac7a1c2ed5f17caa07cbbc84bad3c05dc3bf22 ]
+
+Commit 2cc6c717799f ("msi-laptop: Port to new backlight interface
+selection API") replaced this check:
+
+ if (!quirks->old_ec_model || acpi_video_backlight_support())
+ pr_info("Brightness ignored, ...");
+ else
+ do_register();
+
+With:
+
+ if (quirks->old_ec_model ||
+ acpi_video_get_backlight_type() == acpi_backlight_vendor)
+ do_register();
+
+But since the do_register() part was part of the else branch, the entire
+condition should be inverted. So not only the 2 statements on either
+side of the || should be inverted, but the || itself should be replaced
+with a &&.
+
+In practice this has likely not been an issue because the new-ec models
+(old_ec_model==false) likely all support ACPI video backlight control,
+making acpi_video_get_backlight_type() return acpi_backlight_video
+turning the second part of the || also false when old_ec_model == false.
+
+Fixes: 2cc6c717799f ("msi-laptop: Port to new backlight interface selection API")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20220825141336.208597-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index d5bfcc602090..7279390a2d54 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1061,8 +1061,7 @@ static int __init msi_init(void)
+ return -EINVAL;
+
+ /* Register backlight stuff */
+-
+- if (quirks->old_ec_model ||
++ if (quirks->old_ec_model &&
+ acpi_video_get_backlight_type() == acpi_backlight_vendor) {
+ struct backlight_properties props;
+ memset(&props, 0, sizeof(struct backlight_properties));
+--
+2.35.1
+
--- /dev/null
+From e44910d2f12a7f8fd674b778a60e0d1f3e2563e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 16:13:36 +0200
+Subject: platform/x86: msi-laptop: Fix resource cleanup
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5523632aa10f906dfe2eb714ee748590dc7fc6b1 ]
+
+Fix the input-device not getting free-ed on probe-errors and
+fix the msi_touchpad_dwork not getting cancelled on neither
+probe-errors nor on remove.
+
+Fixes: 143a4c0284dc ("msi-laptop: send out touchpad on/off key")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20220825141336.208597-3-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index 7279390a2d54..1ba5f4689df4 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1129,6 +1129,8 @@ static int __init msi_init(void)
+ fail_create_group:
+ if (quirks->load_scm_model) {
+ i8042_remove_filter(msi_laptop_i8042_filter);
++ cancel_delayed_work_sync(&msi_touchpad_dwork);
++ input_unregister_device(msi_laptop_input_dev);
+ cancel_delayed_work_sync(&msi_rfkill_dwork);
+ cancel_work_sync(&msi_rfkill_work);
+ rfkill_cleanup();
+@@ -1149,6 +1151,7 @@ static void __exit msi_cleanup(void)
+ {
+ if (quirks->load_scm_model) {
+ i8042_remove_filter(msi_laptop_i8042_filter);
++ cancel_delayed_work_sync(&msi_touchpad_dwork);
+ input_unregister_device(msi_laptop_input_dev);
+ cancel_delayed_work_sync(&msi_rfkill_dwork);
+ cancel_work_sync(&msi_rfkill_work);
+--
+2.35.1
+
--- /dev/null
+From 765eb1570f35e9472342bb1ec6153de111a6d03d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 07:32:23 +0000
+Subject: power: supply: adp5061: fix out-of-bounds read in
+ adp5061_get_chg_type()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9d47e01b9d807808224347935562f7043a358054 ]
+
+ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length
+of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements
+beyond the end of the adp5061_chg_type[] array.
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/adp5061.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/supply/adp5061.c b/drivers/power/supply/adp5061.c
+index 939fd3d8fb1a..1ad044330599 100644
+--- a/drivers/power/supply/adp5061.c
++++ b/drivers/power/supply/adp5061.c
+@@ -428,11 +428,11 @@ static int adp5061_get_chg_type(struct adp5061_state *st,
+ if (ret < 0)
+ return ret;
+
+- chg_type = adp5061_chg_type[ADP5061_CHG_STATUS_1_CHG_STATUS(status1)];
+- if (chg_type > ADP5061_CHG_FAST_CV)
++ chg_type = ADP5061_CHG_STATUS_1_CHG_STATUS(status1);
++ if (chg_type >= ARRAY_SIZE(adp5061_chg_type))
+ val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
+ else
+- val->intval = chg_type;
++ val->intval = adp5061_chg_type[chg_type];
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 16d961246fa902eb4d85ff1bfa806364a6097d70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 14:08:26 +0800
+Subject: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
+
+From: Chao Qin <chao.qin@intel.com>
+
+[ Upstream commit 2d93540014387d1c73b9ccc4d7895320df66d01b ]
+
+When value < time_unit, the parameter of ilog2() will be zero and
+the return value is -1. u64(-1) is too large for shift exponent
+and then will trigger shift-out-of-bounds:
+
+shift exponent 18446744073709551615 is too large for 32-bit type 'int'
+Call Trace:
+ rapl_compute_time_window_core
+ rapl_write_data_raw
+ set_time_window
+ store_constraint_time_window_us
+
+Signed-off-by: Chao Qin <chao.qin@intel.com>
+Acked-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/intel_rapl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/powercap/intel_rapl.c b/drivers/powercap/intel_rapl.c
+index 8cbfcce57a06..ae6721333c0f 100644
+--- a/drivers/powercap/intel_rapl.c
++++ b/drivers/powercap/intel_rapl.c
+@@ -1068,6 +1068,9 @@ static u64 rapl_compute_time_window_core(struct rapl_package *rp, u64 value,
+ y = value & 0x1f;
+ value = (1 << y) * (4 + f) * rp->time_unit / 4;
+ } else {
++ if (value < rp->time_unit)
++ return 0;
++
+ do_div(value, rp->time_unit);
+ y = ilog2(value);
+ f = div64_u64(4 * (value - (1 << y)), 1 << y);
+--
+2.35.1
+
--- /dev/null
+From 1efe7b4b90e6db0adfbb954d63cadb0f43be7ec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 11:41:02 +1000
+Subject: powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 58ec7f06b74e0d6e76c4110afce367c8b5f0837d ]
+
+Big-endian GENERIC_CPU supports 970, but builds with -mcpu=power5.
+POWER5 is ISA v2.02 whereas 970 is v2.01 plus Altivec. 2.02 added
+the popcntb instruction which a compiler might use.
+
+Use -mcpu=power4.
+
+Fixes: 471d7ff8b51b ("powerpc/64s: Remove POWER4 support")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220921014103.587954-1-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
+index 26654d0c2af7..5987ae0d8fbb 100644
+--- a/arch/powerpc/Makefile
++++ b/arch/powerpc/Makefile
+@@ -165,7 +165,7 @@ CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power8
+ CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power9,-mtune=power8)
+ else
+ CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power7,$(call cc-option,-mtune=power5))
+-CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mcpu=power5,-mcpu=power4)
++CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power4
+ endif
+ else ifdef CONFIG_PPC_BOOK3E_64
+ CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=powerpc64
+--
+2.35.1
+
--- /dev/null
+From 23e7399ab407dfed5ddbc252e60086e89266219e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 23:21:02 +0200
+Subject: powerpc: Fix SPE Power ISA properties for e500v1 platforms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 37b9345ce7f4ab17538ea62def6f6d430f091355 ]
+
+Commit 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply
+with ePAPR 1.1") introduced new include file e500v2_power_isa.dtsi and
+should have used it for all e500v2 platforms. But apparently it was used
+also for e500v1 platforms mpc8540, mpc8541, mpc8555 and mpc8560.
+
+e500v1 cores compared to e500v2 do not support double precision floating
+point SPE instructions. Hence power-isa-sp.fd should not be set on e500v1
+platforms, which is in e500v2_power_isa.dtsi include file.
+
+Fix this issue by introducing a new e500v1_power_isa.dtsi include file and
+use it in all e500v1 device tree files.
+
+Fixes: 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply with ePAPR 1.1")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220902212103.22534-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/fsl/e500v1_power_isa.dtsi | 51 +++++++++++++++++++
+ arch/powerpc/boot/dts/fsl/mpc8540ads.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8541cds.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8555cds.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8560ads.dts | 2 +-
+ 5 files changed, 55 insertions(+), 4 deletions(-)
+ create mode 100644 arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+
+diff --git a/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+new file mode 100644
+index 000000000000..7e2a90cde72e
+--- /dev/null
++++ b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+@@ -0,0 +1,51 @@
++/*
++ * e500v1 Power ISA Device Tree Source (include)
++ *
++ * Copyright 2012 Freescale Semiconductor Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ * * Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * * Neither the name of Freescale Semiconductor nor the
++ * names of its contributors may be used to endorse or promote products
++ * derived from this software without specific prior written permission.
++ *
++ *
++ * ALTERNATIVELY, this software may be distributed under the terms of the
++ * GNU General Public License ("GPL") as published by the Free Software
++ * Foundation, either version 2 of that License or (at your option) any
++ * later version.
++ *
++ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor "AS IS" AND ANY
++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
++ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
++ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
++ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/ {
++ cpus {
++ power-isa-version = "2.03";
++ power-isa-b; // Base
++ power-isa-e; // Embedded
++ power-isa-atb; // Alternate Time Base
++ power-isa-cs; // Cache Specification
++ power-isa-e.le; // Embedded.Little-Endian
++ power-isa-e.pm; // Embedded.Performance Monitor
++ power-isa-ecl; // Embedded Cache Locking
++ power-isa-mmc; // Memory Coherence
++ power-isa-sp; // Signal Processing Engine
++ power-isa-sp.fs; // SPE.Embedded Float Scalar Single
++ power-isa-sp.fv; // SPE.Embedded Float Vector
++ mmu-type = "power-embedded";
++ };
++};
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
+index e6d0b166d68d..b4314aa6769c 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8540ADS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
+index 9fa2c734a988..48492c621edf 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8541CDS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
+index 272f08caea92..325c817dedeb 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8555CDS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
+index 7a822b08aa35..b5fb5ae3ed68 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8560ADS";
+--
+2.35.1
+
--- /dev/null
+From cc512d55c83415d28b492e1a2a66518665045567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 18:00:08 +0200
+Subject: powerpc/math_emu/efp: Include module.h
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit cfe0d370e0788625ce0df3239aad07a2506c1796 ]
+
+When building with a recent version of clang, there are a couple of
+errors around the call to module_init():
+
+ arch/powerpc/math-emu/math_efp.c:927:1: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
+ module_init(spe_mathemu_init);
+ ^
+ int
+ arch/powerpc/math-emu/math_efp.c:927:13: error: a parameter list without types is only allowed in a function definition
+ module_init(spe_mathemu_init);
+ ^
+ 2 errors generated.
+
+module_init() is a macro, which is not getting expanded because module.h
+is not included in this file. Add the include so that the macro can
+expand properly, clearing up the build failure.
+
+Fixes: ac6f120369ff ("powerpc/85xx: Workaroudn e500 CPU erratum A005")
+[chleroy: added fixes tag]
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://lore.kernel.org/r/8403854a4c187459b2f4da3537f51227b70b9223.1662134272.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/math-emu/math_efp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/math-emu/math_efp.c b/arch/powerpc/math-emu/math_efp.c
+index 581f404caa1d..b9848179dbaa 100644
+--- a/arch/powerpc/math-emu/math_efp.c
++++ b/arch/powerpc/math-emu/math_efp.c
+@@ -21,6 +21,7 @@
+
+ #include <linux/types.h>
+ #include <linux/prctl.h>
++#include <linux/module.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/reg.h>
+--
+2.35.1
+
--- /dev/null
+From fa9edc5d2ab00b62ab2ac13f4e176e2a66126e20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Jul 2022 21:17:50 +0800
+Subject: powerpc/pci_dn: Add missing of_node_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 110a1fcb6c4d55144d8179983a475f17a1d6f832 ]
+
+In pci_add_device_node_info(), use of_node_put() to drop the reference
+to 'parent' returned by of_get_parent() to keep refcount balance.
+
+Fixes: cca87d303c85 ("powerpc/pci: Refactor pci_dn")
+Co-authored-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Link: https://lore.kernel.org/r/20220701131750.240170-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/pci_dn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c
+index 7cecc3bd953b..bd68c3259fad 100644
+--- a/arch/powerpc/kernel/pci_dn.c
++++ b/arch/powerpc/kernel/pci_dn.c
+@@ -338,6 +338,7 @@ struct pci_dn *pci_add_device_node_info(struct pci_controller *hose,
+ INIT_LIST_HEAD(&pdn->list);
+ parent = of_get_parent(dn);
+ pdn->parent = parent ? PCI_DN(parent) : NULL;
++ of_node_put(parent);
+ if (pdn->parent)
+ list_add_tail(&pdn->list, &pdn->parent->child_list);
+
+--
+2.35.1
+
--- /dev/null
+From 6bde913c6b7b1f503ce3a3f2c6cab4ffb8a67566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 14:17:03 +0000
+Subject: powerpc/powernv: add missing of_node_put() in opal_export_attrs()
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 71a92e99c47900cc164620948b3863382cec4f1a ]
+
+After using 'np' returned by of_find_node_by_path(), of_node_put()
+need be called to decrease the refcount.
+
+Fixes: 11fe909d2362 ("powerpc/powernv: Add OPAL exports attributes to sysfs")
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220906141703.118192-1-zhengyongjun3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
+index edf9032e2e5c..96a3d23132ba 100644
+--- a/arch/powerpc/platforms/powernv/opal.c
++++ b/arch/powerpc/platforms/powernv/opal.c
+@@ -740,6 +740,7 @@ static void opal_export_attrs(void)
+ kobj = kobject_create_and_add("exports", opal_kobj);
+ if (!kobj) {
+ pr_warn("kobject_create_and_add() of exports failed\n");
++ of_node_put(np);
+ return;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 4fca38cb2d7791eab53c6db5c696df63f5956465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 22:52:33 +0800
+Subject: powerpc/sysdev/fsl_msi: Add missing of_node_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit def435c04ee984a5f9ed2711b2bfe946936c6a21 ]
+
+In fsl_setup_msi_irqs(), use of_node_put() to drop the reference
+returned by of_parse_phandle().
+
+Fixes: 895d603f945ba ("powerpc/fsl_msi: add support for the fsl, msi property in PCI nodes")
+Co-authored-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220704145233.278539-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/fsl_msi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c
+index df95102e732c..44aedb6b9f55 100644
+--- a/arch/powerpc/sysdev/fsl_msi.c
++++ b/arch/powerpc/sysdev/fsl_msi.c
+@@ -216,8 +216,10 @@ static int fsl_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+ dev_err(&pdev->dev,
+ "node %pOF has an invalid fsl,msi phandle %u\n",
+ hose->dn, np->phandle);
++ of_node_put(np);
+ return -EINVAL;
+ }
++ of_node_put(np);
+ }
+
+ for_each_pci_msi_entry(entry, pdev) {
+--
+2.35.1
+
--- /dev/null
+From 98404852e1cf8d364b3ee94237d5d2eb1f8c08ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 12:41:28 +0900
+Subject: r8152: Rate limit overflow messages
+
+From: Andrew Gaul <gaul@gaul.org>
+
+[ Upstream commit 93e2be344a7db169b7119de21ac1bf253b8c6907 ]
+
+My system shows almost 10 million of these messages over a 24-hour
+period which pollutes my logs.
+
+Signed-off-by: Andrew Gaul <gaul@google.com>
+Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 4764e4f54cef..d5a74a71bf59 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1386,7 +1386,9 @@ static void intr_callback(struct urb *urb)
+ "Stop submitting intr, status %d\n", status);
+ return;
+ case -EOVERFLOW:
+- netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n");
++ if (net_ratelimit())
++ netif_info(tp, intr, tp->netdev,
++ "intr status -EOVERFLOW\n");
+ goto resubmit;
+ /* -EPIPE: should clear the halt */
+ default:
+--
+2.35.1
+
--- /dev/null
+From 8ccf417cb9d49cef8e896dab84c86a854ed87c2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Aug 2022 21:16:13 -0400
+Subject: RDMA/rxe: Fix "kernel NULL pointer dereference" error
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit a625ca30eff806395175ebad3ac1399014bdb280 ]
+
+When rxe_queue_init in the function rxe_qp_init_req fails,
+both qp->req.task.func and qp->req.task.arg are not initialized.
+
+Because of creation of qp fails, the function rxe_create_qp will
+call rxe_qp_do_cleanup to handle allocated resource.
+
+Before calling __rxe_do_task, both qp->req.task.func and
+qp->req.task.arg should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev
+Reported-by: syzbot+ab99dc4c6e961eed8b8e@syzkaller.appspotmail.com
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index a4b5374deac8..476871c8ae44 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -799,7 +799,9 @@ void rxe_qp_destroy(struct rxe_qp *qp)
+ rxe_cleanup_task(&qp->comp.task);
+
+ /* flush out any receive wr's or pending requests */
+- __rxe_do_task(&qp->req.task);
++ if (qp->req.task.func)
++ __rxe_do_task(&qp->req.task);
++
+ if (qp->sq.queue) {
+ __rxe_do_task(&qp->comp.task);
+ __rxe_do_task(&qp->req.task);
+--
+2.35.1
+
--- /dev/null
+From d79e54809e3425c69c4673efbdad1ad3f494aca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Aug 2022 21:16:14 -0400
+Subject: RDMA/rxe: Fix the error caused by qp->sk
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit 548ce2e66725dcba4e27d1e8ac468d5dd17fd509 ]
+
+When sock_create_kern in the function rxe_qp_init_req fails,
+qp->sk is set to NULL.
+
+Then the function rxe_create_qp will call rxe_qp_do_cleanup
+to handle allocated resource.
+
+Before handling qp->sk, this variable should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-3-yanjun.zhu@linux.dev
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index 476871c8ae44..6320390f531c 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -841,8 +841,10 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+
+ free_rd_atomic_resources(qp);
+
+- kernel_sock_shutdown(qp->sk, SHUT_RDWR);
+- sock_release(qp->sk);
++ if (qp->sk) {
++ kernel_sock_shutdown(qp->sk, SHUT_RDWR);
++ sock_release(qp->sk);
++ }
+ }
+
+ /* called when the last reference to the qp is dropped */
+--
+2.35.1
+
--- /dev/null
+From 3628838f61ffb9d375f5d3d8fd3426273a166ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 20:49:13 +0900
+Subject: Revert "usb: storage: Add quirk for Samsung Fit flash"
+
+From: sunghwan jung <onenowy@gmail.com>
+
+[ Upstream commit ad5dbfc123e6ffbbde194e2a4603323e09f741ee ]
+
+This reverts commit 86d92f5465958752481269348d474414dccb1552,
+which fix the timeout issue for "Samsung Fit Flash".
+
+But the commit affects not only "Samsung Fit Flash" but also other usb
+storages that use the same controller and causes severe performance
+regression.
+
+ # hdparm -t /dev/sda (without the quirk)
+ Timing buffered disk reads: 622 MB in 3.01 seconds = 206.66 MB/sec
+
+ # hdparm -t /dev/sda (with the quirk)
+ Timing buffered disk reads: 220 MB in 3.00 seconds = 73.32 MB/sec
+
+The commit author mentioned that "Issue was reproduced after device has
+bad block", so this quirk should be applied when we have the timeout
+issue with a device that has bad blocks.
+
+We revert the commit so that we apply this quirk by adding kernel
+paramters using a bootloader or other ways when we really need it,
+without the performance regression with devices that don't have the
+issue.
+
+Signed-off-by: sunghwan jung <onenowy@gmail.com>
+Link: https://lore.kernel.org/r/20220913114913.3073-1-onenowy@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/unusual_devs.h | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
+index 6a59950a63a0..b270be141b8e 100644
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1275,12 +1275,6 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9999,
+ USB_SC_RBC, USB_PR_BULK, NULL,
+ 0 ),
+
+-UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100,
+- "Samsung",
+- "Flash Drive FIT",
+- USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+- US_FL_MAX_SECTORS_64),
+-
+ /* aeb */
+ UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff,
+ "Feiya",
+--
+2.35.1
+
--- /dev/null
+From e0483e76e17af926690bb0151e2e7a83ad2e9a88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 15:09:37 +0200
+Subject: sbitmap: Avoid leaving waitqueue in invalid state in __sbq_wake_up()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 48c033314f372478548203c583529f53080fd078 ]
+
+When __sbq_wake_up() decrements wait_cnt to 0 but races with someone
+else waking the waiter on the waitqueue (so the waitqueue becomes
+empty), it exits without reseting wait_cnt to wake_batch number. Once
+wait_cnt is 0, nobody will ever reset the wait_cnt or wake the new
+waiters resulting in possible deadlocks or busyloops. Fix the problem by
+making sure we reset wait_cnt even if we didn't wake up anybody in the
+end.
+
+Fixes: 040b83fcecfb ("sbitmap: fix possible io hung due to lost wakeup")
+Reported-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220908130937.2795-1-jack@suse.cz
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/sbitmap.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/lib/sbitmap.c b/lib/sbitmap.c
+index 474e014a2b6e..6913f2c4f2c8 100644
+--- a/lib/sbitmap.c
++++ b/lib/sbitmap.c
+@@ -463,6 +463,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ struct sbq_wait_state *ws;
+ unsigned int wake_batch;
+ int wait_cnt;
++ bool ret;
+
+ ws = sbq_wake_ptr(sbq);
+ if (!ws)
+@@ -473,12 +474,23 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ * For concurrent callers of this, callers should call this function
+ * again to wakeup a new batch on a different 'ws'.
+ */
+- if (wait_cnt < 0 || !waitqueue_active(&ws->wait))
++ if (wait_cnt < 0)
+ return true;
+
++ /*
++ * If we decremented queue without waiters, retry to avoid lost
++ * wakeups.
++ */
+ if (wait_cnt > 0)
+- return false;
++ return !waitqueue_active(&ws->wait);
+
++ /*
++ * When wait_cnt == 0, we have to be particularly careful as we are
++ * responsible to reset wait_cnt regardless whether we've actually
++ * woken up anybody. But in case we didn't wakeup anybody, we still
++ * need to retry.
++ */
++ ret = !waitqueue_active(&ws->wait);
+ wake_batch = READ_ONCE(sbq->wake_batch);
+
+ /*
+@@ -507,7 +519,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ sbq_index_atomic_inc(&sbq->wake_index);
+ atomic_set(&ws->wait_cnt, wake_batch);
+
+- return false;
++ return ret;
+ }
+
+ void sbitmap_queue_wake_up(struct sbitmap_queue *sbq)
+--
+2.35.1
+
--- /dev/null
+From ff0fe7d067ce297123456fb491d402905450ddd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 20:15:04 +0800
+Subject: sbitmap: fix possible io hung due to lost wakeup
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 040b83fcecfb86f3225d3a5de7fd9b3fbccf83b4 ]
+
+There are two problems can lead to lost wakeup:
+
+1) invalid wakeup on the wrong waitqueue:
+
+For example, 2 * wake_batch tags are put, while only wake_batch threads
+are woken:
+
+__sbq_wake_up
+ atomic_cmpxchg -> reset wait_cnt
+ __sbq_wake_up -> decrease wait_cnt
+ ...
+ __sbq_wake_up -> wait_cnt is decreased to 0 again
+ atomic_cmpxchg
+ sbq_index_atomic_inc -> increase wake_index
+ wake_up_nr -> wake up and waitqueue might be empty
+ sbq_index_atomic_inc -> increase again, one waitqueue is skipped
+ wake_up_nr -> invalid wake up because old wakequeue might be empty
+
+To fix the problem, increasing 'wake_index' before resetting 'wait_cnt'.
+
+2) 'wait_cnt' can be decreased while waitqueue is empty
+
+As pointed out by Jan Kara, following race is possible:
+
+CPU1 CPU2
+__sbq_wake_up __sbq_wake_up
+ sbq_wake_ptr() sbq_wake_ptr() -> the same
+ wait_cnt = atomic_dec_return()
+ /* decreased to 0 */
+ sbq_index_atomic_inc()
+ /* move to next waitqueue */
+ atomic_set()
+ /* reset wait_cnt */
+ wake_up_nr()
+ /* wake up on the old waitqueue */
+ wait_cnt = atomic_dec_return()
+ /*
+ * decrease wait_cnt in the old
+ * waitqueue, while it can be
+ * empty.
+ */
+
+Fix the problem by waking up before updating 'wake_index' and
+'wait_cnt'.
+
+With this patch, noted that 'wait_cnt' is still decreased in the old
+empty waitqueue, however, the wakeup is redirected to a active waitqueue,
+and the extra decrement on the old empty waitqueue is not handled.
+
+Fixes: 88459642cba4 ("blk-mq: abstract tag allocation out into sbitmap library")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220803121504.212071-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/sbitmap.c | 55 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 33 insertions(+), 22 deletions(-)
+
+diff --git a/lib/sbitmap.c b/lib/sbitmap.c
+index 0572ac340325..474e014a2b6e 100644
+--- a/lib/sbitmap.c
++++ b/lib/sbitmap.c
+@@ -469,32 +469,43 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ return false;
+
+ wait_cnt = atomic_dec_return(&ws->wait_cnt);
+- if (wait_cnt <= 0) {
+- int ret;
++ /*
++ * For concurrent callers of this, callers should call this function
++ * again to wakeup a new batch on a different 'ws'.
++ */
++ if (wait_cnt < 0 || !waitqueue_active(&ws->wait))
++ return true;
+
+- wake_batch = READ_ONCE(sbq->wake_batch);
++ if (wait_cnt > 0)
++ return false;
+
+- /*
+- * Pairs with the memory barrier in sbitmap_queue_resize() to
+- * ensure that we see the batch size update before the wait
+- * count is reset.
+- */
+- smp_mb__before_atomic();
++ wake_batch = READ_ONCE(sbq->wake_batch);
+
+- /*
+- * For concurrent callers of this, the one that failed the
+- * atomic_cmpxhcg() race should call this function again
+- * to wakeup a new batch on a different 'ws'.
+- */
+- ret = atomic_cmpxchg(&ws->wait_cnt, wait_cnt, wake_batch);
+- if (ret == wait_cnt) {
+- sbq_index_atomic_inc(&sbq->wake_index);
+- wake_up_nr(&ws->wait, wake_batch);
+- return false;
+- }
++ /*
++ * Wake up first in case that concurrent callers decrease wait_cnt
++ * while waitqueue is empty.
++ */
++ wake_up_nr(&ws->wait, wake_batch);
+
+- return true;
+- }
++ /*
++ * Pairs with the memory barrier in sbitmap_queue_resize() to
++ * ensure that we see the batch size update before the wait
++ * count is reset.
++ *
++ * Also pairs with the implicit barrier between decrementing wait_cnt
++ * and checking for waitqueue_active() to make sure waitqueue_active()
++ * sees result of the wakeup if atomic_dec_return() has seen the result
++ * of atomic_set().
++ */
++ smp_mb__before_atomic();
++
++ /*
++ * Increase wake_index before updating wait_cnt, otherwise concurrent
++ * callers can see valid wait_cnt in old waitqueue, which can cause
++ * invalid wakeup on the old waitqueue.
++ */
++ sbq_index_atomic_inc(&sbq->wake_index);
++ atomic_set(&ws->wait_cnt, wake_batch);
+
+ return false;
+ }
+--
+2.35.1
+
--- /dev/null
+From 5e62673c112b447add66f39ec284a87ce6220811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 19:01:15 +0800
+Subject: scsi: 3w-9xxx: Avoid disabling device if failing to enable it
+
+From: Letu Ren <fantasquex@gmail.com>
+
+[ Upstream commit 7eff437b5ee1309b34667844361c6bbb5c97df05 ]
+
+The original code will "goto out_disable_device" and call
+pci_disable_device() if pci_enable_device() fails. The kernel will generate
+a warning message like "3w-9xxx 0000:00:05.0: disabling already-disabled
+device".
+
+We shouldn't disable a device that failed to be enabled. A simple return is
+fine.
+
+Link: https://lore.kernel.org/r/20220829110115.38789-1-fantasquex@gmail.com
+Reported-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Letu Ren <fantasquex@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/3w-9xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
+index 27521fc3ef5a..ea2cd8ecc3a5 100644
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -2009,7 +2009,7 @@ static int twa_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ retval = pci_enable_device(pdev);
+ if (retval) {
+ TW_PRINTK(host, TW_DRIVER, 0x34, "Failed to enable pci device");
+- goto out_disable_device;
++ return -ENODEV;
+ }
+
+ pci_set_master(pdev);
+--
+2.35.1
+
--- /dev/null
+From 30bb99a3771929f771c8415b3a4c332bbb8cfae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 14:10:13 -0400
+Subject: sctp: handle the error returned from sctp_auth_asoc_init_active_key
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 022152aaebe116a25c39818a07e175a8cd3c1e11 ]
+
+When it returns an error from sctp_auth_asoc_init_active_key(), the
+active_key is actually not updated. The old sh_key will be freeed
+while it's still used as active key in asoc. Then an use-after-free
+will be triggered when sending patckets, as found by syzbot:
+
+ sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ sctp_set_owner_w net/sctp/socket.c:132 [inline]
+ sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
+ sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
+ inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:734
+
+This patch is to fix it by not replacing the sh_key when it returns
+errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().
+For sctp_auth_set_active_key(), old active_key_id will be set back
+to asoc->active_key_id when the same thing happens.
+
+Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
+Reported-by: syzbot+a236dd8e9622ed8954a3@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/auth.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 9e0c98df20da..9cf61a18098a 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -886,12 +886,17 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ }
+
+ list_del_init(&shkey->key_list);
+- sctp_auth_shkey_release(shkey);
+ list_add(&cur_key->key_list, sh_keys);
+
+- if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
+- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber &&
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
++ list_del_init(&cur_key->key_list);
++ sctp_auth_shkey_release(cur_key);
++ list_add(&shkey->key_list, sh_keys);
++ return -ENOMEM;
++ }
+
++ sctp_auth_shkey_release(shkey);
+ return 0;
+ }
+
+@@ -920,8 +925,13 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep,
+ return -EINVAL;
+
+ if (asoc) {
++ __u16 active_key_id = asoc->active_key_id;
++
+ asoc->active_key_id = key_id;
+- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++ if (sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
++ asoc->active_key_id = active_key_id;
++ return -ENOMEM;
++ }
+ } else
+ ep->active_key_id = key_id;
+
+--
+2.35.1
+
--- /dev/null
+From fa5c835edcd0d92dc0ece047c94030528f830bc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 21:36:12 +0800
+Subject: selftests/cpu-hotplug: Use return instead of exit
+
+From: Zhao Gongyi <zhaogongyi@huawei.com>
+
+[ Upstream commit 972cf4ce51ef5532d56822af17defb148aac0ccb ]
+
+Some cpus will be left in offline state when online
+function exits in some error conditions. Use return
+instead of exit to fix it.
+
+Signed-off-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/cpu-hotplug/cpu-on-off-test.sh | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+index 0d26b5e3f966..940b68c940bb 100755
+--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+@@ -4,6 +4,7 @@
+ SYSFS=
+ # Kselftest framework requirement - SKIP code is 4.
+ ksft_skip=4
++retval=0
+
+ prerequisite()
+ {
+@@ -102,10 +103,10 @@ online_cpu_expect_success()
+
+ if ! online_cpu $cpu; then
+ echo $FUNCNAME $cpu: unexpected fail >&2
+- exit 1
++ retval=1
+ elif ! cpu_is_online $cpu; then
+ echo $FUNCNAME $cpu: unexpected offline >&2
+- exit 1
++ retval=1
+ fi
+ }
+
+@@ -128,10 +129,10 @@ offline_cpu_expect_success()
+
+ if ! offline_cpu $cpu; then
+ echo $FUNCNAME $cpu: unexpected fail >&2
+- exit 1
++ retval=1
+ elif ! cpu_is_offline $cpu; then
+ echo $FUNCNAME $cpu: unexpected offline >&2
+- exit 1
++ retval=1
+ fi
+ }
+
+@@ -201,7 +202,7 @@ if [ $allcpus -eq 0 ]; then
+ offline_cpu_expect_success $present_max
+ online_cpu $present_max
+ fi
+- exit 0
++ exit $retval
+ else
+ echo "Full scope test: all hotplug cpus"
+ echo -e "\t online all offline cpus"
+@@ -291,3 +292,5 @@ done
+
+ echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error
+ /sbin/modprobe -q -r cpu-notifier-error-inject
++
++exit $retval
+--
+2.35.1
+
--- /dev/null
+From aa49810cfe27ad73dc64e32c48550499c675e3e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 12:43:24 +0200
+Subject: serial: 8250: Fix restoring termios speed after suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 379a33786d489ab81885ff0b3935cfeb36137fea ]
+
+Since commit edc6afc54968 ("tty: switch to ktermios and new framework")
+termios speed is no longer stored only in c_cflag member but also in new
+additional c_ispeed and c_ospeed members. If BOTHER flag is set in c_cflag
+then termios speed is stored only in these new members.
+
+Since commit 027b57170bf8 ("serial: core: Fix initializing and restoring
+termios speed") termios speed is available also in struct console.
+
+So properly restore also c_ispeed and c_ospeed members after suspend to fix
+restoring termios speed which is not represented by Bnnn constant.
+
+Fixes: 4516d50aabed ("serial: 8250: Use canary to restart console after suspend")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20220924104324.4035-1-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index f11d1202566e..6fc89888a52e 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -3269,8 +3269,13 @@ static void serial8250_console_restore(struct uart_8250_port *up)
+ unsigned int baud, quot, frac = 0;
+
+ termios.c_cflag = port->cons->cflag;
+- if (port->state->port.tty && termios.c_cflag == 0)
++ termios.c_ispeed = port->cons->ispeed;
++ termios.c_ospeed = port->cons->ospeed;
++ if (port->state->port.tty && termios.c_cflag == 0) {
+ termios.c_cflag = port->state->port.tty->termios.c_cflag;
++ termios.c_ispeed = port->state->port.tty->termios.c_ispeed;
++ termios.c_ospeed = port->state->port.tty->termios.c_ospeed;
++ }
+
+ baud = serial8250_get_baud_rate(port, &termios, NULL);
+ quot = serial8250_get_divisor(port, baud, &frac);
+--
+2.35.1
+
kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch
kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch
selinux-use-grep-e-instead-of-egrep.patch
+ice-rework-flex-descriptor-programming.patch
+sh-machvec-use-char-for-section-boundaries.patch
+wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch
+wifi-mac80211-allow-bw-change-during-channel-switch-.patch
+bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch
+spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch
+wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch
+spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
+spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-18198
+can-rx-offload-can_rx_offload_init_queue-fix-typo.patch
+wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch
+bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch
+wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch
+net-fs_enet-fix-wrong-check-in-do_pd_setup.patch
+bpf-ensure-correct-locking-around-vulnerable-functio.patch
+spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch
+netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch
+spi-s3c64xx-fix-large-transfers-with-dma.patch
+vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch
+misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch
+sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch
+tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch
+net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch
+bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch
+once-add-do_once_slow-for-sleepable-contexts.patch
+net-mvpp2-fix-mvpp2-debugfs-leak.patch
+drm-bridge-adv7511-fix-cec-power-down-control-regist.patch
+drm-mipi-dsi-detach-devices-when-removing-the-host.patch
+drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch
+platform-chrome-fix-double-free-in-chromeos_laptop_p.patch
+platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch
+platform-x86-msi-laptop-fix-resource-cleanup.patch
+drm-bridge-megachips-fix-a-null-pointer-dereference-.patch
+mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch
+asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch
+drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch
+alsa-dmaengine-increment-buffer-pointer-atomically.patch
+mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch
+asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch
+asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch
+asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch
+memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch
+soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
+soc-qcom-smem_state-add-refcounting-for-the-state-of.patch
+arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch
+arm-dts-kirkwood-lsxl-fix-serial-line.patch
+arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch
+arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch
+arm-drop-cmdline_-dependency-on-atags.patch
+arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch
+iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch
+iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch
+iio-inkern-only-release-the-device-node-when-done-wi.patch
+iio-abi-fix-wrong-format-of-differential-capacitance.patch
+clk-oxnas-hold-reference-returned-by-of_get_parent.patch
+clk-berlin-add-of_node_put-for-of_get_parent.patch
+clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch
+clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch
+clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch
+sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch
+hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch
+hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch
+media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch
+media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch
+tty-xilinx_uartps-fix-the-ignore_status.patch
+media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch
+rdma-rxe-fix-kernel-null-pointer-dereference-error.patch
+rdma-rxe-fix-the-error-caused-by-qp-sk.patch
+dyndbg-fix-module.dyndbg-handling.patch
+dyndbg-let-query-modname-override-actual-module-name.patch
+sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch
+usb-serial-console-move-mutex_unlock-before-usb_seri.patch
+mtd-devices-docg3-check-the-return-value-of-devm_ior.patch
+ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch
+ata-fix-ata_id_has_devslp.patch
+ata-fix-ata_id_has_ncq_autosense.patch
+ata-fix-ata_id_has_dipm.patch
+md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch
+xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch
+usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch
+drivers-serial-jsm-fix-some-leaks-in-probe.patch
+phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch
+staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch
+firmware-google-test-spinlock-on-panic-path-to-avoid.patch
+serial-8250-fix-restoring-termios-speed-after-suspen.patch
+ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch
+fsi-core-check-error-number-after-calling-ida_simple.patch
+mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch
+mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch
+mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch
+mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch
+mfd-sm501-add-check-for-platform_driver_register.patch
+dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch
+spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch
+clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch
+clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch
+mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch
+powerpc-math_emu-efp-include-module.h.patch
+powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch
+powerpc-pci_dn-add-missing-of_node_put.patch
+powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch
+x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch
+powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch
+powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch
+iommu-omap-fix-buffer-overflow-in-debugfs.patch
+iommu-iova-fix-module-config-properly.patch
+crypto-cavium-prevent-integer-overflow-loading-firmw.patch
+f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch
+acpi-video-add-toshiba-satellite-portege-z830-quirk.patch
+mips-bcm47xx-cast-memcmp-of-function-to-void.patch
+powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch
+thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch
+x86-entry-work-around-clang-__bdos-bug.patch
+nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch
+wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch
+openvswitch-fix-double-reporting-of-drops-in-dropwat.patch
+openvswitch-fix-overreporting-of-drops-in-dropwatch.patch
+tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch
+wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch
+xfrm-update-ipcomp_scratches-with-null-when-freed.patch
+net-xscale-fix-return-type-for-implementation-of-ndo.patch
+net-lantiq_etop-fix-return-type-for-implementation-o.patch
+net-ftmac100-fix-endianness-related-issues-from-spar.patch
+wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch
+bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch
+net-davicom-fix-return-type-of-dm9000_start_xmit.patch
+net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch
+net-korina-fix-return-type-of-korina_send_packet.patch
+bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch
+wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch
+can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch
+wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch
+wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch
+wifi-rt2x00-set-soc-wmac-clock-register.patch
+wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch
+net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch
+bluetooth-l2cap-fix-user-after-free.patch
+libbpf-fix-overrun-in-netlink-attribute-iteration.patch
+r8152-rate-limit-overflow-messages.patch
+drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch
+drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch
+drm-amd-display-fix-overflow-on-min_i64-definition.patch
+drm-vc4-vec-fix-timings-for-vec-modes.patch
+drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch
+platform-x86-msi-laptop-change-dmi-match-alias-strin.patch
+drm-amdgpu-fix-initial-connector-audio-value.patch
+drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch
+arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch
+arm-dts-imx6q-add-missing-properties-for-sram.patch
+arm-dts-imx6dl-add-missing-properties-for-sram.patch
+arm-dts-imx6qp-add-missing-properties-for-sram.patch
+arm-dts-imx6sl-add-missing-properties-for-sram.patch
+arm-dts-imx6sll-add-missing-properties-for-sram.patch
+arm-dts-imx6sx-add-missing-properties-for-sram.patch
+arm-orion-fix-include-path.patch
+arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch
+selftests-cpu-hotplug-use-return-instead-of-exit.patch
+media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch
+scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch
+nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch
+power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch
+staging-vt6655-fix-potential-memory-leak.patch
+ata-libahci_platform-sanity-check-the-dt-child-nodes.patch
+hid-topre-add-driver-fixing-report-descriptor.patch
+hid-roccat-fix-use-after-free-in-roccat_read.patch
+hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch
+md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
+usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch
+usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch
+revert-usb-storage-add-quirk-for-samsung-fit-flash.patch
+nvme-copy-firmware_rev-on-each-init.patch
+usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
+fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch
+clk-bcm2835-make-peripheral-pllc-critical.patch
--- /dev/null
+From 284179bb98945ef62179d90fc44034359bd36de3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:40:44 -0700
+Subject: sh: machvec: Use char[] for section boundaries
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit c5783af354688b24abd359f7086c282ec74de993 ]
+
+As done for other sections, define the extern as a character array,
+which relaxes many of the compiler-time object size checks, which would
+otherwise assume it's a single long. Solves the following build error:
+
+arch/sh/kernel/machvec.c: error: array subscript 'struct sh_machine_vector[0]' is partly outside array bounds of 'long int[1]' [-Werror=array-bounds]: => 105:33
+
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/lkml/alpine.DEB.2.22.394.2209050944290.964530@ramsan.of.borg/
+Fixes: 9655ad03af2d ("sh: Fixup machvec support.")
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Acked-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/asm/sections.h | 2 +-
+ arch/sh/kernel/machvec.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/sh/include/asm/sections.h b/arch/sh/include/asm/sections.h
+index 8edb824049b9..0cb0ca149ac3 100644
+--- a/arch/sh/include/asm/sections.h
++++ b/arch/sh/include/asm/sections.h
+@@ -4,7 +4,7 @@
+
+ #include <asm-generic/sections.h>
+
+-extern long __machvec_start, __machvec_end;
++extern char __machvec_start[], __machvec_end[];
+ extern char __uncached_start, __uncached_end;
+ extern char __start_eh_frame[], __stop_eh_frame[];
+
+diff --git a/arch/sh/kernel/machvec.c b/arch/sh/kernel/machvec.c
+index ec05f491c347..a9f797a76e7c 100644
+--- a/arch/sh/kernel/machvec.c
++++ b/arch/sh/kernel/machvec.c
+@@ -22,8 +22,8 @@
+ #define MV_NAME_SIZE 32
+
+ #define for_each_mv(mv) \
+- for ((mv) = (struct sh_machine_vector *)&__machvec_start; \
+- (mv) && (unsigned long)(mv) < (unsigned long)&__machvec_end; \
++ for ((mv) = (struct sh_machine_vector *)__machvec_start; \
++ (mv) && (unsigned long)(mv) < (unsigned long)__machvec_end; \
+ (mv)++)
+
+ static struct sh_machine_vector * __init get_mv_byname(const char *name)
+@@ -89,8 +89,8 @@ void __init sh_mv_setup(void)
+ if (!machvec_selected) {
+ unsigned long machvec_size;
+
+- machvec_size = ((unsigned long)&__machvec_end -
+- (unsigned long)&__machvec_start);
++ machvec_size = ((unsigned long)__machvec_end -
++ (unsigned long)__machvec_start);
+
+ /*
+ * Sanity check for machvec section alignment. Ensure
+@@ -104,7 +104,7 @@ void __init sh_mv_setup(void)
+ * vector (usually the only one) from .machvec.init.
+ */
+ if (machvec_size >= sizeof(struct sh_machine_vector))
+- sh_mv = *(struct sh_machine_vector *)&__machvec_start;
++ sh_mv = *(struct sh_machine_vector *)__machvec_start;
+ }
+
+ printk(KERN_NOTICE "Booting machvec: %s\n", get_system_type());
+--
+2.35.1
+
--- /dev/null
+From f03c4a2863dfc38a5c8cc35d7697117d7fd7a691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 21:52:17 +0800
+Subject: soc: qcom: smem_state: Add refcounting for the 'state->of_node'
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 90681f53b9381c23ff7762a3b13826d620c272de ]
+
+In qcom_smem_state_register() and qcom_smem_state_release(), we
+should better use of_node_get() and of_node_put() for the reference
+creation and destruction of 'device_node'.
+
+Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220721135217.1301039-2-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/smem_state.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c
+index d5437ca76ed9..1502cf037a6b 100644
+--- a/drivers/soc/qcom/smem_state.c
++++ b/drivers/soc/qcom/smem_state.c
+@@ -144,6 +144,7 @@ static void qcom_smem_state_release(struct kref *ref)
+ struct qcom_smem_state *state = container_of(ref, struct qcom_smem_state, refcount);
+
+ list_del(&state->list);
++ of_node_put(state->of_node);
+ kfree(state);
+ }
+
+@@ -177,7 +178,7 @@ struct qcom_smem_state *qcom_smem_state_register(struct device_node *of_node,
+
+ kref_init(&state->refcount);
+
+- state->of_node = of_node;
++ state->of_node = of_node_get(of_node);
+ state->ops = *ops;
+ state->priv = priv;
+
+--
+2.35.1
+
--- /dev/null
+From 3ef024ea805ff9f93c21db0c16645110d4678d87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 21:52:16 +0800
+Subject: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit af8f6f39b8afd772fda4f8e61823ef8c021bf382 ]
+
+There are two refcount leak bugs in qcom_smsm_probe():
+
+(1) The 'local_node' is escaped out from for_each_child_of_node() as
+the break of iteration, we should call of_node_put() for it in error
+path or when it is not used anymore.
+(2) The 'node' is escaped out from for_each_available_child_of_node()
+as the 'goto', we should call of_node_put() for it in goto target.
+
+Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220721135217.1301039-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/smsm.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c
+index 5304529b41c9..a8a1dc49519e 100644
+--- a/drivers/soc/qcom/smsm.c
++++ b/drivers/soc/qcom/smsm.c
+@@ -519,7 +519,7 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ for (id = 0; id < smsm->num_hosts; id++) {
+ ret = smsm_parse_ipc(smsm, id);
+ if (ret < 0)
+- return ret;
++ goto out_put;
+ }
+
+ /* Acquire the main SMSM state vector */
+@@ -527,13 +527,14 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ smsm->num_entries * sizeof(u32));
+ if (ret < 0 && ret != -EEXIST) {
+ dev_err(&pdev->dev, "unable to allocate shared state entry\n");
+- return ret;
++ goto out_put;
+ }
+
+ states = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_SHARED_STATE, NULL);
+ if (IS_ERR(states)) {
+ dev_err(&pdev->dev, "Unable to acquire shared state entry\n");
+- return PTR_ERR(states);
++ ret = PTR_ERR(states);
++ goto out_put;
+ }
+
+ /* Acquire the list of interrupt mask vectors */
+@@ -541,13 +542,14 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ ret = qcom_smem_alloc(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, size);
+ if (ret < 0 && ret != -EEXIST) {
+ dev_err(&pdev->dev, "unable to allocate smsm interrupt mask\n");
+- return ret;
++ goto out_put;
+ }
+
+ intr_mask = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, NULL);
+ if (IS_ERR(intr_mask)) {
+ dev_err(&pdev->dev, "unable to acquire shared memory interrupt mask\n");
+- return PTR_ERR(intr_mask);
++ ret = PTR_ERR(intr_mask);
++ goto out_put;
+ }
+
+ /* Setup the reference to the local state bits */
+@@ -558,7 +560,8 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ smsm->state = qcom_smem_state_register(local_node, &smsm_state_ops, smsm);
+ if (IS_ERR(smsm->state)) {
+ dev_err(smsm->dev, "failed to register qcom_smem_state\n");
+- return PTR_ERR(smsm->state);
++ ret = PTR_ERR(smsm->state);
++ goto out_put;
+ }
+
+ /* Register handlers for remote processor entries of interest. */
+@@ -588,16 +591,19 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ }
+
+ platform_set_drvdata(pdev, smsm);
++ of_node_put(local_node);
+
+ return 0;
+
+ unwind_interfaces:
++ of_node_put(node);
+ for (id = 0; id < smsm->num_entries; id++)
+ if (smsm->entries[id].domain)
+ irq_domain_remove(smsm->entries[id].domain);
+
+ qcom_smem_state_unregister(smsm->state);
+-
++out_put:
++ of_node_put(local_node);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fd8ef2449c8d93ed53aaa6ca5c141144e02aaad2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 13:42:07 +0200
+Subject: spi: mt7621: Fix an error message in mt7621_spi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2b2bf6b7faa9010fae10dc7de76627a3fdb525b3 ]
+
+'status' is known to be 0 at this point. The expected error code is
+PTR_ERR(clk).
+
+Switch to dev_err_probe() in order to display the expected error code (in a
+human readable way).
+This also filters -EPROBE_DEFER cases, should it happen.
+
+Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/928f3fb507d53ba0774df27cea0bbba4b055993b.1661599671.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/mt7621-spi/spi-mt7621.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/staging/mt7621-spi/spi-mt7621.c b/drivers/staging/mt7621-spi/spi-mt7621.c
+index 75ed48f60c8c..b73823830e3a 100644
+--- a/drivers/staging/mt7621-spi/spi-mt7621.c
++++ b/drivers/staging/mt7621-spi/spi-mt7621.c
+@@ -442,11 +442,9 @@ static int mt7621_spi_probe(struct platform_device *pdev)
+ return PTR_ERR(base);
+
+ clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(clk)) {
+- dev_err(&pdev->dev, "unable to get SYS clock, err=%d\n",
+- status);
+- return PTR_ERR(clk);
+- }
++ if (IS_ERR(clk))
++ return dev_err_probe(&pdev->dev, PTR_ERR(clk),
++ "unable to get SYS clock\n");
+
+ status = clk_prepare_enable(clk);
+ if (status)
+--
+2.35.1
+
--- /dev/null
+From 6ff95d78f5f0d246de1a6a54a797a5fbd813a48e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 20:13:09 +0800
+Subject: spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 29f65f2171c85a9633daa380df14009a365f42f2 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes:db91841b58f9a ("spi/omap100k: Convert to runtime PM")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220924121310.78331-4-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 2eeb0fe2eed2..022f5bccef81 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -425,6 +425,7 @@ static int omap1_spi100k_probe(struct platform_device *pdev)
+ return status;
+
+ err_fck:
++ pm_runtime_disable(&pdev->dev);
+ clk_disable_unprepare(spi100k->fck);
+ err_ick:
+ clk_disable_unprepare(spi100k->ick);
+--
+2.35.1
+
--- /dev/null
+From 7f610efbd2064408fc6cca72cb9890e84215cb42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 06:53:23 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_resume()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang <xuqiang36@huawei.com>
+
+[ Upstream commit 70034320fdc597b8f58b4a43bb547f17c4c5557a ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_resume() in the error handling case.
+
+Fixes: 64ff247a978f (“spi: Add Qualcomm QUP SPI controller support”)
+Signed-off-by: Xu Qiang <xuqiang36@huawei.com>
+Link: https://lore.kernel.org/r/20220825065324.68446-1-xuqiang36@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-qup.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index cb74fd1af205..c5c727274814 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1219,14 +1219,25 @@ static int spi_qup_resume(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ ret = spi_qup_set_state(controller, QUP_STATE_RESET);
+ if (ret)
+- return ret;
++ goto disable_clk;
++
++ ret = spi_master_resume(master);
++ if (ret)
++ goto disable_clk;
+
+- return spi_master_resume(master);
++ return 0;
++
++disable_clk:
++ clk_disable_unprepare(controller->cclk);
++ clk_disable_unprepare(controller->iclk);
++ return ret;
+ }
+ #endif /* CONFIG_PM_SLEEP */
+
+--
+2.35.1
+
--- /dev/null
+From aaf394d1f26abd1445c52efc07339e399f49721b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 06:53:24 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_pm_resume_runtime()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang <xuqiang36@huawei.com>
+
+[ Upstream commit 494a22765ce479c9f8ad181c5d24cffda9f534bb ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_pm_resume_runtime() in the error handling case.
+
+Fixes: dae1a7700b34 (“spi: qup: Handle clocks in pm_runtime suspend and resume”)
+Signed-off-by: Xu Qiang <xuqiang36@huawei.com>
+Link: https://lore.kernel.org/r/20220825065324.68446-2-xuqiang36@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-qup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index c5c727274814..1ca678bcb527 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1172,8 +1172,10 @@ static int spi_qup_pm_resume_runtime(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ /* Disable clocks auto gaiting */
+ config = readl_relaxed(controller->base + QUP_CONFIG);
+--
+2.35.1
+
--- /dev/null
+From 9a20b4a9cf6eb27258564d4b1abebc225498f3c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 13:21:17 +0200
+Subject: spi: s3c64xx: Fix large transfers with DMA
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 1224e29572f655facfcd850cf0f0a4784f36a903 ]
+
+The COUNT_VALUE in the PACKET_CNT register is 16-bit so the maximum
+value is 65535. Asking the driver to transfer a larger size currently
+leads to the DMA transfer timing out. Implement ->max_transfer_size()
+and have the core split the transfer as needed.
+
+Fixes: 230d42d422e7 ("spi: Add s3c64xx SPI Controller driver")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Link: https://lore.kernel.org/r/20220927112117.77599-5-vincent.whitchurch@axis.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-s3c64xx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
+index 1d948fee1a03..d9420561236c 100644
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -84,6 +84,7 @@
+ #define S3C64XX_SPI_ST_TX_FIFORDY (1<<0)
+
+ #define S3C64XX_SPI_PACKET_CNT_EN (1<<16)
++#define S3C64XX_SPI_PACKET_CNT_MASK GENMASK(15, 0)
+
+ #define S3C64XX_SPI_PND_TX_UNDERRUN_CLR (1<<4)
+ #define S3C64XX_SPI_PND_TX_OVERRUN_CLR (1<<3)
+@@ -654,6 +655,13 @@ static int s3c64xx_spi_prepare_message(struct spi_master *master,
+ return 0;
+ }
+
++static size_t s3c64xx_spi_max_transfer_size(struct spi_device *spi)
++{
++ struct spi_controller *ctlr = spi->controller;
++
++ return ctlr->can_dma ? S3C64XX_SPI_PACKET_CNT_MASK : SIZE_MAX;
++}
++
+ static int s3c64xx_spi_transfer_one(struct spi_master *master,
+ struct spi_device *spi,
+ struct spi_transfer *xfer)
+@@ -1118,6 +1126,7 @@ static int s3c64xx_spi_probe(struct platform_device *pdev)
+ master->prepare_transfer_hardware = s3c64xx_spi_prepare_transfer;
+ master->prepare_message = s3c64xx_spi_prepare_message;
+ master->transfer_one = s3c64xx_spi_transfer_one;
++ master->max_transfer_size = s3c64xx_spi_max_transfer_size;
+ master->num_chipselect = sci->num_cs;
+ master->dma_alignment = 8;
+ master->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(16) |
+--
+2.35.1
+
--- /dev/null
+From 535aac83b99264abf7145b6e57f508c77ec19545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 17:50:16 -0700
+Subject: spmi: pmic-arb: correct duplicate APID to PPID mapping logic
+
+From: David Collins <collinsd@codeaurora.org>
+
+[ Upstream commit 1f1693118c2476cb1666ad357edcf3cf48bf9b16 ]
+
+Correct the way that duplicate PPID mappings are handled for PMIC
+arbiter v5. The final APID mapped to a given PPID should be the
+one which has write owner = APPS EE, if it exists, or if not
+that, then the first APID mapped to the PPID, if it exists.
+
+Fixes: 40f318f0ed67 ("spmi: pmic-arb: add support for HW version 5")
+Signed-off-by: David Collins <collinsd@codeaurora.org>
+Signed-off-by: Fenglin Wu <quic_fenglinw@quicinc.com>
+Link: https://lore.kernel.org/r/1655004286-11493-7-git-send-email-quic_fenglinw@quicinc.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20220930005019.2663064-8-sboyd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spmi/spmi-pmic-arb.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c
+index 360b8218f322..0eb156aa4975 100644
+--- a/drivers/spmi/spmi-pmic-arb.c
++++ b/drivers/spmi/spmi-pmic-arb.c
+@@ -867,7 +867,8 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb)
+ * version 5, there is more than one APID mapped to each PPID.
+ * The owner field for each of these mappings specifies the EE which is
+ * allowed to write to the APID. The owner of the last (highest) APID
+- * for a given PPID will receive interrupts from the PPID.
++ * which has the IRQ owner bit set for a given PPID will receive
++ * interrupts from the PPID.
+ */
+ for (i = 0; ; i++, apidd++) {
+ offset = pmic_arb->ver_ops->apid_map_offset(i);
+@@ -890,16 +891,16 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb)
+ apid = pmic_arb->ppid_to_apid[ppid] & ~PMIC_ARB_APID_VALID;
+ prev_apidd = &pmic_arb->apid_data[apid];
+
+- if (valid && is_irq_ee &&
+- prev_apidd->write_ee == pmic_arb->ee) {
++ if (!valid || apidd->write_ee == pmic_arb->ee) {
++ /* First PPID mapping or one for this EE */
++ pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID;
++ } else if (valid && is_irq_ee &&
++ prev_apidd->write_ee == pmic_arb->ee) {
+ /*
+ * Duplicate PPID mapping after the one for this EE;
+ * override the irq owner
+ */
+ prev_apidd->irq_ee = apidd->irq_ee;
+- } else if (!valid || is_irq_ee) {
+- /* First PPID mapping or duplicate for another EE */
+- pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID;
+ }
+
+ apidd->ppid = ppid;
+--
+2.35.1
+
--- /dev/null
+From 65e4b58888e71dfdaae8c3fa32bd88ddcd967026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 16:13:39 +0200
+Subject: staging: vt6655: fix potential memory leak
+
+From: Nam Cao <namcaov@gmail.com>
+
+[ Upstream commit c8ff91535880d41b49699b3829fb6151942de29e ]
+
+In function device_init_td0_ring, memory is allocated for member
+td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
+allocation failure, the memory is freed in reversed order, with i
+decreasing to 0. However, the case i=0 is left out and thus memory is
+leaked.
+
+Modify the memory freeing loop to include the case i=0.
+
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
+Signed-off-by: Nam Cao <namcaov@gmail.com>
+Link: https://lore.kernel.org/r/20220909141338.19343-1-namcaov@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vt6655/device_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
+index cf86b1efa821..4c4432adb6c9 100644
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -677,7 +677,7 @@ static int device_init_td0_ring(struct vnt_private *priv)
+ return 0;
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->apTD0Rings[i];
+ kfree(desc->td_info);
+ }
+--
+2.35.1
+
--- /dev/null
+From bc738b81f60fb294e67ad2c8569cacf98ee9972b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 19:04:31 +0200
+Subject: staging: vt6655: fix some erroneous memory clean-up loops
+
+From: Nam Cao <namcaov@gmail.com>
+
+[ Upstream commit 2a2db520e3ca5aafba7c211abfd397666c9b5f9d ]
+
+In some initialization functions of this driver, memory is allocated with
+'i' acting as an index variable and increasing from 0. The commit in
+"Fixes" introduces some clean-up codes in case of allocation failure,
+which free memory in reverse order with 'i' decreasing to 0. However,
+there are some problems:
+ - The case i=0 is left out. Thus memory is leaked.
+ - In case memory allocation fails right from the start, the memory
+ freeing loops will start with i=-1 and invalid memory locations will
+ be accessed.
+
+One of these loops has been fixed in commit c8ff91535880 ("staging:
+vt6655: fix potential memory leak"). Fix the remaining erroneous loops.
+
+Link: https://lore.kernel.org/linux-staging/Yx9H1zSpxmNqx6Xc@kadam/
+Fixes: 5341ee0adb17 ("staging: vt6655: check for memory allocation failures")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
+Signed-off-by: Nam Cao <namcaov@gmail.com>
+Link: https://lore.kernel.org/r/20220912170429.29852-1-namcaov@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vt6655/device_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
+index 76f434c1c088..cf86b1efa821 100644
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -567,7 +567,7 @@ static int device_init_rd0_ring(struct vnt_private *priv)
+ kfree(desc->rd_info);
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->aRD0Ring[i];
+ device_free_rx_buf(priv, desc);
+ kfree(desc->rd_info);
+@@ -613,7 +613,7 @@ static int device_init_rd1_ring(struct vnt_private *priv)
+ kfree(desc->rd_info);
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->aRD1Ring[i];
+ device_free_rx_buf(priv, desc);
+ kfree(desc->rd_info);
+@@ -717,7 +717,7 @@ static int device_init_td1_ring(struct vnt_private *priv)
+ return 0;
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->apTD1Rings[i];
+ kfree(desc->td_info);
+ }
+--
+2.35.1
+
--- /dev/null
+From 638fe9d16eda823fe92ff9eeceb31f74da2d808d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 21:15:28 +0000
+Subject: tcp: annotate data-race around tcp_md5sig_pool_populated
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit aacd467c0a576e5e44d2de4205855dc0fe43f6fb ]
+
+tcp_md5sig_pool_populated can be read while another thread
+changes its value.
+
+The race has no consequence because allocations
+are protected with tcp_md5sig_mutex.
+
+This patch adds READ_ONCE() and WRITE_ONCE() to document
+the race and silence KCSAN.
+
+Reported-by: Abhishek Shah <abhishek.shah@columbia.edu>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index e25130812cc8..1a6c55441627 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3692,12 +3692,16 @@ static void __tcp_alloc_md5sig_pool(void)
+ * to memory. See smp_rmb() in tcp_get_md5sig_pool()
+ */
+ smp_wmb();
+- tcp_md5sig_pool_populated = true;
++ /* Paired with READ_ONCE() from tcp_alloc_md5sig_pool()
++ * and tcp_get_md5sig_pool().
++ */
++ WRITE_ONCE(tcp_md5sig_pool_populated, true);
+ }
+
+ bool tcp_alloc_md5sig_pool(void)
+ {
+- if (unlikely(!tcp_md5sig_pool_populated)) {
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ if (unlikely(!READ_ONCE(tcp_md5sig_pool_populated))) {
+ mutex_lock(&tcp_md5sig_mutex);
+
+ if (!tcp_md5sig_pool_populated)
+@@ -3705,7 +3709,8 @@ bool tcp_alloc_md5sig_pool(void)
+
+ mutex_unlock(&tcp_md5sig_mutex);
+ }
+- return tcp_md5sig_pool_populated;
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ return READ_ONCE(tcp_md5sig_pool_populated);
+ }
+ EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
+
+@@ -3721,7 +3726,8 @@ struct tcp_md5sig_pool *tcp_get_md5sig_pool(void)
+ {
+ local_bh_disable();
+
+- if (tcp_md5sig_pool_populated) {
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ if (READ_ONCE(tcp_md5sig_pool_populated)) {
+ /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */
+ smp_rmb();
+ return this_cpu_ptr(&tcp_md5sig_pool);
+--
+2.35.1
+
--- /dev/null
+From fcc0fb148dc4083b60ce7c06b5f5ec8cc858bdbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 16:03:31 -0400
+Subject: tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit f4ce91ce12a7c6ead19b128ffa8cff6e3ded2a14 ]
+
+This commit fixes a bug in the tracking of max_packets_out and
+is_cwnd_limited. This bug can cause the connection to fail to remember
+that is_cwnd_limited is true, causing the connection to fail to grow
+cwnd when it should, causing throughput to be lower than it should be.
+
+The following event sequence is an example that triggers the bug:
+
+ (a) The connection is cwnd_limited, but packets_out is not at its
+ peak due to TSO deferral deciding not to send another skb yet.
+ In such cases the connection can advance max_packets_seq and set
+ tp->is_cwnd_limited to true and max_packets_out to a small
+ number.
+
+(b) Then later in the round trip the connection is pacing-limited (not
+ cwnd-limited), and packets_out is larger. In such cases the
+ connection would raise max_packets_out to a bigger number but
+ (unexpectedly) flip tp->is_cwnd_limited from true to false.
+
+This commit fixes that bug.
+
+One straightforward fix would be to separately track (a) the next
+window after max_packets_out reaches a maximum, and (b) the next
+window after tp->is_cwnd_limited is set to true. But this would
+require consuming an extra u32 sequence number.
+
+Instead, to save space we track only the most important
+information. Specifically, we track the strongest available signal of
+the degree to which the cwnd is fully utilized:
+
+(1) If the connection is cwnd-limited then we remember that fact for
+the current window.
+
+(2) If the connection not cwnd-limited then we track the maximum
+number of outstanding packets in the current window.
+
+In particular, note that the new logic cannot trigger the buggy
+(a)/(b) sequence above because with the new logic a condition where
+tp->packets_out > tp->max_packets_out can only trigger an update of
+tp->is_cwnd_limited if tp->is_cwnd_limited is false.
+
+This first showed up in a testing of a BBRv2 dev branch, but this
+buggy behavior highlighted a general issue with the
+tcp_cwnd_validate() logic that can cause cwnd to fail to increase at
+the proper rate for any TCP congestion control, including Reno or
+CUBIC.
+
+Fixes: ca8a22634381 ("tcp: make cwnd-limited checks measurement-based, and gentler")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Kevin(Yudong) Yang <yyd@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/tcp.h | 2 +-
+ include/net/tcp.h | 5 ++++-
+ net/ipv4/tcp.c | 2 ++
+ net/ipv4/tcp_output.c | 19 ++++++++++++-------
+ 4 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/tcp.h b/include/linux/tcp.h
+index 1192f1e76015..621ab5a7fb8f 100644
+--- a/include/linux/tcp.h
++++ b/include/linux/tcp.h
+@@ -263,7 +263,7 @@ struct tcp_sock {
+ u32 packets_out; /* Packets which are "in flight" */
+ u32 retrans_out; /* Retransmitted packets out */
+ u32 max_packets_out; /* max packets_out in last window */
+- u32 max_packets_seq; /* right edge of max_packets_out flight */
++ u32 cwnd_usage_seq; /* right edge of cwnd usage tracking flight */
+
+ u16 urg_data; /* Saved octet of OOB data and control flags */
+ u8 ecn_flags; /* ECN status bits. */
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 436ad4bc9d4c..487b6c5f53f4 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1231,11 +1231,14 @@ static inline bool tcp_is_cwnd_limited(const struct sock *sk)
+ {
+ const struct tcp_sock *tp = tcp_sk(sk);
+
++ if (tp->is_cwnd_limited)
++ return true;
++
+ /* If in slow start, ensure cwnd grows to twice what was ACKed. */
+ if (tcp_in_slow_start(tp))
+ return tp->snd_cwnd < 2 * tp->max_packets_out;
+
+- return tp->is_cwnd_limited;
++ return false;
+ }
+
+ /* BBR congestion control needs pacing.
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 768a7daab559..e25130812cc8 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2607,6 +2607,8 @@ int tcp_disconnect(struct sock *sk, int flags)
+ icsk->icsk_probes_out = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ tp->snd_cwnd_cnt = 0;
++ tp->is_cwnd_limited = 0;
++ tp->max_packets_out = 0;
+ tp->window_clamp = 0;
+ tp->delivered = 0;
+ tp->delivered_ce = 0;
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 35bf58599223..8962864223b4 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1638,15 +1638,20 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited)
+ const struct tcp_congestion_ops *ca_ops = inet_csk(sk)->icsk_ca_ops;
+ struct tcp_sock *tp = tcp_sk(sk);
+
+- /* Track the maximum number of outstanding packets in each
+- * window, and remember whether we were cwnd-limited then.
++ /* Track the strongest available signal of the degree to which the cwnd
++ * is fully utilized. If cwnd-limited then remember that fact for the
++ * current window. If not cwnd-limited then track the maximum number of
++ * outstanding packets in the current window. (If cwnd-limited then we
++ * chose to not update tp->max_packets_out to avoid an extra else
++ * clause with no functional impact.)
+ */
+- if (!before(tp->snd_una, tp->max_packets_seq) ||
+- tp->packets_out > tp->max_packets_out ||
+- is_cwnd_limited) {
+- tp->max_packets_out = tp->packets_out;
+- tp->max_packets_seq = tp->snd_nxt;
++ if (!before(tp->snd_una, tp->cwnd_usage_seq) ||
++ is_cwnd_limited ||
++ (!tp->is_cwnd_limited &&
++ tp->packets_out > tp->max_packets_out)) {
+ tp->is_cwnd_limited = is_cwnd_limited;
++ tp->max_packets_out = tp->packets_out;
++ tp->cwnd_usage_seq = tp->snd_nxt;
+ }
+
+ if (tcp_is_cwnd_limited(sk)) {
+--
+2.35.1
+
--- /dev/null
+From 40988c21c3f2b7419d82dee45d64b929148392a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 04:06:57 -0700
+Subject: thermal: intel_powerclamp: Use get_cpu() instead of
+ smp_processor_id() to avoid crash
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+[ Upstream commit 68b99e94a4a2db6ba9b31fe0485e057b9354a640 ]
+
+When CPU 0 is offline and intel_powerclamp is used to inject
+idle, it generates kernel BUG:
+
+BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687
+caller is debug_smp_processor_id+0x17/0x20
+CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57
+Call Trace:
+<TASK>
+dump_stack_lvl+0x49/0x63
+dump_stack+0x10/0x16
+check_preemption_disabled+0xdd/0xe0
+debug_smp_processor_id+0x17/0x20
+powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]
+...
+...
+
+Here CPU 0 is the control CPU by default and changed to the current CPU,
+if CPU 0 offlined. This check has to be performed under cpus_read_lock(),
+hence the above warning.
+
+Use get_cpu() instead of smp_processor_id() to avoid this BUG.
+
+Suggested-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel_powerclamp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/intel_powerclamp.c b/drivers/thermal/intel_powerclamp.c
+index 8e8328347c0e..079c8c1a5f15 100644
+--- a/drivers/thermal/intel_powerclamp.c
++++ b/drivers/thermal/intel_powerclamp.c
+@@ -550,8 +550,10 @@ static int start_power_clamp(void)
+
+ /* prefer BSP */
+ control_cpu = 0;
+- if (!cpu_online(control_cpu))
+- control_cpu = smp_processor_id();
++ if (!cpu_online(control_cpu)) {
++ control_cpu = get_cpu();
++ put_cpu();
++ }
+
+ clamping = true;
+ schedule_delayed_work(&poll_pkg_cstate_work, 0);
+--
+2.35.1
+
--- /dev/null
+From 823aa751fcb0a7dd1583dd4095a26986207b7339 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 17:17:45 +0530
+Subject: tty: xilinx_uartps: Fix the ignore_status
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit b8a6c3b3d4654fba19881cc77da61eac29f57cae ]
+
+Currently the ignore_status is not considered in the isr.
+Add a check to add the ignore_status.
+
+Fixes: 61ec9016988f ("tty/serial: add support for Xilinx PS UART")
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Link: https://lore.kernel.org/r/20220729114748.18332-5-shubhrajyoti.datta@xilinx.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index c22bd40fc6f0..ded9f16d08eb 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -365,6 +365,8 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id)
+ isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
+ }
+
++ isrstatus &= port->read_status_mask;
++ isrstatus &= ~port->ignore_status_mask;
+ /*
+ * Skip RX processing if RX is disabled as RXEMPTY will never be set
+ * as read bytes will not be removed from the FIFO.
+--
+2.35.1
+
--- /dev/null
+From 01f827db2a8b02b3d9124bf1e2e7b914d3a47073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Sep 2022 15:37:55 -0700
+Subject: usb: gadget: function: fix dangling pnp_string in f_printer.c
+
+From: Albert Briscoe <albertsbriscoe@gmail.com>
+
+[ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ]
+
+When opts->pnp_string is changed with configfs, new memory is allocated for
+the string. It does not, however, update dev->pnp_string, even though the
+memory is freed. When rquesting the string, the host then gets old or
+corrupted data rather than the new string. The ieee 1284 id string should
+be allowed to change while the device is connected.
+
+The bug was introduced in commit fdc01cc286be ("usb: gadget: printer:
+Remove pnp_string static buffer"), which changed opts->pnp_string from a
+char[] to a char*.
+This patch changes dev->pnp_string from a char* to a char** pointing to
+opts->pnp_string.
+
+Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer")
+Signed-off-by: Albert Briscoe <albertsbriscoe@gmail.com>
+Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_printer.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
+index 2a1868b2d24c..dd5eb6202fe1 100644
+--- a/drivers/usb/gadget/function/f_printer.c
++++ b/drivers/usb/gadget/function/f_printer.c
+@@ -87,7 +87,7 @@ struct printer_dev {
+ u8 printer_cdev_open;
+ wait_queue_head_t wait;
+ unsigned q_len;
+- char *pnp_string; /* We don't own memory! */
++ char **pnp_string; /* We don't own memory! */
+ struct usb_function function;
+ };
+
+@@ -963,16 +963,16 @@ static int printer_func_setup(struct usb_function *f,
+ if ((wIndex>>8) != dev->interface)
+ break;
+
+- if (!dev->pnp_string) {
++ if (!*dev->pnp_string) {
+ value = 0;
+ break;
+ }
+- value = strlen(dev->pnp_string);
++ value = strlen(*dev->pnp_string);
+ buf[0] = (value >> 8) & 0xFF;
+ buf[1] = value & 0xFF;
+- memcpy(buf + 2, dev->pnp_string, value);
++ memcpy(buf + 2, *dev->pnp_string, value);
+ DBG(dev, "1284 PNP String: %x %s\n", value,
+- dev->pnp_string);
++ *dev->pnp_string);
+ break;
+
+ case GET_PORT_STATUS: /* Get Port Status */
+@@ -1435,7 +1435,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi)
+ kref_init(&dev->kref);
+ ++opts->refcnt;
+ dev->minor = opts->minor;
+- dev->pnp_string = opts->pnp_string;
++ dev->pnp_string = &opts->pnp_string;
+ dev->q_len = opts->q_len;
+ mutex_unlock(&opts->lock);
+
+--
+2.35.1
+
--- /dev/null
+From 6ba809389c0eda321fa612d0964199cd48fd7177 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 15:34:45 +0300
+Subject: usb: host: xhci: Fix potential memory leak in
+ xhci_alloc_stream_info()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit 7e271f42a5cc3768cd2622b929ba66859ae21f97 ]
+
+xhci_alloc_stream_info() allocates stream context array for stream_info
+->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,
+stream_info->stream_ctx_array is not released, which will lead to a
+memory leak.
+
+We can fix it by releasing the stream_info->stream_ctx_array with
+xhci_free_stream_ctx() on the error path to avoid the potential memory
+leak.
+
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20220921123450.671459-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 798823ce2b34..7de21722d455 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -650,7 +650,7 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ num_stream_ctxs, &stream_info->ctx_array_dma,
+ mem_flags);
+ if (!stream_info->stream_ctx_array)
+- goto cleanup_ctx;
++ goto cleanup_ring_array;
+ memset(stream_info->stream_ctx_array, 0,
+ sizeof(struct xhci_stream_ctx)*num_stream_ctxs);
+
+@@ -711,6 +711,11 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ }
+ xhci_free_command(xhci, stream_info->free_streams_command);
+ cleanup_ctx:
++ xhci_free_stream_ctx(xhci,
++ stream_info->num_stream_ctxs,
++ stream_info->stream_ctx_array,
++ stream_info->ctx_array_dma);
++cleanup_ring_array:
+ kfree(stream_info->stream_rings);
+ cleanup_info:
+ kfree(stream_info);
+--
+2.35.1
+
--- /dev/null
+From 7f81c7dbcd6b3dcaac7fc55ac115fd62c1f891b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:48:44 +0800
+Subject: usb: idmouse: fix an uninit-value in idmouse_open
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit bce2b0539933e485d22d6f6f076c0fcd6f185c4c ]
+
+In idmouse_create_image, if any ftip_command fails, it will
+go to the reset label. However, this leads to the data in
+bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check
+for valid image incurs an uninitialized dereference.
+
+Fix this by moving the check before reset label since this
+check only be valid if the data after bulk_in_buffer[HEADER]
+has concrete data.
+
+Note that this is found by KMSAN, so only kernel compilation
+is tested.
+
+Reported-by: syzbot+79832d33eb89fb3cd092@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Link: https://lore.kernel.org/r/20220922134847.1101921-1-dzm91@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/idmouse.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
+index bb24527f3c70..ba2b6fbab9b8 100644
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -178,10 +178,6 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ bytes_read += bulk_read;
+ }
+
+- /* reset the device */
+-reset:
+- ftip_command(dev, FTIP_RELEASE, 0, 0);
+-
+ /* check for valid image */
+ /* right border should be black (0x00) */
+ for (bytes_read = sizeof(HEADER)-1 + WIDTH-1; bytes_read < IMGSIZE; bytes_read += WIDTH)
+@@ -193,6 +189,10 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ if (dev->bulk_in_buffer[bytes_read] != 0xFF)
+ return -EAGAIN;
+
++ /* reset the device */
++reset:
++ ftip_command(dev, FTIP_RELEASE, 0, 0);
++
+ /* should be IMGSIZE == 65040 */
+ dev_dbg(&dev->interface->dev, "read %d bytes fingerprint data\n",
+ bytes_read);
+--
+2.35.1
+
--- /dev/null
+From a1976e648e60f804044203acfb7dd08445aec56b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 10:21:19 +0800
+Subject: usb: musb: Fix musb_gadget.c rxstate overflow bug
+
+From: Robin Guo <guoweibin@inspur.com>
+
+[ Upstream commit eea4c860c3b366369eff0489d94ee4f0571d467d ]
+
+The usb function device call musb_gadget_queue() adds the passed
+request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz)
+and (is_buffer_mapped(req) return false),the rxstate() will copy all data
+in fifo to request->buf which may cause request->buf out of bounds.
+
+Fix it by add the length check :
+fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
+
+Signed-off-by: Robin Guo <guoweibin@inspur.com>
+Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/musb_gadget.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
+index 4622400ba4dd..8e83995fc3bd 100644
+--- a/drivers/usb/musb/musb_gadget.c
++++ b/drivers/usb/musb/musb_gadget.c
+@@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req)
+ musb_writew(epio, MUSB_RXCSR, csr);
+
+ buffer_aint_mapped:
++ fifo_count = min_t(unsigned int,
++ request->length - request->actual,
++ (unsigned int)fifo_count);
+ musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *)
+ (request->buf + request->actual));
+ request->actual += fifo_count;
+--
+2.35.1
+
--- /dev/null
+From 8018340be2eb73f413e44383b523eca8b1ce1d5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 18:48:24 +0800
+Subject: USB: serial: console: move mutex_unlock() before usb_serial_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 61dfa797c731754642d1ac500a6ac42f9b47f920 ]
+
+While in current version there is no use-after-free as USB serial
+core holds another reference when the console is registered, we
+should better unlock before dropping the reference in
+usb_console_setup().
+
+Fixes: 7bd032dc2793 ("USB serial: update the console driver")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/console.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
+index 7d289302ff6c..299bdb3a58fe 100644
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -186,8 +186,8 @@ static int usb_console_setup(struct console *co, char *options)
+ info->port = NULL;
+ usb_autopm_put_interface(serial->interface);
+ error_get_interface:
+- usb_serial_put(serial);
+ mutex_unlock(&serial->disc_mutex);
++ usb_serial_put(serial);
+ return retval;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From c7547a88dfa412ce9953676226e199008eccc22f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 15:45:38 +0900
+Subject: vhost/vsock: Use kvmalloc/kvfree for larger packets.
+
+From: Junichi Uekawa <uekawa@chromium.org>
+
+[ Upstream commit 0e3f72931fc47bb81686020cc643cde5d9cd0bb8 ]
+
+When copying a large file over sftp over vsock, data size is usually 32kB,
+and kmalloc seems to fail to try to allocate 32 32kB regions.
+
+ vhost-5837: page allocation failure: order:4, mode:0x24040c0
+ Call Trace:
+ [<ffffffffb6a0df64>] dump_stack+0x97/0xdb
+ [<ffffffffb68d6aed>] warn_alloc_failed+0x10f/0x138
+ [<ffffffffb68d868a>] ? __alloc_pages_direct_compact+0x38/0xc8
+ [<ffffffffb664619f>] __alloc_pages_nodemask+0x84c/0x90d
+ [<ffffffffb6646e56>] alloc_kmem_pages+0x17/0x19
+ [<ffffffffb6653a26>] kmalloc_order_trace+0x2b/0xdb
+ [<ffffffffb66682f3>] __kmalloc+0x177/0x1f7
+ [<ffffffffb66e0d94>] ? copy_from_iter+0x8d/0x31d
+ [<ffffffffc0689ab7>] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]
+ [<ffffffffc06828d9>] vhost_worker+0xf7/0x157 [vhost]
+ [<ffffffffb683ddce>] kthread+0xfd/0x105
+ [<ffffffffc06827e2>] ? vhost_dev_set_owner+0x22e/0x22e [vhost]
+ [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
+ [<ffffffffb6eb332e>] ret_from_fork+0x4e/0x80
+ [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
+
+Work around by doing kvmalloc instead.
+
+Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")
+Signed-off-by: Junichi Uekawa <uekawa@chromium.org>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20220928064538.667678-1-uekawa@chromium.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 2 +-
+ net/vmw_vsock/virtio_transport_common.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 9f67717eaf45..08d49f34c785 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -354,7 +354,7 @@ vhost_vsock_alloc_pkt(struct vhost_virtqueue *vq,
+ return NULL;
+ }
+
+- pkt->buf = kmalloc(pkt->len, GFP_KERNEL);
++ pkt->buf = kvmalloc(pkt->len, GFP_KERNEL);
+ if (!pkt->buf) {
+ kfree(pkt);
+ return NULL;
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index cbb336f01cf2..449b5261e661 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1079,7 +1079,7 @@ EXPORT_SYMBOL_GPL(virtio_transport_recv_pkt);
+
+ void virtio_transport_free_pkt(struct virtio_vsock_pkt *pkt)
+ {
+- kfree(pkt->buf);
++ kvfree(pkt->buf);
+ kfree(pkt);
+ }
+ EXPORT_SYMBOL_GPL(virtio_transport_free_pkt);
+--
+2.35.1
+
--- /dev/null
+From 4c28bcc21abc207003645deaa00c1d34307a0fd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 10:19:30 -0400
+Subject: wifi: ath10k: add peer map clean up for peer delete in
+ ath10k_sta_state()
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit f020d9570a04df0762a2ac5c50cf1d8c511c9164 ]
+
+When peer delete failed in a disconnect operation, use-after-free
+detected by KFENCE in below log. It is because for each vdev_id and
+address, it has only one struct ath10k_peer, it is allocated in
+ath10k_peer_map_event(). When connected to an AP, it has more than
+one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the
+array peer_map of struct ath10k will be set muti-elements to the
+same ath10k_peer in ath10k_peer_map_event(). When peer delete failed
+in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer
+id in array peer_map of struct ath10k, and then use-after-free happened
+for the 2nd peer id because they map to the same ath10k_peer.
+
+And clean up all peers in array peer_map for the ath10k_peer, then
+user-after-free disappeared
+
+peer map event log:
+[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e
+[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33
+[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246
+[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198
+[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166
+
+peer unmap event log:
+[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)
+[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)
+[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246
+[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198
+[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166
+
+use-after-free log:
+[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)
+[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110
+[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed
+[21713.799968] ==================================================================
+[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]
+[21713.799991]
+[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):
+[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core]
+[21713.800041] drv_sta_state+0x115/0x677 [mac80211]
+[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211]
+[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211]
+[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]
+[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]
+[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]
+[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211]
+[21713.800161] genl_rcv_msg+0x38e/0x3be
+[21713.800166] netlink_rcv_skb+0x89/0xf7
+[21713.800171] genl_rcv+0x28/0x36
+[21713.800176] netlink_unicast+0x179/0x24b
+[21713.800181] netlink_sendmsg+0x3a0/0x40e
+[21713.800187] sock_sendmsg+0x72/0x76
+[21713.800192] ____sys_sendmsg+0x16d/0x1e3
+[21713.800196] ___sys_sendmsg+0x95/0xd1
+[21713.800200] __sys_sendmsg+0x85/0xbf
+[21713.800205] do_syscall_64+0x43/0x55
+[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[21713.800213]
+[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k
+[21713.800219]
+[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:
+[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core]
+[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]
+[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]
+[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]
+[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1df [ath10k_pci]
+[21713.800294] ath10k_ce_per_engine_service+0x55/0x74 [ath10k_core]
+[21713.800305] ath10k_ce_per_engine_service_any+0x76/0x84 [ath10k_core]
+[21713.800310] ath10k_pci_napi_poll+0x49/0x144 [ath10k_pci]
+[21713.800316] net_rx_action+0xdc/0x361
+[21713.800320] __do_softirq+0x163/0x29a
+[21713.800325] asm_call_irq_on_stack+0x12/0x20
+[21713.800331] do_softirq_own_stack+0x3c/0x48
+[21713.800337] __irq_exit_rcu+0x9b/0x9d
+[21713.800342] common_interrupt+0xc9/0x14d
+[21713.800346] asm_common_interrupt+0x1e/0x40
+[21713.800351] ksoftirqd_should_run+0x5/0x16
+[21713.800357] smpboot_thread_fn+0x148/0x211
+[21713.800362] kthread+0x150/0x15f
+[21713.800367] ret_from_fork+0x22/0x30
+[21713.800370]
+[21713.800374] freed by task 708 on cpu 1 at 21713.799953s:
+[21713.800498] ath10k_sta_state+0x2c6/0xb8a [ath10k_core]
+[21713.800515] drv_sta_state+0x115/0x677 [mac80211]
+[21713.800532] __sta_info_destroy_part2+0xb1/0x133 [mac80211]
+[21713.800548] __sta_info_flush+0x11d/0x162 [mac80211]
+[21713.800565] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]
+[21713.800581] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]
+[21713.800598] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]
+[21713.800614] nl80211_deauthenticate+0xf8/0x121 [cfg80211]
+[21713.800619] genl_rcv_msg+0x38e/0x3be
+[21713.800623] netlink_rcv_skb+0x89/0xf7
+[21713.800628] genl_rcv+0x28/0x36
+[21713.800632] netlink_unicast+0x179/0x24b
+[21713.800637] netlink_sendmsg+0x3a0/0x40e
+[21713.800642] sock_sendmsg+0x72/0x76
+[21713.800646] ____sys_sendmsg+0x16d/0x1e3
+[21713.800651] ___sys_sendmsg+0x95/0xd1
+[21713.800655] __sys_sendmsg+0x85/0xbf
+[21713.800659] do_syscall_64+0x43/0x55
+[21713.800663] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1
+
+Fixes: d0eeafad1189 ("ath10k: Clean up peer when sta goes away.")
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220801141930.16794-1-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 54 ++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 6e4096fd6633..07308571665c 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -819,11 +819,36 @@ static int ath10k_peer_delete(struct ath10k *ar, u32 vdev_id, const u8 *addr)
+ return 0;
+ }
+
++static void ath10k_peer_map_cleanup(struct ath10k *ar, struct ath10k_peer *peer)
++{
++ int peer_id, i;
++
++ lockdep_assert_held(&ar->conf_mutex);
++
++ for_each_set_bit(peer_id, peer->peer_ids,
++ ATH10K_MAX_NUM_PEER_IDS) {
++ ar->peer_map[peer_id] = NULL;
++ }
++
++ /* Double check that peer is properly un-referenced from
++ * the peer_map
++ */
++ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
++ if (ar->peer_map[i] == peer) {
++ ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n",
++ peer->addr, peer, i);
++ ar->peer_map[i] = NULL;
++ }
++ }
++
++ list_del(&peer->list);
++ kfree(peer);
++ ar->num_peers--;
++}
++
+ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
+ {
+ struct ath10k_peer *peer, *tmp;
+- int peer_id;
+- int i;
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+@@ -835,25 +860,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
+ ath10k_warn(ar, "removing stale peer %pM from vdev_id %d\n",
+ peer->addr, vdev_id);
+
+- for_each_set_bit(peer_id, peer->peer_ids,
+- ATH10K_MAX_NUM_PEER_IDS) {
+- ar->peer_map[peer_id] = NULL;
+- }
+-
+- /* Double check that peer is properly un-referenced from
+- * the peer_map
+- */
+- for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
+- if (ar->peer_map[i] == peer) {
+- ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n",
+- peer->addr, peer, i);
+- ar->peer_map[i] = NULL;
+- }
+- }
+-
+- list_del(&peer->list);
+- kfree(peer);
+- ar->num_peers--;
++ ath10k_peer_map_cleanup(ar, peer);
+ }
+ spin_unlock_bh(&ar->data_lock);
+ }
+@@ -6371,10 +6378,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
+ /* Clean up the peer object as well since we
+ * must have failed to do this above.
+ */
+- list_del(&peer->list);
+- ar->peer_map[i] = NULL;
+- kfree(peer);
+- ar->num_peers--;
++ ath10k_peer_map_cleanup(ar, peer);
+ }
+ }
+ spin_unlock_bh(&ar->data_lock);
+--
+2.35.1
+
--- /dev/null
+From 9b5822acd6054252d01ab94a16ec80d3081dc469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 18:23:54 +0300
+Subject: wifi: ath10k: reset pointer after memory free to avoid potential
+ use-after-free
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]
+
+When running suspend test, kernel crash happened in ath10k, and it is
+fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
+for driver state RESTARTING").
+
+Currently the crash is fixed, but as a common code style, it is better
+to set the pointer to NULL after memory is free.
+
+This is to address the code style and it will avoid potential bug of
+use-after-free.
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 0a7551dc0f94..68728cba6df3 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -302,12 +302,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
+ ath10k_htt_get_vaddr_ring(htt),
+ htt->rx_ring.base_paddr);
+
++ ath10k_htt_config_paddrs_ring(htt, NULL);
++
+ dma_free_coherent(htt->ar->dev,
+ sizeof(*htt->rx_ring.alloc_idx.vaddr),
+ htt->rx_ring.alloc_idx.vaddr,
+ htt->rx_ring.alloc_idx.paddr);
++ htt->rx_ring.alloc_idx.vaddr = NULL;
+
+ kfree(htt->rx_ring.netbufs_ring);
++ htt->rx_ring.netbufs_ring = NULL;
+ }
+
+ static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
+@@ -641,8 +645,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
+ ath10k_htt_get_rx_ring_size(htt),
+ vaddr_ring,
+ htt->rx_ring.base_paddr);
++ ath10k_htt_config_paddrs_ring(htt, NULL);
+ err_dma_ring:
+ kfree(htt->rx_ring.netbufs_ring);
++ htt->rx_ring.netbufs_ring = NULL;
+ err_netbuf:
+ return -ENOMEM;
+ }
+--
+2.35.1
+
--- /dev/null
+From 884e3786800e402eb3e602f451267161daeadb87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 23:46:13 +0900
+Subject: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit b383e8abed41cc6ff1a3b34de75df9397fa4878c ]
+
+syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
+ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
+pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
+__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
+pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
+with uninitialized memory and ath9k_htc_rx_msg() is reading from
+uninitialized memory.
+
+Since bytes accessed by ath9k_htc_rx_msg() is not known until
+ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
+pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
+ath9k_hif_usb_rx_stream().
+
+We have two choices. One is to workaround by adding __GFP_ZERO so that
+ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
+ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
+the latter.
+
+Note that I'm not sure threshold condition is correct, for I can't find
+details on possible packet length used by this protocol.
+
+Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1]
+Reported-by: syzbot <syzbot+2ca247c2d60c7023de7f@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 43 +++++++++++++++---------
+ 1 file changed, 28 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index e37de14bc502..6d69cf69fd86 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -367,33 +367,27 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
+ }
+
+ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
+- struct sk_buff *skb)
++ struct sk_buff *skb, u32 len)
+ {
+ uint32_t *pattern = (uint32_t *)skb->data;
+
+- switch (*pattern) {
+- case 0x33221199:
+- {
++ if (*pattern == 0x33221199 && len >= sizeof(struct htc_panic_bad_vaddr)) {
+ struct htc_panic_bad_vaddr *htc_panic;
+ htc_panic = (struct htc_panic_bad_vaddr *) skb->data;
+ dev_err(htc_handle->dev, "ath: firmware panic! "
+ "exccause: 0x%08x; pc: 0x%08x; badvaddr: 0x%08x.\n",
+ htc_panic->exccause, htc_panic->pc,
+ htc_panic->badvaddr);
+- break;
+- }
+- case 0x33221299:
+- {
++ return;
++ }
++ if (*pattern == 0x33221299) {
+ struct htc_panic_bad_epid *htc_panic;
+ htc_panic = (struct htc_panic_bad_epid *) skb->data;
+ dev_err(htc_handle->dev, "ath: firmware panic! "
+ "bad epid: 0x%08x\n", htc_panic->epid);
+- break;
+- }
+- default:
+- dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
+- break;
++ return;
+ }
++ dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
+ }
+
+ /*
+@@ -414,16 +408,26 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
+ if (!htc_handle || !skb)
+ return;
+
++ /* A valid message requires len >= 8.
++ *
++ * sizeof(struct htc_frame_hdr) == 8
++ * sizeof(struct htc_ready_msg) == 8
++ * sizeof(struct htc_panic_bad_vaddr) == 16
++ * sizeof(struct htc_panic_bad_epid) == 8
++ */
++ if (unlikely(len < sizeof(struct htc_frame_hdr)))
++ goto invalid;
+ htc_hdr = (struct htc_frame_hdr *) skb->data;
+ epid = htc_hdr->endpoint_id;
+
+ if (epid == 0x99) {
+- ath9k_htc_fw_panic_report(htc_handle, skb);
++ ath9k_htc_fw_panic_report(htc_handle, skb, len);
+ kfree_skb(skb);
+ return;
+ }
+
+ if (epid < 0 || epid >= ENDPOINT_MAX) {
++invalid:
+ if (pipe_id != USB_REG_IN_PIPE)
+ dev_kfree_skb_any(skb);
+ else
+@@ -435,21 +439,30 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
+
+ /* Handle trailer */
+ if (htc_hdr->flags & HTC_FLAGS_RECV_TRAILER) {
+- if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000)
++ if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) {
+ /* Move past the Watchdog pattern */
+ htc_hdr = (struct htc_frame_hdr *)(skb->data + 4);
++ len -= 4;
++ }
+ }
+
+ /* Get the message ID */
++ if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(__be16)))
++ goto invalid;
+ msg_id = (__be16 *) ((void *) htc_hdr +
+ sizeof(struct htc_frame_hdr));
+
+ /* Now process HTC messages */
+ switch (be16_to_cpu(*msg_id)) {
+ case HTC_MSG_READY_ID:
++ if (unlikely(len < sizeof(struct htc_ready_msg)))
++ goto invalid;
+ htc_process_target_rdy(htc_handle, htc_hdr);
+ break;
+ case HTC_MSG_CONNECT_SERVICE_RESPONSE_ID:
++ if (unlikely(len < sizeof(struct htc_frame_hdr) +
++ sizeof(struct htc_conn_svc_rspmsg)))
++ goto invalid;
+ htc_process_conn_rsp(htc_handle, htc_hdr);
+ break;
+ default:
+--
+2.35.1
+
--- /dev/null
+From d6e38dfdb607b60d0832ac7f728f0ca1a1aa3f61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 13:56:28 +0200
+Subject: wifi: brcmfmac: fix invalid address access when enabling SCAN log
+ level
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wright Feng <wright.feng@cypress.com>
+
+[ Upstream commit aa666b68e73fc06d83c070d96180b9010cf5a960 ]
+
+The variable i is changed when setting random MAC address and causes
+invalid address access when printing the value of pi->reqs[i]->reqid.
+
+We replace reqs index with ri to fix the issue.
+
+[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
+[ 136.737365] Mem abort info:
+[ 136.740172] ESR = 0x96000004
+[ 136.743359] Exception class = DABT (current EL), IL = 32 bits
+[ 136.749294] SET = 0, FnV = 0
+[ 136.752481] EA = 0, S1PTW = 0
+[ 136.755635] Data abort info:
+[ 136.758514] ISV = 0, ISS = 0x00000004
+[ 136.762487] CM = 0, WnR = 0
+[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
+[ 136.772265] [0000000000000000] pgd=0000000000000000
+[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
+[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
+[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
+[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1
+[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
+[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
+[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
+[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
+[ 136.828162] sp : ffff00000e9a3880
+[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400
+[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0
+[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400
+[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8
+[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400
+[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000
+[ 136.863343] x17: 0000000000000000 x16: 0000000000000000
+[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050
+[ 136.873966] x13: 0000000000003135 x12: 0000000000000000
+[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888
+[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008
+[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d
+[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942
+[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8
+[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000
+[ 136.911146] Call trace:
+[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
+[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
+[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
+[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]
+[ 136.937298] genl_rcv_msg+0x358/0x3f4
+[ 136.940960] netlink_rcv_skb+0xb4/0x118
+[ 136.944795] genl_rcv+0x34/0x48
+[ 136.947935] netlink_unicast+0x264/0x300
+[ 136.951856] netlink_sendmsg+0x2e4/0x33c
+[ 136.955781] __sys_sendto+0x120/0x19c
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220722115632.620681-4-alvin@pqrs.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
+index ffa243e2e2d0..581a23549ee5 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
+@@ -163,12 +163,12 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
+ struct brcmf_pno_macaddr_le pfn_mac;
+ u8 *mac_addr = NULL;
+ u8 *mac_mask = NULL;
+- int err, i;
++ int err, i, ri;
+
+- for (i = 0; i < pi->n_reqs; i++)
+- if (pi->reqs[i]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
+- mac_addr = pi->reqs[i]->mac_addr;
+- mac_mask = pi->reqs[i]->mac_addr_mask;
++ for (ri = 0; ri < pi->n_reqs; ri++)
++ if (pi->reqs[ri]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
++ mac_addr = pi->reqs[ri]->mac_addr;
++ mac_mask = pi->reqs[ri]->mac_addr_mask;
+ break;
+ }
+
+@@ -190,7 +190,7 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
+ pfn_mac.mac[0] |= 0x02;
+
+ brcmf_dbg(SCAN, "enabling random mac: reqid=%llu mac=%pM\n",
+- pi->reqs[i]->reqid, pfn_mac.mac);
++ pi->reqs[ri]->reqid, pfn_mac.mac);
+ err = brcmf_fil_iovar_data_set(ifp, "pfn_macaddr", &pfn_mac,
+ sizeof(pfn_mac));
+ if (err)
+--
+2.35.1
+
--- /dev/null
+From ec1d774fc93d0d77758a7b355bdbbb4402ca5ee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 10:49:26 -0700
+Subject: wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
+
+From: Alexander Coffin <alex.coffin@matician.com>
+
+[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ]
+
+> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
+
+may be schedule, and then complete before the line
+
+> ndev->stats.tx_bytes += skb->len;
+
+[ 46.912801] ==================================================================
+[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
+[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328
+[ 46.935991]
+[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1
+[ 46.947255] Hardware name: [REDACTED]
+[ 46.954568] Call trace:
+[ 46.957037] dump_backtrace+0x0/0x2b8
+[ 46.960719] show_stack+0x24/0x30
+[ 46.964052] dump_stack+0x128/0x194
+[ 46.967557] print_address_description.isra.0+0x64/0x380
+[ 46.972877] __kasan_report+0x1d4/0x240
+[ 46.976723] kasan_report+0xc/0x18
+[ 46.980138] __asan_report_load4_noabort+0x18/0x20
+[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
+[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0
+[ 46.994894] sch_direct_xmit+0x198/0xd08
+[ 46.998827] __qdisc_run+0x37c/0x1dc0
+[ 47.002500] __dev_queue_xmit+0x1528/0x21f8
+[ 47.006692] dev_queue_xmit+0x24/0x30
+[ 47.010366] neigh_resolve_output+0x37c/0x678
+[ 47.014734] ip_finish_output2+0x598/0x2458
+[ 47.018927] __ip_finish_output+0x300/0x730
+[ 47.023118] ip_output+0x2e0/0x430
+[ 47.026530] ip_local_out+0x90/0x140
+[ 47.030117] igmpv3_sendpack+0x14c/0x228
+[ 47.034049] igmpv3_send_cr+0x384/0x6b8
+[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118
+[ 47.042262] call_timer_fn+0x1cc/0xbe8
+[ 47.046021] __run_timers+0x4d8/0xb28
+[ 47.049693] run_timer_softirq+0x24/0x40
+[ 47.053626] __do_softirq+0x2c0/0x117c
+[ 47.057387] irq_exit+0x2dc/0x388
+[ 47.060715] __handle_domain_irq+0xb4/0x158
+[ 47.064908] gic_handle_irq+0x58/0xb0
+[ 47.068581] el0_irq_naked+0x50/0x5c
+[ 47.072162]
+[ 47.073665] Allocated by task 328:
+[ 47.077083] save_stack+0x24/0xb0
+[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0
+[ 47.084776] kasan_slab_alloc+0x14/0x20
+[ 47.088622] kmem_cache_alloc+0x15c/0x468
+[ 47.092643] __alloc_skb+0xa4/0x498
+[ 47.096142] igmpv3_newpack+0x158/0xd78
+[ 47.099987] add_grhead+0x210/0x288
+[ 47.103485] add_grec+0x6b0/0xb70
+[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8
+[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118
+[ 47.115027] call_timer_fn+0x1cc/0xbe8
+[ 47.118785] __run_timers+0x4d8/0xb28
+[ 47.122457] run_timer_softirq+0x24/0x40
+[ 47.126389] __do_softirq+0x2c0/0x117c
+[ 47.130142]
+[ 47.131643] Freed by task 180:
+[ 47.134712] save_stack+0x24/0xb0
+[ 47.138041] __kasan_slab_free+0x108/0x180
+[ 47.142146] kasan_slab_free+0x10/0x18
+[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0
+[ 47.150444] kmem_cache_free+0x8c/0x528
+[ 47.154292] kfree_skbmem+0x94/0x108
+[ 47.157880] consume_skb+0x10c/0x5a8
+[ 47.161466] __dev_kfree_skb_any+0x88/0xa0
+[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]
+[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac]
+[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]
+[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]
+[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]
+[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]
+[ 47.197859] process_one_work+0x7fc/0x1a80
+[ 47.201965] worker_thread+0x31c/0xc40
+[ 47.205726] kthread+0x2d8/0x370
+[ 47.208967] ret_from_fork+0x10/0x18
+[ 47.212546]
+[ 47.214051] The buggy address belongs to the object at ffffff803f588280
+[ 47.214051] which belongs to the cache skbuff_head_cache of size 208
+[ 47.227086] The buggy address is located 104 bytes inside of
+[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350)
+[ 47.238814] The buggy address belongs to the page:
+[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0
+[ 47.255007] flags: 0x10200(slab|head)
+[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800
+[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000
+[ 47.274180] page dumped because: kasan: bad access detected
+[ 47.279752]
+[ 47.281251] Memory state around the buggy address:
+[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 47.307723] ^
+[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
+[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+[ 47.328789] ==================================================================
+
+Signed-off-by: Alexander Coffin <alex.coffin@matician.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index db4c541f58ae..31bf2eb47b49 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -270,6 +270,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
+ struct brcmf_pub *drvr = ifp->drvr;
+ struct ethhdr *eh;
+ int head_delta;
++ unsigned int tx_bytes = skb->len;
+
+ brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
+
+@@ -341,7 +342,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
+ ndev->stats.tx_dropped++;
+ } else {
+ ndev->stats.tx_packets++;
+- ndev->stats.tx_bytes += skb->len;
++ ndev->stats.tx_bytes += tx_bytes;
+ }
+
+ /* Return ok: we always eat the packet */
+--
+2.35.1
+
--- /dev/null
+From d2b7dc9285fbed5c112a77f69031d37c032c530c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 12:02:29 +0530
+Subject: wifi: mac80211: allow bw change during channel switch in mesh
+
+From: Hari Chandrakanthan <quic_haric@quicinc.com>
+
+[ Upstream commit 6b75f133fe05c36c52d691ff21545d5757fff721 ]
+
+From 'IEEE Std 802.11-2020 section 11.8.8.4.1':
+ The mesh channel switch may be triggered by the need to avoid
+ interference to a detected radar signal, or to reassign mesh STA
+ channels to ensure the MBSS connectivity.
+
+ A 20/40 MHz MBSS may be changed to a 20 MHz MBSS and a 20 MHz
+ MBSS may be changed to a 20/40 MHz MBSS.
+
+Since the standard allows the change of bandwidth during
+the channel switch in mesh, remove the bandwidth check present in
+ieee80211_set_csa_beacon.
+
+Fixes: c6da674aff94 ("{nl,cfg,mac}80211: enable the triggering of CSA frame in mesh")
+Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
+Link: https://lore.kernel.org/r/1658903549-21218-1-git-send-email-quic_haric@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 9348caf1c611..5659af1bec17 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -3136,9 +3136,6 @@ static int ieee80211_set_csa_beacon(struct ieee80211_sub_if_data *sdata,
+ case NL80211_IFTYPE_MESH_POINT: {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+
+- if (params->chandef.width != sdata->vif.bss_conf.chandef.width)
+- return -EINVAL;
+-
+ /* changes into another band are not supported */
+ if (sdata->vif.bss_conf.chandef.chan->band !=
+ params->chandef.chan->band)
+--
+2.35.1
+
--- /dev/null
+From 281361a7285e8edad4132ae8eda61a3559518848 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:30:09 +0100
+Subject: wifi: rt2x00: correctly set BBP register 86 for MT7620
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit c9aada64fe6493461127f1522d7e2f01792d2424 ]
+
+Instead of 0 set the correct value for BBP register 86 for MT7620.
+
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/257267247ee4fa7ebc6a5d0c4948b3f8119c0d77.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index 9469517ac65f..c9fa56b721b2 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -3658,7 +3658,10 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
+ rt2800_bbp_write(rt2x00dev, 62, 0x37 - rt2x00dev->lna_gain);
+ rt2800_bbp_write(rt2x00dev, 63, 0x37 - rt2x00dev->lna_gain);
+ rt2800_bbp_write(rt2x00dev, 64, 0x37 - rt2x00dev->lna_gain);
+- rt2800_bbp_write(rt2x00dev, 86, 0);
++ if (rt2x00_rt(rt2x00dev, RT6352))
++ rt2800_bbp_write(rt2x00dev, 86, 0x38);
++ else
++ rt2800_bbp_write(rt2x00dev, 86, 0);
+ }
+
+ if (rf->channel <= 14) {
+--
+2.35.1
+
--- /dev/null
+From 22b40154389fb30f0f07b0dfd04d2375e5a7dc7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:28:29 +0100
+Subject: wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit d3aad83d05aec0cfd7670cf0028f2ad4b81de92e ]
+
+The function rt2800_iq_calibrate is intended for Rt5592 only.
+Don't call it for MT7620 which has it's own calibration functions.
+
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index a567bc273ffc..2a119f314c38 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -3838,7 +3838,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
+ reg += 2 * rt2x00dev->lna_gain;
+ rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg);
+
+- rt2800_iq_calibrate(rt2x00dev, rf->channel);
++ if (rt2x00_rt(rt2x00dev, RT5592))
++ rt2800_iq_calibrate(rt2x00dev, rf->channel);
+ }
+
+ bbp = rt2800_bbp_read(rt2x00dev, 4);
+--
+2.35.1
+
--- /dev/null
+From c986876bce9435749f7dbfc7d803fd40e45184ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:29:26 +0100
+Subject: wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit eeb50acf15762b61921f9df18663f839f387c054 ]
+
+Set correct TX_SW_CFG1 MAC register as it is done also in v3 of the
+vendor driver[1].
+
+[1]: https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/4be38975ce600a34249e12d09a3cb758c6e71071.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index 2a119f314c38..b8224b215532 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -5318,7 +5318,7 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
+ rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000404);
+ } else if (rt2x00_rt(rt2x00dev, RT6352)) {
+ rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000401);
+- rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0000);
++ rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0001);
+ rt2800_register_write(rt2x00dev, TX_SW_CFG2, 0x00000000);
+ rt2800_register_write(rt2x00dev, MIMO_PS_CFG, 0x00000002);
+ rt2800_register_write(rt2x00dev, TX_PIN_CFG, 0x00150F0F);
+--
+2.35.1
+
--- /dev/null
+From 1e1298096d5777fbdf9f3e42f994a0c1772dbf3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:29:55 +0100
+Subject: wifi: rt2x00: set SoC wmac clock register
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit cbde6ed406a51092d9e8a2df058f5f8490f27443 ]
+
+Instead of using the default value 33 (pci), set US_CYC_CNT init based
+on Programming guide:
+If available, set chipset bus clock with fallback to cpu clock/3.
+
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/3e275d259f476f597dab91a9c395015ef3fe3284.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/ralink/rt2x00/rt2800lib.c | 21 +++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index b8224b215532..9469517ac65f 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -5570,6 +5570,27 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
+ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
+ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, 125);
+ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
++ } else if (rt2x00_is_soc(rt2x00dev)) {
++ struct clk *clk = clk_get_sys("bus", NULL);
++ int rate;
++
++ if (IS_ERR(clk)) {
++ clk = clk_get_sys("cpu", NULL);
++
++ if (IS_ERR(clk)) {
++ rate = 125;
++ } else {
++ rate = clk_get_rate(clk) / 3000000;
++ clk_put(clk);
++ }
++ } else {
++ rate = clk_get_rate(clk) / 1000000;
++ clk_put(clk);
++ }
++
++ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
++ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, rate);
++ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
+ }
+
+ reg = rt2800_register_read(rt2x00dev, HT_FBK_CFG0);
+--
+2.35.1
+
--- /dev/null
+From ed4cd1eb79b26a420a9ded819c5e18ce645c8a6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 19:12:36 +0300
+Subject: wifi: rtl8xxxu: Fix skb misuse in TX queue selection
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit edd5747aa12ed61a5ecbfa58d3908623fddbf1e8 ]
+
+rtl8xxxu_queue_select() selects the wrong TX queues because it's
+reading memory from the wrong address. It expects to find ieee80211_hdr
+at skb->data, but that's not the case after skb_push(). Move the call
+to rtl8xxxu_queue_select() before the call to skb_push().
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/7fa4819a-4f20-b2af-b7a6-8ee01ac49295@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index dd345ed1a717..ccd76c1da40c 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -4955,6 +4955,8 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw,
+ if (control && control->sta)
+ sta = control->sta;
+
++ queue = rtl8xxxu_queue_select(hw, skb);
++
+ tx_desc = skb_push(skb, tx_desc_size);
+
+ memset(tx_desc, 0, tx_desc_size);
+@@ -4967,7 +4969,6 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw,
+ is_broadcast_ether_addr(ieee80211_get_DA(hdr)))
+ tx_desc->txdw0 |= TXDESC_BROADMULTICAST;
+
+- queue = rtl8xxxu_queue_select(hw, skb);
+ tx_desc->txdw1 = cpu_to_le32(queue << TXDESC_QUEUE_SHIFT);
+
+ if (tx_info->control.hw_key) {
+--
+2.35.1
+
--- /dev/null
+From ca4adbac84cd4890795ded27d35974d30046ae45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 14:48:32 +0300
+Subject: wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit e963a19c64ac0d2f8785d36a27391abd91ac77aa ]
+
+Found by comparing with the vendor driver. Currently this affects
+only the RTL8192EU, which is the only gen2 chip with 2 TX paths
+supported by this driver. It's unclear what kind of effect the
+mistake had in practice, since I don't have any RTL8192EU devices
+to test it.
+
+Fixes: e1547c535ede ("rtl8xxxu: First stab at adding IQK calibration for 8723bu parts")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/30a59f3a-cfa9-8379-7af0-78a8f4c77cfd@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index ccd76c1da40c..38f06ee98b35 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -2930,12 +2930,12 @@ bool rtl8xxxu_gen2_simularity_compare(struct rtl8xxxu_priv *priv,
+ }
+
+ if (!(simubitmap & 0x30) && priv->tx_paths > 1) {
+- /* path B RX OK */
++ /* path B TX OK */
+ for (i = 4; i < 6; i++)
+ result[3][i] = result[c1][i];
+ }
+
+- if (!(simubitmap & 0x30) && priv->tx_paths > 1) {
++ if (!(simubitmap & 0xc0) && priv->tx_paths > 1) {
+ /* path B RX OK */
+ for (i = 6; i < 8; i++)
+ result[3][i] = result[c1][i];
+--
+2.35.1
+
--- /dev/null
+From a1937925bfb637f225cf675addb47d8d414454d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 08:22:32 +0300
+Subject: wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ]
+
+There some bounds checking to ensure that "map_addr" is not out of
+bounds before the start of the loop. But the checking needs to be
+done as we iterate through the loop because "map_addr" gets larger as
+we iterate.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index b80cff96dea1..dd345ed1a717 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -1879,13 +1879,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
+
+ /* We have 8 bits to indicate validity */
+ map_addr = offset * 8;
+- if (map_addr >= EFUSE_MAP_LEN) {
+- dev_warn(dev, "%s: Illegal map_addr (%04x), "
+- "efuse corrupt!\n",
+- __func__, map_addr);
+- ret = -EINVAL;
+- goto exit;
+- }
+ for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
+ /* Check word enable condition in the section */
+ if (word_mask & BIT(i)) {
+@@ -1896,6 +1889,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
+ ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
+ if (ret)
+ goto exit;
++ if (map_addr >= EFUSE_MAP_LEN - 1) {
++ dev_warn(dev, "%s: Illegal map_addr (%04x), "
++ "efuse corrupt!\n",
++ __func__, map_addr);
++ ret = -EINVAL;
++ goto exit;
++ }
+ priv->efuse_wifi.raw[map_addr++] = val8;
+
+ ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
+--
+2.35.1
+
--- /dev/null
+From 9e7ded7771dcd598caa07ce83f226733267b7975 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 19:45:14 -0700
+Subject: x86/entry: Work around Clang __bdos() bug
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 3e1730842f142add55dc658929221521a9ea62b6 ]
+
+Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y
+and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic
+offset. Work around this by using a direct assignment of an empty
+instance. Avoids this warning:
+
+../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn
+ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat
+tribute-warning]
+ __write_overflow_field(p_size_field, size);
+ ^
+
+which was isolated to the memset() call in xen_load_idt().
+
+Note that this looks very much like another bug that was worked around:
+https://github.com/ClangBuiltLinux/linux/issues/1592
+
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: x86@kernel.org
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: xen-devel@lists.xenproject.org
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/enlighten_pv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 8f1ff8dad2ce..04bfd9c3987b 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -752,6 +752,7 @@ static void xen_load_idt(const struct desc_ptr *desc)
+ {
+ static DEFINE_SPINLOCK(lock);
+ static struct trap_info traps[257];
++ static const struct trap_info zero = { };
+ unsigned out;
+
+ trace_xen_cpu_load_idt(desc);
+@@ -761,7 +762,7 @@ static void xen_load_idt(const struct desc_ptr *desc)
+ memcpy(this_cpu_ptr(&idt_desc), desc, sizeof(idt_desc));
+
+ out = xen_convert_trap_info(desc, traps, false);
+- memset(&traps[out], 0, sizeof(traps[0]));
++ traps[out] = zero;
+
+ xen_mc_flush();
+ if (HYPERVISOR_set_trap_table(traps))
+--
+2.35.1
+
--- /dev/null
+From 08e0ed3272e8438fd8ac98041030b4f7d0c66be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:37:05 +0200
+Subject: x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit ea9da788a61e47e7ab9cbad397453e51cd82ac0d ]
+
+Section 1.9 of TLFS v6.0b says:
+
+"All structures are padded in such a way that fields are aligned
+naturally (that is, an 8-byte field is aligned to an offset of 8 bytes
+and so on)".
+
+'struct enlightened_vmcs' has a glitch:
+
+...
+ struct {
+ u32 nested_flush_hypercall:1; /* 836: 0 4 */
+ u32 msr_bitmap:1; /* 836: 1 4 */
+ u32 reserved:30; /* 836: 2 4 */
+ } hv_enlightenments_control; /* 836 4 */
+ u32 hv_vp_id; /* 840 4 */
+ u64 hv_vm_id; /* 844 8 */
+ u64 partition_assist_page; /* 852 8 */
+...
+
+And the observed values in 'partition_assist_page' make no sense at
+all. Fix the layout by padding the structure properly.
+
+Fixes: 68d1eb72ee99 ("x86/hyper-v: define struct hv_enlightened_vmcs and clean field bits")
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Link: https://lore.kernel.org/r/20220830133737.1539624-2-vkuznets@redhat.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/hyperv-tlfs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/hyperv-tlfs.h b/arch/x86/include/asm/hyperv-tlfs.h
+index 00e01d215f74..e1bd23641fc6 100644
+--- a/arch/x86/include/asm/hyperv-tlfs.h
++++ b/arch/x86/include/asm/hyperv-tlfs.h
+@@ -682,7 +682,7 @@ struct hv_enlightened_vmcs {
+ u64 guest_rip;
+
+ u32 hv_clean_fields;
+- u32 hv_padding_32;
++ u32 padding32_1;
+ u32 hv_synthetic_controls;
+ struct {
+ u32 nested_flush_hypercall:1;
+@@ -690,7 +690,7 @@ struct hv_enlightened_vmcs {
+ u32 reserved:30;
+ } hv_enlightenments_control;
+ u32 hv_vp_id;
+-
++ u32 padding32_2;
+ u64 hv_vm_id;
+ u64 partition_assist_page;
+ u64 padding64_4[4];
+--
+2.35.1
+
--- /dev/null
+From 3632b1dcff9595a2e50faabde7ea200b54b3a38a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 13:12:10 +0600
+Subject: xfrm: Update ipcomp_scratches with NULL when freed
+
+From: Khalid Masum <khalid.masum.92@gmail.com>
+
+[ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ]
+
+Currently if ipcomp_alloc_scratches() fails to allocate memory
+ipcomp_scratches holds obsolete address. So when we try to free the
+percpu scratches using ipcomp_free_scratches() it tries to vfree non
+existent vm area. Described below:
+
+static void * __percpu *ipcomp_alloc_scratches(void)
+{
+ ...
+ scratches = alloc_percpu(void *);
+ if (!scratches)
+ return NULL;
+ipcomp_scratches does not know about this allocation failure.
+Therefore holding the old obsolete address.
+ ...
+}
+
+So when we free,
+
+static void ipcomp_free_scratches(void)
+{
+ ...
+ scratches = ipcomp_scratches;
+Assigning obsolete address from ipcomp_scratches
+
+ if (!scratches)
+ return;
+
+ for_each_possible_cpu(i)
+ vfree(*per_cpu_ptr(scratches, i));
+Trying to free non existent page, causing warning: trying to vfree
+existent vm area.
+ ...
+}
+
+Fix this breakage by updating ipcomp_scrtches with NULL when scratches
+is freed
+
+Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reported-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Signed-off-by: Khalid Masum <khalid.masum.92@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_ipcomp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
+index a00ec715aa46..32aed1d0f6ee 100644
+--- a/net/xfrm/xfrm_ipcomp.c
++++ b/net/xfrm/xfrm_ipcomp.c
+@@ -216,6 +216,7 @@ static void ipcomp_free_scratches(void)
+ vfree(*per_cpu_ptr(scratches, i));
+
+ free_percpu(scratches);
++ ipcomp_scratches = NULL;
+ }
+
+ static void * __percpu *ipcomp_alloc_scratches(void)
+--
+2.35.1
+
--- /dev/null
+From c2b577a7d3b7db3fb524e051d8ae3fab2ba697e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 15:34:47 +0300
+Subject: xhci: Don't show warning for reinit on known broken suspend
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 484d6f7aa3283d082c87654b7fe7a7f725423dfb ]
+
+commit 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was
+set") introduced a new warning message when the host controller error
+was set and re-initializing.
+
+This is expected behavior on some designs which already set
+`xhci->broken_suspend` so the new warning is alarming to some users.
+
+Modify the code to only show the warning if this was a surprising behavior
+to the XHCI driver.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216470
+Fixes: 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was set")
+Reported-by: Artem S. Tashkinov <aros@gmx.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20220921123450.671459-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 7fef6d9ed04f..3a1ed63d7334 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1155,7 +1155,8 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ /* re-initialize the HC on Restore Error, or Host Controller Error */
+ if (temp & (STS_SRE | STS_HCE)) {
+ reinit_xhc = true;
+- xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp);
++ if (!xhci->broken_suspend)
++ xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp);
+ }
+
+ if (reinit_xhc) {
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
