--- /dev/null
+From 4a66b225ee11f44e39dbccf0017643bc9aaf68d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 22:09:11 +0100
+Subject: afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 0066f1b0e27556381402db3ff31f85d2a2265858 ]
+
+When trying to get a file lock on an AFS file, the server may return
+UAEAGAIN to indicate that the lock is already held. This is currently
+translated by the default path to -EREMOTEIO.
+
+Translate it instead to -EAGAIN so that we know we can retry it.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey E Altman <jaltman@auristor.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/166075761334.3533338.2591992675160918098.stgit@warthog.procyon.org.uk/
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/misc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/afs/misc.c b/fs/afs/misc.c
+index 1d1a8debe472..f1dc2162900a 100644
+--- a/fs/afs/misc.c
++++ b/fs/afs/misc.c
+@@ -69,6 +69,7 @@ int afs_abort_to_error(u32 abort_code)
+ /* Unified AFS error table */
+ case UAEPERM: return -EPERM;
+ case UAENOENT: return -ENOENT;
++ case UAEAGAIN: return -EAGAIN;
+ case UAEACCES: return -EACCES;
+ case UAEBUSY: return -EBUSY;
+ case UAEEXIST: return -EEXIST;
+--
+2.35.1
+
--- /dev/null
+From 60c6070d2e9097d5bd821df32a0afc09b6141ba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 09:27:50 +0200
+Subject: ALSA: hda/sigmatel: Keep power up while beep is enabled
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 414d38ba871092aeac4ed097ac4ced89486646f7 ]
+
+It seems that the beep playback doesn't work well on IDT codec devices
+when the codec auto-pm is enabled. Keep the power on while the beep
+switch is enabled.
+
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1200544
+Link: https://lore.kernel.org/r/20220904072750.26164-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_sigmatel.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
+index c662431bf13a..e9d0b0a30b99 100644
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -209,6 +209,7 @@ struct sigmatel_spec {
+
+ /* beep widgets */
+ hda_nid_t anabeep_nid;
++ bool beep_power_on;
+
+ /* SPDIF-out mux */
+ const char * const *spdif_labels;
+@@ -4447,6 +4448,26 @@ static int stac_suspend(struct hda_codec *codec)
+ stac_shutup(codec);
+ return 0;
+ }
++
++static int stac_check_power_status(struct hda_codec *codec, hda_nid_t nid)
++{
++ struct sigmatel_spec *spec = codec->spec;
++ int ret = snd_hda_gen_check_power_status(codec, nid);
++
++#ifdef CONFIG_SND_HDA_INPUT_BEEP
++ if (nid == spec->gen.beep_nid && codec->beep) {
++ if (codec->beep->enabled != spec->beep_power_on) {
++ spec->beep_power_on = codec->beep->enabled;
++ if (spec->beep_power_on)
++ snd_hda_power_up_pm(codec);
++ else
++ snd_hda_power_down_pm(codec);
++ }
++ ret |= spec->beep_power_on;
++ }
++#endif
++ return ret;
++}
+ #else
+ #define stac_suspend NULL
+ #endif /* CONFIG_PM */
+@@ -4459,6 +4480,7 @@ static const struct hda_codec_ops stac_patch_ops = {
+ .unsol_event = snd_hda_jack_unsol_event,
+ #ifdef CONFIG_PM
+ .suspend = stac_suspend,
++ .check_power_status = stac_check_power_status,
+ #endif
+ .reboot_notify = stac_shutup,
+ };
+--
+2.35.1
+
--- /dev/null
+From 5fbd43c9539f334857edc9dbf863945fc3ef6541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 22:54:20 +0530
+Subject: ALSA: hda/tegra: Align BDL entry to 4KB boundary
+
+From: Mohan Kumar <mkumard@nvidia.com>
+
+[ Upstream commit 8d44e6044a0e885acdd01813768a0b27906d64fd ]
+
+AZA HW may send a burst read/write request crossing 4K memory boundary.
+The 4KB boundary is not guaranteed by Tegra HDA HW. Make SW change to
+include the flag AZX_DCAPS_4K_BDLE_BOUNDARY to align BDLE to 4K
+boundary.
+
+Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
+Link: https://lore.kernel.org/r/20220905172420.3801-1-mkumard@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_tegra.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
+index 07787698b973..1e44e337986e 100644
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -479,7 +479,8 @@ MODULE_DEVICE_TABLE(of, hda_tegra_match);
+ static int hda_tegra_probe(struct platform_device *pdev)
+ {
+ const unsigned int driver_flags = AZX_DCAPS_CORBRP_SELF_CLEAR |
+- AZX_DCAPS_PM_RUNTIME;
++ AZX_DCAPS_PM_RUNTIME |
++ AZX_DCAPS_4K_BDLE_BOUNDARY;
+ struct snd_card *card;
+ struct azx *chip;
+ struct hda_tegra *hda;
+--
+2.35.1
+
--- /dev/null
+From 6bdb1046b3b7c25ba5bb965c5401882ac560c9a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 10:09:57 +0200
+Subject: ASoC: nau8824: Fix semaphore unbalance at error paths
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5628560e90395d3812800a8e44a01c32ffa429ec ]
+
+The semaphore of nau8824 wasn't properly unlocked at some error
+handling code paths, hence this may result in the unbalance (and
+potential lock-up). Fix them to handle the semaphore up properly.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20220823081000.2965-3-tiwai@suse.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/nau8824.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c
+index c8ccfa2fff84..a95fe3fff1db 100644
+--- a/sound/soc/codecs/nau8824.c
++++ b/sound/soc/codecs/nau8824.c
+@@ -1072,6 +1072,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream,
+ struct snd_soc_component *component = dai->component;
+ struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component);
+ unsigned int val_len = 0, osr, ctrl_val, bclk_fs, bclk_div;
++ int err = -EINVAL;
+
+ nau8824_sema_acquire(nau8824, HZ);
+
+@@ -1088,7 +1089,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream,
+ osr &= NAU8824_DAC_OVERSAMPLE_MASK;
+ if (nau8824_clock_check(nau8824, substream->stream,
+ nau8824->fs, osr))
+- return -EINVAL;
++ goto error;
+ regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER,
+ NAU8824_CLK_DAC_SRC_MASK,
+ osr_dac_sel[osr].clk_src << NAU8824_CLK_DAC_SRC_SFT);
+@@ -1098,7 +1099,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream,
+ osr &= NAU8824_ADC_SYNC_DOWN_MASK;
+ if (nau8824_clock_check(nau8824, substream->stream,
+ nau8824->fs, osr))
+- return -EINVAL;
++ goto error;
+ regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER,
+ NAU8824_CLK_ADC_SRC_MASK,
+ osr_adc_sel[osr].clk_src << NAU8824_CLK_ADC_SRC_SFT);
+@@ -1119,7 +1120,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream,
+ else if (bclk_fs <= 256)
+ bclk_div = 0;
+ else
+- return -EINVAL;
++ goto error;
+ regmap_update_bits(nau8824->regmap,
+ NAU8824_REG_PORT0_I2S_PCM_CTRL_2,
+ NAU8824_I2S_LRC_DIV_MASK | NAU8824_I2S_BLK_DIV_MASK,
+@@ -1140,15 +1141,17 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream,
+ val_len |= NAU8824_I2S_DL_32;
+ break;
+ default:
+- return -EINVAL;
++ goto error;
+ }
+
+ regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1,
+ NAU8824_I2S_DL_MASK, val_len);
++ err = 0;
+
++ error:
+ nau8824_sema_release(nau8824);
+
+- return 0;
++ return err;
+ }
+
+ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+@@ -1157,8 +1160,6 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+ struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component);
+ unsigned int ctrl1_val = 0, ctrl2_val = 0;
+
+- nau8824_sema_acquire(nau8824, HZ);
+-
+ switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
+ case SND_SOC_DAIFMT_CBM_CFM:
+ ctrl2_val |= NAU8824_I2S_MS_MASTER;
+@@ -1200,6 +1201,8 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+ return -EINVAL;
+ }
+
++ nau8824_sema_acquire(nau8824, HZ);
++
+ regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1,
+ NAU8824_I2S_DF_MASK | NAU8824_I2S_BP_MASK |
+ NAU8824_I2S_PCMB_EN, ctrl1_val);
+--
+2.35.1
+
--- /dev/null
+From 8b21a627b8e74c897a04d96c3ff526d095afa4c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 11:59:43 +0200
+Subject: MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping()
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+[ Upstream commit ba912afbd611d3a5f22af247721a071ad1d5b9e0 ]
+
+For irq_domain_associate() to work the virq descriptor has to be
+pre-allocated in advance. Otherwise the following happens:
+
+WARNING: CPU: 0 PID: 0 at .../kernel/irq/irqdomain.c:527 irq_domain_associate+0x298/0x2e8
+error: virq128 is not allocated
+Modules linked in:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.78-... #1
+ ...
+Call Trace:
+[<ffffffff801344c4>] show_stack+0x9c/0x130
+[<ffffffff80769550>] dump_stack+0x90/0xd0
+[<ffffffff801576d0>] __warn+0x118/0x130
+[<ffffffff80157734>] warn_slowpath_fmt+0x4c/0x70
+[<ffffffff801b83c0>] irq_domain_associate+0x298/0x2e8
+[<ffffffff80a43bb8>] octeon_irq_init_ciu+0x4c8/0x53c
+[<ffffffff80a76cbc>] of_irq_init+0x1e0/0x388
+[<ffffffff80a452cc>] init_IRQ+0x4c/0xf4
+[<ffffffff80a3cc00>] start_kernel+0x404/0x698
+
+Use irq_alloc_desc_at() to avoid the above problem.
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/cavium-octeon/octeon-irq.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c
+index 6501a842c41a..191bcaf56513 100644
+--- a/arch/mips/cavium-octeon/octeon-irq.c
++++ b/arch/mips/cavium-octeon/octeon-irq.c
+@@ -127,6 +127,16 @@ static void octeon_irq_free_cd(struct irq_domain *d, unsigned int irq)
+ static int octeon_irq_force_ciu_mapping(struct irq_domain *domain,
+ int irq, int line, int bit)
+ {
++ struct device_node *of_node;
++ int ret;
++
++ of_node = irq_domain_get_of_node(domain);
++ if (!of_node)
++ return -EINVAL;
++ ret = irq_alloc_desc_at(irq, of_node_to_nid(of_node));
++ if (ret < 0)
++ return ret;
++
+ return irq_domain_associate(domain, irq, line << 6 | bit);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 0fa96da5072d172443c8a13eac851069a196ad5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 19:10:59 +0800
+Subject: mksysmap: Fix the mismatch of 'L0' symbols in System.map
+
+From: Youling Tang <tangyouling@loongson.cn>
+
+[ Upstream commit c17a2538704f926ee4d167ba625e09b1040d8439 ]
+
+When System.map was generated, the kernel used mksysmap to filter the
+kernel symbols, we need to filter "L0" symbols in LoongArch architecture.
+
+$ cat System.map | grep L0
+9000000000221540 t L0
+
+The L0 symbol exists in System.map, but not in .tmp_System.map. When
+"cmp -s System.map .tmp_System.map" will show "Inconsistent kallsyms
+data" error message in link-vmlinux.sh script.
+
+Signed-off-by: Youling Tang <tangyouling@loongson.cn>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mksysmap | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mksysmap b/scripts/mksysmap
+index 9aa23d15862a..ad8bbc52267d 100755
+--- a/scripts/mksysmap
++++ b/scripts/mksysmap
+@@ -41,4 +41,4 @@
+ # so we just ignore them to let readprofile continue to work.
+ # (At least sparc64 has __crc_ in the middle).
+
+-$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)' > $2
++$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)\|\( L0\)' > $2
+--
+2.35.1
+
--- /dev/null
+From 24f9e4af2b16c42327cde7198834a5d58aacb2f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 15:41:11 +0200
+Subject: net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit fe2c9c61f668cde28dac2b188028c5299cedcc1e ]
+
+When calling debugfs_lookup() the result must have dput() called on it,
+otherwise the memory will leak over time. Fix this up to be much
+simpler logic and only create the root debugfs directory once when the
+driver is first accessed. That resolves the memory leak and makes
+things more obvious as to what the intent is.
+
+Cc: Marcin Wojtas <mw@semihalf.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+index 4a3baa7e0142..0eec05d905eb 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+@@ -700,10 +700,10 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv)
+
+ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name)
+ {
+- struct dentry *mvpp2_dir, *mvpp2_root;
++ static struct dentry *mvpp2_root;
++ struct dentry *mvpp2_dir;
+ int ret, i;
+
+- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL);
+ if (!mvpp2_root)
+ mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL);
+
+--
+2.35.1
+
--- /dev/null
+From c0eee5ed4aa184183de64f3d77ae6a8a09f9b720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 09:24:52 +0800
+Subject: net: usb: qmi_wwan: add Quectel RM520N
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: jerry.meng <jerry-meng@foxmail.com>
+
+[ Upstream commit e1091e226a2bab4ded1fe26efba2aee1aab06450 ]
+
+add support for Quectel RM520N which is based on Qualcomm SDX62 chip.
+
+0x0801: DIAG + NMEA + AT + MODEM + RMNET
+
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 10 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=0801 Rev= 5.04
+S: Manufacturer=Quectel
+S: Product=RM520N-GL
+S: SerialNumber=384af524
+C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: jerry.meng <jerry-meng@foxmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Link: https://lore.kernel.org/r/tencent_E50CA8A206904897C2D20DDAE90731183C05@qq.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 48e8b94e4a7c..1502069f3a4e 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1024,6 +1024,7 @@ static const struct usb_device_id products[] = {
+ {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0512)}, /* Quectel EG12/EM12 */
+ {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0620)}, /* Quectel EM160R-GL */
+ {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0800)}, /* Quectel RM500Q-GL */
++ {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0801)}, /* Quectel RM520N */
+
+ /* 3. Combined interface devices matching on interface number */
+ {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */
+--
+2.35.1
+
--- /dev/null
+From 31772061dd5effbea17d5ee2f79e9406a9e4af1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 19:19:22 +0800
+Subject: regulator: pfuze100: Fix the global-out-of-bounds access in
+ pfuze100_regulator_probe()
+
+From: Xiaolei Wang <xiaolei.wang@windriver.com>
+
+[ Upstream commit 78e1e867f44e6bdc72c0e6a2609a3407642fb30b ]
+
+The pfuze_chip::regulator_descs is an array of size
+PFUZE100_MAX_REGULATOR, the pfuze_chip::pfuze_regulators
+is the pointer to the real regulators of a specific device.
+The number of real regulator is supposed to be less than
+the PFUZE100_MAX_REGULATOR, so we should use the size of
+'regulator_num * sizeof(struct pfuze_regulator)' in memcpy().
+This fixes the out of bounds access bug reported by KASAN.
+
+Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
+Link: https://lore.kernel.org/r/20220825111922.1368055-1-xiaolei.wang@windriver.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/pfuze100-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
+index 0a19500d3725..44a8e500fb30 100644
+--- a/drivers/regulator/pfuze100-regulator.c
++++ b/drivers/regulator/pfuze100-regulator.c
+@@ -791,7 +791,7 @@ static int pfuze100_regulator_probe(struct i2c_client *client,
+ ((pfuze_chip->chip_id == PFUZE3000) ? "3000" : "3001"))));
+
+ memcpy(pfuze_chip->regulator_descs, pfuze_chip->pfuze_regulators,
+- sizeof(pfuze_chip->regulator_descs));
++ regulator_num * sizeof(struct pfuze_regulator));
+
+ ret = pfuze_parse_regulators_dt(pfuze_chip);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From e40f8bc2ec8a4646b44c62e9ca07cc875da40e12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Apr 2022 13:34:09 +0100
+Subject: rxrpc: Fix calc of resend age
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 214a9dc7d852216e83acac7b75bc18f01ce184c2 ]
+
+Fix the calculation of the resend age to add a microsecond value as
+microseconds, not nanoseconds.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/call_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
+index f8ecad2b730e..2a93e7b5fbd0 100644
+--- a/net/rxrpc/call_event.c
++++ b/net/rxrpc/call_event.c
+@@ -166,7 +166,7 @@ static void rxrpc_resend(struct rxrpc_call *call, unsigned long now_j)
+ _enter("{%d,%d}", call->tx_hard_ack, call->tx_top);
+
+ now = ktime_get_real();
+- max_age = ktime_sub(now, jiffies_to_usecs(call->peer->rto_j));
++ max_age = ktime_sub_us(now, jiffies_to_usecs(call->peer->rto_j));
+
+ spin_lock_bh(&call->lock);
+
+--
+2.35.1
+
--- /dev/null
+From 265901487b280c0272aec590dd0376976d9b6b37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 May 2022 23:55:21 +0100
+Subject: rxrpc: Fix local destruction being repeated
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit d3d863036d688313f8d566b87acd7d99daf82749 ]
+
+If the local processor work item for the rxrpc local endpoint gets requeued
+by an event (such as an incoming packet) between it getting scheduled for
+destruction and the UDP socket being closed, the rxrpc_local_destroyer()
+function can get run twice. The second time it can hang because it can end
+up waiting for cleanup events that will never happen.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/local_object.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index 8c2881054266..ebbf1b03b62c 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -424,6 +424,9 @@ static void rxrpc_local_processor(struct work_struct *work)
+ container_of(work, struct rxrpc_local, processor);
+ bool again;
+
++ if (local->dead)
++ return;
++
+ trace_rxrpc_local(local->debug_id, rxrpc_local_processing,
+ atomic_read(&local->usage), NULL);
+
+--
+2.35.1
+
tools-include-uapi-fix-asm-errno.h-for-parisc-and-xtensa.patch
video-fbdev-i740fb-error-out-if-pixclock-equals-zero.patch
revert-serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch
+asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch
+regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch
+rxrpc-fix-local-destruction-being-repeated.patch
+rxrpc-fix-calc-of-resend-age.patch
+wifi-mac80211_hwsim-check-length-for-virtio-packets.patch
+alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch
+alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch
+net-usb-qmi_wwan-add-quectel-rm520n.patch
+afs-return-eagain-not-eremoteio-when-a-file-already-.patch
+mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch
+mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch
+video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
+net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch
--- /dev/null
+From 1a734d01a3cdb957dda70699635ac451090f1ec9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 07:17:46 -0700
+Subject: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]
+
+In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
+type int. Then, copy_from_user() may cause a heap overflow because it is used
+as the third argument of copy_from_user().
+
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
+index 9421d14d0eb0..9e9888e40c57 100644
+--- a/drivers/video/fbdev/pxa3xx-gcu.c
++++ b/drivers/video/fbdev/pxa3xx-gcu.c
+@@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
+ struct pxa3xx_gcu_batch *buffer;
+ struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
+
+- int words = count / 4;
++ size_t words = count / 4;
+
+ /* Does not need to be atomic. There's a lock in user space,
+ * but anyhow, this is just for statistics. */
+--
+2.35.1
+
--- /dev/null
+From a30e77fbbf9d87f42c9bc8db8cff4f691af3a00f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 10:19:58 +0200
+Subject: wifi: mac80211_hwsim: check length for virtio packets
+
+From: Soenke Huster <soenke.huster@eknoes.de>
+
+[ Upstream commit 8c0427842aaef161a38ac83b7e8d8fe050b4be04 ]
+
+An invalid packet with a length shorter than the specified length in the
+netlink header can lead to use-after-frees and slab-out-of-bounds in the
+processing of the netlink attributes, such as the following:
+
+ BUG: KASAN: slab-out-of-bounds in __nla_validate_parse+0x1258/0x2010
+ Read of size 2 at addr ffff88800ac7952c by task kworker/0:1/12
+
+ Workqueue: events hwsim_virtio_rx_work
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x45/0x5d
+ print_report.cold+0x5e/0x5e5
+ kasan_report+0xb1/0x1c0
+ __nla_validate_parse+0x1258/0x2010
+ __nla_parse+0x22/0x30
+ hwsim_virtio_handle_cmd.isra.0+0x13f/0x2d0
+ hwsim_virtio_rx_work+0x1b2/0x370
+ process_one_work+0x8df/0x1530
+ worker_thread+0x575/0x11a0
+ kthread+0x29d/0x340
+ ret_from_fork+0x22/0x30
+ </TASK>
+
+Discarding packets with an invalid length solves this.
+Therefore, skb->len must be set at reception.
+
+Change-Id: Ieaeb9a4c62d3beede274881a7c2722c6c6f477b6
+Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 8e412125a49c..50190ded7edc 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -4209,6 +4209,10 @@ static int hwsim_virtio_handle_cmd(struct sk_buff *skb)
+
+ nlh = nlmsg_hdr(skb);
+ gnlh = nlmsg_data(nlh);
++
++ if (skb->len < nlh->nlmsg_len)
++ return -EINVAL;
++
+ err = genlmsg_parse(nlh, &hwsim_genl_family, tb, HWSIM_ATTR_MAX,
+ hwsim_genl_policy, NULL);
+ if (err) {
+@@ -4251,7 +4255,8 @@ static void hwsim_virtio_rx_work(struct work_struct *work)
+ spin_unlock_irqrestore(&hwsim_virtio_lock, flags);
+
+ skb->data = skb->head;
+- skb_set_tail_pointer(skb, len);
++ skb_reset_tail_pointer(skb);
++ skb_put(skb, len);
+ hwsim_virtio_handle_cmd(skb);
+
+ spin_lock_irqsave(&hwsim_virtio_lock, flags);
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
