4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 08:55:13 +0000 (10:55 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 08:55:13 +0000 (10:55 +0200)
added patches:
acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch
apparmor-fix-aa_label_asxprint-return-check.patch
apparmor-fix-failed-mount-permission-check-error-message.patch
apparmor-fix-quiet_denied-for-file-rules.patch
apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
can-ems_usb-fix-clang-s-wunaligned-access-warning.patch
geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch
nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch
nfsv4.1-reclaim_complete-must-handle-eacces.patch
pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch
vsock-fix-memory-leak-in-vsock_connect.patch
vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch

15 files changed:
queue-4.14/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch [new file with mode: 0644]
queue-4.14/apparmor-fix-aa_label_asxprint-return-check.patch [new file with mode: 0644]
queue-4.14/apparmor-fix-failed-mount-permission-check-error-message.patch [new file with mode: 0644]
queue-4.14/apparmor-fix-quiet_denied-for-file-rules.patch [new file with mode: 0644]
queue-4.14/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch [new file with mode: 0644]
queue-4.14/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch [new file with mode: 0644]
queue-4.14/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch [new file with mode: 0644]
queue-4.14/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch [new file with mode: 0644]
queue-4.14/nfsv4.1-reclaim_complete-must-handle-eacces.patch [new file with mode: 0644]
queue-4.14/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch [new file with mode: 0644]
queue-4.14/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch [new file with mode: 0644]
queue-4.14/vsock-fix-memory-leak-in-vsock_connect.patch [new file with mode: 0644]
queue-4.14/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch [new file with mode: 0644]

diff --git a/queue-4.14/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch b/queue-4.14/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch
new file mode 100644 (file)
index 0000000..e372046
--- /dev/null
@@ -0,0 +1,38 @@
+From 85140ef275f577f64e8a2c5789447222dfc14fc4 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 11 Jul 2022 14:25:59 +0300
+Subject: ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 85140ef275f577f64e8a2c5789447222dfc14fc4 upstream.
+
+The value acpi_add_nondev_subnodes() returns is bool so change the return
+type of the function to match that.
+
+Fixes: 445b0eb058f5 ("ACPI / property: Add support for data-only subnodes")
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -132,10 +132,10 @@ static bool acpi_nondev_subnode_ok(acpi_
+       return acpi_nondev_subnode_data_ok(handle, link, list, parent);
+ }
+-static int acpi_add_nondev_subnodes(acpi_handle scope,
+-                                  const union acpi_object *links,
+-                                  struct list_head *list,
+-                                  struct fwnode_handle *parent)
++static bool acpi_add_nondev_subnodes(acpi_handle scope,
++                                   const union acpi_object *links,
++                                   struct list_head *list,
++                                   struct fwnode_handle *parent)
+ {
+       bool ret = false;
+       int i;
diff --git a/queue-4.14/apparmor-fix-aa_label_asxprint-return-check.patch b/queue-4.14/apparmor-fix-aa_label_asxprint-return-check.patch
new file mode 100644 (file)
index 0000000..7de74d8
--- /dev/null
@@ -0,0 +1,56 @@
+From 3e2a3a0830a2090e766d0d887d52c67de2a6f323 Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Sun, 13 Feb 2022 13:32:28 -0800
+Subject: apparmor: fix aa_label_asxprint return check
+
+From: Tom Rix <trix@redhat.com>
+
+commit 3e2a3a0830a2090e766d0d887d52c67de2a6f323 upstream.
+
+Clang static analysis reports this issue
+label.c:1802:3: warning: 2nd function call argument
+  is an uninitialized value
+  pr_info("%s", str);
+  ^~~~~~~~~~~~~~~~~~
+
+str is set from a successful call to aa_label_asxprint(&str, ...)
+On failure a negative value is returned, not a -1.  So change
+the check.
+
+Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/label.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -1722,7 +1722,7 @@ void aa_label_xaudit(struct audit_buffer
+       if (!use_label_hname(ns, label, flags) ||
+           display_mode(ns, label, flags)) {
+               len  = aa_label_asxprint(&name, ns, label, flags, gfp);
+-              if (len == -1) {
++              if (len < 0) {
+                       AA_DEBUG("label print error");
+                       return;
+               }
+@@ -1750,7 +1750,7 @@ void aa_label_seq_xprint(struct seq_file
+               int len;
+               len = aa_label_asxprint(&str, ns, label, flags, gfp);
+-              if (len == -1) {
++              if (len < 0) {
+                       AA_DEBUG("label print error");
+                       return;
+               }
+@@ -1773,7 +1773,7 @@ void aa_label_xprintk(struct aa_ns *ns,
+               int len;
+               len = aa_label_asxprint(&str, ns, label, flags, gfp);
+-              if (len == -1) {
++              if (len < 0) {
+                       AA_DEBUG("label print error");
+                       return;
+               }
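Review bot: All three corrected error paths (aa_label_xaudit, aa_label_seq_xprint and aa_label_xprintk) still discard the negative value they now test for, so a failed label print cannot be distinguished from any other failure in the debug output; `AA_DEBUG("label print error %d", len);` would keep it. In aa_label_xaudit the early return also appears to leave the audit record without any label text. If that is intended, a short comment saying so would help whoever reads those records later. The bodies of all three functions extend beyond these hunks, so how `name` and `str` are used afterwards is not visible here.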
diff --git a/queue-4.14/apparmor-fix-failed-mount-permission-check-error-message.patch b/queue-4.14/apparmor-fix-failed-mount-permission-check-error-message.patch
new file mode 100644 (file)
index 0000000..503ef22
--- /dev/null
@@ -0,0 +1,45 @@
+From ec240b5905bbb09a03dccffee03062cf39e38dc2 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 25 Jan 2022 00:37:42 -0800
+Subject: apparmor: Fix failed mount permission check error message
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit ec240b5905bbb09a03dccffee03062cf39e38dc2 upstream.
+
+When the mount check fails due to a permission check failure instead
+of explicitly at one of the subcomponent checks, AppArmor is reporting
+a failure in the flags match. However this is not true and AppArmor
+can not attribute the error at this point to any particular component,
+and should only indicate the mount failed due to missing permissions.
+
+Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/mount.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/mount.c
++++ b/security/apparmor/mount.c
+@@ -233,7 +233,8 @@ static const char * const mnt_info_table
+       "failed srcname match",
+       "failed type match",
+       "failed flags match",
+-      "failed data match"
++      "failed data match",
++      "failed perms check"
+ };
+ /*
+@@ -288,8 +289,8 @@ static int do_match_mnt(struct aa_dfa *d
+                       return 0;
+       }
+-      /* failed at end of flags match */
+-      return 4;
++      /* failed at perms check, don't confuse with flags match */
++      return 6;
+ }
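Review bot: The new `return 6;` in do_match_mnt is a bare index that is only correct because "failed perms check" happens to land at position 6 of mnt_info_table; the table and the return are in different hunks and nothing ties them together. Going by the old `return 4` for "failed flags match", the index is right today, but an entry inserted earlier in the table would silently shift every message. Annotating the entries with their position, e.g. `"failed perms check"	/* 6 */`, or naming the positions in an enum, would make the coupling visible. How the caller bounds the returned position before indexing the table is outside the hunk and worth confirming.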
diff --git a/queue-4.14/apparmor-fix-quiet_denied-for-file-rules.patch b/queue-4.14/apparmor-fix-quiet_denied-for-file-rules.patch
new file mode 100644 (file)
index 0000000..bcb9108
--- /dev/null
@@ -0,0 +1,31 @@
+From 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 29 Apr 2021 01:48:28 -0700
+Subject: apparmor: fix quiet_denied for file rules
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c upstream.
+
+Global quieting of denied AppArmor generated file events is not
+handled correctly. Unfortunately the is checking if quieting of all
+audit events is set instead of just denied events.
+
+Fixes: 67012e8209df ("AppArmor: basic auditing infrastructure.")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/audit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -143,7 +143,7 @@ int aa_audit(int type, struct aa_profile
+       }
+       if (AUDIT_MODE(profile) == AUDIT_QUIET ||
+           (type == AUDIT_APPARMOR_DENIED &&
+-           AUDIT_MODE(profile) == AUDIT_QUIET))
++           AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
+               return aad(sa)->error;
+       if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
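Review bot: The corrected condition in aa_audit would be easier to keep right with a comment stating what each clause suppresses, since the two constants differ only by a suffix and the original mistake was exactly that confusion. Something like `/* AUDIT_QUIET drops every event; AUDIT_QUIET_DENIED drops only denials */` above the `if` would do. Both clauses return `aad(sa)->error` early, presumably before any record is emitted, so anyone relying on AppArmor denial events for monitoring should know that these modes hide them. The rest of aa_audit is outside the hunk.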
diff --git a/queue-4.14/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch b/queue-4.14/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
new file mode 100644 (file)
index 0000000..d28a4de
--- /dev/null
@@ -0,0 +1,41 @@
+From 11c3627ec6b56c1525013f336f41b79a983b4d46 Mon Sep 17 00:00:00 2001
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+Date: Thu, 28 Apr 2022 11:39:08 +0800
+Subject: apparmor: fix reference count leak in aa_pivotroot()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+commit 11c3627ec6b56c1525013f336f41b79a983b4d46 upstream.
+
+The aa_pivotroot() function has a reference counting bug in a specific
+path. When aa_replace_current_label() returns on success, the function
+forgets to decrement the reference count of “target”, which is
+increased earlier by build_pivotroot(), causing a reference leak.
+
+Fix it by decreasing the refcount of “target” in that path.
+
+Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
+Co-developed-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Co-developed-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/mount.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/mount.c
++++ b/security/apparmor/mount.c
+@@ -687,6 +687,7 @@ int aa_pivotroot(struct aa_label *label,
+                       aa_put_label(target);
+                       goto out;
+               }
++              aa_put_label(target);
+       } else
+               /* already audited error */
+               error = PTR_ERR(target);
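Review bot: The added `aa_put_label(target);` duplicates the put already made on the error path two lines above it, so the reference is now released in two places depending on the result of aa_replace_current_label(). Releasing it once, directly after that call and before the error test, would cover both outcomes and leave only `goto out;` in the error branch, which makes a leak of this kind harder to reintroduce. This assumes nothing in the error branch uses `target` after the put, which cannot be confirmed here because the call and the test sit outside the hunk.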
diff --git a/queue-4.14/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch b/queue-4.14/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch
new file mode 100644 (file)
index 0000000..c8c3e72
--- /dev/null
@@ -0,0 +1,65 @@
+From a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 1 Aug 2022 22:47:16 +0200
+Subject: can: ems_usb: fix clang's -Wunaligned-access warning
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f upstream.
+
+clang emits a -Wunaligned-access warning on struct __packed
+ems_cpc_msg.
+
+The reason is that the anonymous union msg (not declared as packed) is
+being packed right after some non naturally aligned variables (3*8
+bits + 2*32) inside a packed struct:
+
+| struct __packed ems_cpc_msg {
+|      u8 type;        /* type of message */
+|      u8 length;      /* length of data within union 'msg' */
+|      u8 msgid;       /* confirmation handle */
+|      __le32 ts_sec;  /* timestamp in seconds */
+|      __le32 ts_nsec; /* timestamp in nano seconds */
+|      /* ^ not naturally aligned */
+|
+|      union {
+|      /* ^ not declared as packed */
+|              u8 generic[64];
+|              struct cpc_can_msg can_msg;
+|              struct cpc_can_params can_params;
+|              struct cpc_confirm confirmation;
+|              struct cpc_overrun overrun;
+|              struct cpc_can_error error;
+|              struct cpc_can_err_counter err_counter;
+|              u8 can_state;
+|      } msg;
+| };
+
+Starting from LLVM 14, having an unpacked struct nested in a packed
+struct triggers a warning. c.f. [1].
+
+Fix the warning by marking the anonymous union as packed.
+
+[1] https://github.com/llvm/llvm-project/issues/55520
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/all/20220802094021.959858-1-mkl@pengutronix.de
+Cc: Gerhard Uttenthaler <uttenthaler@ems-wuensche.com>
+Cc: Sebastian Haas <haas@ems-wuensche.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ems_usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -206,7 +206,7 @@ struct __packed ems_cpc_msg {
+       __le32 ts_sec;  /* timestamp in seconds */
+       __le32 ts_nsec; /* timestamp in nano seconds */
+-      union {
++      union __packed {
+               u8 generic[64];
+               struct cpc_can_msg can_msg;
+               struct cpc_can_params can_params;
diff --git a/queue-4.14/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch b/queue-4.14/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch
new file mode 100644 (file)
index 0000000..9f6c4dd
--- /dev/null
@@ -0,0 +1,42 @@
+From ca2bb69514a8bc7f83914122f0d596371352416c Mon Sep 17 00:00:00 2001
+From: Matthias May <matthias.may@westermo.com>
+Date: Fri, 5 Aug 2022 21:19:03 +0200
+Subject: geneve: do not use RT_TOS for IPv6 flowlabel
+
+From: Matthias May <matthias.may@westermo.com>
+
+commit ca2bb69514a8bc7f83914122f0d596371352416c upstream.
+
+According to Guillaume Nault RT_TOS should never be used for IPv6.
+
+Quote:
+RT_TOS() is an old macro used to interprete IPv4 TOS as described in
+the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4
+code, although, given the current state of the code, most of the
+existing calls have no consequence.
+
+But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS"
+field to be interpreted the RFC 1349 way. There's no historical
+compatibility to worry about.
+
+Fixes: 3a56f86f1be6 ("geneve: handle ipv6 priority like ipv4 tos")
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Matthias May <matthias.may@westermo.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -795,8 +795,7 @@ static struct dst_entry *geneve_get_v6_d
+               use_cache = false;
+       }
+-      fl6->flowlabel = ip6_make_flowinfo(RT_TOS(prio),
+-                                         info->key.label);
++      fl6->flowlabel = ip6_make_flowinfo(prio, info->key.label);
+       dst_cache = (struct dst_cache *)&info->dst_cache;
+       if (use_cache) {
+               dst = dst_cache_get_ip6(dst_cache, &fl6->saddr);
diff --git a/queue-4.14/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch b/queue-4.14/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch
new file mode 100644 (file)
index 0000000..0bb2592
--- /dev/null
@@ -0,0 +1,138 @@
+From 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 13 Jul 2022 17:46:52 -0400
+Subject: NFSv4: Fix races in the legacy idmapper upcall
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 upstream.
+
+nfs_idmap_instantiate() will cause the process that is waiting in
+request_key_with_auxdata() to wake up and exit. If there is a second
+process waiting for the idmap->idmap_mutex, then it may wake up and
+start a new call to request_key_with_auxdata(). If the call to
+idmap_pipe_downcall() from the first process has not yet finished
+calling nfs_idmap_complete_pipe_upcall_locked(), then we may end up
+triggering the WARN_ON_ONCE() in nfs_idmap_prepare_pipe_upcall().
+
+The fix is to ensure that we clear idmap->idmap_upcall_data before
+calling nfs_idmap_instantiate().
+
+Fixes: e9ab41b620e4 ("NFSv4: Clean up the legacy idmapper upcall")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4idmap.c |   46 ++++++++++++++++++++++++----------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -543,22 +543,20 @@ nfs_idmap_prepare_pipe_upcall(struct idm
+       return true;
+ }
+-static void
+-nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret)
++static void nfs_idmap_complete_pipe_upcall(struct idmap_legacy_upcalldata *data,
++                                         int ret)
+ {
+-      struct key *authkey = idmap->idmap_upcall_data->authkey;
+-
+-      kfree(idmap->idmap_upcall_data);
+-      idmap->idmap_upcall_data = NULL;
+-      complete_request_key(authkey, ret);
+-      key_put(authkey);
++      complete_request_key(data->authkey, ret);
++      key_put(data->authkey);
++      kfree(data);
+ }
+-static void
+-nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret)
++static void nfs_idmap_abort_pipe_upcall(struct idmap *idmap,
++                                      struct idmap_legacy_upcalldata *data,
++                                      int ret)
+ {
+-      if (idmap->idmap_upcall_data != NULL)
+-              nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
++      if (cmpxchg(&idmap->idmap_upcall_data, data, NULL) == data)
++              nfs_idmap_complete_pipe_upcall(data, ret);
+ }
+ static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux)
+@@ -595,7 +593,7 @@ static int nfs_idmap_legacy_upcall(struc
+       ret = rpc_queue_upcall(idmap->idmap_pipe, msg);
+       if (ret < 0)
+-              nfs_idmap_abort_pipe_upcall(idmap, ret);
++              nfs_idmap_abort_pipe_upcall(idmap, data, ret);
+       return ret;
+ out2:
+@@ -651,6 +649,7 @@ idmap_pipe_downcall(struct file *filp, c
+       struct request_key_auth *rka;
+       struct rpc_inode *rpci = RPC_I(file_inode(filp));
+       struct idmap *idmap = (struct idmap *)rpci->private;
++      struct idmap_legacy_upcalldata *data;
+       struct key *authkey;
+       struct idmap_msg im;
+       size_t namelen_in;
+@@ -660,10 +659,11 @@ idmap_pipe_downcall(struct file *filp, c
+        * will have been woken up and someone else may now have used
+        * idmap_key_cons - so after this point we may no longer touch it.
+        */
+-      if (idmap->idmap_upcall_data == NULL)
++      data = xchg(&idmap->idmap_upcall_data, NULL);
++      if (data == NULL)
+               goto out_noupcall;
+-      authkey = idmap->idmap_upcall_data->authkey;
++      authkey = data->authkey;
+       rka = get_request_key_auth(authkey);
+       if (mlen != sizeof(im)) {
+@@ -685,18 +685,17 @@ idmap_pipe_downcall(struct file *filp, c
+       if (namelen_in == 0 || namelen_in == IDMAP_NAMESZ) {
+               ret = -EINVAL;
+               goto out;
+-}
++      }
+-      ret = nfs_idmap_read_and_verify_message(&im,
+-                      &idmap->idmap_upcall_data->idmap_msg,
+-                      rka->target_key, authkey);
++      ret = nfs_idmap_read_and_verify_message(&im, &data->idmap_msg,
++                                              rka->target_key, authkey);
+       if (ret >= 0) {
+               key_set_timeout(rka->target_key, nfs_idmap_cache_timeout);
+               ret = mlen;
+       }
+ out:
+-      nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
++      nfs_idmap_complete_pipe_upcall(data, ret);
+ out_noupcall:
+       return ret;
+ }
+@@ -710,7 +709,7 @@ idmap_pipe_destroy_msg(struct rpc_pipe_m
+       struct idmap *idmap = data->idmap;
+       if (msg->errno)
+-              nfs_idmap_abort_pipe_upcall(idmap, msg->errno);
++              nfs_idmap_abort_pipe_upcall(idmap, data, msg->errno);
+ }
+ static void
+@@ -718,8 +717,11 @@ idmap_release_pipe(struct inode *inode)
+ {
+       struct rpc_inode *rpci = RPC_I(inode);
+       struct idmap *idmap = (struct idmap *)rpci->private;
++      struct idmap_legacy_upcalldata *data;
+-      nfs_idmap_abort_pipe_upcall(idmap, -EPIPE);
++      data = xchg(&idmap->idmap_upcall_data, NULL);
++      if (data)
++              nfs_idmap_complete_pipe_upcall(data, -EPIPE);
+ }
+ int nfs_map_name_to_uid(const struct nfs_server *server, const char *name, size_t namelen, kuid_t *uid)
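Review bot: nfs_idmap_complete_pipe_upcall() now frees `data` itself, but nothing in the new code says that callers must first detach the pointer from `idmap->idmap_upcall_data`. That ordering is the whole fix and is enforced only by convention at the call sites: the `xchg()` in idmap_pipe_downcall and idmap_release_pipe, and the `cmpxchg()` in nfs_idmap_abort_pipe_upcall. A comment on the helper such as `/* Consumes @data: the caller must already have cleared idmap->idmap_upcall_data via xchg()/cmpxchg() */` would keep a later caller from reintroducing a use after free or a double completion. The existing comment in idmap_pipe_downcall still refers to `idmap_key_cons`, which appears nowhere else in the visible hunks and may be stale.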
diff --git a/queue-4.14/nfsv4.1-reclaim_complete-must-handle-eacces.patch b/queue-4.14/nfsv4.1-reclaim_complete-must-handle-eacces.patch
new file mode 100644 (file)
index 0000000..d448e6a
--- /dev/null
@@ -0,0 +1,38 @@
+From e35a5e782f67ed76a65ad0f23a484444a95f000f Mon Sep 17 00:00:00 2001
+From: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+Date: Wed, 27 Jul 2022 18:01:07 +0800
+Subject: NFSv4.1: RECLAIM_COMPLETE must handle EACCES
+
+From: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+
+commit e35a5e782f67ed76a65ad0f23a484444a95f000f upstream.
+
+A client should be able to handle getting an EACCES error while doing
+a mount operation to reclaim state due to NFS4CLNT_RECLAIM_REBOOT
+being set. If the server returns RPC_AUTH_BADCRED because authentication
+failed when we execute "exportfs -au", then RECLAIM_COMPLETE will go a
+wrong way. After mount succeeds, all OPEN call will fail due to an
+NFS4ERR_GRACE error being returned. This patch is to fix it by resending
+a RPC request.
+
+Signed-off-by: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Fixes: aa5190d0ed7d ("NFSv4: Kill nfs4_async_handle_error() abuses by NFSv4.1")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -8371,6 +8371,9 @@ static int nfs41_reclaim_complete_handle
+               rpc_delay(task, NFS4_POLL_RETRY_MAX);
+               /* fall through */
+       case -NFS4ERR_RETRY_UNCACHED_REP:
++      case -EACCES:
++              dprintk("%s: failed to reclaim complete error %d for server %s, retrying\n",
++                      __func__, task->tk_status, clp->cl_hostname);
+               return -EAGAIN;
+       case -NFS4ERR_BADSESSION:
+       case -NFS4ERR_DEADSESSION:
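Review bot: The new `case -EACCES:` returns -EAGAIN without the `rpc_delay()` that the case above it gets, so a server that keeps rejecting the credential would be retried back to back, with no pause visible in this hunk. Unless the caller limits or paces the retries (it is outside the hunk), grouping `case -EACCES:` with the label that precedes `rpc_delay(task, NFS4_POLL_RETRY_MAX);` would give it the same back-off. The added dprintk() is also reached by the other labels that fall into this return, so its "failed to reclaim complete" wording now describes those delay and retry cases as well.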
diff --git a/queue-4.14/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch b/queue-4.14/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
new file mode 100644 (file)
index 0000000..008373a
--- /dev/null
@@ -0,0 +1,36 @@
+From 4b32e054335ea0ce50967f63a7bfd4db058b14b9 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 7 Jun 2022 15:16:01 +0400
+Subject: pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 4b32e054335ea0ce50967f63a7bfd4db058b14b9 upstream.
+
+of_parse_phandle() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak."
+
+Fixes: c2f6d059abfc ("pinctrl: nomadik: refactor DT parser to take two paths")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220607111602.57355-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c
++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c
+@@ -1455,8 +1455,10 @@ static int nmk_pinctrl_dt_subnode_to_map
+       has_config = nmk_pinctrl_dt_get_config(np, &configs);
+       np_config = of_parse_phandle(np, "ste,config", 0);
+-      if (np_config)
++      if (np_config) {
+               has_config |= nmk_pinctrl_dt_get_config(np_config, &configs);
++              of_node_put(np_config);
++      }
+       if (has_config) {
+               const char *gpio_name;
+               const char *pin;
diff --git a/queue-4.14/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch b/queue-4.14/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
new file mode 100644 (file)
index 0000000..110c1cf
--- /dev/null
@@ -0,0 +1,37 @@
+From 44339391c666e46cba522d19c65a6ad1071c68b7 Mon Sep 17 00:00:00 2001
+From: Nikita Travkin <nikita@trvn.ru>
+Date: Sun, 12 Jun 2022 19:59:54 +0500
+Subject: pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
+
+From: Nikita Travkin <nikita@trvn.ru>
+
+commit 44339391c666e46cba522d19c65a6ad1071c68b7 upstream.
+
+GPIO 31, 32 can be muxed to GCC_CAMSS_GP(1,2)_CLK respectively but the
+function was never assigned to the pingroup (even though the function
+exists already).
+
+Add this mode to the related pins.
+
+Fixes: 5373a2c5abb6 ("pinctrl: qcom: Add msm8916 pinctrl driver")
+Signed-off-by: Nikita Travkin <nikita@trvn.ru>
+Link: https://lore.kernel.org/r/20220612145955.385787-4-nikita@trvn.ru
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm8916.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm8916.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm8916.c
+@@ -852,8 +852,8 @@ static const struct msm_pingroup msm8916
+       PINGROUP(28, pwr_modem_enabled_a, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac),
+       PINGROUP(29, cci_i2c, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac),
+       PINGROUP(30, cci_i2c, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+-      PINGROUP(31, cci_timer0, NA, NA, NA, NA, NA, NA, NA, NA),
+-      PINGROUP(32, cci_timer1, NA, NA, NA, NA, NA, NA, NA, NA),
++      PINGROUP(31, cci_timer0, flash_strobe, NA, NA, NA, NA, NA, NA, NA),
++      PINGROUP(32, cci_timer1, flash_strobe, NA, NA, NA, NA, NA, NA, NA),
+       PINGROUP(33, cci_async, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+       PINGROUP(34, pwr_nav_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+       PINGROUP(35, pwr_crypto_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
index b44659da7f7ad2b0748a7053a4a27266b17c54bf..d7633a6fe3770798bc0f2ac30f49ef139bb9aca2 100644 (file)
@@ -177,3 +177,17 @@ alsa-info-fix-llseek-return-value-when-using-callback.patch
 rds-add-missing-barrier-to-release_refill.patch
 ata-libata-eh-add-missing-command-name.patch
 btrfs-fix-lost-error-handling-when-looking-up-extended-ref-on-log-replay.patch
+can-ems_usb-fix-clang-s-wunaligned-access-warning.patch
+apparmor-fix-quiet_denied-for-file-rules.patch
+apparmor-fix-failed-mount-permission-check-error-message.patch
+apparmor-fix-aa_label_asxprint-return-check.patch
+apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
+nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch
+nfsv4.1-reclaim_complete-must-handle-eacces.patch
+sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch
+pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
+pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
+acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch
+geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch
+vsock-fix-memory-leak-in-vsock_connect.patch
+vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
diff --git a/queue-4.14/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch b/queue-4.14/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch
new file mode 100644 (file)
index 0000000..2e7ea8c
--- /dev/null
@@ -0,0 +1,50 @@
+From 6622e3a73112fc336c1c2c582428fb5ef18e456a Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 27 Jul 2022 12:27:54 -0400
+Subject: SUNRPC: Reinitialise the backchannel request buffers before reuse
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 6622e3a73112fc336c1c2c582428fb5ef18e456a upstream.
+
+When we're reusing the backchannel requests instead of freeing them,
+then we should reinitialise any values of the send/receive xdr_bufs so
+that they reflect the available space.
+
+Fixes: 0d2a970d0ae5 ("SUNRPC: Fix a backchannel race")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/backchannel_rqst.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/sunrpc/backchannel_rqst.c
++++ b/net/sunrpc/backchannel_rqst.c
+@@ -69,6 +69,17 @@ static void xprt_free_allocation(struct
+       kfree(req);
+ }
++static void xprt_bc_reinit_xdr_buf(struct xdr_buf *buf)
++{
++      buf->head[0].iov_len = PAGE_SIZE;
++      buf->tail[0].iov_len = 0;
++      buf->pages = NULL;
++      buf->page_len = 0;
++      buf->flags = 0;
++      buf->len = 0;
++      buf->buflen = PAGE_SIZE;
++}
++
+ static int xprt_alloc_xdr_buf(struct xdr_buf *buf, gfp_t gfp_flags)
+ {
+       struct page *page;
+@@ -291,6 +302,9 @@ void xprt_free_bc_rqst(struct rpc_rqst *
+        */
+       spin_lock_bh(&xprt->bc_pa_lock);
+       if (xprt_need_to_requeue(xprt)) {
++              xprt_bc_reinit_xdr_buf(&req->rq_snd_buf);
++              xprt_bc_reinit_xdr_buf(&req->rq_rcv_buf);
++              req->rq_rcv_buf.len = PAGE_SIZE;
+               list_add_tail(&req->rq_bc_pa_list, &xprt->bc_pa_list);
+               xprt->bc_alloc_count++;
+               req = NULL;
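Review bot: xprt_bc_reinit_xdr_buf() hard-codes PAGE_SIZE for `head[0].iov_len` and `buflen`, which is only correct if every backchannel buffer was allocated as exactly one page by xprt_alloc_xdr_buf(). That function's body is outside the hunk, so the assumption should be written down next to the helper. A comment like `/* buffers from xprt_alloc_xdr_buf() are one page; restore the bounds of a fresh allocation */` would do, and the separate `req->rq_rcv_buf.len = PAGE_SIZE;` in xprt_free_bc_rqst deserves a word on why the receive side differs from the send side. These lengths bound later XDR encoding and decoding, so a mismatch with the real allocation size would be a memory-safety problem rather than a cosmetic one.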
diff --git a/queue-4.14/vsock-fix-memory-leak-in-vsock_connect.patch b/queue-4.14/vsock-fix-memory-leak-in-vsock_connect.patch
new file mode 100644 (file)
index 0000000..2b34765
--- /dev/null
@@ -0,0 +1,83 @@
+From 7e97cfed9929eaabc41829c395eb0d1350fccb9d Mon Sep 17 00:00:00 2001
+From: Peilin Ye <peilin.ye@bytedance.com>
+Date: Mon, 8 Aug 2022 11:04:47 -0700
+Subject: vsock: Fix memory leak in vsock_connect()
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream.
+
+An O_NONBLOCK vsock_connect() request may try to reschedule
+@connect_work.  Imagine the following sequence of vsock_connect()
+requests:
+
+  1. The 1st, non-blocking request schedules @connect_work, which will
+     expire after 200 jiffies.  Socket state is now SS_CONNECTING;
+
+  2. Later, the 2nd, blocking request gets interrupted by a signal after
+     a few jiffies while waiting for the connection to be established.
+     Socket state is back to SS_UNCONNECTED, but @connect_work is still
+     pending, and will expire after 100 jiffies.
+
+  3. Now, the 3rd, non-blocking request tries to schedule @connect_work
+     again.  Since @connect_work is already scheduled,
+     schedule_delayed_work() silently returns.  sock_hold() is called
+     twice, but sock_put() will only be called once in
+     vsock_connect_timeout(), causing a memory leak reported by syzbot:
+
+  BUG: memory leak
+  unreferenced object 0xffff88810ea56a40 (size 1232):
+    comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s)
+    hex dump (first 32 bytes):
+      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+      28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
+    backtrace:
+      [<ffffffff837c830e>] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930
+      [<ffffffff837cbe22>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
+      [<ffffffff842ccf68>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
+      [<ffffffff842ce8f1>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203
+      [<ffffffff837c0cbb>] __sock_create+0x1ab/0x2b0 net/socket.c:1468
+      [<ffffffff837c3acf>] sock_create net/socket.c:1519 [inline]
+      [<ffffffff837c3acf>] __sys_socket+0x6f/0x140 net/socket.c:1561
+      [<ffffffff837c3bba>] __do_sys_socket net/socket.c:1570 [inline]
+      [<ffffffff837c3bba>] __se_sys_socket net/socket.c:1568 [inline]
+      [<ffffffff837c3bba>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
+      [<ffffffff84512815>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+      [<ffffffff84512815>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
+      [<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+  <...>
+
+Use mod_delayed_work() instead: if @connect_work is already scheduled,
+reschedule it, and undo sock_hold() to keep the reference count
+balanced.
+
+Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Co-developed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1222,7 +1222,14 @@ static int vsock_stream_connect(struct s
+                        * timeout fires.
+                        */
+                       sock_hold(sk);
+-                      schedule_delayed_work(&vsk->connect_work, timeout);
++
++                      /* If the timeout function is already scheduled,
++                       * reschedule it, then ungrab the socket refcount to
++                       * keep it balanced.
++                       */
++                      if (mod_delayed_work(system_wq, &vsk->connect_work,
++                                           timeout))
++                              sock_put(sk);
+                       /* Skip ahead to preserve error code set above. */
+                       goto out_wait;
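Review bot: The comment added above the `mod_delayed_work()` call in vsock_stream_connect() says to "ungrab the socket refcount" but does not say why the put is conditional, which is the invariant this fix depends on. Going by the commit message, a true return means `connect_work` was already pending and already accounts for one `sock_put()` in vsock_connect_timeout(), so the `sock_hold()` taken just above is surplus. I would reword it as `/* Work was already pending and owns a reference: drop the one taken above so each queued timeout pairs with exactly one sock_put(). */`. An imbalance in either direction matters here, since an extra hold leaks the socket and an extra put would free it early. The body of vsock_stream_connect() starts and ends outside the hunk, so the locking around this call cannot be confirmed from this view.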
diff --git a/queue-4.14/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch b/queue-4.14/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
new file mode 100644 (file)
index 0000000..1ef2f99
--- /dev/null
@@ -0,0 +1,41 @@
+From a3e7b29e30854ed67be0d17687e744ad0c769c4b Mon Sep 17 00:00:00 2001
+From: Peilin Ye <peilin.ye@bytedance.com>
+Date: Mon, 8 Aug 2022 11:05:25 -0700
+Subject: vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+commit a3e7b29e30854ed67be0d17687e744ad0c769c4b upstream.
+
+Imagine two non-blocking vsock_connect() requests on the same socket.
+The first request schedules @connect_work, and after it times out,
+vsock_connect_timeout() sets *sock* state back to TCP_CLOSE, but keeps
+*socket* state as SS_CONNECTING.
+
+Later, the second request returns -EALREADY, meaning the socket "already
+has a pending connection in progress", even though the first request has
+already timed out.
+
+As suggested by Stefano, fix it by setting *socket* state back to
+SS_UNCONNECTED, so that the second request will return -ETIMEDOUT.
+
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1125,6 +1125,7 @@ static void vsock_connect_timeout(struct
+       if (sk->sk_state == TCP_SYN_SENT &&
+           (sk->sk_shutdown != SHUTDOWN_MASK)) {
+               sk->sk_state = TCP_CLOSE;
++              sk->sk_socket->state = SS_UNCONNECTED;
+               sk->sk_err = ETIMEDOUT;
+               sk->sk_error_report(sk);
+               vsock_transport_cancel_pkt(vsk);
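Review bot: The added `sk->sk_socket->state = SS_UNCONNECTED;` dereferences `sk->sk_socket` without a NULL check, and nothing in the hunk says why that is safe when the delayed work fires late. It presumably relies on the enclosing `sk->sk_shutdown != SHUTDOWN_MASK` test to exclude a socket that has already been released and orphaned. The release path is not visible here, so this should be confirmed against the 4.14 tree the patch is queued for. A one-line comment would record the assumption, e.g. `/* sk_socket is still attached: a released socket has sk_shutdown == SHUTDOWN_MASK */`. vsock_connect_timeout() begins and ends outside the hunk.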