6.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Dec 2022 09:57:54 +0000 (10:57 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Dec 2022 09:57:54 +0000 (10:57 +0100)
added patches:
bluetooth-btusb-add-debug-message-for-csr-controllers.patch
bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch
bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch
can-can327-flush-tx_work-on-ldisc-.close.patch
can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch
can-slcan-fix-freed-work-crash.patch
drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch
drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch
drm-shmem-helper-avoid-vm_open-error-paths.patch
drm-shmem-helper-remove-errant-put-in-error-path.patch
drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch
hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch
hid-hid-lg4ff-add-check-for-empty-lbuf.patch
hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch
hid-usbhid-add-always_poll-quirk-for-some-mice.patch
io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch
kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
mm-gup-fix-gup_pud_range-for-dax.patch
net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch
net-mana-fix-race-on-per-cq-variable-napi-work_done.patch
revert-arm-dts-imx7-fix-nand-controller-size-cells.patch
selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch
tmpfs-fix-data-loss-from-failed-fallocate.patch

29 files changed:
queue-6.0/bluetooth-btusb-add-debug-message-for-csr-controllers.patch [new file with mode: 0644]
queue-6.0/bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch [new file with mode: 0644]
queue-6.0/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch [new file with mode: 0644]
queue-6.0/can-can327-flush-tx_work-on-ldisc-.close.patch [new file with mode: 0644]
queue-6.0/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch [new file with mode: 0644]
queue-6.0/can-slcan-fix-freed-work-crash.patch [new file with mode: 0644]
queue-6.0/drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch [new file with mode: 0644]
queue-6.0/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch [new file with mode: 0644]
queue-6.0/drm-shmem-helper-avoid-vm_open-error-paths.patch [new file with mode: 0644]
queue-6.0/drm-shmem-helper-remove-errant-put-in-error-path.patch [new file with mode: 0644]
queue-6.0/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch [new file with mode: 0644]
queue-6.0/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch [new file with mode: 0644]
queue-6.0/hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch [new file with mode: 0644]
queue-6.0/hid-hid-lg4ff-add-check-for-empty-lbuf.patch [new file with mode: 0644]
queue-6.0/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch [new file with mode: 0644]
queue-6.0/hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch [new file with mode: 0644]
queue-6.0/hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch [new file with mode: 0644]
queue-6.0/hid-usbhid-add-always_poll-quirk-for-some-mice.patch [new file with mode: 0644]
queue-6.0/io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch [new file with mode: 0644]
queue-6.0/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch [new file with mode: 0644]
queue-6.0/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch [new file with mode: 0644]
queue-6.0/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch [new file with mode: 0644]
queue-6.0/mm-gup-fix-gup_pud_range-for-dax.patch [new file with mode: 0644]
queue-6.0/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch [new file with mode: 0644]
queue-6.0/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch [new file with mode: 0644]
queue-6.0/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch [new file with mode: 0644]
queue-6.0/selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch [new file with mode: 0644]
queue-6.0/series
queue-6.0/tmpfs-fix-data-loss-from-failed-fallocate.patch [new file with mode: 0644]

diff --git a/queue-6.0/bluetooth-btusb-add-debug-message-for-csr-controllers.patch b/queue-6.0/bluetooth-btusb-add-debug-message-for-csr-controllers.patch
new file mode 100644 (file)
index 0000000..b9fb71e
--- /dev/null
@@ -0,0 +1,42 @@
+From 955aebd445e2b49622f2184b7abb82b05c060549 Mon Sep 17 00:00:00 2001
+From: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
+Date: Sat, 29 Oct 2022 22:24:53 +0200
+Subject: Bluetooth: btusb: Add debug message for CSR controllers
+
+From: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
+
+commit 955aebd445e2b49622f2184b7abb82b05c060549 upstream.
+
+The rationale of showing this is that it's potentially critical
+information to diagnose and find more CSR compatibility bugs in the
+future and it will save a lot of headaches.
+
+Given that clones come from a wide array of vendors (some are actually
+Barrot, some are something else) and these numbers are what let us find
+differences between actual and fake ones, it will be immensely helpful
+to scour the Internet looking for this pattern and building an actual
+database to find correlations and improve the checks.
+
+Cc: stable@vger.kernel.org
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2042,6 +2042,11 @@ static int btusb_setup_csr(struct hci_de
+       rp = (struct hci_rp_read_local_version *)skb->data;
++      bt_dev_info(hdev, "CSR: Setting up dongle with HCI ver=%u rev=%04x; LMP ver=%u subver=%04x; manufacturer=%u",
++              le16_to_cpu(rp->hci_ver), le16_to_cpu(rp->hci_rev),
++              le16_to_cpu(rp->lmp_ver), le16_to_cpu(rp->lmp_subver),
++              le16_to_cpu(rp->manufacturer));
++
+       /* Detect a wide host of Chinese controllers that aren't CSR.
+        *
+        * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891
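Review bot: The `le16_to_cpu()` wrappers around `rp->hci_ver` and `rp->lmp_ver` in the new bt_dev_info() call look mismatched with the field widths: if those two are single-byte fields in struct hci_rp_read_local_version, as the `ver=%u` formatting suggests, a 16-bit byte-swap on them is at best a no-op and will draw a sparse endianness warning, while only `hci_rev`, `lmp_subver` and `manufacturer` need the conversion. Suggest `le16_to_cpu(rp->hci_ver)` → `rp->hci_ver` and `le16_to_cpu(rp->lmp_ver)` → `rp->lmp_ver`, after confirming the struct layout, which is not visible here. The line is printed before the clone-detection block that follows, so every CSR-class dongle logs its version tuple once at setup, which is what the patch intends. btusb_setup_csr() starts and ends outside the hunk.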
diff --git a/queue-6.0/bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch b/queue-6.0/bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch
new file mode 100644 (file)
index 0000000..76f4389
--- /dev/null
@@ -0,0 +1,127 @@
+From 42d7731e3e7409f9444ff44e30c025958f1b14f0 Mon Sep 17 00:00:00 2001
+From: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
+Date: Sat, 29 Oct 2022 22:24:52 +0200
+Subject: Bluetooth: btusb: Fix CSR clones again by re-adding ERR_DATA_REPORTING quirk
+
+From: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
+
+commit 42d7731e3e7409f9444ff44e30c025958f1b14f0 upstream.
+
+A patch series by a Qualcomm engineer essentially removed my
+quirk/workaround because they thought it was unnecessary.
+
+It wasn't, and it broke everything again:
+
+https://patchwork.kernel.org/project/netdevbpf/list/?series=661703&archive=both&state=*
+
+He argues that the quirk is not necessary because the code should check
+if the dongle says if it's supported or not. The problem is that for
+these Chinese CSR clones they say that it would work:
+
+= New Index: 00:00:00:00:00:00 (Primary,USB,hci0)
+= Open Index: 00:00:00:00:00:00
+< HCI Command: Read Local Version Information (0x04|0x0001) plen 0
+> HCI Event: Command Complete (0x0e) plen 12
+> [hci0] 11.276039
+      Read Local Version Information (0x04|0x0001) ncmd 1
+        Status: Success (0x00)
+        HCI version: Bluetooth 5.0 (0x09) - Revision 2064 (0x0810)
+        LMP version: Bluetooth 5.0 (0x09) - Subversion 8978 (0x2312)
+        Manufacturer: Cambridge Silicon Radio (10)
+...
+< HCI Command: Read Local Supported Features (0x04|0x0003) plen 0
+> HCI Event: Command Complete (0x0e) plen 68
+> [hci0] 11.668030
+      Read Local Supported Commands (0x04|0x0002) ncmd 1
+        Status: Success (0x00)
+        Commands: 163 entries
+          ...
+          Read Default Erroneous Data Reporting (Octet 18 - Bit 2)
+          Write Default Erroneous Data Reporting (Octet 18 - Bit 3)
+          ...
+...
+< HCI Command: Read Default Erroneous Data Reporting (0x03|0x005a) plen 0
+= Close Index: 00:1A:7D:DA:71:XX
+
+So bring it back wholesale.
+
+Fixes: 63b1a7dd38bf ("Bluetooth: hci_sync: Remove HCI_QUIRK_BROKEN_ERR_DATA_REPORTING")
+Fixes: e168f6900877 ("Bluetooth: btusb: Remove HCI_QUIRK_BROKEN_ERR_DATA_REPORTING for fake CSR")
+Fixes: 766ae2422b43 ("Bluetooth: hci_sync: Check LMP feature bit instead of quirk")
+Cc: stable@vger.kernel.org
+Cc: Zijun Hu <quic_zijuhu@quicinc.com>
+Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
+Signed-off-by: Ismael Ferreras Morezuelas <swyterzone@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c   |    1 +
+ include/net/bluetooth/hci.h |   11 +++++++++++
+ net/bluetooth/hci_sync.c    |    9 +++++++--
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2104,6 +2104,7 @@ static int btusb_setup_csr(struct hci_de
+                * without these the controller will lock up.
+                */
+               set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
++              set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks);
+               set_bit(HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL, &hdev->quirks);
+               set_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks);
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -228,6 +228,17 @@ enum {
+        */
+       HCI_QUIRK_VALID_LE_STATES,
++      /* When this quirk is set, then erroneous data reporting
++       * is ignored. This is mainly due to the fact that the HCI
++       * Read Default Erroneous Data Reporting command is advertised,
++       * but not supported; these controllers often reply with unknown
++       * command and tend to lock up randomly. Needing a hard reset.
++       *
++       * This quirk can be set before hci_register_dev is called or
++       * during the hdev->setup vendor callback.
++       */
++      HCI_QUIRK_BROKEN_ERR_DATA_REPORTING,
++
+       /*
+        * When this quirk is set, then the hci_suspend_notifier is not
+        * registered. This is intended for devices which drop completely
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -3459,7 +3459,8 @@ static int hci_read_page_scan_activity_s
+ static int hci_read_def_err_data_reporting_sync(struct hci_dev *hdev)
+ {
+       if (!(hdev->commands[18] & 0x04) ||
+-          !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING))
++          !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING) ||
++          test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks))
+               return 0;
+       return __hci_cmd_sync_status(hdev, HCI_OP_READ_DEF_ERR_DATA_REPORTING,
+@@ -3977,7 +3978,8 @@ static int hci_set_err_data_report_sync(
+       bool enabled = hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED);
+       if (!(hdev->commands[18] & 0x08) ||
+-          !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING))
++          !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING) ||
++          test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks))
+               return 0;
+       if (enabled == hdev->err_data_reporting)
+@@ -4136,6 +4138,9 @@ static const struct {
+       HCI_QUIRK_BROKEN(STORED_LINK_KEY,
+                        "HCI Delete Stored Link Key command is advertised, "
+                        "but not supported."),
++      HCI_QUIRK_BROKEN(ERR_DATA_REPORTING,
++                       "HCI Read Default Erroneous Data Reporting command is "
++                       "advertised, but not supported."),
+       HCI_QUIRK_BROKEN(READ_TRANSMIT_POWER,
+                        "HCI Read Transmit Power Level command is advertised, "
+                        "but not supported."),
diff --git a/queue-6.0/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch b/queue-6.0/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch
new file mode 100644 (file)
index 0000000..c84730f
--- /dev/null
@@ -0,0 +1,95 @@
+From b5ca338751ad4783ec8d37b5d99c3e37b7813e59 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 29 Nov 2022 12:54:13 -0800
+Subject: Bluetooth: Fix crash when replugging CSR fake controllers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit b5ca338751ad4783ec8d37b5d99c3e37b7813e59 upstream.
+
+It seems fake CSR 5.0 clones can cause the suspend notifier to be
+registered twice causing the following kernel panic:
+
+[   71.986122] Call Trace:
+[   71.986124]  <TASK>
+[   71.986125]  blocking_notifier_chain_register+0x33/0x60
+[   71.986130]  hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da]
+[   71.986154]  btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477]
+[   71.986159]  ? __pm_runtime_set_status+0x1a9/0x300
+[   71.986162]  ? ktime_get_mono_fast_ns+0x3e/0x90
+[   71.986167]  usb_probe_interface+0xe3/0x2b0
+[   71.986171]  really_probe+0xdb/0x380
+[   71.986174]  ? pm_runtime_barrier+0x54/0x90
+[   71.986177]  __driver_probe_device+0x78/0x170
+[   71.986180]  driver_probe_device+0x1f/0x90
+[   71.986183]  __device_attach_driver+0x89/0x110
+[   71.986186]  ? driver_allows_async_probing+0x70/0x70
+[   71.986189]  bus_for_each_drv+0x8c/0xe0
+[   71.986192]  __device_attach+0xb2/0x1e0
+[   71.986195]  bus_probe_device+0x92/0xb0
+[   71.986198]  device_add+0x422/0x9a0
+[   71.986201]  ? sysfs_merge_group+0xd4/0x110
+[   71.986205]  usb_set_configuration+0x57a/0x820
+[   71.986208]  usb_generic_driver_probe+0x4f/0x70
+[   71.986211]  usb_probe_device+0x3a/0x110
+[   71.986213]  really_probe+0xdb/0x380
+[   71.986216]  ? pm_runtime_barrier+0x54/0x90
+[   71.986219]  __driver_probe_device+0x78/0x170
+[   71.986221]  driver_probe_device+0x1f/0x90
+[   71.986224]  __device_attach_driver+0x89/0x110
+[   71.986227]  ? driver_allows_async_probing+0x70/0x70
+[   71.986230]  bus_for_each_drv+0x8c/0xe0
+[   71.986232]  __device_attach+0xb2/0x1e0
+[   71.986235]  bus_probe_device+0x92/0xb0
+[   71.986237]  device_add+0x422/0x9a0
+[   71.986239]  ? _dev_info+0x7d/0x98
+[   71.986242]  ? blake2s_update+0x4c/0xc0
+[   71.986246]  usb_new_device.cold+0x148/0x36d
+[   71.986250]  hub_event+0xa8a/0x1910
+[   71.986255]  process_one_work+0x1c4/0x380
+[   71.986259]  worker_thread+0x51/0x390
+[   71.986262]  ? rescuer_thread+0x3b0/0x3b0
+[   71.986264]  kthread+0xdb/0x110
+[   71.986266]  ? kthread_complete_and_exit+0x20/0x20
+[   71.986268]  ret_from_fork+0x1f/0x30
+[   71.986273]  </TASK>
+[   71.986274] ---[ end trace 0000000000000000 ]---
+[   71.986284] btusb: probe of 2-1.6:1.0 failed with error -17
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216683
+Cc: stable@vger.kernel.org
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Leonardo EugĂȘnio <lelgenio@disroot.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_core.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -2757,7 +2757,8 @@ int hci_register_suspend_notifier(struct
+ {
+       int ret = 0;
+-      if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) {
++      if (!hdev->suspend_notifier.notifier_call &&
++          !test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) {
+               hdev->suspend_notifier.notifier_call = hci_suspend_notifier;
+               ret = register_pm_notifier(&hdev->suspend_notifier);
+       }
+@@ -2769,8 +2770,11 @@ int hci_unregister_suspend_notifier(stru
+ {
+       int ret = 0;
+-      if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks))
++      if (hdev->suspend_notifier.notifier_call) {
+               ret = unregister_pm_notifier(&hdev->suspend_notifier);
++              if (!ret)
++                      hdev->suspend_notifier.notifier_call = NULL;
++      }
+       return ret;
+ }
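Review bot: The new guards in hci_register_suspend_notifier() and hci_unregister_suspend_notifier() repurpose `hdev->suspend_notifier.notifier_call` as the "already registered" marker, and nothing in the hunk says so; a short comment above the register-side check, e.g. `/* notifier_call doubles as the registered marker; cleared only after a successful unregister */`, would stop a later change from pre-initialising the field. This relies on the field being NULL in a freshly allocated hdev and on register/unregister never running concurrently for the same hdev, neither of which is visible here. When `unregister_pm_notifier()` fails the marker is deliberately kept, so a following register call is skipped rather than double-registering, which is the safe direction.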
diff --git a/queue-6.0/can-can327-flush-tx_work-on-ldisc-.close.patch b/queue-6.0/can-can327-flush-tx_work-on-ldisc-.close.patch
new file mode 100644 (file)
index 0000000..ca1d005
--- /dev/null
@@ -0,0 +1,85 @@
+From f4a4d121ebecaa6f396f21745ce97de014281ccc Mon Sep 17 00:00:00 2001
+From: Max Staudt <max@enpas.org>
+Date: Sat, 3 Dec 2022 01:01:48 +0900
+Subject: can: can327: flush TX_work on ldisc .close()
+
+From: Max Staudt <max@enpas.org>
+
+commit f4a4d121ebecaa6f396f21745ce97de014281ccc upstream.
+
+Additionally, remove it from .ndo_stop().
+
+This ensures that the worker is not called after being freed, and that
+the UART TX queue remains active to send final commands when the
+netdev is stopped.
+
+Thanks to Jiri Slaby for finding this in slcan:
+
+  https://lore.kernel.org/linux-can/20221201073426.17328-1-jirislaby@kernel.org/
+
+A variant of this patch for slcan, with the flush in .ndo_stop() still
+present, has been tested successfully on physical hardware:
+
+  https://bugzilla.suse.com/show_bug.cgi?id=1205597
+
+Fixes: 43da2f07622f ("can: can327: CAN/ldisc driver for ELM327 based OBD-II adapters")
+Cc: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
+Cc: Max Staudt <max@enpas.org>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: linux-can@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Staudt <max@enpas.org>
+Link: https://lore.kernel.org/all/20221202160148.282564-1-max@enpas.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/can327.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/can/can327.c b/drivers/net/can/can327.c
+index ed3d0b8989a0..dc7192ecb001 100644
+--- a/drivers/net/can/can327.c
++++ b/drivers/net/can/can327.c
+@@ -796,9 +796,9 @@ static int can327_netdev_close(struct net_device *dev)
+       netif_stop_queue(dev);
+-      /* Give UART one final chance to flush. */
+-      clear_bit(TTY_DO_WRITE_WAKEUP, &elm->tty->flags);
+-      flush_work(&elm->tx_work);
++      /* We don't flush the UART TX queue here, as we want final stop
++       * commands (like the above dummy char) to be flushed out.
++       */
+       can_rx_offload_disable(&elm->offload);
+       elm->can.state = CAN_STATE_STOPPED;
+@@ -1069,12 +1069,15 @@ static void can327_ldisc_close(struct tty_struct *tty)
+ {
+       struct can327 *elm = (struct can327 *)tty->disc_data;
+-      /* unregister_netdev() calls .ndo_stop() so we don't have to.
+-       * Our .ndo_stop() also flushes the TTY write wakeup handler,
+-       * so we can safely set elm->tty = NULL after this.
+-       */
++      /* unregister_netdev() calls .ndo_stop() so we don't have to. */
+       unregister_candev(elm->dev);
++      /* Give UART one final chance to flush.
++       * No need to clear TTY_DO_WRITE_WAKEUP since .write_wakeup() is
++       * serialised against .close() and will not be called once we return.
++       */
++      flush_work(&elm->tx_work);
++
+       /* Mark channel as dead */
+       spin_lock_bh(&elm->lock);
+       tty->disc_data = NULL;
+-- 
+2.38.1
+
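Review bot: The retained comment in can327_ldisc_close(), `/* unregister_netdev() calls .ndo_stop() so we don't have to. */`, is only true when the netdev is UP, and that is precisely the gap the new flush_work() closes; the sibling slcan patch in this series spells the condition out. Suggest `/* unregister_netdev() calls .ndo_stop() only if the netdev is UP, so we don't have to. */` so the reason for the flush_work() that follows is clear. The can327_netdev_close() hunk's new comment refers to "the above dummy char", which lies outside the hunk; both can327_netdev_close() and can327_ldisc_close() continue beyond their hunks.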
diff --git a/queue-6.0/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch b/queue-6.0/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch
new file mode 100644 (file)
index 0000000..b089b0c
--- /dev/null
@@ -0,0 +1,50 @@
+From 918ee4911f7a41fb4505dff877c1d7f9f64eb43e Mon Sep 17 00:00:00 2001
+From: Frank Jungclaus <frank.jungclaus@esd.eu>
+Date: Wed, 30 Nov 2022 21:22:42 +0100
+Subject: can: esd_usb: Allow REC and TEC to return to zero
+
+From: Frank Jungclaus <frank.jungclaus@esd.eu>
+
+commit 918ee4911f7a41fb4505dff877c1d7f9f64eb43e upstream.
+
+We don't get any further EVENT from an esd CAN USB device for changes
+on REC or TEC while those counters converge to 0 (with ecc == 0). So
+when handling the "Back to Error Active"-event force txerr = rxerr =
+0, otherwise the berr-counters might stay on values like 95 forever.
+
+Also, to make life easier during the ongoing development a
+netdev_dbg() has been introduced to allow dumping error events send by
+an esd CAN USB device.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Signed-off-by: Frank Jungclaus <frank.jungclaus@esd.eu>
+Link: https://lore.kernel.org/all/20221130202242.3998219-2-frank.jungclaus@esd.eu
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/esd_usb.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/can/usb/esd_usb.c
++++ b/drivers/net/can/usb/esd_usb.c
+@@ -234,6 +234,10 @@ static void esd_usb_rx_event(struct esd_
+               u8 rxerr = msg->msg.rx.data[2];
+               u8 txerr = msg->msg.rx.data[3];
++              netdev_dbg(priv->netdev,
++                         "CAN_ERR_EV_EXT: dlc=%#02x state=%02x ecc=%02x rec=%02x tec=%02x\n",
++                         msg->msg.rx.dlc, state, ecc, rxerr, txerr);
++
+               skb = alloc_can_err_skb(priv->netdev, &cf);
+               if (skb == NULL) {
+                       stats->rx_dropped++;
+@@ -260,6 +264,8 @@ static void esd_usb_rx_event(struct esd_
+                               break;
+                       default:
+                               priv->can.state = CAN_STATE_ERROR_ACTIVE;
++                              txerr = 0;
++                              rxerr = 0;
+                               break;
+                       }
+               } else {
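Review bot: In the new netdev_dbg() format string, `dlc=%#02x` combines the `#` alternate-form flag with a width of 2: `#` prepends `0x`, which already fills the width, so the value is never zero-padded and prints as e.g. `0x5` while the neighbouring fields print as `05`. Either drop the flag to match the others, `dlc=%02x`, or widen it, `dlc=%#04x`. The `txerr = 0; rxerr = 0;` reset in the default branch matches the commit message; whether those zeros also reach the counters copied into the error skb depends on code outside the hunk. esd_usb_rx_event() starts and ends outside both hunks.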
diff --git a/queue-6.0/can-slcan-fix-freed-work-crash.patch b/queue-6.0/can-slcan-fix-freed-work-crash.patch
new file mode 100644 (file)
index 0000000..2abe453
--- /dev/null
@@ -0,0 +1,100 @@
+From fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb Mon Sep 17 00:00:00 2001
+From: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
+Date: Thu, 1 Dec 2022 08:34:26 +0100
+Subject: can: slcan: fix freed work crash
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+commit fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb upstream.
+
+The LTP test pty03 is causing a crash in slcan:
+  BUG: kernel NULL pointer dereference, address: 0000000000000008
+  #PF: supervisor read access in kernel mode
+  #PF: error_code(0x0000) - not-present page
+  PGD 0 P4D 0
+  Oops: 0000 [#1] PREEMPT SMP NOPTI
+  CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+  Workqueue:  0x0 (events)
+  RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
+  Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
+  RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
+  RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
+  RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
+  RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
+  R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
+  R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
+  FS:  0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
+  Call Trace:
+   <TASK>
+  worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
+  kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
+  ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)
+
+Apparently, the slcan's tx_work is freed while being scheduled. While
+slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),
+slcan_close() (tty side) does not. So when the netdev is never set UP,
+but the tty is stuffed with bytes and forced to wakeup write, the work
+is scheduled, but never flushed.
+
+So add an additional flush_work() to slcan_close() to be sure the work
+is flushed under all circumstances.
+
+The Fixes commit below moved flush_work() from slcan_close() to
+slcan_netdev_close(). What was the rationale behind it? Maybe we can
+drop the one in slcan_netdev_close()?
+
+I see the same pattern in can327. So it perhaps needs the very same fix.
+
+Fixes: cfcb4465e992 ("can: slcan: remove legacy infrastructure")
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1205597
+Reported-by: Richard Palethorpe <richard.palethorpe@suse.com>
+Tested-by: Petr Vorel <petr.vorel@suse.com>
+Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: linux-can@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: stable@vger.kernel.org
+Cc: Max Staudt <max@enpas.org>
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Reviewed-by: Max Staudt <max@enpas.org>
+Link: https://lore.kernel.org/all/20221201073426.17328-1-jirislaby@kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/slcan/slcan-core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/slcan/slcan-core.c b/drivers/net/can/slcan/slcan-core.c
+index fbb34139daa1..f4db77007c13 100644
+--- a/drivers/net/can/slcan/slcan-core.c
++++ b/drivers/net/can/slcan/slcan-core.c
+@@ -864,12 +864,14 @@ static void slcan_close(struct tty_struct *tty)
+ {
+       struct slcan *sl = (struct slcan *)tty->disc_data;
+-      /* unregister_netdev() calls .ndo_stop() so we don't have to.
+-       * Our .ndo_stop() also flushes the TTY write wakeup handler,
+-       * so we can safely set sl->tty = NULL after this.
+-       */
+       unregister_candev(sl->dev);
++      /*
++       * The netdev needn't be UP (so .ndo_stop() is not called). Hence make
++       * sure this is not running before freeing it up.
++       */
++      flush_work(&sl->tx_work);
++
+       /* Mark channel as dead */
+       spin_lock_bh(&sl->lock);
+       tty->disc_data = NULL;
+-- 
+2.38.1
+
diff --git a/queue-6.0/drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch b/queue-6.0/drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch
new file mode 100644 (file)
index 0000000..13f42c7
--- /dev/null
@@ -0,0 +1,35 @@
+From aeffc8fb2174f017a10df114bc312f899904dc68 Mon Sep 17 00:00:00 2001
+From: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Date: Fri, 25 Nov 2022 19:13:41 -0500
+Subject: drm/amd/display: fix array index out of bound error in DCN32 DML
+
+From: Aurabindo Pillai <aurabindo.pillai@amd.com>
+
+commit aeffc8fb2174f017a10df114bc312f899904dc68 upstream.
+
+[Why&How]
+LinkCapacitySupport array is indexed with the number of voltage states and
+not the number of max DPPs. Fix the error by changing the array
+declaration to use the correct (larger) array size of total number of
+voltage states.
+
+Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h
++++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h
+@@ -1152,7 +1152,7 @@ struct vba_vars_st {
+       double UrgBurstFactorLumaPre[DC__NUM_DPP__MAX];
+       double UrgBurstFactorChromaPre[DC__NUM_DPP__MAX];
+       bool NotUrgentLatencyHidingPre[DC__NUM_DPP__MAX];
+-      bool LinkCapacitySupport[DC__NUM_DPP__MAX];
++      bool LinkCapacitySupport[DC__VOLTAGE_STATES];
+       bool VREADY_AT_OR_AFTER_VSYNC[DC__NUM_DPP__MAX];
+       unsigned int MIN_DST_Y_NEXT_START[DC__NUM_DPP__MAX];
+       unsigned int VFrontPorch[DC__NUM_DPP__MAX];
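Review bot: The resized field sits among DPP-indexed arrays and nothing marks it as the odd one out, so the same out-of-bounds mistake is easy to reintroduce; suggest a trailing comment, `bool LinkCapacitySupport[DC__VOLTAGE_STATES]; /* indexed by voltage state, not DPP */`. The fix assumes DC__VOLTAGE_STATES is at least DC__NUM_DPP__MAX, as the commit message states; a `static_assert` on that relationship near the struct would make the assumption checkable, but the macro definitions are not visible here. struct vba_vars_st starts and ends outside the hunk.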
diff --git a/queue-6.0/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch b/queue-6.0/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch
new file mode 100644 (file)
index 0000000..f6f89af
--- /dev/null
@@ -0,0 +1,94 @@
+From bc21fe9a5844c5bc8f7ec319b11d2671a94eb867 Mon Sep 17 00:00:00 2001
+From: Prike Liang <Prike.Liang@amd.com>
+Date: Thu, 1 Dec 2022 11:17:31 +0800
+Subject: drm/amdgpu/sdma_v4_0: turn off SDMA ring buffer in the s2idle suspend
+
+From: Prike Liang <Prike.Liang@amd.com>
+
+commit bc21fe9a5844c5bc8f7ec319b11d2671a94eb867 upstream.
+
+In the SDMA s0ix save process requires to turn off SDMA ring buffer for
+avoiding the SDMA in-flight request, otherwise will suffer from SDMA page
+fault which causes by page request from in-flight SDMA ring accessing at
+SDMA restore phase.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2248
+Cc: stable@vger.kernel.org # 6.0,5.15+
+Fixes: f8f4e2a51834 ("drm/amdgpu: skipping SDMA hw_init and hw_fini for S0ix.")
+Signed-off-by: Prike Liang <Prike.Liang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Tested-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c |   24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+@@ -980,13 +980,13 @@ static void sdma_v4_0_ring_emit_fence(st
+ /**
+- * sdma_v4_0_gfx_stop - stop the gfx async dma engines
++ * sdma_v4_0_gfx_enable - enable the gfx async dma engines
+  *
+  * @adev: amdgpu_device pointer
+- *
+- * Stop the gfx async dma ring buffers (VEGA10).
++ * @enable: enable SDMA RB/IB
++ * control the gfx async dma ring buffers (VEGA10).
+  */
+-static void sdma_v4_0_gfx_stop(struct amdgpu_device *adev)
++static void sdma_v4_0_gfx_enable(struct amdgpu_device *adev, bool enable)
+ {
+       struct amdgpu_ring *sdma[AMDGPU_MAX_SDMA_INSTANCES];
+       u32 rb_cntl, ib_cntl;
+@@ -1001,10 +1001,10 @@ static void sdma_v4_0_gfx_stop(struct am
+               }
+               rb_cntl = RREG32_SDMA(i, mmSDMA0_GFX_RB_CNTL);
+-              rb_cntl = REG_SET_FIELD(rb_cntl, SDMA0_GFX_RB_CNTL, RB_ENABLE, 0);
++              rb_cntl = REG_SET_FIELD(rb_cntl, SDMA0_GFX_RB_CNTL, RB_ENABLE, enable ? 1 : 0);
+               WREG32_SDMA(i, mmSDMA0_GFX_RB_CNTL, rb_cntl);
+               ib_cntl = RREG32_SDMA(i, mmSDMA0_GFX_IB_CNTL);
+-              ib_cntl = REG_SET_FIELD(ib_cntl, SDMA0_GFX_IB_CNTL, IB_ENABLE, 0);
++              ib_cntl = REG_SET_FIELD(ib_cntl, SDMA0_GFX_IB_CNTL, IB_ENABLE, enable ? 1 : 0);
+               WREG32_SDMA(i, mmSDMA0_GFX_IB_CNTL, ib_cntl);
+       }
+ }
+@@ -1131,7 +1131,7 @@ static void sdma_v4_0_enable(struct amdg
+       int i;
+       if (!enable) {
+-              sdma_v4_0_gfx_stop(adev);
++              sdma_v4_0_gfx_enable(adev, enable);
+               sdma_v4_0_rlc_stop(adev);
+               if (adev->sdma.has_page_queue)
+                       sdma_v4_0_page_stop(adev);
+@@ -2043,8 +2043,10 @@ static int sdma_v4_0_suspend(void *handl
+       struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+       /* SMU saves SDMA state for us */
+-      if (adev->in_s0ix)
++      if (adev->in_s0ix) {
++              sdma_v4_0_gfx_enable(adev, false);
+               return 0;
++      }
+       return sdma_v4_0_hw_fini(adev);
+ }
+@@ -2054,8 +2056,12 @@ static int sdma_v4_0_resume(void *handle
+       struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+       /* SMU restores SDMA state for us */
+-      if (adev->in_s0ix)
++      if (adev->in_s0ix) {
++              sdma_v4_0_enable(adev, true);
++              sdma_v4_0_gfx_enable(adev, true);
++              amdgpu_ttm_set_buffer_funcs_status(adev, true);
+               return 0;
++      }
+       return sdma_v4_0_hw_init(adev);
+ }
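Review bot: The renamed kernel-doc for sdma_v4_0_gfx_enable() drops the blank ` *` separator between the parameter block and the description, so `@enable: enable SDMA RB/IB` runs straight into `control the gfx async dma ring buffers (VEGA10).` and kernel-doc will fold the description into the @enable text. Suggest ` * @enable: enable SDMA RB/IB` followed by a bare ` *` line and then ` * Control the gfx async dma ring buffers (VEGA10).` The s0ix paths are asymmetric: suspend only calls `sdma_v4_0_gfx_enable(adev, false)` while resume also calls `sdma_v4_0_enable(adev, true)` and `amdgpu_ttm_set_buffer_funcs_status(adev, true)`; that appears intentional given the SMU saves the rest, but a one-line comment in sdma_v4_0_suspend() saying why only the ring buffers are stopped would help the next reader. sdma_v4_0_gfx_enable() continues past its hunk.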
diff --git a/queue-6.0/drm-shmem-helper-avoid-vm_open-error-paths.patch b/queue-6.0/drm-shmem-helper-avoid-vm_open-error-paths.patch
new file mode 100644 (file)
index 0000000..63848f3
--- /dev/null
@@ -0,0 +1,54 @@
+From 09bf649a74573cb596e211418a4f8008f265c5a9 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Wed, 30 Nov 2022 10:57:48 -0800
+Subject: drm/shmem-helper: Avoid vm_open error paths
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit 09bf649a74573cb596e211418a4f8008f265c5a9 upstream.
+
+vm_open() is not allowed to fail.  Fortunately we are guaranteed that
+the pages are already pinned, thanks to the initial mmap which is now
+being cloned into a forked process, and only need to increment the
+refcnt.  So just increment it directly.  Previously if a signal was
+delivered at the wrong time to the forking process, the
+mutex_lock_interruptible() could fail resulting in the pages_use_count
+not being incremented.
+
+Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-3-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_shmem_helper.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
+@@ -571,12 +571,20 @@ static void drm_gem_shmem_vm_open(struct
+ {
+       struct drm_gem_object *obj = vma->vm_private_data;
+       struct drm_gem_shmem_object *shmem = to_drm_gem_shmem_obj(obj);
+-      int ret;
+       WARN_ON(shmem->base.import_attach);
+-      ret = drm_gem_shmem_get_pages(shmem);
+-      WARN_ON_ONCE(ret != 0);
++      mutex_lock(&shmem->pages_lock);
++
++      /*
++       * We should have already pinned the pages when the buffer was first
++       * mmap'd, vm_open() just grabs an additional reference for the new
++       * mm the vma is getting copied into (ie. on fork()).
++       */
++      if (!WARN_ON_ONCE(!shmem->pages_use_count))
++              shmem->pages_use_count++;
++
++      mutex_unlock(&shmem->pages_lock);
+       drm_gem_vm_open(vma);
+ }
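Review bot: When `WARN_ON_ONCE(!shmem->pages_use_count)` fires, the function still falls through to `drm_gem_vm_open(vma)`, so the new vma is opened without a page reference having been taken; if the paired vm_close (outside this hunk) drops one, the count goes out of balance in exactly the situation the warning flags. A comment on the `if` would make that explicit, e.g. `/* Zero here means the mapping was never pinned; do not increment, the warning is all vm_open can do since it cannot fail. */`. It is also worth stating in the new comment that the uninterruptible `mutex_lock()` is deliberate because vm_open has no error path, which is the whole reason for the change.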
diff --git a/queue-6.0/drm-shmem-helper-remove-errant-put-in-error-path.patch b/queue-6.0/drm-shmem-helper-remove-errant-put-in-error-path.patch
new file mode 100644 (file)
index 0000000..1418a44
--- /dev/null
@@ -0,0 +1,39 @@
+From 24013314be6ee4ee456114a671e9fa3461323de8 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Wed, 30 Nov 2022 10:57:47 -0800
+Subject: drm/shmem-helper: Remove errant put in error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit 24013314be6ee4ee456114a671e9fa3461323de8 upstream.
+
+drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM
+object getting prematurely freed leading to a later use-after-free.
+
+Link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
+Reported-by: syzbot+c8ae65286134dd1b800d@syzkaller.appspotmail.com
+Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-2-robdclark@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_shmem_helper.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
+@@ -622,10 +622,8 @@ int drm_gem_shmem_mmap(struct drm_gem_sh
+       }
+       ret = drm_gem_shmem_get_pages(shmem);
+-      if (ret) {
+-              drm_gem_vm_close(vma);
++      if (ret)
+               return ret;
+-      }
+       vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
+       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
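Review bot: The error path at `if (ret) return ret;` now has no cleanup, and nothing in the code says why that is correct, so the next reader may reintroduce the `drm_gem_vm_close()` this commit removes. A short comment would pin the ownership rule from the commit message, e.g. `/* No vm_close() here: the vma's GEM reference is not owned by this function (see 24013314be6e). */`. The start of `drm_gem_shmem_mmap()` is outside the hunk, so I cannot confirm from here where that reference is taken.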
diff --git a/queue-6.0/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch b/queue-6.0/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch
new file mode 100644 (file)
index 0000000..d89ef98
--- /dev/null
@@ -0,0 +1,43 @@
+From 6e90293618ed476d6b11f82ce724efbb9e9a071b Mon Sep 17 00:00:00 2001
+From: Zack Rusin <zackr@vmware.com>
+Date: Thu, 1 Dec 2022 12:53:41 -0500
+Subject: drm/vmwgfx: Don't use screen objects when SEV is active
+
+From: Zack Rusin <zackr@vmware.com>
+
+commit 6e90293618ed476d6b11f82ce724efbb9e9a071b upstream.
+
+When SEV is enabled gmr's and mob's are explicitly disabled because
+the encrypted system memory can not be used by the hypervisor.
+
+The driver was disabling GMR's but the presentation code, which depends
+on GMR's, wasn't honoring it which lead to black screen on hosts
+with SEV enabled.
+
+Make sure screen objects presentation is not used when guest memory
+regions have been disabled to fix presentation on SEV enabled hosts.
+
+Fixes: 3b0d6458c705 ("drm/vmwgfx: Refuse DMA operation when SEV encryption is active")
+Cc: <stable@vger.kernel.org> # v5.7+
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Reported-by: Nicholas Hunt <nhunt@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221201175341.491884-1-zack@kde.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
+@@ -950,6 +950,10 @@ int vmw_kms_sou_init_display(struct vmw_
+       struct drm_device *dev = &dev_priv->drm;
+       int i, ret;
++      /* Screen objects won't work if GMR's aren't available */
++      if (!dev_priv->has_gmr)
++              return -ENOSYS;
++
+       if (!(dev_priv->capabilities & SVGA_CAP_SCREEN_OBJECT_2)) {
+               return -ENOSYS;
+       }
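Review bot: The new `has_gmr` guard and the existing `SVGA_CAP_SCREEN_OBJECT_2` guard both return `-ENOSYS` but use different brace styles (an unbraced `return -ENOSYS;` followed by a braced single-statement body), so two adjacent checks read as if written to different conventions. The added comment also omits why GMRs can be absent; `/* Screen objects need GMRs, which are disabled when SEV is active (see 3b0d6458c705). */` would carry the commit's rationale into the code. Returning `-ENOSYS` for a memory-encryption condition rather than a missing capability is presumably deliberate, since callers already handle that value for the capability case.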
diff --git a/queue-6.0/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch b/queue-6.0/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
new file mode 100644 (file)
index 0000000..df50e44
--- /dev/null
@@ -0,0 +1,72 @@
+From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001
+From: ZhangPeng <zhangpeng362@huawei.com>
+Date: Wed, 16 Nov 2022 07:14:28 +0000
+Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream.
+
+Syzbot reported shift-out-of-bounds in hid_report_raw_event.
+
+microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
+32! (swapper/0)
+======================================================================
+UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
+shift exponent 127 is too large for 32-bit type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
+Hardware name: Google Compute Engine/Google Compute Engine, BIOS
+Google 10/26/2022
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:151 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
+ snto32 drivers/hid/hid-core.c:1323 [inline]
+ hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
+ hid_process_report drivers/hid/hid-core.c:1665 [inline]
+ hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
+ hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
+ hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
+ __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
+ dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
+ expire_timers kernel/time/timer.c:1519 [inline]
+ __run_timers+0x76a/0x980 kernel/time/timer.c:1790
+ run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
+ __do_softirq+0x277/0x75b kernel/softirq.c:571
+ __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
+======================================================================
+
+If the size of the integer (unsigned n) is bigger than 32 in snto32(),
+shift exponent will be too large for 32-bit type 'int', resulting in a
+shift-out-of-bounds bug.
+Fix this by adding a check on the size of the integer (unsigned n) in
+snto32(). To add support for n greater than 32 bits, set n to 32, if n
+is greater than 32.
+
+Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1315,6 +1315,9 @@ static s32 snto32(__u32 value, unsigned
+       if (!value || !n)
+               return 0;
++      if (n > 32)
++              n = 32;
++
+       switch (n) {
+       case 8:  return ((__s8)value);
+       case 16: return ((__s16)value);
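Review bot: The clamp `if (n > 32) n = 32;` silently interprets a wider field by its low 32 bits instead of rejecting it, and nothing in the code records that this is intentional; a comment such as `/* Fields wider than 32 bits cannot be represented; hid_field_extract() already caps n at 32 and logs it, so treat them as 32-bit here too. */` would make the decision explicit. The claim about `hid_field_extract()` comes from the warning line in the commit's trace and should be confirmed against the caller, which is outside the hunk. The `switch (n)` that follows, and presumably the arm that does the shift, continues past the hunk.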
diff --git a/queue-6.0/hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch b/queue-6.0/hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch
new file mode 100644 (file)
index 0000000..5aa1f61
--- /dev/null
@@ -0,0 +1,37 @@
+From 2afac81dd16544d825f309fd992d2af6304353df Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Thu, 3 Nov 2022 16:57:42 +0100
+Subject: HID: fix I2C_HID not selected when I2C_HID_OF_ELAN is
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 2afac81dd16544d825f309fd992d2af6304353df upstream.
+
+When I2C_HID_OF_ELAN is set, we need to turn on I2C_HID_CORE to
+ensure we get all the HID requirements.
+
+Fixes: bd3cba00dcc6 ("HID: i2c-hid: elan: Add support for Elan eKTH6915 i2c-hid touchscreens")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/i2c-hid/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/i2c-hid/Kconfig b/drivers/hid/i2c-hid/Kconfig
+index 5273ee2bb134..d65abe65ce73 100644
+--- a/drivers/hid/i2c-hid/Kconfig
++++ b/drivers/hid/i2c-hid/Kconfig
+@@ -66,6 +66,6 @@ endmenu
+ config I2C_HID_CORE
+       tristate
+-      default y if I2C_HID_ACPI=y || I2C_HID_OF=y || I2C_HID_OF_GOODIX=y
+-      default m if I2C_HID_ACPI=m || I2C_HID_OF=m || I2C_HID_OF_GOODIX=m
++      default y if I2C_HID_ACPI=y || I2C_HID_OF=y || I2C_HID_OF_ELAN=y || I2C_HID_OF_GOODIX=y
++      default m if I2C_HID_ACPI=m || I2C_HID_OF=m || I2C_HID_OF_ELAN=m || I2C_HID_OF_GOODIX=m
+       select HID
+-- 
+2.38.1
+
diff --git a/queue-6.0/hid-hid-lg4ff-add-check-for-empty-lbuf.patch b/queue-6.0/hid-hid-lg4ff-add-check-for-empty-lbuf.patch
new file mode 100644 (file)
index 0000000..837eea2
--- /dev/null
@@ -0,0 +1,37 @@
+From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova <abelova@astralinux.ru>
+Date: Fri, 11 Nov 2022 15:55:11 +0300
+Subject: HID: hid-lg4ff: Add check for empty lbuf
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream.
+
+If an empty buf is received, lbuf is also empty. So lbuf is
+accessed by index -1.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-lg4ff.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_sto
+               return -ENOMEM;
+       i = strlen(lbuf);
++
++      if (i == 0) {
++              kfree(lbuf);
++              return -EINVAL;
++      }
++
+       if (lbuf[i-1] == '\n') {
+               if (i == 1) {
+                       kfree(lbuf);
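Review bot: The new `if (i == 0)` check runs after `lbuf` has already been allocated (the `-ENOMEM` return just above it), so an empty write pays for an allocation only to free it immediately; rejecting on the incoming length before the copy would avoid both the allocation and the `kfree()`. The allocation itself is outside the hunk, so I cannot see whether the length is available there. The `i == 1` branch that follows (its body continues past the hunk) already frees and rejects a bare newline, so the two cases could share one early exit, e.g. `if (i == 0 || (i == 1 && lbuf[0] == '\n')) { kfree(lbuf); return -EINVAL; }`, provided that branch does return `-EINVAL`.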
diff --git a/queue-6.0/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch b/queue-6.0/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
new file mode 100644 (file)
index 0000000..fa075e9
--- /dev/null
@@ -0,0 +1,51 @@
+From 9ad6645a9dce4d0e42daca6ebf32a154401c59d3 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 8 Nov 2022 16:13:50 +0100
+Subject: HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 9ad6645a9dce4d0e42daca6ebf32a154401c59d3 upstream.
+
+The Acer Aspire Switch V 10 (SW5-017)'s keyboard-dock uses the same
+ITE controller setup as other Acer Switch 2-in-1's.
+
+This needs special handling for the wifi on/off toggle hotkey as well as
+to properly report touchpad on/off keypresses.
+
+Add the USB-ids for the SW5-017's keyboard-dock with a quirk setting of
+QUIRK_TOUCHPAD_ON_OFF_REPORT to fix both issues.
+
+Cc: Rudolf Polzer <rpolzer@google.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h |    1 +
+ drivers/hid/hid-ite.c |    5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1217,6 +1217,7 @@
+ #define USB_DEVICE_ID_SYNAPTICS_DELL_K15A     0x6e21
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1002        0x73f4
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003        0x73f5
++#define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_017      0x73f6
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5  0x81a7
+ #define USB_VENDOR_ID_TEXAS_INSTRUMENTS       0x2047
+--- a/drivers/hid/hid-ite.c
++++ b/drivers/hid/hid-ite.c
+@@ -121,6 +121,11 @@ static const struct hid_device_id ite_de
+                    USB_VENDOR_ID_SYNAPTICS,
+                    USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003),
+         .driver_data = QUIRK_TOUCHPAD_ON_OFF_REPORT },
++      /* ITE8910 USB kbd ctlr, with Synaptics touchpad connected to it. */
++      { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++                   USB_VENDOR_ID_SYNAPTICS,
++                   USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_017),
++        .driver_data = QUIRK_TOUCHPAD_ON_OFF_REPORT },
+       { }
+ };
+ MODULE_DEVICE_TABLE(hid, ite_devices);
diff --git a/queue-6.0/hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch b/queue-6.0/hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
new file mode 100644 (file)
index 0000000..1a0d307
--- /dev/null
@@ -0,0 +1,46 @@
+From 3405a4beaaa852f3ed2a5eb3b5149932d5c3779b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jose.exposito89@gmail.com>
+Date: Thu, 10 Nov 2022 18:40:56 +0100
+Subject: HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: JosĂ© ExpĂłsito <jose.exposito89@gmail.com>
+
+commit 3405a4beaaa852f3ed2a5eb3b5149932d5c3779b upstream.
+
+Commit f7d8e387d9ae ("HID: uclogic: Switch to Digitizer usage for
+styluses") changed the usage used in UCLogic from "Pen" to "Digitizer".
+
+However, the IS_INPUT_APPLICATION() macro evaluates to false for
+HID_DG_DIGITIZER causing issues with the XP-Pen Star G640 tablet.
+
+Add the HID_QUIRK_HIDINPUT_FORCE quirk to bypass the
+IS_INPUT_APPLICATION() check.
+
+Reported-by: Torge Matthies <openglfreak@googlemail.com>
+Reported-by: Alexander Zhang <alex@alexyzhang.dev>
+Tested-by: Alexander Zhang <alex@alexyzhang.dev>
+Signed-off-by: JosĂ© ExpĂłsito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-uclogic-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
+index 0fbc408c2607..7fa6fe04f1b2 100644
+--- a/drivers/hid/hid-uclogic-core.c
++++ b/drivers/hid/hid-uclogic-core.c
+@@ -192,6 +192,7 @@ static int uclogic_probe(struct hid_device *hdev,
+        * than the pen, so use QUIRK_MULTI_INPUT for all tablets.
+        */
+       hdev->quirks |= HID_QUIRK_MULTI_INPUT;
++      hdev->quirks |= HID_QUIRK_HIDINPUT_FORCE;
+       /* Allocate and assign driver data */
+       drvdata = devm_kzalloc(&hdev->dev, sizeof(*drvdata), GFP_KERNEL);
+-- 
+2.38.1
+
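Review bot: The added `hdev->quirks |= HID_QUIRK_HIDINPUT_FORCE;` sits directly under a comment block that explains only `HID_QUIRK_MULTI_INPUT`, so a reader will assume the comment covers both lines. Give the new quirk its own one-liner from the commit message, e.g. `/* Digitizer usage fails IS_INPUT_APPLICATION(); force hidinput so the tablet still gets an input device. */`. If the comments are kept adjacent, the two assignments could also be folded into one `hdev->quirks |= HID_QUIRK_MULTI_INPUT | HID_QUIRK_HIDINPUT_FORCE;`.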
diff --git a/queue-6.0/hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch b/queue-6.0/hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch
new file mode 100644 (file)
index 0000000..be38dad
--- /dev/null
@@ -0,0 +1,41 @@
+From a6f4f1662711bd03308371d9649783a5be596898 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jose.exposito89@gmail.com>
+Date: Thu, 10 Nov 2022 18:49:18 +0100
+Subject: HID: uclogic: Fix frame templates for big endian architectures
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: JosĂ© ExpĂłsito <jose.exposito89@gmail.com>
+
+commit a6f4f1662711bd03308371d9649783a5be596898 upstream.
+
+When parsing a frame template with a placeholder indicating the number
+of buttons present on the frame its value was incorrectly set on big
+endian architectures due to double little endian conversion.
+
+In order to reproduce the issue and verify the fix, run the HID KUnit
+tests on the PowerPC architecture:
+
+  $ ./tools/testing/kunit/kunit.py run --kunitconfig=drivers/hid \
+    --arch=powerpc --cross_compile=powerpc64-linux-gnu-
+
+Fixes: 867c89254425 ("HID: uclogic: Allow to generate frame templates")
+Signed-off-by: JosĂ© ExpĂłsito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-uclogic-rdesc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-uclogic-rdesc.c
++++ b/drivers/hid/hid-uclogic-rdesc.c
+@@ -1119,7 +1119,7 @@ __u8 *uclogic_rdesc_template_apply(const
+                          p[sizeof(btn_head)] < param_num) {
+                       v = param_list[p[sizeof(btn_head)]];
+                       put_unaligned((__u8)0x2A, p); /* Usage Maximum */
+-                      put_unaligned_le16((__force u16)cpu_to_le16(v), p + 1);
++                      put_unaligned((__force u16)cpu_to_le16(v), (s16 *)(p + 1));
+                       p += sizeof(btn_head) + 1;
+               } else {
+                       p++;
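Review bot: The replacement line `put_unaligned((__force u16)cpu_to_le16(v), (s16 *)(p + 1));` stores an unsigned value through a signed pointer type, and the `__force` cast hides the little-endian annotation that sparse would otherwise check. `put_unaligned(cpu_to_le16(v), (__le16 *)(p + 1));` expresses the same 16-bit little-endian store without either cast and keeps the endianness type-checked. I cannot see the declarations of `v` or `param_list` from the hunk, so the element type should be confirmed before changing the cast.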
diff --git a/queue-6.0/hid-usbhid-add-always_poll-quirk-for-some-mice.patch b/queue-6.0/hid-usbhid-add-always_poll-quirk-for-some-mice.patch
new file mode 100644 (file)
index 0000000..e537e1c
--- /dev/null
@@ -0,0 +1,78 @@
+From f6d910a89a2391e5ce1f275d205023880a33d3f8 Mon Sep 17 00:00:00 2001
+From: Ankit Patel <anpatel@nvidia.com>
+Date: Tue, 22 Nov 2022 15:35:20 +0800
+Subject: HID: usbhid: Add ALWAYS_POLL quirk for some mice
+
+From: Ankit Patel <anpatel@nvidia.com>
+
+commit f6d910a89a2391e5ce1f275d205023880a33d3f8 upstream.
+
+Some additional USB mouse devices are needing ALWAYS_POLL quirk without
+which they disconnect and reconnect every 60s.
+
+Add below devices to the known quirk list.
+CHERRY    VID 0x046a, PID 0x000c
+MICROSOFT VID 0x045e, PID 0x0783
+PRIMAX    VID 0x0461, PID 0x4e2a
+
+Signed-off-by: Ankit Patel <anpatel@nvidia.com>
+Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h    |    3 +++
+ drivers/hid/hid-quirks.c |    3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -274,6 +274,7 @@
+ #define USB_DEVICE_ID_CH_AXIS_295     0x001c
+ #define USB_VENDOR_ID_CHERRY          0x046a
++#define USB_DEVICE_ID_CHERRY_MOUSE_000C       0x000c
+ #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023
+ #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR   0x0027
+@@ -917,6 +918,7 @@
+ #define USB_DEVICE_ID_MS_XBOX_ONE_S_CONTROLLER        0x02fd
+ #define USB_DEVICE_ID_MS_PIXART_MOUSE    0x00cb
+ #define USB_DEVICE_ID_8BITDO_SN30_PRO_PLUS      0x02e0
++#define USB_DEVICE_ID_MS_MOUSE_0783      0x0783
+ #define USB_VENDOR_ID_MOJO            0x8282
+ #define USB_DEVICE_ID_RETRO_ADAPTER   0x3201
+@@ -1379,6 +1381,7 @@
+ #define USB_VENDOR_ID_PRIMAX  0x0461
+ #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22       0x4d22
++#define USB_DEVICE_ID_PRIMAX_MOUSE_4E2A       0x4e2a
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL    0x4e72
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F        0x4d0f
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -54,6 +54,7 @@ static const struct hid_device_id hid_qu
+       { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET },
+       { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET },
+       { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET },
++      { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS },
+       { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS },
+@@ -122,6 +123,7 @@ static const struct hid_device_id hid_qu
+       { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT },
++      { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_MOUSE_0783), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS },
+       { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE3_COVER), HID_QUIRK_NO_INIT_REPORTS },
+@@ -146,6 +148,7 @@ static const struct hid_device_id hid_qu
+       { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS },
+       { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
++      { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4E2A), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL },
+       { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
diff --git a/queue-6.0/io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch b/queue-6.0/io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch
new file mode 100644 (file)
index 0000000..effa7f9
--- /dev/null
@@ -0,0 +1,92 @@
+From 998b30c3948e4d0b1097e639918c5cff332acac5 Mon Sep 17 00:00:00 2001
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Tue, 6 Dec 2022 01:38:32 -0800
+Subject: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+commit 998b30c3948e4d0b1097e639918c5cff332acac5 upstream.
+
+Syzkaller reports a NULL deref bug as follows:
+
+ BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
+ Read of size 4 at addr 0000000000000138 by task file1/1955
+
+ CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
+ Call Trace:
+  <TASK>
+  dump_stack_lvl+0xcd/0x134
+  ? io_tctx_exit_cb+0x53/0xd3
+  kasan_report+0xbb/0x1f0
+  ? io_tctx_exit_cb+0x53/0xd3
+  kasan_check_range+0x140/0x190
+  io_tctx_exit_cb+0x53/0xd3
+  task_work_run+0x164/0x250
+  ? task_work_cancel+0x30/0x30
+  get_signal+0x1c3/0x2440
+  ? lock_downgrade+0x6e0/0x6e0
+  ? lock_downgrade+0x6e0/0x6e0
+  ? exit_signals+0x8b0/0x8b0
+  ? do_raw_read_unlock+0x3b/0x70
+  ? do_raw_spin_unlock+0x50/0x230
+  arch_do_signal_or_restart+0x82/0x2470
+  ? kmem_cache_free+0x260/0x4b0
+  ? putname+0xfe/0x140
+  ? get_sigframe_size+0x10/0x10
+  ? do_execveat_common.isra.0+0x226/0x710
+  ? lockdep_hardirqs_on+0x79/0x100
+  ? putname+0xfe/0x140
+  ? do_execveat_common.isra.0+0x238/0x710
+  exit_to_user_mode_prepare+0x15f/0x250
+  syscall_exit_to_user_mode+0x19/0x50
+  do_syscall_64+0x42/0xb0
+  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0023:0x0
+ Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+ RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+  </TASK>
+ Kernel panic - not syncing: panic_on_warn set ...
+
+This happens because the adding of task_work from io_ring_exit_work()
+isn't synchronized with canceling all work items from eg exec. The
+execution of the two are ordered in that they are both run by the task
+itself, but if io_tctx_exit_cb() is queued while we're canceling all
+work items off exec AND gets executed when the task exits to userspace
+rather than in the main loop in io_uring_cancel_generic(), then we can
+find current->io_uring == NULL and hit the above crash.
+
+It's safe to add this NULL check here, because the execution of the two
+paths are done by the task itself.
+
+Cc: stable@vger.kernel.org
+Fixes: d56d938b4bef ("io_uring: do ctx initiated file note removal")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20221206093833.3812138-1-harshit.m.mogalapalli@oracle.com
+[axboe: add code comment and also put an explanation in the commit msg]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2560,8 +2560,10 @@ static __cold void io_tctx_exit_cb(struc
+       /*
+        * When @in_idle, we're in cancellation and it's racy to remove the
+        * node. It'll be removed by the end of cancellation, just ignore it.
++       * tctx can be NULL if the queueing of this task_work raced with
++       * work cancelation off the exec path.
+        */
+-      if (!atomic_read(&tctx->in_idle))
++      if (tctx && !atomic_read(&tctx->in_idle))
+               io_uring_del_tctx_node((unsigned long)work->ctx);
+       complete(&work->completion);
+ }
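Review bot: The new `tctx &&` guard is explained by the comment as a race with exec-path cancellation, but the comment does not say why a NULL check is sufficient rather than a way of masking the race; the commit message's justification belongs in the code. Extending the added comment with ` * Both paths are executed by the task itself, which is why a plain NULL check is sufficient here.` keeps that reasoning next to the check. Where `tctx` is assigned (presumably from `current->io_uring`) is outside the hunk.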
diff --git a/queue-6.0/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch b/queue-6.0/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
new file mode 100644 (file)
index 0000000..5c81f28
--- /dev/null
@@ -0,0 +1,48 @@
+From 0dd4cdccdab3d74bd86b868768a7dca216bcce7e Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 23 Nov 2022 10:08:33 +0100
+Subject: KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 0dd4cdccdab3d74bd86b868768a7dca216bcce7e upstream.
+
+We recently experienced some weird huge time jumps in nested guests when
+rebooting them in certain cases. After adding some debug code to the epoch
+handling in vsie.c (thanks to David Hildenbrand for the idea!), it was
+obvious that the "epdx" field (the multi-epoch extension) did not get set
+to 0xff in case the "epoch" field was negative.
+Seems like the code misses to copy the value from the epdx field from
+the guest to the shadow control block. By doing so, the weird time
+jumps are gone in our scenarios.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2140899
+Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support")
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Cc: stable@vger.kernel.org # 4.19+
+Link: https://lore.kernel.org/r/20221123090833.292938-1-thuth@redhat.com
+Message-Id: <20221123090833.292938-1-thuth@redhat.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kvm/vsie.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/vsie.c
++++ b/arch/s390/kvm/vsie.c
+@@ -546,8 +546,10 @@ static int shadow_scb(struct kvm_vcpu *v
+       if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_CEI))
+               scb_s->eca |= scb_o->eca & ECA_CEI;
+       /* Epoch Extension */
+-      if (test_kvm_facility(vcpu->kvm, 139))
++      if (test_kvm_facility(vcpu->kvm, 139)) {
+               scb_s->ecd |= scb_o->ecd & ECD_MEF;
++              scb_s->epdx = scb_o->epdx;
++      }
+       /* etoken */
+       if (test_kvm_facility(vcpu->kvm, 156))
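Review bot: The new `scb_s->epdx = scb_o->epdx;` copies the field verbatim while the neighbouring `ecd` line masks what it takes from the guest block, and the `/* Epoch Extension */` comment does not say why the raw copy is needed. A comment carrying the commit's reasoning would help, e.g. `/* Copy epdx as-is: it must be 0xff when epoch is negative, and leaving it zero caused large time jumps in nested guests. */`. Whether the guest-supplied epdx needs any validation depends on how the epoch field itself is shadowed, which is outside the hunk.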
diff --git a/queue-6.0/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch b/queue-6.0/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
new file mode 100644 (file)
index 0000000..22f3b1c
--- /dev/null
@@ -0,0 +1,70 @@
+From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Wed, 16 Nov 2022 15:07:22 +0000
+Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 5eef2141776da02772c44ec406d6871a790761ee upstream.
+
+Sanity checks were added to verify the v4l2_bt_timings blanking fields
+in order to avoid integer overflows when userspace passes weird values.
+
+But that assumed that userspace would correctly fill in the front porch,
+backporch and sync values, but sometimes all you know is the total
+blanking, which is then assigned to just one of these fields.
+
+And that can fail with these checks.
+
+So instead set a maximum for the total horizontal and vertical
+blanking and check that each field remains below that.
+
+That is still sufficient to avoid integer overflows, but it also
+allows for more flexibility in how userspace fills in these fields.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values")
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c |   20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -145,6 +145,8 @@ bool v4l2_valid_dv_timings(const struct
+       const struct v4l2_bt_timings *bt = &t->bt;
+       const struct v4l2_bt_timings_cap *cap = &dvcap->bt;
+       u32 caps = cap->capabilities;
++      const u32 max_vert = 10240;
++      u32 max_hor = 3 * bt->width;
+       if (t->type != V4L2_DV_BT_656_1120)
+               return false;
+@@ -166,14 +168,20 @@ bool v4l2_valid_dv_timings(const struct
+       if (!bt->interlaced &&
+           (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch))
+               return false;
+-      if (bt->hfrontporch > 2 * bt->width ||
+-          bt->hsync > 1024 || bt->hbackporch > 1024)
++      /*
++       * Some video receivers cannot properly separate the frontporch,
++       * backporch and sync values, and instead they only have the total
++       * blanking. That can be assigned to any of these three fields.
++       * So just check that none of these are way out of range.
++       */
++      if (bt->hfrontporch > max_hor ||
++          bt->hsync > max_hor || bt->hbackporch > max_hor)
+               return false;
+-      if (bt->vfrontporch > 4096 ||
+-          bt->vsync > 128 || bt->vbackporch > 4096)
++      if (bt->vfrontporch > max_vert ||
++          bt->vsync > max_vert || bt->vbackporch > max_vert)
+               return false;
+-      if (bt->interlaced && (bt->il_vfrontporch > 4096 ||
+-          bt->il_vsync > 128 || bt->il_vbackporch > 4096))
++      if (bt->interlaced && (bt->il_vfrontporch > max_vert ||
++          bt->il_vsync > max_vert || bt->il_vbackporch > max_vert))
+               return false;
+       return fnc == NULL || fnc(t, fnc_handle);
+ }
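Review bot: `max_hor` at the added `u32 max_hor = 3 * bt->width;` line is derived from `bt->width` before any of the function's range checks have run, and as a u32 product it wraps for widths above UINT_MAX/3; the wrap only makes the porch checks stricter, so it is harmless, but neither the factor 3 nor the 10240 ceiling for `max_vert` is explained in the code. Suggest one comment above both declarations, e.g. `/* Per-field ceilings: loose enough for any blanking split, tight enough that the h/v totals cannot overflow u32 */`, and making `max_hor` `const` like `max_vert` since it is never reassigned. v4l2_valid_dv_timings() begins before this hunk, so the width/height cap checks that bound `bt->width` are not visible here.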
diff --git a/queue-6.0/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch b/queue-6.0/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
new file mode 100644 (file)
index 0000000..7dba3a5
--- /dev/null
@@ -0,0 +1,112 @@
+From 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 7 Dec 2022 16:53:15 -1000
+Subject: memcg: fix possible use-after-free in memcg_write_event_control()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream.
+
+memcg_write_event_control() accesses the dentry->d_name of the specified
+control fd to route the write call.  As a cgroup interface file can't be
+renamed, it's safe to access d_name as long as the specified file is a
+regular cgroup file.  Also, as these cgroup interface files can't be
+removed before the directory, it's safe to access the parent too.
+
+Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
+call to __file_cft() which verified that the specified file is a regular
+cgroupfs file before further accesses.  The cftype pointer returned from
+__file_cft() was no longer necessary and the commit inadvertently dropped
+the file type check with it allowing any file to slip through.  With the
+invarients broken, the d_name and parent accesses can now race against
+renames and removals of arbitrary files and cause use-after-free's.
+
+Fix the bug by resurrecting the file type check in __file_cft().  Now that
+cgroupfs is implemented through kernfs, checking the file operations needs
+to go through a layer of indirection.  Instead, let's check the superblock
+and dentry type.
+
+Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org
+Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft")
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Jann Horn <jannh@google.com>
+Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: <stable@vger.kernel.org>   [3.14+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/cgroup.h          |    1 +
+ kernel/cgroup/cgroup-internal.h |    1 -
+ mm/memcontrol.c                 |   15 +++++++++++++--
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -68,6 +68,7 @@ struct css_task_iter {
+       struct list_head                iters_node;     /* css_set->task_iters */
+ };
++extern struct file_system_type cgroup_fs_type;
+ extern struct cgroup_root cgrp_dfl_root;
+ extern struct css_set init_css_set;
+--- a/kernel/cgroup/cgroup-internal.h
++++ b/kernel/cgroup/cgroup-internal.h
+@@ -168,7 +168,6 @@ extern struct mutex cgroup_mutex;
+ extern spinlock_t css_set_lock;
+ extern struct cgroup_subsys *cgroup_subsys[];
+ extern struct list_head cgroup_roots;
+-extern struct file_system_type cgroup_fs_type;
+ /* iterate across the hierarchies */
+ #define for_each_root(root)                                           \
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4772,6 +4772,7 @@ static ssize_t memcg_write_event_control
+       unsigned int efd, cfd;
+       struct fd efile;
+       struct fd cfile;
++      struct dentry *cdentry;
+       const char *name;
+       char *endp;
+       int ret;
+@@ -4826,6 +4827,16 @@ static ssize_t memcg_write_event_control
+               goto out_put_cfile;
+       /*
++       * The control file must be a regular cgroup1 file. As a regular cgroup
++       * file can't be renamed, it's safe to access its name afterwards.
++       */
++      cdentry = cfile.file->f_path.dentry;
++      if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) {
++              ret = -EINVAL;
++              goto out_put_cfile;
++      }
++
++      /*
+        * Determine the event callbacks and set them in @event.  This used
+        * to be done via struct cftype but cgroup core no longer knows
+        * about these events.  The following is crude but the whole thing
+@@ -4833,7 +4844,7 @@ static ssize_t memcg_write_event_control
+        *
+        * DO NOT ADD NEW FILES.
+        */
+-      name = cfile.file->f_path.dentry->d_name.name;
++      name = cdentry->d_name.name;
+       if (!strcmp(name, "memory.usage_in_bytes")) {
+               event->register_event = mem_cgroup_usage_register_event;
+@@ -4857,7 +4868,7 @@ static ssize_t memcg_write_event_control
+        * automatically removed on cgroup destruction but the removal is
+        * asynchronous, so take an extra ref on @css.
+        */
+-      cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent,
++      cfile_css = css_tryget_online_from_dir(cdentry->d_parent,
+                                              &memory_cgrp_subsys);
+       ret = -EINVAL;
+       if (IS_ERR(cfile_css))
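Review bot: The new comment above the `cdentry` check explains why `d_name` is safe to read afterwards but not why `cdentry->d_parent`, used later in the `css_tryget_online_from_dir()` call that this hunk also changes, is safe; the commit message gives the reason — cgroup interface files cannot be removed before their directory — and that invariant is what the second access relies on. Suggest extending the comment to `* file can't be renamed, and can't be removed before its directory, it's safe to access its name and parent afterwards.` so the next reader does not have to dig through history. The check correctly precedes both accesses, and moving the `cgroup_fs_type` declaration to include/linux/cgroup.h is the minimal way to make it reachable from mm/memcontrol.c. memcg_write_event_control() starts and ends outside this hunk.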
diff --git a/queue-6.0/mm-gup-fix-gup_pud_range-for-dax.patch b/queue-6.0/mm-gup-fix-gup_pud_range-for-dax.patch
new file mode 100644 (file)
index 0000000..32f6e5a
--- /dev/null
@@ -0,0 +1,87 @@
+From fcd0ccd836ffad73d98a66f6fea7b16f735ea920 Mon Sep 17 00:00:00 2001
+From: John Starks <jostarks@microsoft.com>
+Date: Tue, 6 Dec 2022 22:00:53 -0800
+Subject: mm/gup: fix gup_pud_range() for dax
+
+From: John Starks <jostarks@microsoft.com>
+
+commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920 upstream.
+
+For dax pud, pud_huge() returns true on x86. So the function works as long
+as hugetlb is configured. However, dax doesn't depend on hugetlb.
+Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed
+devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
+well.
+
+This fixes the below kernel panic:
+
+general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
+       < snip >
+Call Trace:
+<TASK>
+get_user_pages_fast+0x1f/0x40
+iov_iter_get_pages+0xc6/0x3b0
+? mempool_alloc+0x5d/0x170
+bio_iov_iter_get_pages+0x82/0x4e0
+? bvec_alloc+0x91/0xc0
+? bio_alloc_bioset+0x19a/0x2a0
+blkdev_direct_IO+0x282/0x480
+? __io_complete_rw_common+0xc0/0xc0
+? filemap_range_has_page+0x82/0xc0
+generic_file_direct_write+0x9d/0x1a0
+? inode_update_time+0x24/0x30
+__generic_file_write_iter+0xbd/0x1e0
+blkdev_write_iter+0xb4/0x150
+? io_import_iovec+0x8d/0x340
+io_write+0xf9/0x300
+io_issue_sqe+0x3c3/0x1d30
+? sysvec_reschedule_ipi+0x6c/0x80
+__io_queue_sqe+0x33/0x240
+? fget+0x76/0xa0
+io_submit_sqes+0xe6a/0x18d0
+? __fget_light+0xd1/0x100
+__x64_sys_io_uring_enter+0x199/0x880
+? __context_tracking_enter+0x1f/0x70
+? irqentry_exit_to_user_mode+0x24/0x30
+? irqentry_exit+0x1d/0x30
+? __context_tracking_exit+0xe/0x70
+do_syscall_64+0x3b/0x90
+entry_SYSCALL_64_after_hwframe+0x61/0xcb
+RIP: 0033:0x7fc97c11a7be
+       < snip >
+</TASK>
+---[ end trace 48b2e0e67debcaeb ]---
+RIP: 0010:internal_get_user_pages_fast+0x340/0x990
+       < snip >
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: disabled
+
+Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com
+Fixes: 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax")
+Signed-off-by: John Starks <jostarks@microsoft.com>
+Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/gup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -2818,7 +2818,7 @@ static int gup_pud_range(p4d_t *p4dp, p4
+               next = pud_addr_end(addr, end);
+               if (unlikely(!pud_present(pud)))
+                       return 0;
+-              if (unlikely(pud_huge(pud))) {
++              if (unlikely(pud_huge(pud) || pud_devmap(pud))) {
+                       if (!gup_huge_pud(pud, pudp, addr, next, flags,
+                                         pages, nr))
+                               return 0;
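Review bot: The new condition `pud_huge(pud) || pud_devmap(pud)` carries no comment saying why both predicates are needed, and the commit message is the only place recording that `pud_huge()` covers hugetlb only while DAX devmap PUDs must take the same `gup_huge_pud()` path. Suggest a one-line comment above it, e.g. `/* pud_huge() only covers hugetlb; DAX devmap PUDs are huge too */`, mirroring whatever the earlier PMD-level fix documents in gup_pmd_range() (not visible here). gup_pud_range() starts and ends outside this hunk, so whether `gup_huge_pud()` handles the devmap case on every architecture where this path is reachable cannot be confirmed from the hunk.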
diff --git a/queue-6.0/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch b/queue-6.0/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch
new file mode 100644 (file)
index 0000000..6451ac5
--- /dev/null
@@ -0,0 +1,82 @@
+From f8bac7f9fdb0017b32157957ffffd490f95faa07 Mon Sep 17 00:00:00 2001
+From: "Radu Nicolae Pirea (OSS)" <radu-nicolae.pirea@oss.nxp.com>
+Date: Wed, 7 Dec 2022 15:23:47 +0200
+Subject: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
+
+From: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+commit f8bac7f9fdb0017b32157957ffffd490f95faa07 upstream.
+
+The SJA1105 family has 45 L2 policing table entries
+(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
+(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
+accounting for the difference in port count (5 in SJA1105 vs 10 in
+SJA1110) does not fully explain the difference. Rather, the SJA1110 also
+has L2 ingress policers for multicast traffic. If a packet is classified
+as multicast, it will be processed by the policer index 99 + SRCPORT.
+
+The sja1105_init_l2_policing() function initializes all L2 policers such
+that they don't interfere with normal packet reception by default. To have
+a common code between SJA1105 and SJA1110, the index of the multicast
+policer for the port is calculated because it's an index that is out of
+bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
+performed.
+
+The code fails to do the proper thing when determining what to do with the
+multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
+index will be equal to 45, which is also equal to
+table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
+through the check. But at the same time, SJA1105 doesn't have multicast
+policers. So the code programs the SHARINDX field of an out-of-bounds
+element in the L2 Policing table of the static config.
+
+The comparison between index 45 and 45 entries should have determined the
+code to not access this policer index on SJA1105, since its memory wasn't
+even allocated.
+
+With enough bad luck, the out-of-bounds write could even overwrite other
+valid kernel data, but in this case, the issue was detected using KASAN.
+
+Kernel log:
+
+sja1105 spi5.0: Probed switch chip: SJA1105Q
+==================================================================
+BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
+Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
+...
+Workqueue: events_unbound deferred_probe_work_func
+Call trace:
+...
+sja1105_setup+0x1cbc/0x2340
+dsa_register_switch+0x1284/0x18d0
+sja1105_probe+0x748/0x840
+...
+Allocated by task 8:
+...
+sja1105_setup+0x1bcc/0x2340
+dsa_register_switch+0x1284/0x18d0
+sja1105_probe+0x748/0x840
+...
+
+Fixes: 38fbe91f2287 ("net: dsa: sja1105: configure the multicast policers, if present")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1038,7 +1038,7 @@ static int sja1105_init_l2_policing(stru
+               policing[bcast].sharindx = port;
+               /* Only SJA1110 has multicast policers */
+-              if (mcast <= table->ops->max_entry_count)
++              if (mcast < table->ops->max_entry_count)
+                       policing[mcast].sharindx = port;
+       }
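Review bot: The corrected comparison `mcast < table->ops->max_entry_count` is right, but the sibling write `policing[bcast].sharindx = port;` two lines above it remains unchecked, so the loop still relies on `bcast` being in bounds by construction for every supported port count; that is presumably true (the commit message only discusses the multicast index), but nothing in the loop says so. Suggest a comment on the check explaining the strictness, e.g. `/* mcast is an index: only SJA1110 sizes the table large enough to hold it */`, or a `WARN_ON()` on the `bcast` bound if the table sizing is not obvious elsewhere. sja1105_init_l2_policing() starts and ends outside this hunk, so the `bcast`/`mcast` derivations are not visible.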
diff --git a/queue-6.0/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch b/queue-6.0/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch
new file mode 100644 (file)
index 0000000..7d1ff8d
--- /dev/null
@@ -0,0 +1,103 @@
+From 18010ff776fa42340efc428b3ea6d19b3e7c7b21 Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Fri, 2 Dec 2022 11:43:10 -0800
+Subject: net: mana: Fix race on per-CQ variable napi work_done
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+commit 18010ff776fa42340efc428b3ea6d19b3e7c7b21 upstream.
+
+After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be
+cleared, and another CPU can start napi thread and access per-CQ variable,
+cq->work_done. If the other thread (for example, from busy_poll) sets
+it to a value >= budget, this thread will continue to run when it should
+stop, and cause memory corruption and panic.
+
+To fix this issue, save the per-CQ work_done variable in a local variable
+before napi_complete_done(), so it won't be corrupted by a possible
+concurrent thread after napi_complete_done().
+
+Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done
+variable race is fixed, so the driver is able to reliably support features
+like busy_poll.
+
+Cc: stable@vger.kernel.org
+Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://lore.kernel.org/r/1670010190-28595-1-git-send-email-haiyangz@microsoft.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microsoft/mana/gdma.h    |    9 ++++++++-
+ drivers/net/ethernet/microsoft/mana/mana_en.c |   16 +++++++++++-----
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/gdma.h
++++ b/drivers/net/ethernet/microsoft/mana/gdma.h
+@@ -498,7 +498,14 @@ enum {
+ #define GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT BIT(0)
+-#define GDMA_DRV_CAP_FLAGS1 GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT
++/* Advertise to the NIC firmware: the NAPI work_done variable race is fixed,
++ * so the driver is able to reliably support features like busy_poll.
++ */
++#define GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX BIT(2)
++
++#define GDMA_DRV_CAP_FLAGS1 \
++      (GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \
++       GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX)
+ #define GDMA_DRV_CAP_FLAGS2 0
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -1303,10 +1303,11 @@ static void mana_poll_rx_cq(struct mana_
+               xdp_do_flush();
+ }
+-static void mana_cq_handler(void *context, struct gdma_queue *gdma_queue)
++static int mana_cq_handler(void *context, struct gdma_queue *gdma_queue)
+ {
+       struct mana_cq *cq = context;
+       u8 arm_bit;
++      int w;
+       WARN_ON_ONCE(cq->gdma_cq != gdma_queue);
+@@ -1315,26 +1316,31 @@ static void mana_cq_handler(void *contex
+       else
+               mana_poll_tx_cq(cq);
+-      if (cq->work_done < cq->budget &&
+-          napi_complete_done(&cq->napi, cq->work_done)) {
++      w = cq->work_done;
++
++      if (w < cq->budget &&
++          napi_complete_done(&cq->napi, w)) {
+               arm_bit = SET_ARM_BIT;
+       } else {
+               arm_bit = 0;
+       }
+       mana_gd_ring_cq(gdma_queue, arm_bit);
++
++      return w;
+ }
+ static int mana_poll(struct napi_struct *napi, int budget)
+ {
+       struct mana_cq *cq = container_of(napi, struct mana_cq, napi);
++      int w;
+       cq->work_done = 0;
+       cq->budget = budget;
+-      mana_cq_handler(cq, cq->gdma_cq);
++      w = mana_cq_handler(cq, cq->gdma_cq);
+-      return min(cq->work_done, budget);
++      return min(w, budget);
+ }
+ static void mana_schedule_napi(void *context, struct gdma_queue *gdma_queue)
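Review bot: The snapshot `w = cq->work_done;` in mana_cq_handler() is the whole fix, but the code does not say why a local copy is taken, so a later cleanup could fold it back into `cq->work_done` and silently reintroduce the race. Suggest a comment above it, e.g. `/* Snapshot before napi_complete_done(): once NAPIF_STATE_SCHED is cleared another CPU may poll this CQ and rewrite cq->work_done. */`. In gdma.h the new capability is `BIT(2)` while `BIT(1)` is not defined on the visible lines; if bit 1 is reserved by the firmware ABI, a one-line comment noting that would prevent a future collision. The change of mana_cq_handler() from `void` to `int` is safe as far as this hunk shows, assuming it is only called from mana_poll() and is not itself registered as the `void`-returning gdma queue callback — worth confirming, since only mana_schedule_napi()'s signature is visible here.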
diff --git a/queue-6.0/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch b/queue-6.0/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch
new file mode 100644 (file)
index 0000000..171ca78
--- /dev/null
@@ -0,0 +1,47 @@
+From ef19964da8a668c683f1d38274f6fb756e047945 Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+Date: Mon, 5 Dec 2022 16:23:27 +0100
+Subject: Revert "ARM: dts: imx7: Fix NAND controller size-cells"
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+commit ef19964da8a668c683f1d38274f6fb756e047945 upstream.
+
+This reverts commit 753395ea1e45c724150070b5785900b6a44bd5fb.
+
+It introduced a boot regression on colibri-imx7, and potentially any
+other i.MX7 boards with MTD partition list generated into the fdt by
+U-Boot.
+
+While the commit we are reverting here is not obviously wrong, it fixes
+only a dt binding checker warning that is non-functional, while it
+introduces a boot regression and there is no obvious fix ready.
+
+Fixes: 753395ea1e45 ("ARM: dts: imx7: Fix NAND controller size-cells")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Acked-by: Marek Vasut <marex@denx.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/Y4dgBTGNWpM6SQXI@francesco-nb.int.toradex.com/
+Link: https://lore.kernel.org/all/20221205144917.6514168a@xps-13/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx7s.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -1270,10 +1270,10 @@
+                       clocks = <&clks IMX7D_NAND_USDHC_BUS_RAWNAND_CLK>;
+               };
+-              gpmi: nand-controller@33002000 {
++              gpmi: nand-controller@33002000{
+                       compatible = "fsl,imx7d-gpmi-nand";
+                       #address-cells = <1>;
+-                      #size-cells = <0>;
++                      #size-cells = <1>;
+                       reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
+                       reg-names = "gpmi-nand", "bch";
+                       interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
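Review bot: The revert restores `#size-cells = <1>` without recording in the dts why the binding-checker-preferred `<0>` breaks boot, so the next person chasing the dt-schema warning is likely to re-apply the reverted change. Suggest a comment on the property, e.g. `/* Must stay <1>: U-Boot appends MTD partition nodes whose reg entries carry a size cell */`, which captures the reason given in the commit message. The revert also brings back `nand-controller@33002000{` with no space before the brace; a straight revert is the right call here, but a follow-up could restore the space on its own.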
diff --git a/queue-6.0/selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch b/queue-6.0/selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch
new file mode 100644 (file)
index 0000000..d6d487e
--- /dev/null
@@ -0,0 +1,43 @@
+From 6648eadba8d6b37c8e6cb1b906f68509b3b39385 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Thu, 1 Dec 2022 21:18:52 +0800
+Subject: selftests/tls: Fix tls selftests dependency to correct algorithm
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+commit 6648eadba8d6b37c8e6cb1b906f68509b3b39385 upstream.
+
+Commit d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory") moves
+SM3 and SM4 algorithm implementations from stand-alone library to crypto
+API. The corresponding configuration options for the API version (generic)
+are CONFIG_CRYPTO_SM3_GENERIC and CONFIG_CRYPTO_SM4_GENERIC, respectively.
+
+Replace option selected in selftests configuration from the library version
+to the API version.
+
+Fixes: d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20221201131852.38501-1-tianjia.zhang@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
+index ead7963b9bf0..bd89198cd817 100644
+--- a/tools/testing/selftests/net/config
++++ b/tools/testing/selftests/net/config
+@@ -43,5 +43,5 @@ CONFIG_NET_ACT_TUNNEL_KEY=m
+ CONFIG_NET_ACT_MIRRED=m
+ CONFIG_BAREUDP=m
+ CONFIG_IPV6_IOAM6_LWTUNNEL=y
+-CONFIG_CRYPTO_SM4=y
++CONFIG_CRYPTO_SM4_GENERIC=y
+ CONFIG_AMT=m
+-- 
+2.38.1
+
index 10400fb7d6f57d96c3926f536b0a2e83f137d5f2..efc2541fabed6108278650536cdb8e6ab6ff4c96 100644 (file)
@@ -54,3 +54,31 @@ xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
 media-videobuf2-core-take-mmap_lock-in-vb2_get_unmap.patch
 fscache-fix-oops-due-to-race-with-cookie_lru-and-use.patch
 soundwire-intel-initialize-clock-stop-timeout.patch
+revert-arm-dts-imx7-fix-nand-controller-size-cells.patch
+media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
+memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
+mm-gup-fix-gup_pud_range-for-dax.patch
+tmpfs-fix-data-loss-from-failed-fallocate.patch
+bluetooth-btusb-fix-csr-clones-again-by-re-adding-err_data_reporting-quirk.patch
+bluetooth-btusb-add-debug-message-for-csr-controllers.patch
+bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch
+selftests-tls-fix-tls-selftests-dependency-to-correct-algorithm.patch
+net-mana-fix-race-on-per-cq-variable-napi-work_done.patch
+io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch
+hid-uclogic-fix-frame-templates-for-big-endian-architectures.patch
+kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
+drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch
+can-can327-flush-tx_work-on-ldisc-.close.patch
+can-slcan-fix-freed-work-crash.patch
+can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch
+drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch
+drm-amd-display-fix-array-index-out-of-bound-error-in-dcn32-dml.patch
+drm-shmem-helper-remove-errant-put-in-error-path.patch
+drm-shmem-helper-avoid-vm_open-error-paths.patch
+net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch
+hid-usbhid-add-always_poll-quirk-for-some-mice.patch
+hid-fix-i2c_hid-not-selected-when-i2c_hid_of_elan-is.patch
+hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
+hid-hid-lg4ff-add-check-for-empty-lbuf.patch
+hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
+hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
diff --git a/queue-6.0/tmpfs-fix-data-loss-from-failed-fallocate.patch b/queue-6.0/tmpfs-fix-data-loss-from-failed-fallocate.patch
new file mode 100644 (file)
index 0000000..6f459ff
--- /dev/null
@@ -0,0 +1,64 @@
+From 44bcabd70cf1425b4243e02251c02b01638a8287 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Sun, 4 Dec 2022 16:51:50 -0800
+Subject: tmpfs: fix data loss from failed fallocate
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 44bcabd70cf1425b4243e02251c02b01638a8287 upstream.
+
+Fix tmpfs data loss when the fallocate system call is interrupted by a
+signal, or fails for some other reason.  The partial folio handling in
+shmem_undo_range() forgot to consider this unfalloc case, and was liable
+to erase or truncate out data which had already been committed earlier.
+
+It turns out that none of the partial folio handling there is appropriate
+for the unfalloc case, which just wants to proceed to removal of whole
+folios: which find_get_entries() provides, even when partially covered.
+
+Original patch by Rui Wang.
+
+Link: https://lore.kernel.org/linux-mm/33b85d82.7764.1842e9ab207.Coremail.chenguoqic@163.com/
+Link: https://lkml.kernel.org/r/a5dac112-cf4b-7af-a33-f386e347fd38@google.com
+Fixes: b9a8a4195c7d ("truncate,shmem: Handle truncates that split large folios")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Reported-by: Guoqi Chen <chenguoqic@163.com>
+  Link: https://lore.kernel.org/all/20221101032248.819360-1-kernel@hev.cc/
+Cc: Rui Wang <kernel@hev.cc>
+Cc: Huacai Chen <chenhuacai@loongson.cn>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Cc: <stable@vger.kernel.org>   [5.17+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -958,6 +958,15 @@ static void shmem_undo_range(struct inod
+               index++;
+       }
++      /*
++       * When undoing a failed fallocate, we want none of the partial folio
++       * zeroing and splitting below, but shall want to truncate the whole
++       * folio when !uptodate indicates that it was added by this fallocate,
++       * even when [lstart, lend] covers only a part of the folio.
++       */
++      if (unfalloc)
++              goto whole_folios;
++
+       same_folio = (lstart >> PAGE_SHIFT) == (lend >> PAGE_SHIFT);
+       folio = shmem_get_partial_folio(inode, lstart >> PAGE_SHIFT);
+       if (folio) {
+@@ -983,6 +992,8 @@ static void shmem_undo_range(struct inod
+               folio_put(folio);
+       }
++whole_folios:
++
+       index = start;
+       while (index < end) {
+               cond_resched();