--- /dev/null
+From 991927d7e4023c512d12f0981b87490dc69cc7ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 10:04:24 +0800
+Subject: 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 74a25e6e916cb57dab4267a96fbe8864ed21abdb ]
+
+When down_interruptible() or ib_post_send() failed in rdma_request(),
+receive dma buffer is not unmapped. Add unmap action to error path.
+Also if ib_post_recv() failed in post_recv(), dma buffer is not unmapped.
+Add unmap action to error path.
+
+Link: https://lkml.kernel.org/r/20230104020424.611926-1-shaozhengchao@huawei.com
+Fixes: fc79d4b104f0 ("9p: rdma: RDMA Transport Support for 9P")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_rdma.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index 2885ff9c76f07..7217bd9886e36 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -386,6 +386,7 @@ post_recv(struct p9_client *client, struct p9_rdma_context *c)
+ struct p9_trans_rdma *rdma = client->trans;
+ struct ib_recv_wr wr;
+ struct ib_sge sge;
++ int ret;
+
+ c->busa = ib_dma_map_single(rdma->cm_id->device,
+ c->rc.sdata, client->msize,
+@@ -403,7 +404,12 @@ post_recv(struct p9_client *client, struct p9_rdma_context *c)
+ wr.wr_cqe = &c->cqe;
+ wr.sg_list = &sge;
+ wr.num_sge = 1;
+- return ib_post_recv(rdma->qp, &wr, NULL);
++
++ ret = ib_post_recv(rdma->qp, &wr, NULL);
++ if (ret)
++ ib_dma_unmap_single(rdma->cm_id->device, c->busa,
++ client->msize, DMA_FROM_DEVICE);
++ return ret;
+
+ error:
+ p9_debug(P9_DEBUG_ERROR, "EIO\n");
+@@ -500,7 +506,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+
+ if (down_interruptible(&rdma->sq_sem)) {
+ err = -EINTR;
+- goto send_error;
++ goto dma_unmap;
+ }
+
+ /* Mark request as `sent' *before* we actually send it,
+@@ -510,11 +516,14 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+ req->status = REQ_STATUS_SENT;
+ err = ib_post_send(rdma->qp, &wr, NULL);
+ if (err)
+- goto send_error;
++ goto dma_unmap;
+
+ /* Success */
+ return 0;
+
++dma_unmap:
++ ib_dma_unmap_single(rdma->cm_id->device, c->busa,
++ c->req->tc.size, DMA_TO_DEVICE);
+ /* Handle errors that happened during or while preparing the send: */
+ send_error:
+ req->status = REQ_STATUS_ERROR;
+--
+2.39.2
+
--- /dev/null
+From 42b23da209c04798698d552824e7ed081a0d85e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 12:30:36 +0100
+Subject: 9p/xen: fix connection sequence
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c15fe55d14b3b4ded5af2a3260877460a6ffb8ad ]
+
+Today the connection sequence of the Xen 9pfs frontend doesn't match
+the documented sequence. It can work reliably only for a PV 9pfs device
+having been added at boot time already, as the frontend is not waiting
+for the backend to have set its state to "XenbusStateInitWait" before
+reading the backend properties from Xenstore.
+
+Fix that by following the documented sequence [1] (the documentation
+has a bug, so the reference is for the patch fixing that).
+
+[1]: https://lore.kernel.org/xen-devel/20230130090937.31623-1-jgross@suse.com/T/#u
+
+Link: https://lkml.kernel.org/r/20230130113036.7087-3-jgross@suse.com
+Fixes: 868eb122739a ("xen/9pfs: introduce Xen 9pfs transport driver")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_xen.c | 38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index d8ed75e8dbb1d..220e8f4ac0cfe 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -393,12 +393,11 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev,
+ return ret;
+ }
+
+-static int xen_9pfs_front_probe(struct xenbus_device *dev,
+- const struct xenbus_device_id *id)
++static int xen_9pfs_front_init(struct xenbus_device *dev)
+ {
+ int ret, i;
+ struct xenbus_transaction xbt;
+- struct xen_9pfs_front_priv *priv = NULL;
++ struct xen_9pfs_front_priv *priv = dev_get_drvdata(&dev->dev);
+ char *versions, *v;
+ unsigned int max_rings, max_ring_order, len = 0;
+
+@@ -426,11 +425,6 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ if (p9_xen_trans.maxsize > XEN_FLEX_RING_SIZE(max_ring_order))
+ p9_xen_trans.maxsize = XEN_FLEX_RING_SIZE(max_ring_order) / 2;
+
+- priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+- if (!priv)
+- return -ENOMEM;
+-
+- priv->dev = dev;
+ priv->num_rings = XEN_9PFS_NUM_RINGS;
+ priv->rings = kcalloc(priv->num_rings, sizeof(*priv->rings),
+ GFP_KERNEL);
+@@ -489,23 +483,35 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ goto error;
+ }
+
+- write_lock(&xen_9pfs_lock);
+- list_add_tail(&priv->list, &xen_9pfs_devs);
+- write_unlock(&xen_9pfs_lock);
+- dev_set_drvdata(&dev->dev, priv);
+- xenbus_switch_state(dev, XenbusStateInitialised);
+-
+ return 0;
+
+ error_xenbus:
+ xenbus_transaction_end(xbt, 1);
+ xenbus_dev_fatal(dev, ret, "writing xenstore");
+ error:
+- dev_set_drvdata(&dev->dev, NULL);
+ xen_9pfs_front_free(priv);
+ return ret;
+ }
+
++static int xen_9pfs_front_probe(struct xenbus_device *dev,
++ const struct xenbus_device_id *id)
++{
++ struct xen_9pfs_front_priv *priv = NULL;
++
++ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
++ if (!priv)
++ return -ENOMEM;
++
++ priv->dev = dev;
++ dev_set_drvdata(&dev->dev, priv);
++
++ write_lock(&xen_9pfs_lock);
++ list_add_tail(&priv->list, &xen_9pfs_devs);
++ write_unlock(&xen_9pfs_lock);
++
++ return 0;
++}
++
+ static int xen_9pfs_front_resume(struct xenbus_device *dev)
+ {
+ dev_warn(&dev->dev, "suspend/resume unsupported\n");
+@@ -524,6 +530,8 @@ static void xen_9pfs_front_changed(struct xenbus_device *dev,
+ break;
+
+ case XenbusStateInitWait:
++ if (!xen_9pfs_front_init(dev))
++ xenbus_switch_state(dev, XenbusStateInitialised);
+ break;
+
+ case XenbusStateConnected:
+--
+2.39.2
+
--- /dev/null
+From 63b7312dd4ed7bbfd6fc2ecb8b9d68c8de69196f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 12:30:35 +0100
+Subject: 9p/xen: fix version parsing
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit f1956f4ec15195ec60976d9b5625326285ab102e ]
+
+When connecting the Xen 9pfs frontend to the backend, the "versions"
+Xenstore entry written by the backend is parsed in a wrong way.
+
+The "versions" entry is defined to contain the versions supported by
+the backend separated by commas (e.g. "1,2"). Today only version "1"
+is defined. Unfortunately the frontend doesn't look for "1" being
+listed in the entry, but it is expecting the entry to have the value
+"1".
+
+This will result in failure as soon as the backend will support e.g.
+versions "1" and "2".
+
+Fix that by scanning the entry correctly.
+
+Link: https://lkml.kernel.org/r/20230130113036.7087-2-jgross@suse.com
+Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_xen.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index 6c8a33f98f093..d8ed75e8dbb1d 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -399,13 +399,19 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ int ret, i;
+ struct xenbus_transaction xbt;
+ struct xen_9pfs_front_priv *priv = NULL;
+- char *versions;
++ char *versions, *v;
+ unsigned int max_rings, max_ring_order, len = 0;
+
+ versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
+ if (IS_ERR(versions))
+ return PTR_ERR(versions);
+- if (strcmp(versions, "1")) {
++ for (v = versions; *v; v++) {
++ if (simple_strtoul(v, &v, 10) == 1) {
++ v = NULL;
++ break;
++ }
++ }
++ if (v) {
+ kfree(versions);
+ return -EINVAL;
+ }
+--
+2.39.2
+
--- /dev/null
+From 794ddc439bf829dd9b6641862e93e120888cae81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 17:22:37 +0100
+Subject: ARM: dts: spear320-hmi: correct STMPE GPIO compatible
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 33a0c1b850c8c85f400531dab3a0b022cdb164b1 ]
+
+The compatible is st,stmpe-gpio.
+
+Fixes: e2eb69183ec4 ("ARM: SPEAr320: DT: Add SPEAr 320 HMI board support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://lore.kernel.org/r/20230225162237.40242-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/spear320-hmi.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/spear320-hmi.dts b/arch/arm/boot/dts/spear320-hmi.dts
+index 367ba48aac3e5..5c562fb4886f4 100644
+--- a/arch/arm/boot/dts/spear320-hmi.dts
++++ b/arch/arm/boot/dts/spear320-hmi.dts
+@@ -242,7 +242,7 @@
+ irq-trigger = <0x1>;
+
+ stmpegpio: stmpe-gpio {
+- compatible = "stmpe,gpio";
++ compatible = "st,stmpe-gpio";
+ reg = <0>;
+ gpio-controller;
+ #gpio-cells = <2>;
+--
+2.39.2
+
--- /dev/null
+From d9949bfeb9fe1da40bb4252fd8c0a08bf654a519 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Feb 2023 11:45:51 +0100
+Subject: ASoC: adau7118: don't disable regulators on device unbind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+[ Upstream commit b5bfa7277ee7d944421e0ef193586c6e34d7492c ]
+
+The regulators are supposed to be controlled through the
+set_bias_level() component callback. Moreover, the regulators are not
+enabled during probe and so, this would lead to a regulator unbalanced
+use count.
+
+Fixes: ca514c0f12b02 ("ASOC: Add ADAU7118 8 Channel PDM-to-I2S/TDM Converter driver")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20230224104551.1139981-1-nuno.sa@analog.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/adau7118.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/sound/soc/codecs/adau7118.c b/sound/soc/codecs/adau7118.c
+index 841229dcbca10..305f294b7710e 100644
+--- a/sound/soc/codecs/adau7118.c
++++ b/sound/soc/codecs/adau7118.c
+@@ -445,22 +445,6 @@ static const struct snd_soc_component_driver adau7118_component_driver = {
+ .non_legacy_dai_naming = 1,
+ };
+
+-static void adau7118_regulator_disable(void *data)
+-{
+- struct adau7118_data *st = data;
+- int ret;
+- /*
+- * If we fail to disable DVDD, don't bother in trying IOVDD. We
+- * actually don't want to be left in the situation where DVDD
+- * is enabled and IOVDD is disabled.
+- */
+- ret = regulator_disable(st->dvdd);
+- if (ret)
+- return;
+-
+- regulator_disable(st->iovdd);
+-}
+-
+ static int adau7118_regulator_setup(struct adau7118_data *st)
+ {
+ st->iovdd = devm_regulator_get(st->dev, "iovdd");
+@@ -482,8 +466,7 @@ static int adau7118_regulator_setup(struct adau7118_data *st)
+ regcache_cache_only(st->map, true);
+ }
+
+- return devm_add_action_or_reset(st->dev, adau7118_regulator_disable,
+- st);
++ return 0;
+ }
+
+ static int adau7118_parset_dt(const struct adau7118_data *st)
+--
+2.39.2
+
--- /dev/null
+From 14bacd122323de4b981469df7ba3deda3ca8580c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 09:58:26 +0100
+Subject: ASoC: zl38060 add gpiolib dependency
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 0de2cc3707b6b6e2ad40bd24ce09a5c1f65d01e1 ]
+
+Without gpiolib, this driver fails to link:
+
+arm-linux-gnueabi-ld: sound/soc/codecs/zl38060.o: in function `chip_gpio_get':
+zl38060.c:(.text+0x30): undefined reference to `gpiochip_get_data'
+arm-linux-gnueabi-ld: sound/soc/codecs/zl38060.o: in function `zl38_spi_probe':
+zl38060.c:(.text+0xa18): undefined reference to `devm_gpiochip_add_data_with_key'
+
+This appears to have been in the driver since the start, but is hard to
+hit in randconfig testing since gpiolib is almost always selected by something
+else.
+
+Fixes: 52e8a94baf90 ("ASoC: Add initial ZL38060 driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230227085850.2503725-1-arnd@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig
+index a96f18a9479e8..f1c9e563994b2 100644
+--- a/sound/soc/codecs/Kconfig
++++ b/sound/soc/codecs/Kconfig
+@@ -1701,6 +1701,7 @@ config SND_SOC_WSA881X
+ config SND_SOC_ZL38060
+ tristate "Microsemi ZL38060 Connected Home Audio Processor"
+ depends on SPI_MASTER
++ depends on GPIOLIB
+ select REGMAP
+ help
+ Support for ZL38060 Connected Home Audio Processor from Microsemi,
+--
+2.39.2
+
--- /dev/null
+From 31511684e56518e7ba94abae3a3d7fa43c48a613 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Feb 2022 19:23:32 +0000
+Subject: ASoC: zl38060: Remove spurious gpiolib select
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 8e70aaae32b72d3088d18a3447b67112b3f5979a ]
+
+The usage of GPIOs is optional in the code so don't force on gpiolib when
+building it, avoiding warnings in randconfigs.
+
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20220202192333.3655269-6-broonie@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 0de2cc3707b6 ("ASoC: zl38060 add gpiolib dependency")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig
+index 25f331551f689..a96f18a9479e8 100644
+--- a/sound/soc/codecs/Kconfig
++++ b/sound/soc/codecs/Kconfig
+@@ -1701,7 +1701,6 @@ config SND_SOC_WSA881X
+ config SND_SOC_ZL38060
+ tristate "Microsemi ZL38060 Connected Home Audio Processor"
+ depends on SPI_MASTER
+- select GPIOLIB
+ select REGMAP
+ help
+ Support for ZL38060 Connected Home Audio Processor from Microsemi,
+--
+2.39.2
+
--- /dev/null
+From 86f69658153264a2773fe7a53b08dce45722bf4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 08:27:49 +0900
+Subject: bootconfig: Increase max nodes of bootconfig from 1024 to 8192 for
+ DCC support
+
+From: Souradeep Chowdhury <quic_schowdhu@quicinc.com>
+
+[ Upstream commit 6c40624930c58529185a257380442547580ed837 ]
+
+The Data Capture and Compare(DCC) is a debugging tool that uses the bootconfig
+for configuring the register values during boot-time. Increase the max nodes
+supported by bootconfig to cater to the requirements of the Data Capture and
+Compare Driver.
+
+Link: https://lore.kernel.org/all/1674536682-18404-1-git-send-email-quic_schowdhu@quicinc.com/
+
+Signed-off-by: Souradeep Chowdhury <quic_schowdhu@quicinc.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bootconfig.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/bootconfig.h b/include/linux/bootconfig.h
+index 2696eb0fc1497..df9cbf02d0303 100644
+--- a/include/linux/bootconfig.h
++++ b/include/linux/bootconfig.h
+@@ -29,7 +29,7 @@ struct xbc_node {
+ /* Maximum size of boot config is 32KB - 1 */
+ #define XBC_DATA_MAX (XBC_VALUE - 1)
+
+-#define XBC_NODE_MAX 1024
++#define XBC_NODE_MAX 8192
+ #define XBC_KEYLEN_MAX 256
+ #define XBC_DEPTH_MAX 16
+
+--
+2.39.2
+
--- /dev/null
+From f97033576a0b1cfbd984cb9128364e5fc4969af0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 15:33:00 -0700
+Subject: f2fs: use memcpy_{to,from}_page() where possible
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit b87846bd61c7c09560617da416208a5454530d57 ]
+
+This is simpler, and as a side effect it replaces several uses of
+kmap_atomic() with its recommended replacement kmap_local_page().
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: b1b9896718bc ("fs: f2fs: initialize fsdata in pagecache_write()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inline.c | 15 ++++-----------
+ fs/f2fs/super.c | 11 ++---------
+ fs/f2fs/verity.c | 10 ++--------
+ 3 files changed, 8 insertions(+), 28 deletions(-)
+
+diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
+index 4e794c1390cc1..df1a0cbfa1be4 100644
+--- a/fs/f2fs/inline.c
++++ b/fs/f2fs/inline.c
+@@ -64,7 +64,6 @@ bool f2fs_may_inline_dentry(struct inode *inode)
+ void f2fs_do_read_inline_data(struct page *page, struct page *ipage)
+ {
+ struct inode *inode = page->mapping->host;
+- void *src_addr, *dst_addr;
+
+ if (PageUptodate(page))
+ return;
+@@ -74,11 +73,8 @@ void f2fs_do_read_inline_data(struct page *page, struct page *ipage)
+ zero_user_segment(page, MAX_INLINE_DATA(inode), PAGE_SIZE);
+
+ /* Copy the whole inline data block */
+- src_addr = inline_data_addr(inode, ipage);
+- dst_addr = kmap_atomic(page);
+- memcpy(dst_addr, src_addr, MAX_INLINE_DATA(inode));
+- flush_dcache_page(page);
+- kunmap_atomic(dst_addr);
++ memcpy_to_page(page, 0, inline_data_addr(inode, ipage),
++ MAX_INLINE_DATA(inode));
+ if (!PageUptodate(page))
+ SetPageUptodate(page);
+ }
+@@ -245,7 +241,6 @@ int f2fs_convert_inline_inode(struct inode *inode)
+
+ int f2fs_write_inline_data(struct inode *inode, struct page *page)
+ {
+- void *src_addr, *dst_addr;
+ struct dnode_of_data dn;
+ int err;
+
+@@ -262,10 +257,8 @@ int f2fs_write_inline_data(struct inode *inode, struct page *page)
+ f2fs_bug_on(F2FS_I_SB(inode), page->index);
+
+ f2fs_wait_on_page_writeback(dn.inode_page, NODE, true, true);
+- src_addr = kmap_atomic(page);
+- dst_addr = inline_data_addr(inode, dn.inode_page);
+- memcpy(dst_addr, src_addr, MAX_INLINE_DATA(inode));
+- kunmap_atomic(src_addr);
++ memcpy_from_page(inline_data_addr(inode, dn.inode_page),
++ page, 0, MAX_INLINE_DATA(inode));
+ set_page_dirty(dn.inode_page);
+
+ f2fs_clear_page_cache_dirty_tag(page);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index fba413ced9826..0bba5c72fc77e 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2034,7 +2034,6 @@ static ssize_t f2fs_quota_read(struct super_block *sb, int type, char *data,
+ size_t toread;
+ loff_t i_size = i_size_read(inode);
+ struct page *page;
+- char *kaddr;
+
+ if (off > i_size)
+ return 0;
+@@ -2068,9 +2067,7 @@ static ssize_t f2fs_quota_read(struct super_block *sb, int type, char *data,
+ return -EIO;
+ }
+
+- kaddr = kmap_atomic(page);
+- memcpy(data, kaddr + offset, tocopy);
+- kunmap_atomic(kaddr);
++ memcpy_from_page(data, page, offset, tocopy);
+ f2fs_put_page(page, 1);
+
+ offset = 0;
+@@ -2092,7 +2089,6 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type,
+ size_t towrite = len;
+ struct page *page;
+ void *fsdata = NULL;
+- char *kaddr;
+ int err = 0;
+ int tocopy;
+
+@@ -2112,10 +2108,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type,
+ break;
+ }
+
+- kaddr = kmap_atomic(page);
+- memcpy(kaddr + offset, data, tocopy);
+- kunmap_atomic(kaddr);
+- flush_dcache_page(page);
++ memcpy_to_page(page, offset, data, tocopy);
+
+ a_ops->write_end(NULL, mapping, off, tocopy, tocopy,
+ page, fsdata);
+diff --git a/fs/f2fs/verity.c b/fs/f2fs/verity.c
+index cff94d095d0fe..dafdb19ec0dba 100644
+--- a/fs/f2fs/verity.c
++++ b/fs/f2fs/verity.c
+@@ -47,16 +47,13 @@ static int pagecache_read(struct inode *inode, void *buf, size_t count,
+ size_t n = min_t(size_t, count,
+ PAGE_SIZE - offset_in_page(pos));
+ struct page *page;
+- void *addr;
+
+ page = read_mapping_page(inode->i_mapping, pos >> PAGE_SHIFT,
+ NULL);
+ if (IS_ERR(page))
+ return PTR_ERR(page);
+
+- addr = kmap_atomic(page);
+- memcpy(buf, addr + offset_in_page(pos), n);
+- kunmap_atomic(addr);
++ memcpy_from_page(buf, page, offset_in_page(pos), n);
+
+ put_page(page);
+
+@@ -82,7 +79,6 @@ static int pagecache_write(struct inode *inode, const void *buf, size_t count,
+ PAGE_SIZE - offset_in_page(pos));
+ struct page *page;
+ void *fsdata;
+- void *addr;
+ int res;
+
+ res = pagecache_write_begin(NULL, inode->i_mapping, pos, n, 0,
+@@ -90,9 +86,7 @@ static int pagecache_write(struct inode *inode, const void *buf, size_t count,
+ if (res)
+ return res;
+
+- addr = kmap_atomic(page);
+- memcpy(addr + offset_in_page(pos), buf, n);
+- kunmap_atomic(addr);
++ memcpy_to_page(page, offset_in_page(pos), buf, n);
+
+ res = pagecache_write_end(NULL, inode->i_mapping, pos, n, n,
+ page, fsdata);
+--
+2.39.2
+
--- /dev/null
+From 441a038c74294b58c71ab472e952cc3f1b216575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 11:50:45 +0000
+Subject: firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
+
+From: Darrell Kavanagh <darrell.kavanagh@gmail.com>
+
+[ Upstream commit e1d447157f232c650e6f32c9fb89ff3d0207c69a ]
+
+Another Lenovo convertable which reports a landscape resolution of
+1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer
+has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes.
+
+Signed-off-by: Darrell Kavanagh <darrell.kavanagh@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/sysfb_efi.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/sysfb_efi.c b/arch/x86/kernel/sysfb_efi.c
+index 653b7f617b61b..9ea65611fba0b 100644
+--- a/arch/x86/kernel/sysfb_efi.c
++++ b/arch/x86/kernel/sysfb_efi.c
+@@ -264,6 +264,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
+ "Lenovo ideapad D330-10IGM"),
+ },
+ },
++ {
++ /* Lenovo IdeaPad Duet 3 10IGL5 with 1200x1920 portrait screen */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
++ "IdeaPad Duet 3 10IGL5"),
++ },
++ },
+ {},
+ };
+
+--
+2.39.2
+
--- /dev/null
+From cc9e95ded0502b032c19d0df207a068a2551dfd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 12:21:32 +0100
+Subject: fs: f2fs: initialize fsdata in pagecache_write()
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit b1b9896718bc1a212dc288ad66a5fa2fef11353d ]
+
+When aops->write_begin() does not initialize fsdata, KMSAN may report
+an error passing the latter to aops->write_end().
+
+Fix this by unconditionally initializing fsdata.
+
+Suggested-by: Eric Biggers <ebiggers@kernel.org>
+Fixes: 95ae251fe828 ("f2fs: add fs-verity support")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/verity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/verity.c b/fs/f2fs/verity.c
+index dafdb19ec0dba..cef40d92268f7 100644
+--- a/fs/f2fs/verity.c
++++ b/fs/f2fs/verity.c
+@@ -78,7 +78,7 @@ static int pagecache_write(struct inode *inode, const void *buf, size_t count,
+ size_t n = min_t(size_t, count,
+ PAGE_SIZE - offset_in_page(pos));
+ struct page *page;
+- void *fsdata;
++ void *fsdata = NULL;
+ int res;
+
+ res = pagecache_write_begin(NULL, inode->i_mapping, pos, n, 0,
+--
+2.39.2
+
--- /dev/null
+From afa3d73c21d566f88d90906be3e80ea3627abeb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 11:01:59 +0800
+Subject: fs/jfs: fix shift exponent db_agl2size negative
+
+From: Liu Shixin via Jfs-discussion <jfs-discussion@lists.sourceforge.net>
+
+[ Upstream commit fad376fce0af58deebc5075b8539dc05bf639af3 ]
+
+As a shift exponent, db_agl2size can not be less than 0. Add the missing
+check to fix the shift-out-of-bounds bug reported by syzkaller:
+
+ UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15
+ shift exponent -744642816 is negative
+
+Reported-by: syzbot+0be96567042453c0c820@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 2c9493011aec3..501263355ef48 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -193,7 +193,8 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
+ bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
+- if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
++ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
++ bmp->db_agl2size < 0) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+--
+2.39.2
+
--- /dev/null
+From ec19daa6188c9bcb99b0430e4a44608b4beca427 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 14:04:29 -0500
+Subject: IB/hfi1: Update RMT size calculation
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit 892ede5a77f337831609fb9c248ac60948061894 ]
+
+Fix possible RMT overflow: Use the correct netdev size.
+Don't allow adjusted user contexts to go negative.
+
+Fix QOS calculation: Send kernel context count as an argument since
+dd->n_krcv_queues is not yet set up in earliest call. Do not include
+the control context in the QOS calculation. Use the same sized
+variable to find the max of krcvq[] entries.
+
+Update the RMT count explanation to make more sense.
+
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167329106946.1472990.18385495251650939054.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 59 +++++++++++++++++--------------
+ 1 file changed, 32 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
+index 88476a1a601a4..4b41f35668b20 100644
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -1097,7 +1097,7 @@ static void read_link_down_reason(struct hfi1_devdata *dd, u8 *ldr);
+ static void handle_temp_err(struct hfi1_devdata *dd);
+ static void dc_shutdown(struct hfi1_devdata *dd);
+ static void dc_start(struct hfi1_devdata *dd);
+-static int qos_rmt_entries(struct hfi1_devdata *dd, unsigned int *mp,
++static int qos_rmt_entries(unsigned int n_krcv_queues, unsigned int *mp,
+ unsigned int *np);
+ static void clear_full_mgmt_pkey(struct hfi1_pportdata *ppd);
+ static int wait_link_transfer_active(struct hfi1_devdata *dd, int wait_ms);
+@@ -13403,7 +13403,6 @@ static int set_up_context_variables(struct hfi1_devdata *dd)
+ int ret;
+ unsigned ngroups;
+ int rmt_count;
+- int user_rmt_reduced;
+ u32 n_usr_ctxts;
+ u32 send_contexts = chip_send_contexts(dd);
+ u32 rcv_contexts = chip_rcv_contexts(dd);
+@@ -13462,28 +13461,34 @@ static int set_up_context_variables(struct hfi1_devdata *dd)
+ (num_kernel_contexts + n_usr_ctxts),
+ &node_affinity.real_cpu_mask);
+ /*
+- * The RMT entries are currently allocated as shown below:
+- * 1. QOS (0 to 128 entries);
+- * 2. FECN (num_kernel_context - 1 + num_user_contexts +
+- * num_netdev_contexts);
+- * 3. netdev (num_netdev_contexts).
+- * It should be noted that FECN oversubscribe num_netdev_contexts
+- * entries of RMT because both netdev and PSM could allocate any receive
+- * context between dd->first_dyn_alloc_text and dd->num_rcv_contexts,
+- * and PSM FECN must reserve an RMT entry for each possible PSM receive
+- * context.
++ * RMT entries are allocated as follows:
++ * 1. QOS (0 to 128 entries)
++ * 2. FECN (num_kernel_context - 1 [a] + num_user_contexts +
++ * num_netdev_contexts [b])
++ * 3. netdev (NUM_NETDEV_MAP_ENTRIES)
++ *
++ * Notes:
++ * [a] Kernel contexts (except control) are included in FECN if kernel
++ * TID_RDMA is active.
++ * [b] Netdev and user contexts are randomly allocated from the same
++ * context pool, so FECN must cover all contexts in the pool.
+ */
+- rmt_count = qos_rmt_entries(dd, NULL, NULL) + (num_netdev_contexts * 2);
+- if (HFI1_CAP_IS_KSET(TID_RDMA))
+- rmt_count += num_kernel_contexts - 1;
+- if (rmt_count + n_usr_ctxts > NUM_MAP_ENTRIES) {
+- user_rmt_reduced = NUM_MAP_ENTRIES - rmt_count;
+- dd_dev_err(dd,
+- "RMT size is reducing the number of user receive contexts from %u to %d\n",
+- n_usr_ctxts,
+- user_rmt_reduced);
+- /* recalculate */
+- n_usr_ctxts = user_rmt_reduced;
++ rmt_count = qos_rmt_entries(num_kernel_contexts - 1, NULL, NULL)
++ + (HFI1_CAP_IS_KSET(TID_RDMA) ? num_kernel_contexts - 1
++ : 0)
++ + n_usr_ctxts
++ + num_netdev_contexts
++ + NUM_NETDEV_MAP_ENTRIES;
++ if (rmt_count > NUM_MAP_ENTRIES) {
++ int over = rmt_count - NUM_MAP_ENTRIES;
++ /* try to squish user contexts, minimum of 1 */
++ if (over >= n_usr_ctxts) {
++ dd_dev_err(dd, "RMT overflow: reduce the requested number of contexts\n");
++ return -EINVAL;
++ }
++ dd_dev_err(dd, "RMT overflow: reducing # user contexts from %u to %u\n",
++ n_usr_ctxts, n_usr_ctxts - over);
++ n_usr_ctxts -= over;
+ }
+
+ /* the first N are kernel contexts, the rest are user/netdev contexts */
+@@ -14340,15 +14345,15 @@ static void clear_rsm_rule(struct hfi1_devdata *dd, u8 rule_index)
+ }
+
+ /* return the number of RSM map table entries that will be used for QOS */
+-static int qos_rmt_entries(struct hfi1_devdata *dd, unsigned int *mp,
++static int qos_rmt_entries(unsigned int n_krcv_queues, unsigned int *mp,
+ unsigned int *np)
+ {
+ int i;
+ unsigned int m, n;
+- u8 max_by_vl = 0;
++ uint max_by_vl = 0;
+
+ /* is QOS active at all? */
+- if (dd->n_krcv_queues <= MIN_KERNEL_KCTXTS ||
++ if (n_krcv_queues < MIN_KERNEL_KCTXTS ||
+ num_vls == 1 ||
+ krcvqsset <= 1)
+ goto no_qos;
+@@ -14406,7 +14411,7 @@ static void init_qos(struct hfi1_devdata *dd, struct rsm_map_table *rmt)
+
+ if (!rmt)
+ goto bail;
+- rmt_entries = qos_rmt_entries(dd, &m, &n);
++ rmt_entries = qos_rmt_entries(dd->n_krcv_queues - 1, &m, &n);
+ if (rmt_entries == 0)
+ goto bail;
+ qpns_per_vl = 1 << m;
+--
+2.39.2
+
--- /dev/null
+From 19928949d46aee49af452a7aed08a97e6ee9a333 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 07:21:46 -0800
+Subject: iio: accel: mma9551_core: Prevent uninitialized variable in
+ mma9551_read_status_word()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit e56d2c34ce9dc122b1a618172ec0e05e50adb9e9 ]
+
+Smatch Warns: drivers/iio/accel/mma9551_core.c:357
+ mma9551_read_status_word() error: uninitialized symbol 'v'.
+
+When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL
+without 'v' being initialized, so check for the error and return.
+
+Note: Not a bug as such because the caller checks return value and
+doesn't not use this parameter in the problem case.
+
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20230126152147.3585874-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mma9551_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c
+index 666e7a04a7d7a..aa16d66784944 100644
+--- a/drivers/iio/accel/mma9551_core.c
++++ b/drivers/iio/accel/mma9551_core.c
+@@ -354,9 +354,12 @@ int mma9551_read_status_word(struct i2c_client *client, u8 app_id,
+
+ ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS,
+ reg, NULL, 0, (u8 *)&v, 2);
++ if (ret < 0)
++ return ret;
++
+ *val = be16_to_cpu(v);
+
+- return ret;
++ return 0;
+ }
+ EXPORT_SYMBOL(mma9551_read_status_word);
+
+--
+2.39.2
+
--- /dev/null
+From e88464898a32f0fbd6ed3e7bb9bb1ac1bb87e88f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 07:36:09 -0800
+Subject: iio: accel: mma9551_core: Prevent uninitialized variable in
+ mma9551_read_config_word()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 64a68158738ec8f520347144352f7a09bdb9e169 ]
+
+Smatch Warns:
+drivers/iio/accel/mma9551_core.c:299
+ mma9551_read_config_word() error: uninitialized symbol 'v'.
+
+When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL
+without 'v' being initialized, so check for the error and return.
+
+Note: No actual bug as caller checks the return value and does not
+use the parameter in the problem case.
+
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20230126153610.3586243-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mma9551_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c
+index aa16d66784944..9bb5c2fea08cf 100644
+--- a/drivers/iio/accel/mma9551_core.c
++++ b/drivers/iio/accel/mma9551_core.c
+@@ -296,9 +296,12 @@ int mma9551_read_config_word(struct i2c_client *client, u8 app_id,
+
+ ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_CONFIG,
+ reg, NULL, 0, (u8 *)&v, 2);
++ if (ret < 0)
++ return ret;
++
+ *val = be16_to_cpu(v);
+
+- return ret;
++ return 0;
+ }
+ EXPORT_SYMBOL(mma9551_read_config_word);
+
+--
+2.39.2
+
--- /dev/null
+From aa1d215e6ce2fed9e8c8e07e4684f9318c3eec02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 16:36:28 +0800
+Subject: ipv6: Add lwtunnel encap size of all siblings in nexthop calculation
+
+From: Lu Wei <luwei32@huawei.com>
+
+[ Upstream commit 4cc59f386991ec9374cb4bc83dbe1c0b5a95033f ]
+
+In function rt6_nlmsg_size(), the length of nexthop is calculated
+by multipling the nexthop length of fib6_info and the number of
+siblings. However if the fib6_info has no lwtunnel but the siblings
+have lwtunnels, the nexthop length is less than it should be, and
+it will trigger a warning in inet6_rt_notify() as follows:
+
+WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130
+......
+Call Trace:
+ <TASK>
+ fib6_add_rt2node+0x685/0xa30
+ fib6_add+0x96/0x1b0
+ ip6_route_add+0x50/0xd0
+ inet6_rtm_newroute+0x97/0xa0
+ rtnetlink_rcv_msg+0x156/0x3d0
+ netlink_rcv_skb+0x5a/0x110
+ netlink_unicast+0x246/0x350
+ netlink_sendmsg+0x250/0x4c0
+ sock_sendmsg+0x66/0x70
+ ___sys_sendmsg+0x7c/0xd0
+ __sys_sendmsg+0x5d/0xb0
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+This bug can be reproduced by script:
+
+ip -6 addr add 2002::2/64 dev ens2
+ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100
+
+for i in 10 20 30 40 50 60 70;
+do
+ ip link add link ens2 name ipv_$i type ipvlan
+ ip -6 addr add 2002::$i/64 dev ipv_$i
+ ifconfig ipv_$i up
+done
+
+for i in 10 20 30 40 50 60;
+do
+ ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1
+dev ipv_$i metric 100
+done
+
+ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100
+
+This patch fixes it by adding nexthop_len of every siblings using
+rt6_nh_nlmsg_size().
+
+Fixes: beb1afac518d ("net: ipv6: Add support to dump multipath routes via RTA_MULTIPATH attribute")
+Signed-off-by: Lu Wei <luwei32@huawei.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230222083629.335683-2-luwei32@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 803d1aa83140c..a6d5c99f65a3a 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5444,16 +5444,17 @@ static size_t rt6_nlmsg_size(struct fib6_info *f6i)
+ nexthop_for_each_fib6_nh(f6i->nh, rt6_nh_nlmsg_size,
+ &nexthop_len);
+ } else {
++ struct fib6_info *sibling, *next_sibling;
+ struct fib6_nh *nh = f6i->fib6_nh;
+
+ nexthop_len = 0;
+ if (f6i->fib6_nsiblings) {
+- nexthop_len = nla_total_size(0) /* RTA_MULTIPATH */
+- + NLA_ALIGN(sizeof(struct rtnexthop))
+- + nla_total_size(16) /* RTA_GATEWAY */
+- + lwtunnel_get_encap_size(nh->fib_nh_lws);
++ rt6_nh_nlmsg_size(nh, &nexthop_len);
+
+- nexthop_len *= f6i->fib6_nsiblings;
++ list_for_each_entry_safe(sibling, next_sibling,
++ &f6i->fib6_siblings, fib6_siblings) {
++ rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
++ }
+ }
+ nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws);
+ }
+--
+2.39.2
+
--- /dev/null
+From fc72bbe6778869fc5c7998c5b2ce7e5c9d6320ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 16:16:33 +0100
+Subject: kernel/fail_function: fix memory leak with using debugfs_lookup()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 2bb3669f576559db273efe49e0e69f82450efbca ]
+
+When calling debugfs_lookup() the result must have dput() called on it,
+otherwise the memory will leak over time. To make things simpler, just
+call debugfs_lookup_and_remove() instead which handles all of the logic
+at once.
+
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20230202151633.2310897-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/fail_function.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/kernel/fail_function.c b/kernel/fail_function.c
+index b0b1ad93fa957..8f3795d8ac5b0 100644
+--- a/kernel/fail_function.c
++++ b/kernel/fail_function.c
+@@ -163,10 +163,7 @@ static void fei_debugfs_add_attr(struct fei_attr *attr)
+
+ static void fei_debugfs_remove_attr(struct fei_attr *attr)
+ {
+- struct dentry *dir;
+-
+- dir = debugfs_lookup(attr->kp.symbol_name, fei_debugfs_dir);
+- debugfs_remove_recursive(dir);
++ debugfs_lookup_and_remove(attr->kp.symbol_name, fei_debugfs_dir);
+ }
+
+ static int fei_kprobe_handler(struct kprobe *kp, struct pt_regs *regs)
+--
+2.39.2
+
--- /dev/null
+From 24cbfa31a78cd09c5e5ae49b476e86da82ceb345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Feb 2023 17:50:27 +0800
+Subject: loop: loop_set_status_from_info() check before assignment
+
+From: Zhong Jinghua <zhongjinghua@huawei.com>
+
+[ Upstream commit 9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa ]
+
+In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should
+be checked before reassignment, because if an overflow error occurs, the
+original correct value will be changed to the wrong value, and it will not
+be changed back.
+
+More, the original patch did not solve the problem, the value was set and
+ioctl returned an error, but the subsequent io used the value in the loop
+driver, which still caused an alarm:
+
+loop_handle_cmd
+ do_req_filebacked
+ loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset;
+ lo_rw_aio
+ cmd->iocb.ki_pos = pos
+
+Fixes: c490a0b5a4f3 ("loop: Check for overflow while configuring loop")
+Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Link: https://lore.kernel.org/r/20230221095027.3656193-1-zhongjinghua@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/loop.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index b10410585a746..d86fbea54652a 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1029,13 +1029,13 @@ loop_set_status_from_info(struct loop_device *lo,
+ if (err)
+ return err;
+
++ /* Avoid assigning overflow values */
++ if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX)
++ return -EOVERFLOW;
++
+ lo->lo_offset = info->lo_offset;
+ lo->lo_sizelimit = info->lo_sizelimit;
+
+- /* loff_t vars have been assigned __u64 */
+- if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
+- return -EOVERFLOW;
+-
+ memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
+ memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
+ lo->lo_file_name[LO_NAME_SIZE-1] = 0;
+--
+2.39.2
+
--- /dev/null
+From d15eb8242a298a7681e2c2e9eb2b41e4447b93b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 16:04:55 +0200
+Subject: media: uvcvideo: Handle cameras with invalid descriptors
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 41ddb251c68ac75c101d3a50a68c4629c9055e4c ]
+
+If the source entity does not contain any pads, do not create a link.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_entity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c
+index ca3a9c2eec271..7c9895377118c 100644
+--- a/drivers/media/usb/uvc/uvc_entity.c
++++ b/drivers/media/usb/uvc/uvc_entity.c
+@@ -37,7 +37,7 @@ static int uvc_mc_create_links(struct uvc_video_chain *chain,
+ continue;
+
+ remote = uvc_entity_by_id(chain->dev, entity->baSourceID[i]);
+- if (remote == NULL)
++ if (remote == NULL || remote->num_pads == 0)
+ return -EINVAL;
+
+ source = (UVC_ENTITY_TYPE(remote) == UVC_TT_STREAMING)
+--
+2.39.2
+
--- /dev/null
+From 565620fd5d8dec560469caa575e7afeff329abc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 16:41:01 +0200
+Subject: media: uvcvideo: Handle errors from calls to usb_string
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 4867bb590ae445bcfaa711a86b603c97e94574b3 ]
+
+On a Webcam from Quanta, we see the following error.
+
+usb 3-5: New USB device found, idVendor=0408, idProduct=30d2, bcdDevice= 0.03
+usb 3-5: New USB device strings: Mfr=3, Product=1, SerialNumber=2
+usb 3-5: Product: USB2.0 HD UVC WebCam
+usb 3-5: Manufacturer: Quanta
+usb 3-5: SerialNumber: 0x0001
+...
+uvcvideo: Found UVC 1.10 device USB2.0 HD UVC WebCam (0408:30d2)
+uvcvideo: Failed to initialize entity for entity 5
+uvcvideo: Failed to register entities (-22).
+
+The Webcam reports an entity of type UVC_VC_EXTENSION_UNIT. It reports a
+string index of '7' associated with that entity. The attempt to read that
+string from the camera fails with error -32 (-EPIPE). usb_string() returns
+that error, but it is ignored. As result, the entity name is empty. This
+later causes v4l2_device_register_subdev() to return -EINVAL, and no
+entities are registered as result.
+
+While this appears to be a firmware problem with the camera, the kernel
+should still handle the situation gracefully. To do that, check the return
+value from usb_string(). If it reports an error, assign the entity's
+default name.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 48 ++++++++++++------------------
+ 1 file changed, 19 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 282f3d2388cc2..2be18fa7982d7 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1121,10 +1121,8 @@ static int uvc_parse_vendor_control(struct uvc_device *dev,
+ + n;
+ memcpy(unit->extension.bmControls, &buffer[23+p], 2*n);
+
+- if (buffer[24+p+2*n] != 0)
+- usb_string(udev, buffer[24+p+2*n], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[24+p+2*n] == 0 ||
++ usb_string(udev, buffer[24+p+2*n], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Extension %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
+@@ -1249,15 +1247,15 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+ memcpy(term->media.bmTransportModes, &buffer[10+n], p);
+ }
+
+- if (buffer[7] != 0)
+- usb_string(udev, buffer[7], term->name,
+- sizeof(term->name));
+- else if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA)
+- sprintf(term->name, "Camera %u", buffer[3]);
+- else if (UVC_ENTITY_TYPE(term) == UVC_ITT_MEDIA_TRANSPORT_INPUT)
+- sprintf(term->name, "Media %u", buffer[3]);
+- else
+- sprintf(term->name, "Input %u", buffer[3]);
++ if (buffer[7] == 0 ||
++ usb_string(udev, buffer[7], term->name, sizeof(term->name)) < 0) {
++ if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA)
++ sprintf(term->name, "Camera %u", buffer[3]);
++ if (UVC_ENTITY_TYPE(term) == UVC_ITT_MEDIA_TRANSPORT_INPUT)
++ sprintf(term->name, "Media %u", buffer[3]);
++ else
++ sprintf(term->name, "Input %u", buffer[3]);
++ }
+
+ list_add_tail(&term->list, &dev->entities);
+ break;
+@@ -1289,10 +1287,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+
+ memcpy(term->baSourceID, &buffer[7], 1);
+
+- if (buffer[8] != 0)
+- usb_string(udev, buffer[8], term->name,
+- sizeof(term->name));
+- else
++ if (buffer[8] == 0 ||
++ usb_string(udev, buffer[8], term->name, sizeof(term->name)) < 0)
+ sprintf(term->name, "Output %u", buffer[3]);
+
+ list_add_tail(&term->list, &dev->entities);
+@@ -1314,10 +1310,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+
+ memcpy(unit->baSourceID, &buffer[5], p);
+
+- if (buffer[5+p] != 0)
+- usb_string(udev, buffer[5+p], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[5+p] == 0 ||
++ usb_string(udev, buffer[5+p], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Selector %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
+@@ -1347,10 +1341,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+ if (dev->uvc_version >= 0x0110)
+ unit->processing.bmVideoStandards = buffer[9+n];
+
+- if (buffer[8+n] != 0)
+- usb_string(udev, buffer[8+n], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[8+n] == 0 ||
++ usb_string(udev, buffer[8+n], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Processing %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
+@@ -1378,10 +1370,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+ unit->extension.bmControls = (u8 *)unit + sizeof(*unit);
+ memcpy(unit->extension.bmControls, &buffer[23+p], n);
+
+- if (buffer[23+p+n] != 0)
+- usb_string(udev, buffer[23+p+n], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[23+p+n] == 0 ||
++ usb_string(udev, buffer[23+p+n], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Extension %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
+--
+2.39.2
+
--- /dev/null
+From 067dc96e8d70e614f7b94979fbf3ab2475bfd053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 11:45:23 +0100
+Subject: media: uvcvideo: Quirk for autosuspend in Logitech B910 and C910
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 136effa754b57632f99574fc4a3433e0cfc031d9 ]
+
+Logitech B910 and C910 firmware are unable to recover from a USB
+autosuspend. When it resumes, the device is in a state where it only
+produces invalid frames. Eg:
+
+$ echo 0xFFFF > /sys/module/uvcvideo/parameters/trace # enable verbose log
+$ yavta -c1 -n1 --file='frame#.jpg' --format MJPEG --size=1920x1080 /dev/video1
+[350438.435219] uvcvideo: uvc_v4l2_open
+[350438.529794] uvcvideo: Resuming interface 2
+[350438.529801] uvcvideo: Resuming interface 3
+[350438.529991] uvcvideo: Trying format 0x47504a4d (MJPG): 1920x1080.
+[350438.529996] uvcvideo: Using default frame interval 33333.3 us (30.0 fps).
+[350438.551496] uvcvideo: uvc_v4l2_mmap
+[350438.555890] uvcvideo: Device requested 3060 B/frame bandwidth.
+[350438.555896] uvcvideo: Selecting alternate setting 11 (3060 B/frame bandwidth).
+[350438.556362] uvcvideo: Allocated 5 URB buffers of 32x3060 bytes each.
+[350439.316468] uvcvideo: Marking buffer as bad (error bit set).
+[350439.316475] uvcvideo: Frame complete (EOF found).
+[350439.316477] uvcvideo: EOF in empty payload.
+[350439.316484] uvcvideo: frame 1 stats: 149/261/417 packets, 1/149/417 pts (early initial), 416/417 scr, last pts/stc/sof 2976325734/2978107243/249
+[350439.384510] uvcvideo: Marking buffer as bad (error bit set).
+[350439.384516] uvcvideo: Frame complete (EOF found).
+[350439.384518] uvcvideo: EOF in empty payload.
+[350439.384525] uvcvideo: frame 2 stats: 265/379/533 packets, 1/265/533 pts (early initial), 532/533 scr, last pts/stc/sof 2979524454/2981305193/316
+[350439.448472] uvcvideo: Marking buffer as bad (error bit set).
+[350439.448478] uvcvideo: Frame complete (EOF found).
+[350439.448480] uvcvideo: EOF in empty payload.
+[350439.448487] uvcvideo: frame 3 stats: 265/377/533 packets, 1/265/533 pts (early initial), 532/533 scr, last pts/stc/sof 2982723174/2984503144/382
+...(loop)...
+
+The devices can leave this invalid state if the alternate setting of
+the streaming interface is toggled.
+
+This patch adds a quirk for this device so it can be autosuspended
+properly.
+
+lsusb -v:
+Bus 001 Device 049: ID 046d:0821 Logitech, Inc. HD Webcam C910
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 239 Miscellaneous Device
+ bDeviceSubClass 2
+ bDeviceProtocol 1 Interface Association
+ bMaxPacketSize0 64
+ idVendor 0x046d Logitech, Inc.
+ idProduct 0x0821 HD Webcam C910
+ bcdDevice 0.10
+ iManufacturer 0
+ iProduct 0
+ iSerial 1 390022B0
+ bNumConfigurations 1
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 18 ++++++++++++++++++
+ drivers/media/usb/uvc/uvc_video.c | 11 +++++++++++
+ drivers/media/usb/uvc/uvcvideo.h | 1 +
+ 3 files changed, 30 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 2be18fa7982d7..6334f99f1854d 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2555,6 +2555,24 @@ static const struct usb_device_id uvc_ids[] = {
+ .bInterfaceSubClass = 1,
+ .bInterfaceProtocol = 0,
+ .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax },
++ /* Logitech, Webcam C910 */
++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = 0x046d,
++ .idProduct = 0x0821,
++ .bInterfaceClass = USB_CLASS_VIDEO,
++ .bInterfaceSubClass = 1,
++ .bInterfaceProtocol = 0,
++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_WAKE_AUTOSUSPEND)},
++ /* Logitech, Webcam B910 */
++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = 0x046d,
++ .idProduct = 0x0823,
++ .bInterfaceClass = USB_CLASS_VIDEO,
++ .bInterfaceSubClass = 1,
++ .bInterfaceProtocol = 0,
++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_WAKE_AUTOSUSPEND)},
+ /* Logitech Quickcam Fusion */
+ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
+ | USB_DEVICE_ID_MATCH_INT_INFO,
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index f6373d678d256..d5a4e967883c5 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1903,6 +1903,17 @@ static int uvc_video_start_transfer(struct uvc_streaming *stream,
+ uvc_trace(UVC_TRACE_VIDEO, "Selecting alternate setting %u "
+ "(%u B/frame bandwidth).\n", altsetting, best_psize);
+
++ /*
++ * Some devices, namely the Logitech C910 and B910, are unable
++ * to recover from a USB autosuspend, unless the alternate
++ * setting of the streaming interface is toggled.
++ */
++ if (stream->dev->quirks & UVC_QUIRK_WAKE_AUTOSUSPEND) {
++ usb_set_interface(stream->dev->udev, intfnum,
++ altsetting);
++ usb_set_interface(stream->dev->udev, intfnum, 0);
++ }
++
+ ret = usb_set_interface(stream->dev->udev, intfnum, altsetting);
+ if (ret < 0)
+ return ret;
+diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h
+index c884020b28784..284200becbbdb 100644
+--- a/drivers/media/usb/uvc/uvcvideo.h
++++ b/drivers/media/usb/uvc/uvcvideo.h
+@@ -203,6 +203,7 @@
+ #define UVC_QUIRK_RESTORE_CTRLS_ON_INIT 0x00000400
+ #define UVC_QUIRK_FORCE_Y8 0x00000800
+ #define UVC_QUIRK_FORCE_BPP 0x00001000
++#define UVC_QUIRK_WAKE_AUTOSUSPEND 0x00002000
+
+ /* Format flags */
+ #define UVC_FMT_FLAG_COMPRESSED 0x00000001
+--
+2.39.2
+
--- /dev/null
+From 58f40a38ee8f6f73afdc6aaa94cd26b3c8f1522d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jan 2023 22:17:04 -0800
+Subject: media: uvcvideo: Silence memcpy() run-time false positive warnings
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit b839212988575c701aab4d3d9ca15e44c87e383c ]
+
+The memcpy() in uvc_video_decode_meta() intentionally copies across the
+length and flags members and into the trailing buf flexible array.
+Split the copy so that the compiler can better reason about (the lack
+of) buffer overflows here. Avoid the run-time false positive warning:
+
+ memcpy: detected field-spanning write (size 12) of single field "&meta->length" at drivers/media/usb/uvc/uvc_video.c:1355 (size 1)
+
+Additionally fix a typo in the documentation for struct uvc_meta_buf.
+
+Reported-by: ionut_n2001@yahoo.com
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216810
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 4 +++-
+ include/uapi/linux/uvcvideo.h | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index d5a4e967883c5..03dfe96bcebac 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1308,7 +1308,9 @@ static void uvc_video_decode_meta(struct uvc_streaming *stream,
+ if (has_scr)
+ memcpy(stream->clock.last_scr, scr, 6);
+
+- memcpy(&meta->length, mem, length);
++ meta->length = mem[0];
++ meta->flags = mem[1];
++ memcpy(meta->buf, &mem[2], length - 2);
+ meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof);
+
+ uvc_trace(UVC_TRACE_FRAME,
+diff --git a/include/uapi/linux/uvcvideo.h b/include/uapi/linux/uvcvideo.h
+index f80f05b3c423f..2140923661934 100644
+--- a/include/uapi/linux/uvcvideo.h
++++ b/include/uapi/linux/uvcvideo.h
+@@ -86,7 +86,7 @@ struct uvc_xu_control_query {
+ * struct. The first two fields are added by the driver, they can be used for
+ * clock synchronisation. The rest is an exact copy of a UVC payload header.
+ * Only complete objects with complete buffers are included. Therefore it's
+- * always sizeof(meta->ts) + sizeof(meta->sof) + meta->length bytes large.
++ * always sizeof(meta->ns) + sizeof(meta->sof) + meta->length bytes large.
+ */
+ struct uvc_meta_buf {
+ __u64 ns;
+--
+2.39.2
+
--- /dev/null
+From 545a035a8c02725d0162e4d8447153340c1c52e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 23:49:33 +0200
+Subject: mei: bus-fixup:upon error print return values of send and receive
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+[ Upstream commit 4b8659e2c258e4fdac9ccdf06cc20c0677894ef9 ]
+
+For easier debugging, upon error, print also return values
+from __mei_cl_recv() and __mei_cl_send() functions.
+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20221212214933.275434-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/bus-fixup.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/mei/bus-fixup.c b/drivers/misc/mei/bus-fixup.c
+index 4e30fa98fe7d3..c4c1275581ec9 100644
+--- a/drivers/misc/mei/bus-fixup.c
++++ b/drivers/misc/mei/bus-fixup.c
+@@ -172,7 +172,7 @@ static int mei_fwver(struct mei_cl_device *cldev)
+ ret = __mei_cl_send(cldev->cl, (u8 *)&req, sizeof(req),
+ MEI_CL_IO_TX_BLOCKING);
+ if (ret < 0) {
+- dev_err(&cldev->dev, "Could not send ReqFWVersion cmd\n");
++ dev_err(&cldev->dev, "Could not send ReqFWVersion cmd ret = %d\n", ret);
+ return ret;
+ }
+
+@@ -184,7 +184,7 @@ static int mei_fwver(struct mei_cl_device *cldev)
+ * Should be at least one version block,
+ * error out if nothing found
+ */
+- dev_err(&cldev->dev, "Could not read FW version\n");
++ dev_err(&cldev->dev, "Could not read FW version ret = %d\n", bytes_recv);
+ return -EIO;
+ }
+
+@@ -332,7 +332,7 @@ static int mei_nfc_if_version(struct mei_cl *cl,
+
+ ret = __mei_cl_send(cl, (u8 *)&cmd, sizeof(cmd), MEI_CL_IO_TX_BLOCKING);
+ if (ret < 0) {
+- dev_err(bus->dev, "Could not send IF version cmd\n");
++ dev_err(bus->dev, "Could not send IF version cmd ret = %d\n", ret);
+ return ret;
+ }
+
+@@ -346,7 +346,7 @@ static int mei_nfc_if_version(struct mei_cl *cl,
+ ret = 0;
+ bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length, 0, 0);
+ if (bytes_recv < 0 || (size_t)bytes_recv < if_version_length) {
+- dev_err(bus->dev, "Could not read IF version\n");
++ dev_err(bus->dev, "Could not read IF version ret = %d\n", bytes_recv);
+ ret = -EIO;
+ goto err;
+ }
+--
+2.39.2
+
--- /dev/null
+From 1e4b253dec0c3ef5c5793a126fd1f6f3b99d1a8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jan 2023 14:10:55 +0800
+Subject: mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 4414a7ab80cebf715045e3c4d465feefbad21139 ]
+
+In arizona_clk32k_enable(), we should use pm_runtime_resume_and_get()
+as pm_runtime_get_sync() will increase the refcnt even when it
+returns an error.
+
+Signed-off-by: Liang He <windhl@126.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20230105061055.1509261-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/arizona-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c
+index 000cb82023e35..afdc490836255 100644
+--- a/drivers/mfd/arizona-core.c
++++ b/drivers/mfd/arizona-core.c
+@@ -45,7 +45,7 @@ int arizona_clk32k_enable(struct arizona *arizona)
+ if (arizona->clk32k_ref == 1) {
+ switch (arizona->pdata.clk32k_src) {
+ case ARIZONA_32KZ_MCLK1:
+- ret = pm_runtime_get_sync(arizona->dev);
++ ret = pm_runtime_resume_and_get(arizona->dev);
+ if (ret != 0)
+ goto err_ref;
+ ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK1]);
+--
+2.39.2
+
--- /dev/null
+From ea53dea3753fc75261822e71a5897cac1644f822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Feb 2023 08:38:45 +0000
+Subject: net: fix __dev_kfree_skb_any() vs drop monitor
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ac3ad19584b26fae9ac86e4faebe790becc74491 ]
+
+dev_kfree_skb() is aliased to consume_skb().
+
+When a driver is dropping a packet by calling dev_kfree_skb_any()
+we should propagate the drop reason instead of pretending
+the packet was consumed.
+
+Note: Now we have enum skb_drop_reason we could remove
+enum skb_free_reason (for linux-6.4)
+
+v2: added an unlikely(), suggested by Yunsheng Lin.
+
+Fixes: e6247027e517 ("net: introduce dev_consume_skb_any()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yunsheng Lin <linyunsheng@huawei.com>
+Reviewed-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index b7646d4e079b4..8cbcb6a104f2f 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3119,8 +3119,10 @@ void __dev_kfree_skb_any(struct sk_buff *skb, enum skb_free_reason reason)
+ {
+ if (in_irq() || irqs_disabled())
+ __dev_kfree_skb_irq(skb, reason);
++ else if (unlikely(reason == SKB_REASON_DROPPED))
++ kfree_skb(skb);
+ else
+- dev_kfree_skb(skb);
++ consume_skb(skb);
+ }
+ EXPORT_SYMBOL(__dev_kfree_skb_any);
+
+--
+2.39.2
+
--- /dev/null
+From 9367ec911fd5b3bbc4027854078ad9af3a7406af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Feb 2023 17:44:06 +0200
+Subject: net/mlx5: Geneve, Fix handling of Geneve object id as error code
+
+From: Maor Dickman <maord@nvidia.com>
+
+[ Upstream commit d28a06d7dbedc598a06bd1e53a28125f87ca5d0c ]
+
+On success, mlx5_geneve_tlv_option_create returns non negative
+Geneve object id. In case the object id is positive value the
+caller functions will handle it as an error (non zero) and
+will fail to offload the Geneve rule.
+
+Fix this by changing caller function ,mlx5_geneve_tlv_option_add,
+to return 0 in case valid non negative object id was provided.
+
+Fixes: 0ccc171ea6a2 ("net/mlx5: Geneve, Manage Geneve TLV options")
+Signed-off-by: Maor Dickman <maord@nvidia.com>
+Reviewed-by: Raed Salem <raeds@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lib/geneve.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/geneve.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/geneve.c
+index 23361a9ae4fa0..6dc83e871cd76 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/geneve.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/geneve.c
+@@ -105,6 +105,7 @@ int mlx5_geneve_tlv_option_add(struct mlx5_geneve *geneve, struct geneve_opt *op
+ geneve->opt_type = opt->type;
+ geneve->obj_id = res;
+ geneve->refcount++;
++ res = 0;
+ }
+
+ unlock:
+--
+2.39.2
+
--- /dev/null
+From 1a0b667a08fe98d0edda86b299223ca7de0d5edf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Feb 2023 12:00:58 -0300
+Subject: net/sched: act_sample: fix action bind logic
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 4a20056a49a1854966562241922f68197f950539 ]
+
+The TC architecture allows filters and actions to be created independently.
+In filters the user can reference action objects using:
+tc action add action sample ... index 1
+tc filter add ... action pedit index 1
+
+In the current code for act_sample this is broken as it checks netlink
+attributes for create/update before actually checking if we are binding to an
+existing action.
+
+tdc results:
+1..29
+ok 1 9784 - Add valid sample action with mandatory arguments
+ok 2 5c91 - Add valid sample action with mandatory arguments and continue control action
+ok 3 334b - Add valid sample action with mandatory arguments and drop control action
+ok 4 da69 - Add valid sample action with mandatory arguments and reclassify control action
+ok 5 13ce - Add valid sample action with mandatory arguments and pipe control action
+ok 6 1886 - Add valid sample action with mandatory arguments and jump control action
+ok 7 7571 - Add sample action with invalid rate
+ok 8 b6d4 - Add sample action with mandatory arguments and invalid control action
+ok 9 a874 - Add invalid sample action without mandatory arguments
+ok 10 ac01 - Add invalid sample action without mandatory argument rate
+ok 11 4203 - Add invalid sample action without mandatory argument group
+ok 12 14a7 - Add invalid sample action without mandatory argument group
+ok 13 8f2e - Add valid sample action with trunc argument
+ok 14 45f8 - Add sample action with maximum rate argument
+ok 15 ad0c - Add sample action with maximum trunc argument
+ok 16 83a9 - Add sample action with maximum group argument
+ok 17 ed27 - Add sample action with invalid rate argument
+ok 18 2eae - Add sample action with invalid group argument
+ok 19 6ff3 - Add sample action with invalid trunc size
+ok 20 2b2a - Add sample action with invalid index
+ok 21 dee2 - Add sample action with maximum allowed index
+ok 22 560e - Add sample action with cookie
+ok 23 704a - Replace existing sample action with new rate argument
+ok 24 60eb - Replace existing sample action with new group argument
+ok 25 2cce - Replace existing sample action with new trunc argument
+ok 26 59d1 - Replace existing sample action with new control argument
+ok 27 0a6e - Replace sample action with invalid goto chain control
+ok 28 3872 - Delete sample action with valid index
+ok 29 a394 - Delete sample action with invalid index
+
+Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_sample.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
+index 2f0e98bcf4945..6988a9cf40806 100644
+--- a/net/sched/act_sample.c
++++ b/net/sched/act_sample.c
+@@ -54,8 +54,8 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
+ sample_policy, NULL);
+ if (ret < 0)
+ return ret;
+- if (!tb[TCA_SAMPLE_PARMS] || !tb[TCA_SAMPLE_RATE] ||
+- !tb[TCA_SAMPLE_PSAMPLE_GROUP])
++
++ if (!tb[TCA_SAMPLE_PARMS])
+ return -EINVAL;
+
+ parm = nla_data(tb[TCA_SAMPLE_PARMS]);
+@@ -79,6 +79,13 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
+ tcf_idr_release(*a, bind);
+ return -EEXIST;
+ }
++
++ if (!tb[TCA_SAMPLE_RATE] || !tb[TCA_SAMPLE_PSAMPLE_GROUP]) {
++ NL_SET_ERR_MSG(extack, "sample rate and group are required");
++ err = -EINVAL;
++ goto release_idr;
++ }
++
+ err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
+ if (err < 0)
+ goto release_idr;
+--
+2.39.2
+
--- /dev/null
+From 626c5b38fa7bed68035c950df5f617b6834699f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Feb 2023 15:17:30 +0800
+Subject: netfilter: ctnetlink: fix possible refcount leak in
+ ctnetlink_create_conntrack()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit ac4893980bbe79ce383daf9a0885666a30fe4c83 ]
+
+nf_ct_put() needs to be called to put the refcount got by
+nf_conntrack_find_get() to avoid refcount leak when
+nf_conntrack_hash_check_insert() fails.
+
+Fixes: 7d367e06688d ("netfilter: ctnetlink: fix soft lockup when netlink adds new entries (v2)")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 2efdc50f978b0..f8ba3bc25cf34 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -2359,12 +2359,15 @@ ctnetlink_create_conntrack(struct net *net,
+
+ err = nf_conntrack_hash_check_insert(ct);
+ if (err < 0)
+- goto err2;
++ goto err3;
+
+ rcu_read_unlock();
+
+ return ct;
+
++err3:
++ if (ct->master)
++ nf_ct_put(ct->master);
+ err2:
+ rcu_read_unlock();
+ err1:
+--
+2.39.2
+
--- /dev/null
+From 2ea15e42c95e2862e28beb9e0b696201246067af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Feb 2023 23:20:06 +0100
+Subject: netfilter: ebtables: fix table blob use-after-free
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit e58a171d35e32e6e8c37cfe0e8a94406732a331f ]
+
+We are not allowed to return an error at this point.
+Looking at the code it looks like ret is always 0 at this
+point, but its not.
+
+t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
+
+... this can return a valid table, with ret != 0.
+
+This bug causes update of table->private with the new
+blob, but then frees the blob right away in the caller.
+
+Syzbot report:
+
+BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
+Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74
+Workqueue: netns cleanup_net
+Call Trace:
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
+ __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
+ ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
+ ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
+ cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613
+...
+
+ip(6)tables appears to be ok (ret should be 0 at this point) but make
+this more obvious.
+
+Fixes: c58dd2dd443c ("netfilter: Can't fail and free after table replacement")
+Reported-by: syzbot+f61594de72d6705aea03@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/ebtables.c | 2 +-
+ net/ipv4/netfilter/ip_tables.c | 3 +--
+ net/ipv6/netfilter/ip6_tables.c | 3 +--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 06b80b5843819..8335b7e4bcf6f 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1049,7 +1049,7 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
+
+ audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
+ AUDIT_XT_OP_REPLACE, GFP_KERNEL);
+- return ret;
++ return 0;
+
+ free_unlock:
+ mutex_unlock(&ebt_mutex);
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index f77ea0dbe6562..ec981618b7b22 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1044,7 +1044,6 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ struct xt_counters *counters;
+ struct ipt_entry *iter;
+
+- ret = 0;
+ counters = xt_counters_alloc(num_counters);
+ if (!counters) {
+ ret = -ENOMEM;
+@@ -1090,7 +1089,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n");
+ }
+ vfree(counters);
+- return ret;
++ return 0;
+
+ put_module:
+ module_put(t->me);
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index d36168baf6776..99bb11d167127 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1062,7 +1062,6 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ struct xt_counters *counters;
+ struct ip6t_entry *iter;
+
+- ret = 0;
+ counters = xt_counters_alloc(num_counters);
+ if (!counters) {
+ ret = -ENOMEM;
+@@ -1108,7 +1107,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
+ }
+ vfree(counters);
+- return ret;
++ return 0;
+
+ put_module:
+ module_put(t->me);
+--
+2.39.2
+
--- /dev/null
+From b125ad32b984e7cab4ae33c1efae817f1522e8af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 13:56:14 +0300
+Subject: nfc: fix memory leak of se_io context in nfc_genl_se_io
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 25ff6f8a5a3b8dc48e8abda6f013e8cc4b14ffea ]
+
+The callback context for sending/receiving APDUs to/from the selected
+secure element is allocated inside nfc_genl_se_io and supposed to be
+eventually freed in se_io_cb callback function. However, there are several
+error paths where the bwi_timer is not charged to call se_io_cb later, and
+the cb_context is leaked.
+
+The patch proposes to free the cb_context explicitly on those error paths.
+
+At the moment we can't simply check 'dev->ops->se_io()' return value as it
+may be negative in both cases: when the timer was charged and was not.
+
+Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
+Reported-by: syzbot+df64c0a2e8d68e78a4fa@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 6 ++++++
+ drivers/nfc/st21nfca/se.c | 6 ++++++
+ net/nfc/netlink.c | 4 ++++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index 37d397aae9b9d..a14afceaf5e92 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -664,6 +664,12 @@ int st_nci_se_io(struct nci_dev *ndev, u32 se_idx,
+ ST_NCI_EVT_TRANSMIT_DATA, apdu,
+ apdu_length);
+ default:
++ /* Need to free cb_context here as at the moment we can't
++ * clearly indicate to the caller if the callback function
++ * would be called (and free it) or not. In both cases a
++ * negative value may be returned to the caller.
++ */
++ kfree(cb_context);
+ return -ENODEV;
+ }
+ }
+diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
+index d416365042462..6a1d3b2752fbf 100644
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -236,6 +236,12 @@ int st21nfca_hci_se_io(struct nfc_hci_dev *hdev, u32 se_idx,
+ ST21NFCA_EVT_TRANSMIT_DATA,
+ apdu, apdu_length);
+ default:
++ /* Need to free cb_context here as at the moment we can't
++ * clearly indicate to the caller if the callback function
++ * would be called (and free it) or not. In both cases a
++ * negative value may be returned to the caller.
++ */
++ kfree(cb_context);
+ return -ENODEV;
+ }
+ }
+diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
+index 610caea4feec8..3f4785be066a8 100644
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1442,7 +1442,11 @@ static int nfc_se_io(struct nfc_dev *dev, u32 se_idx,
+ rc = dev->ops->se_io(dev, se_idx, apdu,
+ apdu_length, cb, cb_context);
+
++ device_unlock(&dev->dev);
++ return rc;
++
+ error:
++ kfree(cb_context);
+ device_unlock(&dev->dev);
+ return rc;
+ }
+--
+2.39.2
+
--- /dev/null
+From 0cce33029fcfd280cb1aab3c5060adede664e5d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 12:06:42 +0400
+Subject: objtool: Fix memory leak in create_static_call_sections()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 3da73f102309fe29150e5c35acd20dd82063ff67 ]
+
+strdup() allocates memory for key_name. We need to release the memory in
+the following error paths. Add free() to avoid memory leak.
+
+Fixes: 1e7e47883830 ("x86/static_call: Add inline static call implementation for x86-64")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20221205080642.558583-1-linmq006@gmail.com
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 5c4190382a51a..9a0a54194636c 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -572,6 +572,7 @@ static int create_static_call_sections(struct objtool_file *file)
+ if (strncmp(key_name, STATIC_CALL_TRAMP_PREFIX_STR,
+ STATIC_CALL_TRAMP_PREFIX_LEN)) {
+ WARN("static_call: trampoline name malformed: %s", key_name);
++ free(key_name);
+ return -1;
+ }
+ tmp = key_name + STATIC_CALL_TRAMP_PREFIX_LEN - STATIC_CALL_KEY_PREFIX_LEN;
+@@ -581,6 +582,7 @@ static int create_static_call_sections(struct objtool_file *file)
+ if (!key_sym) {
+ if (!module) {
+ WARN("static_call: can't find static_call_key symbol: %s", tmp);
++ free(key_name);
+ return -1;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 84375f27795536025fb1d27a530ea1c0e47910be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jan 2023 21:56:55 +0000
+Subject: parport_pc: Set up mode and ECR masks for Oxford Semiconductor
+ devices
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit c087df8d1e7dc2e764d11234d84b5af46d500f16 ]
+
+No Oxford Semiconductor PCI or PCIe parallel port device supports the
+Parallel Port FIFO mode. All support the PS/2 Parallel Port mode and
+the Enhanced Parallel Port mode via the ECR register. The original 5V
+PCI OX16PCI954 device does not support the Extended Capabilities Port
+mode, the Test mode or the Configuration mode, but all the other OxSemi
+devices do, including in particular the 3.3V PCI OXmPCI954 device and
+the universal voltage PCI OXuPCI954 device. All the unsupported modes
+are marked reserved in the relevant datasheets.
+
+Accordingly enable the `base_hi' BAR for the 954 devices to enable PS2
+and EPP mode support via the ECR register, however mask the COMPAT mode
+and, until we have a way to determine what chip variant it is that we
+poke at, also the ECP mode, and mask the COMPAT mode only for all the
+remaining OxSemi devices, fixing errors like:
+
+parport0: FIFO is stuck
+FIFO write timed out
+
+and a non-functional port when the Parallel Port FIFO mode is selected.
+
+Complementing the fix apply an ECR mask for all these devices, which are
+documented to only permit writing to the mode field of the ECR register
+with a bit pattern of 00001 required to be written to bits 4:0 on mode
+field writes. No nFault or service interrupts are implemented, which
+will therefore never have to be enabled, though bit 2 does report the
+FIFO threshold status to be polled for in the ECP mode where supported.
+
+We have a documented case of writing 1 to bit 2 causing a lock-up with
+at least one OX12PCI840 device (from old drivers/parport/ChangeLog):
+
+2001-10-10 Tim Waugh <twaugh@redhat.com>
+
+ * parport_pc.c: Support for OX12PCI840 PCI card (reported by
+ mk@daveg.com). Lock-ups diagnosed by Ronnie Arosa (and now we
+ just don't trust its ECR).
+
+which commit adbd321a17cc ("parport_pc: add base_hi BAR for oxsemi_840")
+must have broken and by applying an ECR mask here we prevent the lock-up
+from triggering. This could have been the reason for requiring 00001 to
+be written to bits 4:0 of ECR.
+
+Update the inline comment accordingly; it has come from Linux 2.4.12
+back in 2001 and predates the introduction of OXmPCI954 and OXuPCI954
+devices that do support ECP.
+
+References:
+
+[1] "OX16PCI954 Integrated Quad UART and PCI interface", Oxford
+ Semiconductor Ltd., Data Sheet Revision 1.3, Feb. 1999, Chapter 9
+ "Bidirectional Parallel Port", pp. 53-55
+
+[2] "OX16PCI952 Data Sheet, Integrated High Performance Dual UARTs,
+ Parallel Port and 5.0v PCI interface", Oxford Semiconductor Ltd.,
+ DS_B008A_00, Datasheet rev 1.1, June 2001, Chapter 8 "Bi-directional
+ Parallel Port", pp. 52-56
+
+[3] "OXmPCI954 DATA SHEET Integrated High Performance Quad UARTs, 8-bit
+ Local Bus/Parallel Port. 3.3v PCI/miniPCI interface.", Oxford
+ Semiconductor Ltd., DS-0019, June 2005, Chapter 10 "Bidirectional
+ Parallel Port", pp. 86-90
+
+[4] "OXmPCI952 Data Sheet, Integrated High Performance Dual UARTs, 8-bit
+ Local Bus/Parallel Port. 3.3v PCI/miniPCI interface.", Oxford
+ Semiconductor Ltd., DS-0020, June 2005, Chapter 8 "Bidirectional
+ Parallel Port", pp. 73-77
+
+[5] "OX12PCI840 Integrated Parallel Port and PCI interface", Oxford
+ Semiconductor Ltd., DS-0021, Jun 2005, Chapter 5 "Bi-directional
+ Parallel Port", pp. 18-21
+
+[6] "OXPCIe952 PCI Express Bridge to Dual Serial & Parallel Port",
+ Oxford Semiconductor, Inc., DS-0046, Mar 06 08, Chapter "Parallel
+ Port Function", pp. 59-62
+
+[7] "OXPCIe840 PCI Express Bridge to Parallel Port", Oxford
+ Semiconductor, Inc., DS-0049, Mar 06 08, Chapter "Parallel Port
+ Function", pp. 15-18
+
+[8] "OXuPCI954 Data Sheet, Integrated High Performance Quad UARTs, 8-bit
+ Local Bus/Parallel Port, 3.3 V and 5 V (Universal Voltage) PCI
+ Interface.", Oxford Semiconductor, Inc., DS-0058, 26 Jan 2009,
+ Chapter 8 "Bidirectional Parallel Port", pp. 62-65
+
+[9] "OXuPCI952 Data Sheet, Integrated High Performance Dual UARTs, 8-bit
+ Local Bus/Parallel Port, 3.3 V and 5.0 V Universal Voltage PCI
+ Interface.", Oxford Semiconductor, Inc., DS-0059, Sep 2007, Chapter
+ 8 "Bidirectional Parallel Port", pp. 61-64
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/20230108215656.6433-6-sudipm.mukherjee@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/parport_pc.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index 925be41eeebec..c2af2aa6d437c 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -2657,12 +2657,19 @@ static struct parport_pc_pci {
+ /* titan_010l */ { 1, { { 3, -1 }, } },
+ /* avlab_1p */ { 1, { { 0, 1}, } },
+ /* avlab_2p */ { 2, { { 0, 1}, { 2, 3 },} },
+- /* The Oxford Semi cards are unusual: 954 doesn't support ECP,
+- * and 840 locks up if you write 1 to bit 2! */
+- /* oxsemi_952 */ { 1, { { 0, 1 }, } },
+- /* oxsemi_954 */ { 1, { { 0, -1 }, } },
+- /* oxsemi_840 */ { 1, { { 0, 1 }, } },
+- /* oxsemi_pcie_pport */ { 1, { { 0, 1 }, } },
++ /* The Oxford Semi cards are unusual: older variants of 954 don't
++ * support ECP, and 840 locks up if you write 1 to bit 2! None
++ * implement nFault or service interrupts and all require 00001
++ * bit pattern to be used for bits 4:0 with ECR writes. */
++ /* oxsemi_952 */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
++ /* oxsemi_954 */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_ECP |
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
++ /* oxsemi_840 */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
++ /* oxsemi_pcie_pport */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
+ /* aks_0100 */ { 1, { { 0, -1 }, } },
+ /* mobility_pp */ { 1, { { 0, 1 }, } },
+
+--
+2.39.2
+
--- /dev/null
+From 92a4404aea9c8bf8db743303fa1445105a6bee58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Feb 2023 18:24:19 +0800
+Subject: PCI: Add ACS quirk for Wangxun NICs
+
+From: Mengyuan Lou <mengyuanlou@net-swift.com>
+
+[ Upstream commit a2b9b123ccac913e9f9b80337d687a2fe786a634 ]
+
+Wangxun has verified there is no peer-to-peer between functions for the
+below selection of SFxxx, RP1000 and RP2000 NICS. They may be
+multi-function devices, but the hardware does not advertise ACS capability.
+
+Add an ACS quirk for these devices so the functions can be in independent
+IOMMU groups.
+
+Link: https://lore.kernel.org/r/20230207102419.44326-1-mengyuanlou@net-swift.com
+Signed-off-by: Mengyuan Lou <mengyuanlou@net-swift.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 22 ++++++++++++++++++++++
+ include/linux/pci_ids.h | 2 ++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index f30c42f0ac310..c1ebd5e12b06e 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4797,6 +4797,26 @@ static int pci_quirk_brcm_acs(struct pci_dev *dev, u16 acs_flags)
+ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
+ }
+
++/*
++ * Wangxun 10G/1G NICs have no ACS capability, and on multi-function
++ * devices, peer-to-peer transactions are not be used between the functions.
++ * So add an ACS quirk for below devices to isolate functions.
++ * SFxxx 1G NICs(em).
++ * RP1000/RP2000 10G NICs(sp).
++ */
++static int pci_quirk_wangxun_nic_acs(struct pci_dev *dev, u16 acs_flags)
++{
++ switch (dev->device) {
++ case 0x0100 ... 0x010F:
++ case 0x1001:
++ case 0x2001:
++ return pci_acs_ctrl_enabled(acs_flags,
++ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
++ }
++
++ return false;
++}
++
+ static const struct pci_dev_acs_enabled {
+ u16 vendor;
+ u16 device;
+@@ -4942,6 +4962,8 @@ static const struct pci_dev_acs_enabled {
+ { PCI_VENDOR_ID_NXP, 0x8d9b, pci_quirk_nxp_rp_acs },
+ /* Zhaoxin Root/Downstream Ports */
+ { PCI_VENDOR_ID_ZHAOXIN, PCI_ANY_ID, pci_quirk_zhaoxin_pcie_ports_acs },
++ /* Wangxun nics */
++ { PCI_VENDOR_ID_WANGXUN, PCI_ANY_ID, pci_quirk_wangxun_nic_acs },
+ { 0 }
+ };
+
+diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
+index 69e310173fbca..2e1935917c241 100644
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -3033,6 +3033,8 @@
+ #define PCI_DEVICE_ID_INTEL_VMD_9A0B 0x9a0b
+ #define PCI_DEVICE_ID_INTEL_S21152BB 0xb152
+
++#define PCI_VENDOR_ID_WANGXUN 0x8088
++
+ #define PCI_VENDOR_ID_SCALEMP 0x8686
+ #define PCI_DEVICE_ID_SCALEMP_VSMP_CTL 0x1010
+
+--
+2.39.2
+
--- /dev/null
+From 7d08be52cf3057102c29633fc13e7b9f7d03ba04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 11:24:03 +0200
+Subject: PCI: Align extra resources for hotplug bridges properly
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit 08f0a15ee8adb4846b08ca5d5c175fbf0f652bc9 ]
+
+After division the extra resource space per hotplug bridge may not be
+aligned according to the window alignment, so align it before passing it
+down for further distribution.
+
+Link: https://lore.kernel.org/r/20230131092405.29121-2-mika.westerberg@linux.intel.com
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/setup-bus.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+index 2ce636937c6ea..4a6b698b5dd10 100644
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -2004,6 +2004,7 @@ static void pci_bus_distribute_available_resources(struct pci_bus *bus,
+ * resource space between hotplug bridges.
+ */
+ for_each_pci_bridge(dev, bus) {
++ struct resource *res;
+ struct pci_bus *b;
+
+ b = dev->subordinate;
+@@ -2015,16 +2016,28 @@ static void pci_bus_distribute_available_resources(struct pci_bus *bus,
+ * hotplug-capable downstream ports taking alignment into
+ * account.
+ */
+- io.end = io.start + io_per_hp - 1;
+- mmio.end = mmio.start + mmio_per_hp - 1;
+- mmio_pref.end = mmio_pref.start + mmio_pref_per_hp - 1;
++ res = &dev->resource[PCI_BRIDGE_IO_WINDOW];
++ align = pci_resource_alignment(dev, res);
++ io.end = align ? io.start + ALIGN_DOWN(io_per_hp, align) - 1
++ : io.start + io_per_hp - 1;
++
++ res = &dev->resource[PCI_BRIDGE_MEM_WINDOW];
++ align = pci_resource_alignment(dev, res);
++ mmio.end = align ? mmio.start + ALIGN_DOWN(mmio_per_hp, align) - 1
++ : mmio.start + mmio_per_hp - 1;
++
++ res = &dev->resource[PCI_BRIDGE_PREF_MEM_WINDOW];
++ align = pci_resource_alignment(dev, res);
++ mmio_pref.end = align ? mmio_pref.start +
++ ALIGN_DOWN(mmio_pref_per_hp, align) - 1
++ : mmio_pref.start + mmio_pref_per_hp - 1;
+
+ pci_bus_distribute_available_resources(b, add_list, io, mmio,
+ mmio_pref);
+
+- io.start += io_per_hp;
+- mmio.start += mmio_per_hp;
+- mmio_pref.start += mmio_pref_per_hp;
++ io.start += io.end + 1;
++ mmio.start += mmio.end + 1;
++ mmio_pref.start += mmio_pref.end + 1;
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 14502fedd5a01a4ae7a00ecec7cafb396e5dce4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Feb 2023 10:33:21 +0800
+Subject: PCI: loongson: Add more devices that need MRRS quirk
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+[ Upstream commit c768f8c5f40fcdc6f058cc2f02592163d6c6716c ]
+
+Loongson-2K SOC and LS7A2000 chipset add new PCI IDs that need MRRS
+quirk. Add them.
+
+Link: https://lore.kernel.org/r/20230211023321.3530080-1-chenhuacai@loongson.cn
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-loongson.c | 33 +++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-loongson.c b/drivers/pci/controller/pci-loongson.c
+index dc7b4e4293ced..e73e18a73833b 100644
+--- a/drivers/pci/controller/pci-loongson.c
++++ b/drivers/pci/controller/pci-loongson.c
+@@ -13,9 +13,14 @@
+ #include "../pci.h"
+
+ /* Device IDs */
+-#define DEV_PCIE_PORT_0 0x7a09
+-#define DEV_PCIE_PORT_1 0x7a19
+-#define DEV_PCIE_PORT_2 0x7a29
++#define DEV_LS2K_PCIE_PORT0 0x1a05
++#define DEV_LS7A_PCIE_PORT0 0x7a09
++#define DEV_LS7A_PCIE_PORT1 0x7a19
++#define DEV_LS7A_PCIE_PORT2 0x7a29
++#define DEV_LS7A_PCIE_PORT3 0x7a39
++#define DEV_LS7A_PCIE_PORT4 0x7a49
++#define DEV_LS7A_PCIE_PORT5 0x7a59
++#define DEV_LS7A_PCIE_PORT6 0x7a69
+
+ #define DEV_LS2K_APB 0x7a02
+ #define DEV_LS7A_CONF 0x7a10
+@@ -38,11 +43,11 @@ static void bridge_class_quirk(struct pci_dev *dev)
+ dev->class = PCI_CLASS_BRIDGE_PCI << 8;
+ }
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+- DEV_PCIE_PORT_0, bridge_class_quirk);
++ DEV_LS7A_PCIE_PORT0, bridge_class_quirk);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+- DEV_PCIE_PORT_1, bridge_class_quirk);
++ DEV_LS7A_PCIE_PORT1, bridge_class_quirk);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+- DEV_PCIE_PORT_2, bridge_class_quirk);
++ DEV_LS7A_PCIE_PORT2, bridge_class_quirk);
+
+ static void system_bus_quirk(struct pci_dev *pdev)
+ {
+@@ -72,11 +77,21 @@ static void loongson_mrrs_quirk(struct pci_dev *pdev)
+ bridge->no_inc_mrrs = 1;
+ }
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+- DEV_PCIE_PORT_0, loongson_mrrs_quirk);
++ DEV_LS2K_PCIE_PORT0, loongson_mrrs_quirk);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+- DEV_PCIE_PORT_1, loongson_mrrs_quirk);
++ DEV_LS7A_PCIE_PORT0, loongson_mrrs_quirk);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+- DEV_PCIE_PORT_2, loongson_mrrs_quirk);
++ DEV_LS7A_PCIE_PORT1, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_LS7A_PCIE_PORT2, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_LS7A_PCIE_PORT3, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_LS7A_PCIE_PORT4, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_LS7A_PCIE_PORT5, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_LS7A_PCIE_PORT6, loongson_mrrs_quirk);
+
+ static void __iomem *cfg1_map(struct loongson_pci *priv, int bus,
+ unsigned int devfn, int where)
+--
+2.39.2
+
--- /dev/null
+From 6fad6d63b9f264f1970f2392d64ef2876d90ecbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Feb 2023 12:30:18 +0800
+Subject: PCI: loongson: Prevent LS7A MRRS increases
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+[ Upstream commit 8b3517f88ff2983f52698893519227c10aac90b2 ]
+
+Except for isochronous-configured devices, software may set
+Max_Read_Request_Size (MRRS) to any value up to 4096. If a device issues a
+read request with size greater than the completer's Max_Payload_Size (MPS),
+the completer is required to break the response into multiple completions.
+
+Instead of correctly responding with multiple completions to a large read
+request, some LS7A Root Ports respond with a Completer Abort. To prevent
+this, the MRRS must be limited to an implementation-specific value.
+
+The OS cannot detect that value, so rely on BIOS to configure MRRS before
+booting, and quirk the Root Ports so we never set an MRRS larger than that
+BIOS value for any downstream device.
+
+N.B. Hot-added devices are not configured by BIOS, and they power up with
+MRRS = 512 bytes, so these devices will be limited to 512 bytes. If the
+LS7A limit is smaller, those hot-added devices may not work correctly, but
+per [1], hotplug is not supported with this chipset revision.
+
+[1] https://lore.kernel.org/r/073638a7-ae68-2847-ac3d-29e5e760d6af@loongson.cn
+
+[bhelgaas: commit log]
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216884
+Link: https://lore.kernel.org/r/20230201043018.778499-3-chenhuacai@loongson.cn
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-loongson.c | 44 +++++++++------------------
+ drivers/pci/pci.c | 10 ++++++
+ include/linux/pci.h | 1 +
+ 3 files changed, 26 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-loongson.c b/drivers/pci/controller/pci-loongson.c
+index 48169b1e38171..dc7b4e4293ced 100644
+--- a/drivers/pci/controller/pci-loongson.c
++++ b/drivers/pci/controller/pci-loongson.c
+@@ -60,37 +60,23 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
+ DEV_LS7A_LPC, system_bus_quirk);
+
+-static void loongson_mrrs_quirk(struct pci_dev *dev)
++static void loongson_mrrs_quirk(struct pci_dev *pdev)
+ {
+- struct pci_bus *bus = dev->bus;
+- struct pci_dev *bridge;
+- static const struct pci_device_id bridge_devids[] = {
+- { PCI_VDEVICE(LOONGSON, DEV_PCIE_PORT_0) },
+- { PCI_VDEVICE(LOONGSON, DEV_PCIE_PORT_1) },
+- { PCI_VDEVICE(LOONGSON, DEV_PCIE_PORT_2) },
+- { 0, },
+- };
+-
+- /* look for the matching bridge */
+- while (!pci_is_root_bus(bus)) {
+- bridge = bus->self;
+- bus = bus->parent;
+- /*
+- * Some Loongson PCIe ports have a h/w limitation of
+- * 256 bytes maximum read request size. They can't handle
+- * anything larger than this. So force this limit on
+- * any devices attached under these ports.
+- */
+- if (pci_match_id(bridge_devids, bridge)) {
+- if (pcie_get_readrq(dev) > 256) {
+- pci_info(dev, "limiting MRRS to 256\n");
+- pcie_set_readrq(dev, 256);
+- }
+- break;
+- }
+- }
++ /*
++ * Some Loongson PCIe ports have h/w limitations of maximum read
++ * request size. They can't handle anything larger than this. So
++ * force this limit on any devices attached under these ports.
++ */
++ struct pci_host_bridge *bridge = pci_find_host_bridge(pdev->bus);
++
++ bridge->no_inc_mrrs = 1;
+ }
+-DECLARE_PCI_FIXUP_ENABLE(PCI_ANY_ID, PCI_ANY_ID, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_PCIE_PORT_0, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_PCIE_PORT_1, loongson_mrrs_quirk);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_LOONGSON,
++ DEV_PCIE_PORT_2, loongson_mrrs_quirk);
+
+ static void __iomem *cfg1_map(struct loongson_pci *priv, int bus,
+ unsigned int devfn, int where)
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 845851e233521..744a2e05635b9 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5739,6 +5739,7 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+ {
+ u16 v;
+ int ret;
++ struct pci_host_bridge *bridge = pci_find_host_bridge(dev->bus);
+
+ if (rq < 128 || rq > 4096 || !is_power_of_2(rq))
+ return -EINVAL;
+@@ -5757,6 +5758,15 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+
+ v = (ffs(rq) - 8) << 12;
+
++ if (bridge->no_inc_mrrs) {
++ int max_mrrs = pcie_get_readrq(dev);
++
++ if (rq > max_mrrs) {
++ pci_info(dev, "can't set Max_Read_Request_Size to %d; max is %d\n", rq, max_mrrs);
++ return -EINVAL;
++ }
++ }
++
+ ret = pcie_capability_clear_and_set_word(dev, PCI_EXP_DEVCTL,
+ PCI_EXP_DEVCTL_READRQ, v);
+
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 692ce678c5f1c..4cc42ad2f6c52 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -539,6 +539,7 @@ struct pci_host_bridge {
+ struct msi_controller *msi;
+ unsigned int ignore_reset_delay:1; /* For entire hierarchy */
+ unsigned int no_ext_tags:1; /* No Extended Tags */
++ unsigned int no_inc_mrrs:1; /* No Increase MRRS */
+ unsigned int native_aer:1; /* OS may use PCIe AER */
+ unsigned int native_pcie_hotplug:1; /* OS may use PCIe hotplug */
+ unsigned int native_shpc_hotplug:1; /* OS may use SHPC hotplug */
+--
+2.39.2
+
--- /dev/null
+From 4e7f9eba8a5a5cc21a2870724b6af8074f5f4eb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 11:24:04 +0200
+Subject: PCI: Take other bus devices into account when distributing resources
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit 9db0b9b6a14249ef65a5f1e5e3b37762af96f425 ]
+
+A PCI bridge may reside on a bus with other devices as well. The resource
+distribution code does not take this into account and therefore it expands
+the bridge resource windows too much, not leaving space for the other
+devices (or functions of a multifunction device). This leads to an issue
+that Jonathan reported when running QEMU with the following topology (QEMU
+parameters):
+
+ -device pcie-root-port,port=0,id=root_port13,chassis=0,slot=2 \
+ -device x3130-upstream,id=sw1,bus=root_port13,multifunction=on \
+ -device e1000,bus=root_port13,addr=0.1 \
+ -device xio3130-downstream,id=fun1,bus=sw1,chassis=0,slot=3 \
+ -device e1000,bus=fun1
+
+The first e1000 NIC here is another function in the switch upstream port.
+This leads to following errors:
+
+ pci 0000:00:04.0: bridge window [mem 0x10200000-0x103fffff] to [bus 02-04]
+ pci 0000:02:00.0: bridge window [mem 0x10200000-0x103fffff] to [bus 03-04]
+ pci 0000:02:00.1: BAR 0: failed to assign [mem size 0x00020000]
+ e1000 0000:02:00.1: can't ioremap BAR 0: [??? 0x00000000 flags 0x0]
+
+Fix this by taking into account bridge windows, device BARs and SR-IOV PF
+BARs on the bus (PF BARs include space for VF BARS so only account PF
+BARs), including the ones belonging to bridges themselves if it has any.
+
+Link: https://lore.kernel.org/linux-pci/20221014124553.0000696f@huawei.com/
+Link: https://lore.kernel.org/linux-pci/6053736d-1923-41e7-def9-7585ce1772d9@ixsystems.com/
+Link: https://lore.kernel.org/r/20230131092405.29121-3-mika.westerberg@linux.intel.com
+Reported-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reported-by: Alexander Motin <mav@ixsystems.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/setup-bus.c | 176 ++++++++++++++++++++++++----------------
+ 1 file changed, 106 insertions(+), 70 deletions(-)
+
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+index 4a6b698b5dd10..16d291e10627b 100644
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -1878,12 +1878,67 @@ static void adjust_bridge_window(struct pci_dev *bridge, struct resource *res,
+ add_size = size - new_size;
+ pci_dbg(bridge, "bridge window %pR shrunken by %pa\n", res,
+ &add_size);
++ } else {
++ return;
+ }
+
+ res->end = res->start + new_size - 1;
+ remove_from_list(add_list, res);
+ }
+
++static void remove_dev_resource(struct resource *avail, struct pci_dev *dev,
++ struct resource *res)
++{
++ resource_size_t size, align, tmp;
++
++ size = resource_size(res);
++ if (!size)
++ return;
++
++ align = pci_resource_alignment(dev, res);
++ align = align ? ALIGN(avail->start, align) - avail->start : 0;
++ tmp = align + size;
++ avail->start = min(avail->start + tmp, avail->end + 1);
++}
++
++static void remove_dev_resources(struct pci_dev *dev, struct resource *io,
++ struct resource *mmio,
++ struct resource *mmio_pref)
++{
++ int i;
++
++ for (i = 0; i < PCI_NUM_RESOURCES; i++) {
++ struct resource *res = &dev->resource[i];
++
++ if (resource_type(res) == IORESOURCE_IO) {
++ remove_dev_resource(io, dev, res);
++ } else if (resource_type(res) == IORESOURCE_MEM) {
++
++ /*
++ * Make sure prefetchable memory is reduced from
++ * the correct resource. Specifically we put 32-bit
++ * prefetchable memory in non-prefetchable window
++ * if there is an 64-bit pretchable window.
++ *
++ * See comments in __pci_bus_size_bridges() for
++ * more information.
++ */
++ if ((res->flags & IORESOURCE_PREFETCH) &&
++ ((res->flags & IORESOURCE_MEM_64) ==
++ (mmio_pref->flags & IORESOURCE_MEM_64)))
++ remove_dev_resource(mmio_pref, dev, res);
++ else
++ remove_dev_resource(mmio, dev, res);
++ }
++ }
++}
++
++/*
++ * io, mmio and mmio_pref contain the total amount of bridge window space
++ * available. This includes the minimal space needed to cover all the
++ * existing devices on the bus and the possible extra space that can be
++ * shared with the bridges.
++ */
+ static void pci_bus_distribute_available_resources(struct pci_bus *bus,
+ struct list_head *add_list,
+ struct resource io,
+@@ -1893,7 +1948,7 @@ static void pci_bus_distribute_available_resources(struct pci_bus *bus,
+ unsigned int normal_bridges = 0, hotplug_bridges = 0;
+ struct resource *io_res, *mmio_res, *mmio_pref_res;
+ struct pci_dev *dev, *bridge = bus->self;
+- resource_size_t io_per_hp, mmio_per_hp, mmio_pref_per_hp, align;
++ resource_size_t io_per_b, mmio_per_b, mmio_pref_per_b, align;
+
+ io_res = &bridge->resource[PCI_BRIDGE_IO_WINDOW];
+ mmio_res = &bridge->resource[PCI_BRIDGE_MEM_WINDOW];
+@@ -1937,100 +1992,81 @@ static void pci_bus_distribute_available_resources(struct pci_bus *bus,
+ normal_bridges++;
+ }
+
+- /*
+- * There is only one bridge on the bus so it gets all available
+- * resources which it can then distribute to the possible hotplug
+- * bridges below.
+- */
+- if (hotplug_bridges + normal_bridges == 1) {
+- dev = list_first_entry(&bus->devices, struct pci_dev, bus_list);
+- if (dev->subordinate)
+- pci_bus_distribute_available_resources(dev->subordinate,
+- add_list, io, mmio, mmio_pref);
+- return;
+- }
+-
+- if (hotplug_bridges == 0)
++ if (!(hotplug_bridges + normal_bridges))
+ return;
+
+ /*
+- * Calculate the total amount of extra resource space we can
+- * pass to bridges below this one. This is basically the
+- * extra space reduced by the minimal required space for the
+- * non-hotplug bridges.
++ * Calculate the amount of space we can forward from "bus" to any
++ * downstream buses, i.e., the space left over after assigning the
++ * BARs and windows on "bus".
+ */
+- for_each_pci_bridge(dev, bus) {
+- resource_size_t used_size;
+- struct resource *res;
+-
+- if (dev->is_hotplug_bridge)
+- continue;
+-
+- /*
+- * Reduce the available resource space by what the
+- * bridge and devices below it occupy.
+- */
+- res = &dev->resource[PCI_BRIDGE_IO_WINDOW];
+- align = pci_resource_alignment(dev, res);
+- align = align ? ALIGN(io.start, align) - io.start : 0;
+- used_size = align + resource_size(res);
+- if (!res->parent)
+- io.start = min(io.start + used_size, io.end + 1);
+-
+- res = &dev->resource[PCI_BRIDGE_MEM_WINDOW];
+- align = pci_resource_alignment(dev, res);
+- align = align ? ALIGN(mmio.start, align) - mmio.start : 0;
+- used_size = align + resource_size(res);
+- if (!res->parent)
+- mmio.start = min(mmio.start + used_size, mmio.end + 1);
+-
+- res = &dev->resource[PCI_BRIDGE_PREF_MEM_WINDOW];
+- align = pci_resource_alignment(dev, res);
+- align = align ? ALIGN(mmio_pref.start, align) -
+- mmio_pref.start : 0;
+- used_size = align + resource_size(res);
+- if (!res->parent)
+- mmio_pref.start = min(mmio_pref.start + used_size,
+- mmio_pref.end + 1);
++ list_for_each_entry(dev, &bus->devices, bus_list) {
++ if (!dev->is_virtfn)
++ remove_dev_resources(dev, &io, &mmio, &mmio_pref);
+ }
+
+- io_per_hp = div64_ul(resource_size(&io), hotplug_bridges);
+- mmio_per_hp = div64_ul(resource_size(&mmio), hotplug_bridges);
+- mmio_pref_per_hp = div64_ul(resource_size(&mmio_pref),
+- hotplug_bridges);
+-
+ /*
+- * Go over devices on this bus and distribute the remaining
+- * resource space between hotplug bridges.
++ * If there is at least one hotplug bridge on this bus it gets all
++ * the extra resource space that was left after the reductions
++ * above.
++ *
++ * If there are no hotplug bridges the extra resource space is
++ * split between non-hotplug bridges. This is to allow possible
++ * hotplug bridges below them to get the extra space as well.
+ */
++ if (hotplug_bridges) {
++ io_per_b = div64_ul(resource_size(&io), hotplug_bridges);
++ mmio_per_b = div64_ul(resource_size(&mmio), hotplug_bridges);
++ mmio_pref_per_b = div64_ul(resource_size(&mmio_pref),
++ hotplug_bridges);
++ } else {
++ io_per_b = div64_ul(resource_size(&io), normal_bridges);
++ mmio_per_b = div64_ul(resource_size(&mmio), normal_bridges);
++ mmio_pref_per_b = div64_ul(resource_size(&mmio_pref),
++ normal_bridges);
++ }
++
+ for_each_pci_bridge(dev, bus) {
+ struct resource *res;
+ struct pci_bus *b;
+
+ b = dev->subordinate;
+- if (!b || !dev->is_hotplug_bridge)
++ if (!b)
+ continue;
++ if (hotplug_bridges && !dev->is_hotplug_bridge)
++ continue;
++
++ res = &dev->resource[PCI_BRIDGE_IO_WINDOW];
+
+ /*
+- * Distribute available extra resources equally between
+- * hotplug-capable downstream ports taking alignment into
+- * account.
++ * Make sure the split resource space is properly aligned
++ * for bridge windows (align it down to avoid going above
++ * what is available).
+ */
+- res = &dev->resource[PCI_BRIDGE_IO_WINDOW];
+ align = pci_resource_alignment(dev, res);
+- io.end = align ? io.start + ALIGN_DOWN(io_per_hp, align) - 1
+- : io.start + io_per_hp - 1;
++ io.end = align ? io.start + ALIGN_DOWN(io_per_b, align) - 1
++ : io.start + io_per_b - 1;
++
++ /*
++ * The x_per_b holds the extra resource space that can be
++ * added for each bridge but there is the minimal already
++ * reserved as well so adjust x.start down accordingly to
++ * cover the whole space.
++ */
++ io.start -= resource_size(res);
+
+ res = &dev->resource[PCI_BRIDGE_MEM_WINDOW];
+ align = pci_resource_alignment(dev, res);
+- mmio.end = align ? mmio.start + ALIGN_DOWN(mmio_per_hp, align) - 1
+- : mmio.start + mmio_per_hp - 1;
++ mmio.end = align ? mmio.start + ALIGN_DOWN(mmio_per_b, align) - 1
++ : mmio.start + mmio_per_b - 1;
++ mmio.start -= resource_size(res);
+
+ res = &dev->resource[PCI_BRIDGE_PREF_MEM_WINDOW];
+ align = pci_resource_alignment(dev, res);
+ mmio_pref.end = align ? mmio_pref.start +
+- ALIGN_DOWN(mmio_pref_per_hp, align) - 1
+- : mmio_pref.start + mmio_pref_per_hp - 1;
++ ALIGN_DOWN(mmio_pref_per_b, align) - 1
++ : mmio_pref.start + mmio_pref_per_b - 1;
++ mmio_pref.start -= resource_size(res);
+
+ pci_bus_distribute_available_resources(b, add_list, io, mmio,
+ mmio_pref);
+--
+2.39.2
+
--- /dev/null
+From d3a7d168cbda465c0fe174e42847a23e36555f7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Feb 2023 11:57:09 +0800
+Subject: phy: rockchip-typec: Fix unsigned comparison with less than zero
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit f765c59c5a72546a2d74a92ae5d0eb0329d8e247 ]
+
+The dp and ufp are defined as bool type, the return value type of
+function extcon_get_state should be int, so the type of dp and ufp
+are modified to int.
+
+./drivers/phy/rockchip/phy-rockchip-typec.c:827:12-14: WARNING: Unsigned expression compared with zero: dp > 0.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3962
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230213035709.99027-1-jiapeng.chong@linux.alibaba.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-typec.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-typec.c b/drivers/phy/rockchip/phy-rockchip-typec.c
+index 70a31251b202b..20f787d5ec581 100644
+--- a/drivers/phy/rockchip/phy-rockchip-typec.c
++++ b/drivers/phy/rockchip/phy-rockchip-typec.c
+@@ -808,9 +808,8 @@ static int tcphy_get_mode(struct rockchip_typec_phy *tcphy)
+ struct extcon_dev *edev = tcphy->extcon;
+ union extcon_property_value property;
+ unsigned int id;
+- bool ufp, dp;
+ u8 mode;
+- int ret;
++ int ret, ufp, dp;
+
+ if (!edev)
+ return MODE_DFP_USB;
+--
+2.39.2
+
--- /dev/null
+From 4bbe1e13c8fb22b373d3f05ac3e4028e5d20344e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 12:37:24 +0100
+Subject: pwm: sifive: Always let the first pwm_apply_state succeed
+
+From: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+
+[ Upstream commit 334c7b13d38321e47d1a51dba0bef9f4c403ec75 ]
+
+Commit 2cfe9bbec56ea579135cdd92409fff371841904f added support for the
+RGB and green PWM controlled LEDs on the HiFive Unmatched board
+managed by the leds-pwm-multicolor and leds-pwm drivers respectively.
+All three colours of the RGB LED and the green LED run from different
+lines of the same PWM, but with the same period so this works fine when
+the LED drivers are loaded one after the other.
+
+Unfortunately it does expose a race in the PWM driver when both LED
+drivers are loaded at roughly the same time. Here is an example:
+
+ | Thread A | Thread B |
+ | led_pwm_mc_probe | led_pwm_probe |
+ | devm_fwnode_pwm_get | |
+ | pwm_sifive_request | |
+ | ddata->user_count++ | |
+ | | devm_fwnode_pwm_get |
+ | | pwm_sifive_request |
+ | | ddata->user_count++ |
+ | ... | ... |
+ | pwm_state_apply | pwm_state_apply |
+ | pwm_sifive_apply | pwm_sifive_apply |
+
+Now both calls to pwm_sifive_apply will see that ddata->approx_period,
+initially 0, is different from the requested period and the clock needs
+to be updated. But since ddata->user_count >= 2 both calls will fail
+with -EBUSY, which will then cause both LED drivers to fail to probe.
+
+Fix it by letting the first call to pwm_sifive_apply update the clock
+even when ddata->user_count != 1.
+
+Fixes: 9e37a53eb051 ("pwm: sifive: Add a driver for SiFive SoC PWM")
+Signed-off-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-sifive.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-sifive.c b/drivers/pwm/pwm-sifive.c
+index 400cc91057acf..52a55bae033de 100644
+--- a/drivers/pwm/pwm-sifive.c
++++ b/drivers/pwm/pwm-sifive.c
+@@ -184,7 +184,13 @@ static int pwm_sifive_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+
+ mutex_lock(&ddata->lock);
+ if (state->period != ddata->approx_period) {
+- if (ddata->user_count != 1) {
++ /*
++ * Don't let a 2nd user change the period underneath the 1st user.
++ * However if ddate->approx_period == 0 this is the first time we set
++ * any period, so let whoever gets here first set the period so other
++ * users who agree on the period won't fail.
++ */
++ if (ddata->user_count != 1 && ddata->approx_period) {
+ mutex_unlock(&ddata->lock);
+ ret = -EBUSY;
+ goto exit;
+--
+2.39.2
+
--- /dev/null
+From 4f0c47a24ed2a3eb67bd0c620ab860e77aafb8ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 12:31:25 +0200
+Subject: pwm: sifive: Reduce time the controller lock is held
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 0f02f491b786143f08eb19840f1cf4f12aec6dee ]
+
+The lock is only to serialize access and update to user_count and
+approx_period between different PWMs served by the same pwm_chip.
+So the lock needs only to be taken during the check if the (chip global)
+period can and/or needs to be changed.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Tested-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: 334c7b13d383 ("pwm: sifive: Always let the first pwm_apply_state succeed")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-sifive.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pwm/pwm-sifive.c b/drivers/pwm/pwm-sifive.c
+index 12e9e23272ab1..400cc91057acf 100644
+--- a/drivers/pwm/pwm-sifive.c
++++ b/drivers/pwm/pwm-sifive.c
+@@ -41,7 +41,7 @@
+
+ struct pwm_sifive_ddata {
+ struct pwm_chip chip;
+- struct mutex lock; /* lock to protect user_count */
++ struct mutex lock; /* lock to protect user_count and approx_period */
+ struct notifier_block notifier;
+ struct clk *clk;
+ void __iomem *regs;
+@@ -76,6 +76,7 @@ static void pwm_sifive_free(struct pwm_chip *chip, struct pwm_device *pwm)
+ mutex_unlock(&ddata->lock);
+ }
+
++/* Called holding ddata->lock */
+ static void pwm_sifive_update_clock(struct pwm_sifive_ddata *ddata,
+ unsigned long rate)
+ {
+@@ -163,7 +164,6 @@ static int pwm_sifive_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ return ret;
+ }
+
+- mutex_lock(&ddata->lock);
+ cur_state = pwm->state;
+ enabled = cur_state.enabled;
+
+@@ -182,14 +182,17 @@ static int pwm_sifive_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ /* The hardware cannot generate a 100% duty cycle */
+ frac = min(frac, (1U << PWM_SIFIVE_CMPWIDTH) - 1);
+
++ mutex_lock(&ddata->lock);
+ if (state->period != ddata->approx_period) {
+ if (ddata->user_count != 1) {
++ mutex_unlock(&ddata->lock);
+ ret = -EBUSY;
+ goto exit;
+ }
+ ddata->approx_period = state->period;
+ pwm_sifive_update_clock(ddata, clk_get_rate(ddata->clk));
+ }
++ mutex_unlock(&ddata->lock);
+
+ writel(frac, ddata->regs + PWM_SIFIVE_PWMCMP(pwm->hwpwm));
+
+@@ -198,7 +201,6 @@ static int pwm_sifive_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+
+ exit:
+ clk_disable(ddata->clk);
+- mutex_unlock(&ddata->lock);
+ return ret;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 028142db3c002774a55bfb76c219f83994c7e4b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 14:36:52 +0100
+Subject: pwm: stm32-lp: fix the check on arr and cmp registers update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+
+[ Upstream commit 3066bc2d58be31275afb51a589668f265e419c37 ]
+
+The ARR (auto reload register) and CMP (compare) registers are
+successively written. The status bits to check the update of these
+registers are polled together with regmap_read_poll_timeout().
+The condition to end the loop may become true, even if one of the
+register isn't correctly updated.
+So ensure both status bits are set before clearing them.
+
+Fixes: e70a540b4e02 ("pwm: Add STM32 LPTimer PWM driver")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-stm32-lp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-stm32-lp.c b/drivers/pwm/pwm-stm32-lp.c
+index 945a8b2b85648..c8a847fcb775b 100644
+--- a/drivers/pwm/pwm-stm32-lp.c
++++ b/drivers/pwm/pwm-stm32-lp.c
+@@ -127,7 +127,7 @@ static int stm32_pwm_lp_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+
+ /* ensure CMP & ARR registers are properly written */
+ ret = regmap_read_poll_timeout(priv->regmap, STM32_LPTIM_ISR, val,
+- (val & STM32_LPTIM_CMPOK_ARROK),
++ (val & STM32_LPTIM_CMPOK_ARROK) == STM32_LPTIM_CMPOK_ARROK,
+ 100, 1000);
+ if (ret) {
+ dev_err(priv->chip.dev, "ARR/CMP registers write issue\n");
+--
+2.39.2
+
--- /dev/null
+From 002989259ae4e4473e7c2708ea5ad18f0d937977 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Dec 2022 15:53:19 -0600
+Subject: rtc: sun6i: Always export the internal oscillator
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 344f4030f6c50a9db2d03021884c4bf36191b53a ]
+
+On all variants of the hardware, the internal oscillator is one possible
+parent for the AR100 clock. It needs to be exported so we can model that
+relationship correctly in the devicetree.
+
+Fixes: c56afc1844d6 ("rtc: sun6i: Expose internal oscillator through device tree")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221229215319.14145-1-samuel@sholland.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-sun6i.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/rtc/rtc-sun6i.c b/drivers/rtc/rtc-sun6i.c
+index 52b36b7c61298..a72856fb5252c 100644
+--- a/drivers/rtc/rtc-sun6i.c
++++ b/drivers/rtc/rtc-sun6i.c
+@@ -128,7 +128,6 @@ struct sun6i_rtc_clk_data {
+ unsigned int fixed_prescaler : 16;
+ unsigned int has_prescaler : 1;
+ unsigned int has_out_clk : 1;
+- unsigned int export_iosc : 1;
+ unsigned int has_losc_en : 1;
+ unsigned int has_auto_swt : 1;
+ };
+@@ -260,10 +259,8 @@ static void __init sun6i_rtc_clk_init(struct device_node *node,
+ /* Yes, I know, this is ugly. */
+ sun6i_rtc = rtc;
+
+- /* Only read IOSC name from device tree if it is exported */
+- if (rtc->data->export_iosc)
+- of_property_read_string_index(node, "clock-output-names", 2,
+- &iosc_name);
++ of_property_read_string_index(node, "clock-output-names", 2,
++ &iosc_name);
+
+ rtc->int_osc = clk_hw_register_fixed_rate_with_accuracy(NULL,
+ iosc_name,
+@@ -304,13 +301,10 @@ static void __init sun6i_rtc_clk_init(struct device_node *node,
+ goto err_register;
+ }
+
+- clk_data->num = 2;
++ clk_data->num = 3;
+ clk_data->hws[0] = &rtc->hw;
+ clk_data->hws[1] = __clk_get_hw(rtc->ext_losc);
+- if (rtc->data->export_iosc) {
+- clk_data->hws[2] = rtc->int_osc;
+- clk_data->num = 3;
+- }
++ clk_data->hws[2] = rtc->int_osc;
+ of_clk_add_hw_provider(node, of_clk_hw_onecell_get, clk_data);
+ return;
+
+@@ -350,7 +344,6 @@ static const struct sun6i_rtc_clk_data sun8i_h3_rtc_data = {
+ .fixed_prescaler = 32,
+ .has_prescaler = 1,
+ .has_out_clk = 1,
+- .export_iosc = 1,
+ };
+
+ static void __init sun8i_h3_rtc_clk_init(struct device_node *node)
+@@ -368,7 +361,6 @@ static const struct sun6i_rtc_clk_data sun50i_h6_rtc_data = {
+ .fixed_prescaler = 32,
+ .has_prescaler = 1,
+ .has_out_clk = 1,
+- .export_iosc = 1,
+ .has_losc_en = 1,
+ .has_auto_swt = 1,
+ };
+--
+2.39.2
+
--- /dev/null
+From 9484bdd45d431ff66453800f65ace57bd2a324fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 14:28:08 +0100
+Subject: scsi: ipr: Work around fortify-string warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit ee4e7dfe4ffc9ca50c6875757bd119abfe22b5c5 ]
+
+The ipr_log_vpd_compact() function triggers a fortified memcpy() warning
+about a potential string overflow with all versions of clang:
+
+In file included from drivers/scsi/ipr.c:43:
+In file included from include/linux/string.h:254:
+include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ __write_overflow_field(p_size_field, size);
+ ^
+include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+2 errors generated.
+
+I don't see anything actually wrong with the function, but this is the only
+instance I can reproduce of the fortification going wrong in the kernel at
+the moment, so the easiest solution may be to rewrite the function into
+something that does not trigger the warning.
+
+Instead of having a combined buffer for vendor/device/serial strings, use
+three separate local variables and just truncate the whitespace
+individually.
+
+Link: https://lore.kernel.org/r/20230214132831.2118392-1-arnd@kernel.org
+Cc: Kees Cook <keescook@chromium.org>
+Fixes: 8cf093e275d0 ("[SCSI] ipr: Improved dual adapter errors")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ipr.c | 41 +++++++++++++++++++++--------------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index a5e6fbd86ad45..8c376736a8f51 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -1516,23 +1516,22 @@ static void ipr_process_ccn(struct ipr_cmnd *ipr_cmd)
+ }
+
+ /**
+- * strip_and_pad_whitespace - Strip and pad trailing whitespace.
+- * @i: index into buffer
+- * @buf: string to modify
++ * strip_whitespace - Strip and pad trailing whitespace.
++ * @i: size of buffer
++ * @buf: string to modify
+ *
+- * This function will strip all trailing whitespace, pad the end
+- * of the string with a single space, and NULL terminate the string.
++ * This function will strip all trailing whitespace and
++ * NUL terminate the string.
+ *
+- * Return value:
+- * new length of string
+ **/
+-static int strip_and_pad_whitespace(int i, char *buf)
++static void strip_whitespace(int i, char *buf)
+ {
++ if (i < 1)
++ return;
++ i--;
+ while (i && buf[i] == ' ')
+ i--;
+- buf[i+1] = ' ';
+- buf[i+2] = '\0';
+- return i + 2;
++ buf[i+1] = '\0';
+ }
+
+ /**
+@@ -1547,19 +1546,21 @@ static int strip_and_pad_whitespace(int i, char *buf)
+ static void ipr_log_vpd_compact(char *prefix, struct ipr_hostrcb *hostrcb,
+ struct ipr_vpd *vpd)
+ {
+- char buffer[IPR_VENDOR_ID_LEN + IPR_PROD_ID_LEN + IPR_SERIAL_NUM_LEN + 3];
+- int i = 0;
++ char vendor_id[IPR_VENDOR_ID_LEN + 1];
++ char product_id[IPR_PROD_ID_LEN + 1];
++ char sn[IPR_SERIAL_NUM_LEN + 1];
+
+- memcpy(buffer, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN);
+- i = strip_and_pad_whitespace(IPR_VENDOR_ID_LEN - 1, buffer);
++ memcpy(vendor_id, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN);
++ strip_whitespace(IPR_VENDOR_ID_LEN, vendor_id);
+
+- memcpy(&buffer[i], vpd->vpids.product_id, IPR_PROD_ID_LEN);
+- i = strip_and_pad_whitespace(i + IPR_PROD_ID_LEN - 1, buffer);
++ memcpy(product_id, vpd->vpids.product_id, IPR_PROD_ID_LEN);
++ strip_whitespace(IPR_PROD_ID_LEN, product_id);
+
+- memcpy(&buffer[i], vpd->sn, IPR_SERIAL_NUM_LEN);
+- buffer[IPR_SERIAL_NUM_LEN + i] = '\0';
++ memcpy(sn, vpd->sn, IPR_SERIAL_NUM_LEN);
++ strip_whitespace(IPR_SERIAL_NUM_LEN, sn);
+
+- ipr_hcam_err(hostrcb, "%s VPID/SN: %s\n", prefix, buffer);
++ ipr_hcam_err(hostrcb, "%s VPID/SN: %s %s %s\n", prefix,
++ vendor_id, product_id, sn);
+ }
+
+ /**
+--
+2.39.2
+
--- /dev/null
+From 3498b4e04d258d8042cd367e44e054aa5eade2d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 12:07:21 -0500
+Subject: sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 68ba44639537de6f91fe32783766322d41848127 ]
+
+With this refcnt added in sctp_stream_priorities, we don't need to
+traverse all streams to check if the prio is used by other streams
+when freeing one stream's prio in sctp_sched_prio_free_sid(). This
+can avoid a nested loop (up to 65535 * 65535), which may cause a
+stuck as Ying reported:
+
+ watchdog: BUG: soft lockup - CPU#23 stuck for 26s! [ksoftirqd/23:136]
+ Call Trace:
+ <TASK>
+ sctp_sched_prio_free_sid+0xab/0x100 [sctp]
+ sctp_stream_free_ext+0x64/0xa0 [sctp]
+ sctp_stream_free+0x31/0x50 [sctp]
+ sctp_association_free+0xa5/0x200 [sctp]
+
+Note that it doesn't need to use refcount_t type for this counter,
+as its accessing is always protected under the sock lock.
+
+v1->v2:
+ - add a check in sctp_sched_prio_set to avoid the possible prio_head
+ refcnt overflow.
+
+Fixes: 9ed7bfc79542 ("sctp: fix memory leak in sctp_stream_outq_migrate()")
+Reported-by: Ying Xu <yinxu@redhat.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/825eb0c905cb864991eba335f4a2b780e543f06b.1677085641.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sctp/structs.h | 1 +
+ net/sctp/stream_sched_prio.c | 52 +++++++++++++++---------------------
+ 2 files changed, 22 insertions(+), 31 deletions(-)
+
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index be9ff0422c162..be59e8df0bffc 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -1394,6 +1394,7 @@ struct sctp_stream_priorities {
+ /* The next stream in line */
+ struct sctp_stream_out_ext *next;
+ __u16 prio;
++ __u16 users;
+ };
+
+ struct sctp_stream_out_ext {
+diff --git a/net/sctp/stream_sched_prio.c b/net/sctp/stream_sched_prio.c
+index 4fc9f2923ed11..7dd9f8b387cca 100644
+--- a/net/sctp/stream_sched_prio.c
++++ b/net/sctp/stream_sched_prio.c
+@@ -25,6 +25,18 @@
+
+ static void sctp_sched_prio_unsched_all(struct sctp_stream *stream);
+
++static struct sctp_stream_priorities *sctp_sched_prio_head_get(struct sctp_stream_priorities *p)
++{
++ p->users++;
++ return p;
++}
++
++static void sctp_sched_prio_head_put(struct sctp_stream_priorities *p)
++{
++ if (p && --p->users == 0)
++ kfree(p);
++}
++
+ static struct sctp_stream_priorities *sctp_sched_prio_new_head(
+ struct sctp_stream *stream, int prio, gfp_t gfp)
+ {
+@@ -38,6 +50,7 @@ static struct sctp_stream_priorities *sctp_sched_prio_new_head(
+ INIT_LIST_HEAD(&p->active);
+ p->next = NULL;
+ p->prio = prio;
++ p->users = 1;
+
+ return p;
+ }
+@@ -53,7 +66,7 @@ static struct sctp_stream_priorities *sctp_sched_prio_get_head(
+ */
+ list_for_each_entry(p, &stream->prio_list, prio_sched) {
+ if (p->prio == prio)
+- return p;
++ return sctp_sched_prio_head_get(p);
+ if (p->prio > prio)
+ break;
+ }
+@@ -70,7 +83,7 @@ static struct sctp_stream_priorities *sctp_sched_prio_get_head(
+ */
+ break;
+ if (p->prio == prio)
+- return p;
++ return sctp_sched_prio_head_get(p);
+ }
+
+ /* If not even there, allocate a new one. */
+@@ -154,32 +167,21 @@ static int sctp_sched_prio_set(struct sctp_stream *stream, __u16 sid,
+ struct sctp_stream_out_ext *soute = sout->ext;
+ struct sctp_stream_priorities *prio_head, *old;
+ bool reschedule = false;
+- int i;
++
++ old = soute->prio_head;
++ if (old && old->prio == prio)
++ return 0;
+
+ prio_head = sctp_sched_prio_get_head(stream, prio, gfp);
+ if (!prio_head)
+ return -ENOMEM;
+
+ reschedule = sctp_sched_prio_unsched(soute);
+- old = soute->prio_head;
+ soute->prio_head = prio_head;
+ if (reschedule)
+ sctp_sched_prio_sched(stream, soute);
+
+- if (!old)
+- /* Happens when we set the priority for the first time */
+- return 0;
+-
+- for (i = 0; i < stream->outcnt; i++) {
+- soute = SCTP_SO(stream, i)->ext;
+- if (soute && soute->prio_head == old)
+- /* It's still in use, nothing else to do here. */
+- return 0;
+- }
+-
+- /* No hits, we are good to free it. */
+- kfree(old);
+-
++ sctp_sched_prio_head_put(old);
+ return 0;
+ }
+
+@@ -206,20 +208,8 @@ static int sctp_sched_prio_init_sid(struct sctp_stream *stream, __u16 sid,
+
+ static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid)
+ {
+- struct sctp_stream_priorities *prio = SCTP_SO(stream, sid)->ext->prio_head;
+- int i;
+-
+- if (!prio)
+- return;
+-
++ sctp_sched_prio_head_put(SCTP_SO(stream, sid)->ext->prio_head);
+ SCTP_SO(stream, sid)->ext->prio_head = NULL;
+- for (i = 0; i < stream->outcnt; i++) {
+- if (SCTP_SO(stream, i)->ext &&
+- SCTP_SO(stream, i)->ext->prio_head == prio)
+- return;
+- }
+-
+- kfree(prio);
+ }
+
+ static void sctp_sched_prio_free(struct sctp_stream *stream)
+--
+2.39.2
+
--- /dev/null
+From 914f57423cbf58e7008cb2be81d54e2ac1706d58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 11:55:30 +0100
+Subject: serial: sc16is7xx: setup GPIO controller later in probe
+
+From: Isaac True <isaac.true@canonical.com>
+
+[ Upstream commit c8f71b49ee4d28930c4a6798d1969fa91dc4ef3e ]
+
+The GPIO controller component of the sc16is7xx driver is setup too
+early, which can result in a race condition where another device tries
+to utilise the GPIO lines before the sc16is7xx device has finished
+initialising.
+
+This issue manifests itself as an Oops when the GPIO lines are configured:
+
+ Unable to handle kernel read from unreadable memory at virtual address
+ ...
+ pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]
+ lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx]
+ ...
+ Call trace:
+ sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]
+ gpiod_direction_output_raw_commit+0x64/0x318
+ gpiod_direction_output+0xb0/0x170
+ create_gpio_led+0xec/0x198
+ gpio_led_probe+0x16c/0x4f0
+ platform_drv_probe+0x5c/0xb0
+ really_probe+0xe8/0x448
+ driver_probe_device+0xe8/0x138
+ __device_attach_driver+0x94/0x118
+ bus_for_each_drv+0x8c/0xe0
+ __device_attach+0x100/0x1b8
+ device_initial_probe+0x28/0x38
+ bus_probe_device+0xa4/0xb0
+ deferred_probe_work_func+0x90/0xe0
+ process_one_work+0x1c4/0x480
+ worker_thread+0x54/0x430
+ kthread+0x138/0x150
+ ret_from_fork+0x10/0x1c
+
+This patch moves the setup of the GPIO controller functions to later in the
+probe function, ensuring the sc16is7xx device has already finished
+initialising by the time other devices try to make use of the GPIO lines.
+The error handling has also been reordered to reflect the new
+initialisation order.
+
+Co-developed-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
+Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
+Signed-off-by: Isaac True <isaac.true@canonical.com>
+Link: https://lore.kernel.org/r/20221130105529.698385-1-isaac.true@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 51 +++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index 04b4ed5d06341..7ece8d1a23cb3 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -1243,25 +1243,6 @@ static int sc16is7xx_probe(struct device *dev,
+ }
+ sched_set_fifo(s->kworker_task);
+
+-#ifdef CONFIG_GPIOLIB
+- if (devtype->nr_gpio) {
+- /* Setup GPIO cotroller */
+- s->gpio.owner = THIS_MODULE;
+- s->gpio.parent = dev;
+- s->gpio.label = dev_name(dev);
+- s->gpio.direction_input = sc16is7xx_gpio_direction_input;
+- s->gpio.get = sc16is7xx_gpio_get;
+- s->gpio.direction_output = sc16is7xx_gpio_direction_output;
+- s->gpio.set = sc16is7xx_gpio_set;
+- s->gpio.base = -1;
+- s->gpio.ngpio = devtype->nr_gpio;
+- s->gpio.can_sleep = 1;
+- ret = gpiochip_add_data(&s->gpio, s);
+- if (ret)
+- goto out_thread;
+- }
+-#endif
+-
+ /* reset device, purging any pending irq / data */
+ regmap_write(s->regmap, SC16IS7XX_IOCONTROL_REG << SC16IS7XX_REG_SHIFT,
+ SC16IS7XX_IOCONTROL_SRESET_BIT);
+@@ -1327,6 +1308,25 @@ static int sc16is7xx_probe(struct device *dev,
+ s->p[u].irda_mode = true;
+ }
+
++#ifdef CONFIG_GPIOLIB
++ if (devtype->nr_gpio) {
++ /* Setup GPIO cotroller */
++ s->gpio.owner = THIS_MODULE;
++ s->gpio.parent = dev;
++ s->gpio.label = dev_name(dev);
++ s->gpio.direction_input = sc16is7xx_gpio_direction_input;
++ s->gpio.get = sc16is7xx_gpio_get;
++ s->gpio.direction_output = sc16is7xx_gpio_direction_output;
++ s->gpio.set = sc16is7xx_gpio_set;
++ s->gpio.base = -1;
++ s->gpio.ngpio = devtype->nr_gpio;
++ s->gpio.can_sleep = 1;
++ ret = gpiochip_add_data(&s->gpio, s);
++ if (ret)
++ goto out_thread;
++ }
++#endif
++
+ /*
+ * Setup interrupt. We first try to acquire the IRQ line as level IRQ.
+ * If that succeeds, we can allow sharing the interrupt as well.
+@@ -1346,18 +1346,19 @@ static int sc16is7xx_probe(struct device *dev,
+ if (!ret)
+ return 0;
+
+-out_ports:
+- for (i--; i >= 0; i--) {
+- uart_remove_one_port(&sc16is7xx_uart, &s->p[i].port);
+- clear_bit(s->p[i].port.line, &sc16is7xx_lines);
+- }
+-
+ #ifdef CONFIG_GPIOLIB
+ if (devtype->nr_gpio)
+ gpiochip_remove(&s->gpio);
+
+ out_thread:
+ #endif
++
++out_ports:
++ for (i--; i >= 0; i--) {
++ uart_remove_one_port(&sc16is7xx_uart, &s->p[i].port);
++ clear_bit(s->p[i].port.line, &sc16is7xx_lines);
++ }
++
+ kthread_stop(s->kworker_task);
+
+ out_clk:
+--
+2.39.2
+
pinctrl-rockchip-fix-reading-pull-type-on-rk3568.patch
kbuild-port-silent-mode-detection-to-future-gnu-make.patch
net-sched-retire-tcindex-classifier.patch
+fs-jfs-fix-shift-exponent-db_agl2size-negative.patch
+objtool-fix-memory-leak-in-create_static_call_sectio.patch
+pwm-sifive-reduce-time-the-controller-lock-is-held.patch
+pwm-sifive-always-let-the-first-pwm_apply_state-succ.patch
+pwm-stm32-lp-fix-the-check-on-arr-and-cmp-registers-.patch
+f2fs-use-memcpy_-to-from-_page-where-possible.patch
+fs-f2fs-initialize-fsdata-in-pagecache_write.patch
+um-vector-fix-memory-leak-in-vector_config.patch
+ubi-ensure-that-vid-header-offset-vid-header-size-al.patch
+ubifs-fix-build-errors-as-symbol-undefined.patch
+ubifs-rectify-space-budget-for-ubifs_symlink-if-syml.patch
+ubifs-rectify-space-budget-for-ubifs_xrename.patch
+ubifs-fix-wrong-dirty-space-budget-for-dirty-inode.patch
+ubifs-do_rename-fix-wrong-space-budget-when-target-i.patch
+ubifs-reserve-one-leb-for-each-journal-head-while-do.patch
+ubi-fix-use-after-free-when-volume-resizing-failed.patch
+ubi-fix-unreferenced-object-reported-by-kmemleak-in-.patch
+ubifs-fix-memory-leak-in-alloc_wbufs.patch
+ubi-fix-possible-null-ptr-deref-in-ubi_free_volume.patch
+ubifs-re-statistic-cleaned-znode-count-if-commit-fai.patch
+ubifs-dirty_cow_znode-fix-memleak-in-error-handling-.patch
+ubifs-ubifs_writepage-mark-page-dirty-after-writing-.patch
+ubi-fastmap-fix-missed-fm_anchor-peb-in-wear-levelin.patch
+ubi-fix-uaf-wear-leveling-entry-in-eraseblk_count_se.patch
+ubi-ubi_wl_put_peb-fix-infinite-loop-when-wear-level.patch
+x86-um-vdso-add-rcx-and-r11-to-the-syscall-clobber-l.patch
+watchdog-at91sam9_wdt-use-devm_request_irq-to-avoid-.patch
+watchdog-fix-kmemleak-in-watchdog_cdev_register.patch
+watchdog-pcwd_usb-fix-attempting-to-access-uninitial.patch
+netfilter-ctnetlink-fix-possible-refcount-leak-in-ct.patch
+netfilter-ebtables-fix-table-blob-use-after-free.patch
+ipv6-add-lwtunnel-encap-size-of-all-siblings-in-next.patch
+sctp-add-a-refcnt-in-sctp_stream_priorities-to-avoid.patch
+net-fix-__dev_kfree_skb_any-vs-drop-monitor.patch
+9p-xen-fix-version-parsing.patch
+9p-xen-fix-connection-sequence.patch
+9p-rdma-unmap-receive-dma-buffer-in-rdma_request-pos.patch
+net-mlx5-geneve-fix-handling-of-geneve-object-id-as-.patch
+nfc-fix-memory-leak-of-se_io-context-in-nfc_genl_se_.patch
+net-sched-act_sample-fix-action-bind-logic.patch
+arm-dts-spear320-hmi-correct-stmpe-gpio-compatible.patch
+tcp-tcp_check_req-can-be-called-from-process-context.patch
+vc_screen-modify-vcs_size-handling-in-vcs_read.patch
+rtc-sun6i-always-export-the-internal-oscillator.patch
+scsi-ipr-work-around-fortify-string-warning.patch
+loop-loop_set_status_from_info-check-before-assignme.patch
+asoc-adau7118-don-t-disable-regulators-on-device-unb.patch
+asoc-zl38060-remove-spurious-gpiolib-select.patch
+asoc-zl38060-add-gpiolib-dependency.patch
+thermal-intel-quark_dts-fix-error-pointer-dereferenc.patch
+thermal-intel-bxt_pmic-select-regmap-instead-of-depe.patch
+tracing-add-null-checks-for-buffer-in-ring_buffer_fr.patch
+firmware-efi-sysfb_efi-add-quirk-for-lenovo-ideapad-.patch
+bootconfig-increase-max-nodes-of-bootconfig-from-102.patch
+mfd-arizona-use-pm_runtime_resume_and_get-to-prevent.patch
+ib-hfi1-update-rmt-size-calculation.patch
+media-uvcvideo-handle-cameras-with-invalid-descripto.patch
+media-uvcvideo-handle-errors-from-calls-to-usb_strin.patch
+media-uvcvideo-quirk-for-autosuspend-in-logitech-b91.patch
+media-uvcvideo-silence-memcpy-run-time-false-positiv.patch
+staging-emxx_udc-add-checks-for-dma_alloc_coherent.patch
+tty-fix-out-of-bounds-access-in-tty_driver_lookup_tt.patch
+tty-serial-fsl_lpuart-disable-the-cts-when-send-brea.patch
+serial-sc16is7xx-setup-gpio-controller-later-in-prob.patch
+mei-bus-fixup-upon-error-print-return-values-of-send.patch
+parport_pc-set-up-mode-and-ecr-masks-for-oxford-semi.patch
+tools-iio-iio_utils-fix-memory-leak.patch
+iio-accel-mma9551_core-prevent-uninitialized-variabl.patch
+iio-accel-mma9551_core-prevent-uninitialized-variabl.patch-4278
+pci-loongson-prevent-ls7a-mrrs-increases.patch
+usb-host-xhci-mvebu-iterate-over-array-indexes-inste.patch
+usb-ene_usb6250-allocate-enough-memory-for-full-obje.patch
+usb-uvc-enumerate-valid-values-for-color-matching.patch
+usb-gadget-uvc-make-bsourceid-read-write.patch
+pci-align-extra-resources-for-hotplug-bridges-proper.patch
+pci-take-other-bus-devices-into-account-when-distrib.patch
+kernel-fail_function-fix-memory-leak-with-using-debu.patch
+pci-loongson-add-more-devices-that-need-mrrs-quirk.patch
+pci-add-acs-quirk-for-wangxun-nics.patch
+phy-rockchip-typec-fix-unsigned-comparison-with-less.patch
+soundwire-cadence-remove-wasted-space-in-response_bu.patch
+soundwire-cadence-drain-the-rx-fifo-after-an-io-time.patch
--- /dev/null
+From 6f16e43569960d23762aaa46fde30185e73a2a56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 16:18:12 +0000
+Subject: soundwire: cadence: Drain the RX FIFO after an IO timeout
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 0603a47bd3a8f439d7844b841eee1819353063e0 ]
+
+If wait_for_completion_timeout() times-out in _cdns_xfer_msg() it
+is possible that something could have been written to the RX FIFO.
+In this case, we should drain the RX FIFO so that anything in it
+doesn't carry over and mess up the next transfer.
+
+Obviously, if we got to this state something went wrong, and we
+don't really know the state of everything. The cleanup in this
+situation cannot be bullet-proof but we should attempt to avoid
+breaking future transaction, if only to reduce the amount of
+error noise when debugging the failure from a kernel log.
+
+Note that this patch only implements the draining for blocking
+(non-deferred) transfers. The deferred API doesn't have any proper
+handling of error conditions and would need some re-design before
+implementing cleanup. That is a task for a separate patch...
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20221202161812.4186897-4-rf@opensource.cirrus.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/cadence_master.c | 50 ++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
+index 292c4460eaaa3..18e7d158fcca4 100644
+--- a/drivers/soundwire/cadence_master.c
++++ b/drivers/soundwire/cadence_master.c
+@@ -511,6 +511,29 @@ cdns_fill_msg_resp(struct sdw_cdns *cdns,
+ return SDW_CMD_OK;
+ }
+
++static void cdns_read_response(struct sdw_cdns *cdns)
++{
++ u32 num_resp, cmd_base;
++ int i;
++
++ /* RX_FIFO_AVAIL can be 2 entries more than the FIFO size */
++ BUILD_BUG_ON(ARRAY_SIZE(cdns->response_buf) < CDNS_MCP_CMD_LEN + 2);
++
++ num_resp = cdns_readl(cdns, CDNS_MCP_FIFOSTAT);
++ num_resp &= CDNS_MCP_RX_FIFO_AVAIL;
++ if (num_resp > ARRAY_SIZE(cdns->response_buf)) {
++ dev_warn(cdns->dev, "RX AVAIL %d too long\n", num_resp);
++ num_resp = ARRAY_SIZE(cdns->response_buf);
++ }
++
++ cmd_base = CDNS_MCP_CMD_BASE;
++
++ for (i = 0; i < num_resp; i++) {
++ cdns->response_buf[i] = cdns_readl(cdns, cmd_base);
++ cmd_base += CDNS_MCP_CMD_WORD_LEN;
++ }
++}
++
+ static enum sdw_command_response
+ _cdns_xfer_msg(struct sdw_cdns *cdns, struct sdw_msg *msg, int cmd,
+ int offset, int count, bool defer)
+@@ -552,6 +575,10 @@ _cdns_xfer_msg(struct sdw_cdns *cdns, struct sdw_msg *msg, int cmd,
+ dev_err(cdns->dev, "IO transfer timed out, cmd %d device %d addr %x len %d\n",
+ cmd, msg->dev_num, msg->addr, msg->len);
+ msg->len = 0;
++
++ /* Drain anything in the RX_FIFO */
++ cdns_read_response(cdns);
++
+ return SDW_CMD_TIMEOUT;
+ }
+
+@@ -720,29 +747,6 @@ EXPORT_SYMBOL(cdns_reset_page_addr);
+ * IRQ handling
+ */
+
+-static void cdns_read_response(struct sdw_cdns *cdns)
+-{
+- u32 num_resp, cmd_base;
+- int i;
+-
+- /* RX_FIFO_AVAIL can be 2 entries more than the FIFO size */
+- BUILD_BUG_ON(ARRAY_SIZE(cdns->response_buf) < CDNS_MCP_CMD_LEN + 2);
+-
+- num_resp = cdns_readl(cdns, CDNS_MCP_FIFOSTAT);
+- num_resp &= CDNS_MCP_RX_FIFO_AVAIL;
+- if (num_resp > ARRAY_SIZE(cdns->response_buf)) {
+- dev_warn(cdns->dev, "RX AVAIL %d too long\n", num_resp);
+- num_resp = ARRAY_SIZE(cdns->response_buf);
+- }
+-
+- cmd_base = CDNS_MCP_CMD_BASE;
+-
+- for (i = 0; i < num_resp; i++) {
+- cdns->response_buf[i] = cdns_readl(cdns, cmd_base);
+- cmd_base += CDNS_MCP_CMD_WORD_LEN;
+- }
+-}
+-
+ static int cdns_update_slave_status(struct sdw_cdns *cdns,
+ u32 slave0, u32 slave1)
+ {
+--
+2.39.2
+
--- /dev/null
+From 703baa72e9e55d0d3b66498fd22ede549169dc2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 16:18:11 +0000
+Subject: soundwire: cadence: Remove wasted space in response_buf
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 827c32d0df4bbe0d1c47d79f6a5eabfe9ac75216 ]
+
+The response_buf was declared much larger (128 entries) than the number
+of responses that could ever be written into it. The Cadence IP is
+configurable up to a maximum of 32 entries, and the datasheet says
+that RX_FIFO_AVAIL can be 2 larger than this. So allow up to 34
+responses.
+
+Also add checking in cdns_read_response() to prevent overflowing
+reponse_buf if RX_FIFO_AVAIL contains an unexpectedly large number.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20221202161812.4186897-3-rf@opensource.cirrus.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/cadence_master.c | 7 +++++++
+ drivers/soundwire/cadence_master.h | 13 ++++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
+index a3247692ddc07..292c4460eaaa3 100644
+--- a/drivers/soundwire/cadence_master.c
++++ b/drivers/soundwire/cadence_master.c
+@@ -725,8 +725,15 @@ static void cdns_read_response(struct sdw_cdns *cdns)
+ u32 num_resp, cmd_base;
+ int i;
+
++ /* RX_FIFO_AVAIL can be 2 entries more than the FIFO size */
++ BUILD_BUG_ON(ARRAY_SIZE(cdns->response_buf) < CDNS_MCP_CMD_LEN + 2);
++
+ num_resp = cdns_readl(cdns, CDNS_MCP_FIFOSTAT);
+ num_resp &= CDNS_MCP_RX_FIFO_AVAIL;
++ if (num_resp > ARRAY_SIZE(cdns->response_buf)) {
++ dev_warn(cdns->dev, "RX AVAIL %d too long\n", num_resp);
++ num_resp = ARRAY_SIZE(cdns->response_buf);
++ }
+
+ cmd_base = CDNS_MCP_CMD_BASE;
+
+diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h
+index 4d1aab5b5ec2d..e7f0108d417ca 100644
+--- a/drivers/soundwire/cadence_master.h
++++ b/drivers/soundwire/cadence_master.h
+@@ -8,6 +8,12 @@
+ #define SDW_CADENCE_GSYNC_KHZ 4 /* 4 kHz */
+ #define SDW_CADENCE_GSYNC_HZ (SDW_CADENCE_GSYNC_KHZ * 1000)
+
++/*
++ * The Cadence IP supports up to 32 entries in the FIFO, though implementations
++ * can configure the IP to have a smaller FIFO.
++ */
++#define CDNS_MCP_IP_MAX_CMD_LEN 32
++
+ /**
+ * struct sdw_cdns_pdi: PDI (Physical Data Interface) instance
+ *
+@@ -119,7 +125,12 @@ struct sdw_cdns {
+ struct sdw_bus bus;
+ unsigned int instance;
+
+- u32 response_buf[0x80];
++ /*
++ * The datasheet says the RX FIFO AVAIL can be 2 entries more
++ * than the FIFO capacity, so allow for this.
++ */
++ u32 response_buf[CDNS_MCP_IP_MAX_CMD_LEN + 2];
++
+ struct completion tx_complete;
+ struct sdw_defer *defer;
+
+--
+2.39.2
+
--- /dev/null
+From c5d7266b10c1402a999eb48c11454972212cc487 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 08:31:19 +0000
+Subject: staging: emxx_udc: Add checks for dma_alloc_coherent()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit f6510a93cfd8c6c79b4dda0f2967cdc6df42eff4 ]
+
+As the dma_alloc_coherent may return NULL, the return value needs to be
+checked to avoid NULL poineter dereference.
+
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Simon Horman <horms@verge.net.au>
+Link: https://lore.kernel.org/r/20230119083119.16956-1-yuancan@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/emxx_udc/emxx_udc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/emxx_udc/emxx_udc.c b/drivers/staging/emxx_udc/emxx_udc.c
+index 3897f8e8f5e0d..6870a33d4ccf3 100644
+--- a/drivers/staging/emxx_udc/emxx_udc.c
++++ b/drivers/staging/emxx_udc/emxx_udc.c
+@@ -2591,10 +2591,15 @@ static int nbu2ss_ep_queue(struct usb_ep *_ep,
+ req->unaligned = false;
+
+ if (req->unaligned) {
+- if (!ep->virt_buf)
++ if (!ep->virt_buf) {
+ ep->virt_buf = dma_alloc_coherent(udc->dev, PAGE_SIZE,
+ &ep->phys_buf,
+ GFP_ATOMIC | GFP_DMA);
++ if (!ep->virt_buf) {
++ spin_unlock_irqrestore(&udc->lock, flags);
++ return -ENOMEM;
++ }
++ }
+ if (ep->epnum > 0) {
+ if (ep->direct == USB_DIR_IN)
+ memcpy(ep->virt_buf, req->req.buf,
+--
+2.39.2
+
--- /dev/null
+From 25e123f6c933e836d42077567e36f7236fa3a58b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 08:33:36 +0000
+Subject: tcp: tcp_check_req() can be called from process context
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 580f98cc33a260bb8c6a39ae2921b29586b84fdf ]
+
+This is a follow up of commit 0a375c822497 ("tcp: tcp_rtx_synack()
+can be called from process context").
+
+Frederick Lawler reported another "__this_cpu_add() in preemptible"
+warning caused by the same reason.
+
+In my former patch I took care of tcp_rtx_synack()
+but forgot that tcp_check_req() also contained some SNMP updates.
+
+Note that some parts of tcp_check_req() always run in BH context,
+I added a comment to clarify this.
+
+Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners")
+Link: https://lore.kernel.org/netdev/8cd33923-a21d-397c-e46b-2a068c287b03@cloudflare.com/T/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Frederick Lawler <fred@cloudflare.com>
+Tested-by: Frederick Lawler <fred@cloudflare.com>
+Link: https://lore.kernel.org/r/20230227083336.4153089-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_minisocks.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index e42312321191b..8d854feebdb00 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -565,6 +565,9 @@ EXPORT_SYMBOL(tcp_create_openreq_child);
+ * validation and inside tcp_v4_reqsk_send_ack(). Can we do better?
+ *
+ * We don't need to initialize tmp_opt.sack_ok as we don't use the results
++ *
++ * Note: If @fastopen is true, this can be called from process context.
++ * Otherwise, this is from BH context.
+ */
+
+ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+@@ -717,7 +720,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+ &tcp_rsk(req)->last_oow_ack_time))
+ req->rsk_ops->send_ack(sk, skb, req);
+ if (paws_reject)
+- __NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);
++ NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);
+ return NULL;
+ }
+
+@@ -736,7 +739,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+ * "fourth, check the SYN bit"
+ */
+ if (flg & (TCP_FLAG_RST|TCP_FLAG_SYN)) {
+- __TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS);
++ TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS);
+ goto embryonic_reset;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 5b29801bb135e5c3fd09a80d72885503412014c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 21:39:52 -0800
+Subject: thermal: intel: BXT_PMIC: select REGMAP instead of depending on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1467fb960349dfa5e300658f1a409dde2cfb0c51 ]
+
+REGMAP is a hidden (not user visible) symbol. Users cannot set it
+directly thru "make *config", so drivers should select it instead of
+depending on it if they need it.
+
+Consistently using "select" or "depends on" can also help reduce
+Kconfig circular dependency issues.
+
+Therefore, change the use of "depends on REGMAP" to "select REGMAP".
+
+Fixes: b474303ffd57 ("thermal: add Intel BXT WhiskeyCove PMIC thermal driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel/Kconfig b/drivers/thermal/intel/Kconfig
+index 8025b21f43fa5..b5427579fae59 100644
+--- a/drivers/thermal/intel/Kconfig
++++ b/drivers/thermal/intel/Kconfig
+@@ -60,7 +60,8 @@ endmenu
+
+ config INTEL_BXT_PMIC_THERMAL
+ tristate "Intel Broxton PMIC thermal driver"
+- depends on X86 && INTEL_SOC_PMIC_BXTWC && REGMAP
++ depends on X86 && INTEL_SOC_PMIC_BXTWC
++ select REGMAP
+ help
+ Select this driver for Intel Broxton PMIC with ADC channels monitoring
+ system temperature measurements and alerts.
+--
+2.39.2
+
--- /dev/null
+From 1a88da57e08c7fbf3d22c52ec05159cb4ecd4e24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 13:06:50 +0300
+Subject: thermal: intel: quark_dts: fix error pointer dereference
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit f1b930e740811d416de4d2074da48b6633a672c8 ]
+
+If alloc_soc_dts() fails, then we can just return. Trying to free
+"soc_dts" will lead to an Oops.
+
+Fixes: 8c1876939663 ("thermal: intel Quark SoC X1000 DTS thermal driver")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel/intel_quark_dts_thermal.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/thermal/intel/intel_quark_dts_thermal.c b/drivers/thermal/intel/intel_quark_dts_thermal.c
+index 3eafc6b0e6c30..b43fbd5eaa6b4 100644
+--- a/drivers/thermal/intel/intel_quark_dts_thermal.c
++++ b/drivers/thermal/intel/intel_quark_dts_thermal.c
+@@ -415,22 +415,14 @@ MODULE_DEVICE_TABLE(x86cpu, qrk_thermal_ids);
+
+ static int __init intel_quark_thermal_init(void)
+ {
+- int err = 0;
+-
+ if (!x86_match_cpu(qrk_thermal_ids) || !iosf_mbi_available())
+ return -ENODEV;
+
+ soc_dts = alloc_soc_dts();
+- if (IS_ERR(soc_dts)) {
+- err = PTR_ERR(soc_dts);
+- goto err_free;
+- }
++ if (IS_ERR(soc_dts))
++ return PTR_ERR(soc_dts);
+
+ return 0;
+-
+-err_free:
+- free_soc_dts(soc_dts);
+- return err;
+ }
+
+ static void __exit intel_quark_thermal_exit(void)
+--
+2.39.2
+
--- /dev/null
+From 39db204caaf1b5048913482b6ccf224b6dbdb87d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 10:51:47 +0800
+Subject: tools/iio/iio_utils:fix memory leak
+
+From: Yulong Zhang <yulong.zhang@metoak.net>
+
+[ Upstream commit f2edf0c819a4823cd6c288801ce737e8d4fcde06 ]
+
+1. fopen sysfs without fclose.
+2. asprintf filename without free.
+3. if asprintf return error,do not need to free the buffer.
+
+Signed-off-by: Yulong Zhang <yulong.zhang@metoak.net>
+Link: https://lore.kernel.org/r/20230117025147.69890-1-yulong.zhang@metoak.net
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/iio/iio_utils.c | 23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c
+index d66b18c54606a..48360994c2a13 100644
+--- a/tools/iio/iio_utils.c
++++ b/tools/iio/iio_utils.c
+@@ -262,6 +262,7 @@ int iioutils_get_param_float(float *output, const char *param_name,
+ if (fscanf(sysfsfp, "%f", output) != 1)
+ ret = errno ? -errno : -ENODATA;
+
++ fclose(sysfsfp);
+ break;
+ }
+ error_free_filename:
+@@ -342,9 +343,9 @@ int build_channel_array(const char *device_dir,
+ }
+
+ sysfsfp = fopen(filename, "r");
++ free(filename);
+ if (!sysfsfp) {
+ ret = -errno;
+- free(filename);
+ goto error_close_dir;
+ }
+
+@@ -354,7 +355,6 @@ int build_channel_array(const char *device_dir,
+ if (fclose(sysfsfp))
+ perror("build_channel_array(): Failed to close file");
+
+- free(filename);
+ goto error_close_dir;
+ }
+ if (ret == 1)
+@@ -362,11 +362,9 @@ int build_channel_array(const char *device_dir,
+
+ if (fclose(sysfsfp)) {
+ ret = -errno;
+- free(filename);
+ goto error_close_dir;
+ }
+
+- free(filename);
+ }
+
+ *ci_array = malloc(sizeof(**ci_array) * (*counter));
+@@ -392,9 +390,9 @@ int build_channel_array(const char *device_dir,
+ }
+
+ sysfsfp = fopen(filename, "r");
++ free(filename);
+ if (!sysfsfp) {
+ ret = -errno;
+- free(filename);
+ count--;
+ goto error_cleanup_array;
+ }
+@@ -402,20 +400,17 @@ int build_channel_array(const char *device_dir,
+ errno = 0;
+ if (fscanf(sysfsfp, "%i", ¤t_enabled) != 1) {
+ ret = errno ? -errno : -ENODATA;
+- free(filename);
+ count--;
+ goto error_cleanup_array;
+ }
+
+ if (fclose(sysfsfp)) {
+ ret = -errno;
+- free(filename);
+ count--;
+ goto error_cleanup_array;
+ }
+
+ if (!current_enabled) {
+- free(filename);
+ count--;
+ continue;
+ }
+@@ -426,7 +421,6 @@ int build_channel_array(const char *device_dir,
+ strlen(ent->d_name) -
+ strlen("_en"));
+ if (!current->name) {
+- free(filename);
+ ret = -ENOMEM;
+ count--;
+ goto error_cleanup_array;
+@@ -436,7 +430,6 @@ int build_channel_array(const char *device_dir,
+ ret = iioutils_break_up_name(current->name,
+ ¤t->generic_name);
+ if (ret) {
+- free(filename);
+ free(current->name);
+ count--;
+ goto error_cleanup_array;
+@@ -447,17 +440,16 @@ int build_channel_array(const char *device_dir,
+ scan_el_dir,
+ current->name);
+ if (ret < 0) {
+- free(filename);
+ ret = -ENOMEM;
+ goto error_cleanup_array;
+ }
+
+ sysfsfp = fopen(filename, "r");
++ free(filename);
+ if (!sysfsfp) {
+ ret = -errno;
+- fprintf(stderr, "failed to open %s\n",
+- filename);
+- free(filename);
++ fprintf(stderr, "failed to open %s/%s_index\n",
++ scan_el_dir, current->name);
+ goto error_cleanup_array;
+ }
+
+@@ -467,17 +459,14 @@ int build_channel_array(const char *device_dir,
+ if (fclose(sysfsfp))
+ perror("build_channel_array(): Failed to close file");
+
+- free(filename);
+ goto error_cleanup_array;
+ }
+
+ if (fclose(sysfsfp)) {
+ ret = -errno;
+- free(filename);
+ goto error_cleanup_array;
+ }
+
+- free(filename);
+ /* Find the scale */
+ ret = iioutils_get_param_float(¤t->scale,
+ "scale",
+--
+2.39.2
+
--- /dev/null
+From f72d42994c7315040cc4166974aaf3879d39bcbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jan 2023 20:55:01 +0800
+Subject: tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 3e4272b9954094907f16861199728f14002fcaf6 ]
+
+In a previous commit 7433632c9ff6, buffer, buffer->buffers and
+buffer->buffers[cpu] in ring_buffer_wake_waiters() can be NULL,
+and thus the related checks are added.
+
+However, in the same call stack, these variables are also used in
+ring_buffer_free_read_page():
+
+tracing_buffers_release()
+ ring_buffer_wake_waiters(iter->array_buffer->buffer)
+ cpu_buffer = buffer->buffers[cpu] -> Add checks by previous commit
+ ring_buffer_free_read_page(iter->array_buffer->buffer)
+ cpu_buffer = buffer->buffers[cpu] -> No check
+
+Thus, to avod possible null-pointer derefernces, the related checks
+should be added.
+
+These results are reported by a static tool designed by myself.
+
+Link: https://lkml.kernel.org/r/20230113125501.760324-1-baijiaju1990@gmail.com
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index c00463613eab6..70da6f3212bc4 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -5302,11 +5302,16 @@ EXPORT_SYMBOL_GPL(ring_buffer_alloc_read_page);
+ */
+ void ring_buffer_free_read_page(struct trace_buffer *buffer, int cpu, void *data)
+ {
+- struct ring_buffer_per_cpu *cpu_buffer = buffer->buffers[cpu];
++ struct ring_buffer_per_cpu *cpu_buffer;
+ struct buffer_data_page *bpage = data;
+ struct page *page = virt_to_page(bpage);
+ unsigned long flags;
+
++ if (!buffer || !buffer->buffers || !buffer->buffers[cpu])
++ return;
++
++ cpu_buffer = buffer->buffers[cpu];
++
+ /* If the page is still in use someplace else, we can't reuse it */
+ if (page_ref_count(page) > 1)
+ goto out;
+--
+2.39.2
+
--- /dev/null
+From 8cb08bdfd5c8f606d9efb8bf28e0fa2a4f1ef32c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:27:36 +0100
+Subject: tty: fix out-of-bounds access in tty_driver_lookup_tty()
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit db4df8e9d79e7d37732c1a1b560958e8dadfefa1 ]
+
+When specifying an invalid console= device like console=tty3270,
+tty_driver_lookup_tty() returns the tty struct without checking
+whether index is a valid number.
+
+To reproduce:
+
+qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \
+-kernel ../linux-build-x86/arch/x86/boot/bzImage \
+-append "console=ttyS0 console=tty3270"
+
+This crashes with:
+
+[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef
+[ 0.771265] #PF: supervisor read access in kernel mode
+[ 0.771773] #PF: error_code(0x0000) - not-present page
+[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0
+[ 0.784013] chrdev_open+0xbd/0x230
+[ 0.784444] ? cdev_device_add+0x80/0x80
+[ 0.784920] do_dentry_open+0x1e0/0x410
+[ 0.785389] path_openat+0xca9/0x1050
+[ 0.785813] do_filp_open+0xaa/0x150
+[ 0.786240] file_open_name+0x133/0x1b0
+[ 0.786746] filp_open+0x27/0x50
+[ 0.787244] console_on_rootfs+0x14/0x4d
+[ 0.787800] kernel_init_freeable+0x1e4/0x20d
+[ 0.788383] ? rest_init+0xc0/0xc0
+[ 0.788881] kernel_init+0x11/0x120
+[ 0.789356] ret_from_fork+0x22/0x30
+
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20221209112737.3222509-2-svens@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/tty_io.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 669aef77a0bd0..c37d2657308cd 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1237,14 +1237,16 @@ static struct tty_struct *tty_driver_lookup_tty(struct tty_driver *driver,
+ {
+ struct tty_struct *tty;
+
+- if (driver->ops->lookup)
++ if (driver->ops->lookup) {
+ if (!file)
+ tty = ERR_PTR(-EIO);
+ else
+ tty = driver->ops->lookup(driver, file, idx);
+- else
++ } else {
++ if (idx >= driver->num)
++ return ERR_PTR(-EINVAL);
+ tty = driver->ttys[idx];
+-
++ }
+ if (!IS_ERR(tty))
+ tty_kref_get(tty);
+ return tty;
+--
+2.39.2
+
--- /dev/null
+From 2ef5c3ee9bee114dbadc3bf649de1b49fd44d13d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 11:11:35 +0800
+Subject: tty: serial: fsl_lpuart: disable the CTS when send break signal
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit c4c81db5cf8bc53d6160c3abf26d382c841aa434 ]
+
+LPUART IP has a bug that it treats the CTS as higher priority than the
+break signal, which cause the break signal sending through UARTCTRL_SBK
+may impacted by the CTS input if the HW flow control is enabled.
+
+Add this workaround patch to fix the IP bug, we can disable CTS before
+asserting SBK to avoid any interference from CTS, and re-enable it when
+break off.
+
+Such as for the bluetooth chip power save feature, host can let the BT
+chip get into sleep state by sending a UART break signal, and wake it up
+by turning off the UART break. If the BT chip enters the sleep mode
+successfully, it will pull up the CTS line, if the BT chip is woken up,
+it will pull down the CTS line. If without this workaround patch, the
+UART TX pin cannot send the break signal successfully as it affected by
+the BT CTS pin. After adding this patch, the BT power save feature can
+work well.
+
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Link: https://lore.kernel.org/r/20221214031137.28815-2-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 223695947b654..9cb0e8673f826 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1448,12 +1448,32 @@ static void lpuart_break_ctl(struct uart_port *port, int break_state)
+
+ static void lpuart32_break_ctl(struct uart_port *port, int break_state)
+ {
+- unsigned long temp;
++ unsigned long temp, modem;
++ struct tty_struct *tty;
++ unsigned int cflag = 0;
++
++ tty = tty_port_tty_get(&port->state->port);
++ if (tty) {
++ cflag = tty->termios.c_cflag;
++ tty_kref_put(tty);
++ }
+
+ temp = lpuart32_read(port, UARTCTRL) & ~UARTCTRL_SBK;
++ modem = lpuart32_read(port, UARTMODIR);
+
+- if (break_state != 0)
++ if (break_state != 0) {
+ temp |= UARTCTRL_SBK;
++ /*
++ * LPUART CTS has higher priority than SBK, need to disable CTS before
++ * asserting SBK to avoid any interference if flow control is enabled.
++ */
++ if (cflag & CRTSCTS && modem & UARTMODIR_TXCTSE)
++ lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR);
++ } else {
++ /* Re-enable the CTS when break off. */
++ if (cflag & CRTSCTS && !(modem & UARTMODIR_TXCTSE))
++ lpuart32_write(port, modem | UARTMODIR_TXCTSE, UARTMODIR);
++ }
+
+ lpuart32_write(port, temp, UARTCTRL);
+ }
+--
+2.39.2
+
--- /dev/null
+From d0debeed80d318d7bebd5f509fd807ea52a129f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 10:14:44 -0500
+Subject: ubi: ensure that VID header offset + VID header size <= alloc, size
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+[ Upstream commit 1b42b1a36fc946f0d7088425b90d491b4257ca3e ]
+
+Ensure that the VID header offset + VID header size does not exceed
+the allocated area to avoid slab OOB.
+
+BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
+BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
+BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
+Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555
+
+CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G W
+6.0.0-1868 #1
+Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
+04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:317 [inline]
+ print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
+ kasan_report+0xa7/0x11b mm/kasan/report.c:495
+ crc32_body lib/crc32.c:111 [inline]
+ crc32_le_generic lib/crc32.c:179 [inline]
+ crc32_le_base+0x58c/0x626 lib/crc32.c:197
+ ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
+ create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
+ create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
+ ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
+ ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
+ ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
+ ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0x0
+RIP: 0033:0x7f96d5cf753d
+Code:
+RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
+RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
+RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
+R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 1555:
+ kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:45 [inline]
+ set_alloc_info mm/kasan/common.c:437 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:516 [inline]
+ __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
+ kasan_kmalloc include/linux/kasan.h:234 [inline]
+ __kmalloc+0x138/0x257 mm/slub.c:4429
+ kmalloc include/linux/slab.h:605 [inline]
+ ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
+ create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
+ create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
+ ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
+ ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
+ ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
+ ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0x0
+
+The buggy address belongs to the object at ffff88802bb36e00
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 0 bytes to the right of
+ 256-byte region [ffff88802bb36e00, ffff88802bb36f00)
+
+The buggy address belongs to the physical page:
+page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000
+index:0x0 pfn:0x2bb36
+head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
+flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/build.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index 4153e0d15c5f9..8747569e793d4 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -664,6 +664,12 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024)
+ ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size);
+ ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size);
+
++ if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) >
++ ubi->vid_hdr_alsize)) {
++ ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset);
++ return -EINVAL;
++ }
++
+ dbg_gen("min_io_size %d", ubi->min_io_size);
+ dbg_gen("max_write_size %d", ubi->max_write_size);
+ dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size);
+--
+2.39.2
+
--- /dev/null
+From 9e5dc47ed7e1475ba96d0371a4adafff075bc05e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Aug 2022 15:06:19 +0800
+Subject: ubi: fastmap: Fix missed fm_anchor PEB in wear-leveling after
+ disabling fastmap
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 76f9476ece445a07aeb72df9d896cd563fb5b50f ]
+
+After disabling fastmap(ubi->fm_disabled = 1), fastmap won't be updated,
+fm_anchor PEB is missed being scheduled for erasing. Besides, fm_anchor
+PEB may have smallest erase count, it doesn't participate wear-leveling.
+The difference of erase count between fm_anchor PEB and other PEBs will
+be larger and larger later on.
+
+In which situation fastmap can be disabled? Initially, we have an UBI
+image with fastmap. Then the image will be atttached without module
+parameter 'fm_autoconvert', ubi turns to full scanning mode in one
+random attaching process(eg. bad fastmap caused by powercut), ubi
+fastmap is disabled since then.
+
+Fix it by not getting fm_anchor if fastmap is disabled in
+ubi_refill_pools().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216341
+Fixes: 4b68bf9a69d22d ("ubi: Select fastmap anchor PEBs considering ...")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/fastmap-wl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c
+index 053ab52668e8b..69592be33adfc 100644
+--- a/drivers/mtd/ubi/fastmap-wl.c
++++ b/drivers/mtd/ubi/fastmap-wl.c
+@@ -146,13 +146,15 @@ void ubi_refill_pools(struct ubi_device *ubi)
+ if (ubi->fm_anchor) {
+ wl_tree_add(ubi->fm_anchor, &ubi->free);
+ ubi->free_count++;
++ ubi->fm_anchor = NULL;
+ }
+
+- /*
+- * All available PEBs are in ubi->free, now is the time to get
+- * the best anchor PEBs.
+- */
+- ubi->fm_anchor = ubi_wl_get_fm_peb(ubi, 1);
++ if (!ubi->fm_disabled)
++ /*
++ * All available PEBs are in ubi->free, now is the time to get
++ * the best anchor PEBs.
++ */
++ ubi->fm_anchor = ubi_wl_get_fm_peb(ubi, 1);
+
+ for (;;) {
+ enough = 0;
+--
+2.39.2
+
--- /dev/null
+From 18c2272b3ae9f8ae3c97d9870799a6a97a0a639a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 18:26:24 +0800
+Subject: ubi: Fix possible null-ptr-deref in ubi_free_volume()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit c15859bfd326c10230f09cb48a17f8a35f190342 ]
+
+It willl cause null-ptr-deref in the following case:
+
+uif_init()
+ ubi_add_volume()
+ cdev_add() -> if it fails, call kill_volumes()
+ device_register()
+
+kill_volumes() -> if ubi_add_volume() fails call this function
+ ubi_free_volume()
+ cdev_del()
+ device_unregister() -> trying to delete a not added device,
+ it causes null-ptr-deref
+
+So in ubi_free_volume(), it delete devices whether they are added
+or not, it will causes null-ptr-deref.
+
+Handle the error case whlie calling ubi_add_volume() to fix this
+problem. If add volume fails, set the corresponding vol to null,
+so it can not be accessed in kill_volumes() and release the
+resource in ubi_add_volume() error path.
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Suggested-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/build.c | 1 +
+ drivers/mtd/ubi/vmt.c | 12 ++++++------
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index 8747569e793d4..e45fdc1bf66a4 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -467,6 +467,7 @@ static int uif_init(struct ubi_device *ubi)
+ err = ubi_add_volume(ubi, ubi->volumes[i]);
+ if (err) {
+ ubi_err(ubi, "cannot add volume %d", i);
++ ubi->volumes[i] = NULL;
+ goto out_volumes;
+ }
+ }
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 2e5bd473e5e25..d79323e8ea29d 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -582,6 +582,7 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol)
+ if (err) {
+ ubi_err(ubi, "cannot add character device for volume %d, error %d",
+ vol_id, err);
++ vol_release(&vol->dev);
+ return err;
+ }
+
+@@ -592,15 +593,14 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol)
+ vol->dev.groups = volume_dev_groups;
+ dev_set_name(&vol->dev, "%s_%d", ubi->ubi_name, vol->vol_id);
+ err = device_register(&vol->dev);
+- if (err)
+- goto out_cdev;
++ if (err) {
++ cdev_del(&vol->cdev);
++ put_device(&vol->dev);
++ return err;
++ }
+
+ self_check_volumes(ubi);
+ return err;
+-
+-out_cdev:
+- cdev_del(&vol->cdev);
+- return err;
+ }
+
+ /**
+--
+2.39.2
+
--- /dev/null
+From 6f2c367e2277255ed0ae21fa89baa499db0488a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Jul 2022 19:28:37 +0800
+Subject: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit a240bc5c43130c6aa50831d7caaa02a1d84e1bce ]
+
+Wear-leveling entry could be freed in error path, which may be accessed
+again in eraseblk_count_seq_show(), for example:
+
+__erase_worker eraseblk_count_seq_show
+ wl = ubi->lookuptbl[*block_number]
+ if (wl)
+ wl_entry_destroy
+ ubi->lookuptbl[e->pnum] = NULL
+ kmem_cache_free(ubi_wl_entry_slab, e)
+ erase_count = wl->ec // UAF!
+
+Wear-leveling entry updating/accessing in ubi->lookuptbl should be
+protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
+wl entry accessing between wl_entry_destroy() and
+eraseblk_count_seq_show().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305
+Fixes: 7bccd12d27b7e3 ("ubi: Add debugfs file for tracking PEB state")
+Fixes: 801c135ce73d5d ("UBI: Unsorted Block Images")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/wl.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index 820b5c1c8e8e7..7406bc96affb5 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -885,8 +885,11 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+
+ err = do_sync_erase(ubi, e1, vol_id, lnum, 0);
+ if (err) {
+- if (e2)
++ if (e2) {
++ spin_lock(&ubi->wl_lock);
+ wl_entry_destroy(ubi, e2);
++ spin_unlock(&ubi->wl_lock);
++ }
+ goto out_ro;
+ }
+
+@@ -1121,14 +1124,18 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk)
+ /* Re-schedule the LEB for erasure */
+ err1 = schedule_erase(ubi, e, vol_id, lnum, 0, false);
+ if (err1) {
++ spin_lock(&ubi->wl_lock);
+ wl_entry_destroy(ubi, e);
++ spin_unlock(&ubi->wl_lock);
+ err = err1;
+ goto out_ro;
+ }
+ return err;
+ }
+
++ spin_lock(&ubi->wl_lock);
+ wl_entry_destroy(ubi, e);
++ spin_unlock(&ubi->wl_lock);
+ if (err != -EIO)
+ /*
+ * If this is not %-EIO, we have no idea what to do. Scheduling
+--
+2.39.2
+
--- /dev/null
+From 55a24216bc3be41375ba4a053d3ee4292af87c50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 18:21:57 +0800
+Subject: ubi: Fix unreferenced object reported by kmemleak in
+ ubi_resize_volume()
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 1e591ea072df7211f64542a09482b5f81cb3ad27 ]
+
+There is a memory leaks problem reported by kmemleak:
+
+unreferenced object 0xffff888102007a00 (size 128):
+ comm "ubirsvol", pid 32090, jiffies 4298464136 (age 2361.231s)
+ hex dump (first 32 bytes):
+ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
+ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
+ backtrace:
+[<ffffffff8176cecd>] __kmalloc+0x4d/0x150
+[<ffffffffa02a9a36>] ubi_eba_create_table+0x76/0x170 [ubi]
+[<ffffffffa029764e>] ubi_resize_volume+0x1be/0xbc0 [ubi]
+[<ffffffffa02a3321>] ubi_cdev_ioctl+0x701/0x1850 [ubi]
+[<ffffffff81975d2d>] __x64_sys_ioctl+0x11d/0x170
+[<ffffffff83c142a5>] do_syscall_64+0x35/0x80
+[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+This is due to a mismatch between create and destroy interfaces, and
+in detail that "new_eba_tbl" created by ubi_eba_create_table() but
+destroyed by kfree(), while will causing "new_eba_tbl->entries" not
+freed.
+
+Fix it by replacing kfree(new_eba_tbl) with
+ubi_eba_destroy_table(new_eba_tbl)
+
+Fixes: 799dca34ac54 ("UBI: hide EBA internals")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/vmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 6c7822c1cc451..2e5bd473e5e25 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -515,7 +515,7 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ return err;
+
+ out_free:
+- kfree(new_eba_tbl);
++ ubi_eba_destroy_table(new_eba_tbl);
+ return err;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 067c9630fc509a7f3d2de9869186c91e19e2ca22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 18:21:56 +0800
+Subject: ubi: Fix use-after-free when volume resizing failed
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 9af31d6ec1a4be4caab2550096c6bd2ba8fba472 ]
+
+There is an use-after-free problem reported by KASAN:
+ ==================================================================
+ BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
+ Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735
+
+ CPU: 2 PID: 4735 Comm: ubirsvol
+ Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+ BIOS 1.14.0-1.fc33 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x44
+ print_report+0x171/0x472
+ kasan_report+0xad/0x130
+ ubi_eba_copy_table+0x11f/0x1c0 [ubi]
+ ubi_resize_volume+0x4f9/0xbc0 [ubi]
+ ubi_cdev_ioctl+0x701/0x1850 [ubi]
+ __x64_sys_ioctl+0x11d/0x170
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+ </TASK>
+
+When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
+"new_eba_tbl" will be freed on error handing path, but it is holded
+by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle
+of "vol->eba_tbl" and "vol" are different, so when resizing volume in
+next time, it causing an use-after-free fault.
+
+Fix it by not freeing "new_eba_tbl" after it replaced in
+ubi_eba_replace_table(), while will be freed in next volume resizing.
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/vmt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 6ea95ade4ca6b..6c7822c1cc451 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -464,7 +464,7 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ for (i = 0; i < -pebs; i++) {
+ err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i);
+ if (err)
+- goto out_acc;
++ goto out_free;
+ }
+ spin_lock(&ubi->volumes_lock);
+ ubi->rsvd_pebs += pebs;
+@@ -512,6 +512,8 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ ubi->avail_pebs += pebs;
+ spin_unlock(&ubi->volumes_lock);
+ }
++ return err;
++
+ out_free:
+ kfree(new_eba_tbl);
+ return err;
+--
+2.39.2
+
--- /dev/null
+From ebe04b46e4dd57bae15b6cd792cf4c498fcdd4f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jun 2022 14:59:04 +0800
+Subject: ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 4d57a7333e26040f2b583983e1970d9d460e56b0 ]
+
+Following process will trigger an infinite loop in ubi_wl_put_peb():
+
+ ubifs_bgt ubi_bgt
+ubifs_leb_unmap
+ ubi_leb_unmap
+ ubi_eba_unmap_leb
+ ubi_wl_put_peb wear_leveling_worker
+ e1 = rb_entry(rb_first(&ubi->used)
+ e2 = get_peb_for_wl(ubi)
+ ubi_io_read_vid_hdr // return err (flash fault)
+ out_error:
+ ubi->move_from = ubi->move_to = NULL
+ wl_entry_destroy(ubi, e1)
+ ubi->lookuptbl[e->pnum] = NULL
+ retry:
+ e = ubi->lookuptbl[pnum]; // return NULL
+ if (e == ubi->move_from) { // NULL == NULL gets true
+ goto retry; // infinite loop !!!
+
+$ top
+ PID USER PR NI VIRT RES SHR S %CPU %MEM COMMAND
+ 7676 root 20 0 0 0 0 R 100.0 0.0 ubifs_bgt0_0
+
+Fix it by:
+ 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has
+ been removed from 'ubi->lookuptbl'.
+ 2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an
+ use-after-free problem for wl entry in ubi_wl_put_peb().
+
+Fetch a reproducer in [Link].
+
+Fixes: 43f9b25a9cdd7b1 ("UBI: bugfix: protect from volume removal")
+Fixes: ee59ba8b064f692 ("UBI: Fix stale pointers in ubi->lookuptbl")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216111
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/wl.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index 7406bc96affb5..6da09263e0b9f 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -971,11 +971,11 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+ spin_lock(&ubi->wl_lock);
+ ubi->move_from = ubi->move_to = NULL;
+ ubi->move_to_put = ubi->wl_scheduled = 0;
++ wl_entry_destroy(ubi, e1);
++ wl_entry_destroy(ubi, e2);
+ spin_unlock(&ubi->wl_lock);
+
+ ubi_free_vid_buf(vidb);
+- wl_entry_destroy(ubi, e1);
+- wl_entry_destroy(ubi, e2);
+
+ out_ro:
+ ubi_ro_mode(ubi);
+@@ -1251,6 +1251,18 @@ int ubi_wl_put_peb(struct ubi_device *ubi, int vol_id, int lnum,
+ retry:
+ spin_lock(&ubi->wl_lock);
+ e = ubi->lookuptbl[pnum];
++ if (!e) {
++ /*
++ * This wl entry has been removed for some errors by other
++ * process (eg. wear leveling worker), corresponding process
++ * (except __erase_worker, which cannot concurrent with
++ * ubi_wl_put_peb) will set ubi ro_mode at the same time,
++ * just ignore this wl entry.
++ */
++ spin_unlock(&ubi->wl_lock);
++ up_read(&ubi->fm_protect);
++ return 0;
++ }
+ if (e == ubi->move_from) {
+ /*
+ * User is putting the physical eraseblock which was selected to
+--
+2.39.2
+
--- /dev/null
+From 05482fbb1890edc6acafded6fd655d7434277d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:02:36 +0800
+Subject: ubifs: dirty_cow_znode: Fix memleak in error handling path
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 122deabfe1428bffe95e2bf364ff8a5059bdf089 ]
+
+Following process will cause a memleak for copied up znode:
+
+dirty_cow_znode
+ zn = copy_znode(c, znode);
+ err = insert_old_idx(c, zbr->lnum, zbr->offs);
+ if (unlikely(err))
+ return ERR_PTR(err); // No one refers to zn.
+
+Fix it by adding copied znode back to tnc, then it will be freed
+by ubifs_destroy_tnc_subtree() while closing tnc.
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216705
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/tnc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
+index 7c36b66774301..07470449b9602 100644
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -267,11 +267,18 @@ static struct ubifs_znode *dirty_cow_znode(struct ubifs_info *c,
+ if (zbr->len) {
+ err = insert_old_idx(c, zbr->lnum, zbr->offs);
+ if (unlikely(err))
+- return ERR_PTR(err);
++ /*
++ * Obsolete znodes will be freed by tnc_destroy_cnext()
++ * or free_obsolete_znodes(), copied up znodes should
++ * be added back to tnc and freed by
++ * ubifs_destroy_tnc_subtree().
++ */
++ goto out;
+ err = add_idx_dirt(c, zbr->lnum, zbr->len);
+ } else
+ err = 0;
+
++out:
+ zbr->znode = zn;
+ zbr->lnum = 0;
+ zbr->offs = 0;
+--
+2.39.2
+
--- /dev/null
+From c4c115314b470a2ae8a0d487340043d094a45d62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:31 +0800
+Subject: ubifs: do_rename: Fix wrong space budget when target inode's nlink >
+ 1
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 25fce616a61fc2f1821e4a9ce212d0e064707093 ]
+
+If target inode is a special file (eg. block/char device) with nlink
+count greater than 1, the inode with ui->data will be re-written on
+disk. However, UBIFS losts target inode's data_len while doing space
+budget. Bad space budget may let make_reservation() return with -ENOSPC,
+which could turn ubifs to read-only mode in do_writepage() process.
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216494
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 15b5664fd5c93..6039943877e10 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1288,6 +1288,8 @@ static int do_rename(struct inode *old_dir, struct dentry *old_dentry,
+ if (unlink) {
+ ubifs_assert(c, inode_is_locked(new_inode));
+
++ /* Budget for old inode's data when its nlink > 1. */
++ req.dirtied_ino_d = ALIGN(ubifs_inode(new_inode)->data_len, 8);
+ err = ubifs_purge_xattrs(new_inode);
+ if (err)
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 5e7fc9db48f84ab43ebc19021fcaf067d71c9977 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:18:47 +0800
+Subject: ubifs: Fix build errors as symbol undefined
+
+From: Li Hua <hucool.lihua@huawei.com>
+
+[ Upstream commit aa6d148e6d6270274e3d5a529b71c54cd329d17f ]
+
+With CONFIG_UBIFS_FS_AUTHENTICATION not set, the compiler can assume that
+ubifs_node_check_hash() is never true and drops the call to ubifs_bad_hash().
+Is CONFIG_CC_OPTIMIZE_FOR_SIZE enabled this optimization does not happen anymore.
+
+So When CONFIG_UBIFS_FS and CONFIG_CC_OPTIMIZE_FOR_SIZE is enabled but
+CONFIG_UBIFS_FS_AUTHENTICATION is not set, the build errors is as followd:
+ ERROR: modpost: "ubifs_bad_hash" [fs/ubifs/ubifs.ko] undefined!
+
+Fix it by add no-op ubifs_bad_hash() for the CONFIG_UBIFS_FS_AUTHENTICATION=n case.
+
+Fixes: 16a26b20d2af ("ubifs: authentication: Add hashes to index nodes")
+Signed-off-by: Li Hua <hucool.lihua@huawei.com>
+Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/ubifs.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
+index e7e48f3b179ab..b66ebab5c5dec 100644
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -1594,8 +1594,13 @@ static inline int ubifs_check_hmac(const struct ubifs_info *c,
+ return crypto_memneq(expected, got, c->hmac_desc_len);
+ }
+
++#ifdef CONFIG_UBIFS_FS_AUTHENTICATION
+ void ubifs_bad_hash(const struct ubifs_info *c, const void *node,
+ const u8 *hash, int lnum, int offs);
++#else
++static inline void ubifs_bad_hash(const struct ubifs_info *c, const void *node,
++ const u8 *hash, int lnum, int offs) {};
++#endif
+
+ int __ubifs_node_check_hash(const struct ubifs_info *c, const void *buf,
+ const u8 *expected);
+--
+2.39.2
+
--- /dev/null
+From 1dfd4b5bc6ecc5f5b8482f7ed43edae65ad7370d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Oct 2022 19:52:11 +0800
+Subject: ubifs: Fix memory leak in alloc_wbufs()
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 4a1ff3c5d04b9079b4f768d9a71b51c4af578dd2 ]
+
+kmemleak reported a sequence of memory leaks, and show them as following:
+
+ unreferenced object 0xffff8881575f8400 (size 1024):
+ comm "mount", pid 19625, jiffies 4297119604 (age 20.383s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
+ [<ffffffffa0406b2b>] ubifs_mount+0x307b/0x7170 [ubifs]
+ [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
+ [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
+ [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
+ [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
+ [<ffffffff83c14295>] do_syscall_64+0x35/0x80
+ [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+ unreferenced object 0xffff8881798a6e00 (size 512):
+ comm "mount", pid 19677, jiffies 4297121912 (age 37.816s)
+ hex dump (first 32 bytes):
+ 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ backtrace:
+ [<ffffffff8176cecd>] __kmalloc+0x4d/0x150
+ [<ffffffffa0418342>] ubifs_wbuf_init+0x52/0x480 [ubifs]
+ [<ffffffffa0406ca5>] ubifs_mount+0x31f5/0x7170 [ubifs]
+ [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0
+ [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230
+ [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0
+ [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270
+ [<ffffffff83c14295>] do_syscall_64+0x35/0x80
+ [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+The problem is that the ubifs_wbuf_init() returns an error in the
+loop which in the alloc_wbufs(), then the wbuf->buf and wbuf->inodes
+that were successfully alloced before are not freed.
+
+Fix it by adding error hanging path in alloc_wbufs() which frees
+the memory alloced before when ubifs_wbuf_init() returns an error.
+
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/super.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
+index 6a8f9efc2e2f0..1df193c87e920 100644
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -833,7 +833,7 @@ static int alloc_wbufs(struct ubifs_info *c)
+ INIT_LIST_HEAD(&c->jheads[i].buds_list);
+ err = ubifs_wbuf_init(c, &c->jheads[i].wbuf);
+ if (err)
+- return err;
++ goto out_wbuf;
+
+ c->jheads[i].wbuf.sync_callback = &bud_wbuf_callback;
+ c->jheads[i].wbuf.jhead = i;
+@@ -841,7 +841,7 @@ static int alloc_wbufs(struct ubifs_info *c)
+ c->jheads[i].log_hash = ubifs_hash_get_desc(c);
+ if (IS_ERR(c->jheads[i].log_hash)) {
+ err = PTR_ERR(c->jheads[i].log_hash);
+- goto out;
++ goto out_log_hash;
+ }
+ }
+
+@@ -854,9 +854,18 @@ static int alloc_wbufs(struct ubifs_info *c)
+
+ return 0;
+
+-out:
+- while (i--)
++out_log_hash:
++ kfree(c->jheads[i].wbuf.buf);
++ kfree(c->jheads[i].wbuf.inodes);
++
++out_wbuf:
++ while (i--) {
++ kfree(c->jheads[i].wbuf.buf);
++ kfree(c->jheads[i].wbuf.inodes);
+ kfree(c->jheads[i].log_hash);
++ }
++ kfree(c->jheads);
++ c->jheads = NULL;
+
+ return err;
+ }
+--
+2.39.2
+
--- /dev/null
+From 106ab4de61043dbcdd0ea5f4e641126d232dd737 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:30 +0800
+Subject: ubifs: Fix wrong dirty space budget for dirty inode
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit b248eaf049d9cdc5eb76b59399e4d3de233f02ac ]
+
+Each dirty inode should reserve 'c->bi.inode_budget' bytes in space
+budget calculation. Currently, space budget for dirty inode reports
+more space than what UBIFS actually needs to write.
+
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/budget.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c
+index c0b84e960b20c..bdb79be6dc0e2 100644
+--- a/fs/ubifs/budget.c
++++ b/fs/ubifs/budget.c
+@@ -403,7 +403,7 @@ static int calc_dd_growth(const struct ubifs_info *c,
+ dd_growth = req->dirtied_page ? c->bi.page_budget : 0;
+
+ if (req->dirtied_ino)
+- dd_growth += c->bi.inode_budget << (req->dirtied_ino - 1);
++ dd_growth += c->bi.inode_budget * req->dirtied_ino;
+ if (req->mod_dent)
+ dd_growth += c->bi.dent_budget;
+ dd_growth += req->dirtied_ino_d;
+--
+2.39.2
+
--- /dev/null
+From 077fc87b987f47a1beed95adeddf1ebd636102c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:02:35 +0800
+Subject: ubifs: Re-statistic cleaned znode count if commit failed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 944e096aa24071d3fe22822f6249d3ae309e39ea ]
+
+Dirty znodes will be written on flash in committing process with
+following states:
+
+ process A | znode state
+------------------------------------------------------
+do_commit | DIRTY_ZNODE
+ ubifs_tnc_start_commit | DIRTY_ZNODE
+ get_znodes_to_commit | DIRTY_ZNODE | COW_ZNODE
+ layout_commit | DIRTY_ZNODE | COW_ZNODE
+ fill_gap | 0
+ write master | 0 or OBSOLETE_ZNODE
+
+ process B | znode state
+------------------------------------------------------
+do_commit | DIRTY_ZNODE[1]
+ ubifs_tnc_start_commit | DIRTY_ZNODE
+ get_znodes_to_commit | DIRTY_ZNODE | COW_ZNODE
+ ubifs_tnc_end_commit | DIRTY_ZNODE | COW_ZNODE
+ write_index | 0
+ write master | 0 or OBSOLETE_ZNODE[2] or
+ | DIRTY_ZNODE[3]
+
+[1] znode is dirtied without concurrent committing process
+[2] znode is copied up (re-dirtied by other process) before cleaned
+ up in committing process
+[3] znode is re-dirtied after cleaned up in committing process
+
+Currently, the clean znode count is updated in free_obsolete_znodes(),
+which is called only in normal path. If do_commit failed, clean znode
+count won't be updated, which triggers a failure ubifs assertion[4] in
+ubifs_tnc_close():
+ ubifs_assert_failed [ubifs]: UBIFS assert failed: freed == n
+
+[4] Commit 380347e9ca7682 ("UBIFS: Add an assertion for clean_zn_cnt").
+
+Fix it by re-statisticing cleaned znode count in tnc_destroy_cnext().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216704
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/tnc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
+index 894f1ab14616e..7c36b66774301 100644
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -3053,6 +3053,21 @@ static void tnc_destroy_cnext(struct ubifs_info *c)
+ cnext = cnext->cnext;
+ if (ubifs_zn_obsolete(znode))
+ kfree(znode);
++ else if (!ubifs_zn_cow(znode)) {
++ /*
++ * Don't forget to update clean znode count after
++ * committing failed, because ubifs will check this
++ * count while closing tnc. Non-obsolete znode could
++ * be re-dirtied during committing process, so dirty
++ * flag is untrustable. The flag 'COW_ZNODE' is set
++ * for each dirty znode before committing, and it is
++ * cleared as long as the znode become clean, so we
++ * can statistic clean znode count according to this
++ * flag.
++ */
++ atomic_long_inc(&c->clean_zn_cnt);
++ atomic_long_inc(&ubifs_clean_zn_cnt);
++ }
+ } while (cnext && cnext != c->cnext);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 9d4bd3ccfbb36c15351e17c352c04b2552e4441c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:27 +0800
+Subject: ubifs: Rectify space budget for ubifs_symlink() if symlink is
+ encrypted
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit c2c36cc6ca23e614f9e4238d0ecf48549ee9002a ]
+
+Fix bad space budget when symlink file is encrypted. Bad space budget
+may let make_reservation() return with -ENOSPC, which could turn ubifs
+to read-only mode in do_writepage() process.
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216490
+Fixes: ca7f85be8d6cf9 ("ubifs: Add support for encrypted symlinks")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 9257ee893bdb8..7dceca1be9b5d 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1117,7 +1117,6 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+ int err, sz_change, len = strlen(symname);
+ struct fscrypt_str disk_link;
+ struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
+- .new_ino_d = ALIGN(len, 8),
+ .dirtied_ino = 1 };
+ struct fscrypt_name nm;
+
+@@ -1133,6 +1132,7 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+ * Budget request settings: new inode, new direntry and changing parent
+ * directory inode.
+ */
++ req.new_ino_d = ALIGN(disk_link.len - 1, 8);
+ err = ubifs_budget_space(c, &req);
+ if (err)
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 9bef2852e035460073f074b97fa83fec16f7222e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:28 +0800
+Subject: ubifs: Rectify space budget for ubifs_xrename()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 1b2ba09060e41adb356b9ae58ef94a7390928004 ]
+
+There is no space budget for ubifs_xrename(). It may let
+make_reservation() return with -ENOSPC, which could turn
+ubifs to read-only mode in do_writepage() process.
+Fix it by adding space budget for ubifs_xrename().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216569
+Fixes: 9ec64962afb170 ("ubifs: Implement RENAME_EXCHANGE")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/dir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 7dceca1be9b5d..15b5664fd5c93 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1530,6 +1530,10 @@ static int ubifs_xrename(struct inode *old_dir, struct dentry *old_dentry,
+ return err;
+ }
+
++ err = ubifs_budget_space(c, &req);
++ if (err)
++ goto out;
++
+ lock_4_inodes(old_dir, new_dir, NULL, NULL);
+
+ time = current_time(old_dir);
+@@ -1555,6 +1559,7 @@ static int ubifs_xrename(struct inode *old_dir, struct dentry *old_dentry,
+ unlock_4_inodes(old_dir, new_dir, NULL, NULL);
+ ubifs_release_budget(c, &req);
+
++out:
+ fscrypt_free_filename(&fst_nm);
+ fscrypt_free_filename(&snd_nm);
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 6d16d2f392691f5195abac66a9b385f886c6c287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:32 +0800
+Subject: ubifs: Reserve one leb for each journal head while doing budget
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit e874dcde1cbf82c786c0e7f2899811c02630cc52 ]
+
+UBIFS calculates available space by c->main_bytes - c->lst.total_used
+(which means non-index lebs' free and dirty space is accounted into
+total available), then index lebs and four lebs (one for gc_lnum, one
+for deletions, two for journal heads) are deducted.
+In following situation, ubifs may get -ENOSPC from make_reservation():
+ LEB 84: DATAHD free 122880 used 1920 dirty 2176 dark 6144
+ LEB 110:DELETION free 126976 used 0 dirty 0 dark 6144 (empty)
+ LEB 201:gc_lnum free 126976 used 0 dirty 0 dark 6144
+ LEB 272:GCHD free 77824 used 47672 dirty 1480 dark 6144
+ LEB 356:BASEHD free 0 used 39776 dirty 87200 dark 6144
+ OTHERS: index lebs, zero-available non-index lebs
+
+UBIFS calculates the available bytes is 6888 (How to calculate it:
+126976 * 5[remain main bytes] - 1920[used] - 47672[used] - 39776[used] -
+126976 * 1[deletions] - 126976 * 1[gc_lnum] - 126976 * 2[journal heads]
+- 6144 * 5[dark] = 6888) after doing budget, however UBIFS cannot use
+BASEHD's dirty space(87200), because UBIFS cannot find next BASEHD to
+reclaim current BASEHD. (c->bi.min_idx_lebs equals to c->lst.idx_lebs,
+the empty leb won't be found by ubifs_find_free_space(), and dirty index
+lebs won't be picked as gced lebs. All non-index lebs has dirty space
+less then c->dead_wm, non-index lebs won't be picked as gced lebs
+either. So new free lebs won't be produced.). See more details in Link.
+
+To fix it, reserve one leb for each journal head while doing budget.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216562
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/budget.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c
+index bdb79be6dc0e2..9cb05ef9b9dd9 100644
+--- a/fs/ubifs/budget.c
++++ b/fs/ubifs/budget.c
+@@ -212,11 +212,10 @@ long long ubifs_calc_available(const struct ubifs_info *c, int min_idx_lebs)
+ subtract_lebs += 1;
+
+ /*
+- * The GC journal head LEB is not really accessible. And since
+- * different write types go to different heads, we may count only on
+- * one head's space.
++ * Since different write types go to different heads, we should
++ * reserve one leb for each head.
+ */
+- subtract_lebs += c->jhead_cnt - 1;
++ subtract_lebs += c->jhead_cnt;
+
+ /* We also reserve one LEB for deletions, which bypass budgeting */
+ subtract_lebs += 1;
+--
+2.39.2
+
--- /dev/null
+From 585a52b8e85d40fdb3c33846c00e1996093dca18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jun 2022 10:59:59 +0800
+Subject: ubifs: ubifs_writepage: Mark page dirty after writing inode failed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit fb8bc4c74ae4526d9489362ab2793a936d072b84 ]
+
+There are two states for ubifs writing pages:
+1. Dirty, Private
+2. Not Dirty, Not Private
+
+There is a third possibility which maybe related to [1] that page is
+private but not dirty caused by following process:
+
+ PA
+lock(page)
+ubifs_write_end
+ attach_page_private // set Private
+ __set_page_dirty_nobuffers // set Dirty
+unlock(page)
+
+write_cache_pages
+ lock(page)
+ clear_page_dirty_for_io(page) // clear Dirty
+ ubifs_writepage
+ write_inode
+ // fail, goto out, following codes are not executed
+ // do_writepage
+ // set_page_writeback // set Writeback
+ // detach_page_private // clear Private
+ // end_page_writeback // clear Writeback
+ out:
+ unlock(page) // Private, Not Dirty
+
+ PB
+ ksys_fadvise64_64
+ generic_fadvise
+ invalidate_inode_page
+ // page is neither Dirty nor Writeback
+ invalidate_complete_page
+ // page_has_private is true
+ try_to_release_page
+ ubifs_releasepage
+ ubifs_assert(c, 0) !!!
+
+Then we may get following assertion failed:
+ UBIFS error (ubi0:0 pid 1492): ubifs_assert_failed [ubifs]:
+ UBIFS assert failed: 0, in fs/ubifs/file.c:1499
+ UBIFS warning (ubi0:0 pid 1492): ubifs_ro_mode [ubifs]:
+ switched to read-only mode, error -22
+ CPU: 2 PID: 1492 Comm: aa Not tainted 5.16.0-rc2-00012-g7bb767dee0ba-dirty
+ Call Trace:
+ dump_stack+0x13/0x1b
+ ubifs_ro_mode+0x54/0x60 [ubifs]
+ ubifs_assert_failed+0x4b/0x80 [ubifs]
+ ubifs_releasepage+0x7e/0x1e0 [ubifs]
+ try_to_release_page+0x57/0xe0
+ invalidate_inode_page+0xfb/0x130
+ invalidate_mapping_pagevec+0x12/0x20
+ generic_fadvise+0x303/0x3c0
+ vfs_fadvise+0x35/0x40
+ ksys_fadvise64_64+0x4c/0xb0
+
+Jump [2] to find a reproducer.
+
+[1] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty
+[2] https://bugzilla.kernel.org/show_bug.cgi?id=215357
+
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/file.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
+index 354457e846cda..19fdcda045890 100644
+--- a/fs/ubifs/file.c
++++ b/fs/ubifs/file.c
+@@ -1031,7 +1031,7 @@ static int ubifs_writepage(struct page *page, struct writeback_control *wbc)
+ if (page->index >= synced_i_size >> PAGE_SHIFT) {
+ err = inode->i_sb->s_op->write_inode(inode, NULL);
+ if (err)
+- goto out_unlock;
++ goto out_redirty;
+ /*
+ * The inode has been written, but the write-buffer has
+ * not been synchronized, so in case of an unclean
+@@ -1059,11 +1059,17 @@ static int ubifs_writepage(struct page *page, struct writeback_control *wbc)
+ if (i_size > synced_i_size) {
+ err = inode->i_sb->s_op->write_inode(inode, NULL);
+ if (err)
+- goto out_unlock;
++ goto out_redirty;
+ }
+
+ return do_writepage(page, len);
+-
++out_redirty:
++ /*
++ * redirty_page_for_writepage() won't call ubifs_dirty_inode() because
++ * it passes I_DIRTY_PAGES flag while calling __mark_inode_dirty(), so
++ * there is no need to do space budget for dirty inode.
++ */
++ redirty_page_for_writepage(wbc, page);
+ out_unlock:
+ unlock_page(page);
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 730308f19abb04e4bbca2c522811d75e0dd4f1c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 15:32:25 +0800
+Subject: um: vector: Fix memory leak in vector_config
+
+From: Xiang Yang <xiangyang3@huawei.com>
+
+[ Upstream commit 8f88c73afe481f93d40801596927e8c0047b6d96 ]
+
+If the return value of the uml_parse_vector_ifspec function is NULL,
+we should call kfree(params) to prevent memory leak.
+
+Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver")
+Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
+Acked-By: Anton Ivanov <anton.ivanov@kot-begemot.co.uk>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/vector_kern.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c
+index 555203e3e7b45..fc662f7cc2afb 100644
+--- a/arch/um/drivers/vector_kern.c
++++ b/arch/um/drivers/vector_kern.c
+@@ -771,6 +771,7 @@ static int vector_config(char *str, char **error_out)
+
+ if (parsed == NULL) {
+ *error_out = "vector_config failed to parse parameters";
++ kfree(params);
+ return -EINVAL;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From bce9b5801b7afb50ee4266184594d9afd6f40ed3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Feb 2023 10:35:46 -0800
+Subject: USB: ene_usb6250: Allocate enough memory for full object
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit ce33e64c1788912976b61314b56935abd4bc97ef ]
+
+The allocation of PageBuffer is 512 bytes in size, but the dereferencing
+of struct ms_bootblock_idi (also size 512) happens at a calculated offset
+within the allocation, which means the object could potentially extend
+beyond the end of the allocation. Avoid this case by just allocating
+enough space to catch any accesses beyond the end. Seen with GCC 13:
+
+../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock':
+../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=]
+ 1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
+ | ^~
+../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu'
+ 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
+ | ^
+../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu'
+ 1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
+ | ^~~~~~~~~~~
+In file included from ../drivers/usb/storage/ene_ub6250.c:5:
+In function 'kmalloc',
+ inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15:
+../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace'
+ 580 | return kmalloc_trace(
+ | ^~~~~~~~~~~~~~
+ 581 | kmalloc_caches[kmalloc_type(flags)][index],
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 582 | flags, size);
+ | ~~~~~~~~~~~~
+
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/ene_ub6250.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c
+index c9ce1c25c80cc..737398f1b896a 100644
+--- a/drivers/usb/storage/ene_ub6250.c
++++ b/drivers/usb/storage/ene_ub6250.c
+@@ -938,7 +938,7 @@ static int ms_lib_process_bootblock(struct us_data *us, u16 PhyBlock, u8 *PageDa
+ struct ms_lib_type_extdat ExtraData;
+ struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
+
+- PageBuffer = kmalloc(MS_BYTES_PER_PAGE, GFP_KERNEL);
++ PageBuffer = kzalloc(MS_BYTES_PER_PAGE * 2, GFP_KERNEL);
+ if (PageBuffer == NULL)
+ return (u32)-1;
+
+--
+2.39.2
+
--- /dev/null
+From df8f47904381d7a173afee8c3213b321a275c3c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Feb 2023 16:17:52 +0000
+Subject: usb: gadget: uvc: Make bSourceID read/write
+
+From: Daniel Scally <dan.scally@ideasonboard.com>
+
+[ Upstream commit b3c839bd8a07d303bc59a900d55dd35c7826562c ]
+
+At the moment, the UVC function graph is hardcoded IT -> PU -> OT.
+To add XU support we need the ability to insert the XU descriptors
+into the chain. To facilitate that, make the output terminal's
+bSourceID attribute writeable so that we can configure its source.
+
+Signed-off-by: Daniel Scally <dan.scally@ideasonboard.com>
+Link: https://lore.kernel.org/r/20230206161802.892954-2-dan.scally@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ABI/testing/configfs-usb-gadget-uvc | 2 +-
+ drivers/usb/gadget/function/uvc_configfs.c | 59 ++++++++++++++++++-
+ 2 files changed, 59 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/ABI/testing/configfs-usb-gadget-uvc b/Documentation/ABI/testing/configfs-usb-gadget-uvc
+index ac5e11af79a81..4b1813994bd0d 100644
+--- a/Documentation/ABI/testing/configfs-usb-gadget-uvc
++++ b/Documentation/ABI/testing/configfs-usb-gadget-uvc
+@@ -51,7 +51,7 @@ Date: Dec 2014
+ KernelVersion: 4.0
+ Description: Default output terminal descriptors
+
+- All attributes read only:
++ All attributes read only except bSourceID:
+
+ ============== =============================================
+ iTerminal index of string descriptor
+diff --git a/drivers/usb/gadget/function/uvc_configfs.c b/drivers/usb/gadget/function/uvc_configfs.c
+index 00fb58e50a155..7bb11d532b195 100644
+--- a/drivers/usb/gadget/function/uvc_configfs.c
++++ b/drivers/usb/gadget/function/uvc_configfs.c
+@@ -505,11 +505,68 @@ UVC_ATTR_RO(uvcg_default_output_, cname, aname)
+ UVCG_DEFAULT_OUTPUT_ATTR(b_terminal_id, bTerminalID, 8);
+ UVCG_DEFAULT_OUTPUT_ATTR(w_terminal_type, wTerminalType, 16);
+ UVCG_DEFAULT_OUTPUT_ATTR(b_assoc_terminal, bAssocTerminal, 8);
+-UVCG_DEFAULT_OUTPUT_ATTR(b_source_id, bSourceID, 8);
+ UVCG_DEFAULT_OUTPUT_ATTR(i_terminal, iTerminal, 8);
+
+ #undef UVCG_DEFAULT_OUTPUT_ATTR
+
++static ssize_t uvcg_default_output_b_source_id_show(struct config_item *item,
++ char *page)
++{
++ struct config_group *group = to_config_group(item);
++ struct f_uvc_opts *opts;
++ struct config_item *opts_item;
++ struct mutex *su_mutex = &group->cg_subsys->su_mutex;
++ struct uvc_output_terminal_descriptor *cd;
++ int result;
++
++ mutex_lock(su_mutex); /* for navigating configfs hierarchy */
++
++ opts_item = group->cg_item.ci_parent->ci_parent->
++ ci_parent->ci_parent;
++ opts = to_f_uvc_opts(opts_item);
++ cd = &opts->uvc_output_terminal;
++
++ mutex_lock(&opts->lock);
++ result = sprintf(page, "%u\n", le8_to_cpu(cd->bSourceID));
++ mutex_unlock(&opts->lock);
++
++ mutex_unlock(su_mutex);
++
++ return result;
++}
++
++static ssize_t uvcg_default_output_b_source_id_store(struct config_item *item,
++ const char *page, size_t len)
++{
++ struct config_group *group = to_config_group(item);
++ struct f_uvc_opts *opts;
++ struct config_item *opts_item;
++ struct mutex *su_mutex = &group->cg_subsys->su_mutex;
++ struct uvc_output_terminal_descriptor *cd;
++ int result;
++ u8 num;
++
++ mutex_lock(su_mutex); /* for navigating configfs hierarchy */
++
++ opts_item = group->cg_item.ci_parent->ci_parent->
++ ci_parent->ci_parent;
++ opts = to_f_uvc_opts(opts_item);
++ cd = &opts->uvc_output_terminal;
++
++ result = kstrtou8(page, 0, &num);
++ if (result)
++ return result;
++
++ mutex_lock(&opts->lock);
++ cd->bSourceID = num;
++ mutex_unlock(&opts->lock);
++
++ mutex_unlock(su_mutex);
++
++ return len;
++}
++UVC_ATTR(uvcg_default_output_, b_source_id, bSourceID);
++
+ static struct configfs_attribute *uvcg_default_output_attrs[] = {
+ &uvcg_default_output_attr_b_terminal_id,
+ &uvcg_default_output_attr_w_terminal_type,
+--
+2.39.2
+
--- /dev/null
+From 512edf5bc1876be46d92a4ecf455784cee478409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Feb 2023 10:36:52 -0800
+Subject: usb: host: xhci: mvebu: Iterate over array indexes instead of using
+ pointer math
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 0fbd2cda92cdb00f72080665554a586f88bca821 ]
+
+Walking the dram->cs array was seen as accesses beyond the first array
+item by the compiler. Instead, use the array index directly. This allows
+for run-time bounds checking under CONFIG_UBSAN_BOUNDS as well. Seen
+with GCC 13 with -fstrict-flex-arrays:
+
+In function 'xhci_mvebu_mbus_config',
+ inlined from 'xhci_mvebu_mbus_init_quirk' at ../drivers/usb/host/xhci-mvebu.c:66:2:
+../drivers/usb/host/xhci-mvebu.c:37:28: warning: array subscript 0 is outside array bounds of 'const struct mbus_dram_window[0]' [-Warray-bounds=]
+ 37 | writel(((cs->size - 1) & 0xffff0000) | (cs->mbus_attr << 8) |
+ | ~~^~~~~~
+
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230204183651.never.663-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mvebu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-mvebu.c b/drivers/usb/host/xhci-mvebu.c
+index 8ca1a235d1645..eabccf25796b2 100644
+--- a/drivers/usb/host/xhci-mvebu.c
++++ b/drivers/usb/host/xhci-mvebu.c
+@@ -33,7 +33,7 @@ static void xhci_mvebu_mbus_config(void __iomem *base,
+
+ /* Program each DRAM CS in a seperate window */
+ for (win = 0; win < dram->num_cs; win++) {
+- const struct mbus_dram_window *cs = dram->cs + win;
++ const struct mbus_dram_window *cs = &dram->cs[win];
+
+ writel(((cs->size - 1) & 0xffff0000) | (cs->mbus_attr << 8) |
+ (dram->mbus_dram_target_id << 4) | 1,
+--
+2.39.2
+
--- /dev/null
+From 6cc0fed627238a8e03323c5dfa1bdf91c569b071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 11:41:37 +0000
+Subject: usb: uvc: Enumerate valid values for color matching
+
+From: Daniel Scally <dan.scally@ideasonboard.com>
+
+[ Upstream commit e16cab9c1596e251761d2bfb5e1467950d616963 ]
+
+The color matching descriptors defined in the UVC Specification
+contain 3 fields with discrete numeric values representing particular
+settings. Enumerate those values so that later code setting them can
+be more readable.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Daniel Scally <dan.scally@ideasonboard.com>
+Link: https://lore.kernel.org/r/20230202114142.300858-2-dan.scally@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/usb/video.h | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/include/uapi/linux/usb/video.h b/include/uapi/linux/usb/video.h
+index bfdae12cdacf8..c58854fb7d94a 100644
+--- a/include/uapi/linux/usb/video.h
++++ b/include/uapi/linux/usb/video.h
+@@ -179,6 +179,36 @@
+ #define UVC_CONTROL_CAP_AUTOUPDATE (1 << 3)
+ #define UVC_CONTROL_CAP_ASYNCHRONOUS (1 << 4)
+
++/* 3.9.2.6 Color Matching Descriptor Values */
++enum uvc_color_primaries_values {
++ UVC_COLOR_PRIMARIES_UNSPECIFIED,
++ UVC_COLOR_PRIMARIES_BT_709_SRGB,
++ UVC_COLOR_PRIMARIES_BT_470_2_M,
++ UVC_COLOR_PRIMARIES_BT_470_2_B_G,
++ UVC_COLOR_PRIMARIES_SMPTE_170M,
++ UVC_COLOR_PRIMARIES_SMPTE_240M,
++};
++
++enum uvc_transfer_characteristics_values {
++ UVC_TRANSFER_CHARACTERISTICS_UNSPECIFIED,
++ UVC_TRANSFER_CHARACTERISTICS_BT_709,
++ UVC_TRANSFER_CHARACTERISTICS_BT_470_2_M,
++ UVC_TRANSFER_CHARACTERISTICS_BT_470_2_B_G,
++ UVC_TRANSFER_CHARACTERISTICS_SMPTE_170M,
++ UVC_TRANSFER_CHARACTERISTICS_SMPTE_240M,
++ UVC_TRANSFER_CHARACTERISTICS_LINEAR,
++ UVC_TRANSFER_CHARACTERISTICS_SRGB,
++};
++
++enum uvc_matrix_coefficients {
++ UVC_MATRIX_COEFFICIENTS_UNSPECIFIED,
++ UVC_MATRIX_COEFFICIENTS_BT_709,
++ UVC_MATRIX_COEFFICIENTS_FCC,
++ UVC_MATRIX_COEFFICIENTS_BT_470_2_B_G,
++ UVC_MATRIX_COEFFICIENTS_SMPTE_170M,
++ UVC_MATRIX_COEFFICIENTS_SMPTE_240M,
++};
++
+ /* ------------------------------------------------------------------------
+ * UVC structures
+ */
+--
+2.39.2
+
--- /dev/null
+From d304bbf7ee544d7ed312ac48e7497a95b02e492f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 15:21:41 -0500
+Subject: vc_screen: modify vcs_size() handling in vcs_read()
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+[ Upstream commit 46d733d0efc79bc8430d63b57ab88011806d5180 ]
+
+Restore the vcs_size() handling in vcs_read() to what
+it had been in previous version.
+
+Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
+Suggested-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vc_screen.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
+index 71e091f879f0e..1dc07f9214d57 100644
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -415,10 +415,8 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
+ */
+ size = vcs_size(vc, attr, uni_mode);
+ if (size < 0) {
+- if (read)
+- break;
+ ret = size;
+- goto unlock_out;
++ break;
+ }
+ if (pos >= size)
+ break;
+--
+2.39.2
+
--- /dev/null
+From 591c3edb39350f884c80da6ff5f0b68c5bb1be05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 17:49:50 +0800
+Subject: watchdog: at91sam9_wdt: use devm_request_irq to avoid missing
+ free_irq() in error path
+
+From: ruanjinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit 07bec0e09c1afbab4c5674fd2341f4f52d594f30 ]
+
+free_irq() is missing in case of error in at91_wdt_init(), use
+devm_request_irq to fix that.
+
+Fixes: 5161b31dc39a ("watchdog: at91sam9_wdt: better watchdog support")
+Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221116094950.3141943-1-ruanjinjie@huawei.com
+[groeck: Adjust multi-line alignment]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/at91sam9_wdt.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/watchdog/at91sam9_wdt.c b/drivers/watchdog/at91sam9_wdt.c
+index 292b5a1ca8318..fed7be2464420 100644
+--- a/drivers/watchdog/at91sam9_wdt.c
++++ b/drivers/watchdog/at91sam9_wdt.c
+@@ -206,10 +206,9 @@ static int at91_wdt_init(struct platform_device *pdev, struct at91wdt *wdt)
+ "min heartbeat and max heartbeat might be too close for the system to handle it correctly\n");
+
+ if ((tmp & AT91_WDT_WDFIEN) && wdt->irq) {
+- err = request_irq(wdt->irq, wdt_interrupt,
+- IRQF_SHARED | IRQF_IRQPOLL |
+- IRQF_NO_SUSPEND,
+- pdev->name, wdt);
++ err = devm_request_irq(dev, wdt->irq, wdt_interrupt,
++ IRQF_SHARED | IRQF_IRQPOLL | IRQF_NO_SUSPEND,
++ pdev->name, wdt);
+ if (err)
+ return err;
+ }
+--
+2.39.2
+
--- /dev/null
+From 128d22519f47b0425be2b591357e78fc262206d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 01:27:14 +0000
+Subject: watchdog: Fix kmemleak in watchdog_cdev_register
+
+From: Chen Jun <chenjun102@huawei.com>
+
+[ Upstream commit 13721a2ac66b246f5802ba1b75ad8637e53eeecc ]
+
+kmemleak reports memory leaks in watchdog_dev_register, as follows:
+unreferenced object 0xffff888116233000 (size 2048):
+ comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s)
+ hex dump (first 32 bytes):
+ 80 fa b9 05 81 88 ff ff 08 30 23 16 81 88 ff ff .........0#.....
+ 08 30 23 16 81 88 ff ff 00 00 00 00 00 00 00 00 .0#.............
+ backtrace:
+ [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220
+ [<000000006a389304>] kmalloc_trace+0x21/0x110
+ [<000000008d640eea>] watchdog_dev_register+0x4e/0x780 [watchdog]
+ [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]
+ [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]
+ [<000000001f730178>] 0xffffffffc10880ae
+ [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0
+ [<00000000b98be325>] do_init_module+0x1ca/0x5f0
+ [<0000000046d08e7c>] load_module+0x6133/0x70f0
+ ...
+
+unreferenced object 0xffff888105b9fa80 (size 16):
+ comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s)
+ hex dump (first 16 bytes):
+ 77 61 74 63 68 64 6f 67 31 00 b9 05 81 88 ff ff watchdog1.......
+ backtrace:
+ [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220
+ [<00000000486ab89b>] __kmalloc_node_track_caller+0x44/0x1b0
+ [<000000005a39aab0>] kvasprintf+0xb5/0x140
+ [<0000000024806f85>] kvasprintf_const+0x55/0x180
+ [<000000009276cb7f>] kobject_set_name_vargs+0x56/0x150
+ [<00000000a92e820b>] dev_set_name+0xab/0xe0
+ [<00000000cec812c6>] watchdog_dev_register+0x285/0x780 [watchdog]
+ [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]
+ [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]
+ [<000000001f730178>] 0xffffffffc10880ae
+ [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0
+ [<00000000b98be325>] do_init_module+0x1ca/0x5f0
+ [<0000000046d08e7c>] load_module+0x6133/0x70f0
+ ...
+
+The reason is that put_device is not be called if cdev_device_add fails
+and wdd->id != 0.
+
+watchdog_cdev_register
+ wd_data = kzalloc [1]
+ err = dev_set_name [2]
+ ..
+ err = cdev_device_add
+ if (err) {
+ if (wdd->id == 0) { // wdd->id != 0
+ ..
+ }
+ return err; // [1],[2] would be leaked
+
+To fix it, call put_device in all wdd->id cases.
+
+Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221116012714.102066-1-chenjun102@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/watchdog_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
+index 2ee017442dfcd..f37255cd75fdf 100644
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -1037,8 +1037,8 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
+ if (wdd->id == 0) {
+ misc_deregister(&watchdog_miscdev);
+ old_wd_data = NULL;
+- put_device(&wd_data->dev);
+ }
++ put_device(&wd_data->dev);
+ return err;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 2ac80a725aa529de69a0e39fe958dc9b1b78dd14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 10:07:06 +0800
+Subject: watchdog: pcwd_usb: Fix attempting to access uninitialized memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li Hua <hucool.lihua@huawei.com>
+
+[ Upstream commit 7d06c07c67100fd0f8e6b3ab7145ce789f788117 ]
+
+The stack variable msb and lsb may be used uninitialized in function
+usb_pcwd_get_temperature and usb_pcwd_get_timeleft when usb card no response.
+
+The build waring is:
+drivers/watchdog/pcwd_usb.c:336:22: error: ‘lsb’ is used uninitialized in this function [-Werror=uninitialized]
+ *temperature = (lsb * 9 / 5) + 32;
+ ~~~~^~~
+drivers/watchdog/pcwd_usb.c:328:21: note: ‘lsb’ was declared here
+ unsigned char msb, lsb;
+ ^~~
+cc1: all warnings being treated as errors
+scripts/Makefile.build:250: recipe for target 'drivers/watchdog/pcwd_usb.o' failed
+make[3]: *** [drivers/watchdog/pcwd_usb.o] Error 1
+
+Fixes: b7e04f8c61a4 ("mv watchdog tree under drivers")
+Signed-off-by: Li Hua <hucool.lihua@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221116020706.70847-1-hucool.lihua@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/pcwd_usb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c
+index 1bdaf17c1d38d..8202f0a6b0935 100644
+--- a/drivers/watchdog/pcwd_usb.c
++++ b/drivers/watchdog/pcwd_usb.c
+@@ -325,7 +325,8 @@ static int usb_pcwd_set_heartbeat(struct usb_pcwd_private *usb_pcwd, int t)
+ static int usb_pcwd_get_temperature(struct usb_pcwd_private *usb_pcwd,
+ int *temperature)
+ {
+- unsigned char msb, lsb;
++ unsigned char msb = 0x00;
++ unsigned char lsb = 0x00;
+
+ usb_pcwd_send_command(usb_pcwd, CMD_READ_TEMP, &msb, &lsb);
+
+@@ -341,7 +342,8 @@ static int usb_pcwd_get_temperature(struct usb_pcwd_private *usb_pcwd,
+ static int usb_pcwd_get_timeleft(struct usb_pcwd_private *usb_pcwd,
+ int *time_left)
+ {
+- unsigned char msb, lsb;
++ unsigned char msb = 0x00;
++ unsigned char lsb = 0x00;
+
+ /* Read the time that's left before rebooting */
+ /* Note: if the board is not yet armed then we will read 0xFFFF */
+--
+2.39.2
+
--- /dev/null
+From 5fc1e784bdc938e5be432823a0cfc1332717ada2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Dec 2022 00:23:38 +0700
+Subject: x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
+
+From: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+
+[ Upstream commit 5541992e512de8c9133110809f767bd1b54ee10d ]
+
+The 'syscall' instruction clobbers '%rcx' and '%r11', but they are not
+listed in the inline Assembly that performs the syscall instruction.
+
+No real bug is found. It wasn't buggy by luck because '%rcx' and '%r11'
+are caller-saved registers, and not used in the functions, and the
+functions are never inlined.
+
+Add them to the clobber list for code correctness.
+
+Fixes: f1c2bb8b9964ed31de988910f8b1cfb586d30091 ("um: implement a x86_64 vDSO")
+Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/um/vdso/um_vdso.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/um/vdso/um_vdso.c b/arch/x86/um/vdso/um_vdso.c
+index 2112b8d146688..ff0f3b4b6c45e 100644
+--- a/arch/x86/um/vdso/um_vdso.c
++++ b/arch/x86/um/vdso/um_vdso.c
+@@ -17,8 +17,10 @@ int __vdso_clock_gettime(clockid_t clock, struct __kernel_old_timespec *ts)
+ {
+ long ret;
+
+- asm("syscall" : "=a" (ret) :
+- "0" (__NR_clock_gettime), "D" (clock), "S" (ts) : "memory");
++ asm("syscall"
++ : "=a" (ret)
++ : "0" (__NR_clock_gettime), "D" (clock), "S" (ts)
++ : "rcx", "r11", "memory");
+
+ return ret;
+ }
+@@ -29,8 +31,10 @@ int __vdso_gettimeofday(struct __kernel_old_timeval *tv, struct timezone *tz)
+ {
+ long ret;
+
+- asm("syscall" : "=a" (ret) :
+- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
++ asm("syscall"
++ : "=a" (ret)
++ : "0" (__NR_gettimeofday), "D" (tv), "S" (tz)
++ : "rcx", "r11", "memory");
+
+ return ret;
+ }
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
