Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Sun, 5 Mar 2023 01:57:04 +0000 (20:57 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 5 Mar 2023 01:57:04 +0000 (20:57 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
86 files changed:
queue-4.14/acpi-battery-fix-missing-nul-termination-with-large-.patch [new file with mode: 0644]
queue-4.14/acpi-don-t-build-acpica-with-os.patch [new file with mode: 0644]
queue-4.14/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch [new file with mode: 0644]
queue-4.14/acpica-nsrepair-handle-cases-without-a-return-value-.patch [new file with mode: 0644]
queue-4.14/alsa-hda-ca0132-minor-fix-for-allocation-size.patch [new file with mode: 0644]
queue-4.14/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch [new file with mode: 0644]
queue-4.14/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch [new file with mode: 0644]
queue-4.14/arm-omap1-call-platform_device_put-in-error-case-in-.patch [new file with mode: 0644]
queue-4.14/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch [new file with mode: 0644]
queue-4.14/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch [new file with mode: 0644]
queue-4.14/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch [new file with mode: 0644]
queue-4.14/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch [new file with mode: 0644]
queue-4.14/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch [new file with mode: 0644]
queue-4.14/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch [new file with mode: 0644]
queue-4.14/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch [new file with mode: 0644]
queue-4.14/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch [new file with mode: 0644]
queue-4.14/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch [new file with mode: 0644]
queue-4.14/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch [new file with mode: 0644]
queue-4.14/bluetooth-l2cap-fix-potential-user-after-free.patch [new file with mode: 0644]
queue-4.14/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch [new file with mode: 0644]
queue-4.14/cpufreq-davinci-fix-clk-use-after-free.patch [new file with mode: 0644]
queue-4.14/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch [new file with mode: 0644]
queue-4.14/crypto-seqiv-handle-ebusy-correctly.patch [new file with mode: 0644]
queue-4.14/dm-cache-add-cond_resched-to-various-workqueue-loops.patch [new file with mode: 0644]
queue-4.14/dm-remove-flush_scheduled_work-during-local_exit.patch [new file with mode: 0644]
queue-4.14/dm-thin-add-cond_resched-to-various-workqueue-loops.patch [new file with mode: 0644]
queue-4.14/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch [new file with mode: 0644]
queue-4.14/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch [new file with mode: 0644]
queue-4.14/drm-mediatek-drop-unbalanced-obj-unref.patch [new file with mode: 0644]
queue-4.14/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch [new file with mode: 0644]
queue-4.14/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch [new file with mode: 0644]
queue-4.14/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch [new file with mode: 0644]
queue-4.14/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch [new file with mode: 0644]
queue-4.14/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch [new file with mode: 0644]
queue-4.14/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch [new file with mode: 0644]
queue-4.14/gpio-vf610-connect-gpio-label-to-dev-name.patch [new file with mode: 0644]
queue-4.14/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch [new file with mode: 0644]
queue-4.14/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch [new file with mode: 0644]
queue-4.14/inet-fix-fast-path-in-__inet_hash_connect.patch [new file with mode: 0644]
queue-4.14/input-ads7846-don-t-check-penirq-immediately-for-784.patch [new file with mode: 0644]
queue-4.14/input-ads7846-don-t-report-pressure-for-ads7845.patch [new file with mode: 0644]
queue-4.14/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch [new file with mode: 0644]
queue-4.14/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch [new file with mode: 0644]
queue-4.14/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch [new file with mode: 0644]
queue-4.14/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch [new file with mode: 0644]
queue-4.14/m68k-check-syscall_trace_enter-return-code.patch [new file with mode: 0644]
queue-4.14/m68k-proc-hardware-should-depend-on-proc_fs.patch [new file with mode: 0644]
queue-4.14/media-platform-ti-add-missing-check-for-devm_regulat.patch [new file with mode: 0644]
queue-4.14/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch [new file with mode: 0644]
queue-4.14/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch [new file with mode: 0644]
queue-4.14/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch [new file with mode: 0644]
queue-4.14/mips-vpe-mt-drop-physical_memsize.patch [new file with mode: 0644]
queue-4.14/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch [new file with mode: 0644]
queue-4.14/net-bcmgenet-add-a-check-for-oversized-packets.patch [new file with mode: 0644]
queue-4.14/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch [new file with mode: 0644]
queue-4.14/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch [new file with mode: 0644]
queue-4.14/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch [new file with mode: 0644]
queue-4.14/powerpc-powernv-ioda-skip-unallocated-resources-when.patch [new file with mode: 0644]
queue-4.14/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch [new file with mode: 0644]
queue-4.14/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch [new file with mode: 0644]
queue-4.14/regulator-max77802-bounds-check-regulator-id-against.patch [new file with mode: 0644]
queue-4.14/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch [new file with mode: 0644]
queue-4.14/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch [new file with mode: 0644]
queue-4.14/s390-bpf-add-expoline-to-tail-calls.patch [new file with mode: 0644]
queue-4.14/sched-fair-sanitize-vruntime-of-entity-being-placed.patch [new file with mode: 0644]
queue-4.14/scsi-aic94xx-add-missing-check-for-dma_map_single.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch [new file with mode: 0644]
queue-4.14/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch [new file with mode: 0644]
queue-4.14/thermal-intel-fix-unsigned-comparison-with-less-than.patch [new file with mode: 0644]
queue-4.14/timers-prevent-union-confusion-from-unexpected-resta.patch [new file with mode: 0644]
queue-4.14/udf-define-efscorrupted-error-code.patch [new file with mode: 0644]
queue-4.14/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch [new file with mode: 0644]
queue-4.14/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch [new file with mode: 0644]
queue-4.14/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch [new file with mode: 0644]
queue-4.14/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch [new file with mode: 0644]
queue-4.14/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch [new file with mode: 0644]
queue-4.14/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch [new file with mode: 0644]
queue-4.14/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch [new file with mode: 0644]
queue-4.14/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch [new file with mode: 0644]
queue-4.14/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch [new file with mode: 0644]
queue-4.14/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch [new file with mode: 0644]
queue-4.14/wifi-orinoco-check-return-value-of-hermes_write_word.patch [new file with mode: 0644]
queue-4.14/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch [new file with mode: 0644]
queue-4.14/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch [new file with mode: 0644]
queue-4.14/x86-bugs-reset-speculation-control-settings-on-init.patch [new file with mode: 0644]

diff --git a/queue-4.14/acpi-battery-fix-missing-nul-termination-with-large-.patch b/queue-4.14/acpi-battery-fix-missing-nul-termination-with-large-.patch
new file mode 100644 (file)
index 0000000..833004f
--- /dev/null
@@ -0,0 +1,44 @@
+From d9149cf7a64451c3e4deb63497b6c46aa6b2f02b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jan 2023 09:50:50 +0100
+Subject: ACPI: battery: Fix missing NUL-termination with large strings
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit f2ac14b5f197e4a2dec51e5ceaa56682ff1592bc ]
+
+When encountering a string bigger than the destination buffer (32 bytes),
+the string is not properly NUL-terminated, causing buffer overreads later.
+
+This for example happens on the Inspiron 3505, where the battery
+model name is larger than 32 bytes, which leads to sysfs showing
+the model name together with the serial number string (which is
+NUL-terminated and thus prevents worse).
+
+Fix this by using strscpy() which ensures that the result is
+always NUL-terminated.
+
+Fixes: 106449e870b3 ("ACPI: Battery: Allow extract string from integer")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index 42fba8493854f..96aeb0c8cc0e9 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -415,7 +415,7 @@ static int extract_package(struct acpi_battery *battery,
+                       u8 *ptr = (u8 *)battery + offsets[i].offset;
+                       if (element->type == ACPI_TYPE_STRING ||
+                           element->type == ACPI_TYPE_BUFFER)
+-                              strncpy(ptr, element->string.pointer, 32);
++                              strscpy(ptr, element->string.pointer, 32);
+                       else if (element->type == ACPI_TYPE_INTEGER) {
+                               strncpy(ptr, (u8 *)&element->integer.value,
+                                       sizeof(u64));
+-- 
+2.39.2
+
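Review bot: In the ACPI_TYPE_BUFFER case, the new `strscpy(ptr, element->string.pointer, 32)` bounds only the destination. strscpy() keeps reading the source until it meets a NUL or has consumed 32 bytes, so a firmware-supplied buffer shorter than 32 bytes with no terminator would, as far as this hunk shows, still be read past its end. Bounding the copy by the object's own length would close that, for example `size_t n = min_t(size_t, element->buffer.length, 31); memcpy(ptr, element->buffer.pointer, n); ptr[n] = '\0';` for buffers. The literal 32 is also not derived from the destination field, and the strscpy() return value (-E2BIG on truncation) is discarded, so an over-long model name is cut silently. extract_package() begins and ends outside the hunk, so the destination field sizes and the rest of the integer branch cannot be checked from here.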
diff --git a/queue-4.14/acpi-don-t-build-acpica-with-os.patch b/queue-4.14/acpi-don-t-build-acpica-with-os.patch
new file mode 100644 (file)
index 0000000..5ccf633
--- /dev/null
@@ -0,0 +1,111 @@
+From abde976836aed9e765b67d7a11033393f4e09efc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 13:45:58 +0000
+Subject: ACPI: Don't build ACPICA with '-Os'
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 8f9e0a52810dd83406c768972d022c37e7a18f1f ]
+
+The ACPICA code has been built with '-Os' since the beginning of git
+history, though there's no explanatory comment as to why.
+
+This is unfortunate as GCC drops the alignment specificed by
+'-falign-functions=N' when '-Os' is used, as reported in GCC bug 88345:
+
+  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88345
+
+This prevents CONFIG_FUNCTION_ALIGNMENT and
+CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B from having their expected effect
+on the ACPICA code. This is doubly unfortunate as in subsequent patches
+arm64 will depend upon CONFIG_FUNCTION_ALIGNMENT for its ftrace
+implementation.
+
+Drop the '-Os' flag when building the ACPICA code. With this removed,
+the code builds cleanly and works correctly in testing so far.
+
+I've tested this by selecting CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y,
+building and booting a kernel using ACPI, and looking for misaligned
+text symbols:
+
+* arm64:
+
+  Before, v6.2-rc3:
+    # uname -rm
+    6.2.0-rc3 aarch64
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
+    5009
+
+  Before, v6.2-rc3 + fixed __cold:
+    # uname -rm
+    6.2.0-rc3-00001-g2a2bedf8bfa9 aarch64
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
+    919
+
+  After:
+    # uname -rm
+    6.2.0-rc3-00002-g267bddc38572 aarch64
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
+    323
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l
+    0
+
+* x86_64:
+
+  Before, v6.2-rc3:
+    # uname -rm
+    6.2.0-rc3 x86_64
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
+    11537
+
+  Before, v6.2-rc3 + fixed __cold:
+    # uname -rm
+    6.2.0-rc3-00001-g2a2bedf8bfa9 x86_64
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
+    2805
+
+  After:
+    # uname -rm
+    6.2.0-rc3-00002-g267bddc38572 x86_64
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
+    1357
+    # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l
+    0
+
+With the patch applied, the remaining unaligned text labels are a
+combination of static call trampolines and labels in assembly, which can
+be dealt with in subsequent patches.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Florent Revest <revest@chromium.org>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Robert Moore <robert.moore@intel.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Will Deacon <will@kernel.org>
+Cc: linux-acpi@vger.kernel.org
+Link: https://lore.kernel.org/r/20230123134603.1064407-4-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile
+index e05232da05888..1e8e4e7a29cb3 100644
+--- a/drivers/acpi/acpica/Makefile
++++ b/drivers/acpi/acpica/Makefile
+@@ -3,7 +3,7 @@
+ # Makefile for ACPICA Core interpreter
+ #
+-ccflags-y                     := -Os -D_LINUX -DBUILDING_ACPICA
++ccflags-y                     := -D_LINUX -DBUILDING_ACPICA
+ ccflags-$(CONFIG_ACPI_DEBUG)  += -DACPI_DEBUG_OUTPUT
+ # use acpi.o to put all files here into acpi.o modparam namespace
+-- 
+2.39.2
+
diff --git a/queue-4.14/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch b/queue-4.14/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch
new file mode 100644 (file)
index 0000000..7427a6b
--- /dev/null
@@ -0,0 +1,42 @@
+From 5da4f8042b69566bef084a2c783a91fef5cc8f73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 13:44:49 +0100
+Subject: ACPI: video: Fix Lenovo Ideapad Z570 DMI match
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 2d11eae42d52a131f06061015e49dc0f085c5bfc ]
+
+Multiple Ideapad Z570 variants need acpi_backlight=native to force native
+use on these pre Windows 8 machines since acpi_video backlight control
+does not work here.
+
+The original DMI quirk matches on a product_name of "102434U" but other
+variants may have different product_name-s such as e.g. "1024D9U".
+
+Move to checking product_version instead as is more or less standard for
+Lenovo DMI quirks for similar reasons.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 0ec74ab2a3995..b4f16073ef432 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -300,7 +300,7 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+        .ident = "Lenovo Ideapad Z570",
+        .matches = {
+               DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-              DMI_MATCH(DMI_PRODUCT_NAME, "102434U"),
++              DMI_MATCH(DMI_PRODUCT_VERSION, "Ideapad Z570"),
+               },
+       },
+       {
+-- 
+2.39.2
+
diff --git a/queue-4.14/acpica-nsrepair-handle-cases-without-a-return-value-.patch b/queue-4.14/acpica-nsrepair-handle-cases-without-a-return-value-.patch
new file mode 100644 (file)
index 0000000..9c273dd
--- /dev/null
@@ -0,0 +1,65 @@
+From 6dca4b2326799d22b158f948ab38a39c07a37ca5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jan 2023 02:53:08 +0300
+Subject: ACPICA: nsrepair: handle cases without a return value correctly
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit ca843a4c79486e99a19b859ef0b9887854afe146 ]
+
+Previously acpi_ns_simple_repair() would crash if expected_btypes
+contained any combination of ACPI_RTYPE_NONE with a different type,
+e.g | ACPI_RTYPE_INTEGER because of slightly incorrect logic in the
+!return_object branch, which wouldn't return AE_AML_NO_RETURN_VALUE
+for such cases.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Link: https://github.com/acpica/acpica/pull/811
+Fixes: 61db45ca2163 ("ACPICA: Restore code that repairs NULL package elements in return values.")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/nsrepair.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/acpica/nsrepair.c b/drivers/acpi/acpica/nsrepair.c
+index 418ef2ac82abe..9f95369772ddc 100644
+--- a/drivers/acpi/acpica/nsrepair.c
++++ b/drivers/acpi/acpica/nsrepair.c
+@@ -215,8 +215,9 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info,
+        * Try to fix if there was no return object. Warning if failed to fix.
+        */
+       if (!return_object) {
+-              if (expected_btypes && (!(expected_btypes & ACPI_RTYPE_NONE))) {
+-                      if (package_index != ACPI_NOT_PACKAGE_ELEMENT) {
++              if (expected_btypes) {
++                      if (!(expected_btypes & ACPI_RTYPE_NONE) &&
++                          package_index != ACPI_NOT_PACKAGE_ELEMENT) {
+                               ACPI_WARN_PREDEFINED((AE_INFO,
+                                                     info->full_pathname,
+                                                     ACPI_WARN_ALWAYS,
+@@ -230,14 +231,15 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info,
+                               if (ACPI_SUCCESS(status)) {
+                                       return (AE_OK); /* Repair was successful */
+                               }
+-                      } else {
++                      }
++
++                      if (expected_btypes != ACPI_RTYPE_NONE) {
+                               ACPI_WARN_PREDEFINED((AE_INFO,
+                                                     info->full_pathname,
+                                                     ACPI_WARN_ALWAYS,
+                                                     "Missing expected return value"));
++                              return (AE_AML_NO_RETURN_VALUE);
+                       }
+-
+-                      return (AE_AML_NO_RETURN_VALUE);
+               }
+       }
+-- 
+2.39.2
+
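Review bot: When the package-element repair fails, control now leaves the first inner `if` and enters the `expected_btypes != ACPI_RTYPE_NONE` block, so one missing element produces two ACPI_WARN_PREDEFINED messages before AE_AML_NO_RETURN_VALUE is returned; the old code warned once on that path. The two tests also differ subtly (`!(expected_btypes & ACPI_RTYPE_NONE)` versus `expected_btypes != ACPI_RTYPE_NONE`) and deserve a comment above the second one, such as `/* NONE alone: no object is acceptable; NONE combined with other types still needs a value */`. With `expected_btypes == ACPI_RTYPE_NONE` the function now continues with `return_object` still NULL. Whether that is safe depends on the code after the hunk never dereferencing it on that path, which should be confirmed because acpi_ns_simple_repair() continues outside the hunk.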
diff --git a/queue-4.14/alsa-hda-ca0132-minor-fix-for-allocation-size.patch b/queue-4.14/alsa-hda-ca0132-minor-fix-for-allocation-size.patch
new file mode 100644 (file)
index 0000000..316c34e
--- /dev/null
@@ -0,0 +1,40 @@
+From a276cd37dd079c4dcc53db0242ddbf091972ff20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 14:15:23 +0300
+Subject: ALSA: hda/ca0132: minor fix for allocation size
+
+From: Alexey V. Vissarionov <gremlin@altlinux.org>
+
+[ Upstream commit 3ee0fe7fa39b14d1cea455b7041f2df933bd97d2 ]
+
+Although the "dma_chan" pointer occupies more or equal space compared
+to "*dma_chan", the allocation size should use the size of variable
+itself.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 01ef7dbffb41 ("ALSA: hda - Update CA0132 codec to load DSP firmware binary")
+Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
+Link: https://lore.kernel.org/r/20230117111522.GA15213@altlinux.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index 369f812d70722..280643f72c6e2 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1523,7 +1523,7 @@ static int dspio_set_uint_param(struct hda_codec *codec, int mod_id,
+ static int dspio_alloc_dma_chan(struct hda_codec *codec, unsigned int *dma_chan)
+ {
+       int status = 0;
+-      unsigned int size = sizeof(dma_chan);
++      unsigned int size = sizeof(*dma_chan);
+       codec_dbg(codec, "     dspio_alloc_dma_chan() -- begin\n");
+       status = dspio_scp(codec, MASTERCONTROL, MASTERCONTROL_ALLOC_DMA_CHAN,
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch b/queue-4.14/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch
new file mode 100644 (file)
index 0000000..7f34e9d
--- /dev/null
@@ -0,0 +1,37 @@
+From 58b8bb1c64ff7ae1acd2262e24be7f3e8d642a8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 16:53:54 +0100
+Subject: ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit d15d2a617499882971ddb773a583015bf36fa492 ]
+
+The property is wr-active:
+
+  exynos3250-rinato.dtb: fimd@11c00000: i80-if-timings: 'wr-act' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Fixes: b59b3afb94d4 ("ARM: dts: add fimd device support for exynos3250-rinato")
+Link: https://lore.kernel.org/r/20230120155404.323386-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos3250-rinato.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos3250-rinato.dts b/arch/arm/boot/dts/exynos3250-rinato.dts
+index c0c3b185b731f..2a945d04592b1 100644
+--- a/arch/arm/boot/dts/exynos3250-rinato.dts
++++ b/arch/arm/boot/dts/exynos3250-rinato.dts
+@@ -258,7 +258,7 @@ &fimd {
+       i80-if-timings {
+               cs-setup = <0>;
+               wr-setup = <0>;
+-              wr-act = <1>;
++              wr-active = <1>;
+               wr-hold = <0>;
+       };
+ };
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch b/queue-4.14/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch
new file mode 100644 (file)
index 0000000..93c222b
--- /dev/null
@@ -0,0 +1,37 @@
+From e80bf18b58a03a7f800614159a826322e515bf3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jan 2023 22:18:42 +0200
+Subject: ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
+
+From: Markuss Broks <markuss.broks@gmail.com>
+
+[ Upstream commit 5d5aa219a790d61cad2c38e1aa32058f16ad2f0b ]
+
+For some reason, the driver adding support for Exynos5420 MIPI phy
+back in 2016 wasn't used on Exynos5420, which caused a kernel panic.
+Add the proper compatible for it.
+
+Signed-off-by: Markuss Broks <markuss.broks@gmail.com>
+Link: https://lore.kernel.org/r/20230121201844.46872-2-markuss.broks@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5420.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi
+index 02d2f898efa6c..d07e2a94a9dd6 100644
+--- a/arch/arm/boot/dts/exynos5420.dtsi
++++ b/arch/arm/boot/dts/exynos5420.dtsi
+@@ -536,7 +536,7 @@ dp_phy: dp-video-phy {
+               };
+               mipi_phy: mipi-video-phy {
+-                      compatible = "samsung,s5pv210-mipi-video-phy";
++                      compatible = "samsung,exynos5420-mipi-video-phy";
+                       syscon = <&pmu_system_controller>;
+                       #phy-cells = <1>;
+               };
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm-omap1-call-platform_device_put-in-error-case-in-.patch b/queue-4.14/arm-omap1-call-platform_device_put-in-error-case-in-.patch
new file mode 100644 (file)
index 0000000..479e72a
--- /dev/null
@@ -0,0 +1,39 @@
+From 494132eda885c07ecc8dfa7c4169d6811554de42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 11:57:54 +0200
+Subject: ARM: OMAP1: call platform_device_put() in error case in
+ omap1_dm_timer_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0414a100d6ab32721efa70ab55524540fdfe0ede ]
+
+If platform_device_add() is not called or failed, it should call
+platform_device_put() in error case.
+
+Fixes: 97933d6ced60 ("ARM: OMAP1: dmtimer: conversion to platform devices")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Message-Id: <20220701094602.2365099-1-yangyingliang@huawei.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap1/timer.c b/arch/arm/mach-omap1/timer.c
+index 8fb1ec6fa9992..7654253bc63c3 100644
+--- a/arch/arm/mach-omap1/timer.c
++++ b/arch/arm/mach-omap1/timer.c
+@@ -165,7 +165,7 @@ static int __init omap1_dm_timer_init(void)
+       kfree(pdata);
+ err_free_pdev:
+-      platform_device_unregister(pdev);
++      platform_device_put(pdev);
+       return ret;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch b/queue-4.14/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch
new file mode 100644 (file)
index 0000000..74a194d
--- /dev/null
@@ -0,0 +1,36 @@
+From d076c26e1886980963736733b702ef6aaba9f1d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 22:19:17 +0800
+Subject: ARM: OMAP2+: Fix memory leak in realtime_counter_init()
+
+From: Chen Hui <judy.chenhui@huawei.com>
+
+[ Upstream commit ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac ]
+
+The "sys_clk" resource is malloced by clk_get(),
+it is not released when the function return.
+
+Fixes: fa6d79d27614 ("ARM: OMAP: Add initialisation for the real-time counter.")
+Signed-off-by: Chen Hui <judy.chenhui@huawei.com>
+Message-Id: <20221108141917.46796-1-judy.chenhui@huawei.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c
+index d61fbd7a2840a..c421d12b32038 100644
+--- a/arch/arm/mach-omap2/timer.c
++++ b/arch/arm/mach-omap2/timer.c
+@@ -562,6 +562,7 @@ static void __init realtime_counter_init(void)
+       }
+       rate = clk_get_rate(sys_clk);
++      clk_put(sys_clk);
+       if (soc_is_dra7xx()) {
+               /*
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch b/queue-4.14/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch
new file mode 100644 (file)
index 0000000..5c6b4c1
--- /dev/null
@@ -0,0 +1,37 @@
+From 60f5bd573bad07061c3741b91308318a44a85fdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 22:05:44 +0800
+Subject: ARM: zynq: Fix refcount leak in zynq_early_slcr_init
+
+From: Qiheng Lin <linqiheng@huawei.com>
+
+[ Upstream commit 9eedb910a3be0005b88c696a8552c0d4c9937cd4 ]
+
+of_find_compatible_node() returns a node pointer with refcount incremented,
+we should use of_node_put() on error path.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 3329659df030 ("ARM: zynq: Simplify SLCR initialization")
+Signed-off-by: Qiheng Lin <linqiheng@huawei.com>
+Link: https://lore.kernel.org/r/20221129140544.41293-1-linqiheng@huawei.com
+Signed-off-by: Michal Simek <michal.simek@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-zynq/slcr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-zynq/slcr.c b/arch/arm/mach-zynq/slcr.c
+index f0292a30e6f69..6b75ef7be3fda 100644
+--- a/arch/arm/mach-zynq/slcr.c
++++ b/arch/arm/mach-zynq/slcr.c
+@@ -222,6 +222,7 @@ int __init zynq_early_slcr_init(void)
+       zynq_slcr_regmap = syscon_regmap_lookup_by_compatible("xlnx,zynq-slcr");
+       if (IS_ERR(zynq_slcr_regmap)) {
+               pr_err("%s: failed to find zynq-slcr\n", __func__);
++              of_node_put(np);
+               return -ENODEV;
+       }
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch b/queue-4.14/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch
new file mode 100644 (file)
index 0000000..508f744
--- /dev/null
@@ -0,0 +1,36 @@
+From fbc2292c21996e9732509e59b861fe395f306937 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jan 2023 11:34:27 +0100
+Subject: arm64: dts: amlogic: meson-gx: add missing unit address to rng node
+ name
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit 61ff70708b98a85516eccb3755084ac97b42cf48 ]
+
+Fixes:
+bus@c8834000: rng: {...} should not be valid under {'type': 'object'}
+
+Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-6-44351528957e@linaro.org
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+index a677873a32abe..735dd7f07aaad 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+@@ -435,7 +435,7 @@ periphs: periphs@c8834000 {
+                       #size-cells = <2>;
+                       ranges = <0x0 0x0 0x0 0xc8834000 0x0 0x2000>;
+-                      hwrng: rng {
++                      hwrng: rng@0 {
+                               compatible = "amlogic,meson-rng";
+                               reg = <0x0 0x0 0x0 0x4>;
+                       };
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch b/queue-4.14/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch
new file mode 100644 (file)
index 0000000..875684c
--- /dev/null
@@ -0,0 +1,35 @@
+From abfc95fa98c3626c0d8d6954952e42076e51ed89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jan 2023 11:34:22 +0100
+Subject: arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit 127f79212b07c5d9a6657a87e3eafdd889335814 ]
+
+Fixes:
+scpi: clocks: 'clock-controller' does not match any of the regexes: '^clocks-[0-9a-f]+$', 'pinctrl-[0-9]+'
+
+Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-1-44351528957e@linaro.org
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+index f78be385d4dcd..a677873a32abe 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+@@ -191,7 +191,7 @@ scpi {
+               scpi_clocks: clocks {
+                       compatible = "arm,scpi-clocks";
+-                      scpi_dvfs: clock-controller {
++                      scpi_dvfs: clocks-0 {
+                               compatible = "arm,scpi-dvfs-clocks";
+                               #clock-cells = <1>;
+                               clock-indices = <0>;
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch b/queue-4.14/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch
new file mode 100644 (file)
index 0000000..e3185bc
--- /dev/null
@@ -0,0 +1,36 @@
+From 3302af45ac545a7b9019574561baf044f6593e2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jan 2023 11:34:30 +0100
+Subject: arm64: dts: amlogic: meson-gxl: add missing unit address to
+ eth-phy-mux node name
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit d19189f70ba596798ea49166d2d1ef36a8df5289 ]
+
+Fixes:
+bus@c8834000: eth-phy-mux: {...} should not be valid under {'type': 'object'}
+
+Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-9-44351528957e@linaro.org
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
+index 3ee6c4bae08f6..853da285929c3 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
+@@ -609,7 +609,7 @@ mux {
+               };
+       };
+-      eth-phy-mux {
++      eth-phy-mux@55c {
+               compatible = "mdio-mux-mmioreg", "mdio-mux";
+               #address-cells = <1>;
+               #size-cells = <0>;
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch b/queue-4.14/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch
new file mode 100644 (file)
index 0000000..60ec7e9
--- /dev/null
@@ -0,0 +1,39 @@
+From c82f77018d678afca10a6ae918416fd17e9f1d29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:13:48 +0100
+Subject: arm64: dts: meson-gx: Fix Ethernet MAC address unit name
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 8ed5310356bfa47cc6bb4221ae6b21258c52e3d1 ]
+
+Unit names should use hyphens instead of underscores to not cause
+warnings.
+
+Fixes: bfe59f92d306 ("ARM64: dts: amlogic: gxbb: Enable NVMEM")
+Suggested-by: Vyacheslav Bocharov <adeep@lexina.in>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20230111211350.1461860-5-martin.blumenstingl@googlemail.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+index f175db8462861..007aed410704f 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+@@ -174,7 +174,7 @@ sn: sn@14 {
+                       reg = <0x14 0x10>;
+               };
+-              eth_mac: eth_mac@34 {
++              eth_mac: eth-mac@34 {
+                       reg = <0x34 0x10>;
+               };
+-- 
+2.39.2
+
diff --git a/queue-4.14/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch b/queue-4.14/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch
new file mode 100644 (file)
index 0000000..010fdcc
--- /dev/null
@@ -0,0 +1,40 @@
+From f14c5fac7005a55ac19aabcc6595f2d08f28da85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:13:50 +0100
+Subject: arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit f189c869ad92787ddd753558bcbae89d75825bb6 ]
+
+Node names should be generic and use hyphens instead of underscores to
+not cause warnings. Also nodes without a reg property should not have a
+unit-address. Change the scpi_dvfs node to use clock-controller as node
+name without a unit address (since it does not have a reg property).
+
+Fixes: 70db166a2baa ("ARM64: dts: meson-gxbb: Add SCPI with cpufreq & sensors Nodes")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20230111211350.1461860-7-martin.blumenstingl@googlemail.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+index 007aed410704f..f78be385d4dcd 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi
+@@ -191,7 +191,7 @@ scpi {
+               scpi_clocks: clocks {
+                       compatible = "arm,scpi-clocks";
+-                      scpi_dvfs: scpi_clocks@0 {
++                      scpi_dvfs: clock-controller {
+                               compatible = "arm,scpi-dvfs-clocks";
+                               #clock-cells = <1>;
+                               clock-indices = <0>;
+-- 
+2.39.2
+
diff --git a/queue-4.14/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch b/queue-4.14/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch
new file mode 100644 (file)
index 0000000..f69cb09
--- /dev/null
@@ -0,0 +1,50 @@
+From 0acea9e066bdab3c75d060dfcdc883fda72acfdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jan 2023 14:41:29 -0800
+Subject: ASoC: kirkwood: Iterate over array indexes instead of using pointer
+ math
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit b3bcedc0402fcdc5c8624c433562d9d1882749d8 ]
+
+Walking the dram->cs array was seen as accesses beyond the first array
+item by the compiler. Instead, use the array index directly. This allows
+for run-time bounds checking under CONFIG_UBSAN_BOUNDS as well. Seen
+with GCC 13 with -fstrict-flex-arrays:
+
+../sound/soc/kirkwood/kirkwood-dma.c: In function
+'kirkwood_dma_conf_mbus_windows.constprop':
+../sound/soc/kirkwood/kirkwood-dma.c:90:24: warning: array subscript 0 is outside array bounds of 'const struct mbus_dram_window[0]' [-Warray-bounds=]
+   90 |                 if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) {
+      |                      ~~^~~~~~
+
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230127224128.never.410-kees@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/kirkwood/kirkwood-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c
+index 35ca8e8bb5e52..9736fb36082fb 100644
+--- a/sound/soc/kirkwood/kirkwood-dma.c
++++ b/sound/soc/kirkwood/kirkwood-dma.c
+@@ -90,7 +90,7 @@ kirkwood_dma_conf_mbus_windows(void __iomem *base, int win,
+       /* try to find matching cs for current dma address */
+       for (i = 0; i < dram->num_cs; i++) {
+-              const struct mbus_dram_window *cs = dram->cs + i;
++              const struct mbus_dram_window *cs = &dram->cs[i];
+               if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) {
+                       writel(cs->base & 0xffff0000,
+                               base + KIRKWOOD_AUDIO_WIN_BASE_REG(win));
+-- 
+2.39.2
+
diff --git a/queue-4.14/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch b/queue-4.14/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch
new file mode 100644 (file)
index 0000000..607635c
--- /dev/null
@@ -0,0 +1,41 @@
+From 98be4ccb7c9869d4c98a473c2452b4777b9f0d3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 23:17:20 +0000
+Subject: ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit ffe4c0f0bfaa571a676a0e946d4a6a0607f94294 ]
+
+commit d3268a40d4b19f ("ASoC: soc-compress.c: fix NULL dereference")
+enables DPCM capture, but it should independent from playback.
+This patch fixup it.
+
+Fixes: d3268a40d4b1 ("ASoC: soc-compress.c: fix NULL dereference")
+Link: https://lore.kernel.org/r/87tu0i6j7j.wl-kuninori.morimoto.gx@renesas.com
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/871qnkvo1s.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-compress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
+index 2cb8d3b55fbc2..c00f21dbcf11d 100644
+--- a/sound/soc/soc-compress.c
++++ b/sound/soc/soc-compress.c
+@@ -788,7 +788,7 @@ int snd_soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num)
+               rtd->fe_compr = 1;
+               if (rtd->dai_link->dpcm_playback)
+                       be_pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream->private_data = rtd;
+-              else if (rtd->dai_link->dpcm_capture)
++              if (rtd->dai_link->dpcm_capture)
+                       be_pcm->streams[SNDRV_PCM_STREAM_CAPTURE].substream->private_data = rtd;
+               memcpy(compr->ops, &soc_compr_dyn_ops, sizeof(soc_compr_dyn_ops));
+       } else {
+-- 
+2.39.2
+
diff --git a/queue-4.14/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch b/queue-4.14/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch
new file mode 100644 (file)
index 0000000..2c09c28
--- /dev/null
@@ -0,0 +1,44 @@
+From c91baa94f6e7ebdce395c1fa8fe40680f3727fd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 12:18:01 -0500
+Subject: block: bio-integrity: Copy flags when bio_integrity_payload is cloned
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+[ Upstream commit b6a4bdcda430e3ca43bbb9cb1d4d4d34ebe15c40 ]
+
+Make sure to copy the flags when a bio_integrity_payload is cloned.
+Otherwise per-I/O properties such as IP checksum flag will not be
+passed down to the HBA driver. Since the integrity buffer is owned by
+the original bio, the BIP_BLOCK_INTEGRITY flag needs to be masked off
+to avoid a double free in the completion path.
+
+Fixes: aae7df50190a ("block: Integrity checksum flag")
+Fixes: b1f01388574c ("block: Relocate bio integrity flags")
+Reported-by: Saurav Kashyap <skashyap@marvell.com>
+Tested-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Link: https://lore.kernel.org/r/20230215171801.21062-1-martin.petersen@oracle.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bio-integrity.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/bio-integrity.c b/block/bio-integrity.c
+index 4cee9446ce588..d0cdfba3a4c4d 100644
+--- a/block/bio-integrity.c
++++ b/block/bio-integrity.c
+@@ -462,6 +462,7 @@ int bio_integrity_clone(struct bio *bio, struct bio *bio_src,
+       bip->bip_vcnt = bip_src->bip_vcnt;
+       bip->bip_iter = bip_src->bip_iter;
++      bip->bip_flags = bip_src->bip_flags & ~BIP_BLOCK_INTEGRITY;
+       return 0;
+ }
+-- 
+2.39.2
+
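Review bot: The added line in bio_integrity_clone() masks BIP_BLOCK_INTEGRITY without a comment, so the ownership rule that makes the mask necessary lives only in the commit message. I would put it next to the assignment: `/* integrity buffer is owned by bio_src: drop BIP_BLOCK_INTEGRITY so the clone does not free it on completion */`. Without that, a later cleanup that copies bip_flags verbatim would bring back the double free the message describes. The function starts outside the hunk.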
diff --git a/queue-4.14/bluetooth-l2cap-fix-potential-user-after-free.patch b/queue-4.14/bluetooth-l2cap-fix-potential-user-after-free.patch
new file mode 100644 (file)
index 0000000..1f2f0aa
--- /dev/null
@@ -0,0 +1,93 @@
+From e0e48012cd9b21e4f027f709b05d9796188dd153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Feb 2023 14:01:11 -0800
+Subject: Bluetooth: L2CAP: Fix potential user-after-free
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit df5703348813235874d851934e957c3723d71644 ]
+
+This fixes all instances of which requires to allocate a buffer calling
+alloc_skb which may release the chan lock and reacquire later which
+makes it possible that the chan is disconnected in the meantime.
+
+Fixes: a6a5568c03c4 ("Bluetooth: Lock the L2CAP channel when sending")
+Reported-by: Alexander Coffin <alex.coffin@matician.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 24 ------------------------
+ net/bluetooth/l2cap_sock.c |  8 ++++++++
+ 2 files changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index a5a19be51aff0..9fdd2260961e6 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -2517,14 +2517,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
+               if (IS_ERR(skb))
+                       return PTR_ERR(skb);
+-              /* Channel lock is released before requesting new skb and then
+-               * reacquired thus we need to recheck channel state.
+-               */
+-              if (chan->state != BT_CONNECTED) {
+-                      kfree_skb(skb);
+-                      return -ENOTCONN;
+-              }
+-
+               l2cap_do_send(chan, skb);
+               return len;
+       }
+@@ -2568,14 +2560,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
+               if (IS_ERR(skb))
+                       return PTR_ERR(skb);
+-              /* Channel lock is released before requesting new skb and then
+-               * reacquired thus we need to recheck channel state.
+-               */
+-              if (chan->state != BT_CONNECTED) {
+-                      kfree_skb(skb);
+-                      return -ENOTCONN;
+-              }
+-
+               l2cap_do_send(chan, skb);
+               err = len;
+               break;
+@@ -2596,14 +2580,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
+                */
+               err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
+-              /* The channel could have been closed while segmenting,
+-               * check that it is still connected.
+-               */
+-              if (chan->state != BT_CONNECTED) {
+-                      __skb_queue_purge(&seg_queue);
+-                      err = -ENOTCONN;
+-              }
+-
+               if (err)
+                       break;
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 13d070e7738db..47a16f6e741b8 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1415,6 +1415,14 @@ static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
+       if (!skb)
+               return ERR_PTR(err);
++      /* Channel lock is released before requesting new skb and then
++       * reacquired thus we need to recheck channel state.
++       */
++      if (chan->state != BT_CONNECTED) {
++              kfree_skb(skb);
++              return ERR_PTR(-ENOTCONN);
++      }
++
+       skb->priority = sk->sk_priority;
+       bt_cb(skb)->l2cap.chan = chan;
+-- 
+2.39.2
+
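Review bot: With the three `chan->state != BT_CONNECTED` rechecks removed from l2cap_chan_send(), the post-allocation state check now exists only in l2cap_sock_alloc_skb_cb(), so l2cap_core.c relies on every alloc_skb callback to perform it. The hunks do not show whether any other channel ops implementation drops the channel lock while allocating; if one does, it needs the same check, which is worth confirming for this 4.14 backport. A comment above the `IS_ERR(skb)` checks would record the contract, e.g. `/* the alloc_skb callback rechecks chan->state after reacquiring the lock */`. In the segmenting path -ENOTCONN now arrives only through the return value of l2cap_segment_sdu(), and the purge of seg_queue on that error is presumably done there, outside what is shown. Both l2cap_chan_send() and l2cap_sock_alloc_skb_cb() extend beyond the hunks.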
diff --git a/queue-4.14/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch b/queue-4.14/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch
new file mode 100644 (file)
index 0000000..0af5b0d
--- /dev/null
@@ -0,0 +1,49 @@
+From 4c2336f6cf6b9cbee5ad8fa0c5b3b4dad918abdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 20:04:48 +0100
+Subject: can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case
+ of a bus error
+
+From: Frank Jungclaus <frank.jungclaus@esd.eu>
+
+[ Upstream commit 118469f88180438ef43dee93d71f77c00e7b425d ]
+
+Move the supply for cf->data[3] (bit stream position of CAN error), in
+case of a bus- or protocol-error, outside of the "switch (ecc &
+SJA1000_ECC_MASK){}"-statement, because this bit stream position is
+independent of the error type.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Signed-off-by: Frank Jungclaus <frank.jungclaus@esd.eu>
+Link: https://lore.kernel.org/all/20230216190450.3901254-2-frank.jungclaus@esd.eu
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/esd_usb2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
+index fbe1173b2651f..b15154a6c53eb 100644
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -284,7 +284,6 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
+                               cf->data[2] |= CAN_ERR_PROT_STUFF;
+                               break;
+                       default:
+-                              cf->data[3] = ecc & SJA1000_ECC_SEG;
+                               break;
+                       }
+@@ -292,6 +291,9 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
+                       if (!(ecc & SJA1000_ECC_DIR))
+                               cf->data[2] |= CAN_ERR_PROT_TX;
++                      /* Bit stream position in CAN frame as the error was detected */
++                      cf->data[3] = ecc & SJA1000_ECC_SEG;
++
+                       if (priv->can.state == CAN_STATE_ERROR_WARNING ||
+                           priv->can.state == CAN_STATE_ERROR_PASSIVE) {
+                               cf->data[1] = (txerr > rxerr) ?
+-- 
+2.39.2
+
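Review bot: The new comment above `cf->data[3] = ecc & SJA1000_ECC_SEG;` is worded unclearly ("as the error was detected"); `/* Bit stream position in the CAN frame where the error was detected */` matches what the commit message says. After the move the `default:` arm of the switch holds only `break;`, which is harmless but leaves the reader to work out that nothing is set for the remaining error codes. esd_usb2_rx_event() starts and ends outside the hunks.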
diff --git a/queue-4.14/cpufreq-davinci-fix-clk-use-after-free.patch b/queue-4.14/cpufreq-davinci-fix-clk-use-after-free.patch
new file mode 100644 (file)
index 0000000..41452a2
--- /dev/null
@@ -0,0 +1,49 @@
+From 7c73bcbbcf5b318473d98e28b314863e94fda963 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Feb 2023 10:26:54 +0100
+Subject: cpufreq: davinci: Fix clk use after free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 5d8f384a9b4fc50f6a18405f1c08e5a87a77b5b3 ]
+
+The remove function first frees the clks and only then calls
+cpufreq_unregister_driver(). If one of the cpufreq callbacks is called
+just before cpufreq_unregister_driver() is run, the freed clks might be
+used.
+
+Fixes: 6601b8030de3 ("davinci: add generic CPUFreq driver for DaVinci")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/davinci-cpufreq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/davinci-cpufreq.c b/drivers/cpufreq/davinci-cpufreq.c
+index d54a27c991218..3dacfc53a80da 100644
+--- a/drivers/cpufreq/davinci-cpufreq.c
++++ b/drivers/cpufreq/davinci-cpufreq.c
+@@ -138,12 +138,14 @@ static int __init davinci_cpufreq_probe(struct platform_device *pdev)
+ static int __exit davinci_cpufreq_remove(struct platform_device *pdev)
+ {
++      cpufreq_unregister_driver(&davinci_driver);
++
+       clk_put(cpufreq.armclk);
+       if (cpufreq.asyncclk)
+               clk_put(cpufreq.asyncclk);
+-      return cpufreq_unregister_driver(&davinci_driver);
++      return 0;
+ }
+ static struct platform_driver davinci_cpufreq_driver = {
+-- 
+2.39.2
+
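Review bot: davinci_cpufreq_remove() now discards the return value of cpufreq_unregister_driver() and always returns 0, with nothing in the code saying this is intended. If that call can fail while the driver stays registered, the clk_put() calls below it would still free clocks that the callbacks may use, which is the case the commit message describes; the hunk does not show whether that can happen. A one-line comment would record the ordering requirement, e.g. `/* unregister first: cpufreq callbacks may use the clks until this returns */`, and a failed unregister could at least be logged rather than dropped.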
diff --git a/queue-4.14/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch b/queue-4.14/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch
new file mode 100644 (file)
index 0000000..5ce63ee
--- /dev/null
@@ -0,0 +1,91 @@
+From e5ee9dbca41f3d1164ac80b43af50799a17270e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 16:02:04 +0800
+Subject: crypto: rsa-pkcs1pad - Use akcipher_request_complete
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 564cabc0ca0bdfa8f0fc1ae74b24d0a7554522c5 ]
+
+Use the akcipher_request_complete helper instead of calling the
+completion function directly.  In fact the previous code was buggy
+in that EINPROGRESS was never passed back to the original caller.
+
+Fixes: 3d5b1ecdea6f ("crypto: rsa - RSA padding algorithm")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/rsa-pkcs1pad.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
+index 3279b457c4ede..0c70fbcd293d9 100644
+--- a/crypto/rsa-pkcs1pad.c
++++ b/crypto/rsa-pkcs1pad.c
+@@ -216,16 +216,14 @@ static void pkcs1pad_encrypt_sign_complete_cb(
+               struct crypto_async_request *child_async_req, int err)
+ {
+       struct akcipher_request *req = child_async_req->data;
+-      struct crypto_async_request async_req;
+       if (err == -EINPROGRESS)
+-              return;
++              goto out;
++
++      err = pkcs1pad_encrypt_sign_complete(req, err);
+-      async_req.data = req->base.data;
+-      async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
+-      async_req.flags = child_async_req->flags;
+-      req->base.complete(&async_req,
+-                      pkcs1pad_encrypt_sign_complete(req, err));
++out:
++      akcipher_request_complete(req, err);
+ }
+ static int pkcs1pad_encrypt(struct akcipher_request *req)
+@@ -336,15 +334,14 @@ static void pkcs1pad_decrypt_complete_cb(
+               struct crypto_async_request *child_async_req, int err)
+ {
+       struct akcipher_request *req = child_async_req->data;
+-      struct crypto_async_request async_req;
+       if (err == -EINPROGRESS)
+-              return;
++              goto out;
++
++      err = pkcs1pad_decrypt_complete(req, err);
+-      async_req.data = req->base.data;
+-      async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
+-      async_req.flags = child_async_req->flags;
+-      req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err));
++out:
++      akcipher_request_complete(req, err);
+ }
+ static int pkcs1pad_decrypt(struct akcipher_request *req)
+@@ -506,15 +503,14 @@ static void pkcs1pad_verify_complete_cb(
+               struct crypto_async_request *child_async_req, int err)
+ {
+       struct akcipher_request *req = child_async_req->data;
+-      struct crypto_async_request async_req;
+       if (err == -EINPROGRESS)
+-              return;
++              goto out;
+-      async_req.data = req->base.data;
+-      async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
+-      async_req.flags = child_async_req->flags;
+-      req->base.complete(&async_req, pkcs1pad_verify_complete(req, err));
++      err = pkcs1pad_verify_complete(req, err);
++
++out:
++      akcipher_request_complete(req, err);
+ }
+ /*
+-- 
+2.39.2
+
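Review bot: The three completion callbacks use `goto out` to skip a single statement, which reads more directly without the label: `if (err != -EINPROGRESS) err = pkcs1pad_encrypt_sign_complete(req, err);` followed by `akcipher_request_complete(req, err);`, and likewise in pkcs1pad_decrypt_complete_cb() and pkcs1pad_verify_complete_cb(). The blank-line placement around the `err = ...` assignment also differs between the verify callback and the other two. Staying byte-close to upstream is a fair reason to keep the goto form in a backport. Even so, a comment such as `/* -EINPROGRESS is a notification: pass it to the caller unchanged */` would document the behaviour the commit message says was previously missing.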
diff --git a/queue-4.14/crypto-seqiv-handle-ebusy-correctly.patch b/queue-4.14/crypto-seqiv-handle-ebusy-correctly.patch
new file mode 100644 (file)
index 0000000..769f2b3
--- /dev/null
@@ -0,0 +1,40 @@
+From ebe646b91853044d3365eabf026958ccd1d39232 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jan 2023 18:27:51 +0800
+Subject: crypto: seqiv - Handle EBUSY correctly
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 32e62025e5e52fbe4812ef044759de7010b15dbc ]
+
+As it is seqiv only handles the special return value of EINPROGERSS,
+which means that in all other cases it will free data related to the
+request.
+
+However, as the caller of seqiv may specify MAY_BACKLOG, we also need
+to expect EBUSY and treat it in the same way.  Otherwise backlogged
+requests will trigger a use-after-free.
+
+Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/seqiv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index 570b7d1aa0cac..ce9214097bc98 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -30,7 +30,7 @@ static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err)
+       struct aead_request *subreq = aead_request_ctx(req);
+       struct crypto_aead *geniv;
+-      if (err == -EINPROGRESS)
++      if (err == -EINPROGRESS || err == -EBUSY)
+               return;
+       if (err)
+-- 
+2.39.2
+
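Review bot: The widened test `if (err == -EINPROGRESS || err == -EBUSY)` in seqiv_aead_encrypt_complete2() has no comment, and -EBUSY reads like an ordinary error that should fall through to the cleanup below it. A comment should record why it does not: `/* -EBUSY: request was backlogged (MAY_BACKLOG) and is still in flight; freeing now would be a use-after-free */`. The function body continues past the hunk, so the cleanup that is being skipped is not visible here.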
diff --git a/queue-4.14/dm-cache-add-cond_resched-to-various-workqueue-loops.patch b/queue-4.14/dm-cache-add-cond_resched-to-various-workqueue-loops.patch
new file mode 100644 (file)
index 0000000..696bb01
--- /dev/null
@@ -0,0 +1,50 @@
+From a8b9efb0e05cff96bee46c9665f2b9e9a47e5722 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 15:31:08 -0500
+Subject: dm cache: add cond_resched() to various workqueue loops
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+[ Upstream commit 76227f6dc805e9e960128bcc6276647361e0827c ]
+
+Otherwise on resource constrained systems these workqueues may be too
+greedy.
+
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-cache-target.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
+index 5458a06971670..590aff275acb8 100644
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -1952,6 +1952,7 @@ static void process_deferred_bios(struct work_struct *ws)
+               else
+                       commit_needed = process_bio(cache, bio) || commit_needed;
++              cond_resched();
+       }
+       if (commit_needed)
+@@ -1974,6 +1975,7 @@ static void requeue_deferred_bios(struct cache *cache)
+       while ((bio = bio_list_pop(&bios))) {
+               bio->bi_status = BLK_STS_DM_REQUEUE;
+               bio_endio(bio);
++              cond_resched();
+       }
+ }
+@@ -2014,6 +2016,8 @@ static void check_migrations(struct work_struct *ws)
+               r = mg_start(cache, op, NULL);
+               if (r)
+                       break;
++
++              cond_resched();
+       }
+ }
+-- 
+2.39.2
+
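Review bot: requeue_deferred_bios() takes a `struct cache *` rather than a `struct work_struct *`, so unlike process_deferred_bios() and check_migrations() the hunk does not show that its loop runs only in workqueue context, and the added cond_resched() requires every caller to be allowed to sleep. That should be confirmed against the 4.14 callers, which are outside the hunk, and noted above the loop, e.g. `/* process context only: may reschedule */`. The same question applies to process_thin_deferred_bios() and process_thin_deferred_cells() in the dm-thin patch that follows, which take a `struct thin_c *`.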
diff --git a/queue-4.14/dm-remove-flush_scheduled_work-during-local_exit.patch b/queue-4.14/dm-remove-flush_scheduled_work-during-local_exit.patch
new file mode 100644 (file)
index 0000000..3c15d38
--- /dev/null
@@ -0,0 +1,43 @@
+From d9f3508d7786ed25d0ec93da42c4c5d73d420dd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 13:06:05 -0500
+Subject: dm: remove flush_scheduled_work() during local_exit()
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+[ Upstream commit 0b22ff5360f5c4e11050b89206370fdf7dc0a226 ]
+
+Commit acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred
+device removal") switched from using system workqueue to a single
+workqueue local to DM.  But it didn't eliminate the call to
+flush_scheduled_work() that was introduced purely for the benefit of
+deferred device removal with commit 2c140a246dc ("dm: allow remove to
+be deferred").
+
+Since DM core uses its own workqueue (and queue_work) there is no need
+to call flush_scheduled_work() from local_exit().  local_exit()'s
+destroy_workqueue(deferred_remove_workqueue) handles flushing work
+started with queue_work().
+
+Fixes: acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred device removal")
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 9e6689fd22730..e3facf14f6149 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -220,7 +220,6 @@ static int __init local_init(void)
+ static void local_exit(void)
+ {
+-      flush_scheduled_work();
+       destroy_workqueue(deferred_remove_workqueue);
+       kmem_cache_destroy(_rq_cache);
+-- 
+2.39.2
+
diff --git a/queue-4.14/dm-thin-add-cond_resched-to-various-workqueue-loops.patch b/queue-4.14/dm-thin-add-cond_resched-to-various-workqueue-loops.patch
new file mode 100644 (file)
index 0000000..6dd62ba
--- /dev/null
@@ -0,0 +1,41 @@
+From b54e930245daf206460880fdb59a4f7f85810a9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 15:29:44 -0500
+Subject: dm thin: add cond_resched() to various workqueue loops
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+[ Upstream commit e4f80303c2353952e6e980b23914e4214487f2a6 ]
+
+Otherwise on resource constrained systems these workqueues may be too
+greedy.
+
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-thin.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
+index 6c7fa790c8ae6..fcf1eaafec72d 100644
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -2233,6 +2233,7 @@ static void process_thin_deferred_bios(struct thin_c *tc)
+                       throttle_work_update(&pool->throttle);
+                       dm_pool_issue_prefetches(pool->pmd);
+               }
++              cond_resched();
+       }
+       blk_finish_plug(&plug);
+ }
+@@ -2316,6 +2317,7 @@ static void process_thin_deferred_cells(struct thin_c *tc)
+                       else
+                               pool->process_cell(tc, cell);
+               }
++              cond_resched();
+       } while (!list_empty(&cells));
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.14/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch b/queue-4.14/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch
new file mode 100644 (file)
index 0000000..2f81fc6
--- /dev/null
@@ -0,0 +1,46 @@
+From 318fc5db6830700c8f2c2cc64f734e2e063ee839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 00:23:20 +0100
+Subject: docs/scripts/gdb: add necessary make scripts_gdb step
+
+From: Jakob Koschel <jkl820.git@gmail.com>
+
+[ Upstream commit 6b219431037bf98c9efd49716aea9b68440477a3 ]
+
+In order to debug the kernel successfully with gdb you need to run
+'make scripts_gdb' nowadays.
+
+This was changed with the following commit:
+
+Commit 67274c083438340ad16c ("scripts/gdb: delay generation of gdb
+constants.py")
+
+In order to have a complete guide for beginners this remark
+should be added to the offial documentation.
+
+Signed-off-by: Jakob Koschel <jkl820.git@gmail.com>
+Link: https://lore.kernel.org/r/20230112-documentation-gdb-v2-1-292785c43dc9@gmail.com
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/dev-tools/gdb-kernel-debugging.rst | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/Documentation/dev-tools/gdb-kernel-debugging.rst b/Documentation/dev-tools/gdb-kernel-debugging.rst
+index 19df79286f000..afe4bc206486c 100644
+--- a/Documentation/dev-tools/gdb-kernel-debugging.rst
++++ b/Documentation/dev-tools/gdb-kernel-debugging.rst
+@@ -39,6 +39,10 @@ Setup
+   this mode. In this case, you should build the kernel with
+   CONFIG_RANDOMIZE_BASE disabled if the architecture supports KASLR.
++- Build the gdb scripts (required on kernels v5.1 and above)::
++
++    make scripts_gdb
++
+ - Enable the gdb stub of QEMU/KVM, either
+     - at VM startup time by appending "-s" to the QEMU command line
+-- 
+2.39.2
+
diff --git a/queue-4.14/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch b/queue-4.14/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch
new file mode 100644 (file)
index 0000000..03452ff
--- /dev/null
@@ -0,0 +1,65 @@
+From 2cd47624e72c2a1e9907655e006f4e971e5d914a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 09:12:26 +0000
+Subject: drm/bridge: megachips: Fix error handling in i2c_register_driver()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 4ecff954c370b82bce45bdca2846c5c5563e8a8a ]
+
+A problem about insmod megachips-stdpxxxx-ge-b850v3-fw.ko failed is
+triggered with the following log given:
+
+[ 4497.981497] Error: Driver 'stdp4028-ge-b850v3-fw' is already registered, aborting...
+insmod: ERROR: could not insert module megachips-stdpxxxx-ge-b850v3-fw.ko: Device or resource busy
+
+The reason is that stdpxxxx_ge_b850v3_init() returns i2c_add_driver()
+directly without checking its return value, if i2c_add_driver() failed,
+it returns without calling i2c_del_driver() on the previous i2c driver,
+resulting the megachips-stdpxxxx-ge-b850v3-fw can never be installed
+later.
+A simple call graph is shown as below:
+
+ stdpxxxx_ge_b850v3_init()
+   i2c_add_driver(&stdp4028_ge_b850v3_fw_driver)
+   i2c_add_driver(&stdp2690_ge_b850v3_fw_driver)
+     i2c_register_driver()
+       driver_register()
+         bus_add_driver()
+           priv = kzalloc(...) # OOM happened
+   # return without delete stdp4028_ge_b850v3_fw_driver
+
+Fix by calling i2c_del_driver() on stdp4028_ge_b850v3_fw_driver when
+i2c_add_driver() returns error.
+
+Fixes: fcfa0ddc18ed ("drm/bridge: Drivers for megachips-stdpxxxx-ge-b850v3-fw (LVDS-DP++)")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Tested-by: Ian Ray <ian.ray@ge.com>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221108091226.114524-1-yuancan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+index 313c80f299722..89454d1d2d998 100644
+--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+@@ -437,7 +437,11 @@ static int __init stdpxxxx_ge_b850v3_init(void)
+       if (ret)
+               return ret;
+-      return i2c_add_driver(&stdp2690_ge_b850v3_fw_driver);
++      ret = i2c_add_driver(&stdp2690_ge_b850v3_fw_driver);
++      if (ret)
++              i2c_del_driver(&stdp4028_ge_b850v3_fw_driver);
++
++      return ret;
+ }
+ module_init(stdpxxxx_ge_b850v3_init);
+-- 
+2.39.2
+
diff --git a/queue-4.14/drm-mediatek-drop-unbalanced-obj-unref.patch b/queue-4.14/drm-mediatek-drop-unbalanced-obj-unref.patch
new file mode 100644 (file)
index 0000000..59729ea
--- /dev/null
@@ -0,0 +1,37 @@
+From 000c91e488766e1a803a7ecbc10d6e83edd3d1db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 15:12:55 -0800
+Subject: drm/mediatek: Drop unbalanced obj unref
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 4deef811828e87e26a978d5d6433b261d4713849 ]
+
+In the error path, mtk_drm_gem_object_mmap() is dropping an obj
+reference that it doesn't own.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20230119231255.2883365-1-robdclark@gmail.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_gem.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+index f595ac816b555..1818980dafced 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+@@ -148,8 +148,6 @@ static int mtk_drm_gem_object_mmap(struct drm_gem_object *obj,
+       ret = dma_mmap_attrs(priv->dma_dev, vma, mtk_gem->cookie,
+                            mtk_gem->dma_addr, obj->size, mtk_gem->dma_attrs);
+-      if (ret)
+-              drm_gem_vm_close(vma);
+       return ret;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.14/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch b/queue-4.14/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch
new file mode 100644 (file)
index 0000000..9a091b7
--- /dev/null
@@ -0,0 +1,117 @@
+From 9eae599673b998373b3f9813a5d881f1bde365d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 17:49:07 -0500
+Subject: drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
+
+From: Daniel Mentz <danielmentz@google.com>
+
+[ Upstream commit c9d27c6be518b4ef2966d9564654ef99292ea1b3 ]
+
+The MIPI DCS specification demands that brightness values are sent in
+big endian byte order. It also states that one parameter (i.e. one byte)
+shall be sent/received for 8 bit wide values, and two parameters shall
+be used for values that are between 9 and 16 bits wide.
+
+Add new functions to properly handle 16-bit brightness in big endian,
+since the two 8- and 16-bit cases are distinct from each other.
+
+[richard: use separate functions instead of switch/case]
+[richard: split into 16-bit component]
+
+Fixes: 1a9d759331b8 ("drm/dsi: Implement DCS set/get display brightness")
+Signed-off-by: Daniel Mentz <danielmentz@google.com>
+Link: https://android.googlesource.com/kernel/msm/+/754affd62d0ee268c686c53169b1dbb7deac8550
+[richard: fix 16-bit brightness_get]
+Signed-off-by: Richard Acayan <mailingradian@gmail.com>
+Tested-by: Caleb Connolly <caleb@connolly.tech>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230116224909.23884-2-mailingradian@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_mipi_dsi.c | 52 ++++++++++++++++++++++++++++++++++
+ include/drm/drm_mipi_dsi.h     |  4 +++
+ 2 files changed, 56 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
+index bd5e8661f826a..6995bee5ad0fb 100644
+--- a/drivers/gpu/drm/drm_mipi_dsi.c
++++ b/drivers/gpu/drm/drm_mipi_dsi.c
+@@ -1091,6 +1091,58 @@ int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi,
+ }
+ EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness);
++/**
++ * mipi_dsi_dcs_set_display_brightness_large() - sets the 16-bit brightness value
++ *    of the display
++ * @dsi: DSI peripheral device
++ * @brightness: brightness value
++ *
++ * Return: 0 on success or a negative error code on failure.
++ */
++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi,
++                                           u16 brightness)
++{
++      u8 payload[2] = { brightness >> 8, brightness & 0xff };
++      ssize_t err;
++
++      err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_DISPLAY_BRIGHTNESS,
++                               payload, sizeof(payload));
++      if (err < 0)
++              return err;
++
++      return 0;
++}
++EXPORT_SYMBOL(mipi_dsi_dcs_set_display_brightness_large);
++
++/**
++ * mipi_dsi_dcs_get_display_brightness_large() - gets the current 16-bit
++ *    brightness value of the display
++ * @dsi: DSI peripheral device
++ * @brightness: brightness value
++ *
++ * Return: 0 on success or a negative error code on failure.
++ */
++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
++                                           u16 *brightness)
++{
++      u8 brightness_be[2];
++      ssize_t err;
++
++      err = mipi_dsi_dcs_read(dsi, MIPI_DCS_GET_DISPLAY_BRIGHTNESS,
++                              brightness_be, sizeof(brightness_be));
++      if (err <= 0) {
++              if (err == 0)
++                      err = -ENODATA;
++
++              return err;
++      }
++
++      *brightness = (brightness_be[0] << 8) | brightness_be[1];
++
++      return 0;
++}
++EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness_large);
++
+ static int mipi_dsi_drv_probe(struct device *dev)
+ {
+       struct mipi_dsi_driver *drv = to_mipi_dsi_driver(dev->driver);
+diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
+index 4fef19064b0f1..689f615471ab1 100644
+--- a/include/drm/drm_mipi_dsi.h
++++ b/include/drm/drm_mipi_dsi.h
+@@ -274,6 +274,10 @@ int mipi_dsi_dcs_set_display_brightness(struct mipi_dsi_device *dsi,
+                                       u16 brightness);
+ int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi,
+                                       u16 *brightness);
++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi,
++                                           u16 brightness);
++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
++                                           u16 *brightness);
+ /**
+  * struct mipi_dsi_driver - DSI driver
+-- 
+2.39.2
+
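Review bot: In mipi_dsi_dcs_get_display_brightness_large() a short read is not rejected: `if (err <= 0)` lets a return value of 1 through, and `*brightness` is then assembled from `brightness_be[1]`, which was never written and holds uninitialised stack data. This assumes mipi_dsi_dcs_read() returns the number of bytes actually read, which looks likely but its definition is outside this hunk. The guard should require both bytes, for example `if (err != sizeof(brightness_be)) return err < 0 ? err : -ENODATA;`, or at minimum the buffer should be declared as `u8 brightness_be[2] = { 0 };`. The result is handed back to the caller, so a stray stack byte could end up in a brightness value reported further up.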
diff --git a/queue-4.14/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch b/queue-4.14/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch
new file mode 100644 (file)
index 0000000..fadeb0d
--- /dev/null
@@ -0,0 +1,39 @@
+From 006ddce03ca3da7b6b7ef4a9eeb5dbbc9552a3e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 10:16:51 +0800
+Subject: drm/msm/dsi: Add missing check for alloc_ordered_workqueue
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 115906ca7b535afb1fe7b5406c566ccd3873f82b ]
+
+Add check for the return value of alloc_ordered_workqueue as it may return
+NULL pointer and cause NULL pointer dereference.
+
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/517646/
+Link: https://lore.kernel.org/r/20230110021651.12770-1-jiasheng@iscas.ac.cn
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index c9c8d21905159..43a3a48a15df5 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1769,6 +1769,9 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi)
+       /* setup workqueue */
+       msm_host->workqueue = alloc_ordered_workqueue("dsi_drm_work", 0);
++      if (!msm_host->workqueue)
++              return -ENOMEM;
++
+       INIT_WORK(&msm_host->err_work, dsi_err_worker);
+       INIT_WORK(&msm_host->hpd_work, dsi_hpd_worker);
+-- 
+2.39.2
+
diff --git a/queue-4.14/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch b/queue-4.14/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch
new file mode 100644 (file)
index 0000000..c79c639
--- /dev/null
@@ -0,0 +1,42 @@
+From 11bed4905f9eb33b75ae7ddc2e46cfb33aec595a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 10:30:11 +0800
+Subject: drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit afe4cb96153a0d8003e4e4ebd91b5c543e10df84 ]
+
+Add check for the return value of alloc_ordered_workqueue as it may return
+NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and
+`hdmi_hpd.c`.
+
+Fixes: c6a57a50ad56 ("drm/msm/hdmi: add hdmi hdcp support (V3)")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/517211/
+Link: https://lore.kernel.org/r/20230106023011.3985-1-jiasheng@iscas.ac.cn
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/hdmi/hdmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
+index c55e1920bfde7..4c02c057fc0d0 100644
+--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
+@@ -246,6 +246,10 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev)
+       pm_runtime_enable(&pdev->dev);
+       hdmi->workq = alloc_ordered_workqueue("msm_hdmi", 0);
++      if (!hdmi->workq) {
++              ret = -ENOMEM;
++              goto fail;
++      }
+       hdmi->i2c = msm_hdmi_i2c_init(hdmi);
+       if (IS_ERR(hdmi->i2c)) {
+-- 
+2.39.2
+
diff --git a/queue-4.14/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch b/queue-4.14/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch
new file mode 100644 (file)
index 0000000..d24ceb9
--- /dev/null
@@ -0,0 +1,39 @@
+From 4a3a70ca245b082844242f28441f6cb229f21c58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 16:59:55 +0100
+Subject: drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 7783cc67862f9166c901bfa0f80b717aa8d354dd ]
+
+Freescale/NXP i.MX LCDIF and eLCDIF LCD controllers are only present on
+Freescale/NXP i.MX SoCs.  Hence add a dependency on ARCH_MXS ||
+ARCH_MXC, to prevent asking the user about this driver when configuring
+a kernel without Freescale/NXP i.MX support.
+
+Fixes: 45d59d704080cc0c ("drm: Add new driver for MXSFB controller")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/98e74779ca2bc575d91afff03369e86b080c01ac.1669046358.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mxsfb/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/mxsfb/Kconfig b/drivers/gpu/drm/mxsfb/Kconfig
+index 3ed6849d63cba..1a2805c7a0eb7 100644
+--- a/drivers/gpu/drm/mxsfb/Kconfig
++++ b/drivers/gpu/drm/mxsfb/Kconfig
+@@ -7,6 +7,7 @@ config DRM_MXSFB
+       tristate "i.MX23/i.MX28/i.MX6SX MXSFB LCD controller"
+       depends on DRM && OF
+       depends on COMMON_CLK
++      depends on ARCH_MXS || ARCH_MXC || COMPILE_TEST
+       select DRM_MXS
+       select DRM_KMS_HELPER
+       select DRM_KMS_CMA_HELPER
+-- 
+2.39.2
+
diff --git a/queue-4.14/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch b/queue-4.14/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch
new file mode 100644 (file)
index 0000000..2bb8e27
--- /dev/null
@@ -0,0 +1,60 @@
+From f8385b2775765cc962671870e13b6c217a404d51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 17:47:29 +0800
+Subject: drm/radeon: free iio for atombios when driver shutdown
+
+From: Liwei Song <liwei.song@windriver.com>
+
+[ Upstream commit 4773fadedca918faec443daaca5e4ea1c0ced144 ]
+
+Fix below kmemleak when unload radeon driver:
+
+unreferenced object 0xffff9f8608ede200 (size 512):
+  comm "systemd-udevd", pid 326, jiffies 4294682822 (age 716.338s)
+  hex dump (first 32 bytes):
+    00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<0000000062fadebe>] kmem_cache_alloc_trace+0x2f1/0x500
+    [<00000000b6883cea>] atom_parse+0x117/0x230 [radeon]
+    [<00000000158c23fd>] radeon_atombios_init+0xab/0x170 [radeon]
+    [<00000000683f672e>] si_init+0x57/0x750 [radeon]
+    [<00000000566cc31f>] radeon_device_init+0x559/0x9c0 [radeon]
+    [<0000000046efabb3>] radeon_driver_load_kms+0xc1/0x1a0 [radeon]
+    [<00000000b5155064>] drm_dev_register+0xdd/0x1d0
+    [<0000000045fec835>] radeon_pci_probe+0xbd/0x100 [radeon]
+    [<00000000e69ecca3>] pci_device_probe+0xe1/0x160
+    [<0000000019484b76>] really_probe.part.0+0xc1/0x2c0
+    [<000000003f2649da>] __driver_probe_device+0x96/0x130
+    [<00000000231c5bb1>] driver_probe_device+0x24/0xf0
+    [<0000000000a42377>] __driver_attach+0x77/0x190
+    [<00000000d7574da6>] bus_for_each_dev+0x7f/0xd0
+    [<00000000633166d2>] driver_attach+0x1e/0x30
+    [<00000000313b05b8>] bus_add_driver+0x12c/0x1e0
+
+iio was allocated in atom_index_iio() called by atom_parse(),
+but it doesn't got released when the dirver is shutdown.
+Fix this kmemleak by free it in radeon_atombios_fini().
+
+Signed-off-by: Liwei Song <liwei.song@windriver.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
+index 906547b229a9a..e0fe21e7378b6 100644
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -1045,6 +1045,7 @@ void radeon_atombios_fini(struct radeon_device *rdev)
+ {
+       if (rdev->mode_info.atom_context) {
+               kfree(rdev->mode_info.atom_context->scratch);
++              kfree(rdev->mode_info.atom_context->iio);
+       }
+       kfree(rdev->mode_info.atom_context);
+       rdev->mode_info.atom_context = NULL;
+-- 
+2.39.2
+
diff --git a/queue-4.14/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch b/queue-4.14/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch
new file mode 100644 (file)
index 0000000..ec04b4e
--- /dev/null
@@ -0,0 +1,44 @@
+From d745c4631fcf1cbaf3953668fb930e6078c48c83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 17:25:03 +0800
+Subject: genirq: Fix the return type of kstat_cpu_irqs_sum()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 47904aed898a08f028572b9b5a5cc101ddfb2d82 ]
+
+The type of member ->irqs_sum is unsigned long, but kstat_cpu_irqs_sum()
+returns int, which can result in truncation.  Therefore, change the
+kstat_cpu_irqs_sum() function's return value to unsigned long to avoid
+truncation.
+
+Fixes: f2c66cd8eedd ("/proc/stat: scalability of irq num per cpu")
+Reported-by: Elliott, Robert (Servers) <elliott@hpe.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
+Cc: Josh Don <joshdon@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kernel_stat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/kernel_stat.h b/include/linux/kernel_stat.h
+index 7ee2bb43b251a..f7f20cf1bd3b1 100644
+--- a/include/linux/kernel_stat.h
++++ b/include/linux/kernel_stat.h
+@@ -73,7 +73,7 @@ extern unsigned int kstat_irqs_usr(unsigned int irq);
+ /*
+  * Number of interrupts per cpu, since bootup
+  */
+-static inline unsigned int kstat_cpu_irqs_sum(unsigned int cpu)
++static inline unsigned long kstat_cpu_irqs_sum(unsigned int cpu)
+ {
+       return kstat_cpu(cpu).irqs_sum;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.14/gpio-vf610-connect-gpio-label-to-dev-name.patch b/queue-4.14/gpio-vf610-connect-gpio-label-to-dev-name.patch
new file mode 100644 (file)
index 0000000..27e44ff
--- /dev/null
@@ -0,0 +1,38 @@
+From 5e1f30de0fe7a0b7a1889f25f225b3ea3548756f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Dec 2022 17:02:47 +0800
+Subject: gpio: vf610: connect GPIO label to dev name
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 6f8ecb7f85f441eb7d78ba2a4df45ee8a821934e ]
+
+Current GPIO label is fixed, so can't distinguish different GPIO
+controllers through labels. Use dev name instead.
+
+Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid")
+Signed-off-by: Clark Wang <xiaoning.wang@nxp.com>
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-vf610.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c
+index 91d6966c3d29b..457ee42023f41 100644
+--- a/drivers/gpio/gpio-vf610.c
++++ b/drivers/gpio/gpio-vf610.c
+@@ -281,7 +281,7 @@ static int vf610_gpio_probe(struct platform_device *pdev)
+       gc = &port->gc;
+       gc->of_node = np;
+       gc->parent = dev;
+-      gc->label = "vf610-gpio";
++      gc->label = dev_name(dev);
+       gc->ngpio = VF610_GPIO_PER_PORT;
+       gc->base = of_alias_get_id(np, "gpio") * VF610_GPIO_PER_PORT;
+-- 
+2.39.2
+
diff --git a/queue-4.14/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch b/queue-4.14/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch
new file mode 100644 (file)
index 0000000..749b0fa
--- /dev/null
@@ -0,0 +1,39 @@
+From 1548d0ff918b6f79a0f5dbc27e2150c8111eb3c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jul 2022 23:22:27 +0800
+Subject: gpu: ipu-v3: common: Add of_node_put() for reference returned by
+ of_graph_get_port_by_id()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 9afdf98cfdfa2ba8ec068cf08c5fcdc1ed8daf3f ]
+
+In ipu_add_client_devices(), we need to call of_node_put() for
+reference returned by of_graph_get_port_by_id() in fail path.
+
+Fixes: 17e052175039 ("gpu: ipu-v3: Do not bail out on missing optional port nodes")
+Signed-off-by: Liang He <windhl@126.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Link: https://lore.kernel.org/r/20220720152227.1288413-1-windhl@126.com
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220720152227.1288413-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index f3a57c0500f30..1a7ca888546f7 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -1234,6 +1234,7 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base)
+               pdev = platform_device_alloc(reg->name, id++);
+               if (!pdev) {
+                       ret = -ENOMEM;
++                      of_node_put(of_node);
+                       goto err_register;
+               }
+-- 
+2.39.2
+
diff --git a/queue-4.14/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch b/queue-4.14/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch
new file mode 100644 (file)
index 0000000..ba6c9af
--- /dev/null
@@ -0,0 +1,38 @@
+From c95720d2a551238cd6cf0ea0d8cf792a503237c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 17:32:25 -0500
+Subject: hwmon: (ltc2945) Handle error case in ltc2945_value_store
+
+From: Jonathan Cormier <jcormier@criticallink.com>
+
+[ Upstream commit 178b01eccfb0b8149682f61388400bd3d903dddc ]
+
+ltc2945_val_to_reg errors were not being handled
+which would have resulted in register being set to
+0 (clamped) instead of being left alone.
+
+Fixes: 6700ce035f83 ("hwmon: Driver for Linear Technologies LTC2945")
+
+Signed-off-by: Jonathan Cormier <jcormier@criticallink.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ltc2945.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hwmon/ltc2945.c b/drivers/hwmon/ltc2945.c
+index 1b92e4f6e2349..efabe514ec560 100644
+--- a/drivers/hwmon/ltc2945.c
++++ b/drivers/hwmon/ltc2945.c
+@@ -257,6 +257,8 @@ static ssize_t ltc2945_set_value(struct device *dev,
+       /* convert to register value, then clamp and write result */
+       regval = ltc2945_val_to_reg(dev, reg, val);
++      if (regval < 0)
++              return regval;
+       if (is_power_reg(reg)) {
+               regval = clamp_val(regval, 0, 0xffffff);
+               regbuf[0] = regval >> 16;
+-- 
+2.39.2
+
diff --git a/queue-4.14/inet-fix-fast-path-in-__inet_hash_connect.patch b/queue-4.14/inet-fix-fast-path-in-__inet_hash_connect.patch
new file mode 100644 (file)
index 0000000..c4f4f9e
--- /dev/null
@@ -0,0 +1,56 @@
+From bcfdfc986a9ba69eb7a4e1508a28115d397eab9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jan 2023 13:11:41 +0000
+Subject: inet: fix fast path in __inet_hash_connect()
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit 21cbd90a6fab7123905386985e3e4a80236b8714 ]
+
+__inet_hash_connect() has a fast path taken if sk_head(&tb->owners) is
+equal to the sk parameter.
+sk_head() returns the hlist_entry() with respect to the sk_node field.
+However entries in the tb->owners list are inserted with respect to the
+sk_bind_node field with sk_add_bind_node().
+Thus the check would never pass and the fast path never execute.
+
+This fast path has never been executed or tested as this bug seems
+to be present since commit 1da177e4c3f4 ("Linux-2.6.12-rc2"), thus
+remove it to reduce code complexity.
+
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230112-inet_hash_connect_bind_head-v3-1-b591fd212b93@diag.uniroma1.it
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_hashtables.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 590801a7487f7..c5092e2b5933e 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -616,17 +616,7 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+       u32 index;
+       if (port) {
+-              head = &hinfo->bhash[inet_bhashfn(net, port,
+-                                                hinfo->bhash_size)];
+-              tb = inet_csk(sk)->icsk_bind_hash;
+-              spin_lock_bh(&head->lock);
+-              if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) {
+-                      inet_ehash_nolisten(sk, NULL, NULL);
+-                      spin_unlock_bh(&head->lock);
+-                      return 0;
+-              }
+-              spin_unlock(&head->lock);
+-              /* No definite answer... Walk to established hash table */
++              local_bh_disable();
+               ret = check_established(death_row, sk, port, NULL);
+               local_bh_enable();
+               return ret;
+-- 
+2.39.2
+
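Review bot: The new `local_bh_disable();` in the `if (port)` branch of __inet_hash_connect() has no comment saying why bottom halves must be off around `check_established()`. Before this change that state was a side effect of `spin_lock_bh()` followed by a plain `spin_unlock()`, and the only comment on the branch was removed along with the fast path. A one-line comment such as `/* check_established() must run with BHs disabled; paired with local_bh_enable() below */` would keep the pairing from looking accidental. The requirement itself is inferred from the old lock/unlock asymmetry and should be confirmed against check_established(). The function body starts and ends outside this hunk.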
diff --git a/queue-4.14/input-ads7846-don-t-check-penirq-immediately-for-784.patch b/queue-4.14/input-ads7846-don-t-check-penirq-immediately-for-784.patch
new file mode 100644 (file)
index 0000000..572149c
--- /dev/null
@@ -0,0 +1,46 @@
+From 42436ec5ea470f9fd48cebab22e1ed349d7f2d37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 11:52:27 +0100
+Subject: Input: ads7846 - don't check penirq immediately for 7845
+
+From: Luca Ellero <l.ellero@asem.it>
+
+[ Upstream commit fa9f4275b20ec7b2a8fb05c66362d10b36f9efec ]
+
+To discard false readings, one should use "ti,penirq-recheck-delay-usecs".
+Checking get_pendown_state() at the beginning, most of the time fails
+causing malfunctioning.
+
+Fixes: ffa458c1bd9b ("spi: ads7846 driver")
+Signed-off-by: Luca Ellero <l.ellero@asem.it>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230126105227.47648-4-l.ellero@asem.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ads7846.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c
+index 491cc7efecf9e..fe6c9e1870414 100644
+--- a/drivers/input/touchscreen/ads7846.c
++++ b/drivers/input/touchscreen/ads7846.c
+@@ -790,14 +790,8 @@ static void ads7846_report_state(struct ads7846 *ts)
+       if (x == MAX_12BIT)
+               x = 0;
+-      if (ts->model == 7843) {
++      if (ts->model == 7843 || ts->model == 7845) {
+               Rt = ts->pressure_max / 2;
+-      } else if (ts->model == 7845) {
+-              if (get_pendown_state(ts))
+-                      Rt = ts->pressure_max / 2;
+-              else
+-                      Rt = 0;
+-              dev_vdbg(&ts->spi->dev, "x/y: %d/%d, PD %d\n", x, y, Rt);
+       } else if (likely(x && z1)) {
+               /* compute touch pressure resistance using equation #2 */
+               Rt = z2;
+-- 
+2.39.2
+
diff --git a/queue-4.14/input-ads7846-don-t-report-pressure-for-ads7845.patch b/queue-4.14/input-ads7846-don-t-report-pressure-for-ads7845.patch
new file mode 100644 (file)
index 0000000..7b253cc
--- /dev/null
@@ -0,0 +1,42 @@
+From 0c9638468e305e3e198166c01230c01b8204580a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 11:52:25 +0100
+Subject: Input: ads7846 - don't report pressure for ads7845
+
+From: Luca Ellero <l.ellero@asem.it>
+
+[ Upstream commit d50584d783313c8b05b84d0b07a2142f1bde46dd ]
+
+ADS7845 doesn't support pressure.
+Avoid the following error reported by libinput-list-devices:
+"ADS7845 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE".
+
+Fixes: ffa458c1bd9b ("spi: ads7846 driver")
+Signed-off-by: Luca Ellero <l.ellero@asem.it>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230126105227.47648-2-l.ellero@asem.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ads7846.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c
+index b536768234b7c..491cc7efecf9e 100644
+--- a/drivers/input/touchscreen/ads7846.c
++++ b/drivers/input/touchscreen/ads7846.c
+@@ -1374,8 +1374,9 @@ static int ads7846_probe(struct spi_device *spi)
+                       pdata->y_min ? : 0,
+                       pdata->y_max ? : MAX_12BIT,
+                       0, 0);
+-      input_set_abs_params(input_dev, ABS_PRESSURE,
+-                      pdata->pressure_min, pdata->pressure_max, 0, 0);
++      if (ts->model != 7845)
++              input_set_abs_params(input_dev, ABS_PRESSURE,
++                              pdata->pressure_min, pdata->pressure_max, 0, 0);
+       ads7846_setup_spi_msg(ts, pdata);
+-- 
+2.39.2
+
diff --git a/queue-4.14/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch b/queue-4.14/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch
new file mode 100644 (file)
index 0000000..7d627df
--- /dev/null
@@ -0,0 +1,37 @@
+From b537fa9a85aa207855ff6e3897f759dfdd994c0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jan 2023 12:28:10 +0400
+Subject: irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 071d068b89e95d1b078aa6bbcb9d0961b77d6aa1 ]
+
+of_irq_find_parent() returns a node pointer with refcount incremented,
+We should use of_node_put() on it when not needed anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: e6b78f2c3e14 ("irqchip: Add the Alpine MSIX interrupt controller")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230102082811.3947760-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-alpine-msi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c
+index ac431697ebe1c..5e03574e1c5fb 100644
+--- a/drivers/irqchip/irq-alpine-msi.c
++++ b/drivers/irqchip/irq-alpine-msi.c
+@@ -199,6 +199,7 @@ static int alpine_msix_init_domains(struct alpine_msix_data *priv,
+       }
+       gic_domain = irq_find_host(gic_node);
++      of_node_put(gic_node);
+       if (!gic_domain) {
+               pr_err("Failed to find the GIC domain\n");
+               return -ENXIO;
+-- 
+2.39.2
+
diff --git a/queue-4.14/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch b/queue-4.14/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch
new file mode 100644 (file)
index 0000000..ad0bc69
--- /dev/null
@@ -0,0 +1,44 @@
+From 6ecbafa1a9d3b7e411ba0306d5bd15af76860947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Dec 2022 15:09:34 -0800
+Subject: irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 13a157b38ca5b4f9eed81442b8821db293755961 ]
+
+When support for the interrupt controller was added with a5042de2688d,
+we forgot to update the flags to be set to contain IRQ_LEVEL. While the
+flow handler is correct, the output from /proc/interrupts does not show
+such interrupts as being level triggered when they are, correct that.
+
+Fixes: a5042de2688d ("irqchip: bcm7120-l2: Add Broadcom BCM7120-style Level 2 interrupt controller")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221216230934.2478345-3-f.fainelli@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-bcm7120-l2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-bcm7120-l2.c b/drivers/irqchip/irq-bcm7120-l2.c
+index 983640eba418e..80c52854d41b5 100644
+--- a/drivers/irqchip/irq-bcm7120-l2.c
++++ b/drivers/irqchip/irq-bcm7120-l2.c
+@@ -271,7 +271,8 @@ static int __init bcm7120_l2_intc_probe(struct device_node *dn,
+               flags |= IRQ_GC_BE_IO;
+       ret = irq_alloc_domain_generic_chips(data->domain, IRQS_PER_WORD, 1,
+-                              dn->full_name, handle_level_irq, clr, 0, flags);
++                              dn->full_name, handle_level_irq, clr,
++                              IRQ_LEVEL, flags);
+       if (ret) {
+               pr_err("failed to allocate generic irq chip\n");
+               goto out_free_domain;
+-- 
+2.39.2
+
diff --git a/queue-4.14/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch b/queue-4.14/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch
new file mode 100644 (file)
index 0000000..584f645
--- /dev/null
@@ -0,0 +1,37 @@
+From c7dab20b29428d6d9710e00be3ca6e3ef7b03b69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jan 2023 12:42:08 +0400
+Subject: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 9419e700021a393f67be36abd0c4f3acc6139041 ]
+
+of_irq_find_parent() returns a node pointer with refcount incremented,
+We should use of_node_put() on it when not needed anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: a68a63cb4dfc ("irqchip/irq-mvebu-gicp: Add new driver for Marvell GICP")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230102084208.3951758-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mvebu-gicp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/irq-mvebu-gicp.c b/drivers/irqchip/irq-mvebu-gicp.c
+index 17a4a7b6cdbb9..6d9761423cbd6 100644
+--- a/drivers/irqchip/irq-mvebu-gicp.c
++++ b/drivers/irqchip/irq-mvebu-gicp.c
+@@ -239,6 +239,7 @@ static int mvebu_gicp_probe(struct platform_device *pdev)
+       }
+       parent_domain = irq_find_host(irq_parent_dn);
++      of_node_put(irq_parent_dn);
+       if (!parent_domain) {
+               dev_err(&pdev->dev, "failed to find parent IRQ domain\n");
+               return -ENODEV;
+-- 
+2.39.2
+
diff --git a/queue-4.14/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch b/queue-4.14/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch
new file mode 100644 (file)
index 0000000..c41e082
--- /dev/null
@@ -0,0 +1,41 @@
+From 8e0790f9a43b8cf094cb16af94807d9c2d6f9ca7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Dec 2022 15:27:39 +0100
+Subject: lib/mpi: Fix buffer overrun when SG is too long
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 7361d1bc307b926cbca214ab67b641123c2d6357 ]
+
+The helper mpi_read_raw_from_sgl sets the number of entries in
+the SG list according to nbytes.  However, if the last entry
+in the SG list contains more data than nbytes, then it may overrun
+the buffer because it only allocates enough memory for nbytes.
+
+Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
+Reported-by: Roberto Sassu <roberto.sassu@huaweicloud.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/mpi/mpicoder.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c
+index eead4b3394668..4f73db248009e 100644
+--- a/lib/mpi/mpicoder.c
++++ b/lib/mpi/mpicoder.c
+@@ -397,7 +397,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
+       while (sg_miter_next(&miter)) {
+               buff = miter.addr;
+-              len = miter.length;
++              len = min_t(unsigned, miter.length, nbytes);
++              nbytes -= len;
+               for (x = 0; x < len; x++) {
+                       a <<= 8;
+-- 
+2.39.2
+
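Review bot: The clamp added in the copy loop of mpi_read_raw_from_sgl(), `len = min_t(unsigned, miter.length, nbytes);`, has no comment saying why it is there, although it is the only thing keeping the copy within the nbytes the MPI was sized for. I would add `/* the last SG entry may hold more than nbytes; consume only what was allocated for */` above it and spell the type `unsigned int`, as kernel style prefers. Once nbytes reaches zero the loop keeps iterating over any remaining entries with len == 0, which is harmless. The function starts and ends outside the hunk, so any earlier use of miter.length there should be checked for the same assumption.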
diff --git a/queue-4.14/m68k-check-syscall_trace_enter-return-code.patch b/queue-4.14/m68k-check-syscall_trace_enter-return-code.patch
new file mode 100644 (file)
index 0000000..34eb176
--- /dev/null
@@ -0,0 +1,72 @@
+From 128bc596be58b766c63b7a75887d7e5c75b645c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 16:55:27 +1300
+Subject: m68k: Check syscall_trace_enter() return code
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit 2ca8a1de4437f21562e57f9ac123914747a8e7a1 ]
+
+Check return code of syscall_trace_enter(), and skip syscall
+if -1. Return code will be left at what had been set by
+ptrace or seccomp (in regs->d0).
+
+No regression seen in testing with strace on ARAnyM.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20230112035529.13521-2-schmitzmic@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/68000/entry.S    | 2 ++
+ arch/m68k/coldfire/entry.S | 2 ++
+ arch/m68k/kernel/entry.S   | 3 +++
+ 3 files changed, 7 insertions(+)
+
+diff --git a/arch/m68k/68000/entry.S b/arch/m68k/68000/entry.S
+index 259b3661b6141..94abf3d8afc52 100644
+--- a/arch/m68k/68000/entry.S
++++ b/arch/m68k/68000/entry.S
+@@ -47,6 +47,8 @@ do_trace:
+       jbsr    syscall_trace_enter
+       RESTORE_SWITCH_STACK
+       addql   #4,%sp
++      addql   #1,%d0
++      jeq     ret_from_exception
+       movel   %sp@(PT_OFF_ORIG_D0),%d1
+       movel   #-ENOSYS,%d0
+       cmpl    #NR_syscalls,%d1
+diff --git a/arch/m68k/coldfire/entry.S b/arch/m68k/coldfire/entry.S
+index 52d312d5b4d4f..fb3b065677459 100644
+--- a/arch/m68k/coldfire/entry.S
++++ b/arch/m68k/coldfire/entry.S
+@@ -92,6 +92,8 @@ ENTRY(system_call)
+       jbsr    syscall_trace_enter
+       RESTORE_SWITCH_STACK
+       addql   #4,%sp
++      addql   #1,%d0
++      jeq     ret_from_exception
+       movel   %d3,%a0
+       jbsr    %a0@
+       movel   %d0,%sp@(PT_OFF_D0)             /* save the return value */
+diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S
+index 97cd3ea5f10b8..9a66657773beb 100644
+--- a/arch/m68k/kernel/entry.S
++++ b/arch/m68k/kernel/entry.S
+@@ -160,9 +160,12 @@ do_trace_entry:
+       jbsr    syscall_trace
+       RESTORE_SWITCH_STACK
+       addql   #4,%sp
++      addql   #1,%d0                  | optimization for cmpil #-1,%d0
++      jeq     ret_from_syscall
+       movel   %sp@(PT_OFF_ORIG_D0),%d0
+       cmpl    #NR_syscalls,%d0
+       jcs     syscall
++      jra     ret_from_syscall
+ badsys:
+       movel   #-ENOSYS,%sp@(PT_OFF_D0)
+       jra     ret_from_syscall
+-- 
+2.39.2
+
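Review bot: In the arch/m68k/kernel/entry.S hunk the new `addql #1,%d0` / `jeq ret_from_syscall` test runs after `jbsr syscall_trace`, whereas the commit message and the other two files test the return of `syscall_trace_enter`. Whether syscall_trace returns a value in this 4.14 tree is not visible here; if it returns nothing, %d0 is undefined at the test and a traced syscall could be skipped or executed regardless of what the tracer decided. That should be confirmed against the 4.14 definition before the patch is queued, or the hunk for this file dropped. The added pairs in 68000/entry.S and coldfire/entry.S would also benefit from the explanatory comment that only kernel/entry.S received, stating that the add stands in for a compare against -1.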
diff --git a/queue-4.14/m68k-proc-hardware-should-depend-on-proc_fs.patch b/queue-4.14/m68k-proc-hardware-should-depend-on-proc_fs.patch
new file mode 100644 (file)
index 0000000..b99c919
--- /dev/null
@@ -0,0 +1,42 @@
+From b2917788d2f9e617f1b28d0472509142ad7b77a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Feb 2023 17:08:25 -0800
+Subject: m68k: /proc/hardware should depend on PROC_FS
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1e5b5df65af99013b4d31607ddb3ca5731dbe44d ]
+
+When CONFIG_PROC_FS is not set, there is a build error for an unused
+function. Make PROC_HARDWARE depend on PROC_FS to prevent this error.
+
+In file included from ../arch/m68k/kernel/setup.c:3:
+../arch/m68k/kernel/setup_mm.c:477:12: error: 'hardware_proc_show' defined but not used [-Werror=unused-function]
+  477 | static int hardware_proc_show(struct seq_file *m, void *v)
+      |            ^~~~~~~~~~~~~~~~~~
+
+Fixes: 66d857b08b8c ("m68k: merge m68k and m68knommu arch directories") # v3.0
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20230209010825.24136-1-rdunlap@infradead.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.devices | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/m68k/Kconfig.devices b/arch/m68k/Kconfig.devices
+index 3e9b0b826f8a1..6fb693bb0771c 100644
+--- a/arch/m68k/Kconfig.devices
++++ b/arch/m68k/Kconfig.devices
+@@ -19,6 +19,7 @@ config HEARTBEAT
+ # We have a dedicated heartbeat LED. :-)
+ config PROC_HARDWARE
+       bool "/proc/hardware support"
++      depends on PROC_FS
+       help
+         Say Y here to support the /proc/hardware file, which gives you
+         access to information about the machine you're running on,
+-- 
+2.39.2
+
diff --git a/queue-4.14/media-platform-ti-add-missing-check-for-devm_regulat.patch b/queue-4.14/media-platform-ti-add-missing-check-for-devm_regulat.patch
new file mode 100644 (file)
index 0000000..0a6730c
--- /dev/null
@@ -0,0 +1,45 @@
+From 054eef7271fd289a35e615b432a092a9b41437ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 09:55:37 +0100
+Subject: media: platform: ti: Add missing check for devm_regulator_get
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit da8e05f84a11c3cc3b0ba0a3c62d20e358002d99 ]
+
+Add check for the return value of devm_regulator_get since it may return
+error pointer.
+
+Fixes: 448de7e7850b ("[media] omap3isp: OMAP3 ISP core")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/isp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
+index c46402f3e88c1..0df930c80916a 100644
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -2286,7 +2286,16 @@ static int isp_probe(struct platform_device *pdev)
+       /* Regulators */
+       isp->isp_csiphy1.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy1");
++      if (IS_ERR(isp->isp_csiphy1.vdd)) {
++              ret = PTR_ERR(isp->isp_csiphy1.vdd);
++              goto error;
++      }
++
+       isp->isp_csiphy2.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy2");
++      if (IS_ERR(isp->isp_csiphy2.vdd)) {
++              ret = PTR_ERR(isp->isp_csiphy2.vdd);
++              goto error;
++      }
+       /* Clocks
+        *
+-- 
+2.39.2
+
diff --git a/queue-4.14/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch b/queue-4.14/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
new file mode 100644 (file)
index 0000000..7324fa9
--- /dev/null
@@ -0,0 +1,83 @@
+From 6e189a03fb645167aea2ca6e6c9a78908acae1a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jan 2023 08:55:33 +0100
+Subject: media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 29b0589a865b6f66d141d79b2dd1373e4e50fe17 ]
+
+When the ene device is detaching, function ene_remove() will
+be called. But there is no function to cancel tx_sim_timer
+in ene_remove(), the timer handler ene_tx_irqsim() could race
+with ene_remove(). As a result, the UAF bugs could happen,
+the process is shown below.
+
+    (cleanup routine)          |        (timer routine)
+                               | mod_timer(&dev->tx_sim_timer, ..)
+ene_remove()                   | (wait a time)
+                               | ene_tx_irqsim()
+                               |   dev->hw_lock //USE
+                               |   ene_tx_sample(dev) //USE
+
+Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(),
+The tx_sim_timer could stop before ene device is deallocated.
+
+What's more, The rc_unregister_device() and del_timer_sync()
+should be called first in ene_remove() and the deallocated
+functions such as free_irq(), release_region() and so on
+should be called behind them. Because the rc_unregister_device()
+is well synchronized. Otherwise, race conditions may happen. The
+situations that may lead to race conditions are shown below.
+
+Firstly, the rx receiver is disabled with ene_rx_disable()
+before rc_unregister_device() in ene_remove(), which means it
+can be enabled again if a process opens /dev/lirc0 between
+ene_rx_disable() and rc_unregister_device().
+
+Secondly, the irqaction descriptor is freed by free_irq()
+before the rc device is unregistered, which means irqaction
+descriptor may be accessed again after it is deallocated.
+
+Thirdly, the timer can call ene_tx_sample() that can write
+to the io ports, which means the io ports could be accessed
+again after they are deallocated by release_region().
+
+Therefore, the rc_unregister_device() and del_timer_sync()
+should be called first in ene_remove().
+
+Suggested by: Sean Young <sean@mess.org>
+
+Fixes: 9ea53b74df9c ("V4L/DVB: STAGING: remove lirc_ene0100 driver")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ene_ir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c
+index af7ba23e16e12..4761b2a72d8eb 100644
+--- a/drivers/media/rc/ene_ir.c
++++ b/drivers/media/rc/ene_ir.c
+@@ -1117,6 +1117,8 @@ static void ene_remove(struct pnp_dev *pnp_dev)
+       struct ene_device *dev = pnp_get_drvdata(pnp_dev);
+       unsigned long flags;
++      rc_unregister_device(dev->rdev);
++      del_timer_sync(&dev->tx_sim_timer);
+       spin_lock_irqsave(&dev->hw_lock, flags);
+       ene_rx_disable(dev);
+       ene_rx_restore_hw_buffer(dev);
+@@ -1124,7 +1126,6 @@ static void ene_remove(struct pnp_dev *pnp_dev)
+       free_irq(dev->irq, dev);
+       release_region(dev->hw_io, ENE_IO_SIZE);
+-      rc_unregister_device(dev->rdev);
+       kfree(dev);
+ }
+-- 
+2.39.2
+
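Review bot: The reordering in ene_remove() leaves the interrupt requested and the receiver enabled until after `rc_unregister_device(dev->rdev)` has returned, because `ene_rx_disable()` and `free_irq()` still come later. If the interrupt handler (not visible in this hunk) dereferences dev->rdev, an interrupt arriving in that window could touch the rc device after it was released; this is inferred and should be checked against the handler. Independently, the order of the calls is now load-bearing and deserves a comment above the two moved lines, for example `/* unregister first and stop tx_sim_timer: both can still reach dev, the IRQ and the I/O region */`.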
diff --git a/queue-4.14/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch b/queue-4.14/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch
new file mode 100644 (file)
index 0000000..05c460f
--- /dev/null
@@ -0,0 +1,233 @@
+From 341bf58e41ea7081a6aa1eea75d4f68da904e5d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 03:04:38 +0100
+Subject: media: usb: siano: Fix use after free bugs caused by do_submit_urb
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit ebad8e731c1c06adf04621d6fd327b860c0861b5 ]
+
+There are UAF bugs caused by do_submit_urb(). One of the KASan reports
+is shown below:
+
+[   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890
+[   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49
+[   36.408316]
+[   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8
+[   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
+[   36.416157] Workqueue:  0x0 (events)
+[   36.417654] Call Trace:
+[   36.418546]  <TASK>
+[   36.419320]  dump_stack_lvl+0x96/0xd0
+[   36.420522]  print_address_description+0x75/0x350
+[   36.421992]  print_report+0x11b/0x250
+[   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0
+[   36.424806]  ? __virt_addr_valid+0xcf/0x170
+[   36.426069]  ? worker_thread+0x4a2/0x890
+[   36.427355]  kasan_report+0x131/0x160
+[   36.428556]  ? worker_thread+0x4a2/0x890
+[   36.430053]  worker_thread+0x4a2/0x890
+[   36.431297]  ? worker_clr_flags+0x90/0x90
+[   36.432479]  kthread+0x166/0x190
+[   36.433493]  ? kthread_blkcg+0x50/0x50
+[   36.434669]  ret_from_fork+0x22/0x30
+[   36.435923]  </TASK>
+[   36.436684]
+[   36.437215] Allocated by task 24:
+[   36.438289]  kasan_set_track+0x50/0x80
+[   36.439436]  __kasan_kmalloc+0x89/0xa0
+[   36.440566]  smsusb_probe+0x374/0xc90
+[   36.441920]  usb_probe_interface+0x2d1/0x4c0
+[   36.443253]  really_probe+0x1d5/0x580
+[   36.444539]  __driver_probe_device+0xe3/0x130
+[   36.446085]  driver_probe_device+0x49/0x220
+[   36.447423]  __device_attach_driver+0x19e/0x1b0
+[   36.448931]  bus_for_each_drv+0xcb/0x110
+[   36.450217]  __device_attach+0x132/0x1f0
+[   36.451470]  bus_probe_device+0x59/0xf0
+[   36.452563]  device_add+0x4ec/0x7b0
+[   36.453830]  usb_set_configuration+0xc63/0xe10
+[   36.455230]  usb_generic_driver_probe+0x3b/0x80
+[   36.456166] printk: console [ttyGS0] disabled
+[   36.456569]  usb_probe_device+0x90/0x110
+[   36.459523]  really_probe+0x1d5/0x580
+[   36.461027]  __driver_probe_device+0xe3/0x130
+[   36.462465]  driver_probe_device+0x49/0x220
+[   36.463847]  __device_attach_driver+0x19e/0x1b0
+[   36.465229]  bus_for_each_drv+0xcb/0x110
+[   36.466466]  __device_attach+0x132/0x1f0
+[   36.467799]  bus_probe_device+0x59/0xf0
+[   36.469010]  device_add+0x4ec/0x7b0
+[   36.470125]  usb_new_device+0x863/0xa00
+[   36.471374]  hub_event+0x18c7/0x2220
+[   36.472746]  process_one_work+0x34c/0x5b0
+[   36.474041]  worker_thread+0x4b7/0x890
+[   36.475216]  kthread+0x166/0x190
+[   36.476267]  ret_from_fork+0x22/0x30
+[   36.477447]
+[   36.478160] Freed by task 24:
+[   36.479239]  kasan_set_track+0x50/0x80
+[   36.480512]  kasan_save_free_info+0x2b/0x40
+[   36.481808]  ____kasan_slab_free+0x122/0x1a0
+[   36.483173]  __kmem_cache_free+0xc4/0x200
+[   36.484563]  smsusb_term_device+0xcd/0xf0
+[   36.485896]  smsusb_probe+0xc85/0xc90
+[   36.486976]  usb_probe_interface+0x2d1/0x4c0
+[   36.488303]  really_probe+0x1d5/0x580
+[   36.489498]  __driver_probe_device+0xe3/0x130
+[   36.491140]  driver_probe_device+0x49/0x220
+[   36.492475]  __device_attach_driver+0x19e/0x1b0
+[   36.493988]  bus_for_each_drv+0xcb/0x110
+[   36.495171]  __device_attach+0x132/0x1f0
+[   36.496617]  bus_probe_device+0x59/0xf0
+[   36.497875]  device_add+0x4ec/0x7b0
+[   36.498972]  usb_set_configuration+0xc63/0xe10
+[   36.500264]  usb_generic_driver_probe+0x3b/0x80
+[   36.501740]  usb_probe_device+0x90/0x110
+[   36.503084]  really_probe+0x1d5/0x580
+[   36.504241]  __driver_probe_device+0xe3/0x130
+[   36.505548]  driver_probe_device+0x49/0x220
+[   36.506766]  __device_attach_driver+0x19e/0x1b0
+[   36.508368]  bus_for_each_drv+0xcb/0x110
+[   36.509646]  __device_attach+0x132/0x1f0
+[   36.510911]  bus_probe_device+0x59/0xf0
+[   36.512103]  device_add+0x4ec/0x7b0
+[   36.513215]  usb_new_device+0x863/0xa00
+[   36.514736]  hub_event+0x18c7/0x2220
+[   36.516130]  process_one_work+0x34c/0x5b0
+[   36.517396]  worker_thread+0x4b7/0x890
+[   36.518591]  kthread+0x166/0x190
+[   36.519599]  ret_from_fork+0x22/0x30
+[   36.520851]
+[   36.521405] Last potentially related work creation:
+[   36.523143]  kasan_save_stack+0x3f/0x60
+[   36.524275]  kasan_record_aux_stack_noalloc+0x9d/0xb0
+[   36.525831]  insert_work+0x25/0x130
+[   36.527039]  __queue_work+0x4d4/0x620
+[   36.528236]  queue_work_on+0x72/0xb0
+[   36.529344]  __usb_hcd_giveback_urb+0x13f/0x1b0
+[   36.530819]  dummy_timer+0x350/0x1a40
+[   36.532149]  call_timer_fn+0x2c/0x190
+[   36.533567]  expire_timers+0x69/0x1f0
+[   36.534736]  __run_timers+0x289/0x2d0
+[   36.535841]  run_timer_softirq+0x2d/0x60
+[   36.537110]  __do_softirq+0x116/0x380
+[   36.538377]
+[   36.538950] Second to last potentially related work creation:
+[   36.540855]  kasan_save_stack+0x3f/0x60
+[   36.542084]  kasan_record_aux_stack_noalloc+0x9d/0xb0
+[   36.543592]  insert_work+0x25/0x130
+[   36.544891]  __queue_work+0x4d4/0x620
+[   36.546168]  queue_work_on+0x72/0xb0
+[   36.547328]  __usb_hcd_giveback_urb+0x13f/0x1b0
+[   36.548805]  dummy_timer+0x350/0x1a40
+[   36.550116]  call_timer_fn+0x2c/0x190
+[   36.551570]  expire_timers+0x69/0x1f0
+[   36.552762]  __run_timers+0x289/0x2d0
+[   36.553916]  run_timer_softirq+0x2d/0x60
+[   36.555118]  __do_softirq+0x116/0x380
+[   36.556239]
+[   36.556807] The buggy address belongs to the object at ffff888005960000
+[   36.556807]  which belongs to the cache kmalloc-4k of size 4096
+[   36.560652] The buggy address is located 232 bytes inside of
+[   36.560652]  4096-byte region [ffff888005960000, ffff888005961000)
+[   36.564791]
+[   36.565355] The buggy address belongs to the physical page:
+[   36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00
+[   36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0
+[   36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1)
+[   36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000
+[   36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
+[   36.580175] page dumped because: kasan: bad access detected
+[   36.581994]
+[   36.582548] Memory state around the buggy address:
+[   36.583983]  ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   36.586240]  ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   36.591071]                                                           ^
+[   36.593295]  ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   36.595705]  ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   36.598026] ==================================================================
+[   36.600224] Disabling lock debugging due to kernel taint
+[   36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I
+[   36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G    B              6.2.0-rc3-15798-8
+[   36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
+[   36.615026] Workqueue: events do_submit_urb
+[   36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
+[   36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
+[   36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
+[   36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
+[   36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
+[   36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
+[   36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
+[   36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
+[   36.636438] FS:  0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
+[   36.639092] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
+[   36.643411] Call Trace:
+[   36.644215]  <TASK>
+[   36.644902]  smscore_getbuffer+0x3e/0x1e0
+[   36.646147]  do_submit_urb+0x4f/0x190
+[   36.647449]  process_one_work+0x34c/0x5b0
+[   36.648777]  worker_thread+0x4b7/0x890
+[   36.649984]  ? worker_clr_flags+0x90/0x90
+[   36.651166]  kthread+0x166/0x190
+[   36.652151]  ? kthread_blkcg+0x50/0x50
+[   36.653547]  ret_from_fork+0x22/0x30
+[   36.655051]  </TASK>
+[   36.655733] Modules linked in:
+[   36.656787] ---[ end trace 0000000000000000 ]---
+[   36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
+[   36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
+[   36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
+[   36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
+[   36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
+[   36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
+[   36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
+[   36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
+[   36.679184] FS:  0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
+[   36.681655] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
+[   36.685733] Kernel panic - not syncing: Fatal exception
+[   36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff)
+[   36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+When the siano device is plugged in, it may call the following functions
+to initialize the device.
+
+smsusb_probe()-->smsusb_init_device()-->smscore_start_device().
+
+When smscore_start_device() gets failed, the function smsusb_term_device()
+will be called and smsusb_device_t will be deallocated. Although we use
+usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests
+and wait for them to finish, the worker threads that are scheduled by
+smsusb_onresponse() may be still running. As a result, the UAF bugs
+could happen.
+
+We add cancel_work_sync() in smsusb_stop_streaming() in order that the
+worker threads could finish before the smsusb_device_t is deallocated.
+
+Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/siano/smsusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
+index ec759f43c634d..cdbc636e8ff88 100644
+--- a/drivers/media/usb/siano/smsusb.c
++++ b/drivers/media/usb/siano/smsusb.c
+@@ -191,6 +191,7 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
+       for (i = 0; i < MAX_URBS; i++) {
+               usb_kill_urb(&dev->surbs[i].urb);
++              cancel_work_sync(&dev->surbs[i].wq);
+               if (dev->surbs[i].cb) {
+                       smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
+-- 
+2.39.2
+
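Review bot: `cancel_work_sync(&dev->surbs[i].wq)` runs after `usb_kill_urb()` in smsusb_stop_streaming(), so a work item that is already executing is waited for rather than prevented. The KASAN trace in the description shows that work item is do_submit_urb; if it resubmits the URB (its body is not in the hunk), the URB can be in flight again when cancel_work_sync() returns, and its completion could queue the work once more. A second `usb_kill_urb(&dev->surbs[i].urb);` after the cancel, or poisoning the URB with `usb_poison_urb()` before cancelling, would close that window. The loop body continues outside the hunk.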
diff --git a/queue-4.14/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch b/queue-4.14/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch
new file mode 100644 (file)
index 0000000..f4113c1
--- /dev/null
@@ -0,0 +1,50 @@
+From f4cebc70fc9e3ee19d4ed39a9cdf1ba5d27f878b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 14:15:55 +0800
+Subject: mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
+
+From: Qiheng Lin <linqiheng@huawei.com>
+
+[ Upstream commit 8b450dcff23aa254844492831a8e2b508a9d522d ]
+
+`req` is allocated in pcf50633_adc_async_read(), but
+adc_enqueue_request() could fail to insert the `req` into queue.
+We need to check the return value and free it in the case of failure.
+
+Fixes: 08c3e06a5eb2 ("mfd: PCF50633 adc driver")
+Signed-off-by: Qiheng Lin <linqiheng@huawei.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20221208061555.8776-1-linqiheng@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/pcf50633-adc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/pcf50633-adc.c b/drivers/mfd/pcf50633-adc.c
+index c1984b0d1b652..a4a765055ee6b 100644
+--- a/drivers/mfd/pcf50633-adc.c
++++ b/drivers/mfd/pcf50633-adc.c
+@@ -140,6 +140,7 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg,
+                            void *callback_param)
+ {
+       struct pcf50633_adc_request *req;
++      int ret;
+       /* req is freed when the result is ready, in interrupt handler */
+       req = kmalloc(sizeof(*req), GFP_KERNEL);
+@@ -151,7 +152,11 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg,
+       req->callback = callback;
+       req->callback_param = callback_param;
+-      return adc_enqueue_request(pcf, req);
++      ret = adc_enqueue_request(pcf, req);
++      if (ret)
++              kfree(req);
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(pcf50633_adc_async_read);
+-- 
+2.39.2
+
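Review bot: The comment kept above the kmalloc() in pcf50633_adc_async_read(), `/* req is freed when the result is ready, in interrupt handler */`, no longer tells the whole story now that the failure path frees req itself. I would reword it to `/* req is freed by the interrupt handler once the result is ready, or below if it cannot be queued */`. The new kfree() is only safe as long as adc_enqueue_request() never publishes req before returning an error; that function is outside the hunk, so this is worth confirming and stating in the comment.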
diff --git a/queue-4.14/mips-vpe-mt-drop-physical_memsize.patch b/queue-4.14/mips-vpe-mt-drop-physical_memsize.patch
new file mode 100644 (file)
index 0000000..4116e41
--- /dev/null
@@ -0,0 +1,99 @@
+From 85cb0e7be9a2118139f351478f51d90df3d22d27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Feb 2023 15:15:25 -0800
+Subject: MIPS: vpe-mt: drop physical_memsize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 91dc288f4edf0d768e46c2c6d33e0ab703403459 ]
+
+When neither LANTIQ nor MIPS_MALTA is set, 'physical_memsize' is not
+declared. This causes the build to fail with:
+
+mips-linux-ld: arch/mips/kernel/vpe-mt.o: in function `vpe_run':
+arch/mips/kernel/vpe-mt.c:(.text.vpe_run+0x280): undefined reference to `physical_memsize'
+
+LANTIQ is not using 'physical_memsize' and MIPS_MALTA's use of it is
+self-contained in mti-malta/malta-dtshim.c.
+Use of physical_memsize in vpe-mt.c appears to be unused, so eliminate
+this loader mode completely and require VPE programs to be compiled with
+DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined.
+
+Fixes: 9050d50e2244 ("MIPS: lantiq: Set physical_memsize")
+Fixes: 1a2a6d7e8816 ("MIPS: APRP: Split VPE loader into separate files.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/all/202302030625.2g3E98sY-lkp@intel.com/
+Cc: Dengcheng Zhu <dzhu@wavecomp.com>
+Cc: John Crispin <john@phrozen.org>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
+Cc: "Steven J. Hill" <Steven.Hill@imgtec.com>
+Cc: Qais Yousef <Qais.Yousef@imgtec.com>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/vpe.h | 1 -
+ arch/mips/kernel/vpe-mt.c   | 7 +++----
+ arch/mips/lantiq/prom.c     | 6 ------
+ 3 files changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h
+index 80e70dbd1f641..012731546cf60 100644
+--- a/arch/mips/include/asm/vpe.h
++++ b/arch/mips/include/asm/vpe.h
+@@ -104,7 +104,6 @@ struct vpe_control {
+       struct list_head tc_list;       /* Thread contexts */
+ };
+-extern unsigned long physical_memsize;
+ extern struct vpe_control vpecontrol;
+ extern const struct file_operations vpe_fops;
+diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c
+index 9fd7cd48ea1d2..496ed8f362f62 100644
+--- a/arch/mips/kernel/vpe-mt.c
++++ b/arch/mips/kernel/vpe-mt.c
+@@ -92,12 +92,11 @@ int vpe_run(struct vpe *v)
+       write_tc_c0_tchalt(read_tc_c0_tchalt() & ~TCHALT_H);
+       /*
+-       * The sde-kit passes 'memsize' to __start in $a3, so set something
+-       * here...  Or set $a3 to zero and define DFLT_STACK_SIZE and
+-       * DFLT_HEAP_SIZE when you compile your program
++       * We don't pass the memsize here, so VPE programs need to be
++       * compiled with DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined.
+        */
++      mttgpr(7, 0);
+       mttgpr(6, v->ntcs);
+-      mttgpr(7, physical_memsize);
+       /* set up VPE1 */
+       /*
+diff --git a/arch/mips/lantiq/prom.c b/arch/mips/lantiq/prom.c
+index a26322ff57e01..8cf1868540312 100644
+--- a/arch/mips/lantiq/prom.c
++++ b/arch/mips/lantiq/prom.c
+@@ -25,12 +25,6 @@
+ DEFINE_SPINLOCK(ebu_lock);
+ EXPORT_SYMBOL_GPL(ebu_lock);
+-/*
+- * This is needed by the VPE loader code, just set it to 0 and assume
+- * that the firmware hardcodes this value to something useful.
+- */
+-unsigned long physical_memsize = 0L;
+-
+ /*
+  * this struct is filled by the soc specific detection code and holds
+  * information about the specific soc type, revision and name
+-- 
+2.39.2
+
diff --git a/queue-4.14/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch b/queue-4.14/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch
new file mode 100644 (file)
index 0000000..610c139
--- /dev/null
@@ -0,0 +1,37 @@
+From 3eb451f9b7fc93670b4f68af686a598644bb21b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Dec 2022 12:15:24 -0600
+Subject: mtd: rawnand: sunxi: Fix the size of the last OOB region
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 34569d869532b54d6e360d224a0254dcdd6a1785 ]
+
+The previous code assigned to the wrong structure member.
+
+Fixes: c66811e6d350 ("mtd: nand: sunxi: switch to mtd_ooblayout_ops")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Acked-By: Dhruva Gole <d-gole@ti.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20221229181526.53766-6-samuel@sholland.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/sunxi_nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/sunxi_nand.c b/drivers/mtd/nand/sunxi_nand.c
+index 916e0ccd1e27e..f8e98b1eaede7 100644
+--- a/drivers/mtd/nand/sunxi_nand.c
++++ b/drivers/mtd/nand/sunxi_nand.c
+@@ -1786,7 +1786,7 @@ static int sunxi_nand_ooblayout_free(struct mtd_info *mtd, int section,
+       if (section < ecc->steps)
+               oobregion->length = 4;
+       else
+-              oobregion->offset = mtd->oobsize - oobregion->offset;
++              oobregion->length = mtd->oobsize - oobregion->offset;
+       return 0;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.14/net-bcmgenet-add-a-check-for-oversized-packets.patch b/queue-4.14/net-bcmgenet-add-a-check-for-oversized-packets.patch
new file mode 100644 (file)
index 0000000..97fc53a
--- /dev/null
@@ -0,0 +1,43 @@
+From ea5bdae1295454b7095e803c18eff65406daf06c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 16:08:19 -0800
+Subject: net: bcmgenet: Add a check for oversized packets
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 5c0862c2c962052ed5055220a00ac1cefb92fbcd ]
+
+Occasionnaly we may get oversized packets from the hardware which
+exceed the nomimal 2KiB buffer size we allocate SKBs with. Add an early
+check which drops the packet to avoid invoking skb_over_panic() and move
+on to processing the next packet.
+
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 9bb398d058379..e5e52c0c39a55 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1799,6 +1799,14 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
+                         __func__, p_index, ring->c_index,
+                         ring->read_ptr, dma_length_status);
++              if (unlikely(len > RX_BUF_LENGTH)) {
++                      netif_err(priv, rx_status, dev, "oversized packet\n");
++                      dev->stats.rx_length_errors++;
++                      dev->stats.rx_errors++;
++                      dev_kfree_skb_any(skb);
++                      goto next;
++              }
++
+               if (unlikely(!(dma_flag & DMA_EOP) || !(dma_flag & DMA_SOP))) {
+                       netif_err(priv, rx_status, dev,
+                                 "dropping fragmented packet!\n");
+-- 
+2.39.2
+
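Review bot: The added `netif_err(priv, rx_status, dev, "oversized packet\n")` runs once per oversized frame with no rate limit, so a link that keeps delivering such frames can fill the kernel log whenever the rx_status message class is enabled. Wrapping the message in `if (net_ratelimit())` leaves the `rx_length_errors` and `rx_errors` counters as the primary signal. The guard compares `len` with the constant `RX_BUF_LENGTH`; whether that always equals the size the skb was allocated with is decided outside this hunk, so a short comment stating that assumption would help. `bcmgenet_desc_rx` starts before and continues after the hunk.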
diff --git a/queue-4.14/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch b/queue-4.14/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch
new file mode 100644 (file)
index 0000000..873f636
--- /dev/null
@@ -0,0 +1,38 @@
+From 6437023aa5f74ae017e600b43f7edbf083923caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 19:57:04 +0200
+Subject: net/mlx5: Enhance debug print in page allocation failure
+
+From: Jack Morgenstein <jackm@nvidia.com>
+
+[ Upstream commit 7eef93003e5d20e1a6a6e59e12d914b5431cbda2 ]
+
+Provide more details to aid debugging.
+
+Fixes: bf0bf77f6519 ("mlx5: Support communicating arbitrary host page size to firmware")
+Signed-off-by: Eran Ben Elisha <eranbe@nvidia.com>
+Signed-off-by: Majd Dibbiny <majd@nvidia.com>
+Signed-off-by: Jack Morgenstein <jackm@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
+index 9c3653e06886a..fc880c02459db 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
+@@ -164,7 +164,8 @@ static int alloc_4k(struct mlx5_core_dev *dev, u64 *addr)
+       fp = list_entry(dev->priv.free_list.next, struct fw_page, list);
+       n = find_first_bit(&fp->bitmask, 8 * sizeof(fp->bitmask));
+       if (n >= MLX5_NUM_4K_IN_PAGE) {
+-              mlx5_core_warn(dev, "alloc 4k bug\n");
++              mlx5_core_warn(dev, "alloc 4k bug: fw page = 0x%llx, n = %u, bitmask: %lu, max num of 4K pages: %d\n",
++                             fp->addr, n, fp->bitmask,  MLX5_NUM_4K_IN_PAGE);
+               return -ENOENT;
+       }
+       clear_bit(n, &fp->bitmask);
+-- 
+2.39.2
+
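Review bot: `fp->bitmask` is printed with `%lu` in the new `mlx5_core_warn()` call, so the free-slot bitmap appears as a decimal number that has to be converted by hand; `bitmask: 0x%lx` reads directly. The double space before `MLX5_NUM_4K_IN_PAGE` can be dropped at the same time. The `%u` for `n` and `%d` for `MLX5_NUM_4K_IN_PAGE` should be checked against their declarations, which are outside the hunk.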
diff --git a/queue-4.14/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch b/queue-4.14/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch
new file mode 100644 (file)
index 0000000..27869c7
--- /dev/null
@@ -0,0 +1,53 @@
+From 3003ab2b38a5ab618b5cc5e559da0c4fd93687e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Feb 2023 15:27:14 +0200
+Subject: pinctrl: at91: use devm_kasprintf() to avoid potential leaks
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 1c4e5c470a56f7f7c649c0c70e603abc1eab15c4 ]
+
+Use devm_kasprintf() instead of kasprintf() to avoid any potential
+leaks. At the moment drivers have no remove functionality thus
+there is no need for fixes tag.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20230203132714.1931596-1-claudiu.beznea@microchip.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-at91-pio4.c | 4 ++--
+ drivers/pinctrl/pinctrl-at91.c      | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
+index e9d7977072553..78aeb882f1cad 100644
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -981,8 +981,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev)
+               pin_desc[i].number = i;
+               /* Pin naming convention: P(bank_name)(bank_pin_number). */
+-              pin_desc[i].name = kasprintf(GFP_KERNEL, "P%c%d",
+-                                           bank + 'A', line);
++              pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d",
++                                                bank + 'A', line);
+               group->name = group_names[i] = pin_desc[i].name;
+               group->pin = pin_desc[i].number;
+diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
+index 404711f0985aa..3173e1f5bcb69 100644
+--- a/drivers/pinctrl/pinctrl-at91.c
++++ b/drivers/pinctrl/pinctrl-at91.c
+@@ -1774,7 +1774,7 @@ static int at91_gpio_probe(struct platform_device *pdev)
+       }
+       for (i = 0; i < chip->ngpio; i++)
+-              names[i] = kasprintf(GFP_KERNEL, "pio%c%d", alias_idx + 'A', i);
++              names[i] = devm_kasprintf(&pdev->dev, GFP_KERNEL, "pio%c%d", alias_idx + 'A', i);
+       chip->names = (const char *const *)names;
+-- 
+2.39.2
+
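Review bot: The result of `devm_kasprintf()` is stored without a NULL check in both hunks, so an allocation failure leaves `pin_desc[i].name` (and with it `group->name` and `group_names[i]`) or `names[i]` as NULL for later users of those tables. In `atmel_pinctrl_probe` add `if (!pin_desc[i].name) return -ENOMEM;` right after the assignment. In `at91_gpio_probe` the unbraced `for` body needs braces so that `if (!names[i]) return -ENOMEM;` can follow the assignment. The devm allocation makes the early return safe with respect to names already created. Both probe functions continue outside the hunks, so any other cleanup they need on that path cannot be judged from here.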
diff --git a/queue-4.14/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch b/queue-4.14/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch
new file mode 100644 (file)
index 0000000..f3dc47f
--- /dev/null
@@ -0,0 +1,37 @@
+From 7cb75889a790ca8faa315ce408f6442c677353f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jan 2023 15:28:45 +0400
+Subject: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit c818ae563bf99457f02e8170aabd6b174f629f65 ]
+
+of_find_node_by_phandle() returns a node pointer with refcount incremented,
+We should use of_node_put() on it when not needed anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: d3e5116119bd ("pinctrl: add pinctrl driver for Rockchip SoCs")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20230102112845.3982407-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-rockchip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
+index 0c237dd13f2ff..1f4b9fc9e2781 100644
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -2320,6 +2320,7 @@ static int rockchip_pinctrl_parse_groups(struct device_node *np,
+               np_config = of_find_node_by_phandle(be32_to_cpup(phandle));
+               ret = pinconf_generic_parse_dt_config(np_config, NULL,
+                               &grp->data[j].configs, &grp->data[j].nconfigs);
++              of_node_put(np_config);
+               if (ret)
+                       return ret;
+       }
+-- 
+2.39.2
+
diff --git a/queue-4.14/powerpc-powernv-ioda-skip-unallocated-resources-when.patch b/queue-4.14/powerpc-powernv-ioda-skip-unallocated-resources-when.patch
new file mode 100644 (file)
index 0000000..f4d149f
--- /dev/null
@@ -0,0 +1,93 @@
+From 6745c43938be4c090cb6e3ddf3807adc9f6a5c2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 10:32:15 +0100
+Subject: powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
+
+From: Frederic Barrat <fbarrat@linux.ibm.com>
+
+[ Upstream commit e64e71056f323a1e178dccf04d4c0f032d84436c ]
+
+pnv_ioda_setup_pe_res() calls opal to map a resource with a PE. However,
+the code assumes the resource is allocated and it uses the resource
+address to find out the segment(s) which need to be mapped to the
+PE. In the unlikely case where the resource hasn't been allocated, the
+computation for the segment number is garbage, which can lead to
+invalid memory access and potentially a kernel crash, such as:
+
+[ ] pci_bus 0002:02: Configuring PE for bus
+[ ] pci 0002:02     : [PE# fc] Secondary bus 0x0000000000000002..0x0000000000000002 associated with PE#fc
+[ ] BUG: Kernel NULL pointer dereference on write at 0x00000000
+[ ] Faulting instruction address: 0xc00000000005eac4
+[ ] Oops: Kernel access of bad area, sig: 7 [#1]
+[ ] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
+[ ] Modules linked in:
+[ ] CPU: 12 PID: 1 Comm: swapper/20 Not tainted 5.10.50-openpower1 #2
+[ ] NIP:  c00000000005eac4 LR: c00000000005ea44 CTR: 0000000030061b9c
+[ ] REGS: c000200007383650 TRAP: 0300   Not tainted  (5.10.50-openpower1)
+[ ] MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44000224  XER: 20040000
+[ ] CFAR: c00000000005eaa0 DAR: 0000000000000000 DSISR: 02080000 IRQMASK: 0
+[ ] GPR00: c00000000005dd98 c0002000073838e0 c00000000185de00 c000200fff018960
+[ ] GPR04: 00000000000000fc 0000000000000003 0000000000000000 0000000000000000
+[ ] GPR08: 0000000000000000 0000000000000000 0000000000000000 9000000000001033
+[ ] GPR12: 0000000031cb0000 c000000ffffe6a80 c000000000010a58 0000000000000000
+[ ] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[ ] GPR20: 0000000000000000 0000000000000000 0000000000000000 c00000000711e200
+[ ] GPR24: 0000000000000100 c000200009501120 c00020000cee2800 00000000000003ff
+[ ] GPR28: c000200fff018960 0000000000000000 c000200ffcb7fd00 0000000000000000
+[ ] NIP [c00000000005eac4] pnv_ioda_setup_pe_res+0x94/0x1a0
+[ ] LR [c00000000005ea44] pnv_ioda_setup_pe_res+0x14/0x1a0
+[ ] Call Trace:
+[ ] [c0002000073838e0] [c00000000005eb98] pnv_ioda_setup_pe_res+0x168/0x1a0 (unreliable)
+[ ] [c000200007383970] [c00000000005dd98] pnv_pci_ioda_dma_dev_setup+0x43c/0x970
+[ ] [c000200007383a60] [c000000000032cdc] pcibios_bus_add_device+0x78/0x18c
+[ ] [c000200007383aa0] [c00000000028f2bc] pci_bus_add_device+0x28/0xbc
+[ ] [c000200007383b10] [c00000000028f3a0] pci_bus_add_devices+0x50/0x7c
+[ ] [c000200007383b50] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c
+[ ] [c000200007383b90] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c
+[ ] [c000200007383bd0] [c00000000069ad0c] pcibios_init+0xf0/0x104
+[ ] [c000200007383c50] [c0000000000106d8] do_one_initcall+0x84/0x1c4
+[ ] [c000200007383d20] [c0000000006910b8] kernel_init_freeable+0x264/0x268
+[ ] [c000200007383dc0] [c000000000010a68] kernel_init+0x18/0x138
+[ ] [c000200007383e20] [c00000000000cbfc] ret_from_kernel_thread+0x5c/0x80
+[ ] Instruction dump:
+[ ] 7f89e840 409d000c 7fbbf840 409c000c 38210090 4848f448 809c002c e95e0120
+[ ] 7ba91764 38a00003 57a7043e 38c00000 <7c8a492e> 5484043e e87e0018 4bff23bd
+
+Hitting the problem is not that easy. It was seen with a (semi-bogus)
+PCI device with a class code of 0. The generic PCI framework doesn't
+allocate resources in such a case.
+
+The patch is simply skipping resources which are still flagged with
+IORESOURCE_UNSET.
+
+We don't have the problem with 64-bit mem resources, as the address of
+the resource is checked to be within the range of the 64-bit mmio
+window. See pnv_ioda_reserve_dev_m64_pe() and pnv_pci_is_m64().
+
+Reported-by: Andrew Jeffery <andrew@aj.id.au>
+Fixes: 23e79425fe7c ("powerpc/powernv: Simplify pnv_ioda_setup_pe_seg()")
+Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20230120093215.19496-1-fbarrat@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c
+index 36ef504eeab32..58798ced4dbbf 100644
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -3155,7 +3155,8 @@ static void pnv_ioda_setup_pe_res(struct pnv_ioda_pe *pe,
+       int index;
+       int64_t rc;
+-      if (!res || !res->flags || res->start > res->end)
++      if (!res || !res->flags || res->start > res->end ||
++          res->flags & IORESOURCE_UNSET)
+               return;
+       if (res->flags & IORESOURCE_IO) {
+-- 
+2.39.2
+
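Review bot: The new condition mixes `||` with an unparenthesised `&` (`res->start > res->end || res->flags & IORESOURCE_UNSET`). Precedence makes it correct, but writing `(res->flags & IORESOURCE_UNSET)` matches the `if (res->flags & IORESOURCE_IO)` test just below and spares the reader the check. A one-line comment such as `/* resource was never assigned an address; nothing to map */` would record why these resources are skipped. The body of `pnv_ioda_setup_pe_res` continues outside the hunk.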
diff --git a/queue-4.14/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch b/queue-4.14/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch
new file mode 100644 (file)
index 0000000..94a27eb
--- /dev/null
@@ -0,0 +1,67 @@
+From dae00a25ca6e7a1e85ce028579cd39fcaeeace7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Feb 2023 12:41:52 -0600
+Subject: powerpc/pseries/lparcfg: add missing RTAS retry status handling
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 5d08633e5f6564b60f1cbe09af3af40a74d66431 ]
+
+The ibm,get-system-parameter RTAS function may return -2 or 990x,
+which indicate that the caller should try again.
+
+lparcfg's parse_system_parameter_string() ignores this, making it
+possible to intermittently report incorrect SPLPAR characteristics.
+
+Move the RTAS call into a coventional rtas_busy_delay()-based loop.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20230125-b4-powerpc-rtas-queue-v3-4-26929c8cce78@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/lparcfg.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c
+index 779fc2a1c8f77..f40dabf7d163f 100644
+--- a/arch/powerpc/platforms/pseries/lparcfg.c
++++ b/arch/powerpc/platforms/pseries/lparcfg.c
+@@ -289,6 +289,7 @@ static void parse_mpp_x_data(struct seq_file *m)
+  */
+ static void parse_system_parameter_string(struct seq_file *m)
+ {
++      const s32 token = rtas_token("ibm,get-system-parameter");
+       int call_status;
+       unsigned char *local_buffer = kmalloc(SPLPAR_MAXLENGTH, GFP_KERNEL);
+@@ -298,16 +299,15 @@ static void parse_system_parameter_string(struct seq_file *m)
+               return;
+       }
+-      spin_lock(&rtas_data_buf_lock);
+-      memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH);
+-      call_status = rtas_call(rtas_token("ibm,get-system-parameter"), 3, 1,
+-                              NULL,
+-                              SPLPAR_CHARACTERISTICS_TOKEN,
+-                              __pa(rtas_data_buf),
+-                              RTAS_DATA_BUF_SIZE);
+-      memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+-      local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
+-      spin_unlock(&rtas_data_buf_lock);
++      do {
++              spin_lock(&rtas_data_buf_lock);
++              memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH);
++              call_status = rtas_call(token, 3, 1, NULL, SPLPAR_CHARACTERISTICS_TOKEN,
++                                      __pa(rtas_data_buf), RTAS_DATA_BUF_SIZE);
++              memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
++              local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
++              spin_unlock(&rtas_data_buf_lock);
++      } while (rtas_busy_delay(call_status));
+       if (call_status != 0) {
+               printk(KERN_INFO
+-- 
+2.39.2
+
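Review bot: Inside the new `do { … } while (rtas_busy_delay(call_status));` loop the `memcpy()` into `local_buffer` and the NUL termination run on every attempt, including those that return a busy status and are about to be retried. Copying only on success, `if (call_status == 0) { memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; }`, still happens under `rtas_data_buf_lock`. It also makes it clear that `local_buffer` only ever holds a completed reply. The code that consumes `local_buffer` is outside the hunk; from the visible `if (call_status != 0)` it appears to be used only on success.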
diff --git a/queue-4.14/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch b/queue-4.14/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch
new file mode 100644 (file)
index 0000000..eca201f
--- /dev/null
@@ -0,0 +1,43 @@
+From e4d10627a8f674cab4e8084937374e5d41574464 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Dec 2022 15:55:48 -0800
+Subject: rcu: Suppress smp_processor_id() complaint in
+ synchronize_rcu_expedited_wait()
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 2d7f00b2f01301d6e41fd4a28030dab0442265be ]
+
+The normal grace period's RCU CPU stall warnings are invoked from the
+scheduling-clock interrupt handler, and can thus invoke smp_processor_id()
+with impunity, which allows them to directly invoke dump_cpu_task().
+In contrast, the expedited grace period's RCU CPU stall warnings are
+invoked from process context, which causes the dump_cpu_task() function's
+calls to smp_processor_id() to complain bitterly in debug kernels.
+
+This commit therefore causes synchronize_rcu_expedited_wait() to disable
+preemption around its call to dump_cpu_task().
+
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_exp.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h
+index f90d10c1c3c8d..843399e98bb37 100644
+--- a/kernel/rcu/tree_exp.h
++++ b/kernel/rcu/tree_exp.h
+@@ -498,7 +498,9 @@ static void synchronize_sched_expedited_wait(struct rcu_state *rsp)
+                               mask = leaf_node_cpu_bit(rnp, cpu);
+                               if (!(rnp->expmask & mask))
+                                       continue;
++                              preempt_disable(); // For smp_processor_id() in dump_cpu_task().
+                               dump_cpu_task(cpu);
++                              preempt_enable();
+                       }
+               }
+               jiffies_stall = 3 * rcu_jiffies_till_stall_check() + 3;
+-- 
+2.39.2
+
diff --git a/queue-4.14/regulator-max77802-bounds-check-regulator-id-against.patch b/queue-4.14/regulator-max77802-bounds-check-regulator-id-against.patch
new file mode 100644 (file)
index 0000000..02fa43d
--- /dev/null
@@ -0,0 +1,137 @@
+From 12eec43ad3fa7a603084143348058086b608662e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jan 2023 14:52:07 -0800
+Subject: regulator: max77802: Bounds check regulator id against opmode
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 4fd8bcec5fd7c0d586206fa2f42bd67b06cdaa7e ]
+
+Explicitly bounds-check the id before accessing the opmode array. Seen
+with GCC 13:
+
+../drivers/regulator/max77802-regulator.c: In function 'max77802_enable':
+../drivers/regulator/max77802-regulator.c:217:29: warning: array subscript [0, 41] is outside array bounds of 'unsigned int[42]' [-Warray-bounds=]
+  217 |         if (max77802->opmode[id] == MAX77802_OFF_PWRREQ)
+      |             ~~~~~~~~~~~~~~~~^~~~
+../drivers/regulator/max77802-regulator.c:62:22: note: while referencing 'opmode'
+   62 |         unsigned int opmode[MAX77802_REG_MAX];
+      |                      ^~~~~~
+
+Cc: Javier Martinez Canillas <javier@dowhile0.org>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://lore.kernel.org/r/20230127225203.never.864-kees@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/max77802-regulator.c | 34 ++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/regulator/max77802-regulator.c b/drivers/regulator/max77802-regulator.c
+index b6261903818c6..e12bab733e186 100644
+--- a/drivers/regulator/max77802-regulator.c
++++ b/drivers/regulator/max77802-regulator.c
+@@ -107,9 +107,11 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev)
+ {
+       unsigned int val = MAX77802_OFF_PWRREQ;
+       struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev);
+-      int id = rdev_get_id(rdev);
++      unsigned int id = rdev_get_id(rdev);
+       int shift = max77802_get_opmode_shift(id);
++      if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode)))
++              return -EINVAL;
+       max77802->opmode[id] = val;
+       return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg,
+                                 rdev->desc->enable_mask, val << shift);
+@@ -123,7 +125,7 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev)
+ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode)
+ {
+       struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev);
+-      int id = rdev_get_id(rdev);
++      unsigned int id = rdev_get_id(rdev);
+       unsigned int val;
+       int shift = max77802_get_opmode_shift(id);
+@@ -140,6 +142,9 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode)
+               return -EINVAL;
+       }
++      if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode)))
++              return -EINVAL;
++
+       max77802->opmode[id] = val;
+       return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg,
+                                 rdev->desc->enable_mask, val << shift);
+@@ -148,8 +153,10 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode)
+ static unsigned max77802_get_mode(struct regulator_dev *rdev)
+ {
+       struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev);
+-      int id = rdev_get_id(rdev);
++      unsigned int id = rdev_get_id(rdev);
++      if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode)))
++              return -EINVAL;
+       return max77802_map_mode(max77802->opmode[id]);
+ }
+@@ -173,10 +180,13 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev,
+                                    unsigned int mode)
+ {
+       struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev);
+-      int id = rdev_get_id(rdev);
++      unsigned int id = rdev_get_id(rdev);
+       unsigned int val;
+       int shift = max77802_get_opmode_shift(id);
++      if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode)))
++              return -EINVAL;
++
+       /*
+        * If the regulator has been disabled for suspend
+        * then is invalid to try setting a suspend mode.
+@@ -222,9 +232,11 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev,
+ static int max77802_enable(struct regulator_dev *rdev)
+ {
+       struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev);
+-      int id = rdev_get_id(rdev);
++      unsigned int id = rdev_get_id(rdev);
+       int shift = max77802_get_opmode_shift(id);
++      if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode)))
++              return -EINVAL;
+       if (max77802->opmode[id] == MAX77802_OFF_PWRREQ)
+               max77802->opmode[id] = MAX77802_OPMODE_NORMAL;
+@@ -553,7 +565,7 @@ static int max77802_pmic_probe(struct platform_device *pdev)
+       for (i = 0; i < MAX77802_REG_MAX; i++) {
+               struct regulator_dev *rdev;
+-              int id = regulators[i].id;
++              unsigned int id = regulators[i].id;
+               int shift = max77802_get_opmode_shift(id);
+               int ret;
+@@ -571,10 +583,12 @@ static int max77802_pmic_probe(struct platform_device *pdev)
+                * the hardware reports OFF as the regulator operating mode.
+                * Default to operating mode NORMAL in that case.
+                */
+-              if (val == MAX77802_STATUS_OFF)
+-                      max77802->opmode[id] = MAX77802_OPMODE_NORMAL;
+-              else
+-                      max77802->opmode[id] = val;
++              if (id < ARRAY_SIZE(max77802->opmode)) {
++                      if (val == MAX77802_STATUS_OFF)
++                              max77802->opmode[id] = MAX77802_OPMODE_NORMAL;
++                      else
++                              max77802->opmode[id] = val;
++              }
+               rdev = devm_regulator_register(&pdev->dev,
+                                              &regulators[i], &config);
+-- 
+2.39.2
+
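Review bot: `max77802_get_mode` is declared `static unsigned`, yet its new guard returns `-EINVAL`, which is converted to a large unsigned value rather than an error a caller can tell apart from a mode. Either return a value from the mode namespace that this tree treats as invalid, or add a comment such as `/* negative errno returned through an unsigned type; callers must compare as int */` so the conversion is not overlooked. Separately, in `max77802_set_suspend_disable`, `max77802_set_mode`, `max77802_set_suspend_mode` and `max77802_enable` the line `int shift = max77802_get_opmode_shift(id);` still runs before the bounds check. That is harmless only if the helper tolerates any id, which is not visible here; moving the call below the guard removes the question. In `max77802_pmic_probe` an out-of-range id now skips the `opmode` initialisation silently while registration proceeds, so a `dev_warn()` there would make the condition observable.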
diff --git a/queue-4.14/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch b/queue-4.14/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch
new file mode 100644 (file)
index 0000000..cef373f
--- /dev/null
@@ -0,0 +1,55 @@
+From cb160e72cd69b99b034378ac92249d7cd3035019 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jan 2023 16:53:58 -0800
+Subject: regulator: s5m8767: Bounds check id indexing into arrays
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit e314e15a0b58f9d051c00b25951073bcdae61953 ]
+
+The compiler has no way to know if "id" is within the array bounds of
+the regulators array. Add a check for this and a build-time check that
+the regulators and reg_voltage_map arrays are sized the same. Seen with
+GCC 13:
+
+../drivers/regulator/s5m8767.c: In function 's5m8767_pmic_probe':
+../drivers/regulator/s5m8767.c:936:35: warning: array subscript [0, 36] is outside array bounds of 'struct regulator_desc[37]' [-Warray-bounds=]
+  936 |                         regulators[id].vsel_reg =
+      |                         ~~~~~~~~~~^~~~
+
+Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: linux-samsung-soc@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20230128005358.never.313-kees@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/s5m8767.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/s5m8767.c b/drivers/regulator/s5m8767.c
+index d558f806a4705..80e751759b706 100644
+--- a/drivers/regulator/s5m8767.c
++++ b/drivers/regulator/s5m8767.c
+@@ -918,10 +918,14 @@ static int s5m8767_pmic_probe(struct platform_device *pdev)
+       for (i = 0; i < pdata->num_regulators; i++) {
+               const struct sec_voltage_desc *desc;
+-              int id = pdata->regulators[i].id;
++              unsigned int id = pdata->regulators[i].id;
+               int enable_reg, enable_val;
+               struct regulator_dev *rdev;
++              BUILD_BUG_ON(ARRAY_SIZE(regulators) != ARRAY_SIZE(reg_voltage_map));
++              if (WARN_ON_ONCE(id >= ARRAY_SIZE(regulators)))
++                      continue;
++
+               desc = reg_voltage_map[id];
+               if (desc) {
+                       regulators[id].n_voltages =
+-- 
+2.39.2
+
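Review bot: An out-of-range `id` from `pdata->regulators[i]` now triggers `WARN_ON_ONCE` and `continue`, so the entry is skipped, the warning appears only for the first offender, and probe carries on as if the table were valid. Since `id` comes from platform data rather than from a code invariant, a `dev_err(&pdev->dev, "invalid regulator id %u\n", id);` followed by `return -EINVAL;` would name the bad entry and fail the probe instead of leaving a partially configured PMIC. Whether later code in the function still walks `pdata->regulators[i]` for the skipped entry is outside the hunk. `BUILD_BUG_ON()` is evaluated at compile time, so it would read more clearly at the top of `s5m8767_pmic_probe` than inside the loop body.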
diff --git a/queue-4.14/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch b/queue-4.14/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch
new file mode 100644 (file)
index 0000000..ec80ac7
--- /dev/null
@@ -0,0 +1,38 @@
+From be83a532e2a4362fa923a877521d8e84031416af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 15:42:31 -0800
+Subject: rpmsg: glink: Avoid infinite loop on intent for missing channel
+
+From: Bjorn Andersson <quic_bjorande@quicinc.com>
+
+[ Upstream commit 3e74ec2f39362bffbd42854acbb67c7f4cb808f9 ]
+
+In the event that an intent advertisement arrives on an unknown channel
+the fifo is not advanced, resulting in the same message being handled
+over and over.
+
+Fixes: dacbb35e930f ("rpmsg: glink: Receive and store the remote intent buffers")
+Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
+Reviewed-by: Chris Lew <quic_clew@quicinc.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230214234231.2069751-1-quic_bjorande@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 4c90364638f9c..0fb185e0620aa 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -928,6 +928,7 @@ static void qcom_glink_handle_intent(struct qcom_glink *glink,
+       spin_unlock_irqrestore(&glink->idr_lock, flags);
+       if (!channel) {
+               dev_err(glink->dev, "intents for non-existing channel\n");
++              qcom_glink_rx_advance(glink, ALIGN(msglen, 8));
+               return;
+       }
+-- 
+2.39.2
+
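Review bot: The added `qcom_glink_rx_advance(glink, ALIGN(msglen, 8));` has no comment explaining why an error path consumes FIFO data. Something like `/* drop the message so the rx loop does not see it again */` above it would keep a later cleanup from removing the call. `msglen` is computed outside the hunk from a count supplied by the remote side. The advance is only safe if that length has already been checked against the data available in the FIFO, which should be confirmed in the part of `qcom_glink_handle_intent` not shown. The `dev_err()` on this path is reached for every such message, so `dev_err_ratelimited()` would bound the log volume a misbehaving remote can cause.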
diff --git a/queue-4.14/s390-bpf-add-expoline-to-tail-calls.patch b/queue-4.14/s390-bpf-add-expoline-to-tail-calls.patch
new file mode 100644 (file)
index 0000000..ba78f22
--- /dev/null
@@ -0,0 +1,47 @@
+From 914c53dcaea29d0ddb50b4ea448049e04982f337 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jan 2023 20:04:55 +0100
+Subject: s390/bpf: Add expoline to tail calls
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit bb4ef8fc3d193ed8d5583fb47cbeff5d8fb8302f ]
+
+All the indirect jumps in the eBPF JIT already use expolines, except
+for the tail call one.
+
+Fixes: de5cb6eb514e ("s390: use expoline thunks in the BPF JIT")
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230129190501.1624747-3-iii@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 60029baaa72ad..f2b516f8a3a64 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -1119,8 +1119,16 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
+               /* lg %r1,bpf_func(%r1) */
+               EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, REG_1, REG_0,
+                             offsetof(struct bpf_prog, bpf_func));
+-              /* bc 0xf,tail_call_start(%r1) */
+-              _EMIT4(0x47f01000 + jit->tail_call_start);
++              if (nospec_uses_trampoline()) {
++                      jit->seen |= SEEN_FUNC;
++                      /* aghi %r1,tail_call_start */
++                      EMIT4_IMM(0xa70b0000, REG_1, jit->tail_call_start);
++                      /* brcl 0xf,__s390_indirect_jump_r1 */
++                      EMIT6_PCREL_RILC(0xc0040000, 0xf, jit->r1_thunk_ip);
++              } else {
++                      /* bc 0xf,tail_call_start(%r1) */
++                      _EMIT4(0x47f01000 + jit->tail_call_start);
++              }
+               /* out: */
+               jit->labels[0] = jit->prg;
+               break;
+-- 
+2.39.2
+
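Review bot: In the new `nospec_uses_trampoline()` branch, `jit->seen |= SEEN_FUNC;` is set without any comment, and the reason a tail call has to mark the program as containing a function call is not evident from the hunk. A one-line comment stating what the thunk path needs from that flag would help. The branch also relies on `jit->r1_thunk_ip` already holding the thunk address when `EMIT6_PCREL_RILC` is emitted. It further relies on `jit->tail_call_start` fitting the immediate field of `aghi`. Both are established outside the hunk and deserve a short note or assertion near their definitions. `bpf_jit_insn` starts and continues outside the hunk.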
diff --git a/queue-4.14/sched-fair-sanitize-vruntime-of-entity-being-placed.patch b/queue-4.14/sched-fair-sanitize-vruntime-of-entity-being-placed.patch
new file mode 100644 (file)
index 0000000..d124b62
--- /dev/null
@@ -0,0 +1,70 @@
+From 38247e1de3305a6ef644404ac818bc6129440eae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 13:22:16 +0100
+Subject: sched/fair: sanitize vruntime of entity being placed
+
+From: Zhang Qiao <zhangqiao22@huawei.com>
+
+[ Upstream commit 829c1651e9c4a6f78398d3e67651cef9bb6b42cc ]
+
+When a scheduling entity is placed onto cfs_rq, its vruntime is pulled
+to the base level (around cfs_rq->min_vruntime), so that the entity
+doesn't gain extra boost when placed backwards.
+
+However, if the entity being placed wasn't executed for a long time, its
+vruntime may get too far behind (e.g. while cfs_rq was executing a
+low-weight hog), which can inverse the vruntime comparison due to s64
+overflow.  This results in the entity being placed with its original
+vruntime way forwards, so that it will effectively never get to the cpu.
+
+To prevent that, ignore the vruntime of the entity being placed if it
+didn't execute for much longer than the characteristic sheduler time
+scale.
+
+[rkagan: formatted, adjusted commit log, comments, cutoff value]
+Signed-off-by: Zhang Qiao <zhangqiao22@huawei.com>
+Co-developed-by: Roman Kagan <rkagan@amazon.de>
+Signed-off-by: Roman Kagan <rkagan@amazon.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20230130122216.3555094-1-rkagan@amazon.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 3ff60230710c9..afa21e43477fa 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -3615,6 +3615,7 @@ static void
+ place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial)
+ {
+       u64 vruntime = cfs_rq->min_vruntime;
++      u64 sleep_time;
+       /*
+        * The 'current' period is already promised to the current tasks,
+@@ -3639,8 +3640,18 @@ place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial)
+               vruntime -= thresh;
+       }
+-      /* ensure we never gain time by being placed backwards. */
+-      se->vruntime = max_vruntime(se->vruntime, vruntime);
++      /*
++       * Pull vruntime of the entity being placed to the base level of
++       * cfs_rq, to prevent boosting it if placed backwards.  If the entity
++       * slept for a long time, don't even try to compare its vruntime with
++       * the base as it may be too far off and the comparison may get
++       * inversed due to s64 overflow.
++       */
++      sleep_time = rq_clock_task(rq_of(cfs_rq)) - se->exec_start;
++      if ((s64)sleep_time > 60LL * NSEC_PER_SEC)
++              se->vruntime = vruntime;
++      else
++              se->vruntime = max_vruntime(se->vruntime, vruntime);
+ }
+ static void check_enqueue_throttle(struct cfs_rq *cfs_rq);
+-- 
+2.39.2
+
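Review bot: The new `sleep_time = rq_clock_task(rq_of(cfs_rq)) - se->exec_start;` in place_entity() assumes `se->exec_start` is non-zero and was stamped from this runqueue's clock, which the hunk does not show. If the entity was migrated from another CPU or had `exec_start` cleared elsewhere (not visible here), the difference can exceed the cutoff after only a brief sleep, and its vruntime would be reset to the base level. Confirm how the migration and fork paths set `exec_start` in this tree before relying on the check. The `60LL * NSEC_PER_SEC` cutoff would also read better as a named constant with a one-line comment on why that value was chosen. place_entity()'s body is only partly visible between the two inner hunks.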
diff --git a/queue-4.14/scsi-aic94xx-add-missing-check-for-dma_map_single.patch b/queue-4.14/scsi-aic94xx-add-missing-check-for-dma_map_single.patch
new file mode 100644 (file)
index 0000000..3cfda8f
--- /dev/null
@@ -0,0 +1,39 @@
+From ac3ceff954cc8972eecb0aa2037e69beba9c9002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jan 2023 19:08:32 +0800
+Subject: scsi: aic94xx: Add missing check for dma_map_single()
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 32fe45274edb5926abc0fac7263d9f889d02d9cf ]
+
+Add check for dma_map_single() and return error if it fails in order to
+avoid invalid DMA address.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Link: https://lore.kernel.org/r/20230128110832.6792-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aic94xx/aic94xx_task.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/aic94xx/aic94xx_task.c b/drivers/scsi/aic94xx/aic94xx_task.c
+index cdd4ab683be98..4de4bbca1f925 100644
+--- a/drivers/scsi/aic94xx/aic94xx_task.c
++++ b/drivers/scsi/aic94xx/aic94xx_task.c
+@@ -68,6 +68,9 @@ static int asd_map_scatterlist(struct sas_task *task,
+               dma_addr_t dma = pci_map_single(asd_ha->pcidev, p,
+                                               task->total_xfer_len,
+                                               task->data_dir);
++              if (dma_mapping_error(&asd_ha->pcidev->dev, dma))
++                      return -ENOMEM;
++
+               sg_arr[0].bus_addr = cpu_to_le64((u64)dma);
+               sg_arr[0].size = cpu_to_le32(task->total_xfer_len);
+               sg_arr[0].flags |= ASD_SG_EL_LIST_EOL;
+-- 
+2.39.2
+
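Review bot: The added check in asd_map_scatterlist() mixes two API families: the buffer is mapped with `pci_map_single(asd_ha->pcidev, ...)` but tested with `dma_mapping_error(&asd_ha->pcidev->dev, dma)`. Since the surrounding code on this branch still uses the pci_* wrappers, `if (pci_dma_mapping_error(asd_ha->pcidev, dma))` would keep the mapping and its check visibly paired. The rest of the function lies outside the hunk, so whether the later multi-entry scatterlist path checks its mapping result the same way cannot be judged from here.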
index 7ebfcfe67a5e2945f1995a19d2dc502877660c93..7f0903f329228645e127440ec5de0bdf79ac20f2 100644 (file)
@@ -12,3 +12,88 @@ usb-core-don-t-hold-device-lock-while-reading-the-descriptors-sysfs-file.patch
 hid-asus-remove-check-for-same-led-brightness-on-set.patch
 hid-asus-use-spinlock-to-protect-concurrent-accesses.patch
 hid-asus-use-spinlock-to-safely-schedule-workers.patch
+arm-omap2-fix-memory-leak-in-realtime_counter_init.patch
+arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch
+arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch
+arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch
+arm-omap1-call-platform_device_put-in-error-case-in-.patch
+arm-dts-exynos-correct-wr-active-property-in-exynos3.patch
+arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch
+arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch
+arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch
+block-bio-integrity-copy-flags-when-bio_integrity_pa.patch
+wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch
+wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch
+wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch
+wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch
+wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch
+wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch
+wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch
+wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch
+genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch
+lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch
+acpica-nsrepair-handle-cases-without-a-return-value-.patch
+wifi-orinoco-check-return-value-of-hermes_write_word.patch
+wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch
+wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch
+acpi-battery-fix-missing-nul-termination-with-large-.patch
+crypto-seqiv-handle-ebusy-correctly.patch
+s390-bpf-add-expoline-to-tail-calls.patch
+net-mlx5-enhance-debug-print-in-page-allocation-fail.patch
+irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch
+irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch
+cpufreq-davinci-fix-clk-use-after-free.patch
+bluetooth-l2cap-fix-potential-user-after-free.patch
+crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch
+m68k-proc-hardware-should-depend-on-proc_fs.patch
+wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch
+can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch
+irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch
+drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch
+drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch
+gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch
+drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch
+pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch
+alsa-hda-ca0132-minor-fix-for-allocation-size.patch
+drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch
+drm-mediatek-drop-unbalanced-obj-unref.patch
+asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch
+gpio-vf610-connect-gpio-label-to-dev-name.patch
+hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch
+scsi-aic94xx-add-missing-check-for-dma_map_single.patch
+spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch
+dm-remove-flush_scheduled_work-during-local_exit.patch
+mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch
+mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch
+input-ads7846-don-t-report-pressure-for-ads7845.patch
+input-ads7846-don-t-check-penirq-immediately-for-784.patch
+powerpc-powernv-ioda-skip-unallocated-resources-when.patch
+powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch
+mips-vpe-mt-drop-physical_memsize.patch
+media-platform-ti-add-missing-check-for-devm_regulat.patch
+media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
+media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch
+rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch
+udf-define-efscorrupted-error-code.patch
+arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch
+sched-fair-sanitize-vruntime-of-entity-being-placed.patch
+wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch
+rcu-suppress-smp_processor_id-complaint-in-synchroni.patch
+thermal-intel-fix-unsigned-comparison-with-less-than.patch
+timers-prevent-union-confusion-from-unexpected-resta.patch
+x86-bugs-reset-speculation-control-settings-on-init.patch
+inet-fix-fast-path-in-__inet_hash_connect.patch
+acpi-don-t-build-acpica-with-os.patch
+net-bcmgenet-add-a-check-for-oversized-packets.patch
+m68k-check-syscall_trace_enter-return-code.patch
+acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch
+drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch
+drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch
+docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch
+asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch
+regulator-max77802-bounds-check-regulator-id-against.patch
+regulator-s5m8767-bounds-check-id-indexing-into-arra.patch
+pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch
+dm-thin-add-cond_resched-to-various-workqueue-loops.patch
+dm-cache-add-cond_resched-to-various-workqueue-loops.patch
+spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch
diff --git a/queue-4.14/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch b/queue-4.14/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch
new file mode 100644 (file)
index 0000000..b490640
--- /dev/null
@@ -0,0 +1,41 @@
+From 7ae079fbda5ccd60b72d76e6f5d44e8355d3f4dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Feb 2023 22:58:17 -0800
+Subject: spi: bcm63xx-hsspi: Endianness fix for ARM based SoC
+
+From: William Zhang <william.zhang@broadcom.com>
+
+[ Upstream commit 85a84a61699990db6a025b5073f337f49933a875 ]
+
+HSSPI controller uses big endian for the opcode in the message to the
+controller ping pong buffer. Use cpu_to_be16 to properly handle the
+endianness for both big and little endian host.
+
+Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver")
+Signed-off-by: Kursad Oney <kursad.oney@broadcom.com>
+Signed-off-by: William Zhang <william.zhang@broadcom.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+
+Link: https://lore.kernel.org/r/20230207065826.285013-7-william.zhang@broadcom.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
+index cbcba614b2533..bc539010f2b98 100644
+--- a/drivers/spi/spi-bcm63xx-hsspi.c
++++ b/drivers/spi/spi-bcm63xx-hsspi.c
+@@ -191,7 +191,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t)
+                       tx += curr_step;
+               }
+-              __raw_writew(opcode | curr_step, bs->fifo);
++              __raw_writew((u16)cpu_to_be16(opcode | curr_step), bs->fifo);
+               /* enable interrupt */
+               __raw_writel(HSSPI_PINGx_CMD_DONE(0),
+-- 
+2.39.2
+
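Review bot: The cast in `__raw_writew((u16)cpu_to_be16(opcode | curr_step), bs->fifo);` drops the `__be16` annotation without `__force`, so sparse endianness checking will probably flag this line. Writing it as `__raw_writew((__force u16)cpu_to_be16(opcode | curr_step), bs->fifo);` keeps the byte swap and tells the checker the conversion is intentional. A short comment such as `/* controller expects the opcode word big endian */` would record why a raw accessor is combined with an explicit swap. bcm63xx_hsspi_do_txrx() begins and ends outside the hunk.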
diff --git a/queue-4.14/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch b/queue-4.14/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch
new file mode 100644 (file)
index 0000000..dd1586a
--- /dev/null
@@ -0,0 +1,61 @@
+From 50a8924674a937d8fc8f74bc7caf655c357d6913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 12:02:41 -0800
+Subject: spi: bcm63xx-hsspi: Fix multi-bit mode setting
+
+From: William Zhang <william.zhang@broadcom.com>
+
+[ Upstream commit 811ff802aaf878ebbbaeac0307a0164fa21e7d40 ]
+
+Currently the driver always sets the controller to dual data bit mode
+for both tx and rx data in the profile mode control register even for
+single data bit transfer. Luckily the opcode is set correctly according
+to SPI transfer data bit width so it does not actually cause issues.
+
+This change fixes the problem by setting tx and rx data bit mode field
+correctly according to the actual SPI transfer tx and rx data bit width.
+
+Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver")
+Signed-off-by: William Zhang <william.zhang@broadcom.com>
+Link: https://lore.kernel.org/r/20230209200246.141520-11-william.zhang@broadcom.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx-hsspi.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
+index bc539010f2b98..6071756149ef4 100644
+--- a/drivers/spi/spi-bcm63xx-hsspi.c
++++ b/drivers/spi/spi-bcm63xx-hsspi.c
+@@ -160,6 +160,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t)
+       int step_size = HSSPI_BUFFER_LEN;
+       const u8 *tx = t->tx_buf;
+       u8 *rx = t->rx_buf;
++      u32 val = 0;
+       bcm63xx_hsspi_set_clk(bs, spi, t->speed_hz);
+       bcm63xx_hsspi_set_cs(bs, spi->chip_select, true);
+@@ -175,11 +176,16 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t)
+               step_size -= HSSPI_OPCODE_LEN;
+       if ((opcode == HSSPI_OP_READ && t->rx_nbits == SPI_NBITS_DUAL) ||
+-          (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL))
++          (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL)) {
+               opcode |= HSSPI_OP_MULTIBIT;
+-      __raw_writel(1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT |
+-                   1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT | 0xff,
++              if (t->rx_nbits == SPI_NBITS_DUAL)
++                      val |= 1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT;
++              if (t->tx_nbits == SPI_NBITS_DUAL)
++                      val |= 1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT;
++      }
++
++      __raw_writel(val | 0xff,
+                    bs->regs + HSSPI_PROFILE_MODE_CTRL_REG(chip_select));
+       while (pending > 0) {
+-- 
+2.39.2
+
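Review bot: Inside the new braces the two size bits are chosen from `t->rx_nbits` and `t->tx_nbits` alone, independent of `opcode`. A read transfer that also carries `tx_nbits == SPI_NBITS_DUAL` therefore still sets the write-size field, and vice versa. If that is intended, a comment such as `/* each direction's size follows its own nbits, whichever op is issued */` would say so; otherwise each test should also check the opcode. The literal in `__raw_writel(val | 0xff, ...)` is unexplained in the hunk and deserves a named constant or a comment. bcm63xx_hsspi_do_txrx() continues outside both inner hunks.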
diff --git a/queue-4.14/thermal-intel-fix-unsigned-comparison-with-less-than.patch b/queue-4.14/thermal-intel-fix-unsigned-comparison-with-less-than.patch
new file mode 100644 (file)
index 0000000..9f74239
--- /dev/null
@@ -0,0 +1,42 @@
+From 1c833bd6bcab52ef2440777415fb260578f76658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 08:59:51 +0800
+Subject: thermal: intel: Fix unsigned comparison with less than zero
+
+From: Yang Li <yang.lee@linux.alibaba.com>
+
+[ Upstream commit e7fcfe67f9f410736b758969477b17ea285e8e6c ]
+
+The return value from the call to intel_tcc_get_tjmax() is int, which can
+be a negative error code. However, the return value is being assigned to
+an u32 variable 'tj_max', so making 'tj_max' an int.
+
+Eliminate the following warning:
+./drivers/thermal/intel/intel_soc_dts_iosf.c:394:5-11: WARNING: Unsigned expression compared with zero: tj_max < 0
+
+Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3637
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
+Acked-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel_soc_dts_iosf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel_soc_dts_iosf.c b/drivers/thermal/intel_soc_dts_iosf.c
+index e0813dfaa2783..435a093998000 100644
+--- a/drivers/thermal/intel_soc_dts_iosf.c
++++ b/drivers/thermal/intel_soc_dts_iosf.c
+@@ -405,7 +405,7 @@ struct intel_soc_dts_sensors *intel_soc_dts_iosf_init(
+ {
+       struct intel_soc_dts_sensors *sensors;
+       bool notification;
+-      u32 tj_max;
++      int tj_max;
+       int ret;
+       int i;
+-- 
+2.39.2
+
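Review bot: The declaration change `int tj_max;` is justified in the description by intel_tcc_get_tjmax() returning int, but the hunk shows only the declarations in intel_soc_dts_iosf_init(), not the call that fills `tj_max`. The warning quoted in the description is for drivers/thermal/intel/intel_soc_dts_iosf.c, while this patch touches drivers/thermal/intel_soc_dts_iosf.c, so the code on this branch may differ from the upstream code the fix was written for. If this tree still fills the value through a `u32 *` out-parameter, switching the variable to `int` would add a pointer-type mismatch and fix nothing. Check the use sites in this tree before queuing the patch.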
diff --git a/queue-4.14/timers-prevent-union-confusion-from-unexpected-resta.patch b/queue-4.14/timers-prevent-union-confusion-from-unexpected-resta.patch
new file mode 100644 (file)
index 0000000..2ba6284
--- /dev/null
@@ -0,0 +1,108 @@
+From 3c683c46758688b0b24f8123a07a7e22ca57692e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jan 2023 14:44:03 +0100
+Subject: timers: Prevent union confusion from unexpected restart_syscall()
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 9f76d59173d9d146e96c66886b671c1915a5c5e5 ]
+
+The nanosleep syscalls use the restart_block mechanism, with a quirk:
+The `type` and `rmtp`/`compat_rmtp` fields are set up unconditionally on
+syscall entry, while the rest of the restart_block is only set up in the
+unlikely case that the syscall is actually interrupted by a signal (or
+pseudo-signal) that doesn't have a signal handler.
+
+If the restart_block was set up by a previous syscall (futex(...,
+FUTEX_WAIT, ...) or poll()) and hasn't been invalidated somehow since then,
+this will clobber some of the union fields used by futex_wait_restart() and
+do_restart_poll().
+
+If userspace afterwards wrongly calls the restart_syscall syscall,
+futex_wait_restart()/do_restart_poll() will read struct fields that have
+been clobbered.
+
+This doesn't actually lead to anything particularly interesting because
+none of the union fields contain trusted kernel data, and
+futex(..., FUTEX_WAIT, ...) and poll() aren't syscalls where it makes much
+sense to apply seccomp filters to their arguments.
+
+So the current consequences are just of the "if userspace does bad stuff,
+it can damage itself, and that's not a problem" flavor.
+
+But still, it seems like a hazard for future developers, so invalidate the
+restart_block when partly setting it up in the nanosleep syscalls.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20230105134403.754986-1-jannh@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/hrtimer.c      | 2 ++
+ kernel/time/posix-stubs.c  | 2 ++
+ kernel/time/posix-timers.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 94dd37e8890d8..7a84c54219f35 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1564,6 +1564,7 @@ SYSCALL_DEFINE2(nanosleep, struct timespec __user *, rqtp,
+       if (!timespec64_valid(&tu))
+               return -EINVAL;
++      current->restart_block.fn = do_no_restart_syscall;
+       current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
+       current->restart_block.nanosleep.rmtp = rmtp;
+       return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
+@@ -1582,6 +1583,7 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct compat_timespec __user *, rqtp,
+       if (!timespec64_valid(&tu))
+               return -EINVAL;
++      current->restart_block.fn = do_no_restart_syscall;
+       current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
+       current->restart_block.nanosleep.compat_rmtp = rmtp;
+       return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
+diff --git a/kernel/time/posix-stubs.c b/kernel/time/posix-stubs.c
+index 06f34feb635ed..20117340c2493 100644
+--- a/kernel/time/posix-stubs.c
++++ b/kernel/time/posix-stubs.c
+@@ -136,6 +136,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags,
+               return -EINVAL;
+       if (flags & TIMER_ABSTIME)
+               rmtp = NULL;
++      current->restart_block.fn = do_no_restart_syscall;
+       current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
+       current->restart_block.nanosleep.rmtp = rmtp;
+       return hrtimer_nanosleep(&t64, flags & TIMER_ABSTIME ?
+@@ -222,6 +223,7 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags,
+               return -EINVAL;
+       if (flags & TIMER_ABSTIME)
+               rmtp = NULL;
++      current->restart_block.fn = do_no_restart_syscall;
+       current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
+       current->restart_block.nanosleep.compat_rmtp = rmtp;
+       return hrtimer_nanosleep(&t64, flags & TIMER_ABSTIME ?
+diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
+index f46694850b445..8b90abd690730 100644
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -1227,6 +1227,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags,
+               return -EINVAL;
+       if (flags & TIMER_ABSTIME)
+               rmtp = NULL;
++      current->restart_block.fn = do_no_restart_syscall;
+       current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
+       current->restart_block.nanosleep.rmtp = rmtp;
+@@ -1253,6 +1254,7 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags,
+               return -EINVAL;
+       if (flags & TIMER_ABSTIME)
+               rmtp = NULL;
++      current->restart_block.fn = do_no_restart_syscall;
+       current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
+       current->restart_block.nanosleep.compat_rmtp = rmtp;
+-- 
+2.39.2
+
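Review bot: The added `current->restart_block.fn = do_no_restart_syscall;` appears at six call sites across hrtimer.c, posix-stubs.c and posix-timers.c with no comment, so the reason for it lives only in the commit message. Each site would benefit from a line such as `/* invalidate any stale restart_block left by an earlier futex()/poll() */`. Because the same three-statement setup is now repeated six times, a small static inline helper taking the type and the rmtp pointer would keep the invalidation from being forgotten when another nanosleep variant is added. All six syscall bodies start and end outside their hunks.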
diff --git a/queue-4.14/udf-define-efscorrupted-error-code.patch b/queue-4.14/udf-define-efscorrupted-error-code.patch
new file mode 100644 (file)
index 0000000..c495724
--- /dev/null
@@ -0,0 +1,34 @@
+From ed3660d47bcb95f9e5fb8b7762ea5f1e583e9aff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 16:34:45 +0200
+Subject: udf: Define EFSCORRUPTED error code
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 ]
+
+Similarly to other filesystems define EFSCORRUPTED error code for
+reporting internal filesystem corruption.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/udf_sb.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h
+index 68c9f1d618f5b..796706d73feb8 100644
+--- a/fs/udf/udf_sb.h
++++ b/fs/udf/udf_sb.h
+@@ -56,6 +56,8 @@
+ #define MF_DUPLICATE_MD               0x01
+ #define MF_MIRROR_FE_LOADED   0x02
++#define EFSCORRUPTED EUCLEAN
++
+ struct udf_meta_data {
+       __u32   s_meta_file_loc;
+       __u32   s_mirror_file_loc;
+-- 
+2.39.2
+
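Review bot: The new `#define EFSCORRUPTED EUCLEAN` in udf_sb.h has no comment explaining what the code reports. A trailing comment, `#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */`, would make the header self-explanatory. The description says other filesystems define the same name, so it is also worth checking that no UDF source file includes one of their headers with a different definition.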
diff --git a/queue-4.14/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch b/queue-4.14/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch
new file mode 100644 (file)
index 0000000..2f98a28
--- /dev/null
@@ -0,0 +1,62 @@
+From 695c0b02425ae99a090c64e33d682426a711c99e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 21:41:30 +0900
+Subject: wifi: ath9k: Fix potential stack-out-of-bounds write in
+ ath9k_wmi_rsp_callback()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+
+[ Upstream commit 8a2f35b9830692f7a616f2f627f943bc748af13a ]
+
+Fix a stack-out-of-bounds write that occurs in a WMI response callback
+function that is called after a timeout occurs in ath9k_wmi_cmd().
+The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that
+could no longer be valid when a timeout occurs. Set wmi->last_seq_id to
+0 when a timeout occurred.
+
+Found by a modified version of syzkaller.
+
+BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
+Write of size 4
+Call Trace:
+ memcpy
+ ath9k_wmi_ctrl_rx
+ ath9k_htc_rx_msg
+ ath9k_hif_usb_reg_in_cb
+ __usb_hcd_giveback_urb
+ usb_hcd_giveback_urb
+ dummy_timer
+ call_timer_fn
+ run_timer_softirq
+ __do_softirq
+ irq_exit_rcu
+ sysvec_apic_timer_interrupt
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230104124130.10996-1-linuxlovemin@yonsei.ac.kr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index 4b68804f3742e..9a17f7a07b1e8 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -337,6 +337,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
+       if (!time_left) {
+               ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n",
+                       wmi_cmd_to_name(cmd_id));
++              wmi->last_seq_id = 0;
+               mutex_unlock(&wmi->op_mutex);
+               kfree_skb(skb);
+               return -ETIMEDOUT;
+-- 
+2.39.2
+
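Review bot: The added `wmi->last_seq_id = 0;` in the timeout branch of ath9k_wmi_cmd() is written while only `op_mutex` is held. The call trace in the description shows the response path running from a timer softirq, which a mutex cannot serialize against. If the receive path compares `last_seq_id` under a different lock (not visible in this hunk), the store should be made under that same lock. Even then, a callback that has already passed the comparison may still write into the stack buffer after this function returns. A comment such as `/* 0 marks "no command outstanding" so late responses are dropped */` would also document the sentinel. The function body extends outside the hunk.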
diff --git a/queue-4.14/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch b/queue-4.14/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch
new file mode 100644 (file)
index 0000000..b76b4f2
--- /dev/null
@@ -0,0 +1,58 @@
+From 00b553341a9692e1f89ea76c4d1cb3fb00a7501e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 15:35:46 +0300
+Subject: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no
+ callback function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 ]
+
+It is stated that ath9k_htc_rx_msg() either frees the provided skb or
+passes its management to another callback function. However, the skb is
+not freed in case there is no another callback function, and Syzkaller was
+able to cause a memory leak. Also minor comment fix.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com
+Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230104123546.51427-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 6d69cf69fd86e..6331c98088e03 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -394,7 +394,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
+  * HTC Messages are handled directly here and the obtained SKB
+  * is freed.
+  *
+- * Service messages (Data, WMI) passed to the corresponding
++ * Service messages (Data, WMI) are passed to the corresponding
+  * endpoint RX handlers, which have to free the SKB.
+  */
+ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
+@@ -481,6 +481,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
+               if (endpoint->ep_callbacks.rx)
+                       endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv,
+                                                 skb, epid);
++              else
++                      goto invalid;
+       }
+ }
+-- 
+2.39.2
+
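Review bot: The block comment touched in the first inner hunk still says service messages are passed to endpoint RX handlers "which have to free the SKB", but the new `else goto invalid;` adds a case where ath9k_htc_rx_msg() disposes of the SKB itself. Extending the comment with a sentence like `If the endpoint has no RX handler, the SKB is freed here.` would keep the stated ownership contract accurate. The `invalid` label is outside the hunk, so it cannot be checked from here that it only frees the SKB; reusing an error label for the "no handler" case also deserves a brief comment at the jump.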
diff --git a/queue-4.14/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch b/queue-4.14/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch
new file mode 100644 (file)
index 0000000..29a6e89
--- /dev/null
@@ -0,0 +1,39 @@
+From 7cbecdd172a2f771477fb290e9586adb6e3462ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 19:33:01 +0800
+Subject: wifi: brcmfmac: fix potential memory leak in
+ brcmf_netdev_start_xmit()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 212fde3fe76e962598ce1d47b97cc78afdfc71b3 ]
+
+The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb
+in case of pskb_expand_head() fails, add dev_kfree_skb() to fix it.
+Compile tested only.
+
+Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/1668684782-47422-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index 9c8102be1d0b3..55027886f4041 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -226,6 +226,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
+                       brcmf_err("%s: failed to expand headroom\n",
+                                 brcmf_ifname(ifp));
+                       atomic_inc(&drvr->bus_if->stats.pktcow_failed);
++                      dev_kfree_skb(skb);
+                       goto done;
+               }
+       }
+-- 
+2.39.2
+
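Review bot: The added `dev_kfree_skb(skb);` on the headroom-expansion failure path of brcmf_netdev_start_xmit() frees a packet that is being dropped, yet `dev_kfree_skb()` records the buffer as consumed rather than dropped. Using `kfree_skb(skb);`, or `dev_kfree_skb_any(skb);` if this transmit path can run with interrupts disabled, would make the drop visible to drop monitoring. The `done` label is outside the hunk, so confirm that nothing after it reads `skb` again once it has been freed.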
diff --git a/queue-4.14/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch b/queue-4.14/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch
new file mode 100644 (file)
index 0000000..8517cf8
--- /dev/null
@@ -0,0 +1,160 @@
+From fa23bbb31955db1ba893b4b99d4a1a2b938c8358 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 13:34:58 +0900
+Subject: wifi: brcmfmac: Fix potential stack-out-of-bounds in
+ brcmf_c_preinit_dcmds()
+
+From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+
+[ Upstream commit 0a06cadcc2a0044e4a117cc0e61436fc3a0dad69 ]
+
+This patch fixes a stack-out-of-bounds read in brcmfmac that occurs
+when 'buf' that is not null-terminated is passed as an argument of
+strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware
+version string by memcpy() in brcmf_fil_iovar_data_get().
+The patch ensures buf is null-terminated.
+
+Found by a modified version of syzkaller.
+
+[   47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3
+[   47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
+[   47.601565][ T1897] ==================================================================
+[   47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0
+[   47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897
+[   47.604336][ T1897]
+[   47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #131
+[   47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+[   47.606907][ T1897] Workqueue: usb_hub_wq hub_event
+[   47.607453][ T1897] Call Trace:
+[   47.607801][ T1897]  dump_stack_lvl+0x8e/0xd1
+[   47.608295][ T1897]  print_address_description.constprop.0.cold+0xf/0x334
+[   47.609009][ T1897]  ? strsep+0x1b2/0x1f0
+[   47.609434][ T1897]  ? strsep+0x1b2/0x1f0
+[   47.609863][ T1897]  kasan_report.cold+0x83/0xdf
+[   47.610366][ T1897]  ? strsep+0x1b2/0x1f0
+[   47.610882][ T1897]  strsep+0x1b2/0x1f0
+[   47.611300][ T1897]  ? brcmf_fil_iovar_data_get+0x3a/0xf0
+[   47.611883][ T1897]  brcmf_c_preinit_dcmds+0x995/0xc40
+[   47.612434][ T1897]  ? brcmf_c_set_joinpref_default+0x100/0x100
+[   47.613078][ T1897]  ? rcu_read_lock_sched_held+0xa1/0xd0
+[   47.613662][ T1897]  ? rcu_read_lock_bh_held+0xb0/0xb0
+[   47.614208][ T1897]  ? lock_acquire+0x19d/0x4e0
+[   47.614704][ T1897]  ? find_held_lock+0x2d/0x110
+[   47.615236][ T1897]  ? brcmf_usb_deq+0x1a7/0x260
+[   47.615741][ T1897]  ? brcmf_usb_rx_fill_all+0x5a/0xf0
+[   47.616288][ T1897]  brcmf_attach+0x246/0xd40
+[   47.616758][ T1897]  ? wiphy_new_nm+0x1703/0x1dd0
+[   47.617280][ T1897]  ? kmemdup+0x43/0x50
+[   47.617720][ T1897]  brcmf_usb_probe+0x12de/0x1690
+[   47.618244][ T1897]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
+[   47.618901][ T1897]  usb_probe_interface+0x2aa/0x760
+[   47.619429][ T1897]  ? usb_probe_device+0x250/0x250
+[   47.619950][ T1897]  really_probe+0x205/0xb70
+[   47.620435][ T1897]  ? driver_allows_async_probing+0x130/0x130
+[   47.621048][ T1897]  __driver_probe_device+0x311/0x4b0
+[   47.621595][ T1897]  ? driver_allows_async_probing+0x130/0x130
+[   47.622209][ T1897]  driver_probe_device+0x4e/0x150
+[   47.622739][ T1897]  __device_attach_driver+0x1cc/0x2a0
+[   47.623287][ T1897]  bus_for_each_drv+0x156/0x1d0
+[   47.623796][ T1897]  ? bus_rescan_devices+0x30/0x30
+[   47.624309][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+[   47.624907][ T1897]  ? trace_hardirqs_on+0x46/0x160
+[   47.625437][ T1897]  __device_attach+0x23f/0x3a0
+[   47.625924][ T1897]  ? device_bind_driver+0xd0/0xd0
+[   47.626433][ T1897]  ? kobject_uevent_env+0x287/0x14b0
+[   47.627057][ T1897]  bus_probe_device+0x1da/0x290
+[   47.627557][ T1897]  device_add+0xb7b/0x1eb0
+[   47.628027][ T1897]  ? wait_for_completion+0x290/0x290
+[   47.628593][ T1897]  ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
+[   47.629249][ T1897]  usb_set_configuration+0xf59/0x16f0
+[   47.629829][ T1897]  usb_generic_driver_probe+0x82/0xa0
+[   47.630385][ T1897]  usb_probe_device+0xbb/0x250
+[   47.630927][ T1897]  ? usb_suspend+0x590/0x590
+[   47.631397][ T1897]  really_probe+0x205/0xb70
+[   47.631855][ T1897]  ? driver_allows_async_probing+0x130/0x130
+[   47.632469][ T1897]  __driver_probe_device+0x311/0x4b0
+[   47.633002][ T1897]  ? usb_generic_driver_match+0x75/0x90
+[   47.633573][ T1897]  ? driver_allows_async_probing+0x130/0x130
+[   47.634170][ T1897]  driver_probe_device+0x4e/0x150
+[   47.634703][ T1897]  __device_attach_driver+0x1cc/0x2a0
+[   47.635248][ T1897]  bus_for_each_drv+0x156/0x1d0
+[   47.635748][ T1897]  ? bus_rescan_devices+0x30/0x30
+[   47.636271][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+[   47.636881][ T1897]  ? trace_hardirqs_on+0x46/0x160
+[   47.637396][ T1897]  __device_attach+0x23f/0x3a0
+[   47.637904][ T1897]  ? device_bind_driver+0xd0/0xd0
+[   47.638426][ T1897]  ? kobject_uevent_env+0x287/0x14b0
+[   47.638985][ T1897]  bus_probe_device+0x1da/0x290
+[   47.639512][ T1897]  device_add+0xb7b/0x1eb0
+[   47.639977][ T1897]  ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
+[   47.640612][ T1897]  ? kfree+0x14a/0x6b0
+[   47.641055][ T1897]  ? __usb_get_extra_descriptor+0x116/0x160
+[   47.641679][ T1897]  usb_new_device.cold+0x49c/0x1029
+[   47.642245][ T1897]  ? hub_disconnect+0x450/0x450
+[   47.642756][ T1897]  ? rwlock_bug.part.0+0x90/0x90
+[   47.643273][ T1897]  ? _raw_spin_unlock_irq+0x24/0x30
+[   47.643822][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+[   47.644445][ T1897]  hub_event+0x1c98/0x3950
+[   47.644939][ T1897]  ? hub_port_debounce+0x2e0/0x2e0
+[   47.645467][ T1897]  ? check_irq_usage+0x861/0xf20
+[   47.645975][ T1897]  ? drain_workqueue+0x280/0x360
+[   47.646506][ T1897]  ? lock_release+0x640/0x640
+[   47.646994][ T1897]  ? rcu_read_lock_sched_held+0xa1/0xd0
+[   47.647572][ T1897]  ? rcu_read_lock_bh_held+0xb0/0xb0
+[   47.648111][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+[   47.648735][ T1897]  process_one_work+0x92b/0x1460
+[   47.649262][ T1897]  ? pwq_dec_nr_in_flight+0x330/0x330
+[   47.649816][ T1897]  ? rwlock_bug.part.0+0x90/0x90
+[   47.650336][ T1897]  worker_thread+0x95/0xe00
+[   47.650830][ T1897]  ? __kthread_parkme+0x115/0x1e0
+[   47.651361][ T1897]  ? process_one_work+0x1460/0x1460
+[   47.651904][ T1897]  kthread+0x3a1/0x480
+[   47.652329][ T1897]  ? set_kthread_struct+0x120/0x120
+[   47.652878][ T1897]  ret_from_fork+0x1f/0x30
+[   47.653370][ T1897]
+[   47.653608][ T1897]
+[   47.653848][ T1897] addr ffffc90001f6f000 is located in stack of task kworker/0:2/1897 at offset 512 in frame:
+[   47.654891][ T1897]  brcmf_c_preinit_dcmds+0x0/0xc40
+[   47.655442][ T1897]
+[   47.655690][ T1897] this frame has 4 objects:
+[   47.656151][ T1897]  [48, 56) 'ptr'
+[   47.656159][ T1897]  [80, 148) 'revinfo'
+[   47.656534][ T1897]  [192, 210) 'eventmask'
+[   47.656953][ T1897]  [256, 512) 'buf'
+[   47.657410][ T1897]
+[   47.658035][ T1897] Memory state around the buggy address:
+[   47.658743][ T1897]  ffffc90001f6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   47.659577][ T1897]  ffffc90001f6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   47.660394][ T1897] >ffffc90001f6f000: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
+[   47.661199][ T1897]                    ^
+[   47.661625][ T1897]  ffffc90001f6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   47.662455][ T1897]  ffffc90001f6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
+[   47.663318][ T1897] ==================================================================
+[   47.664147][ T1897] Disabling lock debugging due to kernel taint
+
+Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
+Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
+Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221115043458.37562-1-jisoo.jang@yonsei.ac.kr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+index 7a2b49587b4d3..b2f46685391c2 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+@@ -157,6 +157,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp)
+                         err);
+               goto done;
+       }
++      buf[sizeof(buf) - 1] = '\0';
+       ptr = (char *)buf;
+       strsep(&ptr, "\n");
+-- 
+2.39.2
+
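Review bot: The added `buf[sizeof(buf) - 1] = '\0';` in brcmf_c_preinit_dcmds() has no comment saying why it is there, and a bare terminator write is easy to drop in a later cleanup. Something like `/* firmware-supplied string may fill buf without a NUL; bound strsep() */` above it would keep the reason with the code. The string comes from the device (the trace in the description reaches this function from USB probe), so it should be treated as untrusted input. The parsing that follows `strsep()` is outside the hunk; any later search in `buf` that assumes a particular separator is present should be checked to handle its absence.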
diff --git a/queue-4.14/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch b/queue-4.14/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch
new file mode 100644 (file)
index 0000000..5598901
--- /dev/null
@@ -0,0 +1,46 @@
+From cf7c9e0c7068bf224de24bd8ce25471d3ea47561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 09:31:14 +0800
+Subject: wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit b9f420032f2ba1e634b22ca7b433e5c40ea663af ]
+
+After the DMA buffer is mapped to a physical address, address is stored
+in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in
+brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr
+and later unmap the DMA buffer. But when count is always equal to
+pktids->array_size, physaddr isn't stored in pktids and the DMA buffer
+will not be unmapped anyway.
+
+Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221207013114.1748936-1-shaozhengchao@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+index 5f0af5fac343d..19dad0a72753d 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -337,8 +337,11 @@ brcmf_msgbuf_alloc_pktid(struct device *dev,
+               count++;
+       } while (count < pktids->array_size);
+-      if (count == pktids->array_size)
++      if (count == pktids->array_size) {
++              dma_unmap_single(dev, *physaddr, skb->len - data_offset,
++                               pktids->direction);
+               return -ENOMEM;
++      }
+       array[*idx].data_offset = data_offset;
+       array[*idx].physaddr = *physaddr;
+-- 
+2.39.2
+
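Review bot: The new `dma_unmap_single()` call in brcmf_msgbuf_alloc_pktid() recomputes the length as `skb->len - data_offset`, while the matching `dma_map_single()` is outside the hunk, so the two sizes stay equal only as long as nobody edits one of them. Computing the length once, e.g. `size_t len = skb->len - data_offset;` before the mapping, and passing `len` to both calls would keep map and unmap in step. After this error return `*physaddr` still holds the now-unmapped address, so callers should not use it when the function returns -ENOMEM; whether they do cannot be seen from here.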
diff --git a/queue-4.14/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch b/queue-4.14/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch
new file mode 100644 (file)
index 0000000..c5e64c6
--- /dev/null
@@ -0,0 +1,47 @@
+From 4166914c7ee1fda60c5c19822e7c878e2a996c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 09:24:22 +0800
+Subject: wifi: ipw2200: fix memory leak in ipw_wdev_init()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 9fe21dc626117fb44a8eb393713a86a620128ce3 ]
+
+In the error path of ipw_wdev_init(), exception value is returned, and
+the memory applied for in the function is not released. Also the memory
+is not released in ipw_pci_probe(). As a result, memory leakage occurs.
+So memory release needs to be added to the error path of ipw_wdev_init().
+
+Fixes: a3caa99e6c68 ("libipw: initiate cfg80211 API conversion (v2)")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221209012422.182669-1-shaozhengchao@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/ipw2x00/ipw2200.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
+index 2d0734ab3f747..3c447d6f84af5 100644
+--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
+@@ -11437,9 +11437,14 @@ static int ipw_wdev_init(struct net_device *dev)
+       set_wiphy_dev(wdev->wiphy, &priv->pci_dev->dev);
+       /* With that information in place, we can now register the wiphy... */
+-      if (wiphy_register(wdev->wiphy))
+-              rc = -EIO;
++      rc = wiphy_register(wdev->wiphy);
++      if (rc)
++              goto out;
++
++      return 0;
+ out:
++      kfree(priv->ieee->a_band.channels);
++      kfree(priv->ieee->bg_band.channels);
+       return rc;
+ }
+-- 
+2.39.2
+
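Review bot: After the two new `kfree()` calls under `out:` in ipw_wdev_init(), `priv->ieee->a_band.channels` and `priv->ieee->bg_band.channels` keep their old values, so any teardown code that frees them again (none is visible in this hunk) would double free. Clearing them right after the free, `priv->ieee->a_band.channels = NULL;` and `priv->ieee->bg_band.channels = NULL;`, makes the error path safe to combine with a later cleanup. The hunk also changes the returned error from a fixed -EIO to whatever wiphy_register() returns, which the description does not mention. The start of the function, including the earlier `goto out` sites, is outside the hunk.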
diff --git a/queue-4.14/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch b/queue-4.14/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch
new file mode 100644 (file)
index 0000000..ca51be0
--- /dev/null
@@ -0,0 +1,40 @@
+From e3182e11fc87a953efde0086b31bdb56824de9e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 23:00:08 +0800
+Subject: wifi: libertas: cmdresp: don't call kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 708a49a64237f19bd404852f297aaadbc9e7fee0 ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
+tested only.
+
+Fixes: f52b041aed77 ("libertas: Add spinlock to avoid race condition")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221207150008.111743-5-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/cmdresp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cmdresp.c b/drivers/net/wireless/marvell/libertas/cmdresp.c
+index b73d083813985..5908f07d62ed7 100644
+--- a/drivers/net/wireless/marvell/libertas/cmdresp.c
++++ b/drivers/net/wireless/marvell/libertas/cmdresp.c
+@@ -48,7 +48,7 @@ void lbs_mac_event_disconnected(struct lbs_private *priv,
+       /* Free Tx and Rx packets */
+       spin_lock_irqsave(&priv->driver_lock, flags);
+-      kfree_skb(priv->currenttxskb);
++      dev_kfree_skb_irq(priv->currenttxskb);
+       priv->currenttxskb = NULL;
+       priv->tx_pending_len = 0;
+       spin_unlock_irqrestore(&priv->driver_lock, flags);
+-- 
+2.39.2
+
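Review bot: `priv->currenttxskb` may already be NULL when lbs_mac_event_disconnected() runs (the very next line resets it to NULL), and the replaced `kfree_skb()` accepts NULL. The new `dev_kfree_skb_irq(priv->currenttxskb);` is therefore only equivalent if dev_kfree_skb_irq() also tolerates NULL on this 4.14 tree, which should be confirmed for the backport. If it does not, guard the call: `if (priv->currenttxskb) dev_kfree_skb_irq(priv->currenttxskb);`. The same applies to the identical replacement in lbs_stop_iface() in the libertas main.c patch further down.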
diff --git a/queue-4.14/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch b/queue-4.14/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch
new file mode 100644 (file)
index 0000000..8e89d0c
--- /dev/null
@@ -0,0 +1,37 @@
+From 1967a9ad2e5e9b42031473deaf805cf1b0a42e0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 20:14:48 +0800
+Subject: wifi: libertas: fix memory leak in lbs_init_adapter()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 16a03958618fb91bb1bc7077cf3211055162cc2f ]
+
+When kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not
+released. Add free memory to processing error path.
+
+Fixes: 7919b89c8276 ("libertas: convert libertas driver to use an event/cmdresp queue")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221208121448.2845986-1-shaozhengchao@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c
+index aefa88f4f29ce..feb204cd74a9a 100644
+--- a/drivers/net/wireless/marvell/libertas/main.c
++++ b/drivers/net/wireless/marvell/libertas/main.c
+@@ -872,6 +872,7 @@ static int lbs_init_adapter(struct lbs_private *priv)
+       ret = kfifo_alloc(&priv->event_fifo, sizeof(u32) * 16, GFP_KERNEL);
+       if (ret) {
+               pr_err("Out of memory allocating event FIFO buffer\n");
++              lbs_free_cmd_buffer(priv);
+               goto out;
+       }
+-- 
+2.39.2
+
diff --git a/queue-4.14/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch b/queue-4.14/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch
new file mode 100644 (file)
index 0000000..3ef5cdf
--- /dev/null
@@ -0,0 +1,40 @@
+From 3484a9186e959d4eae982e187161a7c2de35783a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 23:00:07 +0800
+Subject: wifi: libertas: main: don't call kfree_skb() under
+ spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f393df151540bf858effbd29ff572ab94e76a4c4 ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
+tested only.
+
+Fixes: d2e7b3425c47 ("libertas: disable functionality when interface is down")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221207150008.111743-4-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c
+index feb204cd74a9a..21816f0e9e930 100644
+--- a/drivers/net/wireless/marvell/libertas/main.c
++++ b/drivers/net/wireless/marvell/libertas/main.c
+@@ -216,7 +216,7 @@ int lbs_stop_iface(struct lbs_private *priv)
+       spin_lock_irqsave(&priv->driver_lock, flags);
+       priv->iface_running = false;
+-      kfree_skb(priv->currenttxskb);
++      dev_kfree_skb_irq(priv->currenttxskb);
+       priv->currenttxskb = NULL;
+       priv->tx_pending_len = 0;
+       spin_unlock_irqrestore(&priv->driver_lock, flags);
+-- 
+2.39.2
+
diff --git a/queue-4.14/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch b/queue-4.14/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch
new file mode 100644 (file)
index 0000000..bf63946
--- /dev/null
@@ -0,0 +1,48 @@
+From 08b3c7bb593c900f003eb338823ac74f68d15f5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Feb 2023 17:41:33 +0300
+Subject: wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 3cfb7df24cee0f5fdc4cc5d3176cab9aadfcb430 ]
+
+This code re-uses "i" to be the iterator for both the inside and outside
+loops.  It means the outside loop will exit earlier than intended.
+
+Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/Y+ERnaDaZD7RtLvX@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/11n.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
+index 2844f937cc659..1e4921d9061dc 100644
+--- a/drivers/net/wireless/marvell/mwifiex/11n.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n.c
+@@ -878,7 +878,7 @@ mwifiex_send_delba_txbastream_tbl(struct mwifiex_private *priv, u8 tid)
+  */
+ void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter)
+ {
+-      u8 i;
++      u8 i, j;
+       u32 tx_win_size;
+       struct mwifiex_private *priv;
+@@ -909,8 +909,8 @@ void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter)
+               if (tx_win_size != priv->add_ba_param.tx_win_size) {
+                       if (!priv->media_connected)
+                               continue;
+-                      for (i = 0; i < MAX_NUM_TID; i++)
+-                              mwifiex_send_delba_txbastream_tbl(priv, i);
++                      for (j = 0; j < MAX_NUM_TID; j++)
++                              mwifiex_send_delba_txbastream_tbl(priv, j);
+               }
+       }
+ }
+-- 
+2.39.2
+
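Review bot: In the second inner hunk of mwifiex_update_ampdu_txwinsize(), the new inner counter is named `j` although it is passed as the `tid` argument of mwifiex_send_delba_txbastream_tbl(). Naming it for what it is, `for (tid = 0; tid < MAX_NUM_TID; tid++)` with `u8 i, tid;` in the declaration, would make it harder to reintroduce the shared-iterator mistake this patch fixes. The outer loop that uses `i` is outside the hunks.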
diff --git a/queue-4.14/wifi-orinoco-check-return-value-of-hermes_write_word.patch b/queue-4.14/wifi-orinoco-check-return-value-of-hermes_write_word.patch
new file mode 100644 (file)
index 0000000..ee08cf0
--- /dev/null
@@ -0,0 +1,43 @@
+From 6114ddbfc3721144f9369c76fd179bd86c066c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Dec 2022 16:33:06 +0300
+Subject: wifi: orinoco: check return value of hermes_write_wordrec()
+
+From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+
+[ Upstream commit 1e346cbb096a5351a637ec1992beffbf330547f0 ]
+
+There is currently no return check for writing an authentication
+type (HERMES_AUTH_SHARED_KEY or HERMES_AUTH_OPEN). It looks like
+it was accidentally skipped.
+
+This patch adds a return check similar to the other checks in
+__orinoco_hw_setup_enc() for hermes_write_wordrec().
+
+Detected using the static analysis tool - Svace.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221227133306.201356-1-aleksei.kodanev@bell-sw.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/orinoco/hw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/hw.c b/drivers/net/wireless/intersil/orinoco/hw.c
+index 61af5a28f269f..af49aa421e47f 100644
+--- a/drivers/net/wireless/intersil/orinoco/hw.c
++++ b/drivers/net/wireless/intersil/orinoco/hw.c
+@@ -931,6 +931,8 @@ int __orinoco_hw_setup_enc(struct orinoco_private *priv)
+                       err = hermes_write_wordrec(hw, USER_BAP,
+                                       HERMES_RID_CNFAUTHENTICATION_AGERE,
+                                       auth_flag);
++                      if (err)
++                              return err;
+               }
+               err = hermes_write_wordrec(hw, USER_BAP,
+                                          HERMES_RID_CNFWEPENABLED_AGERE,
+-- 
+2.39.2
+
diff --git a/queue-4.14/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-4.14/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch
new file mode 100644 (file)
index 0000000..97c65d2
--- /dev/null
@@ -0,0 +1,47 @@
+From 0574d12abeaf2c32a056b42aac4b8e2df0a30507 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 22:35:17 +0800
+Subject: wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4c2005ac87685907b3719b4f40215b578efd27c4 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from hardware
+interrupt context or with hardware interrupts being disabled.
+
+It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
+The difference between them is free reason, dev_kfree_skb_irq() means
+the SKB is dropped in error and dev_consume_skb_irq() means the SKB
+is consumed in normal.
+
+In this case, dev_kfree_skb() is called to free and drop the SKB when
+it's shutdown, so replace it with dev_kfree_skb_irq(). Compile tested
+only.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221208143517.2383424-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index f7c879a7a1be3..c9fe9383026e2 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5101,7 +5101,7 @@ static void rtl8xxxu_queue_rx_urb(struct rtl8xxxu_priv *priv,
+               pending = priv->rx_urb_pending_count;
+       } else {
+               skb = (struct sk_buff *)rx_urb->urb.context;
+-              dev_kfree_skb(skb);
++              dev_kfree_skb_irq(skb);
+               usb_free_urb(&rx_urb->urb);
+       }
+-- 
+2.39.2
+
diff --git a/queue-4.14/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch b/queue-4.14/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch
new file mode 100644 (file)
index 0000000..7f3251b
--- /dev/null
@@ -0,0 +1,39 @@
+From 62b8b69151113f114279be189f1b520bcedde7a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 23:04:53 +0800
+Subject: wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 44bacbdf9066c590423259dbd6d520baac99c1a8 ]
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So replace kfree_skb()
+with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
+tested only.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221207150453.114742-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index f33ece9370473..cfde9b94b4b60 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1329,7 +1329,7 @@ static netdev_tx_t wl3501_hard_start_xmit(struct sk_buff *skb,
+       } else {
+               ++dev->stats.tx_packets;
+               dev->stats.tx_bytes += skb->len;
+-              kfree_skb(skb);
++              dev_kfree_skb_irq(skb);
+               if (this->tx_buffer_cnt < 2)
+                       netif_stop_queue(dev);
+-- 
+2.39.2
+
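Review bot: The replaced call in wl3501_hard_start_xmit() is in the branch that has just counted the packet as sent (`++dev->stats.tx_packets`), so `dev_kfree_skb_irq(skb);` reports a successfully transmitted buffer as a drop. `dev_consume_skb_irq(skb);` is the variant for a buffer consumed normally, as the rtl8xxxu patch description in this same queue explains. The lock that makes an _irq variant necessary is taken outside the hunk.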
diff --git a/queue-4.14/x86-bugs-reset-speculation-control-settings-on-init.patch b/queue-4.14/x86-bugs-reset-speculation-control-settings-on-init.patch
new file mode 100644 (file)
index 0000000..499af05
--- /dev/null
@@ -0,0 +1,75 @@
+From b88524bab80fcb164f449ae71d2b5104e1dc533f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 07:31:48 -0800
+Subject: x86/bugs: Reset speculation control settings on init
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 0125acda7d76b943ca55811df40ed6ec0ecf670f ]
+
+Currently, x86_spec_ctrl_base is read at boot time and speculative bits
+are set if Kconfig items are enabled. For example, IBRS is enabled if
+CONFIG_CPU_IBRS_ENTRY is configured, etc. These MSR bits are not cleared
+if the mitigations are disabled.
+
+This is a problem when kexec-ing a kernel that has the mitigation
+disabled from a kernel that has the mitigation enabled. In this case,
+the MSR bits are not cleared during the new kernel boot. As a result,
+this might have some performance degradation that is hard to pinpoint.
+
+This problem does not happen if the machine is (hard) rebooted because
+the bit will be cleared by default.
+
+  [ bp: Massage. ]
+
+Suggested-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20221128153148.1129350-1-leitao@debian.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/msr-index.h |  4 ++++
+ arch/x86/kernel/cpu/bugs.c       | 10 +++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index d7a344e0a8519..c71862d340485 100644
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -50,6 +50,10 @@
+ #define SPEC_CTRL_RRSBA_DIS_S_SHIFT   6          /* Disable RRSBA behavior */
+ #define SPEC_CTRL_RRSBA_DIS_S         BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT)
++/* A mask for bits which the kernel toggles when controlling mitigations */
++#define SPEC_CTRL_MITIGATIONS_MASK    (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD \
++                                                      | SPEC_CTRL_RRSBA_DIS_S)
++
+ #define MSR_IA32_PRED_CMD             0x00000049 /* Prediction Command */
+ #define PRED_CMD_IBPB                 BIT(0)     /* Indirect Branch Prediction Barrier */
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 80dfd84c3ca82..166c9e28f7bfe 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -135,9 +135,17 @@ void __init check_bugs(void)
+        * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
+        * init code as it is not enumerated and depends on the family.
+        */
+-      if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
++      if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) {
+               rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
++              /*
++               * Previously running kernel (kexec), may have some controls
++               * turned ON. Clear them and let the mitigations setup below
++               * rediscover them based on configuration.
++               */
++              x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK;
++      }
++
+       /* Select the proper CPU mitigations before patching alternatives: */
+       spectre_v1_select_mitigation();
+       spectre_v2_select_mitigation();
+-- 
+2.39.2
+
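Review bot: `SPEC_CTRL_MITIGATIONS_MASK` in the msr-index.h hunk is a hand-maintained list, so a SPEC_CTRL bit added later and left out of it would be inherited across kexec exactly as before this change. The comment above the macro should say so, e.g. `/* Bits the kernel toggles for mitigations; extend when a new SPEC_CTRL_* mitigation bit is added */`. In check_bugs() the new code only masks the cached `x86_spec_ctrl_base`; the MSR write that makes the cleared bits take effect is not in this hunk and presumably happens in the mitigation selection that follows, which is worth confirming on the 4.14 tree. The switch from `boot_cpu_has()` to `cpu_feature_enabled()` is not explained in the description.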