--- /dev/null
+From bc5c405171e99fd9b926b2a2928188f786caaea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 15:43:42 +0000
+Subject: af_packet: do not use READ_ONCE() in packet_bind()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6ffc57ea004234d9373c57b204fd10370a69f392 ]
+
+A recent patch added READ_ONCE() in packet_bind() and packet_bind_spkt()
+
+This is better handled by reading pkt_sk(sk)->num later
+in packet_do_bind() while appropriate lock is held.
+
+READ_ONCE() in writers are often an evidence of something being wrong.
+
+Fixes: 822b5a1c17df ("af_packet: Fix data-races of pkt_sk(sk)->num.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230526154342.2533026-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 131c347bba56b..228a409eb92da 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3153,6 +3153,9 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+
+ lock_sock(sk);
+ spin_lock(&po->bind_lock);
++ if (!proto)
++ proto = po->num;
++
+ rcu_read_lock();
+
+ if (po->fanout) {
+@@ -3255,7 +3258,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
+ memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data));
+ name[sizeof(uaddr->sa_data)] = 0;
+
+- return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num));
++ return packet_do_bind(sk, name, 0, 0);
+ }
+
+ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+@@ -3272,8 +3275,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
+ if (sll->sll_family != AF_PACKET)
+ return -EINVAL;
+
+- return packet_do_bind(sk, NULL, sll->sll_ifindex,
+- sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num));
++ return packet_do_bind(sk, NULL, sll->sll_ifindex, sll->sll_protocol);
+ }
+
+ static struct proto packet_proto = {
+--
+2.39.2
+
--- /dev/null
+From 4ac25a69183b70b775b56c7d56e926332519ce66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 16:29:34 -0700
+Subject: af_packet: Fix data-races of pkt_sk(sk)->num.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 822b5a1c17df7e338b9f05d1cfe5764e37c7f74f ]
+
+syzkaller found a data race of pkt_sk(sk)->num.
+
+The value is changed under lock_sock() and po->bind_lock, so we
+need READ_ONCE() to access pkt_sk(sk)->num without these locks in
+packet_bind_spkt(), packet_bind(), and sk_diag_fill().
+
+Note that WRITE_ONCE() is already added by commit c7d2ef5dd4b0
+("net/packet: annotate accesses to po->bind").
+
+BUG: KCSAN: data-race in packet_bind / packet_do_bind
+
+write (marked) to 0xffff88802ffd1cee of 2 bytes by task 7322 on cpu 0:
+ packet_do_bind+0x446/0x640 net/packet/af_packet.c:3236
+ packet_bind+0x99/0xe0 net/packet/af_packet.c:3321
+ __sys_bind+0x19b/0x1e0 net/socket.c:1803
+ __do_sys_bind net/socket.c:1814 [inline]
+ __se_sys_bind net/socket.c:1812 [inline]
+ __x64_sys_bind+0x40/0x50 net/socket.c:1812
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+read to 0xffff88802ffd1cee of 2 bytes by task 7318 on cpu 1:
+ packet_bind+0xbf/0xe0 net/packet/af_packet.c:3322
+ __sys_bind+0x19b/0x1e0 net/socket.c:1803
+ __do_sys_bind net/socket.c:1814 [inline]
+ __se_sys_bind net/socket.c:1812 [inline]
+ __x64_sys_bind+0x40/0x50 net/socket.c:1812
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+value changed: 0x0300 -> 0x0000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 7318 Comm: syz-executor.4 Not tainted 6.3.0-13380-g7fddb5b5300c #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 96ec6327144e ("packet: Diag core and basic socket info dumping")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230524232934.50950-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 4 ++--
+ net/packet/diag.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2089da69da103..131c347bba56b 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3255,7 +3255,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
+ memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data));
+ name[sizeof(uaddr->sa_data)] = 0;
+
+- return packet_do_bind(sk, name, 0, pkt_sk(sk)->num);
++ return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num));
+ }
+
+ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+@@ -3273,7 +3273,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
+ return -EINVAL;
+
+ return packet_do_bind(sk, NULL, sll->sll_ifindex,
+- sll->sll_protocol ? : pkt_sk(sk)->num);
++ sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num));
+ }
+
+ static struct proto packet_proto = {
+diff --git a/net/packet/diag.c b/net/packet/diag.c
+index d9f912ad23dfa..ecabf78d29b8e 100644
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -142,7 +142,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+ rp = nlmsg_data(nlh);
+ rp->pdiag_family = AF_PACKET;
+ rp->pdiag_type = sk->sk_type;
+- rp->pdiag_num = ntohs(po->num);
++ rp->pdiag_num = ntohs(READ_ONCE(po->num));
+ rp->pdiag_ino = sk_ino;
+ sock_diag_save_cookie(sk, rp->pdiag_cookie);
+
+--
+2.39.2
+
--- /dev/null
+From 57afe6aa2c96e598aaebbc263d2ac3580fa1ece5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 21:50:42 +0200
+Subject: ALSA: oss: avoid missing-prototype warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 040b5a046a9e18098580d3ccd029e2318fca7859 ]
+
+Two functions are defined and used in pcm_oss.c but also optionally
+used from io.c, with an optional prototype. If CONFIG_SND_PCM_OSS_PLUGINS
+is disabled, this causes a warning as the functions are not static
+and have no prototype:
+
+sound/core/oss/pcm_oss.c:1235:19: error: no previous prototype for 'snd_pcm_oss_write3' [-Werror=missing-prototypes]
+sound/core/oss/pcm_oss.c:1266:19: error: no previous prototype for 'snd_pcm_oss_read3' [-Werror=missing-prototypes]
+
+Avoid this by making the prototypes unconditional.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230516195046.550584-2-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/oss/pcm_plugin.h | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sound/core/oss/pcm_plugin.h b/sound/core/oss/pcm_plugin.h
+index c9cd29d86efda..64a2057aa0610 100644
+--- a/sound/core/oss/pcm_plugin.h
++++ b/sound/core/oss/pcm_plugin.h
+@@ -156,6 +156,14 @@ int snd_pcm_area_copy(const struct snd_pcm_channel_area *src_channel,
+
+ void *snd_pcm_plug_buf_alloc(struct snd_pcm_substream *plug, snd_pcm_uframes_t size);
+ void snd_pcm_plug_buf_unlock(struct snd_pcm_substream *plug, void *ptr);
++#else
++
++static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; }
++static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; }
++static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; }
++
++#endif
++
+ snd_pcm_sframes_t snd_pcm_oss_write3(struct snd_pcm_substream *substream,
+ const char *ptr, snd_pcm_uframes_t size,
+ int in_kernel);
+@@ -166,14 +174,6 @@ snd_pcm_sframes_t snd_pcm_oss_writev3(struct snd_pcm_substream *substream,
+ snd_pcm_sframes_t snd_pcm_oss_readv3(struct snd_pcm_substream *substream,
+ void **bufs, snd_pcm_uframes_t frames);
+
+-#else
+-
+-static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; }
+-static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; }
+-static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; }
+-
+-#endif
+-
+ #ifdef PLUGIN_DEBUG
+ #define pdprintf(fmt, args...) printk(KERN_DEBUG "plugin: " fmt, ##args)
+ #else
+--
+2.39.2
+
--- /dev/null
+From 2d5debb2803d79e9572c26d56a576e86eab84670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 10:17:07 +0100
+Subject: ARM: 9295/1: unwind:fix unwind abort for uleb128 case
+
+From: Haibo Li <haibo.li@mediatek.com>
+
+[ Upstream commit fa3eeb638de0c1a9d2d860e5b48259facdd65176 ]
+
+When unwind instruction is 0xb2,the subsequent instructions
+are uleb128 bytes.
+For now,it uses only the first uleb128 byte in code.
+
+For vsp increments of 0x204~0x400,use one uleb128 byte like below:
+0xc06a00e4 <unwind_test_work>: 0x80b27fac
+ Compact model index: 0
+ 0xb2 0x7f vsp = vsp + 1024
+ 0xac pop {r4, r5, r6, r7, r8, r14}
+
+For vsp increments larger than 0x400,use two uleb128 bytes like below:
+0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
+ Compact model index: 1
+ 0xb2 0x81 0x01 vsp = vsp + 1032
+ 0xac pop {r4, r5, r6, r7, r8, r14}
+The unwind works well since the decoded uleb128 byte is also 0x81.
+
+For vsp increments larger than 0x600,use two uleb128 bytes like below:
+0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
+ Compact model index: 1
+ 0xb2 0x81 0x02 vsp = vsp + 1544
+ 0xac pop {r4, r5, r6, r7, r8, r14}
+In this case,the decoded uleb128 result is 0x101(vsp=0x204+(0x101<<2)).
+While the uleb128 used in code is 0x81(vsp=0x204+(0x81<<2)).
+The unwind aborts at this frame since it gets incorrect vsp.
+
+To fix this,add uleb128 decode to cover all the above case.
+
+Signed-off-by: Haibo Li <haibo.li@mediatek.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/unwind.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c
+index 314cfb232a635..f2bb090373c67 100644
+--- a/arch/arm/kernel/unwind.c
++++ b/arch/arm/kernel/unwind.c
+@@ -313,6 +313,29 @@ static int unwind_exec_pop_subset_r0_to_r3(struct unwind_ctrl_block *ctrl,
+ return URC_OK;
+ }
+
++static unsigned long unwind_decode_uleb128(struct unwind_ctrl_block *ctrl)
++{
++ unsigned long bytes = 0;
++ unsigned long insn;
++ unsigned long result = 0;
++
++ /*
++ * unwind_get_byte() will advance `ctrl` one instruction at a time, so
++ * loop until we get an instruction byte where bit 7 is not set.
++ *
++ * Note: This decodes a maximum of 4 bytes to output 28 bits data where
++ * max is 0xfffffff: that will cover a vsp increment of 1073742336, hence
++ * it is sufficient for unwinding the stack.
++ */
++ do {
++ insn = unwind_get_byte(ctrl);
++ result |= (insn & 0x7f) << (bytes * 7);
++ bytes++;
++ } while (!!(insn & 0x80) && (bytes != sizeof(result)));
++
++ return result;
++}
++
+ /*
+ * Execute the current unwind instruction.
+ */
+@@ -366,7 +389,7 @@ static int unwind_exec_insn(struct unwind_ctrl_block *ctrl)
+ if (ret)
+ goto error;
+ } else if (insn == 0xb2) {
+- unsigned long uleb128 = unwind_get_byte(ctrl);
++ unsigned long uleb128 = unwind_decode_uleb128(ctrl);
+
+ ctrl->vrs[SP] += 0x204 + (uleb128 << 2);
+ } else {
+--
+2.39.2
+
--- /dev/null
+From eb192091e6cd6f0d2b81262d05617e0b907479a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 09:28:20 +0300
+Subject: ASoC: dwc: limit the number of overrun messages
+
+From: Maxim Kochetkov <fido_max@inbox.ru>
+
+[ Upstream commit ab6ecfbf40fccf74b6ec2ba7ed6dd2fc024c3af2 ]
+
+On slow CPU (FPGA/QEMU emulated) printing overrun messages from
+interrupt handler to uart console may leads to more overrun errors.
+So use dev_err_ratelimited to limit the number of error messages.
+
+Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru
+Link: https://lore.kernel.org/r/20230505062820.21840-1-fido_max@inbox.ru
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/dwc/dwc-i2s.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/dwc/dwc-i2s.c b/sound/soc/dwc/dwc-i2s.c
+index e27e21f8569a0..e6a0ec3c0e764 100644
+--- a/sound/soc/dwc/dwc-i2s.c
++++ b/sound/soc/dwc/dwc-i2s.c
+@@ -132,13 +132,13 @@ static irqreturn_t i2s_irq_handler(int irq, void *dev_id)
+
+ /* Error Handling: TX */
+ if (isr[i] & ISR_TXFO) {
+- dev_err(dev->dev, "TX overrun (ch_id=%d)\n", i);
++ dev_err_ratelimited(dev->dev, "TX overrun (ch_id=%d)\n", i);
+ irq_valid = true;
+ }
+
+ /* Error Handling: TX */
+ if (isr[i] & ISR_RXFO) {
+- dev_err(dev->dev, "RX overrun (ch_id=%d)\n", i);
++ dev_err_ratelimited(dev->dev, "RX overrun (ch_id=%d)\n", i);
+ irq_valid = true;
+ }
+ }
+--
+2.39.2
+
--- /dev/null
+From 93c10d28eb3f11c2962c41102669152b83612e47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 13:30:37 +0200
+Subject: ASoC: ssm2602: Add workaround for playback distortions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paweł Anikiel <pan@semihalf.com>
+
+[ Upstream commit f63550e2b165208a2f382afcaf5551df9569e1d4 ]
+
+Apply a workaround for what appears to be a hardware quirk.
+
+The problem seems to happen when enabling "whole chip power" (bit D7
+register R6) for the very first time after the chip receives power. If
+either "output" (D4) or "DAC" (D3) aren't powered on at that time,
+playback becomes very distorted later on.
+
+This happens on the Google Chameleon v3, as well as on a ZYBO Z7-10:
+https://ez.analog.com/audio/f/q-a/543726/solved-ssm2603-right-output-offset-issue/480229
+I suspect this happens only when using an external MCLK signal (which
+is the case for both of these boards).
+
+Here are some experiments run on a Google Chameleon v3. These were run
+in userspace using a wrapper around the i2cset utility:
+ssmset() {
+ i2cset -y 0 0x1a $(($1*2)) $2
+}
+
+For each of the following sequences, we apply power to the ssm2603
+chip, set the configuration registers R0-R5 and R7-R8, run the selected
+sequence, and check for distortions on playback.
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x07 # chip, out, dac
+ OK
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x87 # out, dac
+ ssmset 0x06 0x07 # chip
+ OK
+
+ (disable MCLK)
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x1f # chip
+ ssmset 0x06 0x07 # out, dac
+ (enable MCLK)
+ OK
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x1f # chip
+ ssmset 0x06 0x07 # out, dac
+ NOT OK
+
+ ssmset 0x06 0x1f # chip
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x07 # out, dac
+ NOT OK
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x0f # chip, out
+ ssmset 0x06 0x07 # dac
+ NOT OK
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x17 # chip, dac
+ ssmset 0x06 0x07 # out
+ NOT OK
+
+For each of the following sequences, we apply power to the ssm2603
+chip, run the selected sequence, issue a reset with R15, configure
+R0-R5 and R7-R8, run one of the NOT OK sequences from above, and check
+for distortions.
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x07 # chip, out, dac
+ OK
+
+ (disable MCLK)
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x07 # chip, out, dac
+ (enable MCLK after reset)
+ NOT OK
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x17 # chip, dac
+ NOT OK
+
+ ssmset 0x09 0x01 # core
+ ssmset 0x06 0x0f # chip, out
+ NOT OK
+
+ ssmset 0x06 0x07 # chip, out, dac
+ NOT OK
+
+Signed-off-by: Paweł Anikiel <pan@semihalf.com
+Link: https://lore.kernel.org/r/20230508113037.137627-8-pan@semihalf.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/ssm2602.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c
+index 5e80867d09ef7..256e5af6690b7 100644
+--- a/sound/soc/codecs/ssm2602.c
++++ b/sound/soc/codecs/ssm2602.c
+@@ -67,6 +67,18 @@ static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = {
+ { .reg = 0x09, .def = 0x0000 }
+ };
+
++/*
++ * ssm2602 register patch
++ * Workaround for playback distortions after power up: activates digital
++ * core, and then powers on output, DAC, and whole chip at the same time
++ */
++
++static const struct reg_sequence ssm2602_patch[] = {
++ { SSM2602_ACTIVE, 0x01 },
++ { SSM2602_PWR, 0x07 },
++ { SSM2602_RESET, 0x00 },
++};
++
+
+ /*Appending several "None"s just for OSS mixer use*/
+ static const char *ssm2602_input_select[] = {
+@@ -577,6 +589,9 @@ static int ssm260x_codec_probe(struct snd_soc_codec *codec)
+ return ret;
+ }
+
++ regmap_register_patch(ssm2602->regmap, ssm2602_patch,
++ ARRAY_SIZE(ssm2602_patch));
++
+ /* set the update bits */
+ regmap_update_bits(ssm2602->regmap, SSM2602_LINVOL,
+ LINVOL_LRIN_BOTH, LINVOL_LRIN_BOTH);
+--
+2.39.2
+
--- /dev/null
+From 567f1e5a7b0fd91f168931b3325f29effcf798e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 21:45:34 +0200
+Subject: atm: hide unused procfs functions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit fb1b7be9b16c1f4626969ba4e95a97da2a452b41 ]
+
+When CONFIG_PROC_FS is disabled, the function declarations for some
+procfs functions are hidden, but the definitions are still build,
+as shown by this compiler warning:
+
+net/atm/resources.c:403:7: error: no previous prototype for 'atm_dev_seq_start' [-Werror=missing-prototypes]
+net/atm/resources.c:409:6: error: no previous prototype for 'atm_dev_seq_stop' [-Werror=missing-prototypes]
+net/atm/resources.c:414:7: error: no previous prototype for 'atm_dev_seq_next' [-Werror=missing-prototypes]
+
+Add another #ifdef to leave these out of the build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230516194625.549249-2-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index bada395ecdb18..9389080224f87 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -447,6 +447,7 @@ int atm_dev_ioctl(unsigned int cmd, void __user *arg, int compat)
+ return error;
+ }
+
++#ifdef CONFIG_PROC_FS
+ void *atm_dev_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+ mutex_lock(&atm_dev_mutex);
+@@ -462,3 +463,4 @@ void *atm_dev_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+ {
+ return seq_list_next(v, &atm_devs, pos);
+ }
++#endif
+--
+2.39.2
+
--- /dev/null
+From 3690f12633fd7462ec6cc4ec40cd1230f0710db3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 21:53:10 -0700
+Subject: dmaengine: pl330: rename _start to prevent build error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit a1a5f2c887252dec161c1e12e04303ca9ba56fa9 ]
+
+"_start" is used in several arches and proably should be reserved
+for ARCH usage. Using it in a driver for a private symbol can cause
+a build error when it conflicts with ARCH usage of the same symbol.
+
+Therefore rename pl330's "_start" to "pl330_start_thread" so that there
+is no conflict and no build error.
+
+drivers/dma/pl330.c:1053:13: error: '_start' redeclared as different kind of symbol
+ 1053 | static bool _start(struct pl330_thread *thrd)
+ | ^~~~~~
+In file included from ../include/linux/interrupt.h:21,
+ from ../drivers/dma/pl330.c:18:
+arch/riscv/include/asm/sections.h:11:13: note: previous declaration of '_start' with type 'char[]'
+ 11 | extern char _start[];
+ | ^~~~~~
+
+Fixes: b7d861d93945 ("DMA: PL330: Merge PL330 driver into drivers/dma/")
+Fixes: ae43b3289186 ("ARM: 8202/1: dmaengine: pl330: Add runtime Power Management support v12")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jaswinder Singh <jassisinghbrar@gmail.com>
+Cc: Boojin Kim <boojin.kim@samsung.com>
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: dmaengine@vger.kernel.org
+Cc: linux-riscv@lists.infradead.org
+Link: https://lore.kernel.org/r/20230524045310.27923-1-rdunlap@infradead.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pl330.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index a8cea236099a1..982b69d017cda 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -1041,7 +1041,7 @@ static bool _trigger(struct pl330_thread *thrd)
+ return true;
+ }
+
+-static bool _start(struct pl330_thread *thrd)
++static bool pl330_start_thread(struct pl330_thread *thrd)
+ {
+ switch (_state(thrd)) {
+ case PL330_STATE_FAULT_COMPLETING:
+@@ -1584,7 +1584,7 @@ static int pl330_update(struct pl330_dmac *pl330)
+ thrd->req_running = -1;
+
+ /* Get going again ASAP */
+- _start(thrd);
++ pl330_start_thread(thrd);
+
+ /* For now, just make a list of callbacks to be done */
+ list_add_tail(&descdone->rqd, &pl330->req_done);
+@@ -1974,7 +1974,7 @@ static void pl330_tasklet(unsigned long data)
+ } else {
+ /* Make sure the PL330 Channel thread is active */
+ spin_lock(&pch->thread->dmac->lock);
+- _start(pch->thread);
++ pl330_start_thread(pch->thread);
+ spin_unlock(&pch->thread->dmac->lock);
+ }
+
+@@ -1992,7 +1992,7 @@ static void pl330_tasklet(unsigned long data)
+ if (power_down) {
+ pch->active = true;
+ spin_lock(&pch->thread->dmac->lock);
+- _start(pch->thread);
++ pl330_start_thread(pch->thread);
+ spin_unlock(&pch->thread->dmac->lock);
+ power_down = false;
+ }
+--
+2.39.2
+
--- /dev/null
+From a56f1a505aaa41bbb3a06a4bc7c5dc1e06e16a2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Apr 2023 23:24:26 +0200
+Subject: fbdev: modedb: Add 1920x1080 at 60 Hz video mode
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit c8902258b2b8ecaa1b8d88c312853c5b14c2553d ]
+
+Add typical resolution for Full-HD monitors.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/modedb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c
+index a9d76e1b43781..d02712548a3e4 100644
+--- a/drivers/video/fbdev/core/modedb.c
++++ b/drivers/video/fbdev/core/modedb.c
+@@ -257,6 +257,11 @@ static const struct fb_videomode modedb[] = {
+ { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0,
+ FB_VMODE_DOUBLE },
+
++ /* 1920x1080 @ 60 Hz, 67.3 kHz hsync */
++ { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5, 0,
++ FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
++ FB_VMODE_NONINTERLACED },
++
+ /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
+ { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
+ FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
+--
+2.39.2
+
--- /dev/null
+From 2daa5ef5205aadc2e3f52079abd0044213f0569a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 11:50:33 +0200
+Subject: fbdev: stifb: Fix info entry in sti_struct on error path
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 0bdf1ad8d10bd4e50a8b1a2c53d15984165f7fea ]
+
+Minor fix to reset the info field to NULL in case of error.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/stifb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/stifb.c b/drivers/video/fbdev/stifb.c
+index 9313562e739e1..16eed250fd8f3 100644
+--- a/drivers/video/fbdev/stifb.c
++++ b/drivers/video/fbdev/stifb.c
+@@ -1373,6 +1373,7 @@ static int __init stifb_init_fb(struct sti_struct *sti, int bpp_pref)
+ iounmap(info->screen_base);
+ out_err0:
+ kfree(fb);
++ sti->info = NULL;
+ return -ENXIO;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From f0328fcd5b22cd1f947e8ee01d62d0dee519586e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 12:22:09 +0300
+Subject: mailbox: mailbox-test: fix a locking issue in
+ mbox_test_message_write()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 8fe72b76db79d694858e872370df49676bc3be8c ]
+
+There was a bug where this code forgot to unlock the tdev->mutex if the
+kzalloc() failed. Fix this issue, by moving the allocation outside the
+lock.
+
+Fixes: 2d1e952a2b8e ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-test.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
+index c23acd994d783..1dbbc9036bb8e 100644
+--- a/drivers/mailbox/mailbox-test.c
++++ b/drivers/mailbox/mailbox-test.c
+@@ -101,6 +101,7 @@ static ssize_t mbox_test_message_write(struct file *filp,
+ size_t count, loff_t *ppos)
+ {
+ struct mbox_test_device *tdev = filp->private_data;
++ char *message;
+ void *data;
+ int ret;
+
+@@ -116,12 +117,13 @@ static ssize_t mbox_test_message_write(struct file *filp,
+ return -EINVAL;
+ }
+
+- mutex_lock(&tdev->mutex);
+-
+- tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
+- if (!tdev->message)
++ message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
++ if (!message)
+ return -ENOMEM;
+
++ mutex_lock(&tdev->mutex);
++
++ tdev->message = message;
+ ret = copy_from_user(tdev->message, userbuf, count);
+ if (ret) {
+ ret = -EFAULT;
+--
+2.39.2
+
--- /dev/null
+From b41cf00a97124ba8774ad4809fad8828b5e4e14a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 08:27:18 +0100
+Subject: mailbox: mailbox-test: Fix potential double-free in
+ mbox_test_message_write()
+
+From: Lee Jones <lee@kernel.org>
+
+[ Upstream commit 2d1e952a2b8e5e92d8d55ac88a7cf7ca5ea591ad ]
+
+If a user can make copy_from_user() fail, there is a potential for
+UAF/DF due to a lack of locking around the allocation, use and freeing
+of the data buffers.
+
+This issue is not theoretical. I managed to author a POC for it:
+
+ BUG: KASAN: double-free in kfree+0x5c/0xac
+ Free of addr ffff29280be5de00 by task poc/356
+ CPU: 1 PID: 356 Comm: poc Not tainted 6.1.0-00001-g961aa6552c04-dirty #20
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ dump_backtrace.part.0+0xe0/0xf0
+ show_stack+0x18/0x40
+ dump_stack_lvl+0x64/0x80
+ print_report+0x188/0x48c
+ kasan_report_invalid_free+0xa0/0xc0
+ ____kasan_slab_free+0x174/0x1b0
+ __kasan_slab_free+0x18/0x24
+ __kmem_cache_free+0x130/0x2e0
+ kfree+0x5c/0xac
+ mbox_test_message_write+0x208/0x29c
+ full_proxy_write+0x90/0xf0
+ vfs_write+0x154/0x440
+ ksys_write+0xcc/0x180
+ __arm64_sys_write+0x44/0x60
+ invoke_syscall+0x60/0x190
+ el0_svc_common.constprop.0+0x7c/0x160
+ do_el0_svc+0x40/0xf0
+ el0_svc+0x2c/0x6c
+ el0t_64_sync_handler+0xf4/0x120
+ el0t_64_sync+0x18c/0x190
+
+ Allocated by task 356:
+ kasan_save_stack+0x3c/0x70
+ kasan_set_track+0x2c/0x40
+ kasan_save_alloc_info+0x24/0x34
+ __kasan_kmalloc+0xb8/0xc0
+ kmalloc_trace+0x58/0x70
+ mbox_test_message_write+0x6c/0x29c
+ full_proxy_write+0x90/0xf0
+ vfs_write+0x154/0x440
+ ksys_write+0xcc/0x180
+ __arm64_sys_write+0x44/0x60
+ invoke_syscall+0x60/0x190
+ el0_svc_common.constprop.0+0x7c/0x160
+ do_el0_svc+0x40/0xf0
+ el0_svc+0x2c/0x6c
+ el0t_64_sync_handler+0xf4/0x120
+ el0t_64_sync+0x18c/0x190
+
+ Freed by task 357:
+ kasan_save_stack+0x3c/0x70
+ kasan_set_track+0x2c/0x40
+ kasan_save_free_info+0x38/0x5c
+ ____kasan_slab_free+0x13c/0x1b0
+ __kasan_slab_free+0x18/0x24
+ __kmem_cache_free+0x130/0x2e0
+ kfree+0x5c/0xac
+ mbox_test_message_write+0x208/0x29c
+ full_proxy_write+0x90/0xf0
+ vfs_write+0x154/0x440
+ ksys_write+0xcc/0x180
+ __arm64_sys_write+0x44/0x60
+ invoke_syscall+0x60/0x190
+ el0_svc_common.constprop.0+0x7c/0x160
+ do_el0_svc+0x40/0xf0
+ el0_svc+0x2c/0x6c
+ el0t_64_sync_handler+0xf4/0x120
+ el0t_64_sync+0x18c/0x190
+
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-test.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
+index 546ba140f83d2..c23acd994d783 100644
+--- a/drivers/mailbox/mailbox-test.c
++++ b/drivers/mailbox/mailbox-test.c
+@@ -16,6 +16,7 @@
+ #include <linux/kernel.h>
+ #include <linux/mailbox_client.h>
+ #include <linux/module.h>
++#include <linux/mutex.h>
+ #include <linux/of.h>
+ #include <linux/platform_device.h>
+ #include <linux/poll.h>
+@@ -43,6 +44,7 @@ struct mbox_test_device {
+ char *signal;
+ char *message;
+ spinlock_t lock;
++ struct mutex mutex;
+ wait_queue_head_t waitq;
+ struct fasync_struct *async_queue;
+ };
+@@ -114,6 +116,8 @@ static ssize_t mbox_test_message_write(struct file *filp,
+ return -EINVAL;
+ }
+
++ mutex_lock(&tdev->mutex);
++
+ tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
+ if (!tdev->message)
+ return -ENOMEM;
+@@ -148,6 +152,8 @@ static ssize_t mbox_test_message_write(struct file *filp,
+ kfree(tdev->message);
+ tdev->signal = NULL;
+
++ mutex_unlock(&tdev->mutex);
++
+ return ret < 0 ? ret : count;
+ }
+
+@@ -396,6 +402,7 @@ static int mbox_test_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, tdev);
+
+ spin_lock_init(&tdev->lock);
++ mutex_init(&tdev->mutex);
+
+ if (tdev->rx_channel) {
+ tdev->rx_buffer = devm_kzalloc(&pdev->dev,
+--
+2.39.2
+
--- /dev/null
+From 49ac18cb84d902d2610f8cf63671d8e31061c1f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 16:18:00 +0100
+Subject: media: dvb-core: Fix kernel WARNING for blocking operation in
+ wait_event*()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b8c75e4a1b325ea0a9433fa8834be97b5836b946 ]
+
+Using a semaphore in the wait_event*() condition is no good idea.
+It hits a kernel WARN_ON() at prepare_to_wait_event() like:
+ do not call blocking ops when !TASK_RUNNING; state=1 set at
+ prepare_to_wait_event+0x6d/0x690
+
+For avoiding the potential deadlock, rewrite to an open-coded loop
+instead. Unlike the loop in wait_event*(), this uses wait_woken()
+after the condition check, hence the task state stays consistent.
+
+CVE-2023-31084 was assigned to this bug.
+
+Link: https://lore.kernel.org/r/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com/
+
+Link: https://lore.kernel.org/linux-media/20230512151800.1874-1-tiwai@suse.de
+Reported-by: Yu Hao <yhao016@ucr.edu>
+Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-31084
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index e3a4a4688c2ec..651234584eb2c 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -301,14 +301,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe,
+ }
+
+ if (events->eventw == events->eventr) {
+- int ret;
++ struct wait_queue_entry wait;
++ int ret = 0;
+
+ if (flags & O_NONBLOCK)
+ return -EWOULDBLOCK;
+
+- ret = wait_event_interruptible(events->wait_queue,
+- dvb_frontend_test_event(fepriv, events));
+-
++ init_waitqueue_entry(&wait, current);
++ add_wait_queue(&events->wait_queue, &wait);
++ while (!dvb_frontend_test_event(fepriv, events)) {
++ wait_woken(&wait, TASK_INTERRUPTIBLE, 0);
++ if (signal_pending(current)) {
++ ret = -ERESTARTSYS;
++ break;
++ }
++ }
++ remove_wait_queue(&events->wait_queue, &wait);
+ if (ret < 0)
+ return ret;
+ }
+--
+2.39.2
+
--- /dev/null
+From 3e0b3ec1f15b3527c81ebb5a822d7ee1c8f99b3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 06:33:08 +0000
+Subject: media: dvb-core: Fix use-after-free due to race condition at
+ dvb_ca_en50221
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+[ Upstream commit 280a8ab81733da8bc442253c700a52c4c0886ffd ]
+
+If the device node of dvb_ca_en50221 is open() and the
+device is disconnected, a UAF may occur when calling
+close() on the device node.
+
+The root cause is that wake_up() and wait_event() for
+dvbdev->wait_queue are not implemented.
+
+So implement wait_event() function in dvb_ca_en50221_release()
+and add 'remove_mutex' which prevents race condition
+for 'ca->exit'.
+
+[mchehab: fix a checkpatch warning]
+
+Link: https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_ca_en50221.c | 37 ++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
+index 56114d85510f5..5dc8b2d143520 100644
+--- a/drivers/media/dvb-core/dvb_ca_en50221.c
++++ b/drivers/media/dvb-core/dvb_ca_en50221.c
+@@ -161,6 +161,12 @@ struct dvb_ca_private {
+
+ /* mutex serializing ioctls */
+ struct mutex ioctl_mutex;
++
++ /* A mutex used when a device is disconnected */
++ struct mutex remove_mutex;
++
++ /* Whether the device is disconnected */
++ int exit;
+ };
+
+ static void dvb_ca_private_free(struct dvb_ca_private *ca)
+@@ -1713,12 +1719,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
+
+ dprintk("%s\n", __func__);
+
+- if (!try_module_get(ca->pub->owner))
++ mutex_lock(&ca->remove_mutex);
++
++ if (ca->exit) {
++ mutex_unlock(&ca->remove_mutex);
++ return -ENODEV;
++ }
++
++ if (!try_module_get(ca->pub->owner)) {
++ mutex_unlock(&ca->remove_mutex);
+ return -EIO;
++ }
+
+ err = dvb_generic_open(inode, file);
+ if (err < 0) {
+ module_put(ca->pub->owner);
++ mutex_unlock(&ca->remove_mutex);
+ return err;
+ }
+
+@@ -1743,6 +1759,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
+
+ dvb_ca_private_get(ca);
+
++ mutex_unlock(&ca->remove_mutex);
+ return 0;
+ }
+
+@@ -1762,6 +1779,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
+
+ dprintk("%s\n", __func__);
+
++ mutex_lock(&ca->remove_mutex);
++
+ /* mark the CA device as closed */
+ ca->open = 0;
+ dvb_ca_en50221_thread_update_delay(ca);
+@@ -1772,6 +1791,13 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
+
+ dvb_ca_private_put(ca);
+
++ if (dvbdev->users == 1 && ca->exit == 1) {
++ mutex_unlock(&ca->remove_mutex);
++ wake_up(&dvbdev->wait_queue);
++ } else {
++ mutex_unlock(&ca->remove_mutex);
++ }
++
+ return err;
+ }
+
+@@ -1896,6 +1922,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter,
+ }
+
+ mutex_init(&ca->ioctl_mutex);
++ mutex_init(&ca->remove_mutex);
+
+ if (signal_pending(current)) {
+ ret = -EINTR;
+@@ -1939,6 +1966,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca)
+
+ dprintk("%s\n", __func__);
+
++ mutex_lock(&ca->remove_mutex);
++ ca->exit = 1;
++ mutex_unlock(&ca->remove_mutex);
++
++ if (ca->dvbdev->users < 1)
++ wait_event(ca->dvbdev->wait_queue,
++ ca->dvbdev->users == 1);
++
+ /* shutdown the thread if there was one */
+ kthread_stop(ca->thread);
+
+--
+2.39.2
+
--- /dev/null
+From 1837f24ac2128049c9e34c0fce34c735e532032e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 16:56:04 +0000
+Subject: media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 858e97d7956d17a2cb56a9413468704a4d5abfe1 ]
+
+In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null,
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in
+az6027_i2c_xfer()") fix the null-ptr-deref bug when msg[i].addr is 0x99.
+However, null-ptr-deref also happens when msg[i].addr is 0xd0 and 0xc0.
+We add check on msg[i].len to prevent null-ptr-deref.
+
+Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/az6027.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
+index f2b5ba1d28098..05988c5ce63ca 100644
+--- a/drivers/media/usb/dvb-usb/az6027.c
++++ b/drivers/media/usb/dvb-usb/az6027.c
+@@ -991,6 +991,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
+ /* write/read request */
+ if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) {
+ req = 0xB9;
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
+ value = msg[i].addr + (msg[i].len << 8);
+ length = msg[i + 1].len + 6;
+@@ -1004,6 +1008,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
+
+ /* demod 16bit addr */
+ req = 0xBD;
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
+ value = msg[i].addr + (2 << 8);
+ length = msg[i].len - 2;
+@@ -1029,6 +1037,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
+ } else {
+
+ req = 0xBD;
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ index = msg[i].buf[0] & 0x00FF;
+ value = msg[i].addr + (1 << 8);
+ length = msg[i].len - 1;
+--
+2.39.2
+
--- /dev/null
+From 45ed9cc9b484d2a24ab14f00e8debc581c4f34af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 09:50:08 +0000
+Subject: media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 9ded5bd2a49ce3015b7c936743eec0a0e6e11f0c ]
+
+In digitv_i2c_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach digitv_i2c_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen. We add
+check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/20230313095008.1039689-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/digitv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c
+index 20d33f0544ed2..0e2cffa946f69 100644
+--- a/drivers/media/usb/dvb-usb/digitv.c
++++ b/drivers/media/usb/dvb-usb/digitv.c
+@@ -66,6 +66,10 @@ static int digitv_i2c_xfer(struct i2c_adapter *adap,struct i2c_msg msg[],int num
+ warn("more than 2 i2c messages at a time is not handled yet. TODO.");
+
+ for (i = 0; i < num; i++) {
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ /* write/read request */
+ if (i+1 < num && (msg[i+1].flags & I2C_M_RD)) {
+ if (digitv_ctrl_msg(d, USB_READ_COFDM, msg[i].buf[0], NULL, 0,
+--
+2.39.2
+
--- /dev/null
+From 8953fb9face88fc6ad0af250ca5e6e246ea5a2a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Mar 2023 13:44:16 +0100
+Subject: media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit a3fd1ef27aa686d871cefe207bd6168c4b0cd29e ]
+
+In su3000_read_mac_address, if i2c_transfer fails to execute two
+messages, array mac address will not be initialized. Without handling
+such error, later in function dvb_usb_adapter_dvb_init, proposed_mac
+is accessed before initialization.
+
+Fix this error by returning a negative value if message execution fails.
+
+Link: https://lore.kernel.org/linux-media/20230328124416.560889-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
+index 98770a95721b9..2c9c4432a0e65 100644
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -951,7 +951,7 @@ static int su3000_read_mac_address(struct dvb_usb_device *d, u8 mac[6])
+ for (i = 0; i < 6; i++) {
+ obuf[1] = 0xf0 + i;
+ if (i2c_transfer(&d->i2c_adap, msg, 2) != 2)
+- break;
++ return -1;
+ else
+ mac[i] = ibuf[0];
+ }
+--
+2.39.2
+
--- /dev/null
+From d4ec572e2afee076eb5ebdac2be506335d519407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 09:27:51 +0000
+Subject: media: dvb-usb-v2: ce6230: fix null-ptr-deref in
+ ce6230_i2c_master_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit dff919090155fb22679869e8469168f270dcd97f ]
+
+In ce6230_i2c_master_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach ce6230_i2c_master_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen. We add
+check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/20230313092751.209496-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/ce6230.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c
+index e596031a708d0..80a07aab3b4b0 100644
+--- a/drivers/media/usb/dvb-usb-v2/ce6230.c
++++ b/drivers/media/usb/dvb-usb-v2/ce6230.c
+@@ -111,6 +111,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap,
+ if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
+ if (msg[i].addr ==
+ ce6230_zl10353_config.demod_address) {
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ req.cmd = DEMOD_READ;
+ req.value = msg[i].addr >> 1;
+ req.index = msg[i].buf[0];
+@@ -127,6 +131,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap,
+ } else {
+ if (msg[i].addr ==
+ ce6230_zl10353_config.demod_address) {
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ req.cmd = DEMOD_WRITE;
+ req.value = msg[i].addr >> 1;
+ req.index = msg[i].buf[0];
+--
+2.39.2
+
--- /dev/null
+From 1264ad4eb6d5c68d125361d749947c13bf284d1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 08:58:53 +0000
+Subject: media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit a6dcefcc08eca1bf4e3d213c97c3cfb75f377935 ]
+
+In ec168_i2c_xfer, msg is controlled by user. When msg[i].buf is null
+and msg[i].len is zero, former checks on msg[i].buf would be passed.
+If accessing msg[i].buf[0] without sanity check, null pointer deref
+would happen. We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/20230313085853.3252349-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/ec168.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/ec168.c b/drivers/media/usb/dvb-usb-v2/ec168.c
+index 1db8aeef36553..19605958501e1 100644
+--- a/drivers/media/usb/dvb-usb-v2/ec168.c
++++ b/drivers/media/usb/dvb-usb-v2/ec168.c
+@@ -125,6 +125,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ while (i < num) {
+ if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
+ if (msg[i].addr == ec168_ec100_config.demod_address) {
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ req.cmd = READ_DEMOD;
+ req.value = 0;
+ req.index = 0xff00 + msg[i].buf[0]; /* reg */
+@@ -141,6 +145,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ }
+ } else {
+ if (msg[i].addr == ec168_ec100_config.demod_address) {
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ req.cmd = WRITE_DEMOD;
+ req.value = msg[i].buf[1]; /* val */
+ req.index = 0xff00 + msg[i].buf[0]; /* reg */
+@@ -149,6 +157,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ ret = ec168_ctrl_msg(d, &req);
+ i += 1;
+ } else {
++ if (msg[i].len < 1) {
++ i = -EOPNOTSUPP;
++ break;
++ }
+ req.cmd = WRITE_I2C;
+ req.value = msg[i].buf[0]; /* val */
+ req.index = 0x0100 + msg[i].addr; /* I2C addr */
+--
+2.39.2
+
--- /dev/null
+From 91716005b5ae6fea997510e38ac8dd6f0e72cb6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 May 2023 15:52:47 +0100
+Subject: media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit aa4a447b81b84f69c1a89ad899df157f386d7636 ]
+
+In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach rtl28xxu_i2c_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen.
+We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a
+("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Link: https://lore.kernel.org/linux-media/tencent_3623572106754AC2F266B316798B0F6CCA05@qq.com
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+index bfce2d6addf7e..5c0ad2dc315a5 100644
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -189,6 +189,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ ret = -EOPNOTSUPP;
+ goto err_mutex_unlock;
+ } else if (msg[0].addr == 0x10) {
++ if (msg[0].len < 1 || msg[1].len < 1) {
++ ret = -EOPNOTSUPP;
++ goto err_mutex_unlock;
++ }
+ /* method 1 - integrated demod */
+ if (msg[0].buf[0] == 0x00) {
+ /* return demod page from driver cache */
+@@ -202,6 +206,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ ret = rtl28xxu_ctrl_msg(d, &req);
+ }
+ } else if (msg[0].len < 2) {
++ if (msg[0].len < 1) {
++ ret = -EOPNOTSUPP;
++ goto err_mutex_unlock;
++ }
+ /* method 2 - old I2C */
+ req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1);
+ req.index = CMD_I2C_RD;
+@@ -230,8 +238,16 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ ret = -EOPNOTSUPP;
+ goto err_mutex_unlock;
+ } else if (msg[0].addr == 0x10) {
++ if (msg[0].len < 1) {
++ ret = -EOPNOTSUPP;
++ goto err_mutex_unlock;
++ }
+ /* method 1 - integrated demod */
+ if (msg[0].buf[0] == 0x00) {
++ if (msg[0].len < 2) {
++ ret = -EOPNOTSUPP;
++ goto err_mutex_unlock;
++ }
+ /* save demod page for later demod access */
+ dev->page = msg[0].buf[1];
+ ret = 0;
+@@ -244,6 +260,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ ret = rtl28xxu_ctrl_msg(d, &req);
+ }
+ } else if ((msg[0].len < 23) && (!dev->new_i2c_write)) {
++ if (msg[0].len < 1) {
++ ret = -EOPNOTSUPP;
++ goto err_mutex_unlock;
++ }
+ /* method 2 - old I2C */
+ req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1);
+ req.index = CMD_I2C_WR;
+--
+2.39.2
+
--- /dev/null
+From 960896fc53c8f17adbb573bc572956888c740644 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 13:45:18 +0000
+Subject: media: netup_unidvb: fix irq init by register it at the end of probe
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit e6ad6233592593079db5c8fa592c298e51bc1356 ]
+
+IRQ handler netup_spi_interrupt() takes spinlock spi->lock. The lock
+is initialized in netup_spi_init(). However, irq handler is registered
+before initializing the lock.
+
+Spinlock dma->lock and i2c->lock suffer from the same problem.
+
+Fix this by registering the irq at the end of probe.
+
+Link: https://lore.kernel.org/linux-media/20230315134518.1074497-1-harperchen1110@gmail.com
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/pci/netup_unidvb/netup_unidvb_core.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index 4f2ea0f035ae5..0a9086f8c759d 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -897,12 +897,7 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev,
+ ndev->lmmio0, (u32)pci_resource_len(pci_dev, 0),
+ ndev->lmmio1, (u32)pci_resource_len(pci_dev, 1),
+ pci_dev->irq);
+- if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED,
+- "netup_unidvb", pci_dev) < 0) {
+- dev_err(&pci_dev->dev,
+- "%s(): can't get IRQ %d\n", __func__, pci_dev->irq);
+- goto irq_request_err;
+- }
++
+ ndev->dma_size = 2 * 188 *
+ NETUP_DMA_BLOCKS_COUNT * NETUP_DMA_PACKETS_COUNT;
+ ndev->dma_virt = dma_alloc_coherent(&pci_dev->dev,
+@@ -943,6 +938,14 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev,
+ dev_err(&pci_dev->dev, "netup_unidvb: DMA setup failed\n");
+ goto dma_setup_err;
+ }
++
++ if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED,
++ "netup_unidvb", pci_dev) < 0) {
++ dev_err(&pci_dev->dev,
++ "%s(): can't get IRQ %d\n", __func__, pci_dev->irq);
++ goto dma_setup_err;
++ }
++
+ dev_info(&pci_dev->dev,
+ "netup_unidvb: device has been initialized\n");
+ return 0;
+@@ -961,8 +964,6 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev,
+ dma_free_coherent(&pci_dev->dev, ndev->dma_size,
+ ndev->dma_virt, ndev->dma_phys);
+ dma_alloc_err:
+- free_irq(pci_dev->irq, pci_dev);
+-irq_request_err:
+ iounmap(ndev->lmmio1);
+ pci_bar1_error:
+ iounmap(ndev->lmmio0);
+--
+2.39.2
+
--- /dev/null
+From ecf8e626bba98af6e1e8cb964cd4217fc4cfa1b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 04:59:25 +0000
+Subject: media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 517a281338322ff8293f988771c98aaa7205e457 ]
+
+Since dvb_frontend_detach() is not called in ttusb_dec_exit_dvb(),
+which is called when the device is disconnected, dvb_frontend_free()
+is not finally called.
+
+This causes a memory leak just by repeatedly plugging and
+unplugging the device.
+
+Fix this issue by adding dvb_frontend_detach() to ttusb_dec_exit_dvb().
+
+Link: https://lore.kernel.org/linux-media/20221117045925.14297-5-imv4bel@gmail.com
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/ttusb-dec/ttusb_dec.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
+index cad2746158160..d41ba80881759 100644
+--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
+@@ -1571,8 +1571,7 @@ static void ttusb_dec_exit_dvb(struct ttusb_dec *dec)
+ dvb_dmx_release(&dec->demux);
+ if (dec->fe) {
+ dvb_unregister_frontend(dec->fe);
+- if (dec->fe->ops.release)
+- dec->fe->ops.release(dec->fe);
++ dvb_frontend_detach(dec->fe);
+ }
+ dvb_unregister_adapter(&dec->adapter);
+ }
+--
+2.39.2
+
--- /dev/null
+From fa99e78972d9de74de8fa84c5a0120b5e6d6ed3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 17:05:32 +0400
+Subject: nbd: Fix debugfs_create_dir error checking
+
+From: Ivan Orlov <ivan.orlov0322@gmail.com>
+
+[ Upstream commit 4913cfcf014c95f0437db2df1734472fd3e15098 ]
+
+The debugfs_create_dir function returns ERR_PTR in case of error, and the
+only correct way to check if an error occurred is 'IS_ERR' inline function.
+This patch will replace the null-comparison with IS_ERR.
+
+Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
+Link: https://lore.kernel.org/r/20230512130533.98709-1-ivan.orlov0322@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index f01b8860ba143..eb2ca7f6ab3ab 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1531,7 +1531,7 @@ static int nbd_dev_dbg_init(struct nbd_device *nbd)
+ return -EIO;
+
+ dir = debugfs_create_dir(nbd_name(nbd), nbd_dbg_dir);
+- if (!dir) {
++ if (IS_ERR(dir)) {
+ dev_err(nbd_to_dev(nbd), "Failed to create debugfs dir for '%s'\n",
+ nbd_name(nbd));
+ return -EIO;
+@@ -1557,7 +1557,7 @@ static int nbd_dbg_init(void)
+ struct dentry *dbg_dir;
+
+ dbg_dir = debugfs_create_dir("nbd", NULL);
+- if (!dbg_dir)
++ if (IS_ERR(dbg_dir))
+ return -EIO;
+
+ nbd_dbg_dir = dbg_dir;
+--
+2.39.2
+
--- /dev/null
+From 5f4856183cfdba1cfe0e7f921df162438eb99f47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 16:52:23 +0200
+Subject: net: dsa: mv88e6xxx: Increase wait after reset deactivation
+
+From: Andreas Svensson <andreas.svensson@axis.com>
+
+[ Upstream commit 3c27f3d53d588618d81d30d6712459a3cc9489b8 ]
+
+A switch held in reset by default needs to wait longer until we can
+reliably detect it.
+
+An issue was observed when testing on the Marvell 88E6393X (Link Street).
+The driver failed to detect the switch on some upstarts. Increasing the
+wait time after reset deactivation solves this issue.
+
+The updated wait time is now also the same as the wait time in the
+mv88e6xxx_hardware_reset function.
+
+Fixes: 7b75e49de424 ("net: dsa: mv88e6xxx: wait after reset deactivation")
+Signed-off-by: Andreas Svensson <andreas.svensson@axis.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230530145223.1223993-1-andreas.svensson@axis.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index ef016c9f7c744..e8f6d70c1ec64 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4060,7 +4060,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+ }
+ }
+ if (chip->reset)
+- usleep_range(1000, 2000);
++ usleep_range(10000, 20000);
+
+ err = mv88e6xxx_mdios_register(chip, np);
+ if (err)
+--
+2.39.2
+
--- /dev/null
+From 9a73a6ba523cbf7cf54e2f8db99b15d2f0c99637 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 10:00:10 -0400
+Subject: netfilter: conntrack: define variables exp_nat_nla_policy and
+ any_addr with CONFIG_NF_NAT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 224a876e37543eee111bf9b6aa4935080e619335 ]
+
+gcc with W=1 and ! CONFIG_NF_NAT
+net/netfilter/nf_conntrack_netlink.c:3463:32: error:
+ ‘exp_nat_nla_policy’ defined but not used [-Werror=unused-const-variable=]
+ 3463 | static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
+ | ^~~~~~~~~~~~~~~~~~
+net/netfilter/nf_conntrack_netlink.c:2979:33: error:
+ ‘any_addr’ defined but not used [-Werror=unused-const-variable=]
+ 2979 | static const union nf_inet_addr any_addr;
+ | ^~~~~~~~
+
+These variables use is controlled by CONFIG_NF_NAT, so should their definitions.
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 733e61fc50433..1d0abd8529e62 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -2531,7 +2531,9 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
+ return -1;
+ }
+
++#if IS_ENABLED(CONFIG_NF_NAT)
+ static const union nf_inet_addr any_addr;
++#endif
+
+ static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
+ {
+@@ -3031,10 +3033,12 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x,
+ return 0;
+ }
+
++#if IS_ENABLED(CONFIG_NF_NAT)
+ static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
+ [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
+ [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
+ };
++#endif
+
+ static int
+ ctnetlink_parse_expect_nat(const struct nlattr *attr,
+--
+2.39.2
+
--- /dev/null
+From 14ecaa6057f0e837d461b23c66761d7935ebbe2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 14:14:56 +0000
+Subject: netrom: fix info-leak in nr_write_internal()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 31642e7089df8fd3f54ca7843f7ee2952978cad1 ]
+
+Simon Kapadia reported the following issue:
+
+<quote>
+
+The Online Amateur Radio Community (OARC) has recently been experimenting
+with building a nationwide packet network in the UK.
+As part of our experimentation, we have been testing out packet on 300bps HF,
+and playing with net/rom. For HF packet at this baud rate you really need
+to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60,
+and a net/rom PACLEN of 40 to go with that.
+However the Linux net/rom support didn't work with a low PACLEN;
+the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.:
+
+Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet!
+
+This didn't make any sense to me (if the packets are smaller why would they
+be truncated?) so I started investigating.
+I looked at the packets using ethereal, and found that many were just huge
+compared to what I would expect.
+A simple net/rom connection request packet had the request and then a bunch
+of what appeared to be random data following it:
+
+</quote>
+
+Simon provided a patch that I slightly revised:
+Not only we must not use skb_tailroom(), we also do
+not want to count NR_NETWORK_LEN twice.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-Developed-by: Simon Kapadia <szymon@kapadia.pl>
+Signed-off-by: Simon Kapadia <szymon@kapadia.pl>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Simon Kapadia <szymon@kapadia.pl>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_subr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c
+index 029c8bb90f4c3..a7d3a265befb9 100644
+--- a/net/netrom/nr_subr.c
++++ b/net/netrom/nr_subr.c
+@@ -126,7 +126,7 @@ void nr_write_internal(struct sock *sk, int frametype)
+ unsigned char *dptr;
+ int len, timeout;
+
+- len = NR_NETWORK_LEN + NR_TRANSPORT_LEN;
++ len = NR_TRANSPORT_LEN;
+
+ switch (frametype & 0x0F) {
+ case NR_CONNREQ:
+@@ -144,7 +144,8 @@ void nr_write_internal(struct sock *sk, int frametype)
+ return;
+ }
+
+- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
++ skb = alloc_skb(NR_NETWORK_LEN + len, GFP_ATOMIC);
++ if (!skb)
+ return;
+
+ /*
+@@ -152,7 +153,7 @@ void nr_write_internal(struct sock *sk, int frametype)
+ */
+ skb_reserve(skb, NR_NETWORK_LEN);
+
+- dptr = skb_put(skb, skb_tailroom(skb));
++ dptr = skb_put(skb, len);
+
+ switch (frametype & 0x0F) {
+ case NR_CONNREQ:
+--
+2.39.2
+
--- /dev/null
+From b0d25f6d71a012df9bd91aa3524f721a214a11a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 15:01:56 +0800
+Subject: scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
+
+From: Wenchao Hao <haowenchao2@huawei.com>
+
+[ Upstream commit 09e797c8641f6ad435c33ae24c223351197ea29a ]
+
+If scsi_dispatch_cmd() failed, the SCSI command was not sent to the target,
+scsi_queue_rq() would return BLK_STS_RESOURCE and the related request would
+be requeued. The timeout of this request would not fire, no one would
+increase iodone_cnt.
+
+The above flow would result the iodone_cnt smaller than iorequest_cnt. So
+decrease the iorequest_cnt if dispatch failed to workaround the issue.
+
+Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/r/ZF+zB+bB7iqe0wGd@ovpn-8-17.pek2.redhat.com
+Link: https://lore.kernel.org/r/20230515070156.1790181-3-haowenchao2@huawei.com
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index fccda61e768c2..a2c13e437114e 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -1717,6 +1717,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
+ */
+ SCSI_LOG_MLQUEUE(3, scmd_printk(KERN_INFO, cmd,
+ "queuecommand : device blocked\n"));
++ atomic_dec(&cmd->device->iorequest_cnt);
+ return SCSI_MLQUEUE_DEVICE_BUSY;
+ }
+
+@@ -1749,6 +1750,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
+ trace_scsi_dispatch_cmd_start(cmd);
+ rtn = host->hostt->queuecommand(host, cmd);
+ if (rtn) {
++ atomic_dec(&cmd->device->iorequest_cnt);
+ trace_scsi_dispatch_cmd_error(cmd, rtn);
+ if (rtn != SCSI_MLQUEUE_DEVICE_BUSY &&
+ rtn != SCSI_MLQUEUE_TARGET_BUSY)
+--
+2.39.2
+
power-supply-bq27xxx-after-charger-plug-in-out-wait-.patch
asoc-intel-skylake-fix-declaration-of-enum-skl_ch_cf.patch
bluetooth-add-cmd-validity-checks-at-the-start-of-hci_sock_ioctl.patch
+dmaengine-pl330-rename-_start-to-prevent-build-error.patch
+netrom-fix-info-leak-in-nr_write_internal.patch
+af_packet-fix-data-races-of-pkt_sk-sk-num.patch
+af_packet-do-not-use-read_once-in-packet_bind.patch
+tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch
+udp6-fix-race-condition-in-udp6_sendmsg-connect.patch
+net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch
+mailbox-mailbox-test-fix-potential-double-free-in-mb.patch
+arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch
+fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch
+fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch
+nbd-fix-debugfs_create_dir-error-checking.patch
+asoc-dwc-limit-the-number-of-overrun-messages.patch
+asoc-ssm2602-add-workaround-for-playback-distortions.patch
+media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch
+media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch
+media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch
+media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch
+media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch
+media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch
+media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch
+media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch
+media-dvb-core-fix-kernel-warning-for-blocking-opera.patch
+media-dvb-core-fix-use-after-free-due-to-race-condit.patch
+wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch
+scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch
+wifi-b43-fix-incorrect-__packed-annotation.patch
+netfilter-conntrack-define-variables-exp_nat_nla_pol.patch
+alsa-oss-avoid-missing-prototype-warnings.patch
+atm-hide-unused-procfs-functions.patch
+mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch
--- /dev/null
+From df94cbf9fe724d8e5d9936600332254e8f9e5758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 12:03:17 +0800
+Subject: tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss
+ set
+
+From: Cambda Zhu <cambda@linux.alibaba.com>
+
+[ Upstream commit 34dfde4ad87b84d21278a7e19d92b5b2c68e6c4d ]
+
+This patch replaces the tp->mss_cache check in getting TCP_MAXSEG
+with tp->rx_opt.user_mss check for CLOSE/LISTEN sock. Since
+tp->mss_cache is initialized with TCP_MSS_DEFAULT, checking if
+it's zero is probably a bug.
+
+With this change, getting TCP_MAXSEG before connecting will return
+default MSS normally, and return user_mss if user_mss is set.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Jack Yang <mingliang@linux.alibaba.com>
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/netdev/CANn89i+3kL9pYtkxkwxwNMzvC_w3LNUum_2=3u+UyLBmGmifHA@mail.gmail.com/#t
+Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
+Link: https://lore.kernel.org/netdev/14D45862-36EA-4076-974C-EA67513C92F6@linux.alibaba.com/
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230527040317.68247-1-cambda@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 160ed3e7c24d6..c93aa6542d43b 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3037,7 +3037,8 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ switch (optname) {
+ case TCP_MAXSEG:
+ val = tp->mss_cache;
+- if (!val && ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
++ if (tp->rx_opt.user_mss &&
++ ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
+ val = tp->rx_opt.user_mss;
+ if (tp->repair)
+ val = tp->rx_opt.mss_clamp;
+--
+2.39.2
+
--- /dev/null
+From 0240e27e9ed8e1431f971e3bcaf7a77a11494522 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 14:39:41 +0300
+Subject: udp6: Fix race condition in udp6_sendmsg & connect
+
+From: Vladislav Efanov <VEfanov@ispras.ru>
+
+[ Upstream commit 448a5ce1120c5bdbce1f1ccdabcd31c7d029f328 ]
+
+Syzkaller got the following report:
+BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
+Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255
+
+The function sk_setup_caps (called by ip6_sk_dst_store_flow->
+ip6_dst_store) referenced already freed memory as this memory was
+freed by parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow->
+sk_dst_check.
+
+ task1 (connect) task2 (udp6_sendmsg)
+ sk_setup_caps->sk_dst_set |
+ | sk_dst_check->
+ | sk_dst_set
+ | dst_release
+ sk_setup_caps references |
+ to already freed dst_entry|
+
+The reason for this race condition is: sk_setup_caps() keeps using
+the dst after transferring the ownership to the dst cache.
+
+Found by Linux Verification Center (linuxtesting.org) with syzkaller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 002c91dd7191f..b05296d79f621 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1788,7 +1788,6 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
+ {
+ u32 max_segs = 1;
+
+- sk_dst_set(sk, dst);
+ sk->sk_route_caps = dst->dev->features;
+ if (sk->sk_route_caps & NETIF_F_GSO)
+ sk->sk_route_caps |= NETIF_F_GSO_SOFTWARE;
+@@ -1803,6 +1802,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
+ }
+ }
+ sk->sk_gso_max_segs = max_segs;
++ sk_dst_set(sk, dst);
+ }
+ EXPORT_SYMBOL_GPL(sk_setup_caps);
+
+--
+2.39.2
+
--- /dev/null
+From 661495d64a9d49b0fb71840167de94b548992a77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 20:34:22 +0200
+Subject: wifi: b43: fix incorrect __packed annotation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 212457ccbd60dba34f965e4ffbe62f0e4f970538 ]
+
+clang warns about an unpacked structure inside of a packed one:
+
+drivers/net/wireless/broadcom/b43/b43.h:654:4: error: field data within 'struct b43_iv' is less aligned than 'union (unnamed union at /home/arnd/arm-soc/drivers/net/wireless/broadcom/b43/b43.h:651:2)' and is usually due to 'struct b43_iv' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access]
+
+The problem here is that the anonymous union has the default alignment
+from its members, apparently because the original author mixed up the
+placement of the __packed attribute by placing it next to the struct
+member rather than the union definition. As the struct itself is
+also marked as __packed, there is no need to mark its members, so just
+move the annotation to the inner type instead.
+
+As Michael noted, the same problem is present in b43legacy, so
+change both at the same time.
+
+Acked-by: Michael Büsch <m@bues.ch>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Link: https://lore.kernel.org/oe-kbuild-all/202305160749.ay1HAoyP-lkp@intel.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230516183442.536589-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/b43.h | 2 +-
+ drivers/net/wireless/broadcom/b43legacy/b43legacy.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h
+index b77d1a904f7e6..a449561fccf28 100644
+--- a/drivers/net/wireless/broadcom/b43/b43.h
++++ b/drivers/net/wireless/broadcom/b43/b43.h
+@@ -651,7 +651,7 @@ struct b43_iv {
+ union {
+ __be16 d16;
+ __be32 d32;
+- } data __packed;
++ } __packed data;
+ } __packed;
+
+
+diff --git a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h
+index 6b0cec467938f..f49365d14619f 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h
++++ b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h
+@@ -379,7 +379,7 @@ struct b43legacy_iv {
+ union {
+ __be16 d16;
+ __be32 d32;
+- } data __packed;
++ } __packed data;
+ } __packed;
+
+ #define B43legacy_PHYMODE(phytype) (1 << (phytype))
+--
+2.39.2
+
--- /dev/null
+From ebbec7285b0f50925ceb730119c9112f162e9b6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 09:20:55 +0800
+Subject: wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
+
+From: Yun Lu <luyun@kylinos.cn>
+
+[ Upstream commit 20429444e653ee8242dfbf815c0c37866beb371b ]
+
+When using rtl8192cu with rtl8xxxu driver to connect wifi, there is a
+probability of failure, which shows "authentication with ... timed out".
+Through debugging, it was found that the RCR register has been inexplicably
+modified to an incorrect value, resulting in the nic not being able to
+receive authenticated frames.
+
+To fix this problem, add regrcr in rtl8xxxu_priv struct, and store
+the RCR value every time the register is written, and use it the next
+time the register need to be modified.
+
+Signed-off-by: Yun Lu <luyun@kylinos.cn>
+Link: https://lore.kernel.org/all/20230427020512.1221062-1-luyun_611@163.com
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230512012055.2990472-1-luyun_611@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 1 +
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+index c1163f2a09251..1913b51c1e809 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -1268,6 +1268,7 @@ struct rtl8xxxu_priv {
+ u32 rege9c;
+ u32 regeb4;
+ u32 regebc;
++ u32 regrcr;
+ int next_mbox;
+ int nr_out_eps;
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 1c9f7e1f63cfd..bfd704b17a447 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -4051,6 +4051,7 @@ static int rtl8xxxu_init_device(struct ieee80211_hw *hw)
+ RCR_ACCEPT_MGMT_FRAME | RCR_HTC_LOC_CTRL |
+ RCR_APPEND_PHYSTAT | RCR_APPEND_ICV | RCR_APPEND_MIC;
+ rtl8xxxu_write32(priv, REG_RCR, val32);
++ priv->regrcr = val32;
+
+ /*
+ * Accept all multicast
+@@ -5591,7 +5592,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw,
+ unsigned int *total_flags, u64 multicast)
+ {
+ struct rtl8xxxu_priv *priv = hw->priv;
+- u32 rcr = rtl8xxxu_read32(priv, REG_RCR);
++ u32 rcr = priv->regrcr;
+
+ dev_dbg(&priv->udev->dev, "%s: changed_flags %08x, total_flags %08x\n",
+ __func__, changed_flags, *total_flags);
+@@ -5637,6 +5638,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw,
+ */
+
+ rtl8xxxu_write32(priv, REG_RCR, rcr);
++ priv->regrcr = rcr;
+
+ *total_flags &= (FIF_ALLMULTI | FIF_FCSFAIL | FIF_BCN_PRBRESP_PROMISC |
+ FIF_CONTROL | FIF_OTHER_BSS | FIF_PSPOLL |
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
