--- /dev/null
+From a7501ad831ee6e59077f6f45c28d91ee99568d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 10:04:24 +0800
+Subject: 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 74a25e6e916cb57dab4267a96fbe8864ed21abdb ]
+
+When down_interruptible() or ib_post_send() failed in rdma_request(),
+receive dma buffer is not unmapped. Add unmap action to error path.
+Also if ib_post_recv() failed in post_recv(), dma buffer is not unmapped.
+Add unmap action to error path.
+
+Link: https://lkml.kernel.org/r/20230104020424.611926-1-shaozhengchao@huawei.com
+Fixes: fc79d4b104f0 ("9p: rdma: RDMA Transport Support for 9P")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_rdma.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index 119103bfa82ee..4bbb8683d4518 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -400,6 +400,7 @@ post_recv(struct p9_client *client, struct p9_rdma_context *c)
+ struct p9_trans_rdma *rdma = client->trans;
+ struct ib_recv_wr wr;
+ struct ib_sge sge;
++ int ret;
+
+ c->busa = ib_dma_map_single(rdma->cm_id->device,
+ c->rc.sdata, client->msize,
+@@ -417,7 +418,12 @@ post_recv(struct p9_client *client, struct p9_rdma_context *c)
+ wr.wr_cqe = &c->cqe;
+ wr.sg_list = &sge;
+ wr.num_sge = 1;
+- return ib_post_recv(rdma->qp, &wr, NULL);
++
++ ret = ib_post_recv(rdma->qp, &wr, NULL);
++ if (ret)
++ ib_dma_unmap_single(rdma->cm_id->device, c->busa,
++ client->msize, DMA_FROM_DEVICE);
++ return ret;
+
+ error:
+ p9_debug(P9_DEBUG_ERROR, "EIO\n");
+@@ -514,7 +520,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+
+ if (down_interruptible(&rdma->sq_sem)) {
+ err = -EINTR;
+- goto send_error;
++ goto dma_unmap;
+ }
+
+ /* Mark request as `sent' *before* we actually send it,
+@@ -524,11 +530,14 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+ req->status = REQ_STATUS_SENT;
+ err = ib_post_send(rdma->qp, &wr, NULL);
+ if (err)
+- goto send_error;
++ goto dma_unmap;
+
+ /* Success */
+ return 0;
+
++dma_unmap:
++ ib_dma_unmap_single(rdma->cm_id->device, c->busa,
++ c->req->tc.size, DMA_TO_DEVICE);
+ /* Handle errors that happened during or while preparing the send: */
+ send_error:
+ req->status = REQ_STATUS_ERROR;
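Review bot: The new `dma_unmap:` label releases `c->busa` with `c->req->tc.size` and `DMA_TO_DEVICE`, which is only correct while both match the ib_dma_map_single() call made earlier in rdma_request(), outside this hunk. The direction also shows this is the send (request) buffer, although the commit subject calls it the receive buffer. A comment on the label would keep the pairing visible, for example `/* undo the DMA_TO_DEVICE mapping of req->tc set up above */`. The `goto dma_unmap` added in the previous hunk jumps to the same label.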
+--
+2.39.2
+
--- /dev/null
+From 5e21bf89f1a7bd094edb8566c9cc198622011b5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 12:30:36 +0100
+Subject: 9p/xen: fix connection sequence
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c15fe55d14b3b4ded5af2a3260877460a6ffb8ad ]
+
+Today the connection sequence of the Xen 9pfs frontend doesn't match
+the documented sequence. It can work reliably only for a PV 9pfs device
+having been added at boot time already, as the frontend is not waiting
+for the backend to have set its state to "XenbusStateInitWait" before
+reading the backend properties from Xenstore.
+
+Fix that by following the documented sequence [1] (the documentation
+has a bug, so the reference is for the patch fixing that).
+
+[1]: https://lore.kernel.org/xen-devel/20230130090937.31623-1-jgross@suse.com/T/#u
+
+Link: https://lkml.kernel.org/r/20230130113036.7087-3-jgross@suse.com
+Fixes: 868eb122739a ("xen/9pfs: introduce Xen 9pfs transport driver")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_xen.c | 38 +++++++++++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index c4aea1e3134c2..08b96aeaff464 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -389,12 +389,11 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev,
+ return ret;
+ }
+
+-static int xen_9pfs_front_probe(struct xenbus_device *dev,
+- const struct xenbus_device_id *id)
++static int xen_9pfs_front_init(struct xenbus_device *dev)
+ {
+ int ret, i;
+ struct xenbus_transaction xbt;
+- struct xen_9pfs_front_priv *priv = NULL;
++ struct xen_9pfs_front_priv *priv = dev_get_drvdata(&dev->dev);
+ char *versions, *v;
+ unsigned int max_rings, max_ring_order, len = 0;
+
+@@ -420,11 +419,6 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ if (max_ring_order < XEN_9PFS_RING_ORDER)
+ return -EINVAL;
+
+- priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+- if (!priv)
+- return -ENOMEM;
+-
+- priv->dev = dev;
+ priv->num_rings = XEN_9PFS_NUM_RINGS;
+ priv->rings = kcalloc(priv->num_rings, sizeof(*priv->rings),
+ GFP_KERNEL);
+@@ -482,23 +476,35 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ goto error;
+ }
+
+- write_lock(&xen_9pfs_lock);
+- list_add_tail(&priv->list, &xen_9pfs_devs);
+- write_unlock(&xen_9pfs_lock);
+- dev_set_drvdata(&dev->dev, priv);
+- xenbus_switch_state(dev, XenbusStateInitialised);
+-
+ return 0;
+
+ error_xenbus:
+ xenbus_transaction_end(xbt, 1);
+ xenbus_dev_fatal(dev, ret, "writing xenstore");
+ error:
+- dev_set_drvdata(&dev->dev, NULL);
+ xen_9pfs_front_free(priv);
+ return ret;
+ }
+
++static int xen_9pfs_front_probe(struct xenbus_device *dev,
++ const struct xenbus_device_id *id)
++{
++ struct xen_9pfs_front_priv *priv = NULL;
++
++ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
++ if (!priv)
++ return -ENOMEM;
++
++ priv->dev = dev;
++ dev_set_drvdata(&dev->dev, priv);
++
++ write_lock(&xen_9pfs_lock);
++ list_add_tail(&priv->list, &xen_9pfs_devs);
++ write_unlock(&xen_9pfs_lock);
++
++ return 0;
++}
++
+ static int xen_9pfs_front_resume(struct xenbus_device *dev)
+ {
+ dev_warn(&dev->dev, "suspend/resume unsupported\n");
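Review bot: The `error:` path of xen_9pfs_front_init() still calls `xen_9pfs_front_free(priv)` but no longer clears the driver data, while the new probe stores `priv` with `dev_set_drvdata()` and links it into `xen_9pfs_devs` before init ever runs. If xen_9pfs_front_free() releases `priv` itself (its body is outside this hunk), a failed init leaves `dev_get_drvdata()` returning a freed pointer that a later state change or remove would dereference. Either keep `dev_set_drvdata(&dev->dev, NULL);` in the error path, or have that path release only what init allocated and leave `priv` to the remove handler. xen_9pfs_front_init() starts outside this hunk.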
+@@ -517,6 +523,8 @@ static void xen_9pfs_front_changed(struct xenbus_device *dev,
+ break;
+
+ case XenbusStateInitWait:
++ if (!xen_9pfs_front_init(dev))
++ xenbus_switch_state(dev, XenbusStateInitialised);
+ break;
+
+ case XenbusStateConnected:
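Review bot: `xen_9pfs_front_init()` now runs every time the backend reports `XenbusStateInitWait`, and nothing in this hunk stops it from running twice for the same device. The backend controls that state, so a repeated transition would presumably allocate `priv->rings` again over the existing array and redo the xenstore writes, unless init has a guard of its own (its start is outside the hunk). Checking the frontend's own state first would bound this, for example `if (dev->state != XenbusStateInitialising) break;`. A failed init is also silent here: when it returns non-zero the frontend stays in its current state with no message from this handler.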
+--
+2.39.2
+
--- /dev/null
+From b396367e8df2b5167d4e7452c80c4f65c0e28888 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 12:30:35 +0100
+Subject: 9p/xen: fix version parsing
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit f1956f4ec15195ec60976d9b5625326285ab102e ]
+
+When connecting the Xen 9pfs frontend to the backend, the "versions"
+Xenstore entry written by the backend is parsed in a wrong way.
+
+The "versions" entry is defined to contain the versions supported by
+the backend separated by commas (e.g. "1,2"). Today only version "1"
+is defined. Unfortunately the frontend doesn't look for "1" being
+listed in the entry, but it is expecting the entry to have the value
+"1".
+
+This will result in failure as soon as the backend will support e.g.
+versions "1" and "2".
+
+Fix that by scanning the entry correctly.
+
+Link: https://lkml.kernel.org/r/20230130113036.7087-2-jgross@suse.com
+Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_xen.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index 6459c2356ff9f..c4aea1e3134c2 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -395,13 +395,19 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ int ret, i;
+ struct xenbus_transaction xbt;
+ struct xen_9pfs_front_priv *priv = NULL;
+- char *versions;
++ char *versions, *v;
+ unsigned int max_rings, max_ring_order, len = 0;
+
+ versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
+ if (IS_ERR(versions))
+ return PTR_ERR(versions);
+- if (strcmp(versions, "1")) {
++ for (v = versions; *v; v++) {
++ if (simple_strtoul(v, &v, 10) == 1) {
++ v = NULL;
++ break;
++ }
++ }
++ if (v) {
+ kfree(versions);
+ return -EINVAL;
+ }
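Review bot: The scan loop can step past the string's terminator: `simple_strtoul(v, &v, 10)` leaves `v` on the first non-digit, and when that is the trailing NUL (an entry of just "2", for instance) the loop's `v++` moves one byte beyond it before `*v` is tested. The entry is written by the backend, so the other end of the connection decides whether this out-of-bounds read happens. Stopping at the terminator inside the loop closes it, e.g. `if (!*v) break;` after the comparison. The parse is also loose about separators: a value such as "x1" is accepted as listing version 1, which may or may not matter depending on what backends write.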
+--
+2.39.2
+
--- /dev/null
+From 6c98ab4192b1c3517b662b9a4926d6e7c7da9911 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 17:22:37 +0100
+Subject: ARM: dts: spear320-hmi: correct STMPE GPIO compatible
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 33a0c1b850c8c85f400531dab3a0b022cdb164b1 ]
+
+The compatible is st,stmpe-gpio.
+
+Fixes: e2eb69183ec4 ("ARM: SPEAr320: DT: Add SPEAr 320 HMI board support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://lore.kernel.org/r/20230225162237.40242-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/spear320-hmi.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/spear320-hmi.dts b/arch/arm/boot/dts/spear320-hmi.dts
+index 0d0da1f65f0e6..1e54748799a6b 100644
+--- a/arch/arm/boot/dts/spear320-hmi.dts
++++ b/arch/arm/boot/dts/spear320-hmi.dts
+@@ -248,7 +248,7 @@
+ irq-trigger = <0x1>;
+
+ stmpegpio: stmpe-gpio {
+- compatible = "stmpe,gpio";
++ compatible = "st,stmpe-gpio";
+ reg = <0>;
+ gpio-controller;
+ #gpio-cells = <2>;
+--
+2.39.2
+
--- /dev/null
+From b0a2756dc442cabaf14c71f72fa82345f5b7b313 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 11:50:45 +0000
+Subject: firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
+
+From: Darrell Kavanagh <darrell.kavanagh@gmail.com>
+
+[ Upstream commit e1d447157f232c650e6f32c9fb89ff3d0207c69a ]
+
+Another Lenovo convertable which reports a landscape resolution of
+1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer
+has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes.
+
+Signed-off-by: Darrell Kavanagh <darrell.kavanagh@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/sysfb_efi.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/sysfb_efi.c b/arch/x86/kernel/sysfb_efi.c
+index 897da526e40e6..dd8d7636c5420 100644
+--- a/arch/x86/kernel/sysfb_efi.c
++++ b/arch/x86/kernel/sysfb_efi.c
+@@ -265,6 +265,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
+ "Lenovo ideapad D330-10IGM"),
+ },
+ },
++ {
++ /* Lenovo IdeaPad Duet 3 10IGL5 with 1200x1920 portrait screen */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
++ "IdeaPad Duet 3 10IGL5"),
++ },
++ },
+ {},
+ };
+
+--
+2.39.2
+
--- /dev/null
+From b2829da999ef241f604f4345d0c10e08185871f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 11:01:59 +0800
+Subject: fs/jfs: fix shift exponent db_agl2size negative
+
+From: Liu Shixin via Jfs-discussion <jfs-discussion@lists.sourceforge.net>
+
+[ Upstream commit fad376fce0af58deebc5075b8539dc05bf639af3 ]
+
+As a shift exponent, db_agl2size can not be less than 0. Add the missing
+check to fix the shift-out-of-bounds bug reported by syzkaller:
+
+ UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15
+ shift exponent -744642816 is negative
+
+Reported-by: syzbot+0be96567042453c0c820@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index f06796cad9aa8..3ad0a33e0443b 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -206,7 +206,8 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
+ bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
+- if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
++ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
++ bmp->db_agl2size < 0) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
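Review bot: Only `db_agl2size` gets a range check here, while `db_agwidth` and `db_agstart` just above are taken from the on-disk `dbmp_le` with `le32_to_cpu()` and no validation is visible in this hunk. If they are not checked elsewhere in dbMount() (the function continues outside the hunk), a corrupted image can presumably feed similar out-of-range values into later arithmetic. As a style point, putting the lower bound first reads more naturally: `if (bmp->db_agl2size < 0 || bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {`.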
+--
+2.39.2
+
--- /dev/null
+From 2be4c2766ceaa54d2d2cf1b61d4f39310c488ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 07:21:46 -0800
+Subject: iio: accel: mma9551_core: Prevent uninitialized variable in
+ mma9551_read_status_word()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit e56d2c34ce9dc122b1a618172ec0e05e50adb9e9 ]
+
+Smatch Warns: drivers/iio/accel/mma9551_core.c:357
+ mma9551_read_status_word() error: uninitialized symbol 'v'.
+
+When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL
+without 'v' being initialized, so check for the error and return.
+
+Note: Not a bug as such because the caller checks return value and
+doesn't not use this parameter in the problem case.
+
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20230126152147.3585874-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mma9551_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c
+index c34c5ce8123b0..b4bbc83be4310 100644
+--- a/drivers/iio/accel/mma9551_core.c
++++ b/drivers/iio/accel/mma9551_core.c
+@@ -362,9 +362,12 @@ int mma9551_read_status_word(struct i2c_client *client, u8 app_id,
+
+ ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS,
+ reg, NULL, 0, (u8 *)&v, 2);
++ if (ret < 0)
++ return ret;
++
+ *val = be16_to_cpu(v);
+
+- return ret;
++ return 0;
+ }
+ EXPORT_SYMBOL(mma9551_read_status_word);
+
+--
+2.39.2
+
--- /dev/null
+From e3e6620e19272f312bf4220b6ee0ef6221a4c0b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 07:36:09 -0800
+Subject: iio: accel: mma9551_core: Prevent uninitialized variable in
+ mma9551_read_config_word()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 64a68158738ec8f520347144352f7a09bdb9e169 ]
+
+Smatch Warns:
+drivers/iio/accel/mma9551_core.c:299
+ mma9551_read_config_word() error: uninitialized symbol 'v'.
+
+When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL
+without 'v' being initialized, so check for the error and return.
+
+Note: No actual bug as caller checks the return value and does not
+use the parameter in the problem case.
+
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20230126153610.3586243-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mma9551_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c
+index b4bbc83be4310..19b4fbc682e63 100644
+--- a/drivers/iio/accel/mma9551_core.c
++++ b/drivers/iio/accel/mma9551_core.c
+@@ -304,9 +304,12 @@ int mma9551_read_config_word(struct i2c_client *client, u8 app_id,
+
+ ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_CONFIG,
+ reg, NULL, 0, (u8 *)&v, 2);
++ if (ret < 0)
++ return ret;
++
+ *val = be16_to_cpu(v);
+
+- return ret;
++ return 0;
+ }
+ EXPORT_SYMBOL(mma9551_read_config_word);
+
+--
+2.39.2
+
--- /dev/null
+From 8b679788c4220bfcebc02961b8d423495c35ecad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 16:04:55 +0200
+Subject: media: uvcvideo: Handle cameras with invalid descriptors
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 41ddb251c68ac75c101d3a50a68c4629c9055e4c ]
+
+If the source entity does not contain any pads, do not create a link.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_entity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c
+index f2457953f27c6..0d5aaaa7e2d96 100644
+--- a/drivers/media/usb/uvc/uvc_entity.c
++++ b/drivers/media/usb/uvc/uvc_entity.c
+@@ -42,7 +42,7 @@ static int uvc_mc_create_links(struct uvc_video_chain *chain,
+ continue;
+
+ remote = uvc_entity_by_id(chain->dev, entity->baSourceID[i]);
+- if (remote == NULL)
++ if (remote == NULL || remote->num_pads == 0)
+ return -EINVAL;
+
+ source = (UVC_ENTITY_TYPE(remote) == UVC_TT_STREAMING)
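Review bot: The added `remote->num_pads == 0` test returns `-EINVAL`, which abandons link creation altogether rather than skipping the one link, as the commit message's "do not create a link" suggests. If failing is intended, a one-line comment would make that explicit and record why the check exists, e.g. `/* descriptors are device-supplied; a source without pads cannot be linked */`. uvc_mc_create_links() continues outside the hunk, so how `num_pads` is used afterwards is not visible here.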
+--
+2.39.2
+
--- /dev/null
+From 073051cbe0b1b3a4cb64bc864659c1a9de43b9fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 16:41:01 +0200
+Subject: media: uvcvideo: Handle errors from calls to usb_string
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 4867bb590ae445bcfaa711a86b603c97e94574b3 ]
+
+On a Webcam from Quanta, we see the following error.
+
+usb 3-5: New USB device found, idVendor=0408, idProduct=30d2, bcdDevice= 0.03
+usb 3-5: New USB device strings: Mfr=3, Product=1, SerialNumber=2
+usb 3-5: Product: USB2.0 HD UVC WebCam
+usb 3-5: Manufacturer: Quanta
+usb 3-5: SerialNumber: 0x0001
+...
+uvcvideo: Found UVC 1.10 device USB2.0 HD UVC WebCam (0408:30d2)
+uvcvideo: Failed to initialize entity for entity 5
+uvcvideo: Failed to register entities (-22).
+
+The Webcam reports an entity of type UVC_VC_EXTENSION_UNIT. It reports a
+string index of '7' associated with that entity. The attempt to read that
+string from the camera fails with error -32 (-EPIPE). usb_string() returns
+that error, but it is ignored. As result, the entity name is empty. This
+later causes v4l2_device_register_subdev() to return -EINVAL, and no
+entities are registered as result.
+
+While this appears to be a firmware problem with the camera, the kernel
+should still handle the situation gracefully. To do that, check the return
+value from usb_string(). If it reports an error, assign the entity's
+default name.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 48 ++++++++++++------------------
+ 1 file changed, 19 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 998ce712978ae..775d677206484 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1033,10 +1033,8 @@ static int uvc_parse_vendor_control(struct uvc_device *dev,
+ + n;
+ memcpy(unit->extension.bmControls, &buffer[23+p], 2*n);
+
+- if (buffer[24+p+2*n] != 0)
+- usb_string(udev, buffer[24+p+2*n], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[24+p+2*n] == 0 ||
++ usb_string(udev, buffer[24+p+2*n], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Extension %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
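Review bot: The fallback name is used only when usb_string() returns a negative value, so a device that answers with an empty string descriptor would still leave `unit->name` empty. That is the condition the commit message says makes v4l2_device_register_subdev() fail. If usb_string() can return 0 in that case, testing `<= 0` would cover it: `usb_string(udev, buffer[24+p+2*n], unit->name, sizeof(unit->name)) <= 0)`. The same comparison appears in the five later hunks, in uvc_parse_standard_control().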
+@@ -1161,15 +1159,15 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+ memcpy(term->media.bmTransportModes, &buffer[10+n], p);
+ }
+
+- if (buffer[7] != 0)
+- usb_string(udev, buffer[7], term->name,
+- sizeof(term->name));
+- else if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA)
+- sprintf(term->name, "Camera %u", buffer[3]);
+- else if (UVC_ENTITY_TYPE(term) == UVC_ITT_MEDIA_TRANSPORT_INPUT)
+- sprintf(term->name, "Media %u", buffer[3]);
+- else
+- sprintf(term->name, "Input %u", buffer[3]);
++ if (buffer[7] == 0 ||
++ usb_string(udev, buffer[7], term->name, sizeof(term->name)) < 0) {
++ if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA)
++ sprintf(term->name, "Camera %u", buffer[3]);
++ if (UVC_ENTITY_TYPE(term) == UVC_ITT_MEDIA_TRANSPORT_INPUT)
++ sprintf(term->name, "Media %u", buffer[3]);
++ else
++ sprintf(term->name, "Input %u", buffer[3]);
++ }
+
+ list_add_tail(&term->list, &dev->entities);
+ break;
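Review bot: The rewritten fallback drops an `else`: the `UVC_ITT_CAMERA` test is now a standalone `if`, so a camera terminal is first named "Camera %u" and then immediately renamed "Input %u" by the `else` of the following `if`. The removed code chained the three cases with `else if`, so this changes the default name of camera terminals. Restore the chain with `else if (UVC_ENTITY_TYPE(term) == UVC_ITT_MEDIA_TRANSPORT_INPUT)`.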
+@@ -1201,10 +1199,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+
+ memcpy(term->baSourceID, &buffer[7], 1);
+
+- if (buffer[8] != 0)
+- usb_string(udev, buffer[8], term->name,
+- sizeof(term->name));
+- else
++ if (buffer[8] == 0 ||
++ usb_string(udev, buffer[8], term->name, sizeof(term->name)) < 0)
+ sprintf(term->name, "Output %u", buffer[3]);
+
+ list_add_tail(&term->list, &dev->entities);
+@@ -1226,10 +1222,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+
+ memcpy(unit->baSourceID, &buffer[5], p);
+
+- if (buffer[5+p] != 0)
+- usb_string(udev, buffer[5+p], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[5+p] == 0 ||
++ usb_string(udev, buffer[5+p], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Selector %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
+@@ -1259,10 +1253,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+ if (dev->uvc_version >= 0x0110)
+ unit->processing.bmVideoStandards = buffer[9+n];
+
+- if (buffer[8+n] != 0)
+- usb_string(udev, buffer[8+n], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[8+n] == 0 ||
++ usb_string(udev, buffer[8+n], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Processing %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
+@@ -1290,10 +1282,8 @@ static int uvc_parse_standard_control(struct uvc_device *dev,
+ unit->extension.bmControls = (u8 *)unit + sizeof(*unit);
+ memcpy(unit->extension.bmControls, &buffer[23+p], n);
+
+- if (buffer[23+p+n] != 0)
+- usb_string(udev, buffer[23+p+n], unit->name,
+- sizeof(unit->name));
+- else
++ if (buffer[23+p+n] == 0 ||
++ usb_string(udev, buffer[23+p+n], unit->name, sizeof(unit->name)) < 0)
+ sprintf(unit->name, "Extension %u", buffer[3]);
+
+ list_add_tail(&unit->list, &dev->entities);
+--
+2.39.2
+
--- /dev/null
+From ddfeca0c4a4eb249347b710457c438c8140c9fc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jan 2023 22:17:04 -0800
+Subject: media: uvcvideo: Silence memcpy() run-time false positive warnings
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit b839212988575c701aab4d3d9ca15e44c87e383c ]
+
+The memcpy() in uvc_video_decode_meta() intentionally copies across the
+length and flags members and into the trailing buf flexible array.
+Split the copy so that the compiler can better reason about (the lack
+of) buffer overflows here. Avoid the run-time false positive warning:
+
+ memcpy: detected field-spanning write (size 12) of single field "&meta->length" at drivers/media/usb/uvc/uvc_video.c:1355 (size 1)
+
+Additionally fix a typo in the documentation for struct uvc_meta_buf.
+
+Reported-by: ionut_n2001@yahoo.com
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216810
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 4 +++-
+ include/uapi/linux/uvcvideo.h | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index b431f06d5a1f5..1c0249df52566 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1278,7 +1278,9 @@ static void uvc_video_decode_meta(struct uvc_streaming *stream,
+ if (has_scr)
+ memcpy(stream->clock.last_scr, scr, 6);
+
+- memcpy(&meta->length, mem, length);
++ meta->length = mem[0];
++ meta->flags = mem[1];
++ memcpy(meta->buf, &mem[2], length - 2);
+ meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof);
+
+ uvc_trace(UVC_TRACE_FRAME,
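Review bot: `memcpy(meta->buf, &mem[2], length - 2)` and the reads of `mem[0]` and `mem[1]` assume `length >= 2`; with a smaller value the subtraction goes below zero and becomes a very large size once converted for memcpy(). The old single copy had no subtraction, so the function now depends on a length check that is not visible in this hunk (uvc_video_decode_meta() starts outside it). If that check exists, a short comment such as `/* length >= 2 was verified above */` documents the dependency. If it does not, guard the copy with `if (length < 2) return;`.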
+diff --git a/include/uapi/linux/uvcvideo.h b/include/uapi/linux/uvcvideo.h
+index f80f05b3c423f..2140923661934 100644
+--- a/include/uapi/linux/uvcvideo.h
++++ b/include/uapi/linux/uvcvideo.h
+@@ -86,7 +86,7 @@ struct uvc_xu_control_query {
+ * struct. The first two fields are added by the driver, they can be used for
+ * clock synchronisation. The rest is an exact copy of a UVC payload header.
+ * Only complete objects with complete buffers are included. Therefore it's
+- * always sizeof(meta->ts) + sizeof(meta->sof) + meta->length bytes large.
++ * always sizeof(meta->ns) + sizeof(meta->sof) + meta->length bytes large.
+ */
+ struct uvc_meta_buf {
+ __u64 ns;
+--
+2.39.2
+
--- /dev/null
+From b7ee32f6c15c74649d0ab9b76e7f0996e733ff67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 23:49:33 +0200
+Subject: mei: bus-fixup:upon error print return values of send and receive
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+[ Upstream commit 4b8659e2c258e4fdac9ccdf06cc20c0677894ef9 ]
+
+For easier debugging, upon error, print also return values
+from __mei_cl_recv() and __mei_cl_send() functions.
+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20221212214933.275434-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/bus-fixup.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/mei/bus-fixup.c b/drivers/misc/mei/bus-fixup.c
+index 198e030e5b3d5..14f3e05643fc3 100644
+--- a/drivers/misc/mei/bus-fixup.c
++++ b/drivers/misc/mei/bus-fixup.c
+@@ -174,7 +174,7 @@ static int mei_fwver(struct mei_cl_device *cldev)
+ ret = __mei_cl_send(cldev->cl, buf, sizeof(struct mkhi_msg_hdr),
+ MEI_CL_IO_TX_BLOCKING);
+ if (ret < 0) {
+- dev_err(&cldev->dev, "Could not send ReqFWVersion cmd\n");
++ dev_err(&cldev->dev, "Could not send ReqFWVersion cmd ret = %d\n", ret);
+ return ret;
+ }
+
+@@ -186,7 +186,7 @@ static int mei_fwver(struct mei_cl_device *cldev)
+ * Should be at least one version block,
+ * error out if nothing found
+ */
+- dev_err(&cldev->dev, "Could not read FW version\n");
++ dev_err(&cldev->dev, "Could not read FW version ret = %d\n", bytes_recv);
+ return -EIO;
+ }
+
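Review bot: The label `ret = %d` is misleading in this message because the value printed is `bytes_recv`, which on a short read is a non-negative byte count rather than an error code, while the function returns `-EIO`. The condition that shows this is visible in the mei_nfc_if_version() hunk further down (`bytes_recv < 0 || (size_t)bytes_recv < if_version_length`), which uses the same message form. Naming the value would read more clearly: `"Could not read FW version bytes_recv = %d\n"`. The `%d` also assumes `bytes_recv` is an `int`; its declaration is outside the hunk.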
+@@ -335,7 +335,7 @@ static int mei_nfc_if_version(struct mei_cl *cl,
+ ret = __mei_cl_send(cl, (u8 *)&cmd, sizeof(struct mei_nfc_cmd),
+ MEI_CL_IO_TX_BLOCKING);
+ if (ret < 0) {
+- dev_err(bus->dev, "Could not send IF version cmd\n");
++ dev_err(bus->dev, "Could not send IF version cmd ret = %d\n", ret);
+ return ret;
+ }
+
+@@ -350,7 +350,7 @@ static int mei_nfc_if_version(struct mei_cl *cl,
+ ret = 0;
+ bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length, 0, 0);
+ if (bytes_recv < 0 || (size_t)bytes_recv < if_version_length) {
+- dev_err(bus->dev, "Could not read IF version\n");
++ dev_err(bus->dev, "Could not read IF version ret = %d\n", bytes_recv);
+ ret = -EIO;
+ goto err;
+ }
+--
+2.39.2
+
--- /dev/null
+From f97cb44cf8ad99c95a1b950f3eec4eeff0c85eaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Feb 2023 08:38:45 +0000
+Subject: net: fix __dev_kfree_skb_any() vs drop monitor
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ac3ad19584b26fae9ac86e4faebe790becc74491 ]
+
+dev_kfree_skb() is aliased to consume_skb().
+
+When a driver is dropping a packet by calling dev_kfree_skb_any()
+we should propagate the drop reason instead of pretending
+the packet was consumed.
+
+Note: Now we have enum skb_drop_reason we could remove
+enum skb_free_reason (for linux-6.4)
+
+v2: added an unlikely(), suggested by Yunsheng Lin.
+
+Fixes: e6247027e517 ("net: introduce dev_consume_skb_any()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yunsheng Lin <linyunsheng@huawei.com>
+Reviewed-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 880b096eef8a6..b778f35965433 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2794,8 +2794,10 @@ void __dev_kfree_skb_any(struct sk_buff *skb, enum skb_free_reason reason)
+ {
+ if (in_irq() || irqs_disabled())
+ __dev_kfree_skb_irq(skb, reason);
++ else if (unlikely(reason == SKB_REASON_DROPPED))
++ kfree_skb(skb);
+ else
+- dev_kfree_skb(skb);
++ consume_skb(skb);
+ }
+ EXPORT_SYMBOL(__dev_kfree_skb_any);
+
+--
+2.39.2
+
--- /dev/null
+From 76ffb42e4481ee1ba850fe96c6d71e8820d281fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Feb 2023 15:17:30 +0800
+Subject: netfilter: ctnetlink: fix possible refcount leak in
+ ctnetlink_create_conntrack()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit ac4893980bbe79ce383daf9a0885666a30fe4c83 ]
+
+nf_ct_put() needs to be called to put the refcount got by
+nf_conntrack_find_get() to avoid refcount leak when
+nf_conntrack_hash_check_insert() fails.
+
+Fixes: 7d367e06688d ("netfilter: ctnetlink: fix soft lockup when netlink adds new entries (v2)")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 2850a638401d5..58bba2e2691fa 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -2056,12 +2056,15 @@ ctnetlink_create_conntrack(struct net *net,
+
+ err = nf_conntrack_hash_check_insert(ct);
+ if (err < 0)
+- goto err2;
++ goto err3;
+
+ rcu_read_unlock();
+
+ return ct;
+
++err3:
++ if (ct->master)
++ nf_ct_put(ct->master);
+ err2:
+ rcu_read_unlock();
+ err1:
+--
+2.39.2
+
--- /dev/null
+From 897ec41de0a9671f69876fd30c3c2063553cc002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 13:56:14 +0300
+Subject: nfc: fix memory leak of se_io context in nfc_genl_se_io
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 25ff6f8a5a3b8dc48e8abda6f013e8cc4b14ffea ]
+
+The callback context for sending/receiving APDUs to/from the selected
+secure element is allocated inside nfc_genl_se_io and supposed to be
+eventually freed in se_io_cb callback function. However, there are several
+error paths where the bwi_timer is not charged to call se_io_cb later, and
+the cb_context is leaked.
+
+The patch proposes to free the cb_context explicitly on those error paths.
+
+At the moment we can't simply check 'dev->ops->se_io()' return value as it
+may be negative in both cases: when the timer was charged and was not.
+
+Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
+Reported-by: syzbot+df64c0a2e8d68e78a4fa@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 6 ++++++
+ drivers/nfc/st21nfca/se.c | 6 ++++++
+ net/nfc/netlink.c | 4 ++++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index cdf9e915c974b..f702aa9c7cf5b 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -676,6 +676,12 @@ int st_nci_se_io(struct nci_dev *ndev, u32 se_idx,
+ ST_NCI_EVT_TRANSMIT_DATA, apdu,
+ apdu_length);
+ default:
++ /* Need to free cb_context here as at the moment we can't
++ * clearly indicate to the caller if the callback function
++ * would be called (and free it) or not. In both cases a
++ * negative value may be returned to the caller.
++ */
++ kfree(cb_context);
+ return -ENODEV;
+ }
+ }
+diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
+index 52e209950c436..8a96354796c76 100644
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -247,6 +247,12 @@ int st21nfca_hci_se_io(struct nfc_hci_dev *hdev, u32 se_idx,
+ ST21NFCA_EVT_TRANSMIT_DATA,
+ apdu, apdu_length);
+ default:
++ /* Need to free cb_context here as at the moment we can't
++ * clearly indicate to the caller if the callback function
++ * would be called (and free it) or not. In both cases a
++ * negative value may be returned to the caller.
++ */
++ kfree(cb_context);
+ return -ENODEV;
+ }
+ }
+diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
+index 8953b03d5a529..2c5443ce449c3 100644
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1460,7 +1460,11 @@ static int nfc_se_io(struct nfc_dev *dev, u32 se_idx,
+ rc = dev->ops->se_io(dev, se_idx, apdu,
+ apdu_length, cb, cb_context);
+
++ device_unlock(&dev->dev);
++ return rc;
++
+ error:
++ kfree(cb_context);
+ device_unlock(&dev->dev);
+ return rc;
+ }
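Review bot: The `dev->ops->se_io()` call in nfc_se_io() is where ownership of `cb_context` passes to the driver, and nothing at the call site says so; the only explanation is in the comments added to st_nci_se_io() and st21nfca_hci_se_io(). Without that context the duplicated `device_unlock(&dev->dev); return rc;` ahead of `error:` looks redundant, and folding it back into the label would free a context that the callback may still use or free. I would add a comment above the new unlock, for example `/* cb_context now belongs to the driver: se_io() frees it or leaves it to the callback, even when rc < 0 */`. The start of nfc_se_io() is outside the hunk, so the earlier `goto error` paths are assumed to run before the call.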
+--
+2.39.2
+
--- /dev/null
+From a5cee9206bb802f06e8f32e0f24f274f1cc9ed53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jan 2023 21:56:55 +0000
+Subject: parport_pc: Set up mode and ECR masks for Oxford Semiconductor
+ devices
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit c087df8d1e7dc2e764d11234d84b5af46d500f16 ]
+
+No Oxford Semiconductor PCI or PCIe parallel port device supports the
+Parallel Port FIFO mode. All support the PS/2 Parallel Port mode and
+the Enhanced Parallel Port mode via the ECR register. The original 5V
+PCI OX16PCI954 device does not support the Extended Capabilities Port
+mode, the Test mode or the Configuration mode, but all the other OxSemi
+devices do, including in particular the 3.3V PCI OXmPCI954 device and
+the universal voltage PCI OXuPCI954 device. All the unsupported modes
+are marked reserved in the relevant datasheets.
+
+Accordingly enable the `base_hi' BAR for the 954 devices to enable PS2
+and EPP mode support via the ECR register, however mask the COMPAT mode
+and, until we have a way to determine what chip variant it is that we
+poke at, also the ECP mode, and mask the COMPAT mode only for all the
+remaining OxSemi devices, fixing errors like:
+
+parport0: FIFO is stuck
+FIFO write timed out
+
+and a non-functional port when the Parallel Port FIFO mode is selected.
+
+Complementing the fix apply an ECR mask for all these devices, which are
+documented to only permit writing to the mode field of the ECR register
+with a bit pattern of 00001 required to be written to bits 4:0 on mode
+field writes. No nFault or service interrupts are implemented, which
+will therefore never have to be enabled, though bit 2 does report the
+FIFO threshold status to be polled for in the ECP mode where supported.
+
+We have a documented case of writing 1 to bit 2 causing a lock-up with
+at least one OX12PCI840 device (from old drivers/parport/ChangeLog):
+
+2001-10-10 Tim Waugh <twaugh@redhat.com>
+
+ * parport_pc.c: Support for OX12PCI840 PCI card (reported by
+ mk@daveg.com). Lock-ups diagnosed by Ronnie Arosa (and now we
+ just don't trust its ECR).
+
+which commit adbd321a17cc ("parport_pc: add base_hi BAR for oxsemi_840")
+must have broken and by applying an ECR mask here we prevent the lock-up
+from triggering. This could have been the reason for requiring 00001 to
+be written to bits 4:0 of ECR.
+
+Update the inline comment accordingly; it has come from Linux 2.4.12
+back in 2001 and predates the introduction of OXmPCI954 and OXuPCI954
+devices that do support ECP.
+
+References:
+
+[1] "OX16PCI954 Integrated Quad UART and PCI interface", Oxford
+ Semiconductor Ltd., Data Sheet Revision 1.3, Feb. 1999, Chapter 9
+ "Bidirectional Parallel Port", pp. 53-55
+
+[2] "OX16PCI952 Data Sheet, Integrated High Performance Dual UARTs,
+ Parallel Port and 5.0v PCI interface", Oxford Semiconductor Ltd.,
+ DS_B008A_00, Datasheet rev 1.1, June 2001, Chapter 8 "Bi-directional
+ Parallel Port", pp. 52-56
+
+[3] "OXmPCI954 DATA SHEET Integrated High Performance Quad UARTs, 8-bit
+ Local Bus/Parallel Port. 3.3v PCI/miniPCI interface.", Oxford
+ Semiconductor Ltd., DS-0019, June 2005, Chapter 10 "Bidirectional
+ Parallel Port", pp. 86-90
+
+[4] "OXmPCI952 Data Sheet, Integrated High Performance Dual UARTs, 8-bit
+ Local Bus/Parallel Port. 3.3v PCI/miniPCI interface.", Oxford
+ Semiconductor Ltd., DS-0020, June 2005, Chapter 8 "Bidirectional
+ Parallel Port", pp. 73-77
+
+[5] "OX12PCI840 Integrated Parallel Port and PCI interface", Oxford
+ Semiconductor Ltd., DS-0021, Jun 2005, Chapter 5 "Bi-directional
+ Parallel Port", pp. 18-21
+
+[6] "OXPCIe952 PCI Express Bridge to Dual Serial & Parallel Port",
+ Oxford Semiconductor, Inc., DS-0046, Mar 06 08, Chapter "Parallel
+ Port Function", pp. 59-62
+
+[7] "OXPCIe840 PCI Express Bridge to Parallel Port", Oxford
+ Semiconductor, Inc., DS-0049, Mar 06 08, Chapter "Parallel Port
+ Function", pp. 15-18
+
+[8] "OXuPCI954 Data Sheet, Integrated High Performance Quad UARTs, 8-bit
+ Local Bus/Parallel Port, 3.3 V and 5 V (Universal Voltage) PCI
+ Interface.", Oxford Semiconductor, Inc., DS-0058, 26 Jan 2009,
+ Chapter 8 "Bidirectional Parallel Port", pp. 62-65
+
+[9] "OXuPCI952 Data Sheet, Integrated High Performance Dual UARTs, 8-bit
+ Local Bus/Parallel Port, 3.3 V and 5.0 V Universal Voltage PCI
+ Interface.", Oxford Semiconductor, Inc., DS-0059, Sep 2007, Chapter
+ 8 "Bidirectional Parallel Port", pp. 61-64
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/20230108215656.6433-6-sudipm.mukherjee@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/parport_pc.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index d99ac73a1d89e..40c29e19f8647 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -2691,12 +2691,19 @@ static struct parport_pc_pci {
+ /* titan_010l */ { 1, { { 3, -1 }, } },
+ /* avlab_1p */ { 1, { { 0, 1}, } },
+ /* avlab_2p */ { 2, { { 0, 1}, { 2, 3 },} },
+- /* The Oxford Semi cards are unusual: 954 doesn't support ECP,
+- * and 840 locks up if you write 1 to bit 2! */
+- /* oxsemi_952 */ { 1, { { 0, 1 }, } },
+- /* oxsemi_954 */ { 1, { { 0, -1 }, } },
+- /* oxsemi_840 */ { 1, { { 0, 1 }, } },
+- /* oxsemi_pcie_pport */ { 1, { { 0, 1 }, } },
++ /* The Oxford Semi cards are unusual: older variants of 954 don't
++ * support ECP, and 840 locks up if you write 1 to bit 2! None
++ * implement nFault or service interrupts and all require 00001
++ * bit pattern to be used for bits 4:0 with ECR writes. */
++ /* oxsemi_952 */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
++ /* oxsemi_954 */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_ECP |
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
++ /* oxsemi_840 */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
++ /* oxsemi_pcie_pport */ { 1, { { 0, 1 }, },
++ PARPORT_MODE_COMPAT, ECR_MODE_MASK },
+ /* aks_0100 */ { 1, { { 0, -1 }, } },
+ /* mobility_pp */ { 1, { { 0, 1 }, } },
+
+--
+2.39.2
+
--- /dev/null
+From 7865eb451ebb3913f892fb7d08f074e73fb1ed76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Feb 2023 11:57:09 +0800
+Subject: phy: rockchip-typec: Fix unsigned comparison with less than zero
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit f765c59c5a72546a2d74a92ae5d0eb0329d8e247 ]
+
+The dp and ufp are defined as bool type, the return value type of
+function extcon_get_state should be int, so the type of dp and ufp
+are modified to int.
+
+./drivers/phy/rockchip/phy-rockchip-typec.c:827:12-14: WARNING: Unsigned expression compared with zero: dp > 0.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3962
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230213035709.99027-1-jiapeng.chong@linux.alibaba.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-typec.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-typec.c b/drivers/phy/rockchip/phy-rockchip-typec.c
+index 76a4b58ec7717..ca4b80d0d8b78 100644
+--- a/drivers/phy/rockchip/phy-rockchip-typec.c
++++ b/drivers/phy/rockchip/phy-rockchip-typec.c
+@@ -817,9 +817,8 @@ static int tcphy_get_mode(struct rockchip_typec_phy *tcphy)
+ struct extcon_dev *edev = tcphy->extcon;
+ union extcon_property_value property;
+ unsigned int id;
+- bool ufp, dp;
+ u8 mode;
+- int ret;
++ int ret, ufp, dp;
+
+ if (!edev)
+ return MODE_DFP_USB;
+--
+2.39.2
+
--- /dev/null
+From 0709f6c21943abe0f1919dae00b9bac023d8ca86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 14:36:52 +0100
+Subject: pwm: stm32-lp: fix the check on arr and cmp registers update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+
+[ Upstream commit 3066bc2d58be31275afb51a589668f265e419c37 ]
+
+The ARR (auto reload register) and CMP (compare) registers are
+successively written. The status bits to check the update of these
+registers are polled together with regmap_read_poll_timeout().
+The condition to end the loop may become true, even if one of the
+register isn't correctly updated.
+So ensure both status bits are set before clearing them.
+
+Fixes: e70a540b4e02 ("pwm: Add STM32 LPTimer PWM driver")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-stm32-lp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-stm32-lp.c b/drivers/pwm/pwm-stm32-lp.c
+index e92a140074221..7c8c2bb8f6a28 100644
+--- a/drivers/pwm/pwm-stm32-lp.c
++++ b/drivers/pwm/pwm-stm32-lp.c
+@@ -126,7 +126,7 @@ static int stm32_pwm_lp_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+
+ /* ensure CMP & ARR registers are properly written */
+ ret = regmap_read_poll_timeout(priv->regmap, STM32_LPTIM_ISR, val,
+- (val & STM32_LPTIM_CMPOK_ARROK),
++ (val & STM32_LPTIM_CMPOK_ARROK) == STM32_LPTIM_CMPOK_ARROK,
+ 100, 1000);
+ if (ret) {
+ dev_err(priv->chip.dev, "ARR/CMP registers write issue\n");
+--
+2.39.2
+
--- /dev/null
+From 6229144b29df6f05f95cf155a2095f257722b64b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 14:28:08 +0100
+Subject: scsi: ipr: Work around fortify-string warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit ee4e7dfe4ffc9ca50c6875757bd119abfe22b5c5 ]
+
+The ipr_log_vpd_compact() function triggers a fortified memcpy() warning
+about a potential string overflow with all versions of clang:
+
+In file included from drivers/scsi/ipr.c:43:
+In file included from include/linux/string.h:254:
+include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ __write_overflow_field(p_size_field, size);
+ ^
+include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+2 errors generated.
+
+I don't see anything actually wrong with the function, but this is the only
+instance I can reproduce of the fortification going wrong in the kernel at
+the moment, so the easiest solution may be to rewrite the function into
+something that does not trigger the warning.
+
+Instead of having a combined buffer for vendor/device/serial strings, use
+three separate local variables and just truncate the whitespace
+individually.
+
+Link: https://lore.kernel.org/r/20230214132831.2118392-1-arnd@kernel.org
+Cc: Kees Cook <keescook@chromium.org>
+Fixes: 8cf093e275d0 ("[SCSI] ipr: Improved dual adapter errors")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ipr.c | 41 +++++++++++++++++++++--------------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index 5989c868bfe08..921ecaf33c9b4 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -1531,23 +1531,22 @@ static void ipr_process_ccn(struct ipr_cmnd *ipr_cmd)
+ }
+
+ /**
+- * strip_and_pad_whitespace - Strip and pad trailing whitespace.
+- * @i: index into buffer
+- * @buf: string to modify
++ * strip_whitespace - Strip and pad trailing whitespace.
++ * @i: size of buffer
++ * @buf: string to modify
+ *
+- * This function will strip all trailing whitespace, pad the end
+- * of the string with a single space, and NULL terminate the string.
++ * This function will strip all trailing whitespace and
++ * NUL terminate the string.
+ *
+- * Return value:
+- * new length of string
+ **/
+-static int strip_and_pad_whitespace(int i, char *buf)
++static void strip_whitespace(int i, char *buf)
+ {
++ if (i < 1)
++ return;
++ i--;
+ while (i && buf[i] == ' ')
+ i--;
+- buf[i+1] = ' ';
+- buf[i+2] = '\0';
+- return i + 2;
++ buf[i+1] = '\0';
+ }
+
+ /**
+@@ -1562,19 +1561,21 @@ static int strip_and_pad_whitespace(int i, char *buf)
+ static void ipr_log_vpd_compact(char *prefix, struct ipr_hostrcb *hostrcb,
+ struct ipr_vpd *vpd)
+ {
+- char buffer[IPR_VENDOR_ID_LEN + IPR_PROD_ID_LEN + IPR_SERIAL_NUM_LEN + 3];
+- int i = 0;
++ char vendor_id[IPR_VENDOR_ID_LEN + 1];
++ char product_id[IPR_PROD_ID_LEN + 1];
++ char sn[IPR_SERIAL_NUM_LEN + 1];
+
+- memcpy(buffer, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN);
+- i = strip_and_pad_whitespace(IPR_VENDOR_ID_LEN - 1, buffer);
++ memcpy(vendor_id, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN);
++ strip_whitespace(IPR_VENDOR_ID_LEN, vendor_id);
+
+- memcpy(&buffer[i], vpd->vpids.product_id, IPR_PROD_ID_LEN);
+- i = strip_and_pad_whitespace(i + IPR_PROD_ID_LEN - 1, buffer);
++ memcpy(product_id, vpd->vpids.product_id, IPR_PROD_ID_LEN);
++ strip_whitespace(IPR_PROD_ID_LEN, product_id);
+
+- memcpy(&buffer[i], vpd->sn, IPR_SERIAL_NUM_LEN);
+- buffer[IPR_SERIAL_NUM_LEN + i] = '\0';
++ memcpy(sn, vpd->sn, IPR_SERIAL_NUM_LEN);
++ strip_whitespace(IPR_SERIAL_NUM_LEN, sn);
+
+- ipr_hcam_err(hostrcb, "%s VPID/SN: %s\n", prefix, buffer);
++ ipr_hcam_err(hostrcb, "%s VPID/SN: %s %s %s\n", prefix,
++ vendor_id, product_id, sn);
+ }
+
+ /**
+--
+2.39.2
+
wifi-ath9k-use-proper-statements-in-conditionals.patch
kbuild-port-silent-mode-detection-to-future-gnu-make.patch
net-sched-retire-tcindex-classifier.patch
+fs-jfs-fix-shift-exponent-db_agl2size-negative.patch
+pwm-stm32-lp-fix-the-check-on-arr-and-cmp-registers-.patch
+um-vector-fix-memory-leak-in-vector_config.patch
+ubi-ensure-that-vid-header-offset-vid-header-size-al.patch
+ubifs-rectify-space-budget-for-ubifs_symlink-if-syml.patch
+ubifs-rectify-space-budget-for-ubifs_xrename.patch
+ubifs-fix-wrong-dirty-space-budget-for-dirty-inode.patch
+ubifs-do_rename-fix-wrong-space-budget-when-target-i.patch
+ubifs-reserve-one-leb-for-each-journal-head-while-do.patch
+ubi-fix-use-after-free-when-volume-resizing-failed.patch
+ubi-fix-unreferenced-object-reported-by-kmemleak-in-.patch
+ubi-fix-possible-null-ptr-deref-in-ubi_free_volume.patch
+ubifs-re-statistic-cleaned-znode-count-if-commit-fai.patch
+ubifs-dirty_cow_znode-fix-memleak-in-error-handling-.patch
+ubifs-ubifs_writepage-mark-page-dirty-after-writing-.patch
+ubi-fix-uaf-wear-leveling-entry-in-eraseblk_count_se.patch
+ubi-ubi_wl_put_peb-fix-infinite-loop-when-wear-level.patch
+x86-um-vdso-add-rcx-and-r11-to-the-syscall-clobber-l.patch
+watchdog-at91sam9_wdt-use-devm_request_irq-to-avoid-.patch
+watchdog-fix-kmemleak-in-watchdog_cdev_register.patch
+watchdog-pcwd_usb-fix-attempting-to-access-uninitial.patch
+netfilter-ctnetlink-fix-possible-refcount-leak-in-ct.patch
+net-fix-__dev_kfree_skb_any-vs-drop-monitor.patch
+9p-xen-fix-version-parsing.patch
+9p-xen-fix-connection-sequence.patch
+9p-rdma-unmap-receive-dma-buffer-in-rdma_request-pos.patch
+nfc-fix-memory-leak-of-se_io-context-in-nfc_genl_se_.patch
+arm-dts-spear320-hmi-correct-stmpe-gpio-compatible.patch
+tcp-tcp_check_req-can-be-called-from-process-context.patch
+vc_screen-modify-vcs_size-handling-in-vcs_read.patch
+scsi-ipr-work-around-fortify-string-warning.patch
+thermal-intel-quark_dts-fix-error-pointer-dereferenc.patch
+tracing-add-null-checks-for-buffer-in-ring_buffer_fr.patch
+firmware-efi-sysfb_efi-add-quirk-for-lenovo-ideapad-.patch
+media-uvcvideo-handle-cameras-with-invalid-descripto.patch
+media-uvcvideo-handle-errors-from-calls-to-usb_strin.patch
+media-uvcvideo-silence-memcpy-run-time-false-positiv.patch
+tty-fix-out-of-bounds-access-in-tty_driver_lookup_tt.patch
+tty-serial-fsl_lpuart-disable-the-cts-when-send-brea.patch
+mei-bus-fixup-upon-error-print-return-values-of-send.patch
+parport_pc-set-up-mode-and-ecr-masks-for-oxford-semi.patch
+tools-iio-iio_utils-fix-memory-leak.patch
+iio-accel-mma9551_core-prevent-uninitialized-variabl.patch
+iio-accel-mma9551_core-prevent-uninitialized-variabl.patch-26174
+usb-host-xhci-mvebu-iterate-over-array-indexes-inste.patch
+usb-ene_usb6250-allocate-enough-memory-for-full-obje.patch
+usb-uvc-enumerate-valid-values-for-color-matching.patch
+phy-rockchip-typec-fix-unsigned-comparison-with-less.patch
--- /dev/null
+From 120ef4bc447462f9abdb909f5e36880edf5394cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 08:33:36 +0000
+Subject: tcp: tcp_check_req() can be called from process context
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 580f98cc33a260bb8c6a39ae2921b29586b84fdf ]
+
+This is a follow up of commit 0a375c822497 ("tcp: tcp_rtx_synack()
+can be called from process context").
+
+Frederick Lawler reported another "__this_cpu_add() in preemptible"
+warning caused by the same reason.
+
+In my former patch I took care of tcp_rtx_synack()
+but forgot that tcp_check_req() also contained some SNMP updates.
+
+Note that some parts of tcp_check_req() always run in BH context,
+I added a comment to clarify this.
+
+Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners")
+Link: https://lore.kernel.org/netdev/8cd33923-a21d-397c-e46b-2a068c287b03@cloudflare.com/T/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Frederick Lawler <fred@cloudflare.com>
+Tested-by: Frederick Lawler <fred@cloudflare.com>
+Link: https://lore.kernel.org/r/20230227083336.4153089-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_minisocks.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index 0fc238d79b03a..bae0199a943bd 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -582,6 +582,9 @@ EXPORT_SYMBOL(tcp_create_openreq_child);
+ * validation and inside tcp_v4_reqsk_send_ack(). Can we do better?
+ *
+ * We don't need to initialize tmp_opt.sack_ok as we don't use the results
++ *
++ * Note: If @fastopen is true, this can be called from process context.
++ * Otherwise, this is from BH context.
+ */
+
+ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+@@ -734,7 +737,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+ &tcp_rsk(req)->last_oow_ack_time))
+ req->rsk_ops->send_ack(sk, skb, req);
+ if (paws_reject)
+- __NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);
++ NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);
+ return NULL;
+ }
+
+@@ -753,7 +756,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+ * "fourth, check the SYN bit"
+ */
+ if (flg & (TCP_FLAG_RST|TCP_FLAG_SYN)) {
+- __TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS);
++ TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS);
+ goto embryonic_reset;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From be9bd2de91aa81f05a3667b31cd7db82133b42df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 13:06:50 +0300
+Subject: thermal: intel: quark_dts: fix error pointer dereference
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit f1b930e740811d416de4d2074da48b6633a672c8 ]
+
+If alloc_soc_dts() fails, then we can just return. Trying to free
+"soc_dts" will lead to an Oops.
+
+Fixes: 8c1876939663 ("thermal: intel Quark SoC X1000 DTS thermal driver")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel_quark_dts_thermal.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/thermal/intel_quark_dts_thermal.c b/drivers/thermal/intel_quark_dts_thermal.c
+index 5d33b350da1c6..ad92d8f0add19 100644
+--- a/drivers/thermal/intel_quark_dts_thermal.c
++++ b/drivers/thermal/intel_quark_dts_thermal.c
+@@ -440,22 +440,14 @@ MODULE_DEVICE_TABLE(x86cpu, qrk_thermal_ids);
+
+ static int __init intel_quark_thermal_init(void)
+ {
+- int err = 0;
+-
+ if (!x86_match_cpu(qrk_thermal_ids) || !iosf_mbi_available())
+ return -ENODEV;
+
+ soc_dts = alloc_soc_dts();
+- if (IS_ERR(soc_dts)) {
+- err = PTR_ERR(soc_dts);
+- goto err_free;
+- }
++ if (IS_ERR(soc_dts))
++ return PTR_ERR(soc_dts);
+
+ return 0;
+-
+-err_free:
+- free_soc_dts(soc_dts);
+- return err;
+ }
+
+ static void __exit intel_quark_thermal_exit(void)
+--
+2.39.2
+
--- /dev/null
+From 7abbb6eea8d0b460a461286e769e276c7ba7fe23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 10:51:47 +0800
+Subject: tools/iio/iio_utils:fix memory leak
+
+From: Yulong Zhang <yulong.zhang@metoak.net>
+
+[ Upstream commit f2edf0c819a4823cd6c288801ce737e8d4fcde06 ]
+
+1. fopen sysfs without fclose.
+2. asprintf filename without free.
+3. if asprintf return error,do not need to free the buffer.
+
+Signed-off-by: Yulong Zhang <yulong.zhang@metoak.net>
+Link: https://lore.kernel.org/r/20230117025147.69890-1-yulong.zhang@metoak.net
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/iio/iio_utils.c | 23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c
+index d60a252577f0b..d174487b2f226 100644
+--- a/tools/iio/iio_utils.c
++++ b/tools/iio/iio_utils.c
+@@ -265,6 +265,7 @@ int iioutils_get_param_float(float *output, const char *param_name,
+ if (fscanf(sysfsfp, "%f", output) != 1)
+ ret = errno ? -errno : -ENODATA;
+
++ fclose(sysfsfp);
+ break;
+ }
+ error_free_filename:
+@@ -345,9 +346,9 @@ int build_channel_array(const char *device_dir,
+ }
+
+ sysfsfp = fopen(filename, "r");
++ free(filename);
+ if (!sysfsfp) {
+ ret = -errno;
+- free(filename);
+ goto error_close_dir;
+ }
+
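Review bot: `free(filename)` now runs between `fopen()` and `ret = -errno`, so the error code reported for a failed open depends on `free()` leaving errno untouched, which ISO C does not guarantee and older C libraries do not always honour. The same ordering is introduced in the two later `fopen()` hunks of build_channel_array(). I would record the error first and release the name afterwards, that is set `ret = -errno` immediately after a NULL return from `fopen()` and only then call `free(filename)`, keeping the existing `goto` as it is.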
+@@ -357,7 +358,6 @@ int build_channel_array(const char *device_dir,
+ if (fclose(sysfsfp))
+ perror("build_channel_array(): Failed to close file");
+
+- free(filename);
+ goto error_close_dir;
+ }
+ if (ret == 1)
+@@ -365,11 +365,9 @@ int build_channel_array(const char *device_dir,
+
+ if (fclose(sysfsfp)) {
+ ret = -errno;
+- free(filename);
+ goto error_close_dir;
+ }
+
+- free(filename);
+ }
+
+ *ci_array = malloc(sizeof(**ci_array) * (*counter));
+@@ -395,9 +393,9 @@ int build_channel_array(const char *device_dir,
+ }
+
+ sysfsfp = fopen(filename, "r");
++ free(filename);
+ if (!sysfsfp) {
+ ret = -errno;
+- free(filename);
+ count--;
+ goto error_cleanup_array;
+ }
+@@ -405,20 +403,17 @@ int build_channel_array(const char *device_dir,
+ errno = 0;
+ if (fscanf(sysfsfp, "%i", ¤t_enabled) != 1) {
+ ret = errno ? -errno : -ENODATA;
+- free(filename);
+ count--;
+ goto error_cleanup_array;
+ }
+
+ if (fclose(sysfsfp)) {
+ ret = -errno;
+- free(filename);
+ count--;
+ goto error_cleanup_array;
+ }
+
+ if (!current_enabled) {
+- free(filename);
+ count--;
+ continue;
+ }
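Review bot: The `fscanf()` failure branch at the top of this hunk jumps to `error_cleanup_array` with `sysfsfp` still open, so the stream leaks on that path unless the label closes it, which is not visible here. The commit removes the `free(filename)` from that branch but adds no close, while the error branch in the later `_index` hunk does call `fclose(sysfsfp)` before its `goto`. I would add `fclose(sysfsfp);` before `count--;` in that branch.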
+@@ -429,7 +424,6 @@ int build_channel_array(const char *device_dir,
+ strlen(ent->d_name) -
+ strlen("_en"));
+ if (!current->name) {
+- free(filename);
+ ret = -ENOMEM;
+ count--;
+ goto error_cleanup_array;
+@@ -439,7 +433,6 @@ int build_channel_array(const char *device_dir,
+ ret = iioutils_break_up_name(current->name,
+ ¤t->generic_name);
+ if (ret) {
+- free(filename);
+ free(current->name);
+ count--;
+ goto error_cleanup_array;
+@@ -450,17 +443,16 @@ int build_channel_array(const char *device_dir,
+ scan_el_dir,
+ current->name);
+ if (ret < 0) {
+- free(filename);
+ ret = -ENOMEM;
+ goto error_cleanup_array;
+ }
+
+ sysfsfp = fopen(filename, "r");
++ free(filename);
+ if (!sysfsfp) {
+ ret = -errno;
+- fprintf(stderr, "failed to open %s\n",
+- filename);
+- free(filename);
++ fprintf(stderr, "failed to open %s/%s_index\n",
++ scan_el_dir, current->name);
+ goto error_cleanup_array;
+ }
+
+@@ -470,17 +462,14 @@ int build_channel_array(const char *device_dir,
+ if (fclose(sysfsfp))
+ perror("build_channel_array(): Failed to close file");
+
+- free(filename);
+ goto error_cleanup_array;
+ }
+
+ if (fclose(sysfsfp)) {
+ ret = -errno;
+- free(filename);
+ goto error_cleanup_array;
+ }
+
+- free(filename);
+ /* Find the scale */
+ ret = iioutils_get_param_float(¤t->scale,
+ "scale",
+--
+2.39.2
+
--- /dev/null
+From 40d15c7450a0ca35ac1027855ad2927ac02e5ead Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jan 2023 20:55:01 +0800
+Subject: tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 3e4272b9954094907f16861199728f14002fcaf6 ]
+
+In a previous commit 7433632c9ff6, buffer, buffer->buffers and
+buffer->buffers[cpu] in ring_buffer_wake_waiters() can be NULL,
+and thus the related checks are added.
+
+However, in the same call stack, these variables are also used in
+ring_buffer_free_read_page():
+
+tracing_buffers_release()
+ ring_buffer_wake_waiters(iter->array_buffer->buffer)
+ cpu_buffer = buffer->buffers[cpu] -> Add checks by previous commit
+ ring_buffer_free_read_page(iter->array_buffer->buffer)
+ cpu_buffer = buffer->buffers[cpu] -> No check
+
+Thus, to avod possible null-pointer derefernces, the related checks
+should be added.
+
+These results are reported by a static tool designed by myself.
+
+Link: https://lkml.kernel.org/r/20230113125501.760324-1-baijiaju1990@gmail.com
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 5e5b0c067f611..bef3d01b8ff61 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4685,11 +4685,16 @@ EXPORT_SYMBOL_GPL(ring_buffer_alloc_read_page);
+ */
+ void ring_buffer_free_read_page(struct ring_buffer *buffer, int cpu, void *data)
+ {
+- struct ring_buffer_per_cpu *cpu_buffer = buffer->buffers[cpu];
++ struct ring_buffer_per_cpu *cpu_buffer;
+ struct buffer_data_page *bpage = data;
+ struct page *page = virt_to_page(bpage);
+ unsigned long flags;
+
++ if (!buffer || !buffer->buffers || !buffer->buffers[cpu])
++ return;
++
++ cpu_buffer = buffer->buffers[cpu];
++
+ /* If the page is still in use someplace else, we can't reuse it */
+ if (page_ref_count(page) > 1)
+ goto out;
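Review bot: The new early `return` leaves the function without doing anything with `data`, whereas the in-use case just below goes through `out:`; if that label is where the page is released, as the function name suggests, a NULL `buffer` or per-CPU buffer now leaks the read page. The label is outside the hunk, so this needs checking against the full function. If the page must still be released, the guard should release it before returning without touching `cpu_buffer`; if the caller keeps ownership in that case, the kernel-doc above the function should say so.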
+--
+2.39.2
+
--- /dev/null
+From e6e573e7ab5498d3183573a4295805ff63ab22e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 12:27:36 +0100
+Subject: tty: fix out-of-bounds access in tty_driver_lookup_tty()
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit db4df8e9d79e7d37732c1a1b560958e8dadfefa1 ]
+
+When specifying an invalid console= device like console=tty3270,
+tty_driver_lookup_tty() returns the tty struct without checking
+whether index is a valid number.
+
+To reproduce:
+
+qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \
+-kernel ../linux-build-x86/arch/x86/boot/bzImage \
+-append "console=ttyS0 console=tty3270"
+
+This crashes with:
+
+[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef
+[ 0.771265] #PF: supervisor read access in kernel mode
+[ 0.771773] #PF: error_code(0x0000) - not-present page
+[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0
+[ 0.784013] chrdev_open+0xbd/0x230
+[ 0.784444] ? cdev_device_add+0x80/0x80
+[ 0.784920] do_dentry_open+0x1e0/0x410
+[ 0.785389] path_openat+0xca9/0x1050
+[ 0.785813] do_filp_open+0xaa/0x150
+[ 0.786240] file_open_name+0x133/0x1b0
+[ 0.786746] filp_open+0x27/0x50
+[ 0.787244] console_on_rootfs+0x14/0x4d
+[ 0.787800] kernel_init_freeable+0x1e4/0x20d
+[ 0.788383] ? rest_init+0xc0/0xc0
+[ 0.788881] kernel_init+0x11/0x120
+[ 0.789356] ret_from_fork+0x22/0x30
+
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20221209112737.3222509-2-svens@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/tty_io.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index b6f42d0ee6269..d3e6b66155536 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1155,14 +1155,16 @@ static struct tty_struct *tty_driver_lookup_tty(struct tty_driver *driver,
+ {
+ struct tty_struct *tty;
+
+- if (driver->ops->lookup)
++ if (driver->ops->lookup) {
+ if (!file)
+ tty = ERR_PTR(-EIO);
+ else
+ tty = driver->ops->lookup(driver, file, idx);
+- else
++ } else {
++ if (idx >= driver->num)
++ return ERR_PTR(-EINVAL);
+ tty = driver->ttys[idx];
+-
++ }
+ if (!IS_ERR(tty))
+ tty_kref_get(tty);
+ return tty;
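Review bot: The added `idx >= driver->num` test in the `else` branch bounds `idx` only from above, so a negative index is rejected only if the comparison happens in an unsigned type; the declarations of `idx` and `num` are outside the hunk. If `idx` is a signed int, I would make the lower bound explicit with `if (idx < 0 || idx >= driver->num)`, so the check does not depend on integer conversion rules. The branch also returns directly while the `lookup` branch assigns `tty = ERR_PTR(-EIO)` and falls through to the common exit; `tty = ERR_PTR(-EINVAL);` with an `else` would keep one exit style.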
+--
+2.39.2
+
--- /dev/null
+From 662171d477ba26884d08a8ca0fb4226e0d54bfe1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 11:11:35 +0800
+Subject: tty: serial: fsl_lpuart: disable the CTS when send break signal
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit c4c81db5cf8bc53d6160c3abf26d382c841aa434 ]
+
+LPUART IP has a bug that it treats the CTS as higher priority than the
+break signal, which cause the break signal sending through UARTCTRL_SBK
+may impacted by the CTS input if the HW flow control is enabled.
+
+Add this workaround patch to fix the IP bug, we can disable CTS before
+asserting SBK to avoid any interference from CTS, and re-enable it when
+break off.
+
+Such as for the bluetooth chip power save feature, host can let the BT
+chip get into sleep state by sending a UART break signal, and wake it up
+by turning off the UART break. If the BT chip enters the sleep mode
+successfully, it will pull up the CTS line, if the BT chip is woken up,
+it will pull down the CTS line. If without this workaround patch, the
+UART TX pin cannot send the break signal successfully as it affected by
+the BT CTS pin. After adding this patch, the BT power save feature can
+work well.
+
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Link: https://lore.kernel.org/r/20221214031137.28815-2-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 069d02354c825..6ea1d23623e51 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1195,12 +1195,32 @@ static void lpuart_break_ctl(struct uart_port *port, int break_state)
+
+ static void lpuart32_break_ctl(struct uart_port *port, int break_state)
+ {
+- unsigned long temp;
++ unsigned long temp, modem;
++ struct tty_struct *tty;
++ unsigned int cflag = 0;
++
++ tty = tty_port_tty_get(&port->state->port);
++ if (tty) {
++ cflag = tty->termios.c_cflag;
++ tty_kref_put(tty);
++ }
+
+ temp = lpuart32_read(port, UARTCTRL) & ~UARTCTRL_SBK;
++ modem = lpuart32_read(port, UARTMODIR);
+
+- if (break_state != 0)
++ if (break_state != 0) {
+ temp |= UARTCTRL_SBK;
++ /*
++ * LPUART CTS has higher priority than SBK, need to disable CTS before
++ * asserting SBK to avoid any interference if flow control is enabled.
++ */
++ if (cflag & CRTSCTS && modem & UARTMODIR_TXCTSE)
++ lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR);
++ } else {
++ /* Re-enable the CTS when break off. */
++ if (cflag & CRTSCTS && !(modem & UARTMODIR_TXCTSE))
++ lpuart32_write(port, modem | UARTMODIR_TXCTSE, UARTMODIR);
++ }
+
+ lpuart32_write(port, temp, UARTCTRL);
+ }
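Review bot: The break-off branch sets `UARTMODIR_TXCTSE` whenever `CRTSCTS` is set in the termios flags and the bit is clear, without knowing whether the break-on branch was what cleared it. If the driver ever leaves TXCTSE off with CRTSCTS set for another reason (decided outside this hunk), ending a break would turn CTS gating on unexpectedly; remembering the decision, or at least a comment such as `/* assumes TXCTSE is always on while CRTSCTS is set */`, would make the assumption explicit. The read-modify-write of UARTMODIR also happens with no lock taken in this function, so it is worth confirming that no other path updates that register concurrently. The mixed `&`/`&&` conditions would read more safely as `(cflag & CRTSCTS) && (modem & UARTMODIR_TXCTSE)`.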
+--
+2.39.2
+
--- /dev/null
+From 625d9347aa3bd37883dc15c321e8c5ad8ec0e803 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 10:14:44 -0500
+Subject: ubi: ensure that VID header offset + VID header size <= alloc, size
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+[ Upstream commit 1b42b1a36fc946f0d7088425b90d491b4257ca3e ]
+
+Ensure that the VID header offset + VID header size does not exceed
+the allocated area to avoid slab OOB.
+
+BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
+BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
+BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
+Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555
+
+CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G W
+6.0.0-1868 #1
+Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
+04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:317 [inline]
+ print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
+ kasan_report+0xa7/0x11b mm/kasan/report.c:495
+ crc32_body lib/crc32.c:111 [inline]
+ crc32_le_generic lib/crc32.c:179 [inline]
+ crc32_le_base+0x58c/0x626 lib/crc32.c:197
+ ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
+ create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
+ create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
+ ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
+ ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
+ ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
+ ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0x0
+RIP: 0033:0x7f96d5cf753d
+Code:
+RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
+RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
+RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
+R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 1555:
+ kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:45 [inline]
+ set_alloc_info mm/kasan/common.c:437 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:516 [inline]
+ __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
+ kasan_kmalloc include/linux/kasan.h:234 [inline]
+ __kmalloc+0x138/0x257 mm/slub.c:4429
+ kmalloc include/linux/slab.h:605 [inline]
+ ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
+ create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
+ create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
+ ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
+ ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
+ ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
+ ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0x0
+
+The buggy address belongs to the object at ffff88802bb36e00
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 0 bytes to the right of
+ 256-byte region [ffff88802bb36e00, ffff88802bb36f00)
+
+The buggy address belongs to the physical page:
+page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000
+index:0x0 pfn:0x2bb36
+head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
+flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/build.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index 1ea3a4977c618..bb3a87cbebf5e 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -656,6 +656,12 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024)
+ ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size);
+ ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size);
+
++ if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) >
++ ubi->vid_hdr_alsize)) {
++ ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset);
++ return -EINVAL;
++ }
++
+ dbg_gen("min_io_size %d", ubi->min_io_size);
+ dbg_gen("max_write_size %d", ubi->max_write_size);
+ dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size);
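Review bot: The added check compares the absolute `ubi->vid_hdr_offset` with `ubi->vid_hdr_alsize`, but the hunk does not show that the VID header is placed in its buffer at that absolute offset. io_init() continues outside the hunk; if the in-buffer position is derived there from the offset relative to an aligned start (the `vid_hdr_shift` value, as far as I can tell), this test rejects layouts whose offset lies at or beyond one aligned I/O unit even though the header fits. In that case the bound belongs after that computation, as `if (ubi->vid_hdr_shift + UBI_VID_HDR_SIZE > ubi->vid_hdr_alsize)`. The offset appears to come from the attach ioctl shown in the trace, so it is also worth confirming that a negative value is rejected before this point, because this condition does not catch it.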
+--
+2.39.2
+
--- /dev/null
+From 25d336c16d7513ff60da9ec282dd4df07d0b55aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 18:26:24 +0800
+Subject: ubi: Fix possible null-ptr-deref in ubi_free_volume()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit c15859bfd326c10230f09cb48a17f8a35f190342 ]
+
+It willl cause null-ptr-deref in the following case:
+
+uif_init()
+ ubi_add_volume()
+ cdev_add() -> if it fails, call kill_volumes()
+ device_register()
+
+kill_volumes() -> if ubi_add_volume() fails call this function
+ ubi_free_volume()
+ cdev_del()
+ device_unregister() -> trying to delete a not added device,
+ it causes null-ptr-deref
+
+So in ubi_free_volume(), it delete devices whether they are added
+or not, it will causes null-ptr-deref.
+
+Handle the error case whlie calling ubi_add_volume() to fix this
+problem. If add volume fails, set the corresponding vol to null,
+so it can not be accessed in kill_volumes() and release the
+resource in ubi_add_volume() error path.
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Suggested-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/build.c | 1 +
+ drivers/mtd/ubi/vmt.c | 12 ++++++------
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index bb3a87cbebf5e..3d0241f8f3ec7 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -480,6 +480,7 @@ static int uif_init(struct ubi_device *ubi)
+ err = ubi_add_volume(ubi, ubi->volumes[i]);
+ if (err) {
+ ubi_err(ubi, "cannot add volume %d", i);
++ ubi->volumes[i] = NULL;
+ goto out_volumes;
+ }
+ }
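Review bot: `ubi->volumes[i] = NULL` drops the only pointer to the volume visible here without freeing it, so it is correct only because ubi_add_volume() now releases `vol` on each of its failure paths (the vmt.c hunks of this patch). That ownership hand-over is not stated anywhere in the hunk; a comment such as `/* ubi_add_volume() already released the volume */` above the assignment would keep a later error path in ubi_add_volume() from turning this into a leak or a double free. The `out_volumes` cleanup is outside the hunk and has to tolerate the NULL slot.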
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 405cc5289d89f..c5dec58846ce8 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -595,6 +595,7 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol)
+ if (err) {
+ ubi_err(ubi, "cannot add character device for volume %d, error %d",
+ vol_id, err);
++ vol_release(&vol->dev);
+ return err;
+ }
+
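Review bot: Calling `vol_release(&vol->dev)` directly, rather than going through `put_device()`, deserves a comment: it is presumably done because the device has not been initialised yet when cdev_add() fails (device_register() only runs in the next hunk), but nothing on these lines says so. Something like `/* device not registered yet, free vol directly */` would do. Both failure paths of ubi_add_volume() now free `vol`, so the function's header comment (outside the hunk) should state that the caller must not touch the volume after an error.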
+@@ -605,15 +606,14 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol)
+ vol->dev.groups = volume_dev_groups;
+ dev_set_name(&vol->dev, "%s_%d", ubi->ubi_name, vol->vol_id);
+ err = device_register(&vol->dev);
+- if (err)
+- goto out_cdev;
++ if (err) {
++ cdev_del(&vol->cdev);
++ put_device(&vol->dev);
++ return err;
++ }
+
+ self_check_volumes(ubi);
+ return err;
+-
+-out_cdev:
+- cdev_del(&vol->cdev);
+- return err;
+ }
+
+ /**
+--
+2.39.2
+
--- /dev/null
+From ab1fd03e7b11449cf0c62f91a08faf26c4caae2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Jul 2022 19:28:37 +0800
+Subject: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit a240bc5c43130c6aa50831d7caaa02a1d84e1bce ]
+
+Wear-leveling entry could be freed in error path, which may be accessed
+again in eraseblk_count_seq_show(), for example:
+
+__erase_worker eraseblk_count_seq_show
+ wl = ubi->lookuptbl[*block_number]
+ if (wl)
+ wl_entry_destroy
+ ubi->lookuptbl[e->pnum] = NULL
+ kmem_cache_free(ubi_wl_entry_slab, e)
+ erase_count = wl->ec // UAF!
+
+Wear-leveling entry updating/accessing in ubi->lookuptbl should be
+protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
+wl entry accessing between wl_entry_destroy() and
+eraseblk_count_seq_show().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305
+Fixes: 7bccd12d27b7e3 ("ubi: Add debugfs file for tracking PEB state")
+Fixes: 801c135ce73d5d ("UBI: Unsorted Block Images")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/wl.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index ac336164f6253..f1142a2d8bd22 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -865,8 +865,11 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+
+ err = do_sync_erase(ubi, e1, vol_id, lnum, 0);
+ if (err) {
+- if (e2)
++ if (e2) {
++ spin_lock(&ubi->wl_lock);
+ wl_entry_destroy(ubi, e2);
++ spin_unlock(&ubi->wl_lock);
++ }
+ goto out_ro;
+ }
+
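Review bot: wl_entry_destroy() now depends on its callers holding `ubi->wl_lock`, and that rule is enforced only by hand at the three call sites in this hunk and the next one. The function body is outside the diff; adding `lockdep_assert_held(&ubi->wl_lock);` at its top would catch a call site that is missed or added later. If teardown paths call it unlocked by design, the header comment should instead say which callers are exempt and why.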
+@@ -1096,14 +1099,18 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk)
+ /* Re-schedule the LEB for erasure */
+ err1 = schedule_erase(ubi, e, vol_id, lnum, 0, false);
+ if (err1) {
++ spin_lock(&ubi->wl_lock);
+ wl_entry_destroy(ubi, e);
++ spin_unlock(&ubi->wl_lock);
+ err = err1;
+ goto out_ro;
+ }
+ return err;
+ }
+
++ spin_lock(&ubi->wl_lock);
+ wl_entry_destroy(ubi, e);
++ spin_unlock(&ubi->wl_lock);
+ if (err != -EIO)
+ /*
+ * If this is not %-EIO, we have no idea what to do. Scheduling
+--
+2.39.2
+
--- /dev/null
+From f5196622680cdb6d10d3821ba039f33eecdff6c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 18:21:57 +0800
+Subject: ubi: Fix unreferenced object reported by kmemleak in
+ ubi_resize_volume()
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 1e591ea072df7211f64542a09482b5f81cb3ad27 ]
+
+There is a memory leaks problem reported by kmemleak:
+
+unreferenced object 0xffff888102007a00 (size 128):
+ comm "ubirsvol", pid 32090, jiffies 4298464136 (age 2361.231s)
+ hex dump (first 32 bytes):
+ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
+ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
+ backtrace:
+[<ffffffff8176cecd>] __kmalloc+0x4d/0x150
+[<ffffffffa02a9a36>] ubi_eba_create_table+0x76/0x170 [ubi]
+[<ffffffffa029764e>] ubi_resize_volume+0x1be/0xbc0 [ubi]
+[<ffffffffa02a3321>] ubi_cdev_ioctl+0x701/0x1850 [ubi]
+[<ffffffff81975d2d>] __x64_sys_ioctl+0x11d/0x170
+[<ffffffff83c142a5>] do_syscall_64+0x35/0x80
+[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+This is due to a mismatch between create and destroy interfaces, and
+in detail that "new_eba_tbl" created by ubi_eba_create_table() but
+destroyed by kfree(), while will causing "new_eba_tbl->entries" not
+freed.
+
+Fix it by replacing kfree(new_eba_tbl) with
+ubi_eba_destroy_table(new_eba_tbl)
+
+Fixes: 799dca34ac54 ("UBI: hide EBA internals")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/vmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 525aa795f934d..405cc5289d89f 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -528,7 +528,7 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ return err;
+
+ out_free:
+- kfree(new_eba_tbl);
++ ubi_eba_destroy_table(new_eba_tbl);
+ return err;
+ }
+
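Review bot: `kfree()` accepted a NULL pointer, so the `out_free` label was safe however it was reached; `ubi_eba_destroy_table()` is defined outside this diff and may not be. If any `goto out_free` can run with `new_eba_tbl` still NULL, the helper needs a NULL check or the call needs a guard, `if (new_eba_tbl) ubi_eba_destroy_table(new_eba_tbl);`. The label sits at the end of ubi_resize_volume(), whose body starts outside the hunk.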
+--
+2.39.2
+
--- /dev/null
+From 491993dee82ef685ad3846ff66594e623d680258 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 18:21:56 +0800
+Subject: ubi: Fix use-after-free when volume resizing failed
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 9af31d6ec1a4be4caab2550096c6bd2ba8fba472 ]
+
+There is an use-after-free problem reported by KASAN:
+ ==================================================================
+ BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
+ Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735
+
+ CPU: 2 PID: 4735 Comm: ubirsvol
+ Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+ BIOS 1.14.0-1.fc33 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x44
+ print_report+0x171/0x472
+ kasan_report+0xad/0x130
+ ubi_eba_copy_table+0x11f/0x1c0 [ubi]
+ ubi_resize_volume+0x4f9/0xbc0 [ubi]
+ ubi_cdev_ioctl+0x701/0x1850 [ubi]
+ __x64_sys_ioctl+0x11d/0x170
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+ </TASK>
+
+When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
+"new_eba_tbl" will be freed on error handing path, but it is holded
+by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle
+of "vol->eba_tbl" and "vol" are different, so when resizing volume in
+next time, it causing an use-after-free fault.
+
+Fix it by not freeing "new_eba_tbl" after it replaced in
+ubi_eba_replace_table(), while will be freed in next volume resizing.
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/vmt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 9f6ffd340a3ef..525aa795f934d 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -477,7 +477,7 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ for (i = 0; i < -pebs; i++) {
+ err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i);
+ if (err)
+- goto out_acc;
++ goto out_free;
+ }
+ spin_lock(&ubi->volumes_lock);
+ ubi->rsvd_pebs += pebs;
+@@ -525,6 +525,8 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs)
+ ubi->avail_pebs += pebs;
+ spin_unlock(&ubi->volumes_lock);
+ }
++ return err;
++
+ out_free:
+ kfree(new_eba_tbl);
+ return err;
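Review bot: The added `return err;` is what keeps the `out_acc` path from falling through into `kfree(new_eba_tbl)`, but nothing on these lines says why the table must not be freed there. A comment above it, e.g. `/* new_eba_tbl may already be installed in vol->eba_tbl: do not free it */`, would stop someone from merging the two exits again. ubi_resize_volume() starts outside the hunk; if any jump to `out_acc` can happen before the table is replaced, that path now leaks `new_eba_tbl` and should go to `out_free` instead.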
+--
+2.39.2
+
--- /dev/null
+From aafcc1155cb88a7cf9ee79b10fcbbb050b499607 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jun 2022 14:59:04 +0800
+Subject: ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 4d57a7333e26040f2b583983e1970d9d460e56b0 ]
+
+Following process will trigger an infinite loop in ubi_wl_put_peb():
+
+ ubifs_bgt ubi_bgt
+ubifs_leb_unmap
+ ubi_leb_unmap
+ ubi_eba_unmap_leb
+ ubi_wl_put_peb wear_leveling_worker
+ e1 = rb_entry(rb_first(&ubi->used)
+ e2 = get_peb_for_wl(ubi)
+ ubi_io_read_vid_hdr // return err (flash fault)
+ out_error:
+ ubi->move_from = ubi->move_to = NULL
+ wl_entry_destroy(ubi, e1)
+ ubi->lookuptbl[e->pnum] = NULL
+ retry:
+ e = ubi->lookuptbl[pnum]; // return NULL
+ if (e == ubi->move_from) { // NULL == NULL gets true
+ goto retry; // infinite loop !!!
+
+$ top
+ PID USER PR NI VIRT RES SHR S %CPU %MEM COMMAND
+ 7676 root 20 0 0 0 0 R 100.0 0.0 ubifs_bgt0_0
+
+Fix it by:
+ 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has
+ been removed from 'ubi->lookuptbl'.
+ 2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an
+ use-after-free problem for wl entry in ubi_wl_put_peb().
+
+Fetch a reproducer in [Link].
+
+Fixes: 43f9b25a9cdd7b1 ("UBI: bugfix: protect from volume removal")
+Fixes: ee59ba8b064f692 ("UBI: Fix stale pointers in ubi->lookuptbl")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216111
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/wl.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index f1142a2d8bd22..7f0847ee53f28 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -951,11 +951,11 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
+ spin_lock(&ubi->wl_lock);
+ ubi->move_from = ubi->move_to = NULL;
+ ubi->move_to_put = ubi->wl_scheduled = 0;
++ wl_entry_destroy(ubi, e1);
++ wl_entry_destroy(ubi, e2);
+ spin_unlock(&ubi->wl_lock);
+
+ ubi_free_vid_buf(vidb);
+- wl_entry_destroy(ubi, e1);
+- wl_entry_destroy(ubi, e2);
+
+ out_ro:
+ ubi_ro_mode(ubi);
+@@ -1226,6 +1226,18 @@ int ubi_wl_put_peb(struct ubi_device *ubi, int vol_id, int lnum,
+ retry:
+ spin_lock(&ubi->wl_lock);
+ e = ubi->lookuptbl[pnum];
++ if (!e) {
++ /*
++ * This wl entry has been removed for some errors by other
++ * process (eg. wear leveling worker), corresponding process
++ * (except __erase_worker, which cannot concurrent with
++ * ubi_wl_put_peb) will set ubi ro_mode at the same time,
++ * just ignore this wl entry.
++ */
++ spin_unlock(&ubi->wl_lock);
++ up_read(&ubi->fm_protect);
++ return 0;
++ }
+ if (e == ubi->move_from) {
+ /*
+ * User is putting the physical eraseblock which was selected to
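Review bot: The comment in the new `if (!e)` branch says the process that removed the entry sets read-only mode "at the same time", but in the first hunk of this patch wear_leveling_worker() destroys the entries under `wl_lock` and only reaches `ubi_ro_mode(ubi)` after dropping it. ubi_wl_put_peb() can therefore return 0 here before read-only mode is set, and the comment should say so, for instance `/* entry already destroyed by a failed worker, which will switch UBI to RO mode; nothing left to put */`. The early return also repeats the unlock and `up_read(&ubi->fm_protect)` sequence by hand; the matching `down_read()` is outside the hunk, so this exit has to be kept in step with it.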
+--
+2.39.2
+
--- /dev/null
+From 065fe6849113d243a9599eda67b110e4d478dc58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:02:36 +0800
+Subject: ubifs: dirty_cow_znode: Fix memleak in error handling path
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 122deabfe1428bffe95e2bf364ff8a5059bdf089 ]
+
+Following process will cause a memleak for copied up znode:
+
+dirty_cow_znode
+ zn = copy_znode(c, znode);
+ err = insert_old_idx(c, zbr->lnum, zbr->offs);
+ if (unlikely(err))
+ return ERR_PTR(err); // No one refers to zn.
+
+Fix it by adding copied znode back to tnc, then it will be freed
+by ubifs_destroy_tnc_subtree() while closing tnc.
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216705
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/tnc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
+index 2073aa706c831..4665c4d7d76ac 100644
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -279,11 +279,18 @@ static struct ubifs_znode *dirty_cow_znode(struct ubifs_info *c,
+ if (zbr->len) {
+ err = insert_old_idx(c, zbr->lnum, zbr->offs);
+ if (unlikely(err))
+- return ERR_PTR(err);
++ /*
++ * Obsolete znodes will be freed by tnc_destroy_cnext()
++ * or free_obsolete_znodes(), copied up znodes should
++ * be added back to tnc and freed by
++ * ubifs_destroy_tnc_subtree().
++ */
++ goto out;
+ err = add_idx_dirt(c, zbr->lnum, zbr->len);
+ } else
+ err = 0;
+
++out:
+ zbr->znode = zn;
+ zbr->lnum = 0;
+ zbr->offs = 0;
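Review bot: The `if (unlikely(err))` now has a seven-line body (a block comment plus `goto out;`) without braces, immediately followed by `err = add_idx_dirt(...)`, which is easy to misread as part of the branch. Wrapping it as `if (unlikely(err)) { /* ... */ goto out; }` removes the ambiguity. The error path also now resets `zbr->lnum` and `zbr->offs` before the error is returned; the return itself is outside the hunk, so it is worth confirming that callers never rely on the old position after a failure.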
+--
+2.39.2
+
--- /dev/null
+From 8ab641cd8c736ae61963cf5db5da3f29fb9a26e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:31 +0800
+Subject: ubifs: do_rename: Fix wrong space budget when target inode's nlink >
+ 1
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 25fce616a61fc2f1821e4a9ce212d0e064707093 ]
+
+If target inode is a special file (eg. block/char device) with nlink
+count greater than 1, the inode with ui->data will be re-written on
+disk. However, UBIFS losts target inode's data_len while doing space
+budget. Bad space budget may let make_reservation() return with -ENOSPC,
+which could turn ubifs to read-only mode in do_writepage() process.
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216494
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/dir.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 89c5c2abc0faf..3b93b14e00412 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1309,9 +1309,13 @@ static int do_rename(struct inode *old_dir, struct dentry *old_dentry,
+ old_dentry, old_inode->i_ino, old_dir->i_ino,
+ new_dentry, new_dir->i_ino, flags);
+
+- if (unlink)
++ if (unlink) {
+ ubifs_assert(c, inode_is_locked(new_inode));
+
++ /* Budget for old inode's data when its nlink > 1. */
++ req.dirtied_ino_d = ALIGN(ubifs_inode(new_inode)->data_len, 8);
++ }
++
+ if (unlink && is_dir) {
+ err = ubifs_check_dir_empty(new_inode);
+ if (err)
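Review bot: The comment `/* Budget for old inode's data when its nlink > 1. */` does not match the statement under it: the assignment reads `new_inode` (the rename target, per the commit message), and it runs whenever `unlink` is set, with no test of the link count. Rewording it to `/* Budget for the target inode's data, which is rewritten if it keeps other links */` would avoid sending a reader to the wrong inode. `req` is initialised outside the hunk, so whether this plain assignment overwrites an earlier `dirtied_ino_d` value cannot be checked from here.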
+--
+2.39.2
+
--- /dev/null
+From dac04b701c8bef36f0b2e52ed94ca0c7d3fa2284 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:30 +0800
+Subject: ubifs: Fix wrong dirty space budget for dirty inode
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit b248eaf049d9cdc5eb76b59399e4d3de233f02ac ]
+
+Each dirty inode should reserve 'c->bi.inode_budget' bytes in space
+budget calculation. Currently, space budget for dirty inode reports
+more space than what UBIFS actually needs to write.
+
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/budget.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c
+index 7ef22baf9d150..2971a2c140d57 100644
+--- a/fs/ubifs/budget.c
++++ b/fs/ubifs/budget.c
+@@ -415,7 +415,7 @@ static int calc_dd_growth(const struct ubifs_info *c,
+ dd_growth = req->dirtied_page ? c->bi.page_budget : 0;
+
+ if (req->dirtied_ino)
+- dd_growth += c->bi.inode_budget << (req->dirtied_ino - 1);
++ dd_growth += c->bi.inode_budget * req->dirtied_ino;
+ if (req->mod_dent)
+ dd_growth += c->bi.dent_budget;
+ dd_growth += req->dirtied_ino_d;
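Review bot: With the shift replaced by a multiplication, the `if (req->dirtied_ino)` guard no longer changes the result, since a zero count contributes zero. It can be dropped so that `dd_growth += c->bi.inode_budget * req->dirtied_ino;` runs unconditionally, matching the unguarded `dd_growth += req->dirtied_ino_d;` below. The operand types are declared outside the hunk; if the count can be large, the product should be computed in the width of `dd_growth`.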
+--
+2.39.2
+
--- /dev/null
+From a90e8197ce95f861b351ec9ddb96b12ee7f07134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:02:35 +0800
+Subject: ubifs: Re-statistic cleaned znode count if commit failed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 944e096aa24071d3fe22822f6249d3ae309e39ea ]
+
+Dirty znodes will be written on flash in committing process with
+following states:
+
+ process A | znode state
+------------------------------------------------------
+do_commit | DIRTY_ZNODE
+ ubifs_tnc_start_commit | DIRTY_ZNODE
+ get_znodes_to_commit | DIRTY_ZNODE | COW_ZNODE
+ layout_commit | DIRTY_ZNODE | COW_ZNODE
+ fill_gap | 0
+ write master | 0 or OBSOLETE_ZNODE
+
+ process B | znode state
+------------------------------------------------------
+do_commit | DIRTY_ZNODE[1]
+ ubifs_tnc_start_commit | DIRTY_ZNODE
+ get_znodes_to_commit | DIRTY_ZNODE | COW_ZNODE
+ ubifs_tnc_end_commit | DIRTY_ZNODE | COW_ZNODE
+ write_index | 0
+ write master | 0 or OBSOLETE_ZNODE[2] or
+ | DIRTY_ZNODE[3]
+
+[1] znode is dirtied without concurrent committing process
+[2] znode is copied up (re-dirtied by other process) before cleaned
+ up in committing process
+[3] znode is re-dirtied after cleaned up in committing process
+
+Currently, the clean znode count is updated in free_obsolete_znodes(),
+which is called only in normal path. If do_commit failed, clean znode
+count won't be updated, which triggers a failure ubifs assertion[4] in
+ubifs_tnc_close():
+ ubifs_assert_failed [ubifs]: UBIFS assert failed: freed == n
+
+[4] Commit 380347e9ca7682 ("UBIFS: Add an assertion for clean_zn_cnt").
+
+Fix it by re-statisticing cleaned znode count in tnc_destroy_cnext().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216704
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/tnc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
+index f15ac37956e7a..2073aa706c831 100644
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -3046,6 +3046,21 @@ static void tnc_destroy_cnext(struct ubifs_info *c)
+ cnext = cnext->cnext;
+ if (ubifs_zn_obsolete(znode))
+ kfree(znode);
++ else if (!ubifs_zn_cow(znode)) {
++ /*
++ * Don't forget to update clean znode count after
++ * committing failed, because ubifs will check this
++ * count while closing tnc. Non-obsolete znode could
++ * be re-dirtied during committing process, so dirty
++ * flag is untrustable. The flag 'COW_ZNODE' is set
++ * for each dirty znode before committing, and it is
++ * cleared as long as the znode become clean, so we
++ * can statistic clean znode count according to this
++ * flag.
++ */
++ atomic_long_inc(&c->clean_zn_cnt);
++ atomic_long_inc(&ubifs_clean_zn_cnt);
++ }
+ } while (cnext && cnext != c->cnext);
+ }
+
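Review bot: The new `else if (!ubifs_zn_cow(znode)) { ... }` arm is braced while the `kfree(znode);` arm before it is not; kernel style asks for braces on both arms once one of them needs them. The counters are also incremented for every listed znode that is neither obsolete nor COW, which is correct only if `COW_ZNODE` is cleared exactly where a znode becomes clean and this loop never runs after a commit that already counted them. That code is outside the hunk, so naming the function that clears the flag in the comment would make the invariant checkable.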
+--
+2.39.2
+
--- /dev/null
+From 7bcc5a24d68f64f68e31b24c2fdb766d123b6098 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:27 +0800
+Subject: ubifs: Rectify space budget for ubifs_symlink() if symlink is
+ encrypted
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit c2c36cc6ca23e614f9e4238d0ecf48549ee9002a ]
+
+Fix bad space budget when symlink file is encrypted. Bad space budget
+may let make_reservation() return with -ENOSPC, which could turn ubifs
+to read-only mode in do_writepage() process.
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216490
+Fixes: ca7f85be8d6cf9 ("ubifs: Add support for encrypted symlinks")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 111905ddbfc2e..f054c12a0f939 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1141,7 +1141,6 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+ int err, sz_change, len = strlen(symname);
+ struct fscrypt_str disk_link;
+ struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
+- .new_ino_d = ALIGN(len, 8),
+ .dirtied_ino = 1 };
+ struct fscrypt_name nm;
+
+@@ -1157,6 +1156,7 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+ * Budget request settings: new inode, new direntry and changing parent
+ * directory inode.
+ */
++ req.new_ino_d = ALIGN(disk_link.len - 1, 8);
+ err = ubifs_budget_space(c, &req);
+ if (err)
+ return err;
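Review bot: `disk_link.len - 1` carries two unstated assumptions: that the length filled in by the preparation step between the two hunks includes a trailing NUL, and that it is never zero. Neither is visible here; if `len` is unsigned and could be 0, the subtraction wraps and `ALIGN()` yields a huge budget request. A comment such as `/* disk_link.len counts the terminating NUL */` above the assignment would document the first, and the code that fills `disk_link` should be checked for the second.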
+--
+2.39.2
+
--- /dev/null
+From 5cda6440ce8699c1e1b268540f5da10e009acf01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:28 +0800
+Subject: ubifs: Rectify space budget for ubifs_xrename()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 1b2ba09060e41adb356b9ae58ef94a7390928004 ]
+
+There is no space budget for ubifs_xrename(). It may let
+make_reservation() return with -ENOSPC, which could turn
+ubifs to read-only mode in do_writepage() process.
+Fix it by adding space budget for ubifs_xrename().
+
+Fetch a reproducer in [Link].
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216569
+Fixes: 9ec64962afb170 ("ubifs: Implement RENAME_EXCHANGE")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/dir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index f054c12a0f939..89c5c2abc0faf 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1549,6 +1549,10 @@ static int ubifs_xrename(struct inode *old_dir, struct dentry *old_dentry,
+ return err;
+ }
+
++ err = ubifs_budget_space(c, &req);
++ if (err)
++ goto out;
++
+ lock_4_inodes(old_dir, new_dir, NULL, NULL);
+
+ time = current_time(old_dir);
+@@ -1574,6 +1578,7 @@ static int ubifs_xrename(struct inode *old_dir, struct dentry *old_dentry,
+ unlock_4_inodes(old_dir, new_dir, NULL, NULL);
+ ubifs_release_budget(c, &req);
+
++out:
+ fscrypt_free_filename(&fst_nm);
+ fscrypt_free_filename(&snd_nm);
+ return err;
+--
+2.39.2
+
--- /dev/null
+From a92474be82ce8fb91976c53db549ffb29ebf046b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 11:47:32 +0800
+Subject: ubifs: Reserve one leb for each journal head while doing budget
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit e874dcde1cbf82c786c0e7f2899811c02630cc52 ]
+
+UBIFS calculates available space by c->main_bytes - c->lst.total_used
+(which means non-index lebs' free and dirty space is accounted into
+total available), then index lebs and four lebs (one for gc_lnum, one
+for deletions, two for journal heads) are deducted.
+In following situation, ubifs may get -ENOSPC from make_reservation():
+ LEB 84: DATAHD free 122880 used 1920 dirty 2176 dark 6144
+ LEB 110:DELETION free 126976 used 0 dirty 0 dark 6144 (empty)
+ LEB 201:gc_lnum free 126976 used 0 dirty 0 dark 6144
+ LEB 272:GCHD free 77824 used 47672 dirty 1480 dark 6144
+ LEB 356:BASEHD free 0 used 39776 dirty 87200 dark 6144
+ OTHERS: index lebs, zero-available non-index lebs
+
+UBIFS calculates the available bytes is 6888 (How to calculate it:
+126976 * 5[remain main bytes] - 1920[used] - 47672[used] - 39776[used] -
+126976 * 1[deletions] - 126976 * 1[gc_lnum] - 126976 * 2[journal heads]
+- 6144 * 5[dark] = 6888) after doing budget, however UBIFS cannot use
+BASEHD's dirty space(87200), because UBIFS cannot find next BASEHD to
+reclaim current BASEHD. (c->bi.min_idx_lebs equals to c->lst.idx_lebs,
+the empty leb won't be found by ubifs_find_free_space(), and dirty index
+lebs won't be picked as gced lebs. All non-index lebs have dirty space
+less than c->dead_wm, so non-index lebs won't be picked as gced lebs
+either. So new free lebs won't be produced.). See more details in Link.
+
+To fix it, reserve one leb for each journal head while doing budget.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216562
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/budget.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c
+index 2971a2c140d57..30c7bd63c2ad1 100644
+--- a/fs/ubifs/budget.c
++++ b/fs/ubifs/budget.c
+@@ -224,11 +224,10 @@ long long ubifs_calc_available(const struct ubifs_info *c, int min_idx_lebs)
+ subtract_lebs += 1;
+
+ /*
+- * The GC journal head LEB is not really accessible. And since
+- * different write types go to different heads, we may count only on
+- * one head's space.
++ * Since different write types go to different heads, we should
++ * reserve one leb for each head.
+ */
+- subtract_lebs += c->jhead_cnt - 1;
++ subtract_lebs += c->jhead_cnt;
+
+ /* We also reserve one LEB for deletions, which bypass budgeting */
+ subtract_lebs += 1;
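Review bot: The rewritten comment above `subtract_lebs += c->jhead_cnt;` says one LEB is reserved per head but drops the reason, so a later reader could "optimise" it back to `jhead_cnt - 1`. The commit message gives the reason: a head whose current LEB holds only dirty space cannot be reclaimed unless another LEB is available for that head. I would record that in the comment, e.g. `* A head can only reclaim its dirty space by moving to another LEB, so reserve one LEB for each journal head.`, and spell it `LEB` as the neighbouring comment on deletions does. ubifs_calc_available() starts and ends outside the hunk.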
+--
+2.39.2
+
--- /dev/null
+From cdd57f6c0869f6dfe0f0c6ec1c26611c980439c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jun 2022 10:59:59 +0800
+Subject: ubifs: ubifs_writepage: Mark page dirty after writing inode failed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit fb8bc4c74ae4526d9489362ab2793a936d072b84 ]
+
+There are two states for ubifs writing pages:
+1. Dirty, Private
+2. Not Dirty, Not Private
+
+There is a third possibility which maybe related to [1] that page is
+private but not dirty caused by following process:
+
+ PA
+lock(page)
+ubifs_write_end
+ attach_page_private // set Private
+ __set_page_dirty_nobuffers // set Dirty
+unlock(page)
+
+write_cache_pages
+ lock(page)
+ clear_page_dirty_for_io(page) // clear Dirty
+ ubifs_writepage
+ write_inode
+ // fail, goto out, following codes are not executed
+ // do_writepage
+ // set_page_writeback // set Writeback
+ // detach_page_private // clear Private
+ // end_page_writeback // clear Writeback
+ out:
+ unlock(page) // Private, Not Dirty
+
+ PB
+ ksys_fadvise64_64
+ generic_fadvise
+ invalidate_inode_page
+ // page is neither Dirty nor Writeback
+ invalidate_complete_page
+ // page_has_private is true
+ try_to_release_page
+ ubifs_releasepage
+ ubifs_assert(c, 0) !!!
+
+Then we may get following assertion failed:
+ UBIFS error (ubi0:0 pid 1492): ubifs_assert_failed [ubifs]:
+ UBIFS assert failed: 0, in fs/ubifs/file.c:1499
+ UBIFS warning (ubi0:0 pid 1492): ubifs_ro_mode [ubifs]:
+ switched to read-only mode, error -22
+ CPU: 2 PID: 1492 Comm: aa Not tainted 5.16.0-rc2-00012-g7bb767dee0ba-dirty
+ Call Trace:
+ dump_stack+0x13/0x1b
+ ubifs_ro_mode+0x54/0x60 [ubifs]
+ ubifs_assert_failed+0x4b/0x80 [ubifs]
+ ubifs_releasepage+0x7e/0x1e0 [ubifs]
+ try_to_release_page+0x57/0xe0
+ invalidate_inode_page+0xfb/0x130
+ invalidate_mapping_pagevec+0x12/0x20
+ generic_fadvise+0x303/0x3c0
+ vfs_fadvise+0x35/0x40
+ ksys_fadvise64_64+0x4c/0xb0
+
+Jump [2] to find a reproducer.
+
+[1] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty
+[2] https://bugzilla.kernel.org/show_bug.cgi?id=215357
+
+Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/file.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
+index 3dbb5ac630e42..ae836e8bb2933 100644
+--- a/fs/ubifs/file.c
++++ b/fs/ubifs/file.c
+@@ -1043,7 +1043,7 @@ static int ubifs_writepage(struct page *page, struct writeback_control *wbc)
+ if (page->index >= synced_i_size >> PAGE_SHIFT) {
+ err = inode->i_sb->s_op->write_inode(inode, NULL);
+ if (err)
+- goto out_unlock;
++ goto out_redirty;
+ /*
+ * The inode has been written, but the write-buffer has
+ * not been synchronized, so in case of an unclean
+@@ -1071,11 +1071,17 @@ static int ubifs_writepage(struct page *page, struct writeback_control *wbc)
+ if (i_size > synced_i_size) {
+ err = inode->i_sb->s_op->write_inode(inode, NULL);
+ if (err)
+- goto out_unlock;
++ goto out_redirty;
+ }
+
+ return do_writepage(page, len);
+-
++out_redirty:
++ /*
++ * redirty_page_for_writepage() won't call ubifs_dirty_inode() because
++ * it passes I_DIRTY_PAGES flag while calling __mark_inode_dirty(), so
++ * there is no need to do space budget for dirty inode.
++ */
++ redirty_page_for_writepage(wbc, page);
+ out_unlock:
+ unlock_page(page);
+ return err;
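Review bot: The comment under `out_redirty:` explains why no budget is needed but not why the page is redirtied, which is the invariant this change protects. Per the commit message, a page left Private but not Dirty reaches the assertion in ubifs_releasepage(); one line such as `/* Keep a Private page Dirty: ubifs_releasepage() asserts on Private-but-clean pages. */` would record that. It is also worth confirming, outside the hunk, that no remaining `goto out_unlock` is taken after the dirty bit was cleared while the page is still Private. A blank line before `out_redirty:` would keep the label apart from `return do_writepage(page, len);`.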
+--
+2.39.2
+
--- /dev/null
+From a9d334cc792fff2e344e9b2843b041279d549706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 15:32:25 +0800
+Subject: um: vector: Fix memory leak in vector_config
+
+From: Xiang Yang <xiangyang3@huawei.com>
+
+[ Upstream commit 8f88c73afe481f93d40801596927e8c0047b6d96 ]
+
+If the return value of the uml_parse_vector_ifspec function is NULL,
+we should call kfree(params) to prevent memory leak.
+
+Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver")
+Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
+Acked-By: Anton Ivanov <anton.ivanov@kot-begemot.co.uk>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/vector_kern.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c
+index 50ee3bb5a63a9..b0b124025b486 100644
+--- a/arch/um/drivers/vector_kern.c
++++ b/arch/um/drivers/vector_kern.c
+@@ -741,6 +741,7 @@ static int vector_config(char *str, char **error_out)
+
+ if (parsed == NULL) {
+ *error_out = "vector_config failed to parse parameters";
++ kfree(params);
+ return -EINVAL;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 0eee0b24d0b085c77b794d16404a6f80e0c647c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Feb 2023 10:35:46 -0800
+Subject: USB: ene_usb6250: Allocate enough memory for full object
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit ce33e64c1788912976b61314b56935abd4bc97ef ]
+
+The allocation of PageBuffer is 512 bytes in size, but the dereferencing
+of struct ms_bootblock_idi (also size 512) happens at a calculated offset
+within the allocation, which means the object could potentially extend
+beyond the end of the allocation. Avoid this case by just allocating
+enough space to catch any accesses beyond the end. Seen with GCC 13:
+
+../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock':
+../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=]
+ 1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
+ | ^~
+../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu'
+ 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
+ | ^
+../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu'
+ 1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF)
+ | ^~~~~~~~~~~
+In file included from ../drivers/usb/storage/ene_ub6250.c:5:
+In function 'kmalloc',
+ inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15:
+../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace'
+ 580 | return kmalloc_trace(
+ | ^~~~~~~~~~~~~~
+ 581 | kmalloc_caches[kmalloc_type(flags)][index],
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 582 | flags, size);
+ | ~~~~~~~~~~~~
+
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/ene_ub6250.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c
+index 54679679c825d..16b63f2cd661e 100644
+--- a/drivers/usb/storage/ene_ub6250.c
++++ b/drivers/usb/storage/ene_ub6250.c
+@@ -937,7 +937,7 @@ static int ms_lib_process_bootblock(struct us_data *us, u16 PhyBlock, u8 *PageDa
+ struct ms_lib_type_extdat ExtraData;
+ struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
+
+- PageBuffer = kmalloc(MS_BYTES_PER_PAGE, GFP_KERNEL);
++ PageBuffer = kzalloc(MS_BYTES_PER_PAGE * 2, GFP_KERNEL);
+ if (PageBuffer == NULL)
+ return (u32)-1;
+
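Review bot: `kzalloc(MS_BYTES_PER_PAGE * 2, GFP_KERNEL)` doubles the buffer with no comment, so the next reader cannot tell that the second page exists only to keep the `struct ms_bootblock_idi` access inside the allocation. A comment such as `/* idi is read at an offset into the page; the second page keeps the 512-byte struct in bounds */` would stop someone shrinking it back. Over-allocating also means any field that falls past the first 512 bytes is read as zero rather than as card data, so if the offset is taken from the medium, a range check before the dereference (outside this hunk) would be the stronger fix. ms_lib_process_bootblock() continues outside the hunk.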
+--
+2.39.2
+
--- /dev/null
+From 7c1a0ff06602af9d92700bc6ff5150bca98f8121 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Feb 2023 10:36:52 -0800
+Subject: usb: host: xhci: mvebu: Iterate over array indexes instead of using
+ pointer math
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 0fbd2cda92cdb00f72080665554a586f88bca821 ]
+
+Walking the dram->cs array was seen as accesses beyond the first array
+item by the compiler. Instead, use the array index directly. This allows
+for run-time bounds checking under CONFIG_UBSAN_BOUNDS as well. Seen
+with GCC 13 with -fstrict-flex-arrays:
+
+In function 'xhci_mvebu_mbus_config',
+ inlined from 'xhci_mvebu_mbus_init_quirk' at ../drivers/usb/host/xhci-mvebu.c:66:2:
+../drivers/usb/host/xhci-mvebu.c:37:28: warning: array subscript 0 is outside array bounds of 'const struct mbus_dram_window[0]' [-Warray-bounds=]
+ 37 | writel(((cs->size - 1) & 0xffff0000) | (cs->mbus_attr << 8) |
+ | ~~^~~~~~
+
+Cc: Mathias Nyman <mathias.nyman@intel.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230204183651.never.663-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mvebu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-mvebu.c b/drivers/usb/host/xhci-mvebu.c
+index 32e1585687885..fc9d6189c310f 100644
+--- a/drivers/usb/host/xhci-mvebu.c
++++ b/drivers/usb/host/xhci-mvebu.c
+@@ -31,7 +31,7 @@ static void xhci_mvebu_mbus_config(void __iomem *base,
+
+ /* Program each DRAM CS in a seperate window */
+ for (win = 0; win < dram->num_cs; win++) {
+- const struct mbus_dram_window *cs = dram->cs + win;
++ const struct mbus_dram_window *cs = &dram->cs[win];
+
+ writel(((cs->size - 1) & 0xffff0000) | (cs->mbus_attr << 8) |
+ (dram->mbus_dram_target_id << 4) | 1,
+--
+2.39.2
+
--- /dev/null
+From 99fc49c46fc137073dd18a438080c608d7b69a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 11:41:37 +0000
+Subject: usb: uvc: Enumerate valid values for color matching
+
+From: Daniel Scally <dan.scally@ideasonboard.com>
+
+[ Upstream commit e16cab9c1596e251761d2bfb5e1467950d616963 ]
+
+The color matching descriptors defined in the UVC Specification
+contain 3 fields with discrete numeric values representing particular
+settings. Enumerate those values so that later code setting them can
+be more readable.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Daniel Scally <dan.scally@ideasonboard.com>
+Link: https://lore.kernel.org/r/20230202114142.300858-2-dan.scally@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/usb/video.h | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/include/uapi/linux/usb/video.h b/include/uapi/linux/usb/video.h
+index ff6cc6cb4227c..0c5087c39a9fe 100644
+--- a/include/uapi/linux/usb/video.h
++++ b/include/uapi/linux/usb/video.h
+@@ -179,6 +179,36 @@
+ #define UVC_CONTROL_CAP_AUTOUPDATE (1 << 3)
+ #define UVC_CONTROL_CAP_ASYNCHRONOUS (1 << 4)
+
++/* 3.9.2.6 Color Matching Descriptor Values */
++enum uvc_color_primaries_values {
++ UVC_COLOR_PRIMARIES_UNSPECIFIED,
++ UVC_COLOR_PRIMARIES_BT_709_SRGB,
++ UVC_COLOR_PRIMARIES_BT_470_2_M,
++ UVC_COLOR_PRIMARIES_BT_470_2_B_G,
++ UVC_COLOR_PRIMARIES_SMPTE_170M,
++ UVC_COLOR_PRIMARIES_SMPTE_240M,
++};
++
++enum uvc_transfer_characteristics_values {
++ UVC_TRANSFER_CHARACTERISTICS_UNSPECIFIED,
++ UVC_TRANSFER_CHARACTERISTICS_BT_709,
++ UVC_TRANSFER_CHARACTERISTICS_BT_470_2_M,
++ UVC_TRANSFER_CHARACTERISTICS_BT_470_2_B_G,
++ UVC_TRANSFER_CHARACTERISTICS_SMPTE_170M,
++ UVC_TRANSFER_CHARACTERISTICS_SMPTE_240M,
++ UVC_TRANSFER_CHARACTERISTICS_LINEAR,
++ UVC_TRANSFER_CHARACTERISTICS_SRGB,
++};
++
++enum uvc_matrix_coefficients {
++ UVC_MATRIX_COEFFICIENTS_UNSPECIFIED,
++ UVC_MATRIX_COEFFICIENTS_BT_709,
++ UVC_MATRIX_COEFFICIENTS_FCC,
++ UVC_MATRIX_COEFFICIENTS_BT_470_2_B_G,
++ UVC_MATRIX_COEFFICIENTS_SMPTE_170M,
++ UVC_MATRIX_COEFFICIENTS_SMPTE_240M,
++};
++
+ /* ------------------------------------------------------------------------
+ * UVC structures
+ */
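Review bot: The three new enums rely on implicit numbering, yet their values are fixed by the UVC specification and this is a uapi header, so an enumerator inserted or reordered later would silently change the value that userspace and descriptors see. I would give every enumerator its explicit value, as sketched below for the first enum, and do the same for the other two. The type names are also inconsistent: two end in `_values` and `uvc_matrix_coefficients` does not.

```c
/* 3.9.2.6 Color Matching Descriptor Values */
enum uvc_color_primaries_values {
	UVC_COLOR_PRIMARIES_UNSPECIFIED = 0,
	UVC_COLOR_PRIMARIES_BT_709_SRGB = 1,
	UVC_COLOR_PRIMARIES_BT_470_2_M = 2,
	UVC_COLOR_PRIMARIES_BT_470_2_B_G = 3,
	UVC_COLOR_PRIMARIES_SMPTE_170M = 4,
	UVC_COLOR_PRIMARIES_SMPTE_240M = 5,
};

/* … same treatment: enum uvc_transfer_characteristics_values (0..7) … */
/* … same treatment: enum uvc_matrix_coefficients (0..5) … */
```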
+--
+2.39.2
+
--- /dev/null
+From 08eb09c61832d4c940ed23a68846e0ba5a3b6a65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 15:21:41 -0500
+Subject: vc_screen: modify vcs_size() handling in vcs_read()
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+[ Upstream commit 46d733d0efc79bc8430d63b57ab88011806d5180 ]
+
+Restore the vcs_size() handling in vcs_read() to what
+it had been in previous version.
+
+Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
+Suggested-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vc_screen.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
+index 5b5e800ab1549..28bc9c70de3ec 100644
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -278,10 +278,8 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
+ */
+ size = vcs_size(inode);
+ if (size < 0) {
+- if (read)
+- break;
+ ret = size;
+- goto unlock_out;
++ break;
+ }
+ if (pos >= size)
+ break;
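Review bot: With `ret = size; break;` the error from vcs_size() is now stored even when some bytes were already copied, so whether the caller sees the partial count or the error depends entirely on code after the loop that this hunk does not show. If that code sets `ret` from `read` when `read` is non-zero, a comment here such as `/* a partial read, if any, is still returned after the loop */` would make the intent clear; if it does not, data already copied to the user buffer would be reported as an error. Leaving by `break` instead of `goto unlock_out` also means any post-loop bookkeeping now runs on this path, which should be checked. vcs_read() starts and ends outside the hunk.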
+--
+2.39.2
+
--- /dev/null
+From c95fdada68c82717687ec2d45f775f3a0919a2b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 17:49:50 +0800
+Subject: watchdog: at91sam9_wdt: use devm_request_irq to avoid missing
+ free_irq() in error path
+
+From: ruanjinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit 07bec0e09c1afbab4c5674fd2341f4f52d594f30 ]
+
+free_irq() is missing in case of error in at91_wdt_init(), use
+devm_request_irq to fix that.
+
+Fixes: 5161b31dc39a ("watchdog: at91sam9_wdt: better watchdog support")
+Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221116094950.3141943-1-ruanjinjie@huawei.com
+[groeck: Adjust multi-line alignment]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/at91sam9_wdt.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/watchdog/at91sam9_wdt.c b/drivers/watchdog/at91sam9_wdt.c
+index f4050a229eb58..aaa3c5a8c4570 100644
+--- a/drivers/watchdog/at91sam9_wdt.c
++++ b/drivers/watchdog/at91sam9_wdt.c
+@@ -206,10 +206,9 @@ static int at91_wdt_init(struct platform_device *pdev, struct at91wdt *wdt)
+ "min heartbeat and max heartbeat might be too close for the system to handle it correctly\n");
+
+ if ((tmp & AT91_WDT_WDFIEN) && wdt->irq) {
+- err = request_irq(wdt->irq, wdt_interrupt,
+- IRQF_SHARED | IRQF_IRQPOLL |
+- IRQF_NO_SUSPEND,
+- pdev->name, wdt);
++ err = devm_request_irq(dev, wdt->irq, wdt_interrupt,
++ IRQF_SHARED | IRQF_IRQPOLL | IRQF_NO_SUSPEND,
++ pdev->name, wdt);
+ if (err)
+ return err;
+ }
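Review bot: `devm_request_irq(dev, ...)` uses `dev`, which is not declared anywhere in the hunk, so this backport only builds if at91_wdt_init() in this branch already has a local such as `struct device *dev = &pdev->dev;`; otherwise pass `&pdev->dev` directly. Because the line is requested with `IRQF_SHARED`, wdt_interrupt() can still be invoked until devres releases the IRQ, which happens after the driver's remove path has run. It is worth confirming that `wdt` is itself device-managed and allocated before this call, so the handler's cookie outlives the IRQ registration. The function starts and ends outside the hunk.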
+--
+2.39.2
+
--- /dev/null
+From d52427ae949380ca951431edcb89e08fc1914bfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 01:27:14 +0000
+Subject: watchdog: Fix kmemleak in watchdog_cdev_register
+
+From: Chen Jun <chenjun102@huawei.com>
+
+[ Upstream commit 13721a2ac66b246f5802ba1b75ad8637e53eeecc ]
+
+kmemleak reports memory leaks in watchdog_dev_register, as follows:
+unreferenced object 0xffff888116233000 (size 2048):
+ comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s)
+ hex dump (first 32 bytes):
+ 80 fa b9 05 81 88 ff ff 08 30 23 16 81 88 ff ff .........0#.....
+ 08 30 23 16 81 88 ff ff 00 00 00 00 00 00 00 00 .0#.............
+ backtrace:
+ [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220
+ [<000000006a389304>] kmalloc_trace+0x21/0x110
+ [<000000008d640eea>] watchdog_dev_register+0x4e/0x780 [watchdog]
+ [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]
+ [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]
+ [<000000001f730178>] 0xffffffffc10880ae
+ [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0
+ [<00000000b98be325>] do_init_module+0x1ca/0x5f0
+ [<0000000046d08e7c>] load_module+0x6133/0x70f0
+ ...
+
+unreferenced object 0xffff888105b9fa80 (size 16):
+ comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s)
+ hex dump (first 16 bytes):
+ 77 61 74 63 68 64 6f 67 31 00 b9 05 81 88 ff ff watchdog1.......
+ backtrace:
+ [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220
+ [<00000000486ab89b>] __kmalloc_node_track_caller+0x44/0x1b0
+ [<000000005a39aab0>] kvasprintf+0xb5/0x140
+ [<0000000024806f85>] kvasprintf_const+0x55/0x180
+ [<000000009276cb7f>] kobject_set_name_vargs+0x56/0x150
+ [<00000000a92e820b>] dev_set_name+0xab/0xe0
+ [<00000000cec812c6>] watchdog_dev_register+0x285/0x780 [watchdog]
+ [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]
+ [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]
+ [<000000001f730178>] 0xffffffffc10880ae
+ [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0
+ [<00000000b98be325>] do_init_module+0x1ca/0x5f0
+ [<0000000046d08e7c>] load_module+0x6133/0x70f0
+ ...
+
+The reason is that put_device is not called if cdev_device_add fails
+and wdd->id != 0.
+
+watchdog_cdev_register
+ wd_data = kzalloc [1]
+ err = dev_set_name [2]
+ ..
+ err = cdev_device_add
+ if (err) {
+ if (wdd->id == 0) { // wdd->id != 0
+ ..
+ }
+ return err; // [1],[2] would be leaked
+
+To fix it, call put_device in all wdd->id cases.
+
+Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221116012714.102066-1-chenjun102@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/watchdog_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
+index 8fe59b7d8eec8..808896c9e1c20 100644
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -989,8 +989,8 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
+ if (wdd->id == 0) {
+ misc_deregister(&watchdog_miscdev);
+ old_wd_data = NULL;
+- put_device(&wd_data->dev);
+ }
++ put_device(&wd_data->dev);
+ return err;
+ }
+
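Review bot: After the now unconditional `put_device(&wd_data->dev);` the object can be released on every failure, not only for id 0, so any pointer to `wd_data` that was published earlier in watchdog_cdev_register() is left dangling. Those assignments are outside the hunk; if `wdd->wd_data` is set before cdev_device_add(), I would clear it on this path with `wdd->wd_data = NULL;` before `return err;`. A short comment such as `/* drop our reference; wd_data is freed by the device release callback */` would also explain why no kfree() appears here, assuming the release callback is what frees it.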
+--
+2.39.2
+
--- /dev/null
+From 937b2c75951d7db3b4f867865a3d0a8f4856509c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 10:07:06 +0800
+Subject: watchdog: pcwd_usb: Fix attempting to access uninitialized memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li Hua <hucool.lihua@huawei.com>
+
+[ Upstream commit 7d06c07c67100fd0f8e6b3ab7145ce789f788117 ]
+
+The stack variables msb and lsb may be used uninitialized in the functions
+usb_pcwd_get_temperature and usb_pcwd_get_timeleft when the USB card does not respond.
+
+The build warning is:
+drivers/watchdog/pcwd_usb.c:336:22: error: ‘lsb’ is used uninitialized in this function [-Werror=uninitialized]
+ *temperature = (lsb * 9 / 5) + 32;
+ ~~~~^~~
+drivers/watchdog/pcwd_usb.c:328:21: note: ‘lsb’ was declared here
+ unsigned char msb, lsb;
+ ^~~
+cc1: all warnings being treated as errors
+scripts/Makefile.build:250: recipe for target 'drivers/watchdog/pcwd_usb.o' failed
+make[3]: *** [drivers/watchdog/pcwd_usb.o] Error 1
+
+Fixes: b7e04f8c61a4 ("mv watchdog tree under drivers")
+Signed-off-by: Li Hua <hucool.lihua@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221116020706.70847-1-hucool.lihua@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/pcwd_usb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c
+index 4d02f26156f9c..b7b9d562da137 100644
+--- a/drivers/watchdog/pcwd_usb.c
++++ b/drivers/watchdog/pcwd_usb.c
+@@ -329,7 +329,8 @@ static int usb_pcwd_set_heartbeat(struct usb_pcwd_private *usb_pcwd, int t)
+ static int usb_pcwd_get_temperature(struct usb_pcwd_private *usb_pcwd,
+ int *temperature)
+ {
+- unsigned char msb, lsb;
++ unsigned char msb = 0x00;
++ unsigned char lsb = 0x00;
+
+ usb_pcwd_send_command(usb_pcwd, CMD_READ_TEMP, &msb, &lsb);
+
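Review bot: Zero-initialising `msb` and `lsb` silences the warning, but the return value of `usb_pcwd_send_command(usb_pcwd, CMD_READ_TEMP, &msb, &lsb);` is still ignored, so when the card does not answer the function goes on to report a value computed from zeros as a real reading. With the formula quoted in the commit message, `(lsb * 9 / 5) + 32`, that is a plausible-looking 32. If usb_pcwd_send_command() signals a missing response through its return value (its definition is outside the hunk), both usb_pcwd_get_temperature() here and usb_pcwd_get_timeleft() in the next hunk should test it and return an error instead. Both function bodies continue past their hunks.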
+@@ -345,7 +346,8 @@ static int usb_pcwd_get_temperature(struct usb_pcwd_private *usb_pcwd,
+ static int usb_pcwd_get_timeleft(struct usb_pcwd_private *usb_pcwd,
+ int *time_left)
+ {
+- unsigned char msb, lsb;
++ unsigned char msb = 0x00;
++ unsigned char lsb = 0x00;
+
+ /* Read the time that's left before rebooting */
+ /* Note: if the board is not yet armed then we will read 0xFFFF */
+--
+2.39.2
+
--- /dev/null
+From 347902db1b403c539a93a9b90c6fddec44398db3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Dec 2022 00:23:38 +0700
+Subject: x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
+
+From: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+
+[ Upstream commit 5541992e512de8c9133110809f767bd1b54ee10d ]
+
+The 'syscall' instruction clobbers '%rcx' and '%r11', but they are not
+listed in the inline Assembly that performs the syscall instruction.
+
+No real bug is found. It wasn't buggy by luck because '%rcx' and '%r11'
+are caller-saved registers, and not used in the functions, and the
+functions are never inlined.
+
+Add them to the clobber list for code correctness.
+
+Fixes: f1c2bb8b9964ed31de988910f8b1cfb586d30091 ("um: implement a x86_64 vDSO")
+Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/um/vdso/um_vdso.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/um/vdso/um_vdso.c b/arch/x86/um/vdso/um_vdso.c
+index 7c441b59d3752..be99ff25c5039 100644
+--- a/arch/x86/um/vdso/um_vdso.c
++++ b/arch/x86/um/vdso/um_vdso.c
+@@ -20,8 +20,10 @@ int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
+ {
+ long ret;
+
+- asm("syscall" : "=a" (ret) :
+- "0" (__NR_clock_gettime), "D" (clock), "S" (ts) : "memory");
++ asm("syscall"
++ : "=a" (ret)
++ : "0" (__NR_clock_gettime), "D" (clock), "S" (ts)
++ : "rcx", "r11", "memory");
+
+ return ret;
+ }
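Review bot: Both statements are plain `asm` with an output operand, which allows the compiler to treat them as a pure function of their inputs and drop or merge them; the `"memory"` clobber on its own is not the documented way to rule that out. Since the clobber list is being corrected anyway, I would write `asm volatile("syscall"` in __vdso_clock_gettime() here and in __vdso_gettimeofday() in the next hunk. `ret` is a `long` while both functions return `int`, so the narrowing on `return ret;` deserves a cast or a one-line comment.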
+@@ -32,8 +34,10 @@ int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
+ {
+ long ret;
+
+- asm("syscall" : "=a" (ret) :
+- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
++ asm("syscall"
++ : "=a" (ret)
++ : "0" (__NR_gettimeofday), "D" (tv), "S" (tz)
++ : "rcx", "r11", "memory");
+
+ return ret;
+ }
+--
+2.39.2
+