From: Sasha Levin <sashal@kernel.org>
Date: Thu, 9 Jun 2022 13:40:36 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v4.9.318~113
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58b659e87f231c154d9f8f2cf638daed603315ac;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.9

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-4.9/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch b/queue-4.9/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
new file mode 100644
index 00000000000..7e1a32518f1
--- /dev/null
+++ b/queue-4.9/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
@@ -0,0 +1,38 @@
+From 9d305541deeb93356af3e362a3c93d59d07efa48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Apr 2022 12:41:01 +0200
+Subject: clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return
+ value
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 9c04a8ff03def4df3f81219ffbe1ec9b44ff5348 ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: 89355274e1f7 ("clocksource/drivers/oxnas-rps: Add Oxford Semiconductor RPS Dual Timer")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20220422104101.55754-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-oxnas-rps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c
+index d630bf417773..411f211185d3 100644
+--- a/drivers/clocksource/timer-oxnas-rps.c
++++ b/drivers/clocksource/timer-oxnas-rps.c
+@@ -247,7 +247,7 @@ static int __init oxnas_rps_timer_init(struct device_node *np)
+ 	}
+ 
+ 	rps->irq = irq_of_parse_and_map(np, 0);
+-	if (rps->irq < 0) {
++	if (!rps->irq) {
+ 		ret = -EINVAL;
+ 		goto err_iomap;
+ 	}
+-- 
+2.35.1
+
diff --git a/queue-4.9/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch b/queue-4.9/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
new file mode 100644
index 00000000000..fdc6f0e003c
--- /dev/null
+++ b/queue-4.9/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
@@ -0,0 +1,42 @@
+From 31c3ea5e709ba22246487d785b6a183965a7e4d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 11:14:19 +0400
+Subject: firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 660ba678f9998aca6db74f2dd912fa5124f0fa31 ]
+
+kobject_init_and_add() takes reference even when it fails.
+According to the doc of kobject_init_and_add()
+
+   If this function returns an error, kobject_put() must be called to
+   properly clean up the memory associated with the object.
+
+Fix this issue by calling kobject_put().
+
+Fixes: 948af1f0bbc8 ("firmware: Basic dmi-sysfs support")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220511071421.9769-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/dmi-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
+index ef76e5eecf0b..37f76daa2b3d 100644
+--- a/drivers/firmware/dmi-sysfs.c
++++ b/drivers/firmware/dmi-sysfs.c
+@@ -601,7 +601,7 @@ static void __init dmi_sysfs_register_handle(const struct dmi_header *dh,
+ 				    "%d-%d", dh->type, entry->instance);
+ 
+ 	if (*ret) {
+-		kfree(entry);
++		kobject_put(&entry->kobj);
+ 		return;
+ 	}
+ 
+-- 
+2.35.1
+
diff --git a/queue-4.9/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch b/queue-4.9/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
new file mode 100644
index 00000000000..a27ef4e1882
--- /dev/null
+++ b/queue-4.9/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
@@ -0,0 +1,68 @@
+From bfe7a860055dfaba282b49cd803b448ab4e7e5eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 17:38:16 +0800
+Subject: jffs2: fix memory leak in jffs2_do_fill_super
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ]
+
+If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
+an error, we can observe the following kmemleak report:
+
+--------------------------------------------
+unreferenced object 0xffff888105a65340 (size 64):
+  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff859c45e5>] kmem_cache_alloc_trace+0x475/0x8a0
+    [<ffffffff86160146>] jffs2_sum_init+0x96/0x1a0
+    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
+    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
+    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
+    [...]
+unreferenced object 0xffff8881bd7f0000 (size 65536):
+  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
+  hex dump (first 32 bytes):
+    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
+    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
+  backtrace:
+    [<ffffffff858579ba>] kmalloc_order+0xda/0x110
+    [<ffffffff85857a11>] kmalloc_order_trace+0x21/0x130
+    [<ffffffff859c2ed1>] __kmalloc+0x711/0x8a0
+    [<ffffffff86160189>] jffs2_sum_init+0xd9/0x1a0
+    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
+    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
+    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
+    [...]
+--------------------------------------------
+
+This is because the resources allocated in jffs2_sum_init() are not
+released. Call jffs2_sum_exit() to release these resources to solve
+the problem.
+
+Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
+index d3c9e4c82e57..610e11e76f2d 100644
+--- a/fs/jffs2/fs.c
++++ b/fs/jffs2/fs.c
+@@ -597,6 +597,7 @@ int jffs2_do_fill_super(struct super_block *sb, void *data, int silent)
+ 	jffs2_free_raw_node_refs(c);
+ 	kvfree(c->blocks);
+ 	jffs2_clear_xattr_subsystem(c);
++	jffs2_sum_exit(c);
+  out_inohash:
+ 	kfree(c->inocache_list);
+  out_wbuf:
+-- 
+2.35.1
+
diff --git a/queue-4.9/modpost-fix-removing-numeric-suffixes.patch b/queue-4.9/modpost-fix-removing-numeric-suffixes.patch
new file mode 100644
index 00000000000..d35b82744ea
--- /dev/null
+++ b/queue-4.9/modpost-fix-removing-numeric-suffixes.patch
@@ -0,0 +1,58 @@
+From 4953987c541957096330e8ec07012d425cf17f2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 May 2022 17:27:18 +0200
+Subject: modpost: fix removing numeric suffixes
+
+From: Alexander Lobakin <alexandr.lobakin@intel.com>
+
+[ Upstream commit b5beffa20d83c4e15306c991ffd00de0d8628338 ]
+
+With the `-z unique-symbol` linker flag or any similar mechanism,
+it is possible to trigger the following:
+
+ERROR: modpost: "param_set_uint.0" [vmlinux] is a static EXPORT_SYMBOL
+
+The reason is that for now the condition from remove_dot():
+
+if (m && (s[n + m] == '.' || s[n + m] == 0))
+
+which was designed to test if it's a dot or a '\0' after the suffix
+is never satisfied.
+This is due to that `s[n + m]` always points to the last digit of a
+numeric suffix, not on the symbol next to it (from a custom debug
+print added to modpost):
+
+param_set_uint.0, s[n + m] is '0', s[n + m + 1] is '\0'
+
+So it's off-by-one and was like that since 2014.
+
+Fix this for the sake of any potential upcoming features, but don't
+bother stable-backporting, as it's well hidden -- apart from that
+LD flag, it can be triggered only with GCC LTO which never landed
+upstream.
+
+Fixes: fcd38ed0ff26 ("scripts: modpost: fix compilation warning")
+Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 62b0552b7b71..29c3e4d6fc06 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1932,7 +1932,7 @@ static char *remove_dot(char *s)
+ 
+ 	if (n && s[n]) {
+ 		size_t m = strspn(s + n + 1, "0123456789");
+-		if (m && (s[n + m] == '.' || s[n + m] == 0))
++		if (m && (s[n + m + 1] == '.' || s[n + m + 1] == 0))
+ 			s[n] = 0;
+ 	}
+ 	return s;
+-- 
+2.35.1
+
diff --git a/queue-4.9/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch b/queue-4.9/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
new file mode 100644
index 00000000000..20373634637
--- /dev/null
+++ b/queue-4.9/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
@@ -0,0 +1,38 @@
+From 55cba0864a9d487698d16923500e2363b79e8ade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 May 2022 11:02:42 +0300
+Subject: net: ethernet: mtk_eth_soc: out of bounds read in
+ mtk_hwlro_get_fdir_entry()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e7e7104e2d5ddf3806a28695670f21bef471f1e1 ]
+
+The "fsp->location" variable comes from user via ethtool_get_rxnfc().
+Check that it is valid to prevent an out of bounds read.
+
+Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 5b072bf80783..84d667957221 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1496,6 +1496,9 @@ static int mtk_hwlro_get_fdir_entry(struct net_device *dev,
+ 	struct ethtool_rx_flow_spec *fsp =
+ 		(struct ethtool_rx_flow_spec *)&cmd->fs;
+ 
++	if (fsp->location >= ARRAY_SIZE(mac->hwlro_ip))
++		return -EINVAL;
++
+ 	/* only tcp dst ipv4 is meaningful, others are meaningless */
+ 	fsp->flow_type = TCP_V4_FLOW;
+ 	fsp->h_u.tcp_ip4_spec.ip4dst = ntohl(mac->hwlro_ip[fsp->location]);
+-- 
+2.35.1
+
diff --git a/queue-4.9/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch b/queue-4.9/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
new file mode 100644
index 00000000000..0d5109d85d9
--- /dev/null
+++ b/queue-4.9/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
@@ -0,0 +1,48 @@
+From 24ee98523be6764b586566d8fa1879d7242113cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Jan 2022 09:40:31 -0800
+Subject: pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 3928cf08334ed895a31458cbebd8d4ec6d84c080 ]
+
+When the MIPS_ALCHEMY board selection is MIPS_XXS1500 instead of
+MIPS_DB1XXX, the PCMCIA driver 'db1xxx_ss' has build errors due
+to missing DB1XXX symbols. The PCMCIA driver should be restricted
+to MIPS_DB1XXX instead of MIPS_ALCHEMY to fix this build error.
+
+ERROR: modpost: "bcsr_read" [drivers/pcmcia/db1xxx_ss.ko] undefined!
+ERROR: modpost: "bcsr_mod" [drivers/pcmcia/db1xxx_ss.ko] undefined!
+
+Fixes: 42a4f17dc356 ("MIPS: Alchemy: remove SOC_AU1X00 in favor of MIPS_ALCHEMY")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: linux-mips@vger.kernel.org
+Acked-by: Manuel Lauss <manuel.lauss@gmail.com>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pcmcia/Kconfig b/drivers/pcmcia/Kconfig
+index d3c378b4db6c..20d85d564b80 100644
+--- a/drivers/pcmcia/Kconfig
++++ b/drivers/pcmcia/Kconfig
+@@ -146,7 +146,7 @@ config TCIC
+ 
+ config PCMCIA_ALCHEMY_DEVBOARD
+ 	tristate "Alchemy Db/Pb1xxx PCMCIA socket services"
+-	depends on MIPS_ALCHEMY && PCMCIA
++	depends on MIPS_DB1XXX && PCMCIA
+ 	help
+ 	  Enable this driver of you want PCMCIA support on your Alchemy
+ 	  Db1000, Db/Pb1100, Db/Pb1500, Db/Pb1550, Db/Pb1200, DB1300
+-- 
+2.35.1
+
diff --git a/queue-4.9/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch b/queue-4.9/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
new file mode 100644
index 00000000000..de4dd1828a9
--- /dev/null
+++ b/queue-4.9/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
@@ -0,0 +1,40 @@
+From f8f38c77ad8cfa0eb3c81d038c6052296922147d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Apr 2022 17:22:38 +0200
+Subject: pwm: lp3943: Fix duty calculation in case period was clamped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 5e3b07ca5cc78cd4a987e78446849e41288d87cb ]
+
+The hardware only supports periods <= 1.6 ms and if a bigger period is
+requested it is clamped to 1.6 ms. In this case duty_cycle might be bigger
+than 1.6 ms and then the duty cycle register is written with a value
+bigger than LP3943_MAX_DUTY. So clamp duty_cycle accordingly.
+
+Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lp3943.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pwm/pwm-lp3943.c b/drivers/pwm/pwm-lp3943.c
+index 872ea76a4f19..4612315687cd 100644
+--- a/drivers/pwm/pwm-lp3943.c
++++ b/drivers/pwm/pwm-lp3943.c
+@@ -128,6 +128,7 @@ static int lp3943_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ 	if (err)
+ 		return err;
+ 
++	duty_ns = min(duty_ns, period_ns);
+ 	val = (u8)(duty_ns * LP3943_MAX_DUTY / period_ns);
+ 
+ 	return lp3943_write_byte(lp3943, reg_duty, val);
+-- 
+2.35.1
+
diff --git a/queue-4.9/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch b/queue-4.9/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
new file mode 100644
index 00000000000..72ee691b719
--- /dev/null
+++ b/queue-4.9/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
@@ -0,0 +1,36 @@
+From 166de41147680414436864af977e739ddc735e56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Apr 2022 12:53:26 +0200
+Subject: rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 1a358d35066487d228a68303d808bc4721c6b1b9 ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220422105326.78713-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index 312cb7fec5b0..5e67e42e6461 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -1258,7 +1258,7 @@ static int qcom_smd_parse_edge(struct device *dev,
+ 	}
+ 
+ 	irq = irq_of_parse_and_map(node, 0);
+-	if (irq < 0) {
++	if (!irq) {
+ 		dev_err(dev, "required smd interrupt missing\n");
+ 		return -EINVAL;
+ 	}
+-- 
+2.35.1
+
diff --git a/queue-4.9/rtc-mt6397-check-return-value-after-calling-platform.patch b/queue-4.9/rtc-mt6397-check-return-value-after-calling-platform.patch
new file mode 100644
index 00000000000..f1159343989
--- /dev/null
+++ b/queue-4.9/rtc-mt6397-check-return-value-after-calling-platform.patch
@@ -0,0 +1,38 @@
+From 11e4dc65b347636a224ab49f03132cea423df1e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 May 2022 20:50:43 +0800
+Subject: rtc: mt6397: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit d3b43eb505bffb8e4cdf6800c15660c001553fe6 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20220505125043.1594771-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-mt6397.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/rtc/rtc-mt6397.c b/drivers/rtc/rtc-mt6397.c
+index 494a7fbd512b..7e37ec7c8e02 100644
+--- a/drivers/rtc/rtc-mt6397.c
++++ b/drivers/rtc/rtc-mt6397.c
+@@ -339,6 +339,8 @@ static int mtk_rtc_probe(struct platform_device *pdev)
+ 		return -ENOMEM;
+ 
+ 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++	if (!res)
++		return -EINVAL;
+ 	rtc->addr_base = res->start;
+ 
+ 	res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+-- 
+2.35.1
+
diff --git a/queue-4.9/serial-digicolor-usart-don-t-allow-cs5-6.patch b/queue-4.9/serial-digicolor-usart-don-t-allow-cs5-6.patch
new file mode 100644
index 00000000000..584a00c46f1
--- /dev/null
+++ b/queue-4.9/serial-digicolor-usart-don-t-allow-cs5-6.patch
@@ -0,0 +1,46 @@
+From 788755c92363ef99f0f918da1db80b7ca5e9dfa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:01 +0300
+Subject: serial: digicolor-usart: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit fd63031b8c0763addcecdefe0e0c59d49646204e ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized to CS8 in
+the default: block.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 5930cb3511df (serial: driver for Conexant Digicolor USART)
+Acked-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-3-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/digicolor-usart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c
+index 794864fac625..74127813e6db 100644
+--- a/drivers/tty/serial/digicolor-usart.c
++++ b/drivers/tty/serial/digicolor-usart.c
+@@ -313,6 +313,8 @@ static void digicolor_uart_set_termios(struct uart_port *port,
+ 	case CS8:
+ 	default:
+ 		config |= UA_CONFIG_CHAR_LEN;
++		termios->c_cflag &= ~CSIZE;
++		termios->c_cflag |= CS8;
+ 		break;
+ 	}
+ 
+-- 
+2.35.1
+
diff --git a/queue-4.9/serial-meson-acquire-port-lock-in-startup.patch b/queue-4.9/serial-meson-acquire-port-lock-in-startup.patch
new file mode 100644
index 00000000000..5cf5900253e
--- /dev/null
+++ b/queue-4.9/serial-meson-acquire-port-lock-in-startup.patch
@@ -0,0 +1,98 @@
+From 3d7b0ba61d91645616121131b4e604b4b8ba5cbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 May 2022 12:41:47 +0206
+Subject: serial: meson: acquire port->lock in startup()
+
+From: John Ogness <john.ogness@linutronix.de>
+
+[ Upstream commit 589f892ac8ef244e47c5a00ffd8605daa1eaef8e ]
+
+The uart_ops startup() callback is called without interrupts
+disabled and without port->lock locked, relatively late during the
+boot process (from the call path of console_on_rootfs()). If the
+device is a console, it was already previously registered and could
+be actively printing messages.
+
+Since the startup() callback is reading/writing registers used by
+the console write() callback (AML_UART_CONTROL), its access must
+be synchronized using the port->lock. Currently it is not.
+
+The startup() callback is the only function that explicitly enables
+interrupts. Without the synchronization, it is possible that
+interrupts become accidentally permanently disabled.
+
+CPU0                           CPU1
+meson_serial_console_write     meson_uart_startup
+--------------------------     ------------------
+spin_lock(port->lock)
+val = readl(AML_UART_CONTROL)
+uart_console_write()
+                               writel(INT_EN, AML_UART_CONTROL)
+writel(val, AML_UART_CONTROL)
+spin_unlock(port->lock)
+
+Add port->lock synchronization to meson_uart_startup() to avoid
+racing with meson_serial_console_write().
+
+Also add detailed comments to meson_uart_reset() explaining why it
+is *not* using port->lock synchronization.
+
+Link: https://lore.kernel.org/lkml/2a82eae7-a256-f70c-fd82-4e510750906e@samsung.com
+Fixes: ff7693d079e5 ("ARM: meson: serial: add MesonX SoC on-chip uart driver")
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Link: https://lore.kernel.org/r/20220508103547.626355-1-john.ogness@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/meson_uart.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/tty/serial/meson_uart.c b/drivers/tty/serial/meson_uart.c
+index 6aea0f4a9165..273292f09bf6 100644
+--- a/drivers/tty/serial/meson_uart.c
++++ b/drivers/tty/serial/meson_uart.c
+@@ -253,6 +253,14 @@ static const char *meson_uart_type(struct uart_port *port)
+ 	return (port->type == PORT_MESON) ? "meson_uart" : NULL;
+ }
+ 
++/*
++ * This function is called only from probe() using a temporary io mapping
++ * in order to perform a reset before setting up the device. Since the
++ * temporarily mapped region was successfully requested, there can be no
++ * console on this port at this time. Hence it is not necessary for this
++ * function to acquire the port->lock. (Since there is no console on this
++ * port at this time, the port->lock is not initialized yet.)
++ */
+ static void meson_uart_reset(struct uart_port *port)
+ {
+ 	u32 val;
+@@ -267,9 +275,12 @@ static void meson_uart_reset(struct uart_port *port)
+ 
+ static int meson_uart_startup(struct uart_port *port)
+ {
++	unsigned long flags;
+ 	u32 val;
+ 	int ret = 0;
+ 
++	spin_lock_irqsave(&port->lock, flags);
++
+ 	val = readl(port->membase + AML_UART_CONTROL);
+ 	val |= AML_UART_CLR_ERR;
+ 	writel(val, port->membase + AML_UART_CONTROL);
+@@ -285,6 +296,8 @@ static int meson_uart_startup(struct uart_port *port)
+ 	val = (AML_UART_RECV_IRQ(1) | AML_UART_XMIT_IRQ(port->fifosize / 2));
+ 	writel(val, port->membase + AML_UART_MISC);
+ 
++	spin_unlock_irqrestore(&port->lock, flags);
++
+ 	ret = request_irq(port->irq, meson_uart_interrupt, 0,
+ 			  meson_uart_type(port), port);
+ 
+-- 
+2.35.1
+
diff --git a/queue-4.9/serial-sh-sci-don-t-allow-cs5-6.patch b/queue-4.9/serial-sh-sci-don-t-allow-cs5-6.patch
new file mode 100644
index 00000000000..9827f7fe4a1
--- /dev/null
+++ b/queue-4.9/serial-sh-sci-don-t-allow-cs5-6.patch
@@ -0,0 +1,50 @@
+From 33e541f13ad8de02dfd5e050495713cd00331a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:04 +0300
+Subject: serial: sh-sci: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 9b87162de8be26bf3156460b37deee6399fd0fcb ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized from
+CS5 or CS6 to CS8.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-6-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sh-sci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
+index 5c6243a31166..91c69fc3987a 100644
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2206,8 +2206,12 @@ static void sci_set_termios(struct uart_port *port, struct ktermios *termios,
+ 	unsigned long max_freq = 0;
+ 	int best_clk = -1;
+ 
+-	if ((termios->c_cflag & CSIZE) == CS7)
++	if ((termios->c_cflag & CSIZE) == CS7) {
+ 		smr_val |= SCSMR_CHR;
++	} else {
++		termios->c_cflag &= ~CSIZE;
++		termios->c_cflag |= CS8;
++	}
+ 	if (termios->c_cflag & PARENB)
+ 		smr_val |= SCSMR_PE;
+ 	if (termios->c_cflag & PARODD)
+-- 
+2.35.1
+
diff --git a/queue-4.9/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch b/queue-4.9/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
new file mode 100644
index 00000000000..843aeccee61
--- /dev/null
+++ b/queue-4.9/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
@@ -0,0 +1,52 @@
+From 33cc18e02aca68c31261d3b042fdc9b656dd505f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:06 +0300
+Subject: serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 52bb1cb7118564166b04d52387bd8403632f5190 ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized from CS5 or
+CS6 to CS8. In addition, ASC_CTL_MODE_7BIT_PAR suggests that CS7 has
+to have parity, thus add PARENB.
+
+Incorrect CSIZE results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: c4b058560762 (serial:st-asc: Add ST ASC driver.)
+Cc: Srinivas Kandagatla <srinivas.kandagatla@st.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-8-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/st-asc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/st-asc.c b/drivers/tty/serial/st-asc.c
+index 379e5bd37df9..b845cd05e350 100644
+--- a/drivers/tty/serial/st-asc.c
++++ b/drivers/tty/serial/st-asc.c
+@@ -509,10 +509,14 @@ static void asc_set_termios(struct uart_port *port, struct ktermios *termios,
+ 	/* set character length */
+ 	if ((cflag & CSIZE) == CS7) {
+ 		ctrl_val |= ASC_CTL_MODE_7BIT_PAR;
++		cflag |= PARENB;
+ 	} else {
+ 		ctrl_val |= (cflag & PARENB) ?  ASC_CTL_MODE_8BIT_PAR :
+ 						ASC_CTL_MODE_8BIT;
++		cflag &= ~CSIZE;
++		cflag |= CS8;
+ 	}
++	termios->c_cflag = cflag;
+ 
+ 	/* set stop bit */
+ 	ctrl_val |= (cflag & CSTOPB) ? ASC_CTL_STOP_2BIT : ASC_CTL_STOP_1BIT;
+-- 
+2.35.1
+
diff --git a/queue-4.9/serial-txx9-don-t-allow-cs5-6.patch b/queue-4.9/serial-txx9-don-t-allow-cs5-6.patch
new file mode 100644
index 00000000000..aa30a60a791
--- /dev/null
+++ b/queue-4.9/serial-txx9-don-t-allow-cs5-6.patch
@@ -0,0 +1,45 @@
+From 3ac57bbabaac5418e84baf9b61b73b0664afa8fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:03 +0300
+Subject: serial: txx9: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 79ac88655dc0551e3571ad16bdabdbe65d61553e ]
+
+Only CS7 and CS8 are supported but CSIZE is not sanitized with
+CS5 or CS6 to CS8.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-5-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/serial_txx9.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/serial_txx9.c b/drivers/tty/serial/serial_txx9.c
+index ffb3fb1bda9e..61e0b65c3aaf 100644
+--- a/drivers/tty/serial/serial_txx9.c
++++ b/drivers/tty/serial/serial_txx9.c
+@@ -652,6 +652,8 @@ serial_txx9_set_termios(struct uart_port *port, struct ktermios *termios,
+ 	case CS6:	/* not supported */
+ 	case CS8:
+ 		cval |= TXX9_SILCR_UMODE_8BIT;
++		termios->c_cflag &= ~CSIZE;
++		termios->c_cflag |= CS8;
+ 		break;
+ 	}
+ 
+-- 
+2.35.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 5fc971e5c2d..3be06bf6801 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -106,3 +106,22 @@ dt-bindings-gpio-altera-correct-interrupt-cells.patch
 rdma-rxe-generate-a-completion-for-unsupported-invalid-opcode.patch
 mips-ip27-remove-incorrect-cpu_has_fpu-override.patch
 netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch
+pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
+staging-greybus-codecs-fix-type-confusion-of-list-it.patch
+usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
+usb-usbip-add-missing-device-lock-on-tweak-configura.patch
+usb-storage-karma-fix-rio_karma_init-return.patch
+pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
+rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
+rtc-mt6397-check-return-value-after-calling-platform.patch
+serial-meson-acquire-port-lock-in-startup.patch
+serial-digicolor-usart-don-t-allow-cs5-6.patch
+serial-txx9-don-t-allow-cs5-6.patch
+serial-sh-sci-don-t-allow-cs5-6.patch
+serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
+firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
+clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
+net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
+modpost-fix-removing-numeric-suffixes.patch
+jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
+tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
diff --git a/queue-4.9/staging-greybus-codecs-fix-type-confusion-of-list-it.patch b/queue-4.9/staging-greybus-codecs-fix-type-confusion-of-list-it.patch
new file mode 100644
index 00000000000..ecf12572edb
--- /dev/null
+++ b/queue-4.9/staging-greybus-codecs-fix-type-confusion-of-list-it.patch
@@ -0,0 +1,44 @@
+From 8a6c2e8594ab2133ecdf7c70df4b1c4b30008b01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Mar 2022 13:36:26 +0100
+Subject: staging: greybus: codecs: fix type confusion of list iterator
+ variable
+
+From: Jakob Koschel <jakobkoschel@gmail.com>
+
+[ Upstream commit 84ef256550196bc06e6849a34224c998b45bd557 ]
+
+If the list does not exit early then data == NULL and 'module' does not
+point to a valid list element.
+Using 'module' in such a case is not valid and was therefore removed.
+
+Fixes: 6dd67645f22c ("greybus: audio: Use single codec driver registration")
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
+Reviewed-by: Mark Greer <mgreer@animalcreek.com>
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Link: https://lore.kernel.org/r/20220321123626.3068639-1-jakobkoschel@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/audio_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/greybus/audio_codec.c b/drivers/staging/greybus/audio_codec.c
+index 4c2d6c2d4fb4..90bc23408a9c 100644
+--- a/drivers/staging/greybus/audio_codec.c
++++ b/drivers/staging/greybus/audio_codec.c
+@@ -618,8 +618,8 @@ static int gbcodec_mute_stream(struct snd_soc_dai *dai, int mute, int stream)
+ 			break;
+ 	}
+ 	if (!data) {
+-		dev_err(dai->dev, "%s:%s DATA connection missing\n",
+-			dai->name, module->name);
++		dev_err(dai->dev, "%s DATA connection missing\n",
++			dai->name);
+ 		mutex_unlock(&codec->lock);
+ 		return -ENODEV;
+ 	}
+-- 
+2.35.1
+
diff --git a/queue-4.9/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch b/queue-4.9/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
new file mode 100644
index 00000000000..a9086510d0b
--- /dev/null
+++ b/queue-4.9/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
@@ -0,0 +1,92 @@
+From e3e08404e20f28077ce155e397c9ed9e7a824b97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 May 2022 14:37:13 -0700
+Subject: tcp: tcp_rtx_synack() can be called from process context
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b ]
+
+Laurent reported the enclosed report [1]
+
+This bug triggers with following coditions:
+
+0) Kernel built with CONFIG_DEBUG_PREEMPT=y
+
+1) A new passive FastOpen TCP socket is created.
+   This FO socket waits for an ACK coming from client to be a complete
+   ESTABLISHED one.
+2) A socket operation on this socket goes through lock_sock()
+   release_sock() dance.
+3) While the socket is owned by the user in step 2),
+   a retransmit of the SYN is received and stored in socket backlog.
+4) At release_sock() time, the socket backlog is processed while
+   in process context.
+5) A SYNACK packet is cooked in response of the SYN retransmit.
+6) -> tcp_rtx_synack() is called in process context.
+
+Before blamed commit, tcp_rtx_synack() was always called from BH handler,
+from a timer handler.
+
+Fix this by using TCP_INC_STATS() & NET_INC_STATS()
+which do not assume caller is in non preemptible context.
+
+[1]
+BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180
+caller is tcp_rtx_synack.part.0+0x36/0xc0
+CPU: 10 PID: 2180 Comm: epollpep Tainted: G           OE     5.16.0-0.bpo.4-amd64 #1  Debian 5.16.12-1~bpo11+1
+Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x48/0x5e
+ check_preemption_disabled+0xde/0xe0
+ tcp_rtx_synack.part.0+0x36/0xc0
+ tcp_rtx_synack+0x8d/0xa0
+ ? kmem_cache_alloc+0x2e0/0x3e0
+ ? apparmor_file_alloc_security+0x3b/0x1f0
+ inet_rtx_syn_ack+0x16/0x30
+ tcp_check_req+0x367/0x610
+ tcp_rcv_state_process+0x91/0xf60
+ ? get_nohz_timer_target+0x18/0x1a0
+ ? lock_timer_base+0x61/0x80
+ ? preempt_count_add+0x68/0xa0
+ tcp_v4_do_rcv+0xbd/0x270
+ __release_sock+0x6d/0xb0
+ release_sock+0x2b/0x90
+ sock_setsockopt+0x138/0x1140
+ ? __sys_getsockname+0x7e/0xc0
+ ? aa_sk_perm+0x3e/0x1a0
+ __sys_setsockopt+0x198/0x1e0
+ __x64_sys_setsockopt+0x21/0x30
+ do_syscall_64+0x38/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Laurent Fasnacht <laurent.fasnacht@proton.ch>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Link: https://lore.kernel.org/r/20220530213713.601888-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_output.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 95b0f486cb10..e0009cd69da7 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3709,8 +3709,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
+ 	tcp_rsk(req)->txhash = net_tx_rndhash();
+ 	res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL);
+ 	if (!res) {
+-		__TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
+-		__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
++		TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
++		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
+ 		if (unlikely(tcp_passive_fastopen(sk)))
+ 			tcp_sk(sk)->total_retrans++;
+ 	}
+-- 
+2.35.1
+
diff --git a/queue-4.9/usb-storage-karma-fix-rio_karma_init-return.patch b/queue-4.9/usb-storage-karma-fix-rio_karma_init-return.patch
new file mode 100644
index 00000000000..5abe546be68
--- /dev/null
+++ b/queue-4.9/usb-storage-karma-fix-rio_karma_init-return.patch
@@ -0,0 +1,63 @@
+From db02f1703ef6ca519bb5e1043303bdcf32fc97c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 22:43:59 +0800
+Subject: USB: storage: karma: fix rio_karma_init return
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit b92ffb1eddd9a66a90defc556dcbf65a43c196c7 ]
+
+The function rio_karam_init() should return -ENOMEM instead of
+value 0 (USB_STOR_TRANSPORT_GOOD) when allocation fails.
+
+Similarly, it should return -EIO when rio_karma_send_command() fails.
+
+Fixes: dfe0d3ba20e8 ("USB Storage: add rio karma eject support")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Link: https://lore.kernel.org/r/20220412144359.28447-1-linma@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/karma.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/storage/karma.c b/drivers/usb/storage/karma.c
+index f9d407f0b508..13d77421a915 100644
+--- a/drivers/usb/storage/karma.c
++++ b/drivers/usb/storage/karma.c
+@@ -185,23 +185,24 @@ static void rio_karma_destructor(void *extra)
+ 
+ static int rio_karma_init(struct us_data *us)
+ {
+-	int ret = 0;
+ 	struct karma_data *data = kzalloc(sizeof(struct karma_data), GFP_NOIO);
+ 	if (!data)
+-		goto out;
++		return -ENOMEM;
+ 
+ 	data->recv = kmalloc(RIO_RECV_LEN, GFP_NOIO);
+ 	if (!data->recv) {
+ 		kfree(data);
+-		goto out;
++		return -ENOMEM;
+ 	}
+ 
+ 	us->extra = data;
+ 	us->extra_destructor = rio_karma_destructor;
+-	ret = rio_karma_send_command(RIO_ENTER_STORAGE, us);
+-	data->in_storage = (ret == 0);
+-out:
+-	return ret;
++	if (rio_karma_send_command(RIO_ENTER_STORAGE, us))
++		return -EIO;
++
++	data->in_storage = 1;
++
++	return 0;
+ }
+ 
+ static struct scsi_host_template karma_host_template;
+-- 
+2.35.1
+
diff --git a/queue-4.9/usb-usbip-add-missing-device-lock-on-tweak-configura.patch b/queue-4.9/usb-usbip-add-missing-device-lock-on-tweak-configura.patch
new file mode 100644
index 00000000000..246f58154e8
--- /dev/null
+++ b/queue-4.9/usb-usbip-add-missing-device-lock-on-tweak-configura.patch
@@ -0,0 +1,49 @@
+From 73c8918a35093bbee804a6387871b157ee9c8763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 18:50:55 +0200
+Subject: usb: usbip: add missing device lock on tweak configuration cmd
+
+From: Niels Dossche <dossche.niels@gmail.com>
+
+[ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ]
+
+The function documentation of usb_set_configuration says that its
+callers should hold the device lock. This lock is held for all
+callsites except tweak_set_configuration_cmd. The code path can be
+executed for example when attaching a remote USB device.
+The solution is to surround the call by the device lock.
+
+This bug was found using my experimental own-developed static analysis
+tool, which reported the missing lock on v5.17.2. I manually verified
+this bug report by doing code review as well. I runtime checked that
+the required lock is not held. I compiled and runtime tested this on
+x86_64 with a USB mouse. After applying this patch, my analyser no
+longer reports this potential bug.
+
+Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration")
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
+Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/stub_rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
+index d47176f9c310..dd6228a51d0d 100644
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -151,7 +151,9 @@ static int tweak_set_configuration_cmd(struct urb *urb)
+ 	req = (struct usb_ctrlrequest *) urb->setup_packet;
+ 	config = le16_to_cpu(req->wValue);
+ 
++	usb_lock_device(sdev->udev);
+ 	err = usb_set_configuration(sdev->udev, config);
++	usb_unlock_device(sdev->udev);
+ 	if (err && err != -ENODEV)
+ 		dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
+ 			config, err);
+-- 
+2.35.1
+
diff --git a/queue-4.9/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch b/queue-4.9/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
new file mode 100644
index 00000000000..5c9624ba525
--- /dev/null
+++ b/queue-4.9/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
@@ -0,0 +1,49 @@
+From 6ed1721715bb7757e5c825321fdae796de20173b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 10:02:57 +0800
+Subject: usb: usbip: fix a refcount leak in stub_probe()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ]
+
+usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
+after that, usb_put_dev() needs to be called to release the reference.
+
+Fix this by moving usb_put_dev() to sdev_free error path handling.
+
+Find this by code review.
+
+Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/stub_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
+index cec5805feb25..ca76ee4058c9 100644
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -441,7 +441,6 @@ static int stub_probe(struct usb_device *udev)
+ 			     (struct usb_dev_state *) udev);
+ err_port:
+ 	dev_set_drvdata(&udev->dev, NULL);
+-	usb_put_dev(udev);
+ 
+ 	/* we already have busid_priv, just lock busid_lock */
+ 	spin_lock(&busid_priv->busid_lock);
+@@ -456,6 +455,7 @@ static int stub_probe(struct usb_device *udev)
+ 	put_busid_priv(busid_priv);
+ 
+ sdev_free:
++	usb_put_dev(udev);
+ 	stub_device_free(sdev);
+ 
+ 	return rc;
+-- 
+2.35.1
+