Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Thu, 30 Mar 2023 11:50:34 +0000 (07:50 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 30 Mar 2023 11:50:34 +0000 (07:50 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
17 files changed:
queue-5.15/alsa-asihpi-check-pao-in-control_message.patch [new file with mode: 0644]
queue-5.15/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch [new file with mode: 0644]
queue-5.15/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch [new file with mode: 0644]
queue-5.15/fbdev-au1200fb-fix-potential-divide-by-zero.patch [new file with mode: 0644]
queue-5.15/fbdev-intelfb-fix-potential-divide-by-zero.patch [new file with mode: 0644]
queue-5.15/fbdev-lxfb-fix-potential-divide-by-zero.patch [new file with mode: 0644]
queue-5.15/fbdev-nvidia-fix-potential-divide-by-zero.patch [new file with mode: 0644]
queue-5.15/fbdev-tgafb-fix-potential-divide-by-zero.patch [new file with mode: 0644]
queue-5.15/md-avoid-signed-overflow-in-slot_store.patch [new file with mode: 0644]
queue-5.15/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch [new file with mode: 0644]
queue-5.15/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/tools-power-turbostat-fix-decoding-of-hwp_status.patch [new file with mode: 0644]
queue-5.15/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch [new file with mode: 0644]
queue-5.15/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch [new file with mode: 0644]
queue-5.15/x86-pvh-obtain-vga-console-info-in-dom0.patch [new file with mode: 0644]
queue-5.15/xfrm-zero-padding-when-dumping-algos-and-encap.patch [new file with mode: 0644]

diff --git a/queue-5.15/alsa-asihpi-check-pao-in-control_message.patch b/queue-5.15/alsa-asihpi-check-pao-in-control_message.patch
new file mode 100644 (file)
index 0000000..b58bd6d
--- /dev/null
@@ -0,0 +1,72 @@
+From 06eaf083affee8d1a450bdaf2829961bd1a72623 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:49:24 +0000
+Subject: ALSA: asihpi: check pao in control_message()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ]
+
+control_message() might be called with pao = NULL.
+Here indicates control_message() as sample.
+
+(B)    static void control_message(struct hpi_adapter_obj *pao, ...)
+       {                                                   ^^^
+               struct hpi_hw_obj *phw = pao->priv;
+               ...                      ^^^
+       }
+
+(A)    void _HPI_6205(struct hpi_adapter_obj *pao, ...)
+       {                                      ^^^
+               ...
+               case HPI_OBJ_CONTROL:
+(B)                    control_message(pao, phm, phr);
+                       break;          ^^^
+               ...
+       }
+
+       void HPI_6205(...)
+       {
+               ...
+(A)            _HPI_6205(NULL, phm, phr);
+               ...       ^^^^
+       }
+
+Therefore, We will get too many warning via cppcheck, like below
+
+       sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer]
+                struct hpi_hw_obj *phw = pao->priv;
+                                         ^
+       sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0
+                 _HPI_6205(NULL, phm, phr);
+                           ^
+       sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0
+          control_message(pao, phm, phr);
+                          ^
+Set phr->error like many functions doing, and don't call _HPI_6205()
+with NULL.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpi6205.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c
+index 3d6914c64c4a8..4cdaeefeb6885 100644
+--- a/sound/pci/asihpi/hpi6205.c
++++ b/sound/pci/asihpi/hpi6205.c
+@@ -430,7 +430,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr)
+               pao = hpi_find_adapter(phm->adapter_index);
+       } else {
+               /* subsys messages don't address an adapter */
+-              _HPI_6205(NULL, phm, phr);
++              phr->error = HPI_ERROR_INVALID_OBJ_INDEX;
+               return;
+       }
+-- 
+2.39.2
+
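Review bot: The new `else` branch in HPI_6205() now answers every subsystem message with `HPI_ERROR_INVALID_OBJ_INDEX` instead of dispatching it, which is broader than the NULL-`pao` dereference in control_message() that the subject line and the cppcheck trace describe. If any subsystem request was served through `_HPI_6205(NULL, phm, phr)` before, it is now rejected; this cannot be confirmed from the hunk because `_HPI_6205()` lies outside it. A narrower fix would keep the dispatch and guard the dereference where it happens, e.g. `if (!pao) { phr->error = HPI_ERROR_INVALID_OBJ_INDEX; return; }` at the top of control_message(). HPI_6205() continues past the end of the hunk.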
diff --git a/queue-5.15/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch b/queue-5.15/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
new file mode 100644 (file)
index 0000000..7d16fe2
--- /dev/null
@@ -0,0 +1,62 @@
+From 646ce2b1a816c929214553c7512ac1134fd29d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:50:28 +0000
+Subject: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]
+
+tuning_ctl_set() might have buffer overrun at (X) if it didn't break
+from loop by matching (A).
+
+       static int tuning_ctl_set(...)
+       {
+               for (i = 0; i < TUNING_CTLS_COUNT; i++)
+(A)                    if (nid == ca0132_tuning_ctls[i].nid)
+                               break;
+
+               snd_hda_power_up(...);
+(X)            dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
+               snd_hda_power_down(...);                ^
+
+               return 1;
+       }
+
+We will get below error by cppcheck
+
+       sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
+        for (i = 0; i < TUNING_CTLS_COUNT; i++)
+        ^
+       sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
+        dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+                                                  ^
+This patch cares non match case.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index c0cb6e49a9b65..2646663e03426 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4231,8 +4231,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid,
+       for (i = 0; i < TUNING_CTLS_COUNT; i++)
+               if (nid == ca0132_tuning_ctls[i].nid)
+-                      break;
++                      goto found;
++      return -EINVAL;
++found:
+       snd_hda_power_up(codec);
+       dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+                       ca0132_tuning_ctls[i].req,
+-- 
+2.39.2
+
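Review bot: The not-found case in tuning_ctl_set() is handled with a forward `goto found` that jumps over `return -EINVAL;`, which hides the bounds invariant that the later `ca0132_tuning_ctls[i]` accesses depend on. Keeping the `break` and testing the index after the loop states that invariant directly: `if (i >= TUNING_CTLS_COUNT) return -EINVAL;`. The function's tail, including the `return 1` shown in the commit message, is outside the hunk, so whether callers handle the new negative return should be checked there.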
diff --git a/queue-5.15/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch b/queue-5.15/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch
new file mode 100644 (file)
index 0000000..bf4aede
--- /dev/null
@@ -0,0 +1,93 @@
+From 43e3afcab5015044a6dc7cfe04696eb360dfe7af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 13:37:02 +0530
+Subject: ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds
+
+From: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
+
+[ Upstream commit e5e7e398f6bb7918dab0612eb6991f7bae95520d ]
+
+When we run syzkaller we get below Out of Bound.
+    "KASAN: slab-out-of-bounds Read in regcache_flat_read"
+
+    Below is the backtrace of the issue:
+
+    dump_backtrace+0x0/0x4c8
+    show_stack+0x34/0x44
+    dump_stack_lvl+0xd8/0x118
+    print_address_description+0x30/0x2d8
+    kasan_report+0x158/0x198
+    __asan_report_load4_noabort+0x44/0x50
+    regcache_flat_read+0x10c/0x110
+    regcache_read+0xf4/0x180
+    _regmap_read+0xc4/0x278
+    _regmap_update_bits+0x130/0x290
+    regmap_update_bits_base+0xc0/0x15c
+    snd_soc_component_update_bits+0xa8/0x22c
+    snd_soc_component_write_field+0x68/0xd4
+    tx_macro_digital_mute+0xec/0x140
+
+    Actually There is no need to have decimator with 32 bits.
+    By limiting the variable with short type u8 issue is resolved.
+
+Signed-off-by: Ravulapati Vishnu Vardhan Rao <quic_visr@quicinc.com>
+Link: https://lore.kernel.org/r/20230304080702.609-1-quic_visr@quicinc.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/lpass-tx-macro.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
+index 2b7ba78551fab..35d148e60c334 100644
+--- a/sound/soc/codecs/lpass-tx-macro.c
++++ b/sound/soc/codecs/lpass-tx-macro.c
+@@ -239,7 +239,7 @@ enum {
+ struct tx_mute_work {
+       struct tx_macro *tx;
+-      u32 decimator;
++      u8 decimator;
+       struct delayed_work dwork;
+ };
+@@ -632,7 +632,7 @@ static int tx_macro_mclk_enable(struct tx_macro *tx,
+       return 0;
+ }
+-static bool is_amic_enabled(struct snd_soc_component *component, int decimator)
++static bool is_amic_enabled(struct snd_soc_component *component, u8 decimator)
+ {
+       u16 adc_mux_reg, adc_reg, adc_n;
+@@ -843,7 +843,7 @@ static int tx_macro_enable_dec(struct snd_soc_dapm_widget *w,
+                              struct snd_kcontrol *kcontrol, int event)
+ {
+       struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm);
+-      unsigned int decimator;
++      u8 decimator;
+       u16 tx_vol_ctl_reg, dec_cfg_reg, hpf_gate_reg, tx_gain_ctl_reg;
+       u8 hpf_cut_off_freq;
+       int hpf_delay = TX_MACRO_DMIC_HPF_DELAY_MS;
+@@ -1058,7 +1058,8 @@ static int tx_macro_hw_params(struct snd_pcm_substream *substream,
+                             struct snd_soc_dai *dai)
+ {
+       struct snd_soc_component *component = dai->component;
+-      u32 decimator, sample_rate;
++      u32 sample_rate;
++      u8 decimator;
+       int tx_fs_rate;
+       struct tx_macro *tx = snd_soc_component_get_drvdata(component);
+@@ -1122,7 +1123,7 @@ static int tx_macro_digital_mute(struct snd_soc_dai *dai, int mute, int stream)
+ {
+       struct snd_soc_component *component = dai->component;
+       struct tx_macro *tx = snd_soc_component_get_drvdata(component);
+-      u16 decimator;
++      u8 decimator;
+       decimator = tx->active_decimator[dai->id];
+-- 
+2.39.2
+
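Review bot: Narrowing `decimator` to `u8` in struct tx_mute_work, is_amic_enabled(), tx_macro_enable_dec(), tx_macro_hw_params() and tx_macro_digital_mute() changes the width of the value but does not bound it: a `u8` still admits 0-255, and nothing visible checks it against the number of decimators before it is turned into a register address. In tx_macro_digital_mute() the value is read straight from `tx->active_decimator[dai->id]`, so a stale or sentinel entry there would presumably still reach regcache_flat_read() out of range; the code that builds the register offset is outside these hunks. An explicit range check right after that read would make the fix independent of integer truncation, something like `if (decimator >= <decimator count>) return -EINVAL;` with the driver's own limit in place of the placeholder.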
diff --git a/queue-5.15/fbdev-au1200fb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-au1200fb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..ef65b66
--- /dev/null
@@ -0,0 +1,39 @@
+From 924cf4a5c3ae4a4864717aa07a9a5b4651174b20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:22:54 +0000
+Subject: fbdev: au1200fb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ]
+
+var->pixclock can be assigned to zero by user. Without
+proper check, divide by zero would occur when invoking
+macro PICOS2KHZ in au1200fb_fb_check_var.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/au1200fb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index c00e01a173685..a8a0a448cdb5e 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1040,6 +1040,9 @@ static int au1200fb_fb_check_var(struct fb_var_screeninfo *var,
+       u32 pixclock;
+       int screen_size, plane;
++      if (!var->pixclock)
++              return -EINVAL;
++
+       plane = fbdev->plane;
+       /* Make sure that the mode respect all LCD controller and
+-- 
+2.39.2
+
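Review bot: The `if (!var->pixclock)` guard at the top of au1200fb_fb_check_var() has no comment saying why zero is rejected, and the same bare guard is added in intelfb_check_var(), lxfb_check_var() and tgafb_check_var() in the patches that follow. A one-line comment such as `/* pixclock is user-supplied and later used as a divisor */` would keep the check from being removed as redundant. In au1200fb, intelfb and lxfb the division itself is not visible in the hunk (the commit messages place it in PICOS2KHZ, intelfbhw_validate_mode()/intelfbhw_mode_to_hw() and lx_set_clock() respectively), so it is worth confirming that every path into those helpers passes through check_var first.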
diff --git a/queue-5.15/fbdev-intelfb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-intelfb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..e0c84c2
--- /dev/null
@@ -0,0 +1,39 @@
+From 0013239133f8537da2fea4e50d4cfb44ca48be9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:33:47 +0000
+Subject: fbdev: intelfb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ]
+
+Variable var->pixclock is controlled by user and can be assigned
+to zero. Without proper check, divide by zero would occur in
+intelfbhw_validate_mode and intelfbhw_mode_to_hw.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/intelfb/intelfbdrv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c
+index a9579964eaba8..8a703adfa9360 100644
+--- a/drivers/video/fbdev/intelfb/intelfbdrv.c
++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c
+@@ -1214,6 +1214,9 @@ static int intelfb_check_var(struct fb_var_screeninfo *var,
+       dinfo = GET_DINFO(info);
++      if (!var->pixclock)
++              return -EINVAL;
++
+       /* update the pitch */
+       if (intelfbhw_validate_mode(dinfo, var) != 0)
+               return -EINVAL;
+-- 
+2.39.2
+
diff --git a/queue-5.15/fbdev-lxfb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-lxfb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..0a4392c
--- /dev/null
@@ -0,0 +1,38 @@
+From 6ff8792ff5eb617e31fbba5ecda978ac10cdacd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:05:18 +0000
+Subject: fbdev: lxfb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ]
+
+var->pixclock can be assigned to zero by user. Without proper
+check, divide by zero would occur in lx_set_clock.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/geode/lxfb_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/geode/lxfb_core.c b/drivers/video/fbdev/geode/lxfb_core.c
+index 66c81262d18f8..6c6b6efb49f69 100644
+--- a/drivers/video/fbdev/geode/lxfb_core.c
++++ b/drivers/video/fbdev/geode/lxfb_core.c
+@@ -234,6 +234,9 @@ static void get_modedb(struct fb_videomode **modedb, unsigned int *size)
+ static int lxfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
++      if (!var->pixclock)
++              return -EINVAL;
++
+       if (var->xres > 1920 || var->yres > 1440)
+               return -EINVAL;
+-- 
+2.39.2
+
diff --git a/queue-5.15/fbdev-nvidia-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-nvidia-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..c84a428
--- /dev/null
@@ -0,0 +1,40 @@
+From 8bd68366c0c39507b275f489dceb54360df661f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 07:18:31 +0000
+Subject: fbdev: nvidia: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ]
+
+variable var->pixclock can be set by user. In case it
+equals to zero, divide by zero would occur in nvidiafb_set_par.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to nvidia_check_var and nvidiafb_set_par. We believe it
+could also be triggered in driver nvidia from user site.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/nvidia/nvidia.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
+index a372a183c1f01..f9c388a8c10e3 100644
+--- a/drivers/video/fbdev/nvidia/nvidia.c
++++ b/drivers/video/fbdev/nvidia/nvidia.c
+@@ -763,6 +763,8 @@ static int nvidiafb_check_var(struct fb_var_screeninfo *var,
+       int pitch, err = 0;
+       NVTRACE_ENTER();
++      if (!var->pixclock)
++              return -EINVAL;
+       var->transp.offset = 0;
+       var->transp.length = 0;
+-- 
+2.39.2
+
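Review bot: The early `return -EINVAL;` in nvidiafb_check_var() sits after `NVTRACE_ENTER();`, so this exit path leaves the function without the `NVTRACE_LEAVE()` that the driver's trace macros pair with it. Placing the check before `NVTRACE_ENTER();`, directly after the declarations, keeps the trace output balanced: `if (!var->pixclock) return -EINVAL;`. The rest of the function is outside the hunk, so whether its other error returns call NVTRACE_LEAVE() first should be checked there.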
diff --git a/queue-5.15/fbdev-tgafb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-tgafb-fix-potential-divide-by-zero.patch
new file mode 100644 (file)
index 0000000..51d7832
--- /dev/null
@@ -0,0 +1,44 @@
+From addc252a7a18fd330de7578e1024b469c80a828d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:08:56 +0000
+Subject: fbdev: tgafb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ]
+
+fb_set_var would by called when user invokes ioctl with cmd
+FBIOPUT_VSCREENINFO. User-provided data would finally reach
+tgafb_check_var. In case var->pixclock is assigned to zero,
+divide by zero would occur when checking whether reciprocal
+of var->pixclock is too high.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to tgafb_check_var. We believe it could also be triggered
+in driver tgafb from user site.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/tgafb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
+index ae0cf55406369..b9b00a1ffe222 100644
+--- a/drivers/video/fbdev/tgafb.c
++++ b/drivers/video/fbdev/tgafb.c
+@@ -166,6 +166,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
+       struct tga_par *par = (struct tga_par *)info->par;
++      if (!var->pixclock)
++              return -EINVAL;
++
+       if (par->tga_type == TGA_TYPE_8PLANE) {
+               if (var->bits_per_pixel != 8)
+                       return -EINVAL;
+-- 
+2.39.2
+
diff --git a/queue-5.15/md-avoid-signed-overflow-in-slot_store.patch b/queue-5.15/md-avoid-signed-overflow-in-slot_store.patch
new file mode 100644 (file)
index 0000000..ed4883e
--- /dev/null
@@ -0,0 +1,44 @@
+From 2be6239463ed3769e2d565954be559862b92d62e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 09:36:25 +1100
+Subject: md: avoid signed overflow in slot_store()
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ]
+
+slot_store() uses kstrtouint() to get a slot number, but stores the
+result in an "int" variable (by casting a pointer).
+This can result in a negative slot number if the unsigned int value is
+very large.
+
+A negative number means that the slot is empty, but setting a negative
+slot number this way will not remove the device from the array.  I don't
+think this is a serious problem, but it could cause confusion and it is
+best to fix it.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 9e54b865f30da..bd0c9dfac9815 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3189,6 +3189,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
+               err = kstrtouint(buf, 10, (unsigned int *)&slot);
+               if (err < 0)
+                       return err;
++              if (slot < 0)
++                      /* overflow */
++                      return -ENOSPC;
+       }
+       if (rdev->mddev->pers && slot == -1) {
+               /* Setting 'slot' on an active array requires also
+-- 
+2.39.2
+
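Review bot: slot_store() still parses into an `int` through `(unsigned int *)&slot` and then detects overflow from the sign of the result, which relies on how an out-of-range unsigned value is represented rather than on an explicit range test. Parsing into a separate local `unsigned int val` and comparing it with `INT_MAX` before assigning states the limit directly, for example `if (val > INT_MAX) return -ENOSPC;`. As written, the new `if` body spans two lines (comment plus `return`) without braces, which kernel coding style asks to brace. The function begins and ends outside the hunk.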
diff --git a/queue-5.15/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch b/queue-5.15/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch
new file mode 100644 (file)
index 0000000..fc164a3
--- /dev/null
@@ -0,0 +1,40 @@
+From 4488344bc93f7c4a5a632b38435b2242e5ff8f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 14:32:29 +0100
+Subject: net: hsr: Don't log netdev_err message on unknown prp dst node
+
+From: Kristian Overskeid <koverskeid@gmail.com>
+
+[ Upstream commit 28e8cabe80f3e6e3c98121576eda898eeb20f1b1 ]
+
+If no frames has been exchanged with a node for HSR_NODE_FORGET_TIME, the
+node will be deleted from the node_db list. If a frame is sent to the node
+after it is deleted, a netdev_err message for each slave interface is
+produced. This should not happen with dan nodes because of supervision
+frames, but can happen often with san nodes, which clutters the kernel
+log. Since the hsr protocol does not support sans, this is only relevant
+for the prp protocol.
+
+Signed-off-by: Kristian Overskeid <koverskeid@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_framereg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index 414bf4d3d3c92..44eb9c9f80ee9 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -385,7 +385,7 @@ void hsr_addr_subst_dest(struct hsr_node *node_src, struct sk_buff *skb,
+       node_dst = find_node_by_addr_A(&port->hsr->node_db,
+                                      eth_hdr(skb)->h_dest);
+       if (!node_dst) {
+-              if (net_ratelimit())
++              if (net_ratelimit() && port->hsr->prot_version != PRP_V1)
+                       netdev_err(skb->dev, "%s: Unknown node\n", __func__);
+               return;
+       }
+-- 
+2.39.2
+
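Review bot: In hsr_addr_subst_dest() the new condition calls `net_ratelimit()` before it tests the protocol, so every suppressed PRP miss still consumes rate-limit budget and can crowd out messages that are meant to be logged. Reversing the operands avoids that: `if (port->hsr->prot_version != PRP_V1 && net_ratelimit())`. A short comment that unknown destinations are expected for PRP SANs would also explain why the error is silenced rather than downgraded. The function continues outside the hunk.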
diff --git a/queue-5.15/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch b/queue-5.15/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
new file mode 100644 (file)
index 0000000..97c87c4
--- /dev/null
@@ -0,0 +1,82 @@
+From c18fd69f2aace4dda0b123a1eee6fb984e46856c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 19:32:38 -0700
+Subject: sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ]
+
+The getaffinity() system call uses 'cpumask_size()' to decide how big
+the CPU mask is - so far so good.  It is indeed the allocation size of a
+cpumask.
+
+But the code also assumes that the whole allocation is initialized
+without actually doing so itself.  That's wrong, because we might have
+fixed-size allocations (making copying and clearing more efficient), but
+not all of it is then necessarily used if 'nr_cpu_ids' is smaller.
+
+Having checked other users of 'cpumask_size()', they all seem to be ok,
+either using it purely for the allocation size, or explicitly zeroing
+the cpumask before using the size in bytes to copy it.
+
+See for example the ublk_ctrl_get_queue_affinity() function that uses
+the proper 'zalloc_cpumask_var()' to make sure that the whole mask is
+cleared, whether the storage is on the stack or if it was an external
+allocation.
+
+Fix this by just zeroing the allocation before using it.  Do the same
+for the compat version of sched_getaffinity(), which had the same logic.
+
+Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to
+access the bits.  For a cpumask_var_t, it ends up being a pointer to the
+same data either way, but it's just a good idea to treat it like you
+would a 'cpumask_t'.  The compat case already did that.
+
+Reported-by: Ryan Roberts <ryan.roberts@arm.com>
+Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/
+Cc: Yury Norov <yury.norov@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/compat.c     | 2 +-
+ kernel/sched/core.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/compat.c b/kernel/compat.c
+index 55551989d9da5..fb50f29d9b361 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -152,7 +152,7 @@ COMPAT_SYSCALL_DEFINE3(sched_getaffinity, compat_pid_t,  pid, unsigned int, len,
+       if (len & (sizeof(compat_ulong_t)-1))
+               return -EINVAL;
+-      if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+               return -ENOMEM;
+       ret = sched_getaffinity(pid, mask);
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 0c72459d5f42a..acf7c09c9152f 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8185,14 +8185,14 @@ SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len,
+       if (len & (sizeof(unsigned long)-1))
+               return -EINVAL;
+-      if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+               return -ENOMEM;
+       ret = sched_getaffinity(pid, mask);
+       if (ret == 0) {
+               unsigned int retlen = min(len, cpumask_size());
+-              if (copy_to_user(user_mask_ptr, mask, retlen))
++              if (copy_to_user(user_mask_ptr, cpumask_bits(mask), retlen))
+                       ret = -EFAULT;
+               else
+                       ret = retlen;
+-- 
+2.39.2
+
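Review bot: Neither `zalloc_cpumask_var()` call carries a comment tying the zeroing to the copy that follows, although that is the security property being restored: `retlen` is `min(len, cpumask_size())`, so up to the full allocation is copied to user space, and any bytes beyond what sched_getaffinity() fills would otherwise be uninitialised kernel memory. A comment at both sites, e.g. `/* must be zeroed: up to cpumask_size() bytes are copied to user space */`, would stop a later cleanup from switching back to alloc_cpumask_var(). In kernel/compat.c the copy itself is outside the hunk, so the reasoning there rests on the commit message.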
index 4f31f1393dab4c74c9e323c1d8c3211c918b4390..5ca9d03be5247e2091914fb49c7ec2b55da9167c 100644 (file)
@@ -5,3 +5,19 @@ kernel-kcsan-kcsan_test-build-without-structleak-plu.patch
 kcsan-avoid-passing-g-for-test.patch
 ksmbd-don-t-terminate-inactive-sessions-after-a-few-.patch
 bus-imx-weim-fix-branch-condition-evaluates-to-a-gar.patch
+xfrm-zero-padding-when-dumping-algos-and-encap.patch
+asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch
+md-avoid-signed-overflow-in-slot_store.patch
+x86-pvh-obtain-vga-console-info-in-dom0.patch
+net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch
+alsa-asihpi-check-pao-in-control_message.patch
+alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
+fbdev-tgafb-fix-potential-divide-by-zero.patch
+sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
+fbdev-nvidia-fix-potential-divide-by-zero.patch
+fbdev-intelfb-fix-potential-divide-by-zero.patch
+fbdev-lxfb-fix-potential-divide-by-zero.patch
+fbdev-au1200fb-fix-potential-divide-by-zero.patch
+tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch
+tools-power-turbostat-fix-decoding-of-hwp_status.patch
+tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch
diff --git a/queue-5.15/tools-power-turbostat-fix-decoding-of-hwp_status.patch b/queue-5.15/tools-power-turbostat-fix-decoding-of-hwp_status.patch
new file mode 100644 (file)
index 0000000..5a9ca0c
--- /dev/null
@@ -0,0 +1,37 @@
+From e1f7dcb17bbf47e098679e26fe071d88ef399382 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 15:17:50 +0200
+Subject: tools/power turbostat: fix decoding of HWP_STATUS
+
+From: Antti Laakso <antti.laakso@intel.com>
+
+[ Upstream commit 92c25393586ac799b9b7d9e50434f3c44a7622c4 ]
+
+The "excursion to minimum" information is in bit2
+in HWP_STATUS MSR. Fix the bitmask used for
+decoding the register.
+
+Signed-off-by: Antti Laakso <antti.laakso@intel.com>
+Reviewed-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 84b8a35c91972..a3197efe52c63 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -4241,7 +4241,7 @@ int print_hwp(struct thread_data *t, struct core_data *c, struct pkg_data *p)
+       fprintf(outf, "cpu%d: MSR_HWP_STATUS: 0x%08llx "
+               "(%sGuaranteed_Perf_Change, %sExcursion_Min)\n",
+-              cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x2) ? "" : "No-");
++              cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x4) ? "" : "No-");
+       return 0;
+ }
+-- 
+2.39.2
+
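Review bot: The status bits in print_hwp() are still tested with bare literals (`0x1`, `0x4`), which makes a wrong mask like the old `0x2` hard to spot. A comment next to the fprintf, e.g. `/* bit 0: Guaranteed_Perf_Change, bit 2: Excursion_Min */`, or named constants for the two bits, would let the masks be checked against the format string at a glance.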
diff --git a/queue-5.15/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch b/queue-5.15/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch
new file mode 100644 (file)
index 0000000..fe1d059
--- /dev/null
@@ -0,0 +1,58 @@
+From 05f1bfec1e72aa26791a8fd0ca0e517e4d3375e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:18:16 -0500
+Subject: tools/power turbostat: Fix /dev/cpu_dma_latency warnings
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+[ Upstream commit 40aafc7d58d3544f152a863a0e9863014b6d5d8c ]
+
+When running as non-root the following error is seen in turbostat:
+
+turbostat: fopen /dev/cpu_dma_latency
+: Permission denied
+
+turbostat and the man page have information on how to avoid other
+permission errors, so these can be fixed the same way.
+
+Provide better /dev/cpu_dma_latency warnings that provide instructions on
+how to avoid the error, and update the man page.
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Cc: linux-pm@vger.kernel.org
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.8 | 2 ++
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8
+index 9b17097bc3d7b..b3d4bf08e70b1 100644
+--- a/tools/power/x86/turbostat/turbostat.8
++++ b/tools/power/x86/turbostat/turbostat.8
+@@ -296,6 +296,8 @@ Alternatively, non-root users can be enabled to run turbostat this way:
+ # chmod +r /dev/cpu/*/msr
++# chmod +r /dev/cpu_dma_latency
++
+ .B "turbostat "
+ reads hardware counters, but doesn't write them.
+ So it will not interfere with the OS or other programs, including
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 4f176bbf29f42..84b8a35c91972 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -5237,7 +5237,7 @@ void print_dev_latency(void)
+       retval = read(fd, (void *)&value, sizeof(int));
+       if (retval != sizeof(int)) {
+-              warn("read %s\n", path);
++              warn("read failed %s\n", path);
+               close(fd);
+               return;
+       }
+-- 
+2.39.2
+
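Review bot: The replacement `warn("read failed %s\n", path);` in print_dev_latency() keeps the trailing `\n` in the format string. warn() appends `: `, the errno text and a newline itself, so the message is still split across two lines, as in the output quoted in the commit message. Dropping the newline fixes that: `warn("read failed %s", path);`. The commit message also promises instructions on how to avoid the error, but the only source change in this hunk is this wording; the open-failure path is not visible here.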
diff --git a/queue-5.15/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch b/queue-5.15/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch
new file mode 100644 (file)
index 0000000..f14c06b
--- /dev/null
@@ -0,0 +1,53 @@
+From cca1d4c8b318c3675f6b9b52a2ceb829c22a6d9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 10:58:18 +0300
+Subject: tracing: Fix wrong return in kprobe_event_gen_test.c
+
+From: Anton Gusev <aagusev@ispras.ru>
+
+[ Upstream commit bc4f359b3b607daac0290d0038561237a86b38cb ]
+
+Overwriting the error code with the deletion result may cause the
+function to return 0 despite encountering an error. Commit b111545d26c0
+("tracing: Remove the useless value assignment in
+test_create_synth_event()") solves a similar issue by
+returning the original error code, so this patch does the same.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230131075818.5322-1-aagusev@ispras.ru
+
+Signed-off-by: Anton Gusev <aagusev@ispras.ru>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/kprobe_event_gen_test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c
+index c736487fc0e48..e0c420eb0b2b4 100644
+--- a/kernel/trace/kprobe_event_gen_test.c
++++ b/kernel/trace/kprobe_event_gen_test.c
+@@ -146,7 +146,7 @@ static int __init test_gen_kprobe_cmd(void)
+       if (trace_event_file_is_valid(gen_kprobe_test))
+               gen_kprobe_test = NULL;
+       /* We got an error after creating the event, delete it */
+-      ret = kprobe_event_delete("gen_kprobe_test");
++      kprobe_event_delete("gen_kprobe_test");
+       goto out;
+ }
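Review bot: The result of `kprobe_event_delete("gen_kprobe_test")` is now discarded silently, so a failed cleanup on this error path leaves the event registered with nothing recording it. The discard is deliberate (it keeps the original error in `ret`), so the comment above the call should say so, e.g. `/* We got an error after creating the event, delete it; ret keeps the original error */`. A `pr_warn()` on a non-zero result would also make a leftover event visible in the log. The same applies to the `kprobe_event_delete("gen_kretprobe_test")` call in the next hunk. Both functions start outside their hunks, so the `out` label and the final return are not visible here.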
+@@ -211,7 +211,7 @@ static int __init test_gen_kretprobe_cmd(void)
+       if (trace_event_file_is_valid(gen_kretprobe_test))
+               gen_kretprobe_test = NULL;
+       /* We got an error after creating the event, delete it */
+-      ret = kprobe_event_delete("gen_kretprobe_test");
++      kprobe_event_delete("gen_kretprobe_test");
+       goto out;
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.15/x86-pvh-obtain-vga-console-info-in-dom0.patch b/queue-5.15/x86-pvh-obtain-vga-console-info-in-dom0.patch
new file mode 100644 (file)
index 0000000..4dc8f6f
--- /dev/null
@@ -0,0 +1,140 @@
+From 71b40a2c8eb39f1311913fa425776b7eaf249a6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:45:48 +0100
+Subject: x86/PVH: obtain VGA console info in Dom0
+
+From: Jan Beulich <jbeulich@suse.com>
+
+[ Upstream commit 934ef33ee75c3846f605f18b65048acd147e3918 ]
+
+A new platform-op was added to Xen to allow obtaining the same VGA
+console information PV Dom0 is handed. Invoke the new function and have
+the output data processed by xen_init_vga().
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+
+Link: https://lore.kernel.org/r/8f315e92-7bda-c124-71cc-478ab9c5e610@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/Makefile            |  2 +-
+ arch/x86/xen/enlighten_pv.c      |  3 ++-
+ arch/x86/xen/enlighten_pvh.c     | 13 +++++++++++++
+ arch/x86/xen/vga.c               |  5 ++---
+ arch/x86/xen/xen-ops.h           |  7 ++++---
+ include/xen/interface/platform.h |  3 +++
+ 6 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/xen/Makefile b/arch/x86/xen/Makefile
+index 4953260e281c3..40b5779fce21c 100644
+--- a/arch/x86/xen/Makefile
++++ b/arch/x86/xen/Makefile
+@@ -45,7 +45,7 @@ obj-$(CONFIG_PARAVIRT_SPINLOCKS)+= spinlock.o
+ obj-$(CONFIG_XEN_DEBUG_FS)    += debugfs.o
+-obj-$(CONFIG_XEN_PV_DOM0)     += vga.o
++obj-$(CONFIG_XEN_DOM0)                += vga.o
+ obj-$(CONFIG_SWIOTLB_XEN)     += pci-swiotlb-xen.o
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 561aad13412f9..998db0257e2ad 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -1353,7 +1353,8 @@ asmlinkage __visible void __init xen_start_kernel(void)
+               x86_platform.set_legacy_features =
+                               xen_dom0_set_legacy_features;
+-              xen_init_vga(info, xen_start_info->console.dom0.info_size);
++              xen_init_vga(info, xen_start_info->console.dom0.info_size,
++                           &boot_params.screen_info);
+               xen_start_info->console.domU.mfn = 0;
+               xen_start_info->console.domU.evtchn = 0;
+diff --git a/arch/x86/xen/enlighten_pvh.c b/arch/x86/xen/enlighten_pvh.c
+index bcae606bbc5cf..1da44aca896c6 100644
+--- a/arch/x86/xen/enlighten_pvh.c
++++ b/arch/x86/xen/enlighten_pvh.c
+@@ -43,6 +43,19 @@ void __init xen_pvh_init(struct boot_params *boot_params)
+       x86_init.oem.banner = xen_banner;
+       xen_efi_init(boot_params);
++
++      if (xen_initial_domain()) {
++              struct xen_platform_op op = {
++                      .cmd = XENPF_get_dom0_console,
++              };
++              long ret = HYPERVISOR_platform_op(&op);
++
++              if (ret > 0)
++                      xen_init_vga(&op.u.dom0_console,
++                                   min(ret * sizeof(char),
++                                       sizeof(op.u.dom0_console)),
++                                   &boot_params->screen_info);
++      }
+ }
+ void __init mem_map_via_hcall(struct boot_params *boot_params_p)
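Review bot: In the block added to xen_pvh_init(), `min(ret * sizeof(char), sizeof(op.u.dom0_console))` mixes operand types. With `long ret` the first argument is `unsigned long` and the second is `size_t`, so on builds where `size_t` is `unsigned int` (32-bit) the kernel's type-checked `min()` warns about the mismatch. Declaring `int ret`, or writing the clamp as `min_t(size_t, ret, sizeof(op.u.dom0_console))`, keeps the bound and builds cleanly at both widths. The clamp itself should stay, since `ret` comes from the hypervisor and is used as a buffer size. xen_pvh_init() starts outside the hunk.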
+diff --git a/arch/x86/xen/vga.c b/arch/x86/xen/vga.c
+index e336f223f7f47..93697109592c3 100644
+--- a/arch/x86/xen/vga.c
++++ b/arch/x86/xen/vga.c
+@@ -9,10 +9,9 @@
+ #include "xen-ops.h"
+-void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size)
++void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size,
++                       struct screen_info *screen_info)
+ {
+-      struct screen_info *screen_info = &boot_params.screen_info;
+-
+       /* This is drawn from a dump from vgacon:startup in
+        * standard Linux. */
+       screen_info->orig_video_mode = 3;
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index 16aed4b121297..71f31032c635f 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -110,11 +110,12 @@ static inline void xen_uninit_lock_cpu(int cpu)
+ struct dom0_vga_console_info;
+-#ifdef CONFIG_XEN_PV_DOM0
+-void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size);
++#ifdef CONFIG_XEN_DOM0
++void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size,
++                       struct screen_info *);
+ #else
+ static inline void __init xen_init_vga(const struct dom0_vga_console_info *info,
+-                                     size_t size)
++                                     size_t size, struct screen_info *si)
+ {
+ }
+ #endif
+diff --git a/include/xen/interface/platform.h b/include/xen/interface/platform.h
+index 732efb08c3e17..744bc41355678 100644
+--- a/include/xen/interface/platform.h
++++ b/include/xen/interface/platform.h
+@@ -500,6 +500,8 @@ struct xenpf_symdata {
+ };
+ DEFINE_GUEST_HANDLE_STRUCT(xenpf_symdata);
++#define XENPF_get_dom0_console 64
++
+ struct xen_platform_op {
+       uint32_t cmd;
+       uint32_t interface_version; /* XENPF_INTERFACE_VERSION */
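Review bot: The new `#define XENPF_get_dom0_console 64` carries no description of the call's contract. A reader can only infer it from the caller in enlighten_pvh.c, which treats a positive return as the number of bytes filled into `u.dom0_console`. A short comment above the define, such as `/* Returns the size of the data written to u.dom0_console; <= 0 if none is available. */`, would record that. The exact error convention should be confirmed against the Xen public header. struct xen_platform_op continues outside the hunk.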
+@@ -523,6 +525,7 @@ struct xen_platform_op {
+               struct xenpf_mem_hotadd        mem_add;
+               struct xenpf_core_parking      core_parking;
+               struct xenpf_symdata           symdata;
++              struct dom0_vga_console_info   dom0_console;
+               uint8_t                        pad[128];
+       } u;
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.15/xfrm-zero-padding-when-dumping-algos-and-encap.patch b/queue-5.15/xfrm-zero-padding-when-dumping-algos-and-encap.patch
new file mode 100644 (file)
index 0000000..78b5d71
--- /dev/null
@@ -0,0 +1,111 @@
+From 5867b6a14c7f98c57b3102d1988e8c2cc9514e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 09:09:52 +0800
+Subject: xfrm: Zero padding when dumping algos and encap
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 8222d5910dae08213b6d9d4bc9a7f8502855e624 ]
+
+When copying data to user-space we should ensure that only valid
+data is copied over.  Padding in structures may be filled with
+random (possibly sensitve) data and should never be given directly
+to user-space.
+
+This patch fixes the copying of xfrm algorithms and the encap
+template in xfrm_user so that padding is zeroed.
+
+Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com
+Reported-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 45 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5fba82757ce5e..eb0952dbf4236 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -906,7 +906,9 @@ static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb)
+               return -EMSGSIZE;
+       ap = nla_data(nla);
+-      memcpy(ap, aead, sizeof(*aead));
++      strscpy_pad(ap->alg_name, aead->alg_name, sizeof(ap->alg_name));
++      ap->alg_key_len = aead->alg_key_len;
++      ap->alg_icv_len = aead->alg_icv_len;
+       if (redact_secret && aead->alg_key_len)
+               memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8);
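Review bot: With the `memcpy()` replaced by per-field stores in copy_to_user_aead(), keeping stale bytes out of user space now depends on every byte of the header being assigned explicitly, and nothing in the code says so. copy_to_user_encap() in the same patch takes the sturdier route of `memset(uep, 0, sizeof(*uep))` before assigning, so a field or padding added later would be covered there but not here. A comment such as `/* nla_reserve() does not clear the payload: every header byte must be written below */` would make the invariant explicit. The same applies to the copy_to_user_ealg() hunk and to the new copy_to_user_calg(). The function starts and ends outside this hunk.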
+@@ -926,7 +928,8 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
+               return -EMSGSIZE;
+       ap = nla_data(nla);
+-      memcpy(ap, ealg, sizeof(*ealg));
++      strscpy_pad(ap->alg_name, ealg->alg_name, sizeof(ap->alg_name));
++      ap->alg_key_len = ealg->alg_key_len;
+       if (redact_secret && ealg->alg_key_len)
+               memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8);
+@@ -937,6 +940,40 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
+       return 0;
+ }
++static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb)
++{
++      struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg));
++      struct xfrm_algo *ap;
++
++      if (!nla)
++              return -EMSGSIZE;
++
++      ap = nla_data(nla);
++      strscpy_pad(ap->alg_name, calg->alg_name, sizeof(ap->alg_name));
++      ap->alg_key_len = 0;
++
++      return 0;
++}
++
++static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb)
++{
++      struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep));
++      struct xfrm_encap_tmpl *uep;
++
++      if (!nla)
++              return -EMSGSIZE;
++
++      uep = nla_data(nla);
++      memset(uep, 0, sizeof(*uep));
++
++      uep->encap_type = ep->encap_type;
++      uep->encap_sport = ep->encap_sport;
++      uep->encap_dport = ep->encap_dport;
++      uep->encap_oa = ep->encap_oa;
++
++      return 0;
++}
++
+ static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m)
+ {
+       int ret = 0;
+@@ -992,12 +1029,12 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
+                       goto out;
+       }
+       if (x->calg) {
+-              ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
++              ret = copy_to_user_calg(x->calg, skb);
+               if (ret)
+                       goto out;
+       }
+       if (x->encap) {
+-              ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
++              ret = copy_to_user_encap(x->encap, skb);
+               if (ret)
+                       goto out;
+       }
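Review bot: The authentication-algorithm dump path is not covered by this patch, which switches only the aead, ealg, calg and encap paths to zeroing copies. That path is not visible on this page. If it still copies the `struct xfrm_algo_auth` header with `memcpy()`, the bytes after the name terminator would reach user space the same way, and it would need the same `strscpy_pad()` plus per-field treatment. This is worth confirming before treating the leak as closed. copy_to_user_state_extra() starts and ends outside the hunk.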
+-- 
+2.39.2
+