Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sun, 9 Jul 2023 04:58:26 +0000 (00:58 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 9 Jul 2023 04:58:26 +0000 (00:58 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
112 files changed:
queue-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch [new file with mode: 0644]
queue-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch [new file with mode: 0644]
queue-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch [new file with mode: 0644]
queue-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch [new file with mode: 0644]
queue-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch [new file with mode: 0644]
queue-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch [new file with mode: 0644]
queue-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch [new file with mode: 0644]
queue-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch [new file with mode: 0644]
queue-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch [new file with mode: 0644]
queue-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch [new file with mode: 0644]
queue-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch [new file with mode: 0644]
queue-5.4/clk-cdce925-check-return-value-of-kasprintf.patch [new file with mode: 0644]
queue-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch [new file with mode: 0644]
queue-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch [new file with mode: 0644]
queue-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch [new file with mode: 0644]
queue-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch [new file with mode: 0644]
queue-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch [new file with mode: 0644]
queue-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch [new file with mode: 0644]
queue-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch [new file with mode: 0644]
queue-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch [new file with mode: 0644]
queue-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch [new file with mode: 0644]
queue-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch [new file with mode: 0644]
queue-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch [new file with mode: 0644]
queue-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch [new file with mode: 0644]
queue-5.4/evm-complete-description-of-evm_inode_setattr.patch [new file with mode: 0644]
queue-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch [new file with mode: 0644]
queue-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch [new file with mode: 0644]
queue-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch [new file with mode: 0644]
queue-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch [new file with mode: 0644]
queue-5.4/hwrng-virtio-add-an-internal-buffer.patch [new file with mode: 0644]
queue-5.4/hwrng-virtio-always-add-a-pending-request.patch [new file with mode: 0644]
queue-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch [new file with mode: 0644]
queue-5.4/hwrng-virtio-don-t-waste-entropy.patch [new file with mode: 0644]
queue-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch [new file with mode: 0644]
queue-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch [new file with mode: 0644]
queue-5.4/ima-fix-build-warnings.patch [new file with mode: 0644]
queue-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch [new file with mode: 0644]
queue-5.4/input-drv260x-sleep-between-polling-go-bit.patch [new file with mode: 0644]
queue-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch [new file with mode: 0644]
queue-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch [new file with mode: 0644]
queue-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch [new file with mode: 0644]
queue-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch [new file with mode: 0644]
queue-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch [new file with mode: 0644]
queue-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch [new file with mode: 0644]
queue-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch [new file with mode: 0644]
queue-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch [new file with mode: 0644]
queue-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch [new file with mode: 0644]
queue-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch [new file with mode: 0644]
queue-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch [new file with mode: 0644]
queue-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch [new file with mode: 0644]
queue-5.4/modpost-fix-off-by-one-in-is_executable_section.patch [new file with mode: 0644]
queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch [new file with mode: 0644]
queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch [new file with mode: 0644]
queue-5.4/net-create-netdev-dev_addr-assignment-helpers.patch [new file with mode: 0644]
queue-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch [new file with mode: 0644]
queue-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch [new file with mode: 0644]
queue-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch [new file with mode: 0644]
queue-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch [new file with mode: 0644]
queue-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch [new file with mode: 0644]
queue-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch [new file with mode: 0644]
queue-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch [new file with mode: 0644]
queue-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch [new file with mode: 0644]
queue-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch [new file with mode: 0644]
queue-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch [new file with mode: 0644]
queue-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch [new file with mode: 0644]
queue-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch [new file with mode: 0644]
queue-5.4/pci-ftpci100-release-the-clock-resources.patch [new file with mode: 0644]
queue-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch [new file with mode: 0644]
queue-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch [new file with mode: 0644]
queue-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch [new file with mode: 0644]
queue-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch [new file with mode: 0644]
queue-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch [new file with mode: 0644]
queue-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch [new file with mode: 0644]
queue-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch [new file with mode: 0644]
queue-5.4/pstore-ram-add-check-for-kstrdup.patch [new file with mode: 0644]
queue-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch [new file with mode: 0644]
queue-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch [new file with mode: 0644]
queue-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch [new file with mode: 0644]
queue-5.4/regulator-core-streamline-debugfs-operations.patch [new file with mode: 0644]
queue-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch [new file with mode: 0644]
queue-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch [new file with mode: 0644]
queue-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch [new file with mode: 0644]
queue-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch [new file with mode: 0644]
queue-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch [new file with mode: 0644]
queue-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch [new file with mode: 0644]
queue-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch [new file with mode: 0644]
queue-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch [new file with mode: 0644]
queue-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch [new file with mode: 0644]
queue-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch [new file with mode: 0644]
queue-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch [new file with mode: 0644]
queue-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch [new file with mode: 0644]
queue-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch [new file with mode: 0644]
queue-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch [new file with mode: 0644]
queue-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch [new file with mode: 0644]
queue-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch [new file with mode: 0644]
queue-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch [new file with mode: 0644]
queue-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch [new file with mode: 0644]
queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch [new file with mode: 0644]
queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch [new file with mode: 0644]
queue-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch [new file with mode: 0644]
queue-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch [new file with mode: 0644]
queue-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch [new file with mode: 0644]
queue-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch [new file with mode: 0644]
queue-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch [new file with mode: 0644]
queue-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch [new file with mode: 0644]
queue-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch [new file with mode: 0644]
queue-5.4/wl3501_cs-remove-unnecessary-null-check.patch [new file with mode: 0644]
queue-5.4/wl3501_cs-use-eth_hw_addr_set.patch [new file with mode: 0644]
queue-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch [new file with mode: 0644]
queue-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch [new file with mode: 0644]

diff --git a/queue-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/queue-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
new file mode 100644 (file)
index 0000000..f214145
--- /dev/null
@@ -0,0 +1,42 @@
+From 0d9ac228cf66a8fa67c7465ccb21bebc17592794 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 10:17:32 +0800
+Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ]
+
+smatch error:
+sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
+we previously assumed 'rac97' could be null (see line 2072)
+
+remove redundant assignment, return error if rac97 is NULL.
+
+Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/ac97/ac97_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index 83bb086bf9757..b920c739d6863 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -2006,8 +2006,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
+               .dev_disconnect =       snd_ac97_dev_disconnect,
+       };
+-      if (rac97)
+-              *rac97 = NULL;
++      if (!rac97)
++              return -EINVAL;
+       if (snd_BUG_ON(!bus || !template))
+               return -EINVAL;
+       if (snd_BUG_ON(template->num >= 4))
+-- 
+2.39.2
+
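Review bot: With `*rac97 = NULL;` removed from the top of snd_ac97_mixer(), the early error returns that follow (`snd_BUG_ON(!bus || !template)` and `snd_BUG_ON(template->num >= 4)`) leave the caller's out-pointer untouched. A caller that inspects `*rac97` after a failure, rather than the return code, could then act on a stale or uninitialised pointer instead of NULL. Keeping the reset after the new NULL check preserves the old contract: `if (!rac97) return -EINVAL;` followed by `*rac97 = NULL;`. The rest of the function is outside the hunk, so whether later error paths write `*rac97` cannot be confirmed from here.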
diff --git a/queue-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch b/queue-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
new file mode 100644 (file)
index 0000000..a02e737
--- /dev/null
@@ -0,0 +1,62 @@
+From 5609fcb852bae84c9a25bfb1cfe1f4b99face629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jun 2023 00:50:50 +0900
+Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__
+ guard
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ]
+
+ASM_NL is useful not only in *.S files but also in .c files for using
+inline assembler in C code.
+
+On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to
+a backquote (`) in *.S files, but a semicolon (;) in *.c files because
+arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__,
+so the definition for C code falls back to the default value defined in
+include/linux/linkage.h.
+
+If ASM_NL is used in inline assembler in .c files, it will result in
+wrong assembly code because a semicolon is not an instruction separator,
+but the start of a comment for ARC.
+
+Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef.
+
+Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro")
+Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/linkage.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h
+index fe19f1d412e71..284fd513d7c67 100644
+--- a/arch/arc/include/asm/linkage.h
++++ b/arch/arc/include/asm/linkage.h
+@@ -8,6 +8,10 @@
+ #include <asm/dwarf.h>
++#define ASM_NL                 `      /* use '`' to mark new line in macro */
++#define __ALIGN               .align 4
++#define __ALIGN_STR   __stringify(__ALIGN)
++
+ #ifdef __ASSEMBLY__
+ .macro ST2 e, o, off
+@@ -28,10 +32,6 @@
+ #endif
+ .endm
+-#define ASM_NL                 `      /* use '`' to mark new line in macro */
+-#define __ALIGN               .align 4
+-#define __ALIGN_STR   __stringify(__ALIGN)
+-
+ /* annotation for data we want in DCCM - if enabled in .config */
+ .macro ARCFP_DATA nm
+ #ifdef CONFIG_ARC_HAS_DCCM
+-- 
+2.39.2
+
diff --git a/queue-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/queue-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
new file mode 100644 (file)
index 0000000..f573ced
--- /dev/null
@@ -0,0 +1,103 @@
+From 6402def2cf5aa40cd02fab84a340ccf05ca5bf4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 19:28:42 +0100
+Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ]
+
+checker_stack_use_t32strd() and kprobe_handler() can be made static since
+they are not used from other files, while coverage_start_registers()
+and __kprobes_test_case() are used from assembler code, and just need
+a declaration to avoid a warning with the global definition.
+
+arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd'
+arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler'
+arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers'
+arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start'
+arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16'
+arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32'
+
+Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions")
+Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation")
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/probes/kprobes/checkers-common.c | 2 +-
+ arch/arm/probes/kprobes/core.c            | 2 +-
+ arch/arm/probes/kprobes/opt-arm.c         | 2 --
+ arch/arm/probes/kprobes/test-core.c       | 2 +-
+ arch/arm/probes/kprobes/test-core.h       | 4 ++++
+ 5 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c
+index 4d720990cf2a3..eba7ac4725c02 100644
+--- a/arch/arm/probes/kprobes/checkers-common.c
++++ b/arch/arm/probes/kprobes/checkers-common.c
+@@ -40,7 +40,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn,
+  * Different from other insn uses imm8, the real addressing offset of
+  * STRD in T32 encoding should be imm8 * 4. See ARMARM description.
+  */
+-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
+               struct arch_probes_insn *asi,
+               const struct decode_header *h)
+ {
+diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c
+index 0a783bd4641c5..44b5f7dbcc00f 100644
+--- a/arch/arm/probes/kprobes/core.c
++++ b/arch/arm/probes/kprobes/core.c
+@@ -231,7 +231,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
+  * kprobe, and that level is reserved for user kprobe handlers, so we can't
+  * risk encountering a new kprobe in an interrupt handler.
+  */
+-void __kprobes kprobe_handler(struct pt_regs *regs)
++static void __kprobes kprobe_handler(struct pt_regs *regs)
+ {
+       struct kprobe *p, *cur;
+       struct kprobe_ctlblk *kcb;
+diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
+index c78180172120f..e20304f1d8bc9 100644
+--- a/arch/arm/probes/kprobes/opt-arm.c
++++ b/arch/arm/probes/kprobes/opt-arm.c
+@@ -145,8 +145,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty)
+       }
+ }
+-extern void kprobe_handler(struct pt_regs *regs);
+-
+ static void
+ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
+ {
+diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c
+index c562832b86272..171c7076b89f4 100644
+--- a/arch/arm/probes/kprobes/test-core.c
++++ b/arch/arm/probes/kprobes/test-core.c
+@@ -720,7 +720,7 @@ static const char coverage_register_lookup[16] = {
+       [REG_TYPE_NOSPPCX]      = COVERAGE_ANY_REG | COVERAGE_SP,
+ };
+-unsigned coverage_start_registers(const struct decode_header *h)
++static unsigned coverage_start_registers(const struct decode_header *h)
+ {
+       unsigned regs = 0;
+       int i;
+diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h
+index 19a5b2add41e1..805116c2ec27c 100644
+--- a/arch/arm/probes/kprobes/test-core.h
++++ b/arch/arm/probes/kprobes/test-core.h
+@@ -453,3 +453,7 @@ void kprobe_thumb32_test_cases(void);
+ #else
+ void kprobe_arm_test_cases(void);
+ #endif
++
++void __kprobes_test_case_start(void);
++void __kprobes_test_case_end_16(void);
++void __kprobes_test_case_end_32(void);
+-- 
+2.39.2
+
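Review bot: coverage_start_registers() is made `static` in test-core.c, but the description lists it among the functions that are used from assembler code and only need a declaration, and no prototype for it is added to test-core.h. If an assembler reference really exists, internal linkage would break it at link time or let the compiler discard the symbol. In that case the change should instead add `unsigned coverage_start_registers(const struct decode_header *h);` to test-core.h. If every caller is in test-core.c, the description should say so. The callers are outside the visible hunks, so this needs checking against the 5.4 tree before the backport is applied.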
diff --git a/queue-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/queue-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
new file mode 100644 (file)
index 0000000..ee152c1
--- /dev/null
@@ -0,0 +1,42 @@
+From 0096c1e92ba0a406b0fd058c1a62d0e83b2acc16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 May 2023 14:28:30 +0200
+Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: RafaÅ‚ MiÅ‚ecki <rafal@milecki.pl>
+
+[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ]
+
+There is no such property in the SPI controller binding documentation.
+Also Linux driver doesn't look for it.
+
+This fixes:
+arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected)
+        From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml
+
+Signed-off-by: RafaÅ‚ MiÅ‚ecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index 05d67f9769118..bf8154aa203a7 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -511,7 +511,6 @@ spi@18029200 {
+                                 "spi_lr_session_done",
+                                 "spi_lr_overread";
+               clocks = <&iprocmed>;
+-              clock-names = "iprocmed";
+               num-cs = <2>;
+               #address-cells = <1>;
+               #size-cells = <0>;
+-- 
+2.39.2
+
diff --git a/queue-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch b/queue-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch
new file mode 100644 (file)
index 0000000..88e6a16
--- /dev/null
@@ -0,0 +1,41 @@
+From 30dbdf68579470da0220645c27b82c006145814b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 13:32:25 +0300
+Subject: ARM: dts: gta04: Move model property out of pinctrl node
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 4ffec92e70ac5097b9f67ec154065305b16a3b46 ]
+
+The model property should be at the top level, let's move it out
+of the pinctrl node.
+
+Fixes: d2eaf949d2c3 ("ARM: dts: omap3-gta04a5one: define GTA04A5 variant with OneNAND")
+Cc: Andreas Kemnade <andreas@kemnade.info>
+Cc: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap3-gta04a5one.dts | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/omap3-gta04a5one.dts b/arch/arm/boot/dts/omap3-gta04a5one.dts
+index 9db9fe67cd63b..95df45cc70c09 100644
+--- a/arch/arm/boot/dts/omap3-gta04a5one.dts
++++ b/arch/arm/boot/dts/omap3-gta04a5one.dts
+@@ -5,9 +5,11 @@
+ #include "omap3-gta04a5.dts"
+-&omap3_pmx_core {
++/ {
+       model = "Goldelico GTA04A5/Letux 2804 with OneNAND";
++};
++&omap3_pmx_core {
+       gpmc_pins: pinmux_gpmc_pins {
+               pinctrl-single,pins = <
+-- 
+2.39.2
+
diff --git a/queue-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch b/queue-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch
new file mode 100644 (file)
index 0000000..43de680
--- /dev/null
@@ -0,0 +1,48 @@
+From 685ad03a8c0da4a70dcb9d235a40f508a5ad0af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 17:30:58 +0200
+Subject: ARM: ep93xx: fix missing-prototype warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ]
+
+ep93xx_clocksource_read() is only called from the file it is declared in,
+while ep93xx_timer_init() is declared in a header that is not included here.
+
+arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init'
+arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read'
+
+Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS")
+Acked-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c
+index de998830f534f..b07956883e165 100644
+--- a/arch/arm/mach-ep93xx/timer-ep93xx.c
++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c
+@@ -9,6 +9,7 @@
+ #include <linux/io.h>
+ #include <asm/mach/time.h>
+ #include "soc.h"
++#include "platform.h"
+ /*************************************************************************
+  * Timer handling for EP93xx
+@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void)
+       return ret;
+ }
+-u64 ep93xx_clocksource_read(struct clocksource *c)
++static u64 ep93xx_clocksource_read(struct clocksource *c)
+ {
+       u64 ret;
+-- 
+2.39.2
+
diff --git a/queue-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch b/queue-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch
new file mode 100644 (file)
index 0000000..1856c04
--- /dev/null
@@ -0,0 +1,39 @@
+From d93bb436a0e37af1a78696984562d6cfb1fcd591 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Apr 2023 23:18:40 +0200
+Subject: arm64: dts: qcom: msm8916: correct camss unit address
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 48798d992ce276cf0d57bf75318daf8eabd02aa4 ]
+
+Match unit-address to reg entry to fix dtbs W=1 warnings:
+
+  Warning (simple_bus_reg): /soc@0/camss@1b00000: simple-bus unit address format error, expected "1b0ac00"
+
+Fixes: 58f479f90a7c ("arm64: dts: qcom: msm8916: Add CAMSS support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230419211856.79332-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index 301c1c467c0b7..bf40500adef73 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -1451,7 +1451,7 @@ video-encoder {
+                       };
+               };
+-              camss: camss@1b00000 {
++              camss: camss@1b0ac00 {
+                       compatible = "qcom,msm8916-camss";
+                       reg = <0x1b0ac00 0x200>,
+                               <0x1b00030 0x4>,
+-- 
+2.39.2
+
diff --git a/queue-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch b/queue-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
new file mode 100644 (file)
index 0000000..cf69bb9
--- /dev/null
@@ -0,0 +1,46 @@
+From dabb2fd0846a090677f98cc9ec06cf81fe0e6f29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 10:48:22 +0200
+Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ]
+
+The schematics are misleading, the flow control is for HSCIF1. We need
+SCIF1 for GNSS/GPS which does not use flow control.
+
+Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+index 202177706cdeb..df00acb35263d 100644
+--- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
++++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+@@ -269,7 +269,7 @@ hscif0_pins: hscif0 {
+       };
+       scif1_pins: scif1 {
+-              groups = "scif1_data_b", "scif1_ctrl";
++              groups = "scif1_data_b";
+               function = "scif1";
+       };
+@@ -329,7 +329,6 @@ rsnd_for_pcm3168a_capture: endpoint {
+ &scif1 {
+       pinctrl-0 = <&scif1_pins>;
+       pinctrl-names = "default";
+-      uart-has-rtscts;
+       status = "okay";
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch b/queue-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch
new file mode 100644 (file)
index 0000000..e08774e
--- /dev/null
@@ -0,0 +1,91 @@
+From 8dee408ced8c40a6774e8d3b300f6704cdb1f0b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 21:11:39 +0300
+Subject: ASoC: es8316: Do not set rate constraints for unsupported MCLKs
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 60413129ee2b38a80347489270af7f6e1c1de4d0 ]
+
+When using the codec through the generic audio graph card, there are at
+least two calls of es8316_set_dai_sysclk(), with the effect of limiting
+the allowed sample rates according to the MCLK/LRCK ratios supported by
+the codec:
+
+1. During audio card setup, to set the initial MCLK - see
+   asoc_simple_init_dai().
+
+2. Before opening a stream, to update MCLK, according to the stream
+   sample rate and the multiplication factor - see
+   asoc_simple_hw_params().
+
+In some cases the initial MCLK might be set to a frequency that doesn't
+match any of the supported ratios, e.g. 12287999 instead of 12288000,
+which is only 1 Hz below the supported clock, as that is what the
+hardware reports. This creates an empty list of rate constraints, which
+is further passed to snd_pcm_hw_constraint_list() via
+es8316_pcm_startup(), and causes the following error on the very first
+access of the sound card:
+
+  $ speaker-test -D hw:Analog,0 -F S16_LE -c 2 -t wav
+  Broken configuration for playback: no configurations available: Invalid argument
+  Setting of hwparams failed: Invalid argument
+
+Note that all subsequent retries succeed thanks to the updated MCLK set
+at point 2 above, which uses a computed frequency value instead of a
+reading from the hardware registers. Normally this would have mitigated
+the issue, but es8316_pcm_startup() executes before the 2nd call to
+es8316_set_dai_sysclk(), hence it cannot make use of the updated
+constraints.
+
+Since es8316_pcm_hw_params() performs anyway a final validation of MCLK
+against the stream sample rate and the supported MCLK/LRCK ratios, fix
+the issue by ensuring that sysclk_constraints list is only set when at
+least one supported sample rate is autodetected by the codec.
+
+Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20230530181140.483936-3-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/es8316.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index 9be667e76e552..131f41cccbe65 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -369,13 +369,11 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai,
+       int count = 0;
+       es8316->sysclk = freq;
++      es8316->sysclk_constraints.list = NULL;
++      es8316->sysclk_constraints.count = 0;
+-      if (freq == 0) {
+-              es8316->sysclk_constraints.list = NULL;
+-              es8316->sysclk_constraints.count = 0;
+-
++      if (freq == 0)
+               return 0;
+-      }
+       ret = clk_set_rate(es8316->mclk, freq);
+       if (ret)
+@@ -391,8 +389,10 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai,
+                       es8316->allowed_rates[count++] = freq / ratio;
+       }
+-      es8316->sysclk_constraints.list = es8316->allowed_rates;
+-      es8316->sysclk_constraints.count = count;
++      if (count) {
++              es8316->sysclk_constraints.list = es8316->allowed_rates;
++              es8316->sysclk_constraints.count = count;
++      }
+       return 0;
+ }
+-- 
+2.39.2
+
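Review bot: The new `if (count)` guard in es8316_set_dai_sysclk() leaves `sysclk_constraints.list` NULL for a non-zero MCLK that matches no supported ratio, and nothing in the code records that this is deliberate or where the rate is validated instead. A comment above the guard would make that explicit, based on the description: `/* No ratio matched: leave constraints unset; es8316_pcm_hw_params() validates MCLK against the rate. */`. Separately, `sysclk` and the constraints are now updated before `clk_set_rate()`, so on what appears to be its failure return the driver keeps the new `sysclk` with no constraints. The statement after `if (ret)` is outside the hunk, so it is worth confirming that callers treat that error as fatal.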
diff --git a/queue-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/queue-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
new file mode 100644 (file)
index 0000000..8f4e387
--- /dev/null
@@ -0,0 +1,91 @@
+From 191a40bb157ade3123cc5c5334ec2eadd0a0dd3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 21:11:38 +0300
+Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume
+ control
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ]
+
+The following error occurs when trying to restore a previously saved
+ALSA mixer state (tested on a Rock 5B board):
+
+  $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog
+  $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog
+  alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument
+
+According to ES8316 datasheet, the register at address 0x2B, which is
+related to the above mixer control, contains by default the value 0xB0.
+Considering the corresponding ALC target bits (ALCLVL) are 7:4, the
+control is initialized with 11, which is one step above the maximum
+value allowed by the driver:
+
+ ALCLVL | dB gain
+ -------+--------
+  0000  |  -16.5
+  0001  |  -15.0
+  0010  |  -13.5
+  ....  |  .....
+  0111  |   -6.0
+  1000  |   -4.5
+  1001  |   -3.0
+  1010  |   -1.5
+  ....  |  .....
+  1111  |   -1.5
+
+The tests performed using the VU meter feature (--vumeter=TYPE) of
+arecord/aplay confirm the specs are correct and there is no measured
+gain if the 1011-1111 range would have been mapped to 0 dB:
+
+ dB gain | VU meter %
+ --------+-----------
+   -6.0  |  30-31
+   -4.5  |  35-36
+   -3.0  |  42-43
+   -1.5  |  50-51
+    0.0  |  50-51
+
+Increment the max value allowed for ALC Capture Target Volume control,
+so that it matches the hardware default.  Additionally, update the
+related TLV to prevent an artificial extension of the dB gain range.
+
+Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/es8316.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index efeffa0bf2d78..9be667e76e552 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -52,7 +52,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0);
+-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0);
++
++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv,
++      0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0),
++      11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0),
++);
++
+ static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv,
+       0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0),
+       8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0),
+@@ -115,7 +120,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = {
+                      alc_max_gain_tlv),
+       SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0,
+                      alc_min_gain_tlv),
+-      SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0,
++      SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0,
+                      alc_target_tlv),
+       SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0),
+       SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0),
+-- 
+2.39.2
+
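Review bot: The new `alc_target_tlv` range gives index 11 the same -1.5 dB as index 10, and nothing in the code says why, so a later reader may take the `11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0)` entry for a typo and change it to 0 dB. A short comment above the declaration would record what the commit message establishes, for example `/* ALCLVL 1010 and above all select -1.5 dB; step 11 exists only because it is the register default */`. The same reasoning applies to the `SOC_SINGLE_TLV` maximum of 11 in the second hunk. ALCLVL values 12 to 15 remain outside the control's range, which is worth stating in the comment if the hardware can ever hold them.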
diff --git a/queue-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch b/queue-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch
new file mode 100644 (file)
index 0000000..156b845
--- /dev/null
@@ -0,0 +1,66 @@
+From c011bb31a4a41e3076ca6e2cd957d4a273572962 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 15:15:09 +0300
+Subject: ASoC: imx-audmix: check return value of devm_kasprintf()
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 2f76e1d6ca524a888d29aafe29f2ad2003857971 ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20230614121509.443926-1-claudiu.beznea@microchip.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-audmix.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sound/soc/fsl/imx-audmix.c b/sound/soc/fsl/imx-audmix.c
+index 71590ca6394b9..08c044a72250a 100644
+--- a/sound/soc/fsl/imx-audmix.c
++++ b/sound/soc/fsl/imx-audmix.c
+@@ -230,6 +230,8 @@ static int imx_audmix_probe(struct platform_device *pdev)
+               dai_name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s%s",
+                                         fe_name_pref, args.np->full_name + 1);
++              if (!dai_name)
++                      return -ENOMEM;
+               dev_info(pdev->dev.parent, "DAI FE name:%s\n", dai_name);
+@@ -238,6 +240,8 @@ static int imx_audmix_probe(struct platform_device *pdev)
+                       capture_dai_name =
+                               devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s",
+                                              dai_name, "CPU-Capture");
++                      if (!capture_dai_name)
++                              return -ENOMEM;
+               }
+               priv->dai[i].cpus = &dlc[0];
+@@ -268,6 +272,8 @@ static int imx_audmix_probe(struct platform_device *pdev)
+                                      "AUDMIX-Playback-%d", i);
+               be_cp = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+                                      "AUDMIX-Capture-%d", i);
++              if (!be_name || !be_pb || !be_cp)
++                      return -ENOMEM;
+               priv->dai[num_dai + i].cpus = &dlc[3];
+               priv->dai[num_dai + i].codecs = &dlc[4];
+@@ -295,6 +301,9 @@ static int imx_audmix_probe(struct platform_device *pdev)
+               priv->dapm_routes[i].source =
+                       devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s",
+                                      dai_name, "CPU-Playback");
++              if (!priv->dapm_routes[i].source)
++                      return -ENOMEM;
++
+               priv->dapm_routes[i].sink = be_pb;
+               priv->dapm_routes[num_dai + i].source   = be_pb;
+               priv->dapm_routes[num_dai + i].sink     = be_cp;
+-- 
+2.39.2
+
diff --git a/queue-5.4/clk-cdce925-check-return-value-of-kasprintf.patch b/queue-5.4/clk-cdce925-check-return-value-of-kasprintf.patch
new file mode 100644 (file)
index 0000000..606d4c2
--- /dev/null
@@ -0,0 +1,63 @@
+From 06e8c588011192b1a3a5de6047c5a34f5bb296de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 12:39:07 +0300
+Subject: clk: cdce925: check return value of kasprintf()
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit bb7d09ddbf361d51eae46f38e7c8a2b85914ea2a ]
+
+kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 19fbbbbcd3a3 ("Add TI CDCE925 I2C controlled clock synthesizer driver")
+Depends-on: e665f029a283 ("clk: Convert to using %pOFn instead of device_node.name")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20230530093913.1656095-3-claudiu.beznea@microchip.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-cdce925.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/clk/clk-cdce925.c b/drivers/clk/clk-cdce925.c
+index 308b353815e17..470d91d7314db 100644
+--- a/drivers/clk/clk-cdce925.c
++++ b/drivers/clk/clk-cdce925.c
+@@ -705,6 +705,10 @@ static int cdce925_probe(struct i2c_client *client,
+       for (i = 0; i < data->chip_info->num_plls; ++i) {
+               pll_clk_name[i] = kasprintf(GFP_KERNEL, "%pOFn.pll%d",
+                       client->dev.of_node, i);
++              if (!pll_clk_name[i]) {
++                      err = -ENOMEM;
++                      goto error;
++              }
+               init.name = pll_clk_name[i];
+               data->pll[i].chip = data;
+               data->pll[i].hw.init = &init;
+@@ -746,6 +750,10 @@ static int cdce925_probe(struct i2c_client *client,
+       init.num_parents = 1;
+       init.parent_names = &parent_name; /* Mux Y1 to input */
+       init.name = kasprintf(GFP_KERNEL, "%pOFn.Y1", client->dev.of_node);
++      if (!init.name) {
++              err = -ENOMEM;
++              goto error;
++      }
+       data->clk[0].chip = data;
+       data->clk[0].hw.init = &init;
+       data->clk[0].index = 0;
+@@ -764,6 +772,10 @@ static int cdce925_probe(struct i2c_client *client,
+       for (i = 1; i < data->chip_info->num_outputs; ++i) {
+               init.name = kasprintf(GFP_KERNEL, "%pOFn.Y%d",
+                       client->dev.of_node, i+1);
++              if (!init.name) {
++                      err = -ENOMEM;
++                      goto error;
++              }
+               data->clk[i].chip = data;
+               data->clk[i].hw.init = &init;
+               data->clk[i].index = i;
+-- 
+2.39.2
+
diff --git a/queue-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch b/queue-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch
new file mode 100644 (file)
index 0000000..daf2daf
--- /dev/null
@@ -0,0 +1,40 @@
+From 2656d1bd9c07cc481e64665d3ce063f6bf282881 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 12:39:11 +0300
+Subject: clk: keystone: sci-clk: check return value of kasprintf()
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit b73ed981da6d25c921aaefa7ca3df85bbd85b7fc ]
+
+kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: b745c0794e2f ("clk: keystone: Add sci-clk driver support")
+Depends-on: 96488c09b0f4 ("clk: keystone: sci-clk: cut down the clock name length")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20230530093913.1656095-7-claudiu.beznea@microchip.com
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/keystone/sci-clk.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c
+index 64ea895f1a7df..8e28e3489ded3 100644
+--- a/drivers/clk/keystone/sci-clk.c
++++ b/drivers/clk/keystone/sci-clk.c
+@@ -287,6 +287,8 @@ static int _sci_clk_build(struct sci_clk_provider *provider,
+       name = kasprintf(GFP_KERNEL, "clk:%d:%d", sci_clk->dev_id,
+                        sci_clk->clk_id);
++      if (!name)
++              return -ENOMEM;
+       init.name = name;
+-- 
+2.39.2
+
diff --git a/queue-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch b/queue-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch
new file mode 100644 (file)
index 0000000..64ed04a
--- /dev/null
@@ -0,0 +1,45 @@
+From 5ff744f390b62ba363cc4ac655dab5a6724c3e54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 09:41:24 +0000
+Subject: clk: tegra: tegra124-emc: Fix potential memory leak
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 53a06e5924c0d43c11379a08c5a78529c3e61595 ]
+
+The tegra and tegra needs to be freed in the error handling path, otherwise
+it will be leaked.
+
+Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221209094124.71043-1-yuancan@huawei.com
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-emc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/tegra/clk-emc.c b/drivers/clk/tegra/clk-emc.c
+index 0c1b83bedb73d..eb2411a4cd783 100644
+--- a/drivers/clk/tegra/clk-emc.c
++++ b/drivers/clk/tegra/clk-emc.c
+@@ -459,6 +459,7 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra,
+               err = load_one_timing_from_dt(tegra, timing, child);
+               if (err) {
+                       of_node_put(child);
++                      kfree(tegra->timings);
+                       return err;
+               }
+@@ -510,6 +511,7 @@ struct clk *tegra_clk_register_emc(void __iomem *base, struct device_node *np,
+               err = load_timings_from_dt(tegra, node, node_ram_code);
+               if (err) {
+                       of_node_put(node);
++                      kfree(tegra);
+                       return ERR_PTR(err);
+               }
+       }
+-- 
+2.39.2
+
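Review bot: In `load_timings_from_dt()` the added `kfree(tegra->timings);` leaves `tegra->timings` pointing at freed memory when the function returns the error. The caller shown in the second hunk frees `tegra` immediately, so no use after free is visible here, but that safety depends on every caller doing the same. Following the free with `tegra->timings = NULL;` keeps the structure consistent at no cost. Both function bodies start and end outside their hunks, so whether a count field also needs resetting cannot be checked from here.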
diff --git a/queue-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch b/queue-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
new file mode 100644 (file)
index 0000000..4d95ad0
--- /dev/null
@@ -0,0 +1,81 @@
+From ff8dc93e7429fcd507170d44d712a4c5804cedb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 06:56:11 +0000
+Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
+
+From: Feng Mingxi <m202271825@hust.edu.cn>
+
+[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ]
+
+Smatch reports:
+drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()
+warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516.
+
+timer_baseaddr may have the problem of not being released after use,
+I replaced it with the devm_of_iomap() function and added the clk_put()
+function to cleanup the "clk_ce" and "clk_cs".
+
+Fixes: e932900a3279 ("arm: zynq: Use standard timer binding")
+Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error")
+Signed-off-by: Feng Mingxi <m202271825@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Acked-by: Michal Simek <michal.simek@amd.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
+index df5895e934636..bd49385178d0f 100644
+--- a/drivers/clocksource/timer-cadence-ttc.c
++++ b/drivers/clocksource/timer-cadence-ttc.c
+@@ -486,10 +486,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
+        * and use it. Note that the event timer uses the interrupt and it's the
+        * 2nd TTC hence the irq_of_parse_and_map(,1)
+        */
+-      timer_baseaddr = of_iomap(timer, 0);
+-      if (!timer_baseaddr) {
++      timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL);
++      if (IS_ERR(timer_baseaddr)) {
+               pr_err("ERROR: invalid timer base address\n");
+-              return -ENXIO;
++              return PTR_ERR(timer_baseaddr);
+       }
+       irq = irq_of_parse_and_map(timer, 1);
+@@ -513,20 +513,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
+       clk_ce = of_clk_get(timer, clksel);
+       if (IS_ERR(clk_ce)) {
+               pr_err("ERROR: timer input clock not found\n");
+-              return PTR_ERR(clk_ce);
++              ret = PTR_ERR(clk_ce);
++              goto put_clk_cs;
+       }
+       ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width);
+       if (ret)
+-              return ret;
++              goto put_clk_ce;
+       ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq);
+       if (ret)
+-              return ret;
++              goto put_clk_ce;
+       pr_info("%pOFn #0 at %p, irq=%d\n", timer, timer_baseaddr, irq);
+       return 0;
++
++put_clk_ce:
++      clk_put(clk_ce);
++put_clk_cs:
++      clk_put(clk_cs);
++      return ret;
+ }
+ static const struct of_device_id ttc_timer_of_match[] = {
+-- 
+2.39.2
+
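Review bot: On the `ttc_setup_clockevent()` failure path, `goto put_clk_ce` falls through to `clk_put(clk_cs)` even though `ttc_setup_clocksource(clk_cs, ...)` has already returned success. What that helper keeps is outside the hunk, but if it registers a clocksource that continues to use `clk_cs`, the reference is dropped while the clock is still in use. Either the clockevent failure should jump to a label that releases only `clk_ce`, or the clocksource setup needs to be undone first. The new labels also leave the mapping from `irq_of_parse_and_map(timer, 1)` in place; calling `irq_dispose_mapping(irq)` on the error paths would complete the cleanup.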
diff --git a/queue-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch b/queue-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch
new file mode 100644 (file)
index 0000000..458cb8a
--- /dev/null
@@ -0,0 +1,86 @@
+From 9aafc8310ef35dfe631b0ae48e9a39bdf27caf13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 02:36:28 -0800
+Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver
+
+From: Rajan Vaja <rajan.vaja@xilinx.com>
+
+[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ]
+
+Currently TTC driver is TIMER_OF_DECLARE type driver. Because of
+that, TTC driver may be initialized before other clock drivers. If
+TTC driver is dependent on that clock driver then initialization of
+TTC driver will failed.
+
+So use TTC driver as platform driver instead of using
+TIMER_OF_DECLARE.
+
+Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
+Tested-by: Michal Simek <michal.simek@xilinx.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com
+Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
+index 160bc6597de5b..df5895e934636 100644
+--- a/drivers/clocksource/timer-cadence-ttc.c
++++ b/drivers/clocksource/timer-cadence-ttc.c
+@@ -15,6 +15,8 @@
+ #include <linux/of_irq.h>
+ #include <linux/slab.h>
+ #include <linux/sched_clock.h>
++#include <linux/module.h>
++#include <linux/of_platform.h>
+ /*
+  * This driver configures the 2 16/32-bit count-up timers as follows:
+@@ -464,13 +466,7 @@ static int __init ttc_setup_clockevent(struct clk *clk,
+       return err;
+ }
+-/**
+- * ttc_timer_init - Initialize the timer
+- *
+- * Initializes the timer hardware and register the clock source and clock event
+- * timers with Linux kernal timer framework
+- */
+-static int __init ttc_timer_init(struct device_node *timer)
++static int __init ttc_timer_probe(struct platform_device *pdev)
+ {
+       unsigned int irq;
+       void __iomem *timer_baseaddr;
+@@ -478,6 +474,7 @@ static int __init ttc_timer_init(struct device_node *timer)
+       static int initialized;
+       int clksel, ret;
+       u32 timer_width = 16;
++      struct device_node *timer = pdev->dev.of_node;
+       if (initialized)
+               return 0;
+@@ -532,4 +529,17 @@ static int __init ttc_timer_init(struct device_node *timer)
+       return 0;
+ }
+-TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init);
++static const struct of_device_id ttc_timer_of_match[] = {
++      {.compatible = "cdns,ttc"},
++      {},
++};
++
++MODULE_DEVICE_TABLE(of, ttc_timer_of_match);
++
++static struct platform_driver ttc_timer_driver = {
++      .driver = {
++              .name   = "cdns_ttc_timer",
++              .of_match_table = ttc_timer_of_match,
++      },
++};
++builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe);
+-- 
+2.39.2
+
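Review bot: `ttc_timer_probe()` is left without the kernel-doc block that `ttc_timer_init()` had, so the driver's entry point is now undocumented. I would keep a comment above it stating that it initializes the timer hardware and registers the clock source and clock event timers, and add that it now runs as a platform driver probe taking the node from `pdev->dev.of_node`. The function body continues outside the hunks, so the comment should be checked against the full function, including the `initialized` guard visible as context.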
diff --git a/queue-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch b/queue-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch
new file mode 100644 (file)
index 0000000..7ed4cca
--- /dev/null
@@ -0,0 +1,49 @@
+From 95077e34f3fe5cbe27a65bd338f45589cd7ef28c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 10:33:04 +0200
+Subject: crypto: marvell/cesa - Fix type mismatch warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit efbc7764c4446566edb76ca05e903b5905673d2e ]
+
+Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") uncovered
+a type mismatch in cesa 3des support that leads to a memcpy beyond the
+end of a structure:
+
+In function 'fortify_memcpy_chk',
+    inlined from 'mv_cesa_des3_ede_setkey' at drivers/crypto/marvell/cesa/cipher.c:307:2:
+include/linux/fortify-string.h:583:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
+  583 |                         __write_overflow_field(p_size_field, size);
+      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is probably harmless as the actual data that is copied has the correct
+type, but clearly worth fixing nonetheless.
+
+Fixes: 4ada48397823 ("crypto: marvell/cesa - add Triple-DES support")
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Gustavo A. R. Silva" <gustavoars@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/marvell/cipher.c b/drivers/crypto/marvell/cipher.c
+index 708dc63b2f099..c7d433d1cd99d 100644
+--- a/drivers/crypto/marvell/cipher.c
++++ b/drivers/crypto/marvell/cipher.c
+@@ -287,7 +287,7 @@ static int mv_cesa_des_setkey(struct crypto_skcipher *cipher, const u8 *key,
+ static int mv_cesa_des3_ede_setkey(struct crypto_skcipher *cipher,
+                                  const u8 *key, unsigned int len)
+ {
+-      struct mv_cesa_des_ctx *ctx = crypto_skcipher_ctx(cipher);
++      struct mv_cesa_des3_ctx *ctx = crypto_skcipher_ctx(cipher);
+       int err;
+       err = verify_skcipher_des3_key(cipher, key);
+-- 
+2.39.2
+
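Review bot: The one-line type fix in `mv_cesa_des3_ede_setkey()` removes the mismatch, but the hunk adds nothing that would catch the same mistake at compile time on a build without fortify checks. The memcpy named in the commit message lies outside the hunk. Assuming it copies a fixed Triple-DES key length into `ctx->key`, a `BUILD_BUG_ON(sizeof(ctx->key) != DES3_EDE_KEY_SIZE);` next to it would turn a wrong context type into a build failure rather than a write past the field. The function body continues past the end of the hunk.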
diff --git a/queue-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/queue-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
new file mode 100644 (file)
index 0000000..66b1b56
--- /dev/null
@@ -0,0 +1,88 @@
+From ab77abb378b334c4643ed68491cbad54967434c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 15:33:34 -0700
+Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ]
+
+Fix build warnings when DEBUG_FS is not enabled by using an empty
+do-while loop instead of a value:
+
+In file included from ../drivers/crypto/nx/nx.c:27:
+../drivers/crypto/nx/nx.c: In function 'nx_register_algs':
+../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value]
+  173 | #define NX_DEBUGFS_INIT(drv)    (0)
+../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT'
+  573 |         NX_DEBUGFS_INIT(&nx_driver);
+../drivers/crypto/nx/nx.c: In function 'nx_remove':
+../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value]
+  174 | #define NX_DEBUGFS_FINI(drv)    (0)
+../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI'
+  793 |                 NX_DEBUGFS_FINI(&nx_driver);
+
+Also, there is no need to build nx_debugfs.o when DEBUG_FS is not
+enabled, so change the Makefile to accommodate that.
+
+Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption")
+Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Breno Leitão <leitao@debian.org>
+Cc: Nayna Jain <nayna@linux.ibm.com>
+Cc: Paulo Flabiano Smorigo <pfsmorigo@gmail.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: linux-crypto@vger.kernel.org
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/nx/Makefile | 2 +-
+ drivers/crypto/nx/nx.h     | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile
+index 015155da59c29..76139865d7fa1 100644
+--- a/drivers/crypto/nx/Makefile
++++ b/drivers/crypto/nx/Makefile
+@@ -1,7 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o
+ nx-crypto-objs := nx.o \
+-                nx_debugfs.o \
+                 nx-aes-cbc.o \
+                 nx-aes-ecb.o \
+                 nx-aes-gcm.o \
+@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \
+                 nx-sha256.o \
+                 nx-sha512.o
++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o
+ nx-compress-objs := nx-842.o
+diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h
+index 7ecca168f8c48..5c77aba450cf8 100644
+--- a/drivers/crypto/nx/nx.h
++++ b/drivers/crypto/nx/nx.h
+@@ -169,8 +169,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int,
+ void nx_debugfs_init(struct nx_crypto_driver *);
+ void nx_debugfs_fini(struct nx_crypto_driver *);
+ #else
+-#define NX_DEBUGFS_INIT(drv)  (0)
+-#define NX_DEBUGFS_FINI(drv)  (0)
++#define NX_DEBUGFS_INIT(drv)  do {} while (0)
++#define NX_DEBUGFS_FINI(drv)  do {} while (0)
+ #endif
+ #define NX_PAGE_NUM(x)                ((u64)(x) & 0xfffffffffffff000ULL)
+-- 
+2.39.2
+
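Review bot: The replacement stubs in nx.h, `#define NX_DEBUGFS_INIT(drv) do {} while (0)` and its FINI counterpart, discard `drv` entirely. With DEBUG_FS disabled the argument is neither evaluated nor type-checked, so a wrong argument at a call site compiles cleanly in that configuration. Empty `static inline` functions taking `struct nx_crypto_driver *` in the `#else` branch would silence `-Wunused-value` equally well while keeping the check in both configurations. The `#if` branch that defines the real macros is only partly visible in the hunk, so the exact form should follow it.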
diff --git a/queue-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch b/queue-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch
new file mode 100644 (file)
index 0000000..c6238a0
--- /dev/null
@@ -0,0 +1,88 @@
+From 977d524b86005c307a4d0ed46d890c93102e12b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 12:41:10 -0700
+Subject: crypto: skcipher - remove crypto_has_ablkcipher()
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit cec0cb8a28f9060367099beeafd0dbdb76fdfae2 ]
+
+crypto_has_ablkcipher() has no users, and it does the same thing as
+crypto_has_skcipher() anyway.  So remove it.  This also removes the last
+user of crypto_skcipher_type() and crypto_skcipher_mask(), so remove
+those too.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: efbc7764c444 ("crypto: marvell/cesa - Fix type mismatch warning")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/crypto/api-skcipher.rst |  2 +-
+ include/linux/crypto.h                | 31 ---------------------------
+ 2 files changed, 1 insertion(+), 32 deletions(-)
+
+diff --git a/Documentation/crypto/api-skcipher.rst b/Documentation/crypto/api-skcipher.rst
+index 20ba08dddf2ec..55e0851f6fed9 100644
+--- a/Documentation/crypto/api-skcipher.rst
++++ b/Documentation/crypto/api-skcipher.rst
+@@ -41,7 +41,7 @@ Asynchronous Block Cipher API - Deprecated
+    :doc: Asynchronous Block Cipher API
+ .. kernel-doc:: include/linux/crypto.h
+-   :functions: crypto_free_ablkcipher crypto_has_ablkcipher crypto_ablkcipher_ivsize crypto_ablkcipher_blocksize crypto_ablkcipher_setkey crypto_ablkcipher_reqtfm crypto_ablkcipher_encrypt crypto_ablkcipher_decrypt
++   :functions: crypto_free_ablkcipher crypto_ablkcipher_ivsize crypto_ablkcipher_blocksize crypto_ablkcipher_setkey crypto_ablkcipher_reqtfm crypto_ablkcipher_encrypt crypto_ablkcipher_decrypt
+ Asynchronous Cipher Request Handle - Deprecated
+ -----------------------------------------------
+diff --git a/include/linux/crypto.h b/include/linux/crypto.h
+index 0c720a2982ae4..019ddf7596534 100644
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -903,20 +903,6 @@ static inline struct crypto_ablkcipher *__crypto_ablkcipher_cast(
+       return (struct crypto_ablkcipher *)tfm;
+ }
+-static inline u32 crypto_skcipher_type(u32 type)
+-{
+-      type &= ~CRYPTO_ALG_TYPE_MASK;
+-      type |= CRYPTO_ALG_TYPE_BLKCIPHER;
+-      return type;
+-}
+-
+-static inline u32 crypto_skcipher_mask(u32 mask)
+-{
+-      mask &= ~CRYPTO_ALG_TYPE_MASK;
+-      mask |= CRYPTO_ALG_TYPE_BLKCIPHER_MASK;
+-      return mask;
+-}
+-
+ /**
+  * DOC: Asynchronous Block Cipher API
+  *
+@@ -962,23 +948,6 @@ static inline void crypto_free_ablkcipher(struct crypto_ablkcipher *tfm)
+       crypto_free_tfm(crypto_ablkcipher_tfm(tfm));
+ }
+-/**
+- * crypto_has_ablkcipher() - Search for the availability of an ablkcipher.
+- * @alg_name: is the cra_name / name or cra_driver_name / driver name of the
+- *          ablkcipher
+- * @type: specifies the type of the cipher
+- * @mask: specifies the mask for the cipher
+- *
+- * Return: true when the ablkcipher is known to the kernel crypto API; false
+- *       otherwise
+- */
+-static inline int crypto_has_ablkcipher(const char *alg_name, u32 type,
+-                                      u32 mask)
+-{
+-      return crypto_has_alg(alg_name, crypto_skcipher_type(type),
+-                            crypto_skcipher_mask(mask));
+-}
+-
+ static inline struct ablkcipher_tfm *crypto_ablkcipher_crt(
+       struct crypto_ablkcipher *tfm)
+ {
+-- 
+2.39.2
+
diff --git a/queue-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch b/queue-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch
new file mode 100644 (file)
index 0000000..d0090e0
--- /dev/null
@@ -0,0 +1,84 @@
+From 250ed9f7489ea73ea7422f38c4e4f648af200125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2019 12:41:09 -0700
+Subject: crypto: skcipher - unify the crypto_has_skcipher*() functions
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit d3ca75a8b3d77f2788e6c119ea7c3e3a1ab1e1ca ]
+
+crypto_has_skcipher() and crypto_has_skcipher2() do the same thing: they
+check for the availability of an algorithm of type skcipher, blkcipher,
+or ablkcipher, which also meets any non-type constraints the caller
+specified.  And they have exactly the same prototype.
+
+Therefore, eliminate the redundancy by removing crypto_has_skcipher()
+and renaming crypto_has_skcipher2() to crypto_has_skcipher().
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: efbc7764c444 ("crypto: marvell/cesa - Fix type mismatch warning")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/skcipher.c         |  4 ++--
+ include/crypto/skcipher.h | 19 +------------------
+ 2 files changed, 3 insertions(+), 20 deletions(-)
+
+diff --git a/crypto/skcipher.c b/crypto/skcipher.c
+index 22753c1c72022..233678d078169 100644
+--- a/crypto/skcipher.c
++++ b/crypto/skcipher.c
+@@ -1017,12 +1017,12 @@ struct crypto_sync_skcipher *crypto_alloc_sync_skcipher(
+ }
+ EXPORT_SYMBOL_GPL(crypto_alloc_sync_skcipher);
+-int crypto_has_skcipher2(const char *alg_name, u32 type, u32 mask)
++int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask)
+ {
+       return crypto_type_has_alg(alg_name, &crypto_skcipher_type2,
+                                  type, mask);
+ }
+-EXPORT_SYMBOL_GPL(crypto_has_skcipher2);
++EXPORT_SYMBOL_GPL(crypto_has_skcipher);
+ static int skcipher_prepare_alg(struct skcipher_alg *alg)
+ {
+diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
+index 0bce6005d325d..6514e32e7c2fd 100644
+--- a/include/crypto/skcipher.h
++++ b/include/crypto/skcipher.h
+@@ -220,30 +220,13 @@ static inline void crypto_free_sync_skcipher(struct crypto_sync_skcipher *tfm)
+  * crypto_has_skcipher() - Search for the availability of an skcipher.
+  * @alg_name: is the cra_name / name or cra_driver_name / driver name of the
+  *          skcipher
+- * @type: specifies the type of the cipher
+- * @mask: specifies the mask for the cipher
+- *
+- * Return: true when the skcipher is known to the kernel crypto API; false
+- *       otherwise
+- */
+-static inline int crypto_has_skcipher(const char *alg_name, u32 type,
+-                                      u32 mask)
+-{
+-      return crypto_has_alg(alg_name, crypto_skcipher_type(type),
+-                            crypto_skcipher_mask(mask));
+-}
+-
+-/**
+- * crypto_has_skcipher2() - Search for the availability of an skcipher.
+- * @alg_name: is the cra_name / name or cra_driver_name / driver name of the
+- *          skcipher
+  * @type: specifies the type of the skcipher
+  * @mask: specifies the mask for the skcipher
+  *
+  * Return: true when the skcipher is known to the kernel crypto API; false
+  *       otherwise
+  */
+-int crypto_has_skcipher2(const char *alg_name, u32 type, u32 mask);
++int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask);
+ static inline const char *crypto_skcipher_driver_name(
+       struct crypto_skcipher *tfm)
+-- 
+2.39.2
+
diff --git a/queue-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch b/queue-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch
new file mode 100644 (file)
index 0000000..b3b7a1f
--- /dev/null
@@ -0,0 +1,58 @@
+From 328bbe520714edfe435345c4087849764a6099ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 04:23:14 -0700
+Subject: drm/amdkfd: Fix potential deallocation of previously deallocated
+ memory.
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit cabbdea1f1861098991768d7bbf5a49ed1608213 ]
+
+Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
+The function then returns non-zero value, which causes the second deallocation.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+index d3380c5bdbdea..d978fcac26651 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+@@ -101,18 +101,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
+                       &(mqd_mem_obj->gtt_mem),
+                       &(mqd_mem_obj->gpu_addr),
+                       (void *)&(mqd_mem_obj->cpu_ptr), true);
++
++              if (retval) {
++                      kfree(mqd_mem_obj);
++                      return NULL;
++              }
+       } else {
+               retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
+                               &mqd_mem_obj);
+-      }
+-
+-      if (retval) {
+-              kfree(mqd_mem_obj);
+-              return NULL;
++              if (retval)
++                      return NULL;
+       }
+       return mqd_mem_obj;
+-
+ }
+ static void init_mqd(struct mqd_manager *mm, void **mqd,
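Review bot: The two failure paths now differ, with the first branch calling `kfree(mqd_mem_obj)` and the `kfd_gtt_sa_allocate()` branch returning NULL without freeing, and nothing in the code says why. A later cleanup could easily merge them again and reintroduce the double free. According to the commit description, kfd_gtt_sa_allocate() may already have released the object when it returns non-zero, so a comment above the second check would record that: `/* kfd_gtt_sa_allocate() may have freed *mem_obj on failure; do not kfree() here */`. allocate_mqd() starts outside this hunk, so the allocation that the first branch frees is not visible here.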
+-- 
+2.39.2
+
diff --git a/queue-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/queue-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
new file mode 100644 (file)
index 0000000..9e7f787
--- /dev/null
@@ -0,0 +1,51 @@
+From d841c53b30d3cc981ac76595875a83e2edf58a71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 10:50:39 +0200
+Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ]
+
+The previous setting was related to the overall dimension and not to the
+active display area.
+In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the
+following parameters:
+
+ ----------------------------------------------------------
+|       Item        |         Specifications        | unit |
+ ----------------------------------------------------------
+| Display area      | 98.7 (W) x 57.5 (H)           |  mm  |
+ ----------------------------------------------------------
+| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D)  |  mm  |
+ ----------------------------------------------------------
+
+Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+[narmstrong: fixed Fixes commit id length]
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 312a3c4e23318..ec0085e664365 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -531,8 +531,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = {
+       .num_modes = 1,
+       .bpc = 8,
+       .size = {
+-              .width = 105,
+-              .height = 67,
++              .width = 99,
++              .height = 58,
+       },
+       .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch b/queue-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch
new file mode 100644 (file)
index 0000000..563e385
--- /dev/null
@@ -0,0 +1,94 @@
+From 7b737e2a192e5411fcf868db4dc700d9e0c467c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 08:33:27 -0700
+Subject: drm/radeon: fix possible division-by-zero errors
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ]
+
+Function rv740_get_decoded_reference_divider() may return 0 due to
+unpredictable reference divider value calculated in
+radeon_atom_get_clock_dividers(). This will lead to
+division-by-zero error once that value is used as a divider
+in calculating 'clk_s'.
+While unlikely, this issue should nonetheless be prevented so add a
+sanity check for such cases by testing 'decoded_ref' value against 0.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+v2: minor coding style fixes (Alex)
+In practice this should actually happen as the vbios should be
+properly populated.
+
+Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++--
+ drivers/gpu/drm/radeon/ni_dpm.c      | 8 ++++++--
+ drivers/gpu/drm/radeon/rv740_dpm.c   | 8 ++++++--
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
+index 32ed60f1048bd..b31d65a6752f1 100644
+--- a/drivers/gpu/drm/radeon/cypress_dpm.c
++++ b/drivers/gpu/drm/radeon/cypress_dpm.c
+@@ -559,8 +559,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev,
+                                                    ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+                       u32 reference_clock = rdev->clock.mpll.reference_freq;
+                       u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+-                      u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+-                      u32 clk_v = ss.percentage *
++                      u32 clk_s, clk_v;
++
++                      if (!decoded_ref)
++                              return -EINVAL;
++                      clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++                      clk_v = ss.percentage *
+                               (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+                       mpll_ss1 &= ~CLKV_MASK;
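Review bot: The new `if (!decoded_ref)` guard covers only one factor of the divisor: `decoded_ref * ss.rate` is still zero when `ss.rate` is zero, and the next statement divides by `clk_s * 625`, which is zero whenever the first quotient rounds down to zero. Both values appear to come from the same firmware-supplied tables as the reference divider (inferred; the code that fills `ss` is outside the hunk), so the same sanity check seems warranted: `if (!decoded_ref || !ss.rate) return -EINVAL;` and, after computing clk_s, `if (!clk_s) return -EINVAL;`. The identical pattern is in the ni_dpm.c and rv740_dpm.c hunks (rv740 divides by `clk_s * 10000`). The enclosing function begins and ends outside the hunk, so whether an early return needs any cleanup cannot be confirmed from here.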
+diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c
+index 288ec3039bc2c..cad7a73a551f7 100644
+--- a/drivers/gpu/drm/radeon/ni_dpm.c
++++ b/drivers/gpu/drm/radeon/ni_dpm.c
+@@ -2241,8 +2241,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev,
+                                                    ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+                       u32 reference_clock = rdev->clock.mpll.reference_freq;
+                       u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+-                      u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+-                      u32 clk_v = ss.percentage *
++                      u32 clk_s, clk_v;
++
++                      if (!decoded_ref)
++                              return -EINVAL;
++                      clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++                      clk_v = ss.percentage *
+                               (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+                       mpll_ss1 &= ~CLKV_MASK;
+diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c
+index 327d65a76e1f4..79b2de65e905e 100644
+--- a/drivers/gpu/drm/radeon/rv740_dpm.c
++++ b/drivers/gpu/drm/radeon/rv740_dpm.c
+@@ -250,8 +250,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev,
+                                                    ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+                       u32 reference_clock = rdev->clock.mpll.reference_freq;
+                       u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+-                      u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+-                      u32 clk_v = 0x40000 * ss.percentage *
++                      u32 clk_s, clk_v;
++
++                      if (!decoded_ref)
++                              return -EINVAL;
++                      clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++                      clk_v = 0x40000 * ss.percentage *
+                               (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000);
+                       mpll_ss1 &= ~CLKV_MASK;
+-- 
+2.39.2
+
diff --git a/queue-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch b/queue-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch
new file mode 100644 (file)
index 0000000..03ee884
--- /dev/null
@@ -0,0 +1,116 @@
+From fe30f5a271889263f88508cc30282bf7e8b0d004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Apr 2023 19:23:46 +0800
+Subject: drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks`
+
+From: XuDong Liu <m202071377@hust.edu.cn>
+
+[ Upstream commit 123ee07ba5b7123e0ce0e0f9d64938026c16a2ce ]
+
+Smatch reports:
+drivers/gpu/drm/sun4i/sun4i_tcon.c:805 sun4i_tcon_init_clocks() warn:
+'tcon->clk' from clk_prepare_enable() not released on lines: 792,801.
+
+In the function sun4i_tcon_init_clocks(), tcon->clk and tcon->sclk0 are
+not disabled in the error handling, which affects the release of
+these variable. Although sun4i_tcon_bind(), which calls
+sun4i_tcon_init_clocks(), use sun4i_tcon_free_clocks to disable the
+variables mentioned, but the error handling branch of
+sun4i_tcon_init_clocks() ignores the required disable process.
+
+To fix this issue, use the devm_clk_get_enabled to automatically
+balance enable and disabled calls. As original implementation use
+sun4i_tcon_free_clocks() to disable clk explicitly, we delete the
+related calls and error handling that are no longer needed.
+
+Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support")
+Fixes: b14e945bda8a ("drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init")
+Fixes: 8e9240472522 ("drm/sun4i: support TCONs without channel 1")
+Fixes: 34d698f6e349 ("drm/sun4i: Add has_channel_0 TCON quirk")
+Signed-off-by: XuDong Liu <m202071377@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230430112347.4689-1-m202071377@hust.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_tcon.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+index eb3b2350687fb..193c7f979bcaa 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+@@ -753,21 +753,19 @@ static irqreturn_t sun4i_tcon_handler(int irq, void *private)
+ static int sun4i_tcon_init_clocks(struct device *dev,
+                                 struct sun4i_tcon *tcon)
+ {
+-      tcon->clk = devm_clk_get(dev, "ahb");
++      tcon->clk = devm_clk_get_enabled(dev, "ahb");
+       if (IS_ERR(tcon->clk)) {
+               dev_err(dev, "Couldn't get the TCON bus clock\n");
+               return PTR_ERR(tcon->clk);
+       }
+-      clk_prepare_enable(tcon->clk);
+       if (tcon->quirks->has_channel_0) {
+-              tcon->sclk0 = devm_clk_get(dev, "tcon-ch0");
++              tcon->sclk0 = devm_clk_get_enabled(dev, "tcon-ch0");
+               if (IS_ERR(tcon->sclk0)) {
+                       dev_err(dev, "Couldn't get the TCON channel 0 clock\n");
+                       return PTR_ERR(tcon->sclk0);
+               }
+       }
+-      clk_prepare_enable(tcon->sclk0);
+       if (tcon->quirks->has_channel_1) {
+               tcon->sclk1 = devm_clk_get(dev, "tcon-ch1");
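Review bot: `devm_clk_get_enabled()` is, as far as I know, a later addition to the clk API than the 5.4 base this queue targets, so this backport builds only if the helper is queued as a prerequisite. Nothing in this patch adds it and it carries no Stable-dep-of trailer pointing to one. If the helper is not available, the leak can be closed without it by keeping `devm_clk_get()`, checking the result of `clk_prepare_enable(tcon->clk)`, and calling `clk_disable_unprepare(tcon->clk)` before `return PTR_ERR(tcon->sclk0);`. sun4i_tcon_init_clocks() continues past the end of this hunk.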
+@@ -780,12 +778,6 @@ static int sun4i_tcon_init_clocks(struct device *dev,
+       return 0;
+ }
+-static void sun4i_tcon_free_clocks(struct sun4i_tcon *tcon)
+-{
+-      clk_disable_unprepare(tcon->sclk0);
+-      clk_disable_unprepare(tcon->clk);
+-}
+-
+ static int sun4i_tcon_init_irq(struct device *dev,
+                              struct sun4i_tcon *tcon)
+ {
+@@ -1202,14 +1194,14 @@ static int sun4i_tcon_bind(struct device *dev, struct device *master,
+       ret = sun4i_tcon_init_regmap(dev, tcon);
+       if (ret) {
+               dev_err(dev, "Couldn't init our TCON regmap\n");
+-              goto err_free_clocks;
++              goto err_assert_reset;
+       }
+       if (tcon->quirks->has_channel_0) {
+               ret = sun4i_dclk_create(dev, tcon);
+               if (ret) {
+                       dev_err(dev, "Couldn't create our TCON dot clock\n");
+-                      goto err_free_clocks;
++                      goto err_assert_reset;
+               }
+       }
+@@ -1272,8 +1264,6 @@ static int sun4i_tcon_bind(struct device *dev, struct device *master,
+ err_free_dotclock:
+       if (tcon->quirks->has_channel_0)
+               sun4i_dclk_free(tcon);
+-err_free_clocks:
+-      sun4i_tcon_free_clocks(tcon);
+ err_assert_reset:
+       reset_control_assert(tcon->lcd_rst);
+       return ret;
+@@ -1287,7 +1277,6 @@ static void sun4i_tcon_unbind(struct device *dev, struct device *master,
+       list_del(&tcon->list);
+       if (tcon->quirks->has_channel_0)
+               sun4i_dclk_free(tcon);
+-      sun4i_tcon_free_clocks(tcon);
+ }
+ static const struct component_ops sun4i_tcon_ops = {
+-- 
+2.39.2
+
diff --git a/queue-5.4/evm-complete-description-of-evm_inode_setattr.patch b/queue-5.4/evm-complete-description-of-evm_inode_setattr.patch
new file mode 100644 (file)
index 0000000..e2afc6c
--- /dev/null
@@ -0,0 +1,39 @@
+From abf63e3dc62b3c5f67f4f72f67f0569585ca960b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 11:40:36 +0100
+Subject: evm: Complete description of evm_inode_setattr()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ]
+
+Add the description for missing parameters of evm_inode_setattr() to
+avoid the warning arising with W=n compile option.
+
+Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+
+Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/evm/evm_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
+index b82291d10e730..cc7e4e4439b0f 100644
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -471,7 +471,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
+ /**
+  * evm_inode_setattr - prevent updating an invalid EVM extended attribute
++ * @idmap: idmap of the mount
+  * @dentry: pointer to the affected dentry
++ * @attr: iattr structure containing the new file attributes
+  *
+  * Permit update of file attributes when files have a valid EVM signature,
+  * except in the case of them having an immutable portable signature.
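Review bot: The added `@idmap: idmap of the mount` line probably documents a parameter that evm_inode_setattr() does not have in this tree: the commit's own trailer tags the mnt_idmap port as `# v6.3+`, and this queue is for 5.4. The function signature is outside the hunk, so this needs checking against the 5.4 source. If the function takes only a dentry and an iattr there, kernel-doc will flag an excess parameter, which is the kind of warning the patch sets out to remove. In that case keep `@attr: iattr structure containing the new file attributes` and drop the `@idmap` line.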
+-- 
+2.39.2
+
diff --git a/queue-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/queue-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
new file mode 100644 (file)
index 0000000..c6493f6
--- /dev/null
@@ -0,0 +1,44 @@
+From 30fc0db36e128b7b4fb0c7bfb64a59bafe212a8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jun 2023 17:42:28 +0200
+Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in
+ mipid_spi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ]
+
+If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.
+
+Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c
+index a75ae0c9b14c7..d1cd8785d011d 100644
+--- a/drivers/video/fbdev/omap/lcd_mipid.c
++++ b/drivers/video/fbdev/omap/lcd_mipid.c
+@@ -563,11 +563,15 @@ static int mipid_spi_probe(struct spi_device *spi)
+       r = mipid_detect(md);
+       if (r < 0)
+-              return r;
++              goto free_md;
+       omapfb_register_panel(&md->panel);
+       return 0;
++
++free_md:
++      kfree(md);
++      return r;
+ }
+ static int mipid_spi_remove(struct spi_device *spi)
+-- 
+2.39.2
+
diff --git a/queue-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/queue-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
new file mode 100644 (file)
index 0000000..c50569c
--- /dev/null
@@ -0,0 +1,190 @@
+From ce75be9ebfebfabcc631106036991740eb2b4f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jun 2023 14:32:31 -0700
+Subject: gtp: Fix use-after-free in __gtp_encap_destroy().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ]
+
+syzkaller reported use-after-free in __gtp_encap_destroy(). [0]
+
+It shows the same process freed sk and touched it illegally.
+
+Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock()
+and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,
+but release_sock() is called after sock_put() releases the last refcnt.
+
+[0]:
+BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
+BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
+BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
+BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
+Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401
+
+CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:351 [inline]
+ print_report+0xcc/0x620 mm/kasan/report.c:462
+ kasan_report+0xb2/0xe0 mm/kasan/report.c:572
+ check_region_inline mm/kasan/generic.c:181 [inline]
+ kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
+ instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+ atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
+ queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
+ do_raw_spin_lock include/linux/spinlock.h:186 [inline]
+ __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
+ _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
+ spin_lock_bh include/linux/spinlock.h:355 [inline]
+ release_sock+0x1f/0x1a0 net/core/sock.c:3526
+ gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
+ gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
+ gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
+ unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
+ rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
+ rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
+ rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
+ netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0x1b7/0x200 net/socket.c:747
+ ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
+ ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
+ __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7f1168b1fe5d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
+RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d
+RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 1483:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:186 [inline]
+ slab_post_alloc_hook mm/slab.h:711 [inline]
+ slab_alloc_node mm/slub.c:3451 [inline]
+ slab_alloc mm/slub.c:3459 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3466 [inline]
+ kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475
+ sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073
+ sk_alloc+0x34/0x6c0 net/core/sock.c:2132
+ inet6_create net/ipv6/af_inet6.c:192 [inline]
+ inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119
+ __sock_create+0x2a1/0x530 net/socket.c:1535
+ sock_create net/socket.c:1586 [inline]
+ __sys_socket_create net/socket.c:1623 [inline]
+ __sys_socket_create net/socket.c:1608 [inline]
+ __sys_socket+0x137/0x250 net/socket.c:1651
+ __do_sys_socket net/socket.c:1664 [inline]
+ __se_sys_socket net/socket.c:1662 [inline]
+ __x64_sys_socket+0x72/0xb0 net/socket.c:1662
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Freed by task 2401:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free mm/kasan/common.c:200 [inline]
+ __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:162 [inline]
+ slab_free_hook mm/slub.c:1781 [inline]
+ slab_free_freelist_hook mm/slub.c:1807 [inline]
+ slab_free mm/slub.c:3786 [inline]
+ kmem_cache_free+0xb4/0x490 mm/slub.c:3808
+ sk_prot_free net/core/sock.c:2113 [inline]
+ __sk_destruct+0x500/0x720 net/core/sock.c:2207
+ sk_destruct+0xc1/0xe0 net/core/sock.c:2222
+ __sk_free+0xed/0x3d0 net/core/sock.c:2233
+ sk_free+0x7c/0xa0 net/core/sock.c:2244
+ sock_put include/net/sock.h:1981 [inline]
+ __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634
+ gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
+ gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
+ gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
+ unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
+ rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
+ rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
+ rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
+ netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0x1b7/0x200 net/socket.c:747
+ ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
+ ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
+ __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+The buggy address belongs to the object at ffff88800dbef300
+ which belongs to the cache UDPv6 of size 1344
+The buggy address is located 152 bytes inside of
+ freed 1344-byte region [ffff88800dbef300, ffff88800dbef840)
+
+The buggy address belongs to the physical page:
+page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8
+head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+memcg:ffff888008ee0801
+flags: 0x100000000010200(slab|head|node=0|zone=1)
+page_type: 0xffffffff()
+raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000
+raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88800dbef280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                            ^
+ ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index d0653babab923..0409afe9a53d6 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -297,7 +297,9 @@ static void __gtp_encap_destroy(struct sock *sk)
+                       gtp->sk1u = NULL;
+               udp_sk(sk)->encap_type = 0;
+               rcu_assign_sk_user_data(sk, NULL);
++              release_sock(sk);
+               sock_put(sk);
++              return;
+       }
+       release_sock(sk);
+ }
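Review bot: Calling `release_sock(sk)` before `sock_put(sk)` is the whole fix, but the code carries no comment saying so, and the early `return` leaves two `release_sock()` calls that invite being merged back together. A one-line comment above the pair would keep the constraint visible: `/* sock_put() may drop the last reference and free sk, so unlock first */`. __gtp_encap_destroy() starts outside the hunk, so the matching lock_sock() is not visible here.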
+-- 
+2.39.2
+
diff --git a/queue-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch b/queue-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch
new file mode 100644 (file)
index 0000000..7b104bb
--- /dev/null
@@ -0,0 +1,43 @@
+From dde4ce22ee66b30e82dc447eb0223bd7ea5448a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 18:04:02 +1000
+Subject: hwrng: st - Fix W=1 unused variable warning
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit ad23756271d5744a0a0ba556f8aaa70e358d5aa6 ]
+
+This patch fixes an unused variable warning when this driver is
+built-in with CONFIG_OF=n.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: 501e197a02d4 ("hwrng: st - keep clock enabled while hwrng is registered")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/st-rng.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/st-rng.c b/drivers/char/hw_random/st-rng.c
+index 863448360a7da..50975e761ca58 100644
+--- a/drivers/char/hw_random/st-rng.c
++++ b/drivers/char/hw_random/st-rng.c
+@@ -12,6 +12,7 @@
+ #include <linux/delay.h>
+ #include <linux/hw_random.h>
+ #include <linux/io.h>
++#include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/platform_device.h>
+@@ -123,7 +124,7 @@ static int st_rng_remove(struct platform_device *pdev)
+       return 0;
+ }
+-static const struct of_device_id st_rng_match[] = {
++static const struct of_device_id st_rng_match[] __maybe_unused = {
+       { .compatible = "st,rng" },
+       {},
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch b/queue-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
new file mode 100644 (file)
index 0000000..0b4a2e9
--- /dev/null
@@ -0,0 +1,96 @@
+From 715ccdf18c8c88329a35fdd3c69c07b7e74ada91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 09:58:13 +0100
+Subject: hwrng: st - keep clock enabled while hwrng is registered
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit 501e197a02d4aef157f53ba3a0b9049c3e52fedc ]
+
+The st-rng driver uses devres to register itself with the hwrng core,
+the driver will be unregistered from hwrng when its device goes out of
+scope. This happens after the driver's remove function is called.
+
+However, st-rng's clock is disabled in the remove function. There's a
+short timeframe where st-rng is still registered with the hwrng core
+although its clock is disabled. I suppose the clock must be active to
+access the hardware and serve requests from the hwrng core.
+
+Switch to devm_clk_get_enabled and let devres disable the clock and
+unregister the hwrng. This avoids the race condition.
+
+Fixes: 3e75241be808 ("hwrng: drivers - Use device-managed registration API")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/st-rng.c | 21 +--------------------
+ 1 file changed, 1 insertion(+), 20 deletions(-)
+
+diff --git a/drivers/char/hw_random/st-rng.c b/drivers/char/hw_random/st-rng.c
+index 50975e761ca58..f708a99619ecb 100644
+--- a/drivers/char/hw_random/st-rng.c
++++ b/drivers/char/hw_random/st-rng.c
+@@ -42,7 +42,6 @@
+ struct st_rng_data {
+       void __iomem    *base;
+-      struct clk      *clk;
+       struct hwrng    ops;
+ };
+@@ -87,26 +86,18 @@ static int st_rng_probe(struct platform_device *pdev)
+       if (IS_ERR(base))
+               return PTR_ERR(base);
+-      clk = devm_clk_get(&pdev->dev, NULL);
++      clk = devm_clk_get_enabled(&pdev->dev, NULL);
+       if (IS_ERR(clk))
+               return PTR_ERR(clk);
+-      ret = clk_prepare_enable(clk);
+-      if (ret)
+-              return ret;
+-
+       ddata->ops.priv = (unsigned long)ddata;
+       ddata->ops.read = st_rng_read;
+       ddata->ops.name = pdev->name;
+       ddata->base     = base;
+-      ddata->clk      = clk;
+-
+-      dev_set_drvdata(&pdev->dev, ddata);
+       ret = devm_hwrng_register(&pdev->dev, &ddata->ops);
+       if (ret) {
+               dev_err(&pdev->dev, "Failed to register HW RNG\n");
+-              clk_disable_unprepare(clk);
+               return ret;
+       }
+@@ -115,15 +106,6 @@ static int st_rng_probe(struct platform_device *pdev)
+       return 0;
+ }
+-static int st_rng_remove(struct platform_device *pdev)
+-{
+-      struct st_rng_data *ddata = dev_get_drvdata(&pdev->dev);
+-
+-      clk_disable_unprepare(ddata->clk);
+-
+-      return 0;
+-}
+-
+ static const struct of_device_id st_rng_match[] __maybe_unused = {
+       { .compatible = "st,rng" },
+       {},
+@@ -136,7 +118,6 @@ static struct platform_driver st_rng_driver = {
+               .of_match_table = of_match_ptr(st_rng_match),
+       },
+       .probe = st_rng_probe,
+-      .remove = st_rng_remove
+ };
+ module_platform_driver(st_rng_driver);
+-- 
+2.39.2
+
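Review bot: The teardown ordering this fix depends on is implicit and deserves a comment at the `devm_clk_get_enabled()` call in `st_rng_probe`. Devres releases in reverse order of registration, so the hwrng is unregistered before the clock is disabled only because the clock is acquired first. A comment such as `/* acquired before devm_hwrng_register() so devres disables the clock only after the hwrng is gone */` would keep a later reordering from reopening the window. For the 5.4 backport it is also worth confirming that `devm_clk_get_enabled()` exists in that tree, since nothing on this page shows it. `st_rng_probe` starts and ends outside the hunk.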
diff --git a/queue-5.4/hwrng-virtio-add-an-internal-buffer.patch b/queue-5.4/hwrng-virtio-add-an-internal-buffer.patch
new file mode 100644 (file)
index 0000000..769f16d
--- /dev/null
@@ -0,0 +1,127 @@
+From 6a5b285b4e99eacbafc877c8cb9e45f6babcc378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:08 +0200
+Subject: hwrng: virtio - add an internal buffer
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ]
+
+hwrng core uses two buffers that can be mixed in the
+virtio-rng queue.
+
+If the buffer is provided with wait=0 it is enqueued in the
+virtio-rng queue but unused by the caller.
+On the next call, core provides another buffer but the
+first one is filled instead and the new one queued.
+And the caller reads the data from the new one that is not
+updated, and the data in the first one are lost.
+
+To avoid this mix, virtio-rng needs to use its own unique
+internal buffer at a cost of a data copy to the caller buffer.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++-------
+ 1 file changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index 718d8c0876506..23149e94d621f 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -17,13 +17,20 @@ static DEFINE_IDA(rng_index_ida);
+ struct virtrng_info {
+       struct hwrng hwrng;
+       struct virtqueue *vq;
+-      struct completion have_data;
+       char name[25];
+-      unsigned int data_avail;
+       int index;
+       bool busy;
+       bool hwrng_register_done;
+       bool hwrng_removed;
++      /* data transfer */
++      struct completion have_data;
++      unsigned int data_avail;
++      /* minimal size returned by rng_buffer_size() */
++#if SMP_CACHE_BYTES < 32
++      u8 data[32];
++#else
++      u8 data[SMP_CACHE_BYTES];
++#endif
+ };
+ static void random_recv_done(struct virtqueue *vq)
+@@ -38,14 +45,14 @@ static void random_recv_done(struct virtqueue *vq)
+ }
+ /* The host will fill any buffer we give it with sweet, sweet randomness. */
+-static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size)
++static void register_buffer(struct virtrng_info *vi)
+ {
+       struct scatterlist sg;
+-      sg_init_one(&sg, buf, size);
++      sg_init_one(&sg, vi->data, sizeof(vi->data));
+       /* There should always be room for one buffer. */
+-      virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL);
++      virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL);
+       virtqueue_kick(vi->vq);
+ }
+@@ -54,6 +61,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ {
+       int ret;
+       struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
++      unsigned int chunk;
++      size_t read;
+       if (vi->hwrng_removed)
+               return -ENODEV;
+@@ -61,19 +70,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+       if (!vi->busy) {
+               vi->busy = true;
+               reinit_completion(&vi->have_data);
+-              register_buffer(vi, buf, size);
++              register_buffer(vi);
+       }
+       if (!wait)
+               return 0;
+-      ret = wait_for_completion_killable(&vi->have_data);
+-      if (ret < 0)
+-              return ret;
++      read = 0;
++      while (size != 0) {
++              ret = wait_for_completion_killable(&vi->have_data);
++              if (ret < 0)
++                      return ret;
++
++              chunk = min_t(unsigned int, size, vi->data_avail);
++              memcpy(buf + read, vi->data, chunk);
++              read += chunk;
++              size -= chunk;
++              vi->data_avail = 0;
++
++              if (size != 0) {
++                      reinit_completion(&vi->have_data);
++                      register_buffer(vi);
++              }
++      }
+       vi->busy = false;
+-      return vi->data_avail;
++      return read;
+ }
+ static void virtio_cleanup(struct hwrng *rng)
+-- 
+2.39.2
+
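Review bot: `register_buffer()` still discards the return value of `virtqueue_add_inbuf()`, and with the new loop in `virtio_read` a failed add leaves the reader blocked in `wait_for_completion_killable()` on a buffer that was never queued. The existing comment says there should always be room for one buffer, so making a violation visible costs little: `WARN_ON_ONCE(virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL) < 0);`. Whether the add can fail for other reasons (for example allocation failure) is not visible from this hunk. If it can, the error would need to be propagated to `virtio_read` instead.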
diff --git a/queue-5.4/hwrng-virtio-always-add-a-pending-request.patch b/queue-5.4/hwrng-virtio-always-add-a-pending-request.patch
new file mode 100644 (file)
index 0000000..1d85375
--- /dev/null
@@ -0,0 +1,111 @@
+From 2cb8a0e665647074371a4a03a06c9dc5753ccdca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:11 +0200
+Subject: hwrng: virtio - always add a pending request
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ]
+
+If we ensure we have already some data available by enqueuing
+again the buffer once data are exhausted, we can return what we
+have without waiting for the device answer.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index 207a5f3b335c0..f98e3ee5f8b03 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -19,7 +19,6 @@ struct virtrng_info {
+       struct virtqueue *vq;
+       char name[25];
+       int index;
+-      bool busy;
+       bool hwrng_register_done;
+       bool hwrng_removed;
+       /* data transfer */
+@@ -43,16 +42,18 @@ static void random_recv_done(struct virtqueue *vq)
+               return;
+       vi->data_idx = 0;
+-      vi->busy = false;
+       complete(&vi->have_data);
+ }
+-/* The host will fill any buffer we give it with sweet, sweet randomness. */
+-static void register_buffer(struct virtrng_info *vi)
++static void request_entropy(struct virtrng_info *vi)
+ {
+       struct scatterlist sg;
++      reinit_completion(&vi->have_data);
++      vi->data_avail = 0;
++      vi->data_idx = 0;
++
+       sg_init_one(&sg, vi->data, sizeof(vi->data));
+       /* There should always be room for one buffer. */
+@@ -68,6 +69,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf,
+       memcpy(buf, vi->data + vi->data_idx, size);
+       vi->data_idx += size;
+       vi->data_avail -= size;
++      if (vi->data_avail == 0)
++              request_entropy(vi);
+       return size;
+ }
+@@ -97,13 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+        * so either size is 0 or data_avail is 0
+        */
+       while (size != 0) {
+-              /* data_avail is 0 */
+-              if (!vi->busy) {
+-                      /* no pending request, ask for more */
+-                      vi->busy = true;
+-                      reinit_completion(&vi->have_data);
+-                      register_buffer(vi);
+-              }
++              /* data_avail is 0 but a request is pending */
+               ret = wait_for_completion_killable(&vi->have_data);
+               if (ret < 0)
+                       return ret;
+@@ -125,8 +122,7 @@ static void virtio_cleanup(struct hwrng *rng)
+ {
+       struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
+-      if (vi->busy)
+-              complete(&vi->have_data);
++      complete(&vi->have_data);
+ }
+ static int probe_common(struct virtio_device *vdev)
+@@ -162,6 +158,9 @@ static int probe_common(struct virtio_device *vdev)
+               goto err_find;
+       }
++      /* we always have a pending entropy request */
++      request_entropy(vi);
++
+       return 0;
+ err_find:
+@@ -180,7 +179,6 @@ static void remove_common(struct virtio_device *vdev)
+       vi->data_idx = 0;
+       complete(&vi->have_data);
+       vdev->config->reset(vdev);
+-      vi->busy = false;
+       if (vi->hwrng_register_done)
+               hwrng_unregister(&vi->hwrng);
+       vdev->config->del_vqs(vdev);
+-- 
+2.39.2
+
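Review bot: `request_entropy(vi)` at the end of `probe_common` adds a buffer and kicks the queue from inside probe, and the hunk shows no `virtio_device_ready()` call before it. If none precedes it outside the visible lines, the request is issued before the device has been told the driver is ready. Calling `virtio_device_ready(vdev);` immediately before `request_entropy(vi);` would make the ordering explicit. `probe_common` starts outside the hunk, so this needs checking against the full function.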
diff --git a/queue-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch b/queue-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch
new file mode 100644 (file)
index 0000000..6f32d78
--- /dev/null
@@ -0,0 +1,58 @@
+From a406077dac0b95e2a23e07bd5b7c2612d68b3bb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:09 +0200
+Subject: hwrng: virtio - don't wait on cleanup
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ]
+
+When virtio-rng device was dropped by the hwrng core we were forced
+to wait the buffer to come back from the device to not have
+remaining ongoing operation that could spoil the buffer.
+
+But now, as the buffer is internal to the virtio-rng we can release
+the waiting loop immediately, the buffer will be retrieve and use
+when the virtio-rng driver will be selected again.
+
+This avoids to hang on an rng_current write command if the virtio-rng
+device is blocked by a lack of entropy. This allows to select
+another entropy source if the current one is empty.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index 23149e94d621f..c8f5a3392e48c 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -81,6 +81,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+               ret = wait_for_completion_killable(&vi->have_data);
+               if (ret < 0)
+                       return ret;
++              /* if vi->data_avail is 0, we have been interrupted
++               * by a cleanup, but buffer stays in the queue
++               */
++              if (vi->data_avail == 0)
++                      return read;
+               chunk = min_t(unsigned int, size, vi->data_avail);
+               memcpy(buf + read, vi->data, chunk);
+@@ -104,7 +109,7 @@ static void virtio_cleanup(struct hwrng *rng)
+       struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
+       if (vi->busy)
+-              wait_for_completion(&vi->have_data);
++              complete(&vi->have_data);
+ }
+ static int probe_common(struct virtio_device *vdev)
+-- 
+2.39.2
+
diff --git a/queue-5.4/hwrng-virtio-don-t-waste-entropy.patch b/queue-5.4/hwrng-virtio-don-t-waste-entropy.patch
new file mode 100644 (file)
index 0000000..8217a5d
--- /dev/null
@@ -0,0 +1,130 @@
+From b24fa80fc841193dfa55417d1aad4e5737135b38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:10 +0200
+Subject: hwrng: virtio - don't waste entropy
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ]
+
+if we don't use all the entropy available in the buffer, keep it
+and use it later.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++----------
+ 1 file changed, 35 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index c8f5a3392e48c..207a5f3b335c0 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -25,6 +25,7 @@ struct virtrng_info {
+       /* data transfer */
+       struct completion have_data;
+       unsigned int data_avail;
++      unsigned int data_idx;
+       /* minimal size returned by rng_buffer_size() */
+ #if SMP_CACHE_BYTES < 32
+       u8 data[32];
+@@ -41,6 +42,9 @@ static void random_recv_done(struct virtqueue *vq)
+       if (!virtqueue_get_buf(vi->vq, &vi->data_avail))
+               return;
++      vi->data_idx = 0;
++      vi->busy = false;
++
+       complete(&vi->have_data);
+ }
+@@ -57,6 +61,16 @@ static void register_buffer(struct virtrng_info *vi)
+       virtqueue_kick(vi->vq);
+ }
++static unsigned int copy_data(struct virtrng_info *vi, void *buf,
++                            unsigned int size)
++{
++      size = min_t(unsigned int, size, vi->data_avail);
++      memcpy(buf, vi->data + vi->data_idx, size);
++      vi->data_idx += size;
++      vi->data_avail -= size;
++      return size;
++}
++
+ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ {
+       int ret;
+@@ -67,17 +81,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+       if (vi->hwrng_removed)
+               return -ENODEV;
+-      if (!vi->busy) {
+-              vi->busy = true;
+-              reinit_completion(&vi->have_data);
+-              register_buffer(vi);
++      read = 0;
++
++      /* copy available data */
++      if (vi->data_avail) {
++              chunk = copy_data(vi, buf, size);
++              size -= chunk;
++              read += chunk;
+       }
+       if (!wait)
+-              return 0;
++              return read;
+-      read = 0;
++      /* We have already copied available entropy,
++       * so either size is 0 or data_avail is 0
++       */
+       while (size != 0) {
++              /* data_avail is 0 */
++              if (!vi->busy) {
++                      /* no pending request, ask for more */
++                      vi->busy = true;
++                      reinit_completion(&vi->have_data);
++                      register_buffer(vi);
++              }
+               ret = wait_for_completion_killable(&vi->have_data);
+               if (ret < 0)
+                       return ret;
+@@ -87,20 +113,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+               if (vi->data_avail == 0)
+                       return read;
+-              chunk = min_t(unsigned int, size, vi->data_avail);
+-              memcpy(buf + read, vi->data, chunk);
+-              read += chunk;
++              chunk = copy_data(vi, buf + read, size);
+               size -= chunk;
+-              vi->data_avail = 0;
+-
+-              if (size != 0) {
+-                      reinit_completion(&vi->have_data);
+-                      register_buffer(vi);
+-              }
++              read += chunk;
+       }
+-      vi->busy = false;
+-
+       return read;
+ }
+@@ -160,6 +177,7 @@ static void remove_common(struct virtio_device *vdev)
+       vi->hwrng_removed = true;
+       vi->data_avail = 0;
++      vi->data_idx = 0;
+       complete(&vi->have_data);
+       vdev->config->reset(vdev);
+       vi->busy = false;
+-- 
+2.39.2
+
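Review bot: `copy_data()` takes `unsigned int size`, while both call sites in `virtio_read` pass the `size_t size` they received, so the length is silently narrowed before the `min_t()` clamp. The hwrng core presumably passes small sizes, but declaring the parameter as `size_t size` and clamping with `size = min_t(size_t, size, vi->data_avail);` removes the dependency on that. A one-line comment above `copy_data()` saying that it returns the number of bytes copied and advances `data_idx` would also help, since the loop in `virtio_read` relies on both.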
diff --git a/queue-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch b/queue-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch
new file mode 100644 (file)
index 0000000..a6ec53c
--- /dev/null
@@ -0,0 +1,86 @@
+From 8a4a549b7f39f7e6fa22594774a47da073037e9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 11:59:32 +0800
+Subject: hwrng: virtio - Fix race on data_avail and actual data
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ]
+
+The virtio rng device kicks off a new entropy request whenever the
+data available reaches zero.  When a new request occurs at the end
+of a read operation, that is, when the result of that request is
+only needed by the next reader, then there is a race between the
+writing of the new data and the next reader.
+
+This is because there is no synchronisation whatsoever between the
+writer and the reader.
+
+Fix this by writing data_avail with smp_store_release and reading
+it with smp_load_acquire when we first enter read.  The subsequent
+reads are safe because they're either protected by the first load
+acquire, or by the completion mechanism.
+
+Also remove the redundant zeroing of data_idx in random_recv_done
+(data_idx must already be zero at this point) and data_avail in
+request_entropy (ditto).
+
+Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com
+Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index f98e3ee5f8b03..145d7b1055c07 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -4,6 +4,7 @@
+  *  Copyright (C) 2007, 2008 Rusty Russell IBM Corporation
+  */
++#include <asm/barrier.h>
+ #include <linux/err.h>
+ #include <linux/hw_random.h>
+ #include <linux/scatterlist.h>
+@@ -36,13 +37,13 @@ struct virtrng_info {
+ static void random_recv_done(struct virtqueue *vq)
+ {
+       struct virtrng_info *vi = vq->vdev->priv;
++      unsigned int len;
+       /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */
+-      if (!virtqueue_get_buf(vi->vq, &vi->data_avail))
++      if (!virtqueue_get_buf(vi->vq, &len))
+               return;
+-      vi->data_idx = 0;
+-
++      smp_store_release(&vi->data_avail, len);
+       complete(&vi->have_data);
+ }
+@@ -51,7 +52,6 @@ static void request_entropy(struct virtrng_info *vi)
+       struct scatterlist sg;
+       reinit_completion(&vi->have_data);
+-      vi->data_avail = 0;
+       vi->data_idx = 0;
+       sg_init_one(&sg, vi->data, sizeof(vi->data));
+@@ -87,7 +87,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+       read = 0;
+       /* copy available data */
+-      if (vi->data_avail) {
++      if (smp_load_acquire(&vi->data_avail)) {
+               chunk = copy_data(vi, buf, size);
+               size -= chunk;
+               read += chunk;
+-- 
+2.39.2
+
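Review bot: The `len` stored into `vi->data_avail` in `random_recv_done` is the used length reported by the device, and it is never compared with the size of `vi->data`. `copy_data()`, added earlier in this series, bounds its `memcpy()` only by `data_avail` and the caller's size, so an over-reported length would make it read past the internal buffer. Clamping at the store keeps the bound next to its source: `smp_store_release(&vi->data_avail, min_t(unsigned int, len, sizeof(vi->data)));`. Whether the virtio core already bounds the used length in this tree is not visible here, so treat this as hardening rather than a confirmed defect.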
diff --git a/queue-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch b/queue-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
new file mode 100644 (file)
index 0000000..0bd9902
--- /dev/null
@@ -0,0 +1,110 @@
+From 2dee9c4c3ff7ec007303988264b1cf40a7a30180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 11:56:28 -0500
+Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
+
+From: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
+
+[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ]
+
+Fix three sources of error involving struct sdma_txreq.num_descs.
+
+When _extend_sdma_tx_descs() extends the descriptor array, it uses the
+value of tx->num_descs to determine how many existing entries from the
+tx's original, internal descriptor array to copy to the newly allocated
+one.  As this value was incremented before the call, the copy loop will
+access one entry past the internal descriptor array, copying its contents
+into the corresponding slot in the new array.
+
+If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then
+invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a
+loop that unmaps all descriptor entries in use.  As this value was
+incremented before the call, the unmap loop will invoke sdma_unmap_desc()
+on a descriptor entry whose contents consist of whatever random data was
+copied into it during (1), leading to cascading further calls into the
+kernel and driver using arbitrary data.
+
+_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1.
+
+Fix all of the above by:
+- Only increment .num_descs after .descp is extended.
+- Use .num_descs - 1 instead of .num_descs for last .descp entry.
+
+Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors")
+Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Brendan Cunningham <bcunningham@cornelisnetworks.com>
+Signed-off-by: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/sdma.c |  4 ++--
+ drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++--------
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
+index 2a684fc6056e1..057c9ffcd02e1 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -3203,8 +3203,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
+ {
+       int rval = 0;
+-      tx->num_desc++;
+-      if ((unlikely(tx->num_desc == tx->desc_limit))) {
++      if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) {
+               rval = _extend_sdma_tx_descs(dd, tx);
+               if (rval) {
+                       __sdma_txclean(dd, tx);
+@@ -3217,6 +3216,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
+               SDMA_MAP_NONE,
+               dd->sdma_pad_phys,
+               sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1)));
++      tx->num_desc++;
+       _sdma_close_tx(dd, tx);
+       return rval;
+ }
+diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h
+index 1e2e40f79cb20..6ac00755848db 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.h
++++ b/drivers/infiniband/hw/hfi1/sdma.h
+@@ -672,14 +672,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx)
+ static inline void _sdma_close_tx(struct hfi1_devdata *dd,
+                                 struct sdma_txreq *tx)
+ {
+-      tx->descp[tx->num_desc].qw[0] |=
+-              SDMA_DESC0_LAST_DESC_FLAG;
+-      tx->descp[tx->num_desc].qw[1] |=
+-              dd->default_desc1;
++      u16 last_desc = tx->num_desc - 1;
++
++      tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG;
++      tx->descp[last_desc].qw[1] |= dd->default_desc1;
+       if (tx->flags & SDMA_TXREQ_F_URGENT)
+-              tx->descp[tx->num_desc].qw[1] |=
+-                      (SDMA_DESC1_HEAD_TO_HOST_FLAG |
+-                       SDMA_DESC1_INT_REQ_FLAG);
++              tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG |
++                                             SDMA_DESC1_INT_REQ_FLAG);
+ }
+ static inline int _sdma_txadd_daddr(
+@@ -696,6 +695,7 @@ static inline int _sdma_txadd_daddr(
+               type,
+               addr, len);
+       WARN_ON(len > tx->tlen);
++      tx->num_desc++;
+       tx->tlen -= len;
+       /* special cases for last */
+       if (!tx->tlen) {
+@@ -707,7 +707,6 @@ static inline int _sdma_txadd_daddr(
+                       _sdma_close_tx(dd, tx);
+               }
+       }
+-      tx->num_desc++;
+       return rval;
+ }
+-- 
+2.39.2
+
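Review bot: `_sdma_close_tx()` in sdma.h now computes `u16 last_desc = tx->num_desc - 1;`, which wraps to the highest index if the function is ever reached with `num_desc == 0`, and nothing in the function states that precondition. Both callers visible in this patch, `_pad_sdma_tx_descs` and `_sdma_txadd_daddr`, increment `num_desc` before calling it, so the code is correct as shown. A comment above the function such as `/* caller must already have counted the descriptor being closed in tx->num_desc */` would record the invariant this fix introduces, so a future caller does not index outside `descp`.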
diff --git a/queue-5.4/ima-fix-build-warnings.patch b/queue-5.4/ima-fix-build-warnings.patch
new file mode 100644 (file)
index 0000000..ef4b0a0
--- /dev/null
@@ -0,0 +1,61 @@
+From a51450c0b2a17fd29dcb2b4169473a99934099d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jun 2023 09:41:13 +0200
+Subject: ima: Fix build warnings
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 95526d13038c2bbddd567a4d8e39fac42484e182 ]
+
+Fix build warnings (function parameters description) for
+ima_collect_modsig(), ima_match_policy() and ima_parse_add_rule().
+
+Fixes: 15588227e086 ("ima: Collect modsig") # v5.4+
+Fixes: 2fe5d6def167 ("ima: integrity appraisal extension") # v5.14+
+Fixes: 4af4662fa4a9 ("integrity: IMA policy") # v3.2+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_modsig.c | 3 +++
+ security/integrity/ima/ima_policy.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
+index d106885cc4955..5fb971efc6e10 100644
+--- a/security/integrity/ima/ima_modsig.c
++++ b/security/integrity/ima/ima_modsig.c
+@@ -109,6 +109,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
+ /**
+  * ima_collect_modsig - Calculate the file hash without the appended signature.
++ * @modsig: parsed module signature
++ * @buf: data to verify the signature on
++ * @size: data size
+  *
+  * Since the modsig is part of the file contents, the hash used in its signature
+  * isn't the same one ordinarily calculated by IMA. Therefore PKCS7 code
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 6df0436462ab7..e749403f07a8b 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -500,6 +500,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
+  * @secid: LSM secid of the task to be validated
+  * @func: IMA hook identifier
+  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
++ * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE)
+  * @pcr: set the pcr to extend
+  * @template_desc: the template that should be used for this rule
+  *
+@@ -1266,7 +1267,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ /**
+  * ima_parse_add_rule - add a rule to ima_policy_rules
+- * @rule - ima measurement policy rule
++ * @rule: ima measurement policy rule
+  *
+  * Avoid locking by allowing just one writer at a time in ima_write_policy()
+  * Returns the length of the rule parsed, an error code on failure
+-- 
+2.39.2
+
diff --git a/queue-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/queue-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
new file mode 100644 (file)
index 0000000..f6f3ffb
--- /dev/null
@@ -0,0 +1,39 @@
+From 9c456640af3511035ce8c2a97570abdec1de36c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 17:27:55 -0700
+Subject: Input: adxl34x - do not hardcode interrupt trigger type
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ]
+
+Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's
+respect the settings specified in the firmware description.
+
+Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/adxl34x.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
+index 4cc4e8ff42b33..ad035c342cd3b 100644
+--- a/drivers/input/misc/adxl34x.c
++++ b/drivers/input/misc/adxl34x.c
+@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
+       AC_WRITE(ac, POWER_CTL, 0);
+       err = request_threaded_irq(ac->irq, NULL, adxl34x_irq,
+-                                 IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+-                                 dev_name(dev), ac);
++                                 IRQF_ONESHOT, dev_name(dev), ac);
+       if (err) {
+               dev_err(dev, "irq %d busy?\n", ac->irq);
+               goto err_free_mem;
+-- 
+2.39.2
+
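Review bot: With `IRQF_TRIGGER_HIGH` dropped from the `request_threaded_irq()` call in adxl34x_probe(), the trigger type now depends entirely on whatever configured the interrupt before probe, and the code does not say so. A board that never described a trigger would presumably get the interrupt controller's default rather than level-high; this is inferred, since no such user is visible here. I would add a comment above the call, `/* trigger type comes from the firmware description; none is forced here */`, so the dependency is explicit. The function starts and ends outside the hunk.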
diff --git a/queue-5.4/input-drv260x-sleep-between-polling-go-bit.patch b/queue-5.4/input-drv260x-sleep-between-polling-go-bit.patch
new file mode 100644 (file)
index 0000000..38cfb6c
--- /dev/null
@@ -0,0 +1,39 @@
+From deaccebed61ccc21f57924efe05fd9eae857cfbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 May 2023 17:01:45 -0700
+Subject: Input: drv260x - sleep between polling GO bit
+
+From: Luca Weiss <luca@z3ntu.xyz>
+
+[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ]
+
+When doing the initial startup there's no need to poll without any
+delay and spam the I2C bus.
+
+Let's sleep 15ms between each attempt, which is the same time as used
+in the vendor driver.
+
+Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver")
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/drv260x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
+index 79d7fa710a714..54002d1a446b7 100644
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -435,6 +435,7 @@ static int drv260x_init(struct drv260x_data *haptics)
+       }
+       do {
++              usleep_range(15000, 15500);
+               error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf);
+               if (error) {
+                       dev_err(&haptics->client->dev,
+-- 
+2.39.2
+
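Review bot: The `do { ... }` loop in drv260x_init() that now sleeps with `usleep_range(15000, 15500)` shows no iteration limit in the hunk, so a GO bit that never clears would keep the init path sleeping and polling indefinitely. The loop's closing `while` condition is outside the hunk, so this is inferred. If it is indeed unbounded, a retry budget that fails with `-ETIMEDOUT` would let a stuck device fail cleanly. The sleep also sits before the first `regmap_read()`, so a comment such as `/* give the device time before each poll, including the first */` would show that is intended.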
diff --git a/queue-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch b/queue-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
new file mode 100644 (file)
index 0000000..8130c2d
--- /dev/null
@@ -0,0 +1,66 @@
+From 35f34daabd4d15e75c1c2170d9f2c1a226290375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jun 2023 17:33:47 +0800
+Subject: ipvlan: Fix return value of ipvlan_queue_xmit()
+
+From: Cambda Zhu <cambda@linux.alibaba.com>
+
+[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ]
+
+ipvlan_queue_xmit() should return NET_XMIT_XXX, but
+ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX
+in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED
+in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to
+NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or
+NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase
+both ipvlan and ipvlan->phy_dev drops counter.
+
+The skb to forward can be treated as xmitted successfully. This patch
+makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb.
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 0a5b5ff597c6f..ab09d110760ec 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -586,7 +586,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev)
+                               consume_skb(skb);
+                               return NET_XMIT_DROP;
+                       }
+-                      return ipvlan_rcv_frame(addr, &skb, true);
++                      ipvlan_rcv_frame(addr, &skb, true);
++                      return NET_XMIT_SUCCESS;
+               }
+       }
+ out:
+@@ -612,7 +613,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev)
+                                       consume_skb(skb);
+                                       return NET_XMIT_DROP;
+                               }
+-                              return ipvlan_rcv_frame(addr, &skb, true);
++                              ipvlan_rcv_frame(addr, &skb, true);
++                              return NET_XMIT_SUCCESS;
+                       }
+               }
+               skb = skb_share_check(skb, GFP_ATOMIC);
+@@ -624,7 +626,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev)
+                * the skb for the main-dev. At the RX side we just return
+                * RX_PASS for it to be processed further on the stack.
+                */
+-              return dev_forward_skb(ipvlan->phy_dev, skb);
++              dev_forward_skb(ipvlan->phy_dev, skb);
++              return NET_XMIT_SUCCESS;
+       } else if (is_multicast_ether_addr(eth->h_dest)) {
+               skb_reset_mac_header(skb);
+-- 
+2.39.2
+
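Review bot: All three changed call sites in ipvlan_xmit_mode_l3() and ipvlan_xmit_mode_l2() now discard the callee's result without a comment, so a reader cannot tell that ignoring the return of `ipvlan_rcv_frame()` and `dev_forward_skb()` is deliberate. In the `dev_forward_skb()` case a NET_RX_DROP is no longer reported to the caller at all, which the commit message explains but the code does not. I would add a comment at each site along the lines of `/* RX-side result is not an xmit status; the skb counts as transmitted */`. Both functions start and end outside the hunks.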
diff --git a/queue-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch b/queue-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch
new file mode 100644 (file)
index 0000000..a27520c
--- /dev/null
@@ -0,0 +1,53 @@
+From f17b7dd8b298df39048fbf98b7ebd6f7c8b807af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 18:33:42 +0200
+Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
+
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+
+[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ]
+
+The initialization function for the J-Core AIC aic_irq_of_init() is
+currently missing the call to irq_alloc_descs() which allocates and
+initializes all the IRQ descriptors. Add missing function call and
+return the error code from irq_alloc_descs() in case the allocation
+fails.
+
+Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver")
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Tested-by: Rob Landley <rob@landley.net>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-jcore-aic.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c
+index 5f47d8ee4ae39..b9dcc8e78c750 100644
+--- a/drivers/irqchip/irq-jcore-aic.c
++++ b/drivers/irqchip/irq-jcore-aic.c
+@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node,
+       unsigned min_irq = JCORE_AIC2_MIN_HWIRQ;
+       unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1;
+       struct irq_domain *domain;
++      int ret;
+       pr_info("Initializing J-Core AIC\n");
+@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node,
+       jcore_aic.irq_unmask = noop;
+       jcore_aic.name = "AIC";
++      ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq,
++                            of_node_to_nid(node));
++
++      if (ret < 0)
++              return ret;
++
+       domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq,
+                                      &jcore_aic_irqdomain_ops,
+                                      &jcore_aic);
+-- 
+2.39.2
+
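Review bot: The base returned by `irq_alloc_descs(-1, min_irq, ...)` in aic_irq_of_init() is only tested for `< 0`, while the following `irq_domain_add_legacy()` call assumes the descriptors start exactly at `min_irq`. With `-1` as the first argument the allocator may pick any free range at or above `min_irq`, so a mismatch would go unnoticed. Requesting the exact base, `ret = irq_alloc_descs(min_irq, min_irq, dom_sz - min_irq, of_node_to_nid(node));`, turns that case into an error. The function's tail is outside the hunk, but if the domain allocation fails after this point the descriptors are presumably not released; an `irq_free_descs()` call on that path would fix it.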
diff --git a/queue-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch b/queue-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch
new file mode 100644 (file)
index 0000000..254ab8b
--- /dev/null
@@ -0,0 +1,41 @@
+From 567410ef2e3646e5cde58e251d16d4bd165cb6e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 10:35:51 +0100
+Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings()
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ]
+
+irq_create_strict_mappings() is a poor way to allow the use of
+a linear IRQ domain as a legacy one. Let's be upfront about it.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org
+Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-jcore-aic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c
+index 033bccb41455c..5f47d8ee4ae39 100644
+--- a/drivers/irqchip/irq-jcore-aic.c
++++ b/drivers/irqchip/irq-jcore-aic.c
+@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node,
+       jcore_aic.irq_unmask = noop;
+       jcore_aic.name = "AIC";
+-      domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops,
++      domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq,
++                                     &jcore_aic_irqdomain_ops,
+                                      &jcore_aic);
+       if (!domain)
+               return -ENOMEM;
+-      irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq);
+       return 0;
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/queue-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
new file mode 100644 (file)
index 0000000..7621ed2
--- /dev/null
@@ -0,0 +1,93 @@
+From 5fb5cd1001376c72e6b15b36e2ec0a24646d9c74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 20:34:34 +0800
+Subject: kexec: fix a memory leak in crash_shrink_memory()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ]
+
+Patch series "kexec: enable kexec_crash_size to support two crash kernel
+regions".
+
+When crashkernel=X fails to reserve region under 4G, it will fall back to
+reserve region above 4G and a region of the default size will also be
+reserved under 4G.  Unfortunately, /sys/kernel/kexec_crash_size only
+supports one crash kernel region now, the user cannot sense the low memory
+reserved by reading /sys/kernel/kexec_crash_size.  Also, low memory cannot
+be freed by writing this file.
+
+For example:
+resource_size(crashk_res) = 512M
+resource_size(crashk_low_res) = 256M
+
+The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be
+768M.  When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size
+of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB,
+which is incorrect.
+
+Since crashk_res manages the memory with high address and crashk_low_res
+manages the memory with low address, crashk_low_res is shrunken only when
+all crashk_res is shrunken.  And because when there is only one crash
+kernel region, crashk_res is always used.  Therefore, if all crashk_res is
+shrunken and crashk_low_res still exists, swap them.
+
+This patch (of 6):
+
+If the value of parameter 'new_size' is in the semi-open and semi-closed
+interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the
+calculation result of ram_res is:
+
+       ram_res->start = crashk_res.end + 1
+       ram_res->end   = crashk_res.end
+
+The operation of insert_resource() fails, and ram_res is not added to
+iomem_resource.  As a result, the memory of the control block ram_res is
+leaked.
+
+In fact, on all architectures, the start address and size of crashk_res
+are already aligned by KEXEC_CRASH_MEM_ALIGN.  Therefore, we do not need
+to round up crashk_res.start again.  Instead, we should round up
+'new_size' in advance.
+
+Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com
+Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com
+Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()")
+Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: Cong Wang <amwang@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
+index d65b0fc8fb48b..3694d90c3722f 100644
+--- a/kernel/kexec_core.c
++++ b/kernel/kexec_core.c
+@@ -1019,6 +1019,7 @@ int crash_shrink_memory(unsigned long new_size)
+       start = crashk_res.start;
+       end = crashk_res.end;
+       old_size = (end == 0) ? 0 : end - start + 1;
++      new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);
+       if (new_size >= old_size) {
+               ret = (new_size == old_size) ? 0 : -EINVAL;
+               goto unlock;
+@@ -1030,9 +1031,7 @@ int crash_shrink_memory(unsigned long new_size)
+               goto unlock;
+       }
+-      start = roundup(start, KEXEC_CRASH_MEM_ALIGN);
+-      end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN);
+-
++      end = start + new_size;
+       crash_free_reserved_phys_range(end, crashk_res.end);
+       if ((start == end) && (crashk_res.parent != NULL))
+-- 
+2.39.2
+
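Review bot: `new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN)` in crash_shrink_memory() runs before the `new_size >= old_size` comparison, so a value within one alignment unit of ULONG_MAX would wrap to a small number and pass as a valid shrink instead of returning -EINVAL. Rejecting oversized requests ahead of the rounding closes that: `if (new_size > old_size) { ret = -EINVAL; goto unlock; }` placed just above the `roundup()` line. The existing comparison after rounding still handles the equal-size case. The function starts and ends outside the hunks.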
diff --git a/queue-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/queue-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch
new file mode 100644 (file)
index 0000000..704c8be
--- /dev/null
@@ -0,0 +1,59 @@
+From e840b0560f2efee094b37016ba0a076546bc07d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jun 2023 20:06:57 +0100
+Subject: lib/ts_bm: reset initial match offset for every block of text
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ]
+
+The `shift` variable which indicates the offset in the string at which
+to start matching the pattern is initialized to `bm->patlen - 1`, but it
+is not reset when a new block is retrieved.  This means the implemen-
+tation may start looking at later and later positions in each successive
+block and miss occurrences of the pattern at the beginning.  E.g.,
+consider a HTTP packet held in a non-linear skb, where the HTTP request
+line occurs in the second block:
+
+  [... 52 bytes of packet headers ...]
+  GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n
+
+and the pattern is "GET /bmtest".
+
+Once the first block comprising the packet headers has been examined,
+`shift` will be pointing to somewhere near the end of the block, and so
+when the second block is examined the request line at the beginning will
+be missed.
+
+Reinitialize the variable for each new block.
+
+Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2")
+Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/ts_bm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ts_bm.c b/lib/ts_bm.c
+index b352903c50e38..0a22ae48af61f 100644
+--- a/lib/ts_bm.c
++++ b/lib/ts_bm.c
+@@ -60,10 +60,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
+       struct ts_bm *bm = ts_config_priv(conf);
+       unsigned int i, text_len, consumed = state->offset;
+       const u8 *text;
+-      int shift = bm->patlen - 1, bs;
++      int bs;
+       const u8 icase = conf->flags & TS_IGNORECASE;
+       for (;;) {
++              int shift = bm->patlen - 1;
++
+               text_len = conf->get_next_block(consumed, &text, conf, state);
+               if (unlikely(text_len == 0))
+-- 
+2.39.2
+
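Review bot: Declaring `shift` inside the `for (;;)` loop of bm_find() means nothing is carried from one block to the next, so a pattern that begins at the end of one block and finishes in the following one is still not matched, as far as the hunk shows. That limit matters to anyone relying on this search for packet filtering on non-linear skbs, the case the commit message describes, and it should be stated where the reset happens. I would add `/* each block is searched on its own: a pattern straddling two blocks is not found */` above the new declaration. The loop body continues outside the hunk.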
diff --git a/queue-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch b/queue-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
new file mode 100644 (file)
index 0000000..1c6ae0b
--- /dev/null
@@ -0,0 +1,65 @@
+From 424deacdd4401864eadf2e2e8b7afd6a5ebb7f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 21:48:05 +0800
+Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ]
+
+If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
+will return -EINVAL because 'page >= bitmap->pages', but the return value
+was not checked immediately in md_bitmap_get_counter() in order to set
+*blocks value and slab-out-of-bounds occurs.
+
+Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and
+return directly if true.
+
+Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 0545cdccf6369..bea8265ce9b8e 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -54,14 +54,7 @@ __acquires(bitmap->lock)
+ {
+       unsigned char *mappage;
+-      if (page >= bitmap->pages) {
+-              /* This can happen if bitmap_start_sync goes beyond
+-               * End-of-device while looking for a whole page.
+-               * It is harmless.
+-               */
+-              return -EINVAL;
+-      }
+-
++      WARN_ON_ONCE(page >= bitmap->pages);
+       if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */
+               return 0;
+@@ -1369,6 +1362,14 @@ __acquires(bitmap->lock)
+       sector_t csize;
+       int err;
++      if (page >= bitmap->pages) {
++              /*
++               * This can happen if bitmap_start_sync goes beyond
++               * End-of-device while looking for a whole page or
++               * user set a huge number to sysfs bitmap_set_bits.
++               */
++              return NULL;
++      }
+       err = md_bitmap_checkpage(bitmap, page, create, 0);
+       if (bitmap->bp[page].hijacked ||
+-- 
+2.39.2
+
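Review bot: `WARN_ON_ONCE(page >= bitmap->pages)` in md_bitmap_checkpage() only logs; the next line still evaluates `bitmap->bp[page].hijacked`, so any caller that arrives with an out-of-range page reads past the array. Keeping the bail-out, `if (WARN_ON_ONCE(page >= bitmap->pages)) return -EINVAL;`, costs nothing and protects callers other than md_bitmap_get_counter(). In md_bitmap_get_counter() the new early `return NULL` sits before any visible assignment to `*blocks`, which the commit message says the old ordering existed to set. Whether callers read it on the NULL path is outside the hunk and should be confirmed.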
diff --git a/queue-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/queue-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
new file mode 100644 (file)
index 0000000..8e22531
--- /dev/null
@@ -0,0 +1,79 @@
+From dbee0683a39045c5b85c5ce372f10260fec448aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 17:18:39 +0800
+Subject: md/raid10: fix io loss while replacement replace rdev
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ]
+
+When removing a disk with replacement, the replacement will be used to
+replace rdev. During this process, there is a brief window in which both
+rdev and replacement are read as NULL in raid10_write_request(). This
+will result in io not being submitted but it should be.
+
+  //remove                             //write
+  raid10_remove_disk                   raid10_write_request
+   mirror->rdev = NULL
+                                        read rdev -> NULL
+   mirror->rdev = mirror->replacement
+   mirror->replacement = NULL
+                                        read replacement -> NULL
+
+Fix it by reading replacement first and rdev later, meanwhile, use smp_mb()
+to prevent memory reordering.
+
+Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid10.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 7f762df43a2fc..db4de8e07cd97 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -751,8 +751,16 @@ static struct md_rdev *read_balance(struct r10conf *conf,
+               disk = r10_bio->devs[slot].devnum;
+               rdev = rcu_dereference(conf->mirrors[disk].replacement);
+               if (rdev == NULL || test_bit(Faulty, &rdev->flags) ||
+-                  r10_bio->devs[slot].addr + sectors > rdev->recovery_offset)
++                  r10_bio->devs[slot].addr + sectors >
++                  rdev->recovery_offset) {
++                      /*
++                       * Read replacement first to prevent reading both rdev
++                       * and replacement as NULL during replacement replace
++                       * rdev.
++                       */
++                      smp_mb();
+                       rdev = rcu_dereference(conf->mirrors[disk].rdev);
++              }
+               if (rdev == NULL ||
+                   test_bit(Faulty, &rdev->flags))
+                       continue;
+@@ -1363,9 +1371,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio,
+       for (i = 0;  i < conf->copies; i++) {
+               int d = r10_bio->devs[i].devnum;
+-              struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev);
+-              struct md_rdev *rrdev = rcu_dereference(
+-                      conf->mirrors[d].replacement);
++              struct md_rdev *rdev, *rrdev;
++
++              rrdev = rcu_dereference(conf->mirrors[d].replacement);
++              /*
++               * Read replacement first to prevent reading both rdev and
++               * replacement as NULL during replacement replace rdev.
++               */
++              smp_mb();
++              rdev = rcu_dereference(conf->mirrors[d].rdev);
+               if (rdev == rrdev)
+                       rrdev = NULL;
+               if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) {
+-- 
+2.39.2
+
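Review bot: Both new `smp_mb()` calls, in read_balance() and raid10_write_request(), are commented with what they prevent but not with the barrier they pair with on the removal side. A read-side barrier only orders anything if raid10_remove_disk() has a matching one between its stores to `rdev` and `replacement`; that function is not in the patch, so this cannot be checked from here. I would extend each comment with a line such as `* Pairs with the barrier in raid10_remove_disk().` once that is confirmed. Both functions start and end outside the hunks.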
diff --git a/queue-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch b/queue-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch
new file mode 100644 (file)
index 0000000..31029cc
--- /dev/null
@@ -0,0 +1,81 @@
+From fe46b1dc2a17a2bf0917ebda81c867957f1909ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 15:22:15 +0800
+Subject: md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 34817a2441747b48e444cb0e05d84e14bc9443da ]
+
+There are two check of 'mreplace' in raid10_sync_request(). In the first
+check, 'need_replace' will be set and 'mreplace' will be used later if
+no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be
+set to NULL if it is Faulty, but 'need_replace' will not be changed
+accordingly. null-ptr-deref occurs if Faulty is set between two check.
+
+Fix it by merging two checks into one. And replace 'need_replace' with
+'mreplace' because their values are always the same.
+
+Fixes: ee37d7314a32 ("md/raid10: Fix raid10 replace hang when new added disk faulty")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230527072218.2365857-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid10.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index aee429ab114a5..7f762df43a2fc 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -3054,7 +3054,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
+                       int must_sync;
+                       int any_working;
+                       int need_recover = 0;
+-                      int need_replace = 0;
+                       struct raid10_info *mirror = &conf->mirrors[i];
+                       struct md_rdev *mrdev, *mreplace;
+@@ -3066,11 +3065,10 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
+                           !test_bit(Faulty, &mrdev->flags) &&
+                           !test_bit(In_sync, &mrdev->flags))
+                               need_recover = 1;
+-                      if (mreplace != NULL &&
+-                          !test_bit(Faulty, &mreplace->flags))
+-                              need_replace = 1;
++                      if (mreplace && test_bit(Faulty, &mreplace->flags))
++                              mreplace = NULL;
+-                      if (!need_recover && !need_replace) {
++                      if (!need_recover && !mreplace) {
+                               rcu_read_unlock();
+                               continue;
+                       }
+@@ -3086,8 +3084,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
+                               rcu_read_unlock();
+                               continue;
+                       }
+-                      if (mreplace && test_bit(Faulty, &mreplace->flags))
+-                              mreplace = NULL;
+                       /* Unless we are doing a full sync, or a replacement
+                        * we only need to recover the block if it is set in
+                        * the bitmap
+@@ -3210,11 +3206,11 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
+                               bio = r10_bio->devs[1].repl_bio;
+                               if (bio)
+                                       bio->bi_end_io = NULL;
+-                              /* Note: if need_replace, then bio
++                              /* Note: if replace is not NULL, then bio
+                                * cannot be NULL as r10buf_pool_alloc will
+                                * have allocated it.
+                                */
+-                              if (!need_replace)
++                              if (!mreplace)
+                                       break;
+                               bio->bi_next = biolist;
+                               biolist = bio;
+-- 
+2.39.2
+
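Review bot: The rewritten comment in the last hunk of raid10_sync_request() says `if replace is not NULL`, but the variable tested a few lines below is `mreplace`; no `replace` appears in the visible code. Writing it as `/* Note: if mreplace is not NULL, then bio` keeps the comment greppable alongside `if (!mreplace)`. The function starts and ends outside the hunks.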
diff --git a/queue-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/queue-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch
new file mode 100644 (file)
index 0000000..dc65a9d
--- /dev/null
@@ -0,0 +1,51 @@
+From 047ef324b352b0a73fa40f3a132be57b8dc224b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 15:25:33 +0800
+Subject: md/raid10: fix overflow of md/safe_mode_delay
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ]
+
+There is no input check when echo md/safe_mode_delay in safe_delay_store().
+And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by
+checking overflow in safe_delay_store() and use unsigned long conversion in
+safe_delay_show().
+
+Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 64558991ce0a0..bae264aae3cd0 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3766,8 +3766,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
+ static ssize_t
+ safe_delay_show(struct mddev *mddev, char *page)
+ {
+-      int msec = (mddev->safemode_delay*1000)/HZ;
+-      return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
++      unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
++
++      return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
+ }
+ static ssize_t
+ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+@@ -3779,7 +3780,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+               return -EINVAL;
+       }
+-      if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
++      if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ)
+               return -EINVAL;
+       if (msec == 0)
+               mddev->safemode_delay = 0;
+-- 
+2.39.2
+
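Review bot: The new bound `msec > UINT_MAX / HZ` in safe_delay_store() has no comment saying which later computation it protects, and the conversion from `msec` to `safemode_delay` is outside the hunk. A short comment, `/* keep the msec-to-jiffies conversion below within unsigned int */`, would tie the check to its purpose, with the wording adjusted to the actual expression. In safe_delay_show() the `(unsigned long)` cast widens the multiplication only on 64-bit builds, so on 32-bit it is presumably the store-side bound that keeps `safemode_delay*1000` in range. That dependency is worth a comment too.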
diff --git a/queue-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/queue-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
new file mode 100644 (file)
index 0000000..2dc628b
--- /dev/null
@@ -0,0 +1,38 @@
+From 7c790c7196a12230bfbc93020dc28688b8f7016c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 15:25:34 +0800
+Subject: md/raid10: fix wrong setting of max_corr_read_errors
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ]
+
+There is no input check when echo md/max_read_errors and overflow might
+occur. Add check of input number.
+
+Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index bae264aae3cd0..0765712513e7d 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4441,6 +4441,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len
+       rv = kstrtouint(buf, 10, &n);
+       if (rv < 0)
+               return rv;
++      if (n > INT_MAX)
++              return -EINVAL;
+       atomic_set(&mddev->max_corr_read_errors, n);
+       return len;
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch b/queue-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch
new file mode 100644 (file)
index 0000000..7891944
--- /dev/null
@@ -0,0 +1,50 @@
+From 9b02b49d7db025e04ef464355fa2fc21bf311e8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 May 2023 13:29:31 +0200
+Subject: memory: brcmstb_dpfe: fix testing array offset after use
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 1d9e93fad549bc38f593147479ee063f2872c170 ]
+
+Code should first check for valid value of array offset, then use it as
+the index.  Fixes smatch warning:
+
+  drivers/memory/brcmstb_dpfe.c:443 __send_command() error: testing array offset 'cmd' after use.
+
+Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE")
+Acked-by: Markus Mayer <mmayer@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20230513112931.176066-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/brcmstb_dpfe.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c
+index 6827ed4847507..127a9bffdbca8 100644
+--- a/drivers/memory/brcmstb_dpfe.c
++++ b/drivers/memory/brcmstb_dpfe.c
+@@ -398,15 +398,17 @@ static void __finalize_command(struct private_data *priv)
+ static int __send_command(struct private_data *priv, unsigned int cmd,
+                         u32 result[])
+ {
+-      const u32 *msg = priv->dpfe_api->command[cmd];
+       void __iomem *regs = priv->regs;
+       unsigned int i, chksum, chksum_idx;
++      const u32 *msg;
+       int ret = 0;
+       u32 resp;
+       if (cmd >= DPFE_CMD_MAX)
+               return -1;
++      msg = priv->dpfe_api->command[cmd];
++
+       mutex_lock(&priv->lock);
+       /* Wait for DCPU to become ready */
+-- 
+2.39.2
+
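Review bot: The bounds guard that now runs before the `priv->dpfe_api->command[cmd]` lookup in __send_command() still returns a bare `-1`. If a caller passes that value on as an errno, it reads as -EPERM rather than as a bad argument; `return -EINVAL;` would name the failure. The callers and the rest of the function body are outside the hunk, so confirm how the return value is consumed before changing it.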
diff --git a/queue-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/queue-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
new file mode 100644 (file)
index 0000000..7505393
--- /dev/null
@@ -0,0 +1,49 @@
+From a39791fb240f8a0cc95a7b38c8d051d9c66a539c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 22:27:04 +0200
+Subject: memstick r592: make memstick_debug_get_tpc_name() static
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ]
+
+There are no other files referencing this function, apparently
+it was left global to avoid an 'unused function' warning when
+the only caller is left out. With a 'W=1' build, it causes
+a 'missing prototype' warning though:
+
+drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]
+
+Annotate the function as 'static __maybe_unused' to avoid both
+problems.
+
+Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/host/r592.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index dd06c18495eb6..0e37c6a5ee36c 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -44,12 +44,10 @@ static const char *tpc_names[] = {
+  * memstick_debug_get_tpc_name - debug helper that returns string for
+  * a TPC number
+  */
+-const char *memstick_debug_get_tpc_name(int tpc)
++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc)
+ {
+       return tpc_names[tpc-1];
+ }
+-EXPORT_SYMBOL(memstick_debug_get_tpc_name);
+-
+ /* Read a register*/
+ static inline u32 r592_read_reg(struct r592_device *dev, int address)
+-- 
+2.39.2
+
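Review bot: memstick_debug_get_tpc_name() still returns `tpc_names[tpc-1]` with no range check, so a `tpc` of 0 or one past the end of the table reads outside the array. Now that the helper is file-local, a guard is cheap: `if (tpc < 1 || tpc > ARRAY_SIZE(tpc_names)) return "unknown";`. Whether the callers in r592.c only ever pass validated TPC values is not visible in this hunk, so treat this as hardening for a debug path rather than a confirmed fault.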
diff --git a/queue-5.4/modpost-fix-off-by-one-in-is_executable_section.patch b/queue-5.4/modpost-fix-off-by-one-in-is_executable_section.patch
new file mode 100644 (file)
index 0000000..e7be288
--- /dev/null
@@ -0,0 +1,36 @@
+From b87d4d45db6fc1d96fd0ef1971e19eeee6f18792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jun 2023 11:23:40 +0300
+Subject: modpost: fix off by one in is_executable_section()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 3a3f1e573a105328a2cca45a7cfbebabbf5e3192 ]
+
+The > comparison should be >= to prevent an out of bounds array
+access.
+
+Fixes: 52dc0595d540 ("modpost: handle relocations mismatch in __ex_table.")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 75d76b8f50302..53e276bb24acd 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1633,7 +1633,7 @@ static void default_mismatch_handler(const char *modname, struct elf_info *elf,
+ static int is_executable_section(struct elf_info* elf, unsigned int section_index)
+ {
+-      if (section_index > elf->num_sections)
++      if (section_index >= elf->num_sections)
+               fatal("section_index is outside elf->num_sections!\n");
+       return ((elf->sechdrs[section_index].sh_flags & SHF_EXECINSTR) == SHF_EXECINSTR);
+-- 
+2.39.2
+
diff --git a/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
new file mode 100644 (file)
index 0000000..e9ce3ef
--- /dev/null
@@ -0,0 +1,106 @@
+From 18d9db07cfefd6401ee7753b30d76c0ee86a82bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jun 2023 21:09:56 +0900
+Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ]
+
+addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a
+wrong way.
+
+Here, test code.
+
+[test code for R_ARM_JUMP24]
+
+  .section .init.text,"ax"
+  bar:
+          bx      lr
+
+  .section .text,"ax"
+  .globl foo
+  foo:
+          b       bar
+
+[test code for R_ARM_CALL]
+
+  .section .init.text,"ax"
+  bar:
+          bx      lr
+
+  .section .text,"ax"
+  .globl foo
+  foo:
+          push    {lr}
+          bl      bar
+          pop     {pc}
+
+If you compile it with ARM multi_v7_defconfig, modpost will show the
+symbol name, (unknown).
+
+  WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text)
+
+(You need to use GNU linker instead of LLD to reproduce it.)
+
+Fix the code to make modpost show the correct symbol name.
+
+I imported (with adjustment) sign_extend32() from include/linux/bitops.h.
+
+The '+8' is the compensation for pc-relative instruction. It is
+documented in "ELF for the Arm Architecture" [1].
+
+  "If the relocation is pc-relative then compensation for the PC bias
+  (the PC value is 8 bytes ahead of the executing instruction in Arm
+  state and 4 bytes in Thumb state) must be encoded in the relocation
+  by the object producer."
+
+[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst
+
+Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm")
+Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index ad955c45d7a53..75d76b8f50302 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1812,12 +1812,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ #define       R_ARM_THM_JUMP19        51
+ #endif
++static int32_t sign_extend32(int32_t value, int index)
++{
++      uint8_t shift = 31 - index;
++
++      return (int32_t)(value << shift) >> shift;
++}
++
+ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ {
+       unsigned int r_typ = ELF_R_TYPE(r->r_info);
+       Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info);
+       void *loc = reloc_location(elf, sechdr, r);
+       uint32_t inst;
++      int32_t offset;
+       switch (r_typ) {
+       case R_ARM_ABS32:
+@@ -1827,6 +1835,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+       case R_ARM_PC24:
+       case R_ARM_CALL:
+       case R_ARM_JUMP24:
++              inst = TO_NATIVE(*(uint32_t *)loc);
++              offset = sign_extend32((inst & 0x00ffffff) << 2, 25);
++              r->r_addend = offset + sym->st_value + 8;
++              break;
+       case R_ARM_THM_CALL:
+       case R_ARM_THM_JUMP24:
+       case R_ARM_THM_JUMP19:
+-- 
+2.39.2
+
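Review bot: The imported sign_extend32() takes `int32_t value` and evaluates `value << shift` on that signed operand. For the call `sign_extend32((inst & 0x00ffffff) << 2, 25)` the shift is 6, and a branch offset with bit 25 set overflows int32_t, which ISO C leaves undefined. Doing the shift in unsigned arithmetic avoids relying on compiler behaviour: `return (int32_t)((uint32_t)value << shift) >> shift;`. scripts/mod/modpost.c is a build-time tool, and the flags it is compiled with are not visible here, so wrapping semantics should not be assumed.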
diff --git a/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
new file mode 100644 (file)
index 0000000..7df4ab4
--- /dev/null
@@ -0,0 +1,133 @@
+From 20def63b530d07096c52c0a287ada543f35a00b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jun 2023 21:09:55 +0900
+Subject: modpost: fix section mismatch message for R_ARM_ABS32
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ]
+
+addend_arm_rel() processes R_ARM_ABS32 in a wrong way.
+
+Here, test code.
+
+  [test code 1]
+
+    #include <linux/init.h>
+
+    int __initdata foo;
+    int get_foo(void) { return foo; }
+
+If you compile it with ARM versatile_defconfig, modpost will show the
+symbol name, (unknown).
+
+  WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data)
+
+(You need to use GNU linker instead of LLD to reproduce it.)
+
+If you compile it for other architectures, modpost will show the correct
+symbol name.
+
+  WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data)
+
+For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value.
+
+I just mimicked the code in arch/arm/kernel/module.c.
+
+However, there is more difficulty for ARM.
+
+Here, test code.
+
+  [test code 2]
+
+    #include <linux/init.h>
+
+    int __initdata foo;
+    int get_foo(void) { return foo; }
+
+    int __initdata bar;
+    int get_bar(void) { return bar; }
+
+With this commit applied, modpost will show the following messages
+for ARM versatile_defconfig:
+
+  WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data)
+  WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data)
+
+The reference from 'get_bar' to 'foo' seems wrong.
+
+I have no solution for this because it is true in assembly level.
+
+In the following output, relocation at 0x1c is no longer associated
+with 'bar'. The two relocation entries point to the same symbol, and
+the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'.
+
+  Disassembly of section .text:
+
+  00000000 <get_foo>:
+     0: e59f3004          ldr     r3, [pc, #4]   @ c <get_foo+0xc>
+     4: e5930000          ldr     r0, [r3]
+     8: e12fff1e          bx      lr
+     c: 00000000          .word   0x00000000
+
+  00000010 <get_bar>:
+    10: e59f3004          ldr     r3, [pc, #4]   @ 1c <get_bar+0xc>
+    14: e5930004          ldr     r0, [r3, #4]
+    18: e12fff1e          bx      lr
+    1c: 00000000          .word   0x00000000
+
+  Relocation section '.rel.text' at offset 0x244 contains 2 entries:
+   Offset     Info    Type            Sym.Value  Sym. Name
+  0000000c  00000c02 R_ARM_ABS32       00000000   .init.data
+  0000001c  00000c02 R_ARM_ABS32       00000000   .init.data
+
+When find_elf_symbol() gets into a situation where relsym->st_name is
+zero, there is no guarantee to get the symbol name as written in C.
+
+I am keeping the current logic because it is useful in many architectures,
+but the symbol name is not always correct depending on the optimization.
+I left some comments in find_tosym().
+
+Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index e5aeaf72dcdb8..ad955c45d7a53 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1325,6 +1325,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+       if (relsym->st_name != 0)
+               return relsym;
++      /*
++       * Strive to find a better symbol name, but the resulting name may not
++       * match the symbol referenced in the original code.
++       */
+       relsym_secindex = get_secindex(elf, relsym);
+       for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) {
+               if (get_secindex(elf, sym) != relsym_secindex)
+@@ -1811,12 +1815,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ {
+       unsigned int r_typ = ELF_R_TYPE(r->r_info);
++      Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info);
++      void *loc = reloc_location(elf, sechdr, r);
++      uint32_t inst;
+       switch (r_typ) {
+       case R_ARM_ABS32:
+-              /* From ARM ABI: (S + A) | T */
+-              r->r_addend = (int)(long)
+-                            (elf->symtab_start + ELF_R_SYM(r->r_info));
++              inst = TO_NATIVE(*(uint32_t *)loc);
++              r->r_addend = inst + sym->st_value;
+               break;
+       case R_ARM_PC24:
+       case R_ARM_CALL:
+-- 
+2.39.2
+
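Review bot: In addend_arm_rel(), `sym` is now computed as `elf->symtab_start + ELF_R_SYM(r->r_info)` and read through `sym->st_value`, with no check that the index lies inside the symbol table. find_elf_symbol() in the same file bounds its walk with `elf->symtab_stop`. A matching guard before the switch, `if (sym >= elf->symtab_stop)`, would keep a truncated or corrupt object file from causing an out-of-bounds read in the build tool. The `*(uint32_t *)loc` load likewise depends on reloc_location() returning an in-file, suitably aligned pointer, and that function is not shown. The function body continues outside the hunk, so take the value returned on failure from its existing paths.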
diff --git a/queue-5.4/net-create-netdev-dev_addr-assignment-helpers.patch b/queue-5.4/net-create-netdev-dev_addr-assignment-helpers.patch
new file mode 100644 (file)
index 0000000..78a6d4d
--- /dev/null
@@ -0,0 +1,82 @@
+From 2d67803006cfe8da5b9f45fd45488caadc9bd986 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 11:10:37 -0700
+Subject: net: create netdev->dev_addr assignment helpers
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ]
+
+Recent work on converting address list to a tree made it obvious
+we need an abstraction around writing netdev->dev_addr. Without
+such abstraction updating the main device address is invisible
+to the core.
+
+Introduce a number of helpers which for now just wrap memcpy()
+but in the future can make necessary changes to the address
+tree.
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/etherdevice.h | 12 ++++++++++++
+ include/linux/netdevice.h   | 18 ++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
+index 0f1e95240c0c0..66b89189a1e2e 100644
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -288,6 +288,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src)
+ #endif
+ }
++/**
++ * eth_hw_addr_set - Assign Ethernet address to a net_device
++ * @dev: pointer to net_device structure
++ * @addr: address to assign
++ *
++ * Assign given address to the net_device, addr_assign_type is not changed.
++ */
++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr)
++{
++      ether_addr_copy(dev->dev_addr, addr);
++}
++
+ /**
+  * eth_hw_addr_inherit - Copy dev_addr from another net_device
+  * @dst: pointer to net_device to copy dev_addr to
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 8dea4b53d664d..bf623f0e04d64 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -4189,6 +4189,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list,
+ void __hw_addr_init(struct netdev_hw_addr_list *list);
+ /* Functions used for device addresses handling */
++static inline void
++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len)
++{
++      memcpy(dev->dev_addr, addr, len);
++}
++
++static inline void dev_addr_set(struct net_device *dev, const u8 *addr)
++{
++      __dev_addr_set(dev, addr, dev->addr_len);
++}
++
++static inline void
++dev_addr_mod(struct net_device *dev, unsigned int offset,
++           const u8 *addr, size_t len)
++{
++      memcpy(&dev->dev_addr[offset], addr, len);
++}
++
+ int dev_addr_add(struct net_device *dev, const unsigned char *addr,
+                unsigned char addr_type);
+ int dev_addr_del(struct net_device *dev, const unsigned char *addr,
+-- 
+2.39.2
+
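Review bot: The three helpers added to include/linux/netdevice.h copy into `dev->dev_addr` with a caller-supplied `len` (and `offset` in dev_addr_mod()) and no bound check, and unlike eth_hw_addr_set() in the same patch they have no kernel-doc. Since these are meant to become the only write path to the device address, each should get a comment stating the contract, for example on dev_addr_mod(): `/* Caller must ensure offset + len does not exceed dev->addr_len. */`. The size of the buffer behind `dev_addr` is not visible in this hunk, so the exact limit to document should be confirmed against the net_device definition.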
diff --git a/queue-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch b/queue-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch
new file mode 100644 (file)
index 0000000..d446795
--- /dev/null
@@ -0,0 +1,558 @@
+From 7ad4204145d770a3081ea1de73e27d2644c1e4ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jun 2023 17:10:07 +0800
+Subject: net: nfc: Fix use-after-free caused by nfc_llcp_find_local
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 6709d4b7bc2e079241fdef15d1160581c5261c10 ]
+
+This commit fixes several use-after-free that caused by function
+nfc_llcp_find_local(). For example, one UAF can happen when below buggy
+time window occurs.
+
+// nfc_genl_llc_get_params   | // nfc_unregister_device
+                             |
+dev = nfc_get_device(idx);   | device_lock(...)
+if (!dev)                    | dev->shutting_down = true;
+    return -ENODEV;          | device_unlock(...);
+                             |
+device_lock(...);            |   // nfc_llcp_unregister_device
+                             |   nfc_llcp_find_local()
+nfc_llcp_find_local(...);    |
+                             |   local_cleanup()
+if (!local) {                |
+    rc = -ENODEV;            |     // nfc_llcp_local_put
+    goto exit;               |     kref_put(.., local_release)
+}                            |
+                             |       // local_release
+                             |       list_del(&local->list)
+  // nfc_genl_send_params    |       kfree()
+  local->dev->idx !!!UAF!!!  |
+                             |
+
+and the crash trace for the one of the discussed UAF like:
+
+BUG: KASAN: slab-use-after-free in nfc_genl_llc_get_params+0x72f/0x780  net/nfc/netlink.c:1045
+Read of size 8 at addr ffff888105b0e410 by task 20114
+
+Call Trace:
+ <TASK>
+ __dump_stack  lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x72/0xa0  lib/dump_stack.c:106
+ print_address_description  mm/kasan/report.c:319 [inline]
+ print_report+0xcc/0x620  mm/kasan/report.c:430
+ kasan_report+0xb2/0xe0  mm/kasan/report.c:536
+ nfc_genl_send_params  net/nfc/netlink.c:999 [inline]
+ nfc_genl_llc_get_params+0x72f/0x780  net/nfc/netlink.c:1045
+ genl_family_rcv_msg_doit.isra.0+0x1ee/0x2e0  net/netlink/genetlink.c:968
+ genl_family_rcv_msg  net/netlink/genetlink.c:1048 [inline]
+ genl_rcv_msg+0x503/0x7d0  net/netlink/genetlink.c:1065
+ netlink_rcv_skb+0x161/0x430  net/netlink/af_netlink.c:2548
+ genl_rcv+0x28/0x40  net/netlink/genetlink.c:1076
+ netlink_unicast_kernel  net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x644/0x900  net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x934/0xe70  net/netlink/af_netlink.c:1913
+ sock_sendmsg_nosec  net/socket.c:724 [inline]
+ sock_sendmsg+0x1b6/0x200  net/socket.c:747
+ ____sys_sendmsg+0x6e9/0x890  net/socket.c:2501
+ ___sys_sendmsg+0x110/0x1b0  net/socket.c:2555
+ __sys_sendmsg+0xf7/0x1d0  net/socket.c:2584
+ do_syscall_x64  arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90  arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7f34640a2389
+RSP: 002b:00007f3463415168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f34641c1f80 RCX: 00007f34640a2389
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000006
+RBP: 00007f34640ed493 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffe38449ecf R14: 00007f3463415300 R15: 0000000000022000
+ </TASK>
+
+Allocated by task 20116:
+ kasan_save_stack+0x22/0x50  mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30  mm/kasan/common.c:52
+ ____kasan_kmalloc  mm/kasan/common.c:374 [inline]
+ __kasan_kmalloc+0x7f/0x90  mm/kasan/common.c:383
+ kmalloc  include/linux/slab.h:580 [inline]
+ kzalloc  include/linux/slab.h:720 [inline]
+ nfc_llcp_register_device+0x49/0xa40  net/nfc/llcp_core.c:1567
+ nfc_register_device+0x61/0x260  net/nfc/core.c:1124
+ nci_register_device+0x776/0xb20  net/nfc/nci/core.c:1257
+ virtual_ncidev_open+0x147/0x230  drivers/nfc/virtual_ncidev.c:148
+ misc_open+0x379/0x4a0  drivers/char/misc.c:165
+ chrdev_open+0x26c/0x780  fs/char_dev.c:414
+ do_dentry_open+0x6c4/0x12a0  fs/open.c:920
+ do_open  fs/namei.c:3560 [inline]
+ path_openat+0x24fe/0x37e0  fs/namei.c:3715
+ do_filp_open+0x1ba/0x410  fs/namei.c:3742
+ do_sys_openat2+0x171/0x4c0  fs/open.c:1356
+ do_sys_open  fs/open.c:1372 [inline]
+ __do_sys_openat  fs/open.c:1388 [inline]
+ __se_sys_openat  fs/open.c:1383 [inline]
+ __x64_sys_openat+0x143/0x200  fs/open.c:1383
+ do_syscall_x64  arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90  arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Freed by task 20115:
+ kasan_save_stack+0x22/0x50  mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30  mm/kasan/common.c:52
+ kasan_save_free_info+0x2e/0x50  mm/kasan/generic.c:521
+ ____kasan_slab_free  mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free  mm/kasan/common.c:200 [inline]
+ __kasan_slab_free+0x10a/0x190  mm/kasan/common.c:244
+ kasan_slab_free  include/linux/kasan.h:162 [inline]
+ slab_free_hook  mm/slub.c:1781 [inline]
+ slab_free_freelist_hook  mm/slub.c:1807 [inline]
+ slab_free  mm/slub.c:3787 [inline]
+ __kmem_cache_free+0x7a/0x190  mm/slub.c:3800
+ local_release  net/nfc/llcp_core.c:174 [inline]
+ kref_put  include/linux/kref.h:65 [inline]
+ nfc_llcp_local_put  net/nfc/llcp_core.c:182 [inline]
+ nfc_llcp_local_put  net/nfc/llcp_core.c:177 [inline]
+ nfc_llcp_unregister_device+0x206/0x290  net/nfc/llcp_core.c:1620
+ nfc_unregister_device+0x160/0x1d0  net/nfc/core.c:1179
+ virtual_ncidev_close+0x52/0xa0  drivers/nfc/virtual_ncidev.c:163
+ __fput+0x252/0xa20  fs/file_table.c:321
+ task_work_run+0x174/0x270  kernel/task_work.c:179
+ resume_user_mode_work  include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop  kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0x108/0x110  kernel/entry/common.c:204
+ __syscall_exit_to_user_mode_work  kernel/entry/common.c:286 [inline]
+ syscall_exit_to_user_mode+0x21/0x50  kernel/entry/common.c:297
+ do_syscall_64+0x4c/0x90  arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Last potentially related work creation:
+ kasan_save_stack+0x22/0x50  mm/kasan/common.c:45
+ __kasan_record_aux_stack+0x95/0xb0  mm/kasan/generic.c:491
+ kvfree_call_rcu+0x29/0xa80  kernel/rcu/tree.c:3328
+ drop_sysctl_table+0x3be/0x4e0  fs/proc/proc_sysctl.c:1735
+ unregister_sysctl_table.part.0+0x9c/0x190  fs/proc/proc_sysctl.c:1773
+ unregister_sysctl_table+0x24/0x30  fs/proc/proc_sysctl.c:1753
+ neigh_sysctl_unregister+0x5f/0x80  net/core/neighbour.c:3895
+ addrconf_notify+0x140/0x17b0  net/ipv6/addrconf.c:3684
+ notifier_call_chain+0xbe/0x210  kernel/notifier.c:87
+ call_netdevice_notifiers_info+0xb5/0x150  net/core/dev.c:1937
+ call_netdevice_notifiers_extack  net/core/dev.c:1975 [inline]
+ call_netdevice_notifiers  net/core/dev.c:1989 [inline]
+ dev_change_name+0x3c3/0x870  net/core/dev.c:1211
+ dev_ifsioc+0x800/0xf70  net/core/dev_ioctl.c:376
+ dev_ioctl+0x3d9/0xf80  net/core/dev_ioctl.c:542
+ sock_do_ioctl+0x160/0x260  net/socket.c:1213
+ sock_ioctl+0x3f9/0x670  net/socket.c:1316
+ vfs_ioctl  fs/ioctl.c:51 [inline]
+ __do_sys_ioctl  fs/ioctl.c:870 [inline]
+ __se_sys_ioctl  fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x19e/0x210  fs/ioctl.c:856
+ do_syscall_x64  arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90  arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+The buggy address belongs to the object at ffff888105b0e400
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 16 bytes inside of
+ freed 1024-byte region [ffff888105b0e400, ffff888105b0e800)
+
+The buggy address belongs to the physical page:
+head:ffffea000416c200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x200000000010200(slab|head|node=0|zone=2)
+raw: 0200000000010200 ffff8881000430c0 ffffea00044c7010 ffffea0004510e10
+raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888105b0e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff888105b0e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff888105b0e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                         ^
+ ffff888105b0e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888105b0e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+In summary, this patch solves those use-after-free by
+
+1. Re-implement the nfc_llcp_find_local(). The current version does not
+grab the reference when getting the local from the linked list.  For
+example, the llcp_sock_bind() gets the reference like below:
+
+// llcp_sock_bind()
+
+    local = nfc_llcp_find_local(dev); // A
+    ..... \
+           | raceable
+    ..... /
+    llcp_sock->local = nfc_llcp_local_get(local); // B
+
+There is an apparent race window that one can  drop the reference
+and free the local object fetched in (A) before (B) gets the reference.
+
+2. Some callers of the nfc_llcp_find_local() do not grab the reference
+at all. For example, the nfc_genl_llc_{{get/set}_params/sdreq} functions.
+We add the nfc_llcp_local_put() for them. Moreover, we add the necessary
+error handling function to put the reference.
+
+3. Add the nfc_llcp_remove_local() helper. The local object is removed
+from the linked list in local_release() when all reference is gone. This
+patch removes it when nfc_llcp_unregister_device() is called.
+
+Therefore, every caller of nfc_llcp_find_local() will get a reference
+even when the nfc_llcp_unregister_device() is called. This promises no
+use-after-free for the local object is ever possible.
+
+Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support")
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp.h          |  1 -
+ net/nfc/llcp_commands.c | 12 +++++++---
+ net/nfc/llcp_core.c     | 49 +++++++++++++++++++++++++++++++++++------
+ net/nfc/llcp_sock.c     | 18 ++++++++-------
+ net/nfc/netlink.c       | 20 ++++++++++++-----
+ net/nfc/nfc.h           |  1 +
+ 6 files changed, 77 insertions(+), 24 deletions(-)
+
+diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h
+index d49d4bf2e37c8..a81893bc06ce8 100644
+--- a/net/nfc/llcp.h
++++ b/net/nfc/llcp.h
+@@ -202,7 +202,6 @@ void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s);
+ void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s);
+ void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock);
+ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
+-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local);
+ int nfc_llcp_local_put(struct nfc_llcp_local *local);
+ u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local,
+                        struct nfc_llcp_sock *sock);
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index bb9f40563ff63..5b8754ae7d3af 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -361,6 +361,7 @@ int nfc_llcp_send_symm(struct nfc_dev *dev)
+       struct sk_buff *skb;
+       struct nfc_llcp_local *local;
+       u16 size = 0;
++      int err;
+       pr_debug("Sending SYMM\n");
+@@ -372,8 +373,10 @@ int nfc_llcp_send_symm(struct nfc_dev *dev)
+       size += dev->tx_headroom + dev->tx_tailroom + NFC_HEADER_SIZE;
+       skb = alloc_skb(size, GFP_KERNEL);
+-      if (skb == NULL)
+-              return -ENOMEM;
++      if (skb == NULL) {
++              err = -ENOMEM;
++              goto out;
++      }
+       skb_reserve(skb, dev->tx_headroom + NFC_HEADER_SIZE);
+@@ -383,8 +386,11 @@ int nfc_llcp_send_symm(struct nfc_dev *dev)
+       nfc_llcp_send_to_raw_sock(local, skb, NFC_DIRECTION_TX);
+-      return nfc_data_exchange(dev, local->target_idx, skb,
++      err = nfc_data_exchange(dev, local->target_idx, skb,
+                                nfc_llcp_recv, local);
++out:
++      nfc_llcp_local_put(local);
++      return err;
+ }
+ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index fd43e75abd948..ddfd159f64e13 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -17,6 +17,8 @@
+ static u8 llcp_magic[3] = {0x46, 0x66, 0x6d};
+ static LIST_HEAD(llcp_devices);
++/* Protects llcp_devices list */
++static DEFINE_SPINLOCK(llcp_devices_lock);
+ static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb);
+@@ -143,7 +145,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
+       write_unlock(&local->raw_sockets.lock);
+ }
+-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
++static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
+ {
+       kref_get(&local->ref);
+@@ -171,7 +173,6 @@ static void local_release(struct kref *ref)
+       local = container_of(ref, struct nfc_llcp_local, ref);
+-      list_del(&local->list);
+       local_cleanup(local);
+       kfree(local);
+ }
+@@ -284,12 +285,33 @@ static void nfc_llcp_sdreq_timer(struct timer_list *t)
+ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
+ {
+       struct nfc_llcp_local *local;
++      struct nfc_llcp_local *res = NULL;
++      spin_lock(&llcp_devices_lock);
+       list_for_each_entry(local, &llcp_devices, list)
+-              if (local->dev == dev)
++              if (local->dev == dev) {
++                      res = nfc_llcp_local_get(local);
++                      break;
++              }
++      spin_unlock(&llcp_devices_lock);
++
++      return res;
++}
++
++static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
++{
++      struct nfc_llcp_local *local, *tmp;
++
++      spin_lock(&llcp_devices_lock);
++      list_for_each_entry_safe(local, tmp, &llcp_devices, list)
++              if (local->dev == dev) {
++                      list_del(&local->list);
++                      spin_unlock(&llcp_devices_lock);
+                       return local;
++              }
++      spin_unlock(&llcp_devices_lock);
+-      pr_debug("No device found\n");
++      pr_warn("Shutting down device not found\n");
+       return NULL;
+ }
+@@ -610,12 +632,15 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
+       *general_bytes_len = local->gb_len;
++      nfc_llcp_local_put(local);
++
+       return local->gb;
+ }
+ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
+ {
+       struct nfc_llcp_local *local;
++      int err;
+       if (gb_len < 3 || gb_len > NFC_MAX_GT_LEN)
+               return -EINVAL;
+@@ -632,12 +657,16 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
+       if (memcmp(local->remote_gb, llcp_magic, 3)) {
+               pr_err("MAC does not support LLCP\n");
+-              return -EINVAL;
++              err = -EINVAL;
++              goto out;
+       }
+-      return nfc_llcp_parse_gb_tlv(local,
++      err = nfc_llcp_parse_gb_tlv(local,
+                                    &local->remote_gb[3],
+                                    local->remote_gb_len - 3);
++out:
++      nfc_llcp_local_put(local);
++      return err;
+ }
+ static u8 nfc_llcp_dsap(const struct sk_buff *pdu)
+@@ -1527,6 +1556,8 @@ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb)
+       __nfc_llcp_recv(local, skb);
++      nfc_llcp_local_put(local);
++
+       return 0;
+ }
+@@ -1543,6 +1574,8 @@ void nfc_llcp_mac_is_down(struct nfc_dev *dev)
+       /* Close and purge all existing sockets */
+       nfc_llcp_socket_release(local, true, 0);
++
++      nfc_llcp_local_put(local);
+ }
+ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
+@@ -1568,6 +1601,8 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
+               mod_timer(&local->link_timer,
+                         jiffies + msecs_to_jiffies(local->remote_lto));
+       }
++
++      nfc_llcp_local_put(local);
+ }
+ int nfc_llcp_register_device(struct nfc_dev *ndev)
+@@ -1618,7 +1653,7 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
+ void nfc_llcp_unregister_device(struct nfc_dev *dev)
+ {
+-      struct nfc_llcp_local *local = nfc_llcp_find_local(dev);
++      struct nfc_llcp_local *local = nfc_llcp_remove_local(dev);
+       if (local == NULL) {
+               pr_debug("No such device\n");
+diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
+index 1c1748b86fae7..aea337d817025 100644
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -99,7 +99,7 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
+       }
+       llcp_sock->dev = dev;
+-      llcp_sock->local = nfc_llcp_local_get(local);
++      llcp_sock->local = local;
+       llcp_sock->nfc_protocol = llcp_addr.nfc_protocol;
+       llcp_sock->service_name_len = min_t(unsigned int,
+                                           llcp_addr.service_name_len,
+@@ -181,7 +181,7 @@ static int llcp_raw_sock_bind(struct socket *sock, struct sockaddr *addr,
+       }
+       llcp_sock->dev = dev;
+-      llcp_sock->local = nfc_llcp_local_get(local);
++      llcp_sock->local = local;
+       llcp_sock->nfc_protocol = llcp_addr.nfc_protocol;
+       nfc_llcp_sock_link(&local->raw_sockets, sk);
+@@ -698,22 +698,22 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
+       if (dev->dep_link_up == false) {
+               ret = -ENOLINK;
+               device_unlock(&dev->dev);
+-              goto put_dev;
++              goto sock_llcp_put_local;
+       }
+       device_unlock(&dev->dev);
+       if (local->rf_mode == NFC_RF_INITIATOR &&
+           addr->target_idx != local->target_idx) {
+               ret = -ENOLINK;
+-              goto put_dev;
++              goto sock_llcp_put_local;
+       }
+       llcp_sock->dev = dev;
+-      llcp_sock->local = nfc_llcp_local_get(local);
++      llcp_sock->local = local;
+       llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
+       if (llcp_sock->ssap == LLCP_SAP_MAX) {
+               ret = -ENOMEM;
+-              goto sock_llcp_put_local;
++              goto sock_llcp_nullify;
+       }
+       llcp_sock->reserved_ssap = llcp_sock->ssap;
+@@ -759,11 +759,13 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
+ sock_llcp_release:
+       nfc_llcp_put_ssap(local, llcp_sock->ssap);
+-sock_llcp_put_local:
+-      nfc_llcp_local_put(llcp_sock->local);
++sock_llcp_nullify:
+       llcp_sock->local = NULL;
+       llcp_sock->dev = NULL;
++sock_llcp_put_local:
++      nfc_llcp_local_put(local);
++
+ put_dev:
+       nfc_put_device(dev);
+diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
+index 66ab97131fd24..5b55466fe315a 100644
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1047,11 +1047,14 @@ static int nfc_genl_llc_get_params(struct sk_buff *skb, struct genl_info *info)
+       msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+       if (!msg) {
+               rc = -ENOMEM;
+-              goto exit;
++              goto put_local;
+       }
+       rc = nfc_genl_send_params(msg, local, info->snd_portid, info->snd_seq);
++put_local:
++      nfc_llcp_local_put(local);
++
+ exit:
+       device_unlock(&dev->dev);
+@@ -1113,7 +1116,7 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info)
+       if (info->attrs[NFC_ATTR_LLC_PARAM_LTO]) {
+               if (dev->dep_link_up) {
+                       rc = -EINPROGRESS;
+-                      goto exit;
++                      goto put_local;
+               }
+               local->lto = nla_get_u8(info->attrs[NFC_ATTR_LLC_PARAM_LTO]);
+@@ -1125,6 +1128,9 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info)
+       if (info->attrs[NFC_ATTR_LLC_PARAM_MIUX])
+               local->miux = cpu_to_be16(miux);
++put_local:
++      nfc_llcp_local_put(local);
++
+ exit:
+       device_unlock(&dev->dev);
+@@ -1180,7 +1186,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info)
+               if (rc != 0) {
+                       rc = -EINVAL;
+-                      goto exit;
++                      goto put_local;
+               }
+               if (!sdp_attrs[NFC_SDP_ATTR_URI])
+@@ -1199,7 +1205,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info)
+               sdreq = nfc_llcp_build_sdreq_tlv(tid, uri, uri_len);
+               if (sdreq == NULL) {
+                       rc = -ENOMEM;
+-                      goto exit;
++                      goto put_local;
+               }
+               tlvs_len += sdreq->tlv_len;
+@@ -1209,10 +1215,14 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info)
+       if (hlist_empty(&sdreq_list)) {
+               rc = -EINVAL;
+-              goto exit;
++              goto put_local;
+       }
+       rc = nfc_llcp_send_snl_sdreq(local, &sdreq_list, tlvs_len);
++
++put_local:
++      nfc_llcp_local_put(local);
++
+ exit:
+       device_unlock(&dev->dev);
+diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h
+index de2ec66d7e83a..0b1e6466f4fbf 100644
+--- a/net/nfc/nfc.h
++++ b/net/nfc/nfc.h
+@@ -52,6 +52,7 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len);
+ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len);
+ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb);
+ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
++int nfc_llcp_local_put(struct nfc_llcp_local *local);
+ int __init nfc_llcp_init(void);
+ void nfc_llcp_exit(void);
+ void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp);
+-- 
+2.39.2
+
diff --git a/queue-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch b/queue-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
new file mode 100644 (file)
index 0000000..4ce560f
--- /dev/null
@@ -0,0 +1,149 @@
+From d5a7c6ca8c18a86b6c52b8ab4093950930df3d5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jun 2023 17:56:53 +0200
+Subject: netfilter: conntrack: dccp: copy entire header to stack buffer, not
+ just basic one
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30 ]
+
+Eric Dumazet says:
+  nf_conntrack_dccp_packet() has an unique:
+
+  dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+
+  And nothing more is 'pulled' from the packet, depending on the content.
+  dh->dccph_doff, and/or dh->dccph_x ...)
+  So dccp_ack_seq() is happily reading stuff past the _dh buffer.
+
+BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
+Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
+[..]
+
+Fix this by increasing the stack buffer to also include room for
+the extra sequence numbers and all the known dccp packet type headers,
+then pull again after the initial validation of the basic header.
+
+While at it, mark packets invalid that lack 48bit sequence bit but
+where RFC says the type MUST use them.
+
+Compile tested only.
+
+v2: first skb_header_pointer() now needs to adjust the size to
+    only pull the generic header. (Eric)
+
+Heads-up: I intend to remove dccp conntrack support later this year.
+
+Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 52 +++++++++++++++++++++++--
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
+index b3f4a334f9d78..67b8dedef2935 100644
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -430,9 +430,19 @@ static bool dccp_error(const struct dccp_hdr *dh,
+                      struct sk_buff *skb, unsigned int dataoff,
+                      const struct nf_hook_state *state)
+ {
++      static const unsigned long require_seq48 = 1 << DCCP_PKT_REQUEST |
++                                                 1 << DCCP_PKT_RESPONSE |
++                                                 1 << DCCP_PKT_CLOSEREQ |
++                                                 1 << DCCP_PKT_CLOSE |
++                                                 1 << DCCP_PKT_RESET |
++                                                 1 << DCCP_PKT_SYNC |
++                                                 1 << DCCP_PKT_SYNCACK;
+       unsigned int dccp_len = skb->len - dataoff;
+       unsigned int cscov;
+       const char *msg;
++      u8 type;
++
++      BUILD_BUG_ON(DCCP_PKT_INVALID >= BITS_PER_LONG);
+       if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
+           dh->dccph_doff * 4 > dccp_len) {
+@@ -457,10 +467,17 @@ static bool dccp_error(const struct dccp_hdr *dh,
+               goto out_invalid;
+       }
+-      if (dh->dccph_type >= DCCP_PKT_INVALID) {
++      type = dh->dccph_type;
++      if (type >= DCCP_PKT_INVALID) {
+               msg = "nf_ct_dccp: reserved packet type ";
+               goto out_invalid;
+       }
++
++      if (test_bit(type, &require_seq48) && !dh->dccph_x) {
++              msg = "nf_ct_dccp: type lacks 48bit sequence numbers";
++              goto out_invalid;
++      }
++
+       return false;
+ out_invalid:
+       nf_l4proto_log_invalid(skb, state->net, state->pf,
+@@ -468,24 +485,53 @@ static bool dccp_error(const struct dccp_hdr *dh,
+       return true;
+ }
++struct nf_conntrack_dccp_buf {
++      struct dccp_hdr dh;      /* generic header part */
++      struct dccp_hdr_ext ext; /* optional depending dh->dccph_x */
++      union {                  /* depends on header type */
++              struct dccp_hdr_ack_bits ack;
++              struct dccp_hdr_request req;
++              struct dccp_hdr_response response;
++              struct dccp_hdr_reset rst;
++      } u;
++};
++
++static struct dccp_hdr *
++dccp_header_pointer(const struct sk_buff *skb, int offset, const struct dccp_hdr *dh,
++                  struct nf_conntrack_dccp_buf *buf)
++{
++      unsigned int hdrlen = __dccp_hdr_len(dh);
++
++      if (hdrlen > sizeof(*buf))
++              return NULL;
++
++      return skb_header_pointer(skb, offset, hdrlen, buf);
++}
++
+ int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
+                            unsigned int dataoff,
+                            enum ip_conntrack_info ctinfo,
+                            const struct nf_hook_state *state)
+ {
+       enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+-      struct dccp_hdr _dh, *dh;
++      struct nf_conntrack_dccp_buf _dh;
+       u_int8_t type, old_state, new_state;
+       enum ct_dccp_roles role;
+       unsigned int *timeouts;
++      struct dccp_hdr *dh;
+-      dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
++      dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh);
+       if (!dh)
+               return NF_DROP;
+       if (dccp_error(dh, skb, dataoff, state))
+               return -NF_ACCEPT;
++      /* pull again, including possible 48 bit sequences and subtype header */
++      dh = dccp_header_pointer(skb, dataoff, dh, &_dh);
++      if (!dh)
++              return NF_DROP;
++
+       type = dh->dccph_type;
+       if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh))
+               return -NF_ACCEPT;
+-- 
+2.39.2
+
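Review bot: `dccp_header_pointer()` in net/netfilter/nf_conntrack_proto_dccp.c has no comment stating the invariant it enforces: the length computed from the packet by `__dccp_hdr_len(dh)` must not exceed `sizeof(*buf)` before `skb_header_pointer()` copies into the stack buffer. I would add above it `/* Re-pull the full header: dh must be the already validated generic header; hdrlen is capped at sizeof(*buf) so the copy stays inside the stack buffer. */`. Separately, the visible part of `dccp_error()` compares `dccph_doff * 4` only with `sizeof(struct dccp_hdr)` and the packet length. A packet whose data offset is shorter than the header length implied by its type therefore appears to pass, and the second pull would read type-specific fields from bytes the sender declared as payload. Part of `dccp_error()` lies outside the hunks, so this needs confirming against the full function.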
diff --git a/queue-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/queue-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
new file mode 100644 (file)
index 0000000..7555dff
--- /dev/null
@@ -0,0 +1,53 @@
+From b74a41236526cab841834be8c60c4dcace27e7ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jun 2023 11:23:46 +0000
+Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param()
+ return value.
+
+From: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ]
+
+ct_sip_parse_numerical_param() returns only 0 or 1 now.
+But process_register_request() and process_register_response() imply
+checking for a negative value if parsing of a numerical header parameter
+failed.
+The invocation in nf_nat_sip() looks correct:
+       if (ct_sip_parse_numerical_param(...) > 0 &&
+           ...) { ... }
+
+Make the return value of the function ct_sip_parse_numerical_param()
+a tristate to fix all the cases
+a) return 1 if value is found; *val is set
+b) return 0 if value is not found; *val is unchanged
+c) return -1 on error; *val is undefined
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations")
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 78fd9122b70c7..751df19fe0f8a 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -611,7 +611,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+       start += strlen(name);
+       *val = simple_strtoul(start, &end, 0);
+       if (start == end)
+-              return 0;
++              return -1;
+       if (matchoff && matchlen) {
+               *matchoff = start - dptr;
+               *matchlen = end - start;
+-- 
+2.39.2
+
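Review bot: The tristate contract described in the commit message is not recorded at `ct_sip_parse_numerical_param()` itself, and after this change any caller that tests the result for truth rather than `> 0` would treat the new -1 as a match. I would add a comment above the function, `/* Returns 1 if the parameter was found (*val set), 0 if it is absent (*val unchanged), -1 if its value cannot be parsed (*val undefined). */`. Note also that `*val` is assigned from `simple_strtoul()` before the `start == end` test, so on the -1 path the caller's variable has already been overwritten and must not be used. The function starts outside the hunk, so the not-found path could not be checked here.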
diff --git a/queue-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/queue-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
new file mode 100644 (file)
index 0000000..2c4fc92
--- /dev/null
@@ -0,0 +1,152 @@
+From 778da9b0089a01d054cff210e6250f4fdb1821da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jun 2023 09:43:13 -0700
+Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ]
+
+syzbot reported a warning in __local_bh_enable_ip(). [0]
+
+Commit 8d61f926d420 ("netlink: fix potential deadlock in
+netlink_set_err()") converted read_lock(&nl_table_lock) to
+read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock.
+
+However, __netlink_diag_dump() calls sock_i_ino() that uses
+read_lock_bh() and read_unlock_bh().  If CONFIG_TRACE_IRQFLAGS=y,
+read_unlock_bh() finally enables IRQ even though it should stay
+disabled until the following read_unlock_irqrestore().
+
+Using read_lock() in sock_i_ino() would trigger a lockdep splat
+in another place that was fixed in commit f064af1e500a ("net: fix
+a lockdep splat"), so let's add __sock_i_ino() that would be safe
+to use under BH disabled.
+
+[0]:
+WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
+Modules linked in:
+CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
+Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f
+RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046
+RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996
+RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3
+RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3
+R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4
+R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000
+FS:  0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sock_i_ino+0x83/0xa0 net/core/sock.c:2559
+ __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171
+ netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207
+ netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269
+ __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374
+ netlink_dump_start include/linux/netlink.h:329 [inline]
+ netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238
+ __sock_diag_cmd net/core/sock_diag.c:238 [inline]
+ sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269
+ netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547
+ sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0xde/0x190 net/socket.c:747
+ ____sys_sendmsg+0x71c/0x900 net/socket.c:2503
+ ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557
+ __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f5303aaabb9
+Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9
+RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()")
+Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h |  1 +
+ net/core/sock.c    | 17 ++++++++++++++---
+ net/netlink/diag.c |  2 +-
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 87e57f81ee82b..ee8630d6abc16 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1863,6 +1863,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
+ }
+ kuid_t sock_i_uid(struct sock *sk);
++unsigned long __sock_i_ino(struct sock *sk);
+ unsigned long sock_i_ino(struct sock *sk);
+ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 5e1dccbd61a60..d55eea5538bce 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2085,13 +2085,24 @@ kuid_t sock_i_uid(struct sock *sk)
+ }
+ EXPORT_SYMBOL(sock_i_uid);
+-unsigned long sock_i_ino(struct sock *sk)
++unsigned long __sock_i_ino(struct sock *sk)
+ {
+       unsigned long ino;
+-      read_lock_bh(&sk->sk_callback_lock);
++      read_lock(&sk->sk_callback_lock);
+       ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0;
+-      read_unlock_bh(&sk->sk_callback_lock);
++      read_unlock(&sk->sk_callback_lock);
++      return ino;
++}
++EXPORT_SYMBOL(__sock_i_ino);
++
++unsigned long sock_i_ino(struct sock *sk)
++{
++      unsigned long ino;
++
++      local_bh_disable();
++      ino = __sock_i_ino(sk);
++      local_bh_enable();
+       return ino;
+ }
+ EXPORT_SYMBOL(sock_i_ino);
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index 4143b2ea4195a..e4f21b1067bcc 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -168,7 +168,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+                                NETLINK_CB(cb->skb).portid,
+                                cb->nlh->nlmsg_seq,
+                                NLM_F_MULTI,
+-                               sock_i_ino(sk)) < 0) {
++                               __sock_i_ino(sk)) < 0) {
+                       ret = 1;
+                       break;
+               }
+-- 
+2.39.2
+
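Review bot: `__sock_i_ino()` in net/core/sock.c is exported but carries no comment stating its calling requirement. It takes `sk->sk_callback_lock` with plain `read_lock()`, so it is only safe when the caller already has bottom halves or IRQs disabled, as the commit message says `__netlink_diag_dump()` does. I would add above it `/* Caller must have BH disabled; use sock_i_ino() otherwise. */`, and the same hint next to the new prototype in include/net/sock.h. That keeps a later caller from picking this variant in process context and bringing back the lockdep problem the commit message attributes to commit f064af1e500a.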
diff --git a/queue-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/queue-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
new file mode 100644 (file)
index 0000000..3f63bf4
--- /dev/null
@@ -0,0 +1,157 @@
+From 5f258f295e9638b079527a816407f29a70aaf082 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jun 2023 17:47:20 +0000
+Subject: netlink: do not hard code device address lenth in fdb dumps
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ]
+
+syzbot reports that some netdev devices do not have a six bytes
+address [1]
+
+Replace ETH_ALEN by dev->addr_len.
+
+[1] (Case of a device where dev->addr_len = 4)
+
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
+instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+copyout+0xb8/0x100 lib/iov_iter.c:169
+_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
+copy_to_iter include/linux/uio.h:206 [inline]
+simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
+__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
+skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
+skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
+netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
+sock_recvmsg_nosec net/socket.c:1019 [inline]
+sock_recvmsg net/socket.c:1040 [inline]
+____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
+___sys_recvmsg+0x223/0x840 net/socket.c:2764
+do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
+__sys_recvmmsg net/socket.c:2937 [inline]
+__do_sys_recvmmsg net/socket.c:2960 [inline]
+__se_sys_recvmmsg net/socket.c:2953 [inline]
+__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was stored to memory at:
+__nla_put lib/nlattr.c:1009 [inline]
+nla_put+0x1c6/0x230 lib/nlattr.c:1067
+nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
+nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
+ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
+rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
+netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
+netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
+sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
+____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
+___sys_recvmsg+0x223/0x840 net/socket.c:2764
+do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
+__sys_recvmmsg net/socket.c:2937 [inline]
+__do_sys_recvmmsg net/socket.c:2960 [inline]
+__se_sys_recvmmsg net/socket.c:2953 [inline]
+__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
+slab_alloc_node mm/slub.c:3451 [inline]
+__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
+kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
+kmalloc include/linux/slab.h:559 [inline]
+__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
+__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
+__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
+dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
+igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
+ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
+ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
+addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
+addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
+notifier_call_chain kernel/notifier.c:93 [inline]
+raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
+call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
+call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
+bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
+do_set_master net/core/rtnetlink.c:2626 [inline]
+rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
+__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
+rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
+rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
+netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
+rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0x999/0xd50 net/socket.c:2503
+___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
+__sys_sendmsg net/socket.c:2586 [inline]
+__do_sys_sendmsg net/socket.c:2595 [inline]
+__se_sys_sendmsg net/socket.c:2593 [inline]
+__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Bytes 2856-2857 of 3500 are uninitialized
+Memory access of size 3500 starts at ffff888018d99104
+Data copied to user address 0000000020000480
+
+Fixes: d83b06036048 ("net: add fdb generic dump routine")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 0b0107797e490..1db92a44548f0 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3586,7 +3586,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
+       ndm->ndm_ifindex = dev->ifindex;
+       ndm->ndm_state   = ndm_state;
+-      if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr))
++      if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr))
+               goto nla_put_failure;
+       if (vid)
+               if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid))
+@@ -3600,10 +3600,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
+       return -EMSGSIZE;
+ }
+-static inline size_t rtnl_fdb_nlmsg_size(void)
++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev)
+ {
+       return NLMSG_ALIGN(sizeof(struct ndmsg)) +
+-             nla_total_size(ETH_ALEN) +       /* NDA_LLADDR */
++             nla_total_size(dev->addr_len) +  /* NDA_LLADDR */
+              nla_total_size(sizeof(u16)) +    /* NDA_VLAN */
+              0;
+ }
+@@ -3615,7 +3615,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type,
+       struct sk_buff *skb;
+       int err = -ENOBUFS;
+-      skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC);
++      skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC);
+       if (!skb)
+               goto errout;
+-- 
+2.39.2
+
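Review bot: In `nlmsg_populate_fdb_fill()` the length passed to `nla_put()` now comes from `dev->addr_len`, but nothing in the hunks shows that the `addr` buffer holds that many bytes. `rtnl_fdb_notify()` receives `addr` as a bare `u8 *` from callers outside the hunks; if any of them validated the buffer against `ETH_ALEN` only, a device with a hardware address longer than six bytes would make `nla_put()` read past the caller's buffer into the netlink message. I would confirm every caller and record the requirement at both functions, e.g. `/* addr must point to at least dev->addr_len bytes */`. Both functions begin outside the hunks shown.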
diff --git a/queue-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/queue-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch
new file mode 100644 (file)
index 0000000..dcb8e7d
--- /dev/null
@@ -0,0 +1,117 @@
+From 948b5b0cabac04cbb909065b88e8498feb9c99ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jun 2023 15:43:37 +0000
+Subject: netlink: fix potential deadlock in netlink_set_err()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ]
+
+syzbot reported a possible deadlock in netlink_set_err() [1]
+
+A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs
+for netlink_lock_table()") in netlink_lock_table()
+
+This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()
+which were not covered by cited commit.
+
+[1]
+
+WARNING: possible irq lock inversion dependency detected
+6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted
+
+syz-executor.2/23011 just changed the state of lock:
+ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612
+but this lock was taken by another, SOFTIRQ-safe lock in the past:
+ (&local->queue_stop_reason_lock){..-.}-{2:2}
+
+and interrupts could create inverse lock ordering between them.
+
+other info that might help us debug this:
+ Possible interrupt unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(nl_table_lock);
+                               local_irq_disable();
+                               lock(&local->queue_stop_reason_lock);
+                               lock(nl_table_lock);
+  <Interrupt>
+    lock(&local->queue_stop_reason_lock);
+
+ *** DEADLOCK ***
+
+Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()")
+Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c
+Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 5 +++--
+ net/netlink/diag.c       | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index bf7e300e8c25d..29eabd45b832a 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1601,6 +1601,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p)
+ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
+ {
+       struct netlink_set_err_data info;
++      unsigned long flags;
+       struct sock *sk;
+       int ret = 0;
+@@ -1610,12 +1611,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
+       /* sk->sk_err wants a positive error value */
+       info.code = -code;
+-      read_lock(&nl_table_lock);
++      read_lock_irqsave(&nl_table_lock, flags);
+       sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list)
+               ret += do_one_set_err(sk, &info);
+-      read_unlock(&nl_table_lock);
++      read_unlock_irqrestore(&nl_table_lock, flags);
+       return ret;
+ }
+ EXPORT_SYMBOL(netlink_set_err);
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index c6255eac305c7..4143b2ea4195a 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -94,6 +94,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+       struct net *net = sock_net(skb->sk);
+       struct netlink_diag_req *req;
+       struct netlink_sock *nlsk;
++      unsigned long flags;
+       struct sock *sk;
+       int num = 2;
+       int ret = 0;
+@@ -152,7 +153,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+       num++;
+ mc_list:
+-      read_lock(&nl_table_lock);
++      read_lock_irqsave(&nl_table_lock, flags);
+       sk_for_each_bound(sk, &tbl->mc_list) {
+               if (sk_hashed(sk))
+                       continue;
+@@ -173,7 +174,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+               }
+               num++;
+       }
+-      read_unlock(&nl_table_lock);
++      read_unlock_irqrestore(&nl_table_lock, flags);
+ done:
+       cb->args[0] = num;
+-- 
+2.39.2
+
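Review bot: Neither `read_lock_irqsave(&nl_table_lock, flags)` site, in `netlink_set_err()` or in `__netlink_diag_dump()`, carries a comment saying why the IRQ-safe variant is required, so a later cleanup could quietly turn them back into plain `read_lock()`. A one-line comment above each would record the reason given in the lockdep report, for example `/* nl_table_lock nests inside SOFTIRQ-safe locks; keep IRQs off to avoid lock inversion */`. In `__netlink_diag_dump()` the whole `sk_for_each_bound(sk, &tbl->mc_list)` walk now runs with interrupts disabled. The loop body lies mostly outside the hunks, so it is worth confirming that the work done per socket there is short and cannot sleep. Both functions start and end outside the visible hunks.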
diff --git a/queue-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch b/queue-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
new file mode 100644 (file)
index 0000000..9ac1d73
--- /dev/null
@@ -0,0 +1,465 @@
+From d7791cb815175aa568c4ce42a8772e693d9331a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 16:41:59 +0200
+Subject: nfc: constify several pointers to u8, char and sk_buff
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ]
+
+Several functions receive pointers to u8, char or sk_buff but do not
+modify the contents so make them const.  This allows doing the same for
+local variables and in total makes the code a little bit safer.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h   |  4 ++--
+ net/nfc/core.c          |  4 ++--
+ net/nfc/hci/llc_shdlc.c | 10 ++++-----
+ net/nfc/llcp.h          |  8 +++----
+ net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++-------------------
+ net/nfc/llcp_core.c     | 44 +++++++++++++++++++++------------------
+ net/nfc/nfc.h           |  2 +-
+ 7 files changed, 63 insertions(+), 55 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index 5d277d68fd8d9..c55e72474eb2b 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -266,7 +266,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk,
+ struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp);
+ int nfc_set_remote_general_bytes(struct nfc_dev *dev,
+-                               u8 *gt, u8 gt_len);
++                               const u8 *gt, u8 gt_len);
+ u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len);
+ int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name,
+@@ -280,7 +280,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx,
+                      u8 comm_mode, u8 rf_mode);
+ int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode,
+-                   u8 *gb, size_t gb_len);
++                   const u8 *gb, size_t gb_len);
+ int nfc_tm_deactivated(struct nfc_dev *dev);
+ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb);
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index 2d4729d1f0eb9..fef112fb49930 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -634,7 +634,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx)
+       return rc;
+ }
+-int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len)
++int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
+ {
+       pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len);
+@@ -663,7 +663,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb)
+ EXPORT_SYMBOL(nfc_tm_data_received);
+ int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode,
+-                   u8 *gb, size_t gb_len)
++                   const u8 *gb, size_t gb_len)
+ {
+       int rc;
+diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c
+index 0eb4ddc056e78..02909e3e91ef1 100644
+--- a/net/nfc/hci/llc_shdlc.c
++++ b/net/nfc/hci/llc_shdlc.c
+@@ -123,7 +123,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z)
+               return ((y >= x) || (y < z)) ? true : false;
+ }
+-static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc,
++static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc,
+                                          int payload_len)
+ {
+       struct sk_buff *skb;
+@@ -137,7 +137,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc,
+ }
+ /* immediately sends an S frame. */
+-static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc,
++static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc,
+                                 enum sframe_type sframe_type, int nr)
+ {
+       int r;
+@@ -159,7 +159,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc,
+ }
+ /* immediately sends an U frame. skb may contain optional payload */
+-static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc,
++static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc,
+                                 struct sk_buff *skb,
+                                 enum uframe_modifier uframe_modifier)
+ {
+@@ -361,7 +361,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r)
+       wake_up(shdlc->connect_wq);
+ }
+-static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc)
++static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc)
+ {
+       struct sk_buff *skb;
+@@ -377,7 +377,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc)
+       return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET);
+ }
+-static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc)
++static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc)
+ {
+       struct sk_buff *skb;
+diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h
+index 97853c9cefc70..d49d4bf2e37c8 100644
+--- a/net/nfc/llcp.h
++++ b/net/nfc/llcp.h
+@@ -221,15 +221,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock);
+ /* TLV API */
+ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
+-                        u8 *tlv_array, u16 tlv_array_len);
++                        const u8 *tlv_array, u16 tlv_array_len);
+ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
+-                                u8 *tlv_array, u16 tlv_array_len);
++                                const u8 *tlv_array, u16 tlv_array_len);
+ /* Commands API */
+ void nfc_llcp_recv(void *data, struct sk_buff *skb, int err);
+-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length);
++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length);
+ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap);
+-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri,
+                                                 size_t uri_len);
+ void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp);
+ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head);
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index 475061c79c442..3c4172a5aeb5e 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -15,7 +15,7 @@
+ #include "nfc.h"
+ #include "llcp.h"
+-static u8 llcp_tlv_length[LLCP_TLV_MAX] = {
++static const u8 llcp_tlv_length[LLCP_TLV_MAX] = {
+       0,
+       1, /* VERSION */
+       2, /* MIUX */
+@@ -29,7 +29,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = {
+ };
+-static u8 llcp_tlv8(u8 *tlv, u8 type)
++static u8 llcp_tlv8(const u8 *tlv, u8 type)
+ {
+       if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]])
+               return 0;
+@@ -37,7 +37,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type)
+       return tlv[2];
+ }
+-static u16 llcp_tlv16(u8 *tlv, u8 type)
++static u16 llcp_tlv16(const u8 *tlv, u8 type)
+ {
+       if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]])
+               return 0;
+@@ -46,37 +46,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type)
+ }
+-static u8 llcp_tlv_version(u8 *tlv)
++static u8 llcp_tlv_version(const u8 *tlv)
+ {
+       return llcp_tlv8(tlv, LLCP_TLV_VERSION);
+ }
+-static u16 llcp_tlv_miux(u8 *tlv)
++static u16 llcp_tlv_miux(const u8 *tlv)
+ {
+       return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff;
+ }
+-static u16 llcp_tlv_wks(u8 *tlv)
++static u16 llcp_tlv_wks(const u8 *tlv)
+ {
+       return llcp_tlv16(tlv, LLCP_TLV_WKS);
+ }
+-static u16 llcp_tlv_lto(u8 *tlv)
++static u16 llcp_tlv_lto(const u8 *tlv)
+ {
+       return llcp_tlv8(tlv, LLCP_TLV_LTO);
+ }
+-static u8 llcp_tlv_opt(u8 *tlv)
++static u8 llcp_tlv_opt(const u8 *tlv)
+ {
+       return llcp_tlv8(tlv, LLCP_TLV_OPT);
+ }
+-static u8 llcp_tlv_rw(u8 *tlv)
++static u8 llcp_tlv_rw(const u8 *tlv)
+ {
+       return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf;
+ }
+-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length)
++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length)
+ {
+       u8 *tlv, length;
+@@ -130,7 +130,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap)
+       return sdres;
+ }
+-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri,
+                                                 size_t uri_len)
+ {
+       struct nfc_llcp_sdp_tlv *sdreq;
+@@ -190,9 +190,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head)
+ }
+ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
+-                        u8 *tlv_array, u16 tlv_array_len)
++                        const u8 *tlv_array, u16 tlv_array_len)
+ {
+-      u8 *tlv = tlv_array, type, length, offset = 0;
++      const u8 *tlv = tlv_array;
++      u8 type, length, offset = 0;
+       pr_debug("TLV array length %d\n", tlv_array_len);
+@@ -239,9 +240,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
+ }
+ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
+-                                u8 *tlv_array, u16 tlv_array_len)
++                                const u8 *tlv_array, u16 tlv_array_len)
+ {
+-      u8 *tlv = tlv_array, type, length, offset = 0;
++      const u8 *tlv = tlv_array;
++      u8 type, length, offset = 0;
+       pr_debug("TLV array length %d\n", tlv_array_len);
+@@ -295,7 +297,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu,
+       return pdu;
+ }
+-static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv,
++static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv,
+                                   u8 tlv_length)
+ {
+       /* XXX Add an skb length check */
+@@ -389,9 +391,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
+ {
+       struct nfc_llcp_local *local;
+       struct sk_buff *skb;
+-      u8 *service_name_tlv = NULL, service_name_tlv_length;
+-      u8 *miux_tlv = NULL, miux_tlv_length;
+-      u8 *rw_tlv = NULL, rw_tlv_length, rw;
++      const u8 *service_name_tlv = NULL;
++      const u8 *miux_tlv = NULL;
++      const u8 *rw_tlv = NULL;
++      u8 service_name_tlv_length, miux_tlv_length,  rw_tlv_length, rw;
+       int err;
+       u16 size = 0;
+       __be16 miux;
+@@ -465,8 +468,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
+ {
+       struct nfc_llcp_local *local;
+       struct sk_buff *skb;
+-      u8 *miux_tlv = NULL, miux_tlv_length;
+-      u8 *rw_tlv = NULL, rw_tlv_length, rw;
++      const u8 *miux_tlv = NULL;
++      const u8 *rw_tlv = NULL;
++      u8 miux_tlv_length, rw_tlv_length, rw;
+       int err;
+       u16 size = 0;
+       __be16 miux;
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index edadebb3efd2a..fd43e75abd948 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -302,7 +302,7 @@ static char *wks[] = {
+       "urn:nfc:sn:snep",
+ };
+-static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len)
++static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
+ {
+       int sap, num_wks;
+@@ -326,7 +326,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len)
+ static
+ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
+-                                          u8 *sn, size_t sn_len)
++                                          const u8 *sn, size_t sn_len)
+ {
+       struct sock *sk;
+       struct nfc_llcp_sock *llcp_sock, *tmp_sock;
+@@ -523,7 +523,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
+ {
+       u8 *gb_cur, version, version_length;
+       u8 lto_length, wks_length, miux_length;
+-      u8 *version_tlv = NULL, *lto_tlv = NULL,
++      const u8 *version_tlv = NULL, *lto_tlv = NULL,
+          *wks_tlv = NULL, *miux_tlv = NULL;
+       __be16 wks = cpu_to_be16(local->local_wks);
+       u8 gb_len = 0;
+@@ -613,7 +613,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
+       return local->gb;
+ }
+-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
+ {
+       struct nfc_llcp_local *local;
+@@ -640,27 +640,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
+                                    local->remote_gb_len - 3);
+ }
+-static u8 nfc_llcp_dsap(struct sk_buff *pdu)
++static u8 nfc_llcp_dsap(const struct sk_buff *pdu)
+ {
+       return (pdu->data[0] & 0xfc) >> 2;
+ }
+-static u8 nfc_llcp_ptype(struct sk_buff *pdu)
++static u8 nfc_llcp_ptype(const struct sk_buff *pdu)
+ {
+       return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6);
+ }
+-static u8 nfc_llcp_ssap(struct sk_buff *pdu)
++static u8 nfc_llcp_ssap(const struct sk_buff *pdu)
+ {
+       return pdu->data[1] & 0x3f;
+ }
+-static u8 nfc_llcp_ns(struct sk_buff *pdu)
++static u8 nfc_llcp_ns(const struct sk_buff *pdu)
+ {
+       return pdu->data[2] >> 4;
+ }
+-static u8 nfc_llcp_nr(struct sk_buff *pdu)
++static u8 nfc_llcp_nr(const struct sk_buff *pdu)
+ {
+       return pdu->data[2] & 0xf;
+ }
+@@ -802,7 +802,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local
+ }
+ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
+-                                                u8 *sn, size_t sn_len)
++                                                const u8 *sn, size_t sn_len)
+ {
+       struct nfc_llcp_sock *llcp_sock;
+@@ -816,9 +816,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
+       return llcp_sock;
+ }
+-static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len)
++static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
+ {
+-      u8 *tlv = &skb->data[2], type, length;
++      u8 type, length;
++      const u8 *tlv = &skb->data[2];
+       size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0;
+       while (offset < tlv_array_len) {
+@@ -876,7 +877,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
+ }
+ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
+-                                struct sk_buff *skb)
++                                const struct sk_buff *skb)
+ {
+       struct sock *new_sk, *parent;
+       struct nfc_llcp_sock *sock, *new_sock;
+@@ -894,7 +895,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
+                       goto fail;
+               }
+       } else {
+-              u8 *sn;
++              const u8 *sn;
+               size_t sn_len;
+               sn = nfc_llcp_connect_sn(skb, &sn_len);
+@@ -1113,7 +1114,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
+ }
+ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
+-                             struct sk_buff *skb)
++                             const struct sk_buff *skb)
+ {
+       struct nfc_llcp_sock *llcp_sock;
+       struct sock *sk;
+@@ -1156,7 +1157,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
+       nfc_llcp_sock_put(llcp_sock);
+ }
+-static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb)
++static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
++                           const struct sk_buff *skb)
+ {
+       struct nfc_llcp_sock *llcp_sock;
+       struct sock *sk;
+@@ -1189,7 +1191,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb)
+       nfc_llcp_sock_put(llcp_sock);
+ }
+-static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
++static void nfc_llcp_recv_dm(struct nfc_llcp_local *local,
++                           const struct sk_buff *skb)
+ {
+       struct nfc_llcp_sock *llcp_sock;
+       struct sock *sk;
+@@ -1227,12 +1230,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
+ }
+ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+-                            struct sk_buff *skb)
++                            const struct sk_buff *skb)
+ {
+       struct nfc_llcp_sock *llcp_sock;
+-      u8 dsap, ssap, *tlv, type, length, tid, sap;
++      u8 dsap, ssap, type, length, tid, sap;
++      const u8 *tlv;
+       u16 tlv_len, offset;
+-      char *service_name;
++      const char *service_name;
+       size_t service_name_len;
+       struct nfc_llcp_sdp_tlv *sdp;
+       HLIST_HEAD(llc_sdres_list);
+diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h
+index 889fefd64e56b..de2ec66d7e83a 100644
+--- a/net/nfc/nfc.h
++++ b/net/nfc/nfc.h
+@@ -48,7 +48,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
+                       u8 comm_mode, u8 rf_mode);
+ int nfc_llcp_register_device(struct nfc_dev *dev);
+ void nfc_llcp_unregister_device(struct nfc_dev *dev);
+-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len);
++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len);
+ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len);
+ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb);
+ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
+-- 
+2.39.2
+
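Review bot: In `nfc_llcp_connect_sn()` (net/nfc/llcp_core.c) the unchanged initialiser `size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE` wraps to a very large value when `skb->len` is smaller than the header, and that value then bounds the `while (offset < tlv_array_len)` loop over `tlv`. Whether every caller guarantees the minimum length is not visible here, so an explicit guard ahead of the loop, `if (skb->len < LLCP_HEADER_SIZE)` with the function's existing "not found" return, would make the bound local to the parser. The function body continues outside the hunk, so the exact return value should be checked against the rest of it. As a style point in the same file, `static char *wks[]` stays non-const although `nfc_llcp_wks_sap()` now takes `const char *`; `static const char * const wks[]` would match the intent of the change.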
diff --git a/queue-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch b/queue-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
new file mode 100644 (file)
index 0000000..07e924f
--- /dev/null
@@ -0,0 +1,41 @@
+From c435c43b07ef6b17b7b90f150282902f2a503788 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 May 2023 13:52:04 +0200
+Subject: nfc: llcp: fix possible use of uninitialized variable in
+ nfc_llcp_send_connect()
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ]
+
+If sock->service_name is NULL, the local variable
+service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(),
+later leading to using value frmo the stack.  Smatch warning:
+
+  net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'.
+
+Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index 3c4172a5aeb5e..bb9f40563ff63 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -394,7 +394,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
+       const u8 *service_name_tlv = NULL;
+       const u8 *miux_tlv = NULL;
+       const u8 *rw_tlv = NULL;
+-      u8 service_name_tlv_length, miux_tlv_length,  rw_tlv_length, rw;
++      u8 service_name_tlv_length = 0;
++      u8 miux_tlv_length,  rw_tlv_length, rw;
+       int err;
+       u16 size = 0;
+       __be16 miux;
+-- 
+2.39.2
+
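Review bot: On the line after the fix, `u8 miux_tlv_length,  rw_tlv_length, rw;` still leaves the two sibling length variables uninitialised and keeps a stray double space. Only `service_name_tlv_length` was reported by Smatch, but the three lengths are used in the same way alongside pointers that are all initialised to `NULL`. Initialising them together, `u8 miux_tlv_length = 0, rw_tlv_length = 0, rw;`, would keep the declarations consistent and remove the need to reason about each path separately. Whether the other two can actually be read before assignment depends on code in `nfc_llcp_send_connect()` outside this hunk.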
diff --git a/queue-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch b/queue-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch
new file mode 100644 (file)
index 0000000..cd0d7f1
--- /dev/null
@@ -0,0 +1,51 @@
+From 03432eeff906bb9019659266c1377b092d9035c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Mar 2022 20:25:19 +0100
+Subject: nfc: llcp: simplify llcp_sock_connect() error paths
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit ec10fd154d934cc4195da3cbd017a12817b41d51 ]
+
+The llcp_sock_connect() error paths were using a mixed way of central
+exit (goto) and cleanup
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by nfc_llcp_find_local")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_sock.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
+index bd2174699af97..1c1748b86fae7 100644
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -712,10 +712,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
+       llcp_sock->local = nfc_llcp_local_get(local);
+       llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
+       if (llcp_sock->ssap == LLCP_SAP_MAX) {
+-              nfc_llcp_local_put(llcp_sock->local);
+-              llcp_sock->local = NULL;
+               ret = -ENOMEM;
+-              goto put_dev;
++              goto sock_llcp_put_local;
+       }
+       llcp_sock->reserved_ssap = llcp_sock->ssap;
+@@ -760,8 +758,11 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
+ sock_llcp_release:
+       nfc_llcp_put_ssap(local, llcp_sock->ssap);
++
++sock_llcp_put_local:
+       nfc_llcp_local_put(llcp_sock->local);
+       llcp_sock->local = NULL;
++      llcp_sock->dev = NULL;
+ put_dev:
+       nfc_put_device(dev);
+-- 
+2.39.2
+
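Review bot: The added `llcp_sock->dev = NULL;` under `sock_llcp_put_local:` is a behaviour change that the description ("simplify ... error paths") does not mention, and it applies to the pre-existing `sock_llcp_release` path as well because that label falls through. A short comment at the label would make the intent explicit, for example `/* drop the local and device references taken above; clear both pointers so the socket holds no stale reference */`. Error paths that jump straight to `put_dev:` skip this clearing. That is only correct if `llcp_sock->dev` is assigned after the last such jump, which cannot be confirmed here because `llcp_sock_connect()` starts and ends outside the hunks.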
diff --git a/queue-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch b/queue-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch
new file mode 100644 (file)
index 0000000..9311b10
--- /dev/null
@@ -0,0 +1,41 @@
+From c75abb197fd47273f1a9756a46daaf04dc03bb9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jun 2023 17:32:25 -0400
+Subject: NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+[ Upstream commit c907e72f58ed979a24a9fdcadfbc447c51d5e509 ]
+
+When the client received NFS4ERR_BADSESSION, it schedules recovery
+and start the state manager thread which in turn freezes the
+session table and does not allow for any new requests to use the
+no-longer valid session. However, it is possible that before
+the state manager thread runs, a new operation would use the
+released slot that received BADSESSION and was therefore not
+updated its sequence number. Such re-use of the slot can lead
+the application errors.
+
+Fixes: 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index c54dd49c993c5..231da9fadf098 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -915,6 +915,7 @@ static int nfs41_sequence_process(struct rpc_task *task,
+ out_noaction:
+       return ret;
+ session_recover:
++      set_bit(NFS4_SLOT_TBL_DRAINING, &session->fc_slot_table.slot_tbl_state);
+       nfs4_schedule_session_recovery(session, status);
+       dprintk("%s ERROR: %d Reset session\n", __func__, status);
+       nfs41_sequence_free_slot(res);
+-- 
+2.39.2
+
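Review bot: The new `set_bit(NFS4_SLOT_TBL_DRAINING, &session->fc_slot_table.slot_tbl_state);` under `session_recover:` has no comment, and its ordering before `nfs4_schedule_session_recovery()` and `nfs41_sequence_free_slot()` is what closes the window described in the commit message. A comment would stop a later reorder from reopening it, for example `/* Freeze the slot table before the slot is freed, so no new request reuses it ahead of the state manager */`. Where the bit is cleared again after recovery is not visible in this hunk; the comment could name that place once confirmed. `nfs41_sequence_process()` starts and ends outside the hunk.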
diff --git a/queue-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/queue-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch
new file mode 100644 (file)
index 0000000..66f54ef
--- /dev/null
@@ -0,0 +1,39 @@
+From db25f854d571d3fcae22d49953b6f83a15aafd41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 18:27:44 +0800
+Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI
+
+From: Sui Jingfeng <suijingfeng@loongson.cn>
+
+[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ]
+
+Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that
+support both PCI and platform devices don't need #ifdefs or extra Kconfig
+symbols for the PCI parts.
+
+[bhelgaas: commit log]
+Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()")
+Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn
+Signed-off-by: Sui Jingfeng <suijingfeng@loongson.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/pci.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index fc343d123127b..1cd5caa567cf5 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1687,6 +1687,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class,
+ #define pci_dev_put(dev)      do { } while (0)
+ static inline void pci_set_master(struct pci_dev *dev) { }
++static inline void pci_clear_master(struct pci_dev *dev) { }
+ static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; }
+ static inline void pci_disable_device(struct pci_dev *dev) { }
+ static inline int pci_assign_resource(struct pci_dev *dev, int i)
+-- 
+2.39.2
+
diff --git a/queue-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch b/queue-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch
new file mode 100644 (file)
index 0000000..9806e4f
--- /dev/null
@@ -0,0 +1,94 @@
+From 32b72de1b29eb74c3946b4b5b4d5775d6514b4dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 May 2023 11:40:57 +0800
+Subject: PCI/ASPM: Disable ASPM on MFD function removal to avoid
+ use-after-free
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+[ Upstream commit 456d8aa37d0f56fc9e985e812496e861dcd6f2f2 ]
+
+Struct pcie_link_state->downstream is a pointer to the pci_dev of function
+0.  Previously we retained that pointer when removing function 0, and
+subsequent ASPM policy changes dereferenced it, resulting in a
+use-after-free warning from KASAN, e.g.:
+
+  # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove
+  # echo powersave > /sys/module/pcie_aspm/parameters/policy
+
+  BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500
+  Call Trace:
+   kasan_report+0xae/0xe0
+   pcie_config_aspm_link+0x42d/0x500
+   pcie_aspm_set_policy+0x8e/0x1a0
+   param_attr_store+0x162/0x2c0
+   module_attr_store+0x3e/0x80
+
+PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM
+Control value in all functions of multi-function devices.
+
+Disable ASPM and free the pcie_link_state when any child function is
+removed so we can discard the dangling pcie_link_state->downstream pointer
+and maintain the same ASPM Control configuration for all functions.
+
+[bhelgaas: commit log and comment]
+Debugged-by: Zongquan Qin <qinzongquan@sangfor.com.cn>
+Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
+Fixes: b5a0a9b59c81 ("PCI/ASPM: Read and set up L1 substate capabilities")
+Link: https://lore.kernel.org/r/20230507034057.20970-1-dinghui@sangfor.com.cn
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/aspm.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
+index 7624c71011c6e..d8d27b11b48c4 100644
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -991,21 +991,24 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+       down_read(&pci_bus_sem);
+       mutex_lock(&aspm_lock);
+-      /*
+-       * All PCIe functions are in one slot, remove one function will remove
+-       * the whole slot, so just wait until we are the last function left.
+-       */
+-      if (!list_empty(&parent->subordinate->devices))
+-              goto out;
+       link = parent->link_state;
+       root = link->root;
+       parent_link = link->parent;
+-      /* All functions are removed, so just disable ASPM for the link */
++      /*
++       * link->downstream is a pointer to the pci_dev of function 0.  If
++       * we remove that function, the pci_dev is about to be deallocated,
++       * so we can't use link->downstream again.  Free the link state to
++       * avoid this.
++       *
++       * If we're removing a non-0 function, it's possible we could
++       * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends
++       * programming the same ASPM Control value for all functions of
++       * multi-function devices, so disable ASPM for all of them.
++       */
+       pcie_config_aspm_link(link, 0);
+       list_del(&link->sibling);
+-      /* Clock PM is for endpoint device */
+       free_link_state(link);
+       /* Recheck latencies and configure upstream links */
+@@ -1013,7 +1016,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+               pcie_update_aspm_capable(root);
+               pcie_config_aspm_path(parent_link);
+       }
+-out:
++
+       mutex_unlock(&aspm_lock);
+       up_read(&pci_bus_sem);
+ }
+-- 
+2.39.2
+
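Review bot: With the `list_empty(&parent->subordinate->devices)` early exit removed, `link = parent->link_state;` followed by `root = link->root;` is now reached on every function removal, not only the last one. After the first call has run `free_link_state(link)`, later calls for sibling functions depend on a NULL check of `parent->link_state` that is not visible in this hunk. If that check sits before `down_read(&pci_bus_sem)` and `mutex_lock(&aspm_lock)`, it is evaluated outside the lock that serialises the free. It is worth confirming the guard exists and, ideally, re-testing under `aspm_lock` with something like `if (!link) goto unlock;`, which would need a label to replace the removed `out:`. The start of `pcie_aspm_exit_link_state()` is outside the hunk, so this is a point to verify, not a confirmed defect.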
diff --git a/queue-5.4/pci-ftpci100-release-the-clock-resources.patch b/queue-5.4/pci-ftpci100-release-the-clock-resources.patch
new file mode 100644 (file)
index 0000000..d415b4a
--- /dev/null
@@ -0,0 +1,75 @@
+From d9c83ad50e70e515f58d592e5a298a460e44da62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 12:36:41 +0800
+Subject: PCI: ftpci100: Release the clock resources
+
+From: Junyan Ye <yejunyan@hust.edu.cn>
+
+[ Upstream commit c60738de85f40b0b9f5cb23c21f9246e5a47908c ]
+
+Smatch reported:
+1. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn:
+'clk' from clk_prepare_enable() not released on lines: 442,451,462,478,512,517.
+2. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn:
+'p->bus_clk' from clk_prepare_enable() not released on lines: 451,462,478,512,517.
+
+The clock resource is obtained by devm_clk_get(), and then
+clk_prepare_enable() makes the clock resource ready for use. After that,
+clk_disable_unprepare() should be called to release the clock resource
+when it is no longer needed. However, while doing some error handling
+in faraday_pci_probe(), clk_disable_unprepare() is not called to release
+clk and p->bus_clk before returning. These return lines are exactly 442,
+451, 462, 478, 512, 517.
+
+Fix this warning by replacing devm_clk_get() with devm_clk_get_enabled(),
+which is equivalent to devm_clk_get() + clk_prepare_enable(). And with
+devm_clk_get_enabled(), the clock will automatically be disabled,
+unprepared and freed when the device is unbound from the bus.
+
+Link: https://lore.kernel.org/r/20230508043641.23807-1-yejunyan@hust.edu.cn
+Fixes: b3c433efb8a3 ("PCI: faraday: Fix wrong pointer passed to PTR_ERR()")
+Fixes: 2eeb02b28579 ("PCI: faraday: Add clock handling")
+Fixes: 783a862563f7 ("PCI: faraday: Use pci_parse_request_of_pci_ranges()")
+Fixes: d3c68e0a7e34 ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver")
+Fixes: f1e8bd21e39e ("PCI: faraday: Convert IRQ masking to raw PCI config accessors")
+Signed-off-by: Junyan Ye <yejunyan@hust.edu.cn>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-ftpci100.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-ftpci100.c b/drivers/pci/controller/pci-ftpci100.c
+index bf5ece5d9291f..88983fd0c1bdd 100644
+--- a/drivers/pci/controller/pci-ftpci100.c
++++ b/drivers/pci/controller/pci-ftpci100.c
+@@ -458,22 +458,12 @@ static int faraday_pci_probe(struct platform_device *pdev)
+       p->dev = dev;
+       /* Retrieve and enable optional clocks */
+-      clk = devm_clk_get(dev, "PCLK");
++      clk = devm_clk_get_enabled(dev, "PCLK");
+       if (IS_ERR(clk))
+               return PTR_ERR(clk);
+-      ret = clk_prepare_enable(clk);
+-      if (ret) {
+-              dev_err(dev, "could not prepare PCLK\n");
+-              return ret;
+-      }
+-      p->bus_clk = devm_clk_get(dev, "PCICLK");
++      p->bus_clk = devm_clk_get_enabled(dev, "PCICLK");
+       if (IS_ERR(p->bus_clk))
+               return PTR_ERR(p->bus_clk);
+-      ret = clk_prepare_enable(p->bus_clk);
+-      if (ret) {
+-              dev_err(dev, "could not prepare PCICLK\n");
+-              return ret;
+-      }
+       regs = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       p->base = devm_ioremap_resource(dev, regs);
+-- 
+2.39.2
+
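Review bot: `devm_clk_get_enabled()` on the two changed lines of faraday_pci_probe() is, as far as I know, a helper that entered the clk framework well after 5.4, so this backport only builds if the 5.4 tree or this queue also carries the patch that introduces it; nothing on this page shows that. If it is not available, keep `devm_clk_get()` + `clk_prepare_enable()` and release the clocks on the later error returns, for example through a `devm_add_action_or_reset()` callback that calls `clk_disable_unprepare()`. The context comment still says "optional clocks" although neither call is an optional variant. The probe body continues outside the inner hunk.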
diff --git a/queue-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch b/queue-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch
new file mode 100644 (file)
index 0000000..939d1ce
--- /dev/null
@@ -0,0 +1,74 @@
+From 5b574f7d148a6cd0058b8187e37a6e1b390861e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 10:15:18 +0800
+Subject: PCI: pciehp: Cancel bringup sequence if card is not present
+
+From: Rongguang Wei <weirongguang@kylinos.cn>
+
+[ Upstream commit e8afd0d9fccc27c8ad263db5cf5952cfcf72d6fe ]
+
+If a PCIe hotplug slot has an Attention Button, the normal hot-add flow is:
+
+  - Slot is empty and slot power is off
+  - User inserts card in slot and presses Attention Button
+  - OS blinks Power Indicator for 5 seconds
+  - After 5 seconds, OS turns on Power Indicator, turns on slot power, and
+    enumerates the device
+
+Previously, if a user pressed the Attention Button on an *empty* slot,
+pciehp logged the following messages and blinked the Power Indicator
+until a second button press:
+
+  [0.000] pciehp: Button press: will power on in 5 sec
+  [0.001] # Power Indicator starts blinking
+  [5.001] # 5 second timeout; slot is empty, so we should cancel the
+            request to power on and turn off Power Indicator
+
+  [7.000] # Power Indicator still blinking
+  [8.000] # possible card insertion
+  [9.000] pciehp: Button press: canceling request to power on
+
+The first button press incorrectly left the slot in BLINKINGON_STATE, so
+the second was interpreted as a "cancel power on" event regardless of
+whether a card was present.
+
+If the slot is empty, turn off the Power Indicator and return from
+BLINKINGON_STATE to OFF_STATE after 5 seconds, effectively canceling the
+request to power on.  Putting the slot in OFF_STATE also means the second
+button press will correctly request a slot power on if the slot is
+occupied.
+
+[bhelgaas: commit log]
+Link: https://lore.kernel.org/r/20230512021518.336460-1-clementwei90@163.com
+Fixes: d331710ea78f ("PCI: pciehp: Become resilient to missed events")
+Suggested-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Rongguang Wei <weirongguang@kylinos.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pciehp_ctrl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
+index 6503d15effbbd..45d0f63707158 100644
+--- a/drivers/pci/hotplug/pciehp_ctrl.c
++++ b/drivers/pci/hotplug/pciehp_ctrl.c
+@@ -258,6 +258,14 @@ void pciehp_handle_presence_or_link_change(struct controller *ctrl, u32 events)
+       present = pciehp_card_present(ctrl);
+       link_active = pciehp_check_link_active(ctrl);
+       if (present <= 0 && link_active <= 0) {
++              if (ctrl->state == BLINKINGON_STATE) {
++                      ctrl->state = OFF_STATE;
++                      cancel_delayed_work(&ctrl->button_work);
++                      pciehp_set_indicators(ctrl, PCI_EXP_SLTCTL_PWR_IND_OFF,
++                                            INDICATOR_NOOP);
++                      ctrl_info(ctrl, "Slot(%s): Card not present\n",
++                                slot_name(ctrl));
++              }
+               mutex_unlock(&ctrl->state_lock);
+               return;
+       }
+-- 
+2.39.2
+
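Review bot: The new `BLINKINGON_STATE` branch uses `cancel_delayed_work()`, which does not wait for a `button_work` handler that is already running, and nothing in the hunk says why that is sufficient. If the handler re-checks `ctrl->state` under `state_lock` (not visible here), a comment above the call such as `/* button_work re-checks ctrl->state under state_lock, so a non-sync cancel is enough */` would record that. A `_sync` cancel is presumably not usable at this point because `state_lock` is still held until the `mutex_unlock()` below. pciehp_handle_presence_or_link_change() continues outside the inner hunk.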
diff --git a/queue-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/queue-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
new file mode 100644 (file)
index 0000000..4043636
--- /dev/null
@@ -0,0 +1,45 @@
+From a1737631184f4487cf332e1462297552a0c010ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jun 2023 16:41:01 -0700
+Subject: perf dwarf-aux: Fix off-by-one in die_get_varname()
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ]
+
+The die_get_varname() returns "(unknown_type)" string if it failed to
+find a type for the variable.  But it had a space before the opening
+parenthesis and it made the closing parenthesis cut off due to the
+off-by-one in the string length (14).
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index f1e2f566ce6fc..1d51aa88f4cb6 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1007,7 +1007,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf)
+       ret = die_get_typename(vr_die, buf);
+       if (ret < 0) {
+               pr_debug("Failed to get type, make it unknown.\n");
+-              ret = strbuf_add(buf, " (unknown_type)", 14);
++              ret = strbuf_add(buf, "(unknown_type)", 14);
+       }
+       return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die));
+-- 
+2.39.2
+
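Review bot: The length passed to `strbuf_add()` is still the hand-counted literal 14, which is how the original off-by-one got in. It matches the 14-character string now, but the next edit to the text can break it again. Prefer `ret = strbuf_addstr(buf, "(unknown_type)");`, or `sizeof("(unknown_type)") - 1` if the explicit-length call is kept.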
diff --git a/queue-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/queue-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
new file mode 100644 (file)
index 0000000..548919c
--- /dev/null
@@ -0,0 +1,41 @@
+From 152d13a34e904600505943e1e6716353de95a91f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 13:53:33 +0300
+Subject: pinctrl: at91-pio4: check return value of devm_kasprintf()
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller")
+Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks")
+Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
+index 064b7c3c942a9..9c225256e3f4e 100644
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -1013,6 +1013,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev)
+               /* Pin naming convention: P(bank_name)(bank_pin_number). */
+               pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d",
+                                                 bank + 'A', line);
++              if (!pin_desc[i].name)
++                      return -ENOMEM;
+               group->name = group_names[i] = pin_desc[i].name;
+               group->pin = pin_desc[i].number;
+-- 
+2.39.2
+
diff --git a/queue-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/queue-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
new file mode 100644 (file)
index 0000000..69326a5
--- /dev/null
@@ -0,0 +1,57 @@
+From d9266e338efc1bc6091314de4a485fbb7464cc50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 17:37:34 +0300
+Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ]
+
+Currently the getter returns ENOTSUPP on pin configured in
+the push-pull mode. Fix this by adding the missed switch case.
+
+Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config")
+Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support")
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
+index 8f06445a8e39c..2b48901f1b2af 100644
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1021,11 +1021,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin,
+               break;
+-      case PIN_CONFIG_DRIVE_OPEN_DRAIN:
+-              if (!(ctrl1 & CHV_PADCTRL1_ODEN))
+-                      return -EINVAL;
+-              break;
+-
+       case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {
+               u32 cfg;
+@@ -1035,6 +1030,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin,
+                       return -EINVAL;
+               break;
++
++      case PIN_CONFIG_DRIVE_PUSH_PULL:
++              if (ctrl1 & CHV_PADCTRL1_ODEN)
++                      return -EINVAL;
++              break;
++
++      case PIN_CONFIG_DRIVE_OPEN_DRAIN:
++              if (!(ctrl1 & CHV_PADCTRL1_ODEN))
++                      return -EINVAL;
++              break;
+       }
+       default:
+-- 
+2.39.2
+
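Review bot: The two added `case` labels sit before the closing `}` of the block opened by `case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {`, so PUSH_PULL and OPEN_DRAIN end up nested inside that compound statement. This is legal C and the switch still dispatches to them, but they now live in the scope of `u32 cfg` and read as if they belonged to the high-impedance case. Moving the `}` up to directly after the high-impedance `break;` keeps every case at switch level. The rest of chv_config_get() is outside the inner hunks.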
diff --git a/queue-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/queue-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
new file mode 100644 (file)
index 0000000..e37e7ff
--- /dev/null
@@ -0,0 +1,48 @@
+From dbaf9f92815b85a8f4615e155ec975e17a19d3db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 06:07:43 -0700
+Subject: PM: domains: fix integer overflow issues in genpd_parse_state()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ]
+
+Currently, while calculating residency and latency values, right
+operands may overflow if resulting values are big enough.
+
+To prevent this, albeit unlikely case, play it safe and convert
+right operands to left ones' type s64.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/domain.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index edb791354421b..5be76197bc361 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2596,10 +2596,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state,
+       err = of_property_read_u32(state_node, "min-residency-us", &residency);
+       if (!err)
+-              genpd_state->residency_ns = 1000 * residency;
++              genpd_state->residency_ns = 1000LL * residency;
+-      genpd_state->power_on_latency_ns = 1000 * exit_latency;
+-      genpd_state->power_off_latency_ns = 1000 * entry_latency;
++      genpd_state->power_on_latency_ns = 1000LL * exit_latency;
++      genpd_state->power_off_latency_ns = 1000LL * entry_latency;
+       genpd_state->fwnode = &state_node->fwnode;
+       return 0;
+-- 
+2.39.2
+
diff --git a/queue-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch b/queue-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch
new file mode 100644 (file)
index 0000000..81912f0
--- /dev/null
@@ -0,0 +1,73 @@
+From 41525058e2272364af898c8cf1c11dc7ca4a4d98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jun 2023 22:00:00 +0800
+Subject: powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+[ Upstream commit 4658fe81b3f8afe8adf37734ec5fe595d90415c6 ]
+
+After commit 3382388d7148 ("intel_rapl: abstract RAPL common code"),
+accessing to IOSF_MBI interface is done in the RAPL common code.
+
+Thus it is the CONFIG_INTEL_RAPL_CORE that has dependency of
+CONFIG_IOSF_MBI, while CONFIG_INTEL_RAPL_MSR does not.
+
+This problem was not exposed previously because all the previous RAPL
+common code users, aka, the RAPL MSR and MMIO I/F drivers, have
+CONFIG_IOSF_MBI selected.
+
+Fix the CONFIG_IOSF_MBI dependency in RAPL code. This also fixes a build
+time failure when the RAPL TPMI I/F driver is introduced without
+selecting CONFIG_IOSF_MBI.
+
+x86_64-linux-ld: vmlinux.o: in function `set_floor_freq_atom':
+intel_rapl_common.c:(.text+0x2dac9b8): undefined reference to `iosf_mbi_write'
+x86_64-linux-ld: intel_rapl_common.c:(.text+0x2daca66): undefined reference to `iosf_mbi_read'
+
+Reference to iosf_mbi.h is also removed from the RAPL MSR I/F driver.
+
+Fixes: 3382388d7148 ("intel_rapl: abstract RAPL common code")
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/all/20230601213246.3271412-1-arnd@kernel.org
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/Kconfig          | 4 +++-
+ drivers/powercap/intel_rapl_msr.c | 1 -
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/powercap/Kconfig b/drivers/powercap/Kconfig
+index dc1c1381d7fa9..61fd5dfaf7a0f 100644
+--- a/drivers/powercap/Kconfig
++++ b/drivers/powercap/Kconfig
+@@ -18,10 +18,12 @@ if POWERCAP
+ # Client driver configurations go here.
+ config INTEL_RAPL_CORE
+       tristate
++      depends on PCI
++      select IOSF_MBI
+ config INTEL_RAPL
+       tristate "Intel RAPL Support via MSR Interface"
+-      depends on X86 && IOSF_MBI
++      depends on X86 && PCI
+       select INTEL_RAPL_CORE
+       ---help---
+         This enables support for the Intel Running Average Power Limit (RAPL)
+diff --git a/drivers/powercap/intel_rapl_msr.c b/drivers/powercap/intel_rapl_msr.c
+index d5487965bdfe9..6091e462626a4 100644
+--- a/drivers/powercap/intel_rapl_msr.c
++++ b/drivers/powercap/intel_rapl_msr.c
+@@ -22,7 +22,6 @@
+ #include <linux/processor.h>
+ #include <linux/platform_device.h>
+-#include <asm/iosf_mbi.h>
+ #include <asm/cpu_device_id.h>
+ #include <asm/intel-family.h>
+-- 
+2.39.2
+
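Review bot: `select INTEL_RAPL_CORE` does not honour the `depends on PCI` that this change adds to INTEL_RAPL_CORE, because Kconfig `select` forces a symbol on regardless of its dependencies. INTEL_RAPL gains `depends on X86 && PCI` here, but any other symbol in the 5.4 tree that selects INTEL_RAPL_CORE (none is visible on this page) needs the same dependency, otherwise IOSF_MBI can be selected without PCI. A one-line comment above INTEL_RAPL_CORE, e.g. `# Selected by the RAPL interface drivers; every selector must depend on PCI`, would record the requirement.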
diff --git a/queue-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch b/queue-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
new file mode 100644 (file)
index 0000000..a0222fa
--- /dev/null
@@ -0,0 +1,40 @@
+From 90ee0d92192c1f49b6949c2bb419a14f084acc69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 16:38:15 +0530
+Subject: powerpc/mm/dax: Fix the condition when checking if altmap vmemap can
+ cross-boundary
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+[ Upstream commit c8eebc4a99f15280654f23e914e746c40a516e50 ]
+
+Without this fix, the last subsection vmemmap can end up in memory even if
+the namespace is created with -M mem and has sufficient space in the altmap
+area.
+
+Fixes: cf387d9644d8 ("libnvdimm/altmap: Track namespace boundaries in altmap")
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Tested-by: Sachin Sant <sachinp@linux.ibm.com <mailto:sachinp@linux.ibm.com>>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230616110826.344417-6-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/init_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/init_64.c b/arch/powerpc/mm/init_64.c
+index 210f1c28b8e41..e4fb5ab41e2d3 100644
+--- a/arch/powerpc/mm/init_64.c
++++ b/arch/powerpc/mm/init_64.c
+@@ -178,7 +178,7 @@ static bool altmap_cross_boundary(struct vmem_altmap *altmap, unsigned long star
+       unsigned long nr_pfn = page_size / sizeof(struct page);
+       unsigned long start_pfn = page_to_pfn((struct page *)start);
+-      if ((start_pfn + nr_pfn) > altmap->end_pfn)
++      if ((start_pfn + nr_pfn - 1) > altmap->end_pfn)
+               return true;
+       if (start_pfn < altmap->base_pfn)
+-- 
+2.39.2
+
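Review bot: The new bound `(start_pfn + nr_pfn - 1) > altmap->end_pfn` is only right if `altmap->end_pfn` is the last pfn covered by the altmap (inclusive), which the hunk does not show. Please state that next to the check, e.g. `/* end_pfn is inclusive: compare against the last pfn of this vmemmap block */`, so the `- 1` is not "corrected" back later. altmap_cross_boundary() continues outside the inner hunk.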
diff --git a/queue-5.4/pstore-ram-add-check-for-kstrdup.patch b/queue-5.4/pstore-ram-add-check-for-kstrdup.patch
new file mode 100644 (file)
index 0000000..82b2da7
--- /dev/null
@@ -0,0 +1,37 @@
+From d8abc2ef0d780ff00ba6d1003735e7a8c95dc465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 17:37:33 +0800
+Subject: pstore/ram: Add check for kstrdup
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit d97038d5ec2062733c1e016caf9baaf68cf64ea1 ]
+
+Add check for the return value of kstrdup() and return the error
+if it fails in order to avoid NULL pointer dereference.
+
+Fixes: e163fdb3f7f8 ("pstore/ram: Regularize prz label allocation lifetime")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230614093733.36048-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/ram_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
+index 286340f312dcb..73aed51447b9a 100644
+--- a/fs/pstore/ram_core.c
++++ b/fs/pstore/ram_core.c
+@@ -579,6 +579,8 @@ struct persistent_ram_zone *persistent_ram_new(phys_addr_t start, size_t size,
+       raw_spin_lock_init(&prz->buffer_lock);
+       prz->flags = flags;
+       prz->label = kstrdup(label, GFP_KERNEL);
++      if (!prz->label)
++              goto err;
+       ret = persistent_ram_buffer_map(start, size, prz, memtype);
+       if (ret)
+-- 
+2.39.2
+
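Review bot: The new `goto err` returns whatever `ret` holds at that point, and its initial value is outside the hunk; if it were 0 the caller would presumably see a non-error result for a failed allocation. Setting it explicitly with `ret = -ENOMEM;` before the `goto` makes the failure code independent of the earlier code. `kstrdup()` also returns NULL when its argument is NULL, so a caller passing a NULL `label` now makes persistent_ram_new() fail where it previously returned a zone without a label; if that is intended it deserves a line in the function comment.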
diff --git a/queue-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch b/queue-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch
new file mode 100644 (file)
index 0000000..b1e2cce
--- /dev/null
@@ -0,0 +1,110 @@
+From e2c127f46914a54e4105b6f582029ebd80336dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 08:12:28 -0700
+Subject: radeon: avoid double free in ci_dpm_init()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ]
+
+Several calls to ci_dpm_fini() will attempt to free resources that
+either have been freed before or haven't been allocated yet. This
+may lead to undefined or dangerous behaviour.
+
+For instance, if r600_parse_extended_power_table() fails, it might
+call r600_free_extended_power_table() as will ci_dpm_fini() later
+during error handling.
+
+Fix this by only freeing pointers to objects previously allocated.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)")
+Co-developed-by: Natalia Petrova <n.petrova@fintech.ru>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
+index 1e62e7bbf1b1d..5403f4c902b64 100644
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -5556,6 +5556,7 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+       u8 frev, crev;
+       u8 *power_state_offset;
+       struct ci_ps *ps;
++      int ret;
+       if (!atom_parse_data_header(mode_info->atom_context, index, NULL,
+                                  &frev, &crev, &data_offset))
+@@ -5585,11 +5586,15 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+               non_clock_array_index = power_state->v2.nonClockInfoIndex;
+               non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
+                       &non_clock_info_array->nonClockInfo[non_clock_array_index];
+-              if (!rdev->pm.power_state[i].clock_info)
+-                      return -EINVAL;
++              if (!rdev->pm.power_state[i].clock_info) {
++                      ret = -EINVAL;
++                      goto err_free_ps;
++              }
+               ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL);
+-              if (ps == NULL)
+-                      return -ENOMEM;
++              if (ps == NULL) {
++                      ret = -ENOMEM;
++                      goto err_free_ps;
++              }
+               rdev->pm.dpm.ps[i].ps_priv = ps;
+               ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i],
+                                             non_clock_info,
+@@ -5629,6 +5634,12 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+       }
+       return 0;
++
++err_free_ps:
++      for (i = 0; i < rdev->pm.dpm.num_ps; i++)
++              kfree(rdev->pm.dpm.ps[i].ps_priv);
++      kfree(rdev->pm.dpm.ps);
++      return ret;
+ }
+ static int ci_get_vbios_boot_values(struct radeon_device *rdev,
+@@ -5717,25 +5728,26 @@ int ci_dpm_init(struct radeon_device *rdev)
+       ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state);
+       if (ret) {
+-              ci_dpm_fini(rdev);
++              kfree(rdev->pm.dpm.priv);
+               return ret;
+       }
+       ret = r600_get_platform_caps(rdev);
+       if (ret) {
+-              ci_dpm_fini(rdev);
++              kfree(rdev->pm.dpm.priv);
+               return ret;
+       }
+       ret = r600_parse_extended_power_table(rdev);
+       if (ret) {
+-              ci_dpm_fini(rdev);
++              kfree(rdev->pm.dpm.priv);
+               return ret;
+       }
+       ret = ci_parse_power_table(rdev);
+       if (ret) {
+-              ci_dpm_fini(rdev);
++              kfree(rdev->pm.dpm.priv);
++              r600_free_extended_power_table(rdev);
+               return ret;
+       }
+-- 
+2.39.2
+
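Review bot: The error paths in ci_dpm_init() now `kfree(rdev->pm.dpm.priv)` and return without clearing the pointer, and `err_free_ps` in ci_parse_power_table() likewise leaves `rdev->pm.dpm.ps` pointing at freed memory. If any later teardown path still calls ci_dpm_fini() or otherwise frees these fields (not visible here), that is the same double free this commit sets out to remove; adding `rdev->pm.dpm.priv = NULL;` and `rdev->pm.dpm.ps = NULL;` after the respective `kfree()` closes that off. The cleanup loop is bounded by `rdev->pm.dpm.num_ps`; if that count is only assigned after the parse loop completes, which the hunk does not show, it is still 0 at the label and the `ps_priv` allocations leak. Bounding the loop by the number of entries `ps` was allocated with would avoid that.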
diff --git a/queue-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch b/queue-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch
new file mode 100644 (file)
index 0000000..4ff6711
--- /dev/null
@@ -0,0 +1,44 @@
+From 88597efc4f3c7716484af6ddfcd97f57e714380e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 May 2023 23:48:15 -0700
+Subject: RDMA/bnxt_re: Fix to remove an unnecessary log
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 43774bc156614346fe5dacabc8e8c229167f2536 ]
+
+During destroy_qp, driver sets the qp handle in the existing CQEs
+belonging to the QP being destroyed to NULL. As a result, a poll_cq after
+destroy_qp can report unnecessary messages.  Remove this noise from system
+logs.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://lore.kernel.org/r/1684478897-12247-6-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 5fc5ab7813c0f..18b579c8a8c55 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -2606,11 +2606,8 @@ static int bnxt_qplib_cq_process_terminal(struct bnxt_qplib_cq *cq,
+       qp = (struct bnxt_qplib_qp *)((unsigned long)
+                                     le64_to_cpu(hwcqe->qp_handle));
+-      if (!qp) {
+-              dev_err(&cq->hwq.pdev->dev,
+-                      "FP: CQ Process terminal qp is NULL\n");
++      if (!qp)
+               return -EINVAL;
+-      }
+       /* Must block new posting of SQ and RQ */
+       qp->state = CMDQ_MODIFY_QP_NEW_STATE_ERR;
+-- 
+2.39.2
+
diff --git a/queue-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch b/queue-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch
new file mode 100644 (file)
index 0000000..f23c54a
--- /dev/null
@@ -0,0 +1,40 @@
+From 388374e93efa26da04d6ee279b68a8efcc466553 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 13:13:58 +0200
+Subject: regulator: core: Fix more error checking for debugfs_create_dir()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 2715bb11cfff964aa33946847f9527cfbd4874f5 ]
+
+In case of failure, debugfs_create_dir() does not return NULL, but an
+error pointer.  Most incorrect error checks were fixed, but the one in
+create_regulator() was forgotten.
+
+Fix the remaining error check.
+
+Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/ee980a108b5854dd8ce3630f8f673e784e057d17.1685013051.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index cc9aa95d69691..0ac9c763942f9 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1710,7 +1710,7 @@ static struct regulator *create_regulator(struct regulator_dev *rdev,
+       if (err != -EEXIST)
+               regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs);
+-      if (!regulator->debugfs) {
++      if (IS_ERR(regulator->debugfs)) {
+               rdev_dbg(rdev, "Failed to create debugfs directory\n");
+       } else {
+               debugfs_create_u32("uA_load", 0444, regulator->debugfs,
+-- 
+2.39.2
+
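Review bot: `IS_ERR(regulator->debugfs)` is false for NULL, and when `err == -EEXIST` the `debugfs_create_dir()` call is skipped, so the field keeps whatever it held before, presumably NULL from allocation (not visible in the hunk). The `else` branch then calls `debugfs_create_u32("uA_load", 0444, regulator->debugfs, ...)` with a NULL parent, which as far as I know creates the file in the debugfs root instead of skipping it. Using `if (IS_ERR_OR_NULL(regulator->debugfs)) {` keeps the previous behaviour for that case. create_regulator() continues outside the inner hunk.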
diff --git a/queue-5.4/regulator-core-streamline-debugfs-operations.patch b/queue-5.4/regulator-core-streamline-debugfs-operations.patch
new file mode 100644 (file)
index 0000000..c08ea12
--- /dev/null
@@ -0,0 +1,100 @@
+From 286608c89dc3e5d2200a1ef9e3bcaef22e6d3237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 13:13:59 +0200
+Subject: regulator: core: Streamline debugfs operations
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 08880713ceec023dd94d634f1e8902728c385939 ]
+
+If CONFIG_DEBUG_FS is not set:
+
+    regulator: Failed to create debugfs directory
+    ...
+    regulator-dummy: Failed to create debugfs directory
+
+As per the comments for debugfs_create_dir(), errors returned by this
+function should be expected, and ignored:
+
+ * If debugfs is not enabled in the kernel, the value -%ENODEV will be
+ * returned.
+ *
+ * NOTE: it's expected that most callers should _ignore_ the errors returned
+ * by this function. Other debugfs functions handle the fact that the "dentry"
+ * passed to them could be an error and they don't crash in that case.
+ * Drivers should generally work fine even if debugfs fails to init anyway.
+
+Adhere to the debugfs spirit, and streamline all operations by:
+  1. Demoting the importance of the printed error messages to debug
+     level, like is already done in create_regulator(),
+  2. Further ignoring any returned errors, as by design, all debugfs
+     functions are no-ops when passed an error pointer.
+
+Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/2f8bb6e113359ddfab7b59e4d4274bd4c06d6d0a.1685013051.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 0ac9c763942f9..fe4b666edd037 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1710,19 +1710,17 @@ static struct regulator *create_regulator(struct regulator_dev *rdev,
+       if (err != -EEXIST)
+               regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs);
+-      if (IS_ERR(regulator->debugfs)) {
++      if (IS_ERR(regulator->debugfs))
+               rdev_dbg(rdev, "Failed to create debugfs directory\n");
+-      } else {
+-              debugfs_create_u32("uA_load", 0444, regulator->debugfs,
+-                                 &regulator->uA_load);
+-              debugfs_create_u32("min_uV", 0444, regulator->debugfs,
+-                                 &regulator->voltage[PM_SUSPEND_ON].min_uV);
+-              debugfs_create_u32("max_uV", 0444, regulator->debugfs,
+-                                 &regulator->voltage[PM_SUSPEND_ON].max_uV);
+-              debugfs_create_file("constraint_flags", 0444,
+-                                  regulator->debugfs, regulator,
+-                                  &constraint_flags_fops);
+-      }
++
++      debugfs_create_u32("uA_load", 0444, regulator->debugfs,
++                         &regulator->uA_load);
++      debugfs_create_u32("min_uV", 0444, regulator->debugfs,
++                         &regulator->voltage[PM_SUSPEND_ON].min_uV);
++      debugfs_create_u32("max_uV", 0444, regulator->debugfs,
++                         &regulator->voltage[PM_SUSPEND_ON].max_uV);
++      debugfs_create_file("constraint_flags", 0444, regulator->debugfs,
++                          regulator, &constraint_flags_fops);
+       /*
+        * Check now if the regulator is an always on regulator - if
+@@ -4906,10 +4904,8 @@ static void rdev_init_debugfs(struct regulator_dev *rdev)
+       }
+       rdev->debugfs = debugfs_create_dir(rname, debugfs_root);
+-      if (IS_ERR(rdev->debugfs)) {
+-              rdev_warn(rdev, "Failed to create debugfs directory\n");
+-              return;
+-      }
++      if (IS_ERR(rdev->debugfs))
++              rdev_dbg(rdev, "Failed to create debugfs directory\n");
+       debugfs_create_u32("use_count", 0444, rdev->debugfs,
+                          &rdev->use_count);
+@@ -5797,7 +5793,7 @@ static int __init regulator_init(void)
+       debugfs_root = debugfs_create_dir("regulator", NULL);
+       if (IS_ERR(debugfs_root))
+-              pr_warn("regulator: Failed to create debugfs directory\n");
++              pr_debug("regulator: Failed to create debugfs directory\n");
+ #ifdef CONFIG_DEBUG_FS
+       debugfs_create_file("supply_map", 0444, debugfs_root, NULL,
+-- 
+2.39.2
+
diff --git a/queue-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch b/queue-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch
new file mode 100644 (file)
index 0000000..9fd9c1b
--- /dev/null
@@ -0,0 +1,167 @@
+From fefb2d8ee61360931f99c7d7d29e3846834e27a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jun 2023 13:51:08 +0300
+Subject: rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+[ Upstream commit fa0e21fa44438a0e856d42224bfa24641d37b979 ]
+
+This filter already exists for excluding IPv6 SNMP stats. Extend its
+definition to also exclude IFLA_VF_INFO stats in RTM_GETLINK.
+
+This patch constitutes a partial fix for a netlink attribute nesting
+overflow bug in IFLA_VFINFO_LIST. By excluding the stats when the
+requester doesn't need them, the truncation of the VF list is avoided.
+
+While it was technically only the stats added in commit c5a9f6f0ab40
+("net/core: Add drop counters to VF statistics") breaking the camel's
+back, the appreciable size of the stats data should never have been
+included without due consideration for the maximum number of VFs
+supported by PCI.
+
+Fixes: 3b766cd83232 ("net/core: Add reading VF statistics through the PF netdevice")
+Fixes: c5a9f6f0ab40 ("net/core: Add drop counters to VF statistics")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Cc: Edwin Peer <espeer@gmail.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Link: https://lore.kernel.org/r/20230611105108.122586-1-gal@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 96 +++++++++++++++++++++++---------------------
+ 1 file changed, 51 insertions(+), 45 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index da1ef00fc9cc2..0b0107797e490 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -922,24 +922,27 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev,
+                        nla_total_size(sizeof(struct ifla_vf_rate)) +
+                        nla_total_size(sizeof(struct ifla_vf_link_state)) +
+                        nla_total_size(sizeof(struct ifla_vf_rss_query_en)) +
+-                       nla_total_size(0) + /* nest IFLA_VF_STATS */
+-                       /* IFLA_VF_STATS_RX_PACKETS */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+-                       /* IFLA_VF_STATS_TX_PACKETS */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+-                       /* IFLA_VF_STATS_RX_BYTES */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+-                       /* IFLA_VF_STATS_TX_BYTES */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+-                       /* IFLA_VF_STATS_BROADCAST */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+-                       /* IFLA_VF_STATS_MULTICAST */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+-                       /* IFLA_VF_STATS_RX_DROPPED */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+-                       /* IFLA_VF_STATS_TX_DROPPED */
+-                       nla_total_size_64bit(sizeof(__u64)) +
+                        nla_total_size(sizeof(struct ifla_vf_trust)));
++              if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) {
++                      size += num_vfs *
++                              (nla_total_size(0) + /* nest IFLA_VF_STATS */
++                               /* IFLA_VF_STATS_RX_PACKETS */
++                               nla_total_size_64bit(sizeof(__u64)) +
++                               /* IFLA_VF_STATS_TX_PACKETS */
++                               nla_total_size_64bit(sizeof(__u64)) +
++                               /* IFLA_VF_STATS_RX_BYTES */
++                               nla_total_size_64bit(sizeof(__u64)) +
++                               /* IFLA_VF_STATS_TX_BYTES */
++                               nla_total_size_64bit(sizeof(__u64)) +
++                               /* IFLA_VF_STATS_BROADCAST */
++                               nla_total_size_64bit(sizeof(__u64)) +
++                               /* IFLA_VF_STATS_MULTICAST */
++                               nla_total_size_64bit(sizeof(__u64)) +
++                               /* IFLA_VF_STATS_RX_DROPPED */
++                               nla_total_size_64bit(sizeof(__u64)) +
++                               /* IFLA_VF_STATS_TX_DROPPED */
++                               nla_total_size_64bit(sizeof(__u64)));
++              }
+               return size;
+       } else
+               return 0;
+@@ -1189,7 +1192,8 @@ static noinline_for_stack int rtnl_fill_stats(struct sk_buff *skb,
+ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+                                              struct net_device *dev,
+                                              int vfs_num,
+-                                             struct nlattr *vfinfo)
++                                             struct nlattr *vfinfo,
++                                             u32 ext_filter_mask)
+ {
+       struct ifla_vf_rss_query_en vf_rss_query_en;
+       struct nlattr *vf, *vfstats, *vfvlanlist;
+@@ -1279,33 +1283,35 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+               goto nla_put_vf_failure;
+       }
+       nla_nest_end(skb, vfvlanlist);
+-      memset(&vf_stats, 0, sizeof(vf_stats));
+-      if (dev->netdev_ops->ndo_get_vf_stats)
+-              dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num,
+-                                              &vf_stats);
+-      vfstats = nla_nest_start_noflag(skb, IFLA_VF_STATS);
+-      if (!vfstats)
+-              goto nla_put_vf_failure;
+-      if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS,
+-                            vf_stats.rx_packets, IFLA_VF_STATS_PAD) ||
+-          nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS,
+-                            vf_stats.tx_packets, IFLA_VF_STATS_PAD) ||
+-          nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES,
+-                            vf_stats.rx_bytes, IFLA_VF_STATS_PAD) ||
+-          nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES,
+-                            vf_stats.tx_bytes, IFLA_VF_STATS_PAD) ||
+-          nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST,
+-                            vf_stats.broadcast, IFLA_VF_STATS_PAD) ||
+-          nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST,
+-                            vf_stats.multicast, IFLA_VF_STATS_PAD) ||
+-          nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED,
+-                            vf_stats.rx_dropped, IFLA_VF_STATS_PAD) ||
+-          nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED,
+-                            vf_stats.tx_dropped, IFLA_VF_STATS_PAD)) {
+-              nla_nest_cancel(skb, vfstats);
+-              goto nla_put_vf_failure;
++      if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) {
++              memset(&vf_stats, 0, sizeof(vf_stats));
++              if (dev->netdev_ops->ndo_get_vf_stats)
++                      dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num,
++                                                        &vf_stats);
++              vfstats = nla_nest_start_noflag(skb, IFLA_VF_STATS);
++              if (!vfstats)
++                      goto nla_put_vf_failure;
++              if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS,
++                                    vf_stats.rx_packets, IFLA_VF_STATS_PAD) ||
++                  nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS,
++                                    vf_stats.tx_packets, IFLA_VF_STATS_PAD) ||
++                  nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES,
++                                    vf_stats.rx_bytes, IFLA_VF_STATS_PAD) ||
++                  nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES,
++                                    vf_stats.tx_bytes, IFLA_VF_STATS_PAD) ||
++                  nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST,
++                                    vf_stats.broadcast, IFLA_VF_STATS_PAD) ||
++                  nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST,
++                                    vf_stats.multicast, IFLA_VF_STATS_PAD) ||
++                  nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED,
++                                    vf_stats.rx_dropped, IFLA_VF_STATS_PAD) ||
++                  nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED,
++                                    vf_stats.tx_dropped, IFLA_VF_STATS_PAD)) {
++                      nla_nest_cancel(skb, vfstats);
++                      goto nla_put_vf_failure;
++              }
++              nla_nest_end(skb, vfstats);
+       }
+-      nla_nest_end(skb, vfstats);
+       nla_nest_end(skb, vf);
+       return 0;
+@@ -1338,7 +1344,7 @@ static noinline_for_stack int rtnl_fill_vf(struct sk_buff *skb,
+               return -EMSGSIZE;
+       for (i = 0; i < num_vfs; i++) {
+-              if (rtnl_fill_vfinfo(skb, dev, i, vfinfo))
++              if (rtnl_fill_vfinfo(skb, dev, i, vfinfo, ext_filter_mask))
+                       return -EMSGSIZE;
+       }
+-- 
+2.39.2
+
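Review bot: The new `~ext_filter_mask & RTEXT_FILTER_SKIP_STATS` guard appears twice, in rtnl_vfinfo_size() and in rtnl_fill_vfinfo(), and nothing ties the two together: the size estimate and the fill path stay consistent only as long as both conditions are edited in step. A short comment at each site would record that, for example `/* must match the IFLA_VF_STATS condition in rtnl_fill_vfinfo() */`, and `!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)` would read more plainly than the complement form. As the description says, this is a partial fix, so a requester that does not set the flag still gets the full per-VF stats and the IFLA_VFINFO_LIST nest can still be truncated; that limit is worth stating in the comment as well. Both functions start and end outside their hunks.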
diff --git a/queue-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch b/queue-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
new file mode 100644 (file)
index 0000000..837ca48
--- /dev/null
@@ -0,0 +1,36 @@
+From 0ee82b960f4dc01a0d320e8313ba5f9117652bcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 16:50:58 +0800
+Subject: samples/bpf: Fix buffer overflow in tcp_basertt
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ]
+
+Using sizeof(nv) or strlen(nv)+1 is correct.
+
+Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program")
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/tcp_basertt_kern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c
+index 9dba48c2b9207..66dd58f78d528 100644
+--- a/samples/bpf/tcp_basertt_kern.c
++++ b/samples/bpf/tcp_basertt_kern.c
+@@ -47,7 +47,7 @@ int bpf_basertt(struct bpf_sock_ops *skops)
+               case BPF_SOCK_OPS_BASE_RTT:
+                       n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION,
+                                          cong, sizeof(cong));
+-                      if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) {
++                      if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) {
+                               /* Set base_rtt to 80us */
+                               rv = 80;
+                       } else if (n) {
+-- 
+2.39.2
+
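Review bot: The corrected `__builtin_memcmp(cong, nv, sizeof(nv))` in bpf_basertt() is still only in bounds for `cong` if that buffer is at least `sizeof(nv)` bytes, and neither declaration is visible in this hunk. A comment on the compare would make the intent explicit, e.g. `/* sizeof(nv) counts the terminating NUL: exact match, and no read past nv */`. If `cong` and `nv` are plain arrays, a compile-time check that `sizeof(cong) >= sizeof(nv)` next to the declarations would keep a later change to either size from reintroducing an out-of-bounds read. The function body continues outside the hunk.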
diff --git a/queue-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/queue-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
new file mode 100644 (file)
index 0000000..8d072a6
--- /dev/null
@@ -0,0 +1,47 @@
+From faf7e47be6d7209421b9e209b652521f3d411e10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 22:12:55 +0800
+Subject: scsi: 3w-xxxx: Add error handling for initialization failure in
+ tw_probe()
+
+From: Yuchen Yang <u202114568@hust.edu.cn>
+
+[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ]
+
+Smatch complains that:
+
+tw_probe() warn: missing error code 'retval'
+
+This patch adds error checking to tw_probe() to handle initialization
+failure. If tw_reset_sequence() function returns a non-zero value, the
+function will return -EINVAL to indicate initialization failure.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuchen Yang <u202114568@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/3w-xxxx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
+index 2b1e0d5030201..75290aabd543b 100644
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -2310,8 +2310,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+       TW_DISABLE_INTERRUPTS(tw_dev);
+       /* Initialize the card */
+-      if (tw_reset_sequence(tw_dev))
++      if (tw_reset_sequence(tw_dev)) {
++              retval = -EINVAL;
+               goto out_release_mem_region;
++      }
+       /* Set host specific parameters */
+       host->max_id = TW_MAX_UNITS;
+-- 
+2.39.2
+
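Review bot: The added `retval = -EINVAL;` in tw_probe() reports a failed controller reset as an invalid-argument error, which tells the caller nothing about the device; `retval = -ENODEV;` (or `-EIO`) would describe a card that did not initialise. tw_reset_sequence()'s own return value is discarded, so if it returns a negative errno (its body is not visible here), passing that through would be better still. tw_probe() starts and ends outside the hunk, so its other error exits could not be checked for the same omission.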
diff --git a/queue-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch b/queue-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch
new file mode 100644 (file)
index 0000000..94338e5
--- /dev/null
@@ -0,0 +1,47 @@
+From 80fe24ae9795741038f5de36d24f410e3915dfe2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 May 2023 22:00:21 +0800
+Subject: scsi: qedf: Fix NULL dereference in error handling
+
+From: Jinhong Zhu <jinhongzhu@hust.edu.cn>
+
+[ Upstream commit f025312b089474a54e4859f3453771314d9e3d4f ]
+
+Smatch reported:
+
+drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues()
+warn: missing unwind goto?
+
+At this point in the function, nothing has been allocated so we can return
+directly. In particular the "qedf->global_queues" have not been allocated
+so calling qedf_free_global_queues() will lead to a NULL dereference when
+we check if (!gl[i]) and "gl" is NULL.
+
+Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
+Signed-off-by: Jinhong Zhu <jinhongzhu@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230502140022.2852-1-jinhongzhu@hust.edu.cn
+Reviewed-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index f864ef059d29e..858058f228191 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -2914,9 +2914,8 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf)
+        * addresses of our queues
+        */
+       if (!qedf->p_cpuq) {
+-              status = -EINVAL;
+               QEDF_ERR(&qedf->dbg_ctx, "p_cpuq is NULL.\n");
+-              goto mem_alloc_failure;
++              return -EINVAL;
+       }
+       qedf->global_queues = kzalloc((sizeof(struct global_queue *)
+-- 
+2.39.2
+
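Review bot: Returning early from qedf_alloc_global_queues() avoids the crash on this one path, but by the description qedf_free_global_queues() still dereferences `qedf->global_queues` without checking it, so any other caller that reaches it before the array is allocated would hit the same NULL dereference. A guard at the top of that function, `if (!gl) return;`, would make the unwind safe regardless of where it is entered. The handling of a failed `kzalloc()` for `qedf->global_queues` lies just past the end of this hunk and should be checked for the same `goto mem_alloc_failure` pattern.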
diff --git a/queue-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch b/queue-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch
new file mode 100644 (file)
index 0000000..1128416
--- /dev/null
@@ -0,0 +1,40 @@
+From 99215f1936d6398e88b17ca7218713097f26f412 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jun 2023 23:03:34 +0200
+Subject: selftests: rtnetlink: remove netdevsim device after ipsec offload
+ test
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 5f789f103671fec3733ebe756e56adf15c90c21d ]
+
+On systems where netdevsim is built-in or loaded before the test
+starts, kci_test_ipsec_offload doesn't remove the netdevsim device it
+created during the test.
+
+Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/e1cb94f4f82f4eca4a444feec4488a1323396357.1687466906.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 911c549f186fb..3b929e031f59c 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -833,6 +833,7 @@ EOF
+       fi
+       # clean up any leftovers
++      echo 0 > /sys/bus/netdevsim/del_device
+       $probed && rmmod netdevsim
+       if [ $ret -ne 0 ]; then
+-- 
+2.39.2
+
index ba5ca55325041d5b88fd1b72f729560a37762745..8f9387e07e5f0662fd0a718ae703ea2e07b15f57 100644 (file)
@@ -6,3 +6,114 @@ fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
 hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
 scripts-tags.sh-resolve-gtags-empty-index-generation.patch
 drm-amdgpu-validate-vm-ioctl-flags.patch
+x86-resctrl-use-is_closid_match-in-more-places.patch
+x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch
+md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
+md-raid10-fix-overflow-of-md-safe_mode_delay.patch
+md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
+md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch
+md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
+irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch
+irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch
+tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
+clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch
+clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
+pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
+powercap-rapl-fix-config_iosf_mbi-dependency.patch
+arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
+evm-complete-description-of-evm_inode_setattr.patch
+pstore-ram-add-check-for-kstrdup.patch
+ima-fix-build-warnings.patch
+wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
+wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
+samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
+spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch
+wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
+nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
+nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
+regulator-core-fix-more-error-checking-for-debugfs_c.patch
+regulator-core-streamline-debugfs-operations.patch
+wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
+wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
+wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
+wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch
+wl3501_cs-remove-unnecessary-null-check.patch
+wl3501_cs-fix-misspelling-and-provide-missing-docume.patch
+net-create-netdev-dev_addr-assignment-helpers.patch
+wl3501_cs-use-eth_hw_addr_set.patch
+wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
+wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
+wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch
+wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
+wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
+wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch
+watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
+watchdog-perf-more-properly-prevent-false-positives-.patch
+kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
+memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
+wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
+rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch
+wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch
+wifi-cfg80211-rewrite-merging-of-inherited-elements.patch
+wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
+netlink-fix-potential-deadlock-in-netlink_set_err.patch
+netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
+selftests-rtnetlink-remove-netdevsim-device-after-ip.patch
+gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
+nfc-llcp-simplify-llcp_sock_connect-error-paths.patch
+net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch
+lib-ts_bm-reset-initial-match-offset-for-every-block.patch
+netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
+netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
+ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
+netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
+radeon-avoid-double-free-in-ci_dpm_init.patch
+input-drv260x-sleep-between-polling-go-bit.patch
+arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
+input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
+drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch
+rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch
+arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch
+arm64-dts-qcom-msm8916-correct-camss-unit-address.patch
+drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
+arm-ep93xx-fix-missing-prototype-warnings.patch
+memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch
+asoc-es8316-increment-max-value-for-alc-capture-targ.patch
+asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch
+soc-fsl-qe-fix-usb.c-build-errors.patch
+ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
+arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
+fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
+drm-amdkfd-fix-potential-deallocation-of-previously-.patch
+drm-radeon-fix-possible-division-by-zero-errors.patch
+clk-tegra-tegra124-emc-fix-potential-memory-leak.patch
+alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
+clk-cdce925-check-return-value-of-kasprintf.patch
+clk-keystone-sci-clk-check-return-value-of-kasprintf.patch
+asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch
+scsi-qedf-fix-null-dereference-in-error-handling.patch
+pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch
+scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
+pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch
+pci-ftpci100-release-the-clock-resources.patch
+pci-add-pci_clear_master-stub-for-non-config_pci.patch
+pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
+perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
+pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
+powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
+hwrng-virtio-add-an-internal-buffer.patch
+hwrng-virtio-don-t-wait-on-cleanup.patch
+hwrng-virtio-don-t-waste-entropy.patch
+hwrng-virtio-always-add-a-pending-request.patch
+hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch
+crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
+modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
+modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
+crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch
+crypto-skcipher-remove-crypto_has_ablkcipher.patch
+crypto-marvell-cesa-fix-type-mismatch-warning.patch
+modpost-fix-off-by-one-in-is_executable_section.patch
+arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
+nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch
+hwrng-st-fix-w-1-unused-variable-warning.patch
+hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
diff --git a/queue-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch b/queue-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch
new file mode 100644 (file)
index 0000000..21c39fd
--- /dev/null
@@ -0,0 +1,60 @@
+From c3b66daa3de5c5e4f9b2e88b0dc50d38221b515e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 May 2023 15:52:16 -0700
+Subject: soc/fsl/qe: fix usb.c build errors
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ]
+
+Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set.
+This happens when PPC_EP88XC is set, which selects CPM1 & CPM.
+When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE
+being set. When USB_FSL_QE is set, QE_USB deafults to y, which
+causes build errors when QUICC_ENGINE is not set. Making
+QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y.
+
+Fixes these build errors:
+
+drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set':
+usb.c:(.text+0x1e): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg'
+powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock'
+powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock'
+
+Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Leo Li <leoyang.li@nxp.com>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Nicolas Schier <nicolas@fjasle.eu>
+Cc: Qiang Zhao <qiang.zhao@nxp.com>
+Cc: linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Acked-by: Nicolas Schier <nicolas@jasle.eu>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig
+index cfa4b2939992c..3ed0838607647 100644
+--- a/drivers/soc/fsl/qe/Kconfig
++++ b/drivers/soc/fsl/qe/Kconfig
+@@ -38,6 +38,7 @@ config QE_TDM
+ config QE_USB
+       bool
++      depends on QUICC_ENGINE
+       default y if USB_FSL_QE
+       help
+         QE USB Controller support
+-- 
+2.39.2
+
diff --git a/queue-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch b/queue-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch
new file mode 100644 (file)
index 0000000..c3b0fe6
--- /dev/null
@@ -0,0 +1,44 @@
+From f34cc0a8e911f3ac14b6bd726de7eb97e1254bda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 14:12:08 +0530
+Subject: spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
+
+From: Vijaya Krishna Nivarthi <quic_vnivarth@quicinc.com>
+
+[ Upstream commit 5fd7c99ecf45c8ee8a9b1268f0ffc91cc6271da2 ]
+
+The CS_TOGGLE bit when set is supposed to instruct FW to
+toggle CS line between words. The driver with intent of
+disabling this behaviour has been unsetting BIT(0). This has
+not caused any trouble so far because the original BIT(1)
+is untouched and BIT(0) likely wasn't being used.
+
+Correct this to prevent a potential future bug.
+
+Signed-off-by: Vijaya Krishna Nivarthi <quic_vnivarth@quicinc.com
+Acked-by: Konrad Dybcio <konrad.dybcio@linaro.org
+Fixes: 561de45f72bd ("spi: spi-geni-qcom: Add SPI driver support for GENI based QUP")
+Reviewed-by: Douglas Anderson <dianders@chromium.org
+Link: https://lore.kernel.org/r/1682412128-1913-1-git-send-email-quic_vnivarth@quicinc.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-geni-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c
+index 01b53d816497c..ae1cbc3215366 100644
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -32,7 +32,7 @@
+ #define CS_DEMUX_OUTPUT_SEL   GENMASK(3, 0)
+ #define SE_SPI_TRANS_CFG      0x25c
+-#define CS_TOGGLE             BIT(0)
++#define CS_TOGGLE             BIT(1)
+ #define SE_SPI_WORD_LEN               0x268
+ #define WORD_LEN_MSK          GENMASK(9, 0)
+-- 
+2.39.2
+
diff --git a/queue-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch b/queue-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
new file mode 100644 (file)
index 0000000..3faf7fc
--- /dev/null
@@ -0,0 +1,47 @@
+From dcbe7117f0e1afd5766b9340d5a6b27fc655acf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 16:38:54 +0200
+Subject: tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 2951580ba6adb082bb6b7154a5ecb24e7c1f7569 ]
+
+The trace output for the HRTIMER_MODE_.*_HARD modes is seen as a number
+since these modes are not decoded. The author was not aware of the fancy
+decoding function which makes the life easier.
+
+Extend decode_hrtimer_mode() with the additional HRTIMER_MODE_.*_HARD
+modes.
+
+Fixes: ae6683d815895 ("hrtimer: Introduce HARD expiry mode")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Link: https://lore.kernel.org/r/20230418143854.8vHWQKLM@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/timer.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
+index 295517f109d71..1b5371f0317af 100644
+--- a/include/trace/events/timer.h
++++ b/include/trace/events/timer.h
+@@ -156,7 +156,11 @@ DEFINE_EVENT(timer_class, timer_cancel,
+               { HRTIMER_MODE_ABS_SOFT,        "ABS|SOFT"      },      \
+               { HRTIMER_MODE_REL_SOFT,        "REL|SOFT"      },      \
+               { HRTIMER_MODE_ABS_PINNED_SOFT, "ABS|PINNED|SOFT" },    \
+-              { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" })
++              { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" },    \
++              { HRTIMER_MODE_ABS_HARD,        "ABS|HARD" },           \
++              { HRTIMER_MODE_REL_HARD,        "REL|HARD" },           \
++              { HRTIMER_MODE_ABS_PINNED_HARD, "ABS|PINNED|HARD" },    \
++              { HRTIMER_MODE_REL_PINNED_HARD, "REL|PINNED|HARD" })
+ /**
+  * hrtimer_init - called when the hrtimer is initialized
+-- 
+2.39.2
+
diff --git a/queue-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/queue-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
new file mode 100644 (file)
index 0000000..824280a
--- /dev/null
@@ -0,0 +1,89 @@
+From 4f82659bdc1c56f32ea954b80471985ae827e31a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 10:18:25 -0700
+Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on
+ correct config
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ]
+
+Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5.
+
+This patch series adds the "buddy" hardlockup detector.  In brief, the
+buddy hardlockup detector can detect hardlockups without arch-level
+support by having CPUs checkup on a "buddy" CPU periodically.
+
+Given the new design of this patch series, testing all combinations is
+fairly difficult. I've attempted to make sure that all combinations of
+CONFIG_ options are good, but it wouldn't surprise me if I missed
+something. I apologize in advance and I'll do my best to fix any
+problems that are found.
+
+This patch (of 18):
+
+The real watchdog_update_hrtimer_threshold() is defined in
+kernel/watchdog_hld.c.  That file is included if
+CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file
+if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP.
+
+The dummy version of the function in "nmi.h" didn't get that quite right.
+While this doesn't appear to be a huge deal, it's nice to make it
+consistent.
+
+It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so
+others don't get a double definition, and x86 uses perf lockup detector,
+so it gets the out of line version.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid
+Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Chen-Yu Tsai <wens@csie.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Guenter Roeck <groeck@chromium.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Pingfan Liu <kernelfans@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: "Ravi V. Shankar" <ravi.v.shankar@intel.com>
+Cc: Ricardo Neri <ricardo.neri@intel.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Stephen Boyd <swboyd@chromium.org>
+Cc: Sumit Garg <sumit.garg@linaro.org>
+Cc: Tzung-Bi Shih <tzungbi@chromium.org>
+Cc: Will Deacon <will@kernel.org>
+Cc: Colin Cross <ccross@android.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/nmi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/nmi.h b/include/linux/nmi.h
+index e972d1ae1ee63..6cb593d9ed08a 100644
+--- a/include/linux/nmi.h
++++ b/include/linux/nmi.h
+@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh);
+ #endif
+ #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \
+-    defined(CONFIG_HARDLOCKUP_DETECTOR)
++    defined(CONFIG_HARDLOCKUP_DETECTOR_PERF)
+ void watchdog_update_hrtimer_threshold(u64 period);
+ #else
+ static inline void watchdog_update_hrtimer_threshold(u64 period) { }
+-- 
+2.39.2
+
diff --git a/queue-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch b/queue-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch
new file mode 100644 (file)
index 0000000..e77bbab
--- /dev/null
@@ -0,0 +1,84 @@
+From e2905033dff78f08fe660d4115a13ee9bacfe8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 10:18:26 -0700
+Subject: watchdog/perf: more properly prevent false positives with turbo modes
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ]
+
+Currently, in the watchdog_overflow_callback() we first check to see if
+the watchdog had been touched and _then_ we handle the workaround for
+turbo mode.  This order should be reversed.
+
+Specifically, "touching" the hardlockup detector's watchdog should avoid
+lockups being detected for one period that should be roughly the same
+regardless of whether we're running turbo or not.  That means that we
+should do the extra accounting for turbo _before_ we look at (and clear)
+the global indicating that we've been touched.
+
+NOTE: this fix is made based on code inspection.  I am not aware of any
+reports where the old code would have generated false positives.  That
+being said, this order seems more correct and also makes it easier down
+the line to share code with the "buddy" hardlockup detector.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Chen-Yu Tsai <wens@csie.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Colin Cross <ccross@android.com>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Guenter Roeck <groeck@chromium.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Pingfan Liu <kernelfans@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: "Ravi V. Shankar" <ravi.v.shankar@intel.com>
+Cc: Ricardo Neri <ricardo.neri@intel.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Stephen Boyd <swboyd@chromium.org>
+Cc: Sumit Garg <sumit.garg@linaro.org>
+Cc: Tzung-Bi Shih <tzungbi@chromium.org>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/watchdog_hld.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c
+index 247bf0b1582ca..1e8a49dc956e2 100644
+--- a/kernel/watchdog_hld.c
++++ b/kernel/watchdog_hld.c
+@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event,
+       /* Ensure the watchdog never gets throttled */
+       event->hw.interrupts = 0;
++      if (!watchdog_check_timestamp())
++              return;
++
+       if (__this_cpu_read(watchdog_nmi_touch) == true) {
+               __this_cpu_write(watchdog_nmi_touch, false);
+               return;
+       }
+-      if (!watchdog_check_timestamp())
+-              return;
+-
+       /* check for a hardlockup
+        * This is done by making sure our timer interrupt
+        * is incrementing.  The timer interrupt should have
+-- 
+2.39.2
+
diff --git a/queue-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/queue-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
new file mode 100644 (file)
index 0000000..7238641
--- /dev/null
@@ -0,0 +1,58 @@
+From c85c822808eddcd72b92e6eaf3b44ce43fd81baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 17:35:01 +0300
+Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ]
+
+For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid
+uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should
+validate pkt_len before accessing the SKB.
+
+For example, the obtained SKB may have been badly constructed with
+pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr
+but after being processed in ath9k_htc_rx_msg() and passed to
+ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI
+command header which should be located inside its data payload.
+
+Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit
+memory can be referenced.
+
+Tested on Qualcomm Atheros Communications AR9271 802.11n .
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index deb22b8c2065f..ef861b19fd477 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
+       if (unlikely(wmi->stopped))
+               goto free_skb;
++      /* Validate the obtained SKB. */
++      if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
++              goto free_skb;
++
+       hdr = (struct wmi_cmd_hdr *) skb->data;
+       cmd_id = be16_to_cpu(hdr->command_id);
+-- 
+2.39.2
+
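Review bot: The added length check in ath9k_wmi_ctrl_rx() guarantees only that a `struct wmi_cmd_hdr` fits in the SKB, so any payload that follows the header is still unchecked at this point. The function continues outside the hunk, so it is not visible whether the paths that consume the payload compare their expected size against `skb->len`. That should be confirmed, since the commit message describes the SKB as possibly badly constructed. The comment could also say what is being validated, e.g. `/* Drop frames too short to hold the WMI command header read below. */`.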
diff --git a/queue-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/queue-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
new file mode 100644 (file)
index 0000000..de2d5c3
--- /dev/null
@@ -0,0 +1,51 @@
+From 7a4ec3cd48756c3a4c45c84747bce2b2d8d347b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 16:46:55 +0300
+Subject: wifi: ath9k: convert msecs to jiffies where needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ]
+
+Since 'ieee80211_queue_delayed_work()' expects timeout in
+jiffies and not milliseconds, 'msecs_to_jiffies()' should
+be used in 'ath_restart_work()' and '__ath9k_flush()'.
+
+Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 4e606a4b19f2d..5968fcec11737 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc)
+ void ath_restart_work(struct ath_softc *sc)
+ {
+       ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work,
+-                                   ATH_HW_CHECK_POLL_INT);
++                                   msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+       if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
+               ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
+@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop,
+       }
+       ieee80211_queue_delayed_work(hw, &sc->hw_check_work,
+-                                   ATH_HW_CHECK_POLL_INT);
++                                   msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+ }
+ static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw)
+-- 
+2.39.2
+
diff --git a/queue-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/queue-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
new file mode 100644 (file)
index 0000000..d327d56
--- /dev/null
@@ -0,0 +1,54 @@
+From 5160d3edafaccfd69a7f737c6a937a832bbf2a36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 18:03:17 +0300
+Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ]
+
+A bad USB device is able to construct a service connection response
+message with target endpoint being ENDPOINT0 which is reserved for
+HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
+services.
+
+Reject such service connection responses.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index fe62ff668f757..99667aba289df 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target,
+       if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
+               epid = svc_rspmsg->endpoint_id;
+-              if (epid < 0 || epid >= ENDPOINT_MAX)
++
++              /* Check that the received epid for the endpoint to attach
++               * a new service is valid. ENDPOINT0 can't be used here as it
++               * is already reserved for HTC_CTRL_RSVD_SVC service and thus
++               * should not be modified.
++               */
++              if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX)
+                       return;
+               service_id = be16_to_cpu(svc_rspmsg->service_id);
+-- 
+2.39.2
+
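Review bot: The new condition `epid <= ENDPOINT0 || epid >= ENDPOINT_MAX` in htc_process_conn_rsp() checks only the range of the device-supplied `endpoint_id`; as far as this hunk shows, an in-range endpoint that already has another service attached would still be accepted. The rest of the function is outside the hunk, so this may be handled further down. If it is not, the reasoning the comment gives for ENDPOINT0 applies to any endpoint already in use. The comment would help the next reader more if it named the trust boundary, e.g. `/* epid comes from the device; only its range is checked here. */`.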
diff --git a/queue-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/queue-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
new file mode 100644 (file)
index 0000000..0756ed4
--- /dev/null
@@ -0,0 +1,95 @@
+From ac13d161aec4344df878948dd0a7edd2ebd65d67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 17:35:00 +0300
+Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset
+ calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Seiderer <ps.report@gmx.net>
+
+[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ]
+
+Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset
+calculation (do not overflow the shift for the second register/queues
+above five, use the register layout described in the comments above
+ath9k_hw_verify_hang() instead).
+
+Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003")
+
+Reported-by: Gregg Wonderly <greggwonderly@seqtechllc.com>
+Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++--------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+index 2fe12b0de5b4f..dea8a998fb622 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue)
+ {
+       u32 dma_dbg_chain, dma_dbg_complete;
+       u8 dcu_chain_state, dcu_complete_state;
++      unsigned int dbg_reg, reg_offset;
+       int i;
+-      for (i = 0; i < NUM_STATUS_READS; i++) {
+-              if (queue < 6)
+-                      dma_dbg_chain = REG_READ(ah, AR_DMADBG_4);
+-              else
+-                      dma_dbg_chain = REG_READ(ah, AR_DMADBG_5);
++      if (queue < 6) {
++              dbg_reg = AR_DMADBG_4;
++              reg_offset = queue * 5;
++      } else {
++              dbg_reg = AR_DMADBG_5;
++              reg_offset = (queue - 6) * 5;
++      }
++      for (i = 0; i < NUM_STATUS_READS; i++) {
++              dma_dbg_chain = REG_READ(ah, dbg_reg);
+               dma_dbg_complete = REG_READ(ah, AR_DMADBG_6);
+-              dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f;
++              dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f;
+               dcu_complete_state = dma_dbg_complete & 0x3;
+               if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1))
+@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+       u8 dcu_chain_state, dcu_complete_state;
+       bool dcu_wait_frdone = false;
+       unsigned long chk_dcu = 0;
++      unsigned int reg_offset;
+       unsigned int i = 0;
+       dma_dbg_4 = REG_READ(ah, AR_DMADBG_4);
+@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+               goto exit;
+       for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
+-              if (i < 6)
++              if (i < 6) {
+                       chk_dbg = dma_dbg_4;
+-              else
++                      reg_offset = i * 5;
++              } else {
+                       chk_dbg = dma_dbg_5;
++                      reg_offset = (i - 6) * 5;
++              }
+-              dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f;
++              dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f;
+               if (dcu_chain_state == 0x6) {
+                       dcu_wait_frdone = true;
+                       chk_dcu |= BIT(i);
+-- 
+2.39.2
+
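Review bot: The register selection and shift arithmetic is now written out twice, in ath9k_hw_verify_hang() and in the loop of ar9003_hw_detect_mac_hang(), with the bare constants 6 and 5 in both places. Naming them once, e.g. `#define AR9003_DCU_PER_DBG_REG 6` and `#define AR9003_DCU_STATE_BITS 5` (proposed names), would document the layout the commit message refers to and keep the two copies from drifting apart. Note also that ath9k_hw_verify_hang() does not bound `queue` itself, so `(queue - 6) * 5` stays below the width of the u32 only if callers pass a valid TX queue index. The callers are not visible in these hunks.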
diff --git a/queue-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/queue-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
new file mode 100644 (file)
index 0000000..6f8e781
--- /dev/null
@@ -0,0 +1,111 @@
+From 5d57e9c45741a6ae31def7e692e434e493f9bdff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jun 2023 11:37:44 +0200
+Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ]
+
+On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite
+loop if it is called while all txq_fifos have packets that use different
+key that the one we are looking for. Fix it by exiting the loop if all
+txq_fifos have been checked already.
+
+Because this loop is called under spin_lock_bh() (see ath_txq_lock) it
+causes the following rcu stall:
+
+rcu: INFO: rcu_sched self-detected stall on CPU
+ath10k_pci 0000:01:00.0: failed to read temperature -11
+rcu:    1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579
+        (t=5257 jiffies g=17983297 q=334)
+Task dump for CPU 1:
+task:hostapd         state:R  running task     stack:    0 pid:  297 ppid:   289 flags:0x0000000a
+Call trace:
+ dump_backtrace+0x0/0x170
+ show_stack+0x1c/0x24
+ sched_show_task+0x140/0x170
+ dump_cpu_task+0x48/0x54
+ rcu_dump_cpu_stacks+0xf0/0x134
+ rcu_sched_clock_irq+0x8d8/0x9fc
+ update_process_times+0xa0/0xec
+ tick_sched_timer+0x5c/0xd0
+ __hrtimer_run_queues+0x154/0x320
+ hrtimer_interrupt+0x120/0x2f0
+ arch_timer_handler_virt+0x38/0x44
+ handle_percpu_devid_irq+0x9c/0x1e0
+ handle_domain_irq+0x64/0x90
+ gic_handle_irq+0x78/0xb0
+ call_on_irq_stack+0x28/0x38
+ do_interrupt_handler+0x54/0x5c
+ el1_interrupt+0x2c/0x4c
+ el1h_64_irq_handler+0x14/0x1c
+ el1h_64_irq+0x74/0x78
+ ath9k_txq_has_key+0x1bc/0x250 [ath9k]
+ ath9k_set_key+0x1cc/0x3dc [ath9k]
+ drv_set_key+0x78/0x170
+ ieee80211_key_replace+0x564/0x6cc
+ ieee80211_key_link+0x174/0x220
+ ieee80211_add_key+0x11c/0x300
+ nl80211_new_key+0x12c/0x330
+ genl_family_rcv_msg_doit+0xbc/0x11c
+ genl_rcv_msg+0xd8/0x1c4
+ netlink_rcv_skb+0x40/0x100
+ genl_rcv+0x3c/0x50
+ netlink_unicast+0x1ec/0x2c0
+ netlink_sendmsg+0x198/0x3c0
+ ____sys_sendmsg+0x210/0x250
+ ___sys_sendmsg+0x78/0xc4
+ __sys_sendmsg+0x4c/0x90
+ __arm64_sys_sendmsg+0x28/0x30
+ invoke_syscall.constprop.0+0x60/0x100
+ do_el0_svc+0x48/0xd0
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xa8/0xb0
+ el0t_64_sync+0x158/0x15c
+
+This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH
+from 8 to 2 makes it reasonably easy to reproduce.
+
+Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Tested-by: Nicolas Escande <nico.escande@gmail.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index eb5751a45f266..4e606a4b19f2d 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix)
+ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+ {
+       struct ath_hw *ah = sc->sc_ah;
+-      int i;
++      int i, j;
+       struct ath_txq *txq;
+       bool key_in_use = false;
+@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+               if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
+                       int idx = txq->txq_tailidx;
+-                      while (!key_in_use &&
+-                             !list_empty(&txq->txq_fifo[idx])) {
++                      for (j = 0; !key_in_use &&
++                           !list_empty(&txq->txq_fifo[idx]) &&
++                           j < ATH_TXFIFO_DEPTH; j++) {
+                               key_in_use = ath9k_txq_list_has_key(
+                                       &txq->txq_fifo[idx], keyix);
+                               INCR(idx, ATH_TXFIFO_DEPTH);
+-- 
+2.39.2
+
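Review bot: In the new `for` condition in ath9k_txq_has_key() the iteration bound `j < ATH_TXFIFO_DEPTH` is tested last, after `list_empty(&txq->txq_fifo[idx])` has already been evaluated for that pass. Putting the bound first makes the termination guarantee obvious for a loop that the commit message says runs under spin_lock_bh(): `for (j = 0; j < ATH_TXFIFO_DEPTH && !key_in_use && !list_empty(&txq->txq_fifo[idx]); j++)`. The result is the same because `list_empty()` has no side effects. The loop body and the rest of the function continue outside the hunk.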
diff --git a/queue-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/queue-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
new file mode 100644 (file)
index 0000000..1a4799b
--- /dev/null
@@ -0,0 +1,59 @@
+From 41583092311a31bbcc90465936756f233013064d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 09:53:14 +0200
+Subject: wifi: atmel: Fix an error handling path in atmel_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ]
+
+Should atmel_config() fail, some resources need to be released as already
+done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+atmel_probe(), not atmel_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c
+index 7afc9c5329fb1..f5fa1a95b0c15 100644
+--- a/drivers/net/wireless/atmel/atmel_cs.c
++++ b/drivers/net/wireless/atmel/atmel_cs.c
+@@ -73,6 +73,7 @@ struct local_info {
+ static int atmel_probe(struct pcmcia_device *p_dev)
+ {
+       struct local_info *local;
++      int ret;
+       dev_dbg(&p_dev->dev, "atmel_attach()\n");
+@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev)
+       p_dev->priv = local;
+-      return atmel_config(p_dev);
+-} /* atmel_attach */
++      ret = atmel_config(p_dev);
++      if (ret)
++              goto err_free_priv;
++
++      return 0;
++
++err_free_priv:
++      kfree(p_dev->priv);
++      return ret;
++}
+ static void atmel_detach(struct pcmcia_device *link)
+ {
+-- 
+2.39.2
+
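Review bot: The new `err_free_priv` path in atmel_probe() frees `p_dev->priv` but leaves the stale pointer in place. Nothing in the hunk shows a later reader of `priv` after a failed probe, but clearing it turns any such access into a NULL dereference rather than a use-after-free: `kfree(local); p_dev->priv = NULL;`. Separately, the `dev_dbg()` at the top still prints "atmel_attach()" although the commit message calls that name erroneous. Part of atmel_probe() lies between the two hunks and is not visible.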
diff --git a/queue-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch b/queue-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch
new file mode 100644 (file)
index 0000000..8f68561
--- /dev/null
@@ -0,0 +1,290 @@
+From a425af437544a834e787a98d16a6d4c9f473d0d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 09:54:03 +0300
+Subject: wifi: cfg80211: rewrite merging of inherited elements
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit dfd9aa3e7a456d57b18021d66472ab7ff8373ab7 ]
+
+The cfg80211_gen_new_ie function merges the IEs using inheritance rules.
+Rewrite this function to fix issues around inheritance rules. In
+particular, vendor elements do not require any special handling, as they
+are either all inherited or overridden by the subprofile.
+Also, add fragmentation handling as this may be needed in some cases.
+
+This also changes the function to not require making a copy. The new
+version could be optimized a bit by explicitly tracking which IEs have
+been handled already rather than looking that up again every time.
+
+Note that a small behavioural change is the removal of the SSID special
+handling. This should be fine for the MBSSID element, as the SSID must
+be included in the subelement.
+
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230616094949.bc6152e146db.I2b5f3bc45085e1901e5b5192a674436adaf94748@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 213 ++++++++++++++++++++++++++------------------
+ 1 file changed, 124 insertions(+), 89 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index c4c124cb5332b..e35c54ba2fd56 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -223,117 +223,152 @@ bool cfg80211_is_element_inherited(const struct element *elem,
+ }
+ EXPORT_SYMBOL(cfg80211_is_element_inherited);
+-static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
+-                                const u8 *subelement, size_t subie_len,
+-                                u8 *new_ie, gfp_t gfp)
++static size_t cfg80211_copy_elem_with_frags(const struct element *elem,
++                                          const u8 *ie, size_t ie_len,
++                                          u8 **pos, u8 *buf, size_t buf_len)
+ {
+-      u8 *pos, *tmp;
+-      const u8 *tmp_old, *tmp_new;
+-      const struct element *non_inherit_elem;
+-      u8 *sub_copy;
++      if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len ||
++                  elem->data + elem->datalen > ie + ie_len))
++              return 0;
+-      /* copy subelement as we need to change its content to
+-       * mark an ie after it is processed.
+-       */
+-      sub_copy = kmemdup(subelement, subie_len, gfp);
+-      if (!sub_copy)
++      if (elem->datalen + 2 > buf + buf_len - *pos)
+               return 0;
+-      pos = &new_ie[0];
++      memcpy(*pos, elem, elem->datalen + 2);
++      *pos += elem->datalen + 2;
+-      /* set new ssid */
+-      tmp_new = cfg80211_find_ie(WLAN_EID_SSID, sub_copy, subie_len);
+-      if (tmp_new) {
+-              memcpy(pos, tmp_new, tmp_new[1] + 2);
+-              pos += (tmp_new[1] + 2);
++      /* Finish if it is not fragmented  */
++      if (elem->datalen != 255)
++              return *pos - buf;
++
++      ie_len = ie + ie_len - elem->data - elem->datalen;
++      ie = (const u8 *)elem->data + elem->datalen;
++
++      for_each_element(elem, ie, ie_len) {
++              if (elem->id != WLAN_EID_FRAGMENT)
++                      break;
++
++              if (elem->datalen + 2 > buf + buf_len - *pos)
++                      return 0;
++
++              memcpy(*pos, elem, elem->datalen + 2);
++              *pos += elem->datalen + 2;
++
++              if (elem->datalen != 255)
++                      break;
+       }
+-      /* get non inheritance list if exists */
+-      non_inherit_elem =
+-              cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
+-                                     sub_copy, subie_len);
++      return *pos - buf;
++}
+-      /* go through IEs in ie (skip SSID) and subelement,
+-       * merge them into new_ie
++static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
++                                const u8 *subie, size_t subie_len,
++                                u8 *new_ie, size_t new_ie_len)
++{
++      const struct element *non_inherit_elem, *parent, *sub;
++      u8 *pos = new_ie;
++      u8 id, ext_id;
++      unsigned int match_len;
++
++      non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
++                                                subie, subie_len);
++
++      /* We copy the elements one by one from the parent to the generated
++       * elements.
++       * If they are not inherited (included in subie or in the non
++       * inheritance element), then we copy all occurrences the first time
++       * we see this element type.
+        */
+-      tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
+-      tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
+-
+-      while (tmp_old + 2 - ie <= ielen &&
+-             tmp_old + tmp_old[1] + 2 - ie <= ielen) {
+-              if (tmp_old[0] == 0) {
+-                      tmp_old++;
++      for_each_element(parent, ie, ielen) {
++              if (parent->id == WLAN_EID_FRAGMENT)
+                       continue;
++
++              if (parent->id == WLAN_EID_EXTENSION) {
++                      if (parent->datalen < 1)
++                              continue;
++
++                      id = WLAN_EID_EXTENSION;
++                      ext_id = parent->data[0];
++                      match_len = 1;
++              } else {
++                      id = parent->id;
++                      match_len = 0;
+               }
+-              if (tmp_old[0] == WLAN_EID_EXTENSION)
+-                      tmp = (u8 *)cfg80211_find_ext_ie(tmp_old[2], sub_copy,
+-                                                       subie_len);
+-              else
+-                      tmp = (u8 *)cfg80211_find_ie(tmp_old[0], sub_copy,
+-                                                   subie_len);
++              /* Find first occurrence in subie */
++              sub = cfg80211_find_elem_match(id, subie, subie_len,
++                                             &ext_id, match_len, 0);
+-              if (!tmp) {
+-                      const struct element *old_elem = (void *)tmp_old;
++              /* Copy from parent if not in subie and inherited */
++              if (!sub &&
++                  cfg80211_is_element_inherited(parent, non_inherit_elem)) {
++                      if (!cfg80211_copy_elem_with_frags(parent,
++                                                         ie, ielen,
++                                                         &pos, new_ie,
++                                                         new_ie_len))
++                              return 0;
+-                      /* ie in old ie but not in subelement */
+-                      if (cfg80211_is_element_inherited(old_elem,
+-                                                        non_inherit_elem)) {
+-                              memcpy(pos, tmp_old, tmp_old[1] + 2);
+-                              pos += tmp_old[1] + 2;
+-                      }
+-              } else {
+-                      /* ie in transmitting ie also in subelement,
+-                       * copy from subelement and flag the ie in subelement
+-                       * as copied (by setting eid field to WLAN_EID_SSID,
+-                       * which is skipped anyway).
+-                       * For vendor ie, compare OUI + type + subType to
+-                       * determine if they are the same ie.
+-                       */
+-                      if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
+-                              if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
+-                                  !memcmp(tmp_old + 2, tmp + 2, 5)) {
+-                                      /* same vendor ie, copy from
+-                                       * subelement
+-                                       */
+-                                      memcpy(pos, tmp, tmp[1] + 2);
+-                                      pos += tmp[1] + 2;
+-                                      tmp[0] = WLAN_EID_SSID;
+-                              } else {
+-                                      memcpy(pos, tmp_old, tmp_old[1] + 2);
+-                                      pos += tmp_old[1] + 2;
+-                              }
+-                      } else {
+-                              /* copy ie from subelement into new ie */
+-                              memcpy(pos, tmp, tmp[1] + 2);
+-                              pos += tmp[1] + 2;
+-                              tmp[0] = WLAN_EID_SSID;
+-                      }
++                      continue;
+               }
+-              if (tmp_old + tmp_old[1] + 2 - ie == ielen)
+-                      break;
++              /* Already copied if an earlier element had the same type */
++              if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie,
++                                           &ext_id, match_len, 0))
++                      continue;
+-              tmp_old += tmp_old[1] + 2;
++              /* Not inheriting, copy all similar elements from subie */
++              while (sub) {
++                      if (!cfg80211_copy_elem_with_frags(sub,
++                                                         subie, subie_len,
++                                                         &pos, new_ie,
++                                                         new_ie_len))
++                              return 0;
++
++                      sub = cfg80211_find_elem_match(id,
++                                                     sub->data + sub->datalen,
++                                                     subie_len + subie -
++                                                     (sub->data +
++                                                      sub->datalen),
++                                                     &ext_id, match_len, 0);
++              }
+       }
+-      /* go through subelement again to check if there is any ie not
+-       * copied to new ie, skip ssid, capability, bssid-index ie
++      /* The above misses elements that are included in subie but not in the
++       * parent, so do a pass over subie and append those.
++       * Skip the non-tx BSSID caps and non-inheritance element.
+        */
+-      tmp_new = sub_copy;
+-      while (tmp_new + 2 - sub_copy <= subie_len &&
+-             tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
+-              if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
+-                    tmp_new[0] == WLAN_EID_SSID)) {
+-                      memcpy(pos, tmp_new, tmp_new[1] + 2);
+-                      pos += tmp_new[1] + 2;
++      for_each_element(sub, subie, subie_len) {
++              if (sub->id == WLAN_EID_NON_TX_BSSID_CAP)
++                      continue;
++
++              if (sub->id == WLAN_EID_FRAGMENT)
++                      continue;
++
++              if (sub->id == WLAN_EID_EXTENSION) {
++                      if (sub->datalen < 1)
++                              continue;
++
++                      id = WLAN_EID_EXTENSION;
++                      ext_id = sub->data[0];
++                      match_len = 1;
++
++                      if (ext_id == WLAN_EID_EXT_NON_INHERITANCE)
++                              continue;
++              } else {
++                      id = sub->id;
++                      match_len = 0;
+               }
+-              if (tmp_new + tmp_new[1] + 2 - sub_copy == subie_len)
+-                      break;
+-              tmp_new += tmp_new[1] + 2;
++
++              /* Processed if one was included in the parent */
++              if (cfg80211_find_elem_match(id, ie, ielen,
++                                           &ext_id, match_len, 0))
++                      continue;
++
++              if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len,
++                                                 &pos, new_ie, new_ie_len))
++                      return 0;
+       }
+-      kfree(sub_copy);
+       return pos - new_ie;
+ }
+@@ -1659,7 +1694,7 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
+                       new_ie_len = cfg80211_gen_new_ie(ie, ielen,
+                                                        profile,
+                                                        profile_len, new_ie,
+-                                                       gfp);
++                                                       IEEE80211_MAX_DATA_LEN);
+                       if (!new_ie_len)
+                               continue;
+-- 
+2.39.2
+
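Review bot: The capacity that bounds every copy in cfg80211_copy_elem_with_frags() is the bare constant passed at the call site in cfg80211_parse_mbssid_data(), `IEEE80211_MAX_DATA_LEN);`, while the allocation of new_ie lies outside the hunk, so nothing visible ties the two sizes together. Because the elements being merged appear to come from received scan data, I would add `/* must match the size new_ie was allocated with */` above that argument, or pass a named size shared with the allocation. Separately, `ext_id` is left unset on the non-extension branches and its address is still handed to cfg80211_find_elem_match(). That looks safe only because match_len is 0 there, and `u8 id, ext_id = 0;` would make it explicit.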
diff --git a/queue-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch b/queue-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch
new file mode 100644 (file)
index 0000000..45855f0
--- /dev/null
@@ -0,0 +1,47 @@
+From ad0c4ac8adf759d2f50c28ae3a1e881c1d5d6a35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 12:41:22 +0300
+Subject: wifi: iwlwifi: pull from TXQs with softirqs disabled
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 96fb6f47db24a712d650b0a9b9074873f273fb0e ]
+
+In mac80211, it's required that we pull from TXQs by calling
+ieee80211_tx_dequeue() only with softirqs disabled. However,
+in iwl_mvm_queue_state_change() we're often called with them
+enabled, e.g. from flush if anything was flushed, triggering
+a mac80211 warning.
+
+Fix that by disabling the softirqs across the TX call.
+
+Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230614123446.0feef7fa81db.I4dd62542d955b40dd8f0af34fa4accb9d0d17c7e@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 5973eecbc0378..18c5975d7c037 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1167,8 +1167,11 @@ static void iwl_mvm_queue_state_change(struct iwl_op_mode *op_mode,
+               mvmtxq = iwl_mvm_txq_from_mac80211(txq);
+               mvmtxq->stopped = !start;
+-              if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST)
++              if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST) {
++                      local_bh_disable();
+                       iwl_mvm_mac_itxq_xmit(mvm->hw, txq);
++                      local_bh_enable();
++              }
+       }
+ out:
+-- 
+2.39.2
+
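Review bot: The new `local_bh_disable();` / `local_bh_enable();` pair around `iwl_mvm_mac_itxq_xmit(mvm->hw, txq);` carries no comment, so the reason for it lives only in the commit message. A one-line comment above the pair, e.g. `/* ieee80211_tx_dequeue() requires softirqs to be disabled */`, would keep a later cleanup from dropping it. iwl_mvm_queue_state_change() starts and ends outside the hunk, so other paths into the xmit helper cannot be checked from here.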
diff --git a/queue-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch b/queue-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
new file mode 100644 (file)
index 0000000..3b73b30
--- /dev/null
@@ -0,0 +1,48 @@
+From 1085d36afdf3f8cf7e74b83e56c317c600b0b3ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 May 2023 15:53:15 +0200
+Subject: wifi: mwifiex: Fix the size of a memory allocation in
+ mwifiex_ret_802_11_scan()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ]
+
+The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info",
+not "struct cfg80211_wowlan_nd_match".
+
+Use struct_size() to ease the computation of the needed size.
+
+The current code over-allocates some memory, so is safe.
+But it wastes 32 bytes.
+
+Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 629af26675cf1..1ab04adc53dcd 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -2202,9 +2202,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
+       if (nd_config) {
+               adapter->nd_info =
+-                      kzalloc(sizeof(struct cfg80211_wowlan_nd_match) +
+-                              sizeof(struct cfg80211_wowlan_nd_match *) *
+-                              scan_rsp->number_of_sets, GFP_ATOMIC);
++                      kzalloc(struct_size(adapter->nd_info, matches,
++                                          scan_rsp->number_of_sets),
++                              GFP_ATOMIC);
+               if (adapter->nd_info)
+                       adapter->nd_info->n_matches = scan_rsp->number_of_sets;
+-- 
+2.39.2
+
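Review bot: When the `kzalloc(struct_size(adapter->nd_info, matches, scan_rsp->number_of_sets), GFP_ATOMIC)` call fails, the following `if (adapter->nd_info)` simply skips the assignment, with no log or error return visible in the hunk. number_of_sets is taken from the scan response, and struct_size() saturates on overflow, so an oversized count ends in a failed allocation rather than a short buffer. That property deserves a comment such as `/* struct_size() saturates, so a bad count fails the allocation */`. Whether later users of adapter->nd_info tolerate NULL cannot be seen here, because mwifiex_ret_802_11_scan() continues outside the hunk.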
diff --git a/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
new file mode 100644 (file)
index 0000000..e3d05a9
--- /dev/null
@@ -0,0 +1,58 @@
+From a82b964dc29e02673beba88eb3f3fac5fe8b3372 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 09:38:22 +0200
+Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ]
+
+Should orinoco_cs_config() fail, some resources need to be released as
+already done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+orinoco_cs_probe(), not orinoco_cs_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
+index a956f965a1e5e..03bfd2482656c 100644
+--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
+@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link)
+ {
+       struct orinoco_private *priv;
+       struct orinoco_pccard *card;
++      int ret;
+       priv = alloc_orinocodev(sizeof(*card), &link->dev,
+                               orinoco_cs_hard_reset, NULL);
+@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link)
+       card->p_dev = link;
+       link->priv = priv;
+-      return orinoco_cs_config(link);
+-}                             /* orinoco_cs_attach */
++      ret = orinoco_cs_config(link);
++      if (ret)
++              goto err_free_orinocodev;
++
++      return 0;
++
++err_free_orinocodev:
++      free_orinocodev(priv);
++      return ret;
++}
+ static void orinoco_cs_detach(struct pcmcia_device *link)
+ {
+-- 
+2.39.2
+
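Review bot: The new `err_free_orinocodev:` path in orinoco_cs_probe() releases priv with `free_orinocodev(priv);` but leaves `link->priv`, assigned a few lines earlier, pointing at the freed object. Adding `link->priv = NULL;` before `return ret;` would turn any later access into a visible NULL dereference instead of a use of freed memory; whether anything reads link->priv after a failed probe is not visible here. The same pattern appears in spectrum_cs_probe() in the next patch and in atmel_probe(), where `kfree(p_dev->priv);` is not followed by clearing p_dev->priv. It is also worth confirming that orinoco_cs_config() undoes its own partial setup on failure, since its body is outside the hunk.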
diff --git a/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
new file mode 100644 (file)
index 0000000..89c5437
--- /dev/null
@@ -0,0 +1,59 @@
+From a6a54d691126bd157751bdc6406d43f6dc884f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 09:29:46 +0200
+Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ]
+
+Should spectrum_cs_config() fail, some resources need to be released as
+already done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+spectrum_cs_probe(), not spectrum_cs_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+index b60048c95e0a8..011c86e55923e 100644
+--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link)
+ {
+       struct orinoco_private *priv;
+       struct orinoco_pccard *card;
++      int ret;
+       priv = alloc_orinocodev(sizeof(*card), &link->dev,
+                               spectrum_cs_hard_reset,
+@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link)
+       card->p_dev = link;
+       link->priv = priv;
+-      return spectrum_cs_config(link);
+-}                             /* spectrum_cs_attach */
++      ret = spectrum_cs_config(link);
++      if (ret)
++              goto err_free_orinocodev;
++
++      return 0;
++
++err_free_orinocodev:
++      free_orinocodev(priv);
++      return ret;
++}
+ static void spectrum_cs_detach(struct pcmcia_device *link)
+ {
+-- 
+2.39.2
+
diff --git a/queue-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch b/queue-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch
new file mode 100644 (file)
index 0000000..9d5d25b
--- /dev/null
@@ -0,0 +1,53 @@
+From e5f704120e9c7703b284cdd5aba6b59e33ee59e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jun 2022 19:44:14 +0300
+Subject: wifi: ray_cs: Drop useless status variable in parse_addr()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ]
+
+The status variable assigned only once and used also only once.
+Replace it's usage by actual value.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com
+Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ray_cs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index 29dd303a7beae..be2d599536cd5 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -1643,7 +1643,6 @@ static int parse_addr(char *in_str, UCHAR *out)
+ {
+       int i, k;
+       int len;
+-      int status;
+       if (in_str == NULL)
+               return 0;
+@@ -1652,7 +1651,6 @@ static int parse_addr(char *in_str, UCHAR *out)
+               return 0;
+       memset(out, 0, ADDRLEN);
+-      status = 1;
+       i = 5;
+       while (len > 0) {
+@@ -1670,7 +1668,7 @@ static int parse_addr(char *in_str, UCHAR *out)
+               if (!i--)
+                       break;
+       }
+-      return status;
++      return 1;
+ }
+ /*===========================================================================*/
+-- 
+2.39.2
+
diff --git a/queue-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/queue-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
new file mode 100644 (file)
index 0000000..0429aaa
--- /dev/null
@@ -0,0 +1,69 @@
+From 65be62ae0f66659dce4b99ad44de5557f5859187 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 10:13:22 +0200
+Subject: wifi: ray_cs: Fix an error handling path in ray_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ]
+
+Should ray_config() fail, some resources need to be released as already
+done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+ray_probe(), not ray_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ray_cs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index be2d599536cd5..d9c1ac5cb5626 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -270,13 +270,14 @@ static int ray_probe(struct pcmcia_device *p_dev)
+ {
+       ray_dev_t *local;
+       struct net_device *dev;
++      int ret;
+       dev_dbg(&p_dev->dev, "ray_attach()\n");
+       /* Allocate space for private device-specific data */
+       dev = alloc_etherdev(sizeof(ray_dev_t));
+       if (!dev)
+-              goto fail_alloc_dev;
++              return -ENOMEM;
+       local = netdev_priv(dev);
+       local->finder = p_dev;
+@@ -313,11 +314,16 @@ static int ray_probe(struct pcmcia_device *p_dev)
+       timer_setup(&local->timer, NULL, 0);
+       this_device = p_dev;
+-      return ray_config(p_dev);
++      ret = ray_config(p_dev);
++      if (ret)
++              goto err_free_dev;
++
++      return 0;
+-fail_alloc_dev:
+-      return -ENOMEM;
+-} /* ray_attach */
++err_free_dev:
++      free_netdev(dev);
++      return ret;
++}
+ static void ray_detach(struct pcmcia_device *link)
+ {
+-- 
+2.39.2
+
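Review bot: In ray_probe() the pointer set by `this_device = p_dev;` (not among the locals shown, so presumably file-scope) is assigned before `ret = ray_config(p_dev);`, and the new `err_free_dev:` path calls `free_netdev(dev);` without resetting it. If p_dev->priv was set to dev in the part of the function outside the hunk, this_device then leads to freed memory after a failed probe. I would add `this_device = NULL;` to the error path and clear p_dev->priv if it is set. Alternatively, move the `this_device` assignment after ray_config() succeeds, provided ray_config() does not rely on it.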
diff --git a/queue-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch b/queue-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
new file mode 100644 (file)
index 0000000..caf89aa
--- /dev/null
@@ -0,0 +1,67 @@
+From c404c684d64e7ee50c7ab10cc256f416600336ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jun 2022 19:44:13 +0300
+Subject: wifi: ray_cs: Utilize strnlen() in parse_addr()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ]
+
+Instead of doing simple operations and using an additional variable on stack,
+utilize strnlen() and reuse len variable.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com
+Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ray_cs.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index 3836d6ac53049..29dd303a7beae 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -1641,31 +1641,29 @@ static void authenticate_timeout(struct timer_list *t)
+ /*===========================================================================*/
+ static int parse_addr(char *in_str, UCHAR *out)
+ {
++      int i, k;
+       int len;
+-      int i, j, k;
+       int status;
+       if (in_str == NULL)
+               return 0;
+-      if ((len = strlen(in_str)) < 2)
++      len = strnlen(in_str, ADDRLEN * 2 + 1) - 1;
++      if (len < 1)
+               return 0;
+       memset(out, 0, ADDRLEN);
+       status = 1;
+-      j = len - 1;
+-      if (j > 12)
+-              j = 12;
+       i = 5;
+-      while (j > 0) {
+-              if ((k = hex_to_bin(in_str[j--])) != -1)
++      while (len > 0) {
++              if ((k = hex_to_bin(in_str[len--])) != -1)
+                       out[i] = k;
+               else
+                       return 0;
+-              if (j == 0)
++              if (len == 0)
+                       break;
+-              if ((k = hex_to_bin(in_str[j--])) != -1)
++              if ((k = hex_to_bin(in_str[len--])) != -1)
+                       out[i] += k << 4;
+               else
+                       return 0;
+-- 
+2.39.2
+
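Review bot: In `len = strnlen(in_str, ADDRLEN * 2 + 1) - 1;` the subtraction is done in size_t, so an empty string produces a wrapped value that only becomes -1 through the conversion to int. The `if (len < 1)` check still rejects it on the usual targets, but `len = (int)strnlen(in_str, ADDRLEN * 2 + 1) - 1;` states the intent without relying on that conversion. A short comment on parse_addr() would also help, saying that the string is consumed from its last character backwards and that index 0 is never read by the `while (len > 0)` loop. The end of the loop is outside the hunk.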
diff --git a/queue-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch b/queue-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch
new file mode 100644 (file)
index 0000000..0f5992c
--- /dev/null
@@ -0,0 +1,41 @@
+From 7f54909fa4d4f617280082714baa5f5e1d8eb7f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 May 2023 00:28:59 +0200
+Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ]
+
+It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag
+indicates to the MMC subsystem to keep the slot powered on during
+suspend, but in shutdown the slot should actually be powered off.
+Drop this call.
+
+Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+index 4fe837090cdae..22b0567ad8261 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+@@ -1479,9 +1479,6 @@ static void rsi_shutdown(struct device *dev)
+       if (sdev->write_fail)
+               rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n");
+-      if (rsi_set_sdio_pm_caps(adapter))
+-              rsi_dbg(INFO_ZONE, "Setting power management caps failed\n");
+-
+       rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n");
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/queue-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
new file mode 100644 (file)
index 0000000..5b51934
--- /dev/null
@@ -0,0 +1,66 @@
+From 27ed8f9cf820b41bbf02b9d9948fd443406b59b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 10:05:08 +0200
+Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ]
+
+Should wl3501_config() fail, some resources need to be released as already
+done in the remove function.
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index ae660f25a0e5a..e6505624f0c28 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1862,6 +1862,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+ {
+       struct net_device *dev;
+       struct wl3501_card *this;
++      int ret;
+       /* The io structure describes IO port mapping */
+       p_dev->resource[0]->end = 16;
+@@ -1873,8 +1874,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+       dev = alloc_etherdev(sizeof(struct wl3501_card));
+       if (!dev)
+-              goto out_link;
+-
++              return -ENOMEM;
+       dev->netdev_ops         = &wl3501_netdev_ops;
+       dev->watchdog_timeo     = 5 * HZ;
+@@ -1887,9 +1887,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+       netif_stop_queue(dev);
+       p_dev->priv = dev;
+-      return wl3501_config(p_dev);
+-out_link:
+-      return -ENOMEM;
++      ret = wl3501_config(p_dev);
++      if (ret)
++              goto out_free_etherdev;
++
++      return 0;
++
++out_free_etherdev:
++      free_netdev(dev);
++      return ret;
+ }
+ static int wl3501_config(struct pcmcia_device *link)
+-- 
+2.39.2
+
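Review bot: On the new `out_free_etherdev` path in wl3501_probe(), `p_dev->priv` still points at `dev` after `free_netdev(dev)`, because it is assigned just before the wl3501_config() call. Nothing in the hunk reads it after a failed probe, but clearing it keeps a stale pointer out of the pcmcia_device: add `p_dev->priv = NULL;` next to `free_netdev(dev);`. The error path also frees the netdev without the `unregister_netdev()` that wl3501_detach() performs, so it is only safe if wl3501_config() undoes any registration itself before returning an error. The body of wl3501_config() is outside this hunk, so that should be confirmed.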
diff --git a/queue-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch b/queue-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch
new file mode 100644 (file)
index 0000000..37d30d2
--- /dev/null
@@ -0,0 +1,143 @@
+From 4df70183be4ba1ea9facec6034f736cafe92768c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 10:33:51 +0100
+Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs
+
+From: Lee Jones <lee.jones@linaro.org>
+
+[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ]
+
+Fixes the following W=1 kernel build warning(s):
+
+ In file included from drivers/net/wireless/wl3501_cs.c:57:
+ drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel'
+ drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla'
+ drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla'
+ drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt'
+ drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt'
+ drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt'
+ drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt'
+ drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not described in 'wl3501_reset'
+ drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach'
+
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Fox Chen <mhchen@golf.ccl.itri.org.tw>
+Cc: de Melo <acme@conectiva.com.br>
+Cc: Gustavo Niemeyer <niemeyer@conectiva.com>
+Cc: linux-wireless@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 8638c7c72bc30..b66c7d4798977 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -134,8 +134,8 @@ static const struct {
+ /**
+  * iw_valid_channel - validate channel in regulatory domain
+- * @reg_comain - regulatory domain
+- * @channel - channel to validate
++ * @reg_comain: regulatory domain
++ * @channel: channel to validate
+  *
+  * Returns 0 if invalid in the specified regulatory domain, non-zero if valid.
+  */
+@@ -154,7 +154,7 @@ static int iw_valid_channel(int reg_domain, int channel)
+ /**
+  * iw_default_channel - get default channel for a regulatory domain
+- * @reg_comain - regulatory domain
++ * @reg_domain: regulatory domain
+  *
+  * Returns the default channel for a regulatory domain
+  */
+@@ -237,6 +237,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this)
+ /**
+  * wl3501_set_to_wla - Move 'size' bytes from PC to card
++ * @this: Card
+  * @dest: Card addressing space
+  * @src: PC addressing space
+  * @size: Bytes to move
+@@ -259,6 +260,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src,
+ /**
+  * wl3501_get_from_wla - Move 'size' bytes from card to PC
++ * @this: Card
+  * @src: Card addressing space
+  * @dest: PC addressing space
+  * @size: Bytes to move
+@@ -455,7 +457,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend)
+ /**
+  * wl3501_send_pkt - Send a packet.
+- * @this - card
++ * @this: Card
+  *
+  * Send a packet.
+  *
+@@ -723,7 +725,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
+ /**
+  * wl3501_block_interrupt - Mask interrupt from SUTRO
+- * @this - card
++ * @this: Card
+  *
+  * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST)
+  * Return: 1 if interrupt is originally enabled
+@@ -740,7 +742,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this)
+ /**
+  * wl3501_unblock_interrupt - Enable interrupt from SUTRO
+- * @this - card
++ * @this: Card
+  *
+  * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST)
+  * Return: 1 if interrupt is originally enabled
+@@ -1114,8 +1116,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this)
+ /**
+  * wl3501_interrupt - Hardware interrupt from card.
+- * @irq - Interrupt number
+- * @dev_id - net_device
++ * @irq: Interrupt number
++ * @dev_id: net_device
+  *
+  * We must acknowledge the interrupt as soon as possible, and block the
+  * interrupt from the same card immediately to prevent re-entry.
+@@ -1251,7 +1253,7 @@ static int wl3501_close(struct net_device *dev)
+ /**
+  * wl3501_reset - Reset the SUTRO.
+- * @dev - network device
++ * @dev: network device
+  *
+  * It is almost the same as wl3501_open(). In fact, we may just wl3501_close()
+  * and wl3501_open() again, but I wouldn't like to free_irq() when the driver
+@@ -1414,7 +1416,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev)
+ /**
+  * wl3501_detach - deletes a driver "instance"
+- * @link - FILL_IN
++ * @link: FILL_IN
+  *
+  * This deletes a driver "instance". The device is de-registered with Card
+  * Services. If it has been released, all local data structures are freed.
+-- 
+2.39.2
+
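Review bot: The last hunk converts the wl3501_detach() kernel-doc line to `@link: FILL_IN`, which satisfies the W=1 parser but still documents nothing. The signature shown in another patch of this queue is `wl3501_detach(struct pcmcia_device *link)`, so something like ` * @link: PCMCIA device being detached` would replace the placeholder. The comment block continues past the end of the hunk.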
diff --git a/queue-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch b/queue-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch
new file mode 100644 (file)
index 0000000..f1a12d7
--- /dev/null
@@ -0,0 +1,64 @@
+From d06d8d3ae789dbce1284e8b6b777fc79b1b5c8c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 11:23:53 +0000
+Subject: wl3501_cs: Fix misspelling and provide missing documentation
+
+From: Lee Jones <lee.jones@linaro.org>
+
+[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ]
+
+Fixes the following W=1 kernel build warning(s):
+
+ In file included from drivers/net/wireless/wl3501_cs.c:57:
+ drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt'
+
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Fox Chen <mhchen@golf.ccl.itri.org.tw>
+Cc: de Melo <acme@conectiva.com.br>
+Cc: Gustavo Niemeyer <niemeyer@conectiva.com>
+Cc: linux-wireless@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index cf67ea13dd8dc..115bb408d4f20 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -134,7 +134,7 @@ static const struct {
+ /**
+  * iw_valid_channel - validate channel in regulatory domain
+- * @reg_comain: regulatory domain
++ * @reg_domain: regulatory domain
+  * @channel: channel to validate
+  *
+  * Returns 0 if invalid in the specified regulatory domain, non-zero if valid.
+@@ -458,11 +458,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend)
+ /**
+  * wl3501_send_pkt - Send a packet.
+  * @this: Card
+- *
+- * Send a packet.
+- *
+- * data = Ethernet raw frame.  (e.g. data[0] - data[5] is Dest MAC Addr,
++ * @data: Ethernet raw frame.  (e.g. data[0] - data[5] is Dest MAC Addr,
+  *                                   data[6] - data[11] is Src MAC Addr)
++ * @len: Packet length
+  * Ref: IEEE 802.11
+  */
+ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+-- 
+2.39.2
+
diff --git a/queue-5.4/wl3501_cs-remove-unnecessary-null-check.patch b/queue-5.4/wl3501_cs-remove-unnecessary-null-check.patch
new file mode 100644 (file)
index 0000000..40652f5
--- /dev/null
@@ -0,0 +1,41 @@
+From b36352bf9fdd7de7a64645153974a7cbd0efbd00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Sep 2020 18:45:58 +0100
+Subject: wl3501_cs: Remove unnecessary NULL check
+
+From: Alex Dewar <alex.dewar90@gmail.com>
+
+[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ]
+
+In wl3501_detach(), link->priv is checked for a NULL value before being
+passed to free_netdev(). However, it cannot be NULL at this point as it
+has already been passed to other functions, so just remove the check.
+
+Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL)
+Signed-off-by: Alex Dewar <alex.dewar90@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index b66c7d4798977..cf67ea13dd8dc 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1437,9 +1437,7 @@ static void wl3501_detach(struct pcmcia_device *link)
+       wl3501_release(link);
+       unregister_netdev(dev);
+-
+-      if (link->priv)
+-              free_netdev(link->priv);
++      free_netdev(dev);
+ }
+ static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info,
+-- 
+2.39.2
+
diff --git a/queue-5.4/wl3501_cs-use-eth_hw_addr_set.patch b/queue-5.4/wl3501_cs-use-eth_hw_addr_set.patch
new file mode 100644 (file)
index 0000000..84dace2
--- /dev/null
@@ -0,0 +1,40 @@
+From 3e39d5992157add9db25d94eac1b2b90e2a50a00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 16:50:20 -0700
+Subject: wl3501_cs: use eth_hw_addr_set()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ]
+
+Commit 406f42fa0d3c ("net-next: When a bond have a massive amount
+of VLANs...") introduced a rbtree for faster Ethernet address look
+up. To maintain netdev->dev_addr in this tree we need to make all
+the writes to it got through appropriate helpers.
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 115bb408d4f20..ae660f25a0e5a 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1945,8 +1945,7 @@ static int wl3501_config(struct pcmcia_device *link)
+               goto failed;
+       }
+-      for (i = 0; i < 6; i++)
+-              dev->dev_addr[i] = ((char *)&this->mac_addr)[i];
++      eth_hw_addr_set(dev, this->mac_addr);
+       /* print probe information */
+       printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, "
+-- 
+2.39.2
+
diff --git a/queue-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch b/queue-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch
new file mode 100644 (file)
index 0000000..da32d8d
--- /dev/null
@@ -0,0 +1,55 @@
+From 2998ac05b3d91d2d6eefb6428647f8668e5b752e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 14:04:48 +0800
+Subject: x86/resctrl: Only show tasks' pid in current pid namespace
+
+From: Shawn Wang <shawnwang@linux.alibaba.com>
+
+[ Upstream commit 2997d94b5dd0e8b10076f5e0b6f18410c73e28bd ]
+
+When writing a task id to the "tasks" file in an rdtgroup,
+rdtgroup_tasks_write() treats the pid as a number in the current pid
+namespace. But when reading the "tasks" file, rdtgroup_tasks_show() shows
+the list of global pids from the init namespace, which is confusing and
+incorrect.
+
+To be more robust, let the "tasks" file only show pids in the current pid
+namespace.
+
+Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files")
+Signed-off-by: Shawn Wang <shawnwang@linux.alibaba.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Reinette Chatre <reinette.chatre@intel.com>
+Acked-by: Fenghua Yu <fenghua.yu@intel.com>
+Tested-by: Reinette Chatre <reinette.chatre@intel.com>
+Link: https://lore.kernel.org/all/20230116071246.97717-1-shawnwang@linux.alibaba.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+index 9de55fd77937c..91016bb18d4f9 100644
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -715,11 +715,15 @@ static ssize_t rdtgroup_tasks_write(struct kernfs_open_file *of,
+ static void show_rdt_tasks(struct rdtgroup *r, struct seq_file *s)
+ {
+       struct task_struct *p, *t;
++      pid_t pid;
+       rcu_read_lock();
+       for_each_process_thread(p, t) {
+-              if (is_closid_match(t, r) || is_rmid_match(t, r))
+-                      seq_printf(s, "%d\n", t->pid);
++              if (is_closid_match(t, r) || is_rmid_match(t, r)) {
++                      pid = task_pid_vnr(t);
++                      if (pid)
++                              seq_printf(s, "%d\n", pid);
++              }
+       }
+       rcu_read_unlock();
+ }
+-- 
+2.39.2
+
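Review bot: The `if (pid)` test added to show_rdt_tasks() silently drops matching tasks and carries no comment saying why. task_pid_vnr() returns 0 when the task has no pid in the reading task's pid namespace, so this check is what keeps pids from other namespaces out of the "tasks" file. I would add `/* 0: task is not visible in the caller's pid namespace */` above it. `pid` is only used inside the loop body and could be declared there instead of at function scope.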
diff --git a/queue-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch b/queue-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch
new file mode 100644 (file)
index 0000000..f506418
--- /dev/null
@@ -0,0 +1,93 @@
+From 5d6ccb5d9f775e13243d8b7284ea6b7abb0a0e2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 16:39:25 +0000
+Subject: x86/resctrl: Use is_closid_match() in more places
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit e6b2fac36fcc0b73cbef063d700a9841850e37a0 ]
+
+rdtgroup_tasks_assigned() and show_rdt_tasks() loop over threads testing
+for a CTRL/MON group match by closid/rmid with the provided rdtgrp.
+Further down the file are helpers to do this, move these further up and
+make use of them here.
+
+These helpers additionally check for alloc/mon capable. This is harmless
+as rdtgroup_mkdir() tests these capable flags before allowing the config
+directories to be created.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Link: https://lkml.kernel.org/r/20200708163929.2783-7-james.morse@arm.com
+Stable-dep-of: 2997d94b5dd0 ("x86/resctrl: Only show tasks' pid in current pid namespace")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 30 ++++++++++++--------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+index 0e4f14dae1c05..9de55fd77937c 100644
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -593,6 +593,18 @@ static int __rdtgroup_move_task(struct task_struct *tsk,
+       return 0;
+ }
++static bool is_closid_match(struct task_struct *t, struct rdtgroup *r)
++{
++      return (rdt_alloc_capable &&
++             (r->type == RDTCTRL_GROUP) && (t->closid == r->closid));
++}
++
++static bool is_rmid_match(struct task_struct *t, struct rdtgroup *r)
++{
++      return (rdt_mon_capable &&
++             (r->type == RDTMON_GROUP) && (t->rmid == r->mon.rmid));
++}
++
+ /**
+  * rdtgroup_tasks_assigned - Test if tasks have been assigned to resource group
+  * @r: Resource group
+@@ -608,8 +620,7 @@ int rdtgroup_tasks_assigned(struct rdtgroup *r)
+       rcu_read_lock();
+       for_each_process_thread(p, t) {
+-              if ((r->type == RDTCTRL_GROUP && t->closid == r->closid) ||
+-                  (r->type == RDTMON_GROUP && t->rmid == r->mon.rmid)) {
++              if (is_closid_match(t, r) || is_rmid_match(t, r)) {
+                       ret = 1;
+                       break;
+               }
+@@ -707,8 +718,7 @@ static void show_rdt_tasks(struct rdtgroup *r, struct seq_file *s)
+       rcu_read_lock();
+       for_each_process_thread(p, t) {
+-              if ((r->type == RDTCTRL_GROUP && t->closid == r->closid) ||
+-                  (r->type == RDTMON_GROUP && t->rmid == r->mon.rmid))
++              if (is_closid_match(t, r) || is_rmid_match(t, r))
+                       seq_printf(s, "%d\n", t->pid);
+       }
+       rcu_read_unlock();
+@@ -2148,18 +2158,6 @@ static int reset_all_ctrls(struct rdt_resource *r)
+       return 0;
+ }
+-static bool is_closid_match(struct task_struct *t, struct rdtgroup *r)
+-{
+-      return (rdt_alloc_capable &&
+-              (r->type == RDTCTRL_GROUP) && (t->closid == r->closid));
+-}
+-
+-static bool is_rmid_match(struct task_struct *t, struct rdtgroup *r)
+-{
+-      return (rdt_mon_capable &&
+-              (r->type == RDTMON_GROUP) && (t->rmid == r->mon.rmid));
+-}
+-
+ /*
+  * Move tasks from one to the other group. If @from is NULL, then all tasks
+  * in the systems are moved unconditionally (used for teardown).
+-- 
+2.39.2
+