--- /dev/null
+From 4192027b74f86835b6f47169e96616a28d1e0215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 20:19:46 +0100
+Subject: arm64: dts: imx8mm: Fix NAND controller size-cells
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 1610233bc2c2cae2dff9e101e6ea5ef69cceb0e9 ]
+
+The NAND controller size-cells should be 0 per DT bindings.
+Fix the following warning produces by DT bindings check:
+"
+nand-controller@33002000: #size-cells:0:0: 0 was expected
+nand-controller@33002000: Unevaluated properties are not allowed ('#address-cells', '#size-cells' were unexpected)
+"
+Fix the missing space in node name too.
+
+Fixes: a05ea40eb384e ("arm64: dts: imx: Add i.mx8mm dtsi support")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm.dtsi b/arch/arm64/boot/dts/freescale/imx8mm.dtsi
+index 7b178a77cc71..304399686c5a 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm.dtsi
+@@ -838,10 +838,10 @@ dma_apbh: dma-controller@33000000 {
+ clocks = <&clk IMX8MM_CLK_NAND_USDHC_BUS_RAWNAND_CLK>;
+ };
+
+- gpmi: nand-controller@33002000{
++ gpmi: nand-controller@33002000 {
+ compatible = "fsl,imx8mm-gpmi-nand", "fsl,imx7d-gpmi-nand";
+ #address-cells = <1>;
+- #size-cells = <1>;
++ #size-cells = <0>;
+ reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
+ reg-names = "gpmi-nand", "bch";
+ interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.35.1
+
--- /dev/null
+From 8331ebe98e1fc64424376ffcf24dac71b758d36e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 20:19:47 +0100
+Subject: arm64: dts: imx8mn: Fix NAND controller size-cells
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 5468e93b5b1083eaa729f98e59da18c85d9c4126 ]
+
+The NAND controller size-cells should be 0 per DT bindings.
+Fix the following warning produces by DT bindings check:
+"
+nand-controller@33002000: #size-cells:0:0: 0 was expected
+nand-controller@33002000: Unevaluated properties are not allowed ('#address-cells', '#size-cells' were unexpected)
+"
+
+Fixes: 6c3debcbae47a ("arm64: dts: freescale: Add i.MX8MN dtsi support")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn.dtsi b/arch/arm64/boot/dts/freescale/imx8mn.dtsi
+index 546511b373d4..31c017736a05 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn.dtsi
+@@ -695,7 +695,7 @@ dma_apbh: dma-controller@33000000 {
+ gpmi: nand-controller@33002000 {
+ compatible = "fsl,imx8mn-gpmi-nand", "fsl,imx7d-gpmi-nand";
+ #address-cells = <1>;
+- #size-cells = <1>;
++ #size-cells = <0>;
+ reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
+ reg-names = "gpmi-nand", "bch";
+ interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.35.1
+
--- /dev/null
+From b463e2fb98c2dabd721c7345b2b2004d7d56c61b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 11:16:03 +0800
+Subject: ASoC: core: Fix use-after-free in snd_soc_exit()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 6ec27c53886c8963729885bcf2dd996eba2767a7 ]
+
+KASAN reports a use-after-free:
+
+BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
+Read of size 8 at addr ffff888008655050 by task rmmod/387
+CPU: 2 PID: 387 Comm: rmmod
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+Call Trace:
+<TASK>
+dump_stack_lvl+0x79/0x9a
+print_report+0x17f/0x47b
+kasan_report+0xbb/0xf0
+device_del+0xb5b/0xc60
+platform_device_del.part.0+0x24/0x200
+platform_device_unregister+0x2e/0x40
+snd_soc_exit+0xa/0x22 [snd_soc_core]
+__do_sys_delete_module.constprop.0+0x34f/0x5b0
+do_syscall_64+0x3a/0x90
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+...
+</TASK>
+
+It's bacause in snd_soc_init(), snd_soc_util_init() is possble to fail,
+but its ret is ignored, which makes soc_dummy_dev unregistered twice.
+
+snd_soc_init()
+ snd_soc_util_init()
+ platform_device_register_simple(soc_dummy_dev)
+ platform_driver_register() # fail
+ platform_device_unregister(soc_dummy_dev)
+ platform_driver_register() # success
+...
+snd_soc_exit()
+ snd_soc_util_exit()
+ # soc_dummy_dev will be unregistered for second time
+
+To fix it, handle error and stop snd_soc_init() when util_init() fail.
+Also clean debugfs when util_init() or driver_register() fail.
+
+Fixes: fb257897bf20 ("ASoC: Work around allmodconfig failure")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221028031603.59416-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 093ab32ea2c3..2115fd412c78 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -3512,10 +3512,23 @@ EXPORT_SYMBOL_GPL(snd_soc_of_get_dai_link_codecs);
+
+ static int __init snd_soc_init(void)
+ {
++ int ret;
++
+ snd_soc_debugfs_init();
+- snd_soc_util_init();
++ ret = snd_soc_util_init();
++ if (ret)
++ goto err_util_init;
+
+- return platform_driver_register(&soc_driver);
++ ret = platform_driver_register(&soc_driver);
++ if (ret)
++ goto err_register;
++ return 0;
++
++err_register:
++ snd_soc_util_exit();
++err_util_init:
++ snd_soc_debugfs_exit();
++ return ret;
+ }
+ module_init(snd_soc_init);
+
+--
+2.35.1
+
--- /dev/null
+From 31aa785d65157704d39005862b950e0257963edb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 21:40:31 +0800
+Subject: ASoC: soc-utils: Remove __exit for snd_soc_util_exit()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 314d34fe7f0a5836cb0472950c1f17744b4efde8 ]
+
+snd_soc_util_exit() is called in __init snd_soc_init() for cleanup.
+Remove the __exit annotation for it to fix the build warning:
+
+WARNING: modpost: sound/soc/snd-soc-core.o: section mismatch in reference: init_module (section: .init.text) -> snd_soc_util_exit (section: .exit.text)
+
+Fixes: 6ec27c53886c ("ASoC: core: Fix use-after-free in snd_soc_exit()")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221031134031.256511-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
+index 54dcece52b0c..abcc5d97b134 100644
+--- a/sound/soc/soc-utils.c
++++ b/sound/soc/soc-utils.c
+@@ -174,7 +174,7 @@ int __init snd_soc_util_init(void)
+ return ret;
+ }
+
+-void __exit snd_soc_util_exit(void)
++void snd_soc_util_exit(void)
+ {
+ platform_driver_unregister(&soc_dummy_driver);
+ platform_device_unregister(soc_dummy_dev);
+--
+2.35.1
+
--- /dev/null
+From 768465f60b59b9b745328cbd4f8bc2859440a748 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:40:01 +0800
+Subject: ata: libata-transport: fix double ata_host_put() in ata_tport_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8c76310740807ade5ecdab5888f70ecb6d35732e ]
+
+In the error path in ata_tport_add(), when calling put_device(),
+ata_tport_release() is called, it will put the refcount of 'ap->host'.
+
+And then ata_host_put() is called again, the refcount is decreased
+to 0, ata_host_release() is called, all ports are freed and set to
+null.
+
+When unbinding the device after failure, ata_host_stop() is called
+to release the resources, it leads a null-ptr-deref(), because all
+the ports all freed and null.
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+CPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G E 6.1.0-rc3+ #8
+pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : ata_host_stop+0x3c/0x84 [libata]
+lr : release_nodes+0x64/0xd0
+Call trace:
+ ata_host_stop+0x3c/0x84 [libata]
+ release_nodes+0x64/0xd0
+ devres_release_all+0xbc/0x1b0
+ device_unbind_cleanup+0x20/0x70
+ really_probe+0x158/0x320
+ __driver_probe_device+0x84/0x120
+ driver_probe_device+0x44/0x120
+ __driver_attach+0xb4/0x220
+ bus_for_each_dev+0x78/0xdc
+ driver_attach+0x2c/0x40
+ bus_add_driver+0x184/0x240
+ driver_register+0x80/0x13c
+ __pci_register_driver+0x4c/0x60
+ ahci_pci_driver_init+0x30/0x1000 [ahci]
+
+Fix this by removing redundant ata_host_put() in the error path.
+
+Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-transport.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
+index c4f36312b8a4..1069cda6ff36 100644
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -317,7 +317,6 @@ int ata_tport_add(struct device *parent,
+ tport_err:
+ transport_destroy_device(dev);
+ put_device(dev);
+- ata_host_put(ap->host);
+ return error;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 0eade2219dc77fe02d67bd323ce4f7dde59a45cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 23:39:44 +0300
+Subject: block: sed-opal: kmalloc the cmd/resp buffers
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit f829230dd51974c1f4478900ed30bb77ba530b40 ]
+
+In accordance with [1] the DMA-able memory buffers must be
+cacheline-aligned otherwise the cache writing-back and invalidation
+performed during the mapping may cause the adjacent data being lost. It's
+specifically required for the DMA-noncoherent platforms [2]. Seeing the
+opal_dev.{cmd,resp} buffers are implicitly used for DMAs in the NVME and
+SCSI/SD drivers in framework of the nvme_sec_submit() and sd_sec_submit()
+methods respectively they must be cacheline-aligned to prevent the denoted
+problem. One of the option to guarantee that is to kmalloc the buffers
+[2]. Let's explicitly allocate them then instead of embedding into the
+opal_dev structure instance.
+
+Note this fix was inspired by the commit c94b7f9bab22 ("nvme-hwmon:
+kmalloc the NVME SMART log buffer").
+
+[1] Documentation/core-api/dma-api.rst
+[2] Documentation/core-api/dma-api-howto.rst
+
+Fixes: 455a7b238cd6 ("block: Add Sed-opal library")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20221107203944.31686-1-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/sed-opal.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/block/sed-opal.c b/block/sed-opal.c
+index b4c761973ac1..401d33ae0158 100644
+--- a/block/sed-opal.c
++++ b/block/sed-opal.c
+@@ -88,8 +88,8 @@ struct opal_dev {
+ u64 lowest_lba;
+
+ size_t pos;
+- u8 cmd[IO_BUFFER_LENGTH];
+- u8 resp[IO_BUFFER_LENGTH];
++ u8 *cmd;
++ u8 *resp;
+
+ struct parsed_resp parsed;
+ size_t prev_d_len;
+@@ -2019,6 +2019,8 @@ void free_opal_dev(struct opal_dev *dev)
+ return;
+
+ clean_opal_dev(dev);
++ kfree(dev->resp);
++ kfree(dev->cmd);
+ kfree(dev);
+ }
+ EXPORT_SYMBOL(free_opal_dev);
+@@ -2031,17 +2033,39 @@ struct opal_dev *init_opal_dev(void *data, sec_send_recv *send_recv)
+ if (!dev)
+ return NULL;
+
++ /*
++ * Presumably DMA-able buffers must be cache-aligned. Kmalloc makes
++ * sure the allocated buffer is DMA-safe in that regard.
++ */
++ dev->cmd = kmalloc(IO_BUFFER_LENGTH, GFP_KERNEL);
++ if (!dev->cmd)
++ goto err_free_dev;
++
++ dev->resp = kmalloc(IO_BUFFER_LENGTH, GFP_KERNEL);
++ if (!dev->resp)
++ goto err_free_cmd;
++
+ INIT_LIST_HEAD(&dev->unlk_lst);
+ mutex_init(&dev->dev_lock);
+ dev->data = data;
+ dev->send_recv = send_recv;
+ if (check_opal_support(dev) != 0) {
+ pr_debug("Opal is not supported on this device\n");
+- kfree(dev);
+- return NULL;
++ goto err_free_resp;
+ }
+
+ return dev;
++
++err_free_resp:
++ kfree(dev->resp);
++
++err_free_cmd:
++ kfree(dev->cmd);
++
++err_free_dev:
++ kfree(dev);
++
++ return NULL;
+ }
+ EXPORT_SYMBOL(init_opal_dev);
+
+--
+2.35.1
+
--- /dev/null
+From adf64e4853bd9710130ea76c2d83f4e867ada110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 15:04:33 +0800
+Subject: bnxt_en: Remove debugfs when pci_register_driver failed
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 991aef4ee4f6eb999924f429b943441a32835c8f ]
+
+When pci_register_driver failed, we need to remove debugfs,
+which will caused a resource leak, fix it.
+
+Resource leak logs as follows:
+[ 52.184456] debugfs: Directory 'bnxt_en' with parent '/' already present!
+
+Fixes: cabfb09d87bd ("bnxt_en: add debugfs support for DIM")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index d7d7d6421c48..3636849f6365 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -12232,8 +12232,16 @@ static struct pci_driver bnxt_pci_driver = {
+
+ static int __init bnxt_init(void)
+ {
++ int err;
++
+ bnxt_debug_init();
+- return pci_register_driver(&bnxt_pci_driver);
++ err = pci_register_driver(&bnxt_pci_driver);
++ if (err) {
++ bnxt_debug_exit();
++ return err;
++ }
++
++ return 0;
+ }
+
+ static void __exit bnxt_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 2ff1096c30a31dfe1a9a4c3974cf1dc91075ce3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 17:10:27 +0300
+Subject: cifs: add check for returning value of SMB2_set_info_init
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+[ Upstream commit a51e5d293dd1c2e7bf6f7be788466cd9b5d280fb ]
+
+If the returning value of SMB2_set_info_init is an error-value,
+exit the function.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0967e5457954 ("cifs: use a compound for setting an xattr")
+
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 6039b0cdfe04..d67676545a42 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1216,6 +1216,8 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+ COMPOUND_FID, current->tgid,
+ FILE_FULL_EA_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto sea_exit;
+ smb2_set_next_command(tcon, &rqst[1]);
+ smb2_set_related(&rqst[1]);
+
+--
+2.35.1
+
--- /dev/null
+From 986c3d772ac3850a9e92d0e6bff58306f7b65e51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 18:39:34 +0800
+Subject: cifs: Fix wrong return value checking when GETFLAGS
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 92bbd67a55fee50743b42825d1c016e7fd5c79f9 ]
+
+The return value of CIFSGetExtAttr is negative, should be checked
+with -EOPNOTSUPP rather than EOPNOTSUPP.
+
+Fixes: 64a5cfa6db94 ("Allow setting per-file compression via SMB2/3")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/ioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c
+index 1a01e108d75e..9266dddd4b1e 100644
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -191,7 +191,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ rc = put_user(ExtAttrBits &
+ FS_FL_USER_VISIBLE,
+ (int __user *)arg);
+- if (rc != EOPNOTSUPP)
++ if (rc != -EOPNOTSUPP)
+ break;
+ }
+ #endif /* CONFIG_CIFS_POSIX */
+@@ -220,7 +220,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ * pSMBFile->fid.netfid,
+ * extAttrBits,
+ * &ExtAttrMask);
+- * if (rc != EOPNOTSUPP)
++ * if (rc != -EOPNOTSUPP)
+ * break;
+ */
+
+--
+2.35.1
+
--- /dev/null
+From 32d1a0568d7202b7c72a449a157b477df02cf4cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 16:16:43 +0300
+Subject: drbd: use after free in drbd_create_device()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit a7a1598189228b5007369a9622ccdf587be0730f ]
+
+The drbd_destroy_connection() frees the "connection" so use the _safe()
+iterator to prevent a use after free.
+
+Fixes: b6f85ef9538b ("drbd: Iterate over all connections")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Link: https://lore.kernel.org/r/Y3Jd5iZRbNQ9w6gm@kili
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
+index 5ece2fd70d9c..f3a96c76f5a4 100644
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -2778,7 +2778,7 @@ static int init_submitter(struct drbd_device *device)
+ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsigned int minor)
+ {
+ struct drbd_resource *resource = adm_ctx->resource;
+- struct drbd_connection *connection;
++ struct drbd_connection *connection, *n;
+ struct drbd_device *device;
+ struct drbd_peer_device *peer_device, *tmp_peer_device;
+ struct gendisk *disk;
+@@ -2906,7 +2906,7 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
+ out_idr_remove_vol:
+ idr_remove(&connection->peer_devices, vnr);
+ out_idr_remove_from_resource:
+- for_each_connection(connection, resource) {
++ for_each_connection_safe(connection, n, resource) {
+ peer_device = idr_remove(&connection->peer_devices, vnr);
+ if (peer_device)
+ kref_put(&connection->kref, drbd_destroy_connection);
+--
+2.35.1
+
--- /dev/null
+From 15e9d49440e4b59c58ea4ef1719e84cb70a80ade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 19:38:23 +0800
+Subject: mISDN: fix misuse of put_device() in mISDN_register_device()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 2d25107e111a85c56f601a5470f1780ec054e6ac ]
+
+We should not release reference by put_device() before calling device_initialize().
+
+Fixes: e7d1d4d9ac0d ("mISDN: fix possible memory leak in mISDN_register_device()")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c
+index 7ea0100f218a..90ee56d07a6e 100644
+--- a/drivers/isdn/mISDN/core.c
++++ b/drivers/isdn/mISDN/core.c
+@@ -222,7 +222,7 @@ mISDN_register_device(struct mISDNdevice *dev,
+
+ err = get_free_devid();
+ if (err < 0)
+- goto error1;
++ return err;
+ dev->id = err;
+
+ device_initialize(&dev->dev);
+--
+2.35.1
+
--- /dev/null
+From 17303439747a06b973390fb0113382ed6dcf53aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 21:28:32 +0800
+Subject: mISDN: fix possible memory leak in mISDN_dsp_element_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 98a2ac1ca8fd6eca6867726fe238d06e75eb1acd ]
+
+Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
+bus_id string array"), the name of device is allocated dynamically,
+use put_device() to give up the reference, so that the name can be
+freed in kobject_cleanup() when the refcount is 0.
+
+The 'entry' is going to be freed in mISDN_dsp_dev_release(), so the
+kfree() is removed. list_del() is called in mISDN_dsp_dev_release(),
+so it need be initialized.
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221109132832.3270119-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_pipeline.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c
+index 40588692cec7..cd9bc11e8dfb 100644
+--- a/drivers/isdn/mISDN/dsp_pipeline.c
++++ b/drivers/isdn/mISDN/dsp_pipeline.c
+@@ -80,6 +80,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ if (!entry)
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&entry->list);
+ entry->elem = elem;
+
+ entry->dev.class = elements_class;
+@@ -114,7 +115,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ device_unregister(&entry->dev);
+ return ret;
+ err1:
+- kfree(entry);
++ put_device(&entry->dev);
+ return ret;
+ }
+ EXPORT_SYMBOL(mISDN_dsp_element_register);
+--
+2.35.1
+
--- /dev/null
+From bff781f959670c0679c73f9d74ba48d629562b2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 15:01:36 +0000
+Subject: net: bgmac: Drop free_netdev() from bgmac_enet_remove()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 6f928ab8ee9bfbcb0e631c47ea8a16c3d5116ff1 ]
+
+netdev is allocated in bgmac_alloc() with devm_alloc_etherdev() and will
+be auto released in ->remove and ->probe failure path. Using free_netdev()
+in bgmac_enet_remove() leads to double free.
+
+Fixes: 34a5102c3235 ("net: bgmac: allocate struct bgmac just once & don't copy it")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+
+Link: https://lore.kernel.org/r/20221109150136.2991171-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
+index 979af8e878e3..193722334d93 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -1564,7 +1564,6 @@ void bgmac_enet_remove(struct bgmac *bgmac)
+ phy_disconnect(bgmac->net_dev->phydev);
+ netif_napi_del(&bgmac->napi);
+ bgmac_dma_free(bgmac);
+- free_netdev(bgmac->net_dev);
+ }
+ EXPORT_SYMBOL_GPL(bgmac_enet_remove);
+
+--
+2.35.1
+
--- /dev/null
+From 5675a8e8c898439c312c44904b07df524f91ea0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 09:47:34 +0800
+Subject: net: caif: fix double disconnect client in chnl_net_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 8fbb53c8bfd8c56ecf1f78dc821778b58f505503 ]
+
+When connecting to client timeout, disconnect client for twice in
+chnl_net_open(). Remove one. Compile tested only.
+
+Fixes: 2aa40aef9deb ("caif: Use link layer MTU instead of fixed MTU")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/chnl_net.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
+index 910f164dd20c..4dfac31f9466 100644
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -314,9 +314,6 @@ static int chnl_net_open(struct net_device *dev)
+
+ if (result == 0) {
+ pr_debug("connect timeout\n");
+- caif_disconnect_client(dev_net(dev), &priv->chnl);
+- priv->state = CAIF_DISCONNECTED;
+- pr_debug("state disconnected\n");
+ result = -ETIMEDOUT;
+ goto error;
+ }
+--
+2.35.1
+
--- /dev/null
+From 0d7105633ef753420d366d82069909f905e6110a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 18:30:37 +0800
+Subject: net: liquidio: release resources when liquidio driver open failed
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 8979f428a4afc215e390006e5ea19fd4e22c7ca9 ]
+
+When liquidio driver open failed, it doesn't release resources. Compile
+tested only.
+
+Fixes: 5b07aee11227 ("liquidio: MSIX support for CN23XX")
+Fixes: dbc97bfd3918 ("net: liquidio: Add missing null pointer checks")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/liquidio/lio_main.c | 34 ++++++++++++++-----
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
+index d0c77ff9dbb1..69878589213a 100644
+--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
+@@ -1836,13 +1836,10 @@ static int liquidio_open(struct net_device *netdev)
+
+ ifstate_set(lio, LIO_IFSTATE_RUNNING);
+
+- if (OCTEON_CN23XX_PF(oct)) {
+- if (!oct->msix_on)
+- if (setup_tx_poll_fn(netdev))
+- return -1;
+- } else {
+- if (setup_tx_poll_fn(netdev))
+- return -1;
++ if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on)) {
++ ret = setup_tx_poll_fn(netdev);
++ if (ret)
++ goto err_poll;
+ }
+
+ netif_tx_start_all_queues(netdev);
+@@ -1855,7 +1852,7 @@ static int liquidio_open(struct net_device *netdev)
+ /* tell Octeon to start forwarding packets to host */
+ ret = send_rx_ctrl_cmd(lio, 1);
+ if (ret)
+- return ret;
++ goto err_rx_ctrl;
+
+ /* start periodical statistics fetch */
+ INIT_DELAYED_WORK(&lio->stats_wk.work, lio_fetch_stats);
+@@ -1866,6 +1863,27 @@ static int liquidio_open(struct net_device *netdev)
+ dev_info(&oct->pci_dev->dev, "%s interface is opened\n",
+ netdev->name);
+
++ return 0;
++
++err_rx_ctrl:
++ if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on))
++ cleanup_tx_poll_fn(netdev);
++err_poll:
++ if (lio->ptp_clock) {
++ ptp_clock_unregister(lio->ptp_clock);
++ lio->ptp_clock = NULL;
++ }
++
++ if (oct->props[lio->ifidx].napi_enabled == 1) {
++ list_for_each_entry_safe(napi, n, &netdev->napi_list, dev_list)
++ napi_disable(napi);
++
++ oct->props[lio->ifidx].napi_enabled = 0;
++
++ if (OCTEON_CN23XX_PF(oct))
++ oct->droq[0]->ops.poll_mode = 0;
++ }
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 90e6ffe96408482272b7a062371a1687baccdaba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 09:41:30 +0800
+Subject: net: macvlan: Use built-in RCU list checking
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+[ Upstream commit 5df1341ea822292275c56744aab9c536d75c33be ]
+
+hlist_for_each_entry_rcu() has built-in RCU and lock checking.
+
+Pass cond argument to hlist_for_each_entry_rcu() to silence false
+lockdep warning when CONFIG_PROVE_RCU_LIST is enabled.
+
+Execute as follow:
+
+ ip link add link eth0 type macvlan mode source macaddr add <MAC-ADDR>
+
+The rtnl_lock is held when macvlan_hash_lookup_source() or
+macvlan_fill_info_macaddr() are called in the non-RCU read side section.
+So, pass lockdep_rtnl_is_held() to silence false lockdep warning.
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 253c0605f6e6..29c70d5e3926 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -138,7 +138,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+ u32 idx = macvlan_eth_hash(addr);
+ struct hlist_head *h = &vlan->port->vlan_source_hash[idx];
+
+- hlist_for_each_entry_rcu(entry, h, hlist) {
++ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+ entry->vlan == vlan)
+ return entry;
+@@ -1604,7 +1604,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct hlist_head *h = &vlan->port->vlan_source_hash[i];
+ struct macvlan_source_entry *entry;
+
+- hlist_for_each_entry_rcu(entry, h, hlist) {
++ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (entry->vlan != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+--
+2.35.1
+
--- /dev/null
+From f4f5db85383616afb8a2933556129ca09605179d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 14:22:25 +0000
+Subject: net: thunderbolt: Fix error handling in tbnet_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit f524b7289bbb0c8ffaa2ba3c34c146e43da54fb2 ]
+
+A problem about insmod thunderbolt-net failed is triggered with following
+log given while lsmod does not show thunderbolt_net:
+
+ insmod: ERROR: could not insert module thunderbolt-net.ko: File exists
+
+The reason is that tbnet_init() returns tb_register_service_driver()
+directly without checking its return value, if tb_register_service_driver()
+failed, it returns without removing property directory, resulting the
+property directory can never be created later.
+
+ tbnet_init()
+ tb_register_property_dir() # register property directory
+ tb_register_service_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without remove property directory
+
+Fix by remove property directory when tb_register_service_driver() returns
+error.
+
+Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/thunderbolt.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
+index dacb4f680fd4..ce7f0f604a5e 100644
+--- a/drivers/net/thunderbolt.c
++++ b/drivers/net/thunderbolt.c
+@@ -1339,12 +1339,21 @@ static int __init tbnet_init(void)
+ TBNET_MATCH_FRAGS_ID);
+
+ ret = tb_register_property_dir("network", tbnet_dir);
+- if (ret) {
+- tb_property_free_dir(tbnet_dir);
+- return ret;
+- }
++ if (ret)
++ goto err_free_dir;
++
++ ret = tb_register_service_driver(&tbnet_driver);
++ if (ret)
++ goto err_unregister;
+
+- return tb_register_service_driver(&tbnet_driver);
++ return 0;
++
++err_unregister:
++ tb_unregister_property_dir("network", tbnet_dir);
++err_free_dir:
++ tb_property_free_dir(tbnet_dir);
++
++ return ret;
+ }
+ module_init(tbnet_init);
+
+--
+2.35.1
+
--- /dev/null
+From 599a56e749ee8a362e27d708f9d70d4c44b5e325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:05:19 +0000
+Subject: net/x25: Fix skb leak in x25_lapb_receive_frame()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 2929cceb2fcf0ded7182562e4888afafece82cce ]
+
+x25_lapb_receive_frame() using skb_copy() to get a private copy of
+skb, the new skb should be freed in the undersized/fragmented skb
+error handling path. Otherwise there is a memory leak.
+
+Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Link: https://lore.kernel.org/r/20221114110519.514538-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/x25/x25_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
+index 25bf72ee6cad..226397add422 100644
+--- a/net/x25/x25_dev.c
++++ b/net/x25/x25_dev.c
+@@ -117,7 +117,7 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
+
+ if (!pskb_may_pull(skb, 1)) {
+ x25_neigh_put(nb);
+- return 0;
++ goto drop;
+ }
+
+ switch (skb->data[0]) {
+--
+2.35.1
+
--- /dev/null
+From 43394f6cb237bb3bc4de718960d41bb68ac6454a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 19:52:08 +0100
+Subject: parport_pc: Avoid FIFO port location truncation
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit ab126f51c93a15093df604f661c9480854c005a3 ]
+
+Match the data type of a temporary holding a reference to the FIFO port
+with the type of the original reference coming from `struct parport',
+avoiding data truncation with LP64 ports such as SPARC64 that refer to
+PCI port I/O locations via their corresponding MMIO addresses and will
+therefore have non-zero bits in the high 32-bit part of the reference.
+And in any case it is cleaner to have the data types matching here.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/linux-pci/20220419033752.GA1101844@bhelgaas/
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209231912550.29493@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/parport_pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index 1f17a39eabe8..3bc0027b7844 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -475,7 +475,7 @@ static size_t parport_pc_fifo_write_block_pio(struct parport *port,
+ const unsigned char *bufp = buf;
+ size_t left = length;
+ unsigned long expire = jiffies + port->physport->cad->timeout;
+- const int fifo = FIFO(port);
++ const unsigned long fifo = FIFO(port);
+ int poll_for = 8; /* 80 usecs */
+ const struct parport_pc_private *priv = port->physport->private_data;
+ const int fifo_depth = priv->fifo_depth;
+--
+2.35.1
+
--- /dev/null
+From 49226e7b2e1fe600822ba0aa9389ec0746e14cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:20:56 +0800
+Subject: pinctrl: devicetree: fix null pointer dereferencing in
+ pinctrl_dt_to_map
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit 91d5c5060ee24fe8da88cd585bb43b843d2f0dce ]
+
+Here is the BUG report by KASAN about null pointer dereference:
+
+BUG: KASAN: null-ptr-deref in strcmp+0x2e/0x50
+Read of size 1 at addr 0000000000000000 by task python3/2640
+Call Trace:
+ strcmp
+ __of_find_property
+ of_find_property
+ pinctrl_dt_to_map
+
+kasprintf() would return NULL pointer when kmalloc() fail to allocate.
+So directly return ENOMEM, if kasprintf() return NULL pointer.
+
+Fixes: 57291ce295c0 ("pinctrl: core device tree mapping table parsing support")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20221110082056.2014898-1-zengheng4@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/devicetree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c
+index dbaacde1b36a..362d84c2ead4 100644
+--- a/drivers/pinctrl/devicetree.c
++++ b/drivers/pinctrl/devicetree.c
+@@ -223,6 +223,8 @@ int pinctrl_dt_to_map(struct pinctrl *p, struct pinctrl_dev *pctldev)
+ for (state = 0; ; state++) {
+ /* Retrieve the pinctrl-* property */
+ propname = kasprintf(GFP_KERNEL, "pinctrl-%d", state);
++ if (!propname)
++ return -ENOMEM;
+ prop = of_find_property(np, propname, &size);
+ kfree(propname);
+ if (!prop) {
+--
+2.35.1
+
--- /dev/null
+From 1014bf91eeaef1edeb01b44baf554ebfaf676d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 17:31:44 +0100
+Subject: platform/x86/intel: pmc: Don't unconditionally attach Intel PMC when
+ virtualized
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monné <roger.pau@citrix.com>
+
+[ Upstream commit 2dbfb3f33350e1e868d3d7ed4c176d8777150878 ]
+
+The current logic in the Intel PMC driver will forcefully attach it
+when detecting any CPU on the intel_pmc_core_platform_ids array,
+even if the matching ACPI device is not present.
+
+There's no checking in pmc_core_probe() to assert that the PMC device
+is present, and hence on virtualized environments the PMC device
+probes successfully, even if the underlying registers are not present.
+Before commit 21ae43570940 ("platform/x86: intel_pmc_core: Substitute PCI
+with CPUID enumeration") the driver would check for the presence of a
+specific PCI device, and that prevented the driver from attaching when
+running virtualized.
+
+Fix by only forcefully attaching the PMC device when not running
+virtualized. Note that virtualized platforms can still get the device
+to load if the appropriate ACPI device is present on the tables
+provided to the VM.
+
+Make an exception for the Xen initial domain, which does have full
+hardware access, and hence can attach to the PMC if present.
+
+Fixes: 21ae43570940 ("platform/x86: intel_pmc_core: Substitute PCI with CPUID enumeration")
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Acked-by: David E. Box <david.e.box@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20221110163145.80374-1-roger.pau@citrix.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_pmc_core_pltdrv.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/intel_pmc_core_pltdrv.c b/drivers/platform/x86/intel_pmc_core_pltdrv.c
+index e1266f5c6359..42ed02ab8a61 100644
+--- a/drivers/platform/x86/intel_pmc_core_pltdrv.c
++++ b/drivers/platform/x86/intel_pmc_core_pltdrv.c
+@@ -18,6 +18,8 @@
+ #include <asm/cpu_device_id.h>
+ #include <asm/intel-family.h>
+
++#include <xen/xen.h>
++
+ static void intel_pmc_core_release(struct device *dev)
+ {
+ /* Nothing to do. */
+@@ -56,6 +58,13 @@ static int __init pmc_core_platform_init(void)
+ if (acpi_dev_present("INT33A1", NULL, -1))
+ return -ENODEV;
+
++ /*
++ * Skip forcefully attaching the device for VMs. Make an exception for
++ * Xen dom0, which does have full hardware access.
++ */
++ if (cpu_feature_enabled(X86_FEATURE_HYPERVISOR) && !xen_initial_domain())
++ return -ENODEV;
++
+ if (!x86_match_cpu(intel_pmc_core_platform_ids))
+ return -ENODEV;
+
+--
+2.35.1
+
--- /dev/null
+From 0ae626c28f634799c4ee50a8f3288a2343455d79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 13:58:13 +0300
+Subject: serial: 8250: omap: Fix unpaired pm_runtime_put_sync() in
+ omap8250_remove()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit e3f0c638f428fd66b5871154b62706772045f91a ]
+
+On remove, we get an error for "Runtime PM usage count underflow!". I guess
+this driver is mostly built-in, and this issue has gone unnoticed for a
+while. Somehow I did not catch this issue with my earlier fix done with
+commit 4e0f5cc65098 ("serial: 8250_omap: Fix probe and remove for PM
+runtime").
+
+Fixes: 4e0f5cc65098 ("serial: 8250_omap: Fix probe and remove for PM runtime")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Depends-on: dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+Link: https://lore.kernel.org/r/20221028105813.54290-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 090acaced3b1..6e46524e0e73 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1273,6 +1273,11 @@ static int omap8250_probe(struct platform_device *pdev)
+ static int omap8250_remove(struct platform_device *pdev)
+ {
+ struct omap8250_priv *priv = platform_get_drvdata(pdev);
++ int err;
++
++ err = pm_runtime_resume_and_get(&pdev->dev);
++ if (err)
++ return err;
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
+--
+2.35.1
+
--- /dev/null
+From 4e7bc5a4f5dcaf64ab8fa033219c2b25cf60c02f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 14:00:44 +0300
+Subject: serial: 8250: omap: Flush PM QOS work on remove
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit d0b68629bd2fb61e0171a62f2e8da3db322f5cf6 ]
+
+Rebinding 8250_omap in a loop will at some point produce a warning for
+kernel/power/qos.c:296 cpu_latency_qos_update_request() with error
+"cpu_latency_qos_update_request called for unknown object". Let's flush
+the possibly pending PM QOS work scheduled from omap8250_runtime_suspend()
+before we disable runtime PM.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20221028110044.54719-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 6e46524e0e73..3d6a159c87f4 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1281,6 +1281,7 @@ static int omap8250_remove(struct platform_device *pdev)
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
++ flush_work(&priv->qos_work);
+ pm_runtime_disable(&pdev->dev);
+ serial8250_unregister_port(priv->line);
+ pm_qos_remove_request(&priv->pm_qos_request);
+--
+2.35.1
+
--- /dev/null
+From e0c093d254cfc0ea47f65edd3f9651f470ce6378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 13:23:39 +0200
+Subject: serial: 8250_omap: remove wait loop from Errata i202 workaround
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit e828e56684d61b17317e0cfdef83791fa61cb76b ]
+
+We were occasionally seeing the "Errata i202: timedout" on an AM335x
+board when repeatedly opening and closing a UART connected to an active
+sender. As new input may arrive at any time, it is possible to miss the
+"RX FIFO empty" condition, forcing the loop to wait until it times out.
+
+Nothing in the i202 Advisory states that such a wait is even necessary;
+other FIFO clear functions like serial8250_clear_fifos() do not wait
+either. For this reason, it seems safe to remove the wait, fixing the
+mentioned issue.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20221013112339.2540767-1-matthias.schiffer@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index efe793a2fc65..090acaced3b1 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -169,27 +169,10 @@ static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
+ static void omap_8250_mdr1_errataset(struct uart_8250_port *up,
+ struct omap8250_priv *priv)
+ {
+- u8 timeout = 255;
+-
+ serial_out(up, UART_OMAP_MDR1, priv->mdr1);
+ udelay(2);
+ serial_out(up, UART_FCR, up->fcr | UART_FCR_CLEAR_XMIT |
+ UART_FCR_CLEAR_RCVR);
+- /*
+- * Wait for FIFO to empty: when empty, RX_FIFO_E bit is 0 and
+- * TX_FIFO_E bit is 1.
+- */
+- while (UART_LSR_THRE != (serial_in(up, UART_LSR) &
+- (UART_LSR_THRE | UART_LSR_DR))) {
+- timeout--;
+- if (!timeout) {
+- /* Should *never* happen. we warn and carry on */
+- dev_crit(up->port.dev, "Errata i202: timedout %x\n",
+- serial_in(up, UART_LSR));
+- break;
+- }
+- udelay(1);
+- }
+ }
+
+ static void omap_8250_get_divisor(struct uart_port *port, unsigned int baud,
+--
+2.35.1
+
--- /dev/null
+From 4916be5f1fdcecc069b2c3d0f9be9df0f1f81328 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 20:13:53 +0800
+Subject: serial: imx: Add missing .thaw_noirq hook
+
+From: Shawn Guo <shawn.guo@linaro.org>
+
+[ Upstream commit 4561d8008a467cb05ac632a215391d6b787f40aa ]
+
+The following warning is seen with non-console UART instance when
+system hibernates.
+
+[ 37.371969] ------------[ cut here ]------------
+[ 37.376599] uart3_root_clk already disabled
+[ 37.380810] WARNING: CPU: 0 PID: 296 at drivers/clk/clk.c:952 clk_core_disable+0xa4/0xb0
+...
+[ 37.506986] Call trace:
+[ 37.509432] clk_core_disable+0xa4/0xb0
+[ 37.513270] clk_disable+0x34/0x50
+[ 37.516672] imx_uart_thaw+0x38/0x5c
+[ 37.520250] platform_pm_thaw+0x30/0x6c
+[ 37.524089] dpm_run_callback.constprop.0+0x3c/0xd4
+[ 37.528972] device_resume+0x7c/0x160
+[ 37.532633] dpm_resume+0xe8/0x230
+[ 37.536036] hibernation_snapshot+0x288/0x430
+[ 37.540397] hibernate+0x10c/0x2e0
+[ 37.543798] state_store+0xc4/0xd0
+[ 37.547203] kobj_attr_store+0x1c/0x30
+[ 37.550953] sysfs_kf_write+0x48/0x60
+[ 37.554619] kernfs_fop_write_iter+0x118/0x1ac
+[ 37.559063] new_sync_write+0xe8/0x184
+[ 37.562812] vfs_write+0x230/0x290
+[ 37.566214] ksys_write+0x68/0xf4
+[ 37.569529] __arm64_sys_write+0x20/0x2c
+[ 37.573452] invoke_syscall.constprop.0+0x50/0xf0
+[ 37.578156] do_el0_svc+0x11c/0x150
+[ 37.581648] el0_svc+0x30/0x140
+[ 37.584792] el0t_64_sync_handler+0xe8/0xf0
+[ 37.588976] el0t_64_sync+0x1a0/0x1a4
+[ 37.592639] ---[ end trace 56e22eec54676d75 ]---
+
+On hibernating, pm core calls into related hooks in sequence like:
+
+ .freeze
+ .freeze_noirq
+ .thaw_noirq
+ .thaw
+
+With .thaw_noirq hook being absent, the clock will be disabled in a
+unbalanced call which results the warning above.
+
+ imx_uart_freeze()
+ clk_prepare_enable()
+ imx_uart_suspend_noirq()
+ clk_disable()
+ imx_uart_thaw
+ clk_disable_unprepare()
+
+Adding the missing .thaw_noirq hook as imx_uart_resume_noirq() will have
+the call sequence corrected as below and thus fix the warning.
+
+ imx_uart_freeze()
+ clk_prepare_enable()
+ imx_uart_suspend_noirq()
+ clk_disable()
+ imx_uart_resume_noirq()
+ clk_enable()
+ imx_uart_thaw
+ clk_disable_unprepare()
+
+Fixes: 09df0b3464e5 ("serial: imx: fix endless loop during suspend")
+Reviewed-by: Martin Kaiser <martin@kaiser.cx>
+Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
+Link: https://lore.kernel.org/r/20221012121353.2346280-1-shawn.guo@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/imx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index 8b41a783b37e..3f5878e367c7 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2551,6 +2551,7 @@ static const struct dev_pm_ops imx_uart_pm_ops = {
+ .suspend_noirq = imx_uart_suspend_noirq,
+ .resume_noirq = imx_uart_resume_noirq,
+ .freeze_noirq = imx_uart_suspend_noirq,
++ .thaw_noirq = imx_uart_resume_noirq,
+ .restore_noirq = imx_uart_resume_noirq,
+ .suspend = imx_uart_suspend,
+ .resume = imx_uart_resume,
+--
+2.35.1
+
btrfs-remove-pointless-and-double-ulist-frees-in-err.patch
bluetooth-l2cap-fix-l2cap_global_chan_by_psm.patch
asoc-codecs-jz4725b-fix-spelling-mistake-sourc-sourc.patch
+spi-stm32-print-summary-callbacks-suppressed-message.patch
+asoc-core-fix-use-after-free-in-snd_soc_exit.patch
+serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch
+serial-8250-omap-fix-unpaired-pm_runtime_put_sync-in.patch
+serial-8250-omap-flush-pm-qos-work-on-remove.patch
+serial-imx-add-missing-.thaw_noirq-hook.patch
+tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
+asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch
+block-sed-opal-kmalloc-the-cmd-resp-buffers.patch
+siox-fix-possible-memory-leak-in-siox_device_add.patch
+parport_pc-avoid-fifo-port-location-truncation.patch
+pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch
+arm64-dts-imx8mm-fix-nand-controller-size-cells.patch
+arm64-dts-imx8mn-fix-nand-controller-size-cells.patch
+ata-libata-transport-fix-double-ata_host_put-in-ata_.patch
+net-bgmac-drop-free_netdev-from-bgmac_enet_remove.patch
+misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch
+net-liquidio-release-resources-when-liquidio-driver-.patch
+misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch
+net-macvlan-use-built-in-rcu-list-checking.patch
+net-caif-fix-double-disconnect-client-in-chnl_net_op.patch
+bnxt_en-remove-debugfs-when-pci_register_driver-fail.patch
+xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
+drbd-use-after-free-in-drbd_create_device.patch
+platform-x86-intel-pmc-don-t-unconditionally-attach-.patch
+net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
+cifs-fix-wrong-return-value-checking-when-getflags.patch
+net-thunderbolt-fix-error-handling-in-tbnet_init.patch
+cifs-add-check-for-returning-value-of-smb2_set_info_.patch
--- /dev/null
+From 3d38abe34791e25f7ae87a6c76f8729f5bc555eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 10:13:34 +0800
+Subject: siox: fix possible memory leak in siox_device_add()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6e63153db50059fb78b8a8447b132664887d24e3 ]
+
+If device_register() returns error in siox_device_add(),
+the name allocated by dev_set_name() need be freed. As
+comment of device_register() says, it should use put_device()
+to give up the reference in the error path. So fix this
+by calling put_device(), then the name can be freed in
+kobject_cleanup(), and sdevice is freed in siox_device_release(),
+set it to null in error path.
+
+Fixes: bbecb07fa0af ("siox: new driver framework for eckelmann SIOX")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20221104021334.618189-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/siox/siox-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/siox/siox-core.c b/drivers/siox/siox-core.c
+index f8c08fb9891d..e0ffef6e9386 100644
+--- a/drivers/siox/siox-core.c
++++ b/drivers/siox/siox-core.c
+@@ -835,6 +835,8 @@ static struct siox_device *siox_device_add(struct siox_master *smaster,
+
+ err_device_register:
+ /* don't care to make the buffer smaller again */
++ put_device(&sdevice->dev);
++ sdevice = NULL;
+
+ err_buf_alloc:
+ siox_master_unlock(smaster);
+--
+2.35.1
+
--- /dev/null
+From d0c54a3611a28dd3f1f783be5501811043f73cda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 20:35:13 +0200
+Subject: spi: stm32: Print summary 'callbacks suppressed' message
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 195583504be28df5d608a4677dd796117aea875f ]
+
+The original fix "spi: stm32: Rate-limit the 'Communication suspended' message"
+still leads to "stm32h7_spi_irq_thread: 1696 callbacks suppressed" spew in the
+kernel log. Since this 'Communication suspended' message is a debug print, add
+RATELIMIT_MSG_ON_RELEASE flag to inhibit the "callbacks suspended" part during
+normal operation and only print summary at the end.
+
+Fixes: ea8be08cc9358 ("spi: stm32: Rate-limit the 'Communication suspended' message")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Link: https://lore.kernel.org/r/20221018183513.206706-1-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index 9ae16092206d..a1961a973839 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -937,6 +937,7 @@ static irqreturn_t stm32h7_spi_irq_thread(int irq, void *dev_id)
+ static DEFINE_RATELIMIT_STATE(rs,
+ DEFAULT_RATELIMIT_INTERVAL * 10,
+ 1);
++ ratelimit_set_flags(&rs, RATELIMIT_MSG_ON_RELEASE);
+ if (__ratelimit(&rs))
+ dev_dbg_ratelimited(spi->dev, "Communication suspended\n");
+ if (!spi->cur_usedma && (spi->rx_buf && (spi->rx_len > 0)))
+--
+2.35.1
+
--- /dev/null
+From 1d21dc7bcb82177284c1d8ad1d091e652906851e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 12:07:09 +0800
+Subject: tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 7b7dfe4833c70a11cdfa51b38705103bd31eddaa ]
+
+The function gsm_dlci_t1() is a timer handler that runs in an
+atomic context, but it calls "kzalloc(..., GFP_KERNEL)" that
+may sleep. As a result, the sleep-in-atomic-context bug will
+happen. The process is shown below:
+
+gsm_dlci_t1()
+ gsm_dlci_open()
+ gsm_modem_update()
+ gsm_modem_upd_via_msc()
+ gsm_control_send()
+ kzalloc(sizeof(.., GFP_KERNEL) //may sleep
+
+This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to
+GFP_ATOMIC in order to mitigate the bug.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://lore.kernel.org/r/20221002040709.27849-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 22da64453054..98c67ddf2fd9 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1413,7 +1413,7 @@ static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
+ unsigned int command, u8 *data, int clen)
+ {
+ struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ unsigned long flags;
+ if (ctrl == NULL)
+ return NULL;
+--
+2.35.1
+
--- /dev/null
+From 89120de5df1f2a6fbf27195556c43b32d42c2fdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 23:24:41 +0800
+Subject: xen/pcpu: fix possible memory leak in register_pcpu()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit da36a2a76b01b210ffaa55cdc2c99bc8783697c5 ]
+
+In device_add(), dev_set_name() is called to allocate name, if it returns
+error, the name need be freed. As comment of device_register() says, it
+should use put_device() to give up the reference in the error path. So fix
+this by calling put_device(), then the name can be freed in kobject_cleanup().
+
+Fixes: f65c9bb3fb72 ("xen/pcpu: Xen physical cpus online/offline sys interface")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20221110152441.401630-1-yangyingliang@huawei.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/pcpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/pcpu.c b/drivers/xen/pcpu.c
+index cdc6daa7a9f6..9cf7085a260b 100644
+--- a/drivers/xen/pcpu.c
++++ b/drivers/xen/pcpu.c
+@@ -228,7 +228,7 @@ static int register_pcpu(struct pcpu *pcpu)
+
+ err = device_register(dev);
+ if (err) {
+- pcpu_release(dev);
++ put_device(dev);
+ return err;
+ }
+
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
