--- /dev/null
+From 15468c678fcafc9427ea016c65e9ee0f4ecbb2ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 20:19:45 +0100
+Subject: ARM: dts: imx7: Fix NAND controller size-cells
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 753395ea1e45c724150070b5785900b6a44bd5fb ]
+
+The NAND controller size-cells should be 0 per DT bindings.
+Fix the following warning produces by DT bindings check:
+"
+nand-controller@33002000: #size-cells:0:0: 0 was expected
+nand-controller@33002000: Unevaluated properties are not allowed ('#address-cells', '#size-cells' were unexpected)
+"
+Fix the missing space in node name too.
+
+Fixes: e7495a45a76de ("ARM: dts: imx7: add GPMI NAND and APBH DMA")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx7s.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
+index 9e1b0af0aa43..e4ff47110a96 100644
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -1221,10 +1221,10 @@ dma_apbh: dma-apbh@33000000 {
+ clocks = <&clks IMX7D_NAND_USDHC_BUS_RAWNAND_CLK>;
+ };
+
+- gpmi: nand-controller@33002000{
++ gpmi: nand-controller@33002000 {
+ compatible = "fsl,imx7d-gpmi-nand";
+ #address-cells = <1>;
+- #size-cells = <1>;
++ #size-cells = <0>;
+ reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
+ reg-names = "gpmi-nand", "bch";
+ interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.35.1
+
--- /dev/null
+From 6efe9fe5dcad5ad740f4b4a792f21a206803a5bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 20:19:46 +0100
+Subject: arm64: dts: imx8mm: Fix NAND controller size-cells
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 1610233bc2c2cae2dff9e101e6ea5ef69cceb0e9 ]
+
+The NAND controller size-cells should be 0 per DT bindings.
+Fix the following warning produces by DT bindings check:
+"
+nand-controller@33002000: #size-cells:0:0: 0 was expected
+nand-controller@33002000: Unevaluated properties are not allowed ('#address-cells', '#size-cells' were unexpected)
+"
+Fix the missing space in node name too.
+
+Fixes: a05ea40eb384e ("arm64: dts: imx: Add i.mx8mm dtsi support")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm.dtsi b/arch/arm64/boot/dts/freescale/imx8mm.dtsi
+index f4d7bb75707d..3490619a9ba9 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm.dtsi
+@@ -939,10 +939,10 @@ dma_apbh: dma-controller@33000000 {
+ clocks = <&clk IMX8MM_CLK_NAND_USDHC_BUS_RAWNAND_CLK>;
+ };
+
+- gpmi: nand-controller@33002000{
++ gpmi: nand-controller@33002000 {
+ compatible = "fsl,imx8mm-gpmi-nand", "fsl,imx7d-gpmi-nand";
+ #address-cells = <1>;
+- #size-cells = <1>;
++ #size-cells = <0>;
+ reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
+ reg-names = "gpmi-nand", "bch";
+ interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.35.1
+
--- /dev/null
+From 6da2ed95abf84523cec8a8ed4741c9328fbabe1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 20:19:47 +0100
+Subject: arm64: dts: imx8mn: Fix NAND controller size-cells
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 5468e93b5b1083eaa729f98e59da18c85d9c4126 ]
+
+The NAND controller size-cells should be 0 per DT bindings.
+Fix the following warning produces by DT bindings check:
+"
+nand-controller@33002000: #size-cells:0:0: 0 was expected
+nand-controller@33002000: Unevaluated properties are not allowed ('#address-cells', '#size-cells' were unexpected)
+"
+
+Fixes: 6c3debcbae47a ("arm64: dts: freescale: Add i.MX8MN dtsi support")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn.dtsi b/arch/arm64/boot/dts/freescale/imx8mn.dtsi
+index aea723eb2ba3..7dba83041264 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn.dtsi
+@@ -809,7 +809,7 @@ dma_apbh: dma-controller@33000000 {
+ gpmi: nand-controller@33002000 {
+ compatible = "fsl,imx8mn-gpmi-nand", "fsl,imx7d-gpmi-nand";
+ #address-cells = <1>;
+- #size-cells = <1>;
++ #size-cells = <0>;
+ reg = <0x33002000 0x2000>, <0x33004000 0x4000>;
+ reg-names = "gpmi-nand", "bch";
+ interrupts = <GIC_SPI 14 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.35.1
+
--- /dev/null
+From e84b4da8737012e88c9ec9571feffe7194b8e786 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 09:01:06 -0700
+Subject: arm64: Fix bit-shifting UB in the MIDR_CPU_MODEL() macro
+
+From: D Scott Phillips <scott@os.amperecomputing.com>
+
+[ Upstream commit 8ec8490a1950efeccb00967698cf7cb2fcd25ca7 ]
+
+CONFIG_UBSAN_SHIFT with gcc-5 complains that the shifting of
+ARM_CPU_IMP_AMPERE (0xC0) into bits [31:24] by MIDR_CPU_MODEL() is
+undefined behavior. Well, sort of, it actually spells the error as:
+
+ arch/arm64/kernel/proton-pack.c: In function 'spectre_bhb_loop_affected':
+ arch/arm64/include/asm/cputype.h:44:2: error: initializer element is not constant
+ (((imp) << MIDR_IMPLEMENTOR_SHIFT) | \
+ ^
+
+This isn't an issue for other Implementor codes, as all the other codes
+have zero in the top bit and so are representable as a signed int.
+
+Cast the implementor code to unsigned in MIDR_CPU_MODEL to remove the
+undefined behavior.
+
+Fixes: 0e5d5ae837c8 ("arm64: Add AMPERE1 to the Spectre-BHB affected list")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: D Scott Phillips <scott@os.amperecomputing.com>
+Link: https://lore.kernel.org/r/20221102160106.1096948-1-scott@os.amperecomputing.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
+index 457b6bb276bb..9cf5d9551e99 100644
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -41,7 +41,7 @@
+ (((midr) & MIDR_IMPLEMENTOR_MASK) >> MIDR_IMPLEMENTOR_SHIFT)
+
+ #define MIDR_CPU_MODEL(imp, partnum) \
+- (((imp) << MIDR_IMPLEMENTOR_SHIFT) | \
++ ((_AT(u32, imp) << MIDR_IMPLEMENTOR_SHIFT) | \
+ (0xf << MIDR_ARCHITECTURE_SHIFT) | \
+ ((partnum) << MIDR_PARTNUM_SHIFT))
+
+--
+2.35.1
+
--- /dev/null
+From 245e4fe916656424ea0f74364f995a8818a8b90f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 11:16:03 +0800
+Subject: ASoC: core: Fix use-after-free in snd_soc_exit()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 6ec27c53886c8963729885bcf2dd996eba2767a7 ]
+
+KASAN reports a use-after-free:
+
+BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
+Read of size 8 at addr ffff888008655050 by task rmmod/387
+CPU: 2 PID: 387 Comm: rmmod
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+Call Trace:
+<TASK>
+dump_stack_lvl+0x79/0x9a
+print_report+0x17f/0x47b
+kasan_report+0xbb/0xf0
+device_del+0xb5b/0xc60
+platform_device_del.part.0+0x24/0x200
+platform_device_unregister+0x2e/0x40
+snd_soc_exit+0xa/0x22 [snd_soc_core]
+__do_sys_delete_module.constprop.0+0x34f/0x5b0
+do_syscall_64+0x3a/0x90
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+...
+</TASK>
+
+It's bacause in snd_soc_init(), snd_soc_util_init() is possble to fail,
+but its ret is ignored, which makes soc_dummy_dev unregistered twice.
+
+snd_soc_init()
+ snd_soc_util_init()
+ platform_device_register_simple(soc_dummy_dev)
+ platform_driver_register() # fail
+ platform_device_unregister(soc_dummy_dev)
+ platform_driver_register() # success
+...
+snd_soc_exit()
+ snd_soc_util_exit()
+ # soc_dummy_dev will be unregistered for second time
+
+To fix it, handle error and stop snd_soc_init() when util_init() fail.
+Also clean debugfs when util_init() or driver_register() fail.
+
+Fixes: fb257897bf20 ("ASoC: Work around allmodconfig failure")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221028031603.59416-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index a6d6d10cd471..e9da95ebccc8 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -3178,10 +3178,23 @@ EXPORT_SYMBOL_GPL(snd_soc_of_get_dai_link_codecs);
+
+ static int __init snd_soc_init(void)
+ {
++ int ret;
++
+ snd_soc_debugfs_init();
+- snd_soc_util_init();
++ ret = snd_soc_util_init();
++ if (ret)
++ goto err_util_init;
+
+- return platform_driver_register(&soc_driver);
++ ret = platform_driver_register(&soc_driver);
++ if (ret)
++ goto err_register;
++ return 0;
++
++err_register:
++ snd_soc_util_exit();
++err_util_init:
++ snd_soc_debugfs_exit();
++ return ret;
+ }
+ module_init(snd_soc_init);
+
+--
+2.35.1
+
--- /dev/null
+From b75f4cf90eedb527ba6e323c9b4abd1943c796d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 21:40:31 +0800
+Subject: ASoC: soc-utils: Remove __exit for snd_soc_util_exit()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 314d34fe7f0a5836cb0472950c1f17744b4efde8 ]
+
+snd_soc_util_exit() is called in __init snd_soc_init() for cleanup.
+Remove the __exit annotation for it to fix the build warning:
+
+WARNING: modpost: sound/soc/snd-soc-core.o: section mismatch in reference: init_module (section: .init.text) -> snd_soc_util_exit (section: .exit.text)
+
+Fixes: 6ec27c53886c ("ASoC: core: Fix use-after-free in snd_soc_exit()")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221031134031.256511-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
+index f27f94ca064b..6b398ffabb02 100644
+--- a/sound/soc/soc-utils.c
++++ b/sound/soc/soc-utils.c
+@@ -171,7 +171,7 @@ int __init snd_soc_util_init(void)
+ return ret;
+ }
+
+-void __exit snd_soc_util_exit(void)
++void snd_soc_util_exit(void)
+ {
+ platform_driver_unregister(&soc_dummy_driver);
+ platform_device_unregister(soc_dummy_dev);
+--
+2.35.1
+
--- /dev/null
+From 0a7bc1b2e3797a8b4a0c91b31314b2c58351c777 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 11:57:59 +0200
+Subject: ASoC: tas2764: Fix set_tdm_slot in case of single slot
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit faac764ea1ea6898d93e46c403271fb105c0906e ]
+
+There's a special branch in the set_tdm_slot op for the case of nslots
+being 1, but:
+
+ (1) That branch can never work (there's a check for tx_mask being
+ non-zero, later there's another check for it *being* zero; one or
+ the other always throws -EINVAL).
+
+ (2) The intention of the branch seems to be what the general other
+ branch reduces to in case of nslots being 1.
+
+For those reasons remove the 'nslots being 1' special case.
+
+Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764")
+Suggested-by: Jos Dehaes <jos.dehaes@gmail.com>
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20221027095800.16094-2-povik+lin@cutebit.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2764.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
+index 8b262e7f5275..c8f6f5122cac 100644
+--- a/sound/soc/codecs/tas2764.c
++++ b/sound/soc/codecs/tas2764.c
+@@ -386,20 +386,13 @@ static int tas2764_set_dai_tdm_slot(struct snd_soc_dai *dai,
+ if (tx_mask == 0 || rx_mask != 0)
+ return -EINVAL;
+
+- if (slots == 1) {
+- if (tx_mask != 1)
+- return -EINVAL;
+- left_slot = 0;
+- right_slot = 0;
++ left_slot = __ffs(tx_mask);
++ tx_mask &= ~(1 << left_slot);
++ if (tx_mask == 0) {
++ right_slot = left_slot;
+ } else {
+- left_slot = __ffs(tx_mask);
+- tx_mask &= ~(1 << left_slot);
+- if (tx_mask == 0) {
+- right_slot = left_slot;
+- } else {
+- right_slot = __ffs(tx_mask);
+- tx_mask &= ~(1 << right_slot);
+- }
++ right_slot = __ffs(tx_mask);
++ tx_mask &= ~(1 << right_slot);
+ }
+
+ if (tx_mask != 0 || left_slot >= slots || right_slot >= slots)
+--
+2.35.1
+
--- /dev/null
+From b4f8e8cfa20eac48d3dd0115185989c2cdd34160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 11:57:58 +0200
+Subject: ASoC: tas2770: Fix set_tdm_slot in case of single slot
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit e59bf547a7dd366f93bfebb7487959580ca6c0ec ]
+
+There's a special branch in the set_tdm_slot op for the case of nslots
+being 1, but:
+
+ (1) That branch can never work (there's a check for tx_mask being
+ non-zero, later there's another check for it *being* zero; one or
+ the other always throws -EINVAL).
+
+ (2) The intention of the branch seems to be what the general other
+ branch reduces to in case of nslots being 1.
+
+For those reasons remove the 'nslots being 1' special case.
+
+Fixes: 1a476abc723e ("tas2770: add tas2770 smart PA kernel driver")
+Suggested-by: Jos Dehaes <jos.dehaes@gmail.com>
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20221027095800.16094-1-povik+lin@cutebit.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2770.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c
+index 171bbcc919d5..c213c8096142 100644
+--- a/sound/soc/codecs/tas2770.c
++++ b/sound/soc/codecs/tas2770.c
+@@ -395,21 +395,13 @@ static int tas2770_set_dai_tdm_slot(struct snd_soc_dai *dai,
+ if (tx_mask == 0 || rx_mask != 0)
+ return -EINVAL;
+
+- if (slots == 1) {
+- if (tx_mask != 1)
+- return -EINVAL;
+-
+- left_slot = 0;
+- right_slot = 0;
++ left_slot = __ffs(tx_mask);
++ tx_mask &= ~(1 << left_slot);
++ if (tx_mask == 0) {
++ right_slot = left_slot;
+ } else {
+- left_slot = __ffs(tx_mask);
+- tx_mask &= ~(1 << left_slot);
+- if (tx_mask == 0) {
+- right_slot = left_slot;
+- } else {
+- right_slot = __ffs(tx_mask);
+- tx_mask &= ~(1 << right_slot);
+- }
++ right_slot = __ffs(tx_mask);
++ tx_mask &= ~(1 << right_slot);
+ }
+
+ if (tx_mask != 0 || left_slot >= slots || right_slot >= slots)
+--
+2.35.1
+
--- /dev/null
+From e6b6285b21a4eff130b86413ec7b4fcae78fc716 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:40:01 +0800
+Subject: ata: libata-transport: fix double ata_host_put() in ata_tport_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8c76310740807ade5ecdab5888f70ecb6d35732e ]
+
+In the error path in ata_tport_add(), when calling put_device(),
+ata_tport_release() is called, it will put the refcount of 'ap->host'.
+
+And then ata_host_put() is called again, the refcount is decreased
+to 0, ata_host_release() is called, all ports are freed and set to
+null.
+
+When unbinding the device after failure, ata_host_stop() is called
+to release the resources, it leads a null-ptr-deref(), because all
+the ports all freed and null.
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+CPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G E 6.1.0-rc3+ #8
+pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : ata_host_stop+0x3c/0x84 [libata]
+lr : release_nodes+0x64/0xd0
+Call trace:
+ ata_host_stop+0x3c/0x84 [libata]
+ release_nodes+0x64/0xd0
+ devres_release_all+0xbc/0x1b0
+ device_unbind_cleanup+0x20/0x70
+ really_probe+0x158/0x320
+ __driver_probe_device+0x84/0x120
+ driver_probe_device+0x44/0x120
+ __driver_attach+0xb4/0x220
+ bus_for_each_dev+0x78/0xdc
+ driver_attach+0x2c/0x40
+ bus_add_driver+0x184/0x240
+ driver_register+0x80/0x13c
+ __pci_register_driver+0x4c/0x60
+ ahci_pci_driver_init+0x30/0x1000 [ahci]
+
+Fix this by removing redundant ata_host_put() in the error path.
+
+Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-transport.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
+index b33772df9bc6..8a9850bd5d6c 100644
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -317,7 +317,6 @@ int ata_tport_add(struct device *parent,
+ tport_err:
+ transport_destroy_device(dev);
+ put_device(dev);
+- ata_host_put(ap->host);
+ return error;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From dd4f7a08a825cb8fad2c311dd779312718866636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:40:04 +0800
+Subject: ata: libata-transport: fix error handling in ata_tdev_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1ff36351309e3eadcff297480baf4785e726de9b ]
+
+In ata_tdev_add(), the return value of transport_add_device() is
+not checked. As a result, it causes null-ptr-deref while removing
+the module, because transport_remove_device() is called to remove
+the device that was not added.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
+CPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #36
+pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : device_del+0x48/0x3a0
+lr : device_del+0x44/0x3a0
+Call trace:
+ device_del+0x48/0x3a0
+ attribute_container_class_device_del+0x28/0x40
+ transport_remove_classdev+0x60/0x7c
+ attribute_container_device_trigger+0x118/0x120
+ transport_remove_device+0x20/0x30
+ ata_tdev_delete+0x24/0x50 [libata]
+ ata_tlink_delete+0x40/0xa0 [libata]
+ ata_tport_delete+0x2c/0x60 [libata]
+ ata_port_detach+0x148/0x1b0 [libata]
+ ata_pci_remove_one+0x50/0x80 [libata]
+ ahci_remove_one+0x4c/0x8c [ahci]
+
+Fix this by checking and handling return value of transport_add_device()
+in ata_tdev_add(). In the error path, device_del() is called to delete
+the device which was added earlier in this function, and ata_tdev_free()
+is called to free ata_dev.
+
+Fixes: d9027470b886 ("[libata] Add ATA transport class")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-transport.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
+index e386e5f35015..31a66fc0c31d 100644
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -683,7 +683,13 @@ static int ata_tdev_add(struct ata_device *ata_dev)
+ return error;
+ }
+
+- transport_add_device(dev);
++ error = transport_add_device(dev);
++ if (error) {
++ device_del(dev);
++ ata_tdev_free(ata_dev);
++ return error;
++ }
++
+ transport_configure_device(dev);
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From f6d806a70bf0cc6234eb8f84e5a9237abb0b7851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:40:03 +0800
+Subject: ata: libata-transport: fix error handling in ata_tlink_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cf0816f6322c5c37ee52655f928e91ecf32da103 ]
+
+In ata_tlink_add(), the return value of transport_add_device() is
+not checked. As a result, it causes null-ptr-deref while removing
+the module, because transport_remove_device() is called to remove
+the device that was not added.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
+CPU: 33 PID: 13850 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #12
+pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : device_del+0x48/0x39c
+lr : device_del+0x44/0x39c
+Call trace:
+ device_del+0x48/0x39c
+ attribute_container_class_device_del+0x28/0x40
+ transport_remove_classdev+0x60/0x7c
+ attribute_container_device_trigger+0x118/0x120
+ transport_remove_device+0x20/0x30
+ ata_tlink_delete+0x88/0xb0 [libata]
+ ata_tport_delete+0x2c/0x60 [libata]
+ ata_port_detach+0x148/0x1b0 [libata]
+ ata_pci_remove_one+0x50/0x80 [libata]
+ ahci_remove_one+0x4c/0x8c [ahci]
+
+Fix this by checking and handling return value of transport_add_device()
+in ata_tlink_add().
+
+Fixes: d9027470b886 ("[libata] Add ATA transport class")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-transport.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
+index da1b144d8288..e386e5f35015 100644
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -428,7 +428,9 @@ int ata_tlink_add(struct ata_link *link)
+ goto tlink_err;
+ }
+
+- transport_add_device(dev);
++ error = transport_add_device(dev);
++ if (error)
++ goto tlink_transport_err;
+ transport_configure_device(dev);
+
+ ata_for_each_dev(ata_dev, link, ALL) {
+@@ -443,6 +445,7 @@ int ata_tlink_add(struct ata_link *link)
+ ata_tdev_delete(ata_dev);
+ }
+ transport_remove_device(dev);
++ tlink_transport_err:
+ device_del(dev);
+ tlink_err:
+ transport_destroy_device(dev);
+--
+2.35.1
+
--- /dev/null
+From 70d6c3bd9a817466ee2c2dd40012563d3ccfcb82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 21:40:02 +0800
+Subject: ata: libata-transport: fix error handling in ata_tport_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3613dbe3909dcc637fe6be00e4dc43b4aa0470ee ]
+
+In ata_tport_add(), the return value of transport_add_device() is
+not checked. As a result, it causes null-ptr-deref while removing
+the module, because transport_remove_device() is called to remove
+the device that was not added.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
+CPU: 12 PID: 13605 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #8
+pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : device_del+0x48/0x39c
+lr : device_del+0x44/0x39c
+Call trace:
+ device_del+0x48/0x39c
+ attribute_container_class_device_del+0x28/0x40
+ transport_remove_classdev+0x60/0x7c
+ attribute_container_device_trigger+0x118/0x120
+ transport_remove_device+0x20/0x30
+ ata_tport_delete+0x34/0x60 [libata]
+ ata_port_detach+0x148/0x1b0 [libata]
+ ata_pci_remove_one+0x50/0x80 [libata]
+ ahci_remove_one+0x4c/0x8c [ahci]
+
+Fix this by checking and handling return value of transport_add_device()
+in ata_tport_add().
+
+Fixes: d9027470b886 ("[libata] Add ATA transport class")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-transport.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
+index 8a9850bd5d6c..da1b144d8288 100644
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -301,7 +301,9 @@ int ata_tport_add(struct device *parent,
+ pm_runtime_enable(dev);
+ pm_runtime_forbid(dev);
+
+- transport_add_device(dev);
++ error = transport_add_device(dev);
++ if (error)
++ goto tport_transport_add_err;
+ transport_configure_device(dev);
+
+ error = ata_tlink_add(&ap->link);
+@@ -312,6 +314,7 @@ int ata_tport_add(struct device *parent,
+
+ tport_link_err:
+ transport_remove_device(dev);
++ tport_transport_add_err:
+ device_del(dev);
+
+ tport_err:
+--
+2.35.1
+
--- /dev/null
+From 01015689b8e3c1fa07ced897a410102306aa5e6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 23:39:44 +0300
+Subject: block: sed-opal: kmalloc the cmd/resp buffers
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit f829230dd51974c1f4478900ed30bb77ba530b40 ]
+
+In accordance with [1] the DMA-able memory buffers must be
+cacheline-aligned otherwise the cache writing-back and invalidation
+performed during the mapping may cause the adjacent data being lost. It's
+specifically required for the DMA-noncoherent platforms [2]. Seeing the
+opal_dev.{cmd,resp} buffers are implicitly used for DMAs in the NVME and
+SCSI/SD drivers in framework of the nvme_sec_submit() and sd_sec_submit()
+methods respectively they must be cacheline-aligned to prevent the denoted
+problem. One of the option to guarantee that is to kmalloc the buffers
+[2]. Let's explicitly allocate them then instead of embedding into the
+opal_dev structure instance.
+
+Note this fix was inspired by the commit c94b7f9bab22 ("nvme-hwmon:
+kmalloc the NVME SMART log buffer").
+
+[1] Documentation/core-api/dma-api.rst
+[2] Documentation/core-api/dma-api-howto.rst
+
+Fixes: 455a7b238cd6 ("block: Add Sed-opal library")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20221107203944.31686-1-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/sed-opal.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/block/sed-opal.c b/block/sed-opal.c
+index daafadbb88ca..0ac5a4f3f226 100644
+--- a/block/sed-opal.c
++++ b/block/sed-opal.c
+@@ -88,8 +88,8 @@ struct opal_dev {
+ u64 lowest_lba;
+
+ size_t pos;
+- u8 cmd[IO_BUFFER_LENGTH];
+- u8 resp[IO_BUFFER_LENGTH];
++ u8 *cmd;
++ u8 *resp;
+
+ struct parsed_resp parsed;
+ size_t prev_d_len;
+@@ -2134,6 +2134,8 @@ void free_opal_dev(struct opal_dev *dev)
+ return;
+
+ clean_opal_dev(dev);
++ kfree(dev->resp);
++ kfree(dev->cmd);
+ kfree(dev);
+ }
+ EXPORT_SYMBOL(free_opal_dev);
+@@ -2146,17 +2148,39 @@ struct opal_dev *init_opal_dev(void *data, sec_send_recv *send_recv)
+ if (!dev)
+ return NULL;
+
++ /*
++ * Presumably DMA-able buffers must be cache-aligned. Kmalloc makes
++ * sure the allocated buffer is DMA-safe in that regard.
++ */
++ dev->cmd = kmalloc(IO_BUFFER_LENGTH, GFP_KERNEL);
++ if (!dev->cmd)
++ goto err_free_dev;
++
++ dev->resp = kmalloc(IO_BUFFER_LENGTH, GFP_KERNEL);
++ if (!dev->resp)
++ goto err_free_cmd;
++
+ INIT_LIST_HEAD(&dev->unlk_lst);
+ mutex_init(&dev->dev_lock);
+ dev->data = data;
+ dev->send_recv = send_recv;
+ if (check_opal_support(dev) != 0) {
+ pr_debug("Opal is not supported on this device\n");
+- kfree(dev);
+- return NULL;
++ goto err_free_resp;
+ }
+
+ return dev;
++
++err_free_resp:
++ kfree(dev->resp);
++
++err_free_cmd:
++ kfree(dev->cmd);
++
++err_free_dev:
++ kfree(dev);
++
++ return NULL;
+ }
+ EXPORT_SYMBOL(init_opal_dev);
+
+--
+2.35.1
+
--- /dev/null
+From 87f960c569ed07639f0fccf0ed9623ca17bf7d27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 15:04:33 +0800
+Subject: bnxt_en: Remove debugfs when pci_register_driver failed
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 991aef4ee4f6eb999924f429b943441a32835c8f ]
+
+When pci_register_driver failed, we need to remove debugfs,
+which will caused a resource leak, fix it.
+
+Resource leak logs as follows:
+[ 52.184456] debugfs: Directory 'bnxt_en' with parent '/' already present!
+
+Fixes: cabfb09d87bd ("bnxt_en: add debugfs support for DIM")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 8311473d537b..92f54e333395 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -13111,8 +13111,16 @@ static struct pci_driver bnxt_pci_driver = {
+
+ static int __init bnxt_init(void)
+ {
++ int err;
++
+ bnxt_debug_init();
+- return pci_register_driver(&bnxt_pci_driver);
++ err = pci_register_driver(&bnxt_pci_driver);
++ if (err) {
++ bnxt_debug_exit();
++ return err;
++ }
++
++ return 0;
+ }
+
+ static void __exit bnxt_exit(void)
+--
+2.35.1
+
--- /dev/null
+From 43016119d1e8ea90e66852d78d339a871589aeeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 07:21:28 -0500
+Subject: bpf: Initialize same number of free nodes for each pcpu_freelist
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 4b45cd81f737d79d0fbfc0d320a1e518e7f0bbf0 ]
+
+pcpu_freelist_populate() initializes nr_elems / num_possible_cpus() + 1
+free nodes for some CPUs, and then possibly one CPU with fewer nodes,
+followed by remaining cpus with 0 nodes. For example, when nr_elems == 256
+and num_possible_cpus() == 32, CPU 0~27 each gets 9 free nodes, CPU 28 gets
+4 free nodes, CPU 29~31 get 0 free nodes, while in fact each CPU should get
+8 nodes equally.
+
+This patch initializes nr_elems / num_possible_cpus() free nodes for each
+CPU firstly, then allocates the remaining free nodes by one for each CPU
+until no free nodes left.
+
+Fixes: e19494edab82 ("bpf: introduce percpu_freelist")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20221110122128.105214-1-xukuohai@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/percpu_freelist.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/bpf/percpu_freelist.c b/kernel/bpf/percpu_freelist.c
+index 3d897de89061..bbab8bb4b2fd 100644
+--- a/kernel/bpf/percpu_freelist.c
++++ b/kernel/bpf/percpu_freelist.c
+@@ -102,22 +102,21 @@ void pcpu_freelist_populate(struct pcpu_freelist *s, void *buf, u32 elem_size,
+ u32 nr_elems)
+ {
+ struct pcpu_freelist_head *head;
+- int i, cpu, pcpu_entries;
++ unsigned int cpu, cpu_idx, i, j, n, m;
+
+- pcpu_entries = nr_elems / num_possible_cpus() + 1;
+- i = 0;
++ n = nr_elems / num_possible_cpus();
++ m = nr_elems % num_possible_cpus();
+
++ cpu_idx = 0;
+ for_each_possible_cpu(cpu) {
+-again:
+ head = per_cpu_ptr(s->freelist, cpu);
+- /* No locking required as this is not visible yet. */
+- pcpu_freelist_push_node(head, buf);
+- i++;
+- buf += elem_size;
+- if (i == nr_elems)
+- break;
+- if (i % pcpu_entries)
+- goto again;
++ j = n + (cpu_idx < m ? 1 : 0);
++ for (i = 0; i < j; i++) {
++ /* No locking required as this is not visible yet. */
++ pcpu_freelist_push_node(head, buf);
++ buf += elem_size;
++ }
++ cpu_idx++;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2558e541b566c785691fab5b649c8aafd28f37a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 16:16:20 +0800
+Subject: bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()
+
+From: Baisong Zhong <zhongbaisong@huawei.com>
+
+[ Upstream commit d3fd203f36d46aa29600a72d57a1b61af80e4a25 ]
+
+We got a syzkaller problem because of aarch64 alignment fault
+if KFENCE enabled. When the size from user bpf program is an odd
+number, like 399, 407, etc, it will cause the struct skb_shared_info's
+unaligned access. As seen below:
+
+ BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
+
+ Use-after-free read at 0xffff6254fffac077 (in kfence-#213):
+ __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]
+ arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
+ arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]
+ atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]
+ __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032
+ skb_clone+0xf4/0x214 net/core/skbuff.c:1481
+ ____bpf_clone_redirect net/core/filter.c:2433 [inline]
+ bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420
+ bpf_prog_d3839dd9068ceb51+0x80/0x330
+ bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]
+ bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53
+ bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594
+ bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
+ __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
+ __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
+
+ kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512
+
+ allocated by task 15074 on cpu 0 at 1342.585390s:
+ kmalloc include/linux/slab.h:568 [inline]
+ kzalloc include/linux/slab.h:675 [inline]
+ bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191
+ bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512
+ bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]
+ __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]
+ __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381
+ __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381
+
+To fix the problem, we adjust @size so that (@size + @hearoom) is a
+multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info
+is aligned to a cache line.
+
+Fixes: 1cf1cae963c2 ("bpf: introduce BPF_PROG_TEST_RUN command")
+Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/bpf/20221102081620.1465154-1-zhongbaisong@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/test_run.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
+index 2983e926fe3c..717b01ff9b2b 100644
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -231,6 +231,7 @@ static void *bpf_test_init(const union bpf_attr *kattr, u32 size,
+ if (user_size > size)
+ return ERR_PTR(-EMSGSIZE);
+
++ size = SKB_DATA_ALIGN(size);
+ data = kzalloc(size + headroom + tailroom, GFP_USER);
+ if (!data)
+ return ERR_PTR(-ENOMEM);
+--
+2.35.1
+
--- /dev/null
+From 5f54e09ad0c447b47e614ed01e5de39707e87309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 17:27:01 +0300
+Subject: cifs: add check for returning value of SMB2_close_init
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+[ Upstream commit d520de6cb42e88a1d008b54f935caf9fc05951da ]
+
+If the returning value of SMB2_close_init is an error-value,
+exit the function.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 352d96f3acc6 ("cifs: multichannel: move channel selection above transport layer")
+
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 11efd5289ec4..1cc823e96065 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1266,6 +1266,8 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+ rqst[2].rq_nvec = 1;
+ rc = SMB2_close_init(tcon, server,
+ &rqst[2], COMPOUND_FID, COMPOUND_FID, false);
++ if (rc)
++ goto sea_exit;
+ smb2_set_related(&rqst[2]);
+
+ rc = compound_send_recv(xid, ses, server,
+--
+2.35.1
+
--- /dev/null
+From 77daa44043fa54319ba477a18a5445a73ee151eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 17:10:27 +0300
+Subject: cifs: add check for returning value of SMB2_set_info_init
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+[ Upstream commit a51e5d293dd1c2e7bf6f7be788466cd9b5d280fb ]
+
+If the returning value of SMB2_set_info_init is an error-value,
+exit the function.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0967e5457954 ("cifs: use a compound for setting an xattr")
+
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 1cc823e96065..72368b656b33 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1256,6 +1256,8 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+ COMPOUND_FID, current->tgid,
+ FILE_FULL_EA_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto sea_exit;
+ smb2_set_next_command(tcon, &rqst[1]);
+ smb2_set_related(&rqst[1]);
+
+--
+2.35.1
+
--- /dev/null
+From d86ae37046f1e4316bf539897cd69f5b1d72a4f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 18:39:34 +0800
+Subject: cifs: Fix wrong return value checking when GETFLAGS
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 92bbd67a55fee50743b42825d1c016e7fd5c79f9 ]
+
+The return value of CIFSGetExtAttr is negative, should be checked
+with -EOPNOTSUPP rather than EOPNOTSUPP.
+
+Fixes: 64a5cfa6db94 ("Allow setting per-file compression via SMB2/3")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/ioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c
+index dcde44ff6cf9..e45598b62242 100644
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -193,7 +193,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ rc = put_user(ExtAttrBits &
+ FS_FL_USER_VISIBLE,
+ (int __user *)arg);
+- if (rc != EOPNOTSUPP)
++ if (rc != -EOPNOTSUPP)
+ break;
+ }
+ #endif /* CONFIG_CIFS_POSIX */
+@@ -222,7 +222,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ * pSMBFile->fid.netfid,
+ * extAttrBits,
+ * &ExtAttrMask);
+- * if (rc != EOPNOTSUPP)
++ * if (rc != -EOPNOTSUPP)
+ * break;
+ */
+
+--
+2.35.1
+
--- /dev/null
+From 9670a79b35c9aabf18c0931092994c566d809244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 16:16:43 +0300
+Subject: drbd: use after free in drbd_create_device()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit a7a1598189228b5007369a9622ccdf587be0730f ]
+
+The drbd_destroy_connection() frees the "connection" so use the _safe()
+iterator to prevent a use after free.
+
+Fixes: b6f85ef9538b ("drbd: Iterate over all connections")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Link: https://lore.kernel.org/r/Y3Jd5iZRbNQ9w6gm@kili
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
+index 407527ff6b1f..51450f7c81af 100644
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -2720,7 +2720,7 @@ static int init_submitter(struct drbd_device *device)
+ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsigned int minor)
+ {
+ struct drbd_resource *resource = adm_ctx->resource;
+- struct drbd_connection *connection;
++ struct drbd_connection *connection, *n;
+ struct drbd_device *device;
+ struct drbd_peer_device *peer_device, *tmp_peer_device;
+ struct gendisk *disk;
+@@ -2839,7 +2839,7 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
+ out_idr_remove_vol:
+ idr_remove(&connection->peer_devices, vnr);
+ out_idr_remove_from_resource:
+- for_each_connection(connection, resource) {
++ for_each_connection_safe(connection, n, resource) {
+ peer_device = idr_remove(&connection->peer_devices, vnr);
+ if (peer_device)
+ kref_put(&connection->kref, drbd_destroy_connection);
+--
+2.35.1
+
--- /dev/null
+From fdc7671f517618b775da55ddd466f587169516fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 15:07:15 +0800
+Subject: drm/drv: Fix potential memory leak in drm_dev_init()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit ff963634f7b2e0dc011349abb3fb81a0d074f443 ]
+
+drm_dev_init() will add drm_dev_init_release() as a callback. When
+drmm_add_action() failed, the release function won't be added. As the
+result, the ref cnt added by device_get() in drm_dev_init() won't be put
+by drm_dev_init_release(), which leads to the memleak. Use
+drmm_add_action_or_reset() instead of drmm_add_action() to prevent
+memleak.
+
+unreferenced object 0xffff88810bc0c800 (size 2048):
+ comm "modprobe", pid 8322, jiffies 4305809845 (age 15.292s)
+ hex dump (first 32 bytes):
+ e8 cc c0 0b 81 88 ff ff ff ff ff ff 00 00 00 00 ................
+ 20 24 3c 0c 81 88 ff ff 18 c8 c0 0b 81 88 ff ff $<.............
+ backtrace:
+ [<000000007251f72d>] __kmalloc+0x4b/0x1c0
+ [<0000000045f21f26>] platform_device_alloc+0x2d/0xe0
+ [<000000004452a479>] platform_device_register_full+0x24/0x1c0
+ [<0000000089f4ea61>] 0xffffffffa0736051
+ [<00000000235b2441>] do_one_initcall+0x7a/0x380
+ [<0000000001a4a177>] do_init_module+0x5c/0x230
+ [<000000002bf8a8e2>] load_module+0x227d/0x2420
+ [<00000000637d6d0a>] __do_sys_finit_module+0xd5/0x140
+ [<00000000c99fc324>] do_syscall_64+0x3f/0x90
+ [<000000004d85aa77>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 2cbf7fc6718b ("drm: Use drmm_ for drm_dev_init cleanup")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221101070716.9189-2-shangxiaojing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
+index 006e3b896cae..4ca995ce19af 100644
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -610,7 +610,7 @@ static int drm_dev_init(struct drm_device *dev,
+ mutex_init(&dev->clientlist_mutex);
+ mutex_init(&dev->master_mutex);
+
+- ret = drmm_add_action(dev, drm_dev_init_release, NULL);
++ ret = drmm_add_action_or_reset(dev, drm_dev_init_release, NULL);
+ if (ret)
+ return ret;
+
+--
+2.35.1
+
--- /dev/null
+From 9bb7cd2687cc11329f04f6167bd9675e6d6dbc97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 15:07:16 +0800
+Subject: drm: Fix potential null-ptr-deref in drm_vblank_destroy_worker()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 4979524f5a2a8210e87fde2f642b0dc060860821 ]
+
+drm_vblank_init() call drmm_add_action_or_reset() with
+drm_vblank_init_release() as action. If __drmm_add_action() failed, will
+directly call drm_vblank_init_release() with the vblank whose worker is
+NULL. As the resule, a null-ptr-deref will happen in
+kthread_destroy_worker(). Add the NULL check before calling
+drm_vblank_destroy_worker().
+
+BUG: null-ptr-deref
+KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
+CPU: 5 PID: 961 Comm: modprobe Not tainted 6.0.0-11331-gd465bff130bf-dirty
+RIP: 0010:kthread_destroy_worker+0x25/0xb0
+ Call Trace:
+ <TASK>
+ drm_vblank_init_release+0x124/0x220 [drm]
+ ? drm_crtc_vblank_restore+0x8b0/0x8b0 [drm]
+ __drmm_add_action_or_reset+0x41/0x50 [drm]
+ drm_vblank_init+0x282/0x310 [drm]
+ vkms_init+0x35f/0x1000 [vkms]
+ ? 0xffffffffc4508000
+ ? lock_is_held_type+0xd7/0x130
+ ? __kmem_cache_alloc_node+0x1c2/0x2b0
+ ? lock_is_held_type+0xd7/0x130
+ ? 0xffffffffc4508000
+ do_one_initcall+0xd0/0x4f0
+ ...
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Fixes: 5e6c2b4f9161 ("drm/vblank: Add vblank works")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221101070716.9189-3-shangxiaojing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_internal.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_internal.h b/drivers/gpu/drm/drm_internal.h
+index f80e0f28087d..41efe40bc70f 100644
+--- a/drivers/gpu/drm/drm_internal.h
++++ b/drivers/gpu/drm/drm_internal.h
+@@ -116,7 +116,8 @@ static inline void drm_vblank_flush_worker(struct drm_vblank_crtc *vblank)
+
+ static inline void drm_vblank_destroy_worker(struct drm_vblank_crtc *vblank)
+ {
+- kthread_destroy_worker(vblank->worker);
++ if (vblank->worker)
++ kthread_destroy_worker(vblank->worker);
+ }
+
+ int drm_vblank_worker_init(struct drm_vblank_crtc *vblank);
+--
+2.35.1
+
--- /dev/null
+From e7ddd4d5921561f129b6a6ef24afce2e4c6a39d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 16:16:22 +0200
+Subject: drm/panel: simple: set bpc field for logic technologies displays
+
+From: Aishwarya Kothari <aishwarya.kothari@toradex.com>
+
+[ Upstream commit 876153ab068b2507a19aa3ef481f5b00a2cc780f ]
+
+In case bpc is not set for a panel it then throws a WARN(). Add bpc to
+the panels logictechno_lt170410_2whc and logictechno_lt161010_2nh.
+
+Fixes: 5728fe7fa539 ("drm/panel: simple: add display timings for logic technologies displays")
+Signed-off-by: Aishwarya Kothari <aishwarya.kothari@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220831141622.39605-1-francesco.dolcini@toradex.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index b7b37082a9d7..1a87cc445b5e 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2655,6 +2655,7 @@ static const struct display_timing logictechno_lt161010_2nh_timing = {
+ static const struct panel_desc logictechno_lt161010_2nh = {
+ .timings = &logictechno_lt161010_2nh_timing,
+ .num_timings = 1,
++ .bpc = 6,
+ .size = {
+ .width = 154,
+ .height = 86,
+@@ -2684,6 +2685,7 @@ static const struct display_timing logictechno_lt170410_2whc_timing = {
+ static const struct panel_desc logictechno_lt170410_2whc = {
+ .timings = &logictechno_lt170410_2whc_timing,
+ .num_timings = 1,
++ .bpc = 8,
+ .size = {
+ .width = 217,
+ .height = 136,
+--
+2.35.1
+
--- /dev/null
+From bca8461b08c1f79e7cec219993e2978be3b25922 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 19:38:23 +0800
+Subject: mISDN: fix misuse of put_device() in mISDN_register_device()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 2d25107e111a85c56f601a5470f1780ec054e6ac ]
+
+We should not release reference by put_device() before calling device_initialize().
+
+Fixes: e7d1d4d9ac0d ("mISDN: fix possible memory leak in mISDN_register_device()")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c
+index 7ea0100f218a..90ee56d07a6e 100644
+--- a/drivers/isdn/mISDN/core.c
++++ b/drivers/isdn/mISDN/core.c
+@@ -222,7 +222,7 @@ mISDN_register_device(struct mISDNdevice *dev,
+
+ err = get_free_devid();
+ if (err < 0)
+- goto error1;
++ return err;
+ dev->id = err;
+
+ device_initialize(&dev->dev);
+--
+2.35.1
+
--- /dev/null
+From c894d4b0f2bc27203365e23fd691c248dfb5fa4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 21:28:32 +0800
+Subject: mISDN: fix possible memory leak in mISDN_dsp_element_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 98a2ac1ca8fd6eca6867726fe238d06e75eb1acd ]
+
+Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
+bus_id string array"), the name of device is allocated dynamically,
+use put_device() to give up the reference, so that the name can be
+freed in kobject_cleanup() when the refcount is 0.
+
+The 'entry' is going to be freed in mISDN_dsp_dev_release(), so the
+kfree() is removed. list_del() is called in mISDN_dsp_dev_release(),
+so it need be initialized.
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221109132832.3270119-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_pipeline.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c
+index c3b2c99b5cd5..cfbcd9e973c2 100644
+--- a/drivers/isdn/mISDN/dsp_pipeline.c
++++ b/drivers/isdn/mISDN/dsp_pipeline.c
+@@ -77,6 +77,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ if (!entry)
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&entry->list);
+ entry->elem = elem;
+
+ entry->dev.class = elements_class;
+@@ -107,7 +108,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ device_unregister(&entry->dev);
+ return ret;
+ err1:
+- kfree(entry);
++ put_device(&entry->dev);
+ return ret;
+ }
+ EXPORT_SYMBOL(mISDN_dsp_element_register);
+--
+2.35.1
+
--- /dev/null
+From f6d6a8aa294881b3474f1f34cc8c8a789efa7073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:55:49 +0800
+Subject: net: ag71xx: call phylink_disconnect_phy if ag71xx_hw_enable() fail
+ in ag71xx_open()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit c9b895c6878bdb6789dc1d7af60fd10f4a9f1937 ]
+
+If ag71xx_hw_enable() fails, call phylink_disconnect_phy() to clean up.
+And if phylink_of_phy_connect() fails, nothing needs to be done.
+Compile tested only.
+
+Fixes: 892e09153fa3 ("net: ag71xx: port to phylink")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://lore.kernel.org/r/20221114095549.40342-1-liujian56@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/ag71xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c
+index c26c9b0c00d8..fe3ca3af431a 100644
+--- a/drivers/net/ethernet/atheros/ag71xx.c
++++ b/drivers/net/ethernet/atheros/ag71xx.c
+@@ -1468,7 +1468,7 @@ static int ag71xx_open(struct net_device *ndev)
+ if (ret) {
+ netif_err(ag, link, ndev, "phylink_of_phy_connect filed with err: %i\n",
+ ret);
+- goto err;
++ return ret;
+ }
+
+ max_frame_len = ag71xx_max_frame_len(ndev->mtu);
+@@ -1489,6 +1489,7 @@ static int ag71xx_open(struct net_device *ndev)
+
+ err:
+ ag71xx_rings_cleanup(ag);
++ phylink_disconnect_phy(ag->phylink);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 07806da815d6a1d2e646ce8895c684abe628ce28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 15:01:36 +0000
+Subject: net: bgmac: Drop free_netdev() from bgmac_enet_remove()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 6f928ab8ee9bfbcb0e631c47ea8a16c3d5116ff1 ]
+
+netdev is allocated in bgmac_alloc() with devm_alloc_etherdev() and will
+be auto released in ->remove and ->probe failure path. Using free_netdev()
+in bgmac_enet_remove() leads to double free.
+
+Fixes: 34a5102c3235 ("net: bgmac: allocate struct bgmac just once & don't copy it")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+
+Link: https://lore.kernel.org/r/20221109150136.2991171-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
+index 6290d8bedc92..9960127f612e 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -1568,7 +1568,6 @@ void bgmac_enet_remove(struct bgmac *bgmac)
+ phy_disconnect(bgmac->net_dev->phydev);
+ netif_napi_del(&bgmac->napi);
+ bgmac_dma_free(bgmac);
+- free_netdev(bgmac->net_dev);
+ }
+ EXPORT_SYMBOL_GPL(bgmac_enet_remove);
+
+--
+2.35.1
+
--- /dev/null
+From f4bbf5eb50444414c3e9a5054d6782841c9ae7ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 09:47:34 +0800
+Subject: net: caif: fix double disconnect client in chnl_net_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 8fbb53c8bfd8c56ecf1f78dc821778b58f505503 ]
+
+When connecting to client timeout, disconnect client for twice in
+chnl_net_open(). Remove one. Compile tested only.
+
+Fixes: 2aa40aef9deb ("caif: Use link layer MTU instead of fixed MTU")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/chnl_net.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
+index 42dc080a4dbb..806fb4d84fd3 100644
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -315,9 +315,6 @@ static int chnl_net_open(struct net_device *dev)
+
+ if (result == 0) {
+ pr_debug("connect timeout\n");
+- caif_disconnect_client(dev_net(dev), &priv->chnl);
+- priv->state = CAIF_DISCONNECTED;
+- pr_debug("state disconnected\n");
+ result = -ETIMEDOUT;
+ goto error;
+ }
+--
+2.35.1
+
--- /dev/null
+From cb26e8b2bc4a9153ef12de9cd281844f5f016be6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 02:56:59 +0000
+Subject: net: ena: Fix error handling in ena_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit d349e9be5a2c2d7588a2c4e4bfa0bb3dc1226769 ]
+
+The ena_init() won't destroy workqueue created by
+create_singlethread_workqueue() when pci_register_driver() failed.
+Call destroy_workqueue() when pci_register_driver() failed to prevent the
+resource leak.
+
+Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Shay Agroskin <shayagr@amazon.com>
+Link: https://lore.kernel.org/r/20221114025659.124726-1-yuancan@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 52414ac2c901..1722d4091ea3 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -4488,13 +4488,19 @@ static struct pci_driver ena_pci_driver = {
+
+ static int __init ena_init(void)
+ {
++ int ret;
++
+ ena_wq = create_singlethread_workqueue(DRV_MODULE_NAME);
+ if (!ena_wq) {
+ pr_err("Failed to create workqueue\n");
+ return -ENOMEM;
+ }
+
+- return pci_register_driver(&ena_pci_driver);
++ ret = pci_register_driver(&ena_pci_driver);
++ if (ret)
++ destroy_workqueue(ena_wq);
++
++ return ret;
+ }
+
+ static void __exit ena_cleanup(void)
+--
+2.35.1
+
--- /dev/null
+From 7be6cbe564728b107432bf3fabc64ef060bd1f6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 02:16:42 +0000
+Subject: net: hinic: Fix error handling in hinic_module_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 8eab9be56cc6b702a445d2b6d0256aa0992316b3 ]
+
+A problem about hinic create debugfs failed is triggered with the
+following log given:
+
+ [ 931.419023] debugfs: Directory 'hinic' with parent '/' already present!
+
+The reason is that hinic_module_init() returns pci_register_driver()
+directly without checking its return value, if pci_register_driver()
+failed, it returns without destroy the newly created debugfs, resulting
+the debugfs of hinic can never be created later.
+
+ hinic_module_init()
+ hinic_dbg_register_debugfs() # create debugfs directory
+ pci_register_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without destroy debugfs directory
+
+Fix by removing debugfs when pci_register_driver() returns error.
+
+Fixes: 253ac3a97921 ("hinic: add support to query sq info")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20221110021642.80378-1-yuancan@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/huawei/hinic/hinic_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+index 4f1d585485d7..6ec042d48cd1 100644
+--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c
++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+@@ -1502,8 +1502,15 @@ static struct pci_driver hinic_driver = {
+
+ static int __init hinic_module_init(void)
+ {
++ int ret;
++
+ hinic_dbg_register_debugfs(HINIC_DRV_NAME);
+- return pci_register_driver(&hinic_driver);
++
++ ret = pci_register_driver(&hinic_driver);
++ if (ret)
++ hinic_dbg_unregister_debugfs();
++
++ return ret;
+ }
+
+ static void __exit hinic_module_exit(void)
+--
+2.35.1
+
--- /dev/null
+From f85b92f30389e1cbf94c3af9438c098a46637a2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 09:29:29 +0000
+Subject: net: ionic: Fix error handling in ionic_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 280c0f7cd0aa4d190619b18243110e052a90775c ]
+
+A problem about ionic create debugfs failed is triggered with the
+following log given:
+
+ [ 415.799514] debugfs: Directory 'ionic' with parent '/' already present!
+
+The reason is that ionic_init_module() returns ionic_bus_register_driver()
+directly without checking its return value, if ionic_bus_register_driver()
+failed, it returns without destroy the newly created debugfs, resulting
+the debugfs of ionic can never be created later.
+
+ ionic_init_module()
+ ionic_debugfs_create() # create debugfs directory
+ ionic_bus_register_driver()
+ pci_register_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without destroy debugfs directory
+
+Fix by removing debugfs when ionic_bus_register_driver() returns error.
+
+Fixes: fbfb8031533c ("ionic: Add hardware init and device commands")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Shannon Nelson <snelson@pensando.io>
+Link: https://lore.kernel.org/r/20221113092929.19161-1-yuancan@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_main.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c
+index f60ffef33e0c..00b6985edea0 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c
+@@ -569,8 +569,14 @@ int ionic_port_reset(struct ionic *ionic)
+
+ static int __init ionic_init_module(void)
+ {
++ int ret;
++
+ ionic_debugfs_create();
+- return ionic_bus_register_driver();
++ ret = ionic_bus_register_driver();
++ if (ret)
++ ionic_debugfs_destroy();
++
++ return ret;
+ }
+
+ static void __exit ionic_cleanup_module(void)
+--
+2.35.1
+
--- /dev/null
+From 90e3859bb4f2a5c1525d164b873c1b0bbe86fb9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 18:30:37 +0800
+Subject: net: liquidio: release resources when liquidio driver open failed
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 8979f428a4afc215e390006e5ea19fd4e22c7ca9 ]
+
+When liquidio driver open failed, it doesn't release resources. Compile
+tested only.
+
+Fixes: 5b07aee11227 ("liquidio: MSIX support for CN23XX")
+Fixes: dbc97bfd3918 ("net: liquidio: Add missing null pointer checks")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/cavium/liquidio/lio_main.c | 34 ++++++++++++++-----
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
+index e0d18e917108..c4dc6e2ccd6b 100644
+--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
+@@ -1798,13 +1798,10 @@ static int liquidio_open(struct net_device *netdev)
+
+ ifstate_set(lio, LIO_IFSTATE_RUNNING);
+
+- if (OCTEON_CN23XX_PF(oct)) {
+- if (!oct->msix_on)
+- if (setup_tx_poll_fn(netdev))
+- return -1;
+- } else {
+- if (setup_tx_poll_fn(netdev))
+- return -1;
++ if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on)) {
++ ret = setup_tx_poll_fn(netdev);
++ if (ret)
++ goto err_poll;
+ }
+
+ netif_tx_start_all_queues(netdev);
+@@ -1817,7 +1814,7 @@ static int liquidio_open(struct net_device *netdev)
+ /* tell Octeon to start forwarding packets to host */
+ ret = send_rx_ctrl_cmd(lio, 1);
+ if (ret)
+- return ret;
++ goto err_rx_ctrl;
+
+ /* start periodical statistics fetch */
+ INIT_DELAYED_WORK(&lio->stats_wk.work, lio_fetch_stats);
+@@ -1828,6 +1825,27 @@ static int liquidio_open(struct net_device *netdev)
+ dev_info(&oct->pci_dev->dev, "%s interface is opened\n",
+ netdev->name);
+
++ return 0;
++
++err_rx_ctrl:
++ if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on))
++ cleanup_tx_poll_fn(netdev);
++err_poll:
++ if (lio->ptp_clock) {
++ ptp_clock_unregister(lio->ptp_clock);
++ lio->ptp_clock = NULL;
++ }
++
++ if (oct->props[lio->ifidx].napi_enabled == 1) {
++ list_for_each_entry_safe(napi, n, &netdev->napi_list, dev_list)
++ napi_disable(napi);
++
++ oct->props[lio->ifidx].napi_enabled = 0;
++
++ if (OCTEON_CN23XX_PF(oct))
++ oct->droq[0]->ops.poll_mode = 0;
++ }
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 63f083d9a459a7bca3794d4d66de0357adf4214c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 09:41:30 +0800
+Subject: net: macvlan: Use built-in RCU list checking
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+[ Upstream commit 5df1341ea822292275c56744aab9c536d75c33be ]
+
+hlist_for_each_entry_rcu() has built-in RCU and lock checking.
+
+Pass cond argument to hlist_for_each_entry_rcu() to silence false
+lockdep warning when CONFIG_PROVE_RCU_LIST is enabled.
+
+Execute as follow:
+
+ ip link add link eth0 type macvlan mode source macaddr add <MAC-ADDR>
+
+The rtnl_lock is held when macvlan_hash_lookup_source() or
+macvlan_fill_info_macaddr() are called in the non-RCU read side section.
+So, pass lockdep_rtnl_is_held() to silence false lockdep warning.
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 6b269a72388b..5d6b4f76b519 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -139,7 +139,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+ u32 idx = macvlan_eth_hash(addr);
+ struct hlist_head *h = &vlan->port->vlan_source_hash[idx];
+
+- hlist_for_each_entry_rcu(entry, h, hlist) {
++ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+ entry->vlan == vlan)
+ return entry;
+@@ -1614,7 +1614,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct hlist_head *h = &vlan->port->vlan_source_hash[i];
+ struct macvlan_source_entry *entry;
+
+- hlist_for_each_entry_rcu(entry, h, hlist) {
++ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (entry->vlan != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+--
+2.35.1
+
--- /dev/null
+From 1f5b43399805d3cecbf1cd63e79c1df81bf46b6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 14:22:25 +0000
+Subject: net: thunderbolt: Fix error handling in tbnet_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit f524b7289bbb0c8ffaa2ba3c34c146e43da54fb2 ]
+
+A problem about insmod thunderbolt-net failed is triggered with following
+log given while lsmod does not show thunderbolt_net:
+
+ insmod: ERROR: could not insert module thunderbolt-net.ko: File exists
+
+The reason is that tbnet_init() returns tb_register_service_driver()
+directly without checking its return value, if tb_register_service_driver()
+failed, it returns without removing property directory, resulting the
+property directory can never be created later.
+
+ tbnet_init()
+ tb_register_property_dir() # register property directory
+ tb_register_service_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without remove property directory
+
+Fix by remove property directory when tb_register_service_driver() returns
+error.
+
+Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/thunderbolt.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
+index 3160443ef3b9..5d96dc1b00b3 100644
+--- a/drivers/net/thunderbolt.c
++++ b/drivers/net/thunderbolt.c
+@@ -1343,12 +1343,21 @@ static int __init tbnet_init(void)
+ TBNET_MATCH_FRAGS_ID);
+
+ ret = tb_register_property_dir("network", tbnet_dir);
+- if (ret) {
+- tb_property_free_dir(tbnet_dir);
+- return ret;
+- }
++ if (ret)
++ goto err_free_dir;
++
++ ret = tb_register_service_driver(&tbnet_driver);
++ if (ret)
++ goto err_unregister;
+
+- return tb_register_service_driver(&tbnet_driver);
++ return 0;
++
++err_unregister:
++ tb_unregister_property_dir("network", tbnet_dir);
++err_free_dir:
++ tb_property_free_dir(tbnet_dir);
++
++ return ret;
+ }
+ module_init(tbnet_init);
+
+--
+2.35.1
+
--- /dev/null
+From b47e20140f9ec0ff472ce7ab466ff8bfe7502f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:05:19 +0000
+Subject: net/x25: Fix skb leak in x25_lapb_receive_frame()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 2929cceb2fcf0ded7182562e4888afafece82cce ]
+
+x25_lapb_receive_frame() using skb_copy() to get a private copy of
+skb, the new skb should be freed in the undersized/fragmented skb
+error handling path. Otherwise there is a memory leak.
+
+Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Link: https://lore.kernel.org/r/20221114110519.514538-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/x25/x25_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
+index 25bf72ee6cad..226397add422 100644
+--- a/net/x25/x25_dev.c
++++ b/net/x25/x25_dev.c
+@@ -117,7 +117,7 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
+
+ if (!pskb_may_pull(skb, 1)) {
+ x25_neigh_put(nb);
+- return 0;
++ goto drop;
+ }
+
+ switch (skb->data[0]) {
+--
+2.35.1
+
--- /dev/null
+From b646d1c814353c298a04e346fa1b180c36bc0e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 19:52:08 +0100
+Subject: parport_pc: Avoid FIFO port location truncation
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit ab126f51c93a15093df604f661c9480854c005a3 ]
+
+Match the data type of a temporary holding a reference to the FIFO port
+with the type of the original reference coming from `struct parport',
+avoiding data truncation with LP64 ports such as SPARC64 that refer to
+PCI port I/O locations via their corresponding MMIO addresses and will
+therefore have non-zero bits in the high 32-bit part of the reference.
+And in any case it is cleaner to have the data types matching here.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/linux-pci/20220419033752.GA1101844@bhelgaas/
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209231912550.29493@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/parport_pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index eda4ded4d5e5..925be41eeebe 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -468,7 +468,7 @@ static size_t parport_pc_fifo_write_block_pio(struct parport *port,
+ const unsigned char *bufp = buf;
+ size_t left = length;
+ unsigned long expire = jiffies + port->physport->cad->timeout;
+- const int fifo = FIFO(port);
++ const unsigned long fifo = FIFO(port);
+ int poll_for = 8; /* 80 usecs */
+ const struct parport_pc_private *priv = port->physport->private_data;
+ const int fifo_depth = priv->fifo_depth;
+--
+2.35.1
+
--- /dev/null
+From c93ca54a01b13f198eeffc5ce1d82a4164d9b9a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:20:56 +0800
+Subject: pinctrl: devicetree: fix null pointer dereferencing in
+ pinctrl_dt_to_map
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit 91d5c5060ee24fe8da88cd585bb43b843d2f0dce ]
+
+Here is the BUG report by KASAN about null pointer dereference:
+
+BUG: KASAN: null-ptr-deref in strcmp+0x2e/0x50
+Read of size 1 at addr 0000000000000000 by task python3/2640
+Call Trace:
+ strcmp
+ __of_find_property
+ of_find_property
+ pinctrl_dt_to_map
+
+kasprintf() would return NULL pointer when kmalloc() fail to allocate.
+So directly return ENOMEM, if kasprintf() return NULL pointer.
+
+Fixes: 57291ce295c0 ("pinctrl: core device tree mapping table parsing support")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20221110082056.2014898-1-zengheng4@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/devicetree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c
+index 3fb238714718..eac55fee5281 100644
+--- a/drivers/pinctrl/devicetree.c
++++ b/drivers/pinctrl/devicetree.c
+@@ -220,6 +220,8 @@ int pinctrl_dt_to_map(struct pinctrl *p, struct pinctrl_dev *pctldev)
+ for (state = 0; ; state++) {
+ /* Retrieve the pinctrl-* property */
+ propname = kasprintf(GFP_KERNEL, "pinctrl-%d", state);
++ if (!propname)
++ return -ENOMEM;
+ prop = of_find_property(np, propname, &size);
+ kfree(propname);
+ if (!prop) {
+--
+2.35.1
+
--- /dev/null
+From 410f5a071134aab6328af013904a1b848d7a6b7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 17:31:44 +0100
+Subject: platform/x86/intel: pmc: Don't unconditionally attach Intel PMC when
+ virtualized
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monné <roger.pau@citrix.com>
+
+[ Upstream commit 2dbfb3f33350e1e868d3d7ed4c176d8777150878 ]
+
+The current logic in the Intel PMC driver will forcefully attach it
+when detecting any CPU on the intel_pmc_core_platform_ids array,
+even if the matching ACPI device is not present.
+
+There's no checking in pmc_core_probe() to assert that the PMC device
+is present, and hence on virtualized environments the PMC device
+probes successfully, even if the underlying registers are not present.
+Before commit 21ae43570940 ("platform/x86: intel_pmc_core: Substitute PCI
+with CPUID enumeration") the driver would check for the presence of a
+specific PCI device, and that prevented the driver from attaching when
+running virtualized.
+
+Fix by only forcefully attaching the PMC device when not running
+virtualized. Note that virtualized platforms can still get the device
+to load if the appropriate ACPI device is present on the tables
+provided to the VM.
+
+Make an exception for the Xen initial domain, which does have full
+hardware access, and hence can attach to the PMC if present.
+
+Fixes: 21ae43570940 ("platform/x86: intel_pmc_core: Substitute PCI with CPUID enumeration")
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Acked-by: David E. Box <david.e.box@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20221110163145.80374-1-roger.pau@citrix.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_pmc_core_pltdrv.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/intel_pmc_core_pltdrv.c b/drivers/platform/x86/intel_pmc_core_pltdrv.c
+index 15ca8afdd973..ddfba38c2104 100644
+--- a/drivers/platform/x86/intel_pmc_core_pltdrv.c
++++ b/drivers/platform/x86/intel_pmc_core_pltdrv.c
+@@ -18,6 +18,8 @@
+ #include <asm/cpu_device_id.h>
+ #include <asm/intel-family.h>
+
++#include <xen/xen.h>
++
+ static void intel_pmc_core_release(struct device *dev)
+ {
+ kfree(dev);
+@@ -53,6 +55,13 @@ static int __init pmc_core_platform_init(void)
+ if (acpi_dev_present("INT33A1", NULL, -1))
+ return -ENODEV;
+
++ /*
++ * Skip forcefully attaching the device for VMs. Make an exception for
++ * Xen dom0, which does have full hardware access.
++ */
++ if (cpu_feature_enabled(X86_FEATURE_HYPERVISOR) && !xen_initial_domain())
++ return -ENODEV;
++
+ if (!x86_match_cpu(intel_pmc_core_platform_ids))
+ return -ENODEV;
+
+--
+2.35.1
+
--- /dev/null
+From 3bf9dd0e248819f07d4bb99bcbb2d8343628099c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 17:45:16 -0400
+Subject: sctp: clear out_curr if all frag chunks of current msg are pruned
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 2f201ae14ae0f91dbf1cffea7bb1e29e81d4d108 ]
+
+A crash was reported by Zhen Chen:
+
+ list_del corruption, ffffa035ddf01c18->next is NULL
+ WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0
+ RIP: 0010:__list_del_entry_valid+0x59/0xe0
+ Call Trace:
+ sctp_sched_dequeue_common+0x17/0x70 [sctp]
+ sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]
+ sctp_outq_flush_data+0x85/0x360 [sctp]
+ sctp_outq_uncork+0x77/0xa0 [sctp]
+ sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]
+ sctp_side_effects+0x37/0xe0 [sctp]
+ sctp_do_sm+0xd0/0x230 [sctp]
+ sctp_primitive_SEND+0x2f/0x40 [sctp]
+ sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]
+ sctp_sendmsg+0x3d5/0x440 [sctp]
+ sock_sendmsg+0x5b/0x70
+
+and in sctp_sched_fcfs_dequeue() it dequeued a chunk from stream
+out_curr outq while this outq was empty.
+
+Normally stream->out_curr must be set to NULL once all frag chunks of
+current msg are dequeued, as we can see in sctp_sched_dequeue_done().
+However, in sctp_prsctp_prune_unsent() as it is not a proper dequeue,
+sctp_sched_dequeue_done() is not called to do this.
+
+This patch is to fix it by simply setting out_curr to NULL when the
+last frag chunk of current msg is dequeued from out_curr stream in
+sctp_prsctp_prune_unsent().
+
+Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
+Reported-by: Zhen Chen <chenzhen126@huawei.com>
+Tested-by: Caowangbao <caowangbao@huawei.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/outqueue.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 35d5532320f9..83a89dcf75ed 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -403,6 +403,11 @@ static int sctp_prsctp_prune_unsent(struct sctp_association *asoc,
+ sout = SCTP_SO(&asoc->stream, chk->sinfo.sinfo_stream);
+ sout->ext->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++;
+
++ /* clear out_curr if all frag chunks are pruned */
++ if (asoc->stream.out_curr == sout &&
++ list_is_last(&chk->frag_list, &chk->msg->chunks))
++ asoc->stream.out_curr = NULL;
++
+ msg_len -= chk->skb->truesize + sizeof(struct sctp_chunk);
+ sctp_chunk_free(chk);
+ if (msg_len <= 0)
+--
+2.35.1
+
--- /dev/null
+From 8313516492cc424cee071b733e5ff608a9f43932 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 17:45:15 -0400
+Subject: sctp: remove the unnecessary sinfo_stream check in
+ sctp_prsctp_prune_unsent
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 9f0b773210c27a8f5d98ddb2fc4ba60a42a3285f ]
+
+Since commit 5bbbbe32a431 ("sctp: introduce stream scheduler foundations"),
+sctp_stream_outq_migrate() has been called in sctp_stream_init/update to
+removes those chunks to streams higher than the new max. There is no longer
+need to do such check in sctp_prsctp_prune_unsent().
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 2f201ae14ae0 ("sctp: clear out_curr if all frag chunks of current msg are pruned")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/outqueue.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 3fd06a27105d..35d5532320f9 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -384,6 +384,7 @@ static int sctp_prsctp_prune_unsent(struct sctp_association *asoc,
+ {
+ struct sctp_outq *q = &asoc->outqueue;
+ struct sctp_chunk *chk, *temp;
++ struct sctp_stream_out *sout;
+
+ q->sched->unsched_all(&asoc->stream);
+
+@@ -398,12 +399,9 @@ static int sctp_prsctp_prune_unsent(struct sctp_association *asoc,
+ sctp_sched_dequeue_common(q, chk);
+ asoc->sent_cnt_removable--;
+ asoc->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++;
+- if (chk->sinfo.sinfo_stream < asoc->stream.outcnt) {
+- struct sctp_stream_out *streamout =
+- SCTP_SO(&asoc->stream, chk->sinfo.sinfo_stream);
+
+- streamout->ext->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++;
+- }
++ sout = SCTP_SO(&asoc->stream, chk->sinfo.sinfo_stream);
++ sout->ext->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++;
+
+ msg_len -= chk->skb->truesize + sizeof(struct sctp_chunk);
+ sctp_chunk_free(chk);
+--
+2.35.1
+
--- /dev/null
+From 1921484e56eea5c40080515d5381a2c40e98b0f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 09:36:13 +0300
+Subject: serial: 8250: omap: Fix missing PM runtime calls for
+ omap8250_set_mctrl()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 93810191f5d23652c0b8a1a9b3a4a89d6fd5063e ]
+
+There are cases where omap8250_set_mctrl() may get called after the
+UART has already autoidled causing an asynchronous external abort.
+
+This can happen on ttyport_open():
+
+mem_serial_in from omap8250_set_mctrl+0x38/0xa0
+omap8250_set_mctrl from uart_update_mctrl+0x4c/0x58
+uart_update_mctrl from uart_dtr_rts+0x60/0xa8
+uart_dtr_rts from tty_port_block_til_ready+0xd0/0x2a8
+tty_port_block_til_ready from uart_open+0x14/0x1c
+uart_open from ttyport_open+0x64/0x148
+
+And on ttyport_close():
+
+omap8250_set_mctrl from uart_update_mctrl+0x3c/0x48
+uart_update_mctrl from uart_dtr_rts+0x54/0x9c
+uart_dtr_rts from tty_port_shutdown+0x78/0x9c
+tty_port_shutdown from tty_port_close+0x3c/0x74
+tty_port_close from ttyport_close+0x40/0x58
+
+It can also happen on disassociate_ctty() calling uart_shutdown()
+that ends up calling omap8250_set_mctrl().
+
+Let's fix the issue by adding missing PM runtime calls to
+omap8250_set_mctrl(). To do this, we need to add __omap8250_set_mctrl()
+that can be called from both omap8250_set_mctrl(), and from runtime PM
+resume path when restoring the registers.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Reported-by: Merlijn Wajer <merlijn@wizzup.org>
+Reported-by: Romain Naour <romain.naour@smile.fr>
+Reported-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Tested-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Depends-on: dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+Link: https://lore.kernel.org/r/20221024063613.25943-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index f3744ac805ec..7c7cfd6d48d8 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -157,7 +157,11 @@ static u32 uart_read(struct uart_8250_port *up, u32 reg)
+ return readl(up->port.membase + (reg << up->port.regshift));
+ }
+
+-static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
++/*
++ * Called on runtime PM resume path from omap8250_restore_regs(), and
++ * omap8250_set_mctrl().
++ */
++static void __omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
+ {
+ struct uart_8250_port *up = up_to_u8250p(port);
+ struct omap8250_priv *priv = up->port.private_data;
+@@ -181,6 +185,20 @@ static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
+ }
+ }
+
++static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
++{
++ int err;
++
++ err = pm_runtime_resume_and_get(port->dev);
++ if (err)
++ return;
++
++ __omap8250_set_mctrl(port, mctrl);
++
++ pm_runtime_mark_last_busy(port->dev);
++ pm_runtime_put_autosuspend(port->dev);
++}
++
+ /*
+ * Work Around for Errata i202 (2430, 3430, 3630, 4430 and 4460)
+ * The access to uart register after MDR1 Access
+@@ -341,7 +359,7 @@ static void omap8250_restore_regs(struct uart_8250_port *up)
+
+ omap8250_update_mdr1(up, priv);
+
+- up->port.ops->set_mctrl(&up->port, up->port.mctrl);
++ __omap8250_set_mctrl(&up->port, up->port.mctrl);
+
+ if (up->port.rs485.flags & SER_RS485_ENABLED)
+ serial8250_em485_stop_tx(up);
+--
+2.35.1
+
--- /dev/null
+From 4f9bb4f51046672d8bc65fc99b92c3911c80c26c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 13:58:13 +0300
+Subject: serial: 8250: omap: Fix unpaired pm_runtime_put_sync() in
+ omap8250_remove()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit e3f0c638f428fd66b5871154b62706772045f91a ]
+
+On remove, we get an error for "Runtime PM usage count underflow!". I guess
+this driver is mostly built-in, and this issue has gone unnoticed for a
+while. Somehow I did not catch this issue with my earlier fix done with
+commit 4e0f5cc65098 ("serial: 8250_omap: Fix probe and remove for PM
+runtime").
+
+Fixes: 4e0f5cc65098 ("serial: 8250_omap: Fix probe and remove for PM runtime")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Depends-on: dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+Link: https://lore.kernel.org/r/20221028105813.54290-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 655553a3c78a..57524950b8dc 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1475,6 +1475,11 @@ static int omap8250_probe(struct platform_device *pdev)
+ static int omap8250_remove(struct platform_device *pdev)
+ {
+ struct omap8250_priv *priv = platform_get_drvdata(pdev);
++ int err;
++
++ err = pm_runtime_resume_and_get(&pdev->dev);
++ if (err)
++ return err;
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
+--
+2.35.1
+
--- /dev/null
+From cda6364b9034901a2320af3e126544ee91dffc98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 14:00:44 +0300
+Subject: serial: 8250: omap: Flush PM QOS work on remove
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit d0b68629bd2fb61e0171a62f2e8da3db322f5cf6 ]
+
+Rebinding 8250_omap in a loop will at some point produce a warning for
+kernel/power/qos.c:296 cpu_latency_qos_update_request() with error
+"cpu_latency_qos_update_request called for unknown object". Let's flush
+the possibly pending PM QOS work scheduled from omap8250_runtime_suspend()
+before we disable runtime PM.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20221028110044.54719-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 57524950b8dc..3f7379f16a36 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1483,6 +1483,7 @@ static int omap8250_remove(struct platform_device *pdev)
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
++ flush_work(&priv->qos_work);
+ pm_runtime_disable(&pdev->dev);
+ serial8250_unregister_port(priv->line);
+ cpu_latency_qos_remove_request(&priv->pm_qos_request);
+--
+2.35.1
+
--- /dev/null
+From a413188fb48c1a3020cdf83a17759dea71c29c00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jun 2022 13:04:33 +0300
+Subject: serial: 8250: Remove serial_rs485 sanitization from em485
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 84f2faa7852e1f55d89bb0c99b3a672b87b11f87 ]
+
+Serial core handles serial_rs485 sanitization.
+
+When em485 init fails, there are two possible paths of entry:
+
+ 1) uart_rs485_config (init path) that fully clears port->rs485 on
+ error.
+
+ 2) ioctl path with a pre-existing, valid port->rs485 unto which the
+ kernel falls back on error and port->rs485 should therefore be
+ kept untouched. The temporary rs485 struct is not returned to
+ userspace in case of error so its flag don't matter.
+
+...Thus SER_RS485_ENABLED clearing on error can/should be dropped.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220606100433.13793-37-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 93810191f5d2 ("serial: 8250: omap: Fix missing PM runtime calls for omap8250_set_mctrl()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index f648fd1d7548..7cdfc2458d36 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -661,13 +661,6 @@ int serial8250_em485_config(struct uart_port *port, struct serial_rs485 *rs485)
+ rs485->flags &= ~SER_RS485_RTS_AFTER_SEND;
+ }
+
+- /* clamp the delays to [0, 100ms] */
+- rs485->delay_rts_before_send = min(rs485->delay_rts_before_send, 100U);
+- rs485->delay_rts_after_send = min(rs485->delay_rts_after_send, 100U);
+-
+- memset(rs485->padding, 0, sizeof(rs485->padding));
+- port->rs485 = *rs485;
+-
+ gpiod_set_value(port->rs485_term_gpio,
+ rs485->flags & SER_RS485_TERMINATE_BUS);
+
+@@ -675,15 +668,8 @@ int serial8250_em485_config(struct uart_port *port, struct serial_rs485 *rs485)
+ * Both serial8250_em485_init() and serial8250_em485_destroy()
+ * are idempotent.
+ */
+- if (rs485->flags & SER_RS485_ENABLED) {
+- int ret = serial8250_em485_init(up);
+-
+- if (ret) {
+- rs485->flags &= ~SER_RS485_ENABLED;
+- port->rs485.flags &= ~SER_RS485_ENABLED;
+- }
+- return ret;
+- }
++ if (rs485->flags & SER_RS485_ENABLED)
++ return serial8250_em485_init(up);
+
+ serial8250_em485_destroy(up);
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 5fdc825b65474515f63ac006696ae05fc83210d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 13:23:39 +0200
+Subject: serial: 8250_omap: remove wait loop from Errata i202 workaround
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit e828e56684d61b17317e0cfdef83791fa61cb76b ]
+
+We were occasionally seeing the "Errata i202: timedout" on an AM335x
+board when repeatedly opening and closing a UART connected to an active
+sender. As new input may arrive at any time, it is possible to miss the
+"RX FIFO empty" condition, forcing the loop to wait until it times out.
+
+Nothing in the i202 Advisory states that such a wait is even necessary;
+other FIFO clear functions like serial8250_clear_fifos() do not wait
+either. For this reason, it seems safe to remove the wait, fixing the
+mentioned issue.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20221013112339.2540767-1-matthias.schiffer@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 7c7cfd6d48d8..655553a3c78a 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -211,27 +211,10 @@ static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
+ static void omap_8250_mdr1_errataset(struct uart_8250_port *up,
+ struct omap8250_priv *priv)
+ {
+- u8 timeout = 255;
+-
+ serial_out(up, UART_OMAP_MDR1, priv->mdr1);
+ udelay(2);
+ serial_out(up, UART_FCR, up->fcr | UART_FCR_CLEAR_XMIT |
+ UART_FCR_CLEAR_RCVR);
+- /*
+- * Wait for FIFO to empty: when empty, RX_FIFO_E bit is 0 and
+- * TX_FIFO_E bit is 1.
+- */
+- while (UART_LSR_THRE != (serial_in(up, UART_LSR) &
+- (UART_LSR_THRE | UART_LSR_DR))) {
+- timeout--;
+- if (!timeout) {
+- /* Should *never* happen. we warn and carry on */
+- dev_crit(up->port.dev, "Errata i202: timedout %x\n",
+- serial_in(up, UART_LSR));
+- break;
+- }
+- udelay(1);
+- }
+ }
+
+ static void omap_8250_get_divisor(struct uart_port *port, unsigned int baud,
+--
+2.35.1
+
--- /dev/null
+From 5b9c99280f68c2b4409e96da119ce6ecd4d2ccb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 20:13:53 +0800
+Subject: serial: imx: Add missing .thaw_noirq hook
+
+From: Shawn Guo <shawn.guo@linaro.org>
+
+[ Upstream commit 4561d8008a467cb05ac632a215391d6b787f40aa ]
+
+The following warning is seen with non-console UART instance when
+system hibernates.
+
+[ 37.371969] ------------[ cut here ]------------
+[ 37.376599] uart3_root_clk already disabled
+[ 37.380810] WARNING: CPU: 0 PID: 296 at drivers/clk/clk.c:952 clk_core_disable+0xa4/0xb0
+...
+[ 37.506986] Call trace:
+[ 37.509432] clk_core_disable+0xa4/0xb0
+[ 37.513270] clk_disable+0x34/0x50
+[ 37.516672] imx_uart_thaw+0x38/0x5c
+[ 37.520250] platform_pm_thaw+0x30/0x6c
+[ 37.524089] dpm_run_callback.constprop.0+0x3c/0xd4
+[ 37.528972] device_resume+0x7c/0x160
+[ 37.532633] dpm_resume+0xe8/0x230
+[ 37.536036] hibernation_snapshot+0x288/0x430
+[ 37.540397] hibernate+0x10c/0x2e0
+[ 37.543798] state_store+0xc4/0xd0
+[ 37.547203] kobj_attr_store+0x1c/0x30
+[ 37.550953] sysfs_kf_write+0x48/0x60
+[ 37.554619] kernfs_fop_write_iter+0x118/0x1ac
+[ 37.559063] new_sync_write+0xe8/0x184
+[ 37.562812] vfs_write+0x230/0x290
+[ 37.566214] ksys_write+0x68/0xf4
+[ 37.569529] __arm64_sys_write+0x20/0x2c
+[ 37.573452] invoke_syscall.constprop.0+0x50/0xf0
+[ 37.578156] do_el0_svc+0x11c/0x150
+[ 37.581648] el0_svc+0x30/0x140
+[ 37.584792] el0t_64_sync_handler+0xe8/0xf0
+[ 37.588976] el0t_64_sync+0x1a0/0x1a4
+[ 37.592639] ---[ end trace 56e22eec54676d75 ]---
+
+On hibernating, pm core calls into related hooks in sequence like:
+
+ .freeze
+ .freeze_noirq
+ .thaw_noirq
+ .thaw
+
+With .thaw_noirq hook being absent, the clock will be disabled in a
+unbalanced call which results the warning above.
+
+ imx_uart_freeze()
+ clk_prepare_enable()
+ imx_uart_suspend_noirq()
+ clk_disable()
+ imx_uart_thaw
+ clk_disable_unprepare()
+
+Adding the missing .thaw_noirq hook as imx_uart_resume_noirq() will have
+the call sequence corrected as below and thus fix the warning.
+
+ imx_uart_freeze()
+ clk_prepare_enable()
+ imx_uart_suspend_noirq()
+ clk_disable()
+ imx_uart_resume_noirq()
+ clk_enable()
+ imx_uart_thaw
+ clk_disable_unprepare()
+
+Fixes: 09df0b3464e5 ("serial: imx: fix endless loop during suspend")
+Reviewed-by: Martin Kaiser <martin@kaiser.cx>
+Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
+Link: https://lore.kernel.org/r/20221012121353.2346280-1-shawn.guo@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/imx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index cf3d53165776..164597e2e004 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2626,6 +2626,7 @@ static const struct dev_pm_ops imx_uart_pm_ops = {
+ .suspend_noirq = imx_uart_suspend_noirq,
+ .resume_noirq = imx_uart_resume_noirq,
+ .freeze_noirq = imx_uart_suspend_noirq,
++ .thaw_noirq = imx_uart_resume_noirq,
+ .restore_noirq = imx_uart_resume_noirq,
+ .suspend = imx_uart_suspend,
+ .resume = imx_uart_resume,
+--
+2.35.1
+
drm-amd-pm-read-bif-strap-also-for-baco-check.patch
drm-amd-pm-disable-baco-entry-exit-completely-on-sev.patch
drm-amdgpu-disable-baco-on-special-beige_goby-card.patch
+spi-stm32-print-summary-callbacks-suppressed-message.patch
+asoc-core-fix-use-after-free-in-snd_soc_exit.patch
+asoc-tas2770-fix-set_tdm_slot-in-case-of-single-slot.patch
+asoc-tas2764-fix-set_tdm_slot-in-case-of-single-slot.patch
+serial-8250-remove-serial_rs485-sanitization-from-em.patch
+serial-8250-omap-fix-missing-pm-runtime-calls-for-om.patch
+serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch
+serial-8250-omap-fix-unpaired-pm_runtime_put_sync-in.patch
+serial-8250-omap-flush-pm-qos-work-on-remove.patch
+serial-imx-add-missing-.thaw_noirq-hook.patch
+tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
+bpf-test_run-fix-alignment-problem-in-bpf_prog_test_.patch
+asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch
+sctp-remove-the-unnecessary-sinfo_stream-check-in-sc.patch
+sctp-clear-out_curr-if-all-frag-chunks-of-current-ms.patch
+block-sed-opal-kmalloc-the-cmd-resp-buffers.patch
+arm64-fix-bit-shifting-ub-in-the-midr_cpu_model-macr.patch
+siox-fix-possible-memory-leak-in-siox_device_add.patch
+parport_pc-avoid-fifo-port-location-truncation.patch
+pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch
+drm-panel-simple-set-bpc-field-for-logic-technologie.patch
+drm-drv-fix-potential-memory-leak-in-drm_dev_init.patch
+drm-fix-potential-null-ptr-deref-in-drm_vblank_destr.patch
+arm-dts-imx7-fix-nand-controller-size-cells.patch
+arm64-dts-imx8mm-fix-nand-controller-size-cells.patch
+arm64-dts-imx8mn-fix-nand-controller-size-cells.patch
+ata-libata-transport-fix-double-ata_host_put-in-ata_.patch
+ata-libata-transport-fix-error-handling-in-ata_tport.patch
+ata-libata-transport-fix-error-handling-in-ata_tlink.patch
+ata-libata-transport-fix-error-handling-in-ata_tdev_.patch
+bpf-initialize-same-number-of-free-nodes-for-each-pc.patch
+net-bgmac-drop-free_netdev-from-bgmac_enet_remove.patch
+misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch
+net-hinic-fix-error-handling-in-hinic_module_init.patch
+net-liquidio-release-resources-when-liquidio-driver-.patch
+misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch
+net-macvlan-use-built-in-rcu-list-checking.patch
+net-caif-fix-double-disconnect-client-in-chnl_net_op.patch
+bnxt_en-remove-debugfs-when-pci_register_driver-fail.patch
+xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
+net-ionic-fix-error-handling-in-ionic_init_module.patch
+net-ena-fix-error-handling-in-ena_init.patch
+drbd-use-after-free-in-drbd_create_device.patch
+platform-x86-intel-pmc-don-t-unconditionally-attach-.patch
+cifs-add-check-for-returning-value-of-smb2_close_ini.patch
+net-ag71xx-call-phylink_disconnect_phy-if-ag71xx_hw_.patch
+net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
+cifs-fix-wrong-return-value-checking-when-getflags.patch
+net-thunderbolt-fix-error-handling-in-tbnet_init.patch
+cifs-add-check-for-returning-value-of-smb2_set_info_.patch
--- /dev/null
+From a333c6e8317dce7d170f74dedf1f9461dd2996ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 10:13:34 +0800
+Subject: siox: fix possible memory leak in siox_device_add()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6e63153db50059fb78b8a8447b132664887d24e3 ]
+
+If device_register() returns error in siox_device_add(),
+the name allocated by dev_set_name() need be freed. As
+comment of device_register() says, it should use put_device()
+to give up the reference in the error path. So fix this
+by calling put_device(), then the name can be freed in
+kobject_cleanup(), and sdevice is freed in siox_device_release(),
+set it to null in error path.
+
+Fixes: bbecb07fa0af ("siox: new driver framework for eckelmann SIOX")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20221104021334.618189-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/siox/siox-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/siox/siox-core.c b/drivers/siox/siox-core.c
+index f8c08fb9891d..e0ffef6e9386 100644
+--- a/drivers/siox/siox-core.c
++++ b/drivers/siox/siox-core.c
+@@ -835,6 +835,8 @@ static struct siox_device *siox_device_add(struct siox_master *smaster,
+
+ err_device_register:
+ /* don't care to make the buffer smaller again */
++ put_device(&sdevice->dev);
++ sdevice = NULL;
+
+ err_buf_alloc:
+ siox_master_unlock(smaster);
+--
+2.35.1
+
--- /dev/null
+From 6fe2efc4b337f4037b8d953d4c107df7261bc374 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 20:35:13 +0200
+Subject: spi: stm32: Print summary 'callbacks suppressed' message
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 195583504be28df5d608a4677dd796117aea875f ]
+
+The original fix "spi: stm32: Rate-limit the 'Communication suspended' message"
+still leads to "stm32h7_spi_irq_thread: 1696 callbacks suppressed" spew in the
+kernel log. Since this 'Communication suspended' message is a debug print, add
+RATELIMIT_MSG_ON_RELEASE flag to inhibit the "callbacks suspended" part during
+normal operation and only print summary at the end.
+
+Fixes: ea8be08cc9358 ("spi: stm32: Rate-limit the 'Communication suspended' message")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Link: https://lore.kernel.org/r/20221018183513.206706-1-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index a6dfc8fef20c..651a6510fb54 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -941,6 +941,7 @@ static irqreturn_t stm32h7_spi_irq_thread(int irq, void *dev_id)
+ static DEFINE_RATELIMIT_STATE(rs,
+ DEFAULT_RATELIMIT_INTERVAL * 10,
+ 1);
++ ratelimit_set_flags(&rs, RATELIMIT_MSG_ON_RELEASE);
+ if (__ratelimit(&rs))
+ dev_dbg_ratelimited(spi->dev, "Communication suspended\n");
+ if (!spi->cur_usedma && (spi->rx_buf && (spi->rx_len > 0)))
+--
+2.35.1
+
--- /dev/null
+From cdd452975ff56f9cd4b34af0e602b286c6f9fb6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 12:07:09 +0800
+Subject: tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 7b7dfe4833c70a11cdfa51b38705103bd31eddaa ]
+
+The function gsm_dlci_t1() is a timer handler that runs in an
+atomic context, but it calls "kzalloc(..., GFP_KERNEL)" that
+may sleep. As a result, the sleep-in-atomic-context bug will
+happen. The process is shown below:
+
+gsm_dlci_t1()
+ gsm_dlci_open()
+ gsm_modem_update()
+ gsm_modem_upd_via_msc()
+ gsm_control_send()
+ kzalloc(sizeof(.., GFP_KERNEL) //may sleep
+
+This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to
+GFP_ATOMIC in order to mitigate the bug.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://lore.kernel.org/r/20221002040709.27849-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index c91a3004931f..e85282825973 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1416,7 +1416,7 @@ static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
+ unsigned int command, u8 *data, int clen)
+ {
+ struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ unsigned long flags;
+ if (ctrl == NULL)
+ return NULL;
+--
+2.35.1
+
--- /dev/null
+From 57ca004d31277886ad54821eae4646a9f4290c37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 23:24:41 +0800
+Subject: xen/pcpu: fix possible memory leak in register_pcpu()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit da36a2a76b01b210ffaa55cdc2c99bc8783697c5 ]
+
+In device_add(), dev_set_name() is called to allocate name, if it returns
+error, the name need be freed. As comment of device_register() says, it
+should use put_device() to give up the reference in the error path. So fix
+this by calling put_device(), then the name can be freed in kobject_cleanup().
+
+Fixes: f65c9bb3fb72 ("xen/pcpu: Xen physical cpus online/offline sys interface")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20221110152441.401630-1-yangyingliang@huawei.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/pcpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/pcpu.c b/drivers/xen/pcpu.c
+index cdc6daa7a9f6..9cf7085a260b 100644
+--- a/drivers/xen/pcpu.c
++++ b/drivers/xen/pcpu.c
+@@ -228,7 +228,7 @@ static int register_pcpu(struct pcpu *pcpu)
+
+ err = device_register(dev);
+ if (err) {
+- pcpu_release(dev);
++ put_device(dev);
+ return err;
+ }
+
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
