--- /dev/null
+From 7cb48ab75aa20ac44b79cf12a0ea5e075c115e08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 22:23:54 +0800
+Subject: btrfs: qgroup: fix sleep from invalid context bug in
+ btrfs_qgroup_inherit()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ]
+
+Syzkaller reported BUG as follows:
+
+ BUG: sleeping function called from invalid context at
+ include/linux/sched/mm.h:274
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0xcd/0x134
+ __might_resched.cold+0x222/0x26b
+ kmem_cache_alloc+0x2e7/0x3c0
+ update_qgroup_limit_item+0xe1/0x390
+ btrfs_qgroup_inherit+0x147b/0x1ee0
+ create_subvol+0x4eb/0x1710
+ btrfs_mksubvol+0xfe5/0x13f0
+ __btrfs_ioctl_snap_create+0x2b0/0x430
+ btrfs_ioctl_snap_create_v2+0x25a/0x520
+ btrfs_ioctl+0x2a1c/0x5ce0
+ __x64_sys_ioctl+0x193/0x200
+ do_syscall_64+0x35/0x80
+
+Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
+btrfs_run_qgroups() later outside of the spinlock context.
+
+CC: stable@vger.kernel.org # 4.9+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index d6795c6fdd66..a13a83ec6202 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -1990,14 +1990,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans,
+ dstgroup->rsv_rfer = inherit->lim.rsv_rfer;
+ dstgroup->rsv_excl = inherit->lim.rsv_excl;
+
+- ret = update_qgroup_limit_item(trans, quota_root, dstgroup);
+- if (ret) {
+- fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+- btrfs_info(fs_info,
+- "unable to update quota limit for %llu",
+- dstgroup->qgroupid);
+- goto unlock;
+- }
++ qgroup_dirty(fs_info, dstgroup);
+ }
+
+ if (srcid) {
+--
+2.35.1
+
--- /dev/null
+From a7b5ade53a4a21487f15c7134c9cce658bc032d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:09:16 +0800
+Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ]
+
+Add the missing free_cc770dev() before return from cc770_isa_probe()
+in the register_cc770dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/cc770/cc770_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c
+index e0d15711e9ac..8df613bc3be3 100644
+--- a/drivers/net/can/cc770/cc770_isa.c
++++ b/drivers/net/can/cc770/cc770_isa.c
+@@ -272,22 +272,24 @@ static int cc770_isa_probe(struct platform_device *pdev)
+ if (err) {
+ dev_err(&pdev->dev,
+ "couldn't register device (err=%d)\n", err);
+- goto exit_unmap;
++ goto exit_free;
+ }
+
+ dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n",
+ priv->reg_base, dev->irq);
+ return 0;
+
+- exit_unmap:
++exit_free:
++ free_cc770dev(dev);
++exit_unmap:
+ if (mem[idx])
+ iounmap(base);
+- exit_release:
++exit_release:
+ if (mem[idx])
+ release_mem_region(mem[idx], iosize);
+ else
+ release_region(port[idx], iosize);
+- exit:
++exit:
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 7ab243ee001404aaf57bc8631f84224f9c3eb632 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:08:41 +0800
+Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ]
+
+Add the missing free_sja1000dev() before return from
+sja1000_isa_probe() in the register_sja1000dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c
+index e97e6d35b300..5187fdabdca9 100644
+--- a/drivers/net/can/sja1000/sja1000_isa.c
++++ b/drivers/net/can/sja1000/sja1000_isa.c
+@@ -213,22 +213,24 @@ static int sja1000_isa_probe(struct platform_device *pdev)
+ if (err) {
+ dev_err(&pdev->dev, "registering %s failed (err=%d)\n",
+ DRV_NAME, err);
+- goto exit_unmap;
++ goto exit_free;
+ }
+
+ dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n",
+ DRV_NAME, priv->reg_base, dev->irq);
+ return 0;
+
+- exit_unmap:
++exit_free:
++ free_sja1000dev(dev);
++exit_unmap:
+ if (mem[idx])
+ iounmap(base);
+- exit_release:
++exit_release:
+ if (mem[idx])
+ release_mem_region(mem[idx], iosize);
+ else
+ release_region(port[idx], iosize);
+- exit:
++exit:
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1c8978d516fa95b496b7a8b86e2f6c6a6a7548aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:23:13 -0500
+Subject: hwmon: (coretemp) Check for null before removing sysfs attrs
+
+From: Phil Auld <pauld@redhat.com>
+
+[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ]
+
+If coretemp_add_core() gets an error then pdata->core_data[indx]
+is already NULL and has been kfreed. Don't pass that to
+sysfs_remove_group() as that will crash in sysfs_remove_group().
+
+[Shortened for readability]
+[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
+<cpu offline>
+[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
+[91855.165103] #PF: supervisor read access in kernel mode
+[91855.194506] #PF: error_code(0x0000) - not-present page
+[91855.224445] PGD 0 P4D 0
+[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
+...
+[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
+...
+[91855.796571] Call Trace:
+[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]
+[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]
+[91855.871107] cpuhp_invoke_callback+0x105/0x4b0
+[91855.893432] cpuhp_thread_fun+0x8e/0x150
+...
+
+Fix this by checking for NULL first.
+
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Cc: linux-hwmon@vger.kernel.org
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Jean Delvare <jdelvare@suse.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com
+Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index be1e380fa1c3..9e81842cff7d 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -557,6 +557,10 @@ static void coretemp_remove_core(struct platform_data *pdata,
+ {
+ struct temp_data *tdata = pdata->core_data[indx];
+
++ /* if we errored on add then this is already gone */
++ if (!tdata)
++ return;
++
+ /* Remove the sysfs attributes */
+ sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group);
+
+--
+2.35.1
+
--- /dev/null
+From 5834052e21e7c9c68c961795f50b9d27117b8e46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:33:03 +0800
+Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put(). So call it after using to avoid refcount leak.
+
+Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 9e81842cff7d..7e796d68e23a 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -256,10 +256,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev)
+ */
+ if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) {
+ for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) {
+- if (host_bridge->device == tjmax_pci_table[i].device)
++ if (host_bridge->device == tjmax_pci_table[i].device) {
++ pci_dev_put(host_bridge);
+ return tjmax_pci_table[i].tjmax;
++ }
+ }
+ }
++ pci_dev_put(host_bridge);
+
+ for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) {
+ if (strstr(c->x86_model_id, tjmax_table[i].id))
+--
+2.35.1
+
--- /dev/null
+From 8ffe5de157600ae0870a3083cffbf7ec1d1d7384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 20:56:06 +0800
+Subject: hwmon: (i5500_temp) fix missing pci_disable_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ]
+
+pci_disable_device() need be called while module exiting, switch to use
+pcim_enable(), pci_disable_device() will be called in pcim_release().
+
+Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/i5500_temp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c
+index 3e3ccbf18b4e..0064249fcc37 100644
+--- a/drivers/hwmon/i5500_temp.c
++++ b/drivers/hwmon/i5500_temp.c
+@@ -117,7 +117,7 @@ static int i5500_temp_probe(struct pci_dev *pdev,
+ u32 tstimer;
+ s8 tsfsc;
+
+- err = pci_enable_device(pdev);
++ err = pcim_enable_device(pdev);
+ if (err) {
+ dev_err(&pdev->dev, "Failed to enable device\n");
+ return err;
+--
+2.35.1
+
--- /dev/null
+From 197cddd3498ddc3d50e1002aa1e829e7d251c54c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:44:23 +0800
+Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ]
+
+Smatch report warning as follows:
+
+drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
+ '&data->list' not removed from list
+
+If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
+be freed, but data->list will not be removed from driver_data.bmc_data,
+then list traversal may cause UAF.
+
+Fix by removeing it from driver_data.bmc_data before free().
+
+Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ibmpex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
+index 21b9c72f16bd..26a898781371 100644
+--- a/drivers/hwmon/ibmpex.c
++++ b/drivers/hwmon/ibmpex.c
+@@ -517,6 +517,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev)
+ return;
+
+ out_register:
++ list_del(&data->list);
+ hwmon_device_unregister(data->hwmon_dev);
+ out_user:
+ ipmi_destroy_user(data->user);
+--
+2.35.1
+
--- /dev/null
+From c69740cf4b9e6b5fdb778c174044855a95698c40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:19:46 +0000
+Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
+Read of size 4 at addr ffffffffc02ac638 by task cat/279
+
+Call Trace:
+ afe4403_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4403_channel_leds+0x18/0xffffffffffffe9e0
+
+This issue can be reproduced by singe command:
+
+ $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw
+
+The array size of afe4403_channel_leds is less than channels, so access
+with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
+access before use it.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4403.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c
+index 2f07c4d1398c..4756e9645f7d 100644
+--- a/drivers/iio/health/afe4403.c
++++ b/drivers/iio/health/afe4403.c
+@@ -253,14 +253,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+ int *val, int *val2, long mask)
+ {
+ struct afe4403_data *afe = iio_priv(indio_dev);
+- unsigned int reg = afe4403_channel_values[chan->address];
+- unsigned int field = afe4403_channel_leds[chan->address];
++ unsigned int reg, field;
+ int ret;
+
+ switch (chan->type) {
+ case IIO_INTENSITY:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ reg = afe4403_channel_values[chan->address];
+ ret = afe4403_read(afe, reg, val);
+ if (ret)
+ return ret;
+@@ -270,6 +270,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+ case IIO_CURRENT:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ field = afe4403_channel_leds[chan->address];
+ ret = regmap_field_read(afe->fields[field], val);
+ if (ret)
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 33a439ab27abdc5810bb40981d2874fd8daaaf33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:20:10 +0000
+Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
+Read of size 4 at addr ffffffffc00e4658 by task cat/278
+
+Call Trace:
+ afe4404_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4404_channel_leds+0x18/0xffffffffffffe9c0
+
+This issue can be reproduce by singe command:
+
+ $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw
+
+The array size of afe4404_channel_leds and afe4404_channel_offdacs
+are less than channels, so access with chan->address cause OOB read
+in afe4404_[read|write]_raw. Fix it by moving access before use them.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4404.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c
+index 5e256b11ac87..29a906411bd8 100644
+--- a/drivers/iio/health/afe4404.c
++++ b/drivers/iio/health/afe4404.c
+@@ -258,20 +258,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+ int *val, int *val2, long mask)
+ {
+ struct afe4404_data *afe = iio_priv(indio_dev);
+- unsigned int value_reg = afe4404_channel_values[chan->address];
+- unsigned int led_field = afe4404_channel_leds[chan->address];
+- unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++ unsigned int value_reg, led_field, offdac_field;
+ int ret;
+
+ switch (chan->type) {
+ case IIO_INTENSITY:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ value_reg = afe4404_channel_values[chan->address];
+ ret = regmap_read(afe->regmap, value_reg, val);
+ if (ret)
+ return ret;
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_OFFSET:
++ offdac_field = afe4404_channel_offdacs[chan->address];
+ ret = regmap_field_read(afe->fields[offdac_field], val);
+ if (ret)
+ return ret;
+@@ -281,6 +281,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+ case IIO_CURRENT:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ led_field = afe4404_channel_leds[chan->address];
+ ret = regmap_field_read(afe->fields[led_field], val);
+ if (ret)
+ return ret;
+@@ -303,19 +304,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev,
+ int val, int val2, long mask)
+ {
+ struct afe4404_data *afe = iio_priv(indio_dev);
+- unsigned int led_field = afe4404_channel_leds[chan->address];
+- unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++ unsigned int led_field, offdac_field;
+
+ switch (chan->type) {
+ case IIO_INTENSITY:
+ switch (mask) {
+ case IIO_CHAN_INFO_OFFSET:
++ offdac_field = afe4404_channel_offdacs[chan->address];
+ return regmap_field_write(afe->fields[offdac_field], val);
+ }
+ break;
+ case IIO_CURRENT:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ led_field = afe4404_channel_leds[chan->address];
+ return regmap_field_write(afe->fields[led_field], val);
+ }
+ break;
+--
+2.35.1
+
--- /dev/null
+From b4b1b7444d493c7ed3babdba7c6e0e6ba253506a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:10:05 +0800
+Subject: net/9p: Fix a potential socket leak in p9_socket_open
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ]
+
+Both p9_fd_create_tcp() and p9_fd_create_unix() will call
+p9_socket_open(). If the creation of p9_trans_fd fails,
+p9_fd_create_tcp() and p9_fd_create_unix() will return an
+error directly instead of releasing the cscoket, which will
+result in a socket leak.
+
+This patch adds sock_release() to fix the leak issue.
+
+Fixes: 6b18662e239a ("9p connect fixes")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+ACKed-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index e70e843ee48f..7e484f5b140c 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -851,8 +851,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
+ struct file *file;
+
+ p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL);
+- if (!p)
++ if (!p) {
++ sock_release(csocket);
+ return -ENOMEM;
++ }
+
+ csocket->sk->sk_allocation = GFP_NOIO;
+ file = sock_alloc_file(csocket, 0, NULL);
+--
+2.35.1
+
--- /dev/null
+From d1356b8e193ccb2a13a7f87ccbb99a9a115c8042 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 15:56:04 +0900
+Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system
+ resumed
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ]
+
+After system resumed on some environment board, the promiscuous mode
+is disabled because the SoC turned off. So, call ravb_set_rx_mode() in
+the ravb_resume() to fix the issue.
+
+Reported-by: Tho Vu <tho.vu.wh@renesas.com>
+Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 5452fe4bf12a..2bebf39fe047 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2183,6 +2183,7 @@ static int __maybe_unused ravb_resume(struct device *dev)
+ ret = ravb_open(ndev);
+ if (ret < 0)
+ return ret;
++ ravb_set_rx_mode(ndev);
+ netif_device_attach(ndev);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fa76d5085acf6ecf17d72c2c0835ae8f1946ab72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 15:57:24 +0800
+Subject: net: hsr: Fix potential use-after-free
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ]
+
+The skb is delivered to netif_rx() which may free it, after calling this,
+dereferencing skb may trigger use-after-free.
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index 04b5450c5a55..adfb49760678 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -207,17 +207,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
+ struct hsr_node *node_src)
+ {
+ bool was_multicast_frame;
+- int res;
++ int res, recv_len;
+
+ was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST);
+ hsr_addr_subst_source(node_src, skb);
+ skb_pull(skb, ETH_HLEN);
++ recv_len = skb->len;
+ res = netif_rx(skb);
+ if (res == NET_RX_DROP) {
+ dev->stats.rx_dropped++;
+ } else {
+ dev->stats.rx_packets++;
+- dev->stats.rx_bytes += skb->len;
++ dev->stats.rx_bytes += recv_len;
+ if (was_multicast_frame)
+ dev->stats.multicast++;
+ }
+--
+2.35.1
+
--- /dev/null
+From 8df2cfbc5b98fe1c94384e6d7b3a6ba830e08469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:22:04 +0800
+Subject: net/mlx5: Fix uninitialized variable bug in outlen_write()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ]
+
+If sscanf() return 0, outlen is uninitialized and used in kzalloc(),
+this is unexpected. We should return -EINVAL if the string is invalid.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index b6113620cb1a..043eec677b2c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1293,8 +1293,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf,
+ return -EFAULT;
+
+ err = sscanf(outlen_str, "%d", &outlen);
+- if (err < 0)
+- return err;
++ if (err != 1)
++ return -EINVAL;
+
+ ptr = kzalloc(outlen, GFP_KERNEL);
+ if (!ptr)
+--
+2.35.1
+
--- /dev/null
+From bec4a2971ae3fca54181dd76d96f4bee4ed37fa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 07:09:17 +0000
+Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ]
+
+The ntb_netdev_init_module() returns the ntb_transport_register_client()
+directly without checking its return value, if
+ntb_transport_register_client() failed, the NTB client device is not
+unregistered.
+
+Fix by unregister NTB client device when ntb_transport_register_client()
+failed.
+
+Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index 03009f1becdd..bd6c19ceab30 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -500,7 +500,14 @@ static int __init ntb_netdev_init_module(void)
+ rc = ntb_transport_register_client_dev(KBUILD_MODNAME);
+ if (rc)
+ return rc;
+- return ntb_transport_register_client(&ntb_netdev_client);
++
++ rc = ntb_transport_register_client(&ntb_netdev_client);
++ if (rc) {
++ ntb_transport_unregister_client_dev(KBUILD_MODNAME);
++ return rc;
++ }
++
++ return 0;
+ }
+ module_init(ntb_netdev_init_module);
+
+--
+2.35.1
+
--- /dev/null
+From ec3830664d262e531ca5825a4ae08acc11e29b38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 21:28:08 +0800
+Subject: net: phy: fix null-ptr-deref while probe() failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ]
+
+I got a null-ptr-deref report as following when doing fault injection test:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000058
+Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:klist_put+0x2d/0xd0
+Call Trace:
+ <TASK>
+ klist_remove+0xf1/0x1c0
+ device_release_driver_internal+0x23e/0x2d0
+ bus_remove_device+0x1bd/0x240
+ device_del+0x357/0x770
+ phy_device_remove+0x11/0x30
+ mdiobus_unregister+0xa5/0x140
+ release_nodes+0x6a/0xa0
+ devres_release_all+0xf8/0x150
+ device_unbind_cleanup+0x19/0xd0
+
+//probe path:
+phy_device_register()
+ device_add()
+
+phy_connect
+ phy_attach_direct() //set device driver
+ probe() //it's failed, driver is not bound
+ device_bind_driver() // probe failed, it's not called
+
+//remove path:
+phy_device_remove()
+ device_del()
+ device_release_driver_internal()
+ __device_release_driver() //dev->drv is not NULL
+ klist_remove() <- knode_driver is not added yet, cause null-ptr-deref
+
+In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
+device_bind_driver() is not called, so the knode_driver->n_klist is not
+set, then it causes null-ptr-deref in __device_release_driver() while
+deleting device. Fix this by setting dev->driver to NULL in the error
+path in phy_attach_direct().
+
+Fixes: e13934563db0 ("[PATCH] PHY Layer fixup")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index a3ba95e96695..90dbf1b2a33a 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -948,6 +948,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev,
+
+ error_module_put:
+ module_put(d->driver->owner);
++ d->driver = NULL;
+ error_put_device:
+ put_device(d);
+ if (ndev_owner != bus->owner)
+--
+2.35.1
+
--- /dev/null
+From fa3410760fa547ce59e203b40ad6a64d5cb065d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 11:18:12 -0500
+Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ]
+
+CHECKSUM_COMPLETE signals that skb->csum stores the sum over the
+entire packet. It does not imply that an embedded l4 checksum
+field has been validated.
+
+Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2ae2801dd7be..c43a4f9404fe 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2207,8 +2207,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ if (skb->ip_summed == CHECKSUM_PARTIAL)
+ status |= TP_STATUS_CSUMNOTREADY;
+ else if (skb->pkt_type != PACKET_OUTGOING &&
+- (skb->ip_summed == CHECKSUM_COMPLETE ||
+- skb_csum_unnecessary(skb)))
++ skb_csum_unnecessary(skb))
+ status |= TP_STATUS_CSUM_VALID;
+
+ if (snaplen > res)
+@@ -3468,8 +3467,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ if (skb->ip_summed == CHECKSUM_PARTIAL)
+ aux.tp_status |= TP_STATUS_CSUMNOTREADY;
+ else if (skb->pkt_type != PACKET_OUTGOING &&
+- (skb->ip_summed == CHECKSUM_COMPLETE ||
+- skb_csum_unnecessary(skb)))
++ skb_csum_unnecessary(skb))
+ aux.tp_status |= TP_STATUS_CSUM_VALID;
+
+ aux.tp_len = origlen;
+--
+2.35.1
+
--- /dev/null
+From 3af4eb263ae862382b7e2e5224d9d49d0bb07174 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 18:06:42 +0800
+Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ]
+
+The watchdog timer is used to monitor whether the process
+of transmitting data is timeout. If we use qlcnic driver,
+the dev_watchdog() that is the timer handler of watchdog
+timer will call qlcnic_tx_timeout() to process the timeout.
+But the qlcnic_tx_timeout() calls msleep(), as a result,
+the sleep-in-atomic-context bugs will happen. The processes
+are shown below:
+
+ (atomic context)
+dev_watchdog
+ qlcnic_tx_timeout
+ qlcnic_83xx_idc_request_reset
+ qlcnic_83xx_lock_driver
+ msleep
+
+---------------------------
+
+ (atomic context)
+dev_watchdog
+ qlcnic_tx_timeout
+ qlcnic_83xx_idc_request_reset
+ qlcnic_83xx_lock_driver
+ qlcnic_83xx_recover_driver_lock
+ msleep
+
+Fix by changing msleep() to mdelay(), the mdelay() is
+busy-waiting and the bugs could be mitigated.
+
+Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+index 59b77bb89147..1134060b6962 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -2992,7 +2992,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter)
+ QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val);
+ dev_info(&adapter->pdev->dev,
+ "%s: lock recovery initiated\n", __func__);
+- msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
++ mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
+ val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK);
+ id = ((val >> 2) & 0xF);
+ if (id == adapter->portnum) {
+@@ -3028,7 +3028,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter)
+ if (status)
+ break;
+
+- msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY);
++ mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY);
+ i++;
+
+ if (i == 1)
+--
+2.35.1
+
tcp-configurable-source-port-perturb-table-size.patch
net-usb-qmi_wwan-add-telit-0x103a-composition.patch
drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch
+iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
+iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
+hwmon-i5500_temp-fix-missing-pci_disable_device.patch
+hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch
+net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch
+can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
+can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
+qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch
+net-phy-fix-null-ptr-deref-while-probe-failed.patch
+net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch
+net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch
+net-hsr-fix-potential-use-after-free.patch
+packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch
+net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
+hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
+hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
+btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
