--- /dev/null
+From 8fa7eefcf4ba97402dff41db1933b4382448ecf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 08:42:00 +0200
+Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 96b709be183c56293933ef45b8b75f8af268c6de ]
+
+The Lenovo Ideapad Z470 predates Windows 8, so it defaults to using
+acpi_video for backlight control. But this is not functional on this
+model.
+
+Add a DMI quirk to use the native backlight interface which works.
+
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1208724
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index b4f16073ef432..866bc20c82397 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -294,6 +294,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "Lenovo IdeaPad S405"),
+ },
+ },
++ {
++ /* https://bugzilla.suse.com/show_bug.cgi?id=1208724 */
++ .callback = video_detect_force_native,
++ /* Lenovo Ideapad Z470 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Z470"),
++ },
++ },
+ {
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1187004 */
+ .callback = video_detect_force_native,
+--
+2.40.1
+
--- /dev/null
+From aa2fc1a58b1259111070ef55190155f1c2cc82cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jun 2023 22:26:06 +0000
+Subject: ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
+
+From: Abhishek Mainkar <abmainkar@nvidia.com>
+
+[ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ]
+
+ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5
+
+According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode.
+
+When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed.
+
+=============================================================
+UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]'
+CPU: 37 PID: 1678 Comm: cat Not tainted
+6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k
+HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace:
+ dump_backtrace+0xe0/0x130
+ show_stack+0x20/0x60
+ dump_stack_lvl+0x68/0x84
+ dump_stack+0x18/0x34
+ ubsan_epilogue+0x10/0x50
+ __ubsan_handle_out_of_bounds+0x80/0x90
+ acpi_ds_exec_end_op+0x1bc/0x6d8
+ acpi_ps_parse_loop+0x57c/0x618
+ acpi_ps_parse_aml+0x1e0/0x4b4
+ acpi_ps_execute_method+0x24c/0x2b8
+ acpi_ns_evaluate+0x3a8/0x4bc
+ acpi_evaluate_object+0x15c/0x37c
+ acpi_evaluate_integer+0x54/0x15c
+ show_power+0x8c/0x12c [acpi_power_meter]
+
+Link: https://github.com/acpica/acpica/commit/90310989
+Signed-off-by: Abhishek Mainkar <abmainkar@nvidia.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/psopcode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c
+index 8d7dc98bad17b..ca01e02af9cba 100644
+--- a/drivers/acpi/acpica/psopcode.c
++++ b/drivers/acpi/acpica/psopcode.c
+@@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = {
+
+ /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY,
+ AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R,
+- AML_FLAGS_EXEC_0A_0T_1R),
++ AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE),
+
+ /* ACPI 5.0 opcodes */
+
+--
+2.40.1
+
--- /dev/null
+From ea618a2ebc0d5bdf558809d44a883137451420e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Aug 2023 09:32:18 +0800
+Subject: alx: fix OOB-read compiler warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: GONG, Ruiqi <gongruiqi1@huawei.com>
+
+[ Upstream commit 3a198c95c95da10ad844cbeade2fe40bdf14c411 ]
+
+The following message shows up when compiling with W=1:
+
+In function ‘fortify_memcpy_chk’,
+ inlined from ‘alx_get_ethtool_stats’ at drivers/net/ethernet/atheros/alx/ethtool.c:297:2:
+./include/linux/fortify-string.h:592:4: error: call to ‘__read_overflow2_field’
+declared with attribute warning: detected read beyond size of field (2nd parameter);
+maybe use struct_group()? [-Werror=attribute-warning]
+ 592 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to get alx stats altogether, alx_get_ethtool_stats() reads
+beyond hw->stats.rx_ok. Fix this warning by directly copying hw->stats,
+and refactor the unnecessarily complicated BUILD_BUG_ON btw.
+
+Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230821013218.1614265-1-gongruiqi@huaweicloud.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/alx/ethtool.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/alx/ethtool.c b/drivers/net/ethernet/atheros/alx/ethtool.c
+index 2f4eabf652e80..51e5aa2c74b34 100644
+--- a/drivers/net/ethernet/atheros/alx/ethtool.c
++++ b/drivers/net/ethernet/atheros/alx/ethtool.c
+@@ -281,9 +281,8 @@ static void alx_get_ethtool_stats(struct net_device *netdev,
+ spin_lock(&alx->stats_lock);
+
+ alx_update_hw_stats(hw);
+- BUILD_BUG_ON(sizeof(hw->stats) - offsetof(struct alx_hw_stats, rx_ok) <
+- ALX_NUM_STATS * sizeof(u64));
+- memcpy(data, &hw->stats.rx_ok, ALX_NUM_STATS * sizeof(u64));
++ BUILD_BUG_ON(sizeof(hw->stats) != ALX_NUM_STATS * sizeof(u64));
++ memcpy(data, &hw->stats, sizeof(hw->stats));
+
+ spin_unlock(&alx->stats_lock);
+ }
+--
+2.40.1
+
--- /dev/null
+From 0c22781ae30cff7781c9f4d57644b710b4798dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 13:33:12 +0800
+Subject: autofs: fix memory leak of waitqueues in autofs_catatonic_mode
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ]
+
+Syzkaller reports a memory leak:
+
+BUG: memory leak
+unreferenced object 0xffff88810b279e00 (size 96):
+ comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'.....
+ 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'.............
+ backtrace:
+ [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
+ [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline]
+ [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378
+ [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593
+ [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619
+ [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897
+ [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910
+ [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline]
+ [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline]
+ [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline]
+ [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856
+ [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+autofs_wait_queue structs should be freed if their wait_ctr becomes zero.
+Otherwise they will be lost.
+
+In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new
+waitqueue struct is allocated in autofs_wait(), its initial wait_ctr
+equals 2. After that wait_event_killable() is interrupted (it returns
+-ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not
+satisfied. Actually, this condition can be satisfied when
+autofs_wait_release() or autofs_catatonic_mode() is called and, what is
+also important, wait_ctr is decremented in those places. Upon the exit of
+autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process
+begins: kill_sb calls autofs_catatonic_mode(), which should have freed the
+waitqueues, but it only decrements its usage counter to zero which is not
+a correct behaviour.
+
+edit:imk
+This description is of course not correct. The umount performed as a result
+of an expire is a umount of a mount that has been automounted, it's not the
+autofs mount itself. They happen independently, usually after everything
+mounted within the autofs file system has been expired away. If everything
+hasn't been expired away the automount daemon can still exit leaving mounts
+in place. But expires done in both cases will result in a notification that
+calls autofs_wait_release() with a result status. The problem case is the
+summary execution of of the automount daemon. In this case any waiting
+processes won't be woken up until either they are terminated or the mount
+is umounted.
+end edit: imk
+
+So in catatonic mode we should free waitqueues which counter becomes zero.
+
+edit: imk
+Initially I was concerned that the calling of autofs_wait_release() and
+autofs_catatonic_mode() was not mutually exclusive but that can't be the
+case (obviously) because the queue entry (or entries) is removed from the
+list when either of these two functions are called. Consequently the wait
+entry will be freed by only one of these functions or by the woken process
+in autofs_wait() depending on the order of the calls.
+end edit: imk
+
+Reported-by: syzbot+5e53f70e69ff0c0a1c0c@syzkaller.appspotmail.com
+Suggested-by: Takeshi Misawa <jeliantsurux@gmail.com>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Ian Kent <raven@themaw.net>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Andrei Vagin <avagin@gmail.com>
+Cc: autofs@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Message-Id: <169112719161.7590.6700123246297365841.stgit@donald.themaw.net>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs/waitq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c
+index f6385c6ef0a56..44ba0cd4ebc4f 100644
+--- a/fs/autofs/waitq.c
++++ b/fs/autofs/waitq.c
+@@ -35,8 +35,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi)
+ wq->status = -ENOENT; /* Magic is gone - report failure */
+ kfree(wq->name.name);
+ wq->name.name = NULL;
+- wq->wait_ctr--;
+ wake_up_interruptible(&wq->queue);
++ if (!--wq->wait_ctr)
++ kfree(wq);
+ wq = nwq;
+ }
+ fput(sbi->pipe); /* Close the pipe */
+--
+2.40.1
+
--- /dev/null
+From aaba3962a6821d7db9feb686a8078539121ddaa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Aug 2023 19:02:28 +0800
+Subject: btrfs: output extra debug info if we failed to find an inline backref
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 7f72f50547b7af4ddf985b07fc56600a4deba281 ]
+
+[BUG]
+Syzbot reported several warning triggered inside
+lookup_inline_extent_backref().
+
+[CAUSE]
+As usual, the reproducer doesn't reliably trigger locally here, but at
+least we know the WARN_ON() is triggered when an inline backref can not
+be found, and it can only be triggered when @insert is true. (I.e.
+inserting a new inline backref, which means the backref should already
+exist)
+
+[ENHANCEMENT]
+After the WARN_ON(), dump all the parameters and the extent tree
+leaf to help debug.
+
+Link: https://syzkaller.appspot.com/bug?extid=d6f9ff86c1d804ba2bc6
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index d71f800e8bf60..bb05b0a82c8ba 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1549,6 +1549,11 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ err = -ENOENT;
+ goto out;
+ } else if (WARN_ON(ret)) {
++ btrfs_print_leaf(path->nodes[0]);
++ btrfs_err(fs_info,
++"extent item not found for insert, bytenr %llu num_bytes %llu parent %llu root_objectid %llu owner %llu offset %llu",
++ bytenr, num_bytes, parent, root_objectid, owner,
++ offset);
+ err = -EIO;
+ goto out;
+ }
+--
+2.40.1
+
--- /dev/null
+From 33fe6cdd32c82695ba3a2578f3dbbcc018939a3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 09:32:18 +0000
+Subject: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
+
+From: Mark O'Donovan <shiftee@posteo.net>
+
+[ Upstream commit 9e47a758b70167c9301d2b44d2569f86c7796f2d ]
+
+During NVMeTCP Authentication a controller can trigger a kernel
+oops by specifying the 8192 bit Diffie Hellman group and passing
+a correctly sized, but zeroed Diffie Hellamn value.
+mpi_cmp_ui() was detecting this if the second parameter was 0,
+but 1 is passed from dh_is_pubkey_valid(). This causes the null
+pointer u->d to be dereferenced towards the end of mpi_cmp_ui()
+
+Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/mpi/mpi-cmp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c
+index d25e9e96c310f..ceaebe181cd70 100644
+--- a/lib/mpi/mpi-cmp.c
++++ b/lib/mpi/mpi-cmp.c
+@@ -25,8 +25,12 @@ int mpi_cmp_ui(MPI u, unsigned long v)
+ mpi_limb_t limb = v;
+
+ mpi_normalize(u);
+- if (!u->nlimbs && !limb)
+- return 0;
++ if (u->nlimbs == 0) {
++ if (v == 0)
++ return 0;
++ else
++ return -1;
++ }
+ if (u->sign)
+ return -1;
+ if (u->nlimbs > 1)
+--
+2.40.1
+
--- /dev/null
+From 982269200ab4860e888c0990f110b56997417f07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jun 2023 10:19:06 +0800
+Subject: drm/exynos: fix a possible null-pointer dereference due to data race
+ in exynos_drm_crtc_atomic_disable()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ]
+
+The variable crtc->state->event is often protected by the lock
+crtc->dev->event_lock when is accessed. However, it is accessed as a
+condition of an if statement in exynos_drm_crtc_atomic_disable() without
+holding the lock:
+
+ if (crtc->state->event && !crtc->state->active)
+
+However, if crtc->state->event is changed to NULL by another thread right
+after the conditions of the if statement is checked to be true, a
+null-pointer dereference can occur in drm_crtc_send_vblank_event():
+
+ e->pipe = pipe;
+
+To fix this possible null-pointer dereference caused by data race, the
+spin lock coverage is extended to protect the if statement as well as the
+function call to drm_crtc_send_vblank_event().
+
+Reported-by: BassCheck <bass@buaa.edu.cn>
+Link: https://sites.google.com/view/basscheck/home
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Added relevant link.
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+index 2696289ecc78f..b3e23ace5869c 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+@@ -43,13 +43,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc,
+ if (exynos_crtc->ops->disable)
+ exynos_crtc->ops->disable(exynos_crtc);
+
++ spin_lock_irq(&crtc->dev->event_lock);
+ if (crtc->state->event && !crtc->state->active) {
+- spin_lock_irq(&crtc->dev->event_lock);
+ drm_crtc_send_vblank_event(crtc, crtc->state->event);
+- spin_unlock_irq(&crtc->dev->event_lock);
+-
+ crtc->state->event = NULL;
+ }
++ spin_unlock_irq(&crtc->dev->event_lock);
+ }
+
+ static int exynos_crtc_atomic_check(struct drm_crtc *crtc,
+--
+2.40.1
+
--- /dev/null
+From c19315a7ec4a4512405324487633c87f5beb1e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Aug 2023 12:03:40 +0200
+Subject: ext2: fix datatype of block number in ext2_xattr_set2()
+
+From: Georg Ottinger <g.ottinger@gmx.at>
+
+[ Upstream commit e88076348425b7d0491c8c98d8732a7df8de7aa3 ]
+
+I run a small server that uses external hard drives for backups. The
+backup software I use uses ext2 filesystems with 4KiB block size and
+the server is running SELinux and therefore relies on xattr. I recently
+upgraded the hard drives from 4TB to 12TB models. I noticed that after
+transferring some TBs I got a filesystem error "Freeing blocks not in
+datazone - block = 18446744071529317386, count = 1" and the backup
+process stopped. Trying to fix the fs with e2fsck resulted in a
+completely corrupted fs. The error probably came from ext2_free_blocks(),
+and because of the large number 18e19 this problem immediately looked
+like some kind of integer overflow. Whereas the 4TB fs was about 1e9
+blocks, the new 12TB is about 3e9 blocks. So, searching the ext2 code,
+I came across the line in fs/ext2/xattr.c:745 where ext2_new_block()
+is called and the resulting block number is stored in the variable block
+as an int datatype. If a block with a block number greater than
+INT32_MAX is returned, this variable overflows and the call to
+sb_getblk() at line fs/ext2/xattr.c:750 fails, then the call to
+ext2_free_blocks() produces the error.
+
+Signed-off-by: Georg Ottinger <g.ottinger@gmx.at>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230815100340.22121-1-g.ottinger@gmx.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext2/xattr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
+index bd1d68ff3a9f8..437175bce22e8 100644
+--- a/fs/ext2/xattr.c
++++ b/fs/ext2/xattr.c
+@@ -664,10 +664,10 @@ ext2_xattr_set2(struct inode *inode, struct buffer_head *old_bh,
+ /* We need to allocate a new block */
+ ext2_fsblk_t goal = ext2_group_first_block_no(sb,
+ EXT2_I(inode)->i_block_group);
+- int block = ext2_new_block(inode, goal, &error);
++ ext2_fsblk_t block = ext2_new_block(inode, goal, &error);
+ if (error)
+ goto cleanup;
+- ea_idebug(inode, "creating block %d", block);
++ ea_idebug(inode, "creating block %lu", block);
+
+ new_bh = sb_getblk(sb, block);
+ if (unlikely(!new_bh)) {
+--
+2.40.1
+
--- /dev/null
+From a1e23bf43e72a54852c81b23b85ce41ed04ac1a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Jul 2023 17:05:42 +0300
+Subject: fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+[ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ]
+
+Syzkaller reported the following issue:
+==================================================================
+BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
+BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
+Free of addr ffff888086408000 by task syz-executor.4/12750
+[...]
+Call Trace:
+ <TASK>
+[...]
+ kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
+ ____kasan_slab_free+0xfb/0x120
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1781 [inline]
+ slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
+ slab_free mm/slub.c:3787 [inline]
+ __kmem_cache_free+0x71/0x110 mm/slub.c:3800
+ dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
+ jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
+ jfs_put_super+0x86/0x190 fs/jfs/super.c:194
+ generic_shutdown_super+0x130/0x310 fs/super.c:492
+ kill_block_super+0x79/0xd0 fs/super.c:1386
+ deactivate_locked_super+0xa7/0xf0 fs/super.c:332
+ cleanup_mnt+0x494/0x520 fs/namespace.c:1291
+ task_work_run+0x243/0x300 kernel/task_work.c:179
+ resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
+ exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
+ do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[...]
+ </TASK>
+
+Allocated by task 13352:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
+ ____kasan_kmalloc mm/kasan/common.c:371 [inline]
+ __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
+ kmalloc include/linux/slab.h:580 [inline]
+ dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
+ jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
+ jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
+ mount_bdev+0x26c/0x3a0 fs/super.c:1359
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:610
+ vfs_get_tree+0x88/0x270 fs/super.c:1489
+ do_new_mount+0x289/0xad0 fs/namespace.c:3145
+ do_mount fs/namespace.c:3488 [inline]
+ __do_sys_mount fs/namespace.c:3697 [inline]
+ __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 13352:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
+ kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
+ ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1781 [inline]
+ slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
+ slab_free mm/slub.c:3787 [inline]
+ __kmem_cache_free+0x71/0x110 mm/slub.c:3800
+ dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
+ jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
+ jfs_remount+0x3db/0x710 fs/jfs/super.c:454
+ reconfigure_super+0x3bc/0x7b0 fs/super.c:935
+ vfs_fsconfig_locked fs/fsopen.c:254 [inline]
+ __do_sys_fsconfig fs/fsopen.c:439 [inline]
+ __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[...]
+
+JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
+dbUnmount().
+
+Syzkaller uses faultinject to reproduce this KASAN double-free
+warning. The issue is triggered if either diMount() or dbMount() fail
+in jfs_remount(), since diUnmount() or dbUnmount() already happened in
+such a case - they will do double-free on next execution: jfs_umount
+or jfs_remount.
+
+Tested on both upstream and jfs-next by syzkaller.
+
+Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/
+Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 63ad6b1d575a5..b20fffc8b4c13 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -282,6 +282,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror)
+
+ /* free the memory for the in-memory bmap. */
+ kfree(bmp);
++ JFS_SBI(ipbmap->i_sb)->bmap = NULL;
+
+ return (0);
+ }
+--
+2.40.1
+
--- /dev/null
+From ee4b9b992183fdbd27b0a83713fe17d36318fd02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 12:19:23 -0700
+Subject: hw_breakpoint: fix single-stepping when using bpf_overflow_handler
+
+From: Tomislav Novak <tnovak@meta.com>
+
+[ Upstream commit d11a69873d9a7435fe6a48531e165ab80a8b1221 ]
+
+Arm platforms use is_default_overflow_handler() to determine if the
+hw_breakpoint code should single-step over the breakpoint trigger or
+let the custom handler deal with it.
+
+Since bpf_overflow_handler() currently isn't recognized as a default
+handler, attaching a BPF program to a PERF_TYPE_BREAKPOINT event causes
+it to keep firing (the instruction triggering the data abort exception
+is never skipped). For example:
+
+ # bpftrace -e 'watchpoint:0x10000:4:w { print("hit") }' -c ./test
+ Attaching 1 probe...
+ hit
+ hit
+ [...]
+ ^C
+
+(./test performs a single 4-byte store to 0x10000)
+
+This patch replaces the check with uses_default_overflow_handler(),
+which accounts for the bpf_overflow_handler() case by also testing
+if one of the perf_event_output functions gets invoked indirectly,
+via orig_default_handler.
+
+Signed-off-by: Tomislav Novak <tnovak@meta.com>
+Tested-by: Samuel Gosselin <sgosselin@google.com> # arm64
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/linux-arm-kernel/20220923203644.2731604-1-tnovak@fb.com/
+Link: https://lore.kernel.org/r/20230605191923.1219974-1-tnovak@meta.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/hw_breakpoint.c | 8 ++++----
+ arch/arm64/kernel/hw_breakpoint.c | 4 ++--
+ include/linux/perf_event.h | 22 +++++++++++++++++++---
+ 3 files changed, 25 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
+index 2ee5b7f5e7ad0..c71ecd06131ca 100644
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -631,7 +631,7 @@ int hw_breakpoint_arch_parse(struct perf_event *bp,
+ hw->address &= ~alignment_mask;
+ hw->ctrl.len <<= offset;
+
+- if (is_default_overflow_handler(bp)) {
++ if (uses_default_overflow_handler(bp)) {
+ /*
+ * Mismatch breakpoints are required for single-stepping
+ * breakpoints.
+@@ -803,7 +803,7 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+ * Otherwise, insert a temporary mismatch breakpoint so that
+ * we can single-step over the watchpoint trigger.
+ */
+- if (!is_default_overflow_handler(wp))
++ if (!uses_default_overflow_handler(wp))
+ continue;
+ step:
+ enable_single_step(wp, instruction_pointer(regs));
+@@ -816,7 +816,7 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+ info->trigger = addr;
+ pr_debug("watchpoint fired: address = 0x%x\n", info->trigger);
+ perf_bp_event(wp, regs);
+- if (is_default_overflow_handler(wp))
++ if (uses_default_overflow_handler(wp))
+ enable_single_step(wp, instruction_pointer(regs));
+ }
+
+@@ -891,7 +891,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
+ info->trigger = addr;
+ pr_debug("breakpoint fired: address = 0x%x\n", addr);
+ perf_bp_event(bp, regs);
+- if (is_default_overflow_handler(bp))
++ if (uses_default_overflow_handler(bp))
+ enable_single_step(bp, addr);
+ goto unlock;
+ }
+diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
+index 9f105fe58595d..5d120e39bf61a 100644
+--- a/arch/arm64/kernel/hw_breakpoint.c
++++ b/arch/arm64/kernel/hw_breakpoint.c
+@@ -661,7 +661,7 @@ static int breakpoint_handler(unsigned long unused, unsigned int esr,
+ perf_bp_event(bp, regs);
+
+ /* Do we need to handle the stepping? */
+- if (is_default_overflow_handler(bp))
++ if (uses_default_overflow_handler(bp))
+ step = 1;
+ unlock:
+ rcu_read_unlock();
+@@ -740,7 +740,7 @@ static u64 get_distance_from_watchpoint(unsigned long addr, u64 val,
+ static int watchpoint_report(struct perf_event *wp, unsigned long addr,
+ struct pt_regs *regs)
+ {
+- int step = is_default_overflow_handler(wp);
++ int step = uses_default_overflow_handler(wp);
+ struct arch_hw_breakpoint *info = counter_arch_bp(wp);
+
+ info->trigger = addr;
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index efe30b9b11908..f17e08bd294c2 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -998,15 +998,31 @@ extern void perf_event_output(struct perf_event *event,
+ struct pt_regs *regs);
+
+ static inline bool
+-is_default_overflow_handler(struct perf_event *event)
++__is_default_overflow_handler(perf_overflow_handler_t overflow_handler)
+ {
+- if (likely(event->overflow_handler == perf_event_output_forward))
++ if (likely(overflow_handler == perf_event_output_forward))
+ return true;
+- if (unlikely(event->overflow_handler == perf_event_output_backward))
++ if (unlikely(overflow_handler == perf_event_output_backward))
+ return true;
+ return false;
+ }
+
++#define is_default_overflow_handler(event) \
++ __is_default_overflow_handler((event)->overflow_handler)
++
++#ifdef CONFIG_BPF_SYSCALL
++static inline bool uses_default_overflow_handler(struct perf_event *event)
++{
++ if (likely(is_default_overflow_handler(event)))
++ return true;
++
++ return __is_default_overflow_handler(event->orig_overflow_handler);
++}
++#else
++#define uses_default_overflow_handler(event) \
++ is_default_overflow_handler(event)
++#endif
++
+ extern void
+ perf_event_header__init_id(struct perf_event_header *header,
+ struct perf_sample_data *data,
+--
+2.40.1
+
--- /dev/null
+From 0388b1b21167edaaff53e7415884c328e3b72136 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 20:00:18 +0300
+Subject: iio: core: Use min() instead of min_t() to make code more robust
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit cb1d17535061ca295903f97f5cb0af9db719c02c ]
+
+min() has strict type checking and preferred over min_t() for
+unsigned types to avoid overflow. Here it's unclear why min_t()
+was chosen since both variables are of the same type. In any
+case update to use min().
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20230721170022.3461-5-andriy.shevchenko@linux.intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/industrialio-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
+index 49d4b4f1a4574..ad9bd2001fbd2 100644
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -323,7 +323,7 @@ static ssize_t iio_debugfs_write_reg(struct file *file,
+ char buf[80];
+ int ret;
+
+- count = min_t(size_t, count, (sizeof(buf)-1));
++ count = min(count, sizeof(buf) - 1);
+ if (copy_from_user(buf, userbuf, count))
+ return -EFAULT;
+
+--
+2.40.1
+
--- /dev/null
+From 91f2737fad46e168eef594fd122536724453bdc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:46:28 +0800
+Subject: jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
+
+From: Liu Shixin via Jfs-discussion <jfs-discussion@lists.sourceforge.net>
+
+[ Upstream commit 6e2bda2c192d0244b5a78b787ef20aa10cb319b7 ]
+
+syzbot found an invalid-free in diUnmount:
+
+BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
+BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
+Free of addr ffff88806f410000 by task syz-executor131/3632
+
+ CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
+ print_address_description+0x74/0x340 mm/kasan/report.c:284
+ print_report+0x107/0x1f0 mm/kasan/report.c:395
+ kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
+ ____kasan_slab_free+0xfb/0x120
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1724 [inline]
+ slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
+ slab_free mm/slub.c:3661 [inline]
+ __kmem_cache_free+0x71/0x110 mm/slub.c:3674
+ diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
+ jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
+ jfs_put_super+0x86/0x190 fs/jfs/super.c:194
+ generic_shutdown_super+0x130/0x310 fs/super.c:492
+ kill_block_super+0x79/0xd0 fs/super.c:1428
+ deactivate_locked_super+0xa7/0xf0 fs/super.c:332
+ cleanup_mnt+0x494/0x520 fs/namespace.c:1186
+ task_work_run+0x243/0x300 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0x664/0x2070 kernel/exit.c:820
+ do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
+ __do_sys_exit_group kernel/exit.c:961 [inline]
+ __se_sys_exit_group kernel/exit.c:959 [inline]
+ __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[...]
+
+JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount.
+If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount().
+JFS_IP(ipimap)->i_imap will be freed once again.
+Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.
+
+Reported-by: syzbot+90a11e6b1e810785c6ff@syzkaller.appspotmail.com
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_imap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 93e8c590ff5c0..7565e00e88182 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -208,6 +208,7 @@ int diUnmount(struct inode *ipimap, int mounterror)
+ * free in-memory control structure
+ */
+ kfree(imap);
++ JFS_IP(ipimap)->i_imap = NULL;
+
+ return (0);
+ }
+--
+2.40.1
+
--- /dev/null
+From 1332a1761eea8a5fd0a62101b2a39e8718ce7575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Aug 2023 16:41:13 +0800
+Subject: kobject: Add sanity check for kset->kobj.ktype in kset_register()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 4d0fe8c52bb3029d83e323c961221156ab98680b ]
+
+When I register a kset in the following way:
+ static struct kset my_kset;
+ kobject_set_name(&my_kset.kobj, "my_kset");
+ ret = kset_register(&my_kset);
+
+A null pointer dereference exception is occurred:
+[ 4453.568337] Unable to handle kernel NULL pointer dereference at \
+virtual address 0000000000000028
+... ...
+[ 4453.810361] Call trace:
+[ 4453.813062] kobject_get_ownership+0xc/0x34
+[ 4453.817493] kobject_add_internal+0x98/0x274
+[ 4453.822005] kset_register+0x5c/0xb4
+[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]
+... ...
+
+Because I didn't initialize my_kset.kobj.ktype.
+
+According to the description in Documentation/core-api/kobject.rst:
+ - A ktype is the type of object that embeds a kobject. Every structure
+ that embeds a kobject needs a corresponding ktype.
+
+So add sanity check to make sure kset->kobj.ktype is not NULL.
+
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20230805084114.1298-2-thunder.leizhen@huaweicloud.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kobject.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/kobject.c b/lib/kobject.c
+index 97d86dc17c42b..2bab65232925a 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -829,6 +829,11 @@ int kset_register(struct kset *k)
+ if (!k)
+ return -EINVAL;
+
++ if (!k->kobj.ktype) {
++ pr_err("must have a ktype to be initialized properly!\n");
++ return -EINVAL;
++ }
++
+ kset_init(k);
+ err = kobject_add_internal(&k->kobj);
+ if (err)
+--
+2.40.1
+
--- /dev/null
+From 7bab675ac58e66fe43834d10975b5f9ef78aaa53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 14:25:23 -0700
+Subject: md/raid1: fix error: ISO C90 forbids mixed declarations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nigel Croxon <ncroxon@redhat.com>
+
+[ Upstream commit df203da47f4428bc286fc99318936416253a321c ]
+
+There is a compile error when this commit is added:
+md: raid1: fix potential OOB in raid1_remove_disk()
+
+drivers/md/raid1.c: In function 'raid1_remove_disk':
+drivers/md/raid1.c:1844:9: error: ISO C90 forbids mixed declarations
+and code [-Werror=declaration-after-statement]
+1844 | struct raid1_info *p = conf->mirrors + number;
+ | ^~~~~~
+
+That's because the new code was inserted before the struct.
+The change is move the struct command above this commit.
+
+Fixes: 8b0472b50bcf ("md: raid1: fix potential OOB in raid1_remove_disk()")
+Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/46d929d0-2aab-4cf2-b2bf-338963e8ba5a@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index b459a3af94224..5ff06fbcfabf5 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1783,12 +1783,11 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
+ struct r1conf *conf = mddev->private;
+ int err = 0;
+ int number = rdev->raid_disk;
++ struct raid1_info *p = conf->mirrors + number;
+
+ if (unlikely(number >= conf->raid_disks))
+ goto abort;
+
+- struct raid1_info *p = conf->mirrors + number;
+-
+ if (rdev != p->rdev)
+ p = conf->mirrors + conf->raid_disks + number;
+
+--
+2.40.1
+
--- /dev/null
+From 2943feded63c0fda4436ec45e28f4be70f2ac23f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Jul 2023 15:53:53 +0800
+Subject: md: raid1: fix potential OOB in raid1_remove_disk()
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit 8b0472b50bcf0f19a5119b00a53b63579c8e1e4d ]
+
+If rddev->raid_disk is greater than mddev->raid_disks, there will be
+an out-of-bounds in raid1_remove_disk(). We have already found
+similar reports as follows:
+
+1) commit d17f744e883b ("md-raid10: fix KASAN warning")
+2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
+
+Fix this bug by checking whether the "number" variable is
+valid.
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/tencent_0D24426FAC6A21B69AC0C03CE4143A508F09@qq.com
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 0f8b1fb3d0517..b459a3af94224 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1783,6 +1783,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
+ struct r1conf *conf = mddev->private;
+ int err = 0;
+ int number = rdev->raid_disk;
++
++ if (unlikely(number >= conf->raid_disks))
++ goto abort;
++
+ struct raid1_info *p = conf->mirrors + number;
+
+ if (rdev != p->rdev)
+--
+2.40.1
+
--- /dev/null
+From 4baf2c26adb7e47e4ef50a28107a65e28c2112a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jul 2023 23:24:11 +0800
+Subject: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit f4ee84f27625ce1fdf41e8483fa0561a1b837d10 ]
+
+In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach af9005_i2c_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen.
+We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a
+("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/af9005.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c
+index d2737460c9d3b..60acaaf8b892f 100644
+--- a/drivers/media/usb/dvb-usb/af9005.c
++++ b/drivers/media/usb/dvb-usb/af9005.c
+@@ -431,6 +431,10 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ if (ret == 0)
+ ret = 2;
+ } else {
++ if (msg[0].len < 2) {
++ ret = -EOPNOTSUPP;
++ goto unlock;
++ }
+ /* write one or more registers */
+ reg = msg[0].buf[0];
+ addr = msg[0].addr;
+@@ -440,6 +444,7 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ ret = 1;
+ }
+
++unlock:
+ mutex_unlock(&d->i2c_mutex);
+ return ret;
+ }
+--
+2.40.1
+
--- /dev/null
+From b4a29d072084b293d79f633fe93be504c983d9b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jul 2023 00:02:20 +0800
+Subject: media: anysee: fix null-ptr-deref in anysee_master_xfer
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit c30411266fd67ea3c02a05c157231654d5a3bdc9 ]
+
+In anysee_master_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach anysee_master_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen.
+We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a
+("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil: add spaces around +]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/anysee.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/anysee.c b/drivers/media/usb/dvb-usb-v2/anysee.c
+index 20ee7eea2a91e..83af86505363b 100644
+--- a/drivers/media/usb/dvb-usb-v2/anysee.c
++++ b/drivers/media/usb/dvb-usb-v2/anysee.c
+@@ -211,7 +211,7 @@ static int anysee_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msg,
+
+ while (i < num) {
+ if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
+- if (msg[i].len > 2 || msg[i+1].len > 60) {
++ if (msg[i].len != 2 || msg[i + 1].len > 60) {
+ ret = -EOPNOTSUPP;
+ break;
+ }
+--
+2.40.1
+
--- /dev/null
+From b06c2f7a9264d73587d7e633dd16bd298ce1171c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jul 2023 00:28:17 +0800
+Subject: media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ]
+
+In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach az6007_i2c_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen.
+We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a
+("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
+index 8e914be5b7c5e..2f40eb6bdbb83 100644
+--- a/drivers/media/usb/dvb-usb-v2/az6007.c
++++ b/drivers/media/usb/dvb-usb-v2/az6007.c
+@@ -796,6 +796,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
+ if (az6007_xfer_debug)
+ printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
+ addr, msgs[i].len);
++ if (msgs[i].len < 1) {
++ ret = -EIO;
++ goto err;
++ }
+ req = AZ6007_I2C_WR;
+ index = msgs[i].buf[0];
+ value = addr | (1 << 8);
+@@ -810,6 +814,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
+ if (az6007_xfer_debug)
+ printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
+ addr, msgs[i].len);
++ if (msgs[i].len < 1) {
++ ret = -EIO;
++ goto err;
++ }
+ req = AZ6007_I2C_RD;
+ index = msgs[i].buf[0];
+ value = addr;
+--
+2.40.1
+
--- /dev/null
+From 24924b3aa7d477683b3c05bfed68f95315996e21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jul 2023 00:06:54 +0800
+Subject: media: dvb-usb-v2: af9035: Fix null-ptr-deref in
+ af9035_i2c_master_xfer
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit 7bf744f2de0a848fb1d717f5831b03db96feae89 ]
+
+In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen.
+We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 0ed554fd769a
+("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/af9035.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c
+index 1f6c1eefe3892..55c7e7348869b 100644
+--- a/drivers/media/usb/dvb-usb-v2/af9035.c
++++ b/drivers/media/usb/dvb-usb-v2/af9035.c
+@@ -336,6 +336,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
+ ret = -EOPNOTSUPP;
+ } else if ((msg[0].addr == state->af9033_i2c_addr[0]) ||
+ (msg[0].addr == state->af9033_i2c_addr[1])) {
++ if (msg[0].len < 3 || msg[1].len < 1)
++ return -EOPNOTSUPP;
+ /* demod access via firmware interface */
+ u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 |
+ msg[0].buf[2];
+@@ -395,6 +397,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
+ ret = -EOPNOTSUPP;
+ } else if ((msg[0].addr == state->af9033_i2c_addr[0]) ||
+ (msg[0].addr == state->af9033_i2c_addr[1])) {
++ if (msg[0].len < 3)
++ return -EOPNOTSUPP;
+ /* demod access via firmware interface */
+ u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 |
+ msg[0].buf[2];
+@@ -402,10 +406,7 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
+ if (msg[0].addr == state->af9033_i2c_addr[1])
+ reg |= 0x100000;
+
+- ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg,
+- &msg[0].buf[3],
+- msg[0].len - 3)
+- : -EOPNOTSUPP;
++ ret = af9035_wr_regs(d, reg, &msg[0].buf[3], msg[0].len - 3);
+ } else {
+ /* I2C write */
+ u8 buf[MAX_XFER_SIZE];
+--
+2.40.1
+
--- /dev/null
+From e7c263a213253dfe914f77c0ca309766f2cd046d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jul 2023 18:22:52 +0800
+Subject: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+[ Upstream commit 5ae544d94abc8ff77b1b9bf8774def3fa5689b5b ]
+
+In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf
+is null and msg[i].len is zero, former checks on msg[i].buf would be
+passed. Malicious data finally reach dw2102_i2c_transfer. If accessing
+msg[i].buf[0] without sanity check, null ptr deref would happen.
+We add check on msg[i].len to prevent crash.
+
+Similar commit:
+commit 950e252cb469
+("[media] dw2102: limit messages to buffer size")
+
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
+index cd0566c0b3de7..a3c5261f9aa41 100644
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -131,6 +131,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+
+ switch (num) {
+ case 2:
++ if (msg[0].len < 1) {
++ num = -EOPNOTSUPP;
++ break;
++ }
+ /* read stv0299 register */
+ value = msg[0].buf[0];/* register */
+ for (i = 0; i < msg[1].len; i++) {
+@@ -142,6 +146,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ case 1:
+ switch (msg[0].addr) {
+ case 0x68:
++ if (msg[0].len < 2) {
++ num = -EOPNOTSUPP;
++ break;
++ }
+ /* write to stv0299 register */
+ buf6[0] = 0x2a;
+ buf6[1] = msg[0].buf[0];
+@@ -151,6 +159,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ break;
+ case 0x60:
+ if (msg[0].flags == 0) {
++ if (msg[0].len < 4) {
++ num = -EOPNOTSUPP;
++ break;
++ }
+ /* write to tuner pll */
+ buf6[0] = 0x2c;
+ buf6[1] = 5;
+@@ -162,6 +174,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ dw210x_op_rw(d->udev, 0xb2, 0, 0,
+ buf6, 7, DW210X_WRITE_MSG);
+ } else {
++ if (msg[0].len < 1) {
++ num = -EOPNOTSUPP;
++ break;
++ }
+ /* read from tuner */
+ dw210x_op_rw(d->udev, 0xb5, 0, 0,
+ buf6, 1, DW210X_READ_MSG);
+@@ -169,12 +185,20 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ }
+ break;
+ case (DW2102_RC_QUERY):
++ if (msg[0].len < 2) {
++ num = -EOPNOTSUPP;
++ break;
++ }
+ dw210x_op_rw(d->udev, 0xb8, 0, 0,
+ buf6, 2, DW210X_READ_MSG);
+ msg[0].buf[0] = buf6[0];
+ msg[0].buf[1] = buf6[1];
+ break;
+ case (DW2102_VOLTAGE_CTRL):
++ if (msg[0].len < 1) {
++ num = -EOPNOTSUPP;
++ break;
++ }
+ buf6[0] = 0x30;
+ buf6[1] = msg[0].buf[0];
+ dw210x_op_rw(d->udev, 0xb2, 0, 0,
+--
+2.40.1
+
--- /dev/null
+From 729878905f9da29d8faad7733829be2d6cd96992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 10:23:42 +0200
+Subject: media: pci: cx23885: replace BUG with error return
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 2e1796fd4904fdd6062a8e4589778ea899ea0c8d ]
+
+It was completely unnecessary to use BUG in buffer_prepare().
+Just replace it with an error return. This also fixes a smatch warning:
+
+drivers/media/pci/cx23885/cx23885-video.c:422 buffer_prepare() error: uninitialized symbol 'ret'.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx23885/cx23885-video.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
+index 2a20c7165e1e8..16564899f1141 100644
+--- a/drivers/media/pci/cx23885/cx23885-video.c
++++ b/drivers/media/pci/cx23885/cx23885-video.c
+@@ -420,7 +420,7 @@ static int buffer_prepare(struct vb2_buffer *vb)
+ dev->height >> 1);
+ break;
+ default:
+- BUG();
++ return -EINVAL; /* should not happen */
+ }
+ dprintk(2, "[%p/%d] buffer_init - %dx%d %dbpp \"%s\" - dma=0x%08lx\n",
+ buf, buf->vb.vb2_buf.index,
+--
+2.40.1
+
--- /dev/null
+From 7867629cceb4c6ddab332c3d8b7f7b9902e17485 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Aug 2023 10:14:30 +0300
+Subject: media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler
+ warning
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+[ Upstream commit 9d7531be3085a8f013cf173ccc4e72e3cf493538 ]
+
+Initialise timing struct in cio2_hw_init() to zero in order to avoid a
+compiler warning. The warning was a false positive.
+
+Reported-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/intel/ipu3/ipu3-cio2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/intel/ipu3/ipu3-cio2.c b/drivers/media/pci/intel/ipu3/ipu3-cio2.c
+index 070ddb52c8231..2c037538c7d8f 100644
+--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c
++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c
+@@ -361,7 +361,7 @@ static int cio2_hw_init(struct cio2_device *cio2, struct cio2_queue *q)
+ void __iomem *const base = cio2->base;
+ u8 lanes, csi2bus = q->csi2.port;
+ u8 sensor_vc = SENSOR_VIR_CH_DFLT;
+- struct cio2_csi2_timing timing;
++ struct cio2_csi2_timing timing = { 0 };
+ int i, r;
+
+ fmt = cio2_find_format(NULL, &q->subdev_fmt.code);
+--
+2.40.1
+
--- /dev/null
+From 42c1e86fd49d51cc8983409a5d49ceb139bda07c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jul 2023 08:20:51 +0200
+Subject: media: tuners: qt1010: replace BUG_ON with a regular error
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit ee630b29ea44d1851bb6c903f400956604834463 ]
+
+BUG_ON is unnecessary here, and in addition it confuses smatch.
+Replacing this with an error return help resolve this smatch
+warning:
+
+drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/qt1010.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/tuners/qt1010.c b/drivers/media/tuners/qt1010.c
+index 32731b6464145..3236e2277ab33 100644
+--- a/drivers/media/tuners/qt1010.c
++++ b/drivers/media/tuners/qt1010.c
+@@ -351,11 +351,12 @@ static int qt1010_init(struct dvb_frontend *fe)
+ else
+ valptr = &tmpval;
+
+- BUG_ON(i >= ARRAY_SIZE(i2c_data) - 1);
+-
+- err = qt1010_init_meas1(priv, i2c_data[i+1].reg,
+- i2c_data[i].reg,
+- i2c_data[i].val, valptr);
++ if (i >= ARRAY_SIZE(i2c_data) - 1)
++ err = -EIO;
++ else
++ err = qt1010_init_meas1(priv, i2c_data[i + 1].reg,
++ i2c_data[i].reg,
++ i2c_data[i].val, valptr);
+ i++;
+ break;
+ }
+--
+2.40.1
+
--- /dev/null
+From b0804ed8ae17af82157d0a4dec0592bc2dd26de9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Jul 2023 12:55:01 +0100
+Subject: PCI: dwc: Provide deinit callback for i.MX
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit fc8b24c28bec19fc0621d108b9ee81ddfdedb25a ]
+
+The i.MX integration for the DesignWare PCI controller has a _host_exit()
+operation which undoes everything that the _host_init() operation does but
+does not wire this up as the host_deinit callback for the core, or call it
+in any path other than suspend. This means that if we ever unwind the
+initial probe of the device, for example because it fails, the regulator
+core complains that the regulators for the device were left enabled:
+
+imx6q-pcie 33800000.pcie: iATU: unroll T, 4 ob, 4 ib, align 64K, limit 16G
+imx6q-pcie 33800000.pcie: Phy link never came up
+imx6q-pcie 33800000.pcie: Phy link never came up
+imx6q-pcie: probe of 33800000.pcie failed with error -110
+------------[ cut here ]------------
+WARNING: CPU: 2 PID: 46 at drivers/regulator/core.c:2396 _regulator_put+0x110/0x128
+
+Wire up the callback so that the core can clean up after itself.
+
+Link: https://lore.kernel.org/r/20230731-pci-imx-regulator-cleanup-v2-1-fc8fa5c9893d@kernel.org
+Tested-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Reviewed-by: Richard Zhu <hongxing.zhu@nxp.com>
+Acked-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c
+index 3b2ceb5667289..c949d11f95507 100644
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -642,6 +642,7 @@ static int imx6_pcie_host_init(struct pcie_port *pp)
+
+ static const struct dw_pcie_host_ops imx6_pcie_host_ops = {
+ .host_init = imx6_pcie_host_init,
++ .host_deinit = imx6_pcie_host_exit,
+ };
+
+ static int imx6_add_pcie_port(struct imx6_pcie *imx6_pcie,
+--
+2.40.1
+
--- /dev/null
+From 3a0682ea8230627350ace8ea3e75b62b524c7b4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 09:19:29 +0800
+Subject: powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
+
+From: ruanjinjie <ruanjinjie@huawei.com>
+
+[ Upstream commit afda85b963c12947e298ad85d757e333aa40fd74 ]
+
+If device_register() returns error in ibmebus_bus_init(), name of kobject
+which is allocated in dev_set_name() called in device_add() is leaked.
+
+As comment of device_add() says, it should call put_device() to drop
+the reference count that was set in device_initialize() when it fails,
+so the name can be freed in kobject_cleanup().
+
+Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20221110011929.3709774-1-ruanjinjie@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/ibmebus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/pseries/ibmebus.c b/arch/powerpc/platforms/pseries/ibmebus.c
+index c7c1140c13b6c..3fce7508a4fc6 100644
+--- a/arch/powerpc/platforms/pseries/ibmebus.c
++++ b/arch/powerpc/platforms/pseries/ibmebus.c
+@@ -452,6 +452,7 @@ static int __init ibmebus_bus_init(void)
+ if (err) {
+ printk(KERN_WARNING "%s: device_register returned %i\n",
+ __func__, err);
++ put_device(&ibmebus_bus_device);
+ bus_unregister(&ibmebus_bus_type);
+
+ return err;
+--
+2.40.1
+
--- /dev/null
+From 35edf3d2659a04040488dedf89853a513d04019f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Jul 2023 18:26:37 +0300
+Subject: scsi: target: iscsi: Fix buffer overflow in
+ lio_target_nacl_info_show()
+
+From: Konstantin Shelekhin <k.shelekhin@yadro.com>
+
+[ Upstream commit 801f287c93ff95582b0a2d2163f12870a2f076d4 ]
+
+The function lio_target_nacl_info_show() uses sprintf() in a loop to print
+details for every iSCSI connection in a session without checking for the
+buffer length. With enough iSCSI connections it's possible to overflow the
+buffer provided by configfs and corrupt the memory.
+
+This patch replaces sprintf() with sysfs_emit_at() that checks for buffer
+boundries.
+
+Signed-off-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
+Link: https://lore.kernel.org/r/20230722152657.168859-2-k.shelekhin@yadro.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_configfs.c | 54 ++++++++++----------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
+index d25cadc4f4f11..ac071abae7e90 100644
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -516,102 +516,102 @@ static ssize_t lio_target_nacl_info_show(struct config_item *item, char *page)
+ spin_lock_bh(&se_nacl->nacl_sess_lock);
+ se_sess = se_nacl->nacl_sess;
+ if (!se_sess) {
+- rb += sprintf(page+rb, "No active iSCSI Session for Initiator"
++ rb += sysfs_emit_at(page, rb, "No active iSCSI Session for Initiator"
+ " Endpoint: %s\n", se_nacl->initiatorname);
+ } else {
+ sess = se_sess->fabric_sess_ptr;
+
+- rb += sprintf(page+rb, "InitiatorName: %s\n",
++ rb += sysfs_emit_at(page, rb, "InitiatorName: %s\n",
+ sess->sess_ops->InitiatorName);
+- rb += sprintf(page+rb, "InitiatorAlias: %s\n",
++ rb += sysfs_emit_at(page, rb, "InitiatorAlias: %s\n",
+ sess->sess_ops->InitiatorAlias);
+
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "LIO Session ID: %u ISID: 0x%6ph TSIH: %hu ",
+ sess->sid, sess->isid, sess->tsih);
+- rb += sprintf(page+rb, "SessionType: %s\n",
++ rb += sysfs_emit_at(page, rb, "SessionType: %s\n",
+ (sess->sess_ops->SessionType) ?
+ "Discovery" : "Normal");
+- rb += sprintf(page+rb, "Session State: ");
++ rb += sysfs_emit_at(page, rb, "Session State: ");
+ switch (sess->session_state) {
+ case TARG_SESS_STATE_FREE:
+- rb += sprintf(page+rb, "TARG_SESS_FREE\n");
++ rb += sysfs_emit_at(page, rb, "TARG_SESS_FREE\n");
+ break;
+ case TARG_SESS_STATE_ACTIVE:
+- rb += sprintf(page+rb, "TARG_SESS_STATE_ACTIVE\n");
++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_ACTIVE\n");
+ break;
+ case TARG_SESS_STATE_LOGGED_IN:
+- rb += sprintf(page+rb, "TARG_SESS_STATE_LOGGED_IN\n");
++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_LOGGED_IN\n");
+ break;
+ case TARG_SESS_STATE_FAILED:
+- rb += sprintf(page+rb, "TARG_SESS_STATE_FAILED\n");
++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_FAILED\n");
+ break;
+ case TARG_SESS_STATE_IN_CONTINUE:
+- rb += sprintf(page+rb, "TARG_SESS_STATE_IN_CONTINUE\n");
++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_IN_CONTINUE\n");
+ break;
+ default:
+- rb += sprintf(page+rb, "ERROR: Unknown Session"
++ rb += sysfs_emit_at(page, rb, "ERROR: Unknown Session"
+ " State!\n");
+ break;
+ }
+
+- rb += sprintf(page+rb, "---------------------[iSCSI Session"
++ rb += sysfs_emit_at(page, rb, "---------------------[iSCSI Session"
+ " Values]-----------------------\n");
+- rb += sprintf(page+rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN"
++ rb += sysfs_emit_at(page, rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN"
+ " : MaxCmdSN : ITT : TTT\n");
+ max_cmd_sn = (u32) atomic_read(&sess->max_cmd_sn);
+- rb += sprintf(page+rb, " 0x%08x 0x%08x 0x%08x 0x%08x"
++ rb += sysfs_emit_at(page, rb, " 0x%08x 0x%08x 0x%08x 0x%08x"
+ " 0x%08x 0x%08x\n",
+ sess->cmdsn_window,
+ (max_cmd_sn - sess->exp_cmd_sn) + 1,
+ sess->exp_cmd_sn, max_cmd_sn,
+ sess->init_task_tag, sess->targ_xfer_tag);
+- rb += sprintf(page+rb, "----------------------[iSCSI"
++ rb += sysfs_emit_at(page, rb, "----------------------[iSCSI"
+ " Connections]-------------------------\n");
+
+ spin_lock(&sess->conn_lock);
+ list_for_each_entry(conn, &sess->sess_conn_list, conn_list) {
+- rb += sprintf(page+rb, "CID: %hu Connection"
++ rb += sysfs_emit_at(page, rb, "CID: %hu Connection"
+ " State: ", conn->cid);
+ switch (conn->conn_state) {
+ case TARG_CONN_STATE_FREE:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "TARG_CONN_STATE_FREE\n");
+ break;
+ case TARG_CONN_STATE_XPT_UP:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "TARG_CONN_STATE_XPT_UP\n");
+ break;
+ case TARG_CONN_STATE_IN_LOGIN:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "TARG_CONN_STATE_IN_LOGIN\n");
+ break;
+ case TARG_CONN_STATE_LOGGED_IN:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "TARG_CONN_STATE_LOGGED_IN\n");
+ break;
+ case TARG_CONN_STATE_IN_LOGOUT:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "TARG_CONN_STATE_IN_LOGOUT\n");
+ break;
+ case TARG_CONN_STATE_LOGOUT_REQUESTED:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "TARG_CONN_STATE_LOGOUT_REQUESTED\n");
+ break;
+ case TARG_CONN_STATE_CLEANUP_WAIT:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "TARG_CONN_STATE_CLEANUP_WAIT\n");
+ break;
+ default:
+- rb += sprintf(page+rb,
++ rb += sysfs_emit_at(page, rb,
+ "ERROR: Unknown Connection State!\n");
+ break;
+ }
+
+- rb += sprintf(page+rb, " Address %pISc %s", &conn->login_sockaddr,
++ rb += sysfs_emit_at(page, rb, " Address %pISc %s", &conn->login_sockaddr,
+ (conn->network_transport == ISCSI_TCP) ?
+ "TCP" : "SCTP");
+- rb += sprintf(page+rb, " StatSN: 0x%08x\n",
++ rb += sysfs_emit_at(page, rb, " StatSN: 0x%08x\n",
+ conn->stat_sn);
+ }
+ spin_unlock(&sess->conn_lock);
+--
+2.40.1
+
--- /dev/null
+From 81bb45686face90d1881206aec554d9615eff2b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Aug 2023 15:56:42 +0200
+Subject: serial: cpm_uart: Avoid suspicious locking
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 36ef11d311f405e55ad8e848c19b212ff71ef536 ]
+
+ CHECK drivers/tty/serial/cpm_uart/cpm_uart_core.c
+drivers/tty/serial/cpm_uart/cpm_uart_core.c:1271:39: warning: context imbalance in 'cpm_uart_console_write' - unexpected unlock
+
+Allthough 'nolock' is not expected to change, sparse find the following
+form suspicious:
+
+ if (unlikely(nolock)) {
+ local_irq_save(flags);
+ } else {
+ spin_lock_irqsave(&pinfo->port.lock, flags);
+ }
+
+ cpm_uart_early_write(pinfo, s, count, true);
+
+ if (unlikely(nolock)) {
+ local_irq_restore(flags);
+ } else {
+ spin_unlock_irqrestore(&pinfo->port.lock, flags);
+ }
+
+Rewrite it a more obvious form:
+
+ if (unlikely(oops_in_progress)) {
+ local_irq_save(flags);
+ cpm_uart_early_write(pinfo, s, count, true);
+ local_irq_restore(flags);
+ } else {
+ spin_lock_irqsave(&pinfo->port.lock, flags);
+ cpm_uart_early_write(pinfo, s, count, true);
+ spin_unlock_irqrestore(&pinfo->port.lock, flags);
+ }
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://lore.kernel.org/r/f7da5cdc9287960185829cfef681a7d8614efa1f.1691068700.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/cpm_uart/cpm_uart_core.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+index ad40c75bb58f8..375d4790e058b 100644
+--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+@@ -1269,19 +1269,14 @@ static void cpm_uart_console_write(struct console *co, const char *s,
+ {
+ struct uart_cpm_port *pinfo = &cpm_uart_ports[co->index];
+ unsigned long flags;
+- int nolock = oops_in_progress;
+
+- if (unlikely(nolock)) {
++ if (unlikely(oops_in_progress)) {
+ local_irq_save(flags);
+- } else {
+- spin_lock_irqsave(&pinfo->port.lock, flags);
+- }
+-
+- cpm_uart_early_write(pinfo, s, count, true);
+-
+- if (unlikely(nolock)) {
++ cpm_uart_early_write(pinfo, s, count, true);
+ local_irq_restore(flags);
+ } else {
++ spin_lock_irqsave(&pinfo->port.lock, flags);
++ cpm_uart_early_write(pinfo, s, count, true);
+ spin_unlock_irqrestore(&pinfo->port.lock, flags);
+ }
+ }
+--
+2.40.1
+
kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch
drm-amd-display-fix-a-bug-when-searching-for-insert_above_mpcc.patch
parisc-drop-loops_per_jiffy-from-per_cpu-struct.patch
+autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch
+btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch
+acpica-add-aml_no_operand_resolve-flag-to-timer.patch
+acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch
+hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch
+wifi-ath9k-fix-printk-specifier.patch
+wifi-mwifiex-fix-fortify-warning.patch
+crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch
+tpm_tis-resend-command-to-recover-from-data-transfer.patch
+alx-fix-oob-read-compiler-warning.patch
+drm-exynos-fix-a-possible-null-pointer-dereference-d.patch
+md-raid1-fix-potential-oob-in-raid1_remove_disk.patch
+ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch
+fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch
+jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch
+pci-dwc-provide-deinit-callback-for-i.mx.patch
+powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch
+media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch
+media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch
+media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch
+media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch
+media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch
+iio-core-use-min-instead-of-min_t-to-make-code-more-.patch
+media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch
+media-pci-cx23885-replace-bug-with-error-return.patch
+usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch
+scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch
+serial-cpm_uart-avoid-suspicious-locking.patch
+media-pci-ipu3-cio2-initialise-timing-struct-to-avoi.patch
+kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch
+md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch
--- /dev/null
+From d684fc2172935b69277a29fb6d7b5966d9a0f11e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 20:02:59 +0200
+Subject: tpm_tis: Resend command to recover from data transfer errors
+
+From: Alexander Steffen <Alexander.Steffen@infineon.com>
+
+[ Upstream commit 280db21e153d8810ce3b93640c63ae922bcb9e8e ]
+
+Similar to the transmission of TPM responses, also the transmission of TPM
+commands may become corrupted. Instead of aborting when detecting such
+issues, try resending the command again.
+
+Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
+index 430a9eac67e19..d1869b9a2ffd3 100644
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -425,10 +425,17 @@ static int tpm_tis_send_main(struct tpm_chip *chip, const u8 *buf, size_t len)
+ int rc;
+ u32 ordinal;
+ unsigned long dur;
+-
+- rc = tpm_tis_send_data(chip, buf, len);
+- if (rc < 0)
+- return rc;
++ unsigned int try;
++
++ for (try = 0; try < TPM_RETRY; try++) {
++ rc = tpm_tis_send_data(chip, buf, len);
++ if (rc >= 0)
++ /* Data transfer done successfully */
++ break;
++ else if (rc != -EIO)
++ /* Data transfer failed, not recoverable */
++ return rc;
++ }
+
+ /* go and do it */
+ rc = tpm_tis_write8(priv, TPM_STS(priv->locality), TPM_STS_GO);
+--
+2.40.1
+
--- /dev/null
+From d034cff20526be8b91ae6e3f588bfd0e5809df1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jun 2023 16:15:11 +0800
+Subject: usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
+
+From: Ma Ke <make_ruc2021@163.com>
+
+[ Upstream commit ce9daa2efc0872a9a68ea51dc8000df05893ef2e ]
+
+We should verify the bound of the array to assure that host
+may not manipulate the index to point past endpoint array.
+
+Signed-off-by: Ma Ke <make_ruc2021@163.com>
+Acked-by: Li Yang <leoyang.li@nxp.com>
+Link: https://lore.kernel.org/r/20230628081511.186850-1-make_ruc2021@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_qe_udc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/fsl_qe_udc.c b/drivers/usb/gadget/udc/fsl_qe_udc.c
+index 2707be6282988..63109c6e55068 100644
+--- a/drivers/usb/gadget/udc/fsl_qe_udc.c
++++ b/drivers/usb/gadget/udc/fsl_qe_udc.c
+@@ -1950,6 +1950,8 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value,
+ } else if ((request_type & USB_RECIP_MASK) == USB_RECIP_ENDPOINT) {
+ /* Get endpoint status */
+ int pipe = index & USB_ENDPOINT_NUMBER_MASK;
++ if (pipe >= USB_MAX_ENDPOINTS)
++ goto stall;
+ struct qe_ep *target_ep = &udc->eps[pipe];
+ u16 usep;
+
+--
+2.40.1
+
--- /dev/null
+From f5ef8602c577bd1f290cc2dfbea127aac5f0442a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Jul 2023 12:04:02 +0800
+Subject: wifi: ath9k: fix printk specifier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dongliang Mu <dzm91@hust.edu.cn>
+
+[ Upstream commit 061115fbfb2ce5870c9a004d68dc63138c07c782 ]
+
+Smatch reports:
+
+ath_pci_probe() warn: argument 4 to %lx specifier is cast from pointer
+ath_ahb_probe() warn: argument 4 to %lx specifier is cast from pointer
+
+Fix it by modifying %lx to %p in the printk format string.
+
+Note that with this change, the pointer address will be printed as a
+hashed value by default. This is appropriate because the kernel
+should not leak kernel pointers to user space in an informational
+message. If someone wants to see the real address for debugging
+purposes, this can be achieved with the no_hash_pointers kernel option.
+
+Signed-off-by: Dongliang Mu <dzm91@hust.edu.cn>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230723040403.296723-1-dzm91@hust.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/ahb.c | 4 ++--
+ drivers/net/wireless/ath/ath9k/pci.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ahb.c b/drivers/net/wireless/ath/ath9k/ahb.c
+index 63019c3de034d..26023e3b4b9df 100644
+--- a/drivers/net/wireless/ath/ath9k/ahb.c
++++ b/drivers/net/wireless/ath/ath9k/ahb.c
+@@ -136,8 +136,8 @@ static int ath_ahb_probe(struct platform_device *pdev)
+
+ ah = sc->sc_ah;
+ ath9k_hw_name(ah, hw_name, sizeof(hw_name));
+- wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n",
+- hw_name, (unsigned long)mem, irq);
++ wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n",
++ hw_name, mem, irq);
+
+ return 0;
+
+diff --git a/drivers/net/wireless/ath/ath9k/pci.c b/drivers/net/wireless/ath/ath9k/pci.c
+index 92b2dd396436a..cb3318bd3cad2 100644
+--- a/drivers/net/wireless/ath/ath9k/pci.c
++++ b/drivers/net/wireless/ath/ath9k/pci.c
+@@ -993,8 +993,8 @@ static int ath_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ sc->sc_ah->msi_reg = 0;
+
+ ath9k_hw_name(sc->sc_ah, hw_name, sizeof(hw_name));
+- wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n",
+- hw_name, (unsigned long)sc->mem, pdev->irq);
++ wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n",
++ hw_name, sc->mem, pdev->irq);
+
+ return 0;
+
+--
+2.40.1
+
--- /dev/null
+From c83e0d914aff1da14b2ef59306e0ea96b7215ffc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jun 2023 11:51:01 +0300
+Subject: wifi: mwifiex: fix fortify warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit dcce94b80a954a8968ff29fafcfb066d6197fa9a ]
+
+When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y,
+I've noticed the following:
+
+In function ‘fortify_memcpy_chk’,
+ inlined from ‘mwifiex_construct_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:765:3,
+ inlined from ‘mwifiex_send_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:856:6:
+./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
+declared with attribute warning: detected read beyond size of field (2nd parameter);
+maybe use struct_group()? [-Wattribute-warning]
+ 529 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The compiler actually complains on:
+
+memmove(pos + ETH_ALEN, &mgmt->u.action.category,
+ sizeof(mgmt->u.action.u.tdls_discover_resp));
+
+and it happens because the fortification logic interprets this
+as an attempt to overread 1-byte 'u.action.category' member of
+'struct ieee80211_mgmt'. To silence this warning, it's enough
+to pass an address of 'u.action' itself instead of an address
+of its first member.
+
+This also fixes an improper usage of 'sizeof()'. Since 'skb' is
+extended with 'sizeof(mgmt->u.action.u.tdls_discover_resp) + 1'
+bytes (where 1 is actually 'sizeof(mgmt->u.action.category)'),
+I assume that the same number of bytes should be copied.
+
+Suggested-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230629085115.180499-2-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/tdls.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
+index b6b7bbe168ebc..12cfc95f02598 100644
+--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
+@@ -737,6 +737,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv,
+ int ret;
+ u16 capab;
+ struct ieee80211_ht_cap *ht_cap;
++ unsigned int extra;
+ u8 radio, *pos;
+
+ capab = priv->curr_bss_params.bss_descriptor.cap_info_bitmap;
+@@ -755,7 +756,10 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv,
+
+ switch (action_code) {
+ case WLAN_PUB_ACTION_TDLS_DISCOVER_RES:
+- skb_put(skb, sizeof(mgmt->u.action.u.tdls_discover_resp) + 1);
++ /* See the layout of 'struct ieee80211_mgmt'. */
++ extra = sizeof(mgmt->u.action.u.tdls_discover_resp) +
++ sizeof(mgmt->u.action.category);
++ skb_put(skb, extra);
+ mgmt->u.action.category = WLAN_CATEGORY_PUBLIC;
+ mgmt->u.action.u.tdls_discover_resp.action_code =
+ WLAN_PUB_ACTION_TDLS_DISCOVER_RES;
+@@ -764,8 +768,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv,
+ mgmt->u.action.u.tdls_discover_resp.capability =
+ cpu_to_le16(capab);
+ /* move back for addr4 */
+- memmove(pos + ETH_ALEN, &mgmt->u.action.category,
+- sizeof(mgmt->u.action.u.tdls_discover_resp));
++ memmove(pos + ETH_ALEN, &mgmt->u.action, extra);
+ /* init address 4 */
+ memcpy(pos, bc_addr, ETH_ALEN);
+
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
