--- /dev/null
+From 3f7012073ca6ffedb52d379af866d7eca8a6e6e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 20:26:06 +0800
+Subject: 9p/fd: fix issue of list_del corruption in p9_fd_cancel()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 11c10956515b8ec44cf4f2a7b9d8bf8b9dc05ec4 ]
+
+Syz reported the following issue:
+kernel BUG at lib/list_debug.c:53!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:__list_del_entry_valid.cold+0x5c/0x72
+Call Trace:
+<TASK>
+p9_fd_cancel+0xb1/0x270
+p9_client_rpc+0x8ea/0xba0
+p9_client_create+0x9c0/0xed0
+v9fs_session_init+0x1e0/0x1620
+v9fs_mount+0xba/0xb80
+legacy_get_tree+0x103/0x200
+vfs_get_tree+0x89/0x2d0
+path_mount+0x4c0/0x1ac0
+__x64_sys_mount+0x33b/0x430
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+</TASK>
+
+The process is as follows:
+Thread A: Thread B:
+p9_poll_workfn() p9_client_create()
+... ...
+ p9_conn_cancel() p9_fd_cancel()
+ list_del() ...
+ ... list_del() //list_del
+ corruption
+There is no lock protection when deleting list in p9_conn_cancel(). After
+deleting list in Thread A, thread B will delete the same list again. It
+will cause issue of list_del corruption.
+
+Setting req->status to REQ_STATUS_ERROR under lock prevents other
+cleanup paths from trying to manipulate req_list.
+The other thread can safely check req->status because it still holds a
+reference to req at this point.
+
+Link: https://lkml.kernel.org/r/20221110122606.383352-1-shaozhengchao@huawei.com
+Fixes: 52f1c45dde91 ("9p: trans_fd/p9_conn_cancel: drop client lock earlier")
+Reported-by: syzbot+9b69b8d10ab4a7d88056@syzkaller.appspotmail.com
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+[Dominique: add description of the fix in commit message]
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 9b23bf0e278c..da7fcf9d14a9 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -214,9 +214,11 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
+
+ list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
++ req->status = REQ_STATUS_ERROR;
+ }
+ list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
++ req->status = REQ_STATUS_ERROR;
+ }
+
+ spin_unlock(&m->client->lock);
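Review bot: The two added `req->status = REQ_STATUS_ERROR;` assignments in p9_conn_cancel() carry no comment, and the loops alone do not show that they are what tells the other cancel path the request has already left the connection's lists. I would add above the first loop `/* Mark as errored while holding client->lock so p9_fd_cancel() does not list_del() a request already moved to cancel_list */`. The matching check in p9_fd_cancel() is outside this hunk, so confirm that it reads req->status under the same lock. The function body starts before and continues past the hunk.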
+--
+2.35.1
+
--- /dev/null
+From 7beeabeda6577a582e8b169c87b15d95d293a9e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 14:06:48 +0800
+Subject: af_key: Fix send_acquire race with pfkey_register
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 7f57f8165cb6d2c206e2b9ada53b9e2d6d8af42f ]
+
+The function pfkey_send_acquire may race with pfkey_register
+(which could even be in a different name space). This may result
+in a buffer overrun.
+
+Allocating the maximum amount of memory that could be used prevents
+this.
+
+Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 5f0d6a567a1e..09a0ea651f57 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2913,7 +2913,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t)
+ break;
+ if (!aalg->pfkey_supported)
+ continue;
+- if (aalg_tmpl_set(t, aalg) && aalg->available)
++ if (aalg_tmpl_set(t, aalg))
+ sz += sizeof(struct sadb_comb);
+ }
+ return sz + sizeof(struct sadb_prop);
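Review bot: With the `->available` test dropped, count_ah_combs() returns an upper bound rather than the exact size that will be written, and nothing in the code says so. A comment above the loop such as `/* Upper bound: ->available is deliberately not tested, it can change before dump_ah_combs() runs */` would stop a later cleanup from restoring the test and reopening the overrun described in the commit message. The same comment applies to both changed conditions in count_esp_combs() in the next two hunks. The start of count_ah_combs() is outside this hunk.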
+@@ -2931,7 +2931,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
+ if (!ealg->pfkey_supported)
+ continue;
+
+- if (!(ealg_tmpl_set(t, ealg) && ealg->available))
++ if (!(ealg_tmpl_set(t, ealg)))
+ continue;
+
+ for (k = 1; ; k++) {
+@@ -2942,16 +2942,17 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
+ if (!aalg->pfkey_supported)
+ continue;
+
+- if (aalg_tmpl_set(t, aalg) && aalg->available)
++ if (aalg_tmpl_set(t, aalg))
+ sz += sizeof(struct sadb_comb);
+ }
+ }
+ return sz + sizeof(struct sadb_prop);
+ }
+
+-static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
++static int dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ {
+ struct sadb_prop *p;
++ int sz = 0;
+ int i;
+
+ p = skb_put(skb, sizeof(struct sadb_prop));
+@@ -2979,13 +2980,17 @@ static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ c->sadb_comb_soft_addtime = 20*60*60;
+ c->sadb_comb_hard_usetime = 8*60*60;
+ c->sadb_comb_soft_usetime = 7*60*60;
++ sz += sizeof(*c);
+ }
+ }
++
++ return sz + sizeof(*p);
+ }
+
+-static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
++static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ {
+ struct sadb_prop *p;
++ int sz = 0;
+ int i, k;
+
+ p = skb_put(skb, sizeof(struct sadb_prop));
+@@ -3027,8 +3032,11 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ c->sadb_comb_soft_addtime = 20*60*60;
+ c->sadb_comb_hard_usetime = 8*60*60;
+ c->sadb_comb_soft_usetime = 7*60*60;
++ sz += sizeof(*c);
+ }
+ }
++
++ return sz + sizeof(*p);
+ }
+
+ static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)
+@@ -3158,6 +3166,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ struct sadb_x_sec_ctx *sec_ctx;
+ struct xfrm_sec_ctx *xfrm_ctx;
+ int ctx_size = 0;
++ int alg_size = 0;
+
+ sockaddr_size = pfkey_sockaddr_size(x->props.family);
+ if (!sockaddr_size)
+@@ -3169,16 +3178,16 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ sizeof(struct sadb_x_policy);
+
+ if (x->id.proto == IPPROTO_AH)
+- size += count_ah_combs(t);
++ alg_size = count_ah_combs(t);
+ else if (x->id.proto == IPPROTO_ESP)
+- size += count_esp_combs(t);
++ alg_size = count_esp_combs(t);
+
+ if ((xfrm_ctx = x->security)) {
+ ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len);
+ size += sizeof(struct sadb_x_sec_ctx) + ctx_size;
+ }
+
+- skb = alloc_skb(size + 16, GFP_ATOMIC);
++ skb = alloc_skb(size + alg_size + 16, GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+@@ -3232,10 +3241,13 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ pol->sadb_x_policy_priority = xp->priority;
+
+ /* Set sadb_comb's. */
++ alg_size = 0;
+ if (x->id.proto == IPPROTO_AH)
+- dump_ah_combs(skb, t);
++ alg_size = dump_ah_combs(skb, t);
+ else if (x->id.proto == IPPROTO_ESP)
+- dump_esp_combs(skb, t);
++ alg_size = dump_esp_combs(skb, t);
++
++ hdr->sadb_msg_len += alg_size / 8;
+
+ /* security context */
+ if (xfrm_ctx) {
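Review bot: `alg_size` is reset here and reused for the number of bytes actually written, after holding the allocation upper bound earlier in pfkey_send_acquire(). Two names would make the invariant (written is at most allocated) readable, for example `alg_len = dump_ah_combs(skb, t);` with `alg_size` left as the bound. The literal in `hdr->sadb_msg_len += alg_size / 8;` would read better as `alg_size / sizeof(uint64_t)`, assuming the initial sadb_msg_len, which is set outside this hunk, is computed in the same 64-bit units. The function starts and ends outside the hunk.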
+--
+2.35.1
+
--- /dev/null
+From ae461e37800a3f0691dd76c80e3e2ec0cc6ebc78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 16:31:15 +0200
+Subject: ARM: dts: am335x-pcm-953: Define fixed regulators in root node
+
+From: Dominik Haller <d.haller@phytec.de>
+
+[ Upstream commit 8950f345a67d8046d2472dd6ea81fa18ef5b4844 ]
+
+Remove the regulators node and define fixed regulators in the root node.
+Prevents the sdhci-omap driver from waiting in probe deferral forever
+because of the missing vmmc-supply and keeps am335x-pcm-953 consistent with
+the other Phytec AM335 boards.
+
+Fixes: bb07a829ec38 ("ARM: dts: Add support for phyCORE-AM335x PCM-953 carrier board")
+Signed-off-by: Dominik Haller <d.haller@phytec.de>
+Message-Id: <20221011143115.248003-1-d.haller@phytec.de>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am335x-pcm-953.dtsi | 28 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+index 572fbd254690..495c55e5b5db 100644
+--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi
++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+@@ -15,22 +15,20 @@ / {
+ compatible = "phytec,am335x-pcm-953", "phytec,am335x-phycore-som", "ti,am33xx";
+
+ /* Power */
+- regulators {
+- vcc3v3: fixedregulator@1 {
+- compatible = "regulator-fixed";
+- regulator-name = "vcc3v3";
+- regulator-min-microvolt = <3300000>;
+- regulator-max-microvolt = <3300000>;
+- regulator-boot-on;
+- };
++ vcc3v3: fixedregulator1 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc3v3";
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-boot-on;
++ };
+
+- vcc1v8: fixedregulator@2 {
+- compatible = "regulator-fixed";
+- regulator-name = "vcc1v8";
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
+- regulator-boot-on;
+- };
++ vcc1v8: fixedregulator2 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc1v8";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ regulator-boot-on;
+ };
+
+ /* User IO */
+--
+2.35.1
+
--- /dev/null
+From e22ca8dff67cbab3d1d234db93541c408bbb56f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:59:23 +0100
+Subject: ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 40a2226e8bfacb79dd154dea68febeead9d847e9 ]
+
+We set the PIOC to GPIO mode. This way the pin becomes an
+input signal will be usable by the controller. Without
+this change the udc on the 9g20ek does not work.
+
+Cc: nicolas.ferre@microchip.com
+Cc: ludovic.desroches@microchip.com
+Cc: alexandre.belloni@bootlin.com
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: kernel@pengutronix.de
+Fixes: 5cb4e73575e3 ("ARM: at91: add at91sam9g20ek boards dt support")
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20221114185923.1023249-3-m.grzeschik@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/at91sam9g20ek_common.dtsi | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
+index ac9a1511e239..b90fc60f2d75 100644
+--- a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
++++ b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
+@@ -39,6 +39,13 @@ pinctrl_pck0_as_mck: pck0_as_mck {
+
+ };
+
++ usb1 {
++ pinctrl_usb1_vbus_gpio: usb1_vbus_gpio {
++ atmel,pins =
++ <AT91_PIOC 5 AT91_PERIPH_GPIO AT91_PINCTRL_DEGLITCH>; /* PC5 GPIO */
++ };
++ };
++
+ mmc0_slot1 {
+ pinctrl_board_mmc0_slot1: mmc0_slot1-board {
+ atmel,pins =
+@@ -72,6 +79,8 @@ macb0: ethernet@fffc4000 {
+ };
+
+ usb1: gadget@fffa4000 {
++ pinctrl-0 = <&pinctrl_usb1_vbus_gpio>;
++ pinctrl-names = "default";
+ atmel,vbus-gpio = <&pioC 5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ };
+--
+2.35.1
+
--- /dev/null
+From cddffd422043489c67cee19322686c07d05f1649 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 06:20:11 +0000
+Subject: ARM: mxs: fix memory leak in mxs_machine_init()
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit f31e3c204d1844b8680a442a48868af5ac3d5481 ]
+
+If of_property_read_string() failed, 'soc_dev_attr' should be
+freed before return. Otherwise there is a memory leak.
+
+Fixes: 2046338dcbc6 ("ARM: mxs: Use soc bus infrastructure")
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-mxs/mach-mxs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-mxs/mach-mxs.c b/arch/arm/mach-mxs/mach-mxs.c
+index 1c6062d240c8..4063fc1f435b 100644
+--- a/arch/arm/mach-mxs/mach-mxs.c
++++ b/arch/arm/mach-mxs/mach-mxs.c
+@@ -393,8 +393,10 @@ static void __init mxs_machine_init(void)
+
+ root = of_find_node_by_path("/");
+ ret = of_property_read_string(root, "model", &soc_dev_attr->machine);
+- if (ret)
++ if (ret) {
++ kfree(soc_dev_attr);
+ return;
++ }
+
+ soc_dev_attr->family = "Freescale MXS Family";
+ soc_dev_attr->soc_id = mxs_get_soc_id();
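Review bot: The new error branch frees `soc_dev_attr` but still returns without dropping the reference that `of_find_node_by_path("/")` took on `root` two lines above it. Unless `root` is released elsewhere in mxs_machine_init(), which this hunk does not show, the branch should also call `of_node_put(root);` before `kfree(soc_dev_attr);`. The rest of the function is outside the hunk, so check whether the success path has the same gap.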
+--
+2.35.1
+
--- /dev/null
+From 50b0afb865030ab1d0225b56048efc99d1caa1ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 19:57:48 -0600
+Subject: bus: sunxi-rsb: Support atomic transfers
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 077686da0e2162c4ea5ae0df205849c2a7a84479 ]
+
+When communicating with a PMIC during system poweroff (pm_power_off()),
+IRQs are disabled and we are in a RCU read-side critical section, so we
+cannot use wait_for_completion_io_timeout(). Instead, poll the status
+register for transfer completion.
+
+Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221114015749.28490-3-samuel@sholland.org
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/sunxi-rsb.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index b85d013a9185..d3fb350dc9ee 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -268,6 +268,9 @@ EXPORT_SYMBOL_GPL(sunxi_rsb_driver_register);
+ /* common code that starts a transfer */
+ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+ {
++ u32 int_mask, status;
++ bool timeout;
++
+ if (readl(rsb->regs + RSB_CTRL) & RSB_CTRL_START_TRANS) {
+ dev_dbg(rsb->dev, "RSB transfer still in progress\n");
+ return -EBUSY;
+@@ -275,13 +278,23 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+
+ reinit_completion(&rsb->complete);
+
+- writel(RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER,
+- rsb->regs + RSB_INTE);
++ int_mask = RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER;
++ writel(int_mask, rsb->regs + RSB_INTE);
+ writel(RSB_CTRL_START_TRANS | RSB_CTRL_GLOBAL_INT_ENB,
+ rsb->regs + RSB_CTRL);
+
+- if (!wait_for_completion_io_timeout(&rsb->complete,
+- msecs_to_jiffies(100))) {
++ if (irqs_disabled()) {
++ timeout = readl_poll_timeout_atomic(rsb->regs + RSB_INTS,
++ status, (status & int_mask),
++ 10, 100000);
++ writel(status, rsb->regs + RSB_INTS);
++ } else {
++ timeout = !wait_for_completion_io_timeout(&rsb->complete,
++ msecs_to_jiffies(100));
++ status = rsb->status;
++ }
++
++ if (timeout) {
+ dev_dbg(rsb->dev, "RSB timeout\n");
+
+ /* abort the transfer */
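Review bot: `timeout` is declared `bool`, but in the `irqs_disabled()` branch it receives the int result of `readl_poll_timeout_atomic()`, which is 0 or a negative errno. The conversion works, but it hides the error code and reads oddly next to the `!wait_for_completion_io_timeout(...)` form in the else branch. Wrapping the call as `timeout = readl_poll_timeout_atomic(...) != 0;` or using a separate `int ret` would make the intent explicit. The poll arguments `10, 100000` are microseconds and mirror the 100 ms wait in the other branch, so a short comment or named constants would keep the two timeouts in step. _sunxi_rsb_run_xfer() continues past this hunk.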
+@@ -293,18 +306,18 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+ return -ETIMEDOUT;
+ }
+
+- if (rsb->status & RSB_INTS_LOAD_BSY) {
++ if (status & RSB_INTS_LOAD_BSY) {
+ dev_dbg(rsb->dev, "RSB busy\n");
+ return -EBUSY;
+ }
+
+- if (rsb->status & RSB_INTS_TRANS_ERR) {
+- if (rsb->status & RSB_INTS_TRANS_ERR_ACK) {
++ if (status & RSB_INTS_TRANS_ERR) {
++ if (status & RSB_INTS_TRANS_ERR_ACK) {
+ dev_dbg(rsb->dev, "RSB slave nack\n");
+ return -EINVAL;
+ }
+
+- if (rsb->status & RSB_INTS_TRANS_ERR_DATA) {
++ if (status & RSB_INTS_TRANS_ERR_DATA) {
+ dev_dbg(rsb->dev, "RSB transfer data error\n");
+ return -EIO;
+ }
+--
+2.35.1
+
--- /dev/null
+From 0ed5c5ff2063da87d765434095d9a25cdc1ef8b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:49:11 -0800
+Subject: dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 77934dc6db0d2b111a8f2759e9ad2fb67f5cffa5 ]
+
+When connect() is called on a socket bound to the wildcard address,
+we change the socket's saddr to a local address. If the socket
+fails to connect() to the destination, we have to reset the saddr.
+
+However, when an error occurs after inet_hash6?_connect() in
+(dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave
+the socket bound to the address.
+
+From the user's point of view, whether saddr is reset or not varies
+with errno. Let's fix this inconsistent behaviour.
+
+Note that after this patch, the repro [0] will trigger the WARN_ON()
+in inet_csk_get_port() again, but this patch is not buggy and rather
+fixes a bug papering over the bhash2's bug for which we need another
+fix.
+
+For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect()
+by this sequence:
+
+ s1 = socket()
+ s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
+ s1.bind(('127.0.0.1', 10000))
+ s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000)))
+ # or s1.connect(('127.0.0.1', 10000))
+
+ s2 = socket()
+ s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
+ s2.bind(('0.0.0.0', 10000))
+ s2.connect(('127.0.0.1', 10000)) # -EADDRNOTAVAIL
+
+ s2.listen(32) # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2);
+
+[0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09
+
+Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Joanne Koong <joannelkoong@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/ipv4.c | 2 ++
+ net/dccp/ipv6.c | 2 ++
+ net/ipv4/tcp_ipv4.c | 2 ++
+ net/ipv6/tcp_ipv6.c | 2 ++
+ 4 files changed, 8 insertions(+)
+
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index 7e93087d1366..c021d5dde8f7 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -134,6 +134,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ * This unhashes the socket and releases the local port, if necessary.
+ */
+ dccp_set_state(sk, DCCP_CLOSED);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ ip_rt_put(rt);
+ sk->sk_route_caps = 0;
+ inet->inet_dport = 0;
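Review bot: The same two lines, `if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))` followed by `inet_reset_saddr(sk);`, are added without a comment to four failure paths: dccp_v4_connect() here, and dccp_v6_connect(), tcp_v4_connect() and tcp_v6_connect() in the following hunks. A small shared helper would keep the four paths from drifting apart. At minimum each site deserves a comment such as `/* undo the saddr chosen by connect() unless the user bound an explicit address */`. All four functions start and end outside their hunks.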
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index ae4851fdbe9e..72803e1ea10a 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -957,6 +957,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+
+ late_failure:
+ dccp_set_state(sk, DCCP_CLOSED);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ __sk_dst_reset(sk);
+ failure:
+ inet->inet_dport = 0;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 9d8c64b92011..8bbdd8e36618 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -265,6 +265,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ * if necessary.
+ */
+ tcp_set_state(sk, TCP_CLOSE);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ ip_rt_put(rt);
+ sk->sk_route_caps = 0;
+ inet->inet_dport = 0;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 4ef55062d37c..c639431d848c 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -310,6 +310,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+
+ late_failure:
+ tcp_set_state(sk, TCP_CLOSE);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ failure:
+ inet->inet_dport = 0;
+ sk->sk_route_caps = 0;
+--
+2.35.1
+
--- /dev/null
+From 876b1665bee208eaa79887841ed3f0206872e55a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 18:28:06 +0300
+Subject: net/mlx4: Check retval of mlx4_bitmap_init
+
+From: Peter Kosyh <pkosyh@yandex.ru>
+
+[ Upstream commit 594c61ffc77de0a197934aa0f1df9285c68801c6 ]
+
+If mlx4_bitmap_init fails, mlx4_bitmap_alloc_range will dereference
+the NULL pointer (bitmap->table).
+
+Make sure, that mlx4_bitmap_alloc_range called in no error case.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d57febe1a478 ("net/mlx4: Add A0 hybrid steering")
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Peter Kosyh <pkosyh@yandex.ru>
+Link: https://lore.kernel.org/r/20221117152806.278072-1-pkosyh@yandex.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/qp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
+index 73419224367a..6fbc19b143f8 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
+@@ -697,7 +697,8 @@ static int mlx4_create_zones(struct mlx4_dev *dev,
+ err = mlx4_bitmap_init(*bitmap + k, 1,
+ MLX4_QP_TABLE_RAW_ETH_SIZE - 1, 0,
+ 0);
+- mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0);
++ if (!err)
++ mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0);
+ }
+
+ if (err)
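Review bot: With the new `if (!err)` guard the return value of `mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0)` is still discarded, so a failed reservation in this branch goes unnoticed while a failed init is now handled. If the call is meant to reserve the first entry of the zone, which is how it reads, its failure should feed `err` too. Assuming it reports failure as -1, that would be `if (!err && mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0) == (u32)-1) err = -ENOMEM;`. The enclosing loop in mlx4_create_zones() starts outside the hunk.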
+--
+2.35.1
+
--- /dev/null
+From cdba9226fe9a3471f65683a0b0ed5c599f062444 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 14:55:27 +0800
+Subject: net: pch_gbe: fix potential memleak in pch_gbe_tx_queue()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 2360f9b8c4e81d242d4cbf99d630a2fffa681fab ]
+
+In pch_gbe_xmit_frame(), NETDEV_TX_OK will be returned whether
+pch_gbe_tx_queue() sends data successfully or not, so pch_gbe_tx_queue()
+needs to free skb before returning. But pch_gbe_tx_queue() returns without
+freeing skb in case of dma_map_single() fails. Add dev_kfree_skb_any()
+to fix it.
+
+Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 22e63ae80a10..119220c79226 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -1221,6 +1221,7 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter,
+ buffer_info->dma = 0;
+ buffer_info->time_stamp = 0;
+ tx_ring->next_to_use = ring_num;
++ dev_kfree_skb_any(skb);
+ return;
+ }
+ buffer_info->mapped = true;
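Review bot: The DMA-mapping failure path in pch_gbe_tx_queue() now frees the skb, but as far as the hunk shows the drop is not counted anywhere. Since the caller reports NETDEV_TX_OK regardless (per the commit message), I would bump the netdev's `tx_dropped` counter next to the new `dev_kfree_skb_any(skb);`. The same applies to the ql3xxx_send() hunk in the next patch, where the invalid-segment-count branch frees the skb and returns NETDEV_TX_OK. Both functions extend beyond their hunks, so check that no counter is already updated outside the visible lines.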
+--
+2.35.1
+
--- /dev/null
+From 0dd1eb430e8e4d01dc299339dd4ec7b6a1c7722f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 16:50:38 +0800
+Subject: net/qla3xxx: fix potential memleak in ql3xxx_send()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 62a7311fb96c61d281da9852dbee4712fc8c3277 ]
+
+The ql3xxx_send() returns NETDEV_TX_OK without freeing skb in error
+handling case, add dev_kfree_skb_any() to fix it.
+
+Fixes: bd36b0ac5d06 ("qla3xxx: Add support for Qlogic 4032 chip.")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1668675039-21138-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 9d384fb3b746..82f13d69631f 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2476,6 +2476,7 @@ static netdev_tx_t ql3xxx_send(struct sk_buff *skb,
+ skb_shinfo(skb)->nr_frags);
+ if (tx_cb->seg_count == -1) {
+ netdev_err(ndev, "%s: invalid segment count!\n", __func__);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 67e50768f6d6c5a090516a21f00bf6d4fdf24fec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 16:22:36 +0800
+Subject: net: thunderx: Fix the ACPI memory leak
+
+From: Yu Liao <liaoyu15@huawei.com>
+
+[ Upstream commit 661e5ebbafd26d9d2e3c749f5cf591e55c7364f5 ]
+
+The ACPI buffer memory (string.pointer) should be freed as the buffer is
+not used after returning from bgx_acpi_match_id(), free it to prevent
+memory leak.
+
+Fixes: 46b903a01c05 ("net, thunder, bgx: Add support to get MAC address from ACPI.")
+Signed-off-by: Yu Liao <liaoyu15@huawei.com>
+Link: https://lore.kernel.org/r/20221123082237.1220521-1-liaoyu15@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index d678f088925c..3dc7cde56894 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1243,8 +1243,10 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
+ return AE_OK;
+ }
+
+- if (strncmp(string.pointer, bgx_sel, 4))
++ if (strncmp(string.pointer, bgx_sel, 4)) {
++ kfree(string.pointer);
+ return AE_OK;
++ }
+
+ acpi_walk_namespace(ACPI_TYPE_DEVICE, handle, 1,
+ bgx_acpi_register_phy, NULL, bgx, NULL);
+--
+2.35.1
+
--- /dev/null
+From 3d803113f9ca06233797809feb752ae4577253b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 16:24:19 +0800
+Subject: NFC: nci: fix memory leak in nci_rx_data_packet()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 53270fb0fd77fe786d8c07a0793981d797836b93 ]
+
+Syzbot reported a memory leak about skb:
+
+unreferenced object 0xffff88810e144e00 (size 240):
+ comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff83ab79a9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497
+ [<ffffffff82a5cf64>] alloc_skb include/linux/skbuff.h:1267 [inline]
+ [<ffffffff82a5cf64>] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116
+ [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:759 [inline]
+ [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:743 [inline]
+ [<ffffffff815f6503>] do_iter_write+0x253/0x300 fs/read_write.c:863
+ [<ffffffff815f66ed>] vfs_writev+0xdd/0x240 fs/read_write.c:934
+ [<ffffffff815f68f6>] do_writev+0xa6/0x1c0 fs/read_write.c:977
+ [<ffffffff848802d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<ffffffff848802d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+In nci_rx_data_packet(), if we don't get a valid conn_info, we will return
+directly but forget to release the skb.
+
+Reported-by: syzbot+cdb9a427d1bc08815104@syzkaller.appspotmail.com
+Fixes: 4aeee6871e8c ("NFC: nci: Add dynamic logical connections support")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Link: https://lore.kernel.org/r/20221118082419.239475-1-liushixin2@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
+index 9e3f9460f14f..5d46d8dfad72 100644
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -291,8 +291,10 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb)
+ nci_plen(skb->data));
+
+ conn_info = nci_get_conn_info_by_conn_id(ndev, nci_conn_id(skb->data));
+- if (!conn_info)
++ if (!conn_info) {
++ kfree_skb(skb);
+ return;
++ }
+
+ /* strip the nci data header */
+ skb_pull(skb, NCI_DATA_HDR_SIZE);
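Review bot: `nci_plen(skb->data)` and `nci_conn_id(skb->data)` read the NCI data header before anything in this hunk checks that the skb holds `NCI_DATA_HDR_SIZE` bytes, and `skb_pull(skb, NCI_DATA_HDR_SIZE)` relies on the same assumption. The new `kfree_skb()` branch fixes the leak, but a short packet from the device would still be parsed unless the caller validates the length, which is not visible here. A guard such as `if (skb->len < NCI_DATA_HDR_SIZE) { kfree_skb(skb); return; }` ahead of the first header access would close that. The top of nci_rx_data_packet() is outside the hunk, so the exact insertion point has to be chosen there.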
+--
+2.35.1
+
--- /dev/null
+From c496f8fab8b7cbc9bdcba020d9da369124d3bfc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 21:02:49 +0800
+Subject: nfc/nci: fix race with opening and closing
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 0ad6bded175e829c2ca261529c9dce39a32a042d ]
+
+Previously we leverage NCI_UNREG and the lock inside nci_close_device to
+prevent the race condition between opening a device and closing a
+device. However, it still has problem because a failed opening command
+will erase the NCI_UNREG flag and allow another opening command to
+bypass the status checking.
+
+This fix corrects that by making sure the NCI_UNREG is held.
+
+Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com
+Fixes: 48b71a9e66c2 ("NFC: add NCI_UNREG flag to eliminate the race")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 99f4573fd917..216228c39acb 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -542,7 +542,7 @@ static int nci_open_device(struct nci_dev *ndev)
+ skb_queue_purge(&ndev->tx_q);
+
+ ndev->ops->close(ndev);
+- ndev->flags = 0;
++ ndev->flags &= BIT(NCI_UNREG);
+ }
+
+ done:
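Review bot: `ndev->flags &= BIT(NCI_UNREG);` is a plain read-modify-write on a word that, per the commit message, guards against a concurrent close path. If NCI_UNREG is set elsewhere with an atomic `set_bit()` and without the lock held here (neither is visible in this hunk), a set that lands between the load and the store is lost and the race returns. The line should carry a comment naming the lock that makes it safe, for example `/* keep only NCI_UNREG; the setter is serialised by <lock> */` with the real lock filled in. nci_open_device() starts and ends outside the hunk.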
+--
+2.35.1
+
--- /dev/null
+From 64036898b75d9fdb951c4dc8904f08363ebabc12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 18:42:44 -0600
+Subject: nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ]
+
+The first validation check for EVT_TRANSACTION has two different checks
+tied together with logical AND. One is a check for minimum packet length,
+and the other is for a valid aid_tag. If either condition is true (fails),
+then an error should be triggered. The fix is to change && to ||.
+
+Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
+Reviewed-by: Guenter Roeck <groeck@google.com>
+Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index 85df2e009310..e75929ff330e 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -338,7 +338,7 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+ * AID 81 5 to 16
+ * PARAMETERS 82 0 to 255
+ */
+- if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
++ if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
+ skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
+ return -EPROTO;
+
+--
+2.35.1
+
--- /dev/null
+From 4b9e815d868f4ab6b5086fe1e9a750c358d6311b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 18:42:45 -0600
+Subject: nfc: st-nci: fix memory leaks in EVT_TRANSACTION
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ]
+
+Error path does not free previously allocated memory. Add devm_kfree() to
+the failure path.
+
+Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
+Reviewed-by: Guenter Roeck <groeck@google.com>
+Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index e75929ff330e..b1d23b35aac4 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -352,8 +352,10 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+
+ /* Check next byte is PARAMETERS tag (82) */
+ if (skb->data[transaction->aid_len + 2] !=
+- NFC_EVT_TRANSACTION_PARAMS_TAG)
++ NFC_EVT_TRANSACTION_PARAMS_TAG) {
++ devm_kfree(dev, transaction);
+ return -EPROTO;
++ }
+
+ transaction->params_len = skb->data[transaction->aid_len + 3];
+ memcpy(transaction->params, skb->data +
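Review bot: The indices `transaction->aid_len + 2` and `transaction->aid_len + 3` are read from `skb->data` with no check in this hunk that the packet is that long, and `params_len` is then taken from the packet and feeds the `memcpy()` that continues below. If `aid_len` comes from the event payload (its assignment is outside the hunk), a malformed event could push these reads past `skb->len`, and the copy could exceed whatever was allocated for `transaction`. I would add a bound before the tag check, `if (skb->len < transaction->aid_len + 4)`, taking the same `devm_kfree(dev, transaction); return -EPROTO;` exit, and bound `params_len` against the remaining length before the copy. The function starts and ends outside this hunk, so confirm neither check already exists there.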
+--
+2.35.1
+
--- /dev/null
+From d15c729766a4332f30049091c2890531271d4605 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 13:05:39 +0100
+Subject: s390/crashdump: fix TOD programmable field size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit f44e07a8afdd713ddc1a8832c39372fe5dd86895 ]
+
+The size of the TOD programmable field was incorrectly increased from
+four to eight bytes with commit 1a2c5840acf9 ("s390/dump: cleanup CPU
+save area handling").
+This leads to an elf notes section NT_S390_TODPREG which has a size of
+eight instead of four bytes in case of kdump, however even worse is
+that the contents is incorrect: it is supposed to contain only the
+contents of the TOD programmable field, but in fact contains a mix of
+the TOD programmable field (32 bit upper bits) and parts of the CPU
+timer register (lower 32 bits).
+
+Fix this by simply changing the size of the todpreg field within the
+save area structure. This will implicitly also fix the size of the
+corresponding elf notes sections.
+
+This also gets rid of this compile time warning:
+
+in function ‘fortify_memcpy_chk’,
+ inlined from ‘save_area_add_regs’ at arch/s390/kernel/crash_dump.c:99:2:
+./include/linux/fortify-string.h:413:25: error: call to ‘__read_overflow2_field’
+ declared with attribute warning: detected read beyond size of field
+ (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 1a2c5840acf9 ("s390/dump: cleanup CPU save area handling")
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/crash_dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c
+index 9b0216d571ad..feb8f332b55c 100644
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -45,7 +45,7 @@ struct save_area {
+ u64 fprs[16];
+ u32 fpc;
+ u32 prefix;
+- u64 todpreg;
++ u32 todpreg;
+ u64 timer;
+ u64 todcmp;
+ u64 vxrs_low[16];
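Review bot: Nothing on the `todpreg` line records why it is `u32` while its neighbours are `u64`, yet per the commit message the ELF note size follows from this field's size, so the width is load-bearing. A comment on that line, e.g. `/* TOD programmable field is 4 bytes; sizes NT_S390_TODPREG */`, would keep it from being widened again. Unless the struct is packed, the narrower field also leaves four bytes of implicit padding before `u64 timer`, which matters if the structure is ever copied out as a whole. The struct definition starts and ends outside this hunk.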
+--
+2.35.1
+
--- /dev/null
+From c334278f124c7e356aebcee984b669ffb3a5a5c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 17:07:18 +0100
+Subject: s390/dasd: fix no record found for raw_track_access
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 590ce6d96d6a224b470a3862c33a483d5022bfdb ]
+
+For DASD devices in raw_track_access mode only full track images are
+read and written.
+For this purpose it is not necessary to do search operation in the
+locate record extended function. The documentation even states that
+this might fail if the searched record is not found on a track.
+
+Currently the driver sets a value of 1 in the search field for the first
+record after record zero. This is the default for disks not in
+raw_track_access mode but record 1 might be missing on a completely
+empty track.
+
+There has not been any problem with this on IBM storage servers but it
+might lead to errors with DASD devices on other vendors storage servers.
+
+Fix this by setting the search field to 0. Record zero is always available
+even on a completely empty track.
+
+Fixes: e4dbb0f2b5dd ("[S390] dasd: Add support for raw ECKD access.")
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221123160719.3002694-4-sth@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index aa651403546f..ab20730865e8 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -3783,7 +3783,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+ struct dasd_device *basedev;
+ struct req_iterator iter;
+ struct dasd_ccw_req *cqr;
+- unsigned int first_offs;
+ unsigned int trkcount;
+ unsigned long *idaws;
+ unsigned int size;
+@@ -3817,7 +3816,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+ last_trk = (blk_rq_pos(req) + blk_rq_sectors(req) - 1) /
+ DASD_RAW_SECTORS_PER_TRACK;
+ trkcount = last_trk - first_trk + 1;
+- first_offs = 0;
+
+ if (rq_data_dir(req) == READ)
+ cmd = DASD_ECKD_CCW_READ_TRACK;
+@@ -3861,13 +3859,13 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+
+ if (use_prefix) {
+ prefix_LRE(ccw++, data, first_trk, last_trk, cmd, basedev,
+- startdev, 1, first_offs + 1, trkcount, 0, 0);
++ startdev, 1, 0, trkcount, 0, 0);
+ } else {
+ define_extent(ccw++, data, first_trk, last_trk, cmd, basedev, 0);
+ ccw[-1].flags |= CCW_FLAG_CC;
+
+ data += sizeof(struct DE_eckd_data);
+- locate_record_ext(ccw++, data, first_trk, first_offs + 1,
++ locate_record_ext(ccw++, data, first_trk, 0,
+ trkcount, cmd, basedev, 0, 0);
+ }
+
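Review bot: The search argument is now a bare `0` in both `prefix_LRE()` and `locate_record_ext()`, sitting among other literal `0` and `1` arguments, so the reason for the value is invisible at the call sites. A short comment above the `if (use_prefix)` block, e.g. `/* raw track access: search record zero, which exists even on an empty track */`, would carry the reasoning from the commit message into the code. The function body starts and ends outside this hunk.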
+--
+2.35.1
+
wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch
mips-pic32-treat-port-as-signed-integer.patch
+af_key-fix-send_acquire-race-with-pfkey_register.patch
+arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch
+bus-sunxi-rsb-support-atomic-transfers.patch
+arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch
+nfc-nci-fix-race-with-opening-and-closing.patch
+net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch
+9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch
+arm-mxs-fix-memory-leak-in-mxs_machine_init.patch
+net-mlx4-check-retval-of-mlx4_bitmap_init.patch
+net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch
+xfrm-fix-ignored-return-value-in-xfrm6_init.patch
+nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch
+dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch
+s390-dasd-fix-no-record-found-for-raw_track_access.patch
+nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch
+nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch
+net-thunderx-fix-the-acpi-memory-leak.patch
+s390-crashdump-fix-tod-programmable-field-size.patch
--- /dev/null
+From 80516bc9faeabe08d9126032d89d8e0fedead220 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 17:07:13 +0800
+Subject: xfrm: Fix ignored return value in xfrm6_init()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 40781bfb836eda57d19c0baa37c7e72590e05fdc ]
+
+When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
+is possible to fail but its return value is ignored.
+
+If IPv6 initialization fails later and xfrm6_fini() is called,
+removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:
+
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 1 PID: 330 Comm: insmod
+RIP: 0010:unregister_pernet_operations+0xc9/0x450
+Call Trace:
+ <TASK>
+ unregister_pernet_subsys+0x31/0x3e
+ xfrm6_fini+0x16/0x30 [ipv6]
+ ip6_route_init+0xcd/0x128 [ipv6]
+ inet6_init+0x29c/0x602 [ipv6]
+ ...
+
+Fix it by catching the error return value of register_pernet_subsys().
+
+Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_policy.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index b0d80cef7c2b..44d616d0bd00 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -412,9 +412,13 @@ int __init xfrm6_init(void)
+ if (ret)
+ goto out_state;
+
+- register_pernet_subsys(&xfrm6_net_ops);
++ ret = register_pernet_subsys(&xfrm6_net_ops);
++ if (ret)
++ goto out_protocol;
+ out:
+ return ret;
++out_protocol:
++ xfrm6_protocol_fini();
+ out_state:
+ xfrm6_state_fini();
+ out_policy:
+--
+2.35.1
+