--- /dev/null
+From ef191039261e6299d0524a779176e2161f7e34a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 10:17:32 +0800
+Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ]
+
+smatch error:
+sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
+we previously assumed 'rac97' could be null (see line 2072)
+
+remove redundant assignment, return error if rac97 is NULL.
+
+Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/ac97/ac97_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index a276c4283c7bb..3f13666a01904 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -2026,8 +2026,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
+ .dev_disconnect = snd_ac97_dev_disconnect,
+ };
+
+- if (rac97)
+- *rac97 = NULL;
++ if (!rac97)
++ return -EINVAL;
+ if (snd_BUG_ON(!bus || !template))
+ return -EINVAL;
+ if (snd_BUG_ON(template->num >= 4))
+--
+2.39.2
+
--- /dev/null
+From ad8837c42c62766fa3f8dfe3b124485fc46c71a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jun 2023 00:50:50 +0900
+Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__
+ guard
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ]
+
+ASM_NL is useful not only in *.S files but also in .c files for using
+inline assembler in C code.
+
+On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to
+a backquote (`) in *.S files, but a semicolon (;) in *.c files because
+arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__,
+so the definition for C code falls back to the default value defined in
+include/linux/linkage.h.
+
+If ASM_NL is used in inline assembler in .c files, it will result in
+wrong assembly code because a semicolon is not an instruction separator,
+but the start of a comment for ARC.
+
+Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef.
+
+Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro")
+Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/linkage.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h
+index f3d29d4840d58..b89ca8b4d5975 100644
+--- a/arch/arc/include/asm/linkage.h
++++ b/arch/arc/include/asm/linkage.h
+@@ -11,6 +11,10 @@
+
+ #include <asm/dwarf.h>
+
++#define ASM_NL ` /* use '`' to mark new line in macro */
++#define __ALIGN .align 4
++#define __ALIGN_STR __stringify(__ALIGN)
++
+ #ifdef __ASSEMBLY__
+
+ .macro ST2 e, o, off
+@@ -31,10 +35,6 @@
+ #endif
+ .endm
+
+-#define ASM_NL ` /* use '`' to mark new line in macro */
+-#define __ALIGN .align 4
+-#define __ALIGN_STR __stringify(__ALIGN)
+-
+ /* annotation for data we want in DCCM - if enabled in .config */
+ .macro ARCFP_DATA nm
+ #ifdef CONFIG_ARC_HAS_DCCM
+--
+2.39.2
+
--- /dev/null
+From 75acdde2ef23456085ec596574a650610356060a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 May 2019 16:24:15 -0700
+Subject: ARCv2: entry: avoid a branch
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+[ Upstream commit ab854bfcd310b5872fe12eb8d3f2c30fe427f8f7 ]
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/entry-arcv2.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
+index 3209a67629606..beaf655666cbd 100644
+--- a/arch/arc/include/asm/entry-arcv2.h
++++ b/arch/arc/include/asm/entry-arcv2.h
+@@ -100,12 +100,11 @@
+ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc),
+ ; but on return, restored only if U mode
+
++ lr r9, [AUX_USER_SP] ; U mode SP
++
+ mov.nz r9, sp
+ add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP
+- bnz 1f
+
+- lr r9, [AUX_USER_SP] ; U mode SP
+-1:
+ PUSH r9 ; SP (pt_regs->sp)
+
+ PUSH fp
+--
+2.39.2
+
--- /dev/null
+From d101114608fd77f1804cd33e13286d0ff46f7084 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Apr 2019 16:55:15 -0700
+Subject: ARCv2: entry: comments about hardware auto-save on taken interrupts
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+[ Upstream commit 45869eb0c0afd72bd5ab2437d4b00915697c044a ]
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/entry-arcv2.h | 78 ++++++++++++++++++++++++------
+ 1 file changed, 62 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
+index 225e7df2d8ed8..1c3520d1fa420 100644
+--- a/arch/arc/include/asm/entry-arcv2.h
++++ b/arch/arc/include/asm/entry-arcv2.h
+@@ -7,15 +7,54 @@
+ #include <asm/irqflags-arcv2.h>
+ #include <asm/thread_info.h> /* For THREAD_SIZE */
+
++/*
++ * Interrupt/Exception stack layout (pt_regs) for ARCv2
++ * (End of struct aligned to end of page [unless nested])
++ *
++ * INTERRUPT EXCEPTION
++ *
++ * manual --------------------- manual
++ * | orig_r0 |
++ * | event/ECR |
++ * | bta |
++ * | user_r25 |
++ * | gp |
++ * | fp |
++ * | sp |
++ * | r12 |
++ * | r30 |
++ * | r58 |
++ * | r59 |
++ * hw autosave ---------------------
++ * optional | r0 |
++ * | r1 |
++ * ~ ~
++ * | r9 |
++ * | r10 |
++ * | r11 |
++ * | blink |
++ * | lpe |
++ * | lps |
++ * | lpc |
++ * | ei base |
++ * | ldi base |
++ * | jli base |
++ * ---------------------
++ * hw autosave | pc / eret |
++ * mandatory | stat32 / erstatus |
++ * ---------------------
++ */
++
+ /*------------------------------------------------------------------------*/
+ .macro INTERRUPT_PROLOGUE called_from
+-
+- ; Before jumping to Interrupt Vector, hardware micro-ops did following:
++ ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following:
+ ; 1. SP auto-switched to kernel mode stack
+- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1, K:0)
+- ; 3. Auto saved: r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI, PC, STAT32
++ ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0)
++ ; 3. Auto save: (mandatory) Push PC and STAT32 on stack
++ ; hardware does even if CONFIG_ARC_IRQ_NO_AUTOSAVE
++ ; 4. Auto save: (optional) r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI
+ ;
+- ; Now manually save: r12, sp, fp, gp, r25
++ ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair
+
+ #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
+ .ifnc \called_from, exception
+@@ -57,14 +96,17 @@
+ ; - U mode: retrieve it from AUX_USER_SP
+ ; - K mode: add the offset from current SP where H/w starts auto push
+ ;
+- ; Utilize the fact that Z bit is set if Intr taken in U mode
++ ; 1. Utilize the fact that Z bit is set if Intr taken in U mode
++ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc),
++ ; but on return, restored only if U mode
++
+ mov.nz r9, sp
+- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4
++ add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP
+ bnz 1f
+
+- lr r9, [AUX_USER_SP]
++ lr r9, [AUX_USER_SP] ; U mode SP
+ 1:
+- PUSH r9 ; SP
++ PUSH r9 ; SP (pt_regs->sp)
+
+ PUSH fp
+ PUSH gp
+@@ -85,6 +127,8 @@
+ /*------------------------------------------------------------------------*/
+ .macro INTERRUPT_EPILOGUE called_from
+
++ ; INPUT: r0 has STAT32 of calling context
++ ; INPUT: Z flag set if returning to K mode
+ .ifnc \called_from, exception
+ add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss
+ .endif
+@@ -98,9 +142,10 @@
+ POP gp
+ POP fp
+
+- ; Don't touch AUX_USER_SP if returning to K mode (Z bit set)
+- ; (Z bit set on K mode is inverse of INTERRUPT_PROLOGUE)
+- add.z sp, sp, 4
++ ; Restore SP (into AUX_USER_SP) only if returning to U mode
++ ; - for K mode, it will be implicitly restored as stack is unwound
++ ; - Z flag set on K is inverse of what hardware does on interrupt entry
++ ; but that doesn't really matter
+ bz 1f
+
+ POPAX AUX_USER_SP
+@@ -145,11 +190,11 @@
+ /*------------------------------------------------------------------------*/
+ .macro EXCEPTION_PROLOGUE
+
+- ; Before jumping to Exception Vector, hardware micro-ops did following:
++ ; (A) Before jumping to Exception Vector, hardware micro-ops did following:
+ ; 1. SP auto-switched to kernel mode stack
+- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1,K:0)
++ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0)
+ ;
+- ; Now manually save the complete reg file
++ ; (B) Manually save the complete reg file below
+
+ PUSH r9 ; freeup a register: slot of erstatus
+
+@@ -195,12 +240,13 @@
+ PUSHAX ecr ; r9 contains ECR, expected by EV_Trap
+
+ PUSH r0 ; orig_r0
++ ; OUTPUT: r9 has ECR
+ .endm
+
+ /*------------------------------------------------------------------------*/
+ .macro EXCEPTION_EPILOGUE
+
+- ; Assumes r0 has PT_status32
++ ; INPUT: r0 has STAT32 of calling context
+ btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE
+
+ add sp, sp, 8 ; orig_r0/ECR don't need restoring
+--
+2.39.2
+
--- /dev/null
+From e4c727839b77a24016fb973f42e27538b4d5f0b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Apr 2019 19:16:37 -0700
+Subject: ARCv2: entry: push out the Z flag unclobber from common
+ EXCEPTION_PROLOGUE
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+[ Upstream commit 23c0cbd0c75c3b564850294427fd2be2bc2a015b ]
+
+Upon a taken interrupt/exception from User mode, HS hardware auto sets Z flag.
+This helps shave a few instructions from EXCEPTION_PROLOGUE by eliding
+re-reading ERSTATUS and some bit fiddling.
+
+However TLB Miss Exception handler can clobber the CPU flags and still end
+up in EXCEPTION_PROLOGUE in the slow path handling TLB handling case:
+
+ EV_TLBMissD
+ do_slow_path_pf
+ EV_TLBProtV (aliased to call_do_page_fault)
+ EXCEPTION_PROLOGUE
+
+As a result, EXCEPTION_PROLOGUE need to "unclobber" the Z flag which this
+patch changes. It is now pushed out to TLB Miss Exception handler.
+The reasons beings:
+
+ - The flag restoration is only needed for slowpath TLB Miss Exception
+ handling, but currently being in EXCEPTION_PROLOGUE penalizes all
+ exceptions such as ProtV and syscall Trap, where Z flag is already
+ as expected.
+
+ - Pushing unclobber out to where it was clobbered is much cleaner and
+ also serves to document the fact.
+
+ - Makes EXCEPTION_PROLGUE similar to INTERRUPT_PROLOGUE so easier to
+ refactor the common parts which is what this series aims to do
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/entry-arcv2.h | 8 --------
+ arch/arc/mm/tlbex.S | 11 +++++++++++
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
+index 1c3520d1fa420..3209a67629606 100644
+--- a/arch/arc/include/asm/entry-arcv2.h
++++ b/arch/arc/include/asm/entry-arcv2.h
+@@ -225,14 +225,6 @@
+
+ ; -- for interrupts, regs above are auto-saved by h/w in that order --
+ ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25)
+- ;
+- ; Set Z flag if this was from U mode (expected by INTERRUPT_PROLOGUE)
+- ; Although H/w exception micro-ops do set Z flag for U mode (just like
+- ; for interrupts), it could get clobbered in case we soft land here from
+- ; a TLB Miss exception handler (tlbex.S)
+-
+- and r10, r10, STATUS_U_MASK
+- xor.f 0, r10, STATUS_U_MASK
+
+ INTERRUPT_PROLOGUE exception
+
+diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S
+index 0e1e47a67c736..e50cac799a518 100644
+--- a/arch/arc/mm/tlbex.S
++++ b/arch/arc/mm/tlbex.S
+@@ -396,6 +396,17 @@ EV_TLBMissD_fast_ret: ; additional label for VDK OS-kit instrumentation
+ ;-------- Common routine to call Linux Page Fault Handler -----------
+ do_slow_path_pf:
+
++#ifdef CONFIG_ISA_ARCV2
++ ; Set Z flag if exception in U mode. Hardware micro-ops do this on any
++ ; taken interrupt/exception, and thus is already the case at the entry
++ ; above, but ensuing code would have already clobbered.
++ ; EXCEPTION_PROLOGUE called in slow path, relies on correct Z flag set
++
++ lr r2, [erstatus]
++ and r2, r2, STATUS_U_MASK
++ bxor.f 0, r2, STATUS_U_BIT
++#endif
++
+ ; Restore the 4-scratch regs saved by fast path miss handler
+ TLBMISS_RESTORE_REGS
+
+--
+2.39.2
+
--- /dev/null
+From d0fb99fc001ef3d140785f937db576f9b135eadd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 May 2019 15:36:46 -0700
+Subject: ARCv2: entry: rewrite to enable use of double load/stores LDD/STD
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+[ Upstream commit a4880801a72ecc2dcdfa432f81a754f3e7438567 ]
+
+ - the motivation was to be remove blatent copy-paste due to hasty support
+ of CONFIG_ARC_IRQ_NO_AUTOSAVE support
+
+ - but with refactoring we could use LDD/STD to greatly optimize the code
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/entry-arcv2.h | 297 ++++++++++++++---------------
+ arch/arc/include/asm/linkage.h | 18 ++
+ arch/arc/kernel/asm-offsets.c | 7 +
+ arch/arc/kernel/entry-arcv2.S | 4 +-
+ 4 files changed, 167 insertions(+), 159 deletions(-)
+
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
+index beaf655666cbd..0733752ce7fe8 100644
+--- a/arch/arc/include/asm/entry-arcv2.h
++++ b/arch/arc/include/asm/entry-arcv2.h
+@@ -46,7 +46,8 @@
+ */
+
+ /*------------------------------------------------------------------------*/
+-.macro INTERRUPT_PROLOGUE called_from
++.macro INTERRUPT_PROLOGUE
++
+ ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following:
+ ; 1. SP auto-switched to kernel mode stack
+ ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0)
+@@ -57,39 +58,87 @@
+ ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair
+
+ #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
+-.ifnc \called_from, exception
+- st.as r9, [sp, -10] ; save r9 in it's final stack slot
+- sub sp, sp, 12 ; skip JLI, LDI, EI
+-
+- PUSH lp_count
+- PUSHAX lp_start
+- PUSHAX lp_end
+- PUSH blink
+-
+- PUSH r11
+- PUSH r10
+-
+- sub sp, sp, 4 ; skip r9
+-
+- PUSH r8
+- PUSH r7
+- PUSH r6
+- PUSH r5
+- PUSH r4
+- PUSH r3
+- PUSH r2
+- PUSH r1
+- PUSH r0
+-.endif
+-#endif
++ ; carve pt_regs on stack (case #3), PC/STAT32 already on stack
++ sub sp, sp, SZ_PT_REGS - 8
+
+-#ifdef CONFIG_ARC_HAS_ACCL_REGS
+- PUSH r59
+- PUSH r58
++ __SAVE_REGFILE_HARD
++#else
++ ; carve pt_regs on stack (case #4), which grew partially already
++ sub sp, sp, PT_r0
+ #endif
+
+- PUSH r30
+- PUSH r12
++ __SAVE_REGFILE_SOFT
++.endm
++
++/*------------------------------------------------------------------------*/
++.macro EXCEPTION_PROLOGUE
++
++ ; (A) Before jumping to Exception Vector, hardware micro-ops did following:
++ ; 1. SP auto-switched to kernel mode stack
++ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0)
++ ;
++ ; (B) Manually save the complete reg file below
++
++ sub sp, sp, SZ_PT_REGS ; carve pt_regs
++
++ ; _HARD saves r10 clobbered by _SOFT as scratch hence comes first
++
++ __SAVE_REGFILE_HARD
++ __SAVE_REGFILE_SOFT
++
++ st r0, [sp] ; orig_r0
++
++ lr r10, [eret]
++ lr r11, [erstatus]
++ ST2 r10, r11, PT_ret
++
++ lr r10, [ecr]
++ lr r11, [erbta]
++ ST2 r10, r11, PT_event
++ mov r9, r10
++
++ ; OUTPUT: r9 has ECR
++.endm
++
++/*------------------------------------------------------------------------
++ * This macro saves the registers manually which would normally be autosaved
++ * by hardware on taken interrupts. It is used by
++ * - exception handlers (which don't have autosave)
++ * - interrupt autosave disabled due to CONFIG_ARC_IRQ_NO_AUTOSAVE
++ */
++.macro __SAVE_REGFILE_HARD
++
++ ST2 r0, r1, PT_r0
++ ST2 r2, r3, PT_r2
++ ST2 r4, r5, PT_r4
++ ST2 r6, r7, PT_r6
++ ST2 r8, r9, PT_r8
++ ST2 r10, r11, PT_r10
++
++ st blink, [sp, PT_blink]
++
++ lr r10, [lp_end]
++ lr r11, [lp_start]
++ ST2 r10, r11, PT_lpe
++
++ st lp_count, [sp, PT_lpc]
++
++ ; skip JLI, LDI, EI for now
++.endm
++
++/*------------------------------------------------------------------------
++ * This macros saves a bunch of other registers which can't be autosaved for
++ * various reasons:
++ * - r12: the last caller saved scratch reg since hardware saves in pairs so r0-r11
++ * - r30: free reg, used by gcc as scratch
++ * - ACCL/ACCH pair when they exist
++ */
++.macro __SAVE_REGFILE_SOFT
++
++ ST2 gp, fp, PT_r26 ; gp (r26), fp (r27)
++
++ st r12, [sp, PT_sp + 4]
++ st r30, [sp, PT_sp + 8]
+
+ ; Saving pt_regs->sp correctly requires some extra work due to the way
+ ; Auto stack switch works
+@@ -100,46 +149,32 @@
+ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc),
+ ; but on return, restored only if U mode
+
+- lr r9, [AUX_USER_SP] ; U mode SP
++ lr r10, [AUX_USER_SP] ; U mode SP
+
+- mov.nz r9, sp
+- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP
++ ; ISA requires ADD.nz to have same dest and src reg operands
++ mov.nz r10, sp
++ add.nz r10, r10, SZ_PT_REGS ; K mode SP
+
+- PUSH r9 ; SP (pt_regs->sp)
+-
+- PUSH fp
+- PUSH gp
++ st r10, [sp, PT_sp] ; SP (pt_regs->sp)
+
+ #ifdef CONFIG_ARC_CURR_IN_REG
+- PUSH r25 ; user_r25
++ st r25, [sp, PT_user_r25]
+ GET_CURR_TASK_ON_CPU r25
+-#else
+- sub sp, sp, 4
+ #endif
+
+-.ifnc \called_from, exception
+- sub sp, sp, 12 ; BTA/ECR/orig_r0 placeholder per pt_regs
+-.endif
++#ifdef CONFIG_ARC_HAS_ACCL_REGS
++ ST2 r58, r59, PT_sp + 12
++#endif
+
+ .endm
+
+ /*------------------------------------------------------------------------*/
+-.macro INTERRUPT_EPILOGUE called_from
++.macro __RESTORE_REGFILE_SOFT
+
+- ; INPUT: r0 has STAT32 of calling context
+- ; INPUT: Z flag set if returning to K mode
+-.ifnc \called_from, exception
+- add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss
+-.endif
+-
+-#ifdef CONFIG_ARC_CURR_IN_REG
+- POP r25
+-#else
+- add sp, sp, 4
+-#endif
++ LD2 gp, fp, PT_r26 ; gp (r26), fp (r27)
+
+- POP gp
+- POP fp
++ ld r12, [sp, PT_sp + 4]
++ ld r30, [sp, PT_sp + 8]
+
+ ; Restore SP (into AUX_USER_SP) only if returning to U mode
+ ; - for K mode, it will be implicitly restored as stack is unwound
+@@ -147,129 +182,77 @@
+ ; but that doesn't really matter
+ bz 1f
+
+- POPAX AUX_USER_SP
++ ld r10, [sp, PT_sp] ; SP (pt_regs->sp)
++ sr r10, [AUX_USER_SP]
+ 1:
+- POP r12
+- POP r30
+
+-#ifdef CONFIG_ARC_HAS_ACCL_REGS
+- POP r58
+- POP r59
++#ifdef CONFIG_ARC_CURR_IN_REG
++ ld r25, [sp, PT_user_r25]
+ #endif
+
+-#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
+-.ifnc \called_from, exception
+- POP r0
+- POP r1
+- POP r2
+- POP r3
+- POP r4
+- POP r5
+- POP r6
+- POP r7
+- POP r8
+- POP r9
+- POP r10
+- POP r11
+-
+- POP blink
+- POPAX lp_end
+- POPAX lp_start
+-
+- POP r9
+- mov lp_count, r9
+-
+- add sp, sp, 12 ; skip JLI, LDI, EI
+- ld.as r9, [sp, -10] ; reload r9 which got clobbered
+-.endif
++#ifdef CONFIG_ARC_HAS_ACCL_REGS
++ LD2 r58, r59, PT_sp + 12
+ #endif
+-
+ .endm
+
+ /*------------------------------------------------------------------------*/
+-.macro EXCEPTION_PROLOGUE
++.macro __RESTORE_REGFILE_HARD
+
+- ; (A) Before jumping to Exception Vector, hardware micro-ops did following:
+- ; 1. SP auto-switched to kernel mode stack
+- ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0)
+- ;
+- ; (B) Manually save the complete reg file below
++ ld blink, [sp, PT_blink]
+
+- PUSH r9 ; freeup a register: slot of erstatus
++ LD2 r10, r11, PT_lpe
++ sr r10, [lp_end]
++ sr r11, [lp_start]
+
+- PUSHAX eret
+- sub sp, sp, 12 ; skip JLI, LDI, EI
+- PUSH lp_count
+- PUSHAX lp_start
+- PUSHAX lp_end
+- PUSH blink
++ ld r10, [sp, PT_lpc] ; lp_count can't be target of LD
++ mov lp_count, r10
+
+- PUSH r11
+- PUSH r10
++ LD2 r0, r1, PT_r0
++ LD2 r2, r3, PT_r2
++ LD2 r4, r5, PT_r4
++ LD2 r6, r7, PT_r6
++ LD2 r8, r9, PT_r8
++ LD2 r10, r11, PT_r10
++.endm
+
+- ld.as r9, [sp, 10] ; load stashed r9 (status32 stack slot)
+- lr r10, [erstatus]
+- st.as r10, [sp, 10] ; save status32 at it's right stack slot
+
+- PUSH r9
+- PUSH r8
+- PUSH r7
+- PUSH r6
+- PUSH r5
+- PUSH r4
+- PUSH r3
+- PUSH r2
+- PUSH r1
+- PUSH r0
++/*------------------------------------------------------------------------*/
++.macro INTERRUPT_EPILOGUE
+
+- ; -- for interrupts, regs above are auto-saved by h/w in that order --
+- ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25)
++ ; INPUT: r0 has STAT32 of calling context
++ ; INPUT: Z flag set if returning to K mode
+
+- INTERRUPT_PROLOGUE exception
++ ; _SOFT clobbers r10 restored by _HARD hence the order
+
+- PUSHAX erbta
+- PUSHAX ecr ; r9 contains ECR, expected by EV_Trap
++ __RESTORE_REGFILE_SOFT
++
++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
++ __RESTORE_REGFILE_HARD
++ add sp, sp, SZ_PT_REGS - 8
++#else
++ add sp, sp, PT_r0
++#endif
+
+- PUSH r0 ; orig_r0
+- ; OUTPUT: r9 has ECR
+ .endm
+
+ /*------------------------------------------------------------------------*/
+ .macro EXCEPTION_EPILOGUE
+
+ ; INPUT: r0 has STAT32 of calling context
+- btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE
+-
+- add sp, sp, 8 ; orig_r0/ECR don't need restoring
+- POPAX erbta
+-
+- INTERRUPT_EPILOGUE exception
+-
+- POP r0
+- POP r1
+- POP r2
+- POP r3
+- POP r4
+- POP r5
+- POP r6
+- POP r7
+- POP r8
+- POP r9
+- POP r10
+- POP r11
+-
+- POP blink
+- POPAX lp_end
+- POPAX lp_start
+-
+- POP r9
+- mov lp_count, r9
+-
+- add sp, sp, 12 ; skip JLI, LDI, EI
+- POPAX eret
+- POPAX erstatus
+-
+- ld.as r9, [sp, -12] ; reload r9 which got clobbered
++
++ btst r0, STATUS_U_BIT ; Z flag set if K, used in restoring SP
++
++ ld r10, [sp, PT_event + 4]
++ sr r10, [erbta]
++
++ LD2 r10, r11, PT_ret
++ sr r10, [eret]
++ sr r11, [erstatus]
++
++ __RESTORE_REGFILE_SOFT
++ __RESTORE_REGFILE_HARD
++
++ add sp, sp, SZ_PT_REGS
+ .endm
+
+ .macro FAKE_RET_FROM_EXCPN
+diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h
+index 07c8e1a6c56e2..f3d29d4840d58 100644
+--- a/arch/arc/include/asm/linkage.h
++++ b/arch/arc/include/asm/linkage.h
+@@ -13,6 +13,24 @@
+
+ #ifdef __ASSEMBLY__
+
++.macro ST2 e, o, off
++#ifdef CONFIG_ARC_HAS_LL64
++ std \e, [sp, \off]
++#else
++ st \e, [sp, \off]
++ st \o, [sp, \off+4]
++#endif
++.endm
++
++.macro LD2 e, o, off
++#ifdef CONFIG_ARC_HAS_LL64
++ ldd \e, [sp, \off]
++#else
++ ld \e, [sp, \off]
++ ld \o, [sp, \off+4]
++#endif
++.endm
++
+ #define ASM_NL ` /* use '`' to mark new line in macro */
+ #define __ALIGN .align 4
+ #define __ALIGN_STR __stringify(__ALIGN)
+diff --git a/arch/arc/kernel/asm-offsets.c b/arch/arc/kernel/asm-offsets.c
+index ecaf34e9235c2..e90dccecfd833 100644
+--- a/arch/arc/kernel/asm-offsets.c
++++ b/arch/arc/kernel/asm-offsets.c
+@@ -58,7 +58,14 @@ int main(void)
+ DEFINE(PT_r5, offsetof(struct pt_regs, r5));
+ DEFINE(PT_r6, offsetof(struct pt_regs, r6));
+ DEFINE(PT_r7, offsetof(struct pt_regs, r7));
++ DEFINE(PT_r8, offsetof(struct pt_regs, r8));
++ DEFINE(PT_r10, offsetof(struct pt_regs, r10));
++ DEFINE(PT_r26, offsetof(struct pt_regs, r26));
+ DEFINE(PT_ret, offsetof(struct pt_regs, ret));
++ DEFINE(PT_blink, offsetof(struct pt_regs, blink));
++ DEFINE(PT_lpe, offsetof(struct pt_regs, lp_end));
++ DEFINE(PT_lpc, offsetof(struct pt_regs, lp_count));
++ DEFINE(PT_user_r25, offsetof(struct pt_regs, user_r25));
+
+ DEFINE(SZ_CALLEE_REGS, sizeof(struct callee_regs));
+ DEFINE(SZ_PT_REGS, sizeof(struct pt_regs));
+diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S
+index 562089d62d9d6..6cbf0ee8a20a7 100644
+--- a/arch/arc/kernel/entry-arcv2.S
++++ b/arch/arc/kernel/entry-arcv2.S
+@@ -70,7 +70,7 @@ reserved:
+
+ ENTRY(handle_interrupt)
+
+- INTERRUPT_PROLOGUE irq
++ INTERRUPT_PROLOGUE
+
+ # irq control APIs local_irq_save/restore/disable/enable fiddle with
+ # global interrupt enable bits in STATUS32 (.IE for 1 prio, .E[] for 2 prio)
+@@ -226,7 +226,7 @@ debug_marker_l1:
+ bset.nz r11, r11, AUX_IRQ_ACT_BIT_U ; NZ means U
+ sr r11, [AUX_IRQ_ACT]
+
+- INTERRUPT_EPILOGUE irq
++ INTERRUPT_EPILOGUE
+ rtie
+
+ ;####### Return from Exception / pure kernel mode #######
+--
+2.39.2
+
--- /dev/null
+From b648318ddaf8c9c7c7a842d6e3b8fde1d8af0729 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 19:28:42 +0100
+Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ]
+
+checker_stack_use_t32strd() and kprobe_handler() can be made static since
+they are not used from other files, while coverage_start_registers()
+and __kprobes_test_case() are used from assembler code, and just need
+a declaration to avoid a warning with the global definition.
+
+arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd'
+arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler'
+arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers'
+arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start'
+arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16'
+arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32'
+
+Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions")
+Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation")
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/probes/kprobes/checkers-common.c | 2 +-
+ arch/arm/probes/kprobes/core.c | 2 +-
+ arch/arm/probes/kprobes/opt-arm.c | 2 --
+ arch/arm/probes/kprobes/test-core.c | 2 +-
+ arch/arm/probes/kprobes/test-core.h | 4 ++++
+ 5 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c
+index 971119c294741..aa10e5e46ebb2 100644
+--- a/arch/arm/probes/kprobes/checkers-common.c
++++ b/arch/arm/probes/kprobes/checkers-common.c
+@@ -48,7 +48,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn,
+ * Different from other insn uses imm8, the real addressing offset of
+ * STRD in T32 encoding should be imm8 * 4. See ARMARM description.
+ */
+-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
+ struct arch_probes_insn *asi,
+ const struct decode_header *h)
+ {
+diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c
+index 62da8e2211e4b..0a7090a65bcad 100644
+--- a/arch/arm/probes/kprobes/core.c
++++ b/arch/arm/probes/kprobes/core.c
+@@ -239,7 +239,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
+ * kprobe, and that level is reserved for user kprobe handlers, so we can't
+ * risk encountering a new kprobe in an interrupt handler.
+ */
+-void __kprobes kprobe_handler(struct pt_regs *regs)
++static void __kprobes kprobe_handler(struct pt_regs *regs)
+ {
+ struct kprobe *p, *cur;
+ struct kprobe_ctlblk *kcb;
+diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
+index cf08cb7267670..1516c340a0766 100644
+--- a/arch/arm/probes/kprobes/opt-arm.c
++++ b/arch/arm/probes/kprobes/opt-arm.c
+@@ -158,8 +158,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty)
+ }
+ }
+
+-extern void kprobe_handler(struct pt_regs *regs);
+-
+ static void
+ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
+ {
+diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c
+index cc237fa9b90fb..1c86c5d980c5b 100644
+--- a/arch/arm/probes/kprobes/test-core.c
++++ b/arch/arm/probes/kprobes/test-core.c
+@@ -723,7 +723,7 @@ static const char coverage_register_lookup[16] = {
+ [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP,
+ };
+
+-unsigned coverage_start_registers(const struct decode_header *h)
++static unsigned coverage_start_registers(const struct decode_header *h)
+ {
+ unsigned regs = 0;
+ int i;
+diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h
+index 94285203e9f74..459ebda077139 100644
+--- a/arch/arm/probes/kprobes/test-core.h
++++ b/arch/arm/probes/kprobes/test-core.h
+@@ -456,3 +456,7 @@ void kprobe_thumb32_test_cases(void);
+ #else
+ void kprobe_arm_test_cases(void);
+ #endif
++
++void __kprobes_test_case_start(void);
++void __kprobes_test_case_end_16(void);
++void __kprobes_test_case_end_32(void);
+--
+2.39.2
+
--- /dev/null
+From 4e52ab7d7ce44846873fd33945aadd2562facd21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 May 2023 14:28:30 +0200
+Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ]
+
+There is no such property in the SPI controller binding documentation.
+Also Linux driver doesn't look for it.
+
+This fixes:
+arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected)
+ From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index 6edc4bd1e7eaf..a6406a347690e 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -468,7 +468,6 @@ spi@18029200 {
+ "spi_lr_session_done",
+ "spi_lr_overread";
+ clocks = <&iprocmed>;
+- clock-names = "iprocmed";
+ num-cs = <2>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+--
+2.39.2
+
--- /dev/null
+From d144f3f81fdf6521253b26f80c563d4fd016ec06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 17:30:58 +0200
+Subject: ARM: ep93xx: fix missing-prototype warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ]
+
+ep93xx_clocksource_read() is only called from the file it is declared in,
+while ep93xx_timer_init() is declared in a header that is not included here.
+
+arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init'
+arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read'
+
+Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS")
+Acked-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c
+index de998830f534f..b07956883e165 100644
+--- a/arch/arm/mach-ep93xx/timer-ep93xx.c
++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c
+@@ -9,6 +9,7 @@
+ #include <linux/io.h>
+ #include <asm/mach/time.h>
+ #include "soc.h"
++#include "platform.h"
+
+ /*************************************************************************
+ * Timer handling for EP93xx
+@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void)
+ return ret;
+ }
+
+-u64 ep93xx_clocksource_read(struct clocksource *c)
++static u64 ep93xx_clocksource_read(struct clocksource *c)
+ {
+ u64 ret;
+
+--
+2.39.2
+
--- /dev/null
+From b47a7c0f977c015c3bb169a6ccbe0fb4704473aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 10:48:22 +0200
+Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ]
+
+The schematics are misleading, the flow control is for HSCIF1. We need
+SCIF1 for GNSS/GPS which does not use flow control.
+
+Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+index 8bf3091a899c8..5abffdaf4077e 100644
+--- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
++++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+@@ -165,7 +165,7 @@ hscif0_pins: hscif0 {
+ };
+
+ scif1_pins: scif1 {
+- groups = "scif1_data_b", "scif1_ctrl";
++ groups = "scif1_data_b";
+ function = "scif1";
+ };
+
+@@ -178,7 +178,6 @@ usb0_pins: usb0 {
+ &scif1 {
+ pinctrl-0 = <&scif1_pins>;
+ pinctrl-names = "default";
+- uart-has-rtscts;
+
+ status = "okay";
+ };
+--
+2.39.2
+
--- /dev/null
+From 8f45f8cea8f66aefea559e9624ac96ba2ff58970 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 21:11:38 +0300
+Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume
+ control
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ]
+
+The following error occurs when trying to restore a previously saved
+ALSA mixer state (tested on a Rock 5B board):
+
+ $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog
+ $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog
+ alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument
+
+According to ES8316 datasheet, the register at address 0x2B, which is
+related to the above mixer control, contains by default the value 0xB0.
+Considering the corresponding ALC target bits (ALCLVL) are 7:4, the
+control is initialized with 11, which is one step above the maximum
+value allowed by the driver:
+
+ ALCLVL | dB gain
+ -------+--------
+ 0000 | -16.5
+ 0001 | -15.0
+ 0010 | -13.5
+ .... | .....
+ 0111 | -6.0
+ 1000 | -4.5
+ 1001 | -3.0
+ 1010 | -1.5
+ .... | .....
+ 1111 | -1.5
+
+The tests performed using the VU meter feature (--vumeter=TYPE) of
+arecord/aplay confirm the specs are correct and there is no measured
+gain if the 1011-1111 range would have been mapped to 0 dB:
+
+ dB gain | VU meter %
+ --------+-----------
+ -6.0 | 30-31
+ -4.5 | 35-36
+ -3.0 | 42-43
+ -1.5 | 50-51
+ 0.0 | 50-51
+
+Increment the max value allowed for ALC Capture Target Volume control,
+so that it matches the hardware default. Additionally, update the
+related TLV to prevent an artificial extension of the dB gain range.
+
+Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/es8316.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index 57130edaf3aba..834e542021fee 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -45,7 +45,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0);
+-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0);
++
++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv,
++ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0),
++ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0),
++);
++
+ static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv,
+ 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0),
+ 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0),
+@@ -107,7 +112,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = {
+ alc_max_gain_tlv),
+ SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0,
+ alc_min_gain_tlv),
+- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0,
++ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0,
+ alc_target_tlv),
+ SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0),
+ SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0),
+--
+2.39.2
+
--- /dev/null
+From cdce24c230c530209c4401a7acb8c7930aa81309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 06:56:11 +0000
+Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
+
+From: Feng Mingxi <m202271825@hust.edu.cn>
+
+[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ]
+
+Smatch reports:
+drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()
+warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516.
+
+timer_baseaddr may have the problem of not being released after use,
+I replaced it with the devm_of_iomap() function and added the clk_put()
+function to cleanup the "clk_ce" and "clk_cs".
+
+Fixes: e932900a3279 ("arm: zynq: Use standard timer binding")
+Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error")
+Signed-off-by: Feng Mingxi <m202271825@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Acked-by: Michal Simek <michal.simek@amd.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
+index b1df0ded8f521..16b9bfb257564 100644
+--- a/drivers/clocksource/timer-cadence-ttc.c
++++ b/drivers/clocksource/timer-cadence-ttc.c
+@@ -494,10 +494,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
+ * and use it. Note that the event timer uses the interrupt and it's the
+ * 2nd TTC hence the irq_of_parse_and_map(,1)
+ */
+- timer_baseaddr = of_iomap(timer, 0);
+- if (!timer_baseaddr) {
++ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL);
++ if (IS_ERR(timer_baseaddr)) {
+ pr_err("ERROR: invalid timer base address\n");
+- return -ENXIO;
++ return PTR_ERR(timer_baseaddr);
+ }
+
+ irq = irq_of_parse_and_map(timer, 1);
+@@ -521,20 +521,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
+ clk_ce = of_clk_get(timer, clksel);
+ if (IS_ERR(clk_ce)) {
+ pr_err("ERROR: timer input clock not found\n");
+- return PTR_ERR(clk_ce);
++ ret = PTR_ERR(clk_ce);
++ goto put_clk_cs;
+ }
+
+ ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width);
+ if (ret)
+- return ret;
++ goto put_clk_ce;
+
+ ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq);
+ if (ret)
+- return ret;
++ goto put_clk_ce;
+
+ pr_info("%s #0 at %p, irq=%d\n", timer->name, timer_baseaddr, irq);
+
+ return 0;
++
++put_clk_ce:
++ clk_put(clk_ce);
++put_clk_cs:
++ clk_put(clk_cs);
++ return ret;
+ }
+
+ static const struct of_device_id ttc_timer_of_match[] = {
+--
+2.39.2
+
--- /dev/null
+From 86fdffa20ff885a32027563da0692cd00e56eca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 02:36:28 -0800
+Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver
+
+From: Rajan Vaja <rajan.vaja@xilinx.com>
+
+[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ]
+
+Currently TTC driver is TIMER_OF_DECLARE type driver. Because of
+that, TTC driver may be initialized before other clock drivers. If
+TTC driver is dependent on that clock driver then initialization of
+TTC driver will failed.
+
+So use TTC driver as platform driver instead of using
+TIMER_OF_DECLARE.
+
+Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
+Tested-by: Michal Simek <michal.simek@xilinx.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com
+Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
+index a7eb858a84a0f..b1df0ded8f521 100644
+--- a/drivers/clocksource/timer-cadence-ttc.c
++++ b/drivers/clocksource/timer-cadence-ttc.c
+@@ -23,6 +23,8 @@
+ #include <linux/of_irq.h>
+ #include <linux/slab.h>
+ #include <linux/sched_clock.h>
++#include <linux/module.h>
++#include <linux/of_platform.h>
+
+ /*
+ * This driver configures the 2 16/32-bit count-up timers as follows:
+@@ -472,13 +474,7 @@ static int __init ttc_setup_clockevent(struct clk *clk,
+ return err;
+ }
+
+-/**
+- * ttc_timer_init - Initialize the timer
+- *
+- * Initializes the timer hardware and register the clock source and clock event
+- * timers with Linux kernal timer framework
+- */
+-static int __init ttc_timer_init(struct device_node *timer)
++static int __init ttc_timer_probe(struct platform_device *pdev)
+ {
+ unsigned int irq;
+ void __iomem *timer_baseaddr;
+@@ -486,6 +482,7 @@ static int __init ttc_timer_init(struct device_node *timer)
+ static int initialized;
+ int clksel, ret;
+ u32 timer_width = 16;
++ struct device_node *timer = pdev->dev.of_node;
+
+ if (initialized)
+ return 0;
+@@ -540,4 +537,17 @@ static int __init ttc_timer_init(struct device_node *timer)
+ return 0;
+ }
+
+-TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init);
++static const struct of_device_id ttc_timer_of_match[] = {
++ {.compatible = "cdns,ttc"},
++ {},
++};
++
++MODULE_DEVICE_TABLE(of, ttc_timer_of_match);
++
++static struct platform_driver ttc_timer_driver = {
++ .driver = {
++ .name = "cdns_ttc_timer",
++ .of_match_table = ttc_timer_of_match,
++ },
++};
++builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe);
+--
+2.39.2
+
--- /dev/null
+From ca60c700dea2b20caf43a6b9c00124a3dd36d227 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Sep 2018 05:59:23 +0200
+Subject: clocksource/drivers: Unify the names to timer-* format
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+[ Upstream commit 9d8d47ea6ec6048abc75ccc4486aff1a7db1ff4b ]
+
+In order to make some housekeeping in the directory, this patch renames
+drivers to the timer-* format in order to unify their names.
+
+There is no functional changes.
+
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Vladimir Zapolskiy <vz@mleia.com>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ MAINTAINERS | 10 +++----
+ drivers/clocksource/Makefile | 26 +++++++++----------
+ ...-armada-370-xp.c => timer-armada-370-xp.c} | 0
+ ...adence_ttc_timer.c => timer-cadence-ttc.c} | 0
+ .../{time-efm32.c => timer-efm32.c} | 0
+ .../{fsl_ftm_timer.c => timer-fsl-ftm.c} | 0
+ .../{time-lpc32xx.c => timer-lpc32xx.c} | 0
+ .../{time-orion.c => timer-orion.c} | 0
+ .../clocksource/{owl-timer.c => timer-owl.c} | 0
+ .../{time-pistachio.c => timer-pistachio.c} | 0
+ .../{qcom-timer.c => timer-qcom.c} | 0
+ .../{versatile.c => timer-versatile.c} | 0
+ .../{vf_pit_timer.c => timer-vf-pit.c} | 0
+ .../{vt8500_timer.c => timer-vt8500.c} | 0
+ .../{zevio-timer.c => timer-zevio.c} | 0
+ 15 files changed, 18 insertions(+), 18 deletions(-)
+ rename drivers/clocksource/{time-armada-370-xp.c => timer-armada-370-xp.c} (100%)
+ rename drivers/clocksource/{cadence_ttc_timer.c => timer-cadence-ttc.c} (100%)
+ rename drivers/clocksource/{time-efm32.c => timer-efm32.c} (100%)
+ rename drivers/clocksource/{fsl_ftm_timer.c => timer-fsl-ftm.c} (100%)
+ rename drivers/clocksource/{time-lpc32xx.c => timer-lpc32xx.c} (100%)
+ rename drivers/clocksource/{time-orion.c => timer-orion.c} (100%)
+ rename drivers/clocksource/{owl-timer.c => timer-owl.c} (100%)
+ rename drivers/clocksource/{time-pistachio.c => timer-pistachio.c} (100%)
+ rename drivers/clocksource/{qcom-timer.c => timer-qcom.c} (100%)
+ rename drivers/clocksource/{versatile.c => timer-versatile.c} (100%)
+ rename drivers/clocksource/{vf_pit_timer.c => timer-vf-pit.c} (100%)
+ rename drivers/clocksource/{vt8500_timer.c => timer-vt8500.c} (100%)
+ rename drivers/clocksource/{zevio-timer.c => timer-zevio.c} (100%)
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 3d3d7f5d1c3f1..59003315a9597 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -1180,7 +1180,7 @@ N: owl
+ F: arch/arm/mach-actions/
+ F: arch/arm/boot/dts/owl-*
+ F: arch/arm64/boot/dts/actions/
+-F: drivers/clocksource/owl-*
++F: drivers/clocksource/timer-owl*
+ F: drivers/pinctrl/actions/*
+ F: drivers/soc/actions/
+ F: include/dt-bindings/power/owl-*
+@@ -1603,7 +1603,7 @@ L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
+ S: Maintained
+ F: arch/arm/boot/dts/lpc43*
+ F: drivers/clk/nxp/clk-lpc18xx*
+-F: drivers/clocksource/time-lpc32xx.c
++F: drivers/clocksource/timer-lpc32xx.c
+ F: drivers/i2c/busses/i2c-lpc2k.c
+ F: drivers/memory/pl172.c
+ F: drivers/mtd/spi-nor/nxp-spifi.c
+@@ -2219,7 +2219,7 @@ F: arch/arm/mach-vexpress/
+ F: */*/vexpress*
+ F: */*/*/vexpress*
+ F: drivers/clk/versatile/clk-vexpress-osc.c
+-F: drivers/clocksource/versatile.c
++F: drivers/clocksource/timer-versatile.c
+ N: mps2
+
+ ARM/VFP SUPPORT
+@@ -2241,7 +2241,7 @@ M: Tony Prisk <linux@prisktech.co.nz>
+ L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
+ S: Maintained
+ F: arch/arm/mach-vt8500/
+-F: drivers/clocksource/vt8500_timer.c
++F: drivers/clocksource/timer-vt8500.c
+ F: drivers/i2c/busses/i2c-wmt.c
+ F: drivers/mmc/host/wmt-sdmmc.c
+ F: drivers/pwm/pwm-vt8500.c
+@@ -2306,7 +2306,7 @@ F: drivers/cpuidle/cpuidle-zynq.c
+ F: drivers/block/xsysace.c
+ N: zynq
+ N: xilinx
+-F: drivers/clocksource/cadence_ttc_timer.c
++F: drivers/clocksource/timer-cadence-ttc.c
+ F: drivers/i2c/busses/i2c-cadence.c
+ F: drivers/mmc/host/sdhci-of-arasan.c
+ F: drivers/edac/synopsys_edac.c
+diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile
+index db51b2427e8a6..e33b21d3f9d8b 100644
+--- a/drivers/clocksource/Makefile
++++ b/drivers/clocksource/Makefile
+@@ -23,8 +23,8 @@ obj-$(CONFIG_FTTMR010_TIMER) += timer-fttmr010.o
+ obj-$(CONFIG_ROCKCHIP_TIMER) += rockchip_timer.o
+ obj-$(CONFIG_CLKSRC_NOMADIK_MTU) += nomadik-mtu.o
+ obj-$(CONFIG_CLKSRC_DBX500_PRCMU) += clksrc-dbx500-prcmu.o
+-obj-$(CONFIG_ARMADA_370_XP_TIMER) += time-armada-370-xp.o
+-obj-$(CONFIG_ORION_TIMER) += time-orion.o
++obj-$(CONFIG_ARMADA_370_XP_TIMER) += timer-armada-370-xp.o
++obj-$(CONFIG_ORION_TIMER) += timer-orion.o
+ obj-$(CONFIG_BCM2835_TIMER) += bcm2835_timer.o
+ obj-$(CONFIG_CLPS711X_TIMER) += clps711x-timer.o
+ obj-$(CONFIG_ATLAS7_TIMER) += timer-atlas7.o
+@@ -36,25 +36,25 @@ obj-$(CONFIG_SUN4I_TIMER) += sun4i_timer.o
+ obj-$(CONFIG_SUN5I_HSTIMER) += timer-sun5i.o
+ obj-$(CONFIG_MESON6_TIMER) += meson6_timer.o
+ obj-$(CONFIG_TEGRA_TIMER) += tegra20_timer.o
+-obj-$(CONFIG_VT8500_TIMER) += vt8500_timer.o
+-obj-$(CONFIG_NSPIRE_TIMER) += zevio-timer.o
++obj-$(CONFIG_VT8500_TIMER) += timer-vt8500.o
++obj-$(CONFIG_NSPIRE_TIMER) += timer-zevio.o
+ obj-$(CONFIG_BCM_KONA_TIMER) += bcm_kona_timer.o
+-obj-$(CONFIG_CADENCE_TTC_TIMER) += cadence_ttc_timer.o
+-obj-$(CONFIG_CLKSRC_EFM32) += time-efm32.o
++obj-$(CONFIG_CADENCE_TTC_TIMER) += timer-cadence-ttc.o
++obj-$(CONFIG_CLKSRC_EFM32) += timer-efm32.o
+ obj-$(CONFIG_CLKSRC_STM32) += timer-stm32.o
+ obj-$(CONFIG_CLKSRC_EXYNOS_MCT) += exynos_mct.o
+-obj-$(CONFIG_CLKSRC_LPC32XX) += time-lpc32xx.o
++obj-$(CONFIG_CLKSRC_LPC32XX) += timer-lpc32xx.o
+ obj-$(CONFIG_CLKSRC_MPS2) += mps2-timer.o
+ obj-$(CONFIG_CLKSRC_SAMSUNG_PWM) += samsung_pwm_timer.o
+-obj-$(CONFIG_FSL_FTM_TIMER) += fsl_ftm_timer.o
+-obj-$(CONFIG_VF_PIT_TIMER) += vf_pit_timer.o
+-obj-$(CONFIG_CLKSRC_QCOM) += qcom-timer.o
++obj-$(CONFIG_FSL_FTM_TIMER) += timer-fsl-ftm.o
++obj-$(CONFIG_VF_PIT_TIMER) += timer-vf-pit.o
++obj-$(CONFIG_CLKSRC_QCOM) += timer-qcom.o
+ obj-$(CONFIG_MTK_TIMER) += timer-mediatek.o
+-obj-$(CONFIG_CLKSRC_PISTACHIO) += time-pistachio.o
++obj-$(CONFIG_CLKSRC_PISTACHIO) += timer-pistachio.o
+ obj-$(CONFIG_CLKSRC_TI_32K) += timer-ti-32k.o
+ obj-$(CONFIG_CLKSRC_NPS) += timer-nps.o
+ obj-$(CONFIG_OXNAS_RPS_TIMER) += timer-oxnas-rps.o
+-obj-$(CONFIG_OWL_TIMER) += owl-timer.o
++obj-$(CONFIG_OWL_TIMER) += timer-owl.o
+ obj-$(CONFIG_SPRD_TIMER) += timer-sprd.o
+ obj-$(CONFIG_NPCM7XX_TIMER) += timer-npcm7xx.o
+
+@@ -66,7 +66,7 @@ obj-$(CONFIG_ARM_TIMER_SP804) += timer-sp804.o
+ obj-$(CONFIG_ARCH_HAS_TICK_BROADCAST) += dummy_timer.o
+ obj-$(CONFIG_KEYSTONE_TIMER) += timer-keystone.o
+ obj-$(CONFIG_INTEGRATOR_AP_TIMER) += timer-integrator-ap.o
+-obj-$(CONFIG_CLKSRC_VERSATILE) += versatile.o
++obj-$(CONFIG_CLKSRC_VERSATILE) += timer-versatile.o
+ obj-$(CONFIG_CLKSRC_MIPS_GIC) += mips-gic-timer.o
+ obj-$(CONFIG_CLKSRC_TANGO_XTAL) += tango_xtal.o
+ obj-$(CONFIG_CLKSRC_IMX_GPT) += timer-imx-gpt.o
+diff --git a/drivers/clocksource/time-armada-370-xp.c b/drivers/clocksource/timer-armada-370-xp.c
+similarity index 100%
+rename from drivers/clocksource/time-armada-370-xp.c
+rename to drivers/clocksource/timer-armada-370-xp.c
+diff --git a/drivers/clocksource/cadence_ttc_timer.c b/drivers/clocksource/timer-cadence-ttc.c
+similarity index 100%
+rename from drivers/clocksource/cadence_ttc_timer.c
+rename to drivers/clocksource/timer-cadence-ttc.c
+diff --git a/drivers/clocksource/time-efm32.c b/drivers/clocksource/timer-efm32.c
+similarity index 100%
+rename from drivers/clocksource/time-efm32.c
+rename to drivers/clocksource/timer-efm32.c
+diff --git a/drivers/clocksource/fsl_ftm_timer.c b/drivers/clocksource/timer-fsl-ftm.c
+similarity index 100%
+rename from drivers/clocksource/fsl_ftm_timer.c
+rename to drivers/clocksource/timer-fsl-ftm.c
+diff --git a/drivers/clocksource/time-lpc32xx.c b/drivers/clocksource/timer-lpc32xx.c
+similarity index 100%
+rename from drivers/clocksource/time-lpc32xx.c
+rename to drivers/clocksource/timer-lpc32xx.c
+diff --git a/drivers/clocksource/time-orion.c b/drivers/clocksource/timer-orion.c
+similarity index 100%
+rename from drivers/clocksource/time-orion.c
+rename to drivers/clocksource/timer-orion.c
+diff --git a/drivers/clocksource/owl-timer.c b/drivers/clocksource/timer-owl.c
+similarity index 100%
+rename from drivers/clocksource/owl-timer.c
+rename to drivers/clocksource/timer-owl.c
+diff --git a/drivers/clocksource/time-pistachio.c b/drivers/clocksource/timer-pistachio.c
+similarity index 100%
+rename from drivers/clocksource/time-pistachio.c
+rename to drivers/clocksource/timer-pistachio.c
+diff --git a/drivers/clocksource/qcom-timer.c b/drivers/clocksource/timer-qcom.c
+similarity index 100%
+rename from drivers/clocksource/qcom-timer.c
+rename to drivers/clocksource/timer-qcom.c
+diff --git a/drivers/clocksource/versatile.c b/drivers/clocksource/timer-versatile.c
+similarity index 100%
+rename from drivers/clocksource/versatile.c
+rename to drivers/clocksource/timer-versatile.c
+diff --git a/drivers/clocksource/vf_pit_timer.c b/drivers/clocksource/timer-vf-pit.c
+similarity index 100%
+rename from drivers/clocksource/vf_pit_timer.c
+rename to drivers/clocksource/timer-vf-pit.c
+diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/timer-vt8500.c
+similarity index 100%
+rename from drivers/clocksource/vt8500_timer.c
+rename to drivers/clocksource/timer-vt8500.c
+diff --git a/drivers/clocksource/zevio-timer.c b/drivers/clocksource/timer-zevio.c
+similarity index 100%
+rename from drivers/clocksource/zevio-timer.c
+rename to drivers/clocksource/timer-zevio.c
+--
+2.39.2
+
--- /dev/null
+From 0c67a96251f802879d2f45c09aaab210c2981721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 15:33:34 -0700
+Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ]
+
+Fix build warnings when DEBUG_FS is not enabled by using an empty
+do-while loop instead of a value:
+
+In file included from ../drivers/crypto/nx/nx.c:27:
+../drivers/crypto/nx/nx.c: In function 'nx_register_algs':
+../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value]
+ 173 | #define NX_DEBUGFS_INIT(drv) (0)
+../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT'
+ 573 | NX_DEBUGFS_INIT(&nx_driver);
+../drivers/crypto/nx/nx.c: In function 'nx_remove':
+../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value]
+ 174 | #define NX_DEBUGFS_FINI(drv) (0)
+../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI'
+ 793 | NX_DEBUGFS_FINI(&nx_driver);
+
+Also, there is no need to build nx_debugfs.o when DEBUG_FS is not
+enabled, so change the Makefile to accommodate that.
+
+Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption")
+Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Breno Leitão <leitao@debian.org>
+Cc: Nayna Jain <nayna@linux.ibm.com>
+Cc: Paulo Flabiano Smorigo <pfsmorigo@gmail.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: linux-crypto@vger.kernel.org
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/nx/Makefile | 2 +-
+ drivers/crypto/nx/nx.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile
+index 015155da59c29..76139865d7fa1 100644
+--- a/drivers/crypto/nx/Makefile
++++ b/drivers/crypto/nx/Makefile
+@@ -1,7 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o
+ nx-crypto-objs := nx.o \
+- nx_debugfs.o \
+ nx-aes-cbc.o \
+ nx-aes-ecb.o \
+ nx-aes-gcm.o \
+@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \
+ nx-sha256.o \
+ nx-sha512.o
+
++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o
+ nx-compress-objs := nx-842.o
+diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h
+index c3e54af18645c..ebad937a9545c 100644
+--- a/drivers/crypto/nx/nx.h
++++ b/drivers/crypto/nx/nx.h
+@@ -180,8 +180,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int,
+ int nx_debugfs_init(struct nx_crypto_driver *);
+ void nx_debugfs_fini(struct nx_crypto_driver *);
+ #else
+-#define NX_DEBUGFS_INIT(drv) (0)
+-#define NX_DEBUGFS_FINI(drv) (0)
++#define NX_DEBUGFS_INIT(drv) do {} while (0)
++#define NX_DEBUGFS_FINI(drv) do {} while (0)
+ #endif
+
+ #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL)
+--
+2.39.2
+
--- /dev/null
+From e827def04dcba9582598bfa29b10f68ed4108f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 10:50:39 +0200
+Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ]
+
+The previous setting was related to the overall dimension and not to the
+active display area.
+In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the
+following parameters:
+
+ ----------------------------------------------------------
+| Item | Specifications | unit |
+ ----------------------------------------------------------
+| Display area | 98.7 (W) x 57.5 (H) | mm |
+ ----------------------------------------------------------
+| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm |
+ ----------------------------------------------------------
+
+Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+[narmstrong: fixed Fixes commit id length]
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index a424afdcc77a1..35771e0e69fa6 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -405,8 +405,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = {
+ .num_modes = 1,
+ .bpc = 8,
+ .size = {
+- .width = 105,
+- .height = 67,
++ .width = 99,
++ .height = 58,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
+ };
+--
+2.39.2
+
--- /dev/null
+From eeeaa3a9489dc01c08a7ac9ba2b400970310d8f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 08:33:27 -0700
+Subject: drm/radeon: fix possible division-by-zero errors
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ]
+
+Function rv740_get_decoded_reference_divider() may return 0 due to
+unpredictable reference divider value calculated in
+radeon_atom_get_clock_dividers(). This will lead to
+division-by-zero error once that value is used as a divider
+in calculating 'clk_s'.
+While unlikely, this issue should nonetheless be prevented so add a
+sanity check for such cases by testing 'decoded_ref' value against 0.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+v2: minor coding style fixes (Alex)
+In practice this should actually happen as the vbios should be
+properly populated.
+
+Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++--
+ drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++--
+ drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++--
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
+index 3eb7899a4035b..2c637e04dfebc 100644
+--- a/drivers/gpu/drm/radeon/cypress_dpm.c
++++ b/drivers/gpu/drm/radeon/cypress_dpm.c
+@@ -558,8 +558,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = ss.percentage *
+ (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+
+ mpll_ss1 &= ~CLKV_MASK;
+diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c
+index a7273c01de34b..2a9d415400f79 100644
+--- a/drivers/gpu/drm/radeon/ni_dpm.c
++++ b/drivers/gpu/drm/radeon/ni_dpm.c
+@@ -2239,8 +2239,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = ss.percentage *
+ (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+
+ mpll_ss1 &= ~CLKV_MASK;
+diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c
+index afd597ec50858..50290e93c79dc 100644
+--- a/drivers/gpu/drm/radeon/rv740_dpm.c
++++ b/drivers/gpu/drm/radeon/rv740_dpm.c
+@@ -251,8 +251,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = 0x40000 * ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = 0x40000 * ss.percentage *
+ (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000);
+
+ mpll_ss1 &= ~CLKV_MASK;
+--
+2.39.2
+
--- /dev/null
+From 3ed7461ec41add6315b7cb24e8bdc79b6637250c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 11:40:36 +0100
+Subject: evm: Complete description of evm_inode_setattr()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ]
+
+Add the description for missing parameters of evm_inode_setattr() to
+avoid the warning arising with W=n compile option.
+
+Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+
+Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/evm/evm_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
+index 6d1efe1359f17..9c036a41e7347 100644
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -474,7 +474,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
+
+ /**
+ * evm_inode_setattr - prevent updating an invalid EVM extended attribute
++ * @idmap: idmap of the mount
+ * @dentry: pointer to the affected dentry
++ * @attr: iattr structure containing the new file attributes
+ *
+ * Permit update of file attributes when files have a valid EVM signature,
+ * except in the case of them having an immutable portable signature.
+--
+2.39.2
+
--- /dev/null
+From 45589c7b202f7e510d68e9201eb4d378e0be55f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jun 2023 17:42:28 +0200
+Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in
+ mipid_spi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ]
+
+If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.
+
+Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c
+index e3a85432f9266..5730355ee5986 100644
+--- a/drivers/video/fbdev/omap/lcd_mipid.c
++++ b/drivers/video/fbdev/omap/lcd_mipid.c
+@@ -576,11 +576,15 @@ static int mipid_spi_probe(struct spi_device *spi)
+
+ r = mipid_detect(md);
+ if (r < 0)
+- return r;
++ goto free_md;
+
+ omapfb_register_panel(&md->panel);
+
+ return 0;
++
++free_md:
++ kfree(md);
++ return r;
+ }
+
+ static int mipid_spi_remove(struct spi_device *spi)
+--
+2.39.2
+
--- /dev/null
+From f8db8de33b48afe5ae3f57f6e8cba66c1e9aa6a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jun 2023 14:32:31 -0700
+Subject: gtp: Fix use-after-free in __gtp_encap_destroy().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ]
+
+syzkaller reported use-after-free in __gtp_encap_destroy(). [0]
+
+It shows the same process freed sk and touched it illegally.
+
+Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock()
+and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,
+but release_sock() is called after sock_put() releases the last refcnt.
+
+[0]:
+BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
+BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
+BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
+BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
+BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
+Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401
+
+CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:351 [inline]
+ print_report+0xcc/0x620 mm/kasan/report.c:462
+ kasan_report+0xb2/0xe0 mm/kasan/report.c:572
+ check_region_inline mm/kasan/generic.c:181 [inline]
+ kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
+ instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+ atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
+ queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
+ do_raw_spin_lock include/linux/spinlock.h:186 [inline]
+ __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
+ _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
+ spin_lock_bh include/linux/spinlock.h:355 [inline]
+ release_sock+0x1f/0x1a0 net/core/sock.c:3526
+ gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
+ gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
+ gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
+ unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
+ rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
+ rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
+ rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
+ netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0x1b7/0x200 net/socket.c:747
+ ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
+ ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
+ __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7f1168b1fe5d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
+RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d
+RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 1483:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:186 [inline]
+ slab_post_alloc_hook mm/slab.h:711 [inline]
+ slab_alloc_node mm/slub.c:3451 [inline]
+ slab_alloc mm/slub.c:3459 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3466 [inline]
+ kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475
+ sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073
+ sk_alloc+0x34/0x6c0 net/core/sock.c:2132
+ inet6_create net/ipv6/af_inet6.c:192 [inline]
+ inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119
+ __sock_create+0x2a1/0x530 net/socket.c:1535
+ sock_create net/socket.c:1586 [inline]
+ __sys_socket_create net/socket.c:1623 [inline]
+ __sys_socket_create net/socket.c:1608 [inline]
+ __sys_socket+0x137/0x250 net/socket.c:1651
+ __do_sys_socket net/socket.c:1664 [inline]
+ __se_sys_socket net/socket.c:1662 [inline]
+ __x64_sys_socket+0x72/0xb0 net/socket.c:1662
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Freed by task 2401:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free mm/kasan/common.c:200 [inline]
+ __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:162 [inline]
+ slab_free_hook mm/slub.c:1781 [inline]
+ slab_free_freelist_hook mm/slub.c:1807 [inline]
+ slab_free mm/slub.c:3786 [inline]
+ kmem_cache_free+0xb4/0x490 mm/slub.c:3808
+ sk_prot_free net/core/sock.c:2113 [inline]
+ __sk_destruct+0x500/0x720 net/core/sock.c:2207
+ sk_destruct+0xc1/0xe0 net/core/sock.c:2222
+ __sk_free+0xed/0x3d0 net/core/sock.c:2233
+ sk_free+0x7c/0xa0 net/core/sock.c:2244
+ sock_put include/net/sock.h:1981 [inline]
+ __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634
+ gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
+ gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
+ gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
+ unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
+ rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
+ rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
+ rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
+ netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0x1b7/0x200 net/socket.c:747
+ ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
+ ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
+ __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+The buggy address belongs to the object at ffff88800dbef300
+ which belongs to the cache UDPv6 of size 1344
+The buggy address is located 152 bytes inside of
+ freed 1344-byte region [ffff88800dbef300, ffff88800dbef840)
+
+The buggy address belongs to the physical page:
+page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8
+head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+memcg:ffff888008ee0801
+flags: 0x100000000010200(slab|head|node=0|zone=1)
+page_type: 0xffffffff()
+raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000
+raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88800dbef280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index e18d06cb2173c..2718b0507f713 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -301,7 +301,9 @@ static void __gtp_encap_destroy(struct sock *sk)
+ gtp->sk1u = NULL;
+ udp_sk(sk)->encap_type = 0;
+ rcu_assign_sk_user_data(sk, NULL);
++ release_sock(sk);
+ sock_put(sk);
++ return;
+ }
+ release_sock(sk);
+ }
+--
+2.39.2
+
--- /dev/null
+From afa4aa51e6f9ff115b1cefcc5f7274340691a1f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:08 +0200
+Subject: hwrng: virtio - add an internal buffer
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ]
+
+hwrng core uses two buffers that can be mixed in the
+virtio-rng queue.
+
+If the buffer is provided with wait=0 it is enqueued in the
+virtio-rng queue but unused by the caller.
+On the next call, core provides another buffer but the
+first one is filled instead and the new one queued.
+And the caller reads the data from the new one that is not
+updated, and the data in the first one are lost.
+
+To avoid this mix, virtio-rng needs to use its own unique
+internal buffer at a cost of a data copy to the caller buffer.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++-------
+ 1 file changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index 7abd604e938c2..999f523c80c1e 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -30,13 +30,20 @@ static DEFINE_IDA(rng_index_ida);
+ struct virtrng_info {
+ struct hwrng hwrng;
+ struct virtqueue *vq;
+- struct completion have_data;
+ char name[25];
+- unsigned int data_avail;
+ int index;
+ bool busy;
+ bool hwrng_register_done;
+ bool hwrng_removed;
++ /* data transfer */
++ struct completion have_data;
++ unsigned int data_avail;
++ /* minimal size returned by rng_buffer_size() */
++#if SMP_CACHE_BYTES < 32
++ u8 data[32];
++#else
++ u8 data[SMP_CACHE_BYTES];
++#endif
+ };
+
+ static void random_recv_done(struct virtqueue *vq)
+@@ -51,14 +58,14 @@ static void random_recv_done(struct virtqueue *vq)
+ }
+
+ /* The host will fill any buffer we give it with sweet, sweet randomness. */
+-static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size)
++static void register_buffer(struct virtrng_info *vi)
+ {
+ struct scatterlist sg;
+
+- sg_init_one(&sg, buf, size);
++ sg_init_one(&sg, vi->data, sizeof(vi->data));
+
+ /* There should always be room for one buffer. */
+- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL);
++ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL);
+
+ virtqueue_kick(vi->vq);
+ }
+@@ -67,6 +74,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ {
+ int ret;
+ struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
++ unsigned int chunk;
++ size_t read;
+
+ if (vi->hwrng_removed)
+ return -ENODEV;
+@@ -74,19 +83,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ if (!vi->busy) {
+ vi->busy = true;
+ reinit_completion(&vi->have_data);
+- register_buffer(vi, buf, size);
++ register_buffer(vi);
+ }
+
+ if (!wait)
+ return 0;
+
+- ret = wait_for_completion_killable(&vi->have_data);
+- if (ret < 0)
+- return ret;
++ read = 0;
++ while (size != 0) {
++ ret = wait_for_completion_killable(&vi->have_data);
++ if (ret < 0)
++ return ret;
++
++ chunk = min_t(unsigned int, size, vi->data_avail);
++ memcpy(buf + read, vi->data, chunk);
++ read += chunk;
++ size -= chunk;
++ vi->data_avail = 0;
++
++ if (size != 0) {
++ reinit_completion(&vi->have_data);
++ register_buffer(vi);
++ }
++ }
+
+ vi->busy = false;
+
+- return vi->data_avail;
++ return read;
+ }
+
+ static void virtio_cleanup(struct hwrng *rng)
+--
+2.39.2
+
--- /dev/null
+From 7ae21313b4da71d05544089d1fdb20bab025446e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:11 +0200
+Subject: hwrng: virtio - always add a pending request
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ]
+
+If we ensure we have already some data available by enqueuing
+again the buffer once data are exhausted, we can return what we
+have without waiting for the device answer.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index c88f175e60a4c..a84248c26fd7f 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -32,7 +32,6 @@ struct virtrng_info {
+ struct virtqueue *vq;
+ char name[25];
+ int index;
+- bool busy;
+ bool hwrng_register_done;
+ bool hwrng_removed;
+ /* data transfer */
+@@ -56,16 +55,18 @@ static void random_recv_done(struct virtqueue *vq)
+ return;
+
+ vi->data_idx = 0;
+- vi->busy = false;
+
+ complete(&vi->have_data);
+ }
+
+-/* The host will fill any buffer we give it with sweet, sweet randomness. */
+-static void register_buffer(struct virtrng_info *vi)
++static void request_entropy(struct virtrng_info *vi)
+ {
+ struct scatterlist sg;
+
++ reinit_completion(&vi->have_data);
++ vi->data_avail = 0;
++ vi->data_idx = 0;
++
+ sg_init_one(&sg, vi->data, sizeof(vi->data));
+
+ /* There should always be room for one buffer. */
+@@ -81,6 +82,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf,
+ memcpy(buf, vi->data + vi->data_idx, size);
+ vi->data_idx += size;
+ vi->data_avail -= size;
++ if (vi->data_avail == 0)
++ request_entropy(vi);
+ return size;
+ }
+
+@@ -110,13 +113,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ * so either size is 0 or data_avail is 0
+ */
+ while (size != 0) {
+- /* data_avail is 0 */
+- if (!vi->busy) {
+- /* no pending request, ask for more */
+- vi->busy = true;
+- reinit_completion(&vi->have_data);
+- register_buffer(vi);
+- }
++ /* data_avail is 0 but a request is pending */
+ ret = wait_for_completion_killable(&vi->have_data);
+ if (ret < 0)
+ return ret;
+@@ -138,8 +135,7 @@ static void virtio_cleanup(struct hwrng *rng)
+ {
+ struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
+
+- if (vi->busy)
+- complete(&vi->have_data);
++ complete(&vi->have_data);
+ }
+
+ static int probe_common(struct virtio_device *vdev)
+@@ -175,6 +171,9 @@ static int probe_common(struct virtio_device *vdev)
+ goto err_find;
+ }
+
++ /* we always have a pending entropy request */
++ request_entropy(vi);
++
+ return 0;
+
+ err_find:
+@@ -193,7 +192,6 @@ static void remove_common(struct virtio_device *vdev)
+ vi->data_idx = 0;
+ complete(&vi->have_data);
+ vdev->config->reset(vdev);
+- vi->busy = false;
+ if (vi->hwrng_register_done)
+ hwrng_unregister(&vi->hwrng);
+ vdev->config->del_vqs(vdev);
+--
+2.39.2
+
--- /dev/null
+From 9c50a382f8e13e6db7abbe15241a4a9c88d4fc4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:09 +0200
+Subject: hwrng: virtio - don't wait on cleanup
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ]
+
+When virtio-rng device was dropped by the hwrng core we were forced
+to wait the buffer to come back from the device to not have
+remaining ongoing operation that could spoil the buffer.
+
+But now, as the buffer is internal to the virtio-rng we can release
+the waiting loop immediately, the buffer will be retrieve and use
+when the virtio-rng driver will be selected again.
+
+This avoids to hang on an rng_current write command if the virtio-rng
+device is blocked by a lack of entropy. This allows to select
+another entropy source if the current one is empty.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index 999f523c80c1e..9a3fbd2b41107 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -94,6 +94,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ ret = wait_for_completion_killable(&vi->have_data);
+ if (ret < 0)
+ return ret;
++ /* if vi->data_avail is 0, we have been interrupted
++ * by a cleanup, but buffer stays in the queue
++ */
++ if (vi->data_avail == 0)
++ return read;
+
+ chunk = min_t(unsigned int, size, vi->data_avail);
+ memcpy(buf + read, vi->data, chunk);
+@@ -117,7 +122,7 @@ static void virtio_cleanup(struct hwrng *rng)
+ struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
+
+ if (vi->busy)
+- wait_for_completion(&vi->have_data);
++ complete(&vi->have_data);
+ }
+
+ static int probe_common(struct virtio_device *vdev)
+--
+2.39.2
+
--- /dev/null
+From 92b8d417f897b6b2b12a75862caf03ab756af0c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:11:10 +0200
+Subject: hwrng: virtio - don't waste entropy
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ]
+
+if we don't use all the entropy available in the buffer, keep it
+and use it later.
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++----------
+ 1 file changed, 35 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index 9a3fbd2b41107..c88f175e60a4c 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -38,6 +38,7 @@ struct virtrng_info {
+ /* data transfer */
+ struct completion have_data;
+ unsigned int data_avail;
++ unsigned int data_idx;
+ /* minimal size returned by rng_buffer_size() */
+ #if SMP_CACHE_BYTES < 32
+ u8 data[32];
+@@ -54,6 +55,9 @@ static void random_recv_done(struct virtqueue *vq)
+ if (!virtqueue_get_buf(vi->vq, &vi->data_avail))
+ return;
+
++ vi->data_idx = 0;
++ vi->busy = false;
++
+ complete(&vi->have_data);
+ }
+
+@@ -70,6 +74,16 @@ static void register_buffer(struct virtrng_info *vi)
+ virtqueue_kick(vi->vq);
+ }
+
++static unsigned int copy_data(struct virtrng_info *vi, void *buf,
++ unsigned int size)
++{
++ size = min_t(unsigned int, size, vi->data_avail);
++ memcpy(buf, vi->data + vi->data_idx, size);
++ vi->data_idx += size;
++ vi->data_avail -= size;
++ return size;
++}
++
+ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ {
+ int ret;
+@@ -80,17 +94,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ if (vi->hwrng_removed)
+ return -ENODEV;
+
+- if (!vi->busy) {
+- vi->busy = true;
+- reinit_completion(&vi->have_data);
+- register_buffer(vi);
++ read = 0;
++
++ /* copy available data */
++ if (vi->data_avail) {
++ chunk = copy_data(vi, buf, size);
++ size -= chunk;
++ read += chunk;
+ }
+
+ if (!wait)
+- return 0;
++ return read;
+
+- read = 0;
++ /* We have already copied available entropy,
++ * so either size is 0 or data_avail is 0
++ */
+ while (size != 0) {
++ /* data_avail is 0 */
++ if (!vi->busy) {
++ /* no pending request, ask for more */
++ vi->busy = true;
++ reinit_completion(&vi->have_data);
++ register_buffer(vi);
++ }
+ ret = wait_for_completion_killable(&vi->have_data);
+ if (ret < 0)
+ return ret;
+@@ -100,20 +126,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ if (vi->data_avail == 0)
+ return read;
+
+- chunk = min_t(unsigned int, size, vi->data_avail);
+- memcpy(buf + read, vi->data, chunk);
+- read += chunk;
++ chunk = copy_data(vi, buf + read, size);
+ size -= chunk;
+- vi->data_avail = 0;
+-
+- if (size != 0) {
+- reinit_completion(&vi->have_data);
+- register_buffer(vi);
+- }
++ read += chunk;
+ }
+
+- vi->busy = false;
+-
+ return read;
+ }
+
+@@ -173,6 +190,7 @@ static void remove_common(struct virtio_device *vdev)
+
+ vi->hwrng_removed = true;
+ vi->data_avail = 0;
++ vi->data_idx = 0;
+ complete(&vi->have_data);
+ vdev->config->reset(vdev);
+ vi->busy = false;
+--
+2.39.2
+
--- /dev/null
+From 939a58b0fd48531e7170994e9836b43eb6a96c4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 11:59:32 +0800
+Subject: hwrng: virtio - Fix race on data_avail and actual data
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ]
+
+The virtio rng device kicks off a new entropy request whenever the
+data available reaches zero. When a new request occurs at the end
+of a read operation, that is, when the result of that request is
+only needed by the next reader, then there is a race between the
+writing of the new data and the next reader.
+
+This is because there is no synchronisation whatsoever between the
+writer and the reader.
+
+Fix this by writing data_avail with smp_store_release and reading
+it with smp_load_acquire when we first enter read. The subsequent
+reads are safe because they're either protected by the first load
+acquire, or by the completion mechanism.
+
+Also remove the redundant zeroing of data_idx in random_recv_done
+(data_idx must already be zero at this point) and data_avail in
+request_entropy (ditto).
+
+Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com
+Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/virtio-rng.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
+index a84248c26fd7f..58884d8752011 100644
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -17,6 +17,7 @@
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
++#include <asm/barrier.h>
+ #include <linux/err.h>
+ #include <linux/hw_random.h>
+ #include <linux/scatterlist.h>
+@@ -49,13 +50,13 @@ struct virtrng_info {
+ static void random_recv_done(struct virtqueue *vq)
+ {
+ struct virtrng_info *vi = vq->vdev->priv;
++ unsigned int len;
+
+ /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */
+- if (!virtqueue_get_buf(vi->vq, &vi->data_avail))
++ if (!virtqueue_get_buf(vi->vq, &len))
+ return;
+
+- vi->data_idx = 0;
+-
++ smp_store_release(&vi->data_avail, len);
+ complete(&vi->have_data);
+ }
+
+@@ -64,7 +65,6 @@ static void request_entropy(struct virtrng_info *vi)
+ struct scatterlist sg;
+
+ reinit_completion(&vi->have_data);
+- vi->data_avail = 0;
+ vi->data_idx = 0;
+
+ sg_init_one(&sg, vi->data, sizeof(vi->data));
+@@ -100,7 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
+ read = 0;
+
+ /* copy available data */
+- if (vi->data_avail) {
++ if (smp_load_acquire(&vi->data_avail)) {
+ chunk = copy_data(vi, buf, size);
+ size -= chunk;
+ read += chunk;
+--
+2.39.2
+
--- /dev/null
+From 58240f64a0be015e60403b558eac9ea7b1483365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 11:56:28 -0500
+Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
+
+From: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
+
+[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ]
+
+Fix three sources of error involving struct sdma_txreq.num_descs.
+
+When _extend_sdma_tx_descs() extends the descriptor array, it uses the
+value of tx->num_descs to determine how many existing entries from the
+tx's original, internal descriptor array to copy to the newly allocated
+one. As this value was incremented before the call, the copy loop will
+access one entry past the internal descriptor array, copying its contents
+into the corresponding slot in the new array.
+
+If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then
+invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a
+loop that unmaps all descriptor entries in use. As this value was
+incremented before the call, the unmap loop will invoke sdma_unmap_desc()
+on a descriptor entry whose contents consist of whatever random data was
+copied into it during (1), leading to cascading further calls into the
+kernel and driver using arbitrary data.
+
+_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1.
+
+Fix all of the above by:
+- Only increment .num_descs after .descp is extended.
+- Use .num_descs - 1 instead of .num_descs for last .descp entry.
+
+Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors")
+Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Brendan Cunningham <bcunningham@cornelisnetworks.com>
+Signed-off-by: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/sdma.c | 4 ++--
+ drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++--------
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
+index 33ff9eca28f69..245f9505a9aca 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -3202,8 +3202,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
+ {
+ int rval = 0;
+
+- tx->num_desc++;
+- if ((unlikely(tx->num_desc == tx->desc_limit))) {
++ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) {
+ rval = _extend_sdma_tx_descs(dd, tx);
+ if (rval) {
+ __sdma_txclean(dd, tx);
+@@ -3216,6 +3215,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
+ SDMA_MAP_NONE,
+ dd->sdma_pad_phys,
+ sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1)));
++ tx->num_desc++;
+ _sdma_close_tx(dd, tx);
+ return rval;
+ }
+diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h
+index 46c775f255d14..a3dd2f3d56cca 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.h
++++ b/drivers/infiniband/hw/hfi1/sdma.h
+@@ -680,14 +680,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx)
+ static inline void _sdma_close_tx(struct hfi1_devdata *dd,
+ struct sdma_txreq *tx)
+ {
+- tx->descp[tx->num_desc].qw[0] |=
+- SDMA_DESC0_LAST_DESC_FLAG;
+- tx->descp[tx->num_desc].qw[1] |=
+- dd->default_desc1;
++ u16 last_desc = tx->num_desc - 1;
++
++ tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG;
++ tx->descp[last_desc].qw[1] |= dd->default_desc1;
+ if (tx->flags & SDMA_TXREQ_F_URGENT)
+- tx->descp[tx->num_desc].qw[1] |=
+- (SDMA_DESC1_HEAD_TO_HOST_FLAG |
+- SDMA_DESC1_INT_REQ_FLAG);
++ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG |
++ SDMA_DESC1_INT_REQ_FLAG);
+ }
+
+ static inline int _sdma_txadd_daddr(
+@@ -704,6 +703,7 @@ static inline int _sdma_txadd_daddr(
+ type,
+ addr, len);
+ WARN_ON(len > tx->tlen);
++ tx->num_desc++;
+ tx->tlen -= len;
+ /* special cases for last */
+ if (!tx->tlen) {
+@@ -715,7 +715,6 @@ static inline int _sdma_txadd_daddr(
+ _sdma_close_tx(dd, tx);
+ }
+ }
+- tx->num_desc++;
+ return rval;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 51b90364f500ae4b586dc32e18e61f232983cb55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 17:27:55 -0700
+Subject: Input: adxl34x - do not hardcode interrupt trigger type
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ]
+
+Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's
+respect the settings specified in the firmware description.
+
+Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/adxl34x.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
+index 3695dd7dbb9b4..ec0c91ec52277 100644
+--- a/drivers/input/misc/adxl34x.c
++++ b/drivers/input/misc/adxl34x.c
+@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
+ AC_WRITE(ac, POWER_CTL, 0);
+
+ err = request_threaded_irq(ac->irq, NULL, adxl34x_irq,
+- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+- dev_name(dev), ac);
++ IRQF_ONESHOT, dev_name(dev), ac);
+ if (err) {
+ dev_err(dev, "irq %d busy?\n", ac->irq);
+ goto err_free_mem;
+--
+2.39.2
+
--- /dev/null
+From 569e4104a6ffce321ca0b44f7bcb5c522b3a082f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 May 2023 17:01:45 -0700
+Subject: Input: drv260x - sleep between polling GO bit
+
+From: Luca Weiss <luca@z3ntu.xyz>
+
+[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ]
+
+When doing the initial startup there's no need to poll without any
+delay and spam the I2C bus.
+
+Let's sleep 15ms between each attempt, which is the same time as used
+in the vendor driver.
+
+Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver")
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/drv260x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
+index 17eb84ab4c0b7..fe3fbde989be2 100644
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -443,6 +443,7 @@ static int drv260x_init(struct drv260x_data *haptics)
+ }
+
+ do {
++ usleep_range(15000, 15500);
+ error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf);
+ if (error) {
+ dev_err(&haptics->client->dev,
+--
+2.39.2
+
--- /dev/null
+From fb27984c7b464c888b054effdf720e797025a50e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jun 2023 17:33:47 +0800
+Subject: ipvlan: Fix return value of ipvlan_queue_xmit()
+
+From: Cambda Zhu <cambda@linux.alibaba.com>
+
+[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ]
+
+ipvlan_queue_xmit() should return NET_XMIT_XXX, but
+ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX
+in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED
+in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to
+NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or
+NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase
+both ipvlan and ipvlan->phy_dev drops counter.
+
+The skb to forward can be treated as xmitted successfully. This patch
+makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb.
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index eb80d277b56f5..6b6c5a7250a65 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -592,7 +592,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev)
+ consume_skb(skb);
+ return NET_XMIT_DROP;
+ }
+- return ipvlan_rcv_frame(addr, &skb, true);
++ ipvlan_rcv_frame(addr, &skb, true);
++ return NET_XMIT_SUCCESS;
+ }
+ }
+ out:
+@@ -618,7 +619,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev)
+ consume_skb(skb);
+ return NET_XMIT_DROP;
+ }
+- return ipvlan_rcv_frame(addr, &skb, true);
++ ipvlan_rcv_frame(addr, &skb, true);
++ return NET_XMIT_SUCCESS;
+ }
+ }
+ skb = skb_share_check(skb, GFP_ATOMIC);
+@@ -630,7 +632,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev)
+ * the skb for the main-dev. At the RX side we just return
+ * RX_PASS for it to be processed further on the stack.
+ */
+- return dev_forward_skb(ipvlan->phy_dev, skb);
++ dev_forward_skb(ipvlan->phy_dev, skb);
++ return NET_XMIT_SUCCESS;
+
+ } else if (is_multicast_ether_addr(eth->h_dest)) {
+ skb_reset_mac_header(skb);
+--
+2.39.2
+
--- /dev/null
+From 4ccd3be2ccc9fa9c3b14d259dc5e795c7d90db2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 18:33:42 +0200
+Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
+
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+
+[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ]
+
+The initialization function for the J-Core AIC aic_irq_of_init() is
+currently missing the call to irq_alloc_descs() which allocates and
+initializes all the IRQ descriptors. Add missing function call and
+return the error code from irq_alloc_descs() in case the allocation
+fails.
+
+Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver")
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Tested-by: Rob Landley <rob@landley.net>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-jcore-aic.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c
+index 5f47d8ee4ae39..b9dcc8e78c750 100644
+--- a/drivers/irqchip/irq-jcore-aic.c
++++ b/drivers/irqchip/irq-jcore-aic.c
+@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node,
+ unsigned min_irq = JCORE_AIC2_MIN_HWIRQ;
+ unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1;
+ struct irq_domain *domain;
++ int ret;
+
+ pr_info("Initializing J-Core AIC\n");
+
+@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node,
+ jcore_aic.irq_unmask = noop;
+ jcore_aic.name = "AIC";
+
++ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq,
++ of_node_to_nid(node));
++
++ if (ret < 0)
++ return ret;
++
+ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq,
+ &jcore_aic_irqdomain_ops,
+ &jcore_aic);
+--
+2.39.2
+
--- /dev/null
+From a0040d3dcb0b479ed0a896c972942db0a435106b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 10:35:51 +0100
+Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings()
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ]
+
+irq_create_strict_mappings() is a poor way to allow the use of
+a linear IRQ domain as a legacy one. Let's be upfront about it.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org
+Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-jcore-aic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c
+index 033bccb41455c..5f47d8ee4ae39 100644
+--- a/drivers/irqchip/irq-jcore-aic.c
++++ b/drivers/irqchip/irq-jcore-aic.c
+@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node,
+ jcore_aic.irq_unmask = noop;
+ jcore_aic.name = "AIC";
+
+- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops,
++ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq,
++ &jcore_aic_irqdomain_ops,
+ &jcore_aic);
+ if (!domain)
+ return -ENOMEM;
+- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq);
+
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From 8b2db998a10f3e10565a0bcd7135e3b686532fed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 20:34:34 +0800
+Subject: kexec: fix a memory leak in crash_shrink_memory()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ]
+
+Patch series "kexec: enable kexec_crash_size to support two crash kernel
+regions".
+
+When crashkernel=X fails to reserve region under 4G, it will fall back to
+reserve region above 4G and a region of the default size will also be
+reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only
+supports one crash kernel region now, the user cannot sense the low memory
+reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot
+be freed by writing this file.
+
+For example:
+resource_size(crashk_res) = 512M
+resource_size(crashk_low_res) = 256M
+
+The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be
+768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size
+of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB,
+which is incorrect.
+
+Since crashk_res manages the memory with high address and crashk_low_res
+manages the memory with low address, crashk_low_res is shrunken only when
+all crashk_res is shrunken. And because when there is only one crash
+kernel region, crashk_res is always used. Therefore, if all crashk_res is
+shrunken and crashk_low_res still exists, swap them.
+
+This patch (of 6):
+
+If the value of parameter 'new_size' is in the semi-open and semi-closed
+interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the
+calculation result of ram_res is:
+
+ ram_res->start = crashk_res.end + 1
+ ram_res->end = crashk_res.end
+
+The operation of insert_resource() fails, and ram_res is not added to
+iomem_resource. As a result, the memory of the control block ram_res is
+leaked.
+
+In fact, on all architectures, the start address and size of crashk_res
+are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need
+to round up crashk_res.start again. Instead, we should round up
+'new_size' in advance.
+
+Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com
+Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com
+Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()")
+Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: Cong Wang <amwang@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
+index 6b3d7f7211dd6..3666d434a8f59 100644
+--- a/kernel/kexec_core.c
++++ b/kernel/kexec_core.c
+@@ -1020,6 +1020,7 @@ int crash_shrink_memory(unsigned long new_size)
+ start = crashk_res.start;
+ end = crashk_res.end;
+ old_size = (end == 0) ? 0 : end - start + 1;
++ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);
+ if (new_size >= old_size) {
+ ret = (new_size == old_size) ? 0 : -EINVAL;
+ goto unlock;
+@@ -1031,9 +1032,7 @@ int crash_shrink_memory(unsigned long new_size)
+ goto unlock;
+ }
+
+- start = roundup(start, KEXEC_CRASH_MEM_ALIGN);
+- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN);
+-
++ end = start + new_size;
+ crash_free_reserved_phys_range(end, crashk_res.end);
+
+ if ((start == end) && (crashk_res.parent != NULL))
+--
+2.39.2
+
--- /dev/null
+From 87da1904b8c1c4030f88ea104f42f0a2d6b7bce8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jun 2023 20:06:57 +0100
+Subject: lib/ts_bm: reset initial match offset for every block of text
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ]
+
+The `shift` variable which indicates the offset in the string at which
+to start matching the pattern is initialized to `bm->patlen - 1`, but it
+is not reset when a new block is retrieved. This means the implemen-
+tation may start looking at later and later positions in each successive
+block and miss occurrences of the pattern at the beginning. E.g.,
+consider a HTTP packet held in a non-linear skb, where the HTTP request
+line occurs in the second block:
+
+ [... 52 bytes of packet headers ...]
+ GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n
+
+and the pattern is "GET /bmtest".
+
+Once the first block comprising the packet headers has been examined,
+`shift` will be pointing to somewhere near the end of the block, and so
+when the second block is examined the request line at the beginning will
+be missed.
+
+Reinitialize the variable for each new block.
+
+Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2")
+Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/ts_bm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ts_bm.c b/lib/ts_bm.c
+index 9e66ee4020e90..5de382e79a45a 100644
+--- a/lib/ts_bm.c
++++ b/lib/ts_bm.c
+@@ -64,10 +64,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
+ struct ts_bm *bm = ts_config_priv(conf);
+ unsigned int i, text_len, consumed = state->offset;
+ const u8 *text;
+- int shift = bm->patlen - 1, bs;
++ int bs;
+ const u8 icase = conf->flags & TS_IGNORECASE;
+
+ for (;;) {
++ int shift = bm->patlen - 1;
++
+ text_len = conf->get_next_block(consumed, &text, conf, state);
+
+ if (unlikely(text_len == 0))
+--
+2.39.2
+
--- /dev/null
+From c42045a300917bf19d72afa28c7485a1e242ad54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 21:48:05 +0800
+Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ]
+
+If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
+will return -EINVAL because 'page >= bitmap->pages', but the return value
+was not checked immediately in md_bitmap_get_counter() in order to set
+*blocks value and slab-out-of-bounds occurs.
+
+Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and
+return directly if true.
+
+Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 1c4c462787198..7ca81e917aef4 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -53,14 +53,7 @@ __acquires(bitmap->lock)
+ {
+ unsigned char *mappage;
+
+- if (page >= bitmap->pages) {
+- /* This can happen if bitmap_start_sync goes beyond
+- * End-of-device while looking for a whole page.
+- * It is harmless.
+- */
+- return -EINVAL;
+- }
+-
++ WARN_ON_ONCE(page >= bitmap->pages);
+ if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */
+ return 0;
+
+@@ -1368,6 +1361,14 @@ __acquires(bitmap->lock)
+ sector_t csize;
+ int err;
+
++ if (page >= bitmap->pages) {
++ /*
++ * This can happen if bitmap_start_sync goes beyond
++ * End-of-device while looking for a whole page or
++ * user set a huge number to sysfs bitmap_set_bits.
++ */
++ return NULL;
++ }
+ err = md_bitmap_checkpage(bitmap, page, create, 0);
+
+ if (bitmap->bp[page].hijacked ||
+--
+2.39.2
+
--- /dev/null
+From 259441acc7d9499e917ec4612b2d9d732e643a53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 17:18:39 +0800
+Subject: md/raid10: fix io loss while replacement replace rdev
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ]
+
+When removing a disk with replacement, the replacement will be used to
+replace rdev. During this process, there is a brief window in which both
+rdev and replacement are read as NULL in raid10_write_request(). This
+will result in io not being submitted but it should be.
+
+ //remove //write
+ raid10_remove_disk raid10_write_request
+ mirror->rdev = NULL
+ read rdev -> NULL
+ mirror->rdev = mirror->replacement
+ mirror->replacement = NULL
+ read replacement -> NULL
+
+Fix it by reading replacement first and rdev later, meanwhile, use smp_mb()
+to prevent memory reordering.
+
+Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid10.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index f6d2be1d23864..d46056b07c079 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -781,8 +781,16 @@ static struct md_rdev *read_balance(struct r10conf *conf,
+ disk = r10_bio->devs[slot].devnum;
+ rdev = rcu_dereference(conf->mirrors[disk].replacement);
+ if (rdev == NULL || test_bit(Faulty, &rdev->flags) ||
+- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset)
++ r10_bio->devs[slot].addr + sectors >
++ rdev->recovery_offset) {
++ /*
++ * Read replacement first to prevent reading both rdev
++ * and replacement as NULL during replacement replace
++ * rdev.
++ */
++ smp_mb();
+ rdev = rcu_dereference(conf->mirrors[disk].rdev);
++ }
+ if (rdev == NULL ||
+ test_bit(Faulty, &rdev->flags))
+ continue;
+@@ -1400,9 +1408,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio,
+
+ for (i = 0; i < conf->copies; i++) {
+ int d = r10_bio->devs[i].devnum;
+- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev);
+- struct md_rdev *rrdev = rcu_dereference(
+- conf->mirrors[d].replacement);
++ struct md_rdev *rdev, *rrdev;
++
++ rrdev = rcu_dereference(conf->mirrors[d].replacement);
++ /*
++ * Read replacement first to prevent reading both rdev and
++ * replacement as NULL during replacement replace rdev.
++ */
++ smp_mb();
++ rdev = rcu_dereference(conf->mirrors[d].rdev);
+ if (rdev == rrdev)
+ rrdev = NULL;
+ if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) {
+--
+2.39.2
+
--- /dev/null
+From 06023f86c6d335ab7cbc42c39fdf4677bddab0d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 15:25:33 +0800
+Subject: md/raid10: fix overflow of md/safe_mode_delay
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ]
+
+There is no input check when echo md/safe_mode_delay in safe_delay_store().
+And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by
+checking overflow in safe_delay_store() and use unsigned long conversion in
+safe_delay_show().
+
+Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index f8c111b369928..ad3e666b9d735 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3671,8 +3671,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
+ static ssize_t
+ safe_delay_show(struct mddev *mddev, char *page)
+ {
+- int msec = (mddev->safemode_delay*1000)/HZ;
+- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
++ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
++
++ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
+ }
+ static ssize_t
+ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+@@ -3684,7 +3685,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+ return -EINVAL;
+ }
+
+- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
++ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ)
+ return -EINVAL;
+ if (msec == 0)
+ mddev->safemode_delay = 0;
+--
+2.39.2
+
--- /dev/null
+From 3ac2cda1e64e9661ec83abeb47a94e2514a776f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 15:25:34 +0800
+Subject: md/raid10: fix wrong setting of max_corr_read_errors
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ]
+
+There is no input check when echo md/max_read_errors and overflow might
+occur. Add check of input number.
+
+Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index ad3e666b9d735..2e23a898fc978 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4337,6 +4337,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len
+ rv = kstrtouint(buf, 10, &n);
+ if (rv < 0)
+ return rv;
++ if (n > INT_MAX)
++ return -EINVAL;
+ atomic_set(&mddev->max_corr_read_errors, n);
+ return len;
+ }
+--
+2.39.2
+
--- /dev/null
+From e30b96869547af066175585c4913bfb9bbf5e916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 22:27:04 +0200
+Subject: memstick r592: make memstick_debug_get_tpc_name() static
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ]
+
+There are no other files referencing this function, apparently
+it was left global to avoid an 'unused function' warning when
+the only caller is left out. With a 'W=1' build, it causes
+a 'missing prototype' warning though:
+
+drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]
+
+Annotate the function as 'static __maybe_unused' to avoid both
+problems.
+
+Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/host/r592.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index edb1b5588b7a0..6360f5c6d3958 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -47,12 +47,10 @@ static const char *tpc_names[] = {
+ * memstick_debug_get_tpc_name - debug helper that returns string for
+ * a TPC number
+ */
+-const char *memstick_debug_get_tpc_name(int tpc)
++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc)
+ {
+ return tpc_names[tpc-1];
+ }
+-EXPORT_SYMBOL(memstick_debug_get_tpc_name);
+-
+
+ /* Read a register*/
+ static inline u32 r592_read_reg(struct r592_device *dev, int address)
+--
+2.39.2
+
--- /dev/null
+From 900af37b23eddbb3069809f016b46b3a70a539a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jun 2023 21:09:56 +0900
+Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ]
+
+addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a
+wrong way.
+
+Here, test code.
+
+[test code for R_ARM_JUMP24]
+
+ .section .init.text,"ax"
+ bar:
+ bx lr
+
+ .section .text,"ax"
+ .globl foo
+ foo:
+ b bar
+
+[test code for R_ARM_CALL]
+
+ .section .init.text,"ax"
+ bar:
+ bx lr
+
+ .section .text,"ax"
+ .globl foo
+ foo:
+ push {lr}
+ bl bar
+ pop {pc}
+
+If you compile it with ARM multi_v7_defconfig, modpost will show the
+symbol name, (unknown).
+
+ WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text)
+
+(You need to use GNU linker instead of LLD to reproduce it.)
+
+Fix the code to make modpost show the correct symbol name.
+
+I imported (with adjustment) sign_extend32() from include/linux/bitops.h.
+
+The '+8' is the compensation for pc-relative instruction. It is
+documented in "ELF for the Arm Architecture" [1].
+
+ "If the relocation is pc-relative then compensation for the PC bias
+ (the PC value is 8 bytes ahead of the executing instruction in Arm
+ state and 4 bytes in Thumb state) must be encoded in the relocation
+ by the object producer."
+
+[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst
+
+Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm")
+Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 41b1791a9463b..2060a3fe9691d 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1751,12 +1751,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ #define R_ARM_THM_JUMP19 51
+ #endif
+
++static int32_t sign_extend32(int32_t value, int index)
++{
++ uint8_t shift = 31 - index;
++
++ return (int32_t)(value << shift) >> shift;
++}
++
+ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ {
+ unsigned int r_typ = ELF_R_TYPE(r->r_info);
+ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info);
+ void *loc = reloc_location(elf, sechdr, r);
+ uint32_t inst;
++ int32_t offset;
+
+ switch (r_typ) {
+ case R_ARM_ABS32:
+@@ -1766,6 +1774,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ case R_ARM_PC24:
+ case R_ARM_CALL:
+ case R_ARM_JUMP24:
++ inst = TO_NATIVE(*(uint32_t *)loc);
++ offset = sign_extend32((inst & 0x00ffffff) << 2, 25);
++ r->r_addend = offset + sym->st_value + 8;
++ break;
+ case R_ARM_THM_CALL:
+ case R_ARM_THM_JUMP24:
+ case R_ARM_THM_JUMP19:
+--
+2.39.2
+
--- /dev/null
+From 0d510b44c12ef373d8102b1be1652f7e485f1bf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jun 2023 21:09:55 +0900
+Subject: modpost: fix section mismatch message for R_ARM_ABS32
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ]
+
+addend_arm_rel() processes R_ARM_ABS32 in a wrong way.
+
+Here, test code.
+
+ [test code 1]
+
+ #include <linux/init.h>
+
+ int __initdata foo;
+ int get_foo(void) { return foo; }
+
+If you compile it with ARM versatile_defconfig, modpost will show the
+symbol name, (unknown).
+
+ WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data)
+
+(You need to use GNU linker instead of LLD to reproduce it.)
+
+If you compile it for other architectures, modpost will show the correct
+symbol name.
+
+ WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data)
+
+For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value.
+
+I just mimicked the code in arch/arm/kernel/module.c.
+
+However, there is more difficulty for ARM.
+
+Here, test code.
+
+ [test code 2]
+
+ #include <linux/init.h>
+
+ int __initdata foo;
+ int get_foo(void) { return foo; }
+
+ int __initdata bar;
+ int get_bar(void) { return bar; }
+
+With this commit applied, modpost will show the following messages
+for ARM versatile_defconfig:
+
+ WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data)
+ WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data)
+
+The reference from 'get_bar' to 'foo' seems wrong.
+
+I have no solution for this because it is true in assembly level.
+
+In the following output, relocation at 0x1c is no longer associated
+with 'bar'. The two relocation entries point to the same symbol, and
+the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'.
+
+ Disassembly of section .text:
+
+ 00000000 <get_foo>:
+ 0: e59f3004 ldr r3, [pc, #4] @ c <get_foo+0xc>
+ 4: e5930000 ldr r0, [r3]
+ 8: e12fff1e bx lr
+ c: 00000000 .word 0x00000000
+
+ 00000010 <get_bar>:
+ 10: e59f3004 ldr r3, [pc, #4] @ 1c <get_bar+0xc>
+ 14: e5930004 ldr r0, [r3, #4]
+ 18: e12fff1e bx lr
+ 1c: 00000000 .word 0x00000000
+
+ Relocation section '.rel.text' at offset 0x244 contains 2 entries:
+ Offset Info Type Sym.Value Sym. Name
+ 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data
+ 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data
+
+When find_elf_symbol() gets into a situation where relsym->st_name is
+zero, there is no guarantee to get the symbol name as written in C.
+
+I am keeping the current logic because it is useful in many architectures,
+but the symbol name is not always correct depending on the optimization.
+I left some comments in find_tosym().
+
+Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 8c2847ef4e422..41b1791a9463b 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1260,6 +1260,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ if (relsym->st_name != 0)
+ return relsym;
+
++ /*
++ * Strive to find a better symbol name, but the resulting name may not
++ * match the symbol referenced in the original code.
++ */
+ relsym_secindex = get_secindex(elf, relsym);
+ for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) {
+ if (get_secindex(elf, sym) != relsym_secindex)
+@@ -1750,12 +1754,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ {
+ unsigned int r_typ = ELF_R_TYPE(r->r_info);
++ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info);
++ void *loc = reloc_location(elf, sechdr, r);
++ uint32_t inst;
+
+ switch (r_typ) {
+ case R_ARM_ABS32:
+- /* From ARM ABI: (S + A) | T */
+- r->r_addend = (int)(long)
+- (elf->symtab_start + ELF_R_SYM(r->r_info));
++ inst = TO_NATIVE(*(uint32_t *)loc);
++ r->r_addend = inst + sym->st_value;
+ break;
+ case R_ARM_PC24:
+ case R_ARM_CALL:
+--
+2.39.2
+
--- /dev/null
+From e30a64ceb7b11cf6fcd324236f5de49d836f811d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 11:10:37 -0700
+Subject: net: create netdev->dev_addr assignment helpers
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ]
+
+Recent work on converting address list to a tree made it obvious
+we need an abstraction around writing netdev->dev_addr. Without
+such abstraction updating the main device address is invisible
+to the core.
+
+Introduce a number of helpers which for now just wrap memcpy()
+but in the future can make necessary changes to the address
+tree.
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/etherdevice.h | 12 ++++++++++++
+ include/linux/netdevice.h | 18 ++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
+index e1e9eff096d05..2932a40060c1d 100644
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -291,6 +291,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src)
+ #endif
+ }
+
++/**
++ * eth_hw_addr_set - Assign Ethernet address to a net_device
++ * @dev: pointer to net_device structure
++ * @addr: address to assign
++ *
++ * Assign given address to the net_device, addr_assign_type is not changed.
++ */
++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr)
++{
++ ether_addr_copy(dev->dev_addr, addr);
++}
++
+ /**
+ * eth_hw_addr_inherit - Copy dev_addr from another net_device
+ * @dst: pointer to net_device to copy dev_addr to
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 90827d85265b0..7e9df3854420a 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -4079,6 +4079,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list,
+ void __hw_addr_init(struct netdev_hw_addr_list *list);
+
+ /* Functions used for device addresses handling */
++static inline void
++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len)
++{
++ memcpy(dev->dev_addr, addr, len);
++}
++
++static inline void dev_addr_set(struct net_device *dev, const u8 *addr)
++{
++ __dev_addr_set(dev, addr, dev->addr_len);
++}
++
++static inline void
++dev_addr_mod(struct net_device *dev, unsigned int offset,
++ const u8 *addr, size_t len)
++{
++ memcpy(&dev->dev_addr[offset], addr, len);
++}
++
+ int dev_addr_add(struct net_device *dev, const unsigned char *addr,
+ unsigned char addr_type);
+ int dev_addr_del(struct net_device *dev, const unsigned char *addr,
+--
+2.39.2
+
--- /dev/null
+From c40874c71ae6f5e26f1958101a5a7dd1d049899f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jun 2023 11:23:46 +0000
+Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param()
+ return value.
+
+From: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ]
+
+ct_sip_parse_numerical_param() returns only 0 or 1 now.
+But process_register_request() and process_register_response() imply
+checking for a negative value if parsing of a numerical header parameter
+failed.
+The invocation in nf_nat_sip() looks correct:
+ if (ct_sip_parse_numerical_param(...) > 0 &&
+ ...) { ... }
+
+Make the return value of the function ct_sip_parse_numerical_param()
+a tristate to fix all the cases
+a) return 1 if value is found; *val is set
+b) return 0 if value is not found; *val is unchanged
+c) return -1 on error; *val is undefined
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations")
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 046f118dea06b..d16aa43ebd4d6 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -605,7 +605,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+ start += strlen(name);
+ *val = simple_strtoul(start, &end, 0);
+ if (start == end)
+- return 0;
++ return -1;
+ if (matchoff && matchlen) {
+ *matchoff = start - dptr;
+ *matchlen = end - start;
+--
+2.39.2
+
--- /dev/null
+From 3a75a252bcf5592f5b27882ccbb7d44ddafb7763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jun 2023 09:43:13 -0700
+Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ]
+
+syzbot reported a warning in __local_bh_enable_ip(). [0]
+
+Commit 8d61f926d420 ("netlink: fix potential deadlock in
+netlink_set_err()") converted read_lock(&nl_table_lock) to
+read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock.
+
+However, __netlink_diag_dump() calls sock_i_ino() that uses
+read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y,
+read_unlock_bh() finally enables IRQ even though it should stay
+disabled until the following read_unlock_irqrestore().
+
+Using read_lock() in sock_i_ino() would trigger a lockdep splat
+in another place that was fixed in commit f064af1e500a ("net: fix
+a lockdep splat"), so let's add __sock_i_ino() that would be safe
+to use under BH disabled.
+
+[0]:
+WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
+Modules linked in:
+CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
+Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f
+RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046
+RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996
+RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3
+RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3
+R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4
+R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000
+FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sock_i_ino+0x83/0xa0 net/core/sock.c:2559
+ __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171
+ netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207
+ netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269
+ __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374
+ netlink_dump_start include/linux/netlink.h:329 [inline]
+ netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238
+ __sock_diag_cmd net/core/sock_diag.c:238 [inline]
+ sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269
+ netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547
+ sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0xde/0x190 net/socket.c:747
+ ____sys_sendmsg+0x71c/0x900 net/socket.c:2503
+ ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557
+ __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f5303aaabb9
+Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9
+RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()")
+Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 1 +
+ net/core/sock.c | 17 ++++++++++++++---
+ net/netlink/diag.c | 2 +-
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 616e84d1670df..72739f72e4b90 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1840,6 +1840,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
+ }
+
+ kuid_t sock_i_uid(struct sock *sk);
++unsigned long __sock_i_ino(struct sock *sk);
+ unsigned long sock_i_ino(struct sock *sk);
+
+ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 347a55519d0a5..5b31f3446fc7a 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1939,13 +1939,24 @@ kuid_t sock_i_uid(struct sock *sk)
+ }
+ EXPORT_SYMBOL(sock_i_uid);
+
+-unsigned long sock_i_ino(struct sock *sk)
++unsigned long __sock_i_ino(struct sock *sk)
+ {
+ unsigned long ino;
+
+- read_lock_bh(&sk->sk_callback_lock);
++ read_lock(&sk->sk_callback_lock);
+ ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0;
+- read_unlock_bh(&sk->sk_callback_lock);
++ read_unlock(&sk->sk_callback_lock);
++ return ino;
++}
++EXPORT_SYMBOL(__sock_i_ino);
++
++unsigned long sock_i_ino(struct sock *sk)
++{
++ unsigned long ino;
++
++ local_bh_disable();
++ ino = __sock_i_ino(sk);
++ local_bh_enable();
+ return ino;
+ }
+ EXPORT_SYMBOL(sock_i_ino);
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index 83a0429805e9d..85ee4891c2c7f 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -167,7 +167,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq,
+ NLM_F_MULTI,
+- sock_i_ino(sk)) < 0) {
++ __sock_i_ino(sk)) < 0) {
+ ret = 1;
+ break;
+ }
+--
+2.39.2
+
--- /dev/null
+From 459b47414fc29c8475bd27d3af1b1a4f95fb993f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jun 2023 17:47:20 +0000
+Subject: netlink: do not hard code device address lenth in fdb dumps
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ]
+
+syzbot reports that some netdev devices do not have a six bytes
+address [1]
+
+Replace ETH_ALEN by dev->addr_len.
+
+[1] (Case of a device where dev->addr_len = 4)
+
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
+instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+copyout+0xb8/0x100 lib/iov_iter.c:169
+_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
+copy_to_iter include/linux/uio.h:206 [inline]
+simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
+__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
+skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
+skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
+netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
+sock_recvmsg_nosec net/socket.c:1019 [inline]
+sock_recvmsg net/socket.c:1040 [inline]
+____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
+___sys_recvmsg+0x223/0x840 net/socket.c:2764
+do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
+__sys_recvmmsg net/socket.c:2937 [inline]
+__do_sys_recvmmsg net/socket.c:2960 [inline]
+__se_sys_recvmmsg net/socket.c:2953 [inline]
+__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was stored to memory at:
+__nla_put lib/nlattr.c:1009 [inline]
+nla_put+0x1c6/0x230 lib/nlattr.c:1067
+nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
+nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
+ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
+rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
+netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
+netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
+sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
+____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
+___sys_recvmsg+0x223/0x840 net/socket.c:2764
+do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
+__sys_recvmmsg net/socket.c:2937 [inline]
+__do_sys_recvmmsg net/socket.c:2960 [inline]
+__se_sys_recvmmsg net/socket.c:2953 [inline]
+__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
+slab_alloc_node mm/slub.c:3451 [inline]
+__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
+kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
+kmalloc include/linux/slab.h:559 [inline]
+__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
+__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
+__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
+dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
+igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
+ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
+ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
+addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
+addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
+notifier_call_chain kernel/notifier.c:93 [inline]
+raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
+call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
+call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
+bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
+do_set_master net/core/rtnetlink.c:2626 [inline]
+rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
+__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
+rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
+rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
+netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
+rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0x999/0xd50 net/socket.c:2503
+___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
+__sys_sendmsg net/socket.c:2586 [inline]
+__do_sys_sendmsg net/socket.c:2595 [inline]
+__se_sys_sendmsg net/socket.c:2593 [inline]
+__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Bytes 2856-2857 of 3500 are uninitialized
+Memory access of size 3500 starts at ffff888018d99104
+Data copied to user address 0000000020000480
+
+Fixes: d83b06036048 ("net: add fdb generic dump routine")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 2837cc03f69e2..79f62517e24a5 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3436,7 +3436,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
+ ndm->ndm_ifindex = dev->ifindex;
+ ndm->ndm_state = ndm_state;
+
+- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr))
++ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr))
+ goto nla_put_failure;
+ if (vid)
+ if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid))
+@@ -3450,10 +3450,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
+ return -EMSGSIZE;
+ }
+
+-static inline size_t rtnl_fdb_nlmsg_size(void)
++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev)
+ {
+ return NLMSG_ALIGN(sizeof(struct ndmsg)) +
+- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */
++ nla_total_size(dev->addr_len) + /* NDA_LLADDR */
+ nla_total_size(sizeof(u16)) + /* NDA_VLAN */
+ 0;
+ }
+@@ -3465,7 +3465,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type,
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+
+- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC);
++ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC);
+ if (!skb)
+ goto errout;
+
+--
+2.39.2
+
--- /dev/null
+From 6845ece794e1aeaadab2f5f1b10d1d35bc668d1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jun 2023 15:43:37 +0000
+Subject: netlink: fix potential deadlock in netlink_set_err()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ]
+
+syzbot reported a possible deadlock in netlink_set_err() [1]
+
+A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs
+for netlink_lock_table()") in netlink_lock_table()
+
+This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()
+which were not covered by cited commit.
+
+[1]
+
+WARNING: possible irq lock inversion dependency detected
+6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted
+
+syz-executor.2/23011 just changed the state of lock:
+ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612
+but this lock was taken by another, SOFTIRQ-safe lock in the past:
+ (&local->queue_stop_reason_lock){..-.}-{2:2}
+
+and interrupts could create inverse lock ordering between them.
+
+other info that might help us debug this:
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(nl_table_lock);
+ local_irq_disable();
+ lock(&local->queue_stop_reason_lock);
+ lock(nl_table_lock);
+ <Interrupt>
+ lock(&local->queue_stop_reason_lock);
+
+ *** DEADLOCK ***
+
+Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()")
+Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c
+Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 5 +++--
+ net/netlink/diag.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 57fd9b7cfc75f..35ecaa93f213a 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1603,6 +1603,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p)
+ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
+ {
+ struct netlink_set_err_data info;
++ unsigned long flags;
+ struct sock *sk;
+ int ret = 0;
+
+@@ -1612,12 +1613,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
+ /* sk->sk_err wants a positive error value */
+ info.code = -code;
+
+- read_lock(&nl_table_lock);
++ read_lock_irqsave(&nl_table_lock, flags);
+
+ sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list)
+ ret += do_one_set_err(sk, &info);
+
+- read_unlock(&nl_table_lock);
++ read_unlock_irqrestore(&nl_table_lock, flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(netlink_set_err);
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index 7dda33b9b7849..83a0429805e9d 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -93,6 +93,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ struct net *net = sock_net(skb->sk);
+ struct netlink_diag_req *req;
+ struct netlink_sock *nlsk;
++ unsigned long flags;
+ struct sock *sk;
+ int num = 2;
+ int ret = 0;
+@@ -151,7 +152,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ num++;
+
+ mc_list:
+- read_lock(&nl_table_lock);
++ read_lock_irqsave(&nl_table_lock, flags);
+ sk_for_each_bound(sk, &tbl->mc_list) {
+ if (sk_hashed(sk))
+ continue;
+@@ -172,7 +173,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ }
+ num++;
+ }
+- read_unlock(&nl_table_lock);
++ read_unlock_irqrestore(&nl_table_lock, flags);
+
+ done:
+ cb->args[0] = num;
+--
+2.39.2
+
--- /dev/null
+From f2fd3340eff76d7c5d0b33c8a89cb746bb836c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 16:41:59 +0200
+Subject: nfc: constify several pointers to u8, char and sk_buff
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ]
+
+Several functions receive pointers to u8, char or sk_buff but do not
+modify the contents so make them const. This allows doing the same for
+local variables and in total makes the code a little bit safer.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h | 4 ++--
+ net/nfc/core.c | 4 ++--
+ net/nfc/hci/llc_shdlc.c | 10 ++++-----
+ net/nfc/llcp.h | 8 +++----
+ net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++-------------------
+ net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------
+ net/nfc/nfc.h | 2 +-
+ 7 files changed, 63 insertions(+), 55 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index bbdc73a3239df..8b86560b5cfb1 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -278,7 +278,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk,
+ struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp);
+
+ int nfc_set_remote_general_bytes(struct nfc_dev *dev,
+- u8 *gt, u8 gt_len);
++ const u8 *gt, u8 gt_len);
+ u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len);
+
+ int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name,
+@@ -292,7 +292,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx,
+ u8 comm_mode, u8 rf_mode);
+
+ int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode,
+- u8 *gb, size_t gb_len);
++ const u8 *gb, size_t gb_len);
+ int nfc_tm_deactivated(struct nfc_dev *dev);
+ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb);
+
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index a84f824da051d..dd12ee46ac730 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -646,7 +646,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx)
+ return rc;
+ }
+
+-int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len)
++int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
+ {
+ pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len);
+
+@@ -675,7 +675,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb)
+ EXPORT_SYMBOL(nfc_tm_data_received);
+
+ int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode,
+- u8 *gb, size_t gb_len)
++ const u8 *gb, size_t gb_len)
+ {
+ int rc;
+
+diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c
+index fe988936ad923..e6863c71f566d 100644
+--- a/net/nfc/hci/llc_shdlc.c
++++ b/net/nfc/hci/llc_shdlc.c
+@@ -134,7 +134,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z)
+ return ((y >= x) || (y < z)) ? true : false;
+ }
+
+-static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc,
++static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc,
+ int payload_len)
+ {
+ struct sk_buff *skb;
+@@ -148,7 +148,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc,
+ }
+
+ /* immediately sends an S frame. */
+-static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc,
++static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc,
+ enum sframe_type sframe_type, int nr)
+ {
+ int r;
+@@ -170,7 +170,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc,
+ }
+
+ /* immediately sends an U frame. skb may contain optional payload */
+-static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc,
++static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc,
+ struct sk_buff *skb,
+ enum uframe_modifier uframe_modifier)
+ {
+@@ -372,7 +372,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r)
+ wake_up(shdlc->connect_wq);
+ }
+
+-static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc)
++static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc)
+ {
+ struct sk_buff *skb;
+
+@@ -388,7 +388,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc)
+ return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET);
+ }
+
+-static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc)
++static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc)
+ {
+ struct sk_buff *skb;
+
+diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h
+index 1f68724d44d3b..a070a57fc1516 100644
+--- a/net/nfc/llcp.h
++++ b/net/nfc/llcp.h
+@@ -233,15 +233,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock);
+
+ /* TLV API */
+ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
+- u8 *tlv_array, u16 tlv_array_len);
++ const u8 *tlv_array, u16 tlv_array_len);
+ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
+- u8 *tlv_array, u16 tlv_array_len);
++ const u8 *tlv_array, u16 tlv_array_len);
+
+ /* Commands API */
+ void nfc_llcp_recv(void *data, struct sk_buff *skb, int err);
+-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length);
++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length);
+ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap);
+-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri,
+ size_t uri_len);
+ void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp);
+ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head);
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index d1fc019e932e0..6dcad7bcf20bb 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -27,7 +27,7 @@
+ #include "nfc.h"
+ #include "llcp.h"
+
+-static u8 llcp_tlv_length[LLCP_TLV_MAX] = {
++static const u8 llcp_tlv_length[LLCP_TLV_MAX] = {
+ 0,
+ 1, /* VERSION */
+ 2, /* MIUX */
+@@ -41,7 +41,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = {
+
+ };
+
+-static u8 llcp_tlv8(u8 *tlv, u8 type)
++static u8 llcp_tlv8(const u8 *tlv, u8 type)
+ {
+ if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]])
+ return 0;
+@@ -49,7 +49,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type)
+ return tlv[2];
+ }
+
+-static u16 llcp_tlv16(u8 *tlv, u8 type)
++static u16 llcp_tlv16(const u8 *tlv, u8 type)
+ {
+ if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]])
+ return 0;
+@@ -58,37 +58,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type)
+ }
+
+
+-static u8 llcp_tlv_version(u8 *tlv)
++static u8 llcp_tlv_version(const u8 *tlv)
+ {
+ return llcp_tlv8(tlv, LLCP_TLV_VERSION);
+ }
+
+-static u16 llcp_tlv_miux(u8 *tlv)
++static u16 llcp_tlv_miux(const u8 *tlv)
+ {
+ return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff;
+ }
+
+-static u16 llcp_tlv_wks(u8 *tlv)
++static u16 llcp_tlv_wks(const u8 *tlv)
+ {
+ return llcp_tlv16(tlv, LLCP_TLV_WKS);
+ }
+
+-static u16 llcp_tlv_lto(u8 *tlv)
++static u16 llcp_tlv_lto(const u8 *tlv)
+ {
+ return llcp_tlv8(tlv, LLCP_TLV_LTO);
+ }
+
+-static u8 llcp_tlv_opt(u8 *tlv)
++static u8 llcp_tlv_opt(const u8 *tlv)
+ {
+ return llcp_tlv8(tlv, LLCP_TLV_OPT);
+ }
+
+-static u8 llcp_tlv_rw(u8 *tlv)
++static u8 llcp_tlv_rw(const u8 *tlv)
+ {
+ return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf;
+ }
+
+-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length)
++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length)
+ {
+ u8 *tlv, length;
+
+@@ -142,7 +142,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap)
+ return sdres;
+ }
+
+-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri,
+ size_t uri_len)
+ {
+ struct nfc_llcp_sdp_tlv *sdreq;
+@@ -202,9 +202,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head)
+ }
+
+ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
+- u8 *tlv_array, u16 tlv_array_len)
++ const u8 *tlv_array, u16 tlv_array_len)
+ {
+- u8 *tlv = tlv_array, type, length, offset = 0;
++ const u8 *tlv = tlv_array;
++ u8 type, length, offset = 0;
+
+ pr_debug("TLV array length %d\n", tlv_array_len);
+
+@@ -251,9 +252,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
+ }
+
+ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
+- u8 *tlv_array, u16 tlv_array_len)
++ const u8 *tlv_array, u16 tlv_array_len)
+ {
+- u8 *tlv = tlv_array, type, length, offset = 0;
++ const u8 *tlv = tlv_array;
++ u8 type, length, offset = 0;
+
+ pr_debug("TLV array length %d\n", tlv_array_len);
+
+@@ -307,7 +309,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu,
+ return pdu;
+ }
+
+-static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv,
++static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv,
+ u8 tlv_length)
+ {
+ /* XXX Add an skb length check */
+@@ -401,9 +403,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
+ {
+ struct nfc_llcp_local *local;
+ struct sk_buff *skb;
+- u8 *service_name_tlv = NULL, service_name_tlv_length;
+- u8 *miux_tlv = NULL, miux_tlv_length;
+- u8 *rw_tlv = NULL, rw_tlv_length, rw;
++ const u8 *service_name_tlv = NULL;
++ const u8 *miux_tlv = NULL;
++ const u8 *rw_tlv = NULL;
++ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw;
+ int err;
+ u16 size = 0;
+ __be16 miux;
+@@ -477,8 +480,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
+ {
+ struct nfc_llcp_local *local;
+ struct sk_buff *skb;
+- u8 *miux_tlv = NULL, miux_tlv_length;
+- u8 *rw_tlv = NULL, rw_tlv_length, rw;
++ const u8 *miux_tlv = NULL;
++ const u8 *rw_tlv = NULL;
++ u8 miux_tlv_length, rw_tlv_length, rw;
+ int err;
+ u16 size = 0;
+ __be16 miux;
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 3290f2275b857..bdc1a9d0965af 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -314,7 +314,7 @@ static char *wks[] = {
+ "urn:nfc:sn:snep",
+ };
+
+-static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len)
++static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
+ {
+ int sap, num_wks;
+
+@@ -338,7 +338,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len)
+
+ static
+ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
+- u8 *sn, size_t sn_len)
++ const u8 *sn, size_t sn_len)
+ {
+ struct sock *sk;
+ struct nfc_llcp_sock *llcp_sock, *tmp_sock;
+@@ -535,7 +535,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
+ {
+ u8 *gb_cur, version, version_length;
+ u8 lto_length, wks_length, miux_length;
+- u8 *version_tlv = NULL, *lto_tlv = NULL,
++ const u8 *version_tlv = NULL, *lto_tlv = NULL,
+ *wks_tlv = NULL, *miux_tlv = NULL;
+ __be16 wks = cpu_to_be16(local->local_wks);
+ u8 gb_len = 0;
+@@ -625,7 +625,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
+ return local->gb;
+ }
+
+-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
+ {
+ struct nfc_llcp_local *local;
+
+@@ -652,27 +652,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
+ local->remote_gb_len - 3);
+ }
+
+-static u8 nfc_llcp_dsap(struct sk_buff *pdu)
++static u8 nfc_llcp_dsap(const struct sk_buff *pdu)
+ {
+ return (pdu->data[0] & 0xfc) >> 2;
+ }
+
+-static u8 nfc_llcp_ptype(struct sk_buff *pdu)
++static u8 nfc_llcp_ptype(const struct sk_buff *pdu)
+ {
+ return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6);
+ }
+
+-static u8 nfc_llcp_ssap(struct sk_buff *pdu)
++static u8 nfc_llcp_ssap(const struct sk_buff *pdu)
+ {
+ return pdu->data[1] & 0x3f;
+ }
+
+-static u8 nfc_llcp_ns(struct sk_buff *pdu)
++static u8 nfc_llcp_ns(const struct sk_buff *pdu)
+ {
+ return pdu->data[2] >> 4;
+ }
+
+-static u8 nfc_llcp_nr(struct sk_buff *pdu)
++static u8 nfc_llcp_nr(const struct sk_buff *pdu)
+ {
+ return pdu->data[2] & 0xf;
+ }
+@@ -814,7 +814,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local
+ }
+
+ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
+- u8 *sn, size_t sn_len)
++ const u8 *sn, size_t sn_len)
+ {
+ struct nfc_llcp_sock *llcp_sock;
+
+@@ -828,9 +828,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
+ return llcp_sock;
+ }
+
+-static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len)
++static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
+ {
+- u8 *tlv = &skb->data[2], type, length;
++ u8 type, length;
++ const u8 *tlv = &skb->data[2];
+ size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0;
+
+ while (offset < tlv_array_len) {
+@@ -888,7 +889,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
+ }
+
+ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
+- struct sk_buff *skb)
++ const struct sk_buff *skb)
+ {
+ struct sock *new_sk, *parent;
+ struct nfc_llcp_sock *sock, *new_sock;
+@@ -906,7 +907,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
+ goto fail;
+ }
+ } else {
+- u8 *sn;
++ const u8 *sn;
+ size_t sn_len;
+
+ sn = nfc_llcp_connect_sn(skb, &sn_len);
+@@ -1125,7 +1126,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
+ }
+
+ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
+- struct sk_buff *skb)
++ const struct sk_buff *skb)
+ {
+ struct nfc_llcp_sock *llcp_sock;
+ struct sock *sk;
+@@ -1168,7 +1169,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
+ nfc_llcp_sock_put(llcp_sock);
+ }
+
+-static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb)
++static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
++ const struct sk_buff *skb)
+ {
+ struct nfc_llcp_sock *llcp_sock;
+ struct sock *sk;
+@@ -1201,7 +1203,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb)
+ nfc_llcp_sock_put(llcp_sock);
+ }
+
+-static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
++static void nfc_llcp_recv_dm(struct nfc_llcp_local *local,
++ const struct sk_buff *skb)
+ {
+ struct nfc_llcp_sock *llcp_sock;
+ struct sock *sk;
+@@ -1239,12 +1242,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
+ }
+
+ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+- struct sk_buff *skb)
++ const struct sk_buff *skb)
+ {
+ struct nfc_llcp_sock *llcp_sock;
+- u8 dsap, ssap, *tlv, type, length, tid, sap;
++ u8 dsap, ssap, type, length, tid, sap;
++ const u8 *tlv;
+ u16 tlv_len, offset;
+- char *service_name;
++ const char *service_name;
+ size_t service_name_len;
+ struct nfc_llcp_sdp_tlv *sdp;
+ HLIST_HEAD(llc_sdres_list);
+diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h
+index 6c6f76b370b1e..c792165f523f1 100644
+--- a/net/nfc/nfc.h
++++ b/net/nfc/nfc.h
+@@ -60,7 +60,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
+ u8 comm_mode, u8 rf_mode);
+ int nfc_llcp_register_device(struct nfc_dev *dev);
+ void nfc_llcp_unregister_device(struct nfc_dev *dev);
+-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len);
++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len);
+ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len);
+ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb);
+ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
+--
+2.39.2
+
--- /dev/null
+From 994bdd8700413b10cf79b929542fa04709405edc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 May 2023 13:52:04 +0200
+Subject: nfc: llcp: fix possible use of uninitialized variable in
+ nfc_llcp_send_connect()
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ]
+
+If sock->service_name is NULL, the local variable
+service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(),
+later leading to using value frmo the stack. Smatch warning:
+
+ net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'.
+
+Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index 6dcad7bcf20bb..737c7aa384f44 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -406,7 +406,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
+ const u8 *service_name_tlv = NULL;
+ const u8 *miux_tlv = NULL;
+ const u8 *rw_tlv = NULL;
+- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw;
++ u8 service_name_tlv_length = 0;
++ u8 miux_tlv_length, rw_tlv_length, rw;
+ int err;
+ u16 size = 0;
+ __be16 miux;
+--
+2.39.2
+
--- /dev/null
+From 6c18e9d066dee0688410a364ac9344b0379068e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 18:27:44 +0800
+Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI
+
+From: Sui Jingfeng <suijingfeng@loongson.cn>
+
+[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ]
+
+Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that
+support both PCI and platform devices don't need #ifdefs or extra Kconfig
+symbols for the PCI parts.
+
+[bhelgaas: commit log]
+Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()")
+Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn
+Signed-off-by: Sui Jingfeng <suijingfeng@loongson.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/pci.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 3e06e9790c255..1d1b0bfd51968 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1643,6 +1643,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class,
+ #define pci_dev_put(dev) do { } while (0)
+
+ static inline void pci_set_master(struct pci_dev *dev) { }
++static inline void pci_clear_master(struct pci_dev *dev) { }
+ static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; }
+ static inline void pci_disable_device(struct pci_dev *dev) { }
+ static inline int pci_assign_resource(struct pci_dev *dev, int i)
+--
+2.39.2
+
--- /dev/null
+From 1305047881df831eb992b45f8488e5dbc824694f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jun 2023 16:41:01 -0700
+Subject: perf dwarf-aux: Fix off-by-one in die_get_varname()
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ]
+
+The die_get_varname() returns "(unknown_type)" string if it failed to
+find a type for the variable. But it had a space before the opening
+parenthesis and it made the closing parenthesis cut off due to the
+off-by-one in the string length (14).
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 6de57d9ee7cc2..db099dc20a682 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1020,7 +1020,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf)
+ ret = die_get_typename(vr_die, buf);
+ if (ret < 0) {
+ pr_debug("Failed to get type, make it unknown.\n");
+- ret = strbuf_add(buf, " (unknown_type)", 14);
++ ret = strbuf_add(buf, "(unknown_type)", 14);
+ }
+
+ return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die));
+--
+2.39.2
+
--- /dev/null
+From 8cc3629d359b1617fe9c7a963a43fb802602ce1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 13:53:33 +0300
+Subject: pinctrl: at91-pio4: check return value of devm_kasprintf()
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller")
+Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks")
+Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
+index 5b883eb49ce92..cbbda24bf6a80 100644
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -1024,6 +1024,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev)
+ /* Pin naming convention: P(bank_name)(bank_pin_number). */
+ pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d",
+ bank + 'A', line);
++ if (!pin_desc[i].name)
++ return -ENOMEM;
+
+ group->name = group_names[i] = pin_desc[i].name;
+ group->pin = pin_desc[i].number;
+--
+2.39.2
+
--- /dev/null
+From 1dab81b0371c72df1a682c0bb10383010b482841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 17:37:34 +0300
+Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ]
+
+Currently the getter returns ENOTSUPP on pin configured in
+the push-pull mode. Fix this by adding the missed switch case.
+
+Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config")
+Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support")
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
+index 25932d2a71547..ef8eb42e4d383 100644
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1032,11 +1032,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
+
+ break;
+
+- case PIN_CONFIG_DRIVE_OPEN_DRAIN:
+- if (!(ctrl1 & CHV_PADCTRL1_ODEN))
+- return -EINVAL;
+- break;
+-
+ case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {
+ u32 cfg;
+
+@@ -1046,6 +1041,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
+ return -EINVAL;
+
+ break;
++
++ case PIN_CONFIG_DRIVE_PUSH_PULL:
++ if (ctrl1 & CHV_PADCTRL1_ODEN)
++ return -EINVAL;
++ break;
++
++ case PIN_CONFIG_DRIVE_OPEN_DRAIN:
++ if (!(ctrl1 & CHV_PADCTRL1_ODEN))
++ return -EINVAL;
++ break;
+ }
+
+ default:
+--
+2.39.2
+
--- /dev/null
+From ef15279e88446b0b4c31771ab1aca4bdc6714705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 06:07:43 -0700
+Subject: PM: domains: fix integer overflow issues in genpd_parse_state()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ]
+
+Currently, while calculating residency and latency values, right
+operands may overflow if resulting values are big enough.
+
+To prevent this, albeit unlikely case, play it safe and convert
+right operands to left ones' type s64.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/domain.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index e865aa4b25047..b32d3cf4f670d 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2433,10 +2433,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state,
+
+ err = of_property_read_u32(state_node, "min-residency-us", &residency);
+ if (!err)
+- genpd_state->residency_ns = 1000 * residency;
++ genpd_state->residency_ns = 1000LL * residency;
+
+- genpd_state->power_on_latency_ns = 1000 * exit_latency;
+- genpd_state->power_off_latency_ns = 1000 * entry_latency;
++ genpd_state->power_on_latency_ns = 1000LL * exit_latency;
++ genpd_state->power_off_latency_ns = 1000LL * entry_latency;
+ genpd_state->fwnode = &state_node->fwnode;
+
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From 538cb4b674cd354c9bbdaaf06670cfdf71f72bca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 08:12:28 -0700
+Subject: radeon: avoid double free in ci_dpm_init()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ]
+
+Several calls to ci_dpm_fini() will attempt to free resources that
+either have been freed before or haven't been allocated yet. This
+may lead to undefined or dangerous behaviour.
+
+For instance, if r600_parse_extended_power_table() fails, it might
+call r600_free_extended_power_table() as will ci_dpm_fini() later
+during error handling.
+
+Fix this by only freeing pointers to objects previously allocated.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)")
+Co-developed-by: Natalia Petrova <n.petrova@fintech.ru>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
+index 90c1afe498bea..ce8b14592b69b 100644
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -5552,6 +5552,7 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+ u8 frev, crev;
+ u8 *power_state_offset;
+ struct ci_ps *ps;
++ int ret;
+
+ if (!atom_parse_data_header(mode_info->atom_context, index, NULL,
+ &frev, &crev, &data_offset))
+@@ -5581,11 +5582,15 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+ non_clock_array_index = power_state->v2.nonClockInfoIndex;
+ non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
+ &non_clock_info_array->nonClockInfo[non_clock_array_index];
+- if (!rdev->pm.power_state[i].clock_info)
+- return -EINVAL;
++ if (!rdev->pm.power_state[i].clock_info) {
++ ret = -EINVAL;
++ goto err_free_ps;
++ }
+ ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL);
+- if (ps == NULL)
+- return -ENOMEM;
++ if (ps == NULL) {
++ ret = -ENOMEM;
++ goto err_free_ps;
++ }
+ rdev->pm.dpm.ps[i].ps_priv = ps;
+ ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i],
+ non_clock_info,
+@@ -5625,6 +5630,12 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+ }
+
+ return 0;
++
++err_free_ps:
++ for (i = 0; i < rdev->pm.dpm.num_ps; i++)
++ kfree(rdev->pm.dpm.ps[i].ps_priv);
++ kfree(rdev->pm.dpm.ps);
++ return ret;
+ }
+
+ static int ci_get_vbios_boot_values(struct radeon_device *rdev,
+@@ -5713,25 +5724,26 @@ int ci_dpm_init(struct radeon_device *rdev)
+
+ ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
+ return ret;
+ }
+
+ ret = r600_get_platform_caps(rdev);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
+ return ret;
+ }
+
+ ret = r600_parse_extended_power_table(rdev);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
+ return ret;
+ }
+
+ ret = ci_parse_power_table(rdev);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
++ r600_free_extended_power_table(rdev);
+ return ret;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 1bc2f94406b03808f08a0f4b770a725753a34849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 16:50:58 +0800
+Subject: samples/bpf: Fix buffer overflow in tcp_basertt
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ]
+
+Using sizeof(nv) or strlen(nv)+1 is correct.
+
+Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program")
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/tcp_basertt_kern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c
+index 4bf4fc597db9a..653d233714ad0 100644
+--- a/samples/bpf/tcp_basertt_kern.c
++++ b/samples/bpf/tcp_basertt_kern.c
+@@ -54,7 +54,7 @@ int bpf_basertt(struct bpf_sock_ops *skops)
+ case BPF_SOCK_OPS_BASE_RTT:
+ n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION,
+ cong, sizeof(cong));
+- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) {
++ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) {
+ /* Set base_rtt to 80us */
+ rv = 80;
+ } else if (n) {
+--
+2.39.2
+
--- /dev/null
+From a2a994777eca5a7c0463e65c84a199840479c744 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 22:12:55 +0800
+Subject: scsi: 3w-xxxx: Add error handling for initialization failure in
+ tw_probe()
+
+From: Yuchen Yang <u202114568@hust.edu.cn>
+
+[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ]
+
+Smatch complains that:
+
+tw_probe() warn: missing error code 'retval'
+
+This patch adds error checking to tw_probe() to handle initialization
+failure. If tw_reset_sequence() function returns a non-zero value, the
+function will return -EINVAL to indicate initialization failure.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuchen Yang <u202114568@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/3w-xxxx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
+index 471366945bd4f..8a61e832607eb 100644
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -2303,8 +2303,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ TW_DISABLE_INTERRUPTS(tw_dev);
+
+ /* Initialize the card */
+- if (tw_reset_sequence(tw_dev))
++ if (tw_reset_sequence(tw_dev)) {
++ retval = -EINVAL;
+ goto out_release_mem_region;
++ }
+
+ /* Set host specific parameters */
+ host->max_id = TW_MAX_UNITS;
+--
+2.39.2
+
scripts-tags.sh-resolve-gtags-empty-index-generation.patch
drm-amdgpu-validate-vm-ioctl-flags.patch
treewide-remove-uninitialized_var-usage.patch
+md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
+md-raid10-fix-overflow-of-md-safe_mode_delay.patch
+md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
+md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
+irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch
+irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch
+clocksource-drivers-unify-the-names-to-timer-format.patch
+clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch
+clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
+pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
+arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
+evm-complete-description-of-evm_inode_setattr.patch
+wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
+wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
+samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
+wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
+nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
+nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
+wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
+wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
+wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
+wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch
+wl3501_cs-remove-unnecessary-null-check.patch
+wl3501_cs-fix-misspelling-and-provide-missing-docume.patch
+net-create-netdev-dev_addr-assignment-helpers.patch
+wl3501_cs-use-eth_hw_addr_set.patch
+wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
+wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
+wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch
+wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
+wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
+wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch
+watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
+watchdog-perf-more-properly-prevent-false-positives-.patch
+kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
+memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
+wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
+wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
+netlink-fix-potential-deadlock-in-netlink_set_err.patch
+netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
+gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
+lib-ts_bm-reset-initial-match-offset-for-every-block.patch
+netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
+ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
+netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
+radeon-avoid-double-free-in-ci_dpm_init.patch
+input-drv260x-sleep-between-polling-go-bit.patch
+arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
+input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
+drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
+arm-ep93xx-fix-missing-prototype-warnings.patch
+asoc-es8316-increment-max-value-for-alc-capture-targ.patch
+soc-fsl-qe-fix-usb.c-build-errors.patch
+ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
+arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
+fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
+drm-radeon-fix-possible-division-by-zero-errors.patch
+alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
+scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
+pci-add-pci_clear_master-stub-for-non-config_pci.patch
+pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
+perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
+pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
+hwrng-virtio-add-an-internal-buffer.patch
+hwrng-virtio-don-t-wait-on-cleanup.patch
+hwrng-virtio-don-t-waste-entropy.patch
+hwrng-virtio-always-add-a-pending-request.patch
+hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch
+crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
+modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
+modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
+arcv2-entry-comments-about-hardware-auto-save-on-tak.patch
+arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch
+arcv2-entry-avoid-a-branch.patch
+arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch
+arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
--- /dev/null
+From 71e654502cd063aaefe7768e183dbd8e7732fa18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 May 2023 15:52:16 -0700
+Subject: soc/fsl/qe: fix usb.c build errors
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ]
+
+Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set.
+This happens when PPC_EP88XC is set, which selects CPM1 & CPM.
+When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE
+being set. When USB_FSL_QE is set, QE_USB deafults to y, which
+causes build errors when QUICC_ENGINE is not set. Making
+QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y.
+
+Fixes these build errors:
+
+drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set':
+usb.c:(.text+0x1e): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg'
+powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock'
+powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock'
+
+Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Leo Li <leoyang.li@nxp.com>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Nicolas Schier <nicolas@fjasle.eu>
+Cc: Qiang Zhao <qiang.zhao@nxp.com>
+Cc: linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Acked-by: Nicolas Schier <nicolas@jasle.eu>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig
+index fabba17e9d65b..7ec158e2acf91 100644
+--- a/drivers/soc/fsl/qe/Kconfig
++++ b/drivers/soc/fsl/qe/Kconfig
+@@ -37,6 +37,7 @@ config QE_TDM
+
+ config QE_USB
+ bool
++ depends on QUICC_ENGINE
+ default y if USB_FSL_QE
+ help
+ QE USB Controller support
+--
+2.39.2
+
--- /dev/null
+From 0c282f6c0842390de9ae2a22490760732c735d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 10:18:25 -0700
+Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on
+ correct config
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ]
+
+Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5.
+
+This patch series adds the "buddy" hardlockup detector. In brief, the
+buddy hardlockup detector can detect hardlockups without arch-level
+support by having CPUs checkup on a "buddy" CPU periodically.
+
+Given the new design of this patch series, testing all combinations is
+fairly difficult. I've attempted to make sure that all combinations of
+CONFIG_ options are good, but it wouldn't surprise me if I missed
+something. I apologize in advance and I'll do my best to fix any
+problems that are found.
+
+This patch (of 18):
+
+The real watchdog_update_hrtimer_threshold() is defined in
+kernel/watchdog_hld.c. That file is included if
+CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file
+if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP.
+
+The dummy version of the function in "nmi.h" didn't get that quite right.
+While this doesn't appear to be a huge deal, it's nice to make it
+consistent.
+
+It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so
+others don't get a double definition, and x86 uses perf lockup detector,
+so it gets the out of line version.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid
+Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Chen-Yu Tsai <wens@csie.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Guenter Roeck <groeck@chromium.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Pingfan Liu <kernelfans@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: "Ravi V. Shankar" <ravi.v.shankar@intel.com>
+Cc: Ricardo Neri <ricardo.neri@intel.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Stephen Boyd <swboyd@chromium.org>
+Cc: Sumit Garg <sumit.garg@linaro.org>
+Cc: Tzung-Bi Shih <tzungbi@chromium.org>
+Cc: Will Deacon <will@kernel.org>
+Cc: Colin Cross <ccross@android.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/nmi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/nmi.h b/include/linux/nmi.h
+index e972d1ae1ee63..6cb593d9ed08a 100644
+--- a/include/linux/nmi.h
++++ b/include/linux/nmi.h
+@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh);
+ #endif
+
+ #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \
+- defined(CONFIG_HARDLOCKUP_DETECTOR)
++ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF)
+ void watchdog_update_hrtimer_threshold(u64 period);
+ #else
+ static inline void watchdog_update_hrtimer_threshold(u64 period) { }
+--
+2.39.2
+
--- /dev/null
+From 3c6dc6af3bc7f2705b7a426759a9837e74c2a453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 10:18:26 -0700
+Subject: watchdog/perf: more properly prevent false positives with turbo modes
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ]
+
+Currently, in the watchdog_overflow_callback() we first check to see if
+the watchdog had been touched and _then_ we handle the workaround for
+turbo mode. This order should be reversed.
+
+Specifically, "touching" the hardlockup detector's watchdog should avoid
+lockups being detected for one period that should be roughly the same
+regardless of whether we're running turbo or not. That means that we
+should do the extra accounting for turbo _before_ we look at (and clear)
+the global indicating that we've been touched.
+
+NOTE: this fix is made based on code inspection. I am not aware of any
+reports where the old code would have generated false positives. That
+being said, this order seems more correct and also makes it easier down
+the line to share code with the "buddy" hardlockup detector.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Chen-Yu Tsai <wens@csie.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Colin Cross <ccross@android.com>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Guenter Roeck <groeck@chromium.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Pingfan Liu <kernelfans@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: "Ravi V. Shankar" <ravi.v.shankar@intel.com>
+Cc: Ricardo Neri <ricardo.neri@intel.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Stephen Boyd <swboyd@chromium.org>
+Cc: Sumit Garg <sumit.garg@linaro.org>
+Cc: Tzung-Bi Shih <tzungbi@chromium.org>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/watchdog_hld.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c
+index 71381168dedef..f8e460b4a59d5 100644
+--- a/kernel/watchdog_hld.c
++++ b/kernel/watchdog_hld.c
+@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event,
+ /* Ensure the watchdog never gets throttled */
+ event->hw.interrupts = 0;
+
++ if (!watchdog_check_timestamp())
++ return;
++
+ if (__this_cpu_read(watchdog_nmi_touch) == true) {
+ __this_cpu_write(watchdog_nmi_touch, false);
+ return;
+ }
+
+- if (!watchdog_check_timestamp())
+- return;
+-
+ /* check for a hardlockup
+ * This is done by making sure our timer interrupt
+ * is incrementing. The timer interrupt should have
+--
+2.39.2
+
--- /dev/null
+From cf65e68abf8e7ab7b1fbd232bbdf201720676629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 17:35:01 +0300
+Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ]
+
+For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid
+uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should
+validate pkt_len before accessing the SKB.
+
+For example, the obtained SKB may have been badly constructed with
+pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr
+but after being processed in ath9k_htc_rx_msg() and passed to
+ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI
+command header which should be located inside its data payload.
+
+Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit
+memory can be referenced.
+
+Tested on Qualcomm Atheros Communications AR9271 802.11n .
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index e4ea6f5cc78ab..5e2a610df61cf 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
+ if (unlikely(wmi->stopped))
+ goto free_skb;
+
++ /* Validate the obtained SKB. */
++ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
++ goto free_skb;
++
+ hdr = (struct wmi_cmd_hdr *) skb->data;
+ cmd_id = be16_to_cpu(hdr->command_id);
+
+--
+2.39.2
+
--- /dev/null
+From bbf82c3def2c11aee88ff24f3b0c8cf9599e0071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 16:46:55 +0300
+Subject: wifi: ath9k: convert msecs to jiffies where needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ]
+
+Since 'ieee80211_queue_delayed_work()' expects timeout in
+jiffies and not milliseconds, 'msecs_to_jiffies()' should
+be used in 'ath_restart_work()' and '__ath9k_flush()'.
+
+Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index e8e297a04d360..2fdf9858a73d9 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc)
+ void ath_restart_work(struct ath_softc *sc)
+ {
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+
+ if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
+@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop,
+ }
+
+ ieee80211_queue_delayed_work(hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+ }
+
+ static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw)
+--
+2.39.2
+
--- /dev/null
+From cbdd7ba95d47d114975b51072b4265f8344abe37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 18:03:17 +0300
+Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ]
+
+A bad USB device is able to construct a service connection response
+message with target endpoint being ENDPOINT0 which is reserved for
+HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
+services.
+
+Reject such service connection responses.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 6331c98088e03..d5e5f9cf4ca86 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target,
+
+ if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
+ epid = svc_rspmsg->endpoint_id;
+- if (epid < 0 || epid >= ENDPOINT_MAX)
++
++ /* Check that the received epid for the endpoint to attach
++ * a new service is valid. ENDPOINT0 can't be used here as it
++ * is already reserved for HTC_CTRL_RSVD_SVC service and thus
++ * should not be modified.
++ */
++ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX)
+ return;
+
+ service_id = be16_to_cpu(svc_rspmsg->service_id);
+--
+2.39.2
+
--- /dev/null
+From 16cb131de7a54b775ccf43c5fa130d76ee3a1901 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 17:35:00 +0300
+Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset
+ calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Seiderer <ps.report@gmx.net>
+
+[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ]
+
+Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset
+calculation (do not overflow the shift for the second register/queues
+above five, use the register layout described in the comments above
+ath9k_hw_verify_hang() instead).
+
+Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003")
+
+Reported-by: Gregg Wonderly <greggwonderly@seqtechllc.com>
+Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++--------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+index 2fe12b0de5b4f..dea8a998fb622 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue)
+ {
+ u32 dma_dbg_chain, dma_dbg_complete;
+ u8 dcu_chain_state, dcu_complete_state;
++ unsigned int dbg_reg, reg_offset;
+ int i;
+
+- for (i = 0; i < NUM_STATUS_READS; i++) {
+- if (queue < 6)
+- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4);
+- else
+- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5);
++ if (queue < 6) {
++ dbg_reg = AR_DMADBG_4;
++ reg_offset = queue * 5;
++ } else {
++ dbg_reg = AR_DMADBG_5;
++ reg_offset = (queue - 6) * 5;
++ }
+
++ for (i = 0; i < NUM_STATUS_READS; i++) {
++ dma_dbg_chain = REG_READ(ah, dbg_reg);
+ dma_dbg_complete = REG_READ(ah, AR_DMADBG_6);
+
+- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f;
++ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f;
+ dcu_complete_state = dma_dbg_complete & 0x3;
+
+ if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1))
+@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+ u8 dcu_chain_state, dcu_complete_state;
+ bool dcu_wait_frdone = false;
+ unsigned long chk_dcu = 0;
++ unsigned int reg_offset;
+ unsigned int i = 0;
+
+ dma_dbg_4 = REG_READ(ah, AR_DMADBG_4);
+@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+ goto exit;
+
+ for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
+- if (i < 6)
++ if (i < 6) {
+ chk_dbg = dma_dbg_4;
+- else
++ reg_offset = i * 5;
++ } else {
+ chk_dbg = dma_dbg_5;
++ reg_offset = (i - 6) * 5;
++ }
+
+- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f;
++ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f;
+ if (dcu_chain_state == 0x6) {
+ dcu_wait_frdone = true;
+ chk_dcu |= BIT(i);
+--
+2.39.2
+
--- /dev/null
+From 43e3a8b56606fdc140f08245ff49796f93f86e88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jun 2023 11:37:44 +0200
+Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ]
+
+On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite
+loop if it is called while all txq_fifos have packets that use different
+key that the one we are looking for. Fix it by exiting the loop if all
+txq_fifos have been checked already.
+
+Because this loop is called under spin_lock_bh() (see ath_txq_lock) it
+causes the following rcu stall:
+
+rcu: INFO: rcu_sched self-detected stall on CPU
+ath10k_pci 0000:01:00.0: failed to read temperature -11
+rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579
+ (t=5257 jiffies g=17983297 q=334)
+Task dump for CPU 1:
+task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a
+Call trace:
+ dump_backtrace+0x0/0x170
+ show_stack+0x1c/0x24
+ sched_show_task+0x140/0x170
+ dump_cpu_task+0x48/0x54
+ rcu_dump_cpu_stacks+0xf0/0x134
+ rcu_sched_clock_irq+0x8d8/0x9fc
+ update_process_times+0xa0/0xec
+ tick_sched_timer+0x5c/0xd0
+ __hrtimer_run_queues+0x154/0x320
+ hrtimer_interrupt+0x120/0x2f0
+ arch_timer_handler_virt+0x38/0x44
+ handle_percpu_devid_irq+0x9c/0x1e0
+ handle_domain_irq+0x64/0x90
+ gic_handle_irq+0x78/0xb0
+ call_on_irq_stack+0x28/0x38
+ do_interrupt_handler+0x54/0x5c
+ el1_interrupt+0x2c/0x4c
+ el1h_64_irq_handler+0x14/0x1c
+ el1h_64_irq+0x74/0x78
+ ath9k_txq_has_key+0x1bc/0x250 [ath9k]
+ ath9k_set_key+0x1cc/0x3dc [ath9k]
+ drv_set_key+0x78/0x170
+ ieee80211_key_replace+0x564/0x6cc
+ ieee80211_key_link+0x174/0x220
+ ieee80211_add_key+0x11c/0x300
+ nl80211_new_key+0x12c/0x330
+ genl_family_rcv_msg_doit+0xbc/0x11c
+ genl_rcv_msg+0xd8/0x1c4
+ netlink_rcv_skb+0x40/0x100
+ genl_rcv+0x3c/0x50
+ netlink_unicast+0x1ec/0x2c0
+ netlink_sendmsg+0x198/0x3c0
+ ____sys_sendmsg+0x210/0x250
+ ___sys_sendmsg+0x78/0xc4
+ __sys_sendmsg+0x4c/0x90
+ __arm64_sys_sendmsg+0x28/0x30
+ invoke_syscall.constprop.0+0x60/0x100
+ do_el0_svc+0x48/0xd0
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xa8/0xb0
+ el0t_64_sync+0x158/0x15c
+
+This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH
+from 8 to 2 makes it reasonably easy to reproduce.
+
+Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Tested-by: Nicolas Escande <nico.escande@gmail.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index ee1b9c39bad7a..e8e297a04d360 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix)
+ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+ {
+ struct ath_hw *ah = sc->sc_ah;
+- int i;
++ int i, j;
+ struct ath_txq *txq;
+ bool key_in_use = false;
+
+@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+ if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
+ int idx = txq->txq_tailidx;
+
+- while (!key_in_use &&
+- !list_empty(&txq->txq_fifo[idx])) {
++ for (j = 0; !key_in_use &&
++ !list_empty(&txq->txq_fifo[idx]) &&
++ j < ATH_TXFIFO_DEPTH; j++) {
+ key_in_use = ath9k_txq_list_has_key(
+ &txq->txq_fifo[idx], keyix);
+ INCR(idx, ATH_TXFIFO_DEPTH);
+--
+2.39.2
+
--- /dev/null
+From c11669e78c6279d4eb42e332fdcbd353a753cffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 09:53:14 +0200
+Subject: wifi: atmel: Fix an error handling path in atmel_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ]
+
+Should atmel_config() fail, some resources need to be released as already
+done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+atmel_probe(), not atmel_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c
+index 7afc9c5329fb1..f5fa1a95b0c15 100644
+--- a/drivers/net/wireless/atmel/atmel_cs.c
++++ b/drivers/net/wireless/atmel/atmel_cs.c
+@@ -73,6 +73,7 @@ struct local_info {
+ static int atmel_probe(struct pcmcia_device *p_dev)
+ {
+ struct local_info *local;
++ int ret;
+
+ dev_dbg(&p_dev->dev, "atmel_attach()\n");
+
+@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev)
+
+ p_dev->priv = local;
+
+- return atmel_config(p_dev);
+-} /* atmel_attach */
++ ret = atmel_config(p_dev);
++ if (ret)
++ goto err_free_priv;
++
++ return 0;
++
++err_free_priv:
++ kfree(p_dev->priv);
++ return ret;
++}
+
+ static void atmel_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
--- /dev/null
+From d6fb7a006f008102f2c65907ae4ba8fed02b5d0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 May 2023 15:53:15 +0200
+Subject: wifi: mwifiex: Fix the size of a memory allocation in
+ mwifiex_ret_802_11_scan()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ]
+
+The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info",
+not "struct cfg80211_wowlan_nd_match".
+
+Use struct_size() to ease the computation of the needed size.
+
+The current code over-allocates some memory, so is safe.
+But it wastes 32 bytes.
+
+Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index c9f6cd2919699..4f0e78ae3dbd0 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -2208,9 +2208,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
+
+ if (nd_config) {
+ adapter->nd_info =
+- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) +
+- sizeof(struct cfg80211_wowlan_nd_match *) *
+- scan_rsp->number_of_sets, GFP_ATOMIC);
++ kzalloc(struct_size(adapter->nd_info, matches,
++ scan_rsp->number_of_sets),
++ GFP_ATOMIC);
+
+ if (adapter->nd_info)
+ adapter->nd_info->n_matches = scan_rsp->number_of_sets;
+--
+2.39.2
+
--- /dev/null
+From fdea8bce372ab31562ece0fb8bf706052166a8c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 09:38:22 +0200
+Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ]
+
+Should orinoco_cs_config() fail, some resources need to be released as
+already done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+orinoco_cs_probe(), not orinoco_cs_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
+index a956f965a1e5e..03bfd2482656c 100644
+--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
+@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link)
+ {
+ struct orinoco_private *priv;
+ struct orinoco_pccard *card;
++ int ret;
+
+ priv = alloc_orinocodev(sizeof(*card), &link->dev,
+ orinoco_cs_hard_reset, NULL);
+@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link)
+ card->p_dev = link;
+ link->priv = priv;
+
+- return orinoco_cs_config(link);
+-} /* orinoco_cs_attach */
++ ret = orinoco_cs_config(link);
++ if (ret)
++ goto err_free_orinocodev;
++
++ return 0;
++
++err_free_orinocodev:
++ free_orinocodev(priv);
++ return ret;
++}
+
+ static void orinoco_cs_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
--- /dev/null
+From 7a359d8680a5bf516024b7d91b9bde70a5f1ef76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 09:29:46 +0200
+Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ]
+
+Should spectrum_cs_config() fail, some resources need to be released as
+already done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+spectrum_cs_probe(), not spectrum_cs_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+index b60048c95e0a8..011c86e55923e 100644
+--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link)
+ {
+ struct orinoco_private *priv;
+ struct orinoco_pccard *card;
++ int ret;
+
+ priv = alloc_orinocodev(sizeof(*card), &link->dev,
+ spectrum_cs_hard_reset,
+@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link)
+ card->p_dev = link;
+ link->priv = priv;
+
+- return spectrum_cs_config(link);
+-} /* spectrum_cs_attach */
++ ret = spectrum_cs_config(link);
++ if (ret)
++ goto err_free_orinocodev;
++
++ return 0;
++
++err_free_orinocodev:
++ free_orinocodev(priv);
++ return ret;
++}
+
+ static void spectrum_cs_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
--- /dev/null
+From 7d705b4ddd98b5603dec26cc74030feea2eebf60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jun 2022 19:44:14 +0300
+Subject: wifi: ray_cs: Drop useless status variable in parse_addr()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ]
+
+The status variable assigned only once and used also only once.
+Replace it's usage by actual value.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com
+Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ray_cs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index f15714f19d0ff..e5cdcee04615f 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -1653,7 +1653,6 @@ static int parse_addr(char *in_str, UCHAR *out)
+ {
+ int i, k;
+ int len;
+- int status;
+
+ if (in_str == NULL)
+ return 0;
+@@ -1662,7 +1661,6 @@ static int parse_addr(char *in_str, UCHAR *out)
+ return 0;
+ memset(out, 0, ADDRLEN);
+
+- status = 1;
+ i = 5;
+
+ while (len > 0) {
+@@ -1680,7 +1678,7 @@ static int parse_addr(char *in_str, UCHAR *out)
+ if (!i--)
+ break;
+ }
+- return status;
++ return 1;
+ }
+
+ /*===========================================================================*/
+--
+2.39.2
+
--- /dev/null
+From c56ebaf56992bd5ad91919e1bdb623475a1bc379 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 10:13:22 +0200
+Subject: wifi: ray_cs: Fix an error handling path in ray_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ]
+
+Should ray_config() fail, some resources need to be released as already
+done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+ray_probe(), not ray_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ray_cs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index e5cdcee04615f..edc990d099789 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -282,13 +282,14 @@ static int ray_probe(struct pcmcia_device *p_dev)
+ {
+ ray_dev_t *local;
+ struct net_device *dev;
++ int ret;
+
+ dev_dbg(&p_dev->dev, "ray_attach()\n");
+
+ /* Allocate space for private device-specific data */
+ dev = alloc_etherdev(sizeof(ray_dev_t));
+ if (!dev)
+- goto fail_alloc_dev;
++ return -ENOMEM;
+
+ local = netdev_priv(dev);
+ local->finder = p_dev;
+@@ -325,11 +326,16 @@ static int ray_probe(struct pcmcia_device *p_dev)
+ timer_setup(&local->timer, NULL, 0);
+
+ this_device = p_dev;
+- return ray_config(p_dev);
++ ret = ray_config(p_dev);
++ if (ret)
++ goto err_free_dev;
++
++ return 0;
+
+-fail_alloc_dev:
+- return -ENOMEM;
+-} /* ray_attach */
++err_free_dev:
++ free_netdev(dev);
++ return ret;
++}
+
+ static void ray_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
--- /dev/null
+From 39183f28dd2fa490bf43101f1f9693db74661545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jun 2022 19:44:13 +0300
+Subject: wifi: ray_cs: Utilize strnlen() in parse_addr()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ]
+
+Instead of doing simple operations and using an additional variable on stack,
+utilize strnlen() and reuse len variable.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com
+Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ray_cs.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index 8704bae39e1bf..f15714f19d0ff 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -1651,31 +1651,29 @@ static void authenticate_timeout(struct timer_list *t)
+ /*===========================================================================*/
+ static int parse_addr(char *in_str, UCHAR *out)
+ {
++ int i, k;
+ int len;
+- int i, j, k;
+ int status;
+
+ if (in_str == NULL)
+ return 0;
+- if ((len = strlen(in_str)) < 2)
++ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1;
++ if (len < 1)
+ return 0;
+ memset(out, 0, ADDRLEN);
+
+ status = 1;
+- j = len - 1;
+- if (j > 12)
+- j = 12;
+ i = 5;
+
+- while (j > 0) {
+- if ((k = hex_to_bin(in_str[j--])) != -1)
++ while (len > 0) {
++ if ((k = hex_to_bin(in_str[len--])) != -1)
+ out[i] = k;
+ else
+ return 0;
+
+- if (j == 0)
++ if (len == 0)
+ break;
+- if ((k = hex_to_bin(in_str[j--])) != -1)
++ if ((k = hex_to_bin(in_str[len--])) != -1)
+ out[i] += k << 4;
+ else
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From 2a7df1bf66097f12bf14a803010334fd8c7d3260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 May 2023 00:28:59 +0200
+Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ]
+
+It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag
+indicates to the MMC subsystem to keep the slot powered on during
+suspend, but in shutdown the slot should actually be powered off.
+Drop this call.
+
+Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+index 48efe83c58d89..409a3e8305763 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
+@@ -1368,9 +1368,6 @@ static void rsi_shutdown(struct device *dev)
+ if (sdev->write_fail)
+ rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n");
+
+- if (rsi_set_sdio_pm_caps(adapter))
+- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n");
+-
+ rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n");
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 0ca96611eabb69439dd098fe35b02e57573d5f13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 May 2023 10:05:08 +0200
+Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ]
+
+Should wl3501_config() fail, some resources need to be released as already
+done in the remove function.
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 46188a83d8be8..4380c5d8fdd27 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1863,6 +1863,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+ {
+ struct net_device *dev;
+ struct wl3501_card *this;
++ int ret;
+
+ /* The io structure describes IO port mapping */
+ p_dev->resource[0]->end = 16;
+@@ -1874,8 +1875,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+
+ dev = alloc_etherdev(sizeof(struct wl3501_card));
+ if (!dev)
+- goto out_link;
+-
++ return -ENOMEM;
+
+ dev->netdev_ops = &wl3501_netdev_ops;
+ dev->watchdog_timeo = 5 * HZ;
+@@ -1888,9 +1888,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+ netif_stop_queue(dev);
+ p_dev->priv = dev;
+
+- return wl3501_config(p_dev);
+-out_link:
+- return -ENOMEM;
++ ret = wl3501_config(p_dev);
++ if (ret)
++ goto out_free_etherdev;
++
++ return 0;
++
++out_free_etherdev:
++ free_netdev(dev);
++ return ret;
+ }
+
+ static int wl3501_config(struct pcmcia_device *link)
+--
+2.39.2
+
--- /dev/null
+From 547b7019051a368a9dc01f5544d6bb44912e690b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 10:33:51 +0100
+Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs
+
+From: Lee Jones <lee.jones@linaro.org>
+
+[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ]
+
+Fixes the following W=1 kernel build warning(s):
+
+ In file included from drivers/net/wireless/wl3501_cs.c:57:
+ drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel'
+ drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla'
+ drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla'
+ drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt'
+ drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt'
+ drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt'
+ drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt'
+ drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not described in 'wl3501_reset'
+ drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach'
+
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Fox Chen <mhchen@golf.ccl.itri.org.tw>
+Cc: de Melo <acme@conectiva.com.br>
+Cc: Gustavo Niemeyer <niemeyer@conectiva.com>
+Cc: linux-wireless@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index cfde9b94b4b60..78c89e6421f97 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -133,8 +133,8 @@ static const struct {
+
+ /**
+ * iw_valid_channel - validate channel in regulatory domain
+- * @reg_comain - regulatory domain
+- * @channel - channel to validate
++ * @reg_comain: regulatory domain
++ * @channel: channel to validate
+ *
+ * Returns 0 if invalid in the specified regulatory domain, non-zero if valid.
+ */
+@@ -153,7 +153,7 @@ static int iw_valid_channel(int reg_domain, int channel)
+
+ /**
+ * iw_default_channel - get default channel for a regulatory domain
+- * @reg_comain - regulatory domain
++ * @reg_domain: regulatory domain
+ *
+ * Returns the default channel for a regulatory domain
+ */
+@@ -236,6 +236,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this)
+
+ /**
+ * wl3501_set_to_wla - Move 'size' bytes from PC to card
++ * @this: Card
+ * @dest: Card addressing space
+ * @src: PC addressing space
+ * @size: Bytes to move
+@@ -258,6 +259,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src,
+
+ /**
+ * wl3501_get_from_wla - Move 'size' bytes from card to PC
++ * @this: Card
+ * @src: Card addressing space
+ * @dest: PC addressing space
+ * @size: Bytes to move
+@@ -454,7 +456,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend)
+
+ /**
+ * wl3501_send_pkt - Send a packet.
+- * @this - card
++ * @this: Card
+ *
+ * Send a packet.
+ *
+@@ -722,7 +724,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
+
+ /**
+ * wl3501_block_interrupt - Mask interrupt from SUTRO
+- * @this - card
++ * @this: Card
+ *
+ * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST)
+ * Return: 1 if interrupt is originally enabled
+@@ -739,7 +741,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this)
+
+ /**
+ * wl3501_unblock_interrupt - Enable interrupt from SUTRO
+- * @this - card
++ * @this: Card
+ *
+ * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST)
+ * Return: 1 if interrupt is originally enabled
+@@ -1113,8 +1115,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this)
+
+ /**
+ * wl3501_interrupt - Hardware interrupt from card.
+- * @irq - Interrupt number
+- * @dev_id - net_device
++ * @irq: Interrupt number
++ * @dev_id: net_device
+ *
+ * We must acknowledge the interrupt as soon as possible, and block the
+ * interrupt from the same card immediately to prevent re-entry.
+@@ -1252,7 +1254,7 @@ static int wl3501_close(struct net_device *dev)
+
+ /**
+ * wl3501_reset - Reset the SUTRO.
+- * @dev - network device
++ * @dev: network device
+ *
+ * It is almost the same as wl3501_open(). In fact, we may just wl3501_close()
+ * and wl3501_open() again, but I wouldn't like to free_irq() when the driver
+@@ -1415,7 +1417,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev)
+
+ /**
+ * wl3501_detach - deletes a driver "instance"
+- * @link - FILL_IN
++ * @link: FILL_IN
+ *
+ * This deletes a driver "instance". The device is de-registered with Card
+ * Services. If it has been released, all local data structures are freed.
+--
+2.39.2
+
--- /dev/null
+From 95fa0eae9a65ac7aa9641b6c3e2e2baa5a405801 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 11:23:53 +0000
+Subject: wl3501_cs: Fix misspelling and provide missing documentation
+
+From: Lee Jones <lee.jones@linaro.org>
+
+[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ]
+
+Fixes the following W=1 kernel build warning(s):
+
+ In file included from drivers/net/wireless/wl3501_cs.c:57:
+ drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel'
+ drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt'
+ drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt'
+
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Fox Chen <mhchen@golf.ccl.itri.org.tw>
+Cc: de Melo <acme@conectiva.com.br>
+Cc: Gustavo Niemeyer <niemeyer@conectiva.com>
+Cc: linux-wireless@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 5b2383270627c..c6d1a320e244f 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -133,7 +133,7 @@ static const struct {
+
+ /**
+ * iw_valid_channel - validate channel in regulatory domain
+- * @reg_comain: regulatory domain
++ * @reg_domain: regulatory domain
+ * @channel: channel to validate
+ *
+ * Returns 0 if invalid in the specified regulatory domain, non-zero if valid.
+@@ -457,11 +457,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend)
+ /**
+ * wl3501_send_pkt - Send a packet.
+ * @this: Card
+- *
+- * Send a packet.
+- *
+- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr,
++ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr,
+ * data[6] - data[11] is Src MAC Addr)
++ * @len: Packet length
+ * Ref: IEEE 802.11
+ */
+ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+--
+2.39.2
+
--- /dev/null
+From 21a78f971fc1457d7cca18d3b669df8c9ebe7e89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Sep 2020 18:45:58 +0100
+Subject: wl3501_cs: Remove unnecessary NULL check
+
+From: Alex Dewar <alex.dewar90@gmail.com>
+
+[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ]
+
+In wl3501_detach(), link->priv is checked for a NULL value before being
+passed to free_netdev(). However, it cannot be NULL at this point as it
+has already been passed to other functions, so just remove the check.
+
+Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL)
+Signed-off-by: Alex Dewar <alex.dewar90@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 78c89e6421f97..5b2383270627c 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1438,9 +1438,7 @@ static void wl3501_detach(struct pcmcia_device *link)
+ wl3501_release(link);
+
+ unregister_netdev(dev);
+-
+- if (link->priv)
+- free_netdev(link->priv);
++ free_netdev(dev);
+ }
+
+ static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info,
+--
+2.39.2
+
--- /dev/null
+From 377134b648d92ee9684576ff1522558cbf0c7a5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 16:50:20 -0700
+Subject: wl3501_cs: use eth_hw_addr_set()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ]
+
+Commit 406f42fa0d3c ("net-next: When a bond have a massive amount
+of VLANs...") introduced a rbtree for faster Ethernet address look
+up. To maintain netdev->dev_addr in this tree we need to make all
+the writes to it got through appropriate helpers.
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org
+Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501_cs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index c6d1a320e244f..46188a83d8be8 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1946,8 +1946,7 @@ static int wl3501_config(struct pcmcia_device *link)
+ goto failed;
+ }
+
+- for (i = 0; i < 6; i++)
+- dev->dev_addr[i] = ((char *)&this->mac_addr)[i];
++ eth_hw_addr_set(dev, this->mac_addr);
+
+ /* print probe information */
+ printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, "
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
