--- /dev/null
+From fa8c561bc36dcddffa537d0d1ce3997b63d949d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 11:16:03 +0800
+Subject: ASoC: core: Fix use-after-free in snd_soc_exit()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 6ec27c53886c8963729885bcf2dd996eba2767a7 ]
+
+KASAN reports a use-after-free:
+
+BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
+Read of size 8 at addr ffff888008655050 by task rmmod/387
+CPU: 2 PID: 387 Comm: rmmod
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+Call Trace:
+<TASK>
+dump_stack_lvl+0x79/0x9a
+print_report+0x17f/0x47b
+kasan_report+0xbb/0xf0
+device_del+0xb5b/0xc60
+platform_device_del.part.0+0x24/0x200
+platform_device_unregister+0x2e/0x40
+snd_soc_exit+0xa/0x22 [snd_soc_core]
+__do_sys_delete_module.constprop.0+0x34f/0x5b0
+do_syscall_64+0x3a/0x90
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+...
+</TASK>
+
+It's bacause in snd_soc_init(), snd_soc_util_init() is possble to fail,
+but its ret is ignored, which makes soc_dummy_dev unregistered twice.
+
+snd_soc_init()
+ snd_soc_util_init()
+ platform_device_register_simple(soc_dummy_dev)
+ platform_driver_register() # fail
+ platform_device_unregister(soc_dummy_dev)
+ platform_driver_register() # success
+...
+snd_soc_exit()
+ snd_soc_util_exit()
+ # soc_dummy_dev will be unregistered for second time
+
+To fix it, handle error and stop snd_soc_init() when util_init() fail.
+Also clean debugfs when util_init() or driver_register() fail.
+
+Fixes: fb257897bf20 ("ASoC: Work around allmodconfig failure")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221028031603.59416-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 81c3aa167038..033253de5d4b 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -3931,10 +3931,23 @@ EXPORT_SYMBOL_GPL(snd_soc_of_get_dai_link_codecs);
+
+ static int __init snd_soc_init(void)
+ {
++ int ret;
++
+ snd_soc_debugfs_init();
+- snd_soc_util_init();
++ ret = snd_soc_util_init();
++ if (ret)
++ goto err_util_init;
+
+- return platform_driver_register(&soc_driver);
++ ret = platform_driver_register(&soc_driver);
++ if (ret)
++ goto err_register;
++ return 0;
++
++err_register:
++ snd_soc_util_exit();
++err_util_init:
++ snd_soc_debugfs_exit();
++ return ret;
+ }
+ module_init(snd_soc_init);
+
+--
+2.35.1
+
--- /dev/null
+From a327b2809656a75ee6da67b746ada93b9b2f623e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 21:40:31 +0800
+Subject: ASoC: soc-utils: Remove __exit for snd_soc_util_exit()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 314d34fe7f0a5836cb0472950c1f17744b4efde8 ]
+
+snd_soc_util_exit() is called in __init snd_soc_init() for cleanup.
+Remove the __exit annotation for it to fix the build warning:
+
+WARNING: modpost: sound/soc/snd-soc-core.o: section mismatch in reference: init_module (section: .init.text) -> snd_soc_util_exit (section: .exit.text)
+
+Fixes: 6ec27c53886c ("ASoC: core: Fix use-after-free in snd_soc_exit()")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221031134031.256511-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
+index 393e8f0fe2cc..ec84b75ecbce 100644
+--- a/sound/soc/soc-utils.c
++++ b/sound/soc/soc-utils.c
+@@ -186,7 +186,7 @@ int __init snd_soc_util_init(void)
+ return ret;
+ }
+
+-void __exit snd_soc_util_exit(void)
++void snd_soc_util_exit(void)
+ {
+ platform_device_unregister(soc_dummy_dev);
+ platform_driver_unregister(&soc_dummy_driver);
+--
+2.35.1
+
--- /dev/null
+From eb636ddaf50074551ccea0316b3e65356e94c576 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 18:39:34 +0800
+Subject: cifs: Fix wrong return value checking when GETFLAGS
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 92bbd67a55fee50743b42825d1c016e7fd5c79f9 ]
+
+The return value of CIFSGetExtAttr is negative, should be checked
+with -EOPNOTSUPP rather than EOPNOTSUPP.
+
+Fixes: 64a5cfa6db94 ("Allow setting per-file compression via SMB2/3")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/ioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c
+index bdba9e7a9438..c9226567309b 100644
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -206,7 +206,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ rc = put_user(ExtAttrBits &
+ FS_FL_USER_VISIBLE,
+ (int __user *)arg);
+- if (rc != EOPNOTSUPP)
++ if (rc != -EOPNOTSUPP)
+ break;
+ }
+ #endif /* CONFIG_CIFS_POSIX */
+@@ -235,7 +235,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ * pSMBFile->fid.netfid,
+ * extAttrBits,
+ * &ExtAttrMask);
+- * if (rc != EOPNOTSUPP)
++ * if (rc != -EOPNOTSUPP)
+ * break;
+ */
+
+--
+2.35.1
+
--- /dev/null
+From f818aa1231b01ce106664aded6e44f70ff154af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 19:38:23 +0800
+Subject: mISDN: fix misuse of put_device() in mISDN_register_device()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 2d25107e111a85c56f601a5470f1780ec054e6ac ]
+
+We should not release reference by put_device() before calling device_initialize().
+
+Fixes: e7d1d4d9ac0d ("mISDN: fix possible memory leak in mISDN_register_device()")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c
+index 5cd53b2c47c7..e542439f4950 100644
+--- a/drivers/isdn/mISDN/core.c
++++ b/drivers/isdn/mISDN/core.c
+@@ -231,7 +231,7 @@ mISDN_register_device(struct mISDNdevice *dev,
+
+ err = get_free_devid();
+ if (err < 0)
+- goto error1;
++ return err;
+ dev->id = err;
+
+ device_initialize(&dev->dev);
+--
+2.35.1
+
--- /dev/null
+From b386ab602e3a5c759f0327e6199035dce213b8a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 21:28:32 +0800
+Subject: mISDN: fix possible memory leak in mISDN_dsp_element_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 98a2ac1ca8fd6eca6867726fe238d06e75eb1acd ]
+
+Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
+bus_id string array"), the name of device is allocated dynamically,
+use put_device() to give up the reference, so that the name can be
+freed in kobject_cleanup() when the refcount is 0.
+
+The 'entry' is going to be freed in mISDN_dsp_dev_release(), so the
+kfree() is removed. list_del() is called in mISDN_dsp_dev_release(),
+so it need be initialized.
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221109132832.3270119-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/dsp_pipeline.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c
+index e72b4e73cd61..796cae691560 100644
+--- a/drivers/isdn/mISDN/dsp_pipeline.c
++++ b/drivers/isdn/mISDN/dsp_pipeline.c
+@@ -97,6 +97,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ if (!entry)
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&entry->list);
+ entry->elem = elem;
+
+ entry->dev.class = elements_class;
+@@ -131,7 +132,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ device_unregister(&entry->dev);
+ return ret;
+ err1:
+- kfree(entry);
++ put_device(&entry->dev);
+ return ret;
+ }
+ EXPORT_SYMBOL(mISDN_dsp_element_register);
+--
+2.35.1
+
--- /dev/null
+From adc6a62d6d4c57b0ff48b4dd0e6321e4af8a4b59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 09:47:34 +0800
+Subject: net: caif: fix double disconnect client in chnl_net_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 8fbb53c8bfd8c56ecf1f78dc821778b58f505503 ]
+
+When connecting to client timeout, disconnect client for twice in
+chnl_net_open(). Remove one. Compile tested only.
+
+Fixes: 2aa40aef9deb ("caif: Use link layer MTU instead of fixed MTU")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/chnl_net.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
+index 12063f333897..1bfcfcb68a26 100644
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -316,9 +316,6 @@ static int chnl_net_open(struct net_device *dev)
+
+ if (result == 0) {
+ pr_debug("connect timeout\n");
+- caif_disconnect_client(dev_net(dev), &priv->chnl);
+- priv->state = CAIF_DISCONNECTED;
+- pr_debug("state disconnected\n");
+ result = -ETIMEDOUT;
+ goto error;
+ }
+--
+2.35.1
+
--- /dev/null
+From 9d316f85f81c35195e8304851080eb549d785342 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:05:19 +0000
+Subject: net/x25: Fix skb leak in x25_lapb_receive_frame()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 2929cceb2fcf0ded7182562e4888afafece82cce ]
+
+x25_lapb_receive_frame() using skb_copy() to get a private copy of
+skb, the new skb should be freed in the undersized/fragmented skb
+error handling path. Otherwise there is a memory leak.
+
+Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Link: https://lore.kernel.org/r/20221114110519.514538-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/x25/x25_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
+index 30f71620d4e3..24f2676e3b66 100644
+--- a/net/x25/x25_dev.c
++++ b/net/x25/x25_dev.c
+@@ -122,7 +122,7 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
+
+ if (!pskb_may_pull(skb, 1)) {
+ x25_neigh_put(nb);
+- return 0;
++ goto drop;
+ }
+
+ switch (skb->data[0]) {
+--
+2.35.1
+
--- /dev/null
+From 3aa4d259ca6d99a3d655ecb4e396ec19e721f983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 19:52:08 +0100
+Subject: parport_pc: Avoid FIFO port location truncation
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit ab126f51c93a15093df604f661c9480854c005a3 ]
+
+Match the data type of a temporary holding a reference to the FIFO port
+with the type of the original reference coming from `struct parport',
+avoiding data truncation with LP64 ports such as SPARC64 that refer to
+PCI port I/O locations via their corresponding MMIO addresses and will
+therefore have non-zero bits in the high 32-bit part of the reference.
+And in any case it is cleaner to have the data types matching here.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/linux-pci/20220419033752.GA1101844@bhelgaas/
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209231912550.29493@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/parport_pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index 02e6485c1ed5..8c72d54d8d16 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -474,7 +474,7 @@ static size_t parport_pc_fifo_write_block_pio(struct parport *port,
+ const unsigned char *bufp = buf;
+ size_t left = length;
+ unsigned long expire = jiffies + port->physport->cad->timeout;
+- const int fifo = FIFO(port);
++ const unsigned long fifo = FIFO(port);
+ int poll_for = 8; /* 80 usecs */
+ const struct parport_pc_private *priv = port->physport->private_data;
+ const int fifo_depth = priv->fifo_depth;
+--
+2.35.1
+
--- /dev/null
+From 0d688106c3a31709aac26a41832a9ad0ab3f5f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:20:56 +0800
+Subject: pinctrl: devicetree: fix null pointer dereferencing in
+ pinctrl_dt_to_map
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit 91d5c5060ee24fe8da88cd585bb43b843d2f0dce ]
+
+Here is the BUG report by KASAN about null pointer dereference:
+
+BUG: KASAN: null-ptr-deref in strcmp+0x2e/0x50
+Read of size 1 at addr 0000000000000000 by task python3/2640
+Call Trace:
+ strcmp
+ __of_find_property
+ of_find_property
+ pinctrl_dt_to_map
+
+kasprintf() would return NULL pointer when kmalloc() fail to allocate.
+So directly return ENOMEM, if kasprintf() return NULL pointer.
+
+Fixes: 57291ce295c0 ("pinctrl: core device tree mapping table parsing support")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20221110082056.2014898-1-zengheng4@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/devicetree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c
+index d32aedfc6dd0..29f8abffe99f 100644
+--- a/drivers/pinctrl/devicetree.c
++++ b/drivers/pinctrl/devicetree.c
+@@ -207,6 +207,8 @@ int pinctrl_dt_to_map(struct pinctrl *p)
+ for (state = 0; ; state++) {
+ /* Retrieve the pinctrl-* property */
+ propname = kasprintf(GFP_KERNEL, "pinctrl-%d", state);
++ if (!propname)
++ return -ENOMEM;
+ prop = of_find_property(np, propname, &size);
+ kfree(propname);
+ if (!prop) {
+--
+2.35.1
+
--- /dev/null
+From 2fd7b42e09987951017bb54e932143eb9b6430b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 14:00:44 +0300
+Subject: serial: 8250: omap: Flush PM QOS work on remove
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit d0b68629bd2fb61e0171a62f2e8da3db322f5cf6 ]
+
+Rebinding 8250_omap in a loop will at some point produce a warning for
+kernel/power/qos.c:296 cpu_latency_qos_update_request() with error
+"cpu_latency_qos_update_request called for unknown object". Let's flush
+the possibly pending PM QOS work scheduled from omap8250_runtime_suspend()
+before we disable runtime PM.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20221028110044.54719-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index cecc266b3640..d5962162c590 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1234,6 +1234,7 @@ static int omap8250_remove(struct platform_device *pdev)
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
++ flush_work(&priv->qos_work);
+ pm_runtime_disable(&pdev->dev);
+ serial8250_unregister_port(priv->line);
+ pm_qos_remove_request(&priv->pm_qos_request);
+--
+2.35.1
+
--- /dev/null
+From 6e7d259b44b255705b9b738c410cfed7becbd8cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 13:23:39 +0200
+Subject: serial: 8250_omap: remove wait loop from Errata i202 workaround
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit e828e56684d61b17317e0cfdef83791fa61cb76b ]
+
+We were occasionally seeing the "Errata i202: timedout" on an AM335x
+board when repeatedly opening and closing a UART connected to an active
+sender. As new input may arrive at any time, it is possible to miss the
+"RX FIFO empty" condition, forcing the loop to wait until it times out.
+
+Nothing in the i202 Advisory states that such a wait is even necessary;
+other FIFO clear functions like serial8250_clear_fifos() do not wait
+either. For this reason, it seems safe to remove the wait, fixing the
+mentioned issue.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20221013112339.2540767-1-matthias.schiffer@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index c551407bee07..cecc266b3640 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -160,27 +160,10 @@ static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
+ static void omap_8250_mdr1_errataset(struct uart_8250_port *up,
+ struct omap8250_priv *priv)
+ {
+- u8 timeout = 255;
+-
+ serial_out(up, UART_OMAP_MDR1, priv->mdr1);
+ udelay(2);
+ serial_out(up, UART_FCR, up->fcr | UART_FCR_CLEAR_XMIT |
+ UART_FCR_CLEAR_RCVR);
+- /*
+- * Wait for FIFO to empty: when empty, RX_FIFO_E bit is 0 and
+- * TX_FIFO_E bit is 1.
+- */
+- while (UART_LSR_THRE != (serial_in(up, UART_LSR) &
+- (UART_LSR_THRE | UART_LSR_DR))) {
+- timeout--;
+- if (!timeout) {
+- /* Should *never* happen. we warn and carry on */
+- dev_crit(up->port.dev, "Errata i202: timedout %x\n",
+- serial_in(up, UART_LSR));
+- break;
+- }
+- udelay(1);
+- }
+ }
+
+ static void omap_8250_get_divisor(struct uart_port *port, unsigned int baud,
+--
+2.35.1
+
rtc-cmos-fix-build-on-non-acpi-platforms.patch
drm-imx-imx-tve-fix-return-type-of-imx_tve_connector.patch
bluetooth-l2cap-fix-l2cap_global_chan_by_psm.patch
+asoc-core-fix-use-after-free-in-snd_soc_exit.patch
+serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch
+serial-8250-omap-flush-pm-qos-work-on-remove.patch
+tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
+asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch
+parport_pc-avoid-fifo-port-location-truncation.patch
+pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch
+misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch
+misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch
+net-caif-fix-double-disconnect-client-in-chnl_net_op.patch
+xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
+net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
+cifs-fix-wrong-return-value-checking-when-getflags.patch
--- /dev/null
+From d76e5e724949ad40998bdb502718e3d2ea63302a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 12:07:09 +0800
+Subject: tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 7b7dfe4833c70a11cdfa51b38705103bd31eddaa ]
+
+The function gsm_dlci_t1() is a timer handler that runs in an
+atomic context, but it calls "kzalloc(..., GFP_KERNEL)" that
+may sleep. As a result, the sleep-in-atomic-context bug will
+happen. The process is shown below:
+
+gsm_dlci_t1()
+ gsm_dlci_open()
+ gsm_modem_update()
+ gsm_modem_upd_via_msc()
+ gsm_control_send()
+ kzalloc(sizeof(.., GFP_KERNEL) //may sleep
+
+This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to
+GFP_ATOMIC in order to mitigate the bug.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://lore.kernel.org/r/20221002040709.27849-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 3badb10229ef..1131065a4ef3 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1377,7 +1377,7 @@ static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
+ unsigned int command, u8 *data, int clen)
+ {
+ struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ unsigned long flags;
+ if (ctrl == NULL)
+ return NULL;
+--
+2.35.1
+
--- /dev/null
+From adec2afe027c466389941a2901de079fd9040f05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 23:24:41 +0800
+Subject: xen/pcpu: fix possible memory leak in register_pcpu()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit da36a2a76b01b210ffaa55cdc2c99bc8783697c5 ]
+
+In device_add(), dev_set_name() is called to allocate name, if it returns
+error, the name need be freed. As comment of device_register() says, it
+should use put_device() to give up the reference in the error path. So fix
+this by calling put_device(), then the name can be freed in kobject_cleanup().
+
+Fixes: f65c9bb3fb72 ("xen/pcpu: Xen physical cpus online/offline sys interface")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20221110152441.401630-1-yangyingliang@huawei.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/pcpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/pcpu.c b/drivers/xen/pcpu.c
+index cdc6daa7a9f6..9cf7085a260b 100644
+--- a/drivers/xen/pcpu.c
++++ b/drivers/xen/pcpu.c
+@@ -228,7 +228,7 @@ static int register_pcpu(struct pcpu *pcpu)
+
+ err = device_register(dev);
+ if (err) {
+- pcpu_release(dev);
++ put_device(dev);
+ return err;
+ }
+
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
