--- /dev/null
+From 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 Mon Sep 17 00:00:00 2001
+From: Schspa Shi <schspa@gmail.com>
+Date: Thu, 1 Dec 2022 11:33:10 +0800
+Subject: 9p: set req refcount to zero to avoid uninitialized usage
+
+From: Schspa Shi <schspa@gmail.com>
+
+commit 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 upstream.
+
+When a new request is allocated, the refcount will be zero if it is
+reused, but if the request is newly allocated from slab, it is not fully
+initialized before being added to idr.
+
+If the p9_read_work got a response before the refcount initiated. It will
+use a uninitialized req, which will result in a bad request data struct.
+
+Here is the logs from syzbot.
+
+Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00
+0x00 0x00 . . . . . . . . ] (in kfence-#110):
+ p9_fcall_fini net/9p/client.c:248 [inline]
+ p9_req_put net/9p/client.c:396 [inline]
+ p9_req_put+0x208/0x250 net/9p/client.c:390
+ p9_client_walk+0x247/0x540 net/9p/client.c:1165
+ clone_fid fs/9p/fid.h:21 [inline]
+ v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118
+ v9fs_xattr_set fs/9p/xattr.c:100 [inline]
+ v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159
+ __vfs_setxattr+0x119/0x180 fs/xattr.c:182
+ __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216
+ __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277
+ vfs_setxattr+0x143/0x340 fs/xattr.c:309
+ setxattr+0x146/0x160 fs/xattr.c:617
+ path_setxattr+0x197/0x1c0 fs/xattr.c:636
+ __do_sys_setxattr fs/xattr.c:652 [inline]
+ __se_sys_setxattr fs/xattr.c:648 [inline]
+ __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+Below is a similar scenario, the scenario in the syzbot log looks more
+complicated than this one, but this patch can fix it.
+
+ T21124 p9_read_work
+======================== second trans =================================
+p9_client_walk
+ p9_client_rpc
+ p9_client_prepare_req
+ p9_tag_alloc
+ req = kmem_cache_alloc(p9_req_cache, GFP_NOFS);
+ tag = idr_alloc
+ << preempted >>
+ req->tc.tag = tag;
+ /* req->[refcount/tag] == uninitialized */
+ m->rreq = p9_tag_lookup(m->client, m->rc.tag);
+ /* increments uninitalized refcount */
+
+ refcount_set(&req->refcount, 2);
+ /* cb drops one ref */
+ p9_client_cb(req)
+ /* reader thread drops its ref:
+ request is incorrectly freed */
+ p9_req_put(req)
+ /* use after free and ref underflow */
+ p9_req_put(req)
+
+To fix it, we can initialize the refcount to zero before add to idr.
+
+Link: https://lkml.kernel.org/r/20221201033310.18589-1-schspa@gmail.com
+Cc: stable@vger.kernel.org # 6.0+ due to 6cda12864cb0 ("9p: Drop kref usage")
+Fixes: 728356dedeff ("9p: Add refcount to p9_req_t")
+Reported-by: syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com
+Signed-off-by: Schspa Shi <schspa@gmail.com>
+Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/client.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -281,6 +281,11 @@ p9_tag_alloc(struct p9_client *c, int8_t
+ p9pdu_reset(&req->rc);
+ req->t_err = 0;
+ req->status = REQ_STATUS_ALLOC;
++ /* refcount needs to be set to 0 before inserting into the idr
++ * so p9_tag_lookup does not accept a request that is not fully
++ * initialized. refcount_set to 2 below will mark request ready.
++ */
++ refcount_set(&req->refcount, 0);
+ init_waitqueue_head(&req->wq);
+ INIT_LIST_HEAD(&req->req_list);
+
--- /dev/null
+From f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec Mon Sep 17 00:00:00 2001
+From: Yuan Can <yuancan@huawei.com>
+Date: Mon, 31 Oct 2022 12:04:43 +0000
+Subject: floppy: Fix memory leak in do_floppy_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+commit f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec upstream.
+
+A memory leak was reported when floppy_alloc_disk() failed in
+do_floppy_init().
+
+unreferenced object 0xffff888115ed25a0 (size 8):
+ comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s)
+ hex dump (first 8 bytes):
+ 00 ac 67 5b 81 88 ff ff ..g[....
+ backtrace:
+ [<000000007f457abb>] __kmalloc_node+0x4c/0xc0
+ [<00000000a87bfa9e>] blk_mq_realloc_tag_set_tags.part.0+0x6f/0x180
+ [<000000006f02e8b1>] blk_mq_alloc_tag_set+0x573/0x1130
+ [<0000000066007fd7>] 0xffffffffc06b8b08
+ [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0
+ [<00000000e26d04ee>] do_init_module+0x1a4/0x680
+ [<000000001bb22407>] load_module+0x6249/0x7110
+ [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200
+ [<000000007bddca46>] do_syscall_64+0x35/0x80
+ [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+unreferenced object 0xffff88810fc30540 (size 32):
+ comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000007f457abb>] __kmalloc_node+0x4c/0xc0
+ [<000000006b91eab4>] blk_mq_alloc_tag_set+0x393/0x1130
+ [<0000000066007fd7>] 0xffffffffc06b8b08
+ [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0
+ [<00000000e26d04ee>] do_init_module+0x1a4/0x680
+ [<000000001bb22407>] load_module+0x6249/0x7110
+ [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200
+ [<000000007bddca46>] do_syscall_64+0x35/0x80
+ [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+If the floppy_alloc_disk() failed, disks of current drive will not be set,
+thus the lastest allocated set->tag cannot be freed in the error handling
+path. A simple call graph shown as below:
+
+ floppy_module_init()
+ floppy_init()
+ do_floppy_init()
+ for (drive = 0; drive < N_DRIVE; drive++)
+ blk_mq_alloc_tag_set()
+ blk_mq_alloc_tag_set_tags()
+ blk_mq_realloc_tag_set_tags() # set->tag allocated
+ floppy_alloc_disk()
+ blk_mq_alloc_disk() # error occurred, disks failed to allocated
+
+ ->out_put_disk:
+ for (drive = 0; drive < N_DRIVE; drive++)
+ if (!disks[drive][0]) # the last disks is not set and loop break
+ break;
+ blk_mq_free_tag_set() # the latest allocated set->tag leaked
+
+Fix this problem by free the set->tag of current drive before jump to
+error handling path.
+
+Cc: stable@vger.kernel.org
+Fixes: 302cfee15029 ("floppy: use a separate gendisk for each media format")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+[efremov: added stable list, changed title]
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/floppy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -4587,8 +4587,10 @@ static int __init do_floppy_init(void)
+ goto out_put_disk;
+
+ err = floppy_alloc_disk(drive, 0);
+- if (err)
++ if (err) {
++ blk_mq_free_tag_set(&tag_sets[drive]);
+ goto out_put_disk;
++ }
+
+ timer_setup(&motor_off_timer[drive], motor_off_callback, 0);
+ }
--- /dev/null
+From 67c90d14018775556d5420382ace86521421f9ff Mon Sep 17 00:00:00 2001
+From: Enrik Berkhan <Enrik.Berkhan@inka.de>
+Date: Thu, 3 Nov 2022 23:27:12 +0100
+Subject: HID: mcp2221: don't connect hidraw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Enrik Berkhan <Enrik.Berkhan@inka.de>
+
+commit 67c90d14018775556d5420382ace86521421f9ff upstream.
+
+The MCP2221 driver should not connect to the hidraw userspace interface,
+as it needs exclusive access to the chip.
+
+If you want to use /dev/hidrawX with the MCP2221, you need to avoid
+binding this driver to the device and use the hid generic driver instead
+(e.g. using udev rules).
+
+Cc: stable@vger.kernel.org
+Reported-by: Sven Zühlsdorf <sven.zuehlsdorf@vigem.de>
+Signed-off-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20221103222714.21566-2-Enrik.Berkhan@inka.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-mcp2221.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-mcp2221.c
++++ b/drivers/hid/hid-mcp2221.c
+@@ -840,12 +840,19 @@ static int mcp2221_probe(struct hid_devi
+ return ret;
+ }
+
+- ret = hid_hw_start(hdev, HID_CONNECT_HIDRAW);
++ /*
++ * This driver uses the .raw_event callback and therefore does not need any
++ * HID_CONNECT_xxx flags.
++ */
++ ret = hid_hw_start(hdev, 0);
+ if (ret) {
+ hid_err(hdev, "can't start hardware\n");
+ return ret;
+ }
+
++ hid_info(hdev, "USB HID v%x.%02x Device [%s] on %s\n", hdev->version >> 8,
++ hdev->version & 0xff, hdev->name, hdev->phys);
++
+ ret = hid_hw_open(hdev);
+ if (ret) {
+ hid_err(hdev, "can't open device\n");
+@@ -870,8 +877,7 @@ static int mcp2221_probe(struct hid_devi
+ mcp->adapter.retries = 1;
+ mcp->adapter.dev.parent = &hdev->dev;
+ snprintf(mcp->adapter.name, sizeof(mcp->adapter.name),
+- "MCP2221 usb-i2c bridge on hidraw%d",
+- ((struct hidraw *)hdev->hidraw)->minor);
++ "MCP2221 usb-i2c bridge");
+
+ ret = i2c_add_adapter(&mcp->adapter);
+ if (ret) {
--- /dev/null
+From 1db1f392591aff13fd643f0ec7c1d5e27391d700 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Thu, 1 Dec 2022 15:11:41 -0800
+Subject: HID: wacom: Ensure bootloader PID is usable in hidraw mode
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream.
+
+Some Wacom devices have a special "bootloader" mode that is used for
+firmware flashing. When operating in this mode, the device cannot be
+used for input, and the HID descriptor is not able to be processed by
+the driver. The driver generates an "Unknown device_type" warning and
+then returns an error code from wacom_probe(). This is a problem because
+userspace still needs to be able to interact with the device via hidraw
+to perform the firmware flash.
+
+This commit adds a non-generic device definition for 056a:0094 which
+is used when devices are in "bootloader" mode. It marks the devices
+with a special BOOTLOADER type that is recognized by wacom_probe() and
+wacom_raw_event(). When we see this type we ensure a hidraw device is
+created and otherwise keep our hands off so that userspace is in full
+control.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c | 8 ++++++++
+ drivers/hid/wacom_wac.c | 4 ++++
+ drivers/hid/wacom_wac.h | 1 +
+ 3 files changed, 13 insertions(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -160,6 +160,9 @@ static int wacom_raw_event(struct hid_de
+ {
+ struct wacom *wacom = hid_get_drvdata(hdev);
+
++ if (wacom->wacom_wac.features.type == BOOTLOADER)
++ return 0;
++
+ if (size > WACOM_PKGLEN_MAX)
+ return 1;
+
+@@ -2792,6 +2795,11 @@ static int wacom_probe(struct hid_device
+ return error;
+ }
+
++ if (features->type == BOOTLOADER) {
++ hid_warn(hdev, "Using device in hidraw-only mode");
++ return hid_hw_start(hdev, HID_CONNECT_HIDRAW);
++ }
++
+ error = wacom_parse_and_register(wacom, false);
+ if (error)
+ return error;
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -4813,6 +4813,9 @@ static const struct wacom_features wacom
+ static const struct wacom_features wacom_features_HID_ANY_ID =
+ { "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID };
+
++static const struct wacom_features wacom_features_0x94 =
++ { "Wacom Bootloader", .type = BOOTLOADER };
++
+ #define USB_DEVICE_WACOM(prod) \
+ HID_DEVICE(BUS_USB, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
+ .driver_data = (kernel_ulong_t)&wacom_features_##prod
+@@ -4886,6 +4889,7 @@ const struct hid_device_id wacom_ids[] =
+ { USB_DEVICE_WACOM(0x84) },
+ { USB_DEVICE_WACOM(0x90) },
+ { USB_DEVICE_WACOM(0x93) },
++ { USB_DEVICE_WACOM(0x94) },
+ { USB_DEVICE_WACOM(0x97) },
+ { USB_DEVICE_WACOM(0x9A) },
+ { USB_DEVICE_WACOM(0x9F) },
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -242,6 +242,7 @@ enum {
+ MTTPC,
+ MTTPC_B,
+ HID_GENERIC,
++ BOOTLOADER,
+ MAX_TYPE
+ };
+
--- /dev/null
+From 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Tue, 20 Sep 2022 13:28:07 +0200
+Subject: iio: adc: ad_sigma_delta: do not use internal iio_dev lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream.
+
+Drop 'mlock' usage by making use of iio_device_claim_direct_mode().
+This change actually makes sure we cannot do a single conversion while
+buffering is enable. Note there was a potential race in the previous
+code since we were only acquiring the lock after checking if the bus is
+enabled.
+
+Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: <Stable@vger.kernel.org> #No rush as race is very old.
+Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -280,10 +280,10 @@ int ad_sigma_delta_single_conversion(str
+ unsigned int data_reg;
+ int ret = 0;
+
+- if (iio_buffer_enabled(indio_dev))
+- return -EBUSY;
++ ret = iio_device_claim_direct_mode(indio_dev);
++ if (ret)
++ return ret;
+
+- mutex_lock(&indio_dev->mlock);
+ ad_sigma_delta_set_channel(sigma_delta, chan->address);
+
+ spi_bus_lock(sigma_delta->spi->master);
+@@ -322,7 +322,7 @@ out:
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+ sigma_delta->bus_locked = false;
+ spi_bus_unlock(sigma_delta->spi->master);
+- mutex_unlock(&indio_dev->mlock);
++ iio_device_release_direct_mode(indio_dev);
+
+ if (ret)
+ return ret;
--- /dev/null
+From e2af60f5900c6ade53477b494ffb54690eee11f5 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Tue, 15 Nov 2022 14:23:23 +0100
+Subject: iio: adc128s052: add proper .data members in adc128_of_match table
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit e2af60f5900c6ade53477b494ffb54690eee11f5 upstream.
+
+Prior to commit bd5d54e4d49d ("iio: adc128s052: add ACPI _HID
+AANT1280"), the driver unconditionally used spi_get_device_id() to get
+the index into the adc128_config array.
+
+However, with that commit, OF-based boards now incorrectly treat all
+supported sensors as if they are an adc128s052, because all the .data
+members of the adc128_of_match table are implicitly 0. Our board,
+which has an adc122s021, thus exposes 8 channels whereas it really
+only has two.
+
+Fixes: bd5d54e4d49d ("iio: adc128s052: add ACPI _HID AANT1280")
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20221115132324.1078169-1-linux@rasmusvillemoes.dk
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-adc128s052.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/adc/ti-adc128s052.c
++++ b/drivers/iio/adc/ti-adc128s052.c
+@@ -193,13 +193,13 @@ static int adc128_remove(struct spi_devi
+ }
+
+ static const struct of_device_id adc128_of_match[] = {
+- { .compatible = "ti,adc128s052", },
+- { .compatible = "ti,adc122s021", },
+- { .compatible = "ti,adc122s051", },
+- { .compatible = "ti,adc122s101", },
+- { .compatible = "ti,adc124s021", },
+- { .compatible = "ti,adc124s051", },
+- { .compatible = "ti,adc124s101", },
++ { .compatible = "ti,adc128s052", .data = (void*)0L, },
++ { .compatible = "ti,adc122s021", .data = (void*)1L, },
++ { .compatible = "ti,adc122s051", .data = (void*)1L, },
++ { .compatible = "ti,adc122s101", .data = (void*)1L, },
++ { .compatible = "ti,adc124s021", .data = (void*)2L, },
++ { .compatible = "ti,adc124s051", .data = (void*)2L, },
++ { .compatible = "ti,adc124s101", .data = (void*)2L, },
+ { /* sentinel */ },
+ };
+ MODULE_DEVICE_TABLE(of, adc128_of_match);
--- /dev/null
+From 86fdd15e10e404e70ecb2a3bff24d70356d42b36 Mon Sep 17 00:00:00 2001
+From: Zeng Heng <zengheng4@huawei.com>
+Date: Tue, 15 Nov 2022 10:37:12 +0800
+Subject: iio: fix memory leak in iio_device_register_eventset()
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+commit 86fdd15e10e404e70ecb2a3bff24d70356d42b36 upstream.
+
+When iio_device_register_sysfs_group() returns failed,
+iio_device_register_eventset() needs to free attrs array.
+
+Otherwise, kmemleak would scan & report memory leak as below:
+
+unreferenced object 0xffff88810a1cc3c0 (size 32):
+ comm "100-i2c-vcnl302", pid 728, jiffies 4295052307 (age 156.027s)
+ backtrace:
+ __kmalloc+0x46/0x1b0
+ iio_device_register_eventset at drivers/iio/industrialio-event.c:541
+ __iio_device_register at drivers/iio/industrialio-core.c:1959
+ __devm_iio_device_register at drivers/iio/industrialio-core.c:2040
+
+Fixes: 32f171724e5c ("iio: core: rework iio device group creation")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20221115023712.3726854-1-zengheng4@huawei.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-event.c
++++ b/drivers/iio/industrialio-event.c
+@@ -549,7 +549,7 @@ int iio_device_register_eventset(struct
+
+ ret = iio_device_register_sysfs_group(indio_dev, &ev_int->group);
+ if (ret)
+- goto error_free_setup_event_lines;
++ goto error_free_group_attrs;
+
+ ev_int->ioctl_handler.ioctl = iio_event_ioctl;
+ iio_device_ioctl_handler_register(&iio_dev_opaque->indio_dev,
+@@ -557,6 +557,8 @@ int iio_device_register_eventset(struct
+
+ return 0;
+
++error_free_group_attrs:
++ kfree(ev_int->group.attrs);
+ error_free_setup_event_lines:
+ iio_free_chan_devattr_list(&ev_int->dev_attr_list);
+ kfree(ev_int);
--- /dev/null
+From 85c50197716c60fe57f411339c579462e563ac57 Mon Sep 17 00:00:00 2001
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Thu, 8 Dec 2022 13:29:01 -0800
+Subject: loop: Fix the max_loop commandline argument treatment when it is set to 0
+
+From: Isaac J. Manjarres <isaacmanjarres@google.com>
+
+commit 85c50197716c60fe57f411339c579462e563ac57 upstream.
+
+Currently, the max_loop commandline argument can be used to specify how
+many loop block devices are created at init time. If it is not
+specified on the commandline, CONFIG_BLK_DEV_LOOP_MIN_COUNT loop block
+devices will be created.
+
+The max_loop commandline argument can be used to override the value of
+CONFIG_BLK_DEV_LOOP_MIN_COUNT. However, when max_loop is set to 0
+through the commandline, the current logic treats it as if it had not
+been set, and creates CONFIG_BLK_DEV_LOOP_MIN_COUNT devices anyway.
+
+Fix this by starting max_loop off as set to CONFIG_BLK_DEV_LOOP_MIN_COUNT.
+This preserves the intended behavior of creating
+CONFIG_BLK_DEV_LOOP_MIN_COUNT loop block devices if the max_loop
+commandline parameter is not specified, and allowing max_loop to
+be respected for all values, including 0.
+
+This allows environments that can create all of their required loop
+block devices on demand to not have to unnecessarily preallocate loop
+block devices.
+
+Fixes: 732850827450 ("remove artificial software max_loop limit")
+Cc: stable@vger.kernel.org
+Cc: Ken Chen <kenchen@google.com>
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Link: https://lore.kernel.org/r/20221208212902.765781-1-isaacmanjarres@google.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/loop.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -2091,7 +2091,16 @@ static const struct block_device_operati
+ /*
+ * And now the modules code and kernel interface.
+ */
+-static int max_loop;
++
++/*
++ * If max_loop is specified, create that many devices upfront.
++ * This also becomes a hard limit. If max_loop is not specified,
++ * create CONFIG_BLK_DEV_LOOP_MIN_COUNT loop devices at module
++ * init time. Loop devices can be requested on-demand with the
++ * /dev/loop-control interface, or be instantiated by accessing
++ * a 'dead' device node.
++ */
++static int max_loop = CONFIG_BLK_DEV_LOOP_MIN_COUNT;
+ module_param(max_loop, int, 0444);
+ MODULE_PARM_DESC(max_loop, "Maximum number of loop devices");
+ module_param(max_part, int, 0444);
+@@ -2536,7 +2545,7 @@ MODULE_ALIAS("devname:loop-control");
+
+ static int __init loop_init(void)
+ {
+- int i, nr;
++ int i;
+ int err;
+
+ part_shift = 0;
+@@ -2564,19 +2573,6 @@ static int __init loop_init(void)
+ goto err_out;
+ }
+
+- /*
+- * If max_loop is specified, create that many devices upfront.
+- * This also becomes a hard limit. If max_loop is not specified,
+- * create CONFIG_BLK_DEV_LOOP_MIN_COUNT loop devices at module
+- * init time. Loop devices can be requested on-demand with the
+- * /dev/loop-control interface, or be instantiated by accessing
+- * a 'dead' device node.
+- */
+- if (max_loop)
+- nr = max_loop;
+- else
+- nr = CONFIG_BLK_DEV_LOOP_MIN_COUNT;
+-
+ err = misc_register(&loop_misc);
+ if (err < 0)
+ goto err_out;
+@@ -2588,7 +2584,7 @@ static int __init loop_init(void)
+ }
+
+ /* pre-create number of devices given by config or max_loop */
+- for (i = 0; i < nr; i++)
++ for (i = 0; i < max_loop; i++)
+ loop_add(i);
+
+ printk(KERN_INFO "loop: module loaded\n");
--- /dev/null
+From cb3543cff90a4448ed560ac86c98033ad5fecda9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Thu, 15 Dec 2022 11:46:46 +0100
+Subject: regulator: core: fix deadlock on regulator enable
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit cb3543cff90a4448ed560ac86c98033ad5fecda9 upstream.
+
+When updating the operating mode as part of regulator enable, the caller
+has already locked the regulator tree and drms_uA_update() must not try
+to do the same in order not to trigger a deadlock.
+
+The lock inversion is reported by lockdep as:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 6.1.0-next-20221215 #142 Not tainted
+ ------------------------------------------------------
+ udevd/154 is trying to acquire lock:
+ ffffc11f123d7e50 (regulator_list_mutex){+.+.}-{3:3}, at: regulator_lock_dependent+0x54/0x280
+
+ but task is already holding lock:
+ ffff80000e4c36e8 (regulator_ww_class_acquire){+.+.}-{0:0}, at: regulator_enable+0x34/0x80
+
+ which lock already depends on the new lock.
+
+ ...
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(regulator_ww_class_acquire);
+ lock(regulator_list_mutex);
+ lock(regulator_ww_class_acquire);
+ lock(regulator_list_mutex);
+
+ *** DEADLOCK ***
+
+just before probe of a Qualcomm UFS controller (occasionally) deadlocks
+when enabling one of its regulators.
+
+Fixes: 9243a195be7a ("regulator: core: Change voltage setting path")
+Fixes: f8702f9e4aa7 ("regulator: core: Use ww_mutex for regulators locking")
+Cc: stable@vger.kernel.org # 5.0
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20221215104646.19818-1-johan+linaro@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -962,7 +962,7 @@ static int drms_uA_update(struct regulat
+ /* get input voltage */
+ input_uV = 0;
+ if (rdev->supply)
+- input_uV = regulator_get_voltage(rdev->supply);
++ input_uV = regulator_get_voltage_rdev(rdev->supply->rdev);
+ if (input_uV <= 0)
+ input_uV = rdev->constraints->input_uV;
+ if (input_uV <= 0) {
--- /dev/null
+From 572302af1258459e124437b8f3369357447afac7 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Thu, 10 Nov 2022 10:46:35 +0100
+Subject: reiserfs: Add missing calls to reiserfs_security_free()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 572302af1258459e124437b8f3369357447afac7 upstream.
+
+Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes
+during inode creation") defined reiserfs_security_free() to free the name
+and value of a security xattr allocated by the active LSM through
+security_old_inode_init_security(). However, this function is not called
+in the reiserfs code.
+
+Thus, add a call to reiserfs_security_free() whenever
+reiserfs_security_init() is called, and initialize value to NULL, to avoid
+to call kfree() on an uninitialized pointer.
+
+Finally, remove the kfree() for the xattr name, as it is not allocated
+anymore.
+
+Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation")
+Cc: stable@vger.kernel.org
+Cc: Jeff Mahoney <jeffm@suse.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: Mimi Zohar <zohar@linux.ibm.com>
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/reiserfs/namei.c | 4 ++++
+ fs/reiserfs/xattr_security.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/namei.c
++++ b/fs/reiserfs/namei.c
+@@ -696,6 +696,7 @@ static int reiserfs_create(struct user_n
+
+ out_failed:
+ reiserfs_write_unlock(dir->i_sb);
++ reiserfs_security_free(&security);
+ return retval;
+ }
+
+@@ -779,6 +780,7 @@ static int reiserfs_mknod(struct user_na
+
+ out_failed:
+ reiserfs_write_unlock(dir->i_sb);
++ reiserfs_security_free(&security);
+ return retval;
+ }
+
+@@ -878,6 +880,7 @@ static int reiserfs_mkdir(struct user_na
+ retval = journal_end(&th);
+ out_failed:
+ reiserfs_write_unlock(dir->i_sb);
++ reiserfs_security_free(&security);
+ return retval;
+ }
+
+@@ -1194,6 +1197,7 @@ static int reiserfs_symlink(struct user_
+ retval = journal_end(&th);
+ out_failed:
+ reiserfs_write_unlock(parent_dir->i_sb);
++ reiserfs_security_free(&security);
+ return retval;
+ }
+
+--- a/fs/reiserfs/xattr_security.c
++++ b/fs/reiserfs/xattr_security.c
+@@ -50,6 +50,7 @@ int reiserfs_security_init(struct inode
+ int error;
+
+ sec->name = NULL;
++ sec->value = NULL;
+
+ /* Don't add selinux attributes on xattrs - they'll never get used */
+ if (IS_PRIVATE(dir))
+@@ -95,7 +96,6 @@ int reiserfs_security_write(struct reise
+
+ void reiserfs_security_free(struct reiserfs_security_handle *sec)
+ {
+- kfree(sec->name);
+ kfree(sec->value);
+ sec->name = NULL;
+ sec->value = NULL;
--- /dev/null
+From d6a9fb87e9d18f3394a9845546bbe868efdccfd2 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 14 Dec 2022 16:26:03 -0700
+Subject: security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit d6a9fb87e9d18f3394a9845546bbe868efdccfd2 upstream.
+
+A bad bug in clang's implementation of -fzero-call-used-regs can result
+in NULL pointer dereferences (see the links above the check for more
+information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a
+supported GCC version or a clang newer than 15.0.6, which will catch
+both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have
+the bug fixed.
+
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20221214232602.4118147-1-nathan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/Kconfig.hardening | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -240,6 +240,9 @@ config INIT_ON_FREE_DEFAULT_ON
+
+ config CC_HAS_ZERO_CALL_USED_REGS
+ def_bool $(cc-option,-fzero-call-used-regs=used-gpr)
++ # https://github.com/ClangBuiltLinux/linux/issues/1766
++ # https://github.com/llvm/llvm-project/issues/59242
++ depends on !CC_IS_CLANG || CLANG_VERSION > 150006
+
+ config ZERO_CALL_USED_REGS
+ bool "Enable register zeroing on function exit"
usb-dwc3-fix-race-between-dwc3_set_mode-and-__dwc3_set_mode.patch
usb-dwc3-core-defer-probe-on-ulpi_read_id-timeout.patch
xhci-prevent-infinite-loop-in-transaction-errors-recovery-for-streams.patch
+hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch
+hid-mcp2221-don-t-connect-hidraw.patch
+loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch
+9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch
+security-restrict-config_zero_call_used_regs-to-gcc-or-clang-15.0.6.patch
+reiserfs-add-missing-calls-to-reiserfs_security_free.patch
+iio-fix-memory-leak-in-iio_device_register_eventset.patch
+iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch
+iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch
+regulator-core-fix-deadlock-on-regulator-enable.patch
+floppy-fix-memory-leak-in-do_floppy_init.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
