Fixes for 5.15

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.15/afs-fix-fileserver-probe-rtt-handling.patch b/queue-5.15/afs-fix-fileserver-probe-rtt-handling.patch
new file mode 100644 (file)
index 0000000..747d197
--- /dev/null
+++ b/queue-5.15/afs-fix-fileserver-probe-rtt-handling.patch
@@ -0,0 +1,50 @@
+From 3d1f1c53020c37e356c6206c1f9e51e7745e69f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 22:02:56 +0000
+Subject: afs: Fix fileserver probe RTT handling
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit ca57f02295f188d6c65ec02202402979880fa6d8 ]
+
+The fileserver probing code attempts to work out the best fileserver to
+use for a volume by retrieving the RTT calculated by AF_RXRPC for the
+probe call sent to each server and comparing them.  Sometimes, however,
+no RTT estimate is available and rxrpc_kernel_get_srtt() returns false,
+leading good fileservers to be given an RTT of UINT_MAX and thus causing
+the rotation algorithm to ignore them.
+
+Fix afs_select_fileserver() to ignore rxrpc_kernel_get_srtt()'s return
+value and just take the estimated RTT it provides - which will be capped
+at 1 second.
+
+Fixes: 1d4adfaf6574 ("rxrpc: Make rxrpc_kernel_get_srtt() indicate validity")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Tested-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/166965503999.3392585.13954054113218099395.stgit@warthog.procyon.org.uk/
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/fs_probe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c
+index c0031a3ab42f..3ac5fcf98d0d 100644
+--- a/fs/afs/fs_probe.c
++++ b/fs/afs/fs_probe.c
+@@ -167,8 +167,8 @@ void afs_fileserver_probe_result(struct afs_call *call)
+                       clear_bit(AFS_SERVER_FL_HAS_FS64, &server->flags);
+       }
+ 
+-      if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
+-          rtt_us < server->probe.rtt) {
++      rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us);
++      if (rtt_us < server->probe.rtt) {
+               server->probe.rtt = rtt_us;
+               server->rtt = rtt_us;
+               alist->preferred = index;
+-- 
+2.35.1
+

diff --git a/queue-5.15/aquantia-do-not-purge-addresses-when-setting-the-num.patch b/queue-5.15/aquantia-do-not-purge-addresses-when-setting-the-num.patch
new file mode 100644 (file)
index 0000000..5f1d264
--- /dev/null
+++ b/queue-5.15/aquantia-do-not-purge-addresses-when-setting-the-num.patch
@@ -0,0 +1,91 @@
+From e067020b74c90e38cc9eb90d9482f3aa061c29a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 11:10:08 +0100
+Subject: aquantia: Do not purge addresses when setting the number of rings
+
+From: Izabela Bakollari <ibakolla@redhat.com>
+
+[ Upstream commit 2a83891130512dafb321418a8e7c9c09268d8c59 ]
+
+IPV6 addresses are purged when setting the number of rx/tx
+rings using ethtool -G. The function aq_set_ringparam
+calls dev_close, which removes the addresses. As a solution,
+call an internal function (aq_ndev_close).
+
+Fixes: c1af5427954b ("net: aquantia: Ethtool based ring size configuration")
+Signed-off-by: Izabela Bakollari <ibakolla@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 5 +++--
+ drivers/net/ethernet/aquantia/atlantic/aq_main.c    | 4 ++--
+ drivers/net/ethernet/aquantia/atlantic/aq_main.h    | 2 ++
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
+index a9ef0544e30f..715859cb6560 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
+@@ -13,6 +13,7 @@
+ #include "aq_ptp.h"
+ #include "aq_filters.h"
+ #include "aq_macsec.h"
++#include "aq_main.h"
+ 
+ #include <linux/ptp_clock_kernel.h>
+ 
+@@ -845,7 +846,7 @@ static int aq_set_ringparam(struct net_device *ndev,
+ 
+       if (netif_running(ndev)) {
+               ndev_running = true;
+-              dev_close(ndev);
++              aq_ndev_close(ndev);
+       }
+ 
+       cfg->rxds = max(ring->rx_pending, hw_caps->rxds_min);
+@@ -861,7 +862,7 @@ static int aq_set_ringparam(struct net_device *ndev,
+               goto err_exit;
+ 
+       if (ndev_running)
+-              err = dev_open(ndev, NULL);
++              err = aq_ndev_open(ndev);
+ 
+ err_exit:
+       return err;
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+index f069312463fb..45ed097bfe49 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+@@ -53,7 +53,7 @@ struct net_device *aq_ndev_alloc(void)
+       return ndev;
+ }
+ 
+-static int aq_ndev_open(struct net_device *ndev)
++int aq_ndev_open(struct net_device *ndev)
+ {
+       struct aq_nic_s *aq_nic = netdev_priv(ndev);
+       int err = 0;
+@@ -83,7 +83,7 @@ static int aq_ndev_open(struct net_device *ndev)
+       return err;
+ }
+ 
+-static int aq_ndev_close(struct net_device *ndev)
++int aq_ndev_close(struct net_device *ndev)
+ {
+       struct aq_nic_s *aq_nic = netdev_priv(ndev);
+       int err = 0;
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.h b/drivers/net/ethernet/aquantia/atlantic/aq_main.h
+index a5a624b9ce73..2a562ab7a5af 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.h
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.h
+@@ -14,5 +14,7 @@
+ 
+ void aq_ndev_schedule_work(struct work_struct *work);
+ struct net_device *aq_ndev_alloc(void);
++int aq_ndev_open(struct net_device *ndev);
++int aq_ndev_close(struct net_device *ndev);
+ 
+ #endif /* AQ_MAIN_H */
+-- 
+2.35.1
+

diff --git a/queue-5.15/arm-at91-rm9200-fix-usb-device-clock-id.patch b/queue-5.15/arm-at91-rm9200-fix-usb-device-clock-id.patch
new file mode 100644 (file)
index 0000000..dca3d18
--- /dev/null
+++ b/queue-5.15/arm-at91-rm9200-fix-usb-device-clock-id.patch
@@ -0,0 +1,64 @@
+From 470c5215c2d8d64063bfbc9500f094d9cd79f794 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:59:22 +0100
+Subject: ARM: at91: rm9200: fix usb device clock id
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 57976762428675f259339385d3324d28ee53ec02 ]
+
+Referring to the datasheet the index 2 is the MCKUDP. When enabled, it
+"Enables the automatic disable of the Master Clock of the USB Device
+Port when a suspend condition occurs". We fix the index to the real UDP
+id which "Enables the 48 MHz clock of the USB Device Port".
+
+Cc: nicolas.ferre@microchip.com
+Cc: ludovic.desroches@microchip.com
+Cc: alexandre.belloni@bootlin.com
+Cc: mturquette@baylibre.com
+Cc: sboyd@kernel.org
+Cc: claudiu.beznea@microchip.com
+Cc: linux-clk@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: kernel@pengutronix.de
+Fixes: 02ff48e4d7f7 ("clk: at91: add at91rm9200 pmc driver")
+Fixes: 0e0e528d8260 ("ARM: dts: at91: rm9200: switch to new clock bindings")
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20221114185923.1023249-2-m.grzeschik@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/at91rm9200.dtsi | 2 +-
+ drivers/clk/at91/at91rm9200.c     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/at91rm9200.dtsi b/arch/arm/boot/dts/at91rm9200.dtsi
+index d1181ead18e5..21344fbc89e5 100644
+--- a/arch/arm/boot/dts/at91rm9200.dtsi
++++ b/arch/arm/boot/dts/at91rm9200.dtsi
+@@ -660,7 +660,7 @@ usb1: gadget@fffb0000 {
+                               compatible = "atmel,at91rm9200-udc";
+                               reg = <0xfffb0000 0x4000>;
+                               interrupts = <11 IRQ_TYPE_LEVEL_HIGH 2>;
+-                              clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 2>;
++                              clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 1>;
+                               clock-names = "pclk", "hclk";
+                               status = "disabled";
+                       };
+diff --git a/drivers/clk/at91/at91rm9200.c b/drivers/clk/at91/at91rm9200.c
+index 428a6f4b9ebc..8d36e615cd9d 100644
+--- a/drivers/clk/at91/at91rm9200.c
++++ b/drivers/clk/at91/at91rm9200.c
+@@ -40,7 +40,7 @@ static const struct clk_pll_characteristics rm9200_pll_characteristics = {
+ };
+ 
+ static const struct sck at91rm9200_systemck[] = {
+-      { .n = "udpck", .p = "usbck",    .id = 2 },
++      { .n = "udpck", .p = "usbck",    .id = 1 },
+       { .n = "uhpck", .p = "usbck",    .id = 4 },
+       { .n = "pck0",  .p = "prog0",    .id = 8 },
+       { .n = "pck1",  .p = "prog1",    .id = 9 },
+-- 
+2.35.1
+

diff --git a/queue-5.15/arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cle.patch b/queue-5.15/arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cle.patch
new file mode 100644 (file)
index 0000000..2004d8e
--- /dev/null
+++ b/queue-5.15/arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cle.patch
@@ -0,0 +1,103 @@
+From ab98e40cadfba39e6c6cbdd3c94717de0e111b75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Oct 2022 17:33:54 +0100
+Subject: arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or
+ restored
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+[ Upstream commit a8e5e5146ad08d794c58252bab00b261045ef16d ]
+
+Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE
+is untagged"), mte_sync_tags() was only called for pte_tagged() entries
+(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use
+test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently
+setting PG_mte_tagged on an untagged page.
+
+The above commit was required as guests may enable MTE without any
+control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.
+However, the side-effect was that any page with a PTE that looked like
+swap (or migration) was getting PG_mte_tagged set automatically. A
+subsequent page copy (e.g. migration) copied the tags to the destination
+page even if the tags were owned by KASAN.
+
+This issue was masked by the page_kasan_tag_reset() call introduced in
+commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags").
+When this commit was reverted (20794545c146), KASAN started reporting
+access faults because the overriding tags in a page did not match the
+original page->flags (with CONFIG_KASAN_HW_TAGS=y):
+
+  BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
+  Read at addr f5ff000017f2e000 by task syz-executor.1/2218
+  Pointer tag: [f5], memory tag: [f2]
+
+Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual
+place where tags are cleared (mte_sync_page_tags()) or restored
+(mte_restore_tags()).
+
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: syzbot+c2c79c6d6eddc5262b77@syzkaller.appspotmail.com
+Fixes: 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged")
+Cc: <stable@vger.kernel.org> # 5.14.x
+Cc: Steven Price <steven.price@arm.com>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/0000000000004387dc05e5888ae5@google.com/
+Reviewed-by: Steven Price <steven.price@arm.com>
+Link: https://lore.kernel.org/r/20221006163354.3194102-1-catalin.marinas@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/mte.c | 9 +++++++--
+ arch/arm64/mm/mteswap.c | 7 ++++++-
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
+index dacca0684ea3..a3898bac5ae6 100644
+--- a/arch/arm64/kernel/mte.c
++++ b/arch/arm64/kernel/mte.c
+@@ -53,7 +53,12 @@ static void mte_sync_page_tags(struct page *page, pte_t old_pte,
+        * the new page->flags are visible before the tags were updated.
+        */
+       smp_wmb();
+-      mte_clear_page_tags(page_address(page));
++      /*
++       * Test PG_mte_tagged again in case it was racing with another
++       * set_pte_at().
++       */
++      if (!test_and_set_bit(PG_mte_tagged, &page->flags))
++              mte_clear_page_tags(page_address(page));
+ }
+ 
+ void mte_sync_tags(pte_t old_pte, pte_t pte)
+@@ -69,7 +74,7 @@ void mte_sync_tags(pte_t old_pte, pte_t pte)
+ 
+       /* if PG_mte_tagged is set, tags have already been initialised */
+       for (i = 0; i < nr_pages; i++, page++) {
+-              if (!test_and_set_bit(PG_mte_tagged, &page->flags))
++              if (!test_bit(PG_mte_tagged, &page->flags))
+                       mte_sync_page_tags(page, old_pte, check_swap,
+                                          pte_is_tagged);
+       }
+diff --git a/arch/arm64/mm/mteswap.c b/arch/arm64/mm/mteswap.c
+index 7c4ef56265ee..fd6cabc6d033 100644
+--- a/arch/arm64/mm/mteswap.c
++++ b/arch/arm64/mm/mteswap.c
+@@ -62,7 +62,12 @@ bool mte_restore_tags(swp_entry_t entry, struct page *page)
+        * the new page->flags are visible before the tags were updated.
+        */
+       smp_wmb();
+-      mte_restore_page_tags(page_address(page), tags);
++      /*
++       * Test PG_mte_tagged again in case it was racing with another
++       * set_pte_at().
++       */
++      if (!test_and_set_bit(PG_mte_tagged, &page->flags))
++              mte_restore_page_tags(page_address(page), tags);
+ 
+       return true;
+ }
+-- 
+2.35.1
+

diff --git a/queue-5.15/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch b/queue-5.15/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch
new file mode 100644 (file)
index 0000000..cc24434
--- /dev/null
+++ b/queue-5.15/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch
@@ -0,0 +1,42 @@
+From eb3a45a5b9a54c160d61b99becb8c500217b205c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 08:47:19 -0500
+Subject: bpf: Do not copy spin lock field from user in bpf_selem_alloc
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 836e49e103dfeeff670c934b7d563cbd982fce87 ]
+
+bpf_selem_alloc function is used by inode_storage, sk_storage and
+task_storage maps to set map value, for these map types, there may
+be a spin lock in the map value, so if we use memcpy to copy the whole
+map value from user, the spin lock field may be initialized incorrectly.
+
+Since the spin lock field is zeroed by kzalloc, call copy_map_value
+instead of memcpy to skip copying the spin lock field to fix it.
+
+Fixes: 6ac99e8f23d4 ("bpf: Introduce bpf sk local storage")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Link: https://lore.kernel.org/r/20221114134720.1057939-2-xukuohai@huawei.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/bpf_local_storage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c
+index de4d741d99a3..6c2d39a3d558 100644
+--- a/kernel/bpf/bpf_local_storage.c
++++ b/kernel/bpf/bpf_local_storage.c
+@@ -71,7 +71,7 @@ bpf_selem_alloc(struct bpf_local_storage_map *smap, void *owner,
+                               GFP_ATOMIC | __GFP_NOWARN);
+       if (selem) {
+               if (value)
+-                      memcpy(SDATA(selem)->data, value, smap->map.value_size);
++                      copy_map_value(&smap->map, SDATA(selem)->data, value);
+               return selem;
+       }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch b/queue-5.15/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch
new file mode 100644 (file)
index 0000000..6931e9f
--- /dev/null
+++ b/queue-5.15/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch
@@ -0,0 +1,57 @@
+From b6c78d7db0d319800f48de5f71355b0d04e3dfd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:57:33 +0800
+Subject: bpf, perf: Use subprog name when reporting subprog ksymbol
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 47df8a2f78bc34ff170d147d05b121f84e252b85 ]
+
+Since commit bfea9a8574f3 ("bpf: Add name to struct bpf_ksym"), when
+reporting subprog ksymbol to perf, prog name instead of subprog name is
+used. The backtrace of bpf program with subprogs will be incorrect as
+shown below:
+
+  ffffffffc02deace bpf_prog_e44a3057dcb151f8_overwrite+0x66
+  ffffffffc02de9f7 bpf_prog_e44a3057dcb151f8_overwrite+0x9f
+  ffffffffa71d8d4e trace_call_bpf+0xce
+  ffffffffa71c2938 perf_call_bpf_enter.isra.0+0x48
+
+overwrite is the entry program and it invokes the overwrite_htab subprog
+through bpf_loop, but in above backtrace, overwrite program just jumps
+inside itself.
+
+Fixing it by using subprog name when reporting subprog ksymbol. After
+the fix, the output of perf script will be correct as shown below:
+
+  ffffffffc031aad2 bpf_prog_37c0bec7d7c764a4_overwrite_htab+0x66
+  ffffffffc031a9e7 bpf_prog_c7eb827ef4f23e71_overwrite+0x9f
+  ffffffffa3dd8d4e trace_call_bpf+0xce
+  ffffffffa3dc2938 perf_call_bpf_enter.isra.0+0x48
+
+Fixes: bfea9a8574f3 ("bpf: Add name to struct bpf_ksym")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20221114095733.158588-1-houtao@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 60cb300fa0d0..44f982b73640 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9077,7 +9077,7 @@ static void perf_event_bpf_emit_ksymbols(struct bpf_prog *prog,
+                               PERF_RECORD_KSYMBOL_TYPE_BPF,
+                               (u64)(unsigned long)subprog->bpf_func,
+                               subprog->jited_len, unregister,
+-                              prog->aux->ksym.name);
++                              subprog->aux->ksym.name);
+               }
+       }
+ }
+-- 
+2.35.1
+

diff --git a/queue-5.15/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch b/queue-5.15/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch
new file mode 100644 (file)
index 0000000..4ca368f
--- /dev/null
+++ b/queue-5.15/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch
@@ -0,0 +1,68 @@
+From 08a43df85852e81a083b53fecfc41b066aee5379 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 11:36:28 +0530
+Subject: btrfs: free btrfs_path before copying inodes to userspace
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit 418ffb9e3cf6c4e2574d3a732b724916684bd133 ]
+
+btrfs_ioctl_logical_to_ino() frees the search path after the userspace
+copy from the temp buffer @inodes. Which potentially can lead to a lock
+splat.
+
+Fix this by freeing the path before we copy @inodes to userspace.
+
+CC: stable@vger.kernel.org # 4.19+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 143c2462924b..391a4af9c5e5 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3946,21 +3946,20 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
+               size = min_t(u32, loi->size, SZ_16M);
+       }
+ 
+-      path = btrfs_alloc_path();
+-      if (!path) {
+-              ret = -ENOMEM;
+-              goto out;
+-      }
+-
+       inodes = init_data_container(size);
+       if (IS_ERR(inodes)) {
+               ret = PTR_ERR(inodes);
+-              inodes = NULL;
+-              goto out;
++              goto out_loi;
+       }
+ 
++      path = btrfs_alloc_path();
++      if (!path) {
++              ret = -ENOMEM;
++              goto out;
++      }
+       ret = iterate_inodes_from_logical(loi->logical, fs_info, path,
+                                         inodes, ignore_offset);
++      btrfs_free_path(path);
+       if (ret == -EINVAL)
+               ret = -ENOENT;
+       if (ret < 0)
+@@ -3972,7 +3971,6 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
+               ret = -EFAULT;
+ 
+ out:
+-      btrfs_free_path(path);
+       kvfree(inodes);
+ out_loi:
+       kfree(loi);
+-- 
+2.35.1
+

diff --git a/queue-5.15/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch b/queue-5.15/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch
new file mode 100644 (file)
index 0000000..886f38f
--- /dev/null
+++ b/queue-5.15/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch
@@ -0,0 +1,66 @@
+From 183268770262e1b3a9674e6a87a9564d9f82745e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jan 2022 17:16:18 +0200
+Subject: btrfs: move QUOTA_ENABLED check to rescan_should_stop from
+ btrfs_qgroup_rescan_worker
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+[ Upstream commit db5df254120004471e1c957957ab2f1e612dcbd6 ]
+
+Instead of having 2 places that short circuit the qgroup leaf scan have
+everything in the qgroup_rescan_leaf function. In addition to that, also
+ensure that the inconsistent qgroup flag is set when rescan_should_stop
+returns true. This both retains the old behavior when -EINTR was set in
+the body of the loop and at the same time also extends this behavior
+when scanning is interrupted due to remount or unmount operations.
+
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: f7e942b5bb35 ("btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index e01065696e9c..b9db096c5286 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -3280,7 +3280,8 @@ static int qgroup_rescan_leaf(struct btrfs_trans_handle *trans,
+ static bool rescan_should_stop(struct btrfs_fs_info *fs_info)
+ {
+       return btrfs_fs_closing(fs_info) ||
+-              test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state);
++              test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state) ||
++              !test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags);
+ }
+ 
+ static void btrfs_qgroup_rescan_worker(struct btrfs_work *work)
+@@ -3310,11 +3311,9 @@ static void btrfs_qgroup_rescan_worker(struct btrfs_work *work)
+                       err = PTR_ERR(trans);
+                       break;
+               }
+-              if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) {
+-                      err = -EINTR;
+-              } else {
+-                      err = qgroup_rescan_leaf(trans, path);
+-              }
++
++              err = qgroup_rescan_leaf(trans, path);
++
+               if (err > 0)
+                       btrfs_commit_transaction(trans);
+               else
+@@ -3328,7 +3327,7 @@ static void btrfs_qgroup_rescan_worker(struct btrfs_work *work)
+       if (err > 0 &&
+           fs_info->qgroup_flags & BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT) {
+               fs_info->qgroup_flags &= ~BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+-      } else if (err < 0) {
++      } else if (err < 0 || stopped) {
+               fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+       }
+       mutex_unlock(&fs_info->qgroup_rescan_lock);
+-- 
+2.35.1
+

diff --git a/queue-5.15/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch b/queue-5.15/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
new file mode 100644 (file)
index 0000000..59ac34f
--- /dev/null
+++ b/queue-5.15/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
@@ -0,0 +1,65 @@
+From d51337ab9ca8788206bb5e515dcdee0b9a136674 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 22:23:54 +0800
+Subject: btrfs: qgroup: fix sleep from invalid context bug in
+ btrfs_qgroup_inherit()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ]
+
+Syzkaller reported BUG as follows:
+
+  BUG: sleeping function called from invalid context at
+       include/linux/sched/mm.h:274
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0xcd/0x134
+   __might_resched.cold+0x222/0x26b
+   kmem_cache_alloc+0x2e7/0x3c0
+   update_qgroup_limit_item+0xe1/0x390
+   btrfs_qgroup_inherit+0x147b/0x1ee0
+   create_subvol+0x4eb/0x1710
+   btrfs_mksubvol+0xfe5/0x13f0
+   __btrfs_ioctl_snap_create+0x2b0/0x430
+   btrfs_ioctl_snap_create_v2+0x25a/0x520
+   btrfs_ioctl+0x2a1c/0x5ce0
+   __x64_sys_ioctl+0x193/0x200
+   do_syscall_64+0x35/0x80
+
+Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
+btrfs_run_qgroups() later outside of the spinlock context.
+
+CC: stable@vger.kernel.org # 4.9+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index b9db096c5286..485abe7faeab 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2903,14 +2903,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+               dstgroup->rsv_rfer = inherit->lim.rsv_rfer;
+               dstgroup->rsv_excl = inherit->lim.rsv_excl;
+ 
+-              ret = update_qgroup_limit_item(trans, dstgroup);
+-              if (ret) {
+-                      fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+-                      btrfs_info(fs_info,
+-                                 "unable to update quota limit for %llu",
+-                                 dstgroup->qgroupid);
+-                      goto unlock;
+-              }
++              qgroup_dirty(fs_info, dstgroup);
+       }
+ 
+       if (srcid) {
+-- 
+2.35.1
+

diff --git a/queue-5.15/btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch b/queue-5.15/btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch
new file mode 100644 (file)
index 0000000..02b6f9e
--- /dev/null
+++ b/queue-5.15/btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch
@@ -0,0 +1,124 @@
+From 8284c1d7a37f895cf054157841ecf6c76448b4f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jun 2022 19:32:59 +0200
+Subject: btrfs: sink iterator parameter to btrfs_ioctl_logical_to_ino
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit e3059ec06b9f1a96826cc2bb6ed131aac0942446 ]
+
+There's only one function we pass to iterate_inodes_from_logical as
+iterator, so we can drop the indirection and call it directly, after
+moving the function to backref.c
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: 418ffb9e3cf6 ("btrfs: free btrfs_path before copying inodes to userspace")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/backref.c | 25 ++++++++++++++++++++++---
+ fs/btrfs/backref.h |  3 +--
+ fs/btrfs/ioctl.c   | 22 +---------------------
+ 3 files changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index 60bec5a108fa..1ff527bbe54c 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -2060,10 +2060,29 @@ int iterate_extent_inodes(struct btrfs_fs_info *fs_info,
+       return ret;
+ }
+ 
++static int build_ino_list(u64 inum, u64 offset, u64 root, void *ctx)
++{
++      struct btrfs_data_container *inodes = ctx;
++      const size_t c = 3 * sizeof(u64);
++
++      if (inodes->bytes_left >= c) {
++              inodes->bytes_left -= c;
++              inodes->val[inodes->elem_cnt] = inum;
++              inodes->val[inodes->elem_cnt + 1] = offset;
++              inodes->val[inodes->elem_cnt + 2] = root;
++              inodes->elem_cnt += 3;
++      } else {
++              inodes->bytes_missing += c - inodes->bytes_left;
++              inodes->bytes_left = 0;
++              inodes->elem_missed += 3;
++      }
++
++      return 0;
++}
++
+ int iterate_inodes_from_logical(u64 logical, struct btrfs_fs_info *fs_info,
+                               struct btrfs_path *path,
+-                              iterate_extent_inodes_t *iterate, void *ctx,
+-                              bool ignore_offset)
++                              void *ctx, bool ignore_offset)
+ {
+       int ret;
+       u64 extent_item_pos;
+@@ -2081,7 +2100,7 @@ int iterate_inodes_from_logical(u64 logical, struct btrfs_fs_info *fs_info,
+       extent_item_pos = logical - found_key.objectid;
+       ret = iterate_extent_inodes(fs_info, found_key.objectid,
+                                       extent_item_pos, search_commit_root,
+-                                      iterate, ctx, ignore_offset);
++                                      build_ino_list, ctx, ignore_offset);
+ 
+       return ret;
+ }
+diff --git a/fs/btrfs/backref.h b/fs/btrfs/backref.h
+index ba454032dbe2..2759de7d324c 100644
+--- a/fs/btrfs/backref.h
++++ b/fs/btrfs/backref.h
+@@ -35,8 +35,7 @@ int iterate_extent_inodes(struct btrfs_fs_info *fs_info,
+                               bool ignore_offset);
+ 
+ int iterate_inodes_from_logical(u64 logical, struct btrfs_fs_info *fs_info,
+-                              struct btrfs_path *path,
+-                              iterate_extent_inodes_t *iterate, void *ctx,
++                              struct btrfs_path *path, void *ctx,
+                               bool ignore_offset);
+ 
+ int paths_from_inode(u64 inum, struct inode_fs_paths *ipath);
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index d9ff0697132b..143c2462924b 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3911,26 +3911,6 @@ static long btrfs_ioctl_ino_to_path(struct btrfs_root *root, void __user *arg)
+       return ret;
+ }
+ 
+-static int build_ino_list(u64 inum, u64 offset, u64 root, void *ctx)
+-{
+-      struct btrfs_data_container *inodes = ctx;
+-      const size_t c = 3 * sizeof(u64);
+-
+-      if (inodes->bytes_left >= c) {
+-              inodes->bytes_left -= c;
+-              inodes->val[inodes->elem_cnt] = inum;
+-              inodes->val[inodes->elem_cnt + 1] = offset;
+-              inodes->val[inodes->elem_cnt + 2] = root;
+-              inodes->elem_cnt += 3;
+-      } else {
+-              inodes->bytes_missing += c - inodes->bytes_left;
+-              inodes->bytes_left = 0;
+-              inodes->elem_missed += 3;
+-      }
+-
+-      return 0;
+-}
+-
+ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
+                                       void __user *arg, int version)
+ {
+@@ -3980,7 +3960,7 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
+       }
+ 
+       ret = iterate_inodes_from_logical(loi->logical, fs_info, path,
+-                                        build_ino_list, inodes, ignore_offset);
++                                        inodes, ignore_offset);
+       if (ret == -EINVAL)
+               ret = -ENOENT;
+       if (ret < 0)
+-- 
+2.35.1
+

diff --git a/queue-5.15/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch b/queue-5.15/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
new file mode 100644 (file)
index 0000000..ae1d4dd
--- /dev/null
+++ b/queue-5.15/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
@@ -0,0 +1,59 @@
+From 36b52bbc68fbe29e4785e134ae217340311de792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:09:16 +0800
+Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ]
+
+Add the missing free_cc770dev() before return from cc770_isa_probe()
+in the register_cc770dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/cc770/cc770_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c
+index 194c86e0f340..8f6dccd5a587 100644
+--- a/drivers/net/can/cc770/cc770_isa.c
++++ b/drivers/net/can/cc770/cc770_isa.c
+@@ -264,22 +264,24 @@ static int cc770_isa_probe(struct platform_device *pdev)
+       if (err) {
+               dev_err(&pdev->dev,
+                       "couldn't register device (err=%d)\n", err);
+-              goto exit_unmap;
++              goto exit_free;
+       }
+ 
+       dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n",
+                priv->reg_base, dev->irq);
+       return 0;
+ 
+- exit_unmap:
++exit_free:
++      free_cc770dev(dev);
++exit_unmap:
+       if (mem[idx])
+               iounmap(base);
+- exit_release:
++exit_release:
+       if (mem[idx])
+               release_mem_region(mem[idx], iosize);
+       else
+               release_region(port[idx], iosize);
+- exit:
++exit:
+       return err;
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch b/queue-5.15/can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch
new file mode 100644 (file)
index 0000000..ece2654
--- /dev/null
+++ b/queue-5.15/can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch
@@ -0,0 +1,46 @@
+From 1315883896aa6c9693ed3763a5dba44c95b92a6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 16:14:44 +0800
+Subject: can: etas_es58x: es58x_init_netdev(): free netdev when
+ register_candev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 709cb2f9ed2006eb1dc4b36b99d601cd24889ec4 ]
+
+In case of register_candev() fails, clear
+es58x_dev->netdev[channel_idx] and add free_candev(). Otherwise
+es58x_free_netdevs() will unregister the netdev that has never been
+registered.
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Arunachalam Santhanam <Arunachalam.Santhanam@in.bosch.com>
+Acked-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/all/1668413685-23354-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index cd4e7f356e48..0e6faf962ebb 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -2098,8 +2098,11 @@ static int es58x_init_netdev(struct es58x_device *es58x_dev, int channel_idx)
+       netdev->flags |= IFF_ECHO;      /* We support local echo */
+ 
+       ret = register_candev(netdev);
+-      if (ret)
++      if (ret) {
++              es58x_dev->netdev[channel_idx] = NULL;
++              free_candev(netdev);
+               return ret;
++      }
+ 
+       netdev_queue_set_dql_min_limit(netdev_get_tx_queue(netdev, 0),
+                                      es58x_dev->param->dql_min_limit);
+-- 
+2.35.1
+

diff --git a/queue-5.15/can-m_can-add-check-for-devm_clk_get.patch b/queue-5.15/can-m_can-add-check-for-devm_clk_get.patch
new file mode 100644 (file)
index 0000000..3d5d7c1
--- /dev/null
+++ b/queue-5.15/can-m_can-add-check-for-devm_clk_get.patch
@@ -0,0 +1,38 @@
+From 69b63608241bf7dda9251335c500f07efceeb234 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 14:36:51 +0800
+Subject: can: m_can: Add check for devm_clk_get
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 68b4f9e0bdd0f920d7303d07bfe226cd0976961d ]
+
+Since the devm_clk_get may return error,
+it should be better to add check for the cdev->hclk,
+as same as cdev->cclk.
+
+Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/all/20221123063651.26199-1-jiasheng@iscas.ac.cn
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index c4596fbe6d2f..46ab6155795c 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1931,7 +1931,7 @@ int m_can_class_get_clocks(struct m_can_classdev *cdev)
+       cdev->hclk = devm_clk_get(cdev->dev, "hclk");
+       cdev->cclk = devm_clk_get(cdev->dev, "cclk");
+ 
+-      if (IS_ERR(cdev->cclk)) {
++      if (IS_ERR(cdev->hclk) || IS_ERR(cdev->cclk)) {
+               dev_err(cdev->dev, "no clock found\n");
+               ret = -ENODEV;
+       }
+-- 
+2.35.1
+

diff --git a/queue-5.15/can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch b/queue-5.15/can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch
new file mode 100644 (file)
index 0000000..1870a04
--- /dev/null
+++ b/queue-5.15/can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch
@@ -0,0 +1,69 @@
+From 4e047a0c44ecc8ca5472bf4b708a4f1f2e63754c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:11:23 +0800
+Subject: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove
+ methods
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 1eca1d4cc21b6d0fc5f9a390339804c0afce9439 ]
+
+In m_can_pci_remove() and error handling path of m_can_pci_probe(),
+m_can_class_free_dev() should be called to free resource allocated by
+m_can_class_allocate_dev(), otherwise there will be memleak.
+
+Fixes: cab7ffc0324f ("can: m_can: add PCI glue driver for Intel Elkhart Lake")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Link: https://lore.kernel.org/all/1668168684-6390-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can_pci.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/m_can/m_can_pci.c b/drivers/net/can/m_can/m_can_pci.c
+index 8f184a852a0a..f2219aa2824b 100644
+--- a/drivers/net/can/m_can/m_can_pci.c
++++ b/drivers/net/can/m_can/m_can_pci.c
+@@ -120,7 +120,7 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ 
+       ret = pci_alloc_irq_vectors(pci, 1, 1, PCI_IRQ_ALL_TYPES);
+       if (ret < 0)
+-              return ret;
++              goto err_free_dev;
+ 
+       mcan_class->dev = &pci->dev;
+       mcan_class->net->irq = pci_irq_vector(pci, 0);
+@@ -132,7 +132,7 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ 
+       ret = m_can_class_register(mcan_class);
+       if (ret)
+-              goto err;
++              goto err_free_irq;
+ 
+       /* Enable interrupt control at CAN wrapper IP */
+       writel(0x1, base + CTL_CSR_INT_CTL_OFFSET);
+@@ -144,8 +144,10 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ 
+       return 0;
+ 
+-err:
++err_free_irq:
+       pci_free_irq_vectors(pci);
++err_free_dev:
++      m_can_class_free_dev(mcan_class->net);
+       return ret;
+ }
+ 
+@@ -161,6 +163,7 @@ static void m_can_pci_remove(struct pci_dev *pci)
+       writel(0x0, priv->base + CTL_CSR_INT_CTL_OFFSET);
+ 
+       m_can_class_unregister(mcan_class);
++      m_can_class_free_dev(mcan_class->net);
+       pci_free_irq_vectors(pci);
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch b/queue-5.15/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
new file mode 100644 (file)
index 0000000..914eaf2
--- /dev/null
+++ b/queue-5.15/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
@@ -0,0 +1,59 @@
+From 72708ff09d0b1790fce80cf5e489df36179a4692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:08:41 +0800
+Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ]
+
+Add the missing free_sja1000dev() before return from
+sja1000_isa_probe() in the register_sja1000dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c
+index d513fac50718..db3e767d5320 100644
+--- a/drivers/net/can/sja1000/sja1000_isa.c
++++ b/drivers/net/can/sja1000/sja1000_isa.c
+@@ -202,22 +202,24 @@ static int sja1000_isa_probe(struct platform_device *pdev)
+       if (err) {
+               dev_err(&pdev->dev, "registering %s failed (err=%d)\n",
+                       DRV_NAME, err);
+-              goto exit_unmap;
++              goto exit_free;
+       }
+ 
+       dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n",
+                DRV_NAME, priv->reg_base, dev->irq);
+       return 0;
+ 
+- exit_unmap:
++exit_free:
++      free_sja1000dev(dev);
++exit_unmap:
+       if (mem[idx])
+               iounmap(base);
+- exit_release:
++exit_release:
+       if (mem[idx])
+               release_mem_region(mem[idx], iosize);
+       else
+               release_region(port[idx], iosize);
+- exit:
++exit:
+       return err;
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch b/queue-5.15/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch
new file mode 100644 (file)
index 0000000..1cb9c98
--- /dev/null
+++ b/queue-5.15/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch
@@ -0,0 +1,42 @@
+From 4b80605561d005686735914d14eb05ad6c451cb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 12:34:14 -0500
+Subject: drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info
+ correctly when the edid is read"
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 602ad43c3cd8f15cbb25ce9bb494129edb2024ed ]
+
+This partially reverts 20543be93ca45968f344261c1a997177e51bd7e1.
+
+Calling drm_connector_update_edid_property() in
+amdgpu_connector_free_edid() causes a noticeable pause in
+the system every 10 seconds on polled outputs so revert this
+part of the change.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2257
+Cc: Claudio Suarez <cssk@net-c.es>
+Acked-by: Luben Tuikov <luben.tuikov@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+index 34f217544c36..c777aff164b7 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -328,7 +328,6 @@ static void amdgpu_connector_free_edid(struct drm_connector *connector)
+ 
+       kfree(amdgpu_connector->edid);
+       amdgpu_connector->edid = NULL;
+-      drm_connector_update_edid_property(connector, NULL);
+ }
+ 
+ static int amdgpu_connector_ddc_get_modes(struct drm_connector *connector)
+-- 
+2.35.1
+

diff --git a/queue-5.15/drm-amdgpu-update-drm_display_info-correctly-when-th.patch b/queue-5.15/drm-amdgpu-update-drm_display_info-correctly-when-th.patch
new file mode 100644 (file)
index 0000000..56c1a56
--- /dev/null
+++ b/queue-5.15/drm-amdgpu-update-drm_display_info-correctly-when-th.patch
@@ -0,0 +1,71 @@
+From d7bebddc16594ab7733aaaf48688a1cd59967e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Oct 2021 13:34:58 +0200
+Subject: drm/amdgpu: update drm_display_info correctly when the edid is read
+
+From: Claudio Suarez <cssk@net-c.es>
+
+[ Upstream commit 20543be93ca45968f344261c1a997177e51bd7e1 ]
+
+drm_display_info is updated by drm_get_edid() or
+drm_connector_update_edid_property(). In the amdgpu driver it is almost
+always updated when the edid is read in amdgpu_connector_get_edid(),
+but not always.  Change amdgpu_connector_get_edid() and
+amdgpu_connector_free_edid() to keep drm_display_info updated.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Claudio Suarez <cssk@net-c.es>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 602ad43c3cd8 ("drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c    | 5 ++++-
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+index 4b1d62ebf8dd..34f217544c36 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -315,8 +315,10 @@ static void amdgpu_connector_get_edid(struct drm_connector *connector)
+       if (!amdgpu_connector->edid) {
+               /* some laptops provide a hardcoded edid in rom for LCDs */
+               if (((connector->connector_type == DRM_MODE_CONNECTOR_LVDS) ||
+-                   (connector->connector_type == DRM_MODE_CONNECTOR_eDP)))
++                   (connector->connector_type == DRM_MODE_CONNECTOR_eDP))) {
+                       amdgpu_connector->edid = amdgpu_connector_get_hardcoded_edid(adev);
++                      drm_connector_update_edid_property(connector, amdgpu_connector->edid);
++              }
+       }
+ }
+ 
+@@ -326,6 +328,7 @@ static void amdgpu_connector_free_edid(struct drm_connector *connector)
+ 
+       kfree(amdgpu_connector->edid);
+       amdgpu_connector->edid = NULL;
++      drm_connector_update_edid_property(connector, NULL);
+ }
+ 
+ static int amdgpu_connector_ddc_get_modes(struct drm_connector *connector)
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 72e9b9b80c22..0ebabcc8827b 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -2997,13 +2997,12 @@ void amdgpu_dm_update_connector_after_detect(
+                       aconnector->edid =
+                               (struct edid *)sink->dc_edid.raw_edid;
+ 
+-                      drm_connector_update_edid_property(connector,
+-                                                         aconnector->edid);
+                       if (aconnector->dc_link->aux_mode)
+                               drm_dp_cec_set_edid(&aconnector->dm_dp_aux.aux,
+                                                   aconnector->edid);
+               }
+ 
++              drm_connector_update_edid_property(connector, aconnector->edid);
+               amdgpu_dm_update_freesync_caps(connector, aconnector->edid);
+               update_connector_ext_caps(aconnector);
+       } else {
+-- 
+2.35.1
+

diff --git a/queue-5.15/drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch b/queue-5.15/drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch
new file mode 100644 (file)
index 0000000..6a249d7
--- /dev/null
+++ b/queue-5.15/drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch
@@ -0,0 +1,42 @@
+From 220c18216c46299cdf6272efbb2ef1e9537f5e54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:17:53 -0500
+Subject: drm/display/dp_mst: Fix drm_dp_mst_add_affected_dsc_crtcs() return
+ code
+
+From: Lyude Paul <lyude@redhat.com>
+
+[ Upstream commit 2f3a1273862cb82cca227630cc7f04ce0c94b6bb ]
+
+Looks like that we're accidentally dropping a pretty important return code
+here. For some reason, we just return -EINVAL if we fail to get the MST
+topology state. This is wrong: error codes are important and should never
+be squashed without being handled, which here seems to have the potential
+to cause a deadlock.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Wayne Lin <Wayne.Lin@amd.com>
+Fixes: 8ec046716ca8 ("drm/dp_mst: Add helper to trigger modeset on affected DSC MST CRTCs")
+Cc: <stable@vger.kernel.org> # v5.6+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index 9bf9430209b0..0d915fe8b6e4 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -5285,7 +5285,7 @@ int drm_dp_mst_add_affected_dsc_crtcs(struct drm_atomic_state *state, struct drm
+       mst_state = drm_atomic_get_mst_topology_state(state, mgr);
+ 
+       if (IS_ERR(mst_state))
+-              return -EINVAL;
++              return PTR_ERR(mst_state);
+ 
+       list_for_each_entry(pos, &mst_state->vcpis, next) {
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/drm-i915-create-a-dummy-object-for-gen6-ppgtt.patch b/queue-5.15/drm-i915-create-a-dummy-object-for-gen6-ppgtt.patch
new file mode 100644 (file)
index 0000000..385115a
--- /dev/null
+++ b/queue-5.15/drm-i915-create-a-dummy-object-for-gen6-ppgtt.patch
@@ -0,0 +1,323 @@
+From c8ffcd58119d380f5f7b201860dfc98a96183b97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 14:20:20 +0000
+Subject: drm/i915: Create a dummy object for gen6 ppgtt
+
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+
+[ Upstream commit b0b0f2d225da6fe58417fae37e3f797e2db27b62 ]
+
+We currently have to special case vma->obj being NULL because
+of gen6 ppgtt and mock_engine. Fix gen6 ppgtt, so we may soon
+be able to remove a few checks. As the object only exists as
+a fake object pointing to ggtt, we have no backing storage,
+so no real object is created. It just has to look real enough.
+
+Also kill pin_mutex, it's not compatible with ww locking,
+and we can use the vm lock instead.
+
+v2:
+  - Drop IS_SHRINKABLE and shorten overly long line
+v3:
+  - Checkpatch fix for alignment
+
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211117142024.1043017-2-matthew.auld@intel.com
+Stable-dep-of: 20e377e7b2e7 ("drm/i915/gt: Use i915_vm_put on ppgtt_create error paths")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_internal.c |  44 ++++---
+ drivers/gpu/drm/i915/gt/gen6_ppgtt.c         | 123 +++++++++++--------
+ drivers/gpu/drm/i915/gt/gen6_ppgtt.h         |   1 -
+ drivers/gpu/drm/i915/i915_drv.h              |   4 +
+ 4 files changed, 100 insertions(+), 72 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_internal.c b/drivers/gpu/drm/i915/gem/i915_gem_internal.c
+index e5ae9c06510c..3c8de65bfb39 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_internal.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_internal.c
+@@ -143,24 +143,10 @@ static const struct drm_i915_gem_object_ops i915_gem_object_internal_ops = {
+       .put_pages = i915_gem_object_put_pages_internal,
+ };
+ 
+-/**
+- * i915_gem_object_create_internal: create an object with volatile pages
+- * @i915: the i915 device
+- * @size: the size in bytes of backing storage to allocate for the object
+- *
+- * Creates a new object that wraps some internal memory for private use.
+- * This object is not backed by swappable storage, and as such its contents
+- * are volatile and only valid whilst pinned. If the object is reaped by the
+- * shrinker, its pages and data will be discarded. Equally, it is not a full
+- * GEM object and so not valid for access from userspace. This makes it useful
+- * for hardware interfaces like ringbuffers (which are pinned from the time
+- * the request is written to the time the hardware stops accessing it), but
+- * not for contexts (which need to be preserved when not active for later
+- * reuse). Note that it is not cleared upon allocation.
+- */
+ struct drm_i915_gem_object *
+-i915_gem_object_create_internal(struct drm_i915_private *i915,
+-                              phys_addr_t size)
++__i915_gem_object_create_internal(struct drm_i915_private *i915,
++                                const struct drm_i915_gem_object_ops *ops,
++                                phys_addr_t size)
+ {
+       static struct lock_class_key lock_class;
+       struct drm_i915_gem_object *obj;
+@@ -177,7 +163,7 @@ i915_gem_object_create_internal(struct drm_i915_private *i915,
+               return ERR_PTR(-ENOMEM);
+ 
+       drm_gem_private_object_init(&i915->drm, &obj->base, size);
+-      i915_gem_object_init(obj, &i915_gem_object_internal_ops, &lock_class, 0);
++      i915_gem_object_init(obj, ops, &lock_class, 0);
+       obj->mem_flags |= I915_BO_FLAG_STRUCT_PAGE;
+ 
+       /*
+@@ -197,3 +183,25 @@ i915_gem_object_create_internal(struct drm_i915_private *i915,
+ 
+       return obj;
+ }
++
++/**
++ * i915_gem_object_create_internal: create an object with volatile pages
++ * @i915: the i915 device
++ * @size: the size in bytes of backing storage to allocate for the object
++ *
++ * Creates a new object that wraps some internal memory for private use.
++ * This object is not backed by swappable storage, and as such its contents
++ * are volatile and only valid whilst pinned. If the object is reaped by the
++ * shrinker, its pages and data will be discarded. Equally, it is not a full
++ * GEM object and so not valid for access from userspace. This makes it useful
++ * for hardware interfaces like ringbuffers (which are pinned from the time
++ * the request is written to the time the hardware stops accessing it), but
++ * not for contexts (which need to be preserved when not active for later
++ * reuse). Note that it is not cleared upon allocation.
++ */
++struct drm_i915_gem_object *
++i915_gem_object_create_internal(struct drm_i915_private *i915,
++                              phys_addr_t size)
++{
++      return __i915_gem_object_create_internal(i915, &i915_gem_object_internal_ops, size);
++}
+diff --git a/drivers/gpu/drm/i915/gt/gen6_ppgtt.c b/drivers/gpu/drm/i915/gt/gen6_ppgtt.c
+index 1aee5e6b1b23..557ef25be057 100644
+--- a/drivers/gpu/drm/i915/gt/gen6_ppgtt.c
++++ b/drivers/gpu/drm/i915/gt/gen6_ppgtt.c
+@@ -262,13 +262,10 @@ static void gen6_ppgtt_cleanup(struct i915_address_space *vm)
+ {
+       struct gen6_ppgtt *ppgtt = to_gen6_ppgtt(i915_vm_to_ppgtt(vm));
+ 
+-      __i915_vma_put(ppgtt->vma);
+-
+       gen6_ppgtt_free_pd(ppgtt);
+       free_scratch(vm);
+ 
+       mutex_destroy(&ppgtt->flush);
+-      mutex_destroy(&ppgtt->pin_mutex);
+ 
+       free_pd(&ppgtt->base.vm, ppgtt->base.pd);
+ }
+@@ -331,37 +328,6 @@ static const struct i915_vma_ops pd_vma_ops = {
+       .unbind_vma = pd_vma_unbind,
+ };
+ 
+-static struct i915_vma *pd_vma_create(struct gen6_ppgtt *ppgtt, int size)
+-{
+-      struct i915_ggtt *ggtt = ppgtt->base.vm.gt->ggtt;
+-      struct i915_vma *vma;
+-
+-      GEM_BUG_ON(!IS_ALIGNED(size, I915_GTT_PAGE_SIZE));
+-      GEM_BUG_ON(size > ggtt->vm.total);
+-
+-      vma = i915_vma_alloc();
+-      if (!vma)
+-              return ERR_PTR(-ENOMEM);
+-
+-      i915_active_init(&vma->active, NULL, NULL, 0);
+-
+-      kref_init(&vma->ref);
+-      mutex_init(&vma->pages_mutex);
+-      vma->vm = i915_vm_get(&ggtt->vm);
+-      vma->ops = &pd_vma_ops;
+-      vma->private = ppgtt;
+-
+-      vma->size = size;
+-      vma->fence_size = size;
+-      atomic_set(&vma->flags, I915_VMA_GGTT);
+-      vma->ggtt_view.type = I915_GGTT_VIEW_ROTATED; /* prevent fencing */
+-
+-      INIT_LIST_HEAD(&vma->obj_link);
+-      INIT_LIST_HEAD(&vma->closed_link);
+-
+-      return vma;
+-}
+-
+ int gen6_ppgtt_pin(struct i915_ppgtt *base, struct i915_gem_ww_ctx *ww)
+ {
+       struct gen6_ppgtt *ppgtt = to_gen6_ppgtt(base);
+@@ -378,24 +344,85 @@ int gen6_ppgtt_pin(struct i915_ppgtt *base, struct i915_gem_ww_ctx *ww)
+       if (atomic_add_unless(&ppgtt->pin_count, 1, 0))
+               return 0;
+ 
+-      if (mutex_lock_interruptible(&ppgtt->pin_mutex))
+-              return -EINTR;
++      /* grab the ppgtt resv to pin the object */
++      err = i915_vm_lock_objects(&ppgtt->base.vm, ww);
++      if (err)
++              return err;
+ 
+       /*
+        * PPGTT PDEs reside in the GGTT and consists of 512 entries. The
+        * allocator works in address space sizes, so it's multiplied by page
+        * size. We allocate at the top of the GTT to avoid fragmentation.
+        */
+-      err = 0;
+-      if (!atomic_read(&ppgtt->pin_count))
++      if (!atomic_read(&ppgtt->pin_count)) {
+               err = i915_ggtt_pin(ppgtt->vma, ww, GEN6_PD_ALIGN, PIN_HIGH);
++
++              GEM_BUG_ON(ppgtt->vma->fence);
++              clear_bit(I915_VMA_CAN_FENCE_BIT, __i915_vma_flags(ppgtt->vma));
++      }
+       if (!err)
+               atomic_inc(&ppgtt->pin_count);
+-      mutex_unlock(&ppgtt->pin_mutex);
+ 
+       return err;
+ }
+ 
++static int pd_dummy_obj_get_pages(struct drm_i915_gem_object *obj)
++{
++      obj->mm.pages = ZERO_SIZE_PTR;
++      return 0;
++}
++
++static void pd_dummy_obj_put_pages(struct drm_i915_gem_object *obj,
++                                 struct sg_table *pages)
++{
++}
++
++static const struct drm_i915_gem_object_ops pd_dummy_obj_ops = {
++      .name = "pd_dummy_obj",
++      .get_pages = pd_dummy_obj_get_pages,
++      .put_pages = pd_dummy_obj_put_pages,
++};
++
++static struct i915_page_directory *
++gen6_alloc_top_pd(struct gen6_ppgtt *ppgtt)
++{
++      struct i915_ggtt * const ggtt = ppgtt->base.vm.gt->ggtt;
++      struct i915_page_directory *pd;
++      int err;
++
++      pd = __alloc_pd(I915_PDES);
++      if (unlikely(!pd))
++              return ERR_PTR(-ENOMEM);
++
++      pd->pt.base = __i915_gem_object_create_internal(ppgtt->base.vm.gt->i915,
++                                                      &pd_dummy_obj_ops,
++                                                      I915_PDES * SZ_4K);
++      if (IS_ERR(pd->pt.base)) {
++              err = PTR_ERR(pd->pt.base);
++              pd->pt.base = NULL;
++              goto err_pd;
++      }
++
++      pd->pt.base->base.resv = i915_vm_resv_get(&ppgtt->base.vm);
++      pd->pt.base->shares_resv_from = &ppgtt->base.vm;
++
++      ppgtt->vma = i915_vma_instance(pd->pt.base, &ggtt->vm, NULL);
++      if (IS_ERR(ppgtt->vma)) {
++              err = PTR_ERR(ppgtt->vma);
++              ppgtt->vma = NULL;
++              goto err_pd;
++      }
++
++      /* The dummy object we create is special, override ops.. */
++      ppgtt->vma->ops = &pd_vma_ops;
++      ppgtt->vma->private = ppgtt;
++      return pd;
++
++err_pd:
++      free_pd(&ppgtt->base.vm, pd);
++      return ERR_PTR(err);
++}
++
+ void gen6_ppgtt_unpin(struct i915_ppgtt *base)
+ {
+       struct gen6_ppgtt *ppgtt = to_gen6_ppgtt(base);
+@@ -427,7 +454,6 @@ struct i915_ppgtt *gen6_ppgtt_create(struct intel_gt *gt)
+               return ERR_PTR(-ENOMEM);
+ 
+       mutex_init(&ppgtt->flush);
+-      mutex_init(&ppgtt->pin_mutex);
+ 
+       ppgtt_init(&ppgtt->base, gt);
+       ppgtt->base.vm.pd_shift = ilog2(SZ_4K * SZ_4K / sizeof(gen6_pte_t));
+@@ -442,19 +468,13 @@ struct i915_ppgtt *gen6_ppgtt_create(struct intel_gt *gt)
+       ppgtt->base.vm.alloc_pt_dma = alloc_pt_dma;
+       ppgtt->base.vm.pte_encode = ggtt->vm.pte_encode;
+ 
+-      ppgtt->base.pd = __alloc_pd(I915_PDES);
+-      if (!ppgtt->base.pd) {
+-              err = -ENOMEM;
+-              goto err_free;
+-      }
+-
+       err = gen6_ppgtt_init_scratch(ppgtt);
+       if (err)
+-              goto err_pd;
++              goto err_free;
+ 
+-      ppgtt->vma = pd_vma_create(ppgtt, GEN6_PD_SIZE);
+-      if (IS_ERR(ppgtt->vma)) {
+-              err = PTR_ERR(ppgtt->vma);
++      ppgtt->base.pd = gen6_alloc_top_pd(ppgtt);
++      if (IS_ERR(ppgtt->base.pd)) {
++              err = PTR_ERR(ppgtt->base.pd);
+               goto err_scratch;
+       }
+ 
+@@ -462,10 +482,7 @@ struct i915_ppgtt *gen6_ppgtt_create(struct intel_gt *gt)
+ 
+ err_scratch:
+       free_scratch(&ppgtt->base.vm);
+-err_pd:
+-      free_pd(&ppgtt->base.vm, ppgtt->base.pd);
+ err_free:
+-      mutex_destroy(&ppgtt->pin_mutex);
+       kfree(ppgtt);
+       return ERR_PTR(err);
+ }
+diff --git a/drivers/gpu/drm/i915/gt/gen6_ppgtt.h b/drivers/gpu/drm/i915/gt/gen6_ppgtt.h
+index 6a61a5c3a85a..9b498ca76ac6 100644
+--- a/drivers/gpu/drm/i915/gt/gen6_ppgtt.h
++++ b/drivers/gpu/drm/i915/gt/gen6_ppgtt.h
+@@ -19,7 +19,6 @@ struct gen6_ppgtt {
+       u32 pp_dir;
+ 
+       atomic_t pin_count;
+-      struct mutex pin_mutex;
+ 
+       bool scan_for_unused_pt;
+ };
+diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
+index 005b1cec7007..236cfee1cbf0 100644
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -1905,6 +1905,10 @@ int i915_gem_evict_vm(struct i915_address_space *vm);
+ struct drm_i915_gem_object *
+ i915_gem_object_create_internal(struct drm_i915_private *dev_priv,
+                               phys_addr_t size);
++struct drm_i915_gem_object *
++__i915_gem_object_create_internal(struct drm_i915_private *dev_priv,
++                                const struct drm_i915_gem_object_ops *ops,
++                                phys_addr_t size);
+ 
+ /* i915_gem_tiling.c */
+ static inline bool i915_gem_object_needs_bit17_swizzle(struct drm_i915_gem_object *obj)
+-- 
+2.35.1
+

diff --git a/queue-5.15/drm-i915-gt-use-i915_vm_put-on-ppgtt_create-error-pa.patch b/queue-5.15/drm-i915-gt-use-i915_vm_put-on-ppgtt_create-error-pa.patch
new file mode 100644 (file)
index 0000000..65e23d6
--- /dev/null
+++ b/queue-5.15/drm-i915-gt-use-i915_vm_put-on-ppgtt_create-error-pa.patch
@@ -0,0 +1,215 @@
+From 7fcce2abc9a65fb4277b80a6251bad2e9535fe17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 16:33:33 +0100
+Subject: drm/i915/gt: Use i915_vm_put on ppgtt_create error paths
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson <chris.p.wilson@intel.com>
+
+[ Upstream commit 20e377e7b2e7c327039f10db80ba5bcc1f6c882d ]
+
+Now that the scratch page and page directories have a reference back to
+the i915_address_space, we cannot do an immediate free of the ppgtt upon
+error as those buffer objects will perform a later i915_vm_put in their
+deferred frees.
+
+The downside is that by replacing the onion unwind along the error
+paths, the ppgtt cleanup must handle a partially constructed vm. This
+includes ensuring that the vm->cleanup is set prior to the error path.
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6900
+Signed-off-by: Chris Wilson <chris.p.wilson@intel.com>
+Fixes: 4d8151ae5329 ("drm/i915: Don't free shared locks while shared")
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: <stable@vger.kernel.org> # v5.14+
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220926153333.102195-1-matthew.auld@intel.com
+(cherry picked from commit c286558f58535cf97b717b946d6c96d774a09d17)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/gen6_ppgtt.c | 16 ++++----
+ drivers/gpu/drm/i915/gt/gen8_ppgtt.c | 56 ++++++++++++++--------------
+ drivers/gpu/drm/i915/gt/intel_gtt.c  |  3 ++
+ 3 files changed, 40 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/gen6_ppgtt.c b/drivers/gpu/drm/i915/gt/gen6_ppgtt.c
+index 557ef25be057..b257666a26fc 100644
+--- a/drivers/gpu/drm/i915/gt/gen6_ppgtt.c
++++ b/drivers/gpu/drm/i915/gt/gen6_ppgtt.c
+@@ -244,6 +244,7 @@ static int gen6_ppgtt_init_scratch(struct gen6_ppgtt *ppgtt)
+       i915_gem_object_put(vm->scratch[1]);
+ err_scratch0:
+       i915_gem_object_put(vm->scratch[0]);
++      vm->scratch[0] = NULL;
+       return ret;
+ }
+ 
+@@ -265,9 +266,10 @@ static void gen6_ppgtt_cleanup(struct i915_address_space *vm)
+       gen6_ppgtt_free_pd(ppgtt);
+       free_scratch(vm);
+ 
+-      mutex_destroy(&ppgtt->flush);
++      if (ppgtt->base.pd)
++              free_pd(&ppgtt->base.vm, ppgtt->base.pd);
+ 
+-      free_pd(&ppgtt->base.vm, ppgtt->base.pd);
++      mutex_destroy(&ppgtt->flush);
+ }
+ 
+ static int pd_vma_set_pages(struct i915_vma *vma)
+@@ -470,19 +472,17 @@ struct i915_ppgtt *gen6_ppgtt_create(struct intel_gt *gt)
+ 
+       err = gen6_ppgtt_init_scratch(ppgtt);
+       if (err)
+-              goto err_free;
++              goto err_put;
+ 
+       ppgtt->base.pd = gen6_alloc_top_pd(ppgtt);
+       if (IS_ERR(ppgtt->base.pd)) {
+               err = PTR_ERR(ppgtt->base.pd);
+-              goto err_scratch;
++              goto err_put;
+       }
+ 
+       return &ppgtt->base;
+ 
+-err_scratch:
+-      free_scratch(&ppgtt->base.vm);
+-err_free:
+-      kfree(ppgtt);
++err_put:
++      i915_vm_put(&ppgtt->base.vm);
+       return ERR_PTR(err);
+ }
+diff --git a/drivers/gpu/drm/i915/gt/gen8_ppgtt.c b/drivers/gpu/drm/i915/gt/gen8_ppgtt.c
+index 6e0e52eeb87a..0cf604c5a6c2 100644
+--- a/drivers/gpu/drm/i915/gt/gen8_ppgtt.c
++++ b/drivers/gpu/drm/i915/gt/gen8_ppgtt.c
+@@ -196,7 +196,10 @@ static void gen8_ppgtt_cleanup(struct i915_address_space *vm)
+       if (intel_vgpu_active(vm->i915))
+               gen8_ppgtt_notify_vgt(ppgtt, false);
+ 
+-      __gen8_ppgtt_cleanup(vm, ppgtt->pd, gen8_pd_top_count(vm), vm->top);
++      if (ppgtt->pd)
++              __gen8_ppgtt_cleanup(vm, ppgtt->pd,
++                                   gen8_pd_top_count(vm), vm->top);
++
+       free_scratch(vm);
+ }
+ 
+@@ -656,8 +659,10 @@ static int gen8_init_scratch(struct i915_address_space *vm)
+               struct drm_i915_gem_object *obj;
+ 
+               obj = vm->alloc_pt_dma(vm, I915_GTT_PAGE_SIZE_4K);
+-              if (IS_ERR(obj))
++              if (IS_ERR(obj)) {
++                      ret = PTR_ERR(obj);
+                       goto free_scratch;
++              }
+ 
+               ret = map_pt_dma(vm, obj);
+               if (ret) {
+@@ -676,7 +681,8 @@ static int gen8_init_scratch(struct i915_address_space *vm)
+ free_scratch:
+       while (i--)
+               i915_gem_object_put(vm->scratch[i]);
+-      return -ENOMEM;
++      vm->scratch[0] = NULL;
++      return ret;
+ }
+ 
+ static int gen8_preallocate_top_level_pdp(struct i915_ppgtt *ppgtt)
+@@ -753,6 +759,7 @@ gen8_alloc_top_pd(struct i915_address_space *vm)
+  */
+ struct i915_ppgtt *gen8_ppgtt_create(struct intel_gt *gt)
+ {
++      struct i915_page_directory *pd;
+       struct i915_ppgtt *ppgtt;
+       int err;
+ 
+@@ -779,44 +786,39 @@ struct i915_ppgtt *gen8_ppgtt_create(struct intel_gt *gt)
+       else
+               ppgtt->vm.alloc_pt_dma = alloc_pt_dma;
+ 
++      ppgtt->vm.pte_encode = gen8_pte_encode;
++
++      ppgtt->vm.bind_async_flags = I915_VMA_LOCAL_BIND;
++      ppgtt->vm.insert_entries = gen8_ppgtt_insert;
++      ppgtt->vm.insert_page = gen8_ppgtt_insert_entry;
++      ppgtt->vm.allocate_va_range = gen8_ppgtt_alloc;
++      ppgtt->vm.clear_range = gen8_ppgtt_clear;
++      ppgtt->vm.foreach = gen8_ppgtt_foreach;
++      ppgtt->vm.cleanup = gen8_ppgtt_cleanup;
++
+       err = gen8_init_scratch(&ppgtt->vm);
+       if (err)
+-              goto err_free;
++              goto err_put;
+ 
+-      ppgtt->pd = gen8_alloc_top_pd(&ppgtt->vm);
+-      if (IS_ERR(ppgtt->pd)) {
+-              err = PTR_ERR(ppgtt->pd);
+-              goto err_free_scratch;
++      pd = gen8_alloc_top_pd(&ppgtt->vm);
++      if (IS_ERR(pd)) {
++              err = PTR_ERR(pd);
++              goto err_put;
+       }
++      ppgtt->pd = pd;
+ 
+       if (!i915_vm_is_4lvl(&ppgtt->vm)) {
+               err = gen8_preallocate_top_level_pdp(ppgtt);
+               if (err)
+-                      goto err_free_pd;
++                      goto err_put;
+       }
+ 
+-      ppgtt->vm.bind_async_flags = I915_VMA_LOCAL_BIND;
+-      ppgtt->vm.insert_entries = gen8_ppgtt_insert;
+-      ppgtt->vm.insert_page = gen8_ppgtt_insert_entry;
+-      ppgtt->vm.allocate_va_range = gen8_ppgtt_alloc;
+-      ppgtt->vm.clear_range = gen8_ppgtt_clear;
+-      ppgtt->vm.foreach = gen8_ppgtt_foreach;
+-
+-      ppgtt->vm.pte_encode = gen8_pte_encode;
+-
+       if (intel_vgpu_active(gt->i915))
+               gen8_ppgtt_notify_vgt(ppgtt, true);
+ 
+-      ppgtt->vm.cleanup = gen8_ppgtt_cleanup;
+-
+       return ppgtt;
+ 
+-err_free_pd:
+-      __gen8_ppgtt_cleanup(&ppgtt->vm, ppgtt->pd,
+-                           gen8_pd_top_count(&ppgtt->vm), ppgtt->vm.top);
+-err_free_scratch:
+-      free_scratch(&ppgtt->vm);
+-err_free:
+-      kfree(ppgtt);
++err_put:
++      i915_vm_put(&ppgtt->vm);
+       return ERR_PTR(err);
+ }
+diff --git a/drivers/gpu/drm/i915/gt/intel_gtt.c b/drivers/gpu/drm/i915/gt/intel_gtt.c
+index e137dd32b5b8..2d3a979736cc 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gtt.c
++++ b/drivers/gpu/drm/i915/gt/intel_gtt.c
+@@ -341,6 +341,9 @@ void free_scratch(struct i915_address_space *vm)
+ {
+       int i;
+ 
++      if (!vm->scratch[0])
++              return;
++
+       for (i = 0; i <= vm->top; i++)
+               i915_gem_object_put(vm->scratch[i]);
+ }
+-- 
+2.35.1
+

diff --git a/queue-5.15/dsa-lan9303-correct-stat-name.patch b/queue-5.15/dsa-lan9303-correct-stat-name.patch
new file mode 100644 (file)
index 0000000..3bf14de
--- /dev/null
+++ b/queue-5.15/dsa-lan9303-correct-stat-name.patch
@@ -0,0 +1,43 @@
+From cc279a31fac0a706f72fd6778352f820649448ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 13:35:59 -0600
+Subject: dsa: lan9303: Correct stat name
+
+From: Jerry Ray <jerry.ray@microchip.com>
+
+[ Upstream commit 39f59bca275d2d819a8788c0f962e9e89843efc9 ]
+
+This patch changes the reported ethtool statistics for the lan9303
+family of parts covered by this driver.
+
+The TxUnderRun statistic label is renamed to RxShort to accurately
+reflect what stat the device is reporting.  I did not reorder the
+statistics as that might cause problems with existing user code that
+are expecting the stats at a certain offset.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Jerry Ray <jerry.ray@microchip.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index 0b6f29ee87b5..59a803e3c8d0 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -959,7 +959,7 @@ static const struct lan9303_mib_desc lan9303_mib[] = {
+       { .offset = LAN9303_MAC_TX_BRDCST_CNT_0, .name = "TxBroad", },
+       { .offset = LAN9303_MAC_TX_PAUSE_CNT_0, .name = "TxPause", },
+       { .offset = LAN9303_MAC_TX_MULCST_CNT_0, .name = "TxMulti", },
+-      { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "TxUnderRun", },
++      { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "RxShort", },
+       { .offset = LAN9303_MAC_TX_64_CNT_0, .name = "Tx64Byte", },
+       { .offset = LAN9303_MAC_TX_127_CNT_0, .name = "Tx128Byte", },
+       { .offset = LAN9303_MAC_TX_255_CNT_0, .name = "Tx256Byte", },
+-- 
+2.35.1
+

diff --git a/queue-5.15/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch b/queue-5.15/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch
new file mode 100644 (file)
index 0000000..22bd4dc
--- /dev/null
+++ b/queue-5.15/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch
@@ -0,0 +1,45 @@
+From 355a67b7e2b4d1d844cfee4835f71a31eb3ed9e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 01:24:07 +0800
+Subject: e100: Fix possible use after free in e100_xmit_prepare
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 45605c75c52c7ae7bfe902214343aabcfe5ba0ff ]
+
+In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so
+e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will
+resend the skb. But the skb is already freed, which will cause UAF bug
+when the upper layer resends the skb.
+
+Remove the harmful free.
+
+Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index 36d52246bdc6..8cd371437c99 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1742,11 +1742,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb,
+       dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len,
+                                 DMA_TO_DEVICE);
+       /* If we can't map the skb, have the upper layer try later */
+-      if (dma_mapping_error(&nic->pdev->dev, dma_addr)) {
+-              dev_kfree_skb_any(skb);
+-              skb = NULL;
++      if (dma_mapping_error(&nic->pdev->dev, dma_addr))
+               return -ENOMEM;
+-      }
+ 
+       /*
+        * Use the last 4 bytes of the SKB payload packet as the CRC, used for
+-- 
+2.35.1
+

diff --git a/queue-5.15/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch b/queue-5.15/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch
new file mode 100644 (file)
index 0000000..eebc5c3
--- /dev/null
+++ b/queue-5.15/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch
@@ -0,0 +1,43 @@
+From 40a68780653bd91ebbf658469175f3e189cdd685 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 10:39:48 +0800
+Subject: erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 1dd73601a1cba37a0ed5f89a8662c90191df5873 ]
+
+As syzbot reported [1], the root cause is that i_size field is a
+signed type, and negative i_size is also less than EROFS_BLKSIZ.
+As a consequence, it's handled as fast symlink unexpectedly.
+
+Let's fall back to the generic path to deal with such unusual i_size.
+
+[1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com
+
+Reported-by: syzbot+f966c13b1b4fc0403b19@syzkaller.appspotmail.com
+Fixes: 431339ba9042 ("staging: erofs: add inode operations")
+Reviewed-by: Yue Hu <huyue2@coolpad.com>
+Link: https://lore.kernel.org/r/20220909023948.28925-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
+index a552399e211d..0c293ff6697b 100644
+--- a/fs/erofs/inode.c
++++ b/fs/erofs/inode.c
+@@ -222,7 +222,7 @@ static int erofs_fill_symlink(struct inode *inode, void *data,
+ 
+       /* if it cannot be handled with fast symlink scheme */
+       if (vi->datalayout != EROFS_INODE_FLAT_INLINE ||
+-          inode->i_size >= PAGE_SIZE) {
++          inode->i_size >= PAGE_SIZE || inode->i_size < 0) {
+               inode->i_op = &erofs_symlink_iops;
+               return 0;
+       }
+-- 
+2.35.1
+

diff --git a/queue-5.15/fm10k-fix-error-handling-in-fm10k_init_module.patch b/queue-5.15/fm10k-fix-error-handling-in-fm10k_init_module.patch
new file mode 100644 (file)
index 0000000..0a99d47
--- /dev/null
+++ b/queue-5.15/fm10k-fix-error-handling-in-fm10k_init_module.patch
@@ -0,0 +1,76 @@
+From 2154806ea38c62eefa7aff6bdb636bf59bb7ad98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 08:26:39 +0000
+Subject: fm10k: Fix error handling in fm10k_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 771a794c0a3c3e7f0d86cc34be4f9537e8c0a20c ]
+
+A problem about modprobe fm10k failed is triggered with the following log
+given:
+
+ Intel(R) Ethernet Switch Host Interface Driver
+ Copyright(c) 2013 - 2019 Intel Corporation.
+ debugfs: Directory 'fm10k' with parent '/' already present!
+
+The reason is that fm10k_init_module() returns fm10k_register_pci_driver()
+directly without checking its return value, if fm10k_register_pci_driver()
+failed, it returns without removing debugfs and destroy workqueue,
+resulting the debugfs of fm10k can never be created later and leaks the
+workqueue.
+
+ fm10k_init_module()
+   alloc_workqueue()
+   fm10k_dbg_init() # create debugfs
+   fm10k_register_pci_driver()
+     pci_register_driver()
+       driver_register()
+         bus_add_driver()
+           priv = kzalloc(...) # OOM happened
+   # return without remove debugfs and destroy workqueue
+
+Fix by remove debugfs and destroy workqueue when
+fm10k_register_pci_driver() returns error.
+
+Fixes: 7461fd913afe ("fm10k: Add support for debugfs")
+Fixes: b382bb1b3e2d ("fm10k: use separate workqueue for fm10k driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+index 3362f26d7f99..1b273446621c 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+@@ -32,6 +32,8 @@ struct workqueue_struct *fm10k_workqueue;
+  **/
+ static int __init fm10k_init_module(void)
+ {
++      int ret;
++
+       pr_info("%s\n", fm10k_driver_string);
+       pr_info("%s\n", fm10k_copyright);
+ 
+@@ -43,7 +45,13 @@ static int __init fm10k_init_module(void)
+ 
+       fm10k_dbg_init();
+ 
+-      return fm10k_register_pci_driver();
++      ret = fm10k_register_pci_driver();
++      if (ret) {
++              fm10k_dbg_exit();
++              destroy_workqueue(fm10k_workqueue);
++      }
++
++      return ret;
+ }
+ module_init(fm10k_init_module);
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch b/queue-5.15/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
new file mode 100644 (file)
index 0000000..4c8197e
--- /dev/null
+++ b/queue-5.15/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
@@ -0,0 +1,64 @@
+From 8302f5da23901a1ca42142f8d65c901533f29981 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:23:13 -0500
+Subject: hwmon: (coretemp) Check for null before removing sysfs attrs
+
+From: Phil Auld <pauld@redhat.com>
+
+[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ]
+
+If coretemp_add_core() gets an error then pdata->core_data[indx]
+is already NULL and has been kfreed. Don't pass that to
+sysfs_remove_group() as that will crash in sysfs_remove_group().
+
+[Shortened for readability]
+[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
+<cpu offline>
+[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
+[91855.165103] #PF: supervisor read access in kernel mode
+[91855.194506] #PF: error_code(0x0000) - not-present page
+[91855.224445] PGD 0 P4D 0
+[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
+...
+[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
+...
+[91855.796571] Call Trace:
+[91855.810524]  coretemp_cpu_offline+0x12b/0x1dd [coretemp]
+[91855.841738]  ? coretemp_cpu_online+0x180/0x180 [coretemp]
+[91855.871107]  cpuhp_invoke_callback+0x105/0x4b0
+[91855.893432]  cpuhp_thread_fun+0x8e/0x150
+...
+
+Fix this by checking for NULL first.
+
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Cc: linux-hwmon@vger.kernel.org
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Jean Delvare <jdelvare@suse.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com
+Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 032129292957..9b49bfc63ffc 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -533,6 +533,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx)
+ {
+       struct temp_data *tdata = pdata->core_data[indx];
+ 
++      /* if we errored on add then this is already gone */
++      if (!tdata)
++              return;
++
+       /* Remove the sysfs attributes */
+       sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group);
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch b/queue-5.15/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
new file mode 100644 (file)
index 0000000..13ebd83
--- /dev/null
+++ b/queue-5.15/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
@@ -0,0 +1,45 @@
+From 6b6de73af533adc52be57ddbd1968679f7513224 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:33:03 +0800
+Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put(). So call it after using to avoid refcount leak.
+
+Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 9b49bfc63ffc..42b84ebff057 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -242,10 +242,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev)
+        */
+       if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) {
+               for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) {
+-                      if (host_bridge->device == tjmax_pci_table[i].device)
++                      if (host_bridge->device == tjmax_pci_table[i].device) {
++                              pci_dev_put(host_bridge);
+                               return tjmax_pci_table[i].tjmax;
++                      }
+               }
+       }
++      pci_dev_put(host_bridge);
+ 
+       for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) {
+               if (strstr(c->x86_model_id, tjmax_table[i].id))
+-- 
+2.35.1
+

diff --git a/queue-5.15/hwmon-i5500_temp-fix-missing-pci_disable_device.patch b/queue-5.15/hwmon-i5500_temp-fix-missing-pci_disable_device.patch
new file mode 100644 (file)
index 0000000..a17d481
--- /dev/null
+++ b/queue-5.15/hwmon-i5500_temp-fix-missing-pci_disable_device.patch
@@ -0,0 +1,37 @@
+From 98ada8ef240a3bba43ad5cc254aac5955bff0d79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 20:56:06 +0800
+Subject: hwmon: (i5500_temp) fix missing pci_disable_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ]
+
+pci_disable_device() need be called while module exiting, switch to use
+pcim_enable(), pci_disable_device() will be called in pcim_release().
+
+Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/i5500_temp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c
+index 360f5aee1394..d4be03f43fb4 100644
+--- a/drivers/hwmon/i5500_temp.c
++++ b/drivers/hwmon/i5500_temp.c
+@@ -108,7 +108,7 @@ static int i5500_temp_probe(struct pci_dev *pdev,
+       u32 tstimer;
+       s8 tsfsc;
+ 
+-      err = pci_enable_device(pdev);
++      err = pcim_enable_device(pdev);
+       if (err) {
+               dev_err(&pdev->dev, "Failed to enable device\n");
+               return err;
+-- 
+2.35.1
+

diff --git a/queue-5.15/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch b/queue-5.15/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch
new file mode 100644 (file)
index 0000000..e460c9b
--- /dev/null
+++ b/queue-5.15/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch
@@ -0,0 +1,44 @@
+From 8038ff068735c12fcd02530d230269f5d33c1551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:44:23 +0800
+Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ]
+
+Smatch report warning as follows:
+
+drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
+  '&data->list' not removed from list
+
+If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
+be freed, but data->list will not be removed from driver_data.bmc_data,
+then list traversal may cause UAF.
+
+Fix by removeing it from driver_data.bmc_data before free().
+
+Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ibmpex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
+index b2ab83c9fd9a..fe90f0536d76 100644
+--- a/drivers/hwmon/ibmpex.c
++++ b/drivers/hwmon/ibmpex.c
+@@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev)
+       return;
+ 
+ out_register:
++      list_del(&data->list);
+       hwmon_device_unregister(data->hwmon_dev);
+ out_user:
+       ipmi_destroy_user(data->user);
+-- 
+2.35.1
+

diff --git a/queue-5.15/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch b/queue-5.15/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch
new file mode 100644 (file)
index 0000000..6820c9c
--- /dev/null
+++ b/queue-5.15/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch
@@ -0,0 +1,47 @@
+From a72e24bf9476b856e772fabca9893051e430d362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 12:45:08 +0800
+Subject: hwmon: (ina3221) Fix shunt sum critical calculation
+
+From: Ninad Malwade <nmalwade@nvidia.com>
+
+[ Upstream commit b8d27d2ce8dfc207e4b67b929a86f2be76fbc6ef ]
+
+The shunt sum critical limit register value should be left shifted
+by one bit as its LSB-0 is a reserved bit.
+
+Fixes: 2057bdfb7184 ("hwmon: (ina3221) Add summation feature support")
+Signed-off-by: Ninad Malwade <nmalwade@nvidia.com>
+Reviewed-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20221108044508.23463-1-nmalwade@nvidia.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ina3221.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/ina3221.c b/drivers/hwmon/ina3221.c
+index 58d3828e2ec0..14586b2fb17d 100644
+--- a/drivers/hwmon/ina3221.c
++++ b/drivers/hwmon/ina3221.c
+@@ -228,7 +228,7 @@ static int ina3221_read_value(struct ina3221_data *ina, unsigned int reg,
+        * Shunt Voltage Sum register has 14-bit value with 1-bit shift
+        * Other Shunt Voltage registers have 12 bits with 3-bit shift
+        */
+-      if (reg == INA3221_SHUNT_SUM)
++      if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM)
+               *val = sign_extend32(regval >> 1, 14);
+       else
+               *val = sign_extend32(regval >> 3, 12);
+@@ -465,7 +465,7 @@ static int ina3221_write_curr(struct device *dev, u32 attr,
+        *     SHUNT_SUM: (1 / 40uV) << 1 = 1 / 20uV
+        *     SHUNT[1-3]: (1 / 40uV) << 3 = 1 / 5uV
+        */
+-      if (reg == INA3221_SHUNT_SUM)
++      if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM)
+               regval = DIV_ROUND_CLOSEST(voltage_uv, 20) & 0xfffe;
+       else
+               regval = DIV_ROUND_CLOSEST(voltage_uv, 5) & 0xfff8;
+-- 
+2.35.1
+

diff --git a/queue-5.15/hwmon-ltc2947-fix-temperature-scaling.patch b/queue-5.15/hwmon-ltc2947-fix-temperature-scaling.patch
new file mode 100644 (file)
index 0000000..1ed3ce9
--- /dev/null
+++ b/queue-5.15/hwmon-ltc2947-fix-temperature-scaling.patch
@@ -0,0 +1,43 @@
+From db2daa1f3f6fc77de3420960e9c261b4609fcaa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 13:21:08 -0600
+Subject: hwmon: (ltc2947) fix temperature scaling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Derek Nguyen <derek.nguyen@collins.com>
+
+[ Upstream commit 07e06193ead86d4812f431b4d87bbd4161222e3f ]
+
+The LTC2947 datasheet (Rev. B) calls out in the section "Register
+Description: Non-Accumulated Result Registers" (pg. 30) that "To
+calculate temperature, multiply the TEMP register value by 0.204°C
+and add 5.5°C". Fix to add 5.5C and not 0.55C.
+
+Fixes: 9f90fd652bed ("hwmon: Add support for ltc2947")
+Signed-off-by: Derek Nguyen <derek.nguyen@collins.com>
+Signed-off-by: Brandon Maier <brandon.maier@collins.com>
+Link: https://lore.kernel.org/r/20221110192108.20624-1-brandon.maier@collins.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ltc2947-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/ltc2947-core.c b/drivers/hwmon/ltc2947-core.c
+index 5423466de697..e918490f3ff7 100644
+--- a/drivers/hwmon/ltc2947-core.c
++++ b/drivers/hwmon/ltc2947-core.c
+@@ -396,7 +396,7 @@ static int ltc2947_read_temp(struct device *dev, const u32 attr, long *val,
+               return ret;
+ 
+       /* in milidegrees celcius, temp is given by: */
+-      *val = (__val * 204) + 550;
++      *val = (__val * 204) + 5500;
+ 
+       return 0;
+ }
+-- 
+2.35.1
+

diff --git a/queue-5.15/i40e-fix-error-handling-in-i40e_init_module.patch b/queue-5.15/i40e-fix-error-handling-in-i40e_init_module.patch
new file mode 100644 (file)
index 0000000..c8bb590
--- /dev/null
+++ b/queue-5.15/i40e-fix-error-handling-in-i40e_init_module.patch
@@ -0,0 +1,59 @@
+From 02ad4b17be21a2b3b35de2e7178c05fff026eea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 09:27:25 +0800
+Subject: i40e: Fix error handling in i40e_init_module()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 479dd06149425b9e00477f52200872587af76a48 ]
+
+i40e_init_module() won't free the debugfs directory created by
+i40e_dbg_init() when pci_register_driver() failed. Add fail path to
+call i40e_dbg_exit() to remove the debugfs entries to prevent the bug.
+
+i40e: Intel(R) Ethernet Connection XL710 Network Driver
+i40e: Copyright (c) 2013 - 2019 Intel Corporation.
+debugfs: Directory 'i40e' with parent '/' already present!
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index ad6f6fe25057..19b5c5677584 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -16494,6 +16494,8 @@ static struct pci_driver i40e_driver = {
+  **/
+ static int __init i40e_init_module(void)
+ {
++      int err;
++
+       pr_info("%s: %s\n", i40e_driver_name, i40e_driver_string);
+       pr_info("%s: %s\n", i40e_driver_name, i40e_copyright);
+ 
+@@ -16511,7 +16513,14 @@ static int __init i40e_init_module(void)
+       }
+ 
+       i40e_dbg_init();
+-      return pci_register_driver(&i40e_driver);
++      err = pci_register_driver(&i40e_driver);
++      if (err) {
++              destroy_workqueue(i40e_wq);
++              i40e_dbg_exit();
++              return err;
++      }
++
++      return 0;
+ }
+ module_init(i40e_init_module);
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/iavf-fix-error-handling-in-iavf_init_module.patch b/queue-5.15/iavf-fix-error-handling-in-iavf_init_module.patch
new file mode 100644 (file)
index 0000000..6ff7f0e
--- /dev/null
+++ b/queue-5.15/iavf-fix-error-handling-in-iavf_init_module.patch
@@ -0,0 +1,55 @@
+From 816fe8d7b0a12b084df0b3b773d3c0a8e28772de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 08:26:40 +0000
+Subject: iavf: Fix error handling in iavf_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 227d8d2f7f2278b8468c5531b0cd0f2a905b4486 ]
+
+The iavf_init_module() won't destroy workqueue when pci_register_driver()
+failed. Call destroy_workqueue() when pci_register_driver() failed to
+prevent the resource leak.
+
+Similar to the handling of u132_hcd_init in commit f276e002793c
+("usb: u132-hcd: fix resource leak")
+
+Fixes: 2803b16c10ea ("i40e/i40evf: Use private workqueue")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index f2f8f2a43a34..82c4f1190e41 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -4341,6 +4341,8 @@ static struct pci_driver iavf_driver = {
+  **/
+ static int __init iavf_init_module(void)
+ {
++      int ret;
++
+       pr_info("iavf: %s\n", iavf_driver_string);
+ 
+       pr_info("%s\n", iavf_copyright);
+@@ -4351,7 +4353,12 @@ static int __init iavf_init_module(void)
+               pr_err("%s: Failed to create workqueue\n", iavf_driver_name);
+               return -ENOMEM;
+       }
+-      return pci_register_driver(&iavf_driver);
++
++      ret = pci_register_driver(&iavf_driver);
++      if (ret)
++              destroy_workqueue(iavf_wq);
++
++      return ret;
+ }
+ 
+ module_init(iavf_init_module);
+-- 
+2.35.1
+

diff --git a/queue-5.15/iavf-remove-redundant-ret-variable.patch b/queue-5.15/iavf-remove-redundant-ret-variable.patch
new file mode 100644 (file)
index 0000000..ae1f65b
--- /dev/null
+++ b/queue-5.15/iavf-remove-redundant-ret-variable.patch
@@ -0,0 +1,68 @@
+From 86b7aa6ffefed242b447616586157c1e10f2221b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jan 2022 10:46:56 +0000
+Subject: iavf: remove redundant ret variable
+
+From: Minghao Chi <chi.minghao@zte.com.cn>
+
+[ Upstream commit c3fec56e12678c3ad68084048a73818a7968d6b8 ]
+
+Return value directly instead of taking this in another redundant
+variable.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn>
+Signed-off-by: CGEL ZTE <cgel.zte@gmail.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 227d8d2f7f22 ("iavf: Fix error handling in iavf_init_module()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 4b2e99be7ef5..f2f8f2a43a34 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1448,7 +1448,6 @@ static void iavf_fill_rss_lut(struct iavf_adapter *adapter)
+ static int iavf_init_rss(struct iavf_adapter *adapter)
+ {
+       struct iavf_hw *hw = &adapter->hw;
+-      int ret;
+ 
+       if (!RSS_PF(adapter)) {
+               /* Enable PCTYPES for RSS, TCP/UDP with IPv4/IPv6 */
+@@ -1464,9 +1463,8 @@ static int iavf_init_rss(struct iavf_adapter *adapter)
+ 
+       iavf_fill_rss_lut(adapter);
+       netdev_rss_key_fill((void *)adapter->rss_key, adapter->rss_key_size);
+-      ret = iavf_config_rss(adapter);
+ 
+-      return ret;
++      return iavf_config_rss(adapter);
+ }
+ 
+ /**
+@@ -4343,8 +4341,6 @@ static struct pci_driver iavf_driver = {
+  **/
+ static int __init iavf_init_module(void)
+ {
+-      int ret;
+-
+       pr_info("iavf: %s\n", iavf_driver_string);
+ 
+       pr_info("%s\n", iavf_copyright);
+@@ -4355,8 +4351,7 @@ static int __init iavf_init_module(void)
+               pr_err("%s: Failed to create workqueue\n", iavf_driver_name);
+               return -ENOMEM;
+       }
+-      ret = pci_register_driver(&iavf_driver);
+-      return ret;
++      return pci_register_driver(&iavf_driver);
+ }
+ 
+ module_init(iavf_init_module);
+-- 
+2.35.1
+

diff --git a/queue-5.15/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch b/queue-5.15/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
new file mode 100644 (file)
index 0000000..4db77b2
--- /dev/null
+++ b/queue-5.15/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
@@ -0,0 +1,72 @@
+From f860824fa9f63d989854371c67ef72e74899aeaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:19:46 +0000
+Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
+Read of size 4 at addr ffffffffc02ac638 by task cat/279
+
+Call Trace:
+ afe4403_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4403_channel_leds+0x18/0xffffffffffffe9e0
+
+This issue can be reproduced by singe command:
+
+ $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw
+
+The array size of afe4403_channel_leds is less than channels, so access
+with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
+access before use it.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4403.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c
+index d4921385aaf7..b5f959bba422 100644
+--- a/drivers/iio/health/afe4403.c
++++ b/drivers/iio/health/afe4403.c
+@@ -245,14 +245,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+                           int *val, int *val2, long mask)
+ {
+       struct afe4403_data *afe = iio_priv(indio_dev);
+-      unsigned int reg = afe4403_channel_values[chan->address];
+-      unsigned int field = afe4403_channel_leds[chan->address];
++      unsigned int reg, field;
+       int ret;
+ 
+       switch (chan->type) {
+       case IIO_INTENSITY:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      reg = afe4403_channel_values[chan->address];
+                       ret = afe4403_read(afe, reg, val);
+                       if (ret)
+                               return ret;
+@@ -262,6 +262,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+       case IIO_CURRENT:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      field = afe4403_channel_leds[chan->address];
+                       ret = regmap_field_read(afe->fields[field], val);
+                       if (ret)
+                               return ret;
+-- 
+2.35.1
+

diff --git a/queue-5.15/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch b/queue-5.15/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
new file mode 100644 (file)
index 0000000..5226b42
--- /dev/null
+++ b/queue-5.15/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
@@ -0,0 +1,102 @@
+From 7f860f5aa9cc73524dad01404c88b2d0dd856bb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:20:10 +0000
+Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
+Read of size 4 at addr ffffffffc00e4658 by task cat/278
+
+Call Trace:
+ afe4404_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4404_channel_leds+0x18/0xffffffffffffe9c0
+
+This issue can be reproduce by singe command:
+
+ $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw
+
+The array size of afe4404_channel_leds and afe4404_channel_offdacs
+are less than channels, so access with chan->address cause OOB read
+in afe4404_[read|write]_raw. Fix it by moving access before use them.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4404.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c
+index d8a27dfe074a..70f0f6f6351c 100644
+--- a/drivers/iio/health/afe4404.c
++++ b/drivers/iio/health/afe4404.c
+@@ -250,20 +250,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+                           int *val, int *val2, long mask)
+ {
+       struct afe4404_data *afe = iio_priv(indio_dev);
+-      unsigned int value_reg = afe4404_channel_values[chan->address];
+-      unsigned int led_field = afe4404_channel_leds[chan->address];
+-      unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++      unsigned int value_reg, led_field, offdac_field;
+       int ret;
+ 
+       switch (chan->type) {
+       case IIO_INTENSITY:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      value_reg = afe4404_channel_values[chan->address];
+                       ret = regmap_read(afe->regmap, value_reg, val);
+                       if (ret)
+                               return ret;
+                       return IIO_VAL_INT;
+               case IIO_CHAN_INFO_OFFSET:
++                      offdac_field = afe4404_channel_offdacs[chan->address];
+                       ret = regmap_field_read(afe->fields[offdac_field], val);
+                       if (ret)
+                               return ret;
+@@ -273,6 +273,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+       case IIO_CURRENT:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      led_field = afe4404_channel_leds[chan->address];
+                       ret = regmap_field_read(afe->fields[led_field], val);
+                       if (ret)
+                               return ret;
+@@ -295,19 +296,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev,
+                            int val, int val2, long mask)
+ {
+       struct afe4404_data *afe = iio_priv(indio_dev);
+-      unsigned int led_field = afe4404_channel_leds[chan->address];
+-      unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++      unsigned int led_field, offdac_field;
+ 
+       switch (chan->type) {
+       case IIO_INTENSITY:
+               switch (mask) {
+               case IIO_CHAN_INFO_OFFSET:
++                      offdac_field = afe4404_channel_offdacs[chan->address];
+                       return regmap_field_write(afe->fields[offdac_field], val);
+               }
+               break;
+       case IIO_CURRENT:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      led_field = afe4404_channel_leds[chan->address];
+                       return regmap_field_write(afe->fields[led_field], val);
+               }
+               break;
+-- 
+2.35.1
+

diff --git a/queue-5.15/iio-light-rpr0521-add-missing-kconfig-dependencies.patch b/queue-5.15/iio-light-rpr0521-add-missing-kconfig-dependencies.patch
new file mode 100644 (file)
index 0000000..a6805a0
--- /dev/null
+++ b/queue-5.15/iio-light-rpr0521-add-missing-kconfig-dependencies.patch
@@ -0,0 +1,47 @@
+From 878ed00b5d9bba8b355bf7b331dc06876b87a53d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:47:29 -0500
+Subject: iio: light: rpr0521: add missing Kconfig dependencies
+
+From: Paul Gazzillo <paul@pgazz.com>
+
+[ Upstream commit 6ac12303572ef9ace5603c2c07f5f1b00a33f580 ]
+
+Fix an implicit declaration of function error for rpr0521 under some configs
+
+When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER,
+the build results in "implicit declaration of function" errors, e.g.,
+  drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function
+           'iio_trigger_poll_chained' [-Werror=implicit-function-declaration]
+    434 |   iio_trigger_poll_chained(data->drdy_trigger0);
+        |   ^~~~~~~~~~~~~~~~~~~~~~~~
+
+This fix adds select dependencies to RPR0521's configuration declaration.
+
+Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer")
+Signed-off-by: Paul Gazzillo <paul@pgazz.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@device
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig
+index a62c7b4b8678..b46eac71941c 100644
+--- a/drivers/iio/light/Kconfig
++++ b/drivers/iio/light/Kconfig
+@@ -294,6 +294,8 @@ config RPR0521
+       tristate "ROHM RPR0521 ALS and proximity sensor driver"
+       depends on I2C
+       select REGMAP_I2C
++      select IIO_BUFFER
++      select IIO_TRIGGERED_BUFFER
+       help
+         Say Y here if you want to build support for ROHM's RPR0521
+         ambient light and proximity sensor device.
+-- 
+2.35.1
+

diff --git a/queue-5.15/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch b/queue-5.15/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch
new file mode 100644 (file)
index 0000000..88106c7
--- /dev/null
+++ b/queue-5.15/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch
@@ -0,0 +1,57 @@
+From b35aa8477426fc8d817d16211a272cd0762608c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 10:57:58 +0800
+Subject: ixgbevf: Fix resource leak in ixgbevf_init_module()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 8cfa238a48f34038464b99d0b4825238c2687181 ]
+
+ixgbevf_init_module() won't destroy the workqueue created by
+create_singlethread_workqueue() when pci_register_driver() failed. Add
+destroy_workqueue() in fail path to prevent the resource leak.
+
+Similar to the handling of u132_hcd_init in commit f276e002793c
+("usb: u132-hcd: fix resource leak")
+
+Fixes: 40a13e2493c9 ("ixgbevf: Use a private workqueue to avoid certain possible hangs")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Saeed Mahameed <saeed@kernel.org>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+index 7ef2e1241a76..0e7ff15af968 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -4859,6 +4859,8 @@ static struct pci_driver ixgbevf_driver = {
+  **/
+ static int __init ixgbevf_init_module(void)
+ {
++      int err;
++
+       pr_info("%s\n", ixgbevf_driver_string);
+       pr_info("%s\n", ixgbevf_copyright);
+       ixgbevf_wq = create_singlethread_workqueue(ixgbevf_driver_name);
+@@ -4867,7 +4869,13 @@ static int __init ixgbevf_init_module(void)
+               return -ENOMEM;
+       }
+ 
+-      return pci_register_driver(&ixgbevf_driver);
++      err = pci_register_driver(&ixgbevf_driver);
++      if (err) {
++              destroy_workqueue(ixgbevf_wq);
++              return err;
++      }
++
++      return 0;
+ }
+ 
+ module_init(ixgbevf_init_module);
+-- 
+2.35.1
+

diff --git a/queue-5.15/kbuild-fix-wimplicit-function-declaration-in-license.patch b/queue-5.15/kbuild-fix-wimplicit-function-declaration-in-license.patch
new file mode 100644 (file)
index 0000000..f824b01
--- /dev/null
+++ b/queue-5.15/kbuild-fix-wimplicit-function-declaration-in-license.patch
@@ -0,0 +1,50 @@
+From 3f07ef5743bd434f3689f9ceed7a24128dc6b5ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 18:26:34 +0000
+Subject: kbuild: fix -Wimplicit-function-declaration in
+ license_is_gpl_compatible
+
+From: Sam James <sam@gentoo.org>
+
+[ Upstream commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 ]
+
+Add missing <linux/string.h> include for strcmp.
+
+Clang 16 makes -Wimplicit-function-declaration an error by default.
+Unfortunately, out of tree modules may use this in configure scripts,
+which means failure might cause silent miscompilation or misconfiguration.
+
+For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2],
+or the (new) c-std-porting mailing list [3].
+
+[0] https://lwn.net/Articles/913505/
+[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213
+[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240
+[3] hosted at lists.linux.dev.
+
+[akpm@linux-foundation.org: remember "linux/"]
+Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org
+Signed-off-by: Sam James <sam@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/license.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/license.h b/include/linux/license.h
+index 7cce390f120b..ad937f57f2cb 100644
+--- a/include/linux/license.h
++++ b/include/linux/license.h
+@@ -2,6 +2,8 @@
+ #ifndef __LICENSE_H
+ #define __LICENSE_H
+ 
++#include <linux/string.h>
++
+ static inline int license_is_gpl_compatible(const char *license)
+ {
+       return (strcmp(license, "GPL") == 0
+-- 
+2.35.1
+

diff --git a/queue-5.15/libbpf-handle-size-overflow-for-ringbuf-mmap.patch b/queue-5.15/libbpf-handle-size-overflow-for-ringbuf-mmap.patch
new file mode 100644 (file)
index 0000000..209e5d5
--- /dev/null
+++ b/queue-5.15/libbpf-handle-size-overflow-for-ringbuf-mmap.patch
@@ -0,0 +1,67 @@
+From 56ac51db899e1e45cffde9f17644e4625f8d92fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 15:23:49 +0800
+Subject: libbpf: Handle size overflow for ringbuf mmap
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 927cbb478adf917e0a142b94baa37f06279cc466 ]
+
+The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries
+will overflow u32 when mapping producer page and data pages. Only
+casting max_entries to size_t is not enough, because for 32-bits
+application on 64-bits kernel the size of read-only mmap region
+also could overflow size_t.
+
+So fixing it by casting the size of read-only mmap region into a __u64
+and checking whether or not there will be overflow during mmap.
+
+Fixes: bf99c936f947 ("libbpf: Add BPF ring buffer support")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221116072351.1168938-3-houtao@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/ringbuf.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c
+index 8bc117bcc7bc..c42ba9358d8c 100644
+--- a/tools/lib/bpf/ringbuf.c
++++ b/tools/lib/bpf/ringbuf.c
+@@ -59,6 +59,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
+       __u32 len = sizeof(info);
+       struct epoll_event *e;
+       struct ring *r;
++      __u64 mmap_sz;
+       void *tmp;
+       int err;
+ 
+@@ -97,8 +98,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
+       r->mask = info.max_entries - 1;
+ 
+       /* Map writable consumer page */
+-      tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED,
+-                 map_fd, 0);
++      tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0);
+       if (tmp == MAP_FAILED) {
+               err = -errno;
+               pr_warn("ringbuf: failed to mmap consumer page for map fd=%d: %d\n",
+@@ -111,8 +111,12 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
+        * data size to allow simple reading of samples that wrap around the
+        * end of a ring buffer. See kernel implementation for details.
+        * */
+-      tmp = mmap(NULL, rb->page_size + 2 * info.max_entries, PROT_READ,
+-                 MAP_SHARED, map_fd, rb->page_size);
++      mmap_sz = rb->page_size + 2 * (__u64)info.max_entries;
++      if (mmap_sz != (__u64)(size_t)mmap_sz) {
++              pr_warn("ringbuf: ring buffer size (%u) is too big\n", info.max_entries);
++              return libbpf_err(-E2BIG);
++      }
++      tmp = mmap(NULL, (size_t)mmap_sz, PROT_READ, MAP_SHARED, map_fd, rb->page_size);
+       if (tmp == MAP_FAILED) {
+               err = -errno;
+               ringbuf_unmap_ring(rb, r);
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch b/queue-5.15/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch
new file mode 100644 (file)
index 0000000..6fca4c2
--- /dev/null
+++ b/queue-5.15/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch
@@ -0,0 +1,45 @@
+From d91c6c3c6281865d6a692ea43db5d2098e77818e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:10:05 +0800
+Subject: net/9p: Fix a potential socket leak in p9_socket_open
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ]
+
+Both p9_fd_create_tcp() and p9_fd_create_unix() will call
+p9_socket_open(). If the creation of p9_trans_fd fails,
+p9_fd_create_tcp() and p9_fd_create_unix() will return an
+error directly instead of releasing the cscoket, which will
+result in a socket leak.
+
+This patch adds sock_release() to fix the leak issue.
+
+Fixes: 6b18662e239a ("9p connect fixes")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+ACKed-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 31f2026514f3..e1c2c9242ce2 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -864,8 +864,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
+       struct file *file;
+ 
+       p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL);
+-      if (!p)
++      if (!p) {
++              sock_release(csocket);
+               return -ENOMEM;
++      }
+ 
+       csocket->sk->sk_allocation = GFP_NOIO;
+       file = sock_alloc_file(csocket, 0, NULL);
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-ethernet-nixge-fix-null-dereference.patch b/queue-5.15/net-ethernet-nixge-fix-null-dereference.patch
new file mode 100644 (file)
index 0000000..888eba2
--- /dev/null
+++ b/queue-5.15/net-ethernet-nixge-fix-null-dereference.patch
@@ -0,0 +1,75 @@
+From 9511b639ed687567d89ef86c9fda048828b3d286 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 11:43:03 +0300
+Subject: net: ethernet: nixge: fix NULL dereference
+
+From: Yuri Karpov <YKarpov@ispras.ru>
+
+[ Upstream commit 9256db4e45e8b497b0e993cc3ed4ad08eb2389b6 ]
+
+In function nixge_hw_dma_bd_release() dereference of NULL pointer
+priv->rx_bd_v is possible for the case of its allocation failure in
+nixge_hw_dma_bd_init().
+
+Move for() loop with priv->rx_bd_v dereference under the check for
+its validity.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
+Signed-off-by: Yuri Karpov <YKarpov@ispras.ru>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ni/nixge.c | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
+index 057b7419404d..5d0cecf80b38 100644
+--- a/drivers/net/ethernet/ni/nixge.c
++++ b/drivers/net/ethernet/ni/nixge.c
+@@ -249,25 +249,26 @@ static void nixge_hw_dma_bd_release(struct net_device *ndev)
+       struct sk_buff *skb;
+       int i;
+ 
+-      for (i = 0; i < RX_BD_NUM; i++) {
+-              phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
+-                                                   phys);
+-
+-              dma_unmap_single(ndev->dev.parent, phys_addr,
+-                               NIXGE_MAX_JUMBO_FRAME_SIZE,
+-                               DMA_FROM_DEVICE);
+-
+-              skb = (struct sk_buff *)(uintptr_t)
+-                      nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
+-                                               sw_id_offset);
+-              dev_kfree_skb(skb);
+-      }
++      if (priv->rx_bd_v) {
++              for (i = 0; i < RX_BD_NUM; i++) {
++                      phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
++                                                           phys);
++
++                      dma_unmap_single(ndev->dev.parent, phys_addr,
++                                       NIXGE_MAX_JUMBO_FRAME_SIZE,
++                                       DMA_FROM_DEVICE);
++
++                      skb = (struct sk_buff *)(uintptr_t)
++                              nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
++                                                       sw_id_offset);
++                      dev_kfree_skb(skb);
++              }
+ 
+-      if (priv->rx_bd_v)
+               dma_free_coherent(ndev->dev.parent,
+                                 sizeof(*priv->rx_bd_v) * RX_BD_NUM,
+                                 priv->rx_bd_v,
+                                 priv->rx_bd_p);
++      }
+ 
+       if (priv->tx_skb)
+               devm_kfree(ndev->dev.parent, priv->tx_skb);
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch b/queue-5.15/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
new file mode 100644 (file)
index 0000000..bc5e1dd
--- /dev/null
+++ b/queue-5.15/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
@@ -0,0 +1,41 @@
+From 26ba16a7424b1630182deb86ab8de6d516fde1e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 15:56:04 +0900
+Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system
+ resumed
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ]
+
+After system resumed on some environment board, the promiscuous mode
+is disabled because the SoC turned off. So, call ravb_set_rx_mode() in
+the ravb_resume() to fix the issue.
+
+Reported-by: Tho Vu <tho.vu.wh@renesas.com>
+Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 12420239c8ca..77a19336abec 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2491,6 +2491,7 @@ static int __maybe_unused ravb_resume(struct device *dev)
+               ret = ravb_open(ndev);
+               if (ret < 0)
+                       return ret;
++              ravb_set_rx_mode(ndev);
+               netif_device_attach(ndev);
+       }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch b/queue-5.15/net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch
new file mode 100644 (file)
index 0000000..9aafa50
--- /dev/null
+++ b/queue-5.15/net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch
@@ -0,0 +1,42 @@
+From b0ff98947d23b13d604baba62d7b0d53c27fdadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 11:03:08 +0800
+Subject: net: ethernet: ti: am65-cpsw: fix error handling in
+ am65_cpsw_nuss_probe()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 46fb6512538d201d9a5b2bd7138b6751c37fdf0b ]
+
+The am65_cpsw_nuss_cleanup_ndev() function calls unregister_netdev()
+even if register_netdev() fails, which triggers WARN_ON(1) in
+unregister_netdevice_many(). To fix it, make sure that
+unregister_netdev() is called only on registered netdev.
+
+Compile tested only.
+
+Fixes: 84b4aa493249 ("net: ethernet: ti: am65-cpsw: add multi port support in mac-only mode")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+index 901571c2626a..2298b3c38f89 100644
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -2054,7 +2054,7 @@ static void am65_cpsw_nuss_cleanup_ndev(struct am65_cpsw_common *common)
+ 
+       for (i = 0; i < common->port_num; i++) {
+               port = &common->ports[i];
+-              if (port->ndev)
++              if (port->ndev && port->ndev->reg_state == NETREG_REGISTERED)
+                       unregister_netdev(port->ndev);
+       }
+ }
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-hsr-fix-potential-use-after-free.patch b/queue-5.15/net-hsr-fix-potential-use-after-free.patch
new file mode 100644 (file)
index 0000000..be91eac
--- /dev/null
+++ b/queue-5.15/net-hsr-fix-potential-use-after-free.patch
@@ -0,0 +1,49 @@
+From 61810fec3a0f5b31cb8e38063dc30d982f80f58f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 15:57:24 +0800
+Subject: net: hsr: Fix potential use-after-free
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ]
+
+The skb is delivered to netif_rx() which may free it, after calling this,
+dereferencing skb may trigger use-after-free.
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index 13f81c246f5f..07892c4b6d0c 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -309,17 +309,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
+                              struct hsr_node *node_src)
+ {
+       bool was_multicast_frame;
+-      int res;
++      int res, recv_len;
+ 
+       was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST);
+       hsr_addr_subst_source(node_src, skb);
+       skb_pull(skb, ETH_HLEN);
++      recv_len = skb->len;
+       res = netif_rx(skb);
+       if (res == NET_RX_DROP) {
+               dev->stats.rx_dropped++;
+       } else {
+               dev->stats.rx_packets++;
+-              dev->stats.rx_bytes += skb->len;
++              dev->stats.rx_bytes += recv_len;
+               if (was_multicast_frame)
+                       dev->stats.multicast++;
+       }
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-mdiobus-fix-unbalanced-node-reference-count.patch b/queue-5.15/net-mdiobus-fix-unbalanced-node-reference-count.patch
new file mode 100644 (file)
index 0000000..7160dcf
--- /dev/null
+++ b/queue-5.15/net-mdiobus-fix-unbalanced-node-reference-count.patch
@@ -0,0 +1,64 @@
+From 2413d48fafaa5bb353754b9a0f4f945a1995c9df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 23:01:30 +0800
+Subject: net: mdiobus: fix unbalanced node reference count
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cdde1560118f82498fc9e9a7c1ef7f0ef7755891 ]
+
+I got the following report while doing device(mscc-miim) load test
+with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
+
+  OF: ERROR: memory leak, expected refcount 1 instead of 2,
+  of_node_get()/of_node_put() unbalanced - destroy cset entry:
+  attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0
+
+If the 'fwnode' is not an acpi node, the refcount is get in
+fwnode_mdiobus_phy_device_register(), but it has never been
+put when the device is freed in the normal path. So call
+fwnode_handle_put() in phy_device_release() to avoid leak.
+
+If it's an acpi node, it has never been get, but it's put
+in the error path, so call fwnode_handle_get() before
+phy_device_register() to keep get/put operation balanced.
+
+Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20221124150130.609420-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/fwnode_mdio.c | 2 +-
+ drivers/net/phy/phy_device.c   | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c
+index 1c1584fca632..40e745a1d185 100644
+--- a/drivers/net/mdio/fwnode_mdio.c
++++ b/drivers/net/mdio/fwnode_mdio.c
+@@ -120,7 +120,7 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus,
+               /* Associate the fwnode with the device structure so it
+                * can be looked up later.
+                */
+-              phy->mdio.dev.fwnode = child;
++              phy->mdio.dev.fwnode = fwnode_handle_get(child);
+ 
+               /* All data is now stored in the phy struct, so register it */
+               rc = phy_device_register(phy);
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 1dd521c99725..996842a1a9a3 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -215,6 +215,7 @@ static void phy_mdio_device_free(struct mdio_device *mdiodev)
+ 
+ static void phy_device_release(struct device *dev)
+ {
++      fwnode_handle_put(dev->fwnode);
+       kfree(to_phy_device(dev));
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-mlx5-dr-fix-uninitialized-var-warning.patch b/queue-5.15/net-mlx5-dr-fix-uninitialized-var-warning.patch
new file mode 100644 (file)
index 0000000..df273d2
--- /dev/null
+++ b/queue-5.15/net-mlx5-dr-fix-uninitialized-var-warning.patch
@@ -0,0 +1,51 @@
+From 26d6f6f2d6626c8504ae9da45dd4f2bb0ab22e5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 21:47:07 +0800
+Subject: net/mlx5: DR, Fix uninitialized var warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 52f7cf70eb8fac6111786c59ae9dfc5cf2bee710 ]
+
+Smatch warns this:
+
+drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c:81
+ mlx5dr_table_set_miss_action() error: uninitialized symbol 'ret'.
+
+Initializing ret with -EOPNOTSUPP and fix missing action case.
+
+Fixes: 7838e1725394 ("net/mlx5: DR, Expose steering table functionality")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+index 4c40178e7d1e..0c7b57bf01d0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+@@ -9,7 +9,7 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl,
+       struct mlx5dr_matcher *last_matcher = NULL;
+       struct mlx5dr_htbl_connect_info info;
+       struct mlx5dr_ste_htbl *last_htbl;
+-      int ret;
++      int ret = -EOPNOTSUPP;
+ 
+       if (action && action->action_type != DR_ACTION_TYP_FT)
+               return -EOPNOTSUPP;
+@@ -68,6 +68,9 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl,
+               }
+       }
+ 
++      if (ret)
++              goto out;
++
+       /* Release old action */
+       if (tbl->miss_action)
+               refcount_dec(&tbl->miss_action->refcount);
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-mlx5-dr-rename-list-field-in-matcher-struct-to-l.patch b/queue-5.15/net-mlx5-dr-rename-list-field-in-matcher-struct-to-l.patch
new file mode 100644 (file)
index 0000000..798ea0c
--- /dev/null
+++ b/queue-5.15/net-mlx5-dr-rename-list-field-in-matcher-struct-to-l.patch
@@ -0,0 +1,133 @@
+From 4450c7b0e327660d3b1aebe474f81c55197b47f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 17:57:57 +0200
+Subject: net/mlx5: DR, Rename list field in matcher struct to list_node
+
+From: Yevgeny Kliteynik <kliteyn@nvidia.com>
+
+[ Upstream commit 08fac109f7bb5e12ae14def56b3ad57ce67cd9fe ]
+
+In dr_types structs, some list fields are list heads, and some
+are just list nodes that are stored on the other structs' lists.
+Rename the appropriate list field to reflect this distinction.
+
+Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Stable-dep-of: 52f7cf70eb8f ("net/mlx5: DR, Fix uninitialized var warning")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/steering/dr_matcher.c  | 26 +++++++++----------
+ .../mellanox/mlx5/core/steering/dr_table.c    |  2 +-
+ .../mellanox/mlx5/core/steering/dr_types.h    |  2 +-
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+index a19e8157c100..0f99d3612f89 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+@@ -709,7 +709,7 @@ static int dr_matcher_add_to_tbl(struct mlx5dr_matcher *matcher)
+       int ret;
+ 
+       next_matcher = NULL;
+-      list_for_each_entry(tmp_matcher, &tbl->matcher_list, matcher_list) {
++      list_for_each_entry(tmp_matcher, &tbl->matcher_list, list_node) {
+               if (tmp_matcher->prio >= matcher->prio) {
+                       next_matcher = tmp_matcher;
+                       break;
+@@ -719,11 +719,11 @@ static int dr_matcher_add_to_tbl(struct mlx5dr_matcher *matcher)
+ 
+       prev_matcher = NULL;
+       if (next_matcher && !first)
+-              prev_matcher = list_prev_entry(next_matcher, matcher_list);
++              prev_matcher = list_prev_entry(next_matcher, list_node);
+       else if (!first)
+               prev_matcher = list_last_entry(&tbl->matcher_list,
+                                              struct mlx5dr_matcher,
+-                                             matcher_list);
++                                             list_node);
+ 
+       if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB ||
+           dmn->type == MLX5DR_DOMAIN_TYPE_NIC_RX) {
+@@ -744,12 +744,12 @@ static int dr_matcher_add_to_tbl(struct mlx5dr_matcher *matcher)
+       }
+ 
+       if (prev_matcher)
+-              list_add(&matcher->matcher_list, &prev_matcher->matcher_list);
++              list_add(&matcher->list_node, &prev_matcher->list_node);
+       else if (next_matcher)
+-              list_add_tail(&matcher->matcher_list,
+-                            &next_matcher->matcher_list);
++              list_add_tail(&matcher->list_node,
++                            &next_matcher->list_node);
+       else
+-              list_add(&matcher->matcher_list, &tbl->matcher_list);
++              list_add(&matcher->list_node, &tbl->matcher_list);
+ 
+       return 0;
+ }
+@@ -922,7 +922,7 @@ mlx5dr_matcher_create(struct mlx5dr_table *tbl,
+       matcher->prio = priority;
+       matcher->match_criteria = match_criteria_enable;
+       refcount_set(&matcher->refcount, 1);
+-      INIT_LIST_HEAD(&matcher->matcher_list);
++      INIT_LIST_HEAD(&matcher->list_node);
+ 
+       mlx5dr_domain_lock(tbl->dmn);
+ 
+@@ -985,15 +985,15 @@ static int dr_matcher_remove_from_tbl(struct mlx5dr_matcher *matcher)
+       struct mlx5dr_domain *dmn = tbl->dmn;
+       int ret = 0;
+ 
+-      if (list_is_last(&matcher->matcher_list, &tbl->matcher_list))
++      if (list_is_last(&matcher->list_node, &tbl->matcher_list))
+               next_matcher = NULL;
+       else
+-              next_matcher = list_next_entry(matcher, matcher_list);
++              next_matcher = list_next_entry(matcher, list_node);
+ 
+-      if (matcher->matcher_list.prev == &tbl->matcher_list)
++      if (matcher->list_node.prev == &tbl->matcher_list)
+               prev_matcher = NULL;
+       else
+-              prev_matcher = list_prev_entry(matcher, matcher_list);
++              prev_matcher = list_prev_entry(matcher, list_node);
+ 
+       if (dmn->type == MLX5DR_DOMAIN_TYPE_FDB ||
+           dmn->type == MLX5DR_DOMAIN_TYPE_NIC_RX) {
+@@ -1013,7 +1013,7 @@ static int dr_matcher_remove_from_tbl(struct mlx5dr_matcher *matcher)
+                       return ret;
+       }
+ 
+-      list_del(&matcher->matcher_list);
++      list_del(&matcher->list_node);
+ 
+       return 0;
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+index 30ae3cda6d2e..4c40178e7d1e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+@@ -19,7 +19,7 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl,
+       if (!list_empty(&tbl->matcher_list))
+               last_matcher = list_last_entry(&tbl->matcher_list,
+                                              struct mlx5dr_matcher,
+-                                             matcher_list);
++                                             list_node);
+ 
+       if (tbl->dmn->type == MLX5DR_DOMAIN_TYPE_NIC_RX ||
+           tbl->dmn->type == MLX5DR_DOMAIN_TYPE_FDB) {
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+index bc206836af6a..9e2102f8bed1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+@@ -891,7 +891,7 @@ struct mlx5dr_matcher {
+       struct mlx5dr_table *tbl;
+       struct mlx5dr_matcher_rx_tx rx;
+       struct mlx5dr_matcher_rx_tx tx;
+-      struct list_head matcher_list;
++      struct list_head list_node;
+       u32 prio;
+       struct mlx5dr_match_param mask;
+       u8 match_criteria;
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch b/queue-5.15/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch
new file mode 100644 (file)
index 0000000..1b2949d
--- /dev/null
+++ b/queue-5.15/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch
@@ -0,0 +1,39 @@
+From ae1cb2c01dbd4ff56639fc8260ca0fbd0629698d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:22:04 +0800
+Subject: net/mlx5: Fix uninitialized variable bug in outlen_write()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ]
+
+If sscanf() return 0, outlen is uninitialized and used in kzalloc(),
+this is unexpected. We should return -EINVAL if the string is invalid.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 85190f2f4d50..41c15a65fb45 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1434,8 +1434,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf,
+               return -EFAULT;
+ 
+       err = sscanf(outlen_str, "%d", &outlen);
+-      if (err < 0)
+-              return err;
++      if (err != 1)
++              return -EINVAL;
+ 
+       ptr = kzalloc(outlen, GFP_KERNEL);
+       if (!ptr)
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch b/queue-5.15/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch
new file mode 100644 (file)
index 0000000..ba8aff6
--- /dev/null
+++ b/queue-5.15/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch
@@ -0,0 +1,40 @@
+From 63aef6f3117b1391c4848ff3bb6ce644755a09b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 20:04:29 +0200
+Subject: net/mlx5e: Fix use-after-free when reverting termination table
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit 52c795af04441d76f565c4634f893e5b553df2ae ]
+
+When having multiple dests with termination tables and second one
+or afterwards fails the driver reverts usage of term tables but
+doesn't reset the assignment in attr->dests[num_vport_dests].termtbl
+which case a use-after-free when releasing the rule.
+Fix by resetting the assignment of termtbl to null.
+
+Fixes: 10caabdaad5a ("net/mlx5e: Use termination table for VLAN push actions")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Maor Dickman <maord@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c  | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+index 8f86b62e49e3..1b417b1d1cf8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+@@ -309,6 +309,8 @@ mlx5_eswitch_add_termtbl_rule(struct mlx5_eswitch *esw,
+       for (curr_dest = 0; curr_dest < num_vport_dests; curr_dest++) {
+               struct mlx5_termtbl_handle *tt = attr->dests[curr_dest].termtbl;
+ 
++              attr->dests[curr_dest].termtbl = NULL;
++
+               /* search for the destination associated with the
+                * current term table
+                */
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch b/queue-5.15/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch
new file mode 100644 (file)
index 0000000..40880ff
--- /dev/null
+++ b/queue-5.15/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch
@@ -0,0 +1,48 @@
+From 9f33814dcbd47cda823e5e146fa52063b78b53d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 07:09:17 +0000
+Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ]
+
+The ntb_netdev_init_module() returns the ntb_transport_register_client()
+directly without checking its return value, if
+ntb_transport_register_client() failed, the NTB client device is not
+unregistered.
+
+Fix by unregister NTB client device when ntb_transport_register_client()
+failed.
+
+Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index a5bab614ff84..1b7d588ff3c5 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -484,7 +484,14 @@ static int __init ntb_netdev_init_module(void)
+       rc = ntb_transport_register_client_dev(KBUILD_MODNAME);
+       if (rc)
+               return rc;
+-      return ntb_transport_register_client(&ntb_netdev_client);
++
++      rc = ntb_transport_register_client(&ntb_netdev_client);
++      if (rc) {
++              ntb_transport_unregister_client_dev(KBUILD_MODNAME);
++              return rc;
++      }
++
++      return 0;
+ }
+ module_init(ntb_netdev_init_module);
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-phy-fix-null-ptr-deref-while-probe-failed.patch b/queue-5.15/net-phy-fix-null-ptr-deref-while-probe-failed.patch
new file mode 100644 (file)
index 0000000..f03ab3f
--- /dev/null
+++ b/queue-5.15/net-phy-fix-null-ptr-deref-while-probe-failed.patch
@@ -0,0 +1,73 @@
+From a53db464885b99b2d0c985b7efe14a980db4edcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 21:28:08 +0800
+Subject: net: phy: fix null-ptr-deref while probe() failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ]
+
+I got a null-ptr-deref report as following when doing fault injection test:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000058
+Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G    B            N 6.1.0-rc3+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:klist_put+0x2d/0xd0
+Call Trace:
+ <TASK>
+ klist_remove+0xf1/0x1c0
+ device_release_driver_internal+0x23e/0x2d0
+ bus_remove_device+0x1bd/0x240
+ device_del+0x357/0x770
+ phy_device_remove+0x11/0x30
+ mdiobus_unregister+0xa5/0x140
+ release_nodes+0x6a/0xa0
+ devres_release_all+0xf8/0x150
+ device_unbind_cleanup+0x19/0xd0
+
+//probe path:
+phy_device_register()
+  device_add()
+
+phy_connect
+  phy_attach_direct() //set device driver
+    probe() //it's failed, driver is not bound
+    device_bind_driver() // probe failed, it's not called
+
+//remove path:
+phy_device_remove()
+  device_del()
+    device_release_driver_internal()
+      __device_release_driver() //dev->drv is not NULL
+        klist_remove() <- knode_driver is not added yet, cause null-ptr-deref
+
+In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
+device_bind_driver() is not called, so the knode_driver->n_klist is not
+set, then it causes null-ptr-deref in __device_release_driver() while
+deleting device. Fix this by setting dev->driver to NULL in the error
+path in phy_attach_direct().
+
+Fixes: e13934563db0 ("[PATCH] PHY Layer fixup")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index c5b92ffaffb9..1dd521c99725 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1518,6 +1518,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev,
+ 
+ error_module_put:
+       module_put(d->driver->owner);
++      d->driver = NULL;
+ error_put_device:
+       put_device(d);
+       if (ndev_owner != bus->owner)
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-tun-fix-use-after-free-in-tun_detach.patch b/queue-5.15/net-tun-fix-use-after-free-in-tun_detach.patch
new file mode 100644 (file)
index 0000000..6833a7b
--- /dev/null
+++ b/queue-5.15/net-tun-fix-use-after-free-in-tun_detach.patch
@@ -0,0 +1,90 @@
+From ac181d6e465e964674a4023afe467b3251a5862e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 02:51:34 +0900
+Subject: net: tun: Fix use-after-free in tun_detach()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 5daadc86f27ea4d691e2131c04310d0418c6cd12 ]
+
+syzbot reported use-after-free in tun_detach() [1].  This causes call
+trace like below:
+
+==================================================================
+BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
+Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673
+
+CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:284 [inline]
+ print_report+0x15e/0x461 mm/kasan/report.c:395
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
+ notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
+ call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
+ call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
+ call_netdevice_notifiers net/core/dev.c:1997 [inline]
+ netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
+ netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
+ tun_detach drivers/net/tun.c:704 [inline]
+ tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
+ __fput+0x27c/0xa90 fs/file_table.c:320
+ task_work_run+0x16f/0x270 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xb3d/0x2a30 kernel/exit.c:820
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:950
+ get_signal+0x21b1/0x2440 kernel/signal.c:2858
+ arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
+ exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
+ exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
+ do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The cause of the issue is that sock_put() from __tun_detach() drops
+last reference count for struct net, and then notifier_call_chain()
+from netdev_state_change() accesses that struct net.
+
+This patch fixes the issue by calling sock_put() from tun_detach()
+after all necessary accesses for the struct net has done.
+
+Fixes: 83c1f36f9880 ("tun: send netlink notification when the device is modified")
+Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 575077998d8a..a1dda57c812d 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -687,7 +687,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
+               if (tun)
+                       xdp_rxq_info_unreg(&tfile->xdp_rxq);
+               ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
+-              sock_put(&tfile->sk);
+       }
+ }
+ 
+@@ -703,6 +702,9 @@ static void tun_detach(struct tun_file *tfile, bool clean)
+       if (dev)
+               netdev_state_change(dev);
+       rtnl_unlock();
++
++      if (clean)
++              sock_put(&tfile->sk);
+ }
+ 
+ static void tun_detach_all(struct net_device *dev)
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch b/queue-5.15/net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch
new file mode 100644 (file)
index 0000000..49343e7
--- /dev/null
+++ b/queue-5.15/net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch
@@ -0,0 +1,42 @@
+From 8e9eafccbdcd55d5ac3ac0d11a5e79c94518ba6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:08:03 +0530
+Subject: net: wwan: iosm: fix dma_alloc_coherent incompatible pointer type
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit 4a99e3c8ed888577b947cbed97d88c9706896105 ]
+
+Fix build error reported on armhf while preparing 6.1-rc5
+for Debian.
+
+iosm_ipc_protocol.c:244:36: error: passing argument 3 of
+'dma_alloc_coherent' from incompatible pointer type.
+
+Change phy_ap_shm type from phys_addr_t to dma_addr_t.
+
+Fixes: faed4c6f6f48 ("net: iosm: shared memory protocol")
+Reported-by: Bonaccorso Salvatore <carnil@debian.org>
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_protocol.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_protocol.h b/drivers/net/wwan/iosm/iosm_ipc_protocol.h
+index 9b3a6d86ece7..289397c4ea6c 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_protocol.h
++++ b/drivers/net/wwan/iosm/iosm_ipc_protocol.h
+@@ -122,7 +122,7 @@ struct iosm_protocol {
+       struct iosm_imem *imem;
+       struct ipc_rsp *rsp_ring[IPC_MEM_MSG_ENTRIES];
+       struct device *dev;
+-      phys_addr_t phy_ap_shm;
++      dma_addr_t phy_ap_shm;
+       u32 old_msg_tail;
+ };
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/net-wwan-iosm-fix-kernel-test-robot-reported-error.patch b/queue-5.15/net-wwan-iosm-fix-kernel-test-robot-reported-error.patch
new file mode 100644 (file)
index 0000000..934638d
--- /dev/null
+++ b/queue-5.15/net-wwan-iosm-fix-kernel-test-robot-reported-error.patch
@@ -0,0 +1,40 @@
+From 23c703a82f3d902a53ba749e901e9334ca7b3271 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:07:46 +0530
+Subject: net: wwan: iosm: fix kernel test robot reported error
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit 985a02e75881b73a43c9433a718b49d272a9dd6b ]
+
+sparse warnings - iosm_ipc_mux_codec.c:1474 using plain
+integer as NULL pointer.
+
+Use skb_trim() to reset skb tail & len.
+
+Fixes: 9413491e20e1 ("net: iosm: encode or decode datagram")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_mux_codec.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+index bdb2d32cdb6d..e323fe1ae538 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+@@ -830,8 +830,7 @@ void ipc_mux_ul_encoded_process(struct iosm_mux *ipc_mux, struct sk_buff *skb)
+                       ipc_mux->ul_data_pend_bytes);
+ 
+       /* Reset the skb settings. */
+-      skb->tail = 0;
+-      skb->len = 0;
++      skb_trim(skb, 0);
+ 
+       /* Add the consumed ADB to the free list. */
+       skb_queue_tail((&ipc_mux->ul_adb.free_list), skb);
+-- 
+2.35.1
+

diff --git a/queue-5.15/nvmem-rmem-fix-return-value-check-in-rmem_read.patch b/queue-5.15/nvmem-rmem-fix-return-value-check-in-rmem_read.patch
new file mode 100644 (file)
index 0000000..e940e2c
--- /dev/null
+++ b/queue-5.15/nvmem-rmem-fix-return-value-check-in-rmem_read.patch
@@ -0,0 +1,46 @@
+From 9a3e94c32631cf6270e3ef0fce52c4240cd14367 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 06:38:38 +0000
+Subject: nvmem: rmem: Fix return value check in rmem_read()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 58e92c4a496b27156020a59a98c7f4a92c2b1533 ]
+
+In case of error, the function memremap() returns NULL pointer
+not ERR_PTR(). The IS_ERR() test in the return value check
+should be replaced with NULL test.
+
+Fixes: 5a3fa75a4d9c ("nvmem: Add driver to expose reserved memory as nvmem")
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20221118063840.6357-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvmem/rmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvmem/rmem.c b/drivers/nvmem/rmem.c
+index b11c3c974b3d..80cb187f1481 100644
+--- a/drivers/nvmem/rmem.c
++++ b/drivers/nvmem/rmem.c
+@@ -37,9 +37,9 @@ static int rmem_read(void *context, unsigned int offset,
+        * but as of Dec 2020 this isn't possible on arm64.
+        */
+       addr = memremap(priv->mem->base, available, MEMREMAP_WB);
+-      if (IS_ERR(addr)) {
++      if (!addr) {
+               dev_err(priv->dev, "Failed to remap memory region\n");
+-              return PTR_ERR(addr);
++              return -ENOMEM;
+       }
+ 
+       count = memory_read_from_buffer(val, bytes, &off, addr, available);
+-- 
+2.35.1
+

diff --git a/queue-5.15/of-property-decrement-node-refcount-in-of_fwnode_get.patch b/queue-5.15/of-property-decrement-node-refcount-in-of_fwnode_get.patch
new file mode 100644 (file)
index 0000000..cce0dbd
--- /dev/null
+++ b/queue-5.15/of-property-decrement-node-refcount-in-of_fwnode_get.patch
@@ -0,0 +1,47 @@
+From 4184ea9254485a982ff4e9046096716b8569f8fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 10:32:09 +0800
+Subject: of: property: decrement node refcount in
+ of_fwnode_get_reference_args()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 60d865bd5a9b15a3961eb1c08bd4155682a3c81e ]
+
+In of_fwnode_get_reference_args(), the refcount of of_args.np has
+been incremented in the case of successful return from
+of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args().
+
+Decrement the refcount if of_args is not returned to the caller of
+of_fwnode_get_reference_args().
+
+Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/property.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/property.c b/drivers/of/property.c
+index a3483484a5a2..acf0d3110357 100644
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -975,8 +975,10 @@ of_fwnode_get_reference_args(const struct fwnode_handle *fwnode,
+                                                      nargs, index, &of_args);
+       if (ret < 0)
+               return ret;
+-      if (!args)
++      if (!args) {
++              of_node_put(of_args.np);
+               return 0;
++      }
+ 
+       args->nargs = of_args.args_count;
+       args->fwnode = of_fwnode_handle(of_args.np);
+-- 
+2.35.1
+

diff --git a/queue-5.15/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch b/queue-5.15/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch
new file mode 100644 (file)
index 0000000..f83f1c3
--- /dev/null
+++ b/queue-5.15/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch
@@ -0,0 +1,49 @@
+From 19c2f187e69d247191060c5e510d0440105e5030 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 11:18:12 -0500
+Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ]
+
+CHECKSUM_COMPLETE signals that skb->csum stores the sum over the
+entire packet. It does not imply that an embedded l4 checksum
+field has been validated.
+
+Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 968dac3fcf58..ceca0d6c41b5 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2246,8 +2246,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+       if (skb->ip_summed == CHECKSUM_PARTIAL)
+               status |= TP_STATUS_CSUMNOTREADY;
+       else if (skb->pkt_type != PACKET_OUTGOING &&
+-               (skb->ip_summed == CHECKSUM_COMPLETE ||
+-                skb_csum_unnecessary(skb)))
++               skb_csum_unnecessary(skb))
+               status |= TP_STATUS_CSUM_VALID;
+ 
+       if (snaplen > res)
+@@ -3480,8 +3479,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+               if (skb->ip_summed == CHECKSUM_PARTIAL)
+                       aux.tp_status |= TP_STATUS_CSUMNOTREADY;
+               else if (skb->pkt_type != PACKET_OUTGOING &&
+-                       (skb->ip_summed == CHECKSUM_COMPLETE ||
+-                        skb_csum_unnecessary(skb)))
++                       skb_csum_unnecessary(skb))
+                       aux.tp_status |= TP_STATUS_CSUM_VALID;
+ 
+               aux.tp_len = origlen;
+-- 
+2.35.1
+

diff --git a/queue-5.15/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch b/queue-5.15/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch
new file mode 100644 (file)
index 0000000..5fdfec7
--- /dev/null
+++ b/queue-5.15/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch
@@ -0,0 +1,70 @@
+From 82da32c722d7673b0c526a7d5b2ca571f26327d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 18:06:42 +0800
+Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ]
+
+The watchdog timer is used to monitor whether the process
+of transmitting data is timeout. If we use qlcnic driver,
+the dev_watchdog() that is the timer handler of watchdog
+timer will call qlcnic_tx_timeout() to process the timeout.
+But the qlcnic_tx_timeout() calls msleep(), as a result,
+the sleep-in-atomic-context bugs will happen. The processes
+are shown below:
+
+   (atomic context)
+dev_watchdog
+  qlcnic_tx_timeout
+    qlcnic_83xx_idc_request_reset
+      qlcnic_83xx_lock_driver
+        msleep
+
+---------------------------
+
+   (atomic context)
+dev_watchdog
+  qlcnic_tx_timeout
+    qlcnic_83xx_idc_request_reset
+      qlcnic_83xx_lock_driver
+        qlcnic_83xx_recover_driver_lock
+          msleep
+
+Fix by changing msleep() to mdelay(), the mdelay() is
+busy-waiting and the bugs could be mitigated.
+
+Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+index bd0607680329..2fd5c6fdb500 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -2991,7 +2991,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter)
+               QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val);
+               dev_info(&adapter->pdev->dev,
+                        "%s: lock recovery initiated\n", __func__);
+-              msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
++              mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
+               val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK);
+               id = ((val >> 2) & 0xF);
+               if (id == adapter->portnum) {
+@@ -3027,7 +3027,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter)
+               if (status)
+                       break;
+ 
+-              msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY);
++              mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY);
+               i++;
+ 
+               if (i == 1)
+-- 
+2.35.1
+

diff --git a/queue-5.15/scripts-faddr2line-fix-regression-in-name-resolution.patch b/queue-5.15/scripts-faddr2line-fix-regression-in-name-resolution.patch
new file mode 100644 (file)
index 0000000..f52d3b2
--- /dev/null
+++ b/queue-5.15/scripts-faddr2line-fix-regression-in-name-resolution.patch
@@ -0,0 +1,79 @@
+From bac03f0c98408784803b83738220f83ffcc540f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 13:22:11 +0530
+Subject: scripts/faddr2line: Fix regression in name resolution on ppc64le
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 2d77de1581bb5b470486edaf17a7d70151131afd ]
+
+Commit 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section
+failures") can cause faddr2line to fail on ppc64le on some
+distributions, while it works fine on other distributions. The failure
+can be attributed to differences in the readelf output.
+
+  $ ./scripts/faddr2line vmlinux find_busiest_group+0x00
+  no match for find_busiest_group+0x00
+
+On ppc64le, readelf adds the localentry tag before the symbol name on
+some distributions, and adds the localentry tag after the symbol name on
+other distributions. This problem has been discussed previously:
+
+  https://lore.kernel.org/bpf/20191211160133.GB4580@calabresa/
+
+This problem can be overcome by filtering out the localentry tags in the
+readelf output. Similar fixes are already present in the kernel by way
+of the following commits:
+
+  1fd6cee127e2 ("libbpf: Fix VERSIONED_SYM_COUNT number parsing")
+  aa915931ac3e ("libbpf: Fix readelf output parsing for Fedora")
+
+[jpoimboe: rework commit log]
+
+Fixes: 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section failures")
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Reviewed-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Link: https://lore.kernel.org/r/20220927075211.897152-1-srikar@linux.vnet.ibm.com
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/faddr2line | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/faddr2line b/scripts/faddr2line
+index 57099687e5e1..9e730b805e87 100755
+--- a/scripts/faddr2line
++++ b/scripts/faddr2line
+@@ -73,7 +73,8 @@ command -v ${ADDR2LINE} >/dev/null 2>&1 || die "${ADDR2LINE} isn't installed"
+ find_dir_prefix() {
+       local objfile=$1
+ 
+-      local start_kernel_addr=$(${READELF} --symbols --wide $objfile | ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}')
++      local start_kernel_addr=$(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' |
++              ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}')
+       [[ -z $start_kernel_addr ]] && return
+ 
+       local file_line=$(${ADDR2LINE} -e $objfile $start_kernel_addr)
+@@ -177,7 +178,7 @@ __faddr2line() {
+                               found=2
+                               break
+                       fi
+-              done < <(${READELF} --symbols --wide $objfile | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2)
++              done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2)
+ 
+               if [[ $found = 0 ]]; then
+                       warn "can't find symbol: sym_name: $sym_name sym_sec: $sym_sec sym_addr: $sym_addr sym_elf_size: $sym_elf_size"
+@@ -258,7 +259,7 @@ __faddr2line() {
+ 
+               DONE=1
+ 
+-      done < <(${READELF} --symbols --wide $objfile | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn')
++      done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn')
+ }
+ 
+ [[ $# -lt 2 ]] && usage
+-- 
+2.35.1
+

diff --git a/queue-5.15/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch b/queue-5.15/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch
new file mode 100644 (file)
index 0000000..d8e8151
--- /dev/null
+++ b/queue-5.15/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch
@@ -0,0 +1,202 @@
+From 80d98b89935bf003c2688177f2a44eb68ada1958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 11:17:20 +0800
+Subject: sctp: fix memory leak in sctp_stream_outq_migrate()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9 ]
+
+When sctp_stream_outq_migrate() is called to release stream out resources,
+the memory pointed to by prio_head in stream out is not released.
+
+The memory leak information is as follows:
+ unreferenced object 0xffff88801fe79f80 (size 64):
+   comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s)
+   hex dump (first 32 bytes):
+     80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff  ................
+     90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff  ................
+   backtrace:
+     [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60
+     [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770
+     [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0
+     [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30
+     [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0
+     [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0
+     [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120
+     [<ffffffff8755446a>] __sys_sendto+0x23a/0x340
+     [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0
+     [<ffffffff89978b49>] do_syscall_64+0x39/0xb0
+     [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0
+Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
+Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sctp/stream_sched.h |  2 ++
+ net/sctp/stream.c               | 25 ++++++++++++++++++-------
+ net/sctp/stream_sched.c         |  5 +++++
+ net/sctp/stream_sched_prio.c    | 19 +++++++++++++++++++
+ net/sctp/stream_sched_rr.c      |  5 +++++
+ 5 files changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/sctp/stream_sched.h b/include/net/sctp/stream_sched.h
+index 01a70b27e026..65058faea4db 100644
+--- a/include/net/sctp/stream_sched.h
++++ b/include/net/sctp/stream_sched.h
+@@ -26,6 +26,8 @@ struct sctp_sched_ops {
+       int (*init)(struct sctp_stream *stream);
+       /* Init a stream */
+       int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp);
++      /* free a stream */
++      void (*free_sid)(struct sctp_stream *stream, __u16 sid);
+       /* Frees the entire thing */
+       void (*free)(struct sctp_stream *stream);
+ 
+diff --git a/net/sctp/stream.c b/net/sctp/stream.c
+index ef9fceadef8d..ee6514af830f 100644
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -52,6 +52,19 @@ static void sctp_stream_shrink_out(struct sctp_stream *stream, __u16 outcnt)
+       }
+ }
+ 
++static void sctp_stream_free_ext(struct sctp_stream *stream, __u16 sid)
++{
++      struct sctp_sched_ops *sched;
++
++      if (!SCTP_SO(stream, sid)->ext)
++              return;
++
++      sched = sctp_sched_ops_from_stream(stream);
++      sched->free_sid(stream, sid);
++      kfree(SCTP_SO(stream, sid)->ext);
++      SCTP_SO(stream, sid)->ext = NULL;
++}
++
+ /* Migrates chunks from stream queues to new stream queues if needed,
+  * but not across associations. Also, removes those chunks to streams
+  * higher than the new max.
+@@ -70,16 +83,14 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream,
+                * sctp_stream_update will swap ->out pointers.
+                */
+               for (i = 0; i < outcnt; i++) {
+-                      kfree(SCTP_SO(new, i)->ext);
++                      sctp_stream_free_ext(new, i);
+                       SCTP_SO(new, i)->ext = SCTP_SO(stream, i)->ext;
+                       SCTP_SO(stream, i)->ext = NULL;
+               }
+       }
+ 
+-      for (i = outcnt; i < stream->outcnt; i++) {
+-              kfree(SCTP_SO(stream, i)->ext);
+-              SCTP_SO(stream, i)->ext = NULL;
+-      }
++      for (i = outcnt; i < stream->outcnt; i++)
++              sctp_stream_free_ext(stream, i);
+ }
+ 
+ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
+@@ -174,9 +185,9 @@ void sctp_stream_free(struct sctp_stream *stream)
+       struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);
+       int i;
+ 
+-      sched->free(stream);
++      sched->unsched_all(stream);
+       for (i = 0; i < stream->outcnt; i++)
+-              kfree(SCTP_SO(stream, i)->ext);
++              sctp_stream_free_ext(stream, i);
+       genradix_free(&stream->out);
+       genradix_free(&stream->in);
+ }
+diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
+index a2e1d34f52c5..33c2630c2496 100644
+--- a/net/sctp/stream_sched.c
++++ b/net/sctp/stream_sched.c
+@@ -46,6 +46,10 @@ static int sctp_sched_fcfs_init_sid(struct sctp_stream *stream, __u16 sid,
+       return 0;
+ }
+ 
++static void sctp_sched_fcfs_free_sid(struct sctp_stream *stream, __u16 sid)
++{
++}
++
+ static void sctp_sched_fcfs_free(struct sctp_stream *stream)
+ {
+ }
+@@ -96,6 +100,7 @@ static struct sctp_sched_ops sctp_sched_fcfs = {
+       .get = sctp_sched_fcfs_get,
+       .init = sctp_sched_fcfs_init,
+       .init_sid = sctp_sched_fcfs_init_sid,
++      .free_sid = sctp_sched_fcfs_free_sid,
+       .free = sctp_sched_fcfs_free,
+       .enqueue = sctp_sched_fcfs_enqueue,
+       .dequeue = sctp_sched_fcfs_dequeue,
+diff --git a/net/sctp/stream_sched_prio.c b/net/sctp/stream_sched_prio.c
+index 80b5a2c4cbc7..4fc9f2923ed1 100644
+--- a/net/sctp/stream_sched_prio.c
++++ b/net/sctp/stream_sched_prio.c
+@@ -204,6 +204,24 @@ static int sctp_sched_prio_init_sid(struct sctp_stream *stream, __u16 sid,
+       return sctp_sched_prio_set(stream, sid, 0, gfp);
+ }
+ 
++static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid)
++{
++      struct sctp_stream_priorities *prio = SCTP_SO(stream, sid)->ext->prio_head;
++      int i;
++
++      if (!prio)
++              return;
++
++      SCTP_SO(stream, sid)->ext->prio_head = NULL;
++      for (i = 0; i < stream->outcnt; i++) {
++              if (SCTP_SO(stream, i)->ext &&
++                  SCTP_SO(stream, i)->ext->prio_head == prio)
++                      return;
++      }
++
++      kfree(prio);
++}
++
+ static void sctp_sched_prio_free(struct sctp_stream *stream)
+ {
+       struct sctp_stream_priorities *prio, *n;
+@@ -323,6 +341,7 @@ static struct sctp_sched_ops sctp_sched_prio = {
+       .get = sctp_sched_prio_get,
+       .init = sctp_sched_prio_init,
+       .init_sid = sctp_sched_prio_init_sid,
++      .free_sid = sctp_sched_prio_free_sid,
+       .free = sctp_sched_prio_free,
+       .enqueue = sctp_sched_prio_enqueue,
+       .dequeue = sctp_sched_prio_dequeue,
+diff --git a/net/sctp/stream_sched_rr.c b/net/sctp/stream_sched_rr.c
+index ff425aed62c7..cc444fe0d67c 100644
+--- a/net/sctp/stream_sched_rr.c
++++ b/net/sctp/stream_sched_rr.c
+@@ -90,6 +90,10 @@ static int sctp_sched_rr_init_sid(struct sctp_stream *stream, __u16 sid,
+       return 0;
+ }
+ 
++static void sctp_sched_rr_free_sid(struct sctp_stream *stream, __u16 sid)
++{
++}
++
+ static void sctp_sched_rr_free(struct sctp_stream *stream)
+ {
+       sctp_sched_rr_unsched_all(stream);
+@@ -177,6 +181,7 @@ static struct sctp_sched_ops sctp_sched_rr = {
+       .get = sctp_sched_rr_get,
+       .init = sctp_sched_rr_init,
+       .init_sid = sctp_sched_rr_init_sid,
++      .free_sid = sctp_sched_rr_free_sid,
+       .free = sctp_sched_rr_free,
+       .enqueue = sctp_sched_rr_enqueue,
+       .dequeue = sctp_sched_rr_dequeue,
+-- 
+2.35.1
+

diff --git a/queue-5.15/serial-stm32-deassert-transmit-enable-on-rs485_confi.patch b/queue-5.15/serial-stm32-deassert-transmit-enable-on-rs485_confi.patch
new file mode 100644 (file)
index 0000000..0f1b9d8
--- /dev/null
+++ b/queue-5.15/serial-stm32-deassert-transmit-enable-on-rs485_confi.patch
@@ -0,0 +1,172 @@
+From de147331681c9fb3b67469adddbcf6adbdc85b1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Sep 2022 11:02:03 +0200
+Subject: serial: stm32: Deassert Transmit Enable on ->rs485_config()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit adafbbf6895eb0ce41a313c6ee68870ab9aa93cd ]
+
+The STM32 USART can control RS-485 Transmit Enable in hardware.  Since
+commit 7df5081cbf5e ("serial: stm32: Add RS485 RTS GPIO control"),
+it can alternatively be controlled in software.  That was done to allow
+RS-485 even if the RTS pin is unavailable because it's pinmuxed to a
+different function.
+
+However the commit neglected to deassert Transmit Enable upon invocation
+of the ->rs485_config() callback.  Fix it.
+
+Avoid forward declarations by moving stm32_usart_tx_empty(),
+stm32_usart_rs485_rts_enable() and stm32_usart_rs485_rts_disable()
+further up in the driver.
+
+Fixes: 7df5081cbf5e ("serial: stm32: Add RS485 RTS GPIO control")
+Cc: stable@vger.kernel.org # v5.9+
+Cc: Marek Vasut <marex@denx.de>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://lore.kernel.org/r/6059eab35dba394468335ef640df8b0050fd9dbd.1662886616.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 100 ++++++++++++++++---------------
+ 1 file changed, 53 insertions(+), 47 deletions(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index 3505923947f8..da698e0cd835 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -61,6 +61,53 @@ static void stm32_usart_clr_bits(struct uart_port *port, u32 reg, u32 bits)
+       writel_relaxed(val, port->membase + reg);
+ }
+ 
++static unsigned int stm32_usart_tx_empty(struct uart_port *port)
++{
++      struct stm32_port *stm32_port = to_stm32_port(port);
++      const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
++
++      if (readl_relaxed(port->membase + ofs->isr) & USART_SR_TC)
++              return TIOCSER_TEMT;
++
++      return 0;
++}
++
++static void stm32_usart_rs485_rts_enable(struct uart_port *port)
++{
++      struct stm32_port *stm32_port = to_stm32_port(port);
++      struct serial_rs485 *rs485conf = &port->rs485;
++
++      if (stm32_port->hw_flow_control ||
++          !(rs485conf->flags & SER_RS485_ENABLED))
++              return;
++
++      if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl | TIOCM_RTS);
++      } else {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl & ~TIOCM_RTS);
++      }
++}
++
++static void stm32_usart_rs485_rts_disable(struct uart_port *port)
++{
++      struct stm32_port *stm32_port = to_stm32_port(port);
++      struct serial_rs485 *rs485conf = &port->rs485;
++
++      if (stm32_port->hw_flow_control ||
++          !(rs485conf->flags & SER_RS485_ENABLED))
++              return;
++
++      if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl & ~TIOCM_RTS);
++      } else {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl | TIOCM_RTS);
++      }
++}
++
+ static void stm32_usart_config_reg_rs485(u32 *cr1, u32 *cr3, u32 delay_ADE,
+                                        u32 delay_DDE, u32 baud)
+ {
+@@ -149,6 +196,12 @@ static int stm32_usart_config_rs485(struct uart_port *port,
+ 
+       stm32_usart_set_bits(port, ofs->cr1, BIT(cfg->uart_enable_bit));
+ 
++      /* Adjust RTS polarity in case it's driven in software */
++      if (stm32_usart_tx_empty(port))
++              stm32_usart_rs485_rts_disable(port);
++      else
++              stm32_usart_rs485_rts_enable(port);
++
+       return 0;
+ }
+ 
+@@ -341,42 +394,6 @@ static void stm32_usart_tc_interrupt_disable(struct uart_port *port)
+       stm32_usart_clr_bits(port, ofs->cr1, USART_CR1_TCIE);
+ }
+ 
+-static void stm32_usart_rs485_rts_enable(struct uart_port *port)
+-{
+-      struct stm32_port *stm32_port = to_stm32_port(port);
+-      struct serial_rs485 *rs485conf = &port->rs485;
+-
+-      if (stm32_port->hw_flow_control ||
+-          !(rs485conf->flags & SER_RS485_ENABLED))
+-              return;
+-
+-      if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
+-              mctrl_gpio_set(stm32_port->gpios,
+-                             stm32_port->port.mctrl | TIOCM_RTS);
+-      } else {
+-              mctrl_gpio_set(stm32_port->gpios,
+-                             stm32_port->port.mctrl & ~TIOCM_RTS);
+-      }
+-}
+-
+-static void stm32_usart_rs485_rts_disable(struct uart_port *port)
+-{
+-      struct stm32_port *stm32_port = to_stm32_port(port);
+-      struct serial_rs485 *rs485conf = &port->rs485;
+-
+-      if (stm32_port->hw_flow_control ||
+-          !(rs485conf->flags & SER_RS485_ENABLED))
+-              return;
+-
+-      if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
+-              mctrl_gpio_set(stm32_port->gpios,
+-                             stm32_port->port.mctrl & ~TIOCM_RTS);
+-      } else {
+-              mctrl_gpio_set(stm32_port->gpios,
+-                             stm32_port->port.mctrl | TIOCM_RTS);
+-      }
+-}
+-
+ static void stm32_usart_transmit_chars_pio(struct uart_port *port)
+ {
+       struct stm32_port *stm32_port = to_stm32_port(port);
+@@ -590,17 +607,6 @@ static irqreturn_t stm32_usart_threaded_interrupt(int irq, void *ptr)
+       return IRQ_HANDLED;
+ }
+ 
+-static unsigned int stm32_usart_tx_empty(struct uart_port *port)
+-{
+-      struct stm32_port *stm32_port = to_stm32_port(port);
+-      const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
+-
+-      if (readl_relaxed(port->membase + ofs->isr) & USART_SR_TC)
+-              return TIOCSER_TEMT;
+-
+-      return 0;
+-}
+-
+ static void stm32_usart_set_mctrl(struct uart_port *port, unsigned int mctrl)
+ {
+       struct stm32_port *stm32_port = to_stm32_port(port);
+-- 
+2.35.1
+

diff --git a/queue-5.15/serial-stm32-factor-out-gpio-rts-toggling-into-separ.patch b/queue-5.15/serial-stm32-factor-out-gpio-rts-toggling-into-separ.patch
new file mode 100644 (file)
index 0000000..3a52ef8
--- /dev/null
+++ b/queue-5.15/serial-stm32-factor-out-gpio-rts-toggling-into-separ.patch
@@ -0,0 +1,122 @@
+From 72dc7efee51074a225b188d250ea3025bed5f36e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Apr 2022 18:28:44 +0200
+Subject: serial: stm32: Factor out GPIO RTS toggling into separate function
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 3bcea529b295a993b1b05db63f245ae8030c5acf ]
+
+Pull out the GPIO RTS enable and disable handling into separate function.
+Limit the scope of GPIO RTS toggling only to GPIO emulated RS485 too.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Cc: Erwan Le Ray <erwan.leray@foss.st.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jean Philippe Romain <jean-philippe.romain@foss.st.com>
+Cc: Valentin Caron <valentin.caron@foss.st.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-stm32@st-md-mailman.stormreply.com
+To: linux-serial@vger.kernel.org
+Link: https://lore.kernel.org/r/20220430162845.244655-1-marex@denx.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: adafbbf6895e ("serial: stm32: Deassert Transmit Enable on ->rs485_config()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 59 ++++++++++++++++++++------------
+ 1 file changed, 38 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index fc166cc2c856..a1092a8a8243 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -325,6 +325,42 @@ static void stm32_usart_tx_interrupt_disable(struct uart_port *port)
+               stm32_usart_clr_bits(port, ofs->cr1, USART_CR1_TXEIE);
+ }
+ 
++static void stm32_usart_rs485_rts_enable(struct uart_port *port)
++{
++      struct stm32_port *stm32_port = to_stm32_port(port);
++      struct serial_rs485 *rs485conf = &port->rs485;
++
++      if (stm32_port->hw_flow_control ||
++          !(rs485conf->flags & SER_RS485_ENABLED))
++              return;
++
++      if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl | TIOCM_RTS);
++      } else {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl & ~TIOCM_RTS);
++      }
++}
++
++static void stm32_usart_rs485_rts_disable(struct uart_port *port)
++{
++      struct stm32_port *stm32_port = to_stm32_port(port);
++      struct serial_rs485 *rs485conf = &port->rs485;
++
++      if (stm32_port->hw_flow_control ||
++          !(rs485conf->flags & SER_RS485_ENABLED))
++              return;
++
++      if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl & ~TIOCM_RTS);
++      } else {
++              mctrl_gpio_set(stm32_port->gpios,
++                             stm32_port->port.mctrl | TIOCM_RTS);
++      }
++}
++
+ static void stm32_usart_transmit_chars_pio(struct uart_port *port)
+ {
+       struct stm32_port *stm32_port = to_stm32_port(port);
+@@ -567,40 +603,21 @@ static void stm32_usart_disable_ms(struct uart_port *port)
+ static void stm32_usart_stop_tx(struct uart_port *port)
+ {
+       struct stm32_port *stm32_port = to_stm32_port(port);
+-      struct serial_rs485 *rs485conf = &port->rs485;
+ 
+       stm32_usart_tx_interrupt_disable(port);
+ 
+-      if (rs485conf->flags & SER_RS485_ENABLED) {
+-              if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
+-                      mctrl_gpio_set(stm32_port->gpios,
+-                                      stm32_port->port.mctrl & ~TIOCM_RTS);
+-              } else {
+-                      mctrl_gpio_set(stm32_port->gpios,
+-                                      stm32_port->port.mctrl | TIOCM_RTS);
+-              }
+-      }
++      stm32_usart_rs485_rts_disable(port);
+ }
+ 
+ /* There are probably characters waiting to be transmitted. */
+ static void stm32_usart_start_tx(struct uart_port *port)
+ {
+-      struct stm32_port *stm32_port = to_stm32_port(port);
+-      struct serial_rs485 *rs485conf = &port->rs485;
+       struct circ_buf *xmit = &port->state->xmit;
+ 
+       if (uart_circ_empty(xmit) && !port->x_char)
+               return;
+ 
+-      if (rs485conf->flags & SER_RS485_ENABLED) {
+-              if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
+-                      mctrl_gpio_set(stm32_port->gpios,
+-                                      stm32_port->port.mctrl | TIOCM_RTS);
+-              } else {
+-                      mctrl_gpio_set(stm32_port->gpios,
+-                                      stm32_port->port.mctrl & ~TIOCM_RTS);
+-              }
+-      }
++      stm32_usart_rs485_rts_enable(port);
+ 
+       stm32_usart_transmit_chars(port);
+ }
+-- 
+2.35.1
+

diff --git a/queue-5.15/serial-stm32-use-tc-interrupt-to-deassert-gpio-rts-i.patch b/queue-5.15/serial-stm32-use-tc-interrupt-to-deassert-gpio-rts-i.patch
new file mode 100644 (file)
index 0000000..c1ce02d
--- /dev/null
+++ b/queue-5.15/serial-stm32-use-tc-interrupt-to-deassert-gpio-rts-i.patch
@@ -0,0 +1,136 @@
+From 2169877934e06059b364f9a3dd097c7e276cb772 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Apr 2022 18:28:45 +0200
+Subject: serial: stm32: Use TC interrupt to deassert GPIO RTS in RS485 mode
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit d7c76716169ddc37cf6316ff381d34ea807fbfd7 ]
+
+In case the RS485 mode is emulated using GPIO RTS, use the TC interrupt
+to deassert the GPIO RTS, otherwise the GPIO RTS stays asserted after a
+transmission ended and the RS485 cannot work.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Cc: Erwan Le Ray <erwan.leray@foss.st.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jean Philippe Romain <jean-philippe.romain@foss.st.com>
+Cc: Valentin Caron <valentin.caron@foss.st.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-stm32@st-md-mailman.stormreply.com
+To: linux-serial@vger.kernel.org
+Link: https://lore.kernel.org/r/20220430162845.244655-2-marex@denx.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: adafbbf6895e ("serial: stm32: Deassert Transmit Enable on ->rs485_config()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 42 ++++++++++++++++++++++++++++++--
+ drivers/tty/serial/stm32-usart.h |  1 +
+ 2 files changed, 41 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index a1092a8a8243..3505923947f8 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -314,6 +314,14 @@ static void stm32_usart_tx_interrupt_enable(struct uart_port *port)
+               stm32_usart_set_bits(port, ofs->cr1, USART_CR1_TXEIE);
+ }
+ 
++static void stm32_usart_tc_interrupt_enable(struct uart_port *port)
++{
++      struct stm32_port *stm32_port = to_stm32_port(port);
++      const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
++
++      stm32_usart_set_bits(port, ofs->cr1, USART_CR1_TCIE);
++}
++
+ static void stm32_usart_tx_interrupt_disable(struct uart_port *port)
+ {
+       struct stm32_port *stm32_port = to_stm32_port(port);
+@@ -325,6 +333,14 @@ static void stm32_usart_tx_interrupt_disable(struct uart_port *port)
+               stm32_usart_clr_bits(port, ofs->cr1, USART_CR1_TXEIE);
+ }
+ 
++static void stm32_usart_tc_interrupt_disable(struct uart_port *port)
++{
++      struct stm32_port *stm32_port = to_stm32_port(port);
++      const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
++
++      stm32_usart_clr_bits(port, ofs->cr1, USART_CR1_TCIE);
++}
++
+ static void stm32_usart_rs485_rts_enable(struct uart_port *port)
+ {
+       struct stm32_port *stm32_port = to_stm32_port(port);
+@@ -462,6 +478,13 @@ static void stm32_usart_transmit_chars(struct uart_port *port)
+       u32 isr;
+       int ret;
+ 
++      if (!stm32_port->hw_flow_control &&
++          port->rs485.flags & SER_RS485_ENABLED) {
++              stm32_port->txdone = false;
++              stm32_usart_tc_interrupt_disable(port);
++              stm32_usart_rs485_rts_enable(port);
++      }
++
+       if (port->x_char) {
+               if (stm32_port->tx_dma_busy)
+                       stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAT);
+@@ -501,8 +524,14 @@ static void stm32_usart_transmit_chars(struct uart_port *port)
+       if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+               uart_write_wakeup(port);
+ 
+-      if (uart_circ_empty(xmit))
++      if (uart_circ_empty(xmit)) {
+               stm32_usart_tx_interrupt_disable(port);
++              if (!stm32_port->hw_flow_control &&
++                  port->rs485.flags & SER_RS485_ENABLED) {
++                      stm32_port->txdone = true;
++                      stm32_usart_tc_interrupt_enable(port);
++              }
++      }
+ }
+ 
+ static irqreturn_t stm32_usart_interrupt(int irq, void *ptr)
+@@ -515,6 +544,13 @@ static irqreturn_t stm32_usart_interrupt(int irq, void *ptr)
+ 
+       sr = readl_relaxed(port->membase + ofs->isr);
+ 
++      if (!stm32_port->hw_flow_control &&
++          port->rs485.flags & SER_RS485_ENABLED &&
++          (sr & USART_SR_TC)) {
++              stm32_usart_tc_interrupt_disable(port);
++              stm32_usart_rs485_rts_disable(port);
++      }
++
+       if ((sr & USART_SR_RTOF) && ofs->icr != UNDEF_REG)
+               writel_relaxed(USART_ICR_RTOCF,
+                              port->membase + ofs->icr);
+@@ -614,8 +650,10 @@ static void stm32_usart_start_tx(struct uart_port *port)
+ {
+       struct circ_buf *xmit = &port->state->xmit;
+ 
+-      if (uart_circ_empty(xmit) && !port->x_char)
++      if (uart_circ_empty(xmit) && !port->x_char) {
++              stm32_usart_rs485_rts_disable(port);
+               return;
++      }
+ 
+       stm32_usart_rs485_rts_enable(port);
+ 
+diff --git a/drivers/tty/serial/stm32-usart.h b/drivers/tty/serial/stm32-usart.h
+index 07ac291328cd..ad6335155de2 100644
+--- a/drivers/tty/serial/stm32-usart.h
++++ b/drivers/tty/serial/stm32-usart.h
+@@ -267,6 +267,7 @@ struct stm32_port {
+       bool hw_flow_control;
+       bool swap;               /* swap RX & TX pins */
+       bool fifoen;
++      bool txdone;
+       int rxftcfg;            /* RX FIFO threshold CFG      */
+       int txftcfg;            /* TX FIFO threshold CFG      */
+       bool wakeup_src;
+-- 
+2.35.1
+

diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644 (file)
index 0000000..998605b
--- /dev/null
+++ b/queue-5.15/series
@@ -0,0 +1,68 @@
+arm64-mte-avoid-setting-pg_mte_tagged-if-no-tags-cle.patch
+serial-stm32-factor-out-gpio-rts-toggling-into-separ.patch
+serial-stm32-use-tc-interrupt-to-deassert-gpio-rts-i.patch
+serial-stm32-deassert-transmit-enable-on-rs485_confi.patch
+drm-i915-create-a-dummy-object-for-gen6-ppgtt.patch
+drm-i915-gt-use-i915_vm_put-on-ppgtt_create-error-pa.patch
+erofs-fix-order-max_order-warning-due-to-crafted-neg.patch
+btrfs-sink-iterator-parameter-to-btrfs_ioctl_logical.patch
+btrfs-free-btrfs_path-before-copying-inodes-to-users.patch
+spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch
+btrfs-move-quota_enabled-check-to-rescan_should_stop.patch
+btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
+drm-display-dp_mst-fix-drm_dp_mst_add_affected_dsc_c.patch
+kbuild-fix-wimplicit-function-declaration-in-license.patch
+drm-amdgpu-update-drm_display_info-correctly-when-th.patch
+drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch
+iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
+iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
+iio-light-rpr0521-add-missing-kconfig-dependencies.patch
+bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch
+scripts-faddr2line-fix-regression-in-name-resolution.patch
+arm-at91-rm9200-fix-usb-device-clock-id.patch
+libbpf-handle-size-overflow-for-ringbuf-mmap.patch
+hwmon-ltc2947-fix-temperature-scaling.patch
+hwmon-ina3221-fix-shunt-sum-critical-calculation.patch
+hwmon-i5500_temp-fix-missing-pci_disable_device.patch
+hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch
+bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch
+nvmem-rmem-fix-return-value-check-in-rmem_read.patch
+of-property-decrement-node-refcount-in-of_fwnode_get.patch
+ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch
+i40e-fix-error-handling-in-i40e_init_module.patch
+fm10k-fix-error-handling-in-fm10k_init_module.patch
+iavf-remove-redundant-ret-variable.patch
+iavf-fix-error-handling-in-iavf_init_module.patch
+e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch
+net-mlx5-dr-rename-list-field-in-matcher-struct-to-l.patch
+net-mlx5-dr-fix-uninitialized-var-warning.patch
+net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch
+net-mlx5e-fix-use-after-free-when-reverting-terminat.patch
+can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
+can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
+can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch
+can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch
+can-m_can-add-check-for-devm_clk_get.patch
+qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch
+aquantia-do-not-purge-addresses-when-setting-the-num.patch
+wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch
+wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch
+wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch
+net-phy-fix-null-ptr-deref-while-probe-failed.patch
+net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch
+net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch
+net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch
+net-ethernet-nixge-fix-null-dereference.patch
+net-wwan-iosm-fix-kernel-test-robot-reported-error.patch
+net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch
+dsa-lan9303-correct-stat-name.patch
+tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch
+net-hsr-fix-potential-use-after-free.patch
+net-mdiobus-fix-unbalanced-node-reference-count.patch
+afs-fix-fileserver-probe-rtt-handling.patch
+net-tun-fix-use-after-free-in-tun_detach.patch
+packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch
+sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch
+net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
+hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
+hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch

diff --git a/queue-5.15/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch b/queue-5.15/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch
new file mode 100644 (file)
index 0000000..b1e4ac5
--- /dev/null
+++ b/queue-5.15/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch
@@ -0,0 +1,65 @@
+From 401993472ff6e7d5e143f6a4ed8227b3d5ae4544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 19:10:00 +0100
+Subject: spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input
+ clock
+
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+
+[ Upstream commit db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 ]
+
+In case the requested bus clock is higher than the input clock, the correct
+dividers (pre = 0, post = 0) are returned from mx51_ecspi_clkdiv(), but
+*fres is left uninitialized and therefore contains an arbitrary value.
+
+This causes trouble for the recently introduced PIO polling feature as the
+value in spi_imx->spi_bus_clk is used there to calculate for which
+transfers to enable PIO polling.
+
+Fix this by setting *fres even if no clock dividers are in use.
+
+This issue was observed on Kontron BL i.MX8MM with an SPI peripheral clock set
+to 50 MHz by default and a requested SPI bus clock of 80 MHz for the SPI NOR
+flash.
+
+With the fix applied the debug message from mx51_ecspi_clkdiv() now prints the
+following:
+
+spi_imx 30820000.spi: mx51_ecspi_clkdiv: fin: 50000000, fspi: 50000000,
+post: 0, pre: 0
+
+Fixes: 6fd8b8503a0d ("spi: spi-imx: Fix out-of-order CS/SCLK operation at low speeds")
+Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support")
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: David Jander <david@protonic.nl>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Marek Vasut <marex@denx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Tested-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Marek Vasut <marex@denx.de>
+Link: https://lore.kernel.org/r/20221115181002.2068270-1-frieder@fris.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index b2dd0a4d2446..890b2cf02149 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -439,8 +439,7 @@ static unsigned int mx51_ecspi_clkdiv(struct spi_imx_data *spi_imx,
+       unsigned int pre, post;
+       unsigned int fin = spi_imx->spi_clk;
+ 
+-      if (unlikely(fspi > fin))
+-              return 0;
++      fspi = min(fspi, fin);
+ 
+       post = fls(fin) - fls(fspi);
+       if (fin > fspi << post)
+-- 
+2.35.1
+

diff --git a/queue-5.15/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch b/queue-5.15/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch
new file mode 100644 (file)
index 0000000..f378e7b
--- /dev/null
+++ b/queue-5.15/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch
@@ -0,0 +1,65 @@
+From de638359fbe0db597e941502fc441de343fa6353 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 12:46:43 -0500
+Subject: tipc: re-fetch skb cb after tipc_msg_validate
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 3067bc61fcfe3081bf4807ce65560f499e895e77 ]
+
+As the call trace shows, the original skb was freed in tipc_msg_validate(),
+and dereferencing the old skb cb would cause an use-after-free crash.
+
+  BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
+  Call Trace:
+   <IRQ>
+   tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
+   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
+   tipc_rcv+0x744/0x1150 [tipc]
+  ...
+  Allocated by task 47078:
+   kmem_cache_alloc_node+0x158/0x4d0
+   __alloc_skb+0x1c1/0x270
+   tipc_buf_acquire+0x1e/0xe0 [tipc]
+   tipc_msg_create+0x33/0x1c0 [tipc]
+   tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
+   tipc_link_timeout+0x8b8/0xef0 [tipc]
+   tipc_node_timeout+0x2a1/0x960 [tipc]
+   call_timer_fn+0x2d/0x1c0
+  ...
+  Freed by task 47078:
+   tipc_msg_validate+0x7b/0x440 [tipc]
+   tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
+   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
+   tipc_rcv+0x744/0x1150 [tipc]
+
+This patch fixes it by re-fetching the skb cb from the new allocated skb
+after calling tipc_msg_validate().
+
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index b5074957e881..4243d2ab8adf 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -1982,6 +1982,9 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead,
+       /* Ok, everything's fine, try to synch own keys according to peers' */
+       tipc_crypto_key_synch(rx, *skb);
+ 
++      /* Re-fetch skb cb as skb might be changed in tipc_msg_validate */
++      skb_cb = TIPC_SKB_CB(*skb);
++
+       /* Mark skb decrypted */
+       skb_cb->decrypted = 1;
+ 
+-- 
+2.35.1
+

diff --git a/queue-5.15/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch b/queue-5.15/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch
new file mode 100644 (file)
index 0000000..1d854c4
--- /dev/null
+++ b/queue-5.15/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch
@@ -0,0 +1,52 @@
+From 0ae7ddd3c88b7cd04610597727ad957414cddf34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 12:36:58 +0100
+Subject: wifi: cfg80211: don't allow multi-BSSID in S1G
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit acd3c92acc7aaec50a94d0a7faf7ccd74e952493 ]
+
+In S1G beacon frames there shouldn't be multi-BSSID elements
+since that's not supported, remove that to avoid a potential
+integer underflow and/or misparsing the frames due to the
+different length of the fixed part of the frame.
+
+While at it, initialize non_tx_data so we don't send garbage
+values to the user (even if it doesn't seem to matter now.)
+
+Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
+Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 937ec4c2a3bf..ef31e401d791 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2477,10 +2477,15 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
+       const struct cfg80211_bss_ies *ies1, *ies2;
+       size_t ielen = len - offsetof(struct ieee80211_mgmt,
+                                     u.probe_resp.variable);
+-      struct cfg80211_non_tx_bss non_tx_data;
++      struct cfg80211_non_tx_bss non_tx_data = {};
+ 
+       res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt,
+                                                   len, gfp);
++
++      /* don't do any further MBSSID handling for S1G */
++      if (ieee80211_is_s1g_beacon(mgmt->frame_control))
++              return res;
++
+       if (!res || !wiphy->support_mbssid ||
+           !cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen))
+               return res;
+-- 
+2.35.1
+

diff --git a/queue-5.15/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch b/queue-5.15/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch
new file mode 100644 (file)
index 0000000..2cc1625
--- /dev/null
+++ b/queue-5.15/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch
@@ -0,0 +1,41 @@
+From da79337cc59911f3501f027bbe9a992f4500e7c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 12:36:57 +0100
+Subject: wifi: cfg80211: fix buffer overflow in elem comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ]
+
+For vendor elements, the code here assumes that 5 octets
+are present without checking. Since the element itself is
+already checked to fit, we only need to check the length.
+
+Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 2477d28c2dab..937ec4c2a3bf 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
+                        * determine if they are the same ie.
+                        */
+                       if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
+-                              if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
++                              if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
++                                  !memcmp(tmp_old + 2, tmp + 2, 5)) {
+                                       /* same vendor ie, copy from
+                                        * subelement
+                                        */
+-- 
+2.35.1
+

diff --git a/queue-5.15/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch b/queue-5.15/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch
new file mode 100644 (file)
index 0000000..01b3bfb
--- /dev/null
+++ b/queue-5.15/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch
@@ -0,0 +1,67 @@
+From 6979c5f558d37df4ceefd1021cf3777f8eacd617 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 16:19:26 +0100
+Subject: wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 3e8f7abcc3473bc9603323803aeaed4ffcc3a2ab ]
+
+Fix possible out-of-bound access in ieee80211_get_rate_duration routine
+as reported by the following UBSAN report:
+
+UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
+index 15 is out of range for type 'u16 [12]'
+CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
+Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
+Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
+Call Trace:
+ <TASK>
+ show_stack+0x4e/0x61
+ dump_stack_lvl+0x4a/0x6f
+ dump_stack+0x10/0x18
+ ubsan_epilogue+0x9/0x43
+ __ubsan_handle_out_of_bounds.cold+0x42/0x47
+ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
+ ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
+ ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
+ ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
+ mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
+ mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
+ mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
+ process_one_work+0x225/0x400
+ worker_thread+0x50/0x3e0
+ ? process_one_work+0x400/0x400
+ kthread+0xe9/0x110
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x22/0x30
+
+Fixes: db3e1c40cf2f ("mac80211: Import airtime calculation code from mt76")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/airtime.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/airtime.c b/net/mac80211/airtime.c
+index 26d2f8ba7029..758ef63669e7 100644
+--- a/net/mac80211/airtime.c
++++ b/net/mac80211/airtime.c
+@@ -457,6 +457,9 @@ static u32 ieee80211_get_rate_duration(struct ieee80211_hw *hw,
+                        (status->encoding == RX_ENC_HE && streams > 8)))
+               return 0;
+ 
++      if (idx >= MCS_GROUP_RATES)
++              return 0;
++
+       duration = airtime_mcs_groups[group].duration[idx];
+       duration <<= airtime_mcs_groups[group].shift;
+       *overhead = 36 + (streams << 2);
+-- 
+2.35.1
+