Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Sat, 3 Dec 2022 09:21:45 +0000 (04:21 -0500)
committerSasha Levin <sashal@kernel.org>
Sat, 3 Dec 2022 09:21:45 +0000 (04:21 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
30 files changed:
queue-4.19/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch [new file with mode: 0644]
queue-4.19/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch [new file with mode: 0644]
queue-4.19/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch [new file with mode: 0644]
queue-4.19/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch [new file with mode: 0644]
queue-4.19/dsa-lan9303-correct-stat-name.patch [new file with mode: 0644]
queue-4.19/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch [new file with mode: 0644]
queue-4.19/e100-switch-from-pci_-to-dma_-api.patch [new file with mode: 0644]
queue-4.19/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch [new file with mode: 0644]
queue-4.19/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch [new file with mode: 0644]
queue-4.19/hwmon-i5500_temp-fix-missing-pci_disable_device.patch [new file with mode: 0644]
queue-4.19/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch [new file with mode: 0644]
queue-4.19/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch [new file with mode: 0644]
queue-4.19/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch [new file with mode: 0644]
queue-4.19/iio-light-rpr0521-add-missing-kconfig-dependencies.patch [new file with mode: 0644]
queue-4.19/kbuild-fix-wimplicit-function-declaration-in-license.patch [new file with mode: 0644]
queue-4.19/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch [new file with mode: 0644]
queue-4.19/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch [new file with mode: 0644]
queue-4.19/net-hsr-fix-potential-use-after-free.patch [new file with mode: 0644]
queue-4.19/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch [new file with mode: 0644]
queue-4.19/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch [new file with mode: 0644]
queue-4.19/net-phy-fix-null-ptr-deref-while-probe-failed.patch [new file with mode: 0644]
queue-4.19/net-tun-fix-use-after-free-in-tun_detach.patch [new file with mode: 0644]
queue-4.19/of-property-decrement-node-refcount-in-of_fwnode_get.patch [new file with mode: 0644]
queue-4.19/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch [new file with mode: 0644]
queue-4.19/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch [new file with mode: 0644]
queue-4.19/scripts-faddr2line-fix-regression-in-name-resolution.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch [new file with mode: 0644]
queue-4.19/usb-dwc3-exynos-fix-remove-function.patch [new file with mode: 0644]
queue-4.19/usb-dwc3-exynos-remove-dead-code.patch [new file with mode: 0644]

diff --git a/queue-4.19/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch b/queue-4.19/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch
new file mode 100644 (file)
index 0000000..485ed3e
--- /dev/null
@@ -0,0 +1,68 @@
+From 2de3478f0d3e16947b82dece7293ec499433ab10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 11:36:28 +0530
+Subject: btrfs: free btrfs_path before copying inodes to userspace
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit 418ffb9e3cf6c4e2574d3a732b724916684bd133 ]
+
+btrfs_ioctl_logical_to_ino() frees the search path after the userspace
+copy from the temp buffer @inodes. Which potentially can lead to a lock
+splat.
+
+Fix this by freeing the path before we copy @inodes to userspace.
+
+CC: stable@vger.kernel.org # 4.19+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 56caaff01067..752b5d265284 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4961,21 +4961,20 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
+               size = min_t(u32, loi->size, SZ_16M);
+       }
+-      path = btrfs_alloc_path();
+-      if (!path) {
+-              ret = -ENOMEM;
+-              goto out;
+-      }
+-
+       inodes = init_data_container(size);
+       if (IS_ERR(inodes)) {
+               ret = PTR_ERR(inodes);
+-              inodes = NULL;
+-              goto out;
++              goto out_loi;
+       }
++      path = btrfs_alloc_path();
++      if (!path) {
++              ret = -ENOMEM;
++              goto out;
++      }
+       ret = iterate_inodes_from_logical(loi->logical, fs_info, path,
+                                         build_ino_list, inodes, ignore_offset);
++      btrfs_free_path(path);
+       if (ret == -EINVAL)
+               ret = -ENOENT;
+       if (ret < 0)
+@@ -4987,7 +4986,6 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
+               ret = -EFAULT;
+ out:
+-      btrfs_free_path(path);
+       kvfree(inodes);
+ out_loi:
+       kfree(loi);
+-- 
+2.35.1
+
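Review bot: The early `btrfs_free_path(path);` after `iterate_inodes_from_logical()` is load-bearing but unexplained in the code, and since the free was also removed from the `out:` label, nothing stops a later cleanup from moving it back to the end of the function. A comment above the call would record the constraint, for example `/* Free the path before copying @inodes to userspace; see the lock splat this avoids. */`. The reason comes from the patch description; the copy to userspace and the rest of btrfs_ioctl_logical_to_ino() lie outside the hunk. The switch to `goto out_loi` on the `IS_ERR(inodes)` branch looks right, because `kvfree()` is then never handed an error pointer.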
diff --git a/queue-4.19/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch b/queue-4.19/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
new file mode 100644 (file)
index 0000000..d09b325
--- /dev/null
@@ -0,0 +1,65 @@
+From 8e2f2a3e72126a8870b96d17ed459d9e425b22c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 22:23:54 +0800
+Subject: btrfs: qgroup: fix sleep from invalid context bug in
+ btrfs_qgroup_inherit()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ]
+
+Syzkaller reported BUG as follows:
+
+  BUG: sleeping function called from invalid context at
+       include/linux/sched/mm.h:274
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0xcd/0x134
+   __might_resched.cold+0x222/0x26b
+   kmem_cache_alloc+0x2e7/0x3c0
+   update_qgroup_limit_item+0xe1/0x390
+   btrfs_qgroup_inherit+0x147b/0x1ee0
+   create_subvol+0x4eb/0x1710
+   btrfs_mksubvol+0xfe5/0x13f0
+   __btrfs_ioctl_snap_create+0x2b0/0x430
+   btrfs_ioctl_snap_create_v2+0x25a/0x520
+   btrfs_ioctl+0x2a1c/0x5ce0
+   __x64_sys_ioctl+0x193/0x200
+   do_syscall_64+0x35/0x80
+
+Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
+btrfs_run_qgroups() later outside of the spinlock context.
+
+CC: stable@vger.kernel.org # 4.9+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index 886ab4beb579..69b43df186a8 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2368,14 +2368,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+               dstgroup->rsv_rfer = inherit->lim.rsv_rfer;
+               dstgroup->rsv_excl = inherit->lim.rsv_excl;
+-              ret = update_qgroup_limit_item(trans, dstgroup);
+-              if (ret) {
+-                      fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+-                      btrfs_info(fs_info,
+-                                 "unable to update quota limit for %llu",
+-                                 dstgroup->qgroupid);
+-                      goto unlock;
+-              }
++              qgroup_dirty(fs_info, dstgroup);
+       }
+       if (srcid) {
+-- 
+2.35.1
+
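Review bot: The error handling that used to sit at this call is dropped without a visible replacement. The removed lines set `BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT` and logged "unable to update quota limit" when `update_qgroup_limit_item()` failed, while the new `qgroup_dirty(fs_info, dstgroup);` only queues the group. Whether `btrfs_run_qgroups()` in the 4.19 tree writes the limit item for dirty groups and marks the quota state inconsistent on failure cannot be seen from this hunk, so confirm it against the target tree before queuing. A short comment at the call, such as `/* limit item is written later by btrfs_run_qgroups(), outside the spinlock */`, would explain why no return value is checked here. btrfs_qgroup_inherit() starts and ends outside the hunk.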
diff --git a/queue-4.19/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch b/queue-4.19/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
new file mode 100644 (file)
index 0000000..89d745a
--- /dev/null
@@ -0,0 +1,59 @@
+From d2cf4fbdb0c53e2cd29ce576fc1286a7a39c5596 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:09:16 +0800
+Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ]
+
+Add the missing free_cc770dev() before return from cc770_isa_probe()
+in the register_cc770dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/cc770/cc770_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c
+index fcd34698074f..9f2bc66572e4 100644
+--- a/drivers/net/can/cc770/cc770_isa.c
++++ b/drivers/net/can/cc770/cc770_isa.c
+@@ -272,22 +272,24 @@ static int cc770_isa_probe(struct platform_device *pdev)
+       if (err) {
+               dev_err(&pdev->dev,
+                       "couldn't register device (err=%d)\n", err);
+-              goto exit_unmap;
++              goto exit_free;
+       }
+       dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n",
+                priv->reg_base, dev->irq);
+       return 0;
+- exit_unmap:
++exit_free:
++      free_cc770dev(dev);
++exit_unmap:
+       if (mem[idx])
+               iounmap(base);
+- exit_release:
++exit_release:
+       if (mem[idx])
+               release_mem_region(mem[idx], iosize);
+       else
+               release_region(port[idx], iosize);
+- exit:
++exit:
+       return err;
+ }
+-- 
+2.35.1
+
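Review bot: The new `exit_free:` label is only safe to reach once the device has been allocated, and nothing in the cleanup ladder says so. In the visible lines only the registration-failure branch at the top of the hunk jumps to it, and it then falls through into `exit_unmap:` and `exit_release:`, which is the correct reverse order. A one-line comment on the label, for example `/* dev allocated but not registered */`, would keep a later error path from jumping here with an unallocated `dev`. The same applies to the `exit_free:` label added to sja1000_isa_probe() in the next patch file. Both probe functions begin outside their hunks.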
diff --git a/queue-4.19/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch b/queue-4.19/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
new file mode 100644 (file)
index 0000000..8a2c91a
--- /dev/null
@@ -0,0 +1,59 @@
+From f55a4d38f71a4ecb3e1be94cc50d65b977931252 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:08:41 +0800
+Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ]
+
+Add the missing free_sja1000dev() before return from
+sja1000_isa_probe() in the register_sja1000dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c
+index 1a2ae6ce8d87..b11f3431fd85 100644
+--- a/drivers/net/can/sja1000/sja1000_isa.c
++++ b/drivers/net/can/sja1000/sja1000_isa.c
+@@ -213,22 +213,24 @@ static int sja1000_isa_probe(struct platform_device *pdev)
+       if (err) {
+               dev_err(&pdev->dev, "registering %s failed (err=%d)\n",
+                       DRV_NAME, err);
+-              goto exit_unmap;
++              goto exit_free;
+       }
+       dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n",
+                DRV_NAME, priv->reg_base, dev->irq);
+       return 0;
+- exit_unmap:
++exit_free:
++      free_sja1000dev(dev);
++exit_unmap:
+       if (mem[idx])
+               iounmap(base);
+- exit_release:
++exit_release:
+       if (mem[idx])
+               release_mem_region(mem[idx], iosize);
+       else
+               release_region(port[idx], iosize);
+- exit:
++exit:
+       return err;
+ }
+-- 
+2.35.1
+
diff --git a/queue-4.19/dsa-lan9303-correct-stat-name.patch b/queue-4.19/dsa-lan9303-correct-stat-name.patch
new file mode 100644 (file)
index 0000000..ec3a358
--- /dev/null
@@ -0,0 +1,43 @@
+From 7ace5a053afc6c34cb4f81e955171db5be955cbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 13:35:59 -0600
+Subject: dsa: lan9303: Correct stat name
+
+From: Jerry Ray <jerry.ray@microchip.com>
+
+[ Upstream commit 39f59bca275d2d819a8788c0f962e9e89843efc9 ]
+
+This patch changes the reported ethtool statistics for the lan9303
+family of parts covered by this driver.
+
+The TxUnderRun statistic label is renamed to RxShort to accurately
+reflect what stat the device is reporting.  I did not reorder the
+statistics as that might cause problems with existing user code that
+are expecting the stats at a certain offset.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Jerry Ray <jerry.ray@microchip.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index 70ce37cd94af..03dc075ff4e8 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -966,7 +966,7 @@ static const struct lan9303_mib_desc lan9303_mib[] = {
+       { .offset = LAN9303_MAC_TX_BRDCST_CNT_0, .name = "TxBroad", },
+       { .offset = LAN9303_MAC_TX_PAUSE_CNT_0, .name = "TxPause", },
+       { .offset = LAN9303_MAC_TX_MULCST_CNT_0, .name = "TxMulti", },
+-      { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "TxUnderRun", },
++      { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "RxShort", },
+       { .offset = LAN9303_MAC_TX_64_CNT_0, .name = "Tx64Byte", },
+       { .offset = LAN9303_MAC_TX_127_CNT_0, .name = "Tx128Byte", },
+       { .offset = LAN9303_MAC_TX_255_CNT_0, .name = "Tx256Byte", },
+-- 
+2.35.1
+
diff --git a/queue-4.19/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch b/queue-4.19/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch
new file mode 100644 (file)
index 0000000..9586263
--- /dev/null
@@ -0,0 +1,45 @@
+From a1e41203f9c5cce24b449e4ac361aaad5948f182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 01:24:07 +0800
+Subject: e100: Fix possible use after free in e100_xmit_prepare
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 45605c75c52c7ae7bfe902214343aabcfe5ba0ff ]
+
+In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so
+e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will
+resend the skb. But the skb is already freed, which will cause UAF bug
+when the upper layer resends the skb.
+
+Remove the harmful free.
+
+Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index c0c30463d214..ec5dc61b879e 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1745,11 +1745,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb,
+       dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len,
+                                 DMA_TO_DEVICE);
+       /* If we can't map the skb, have the upper layer try later */
+-      if (dma_mapping_error(&nic->pdev->dev, dma_addr)) {
+-              dev_kfree_skb_any(skb);
+-              skb = NULL;
++      if (dma_mapping_error(&nic->pdev->dev, dma_addr))
+               return -ENOMEM;
+-      }
+       /*
+        * Use the last 4 bytes of the SKB payload packet as the CRC, used for
+-- 
+2.35.1
+
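Review bot: Ownership of `skb` on the `-ENOMEM` return is now implicit: the surviving comment only says "have the upper layer try later" and does not say that the buffer must stay alive for that retry. Since the bug fixed here was a well-meant free on exactly this path, the comment should spell the rule out, e.g. `/* If we can't map the skb, have the upper layer try later; do not free it here, the caller still owns it and will resubmit it */`. According to the patch description the caller, e100_xmit_frame(), turns this return into NETDEV_TX_BUSY; that function is outside the hunk, as is the rest of e100_xmit_prepare().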
diff --git a/queue-4.19/e100-switch-from-pci_-to-dma_-api.patch b/queue-4.19/e100-switch-from-pci_-to-dma_-api.patch
new file mode 100644 (file)
index 0000000..3d5ca11
--- /dev/null
@@ -0,0 +1,356 @@
+From 7ccd858a8866a3780a3dd928cdc7efdd60442351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jan 2021 22:07:36 +0100
+Subject: e100: switch from 'pci_' to 'dma_' API
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 4140ff1ba06d3fc16afd518736940ab742886317 ]
+
+The wrappers in include/linux/pci-dma-compat.h should go away.
+
+The patch has been generated with the coccinelle script below and has been
+hand modified to replace GFP_ with a correct flag.
+It has been compile tested.
+
+When memory is allocated in 'e100_alloc()', GFP_KERNEL can be used because
+it is only called from the probe function and no lock is acquired.
+
+@@
+@@
+-    PCI_DMA_BIDIRECTIONAL
++    DMA_BIDIRECTIONAL
+
+@@
+@@
+-    PCI_DMA_TODEVICE
++    DMA_TO_DEVICE
+
+@@
+@@
+-    PCI_DMA_FROMDEVICE
++    DMA_FROM_DEVICE
+
+@@
+@@
+-    PCI_DMA_NONE
++    DMA_NONE
+
+@@
+expression e1, e2, e3;
+@@
+-    pci_alloc_consistent(e1, e2, e3)
++    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
+
+@@
+expression e1, e2, e3;
+@@
+-    pci_zalloc_consistent(e1, e2, e3)
++    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_free_consistent(e1, e2, e3, e4)
++    dma_free_coherent(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_map_single(e1, e2, e3, e4)
++    dma_map_single(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_single(e1, e2, e3, e4)
++    dma_unmap_single(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4, e5;
+@@
+-    pci_map_page(e1, e2, e3, e4, e5)
++    dma_map_page(&e1->dev, e2, e3, e4, e5)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_page(e1, e2, e3, e4)
++    dma_unmap_page(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_map_sg(e1, e2, e3, e4)
++    dma_map_sg(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_sg(e1, e2, e3, e4)
++    dma_unmap_sg(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
++    dma_sync_single_for_cpu(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_single_for_device(e1, e2, e3, e4)
++    dma_sync_single_for_device(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
++    dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
++    dma_sync_sg_for_device(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2;
+@@
+-    pci_dma_mapping_error(e1, e2)
++    dma_mapping_error(&e1->dev, e2)
+
+@@
+expression e1, e2;
+@@
+-    pci_set_dma_mask(e1, e2)
++    dma_set_mask(&e1->dev, e2)
+
+@@
+expression e1, e2;
+@@
+-    pci_set_consistent_dma_mask(e1, e2)
++    dma_set_coherent_mask(&e1->dev, e2)
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Link: https://lore.kernel.org/r/20210128210736.749724-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 45605c75c52c ("e100: Fix possible use after free in e100_xmit_prepare")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 92 ++++++++++++++++---------------
+ 1 file changed, 49 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index ba5b515c86e2..c0c30463d214 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1742,10 +1742,10 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb,
+       dma_addr_t dma_addr;
+       cb->command = nic->tx_command;
+-      dma_addr = pci_map_single(nic->pdev,
+-                                skb->data, skb->len, PCI_DMA_TODEVICE);
++      dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len,
++                                DMA_TO_DEVICE);
+       /* If we can't map the skb, have the upper layer try later */
+-      if (pci_dma_mapping_error(nic->pdev, dma_addr)) {
++      if (dma_mapping_error(&nic->pdev->dev, dma_addr)) {
+               dev_kfree_skb_any(skb);
+               skb = NULL;
+               return -ENOMEM;
+@@ -1831,10 +1831,10 @@ static int e100_tx_clean(struct nic *nic)
+                       dev->stats.tx_packets++;
+                       dev->stats.tx_bytes += cb->skb->len;
+-                      pci_unmap_single(nic->pdev,
+-                              le32_to_cpu(cb->u.tcb.tbd.buf_addr),
+-                              le16_to_cpu(cb->u.tcb.tbd.size),
+-                              PCI_DMA_TODEVICE);
++                      dma_unmap_single(&nic->pdev->dev,
++                                       le32_to_cpu(cb->u.tcb.tbd.buf_addr),
++                                       le16_to_cpu(cb->u.tcb.tbd.size),
++                                       DMA_TO_DEVICE);
+                       dev_kfree_skb_any(cb->skb);
+                       cb->skb = NULL;
+                       tx_cleaned = 1;
+@@ -1858,10 +1858,10 @@ static void e100_clean_cbs(struct nic *nic)
+               while (nic->cbs_avail != nic->params.cbs.count) {
+                       struct cb *cb = nic->cb_to_clean;
+                       if (cb->skb) {
+-                              pci_unmap_single(nic->pdev,
+-                                      le32_to_cpu(cb->u.tcb.tbd.buf_addr),
+-                                      le16_to_cpu(cb->u.tcb.tbd.size),
+-                                      PCI_DMA_TODEVICE);
++                              dma_unmap_single(&nic->pdev->dev,
++                                               le32_to_cpu(cb->u.tcb.tbd.buf_addr),
++                                               le16_to_cpu(cb->u.tcb.tbd.size),
++                                               DMA_TO_DEVICE);
+                               dev_kfree_skb(cb->skb);
+                       }
+                       nic->cb_to_clean = nic->cb_to_clean->next;
+@@ -1928,10 +1928,10 @@ static int e100_rx_alloc_skb(struct nic *nic, struct rx *rx)
+       /* Init, and map the RFD. */
+       skb_copy_to_linear_data(rx->skb, &nic->blank_rfd, sizeof(struct rfd));
+-      rx->dma_addr = pci_map_single(nic->pdev, rx->skb->data,
+-              RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL);
++      rx->dma_addr = dma_map_single(&nic->pdev->dev, rx->skb->data,
++                                    RFD_BUF_LEN, DMA_BIDIRECTIONAL);
+-      if (pci_dma_mapping_error(nic->pdev, rx->dma_addr)) {
++      if (dma_mapping_error(&nic->pdev->dev, rx->dma_addr)) {
+               dev_kfree_skb_any(rx->skb);
+               rx->skb = NULL;
+               rx->dma_addr = 0;
+@@ -1944,8 +1944,10 @@ static int e100_rx_alloc_skb(struct nic *nic, struct rx *rx)
+       if (rx->prev->skb) {
+               struct rfd *prev_rfd = (struct rfd *)rx->prev->skb->data;
+               put_unaligned_le32(rx->dma_addr, &prev_rfd->link);
+-              pci_dma_sync_single_for_device(nic->pdev, rx->prev->dma_addr,
+-                      sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL);
++              dma_sync_single_for_device(&nic->pdev->dev,
++                                         rx->prev->dma_addr,
++                                         sizeof(struct rfd),
++                                         DMA_BIDIRECTIONAL);
+       }
+       return 0;
+@@ -1964,8 +1966,8 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx,
+               return -EAGAIN;
+       /* Need to sync before taking a peek at cb_complete bit */
+-      pci_dma_sync_single_for_cpu(nic->pdev, rx->dma_addr,
+-              sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL);
++      dma_sync_single_for_cpu(&nic->pdev->dev, rx->dma_addr,
++                              sizeof(struct rfd), DMA_BIDIRECTIONAL);
+       rfd_status = le16_to_cpu(rfd->status);
+       netif_printk(nic, rx_status, KERN_DEBUG, nic->netdev,
+@@ -1984,9 +1986,9 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx,
+                       if (ioread8(&nic->csr->scb.status) & rus_no_res)
+                               nic->ru_running = RU_SUSPENDED;
+-              pci_dma_sync_single_for_device(nic->pdev, rx->dma_addr,
+-                                             sizeof(struct rfd),
+-                                             PCI_DMA_FROMDEVICE);
++              dma_sync_single_for_device(&nic->pdev->dev, rx->dma_addr,
++                                         sizeof(struct rfd),
++                                         DMA_FROM_DEVICE);
+               return -ENODATA;
+       }
+@@ -1998,8 +2000,8 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx,
+               actual_size = RFD_BUF_LEN - sizeof(struct rfd);
+       /* Get data */
+-      pci_unmap_single(nic->pdev, rx->dma_addr,
+-              RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL);
++      dma_unmap_single(&nic->pdev->dev, rx->dma_addr, RFD_BUF_LEN,
++                       DMA_BIDIRECTIONAL);
+       /* If this buffer has the el bit, but we think the receiver
+        * is still running, check to see if it really stopped while
+@@ -2100,22 +2102,25 @@ static void e100_rx_clean(struct nic *nic, unsigned int *work_done,
+                       (struct rfd *)new_before_last_rx->skb->data;
+               new_before_last_rfd->size = 0;
+               new_before_last_rfd->command |= cpu_to_le16(cb_el);
+-              pci_dma_sync_single_for_device(nic->pdev,
+-                      new_before_last_rx->dma_addr, sizeof(struct rfd),
+-                      PCI_DMA_BIDIRECTIONAL);
++              dma_sync_single_for_device(&nic->pdev->dev,
++                                         new_before_last_rx->dma_addr,
++                                         sizeof(struct rfd),
++                                         DMA_BIDIRECTIONAL);
+               /* Now that we have a new stopping point, we can clear the old
+                * stopping point.  We must sync twice to get the proper
+                * ordering on the hardware side of things. */
+               old_before_last_rfd->command &= ~cpu_to_le16(cb_el);
+-              pci_dma_sync_single_for_device(nic->pdev,
+-                      old_before_last_rx->dma_addr, sizeof(struct rfd),
+-                      PCI_DMA_BIDIRECTIONAL);
++              dma_sync_single_for_device(&nic->pdev->dev,
++                                         old_before_last_rx->dma_addr,
++                                         sizeof(struct rfd),
++                                         DMA_BIDIRECTIONAL);
+               old_before_last_rfd->size = cpu_to_le16(VLAN_ETH_FRAME_LEN
+                                                       + ETH_FCS_LEN);
+-              pci_dma_sync_single_for_device(nic->pdev,
+-                      old_before_last_rx->dma_addr, sizeof(struct rfd),
+-                      PCI_DMA_BIDIRECTIONAL);
++              dma_sync_single_for_device(&nic->pdev->dev,
++                                         old_before_last_rx->dma_addr,
++                                         sizeof(struct rfd),
++                                         DMA_BIDIRECTIONAL);
+       }
+       if (restart_required) {
+@@ -2137,8 +2142,9 @@ static void e100_rx_clean_list(struct nic *nic)
+       if (nic->rxs) {
+               for (rx = nic->rxs, i = 0; i < count; rx++, i++) {
+                       if (rx->skb) {
+-                              pci_unmap_single(nic->pdev, rx->dma_addr,
+-                                      RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL);
++                              dma_unmap_single(&nic->pdev->dev,
++                                               rx->dma_addr, RFD_BUF_LEN,
++                                               DMA_BIDIRECTIONAL);
+                               dev_kfree_skb(rx->skb);
+                       }
+               }
+@@ -2180,8 +2186,8 @@ static int e100_rx_alloc_list(struct nic *nic)
+       before_last = (struct rfd *)rx->skb->data;
+       before_last->command |= cpu_to_le16(cb_el);
+       before_last->size = 0;
+-      pci_dma_sync_single_for_device(nic->pdev, rx->dma_addr,
+-              sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL);
++      dma_sync_single_for_device(&nic->pdev->dev, rx->dma_addr,
++                                 sizeof(struct rfd), DMA_BIDIRECTIONAL);
+       nic->rx_to_use = nic->rx_to_clean = nic->rxs;
+       nic->ru_running = RU_SUSPENDED;
+@@ -2378,8 +2384,8 @@ static int e100_loopback_test(struct nic *nic, enum loopback loopback_mode)
+       msleep(10);
+-      pci_dma_sync_single_for_cpu(nic->pdev, nic->rx_to_clean->dma_addr,
+-                      RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL);
++      dma_sync_single_for_cpu(&nic->pdev->dev, nic->rx_to_clean->dma_addr,
++                              RFD_BUF_LEN, DMA_BIDIRECTIONAL);
+       if (memcmp(nic->rx_to_clean->skb->data + sizeof(struct rfd),
+          skb->data, ETH_DATA_LEN))
+@@ -2761,16 +2767,16 @@ static int e100_do_ioctl(struct net_device *netdev, struct ifreq *ifr, int cmd)
+ static int e100_alloc(struct nic *nic)
+ {
+-      nic->mem = pci_alloc_consistent(nic->pdev, sizeof(struct mem),
+-              &nic->dma_addr);
++      nic->mem = dma_alloc_coherent(&nic->pdev->dev, sizeof(struct mem),
++                                    &nic->dma_addr, GFP_KERNEL);
+       return nic->mem ? 0 : -ENOMEM;
+ }
+ static void e100_free(struct nic *nic)
+ {
+       if (nic->mem) {
+-              pci_free_consistent(nic->pdev, sizeof(struct mem),
+-                      nic->mem, nic->dma_addr);
++              dma_free_coherent(&nic->pdev->dev, sizeof(struct mem),
++                                nic->mem, nic->dma_addr);
+               nic->mem = NULL;
+       }
+ }
+@@ -2863,7 +2869,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+               goto err_out_disable_pdev;
+       }
+-      if ((err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) {
++      if ((err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)))) {
+               netif_err(nic, probe, nic->netdev, "No usable DMA configuration, aborting\n");
+               goto err_out_free_res;
+       }
+-- 
+2.35.1
+
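Review bot: One sync in e100_rx_indicate() keeps a direction that does not match the mapping. The receive buffer is mapped with `DMA_BIDIRECTIONAL` in e100_rx_alloc_skb(), but the early-return path that yields `-ENODATA` calls `dma_sync_single_for_device(..., DMA_FROM_DEVICE)`. Every other receive-side sync and unmap shown in this patch uses `DMA_BIDIRECTIONAL`. The mismatch is carried over unchanged from `PCI_DMA_FROMDEVICE`, so it is not introduced by this conversion and a mechanical API switch is right to leave it alone. It still deserves a comment at that call, such as `/* direction differs from the DMA_BIDIRECTIONAL mapping; kept as in the pci_ version */`, or a separate follow-up that makes it consistent.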
diff --git a/queue-4.19/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch b/queue-4.19/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
new file mode 100644 (file)
index 0000000..9c0123b
--- /dev/null
@@ -0,0 +1,64 @@
+From ebb6af956f00c5d892d225481c3075c8eb1094f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:23:13 -0500
+Subject: hwmon: (coretemp) Check for null before removing sysfs attrs
+
+From: Phil Auld <pauld@redhat.com>
+
+[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ]
+
+If coretemp_add_core() gets an error then pdata->core_data[indx]
+is already NULL and has been kfreed. Don't pass that to
+sysfs_remove_group() as that will crash in sysfs_remove_group().
+
+[Shortened for readability]
+[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
+<cpu offline>
+[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
+[91855.165103] #PF: supervisor read access in kernel mode
+[91855.194506] #PF: error_code(0x0000) - not-present page
+[91855.224445] PGD 0 P4D 0
+[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
+...
+[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
+...
+[91855.796571] Call Trace:
+[91855.810524]  coretemp_cpu_offline+0x12b/0x1dd [coretemp]
+[91855.841738]  ? coretemp_cpu_online+0x180/0x180 [coretemp]
+[91855.871107]  cpuhp_invoke_callback+0x105/0x4b0
+[91855.893432]  cpuhp_thread_fun+0x8e/0x150
+...
+
+Fix this by checking for NULL first.
+
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Cc: linux-hwmon@vger.kernel.org
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Jean Delvare <jdelvare@suse.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com
+Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 6030cb539a7b..02711014aee7 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -546,6 +546,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx)
+ {
+       struct temp_data *tdata = pdata->core_data[indx];
++      /* if we errored on add then this is already gone */
++      if (!tdata)
++              return;
++
+       /* Remove the sysfs attributes */
+       sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group);
+-- 
+2.35.1
+
diff --git a/queue-4.19/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch b/queue-4.19/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
new file mode 100644 (file)
index 0000000..ede587e
--- /dev/null
@@ -0,0 +1,45 @@
+From 3c39c04e6ef8661fcadf958ae685f11a27308def Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:33:03 +0800
+Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put(). So call it after using to avoid refcount leak.
+
+Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 02711014aee7..1b2f750577da 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -255,10 +255,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev)
+        */
+       if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) {
+               for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) {
+-                      if (host_bridge->device == tjmax_pci_table[i].device)
++                      if (host_bridge->device == tjmax_pci_table[i].device) {
++                              pci_dev_put(host_bridge);
+                               return tjmax_pci_table[i].tjmax;
++                      }
+               }
+       }
++      pci_dev_put(host_bridge);
+       for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) {
+               if (strstr(c->x86_model_id, tjmax_table[i].id))
+-- 
+2.35.1
+
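Review bot: The unconditional `pci_dev_put(host_bridge);` after the `if (host_bridge && ...)` block in adjust_tjmax() runs when `host_bridge` is NULL too, and nothing in the hunk tells the reader that this is safe. pci_dev_put() accepts a NULL pointer, so the code is correct, but a comment such as `/* pci_dev_put() is a no-op for NULL */` on that line would stop a later edit from wrapping it in a check or mistaking it for a NULL dereference. Separately, the subject names nv1a_ram_new() while the hunk changes adjust_tjmax() in drivers/hwmon/coretemp.c, so a search of the queue by function name will miss this fix. adjust_tjmax() starts and ends outside the hunk.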
diff --git a/queue-4.19/hwmon-i5500_temp-fix-missing-pci_disable_device.patch b/queue-4.19/hwmon-i5500_temp-fix-missing-pci_disable_device.patch
new file mode 100644 (file)
index 0000000..157281f
--- /dev/null
@@ -0,0 +1,37 @@
+From afb5310848ac7a49db0402547157d445801a1ba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 20:56:06 +0800
+Subject: hwmon: (i5500_temp) fix missing pci_disable_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ]
+
+pci_disable_device() need be called while module exiting, switch to use
+pcim_enable(), pci_disable_device() will be called in pcim_release().
+
+Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/i5500_temp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c
+index 400e0675a90b..03fa12c78109 100644
+--- a/drivers/hwmon/i5500_temp.c
++++ b/drivers/hwmon/i5500_temp.c
+@@ -117,7 +117,7 @@ static int i5500_temp_probe(struct pci_dev *pdev,
+       u32 tstimer;
+       s8 tsfsc;
+-      err = pci_enable_device(pdev);
++      err = pcim_enable_device(pdev);
+       if (err) {
+               dev_err(&pdev->dev, "Failed to enable device\n");
+               return err;
+-- 
+2.35.1
+
diff --git a/queue-4.19/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch b/queue-4.19/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch
new file mode 100644 (file)
index 0000000..7d45293
--- /dev/null
@@ -0,0 +1,44 @@
+From 9e217375b025cc1ddd995c74917e03676a0979a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:44:23 +0800
+Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ]
+
+Smatch report warning as follows:
+
+drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
+  '&data->list' not removed from list
+
+If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
+be freed, but data->list will not be removed from driver_data.bmc_data,
+then list traversal may cause UAF.
+
+Fix by removeing it from driver_data.bmc_data before free().
+
+Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ibmpex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
+index ab72cabf5a95..e289c845f970 100644
+--- a/drivers/hwmon/ibmpex.c
++++ b/drivers/hwmon/ibmpex.c
+@@ -517,6 +517,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev)
+       return;
+ out_register:
++      list_del(&data->list);
+       hwmon_device_unregister(data->hwmon_dev);
+ out_user:
+       ipmi_destroy_user(data->user);
+-- 
+2.35.1
+
diff --git a/queue-4.19/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch b/queue-4.19/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
new file mode 100644 (file)
index 0000000..721af8b
--- /dev/null
@@ -0,0 +1,72 @@
+From d84a035e0356d9cc57c8f3e8e3d5a7960910c7d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:19:46 +0000
+Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
+Read of size 4 at addr ffffffffc02ac638 by task cat/279
+
+Call Trace:
+ afe4403_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4403_channel_leds+0x18/0xffffffffffffe9e0
+
+This issue can be reproduced by singe command:
+
+ $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw
+
+The array size of afe4403_channel_leds is less than channels, so access
+with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
+access before use it.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4403.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c
+index 63210a3b1b87..ae5682101181 100644
+--- a/drivers/iio/health/afe4403.c
++++ b/drivers/iio/health/afe4403.c
+@@ -253,14 +253,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+                           int *val, int *val2, long mask)
+ {
+       struct afe4403_data *afe = iio_priv(indio_dev);
+-      unsigned int reg = afe4403_channel_values[chan->address];
+-      unsigned int field = afe4403_channel_leds[chan->address];
++      unsigned int reg, field;
+       int ret;
+       switch (chan->type) {
+       case IIO_INTENSITY:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      reg = afe4403_channel_values[chan->address];
+                       ret = afe4403_read(afe, reg, val);
+                       if (ret)
+                               return ret;
+@@ -270,6 +270,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+       case IIO_CURRENT:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      field = afe4403_channel_leds[chan->address];
+                       ret = regmap_field_read(afe->fields[field], val);
+                       if (ret)
+                               return ret;
+-- 
+2.35.1
+
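Review bot: The lookups moved into the `IIO_CHAN_INFO_RAW` cases of afe4403_read_raw() still index the tables with `chan->address` unchecked, so the fix relies on every IIO_CURRENT channel carrying an address inside afe4403_channel_leds, which this hunk does not show. An explicit guard before the lookup, `if (chan->address >= ARRAY_SIZE(afe4403_channel_leds)) return -EINVAL;`, would turn a future mismatch between the channel list and the table into an error instead of a global out-of-bounds read. This patch touches only the read path, whereas the afe4404 patch that follows in this queue changes both read_raw and write_raw, so it is worth confirming that afe4403_write_raw() has no declaration-time lookup of the same kind. The same guard applies to the afe4404_channel_leds and afe4404_channel_offdacs lookups in that patch.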
diff --git a/queue-4.19/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch b/queue-4.19/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
new file mode 100644 (file)
index 0000000..1dbb417
--- /dev/null
@@ -0,0 +1,102 @@
+From 726b2dc40220ba715db0142cc79722ce88388aec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:20:10 +0000
+Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
+Read of size 4 at addr ffffffffc00e4658 by task cat/278
+
+Call Trace:
+ afe4404_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4404_channel_leds+0x18/0xffffffffffffe9c0
+
+This issue can be reproduce by singe command:
+
+ $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw
+
+The array size of afe4404_channel_leds and afe4404_channel_offdacs
+are less than channels, so access with chan->address cause OOB read
+in afe4404_[read|write]_raw. Fix it by moving access before use them.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4404.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c
+index 23e1ac6501a1..a081cdfd7071 100644
+--- a/drivers/iio/health/afe4404.c
++++ b/drivers/iio/health/afe4404.c
+@@ -258,20 +258,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+                           int *val, int *val2, long mask)
+ {
+       struct afe4404_data *afe = iio_priv(indio_dev);
+-      unsigned int value_reg = afe4404_channel_values[chan->address];
+-      unsigned int led_field = afe4404_channel_leds[chan->address];
+-      unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++      unsigned int value_reg, led_field, offdac_field;
+       int ret;
+       switch (chan->type) {
+       case IIO_INTENSITY:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      value_reg = afe4404_channel_values[chan->address];
+                       ret = regmap_read(afe->regmap, value_reg, val);
+                       if (ret)
+                               return ret;
+                       return IIO_VAL_INT;
+               case IIO_CHAN_INFO_OFFSET:
++                      offdac_field = afe4404_channel_offdacs[chan->address];
+                       ret = regmap_field_read(afe->fields[offdac_field], val);
+                       if (ret)
+                               return ret;
+@@ -281,6 +281,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+       case IIO_CURRENT:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      led_field = afe4404_channel_leds[chan->address];
+                       ret = regmap_field_read(afe->fields[led_field], val);
+                       if (ret)
+                               return ret;
+@@ -303,19 +304,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev,
+                            int val, int val2, long mask)
+ {
+       struct afe4404_data *afe = iio_priv(indio_dev);
+-      unsigned int led_field = afe4404_channel_leds[chan->address];
+-      unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++      unsigned int led_field, offdac_field;
+       switch (chan->type) {
+       case IIO_INTENSITY:
+               switch (mask) {
+               case IIO_CHAN_INFO_OFFSET:
++                      offdac_field = afe4404_channel_offdacs[chan->address];
+                       return regmap_field_write(afe->fields[offdac_field], val);
+               }
+               break;
+       case IIO_CURRENT:
+               switch (mask) {
+               case IIO_CHAN_INFO_RAW:
++                      led_field = afe4404_channel_leds[chan->address];
+                       return regmap_field_write(afe->fields[led_field], val);
+               }
+               break;
+-- 
+2.35.1
+
diff --git a/queue-4.19/iio-light-rpr0521-add-missing-kconfig-dependencies.patch b/queue-4.19/iio-light-rpr0521-add-missing-kconfig-dependencies.patch
new file mode 100644 (file)
index 0000000..17ae0ca
--- /dev/null
@@ -0,0 +1,47 @@
+From c57f26e5e2d3d2f7352358a36ae7bd1a02590711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:47:29 -0500
+Subject: iio: light: rpr0521: add missing Kconfig dependencies
+
+From: Paul Gazzillo <paul@pgazz.com>
+
+[ Upstream commit 6ac12303572ef9ace5603c2c07f5f1b00a33f580 ]
+
+Fix an implicit declaration of function error for rpr0521 under some configs
+
+When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER,
+the build results in "implicit declaration of function" errors, e.g.,
+  drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function
+           'iio_trigger_poll_chained' [-Werror=implicit-function-declaration]
+    434 |   iio_trigger_poll_chained(data->drdy_trigger0);
+        |   ^~~~~~~~~~~~~~~~~~~~~~~~
+
+This fix adds select dependencies to RPR0521's configuration declaration.
+
+Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer")
+Signed-off-by: Paul Gazzillo <paul@pgazz.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@device
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig
+index d66ea754ffff..485362f0a213 100644
+--- a/drivers/iio/light/Kconfig
++++ b/drivers/iio/light/Kconfig
+@@ -238,6 +238,8 @@ config RPR0521
+       tristate "ROHM RPR0521 ALS and proximity sensor driver"
+       depends on I2C
+       select REGMAP_I2C
++      select IIO_BUFFER
++      select IIO_TRIGGERED_BUFFER
+       help
+        Say Y here if you want to build support for ROHM's RPR0521
+        ambient light and proximity sensor device.
+-- 
+2.35.1
+
diff --git a/queue-4.19/kbuild-fix-wimplicit-function-declaration-in-license.patch b/queue-4.19/kbuild-fix-wimplicit-function-declaration-in-license.patch
new file mode 100644 (file)
index 0000000..c0f9928
--- /dev/null
@@ -0,0 +1,50 @@
+From dfa95278d8646a6d65894eebafaff9f2ebc2225d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 18:26:34 +0000
+Subject: kbuild: fix -Wimplicit-function-declaration in
+ license_is_gpl_compatible
+
+From: Sam James <sam@gentoo.org>
+
+[ Upstream commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 ]
+
+Add missing <linux/string.h> include for strcmp.
+
+Clang 16 makes -Wimplicit-function-declaration an error by default.
+Unfortunately, out of tree modules may use this in configure scripts,
+which means failure might cause silent miscompilation or misconfiguration.
+
+For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2],
+or the (new) c-std-porting mailing list [3].
+
+[0] https://lwn.net/Articles/913505/
+[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213
+[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240
+[3] hosted at lists.linux.dev.
+
+[akpm@linux-foundation.org: remember "linux/"]
+Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org
+Signed-off-by: Sam James <sam@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/license.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/license.h b/include/linux/license.h
+index decdbf43cb5c..87a21d5d6758 100644
+--- a/include/linux/license.h
++++ b/include/linux/license.h
+@@ -1,6 +1,8 @@
+ #ifndef __LICENSE_H
+ #define __LICENSE_H
++#include <linux/string.h>
++
+ static inline int license_is_gpl_compatible(const char *license)
+ {
+       return (strcmp(license, "GPL") == 0
+-- 
+2.35.1
+
diff --git a/queue-4.19/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch b/queue-4.19/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch
new file mode 100644 (file)
index 0000000..7b87d6b
--- /dev/null
@@ -0,0 +1,45 @@
+From eb9c9b5430444e6310ce50d11646162fb0f6c02f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:10:05 +0800
+Subject: net/9p: Fix a potential socket leak in p9_socket_open
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ]
+
+Both p9_fd_create_tcp() and p9_fd_create_unix() will call
+p9_socket_open(). If the creation of p9_trans_fd fails,
+p9_fd_create_tcp() and p9_fd_create_unix() will return an
+error directly instead of releasing the cscoket, which will
+result in a socket leak.
+
+This patch adds sock_release() to fix the leak issue.
+
+Fixes: 6b18662e239a ("9p connect fixes")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+ACKed-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 6aba06a8261c..e03ff8df1d3f 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -867,8 +867,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
+       struct file *file;
+       p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL);
+-      if (!p)
++      if (!p) {
++              sock_release(csocket);
+               return -ENOMEM;
++      }
+       csocket->sk->sk_allocation = GFP_NOIO;
+       file = sock_alloc_file(csocket, 0, NULL);
+-- 
+2.35.1
+
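Review bot: With the added `sock_release(csocket);` p9_socket_open() now releases the caller's socket when the kzalloc() fails, and nothing in the hunk documents that ownership rule. A comment above the function such as `/* Takes ownership of csocket: on failure it is released here, callers must not release it again. */` would keep p9_fd_create_tcp() and p9_fd_create_unix() from gaining a second release later, which would be a double free of the socket. Whether the sock_alloc_file() failure path further down also releases the socket is outside this hunk and should be confirmed before the comment claims every error path.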
diff --git a/queue-4.19/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch b/queue-4.19/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
new file mode 100644 (file)
index 0000000..4cf9948
--- /dev/null
@@ -0,0 +1,41 @@
+From 78913f3783d83bfbc8e70a7a80e97e7ea6b9cb75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 15:56:04 +0900
+Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system
+ resumed
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ]
+
+After system resumed on some environment board, the promiscuous mode
+is disabled because the SoC turned off. So, call ravb_set_rx_mode() in
+the ravb_resume() to fix the issue.
+
+Reported-by: Tho Vu <tho.vu.wh@renesas.com>
+Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index c24b7ea37e39..9077014f6f40 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2310,6 +2310,7 @@ static int __maybe_unused ravb_resume(struct device *dev)
+               ret = ravb_open(ndev);
+               if (ret < 0)
+                       return ret;
++              ravb_set_rx_mode(ndev);
+               netif_device_attach(ndev);
+       }
+-- 
+2.35.1
+
diff --git a/queue-4.19/net-hsr-fix-potential-use-after-free.patch b/queue-4.19/net-hsr-fix-potential-use-after-free.patch
new file mode 100644 (file)
index 0000000..e552d5e
--- /dev/null
@@ -0,0 +1,49 @@
+From 89915e561c0eb8c2f62e84f9c86c4cbdb7917d0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 15:57:24 +0800
+Subject: net: hsr: Fix potential use-after-free
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ]
+
+The skb is delivered to netif_rx() which may free it, after calling this,
+dereferencing skb may trigger use-after-free.
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index 04b5450c5a55..adfb49760678 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -207,17 +207,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
+                              struct hsr_node *node_src)
+ {
+       bool was_multicast_frame;
+-      int res;
++      int res, recv_len;
+       was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST);
+       hsr_addr_subst_source(node_src, skb);
+       skb_pull(skb, ETH_HLEN);
++      recv_len = skb->len;
+       res = netif_rx(skb);
+       if (res == NET_RX_DROP) {
+               dev->stats.rx_dropped++;
+       } else {
+               dev->stats.rx_packets++;
+-              dev->stats.rx_bytes += skb->len;
++              dev->stats.rx_bytes += recv_len;
+               if (was_multicast_frame)
+                       dev->stats.multicast++;
+       }
+-- 
+2.35.1
+
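Review bot: `recv_len` is declared as `int` alongside `res`, while `skb->len` is an `unsigned int`, so the cached length goes through a signed conversion before it is added to `dev->stats.rx_bytes`. Declaring it on its own line as `unsigned int recv_len;` keeps the type of the field it caches. A short comment on the assignment, `/* netif_rx() may free skb; read the length first */`, would stop a later cleanup from moving the read back below the call in hsr_deliver_master().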
diff --git a/queue-4.19/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch b/queue-4.19/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch
new file mode 100644 (file)
index 0000000..566ee90
--- /dev/null
@@ -0,0 +1,39 @@
+From 526102a294956a4a21bfa37a7109f254795f2612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:22:04 +0800
+Subject: net/mlx5: Fix uninitialized variable bug in outlen_write()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ]
+
+If sscanf() return 0, outlen is uninitialized and used in kzalloc(),
+this is unexpected. We should return -EINVAL if the string is invalid.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index a686082762df..14cdac980520 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1324,8 +1324,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf,
+               return -EFAULT;
+       err = sscanf(outlen_str, "%d", &outlen);
+-      if (err < 0)
+-              return err;
++      if (err != 1)
++              return -EINVAL;
+       ptr = kzalloc(outlen, GFP_KERNEL);
+       if (!ptr)
+-- 
+2.35.1
+
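Review bot: After the new `err != 1` check, `outlen` still reaches `kzalloc(outlen, GFP_KERNEL)` with no range check, and `%d` accepts negative numbers, so a value written from user space is converted to a very large allocation size. Rejecting it together with the parse failure, `if (err != 1 || outlen < 0) return -EINVAL;`, bounds the low end; an upper limit matching the largest command output the driver supports would bound the high end, but that constant is not visible in this hunk. outlen_write() starts and ends outside the hunk, so the declaration of `outlen` and the termination of `outlen_str` could not be checked here.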
diff --git a/queue-4.19/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch b/queue-4.19/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch
new file mode 100644 (file)
index 0000000..cad89ba
--- /dev/null
@@ -0,0 +1,48 @@
+From 66ace79cdc22b8627534bc8b555505b87a20890f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 07:09:17 +0000
+Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ]
+
+The ntb_netdev_init_module() returns the ntb_transport_register_client()
+directly without checking its return value, if
+ntb_transport_register_client() failed, the NTB client device is not
+unregistered.
+
+Fix by unregister NTB client device when ntb_transport_register_client()
+failed.
+
+Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index df8d49ad48c3..33974e7519ce 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -506,7 +506,14 @@ static int __init ntb_netdev_init_module(void)
+       rc = ntb_transport_register_client_dev(KBUILD_MODNAME);
+       if (rc)
+               return rc;
+-      return ntb_transport_register_client(&ntb_netdev_client);
++
++      rc = ntb_transport_register_client(&ntb_netdev_client);
++      if (rc) {
++              ntb_transport_unregister_client_dev(KBUILD_MODNAME);
++              return rc;
++      }
++
++      return 0;
+ }
+ module_init(ntb_netdev_init_module);
+-- 
+2.35.1
+
diff --git a/queue-4.19/net-phy-fix-null-ptr-deref-while-probe-failed.patch b/queue-4.19/net-phy-fix-null-ptr-deref-while-probe-failed.patch
new file mode 100644 (file)
index 0000000..6f155d2
--- /dev/null
@@ -0,0 +1,73 @@
+From 65353ec431b6b32ced52a2ed09858ca1e1c746ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 21:28:08 +0800
+Subject: net: phy: fix null-ptr-deref while probe() failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ]
+
+I got a null-ptr-deref report as following when doing fault injection test:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000058
+Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G    B            N 6.1.0-rc3+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:klist_put+0x2d/0xd0
+Call Trace:
+ <TASK>
+ klist_remove+0xf1/0x1c0
+ device_release_driver_internal+0x23e/0x2d0
+ bus_remove_device+0x1bd/0x240
+ device_del+0x357/0x770
+ phy_device_remove+0x11/0x30
+ mdiobus_unregister+0xa5/0x140
+ release_nodes+0x6a/0xa0
+ devres_release_all+0xf8/0x150
+ device_unbind_cleanup+0x19/0xd0
+
+//probe path:
+phy_device_register()
+  device_add()
+
+phy_connect
+  phy_attach_direct() //set device driver
+    probe() //it's failed, driver is not bound
+    device_bind_driver() // probe failed, it's not called
+
+//remove path:
+phy_device_remove()
+  device_del()
+    device_release_driver_internal()
+      __device_release_driver() //dev->drv is not NULL
+        klist_remove() <- knode_driver is not added yet, cause null-ptr-deref
+
+In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
+device_bind_driver() is not called, so the knode_driver->n_klist is not
+set, then it causes null-ptr-deref in __device_release_driver() while
+deleting device. Fix this by setting dev->driver to NULL in the error
+path in phy_attach_direct().
+
+Fixes: e13934563db0 ("[PATCH] PHY Layer fixup")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index a03d0627efb0..4d29865d97a4 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1083,6 +1083,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev,
+ error_module_put:
+       module_put(d->driver->owner);
++      d->driver = NULL;
+ error_put_device:
+       put_device(d);
+       if (ndev_owner != bus->owner)
+-- 
+2.35.1
+
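Review bot: `d->driver = NULL;` sits under `error_module_put`, so any path that jumps straight to `error_put_device` after `d->driver` has been assigned skips the reset and leaves the device in the state the commit message describes. Whether such a path exists is not visible, because phy_attach_direct() starts above the hunk; if one does, the reset belongs under `error_put_device`, limited to the case where this function made the assignment. A comment on the new line, `/* never bound: clear so device_del() does not try to release a driver */`, would also record why the pointer is cleared.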
diff --git a/queue-4.19/net-tun-fix-use-after-free-in-tun_detach.patch b/queue-4.19/net-tun-fix-use-after-free-in-tun_detach.patch
new file mode 100644 (file)
index 0000000..e6479c0
--- /dev/null
@@ -0,0 +1,90 @@
+From 21cde7ee6a5ca7ee97054e3fa951016fc7fc16d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 02:51:34 +0900
+Subject: net: tun: Fix use-after-free in tun_detach()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 5daadc86f27ea4d691e2131c04310d0418c6cd12 ]
+
+syzbot reported use-after-free in tun_detach() [1].  This causes call
+trace like below:
+
+==================================================================
+BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
+Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673
+
+CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:284 [inline]
+ print_report+0x15e/0x461 mm/kasan/report.c:395
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
+ notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
+ call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
+ call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
+ call_netdevice_notifiers net/core/dev.c:1997 [inline]
+ netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
+ netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
+ tun_detach drivers/net/tun.c:704 [inline]
+ tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
+ __fput+0x27c/0xa90 fs/file_table.c:320
+ task_work_run+0x16f/0x270 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xb3d/0x2a30 kernel/exit.c:820
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:950
+ get_signal+0x21b1/0x2440 kernel/signal.c:2858
+ arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
+ exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
+ exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
+ do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The cause of the issue is that sock_put() from __tun_detach() drops
+last reference count for struct net, and then notifier_call_chain()
+from netdev_state_change() accesses that struct net.
+
+This patch fixes the issue by calling sock_put() from tun_detach()
+after all necessary accesses for the struct net has done.
+
+Fixes: 83c1f36f9880 ("tun: send netlink notification when the device is modified")
+Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 8df651999b2b..5194b2ccd4b7 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -756,7 +756,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
+               if (tun)
+                       xdp_rxq_info_unreg(&tfile->xdp_rxq);
+               ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
+-              sock_put(&tfile->sk);
+       }
+ }
+@@ -772,6 +771,9 @@ static void tun_detach(struct tun_file *tfile, bool clean)
+       if (dev)
+               netdev_state_change(dev);
+       rtnl_unlock();
++
++      if (clean)
++              sock_put(&tfile->sk);
+ }
+ static void tun_detach_all(struct net_device *dev)
+-- 
+2.35.1
+
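Review bot: The `sock_put(&tfile->sk)` added at the end of tun_detach() is now the only place the clean path drops the socket reference, and nothing in the code says why it has to stay last. The commit message states that this put can drop the last reference to struct net, and since the socket is embedded in tfile (`&tfile->sk`), tfile itself presumably may be freed by the call. A comment above the `if (clean)`, such as `/* Must be last: may drop the final sk reference, freeing tfile and releasing struct net. */`, would keep later edits from adding accesses after it. Any other caller of __tun_detach() that passes clean as true would now leak the reference; that is worth confirming in the 4.19 tree, since only part of both functions is visible in these hunks.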
diff --git a/queue-4.19/of-property-decrement-node-refcount-in-of_fwnode_get.patch b/queue-4.19/of-property-decrement-node-refcount-in-of_fwnode_get.patch
new file mode 100644 (file)
index 0000000..0d971c7
--- /dev/null
@@ -0,0 +1,47 @@
+From 3fcfc04b30201a937cec535bc89c1dc8622ca264 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 10:32:09 +0800
+Subject: of: property: decrement node refcount in
+ of_fwnode_get_reference_args()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 60d865bd5a9b15a3961eb1c08bd4155682a3c81e ]
+
+In of_fwnode_get_reference_args(), the refcount of of_args.np has
+been incremented in the case of successful return from
+of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args().
+
+Decrement the refcount if of_args is not returned to the caller of
+of_fwnode_get_reference_args().
+
+Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/property.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/property.c b/drivers/of/property.c
+index 43720c2de138..13c7e55f5cba 100644
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -918,8 +918,10 @@ of_fwnode_get_reference_args(const struct fwnode_handle *fwnode,
+                                                      nargs, index, &of_args);
+       if (ret < 0)
+               return ret;
+-      if (!args)
++      if (!args) {
++              of_node_put(of_args.np);
+               return 0;
++      }
+       args->nargs = of_args.args_count;
+       args->fwnode = of_fwnode_handle(of_args.np);
+-- 
+2.35.1
+
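Review bot: The new `of_node_put(of_args.np)` covers the `!args` early return, but the path below it stores `of_fwnode_handle(of_args.np)` in `args->fwnode` and hands the still-held reference to the caller without saying so. A one-line comment there, e.g. `/* the reference on of_args.np is passed to the caller through args->fwnode */`, would make the ownership rule explicit and explain why only one branch calls of_node_put(). The start and end of of_fwnode_get_reference_args() are outside the hunk, so any existing kernel-doc for it is not visible here.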
diff --git a/queue-4.19/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch b/queue-4.19/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch
new file mode 100644 (file)
index 0000000..f73e77b
--- /dev/null
@@ -0,0 +1,49 @@
+From bf39f5efca4a5e83b39b0e23020c4f490566a2a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 11:18:12 -0500
+Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ]
+
+CHECKSUM_COMPLETE signals that skb->csum stores the sum over the
+entire packet. It does not imply that an embedded l4 checksum
+field has been validated.
+
+Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index f654f79e3310..6fa0a9a453a8 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2209,8 +2209,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+       if (skb->ip_summed == CHECKSUM_PARTIAL)
+               status |= TP_STATUS_CSUMNOTREADY;
+       else if (skb->pkt_type != PACKET_OUTGOING &&
+-               (skb->ip_summed == CHECKSUM_COMPLETE ||
+-                skb_csum_unnecessary(skb)))
++               skb_csum_unnecessary(skb))
+               status |= TP_STATUS_CSUM_VALID;
+       if (snaplen > res)
+@@ -3452,8 +3451,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+               if (skb->ip_summed == CHECKSUM_PARTIAL)
+                       aux.tp_status |= TP_STATUS_CSUMNOTREADY;
+               else if (skb->pkt_type != PACKET_OUTGOING &&
+-                       (skb->ip_summed == CHECKSUM_COMPLETE ||
+-                        skb_csum_unnecessary(skb)))
++                       skb_csum_unnecessary(skb))
+                       aux.tp_status |= TP_STATUS_CSUM_VALID;
+               aux.tp_len = origlen;
+-- 
+2.35.1
+
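Review bot: The TP_STATUS_CSUM_VALID condition is corrected identically in tpacket_rcv() and packet_recvmsg(), but neither site records why CHECKSUM_COMPLETE is excluded, so the clause could easily be re-added later. Userspace consumers such as capture or inspection tools may read this flag as a statement that the L4 checksum was verified, so a comment at both sites is worthwhile, e.g. `/* CHECKSUM_COMPLETE: skb->csum covers the packet; the L4 checksum field is not validated */`. Because the two tests are the same expression, a small shared helper returning the checksum status bits would keep them from diverging again. Both functions extend beyond the hunks shown.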
diff --git a/queue-4.19/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch b/queue-4.19/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch
new file mode 100644 (file)
index 0000000..a0115f7
--- /dev/null
@@ -0,0 +1,70 @@
+From 736c04851068f04b8e75132766744441124c6bfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 18:06:42 +0800
+Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ]
+
+The watchdog timer is used to monitor whether the process
+of transmitting data is timeout. If we use qlcnic driver,
+the dev_watchdog() that is the timer handler of watchdog
+timer will call qlcnic_tx_timeout() to process the timeout.
+But the qlcnic_tx_timeout() calls msleep(), as a result,
+the sleep-in-atomic-context bugs will happen. The processes
+are shown below:
+
+   (atomic context)
+dev_watchdog
+  qlcnic_tx_timeout
+    qlcnic_83xx_idc_request_reset
+      qlcnic_83xx_lock_driver
+        msleep
+
+---------------------------
+
+   (atomic context)
+dev_watchdog
+  qlcnic_tx_timeout
+    qlcnic_83xx_idc_request_reset
+      qlcnic_83xx_lock_driver
+        qlcnic_83xx_recover_driver_lock
+          msleep
+
+Fix by changing msleep() to mdelay(), the mdelay() is
+busy-waiting and the bugs could be mitigated.
+
+Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+index d857d44547a5..b3f1f1bd52a8 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -2993,7 +2993,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter)
+               QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val);
+               dev_info(&adapter->pdev->dev,
+                        "%s: lock recovery initiated\n", __func__);
+-              msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
++              mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
+               val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK);
+               id = ((val >> 2) & 0xF);
+               if (id == adapter->portnum) {
+@@ -3029,7 +3029,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter)
+               if (status)
+                       break;
+-              msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY);
++              mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY);
+               i++;
+               if (i == 1)
+-- 
+2.35.1
+
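Review bot: Replacing `msleep()` with `mdelay()` in qlcnic_83xx_recover_driver_lock() and qlcnic_83xx_lock_driver() removes the sleep from atomic context but turns each wait into a busy-wait, and the one in qlcnic_83xx_lock_driver() appears to sit inside a retry loop (`i++` follows it). The values of `QLC_83XX_DRV_LOCK_RECOVERY_DELAY` and `QLC_83XX_DRV_LOCK_WAIT_DELAY` and the loop bound are not visible here. If their product is more than a few milliseconds, the watchdog timer path can hold a CPU for that long, and any process-context callers now spin where they used to sleep. Consider having qlcnic_tx_timeout() defer the reset to a work item so these helpers can keep sleeping, or at least add a comment stating the worst-case spin time next to each `mdelay()`. Both functions continue outside the hunks.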
diff --git a/queue-4.19/scripts-faddr2line-fix-regression-in-name-resolution.patch b/queue-4.19/scripts-faddr2line-fix-regression-in-name-resolution.patch
new file mode 100644 (file)
index 0000000..e40a735
--- /dev/null
@@ -0,0 +1,79 @@
+From db3c1920da9c3b2d8c52c0422d58e6560b756951 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 13:22:11 +0530
+Subject: scripts/faddr2line: Fix regression in name resolution on ppc64le
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 2d77de1581bb5b470486edaf17a7d70151131afd ]
+
+Commit 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section
+failures") can cause faddr2line to fail on ppc64le on some
+distributions, while it works fine on other distributions. The failure
+can be attributed to differences in the readelf output.
+
+  $ ./scripts/faddr2line vmlinux find_busiest_group+0x00
+  no match for find_busiest_group+0x00
+
+On ppc64le, readelf adds the localentry tag before the symbol name on
+some distributions, and adds the localentry tag after the symbol name on
+other distributions. This problem has been discussed previously:
+
+  https://lore.kernel.org/bpf/20191211160133.GB4580@calabresa/
+
+This problem can be overcome by filtering out the localentry tags in the
+readelf output. Similar fixes are already present in the kernel by way
+of the following commits:
+
+  1fd6cee127e2 ("libbpf: Fix VERSIONED_SYM_COUNT number parsing")
+  aa915931ac3e ("libbpf: Fix readelf output parsing for Fedora")
+
+[jpoimboe: rework commit log]
+
+Fixes: 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section failures")
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Reviewed-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Link: https://lore.kernel.org/r/20220927075211.897152-1-srikar@linux.vnet.ibm.com
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/faddr2line | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/faddr2line b/scripts/faddr2line
+index 70f8c3ecd555..42c46f498021 100755
+--- a/scripts/faddr2line
++++ b/scripts/faddr2line
+@@ -73,7 +73,8 @@ command -v ${ADDR2LINE} >/dev/null 2>&1 || die "${ADDR2LINE} isn't installed"
+ find_dir_prefix() {
+       local objfile=$1
+-      local start_kernel_addr=$(${READELF} --symbols --wide $objfile | ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}')
++      local start_kernel_addr=$(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' |
++              ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}')
+       [[ -z $start_kernel_addr ]] && return
+       local file_line=$(${ADDR2LINE} -e $objfile $start_kernel_addr)
+@@ -177,7 +178,7 @@ __faddr2line() {
+                               found=2
+                               break
+                       fi
+-              done < <(${READELF} --symbols --wide $objfile | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2)
++              done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2)
+               if [[ $found = 0 ]]; then
+                       warn "can't find symbol: sym_name: $sym_name sym_sec: $sym_sec sym_addr: $sym_addr sym_elf_size: $sym_elf_size"
+@@ -258,7 +259,7 @@ __faddr2line() {
+               DONE=1
+-      done < <(${READELF} --symbols --wide $objfile | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn')
++      done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn')
+ }
+ [[ $# -lt 2 ]] && usage
+-- 
+2.35.1
+
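Review bot: The added filter `sed 's/\[.*\]//'` is greedy, so on a line with more than one bracket it deletes everything from the first `[` to the last `]`, including any fields in between. `sed 's/\[[^]]*\]//'` removes only the bracketed tag itself. The same pipeline stage is pasted into find_dir_prefix() and twice into __faddr2line(); a small wrapper around `${READELF} --symbols --wide` that applies the filter would keep the three call sites consistent. `$objfile` is also expanded unquoted on each new line, so a path containing spaces or glob characters is split before readelf sees it; `"$objfile"` avoids that.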
index b979aae5bf2d88844166b7b85885c18b1967e1c4..66a87979e7f37433f0c3c1afb2378b3c9fbd1955 100644 (file)
@@ -59,3 +59,32 @@ btrfs-free-btrfs_path-before-copying-fspath-to-userspace.patch
 btrfs-free-btrfs_path-before-copying-subvol-info-to-userspace.patch
 drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch
 drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch
+btrfs-free-btrfs_path-before-copying-inodes-to-users.patch
+spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch
+usb-dwc3-exynos-remove-dead-code.patch
+usb-dwc3-exynos-fix-remove-function.patch
+kbuild-fix-wimplicit-function-declaration-in-license.patch
+iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
+iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
+iio-light-rpr0521-add-missing-kconfig-dependencies.patch
+scripts-faddr2line-fix-regression-in-name-resolution.patch
+hwmon-i5500_temp-fix-missing-pci_disable_device.patch
+hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch
+of-property-decrement-node-refcount-in-of_fwnode_get.patch
+e100-switch-from-pci_-to-dma_-api.patch
+e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch
+net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch
+can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
+can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
+qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch
+net-phy-fix-null-ptr-deref-while-probe-failed.patch
+net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch
+net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch
+dsa-lan9303-correct-stat-name.patch
+net-hsr-fix-potential-use-after-free.patch
+net-tun-fix-use-after-free-in-tun_detach.patch
+packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch
+net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
+hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
+hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
+btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
diff --git a/queue-4.19/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch b/queue-4.19/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch
new file mode 100644 (file)
index 0000000..032adc3
--- /dev/null
@@ -0,0 +1,65 @@
+From 2ca600dc10dae34c4b387e0b31f85dae31afbca3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 19:10:00 +0100
+Subject: spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input
+ clock
+
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+
+[ Upstream commit db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 ]
+
+In case the requested bus clock is higher than the input clock, the correct
+dividers (pre = 0, post = 0) are returned from mx51_ecspi_clkdiv(), but
+*fres is left uninitialized and therefore contains an arbitrary value.
+
+This causes trouble for the recently introduced PIO polling feature as the
+value in spi_imx->spi_bus_clk is used there to calculate for which
+transfers to enable PIO polling.
+
+Fix this by setting *fres even if no clock dividers are in use.
+
+This issue was observed on Kontron BL i.MX8MM with an SPI peripheral clock set
+to 50 MHz by default and a requested SPI bus clock of 80 MHz for the SPI NOR
+flash.
+
+With the fix applied the debug message from mx51_ecspi_clkdiv() now prints the
+following:
+
+spi_imx 30820000.spi: mx51_ecspi_clkdiv: fin: 50000000, fspi: 50000000,
+post: 0, pre: 0
+
+Fixes: 6fd8b8503a0d ("spi: spi-imx: Fix out-of-order CS/SCLK operation at low speeds")
+Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support")
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: David Jander <david@protonic.nl>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Marek Vasut <marex@denx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Tested-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Marek Vasut <marex@denx.de>
+Link: https://lore.kernel.org/r/20221115181002.2068270-1-frieder@fris.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 5b6f3655c366..ec2296a4c44d 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -429,8 +429,7 @@ static unsigned int mx51_ecspi_clkdiv(struct spi_imx_data *spi_imx,
+       unsigned int pre, post;
+       unsigned int fin = spi_imx->spi_clk;
+-      if (unlikely(fspi > fin))
+-              return 0;
++      fspi = min(fspi, fin);
+       post = fls(fin) - fls(fspi);
+       if (fin > fspi << post)
+-- 
+2.35.1
+
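Review bot: `fspi = min(fspi, fin);` silently clamps the requested rate, and the reason (so that `*fres` is always written by the code further down) is recorded only in the commit message. A comment above it, e.g. `/* Clamp to the input clock; *fres must still be computed when pre = post = 0 */`, would stop a later cleanup from restoring the early `return 0`. The kernel's `min()` expects both operands to have the same type. `fin` is `unsigned int` here, but the declaration of `fspi` is outside the hunk, so that is worth confirming against the 4.19 signature.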
diff --git a/queue-4.19/usb-dwc3-exynos-fix-remove-function.patch b/queue-4.19/usb-dwc3-exynos-fix-remove-function.patch
new file mode 100644 (file)
index 0000000..704cd5d
--- /dev/null
@@ -0,0 +1,57 @@
+From e18eb4eb88c815ba06bc291da056ba55580bda1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:41:31 +0100
+Subject: usb: dwc3: exynos: Fix remove() function
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit e0481e5b3cc12ea7ccf4552d41518c89d3509004 ]
+
+The core DWC3 device node was not properly removed by the custom
+dwc3_exynos_remove_child() function. Replace it with generic
+of_platform_depopulate() which does that job right.
+
+Fixes: adcf20dcd262 ("usb: dwc3: exynos: Use of_platform API to create dwc3 core pdev")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20221110154131.2577-1-m.szyprowski@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-exynos.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-exynos.c b/drivers/usb/dwc3/dwc3-exynos.c
+index 0a946c66c3bb..3d466ec8f8cc 100644
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -28,15 +28,6 @@ struct dwc3_exynos {
+       struct regulator        *vdd10;
+ };
+-static int dwc3_exynos_remove_child(struct device *dev, void *unused)
+-{
+-      struct platform_device *pdev = to_platform_device(dev);
+-
+-      platform_device_unregister(pdev);
+-
+-      return 0;
+-}
+-
+ static int dwc3_exynos_probe(struct platform_device *pdev)
+ {
+       struct dwc3_exynos      *exynos;
+@@ -136,7 +127,7 @@ static int dwc3_exynos_remove(struct platform_device *pdev)
+ {
+       struct dwc3_exynos      *exynos = platform_get_drvdata(pdev);
+-      device_for_each_child(&pdev->dev, NULL, dwc3_exynos_remove_child);
++      of_platform_depopulate(&pdev->dev);
+       clk_disable_unprepare(exynos->axius_clk);
+       clk_disable_unprepare(exynos->susp_clk);
+-- 
+2.35.1
+
diff --git a/queue-4.19/usb-dwc3-exynos-remove-dead-code.patch b/queue-4.19/usb-dwc3-exynos-remove-dead-code.patch
new file mode 100644 (file)
index 0000000..f1c764d
--- /dev/null
@@ -0,0 +1,151 @@
+From 92d5cd3daef2a3366eac206d227805d63e6f1a5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Sep 2018 10:16:50 +0200
+Subject: usb: dwc3: exynos: Remove dead code
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 1e041b6f313aaa966612a7e415cfc09c90d6b829 ]
+
+All supported Exynos variants provide respective generic PHY framework
+based drivers for controlling USB PHYs, so there is no point
+creating fake USB PHYs based on platform devices. While removing useless
+code, remove calls to runtime PM, which have no effect.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Stable-dep-of: e0481e5b3cc1 ("usb: dwc3: exynos: Fix remove() function")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-exynos.c | 75 ----------------------------------
+ 1 file changed, 75 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-exynos.c b/drivers/usb/dwc3/dwc3-exynos.c
+index a94fb1ba8f2c..0a946c66c3bb 100644
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -13,15 +13,11 @@
+ #include <linux/slab.h>
+ #include <linux/platform_device.h>
+ #include <linux/clk.h>
+-#include <linux/usb/otg.h>
+-#include <linux/usb/usb_phy_generic.h>
+ #include <linux/of.h>
+ #include <linux/of_platform.h>
+ #include <linux/regulator/consumer.h>
+ struct dwc3_exynos {
+-      struct platform_device  *usb2_phy;
+-      struct platform_device  *usb3_phy;
+       struct device           *dev;
+       struct clk              *clk;
+@@ -32,61 +28,6 @@ struct dwc3_exynos {
+       struct regulator        *vdd10;
+ };
+-static int dwc3_exynos_register_phys(struct dwc3_exynos *exynos)
+-{
+-      struct usb_phy_generic_platform_data pdata;
+-      struct platform_device  *pdev;
+-      int                     ret;
+-
+-      memset(&pdata, 0x00, sizeof(pdata));
+-
+-      pdev = platform_device_alloc("usb_phy_generic", PLATFORM_DEVID_AUTO);
+-      if (!pdev)
+-              return -ENOMEM;
+-
+-      exynos->usb2_phy = pdev;
+-      pdata.type = USB_PHY_TYPE_USB2;
+-      pdata.gpio_reset = -1;
+-
+-      ret = platform_device_add_data(exynos->usb2_phy, &pdata, sizeof(pdata));
+-      if (ret)
+-              goto err1;
+-
+-      pdev = platform_device_alloc("usb_phy_generic", PLATFORM_DEVID_AUTO);
+-      if (!pdev) {
+-              ret = -ENOMEM;
+-              goto err1;
+-      }
+-
+-      exynos->usb3_phy = pdev;
+-      pdata.type = USB_PHY_TYPE_USB3;
+-
+-      ret = platform_device_add_data(exynos->usb3_phy, &pdata, sizeof(pdata));
+-      if (ret)
+-              goto err2;
+-
+-      ret = platform_device_add(exynos->usb2_phy);
+-      if (ret)
+-              goto err2;
+-
+-      ret = platform_device_add(exynos->usb3_phy);
+-      if (ret)
+-              goto err3;
+-
+-      return 0;
+-
+-err3:
+-      platform_device_del(exynos->usb2_phy);
+-
+-err2:
+-      platform_device_put(exynos->usb3_phy);
+-
+-err1:
+-      platform_device_put(exynos->usb2_phy);
+-
+-      return ret;
+-}
+-
+ static int dwc3_exynos_remove_child(struct device *dev, void *unused)
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+@@ -164,12 +105,6 @@ static int dwc3_exynos_probe(struct platform_device *pdev)
+               goto vdd10_err;
+       }
+-      ret = dwc3_exynos_register_phys(exynos);
+-      if (ret) {
+-              dev_err(dev, "couldn't register PHYs\n");
+-              goto phys_err;
+-      }
+-
+       if (node) {
+               ret = of_platform_populate(node, NULL, NULL, dev);
+               if (ret) {
+@@ -185,9 +120,6 @@ static int dwc3_exynos_probe(struct platform_device *pdev)
+       return 0;
+ populate_err:
+-      platform_device_unregister(exynos->usb2_phy);
+-      platform_device_unregister(exynos->usb3_phy);
+-phys_err:
+       regulator_disable(exynos->vdd10);
+ vdd10_err:
+       regulator_disable(exynos->vdd33);
+@@ -205,8 +137,6 @@ static int dwc3_exynos_remove(struct platform_device *pdev)
+       struct dwc3_exynos      *exynos = platform_get_drvdata(pdev);
+       device_for_each_child(&pdev->dev, NULL, dwc3_exynos_remove_child);
+-      platform_device_unregister(exynos->usb2_phy);
+-      platform_device_unregister(exynos->usb3_phy);
+       clk_disable_unprepare(exynos->axius_clk);
+       clk_disable_unprepare(exynos->susp_clk);
+@@ -258,11 +188,6 @@ static int dwc3_exynos_resume(struct device *dev)
+       clk_enable(exynos->clk);
+       clk_enable(exynos->axius_clk);
+-      /* runtime set active to reflect active state. */
+-      pm_runtime_disable(dev);
+-      pm_runtime_set_active(dev);
+-      pm_runtime_enable(dev);
+-
+       return 0;
+ }
+-- 
+2.35.1
+