Linux 5.4.261

 
ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Mon Oct 23 20:32:54 2023 +0200

    ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
    
    [ Upstream commit 48cf49d31994ff97b33c4044e618560ec84d35fb ]
    
    snprintf() does not return negative values on error.
    
    To know if the buffer was too small, the returned value needs to be
    compared with the length of the passed buffer. If it is greater or
    equal, the output has been truncated, so add checks for the truncation
    to create_pnp_modalias() and create_of_modalias(). Also make them
    return -ENOMEM in that case, as they already do that elsewhere.
    
    Moreover, the remaining size of the buffer used by snprintf() needs to
    be updated after the first write to avoid out-of-bounds access as
    already done correctly in create_pnp_modalias(), but not in
    create_of_modalias(), so change the latter accordingly.
    
    Fixes: 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    [ rjw: Merge two patches into one, combine changelogs, add subject ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
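
The truncation check and remaining-size bookkeeping described in the commit message above, as an added userspace example (not the kernel patch or the ACPI code). The function names, the prefix and ID strings, and the 16-byte declared size inside a 32-byte backing array are assumptions chosen so the overrun can be observed without undefined behaviour.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DECLARED 16  /* size the callee is told about (constructed value) */
#define BACKING  32  /* real allocation, keeps the overrun observable and defined */
#define PREFIX   "of:N"                      /* constructed sample input */
#define LONG_ID  "vendor,long-device-name"   /* constructed sample input */

/* Pre-fix pattern: only a negative return counts as failure, and the
 * second write is still given the full buffer size. Assumes the prefix
 * itself fits, as it does in this demonstration. */
int modalias_unchecked(char *buf, size_t size, const char *prefix,
                       const char *id)
{
    int len, count;

    len = snprintf(buf, size, "%s", prefix);
    if (len < 0)                 /* not true for a merely too-small buffer */
        return -EINVAL;
    count = snprintf(buf + len, size, ":%s", id);   /* size not reduced */
    if (count < 0)
        return -EINVAL;
    return len + count;          /* may exceed what was actually stored */
}

/* Corrected pattern: a return >= size means truncation, and the space
 * left shrinks after every write. */
int modalias_checked(char *buf, size_t size, const char *prefix,
                     const char *id)
{
    int len, count;

    len = snprintf(buf, size, "%s", prefix);
    if (len < 0 || (size_t)len >= size)
        return -ENOMEM;
    size -= (size_t)len;

    count = snprintf(buf + len, size, ":%s", id);
    if (count < 0 || (size_t)count >= size)
        return -ENOMEM;
    return len + count;
}

/* Runs one variant against a sentinel-filled backing array and counts
 * the bytes modified beyond the declared end of the buffer. */
int bytes_past_declared_end(int use_checked, int *ret)
{
    char backing[BACKING];
    int i, touched = 0;

    memset(backing, 0x55, sizeof(backing));
    *ret = use_checked
        ? modalias_checked(backing, DECLARED, PREFIX, LONG_ID)
        : modalias_unchecked(backing, DECLARED, PREFIX, LONG_ID);
    for (i = DECLARED; i < BACKING; i++)
        if (backing[i] != 0x55)
            touched++;
    return touched;
}

int main(void)
{
    int ret, n;

    n = bytes_past_declared_end(0, &ret);
    printf("unchecked: ret=%d, bytes written past the end=%d\n", ret, n);
    n = bytes_past_declared_end(1, &ret);
    printf("checked:   ret=%d, bytes written past the end=%d\n", ret, n);
    return 0;
}
```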

 
arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Sun Aug 27 01:19:11 2023 +0300

    arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
    
    [ Upstream commit b33868a52f342d9b1f20aa5bffe40cbd69bd0a4b ]
    
    Enable the host-cap-8bit quirk on this device. It is required for the
    WiFi to function properly.
    
    Fixes: 022bccb840b7 ("arm64: dts: sdm845: Add WCN3990 WLAN module device node")
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20230826221915.846937-2-dmitry.baryshkov@linaro.org
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ARM: 9321/1: memset: cast the constant byte to unsigned char
Author: Kursad Oney <kursad.oney@broadcom.com>
Date:   Tue Aug 22 15:06:06 2023 +0100

    ARM: 9321/1: memset: cast the constant byte to unsigned char
    
    [ Upstream commit c0e824661f443b8cab3897006c1bbc69fd0e7bc4 ]
    
    memset() description in ISO/IEC 9899:1999 (and elsewhere) says:
    
            The memset function copies the value of c (converted to an
            unsigned char) into each of the first n characters of the
            object pointed to by s.
    
    The kernel's arm32 memset does not cast c to unsigned char. This causes
    the following code to produce erroneous output:
    
            char a[128];
            memset(a, -128, sizeof(a));
    
    This is because gcc will generally emit the following code before
    it calls memset() :
    
            mov   r0, r7
            mvn   r1, #127        ; 0x7f
            bl    00000000 <memset>
    
    r1 ends up with 0xffffff80 before being used by memset() and the
    'a' array will have -128 once in every four bytes while the other
    bytes will be set incorrectly to -1 like this (printing the first
    8 bytes) :
    
            test_module: -128 -1 -1 -1
            test_module: -1 -1 -1 -128
    
    The change here is to 'and' r1 with 255 before it is used.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Kursad Oney <kursad.oney@broadcom.com>
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sun Sep 24 20:39:13 2023 +0200

    ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
    
    [ Upstream commit 09f8ee81b6da5f76de8b83c8bfc4475b54e101e0 ]
    
    Fixed regulator put under "regulators" node will not be populated,
    unless simple-bus or something similar is used.  Drop the "regulators"
    wrapper node to fix this.
    
    Fixes: 2c5e596524e7 ("ARM: dts: Add MDM9615 dtsi")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20230924183914.51414-3-krzysztof.kozlowski@linaro.org
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ASoC: ams-delta.c: use component after check
Author: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Date:   Fri Oct 27 00:09:56 2023 +0000

    ASoC: ams-delta.c: use component after check
    
    [ Upstream commit bd0f7498bc9084d8cccc5484cd004b40f314b763 ]
    
            static void cx81801_close()
            {
                    ...
    (A)             struct snd_soc_dapm_context *dapm = &component->card->dapm;
                    ...
    (B)             if (!component)
                            return;
            }
    
    (A) uses component before NULL check (B). This patch moves it after (B).
    
    Fixes: d0fdfe34080c ("ASoC: cx20442: replace codec to component")
    Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
    Closes: https://lore.kernel.org/r/3e608474-e99a-4866-ae98-3054a4221f09@moroto.mountain
    Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    Link: https://lore.kernel.org/r/87ttqdq623.wl-kuninori.morimoto.gx@renesas.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
Author: Cezary Rojewski <cezary.rojewski@intel.com>
Date:   Thu Oct 26 10:25:58 2023 +0200

    ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
    
    [ Upstream commit 168d97844a61db302dec76d44406e9d4d7106b8e ]
    
    Error path in snd_skl_parse_uuids() shall free last allocated module if
    its instance_id allocation fails.
    
    Fixes: f8e066521192 ("ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case")
    Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
    Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    Link: https://lore.kernel.org/r/20231026082558.1864910-1-amadeuszx.slawinski@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: use u64 for buffer sizes in the tree search ioctls
Author: Filipe Manana <fdmanana@suse.com>
Date:   Fri Oct 13 10:05:48 2023 +0100

    btrfs: use u64 for buffer sizes in the tree search ioctls
    
    [ Upstream commit dec96fc2dcb59723e041416b8dc53e011b4bfc2e ]
    
    In the tree search v2 ioctl we use the type size_t, which is an unsigned
    long, to track the buffer size in the local variable 'buf_size'. An
    unsigned long is 32 bits wide on a 32 bits architecture. The buffer size
    defined in struct btrfs_ioctl_search_args_v2 is a u64, so when we later
    try to copy the local variable 'buf_size' to the argument struct, when
    the search returns -EOVERFLOW, we copy only 32 bits which will be a
    problem on big endian systems.
    
    Fix this by using a u64 type for the buffer sizes, not only at
    btrfs_ioctl_tree_search_v2(), but also everywhere down the call chain
    so that we can use the u64 at btrfs_ioctl_tree_search_v2().
    
    Fixes: cc68a8a5a433 ("btrfs: new ioctl TREE_SEARCH_V2")
    Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
    Link: https://lore.kernel.org/linux-btrfs/ce6f4bd6-9453-4ffe-ba00-cee35495e10f@moroto.mountain/
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
can: dev: can_restart(): don't crash kernel if carrier is OK
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Thu Sep 28 21:58:23 2023 +0200

    can: dev: can_restart(): don't crash kernel if carrier is OK
    
    [ Upstream commit fe5c9940dfd8ba0c73672dddb30acd1b7a11d4c7 ]
    
    During testing, I triggered a can_restart() with the netif carrier
    being OK [1]. The BUG_ON, which checks if the carrier is OK, results
    in a fatal kernel crash. This is neither helpful for debugging nor for
    a production system.
    
    [1] The root cause is a race condition in can_restart() which will be
    fixed in the next patch.
    
    Do not crash the kernel, issue an error message instead, and continue
    restarting the CAN device anyway.
    
    Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
    Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-1-91b5c1fd922c@pengutronix.de
    Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Fri Sep 29 10:25:11 2023 +0200

    can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
    
    [ Upstream commit 6841cab8c4504835e4011689cbdb3351dec693fd ]
    
    This race condition was discovered while updating the at91_can driver
    to use can_bus_off(). The following scenario describes how the
    converted at91_can driver would behave.
    
    When a CAN device goes into BUS-OFF state, the driver usually
    stops/resets the CAN device and calls can_bus_off().
    
    This function sets the netif carrier to off, and (if configured by
    user space) schedules a delayed work that calls can_restart() to
    restart the CAN device.
    
    The can_restart() function first checks if the carrier is off and
    triggers an error message if the carrier is OK.
    
    Then it calls the driver's do_set_mode() function to restart the
    device, then it sets the netif carrier to on. There is a race window
    between these two calls.
    
    The at91 CAN controller (observed on the sama5d3, a single core 32 bit
    ARM CPU) has a hardware limitation. If the device goes into bus-off
    while sending a CAN frame, there is no way to abort the sending of
    this frame. After the controller is enabled again, another attempt is
    made to send it.
    
    If the bus is still faulty, the device immediately goes back to the
    bus-off state. The driver calls can_bus_off(), the netif carrier is
    switched off and another can_restart is scheduled. This occurs within
    the race window before the original can_restart() handler marks the
    netif carrier as OK. This would cause the 2nd can_restart() to be
    called with an OK netif carrier, resulting in an error message.
    
    The flow of the 1st can_restart() looks like this:
    
    can_restart()
        // bail out if netif_carrier is OK
    
        netif_carrier_ok(dev)
        priv->do_set_mode(dev, CAN_MODE_START)
            // enable CAN controller
            // sama5d3 restarts sending old message
    
            // CAN devices goes into BUS_OFF, triggers IRQ
    
    // IRQ handler start
        at91_irq()
            at91_irq_err_line()
                can_bus_off()
                    netif_carrier_off()
                    schedule_delayed_work()
    // IRQ handler end
    
        netif_carrier_on()
    
    The 2nd can_restart() will be called with an OK netif carrier and the
    error message will be printed.
    
    To close the race window, first set the netif carrier to on, then
    restart the controller. In case the restart fails with an error code,
    roll back the netif carrier to off.
    
    Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
    Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-2-91b5c1fd922c@pengutronix.de
    Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
chtls: fix tp->rcv_tstamp initialization
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 20 12:57:36 2023 +0000

    chtls: fix tp->rcv_tstamp initialization
    
    [ Upstream commit 225d9ddbacb102621af6d28ff7bf5a0b4ce249d8 ]
    
    tp->rcv_tstamp should be set to tcp_jiffies, not tcp_time_stamp().
    
    Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Ayush Sawal <ayush.sawal@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
clk: imx: Select MXC_CLK for CLK_IMX8QXP
Author: Abel Vesa <abel.vesa@linaro.org>
Date:   Thu Sep 21 12:23:54 2023 +0300

    clk: imx: Select MXC_CLK for CLK_IMX8QXP
    
    [ Upstream commit 317e69c49b4ceef8aebb47d771498ccb3571bdf9 ]
    
    If the i.MX8QXP clock provider is built-in but the MXC_CLK is
    built as module, build fails:
    
    aarch64-linux-ld: drivers/clk/imx/clk-imx8-acm.o: in function `imx8_acm_clk_probe':
    clk-imx8-acm.c:(.text+0x3d0): undefined reference to `imx_check_clk_hws'
    
    Fix that by selecting MXC_CLK in case of CLK_IMX8QXP.
    
    Fixes: c2cccb6d0b33 ("clk: imx: add imx8qxp clk driver")
    Closes: https://lore.kernel.org/all/8b77219e-b59e-40f1-96f1-980a0b2debcf@infradead.org/
    Reported-by: Randy Dunlap <rdunlap@infradead.org>
    Reviewed-by: Peng Fan <peng.fan@nxp.com>
    Acked-by: Randy Dunlap <rdunlap@infradead.org>
    Tested-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Thu Oct 5 17:01:57 2023 +0300

    clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
    
    [ Upstream commit a5d14f8b551eb1551c10053653ee8e27f19672fa ]
    
    The clk_register_divider() and clk_register_mux() functions return
    error pointers on error but this code checks for NULL.  Fix that.
    
    Fixes: b9e0d40c0d83 ("clk: keystone: add Keystone PLL clock driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Link: https://lore.kernel.org/r/d9da4c97-0da9-499f-9a21-1f8e3f148dc1@moroto.mountain
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Fri Sep 1 10:46:58 2023 +0800

    clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
    
    [ Upstream commit 0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3 ]
    
    Add the check for the return value of mtk_alloc_clk_data() in order to
    avoid NULL pointer dereference.
    
    Fixes: e9862118272a ("clk: mediatek: Add MT2701 clock support")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20230901024658.23405-1-jiasheng@iscas.ac.cn
    Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Tue Sep 12 17:34:04 2023 +0800

    clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
    
    [ Upstream commit 1f57f78fbacf630430bf954e5a84caafdfea30c0 ]
    
    Add the check for the return value of mtk_alloc_clk_data() in order to
    avoid NULL pointer dereference.
    
    Fixes: 710774e04861 ("clk: mediatek: Add MT6779 clock support")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20230912093407.21505-2-jiasheng@iscas.ac.cn
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Tue Sep 12 17:34:05 2023 +0800

    clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
    
    [ Upstream commit 606f6366a35a3329545e38129804d65ef26ed7d2 ]
    
    Add the check for the return value of mtk_alloc_clk_data() in order to
    avoid NULL pointer dereference.
    
    Fixes: 96596aa06628 ("clk: mediatek: add clk support for MT6797")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20230912093407.21505-3-jiasheng@iscas.ac.cn
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Tue Sep 12 17:34:06 2023 +0800

    clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
    
    [ Upstream commit 0884393c63cc9a1772f7121a6645ba7bd76feeb9 ]
    
    Add the check for the return value of mtk_alloc_clk_data() in order to
    avoid NULL pointer dereference.
    
    Fixes: 3b5e748615e7 ("clk: mediatek: add clock support for MT7629 SoC")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20230912093407.21505-4-jiasheng@iscas.ac.cn
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Tue Sep 12 17:34:07 2023 +0800

    clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
    
    [ Upstream commit 2befa515c1bb6cdd33c262b909d93d1973a219aa ]
    
    Add the check for the return value of mtk_alloc_clk_data() in order to
    avoid NULL pointer dereference.
    
    Fixes: 3b5e748615e7 ("clk: mediatek: add clock support for MT7629 SoC")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20230912093407.21505-5-jiasheng@iscas.ac.cn
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: npcm7xx: Fix incorrect kfree
Author: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Date:   Sat Sep 23 15:31:27 2023 +0200

    clk: npcm7xx: Fix incorrect kfree
    
    [ Upstream commit bbc5080bef4a245106aa8e8d424ba8847ca7c0ca ]
    
    The corresponding allocation is:
    
    > npcm7xx_clk_data = kzalloc(struct_size(npcm7xx_clk_data, hws,
    >                            NPCM7XX_NUM_CLOCKS), GFP_KERNEL);
    
    ... so, kfree should be applied to npcm7xx_clk_data, not
    npcm7xx_clk_data->hws.
    
    Fixes: fcfd14369856 ("clk: npcm7xx: add clock controller")
    Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    Link: https://lore.kernel.org/r/20230923133127.1815621-1-j.neuschaefer@gmx.net
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
Author: Devi Priya <quic_devipriy@quicinc.com>
Date:   Fri Sep 1 13:06:40 2023 +0530

    clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
    
    [ Upstream commit f7b7d30158cff246667273bd2a62fc93ee0725d2 ]
    
    If the parent clock rate is greater than unsigned long max/2 then
    integer overflow happens when calculating the clock rate on 32-bit systems.
    As RCG2 uses half integer dividers, the clock rate is first being
    multiplied by 2 which will overflow the unsigned long max value.
    Hence, replace the common pattern of doing 64-bit multiplication
    and then a do_div() call with simpler mult_frac call.
    
    Fixes: bcd61c0f535a ("clk: qcom: Add support for root clock generators (RCGs)")
    Signed-off-by: Devi Priya <quic_devipriy@quicinc.com>
    Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
    Link: https://lore.kernel.org/r/20230901073640.4973-1-quic_devipriy@quicinc.com
    [bjorn: Also drop unnecessary {} around single statements]
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
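
The overflow described in the commit message above, modelled in userspace as an added example (not the driver's code). `uint32_t` stands in for `unsigned long` on a 32-bit system, `mult_frac32()` is a hand-written equivalent of the kernel's `mult_frac()` macro, and the 3 GHz parent rate is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for unsigned long on a 32-bit system (assumption of this example). */
typedef uint32_t ulong32;

/* Pattern the message describes: with half-integer dividers the rate is
 * doubled first, then divided by (hid_div + 1). */
ulong32 rate_naive(ulong32 rate, uint32_t hid_div)
{
    if (hid_div) {
        rate *= 2;            /* wraps modulo 2^32 once rate > UINT32_MAX / 2 */
        rate /= hid_div + 1;
    }
    return rate;
}

/* Userspace equivalent of mult_frac(x, n, d): computes x * n / d from the
 * quotient and remainder of x / d, so the product x * n is never formed. */
ulong32 mult_frac32(ulong32 x, ulong32 n, ulong32 d)
{
    ulong32 q = x / d;
    ulong32 r = x % d;

    return q * n + (r * n) / d;
}

/* Same calculation routed through mult_frac32(). */
ulong32 rate_fixed(ulong32 rate, uint32_t hid_div)
{
    if (hid_div)
        rate = mult_frac32(rate, 2, hid_div + 1);
    return rate;
}

int main(void)
{
    /* Constructed input: 3 GHz parent, hid_div = 5, i.e. divide by 3. */
    ulong32 parent = 3000000000u;

    printf("naive: %u Hz\n", (unsigned)rate_naive(parent, 5));
    printf("fixed: %u Hz\n", (unsigned)rate_fixed(parent, 5));
    return 0;
}
```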

clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
Author: Danila Tikhonov <danila@jiaxyga.com>
Date:   Wed Sep 13 20:56:11 2023 +0300

    clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
    
    [ Upstream commit 7138c244fb293f24ce8ab782961022eff00a10c4 ]
    
    Set .flags = CLK_OPS_PARENT_ENABLE to fix "gcc_sdcc2_apps_clk_src: rcg
    didn't update its configuration" error.
    
    Fixes: 2a1d7eb854bb ("clk: qcom: gcc: Add global clock controller driver for SM8150")
    Tested-by: Arseniy Velikanov <adomerlee@gmail.com>
    Signed-off-by: Danila Tikhonov <danila@jiaxyga.com>
    Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Link: https://lore.kernel.org/r/20230913175612.8685-1-danila@jiaxyga.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: qcom: gcc-sm8150: use ARRAY_SIZE instead of specifying num_parents
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Tue Apr 6 01:47:41 2021 +0300

    clk: qcom: gcc-sm8150: use ARRAY_SIZE instead of specifying num_parents
    
    [ Upstream commit 60ca4670fd6436c07cea38472ebcee3b00f03bc7 ]
    
    Use ARRAY_SIZE() instead of manually specifying num_parents. This makes
    adding/removing entries to/from parent_data easy and error-proof.
    
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20210405224743.590029-32-dmitry.baryshkov@linaro.org
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Stable-dep-of: 7138c244fb29 ("clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
Author: Sudeep Holla <sudeep.holla@arm.com>
Date:   Wed Oct 4 20:36:00 2023 +0100

    clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
    
    [ Upstream commit 3537a75e73f3420614a358d0c8b390ea483cc87d ]
    
    Add the missing devm_kfree() when we skip the clocks with invalid or
    missing information from the firmware.
    
    Cc: Cristian Marussi <cristian.marussi@arm.com>
    Cc: Michael Turquette <mturquette@baylibre.com>
    Cc: Stephen Boyd <sboyd@kernel.org>
    Cc: linux-clk@vger.kernel.org
    Fixes: 6d6a1d82eaef ("clk: add support for clocks provided by SCMI")
    Link: https://lore.kernel.org/r/20231004193600.66232-1-sudeep.holla@arm.com
    Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
Author: Gaurav Jain <gaurav.jain@nxp.com>
Date:   Thu Sep 21 18:12:37 2023 +0530

    crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
    
    [ Upstream commit a8d3cdcc092fb2f2882acb6c20473a1be0ef4484 ]
    
    key buffer is not copied in chachapoly_setkey function,
    results in wrong output for encryption/decryption operation.
    
    fix this by memcpy the key in caam_ctx key array
    
    Fixes: d6bbd4eea243 ("crypto: caam/jr - add support for Chacha20 + Poly1305")
    Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
Author: Gaurav Jain <gaurav.jain@nxp.com>
Date:   Thu Sep 21 15:14:44 2023 +0530

    crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
    
    [ Upstream commit 7b8c6aee0d5b864e70c0da82583f9862e374eaf3 ]
    
    key buffer is not copied in chachapoly_setkey function,
    results in wrong output for encryption/decryption operation.
    
    fix this by memcpy the key in caam_ctx key array
    
    Fixes: c10a53367901 ("crypto: caam/qi2 - add support for Chacha20 + Poly1305")
    Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Mon Oct 30 13:10:42 2023 -0700

    dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
    
    [ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ]
    
    Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
    sockets") introduced security_inet_conn_request() in some functions
    where reqsk is allocated.  The hook is added just after the allocation,
    so reqsk's IPv6 remote address was not initialised then.
    
    However, SELinux/Smack started to read it in netlbl_req_setattr()
    after commit e1adea927080 ("calipso: Allow request sockets to be
    relabelled by the lsm.").
    
    Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
    hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
    not supported at that time.  Finally, the same issue was introduced again
    in IPv6.
    
    Let's apply the same fix on DCCPv6 and TCPv6.
    
    Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Mon Oct 30 13:10:41 2023 -0700

    dccp: Call security_inet_conn_request() after setting IPv4 addresses.
    
    [ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ]
    
    Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
    sockets") introduced security_inet_conn_request() in some functions
    where reqsk is allocated.  The hook is added just after the allocation,
    so reqsk's IPv4 remote address was not initialised then.
    
    However, SELinux/Smack started to read it in netlbl_req_setattr()
    after the cited commits.
    
    This bug was partially fixed by commit 284904aa7946 ("lsm: Relocate
    the IPv4 security_inet_conn_request() hooks").
    
    This patch fixes the last bug in DCCPv4.
    
    Fixes: 389fb800ac8b ("netlabel: Label incoming TCP connections correctly in SELinux")
    Fixes: 07feee8f812f ("netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat Oct 7 13:13:09 2023 +0200

    dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
    
    [ Upstream commit 83c761f568733277ce1f7eb9dc9e890649c29a8c ]
    
    If pxad_alloc_desc() fails on the first dma_pool_alloc() call, then
    sw_desc->nb_desc is zero.
    In such a case pxad_free_desc() is called and it will BUG_ON().
    
    Remove this erroneous BUG_ON().
    
    It is also useless, because if "sw_desc->nb_desc == 0", then, on the first
    iteration of the for loop, i is -1 and the loop will not be executed.
    (both i and sw_desc->nb_desc are 'int')
    
    Fixes: a57e16cf0333 ("dmaengine: pxa: add pxa dmaengine driver")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/c8fc5563c9593c914fde41f0f7d1489a21b45a9a.1696676782.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

dmaengine: ti: edma: handle irq_of_parse_and_map() errors
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Fri Sep 15 15:59:59 2023 +0300

    dmaengine: ti: edma: handle irq_of_parse_and_map() errors
    
    [ Upstream commit 14f6d317913f634920a640e9047aa2e66f5bdcb7 ]
    
    Zero is not a valid IRQ for in-kernel code and the irq_of_parse_and_map()
    function returns zero on error.  So this check for valid IRQs should only
    accept values > 0.
    
    Fixes: 2b6b3b742019 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
    Link: https://lore.kernel.org/r/f15cb6a7-8449-4f79-98b6-34072f04edbc@moroto.mountain
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/radeon: possible buffer overflow
Author: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Date:   Thu Aug 17 19:33:49 2023 +0800

    drm/radeon: possible buffer overflow
    
    [ Upstream commit dd05484f99d16715a88eedfca363828ef9a4c2d4 ]
    
    Buffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is
    checked after access.
    
    Fixes: 5cc4e5fc293b ("drm/radeon: Cleanup HDMI audio interrupt handling for evergreen")
    Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
    Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat Sep 2 19:34:31 2023 +0200

    drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
    
    [ Upstream commit 44b968d0d0868b7a9b7a5c64464ada464ff4d532 ]
    
    cdn_dp_audio_codec_init() can fail. So add some error handling.
    
    If component_add() fails, the previous cdn_dp_audio_codec_init() call
    should be undone, as already done in the remove function.
    
    Fixes: 88582f564692 ("drm/rockchip: cdn-dp: Don't unregister audio dev when unbinding")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/8494a41602fadb7439630921a9779640698f2f9f.1693676045.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/rockchip: vop: Fix call to crtc reset helper
Author: Jonas Karlman <jonas@kwiboo.se>
Date:   Wed Jun 21 22:33:20 2023 +0000

    drm/rockchip: vop: Fix call to crtc reset helper
    
    [ Upstream commit 5aacd290837828c089a83ac9795c74c4c9e2c923 ]
    
    Allocation of crtc_state may fail in vop_crtc_reset, causing an invalid
    pointer to be passed to __drm_atomic_helper_crtc_reset.
    
    Fix this by adding a NULL check of crtc_state, similar to other drivers.
    
    Fixes: 01e2eaf40c9d ("drm/rockchip: Convert to using __drm_atomic_helper_crtc_reset() for reset.")
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230621223311.2239547-4-jonas@kwiboo.se
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
Author: Jonas Karlman <jonas@kwiboo.se>
Date:   Wed Jun 21 22:33:17 2023 +0000

    drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
    
    [ Upstream commit 13fc28804bf10ca0b7bce3efbba95c534836d7ca ]
    
    struct rockchip_crtc_state members such as output_type, output_bpc and
    enable_afbc are always reset to zero in the atomic_duplicate_state crtc
    funcs.
    
    Fix this by using kmemdup on the subclass rockchip_crtc_state struct.
    
    Fixes: 4e257d9eee23 ("drm/rockchip: get rid of rockchip_drm_crtc_mode_config")
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230621223311.2239547-2-jonas@kwiboo.se
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
Author: Erik Kurzinger <ekurzinger@nvidia.com>
Date:   Wed Aug 16 09:26:05 2023 -0700

    drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
    
    [ Upstream commit 101c9f637efa1655f55876644d4439e552267527 ]
    
    If DRM_IOCTL_SYNCOBJ_TIMELINE_WAIT is invoked with the
    DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE flag set but no fence has yet been
    submitted for the given timeline point the call will fail immediately
    with EINVAL. This does not match the intended behavior where the call
    should wait until the fence has been submitted (or the timeout expires).
    
    The following small example program illustrates the issue. It should
    wait for 5 seconds and then print ETIME, but instead it terminates right
    away after printing EINVAL.
    
      #include <stdio.h>
      #include <fcntl.h>
      #include <time.h>
      #include <errno.h>
      #include <xf86drm.h>
      int main(void)
      {
          int fd = open("/dev/dri/card0", O_RDWR);
          uint32_t syncobj;
          drmSyncobjCreate(fd, 0, &syncobj);
          struct timespec ts;
          clock_gettime(CLOCK_MONOTONIC, &ts);
          uint64_t point = 1;
          if (drmSyncobjTimelineWait(fd, &syncobj, &point, 1,
                                     ts.tv_sec * 1000000000 + ts.tv_nsec + 5000000000, // 5s
                                     DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE, NULL)) {
              printf("drmSyncobjTimelineWait failed %d\n", errno);
          }
      }
    
    Fixes: 01d6c3578379 ("drm/syncobj: add support for timeline point wait v8")
    Signed-off-by: Erik Kurzinger <ekurzinger@nvidia.com>
    Reviewed by: Simon Ser <contact@emersion.fd>
    Signed-off-by: Simon Ser <contact@emersion.fr>
    Link: https://patchwork.freedesktop.org/patch/msgid/1fac96f1-2f3f-f9f9-4eb0-340f27a8f6c0@nvidia.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ext4: move 'ix' sanity check to corrent position
Author: Gou Hao <gouhao@uniontech.com>
Date:   Wed Sep 6 09:33:41 2023 +0800

    ext4: move 'ix' sanity check to corrent position
    
    [ Upstream commit af90a8f4a09ec4a3de20142e37f37205d4687f28 ]
    
    Check 'ix' before it is used.
    
    Fixes: 80e675f906db ("ext4: optimize memmmove lengths in extent/index insertions")
    Signed-off-by: Gou Hao <gouhao@uniontech.com>
    Link: https://lore.kernel.org/r/20230906013341.7199-1-gouhao@uniontech.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
Author: Chao Yu <chao@kernel.org>
Date:   Sat Oct 7 15:45:52 2023 +0800

    f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
    
    [ Upstream commit 8b07c1fb0f1ad139373c8253f2fad8bc43fab07d ]
    
    Otherwise, it may print random physical block address in tracepoint
    of f2fs_map_blocks() as below:
    
    f2fs_map_blocks: dev = (253,16), ino = 2297, file offset = 0, start blkaddr = 0xa356c421, len = 0x0, flags = 0
    
    Fixes: c4020b2da4c9 ("f2fs: support F2FS_IOC_PRECACHE_EXTENTS")
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fbdev: fsl-diu-fb: mark wr_reg_wa() static
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Nov 8 13:58:42 2023 +0100

    fbdev: fsl-diu-fb: mark wr_reg_wa() static
    
    [ Upstream commit a5035c81847430dfa3482807b07325f29e9e8c09 ]
    
    wr_reg_wa() is not an appropriate name for a global function, and doesn't need
    to be global anyway, so mark it static and avoid the warning:
    
    drivers/video/fbdev/fsl-diu-fb.c:493:6: error: no previous prototype for 'wr_reg_wa' [-Werror=missing-prototypes]
    
    Fixes: 0d9dab39fbbe ("powerpc/5121: fsl-diu-fb: fix issue with re-enabling DIU area descriptor")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fbdev: imsttfb: fix a resource leak in probe
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Fri Oct 27 15:05:44 2023 +0300

    fbdev: imsttfb: fix a resource leak in probe
    
    [ Upstream commit aba6ab57a910ad4b940c2024d15f2cdbf5b7f76b ]
    
    I've re-written the error handling but the bug is that if init_imstt()
    fails we need to call iounmap(par->cmap_regs).
    
    Fixes: c75f5a550610 ("fbdev: imsttfb: Fix use after free bug in imsttfb_probe")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fbdev: imsttfb: Fix error path of imsttfb_probe()
Author: Helge Deller <deller@gmx.de>
Date:   Sat May 27 11:37:29 2023 +0200

    fbdev: imsttfb: Fix error path of imsttfb_probe()
    
    [ Upstream commit 518ecb6a209f6ff678aeadf9f2bf870c0982ca85 ]
    
    Release resources when init_imstt() returns failure.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Stable-dep-of: aba6ab57a910 ("fbdev: imsttfb: fix a resource leak in probe")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
firmware: ti_sci: Mark driver as non removable
Author: Dhruva Gole <d-gole@ti.com>
Date:   Thu Sep 21 14:40:26 2023 +0530

    firmware: ti_sci: Mark driver as non removable
    
    [ Upstream commit 7b7a224b1ba1703583b25a3641ad9798f34d832a ]
    
    The TI-SCI message protocol provides a way to communicate between
    various compute processors with a central system controller entity. It
    provides the fundamental device management capability and clock control
    in the SOCs that it's used in.
    
    The remove function failed to do all the necessary cleanup if
    there are registered users. Some things are freed however which
    likely results in an oops later on.
    
    Ensure that the driver isn't unbound by suppressing its bind and unbind
    sysfs attributes. As the driver is built-in there is no way to remove
    device once bound.
    
    We can also remove the ti_sci_remove call along with the
    ti_sci_debugfs_destroy as there are no callers for it any longer.
    
    Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
    Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Closes: https://lore.kernel.org/linux-arm-kernel/20230216083908.mvmydic5lpi3ogo7@pengutronix.de/
    Suggested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Dhruva Gole <d-gole@ti.com>
    Link: https://lore.kernel.org/r/20230921091025.133130-1-d-gole@ti.com
    Signed-off-by: Nishanth Menon <nm@ti.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

firmware: ti_sci: Replace HTTP links with HTTPS ones
Author: Alexander A. Klimov <grandmaster@al2klimov.de>
Date:   Fri Jul 24 14:43:48 2020 -0700

    firmware: ti_sci: Replace HTTP links with HTTPS ones
    
    [ Upstream commit a6df49f4224324dd8588f6a0d9cff53cd61a196b ]
    
    Rationale:
    Reduces attack surface on kernel devs opening the links for MITM
    as HTTPS traffic is much harder to manipulate.
    
    Deterministic algorithm:
    For each file:
      If not .svg:
        For each line:
          If doesn't contain `\bxmlns\b`:
            For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
              If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
                If both the HTTP and HTTPS versions
                return 200 OK and serve the same content:
                  Replace HTTP with HTTPS.
    
    Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
    Acked-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
    Stable-dep-of: 7b7a224b1ba1 ("firmware: ti_sci: Mark driver as non removable")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Fix termination state for idr_for_each_entry_ul()
Author: NeilBrown <neilb@suse.de>
Date:   Tue Oct 24 09:53:33 2023 +1100

    Fix termination state for idr_for_each_entry_ul()
    
    [ Upstream commit e8ae8ad479e2d037daa33756e5e72850a7bd37a9 ]
    
    The comment for idr_for_each_entry_ul() states
    
      after normal termination @entry is left with the value NULL
    
    This is not correct in the case where UINT_MAX has an entry in the idr.
    In that case @entry will be non-NULL after termination.
    No current code depends on the documentation being correct, but to
    save future code we should fix it.
    
    Also fix idr_for_each_entry_continue_ul().  While this is not documented
    as leaving @entry as NULL, the mellanox driver appears to depend on
    it doing so.  So make that explicit in the documentation as well as in
    the code.
    
    Fixes: e33d2b74d805 ("idr: fix overflow case for idr_for_each_entry_ul()")
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: Chris Mi <chrism@mellanox.com>
    Cc: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
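The termination state described in the idr_for_each_entry_ul() commit above, as an added example that is not kernel code and not part of the commit. It assumes a toy sorted-array lookup in place of idr_get_next_ul() and an unsigned int cursor so the wrap past UINT_MAX reproduces on any host; the two loop shapes are this example's own model of the behaviour before and after the fix, and every toy_*, walk_* and sample_* name is hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for an idr: entries sorted by ascending id. */
struct toy_entry { unsigned int id; const char *name; };
struct toy_idr { const struct toy_entry *e; size_t n; };

/* Constructed sample data: the last entry sits at UINT_MAX. */
static const struct toy_entry sample_entries[] = {
	{ 3, "a" }, { 7, "b" }, { UINT_MAX, "c" },
};

/* Return the first entry with id >= *id and store its id in *id. */
static const struct toy_entry *toy_get_next(const struct toy_idr *idr,
					    unsigned int *id)
{
	size_t i;

	for (i = 0; i < idr->n; i++) {
		if (idr->e[i].id >= *id) {
			*id = idr->e[i].id;
			return &idr->e[i];
		}
	}
	return NULL;
}

/*
 * Model of the loop before the fix: the wrap guard (tmp <= id) stops the
 * loop, but entry is not touched on that exit, so it still points at the
 * UINT_MAX entry. Returns the value of entry after the loop.
 */
static const struct toy_entry *walk_stale_on_wrap(const struct toy_idr *idr,
						  size_t *visited)
{
	const struct toy_entry *entry = NULL;
	unsigned int tmp, id;

	*visited = 0;
	for (tmp = 0, id = 0;
	     tmp <= id && (entry = toy_get_next(idr, &id)) != NULL;
	     tmp = id, ++id)
		(*visited)++;
	return entry;
}

/*
 * Model of the loop after the fix: the guard is folded into the assignment,
 * so a wrap stores NULL in entry before the loop exits.
 */
static const struct toy_entry *walk_null_on_wrap(const struct toy_idr *idr,
						 size_t *visited)
{
	const struct toy_entry *entry = NULL;
	unsigned int tmp, id;

	*visited = 0;
	for (tmp = 0, id = 0;
	     (entry = tmp <= id ? toy_get_next(idr, &id) : NULL) != NULL;
	     tmp = id, ++id)
		(*visited)++;
	return entry;
}

int main(void)
{
	const struct toy_idr idr = { sample_entries, 3 };
	const struct toy_entry *left;
	size_t n;

	left = walk_stale_on_wrap(&idr, &n);
	printf("guard only:        visited=%zu entry=%s\n", n,
	       left ? left->name : "NULL");
	left = walk_null_on_wrap(&idr, &n);
	printf("guard in assign:   visited=%zu entry=%s\n", n,
	       left ? left->name : "NULL");
	return 0;
}
```

Both loops visit the same entries; only the value left in entry differs, which matters to any caller that tests entry after the loop to tell a full walk from an early break.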

 
genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
Author: Chen Yu <yu.c.chen@intel.com>
Date:   Fri Oct 20 15:25:22 2023 +0800

    genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
    
    [ Upstream commit a0b0bad10587ae2948a7c36ca4ffc206007fbcf3 ]
    
    When a CPU is about to be offlined, x86 validates that all active
    interrupts which are targeted to this CPU can be migrated to the remaining
    online CPUs. If not, the offline operation is aborted.
    
    The validation uses irq_matrix_allocated() to retrieve the number of
    vectors which are allocated on the outgoing CPU. The returned number of
    allocated vectors includes also vectors which are associated to managed
    interrupts.
    
    That's overaccounting because managed interrupts are:
    
      - not migrated when the affinity mask of the interrupt targets only
        the outgoing CPU
    
      - migrated to another CPU, but in that case the vector is already
        pre-allocated on the potential target CPUs and must not be taken into
        account.
    
    As a consequence the check whether the remaining online CPUs have enough
    capacity for migrating the allocated vectors from the outgoing CPU might
    fail incorrectly.
    
    Let irq_matrix_allocated() return only the number of allocated non-managed
    interrupts to make this validation check correct.
    
    [ tglx: Amend changelog and fixup kernel-doc comment ]
    
    Fixes: 2f75d9e1c905 ("genirq: Implement bitmap matrix allocator")
    Reported-by: Wendy Wang <wendy.wang@intel.com>
    Signed-off-by: Chen Yu <yu.c.chen@intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lore.kernel.org/r/20231020072522.557846-1-yu.c.chen@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hid: cp2112: Fix duplicate workqueue initialization
Author: Danny Kaehn <danny.kaehn@plexus.com>
Date:   Tue Sep 19 16:22:45 2023 -0500

    hid: cp2112: Fix duplicate workqueue initialization
    
    [ Upstream commit e3c2d2d144c082dd71596953193adf9891491f42 ]
    
    Previously the cp2112 driver called INIT_DELAYED_WORK within
    cp2112_gpio_irq_startup, resulting in duplicate initializations of the
    workqueue on subsequent IRQ startups following an initial request. This
    resulted in a warning in set_work_data in workqueue.c, as well as a rare
    NULL dereference within process_one_work in workqueue.c.
    
    Initialize the workqueue within _probe instead.
    
    Fixes: 13de9cca514e ("HID: cp2112: add IRQ chip handling")
    Signed-off-by: Danny Kaehn <danny.kaehn@plexus.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
HID: cp2112: Use irqchip template
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Wed Jul 22 09:56:32 2020 +0200

    HID: cp2112: Use irqchip template
    
    [ Upstream commit 6bfa31756ae905e23050ee10a3b4d3d435122c97 ]
    
    This makes the driver use the irqchip template to assign
    properties to the gpio_irq_chip instead of using the
    explicit calls to gpiochip_irqchip_add(). The irqchip is
    instead added while adding the gpiochip.
    
    Cc: Eudean Sun <eudean@arista.com>
    Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Cc: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Stable-dep-of: e3c2d2d144c0 ("hid: cp2112: Fix duplicate workqueue initialization")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hwmon: (coretemp) Fix potentially truncated sysfs attribute name
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Wed Oct 25 20:23:16 2023 +0800

    hwmon: (coretemp) Fix potentially truncated sysfs attribute name
    
    [ Upstream commit bbfff736d30e5283ad09e748caff979d75ddef7f ]
    
    When building with W=1 and "-Werror=format-truncation", below error is
    observed in coretemp driver,
    
       drivers/hwmon/coretemp.c: In function 'create_core_data':
    >> drivers/hwmon/coretemp.c:393:34: error: '%s' directive output may be truncated writing likely 5 or more bytes into a region of size between 3 and 13 [-Werror=format-truncation=]
         393 |                          "temp%d_%s", attr_no, suffixes[i]);
             |                                  ^~
       drivers/hwmon/coretemp.c:393:26: note: assuming directive output of 5 bytes
         393 |                          "temp%d_%s", attr_no, suffixes[i]);
             |                          ^~~~~~~~~~~
       drivers/hwmon/coretemp.c:392:17: note: 'snprintf' output 7 or more bytes (assuming 22) into a destination of size 19
         392 |                 snprintf(tdata->attr_name[i], CORETEMP_NAME_LENGTH,
             |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         393 |                          "temp%d_%s", attr_no, suffixes[i]);
             |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       cc1: all warnings being treated as errors
    
    Given that
    1. '%d' could take 10 characters,
    2. '%s' could take 10 characters ("crit_alarm"),
    3. "temp", "_" and the NULL terminator take 6 characters,
    fix the problem by increasing CORETEMP_NAME_LENGTH to 28.
    
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value")
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202310200443.iD3tUbbK-lkp@intel.com/
    Link: https://lore.kernel.org/r/20231025122316.836400-1-rui.zhang@intel.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
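The size arithmetic in the coretemp commit above, as an added example in userspace C that is not part of the commit or the driver. The format string, the "crit_alarm" suffix and the sizes 19 and 28 come from the commit message; the function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define OLD_NAME_LENGTH 19 /* destination size reported in the quoted warning */
#define NEW_NAME_LENGTH 28 /* size the commit message settles on */

/* Bytes needed for "temp<attr_no>_<suffix>", including the terminating NUL. */
static size_t attr_name_bytes(int attr_no, const char *suffix)
{
	int n = snprintf(NULL, 0, "temp%d_%s", attr_no, suffix);

	return n < 0 ? 0 : (size_t)n + 1;
}

/*
 * Format the name and report truncation. snprintf() returns the length the
 * full string would have had, so a return value >= size means it was cut.
 * Returns 0 on success, -1 if the name did not fit.
 */
static int format_attr_name(char *buf, size_t size, int attr_no,
			    const char *suffix)
{
	int n = snprintf(buf, size, "temp%d_%s", attr_no, suffix);

	return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/*
 * Smallest non-negative attr_no whose name no longer fits in size bytes,
 * or -1 if every value up to INT_MAX fits. Only the digit count matters,
 * so probing powers of ten is sufficient.
 */
static int first_truncated_attr_no(size_t size, const char *suffix)
{
	long long probe;

	if (attr_name_bytes(0, suffix) > size)
		return 0;
	for (probe = 10; probe <= INT_MAX; probe *= 10)
		if (attr_name_bytes((int)probe, suffix) > size)
			return (int)probe;
	return -1;
}

int main(void)
{
	char small[OLD_NAME_LENGTH];
	char big[NEW_NAME_LENGTH];

	printf("worst case needs %zu bytes\n",
	       attr_name_bytes(INT_MAX, "crit_alarm"));
	printf("first attr_no cut at %d bytes: %d\n", OLD_NAME_LENGTH,
	       first_truncated_attr_no(OLD_NAME_LENGTH, "crit_alarm"));

	if (format_attr_name(small, sizeof(small), 1000, "crit_alarm"))
		printf("truncated in %zu bytes: \"%s\"\n", sizeof(small), small);
	if (!format_attr_name(big, sizeof(big), INT_MAX, "crit_alarm"))
		printf("fits in %zu bytes: \"%s\"\n", sizeof(big), big);
	return 0;
}
```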

 
hwrng: geode - fix accessing registers
Author: Jonas Gorski <jonas.gorski@gmail.com>
Date:   Sun Sep 10 10:34:17 2023 +0200

    hwrng: geode - fix accessing registers
    
    [ Upstream commit 464bd8ec2f06707f3773676a1bd2c64832a3c805 ]
    
    When the membase and pci_dev pointer were moved to a new struct in priv,
    the actual membase users were left untouched, and they started reading
    out arbitrary memory behind the struct instead of registers. This
    unfortunately turned the RNG into a constant number generator, depending
    on the content of what was at that offset.
    
    To fix this, update geode_rng_data_{read,present}() to also get the
    membase via amd_geode_priv, and properly read from the right addresses
    again.
    
    Fixes: 9f6ec8dc574e ("hwrng: geode - Fix PCI device refcount leak")
    Reported-by: Timur I. Davletshin <timur.davletshin@gmail.com>
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217882
    Tested-by: Timur I. Davletshin <timur.davletshin@gmail.com>
    Suggested-by: Jo-Philipp Wich <jo@mein.io>
    Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
Author: Dinghao Liu <dinghao.liu@zju.edu.cn>
Date:   Thu Sep 21 16:24:10 2023 +0800

    i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
    
    [ Upstream commit cab63f64887616e3c4e31cfd8103320be6ebc8d3 ]
    
    put_device() needs to be called on failure of device_register()
    to give up the reference initialized in it to avoid refcount leak.
    
    Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
    Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
    Link: https://lore.kernel.org/r/20230921082410.25548-1-dinghao.liu@zju.edu.cn
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i40e: fix potential memory leaks in i40e_remove()
Author: Andrii Staikov <andrii.staikov@intel.com>
Date:   Fri Sep 8 14:42:01 2023 +0200

    i40e: fix potential memory leaks in i40e_remove()
    
    [ Upstream commit 5ca636d927a106780451d957734f02589b972e2b ]
    
    Instead of freeing memory of a single VSI, make sure
    the memory for all VSIs is cleared before releasing VSIs.
    Add releasing of their resources in a loop with the iteration
    number equal to the number of allocated VSIs.
    
    Fixes: 41c445ff0f48 ("i40e: main driver core")
    Signed-off-by: Andrii Staikov <andrii.staikov@intel.com>
    Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
inet: shrink struct flowi_common
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Oct 25 14:10:37 2023 +0000

    inet: shrink struct flowi_common
    
    [ Upstream commit 1726483b79a72e0150734d5367e4a0238bf8fcff ]
    
    I am looking at syzbot reports triggering kernel stack overflows
    involving a cascade of ipvlan devices.
    
    We can save 8 bytes in struct flowi_common.
    
    This patch alone will not fix the issue, but is a start.
    
    Fixes: 24ba14406c5c ("route: Add multipath_hash in flowi_common to make user-define hash")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: wenxu <wenxu@ucloud.cn>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://lore.kernel.org/r/20231025141037.3448203-1-edumazet@google.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Sun Oct 29 02:53:36 2023 +0000

    Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
    
    [ Upstream commit eb988e46da2e4eae89f5337e047ce372fe33d5b1 ]
    
    The put_device() calls rmi_release_function() which frees "fn" so the
    dereference on the next line "fn->num_of_irqs" is a use after free.
    Move the put_device() to the end to fix this.
    
    Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Link: https://lore.kernel.org/r/706efd36-7561-42f3-adfa-dd1d0bd4f5a1@moroto.mountain
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipv6: avoid atomic fragment on GSO packets
Author: Yan Zhai <yan@cloudflare.com>
Date:   Tue Oct 24 07:26:40 2023 -0700

    ipv6: avoid atomic fragment on GSO packets
    
    [ Upstream commit 03d6c848bfb406e9ef6d9846d759e97beaeea113 ]
    
    When the ipv6 stack outputs a GSO packet, if its gso_size is larger than
    dst MTU, then all segments would be fragmented. However, it is possible
    for a GSO packet to have a trailing segment with smaller actual size
    than both gso_size as well as the MTU, which leads to an "atomic
    fragment". Atomic fragments are considered harmful in RFC-8021. An
    existing report from APNIC also shows that atomic fragments are more
    likely to be dropped even though it is equivalent to a no-op [1].
    
    Add an extra check in the GSO slow output path. For each segment from
    the original over-sized packet, if it fits with the path MTU, then avoid
    generating an atomic fragment.
    
    Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1]
    Fixes: b210de4f8c97 ("net: ipv6: Validate GSO SKB before finish IPv6 processing")
    Reported-by: David Wragg <dwragg@cloudflare.com>
    Signed-off-by: Yan Zhai <yan@cloudflare.com>
    Link: https://lore.kernel.org/r/90912e3503a242dca0bc36958b11ed03a2696e5e.1698156966.git.yan@cloudflare.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipvlan: properly track tx_errors
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Oct 26 13:14:46 2023 +0000

    ipvlan: properly track tx_errors
    
    [ Upstream commit ff672b9ffeb3f82135488ac16c5c5eb4b992999b ]
    
    Both ipvlan_process_v4_outbound() and ipvlan_process_v6_outbound()
    increment dev->stats.tx_errors in case of errors.
    
    Unfortunately there are two issues :
    
    1) ipvlan_get_stats64() does not propagate dev->stats.tx_errors to user.
    
    2) Increments are not atomic. KCSAN would complain eventually.
    
    Use DEV_STATS_INC() to not miss an update, and change ipvlan_get_stats64()
    to copy the value back to user.
    
    Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Mahesh Bandewar <maheshb@google.com>
    Link: https://lore.kernel.org/r/20231026131446.3933175-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
leds: pwm: convert to atomic PWM API
Author: Uwe Kleine-König <uwe@kleine-koenig.org>
Date:   Fri Jan 24 17:54:08 2020 +0100

    leds: pwm: convert to atomic PWM API
    
    [ Upstream commit dd47a83453e4a5b0d6a91fe702b7fbc1984fb610 ]
    
    pwm_config(), pwm_enable() and pwm_disable() should get removed in the
    long run. So update the driver to use the atomic API that is here to
    stay.
    
    A few side effects:
    
     - led_pwm_set() now returns an error when setting the PWM fails.
     - During .probe() the PWM isn't disabled implicitly by pwm_apply_args()
       any more.
    
    Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
    Tested-by: Jeff LaBundy <jeff@labundy.com>
    Signed-off-by: Pavel Machek <pavel@ucw.cz>
    Stable-dep-of: 76fe464c8e64 ("leds: pwm: Don't disable the PWM when the LED should be off")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

leds: pwm: Don't disable the PWM when the LED should be off
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Fri Sep 22 21:28:34 2023 +0200

    leds: pwm: Don't disable the PWM when the LED should be off
    
    [ Upstream commit 76fe464c8e64e71b2e4af11edeef0e5d85eeb6aa ]
    
    Disabling a PWM (i.e. calling pwm_apply_state with .enabled = false)
    gives no guarantees what the PWM output does. It might freeze where it
    currently is, or go in a High-Z state or drive the active or inactive
    state, it might even continue to toggle.
    
    To ensure that the LED gets really disabled, don't disable the PWM even
    when .duty_cycle is zero.
    
    This fixes disabling a leds-pwm LED on i.MX28. The PWM on this SoC is
    one of those that freezes its output on disable, so if you disable an
    LED that is full on, it stays on. If you disable a LED with half
    brightness it goes off in 50% of the cases and full on in the other 50%.
    
    Fixes: 41c42ff5dbe2 ("leds: simple driver for pwm driven LEDs")
    Reported-by: Rogan Dawes <rogan@dawes.za.net>
    Reported-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Reviewed-by: Fabio Estevam <festevam@denx.de>
    Link: https://lore.kernel.org/r/20230922192834.1695727-1-u.kleine-koenig@pengutronix.de
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

leds: pwm: simplify if condition
Author: Uwe Kleine-König <uwe@kleine-koenig.org>
Date:   Fri Jan 24 17:54:07 2020 +0100

    leds: pwm: simplify if condition
    
    [ Upstream commit b43a8f01fccbfdddbc7f9b2bbad11b7db3fda4e1 ]
    
    .pwm_period_ns is an unsigned integer. So when led->pwm_period_ns > 0
    is false, we now assign 0 to a value that is already 0, so it doesn't
    hurt and we can skip checking the actual value.
    
    Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
    Tested-by: Jeff LaBundy <jeff@labundy.com>
    Signed-off-by: Pavel Machek <pavel@ucw.cz>
    Stable-dep-of: 76fe464c8e64 ("leds: pwm: Don't disable the PWM when the LED should be off")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat Sep 23 09:15:38 2023 +0200

    leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
    
    [ Upstream commit ff50f53276131a3059e8307d11293af388ed2bcd ]
    
    In order to teach the compiler that 'trig->name' will never be truncated,
    we need to tell it that 'cpu' is not negative.
    
    When building with W=1, this fixes the following warnings:
    
      drivers/leds/trigger/ledtrig-cpu.c: In function ‘ledtrig_cpu_init’:
      drivers/leds/trigger/ledtrig-cpu.c:155:56: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 5 [-Werror=format-truncation=]
        155 |                 snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu);
            |                                                        ^~
      drivers/leds/trigger/ledtrig-cpu.c:155:52: note: directive argument in the range [-2147483648, 7]
        155 |                 snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu);
            |                                                    ^~~~~~~
      drivers/leds/trigger/ledtrig-cpu.c:155:17: note: ‘snprintf’ output between 5 and 15 bytes into a destination of size 8
        155 |                 snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu);
            |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Fixes: 8f88731d052d ("led-triggers: create a trigger for CPU activity")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/3f4be7a99933cf8566e630da54f6ab913caac432.1695453322.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ledtrig-cpu: Limit to 8 CPUs
Author: Pavel Machek <pavel@ucw.cz>
Date:   Sat Sep 19 11:34:58 2020 +0200

    ledtrig-cpu: Limit to 8 CPUs
    
    [ Upstream commit abcc131292aa8c7de2c5f0ed76a717436c21de63 ]
    
    Some machines have thousands of CPUs... and trigger mechanisms were not
    really meant for thousands of triggers. I doubt anyone uses this
    trigger on a many-CPU machine; but if they do, they'll need to do it
    properly.
    
    Signed-off-by: Pavel Machek <pavel@ucw.cz>
    Stable-dep-of: ff50f5327613 ("leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value
Author: Chen Ni <nichen@iscas.ac.cn>
Date:   Thu Sep 14 07:03:27 2023 +0000

    libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value
    
    [ Upstream commit 6fd4ebfc4d61e3097b595ab2725d513e3bbd6739 ]
    
    Use devm_kstrdup() instead of kstrdup() and check its return value to
    avoid memory leak.
    
    Fixes: 49bddc73d15c ("libnvdimm/of_pmem: Provide a unique name for bus provider")
    Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
    Reviewed-by: Ira Weiny <ira.weiny@intel.com>
    Reviewed-by: Dave Jiang <dave.jiang@intel.com>
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 5.4.261
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon Nov 20 10:30:17 2023 +0100

    Linux 5.4.261
    
    Link: https://lore.kernel.org/r/20231115220132.607437515@linuxfoundation.org
    Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
llc: verify mac len before reading mac header
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Oct 25 19:42:38 2023 -0400

    llc: verify mac len before reading mac header
    
    [ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ]
    
    LLC reads the mac header with eth_hdr without verifying that the skb
    has an Ethernet header.
    
    Syzbot was able to enter llc_rcv on a tun device. Tun can insert
    packets without mac len and with user configurable skb->protocol
    (passing a tun_pi header when not configuring IFF_NO_PI).
    
        BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
        BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
        llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
        llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
        llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
        __netif_receive_skb_one_core net/core/dev.c:5523 [inline]
        __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
        netif_receive_skb_internal net/core/dev.c:5723 [inline]
        netif_receive_skb+0x58/0x660 net/core/dev.c:5782
        tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
        tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002
    
    Add a mac_len test before all three eth_hdr(skb) calls under net/llc.
    
    There are further uses in include/net/llc_pdu.h. All these are
    protected by a test skb->protocol == ETH_P_802_2. Which does not
    protect against this tun scenario.
    
    But the mac_len test added in this patch in llc_fixup_skb will
    indirectly protect those too. That is called from llc_rcv before any
    other LLC code.
    
    It is tempting to just add a blanket mac_len check in llc_rcv, but
    not sure whether that could break valid LLC paths that do not assume
    an Ethernet header. 802.2 LLC may be used on top of non-802.3
    protocols in principle. The below referenced commit shows that used
    to, on top of Token Ring.
    
    At least one of the three eth_hdr uses goes back to before the start
    of git history. But the one that syzbot exercises is introduced in
    this commit. That commit is old enough (2008), that effectively all
    stable kernels should receive this.
    
    Fixes: f83f1768f833 ("[LLC]: skb allocation size for responses")
    Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
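
The point of the llc commit above, that a test on skb->protocol does not prove an Ethernet header is present while a test on mac_len does, as an added userspace model (not kernel code and not part of the original commit). struct demo_skb, the POISON filler, the sample MAC address and the exact `mac_len < ETH_HLEN` comparison are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN    6
#define ETH_HLEN    14
#define ETH_P_802_2 0x0004  /* value from linux/if_ether.h */
#define POISON      0xAA    /* stands in for memory nobody initialised */

/* Hypothetical, cut-down stand-in for struct sk_buff. */
struct demo_skb {
    uint8_t  mac[ETH_HLEN]; /* the bytes eth_hdr() would point at */
    size_t   mac_len;       /* link-layer header bytes really present */
    uint16_t protocol;      /* on tun, chosen by the writer via tun_pi */
};

/* Constructed sample source address. */
static const uint8_t SRC_MAC[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };

enum result { REJECTED = -1, READ_REAL_MAC = 0, READ_STALE_BYTES = 1 };

/* from_tun != 0: packet injected without a mac header but with
 * protocol set to ETH_P_802_2, as in the scenario the commit describes.
 * from_tun == 0: frame that arrived with a real Ethernet header. */
static struct demo_skb make_skb(int from_tun)
{
    struct demo_skb skb;

    memset(skb.mac, POISON, sizeof(skb.mac));
    skb.protocol = ETH_P_802_2;
    skb.mac_len = 0;
    if (!from_tun) {
        memset(skb.mac, 0xff, ETH_ALEN);               /* h_dest */
        memcpy(skb.mac + ETH_ALEN, SRC_MAC, ETH_ALEN); /* h_source */
        skb.mac[12] = 0x00;                            /* 802.3 length */
        skb.mac[13] = 0x03;
        skb.mac_len = ETH_HLEN;
    }
    return skb;
}

/* Reads h_source to address a reply, guarded by one of the two tests. */
static enum result receive(const struct demo_skb *skb, int use_mac_len_test)
{
    uint8_t reply_dst[ETH_ALEN];

    if (use_mac_len_test) {
        if (skb->mac_len < ETH_HLEN)   /* no Ethernet header to read */
            return REJECTED;
    } else if (skb->protocol != ETH_P_802_2) {
        return REJECTED;               /* says nothing about the header */
    }

    memcpy(reply_dst, skb->mac + ETH_ALEN, ETH_ALEN);
    return memcmp(reply_dst, SRC_MAC, ETH_ALEN) == 0
        ? READ_REAL_MAC : READ_STALE_BYTES;
}

static enum result run_case(int from_tun, int use_mac_len_test)
{
    struct demo_skb skb = make_skb(from_tun);

    return receive(&skb, use_mac_len_test);
}

int main(void)
{
    printf("tun packet, protocol test only: %d\n", run_case(1, 0));
    printf("tun packet, mac_len test:       %d\n", run_case(1, 1));
    printf("eth frame,  protocol test only: %d\n", run_case(0, 0));
    printf("eth frame,  mac_len test:       %d\n", run_case(0, 1));
    return 0;
}
```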

 
media: bttv: fix use after free error due to btv->timeout timer [+ + +]
Author: Zheng Wang <zyytlz.wz@163.com>
Date:   Thu Apr 13 11:49:42 2023 +0800

    media: bttv: fix use after free error due to btv->timeout timer
    
    [ Upstream commit bd5b50b329e850d467e7bcc07b2b6bde3752fbda ]
    
    There may be a race condition between the timer function
    bttv_irq_timeout and bttv_remove. The timer is set up in
    probe and there is no timer_delete operation in the remove
    function. When it hits kfree btv, the function might still be
    invoked, which will cause a use-after-free bug.
    
    This bug was found by static analysis; it may be a false positive.
    
    Fix it by adding del_timer_sync invoking to the remove function.
    
    cpu0                cpu1
                      bttv_probe
                        ->timer_setup
                          ->bttv_set_dma
                            ->mod_timer;
    bttv_remove
      ->kfree(btv);
                      ->bttv_irq_timeout
                        ->USE btv
    
    Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()")
    Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dvb-usb-v2: af9035: fix missing unlock [+ + +]
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Fri Oct 6 12:08:45 2023 +0200

    media: dvb-usb-v2: af9035: fix missing unlock
    
    [ Upstream commit f31b2cb85f0ee165d78e1c43f6d69f82cc3b2145 ]
    
    Instead of returning an error, goto the mutex unlock at
    the end of the function.
    
    Fixes smatch warning:
    
    drivers/media/usb/dvb-usb-v2/af9035.c:467 af9035_i2c_master_xfer() warn: inconsistent returns '&d->i2c_mutex'.
      Locked on  : 326,387
      Unlocked on: 465,467
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Fixes: 7bf744f2de0a ("media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer")
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: s3c-camif: Avoid inappropriate kfree() [+ + +]
Author: Katya Orlova <e.orlova@ispras.ru>
Date:   Fri Sep 22 14:55:06 2023 +0300

    media: s3c-camif: Avoid inappropriate kfree()
    
    [ Upstream commit 61334819aca018c3416ee6c330a08a49c1524fc3 ]
    
    s3c_camif_register_video_node() works with video_device structure stored
    as a field of camif_vp, so it should not be kfreed.
    But there is video_device_release() on the error path that does it.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
    Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mfd: dln2: Fix double put in dln2_probe [+ + +]
Author: Dinghao Liu <dinghao.liu@zju.edu.cn>
Date:   Mon Sep 25 10:41:33 2023 +0800

    mfd: dln2: Fix double put in dln2_probe
    
    [ Upstream commit 759c409bc5fc496cbc22cd0b392d3cbb0c0e23eb ]
    
    The dln2_free() already contains usb_put_dev(). Therefore,
    the redundant usb_put_dev() before dln2_free() may lead to
    a double free.
    
    Fixes: 96da8f148396 ("mfd: dln2: Fix memory leak in dln2_probe()")
    Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
    Link: https://lore.kernel.org/r/20230925024134.9683-1-dinghao.liu@zju.edu.cn
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Wed Aug 23 11:50:20 2023 +0800

    misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
    
    [ Upstream commit 4d08c3d12b61022501989f9f071514d2d6f77c47 ]
    
    It is not allowed to call kfree_skb() from hardware interrupt
    context or with hardware interrupts being disabled.
    So replace kfree_skb() with dev_kfree_skb_irq() under
    spin_lock_irqsave(). Compile tested only.
    
    Fixes: 53618cc1e51e ("Staging: sources for ST core")
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Link: https://lore.kernel.org/r/20230823035020.1281892-1-ruanjinjie@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host [+ + +]
Author: Masahiro Yamada <masahiroy@kernel.org>
Date:   Sun Oct 8 02:04:44 2023 +0900

    modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host
    
    [ Upstream commit 7f54e00e5842663c2cea501bbbdfa572c94348a3 ]
    
    When MODULE_DEVICE_TABLE(tee, ) is built on a host with a different
    endianness from the target architecture, it results in an incorrect
    MODULE_ALIAS().
    
    For example, see a case where drivers/char/hw_random/optee-rng.c
    is built as a module for ARM little-endian.
    
    If you build it on a little-endian host, you will get the correct
    MODULE_ALIAS:
    
        $ grep MODULE_ALIAS drivers/char/hw_random/optee-rng.mod.c
        MODULE_ALIAS("tee:ab7a617c-b8e7-4d8f-8301-d09b61036b64*");
    
    However, if you build it on a big-endian host, you will get a wrong
    MODULE_ALIAS:
    
        $ grep MODULE_ALIAS drivers/char/hw_random/optee-rng.mod.c
        MODULE_ALIAS("tee:646b0361-9bd0-0183-8f4d-e7b87c617aab*");
    
    The same problem also occurs when you enable CONFIG_CPU_BIG_ENDIAN,
    and build it on a little-endian host.
    
    This issue has been unnoticed because the ARM kernel is configured for
    little-endian by default, and most likely built on a little-endian host
    (cross-build on x86 or native-build on ARM).
    
    The uuid field must not be reversed because uuid_t is an array of __u8.
    
    Fixes: 0fc1db9d1059 ("tee: add bus driver framework for TEE based devices")
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
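
Why the uuid field must not be swapped, as an added example (not modpost code and not part of the original commit): the two aliases quoted in the commit message are exact byte reversals of each other. Modelling the host/target endianness conversion as a reversal of the whole field is an assumption; the function names and the 32-bit sample value are constructed.

```c
#include <stdio.h>
#include <string.h>

#define UUID_SIZE 16

/* The UUID from the correct alias in the commit message, as raw bytes. */
static const unsigned char OPTEE_RNG_UUID[UUID_SIZE] = {
    0xab, 0x7a, 0x61, 0x7c, 0xb8, 0xe7, 0x4d, 0x8f,
    0x83, 0x01, 0xd0, 0x9b, 0x61, 0x03, 0x6b, 0x64,
};

/* Generic "convert to native endianness" step (assumed model): reverse
 * every byte of the object. Correct for a scalar, wrong for a __u8 array. */
static void swap_field(unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len / 2; i++) {
        unsigned char t = p[i];
        p[i] = p[len - 1 - i];
        p[len - 1 - i] = t;
    }
}

/* Print 16 bytes in index order, in the layout of the alias above. */
static void tee_alias(const unsigned char u[UUID_SIZE], char *out, size_t n)
{
    snprintf(out, n,
             "tee:%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
             "%02x%02x%02x%02x%02x%02x*",
             u[0], u[1], u[2], u[3], u[4], u[5], u[6], u[7],
             u[8], u[9], u[10], u[11], u[12], u[13], u[14], u[15]);
}

/* Alias generated when the uuid is (swap_uuid != 0) or is not run
 * through the endianness conversion; returns 1 if it equals expected. */
static int alias_matches(int swap_uuid, const char *expected)
{
    unsigned char u[UUID_SIZE];
    char alias[64];

    memcpy(u, OPTEE_RNG_UUID, UUID_SIZE);
    if (swap_uuid)
        swap_field(u, UUID_SIZE);
    tee_alias(u, alias, sizeof(alias));
    return strcmp(alias, expected) == 0;
}

/* Load four bytes the way a host of the given endianness would. */
static unsigned long load_u32(const unsigned char b[4], int host_big_endian)
{
    if (host_big_endian)
        return ((unsigned long)b[0] << 24) | ((unsigned long)b[1] << 16) |
               ((unsigned long)b[2] << 8) | (unsigned long)b[3];
    return ((unsigned long)b[3] << 24) | ((unsigned long)b[2] << 16) |
           ((unsigned long)b[1] << 8) | (unsigned long)b[0];
}

/* Contrast: a 32-bit scalar stored little-endian in the target object
 * does need the swap before a big-endian host reads it. */
static unsigned long scalar_on_be_host(int swap)
{
    unsigned char field[4] = { 0x78, 0x56, 0x34, 0x12 }; /* 0x12345678, constructed */

    if (swap)
        swap_field(field, sizeof(field));
    return load_u32(field, 1);
}

int main(void)
{
    printf("uuid left alone gives the correct alias: %d\n",
           alias_matches(0, "tee:ab7a617c-b8e7-4d8f-8301-d09b61036b64*"));
    printf("uuid swapped gives the wrong alias:      %d\n",
           alias_matches(1, "tee:646b0361-9bd0-0183-8f4d-e7b87c617aab*"));
    printf("scalar without swap: 0x%08lx, with swap: 0x%08lx\n",
           scalar_on_be_host(0), scalar_on_be_host(1));
    return 0;
}
```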

 
nd_btt: Make BTT lanes preemptible [+ + +]
Author: Tomas Glozar <tglozar@redhat.com>
Date:   Wed Sep 20 07:37:12 2023 +0200

    nd_btt: Make BTT lanes preemptible
    
    [ Upstream commit 36c75ce3bd299878fd9b238e9803d3817ddafbf3 ]
    
    nd_region_acquire_lane uses get_cpu, which disables preemption. This is
    an issue on PREEMPT_RT kernels, since btt_write_pg and also
    nd_region_acquire_lane itself take a spin lock, resulting in BUG:
    sleeping function called from invalid context.
    
    Fix the issue by replacing get_cpu with smp_process_id and
    migrate_disable when needed. This makes BTT operations preemptible, thus
    permitting the use of spin_lock.
    
    BUG example occurring when running ndctl tests on PREEMPT_RT kernel:
    
    BUG: sleeping function called from invalid context at
    kernel/locking/spinlock_rt.c:48
    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4903, name:
    libndctl
    preempt_count: 1, expected: 0
    RCU nest depth: 0, expected: 0
    Preemption disabled at:
    [<ffffffffc1313db5>] nd_region_acquire_lane+0x15/0x90 [libnvdimm]
    Call Trace:
     <TASK>
     dump_stack_lvl+0x8e/0xb0
     __might_resched+0x19b/0x250
     rt_spin_lock+0x4c/0x100
     ? btt_write_pg+0x2d7/0x500 [nd_btt]
     btt_write_pg+0x2d7/0x500 [nd_btt]
     ? local_clock_noinstr+0x9/0xc0
     btt_submit_bio+0x16d/0x270 [nd_btt]
     __submit_bio+0x48/0x80
     __submit_bio_noacct+0x7e/0x1e0
     submit_bio_wait+0x58/0xb0
     __blkdev_direct_IO_simple+0x107/0x240
     ? inode_set_ctime_current+0x51/0x110
     ? __pfx_submit_bio_wait_endio+0x10/0x10
     blkdev_write_iter+0x1d8/0x290
     vfs_write+0x237/0x330
     ...
     </TASK>
    
    Fixes: 5212e11fde4d ("nd_btt: atomic sector updates")
    Signed-off-by: Tomas Glozar <tglozar@redhat.com>
    Reviewed-by: Ira Weiny <ira.weiny@intel.com>
    Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT [+ + +]
Author: D. Wythe <alibuda@linux.alibaba.com>
Date:   Fri Nov 3 14:07:38 2023 +0800

    net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
    
    [ Upstream commit 5211c9729484c923f8d2e06bd29f9322cc42bb8f ]
    
    Considering scenario:
    
                                    smc_cdc_rx_handler
    __smc_release
                                    sock_set_flag
    smc_close_active()
    sock_set_flag
    
    __set_bit(DEAD)                 __set_bit(DONE)
    
    Due to __set_bit not being atomic, the DEAD or DONE might be lost.
    If the DEAD flag is lost, the state SMC_CLOSED will never be reached
    in smc_close_passive_work:
    
    if (sock_flag(sk, SOCK_DEAD) &&
            smc_close_sent_any_close(conn)) {
            sk->sk_state = SMC_CLOSED;
    } else {
            /* just shutdown, but not yet closed locally */
            sk->sk_state = SMC_APPFINCLOSEWAIT;
    }
    
    Replacing sock_set_flags or __set_bit with set_bit will fix this problem,
    since set_bit is atomic.
    
    Fixes: b38d732477e4 ("smc: socket closing and linkgroup cleanup")
    Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
    Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
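
The lost-flag race from the net/smc commit above, as an added example (a userspace model, not kernel code and not part of the original commit): every interleaving of two non-atomic "load, OR, store" sequences on one flags word is replayed and the schedules that drop a flag are counted, then the same two updates are done with an atomic OR. The flag bit values, the enum and all function names are constructed.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed bit values; the kernel's enum sock_flags numbering differs. */
#define FLAG_DEAD 0x1UL
#define FLAG_DONE 0x2UL

enum demo_state { DEMO_CLOSED, DEMO_APPFINCLOSEWAIT };

/* One CPU doing a non-atomic set bit: step 0 loads, step 1 ORs and stores. */
struct cpu {
    unsigned long bit;
    unsigned long tmp;
    int step;
};

static void run_step(struct cpu *c, unsigned long *word)
{
    if (c->step++ == 0)
        c->tmp = *word;
    else
        *word = c->tmp | c->bit;
}

/* Four time slots; bit i of mask set means slot i runs cpu0 (sets DEAD),
 * clear means cpu1 (sets DONE). Exactly two bits must be set. */
static unsigned long run_schedule(unsigned mask)
{
    unsigned long word = 0;
    struct cpu cpu0 = { FLAG_DEAD, 0, 0 };
    struct cpu cpu1 = { FLAG_DONE, 0, 0 };

    for (int slot = 0; slot < 4; slot++)
        run_step(((mask >> slot) & 1) ? &cpu0 : &cpu1, &word);
    return word;
}

static int two_bits_set(unsigned mask)
{
    int n = 0;

    for (; mask; mask >>= 1)
        n += mask & 1;
    return n == 2;
}

/* Number of the six possible schedules in which `flag` ends up missing. */
static int schedules_losing(unsigned long flag)
{
    int lost = 0;

    for (unsigned mask = 0; mask < 16; mask++)
        if (two_bits_set(mask) && !(run_schedule(mask) & flag))
            lost++;
    return lost;
}

/* Atomic OR is one indivisible step per CPU, so only the order varies. */
static unsigned long run_atomic(int dead_first)
{
    atomic_ulong word = 0;

    atomic_fetch_or(&word, dead_first ? FLAG_DEAD : FLAG_DONE);
    atomic_fetch_or(&word, dead_first ? FLAG_DONE : FLAG_DEAD);
    return atomic_load(&word);
}

/* Same decision as the snippet quoted in the commit message. */
static enum demo_state passive_close_state(unsigned long flags, int sent_close)
{
    if ((flags & FLAG_DEAD) && sent_close)
        return DEMO_CLOSED;
    return DEMO_APPFINCLOSEWAIT;
}

int main(void)
{
    printf("schedules losing DEAD: %d of 6\n", schedules_losing(FLAG_DEAD));
    printf("schedules losing DONE: %d of 6\n", schedules_losing(FLAG_DONE));
    /* mask 0x5: cpu0 load, cpu1 load, cpu0 store, cpu1 store */
    printf("state after racy schedule 0x5: %d\n",
           passive_close_state(run_schedule(0x5), 1));
    printf("state after atomic updates:    %d\n",
           passive_close_state(run_atomic(1), 1));
    return 0;
}
```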

 
net: add DEV_STATS_READ() helper [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Sep 21 08:52:16 2023 +0000

    net: add DEV_STATS_READ() helper
    
    [ Upstream commit 0b068c714ca9479d2783cc333fff5bc2d4a6d45c ]
    
    Companion of DEV_STATS_INC() & DEV_STATS_ADD().
    
    This is going to be used in the series.
    
    Use it in macsec_get_stats64().
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: ff672b9ffeb3 ("ipvlan: properly track tx_errors")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: r8169: Disable multicast filter for RTL8168H and RTL8107E [+ + +]
Author: Patrick Thompson <ptf@google.com>
Date:   Mon Oct 30 16:50:14 2023 -0400

    net: r8169: Disable multicast filter for RTL8168H and RTL8107E
    
    [ Upstream commit efa5f1311c4998e9e6317c52bc5ee93b3a0f36df ]
    
    RTL8168H and RTL8107E ethernet adapters erroneously filter unicast
    eapol packets unless allmulti is enabled. These devices correspond to
    RTL_GIGA_MAC_VER_46 and VER_48. Add an exception for VER_46 and VER_48
    in the same way that VER_35 has an exception.
    
    Fixes: 6e1d0b898818 ("r8169:add support for RTL8168H and RTL8107E")
    Signed-off-by: Patrick Thompson <ptf@google.com>
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
    Link: https://lore.kernel.org/r/20231030205031.177855-1-ptf@google.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs [+ + +]
Author: Furong Xu <0x1207@gmail.com>
Date:   Tue Oct 31 10:27:29 2023 +0800

    net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs
    
    [ Upstream commit db456d90a4c1b43b6251fa4348c8adc59b583274 ]
    
    From XGMAC Core 3.20 and later, each Flexible PPS has individual PPSEN bit
    to select Fixed mode or Flexible mode. The PPSEN must be set, or it stays
    in Fixed PPS mode by default.
    In XGMAC Core prior to 3.20, only PPSEN0 (bit 4) is writable. PPSEN{1,2,3} are
    read-only reserved, and they are already in Flexible mode by default; our
    new code always setting PPSEN{1,2,3} does not make things worse ;-)
    
    Fixes: 95eaf3cd0a90 ("net: stmmac: dwxgmac: Add Flexible PPS support")
    Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: Furong Xu <0x1207@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses [+ + +]
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Nov 8 13:18:53 2023 +0100

    netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
    
    [ Upstream commit 80abbe8a8263106fe45a4f293b92b5c74cc9cc8a ]
    
    The ipv6 redirect target was derived from the ipv4 one, i.e. it's
    identical to a 'dnat' with the first (primary) address assigned to the
    network interface.  The code has been moved around to make it usable
    from nf_tables too, but it's still the same as it was back when this
    was added in 2012.
    
    IPv6, however, has different types of addresses, if the 'wrong' address
    comes first the redirection does not work.
    
    In Daniel's case, the addresses are:
      inet6 ::ffff:192 ...
      inet6 2a01: ...
    
    ... so the function attempts to redirect to the mapped address.
    
    Add more checks before the address is deemed correct:
    1. If the packets' daddr is scoped, search for a scoped address too
    2. skip tentative addresses
    3. skip mapped addresses
    
    Use the first address that appears to match our needs.
    
    Reported-by: Daniel Huhardeaux <tech@tootai.net>
    Closes: https://lore.kernel.org/netfilter/71be06b8-6aa0-4cf9-9e0b-e2839b01b22f@tootai.net/
    Fixes: 115e23ac78f8 ("netfilter: ip6tables: add REDIRECT target")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs [+ + +]
Author: Jeremy Sowden <jeremy@azazel.net>
Date:   Wed Mar 15 21:48:01 2023 +0000

    netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs
    
    [ Upstream commit 6f56ad1b92328997e1b1792047099df6f8d7acb5 ]
    
    `nf_nat_redirect_ipv4` takes a `struct nf_nat_ipv4_multi_range_compat`,
    but converts it internally to a `struct nf_nat_range2`.  Change the
    function to take the latter, factor out the code now shared with
    `nf_nat_redirect_ipv6`, move the conversion to the xt_REDIRECT module,
    and update the ipv4 range initialization in the nft_redir module.
    
    Replace a bare hex constant for 127.0.0.1 with a macro.
    
    Remove `WARN_ON`.  `nf_nat_setup_info` calls `nf_ct_is_confirmed`:
    
            /* Can't setup nat info for confirmed ct. */
            if (nf_ct_is_confirmed(ct))
                    return NF_ACCEPT;
    
    This means that `ct` cannot be null or the kernel will crash, and
    implies that `ctinfo` is `IP_CT_NEW` or `IP_CT_RELATED`.
    
    nft_redir has separate ipv4 and ipv6 call-backs which share much of
    their code, and an inet one containing a switch that calls one of
    the others based on the family of the packet.  Merge the ipv4 and ipv6
    ones into the inet one in order to get rid of the duplicate code.
    
    Const-qualify the `priv` pointer since we don't need to write through
    it.
    
    Assign `priv->flags` to the range instead of OR-ing it in.
    
    Set the `NF_NAT_RANGE_PROTO_SPECIFIED` flag once during init, rather
    than on every eval.
    
    Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Stable-dep-of: 80abbe8a8263 ("netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: xt_recent: fix (increase) ipv6 literal buffer length [+ + +]
Author: Maciej Żenczykowski <zenczykowski@gmail.com>
Date:   Sun Nov 5 11:56:00 2023 -0800

    netfilter: xt_recent: fix (increase) ipv6 literal buffer length
    
    [ Upstream commit 7b308feb4fd2d1c06919445c65c8fbf8e9fd1781 ]
    
    in6_pton() supports 'low-32-bit dot-decimal representation'
    (this is useful with DNS64/NAT64 networks for example):
    
      # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT
      # cat /proc/self/net/xt_recent/DEFAULT
      src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829
    
    but the provided buffer is too short:
    
      # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT
      -bash: echo: write error: Invalid argument
    
    Fixes: 079aa88fe717 ("netfilter: xt_recent: IPv6 support")
    Signed-off-by: Maciej Żenczykowski <zenczykowski@gmail.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
pcmcia: cs: fix possible hung task and memory leak pccardd() [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Sat Nov 12 17:25:41 2022 +0800

    pcmcia: cs: fix possible hung task and memory leak pccardd()
    
    [ Upstream commit e3ea1b4847e49234e691c0d66bf030bd65bb7f2b ]
    
    If device_register() returns an error in pccardd(), it leads to two issues:
    
    1. The socket_released has never been completed, it will block
       pcmcia_unregister_socket(), because of waiting for completion
       of socket_released.
    2. The device name allocated by dev_set_name() is leaked.
    
    Fix these two issues by calling put_device() when device_register() fails.
    socket_released can be completed in pcmcia_release_socket(), the name can
    be freed in kobject_cleanup().
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Sat Nov 12 17:29:24 2022 +0800

    pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
    
    [ Upstream commit 99e1241049a92dd3e9a90a0f91e32ce390133278 ]
    
    After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
    bus_id string array"), the name of device is allocated dynamically.
    Therefore, it needs to be freed, which is done by the driver core for
    us once all references to the device are gone. Therefore, move the
    dev_set_name() call immediately before the call device_register(), which
    either succeeds (then the freeing will be done upon subsequent removal),
    or puts the reference in the error call. Also, it is not unusual that the
    return value of dev_set_name is not checked.
    
    Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    [linux@dominikbrodowski.net: simplification, commit message modified]
    Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pcmcia: ds: fix refcount leak in pcmcia_device_add() [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Sat Nov 12 17:29:23 2022 +0800

    pcmcia: ds: fix refcount leak in pcmcia_device_add()
    
    [ Upstream commit 402ab979b29126068e0b596b641422ff7490214c ]
    
    As the comment of device_register() says, it should use put_device()
    to give up the reference in the error path. Then, insofar resources
    will be freed in pcmcia_release_dev(), the error path is no longer
    needed. In particular, this means that the (previously missing) dropping
    of the reference to &p_dev->function_config->ref is now handled by
    pcmcia_release_dev().
    
    Fixes: 360b65b95bae ("[PATCH] pcmcia: make config_t independent, add reference counting")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    [linux@dominikbrodowski.net: simplification, commit message rewrite]
    Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
platform/x86: wmi: Fix opening of char device [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Fri Oct 20 23:10:04 2023 +0200

    platform/x86: wmi: Fix opening of char device
    
    [ Upstream commit eba9ac7abab91c8f6d351460239108bef5e7a0b6 ]
    
    Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via
    file private data"), the miscdevice stores a pointer to itself inside
    filp->private_data, which means that private_data will not be NULL when
    wmi_char_open() is called. This might cause memory corruption should
    wmi_char_open() be unable to find its driver, something which can
    happen when the associated WMI device is deleted in wmi_free_devices().
    
    Fix the problem by using the miscdevice pointer to retrieve the WMI
    device data associated with a char device using container_of(). This
    also avoids wmi_char_open() picking a wrong WMI device bound to a
    driver with the same name as the original driver.
    
    Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers")
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Link: https://lore.kernel.org/r/20231020211005.38216-5-W_Armin@gmx.de
    Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

platform/x86: wmi: Fix probe failure when failing to register WMI devices [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Fri Oct 20 23:10:03 2023 +0200

    platform/x86: wmi: Fix probe failure when failing to register WMI devices
    
    [ Upstream commit ed85891a276edaf7a867de0e9acd0837bc3008f2 ]
    
    When a WMI device besides the first one somehow fails to register,
    retval is returned while still containing a negative error code. This
    causes the ACPI device to fail to probe, leaving behind zombie WMI devices
    leading to various errors later.
    
    Handle the single error path separately and return 0 unconditionally
    after trying to register all WMI devices to solve the issue. Also
    continue to register WMI devices even if some fail to allocate memory.
    
    Fixes: 6ee50aaa9a20 ("platform/x86: wmi: Instantiate all devices before adding them")
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Link: https://lore.kernel.org/r/20231020211005.38216-4-W_Armin@gmx.de
    Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

platform/x86: wmi: remove unnecessary initializations [+ + +]
Author: Barnabás Pőcze <pobrn@protonmail.com>
Date:   Sat Sep 4 17:55:10 2021 +0000

    platform/x86: wmi: remove unnecessary initializations
    
    [ Upstream commit 43aacf838ef7384d985ef5385ecb0124f8c70007 ]
    
    Some pointers are initialized when they are defined,
    but they are almost immediately reassigned in the
    following lines. Remove these superfluous assignments.
    
    Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
    Link: https://lore.kernel.org/r/20210904175450.156801-6-pobrn@protonmail.com
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Stable-dep-of: eba9ac7abab9 ("platform/x86: wmi: Fix opening of char device")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/imc-pmu: Use the correct spinlock initializer. [+ + +]
Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date:   Thu Mar 9 14:48:31 2023 +0100

    powerpc/imc-pmu: Use the correct spinlock initializer.
    
    [ Upstream commit 007240d59c11f87ac4f6cfc6a1d116630b6b634c ]
    
    The macro __SPIN_LOCK_INITIALIZER() is implementation specific. Users
    that desire to initialize a spinlock in a struct must use
    __SPIN_LOCK_UNLOCKED().
    
    Use __SPIN_LOCK_UNLOCKED() for the spinlock_t in imc_global_refc.
    
    Fixes: 76d588dddc459 ("powerpc/imc-pmu: Fix use of mutex in IRQs disabled section")
    Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20230309134831.Nz12nqsU@linutronix.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/pseries: fix potential memory leak in init_cpu_associativity() [+ + +]
Author: Wang Yufen <wangyufen@huawei.com>
Date:   Wed Dec 14 15:46:23 2022 +0800

    powerpc/pseries: fix potential memory leak in init_cpu_associativity()
    
    [ Upstream commit 95f1a128cd728a7257d78e868f1f5a145fc43736 ]
    
    If the vcpu_associativity alloc memory successfully but the
    pcpu_associativity fails to alloc memory, the vcpu_associativity
    memory leaks.
    
    Fixes: d62c8deeb6e6 ("powerpc/pseries: Provide vcpu dispatch statistics")
    Signed-off-by: Wang Yufen <wangyufen@huawei.com>
    Reviewed-by: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/1671003983-10794-1-git-send-email-wangyufen@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/xive: Fix endian conversion size [+ + +]
Author: Benjamin Gray <bgray@linux.ibm.com>
Date:   Wed Oct 11 16:37:00 2023 +1100

    powerpc/xive: Fix endian conversion size
    
    [ Upstream commit ff7a60ab1e065257a0e467c13b519f4debcd7fcf ]
    
    Sparse reports a size mismatch in the endian swap. The Opal
    implementation[1] passes the value as a __be64, and the receiving
    variable out_qsize is a u64, so the use of be32_to_cpu() appears to be
    an error.
    
    [1]: https://github.com/open-power/skiboot/blob/80e2b1dc73/hw/xive.c#L3854
    
    Fixes: 88ec6b93c8e7 ("powerpc/xive: add OPAL extensions for the XIVE native exploitation support")
    Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20231011053711.93427-2-bgray@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume [+ + +]
Author: Florian Fainelli <florian.fainelli@broadcom.com>
Date:   Wed Oct 4 10:54:14 2023 -0700

    pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
    
    [ Upstream commit e9bc4411548aaa738905d37851a0146c16b3bb21 ]
    
    The suspend/resume functions currently utilize
    clk_disable()/clk_enable() respectively which may be no-ops with certain
    clock providers such as SCMI. Fix this to use clk_disable_unprepare()
    and clk_prepare_enable() respectively as we should.
    
    Fixes: 3a9f5957020f ("pwm: Add Broadcom BCM7038 PWM controller support")
    Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pwm: sti: Avoid conditional gotos [+ + +]
Author: Thierry Reding <thierry.reding@gmail.com>
Date:   Wed Nov 11 19:24:29 2020 +0100

    pwm: sti: Avoid conditional gotos
    
    [ Upstream commit fd3ae02bb66f091e55f363d32eca7b4039977bf5 ]
    
    Using gotos for conditional code complicates this code significantly.
    Convert the code to simple conditional blocks to increase readability.
    
    Suggested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Acked-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
    Stable-dep-of: 2d6812b41e0d ("pwm: sti: Reduce number of allocations and drop usage of chip_data")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pwm: sti: Reduce number of allocations and drop usage of chip_data [+ + +]
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Wed Jul 5 10:06:48 2023 +0200

    pwm: sti: Reduce number of allocations and drop usage of chip_data
    
    [ Upstream commit 2d6812b41e0d832919d72c72ebddf361df53ba1b ]
    
    Instead of using one allocation per capture channel, use a single one. Also
    store it in driver data instead of chip data.
    
    This has several advantages:
    
     - driver data isn't cleared when pwm_put() is called
     - Reduces memory fragmentation
    
    Also register the pwm chip only after the per capture channel data is
    initialized as the capture callback relies on this initialization and it
    might be called even before pwmchip_add() returns.
    
    It would be still better to have struct sti_pwm_compat_data and the
    per-channel data struct sti_cpt_ddata in a single memory chunk, but that's
    not easily possible because the number of capture channels isn't known yet
    when the driver data struct is allocated.
    
    Fixes: e926b12c611c ("pwm: Clear chip_data in pwm_put()")
    Reported-by: George Stark <gnstark@sberdevices.ru>
    Fixes: c97267ae831d ("pwm: sti: Add PWM capture callback")
    Link: https://lore.kernel.org/r/20230705080650.2353391-7-u.kleine-koenig@pengutronix.de
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
r8169: fix rare issue with broken rx after link-down on RTL8125 [+ + +]
Author: Heiner Kallweit <hkallweit1@gmail.com>
Date:   Thu Oct 12 08:51:13 2023 +0200

    r8169: fix rare issue with broken rx after link-down on RTL8125
    
    [ Upstream commit 621735f590643e3048ca2060c285b80551660601 ]
    
    In very rare cases (I've seen two reports so far about different
    RTL8125 chip versions) it seems the MAC locks up when link goes down
    and requires a software reset to get revived.
    Realtek doesn't publish hw errata information, therefore the root cause
    is unknown. Realtek vendor drivers do a full hw re-initialization on
    each link-up event, the slimmed-down variant here was reported to fix
    the issue for the reporting user.
    It's not fully clear which parts of the NIC are reset as part of the
    software reset, therefore I can't rule out side effects.
    
    Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125")
    Reported-by: Martin Kjær Jørgensen <me@lagy.org>
    Link: https://lore.kernel.org/netdev/97ec2232-3257-316c-c3e7-a08192ce16a6@gmail.com/T/
    Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
    Link: https://lore.kernel.org/r/9edde757-9c3b-4730-be3b-0ef3a374ff71@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

r8169: respect userspace disabling IFF_MULTICAST [+ + +]
Author: Heiner Kallweit <hkallweit1@gmail.com>
Date:   Sun Nov 5 23:43:36 2023 +0100

    r8169: respect userspace disabling IFF_MULTICAST
    
    [ Upstream commit 8999ce4cfc87e61b4143ec2e7b93d8e92e11fa7f ]
    
    So far we ignore the setting of IFF_MULTICAST. Fix this and clear bit
    AcceptMulticast if IFF_MULTICAST isn't set.
    
    Note: Based on the implementations I've seen it doesn't seem to be 100% clear
    what a driver is supposed to do if IFF_ALLMULTI is set but IFF_MULTICAST
    is not. This patch is based on the understanding that IFF_MULTICAST has
    precedence.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
    Link: https://lore.kernel.org/r/4a57ba02-d52d-4369-9f14-3565e6c1f7dc@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

r8169: use tp_to_dev instead of open code [+ + +]
Author: Juhee Kang <claudiajkang@gmail.com>
Date:   Wed Nov 30 01:12:44 2022 +0900

    r8169: use tp_to_dev instead of open code
    
    [ Upstream commit 4b6c6065fca123d419afef005a696f51e6590470 ]
    
    The open code is defined as a helper function (tp_to_dev) in r8169_main.c,
    where the open code is &tp->pci_dev->dev. The helper function was added
    in commit 1e1205b7d3e9 ("r8169: add helper tp_to_dev"). And then later,
    commit f1e911d5d0df ("r8169: add basic phylib support") added
    r8169_phylink_handler function but it didn't use the helper function.
    Thus, tp_to_dev() replaces the open code. This patch doesn't change logic.
    
    Signed-off-by: Juhee Kang <claudiajkang@gmail.com>
    Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
    Link: https://lore.kernel.org/r/20221129161244.5356-1-claudiajkang@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Stable-dep-of: 621735f59064 ("r8169: fix rare issue with broken rx after link-down on RTL8125")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/hfi1: Workaround truncation compilation error [+ + +]
Author: Leon Romanovsky <leon@kernel.org>
Date:   Tue Oct 24 18:07:31 2023 +0300

    RDMA/hfi1: Workaround truncation compilation error
    
    [ Upstream commit d4b2d165714c0ce8777d5131f6e0aad617b7adc4 ]
    
    Increase name array to be large enough to overcome the following
    compilation error.
    
    drivers/infiniband/hw/hfi1/efivar.c: In function ‘read_hfi1_efi_var’:
    drivers/infiniband/hw/hfi1/efivar.c:124:44: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
      124 |         snprintf(name, sizeof(name), "%s-%s", prefix_name, kind);
          |                                            ^
    drivers/infiniband/hw/hfi1/efivar.c:124:9: note: ‘snprintf’ output 2 or more bytes (assuming 65) into a destination of size 64
      124 |         snprintf(name, sizeof(name), "%s-%s", prefix_name, kind);
          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/infiniband/hw/hfi1/efivar.c:133:52: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
      133 |                 snprintf(name, sizeof(name), "%s-%s", prefix_name, kind);
          |                                                    ^
    drivers/infiniband/hw/hfi1/efivar.c:133:17: note: ‘snprintf’ output 2 or more bytes (assuming 65) into a destination of size 64
      133 |                 snprintf(name, sizeof(name), "%s-%s", prefix_name, kind);
          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    cc1: all warnings being treated as errors
    make[6]: *** [scripts/Makefile.build:243: drivers/infiniband/hw/hfi1/efivar.o] Error 1
    
    Fixes: c03c08d50b3d ("IB/hfi1: Check upper-case EFI variables")
    Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
    Link: https://lore.kernel.org/r/238fa39a8fd60e87a5ad7e1ca6584fcdf32e9519.1698159993.git.leonro@nvidia.com
    Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
regmap: debugfs: Fix a erroneous check after snprintf() [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Mon Sep 4 22:04:06 2023 +0200

    regmap: debugfs: Fix a erroneous check after snprintf()
    
    [ Upstream commit d3601857e14de6369f00ae19564f1d817d175d19 ]
    
    This error handling looks really strange.
    Check if the string has been truncated instead.
    
    Fixes: f0c2319f9f19 ("regmap: Expose the driver name in debugfs")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/8595de2462c490561f70020a6d11f4d6b652b468.1693857825.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

regmap: prevent noinc writes from clobbering cache [+ + +]
Author: Ben Wolsieffer <ben.wolsieffer@hefring.com>
Date:   Wed Nov 1 10:29:27 2023 -0400

    regmap: prevent noinc writes from clobbering cache
    
    [ Upstream commit 984a4afdc87a1fc226fd657b1cd8255c13d3fc1a ]
    
    Currently, noinc writes are cached as if they were standard incrementing
    writes, overwriting unrelated register values in the cache. Instead, we
    want to cache the last value written to the register, as is done in the
    accelerated noinc handler (regmap_noinc_readwrite).
    
    Fixes: cdf6b11daa77 ("regmap: Add regmap_noinc_write API")
    Signed-off-by: Ben Wolsieffer <ben.wolsieffer@hefring.com>
    Link: https://lore.kernel.org/r/20231101142926.2722603-2-ben.wolsieffer@hefring.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Revert "mmc: core: Capture correct oemid-bits for eMMC cards" [+ + +]
Author: Dominique Martinet <dominique.martinet@atmark-techno.com>
Date:   Fri Nov 3 09:42:20 2023 +0900

    Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
    
    commit 421b605edb1ce611dee06cf6fd9a1c1f2fd85ad0 upstream.
    
    This reverts commit 84ee19bffc9306128cd0f1c650e89767079efeff.
    
    The commit above made quirks with an OEMID fail to be applied, as they
    were checking card->cid.oemid for the full 16 bits defined in MMC_FIXUP
    macros but the field would only contain the bottom 8 bits.
    
    eMMC v5.1A might have bogus values in OEMID's higher bits so another fix
    will be made, but it has been decided to revert this until that is ready.
    
    Fixes: 84ee19bffc93 ("mmc: core: Capture correct oemid-bits for eMMC cards")
    Link: https://lkml.kernel.org/r/ZToJsSLHr8RnuTHz@codewreck.org
    Link: https://lkml.kernel.org/r/CAPDyKFqkKibcXnwjnhc3+W1iJBHLeqQ9BpcZrSwhW2u9K2oUtg@mail.gmail.com
    Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
    Cc: stable@vger.kernel.org
    Cc: Alex Fetters <Alex.Fetters@garmin.com>
    Reviewed-by: Avri Altman <avri.altman@wdc.com>
    Link: https://lore.kernel.org/r/20231103004220.1666641-1-asmadeus@codewreck.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call [+ + +]
Author: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Date:   Fri Oct 13 16:34:21 2023 +0200

    rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call
    
    [ Upstream commit 2be36c09b6b07306be33519e1aa70d2e2a2161bb ]
    
    The current implementation passes PIN_IO_INTA_OUT (2) as a mask and
    PIN_IO_INTAPM (GENMASK(1, 0)) as a value.
    Swap the variables to assign mask and value the right way.
    
    This error was first introduced with the alarm support. For better or
    worse it worked as expected because 0x02 was applied as a mask to 0x03,
    resulting in 0x02 anyway. This will of course not work for any other value.
    
    Fixes: e5aac267a10a ("rtc: pcf85363: add alarm support")
    Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
    Link: https://lore.kernel.org/r/20231013-topic-pcf85363_regmap_update_bits-v1-1-c454f016f71f@gmail.com
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sched/rt: Provide migrate_disable/enable() inlines [+ + +]
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Sat Feb 8 20:48:29 2020 +0100

    sched/rt: Provide migrate_disable/enable() inlines
    
    [ Upstream commit 66630058e56b26b3a9cf2625e250a8c592dd0207 ]
    
    Code which solely needs to prevent migration of a task uses
    preempt_disable()/enable() pairs. This is the only reliable way to do so
    as setting the task affinity to a single CPU can be undone by a
    setaffinity operation from a different task/process.
    
    RT provides a separate migrate_disable/enable() mechanism which does not
    disable preemption to achieve the semantic requirements of a (almost) fully
    preemptible kernel.
    
    As it is unclear from looking at a given code path whether the intention is
    to disable preemption or migration, introduce migrate_disable/enable()
    inline functions which can be used to annotate code which merely needs to
    disable migration. Map them to preempt_disable/enable() for now. The RT
    substitution will be provided later.
    
    Code which is annotated that way documents that it has no requirement to
    protect against reentrancy of a preempting task. Either this is not
    required at all or the call sites are already serialized by other means.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Juri Lelli <juri.lelli@redhat.com>
    Cc: Vincent Guittot <vincent.guittot@linaro.org>
    Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Ben Segall <bsegall@google.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Link: https://lore.kernel.org/r/878slclv1u.fsf@nanos.tec.linutronix.de
    Stable-dep-of: 36c75ce3bd29 ("nd_btt: Make BTT lanes preemptible")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
scsi: ufs: core: Leave space for '\0' in utf8 desc string [+ + +]
Author: Daniel Mentz <danielmentz@google.com>
Date:   Tue Oct 17 11:20:26 2023 -0700

    scsi: ufs: core: Leave space for '\0' in utf8 desc string
    
    [ Upstream commit a75a16c62a2540f11eeae4f2b50e95deefb652ea ]
    
    utf16s_to_utf8s does not NULL terminate the output string. For us to be
    able to add a NULL character when utf16s_to_utf8s returns, we need to make
    sure that there is space for such NULL character at the end of the output
    buffer. We can achieve this by passing an output buffer size to
    utf16s_to_utf8s that is one character less than what we allocated.
    
    Other call sites of utf16s_to_utf8s appear to be using the same technique
    where they artificially reduce the buffer size by one to leave space for a
    NULL character or line feed character.
    
    Fixes: 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading")
    Reviewed-by: Mars Cheng <marscheng@google.com>
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Reviewed-by: Yen-lin Lai <yenlinlai@google.com>
    Signed-off-by: Daniel Mentz <danielmentz@google.com>
    Link: https://lore.kernel.org/r/20231017182026.2141163-1-danielmentz@google.com
    Reviewed-by: Avri Altman <avri.altman@wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sh: bios: Revive earlyprintk support [+ + +]
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Thu Oct 19 11:46:43 2023 +0200

    sh: bios: Revive earlyprintk support
    
    [ Upstream commit 553f7ac78fbb41b2c93ab9b9d78e42274d27daa9 ]
    
    The SuperH BIOS earlyprintk code is protected by CONFIG_EARLY_PRINTK.
    However, when this protection was added, it was missed that SuperH no
    longer defines an EARLY_PRINTK config symbol since commit
    e76fe57447e88916 ("sh: Remove old early serial console code V2"), so
    BIOS earlyprintk can no longer be used.
    
    Fix this by reviving the EARLY_PRINTK config symbol.
    
    Fixes: d0380e6c3c0f6edb ("early_printk: consolidate random copies of identical code")
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
    Link: https://lore.kernel.org/r/c40972dfec3dcc6719808d5df388857360262878.1697708489.git.geert+renesas@glider.be
    Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
soc: qcom: llcc cleanup to get rid of sdm845 specific driver file [+ + +]
Author: Vivek Gautam <vivek.gautam@codeaurora.org>
Date:   Thu Jul 18 18:32:36 2019 +0530

    soc: qcom: llcc cleanup to get rid of sdm845 specific driver file
    
    [ Upstream commit a14b820316e84310b1bad3701a8d4c9159377633 ]
    
    A single file should suffice the need to program the llcc for
    various platforms. Get rid of sdm845 specific driver file to
    make way for a more generic driver.
    
    Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Stable-dep-of: f1a1bc8775b2 ("soc: qcom: llcc: Handle a second device without data corruption")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

soc: qcom: llcc: Handle a second device without data corruption [+ + +]
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Tue Sep 26 10:32:29 2023 +0200

    soc: qcom: llcc: Handle a second device without data corruption
    
    [ Upstream commit f1a1bc8775b26345aba2be278118999e7f661d3d ]
    
    Usually there is only one llcc device. But if there were a second, even
    a failed probe call would modify the global drv_data pointer. So check
    if drv_data is valid before overwriting it.
    
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Fixes: a3134fb09e0b ("drivers: soc: Add LLCC driver")
    Link: https://lore.kernel.org/r/20230926083229.2073890-1-u.kleine-koenig@pengutronix.de
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

soc: qcom: Rename llcc-slice to llcc-qcom [+ + +]
Author: Vivek Gautam <vivek.gautam@codeaurora.org>
Date:   Thu Jul 18 18:32:37 2019 +0530

    soc: qcom: Rename llcc-slice to llcc-qcom
    
    [ Upstream commit a0e72a5ba48ae9c6449a32130d74506a854b79d2 ]
    
    The cleaning up was done without changing the driver file name
    to ensure a cleaner bisect. Change the file name now to facilitate
    making the driver generic in subsequent patch.
    
    Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Stable-dep-of: f1a1bc8775b2 ("soc: qcom: llcc: Handle a second device without data corruption")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies [+ + +]
Author: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
Date:   Sat Nov 4 00:13:51 2023 +0530

    spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies
    
    [ Upstream commit c2ded280a4b1b7bd93e53670528504be08d24967 ]
    
    Zynq QSPI driver has been converted to use spi-mem framework so
    add spi-mem to driver kconfig dependencies.
    
    Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
    Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
    Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
    Link: https://lore.kernel.org/r/1699037031-702858-1-git-send-email-radhey.shyam.pandey@amd.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed [+ + +]
Author: Aananth V <aananthv@google.com>
Date:   Thu Sep 14 14:36:20 2023 +0000

    tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
    
    [ Upstream commit e326578a21414738de45f77badd332fb00bd0f58 ]
    
    For passive TCP Fast Open sockets that had SYN/ACK timeout and did not
    send more data in SYN_RECV, upon receiving the final ACK in 3WHS, the
    congestion state may awkwardly stay in CA_Loss mode unless the CA state
    was undone due to TCP timestamp checks. However, if
    tcp_rcv_synrecv_state_fastopen() decides not to undo, then we should
    enter CA_Open, because at that point we have received an ACK covering
    the retransmitted SYNACKs. Currently, the icsk_ca_state is only set to
    CA_Open after we receive an ACK for a data-packet. This is because
    tcp_ack does not call tcp_fastretrans_alert (and tcp_process_loss) if
    !prior_packets
    
    Note that tcp_process_loss() calls tcp_try_undo_recovery(), so having
    tcp_rcv_synrecv_state_fastopen() decide that if we're in CA_Loss we
    should call tcp_try_undo_recovery() is consistent with that, and
    low risk.
    
    Fixes: dad8cea7add9 ("tcp: fix TFO SYNACK undo to avoid double-timestamp-undo")
    Signed-off-by: Aananth V <aananthv@google.com>
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: fix cookie_init_timestamp() overflows [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 20 12:57:37 2023 +0000

    tcp: fix cookie_init_timestamp() overflows
    
    [ Upstream commit 73ed8e03388d16c12fc577e5c700b58a29045a15 ]
    
    cookie_init_timestamp() is supposed to return a 64bit timestamp
    suitable for both TSval determination and setting of skb->tstamp.
    
    Unfortunately it uses 32bit fields and overflows after
    2^32 * 10^6 nsec (~49 days) of uptime.
    
    Generated TSval are still correct, but skb->tstamp might be set
    far away in the past, potentially confusing other layers.
    
    tcp_ns_to_ts() is changed to return a full 64bit value,
    ts and ts_now variables are changed to u64 type,
    and TSMASK is removed in favor of shift operations.
    
    While we are at it, change this sequence:
                    ts >>= TSBITS;
                    ts--;
                    ts <<= TSBITS;
                    ts |= options;
    to:
                    ts -= (1UL << TSBITS);
    
    Fixes: 9a568de4818d ("tcp: switch TCP TS option (RFC 7323) to 1ms clock")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
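
The wrap described in the commit message above, as an added userspace model (not the kernel function and not code from the commit): it compares a 32-bit and a 64-bit variant at 1 and 50 days of uptime and checks that the four-step sequence equals the single subtraction. `TSBITS = 6`, the option value `0x2A` and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define TSBITS        6                  /* assumed width of the option field */
#define TSMASK        ((1u << TSBITS) - 1)
#define NSEC_PER_MSEC 1000000ULL         /* 1 ms TS clock */

/* 32-bit model: the millisecond count is truncated to 32 bits before it
 * is scaled back to nanoseconds, so it wraps after 2^32 ms of uptime. */
static uint64_t cookie_ts_32(uint64_t now_ns, uint32_t options)
{
    uint32_t ts_now = (uint32_t)(now_ns / NSEC_PER_MSEC);
    uint32_t ts = (ts_now & ~TSMASK) | options;

    if (ts > ts_now) {                   /* do not emit a future timestamp */
        ts >>= TSBITS;
        ts--;
        ts <<= TSBITS;
        ts |= options;
    }
    return (uint64_t)ts * NSEC_PER_MSEC;
}

/* 64-bit model: shifts instead of a mask, one subtraction to step back. */
static uint64_t cookie_ts_64(uint64_t now_ns, uint32_t options)
{
    uint64_t ts_now = now_ns / NSEC_PER_MSEC;
    uint64_t ts = ((ts_now >> TSBITS) << TSBITS) | options;

    if (ts > ts_now)
        ts -= (1ULL << TSBITS);
    return ts * NSEC_PER_MSEC;
}

/* Low 32 bits of the millisecond value: what is sent as TSval. */
static uint32_t tsval_of(uint64_t tstamp_ns)
{
    return (uint32_t)(tstamp_ns / NSEC_PER_MSEC);
}

/* The old four-step sequence and "ts -= 1 << TSBITS" give the same result
 * whenever the low TSBITS of ts already hold the options. */
static int sequences_agree(uint32_t options)
{
    for (uint64_t base = 1; base < 100000; base++) {
        uint64_t ts = (base << TSBITS) | options;
        uint64_t a = ts, b = ts;

        a >>= TSBITS; a--; a <<= TSBITS; a |= options;
        b -= (1ULL << TSBITS);
        if (a != b)
            return 0;
    }
    return 1;
}

static uint64_t days_to_ns(uint64_t days)
{
    return days * 86400ULL * 1000000000ULL;
}

int main(void)
{
    const uint32_t opt = 0x2A;           /* constructed option bits */
    const uint64_t days[] = { 1, 50 };

    for (int i = 0; i < 2; i++) {
        uint64_t now = days_to_ns(days[i]);
        uint64_t t32 = cookie_ts_32(now, opt), t64 = cookie_ts_64(now, opt);

        printf("uptime %2llu d: 32-bit %llu ns, 64-bit %llu ns, TSval equal: %d\n",
               (unsigned long long)days[i], (unsigned long long)t32,
               (unsigned long long)t64, tsval_of(t32) == tsval_of(t64));
    }
    printf("sequences agree: %d\n", sequences_agree(opt));
    return 0;
}
```

At 50 days the 32-bit result is about seven hours of uptime while the TSval is unchanged, which matches the commit message's statement that only skb->tstamp is affected.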

tcp: Remove one extra ktime_get_ns() from cookie_init_timestamp [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Nov 7 11:51:18 2019 -0800

    tcp: Remove one extra ktime_get_ns() from cookie_init_timestamp
    
    [ Upstream commit 200ecef67b8d09d16ec55f91c92751dcc7a38d40 ]
    
    tcp_make_synack() already uses tcp_clock_ns(), and can pass
    the value to cookie_init_timestamp() to avoid another call
    to ktime_get_ns() helper.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: 73ed8e03388d ("tcp: fix cookie_init_timestamp() overflows")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp_metrics: add missing barriers on delete [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Sep 22 22:03:53 2023 +0000

    tcp_metrics: add missing barriers on delete
    
    [ Upstream commit cbc3a153222805d65f821e10f4f78b6afce06f86 ]
    
    When removing an item from RCU protected list, we must prevent
    store-tearing, using rcu_assign_pointer() or WRITE_ONCE().
    
    Fixes: 04f721c671656 ("tcp_metrics: Rewrite tcp_metrics_flush_all")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp_metrics: do not create an entry from tcp_init_metrics() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Sep 22 22:03:55 2023 +0000

    tcp_metrics: do not create an entry from tcp_init_metrics()
    
    [ Upstream commit a135798e6e200ecb2f864cecca6d257ba278370c ]
    
    tcp_init_metrics() only wants to get metrics if they were
    previously stored in the cache. Creating an entry is adding
    useless costs, especially when tcp_no_metrics_save is set.
    
    Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Sep 22 22:03:54 2023 +0000

    tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
    
    [ Upstream commit 081480014a64a69d901f8ef1ffdd56d6085cf87e ]
    
    We need to set tp->snd_ssthresh to TCP_INFINITE_SSTHRESH
    in the case tcp_get_metrics() fails for some reason.
    
    Fixes: 9ad7c049f0f7 ("tcp: RFC2988bis + taking RTT sample from 3WHS for the passive open side")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tg3: power down device only on SYSTEM_POWER_OFF [+ + +]
Author: George Shuklin <george.shuklin@gmail.com>
Date:   Fri Nov 3 13:50:29 2023 +0200

    tg3: power down device only on SYSTEM_POWER_OFF
    
    [ Upstream commit 9fc3bc7643341dc5be7d269f3d3dbe441d8d7ac3 ]
    
    Dell R650xs servers hang on reboot if tg3 driver calls
    tg3_power_down.
    
    This happens only if network adapters (BCM5720 for R650xs) were
    initialized using SNP (e.g. by booting ipxe.efi).
    
    The actual problem is on Dell side, but this fix allows servers
    to come back alive after reboot.
    
    Signed-off-by: George Shuklin <george.shuklin@gmail.com>
    Fixes: 2ca1c94ce0b6 ("tg3: Disable tg3 device on system reboot to avoid triggering AER")
    Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
    Reviewed-by: Michael Chan <michael.chan@broadcom.com>
    Link: https://lore.kernel.org/r/20231103115029.83273-1-george.shuklin@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
thermal: core: prevent potential string overflow [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Sat Oct 7 11:59:39 2023 +0300

    thermal: core: prevent potential string overflow
    
    [ Upstream commit c99626092efca3061b387043d4a7399bf75fbdd5 ]
    
    The dev->id value comes from ida_alloc() so it's a number between zero
    and INT_MAX.  If it's too high then these sprintf()s will overflow.
    
    Fixes: 203d3d4aa482 ("the generic thermal sysfs driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING [+ + +]
Author: Shigeru Yoshida <syoshida@redhat.com>
Date:   Mon Oct 30 16:55:40 2023 +0900

    tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
    
    [ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ]
    
    syzbot reported the following uninit-value access issue [1]:
    
    =====================================================
    BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]
    BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756
     strlen lib/string.c:418 [inline]
     strstr+0xb8/0x2f0 lib/string.c:756
     tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595
     genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]
     genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
     genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066
     netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
     genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075
     netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
     netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
     netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
     sock_sendmsg_nosec net/socket.c:730 [inline]
     sock_sendmsg net/socket.c:753 [inline]
     ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
     ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
     __sys_sendmsg net/socket.c:2624 [inline]
     __do_sys_sendmsg net/socket.c:2633 [inline]
     __se_sys_sendmsg net/socket.c:2631 [inline]
     __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Uninit was created at:
     slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
     slab_alloc_node mm/slub.c:3478 [inline]
     kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
     kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
     __alloc_skb+0x318/0x740 net/core/skbuff.c:650
     alloc_skb include/linux/skbuff.h:1286 [inline]
     netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
     netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
     sock_sendmsg_nosec net/socket.c:730 [inline]
     sock_sendmsg net/socket.c:753 [inline]
     ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
     ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
     __sys_sendmsg net/socket.c:2624 [inline]
     __do_sys_sendmsg net/socket.c:2633 [inline]
     __se_sys_sendmsg net/socket.c:2631 [inline]
     __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    TIPC bearer-related names including link names must be null-terminated
    strings. If a link name which is not null-terminated is passed through
    netlink, strstr() and similar functions can cause buffer overrun. This
    causes the above issue.
    
    This patch changes the nla_policy for bearer-related names from NLA_STRING
    to NLA_NUL_STRING. This resolves the issue by ensuring that only
    null-terminated strings are accepted as bearer-related names.
    
    syzbot reported similar uninit-value issue related to bearer names [2]. The
    root cause of this issue is that a non-null-terminated bearer name was
    passed. This patch also resolved this issue.
    
    Fixes: 7be57fc69184 ("tipc: add link get/dump to new netlink api")
    Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api")
    Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1]
    Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2]
    Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
    Reviewed-by: Jiri Pirko <jiri@nvidia.com>
    Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
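
The difference between the two attribute policies named in the commit message above, as an added userspace model (not kernel code and not part of the patch): a length-only check accepts an unterminated name, while the NUL-requiring check rejects it before any strstr() call. Function names, the sample payloads and the `MAX_NAME` limit are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 68   /* assumed maximum name length for this example */

/* NLA_STRING-style check: bounds the length, does not require a NUL. */
static int check_string(const char *data, size_t attrlen, size_t maxlen)
{
    if (attrlen < 1)
        return -1;
    if (maxlen) {
        if (data[attrlen - 1] == '\0')
            attrlen--;                  /* a trailing NUL does not count */
        if (attrlen > maxlen)
            return -1;
    }
    return 0;
}

/* NLA_NUL_STRING-style check: a NUL must occur inside the payload and
 * within maxlen + 1 bytes, then the length rule above applies too. */
static int check_nul_string(const char *data, size_t attrlen, size_t maxlen)
{
    size_t minlen = attrlen;

    if (maxlen && maxlen + 1 < minlen)
        minlen = maxlen + 1;
    if (!minlen || memchr(data, '\0', minlen) == NULL)
        return -1;
    return check_string(data, attrlen, maxlen);
}

/* Consumer that relies on strstr(): validate termination first.
 * Returns 1 if needle is found, 0 if not, -1 if the payload is rejected. */
static int name_contains(const char *data, size_t attrlen, const char *needle)
{
    if (check_nul_string(data, attrlen, MAX_NAME) != 0)
        return -1;
    return strstr(data, needle) != NULL;
}

/* Constructed payloads: one terminated name, one without a terminator. */
static const char terminated[] = "1.1.1:eth0-1.1.2:eth0";
static const char unterminated[10] = { '1', '.', '1', '.', '1', ':', 'e', 't', 'h', '0' };

/* Constructed over-long payload: 80 characters followed by a NUL. */
static int overlong_result(void)
{
    char big[81];

    memset(big, 'a', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return check_nul_string(big, sizeof(big), MAX_NAME);
}

int main(void)
{
    printf("terminated:   string=%d nul_string=%d\n",
           check_string(terminated, sizeof(terminated), MAX_NAME),
           check_nul_string(terminated, sizeof(terminated), MAX_NAME));
    printf("unterminated: string=%d nul_string=%d\n",
           check_string(unterminated, sizeof(unterminated), MAX_NAME),
           check_nul_string(unterminated, sizeof(unterminated), MAX_NAME));
    printf("overlong:     nul_string=%d\n", overlong_result());
    printf("contains ':eth0' -> %d / %d\n",
           name_contains(terminated, sizeof(terminated), ":eth0"),
           name_contains(unterminated, sizeof(unterminated), ":eth0"));
    return 0;
}
```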

 
tools: iio: iio_generic_buffer ensure alignment [+ + +]
Author: Matti Vaittinen <mazziesaccount@gmail.com>
Date:   Tue Oct 3 12:57:47 2023 +0300

    tools: iio: iio_generic_buffer ensure alignment
    
    [ Upstream commit 2d3dff577dd0ea8fe9637a13822f7603c4a881c8 ]
    
    The iio_generic_buffer can return garbage values when the total size of
    scan data is not a multiple of the largest element in the scan. This can be
    demonstrated by reading a scan, consisting, for example of one 4-byte and
    one 2-byte element, where the 4-byte element is first in the buffer.
    
    The IIO generic buffer code does not take into account the last two
    padding bytes that are needed to ensure that the 4-byte data for next
    scan is correctly aligned.
    
    Add the padding bytes required to align the next sample with the scan size.
    
    Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com>
    Fixes: e58537ccce73 ("staging: iio: update example application.")
    Link: https://lore.kernel.org/r/ZRvlm4ktNLu+qmlf@dc78bmyyyyyyyyyyyyydt-3.rev.dnainternet.fi
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tools: iio: iio_generic_buffer: Fix some integer type and calculation [+ + +]
Author: Chenyuan Mi <michenyuan@huawei.com>
Date:   Tue Jul 25 09:24:07 2023 +0000

    tools: iio: iio_generic_buffer: Fix some integer type and calculation
    
    [ Upstream commit 49d736313d0975ddeb156f4f59801da833f78b30 ]
    
    In function size_from_channelarray(), the return value 'bytes' is defined
    as int type. However, the calculation of 'bytes' in this function is designed
    to use the unsigned int type. So it is necessary to change 'bytes' type to
    unsigned int to avoid integer overflow.
    
    The size_from_channelarray() is called in main() function, its return value
    is directly multiplied by 'buf_len' and then used as the malloc() parameter.
    The 'buf_len' is completely controllable by user, thus a multiplication
    overflow may occur here. This could allocate an unexpected small area.
    
    Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
    Link: https://lore.kernel.org/r/20230725092407.62545-1-michenyuan@huawei.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Stable-dep-of: 2d3dff577dd0 ("tools: iio: iio_generic_buffer ensure alignment")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
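
An added example covering the two iio_generic_buffer commit messages above (alignment padding and the buf_len multiplication), not the tool's own code: it lays out a scan of one 4-byte and one 2-byte element with and without tail padding, decodes a second scan with both strides, and refuses a buffer size that would wrap. The struct, function names and sample values are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct chan {                 /* hypothetical, reduced channel description */
    unsigned int bytes;       /* element size, a power of two */
    unsigned int location;    /* byte offset inside one scan */
};

/* Lay out one scan: align each element to its own size and, when pad_tail
 * is set, round the total up to the largest element so the next scan
 * starts aligned too. Returns 0 if an element has size 0. */
static unsigned int scan_size(struct chan *ch, size_t n, int pad_tail)
{
    unsigned int bytes = 0, max = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned int mis;

        if (ch[i].bytes == 0)
            return 0;
        if (ch[i].bytes > max)
            max = ch[i].bytes;
        mis = bytes % ch[i].bytes;
        ch[i].location = mis ? bytes - mis + ch[i].bytes : bytes;
        bytes = ch[i].location + ch[i].bytes;
    }
    if (pad_tail && max && bytes % max)
        bytes += max - bytes % max;
    return bytes;
}

/* buf_len is user-controlled: return 0 instead of a wrapped product. */
static size_t checked_total(unsigned int scan_bytes, size_t buf_len)
{
    if (scan_bytes == 0 || buf_len == 0 || buf_len > SIZE_MAX / scan_bytes)
        return 0;
    return (size_t)scan_bytes * buf_len;
}

/* Read the leading 4-byte element of scan number idx with a given stride. */
static uint32_t first_elem(const unsigned char *buf, size_t idx, unsigned int stride)
{
    uint32_t v;

    memcpy(&v, buf + idx * stride, sizeof(v));
    return v;
}

/* Constructed sample: two scans, each u32 + u16 + two padding bytes. */
static void fill_sample(unsigned char buf[16])
{
    const uint32_t a[2] = { 0x11111111u, 0x33333333u };
    const uint16_t b[2] = { 0x2222u, 0x4444u };

    memset(buf, 0, 16);
    for (int i = 0; i < 2; i++) {
        memcpy(buf + 8 * i, &a[i], 4);
        memcpy(buf + 8 * i + 4, &b[i], 2);
    }
}

/* Scan size for the commit message's case: 4-byte element first, then 2. */
static unsigned int demo_size(int pad_tail)
{
    struct chan ch[2] = { { 4, 0 }, { 2, 0 } };

    return scan_size(ch, 2, pad_tail);
}

/* Leading element of the second scan as decoded with the given stride. */
static uint32_t demo_second_scan(unsigned int stride)
{
    unsigned char buf[16];

    fill_sample(buf);
    return first_elem(buf, 1, stride);
}

int main(void)
{
    printf("scan size without tail padding: %u\n", demo_size(0));
    printf("scan size with tail padding:    %u\n", demo_size(1));
    printf("second scan, stride 6: 0x%08x\n", (unsigned)demo_second_scan(demo_size(0)));
    printf("second scan, stride 8: 0x%08x\n", (unsigned)demo_second_scan(demo_size(1)));
    printf("128 scans need %zu bytes\n", checked_total(demo_size(1), 128));
    printf("SIZE_MAX scans -> %zu (refused)\n", checked_total(demo_size(1), SIZE_MAX));
    return 0;
}
```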

tools: iio: privatize globals and functions in iio_generic_buffer.c file [+ + +]
Author: Alexandru Ardelean <alexandru.ardelean@analog.com>
Date:   Mon Feb 15 12:40:42 2021 +0200

    tools: iio: privatize globals and functions in iio_generic_buffer.c file
    
    [ Upstream commit ebe5112535b5cf389ca7d337cf6a0c1d885f9880 ]
    
    Mostly a tidy-up.
    But also helps to understand the limits of scope of these functions and
    globals.
    
    Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
    Link: https://lore.kernel.org/r/20210215104043.91251-24-alexandru.ardelean@analog.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Stable-dep-of: 2d3dff577dd0 ("tools: iio: iio_generic_buffer ensure alignment")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tty: tty_jobctrl: fix pid memleak in disassociate_ctty() [+ + +]
Author: Yi Yang <yiyang13@huawei.com>
Date:   Thu Aug 31 10:33:29 2023 +0800

    tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
    
    [ Upstream commit 11e7f27b79757b6586645d87b95d5b78375ecdfc ]
    
    There is a pid leakage:
    ------------------------------
    unreferenced object 0xffff88810c181940 (size 224):
      comm "sshd", pid 8191, jiffies 4294946950 (age 524.570s)
      hex dump (first 32 bytes):
        01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de  .............N..
        ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
      backtrace:
        [<ffffffff814774e6>] kmem_cache_alloc+0x5c6/0x9b0
        [<ffffffff81177342>] alloc_pid+0x72/0x570
        [<ffffffff81140ac4>] copy_process+0x1374/0x2470
        [<ffffffff81141d77>] kernel_clone+0xb7/0x900
        [<ffffffff81142645>] __se_sys_clone+0x85/0xb0
        [<ffffffff8114269b>] __x64_sys_clone+0x2b/0x30
        [<ffffffff83965a72>] do_syscall_64+0x32/0x80
        [<ffffffff83a00085>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
    
    It turns out that there is a race condition between disassociate_ctty() and
    tty_signal_session_leader(), which caused this leakage.
    
    The pid memleak is triggered by the following race:
    task[sshd]                     task[bash]
    -----------------------        -----------------------
                                   disassociate_ctty();
                                   spin_lock_irq(&current->sighand->siglock);
                                   put_pid(current->signal->tty_old_pgrp);
                                   current->signal->tty_old_pgrp = NULL;
                                   tty = tty_kref_get(current->signal->tty);
                                   spin_unlock_irq(&current->sighand->siglock);
    tty_vhangup();
    tty_lock(tty);
    ...
    tty_signal_session_leader();
    spin_lock_irq(&p->sighand->siglock);
    ...
    if (tty->ctrl.pgrp) //tty->ctrl.pgrp is not NULL
    p->signal->tty_old_pgrp = get_pid(tty->ctrl.pgrp); //An extra get
    spin_unlock_irq(&p->sighand->siglock);
    ...
    tty_unlock(tty);
                                   if (tty) {
                                       tty_lock(tty);
                                       ...
                                       put_pid(tty->ctrl.pgrp);
                                       tty->ctrl.pgrp = NULL; //It's too late
                                       ...
                                       tty_unlock(tty);
                                   }
    
    The issue is believed to be introduced by commit c8bcd9c5be24 ("tty:
    Fix ->session locking") which moves the unlock of siglock in
    disassociate_ctty() above "if (tty)", making a small window allowing
    tty_signal_session_leader() to kick in. It can be easily reproduced by
    adding a delay before "if (tty)" and at the entrance of
    tty_signal_session_leader().
    
    To fix this issue, we move "put_pid(current->signal->tty_old_pgrp)" after
    "tty->ctrl.pgrp = NULL".
    
    Fixes: c8bcd9c5be24 ("tty: Fix ->session locking")
    Signed-off-by: Yi Yang <yiyang13@huawei.com>
    Co-developed-by: GUO Zihua <guozihua@huawei.com>
    Signed-off-by: GUO Zihua <guozihua@huawei.com>
    Link: https://lore.kernel.org/r/20230831023329.165737-1-yiyang13@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
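
The reference-count imbalance described in the tty_jobctrl commit above, replayed as an added userspace model (not kernel code and not part of the commit). `struct pid_model`, `struct state` and the helper names are assumptions; the racing `tty_signal_session_leader()` step is run deterministically inside the window the message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: only the reference count of a struct pid is kept. */
struct pid_model { int refs; };

struct state {
    struct pid_model *tty_pgrp;     /* models tty->ctrl.pgrp */
    struct pid_model *tty_old_pgrp; /* models the leader's signal->tty_old_pgrp */
};

static struct pid_model *model_get_pid(struct pid_model *p) { if (p) p->refs++; return p; }
static void model_put_pid(struct pid_model *p) { if (p) p->refs--; }

/* disassociate_ctty(): put_pid(tty_old_pgrp); tty_old_pgrp = NULL; */
static void drop_old_pgrp(struct state *s)
{
    model_put_pid(s->tty_old_pgrp);
    s->tty_old_pgrp = NULL;
}

/* Replays one interleaving; returns the references left on the pgrp pid. */
int leaked_refs(bool fixed_order, bool racer_runs)
{
    struct pid_model pgrp = { .refs = 1 };      /* reference held via tty_pgrp */
    struct state s = { .tty_pgrp = &pgrp, .tty_old_pgrp = NULL };

    if (!fixed_order)
        drop_old_pgrp(&s);                      /* pre-fix position */
    if (racer_runs && s.tty_pgrp)               /* tty_signal_session_leader() */
        s.tty_old_pgrp = model_get_pid(s.tty_pgrp);
    model_put_pid(s.tty_pgrp);                  /* done under tty_lock */
    s.tty_pgrp = NULL;
    if (fixed_order)
        drop_old_pgrp(&s);                      /* post-fix position */
    return pgrp.refs;
}

int main(void)
{
    printf("pre-fix order, race hit:  %d ref(s) left\n", leaked_refs(false, true));
    printf("post-fix order, race hit: %d ref(s) left\n", leaked_refs(true, true));
    return 0;
}
```

A nonzero return corresponds to the "unreferenced object" that kmemleak reports in the commit message: a pid whose last reference holder is gone without a matching `put_pid()`.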

 
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency [+ + +]
Author: Jia-Ju Bai <baijiaju@buaa.edu.cn>
Date:   Tue Sep 26 10:44:04 2023 +0800

    usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
    
    [ Upstream commit ef307bc6ef04e8c1ea843231db58e3afaafa9fa6 ]
    
    In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without
    holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue():
    
        spin_lock_irqsave(&hsotg->lock, flags);
        ...
            if (!urb->hcpriv) {
                    dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n");
                    goto out;
            }
        rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv
        ...
    out:
        spin_unlock_irqrestore(&hsotg->lock, flags);
    
    When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are
    concurrently executed, the NULL check of "urb->hcpriv" can be executed
    before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used
    in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL
    pointer dereference.
    
    This possible bug is found by an experimental static analysis tool
    developed by myself. This tool analyzes the locking APIs to extract
    function pairs that can be concurrently executed, and then analyzes the
    instructions in the paired functions to identify possible concurrency
    bugs including data races and atomicity violations. The above possible
    bug is reported, when my tool analyzes the source code of Linux 6.5.
    
    To fix this possible bug, "urb->hcpriv = NULL" should be executed with
    holding the lock "hsotg->lock". After using this patch, my tool never
    reports the possible bug, with the kernel configuration allyesconfig for
    x86_64. Because I have no associated hardware, I cannot test the patch
    in runtime testing, and just verify it according to the code logic.
    
    Fixes: 33ad261aa62b ("usb: dwc2: host: spinlock urb_enqueue")
    Signed-off-by: Jia-Ju Bai <baijiaju@buaa.edu.cn>
    Link: https://lore.kernel.org/r/20230926024404.832096-1-baijiaju@buaa.edu.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
USB: usbip: fix stub_dev hub disconnect [+ + +]
Author: Jonas Blixt <jonas.blixt@actia.se>
Date:   Thu Jun 15 11:28:10 2023 +0200

    USB: usbip: fix stub_dev hub disconnect
    
    [ Upstream commit 97475763484245916735a1aa9a3310a01d46b008 ]
    
    If a hub is disconnected that has device(s) that are attached to the usbip layer
    the disconnect function might fail because it tries to release the port
    on an already disconnected hub.
    
    Fixes: 6080cd0e9239 ("staging: usbip: claim ports used by shared devices")
    Signed-off-by: Jonas Blixt <jonas.blixt@actia.se>
    Acked-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20230615092810.1215490-1-jonas.blixt@actia.se
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vfs: fix readahead(2) on block devices [+ + +]
Author: Reuben Hawkins <reubenhwk@gmail.com>
Date:   Mon Oct 2 20:57:04 2023 -0500

    vfs: fix readahead(2) on block devices
    
    [ Upstream commit 7116c0af4b8414b2f19fdb366eea213cbd9d91c2 ]
    
    Readahead was factored to call generic_fadvise.  That refactor added an
    S_ISREG restriction which broke readahead on block devices.
    
    In addition to S_ISREG, this change checks S_ISBLK to fix block device
    readahead.  There is no change in behavior with any file type besides block
    devices in this change.
    
    Fixes: 3d8f7615319b ("vfs: implement readahead(2) using POSIX_FADV_WILLNEED")
    Signed-off-by: Reuben Hawkins <reubenhwk@gmail.com>
    Link: https://lore.kernel.org/r/20231003015704.2415-1-reubenhwk@gmail.com
    Reviewed-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
 
wifi: mt76: mt7603: rework/fix rx pse hang check [+ + +]
Author: Felix Fietkau <nbd@nbd.name>
Date:   Fri Jul 28 09:51:01 2023 +0200

    wifi: mt76: mt7603: rework/fix rx pse hang check
    
    [ Upstream commit baa19b2e4b7bbb509a7ca7939c8785477dcd40ee ]
    
    It turns out that the code in mt7603_rx_pse_busy() does not detect actual
    hardware hangs, it only checks for busy conditions in PSE.
    A reset should only be performed if these conditions are true and if there
    is no rx activity as well.
    Reset the counter whenever a rx interrupt occurs. In order to also deal with
    a fully loaded CPU that leaves interrupts disabled with continuous NAPI
    polling, also check for pending rx interrupts in the function itself.
    
    Fixes: c8846e101502 ("mt76: add driver for MT7603E and MT7628/7688")
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: rtlwifi: fix EDCA limit set by BT coexistence [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Thu Sep 28 08:23:19 2023 +0300

    wifi: rtlwifi: fix EDCA limit set by BT coexistence
    
    [ Upstream commit 3391ee7f9ea508c375d443cd712c2e699be235b4 ]
    
    In 'rtl92c_dm_check_edca_turbo()', 'rtl88e_dm_check_edca_turbo()',
    and 'rtl8723e_dm_check_edca_turbo()', the DL limit should be set
    from the corresponding field of 'rtlpriv->btcoexist' rather than
    UL. Compile tested only.
    
    Fixes: 0529c6b81761 ("rtlwifi: rtl8723ae: Update driver to match 06/28/14 Realtek version")
    Fixes: c151aed6aa14 ("rtlwifi: rtl8188ee: Update driver to match Realtek release of 06282014")
    Fixes: beb5bc402043 ("rtlwifi: rtl8192c-common: Convert common dynamic management routines for addition of rtl8192se and rtl8192de")
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Acked-by: Ping-Ke Shih <pkshih@realtek.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20230928052327.120178-1-dmantipov@yandex.ru
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Tue Sep 19 13:06:50 2023 +0800

    wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
    
    [ Upstream commit 74f7957c9b1b95553faaf146a2553e023a9d1720 ]
    
    Since debugfs_create_file() returns ERR_PTR and never returns NULL, use
    IS_ERR() to check it instead of checking NULL.
    
    Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Acked-by: Ping-Ke Shih <pkshih@realtek.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20230919050651.962694-1-ruanjinjie@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>
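
Why a NULL test never fires on an ERR_PTR-style return, as in the rtw88 commit above. This is an added userspace example, not driver or kernel code: the three helpers re-create the kernel's error-pointer convention, and `model_create_file()` is a hypothetical stand-in for a function that follows it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095 /* errno values are encoded in the top 4095 addresses */

/* Userspace re-creations of the kernel's error-pointer helpers. */
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static bool IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

static int dummy_dentry; /* constructed stand-in for a real object */

/* Hypothetical creator following the ERR_PTR convention: never returns NULL. */
static void *model_create_file(bool fail)
{
    return fail ? ERR_PTR(-ENOMEM) : (void *)&dummy_dentry;
}

/* NULL-only check: an error pointer is non-NULL, so failure goes unnoticed. */
int check_with_null(bool fail)
{
    void *d = model_create_file(fail);

    return d ? 0 : -ENOMEM;
}

/* IS_ERR() check: detects the failure and recovers the errno from the pointer. */
int check_with_is_err(bool fail)
{
    void *d = model_create_file(fail);

    return IS_ERR(d) ? (int)PTR_ERR(d) : 0;
}

int main(void)
{
    printf("failure seen by NULL check:     %d\n", check_with_null(true));
    printf("failure seen by IS_ERR() check: %d\n", check_with_is_err(true));
    return 0;
}
```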