stable inclusion
from stable-v5.10.158
commit 4621bdfff5f84e511a7f412cfcfea1e920ae03ed
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4621bdfff5f84e511a7f412cfcfea1e920ae03ed

--------------------------------

[ Upstream commit 39f59bca ]

This patch changes the reported ethtool statistics for the lan9303
family of parts covered by this driver.

The TxUnderRun statistic label is renamed to RxShort to accurately
reflect what stat the device is reporting.  I did not reorder the
statistics as that might cause problems with existing user code that
are expecting the stats at a certain offset.

Fixes: a1292595 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
Signed-off-by: NJerry Ray <jerry.ray@microchip.com>
Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 45752af0247589e6d3dede577415bfe117b4392c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=45752af0247589e6d3dede577415bfe117b4392c

--------------------------------

[ Upstream commit 9256db4e ]

In function nixge_hw_dma_bd_release() dereference of NULL pointer
priv->rx_bd_v is possible for the case of its allocation failure in
nixge_hw_dma_bd_init().

Move for() loop with priv->rx_bd_v dereference under the check for
its validity.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 492caffa ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
Signed-off-by: NYuri Karpov <YKarpov@ispras.ru>
Reviewed-by: NMaciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit e01c1542379fb395e7da53706df598f38905dfbf
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e01c1542379fb395e7da53706df598f38905dfbf

--------------------------------

[ Upstream commit dcc14cfd ]

Both p9_fd_create_tcp() and p9_fd_create_unix() will call
p9_socket_open(). If the creation of p9_trans_fd fails,
p9_fd_create_tcp() and p9_fd_create_unix() will return an
error directly instead of releasing the cscoket, which will
result in a socket leak.

This patch adds sock_release() to fix the leak issue.

Fixes: 6b18662e ("9p connect fixes")
Signed-off-by: NWang Hai <wanghai38@huawei.com>
ACKed-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit b080d4668f3f00298077ab32ec50b1128239d421
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b080d4668f3f00298077ab32ec50b1128239d421

--------------------------------

[ Upstream commit b8f79dcc ]

The ntb_netdev_init_module() returns the ntb_transport_register_client()
directly without checking its return value, if
ntb_transport_register_client() failed, the NTB client device is not
unregistered.

Fix by unregister NTB client device when ntb_transport_register_client()
failed.

Fixes: 548c237c ("net: Add support for NTB virtual ethernet device")
Signed-off-by: NYuan Can <yuancan@huawei.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit fe6bc99c27c21348f548966118867ed26a9a372c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fe6bc99c27c21348f548966118867ed26a9a372c

--------------------------------

[ Upstream commit 369eb2c9 ]

I got a null-ptr-deref report as following when doing fault injection test:

BUG: kernel NULL pointer dereference, address: 0000000000000058
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G    B            N 6.1.0-rc3+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
 <TASK>
 klist_remove+0xf1/0x1c0
 device_release_driver_internal+0x23e/0x2d0
 bus_remove_device+0x1bd/0x240
 device_del+0x357/0x770
 phy_device_remove+0x11/0x30
 mdiobus_unregister+0xa5/0x140
 release_nodes+0x6a/0xa0
 devres_release_all+0xf8/0x150
 device_unbind_cleanup+0x19/0xd0

//probe path:
phy_device_register()
  device_add()

phy_connect
  phy_attach_direct() //set device driver
    probe() //it's failed, driver is not bound
    device_bind_driver() // probe failed, it's not called

//remove path:
phy_device_remove()
  device_del()
    device_release_driver_internal()
      __device_release_driver() //dev->drv is not NULL
        klist_remove() <- knode_driver is not added yet, cause null-ptr-deref

In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
device_bind_driver() is not called, so the knode_driver->n_klist is not
set, then it causes null-ptr-deref in __device_release_driver() while
deleting device. Fix this by setting dev->driver to NULL in the error
path in phy_attach_direct().

Fixes: e1393456 ("[PATCH] PHY Layer fixup")
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 0184ede0ec61b9cd075babfaa45081b1bf322234
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0184ede0ec61b9cd075babfaa45081b1bf322234

--------------------------------

[ Upstream commit 3e8f7abc ]

Fix possible out-of-bound access in ieee80211_get_rate_duration routine
as reported by the following UBSAN report:

UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
index 15 is out of range for type 'u16 [12]'
CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
Call Trace:
 <TASK>
 show_stack+0x4e/0x61
 dump_stack_lvl+0x4a/0x6f
 dump_stack+0x10/0x18
 ubsan_epilogue+0x9/0x43
 __ubsan_handle_out_of_bounds.cold+0x42/0x47
ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
 ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
 ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
 ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
 mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
 mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
 mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
 process_one_work+0x225/0x400
 worker_thread+0x50/0x3e0
 ? process_one_work+0x400/0x400
 kthread+0xe9/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30

Fixes: db3e1c40 ("mac80211: Import airtime calculation code from mt76")
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Acked-by: NToke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit e2ed90fd3ae023a8c15a59c145d8db41ed6bbbd5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e2ed90fd3ae023a8c15a59c145d8db41ed6bbbd5

--------------------------------

[ Upstream commit acd3c92a ]

In S1G beacon frames there shouldn't be multi-BSSID elements
since that's not supported, remove that to avoid a potential
integer underflow and/or misparsing the frames due to the
different length of the fixed part of the frame.

While at it, initialize non_tx_data so we don't send garbage
values to the user (even if it doesn't seem to matter now.)
Reported-and-tested-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 9eaffe50 ("cfg80211: convert S1G beacon to scan results")
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 9e6b79a3cd17620d467311b30d56f2648f6880aa
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9e6b79a3cd17620d467311b30d56f2648f6880aa

--------------------------------

[ Upstream commit 9f16b5c8 ]

For vendor elements, the code here assumes that 5 octets
are present without checking. Since the element itself is
already checked to fit, we only need to check the length.
Reported-and-tested-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 6922948c2ec1cc45b11acb8ec2eeb3a8353d572b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6922948c2ec1cc45b11acb8ec2eeb3a8353d572b

--------------------------------

[ Upstream commit 2a838911 ]

IPV6 addresses are purged when setting the number of rx/tx
rings using ethtool -G. The function aq_set_ringparam
calls dev_close, which removes the addresses. As a solution,
call an internal function (aq_ndev_close).

Fixes: c1af5427 ("net: aquantia: Ethtool based ring size configuration")
Signed-off-by: NIzabela Bakollari <ibakolla@redhat.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit fa59d49a49b06429df16f5353477d35328f02cc8
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fa59d49a49b06429df16f5353477d35328f02cc8

--------------------------------

[ Upstream commit 8dbd6e4c ]

The watchdog timer is used to monitor whether the process
of transmitting data is timeout. If we use qlcnic driver,
the dev_watchdog() that is the timer handler of watchdog
timer will call qlcnic_tx_timeout() to process the timeout.
But the qlcnic_tx_timeout() calls msleep(), as a result,
the sleep-in-atomic-context bugs will happen. The processes
are shown below:

   (atomic context)
dev_watchdog
  qlcnic_tx_timeout
    qlcnic_83xx_idc_request_reset
      qlcnic_83xx_lock_driver
        msleep

---------------------------

   (atomic context)
dev_watchdog
  qlcnic_tx_timeout
    qlcnic_83xx_idc_request_reset
      qlcnic_83xx_lock_driver
        qlcnic_83xx_recover_driver_lock
          msleep

Fix by changing msleep() to mdelay(), the mdelay() is
busy-waiting and the bugs could be mitigated.

Fixes: 629263ac ("qlcnic: 83xx CNA inter driver communication mechanism")
Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit d753f554f25d110d0c8269a21d9cce02acdc08f9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d753f554f25d110d0c8269a21d9cce02acdc08f9

--------------------------------

[ Upstream commit 62ec89e7 ]

Add the missing free_cc770dev() before return from cc770_isa_probe()
in the register_cc770dev() error handling case.

In addition, remove blanks before goto labels.

Fixes: 7e02e543 ("can: cc770: legacy CC770 ISA bus driver")
Signed-off-by: NZhang Changzhong <zhangchangzhong@huawei.com>
Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.comSigned-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit e74746bf0453f3af258d03e448744664c839376b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e74746bf0453f3af258d03e448744664c839376b

--------------------------------

[ Upstream commit 92dfd931 ]

Add the missing free_sja1000dev() before return from
sja1000_isa_probe() in the register_sja1000dev() error handling case.

In addition, remove blanks before goto labels.

Fixes: 2a6ba39a ("can: sja1000: legacy SJA1000 ISA bus driver")
Signed-off-by: NZhang Changzhong <zhangchangzhong@huawei.com>
Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.comSigned-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 0d2f9d95d9fbe993f3c4bafb87d59897b0325aff
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0d2f9d95d9fbe993f3c4bafb87d59897b0325aff

--------------------------------

[ Upstream commit 52c795af ]

When having multiple dests with termination tables and second one
or afterwards fails the driver reverts usage of term tables but
doesn't reset the assignment in attr->dests[num_vport_dests].termtbl
which case a use-after-free when releasing the rule.
Fix by resetting the assignment of termtbl to null.

Fixes: 10caabda ("net/mlx5e: Use termination table for VLAN push actions")
Signed-off-by: NRoi Dayan <roid@nvidia.com>
Reviewed-by: NMaor Dickman <maord@nvidia.com>
Signed-off-by: NSaeed Mahameed <saeedm@nvidia.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 2cb84ff34938cc3cdfe2d90e70cf8a8ced66fd1e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2cb84ff34938cc3cdfe2d90e70cf8a8ced66fd1e

--------------------------------

[ Upstream commit 3f5769a0 ]

If sscanf() return 0, outlen is uninitialized and used in kzalloc(),
this is unexpected. We should return -EINVAL if the string is invalid.

Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
Signed-off-by: NSaeed Mahameed <saeedm@nvidia.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit b775f37d943966f6f77dca402f5a9dedce502c25
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b775f37d943966f6f77dca402f5a9dedce502c25

--------------------------------

[ Upstream commit 45605c75 ]

In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so
e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will
resend the skb. But the skb is already freed, which will cause UAF bug
when the upper layer resends the skb.

Remove the harmful free.

Fixes: 5e5d4942 ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare")
Signed-off-by: NWang Hai <wanghai38@huawei.com>
Reviewed-by: NAlexander Duyck <alexanderduyck@fb.com>
Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 086f656e447b082c055cab9b059a71cd409e5c60
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=086f656e447b082c055cab9b059a71cd409e5c60

--------------------------------

[ Upstream commit 4140ff1b ]

The wrappers in include/linux/pci-dma-compat.h should go away.

The patch has been generated with the coccinelle script below and has been
hand modified to replace GFP_ with a correct flag.
It has been compile tested.

When memory is allocated in 'e100_alloc()', GFP_KERNEL can be used because
it is only called from the probe function and no lock is acquired.

@@
@@
-    PCI_DMA_BIDIRECTIONAL
+    DMA_BIDIRECTIONAL

@@
@@
-    PCI_DMA_TODEVICE
+    DMA_TO_DEVICE

@@
@@
-    PCI_DMA_FROMDEVICE
+    DMA_FROM_DEVICE

@@
@@
-    PCI_DMA_NONE
+    DMA_NONE

@@
expression e1, e2, e3;
@@
-    pci_alloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)

@@
expression e1, e2, e3;
@@
-    pci_zalloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)

@@
expression e1, e2, e3, e4;
@@
-    pci_free_consistent(e1, e2, e3, e4)
+    dma_free_coherent(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_single(e1, e2, e3, e4)
+    dma_map_single(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_single(e1, e2, e3, e4)
+    dma_unmap_single(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4, e5;
@@
-    pci_map_page(e1, e2, e3, e4, e5)
+    dma_map_page(&e1->dev, e2, e3, e4, e5)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_page(e1, e2, e3, e4)
+    dma_unmap_page(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_sg(e1, e2, e3, e4)
+    dma_map_sg(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_sg(e1, e2, e3, e4)
+    dma_unmap_sg(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
+    dma_sync_single_for_cpu(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_device(e1, e2, e3, e4)
+    dma_sync_single_for_device(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
+    dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
+    dma_sync_sg_for_device(&e1->dev, e2, e3, e4)

@@
expression e1, e2;
@@
-    pci_dma_mapping_error(e1, e2)
+    dma_mapping_error(&e1->dev, e2)

@@
expression e1, e2;
@@
-    pci_set_dma_mask(e1, e2)
+    dma_set_mask(&e1->dev, e2)

@@
expression e1, e2;
@@
-    pci_set_consistent_dma_mask(e1, e2)
+    dma_set_coherent_mask(&e1->dev, e2)
Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
Tested-by: NAaron Brown <aaron.f.brown@intel.com>
Link: https://lore.kernel.org/r/20210128210736.749724-1-christophe.jaillet@wanadoo.frSigned-off-by: NJakub Kicinski <kuba@kernel.org>
Stable-dep-of: 45605c75 ("e100: Fix possible use after free in e100_xmit_prepare")
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 971c55f0763b480e63ceb7a22beb19be2509e5ed
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=971c55f0763b480e63ceb7a22beb19be2509e5ed

--------------------------------

[ Upstream commit 227d8d2f ]

The iavf_init_module() won't destroy workqueue when pci_register_driver()
failed. Call destroy_workqueue() when pci_register_driver() failed to
prevent the resource leak.

Similar to the handling of u132_hcd_init in commit f276e002
("usb: u132-hcd: fix resource leak")

Fixes: 2803b16c ("i40e/i40evf: Use private workqueue")
Signed-off-by: NYuan Can <yuancan@huawei.com>
Tested-by: NKonrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit d389a4c6987708533000130592ddf33bc48b8b0d
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d389a4c6987708533000130592ddf33bc48b8b0d

--------------------------------

[ Upstream commit c3fec56e ]

Return value directly instead of taking this in another redundant
variable.
Reported-by: NZeal Robot <zealci@zte.com.cn>
Signed-off-by: NMinghao Chi <chi.minghao@zte.com.cn>
Signed-off-by: NCGEL ZTE <cgel.zte@gmail.com>
Tested-by: NKonrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: 227d8d2f ("iavf: Fix error handling in iavf_init_module()")
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit fd4960ea53625105fb8616096b931a977a63a8e5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fd4960ea53625105fb8616096b931a977a63a8e5

--------------------------------

[ Upstream commit 771a794c ]

A problem about modprobe fm10k failed is triggered with the following log
given:

 Intel(R) Ethernet Switch Host Interface Driver
 Copyright(c) 2013 - 2019 Intel Corporation.
 debugfs: Directory 'fm10k' with parent '/' already present!

The reason is that fm10k_init_module() returns fm10k_register_pci_driver()
directly without checking its return value, if fm10k_register_pci_driver()
failed, it returns without removing debugfs and destroy workqueue,
resulting the debugfs of fm10k can never be created later and leaks the
workqueue.

 fm10k_init_module()
   alloc_workqueue()
   fm10k_dbg_init() # create debugfs
   fm10k_register_pci_driver()
     pci_register_driver()
       driver_register()
         bus_add_driver()
           priv = kzalloc(...) # OOM happened
   # return without remove debugfs and destroy workqueue

Fix by remove debugfs and destroy workqueue when
fm10k_register_pci_driver() returns error.

Fixes: 7461fd91 ("fm10k: Add support for debugfs")
Fixes: b382bb1b ("fm10k: use separate workqueue for fm10k driver")
Signed-off-by: NYuan Can <yuancan@huawei.com>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit dd425cec79baeaad2f93b61647bb41b246856914
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dd425cec79baeaad2f93b61647bb41b246856914

--------------------------------

[ Upstream commit 479dd061 ]

i40e_init_module() won't free the debugfs directory created by
i40e_dbg_init() when pci_register_driver() failed. Add fail path to
call i40e_dbg_exit() to remove the debugfs entries to prevent the bug.

i40e: Intel(R) Ethernet Connection XL710 Network Driver
i40e: Copyright (c) 2013 - 2019 Intel Corporation.
debugfs: Directory 'i40e' with parent '/' already present!

Fixes: 41c445ff ("i40e: main driver core")
Signed-off-by: NShang XiaoJing <shangxiaojing@huawei.com>
Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit f166c62cad798c53300b4b327e44300c73ec492d
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f166c62cad798c53300b4b327e44300c73ec492d

--------------------------------

[ Upstream commit 8cfa238a ]

ixgbevf_init_module() won't destroy the workqueue created by
create_singlethread_workqueue() when pci_register_driver() failed. Add
destroy_workqueue() in fail path to prevent the resource leak.

Similar to the handling of u132_hcd_init in commit f276e002
("usb: u132-hcd: fix resource leak")

Fixes: 40a13e24 ("ixgbevf: Use a private workqueue to avoid certain possible hangs")
Signed-off-by: NShang XiaoJing <shangxiaojing@huawei.com>
Reviewed-by: NSaeed Mahameed <saeed@kernel.org>
Tested-by: NKonrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: NTony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 8f7047f418102ff45494f9fe388315ec0fa505e5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8f7047f418102ff45494f9fe388315ec0fa505e5

--------------------------------

[ Upstream commit 60d865bd ]

In of_fwnode_get_reference_args(), the refcount of of_args.np has
been incremented in the case of successful return from
of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args().

Decrement the refcount if of_args is not returned to the caller of
of_fwnode_get_reference_args().

Fixes: 3e3119d3 ("device property: Introduce fwnode_property_get_reference_args")
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
Reviewed-by: NSakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: NFrank Rowand <frowand.list@gmail.com>
Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.comSigned-off-by: NRob Herring <robh@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit be006212bd530b26f4d9f58de140e3973a225044
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=be006212bd530b26f4d9f58de140e3973a225044

--------------------------------

[ Upstream commit 836e49e1 ]

bpf_selem_alloc function is used by inode_storage, sk_storage and
task_storage maps to set map value, for these map types, there may
be a spin lock in the map value, so if we use memcpy to copy the whole
map value from user, the spin lock field may be initialized incorrectly.

Since the spin lock field is zeroed by kzalloc, call copy_map_value
instead of memcpy to skip copying the spin lock field to fix it.

Fixes: 6ac99e8f ("bpf: Introduce bpf sk local storage")
Signed-off-by: NXu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20221114134720.1057939-2-xukuohai@huawei.comSigned-off-by: NAlexei Starovoitov <ast@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 90907cd4d11351ff76c9a447bcb5db0e264c47cd
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=90907cd4d11351ff76c9a447bcb5db0e264c47cd

--------------------------------

[ Upstream commit e2a87785 ]

Smatch report warning as follows:

drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
  '&data->list' not removed from list

If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
be freed, but data->list will not be removed from driver_data.bmc_data,
then list traversal may cause UAF.

Fix by removeing it from driver_data.bmc_data before free().

Fixes: 57c7c3a0 ("hwmon: IBM power meter driver")
Signed-off-by: NGaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.comSigned-off-by: NGuenter Roeck <linux@roeck-us.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 7649bba2633dd1dafb0dc8cd37a46dc86ecee4a2
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7649bba2633dd1dafb0dc8cd37a46dc86ecee4a2

--------------------------------

[ Upstream commit 3b7f98f2 ]

pci_disable_device() need be called while module exiting, switch to use
pcim_enable(), pci_disable_device() will be called in pcim_release().

Fixes: ada07281 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets")
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.comSigned-off-by: NGuenter Roeck <linux@roeck-us.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit dddfc03f044b1acb10477dad42d51522368b1fbc
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dddfc03f044b1acb10477dad42d51522368b1fbc

--------------------------------

[ Upstream commit b8d27d2c ]

The shunt sum critical limit register value should be left shifted
by one bit as its LSB-0 is a reserved bit.

Fixes: 2057bdfb ("hwmon: (ina3221) Add summation feature support")
Signed-off-by: NNinad Malwade <nmalwade@nvidia.com>
Reviewed-by: NThierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20221108044508.23463-1-nmalwade@nvidia.comSigned-off-by: NGuenter Roeck <linux@roeck-us.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 984fcd3ec1aafe3cb5a50b3ca2f9b7c97fdc4e1e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=984fcd3ec1aafe3cb5a50b3ca2f9b7c97fdc4e1e

--------------------------------

[ Upstream commit 07e06193 ]

The LTC2947 datasheet (Rev. B) calls out in the section "Register
Description: Non-Accumulated Result Registers" (pg. 30) that "To
calculate temperature, multiply the TEMP register value by 0.204°C
and add 5.5°C". Fix to add 5.5C and not 0.55C.

Fixes: 9f90fd65 ("hwmon: Add support for ltc2947")
Signed-off-by: NDerek Nguyen <derek.nguyen@collins.com>
Signed-off-by: NBrandon Maier <brandon.maier@collins.com>
Link: https://lore.kernel.org/r/20221110192108.20624-1-brandon.maier@collins.comSigned-off-by: NGuenter Roeck <linux@roeck-us.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 8a549ab6724520aa3c07f47e0eba820293551490
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8a549ab6724520aa3c07f47e0eba820293551490

--------------------------------

[ Upstream commit 927cbb47 ]

The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries
will overflow u32 when mapping producer page and data pages. Only
casting max_entries to size_t is not enough, because for 32-bits
application on 64-bits kernel the size of read-only mmap region
also could overflow size_t.

So fixing it by casting the size of read-only mmap region into a __u64
and checking whether or not there will be overflow during mmap.

Fixes: bf99c936 ("libbpf: Add BPF ring buffer support")
Signed-off-by: NHou Tao <houtao1@huawei.com>
Signed-off-by: NAndrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20221116072351.1168938-3-houtao@huaweicloud.comSigned-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit cc140c729c6832eef8eed07cf09b0aa634857603
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cc140c729c6832eef8eed07cf09b0aa634857603

--------------------------------

[ Upstream commit 57976762 ]

Referring to the datasheet the index 2 is the MCKUDP. When enabled, it
"Enables the automatic disable of the Master Clock of the USB Device
Port when a suspend condition occurs". We fix the index to the real UDP
id which "Enables the 48 MHz clock of the USB Device Port".

Cc: nicolas.ferre@microchip.com
Cc: ludovic.desroches@microchip.com
Cc: alexandre.belloni@bootlin.com
Cc: mturquette@baylibre.com
Cc: sboyd@kernel.org
Cc: claudiu.beznea@microchip.com
Cc: linux-clk@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: kernel@pengutronix.de
Fixes: 02ff48e4 ("clk: at91: add at91rm9200 pmc driver")
Fixes: 0e0e528d ("ARM: dts: at91: rm9200: switch to new clock bindings")
Reviewed-by: NClaudiu Beznea <claudiu.beznea@microchip.com>
Signed-off-by: NMichael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: NClaudiu Beznea <claudiu.beznea@microchip.com>
Link: https://lore.kernel.org/r/20221114185923.1023249-2-m.grzeschik@pengutronix.deSigned-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 592724b14da7d17d09d9cf0358c3574b4903c10e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=592724b14da7d17d09d9cf0358c3574b4903c10e

--------------------------------

[ Upstream commit 2d77de15 ]

Commit 1d1a0e7c ("scripts/faddr2line: Fix overlapping text section
failures") can cause faddr2line to fail on ppc64le on some
distributions, while it works fine on other distributions. The failure
can be attributed to differences in the readelf output.

  $ ./scripts/faddr2line vmlinux find_busiest_group+0x00
  no match for find_busiest_group+0x00

On ppc64le, readelf adds the localentry tag before the symbol name on
some distributions, and adds the localentry tag after the symbol name on
other distributions. This problem has been discussed previously:

  https://lore.kernel.org/bpf/20191211160133.GB4580@calabresa/

This problem can be overcome by filtering out the localentry tags in the
readelf output. Similar fixes are already present in the kernel by way
of the following commits:

  1fd6cee1 ("libbpf: Fix VERSIONED_SYM_COUNT number parsing")
  aa915931 ("libbpf: Fix readelf output parsing for Fedora")

[jpoimboe: rework commit log]

Fixes: 1d1a0e7c ("scripts/faddr2line: Fix overlapping text section failures")
Signed-off-by: NSrikar Dronamraju <srikar@linux.vnet.ibm.com>
Acked-by: NNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Reviewed-by: NThadeu Lima de Souza Cascardo <cascardo@canonical.com>
Link: https://lore.kernel.org/r/20220927075211.897152-1-srikar@linux.vnet.ibm.comSigned-off-by: NJosh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: NPeter Zijlstra <peterz@infradead.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 353c3aaaf3c45227695a016c9aaafe6b43315b56
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=353c3aaaf3c45227695a016c9aaafe6b43315b56

--------------------------------

[ Upstream commit 47df8a2f ]

Since commit bfea9a85 ("bpf: Add name to struct bpf_ksym"), when
reporting subprog ksymbol to perf, prog name instead of subprog name is
used. The backtrace of bpf program with subprogs will be incorrect as
shown below:

  ffffffffc02deace bpf_prog_e44a3057dcb151f8_overwrite+0x66
  ffffffffc02de9f7 bpf_prog_e44a3057dcb151f8_overwrite+0x9f
  ffffffffa71d8d4e trace_call_bpf+0xce
  ffffffffa71c2938 perf_call_bpf_enter.isra.0+0x48

overwrite is the entry program and it invokes the overwrite_htab subprog
through bpf_loop, but in above backtrace, overwrite program just jumps
inside itself.

Fixing it by using subprog name when reporting subprog ksymbol. After
the fix, the output of perf script will be correct as shown below:

  ffffffffc031aad2 bpf_prog_37c0bec7d7c764a4_overwrite_htab+0x66
  ffffffffc031a9e7 bpf_prog_c7eb827ef4f23e71_overwrite+0x9f
  ffffffffa3dd8d4e trace_call_bpf+0xce
  ffffffffa3dc2938 perf_call_bpf_enter.isra.0+0x48

Fixes: bfea9a85 ("bpf: Add name to struct bpf_ksym")
Signed-off-by: NHou Tao <houtao1@huawei.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Acked-by: NJiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/bpf/20221114095733.158588-1-houtao@huaweicloud.comSigned-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit d48f6a5784054ffae7d9ef3646419222fc64ab39
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d48f6a5784054ffae7d9ef3646419222fc64ab39

--------------------------------

[ Upstream commit 6ac12303 ]

Fix an implicit declaration of function error for rpr0521 under some configs

When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER,
the build results in "implicit declaration of function" errors, e.g.,
  drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function
           'iio_trigger_poll_chained' [-Werror=implicit-function-declaration]
    434 |   iio_trigger_poll_chained(data->drdy_trigger0);
        |   ^~~~~~~~~~~~~~~~~~~~~~~~

This fix adds select dependencies to RPR0521's configuration declaration.

Fixes: e12ffd24 ("iio: light: rpr0521 triggered buffer")
Signed-off-by: NPaul Gazzillo <paul@pgazz.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678Reviewed-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@deviceSigned-off-by: NJonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 5eb114f55b37dbc0487aa9c1913b81bb7837f1c4
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5eb114f55b37dbc0487aa9c1913b81bb7837f1c4

--------------------------------

[ Upstream commit fc92d9e3 ]

KASAN report out-of-bounds read as follows:

BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
Read of size 4 at addr ffffffffc00e4658 by task cat/278

Call Trace:
 afe4404_read_raw
 iio_read_channel_info
 dev_attr_show

The buggy address belongs to the variable:
 afe4404_channel_leds+0x18/0xffffffffffffe9c0

This issue can be reproduce by singe command:

 $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw

The array size of afe4404_channel_leds and afe4404_channel_offdacs
are less than channels, so access with chan->address cause OOB read
in afe4404_[read|write]_raw. Fix it by moving access before use them.

Fixes: b36e8257 ("iio: health/afe440x: Use regmap fields")
Signed-off-by: NWei Yongjun <weiyongjun1@huawei.com>
Acked-by: NAndrew Davis <afd@ti.com>
Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.comSigned-off-by: NJonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit b1756af172fb80a3edc143772d49e166ec691b6c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1756af172fb80a3edc143772d49e166ec691b6c

--------------------------------

[ Upstream commit 58143c1e ]

KASAN report out-of-bounds read as follows:

BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
Read of size 4 at addr ffffffffc02ac638 by task cat/279

Call Trace:
 afe4403_read_raw
 iio_read_channel_info
 dev_attr_show

The buggy address belongs to the variable:
 afe4403_channel_leds+0x18/0xffffffffffffe9e0

This issue can be reproduced by singe command:

 $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw

The array size of afe4403_channel_leds is less than channels, so access
with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
access before use it.

Fixes: b36e8257 ("iio: health/afe440x: Use regmap fields")
Signed-off-by: NWei Yongjun <weiyongjun1@huawei.com>
Acked-by: NAndrew Davis <afd@ti.com>
Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.comSigned-off-by: NJonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 01d7c41eac9129fba80d8aed0060caab4a7dbe09
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=01d7c41eac9129fba80d8aed0060caab4a7dbe09

--------------------------------

[ Upstream commit f7e942b5 ]

Syzkaller reported BUG as follows:

  BUG: sleeping function called from invalid context at
       include/linux/sched/mm.h:274
  Call Trace:
   <TASK>
   dump_stack_lvl+0xcd/0x134
   __might_resched.cold+0x222/0x26b
   kmem_cache_alloc+0x2e7/0x3c0
   update_qgroup_limit_item+0xe1/0x390
   btrfs_qgroup_inherit+0x147b/0x1ee0
   create_subvol+0x4eb/0x1710
   btrfs_mksubvol+0xfe5/0x13f0
   __btrfs_ioctl_snap_create+0x2b0/0x430
   btrfs_ioctl_snap_create_v2+0x25a/0x520
   btrfs_ioctl+0x2a1c/0x5ce0
   __x64_sys_ioctl+0x193/0x200
   do_syscall_64+0x35/0x80

Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
btrfs_run_qgroups() later outside of the spinlock context.

CC: stable@vger.kernel.org # 4.9+
Reviewed-by: NQu Wenruo <wqu@suse.com>
Signed-off-by: NChenXiaoSong <chenxiaosong2@huawei.com>
Reviewed-by: NDavid Sterba <dsterba@suse.com>
Signed-off-by: NDavid Sterba <dsterba@suse.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit d3f5be82466948405574c6248e5d6f748b7088db
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d3f5be82466948405574c6248e5d6f748b7088db

--------------------------------

[ Upstream commit 602ad43c ]

This partially reverts 20543be9.

Calling drm_connector_update_edid_property() in
amdgpu_connector_free_edid() causes a noticeable pause in
the system every 10 seconds on polled outputs so revert this
part of the change.

Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2257
Cc: Claudio Suarez <cssk@net-c.es>
Acked-by: NLuben Tuikov <luben.tuikov@amd.com>
Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 00570fafc2bc40aa63894ab054342233439c1d12
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=00570fafc2bc40aa63894ab054342233439c1d12

--------------------------------

[ Upstream commit 20543be9 ]

drm_display_info is updated by drm_get_edid() or
drm_connector_update_edid_property(). In the amdgpu driver it is almost
always updated when the edid is read in amdgpu_connector_get_edid(),
but not always.  Change amdgpu_connector_get_edid() and
amdgpu_connector_free_edid() to keep drm_display_info updated.
Reviewed-by: NHarry Wentland <harry.wentland@amd.com>
Signed-off-by: NClaudio Suarez <cssk@net-c.es>
Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 602ad43c ("drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"")
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 44b204730bf32131f064ebc90145092590c7fe95
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=44b204730bf32131f064ebc90145092590c7fe95

--------------------------------

[ Upstream commit 2f3a1273 ]

Looks like that we're accidentally dropping a pretty important return code
here. For some reason, we just return -EINVAL if we fail to get the MST
topology state. This is wrong: error codes are important and should never
be squashed without being handled, which here seems to have the potential
to cause a deadlock.
Signed-off-by: NLyude Paul <lyude@redhat.com>
Reviewed-by: NWayne Lin <Wayne.Lin@amd.com>
Fixes: 8ec04671 ("drm/dp_mst: Add helper to trigger modeset on affected DSC MST CRTCs")
Cc: <stable@vger.kernel.org> # v5.6+
Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 1faf21bdd111c0c6e7b4dc6b9fc353870a140a9b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1faf21bdd111c0c6e7b4dc6b9fc353870a140a9b

--------------------------------

[ Upstream commit db5df254 ]

Instead of having 2 places that short circuit the qgroup leaf scan have
everything in the qgroup_rescan_leaf function. In addition to that, also
ensure that the inconsistent qgroup flag is set when rescan_should_stop
returns true. This both retains the old behavior when -EINTR was set in
the body of the loop and at the same time also extends this behavior
when scanning is interrupted due to remount or unmount operations.
Signed-off-by: NNikolay Borisov <nborisov@suse.com>
Signed-off-by: NDavid Sterba <dsterba@suse.com>
Stable-dep-of: f7e942b5 ("btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()")
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>

stable inclusion
from stable-v5.10.158
commit 6050872f9f315f1fd09a0cb25a7abf482036357c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7NTXH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6050872f9f315f1fd09a0cb25a7abf482036357c

--------------------------------

[ Upstream commit db2d2dc9 ]

In case the requested bus clock is higher than the input clock, the correct
dividers (pre = 0, post = 0) are returned from mx51_ecspi_clkdiv(), but
*fres is left uninitialized and therefore contains an arbitrary value.

This causes trouble for the recently introduced PIO polling feature as the
value in spi_imx->spi_bus_clk is used there to calculate for which
transfers to enable PIO polling.

Fix this by setting *fres even if no clock dividers are in use.

This issue was observed on Kontron BL i.MX8MM with an SPI peripheral clock set
to 50 MHz by default and a requested SPI bus clock of 80 MHz for the SPI NOR
flash.

With the fix applied the debug message from mx51_ecspi_clkdiv() now prints the
following:

spi_imx 30820000.spi: mx51_ecspi_clkdiv: fin: 50000000, fspi: 50000000,
post: 0, pre: 0

Fixes: 6fd8b850 ("spi: spi-imx: Fix out-of-order CS/SCLK operation at low speeds")
Fixes: 07e75938 ("spi: spi-imx: add PIO polling support")
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: David Jander <david@protonic.nl>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Marek Vasut <marex@denx.de>
Cc: stable@vger.kernel.org
Signed-off-by: NFrieder Schrempf <frieder.schrempf@kontron.de>
Tested-by: NFabio Estevam <festevam@gmail.com>
Acked-by: NMarek Vasut <marex@denx.de>
Link: https://lore.kernel.org/r/20221115181002.2068270-1-frieder@fris.deSigned-off-by: NMark Brown <broonie@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>