commit 3f2ecb86cb909da0b9157fd2952ad79924cbe5ae
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Dec 11 13:39:07 2020 +0100

    Linux 4.14.212
    
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Link: https://lore.kernel.org/r/20201210142602.099683598@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6e1bed40c8a3e8b93245bca9c60528fdd03f3951
Author: Masami Hiramatsu <mhiramat@kernel.org>
Date:   Thu Dec 3 13:50:37 2020 +0900

    x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
    
    commit 4e9a5ae8df5b3365183150f6df49e49dece80d8c upstream
    
    Since insn.prefixes.nbytes can be bigger than the size of
    insn.prefixes.bytes[] when a prefix is repeated, the proper check must
    be
    
      insn.prefixes.bytes[i] != 0 and i < 4
    
    instead of using insn.prefixes.nbytes.
    
    Introduce a for_each_insn_prefix() macro for this purpose. Debugged by
    Kees Cook <keescook@chromium.org>.
    
     [ bp: Massage commit message, sync with the respective header in tools/
       and drop "we". ]
    
    Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints")
    Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com
    Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/160697103739.3146288.7437620795200799020.stgit@devnote2
    [sudip: adjust context, use old insn.h]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
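
The bound described in the commit above, as an added userspace example (not code from the kernel or from the patch): a simplified prefix scanner in which a repeated prefix raises nbytes without using a new bytes[] slot. The struct, the scanner, the macro body and the sample byte strings are assumptions constructed for illustration; only the macro name and the loop condition come from the commit message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PREFIX_SLOTS 4

/* Simplified stand-in for the decoder's prefix field (not the kernel struct):
 * bytes[] keeps each distinct prefix once, nbytes counts every prefix byte. */
struct prefix_field {
	unsigned char bytes[PREFIX_SLOTS];
	unsigned char nbytes;
};

/* Iteration bounded by the condition from the commit message:
 * bytes[i] != 0 and i < 4. The macro body is an assumption. */
#define for_each_insn_prefix(pf, idx, prefix)                             \
	for ((idx) = 0;                                                    \
	     (idx) < PREFIX_SLOTS && ((prefix) = (pf)->bytes[(idx)]) != 0; \
	     (idx)++)

static int is_legacy_prefix(unsigned char b)
{
	switch (b) {
	case 0x26: case 0x2e: case 0x36: case 0x3e: /* ES, CS, SS, DS */
	case 0x64: case 0x65:                       /* FS, GS */
	case 0x66: case 0x67:                       /* operand/address size */
	case 0xf0: case 0xf2: case 0xf3:            /* LOCK, REPNE, REP */
		return 1;
	}
	return 0;
}

/* Toy scanner: a repeated prefix is counted in nbytes but not stored again. */
static void scan_prefixes(const unsigned char *code, size_t len,
			  struct prefix_field *pf)
{
	size_t pos;
	int stored = 0, i, seen;

	memset(pf, 0, sizeof(*pf));
	for (pos = 0; pos < len && is_legacy_prefix(code[pos]); pos++) {
		seen = 0;
		for (i = 0; i < stored; i++)
			if (pf->bytes[i] == code[pos])
				seen = 1;
		if (!seen) {
			if (stored == PREFIX_SLOTS)
				break; /* a fifth distinct prefix does not fit */
			pf->bytes[stored++] = code[pos];
		}
		pf->nbytes++;
	}
}

/* Number of slots visited by the bounded loop. */
static int slots_visited_bounded(const unsigned char *code, size_t len)
{
	struct prefix_field pf;
	unsigned char p;
	int i, n = 0;

	scan_prefixes(code, len, &pf);
	for_each_insn_prefix(&pf, i, p) {
		(void)p;
		n++;
	}
	return n;
}

/* Indexes an "i < nbytes" loop would read beyond bytes[].
 * Computed from the counter; the out-of-bounds read is never performed. */
static int slots_past_end_nbytes(const unsigned char *code, size_t len)
{
	struct prefix_field pf;

	scan_prefixes(code, len, &pf);
	return pf.nbytes > PREFIX_SLOTS ? pf.nbytes - PREFIX_SLOTS : 0;
}

/* Constructed sample inputs (prefix bytes followed by a NOP). */
static const unsigned char SAMPLE_REPEATED[] = { 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x90 };
static const unsigned char SAMPLE_FULL[]     = { 0x26, 0x2e, 0x36, 0x3e, 0x90 };
static const unsigned char SAMPLE_NORMAL[]   = { 0x66, 0x2e, 0x90 };

int main(void)
{
	printf("repeated: bounded=%d past_end=%d\n",
	       slots_visited_bounded(SAMPLE_REPEATED, sizeof(SAMPLE_REPEATED)),
	       slots_past_end_nbytes(SAMPLE_REPEATED, sizeof(SAMPLE_REPEATED)));
	printf("full:     bounded=%d past_end=%d\n",
	       slots_visited_bounded(SAMPLE_FULL, sizeof(SAMPLE_FULL)),
	       slots_past_end_nbytes(SAMPLE_FULL, sizeof(SAMPLE_FULL)));
	printf("normal:   bounded=%d past_end=%d\n",
	       slots_visited_bounded(SAMPLE_NORMAL, sizeof(SAMPLE_NORMAL)),
	       slots_past_end_nbytes(SAMPLE_NORMAL, sizeof(SAMPLE_NORMAL)));
	return 0;
}
```

SAMPLE_FULL shows why both halves of the condition are needed: with all four slots in use there is no zero terminator, so only the index bound stops the loop.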

commit bdc890dfb093fb24b0c92d2a693a184594c52cd4
Author: Luo Meng <luomeng12@huawei.com>
Date:   Tue Nov 24 17:45:23 2020 -0800

    Input: i8042 - fix error return code in i8042_setup_aux()
    
    commit 855b69857830f8d918d715014f05e59a3f7491a0 upstream.
    
    Fix to return a negative error code from the error handling case
    instead of 0 in function i8042_setup_aux(), as done elsewhere in this
    function.
    
    Fixes: f81134163fc7 ("Input: i8042 - use platform_driver_probe")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Luo Meng <luomeng12@huawei.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20201123133420.4071187-1-luomeng12@huawei.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 083c1c7f1333a794ddf1228edc9dbbdc129edb8d
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Mon Nov 16 22:10:58 2020 +0800

    i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc()
    
    commit e9acf0298c664f825e6f1158f2a97341bf9e03ca upstream.
    
    Fix to return the error code from qup_i2c_change_state()
    instead of 0 in qup_i2c_bam_schedule_desc().
    
    Fixes: fbf9921f8b35d9b2 ("i2c: qup: Fix error handling")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 03c271625a3bc20b80d18c4e28e3eb0d1e662743
Author: Bob Peterson <rpeterso@redhat.com>
Date:   Tue Nov 24 10:44:36 2020 -0500

    gfs2: check for empty rgrp tree in gfs2_ri_update
    
    commit 778721510e84209f78e31e2ccb296ae36d623f5e upstream.
    
    If gfs2 tries to mount a (corrupt) file system that has no resource
    groups it still tries to set preferences on the first one, which causes
    a kernel null pointer dereference. This patch adds a check to function
    gfs2_ri_update so this condition is detected and reported back as an
    error.
    
    Reported-by: syzbot+e3f23ce40269a4c9053a@syzkaller.appspotmail.com
    Signed-off-by: Bob Peterson <rpeterso@redhat.com>
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 76dac5d2cb099713db10330b621bc8c97f74981e
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Fri Dec 4 16:36:16 2020 -0500

    tracing: Fix userstacktrace option for instances
    
    commit bcee5278958802b40ee8b26679155a6d9231783e upstream.
    
    When the instances were able to use their own options, the userstacktrace
    option was left hardcoded for the top level. This made the instance
    userstacktrace option basically into a nop, and will confuse users that set
    it, but nothing happens (I was confused when it happened to me!)
    
    Cc: stable@vger.kernel.org
    Fixes: 16270145ce6b ("tracing: Add trace options for core options to instances")
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2ed216dbbe0a73147bdb90176fabc734db93703a
Author: Peter Ujfalusi <peter.ujfalusi@ti.com>
Date:   Sun Dec 6 13:39:04 2020 +0100

    spi: bcm2835: Release the DMA channel if probe fails after dma_init
    
    [ Upstream commit 666224b43b4bd4612ce3b758c038f9bc5c5e3fcb ]
    
    The DMA channel was not released if either devm_request_irq() or
    devm_spi_register_controller() failed.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
    Link: https://lore.kernel.org/r/20191212135550.4634-3-peter.ujfalusi@ti.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    [lukas: backport to 4.19-stable]
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e620a73d7ca7a719155c718897a09f46626b2bb6
Author: Lukas Wunner <lukas@wunner.de>
Date:   Sun Dec 6 13:39:02 2020 +0100

    spi: bcm2835: Fix use-after-free on unbind
    
    [ Upstream commit e1483ac030fb4c57734289742f1c1d38dca61e22 ]
    
    bcm2835_spi_remove() accesses the driver's private data after calling
    spi_unregister_controller() even though that function releases the last
    reference on the spi_controller and thereby frees the private data.
    
    Fix by switching over to the new devm_spi_alloc_master() helper which
    keeps the private data accessible until the driver has unbound.
    
    Fixes: f8043872e796 ("spi: add driver for BCM2835")
    Reported-by: Sascha Hauer <s.hauer@pengutronix.de>
    Reported-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Cc: <stable@vger.kernel.org> # v3.10+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
    Cc: <stable@vger.kernel.org> # v3.10+
    Cc: Vladimir Oltean <olteanv@gmail.com>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Acked-by: Florian Fainelli <f.fainelli@gmail.com>
    Link: https://lore.kernel.org/r/ad66e0a0ad96feb848814842ecf5b6a4539ef35c.1605121038.git.lukas@wunner.de
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11f3e5f49c61ca36c948b51329d7286ace591d44
Author: Lukas Wunner <lukas@wunner.de>
Date:   Sun Dec 6 13:39:01 2020 +0100

    spi: bcm-qspi: Fix use-after-free on unbind
    
    commit 63c5395bb7a9777a33f0e7b5906f2c0170a23692 upstream
    
    bcm_qspi_remove() calls spi_unregister_master() even though
    bcm_qspi_probe() calls devm_spi_register_master().  The spi_master is
    therefore unregistered and freed twice on unbind.
    
    Moreover, since commit 0392727c261b ("spi: bcm-qspi: Handle clock probe
    deferral"), bcm_qspi_probe() leaks the spi_master allocation if the call
    to devm_clk_get_optional() fails.
    
    Fix by switching over to the new devm_spi_alloc_master() helper which
    keeps the private data accessible until the driver has unbound and also
    avoids the spi_master leak on probe.
    
    While at it, fix an ordering issue in bcm_qspi_remove() wherein
    spi_unregister_master() is called after uninitializing the hardware,
    disabling the clock and freeing an IRQ data structure.  The correct
    order is to call spi_unregister_master() *before* those teardown steps
    because bus accesses may still be ongoing until that function returns.
    
    Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Cc: <stable@vger.kernel.org> # v4.9+: 123456789abc: spi: Introduce device-managed SPI controller allocation
    Cc: <stable@vger.kernel.org> # v4.9+
    Cc: Kamal Dasu <kdasu.kdev@gmail.com>
    Acked-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Link: https://lore.kernel.org/r/5e31a9a59fd1c0d0b795b2fe219f25e5ee855f9d.1605121038.git.lukas@wunner.de
    Signed-off-by: Mark Brown <broonie@kernel.org>
    [sudip: adjust context]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8c45a1c6c951bbe7f95db78fcab46f7337364468
Author: Lukas Wunner <lukas@wunner.de>
Date:   Sun Dec 6 13:39:00 2020 +0100

    spi: Introduce device-managed SPI controller allocation
    
    [ Upstream commit 5e844cc37a5cbaa460e68f9a989d321d63088a89 ]
    
    SPI driver probing currently comprises two steps, whereas removal
    comprises only one step:
    
        spi_alloc_master()
        spi_register_controller()
    
        spi_unregister_controller()
    
    That's because spi_unregister_controller() calls device_unregister()
    instead of device_del(), thereby releasing the reference on the
    spi_controller which was obtained by spi_alloc_master().
    
    An SPI driver's private data is contained in the same memory allocation
    as the spi_controller struct.  Thus, once spi_unregister_controller()
    has been called, the private data is inaccessible.  But some drivers
    need to access it after spi_unregister_controller() to perform further
    teardown steps.
    
    Introduce devm_spi_alloc_master() and devm_spi_alloc_slave(), which
    release a reference on the spi_controller struct only after the driver
    has unbound, thereby keeping the memory allocation accessible.  Change
    spi_unregister_controller() to not release a reference if the
    spi_controller was allocated by one of these new devm functions.
    
    The present commit is small enough to be backportable to stable.
    It allows fixing drivers which use the private data in their ->remove()
    hook after it's been freed.  It also allows fixing drivers which neglect
    to release a reference on the spi_controller in the probe error path.
    
    Long-term, most SPI drivers shall be moved over to the devm functions
    introduced herein.  The few that can't shall be changed in a treewide
    commit to explicitly release the last reference on the controller.
    That commit shall amend spi_unregister_controller() to no longer release
    a reference, thereby completing the migration.
    
    As a result, the behaviour will be less surprising and more consistent
    with subsystems such as IIO, which also includes the private data in the
    allocation of the generic iio_dev struct, but calls device_del() in
    iio_device_unregister().
    
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Link: https://lore.kernel.org/r/272bae2ef08abd21388c98e23729886663d19192.1605121038.git.lukas@wunner.de
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
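
The reference ownership described in the commit above, as an added userspace model (not the SPI core's code): one allocation holds both the controller and the driver's private data, and a `freed` flag replaces the real free so the state can be inspected. All names in the block are hypothetical; the model only encodes the rules stated in the commit message.

```c
#include <stdio.h>

/* One allocation: controller bookkeeping plus driver private data. */
struct ctlr_model {
	int refcount;
	int devm_allocated; /* 1 if obtained via the devm_* style allocator */
	int freed;          /* set when the last reference is dropped */
	int clk_enabled;    /* stands in for the driver's private data */
};

static void model_put(struct ctlr_model *c)
{
	if (--c->refcount == 0)
		c->freed = 1;
}

/* Allocation hands the caller one reference. */
static void model_alloc(struct ctlr_model *c, int devm)
{
	c->refcount = 1;
	c->devm_allocated = devm;
	c->freed = 0;
	c->clk_enabled = 1;
}

/* Unregister drops the allocation reference unless it is devm-owned. */
static void model_unregister(struct ctlr_model *c)
{
	if (!c->devm_allocated)
		model_put(c);
}

/* Runs after ->remove() returns, or after a failed probe. */
static void model_devres_release(struct ctlr_model *c)
{
	if (c->devm_allocated)
		model_put(c);
}

/* A ->remove() hook that needs private data after unregistering.
 * Returns 1 if that access would hit already-freed memory; the model
 * reports the condition instead of performing the access. */
static int model_remove(struct ctlr_model *c)
{
	int stale;

	model_unregister(c);
	stale = c->freed;
	if (!stale)
		c->clk_enabled = 0; /* further teardown, e.g. disabling a clock */
	return stale;
}

struct unbind_result {
	int stale_access; /* ->remove() touched freed private data */
	int freed_at_end; /* allocation released once unbind completed */
};

static struct unbind_result model_unbind(int devm)
{
	struct ctlr_model c;
	struct unbind_result r;

	model_alloc(&c, devm);
	r.stale_access = model_remove(&c);
	model_devres_release(&c);
	r.freed_at_end = c.freed;
	return r;
}

/* Probe fails after allocation and the driver forgets to put the
 * controller. Returns 1 if the allocation is leaked. */
static int model_probe_failure_leaks(int devm)
{
	struct ctlr_model c;

	model_alloc(&c, devm);
	/* a later probe step fails here; no explicit put in the error path */
	model_devres_release(&c);
	return !c.freed;
}

int main(void)
{
	struct unbind_result plain = model_unbind(0);
	struct unbind_result devm = model_unbind(1);

	printf("plain alloc: stale_access=%d freed_at_end=%d probe_leak=%d\n",
	       plain.stale_access, plain.freed_at_end,
	       model_probe_failure_leaks(0));
	printf("devm alloc:  stale_access=%d freed_at_end=%d probe_leak=%d\n",
	       devm.stale_access, devm.freed_at_end,
	       model_probe_failure_leaks(1));
	return 0;
}
```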

commit 6bd835d16072a1a9baead39648c18bd6495a6e7c
Author: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Date:   Mon Dec 7 03:19:20 2020 -0600

    iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
    
    commit 4165bf015ba9454f45beaad621d16c516d5c5afe upstream.
    
    According to the AMD IOMMU spec, the commit 73db2fc595f3
    ("iommu/amd: Increase interrupt remapping table limit to 512 entries")
    also requires the interrupt table length (IntTabLen) to be set to 9
    (power of 2) in the device table mapping entry (DTE).
    
    Fixes: 73db2fc595f3 ("iommu/amd: Increase interrupt remapping table limit to 512 entries")
    Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
    Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
    Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
    Link: https://lore.kernel.org/r/20201207091920.3052-1-suravee.suthikulpanit@amd.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bccd77063e971a006164968873f4c2918b7188e6
Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date:   Sun Nov 29 20:35:23 2020 +0100

    speakup: Reject setting the speakup line discipline outside of speakup
    
    commit f0992098cadb4c9c6a00703b66cafe604e178fea upstream.
    
    Speakup exposing a line discipline allows userland to try to use it,
    while it is deemed to be useless, and thus uselessly exposes potential
    bugs. One of them is simply that in such a case if the line sends data,
    spk_ttyio_receive_buf2 is called and crashes since spk_ttyio_synth
    is NULL.
    
    This change restricts the use of the speakup line discipline to
    speakup drivers, thus avoiding such kinds of issues altogether.
    
    Cc: stable@vger.kernel.org
    Reported-by: Shisong Qin <qinshisong1205@gmail.com>
    Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    Tested-by: Shisong Qin <qinshisong1205@gmail.com>
    Link: https://lore.kernel.org/r/20201129193523.hm3f6n5xrn6fiyyc@function
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b77be65d82958ebbb7cfe60dbbda6165fe9b3f4
Author: Christian Eggers <ceggers@arri.de>
Date:   Fri Oct 9 13:03:19 2020 +0200

    i2c: imx: Check for I2SR_IAL after every byte
    
    commit 1de67a3dee7a279ebe4d892b359fe3696938ec15 upstream.
    
    Arbitration Lost (IAL) can happen after every single byte transfer. If
    arbitration is lost, the I2C hardware will autonomously switch from
    master mode to slave. If a transfer is not aborted in this state,
    consecutive transfers will not be executed by the hardware and will
    time out.
    
    Signed-off-by: Christian Eggers <ceggers@arri.de>
    Tested (not extensively) on Vybrid VF500 (Toradex VF50):
    Tested-by: Krzysztof Kozlowski <krzk@kernel.org>
    Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 693b198d476add6f9cae22907f11c90f5933f6d0
Author: Christian Eggers <ceggers@arri.de>
Date:   Fri Oct 9 13:03:18 2020 +0200

    i2c: imx: Fix reset of I2SR_IAL flag
    
    commit 384a9565f70a876c2e78e58c5ca0bbf0547e4f6d upstream.
    
    According to the "VFxxx Controller Reference Manual" (and the comment
    block starting at line 97), Vybrid requires writing a one for clearing
    an interrupt flag. Syncing the method for clearing I2SR_IIF in
    i2c_imx_isr().
    
    Signed-off-by: Christian Eggers <ceggers@arri.de>
    Fixes: 4b775022f6fd ("i2c: imx: add struct to hold more configurable quirks")
    Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 95924989190d3db24f15a21f82d426923bcb4364
Author: Qian Cai <qcai@redhat.com>
Date:   Sat Dec 5 22:14:55 2020 -0800

    mm/swapfile: do not sleep with a spin lock held
    
    commit b11a76b37a5aa7b07c3e3eeeaae20b25475bddd3 upstream.
    
    We can't call kvfree() with a spin lock held, so defer it.  Fixes a
    might_sleep() runtime warning.
    
    Fixes: 873d7bcfd066 ("mm/swapfile.c: use kvzalloc for swap_info_struct allocation")
    Signed-off-by: Qian Cai <qcai@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lkml.kernel.org/r/20201202151549.10350-1-qcai@redhat.com
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe0119a8577927733a90c8dde48ee6b4af0709be
Author: Paulo Alcantara <pc@cjr.nz>
Date:   Sat Nov 28 16:54:02 2020 -0300

    cifs: fix potential use-after-free in cifs_echo_request()
    
    commit 212253367dc7b49ed3fc194ce71b0992eacaecf2 upstream.
    
    This patch fixes a potential use-after-free bug in
    cifs_echo_request().
    
    For instance,
    
      thread 1
      --------
      cifs_demultiplex_thread()
        clean_demultiplex_info()
          kfree(server)
    
      thread 2 (workqueue)
      --------
      apic_timer_interrupt()
        smp_apic_timer_interrupt()
          irq_exit()
            __do_softirq()
              run_timer_softirq()
                call_timer_fn()
                  cifs_echo_request() <- use-after-free in server ptr
    
    Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
    CC: Stable <stable@vger.kernel.org>
    Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4d5b218caae0dbddb857792efdc12c08a79f64e6
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Nov 26 23:38:38 2020 +0530

    ftrace: Fix updating FTRACE_FL_TRAMP
    
    commit 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 upstream.
    
    On powerpc, kprobe-direct.tc triggered FTRACE_WARN_ON() in
    ftrace_get_addr_new() followed by the below message:
      Bad trampoline accounting at: 000000004222522f (wake_up_process+0xc/0x20) (f0000001)
    
    The set of steps leading to this involved:
    - modprobe ftrace-direct-too
    - enable_probe
    - modprobe ftrace-direct
    - rmmod ftrace-direct <-- trigger
    
    The problem turned out to be that we were not updating flags in the
    ftrace record properly. From the above message about the trampoline
    accounting being bad, it can be seen that the ftrace record still has
    FTRACE_FL_TRAMP set though ftrace-direct module is going away. This
    happens because we are checking if any ftrace_ops has the
    FTRACE_FL_TRAMP flag set _before_ updating the filter hash.
    
    The fix for this is to look for any _other_ ftrace_ops that also needs
    FTRACE_FL_TRAMP.
    
    Link: https://lkml.kernel.org/r/56c113aa9c3e10c19144a36d9684c7882bf09af5.1606412433.git.naveen.n.rao@linux.vnet.ibm.com
    
    Cc: stable@vger.kernel.org
    Fixes: a124692b698b0 ("ftrace: Enable trampoline when rec count returns back to one")
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 406ef9aa3777ac083f19b51ace3658d807d53fe7
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Nov 27 15:11:03 2020 +0100

    ALSA: hda/generic: Add option to enforce preferred_dacs pairs
    
    commit 242d990c158d5b1dabd166516e21992baef5f26a upstream.
    
    The generic parser accepts the preferred_dacs[] pairs as a hint for
    assigning a DAC to each pin, but this hint doesn't always work
    effectively.  Currently it's merely a secondary choice after the trial
    with the path index failed.  This sometimes made it difficult to
    assign DACs without mimicking the connection list and/or the badness
    table.
    
    This patch adds a new flag, obey_preferred_dacs, that changes the
    behavior of the parser.  As its name stands, the parser obeys the
    given preferred_dacs[] pairs by skipping the path index matching and
    giving a high penalty if no DAC is assigned by the pairs.  This mode
    will help for assigning the fixed DACs forcibly from the codec
    driver.
    
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20201127141104.11041-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 427d52697c4086efd6ad9975864be6d7cb107cf1
Author: Kailang Yang <kailang@realtek.com>
Date:   Fri Nov 27 14:39:23 2020 +0800

    ALSA: hda/realtek - Add new codec supported for ALC897
    
    commit e5782a5d5054bf1e03cb7fbd87035037c2a22698 upstream.
    
    Enable new codec supported for ALC897.
    
    Signed-off-by: Kailang Yang <kailang@realtek.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/3b00520f304842aab8291eb8d9191bd8@realtek.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8deb3d9018400fab0a7401a910d3341053f5ec82
Author: Jann Horn <jannh@google.com>
Date:   Thu Dec 3 02:25:05 2020 +0100

    tty: Fix ->session locking
    
    commit c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9 upstream.
    
    Currently, locking of ->session is very inconsistent; most places
    protect it using the legacy tty mutex, but disassociate_ctty(),
    __do_SAK(), tiocspgrp() and tiocgsid() don't.
    Two of the writers hold the ctrl_lock (because they already need it for
    ->pgrp), but __proc_set_tty() doesn't do that yet.
    
    On a PREEMPT=y system, an unprivileged user can theoretically abuse
    this broken locking to read 4 bytes of freed memory via TIOCGSID if
    tiocgsid() is preempted long enough at the right point. (Other things
    might also go wrong, especially if root-only ioctls are involved; I'm
    not sure about that.)
    
    Change the locking on ->session such that:
    
     - tty_lock() is held by all writers: By making disassociate_ctty()
       hold it. This should be fine because the same lock can already be
       taken through the call to tty_vhangup_session().
       The tricky part is that we need to shorten the area covered by
       siglock to be able to take tty_lock() without ugly retry logic; as
       far as I can tell, this should be fine, since nothing in the
       signal_struct is touched in the `if (tty)` branch.
     - ctrl_lock is held by all writers: By changing __proc_set_tty() to
       hold the lock a little longer.
     - All readers that aren't holding tty_lock() hold ctrl_lock: By
       adding locking to tiocgsid() and __do_SAK(), and expanding the area
       covered by ctrl_lock in tiocspgrp().
    
    Cc: stable@kernel.org
    Signed-off-by: Jann Horn <jannh@google.com>
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 882e038d2cd276163a8fc7bbeffda59ae0924471
Author: Jann Horn <jannh@google.com>
Date:   Thu Dec 3 02:25:04 2020 +0100

    tty: Fix ->pgrp locking in tiocspgrp()
    
    commit 54ffccbf053b5b6ca4f6e45094b942fab92a25fc upstream.
    
    tiocspgrp() takes two tty_struct pointers: One to the tty that userspace
    passed to ioctl() (`tty`) and one to the TTY being changed (`real_tty`).
    These pointers are different when ioctl() is called with a master fd.
    
    To properly lock real_tty->pgrp, we must take real_tty->ctrl_lock.
    
    This bug makes it possible for racing ioctl(TIOCSPGRP, ...) calls on
    both sides of a PTY pair to corrupt the refcount of `struct pid`,
    leading to use-after-free errors.
    
    Fixes: 47f86834bbd4 ("redo locking of tty->pgrp")
    CC: stable@kernel.org
    Signed-off-by: Jann Horn <jannh@google.com>
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 490c5c712402e6d194179437da863f9c75ade63f
Author: Bjørn Mork <bjorn@mork.no>
Date:   Tue Dec 1 11:03:18 2020 +0100

    USB: serial: option: fix Quectel BG96 matching
    
    commit c98fff7332dbd6e028969f8c2bda3d7bc7a024d8 upstream.
    
    This is a partial revert of commit 2bb70f0a4b23 ("USB: serial:
    option: support dynamic Quectel USB compositions")
    
    The Quectel BG96 is different from most other modern Quectel modems,
    having serial functions with 3 endpoints using ff/ff/ff and ff/fe/ff
    class/subclass/protocol. Including it in the change to accommodate
    dynamic function mapping was incorrect.
    
    Revert to interface number matching for the BG96, assuming static
    layout of the RMNET function on interface 4. This restores support
    for the serial functions on interfaces 2 and 3.
    
    Full lsusb output for the BG96:
    
    Bus 002 Device 003: ID 2c7c:0296
    Device Descriptor:
     bLength                18
     bDescriptorType         1
     bcdUSB               2.00
     bDeviceClass            0 (Defined at Interface level)
     bDeviceSubClass         0
     bDeviceProtocol         0
     bMaxPacketSize0        64
     idVendor           0x2c7c
     idProduct          0x0296
     bcdDevice            0.00
     iManufacturer           3 Qualcomm, Incorporated
     iProduct                2 Qualcomm CDMA Technologies MSM
     iSerial                 4 d1098243
     bNumConfigurations      1
     Configuration Descriptor:
       bLength                 9
       bDescriptorType         2
       wTotalLength          145
       bNumInterfaces          5
       bConfigurationValue     1
       iConfiguration          1 Qualcomm Configuration
       bmAttributes         0xe0
         Self Powered
         Remote Wakeup
       MaxPower              500mA
       Interface Descriptor:
         bLength                 9
         bDescriptorType         4
         bInterfaceNumber        0
         bAlternateSetting       0
         bNumEndpoints           2
         bInterfaceClass       255 Vendor Specific Class
         bInterfaceSubClass    255 Vendor Specific Subclass
         bInterfaceProtocol    255 Vendor Specific Protocol
         iInterface              0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x81  EP 1 IN
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x01  EP 1 OUT
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
       Interface Descriptor:
         bLength                 9
         bDescriptorType         4
         bInterfaceNumber        1
         bAlternateSetting       0
         bNumEndpoints           2
         bInterfaceClass       255 Vendor Specific Class
         bInterfaceSubClass    255 Vendor Specific Subclass
         bInterfaceProtocol    255 Vendor Specific Protocol
         iInterface              0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x82  EP 2 IN
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x02  EP 2 OUT
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
       Interface Descriptor:
         bLength                 9
         bDescriptorType         4
         bInterfaceNumber        2
         bAlternateSetting       0
         bNumEndpoints           3
         bInterfaceClass       255 Vendor Specific Class
         bInterfaceSubClass    255 Vendor Specific Subclass
         bInterfaceProtocol    255 Vendor Specific Protocol
         iInterface              0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x83  EP 3 IN
           bmAttributes            3
             Transfer Type            Interrupt
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0040  1x 64 bytes
           bInterval               5
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x84  EP 4 IN
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x03  EP 3 OUT
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
       Interface Descriptor:
         bLength                 9
         bDescriptorType         4
         bInterfaceNumber        3
         bAlternateSetting       0
         bNumEndpoints           3
         bInterfaceClass       255 Vendor Specific Class
         bInterfaceSubClass    254
         bInterfaceProtocol    255
         iInterface              0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x85  EP 5 IN
           bmAttributes            3
             Transfer Type            Interrupt
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0040  1x 64 bytes
           bInterval               5
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x86  EP 6 IN
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x04  EP 4 OUT
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
       Interface Descriptor:
         bLength                 9
         bDescriptorType         4
         bInterfaceNumber        4
         bAlternateSetting       0
         bNumEndpoints           3
         bInterfaceClass       255 Vendor Specific Class
         bInterfaceSubClass    255 Vendor Specific Subclass
         bInterfaceProtocol    255 Vendor Specific Protocol
         iInterface              0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x87  EP 7 IN
           bmAttributes            3
             Transfer Type            Interrupt
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0040  1x 64 bytes
           bInterval               5
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x88  EP 8 IN
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
         Endpoint Descriptor:
           bLength                 7
           bDescriptorType         5
           bEndpointAddress     0x05  EP 5 OUT
           bmAttributes            2
             Transfer Type            Bulk
             Synch Type               None
             Usage Type               Data
           wMaxPacketSize     0x0200  1x 512 bytes
           bInterval               0
    Device Qualifier (for other device speed):
     bLength                10
     bDescriptorType         6
     bcdUSB               2.00
     bDeviceClass            0 (Defined at Interface level)
     bDeviceSubClass         0
     bDeviceProtocol         0
     bMaxPacketSize0        64
     bNumConfigurations      1
    Device Status:     0x0000
     (Bus Powered)
    
    Cc: Sebastian Sjoholm <sebastian.sjoholm@gmail.com>
    Fixes: 2bb70f0a4b23 ("USB: serial: option: support dynamic Quectel USB compositions")
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f517f819096b36bc49e77bd8f7aee7fd4ac943a
Author: Giacinto Cifelli <gciofono@gmail.com>
Date:   Wed Nov 25 15:53:04 2020 +0100

    USB: serial: option: add support for Thales Cinterion EXS82
    
    commit 6d6556c04ebaeaf4e7fa8b791c97e2a7c41b38a3 upstream.
    
    There is a single option port in this modem, and it is used as debug port.
    
    lsusb -v for this device:
    
    Bus 001 Device 002: ID 1e2d:006c
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               2.00
      bDeviceClass          239 Miscellaneous Device
      bDeviceSubClass         2 ?
      bDeviceProtocol         1 Interface Association
      bMaxPacketSize0        64
      idVendor           0x1e2d
      idProduct          0x006c
      bcdDevice            0.00
      iManufacturer           4
      iProduct                3
      iSerial                 5
      bNumConfigurations      1
      Configuration Descriptor:
        bLength                 9
        bDescriptorType         2
        wTotalLength          243
        bNumInterfaces          7
        bConfigurationValue     1
        iConfiguration          2
        bmAttributes         0xe0
          Self Powered
          Remote Wakeup
        MaxPower              500mA
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        0
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass    255 Vendor Specific Subclass
          bInterfaceProtocol    255 Vendor Specific Protocol
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x81  EP 1 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x01  EP 1 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
        Interface Association:
          bLength                 8
          bDescriptorType        11
          bFirstInterface         1
          bInterfaceCount         2
          bFunctionClass          2 Communications
          bFunctionSubClass       2 Abstract (modem)
          bFunctionProtocol       1 AT-commands (v.25ter)
          iFunction               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        1
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass      2 Abstract (modem)
          bInterfaceProtocol      1 AT-commands (v.25ter)
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC ACM:
            bmCapabilities       0x02
              line coding and serial state
          CDC Call Management:
            bmCapabilities       0x03
              call management
              use DataInterface
            bDataInterface          2
          CDC Union:
            bMasterInterface        1
            bSlaveInterface         2
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x82  EP 2 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        2
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x83  EP 3 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x02  EP 2 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
        Interface Association:
          bLength                 8
          bDescriptorType        11
          bFirstInterface         3
          bInterfaceCount         2
          bFunctionClass          2 Communications
          bFunctionSubClass       2 Abstract (modem)
          bFunctionProtocol       1 AT-commands (v.25ter)
          iFunction               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        3
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass      2 Abstract (modem)
          bInterfaceProtocol      1 AT-commands (v.25ter)
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC ACM:
            bmCapabilities       0x02
              line coding and serial state
          CDC Call Management:
            bmCapabilities       0x03
              call management
              use DataInterface
            bDataInterface          4
          CDC Union:
            bMasterInterface        3
            bSlaveInterface         4
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x84  EP 4 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        4
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x85  EP 5 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x03  EP 3 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
        Interface Association:
          bLength                 8
          bDescriptorType        11
          bFirstInterface         5
          bInterfaceCount         2
          bFunctionClass          2 Communications
          bFunctionSubClass       2 Abstract (modem)
          bFunctionProtocol       1 AT-commands (v.25ter)
          iFunction               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        5
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass      6 Ethernet Networking
          bInterfaceProtocol      0
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC Ethernet:
            iMacAddress                      1 (??)
            bmEthernetStatistics    0x00000000
            wMaxSegmentSize              16384
            wNumberMCFilters            0x0001
            bNumberPowerFilters              0
          CDC Union:
            bMasterInterface        5
            bSlaveInterface         6
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x86  EP 6 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        6
          bAlternateSetting       0
          bNumEndpoints           0
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        6
          bAlternateSetting       1
          bNumEndpoints           2
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x87  EP 7 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x04  EP 4 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
    
    Signed-off-by: Giacinto Cifelli <gciofono@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc435a0dfb3c81b18ed8d9d4cfab42597416750e
Author: Vincent Palatin <vpalatin@chromium.org>
Date:   Fri Nov 20 10:28:28 2020 +0100

    USB: serial: option: add Fibocom NL668 variants
    
    commit 5e4d659b10fde14403adb2e215df4a3168fe8465 upstream.
    
    Update the USB serial option driver support for the Fibocom NL668 Cat.4
    LTE modules as there are actually several different variants.
    Got clarifications from Fibocom, there are distinct products:
    - VID:PID 1508:1001, NL668 for IOT (no MBIM interface)
    - VID:PID 2cb7:01a0, NL668-AM and NL652-EU are laptop M.2 cards (with
      MBIM interfaces for Windows/Linux/Chrome OS), respectively for Americas
      and Europe.
    
    usb-devices output for the laptop M.2 cards:
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=2cb7 ProdID=01a0 Rev=03.18
    S:  Manufacturer=Fibocom Wireless Inc.
    S:  Product=Fibocom NL652-EU Modem
    S:  SerialNumber=0123456789ABCDEF
    C:  #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
    I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    
    Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 058e0da58be02b56248b7bf2ebe6f3b32fd44bf6
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Dec 3 10:11:59 2020 +0100

    USB: serial: ch341: sort device-id entries
    
    commit bf193bfc12dbc3754fc8a6e0e1e3702f1af2f772 upstream.
    
    Keep the device-id entries sorted to make it easier to add new ones in
    the right spot.
    
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e9e0515b9ec9a2d5efca21573a89c9f7880db3b1
Author: Jan-Niklas Burfeind <kernel@aiyionpri.me>
Date:   Thu Dec 3 04:03:59 2020 +0100

    USB: serial: ch341: add new Product ID for CH341A
    
    commit 46ee4abb10a07bd8f8ce910ee6b4ae6a947d7f63 upstream.
    
    Add PID for CH340 that's found on a ch341 based Programmer made by keeyees.
    The specific device that contains the serial converter is described
    here: http://www.keeyees.com/a/Products/ej/36.html
    
    The driver works flawlessly as soon as the new PID (0x5512) is added to
    it.
    
    Signed-off-by: Jan-Niklas Burfeind <kernel@aiyionpri.me>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a345fe6935b1d47afd8d238578c156d349942588
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Dec 4 09:55:19 2020 +0100

    USB: serial: kl5kusb105: fix memleak on open
    
    commit 3f203f057edfcf6bd02c6b942799262bfcf31f73 upstream.
    
    Fix memory leak of control-message transfer buffer on successful open().
    
    Fixes: 6774d5f53271 ("USB: serial: kl5kusb105: fix open error path")
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 84f747ade2fbbe5ab5cc8ff6a0cbad434cb2c553
Author: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
Date:   Mon Nov 30 12:34:53 2020 -0800

    usb: gadget: f_fs: Use local copy of descriptors for userspace copy
    
    commit a4b98a7512f18534ce33a7e98e49115af59ffa00 upstream.
    
    The function may be unbound causing the ffs_ep and its descriptors
    to be freed while userspace is in the middle of an ioctl requesting
    the same descriptors. Avoid dangling pointer reference by first
    making a local copy of descriptors before releasing the spinlock.
    
    Fixes: c559a3534109 ("usb: gadget: f_fs: add ioctl returning ep descriptor")
    Reviewed-by: Peter Chen <peter.chen@nxp.com>
    Signed-off-by: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
    Signed-off-by: Jack Pham <jackp@codeaurora.org>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20201130203453.28154-1-jackp@codeaurora.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
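
The copy-before-unlock pattern described in the f_fs commit above, as an added user-space sketch (not the kernel patch and not part of the commit). A pthread mutex stands in for the spinlock, memcpy() for the copy to userspace, and the hook parameter marks the window in which an unbind can run; every name here is hypothetical.

```c
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified endpoint descriptor (hypothetical stand-in, not the kernel struct). */
struct ep_desc {
    uint8_t  bLength, bDescriptorType, bEndpointAddress, bmAttributes;
    uint16_t wMaxPacketSize;
    uint8_t  bInterval;
};

struct func {
    pthread_mutex_t lock;   /* stands in for the spinlock */
    struct ep_desc *desc;   /* NULL once the function is unbound */
};

typedef void (*race_hook)(struct func *);

int func_bind(struct func *f, uint8_t addr, uint16_t mps)
{
    struct ep_desc d = { 7, 5, addr, 2, mps, 0 };   /* constructed sample values */

    pthread_mutex_init(&f->lock, NULL);
    f->desc = malloc(sizeof(*f->desc));
    if (!f->desc)
        return -ENOMEM;
    *f->desc = d;
    return 0;
}

/* Unbind frees the descriptor; it only serialises against the lock. */
void func_unbind(struct func *f)
{
    pthread_mutex_lock(&f->lock);
    free(f->desc);
    f->desc = NULL;
    pthread_mutex_unlock(&f->lock);
}

/* BEFORE: the pointer is fetched under the lock but dereferenced after it
 * is dropped. If the hook (a concurrent unbind) runs, 'd' dangles. */
int get_desc_dangling(struct func *f, struct ep_desc *out, race_hook hook)
{
    struct ep_desc *d;

    pthread_mutex_lock(&f->lock);
    d = f->desc;
    pthread_mutex_unlock(&f->lock);
    if (!d)
        return -ENODEV;
    if (hook)
        hook(f);
    memcpy(out, d, sizeof(*d));     /* reads freed memory if hook unbound */
    return 0;
}

/* AFTER: snapshot the descriptor into a local while the lock is held, so
 * the slow copy to the caller never touches memory that unbind can free. */
int get_desc_copied(struct func *f, struct ep_desc *out, race_hook hook)
{
    struct ep_desc local;
    int ret = -ENODEV;

    pthread_mutex_lock(&f->lock);
    if (f->desc) {
        local = *f->desc;
        ret = 0;
    }
    pthread_mutex_unlock(&f->lock);
    if (ret)
        return ret;
    if (hook)
        hook(f);                    /* unbind may run here; 'local' is unaffected */
    memcpy(out, &local, sizeof(local));
    return 0;
}

int main(void)
{
    struct func f;
    struct ep_desc out;

    if (func_bind(&f, 0x81, 512))
        return 1;
    /* Unbind fires inside the window; the copied variant still returns valid data. */
    printf("ret=%d ep=0x%02x\n", get_desc_copied(&f, &out, func_unbind),
           out.bEndpointAddress);
    printf("after unbind: ret=%d\n", get_desc_copied(&f, &out, NULL));
    return 0;
}
```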

commit 502bbb8480c38ae6caa4f890b98db3b2a4ae919a
Author: Toke Høiland-Jørgensen <toke@redhat.com>
Date:   Tue Jul 7 13:03:25 2020 +0200

    vlan: consolidate VLAN parsing code and limit max parsing depth
    
    [ Upstream commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 ]
    
    Toshiaki pointed out that we now have two very similar functions to extract
    the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
    that the unbounded parsing loop makes it possible for maliciously crafted
    packets to loop through potentially hundreds of tags.
    
    Fix both of these issues by consolidating the two parsing functions and
    limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
    switch over __vlan_get_protocol() to use skb_header_pointer() instead of
    pskb_may_pull(), to avoid the possible side effects of the latter and keep
    the skb pointer 'const' through all the parsing functions.
    
    v2:
    - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)
    
    Reported-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
    Reported-by: Daniel Borkmann <daniel@iogearbox.net>
    Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
    Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
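
A bounded VLAN tag walk of the kind the vlan commit above describes, as an added user-space example (not the kernel's __vlan_get_protocol() and not part of the commit). It parses a raw Ethernet frame with explicit length checks and stops after 8 tags; the function names, the constructed test frames and the choice to return 0 when the limit is exceeded are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14      /* dst MAC + src MAC + EtherType */
#define VLAN_HLEN      4       /* TCI + encapsulated EtherType */
#define ETH_P_IP       0x0800
#define ETH_P_8021Q    0x8100
#define ETH_P_8021AD   0x88A8
#define VLAN_MAX_DEPTH 8       /* limit stated in the commit message */

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static int is_vlan(uint16_t proto) { return proto == ETH_P_8021Q || proto == ETH_P_8021AD; }

/*
 * Return the L3 EtherType of a frame, or 0 if the frame is truncated or
 * carries more than VLAN_MAX_DEPTH tags. *tags_seen reports how many tags
 * were actually walked, which is the work an attacker can force per packet.
 */
uint16_t frame_l3_proto(const uint8_t *frame, size_t len, int *tags_seen)
{
    size_t off = ETH_HLEN;          /* first byte after the current EtherType */
    int budget = VLAN_MAX_DEPTH;
    uint16_t proto;

    *tags_seen = 0;
    if (len < ETH_HLEN)
        return 0;
    proto = rd_be16(frame + 12);
    while (is_vlan(proto)) {
        if (budget-- == 0)          /* a ninth tag: refuse instead of looping on */
            return 0;
        if (len - off < VLAN_HLEN)  /* tag header must lie fully inside the frame */
            return 0;
        proto = rd_be16(frame + off + 2);
        off += VLAN_HLEN;
        (*tags_seen)++;
    }
    return proto;
}

/* Build a constructed test frame with ntags stacked 802.1Q tags. Returns its length. */
size_t build_tagged_frame(uint8_t *buf, size_t cap, int ntags, uint16_t l3)
{
    size_t need = ETH_HLEN + (size_t)ntags * VLAN_HLEN;
    size_t off = 12;
    int i;

    if (need > cap)
        return 0;
    memset(buf, 0, need);
    for (i = 0; i < ntags; i++) {
        wr_be16(buf + off, ETH_P_8021Q);            /* TPID */
        wr_be16(buf + off + 2, (uint16_t)(1 + i));  /* TCI carrying a VLAN id */
        off += VLAN_HLEN;
    }
    wr_be16(buf + off, l3);
    return need;
}

int main(void)
{
    uint8_t buf[1024];
    int counts[] = { 0, 2, 8, 9, 200 };
    int tags;
    size_t i, n;

    for (i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        n = build_tagged_frame(buf, sizeof(buf), counts[i], ETH_P_IP);
        printf("%3d tags -> proto 0x%04x, walked %d\n", counts[i],
               frame_l3_proto(buf, n, &tags), tags);
    }
    return 0;
}
```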

commit 272b1fcf1cab41fc46c5affb61cb74e4786bcec1
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Sat Jun 6 11:31:50 2020 +0200

    pinctrl: baytrail: Fix pin being driven low for a while on gpiod_get(..., GPIOD_OUT_HIGH)
    
    commit 156abe2961601d60a8c2a60c6dc8dd6ce7adcdaf upstream
    
    The pins on the Bay Trail SoC have separate input-buffer and output-buffer
    enable bits and a read of the level bit of the value register will always
    return the value from the input-buffer.
    
    The BIOS of a device may configure a pin in output-only mode, only enabling
    the output buffer, and write 1 to the level bit to drive the pin high.
    This 1 written to the level bit will be stored inside the data-latch of the
    output buffer.
    
    But a subsequent read of the value register will return 0 for the level bit
    because the input-buffer is disabled. This causes a read-modify-write as
    done by byt_gpio_set_direction() to write 0 to the level bit, driving the
    pin low!
    
    Before this commit byt_gpio_direction_output() relied on
    pinctrl_gpio_direction_output() to set the direction, followed by a call
    to byt_gpio_set() to apply the selected value. This causes the pin to
    go low between the pinctrl_gpio_direction_output() and byt_gpio_set()
    calls.
    
    Change byt_gpio_direction_output() to directly make the register
    modifications itself instead. Replacing the 2 subsequent writes to the
    value register with a single write.
    
    Note that the pinctrl code does not keep track internally of the direction,
    so not going through pinctrl_gpio_direction_output() is not an issue.
    
    This issue was noticed on a Trekstor SurfTab Twin 10.1. When the panel is
    already on at boot (no external monitor connected), then the i915 driver
    does a gpiod_get(..., GPIOD_OUT_HIGH) for the panel-enable GPIO. The
    temporarily going low of that GPIO was causing the panel to reset itself
    after which it would not show an image until it was turned off and back on
    again (until a full modeset was done on it). This commit fixes this.
    
    This commit also updates the byt_gpio_direction_input() to use direct
    register accesses instead of going through pinctrl_gpio_direction_input(),
    to keep it consistent with byt_gpio_direction_output().
    
    Note for backporting, this commit depends on:
    commit e2b74419e5cc ("pinctrl: baytrail: Replace WARN with dev_info_once
    when setting direct-irq pin to output")
    
    Cc: stable@vger.kernel.org
    Fixes: 86e3ef812fe3 ("pinctrl: baytrail: Update gpio chip operations")
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    [sudip: use byt_gpio and vg->pdev->dev for dev_info()]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 857ce4a6ed2db58627db8b8ae48e4cb9a346b4c7
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Wed Jan 1 15:52:43 2020 +0100

    pinctrl: baytrail: Replace WARN with dev_info_once when setting direct-irq pin to output
    
    commit e2b74419e5cc7cfc58f3e785849f73f8fa0af5b3 upstream
    
    Suspending Goodix touchscreens requires changing the interrupt pin to
    output before sending them a power-down command. Followed by wiggling
    the interrupt pin to wake the device up, after which it is put back
    in input mode.
    
    On Cherry Trail devices the interrupt pin is listed as a GpioInt ACPI
    resource so we can do this without problems as long as we release the
    IRQ before changing the pin to output mode.
    
    On Bay Trail devices with a Goodix touchscreen direct-irq mode is used
    in combination with listing the pin as a normal GpioIo resource. This
    works fine, but this triggers the WARN in byt_gpio_set_direction-s output
    path because direct-irq support is enabled on the pin.
    
    This commit replaces the WARN call with a dev_info_once call, fixing a
    bunch of WARN splats in dmesg on each suspend/resume cycle.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>