commit 3242aa3a635c0958671ee1e4b0958dcc7c4e5c79
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Feb 23 14:00:34 2021 +0100

    Linux 4.14.222
    
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Jason Self <jason@bluehome.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Link: https://lore.kernel.org/r/20210222121027.174911182@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3017f5e12bbfe19add7dc921caddc2a1c0066814
Author: Lai Jiangshan <laijs@linux.alibaba.com>
Date:   Thu Dec 17 23:41:18 2020 +0800

    kvm: check tlbs_dirty directly
    
    commit 88bf56d04bc3564542049ec4ec168a8b60d0b48c upstream
    
    In kvm_mmu_notifier_invalidate_range_start(), tlbs_dirty is used as:
            need_tlb_flush |= kvm->tlbs_dirty;
    with need_tlb_flush's type being int and tlbs_dirty's type being long.
    
    It means that tlbs_dirty is always used as int and the higher 32 bits
    are useless.  We need to check tlbs_dirty in a correct way and this
    change checks it directly without propagating it to need_tlb_flush.
    
    Note: it's _extremely_ unlikely this neglecting of higher 32 bits can
    cause problems in practice.  It would require encountering tlbs_dirty
    on a 4 billion count boundary, and KVM would need to be using shadow
    paging or be running a nested guest.
    
    Cc: stable@vger.kernel.org
    Fixes: a4ee1ca4a36e ("KVM: MMU: delay flush all tlbs on sync_page path")
    Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
    Message-Id: <20201217154118.16497-1-jiangshanlai@gmail.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [sudip: adjust context]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
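
The truncation described in the commit message above, as an added user-space model (not code from the commit or the kernel). The function names and sample values are constructed; the 64-bit counter is modelled with int64_t, and the "new" check is an assumption based on the message's wording that the counter is checked directly.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample counter values around the 2^32 boundary. */
static const int64_t SAMPLES[] = {
    0, 1, 0xffffffffLL, 0x100000000LL, 0x100000001LL, 0x200000000LL,
};
#define N_SAMPLES ((int)(sizeof(SAMPLES) / sizeof(SAMPLES[0])))

/*
 * Model of the pre-fix pattern: need_tlb_flush is an int and the counter
 * is a 64-bit long. The OR is evaluated in 64 bits and converted back to
 * int on assignment; GCC and Clang keep only the low 32 bits.
 */
static int flush_needed_old(int need_tlb_flush, int64_t tlbs_dirty)
{
    need_tlb_flush |= tlbs_dirty;
    return need_tlb_flush != 0;
}

/* Model of the post-fix pattern: test the counter itself at full width. */
static int flush_needed_new(int need_tlb_flush, int64_t tlbs_dirty)
{
    return need_tlb_flush || tlbs_dirty;
}

/* Count sample values where a flush is pending but the old check misses it. */
static int count_missed(const int64_t *samples, int n)
{
    int i, missed = 0;

    for (i = 0; i < n; i++)
        if (flush_needed_new(0, samples[i]) &&
            !flush_needed_old(0, samples[i]))
            missed++;
    return missed;
}

int main(void)
{
    int i;

    for (i = 0; i < N_SAMPLES; i++)
        printf("tlbs_dirty=0x%llx old=%d new=%d\n",
               (unsigned long long)SAMPLES[i],
               flush_needed_old(0, SAMPLES[i]),
               flush_needed_new(0, SAMPLES[i]));
    printf("missed by old check: %d\n", count_missed(SAMPLES, N_SAMPLES));
    return 0;
}
```

Only exact multiples of 2^32 are missed, which matches the message's note that the counter would have to sit on a 4 billion count boundary.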

commit 2afb9a5a42ab910589d3a3da96d365cb7085ff8b
Author: Manish Narani <manish.narani@xilinx.com>
Date:   Tue Nov 17 12:43:35 2020 +0530

    usb: gadget: u_ether: Fix MTU size mismatch with RX packet size
    
    commit 0a88fa221ce911c331bf700d2214c5b2f77414d3 upstream
    
    Fix the MTU size issue with RX packet size as the host sends the packet
    with extra bytes containing ethernet header. This causes failure when
    user sets the MTU size to the maximum i.e. 15412. In this case the
    ethernet packet received will be of length 15412 plus the ethernet header
    length. This patch fixes the issue where there is a check that RX packet
    length must not be more than max packet length.
    
    Fixes: bba787a860fa ("usb: gadget: ether: Allow jumbo frames")
    Signed-off-by: Manish Narani <manish.narani@xilinx.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/1605597215-122027-1-git-send-email-manish.narani@xilinx.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2c7a2cf336a2fb94e6c78b9ae4331581a311d01f
Author: John Greb <h3x4m3r0n@gmail.com>
Date:   Sun May 6 20:01:57 2018 +0000

    USB: Gadget Ethernet: Re-enable Jumbo frames.
    
    commit eea52743eb5654ec6f52b0e8b4aefec952543697 upstream
    
    Fixes: <b3e3893e1253> ("net: use core MTU range checking")
    which patched only one of two functions used to setup the
    USB Gadget Ethernet driver, causing a serious performance
    regression in the ability to increase mtu size above 1500.
    
    Signed-off-by: John Greb <h3x4m3r0n@gmail.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 944a2bc49082d73ca6fc700cc16ca3863b228617
Author: Arun Easi <aeasi@marvell.com>
Date:   Wed Dec 2 05:23:04 2020 -0800

    scsi: qla2xxx: Fix crash during driver load on big endian machines
    
    commit 8de309e7299a00b3045fb274f82b326f356404f0 upstream
    
    Crash stack:
            [576544.715489] Unable to handle kernel paging request for data at address 0xd00000000f970000
            [576544.715497] Faulting instruction address: 0xd00000000f880f64
            [576544.715503] Oops: Kernel access of bad area, sig: 11 [#1]
            [576544.715506] SMP NR_CPUS=2048 NUMA pSeries
            :
            [576544.715703] NIP [d00000000f880f64] .qla27xx_fwdt_template_valid+0x94/0x100 [qla2xxx]
            [576544.715722] LR [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx]
            [576544.715726] Call Trace:
            [576544.715731] [c0000004d0ffb000] [c0000006fe02c350] 0xc0000006fe02c350 (unreliable)
            [576544.715750] [c0000004d0ffb080] [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx]
            [576544.715770] [c0000004d0ffb170] [d00000000f7aa034] .qla81xx_load_risc+0x84/0x1a0 [qla2xxx]
            [576544.715789] [c0000004d0ffb210] [d00000000f79f7c8] .qla2x00_setup_chip+0xc8/0x910 [qla2xxx]
            [576544.715808] [c0000004d0ffb300] [d00000000f7a631c] .qla2x00_initialize_adapter+0x4dc/0xb00 [qla2xxx]
            [576544.715826] [c0000004d0ffb3e0] [d00000000f78ce28] .qla2x00_probe_one+0xf08/0x2200 [qla2xxx]
    
    Link: https://lore.kernel.org/r/20201202132312.19966-8-njavali@marvell.com
    Fixes: f73cb695d3ec ("[SCSI] qla2xxx: Add support for ISP2071.")
    Cc: stable@vger.kernel.org
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Arun Easi <aeasi@marvell.com>
    Signed-off-by: Nilesh Javali <njavali@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    [sudip: adjust context]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5571633988e02a1107720544a57ab4878c4446be
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:56:44 2021 +0100

    xen-blkback: fix error handling in xen_blkbk_map()
    
    commit 871997bc9e423f05c7da7c9178e62dde5df2a7f8 upstream.
    
    The function uses a goto-based loop, which may lead to an earlier error
    getting discarded by a later iteration. Exit this ad-hoc loop when an
    error was encountered.
    
    The out-of-memory error path additionally fails to fill a structure
    field looked at by xen_blkbk_unmap_prepare() before inspecting the
    handle which does get properly set (to BLKBACK_INVALID_HANDLE).
    
    Since the earlier exiting from the ad-hoc loop requires the same field
    filling (invalidation) as that on the out-of-memory path, fold both
    paths. While doing so, drop the pr_alert(), as extra log messages aren't
    going to help the situation (the kernel will log oom conditions already
    anyway).
    
    This is XSA-365.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <julien@xen.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7910839db1ca4d0cd4789872621a023f985e50e0
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:55:57 2021 +0100

    xen-scsiback: don't "handle" error by BUG()
    
    commit 7c77474b2d22176d2bfb592ec74e0f2cb71352c9 upstream.
    
    In particular -ENOMEM may come back here, from set_foreign_p2m_mapping().
    Don't make problems worse, the more that handling elsewhere (together
    with map's status fields now indicating whether a mapping wasn't even
    attempted, and hence has to be considered failed) doesn't require this
    odd way of dealing with errors.
    
    This is part of XSA-362.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9ca595810e8fbc541c388abdb4d2ed9ef20a2e06
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:55:31 2021 +0100

    xen-netback: don't "handle" error by BUG()
    
    commit 3194a1746e8aabe86075fd3c5e7cf1f4632d7f16 upstream.
    
    In particular -ENOMEM may come back here, from set_foreign_p2m_mapping().
    Don't make problems worse, the more that handling elsewhere (together
    with map's status fields now indicating whether a mapping wasn't even
    attempted, and hence has to be considered failed) doesn't require this
    odd way of dealing with errors.
    
    This is part of XSA-362.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fd8ec8c708953323feb7c6177d894d39a23b08e4
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:54:51 2021 +0100

    xen-blkback: don't "handle" error by BUG()
    
    commit 5a264285ed1cd32e26d9de4f3c8c6855e467fd63 upstream.
    
    In particular -ENOMEM may come back here, from set_foreign_p2m_mapping().
    Don't make problems worse, the more that handling elsewhere (together
    with map's status fields now indicating whether a mapping wasn't even
    attempted, and hence has to be considered failed) doesn't require this
    odd way of dealing with errors.
    
    This is part of XSA-362.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4514b5e3445540384fd647ce26afae2300274c6a
Author: Stefano Stabellini <stefano.stabellini@xilinx.com>
Date:   Mon Feb 15 08:53:44 2021 +0100

    xen/arm: don't ignore return errors from set_phys_to_machine
    
    commit 36bf1dfb8b266e089afa9b7b984217f17027bf35 upstream.
    
    set_phys_to_machine can fail due to lack of memory, see the kzalloc call
    in arch/arm/xen/p2m.c:__set_phys_to_machine_multi.
    
    Don't ignore the potential return error in set_foreign_p2m_mapping,
    returning it to the caller instead.
    
    This is part of XSA-361.
    
    Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c12c61144be8d11d010646a71021c1da08d7710
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:52:27 2021 +0100

    Xen/gntdev: correct error checking in gntdev_map_grant_pages()
    
    commit ebee0eab08594b2bd5db716288a4f1ae5936e9bc upstream.
    
    Failure of the kernel part of the mapping operation should also be
    indicated as an error to the caller, or else it may assume the
    respective kernel VA is okay to access.
    
    Furthermore gnttab_map_refs() failing still requires recording
    successfully mapped handles, so they can be unmapped subsequently. This
    in turn requires there to be a way to tell full hypercall failure from
    partial success - preset map_op status fields such that they won't
    "happen" to look as if the operation succeeded.
    
    Also again use GNTST_okay instead of implying its value (zero).
    
    This is part of XSA-361.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
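
Why the status fields have to be preset, as an added user-space model (not code from the commit, the kernel or Xen). Everything except the name GNTST_okay and its value of zero is constructed: the structures, the sentinel values, the handle numbers and fake_map_batch(), which stands in for a batched map call that can stop partway.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define GNTST_okay     0           /* zero, as the commit message states */
#define STATUS_UNSET   1           /* constructed: any non-okay preset */
#define INVALID_HANDLE (-1)        /* constructed */
#define NO_FAIL        ((size_t)-1)
#define MAX_OPS        8

struct map_op { int status; int handle; };   /* constructed model */
struct result { int err; size_t recorded; };

/*
 * Constructed stand-in for the batched map call: only the first
 * `processed` entries are written; the rest are left untouched.
 */
static int fake_map_batch(struct map_op *ops, size_t n,
                          size_t processed, size_t fail_at)
{
    size_t i;

    for (i = 0; i < n && i < processed; i++) {
        if (i == fail_at) {
            ops[i].status = -1;
            ops[i].handle = INVALID_HANDLE;
        } else {
            ops[i].status = GNTST_okay;
            ops[i].handle = 100 + (int)i;
        }
    }
    return processed < n ? -ENOMEM : 0;
}

/*
 * Map a batch and record a handle for every entry that reports success,
 * even when the batch call itself failed, so those can be unmapped later.
 * preset == 0 models zero-initialised ops, where an untouched entry reads
 * as GNTST_okay; preset == 1 models the fix.
 */
static struct result map_grants(size_t n, size_t processed, size_t fail_at,
                                int preset, int *handles)
{
    struct map_op ops[MAX_OPS];
    struct result r = { 0, 0 };
    size_t i;

    for (i = 0; i < n; i++) {
        ops[i].status = preset ? STATUS_UNSET : GNTST_okay;
        ops[i].handle = 0;
    }
    r.err = fake_map_batch(ops, n, processed, fail_at);
    for (i = 0; i < n; i++) {
        if (ops[i].status == GNTST_okay) {
            handles[i] = ops[i].handle;
            r.recorded++;
        } else {
            handles[i] = INVALID_HANDLE;
            if (!r.err)
                r.err = -EINVAL;   /* per-entry failure reaches the caller */
        }
    }
    return r;
}

/* Handles recorded when a 4-entry batch stops after 2 entries. */
static size_t recorded_after_partial(int preset)
{
    int handles[MAX_OPS];

    return map_grants(4, 2, NO_FAIL, preset, handles).recorded;
}

/* Handle recorded for an entry the batch never reached (index 3). */
static int handle_of_untouched(int preset)
{
    int handles[MAX_OPS];

    map_grants(4, 2, NO_FAIL, preset, handles);
    return handles[3];
}

/* Error seen by the caller when the batch completes but entry 1 fails. */
static int err_on_entry_failure(void)
{
    int handles[MAX_OPS];

    return map_grants(4, 4, 1, 1, handles).err;
}

int main(void)
{
    printf("no preset: %zu recorded, untouched handle %d\n",
           recorded_after_partial(0), handle_of_untouched(0));
    printf("preset:    %zu recorded, untouched handle %d\n",
           recorded_after_partial(1), handle_of_untouched(1));
    printf("entry failure err: %d\n", err_on_entry_failure());
    return 0;
}
```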

commit 84e240c8aab4831a8312746cb4b346ce77a8f568
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:51:07 2021 +0100

    Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
    
    commit dbe5283605b3bc12ca45def09cc721a0a5c853a2 upstream.
    
    We may not skip setting the field in the unmap structure when
    GNTMAP_device_map is in use - such an unmap would fail to release the
    respective resources (a page ref in the hypervisor). Otoh the field
    doesn't need setting at all when GNTMAP_device_map is not in use.
    
    To record the value for unmapping, we also better don't use our local
    p2m: In particular after a subsequent change it may not have got updated
    for all the batch elements. Instead it can simply be taken from the
    respective map's results.
    
    We can additionally avoid playing this game altogether for the kernel
    part of the mappings in (x86) PV mode.
    
    This is part of XSA-361.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 232ba596896a7654a931ab28868562dd8b6b3904
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:50:08 2021 +0100

    Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
    
    commit b512e1b077e5ccdbd6e225b15d934ab12453b70a upstream.
    
    We should not set up further state if either mapping failed; paying
    attention to just the user mapping's status isn't enough.
    
    Also use GNTST_okay instead of implying its value (zero).
    
    This is part of XSA-361.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit da2e2a5c88abfe0974b4b8575c798fcafb552fc9
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Feb 15 08:49:34 2021 +0100

    Xen/x86: don't bail early from clear_foreign_p2m_mapping()
    
    commit a35f2ef3b7376bfd0a57f7844bd7454389aae1fc upstream.
    
    Its sibling (set_foreign_p2m_mapping()) as well as the sibling of its
    only caller (gnttab_map_refs()) don't clean up after themselves in case
    of error. Higher level callers are expected to do so. However, in order
    for that to really clean up any partially set up state, the operation
    should not terminate upon encountering an entry in unexpected state. It
    is particularly relevant to notice here that set_foreign_p2m_mapping()
    would skip setting up a p2m entry if its grant mapping failed, but it
    would continue to set up further p2m entries as long as their mappings
    succeeded.
    
    Arguably down the road set_foreign_p2m_mapping() may want its page state
    related WARN_ON() also converted to an error return.
    
    This is part of XSA-361.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4480921923080f037efc8ae7c32fb9cdcf06573f
Author: Vasily Gorbik <gor@linux.ibm.com>
Date:   Mon Aug 6 15:17:44 2018 +0200

    tracing: Avoid calling cc-option -mrecord-mcount for every Makefile
    
    commit 07d0408120216b60625c9a5b8012d1c3a907984d upstream.
    
    Currently if CONFIG_FTRACE_MCOUNT_RECORD is enabled -mrecord-mcount
    compiler flag support is tested for every Makefile.
    
    Top 4 cc-option usages:
        511 -mrecord-mcount
         11  -fno-stack-protector
          9 -Wno-override-init
          2 -fsched-pressure
    
    To address that move cc-option from scripts/Makefile.build to top Makefile
    and export CC_USING_RECORD_MCOUNT to be used in original place.
    
    While doing that also add -mrecord-mcount to CC_FLAGS_FTRACE (if gcc
    actually supports it).
    
    Link: http://lkml.kernel.org/r/patch-2.thread-aa7b8d.git-de935bace15a.your-ad-here.call-01533557518-ext-9465@work.hours
    
    Acked-by: Andi Kleen <ak@linux.intel.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cfc6eb148982ce916112d50569ee4930c24f0758
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Jun 8 14:47:46 2018 -0700

    tracing: Fix SKIP_STACK_VALIDATION=1 build due to bad merge with -mrecord-mcount
    
    commit ed7d40bc67b8353c677b38c6cdddcdc310c0f452 upstream.
    
    Non gcc-5 builds with CONFIG_STACK_VALIDATION=y and
    SKIP_STACK_VALIDATION=1 fail.
    Example output:
      /bin/sh: init/.tmp_main.o: Permission denied
    
    commit 96f60dfa5819 ("trace: Use -mcount-record for dynamic ftrace"),
    added a mismatched endif.  This causes cmd_objtool to get mistakenly
    set.
    
    Relocate endif to balance the newly added -record-mcount check.
    
    Link: http://lkml.kernel.org/r/20180608214746.136554-1-gthelen@google.com
    
    Fixes: 96f60dfa5819 ("trace: Use -mcount-record for dynamic ftrace")
    Acked-by: Andi Kleen <ak@linux.intel.com>
    Tested-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Greg Thelen <gthelen@google.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0788a22d85fea3b23b0a979f35d0a0a1a734ecc3
Author: Andi Kleen <ak@linux.intel.com>
Date:   Mon Nov 27 13:34:13 2017 -0800

    trace: Use -mcount-record for dynamic ftrace
    
    commit 96f60dfa5819a065bfdd2f2ba0df7d9cbce7f4dd upstream.
    
    gcc 5 supports a new -mcount-record option to generate ftrace
    tables directly. This avoids the need to run record_mcount
    manually.
    
    Use this option when available.
    
    So far doesn't use -mcount-nop, which also exists now.
    
    This is needed to make ftrace work with LTO because the
    normal record-mcount script doesn't run over the link
    time output.
    
    It should also improve build times slightly in the general
    case.
    Link: http://lkml.kernel.org/r/20171127213423.27218-12-andi@firstfloor.org
    
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0d38200da5d9c26508fb5435e36ccd1345825ef3
Author: Borislav Petkov <bp@suse.de>
Date:   Mon Feb 8 16:43:30 2021 +0100

    x86/build: Disable CET instrumentation in the kernel for 32-bit too
    
    commit 256b92af784d5043eeb7d559b6d5963dcc2ecb10 upstream.
    
    Commit
    
      20bf2b378729 ("x86/build: Disable CET instrumentation in the kernel")
    
    disabled CET instrumentation which gets added by default by the Ubuntu
    gcc9 and 10 by default, but did that only for 64-bit builds. It would
    still fail when building a 32-bit target. So disable CET for all x86
    builds.
    
    Fixes: 20bf2b378729 ("x86/build: Disable CET instrumentation in the kernel")
    Reported-by: AC <achirvasub@gmail.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Tested-by: AC <achirvasub@gmail.com>
    Link: https://lkml.kernel.org/r/YCCIgMHkzh/xT4ex@arch-chirva.localdomain
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 307f2d629bd4bc3e97e25e3d5f964c74ba6c2026
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Fri Feb 12 20:52:54 2021 -0800

    h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
    
    [ Upstream commit ade9679c159d5bbe14fb7e59e97daf6062872e2b ]
    
    Fix a build error for undefined 'TI_PRE_COUNT' by adding it to
    asm-offsets.c.
    
      h8300-linux-ld: arch/h8300/kernel/entry.o: in function `resume_kernel': (.text+0x29a): undefined reference to `TI_PRE_COUNT'
    
    Link: https://lkml.kernel.org/r/20210212021650.22740-1-rdunlap@infradead.org
    Fixes: df2078b8daa7 ("h8300: Low level entry")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: kernel test robot <lkp@intel.com>
    Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit de3ae58f88ce0af5a0c6ebb565c542a1691ce3b1
Author: Alain Volmat <alain.volmat@foss.st.com>
Date:   Fri Feb 5 09:51:40 2021 +0100

    i2c: stm32f7: fix configuration of the digital filter
    
    [ Upstream commit 3d6a3d3a2a7a3a60a824e7c04e95fd50dec57812 ]
    
    The digital filter related computations are present in the driver
    however the programming of the filter within the IP is missing.
    The maximum value for the DNF is wrong and should be 15 instead of 16.
    
    Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver")
    
    Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
    Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dbdc5fefe89f542f21b79ad30b948c72b0ce0ea7
Author: Stefano Garzarella <sgarzare@redhat.com>
Date:   Tue Feb 9 09:52:19 2021 +0100

    vsock: fix locking in vsock_shutdown()
    
    commit 1c5fae9c9a092574398a17facc31c533791ef232 upstream.
    
    In vsock_shutdown() we touched some socket fields without holding the
    socket lock, such as 'state' and 'sk_flags'.
    
    Also, after the introduction of multi-transport, we are accessing
    'vsk->transport' in vsock_send_shutdown() without holding the lock
    and this call can be made while the connection is in progress, so
    the transport can change in the meantime.
    
    To avoid issues, we hold the socket lock when we enter in
    vsock_shutdown() and release it when we leave.
    
    Among the transports that implement the 'shutdown' callback, only
    hyperv_transport acquired the lock. Since the caller now holds it,
    we no longer take it.
    
    Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
    Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e3bb32acc6f51fe0c41513e7ca1f4baba92f8fb7
Author: Stefano Garzarella <sgarzare@redhat.com>
Date:   Mon Feb 8 15:44:54 2021 +0100

    vsock/virtio: update credit only if socket is not closed
    
    commit ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 upstream.
    
    If the socket is closed or is being released, some resources used by
    virtio_transport_space_update() such as 'vsk->trans' may be released.
    
    To avoid a use after free bug we should only update the available credit
    when we are sure the socket is still open and we have the lock held.
    
    Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
    Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Link: https://lore.kernel.org/r/20210208144454.84438-1-sgarzare@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d403a809c8f3e0dda2c1ff22d3ffad015349b02
Author: Edwin Peer <edwin.peer@broadcom.com>
Date:   Fri Feb 5 17:37:32 2021 -0800

    net: watchdog: hold device global xmit lock during tx disable
    
    commit 3aa6bce9af0e25b735c9c1263739a5639a336ae8 upstream.
    
    Prevent netif_tx_disable() running concurrently with dev_watchdog() by
    taking the device global xmit lock. Otherwise, the recommended:
    
            netif_carrier_off(dev);
            netif_tx_disable(dev);
    
    driver shutdown sequence can happen after the watchdog has already
    checked carrier, resulting in possible false alarms. This is because
    netif_tx_lock() only sets the frozen bit without maintaining the locks
    on the individual queues.
    
    Fixes: c3f26a269c24 ("netdev: Fix lockdep warnings in multiqueue configurations.")
    Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
    Reviewed-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8326059944a67ae36d9c59e769a63a745fa4fef1
Author: Norbert Slusarek <nslusarek@gmx.net>
Date:   Fri Feb 5 13:14:05 2021 +0100

    net/vmw_vsock: improve locking in vsock_connect_timeout()
    
    commit 3d0bc44d39bca615b72637e340317b7899b7f911 upstream.
    
    A possible locking issue in vsock_connect_timeout() was recognized by
    Eric Dumazet which might cause a null pointer dereference in
    vsock_transport_cancel_pkt(). This patch assures that
    vsock_transport_cancel_pkt() will be called within the lock, so a race
    condition won't occur which could result in vsk->transport to be set to NULL.
    
    Fixes: 380feae0def7 ("vsock: cancel packets when failing to connect")
    Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Link: https://lore.kernel.org/r/trinity-f8e0937a-cf0e-4d80-a76e-d9a958ba3ef1-1612535522360@3c-app-gmx-bap12
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 910df5c00bb3c8e6c4ad28e6f83d951780af640d
Author: Serge Semin <Sergey.Semin@baikalelectronics.ru>
Date:   Thu Dec 10 11:50:07 2020 +0300

    usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
    
    commit fca3f138105727c3a22edda32d02f91ce1bf11c9 upstream
    
    Originally the procedure of the ULPI transaction finish detection has been
    developed as a simple busy-loop with just decrementing counter and no
    delays. It's wrong since on different systems the loop will take a
    different time to complete. So if the system bus and CPU are fast enough
    to overtake the ULPI bus and the companion PHY reaction, then we'll get to
    take a false timeout error. Fix this by converting the busy-loop procedure
    to take the standard bus speed, address value and the registers access
    mode into account for the busy-loop delay calculation.
    
    Here is the way the fix works. It's known that the ULPI bus is clocked
    with 60MHz signal. In accordance with [1] the ULPI bus protocol is created
    so to spend 5 and 6 clock periods for immediate register write and read
    operations respectively, and 6 and 7 clock periods - for the extended
    register writes and reads. Based on that we can easily pre-calculate the
    time which will be needed for the controller to perform a requested IO
    operation. Note we'll still preserve the attempts counter in case if the
    DWC USB3 controller has got some internal delays.
    
    [1] UTMI+ Low Pin Interface (ULPI) Specification, Revision 1.1,
        October 20, 2004, pp. 30 - 36.
    
    Fixes: 88bc9d194ff6 ("usb: dwc3: add ULPI interface support")
    Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
    Link: https://lore.kernel.org/r/20201210085008.13264-3-Sergey.Semin@baikalelectronics.ru
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [sudip: adjust context]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bf94aede8055df7d5af5445f08b708fadd628bc3
Author: Felipe Balbi <balbi@kernel.org>
Date:   Thu Aug 13 08:30:38 2020 +0300

    usb: dwc3: ulpi: fix checkpatch warning
    
    commit 2a499b45295206e7f3dc76edadde891c06cc4447 upstream
    
    no functional changes.
    
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f66f9f73e0303e0b498529cc72febbbfa11e2103
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Feb 5 12:56:43 2021 +0100

    netfilter: conntrack: skip identical origin tuple in same zone only
    
    [ Upstream commit 07998281c268592963e1cd623fe6ab0270b65ae4 ]
    
    The origin skip check needs to re-test the zone. Else, we might skip
    a colliding tuple in the reply direction.
    
    This only occurs when using 'directional zones' where origin tuples
    reside in different zones but the reply tuples share the same zone.
    
    This causes the new conntrack entry to be dropped at confirmation time
    because NAT clash resolution was elided.
    
    Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 18b4830f5764421ea13e475e8f6e449905eb6d1d
Author: Juergen Gross <jgross@suse.com>
Date:   Tue Feb 2 08:09:38 2021 +0100

    xen/netback: avoid race in xenvif_rx_ring_slots_available()
    
    [ Upstream commit ec7d8e7dd3a59528e305a18e93f1cb98f7faf83b ]
    
    Since commit 23025393dbeb3b8b3 ("xen/netback: use lateeoi irq binding")
    xenvif_rx_ring_slots_available() is no longer called only from the rx
    queue kernel thread, so it needs to access the rx queue with the
    associated queue held.
    
    Reported-by: Igor Druzhinin <igor.druzhinin@citrix.com>
    Fixes: 23025393dbeb3b8b3 ("xen/netback: use lateeoi irq binding")
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Acked-by: Wei Liu <wl@xen.org>
    Link: https://lore.kernel.org/r/20210202070938.7863-1-jgross@suse.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c7559fe4df16c31d1126ba74e6c79bd6f4917f20
Author: Jozsef Kadlecsik <kadlec@mail.kfki.hu>
Date:   Fri Jan 29 20:57:43 2021 +0100

    netfilter: xt_recent: Fix attempt to update deleted entry
    
    [ Upstream commit b1bdde33b72366da20d10770ab7a49fe87b5e190 ]
    
    When both --reap and --update flag are specified, there's a code
    path at which the entry to be updated is reaped beforehand,
    which then leads to kernel crash. Reap only entries which won't be
    updated.
    
    Fixes kernel bugzilla #207773.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=207773
    Reported-by: Reindl Harald <h.reindl@thelounge.net>
    Fixes: 0079c5aee348 ("netfilter: xt_recent: add an entry reaper")
    Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 766107351731ae223ebf60ca22bdfeb47ce6acc8
Author: Bui Quang Minh <minhquangbui99@gmail.com>
Date:   Wed Jan 27 06:36:53 2021 +0000

    bpf: Check for integer overflow when using roundup_pow_of_two()
    
    [ Upstream commit 6183f4d3a0a2ad230511987c6c362ca43ec0055f ]
    
    On 32-bit architecture, roundup_pow_of_two() can return 0 when the argument
    has upper most bit set due to resulting 1UL << 32. Add a check for this case.
    
    Fixes: d5a3b1f69186 ("bpf: introduce BPF_MAP_TYPE_STACK_TRACE")
    Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20210127063653.3576-1-minhquangbui99@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>
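
The 32-bit wraparound described in the commit message above, as an added user-space model (not code from the commit or the kernel). roundup_pow_of_two32() and the two bucket-sizing helpers are constructed names; the 32-bit unsigned long is modelled with uint32_t, the out-of-range shift is modelled as the 0 the message reports, and the -E2BIG return is an assumption about how a caller might reject the request.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of rounding up to a power of two when unsigned long is 32 bits:
 * the result is 1 << (number of significant bits in n - 1). For n above
 * 2^31 that shift count is 32, which does not fit; it is modelled here
 * as the 0 result described in the commit message.
 */
static uint32_t roundup_pow_of_two32(uint32_t n)
{
    uint32_t v = n - 1;
    unsigned int bits = 0;

    while (v) {
        bits++;
        v >>= 1;
    }
    return bits >= 32 ? 0 : (uint32_t)1 << bits;
}

/* Unchecked sizing: a huge request silently becomes a zero bucket count. */
static int64_t buckets_unchecked(uint32_t max_entries)
{
    return roundup_pow_of_two32(max_entries);
}

/* Checked sizing: reject the request when the rounded count wrapped to 0. */
static int64_t buckets_checked(uint32_t max_entries)
{
    uint32_t n = roundup_pow_of_two32(max_entries);

    if (n == 0)
        return -E2BIG;
    return n;
}

int main(void)
{
    /* Constructed sample requests, including both sides of 2^31. */
    const uint32_t requests[] = { 1000, 0x80000000u, 0x80000001u, 0xffffffffu };
    size_t i;

    for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        uint32_t n = roundup_pow_of_two32(requests[i]);

        /* With n == 0 the table has no slots, yet n - 1 masks nothing off. */
        printf("max_entries=0x%08x buckets=0x%08x mask=0x%08x checked=%lld\n",
               (unsigned int)requests[i], (unsigned int)n,
               (unsigned int)(n - 1), (long long)buckets_checked(requests[i]));
    }
    return 0;
}
```

Note that 0x80000000 itself is still representable; only requests strictly above 2^31 wrap to 0.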

commit 6c8acb4ef560bba93bbbf1459b74f16a7a34e511
Author: Roman Gushchin <guro@fb.com>
Date:   Thu Feb 4 18:32:36 2021 -0800

    memblock: do not start bottom-up allocations with kernel_end
    
    [ Upstream commit 2dcb3964544177c51853a210b6ad400de78ef17d ]
    
    With kaslr the kernel image is placed at a random place, so starting the
    bottom-up allocation with the kernel_end can result in an allocation
    failure and a warning like this one:
    
      hugetlb_cma: reserve 2048 MiB, up to 2048 MiB per node
      ------------[ cut here ]------------
      memblock: bottom-up allocation failed, memory hotremove may be affected
      WARNING: CPU: 0 PID: 0 at mm/memblock.c:332 memblock_find_in_range_node+0x178/0x25a
      Modules linked in:
      CPU: 0 PID: 0 Comm: swapper Not tainted 5.10.0+ #1169
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
      RIP: 0010:memblock_find_in_range_node+0x178/0x25a
      Code: e9 6d ff ff ff 48 85 c0 0f 85 da 00 00 00 80 3d 9b 35 df 00 00 75 15 48 c7 c7 c0 75 59 88 c6 05 8b 35 df 00 01 e8 25 8a fa ff <0f> 0b 48 c7 44 24 20 ff ff ff ff 44 89 e6 44 89 ea 48 c7 c1 70 5c
      RSP: 0000:ffffffff88803d18 EFLAGS: 00010086 ORIG_RAX: 0000000000000000
      RAX: 0000000000000000 RBX: 0000000240000000 RCX: 00000000ffffdfff
      RDX: 00000000ffffdfff RSI: 00000000ffffffea RDI: 0000000000000046
      RBP: 0000000100000000 R08: ffffffff88922788 R09: 0000000000009ffb
      R10: 00000000ffffe000 R11: 3fffffffffffffff R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000080000000 R15: 00000001fb42c000
      FS:  0000000000000000(0000) GS:ffffffff88f71000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffa080fb401000 CR3: 00000001fa80a000 CR4: 00000000000406b0
      Call Trace:
        memblock_alloc_range_nid+0x8d/0x11e
        cma_declare_contiguous_nid+0x2c4/0x38c
        hugetlb_cma_reserve+0xdc/0x128
        flush_tlb_one_kernel+0xc/0x20
        native_set_fixmap+0x82/0xd0
        flat_get_apic_id+0x5/0x10
        register_lapic_address+0x8e/0x97
        setup_arch+0x8a5/0xc3f
        start_kernel+0x66/0x547
        load_ucode_bsp+0x4c/0xcd
        secondary_startup_64_no_verify+0xb0/0xbb
      random: get_random_bytes called from __warn+0xab/0x110 with crng_init=0
      ---[ end trace f151227d0b39be70 ]---
    
    At the same time, the kernel image is protected with memblock_reserve(),
    so we can just start searching at PAGE_SIZE.  In this case the bottom-up
    allocation has the same chance of success as a top-down allocation, so
    there is no reason to fall back in the case of a failure.  Altogether it
    simplifies the logic.
    
    Link: https://lkml.kernel.org/r/20201217201214.3414100-2-guro@fb.com
    Fixes: 8fabc623238e ("powerpc: Ensure that swiotlb buffer is allocated from low memory")
    Signed-off-by: Roman Gushchin <guro@fb.com>
    Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: Rik van Riel <riel@surriel.com>
    Cc: Wonhyuk Yang <vvghjk1234@gmail.com>
    Cc: Thiago Jung Bauermann <bauerman@linux.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b71cc506778eb283b752400e234784ee86b5891c
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Fri Jan 29 10:19:07 2021 +0000

    ARM: ensure the signal page contains defined contents
    
    [ Upstream commit 9c698bff66ab4914bb3d71da7dc6112519bde23e ]
    
    Ensure that the signal page contains our poison instruction to increase
    the protection against ROP attacks and also contains well defined
    contents.
    
    Acked-by: Will Deacon <will@kernel.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5cbab23d70faea73d8fd372413e9135b0c1caf13
Author: Alexandre Belloni <alexandre.belloni@bootlin.com>
Date:   Wed Feb 3 10:03:20 2021 +0100

    ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL
    
    [ Upstream commit 5638159f6d93b99ec9743ac7f65563fca3cf413d ]
    
    This reverts commit c17e9377aa81664d94b4f2102559fcf2a01ec8e7.
    
    The lpc32xx clock driver is not able to actually change the PLL rate as
    this would require reparenting ARM_CLK, DDRAM_CLK, PERIPH_CLK to SYSCLK,
    then stop the PLL, update the register, restart the PLL and wait for the
    PLL to lock and finally reparent ARM_CLK, DDRAM_CLK, PERIPH_CLK to HCLK
    PLL.
    
    Currently, the HCLK driver simply updates the registers but this has no
    real effect and all the clock rate calculations end up being wrong. This is
    especially annoying for the peripherals (e.g. UARTs, I2C, SPI).
    
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Tested-by: Gregory CLEMENT <gregory.clement@bootlin.com>
    Link: https://lore.kernel.org/r/20210203090320.GA3760268@piout.net'
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4dfce60487d6594612b9269e878d722522496198
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Sat Dec 19 12:16:08 2020 +0200

    ovl: skip getxattr of security labels
    
    [ Upstream commit 03fedf93593c82538b18476d8c4f0e8f8435ea70 ]
    
    When inode has no listxattr op of its own (e.g. squashfs) vfs_listxattr
    calls the LSM inode_listsecurity hooks to list the xattrs that LSMs will
    intercept in inode_getxattr hooks.
    
    When selinux LSM is installed but not initialized, it will list the
    security.selinux xattr in inode_listsecurity, but will not intercept it
    in inode_getxattr.  This results in -ENODATA for a getxattr call for an
    xattr returned by listxattr.
    
    This situation was manifested as overlayfs failure to copy up lower
    files from squashfs when selinux is built-in but not initialized,
    because ovl_copy_xattr() iterates the lower inode xattrs by
    vfs_listxattr() and vfs_getxattr().
    
    ovl_copy_xattr() skips copy up of security labels that are identified by
    inode_copy_up_xattr LSM hooks, but it does that after vfs_getxattr().
    Since we are not going to copy them, skip vfs_getxattr() of the security
    labels.
    
    Reported-by: Michael Labriola <michael.d.labriola@gmail.com>
    Tested-by: Michael Labriola <michael.d.labriola@gmail.com>
    Link: https://lore.kernel.org/linux-unionfs/2nv9d47zt7.fsf@aldarion.sourceruckus.org/
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 83515cf735cc53fb7030703c2a1881fe4a98f2a0
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Thu Jan 28 10:22:48 2021 +0100

    cap: fix conversions on getxattr
    
    [ Upstream commit f2b00be488730522d0fb7a8a5de663febdcefe0a ]
    
    If a capability is stored on disk in v2 format cap_inode_getsecurity() will
    currently return in v2 format unconditionally.
    
    This is wrong: v2 cap should be equivalent to a v3 cap with zero rootid,
    and so the same conversions performed on it.
    
    If the rootid cannot be mapped, v3 is returned unconverted.  Fix this so
    that both v2 and v3 return -EOVERFLOW if the rootid (or the owner of the fs
    user namespace in case of v2) cannot be mapped into the current user
    namespace.
    
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7b6887b4d09af91f1a8cd905b627ce7f1408071c
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Thu Jan 28 10:22:48 2021 +0100

    ovl: perform vfs_getxattr() with mounter creds
    
    [ Upstream commit 554677b97257b0b69378bd74e521edb7e94769ff ]
    
    The vfs_getxattr() in ovl_xattr_set() is used to check whether an xattr
    exists on a lower layer file that is to be removed.  If the xattr does not
    exist, then no need to copy up the file.
    
    This call of vfs_getxattr() wasn't wrapped in credential override, and this
    is probably okay.  But for consistency wrap this instance as well.
    
    Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a9313a5cacaa2fc9c230d614b4c3011fbc3f6fbd
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Wed Jan 20 13:49:41 2021 +0100

    platform/x86: hp-wmi: Disable tablet-mode reporting by default
    
    [ Upstream commit 67fbe02a5cebc3c653610f12e3c0424e58450153 ]
    
    Recently userspace has started making more use of SW_TABLET_MODE
    (when an input-dev reports this).
    
    Specifically recent GNOME3 versions will:
    
    1.  When SW_TABLET_MODE is reported and is reporting 0:
    1.1 Disable accelerometer-based screen auto-rotation
    1.2 Disable automatically showing the on-screen keyboard when a
        text-input field is focussed
    
    2.  When SW_TABLET_MODE is reported and is reporting 1:
    2.1 Ignore input-events from the builtin keyboard and touchpad
        (this is for 360° hinges style 2-in-1s where the keyboard and
         touchpads are accessible on the back of the tablet when folded
         into tablet-mode)
    
    This means that claiming to support SW_TABLET_MODE when it does not
    actually work / reports correct values has bad side-effects.
    
    The check in the hp-wmi code which is used to decide if the input-dev
    should claim SW_TABLET_MODE support, only checks if the
    HPWMI_HARDWARE_QUERY is supported. It does *not* check if the hardware
    actually is capable of reporting SW_TABLET_MODE.
    
    This leads to the hp-wmi input-dev claiming SW_TABLET_MODE support,
    while in reality it will always report 0 as SW_TABLET_MODE value.
    This has been seen on a "HP ENVY x360 Convertible 15-cp0xxx" and
    this likely is the case on a whole lot of other HP models.
    
    This problem causes both auto-rotation and on-screen keyboard
    support to not work on affected x360 models.
    
    There is no easy fix for this, but since userspace expects
    SW_TABLET_MODE reporting to be reliable when advertised it is
    better to not claim/report SW_TABLET_MODE support at all, than
    to claim to support it while it does not work.
    
    To avoid the mentioned problems, add a new enable_tablet_mode_sw
    module-parameter which defaults to false.
    
    Note I've made this an int using the standard -1=auto, 0=off, 1=on
    triplet, with the hope that in the future we can come up with a
    better way to detect SW_TABLET_MODE support. ATM the default
    auto option just does the same as off.
    
    BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1918255
    Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Acked-by: Mark Gross <mgross@linux.intel.com>
    Link: https://lore.kernel.org/r/20210120124941.73409-1-hdegoede@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9b66feaab4926529d0a7b8d477df209b416b29a7
Author: Marc Zyngier <maz@kernel.org>
Date:   Sat Aug 15 13:51:12 2020 +0100

    arm64: dts: rockchip: Fix PCIe DT properties on rk3399
    
    [ Upstream commit 43f20b1c6140896916f4e91aacc166830a7ba849 ]
    
    It recently became apparent that the lack of a 'device_type = "pci"'
    in the PCIe root complex node for rk3399 is a violation of the PCI
    binding, as documented in IEEE Std 1275-1994. Changes to the kernel's
    parsing of the DT made such violation fatal, as drivers cannot
    probe the controller anymore.
    
    Adding the missing property makes the PCIe node compliant. While we
    are at it, drop the pointless linux,pci-domain property, which only
    makes sense when there are multiple host bridges.
    
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20200815125112.462652-3-maz@kernel.org
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5c780be5180bc49a66b8640da604661d4c83a559
Author: Jaedon Shin <jaedon.shin@gmail.com>
Date:   Tue Feb 6 12:13:21 2018 +0900

    MIPS: BMIPS: Fix section mismatch warning
    
    commit 627f4a2bdf113ab88abc65cb505c89cbf615eae0 upstream.
    
    Remove the __init annotation from bmips_cpu_setup() to avoid the
    following warning.
    
    WARNING: vmlinux.o(.text+0x35c950): Section mismatch in reference from the function brcmstb_pm_s3() to the function .init.text:bmips_cpu_setup()
    The function brcmstb_pm_s3() references
    the function __init bmips_cpu_setup().
    This is often because brcmstb_pm_s3 lacks a __init
    annotation or the annotation of bmips_cpu_setup is wrong.
    
    Signed-off-by: Jaedon Shin <jaedon.shin@gmail.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Florian Fainelli <f.fainelli@gmail.com>
    Cc: Kevin Cernekee <cernekee@gmail.com>
    Cc: linux-mips@linux-mips.org
    Reviewed-by: James Hogan <jhogan@kernel.org>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Patchwork: https://patchwork.linux-mips.org/patch/18589/
    Signed-off-by: James Hogan <jhogan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11c2ecc5753c086df827f3bd2d755181a5eb2b73
Author: Julien Grall <jgrall@amazon.com>
Date:   Wed Feb 10 17:06:54 2021 +0000

    arm/xen: Don't probe xenbus as part of an early initcall
    
    commit c4295ab0b485b8bc50d2264bcae2acd06f25caaf upstream.
    
    After commit 3499ba8198cad ("xen: Fix event channel callback via
    INTX/GSI"), xenbus_probe() will be called too early on Arm. This will
    result in a guest hang during boot.
    
    If the hang wasn't there, we would have ended up calling
    xenbus_probe() twice (the second time is in xenbus_probe_initcall()).
    
    We don't need to initialize xenbus_probe() early for Arm guest.
    Therefore, the call in xen_guest_init() is now removed.
    
    After this change, there is no more external caller for xenbus_probe().
    So the function is turned to a static one. Interestingly there were two
    prototypes for it.
    
    Cc: stable@vger.kernel.org
    Fixes: 3499ba8198cad ("xen: Fix event channel callback via INTX/GSI")
    Reported-by: Ian Jackson <iwj@xenproject.org>
    Signed-off-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
    Link: https://lore.kernel.org/r/20210210170654.5377-1-julien@xen.org
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e46d433754420b4d6513ca389403de88a0910279
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Wed Feb 10 11:53:22 2021 -0500

    tracing: Check length before giving out the filter buffer
    
    commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf upstream.
    
    When filters are used by trace events, a page is allocated on each CPU and
    used to copy the trace event fields to this page before writing to the ring
    buffer. The reason to use the filter and not write directly into the ring
    buffer is because a filter may discard the event and there's more overhead
    on discarding from the ring buffer than the extra copy.
    
    The problem here is that there is no check against the size being allocated
    when using this page. If an event asks for more than a page size while being
    filtered, it will get only a page, leading to the caller writing more than
    what was allocated.
    
    Check the length of the request, and if it is more than PAGE_SIZE minus the
    header default back to allocating from the ring buffer directly. The ring
    buffer may reject the event if it's too big anyway, but it won't overflow.
    
    Link: https://lore.kernel.org/ath10k/1612839593-2308-1-git-send-email-wgong@codeaurora.org/
    
    Cc: stable@vger.kernel.org
    Fixes: 0fc1b09ff1ff4 ("tracing: Use temp buffer when filtering events")
    Reported-by: Wen Gong <wgong@codeaurora.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c6cb6af4665e6241ce2d201386fb93e4200d79f7
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Fri Feb 5 15:40:04 2021 -0500

    tracing: Do not count ftrace events in top level enable output
    
    commit 256cfdd6fdf70c6fcf0f7c8ddb0ebd73ce8f3bc9 upstream.
    
    The file /sys/kernel/tracing/events/enable is used to enable all events by
    echoing in "1", or disabling all events when echoing in "0". To know if all
    events are enabled, disabled, or some are enabled but not all of them,
    cating the file should show either "1" (all enabled), "0" (all disabled), or
    "X" (some enabled but not all of them). This works the same as the "enable"
    files in the individual system directories (like tracing/events/sched/enable).
    
    But when all events are enabled, the top level "enable" file shows "X". The
    reason is that it's checking the "ftrace" events, which are special events
    that only exist for their format files. These include the format for the
    function tracer events, that are enabled when the function tracer is
    enabled, but not by the "enable" file. The check includes these events,
    which will always be disabled, and even though all true events are enabled,
    the top level "enable" file will show "X" instead of "1".
    
    To fix this, have the check test the event's flags to see if it has the
    "IGNORE_ENABLE" flag set, and if so, not test it.
    
    Cc: stable@vger.kernel.org
    Fixes: 553552ce1796c ("tracing: Combine event filter_active and enable into single flags field")
    Reported-by: "Yordan Karadzhov (VMware)" <y.karadz@gmail.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ff49cace7b8cf00d27665f7536a863d406963d06
Author: Phillip Lougher <phillip@squashfs.org.uk>
Date:   Tue Feb 9 13:42:00 2021 -0800

    squashfs: add more sanity checks in xattr id lookup
    
    commit 506220d2ba21791314af569211ffd8870b8208fa upstream.
    
    Sysbot has reported a warning where a kmalloc() attempt exceeds the
    maximum limit.  This has been identified as corruption of the xattr_ids
    count when reading the xattr id lookup table.
    
    This patch adds a number of additional sanity checks to detect this
    corruption and others.
    
    1. It checks for a corrupted xattr index read from the inode.  This could
       be because the metadata block is uncompressed, or because the
       "compression" bit has been corrupted (turning a compressed block
       into an uncompressed block).  This would cause an out of bounds read.
    
    2. It checks against corruption of the xattr_ids count.  This can either
       lead to the above kmalloc failure, or a smaller than expected
       table to be read.
    
    3. It checks the contents of the index table for corruption.
    
    [phillip@squashfs.org.uk: fix checkpatch issue]
      Link: https://lkml.kernel.org/r/270245655.754655.1612770082682@webmail.123-reg.co.uk
    
    Link: https://lkml.kernel.org/r/20210204130249.4495-5-phillip@squashfs.org.uk
    Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
    Reported-by: syzbot+2ccea6339d368360800d@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 69396cfd7908dee7a833068bcc2d7122ce9264f9
Author: Phillip Lougher <phillip@squashfs.org.uk>
Date:   Tue Feb 9 13:41:56 2021 -0800

    squashfs: add more sanity checks in inode lookup
    
    commit eabac19e40c095543def79cb6ffeb3a8588aaff4 upstream.
    
    Sysbot has reported an "slab-out-of-bounds read" error which has been
    identified as being caused by a corrupted "ino_num" value read from the
    inode.  This could be because the metadata block is uncompressed, or
    because the "compression" bit has been corrupted (turning a compressed
    block into an uncompressed block).
    
    This patch adds additional sanity checks to detect this, and the
    following corruption.
    
    1. It checks against corruption of the inodes count.  This can either
       lead to a larger table to be read, or a smaller than expected
       table to be read.
    
       In the case of a too large inodes count, this would often have been
       trapped by the existing sanity checks, but this patch introduces
       a more exact check, which can identify too small values.
    
    2. It checks the contents of the index table for corruption.
    
    [phillip@squashfs.org.uk: fix checkpatch issue]
      Link: https://lkml.kernel.org/r/527909353.754618.1612769948607@webmail.123-reg.co.uk
    
    Link: https://lkml.kernel.org/r/20210204130249.4495-4-phillip@squashfs.org.uk
    Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
    Reported-by: syzbot+04419e3ff19d2970ea28@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d9ca7e328ef7a0625f50e3033bda4666c783133
Author: Phillip Lougher <phillip@squashfs.org.uk>
Date:   Tue Feb 9 13:41:53 2021 -0800

    squashfs: add more sanity checks in id lookup
    
    commit f37aa4c7366e23f91b81d00bafd6a7ab54e4a381 upstream.
    
    Sysbot has reported a number of "slab-out-of-bounds reads" and
    "use-after-free read" errors which have been identified as being caused
    by a corrupted index value read from the inode.  This could be because
    the metadata block is uncompressed, or because the "compression" bit has
    been corrupted (turning a compressed block into an uncompressed block).
    
    This patch adds additional sanity checks to detect this, and the
    following corruption.
    
    1. It checks against corruption of the ids count.  This can either
       lead to a larger table to be read, or a smaller than expected
       table to be read.
    
       In the case of a too large ids count, this would often have been
       trapped by the existing sanity checks, but this patch introduces
       a more exact check, which can identify too small values.
    
    2. It checks the contents of the index table for corruption.
    
    Link: https://lkml.kernel.org/r/20210204130249.4495-3-phillip@squashfs.org.uk
    Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
    Reported-by: syzbot+b06d57ba83f604522af2@syzkaller.appspotmail.com
    Reported-by: syzbot+c021ba012da41ee9807c@syzkaller.appspotmail.com
    Reported-by: syzbot+5024636e8b5fd19f0f19@syzkaller.appspotmail.com
    Reported-by: syzbot+bcbc661df46657d0fa4f@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d24cf6d0d72a871f7fc6d96970bd4745ec59ac77
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Jan 30 22:11:04 2020 -0800

    memcg: fix a crash in wb_workfn when a device disappears
    
    [ Upstream commit 68f23b89067fdf187763e75a56087550624fdbee ]
    
    Without memcg, there is a one-to-one mapping between the bdi and
    bdi_writeback structures.  In this world, things are fairly
    straightforward; the first thing bdi_unregister() does is to shutdown
    the bdi_writeback structure (or wb), and part of that writeback ensures
    that no other work is queued against the wb, and that the wb is fully
    drained.
    
    With memcg, however, there is a one-to-many relationship between the bdi
    and bdi_writeback structures; that is, there are multiple wb objects
    which can all point to a single bdi.  There is a refcount which prevents
    the bdi object from being released (and hence, unregistered).  So in
    theory, the bdi_unregister() *should* only get called once its refcount
    goes to zero (bdi_put will drop the refcount, and when it is zero,
    release_bdi gets called, which calls bdi_unregister).
    
    Unfortunately, del_gendisk() in block/gen_hd.c never got the memo about
    the Brave New memcg World, and calls bdi_unregister directly.  It does
    this without informing the file system, or the memcg code, or anything
    else.  This causes the root wb associated with the bdi to be
    unregistered, but none of the memcg-specific wb's are shut down.  So when
    one of these wb's are woken up to do delayed work, they try to
    dereference their wb->bdi->dev to fetch the device name, but
    unfortunately bdi->dev is now NULL, thanks to the bdi_unregister()
    called by del_gendisk().  As a result, *boom*.
    
    Fortunately, it looks like the rest of the writeback path is perfectly
    happy with bdi->dev and bdi->owner being NULL, so the simplest fix is to
    create a bdi_dev_name() function which can handle bdi->dev being NULL.
    This also allows us to bulletproof the writeback tracepoints to prevent
    them from dereferencing a NULL pointer and crashing the kernel if one is
    tracing with memcg's enabled, and an iSCSI device dies or a USB storage
    stick is pulled.
    
    The most common way of triggering this will be hotremoval of a device
    while writeback with memcg enabled is going on.  It was triggering
    several times a day in a heavily loaded production environment.
    
    Google Bug Id: 145475544
    
    Link: https://lore.kernel.org/r/20191227194829.150110-1-tytso@mit.edu
    Link: http://lkml.kernel.org/r/20191228005211.163952-1-tytso@mit.edu
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: Chris Mason <clm@fb.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fe4c89150d9b2fbfb013c35f4ffc1f8d93d33cca
Author: Qian Cai <cai@lca.pw>
Date:   Wed Sep 25 16:46:16 2019 -0700

    include/trace/events/writeback.h: fix -Wstringop-truncation warnings
    
    [ Upstream commit d1a445d3b86c9341ce7a0954c23be0edb5c9bec5 ]
    
    There are many of those warnings.
    
    In file included from ./arch/powerpc/include/asm/paca.h:15,
                     from ./arch/powerpc/include/asm/current.h:13,
                     from ./include/linux/thread_info.h:21,
                     from ./include/asm-generic/preempt.h:5,
                     from ./arch/powerpc/include/generated/asm/preempt.h:1,
                     from ./include/linux/preempt.h:78,
                     from ./include/linux/spinlock.h:51,
                     from fs/fs-writeback.c:19:
    In function 'strncpy',
        inlined from 'perf_trace_writeback_page_template' at
    ./include/trace/events/writeback.h:56:1:
    ./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified
    bound 32 equals destination size [-Wstringop-truncation]
      return __builtin_strncpy(p, q, size);
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Fix it by using the new strscpy_pad() which was introduced in "lib/string:
    Add strscpy_pad() function" and will always be NUL-terminated instead of
    strncpy().  Also, change strlcpy() to use strscpy_pad() in this file for
    consistency.
    
    Link: http://lkml.kernel.org/r/1564075099-27750-1-git-send-email-cai@lca.pw
    Fixes: 455b2864686d ("writeback: Initial tracing support")
    Fixes: 028c2dd184c0 ("writeback: Add tracing to balance_dirty_pages")
    Fixes: e84d0a4f8e39 ("writeback: trace event writeback_queue_io")
    Fixes: b48c104d2211 ("writeback: trace event bdi_dirty_ratelimit")
    Fixes: cc1676d917f3 ("writeback: Move requeueing when I_SYNC set to writeback_sb_inodes()")
    Fixes: 9fb0a7da0c52 ("writeback: add more tracepoints")
    Signed-off-by: Qian Cai <cai@lca.pw>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Cc: Tobin C. Harding <tobin@kernel.org>
    Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: Dave Chinner <dchinner@redhat.com>
    Cc: Fengguang Wu <fengguang.wu@intel.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Joe Perches <joe@perches.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Jann Horn <jannh@google.com>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Nitin Gote <nitin.r.gote@intel.com>
    Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
    Cc: Stephen Kitt <steve@sk2.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fe072e50be403fc52c426c15073b8c38ce301416
Author: Tobin C. Harding <tobin@kernel.org>
Date:   Fri Apr 5 12:58:58 2019 +1100

    lib/string: Add strscpy_pad() function
    
    [ Upstream commit 458a3bf82df4fe1f951d0f52b1e0c1e9d5a88a3b ]
    
    We have a function to copy strings safely and we have a function to copy
    strings and zero the tail of the destination (if source string is
    shorter than destination buffer) but we do not have a function to do
    both at once.  This means developers must write this themselves if they
    desire this functionality.  This is a chore, and also leaves us open to
    off by one errors unnecessarily.
    
    Add a function that calls strscpy() then memset()s the tail to zero if
    the source string is shorter than the destination buffer.
    
    Acked-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Tobin C. Harding <tobin@kernel.org>
    Signed-off-by: Shuah Khan <shuah@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
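
Added example, not the kernel's lib/string.c: a user-space model of the three copy behaviours discussed in this commit and in the -Wstringop-truncation commit above it, run over a 32-byte name field that still holds stale bytes. `model_strscpy`, `model_strscpy_pad`, `fill_name` and the sample names are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32 /* destination size quoted in the compiler warning */

/* Constructed sample inputs. */
static const char LONG_NAME[] = "constructed-device-name-longer-than-32-bytes";
static const char SHORT_NAME[] = "sda";

/* Model of strscpy(): always NUL-terminates, -E2BIG on truncation. */
static long model_strscpy(char *dest, const char *src, size_t size)
{
    size_t i;

    if (size == 0)
        return -E2BIG;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dest[i] = src[i];
    dest[i] = '\0';
    return src[i] != '\0' ? -E2BIG : (long)i;
}

/* Model of strscpy_pad(): strscpy(), then zero the unused tail. */
static long model_strscpy_pad(char *dest, const char *src, size_t size)
{
    long written = model_strscpy(dest, src, size);

    if (written < 0 || (size_t)written == size - 1)
        return written; /* truncated or exact fit: no tail to clear */
    memset(dest + written + 1, 0, size - (size_t)written - 1);
    return written;
}

/* 1 if the buffer contains a NUL anywhere within its size. */
static int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Count non-zero bytes left behind after the terminating NUL. */
static size_t stale_after_nul(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);
    size_t i, stale = 0;

    if (nul == NULL)
        return 0; /* unterminated: nothing lies "after" the string */
    for (i = (size_t)(nul - buf) + 1; i < size; i++)
        if (buf[i] != 0)
            stale++;
    return stale;
}

enum copier { USE_STRNCPY, USE_STRSCPY, USE_STRSCPY_PAD };

/* Fill a NAME_LEN buffer that still holds bytes from an earlier use. */
static void fill_name(char *buf, const char *src, enum copier how)
{
    memset(buf, 0xAA, NAME_LEN);
    switch (how) {
    case USE_STRNCPY:
        strncpy(buf, src, NAME_LEN); /* bound equals destination size */
        break;
    case USE_STRSCPY:
        model_strscpy(buf, src, NAME_LEN);
        break;
    case USE_STRSCPY_PAD:
        model_strscpy_pad(buf, src, NAME_LEN);
        break;
    }
}

int main(void)
{
    static const char *const label[] = { "strncpy", "strscpy", "strscpy_pad" };
    const char *const inputs[] = { LONG_NAME, SHORT_NAME };
    char buf[NAME_LEN];
    int how;
    size_t i;

    for (i = 0; i < 2; i++)
        for (how = USE_STRNCPY; how <= USE_STRSCPY_PAD; how++) {
            fill_name(buf, inputs[i], (enum copier)how);
            printf("%-11s src_len=%2zu terminated=%d stale_tail=%zu\n",
                   label[how], strlen(inputs[i]),
                   is_terminated(buf, NAME_LEN),
                   stale_after_nul(buf, NAME_LEN));
        }
    return 0;
}
```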

commit 8019d7074d061d6511ca33fcb40f0b1a67ab4279
Author: Dave Wysochanski <dwysocha@redhat.com>
Date:   Thu Jan 21 16:17:24 2021 -0500

    SUNRPC: Handle 0 length opaque XDR object data properly
    
    [ Upstream commit e4a7d1f7707eb44fd953a31dd59eff82009d879c ]
    
    When handling an auth_gss downcall, it's possible to get a 0-length
    opaque object for the acceptor.  In the case of a 0-length XDR
    object, make sure simple_get_netobj() fills in dest->data = NULL,
    and does not continue to kmemdup() which will set
    dest->data = ZERO_SIZE_PTR for the acceptor.
    
    The trace event code can handle NULL but not ZERO_SIZE_PTR for a
    string, and so without this patch the rpcgss_context trace event
    will crash the kernel as follows:
    
    [  162.887992] BUG: kernel NULL pointer dereference, address: 0000000000000010
    [  162.898693] #PF: supervisor read access in kernel mode
    [  162.900830] #PF: error_code(0x0000) - not-present page
    [  162.902940] PGD 0 P4D 0
    [  162.904027] Oops: 0000 [#1] SMP PTI
    [  162.905493] CPU: 4 PID: 4321 Comm: rpc.gssd Kdump: loaded Not tainted 5.10.0 #133
    [  162.908548] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    [  162.910978] RIP: 0010:strlen+0x0/0x20
    [  162.912505] Code: 48 89 f9 74 09 48 83 c1 01 80 39 00 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee c3 0f 1f 80 00 00 00 00 <80> 3f 00 74 10 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 31
    [  162.920101] RSP: 0018:ffffaec900c77d90 EFLAGS: 00010202
    [  162.922263] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffde697
    [  162.925158] RDX: 000000000000002f RSI: 0000000000000080 RDI: 0000000000000010
    [  162.928073] RBP: 0000000000000010 R08: 0000000000000e10 R09: 0000000000000000
    [  162.930976] R10: ffff8e698a590cb8 R11: 0000000000000001 R12: 0000000000000e10
    [  162.933883] R13: 00000000fffde697 R14: 000000010034d517 R15: 0000000000070028
    [  162.936777] FS:  00007f1e1eb93700(0000) GS:ffff8e6ab7d00000(0000) knlGS:0000000000000000
    [  162.940067] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  162.942417] CR2: 0000000000000010 CR3: 0000000104eba000 CR4: 00000000000406e0
    [  162.945300] Call Trace:
    [  162.946428]  trace_event_raw_event_rpcgss_context+0x84/0x140 [auth_rpcgss]
    [  162.949308]  ? __kmalloc_track_caller+0x35/0x5a0
    [  162.951224]  ? gss_pipe_downcall+0x3a3/0x6a0 [auth_rpcgss]
    [  162.953484]  gss_pipe_downcall+0x585/0x6a0 [auth_rpcgss]
    [  162.955953]  rpc_pipe_write+0x58/0x70 [sunrpc]
    [  162.957849]  vfs_write+0xcb/0x2c0
    [  162.959264]  ksys_write+0x68/0xe0
    [  162.960706]  do_syscall_64+0x33/0x40
    [  162.962238]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  162.964346] RIP: 0033:0x7f1e1f1e57df
    
    Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
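
The zero-length case described in the commit message above, as a userspace model added here for illustration (not the kernel's code). ZERO_SIZE_PTR is ((void *)16) in the kernel, which is the faulting address 0x10 in the oops; model_kmemdup(), get_netobj(), the fixed flag and null_check_passes() are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ZERO_SIZE_PTR ((void *)16)   /* kernel's result for a 0-byte allocation */
struct netobj { unsigned int len; void *data; };   /* stand-in for xdr_netobj */

/* Userspace stand-in for kmemdup(): a 0-byte request yields ZERO_SIZE_PTR. */
static void *model_kmemdup(const void *src, size_t len)
{
	void *p = len ? malloc(len) : ZERO_SIZE_PTR;
	if (len && p)
		memcpy(p, src, len);
	return p;
}

/* Parse one length-prefixed object from [p, end); returns bytes consumed or
 * -errno. fixed == 0 models the helper before the patch. */
static long get_netobj(const unsigned char *p, const unsigned char *end,
		       struct netobj *dest, int fixed)
{
	unsigned int len;
	if ((size_t)(end - p) < sizeof(len))
		return -EFAULT;
	memcpy(&len, p, sizeof(len));
	p += sizeof(len);
	if ((size_t)(end - p) < len)
		return -EFAULT;                 /* length overruns the message */
	dest->data = (len || !fixed) ? model_kmemdup(p, len) : NULL;
	if (len && !dest->data)
		return -ENOMEM;
	dest->len = len;
	return (long)(sizeof(len) + len);
}

/* A consumer that only guards against NULL, like the trace event's string. */
static int null_check_passes(const struct netobj *o) { return o->data != NULL; }

int main(void)
{
	unsigned char msg[sizeof(unsigned int)] = {0};   /* constructed: length 0 */
	struct netobj o;
	get_netobj(msg, msg + sizeof(msg), &o, 0);
	printf("unpatched data=%p deref=%d\n", o.data, null_check_passes(&o));
	get_netobj(msg, msg + sizeof(msg), &o, 1);
	printf("patched   data=%p deref=%d\n", o.data, null_check_passes(&o));
	return 0;
}
```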

commit 29160df8096f77be81fd96beb61355b0f5bb6bad
Author: Dave Wysochanski <dwysocha@redhat.com>
Date:   Thu Jan 21 16:17:23 2021 -0500

    SUNRPC: Move simple_get_bytes and simple_get_netobj into private header
    
    [ Upstream commit ba6dfce47c4d002d96cd02a304132fca76981172 ]
    
    Remove duplicated helper functions to parse opaque XDR objects
    and place inside new file net/sunrpc/auth_gss/auth_gss_internal.h.
    In the new file carry the license and copyright from the source file
    net/sunrpc/auth_gss/auth_gss.c.  Finally, update the comment inside
    include/linux/sunrpc/xdr.h since lockd is not the only user of
    struct xdr_netobj.
    
    Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0dc0b337599fc06d0fb0ea6fa9de504edbb48b07
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Jan 22 14:52:41 2021 +0200

    iwlwifi: mvm: guard against device removal in reprobe
    
    [ Upstream commit 7a21b1d4a728a483f07c638ccd8610d4b4f12684 ]
    
    If we get into a problem severe enough to attempt a reprobe,
    we schedule a worker to do that. However, if the problem gets
    more severe and the device is actually destroyed before this
    worker has a chance to run, we use a free device. Bump up the
    reference count of the device until the worker runs to avoid
    this situation.
    
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/iwlwifi.20210122144849.871f0892e4b2.I94819e11afd68d875f3e242b98bef724b8236f1e@changeid
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4728105ccfa99a0f29ce05b4e4abeba7adeaae01
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Fri Jan 15 13:05:55 2021 +0200

    iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap
    
    [ Upstream commit 98c7d21f957b10d9c07a3a60a3a5a8f326a197e5 ]
    
    I hit a NULL pointer exception in this function when the
    init flow went really bad.
    
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/iwlwifi.20210115130252.2e8da9f2c132.I0234d4b8ddaf70aaa5028a20c863255e05bc1f84@changeid
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 82835d76d7c3084ac33001d8d73d33c21a9c14bf
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Jan 15 13:05:48 2021 +0200

    iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time()
    
    [ Upstream commit 5c56d862c749669d45c256f581eac4244be00d4d ]
    
    We need to take the mutex to call iwl_mvm_get_sync_time(), do it.
    
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/iwlwifi.20210115130252.4bb5ccf881a6.I62973cbb081e80aa5b0447a5c3b9c3251a65cf6b@changeid
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2efbcd80850e58de8477a6ed977029897f7bba2a
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Thu Jan 21 17:11:42 2021 -0500

    pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process()
    
    [ Upstream commit 08bd8dbe88825760e953759d7ec212903a026c75 ]
    
    If the server returns a new stateid that does not match the one in our
    cache, then try to return the one we hold instead of just invalidating
    it on the client side. This ensures that both client and server will
    agree that the stateid is invalid.
    
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1ca96f32c3c544e7b8e5481ded540be221ace350
Author: Cong Wang <cong.wang@bytedance.com>
Date:   Sat Dec 26 16:50:20 2020 -0800

    af_key: relax availability checks for skb size calculation
    
    [ Upstream commit afbc293add6466f8f3f0c3d944d85f53709c170f ]
    
    xfrm_probe_algs() probes kernel crypto modules and changes the
    availability of struct xfrm_algo_desc. But there is a small window
    where ealg->available and aalg->available get changed between
    count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs(),
    in this case we may allocate a smaller skb but later put a larger
    amount of data and trigger the panic in skb_put().
    
    Fix this by relaxing the checks when counting the size, that is,
    skipping the test of ->available. We may waste some memory for a few
    of sizeof(struct sadb_comb), but it is still much better than a panic.
    
    Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Cong Wang <cong.wang@bytedance.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
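
The count-then-fill window described in the commit message above, replayed deterministically as an added illustration (not the af_key code). struct alg, struct comb, count_combs(), dump_combs() and replay() are hypothetical stand-ins, and the algorithm table is constructed.

```c
#include <stdio.h>
struct alg { int id; int available; };   /* stand-in for struct xfrm_algo_desc */
struct comb { int alg_id; };             /* stand-in for struct sadb_comb */

/* Sizing pass: how many entries to allocate. relaxed == 1 ignores ->available. */
static size_t count_combs(const struct alg *a, size_t n, int relaxed)
{
	size_t i, cnt = 0;
	for (i = 0; i < n; i++)
		cnt += (relaxed || a[i].available);
	return cnt;
}

/* Fill pass: emits every available entry. Returns entries written, or -1 at
 * the point where the kernel's skb_put() would have panicked. */
static long dump_combs(const struct alg *a, size_t n, struct comb *out, size_t room)
{
	size_t i, used = 0;
	for (i = 0; i < n; i++) {
		if (!a[i].available)
			continue;
		if (used == room)
			return -1;
		out[used++].alg_id = a[i].id;
	}
	return (long)used;
}

/* Replay the window: size, optionally flip one algorithm to available, fill. */
static long replay(int relaxed, int probe_runs, size_t *room)
{
	struct alg algs[] = { {1, 1}, {2, 0}, {3, 1} };   /* constructed table */
	struct comb out[3];
	*room = count_combs(algs, 3, relaxed);
	if (probe_runs)
		algs[1].available = 1;   /* models xfrm_probe_algs() in between */
	return dump_combs(algs, 3, out, *room);
}

int main(void)
{
	size_t room;
	long used = replay(0, 1, &room);
	printf("strict count: room=%zu used=%ld\n", room, used);
	used = replay(1, 1, &room);
	printf("relaxed count: room=%zu used=%ld\n", room, used);
	return 0;
}
```

When the probe does not run, the relaxed count leaves one slot unused, which is the memory cost the commit message accepts.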

commit a4dfa805d0b641701caceb8680cc2b816c45dd2b
Author: Sibi Sankar <sibis@codeaurora.org>
Date:   Thu Jul 23 01:40:45 2020 +0530

    remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
    
    commit e013f455d95add874f310dc47c608e8c70692ae5 upstream
    
    The following mem abort is observed when the mba firmware size exceeds
    the allocated mba region. MBA firmware size is restricted to a maximum
    size of 1M and remaining memory region is used by modem debug policy
    firmware when available. Hence verify whether the MBA firmware size lies
    within the allocated memory region and is not greater than 1M before
    loading.
    
    Err Logs:
    Unable to handle kernel paging request at virtual address
    Mem abort info:
    ...
    Call trace:
      __memcpy+0x110/0x180
      rproc_start+0x40/0x218
      rproc_boot+0x5b4/0x608
      state_store+0x54/0xf8
      dev_attr_store+0x44/0x60
      sysfs_kf_write+0x58/0x80
      kernfs_fop_write+0x140/0x230
      vfs_write+0xc4/0x208
      ksys_write+0x74/0xf8
      __arm64_sys_write+0x24/0x30
    ...
    
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
    Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    [sudip: manual backport to old file path]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5de4af51fea838f05da5eea221f43ca1fbaa3be0
Author: Sibi Sankar <sibis@codeaurora.org>
Date:   Thu Jul 23 01:40:46 2020 +0530

    remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
    
    commit 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 upstream
    
    The following mem abort is observed when one of the modem blob firmware
    size exceeds the allocated mpss region. Fix this by restricting the copy
    size to segment size using request_firmware_into_buf before load.
    
    Err Logs:
    Unable to handle kernel paging request at virtual address
    Mem abort info:
    ...
    Call trace:
      __memcpy+0x110/0x180
      rproc_start+0xd0/0x190
      rproc_boot+0x404/0x550
      state_store+0x54/0xf8
      dev_attr_store+0x44/0x60
      sysfs_kf_write+0x58/0x80
      kernfs_fop_write+0x140/0x230
      vfs_write+0xc4/0x208
      ksys_write+0x74/0xf8
    ...
    
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
    Link: https://lore.kernel.org/r/20200722201047.12975-3-sibis@codeaurora.org
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    [sudip: manual backport to old file path]
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7ffd979613681d33dc9f71becd817cfd54734103
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Fri Jan 29 10:13:53 2021 -0500

    fgraph: Initialize tracing_graph_pause at task creation
    
    commit 7e0a9220467dbcfdc5bc62825724f3e52e50ab31 upstream.
    
    On some archs, the idle task can call into cpu_suspend(). The cpu_suspend()
    will disable or pause function graph tracing, as there are some paths in
    bringing down the CPU that can have issues with its return address being
    modified. The task_struct structure has a "tracing_graph_pause" atomic
    counter, that when set to something other than zero, the function graph
    tracer will not modify the return address.
    
    The problem is that the tracing_graph_pause counter is initialized when the
    function graph tracer is enabled. This can corrupt the counter for the idle
    task if it is suspended in these architectures.
    
       CPU 1                                CPU 2
       -----                                -----
      do_idle()
        cpu_suspend()
          pause_graph_tracing()
              task_struct->tracing_graph_pause++ (0 -> 1)
    
                                    start_graph_tracing()
                                      for_each_online_cpu(cpu) {
                                        ftrace_graph_init_idle_task(cpu)
                                          task_struct->tracing_graph_pause = 0 (1 -> 0)
    
          unpause_graph_tracing()
              task_struct->tracing_graph_pause-- (0 -> -1)
    
    The above should have gone from 1 to zero, and enabled function graph
    tracing again. But instead, it is set to -1, which keeps it disabled.
    
    There's no reason that the field tracing_graph_pause on the task_struct
    cannot be initialized at boot up.
    
    Cc: stable@vger.kernel.org
    Fixes: 380c4b1411ccd ("tracing/function-graph-tracer: append the tracing_graph_flag")
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=211339
    Reported-by: pierre.gondois@arm.com
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>