commit ac3af4beac439ebccd17746c9f2fd227e88107aa
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Mar 17 16:43:52 2021 +0100

    Linux 4.19.181
    
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Jason Self <jason@bluehome.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Link: https://lore.kernel.org/r/20210315135740.245494252@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d8887e85efca1e5d90e3d31281ee9c3b1028ffdc
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Mar 15 09:22:38 2021 +0100

    xen/events: avoid handling the same event on two cpus at the same time
    
    commit b6622798bc50b625a1e62f82c7190df40c1f5b21 upstream.
    
    When changing the cpu affinity of an event it can happen today that
    (with some unlucky timing) the same event will be handled on the old
    and the new cpu at the same time.
    
    Avoid that by adding an "event active" flag to the per-event data and
    call the handler only if this flag isn't set.
    
    Cc: stable@vger.kernel.org
    Reported-by: Julien Grall <julien@xen.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Link: https://lore.kernel.org/r/20210306161833.4552-4-jgross@suse.com
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3a19f808cb2bc8d0320c3ba5ec4ba525b3d6640c
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Mar 15 09:22:37 2021 +0100

    xen/events: don't unmask an event channel when an eoi is pending
    
    commit 25da4618af240fbec6112401498301a6f2bc9702 upstream.
    
    An event channel should be kept masked when an eoi is pending for it.
    When being migrated to another cpu it might be unmasked, though.
    
    In order to avoid this keep three different flags for each event channel
    to be able to distinguish "normal" masking/unmasking from eoi related
    masking/unmasking and temporary masking. The event channel should only
    be able to generate an interrupt if all flags are cleared.
    
    Cc: stable@vger.kernel.org
    Fixes: 54c9de89895e ("xen/events: add a new "late EOI" evtchn framework")
    Reported-by: Julien Grall <julien@xen.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Link: https://lore.kernel.org/r/20210306161833.4552-3-jgross@suse.com
    
    [boris -- corrected Fixed tag format]
    
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a6a76d7234cc283e6527b4afaf91a4cb261b13c1
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Mar 15 09:22:37 2021 +0100

    xen/events: reset affinity of 2-level event when tearing it down
    
    commit 9e77d96b8e2724ed00380189f7b0ded61113b39f upstream.
    
    When creating a new event channel with 2-level events the affinity
    needs to be reset initially in order to avoid using an old affinity
    from earlier usage of the event channel port. So when tearing an event
    channel down reset all affinity bits.
    
    The same applies to the affinity when onlining a vcpu: all old
    affinity settings for this vcpu must be reset. As percpu events get
    initialized before the percpu event channel hook is called,
    resetting of the affinities happens after offlining a vcpu (this is
    working, as initial percpu memory is zeroed out).
    
    Cc: stable@vger.kernel.org
    Reported-by: Julien Grall <julien@xen.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Link: https://lore.kernel.org/r/20210306161833.4552-2-jgross@suse.com
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5c603b65ab5625cb4c11feb690a761f688b40f13
Author: Marc Zyngier <maz@kernel.org>
Date:   Mon Mar 15 11:08:33 2021 +0000

    KVM: arm64: Fix exclusive limit for IPA size
    
    Commit 262b003d059c6671601a19057e9fe1a5e7f23722 upstream.
    
    When registering a memslot, we check the size and location of that
    memslot against the IPA size to ensure that we can provide guest
    access to the whole of the memory.
    
    Unfortunately, this check rejects memslot that end-up at the exact
    limit of the addressing capability for a given IPA size. For example,
    it refuses the creation of a 2GB memslot at 0x8000000 with a 32bit
    IPA space.
    
    Fix it by relaxing the check to accept a memslot reaching the
    limit of the IPA space.
    
    Fixes: c3058d5da222 ("arm/arm64: KVM: Ensure memslots are within KVM_PHYS_SIZE")
    Reviewed-by: Eric Auger <eric.auger@redhat.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Cc: stable@vger.kernel.org # 4.4, 4.9, 4.14, 4.19
    Reviewed-by: Andrew Jones <drjones@redhat.com>
    Link: https://lore.kernel.org/r/20210311100016.3830038-3-maz@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 01625d81a25883aede7a6ef8df0f0f17425915aa
Author: Boyang Yu <byu@arista.com>
Date:   Fri Jun 28 19:06:36 2019 +0000

    hwmon: (lm90) Fix max6658 sporadic wrong temperature reading
    
    commit 62456189f3292c62f87aef363f204886dc1d4b48 upstream.
    
    max6658 may report unrealistically high temperature during
    the driver initialization, for which, its overtemp alarm pin
    also gets asserted. For certain devices implementing overtemp
    protection based on that pin, it may further trigger a reset to
    the device. By reproducing the problem, the wrong reading is
    found to be coincident with changing the conversion rate.
    
    To mitigate this issue, set the stop bit before changing the
    conversion rate and unset it thereafter. After such change, the
    wrong reading is not reproduced. Apply this change only to the
    max6657 kind for now, controlled by flag LM90_PAUSE_ON_CONFIG.
    
    Signed-off-by: Boyang Yu <byu@arista.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Cc: Paul Menzel <pmenzel@molgen.mpg.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 01e91de2cd0edb6fb3b223c9df43247682bbdb2b
Author: Josh Poimboeuf <jpoimboe@redhat.com>
Date:   Fri Feb 5 08:24:02 2021 -0600

    x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2
    
    commit e504e74cc3a2c092b05577ce3e8e013fae7d94e6 upstream.
    
    KASAN reserves "redzone" areas between stack frames in order to detect
    stack overruns.  A read or write to such an area triggers a KASAN
    "stack-out-of-bounds" BUG.
    
    Normally, the ORC unwinder stays in-bounds and doesn't access the
    redzone.  But sometimes it can't find ORC metadata for a given
    instruction.  This can happen for code which is missing ORC metadata, or
    for generated code.  In such cases, the unwinder attempts to fall back
    to frame pointers, as a best-effort type thing.
    
    This fallback often works, but when it doesn't, the unwinder can get
    confused and go off into the weeds into the KASAN redzone, triggering
    the aforementioned KASAN BUG.
    
    But in this case, the unwinder's confusion is actually harmless and
    working as designed.  It already has checks in place to prevent
    off-stack accesses, but those checks get short-circuited by the KASAN
    BUG.  And a BUG is a lot more disruptive than a harmless unwinder
    warning.
    
    Disable the KASAN checks by using READ_ONCE_NOCHECK() for all stack
    accesses.  This finishes the job started by commit 881125bfe65b
    ("x86/unwind: Disable KASAN checking in the ORC unwinder"), which only
    partially fixed the issue.
    
    Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
    Reported-by: Ivan Babrou <ivan@cloudflare.com>
    Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Tested-by: Ivan Babrou <ivan@cloudflare.com>
    Cc: stable@kernel.org
    Link: https://lkml.kernel.org/r/9583327904ebbbeda399eca9c56d6c7085ac20fe.1612534649.git.jpoimboe@redhat.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3fe116e33a855bbfdd32dc207e9be2a41e3ed3a6
Author: Lior Ribak <liorribak@gmail.com>
Date:   Fri Mar 12 21:07:41 2021 -0800

    binfmt_misc: fix possible deadlock in bm_register_write
    
    commit e7850f4d844e0acfac7e570af611d89deade3146 upstream.
    
    There is a deadlock in bm_register_write:
    
    First, in the begining of the function, a lock is taken on the binfmt_misc
    root inode with inode_lock(d_inode(root)).
    
    Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call
    open_exec on the user-provided interpreter.
    
    open_exec will call a path lookup, and if the path lookup process includes
    the root of binfmt_misc, it will try to take a shared lock on its inode
    again, but it is already locked, and the code will get stuck in a deadlock
    
    To reproduce the bug:
    $ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register
    
    backtrace of where the lock occurs (#5):
    0  schedule () at ./arch/x86/include/asm/current.h:15
    1  0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=<optimized out>, state=state@entry=2) at kernel/locking/rwsem.c:992
    2  0xffffffff81b5150a in __down_read_common (state=2, sem=<optimized out>) at kernel/locking/rwsem.c:1213
    3  __down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1222
    4  down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1355
    5  0xffffffff811ee22a in inode_lock_shared (inode=<optimized out>) at ./include/linux/fs.h:783
    6  open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177
    7  path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366
    8  0xffffffff811efe1c in do_filp_open (dfd=<optimized out>, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396
    9  0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=<optimized out>, flags@entry=0) at fs/exec.c:913
    10 0xffffffff811e4a92 in open_exec (name=<optimized out>) at fs/exec.c:948
    11 0xffffffff8124aa84 in bm_register_write (file=<optimized out>, buffer=<optimized out>, count=19, ppos=<optimized out>) at fs/binfmt_misc.c:682
    12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF
    ", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603
    13 0xffffffff811defda in ksys_write (fd=<optimized out>, buf=0xa758d0 ":iiiii:E::ii::i:CF
    ", count=19) at fs/read_write.c:658
    14 0xffffffff81b49813 in do_syscall_64 (nr=<optimized out>, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46
    15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120
    
    To solve the issue, the open_exec call is moved to before the write
    lock is taken by bm_register_write
    
    Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com
    Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers")
    Signed-off-by: Lior Ribak <liorribak@gmail.com>
    Acked-by: Helge Deller <deller@gmx.de>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0df0c1bb5f18f8101bdbdf7dbba780192fa2bba5
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Mar 4 07:34:11 2021 +0530

    powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
    
    commit cea15316ceee2d4a51dfdecd79e08a438135416c upstream.
    
    'lis r2,N' is 'addis r2,0,N' and the instruction encoding in the macro
    LIS_R2 is incorrect (it currently maps to 'addis r0,r2,N'). Fix the
    same.
    
    Fixes: c71b7eff426f ("powerpc: Add ABIv2 support to ppc_function_entry")
    Cc: stable@vger.kernel.org # v3.16+
    Reported-by: Jiri Olsa <jolsa@redhat.com>
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Acked-by: Segher Boessenkool <segher@kernel.crashing.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20210304020411.16796-1-naveen.n.rao@linux.vnet.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5bd7642bd62805a91f5e90d4af8b5465515273f5
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date:   Fri Mar 12 21:08:03 2021 -0800

    include/linux/sched/mm.h: use rcu_dereference in in_vfork()
    
    [ Upstream commit 149fc787353f65b7e72e05e7b75d34863266c3e2 ]
    
    Fix a sparse warning by using rcu_dereference().  Technically this is a
    bug and a sufficiently aggressive compiler could reload the `real_parent'
    pointer outside the protection of the rcu lock (and access freed memory),
    but I think it's pretty unlikely to happen.
    
    Link: https://lkml.kernel.org/r/20210221194207.1351703-1-willy@infradead.org
    Fixes: b18dc5f291c0 ("mm, oom: skip vforked tasks from being selected")
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
    Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 25d754fa5df92c732ff24e78e5452580cb4db767
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Fri Mar 12 21:07:04 2021 -0800

    stop_machine: mark helpers __always_inline
    
    [ Upstream commit cbf78d85079cee662c45749ef4f744d41be85d48 ]
    
    With clang-13, some functions only get partially inlined, with a
    specialized version referring to a global variable.  This triggers a
    harmless build-time check for the intel-rng driver:
    
    WARNING: modpost: drivers/char/hw_random/intel-rng.o(.text+0xe): Section mismatch in reference from the function stop_machine() to the function .init.text:intel_rng_hw_init()
    The function stop_machine() references
    the function __init intel_rng_hw_init().
    This is often because stop_machine lacks a __init
    annotation or the annotation of intel_rng_hw_init is wrong.
    
    In this instance, an easy workaround is to force the stop_machine()
    function to be inline, along with related interfaces that did not show the
    same behavior at the moment, but theoretically could.
    
    The combination of the two patches listed below triggers the behavior in
    clang-13, but individually these commits are correct.
    
    Link: https://lkml.kernel.org/r/20210225130153.1956990-1-arnd@kernel.org
    Fixes: fe5595c07400 ("stop_machine: Provide stop_machine_cpuslocked()")
    Fixes: ee527cd3a20c ("Use stop_machine_run in the Intel RNG driver")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Nathan Chancellor <nathan@kernel.org>
    Cc: Nick Desaulniers <ndesaulniers@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Cc: "Paul E. McKenney" <paulmck@kernel.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Valentin Schneider <valentin.schneider@arm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit eda5858d4867f1681b42e8b13e5eac3fba29e915
Author: Anna-Maria Behnsen <anna-maria@linutronix.de>
Date:   Tue Feb 23 17:02:40 2021 +0100

    hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event()
    
    [ Upstream commit 46eb1701c046cc18c032fa68f3c8ccbf24483ee4 ]
    
    hrtimer_force_reprogram() and hrtimer_interrupt() invokes
    __hrtimer_get_next_event() to find the earliest expiry time of hrtimer
    bases. __hrtimer_get_next_event() does not update
    cpu_base::[softirq_]_expires_next to preserve reprogramming logic. That
    needs to be done at the callsites.
    
    hrtimer_force_reprogram() updates cpu_base::softirq_expires_next only when
    the first expiring timer is a softirq timer and the soft interrupt is not
    activated. That's wrong because cpu_base::softirq_expires_next is left
    stale when the first expiring timer of all bases is a timer which expires
    in hard interrupt context. hrtimer_interrupt() does never update
    cpu_base::softirq_expires_next which is wrong too.
    
    That becomes a problem when clock_settime() sets CLOCK_REALTIME forward and
    the first soft expiring timer is in the CLOCK_REALTIME_SOFT base. Setting
    CLOCK_REALTIME forward moves the clock MONOTONIC based expiry time of that
    timer before the stale cpu_base::softirq_expires_next.
    
    cpu_base::softirq_expires_next is cached to make the check for raising the
    soft interrupt fast. In the above case the soft interrupt won't be raised
    until clock monotonic reaches the stale cpu_base::softirq_expires_next
    value. That's incorrect, but what's worse it that if the softirq timer
    becomes the first expiring timer of all clock bases after the hard expiry
    timer has been handled the reprogramming of the clockevent from
    hrtimer_interrupt() will result in an interrupt storm. That happens because
    the reprogramming does not use cpu_base::softirq_expires_next, it uses
    __hrtimer_get_next_event() which returns the actual expiry time. Once clock
    MONOTONIC reaches cpu_base::softirq_expires_next the soft interrupt is
    raised and the storm subsides.
    
    Change the logic in hrtimer_force_reprogram() to evaluate the soft and hard
    bases seperately, update softirq_expires_next and handle the case when a
    soft expiring timer is the first of all bases by comparing the expiry times
    and updating the required cpu base fields. Split this functionality into a
    separate function to be able to use it in hrtimer_interrupt() as well
    without copy paste.
    
    Fixes: 5da70160462e ("hrtimer: Implement support for softirq based hrtimers")
    Reported-by: Mikael Beckius <mikael.beckius@windriver.com>
    Suggested-by: Thomas Gleixner <tglx@linutronix.de>
    Tested-by: Mikael Beckius <mikael.beckius@windriver.com>
    Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Link: https://lore.kernel.org/r/20210223160240.27518-1-anna-maria@linutronix.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9123463620132ada85caf5dc664b168f480b0cc4
Author: Daiyue Zhang <zhangdaiyue1@huawei.com>
Date:   Mon Mar 1 14:10:53 2021 +0800

    configfs: fix a use-after-free in __configfs_open_file
    
    [ Upstream commit 14fbbc8297728e880070f7b077b3301a8c698ef9 ]
    
    Commit b0841eefd969 ("configfs: provide exclusion between IO and removals")
    uses ->frag_dead to mark the fragment state, thus no bothering with extra
    refcount on config_item when opening a file. The configfs_get_config_item
    was removed in __configfs_open_file, but not with config_item_put. So the
    refcount on config_item will lost its balance, causing use-after-free
    issues in some occasions like this:
    
    Test:
    1. Mount configfs on /config with read-only items:
    drwxrwx--- 289 root   root            0 2021-04-01 11:55 /config
    drwxr-xr-x   2 root   root            0 2021-04-01 11:54 /config/a
    --w--w--w-   1 root   root         4096 2021-04-01 11:53 /config/a/1.txt
    ......
    
    2. Then run:
    for file in /config
    do
    echo $file
    grep -R 'key' $file
    done
    
    3. __configfs_open_file will be called in parallel, the first one
    got called will do:
    if (file->f_mode & FMODE_READ) {
            if (!(inode->i_mode & S_IRUGO))
                    goto out_put_module;
                            config_item_put(buffer->item);
                                    kref_put()
                                            package_details_release()
                                                    kfree()
    
    the other one will run into use-after-free issues like this:
    BUG: KASAN: use-after-free in __configfs_open_file+0x1bc/0x3b0
    Read of size 8 at addr fffffff155f02480 by task grep/13096
    CPU: 0 PID: 13096 Comm: grep VIP: 00 Tainted: G        W       4.14.116-kasan #1
    TGID: 13096 Comm: grep
    Call trace:
    dump_stack+0x118/0x160
    kasan_report+0x22c/0x294
    __asan_load8+0x80/0x88
    __configfs_open_file+0x1bc/0x3b0
    configfs_open_file+0x28/0x34
    do_dentry_open+0x2cc/0x5c0
    vfs_open+0x80/0xe0
    path_openat+0xd8c/0x2988
    do_filp_open+0x1c4/0x2fc
    do_sys_open+0x23c/0x404
    SyS_openat+0x38/0x48
    
    Allocated by task 2138:
    kasan_kmalloc+0xe0/0x1ac
    kmem_cache_alloc_trace+0x334/0x394
    packages_make_item+0x4c/0x180
    configfs_mkdir+0x358/0x740
    vfs_mkdir2+0x1bc/0x2e8
    SyS_mkdirat+0x154/0x23c
    el0_svc_naked+0x34/0x38
    
    Freed by task 13096:
    kasan_slab_free+0xb8/0x194
    kfree+0x13c/0x910
    package_details_release+0x524/0x56c
    kref_put+0xc4/0x104
    config_item_put+0x24/0x34
    __configfs_open_file+0x35c/0x3b0
    configfs_open_file+0x28/0x34
    do_dentry_open+0x2cc/0x5c0
    vfs_open+0x80/0xe0
    path_openat+0xd8c/0x2988
    do_filp_open+0x1c4/0x2fc
    do_sys_open+0x23c/0x404
    SyS_openat+0x38/0x48
    el0_svc_naked+0x34/0x38
    
    To fix this issue, remove the config_item_put in
    __configfs_open_file to balance the refcount of config_item.
    
    Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals")
    Signed-off-by: Daiyue Zhang <zhangdaiyue1@huawei.com>
    Signed-off-by: Yi Chen <chenyi77@huawei.com>
    Signed-off-by: Ge Qiu <qiuge@huawei.com>
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 868090ae2673a9a374c44a06107aacd524f47564
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Date:   Tue Mar 9 19:30:17 2021 -0800

    block: rsxx: fix error return code of rsxx_pci_probe()
    
    [ Upstream commit df66617bfe87487190a60783d26175b65d2502ce ]
    
    When create_singlethread_workqueue returns NULL to card->event_wq, no
    error return code of rsxx_pci_probe() is assigned.
    
    To fix this bug, st is assigned with -ENOMEM in this case.
    
    Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver")
    Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
    Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
    Link: https://lore.kernel.org/r/20210310033017.4023-1-baijiaju1990@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2a71011eb68eaf5de554c4080e8d74b2572783b0
Author: Ondrej Mosnacek <omosnace@redhat.com>
Date:   Fri Jan 15 18:43:56 2021 +0100

    NFSv4.2: fix return value of _nfs4_get_security_label()
    
    [ Upstream commit 53cb245454df5b13d7063162afd7a785aed6ebf2 ]
    
    An xattr 'get' handler is expected to return the length of the value on
    success, yet _nfs4_get_security_label() (and consequently also
    nfs4_xattr_get_nfs4_label(), which is used as an xattr handler) returns
    just 0 on success.
    
    Fix this by returning label.len instead, which contains the length of
    the result.
    
    Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
    Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
    Reviewed-by: James Morris <jamorris@linux.microsoft.com>
    Reviewed-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c6eff7384dff326ee7cb790aac6e3e81da5d0802
Author: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Date:   Sun Feb 28 23:26:34 2021 +0300

    sh_eth: fix TRSCER mask for R7S72100
    
    [ Upstream commit 75be7fb7f978202c4c3a1a713af4485afb2ff5f6 ]
    
    According  to  the RZ/A1H Group, RZ/A1M Group User's Manual: Hardware,
    Rev. 4.00, the TRSCER register has bit 9 reserved, hence we can't use
    the driver's default TRSCER mask.  Add the explicit initializer for
    sh_eth_cpu_data::trscer_err_mask for R7S72100.
    
    Fixes: db893473d313 ("sh_eth: Add support for r7s72100")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 098831d9b0590a65cf2ae0b857ccdb1358511894
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:50 2021 +0000

    staging: comedi: pcl818: Fix endian problem for AI command data
    
    commit 148e34fd33d53740642db523724226de14ee5281 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    parameter.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the parameter
    holding the sample value to `unsigned short`.
    
    [Note: the bug was introduced in commit edf4537bcbf5 ("staging: comedi:
    pcl818: use comedi_buf_write_samples()") but the patch applies better to
    commit d615416de615 ("staging: comedi: pcl818: introduce
    pcl818_ai_write_sample()").]
    
    Fixes: d615416de615 ("staging: comedi: pcl818: introduce pcl818_ai_write_sample()")
    Cc: <stable@vger.kernel.org> # 4.0+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-10-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0551ab36507249af02a2fe509bc115ad02c640c9
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:49 2021 +0000

    staging: comedi: pcl711: Fix endian problem for AI command data
    
    commit a084303a645896e834883f2c5170d044410dfdb3 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: 1f44c034de2e ("staging: comedi: pcl711: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-9-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 34d39386b842504b7d9ce43d0c92213aa56e410d
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:48 2021 +0000

    staging: comedi: me4000: Fix endian problem for AI command data
    
    commit b39dfcced399d31e7c4b7341693b18e01c8f655e upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the calls to
    `comedi_buf_write_samples()` are passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: de88924f67d1 ("staging: comedi: me4000: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-8-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9a1b8987877a9811396fe5d61002ebe70643d39e
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:47 2021 +0000

    staging: comedi: dmm32at: Fix endian problem for AI command data
    
    commit 54999c0d94b3c26625f896f8e3460bc029821578 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    [Note: the bug was introduced in commit 1700529b24cc ("staging: comedi:
    dmm32at: use comedi_buf_write_samples()") but the patch applies better
    to the later (but in the same kernel release) commit 0c0eadadcbe6e
    ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()").]
    
    Fixes: 0c0eadadcbe6e ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-7-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 33859dbeb97a9ab63a3ba5e881df60be69323a72
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:46 2021 +0000

    staging: comedi: das800: Fix endian problem for AI command data
    
    commit 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: ad9eb43c93d8 ("staging: comedi: das800: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-6-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d079c097128d3d1bd0c6925a2be3207547d013aa
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:45 2021 +0000

    staging: comedi: das6402: Fix endian problem for AI command data
    
    commit 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: d1d24cb65ee3 ("staging: comedi: das6402: read analog input samples in interrupt handler")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-5-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e83788603af8d1d274c8b8e797bdc8b510929f6a
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:44 2021 +0000

    staging: comedi: adv_pci1710: Fix endian problem for AI command data
    
    commit b2e78630f733a76508b53ba680528ca39c890e82 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the calls to
    `comedi_buf_write_samples()` are passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variables
    holding the sample value to `unsigned short`.  The type of the `val`
    parameter of `pci1710_ai_read_sample()` is changed to `unsigned short *`
    accordingly.  The type of the `val` variable in `pci1710_ai_insn_read()`
    is also changed to `unsigned short` since its address is passed to
    `pci1710_ai_read_sample()`.
    
    Fixes: a9c3a015c12f ("staging: comedi: adv_pci1710: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 4.0+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-4-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c5fc0c03d7835d0831e4aff41edcfe6576361290
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:43 2021 +0000

    staging: comedi: addi_apci_1500: Fix endian problem for command sample
    
    commit ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 upstream.
    
    The digital input subdevice supports Comedi asynchronous commands that
    read interrupt status information.  This uses 16-bit Comedi samples (of
    which only the bottom 8 bits contain status information).  However, the
    interrupt handler is calling `comedi_buf_write_samples()` with the
    address of a 32-bit variable `unsigned int status`.  On a bigendian
    machine, this will copy 2 bytes from the wrong end of the variable.  Fix
    it by changing the type of the variable to `unsigned short`.
    
    Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
    Cc: <stable@vger.kernel.org> #4.0+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-3-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 35815df53afce631943c5fd8f83ce042871114b6
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:42 2021 +0000

    staging: comedi: addi_apci_1032: Fix endian problem for COS sample
    
    commit 25317f428a78fde71b2bf3f24d05850f08a73a52 upstream.
    
    The Change-Of-State (COS) subdevice supports Comedi asynchronous
    commands to read 16-bit change-of-state values.  However, the interrupt
    handler is calling `comedi_buf_write_samples()` with the address of a
    32-bit integer `&s->state`.  On bigendian architectures, it will copy 2
    bytes from the wrong end of the 32-bit integer.  Fix it by transferring
    the value via a 16-bit integer.
    
    Fixes: 6bb45f2b0c86 ("staging: comedi: addi_apci_1032: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-2-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 536bdf60889da2b39fadc36aa537135066e83b97
Author: Lee Gibson <leegib@gmail.com>
Date:   Fri Feb 26 14:51:57 2021 +0000

    staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
    
    commit 8687bf9ef9551bcf93897e33364d121667b1aadf upstream.
    
    Function _rtl92e_wx_set_scan calls memcpy without checking the length.
    A user could control that length and trigger a buffer overflow.
    Fix by checking the length is within the maximum allowed size.
    
    Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Lee Gibson <leegib@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1855eec8f4408a963058d43c22db356a93df6c5a
Author: Lee Gibson <leegib@gmail.com>
Date:   Mon Mar 1 13:26:48 2021 +0000

    staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
    
    commit b93c1e3981af19527beee1c10a2bef67a228c48c upstream.
    
    Function r8712_sitesurvey_cmd calls memcpy without checking the length.
    A user could control that length and trigger a buffer overflow.
    Fix by checking the length is within the maximum allowed size.
    
    Signed-off-by: Lee Gibson <leegib@gmail.com>
    Link: https://lore.kernel.org/r/20210301132648.420296-1-leegib@gmail.com
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 85fbf331d57d60cd2fb1115f71cde9a8fd1a34bf
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Mar 2 14:19:39 2021 +0300

    staging: ks7010: prevent buffer overflow in ks_wlan_set_scan()
    
    commit e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 upstream.
    
    The user can specify a "req->essid_len" of up to 255 but if it's
    over IW_ESSID_MAX_SIZE (32) that can lead to memory corruption.
    
    Fixes: 13a9930d15b4 ("staging: ks7010: add driver from Nanonote extra-repository")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YD4fS8+HmM/Qmrw6@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d8e7e2732c40bb68216ce5178bb664faaaab4362
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Mar 5 11:56:32 2021 +0300

    staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
    
    commit d4ac640322b06095128a5c45ba4a1e80929fe7f3 upstream.
    
    The "ie_len" is a value in the 1-255 range that comes from the user.  We
    have to cap it to ensure that it's not too large or it could lead to
    memory corruption.
    
    Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YEHyQCrFZKTXyT7J@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 514cf1f593c0ddeb86b9c923554c076f3651cc6b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Feb 24 11:45:59 2021 +0300

    staging: rtl8712: unterminated string leads to read overflow
    
    commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream.
    
    The memdup_user() function does not necessarily return a NUL terminated
    string so this can lead to a read overflow.  Switch from memdup_user()
    to strndup_user() to fix this bug.
    
    Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eda4378094de16090d74eacea3d8c10f7719ed25
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Mar 5 11:58:03 2021 +0300

    staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
    
    commit 74b6b20df8cfe90ada777d621b54c32e69e27cd7 upstream.
    
    This code has a check to prevent read overflow but it needs another
    check to prevent writing beyond the end of the ->ssid[] array.
    
    Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YEHymwsnHewzoam7@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2b7a58254b73503ad404e615c50de7c728219ca8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Mar 5 11:12:49 2021 +0300

    staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
    
    commit 87107518d7a93fec6cdb2559588862afeee800fb upstream.
    
    We need to cap len at IW_ESSID_MAX_SIZE (32) to avoid memory corruption.
    This can be controlled by the user via the ioctl.
    
    Fixes: 5f53d8ca3d5d ("Staging: add rtl8192SU wireless usb driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YEHoAWMOSZBUw91F@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 293bf7dbc396f74bfdc48e959e267a96282b1f52
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:31 2021 -0700

    usbip: fix vudc usbip_sockfd_store races leading to gpf
    
    commit 46613c9dfa964c0c60b5385dbdf5aaa18be52a9c upstream.
    
    usbip_sockfd_store() is invoked when user requests attach (import)
    detach (unimport) usb gadget device from usbip host. vhci_hcd sends
    import request and usbip_sockfd_store() exports the device if it is
    free for export.
    
    Export and unexport are governed by local state and shared state
    - Shared state (usbip device status, sockfd) - sockfd and Device
      status are used to determine if stub should be brought up or shut
      down. Device status is shared between host and client.
    - Local state (tcp_socket, rx and tx thread task_struct ptrs)
      A valid tcp_socket controls rx and tx thread operations while the
      device is in exported state.
    - While the device is exported, device status is marked used and socket,
      sockfd, and thread pointers are valid.
    
    Export sequence (stub-up) includes validating the socket and creating
    receive (rx) and transmit (tx) threads to talk to the client to provide
    access to the exported device. rx and tx threads depends on local and
    shared state to be correct and in sync.
    
    Unexport (stub-down) sequence shuts the socket down and stops the rx and
    tx threads. Stub-down sequence relies on local and shared states to be
    in sync.
    
    There are races in updating the local and shared status in the current
    stub-up sequence resulting in crashes. These stem from starting rx and
    tx threads before local and global state is updated correctly to be in
    sync.
    
    1. Doesn't handle kthread_create() error and saves invalid ptr in local
       state that drives rx and tx threads.
    2. Updates tcp_socket and sockfd,  starts stub_rx and stub_tx threads
       before updating usbip_device status to SDEV_ST_USED. This opens up a
       race condition between the threads and usbip_sockfd_store() stub up
       and down handling.
    
    Fix the above problems:
    - Stop using kthread_get_run() macro to create/start threads.
    - Create threads and get task struct reference.
    - Add kthread_create() failure handling and bail out.
    - Hold usbip_device lock to update local and shared states after
      creating rx and tx threads.
    - Update usbip_device status to SDEV_ST_USED.
    - Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx
    - Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx,
      and status) is complete.
    
    Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
    kthread_get_run() improper error handling problem and others. This is a
    hard problem to find and debug since the races aren't seen in a normal
    case. Fuzzing forces the race window to be small enough for the
    kthread_get_run() error path bug and starting threads before updating the
    local and shared state bug in the stub-up sequence.
    
    Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+95ce4b142579611ef0a9@syzkaller.appspotmail.com>
    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/b1c08b983ffa185449c9f0f7d1021dc8c8454b60.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit da095f77a04ce63963b89f0815ad8382cf4a3e37
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:30 2021 -0700

    usbip: fix vhci_hcd attach_store() races leading to gpf
    
    commit 718ad9693e3656120064b715fe931f43a6201e67 upstream.
    
    attach_store() is invoked when user requests import (attach) a device
    from usbip host.
    
    Attach and detach are governed by local state and shared state
    - Shared state (usbip device status) - Device status is used to manage
      the attach and detach operations on import-able devices.
    - Local state (tcp_socket, rx and tx thread task_struct ptrs)
      A valid tcp_socket controls rx and tx thread operations while the
      device is in exported state.
    - Device has to be in the right state to be attached and detached.
    
    Attach sequence includes validating the socket and creating receive (rx)
    and transmit (tx) threads to talk to the host to get access to the
    imported device. rx and tx threads depends on local and shared state to
    be correct and in sync.
    
    Detach sequence shuts the socket down and stops the rx and tx threads.
    Detach sequence relies on local and shared states to be in sync.
    
    There are races in updating the local and shared status in the current
    attach sequence resulting in crashes. These stem from starting rx and
    tx threads before local and global state is updated correctly to be in
    sync.
    
    1. Doesn't handle kthread_create() error and saves invalid ptr in local
       state that drives rx and tx threads.
    2. Updates tcp_socket and sockfd,  starts stub_rx and stub_tx threads
       before updating usbip_device status to VDEV_ST_NOTASSIGNED. This opens
       up a race condition between the threads, port connect, and detach
       handling.
    
    Fix the above problems:
    - Stop using kthread_get_run() macro to create/start threads.
    - Create threads and get task struct reference.
    - Add kthread_create() failure handling and bail out.
    - Hold vhci and usbip_device locks to update local and shared states after
      creating rx and tx threads.
    - Update usbip_device status to VDEV_ST_NOTASSIGNED.
    - Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx
    - Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx,
      and status) is complete.
    
    Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
    kthread_get_run() improper error handling problem and others. This is
    hard problem to find and debug since the races aren't seen in a normal
    case. Fuzzing forces the race window to be small enough for the
    kthread_get_run() error path bug and starting threads before updating the
    local and shared state bug in the attach sequence.
    - Update usbip_device tcp_rx and tcp_tx pointers holding vhci and
      usbip_device locks.
    
    Tested with syzbot reproducer:
    - https://syzkaller.appspot.com/text?tag=ReproC&x=14801034d00000
    
    Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+95ce4b142579611ef0a9@syzkaller.appspotmail.com>
    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/bb434bd5d7a64fbec38b5ecfb838a6baef6eb12b.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c6b0ca71d3cd561decd39c1c4132c2d10a496e1a
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:29 2021 -0700

    usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
    
    commit 9380afd6df70e24eacbdbde33afc6a3950965d22 upstream.
    
    usbip_sockfd_store() is invoked when user requests attach (import)
    detach (unimport) usb device from usbip host. vhci_hcd sends import
    request and usbip_sockfd_store() exports the device if it is free
    for export.
    
    Export and unexport are governed by local state and shared state
    - Shared state (usbip device status, sockfd) - sockfd and Device
      status are used to determine if stub should be brought up or shut
      down.
    - Local state (tcp_socket, rx and tx thread task_struct ptrs)
      A valid tcp_socket controls rx and tx thread operations while the
      device is in exported state.
    - While the device is exported, device status is marked used and socket,
      sockfd, and thread pointers are valid.
    
    Export sequence (stub-up) includes validating the socket and creating
    receive (rx) and transmit (tx) threads to talk to the client to provide
    access to the exported device. rx and tx threads depends on local and
    shared state to be correct and in sync.
    
    Unexport (stub-down) sequence shuts the socket down and stops the rx and
    tx threads. Stub-down sequence relies on local and shared states to be
    in sync.
    
    There are races in updating the local and shared status in the current
    stub-up sequence resulting in crashes. These stem from starting rx and
    tx threads before local and global state is updated correctly to be in
    sync.
    
    1. Doesn't handle kthread_create() error and saves invalid ptr in local
       state that drives rx and tx threads.
    2. Updates tcp_socket and sockfd,  starts stub_rx and stub_tx threads
       before updating usbip_device status to SDEV_ST_USED. This opens up a
       race condition between the threads and usbip_sockfd_store() stub up
       and down handling.
    
    Fix the above problems:
    - Stop using kthread_get_run() macro to create/start threads.
    - Create threads and get task struct reference.
    - Add kthread_create() failure handling and bail out.
    - Hold usbip_device lock to update local and shared states after
      creating rx and tx threads.
    - Update usbip_device status to SDEV_ST_USED.
    - Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx
    - Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx,
      and status) is complete.
    
    Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
    kthread_get_run() improper error handling problem and others. This is a
    hard problem to find and debug since the races aren't seen in a normal
    case. Fuzzing forces the race window to be small enough for the
    kthread_get_run() error path bug and starting threads before updating the
    local and shared state bug in the stub-up sequence.
    
    Tested with syzbot reproducer:
    - https://syzkaller.appspot.com/text?tag=ReproC&x=14801034d00000
    
    Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+95ce4b142579611ef0a9@syzkaller.appspotmail.com>
    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/268a0668144d5ff36ec7d87fdfa90faf583b7ccc.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f7586f6536281a87746816442a0201584ff44c54
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:28 2021 -0700

    usbip: fix vudc to check for stream socket
    
    commit 6801854be94fe8819b3894979875ea31482f5658 upstream.
    
    Fix usbip_sockfd_store() to validate the passed in file descriptor is
    a stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
    sock_recvmsg() can't detect end of stream.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/387a670316002324113ac7ea1e8b53f4085d0c95.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 29e44faa84682fdfe34815852dd3480d86f509df
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:27 2021 -0700

    usbip: fix vhci_hcd to check for stream socket
    
    commit f55a0571690c4aae03180e001522538c0927432f upstream.
    
    Fix attach_store() to validate the passed in file descriptor is a
    stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
    sock_recvmsg() can't detect end of stream.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/52712aa308915bda02cece1589e04ee8b401d1f3.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 156be7533d585c30c6fcc1703d27a261f7788e0b
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:26 2021 -0700

    usbip: fix stub_dev to check for stream socket
    
    commit 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 upstream.
    
    Fix usbip_sockfd_store() to validate the passed in file descriptor is
    a stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
    sock_recvmsg() can't detect end of stream.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/e942d2bd03afb8e8552bd2a5d84e18d17670d521.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c354eace997c44cebbc6ba45eb9cfd7404739a97
Author: Sebastian Reichel <sebastian.reichel@collabora.com>
Date:   Tue Feb 23 17:44:18 2021 +0100

    USB: serial: cp210x: add some more GE USB IDs
    
    commit 42213a0190b535093a604945db05a4225bf43885 upstream.
    
    GE CS1000 has some more custom USB IDs for CP2102N; add them
    to the driver to have working auto-probing.
    
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 204afc46bf4b33b4eaa5e2b65028ab6ea6d401e3
Author: Karan Singhal <karan.singhal@acuitybrands.com>
Date:   Tue Feb 16 11:03:10 2021 -0500

    USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter
    
    commit ca667a33207daeaf9c62b106815728718def60ec upstream.
    
    IDs of nLight Air Adapter, Acuity Brands, Inc.:
    vid: 10c4
    pid: 88d8
    
    Signed-off-by: Karan Singhal <karan.singhal@acuitybrands.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 428fb11b1e0f08dbf0da051cd33c0e67d3c19883
Author: Niv Sardi <xaiki@evilgiggle.com>
Date:   Mon Mar 1 17:16:12 2021 -0300

    USB: serial: ch341: add new Product ID
    
    commit 5563b3b6420362c8a1f468ca04afe6d5f0a8d0a3 upstream.
    
    Add PID for CH340 that's found on cheap programmers.
    
    The driver works flawlessly as soon as the new PID (0x9986) is added to it.
    These look like ANU232MI but ship with a ch341 inside. They have no special
    identifiers (mine only has the string "DB9D20130716" printed on the PCB and
    nothing identifiable on the packaging. The merchant i bought it from
    doesn't sell these anymore).
    
    the lsusb -v output is:
    Bus 001 Device 009: ID 9986:7523
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               1.10
      bDeviceClass          255 Vendor Specific Class
      bDeviceSubClass         0
      bDeviceProtocol         0
      bMaxPacketSize0         8
      idVendor           0x9986
      idProduct          0x7523
      bcdDevice            2.54
      iManufacturer           0
      iProduct                0
      iSerial                 0
      bNumConfigurations      1
      Configuration Descriptor:
        bLength                 9
        bDescriptorType         2
        wTotalLength       0x0027
        bNumInterfaces          1
        bConfigurationValue     1
        iConfiguration          0
        bmAttributes         0x80
          (Bus Powered)
        MaxPower               96mA
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        0
          bAlternateSetting       0
          bNumEndpoints           3
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass      1
          bInterfaceProtocol      2
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x82  EP 2 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0020  1x 32 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x02  EP 2 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0020  1x 32 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x81  EP 1 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0008  1x 8 bytes
            bInterval               1
    
    Signed-off-by: Niv Sardi <xaiki@evilgiggle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1d7056fa8b0830225d28857b048e0ad1755e241f
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Tue Mar 2 02:01:52 2021 +0300

    USB: serial: io_edgeport: fix memory leak in edge_startup
    
    commit cfdc67acc785e01a8719eeb7012709d245564701 upstream.
    
    sysbot found memory leak in edge_startup().
    The problem was that when an error was received from the usb_submit_urb(),
    nothing was cleaned up.
    
    Reported-by: syzbot+59f777bdcbdd7eea5305@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
    Cc: stable@vger.kernel.org      # 2.6.21: c5c0c55598ce
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8914e5b739e31e486a2d9f82779c4aefc76b70fd
Author: Forest Crossman <cyrozap@gmail.com>
Date:   Thu Mar 11 13:53:52 2021 +0200

    usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing
    
    commit b71c669ad8390dd1c866298319ff89fe68b45653 upstream.
    
    I've confirmed that both the ASMedia ASM1042A and ASM3242 have the same
    problem as the ASM1142 and ASM2142/ASM3142, where they lose some of the
    upper bits of 64-bit DMA addresses. As with the other chips, this can
    cause problems on systems where the upper bits matter, and adding the
    XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Forest Crossman <cyrozap@gmail.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20210311115353.2137560-4-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 15a9dce0a522d6c879e3d36383e2b69c75755721
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Thu Mar 11 13:53:51 2021 +0200

    xhci: Improve detection of device initiated wake signal.
    
    commit 253f588c70f66184b1f3a9bbb428b49bbda73e80 upstream.
    
    A xHC USB 3 port might miss the first wake signal from a USB 3 device
    if the port LFPS reveiver isn't enabled fast enough after xHC resume.
    
    xHC host will anyway be resumed by a PME# signal, but will go back to
    suspend if no port activity is seen.
    The device resends the U3 LFPS wake signal after a 100ms delay, but
    by then host is already suspended, starting all over from the
    beginning of this issue.
    
    USB 3 specs say U3 wake LFPS signal is sent for max 10ms, then device
    needs to delay 100ms before resending the wake.
    
    Don't suspend immediately if port activity isn't detected in resume.
    Instead add a retry. If there is no port activity then delay for 120ms,
    and re-check for port activity.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20210311115353.2137560-3-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5eb1b1c9b125a7c6743944b0ff8a4f8e5f896022
Author: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Date:   Mon Mar 8 10:55:38 2021 +0900

    usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM
    
    commit b1d25e6ee57c2605845595b6c61340d734253eb3 upstream.
    
    According to the datasheet, this controller has a restriction
    which "set an endpoint number so that combinations of the DIR bit and
    the EPNUM bits do not overlap.". However, since the udc core driver is
    possible to assign a bulk pipe as an interrupt endpoint, an endpoint
    number may not match the pipe number. After that, when user rebinds
    another gadget driver, this driver broke the restriction because
    the driver didn't clear any configuration in usb_ep_disable().
    
    Example:
     # modprobe g_ncm
     Then, EP3 = pipe 3, EP4 = pipe 4, EP5 = pipe 6
     # rmmod g_ncm
     # modprobe g_hid
     Then, EP3 = pipe 6, EP4 = pipe 7.
     So, pipe 3 and pipe 6 are set as EP3.
    
    So, clear PIPECFG register in usbhs_pipe_free().
    
    Fixes: dfb87b8bfe09 ("usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    Link: https://lore.kernel.org/r/1615168538-26101-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4235a6a7c4fc9bc2ccde3f548d5dbc919f81c5ed
Author: Pete Zaitcev <zaitcev@redhat.com>
Date:   Wed Mar 3 22:10:53 2021 -0600

    USB: usblp: fix a hang in poll() if disconnected
    
    commit 9de2c43acf37a17dc4c69ff78bb099b80fb74325 upstream.
    
    Apparently an application that opens a device and calls select()
    on it, will hang if the decice is disconnected. It's a little
    surprising that we had this bug for 15 years, but apparently
    nobody ever uses select() with a printer: only write() and read(),
    and those work fine. Well, you can also select() with a timeout.
    
    The fix is modeled after devio.c. A few other drivers check the
    condition first, then do not add the wait queue in case the
    device is disconnected. We doubt that's completely race-free.
    So, this patch adds the process first, then locks properly
    and checks for the disconnect.
    
    Reviewed-by: Zqiang <qiang.zhang@windriver.com>
    Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210303221053.1cf3313e@suzdal.zaitcev.lan
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d919ff7f2b6b20cff6d95bb12fe3067cb58a88f5
Author: Matthias Kaehlcke <mka@chromium.org>
Date:   Tue Mar 2 10:37:03 2021 -0800

    usb: dwc3: qcom: Honor wakeup enabled/disabled state
    
    commit 2664deb0930643149d61cddbb66ada527ae180bd upstream.
    
    The dwc3-qcom currently enables wakeup interrupts unconditionally
    when suspending, however this should not be done when wakeup is
    disabled (e.g. through the sysfs attribute power/wakeup). Only
    enable wakeup interrupts when device_may_wakeup() returns true.
    
    Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver")
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210302103659.v2.1.I44954d9e1169f2cf5c44e6454d357c75ddfa99a2@changeid
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 90cd1b647bf507cd31d81723593ac3e911fafc33
Author: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Date:   Mon Mar 1 13:49:32 2021 +0200

    usb: gadget: f_uac1: stop playback on function disable
    
    commit cc2ac63d4cf72104e0e7f58bb846121f0f51bb19 upstream.
    
    There is missing playback stop/cleanup in case of
    gadget's ->disable callback that happens on
    events like USB host resetting or gadget disconnection
    
    Fixes: 0591bc236015 ("usb: gadget: add f_uac1 variant based on a new u_audio api")
    Cc: <stable@vger.kernel.org> # 4.13+
    Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
    Link: https://lore.kernel.org/r/1614599375-8803-3-git-send-email-ruslan.bilovol@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 59adc66fc2bf2ea4468f07ea6b7e8c29f1be2eaa
Author: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Date:   Mon Mar 1 13:49:31 2021 +0200

    usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot
    
    commit 789ea77310f0200c84002884ffd628e2baf3ad8a upstream.
    
    As per UAC2 Audio Data Formats spec (2.3.1.1 USB Packets),
    if the sampling rate is a constant, the allowable variation
    of number of audio slots per virtual frame is +/- 1 audio slot.
    
    It means that endpoint should be able to accept/send +1 audio
    slot.
    
    Previous endpoint max_packet_size calculation code
    was adding sometimes +1 audio slot due to DIV_ROUND_UP
    behaviour which was rounding up to closest integer.
    However this doesn't work if the numbers are divisible.
    
    It had no any impact with Linux hosts which ignore
    this issue, but in case of more strict Windows it
    caused rejected enumeration
    
    Thus always add +1 audio slot to endpoint's max packet size
    
    Fixes: 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth")
    Cc: Peter Chen <peter.chen@freescale.com>
    Cc: <stable@vger.kernel.org> #v4.3+
    Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
    Link: https://lore.kernel.org/r/1614599375-8803-2-git-send-email-ruslan.bilovol@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e1ae0a8944c47f731b42a3ad12a2fa007288a979
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Feb 15 15:57:16 2021 +0000

    USB: gadget: u_ether: Fix a configfs return code
    
    commit 650bf52208d804ad5ee449c58102f8dc43175573 upstream.
    
    If the string is invalid, this should return -EINVAL instead of 0.
    
    Fixes: 73517cf49bd4 ("usb: gadget: add RNDIS configfs options for class/subclass/protocol")
    Cc: stable <stable@vger.kernel.org>
    Acked-by: Lorenzo Colitti <lorenzo@google.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Link: https://lore.kernel.org/r/YCqZ3P53yyIg5cn7@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cbee45861fe8046c021faaab3f137cb629e649f9
Author: Yorick de Wid <ydewid@gmail.com>
Date:   Sat Feb 13 15:49:02 2021 +0100

    Goodix Fingerprint device is not a modem
    
    commit 4d8654e81db7346f915eca9f1aff18f385cab621 upstream.
    
    The CDC ACM driver is false matching the Goodix Fingerprint device
    against the USB_CDC_ACM_PROTO_AT_V25TER.
    
    The Goodix Fingerprint device is a biometrics sensor that should be
    handled in user-space. libfprint has some support for Goodix
    fingerprint sensors, although not for this particular one. It is
    possible that the vendor allocates a PID per OEM (Lenovo, Dell etc).
    If this happens to be the case then more devices from the same vendor
    could potentially match the ACM modem module table.
    
    Signed-off-by: Yorick de Wid <ydewid@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210213144901.53199-1-ydewid@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5827d47f7c2b2bf300eac587cc5ff901f03ca599
Author: Frank Li <lznuaa@gmail.com>
Date:   Wed Mar 3 11:42:48 2021 -0600

    mmc: cqhci: Fix random crash when remove mmc module/card
    
    commit f06391c45e83f9a731045deb23df7cc3814fd795 upstream.
    
    [ 6684.493350] Unable to handle kernel paging request at virtual address ffff800011c5b0f0
    [ 6684.498531] mmc0: card 0001 removed
    [ 6684.501556] Mem abort info:
    [ 6684.509681]   ESR = 0x96000047
    [ 6684.512786]   EC = 0x25: DABT (current EL), IL = 32 bits
    [ 6684.518394]   SET = 0, FnV = 0
    [ 6684.521707]   EA = 0, S1PTW = 0
    [ 6684.524998] Data abort info:
    [ 6684.528236]   ISV = 0, ISS = 0x00000047
    [ 6684.532986]   CM = 0, WnR = 1
    [ 6684.536129] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081b22000
    [ 6684.543923] [ffff800011c5b0f0] pgd=00000000bffff003, p4d=00000000bffff003, pud=00000000bfffe003, pmd=00000000900e1003, pte=0000000000000000
    [ 6684.557915] Internal error: Oops: 96000047 [#1] PREEMPT SMP
    [ 6684.564240] Modules linked in: sdhci_esdhc_imx(-) sdhci_pltfm sdhci cqhci mmc_block mmc_core fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine rng_core authenc libdes crct10dif_ce flexcan can_dev caam error [last unloaded: mmc_core]
    [ 6684.587281] CPU: 0 PID: 79138 Comm: kworker/0:3H Not tainted 5.10.9-01410-g3ba33182767b-dirty #10
    [ 6684.596160] Hardware name: Freescale i.MX8DXL EVK (DT)
    [ 6684.601320] Workqueue: kblockd blk_mq_run_work_fn
    
    [ 6684.606094] pstate: 40000005 (nZcv daif -PAN -UAO -TCO BTYPE=--)
    [ 6684.612286] pc : cqhci_request+0x148/0x4e8 [cqhci]
    ^GMessage from syslogd@  at Thu Jan  1 01:51:24 1970 ...[ 6684.617085] lr : cqhci_request+0x314/0x4e8 [cqhci]
    [ 6684.626734] sp : ffff80001243b9f0
    [ 6684.630049] x29: ffff80001243b9f0 x28: ffff00002c3dd000
    [ 6684.635367] x27: 0000000000000001 x26: 0000000000000001
    [ 6684.640690] x25: ffff00002c451000 x24: 000000000000000f
    [ 6684.646007] x23: ffff000017e71c80 x22: ffff00002c451000
    [ 6684.651326] x21: ffff00002c0f3550 x20: ffff00002c0f3550
    [ 6684.656651] x19: ffff000017d46880 x18: ffff00002cea1500
    [ 6684.661977] x17: 0000000000000000 x16: 0000000000000000
    [ 6684.667294] x15: 000001ee628e3ed1 x14: 0000000000000278
    [ 6684.672610] x13: 0000000000000001 x12: 0000000000000001
    [ 6684.677927] x11: 0000000000000000 x10: 0000000000000000
    [ 6684.683243] x9 : 000000000000002b x8 : 0000000000001000
    [ 6684.688560] x7 : 0000000000000010 x6 : ffff00002c0f3678
    [ 6684.693886] x5 : 000000000000000f x4 : ffff800011c5b000
    [ 6684.699211] x3 : 000000000002d988 x2 : 0000000000000008
    [ 6684.704537] x1 : 00000000000000f0 x0 : 0002d9880008102f
    [ 6684.709854] Call trace:
    [ 6684.712313]  cqhci_request+0x148/0x4e8 [cqhci]
    [ 6684.716803]  mmc_cqe_start_req+0x58/0x68 [mmc_core]
    [ 6684.721698]  mmc_blk_mq_issue_rq+0x460/0x810 [mmc_block]
    [ 6684.727018]  mmc_mq_queue_rq+0x118/0x2b0 [mmc_block]
    
    The problem occurs when cqhci_request() get called after cqhci_disable() as
    it leads to access of allocated memory that has already been freed. Let's
    fix the problem by calling cqhci_disable() a bit later in the remove path.
    
    Signed-off-by: Frank Li <Frank.Li@nxp.com>
    Diagnosed-by: Adrian Hunter <adrian.hunter@intel.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/20210303174248.542175-1-Frank.Li@nxp.com
    Fixes: f690f4409ddd ("mmc: mmc: Enable CQE's")
    Cc: stable@vger.kernel.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 07032218bd77b8de358d631ed82b5e66bb7097d0
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Wed Mar 3 11:26:14 2021 +0200

    mmc: core: Fix partition switch time for eMMC
    
    commit 66fbacccbab91e6e55d9c8f1fc0910a8eb6c81f7 upstream.
    
    Avoid the following warning by always defining partition switch time:
    
     [    3.209874] mmc1: unspecified timeout for CMD6 - use generic
     [    3.222780] ------------[ cut here ]------------
     [    3.233363] WARNING: CPU: 1 PID: 111 at drivers/mmc/core/mmc_ops.c:575 __mmc_switch+0x200/0x204
    
    Reported-by: Paul Fertser <fercerpav@gmail.com>
    Fixes: 1c447116d017 ("mmc: mmc: Fix partition switch timeout for some eMMCs")
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/168bbfd6-0c5b-5ace-ab41-402e7937c46e@intel.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 31c02782dead88ecd574e7d117541f6cba7ebc8b
Author: Stefan Haberland <sth@linux.ibm.com>
Date:   Fri Mar 5 13:54:39 2021 +0100

    s390/dasd: fix hanging IO request during DASD driver unbind
    
    commit 66f669a272898feb1c69b770e1504aa2ec7723d1 upstream.
    
    Prevent that an IO request is build during device shutdown initiated by
    a driver unbind. This request will never be able to be processed or
    canceled and will hang forever. This will lead also to a hanging unbind.
    
    Fix by checking not only if the device is in READY state but also check
    that there is no device offline initiated before building a new IO request.
    
    Fixes: e443343e509a ("s390/dasd: blk-mq conversion")
    
    Cc: <stable@vger.kernel.org> # v4.14+
    Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
    Tested-by: Bjoern Walk <bwalk@linux.ibm.com>
    Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bccaf335ea17b491947ec3e9b451760a23be40d8
Author: Stefan Haberland <sth@linux.ibm.com>
Date:   Fri Mar 5 13:54:38 2021 +0100

    s390/dasd: fix hanging DASD driver unbind
    
    commit 7d365bd0bff3c0310c39ebaffc9a8458e036d666 upstream.
    
    In case of an unbind of the DASD device driver the function
    dasd_generic_remove() is called which shuts down the device.
    Among others this functions removes the int_handler from the cdev.
    During shutdown the device cancels all outstanding IO requests and waits
    for completion of the clear request.
    Unfortunately the clear interrupt will never be received when there is no
    interrupt handler connected.
    
    Fix by moving the int_handler removal after the call to the state machine
    where no request or interrupt is outstanding.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
    Tested-by: Bjoern Walk <bwalk@linux.ibm.com>
    Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 88187374016de18d2febf1f1cb25199e784f5301
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Mar 12 15:07:09 2021 -0600

    Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")
    
    commit 3b0c2d3eaa83da259d7726192cf55a137769012f upstream.
    
    It turns out that there are in fact userspace implementations that
    care and this recent change caused a regression.
    
    https://github.com/containers/buildah/issues/3071
    
    As the motivation for the original change was future development,
    and the impact is existing real world code just revert this change
    and allow the ambiguity in v3 file caps.
    
    Cc: stable@vger.kernel.org
    Fixes: 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3ddeb82b6dd6a16d3c0867173fa5a76231535dc4
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Mar 4 09:50:09 2021 +0100

    ALSA: usb-audio: Apply the control quirk to Plantronics headsets
    
    commit 06abcb18b3a021ba1a3f2020cbefb3ed04e59e72 upstream.
    
    Other Plantronics headset models seem requiring the same workaround as
    C320-M to add the 20ms delay for the control messages, too.  Apply the
    workaround generically for devices with the vendor ID 0x047f.
    
    Note that the problem didn't surface before 5.11 just with luck.
    Since 5.11 got a big code rewrite about the stream handling, the
    parameter setup procedure has changed, and this seemed triggering the
    problem more often.
    
    BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1182552
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210304085009.4770-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2f9f44cec3a3a5d284be08079ab41e4024d68d83
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Mar 4 09:30:21 2021 +0100

    ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar
    
    commit fec60c3bc5d1713db2727cdffc638d48f9c07dc3 upstream.
    
    Dell AE515 sound bar (413c:a506) spews the error messages when the
    driver tries to read the current sample frequency, hence it needs to
    be on the list in snd_usb_get_sample_rate_quirk().
    
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211551
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210304083021.2152-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 36b16052dcca7594c5dffb12106b68261e82e91e
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Mar 10 12:28:08 2021 +0100

    ALSA: hda: Avoid spurious unsol event handling during S3/S4
    
    commit 5ff9dde42e8c72ed8102eb8cb62e03f9dc2103ab upstream.
    
    When HD-audio bus receives unsolicited events during its system
    suspend/resume (S3 and S4) phase, the controller driver may still try
    to process events although the codec chips are already (or yet)
    powered down.  This might screw up the codec communication, resulting
    in CORB/RIRB errors.  Such events should be rather skipped, as the
    codec chip status such as the jack status will be fully refreshed at
    the system resume time.
    
    Since we're tracking the system suspend/resume state in codec
    power.power_state field, let's add the check in the common unsol event
    handler entry point to filter out such events.
    
    BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1182377
    Tested-by: Abhishek Sahu <abhsahu@nvidia.com>
    Cc: <stable@vger.kernel.org> # 183ab39eb0ea: ALSA: hda: Initialize power_state
    Link: https://lore.kernel.org/r/20210310112809.9215-3-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9bcc7be7041fe21408a59fad47a9a6b64c300eac
Author: Takashi Iwai <tiwai@suse.de>
Date:   Mon Mar 8 17:07:26 2021 +0100

    ALSA: hda: Drop the BATCH workaround for AMD controllers
    
    commit 28e96c1693ec1cdc963807611f8b5ad400431e82 upstream.
    
    The commit c02f77d32d2c ("ALSA: hda - Workaround for crackled sound on
    AMD controller (1022:1457)") introduced a few workarounds for the
    recent AMD HD-audio controller, and one of them is the forced BATCH
    PCM mode so that PulseAudio avoids the timer-based scheduling.  This
    was thought to cover for some badly working applications, but this
    actually worsens for more others.  In total, this wasn't a good idea
    to enforce it.
    
    This is a partial revert of the commit above for dropping the PCM
    BATCH enforcement part to recover from the regression again.
    
    Fixes: c02f77d32d2c ("ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)")
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210308160726.22930-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8cc748c2e2dd07c53066ab67565ebaa08ced33b
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Mar 10 12:28:09 2021 +0100

    ALSA: hda/hdmi: Cancel pending works before suspend
    
    commit eea46a0879bcca23e15071f9968c0f6e6596e470 upstream.
    
    The per_pin->work might be still floating at the suspend, and this may
    hit the access to the hardware at an unexpected timing.  Cancel the
    work properly at the suspend callback for avoiding the buggy access.
    
    Note that the bug doesn't trigger easily in the recent kernels since
    the work is queued only when the repoll count is set, and usually it's
    only at the resume callback, but it's still possible to hit in
    theory.
    
    BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1182377
    Reported-and-tested-by: Abhishek Sahu <abhsahu@nvidia.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210310112809.9215-4-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8e051ec2af280a07f3e9eeec7df0bbaa08208767
Author: John Ernberg <john.ernberg@actia.se>
Date:   Wed Mar 3 18:14:39 2021 +0000

    ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk
    
    commit fc7c5c208eb7bc2df3a9f4234f14eca250001cb6 upstream.
    
    The microphone in the Plantronics C320-M headset will randomly
    fail to initialize properly, at least when using Microsoft Teams.
    Introducing a 20ms delay on the control messages appears to
    resolve the issue.
    
    Link: https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/1065
    Tested-by: Andreas Kempe <kempe@lysator.liu.se>
    Signed-off-by: John Ernberg <john.ernberg@actia.se>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210303181405.39835-1-john.ernberg@actia.se
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 14e4d57cbafe0927a080bd6b635e997ab347aa07
Author: Aleksandr Miloserdov <a.miloserdov@yadro.com>
Date:   Tue Feb 9 10:22:02 2021 +0300

    scsi: target: core: Prevent underflow for service actions
    
    [ Upstream commit 14d24e2cc77411301e906a8cf41884739de192de ]
    
    TCM buffer length doesn't necessarily equal 8 + ADDITIONAL LENGTH which
    might be considered an underflow in case of Data-In size being greater than
    8 + ADDITIONAL LENGTH. So truncate buffer length to prevent underflow.
    
    Link: https://lore.kernel.org/r/20210209072202.41154-3-a.miloserdov@yadro.com
    Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
    Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
    Signed-off-by: Aleksandr Miloserdov <a.miloserdov@yadro.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7abc17dced7593cf40a46f8f9b1aafd634a0ebb1
Author: Aleksandr Miloserdov <a.miloserdov@yadro.com>
Date:   Tue Feb 9 10:22:01 2021 +0300

    scsi: target: core: Add cmd length set before cmd complete
    
    [ Upstream commit 1c73e0c5e54d5f7d77f422a10b03ebe61eaed5ad ]
    
    TCM doesn't properly handle underflow case for service actions. One way to
    prevent it is to always complete command with
    target_complete_cmd_with_length(), however it requires access to data_sg,
    which is not always available.
    
    This change introduces target_set_cmd_data_length() function which allows
    to set command data length before completing it.
    
    Link: https://lore.kernel.org/r/20210209072202.41154-2-a.miloserdov@yadro.com
    Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
    Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
    Signed-off-by: Aleksandr Miloserdov <a.miloserdov@yadro.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1e1749c5ac5fc8705483e61cf364c10b6a67d684
Author: Mike Christie <michael.christie@oracle.com>
Date:   Sat Feb 6 22:46:00 2021 -0600

    scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
    
    [ Upstream commit d28d48c699779973ab9a3bd0e5acfa112bd4fdef ]
    
    If iscsi_prep_scsi_cmd_pdu() fails we try to add it back to the cmdqueue,
    but we leave it partially setup. We don't have functions that can undo the
    pdu and init task setup. We only have cleanup_task which can clean up both
    parts. So this has us just fail the cmd and go through the standard cleanup
    routine and then have the SCSI midlayer retry it like is done when it fails
    in the queuecommand path.
    
    Link: https://lore.kernel.org/r/20210207044608.27585-2-michael.christie@oracle.com
    Reviewed-by: Lee Duncan <lduncan@suse.com>
    Signed-off-by: Mike Christie <michael.christie@oracle.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9b2384daf9525492b325ab1310c46f71442b134d
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Wed Feb 17 07:13:02 2021 +0100

    s390/smp: __smp_rescan_cpus() - move cpumask away from stack
    
    [ Upstream commit 62c8dca9e194326802b43c60763f856d782b225c ]
    
    Avoid a potentially large stack frame and overflow by making
    "cpumask_t avail" a static variable. There is no concurrent
    access due to the existing locking.
    
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 105e4f983100d20029bf0afd7c15c4d55cc11b40
Author: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Date:   Fri Oct 30 07:14:30 2020 +0000

    i40e: Fix memory leak in i40e_probe
    
    [ Upstream commit 58cab46c622d6324e47bd1c533693c94498e4172 ]
    
    Struct i40e_veb is allocated in function i40e_setup_pf_switch, and
    stored to an array field veb inside struct i40e_pf. However when
    i40e_setup_misc_vector fails, this memory leaks.
    
    Fix this by calling exit and teardown functions.
    
    Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
    Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6a8b02ead7f7ed10af3dbe180c524e0b5ce16c6e
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Tue Feb 2 11:03:32 2021 +0100

    PCI: Fix pci_register_io_range() memory leak
    
    [ Upstream commit f6bda644fa3a7070621c3bf12cd657f69a42f170 ]
    
    Kmemleak reports:
    
      unreferenced object 0xc328de40 (size 64):
        comm "kworker/1:1", pid 21, jiffies 4294938212 (age 1484.670s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 e0 d8 fc eb 00 00 00 00  ................
          00 00 10 fe 00 00 00 00 00 00 00 00 00 00 00 00  ................
    
      backtrace:
        [<ad758d10>] pci_register_io_range+0x3c/0x80
        [<2c7f139e>] of_pci_range_to_resource+0x48/0xc0
        [<f079ecc8>] devm_of_pci_get_host_bridge_resources.constprop.0+0x2ac/0x3ac
        [<e999753b>] devm_of_pci_bridge_init+0x60/0x1b8
        [<a895b229>] devm_pci_alloc_host_bridge+0x54/0x64
        [<e451ddb0>] rcar_pcie_probe+0x2c/0x644
    
    In case a PCI host driver's probe is deferred, the same I/O range may be
    allocated again, and be ignored, causing a memory leak.
    
    Fix this by (a) letting logic_pio_register_range() return -EEXIST if the
    passed range already exists, so pci_register_io_range() will free it, and
    by (b) making pci_register_io_range() not consider -EEXIST an error
    condition.
    
    Link: https://lore.kernel.org/r/20210202100332.829047-1-geert+renesas@glider.be
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b63a6e166844dbe64571db7a989d261e4fa6fd4f
Author: Krzysztof Wilczyński <kw@linux.com>
Date:   Wed Jan 20 18:48:10 2021 +0000

    PCI: mediatek: Add missing of_node_put() to fix reference leak
    
    [ Upstream commit 42814c438aac79746d310f413a27d5b0b959c5de ]
    
    The for_each_available_child_of_node helper internally makes use of the
    of_get_next_available_child() which performs an of_node_get() on each
    iteration when searching for next available child node.
    
    Should an available child node be found, then it would return a device
    node pointer with reference count incremented, thus early return from
    the middle of the loop requires an explicit of_node_put() to prevent
    reference count leak.
    
    To stop the reference leak, explicitly call of_node_put() before
    returning after an error occurred.
    
    Link: https://lore.kernel.org/r/20210120184810.3068794-1-kw@linux.com
    Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 639f1e04b721814d3fe60e24c86cfffd1516c051
Author: Martin Kaiser <martin@kaiser.cx>
Date:   Fri Jan 15 22:24:35 2021 +0100

    PCI: xgene-msi: Fix race in installing chained irq handler
    
    [ Upstream commit a93c00e5f975f23592895b7e83f35de2d36b7633 ]
    
    Fix a race where a pending interrupt could be received and the handler
    called before the handler's data has been setup, by converting to
    irq_set_chained_handler_and_data().
    
    See also 2cf5a03cb29d ("PCI/keystone: Fix race in installing chained IRQ
    handler").
    
    Based on the mail discussion, it seems ok to drop the error handling.
    
    Link: https://lore.kernel.org/r/20210115212435.19940-3-martin@kaiser.cx
    Signed-off-by: Martin Kaiser <martin@kaiser.cx>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a882f473dece02f77e621cdd54e06e07f310e0c5
Author: Khalid Aziz <khalid.aziz@oracle.com>
Date:   Fri Oct 23 11:56:11 2020 -0600

    sparc64: Use arch_validate_flags() to validate ADI flag
    
    [ Upstream commit 147d8622f2a26ef34beacc60e1ed8b66c2fa457f ]
    
    When userspace calls mprotect() to enable ADI on an address range,
    do_mprotect_pkey() calls arch_validate_prot() to validate new
    protection flags. arch_validate_prot() for sparc looks at the first
    VMA associated with address range to verify if ADI can indeed be
    enabled on this address range. This has two issues - (1) Address
    range might cover multiple VMAs while arch_validate_prot() looks at
    only the first VMA, (2) arch_validate_prot() peeks at VMA without
    holding mmap lock which can result in race condition.
    
    arch_validate_flags() from commit c462ac288f2c ("mm: Introduce
    arch_validate_flags()") allows for VMA flags to be validated for all
    VMAs that cover the address range given by user while holding mmap
    lock. This patch updates sparc code to move the VMA check from
    arch_validate_prot() to arch_validate_flags() to fix above two
    issues.
    
    Suggested-by: Jann Horn <jannh@google.com>
    Suggested-by: Christoph Hellwig <hch@infradead.org>
    Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Khalid Aziz <khalid.aziz@oracle.com>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cb206ed9a020cca3b0e036dc5e5bde7d156391fb
Author: Andreas Larsson <andreas@gaisler.com>
Date:   Fri Feb 5 14:20:31 2021 +0100

    sparc32: Limit memblock allocation to low memory
    
    [ Upstream commit bda166930c37604ffa93f2425426af6921ec575a ]
    
    Commit cca079ef8ac29a7c02192d2bad2ffe4c0c5ffdd0 changed sparc32 to use
    memblocks instead of bootmem, but also made high memory available via
    memblock allocation which does not work together with e.g. phys_to_virt
    and can lead to kernel panic.
    
    This changes back to only low memory being allocatable in the early
    stages, now using memblock allocation.
    
    Signed-off-by: Andreas Larsson <andreas@gaisler.com>
    Acked-by: Mike Rapoport <rppt@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b6d302a8613f8335c4a57db944f09c5565a0d235
Author: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Date:   Fri Feb 5 04:14:52 2021 -0500

    powerpc/perf: Record counter overflow always if SAMPLE_IP is unset
    
    [ Upstream commit d137845c973147a22622cc76c7b0bc16f6206323 ]
    
    While sampling for marked events, currently we record the sample only
    if the SIAR valid bit of Sampled Instruction Event Register (SIER) is
    set. SIAR_VALID bit is used for fetching the instruction address from
    Sampled Instruction Address Register(SIAR). But there are some
    usecases, where the user is interested only in the PMU stats at each
    counter overflow and the exact IP of the overflow event is not
    required. Dropping SIAR invalid samples will fail to record some of
    the counter overflows in such cases.
    
    Example of such usecase is dumping the PMU stats (event counts) after
    some regular amount of instructions/events from the userspace (ex: via
    ptrace). Here counter overflow is indicated to userspace via signal
    handler, and captured by monitoring and enabling I/O signaling on the
    event file descriptor. In these cases, we expect to get
    sample/overflow indication after each specified sample_period.
    
    Perf event attribute will not have PERF_SAMPLE_IP set in the
    sample_type if exact IP of the overflow event is not requested. So
    while profiling if SAMPLE_IP is not set, just record the counter
    overflow irrespective of SIAR_VALID check.
    
    Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    [mpe: Reflow comment and if formatting]
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/1612516492-1428-1-git-send-email-atrajeev@linux.vnet.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b960e8dc768be3a0de10a0f17a7e4d60b7a5460c
Author: Nicholas Piggin <npiggin@gmail.com>
Date:   Sat Jan 30 23:08:35 2021 +1000

    powerpc: improve handling of unrecoverable system reset
    
    [ Upstream commit 11cb0a25f71818ca7ab4856548ecfd83c169aa4d ]
    
    If an unrecoverable system reset hits in process context, the system
    does not have to panic. Similar to machine check, call nmi_exit()
    before die().
    
    Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20210130130852.2952424-26-npiggin@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2f43ab9673662124074f7265cf9cec37ce174fab
Author: Oliver O'Halloran <oohall@gmail.com>
Date:   Tue Nov 3 15:35:06 2020 +1100

    powerpc/pci: Add ppc_md.discover_phbs()
    
    [ Upstream commit 5537fcb319d016ce387f818dd774179bc03217f5 ]
    
    On many powerpc platforms the discovery and initalisation of
    pci_controllers (PHBs) happens inside of setup_arch(). This is very early
    in boot (pre-initcalls) and means that we're initialising the PHB long
    before many basic kernel services (slab allocator, debugfs, a real ioremap)
    are available.
    
    On PowerNV this causes an additional problem since we map the PHB registers
    with ioremap(). As of commit d538aadc2718 ("powerpc/ioremap: warn on early
    use of ioremap()") a warning is printed because we're using the "incorrect"
    API to setup and MMIO mapping in searly boot. The kernel does provide
    early_ioremap(), but that is not intended to create long-lived MMIO
    mappings and a seperate warning is printed by generic code if
    early_ioremap() mappings are "leaked."
    
    This is all fixable with dumb hacks like using early_ioremap() to setup
    the initial mapping then replacing it with a real ioremap later on in
    boot, but it does raise the question: Why the hell are we setting up the
    PHB's this early in boot?
    
    The old and wise claim it's due to "hysterical rasins." Aside from amused
    grapes there doesn't appear to be any real reason to maintain the current
    behaviour. Already most of the newer embedded platforms perform PHB
    discovery in an arch_initcall and between the end of setup_arch() and the
    start of initcalls none of the generic kernel code does anything PCI
    related. On powerpc scanning PHBs occurs in a subsys_initcall so it should
    be possible to move the PHB discovery to a core, postcore or arch initcall.
    
    This patch adds the ppc_md.discover_phbs hook and a core_initcall stub that
    calls it. The core_initcalls are the earliest to be called so this will
    any possibly issues with dependency between initcalls. This isn't just an
    academic issue either since on pseries and PowerNV EEH init occurs in an
    arch_initcall and depends on the pci_controllers being available, similarly
    the creation of pci_dns occurs at core_initcall_sync (i.e. between core and
    postcore initcalls). These problems need to be addressed seperately.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
    [mpe: Make discover_phbs() static]
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20201103043523.916109-1-oohall@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 670ed36a0288e5fdb71785f18d6eb0586c957c46
Author: Chaotian Jing <chaotian.jing@mediatek.com>
Date:   Fri Dec 18 15:16:11 2020 +0800

    mmc: mediatek: fix race condition between msdc_request_timeout and irq
    
    [ Upstream commit 0354ca6edd464a2cf332f390581977b8699ed081 ]
    
    when get request SW timeout, if CMD/DAT xfer done irq coming right now,
    then there is race between the msdc_request_timeout work and irq handler,
    and the host->cmd and host->data may set to NULL in irq handler. also,
    current flow ensure that only one path can go to msdc_request_done(), so
    no need check the return value of cancel_delayed_work().
    
    Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
    Link: https://lore.kernel.org/r/20201218071611.12276-1-chaotian.jing@mediatek.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1d086905b5db519d5de2a1d7f29836e245e32230
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Tue Dec 8 21:35:27 2020 +0100

    mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()'
    
    [ Upstream commit 0bb7e560f821c7770973a94e346654c4bdccd42c ]
    
    If 'mmc_of_parse()' fails, we must undo the previous 'dma_request_chan()'
    call.
    
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/20201208203527.49262-1-christophe.jaillet@wanadoo.fr
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c7c74e6fd6be6f543560caa5c14c244763212302
Author: Steven J. Magnani <magnani@ieee.org>
Date:   Thu Jan 7 17:41:16 2021 -0600

    udf: fix silent AED tagLocation corruption
    
    [ Upstream commit 63c9e47a1642fc817654a1bc18a6ec4bbcc0f056 ]
    
    When extending a file, udf_do_extend_file() may enter following empty
    indirect extent. At the end of udf_do_extend_file() we revert prev_epos
    to point to the last written extent. However if we end up not adding any
    further extent in udf_do_extend_file(), the reverting points prev_epos
    into the header area of the AED and following updates of the extents
    (in udf_update_extents()) will corrupt the header.
    
    Make sure that we do not follow indirect extent if we are not going to
    add any more extents so that returning back to the last written extent
    works correctly.
    
    Link: https://lore.kernel.org/r/20210107234116.6190-2-magnani@ieee.org
    Signed-off-by: Steven J. Magnani <magnani@ieee.org>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ebe4ab975208f8cf08a44464342cb864c0a0ed18
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Wed Dec 23 18:21:52 2020 +0100

    i2c: rcar: optimize cacheline to minimize HW race condition
    
    [ Upstream commit 25c2e0fb5fefb8d7847214cf114d94c7aad8e9ce ]
    
    'flags' and 'io' are needed first, so they should be at the beginning of
    the private struct.
    
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit acf0610a2db3911569f07d254ed73ef0727a0abc
Author: Guangbin Huang <huangguangbin2@huawei.com>
Date:   Sat Feb 27 11:05:58 2021 +0800

    net: phy: fix save wrong speed and duplex problem if autoneg is on
    
    [ Upstream commit d9032dba5a2b2bbf0fdce67c8795300ec9923b43 ]
    
    If phy uses generic driver and autoneg is on, enter command
    "ethtool -s eth0 speed 50" will not change phy speed actually, but
    command "ethtool eth0" shows speed is 50Mb/s because phydev->speed
    has been set to 50 and no update later.
    
    And duplex setting has same problem too.
    
    However, if autoneg is on, phy only changes speed and duplex according to
    phydev->advertising, but not phydev->speed and phydev->duplex. So in this
    case, phydev->speed and phydev->duplex don't need to be set in function
    phy_ethtool_ksettings_set() if autoneg is on.
    
    Fixes: 51e2a3846eab ("PHY: Avoid unnecessary aneg restarts")
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6264d03c0382a3d9ab415647e800a6aef1f23486
Author: Biju Das <biju.das.jz@bp.renesas.com>
Date:   Mon Mar 1 13:08:27 2021 +0100

    media: v4l: vsp1: Fix bru null pointer access
    
    commit ac8d82f586c8692b501cb974604a71ef0e22a04c upstream.
    
    RZ/G2L SoC has only BRS. This patch fixes null pointer access,when only
    BRS is enabled.
    
    Fixes: cbb7fa49c7466("media: v4l: vsp1: Rename BRU to BRx")
    Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f418a9d0bd79633859ab7b7b2362f9319d395f5d
Author: Biju Das <biju.das.jz@bp.renesas.com>
Date:   Mon Mar 1 13:08:28 2021 +0100

    media: v4l: vsp1: Fix uif null pointer access
    
    commit 6732f313938027a910e1f7351951ff52c0329e70 upstream.
    
    RZ/G2L SoC has no UIF. This patch fixes null pointer access, when UIF
    module is not used.
    
    Fixes: 5e824f989e6e8("media: v4l: vsp1: Integrate DISCOM in display pipeline")
    Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ebbf254c83488fc63226349bb8c35842a3ba5ad
Author: Maxim Mikityanskiy <maxtram95@gmail.com>
Date:   Fri Feb 5 23:51:39 2021 +0100

    media: usbtv: Fix deadlock on suspend
    
    commit 8a7e27fd5cd696ba564a3f62cedef7269cfd0723 upstream.
    
    usbtv doesn't support power management, so on system suspend the
    .disconnect callback of the driver is called. The teardown sequence
    includes a call to snd_card_free. Its implementation waits until the
    refcount of the sound card device drops to zero, however, if its file is
    open, snd_card_file_add takes a reference, which can't be dropped during
    the suspend, because the userspace processes are already frozen at this
    point. snd_card_free waits for completion forever, leading to a hang on
    suspend.
    
    This commit fixes this deadlock condition by replacing snd_card_free
    with snd_card_free_when_closed, that doesn't wait until all references
    are released, allowing suspend to progress.
    
    Fixes: 63ddf68de52e ("[media] usbtv: add audio support")
    Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 92c476c8f4225cc397448bf165e68da709dd6fb0
Author: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Date:   Sun Feb 28 23:27:32 2021 +0300

    sh_eth: fix TRSCER mask for R7S9210
    
    commit 165bc5a4f30eee4735845aa7dbd6b738643f2603 upstream.
    
    According  to the RZ/A2M Group User's Manual: Hardware, Rev. 2.00,
    the TRSCER register has bit 9 reserved, hence we can't use the driver's
    default TRSCER mask.  Add the explicit initializer for sh_eth_cpu_data::
    trscer_err_mask for R7S9210.
    
    Fixes: 6e0bb04d0e4f ("sh_eth: Add R7S9210 support")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49f3cfae0cf708578b6d9f343d139618fcdaa9b9
Author: Eric Farman <farman@linux.ibm.com>
Date:   Mon Mar 1 19:33:24 2021 +0100

    s390/cio: return -EFAULT if copy_to_user() fails
    
    commit d9c48a948d29bcb22f4fe61a81b718ef6de561a0 upstream.
    
    Fixes: 120e214e504f ("vfio: ccw: realize VFIO_DEVICE_G(S)ET_IRQ_INFO ioctls")
    Signed-off-by: Eric Farman <farman@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8fbbf2b3849419e31731902d7478b0c934732632
Author: Artem Lapkin <art@khadas.com>
Date:   Tue Mar 2 12:22:02 2021 +0800

    drm: meson_drv add shutdown function
    
    commit fa0c16caf3d73ab4d2e5d6fa2ef2394dbec91791 upstream.
    
    Problem: random stucks on reboot stage about 1/20 stuck/reboots
    // debug kernel log
    [    4.496660] reboot: kernel restart prepare CMD:(null)
    [    4.498114] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown begin
    [    4.503949] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown domain 0:VPU...
    ...STUCK...
    
    Solution: add shutdown function to meson_drm driver
    // debug kernel log
    [    5.231896] reboot: kernel restart prepare CMD:(null)
    [    5.246135] [drm:meson_drv_shutdown]
    ...
    [    5.259271] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown begin
    [    5.274688] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown domain 0:VPU...
    [    5.338331] reboot: Restarting system
    [    5.358293] psci: PSCI_0_2_FN_SYSTEM_RESET reboot_mode:0 cmd:(null)
    bl31 reboot reason: 0xd
    bl31 reboot reason: 0x0
    system cmd  1.
    ...REBOOT...
    
    Tested: on VIM1 VIM2 VIM3 VIM3L khadas sbcs - 1000+ successful reboots
    and Odroid boards, WeTek Play2 (GXBB)
    
    Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
    Signed-off-by: Artem Lapkin <art@khadas.com>
    Tested-by: Christian Hewitt <christianshewitt@gmail.com>
    Acked-by: Neil Armstrong <narmstrong@baylibre.com>
    Acked-by: Kevin Hilman <khilman@baylibre.com>
    Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210302042202.3728113-1-art@khadas.com
    Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8cd674e1ec08bca28bb97c99c96c5cf8504134e
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Mon Feb 22 11:06:43 2021 +0100

    drm/compat: Clear bounce structures
    
    commit de066e116306baf3a6a62691ac63cfc0b1dabddb upstream.
    
    Some of them have gaps, or fields we don't clear. Native ioctl code
    does full copies plus zero-extends on size mismatch, so nothing can
    leak. But compat is more hand-rolled so need to be careful.
    
    None of these matter for performance, so just memset.
    
    Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those
    are security holes anyway.
    
    Acked-by: Maxime Ripard <mripard@kernel.org>
    Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl
    Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch
    (cherry picked from commit e926c474ebee404441c838d18224cd6f246a71b7)
    Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 21d62e816d3fd2591bba822ab7b74a21dcf56f89
Author: Wang Qing <wangqing@vivo.com>
Date:   Mon Mar 1 20:01:33 2021 +0800

    s390/cio: return -EFAULT if copy_to_user() fails again
    
    commit 51c44babdc19aaf882e1213325a0ba291573308f upstream.
    
    The copy_to_user() function returns the number of bytes remaining to be
    copied, but we want to return -EFAULT if the copy doesn't complete.
    
    Fixes: e01bcdd61320 ("vfio: ccw: realize VFIO_DEVICE_GET_REGION_INFO ioctl")
    Signed-off-by: Wang Qing <wangqing@vivo.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Link: https://lore.kernel.org/r/1614600093-13992-1-git-send-email-wangqing@vivo.com
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6b687917f0ce3ba9fcb68f029d942e365a867aac
Author: Ian Rogers <irogers@google.com>
Date:   Fri Feb 26 14:14:31 2021 -0800

    perf traceevent: Ensure read cmdlines are null terminated.
    
    commit 137a5258939aca56558f3a23eb229b9c4b293917 upstream.
    
    Issue detected by address sanitizer.
    
    Fixes: cd4ceb63438e9e28 ("perf util: Save pid-cmdline mapping into tracing header")
    Signed-off-by: Ian Rogers <irogers@google.com>
    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Link: http://lore.kernel.org/lkml/20210226221431.1985458-1-irogers@google.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 07c50b7976c2fbcaded80f01393d19a0a23d71aa
Author: Danielle Ratson <danieller@nvidia.com>
Date:   Thu Feb 25 18:57:19 2021 +0200

    selftests: forwarding: Fix race condition in mirror installation
    
    commit edcbf5137f093b5502f5f6b97cce3cbadbde27aa upstream.
    
    When mirroring to a gretap in hardware the device expects to be
    programmed with the egress port and all the encapsulating headers. This
    requires the driver to resolve the path the packet will take in the
    software data path and program the device accordingly.
    
    If the path cannot be resolved (in this case because of an unresolved
    neighbor), then mirror installation fails until the path is resolved.
    This results in a race that causes the test to sometimes fail.
    
    Fix this by setting the neighbor's state to permanent, so that it is
    always valid.
    
    Fixes: b5b029399fa6d ("selftests: forwarding: mirror_gre_bridge_1d_vlan: Add STP test")
    Signed-off-by: Danielle Ratson <danieller@nvidia.com>
    Reviewed-by: Petr Machata <petrm@nvidia.com>
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9f46d28c19a165e23d26a2465952bedb5fd74b0e
Author: Joakim Zhang <qiangqing.zhang@nxp.com>
Date:   Thu Feb 25 17:01:11 2021 +0800

    net: stmmac: fix watchdog timeout during suspend/resume stress test
    
    commit c511819d138de38e1637eedb645c207e09680d0f upstream.
    
    stmmac_xmit() call stmmac_tx_timer_arm() at the end to modify tx timer to
    do the transmission cleanup work. Imagine such a situation, stmmac enters
    suspend immediately after tx timer modified, it's expire callback
    stmmac_tx_clean() would not be invoked. This could affect BQL, since
    netdev_tx_sent_queue() has been called, but netdev_tx_completed_queue()
    have not been involved, as a result, dql_avail(&dev_queue->dql) finally
    always return a negative value.
    
    __dev_queue_xmit->__dev_xmit_skb->qdisc_run->__qdisc_run->qdisc_restart->dequeue_skb:
            if ((q->flags & TCQ_F_ONETXQUEUE) &&
                    netif_xmit_frozen_or_stopped(txq)) // __QUEUE_STATE_STACK_XOFF is set
    
    Net core will stop transmitting any more. Finillay, net watchdong would timeout.
    To fix this issue, we should call netdev_tx_reset_queue() in stmmac_resume().
    
    Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx")
    Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 42b8f308f2bf57618ca9c136842be439359369c4
Author: Joakim Zhang <qiangqing.zhang@nxp.com>
Date:   Thu Feb 25 17:01:10 2021 +0800

    net: stmmac: stop each tx channel independently
    
    commit a3e860a83397bf761ec1128a3f0ba186445992c6 upstream.
    
    If clear GMAC_CONFIG_TE bit, it would stop all tx channels, but users
    may only want to stop specific tx channel.
    
    Fixes: 48863ce5940f ("stmmac: add DMA support for GMAC 4.xx")
    Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8c9b54ff89e3d379a42fa4b5e37e56a96ea0cab
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Date:   Mon Mar 8 01:13:55 2021 -0800

    net: qrtr: fix error return code of qrtr_sendmsg()
    
    commit 179d0ba0c454057a65929c46af0d6ad986754781 upstream.
    
    When sock_alloc_send_skb() returns NULL to skb, no error return code of
    qrtr_sendmsg() is assigned.
    To fix this bug, rc is assigned with -ENOMEM in this case.
    
    Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
    Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
    Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9808f032c4d971cbf2b01411a0a2a8ee0040efe3
Author: Paul Cercueil <paul@crapouillou.net>
Date:   Sun Mar 7 13:17:48 2021 +0000

    net: davicom: Fix regulator not turned off on driver removal
    
    commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b upstream.
    
    We must disable the regulator that was enabled in the probe function.
    
    Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000")
    Signed-off-by: Paul Cercueil <paul@crapouillou.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6b8089f06d3a8fca9409e513e9c5168f1e4b99ef
Author: Paul Cercueil <paul@crapouillou.net>
Date:   Sun Mar 7 13:17:47 2021 +0000

    net: davicom: Fix regulator not turned off on failed probe
    
    commit ac88c531a5b38877eba2365a3f28f0c8b513dc33 upstream.
    
    When the probe fails or requests to be defered, we must disable the
    regulator that was previously enabled.
    
    Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000")
    Signed-off-by: Paul Cercueil <paul@crapouillou.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec6424034cc257ac150ffc1ac32a8c421f912dbb
Author: Xie He <xie.he.0141@gmail.com>
Date:   Sun Mar 7 03:33:07 2021 -0800

    net: lapbether: Remove netif_start_queue / netif_stop_queue
    
    commit f7d9d4854519fdf4d45c70a4d953438cd88e7e58 upstream.
    
    For the devices in this driver, the default qdisc is "noqueue",
    because their "tx_queue_len" is 0.
    
    In function "__dev_queue_xmit" in "net/core/dev.c", devices with the
    "noqueue" qdisc are specially handled. Packets are transmitted without
    being queued after a "dev->flags & IFF_UP" check. However, it's possible
    that even if this check succeeds, "ops->ndo_stop" may still have already
    been called. This is because in "__dev_close_many", "ops->ndo_stop" is
    called before clearing the "IFF_UP" flag.
    
    If we call "netif_stop_queue" in "ops->ndo_stop", then it's possible in
    "__dev_queue_xmit", it sees the "IFF_UP" flag is present, and then it
    checks "netif_xmit_stopped" and finds that the queue is already stopped.
    In this case, it will complain that:
    "Virtual device ... asks to queue packet!"
    
    To prevent "__dev_queue_xmit" from generating this complaint, we should
    not call "netif_stop_queue" in "ops->ndo_stop".
    
    We also don't need to call "netif_start_queue" in "ops->ndo_open",
    because after a netdev is allocated and registered, the
    "__QUEUE_STATE_DRV_XOFF" flag is initially not set, so there is no need
    to call "netif_start_queue" to clear it.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Xie He <xie.he.0141@gmail.com>
    Acked-by: Martin Schiller <ms@dev.tdt.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a44af1c69737f9e64d5134c34eb9d5c4c2e04da1
Author: Paul Moore <paul@paul-moore.com>
Date:   Thu Mar 4 16:29:51 2021 -0500

    cipso,calipso: resolve a number of problems with the DOI refcounts
    
    commit ad5d07f4a9cd671233ae20983848874731102c08 upstream.
    
    The current CIPSO and CALIPSO refcounting scheme for the DOI
    definitions is a bit flawed in that we:
    
    1. Don't correctly match gets/puts in netlbl_cipsov4_list().
    2. Decrement the refcount on each attempt to remove the DOI from the
       DOI list, only removing it from the list once the refcount drops
       to zero.
    
    This patch fixes these problems by adding the missing "puts" to
    netlbl_cipsov4_list() and introduces a more conventional, i.e.
    not-buggy, refcounting mechanism to the DOI definitions.  Upon the
    addition of a DOI to the DOI list, it is initialized with a refcount
    of one, removing a DOI from the list removes it from the list and
    drops the refcount by one; "gets" and "puts" behave as expected with
    respect to refcounts, increasing and decreasing the DOI's refcount by
    one.
    
    Fixes: b1edeb102397 ("netlabel: Replace protocol/NetLabel linking with refrerence counts")
    Fixes: d7cce01504a0 ("netlabel: Add support for removing a CALIPSO DOI.")
    Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1466f689ec0539246eba5ec995984a9eaa460740
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Thu Mar 4 14:15:13 2021 +0100

    net: usb: qmi_wwan: allow qmimux add/del with master up
    
    commit 6c59cff38e66584ae3ac6c2f0cbd8d039c710ba7 upstream.
    
    There's no reason for preventing the creation and removal
    of qmimux network interfaces when the underlying interface
    is up.
    
    This makes qmi_wwan mux implementation more similar to the
    rmnet one, simplifying userspace management of the same
    logical interfaces.
    
    Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
    Reported-by: Aleksander Morgado <aleksander@aleksander.es>
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Acked-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7618f5e2f64fb15c3dc8ea980e79ece686b5d38c
Author: Maximilian Heyne <mheyne@amazon.de>
Date:   Thu Mar 4 14:43:17 2021 +0000

    net: sched: avoid duplicates in classes dump
    
    commit bfc2560563586372212b0a8aeca7428975fa91fe upstream.
    
    This is a follow up of commit ea3274695353 ("net: sched: avoid
    duplicates in qdisc dump") which has fixed the issue only for the qdisc
    dump.
    
    The duplicate printing also occurs when dumping the classes via
      tc class show dev eth0
    
    Fixes: 59cc1f61f09c ("net: sched: convert qdisc linked list to hashtable")
    Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 75756ebd0e0994de7d4386b4e014bf293e3c3a64
Author: Ong Boon Leong <boon.leong.ong@intel.com>
Date:   Wed Mar 3 20:38:40 2021 +0530

    net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10
    
    commit 879c348c35bb5fb758dd881d8a97409c1862dae8 upstream.
    
    We introduce dwmac410_dma_init_channel() here for both EQoS v4.10 and
    above which use different DMA_CH(n)_Interrupt_Enable bit definitions for
    NIE and AIE.
    
    Fixes: 48863ce5940f ("stmmac: add DMA support for GMAC 4.xx")
    Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
    Signed-off-by: Ramesh Babu B <ramesh.babu.b@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ea64cbd9aff6d435f426ba7f9964389317a7eedf
Author: Kevin(Yudong) Yang <yyd@google.com>
Date:   Wed Mar 3 09:43:54 2021 -0500

    net/mlx4_en: update moderation when config reset
    
    commit 00ff801bb8ce6711e919af4530b6ffa14a22390a upstream.
    
    This patch fixes a bug that the moderation config will not be
    applied when calling mlx4_en_reset_config. For example, when
    turning on rx timestamping, mlx4_en_reset_config() will be called,
    causing the NIC to forget previous moderation config.
    
    This fix is in phase with a previous fix:
    commit 79c54b6bbf06 ("net/mlx4_en: Fix TX moderation info loss
    after set_ringparam is called")
    
    Tested: Before this patch, on a host with NIC using mlx4, run
    netserver and stream TCP to the host at full utilization.
    $ sar -I SUM 1
                     INTR    intr/s
    14:03:56          sum  48758.00
    
    After rx hwtstamp is enabled:
    $ sar -I SUM 1
    14:10:38          sum 317771.00
    We see the moderation is not working properly and issued 7x more
    interrupts.
    
    After the patch, and turned on rx hwtstamp, the rate of interrupts
    is as expected:
    $ sar -I SUM 1
    14:52:11          sum  49332.00
    
    Fixes: 79c54b6bbf06 ("net/mlx4_en: Fix TX moderation info loss after set_ringparam is called")
    Signed-off-by: Kevin(Yudong) Yang <yyd@google.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Neal Cardwell <ncardwell@google.com>
    CC: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit caccf9f64ec8842a72450e9956181e5b53acd0c9
Author: Balazs Nemeth <bnemeth@redhat.com>
Date:   Tue Mar 9 12:31:01 2021 +0100

    net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
    
    commit d348ede32e99d3a04863e9f9b28d224456118c27 upstream.
    
    A packet with skb_inner_network_header(skb) == skb_network_header(skb)
    and ETH_P_MPLS_UC will prevent mpls_gso_segment from pulling any headers
    from the packet. Subsequently, the call to skb_mac_gso_segment will
    again call mpls_gso_segment with the same packet leading to an infinite
    loop. In addition, ensure that the header length is a multiple of four,
    which should hold irrespective of the number of stacked labels.
    
    Signed-off-by: Balazs Nemeth <bnemeth@redhat.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 54ef8243c3c8e90f1ea5792e6752e021a25c8eb3
Author: Balazs Nemeth <bnemeth@redhat.com>
Date:   Tue Mar 9 12:31:00 2021 +0100

    net: check if protocol extracted by virtio_net_hdr_set_proto is correct
    
    commit 924a9bc362a5223cd448ca08c3dde21235adc310 upstream.
    
    For gso packets, virtio_net_hdr_set_proto sets the protocol (if it isn't
    set) based on the type in the virtio net hdr, but the skb could contain
    anything since it could come from packet_snd through a raw socket. If
    there is a mismatch between what virtio_net_hdr_set_proto sets and
    the actual protocol, then the skb could be handled incorrectly later
    on.
    
    An example where this poses an issue is with the subsequent call to
    skb_flow_dissect_flow_keys_basic which relies on skb->protocol being set
    correctly. A specially crafted packet could fool
    skb_flow_dissect_flow_keys_basic preventing EINVAL to be returned.
    
    Avoid blindly trusting the information provided by the virtio net header
    by checking that the protocol in the packet actually matches the
    protocol set by virtio_net_hdr_set_proto. Note that since the protocol
    is only checked if skb->dev implements header_ops->parse_protocol,
    packets from devices without the implementation are not checked at this
    stage.
    
    Fixes: 9274124f023b ("net: stricter validation of untrusted gso packets")
    Signed-off-by: Balazs Nemeth <bnemeth@redhat.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7deeaa5ab6551a61c7ab05c793042e26cd3c46de
Author: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Date:   Sun Feb 28 23:25:43 2021 +0300

    sh_eth: fix TRSCER mask for SH771x
    
    commit 8c91bc3d44dfef8284af384877fbe61117e8b7d1 upstream.
    
    According  to  the SH7710, SH7712, SH7713 Group User's Manual: Hardware,
    Rev. 3.00, the TRSCER register actually has only bit 7 valid (and named
    differently), with all the other bits reserved. Apparently, this was not
    the case with some early revisions of the manual as we have the other
    bits declared (and set) in the original driver.  Follow the suit and add
    the explicit sh_eth_cpu_data::trscer_err_mask initializer for SH771x...
    
    Fixes: 86a74ff21a7a ("net: sh_eth: add support for Renesas SuperH Ethernet")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c6afb0eeed94a7d504acdfdde7128573ec6a9e3e
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Mar 10 10:18:04 2021 -0800

    Revert "mm, slub: consider rest of partial list if acquire_slab() fails"
    
    commit 9b1ea29bc0d7b94d420f96a0f4121403efc3dd85 upstream.
    
    This reverts commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf.
    
    The kernel test robot reports a huge performance regression due to the
    commit, and the reason seems fairly straightforward: when there is
    contention on the page list (which is what causes acquire_slab() to
    fail), we do _not_ want to just loop and try again, because that will
    transfer the contention to the 'n->list_lock' spinlock we hold, and
    just make things even worse.
    
    This is admittedly likely a problem only on big machines - the kernel
    test robot report comes from a 96-thread dual socket Intel Xeon Gold
    6252 setup, but the regression there really is quite noticeable:
    
       -47.9% regression of stress-ng.rawpkt.ops_per_sec
    
    and the commit that was marked as being fixed (7ced37197196: "slub:
    Acquire_slab() avoid loop") actually did the loop exit early very
    intentionally (the hint being that "avoid loop" part of that commit
    message), exactly to avoid this issue.
    
    The correct thing to do may be to pick some kind of reasonable middle
    ground: instead of breaking out of the loop on the very first sign of
    contention, or trying over and over and over again, the right thing may
    be to re-try _once_, and then give up on the second failure (or pick
    your favorite value for "once"..).
    
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Link: https://lore.kernel.org/lkml/20210301080404.GF12822@xsang-OptiPlex-9020/
    Cc: Jann Horn <jannh@google.com>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Acked-by: Christoph Lameter <cl@linux.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 25628fdc85fc53105ed1d698bac03f5200514d18
Author: Joe Lawrence <joe.lawrence@redhat.com>
Date:   Tue Nov 20 15:19:18 2018 -0500

    scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names
    
    commit 9c8e2f6d3d361439cc6744a094f1c15681b55269 upstream.
    
    When building with -ffunction-sections, the compiler will place each
    function into its own ELF section, prefixed with ".text".  For example,
    a simple test module with functions test_module_do_work() and
    test_module_wq_func():
    
      % objdump --section-headers test_module.o | awk '/\.text/{print $2}'
      .text
      .text.test_module_do_work
      .text.test_module_wq_func
      .init.text
      .exit.text
    
    Adjust the recordmcount scripts to look for ".text" as a section name
    prefix.  This will ensure that those functions will be included in the
    __mcount_loc relocations:
    
      % objdump --reloc --section __mcount_loc test_module.o
      OFFSET           TYPE              VALUE
      0000000000000000 R_X86_64_64       .text.test_module_do_work
      0000000000000008 R_X86_64_64       .text.test_module_wq_func
      0000000000000010 R_X86_64_64       .init.text
    
    Link: http://lkml.kernel.org/r/1542745158-25392-2-git-send-email-joe.lawrence@redhat.com
    
    Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Cc: Manoj Gupta <manojgupta@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3cbf408b5ae6d384fffc9dabe4f5cad2f3906d89
Author: Paulo Alcantara <pc@cjr.nz>
Date:   Mon Mar 8 12:00:49 2021 -0300

    cifs: return proper error code in statfs(2)
    
    commit 14302ee3301b3a77b331cc14efb95bf7184c73cc upstream.
    
    In cifs_statfs(), if server->ops->queryfs is not NULL, then we should
    use its return value rather than always returning 0.  Instead, use rc
    variable as it is properly set to 0 in case there is no
    server->ops->queryfs.
    
    Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
    Reviewed-by: Aurelien Aptel <aaptel@suse.com>
    Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
    CC: <stable@vger.kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 319f460237fc2965a80aa9a055044e1da7b3692a
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Mar 12 00:33:23 2021 -0800

    tcp: add sanity tests to TCP_QUEUE_SEQ
    
    [ Upstream commit 8811f4a9836e31c14ecdf79d9f3cb7c5d463265d ]
    
    Qingyu Li reported a syzkaller bug where the repro
    changes RCV SEQ _after_ restoring data in the receive queue.
    
    mprotect(0x4aa000, 12288, PROT_READ)    = 0
    mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
    mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
    mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
    socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
    setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
    connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
    setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
    sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
    setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
    setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
    recvfrom(3, NULL, 20, 0, NULL, NULL)    = -1 ECONNRESET (Connection reset by peer)
    
    syslog shows:
    [  111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
    [  111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0
    
    This should not be allowed. TCP_QUEUE_SEQ should only be used
    when queues are empty.
    
    This patch fixes this case, and the tx path as well.
    
    Fixes: ee9952831cfd ("tcp: Initial repair mode")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Pavel Emelyanov <xemul@parallels.com>
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=212005
    Reported-by: Qingyu Li <ieatmuttonchuan@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 92ba49b27efd409fd27bdcd5bbb2946d8a02938c
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Mar 12 00:33:22 2021 -0800

    tcp: annotate tp->write_seq lockless reads
    
    [ Upstream commit 0f31746452e6793ad6271337438af8f4defb8940 ]
    
    There are few places where we fetch tp->write_seq while
    this field can change from IRQ or other cpu.
    
    We need to add READ_ONCE() annotations, and also make
    sure write sides use corresponding WRITE_ONCE() to avoid
    store-tearing.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7209e120966c5557106caed20cb4bb08ab26d5d3
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Mar 12 00:33:21 2021 -0800

    tcp: annotate tp->copied_seq lockless reads
    
    [ Upstream commit 7db48e983930285b765743ebd665aecf9850582b ]
    
    There are few places where we fetch tp->copied_seq while
    this field can change from IRQ or other cpu.
    
    We need to add READ_ONCE() annotations, and also make
    sure write sides use corresponding WRITE_ONCE() to avoid
    store-tearing.
    
    Note that tcp_inq_hint() was already using READ_ONCE(tp->copied_seq)
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5a94173fa19229504653f7f7b35c1b3aebf665e6
Author: Lorenzo Bianconi <lorenzo@kernel.org>
Date:   Sun Feb 7 12:48:31 2021 +0100

    mt76: dma: do not report truncated frames to mac80211
    
    commit d0bd52c591a1070c54dc428e926660eb4f981099 upstream.
    
    Commit b102f0c522cf6 ("mt76: fix array overflow on receiving too many
    fragments for a packet") fixes a possible OOB access but it introduces a
    memory leak since the pending frame is not released to page_frag_cache
    if the frag array of skb_shared_info is full. Commit 93a1d4791c10
    ("mt76: dma: fix a possible memory leak in mt76_add_fragment()") fixes
    the issue but does not free the truncated skb that is forwarded to
    mac80211 layer. Fix the leftover issue discarding even truncated skbs.
    
    Fixes: 93a1d4791c10 ("mt76: dma: fix a possible memory leak in mt76_add_fragment()")
    Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/a03166fcc8214644333c68674a781836e0f57576.1612697217.git.lorenzo@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 072d8778f66ccc8452e82db6d1e83b315466fa81
Author: Vasily Averin <vvs@virtuozzo.com>
Date:   Sat Feb 27 11:27:45 2021 +0300

    netfilter: x_tables: gpf inside xt_find_revision()
    
    commit 8e24edddad152b998b37a7f583175137ed2e04a5 upstream.
    
    nested target/match_revfn() calls work with xt[NFPROTO_UNSPEC] lists
    without taking xt[NFPROTO_UNSPEC].mutex. This can race with module unload
    and cause host to crash:
    
    general protection fault: 0000 [#1]
    Modules linked in: ... [last unloaded: xt_cluster]
    CPU: 0 PID: 542455 Comm: iptables
    RIP: 0010:[<ffffffff8ffbd518>]  [<ffffffff8ffbd518>] strcmp+0x18/0x40
    RDX: 0000000000000003 RSI: ffff9a5a5d9abe10 RDI: dead000000000111
    R13: ffff9a5a5d9abe10 R14: ffff9a5a5d9abd8c R15: dead000000000100
    (VvS: %R15 -- &xt_match,  %RDI -- &xt_match.name,
    xt_cluster unregister match in xt[NFPROTO_UNSPEC].match list)
    Call Trace:
     [<ffffffff902ccf44>] match_revfn+0x54/0xc0
     [<ffffffff902ccf9f>] match_revfn+0xaf/0xc0
     [<ffffffff902cd01e>] xt_find_revision+0x6e/0xf0
     [<ffffffffc05a5be0>] do_ipt_get_ctl+0x100/0x420 [ip_tables]
     [<ffffffff902cc6bf>] nf_getsockopt+0x4f/0x70
     [<ffffffff902dd99e>] ip_getsockopt+0xde/0x100
     [<ffffffff903039b5>] raw_getsockopt+0x25/0x50
     [<ffffffff9026c5da>] sock_common_getsockopt+0x1a/0x20
     [<ffffffff9026b89d>] SyS_getsockopt+0x7d/0xf0
     [<ffffffff903cbf92>] system_call_fastpath+0x25/0x2a
    
    Fixes: 656caff20e1 ("netfilter 04/09: x_tables: fix match/target revision lookup")
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Reviewed-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a2937d8fffdd070333e6abcabb4827032d437f8
Author: Joakim Zhang <qiangqing.zhang@nxp.com>
Date:   Thu Feb 18 19:00:36 2021 +0800

    can: flexcan: enable RX FIFO after FRZ/HALT valid
    
    commit ec15e27cc8904605846a354bb1f808ea1432f853 upstream.
    
    RX FIFO enable failed could happen when do system reboot stress test:
    
    [    0.303958] flexcan 5a8d0000.can: 5a8d0000.can supply xceiver not found, using dummy regulator
    [    0.304281] flexcan 5a8d0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
    [    0.314640] flexcan 5a8d0000.can: registering netdev failed
    [    0.320728] flexcan 5a8e0000.can: 5a8e0000.can supply xceiver not found, using dummy regulator
    [    0.320991] flexcan 5a8e0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
    [    0.331360] flexcan 5a8e0000.can: registering netdev failed
    [    0.337444] flexcan 5a8f0000.can: 5a8f0000.can supply xceiver not found, using dummy regulator
    [    0.337716] flexcan 5a8f0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
    [    0.348117] flexcan 5a8f0000.can: registering netdev failed
    
    RX FIFO should be enabled after the FRZ/HALT are valid. But the current
    code enable RX FIFO and FRZ/HALT at the same time.
    
    Fixes: e955cead03117 ("CAN: Add Flexcan CAN controller driver")
    Link: https://lore.kernel.org/r/20210218110037.16591-3-qiangqing.zhang@nxp.com
    Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f5db2131612953474e7476a0841384986b05670c
Author: Joakim Zhang <qiangqing.zhang@nxp.com>
Date:   Thu Feb 18 19:00:35 2021 +0800

    can: flexcan: assert FRZ bit in flexcan_chip_freeze()
    
    commit 449052cfebf624b670faa040245d3feed770d22f upstream.
    
    Assert HALT bit to enter freeze mode, there is a premise that FRZ bit is
    asserted. This patch asserts FRZ bit in flexcan_chip_freeze, although
    the reset value is 1b'1. This is a prepare patch, later patch will
    invoke flexcan_chip_freeze() to enter freeze mode, which polling freeze
    mode acknowledge.
    
    Fixes: b1aa1c7a2165b ("can: flexcan: fix transition from and to freeze mode in chip_{,un}freeze")
    Link: https://lore.kernel.org/r/20210218110037.16591-2-qiangqing.zhang@nxp.com
    Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d7ca4e9bdf094ea4398941166d8032733c96e666
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Feb 26 10:24:56 2021 +0100

    can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership
    
    commit e940e0895a82c6fbaa259f2615eb52b57ee91a7e upstream.
    
    There are two ref count variables controlling the free()ing of a socket:
    - struct sock::sk_refcnt - which is changed by sock_hold()/sock_put()
    - struct sock::sk_wmem_alloc - which accounts the memory allocated by
      the skbs in the send path.
    
    In case there are still TX skbs on the fly and the socket() is closed,
    the struct sock::sk_refcnt reaches 0. In the TX-path the CAN stack
    clones an "echo" skb, calls sock_hold() on the original socket and
    references it. This produces the following back trace:
    
    | WARNING: CPU: 0 PID: 280 at lib/refcount.c:25 refcount_warn_saturate+0x114/0x134
    | refcount_t: addition on 0; use-after-free.
    | Modules linked in: coda_vpu(E) v4l2_jpeg(E) videobuf2_vmalloc(E) imx_vdoa(E)
    | CPU: 0 PID: 280 Comm: test_can.sh Tainted: G            E     5.11.0-04577-gf8ff6603c617 #203
    | Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
    | Backtrace:
    | [<80bafea4>] (dump_backtrace) from [<80bb0280>] (show_stack+0x20/0x24) r7:00000000 r6:600f0113 r5:00000000 r4:81441220
    | [<80bb0260>] (show_stack) from [<80bb593c>] (dump_stack+0xa0/0xc8)
    | [<80bb589c>] (dump_stack) from [<8012b268>] (__warn+0xd4/0x114) r9:00000019 r8:80f4a8c2 r7:83e4150c r6:00000000 r5:00000009 r4:80528f90
    | [<8012b194>] (__warn) from [<80bb09c4>] (warn_slowpath_fmt+0x88/0xc8) r9:83f26400 r8:80f4a8d1 r7:00000009 r6:80528f90 r5:00000019 r4:80f4a8c2
    | [<80bb0940>] (warn_slowpath_fmt) from [<80528f90>] (refcount_warn_saturate+0x114/0x134) r8:00000000 r7:00000000 r6:82b44000 r5:834e5600 r4:83f4d540
    | [<80528e7c>] (refcount_warn_saturate) from [<8079a4c8>] (__refcount_add.constprop.0+0x4c/0x50)
    | [<8079a47c>] (__refcount_add.constprop.0) from [<8079a57c>] (can_put_echo_skb+0xb0/0x13c)
    | [<8079a4cc>] (can_put_echo_skb) from [<8079ba98>] (flexcan_start_xmit+0x1c4/0x230) r9:00000010 r8:83f48610 r7:0fdc0000 r6:0c080000 r5:82b44000 r4:834e5600
    | [<8079b8d4>] (flexcan_start_xmit) from [<80969078>] (netdev_start_xmit+0x44/0x70) r9:814c0ba0 r8:80c8790c r7:00000000 r6:834e5600 r5:82b44000 r4:82ab1f00
    | [<80969034>] (netdev_start_xmit) from [<809725a4>] (dev_hard_start_xmit+0x19c/0x318) r9:814c0ba0 r8:00000000 r7:82ab1f00 r6:82b44000 r5:00000000 r4:834e5600
    | [<80972408>] (dev_hard_start_xmit) from [<809c6584>] (sch_direct_xmit+0xcc/0x264) r10:834e5600 r9:00000000 r8:00000000 r7:82b44000 r6:82ab1f00 r5:834e5600 r4:83f27400
    | [<809c64b8>] (sch_direct_xmit) from [<809c6c0c>] (__qdisc_run+0x4f0/0x534)
    
    To fix this problem, only set skb ownership to sockets which have still
    a ref count > 0.
    
    Fixes: 0ae89beb283a ("can: add destructor for self generated skbs")
    Cc: Oliver Hartkopp <socketcan@hartkopp.net>
    Cc: Andre Naujoks <nautsch2@gmail.com>
    Link: https://lore.kernel.org/r/20210226092456.27126-1-o.rempel@pengutronix.de
    Suggested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6eef125294f50a3bd68de12263073a1abba7ab70
Author: Maxim Mikityanskiy <maximmi@mellanox.com>
Date:   Thu Feb 21 12:39:58 2019 +0000

    net: Introduce parse_protocol header_ops callback
    
    commit e78b2915517e8fcadb1bc130ad6aeac7099e510c upstream.
    
    Introduce a new optional header_ops callback called parse_protocol and a
    wrapper function dev_parse_header_protocol, similar to dev_parse_header.
    
    The new callback's purpose is to extract the protocol number from the L2
    header, the format of which is known to the driver, but not to the upper
    layers of the stack.
    
    Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e5008f2e9157247e7758d8f19707033a2956e08c
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Fri Feb 26 22:22:48 2021 +0100

    net: Fix gro aggregation for udp encaps with zero csum
    
    commit 89e5c58fc1e2857ccdaae506fb8bc5fed57ee063 upstream.
    
    We noticed a GRO issue for UDP-based encaps such as vxlan/geneve when the
    csum for the UDP header itself is 0. In that case, GRO aggregation does
    not take place on the phys dev, but instead is deferred to the vxlan/geneve
    driver (see trace below).
    
    The reason is essentially that GRO aggregation bails out in udp_gro_receive()
    for such case when drivers marked the skb with CHECKSUM_UNNECESSARY (ice, i40e,
    others) where for non-zero csums 2abb7cdc0dc8 ("udp: Add support for doing
    checksum unnecessary conversion") promotes those skbs to CHECKSUM_COMPLETE
    and napi context has csum_valid set. This is however not the case for zero
    UDP csum (here: csum_cnt is still 0 and csum_valid continues to be false).
    
    At the same time 57c67ff4bd92 ("udp: additional GRO support") added matches
    on !uh->check ^ !uh2->check as part to determine candidates for aggregation,
    so it certainly is expected to handle zero csums in udp_gro_receive(). The
    purpose of the check added via 662880f44203 ("net: Allow GRO to use and set
    levels of checksum unnecessary") seems to catch bad csum and stop aggregation
    right away.
    
    One way to fix aggregation in the zero case is to only perform the !csum_valid
    check in udp_gro_receive() if uh->check is infact non-zero.
    
    Before:
    
      [...]
      swapper     0 [008]   731.946506: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100400 len=1500   (1)
      swapper     0 [008]   731.946507: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100200 len=1500
      swapper     0 [008]   731.946507: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101100 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101700 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101b00 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100600 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100f00 len=1500
      swapper     0 [008]   731.946509: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100a00 len=1500
      swapper     0 [008]   731.946516: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100500 len=1500
      swapper     0 [008]   731.946516: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100700 len=1500
      swapper     0 [008]   731.946516: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101d00 len=1500   (2)
      swapper     0 [008]   731.946517: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101000 len=1500
      swapper     0 [008]   731.946517: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101c00 len=1500
      swapper     0 [008]   731.946517: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101400 len=1500
      swapper     0 [008]   731.946518: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100e00 len=1500
      swapper     0 [008]   731.946518: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101600 len=1500
      swapper     0 [008]   731.946521: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100800 len=774
      swapper     0 [008]   731.946530: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff966497100400 len=14032 (1)
      swapper     0 [008]   731.946530: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff966497101d00 len=9112  (2)
      [...]
    
      # netperf -H 10.55.10.4 -t TCP_STREAM -l 20
      MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.55.10.4 () port 0 AF_INET : demo
      Recv   Send    Send
      Socket Socket  Message  Elapsed
      Size   Size    Size     Time     Throughput
      bytes  bytes   bytes    secs.    10^6bits/sec
    
       87380  16384  16384    20.01    13129.24
    
    After:
    
      [...]
      swapper     0 [026]   521.862641: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff93ab0d479000 len=11286 (1)
      swapper     0 [026]   521.862643: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff93ab0d479000 len=11236 (1)
      swapper     0 [026]   521.862650: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff93ab0d478500 len=2898  (2)
      swapper     0 [026]   521.862650: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff93ab0d479f00 len=8490  (3)
      swapper     0 [026]   521.862653: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff93ab0d478500 len=2848  (2)
      swapper     0 [026]   521.862653: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff93ab0d479f00 len=8440  (3)
      [...]
    
      # netperf -H 10.55.10.4 -t TCP_STREAM -l 20
      MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.55.10.4 () port 0 AF_INET : demo
      Recv   Send    Send
      Socket Socket  Message  Elapsed
      Size   Size    Size     Time     Throughput
      bytes  bytes   bytes    secs.    10^6bits/sec
    
       87380  16384  16384    20.01    24576.53
    
    Fixes: 57c67ff4bd92 ("udp: additional GRO support")
    Fixes: 662880f44203 ("net: Allow GRO to use and set levels of checksum unnecessary")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
    Cc: Tom Herbert <tom@herbertland.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Acked-by: John Fastabend <john.fastabend@gmail.com>
    Link: https://lore.kernel.org/r/20210226212248.8300-1-daniel@iogearbox.net
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 66f38d74d6cde40e5b93bec2c9def12259abd8db
Author: Felix Fietkau <nbd@nbd.name>
Date:   Sun Feb 14 19:49:11 2021 +0100

    ath9k: fix transmitting to stations in dynamic SMPS mode
    
    commit 3b9ea7206d7e1fdd7419cbd10badd3b2c80d04b4 upstream.
    
    When transmitting to a receiver in dynamic SMPS mode, all transmissions that
    use multiple spatial streams need to be sent using CTS-to-self or RTS/CTS to
    give the receiver's extra chains some time to wake up.
    This fixes the tx rate getting stuck at <= MCS7 for some clients, especially
    Intel ones, which make aggressive use of SMPS.
    
    Cc: stable@vger.kernel.org
    Reported-by: Martin Kennedy <hurricos@gmail.com>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20210214184911.96702-1-nbd@nbd.name
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 67158e6078e517c2a78889909a1a60717073767d
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Fri Mar 5 14:17:29 2021 -0800

    ethernet: alx: fix order of calls on resume
    
    commit a4dcfbc4ee2218abd567d81d795082d8d4afcdf6 upstream.
    
    netif_device_attach() will unpause the queues so we can't call
    it before __alx_open(). This went undetected until
    commit b0999223f224 ("alx: add ability to allocate and free
    alx_napi structures") but now if stack tries to xmit immediately
    on resume before __alx_open() we'll crash on the NAPI being null:
    
     BUG: kernel NULL pointer dereference, address: 0000000000000198
     CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G           OE 5.10.0-3-amd64 #1 Debian 5.10.13-1
     Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77-D3H, BIOS F15 11/14/2013
     RIP: 0010:alx_start_xmit+0x34/0x650 [alx]
     Code: 41 56 41 55 41 54 55 53 48 83 ec 20 0f b7 57 7c 8b 8e b0
    0b 00 00 39 ca 72 06 89 d0 31 d2 f7 f1 89 d2 48 8b 84 df
     RSP: 0018:ffffb09240083d28 EFLAGS: 00010297
     RAX: 0000000000000000 RBX: ffffa04d80ae7800 RCX: 0000000000000004
     RDX: 0000000000000000 RSI: ffffa04d80afa000 RDI: ffffa04e92e92a00
     RBP: 0000000000000042 R08: 0000000000000100 R09: ffffa04ea3146700
     R10: 0000000000000014 R11: 0000000000000000 R12: ffffa04e92e92100
     R13: 0000000000000001 R14: ffffa04e92e92a00 R15: ffffa04e92e92a00
     FS:  0000000000000000(0000) GS:ffffa0508f600000(0000) knlGS:0000000000000000
     i915 0000:00:02.0: vblank wait timed out on crtc 0
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 0000000000000198 CR3: 000000004460a001 CR4: 00000000001706f0
     Call Trace:
      dev_hard_start_xmit+0xc7/0x1e0
      sch_direct_xmit+0x10f/0x310
    
    Cc: <stable@vger.kernel.org> # 4.9+
    Fixes: bc2bebe8de8e ("alx: remove WoL support")
    Reported-by: Zbynek Michl <zbynek.michl@gmail.com>
    Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983595
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Tested-by: Zbynek Michl <zbynek.michl@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 40333481b20d7b2fff40a89630a47072ecb7b650
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Mon Feb 22 08:00:00 2021 +0000

    uapi: nfnetlink_cthelper.h: fix userspace compilation error
    
    commit c33cb0020ee6dd96cc9976d6085a7d8422f6dbed upstream.
    
    Apparently, <linux/netfilter/nfnetlink_cthelper.h> and
    <linux/netfilter/nfnetlink_acct.h> could not be included into the same
    compilation unit because of a cut-and-paste typo in the former header.
    
    Fixes: 12f7a505331e6 ("netfilter: add user-space connection tracking helper infrastructure")
    Cc: <stable@vger.kernel.org> # v3.6
    Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>