commit b4454811f122c6a0a330ced6b854e6ef32c37857
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Apr 7 12:48:52 2021 +0200

    Linux 4.19.185
    
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Jason Self <jason@bluehome.net>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Hulk Robot <hulkrobot@huawei.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Link: https://lore.kernel.org/r/20210405085022.562176619@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5369cc42ab21a93cbc9a8f3f8c7a004bbe023178
Author: Du Cheng <ducheng2@gmail.com>
Date:   Fri Mar 12 16:14:21 2021 +0800

    drivers: video: fbcon: fix NULL dereference in fbcon_cursor()
    
    commit 01faae5193d6190b7b3aa93dae43f514e866d652 upstream.
    
    add null-check on function pointer before dereference on ops->cursor
    
    Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Du Cheng <ducheng2@gmail.com>
    Link: https://lore.kernel.org/r/20210312081421.452405-1-ducheng2@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7eb9eb82fc0287810ea23f5f84c40e7e4701b11f
Author: Atul Gopinathan <atulgopinathan@gmail.com>
Date:   Tue Mar 23 17:04:14 2021 +0530

    staging: rtl8192e: Change state information from u16 to u8
    
    commit e78836ae76d20f38eed8c8c67f21db97529949da upstream.
    
    The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4
    bytes in total while the operations performed on this array through-out
    the code base are only 2 bytes.
    
    The "CcxRmState" field is fed only 2 bytes of data using memcpy():
    
    (In rtllib_rx.c:1972)
            memcpy(network->CcxRmState, &info_element->data[4], 2)
    
    With "info_element->data[]" being a u8 array, if 2 bytes are written
    into "CcxRmState" (whose one element is u16 size), then the 2 u8
    elements from "data[]" gets squashed and written into the first element
    ("CcxRmState[0]") while the second element ("CcxRmState[1]") is never
    fed with any data.
    
    Same in file rtllib_rx.c:2522:
             memcpy(dst->CcxRmState, src->CcxRmState, 2);
    
    The above line duplicates "src" data to "dst" but only writes 2 bytes
    (and not 4, which is the actual size). Again, only 1st element gets the
    value while the 2nd element remains uninitialized.
    
    This later makes operations done with CcxRmState unpredictable in the
    following lines as the 1st element is having a squashed number while the
    2nd element is having an uninitialized random number.
    
    rtllib_rx.c:1973:    if (network->CcxRmState[0] != 0)
    rtllib_rx.c:1977:    network->MBssidMask = network->CcxRmState[1] & 0x07;
    
    network->MBssidMask is also of type u8 and not u16.
    
    Fix this by changing the type of "CcxRmState" from u16 to u8 so that the
    data written into this array and read from it make sense and are not
    random values.
    
    NOTE: The wrong initialization of "CcxRmState" can be seen in the
    following commit:
    
    commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")
    
    The above commit created a file `rtl8192e/ieee80211.h` which used to
    have the faulty line. The file has been deleted (or possibly renamed)
    with the contents copied in to a new file `rtl8192e/rtllib.h` along with
    additional code in the commit 94a799425eee (tagged in Fixes).
    
    Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
    Cc: stable@vger.kernel.org
    Signed-off-by: Atul Gopinathan <atulgopinathan@gmail.com>
    Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8c745f10167b2cd84231dca9cc7c5232f5bfad55
Author: Atul Gopinathan <atulgopinathan@gmail.com>
Date:   Tue Mar 23 17:04:12 2021 +0530

    staging: rtl8192e: Fix incorrect source in memcpy()
    
    commit 72ad25fbbb78930f892b191637359ab5b94b3190 upstream.
    
    The variable "info_element" is of the following type:
    
            struct rtllib_info_element *info_element
    
    defined in drivers/staging/rtl8192e/rtllib.h:
    
            struct rtllib_info_element {
                    u8 id;
                    u8 len;
                    u8 data[];
            } __packed;
    
    The "len" field defines the size of the "data[]" array. The code is
    supposed to check if "info_element->len" is greater than 4 and later
    equal to 6. If this is satisfied then, the last two bytes (the 4th and
    5th element of u8 "data[]" array) are copied into "network->CcxRmState".
    
    Right now the code uses "memcpy()" with the source as "&info_element[4]"
    which would copy in wrong and unintended information. The struct
    "rtllib_info_element" has a size of 2 bytes for "id" and "len",
    therefore indexing will be done in interval of 2 bytes. So,
    "info_element[4]" would point to data which is beyond the memory
    allocated for this pointer (that is, at x+8, while "info_element" has
    been allocated only from x to x+7 (2 + 6 => 8 bytes)).
    
    This patch rectifies this error by using "&info_element->data[4]" which
    correctly copies the last two bytes of "data[]".
    
    NOTE: The faulty line of code came from the following commit:
    
    commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")
    
    The above commit created the file `rtl8192e/ieee80211/ieee80211_rx.c`
    which had the faulty line of code. This file has been deleted (or
    possibly renamed) with the contents copied in to a new file
    `rtl8192e/rtllib_rx.c` along with additional code in the commit
    94a799425eee (tagged in Fixes).
    
    Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
    Cc: stable@vger.kernel.org
    Signed-off-by: Atul Gopinathan <atulgopinathan@gmail.com>
    Link: https://lore.kernel.org/r/20210323113413.29179-1-atulgopinathan@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ecfcbf237d8c609ae148bde05b03cfd81a7c01e4
Author: Artur Petrosyan <Arthur.Petrosyan@synopsys.com>
Date:   Fri Mar 26 14:24:46 2021 +0400

    usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board.
    
    commit 5e3bbae8ee3d677a0aa2919dc62b5c60ea01ba61 upstream.
    
    Increased the waiting timeout for HPRT0.PrtSusp register field
    to be set, because on HiKey 960 board HPRT0.PrtSusp wasn't
    generated with the existing timeout.
    
    Cc: <stable@vger.kernel.org> # 4.18
    Fixes: 22bb5cfdf13a ("usb: dwc2: Fix host exit from hibernation flow.")
    Signed-off-by: Artur Petrosyan <Arthur.Petrosyan@synopsys.com>
    Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
    Link: https://lore.kernel.org/r/20210326102447.8F7FEA005D@mailhost.synopsys.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 45590624bf389fff5ac10664c153991e36a1ef59
Author: Tong Zhang <ztong0001@gmail.com>
Date:   Wed Mar 17 19:04:00 2021 -0400

    usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference
    
    commit 72035f4954f0bca2d8c47cf31b3629c42116f5b7 upstream.
    
    init_dma_pools() calls dma_pool_create(...dev->dev) to create dma pool.
    however, dev->dev is actually set after calling init_dma_pools(), which
    effectively makes dma_pool_create(..NULL) and cause crash.
    To fix this issue, init dma only after dev->dev is set.
    
    [    1.317993] RIP: 0010:dma_pool_create+0x83/0x290
    [    1.323257] Call Trace:
    [    1.323390]  ? pci_write_config_word+0x27/0x30
    [    1.323626]  init_dma_pools+0x41/0x1a0 [snps_udc_core]
    [    1.323899]  udc_pci_probe+0x202/0x2b1 [amd5536udc_pci]
    
    Fixes: 7c51247a1f62 (usb: gadget: udc: Provide correct arguments for 'dma_pool_create')
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Tong Zhang <ztong0001@gmail.com>
    Link: https://lore.kernel.org/r/20210317230400.357756-1-ztong0001@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 27b936e21df6d2dadefac8d0977653e4fd3df1fe
Author: Johan Hovold <johan@kernel.org>
Date:   Mon Mar 22 16:53:12 2021 +0100

    USB: cdc-acm: fix use-after-free after probe failure
    
    commit 4e49bf376c0451ad2eae2592e093659cde12be9a upstream.
    
    If tty-device registration fails the driver would fail to release the
    data interface. When the device is later disconnected, the disconnect
    callback would still be called for the data interface and would go about
    releasing already freed resources.
    
    Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()")
    Cc: stable@vger.kernel.org      # 3.9
    Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
    Acked-by: Oliver Neukum <oneukum@suse.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Link: https://lore.kernel.org/r/20210322155318.9837-3-johan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3d45948f5ebd4b3b4c1e137408c4ebea080bf209
Author: Johan Hovold <johan@kernel.org>
Date:   Mon Mar 22 16:53:11 2021 +0100

    USB: cdc-acm: fix double free on probe failure
    
    commit 7180495cb3d0e2a2860d282a468b4146c21da78f upstream.
    
    If tty-device registration fails the driver copy of any Country
    Selection functional descriptor would end up being freed twice; first
    explicitly in the error path and then again in the tty-port destructor.
    
    Drop the first erroneous free that was left when fixing a tty-port
    resource leak.
    
    Fixes: cae2bc768d17 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")
    Cc: stable@vger.kernel.org      # 4.19
    Cc: Jaejoong Kim <climbbb.kim@gmail.com>
    Acked-by: Oliver Neukum <oneukum@suse.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Link: https://lore.kernel.org/r/20210322155318.9837-2-johan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7a9231e30c8faf49c403d56f9de1b680a5a18398
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Mar 11 14:01:26 2021 +0100

    USB: cdc-acm: downgrade message to debug
    
    commit e4c77070ad45fc940af1d7fb1e637c349e848951 upstream.
    
    This failure is so common that logging an error here amounts
    to spamming log files.
    
    Reviewed-by: Bruno Thomsen <bruno.thomsen@gmail.com>
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210311130126.15972-2-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 42765dad5cba273619cb17270aa507def5b459d3
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Mar 11 14:01:25 2021 +0100

    USB: cdc-acm: untangle a circular dependency between callback and softint
    
    commit 6069e3e927c8fb3a1947b07d1a561644ea960248 upstream.
    
    We have a cycle of callbacks scheduling works which submit
    URBs with thos callbacks. This needs to be blocked, stopped
    and unblocked to untangle the circle.
    
    The issue leads to faults like:
    
    [   55.068392] Unable to handle kernel paging request at virtual address 6b6b6c03
    [   55.075624] pgd = be866494
    [   55.078335] [6b6b6c03] *pgd=00000000
    [   55.081924] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
    [   55.087238] Modules linked in: ppp_async crc_ccitt ppp_generic slhc
    xt_TCPMSS xt_tcpmss xt_hl nf_log_ipv6 nf_log_ipv4 nf_log_common
    xt_policy xt_limit xt_conntrack xt_tcpudp xt_pkttype ip6table_mangle
    iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
    iptable_mangle ip6table_filter ip6_tables iptable_filter ip_tables
    des_generic md5 sch_fq_codel cdc_mbim cdc_wdm cdc_ncm usbnet mii
    cdc_acm usb_storage ip_tunnel xfrm_user xfrm6_tunnel tunnel6
    xfrm4_tunnel tunnel4 esp6 esp4 ah6 ah4 xfrm_algo xt_LOG xt_LED
    xt_comment x_tables ipv6
    [   55.134954] CPU: 0 PID: 82 Comm: kworker/0:2 Tainted: G
       T 5.8.17 #1
    [   55.142526] Hardware name: Freescale i.MX7 Dual (Device Tree)
    [   55.148304] Workqueue: events acm_softint [cdc_acm]
    [   55.153196] PC is at kobject_get+0x10/0xa4
    [   55.157302] LR is at usb_get_dev+0x14/0x1c
    [   55.161402] pc : [<8047c06c>]    lr : [<80560448>]    psr: 20000193
    [   55.167671] sp : bca39ea8  ip : 00007374  fp : bf6cbd80
    [   55.172899] r10: 00000000  r9 : bdd92284  r8 : bdd92008
    [   55.178128] r7 : 6b6b6b6b  r6 : fffffffe  r5 : 60000113  r4 : 6b6b6be3
    [   55.184658] r3 : 6b6b6b6b  r2 : 00000111  r1 : 00000000  r0 : 6b6b6be3
    [   55.191191] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM Segment none
    [   55.198417] Control: 10c5387d  Table: bcf0c06a  DAC: 00000051
    [   55.204168] Process kworker/0:2 (pid: 82, stack limit = 0x9bdd2a89)
    [   55.210439] Stack: (0xbca39ea8 to 0xbca3a000)
    [   55.214805] 9ea0:                   bf6cbd80 80769a50 6b6b6b6b 80560448 bdeb0500 8056bfe8
    [   55.222991] 9ec0: 00000002 b76da000 00000000 bdeb0500 bdd92448 bca38000 bdeb0510 8056d69c
    [   55.231177] 9ee0: bca38000 00000000 80c050fc 00000000 bca39f44 09d42015 00000000 00000001
    [   55.239363] 9f00: bdd92448 bdd92438 bdd92000 7f1158c4 bdd92448 bca2ee00 bf6cbd80 bf6cef00
    [   55.247549] 9f20: 00000000 00000000 00000000 801412d8 bf6cbd98 80c03d00 bca2ee00 bf6cbd80
    [   55.255735] 9f40: bca2ee14 bf6cbd98 80c03d00 00000008 bca38000 80141568 00000000 80c446ae
    [   55.263921] 9f60: 00000000 bc9ed880 bc9f0700 bca38000 bc117eb4 80141524 bca2ee00 bc9ed8a4
    [   55.272107] 9f80: 00000000 80147cc8 00000000 bc9f0700 80147b84 00000000 00000000 00000000
    [   55.280292] 9fa0: 00000000 00000000 00000000 80100148 00000000 00000000 00000000 00000000
    [   55.288477] 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    [   55.296662] 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
    [   55.304860] [<8047c06c>] (kobject_get) from [<80560448>] (usb_get_dev+0x14/0x1c)
    [   55.312271] [<80560448>] (usb_get_dev) from [<8056bfe8>] (usb_hcd_unlink_urb+0x50/0xd8)
    [   55.320286] [<8056bfe8>] (usb_hcd_unlink_urb) from [<8056d69c>] (usb_kill_urb.part.0+0x44/0xd0)
    [   55.329004] [<8056d69c>] (usb_kill_urb.part.0) from [<7f1158c4>] (acm_softint+0x4c/0x10c [cdc_acm])
    [   55.338082] [<7f1158c4>] (acm_softint [cdc_acm]) from [<801412d8>] (process_one_work+0x19c/0x3e8)
    [   55.346969] [<801412d8>] (process_one_work) from [<80141568>] (worker_thread+0x44/0x4dc)
    [   55.355072] [<80141568>] (worker_thread) from [<80147cc8>] (kthread+0x144/0x180)
    [   55.362481] [<80147cc8>] (kthread) from [<80100148>] (ret_from_fork+0x14/0x2c)
    [   55.369706] Exception stack(0xbca39fb0 to 0xbca39ff8)
    
    Tested-by: Bruno Thomsen <bruno.thomsen@gmail.com>
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210311130126.15972-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1e63430a1fe941e537e4dba96944326576dd4f4d
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Mar 11 14:37:14 2021 +0100

    cdc-acm: fix BREAK rx code path adding necessary calls
    
    commit 08dff274edda54310d6f1cf27b62fddf0f8d146e upstream.
    
    Counting break events is nice but we should actually report them to
    the tty layer.
    
    Fixes: 5a6a62bdb9257 ("cdc-acm: add TIOCMIWAIT")
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Link: https://lore.kernel.org/r/20210311133714.31881-1-oneukum@suse.com
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d8ae07e00afc91f8f94730e2916a9251e7c03c62
Author: Chunfeng Yun <chunfeng.yun@mediatek.com>
Date:   Tue Mar 23 15:02:46 2021 +0800

    usb: xhci-mtk: fix broken streams issue on 0.96 xHCI
    
    commit 6f978a30c9bb12dab1302d0f06951ee290f5e600 upstream.
    
    The MediaTek 0.96 xHCI controller on some platforms does not
    support bulk stream even HCCPARAMS says supporting, due to MaxPSASize
    is set a default value 1 by mistake, here use XHCI_BROKEN_STREAMS
    quirk to fix it.
    
    Fixes: 94a631d91ad3 ("usb: xhci-mtk: check hcc_params after adding primary hcd")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
    Link: https://lore.kernel.org/r/1616482975-17841-4-git-send-email-chunfeng.yun@mediatek.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8bcd7958a34401dc21c9c66d0062cf34b9e6a6a5
Author: Tony Lindgren <tony@atomide.com>
Date:   Wed Mar 24 09:11:41 2021 +0200

    usb: musb: Fix suspend with devices connected for a64
    
    commit 92af4fc6ec331228aca322ca37c8aea7b150a151 upstream.
    
    Pinephone running on Allwinner A64 fails to suspend with USB devices
    connected as reported by Bhushan Shah <bshah@kde.org>. Reverting
    commit 5fbf7a253470 ("usb: musb: fix idling for suspend after
    disconnect interrupt") fixes the issue.
    
    Let's add suspend checks also for suspend after disconnect interrupt
    quirk handling like we already do elsewhere.
    
    Fixes: 5fbf7a253470 ("usb: musb: fix idling for suspend after disconnect interrupt")
    Reported-by: Bhushan Shah <bshah@kde.org>
    Tested-by: Bhushan Shah <bshah@kde.org>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Link: https://lore.kernel.org/r/20210324071142.42264-1-tony@atomide.com
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8753ca82aa1a4afb162ea0e214d6d75d03e2f781
Author: Vincent Palatin <vpalatin@chromium.org>
Date:   Fri Mar 19 13:48:02 2021 +0100

    USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem
    
    commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd upstream.
    
    This LTE modem (M.2 card) has a bug in its power management:
    there is some kind of race condition for U3 wake-up between the host and
    the device. The modem firmware sometimes crashes/locks when both events
    happen at the same time and the modem fully drops off the USB bus (and
    sometimes re-enumerates, sometimes just gets stuck until the next
    reboot).
    
    Tested with the modem wired to the XHCI controller on an AMD 3015Ce
    platform. Without the patch, the modem dropped of the USB bus 5 times in
    3 days. With the quirk, it stayed connected for a week while the
    'runtime_suspended_time' counter incremented as excepted.
    
    Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
    Link: https://lore.kernel.org/r/20210319124802.2315195-1-vpalatin@chromium.org
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 22191cd9e65566eb71eb84fd7a24a42db5c421f5
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Wed Mar 24 17:06:54 2021 -0600

    usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control()
    
    commit 1cc5ed25bdade86de2650a82b2730108a76de20c upstream.
    
    Fix shift out-of-bounds in vhci_hub_control() SetPortFeature handling.
    
    UBSAN: shift-out-of-bounds in drivers/usb/usbip/vhci_hcd.c:605:42
    shift exponent 768 is too large for 32-bit type 'int'
    
    Reported-by: syzbot+3dea30b047f41084de66@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20210324230654.34798-1-skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 89a2c28a3b67c7d918218f57e4bb7b591f7e5d0f
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sat Apr 3 06:58:36 2021 +0000

    firewire: nosy: Fix a use-after-free bug in nosy_ioctl()
    
    [ Upstream commit 829933ef05a951c8ff140e814656d73e74915faf ]
    
    For each device, the nosy driver allocates a pcilynx structure.
    A use-after-free might happen in the following scenario:
    
     1. Open nosy device for the first time and call ioctl with command
        NOSY_IOC_START, then a new client A will be malloced and added to
        doubly linked list.
     2. Open nosy device for the second time and call ioctl with command
        NOSY_IOC_START, then a new client B will be malloced and added to
        doubly linked list.
     3. Call ioctl with command NOSY_IOC_START for client A, then client A
        will be readded to the doubly linked list. Now the doubly linked
        list is messed up.
     4. Close the first nosy device and nosy_release will be called. In
        nosy_release, client A will be unlinked and freed.
     5. Close the second nosy device, and client A will be referenced,
        resulting in UAF.
    
    The root cause of this bug is that the element in the doubly linked list
    is reentered into the list.
    
    Fix this bug by adding a check before inserting a client.  If a client
    is already in the linked list, don't insert it.
    
    The following KASAN report reveals it:
    
       BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210
       Write of size 8 at addr ffff888102ad7360 by task poc
       CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6
       Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
       Call Trace:
         nosy_release+0x1ea/0x210
         __fput+0x1e2/0x840
         task_work_run+0xe8/0x180
         exit_to_user_mode_prepare+0x114/0x120
         syscall_exit_to_user_mode+0x1d/0x40
         entry_SYSCALL_64_after_hwframe+0x44/0xae
    
       Allocated by task 337:
         nosy_open+0x154/0x4d0
         misc_open+0x2ec/0x410
         chrdev_open+0x20d/0x5a0
         do_dentry_open+0x40f/0xe80
         path_openat+0x1cf9/0x37b0
         do_filp_open+0x16d/0x390
         do_sys_openat2+0x11d/0x360
         __x64_sys_open+0xfd/0x1a0
         do_syscall_64+0x33/0x40
         entry_SYSCALL_64_after_hwframe+0x44/0xae
    
       Freed by task 337:
         kfree+0x8f/0x210
         nosy_release+0x158/0x210
         __fput+0x1e2/0x840
         task_work_run+0xe8/0x180
         exit_to_user_mode_prepare+0x114/0x120
         syscall_exit_to_user_mode+0x1d/0x40
         entry_SYSCALL_64_after_hwframe+0x44/0xae
    
       The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128
       The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)
    
    [ Modified to use 'list_empty()' inside proper lock  - Linus ]
    
    Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/
    Reported-and-tested-by: 马哲宇 (Zheyu Ma) <zheyuma97@gmail.com>
    Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
    Cc: Greg Kroah-Hartman <greg@kroah.com>
    Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1c0c462130a51af92e04d0c4989c351793d59633
Author: Dinghao Liu <dinghao.liu@zju.edu.cn>
Date:   Tue Jan 19 16:10:55 2021 +0800

    extcon: Fix error handling in extcon_dev_register
    
    [ Upstream commit d3bdd1c3140724967ca4136755538fa7c05c2b4e ]
    
    When devm_kcalloc() fails, we should execute device_unregister()
    to unregister edev->dev from system.
    
    Fixes: 046050f6e623e ("extcon: Update the prototype of extcon_register_notifier() with enum extcon")
    Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
    Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a9807cc346257489fda17a40b6d212aa0c18fe36
Author: Krzysztof Kozlowski <krzk@kernel.org>
Date:   Thu Dec 31 09:52:52 2020 +0100

    extcon: Add stubs for extcon_register_notifier_all() functions
    
    [ Upstream commit c9570d4a5efd04479b3cd09c39b571eb031d94f4 ]
    
    Add stubs for extcon_register_notifier_all() function for !CONFIG_EXTCON
    case.  This is useful for compile testing and for drivers which use
    EXTCON but do not require it (therefore do not depend on CONFIG_EXTCON).
    
    Fixes: 815429b39d94 ("extcon: Add new extcon_register_notifier_all() to monitor all external connectors")
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
    Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 09c94402ce6fe769e54fd2b28bc78cdb205f116b
Author: Wang Panzhenzhuan <randy.wang@rock-chips.com>
Date:   Tue Feb 23 18:07:25 2021 +0800

    pinctrl: rockchip: fix restore error in resume
    
    commit c971af25cda94afe71617790826a86253e88eab0 upstream.
    
    The restore in resume should match to suspend which only set for RK3288
    SoCs pinctrl.
    
    Fixes: 8dca933127024 ("pinctrl: rockchip: save and restore gpio6_c6 pinmux in suspend/resume")
    Reviewed-by: Jianqun Xu <jay.xu@rock-chips.com>
    Reviewed-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Wang Panzhenzhuan <randy.wang@rock-chips.com>
    Signed-off-by: Jianqun Xu <jay.xu@rock-chips.com>
    Link: https://lore.kernel.org/r/20210223100725.269240-1-jay.xu@rock-chips.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfb13004eda3bc659ad1e8f2402d556fa40ea8e1
Author: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date:   Sun Mar 21 23:37:49 2021 +0900

    reiserfs: update reiserfs_xattrs_initialized() condition
    
    commit 5e46d1b78a03d52306f21f77a4e4a144b6d31486 upstream.
    
    syzbot is reporting NULL pointer dereference at reiserfs_security_init()
    [1], for commit ab17c4f02156c4f7 ("reiserfs: fixup xattr_root caching")
    is assuming that REISERFS_SB(s)->xattr_root != NULL in
    reiserfs_xattr_jcreate_nblocks() despite that commit made
    REISERFS_SB(sb)->priv_root != NULL && REISERFS_SB(s)->xattr_root == NULL
    case possible.
    
    I guess that commit 6cb4aff0a77cc0e6 ("reiserfs: fix oops while creating
    privroot with selinux enabled") wanted to check xattr_root != NULL
    before reiserfs_xattr_jcreate_nblocks(), for the changelog is talking
    about the xattr root.
    
      The issue is that while creating the privroot during mount
      reiserfs_security_init calls reiserfs_xattr_jcreate_nblocks which
      dereferences the xattr root. The xattr root doesn't exist, so we get
      an oops.
    
    Therefore, update reiserfs_xattrs_initialized() to check both the
    privroot and the xattr root.
    
    Link: https://syzkaller.appspot.com/bug?id=8abaedbdeb32c861dc5340544284167dd0e46cde # [1]
    Reported-and-tested-by: syzbot <syzbot+690cb1e51970435f9775@syzkaller.appspotmail.com>
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Fixes: 6cb4aff0a77c ("reiserfs: fix oops while creating privroot with selinux enabled")
    Acked-by: Jeff Mahoney <jeffm@suse.com>
    Acked-by: Jan Kara <jack@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1dc36738242a0b5441fa3457c1d4f37b42f5c805
Author: Xℹ Ruoyao <xry111@mengyan1223.wang>
Date:   Tue Mar 30 23:33:34 2021 +0800

    drm/amdgpu: check alignment on CPU page for bo map
    
    commit e3512fb67093fabdf27af303066627b921ee9bd8 upstream.
    
    The page table of AMDGPU requires an alignment to CPU page so we should
    check ioctl parameters for it.  Return -EINVAL if some parameter is
    unaligned to CPU page, instead of corrupt the page table sliently.
    
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Xi Ruoyao <xry111@mengyan1223.wang>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a01ad85e8cd46abc8579f9da859351f3b5447eb5
Author: Nirmoy Das <nirmoy.das@amd.com>
Date:   Fri Mar 26 16:08:10 2021 +0100

    drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings()
    
    commit 5e61b84f9d3ddfba73091f9fbc940caae1c9eb22 upstream.
    
    Offset calculation wasn't correct as start addresses are in pfn
    not in bytes.
    
    CC: stable@vger.kernel.org
    Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7d1b3f635a6ad5137c06a1ebc7ddade9fe6e9c8c
Author: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Date:   Mon Mar 29 21:42:08 2021 -0700

    mm: fix race by making init_zero_pfn() early_initcall
    
    commit e720e7d0e983bf05de80b231bccc39f1487f0f16 upstream.
    
    There are code paths that rely on zero_pfn to be fully initialized
    before core_initcall.  For example, wq_sysfs_init() is a core_initcall
    function that eventually results in a call to kernel_execve, which
    causes a page fault with a subsequent mmput.  If zero_pfn is not
    initialized by then it may not get cleaned up properly and result in an
    error:
    
      BUG: Bad rss-counter state mm:(ptrval) type:MM_ANONPAGES val:1
    
    Here is an analysis of the race as seen on a MIPS device. On this
    particular MT7621 device (Ubiquiti ER-X), zero_pfn is PFN 0 until
    initialized, at which point it becomes PFN 5120:
    
      1. wq_sysfs_init calls into kobject_uevent_env at core_initcall:
           kobject_uevent_env+0x7e4/0x7ec
           kset_register+0x68/0x88
           bus_register+0xdc/0x34c
           subsys_virtual_register+0x34/0x78
           wq_sysfs_init+0x1c/0x4c
           do_one_initcall+0x50/0x1a8
           kernel_init_freeable+0x230/0x2c8
           kernel_init+0x10/0x100
           ret_from_kernel_thread+0x14/0x1c
    
      2. kobject_uevent_env() calls call_usermodehelper_exec() which executes
         kernel_execve asynchronously.
    
      3. Memory allocations in kernel_execve cause a page fault, bumping the
         MM reference counter:
           add_mm_counter_fast+0xb4/0xc0
           handle_mm_fault+0x6e4/0xea0
           __get_user_pages.part.78+0x190/0x37c
           __get_user_pages_remote+0x128/0x360
           get_arg_page+0x34/0xa0
           copy_string_kernel+0x194/0x2a4
           kernel_execve+0x11c/0x298
           call_usermodehelper_exec_async+0x114/0x194
    
      4. In case zero_pfn has not been initialized yet, zap_pte_range does
         not decrement the MM_ANONPAGES RSS counter and the BUG message is
         triggered shortly afterwards when __mmdrop checks the ref counters:
           __mmdrop+0x98/0x1d0
           free_bprm+0x44/0x118
           kernel_execve+0x160/0x1d8
           call_usermodehelper_exec_async+0x114/0x194
           ret_from_kernel_thread+0x14/0x1c
    
    To avoid races such as described above, initialize init_zero_pfn at
    early_initcall level.  Depending on the architecture, ZERO_PAGE is
    either constant or gets initialized even earlier, at paging_init, so
    there is no issue with initializing zero_pfn earlier.
    
    Link: https://lkml.kernel.org/r/CALCv0x2YqOXEAy2Q=hafjhHCtTHVodChv1qpM=niAXOpqEbt7w@mail.gmail.com
    Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: stable@vger.kernel.org
    Tested-by: 周琰杰 (Zhou Yanjie) <zhouyanjie@wanyeetech.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5363e9b9aaf82730cc57a1943d75528bfceb5888
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Thu Apr 1 13:54:40 2021 -0400

    tracing: Fix stack trace event size
    
    commit 9deb193af69d3fd6dd8e47f292b67c805a787010 upstream.
    
    Commit cbc3b92ce037 fixed an issue to modify the macros of the stack trace
    event so that user space could parse it properly. Originally the stack
    trace format to user space showed that the called stack was a dynamic
    array. But it is not actually a dynamic array, in the way that other
    dynamic event arrays worked, and this broke user space parsing for it. The
    update was to make the array look to have 8 entries in it. Helper
    functions were added to make it parse it correctly, as the stack was
    dynamic, but was determined by the size of the event stored.
    
    Although this fixed user space on how it read the event, it changed the
    internal structure used for the stack trace event. It changed the array
    size from [0] to [8] (added 8 entries). This increased the size of the
    stack trace event by 8 words. The size reserved on the ring buffer was the
    size of the stack trace event plus the number of stack entries found in
    the stack trace. That commit caused the amount to be 8 more than what was
    needed because it did not expect the caller field to have any size. This
    produced 8 entries of garbage (and reading random data) from the stack
    trace event:
    
              <idle>-0       [002] d... 1976396.837549: <stack trace>
     => trace_event_raw_event_sched_switch
     => __traceiter_sched_switch
     => __schedule
     => schedule_idle
     => do_idle
     => cpu_startup_entry
     => secondary_startup_64_no_verify
     => 0xc8c5e150ffff93de
     => 0xffff93de
     => 0
     => 0
     => 0xc8c5e17800000000
     => 0x1f30affff93de
     => 0x00000004
     => 0x200000000
    
    Instead, subtract the size of the caller field from the size of the event
    to make sure that only the amount needed to store the stack trace is
    reserved.
    
    Link: https://lore.kernel.org/lkml/your-ad-here.call-01617191565-ext-9692@work.hours/
    
    Cc: stable@vger.kernel.org
    Fixes: cbc3b92ce037 ("tracing: Set kernel_stack's caller size properly")
    Reported-by: Vasily Gorbik <gor@linux.ibm.com>
    Tested-by: Vasily Gorbik <gor@linux.ibm.com>
    Acked-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5f40a359356b05ec28a802d6c60babdee3f90e44
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Fri Mar 26 12:56:18 2021 +0200

    PM: runtime: Fix ordering in pm_runtime_get_suppliers()
    
    commit c0c33442f7203704aef345647e14c2fb86071001 upstream.
    
    rpm_active indicates how many times the supplier usage_count has been
    incremented. Consequently it must be updated after pm_runtime_get_sync() of
    the supplier, not before.
    
    Fixes: 4c06c4e6cf63 ("driver core: Fix possible supplier PM-usage counter imbalance")
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: 5.1+ <stable@vger.kernel.org> # 5.1+
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4e5e97b164e90b4ad28cf617f3164581cd4f4b11
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Fri Mar 26 12:56:19 2021 +0200

    PM: runtime: Fix race getting/putting suppliers at probe
    
    commit 9dfacc54a8661bc8be6e08cffee59596ec59f263 upstream.
    
    pm_runtime_put_suppliers() must not decrement rpm_active unless the
    consumer is suspended. That is because, otherwise, it could suspend
    suppliers for an active consumer.
    
    That can happen as follows:
    
     static int driver_probe_device(struct device_driver *drv, struct device *dev)
     {
            int ret = 0;
    
            if (!device_is_registered(dev))
                    return -ENODEV;
    
            dev->can_match = true;
            pr_debug("bus: '%s': %s: matched device %s with driver %s\n",
                     drv->bus->name, __func__, dev_name(dev), drv->name);
    
            pm_runtime_get_suppliers(dev);
            if (dev->parent)
                    pm_runtime_get_sync(dev->parent);
    
     At this point, dev can runtime suspend so rpm_put_suppliers() can run,
     rpm_active becomes 1 (the lowest value).
    
            pm_runtime_barrier(dev);
            if (initcall_debug)
                    ret = really_probe_debug(dev, drv);
            else
                    ret = really_probe(dev, drv);
    
     Probe callback can have runtime resumed dev, and then runtime put
     so dev is awaiting autosuspend, but rpm_active is 2.
    
            pm_request_idle(dev);
    
            if (dev->parent)
                    pm_runtime_put(dev->parent);
    
            pm_runtime_put_suppliers(dev);
    
     Now pm_runtime_put_suppliers() will put the supplier
     i.e. rpm_active 2 -> 1, but consumer can still be active.
    
            return ret;
     }
    
    Fix by checking the runtime status. For any status other than
    RPM_SUSPENDED, rpm_active can be considered to be "owned" by
    rpm_[get/put]_suppliers() and pm_runtime_put_suppliers() need do nothing.
    
    Reported-by: Asutosh Das <asutoshd@codeaurora.org>
    Fixes: 4c06c4e6cf63 ("driver core: Fix possible supplier PM-usage counter imbalance")
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: 5.1+ <stable@vger.kernel.org> # 5.1+
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4e355c46578740de006d73b7174650e977edf464
Author: Hui Wang <hui.wang@canonical.com>
Date:   Sat Mar 20 17:15:42 2021 +0800

    ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook
    
    commit e54f30befa7990b897189b44a56c1138c6bfdbb5 upstream.
    
    We found the alc_update_headset_mode() is not called on some machines
    when unplugging the headset, as a result, the mode of the
    ALC_HEADSET_MODE_UNPLUGGED can't be set, then the current_headset_type
    is not cleared, if users plug a differnt type of headset next time,
    the determine_headset_type() will not be called and the audio jack is
    set to the headset type of previous time.
    
    On the Dell machines which connect the dmic to the PCH, if we open
    the gnome-sound-setting and unplug the headset, this issue will
    happen. Those machines disable the auto-mute by ucm and has no
    internal mic in the input source, so the update_headset_mode() will
    not be called by cap_sync_hook or automute_hook when unplugging, and
    because the gnome-sound-setting is opened, the codec will not enter
    the runtime_suspend state, so the update_headset_mode() will not be
    called by alc_resume when unplugging. In this case the
    hp_automute_hook is called when unplugging, so add
    update_headset_mode() calling to this function.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Hui Wang <hui.wang@canonical.com>
    Link: https://lore.kernel.org/r/20210320091542.6748-2-hui.wang@canonical.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9323456500e3fbc21e78b03da35341390cb1510d
Author: Hui Wang <hui.wang@canonical.com>
Date:   Sat Mar 20 17:15:41 2021 +0800

    ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO
    
    commit febf22565549ea7111e7d45e8f2d64373cc66b11 upstream.
    
    We found a recording issue on a Dell AIO, users plug a headset-mic and
    select headset-mic from UI, but can't record any sound from
    headset-mic. The root cause is the determine_headset_type() returns a
    wrong type, e.g. users plug a ctia type headset, but that function
    returns omtp type.
    
    On this machine, the internal mic is not connected to the codec, the
    "Input Source" is headset mic by default. And when users plug a
    headset, the determine_headset_type() will be called immediately, the
    codec on this AIO is alc274, the delay time for this codec in the
    determine_headset_type() is only 80ms, the delay is too short to
    correctly determine the headset type, the fail rate is nearly 99% when
    users plug the headset with the normal speed.
    
    Other codecs set several hundred ms delay time, so here I change the
    delay time to 850ms for alc2x4 series, after this change, the fail
    rate is zero unless users plug the headset slowly on purpose.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Hui Wang <hui.wang@canonical.com>
    Link: https://lore.kernel.org/r/20210320091542.6748-1-hui.wang@canonical.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b28bba2282a44ee5c79025993b703a75cd69118d
Author: Ikjoon Jang <ikjn@chromium.org>
Date:   Wed Mar 24 18:51:52 2021 +0800

    ALSA: usb-audio: Apply sample rate quirk to Logitech Connect
    
    commit 625bd5a616ceda4840cd28f82e957c8ced394b6a upstream.
    
    Logitech ConferenceCam Connect is a compound USB device with UVC and
    UAC. Not 100% reproducible but sometimes it keeps responding STALL to
    every control transfer once it receives get_freq request.
    
    This patch adds 046d:0x084c to a snd_usb_get_sample_rate_quirk list.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203419
    Signed-off-by: Ikjoon Jang <ikjn@chromium.org>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210324105153.2322881-1-ikjn@chromium.org
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8c1a77ae15ce70a72f26f4bb83c50f769011220c
Author: Jesper Dangaard Brouer <brouer@redhat.com>
Date:   Tue Feb 9 14:38:09 2021 +0100

    bpf: Remove MTU check in __bpf_skb_max_len
    
    commit 6306c1189e77a513bf02720450bb43bd4ba5d8ae upstream.
    
    Multiple BPF-helpers that can manipulate/increase the size of the SKB uses
    __bpf_skb_max_len() as the max-length. This function limit size against
    the current net_device MTU (skb->dev->mtu).
    
    When a BPF-prog grow the packet size, then it should not be limited to the
    MTU. The MTU is a transmit limitation, and software receiving this packet
    should be allowed to increase the size. Further more, current MTU check in
    __bpf_skb_max_len uses the MTU from ingress/current net_device, which in
    case of redirects uses the wrong net_device.
    
    This patch keeps a sanity max limit of SKB_MAX_ALLOC (16KiB). The real limit
    is elsewhere in the system. Jesper's testing[1] showed it was not possible
    to exceed 8KiB when expanding the SKB size via BPF-helper. The limiting
    factor is the define KMALLOC_MAX_CACHE_SIZE which is 8192 for
    SLUB-allocator (CONFIG_SLUB) in-case PAGE_SIZE is 4096. This define is
    in-effect due to this being called from softirq context see code
    __gfp_pfmemalloc_flags() and __do_kmalloc_node(). Jakub's testing showed
    that frames above 16KiB can cause NICs to reset (but not crash). Keep this
    sanity limit at this level as memory layer can differ based on kernel
    config.
    
    [1] https://github.com/xdp-project/bpf-examples/tree/master/MTU-tests
    
    Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: John Fastabend <john.fastabend@gmail.com>
    Link: https://lore.kernel.org/bpf/161287788936.790810.2937823995775097177.stgit@firesoul
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ddf294aedf4680a2c3627169c291be1432c9a1c6
Author: Tong Zhang <ztong0001@gmail.com>
Date:   Mon Feb 15 14:17:56 2021 -0500

    net: wan/lmc: unregister device when no matching device is found
    
    [ Upstream commit 62e69bc419772638369eff8ff81340bde8aceb61 ]
    
    lmc set sc->lmc_media pointer when there is a matching device.
    However, when no matching device is found, this pointer is NULL
    and the following dereference will result in a null-ptr-deref.
    
    To fix this issue, unregister the hdlc device and return an error.
    
    [    4.569359] BUG: KASAN: null-ptr-deref in lmc_init_one.cold+0x2b6/0x55d [lmc]
    [    4.569748] Read of size 8 at addr 0000000000000008 by task modprobe/95
    [    4.570102]
    [    4.570187] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7 #94
    [    4.570527] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-preb4
    [    4.571125] Call Trace:
    [    4.571261]  dump_stack+0x7d/0xa3
    [    4.571445]  kasan_report.cold+0x10c/0x10e
    [    4.571667]  ? lmc_init_one.cold+0x2b6/0x55d [lmc]
    [    4.571932]  lmc_init_one.cold+0x2b6/0x55d [lmc]
    [    4.572186]  ? lmc_mii_readreg+0xa0/0xa0 [lmc]
    [    4.572432]  local_pci_probe+0x6f/0xb0
    [    4.572639]  pci_device_probe+0x171/0x240
    [    4.572857]  ? pci_device_remove+0xe0/0xe0
    [    4.573080]  ? kernfs_create_link+0xb6/0x110
    [    4.573315]  ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
    [    4.573598]  really_probe+0x161/0x420
    [    4.573799]  driver_probe_device+0x6d/0xd0
    [    4.574022]  device_driver_attach+0x82/0x90
    [    4.574249]  ? device_driver_attach+0x90/0x90
    [    4.574485]  __driver_attach+0x60/0x100
    [    4.574694]  ? device_driver_attach+0x90/0x90
    [    4.574931]  bus_for_each_dev+0xe1/0x140
    [    4.575146]  ? subsys_dev_iter_exit+0x10/0x10
    [    4.575387]  ? klist_node_init+0x61/0x80
    [    4.575602]  bus_add_driver+0x254/0x2a0
    [    4.575812]  driver_register+0xd3/0x150
    [    4.576021]  ? 0xffffffffc0018000
    [    4.576202]  do_one_initcall+0x84/0x250
    [    4.576411]  ? trace_event_raw_event_initcall_finish+0x150/0x150
    [    4.576733]  ? unpoison_range+0xf/0x30
    [    4.576938]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
    [    4.577219]  ? unpoison_range+0xf/0x30
    [    4.577423]  ? unpoison_range+0xf/0x30
    [    4.577628]  do_init_module+0xf8/0x350
    [    4.577833]  load_module+0x3fe6/0x4340
    [    4.578038]  ? vm_unmap_ram+0x1d0/0x1d0
    [    4.578247]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
    [    4.578526]  ? module_frob_arch_sections+0x20/0x20
    [    4.578787]  ? __do_sys_finit_module+0x108/0x170
    [    4.579037]  __do_sys_finit_module+0x108/0x170
    [    4.579278]  ? __ia32_sys_init_module+0x40/0x40
    [    4.579523]  ? file_open_root+0x200/0x200
    [    4.579742]  ? do_sys_open+0x85/0xe0
    [    4.579938]  ? filp_open+0x50/0x50
    [    4.580125]  ? exit_to_user_mode_prepare+0xfc/0x130
    [    4.580390]  do_syscall_64+0x33/0x40
    [    4.580586]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [    4.580859] RIP: 0033:0x7f1a724c3cf7
    [    4.581054] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 48 891
    [    4.582043] RSP: 002b:00007fff44941c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
    [    4.582447] RAX: ffffffffffffffda RBX: 00000000012ada70 RCX: 00007f1a724c3cf7
    [    4.582827] RDX: 0000000000000000 RSI: 00000000012ac9e0 RDI: 0000000000000003
    [    4.583207] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001
    [    4.583587] R10: 00007f1a72527300 R11: 0000000000000246 R12: 00000000012ac9e0
    [    4.583968] R13: 0000000000000000 R14: 00000000012acc90 R15: 0000000000000001
    [    4.584349] ==================================================================
    
    Signed-off-by: Tong Zhang <ztong0001@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f5881ea990e2ef0e4ecacd5e2a4209fdb7b55dc8
Author: Doug Brown <doug@schmorgal.com>
Date:   Thu Feb 11 21:27:54 2021 -0800

    appletalk: Fix skb allocation size in loopback case
    
    [ Upstream commit 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705 ]
    
    If a DDP broadcast packet is sent out to a non-gateway target, it is
    also looped back. There is a potential for the loopback device to have a
    longer hardware header length than the original target route's device,
    which can result in the skb not being created with enough room for the
    loopback device's hardware header. This patch fixes the issue by
    determining that a loopback will be necessary prior to allocating the
    skb, and if so, ensuring the skb has enough room.
    
    This was discovered while testing a new driver that creates a LocalTalk
    network interface (LTALK_HLEN = 1). It caused an skb_under_panic.
    
    Signed-off-by: Doug Brown <doug@schmorgal.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b9033e1759b706b0f20d474737fe760a5dc059af
Author: Nathan Rossi <nathan.rossi@digi.com>
Date:   Thu Feb 11 05:17:57 2021 +0000

    net: ethernet: aquantia: Handle error cleanup of start on open
    
    [ Upstream commit 8a28af7a3e85ddf358f8c41e401a33002f7a9587 ]
    
    The aq_nic_start function can fail in a variety of cases which leaves
    the device in broken state.
    
    An example case where the start function fails is the
    request_threaded_irq which can be interrupted, resulting in a EINTR
    result. This can be manually triggered by bringing the link up (e.g. ip
    link set up) and triggering a SIGINT on the initiating process (e.g.
    Ctrl+C). This would put the device into a half configured state.
    Subsequently bringing the link up again would cause the napi_enable to
    BUG.
    
    In order to correctly clean up the failed attempt to start a device call
    aq_nic_stop.
    
    Signed-off-by: Nathan Rossi <nathan.rossi@digi.com>
    Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1662f2c161b9da377b389f3b0747d223e8a8f3c3
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Wed Feb 10 14:21:07 2021 -0700

    ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr()
    
    [ Upstream commit 09078368d516918666a0122f2533dc73676d3d7e ]
    
    ieee80211_find_sta_by_ifaddr() must be called under the RCU lock and
    the resulting pointer is only valid under RCU lock as well.
    
    Fix ath10k_wmi_tlv_op_pull_peer_stats_info() to hold RCU lock before it
    calls ieee80211_find_sta_by_ifaddr() and release it when the resulting
    pointer is no longer needed.
    
    This problem was found while reviewing code to debug RCU warn from
    ath10k_wmi_tlv_parse_peer_stats_info().
    
    Link: https://lore.kernel.org/linux-wireless/7230c9e5-2632-b77e-c4f9-10eca557a5bb@linuxfoundation.org/
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20210210212107.40373-1-skhan@linuxfoundation.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 80a66a99c3020aff62dd0a7bab54683d680bf162
Author: Luca Pesce <luca.pesce@vimar.com>
Date:   Thu Dec 24 11:51:59 2020 +0100

    brcmfmac: clear EAP/association status bits on linkdown events
    
    [ Upstream commit e862a3e4088070de352fdafe9bd9e3ae0a95a33c ]
    
    This ensure that previous association attempts do not leave stale statuses
    on subsequent attempts.
    
    This fixes the WARN_ON(!cr->bss)) from __cfg80211_connect_result() when
    connecting to an AP after a previous connection failure (e.g. where EAP fails
    due to incorrect psk but association succeeded). In some scenarios, indeed,
    brcmf_is_linkup() was reporting a link up event too early due to stale
    BRCMF_VIF_STATUS_ASSOC_SUCCESS bit, thus reporting to cfg80211 a connection
    result with a zeroed bssid (vif->profile.bssid is still empty), causing the
    WARN_ON due to the call to cfg80211_get_bss() with the empty bssid.
    
    Signed-off-by: Luca Pesce <luca.pesce@vimar.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/1608807119-21785-1-git-send-email-luca.pesce@vimar.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 67d7b2693fecead6e504424840a692a0ac016f2f
Author: zhangyi (F) <yi.zhang@huawei.com>
Date:   Wed Mar 3 21:17:03 2021 +0800

    ext4: do not iput inode under running transaction in ext4_rename()
    
    [ Upstream commit 5dccdc5a1916d4266edd251f20bbbb113a5c495f ]
    
    In ext4_rename(), when RENAME_WHITEOUT failed to add new entry into
    directory, it ends up dropping new created whiteout inode under the
    running transaction. After commit <9b88f9fb0d2> ("ext4: Do not iput inode
    under running transaction"), we follow the assumptions that evict() does
    not get called from a transaction context but in ext4_rename() it breaks
    this suggestion. Although it's not a real problem, better to obey it, so
    this patch add inode to orphan list and stop transaction before final
    iput().
    
    Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
    Link: https://lore.kernel.org/r/20210303131703.330415-2-yi.zhang@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d9d89d57bee95d62198872fda2832b50d5a55527
Author: Waiman Long <longman@redhat.com>
Date:   Tue Mar 16 11:31:16 2021 -0400

    locking/ww_mutex: Simplify use_ww_ctx & ww_ctx handling
    
    [ Upstream commit 5de2055d31ea88fd9ae9709ac95c372a505a60fa ]
    
    The use_ww_ctx flag is passed to mutex_optimistic_spin(), but the
    function doesn't use it. The frequent use of the (use_ww_ctx && ww_ctx)
    combination is repetitive.
    
    In fact, ww_ctx should not be used at all if !use_ww_ctx.  Simplify
    ww_mutex code by dropping use_ww_ctx from mutex_optimistic_spin() an
    clear ww_ctx if !use_ww_ctx. In this way, we can replace (use_ww_ctx &&
    ww_ctx) by just (ww_ctx).
    
    Signed-off-by: Waiman Long <longman@redhat.com>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Davidlohr Bueso <dbueso@suse.de>
    Link: https://lore.kernel.org/r/20210316153119.13802-2-longman@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5e17dcfec440a1fbc2e4caceda1c266306caa0c0
Author: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
Date:   Tue Dec 8 00:23:01 2020 +0530

    thermal/core: Add NULL pointer check before using cooling device stats
    
    [ Upstream commit 2046a24ae121cd107929655a6aaf3b8c5beea01f ]
    
    There is a possible chance that some cooling device stats buffer
    allocation fails due to very high cooling device max state value.
    Later cooling device update sysfs can try to access stats data
    for the same cooling device. It will lead to NULL pointer
    dereference issue.
    
    Add a NULL pointer check before accessing thermal cooling device
    stats data. It fixes the following bug
    
    [ 26.812833] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
    [ 27.122960] Call trace:
    [ 27.122963] do_raw_spin_lock+0x18/0xe8
    [ 27.122966] _raw_spin_lock+0x24/0x30
    [ 27.128157] thermal_cooling_device_stats_update+0x24/0x98
    [ 27.128162] cur_state_store+0x88/0xb8
    [ 27.128166] dev_attr_store+0x40/0x58
    [ 27.128169] sysfs_kf_write+0x50/0x68
    [ 27.133358] kernfs_fop_write+0x12c/0x1c8
    [ 27.133362] __vfs_write+0x54/0x160
    [ 27.152297] vfs_write+0xcc/0x188
    [ 27.157132] ksys_write+0x78/0x108
    [ 27.162050] ksys_write+0xf8/0x108
    [ 27.166968] __arm_smccc_hvc+0x158/0x4b0
    [ 27.166973] __arm_smccc_hvc+0x9c/0x4b0
    [ 27.186005] el0_svc+0x8/0xc
    
    Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Link: https://lore.kernel.org/r/1607367181-24589-1-git-send-email-manafm@codeaurora.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bd1aa59a895a8e122b541af646fe9df12c9c15c1
Author: Sameer Pujar <spujar@nvidia.com>
Date:   Mon Mar 15 23:01:32 2021 +0530

    ASoC: rt5659: Update MCLK rate in set_sysclk()
    
    [ Upstream commit dbf54a9534350d6aebbb34f5c1c606b81a4f35dd ]
    
    Simple-card/audio-graph-card drivers do not handle MCLK clock when it
    is specified in the codec device node. The expectation here is that,
    the codec should actually own up the MCLK clock and do necessary setup
    in the driver.
    
    Suggested-by: Mark Brown <broonie@kernel.org>
    Suggested-by: Michael Walle <michael@walle.cc>
    Signed-off-by: Sameer Pujar <spujar@nvidia.com>
    Link: https://lore.kernel.org/r/1615829492-8972-3-git-send-email-spujar@nvidia.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1fd2bf77bd5d054fb6e8e68cedd55c020aa82e85
Author: Tong Zhang <ztong0001@gmail.com>
Date:   Mon Mar 15 15:58:12 2021 -0400

    staging: comedi: cb_pcidas64: fix request_irq() warn
    
    [ Upstream commit d2d106fe3badfc3bf0dd3899d1c3f210c7203eab ]
    
    request_irq() wont accept a name which contains slash so we need to
    repalce it with something else -- otherwise it will trigger a warning
    and the entry in /proc/irq/ will not be created
    since the .name might be used by userspace and we don't want to break
    userspace, so we are changing the parameters passed to request_irq()
    
    [    1.565966] name 'pci-das6402/16'
    [    1.566149] WARNING: CPU: 0 PID: 184 at fs/proc/generic.c:180 __xlate_proc_name+0x93/0xb0
    [    1.568923] RIP: 0010:__xlate_proc_name+0x93/0xb0
    [    1.574200] Call Trace:
    [    1.574722]  proc_mkdir+0x18/0x20
    [    1.576629]  request_threaded_irq+0xfe/0x160
    [    1.576859]  auto_attach+0x60a/0xc40 [cb_pcidas64]
    
    Suggested-by: Ian Abbott <abbotti@mev.co.uk>
    Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Tong Zhang <ztong0001@gmail.com>
    Link: https://lore.kernel.org/r/20210315195814.4692-1-ztong0001@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 25e27db0decf4e19bb4d6abff9edf0a23cb14874
Author: Tong Zhang <ztong0001@gmail.com>
Date:   Mon Mar 15 15:59:14 2021 -0400

    staging: comedi: cb_pcidas: fix request_irq() warn
    
    [ Upstream commit 2e5848a3d86f03024ae096478bdb892ab3d79131 ]
    
    request_irq() wont accept a name which contains slash so we need to
    repalce it with something else -- otherwise it will trigger a warning
    and the entry in /proc/irq/ will not be created
    since the .name might be used by userspace and we don't want to break
    userspace, so we are changing the parameters passed to request_irq()
    
    [    1.630764] name 'pci-das1602/16'
    [    1.630950] WARNING: CPU: 0 PID: 181 at fs/proc/generic.c:180 __xlate_proc_name+0x93/0xb0
    [    1.634009] RIP: 0010:__xlate_proc_name+0x93/0xb0
    [    1.639441] Call Trace:
    [    1.639976]  proc_mkdir+0x18/0x20
    [    1.641946]  request_threaded_irq+0xfe/0x160
    [    1.642186]  cb_pcidas_auto_attach+0xf4/0x610 [cb_pcidas]
    
    Suggested-by: Ian Abbott <abbotti@mev.co.uk>
    Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Tong Zhang <ztong0001@gmail.com>
    Link: https://lore.kernel.org/r/20210315195914.4801-1-ztong0001@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8422c0f1e4955f8b24072c750ca0f83f188d0f3
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date:   Sun Mar 14 18:32:46 2021 +0300

    scsi: qla2xxx: Fix broken #endif placement
    
    [ Upstream commit 5999b9e5b1f8a2f5417b755130919b3ac96f5550 ]
    
    Only half of the file is under include guard because terminating #endif
    is placed too early.
    
    Link: https://lore.kernel.org/r/YE4snvoW1SuwcXAn@localhost.localdomain
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 31216d487aa054eef8be53a957cbf00233f46272
Author: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Date:   Wed Mar 10 22:46:36 2021 -0800

    scsi: st: Fix a use after free in st_open()
    
    [ Upstream commit c8c165dea4c8f5ad67b1240861e4f6c5395fa4ac ]
    
    In st_open(), if STp->in_use is true, STp will be freed by
    scsi_tape_put(). However, STp is still used by DEBC_printk() after. It is
    better to DEBC_printk() before scsi_tape_put().
    
    Link: https://lore.kernel.org/r/20210311064636.10522-1-lyl2019@mail.ustc.edu.cn
    Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
    Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b04795103ae9316478015b1907b3fcd714426caf
Author: Laurent Vivier <lvivier@redhat.com>
Date:   Fri Mar 12 15:09:13 2021 +0100

    vhost: Fix vhost_vq_reset()
    
    [ Upstream commit beb691e69f4dec7bfe8b81b509848acfd1f0dbf9 ]
    
    vhost_reset_is_le() is vhost_init_is_le(), and in the case of
    cross-endian legacy, vhost_init_is_le() depends on vq->user_be.
    
    vq->user_be is set by vhost_disable_cross_endian().
    
    But in vhost_vq_reset(), we have:
    
        vhost_reset_is_le(vq);
        vhost_disable_cross_endian(vq);
    
    And so user_be is used before being set.
    
    To fix that, reverse the lines order as there is no other dependency
    between them.
    
    Signed-off-by: Laurent Vivier <lvivier@redhat.com>
    Link: https://lore.kernel.org/r/20210312140913.788592-1-lvivier@redhat.com
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f5b401fa295c7903d3a4f4a2f931ce5a35704ef3
Author: Lucas Tanure <tanureal@opensource.cirrus.com>
Date:   Fri Mar 5 17:34:32 2021 +0000

    ASoC: cs42l42: Always wait at least 3ms after reset
    
    [ Upstream commit 19325cfea04446bc79b36bffd4978af15f46a00e ]
    
    This delay is part of the power-up sequence defined in the datasheet.
    A runtime_resume is a power-up so must also include the delay.
    
    Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
    Link: https://lore.kernel.org/r/20210305173442.195740-6-tanureal@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9fe7e16afa26598e4a4f4bd5ee09f0220a7c878f
Author: Lucas Tanure <tanureal@opensource.cirrus.com>
Date:   Fri Mar 5 17:34:30 2021 +0000

    ASoC: cs42l42: Fix mixer volume control
    
    [ Upstream commit 72d904763ae6a8576e7ad034f9da4f0e3c44bf24 ]
    
    The minimum value is 0x3f (-63dB), which also is mute
    
    Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
    Link: https://lore.kernel.org/r/20210305173442.195740-4-tanureal@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 90939cc94cdf9218ffdf231bbbf065740e50cff9
Author: Lucas Tanure <tanureal@opensource.cirrus.com>
Date:   Fri Mar 5 17:34:29 2021 +0000

    ASoC: cs42l42: Fix channel width support
    
    [ Upstream commit 2bdc4f5c6838f7c3feb4fe68e4edbeea158ec0a2 ]
    
    Remove the hard coded 32 bits width and replace with the correct width
    calculated by params_width.
    
    Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
    Link: https://lore.kernel.org/r/20210305173442.195740-3-tanureal@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d9301f23ec9158b71a9eec3520983d5dc4251a5c
Author: Lucas Tanure <tanureal@opensource.cirrus.com>
Date:   Fri Mar 5 17:34:28 2021 +0000

    ASoC: cs42l42: Fix Bitclock polarity inversion
    
    [ Upstream commit e793c965519b8b7f2fea51a48398405e2a501729 ]
    
    The driver was setting bit clock polarity opposite to intended polarity.
    Also simplify the code by grouping ADC and DAC clock configurations into
    a single field.
    
    Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
    Link: https://lore.kernel.org/r/20210305173442.195740-2-tanureal@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5f6bb2f4e3276dfe63e67e61c3e3e9c94c4ee39a
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Sun Feb 28 17:04:41 2021 +0100

    ASoC: es8316: Simplify adc_pga_gain_tlv table
    
    [ Upstream commit bb18c678754ce1514100fb4c0bf6113b5af36c48 ]
    
    Most steps in this table are steps of 3dB (300 centi-dB), so we can
    simplify the table.
    
    This not only reduces the amount of space it takes inside the kernel,
    this also makes alsa-lib's mixer code actually accept the table, where
    as before this change alsa-lib saw the "ADC PGA Gain" control as a
    control without a dB scale.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20210228160441.241110-1-hdegoede@redhat.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit de7f092233a70d1c10f8f4639fb15d544a797626
Author: Benjamin Rood <benjaminjrood@gmail.com>
Date:   Fri Feb 19 13:33:08 2021 -0500

    ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe
    
    [ Upstream commit f86f58e3594fb0ab1993d833d3b9a2496f3c928c ]
    
    According to the SGTL5000 datasheet [1], the DAP_AVC_CTRL register has
    the following bit field definitions:
    
    | BITS  | FIELD       | RW | RESET | DEFINITION                        |
    | 15    | RSVD        | RO | 0x0   | Reserved                          |
    | 14    | RSVD        | RW | 0x1   | Reserved                          |
    | 13:12 | MAX_GAIN    | RW | 0x1   | Max Gain of AVC in expander mode  |
    | 11:10 | RSVD        | RO | 0x0   | Reserved                          |
    | 9:8   | LBI_RESP    | RW | 0x1   | Integrator Response               |
    | 7:6   | RSVD        | RO | 0x0   | Reserved                          |
    | 5     | HARD_LMT_EN | RW | 0x0   | Enable hard limiter mode          |
    | 4:1   | RSVD        | RO | 0x0   | Reserved                          |
    | 0     | EN          | RW | 0x0   | Enable/Disable AVC                |
    
    The original default value written to the DAP_AVC_CTRL register during
    sgtl5000_i2c_probe() was 0x0510.  This would incorrectly write values to
    bits 4 and 10, which are defined as RESERVED.  It would also not set
    bits 12 and 14 to their correct RESET values of 0x1, and instead set
    them to 0x0.  While the DAP_AVC module is effectively disabled because
    the EN bit is 0, this default value is still writing invalid values to
    registers that are marked as read-only and RESERVED as well as not
    setting bits 12 and 14 to their correct default values as defined by the
    datasheet.
    
    The correct value that should be written to the DAP_AVC_CTRL register is
    0x5100, which configures the register bits to the default values defined
    by the datasheet, and prevents any writes to bits defined as
    'read-only'.  Generally speaking, it is best practice to NOT attempt to
    write values to registers/bits defined as RESERVED, as it generally
    produces unwanted/undefined behavior, or errors.
    
    Also, all credit for this patch should go to my colleague Dan MacDonald
    <dmacdonald@curbellmedical.com> for finding this error in the first
    place.
    
    [1] https://www.nxp.com/docs/en/data-sheet/SGTL5000.pdf
    
    Signed-off-by: Benjamin Rood <benjaminjrood@gmail.com>
    Reviewed-by: Fabio Estevam <festevam@gmail.com>
    Link: https://lore.kernel.org/r/20210219183308.GA2117@ubuntu-dev
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c0021e520db060da4bfd21e0b8b448d8ebad2e14
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Fri Feb 26 15:38:14 2021 +0100

    ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10
    
    [ Upstream commit eee51df776bd6cac10a76b2779a9fdee3f622b2b ]
    
    The adc_vol_tlv volume-control has a range from -17.625 dB to +30 dB,
    not -176.25 dB to + 300 dB. This wrong scale is esp. a problem in userspace
    apps which translate the dB scale to a linear scale. With the logarithmic
    dB scale being of by a factor of 10 we loose all precision in the lower
    area of the range when apps translate things to a linear scale.
    
    E.g. the 0 dB default, which corresponds with a value of 47 of the
    0 - 127 range for the control, would be shown as 0/100 in alsa-mixer.
    
    Since the centi-dB values used in the TLV struct cannot represent the
    0.375 dB step size used by these controls, change the TLV definition
    for them to specify a min and max value instead of min + stepsize.
    
    Note this mirrors commit 3f31f7d9b540 ("ASoC: rt5670: Fix dac- and adc-
    vol-tlv values being off by a factor of 10") which made the exact same
    change to the rt5670 codec driver.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20210226143817.84287-3-hdegoede@redhat.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4a8a478dbad92923549e74da7582205b9bfd24ad
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Fri Feb 26 15:38:13 2021 +0100

    ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10
    
    [ Upstream commit cfa26ed1f9f885c2fd8f53ca492989d1e16d0199 ]
    
    The adc_vol_tlv volume-control has a range from -17.625 dB to +30 dB,
    not -176.25 dB to + 300 dB. This wrong scale is esp. a problem in userspace
    apps which translate the dB scale to a linear scale. With the logarithmic
    dB scale being of by a factor of 10 we loose all precision in the lower
    area of the range when apps translate things to a linear scale.
    
    E.g. the 0 dB default, which corresponds with a value of 47 of the
    0 - 127 range for the control, would be shown as 0/100 in alsa-mixer.
    
    Since the centi-dB values used in the TLV struct cannot represent the
    0.375 dB step size used by these controls, change the TLV definition
    for them to specify a min and max value instead of min + stepsize.
    
    Note this mirrors commit 3f31f7d9b540 ("ASoC: rt5670: Fix dac- and adc-
    vol-tlv values being off by a factor of 10") which made the exact same
    change to the rt5670 codec driver.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20210226143817.84287-2-hdegoede@redhat.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b18e44ebe077d85da17d4971dbc9203d724f1b15
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Tue Mar 2 10:48:38 2021 -0500

    rpc: fix NULL dereference on kmalloc failure
    
    [ Upstream commit 0ddc942394013f08992fc379ca04cffacbbe3dae ]
    
    I think this is unlikely but possible:
    
    svc_authenticate sets rq_authop and calls svcauth_gss_accept.  The
    kmalloc(sizeof(*svcdata), GFP_KERNEL) fails, leaving rq_auth_data NULL,
    and returning SVC_DENIED.
    
    This causes svc_process_common to go to err_bad_auth, and eventually
    call svc_authorise.  That calls ->release == svcauth_gss_release, which
    tries to dereference rq_auth_data.
    
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Link: https://lore.kernel.org/linux-nfs/3F1B347F-B809-478F-A1E9-0BE98E22B0F0@oracle.com/T/#t
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c08c68a7def6947db8b662d5c534ee7e5a84ee74
Author: Zhaolong Zhang <zhangzl2013@126.com>
Date:   Tue Mar 2 17:42:31 2021 +0800

    ext4: fix bh ref count on error paths
    
    [ Upstream commit c915fb80eaa6194fa9bd0a4487705cd5b0dda2f1 ]
    
    __ext4_journalled_writepage should drop bhs' ref count on error paths
    
    Signed-off-by: Zhaolong Zhang <zhangzl2013@126.com>
    Link: https://lore.kernel.org/r/1614678151-70481-1-git-send-email-zhangzl2013@126.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1cf636535f7a7f440559724a7b11bb505776e410
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Wed Mar 17 09:55:15 2021 -0700

    ipv6: weaken the v4mapped source check
    
    [ Upstream commit dcc32f4f183ab8479041b23a1525d48233df1d43 ]
    
    This reverts commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3.
    
    Commit 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped
    source address") introduced an input check against v4mapped addresses.
    Use of such addresses on the wire is indeed questionable and not
    allowed on public Internet. As the commit pointed out
    
      https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
    
    lists potential issues.
    
    Unfortunately there are applications which use v4mapped addresses,
    and breaking them is a clear regression. For example v4mapped
    addresses (or any semi-valid addresses, really) may be used
    for uni-direction event streams or packet export.
    
    Since the issue which sparked the addition of the check was with
    TCP and request_socks in particular push the check down to TCPv6
    and DCCP. This restores the ability to receive UDPv6 packets with
    v4mapped address as the source.
    
    Keep using the IPSTATS_MIB_INHDRERRORS statistic to minimize the
    user-visible changes.
    
    Fixes: 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped source address")
    Reported-by: Sunyi Shao <sunyishao@fb.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f9501b8da468caa7132455ec6e2952d4cbfa8335
Author: Alexander Ovechkin <ovov@yandex-team.ru>
Date:   Mon Mar 29 20:55:41 2021 +0300

    tcp: relookup sock for RST+ACK packets handled by obsolete req sock
    
    commit 7233da86697efef41288f8b713c10c2499cffe85 upstream.
    
    Currently tcp_check_req can be called with obsolete req socket for which big
    socket have been already created (because of CPU race or early demux
    assigning req socket to multiple packets in gro batch).
    
    Commit e0f9759f530bf789e984 ("tcp: try to keep packet if SYN_RCV race
    is lost") added retry in case when tcp_check_req is called for PSH|ACK packet.
    But if client sends RST+ACK immediatly after connection being
    established (it is performing healthcheck, for example) retry does not
    occur. In that case tcp_check_req tries to close req socket,
    leaving big socket active.
    
    Fixes: e0f9759f530b ("tcp: try to keep packet if SYN_RCV race is lost")
    Signed-off-by: Alexander Ovechkin <ovov@yandex-team.ru>
    Reported-by: Oleg Senin <olegsenin@yandex-team.ru>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9539977384b167a4e893b60a0e02fabd6e608c7d
Author: David Brazdil <dbrazdil@google.com>
Date:   Mon Mar 29 18:24:43 2021 +0000

    selinux: vsock: Set SID for socket returned by accept()
    
    [ Upstream commit 1f935e8e72ec28dddb2dc0650b3b6626a293d94b ]
    
    For AF_VSOCK, accept() currently returns sockets that are unlabelled.
    Other socket families derive the child's SID from the SID of the parent
    and the SID of the incoming packet. This is typically done as the
    connected socket is placed in the queue that accept() removes from.
    
    Reuse the existing 'security_sk_clone' hook to copy the SID from the
    parent (server) socket to the child. There is no packet SID in this
    case.
    
    Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
    Signed-off-by: David Brazdil <dbrazdil@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>