commit 10d9c6f92756c1b9049e409cd5e7faed40f95294
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon Apr 13 10:31:35 2020 +0200

    Linux 4.4.219

commit 5ff569d8719b525d1e34fd39d5f95220aa4a93dd
Author: Hans Verkuil <hans.verkuil@cisco.com>
Date:   Mon Aug 27 10:07:42 2018 +0200

    drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read()
    
    commit a4c30a4861c54af78c4eb8b7855524c1a96d9f80 upstream.
    
    When parsing the reply of a DP_REMOTE_DPCD_READ DPCD command the
    result is wrong due to a missing idx increment.
    
    This was never noticed since DP_REMOTE_DPCD_READ is currently not
    used, but if you enable it, then it is all wrong.
    
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Reviewed-by: Lyude Paul <lyude@redhat.com>
    Acked-by: Alex Deucher <alexander.deucher@amd.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/e72ddac2-1dc0-100a-d816-9ac98ac009dd@xs4all.nl
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d1995d71f638717ee23f257b0f7de4d5ea2f132
Author: Taniya Das <tdas@codeaurora.org>
Date:   Wed May 8 23:54:53 2019 +0530

    clk: qcom: rcg: Return failure for RCG update
    
    commit 21ea4b62e1f3dc258001a68da98c9663a9dbd6c7 upstream.
    
    In case of update config failure, return -EBUSY, so that consumers could
    handle the failure gracefully.
    
    Signed-off-by: Taniya Das <tdas@codeaurora.org>
    Link: https://lkml.kernel.org/r/1557339895-21952-2-git-send-email-tdas@codeaurora.org
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d103eca9f7b9b0953aaa176f4bfb95bbb825f333
Author: Avihai Horon <avihaih@mellanox.com>
Date:   Wed Mar 18 12:17:41 2020 +0200

    RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow
    
    commit 987914ab841e2ec281a35b54348ab109b4c0bb4e upstream.
    
    After a successful allocation of path_rec, num_paths is set to 1, but any
    error after such allocation will leave num_paths uncleared.
    
    This causes to de-referencing a NULL pointer later on. Hence, num_paths
    needs to be set back to 0 if such an error occurs.
    
    The following crash from syzkaller revealed it.
    
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      CPU: 0 PID: 357 Comm: syz-executor060 Not tainted 4.18.0+ #311
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      RIP: 0010:ib_copy_path_rec_to_user+0x94/0x3e0
      Code: f1 f1 f1 f1 c7 40 0c 00 00 f4 f4 65 48 8b 04 25 28 00 00 00 48 89
      45 c8 31 c0 e8 d7 60 24 ff 48 8d 7b 4c 48 89 f8 48 c1 e8 03 <42> 0f b6
      14 30 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
      RSP: 0018:ffff88006586f980 EFLAGS: 00010207
      RAX: 0000000000000009 RBX: 0000000000000000 RCX: 1ffff1000d5fe475
      RDX: ffff8800621e17c0 RSI: ffffffff820d45f9 RDI: 000000000000004c
      RBP: ffff88006586fa50 R08: ffffed000cb0df73 R09: ffffed000cb0df72
      R10: ffff88006586fa70 R11: ffffed000cb0df73 R12: 1ffff1000cb0df30
      R13: ffff88006586fae8 R14: dffffc0000000000 R15: ffff88006aff2200
      FS: 00000000016fc880(0000) GS:ffff88006d000000(0000)
      knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020000040 CR3: 0000000063fec000 CR4: 00000000000006b0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      ? ib_copy_path_rec_from_user+0xcc0/0xcc0
      ? __mutex_unlock_slowpath+0xfc/0x670
      ? wait_for_completion+0x3b0/0x3b0
      ? ucma_query_route+0x818/0xc60
      ucma_query_route+0x818/0xc60
      ? ucma_listen+0x1b0/0x1b0
      ? sched_clock_cpu+0x18/0x1d0
      ? sched_clock_cpu+0x18/0x1d0
      ? ucma_listen+0x1b0/0x1b0
      ? ucma_write+0x292/0x460
      ucma_write+0x292/0x460
      ? ucma_close_id+0x60/0x60
      ? sched_clock_cpu+0x18/0x1d0
      ? sched_clock_cpu+0x18/0x1d0
      __vfs_write+0xf7/0x620
      ? ucma_close_id+0x60/0x60
      ? kernel_read+0x110/0x110
      ? time_hardirqs_on+0x19/0x580
      ? lock_acquire+0x18b/0x3a0
      ? finish_task_switch+0xf3/0x5d0
      ? _raw_spin_unlock_irq+0x29/0x40
      ? _raw_spin_unlock_irq+0x29/0x40
      ? finish_task_switch+0x1be/0x5d0
      ? __switch_to_asm+0x34/0x70
      ? __switch_to_asm+0x40/0x70
      ? security_file_permission+0x172/0x1e0
      vfs_write+0x192/0x460
      ksys_write+0xc6/0x1a0
      ? __ia32_sys_read+0xb0/0xb0
      ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
      ? do_syscall_64+0x1d/0x470
      do_syscall_64+0x9e/0x470
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    Fixes: 3c86aa70bf67 ("RDMA/cm: Add RDMA CM support for IBoE devices")
    Link: https://lore.kernel.org/r/20200318101741.47211-1-leon@kernel.org
    Signed-off-by: Avihai Horon <avihaih@mellanox.com>
    Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5c26e92ec5193158b5d87e81ec3a754460ce13bf
Author: Qiujun Huang <hqjagain@gmail.com>
Date:   Sun Mar 8 17:45:27 2020 +0800

    Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
    
    commit 71811cac8532b2387b3414f7cd8fe9e497482864 upstream.
    
    Needn't call 'rfcomm_dlc_put' here, because 'rfcomm_dlc_exists' didn't
    increase dlc->refcnt.
    
    Reported-by: syzbot+4496e82090657320efc6@syzkaller.appspotmail.com
    Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
    Suggested-by: Hillf Danton <hdanton@sina.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2c735183134dde3c483bbab9e22e34f1e03ba696
Author: Kaike Wan <kaike.wan@intel.com>
Date:   Thu Mar 26 12:38:14 2020 -0400

    IB/hfi1: Call kobject_put() when kobject_init_and_add() fails
    
    commit dfb5394f804ed4fcea1fc925be275a38d66712ab upstream.
    
    When kobject_init_and_add() returns an error in the function
    hfi1_create_port_files(), the function kobject_put() is not called for the
    corresponding kobject, which potentially leads to memory leak.
    
    This patch fixes the issue by calling kobject_put() even if
    kobject_init_and_add() fails.
    
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200326163813.21129.44280.stgit@awfm-01.aw.intel.com
    Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
    Signed-off-by: Kaike Wan <kaike.wan@intel.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c4e0295d3bf2650312167a302b39e1f0442bf3e5
Author: Paul Cercueil <paul@crapouillou.net>
Date:   Fri Mar 6 23:29:27 2020 +0100

    ASoC: jz4740-i2s: Fix divider written at incorrect offset in register
    
    commit 9401d5aa328e64617d87abd59af1c91cace4c3e4 upstream.
    
    The 4-bit divider value was written at offset 8, while the jz4740
    programming manual locates it at offset 0.
    
    Fixes: 26b0aad80a86 ("ASoC: jz4740: Add dynamic sampling rate support to jz4740-i2s")
    Signed-off-by: Paul Cercueil <paul@crapouillou.net>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200306222931.39664-2-paul@crapouillou.net
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f379ca6fecc6ea026ada458b9cba9bd2c8630a6c
Author: Ross Lagerwall <ross.lagerwall@citrix.com>
Date:   Thu Jun 21 14:00:21 2018 +0100

    xen-netfront: Update features after registering netdev
    
    commit 45c8184c1bed1ca8a7f02918552063a00b909bf5 upstream.
    
    Update the features after calling register_netdev() otherwise the
    device features are not set up correctly and it not possible to change
    the MTU of the device. After this change, the features reported by
    ethtool match the device's features before the commit which introduced
    the issue and it is possible to change the device's MTU.
    
    Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
    Reported-by: Liam Shepherd <liam@dancer.es>
    Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 731563186f54f7a490e5f870ac81836149184d53
Author: Ross Lagerwall <ross.lagerwall@citrix.com>
Date:   Thu Jun 21 14:00:20 2018 +0100

    xen-netfront: Fix mismatched rtnl_unlock
    
    commit cb257783c2927b73614b20f915a91ff78aa6f3e8 upstream.
    
    Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
    Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Reviewed-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8872445ae5cd3653c2f49cdb2c46536cd4895ddb
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Mon Mar 18 11:14:39 2019 -0500

    power: supply: axp288_charger: Fix unchecked return value
    
    commit c3422ad5f84a66739ec6a37251ca27638c85b6be upstream.
    
    Currently there is no check on platform_get_irq() return value
    in case it fails, hence never actually reporting any errors and
    causing unexpected behavior when using such value as argument
    for function regmap_irq_get_virq().
    
    Fix this by adding a proper check, a message reporting any errors
    and returning *pirq*
    
    Addresses-Coverity-ID: 1443940 ("Improper use of negative value")
    Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>

commit e4149be608f464bd232f4531a770000f3c7e1f6e
Author: David Ahern <dsahern@kernel.org>
Date:   Wed Apr 1 21:02:25 2020 -0700

    tools/accounting/getdelays.c: fix netlink attribute length
    
    commit 4054ab64e29bb05b3dfe758fff3c38a74ba753bb upstream.
    
    A recent change to the netlink code: 6e237d099fac ("netlink: Relax attr
    validation for fixed length types") logs a warning when programs send
    messages with invalid attributes (e.g., wrong length for a u32).  Yafang
    reported this error message for tools/accounting/getdelays.c.
    
    send_cmd() is wrongly adding 1 to the attribute length.  As noted in
    include/uapi/linux/netlink.h nla_len should be NLA_HDRLEN + payload
    length, so drop the +1.
    
    Fixes: 9e06d3f9f6b1 ("per task delay accounting taskstats interface: documentation fix")
    Reported-by: Yafang Shao <laoar.shao@gmail.com>
    Signed-off-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Tested-by: Yafang Shao <laoar.shao@gmail.com>
    Cc: Johannes Berg <johannes@sipsolutions.net>
    Cc: Shailabh Nagar <nagar@watson.ibm.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200327173111.63922-1-dsahern@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43929dcdeb09f9da3ea329a724fb68c64ded3c41
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Fri Feb 21 21:10:37 2020 +0100

    random: always use batched entropy for get_random_u{32,64}
    
    commit 69efea712f5b0489e67d07565aad5c94e09a3e52 upstream.
    
    It turns out that RDRAND is pretty slow. Comparing these two
    constructions:
    
      for (i = 0; i < CHACHA_BLOCK_SIZE; i += sizeof(ret))
        arch_get_random_long(&ret);
    
    and
    
      long buf[CHACHA_BLOCK_SIZE / sizeof(long)];
      extract_crng((u8 *)buf);
    
    it amortizes out to 352 cycles per long for the top one and 107 cycles
    per long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H.
    
    And importantly, the top one has the drawback of not benefiting from the
    real rng, whereas the bottom one has all the nice benefits of using our
    own chacha rng. As get_random_u{32,64} gets used in more places (perhaps
    beyond what it was originally intended for when it was introduced as
    get_random_{int,long} back in the md5 monstrosity era), it seems like it
    might be a good thing to strengthen its posture a tiny bit. Doing this
    should only be stronger and not any weaker because that pool is already
    initialized with a bunch of rdrand data (when available). This way, we
    get the benefits of the hardware rng as well as our own rng.
    
    Another benefit of this is that we no longer hit pitfalls of the recent
    stream of AMD bugs in RDRAND. One often used code pattern for various
    things is:
    
      do {
            val = get_random_u32();
      } while (hash_table_contains_key(val));
    
    That recent AMD bug rendered that pattern useless, whereas we're really
    very certain that chacha20 output will give pretty distributed numbers,
    no matter what.
    
    So, this simplification seems better both from a security perspective
    and from a performance perspective.
    
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20200221201037.30231-1-Jason@zx2c4.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f7dd0134a169df7dd9b68b6c135fe10629e66599
Author: Richard Palethorpe <rpalethorpe@suse.com>
Date:   Wed Apr 1 12:06:39 2020 +0200

    slcan: Don't transmit uninitialized stack data in padding
    
    [ Upstream commit b9258a2cece4ec1f020715fe3554bc2e360f6264 ]
    
    struct can_frame contains some padding which is not explicitly zeroed in
    slc_bump. This uninitialized data will then be transmitted if the stack
    initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL).
    
    This commit just zeroes the whole struct including the padding.
    
    Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
    Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters")
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Cc: linux-can@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: security@kernel.org
    Cc: wg@grandegger.com
    Cc: mkl@pengutronix.de
    Cc: davem@davemloft.net
    Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2a63744e67e6c6609e8ad620b1e24b1b324ece05
Author: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
Date:   Fri Apr 3 10:23:29 2020 +0800

    net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting
    
    [ Upstream commit 3e1221acf6a8f8595b5ce354bab4327a69d54d18 ]
    
    Commit 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address
    entries") cleared the unused mac address entries, but introduced an
    out-of bounds mac address register programming bug -- After setting
    the secondary unicast mac addresses, the "reg" value has reached
    netdev_uc_count() + 1, thus we should only clear address entries
    if (addr < perfect_addr_number)
    
    Fixes: 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address entries")
    Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4489253d0625c4841620160b2461925b695c651c
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Wed Apr 1 21:10:58 2020 -0700

    mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
    
    commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd upstream.
    
    Using an empty (malformed) nodelist that is not caught during mount option
    parsing leads to a stack-out-of-bounds access.
    
    The option string that was used was: "mpol=prefer:,".  However,
    MPOL_PREFERRED requires a single node number, which is not being provided
    here.
    
    Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's
    nodeid.
    
    Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
    Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
    Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 80c4e3a257b95fec296eb1ea1b320a0fa1396182
Author: Daniel Jordan <daniel.m.jordan@oracle.com>
Date:   Tue Dec 3 14:31:11 2019 -0500

    padata: always acquire cpu_hotplug_lock before pinst->lock
    
    commit 38228e8848cd7dd86ccb90406af32de0cad24be3 upstream.
    
    lockdep complains when padata's paths to update cpumasks via CPU hotplug
    and sysfs are both taken:
    
      # echo 0 > /sys/devices/system/cpu/cpu1/online
      # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
    
      ======================================================
      WARNING: possible circular locking dependency detected
      5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted
      ------------------------------------------------------
      bash/205 is trying to acquire lock:
      ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120
    
      but task is already holding lock:
      ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120
    
      which lock already depends on the new lock.
    
    padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent
    order.  Which should be first?  CPU hotplug calls into padata with
    cpu_hotplug_lock already held, so it should have priority.
    
    Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus")
    Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
    Cc: Eric Biggers <ebiggers@kernel.org>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: linux-crypto@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 13684ec1e913847fa2aedae7b739336d96143c5d
Author: Krzysztof Opasiak <k.opasiak@samsung.com>
Date:   Sun May 22 11:08:13 2016 +0200

    usb: gadget: printer: Drop unused device qualifier descriptor
    
    commit e5a89162161d498170e7e39e6cfd2f71458c2b00 upstream.
    
    This descriptor is never used. Currently device qualifier
    descriptor is generated by compossite code, so no need to
    keep it in function file.
    
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Cc: Nick Desaulniers <ndesaulniers@google.com>
    Cc: Nathan Chancellor <natechancellor@gmail.com>
    Cc: kbuild test robot <lkp@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f207c5613e43e4d62c77ec0e3190be42cf76657
Author: Krzysztof Opasiak <k.opasiak@samsung.com>
Date:   Sun May 22 11:08:14 2016 +0200

    usb: gadget: uac2: Drop unused device qualifier descriptor
    
    commit d4529f9be1d72919f75f76f31773c4e98d03ce6b upstream.
    
    This descriptor is never used. Currently device qualifier
    descriptor is generated by compossite code so no need to
    keep it in function file.
    
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Cc: Nick Desaulniers <ndesaulniers@google.com>
    Cc: Nathan Chancellor <natechancellor@gmail.com>
    Cc: kbuild test robot <lkp@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d845bf594d68d309a39ce8df72942e2b3fbbb176
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Thu Apr 2 18:32:50 2020 +0100

    l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()
    
    commit b228a94066406b6c456321d69643b0d7ce11cfa6 upstream.
    
    There are several ways to remove L2TP sessions:
    
      * deleting a session explicitly using the netlink interface (with
        L2TP_CMD_SESSION_DELETE),
      * deleting the session's parent tunnel (either by closing the
        tunnel's file descriptor or using the netlink interface),
      * closing the PPPOL2TP file descriptor of a PPP pseudo-wire.
    
    In some cases, when these methods are used concurrently on the same
    session, the session can be removed twice, leading to use-after-free
    bugs.
    
    This patch adds a 'dead' flag, used by l2tp_session_delete() and
    l2tp_tunnel_closeall() to prevent them from stepping on each other's
    toes.
    
    The session deletion path used when closing a PPPOL2TP file descriptor
    doesn't need to be adapted. It already has to ensure that a session
    remains valid for the lifetime of its PPPOL2TP file descriptor.
    So it takes an extra reference on the session in the ->session_close()
    callback (pppol2tp_session_close()), which is eventually dropped
    in the ->sk_destruct() callback of the PPPOL2TP socket
    (pppol2tp_session_destruct()).
    Still, __l2tp_session_unhash() and l2tp_session_queue_purge() can be
    called twice and even concurrently for a given session, but thanks to
    proper locking and re-initialisation of list fields, this is not an
    issue.
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b2c1c59e89b5b2953bd46208d7989fdda22222bf
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Thu Apr 2 18:32:49 2020 +0100

    l2tp: ensure sessions are freed after their PPPOL2TP socket
    
    commit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream.
    
    If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session
    right after pppol2tp_release() orphaned its socket, then the 'sock'
    variable of the pppol2tp_session_close() callback is NULL. Yet the
    session is still used by pppol2tp_release().
    
    Therefore we need to take an extra reference in any case, to prevent
    l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session.
    
    Since the pppol2tp_session_close() callback is only set if the session
    is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete()
    and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling
    pppol2tp_session_close(), we're sure that pppol2tp_session_close() and
    pppol2tp_session_destruct() are paired and called in the right order.
    So the reference taken by the former will be released by the later.
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3cc61eae6d29dbb95b394f2f7938be8fb198b9d0
Author: Gao Feng <fgao@ikuai8.com>
Date:   Thu Apr 2 18:32:48 2020 +0100

    l2tp: Refactor the codes with existing macros instead of literal number
    
    commit 54c151d9ed1321e6e623c80ffe42cd2eb1571744 upstream.
    
    Use PPP_ALLSTATIONS, PPP_UI, and SEND_SHUTDOWN instead of 0xff,
    0x03, and 2 separately.
    
    Signed-off-by: Gao Feng <fgao@ikuai8.com>
    Acked-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e613c62082429796e6b29e893b554a51c7ef5b07
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Thu Apr 2 18:32:47 2020 +0100

    l2tp: fix duplicate session creation
    
    commit dbdbc73b44782e22b3b4b6e8b51e7a3d245f3086 upstream.
    
    l2tp_session_create() relies on its caller for checking for duplicate
    sessions. This is racy since a session can be concurrently inserted
    after the caller's verification.
    
    Fix this by letting l2tp_session_create() verify sessions uniqueness
    upon insertion. Callers need to be adapted to check for
    l2tp_session_create()'s return code instead of calling
    l2tp_session_find().
    
    pppol2tp_connect() is a bit special because it has to work on existing
    sessions (if they're not connected) or to create a new session if none
    is found. When acting on a preexisting session, a reference must be
    held or it could go away on us. So we have to use l2tp_session_get()
    instead of l2tp_session_find() and drop the reference before exiting.
    
    Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bbece67424d9990f25b68416ba51384cabdb9a59
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Thu Apr 2 18:32:46 2020 +0100

    l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
    
    commit 57377d63547861919ee634b845c7caa38de4a452 upstream.
    
    Holding a reference on session is required before calling
    pppol2tp_session_ioctl(). The session could get freed while processing the
    ioctl otherwise. Since pppol2tp_session_ioctl() uses the session's socket,
    we also need to take a reference on it in l2tp_session_get().
    
    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 128db36faef7b3061225de94713ae8e3c5b4082e
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Thu Apr 2 18:32:45 2020 +0100

    l2tp: fix race in l2tp_recv_common()
    
    commit 61b9a047729bb230978178bca6729689d0c50ca2 upstream.
    
    Taking a reference on sessions in l2tp_recv_common() is racy; this
    has to be done by the callers.
    
    To this end, a new function is required (l2tp_session_get()) to
    atomically lookup a session and take a reference on it. Callers then
    have to manually drop this reference.
    
    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d7021e80e2321e7befa3e60dc24f48767eedd56c
Author: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Date:   Thu May 26 20:16:36 2016 +0300

    net: l2tp: Make l2tp_ip6 namespace aware
    
    commit 0e6b5259824e97a0f7e7b450421ff12865d3b0e2 upstream.
    
    l2tp_ip6 tunnel and session lookups were still using init_net, although
    the l2tp core infrastructure already supports lookups keyed by 'net'.
    
    As a result, l2tp_ip6_recv discarded packets for tunnels/sessions
    created in namespaces other than the init_net.
    
    Fix, by using dev_net(skb->dev) or sock_net(sk) where appropriate.
    
    Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 890a9c4b3feff8287fa0ee2f82a8d788beeb8235
Author: phil.turnbull@oracle.com <phil.turnbull@oracle.com>
Date:   Tue Jul 26 15:14:35 2016 -0400

    l2tp: Correctly return -EBADF from pppol2tp_getname.
    
    commit 4ac36a4adaf80013a60013d6f829f5863d5d0e05 upstream.
    
    If 'tunnel' is NULL we should return -EBADF but the 'end_put_sess' path
    unconditionally sets 'error' back to zero. Rework the error path so it
    more closely matches pppol2tp_sendmsg.
    
    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b4a7e78cb78bbfaa582c8e67e1b6a7e205757050
Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date:   Thu Mar 26 20:47:46 2020 -0300

    sctp: fix possibly using a bad saddr with a given dst
    
    [ Upstream commit 582eea230536a6f104097dd46205822005d5fe3a ]
    
    Under certain circumstances, depending on the order of addresses on the
    interfaces, it could be that sctp_v[46]_get_dst() would return a dst
    with a mismatched struct flowi.
    
    For example, if when walking through the bind addresses and the first
    one is not a match, it saves the dst as a fallback (added in
    410f03831c07), but not the flowi. Then if the next one is also not a
    match, the previous dst will be returned but with the flowi information
    for the 2nd address, which is wrong.
    
    The fix is to use a locally stored flowi that can be used for such
    attempts, and copy it to the parameter only in case it is a possible
    match, together with the corresponding dst entry.
    
    The patch updates IPv6 code mostly just to be in sync. Even though the issue
    is also present there, it fallback is not expected to work with IPv6.
    
    Fixes: 410f03831c07 ("sctp: add routing output fallback")
    Reported-by: Jin Meng <meng.a.jin@nokia-sbell.com>
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Tested-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b31b3101e102ab073f9631f0449864576a927f8d
Author: William Dauchy <w.dauchy@criteo.com>
Date:   Fri Mar 27 19:56:39 2020 +0100

    net, ip_tunnel: fix interface lookup with no key
    
    [ Upstream commit 25629fdaff2ff509dd0b3f5ff93d70a75e79e0a1 ]
    
    when creating a new ipip interface with no local/remote configuration,
    the lookup is done with TUNNEL_NO_KEY flag, making it impossible to
    match the new interface (only possible match being fallback or metada
    case interface); e.g: `ip link add tunl1 type ipip dev eth0`
    
    To fix this case, adding a flag check before the key comparison so we
    permit to match an interface with no local/remote config; it also avoids
    breaking possible userland tools relying on TUNNEL_NO_KEY flag and
    uninitialised key.
    
    context being on my side, I'm creating an extra ipip interface attached
    to the physical one, and moving it to a dedicated namespace.
    
    Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
    Signed-off-by: William Dauchy <w.dauchy@criteo.com>
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f3be59fa69f694db08ea5053529bfad33c230583
Author: Qian Cai <cai@lca.pw>
Date:   Wed Mar 25 18:01:00 2020 -0400

    ipv4: fix a RCU-list lock in fib_triestat_seq_show
    
    [ Upstream commit fbe4e0c1b298b4665ee6915266c9d6c5b934ef4a ]
    
    fib_triestat_seq_show() calls hlist_for_each_entry_rcu(tb, head,
    tb_hlist) without rcu_read_lock() will trigger a warning,
    
     net/ipv4/fib_trie.c:2579 RCU-list traversed in non-reader section!!
    
     other info that might help us debug this:
    
     rcu_scheduler_active = 2, debug_locks = 1
     1 lock held by proc01/115277:
      #0: c0000014507acf00 (&p->lock){+.+.}-{3:3}, at: seq_read+0x58/0x670
    
     Call Trace:
      dump_stack+0xf4/0x164 (unreliable)
      lockdep_rcu_suspicious+0x140/0x164
      fib_triestat_seq_show+0x750/0x880
      seq_read+0x1a0/0x670
      proc_reg_read+0x10c/0x1b0
      __vfs_read+0x3c/0x70
      vfs_read+0xac/0x170
      ksys_read+0x7c/0x140
      system_call+0x5c/0x68
    
    Fix it by adding a pair of rcu_read_lock/unlock() and use
    cond_resched_rcu() to avoid the situation where walking of a large
    number of items  may prevent scheduling for a long time.
    
    Signed-off-by: Qian Cai <cai@lca.pw>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0944250e93a4e3f31ce39900bb677ad0f00b58ea
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Fri Mar 13 09:41:52 2020 +0100

    drm/bochs: downgrade pci_request_region failure from error to warning
    
    [ Upstream commit 8c34cd1a7f089dc03933289c5d4a4d1489549828 ]
    
    Shutdown of firmware framebuffer has a bunch of problems.  Because
    of this the framebuffer region might still be reserved even after
    drm_fb_helper_remove_conflicting_pci_framebuffers() returned.
    
    Don't consider pci_request_region() failure for the framebuffer
    region as fatal error to workaround this issue.
    
    Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Acked-by: Sam Ravnborg <sam@ravnborg.org>
    Link: http://patchwork.freedesktop.org/patch/msgid/20200313084152.2734-1-kraxel@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>