commit 0dc4b955f01eae10c6923c86234ef9768137797f
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Jan 5 12:30:28 2022 +0100

    Linux 4.4.298
    
    Link: https://lore.kernel.org/r/20220103142050.763904028@linuxfoundation.org
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 15579e1301f856ad9385d720c9267c11032a5022
Author: Muchun Song <songmuchun@bytedance.com>
Date:   Tue Dec 28 18:41:45 2021 +0800

    net: fix use-after-free in tw_timer_handler
    
    commit e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 upstream.
    
    A real world panic issue was found as follow in Linux 5.4.
    
        BUG: unable to handle page fault for address: ffffde49a863de28
        PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
        RIP: 0010:tw_timer_handler+0x20/0x40
        Call Trace:
         <IRQ>
         call_timer_fn+0x2b/0x120
         run_timer_softirq+0x1ef/0x450
         __do_softirq+0x10d/0x2b8
         irq_exit+0xc7/0xd0
         smp_apic_timer_interrupt+0x68/0x120
         apic_timer_interrupt+0xf/0x20
    
    This issue was also reported since 2017 in the thread [1],
    unfortunately, the issue was still can be reproduced after fixing
    DCCP.
    
    The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
    namespace is destroyed since tcp_sk_ops is registered befrore
    ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
    in the list of pernet_list. There will be a use-after-free on
    net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
    if there are some inflight time-wait timers.
    
    This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
    NET_ADD_STATS_BH") since the net_statistics is a global variable
    instead of dynamic allocation and freeing. Actually, commit
    61a7e26028b9 ("mib: put net statistics on struct net") introduces
    the bug since it put net statistics on struct net and free it when
    net namespace is destroyed.
    
    Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
    and replace pr_crit() with panic() since continuing is meaningless
    when init_ipv4_mibs() fails.
    
    [1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
    
    Fixes: 61a7e26028b9 ("mib: put net statistics on struct net")
    Signed-off-by: Muchun Song <songmuchun@bytedance.com>
    Cc: Cong Wang <cong.wang@bytedance.com>
    Cc: Fam Zheng <fam.zheng@bytedance.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20211228104145.9426-1-songmuchun@bytedance.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f5cfbc0e795a724aa559b92c533125c82105bb61
Author: Leo L. Schwab <ewhac@ewhac.org>
Date:   Thu Dec 30 21:05:00 2021 -0800

    Input: spaceball - fix parsing of movement data packets
    
    commit bc7ec91718c49d938849697cfad98fcd9877cc26 upstream.
    
    The spaceball.c module was not properly parsing the movement reports
    coming from the device.  The code read axis data as signed 16-bit
    little-endian values starting at offset 2.
    
    In fact, axis data in Spaceball movement reports are signed 16-bit
    big-endian values starting at offset 3.  This was determined first by
    visually inspecting the data packets, and later verified by consulting:
    http://spacemice.org/pdf/SpaceBall_2003-3003_Protocol.pdf
    
    If this ever worked properly, it was in the time before Git...
    
    Signed-off-by: Leo L. Schwab <ewhac@ewhac.org>
    Link: https://lore.kernel.org/r/20211221101630.1146385-1-ewhac@ewhac.org
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d2cb2bf39a6d17ef4bdc0e59c1a35cf5751ad8f4
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Thu Dec 30 20:57:46 2021 -0800

    Input: appletouch - initialize work before device registration
    
    commit 9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0 upstream.
    
    Syzbot has reported warning in __flush_work(). This warning is caused by
    work->func == NULL, which means missing work initialization.
    
    This may happen, since input_dev->close() calls
    cancel_work_sync(&dev->work), but dev->work initalization happens _after_
    input_register_device() call.
    
    So this patch moves dev->work initialization before registering input
    device
    
    Fixes: 5a6eb676d3bc ("Input: appletouch - improve powersaving for Geyser3 devices")
    Reported-and-tested-by: syzbot+b88c5eae27386b252bbd@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Link: https://lore.kernel.org/r/20211230141151.17300-1-paskripkin@gmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4b76f130f6fe283a8815fa6b212b6a859c2f01ee
Author: Alexey Makhalov <amakhalov@vmware.com>
Date:   Mon Dec 20 11:05:14 2021 -0800

    scsi: vmw_pvscsi: Set residual data length conditionally
    
    commit 142c779d05d1fef75134c3cb63f52ccbc96d9e1f upstream.
    
    The PVSCSI implementation in the VMware hypervisor under specific
    configuration ("SCSI Bus Sharing" set to "Physical") returns zero dataLen
    in the completion descriptor for READ CAPACITY(16). As a result, the kernel
    can not detect proper disk geometry. This can be recognized by the kernel
    message:
    
      [ 0.776588] sd 1:0:0:0: [sdb] Sector size 0 reported, assuming 512.
    
    The PVSCSI implementation in QEMU does not set dataLen at all, keeping it
    zeroed. This leads to a boot hang as was reported by Shmulik Ladkani.
    
    It is likely that the controller returns the garbage at the end of the
    buffer. Residual length should be set by the driver in that case. The SCSI
    layer will erase corresponding data. See commit bdb2b8cab439 ("[SCSI] erase
    invalid data returned by device") for details.
    
    Commit e662502b3a78 ("scsi: vmw_pvscsi: Set correct residual data length")
    introduced the issue by setting residual length unconditionally, causing
    the SCSI layer to erase the useful payload beyond dataLen when this value
    is returned as 0.
    
    As a result, considering existing issues in implementations of PVSCSI
    controllers, we do not want to call scsi_set_resid() when dataLen ==
    0. Calling scsi_set_resid() has no effect if dataLen equals buffer length.
    
    Link: https://lore.kernel.org/lkml/20210824120028.30d9c071@blondie/
    Link: https://lore.kernel.org/r/20211220190514.55935-1-amakhalov@vmware.com
    Fixes: e662502b3a78 ("scsi: vmw_pvscsi: Set correct residual data length")
    Cc: Matt Wang <wwentao@vmware.com>
    Cc: Martin K. Petersen <martin.petersen@oracle.com>
    Cc: Vishal Bhakta <vbhakta@vmware.com>
    Cc: VMware PV-Drivers <pv-drivers@vmware.com>
    Cc: James E.J. Bottomley <jejb@linux.ibm.com>
    Cc: linux-scsi@vger.kernel.org
    Cc: stable@vger.kernel.org
    Reported-and-suggested-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
    Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f976dd7011150244a7ba820f2c331e9fb253befa
Author: Vincent Pelletier <plr.vincent@gmail.com>
Date:   Sat Dec 18 02:18:40 2021 +0000

    usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
    
    commit b1e0887379422975f237d43d8839b751a6bcf154 upstream.
    
    ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
    ffs_ep0_release, so it ends up being called twice when userland closes ep0
    and then unmounts f_fs.
    If userland provided an eventfd along with function's USB descriptors, it
    ends up calling eventfd_ctx_put as many times, causing a refcount
    underflow.
    NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
    
    Also, set epfiles to NULL right after de-allocating it, for readability.
    
    For completeness, ffs_data_clear actually ends up being called thrice, the
    last call being before the whole ffs structure gets freed, so when this
    specific sequence happens there is a second underflow happening (but not
    being reported):
    
    /sys/kernel/debug/tracing# modprobe usb_f_fs
    /sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
    /sys/kernel/debug/tracing# echo function > current_tracer
    /sys/kernel/debug/tracing# echo 1 > tracing_on
    (setup gadget, run and kill function userland process, teardown gadget)
    /sys/kernel/debug/tracing# echo 0 > tracing_on
    /sys/kernel/debug/tracing# cat trace
     smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear <-ffs_data_closed
     smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear <-ffs_data_closed
     smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear <-ffs_data_put
    
    Warning output corresponding to above trace:
    [ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
    [ 1946.293094] refcount_t: underflow; use-after-free.
    [ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
    [ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1
    [ 1946.417950] Hardware name: BCM2835
    [ 1946.425442] Backtrace:
    [ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
    [ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
    [ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
    [ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
    [ 1946.482067]  r5:c04a948c r4:c0a71dc8
    [ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
    [ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
    [ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
    [ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
    [ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
    [ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
    [ 1946.582664]  r5:c3b84c00 r4:c2695b00
    [ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
    [ 1946.609608]  r5:bf54d014 r4:c2695b00
    [ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
    [ 1946.636217]  r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
    [ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c)
    [ 1946.664893]  r5:bf54d014 r4:c229f000
    [ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64)
    [ 1946.690722]  r5:c2a09000 r4:c229f000
    [ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c)
    [ 1946.715553]  r5:c2a09000 r4:00000000
    [ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20)
    [ 1946.739922]  r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
    [ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8)
    [ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c)
    [ 1946.783540]  r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
    [ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
    [ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
    [ 1946.820129] bfa0:                                     00000000 00000000 000000aa b5e21430
    [ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
    [ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
    [ 1946.865335]  r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
    [ 1946.881914]  r4:bef867a0
    [ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---
    
    Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
    Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5721e8ee46e2fa41fdf224bbcc9ea3200323cbb8
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Tue Dec 21 13:28:25 2021 +0200

    xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
    
    commit e4844092581ceec22489b66c42edc88bc6079783 upstream.
    
    The Fresco Logic FL1100 controller needs the TRUST_TX_LENGTH quirk like
    other Fresco controllers, but should not have the BROKEN_MSI quirks set.
    
    BROKEN_MSI quirk causes issues in detecting usb drives connected to docks
    with this FL1100 controller.
    The BROKEN_MSI flag was apparently accidentally set together with the
    TRUST_TX_LENGTH quirk
    
    Original patch went to stable so this should go there as well.
    
    Fixes: ea0f69d82119 ("xhci: Enable trust tx length quirk for Fresco FL11 USB controller")
    Cc: stable@vger.kernel.org
    cc: Nikolay Martynov <mar.kolya@gmail.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20211221112825.54690-2-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f637d1eb646ca8b82c0b7511cda9c565aeba17be
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Dec 26 16:01:27 2021 +0300

    uapi: fix linux/nfc.h userspace compilation errors
    
    commit 7175f02c4e5f5a9430113ab9ca0fd0ce98b28a51 upstream.
    
    Replace sa_family_t with __kernel_sa_family_t to fix the following
    linux/nfc.h userspace compilation errors:
    
    /usr/include/linux/nfc.h:266:2: error: unknown type name 'sa_family_t'
      sa_family_t sa_family;
    /usr/include/linux/nfc.h:274:2: error: unknown type name 'sa_family_t'
      sa_family_t sa_family;
    
    Fixes: 23b7869c0fd0 ("NFC: add the NFC socket raw protocol")
    Fixes: d646960f7986 ("NFC: Initial LLCP support")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce46aae2bfa94c7723abdef74f4a425997807b50
Author: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Date:   Sun Dec 26 13:03:47 2021 +0100

    nfc: uapi: use kernel size_t to fix user-space builds
    
    commit 79b69a83705e621b258ac6d8ae6d3bfdb4b930aa upstream.
    
    Fix user-space builds if it includes /usr/include/linux/nfc.h before
    some of other headers:
    
      /usr/include/linux/nfc.h:281:9: error: unknown type name ‘size_t’
        281 |         size_t service_name_len;
            |         ^~~~~~
    
    Fixes: d646960f7986 ("NFC: Initial LLCP support")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7c573f3229096fed04472fb26c904863b7e61a79
Author: Tom Rix <trix@redhat.com>
Date:   Fri Dec 24 07:07:39 2021 -0800

    selinux: initialize proto variable in selinux_ip_postroute_compat()
    
    commit 732bc2ff080c447f8524f40c970c481f5da6eed3 upstream.
    
    Clang static analysis reports this warning
    
    hooks.c:5765:6: warning: 4th function call argument is an uninitialized
                    value
            if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    selinux_parse_skb() can return ok without setting proto.  The later call
    to selinux_xfrm_postroute_last() does an early check of proto and can
    return ok if the garbage proto value matches.  So initialize proto.
    
    Cc: stable@vger.kernel.org
    Fixes: eef9b41622f2 ("selinux: cleanup selinux_xfrm_sock_rcv_skb() and selinux_xfrm_postroute_last()")
    Signed-off-by: Tom Rix <trix@redhat.com>
    [PM: typo/spelling and checkpatch.pl description fixes]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11ade93ff764111a690c4dfa34c14be968c72e9a
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Thu Dec 23 17:43:14 2021 +0100

    recordmcount.pl: fix typo in s390 mcount regex
    
    commit 4eb1782eaa9fa1c224ad1fa0d13a9f09c3ab2d80 upstream.
    
    Commit 85bf17b28f97 ("recordmcount.pl: look for jgnop instruction as well
    as bcrl on s390") added a new alternative mnemonic for the existing brcl
    instruction. This is required for the combination old gcc version (pre 9.0)
    and binutils since version 2.37.
    However at the same time this commit introduced a typo, replacing brcl with
    bcrl. As a result no mcount locations are detected anymore with old gcc
    versions (pre 9.0) and binutils before version 2.37.
    Fix this by using the correct mnemonic again.
    
    Reported-by: Miroslav Benes <mbenes@suse.cz>
    Cc: Jerome Marchand <jmarchan@redhat.com>
    Cc: <stable@vger.kernel.org>
    Fixes: 85bf17b28f97 ("recordmcount.pl: look for jgnop instruction as well as bcrl on s390")
    Link: https://lore.kernel.org/r/alpine.LSU.2.21.2112230949520.19849@pobox.suse.cz
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e9056226a8f27eea059df2de1714c6a28aaeb208
Author: Wang Qing <wangqing@vivo.com>
Date:   Tue Dec 14 04:18:36 2021 -0800

    platform/x86: apple-gmux: use resource_size() with res
    
    [ Upstream commit eb66fb03a727cde0ab9b1a3858de55c26f3007da ]
    
    This should be (res->end - res->start + 1) here actually,
    use resource_size() derectly.
    
    Signed-off-by: Wang Qing <wangqing@vivo.com>
    Link: https://lore.kernel.org/r/1639484316-75873-1-git-send-email-wangqing@vivo.com
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>