commit cb83ddcd5332fcc3efd52ba994976efc4dd6061e
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Mar 17 16:34:35 2021 +0100

    Linux 4.14.226
    
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Jason Self <jason@bluehome.net>
    Tested-by: Hulk Robot <hulkrobot@huawei.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Link: https://lore.kernel.org/r/20210315135740.245494252@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 97b20ecfe833fec10333943b54fa82ba3323c9b1
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Mar 15 09:22:38 2021 +0100

    xen/events: avoid handling the same event on two cpus at the same time
    
    commit b6622798bc50b625a1e62f82c7190df40c1f5b21 upstream.
    
    When changing the cpu affinity of an event it can happen today that
    (with some unlucky timing) the same event will be handled on the old
    and the new cpu at the same time.
    
    Avoid that by adding an "event active" flag to the per-event data and
    call the handler only if this flag isn't set.
    
    Cc: stable@vger.kernel.org
    Reported-by: Julien Grall <julien@xen.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Link: https://lore.kernel.org/r/20210306161833.4552-4-jgross@suse.com
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0aa39010948bd56d0357299dd871bbde0d9f223e
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Mar 15 09:22:37 2021 +0100

    xen/events: don't unmask an event channel when an eoi is pending
    
    commit 25da4618af240fbec6112401498301a6f2bc9702 upstream.
    
    An event channel should be kept masked when an eoi is pending for it.
    When being migrated to another cpu it might be unmasked, though.
    
    In order to avoid this keep three different flags for each event channel
    to be able to distinguish "normal" masking/unmasking from eoi related
    masking/unmasking and temporary masking. The event channel should only
    be able to generate an interrupt if all flags are cleared.
    
    Cc: stable@vger.kernel.org
    Fixes: 54c9de89895e ("xen/events: add a new "late EOI" evtchn framework")
    Reported-by: Julien Grall <julien@xen.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Link: https://lore.kernel.org/r/20210306161833.4552-3-jgross@suse.com
    
    [boris -- corrected Fixed tag format]
    
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1801b1779d5ea43aef3d796a9dc495f76a08f0f5
Author: Juergen Gross <jgross@suse.com>
Date:   Mon Mar 15 09:22:37 2021 +0100

    xen/events: reset affinity of 2-level event when tearing it down
    
    commit 9e77d96b8e2724ed00380189f7b0ded61113b39f upstream.
    
    When creating a new event channel with 2-level events the affinity
    needs to be reset initially in order to avoid using an old affinity
    from earlier usage of the event channel port. So when tearing an event
    channel down reset all affinity bits.
    
    The same applies to the affinity when onlining a vcpu: all old
    affinity settings for this vcpu must be reset. As percpu events get
    initialized before the percpu event channel hook is called,
    resetting of the affinities happens after offlining a vcpu (this is
    working, as initial percpu memory is zeroed out).
    
    Cc: stable@vger.kernel.org
    Reported-by: Julien Grall <julien@xen.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Julien Grall <jgrall@amazon.com>
    Link: https://lore.kernel.org/r/20210306161833.4552-2-jgross@suse.com
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 593b7ff46bc064f2acac9ed6b7baa3189d2bcd90
Author: Navid Emamdoost <navid.emamdoost@gmail.com>
Date:   Sat Mar 13 18:29:49 2021 +0100

    iio: imu: adis16400: release allocated memory on failure
    
    commit ab612b1daf415b62c58e130cb3d0f30b255a14d0 upstream.
    
    In adis_update_scan_mode, if allocation for adis->buffer fails,
    previously allocated adis->xfer needs to be released.
    
    Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
    Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ccb7c819942daaeda58978d26fb45a3a48c2f8f6
Author: Marc Zyngier <maz@kernel.org>
Date:   Mon Mar 15 11:08:33 2021 +0000

    KVM: arm64: Fix exclusive limit for IPA size
    
    Commit 262b003d059c6671601a19057e9fe1a5e7f23722 upstream.
    
    When registering a memslot, we check the size and location of that
    memslot against the IPA size to ensure that we can provide guest
    access to the whole of the memory.
    
    Unfortunately, this check rejects memslot that end-up at the exact
    limit of the addressing capability for a given IPA size. For example,
    it refuses the creation of a 2GB memslot at 0x8000000 with a 32bit
    IPA space.
    
    Fix it by relaxing the check to accept a memslot reaching the
    limit of the IPA space.
    
    Fixes: c3058d5da222 ("arm/arm64: KVM: Ensure memslots are within KVM_PHYS_SIZE")
    Reviewed-by: Eric Auger <eric.auger@redhat.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Cc: stable@vger.kernel.org # 4.4, 4.9, 4.14, 4.19
    Reviewed-by: Andrew Jones <drjones@redhat.com>
    Link: https://lore.kernel.org/r/20210311100016.3830038-3-maz@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8a6799d81fd00e8d9755640bf91c192d0c1f79f
Author: Boyang Yu <byu@arista.com>
Date:   Fri Jun 28 19:06:36 2019 +0000

    hwmon: (lm90) Fix max6658 sporadic wrong temperature reading
    
    commit 62456189f3292c62f87aef363f204886dc1d4b48 upstream.
    
    max6658 may report unrealistically high temperature during
    the driver initialization, for which, its overtemp alarm pin
    also gets asserted. For certain devices implementing overtemp
    protection based on that pin, it may further trigger a reset to
    the device. By reproducing the problem, the wrong reading is
    found to be coincident with changing the conversion rate.
    
    To mitigate this issue, set the stop bit before changing the
    conversion rate and unset it thereafter. After such change, the
    wrong reading is not reproduced. Apply this change only to the
    max6657 kind for now, controlled by flag LM90_PAUSE_ON_CONFIG.
    
    Signed-off-by: Boyang Yu <byu@arista.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Cc: Paul Menzel <pmenzel@molgen.mpg.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a8b4124ea4156ca52918b66c750a69c6d932aa5
Author: Lior Ribak <liorribak@gmail.com>
Date:   Fri Mar 12 21:07:41 2021 -0800

    binfmt_misc: fix possible deadlock in bm_register_write
    
    commit e7850f4d844e0acfac7e570af611d89deade3146 upstream.
    
    There is a deadlock in bm_register_write:
    
    First, in the begining of the function, a lock is taken on the binfmt_misc
    root inode with inode_lock(d_inode(root)).
    
    Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call
    open_exec on the user-provided interpreter.
    
    open_exec will call a path lookup, and if the path lookup process includes
    the root of binfmt_misc, it will try to take a shared lock on its inode
    again, but it is already locked, and the code will get stuck in a deadlock
    
    To reproduce the bug:
    $ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register
    
    backtrace of where the lock occurs (#5):
    0  schedule () at ./arch/x86/include/asm/current.h:15
    1  0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=<optimized out>, state=state@entry=2) at kernel/locking/rwsem.c:992
    2  0xffffffff81b5150a in __down_read_common (state=2, sem=<optimized out>) at kernel/locking/rwsem.c:1213
    3  __down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1222
    4  down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1355
    5  0xffffffff811ee22a in inode_lock_shared (inode=<optimized out>) at ./include/linux/fs.h:783
    6  open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177
    7  path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366
    8  0xffffffff811efe1c in do_filp_open (dfd=<optimized out>, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396
    9  0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=<optimized out>, flags@entry=0) at fs/exec.c:913
    10 0xffffffff811e4a92 in open_exec (name=<optimized out>) at fs/exec.c:948
    11 0xffffffff8124aa84 in bm_register_write (file=<optimized out>, buffer=<optimized out>, count=19, ppos=<optimized out>) at fs/binfmt_misc.c:682
    12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF
    ", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603
    13 0xffffffff811defda in ksys_write (fd=<optimized out>, buf=0xa758d0 ":iiiii:E::ii::i:CF
    ", count=19) at fs/read_write.c:658
    14 0xffffffff81b49813 in do_syscall_64 (nr=<optimized out>, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46
    15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120
    
    To solve the issue, the open_exec call is moved to before the write
    lock is taken by bm_register_write
    
    Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com
    Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers")
    Signed-off-by: Lior Ribak <liorribak@gmail.com>
    Acked-by: Helge Deller <deller@gmx.de>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9faa57d306d9e2849e1d08ae59b3333a335e022c
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Mar 4 07:34:11 2021 +0530

    powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
    
    commit cea15316ceee2d4a51dfdecd79e08a438135416c upstream.
    
    'lis r2,N' is 'addis r2,0,N' and the instruction encoding in the macro
    LIS_R2 is incorrect (it currently maps to 'addis r0,r2,N'). Fix the
    same.
    
    Fixes: c71b7eff426f ("powerpc: Add ABIv2 support to ppc_function_entry")
    Cc: stable@vger.kernel.org # v3.16+
    Reported-by: Jiri Olsa <jolsa@redhat.com>
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Acked-by: Segher Boessenkool <segher@kernel.crashing.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20210304020411.16796-1-naveen.n.rao@linux.vnet.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 997e68565f8dcfe2aa2a40a9e6fc38693f97d4dd
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date:   Fri Mar 12 21:08:03 2021 -0800

    include/linux/sched/mm.h: use rcu_dereference in in_vfork()
    
    [ Upstream commit 149fc787353f65b7e72e05e7b75d34863266c3e2 ]
    
    Fix a sparse warning by using rcu_dereference().  Technically this is a
    bug and a sufficiently aggressive compiler could reload the `real_parent'
    pointer outside the protection of the rcu lock (and access freed memory),
    but I think it's pretty unlikely to happen.
    
    Link: https://lkml.kernel.org/r/20210221194207.1351703-1-willy@infradead.org
    Fixes: b18dc5f291c0 ("mm, oom: skip vforked tasks from being selected")
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
    Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 44bd240d69668fb03aa2e0abb9b30a1b28d60002
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Fri Mar 12 21:07:04 2021 -0800

    stop_machine: mark helpers __always_inline
    
    [ Upstream commit cbf78d85079cee662c45749ef4f744d41be85d48 ]
    
    With clang-13, some functions only get partially inlined, with a
    specialized version referring to a global variable.  This triggers a
    harmless build-time check for the intel-rng driver:
    
    WARNING: modpost: drivers/char/hw_random/intel-rng.o(.text+0xe): Section mismatch in reference from the function stop_machine() to the function .init.text:intel_rng_hw_init()
    The function stop_machine() references
    the function __init intel_rng_hw_init().
    This is often because stop_machine lacks a __init
    annotation or the annotation of intel_rng_hw_init is wrong.
    
    In this instance, an easy workaround is to force the stop_machine()
    function to be inline, along with related interfaces that did not show the
    same behavior at the moment, but theoretically could.
    
    The combination of the two patches listed below triggers the behavior in
    clang-13, but individually these commits are correct.
    
    Link: https://lkml.kernel.org/r/20210225130153.1956990-1-arnd@kernel.org
    Fixes: fe5595c07400 ("stop_machine: Provide stop_machine_cpuslocked()")
    Fixes: ee527cd3a20c ("Use stop_machine_run in the Intel RNG driver")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Nathan Chancellor <nathan@kernel.org>
    Cc: Nick Desaulniers <ndesaulniers@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Cc: "Paul E. McKenney" <paulmck@kernel.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Valentin Schneider <valentin.schneider@arm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4769013f841ed35bdce3b11b64349d0c166ee0a2
Author: Daiyue Zhang <zhangdaiyue1@huawei.com>
Date:   Mon Mar 1 14:10:53 2021 +0800

    configfs: fix a use-after-free in __configfs_open_file
    
    [ Upstream commit 14fbbc8297728e880070f7b077b3301a8c698ef9 ]
    
    Commit b0841eefd969 ("configfs: provide exclusion between IO and removals")
    uses ->frag_dead to mark the fragment state, thus no bothering with extra
    refcount on config_item when opening a file. The configfs_get_config_item
    was removed in __configfs_open_file, but not with config_item_put. So the
    refcount on config_item will lost its balance, causing use-after-free
    issues in some occasions like this:
    
    Test:
    1. Mount configfs on /config with read-only items:
    drwxrwx--- 289 root   root            0 2021-04-01 11:55 /config
    drwxr-xr-x   2 root   root            0 2021-04-01 11:54 /config/a
    --w--w--w-   1 root   root         4096 2021-04-01 11:53 /config/a/1.txt
    ......
    
    2. Then run:
    for file in /config
    do
    echo $file
    grep -R 'key' $file
    done
    
    3. __configfs_open_file will be called in parallel, the first one
    got called will do:
    if (file->f_mode & FMODE_READ) {
            if (!(inode->i_mode & S_IRUGO))
                    goto out_put_module;
                            config_item_put(buffer->item);
                                    kref_put()
                                            package_details_release()
                                                    kfree()
    
    the other one will run into use-after-free issues like this:
    BUG: KASAN: use-after-free in __configfs_open_file+0x1bc/0x3b0
    Read of size 8 at addr fffffff155f02480 by task grep/13096
    CPU: 0 PID: 13096 Comm: grep VIP: 00 Tainted: G        W       4.14.116-kasan #1
    TGID: 13096 Comm: grep
    Call trace:
    dump_stack+0x118/0x160
    kasan_report+0x22c/0x294
    __asan_load8+0x80/0x88
    __configfs_open_file+0x1bc/0x3b0
    configfs_open_file+0x28/0x34
    do_dentry_open+0x2cc/0x5c0
    vfs_open+0x80/0xe0
    path_openat+0xd8c/0x2988
    do_filp_open+0x1c4/0x2fc
    do_sys_open+0x23c/0x404
    SyS_openat+0x38/0x48
    
    Allocated by task 2138:
    kasan_kmalloc+0xe0/0x1ac
    kmem_cache_alloc_trace+0x334/0x394
    packages_make_item+0x4c/0x180
    configfs_mkdir+0x358/0x740
    vfs_mkdir2+0x1bc/0x2e8
    SyS_mkdirat+0x154/0x23c
    el0_svc_naked+0x34/0x38
    
    Freed by task 13096:
    kasan_slab_free+0xb8/0x194
    kfree+0x13c/0x910
    package_details_release+0x524/0x56c
    kref_put+0xc4/0x104
    config_item_put+0x24/0x34
    __configfs_open_file+0x35c/0x3b0
    configfs_open_file+0x28/0x34
    do_dentry_open+0x2cc/0x5c0
    vfs_open+0x80/0xe0
    path_openat+0xd8c/0x2988
    do_filp_open+0x1c4/0x2fc
    do_sys_open+0x23c/0x404
    SyS_openat+0x38/0x48
    el0_svc_naked+0x34/0x38
    
    To fix this issue, remove the config_item_put in
    __configfs_open_file to balance the refcount of config_item.
    
    Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals")
    Signed-off-by: Daiyue Zhang <zhangdaiyue1@huawei.com>
    Signed-off-by: Yi Chen <chenyi77@huawei.com>
    Signed-off-by: Ge Qiu <qiuge@huawei.com>
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 78bda6e4ddd601db1adcba2296babc5a95f94d49
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Date:   Tue Mar 9 19:30:17 2021 -0800

    block: rsxx: fix error return code of rsxx_pci_probe()
    
    [ Upstream commit df66617bfe87487190a60783d26175b65d2502ce ]
    
    When create_singlethread_workqueue returns NULL to card->event_wq, no
    error return code of rsxx_pci_probe() is assigned.
    
    To fix this bug, st is assigned with -ENOMEM in this case.
    
    Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver")
    Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
    Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
    Link: https://lore.kernel.org/r/20210310033017.4023-1-baijiaju1990@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6c7a708686c5968b3c0c120eaade6c4fdec90f2c
Author: Ondrej Mosnacek <omosnace@redhat.com>
Date:   Fri Jan 15 18:43:56 2021 +0100

    NFSv4.2: fix return value of _nfs4_get_security_label()
    
    [ Upstream commit 53cb245454df5b13d7063162afd7a785aed6ebf2 ]
    
    An xattr 'get' handler is expected to return the length of the value on
    success, yet _nfs4_get_security_label() (and consequently also
    nfs4_xattr_get_nfs4_label(), which is used as an xattr handler) returns
    just 0 on success.
    
    Fix this by returning label.len instead, which contains the length of
    the result.
    
    Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
    Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
    Reviewed-by: James Morris <jamorris@linux.microsoft.com>
    Reviewed-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 876bb39c4f684cb11a5a9f4bbcc519b9c149d1b0
Author: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Date:   Sun Feb 28 23:26:34 2021 +0300

    sh_eth: fix TRSCER mask for R7S72100
    
    [ Upstream commit 75be7fb7f978202c4c3a1a713af4485afb2ff5f6 ]
    
    According  to  the RZ/A1H Group, RZ/A1M Group User's Manual: Hardware,
    Rev. 4.00, the TRSCER register has bit 9 reserved, hence we can't use
    the driver's default TRSCER mask.  Add the explicit initializer for
    sh_eth_cpu_data::trscer_err_mask for R7S72100.
    
    Fixes: db893473d313 ("sh_eth: Add support for r7s72100")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9fce2b2b086bf3c735fd962b12c6321469bf60ba
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:50 2021 +0000

    staging: comedi: pcl818: Fix endian problem for AI command data
    
    commit 148e34fd33d53740642db523724226de14ee5281 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    parameter.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the parameter
    holding the sample value to `unsigned short`.
    
    [Note: the bug was introduced in commit edf4537bcbf5 ("staging: comedi:
    pcl818: use comedi_buf_write_samples()") but the patch applies better to
    commit d615416de615 ("staging: comedi: pcl818: introduce
    pcl818_ai_write_sample()").]
    
    Fixes: d615416de615 ("staging: comedi: pcl818: introduce pcl818_ai_write_sample()")
    Cc: <stable@vger.kernel.org> # 4.0+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-10-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1467c0adafbd86c25f72b6d08a34165209a476ab
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:49 2021 +0000

    staging: comedi: pcl711: Fix endian problem for AI command data
    
    commit a084303a645896e834883f2c5170d044410dfdb3 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: 1f44c034de2e ("staging: comedi: pcl711: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-9-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d46b4b8f208bcb550380e6c508bf972f56b070c2
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:48 2021 +0000

    staging: comedi: me4000: Fix endian problem for AI command data
    
    commit b39dfcced399d31e7c4b7341693b18e01c8f655e upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the calls to
    `comedi_buf_write_samples()` are passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: de88924f67d1 ("staging: comedi: me4000: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-8-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e3755505e12e2307db86873442ec8ee488bfc564
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:47 2021 +0000

    staging: comedi: dmm32at: Fix endian problem for AI command data
    
    commit 54999c0d94b3c26625f896f8e3460bc029821578 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    [Note: the bug was introduced in commit 1700529b24cc ("staging: comedi:
    dmm32at: use comedi_buf_write_samples()") but the patch applies better
    to the later (but in the same kernel release) commit 0c0eadadcbe6e
    ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()").]
    
    Fixes: 0c0eadadcbe6e ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-7-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5b4dd43185fadb97c8779e9fb8f1ea9bf0ecca54
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:46 2021 +0000

    staging: comedi: das800: Fix endian problem for AI command data
    
    commit 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: ad9eb43c93d8 ("staging: comedi: das800: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-6-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4c350143b08bcbdd31e84d9fcae875dd318d3726
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:45 2021 +0000

    staging: comedi: das6402: Fix endian problem for AI command data
    
    commit 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the call to
    `comedi_buf_write_samples()` is passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variable
    holding the sample value to `unsigned short`.
    
    Fixes: d1d24cb65ee3 ("staging: comedi: das6402: read analog input samples in interrupt handler")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-5-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e274c193ae9d0e8f0f8cecc261f23bb80fd6859e
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:44 2021 +0000

    staging: comedi: adv_pci1710: Fix endian problem for AI command data
    
    commit b2e78630f733a76508b53ba680528ca39c890e82 upstream.
    
    The analog input subdevice supports Comedi asynchronous commands that
    use Comedi's 16-bit sample format.  However, the calls to
    `comedi_buf_write_samples()` are passing the address of a 32-bit integer
    variable.  On bigendian machines, this will copy 2 bytes from the wrong
    end of the 32-bit value.  Fix it by changing the type of the variables
    holding the sample value to `unsigned short`.  The type of the `val`
    parameter of `pci1710_ai_read_sample()` is changed to `unsigned short *`
    accordingly.  The type of the `val` variable in `pci1710_ai_insn_read()`
    is also changed to `unsigned short` since its address is passed to
    `pci1710_ai_read_sample()`.
    
    Fixes: a9c3a015c12f ("staging: comedi: adv_pci1710: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 4.0+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-4-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7e8cd32bf62ea75d788e7006679d1bfbe12b0de
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:43 2021 +0000

    staging: comedi: addi_apci_1500: Fix endian problem for command sample
    
    commit ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 upstream.
    
    The digital input subdevice supports Comedi asynchronous commands that
    read interrupt status information.  This uses 16-bit Comedi samples (of
    which only the bottom 8 bits contain status information).  However, the
    interrupt handler is calling `comedi_buf_write_samples()` with the
    address of a 32-bit variable `unsigned int status`.  On a bigendian
    machine, this will copy 2 bytes from the wrong end of the variable.  Fix
    it by changing the type of the variable to `unsigned short`.
    
    Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
    Cc: <stable@vger.kernel.org> #4.0+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-3-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9e40d802524dafa34cc444ebbec210dcf8f3e3e3
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Feb 23 14:30:42 2021 +0000

    staging: comedi: addi_apci_1032: Fix endian problem for COS sample
    
    commit 25317f428a78fde71b2bf3f24d05850f08a73a52 upstream.
    
    The Change-Of-State (COS) subdevice supports Comedi asynchronous
    commands to read 16-bit change-of-state values.  However, the interrupt
    handler is calling `comedi_buf_write_samples()` with the address of a
    32-bit integer `&s->state`.  On bigendian architectures, it will copy 2
    bytes from the wrong end of the 32-bit integer.  Fix it by transferring
    the value via a 16-bit integer.
    
    Fixes: 6bb45f2b0c86 ("staging: comedi: addi_apci_1032: use comedi_buf_write_samples()")
    Cc: <stable@vger.kernel.org> # 3.19+
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Link: https://lore.kernel.org/r/20210223143055.257402-2-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f5f8232114272c6d8c53614889324c2b2e2c45f8
Author: Lee Gibson <leegib@gmail.com>
Date:   Fri Feb 26 14:51:57 2021 +0000

    staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
    
    commit 8687bf9ef9551bcf93897e33364d121667b1aadf upstream.
    
    Function _rtl92e_wx_set_scan calls memcpy without checking the length.
    A user could control that length and trigger a buffer overflow.
    Fix by checking the length is within the maximum allowed size.
    
    Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Lee Gibson <leegib@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8fccad1a2f5efe1f2b0874ceb9fb81aca2732655
Author: Lee Gibson <leegib@gmail.com>
Date:   Mon Mar 1 13:26:48 2021 +0000

    staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
    
    commit b93c1e3981af19527beee1c10a2bef67a228c48c upstream.
    
    Function r8712_sitesurvey_cmd calls memcpy without checking the length.
    A user could control that length and trigger a buffer overflow.
    Fix by checking the length is within the maximum allowed size.
    
    Signed-off-by: Lee Gibson <leegib@gmail.com>
    Link: https://lore.kernel.org/r/20210301132648.420296-1-leegib@gmail.com
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9085704d042d18ac2e84685e92547c1a9cbe02b3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Mar 2 14:19:39 2021 +0300

    staging: ks7010: prevent buffer overflow in ks_wlan_set_scan()
    
    commit e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 upstream.
    
    The user can specify a "req->essid_len" of up to 255 but if it's
    over IW_ESSID_MAX_SIZE (32) that can lead to memory corruption.
    
    Fixes: 13a9930d15b4 ("staging: ks7010: add driver from Nanonote extra-repository")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YD4fS8+HmM/Qmrw6@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d6a72270f35dc77569f8f7ceac9ade407d71772
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Mar 5 11:56:32 2021 +0300

    staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
    
    commit d4ac640322b06095128a5c45ba4a1e80929fe7f3 upstream.
    
    The "ie_len" is a value in the 1-255 range that comes from the user.  We
    have to cap it to ensure that it's not too large or it could lead to
    memory corruption.
    
    Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YEHyQCrFZKTXyT7J@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bf873575f32bbdcf5b07086f23fec12e7c7f55f5
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Feb 24 11:45:59 2021 +0300

    staging: rtl8712: unterminated string leads to read overflow
    
    commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream.
    
    The memdup_user() function does not necessarily return a NUL terminated
    string so this can lead to a read overflow.  Switch from memdup_user()
    to strndup_user() to fix this bug.
    
    Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 33cdc63f0e07abf637ba326b6016731be958088d
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Mar 5 11:58:03 2021 +0300

    staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
    
    commit 74b6b20df8cfe90ada777d621b54c32e69e27cd7 upstream.
    
    This code has a check to prevent read overflow but it needs another
    check to prevent writing beyond the end of the ->ssid[] array.
    
    Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YEHymwsnHewzoam7@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6f7815d623c117ee44d109c52f7679bbc1daeb15
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Mar 5 11:12:49 2021 +0300

    staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
    
    commit 87107518d7a93fec6cdb2559588862afeee800fb upstream.
    
    We need to cap len at IW_ESSID_MAX_SIZE (32) to avoid memory corruption.
    This can be controlled by the user via the ioctl.
    
    Fixes: 5f53d8ca3d5d ("Staging: add rtl8192SU wireless usb driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/YEHoAWMOSZBUw91F@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 68b55e874ae8df7a43debc8cfceed5819b739a83
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:30 2021 -0700

    usbip: fix vhci_hcd attach_store() races leading to gpf
    
    commit 718ad9693e3656120064b715fe931f43a6201e67 upstream.
    
    attach_store() is invoked when user requests import (attach) a device
    from usbip host.
    
    Attach and detach are governed by local state and shared state
    - Shared state (usbip device status) - Device status is used to manage
      the attach and detach operations on import-able devices.
    - Local state (tcp_socket, rx and tx thread task_struct ptrs)
      A valid tcp_socket controls rx and tx thread operations while the
      device is in exported state.
    - Device has to be in the right state to be attached and detached.
    
    Attach sequence includes validating the socket and creating receive (rx)
    and transmit (tx) threads to talk to the host to get access to the
    imported device. rx and tx threads depends on local and shared state to
    be correct and in sync.
    
    Detach sequence shuts the socket down and stops the rx and tx threads.
    Detach sequence relies on local and shared states to be in sync.
    
    There are races in updating the local and shared status in the current
    attach sequence resulting in crashes. These stem from starting rx and
    tx threads before local and global state is updated correctly to be in
    sync.
    
    1. Doesn't handle kthread_create() error and saves invalid ptr in local
       state that drives rx and tx threads.
    2. Updates tcp_socket and sockfd,  starts stub_rx and stub_tx threads
       before updating usbip_device status to VDEV_ST_NOTASSIGNED. This opens
       up a race condition between the threads, port connect, and detach
       handling.
    
    Fix the above problems:
    - Stop using kthread_get_run() macro to create/start threads.
    - Create threads and get task struct reference.
    - Add kthread_create() failure handling and bail out.
    - Hold vhci and usbip_device locks to update local and shared states after
      creating rx and tx threads.
    - Update usbip_device status to VDEV_ST_NOTASSIGNED.
    - Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx
    - Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx,
      and status) is complete.
    
    Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
    kthread_get_run() improper error handling problem and others. This is
    hard problem to find and debug since the races aren't seen in a normal
    case. Fuzzing forces the race window to be small enough for the
    kthread_get_run() error path bug and starting threads before updating the
    local and shared state bug in the attach sequence.
    - Update usbip_device tcp_rx and tcp_tx pointers holding vhci and
      usbip_device locks.
    
    Tested with syzbot reproducer:
    - https://syzkaller.appspot.com/text?tag=ReproC&x=14801034d00000
    
    Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+95ce4b142579611ef0a9@syzkaller.appspotmail.com>
    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/bb434bd5d7a64fbec38b5ecfb838a6baef6eb12b.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 04f879ba79b056041972122c1dc597b79d2464e5
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:29 2021 -0700

    usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
    
    commit 9380afd6df70e24eacbdbde33afc6a3950965d22 upstream.
    
    usbip_sockfd_store() is invoked when user requests attach (import)
    detach (unimport) usb device from usbip host. vhci_hcd sends import
    request and usbip_sockfd_store() exports the device if it is free
    for export.
    
    Export and unexport are governed by local state and shared state
    - Shared state (usbip device status, sockfd) - sockfd and Device
      status are used to determine if stub should be brought up or shut
      down.
    - Local state (tcp_socket, rx and tx thread task_struct ptrs)
      A valid tcp_socket controls rx and tx thread operations while the
      device is in exported state.
    - While the device is exported, device status is marked used and socket,
      sockfd, and thread pointers are valid.
    
    Export sequence (stub-up) includes validating the socket and creating
    receive (rx) and transmit (tx) threads to talk to the client to provide
    access to the exported device. rx and tx threads depends on local and
    shared state to be correct and in sync.
    
    Unexport (stub-down) sequence shuts the socket down and stops the rx and
    tx threads. Stub-down sequence relies on local and shared states to be
    in sync.
    
    There are races in updating the local and shared status in the current
    stub-up sequence resulting in crashes. These stem from starting rx and
    tx threads before local and global state is updated correctly to be in
    sync.
    
    1. Doesn't handle kthread_create() error and saves invalid ptr in local
       state that drives rx and tx threads.
    2. Updates tcp_socket and sockfd,  starts stub_rx and stub_tx threads
       before updating usbip_device status to SDEV_ST_USED. This opens up a
       race condition between the threads and usbip_sockfd_store() stub up
       and down handling.
    
    Fix the above problems:
    - Stop using kthread_get_run() macro to create/start threads.
    - Create threads and get task struct reference.
    - Add kthread_create() failure handling and bail out.
    - Hold usbip_device lock to update local and shared states after
      creating rx and tx threads.
    - Update usbip_device status to SDEV_ST_USED.
    - Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx
    - Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx,
      and status) is complete.
    
    Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
    kthread_get_run() improper error handling problem and others. This is a
    hard problem to find and debug since the races aren't seen in a normal
    case. Fuzzing forces the race window to be small enough for the
    kthread_get_run() error path bug and starting threads before updating the
    local and shared state bug in the stub-up sequence.
    
    Tested with syzbot reproducer:
    - https://syzkaller.appspot.com/text?tag=ReproC&x=14801034d00000
    
    Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+95ce4b142579611ef0a9@syzkaller.appspotmail.com>
    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/268a0668144d5ff36ec7d87fdfa90faf583b7ccc.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 66ea0d31eec230385c0fc19f5abe26d9d49e0a0a
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:28 2021 -0700

    usbip: fix vudc to check for stream socket
    
    commit 6801854be94fe8819b3894979875ea31482f5658 upstream.
    
    Fix usbip_sockfd_store() to validate the passed in file descriptor is
    a stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
    sock_recvmsg() can't detect end of stream.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/387a670316002324113ac7ea1e8b53f4085d0c95.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2aa95d91da76815a1166add7601f325ed320e2f2
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:27 2021 -0700

    usbip: fix vhci_hcd to check for stream socket
    
    commit f55a0571690c4aae03180e001522538c0927432f upstream.
    
    Fix attach_store() to validate the passed in file descriptor is a
    stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
    sock_recvmsg() can't detect end of stream.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/52712aa308915bda02cece1589e04ee8b401d1f3.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 83d4495d63d70604444c1d817e793efecc46af2a
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Sun Mar 7 20:53:26 2021 -0700

    usbip: fix stub_dev to check for stream socket
    
    commit 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 upstream.
    
    Fix usbip_sockfd_store() to validate the passed in file descriptor is
    a stream socket. If the file descriptor passed was a SOCK_DGRAM socket,
    sock_recvmsg() can't detect end of stream.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/e942d2bd03afb8e8552bd2a5d84e18d17670d521.1615171203.git.skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 838096b2c07f8244738e26615645b91ccfb66ae5
Author: Sebastian Reichel <sebastian.reichel@collabora.com>
Date:   Tue Feb 23 17:44:18 2021 +0100

    USB: serial: cp210x: add some more GE USB IDs
    
    commit 42213a0190b535093a604945db05a4225bf43885 upstream.
    
    GE CS1000 has some more custom USB IDs for CP2102N; add them
    to the driver to have working auto-probing.
    
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6f6cc57b02882a6d62a982716db80f4290d938d5
Author: Karan Singhal <karan.singhal@acuitybrands.com>
Date:   Tue Feb 16 11:03:10 2021 -0500

    USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter
    
    commit ca667a33207daeaf9c62b106815728718def60ec upstream.
    
    IDs of nLight Air Adapter, Acuity Brands, Inc.:
    vid: 10c4
    pid: 88d8
    
    Signed-off-by: Karan Singhal <karan.singhal@acuitybrands.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a21bbd853bec1df64c919f90d5463ae60af9ff47
Author: Niv Sardi <xaiki@evilgiggle.com>
Date:   Mon Mar 1 17:16:12 2021 -0300

    USB: serial: ch341: add new Product ID
    
    commit 5563b3b6420362c8a1f468ca04afe6d5f0a8d0a3 upstream.
    
    Add PID for CH340 that's found on cheap programmers.
    
    The driver works flawlessly as soon as the new PID (0x9986) is added to it.
    These look like ANU232MI but ship with a ch341 inside. They have no special
    identifiers (mine only has the string "DB9D20130716" printed on the PCB and
    nothing identifiable on the packaging. The merchant i bought it from
    doesn't sell these anymore).
    
    the lsusb -v output is:
    Bus 001 Device 009: ID 9986:7523
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               1.10
      bDeviceClass          255 Vendor Specific Class
      bDeviceSubClass         0
      bDeviceProtocol         0
      bMaxPacketSize0         8
      idVendor           0x9986
      idProduct          0x7523
      bcdDevice            2.54
      iManufacturer           0
      iProduct                0
      iSerial                 0
      bNumConfigurations      1
      Configuration Descriptor:
        bLength                 9
        bDescriptorType         2
        wTotalLength       0x0027
        bNumInterfaces          1
        bConfigurationValue     1
        iConfiguration          0
        bmAttributes         0x80
          (Bus Powered)
        MaxPower               96mA
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        0
          bAlternateSetting       0
          bNumEndpoints           3
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass      1
          bInterfaceProtocol      2
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x82  EP 2 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0020  1x 32 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x02  EP 2 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0020  1x 32 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x81  EP 1 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0008  1x 8 bytes
            bInterval               1
    
    Signed-off-by: Niv Sardi <xaiki@evilgiggle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1e6d1e8593e7ad0f1ccacf3c626e0603b91daec8
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Tue Mar 2 02:01:52 2021 +0300

    USB: serial: io_edgeport: fix memory leak in edge_startup
    
    commit cfdc67acc785e01a8719eeb7012709d245564701 upstream.
    
    sysbot found memory leak in edge_startup().
    The problem was that when an error was received from the usb_submit_urb(),
    nothing was cleaned up.
    
    Reported-by: syzbot+59f777bdcbdd7eea5305@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
    Cc: stable@vger.kernel.org      # 2.6.21: c5c0c55598ce
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e624b1db4672a18e65a42b47aadb6c622a2a015
Author: Forest Crossman <cyrozap@gmail.com>
Date:   Thu Mar 11 13:53:52 2021 +0200

    usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing
    
    commit b71c669ad8390dd1c866298319ff89fe68b45653 upstream.
    
    I've confirmed that both the ASMedia ASM1042A and ASM3242 have the same
    problem as the ASM1142 and ASM2142/ASM3142, where they lose some of the
    upper bits of 64-bit DMA addresses. As with the other chips, this can
    cause problems on systems where the upper bits matter, and adding the
    XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Forest Crossman <cyrozap@gmail.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20210311115353.2137560-4-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 061dede8bee0e265123b25856c3307f2e83b5b2c
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Thu Mar 11 13:53:51 2021 +0200

    xhci: Improve detection of device initiated wake signal.
    
    commit 253f588c70f66184b1f3a9bbb428b49bbda73e80 upstream.
    
    A xHC USB 3 port might miss the first wake signal from a USB 3 device
    if the port LFPS reveiver isn't enabled fast enough after xHC resume.
    
    xHC host will anyway be resumed by a PME# signal, but will go back to
    suspend if no port activity is seen.
    The device resends the U3 LFPS wake signal after a 100ms delay, but
    by then host is already suspended, starting all over from the
    beginning of this issue.
    
    USB 3 specs say U3 wake LFPS signal is sent for max 10ms, then device
    needs to delay 100ms before resending the wake.
    
    Don't suspend immediately if port activity isn't detected in resume.
    Instead add a retry. If there is no port activity then delay for 120ms,
    and re-check for port activity.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20210311115353.2137560-3-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 892d0f41ff40d0dcf00766468afe691a29320a47
Author: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Date:   Mon Mar 8 10:55:38 2021 +0900

    usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM
    
    commit b1d25e6ee57c2605845595b6c61340d734253eb3 upstream.
    
    According to the datasheet, this controller has a restriction
    which "set an endpoint number so that combinations of the DIR bit and
    the EPNUM bits do not overlap.". However, since the udc core driver is
    possible to assign a bulk pipe as an interrupt endpoint, an endpoint
    number may not match the pipe number. After that, when user rebinds
    another gadget driver, this driver broke the restriction because
    the driver didn't clear any configuration in usb_ep_disable().
    
    Example:
     # modprobe g_ncm
     Then, EP3 = pipe 3, EP4 = pipe 4, EP5 = pipe 6
     # rmmod g_ncm
     # modprobe g_hid
     Then, EP3 = pipe 6, EP4 = pipe 7.
     So, pipe 3 and pipe 6 are set as EP3.
    
    So, clear PIPECFG register in usbhs_pipe_free().
    
    Fixes: dfb87b8bfe09 ("usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    Link: https://lore.kernel.org/r/1615168538-26101-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 82cb52786bb6e18b20e3e5aa4bb0e547cb852f2a
Author: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Date:   Mon Mar 1 13:49:32 2021 +0200

    usb: gadget: f_uac1: stop playback on function disable
    
    commit cc2ac63d4cf72104e0e7f58bb846121f0f51bb19 upstream.
    
    There is missing playback stop/cleanup in case of
    gadget's ->disable callback that happens on
    events like USB host resetting or gadget disconnection
    
    Fixes: 0591bc236015 ("usb: gadget: add f_uac1 variant based on a new u_audio api")
    Cc: <stable@vger.kernel.org> # 4.13+
    Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
    Link: https://lore.kernel.org/r/1614599375-8803-3-git-send-email-ruslan.bilovol@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 45ea7e161b206257b3712d537a9f18bc75c89724
Author: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Date:   Mon Mar 1 13:49:31 2021 +0200

    usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot
    
    commit 789ea77310f0200c84002884ffd628e2baf3ad8a upstream.
    
    As per UAC2 Audio Data Formats spec (2.3.1.1 USB Packets),
    if the sampling rate is a constant, the allowable variation
    of number of audio slots per virtual frame is +/- 1 audio slot.
    
    It means that endpoint should be able to accept/send +1 audio
    slot.
    
    Previous endpoint max_packet_size calculation code
    was adding sometimes +1 audio slot due to DIV_ROUND_UP
    behaviour which was rounding up to closest integer.
    However this doesn't work if the numbers are divisible.
    
    It had no any impact with Linux hosts which ignore
    this issue, but in case of more strict Windows it
    caused rejected enumeration
    
    Thus always add +1 audio slot to endpoint's max packet size
    
    Fixes: 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth")
    Cc: Peter Chen <peter.chen@freescale.com>
    Cc: <stable@vger.kernel.org> #v4.3+
    Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
    Link: https://lore.kernel.org/r/1614599375-8803-2-git-send-email-ruslan.bilovol@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a73840c8f354079680b4b849b68c1ad2d79d52f6
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Feb 15 15:57:16 2021 +0000

    USB: gadget: u_ether: Fix a configfs return code
    
    commit 650bf52208d804ad5ee449c58102f8dc43175573 upstream.
    
    If the string is invalid, this should return -EINVAL instead of 0.
    
    Fixes: 73517cf49bd4 ("usb: gadget: add RNDIS configfs options for class/subclass/protocol")
    Cc: stable <stable@vger.kernel.org>
    Acked-by: Lorenzo Colitti <lorenzo@google.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Link: https://lore.kernel.org/r/YCqZ3P53yyIg5cn7@mwanda
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ebcbbc55925e58421483e792105521988d24994f
Author: Yorick de Wid <ydewid@gmail.com>
Date:   Sat Feb 13 15:49:02 2021 +0100

    Goodix Fingerprint device is not a modem
    
    commit 4d8654e81db7346f915eca9f1aff18f385cab621 upstream.
    
    The CDC ACM driver is false matching the Goodix Fingerprint device
    against the USB_CDC_ACM_PROTO_AT_V25TER.
    
    The Goodix Fingerprint device is a biometrics sensor that should be
    handled in user-space. libfprint has some support for Goodix
    fingerprint sensors, although not for this particular one. It is
    possible that the vendor allocates a PID per OEM (Lenovo, Dell etc).
    If this happens to be the case then more devices from the same vendor
    could potentially match the ACM modem module table.
    
    Signed-off-by: Yorick de Wid <ydewid@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210213144901.53199-1-ydewid@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 90c58a548d3a93c11e8aac5a0f609a090bbc9c29
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Wed Mar 3 11:26:14 2021 +0200

    mmc: core: Fix partition switch time for eMMC
    
    commit 66fbacccbab91e6e55d9c8f1fc0910a8eb6c81f7 upstream.
    
    Avoid the following warning by always defining partition switch time:
    
     [    3.209874] mmc1: unspecified timeout for CMD6 - use generic
     [    3.222780] ------------[ cut here ]------------
     [    3.233363] WARNING: CPU: 1 PID: 111 at drivers/mmc/core/mmc_ops.c:575 __mmc_switch+0x200/0x204
    
    Reported-by: Paul Fertser <fercerpav@gmail.com>
    Fixes: 1c447116d017 ("mmc: mmc: Fix partition switch timeout for some eMMCs")
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/168bbfd6-0c5b-5ace-ab41-402e7937c46e@intel.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ce9c0b414ed1a95734cb2489587f5ffd38cd554
Author: Stefan Haberland <sth@linux.ibm.com>
Date:   Fri Mar 5 13:54:39 2021 +0100

    s390/dasd: fix hanging IO request during DASD driver unbind
    
    commit 66f669a272898feb1c69b770e1504aa2ec7723d1 upstream.
    
    Prevent that an IO request is build during device shutdown initiated by
    a driver unbind. This request will never be able to be processed or
    canceled and will hang forever. This will lead also to a hanging unbind.
    
    Fix by checking not only if the device is in READY state but also check
    that there is no device offline initiated before building a new IO request.
    
    Fixes: e443343e509a ("s390/dasd: blk-mq conversion")
    
    Cc: <stable@vger.kernel.org> # v4.14+
    Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
    Tested-by: Bjoern Walk <bwalk@linux.ibm.com>
    Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3bf1f5e9d776b4840dc9db315c8a02c46cb019f9
Author: Stefan Haberland <sth@linux.ibm.com>
Date:   Fri Mar 5 13:54:38 2021 +0100

    s390/dasd: fix hanging DASD driver unbind
    
    commit 7d365bd0bff3c0310c39ebaffc9a8458e036d666 upstream.
    
    In case of an unbind of the DASD device driver the function
    dasd_generic_remove() is called which shuts down the device.
    Among others this functions removes the int_handler from the cdev.
    During shutdown the device cancels all outstanding IO requests and waits
    for completion of the clear request.
    Unfortunately the clear interrupt will never be received when there is no
    interrupt handler connected.
    
    Fix by moving the int_handler removal after the call to the state machine
    where no request or interrupt is outstanding.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
    Tested-by: Bjoern Walk <bwalk@linux.ibm.com>
    Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f95ea27037e279d51d1d515c4dd3bc59198eb88a
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Mar 12 15:07:09 2021 -0600

    Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")
    
    commit 3b0c2d3eaa83da259d7726192cf55a137769012f upstream.
    
    It turns out that there are in fact userspace implementations that
    care and this recent change caused a regression.
    
    https://github.com/containers/buildah/issues/3071
    
    As the motivation for the original change was future development,
    and the impact is existing real world code just revert this change
    and allow the ambiguity in v3 file caps.
    
    Cc: stable@vger.kernel.org
    Fixes: 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f3a8be52784e8cf8ae2fd7ab07cd02d2f4fc176b
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Mar 4 09:30:21 2021 +0100

    ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar
    
    commit fec60c3bc5d1713db2727cdffc638d48f9c07dc3 upstream.
    
    Dell AE515 sound bar (413c:a506) spews the error messages when the
    driver tries to read the current sample frequency, hence it needs to
    be on the list in snd_usb_get_sample_rate_quirk().
    
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211551
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210304083021.2152-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 295954c30e725d50a532a34929b591ec8dd3989a
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Mar 10 12:28:08 2021 +0100

    ALSA: hda: Avoid spurious unsol event handling during S3/S4
    
    commit 5ff9dde42e8c72ed8102eb8cb62e03f9dc2103ab upstream.
    
    When HD-audio bus receives unsolicited events during its system
    suspend/resume (S3 and S4) phase, the controller driver may still try
    to process events although the codec chips are already (or yet)
    powered down.  This might screw up the codec communication, resulting
    in CORB/RIRB errors.  Such events should be rather skipped, as the
    codec chip status such as the jack status will be fully refreshed at
    the system resume time.
    
    Since we're tracking the system suspend/resume state in codec
    power.power_state field, let's add the check in the common unsol event
    handler entry point to filter out such events.
    
    BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1182377
    Tested-by: Abhishek Sahu <abhsahu@nvidia.com>
    Cc: <stable@vger.kernel.org> # 183ab39eb0ea: ALSA: hda: Initialize power_state
    Link: https://lore.kernel.org/r/20210310112809.9215-3-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 51123fd6324ebd421deb1f6741fb355652cf1426
Author: Takashi Iwai <tiwai@suse.de>
Date:   Mon Mar 8 17:07:26 2021 +0100

    ALSA: hda: Drop the BATCH workaround for AMD controllers
    
    commit 28e96c1693ec1cdc963807611f8b5ad400431e82 upstream.
    
    The commit c02f77d32d2c ("ALSA: hda - Workaround for crackled sound on
    AMD controller (1022:1457)") introduced a few workarounds for the
    recent AMD HD-audio controller, and one of them is the forced BATCH
    PCM mode so that PulseAudio avoids the timer-based scheduling.  This
    was thought to cover for some badly working applications, but this
    actually worsens for more others.  In total, this wasn't a good idea
    to enforce it.
    
    This is a partial revert of the commit above for dropping the PCM
    BATCH enforcement part to recover from the regression again.
    
    Fixes: c02f77d32d2c ("ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)")
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210308160726.22930-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cb03a7a0138b6aef3aa9cc1d9971e6d701df96aa
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Mar 10 12:28:09 2021 +0100

    ALSA: hda/hdmi: Cancel pending works before suspend
    
    commit eea46a0879bcca23e15071f9968c0f6e6596e470 upstream.
    
    The per_pin->work might be still floating at the suspend, and this may
    hit the access to the hardware at an unexpected timing.  Cancel the
    work properly at the suspend callback for avoiding the buggy access.
    
    Note that the bug doesn't trigger easily in the recent kernels since
    the work is queued only when the repoll count is set, and usually it's
    only at the resume callback, but it's still possible to hit in
    theory.
    
    BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1182377
    Reported-and-tested-by: Abhishek Sahu <abhsahu@nvidia.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210310112809.9215-4-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e22dc0b3869395e45d9a92ebbb8fb6cc775845cd
Author: Mike Christie <michael.christie@oracle.com>
Date:   Sat Feb 6 22:46:00 2021 -0600

    scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
    
    [ Upstream commit d28d48c699779973ab9a3bd0e5acfa112bd4fdef ]
    
    If iscsi_prep_scsi_cmd_pdu() fails we try to add it back to the cmdqueue,
    but we leave it partially setup. We don't have functions that can undo the
    pdu and init task setup. We only have cleanup_task which can clean up both
    parts. So this has us just fail the cmd and go through the standard cleanup
    routine and then have the SCSI midlayer retry it like is done when it fails
    in the queuecommand path.
    
    Link: https://lore.kernel.org/r/20210207044608.27585-2-michael.christie@oracle.com
    Reviewed-by: Lee Duncan <lduncan@suse.com>
    Signed-off-by: Mike Christie <michael.christie@oracle.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 30b560866423aee60d1314532dec9eb5813920db
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Wed Feb 17 07:13:02 2021 +0100

    s390/smp: __smp_rescan_cpus() - move cpumask away from stack
    
    [ Upstream commit 62c8dca9e194326802b43c60763f856d782b225c ]
    
    Avoid a potentially large stack frame and overflow by making
    "cpumask_t avail" a static variable. There is no concurrent
    access due to the existing locking.
    
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a5bf6afe74dd7506ff7fd131fa301f3b8aa205ba
Author: Krzysztof Wilczyński <kw@linux.com>
Date:   Wed Jan 20 18:48:10 2021 +0000

    PCI: mediatek: Add missing of_node_put() to fix reference leak
    
    [ Upstream commit 42814c438aac79746d310f413a27d5b0b959c5de ]
    
    The for_each_available_child_of_node helper internally makes use of the
    of_get_next_available_child() which performs an of_node_get() on each
    iteration when searching for next available child node.
    
    Should an available child node be found, then it would return a device
    node pointer with reference count incremented, thus early return from
    the middle of the loop requires an explicit of_node_put() to prevent
    reference count leak.
    
    To stop the reference leak, explicitly call of_node_put() before
    returning after an error occurred.
    
    Link: https://lore.kernel.org/r/20210120184810.3068794-1-kw@linux.com
    Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1d706778b4ec6e41b7cbf0e2894fbe57c552ce47
Author: Martin Kaiser <martin@kaiser.cx>
Date:   Fri Jan 15 22:24:35 2021 +0100

    PCI: xgene-msi: Fix race in installing chained irq handler
    
    [ Upstream commit a93c00e5f975f23592895b7e83f35de2d36b7633 ]
    
    Fix a race where a pending interrupt could be received and the handler
    called before the handler's data has been setup, by converting to
    irq_set_chained_handler_and_data().
    
    See also 2cf5a03cb29d ("PCI/keystone: Fix race in installing chained IRQ
    handler").
    
    Based on the mail discussion, it seems ok to drop the error handling.
    
    Link: https://lore.kernel.org/r/20210115212435.19940-3-martin@kaiser.cx
    Signed-off-by: Martin Kaiser <martin@kaiser.cx>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3bfe2efebead140ae3e724c3c7087224f812ab37
Author: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Date:   Fri Feb 5 04:14:52 2021 -0500

    powerpc/perf: Record counter overflow always if SAMPLE_IP is unset
    
    [ Upstream commit d137845c973147a22622cc76c7b0bc16f6206323 ]
    
    While sampling for marked events, currently we record the sample only
    if the SIAR valid bit of Sampled Instruction Event Register (SIER) is
    set. SIAR_VALID bit is used for fetching the instruction address from
    Sampled Instruction Address Register(SIAR). But there are some
    usecases, where the user is interested only in the PMU stats at each
    counter overflow and the exact IP of the overflow event is not
    required. Dropping SIAR invalid samples will fail to record some of
    the counter overflows in such cases.
    
    Example of such usecase is dumping the PMU stats (event counts) after
    some regular amount of instructions/events from the userspace (ex: via
    ptrace). Here counter overflow is indicated to userspace via signal
    handler, and captured by monitoring and enabling I/O signaling on the
    event file descriptor. In these cases, we expect to get
    sample/overflow indication after each specified sample_period.
    
    Perf event attribute will not have PERF_SAMPLE_IP set in the
    sample_type if exact IP of the overflow event is not requested. So
    while profiling if SAMPLE_IP is not set, just record the counter
    overflow irrespective of SIAR_VALID check.
    
    Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    [mpe: Reflow comment and if formatting]
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/1612516492-1428-1-git-send-email-atrajeev@linux.vnet.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 282ae0b08d8628481a6cbb86b7a90ea863a3988a
Author: Nicholas Piggin <npiggin@gmail.com>
Date:   Sat Jan 30 23:08:35 2021 +1000

    powerpc: improve handling of unrecoverable system reset
    
    [ Upstream commit 11cb0a25f71818ca7ab4856548ecfd83c169aa4d ]
    
    If an unrecoverable system reset hits in process context, the system
    does not have to panic. Similar to machine check, call nmi_exit()
    before die().
    
    Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20210130130852.2952424-26-npiggin@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6a0734c88395faa99f97f6bc398da8fd0267f661
Author: Chaotian Jing <chaotian.jing@mediatek.com>
Date:   Fri Dec 18 15:16:11 2020 +0800

    mmc: mediatek: fix race condition between msdc_request_timeout and irq
    
    [ Upstream commit 0354ca6edd464a2cf332f390581977b8699ed081 ]
    
    when get request SW timeout, if CMD/DAT xfer done irq coming right now,
    then there is race between the msdc_request_timeout work and irq handler,
    and the host->cmd and host->data may set to NULL in irq handler. also,
    current flow ensure that only one path can go to msdc_request_done(), so
    no need check the return value of cancel_delayed_work().
    
    Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
    Link: https://lore.kernel.org/r/20201218071611.12276-1-chaotian.jing@mediatek.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e24109bf5fcb784e18b3e69f938fcd2dd195d07c
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Tue Dec 8 21:35:27 2020 +0100

    mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()'
    
    [ Upstream commit 0bb7e560f821c7770973a94e346654c4bdccd42c ]
    
    If 'mmc_of_parse()' fails, we must undo the previous 'dma_request_chan()'
    call.
    
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/20201208203527.49262-1-christophe.jaillet@wanadoo.fr
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9a0c8402fd341b6e4f87b6f049dd0bd2f6fafe03
Author: Steven J. Magnani <magnani@ieee.org>
Date:   Thu Jan 7 17:41:16 2021 -0600

    udf: fix silent AED tagLocation corruption
    
    [ Upstream commit 63c9e47a1642fc817654a1bc18a6ec4bbcc0f056 ]
    
    When extending a file, udf_do_extend_file() may enter following empty
    indirect extent. At the end of udf_do_extend_file() we revert prev_epos
    to point to the last written extent. However if we end up not adding any
    further extent in udf_do_extend_file(), the reverting points prev_epos
    into the header area of the AED and following updates of the extents
    (in udf_update_extents()) will corrupt the header.
    
    Make sure that we do not follow indirect extent if we are not going to
    add any more extents so that returning back to the last written extent
    works correctly.
    
    Link: https://lore.kernel.org/r/20210107234116.6190-2-magnani@ieee.org
    Signed-off-by: Steven J. Magnani <magnani@ieee.org>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 75593df99b8af54a2028e14da1584a5d748deec2
Author: Guangbin Huang <huangguangbin2@huawei.com>
Date:   Sat Feb 27 11:05:58 2021 +0800

    net: phy: fix save wrong speed and duplex problem if autoneg is on
    
    [ Upstream commit d9032dba5a2b2bbf0fdce67c8795300ec9923b43 ]
    
    If phy uses generic driver and autoneg is on, enter command
    "ethtool -s eth0 speed 50" will not change phy speed actually, but
    command "ethtool eth0" shows speed is 50Mb/s because phydev->speed
    has been set to 50 and no update later.
    
    And duplex setting has same problem too.
    
    However, if autoneg is on, phy only changes speed and duplex according to
    phydev->advertising, but not phydev->speed and phydev->duplex. So in this
    case, phydev->speed and phydev->duplex don't need to be set in function
    phy_ethtool_ksettings_set() if autoneg is on.
    
    Fixes: 51e2a3846eab ("PHY: Avoid unnecessary aneg restarts")
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f197ef408f31db886cab97ad83a086210fd6db13
Author: Maxim Mikityanskiy <maxtram95@gmail.com>
Date:   Fri Feb 5 23:51:39 2021 +0100

    media: usbtv: Fix deadlock on suspend
    
    commit 8a7e27fd5cd696ba564a3f62cedef7269cfd0723 upstream.
    
    usbtv doesn't support power management, so on system suspend the
    .disconnect callback of the driver is called. The teardown sequence
    includes a call to snd_card_free. Its implementation waits until the
    refcount of the sound card device drops to zero, however, if its file is
    open, snd_card_file_add takes a reference, which can't be dropped during
    the suspend, because the userspace processes are already frozen at this
    point. snd_card_free waits for completion forever, leading to a hang on
    suspend.
    
    This commit fixes this deadlock condition by replacing snd_card_free
    with snd_card_free_when_closed, that doesn't wait until all references
    are released, allowing suspend to progress.
    
    Fixes: 63ddf68de52e ("[media] usbtv: add audio support")
    Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce8235bcf1f77d9a7d7467163d184062c64e3417
Author: Eric Farman <farman@linux.ibm.com>
Date:   Mon Mar 1 19:33:24 2021 +0100

    s390/cio: return -EFAULT if copy_to_user() fails
    
    commit d9c48a948d29bcb22f4fe61a81b718ef6de561a0 upstream.
    
    Fixes: 120e214e504f ("vfio: ccw: realize VFIO_DEVICE_G(S)ET_IRQ_INFO ioctls")
    Signed-off-by: Eric Farman <farman@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a5160cc8488776ddc48ea045860dab015f47390
Author: Artem Lapkin <art@khadas.com>
Date:   Tue Mar 2 12:22:02 2021 +0800

    drm: meson_drv add shutdown function
    
    commit fa0c16caf3d73ab4d2e5d6fa2ef2394dbec91791 upstream.
    
    Problem: random stucks on reboot stage about 1/20 stuck/reboots
    // debug kernel log
    [    4.496660] reboot: kernel restart prepare CMD:(null)
    [    4.498114] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown begin
    [    4.503949] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown domain 0:VPU...
    ...STUCK...
    
    Solution: add shutdown function to meson_drm driver
    // debug kernel log
    [    5.231896] reboot: kernel restart prepare CMD:(null)
    [    5.246135] [drm:meson_drv_shutdown]
    ...
    [    5.259271] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown begin
    [    5.274688] meson_ee_pwrc c883c000.system-controller:power-controller: shutdown domain 0:VPU...
    [    5.338331] reboot: Restarting system
    [    5.358293] psci: PSCI_0_2_FN_SYSTEM_RESET reboot_mode:0 cmd:(null)
    bl31 reboot reason: 0xd
    bl31 reboot reason: 0x0
    system cmd  1.
    ...REBOOT...
    
    Tested: on VIM1 VIM2 VIM3 VIM3L khadas sbcs - 1000+ successful reboots
    and Odroid boards, WeTek Play2 (GXBB)
    
    Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
    Signed-off-by: Artem Lapkin <art@khadas.com>
    Tested-by: Christian Hewitt <christianshewitt@gmail.com>
    Acked-by: Neil Armstrong <narmstrong@baylibre.com>
    Acked-by: Kevin Hilman <khilman@baylibre.com>
    Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210302042202.3728113-1-art@khadas.com
    Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit beefac3c93bcc67208bad9f5e851204a7d7682b6
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Mon Feb 22 11:06:43 2021 +0100

    drm/compat: Clear bounce structures
    
    commit de066e116306baf3a6a62691ac63cfc0b1dabddb upstream.
    
    Some of them have gaps, or fields we don't clear. Native ioctl code
    does full copies plus zero-extends on size mismatch, so nothing can
    leak. But compat is more hand-rolled so need to be careful.
    
    None of these matter for performance, so just memset.
    
    Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those
    are security holes anyway.
    
    Acked-by: Maxime Ripard <mripard@kernel.org>
    Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl
    Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch
    (cherry picked from commit e926c474ebee404441c838d18224cd6f246a71b7)
    Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 87515f38983d913cf196f0fadf2bef7f9dd4f84e
Author: Wang Qing <wangqing@vivo.com>
Date:   Mon Mar 1 20:01:33 2021 +0800

    s390/cio: return -EFAULT if copy_to_user() fails again
    
    commit 51c44babdc19aaf882e1213325a0ba291573308f upstream.
    
    The copy_to_user() function returns the number of bytes remaining to be
    copied, but we want to return -EFAULT if the copy doesn't complete.
    
    Fixes: e01bcdd61320 ("vfio: ccw: realize VFIO_DEVICE_GET_REGION_INFO ioctl")
    Signed-off-by: Wang Qing <wangqing@vivo.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Link: https://lore.kernel.org/r/1614600093-13992-1-git-send-email-wangqing@vivo.com
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f5e60f4b4eebc34382664e8c8287bd81b5a27b5b
Author: Ian Rogers <irogers@google.com>
Date:   Fri Feb 26 14:14:31 2021 -0800

    perf traceevent: Ensure read cmdlines are null terminated.
    
    commit 137a5258939aca56558f3a23eb229b9c4b293917 upstream.
    
    Issue detected by address sanitizer.
    
    Fixes: cd4ceb63438e9e28 ("perf util: Save pid-cmdline mapping into tracing header")
    Signed-off-by: Ian Rogers <irogers@google.com>
    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Link: http://lore.kernel.org/lkml/20210226221431.1985458-1-irogers@google.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f39592bc29e39102917b2de9e5ad770bb6d654cf
Author: Joakim Zhang <qiangqing.zhang@nxp.com>
Date:   Thu Feb 25 17:01:10 2021 +0800

    net: stmmac: stop each tx channel independently
    
    commit a3e860a83397bf761ec1128a3f0ba186445992c6 upstream.
    
    If clear GMAC_CONFIG_TE bit, it would stop all tx channels, but users
    may only want to stop specific tx channel.
    
    Fixes: 48863ce5940f ("stmmac: add DMA support for GMAC 4.xx")
    Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c49181c201d434186ca6b1a7b52e29f4169f6f8
Author: Paul Cercueil <paul@crapouillou.net>
Date:   Sun Mar 7 13:17:48 2021 +0000

    net: davicom: Fix regulator not turned off on driver removal
    
    commit cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b upstream.
    
    We must disable the regulator that was enabled in the probe function.
    
    Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000")
    Signed-off-by: Paul Cercueil <paul@crapouillou.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0a66ff03676cc4834878204a0669c9a377b7f2e0
Author: Paul Cercueil <paul@crapouillou.net>
Date:   Sun Mar 7 13:17:47 2021 +0000

    net: davicom: Fix regulator not turned off on failed probe
    
    commit ac88c531a5b38877eba2365a3f28f0c8b513dc33 upstream.
    
    When the probe fails or requests to be defered, we must disable the
    regulator that was previously enabled.
    
    Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000")
    Signed-off-by: Paul Cercueil <paul@crapouillou.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e054e4b54821e2c19b056060ac04a195ad69a7b2
Author: Xie He <xie.he.0141@gmail.com>
Date:   Sun Mar 7 03:33:07 2021 -0800

    net: lapbether: Remove netif_start_queue / netif_stop_queue
    
    commit f7d9d4854519fdf4d45c70a4d953438cd88e7e58 upstream.
    
    For the devices in this driver, the default qdisc is "noqueue",
    because their "tx_queue_len" is 0.
    
    In function "__dev_queue_xmit" in "net/core/dev.c", devices with the
    "noqueue" qdisc are specially handled. Packets are transmitted without
    being queued after a "dev->flags & IFF_UP" check. However, it's possible
    that even if this check succeeds, "ops->ndo_stop" may still have already
    been called. This is because in "__dev_close_many", "ops->ndo_stop" is
    called before clearing the "IFF_UP" flag.
    
    If we call "netif_stop_queue" in "ops->ndo_stop", then it's possible in
    "__dev_queue_xmit", it sees the "IFF_UP" flag is present, and then it
    checks "netif_xmit_stopped" and finds that the queue is already stopped.
    In this case, it will complain that:
    "Virtual device ... asks to queue packet!"
    
    To prevent "__dev_queue_xmit" from generating this complaint, we should
    not call "netif_stop_queue" in "ops->ndo_stop".
    
    We also don't need to call "netif_start_queue" in "ops->ndo_open",
    because after a netdev is allocated and registered, the
    "__QUEUE_STATE_DRV_XOFF" flag is initially not set, so there is no need
    to call "netif_start_queue" to clear it.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Xie He <xie.he.0141@gmail.com>
    Acked-by: Martin Schiller <ms@dev.tdt.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ab44f7317c16ddcf9ee12ba2aca60771266c2dc6
Author: Paul Moore <paul@paul-moore.com>
Date:   Thu Mar 4 16:29:51 2021 -0500

    cipso,calipso: resolve a number of problems with the DOI refcounts
    
    commit ad5d07f4a9cd671233ae20983848874731102c08 upstream.
    
    The current CIPSO and CALIPSO refcounting scheme for the DOI
    definitions is a bit flawed in that we:
    
    1. Don't correctly match gets/puts in netlbl_cipsov4_list().
    2. Decrement the refcount on each attempt to remove the DOI from the
       DOI list, only removing it from the list once the refcount drops
       to zero.
    
    This patch fixes these problems by adding the missing "puts" to
    netlbl_cipsov4_list() and introduces a more conventional, i.e.
    not-buggy, refcounting mechanism to the DOI definitions.  Upon the
    addition of a DOI to the DOI list, it is initialized with a refcount
    of one, removing a DOI from the list removes it from the list and
    drops the refcount by one; "gets" and "puts" behave as expected with
    respect to refcounts, increasing and decreasing the DOI's refcount by
    one.
    
    Fixes: b1edeb102397 ("netlabel: Replace protocol/NetLabel linking with refrerence counts")
    Fixes: d7cce01504a0 ("netlabel: Add support for removing a CALIPSO DOI.")
    Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1735f75ada2ce7f671c33211a90eae89030f644d
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Thu Mar 4 14:15:13 2021 +0100

    net: usb: qmi_wwan: allow qmimux add/del with master up
    
    commit 6c59cff38e66584ae3ac6c2f0cbd8d039c710ba7 upstream.
    
    There's no reason for preventing the creation and removal
    of qmimux network interfaces when the underlying interface
    is up.
    
    This makes qmi_wwan mux implementation more similar to the
    rmnet one, simplifying userspace management of the same
    logical interfaces.
    
    Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
    Reported-by: Aleksander Morgado <aleksander@aleksander.es>
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Acked-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e37189da53b0d8eb15832282dae3af8b11fb970e
Author: Maximilian Heyne <mheyne@amazon.de>
Date:   Thu Mar 4 14:43:17 2021 +0000

    net: sched: avoid duplicates in classes dump
    
    commit bfc2560563586372212b0a8aeca7428975fa91fe upstream.
    
    This is a follow up of commit ea3274695353 ("net: sched: avoid
    duplicates in qdisc dump") which has fixed the issue only for the qdisc
    dump.
    
    The duplicate printing also occurs when dumping the classes via
      tc class show dev eth0
    
    Fixes: 59cc1f61f09c ("net: sched: convert qdisc linked list to hashtable")
    Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f902697c37e8d283e8a46efabe94c4616b1a726
Author: Ong Boon Leong <boon.leong.ong@intel.com>
Date:   Wed Mar 3 20:38:40 2021 +0530

    net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10
    
    commit 879c348c35bb5fb758dd881d8a97409c1862dae8 upstream.
    
    We introduce dwmac410_dma_init_channel() here for both EQoS v4.10 and
    above which use different DMA_CH(n)_Interrupt_Enable bit definitions for
    NIE and AIE.
    
    Fixes: 48863ce5940f ("stmmac: add DMA support for GMAC 4.xx")
    Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
    Signed-off-by: Ramesh Babu B <ramesh.babu.b@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b0f7fe847aa6ec2ad14bb174a142bd7feb83f351
Author: Kevin(Yudong) Yang <yyd@google.com>
Date:   Wed Mar 3 09:43:54 2021 -0500

    net/mlx4_en: update moderation when config reset
    
    commit 00ff801bb8ce6711e919af4530b6ffa14a22390a upstream.
    
    This patch fixes a bug that the moderation config will not be
    applied when calling mlx4_en_reset_config. For example, when
    turning on rx timestamping, mlx4_en_reset_config() will be called,
    causing the NIC to forget previous moderation config.
    
    This fix is in phase with a previous fix:
    commit 79c54b6bbf06 ("net/mlx4_en: Fix TX moderation info loss
    after set_ringparam is called")
    
    Tested: Before this patch, on a host with NIC using mlx4, run
    netserver and stream TCP to the host at full utilization.
    $ sar -I SUM 1
                     INTR    intr/s
    14:03:56          sum  48758.00
    
    After rx hwtstamp is enabled:
    $ sar -I SUM 1
    14:10:38          sum 317771.00
    We see the moderation is not working properly and issued 7x more
    interrupts.
    
    After the patch, and turned on rx hwtstamp, the rate of interrupts
    is as expected:
    $ sar -I SUM 1
    14:52:11          sum  49332.00
    
    Fixes: 79c54b6bbf06 ("net/mlx4_en: Fix TX moderation info loss after set_ringparam is called")
    Signed-off-by: Kevin(Yudong) Yang <yyd@google.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Neal Cardwell <ncardwell@google.com>
    CC: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit afa77d3ae19729f49ace4905ee38100349122a79
Author: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Date:   Sun Feb 28 23:25:43 2021 +0300

    sh_eth: fix TRSCER mask for SH771x
    
    commit 8c91bc3d44dfef8284af384877fbe61117e8b7d1 upstream.
    
    According  to  the SH7710, SH7712, SH7713 Group User's Manual: Hardware,
    Rev. 3.00, the TRSCER register actually has only bit 7 valid (and named
    differently), with all the other bits reserved. Apparently, this was not
    the case with some early revisions of the manual as we have the other
    bits declared (and set) in the original driver.  Follow the suit and add
    the explicit sh_eth_cpu_data::trscer_err_mask initializer for SH771x...
    
    Fixes: 86a74ff21a7a ("net: sh_eth: add support for Renesas SuperH Ethernet")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a3c3a543b5f6f5ee7d6c791aff2a6d9dc3ce47e0
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Mar 10 10:18:04 2021 -0800

    Revert "mm, slub: consider rest of partial list if acquire_slab() fails"
    
    commit 9b1ea29bc0d7b94d420f96a0f4121403efc3dd85 upstream.
    
    This reverts commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf.
    
    The kernel test robot reports a huge performance regression due to the
    commit, and the reason seems fairly straightforward: when there is
    contention on the page list (which is what causes acquire_slab() to
    fail), we do _not_ want to just loop and try again, because that will
    transfer the contention to the 'n->list_lock' spinlock we hold, and
    just make things even worse.
    
    This is admittedly likely a problem only on big machines - the kernel
    test robot report comes from a 96-thread dual socket Intel Xeon Gold
    6252 setup, but the regression there really is quite noticeable:
    
       -47.9% regression of stress-ng.rawpkt.ops_per_sec
    
    and the commit that was marked as being fixed (7ced37197196: "slub:
    Acquire_slab() avoid loop") actually did the loop exit early very
    intentionally (the hint being that "avoid loop" part of that commit
    message), exactly to avoid this issue.
    
    The correct thing to do may be to pick some kind of reasonable middle
    ground: instead of breaking out of the loop on the very first sign of
    contention, or trying over and over and over again, the right thing may
    be to re-try _once_, and then give up on the second failure (or pick
    your favorite value for "once"..).
    
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Link: https://lore.kernel.org/lkml/20210301080404.GF12822@xsang-OptiPlex-9020/
    Cc: Jann Horn <jannh@google.com>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Acked-by: Christoph Lameter <cl@linux.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 63c1a97c0e81b1c79a477db7c5e48e71f08bafd4
Author: Joe Lawrence <joe.lawrence@redhat.com>
Date:   Tue Nov 20 15:19:18 2018 -0500

    scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names
    
    commit 9c8e2f6d3d361439cc6744a094f1c15681b55269 upstream.
    
    When building with -ffunction-sections, the compiler will place each
    function into its own ELF section, prefixed with ".text".  For example,
    a simple test module with functions test_module_do_work() and
    test_module_wq_func():
    
      % objdump --section-headers test_module.o | awk '/\.text/{print $2}'
      .text
      .text.test_module_do_work
      .text.test_module_wq_func
      .init.text
      .exit.text
    
    Adjust the recordmcount scripts to look for ".text" as a section name
    prefix.  This will ensure that those functions will be included in the
    __mcount_loc relocations:
    
      % objdump --reloc --section __mcount_loc test_module.o
      OFFSET           TYPE              VALUE
      0000000000000000 R_X86_64_64       .text.test_module_do_work
      0000000000000008 R_X86_64_64       .text.test_module_wq_func
      0000000000000010 R_X86_64_64       .init.text
    
    Link: http://lkml.kernel.org/r/1542745158-25392-2-git-send-email-joe.lawrence@redhat.com
    
    Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Cc: Manoj Gupta <manojgupta@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 18968aa8865de82122be99406c39db3d9b29d13c
Author: Paulo Alcantara <pc@cjr.nz>
Date:   Mon Mar 8 12:00:49 2021 -0300

    cifs: return proper error code in statfs(2)
    
    commit 14302ee3301b3a77b331cc14efb95bf7184c73cc upstream.
    
    In cifs_statfs(), if server->ops->queryfs is not NULL, then we should
    use its return value rather than always returning 0.  Instead, use rc
    variable as it is properly set to 0 in case there is no
    server->ops->queryfs.
    
    Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
    Reviewed-by: Aurelien Aptel <aaptel@suse.com>
    Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
    CC: <stable@vger.kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8895531156701ecc5a70a59e2050b0e4be7ac125
Author: Vasily Averin <vvs@virtuozzo.com>
Date:   Sat Feb 27 11:27:45 2021 +0300

    netfilter: x_tables: gpf inside xt_find_revision()
    
    commit 8e24edddad152b998b37a7f583175137ed2e04a5 upstream.
    
    nested target/match_revfn() calls work with xt[NFPROTO_UNSPEC] lists
    without taking xt[NFPROTO_UNSPEC].mutex. This can race with module unload
    and cause host to crash:
    
    general protection fault: 0000 [#1]
    Modules linked in: ... [last unloaded: xt_cluster]
    CPU: 0 PID: 542455 Comm: iptables
    RIP: 0010:[<ffffffff8ffbd518>]  [<ffffffff8ffbd518>] strcmp+0x18/0x40
    RDX: 0000000000000003 RSI: ffff9a5a5d9abe10 RDI: dead000000000111
    R13: ffff9a5a5d9abe10 R14: ffff9a5a5d9abd8c R15: dead000000000100
    (VvS: %R15 -- &xt_match,  %RDI -- &xt_match.name,
    xt_cluster unregister match in xt[NFPROTO_UNSPEC].match list)
    Call Trace:
     [<ffffffff902ccf44>] match_revfn+0x54/0xc0
     [<ffffffff902ccf9f>] match_revfn+0xaf/0xc0
     [<ffffffff902cd01e>] xt_find_revision+0x6e/0xf0
     [<ffffffffc05a5be0>] do_ipt_get_ctl+0x100/0x420 [ip_tables]
     [<ffffffff902cc6bf>] nf_getsockopt+0x4f/0x70
     [<ffffffff902dd99e>] ip_getsockopt+0xde/0x100
     [<ffffffff903039b5>] raw_getsockopt+0x25/0x50
     [<ffffffff9026c5da>] sock_common_getsockopt+0x1a/0x20
     [<ffffffff9026b89d>] SyS_getsockopt+0x7d/0xf0
     [<ffffffff903cbf92>] system_call_fastpath+0x25/0x2a
    
    Fixes: 656caff20e1 ("netfilter 04/09: x_tables: fix match/target revision lookup")
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Reviewed-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce59ffca5c49aeb99e48fb33ae75a806a1f82491
Author: Joakim Zhang <qiangqing.zhang@nxp.com>
Date:   Thu Feb 18 19:00:36 2021 +0800

    can: flexcan: enable RX FIFO after FRZ/HALT valid
    
    commit ec15e27cc8904605846a354bb1f808ea1432f853 upstream.
    
    RX FIFO enable failed could happen when do system reboot stress test:
    
    [    0.303958] flexcan 5a8d0000.can: 5a8d0000.can supply xceiver not found, using dummy regulator
    [    0.304281] flexcan 5a8d0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
    [    0.314640] flexcan 5a8d0000.can: registering netdev failed
    [    0.320728] flexcan 5a8e0000.can: 5a8e0000.can supply xceiver not found, using dummy regulator
    [    0.320991] flexcan 5a8e0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
    [    0.331360] flexcan 5a8e0000.can: registering netdev failed
    [    0.337444] flexcan 5a8f0000.can: 5a8f0000.can supply xceiver not found, using dummy regulator
    [    0.337716] flexcan 5a8f0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
    [    0.348117] flexcan 5a8f0000.can: registering netdev failed
    
    RX FIFO should be enabled after the FRZ/HALT are valid. But the current
    code enable RX FIFO and FRZ/HALT at the same time.
    
    Fixes: e955cead03117 ("CAN: Add Flexcan CAN controller driver")
    Link: https://lore.kernel.org/r/20210218110037.16591-3-qiangqing.zhang@nxp.com
    Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bb7c9039a396cf1640639f5257eb5e1f4d719ac6
Author: Joakim Zhang <qiangqing.zhang@nxp.com>
Date:   Thu Feb 18 19:00:35 2021 +0800

    can: flexcan: assert FRZ bit in flexcan_chip_freeze()
    
    commit 449052cfebf624b670faa040245d3feed770d22f upstream.
    
    Assert HALT bit to enter freeze mode, there is a premise that FRZ bit is
    asserted. This patch asserts FRZ bit in flexcan_chip_freeze, although
    the reset value is 1b'1. This is a prepare patch, later patch will
    invoke flexcan_chip_freeze() to enter freeze mode, which polling freeze
    mode acknowledge.
    
    Fixes: b1aa1c7a2165b ("can: flexcan: fix transition from and to freeze mode in chip_{,un}freeze")
    Link: https://lore.kernel.org/r/20210218110037.16591-2-qiangqing.zhang@nxp.com
    Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ca4e8562c52aac6fd75ad6bf8f2234e91a631837
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Fri Feb 26 10:24:56 2021 +0100

    can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership
    
    commit e940e0895a82c6fbaa259f2615eb52b57ee91a7e upstream.
    
    There are two ref count variables controlling the free()ing of a socket:
    - struct sock::sk_refcnt - which is changed by sock_hold()/sock_put()
    - struct sock::sk_wmem_alloc - which accounts the memory allocated by
      the skbs in the send path.
    
    In case there are still TX skbs on the fly and the socket() is closed,
    the struct sock::sk_refcnt reaches 0. In the TX-path the CAN stack
    clones an "echo" skb, calls sock_hold() on the original socket and
    references it. This produces the following back trace:
    
    | WARNING: CPU: 0 PID: 280 at lib/refcount.c:25 refcount_warn_saturate+0x114/0x134
    | refcount_t: addition on 0; use-after-free.
    | Modules linked in: coda_vpu(E) v4l2_jpeg(E) videobuf2_vmalloc(E) imx_vdoa(E)
    | CPU: 0 PID: 280 Comm: test_can.sh Tainted: G            E     5.11.0-04577-gf8ff6603c617 #203
    | Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
    | Backtrace:
    | [<80bafea4>] (dump_backtrace) from [<80bb0280>] (show_stack+0x20/0x24) r7:00000000 r6:600f0113 r5:00000000 r4:81441220
    | [<80bb0260>] (show_stack) from [<80bb593c>] (dump_stack+0xa0/0xc8)
    | [<80bb589c>] (dump_stack) from [<8012b268>] (__warn+0xd4/0x114) r9:00000019 r8:80f4a8c2 r7:83e4150c r6:00000000 r5:00000009 r4:80528f90
    | [<8012b194>] (__warn) from [<80bb09c4>] (warn_slowpath_fmt+0x88/0xc8) r9:83f26400 r8:80f4a8d1 r7:00000009 r6:80528f90 r5:00000019 r4:80f4a8c2
    | [<80bb0940>] (warn_slowpath_fmt) from [<80528f90>] (refcount_warn_saturate+0x114/0x134) r8:00000000 r7:00000000 r6:82b44000 r5:834e5600 r4:83f4d540
    | [<80528e7c>] (refcount_warn_saturate) from [<8079a4c8>] (__refcount_add.constprop.0+0x4c/0x50)
    | [<8079a47c>] (__refcount_add.constprop.0) from [<8079a57c>] (can_put_echo_skb+0xb0/0x13c)
    | [<8079a4cc>] (can_put_echo_skb) from [<8079ba98>] (flexcan_start_xmit+0x1c4/0x230) r9:00000010 r8:83f48610 r7:0fdc0000 r6:0c080000 r5:82b44000 r4:834e5600
    | [<8079b8d4>] (flexcan_start_xmit) from [<80969078>] (netdev_start_xmit+0x44/0x70) r9:814c0ba0 r8:80c8790c r7:00000000 r6:834e5600 r5:82b44000 r4:82ab1f00
    | [<80969034>] (netdev_start_xmit) from [<809725a4>] (dev_hard_start_xmit+0x19c/0x318) r9:814c0ba0 r8:00000000 r7:82ab1f00 r6:82b44000 r5:00000000 r4:834e5600
    | [<80972408>] (dev_hard_start_xmit) from [<809c6584>] (sch_direct_xmit+0xcc/0x264) r10:834e5600 r9:00000000 r8:00000000 r7:82b44000 r6:82ab1f00 r5:834e5600 r4:83f27400
    | [<809c64b8>] (sch_direct_xmit) from [<809c6c0c>] (__qdisc_run+0x4f0/0x534)
    
    To fix this problem, only set skb ownership to sockets which have still
    a ref count > 0.
    
    Fixes: 0ae89beb283a ("can: add destructor for self generated skbs")
    Cc: Oliver Hartkopp <socketcan@hartkopp.net>
    Cc: Andre Naujoks <nautsch2@gmail.com>
    Link: https://lore.kernel.org/r/20210226092456.27126-1-o.rempel@pengutronix.de
    Suggested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5ea5d57c09f95b577ce1bcaab6a5be3f453a7b39
Author: Balazs Nemeth <bnemeth@redhat.com>
Date:   Tue Mar 9 12:31:01 2021 +0100

    net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
    
    commit d348ede32e99d3a04863e9f9b28d224456118c27 upstream.
    
    A packet with skb_inner_network_header(skb) == skb_network_header(skb)
    and ETH_P_MPLS_UC will prevent mpls_gso_segment from pulling any headers
    from the packet. Subsequently, the call to skb_mac_gso_segment will
    again call mpls_gso_segment with the same packet leading to an infinite
    loop. In addition, ensure that the header length is a multiple of four,
    which should hold irrespective of the number of stacked labels.
    
    Signed-off-by: Balazs Nemeth <bnemeth@redhat.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ea3fb2ce5fa794d02135f5c079e05cd6fc3f545d
Author: Balazs Nemeth <bnemeth@redhat.com>
Date:   Tue Mar 9 12:31:00 2021 +0100

    net: check if protocol extracted by virtio_net_hdr_set_proto is correct
    
    commit 924a9bc362a5223cd448ca08c3dde21235adc310 upstream.
    
    For gso packets, virtio_net_hdr_set_proto sets the protocol (if it isn't
    set) based on the type in the virtio net hdr, but the skb could contain
    anything since it could come from packet_snd through a raw socket. If
    there is a mismatch between what virtio_net_hdr_set_proto sets and
    the actual protocol, then the skb could be handled incorrectly later
    on.
    
    An example where this poses an issue is with the subsequent call to
    skb_flow_dissect_flow_keys_basic which relies on skb->protocol being set
    correctly. A specially crafted packet could fool
    skb_flow_dissect_flow_keys_basic preventing EINVAL to be returned.
    
    Avoid blindly trusting the information provided by the virtio net header
    by checking that the protocol in the packet actually matches the
    protocol set by virtio_net_hdr_set_proto. Note that since the protocol
    is only checked if skb->dev implements header_ops->parse_protocol,
    packets from devices without the implementation are not checked at this
    stage.
    
    Fixes: 9274124f023b ("net: stricter validation of untrusted gso packets")
    Signed-off-by: Balazs Nemeth <bnemeth@redhat.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b2c2bd7c2891797cae92ce425113e42b23d30c4e
Author: Maxim Mikityanskiy <maximmi@mellanox.com>
Date:   Thu Feb 21 12:39:58 2019 +0000

    net: Introduce parse_protocol header_ops callback
    
    commit e78b2915517e8fcadb1bc130ad6aeac7099e510c upstream.
    
    Introduce a new optional header_ops callback called parse_protocol and a
    wrapper function dev_parse_header_protocol, similar to dev_parse_header.
    
    The new callback's purpose is to extract the protocol number from the L2
    header, the format of which is known to the driver, but not to the upper
    layers of the stack.
    
    Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5aac598c4e897c86ebdcae24391b3a672af47153
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Fri Feb 26 22:22:48 2021 +0100

    net: Fix gro aggregation for udp encaps with zero csum
    
    commit 89e5c58fc1e2857ccdaae506fb8bc5fed57ee063 upstream.
    
    We noticed a GRO issue for UDP-based encaps such as vxlan/geneve when the
    csum for the UDP header itself is 0. In that case, GRO aggregation does
    not take place on the phys dev, but instead is deferred to the vxlan/geneve
    driver (see trace below).
    
    The reason is essentially that GRO aggregation bails out in udp_gro_receive()
    for such case when drivers marked the skb with CHECKSUM_UNNECESSARY (ice, i40e,
    others) where for non-zero csums 2abb7cdc0dc8 ("udp: Add support for doing
    checksum unnecessary conversion") promotes those skbs to CHECKSUM_COMPLETE
    and napi context has csum_valid set. This is however not the case for zero
    UDP csum (here: csum_cnt is still 0 and csum_valid continues to be false).
    
    At the same time 57c67ff4bd92 ("udp: additional GRO support") added matches
    on !uh->check ^ !uh2->check as part to determine candidates for aggregation,
    so it certainly is expected to handle zero csums in udp_gro_receive(). The
    purpose of the check added via 662880f44203 ("net: Allow GRO to use and set
    levels of checksum unnecessary") seems to catch bad csum and stop aggregation
    right away.
    
    One way to fix aggregation in the zero case is to only perform the !csum_valid
    check in udp_gro_receive() if uh->check is infact non-zero.
    
    Before:
    
      [...]
      swapper     0 [008]   731.946506: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100400 len=1500   (1)
      swapper     0 [008]   731.946507: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100200 len=1500
      swapper     0 [008]   731.946507: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101100 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101700 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101b00 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100600 len=1500
      swapper     0 [008]   731.946508: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100f00 len=1500
      swapper     0 [008]   731.946509: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100a00 len=1500
      swapper     0 [008]   731.946516: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100500 len=1500
      swapper     0 [008]   731.946516: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100700 len=1500
      swapper     0 [008]   731.946516: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101d00 len=1500   (2)
      swapper     0 [008]   731.946517: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101000 len=1500
      swapper     0 [008]   731.946517: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101c00 len=1500
      swapper     0 [008]   731.946517: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101400 len=1500
      swapper     0 [008]   731.946518: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100e00 len=1500
      swapper     0 [008]   731.946518: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497101600 len=1500
      swapper     0 [008]   731.946521: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff966497100800 len=774
      swapper     0 [008]   731.946530: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff966497100400 len=14032 (1)
      swapper     0 [008]   731.946530: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff966497101d00 len=9112  (2)
      [...]
    
      # netperf -H 10.55.10.4 -t TCP_STREAM -l 20
      MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.55.10.4 () port 0 AF_INET : demo
      Recv   Send    Send
      Socket Socket  Message  Elapsed
      Size   Size    Size     Time     Throughput
      bytes  bytes   bytes    secs.    10^6bits/sec
    
       87380  16384  16384    20.01    13129.24
    
    After:
    
      [...]
      swapper     0 [026]   521.862641: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff93ab0d479000 len=11286 (1)
      swapper     0 [026]   521.862643: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff93ab0d479000 len=11236 (1)
      swapper     0 [026]   521.862650: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff93ab0d478500 len=2898  (2)
      swapper     0 [026]   521.862650: net:netif_receive_skb: dev=enp10s0f0  skbaddr=0xffff93ab0d479f00 len=8490  (3)
      swapper     0 [026]   521.862653: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff93ab0d478500 len=2848  (2)
      swapper     0 [026]   521.862653: net:netif_receive_skb: dev=test_vxlan skbaddr=0xffff93ab0d479f00 len=8440  (3)
      [...]
    
      # netperf -H 10.55.10.4 -t TCP_STREAM -l 20
      MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.55.10.4 () port 0 AF_INET : demo
      Recv   Send    Send
      Socket Socket  Message  Elapsed
      Size   Size    Size     Time     Throughput
      bytes  bytes   bytes    secs.    10^6bits/sec
    
       87380  16384  16384    20.01    24576.53
    
    Fixes: 57c67ff4bd92 ("udp: additional GRO support")
    Fixes: 662880f44203 ("net: Allow GRO to use and set levels of checksum unnecessary")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
    Cc: Tom Herbert <tom@herbertland.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Acked-by: John Fastabend <john.fastabend@gmail.com>
    Link: https://lore.kernel.org/r/20210226212248.8300-1-daniel@iogearbox.net
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 86a468a39e1ea120a4f5ca28456a5c1d4730b532
Author: Felix Fietkau <nbd@nbd.name>
Date:   Sun Feb 14 19:49:11 2021 +0100

    ath9k: fix transmitting to stations in dynamic SMPS mode
    
    commit 3b9ea7206d7e1fdd7419cbd10badd3b2c80d04b4 upstream.
    
    When transmitting to a receiver in dynamic SMPS mode, all transmissions that
    use multiple spatial streams need to be sent using CTS-to-self or RTS/CTS to
    give the receiver's extra chains some time to wake up.
    This fixes the tx rate getting stuck at <= MCS7 for some clients, especially
    Intel ones, which make aggressive use of SMPS.
    
    Cc: stable@vger.kernel.org
    Reported-by: Martin Kennedy <hurricos@gmail.com>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20210214184911.96702-1-nbd@nbd.name
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7543145ff42a94c581d9f41b01c3dd96806f2e13
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Fri Mar 5 14:17:29 2021 -0800

    ethernet: alx: fix order of calls on resume
    
    commit a4dcfbc4ee2218abd567d81d795082d8d4afcdf6 upstream.
    
    netif_device_attach() will unpause the queues so we can't call
    it before __alx_open(). This went undetected until
    commit b0999223f224 ("alx: add ability to allocate and free
    alx_napi structures") but now if stack tries to xmit immediately
    on resume before __alx_open() we'll crash on the NAPI being null:
    
     BUG: kernel NULL pointer dereference, address: 0000000000000198
     CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G           OE 5.10.0-3-amd64 #1 Debian 5.10.13-1
     Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77-D3H, BIOS F15 11/14/2013
     RIP: 0010:alx_start_xmit+0x34/0x650 [alx]
     Code: 41 56 41 55 41 54 55 53 48 83 ec 20 0f b7 57 7c 8b 8e b0
    0b 00 00 39 ca 72 06 89 d0 31 d2 f7 f1 89 d2 48 8b 84 df
     RSP: 0018:ffffb09240083d28 EFLAGS: 00010297
     RAX: 0000000000000000 RBX: ffffa04d80ae7800 RCX: 0000000000000004
     RDX: 0000000000000000 RSI: ffffa04d80afa000 RDI: ffffa04e92e92a00
     RBP: 0000000000000042 R08: 0000000000000100 R09: ffffa04ea3146700
     R10: 0000000000000014 R11: 0000000000000000 R12: ffffa04e92e92100
     R13: 0000000000000001 R14: ffffa04e92e92a00 R15: ffffa04e92e92a00
     FS:  0000000000000000(0000) GS:ffffa0508f600000(0000) knlGS:0000000000000000
     i915 0000:00:02.0: vblank wait timed out on crtc 0
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 0000000000000198 CR3: 000000004460a001 CR4: 00000000001706f0
     Call Trace:
      dev_hard_start_xmit+0xc7/0x1e0
      sch_direct_xmit+0x10f/0x310
    
    Cc: <stable@vger.kernel.org> # 4.9+
    Fixes: bc2bebe8de8e ("alx: remove WoL support")
    Reported-by: Zbynek Michl <zbynek.michl@gmail.com>
    Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983595
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Tested-by: Zbynek Michl <zbynek.michl@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ff3801699f5416a0406b4fc67186eb28d38878bc
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Mon Feb 22 08:00:00 2021 +0000

    uapi: nfnetlink_cthelper.h: fix userspace compilation error
    
    commit c33cb0020ee6dd96cc9976d6085a7d8422f6dbed upstream.
    
    Apparently, <linux/netfilter/nfnetlink_cthelper.h> and
    <linux/netfilter/nfnetlink_acct.h> could not be included into the same
    compilation unit because of a cut-and-paste typo in the former header.
    
    Fixes: 12f7a505331e6 ("netfilter: add user-space connection tracking helper infrastructure")
    Cc: <stable@vger.kernel.org> # v3.6
    Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>