commit 2f9c581dbde4e48aa0c002ddf3892d6bcd89c1a2
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Feb 3 23:16:18 2021 +0100

    Linux 4.4.255
    
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Link: https://lore.kernel.org/r/20210202132941.180062901@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b6dac2c198d593bd7bc08ece114f811b5979e363
Author: Pan Bian <bianpan2016@163.com>
Date:   Thu Jan 21 07:37:45 2021 -0800

    NFC: fix possible resource leak
    
    commit d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 upstream.
    
    Put the device to avoid resource leak on path that the polling flag is
    invalid.
    
    Fixes: a831b9132065 ("NFC: Do not return EBUSY when stopping a poll that's already stopped")
    Signed-off-by: Pan Bian <bianpan2016@163.com>
    Link: https://lore.kernel.org/r/20210121153745.122184-1-bianpan2016@163.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 074013e1d28d5e1158c7018730cd34570bc713c1
Author: Pan Bian <bianpan2016@163.com>
Date:   Thu Jan 21 07:27:48 2021 -0800

    NFC: fix resource leak when target index is invalid
    
    commit 3a30537cee233fb7da302491b28c832247d89bbe upstream.
    
    Goto to the label put_dev instead of the label error to fix potential
    resource leak on path that the target index is invalid.
    
    Fixes: c4fbb6515a4d ("NFC: The core part should generate the target index")
    Signed-off-by: Pan Bian <bianpan2016@163.com>
    Link: https://lore.kernel.org/r/20210121152748.98409-1-bianpan2016@163.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cf682c5219ae01fba97dd06782dc49a6495f43d3
Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Date:   Tue Feb 2 01:09:37 2021 +0100

    iommu/vt-d: Don't dereference iommu_device if IOMMU_API is not built
    
    commit 9def3b1a07c41e21c68a0eb353e3e569fdd1d2b1 upstream.
    
    Since commit c40aaaac1018 ("iommu/vt-d: Gracefully handle DMAR units
    with no supported address widths") dmar.c needs struct iommu_device to
    be selected. We can drop this dependency by not dereferencing struct
    iommu_device if IOMMU_API is not selected and by reusing the information
    stored in iommu->drhd->ignored instead.
    
    This fixes the following build error when IOMMU_API is not selected:
    
    drivers/iommu/dmar.c: In function ‘free_iommu’:
    drivers/iommu/dmar.c:1139:41: error: ‘struct iommu_device’ has no member named ‘ops’
     1139 |  if (intel_iommu_enabled && iommu->iommu.ops) {
                                                    ^
    
    Fixes: c40aaaac1018 ("iommu/vt-d: Gracefully handle DMAR units with no supported address widths")
    Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
    Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
    Acked-by: David Woodhouse <dwmw@amazon.co.uk>
    Link: https://lore.kernel.org/r/20201013073055.11262-1-brgl@bgdev.pl
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    [ - context change due to moving drivers/iommu/dmar.c to
        drivers/iommu/intel/dmar.c
      - set the drhr in the iommu like in upstream commit b1012ca8dc4f
        ("iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu") ]
    Signed-off-by: Filippo Sironi <sironi@amazon.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e4f10aec71e59715aa94c5f25e4de6b290105adc
Author: David Woodhouse <dwmw@amazon.co.uk>
Date:   Tue Feb 2 01:09:36 2021 +0100

    iommu/vt-d: Gracefully handle DMAR units with no supported address widths
    
    commit c40aaaac1018ff1382f2d35df5129a6bcea3df6b upstream.
    
    Instead of bailing out completely, such a unit can still be used for
    interrupt remapping.
    
    Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
    Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
    Link: https://lore.kernel.org/linux-iommu/549928db2de6532117f36c9c810373c14cf76f51.camel@infradead.org/
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    [ - context change due to moving drivers/iommu/dmar.c to
        drivers/iommu/intel/dmar.c
      - remove the unused err_unmap label
      - use iommu->iommu_dev instead of iommu->iommu.ops to decide whether
        when freeing ]
    Signed-off-by: Filippo Sironi <sironi@amazon.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ee607baae70b012cc3e5efe7520ea0187ba4372c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jan 21 09:08:05 2021 +0300

    can: dev: prevent potential information leak in can_fill_info()
    
    [ Upstream commit b552766c872f5b0d90323b24e4c9e8fa67486dd5 ]
    
    The "bec" struct isn't necessarily always initialized. For example, the
    mcp251xfd_get_berr_counter() function doesn't initialize anything if the
    interface is down.
    
    Fixes: 52c793f24054 ("can: netlink support for bus-error reporting and counters")
    Link: https://lore.kernel.org/r/YAkaRdRJncsJO8Ve@mwanda
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9f1f71f1d4bdf2003780e40a20cf0dea5900a182
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Jan 22 17:11:16 2021 +0100

    mac80211: pause TX while changing interface type
    
    [ Upstream commit 054c9939b4800a91475d8d89905827bf9e1ad97a ]
    
    syzbot reported a crash that happened when changing the interface
    type around a lot, and while it might have been easy to fix just
    the symptom there, a little deeper investigation found that really
    the reason is that we allowed packets to be transmitted while in
    the middle of changing the interface type.
    
    Disallow TX by stopping the queues while changing the type.
    
    Fixes: 34d4bc4d41d2 ("mac80211: support runtime interface type changes")
    Reported-by: syzbot+d7a3b15976bf7de2238a@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/r/20210122171115.b321f98f4d4f.I6997841933c17b093535c31d29355be3c0c39628@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8b97c8c934c81583ced691c6116f932060580185
Author: Kamal Heib <kamalheib1@gmail.com>
Date:   Thu Jan 14 21:14:23 2021 +0200

    RDMA/cxgb4: Fix the reported max_recv_sge value
    
    [ Upstream commit a372173bf314d374da4dd1155549d8ca7fc44709 ]
    
    The max_recv_sge value is wrongly reported when calling query_qp, This is
    happening due to a typo when assigning the max_recv_sge value, the value
    of sq_max_sges was assigned instead of rq_max_sges.
    
    Fixes: 3e5c02c9ef9a ("iw_cxgb4: Support query_qp() verb")
    Link: https://lore.kernel.org/r/20210114191423.423529-1-kamalheib1@gmail.com
    Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
    Reviewed-by: Potnuri Bharat Teja <bharat@chelsio.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bdf1634d5e9db4de8aff50ac4b64437d85b2a02c
Author: Shmulik Ladkani <shmulik@metanetworks.com>
Date:   Mon Dec 14 15:38:32 2020 +0200

    xfrm: Fix oops in xfrm_replay_advance_bmp
    
    [ Upstream commit 56ce7c25ae1525d83cf80a880cf506ead1914250 ]
    
    When setting xfrm replay_window to values higher than 32, a rare
    page-fault occurs in xfrm_replay_advance_bmp:
    
      BUG: unable to handle page fault for address: ffff8af350ad7920
      #PF: supervisor write access in kernel mode
      #PF: error_code(0x0002) - not-present page
      PGD ad001067 P4D ad001067 PUD 0
      Oops: 0002 [#1] SMP PTI
      CPU: 3 PID: 30 Comm: ksoftirqd/3 Kdump: loaded Not tainted 5.4.52-050452-generic #202007160732
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
      RIP: 0010:xfrm_replay_advance_bmp+0xbb/0x130
      RSP: 0018:ffffa1304013ba40 EFLAGS: 00010206
      RAX: 000000000000010d RBX: 0000000000000002 RCX: 00000000ffffff4b
      RDX: 0000000000000018 RSI: 00000000004c234c RDI: 00000000ffb3dbff
      RBP: ffffa1304013ba50 R08: ffff8af330ad7920 R09: 0000000007fffffa
      R10: 0000000000000800 R11: 0000000000000010 R12: ffff8af29d6258c0
      R13: ffff8af28b95c700 R14: 0000000000000000 R15: ffff8af29d6258fc
      FS:  0000000000000000(0000) GS:ffff8af339ac0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffff8af350ad7920 CR3: 0000000015ee4000 CR4: 00000000001406e0
      Call Trace:
       xfrm_input+0x4e5/0xa10
       xfrm4_rcv_encap+0xb5/0xe0
       xfrm4_udp_encap_rcv+0x140/0x1c0
    
    Analysis revealed offending code is when accessing:
    
            replay_esn->bmp[nr] |= (1U << bitnr);
    
    with 'nr' being 0x07fffffa.
    
    This happened in an SMP system when reordering of packets was present;
    A packet arrived with a "too old" sequence number (outside the window,
    i.e 'diff > replay_window'), and therefore the following calculation:
    
                            bitnr = replay_esn->replay_window - (diff - pos);
    
    yields a negative result, but since bitnr is u32 we get a large unsigned
    quantity (in crash dump above: 0xffffff4b seen in ecx).
    
    This was supposed to be protected by xfrm_input()'s former call to:
    
                    if (x->repl->check(x, skb, seq)) {
    
    However, the state's spinlock x->lock is *released* after '->check()'
    is performed, and gets re-acquired before '->advance()' - which gives a
    chance for a different core to update the xfrm state, e.g. by advancing
    'replay_esn->seq' when it encounters more packets - leading to a
    'diff > replay_window' situation when original core continues to
    xfrm_replay_advance_bmp().
    
    An attempt to fix this issue was suggested in commit bcf66bf54aab
    ("xfrm: Perform a replay check after return from async codepaths"),
    by calling 'x->repl->recheck()' after lock is re-acquired, but fix
    applied only to asyncronous crypto algorithms.
    
    Augment the fix, by *always* calling 'recheck()' - irrespective if we're
    using async crypto.
    
    Fixes: 0ebea8ef3559 ("[IPSEC]: Move state lock into x->type->input")
    Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bb3c0b319bb04f05303456b2cd101dde9459ac3f
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sat Jan 16 19:20:15 2021 +0100

    netfilter: nft_dynset: add timeout extension to template
    
    commit 0c5b7a501e7400869ee905b4f7af3d6717802bcb upstream.
    
    Otherwise, the newly create element shows no timeout when listing the
    ruleset. If the set definition does not specify a default timeout, then
    the set element only shows the expiration time, but not the timeout.
    This is a problem when restoring a stateful ruleset listing since it
    skips the timeout policy entirely.
    
    Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 73acc9bd999ec0a50ea07284fd982341df7b5e45
Author: Max Krummenacher <max.oss.09@gmail.com>
Date:   Mon Jan 11 16:17:04 2021 +0100

    ARM: imx: build suspend-imx6.S with arm instruction set
    
    commit a88afa46b86ff461c89cc33fc3a45267fff053e8 upstream.
    
    When the kernel is configured to use the Thumb-2 instruction set
    "suspend-to-memory" fails to resume. Observed on a Colibri iMX6ULL
    (i.MX 6ULL) and Apalis iMX6 (i.MX 6Q).
    
    It looks like the CPU resumes unconditionally in ARM instruction mode
    and then chokes on the presented Thumb-2 code it should execute.
    
    Fix this by using the arm instruction set for all code in
    suspend-imx6.S.
    
    Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
    Fixes: df595746fa69 ("ARM: imx: add suspend in ocram support for i.mx6q")
    Acked-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f2a9957e5c08b1b1caacd18a3dc4c0a1bdb7b463
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:14 2021 +0000

    futex: Prevent exit livelock
    
    commit 3ef240eaff36b8119ac9e2ea17cbf41179c930ba upstream.
    
    Oleg provided the following test case:
    
    int main(void)
    {
            struct sched_param sp = {};
    
            sp.sched_priority = 2;
            assert(sched_setscheduler(0, SCHED_FIFO, &sp) == 0);
    
            int lock = vfork();
            if (!lock) {
                    sp.sched_priority = 1;
                    assert(sched_setscheduler(0, SCHED_FIFO, &sp) == 0);
                    _exit(0);
            }
    
            syscall(__NR_futex, &lock, FUTEX_LOCK_PI, 0,0,0);
            return 0;
    }
    
    This creates an unkillable RT process spinning in futex_lock_pi() on a UP
    machine or if the process is affine to a single CPU. The reason is:
    
     parent                                 child
    
      set FIFO prio 2
    
      vfork()                       ->      set FIFO prio 1
       implies wait_for_child()             sched_setscheduler(...)
                                            exit()
                                            do_exit()
                                            ....
                                            mm_release()
                                              tsk->futex_state = FUTEX_STATE_EXITING;
                                              exit_futex(); (NOOP in this case)
                                              complete() --> wakes parent
      sys_futex()
        loop infinite because
        tsk->futex_state == FUTEX_STATE_EXITING
    
    The same problem can happen just by regular preemption as well:
    
      task holds futex
      ...
      do_exit()
        tsk->futex_state = FUTEX_STATE_EXITING;
    
      --> preemption (unrelated wakeup of some other higher prio task, e.g. timer)
    
      switch_to(other_task)
    
      return to user
      sys_futex()
            loop infinite as above
    
    Just for the fun of it the futex exit cleanup could trigger the wakeup
    itself before the task sets its futex state to DEAD.
    
    To cure this, the handling of the exiting owner is changed so:
    
       - A refcount is held on the task
    
       - The task pointer is stored in a caller visible location
    
       - The caller drops all locks (hash bucket, mmap_sem) and blocks
         on task::futex_exit_mutex. When the mutex is acquired then
         the exiting task has completed the cleanup and the state
         is consistent and can be reevaluated.
    
    This is not a pretty solution, but there is no choice other than returning
    an error code to user space, which would break the state consistency
    guarantee and open another can of problems including regressions.
    
    For stable backports the preparatory commits ac31c7ff8624 .. ba31c1a48538
    are required as well, but for anything older than 5.3.y the backports are
    going to be provided when this hits mainline as the other dependencies for
    those kernels are definitely not stable material.
    
    Fixes: 778e9a9c3e71 ("pi-futex: fix exit races and locking problems")
    Reported-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Stable Team <stable@vger.kernel.org>
    Link: https://lkml.kernel.org/r/20191106224557.041676471@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aa2f795a5bc171282a79c55d0a4e55cfdcea2845
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:13 2021 +0000

    futex: Provide distinct return value when owner is exiting
    
    commit ac31c7ff8624409ba3c4901df9237a616c187a5d upstream.
    
    attach_to_pi_owner() returns -EAGAIN for various cases:
    
     - Owner task is exiting
     - Futex value has changed
    
    The caller drops the held locks (hash bucket, mmap_sem) and retries the
    operation. In case of the owner task exiting this can result in a live
    lock.
    
    As a preparatory step for seperating those cases, provide a distinct return
    value (EBUSY) for the owner exiting case.
    
    No functional change.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.935606117@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 26f05b30e97d3bc30a20b52719d726f062539807
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:12 2021 +0000

    futex: Add mutex around futex exit
    
    commit 3f186d974826847a07bc7964d79ec4eded475ad9 upstream.
    
    The mutex will be used in subsequent changes to replace the busy looping of
    a waiter when the futex owner is currently executing the exit cleanup to
    prevent a potential live lock.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.845798895@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 39947bfd796393ab623ecb3374d6507d398a0113
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:11 2021 +0000

    futex: Provide state handling for exec() as well
    
    commit af8cbda2cfcaa5515d61ec500498d46e9a8247e2 upstream.
    
    exec() attempts to handle potentially held futexes gracefully by running
    the futex exit handling code like exit() does.
    
    The current implementation has no protection against concurrent incoming
    waiters. The reason is that the futex state cannot be set to
    FUTEX_STATE_DEAD after the cleanup because the task struct is still active
    and just about to execute the new binary.
    
    While its arguably buggy when a task holds a futex over exec(), for
    consistency sake the state handling can at least cover the actual futex
    exit cleanup section. This provides state consistency protection accross
    the cleanup. As the futex state of the task becomes FUTEX_STATE_OK after the
    cleanup has been finished, this cannot prevent subsequent attempts to
    attach to the task in case that the cleanup was not successfull in mopping
    up all leftovers.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.753355618@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6eaebabf3bca8ff10ca5542c3d3d72ad829db934
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:10 2021 +0000

    futex: Sanitize exit state handling
    
    commit 4a8e991b91aca9e20705d434677ac013974e0e30 upstream.
    
    Instead of having a smp_mb() and an empty lock/unlock of task::pi_lock move
    the state setting into to the lock section.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.645603214@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 40da511f787b75a80efa3ae5d3f90753a795a9e4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:09 2021 +0000

    futex: Mark the begin of futex exit explicitly
    
    commit 18f694385c4fd77a09851fd301236746ca83f3cb upstream.
    
    Instead of relying on PF_EXITING use an explicit state for the futex exit
    and set it in the futex exit function. This moves the smp barrier and the
    lock/unlock serialization into the futex code.
    
    As with the DEAD state this is restricted to the exit path as exec
    continues to use the same task struct.
    
    This allows to simplify that logic in a next step.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.539409004@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit da81e2f3e1cb8bf5bb1323370c5e331606841260
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:08 2021 +0000

    futex: Set task::futex_state to DEAD right after handling futex exit
    
    commit f24f22435dcc11389acc87e5586239c1819d217c upstream.
    
    Setting task::futex_state in do_exit() is rather arbitrarily placed for no
    reason. Move it into the futex code.
    
    Note, this is only done for the exit cleanup as the exec cleanup cannot set
    the state to FUTEX_STATE_DEAD because the task struct is still in active
    use.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.439511191@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 74937389334294f9565813154d9f16da46cac8f3
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:07 2021 +0000

    futex: Split futex_mm_release() for exit/exec
    
    commit 150d71584b12809144b8145b817e83b81158ae5f upstream.
    
    To allow separate handling of the futex exit state in the futex exit code
    for exit and exec, split futex_mm_release() into two functions and invoke
    them from the corresponding exit/exec_mm_release() callsites.
    
    Preparatory only, no functional change.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.332094221@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 93d2eb4077a953965ccc2f452cc3bd8483e32a21
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:06 2021 +0000

    exit/exec: Seperate mm_release()
    
    commit 4610ba7ad877fafc0a25a30c6c82015304120426 upstream.
    
    mm_release() contains the futex exit handling. mm_release() is called from
    do_exit()->exit_mm() and from exec()->exec_mm().
    
    In the exit_mm() case PF_EXITING and the futex state is updated. In the
    exec_mm() case these states are not touched.
    
    As the futex exit code needs further protections against exit races, this
    needs to be split into two functions.
    
    Preparatory only, no functional change.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.240518241@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0838b8271ad99c8b1cfea47fc9054ccbce6c0e88
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:05 2021 +0000

    futex: Replace PF_EXITPIDONE with a state
    
    commit 3d4775df0a89240f671861c6ab6e8d59af8e9e41 upstream.
    
    The futex exit handling relies on PF_ flags. That's suboptimal as it
    requires a smp_mb() and an ugly lock/unlock of the exiting tasks pi_lock in
    the middle of do_exit() to enforce the observability of PF_EXITING in the
    futex code.
    
    Add a futex_state member to task_struct and convert the PF_EXITPIDONE logic
    over to the new state. The PF_EXITING dependency will be cleaned up in a
    later step.
    
    This prepares for handling various futex exit issues later.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.149449274@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d2b511c52c4ba36da1803f4f94f6dfe9c1cbf84
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Feb 1 15:12:04 2021 +0000

    futex: Move futex exit handling into futex code
    
    commit ba31c1a48538992316cc71ce94fa9cd3e7b427c0 upstream.
    
    The futex exit handling is #ifdeffed into mm_release() which is not pretty
    to begin with. But upcoming changes to address futex exit races need to add
    more functionality to this exit code.
    
    Split it out into a function, move it into futex code and make the various
    futex exit functions static.
    
    Preparatory only and no functional change.
    
    Folded build fix from Borislav.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20191106224556.049705556@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad940f6d96e218b7398773c9a1d1522e970c8832
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Mon Feb 1 15:12:03 2021 +0000

    y2038: futex: Move compat implementation into futex.c
    
    commit 04e7712f4460585e5eed5b853fd8b82a9943958f upstream.
    
    We are going to share the compat_sys_futex() handler between 64-bit
    architectures and 32-bit architectures that need to deal with both 32-bit
    and 64-bit time_t, and this is easier if both entry points are in the
    same file.
    
    In fact, most other system call handlers do the same thing these days, so
    let's follow the trend here and merge all of futex_compat.c into futex.c.
    
    In the process, a few minor changes have to be done to make sure everything
    still makes sense: handle_futex_death() and futex_cmpxchg_enabled() become
    local symbol, and the compat version of the fetch_robust_entry() function
    gets renamed to compat_fetch_robust_entry() to avoid a symbol clash.
    
    This is intended as a purely cosmetic patch, no behavior should
    change.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [Lee: Back-ported to satisfy a build dependency]
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit beffdc16d0372fe7231c992d7b0ace15c3c9637e
Author: Lorenzo Bianconi <lorenzo@kernel.org>
Date:   Thu Jan 14 18:10:52 2021 +0100

    mt7601u: fix rx buffer refcounting
    
    commit d24c790577ef01bfa01da2b131313a38c843a634 upstream.
    
    Fix the following crash due to erroneous page refcounting:
    
    [   32.445919] BUG: Bad page state in process swapper/1  pfn:11f65a
    [   32.447409] page:00000000938f0632 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x11f65a
    [   32.449605] flags: 0x8000000000000000()
    [   32.450421] raw: 8000000000000000 ffffffff825b0148 ffffea00045ae988 0000000000000000
    [   32.451795] raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000
    [   32.452999] page dumped because: nonzero mapcount
    [   32.453888] Modules linked in:
    [   32.454492] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-rc2+ #1976
    [   32.455695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1.fc33 04/01/2014
    [   32.457157] Call Trace:
    [   32.457636]  <IRQ>
    [   32.457993]  dump_stack+0x77/0x97
    [   32.458576]  bad_page.cold+0x65/0x96
    [   32.459198]  get_page_from_freelist+0x46a/0x11f0
    [   32.460008]  __alloc_pages_nodemask+0x10a/0x2b0
    [   32.460794]  mt7601u_rx_tasklet+0x651/0x720
    [   32.461505]  tasklet_action_common.constprop.0+0x6b/0xd0
    [   32.462343]  __do_softirq+0x152/0x46c
    [   32.462928]  asm_call_irq_on_stack+0x12/0x20
    [   32.463610]  </IRQ>
    [   32.463953]  do_softirq_own_stack+0x5b/0x70
    [   32.464582]  irq_exit_rcu+0x9f/0xe0
    [   32.465028]  common_interrupt+0xae/0x1a0
    [   32.465536]  asm_common_interrupt+0x1e/0x40
    [   32.466071] RIP: 0010:default_idle+0x18/0x20
    [   32.468981] RSP: 0018:ffffc90000077f00 EFLAGS: 00000246
    [   32.469648] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
    [   32.470550] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81aac3dd
    [   32.471463] RBP: ffff88810022ab00 R08: 0000000000000001 R09: 0000000000000001
    [   32.472335] R10: 0000000000000046 R11: 0000000000005aa0 R12: 0000000000000000
    [   32.473235] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    [   32.474139]  ? default_idle_call+0x4d/0x200
    [   32.474681]  default_idle_call+0x74/0x200
    [   32.475192]  do_idle+0x1d5/0x250
    [   32.475612]  cpu_startup_entry+0x19/0x20
    [   32.476114]  secondary_startup_64_no_verify+0xb0/0xbb
    [   32.476765] Disabling lock debugging due to kernel taint
    
    Fixes: c869f77d6abb ("add mt7601u driver")
    Co-developed-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
    Acked-by: Jakub Kicinski <kubakici@wp.pl>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/62b2380c8c2091834cfad05e1059b55f945bd114.1610643952.git.lorenzo@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6f798baef017e713b55a49d7b8d9ea9ff2140589
Author: Lorenzo Bianconi <lorenzo@kernel.org>
Date:   Sun Jan 17 22:46:01 2021 +0100

    mt7601u: fix kernel crash unplugging the device
    
    commit 0acb20a5438c36e0cf2b8bf255f314b59fcca6ef upstream.
    
    The following crash log can occur unplugging the usb dongle since,
    after the urb poison in mt7601u_free_tx_queue(), usb_submit_urb() will
    always fail resulting in a skb kfree while the skb has been already
    queued.
    
    Fix the issue enqueuing the skb only if usb_submit_urb() succeed.
    
    Hardware name: Hewlett-Packard 500-539ng/2B2C, BIOS 80.06 04/01/2015
    Workqueue: usb_hub_wq hub_event
    RIP: 0010:skb_trim+0x2c/0x30
    RSP: 0000:ffffb4c88005bba8 EFLAGS: 00010206
    RAX: 000000004ad483ee RBX: ffff9a236625dee0 RCX: 000000000000662f
    RDX: 000000000000000c RSI: 0000000000000000 RDI: ffff9a2343179300
    RBP: ffff9a2343179300 R08: 0000000000000001 R09: 0000000000000000
    R10: ffff9a23748f7840 R11: 0000000000000001 R12: ffff9a236625e4d4
    R13: ffff9a236625dee0 R14: 0000000000001080 R15: 0000000000000008
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fd410a34ef8 CR3: 00000001416ee001 CR4: 00000000001706f0
    Call Trace:
     mt7601u_tx_status+0x3e/0xa0 [mt7601u]
     mt7601u_dma_cleanup+0xca/0x110 [mt7601u]
     mt7601u_cleanup+0x22/0x30 [mt7601u]
     mt7601u_disconnect+0x22/0x60 [mt7601u]
     usb_unbind_interface+0x8a/0x270
     ? kernfs_find_ns+0x35/0xd0
     __device_release_driver+0x17a/0x230
     device_release_driver+0x24/0x30
     bus_remove_device+0xdb/0x140
     device_del+0x18b/0x430
     ? kobject_put+0x98/0x1d0
     usb_disable_device+0xc6/0x1f0
     usb_disconnect.cold+0x7e/0x20a
     hub_event+0xbf3/0x1870
     process_one_work+0x1b6/0x350
     worker_thread+0x53/0x3e0
     ? process_one_work+0x350/0x350
     kthread+0x11b/0x140
     ? __kthread_bind_mask+0x60/0x60
     ret_from_fork+0x22/0x30
    
    Fixes: 23377c200b2eb ("mt7601u: fix possible memory leak when the device is disconnected")
    Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
    Acked-by: Jakub Kicinski <kubakici@wp.pl>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/3b85219f669a63a8ced1f43686de05915a580489.1610919247.git.lorenzo@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cb69f6371f26a76ccd2fe3ad506e4b2747aeb3cc
Author: Like Xu <like.xu@linux.intel.com>
Date:   Wed Dec 30 16:19:16 2020 +0800

    KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[]
    
    commit 98dd2f108e448988d91e296173e773b06fb978b8 upstream.
    
    The HW_REF_CPU_CYCLES event on the fixed counter 2 is pseudo-encoded as
    0x0300 in the intel_perfmon_event_map[]. Correct its usage.
    
    Fixes: 62079d8a4312 ("KVM: PMU: add proper support for fixed counter 2")
    Signed-off-by: Like Xu <like.xu@linux.intel.com>
    Message-Id: <20201230081916.63417-1-like.xu@linux.intel.com>
    Reviewed-by: Sean Christopherson <seanjc@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eeaf7e8a200b62ee0b5a71c428862179766b219a
Author: Giacinto Cifelli <gciofono@gmail.com>
Date:   Wed Jan 20 05:56:50 2021 +0100

    net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family
    
    commit 7e0e63d09516e96994c879f07c5a3c3269d7015e upstream.
    
    Bus 003 Device 009: ID 1e2d:006f
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               2.00
      bDeviceClass          239 Miscellaneous Device
      bDeviceSubClass         2 ?
      bDeviceProtocol         1 Interface Association
      bMaxPacketSize0        64
      idVendor           0x1e2d
      idProduct          0x006f
      bcdDevice            0.00
      iManufacturer           3 Cinterion Wireless Modules
      iProduct                2 PLSx3
      iSerial                 4 fa3c1419
      bNumConfigurations      1
      Configuration Descriptor:
        bLength                 9
        bDescriptorType         2
        wTotalLength          303
        bNumInterfaces          9
        bConfigurationValue     1
        iConfiguration          1 Cinterion Configuration
        bmAttributes         0xe0
          Self Powered
          Remote Wakeup
        MaxPower              500mA
        Interface Association:
          bLength                 8
          bDescriptorType        11
          bFirstInterface         0
          bInterfaceCount         2
          bFunctionClass          2 Communications
          bFunctionSubClass       2 Abstract (modem)
          bFunctionProtocol       1 AT-commands (v.25ter)
          iFunction               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        0
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass      2 Abstract (modem)
          bInterfaceProtocol      1 AT-commands (v.25ter)
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC ACM:
            bmCapabilities       0x02
              line coding and serial state
          CDC Call Management:
            bmCapabilities       0x03
              call management
              use DataInterface
            bDataInterface          1
          CDC Union:
            bMasterInterface        0
            bSlaveInterface         1
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x81  EP 1 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        1
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x82  EP 2 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x01  EP 1 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
        Interface Association:
          bLength                 8
          bDescriptorType        11
          bFirstInterface         2
          bInterfaceCount         2
          bFunctionClass          2 Communications
          bFunctionSubClass       2 Abstract (modem)
          bFunctionProtocol       1 AT-commands (v.25ter)
          iFunction               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        2
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass      2 Abstract (modem)
          bInterfaceProtocol      1 AT-commands (v.25ter)
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC ACM:
            bmCapabilities       0x02
              line coding and serial state
          CDC Call Management:
            bmCapabilities       0x03
              call management
              use DataInterface
            bDataInterface          3
          CDC Union:
            bMasterInterface        2
            bSlaveInterface         3
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x83  EP 3 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        3
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x84  EP 4 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x02  EP 2 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
        Interface Association:
          bLength                 8
          bDescriptorType        11
          bFirstInterface         4
          bInterfaceCount         2
          bFunctionClass          2 Communications
          bFunctionSubClass       2 Abstract (modem)
          bFunctionProtocol       1 AT-commands (v.25ter)
          iFunction               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        4
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass      2 Abstract (modem)
          bInterfaceProtocol      1 AT-commands (v.25ter)
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC ACM:
            bmCapabilities       0x02
              line coding and serial state
          CDC Call Management:
            bmCapabilities       0x03
              call management
              use DataInterface
            bDataInterface          5
          CDC Union:
            bMasterInterface        4
            bSlaveInterface         5
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x85  EP 5 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        5
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x86  EP 6 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x03  EP 3 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
        Interface Association:
          bLength                 8
          bDescriptorType        11
          bFirstInterface         6
          bInterfaceCount         2
          bFunctionClass          2 Communications
          bFunctionSubClass       2 Abstract (modem)
          bFunctionProtocol       1 AT-commands (v.25ter)
          iFunction               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        6
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass      2 Abstract (modem)
          bInterfaceProtocol      1 AT-commands (v.25ter)
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC ACM:
            bmCapabilities       0x02
              line coding and serial state
          CDC Call Management:
            bmCapabilities       0x03
              call management
              use DataInterface
            bDataInterface          7
          CDC Union:
            bMasterInterface        6
            bSlaveInterface         7
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x87  EP 7 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        7
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass        10 CDC Data
          bInterfaceSubClass      0 Unused
          bInterfaceProtocol      0
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x88  EP 8 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x04  EP 4 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        8
          bAlternateSetting       0
          bNumEndpoints           3
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass    255 Vendor Specific Subclass
          bInterfaceProtocol    255 Vendor Specific Protocol
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x89  EP 9 IN
            bmAttributes            3
              Transfer Type            Interrupt
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               5
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x8a  EP 10 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x05  EP 5 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0200  1x 512 bytes
            bInterval               0
    Device Qualifier (for other device speed):
      bLength                10
      bDescriptorType         6
      bcdUSB               2.00
      bDeviceClass          239 Miscellaneous Device
      bDeviceSubClass         2 ?
      bDeviceProtocol         1 Interface Association
      bMaxPacketSize0        64
      bNumConfigurations      1
    Device Status:     0x0000
      (Bus Powered)
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Giacinto Cifelli <gciofono@gmail.com>
    Acked-by: Bjørn Mork <bjorn@mork.no>
    Link: https://lore.kernel.org/r/20210120045650.10855-1-gciofono@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 65ffc738644d6c153355e38958acc7260c4e341d
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Thu Jan 21 17:16:22 2021 +0100

    wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
    
    commit 5122565188bae59d507d90a9a9fd2fd6107f4439 upstream.
    
    Since cfg80211 doesn't implement commit, we never really cared about
    that code there (and it's configured out w/o CONFIG_WIRELESS_EXT).
    After all, since it has no commit, it shouldn't return -EIWCOMMIT to
    indicate commit is needed.
    
    However, EIWCOMMIT is actually an alias for EINPROGRESS, which _can_
    happen if e.g. we try to change the frequency but we're already in
    the process of connecting to some network, and drivers could return
    that value (or even cfg80211 itself might).
    
    This then causes us to crash because dev->wireless_handlers is NULL
    but we try to check dev->wireless_handlers->standard[0].
    
    Fix this by also checking dev->wireless_handlers. Also simplify the
    code a little bit.
    
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com
    Reported-by: syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/r/20210121171621.2076e4a37d5a.I5d9c72220fe7bb133fb718751da0180a57ecba4e@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4bb12fd84f73666f7fb53338bb8fc0d1a8dd50b8
Author: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date:   Fri Jan 22 20:53:02 2021 +0800

    ACPI: sysfs: Prefer "compatible" modalias
    
    commit 36af2d5c4433fb40ee2af912c4ac0a30991aecfc upstream.
    
    Commit 8765c5ba1949 ("ACPI / scan: Rework modalias creation when
    "compatible" is present") may create two "MODALIAS=" in one uevent
    file if specific conditions are met.
    
    This breaks systemd-udevd, which assumes each "key" in one uevent file
    to be unique. The internal implementation of systemd-udevd overwrites
    the first MODALIAS with the second one, so its kmod rule doesn't load
    the driver for the first MODALIAS.
    
    So if both the ACPI modalias and the OF modalias are present, use the
    latter to ensure that there will be only one MODALIAS.
    
    Link: https://github.com/systemd/systemd/pull/18163
    Suggested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Fixes: 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present")
    Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: 4.1+ <stable@vger.kernel.org> # 4.1+
    [ rjw: Subject and changelog edits ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>