commit 5e3c511539228fa03c8d00d61b5b5f32333ed0b0
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Jun 10 20:24:58 2020 +0200

    Linux 5.4.46

commit 9504466c9038497bc72f80715dc4ee8c3d90ed13
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Jun 9 19:29:42 2020 +0200

    Revert "net/mlx5: Annotate mutex destroy for root ns"
    
    This reverts commit 3f4f034a8676e366857861e76c3ad11ae059b2fb which is
    commit 9ca415399dae133b00273a4283ef31d003a6818d upstream.
    
    It was backported incorrectly, Paul writes at:
            https://lore.kernel.org/r/20200607203425.GD23662@windriver.com
    
            I happened to notice this commit:
    
            9ca415399dae - "net/mlx5: Annotate mutex destroy for root ns"
    
            ...was backported to 4.19 and 5.4 and v5.6 in linux-stable.
    
            It patches del_sw_root_ns() - which only exists after v5.7-rc7 from:
    
            6eb7a268a99b - "net/mlx5: Don't maintain a case of del_sw_func being
            null"
    
            which creates the one line del_sw_root_ns stub function around
            kfree(node) by breaking it out of tree_put_node().
    
            In the absense of del_sw_root_ns - the backport finds an identical one
            line kfree stub fcn - named del_sw_prio from this earlier commit:
    
            139ed6c6c46a - "net/mlx5: Fix steering memory leak"  [in v4.15-rc5]
    
            and then puts the mutex_destroy() into that (wrong) function, instead of
            putting it into tree_put_node where the root ns case used to be hand
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Cc: Roi Dayan <roid@mellanox.com>
    Cc: Mark Bloch <markb@mellanox.com>
    Cc: Saeed Mahameed <saeedm@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c06c03bba03f18f2f75b3c280b4a5351cadc7be3
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon May 4 18:47:25 2020 +0200

    uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
    
    commit 013b2deba9a6b80ca02f4fafd7dedf875e9b4450 upstream.
    
    uprobe_write_opcode() must not cross page boundary; prepare_uprobe()
    relies on arch_uprobe_analyze_insn() which should validate "vaddr" but
    some architectures (csky, s390, and sparc) don't do this.
    
    We can remove the BUG_ON() check in prepare_uprobe() and validate the
    offset early in __uprobe_register(). The new IS_ALIGNED() check matches
    the alignment check in arch_prepare_kprobe() on supported architectures,
    so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE.
    
    Another problem is __update_ref_ctr() which was wrong from the very
    beginning, it can read/write outside of kmap'ed page unless "vaddr" is
    aligned to sizeof(short), __uprobe_register() should check this too.
    
    Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
    Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Tested-by: Sven Schnelle <svens@linux.ibm.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 590459086bc9f0dd96bc99281939ffd0db85d9aa
Author: Josh Poimboeuf <jpoimboe@redhat.com>
Date:   Mon Apr 27 20:46:13 2020 +0200

    x86/speculation: Add Ivy Bridge to affected list
    
    commit 3798cc4d106e91382bfe016caa2edada27c2bb3f upstream
    
    Make the docs match the code.
    
    Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit faf187abda946bcb7edc097213e46cb3983e0f9f
Author: Mark Gross <mgross@linux.intel.com>
Date:   Thu Apr 16 18:21:51 2020 +0200

    x86/speculation: Add SRBDS vulnerability and mitigation documentation
    
    commit 7222a1b5b87417f22265c92deea76a6aecd0fb0f upstream
    
    Add documentation for the SRBDS vulnerability and its mitigation.
    
     [ bp: Massage.
       jpoimboe: sysfs table strings. ]
    
    Signed-off-by: Mark Gross <mgross@linux.intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Tony Luck <tony.luck@intel.com>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b0f61a0503ade07fd9ea2350b1500d40fff352e6
Author: Mark Gross <mgross@linux.intel.com>
Date:   Thu Apr 16 17:54:04 2020 +0200

    x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation
    
    commit 7e5b3c267d256822407a22fdce6afdf9cd13f9fb upstream
    
    SRBDS is an MDS-like speculative side channel that can leak bits from the
    random number generator (RNG) across cores and threads. New microcode
    serializes the processor access during the execution of RDRAND and
    RDSEED. This ensures that the shared buffer is overwritten before it is
    released for reuse.
    
    While it is present on all affected CPU models, the microcode mitigation
    is not needed on models that enumerate ARCH_CAPABILITIES[MDS_NO] in the
    cases where TSX is not supported or has been disabled with TSX_CTRL.
    
    The mitigation is activated by default on affected processors and it
    increases latency for RDRAND and RDSEED instructions. Among other
    effects this will reduce throughput from /dev/urandom.
    
    * Enable administrator to configure the mitigation off when desired using
      either mitigations=off or srbds=off.
    
    * Export vulnerability status via sysfs
    
    * Rename file-scoped macros to apply for non-whitelist table initializations.
    
     [ bp: Massage,
       - s/VULNBL_INTEL_STEPPING/VULNBL_INTEL_STEPPINGS/g,
       - do not read arch cap MSR a second time in tsx_fused_off() - just pass it in,
       - flip check in cpu_set_bug_bits() to save an indentation level,
       - reflow comments.
       jpoimboe: s/Mitigated/Mitigation/ in user-visible strings
       tglx: Dropped the fused off magic for now
     ]
    
    Signed-off-by: Mark Gross <mgross@linux.intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Tony Luck <tony.luck@intel.com>
    Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dab0161b8a0bc6a86319412e39b221670ca758ca
Author: Mark Gross <mgross@linux.intel.com>
Date:   Thu Apr 16 17:32:42 2020 +0200

    x86/cpu: Add 'table' argument to cpu_matches()
    
    commit 93920f61c2ad7edb01e63323832585796af75fc9 upstream
    
    To make cpu_matches() reusable for other matching tables, have it take a
    pointer to a x86_cpu_id table as an argument.
    
     [ bp: Flip arguments order. ]
    
    Signed-off-by: Mark Gross <mgross@linux.intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 749ec6b48a9a41f95154cd5aa61053aaeb7c7aff
Author: Mark Gross <mgross@linux.intel.com>
Date:   Thu Apr 16 17:23:10 2020 +0200

    x86/cpu: Add a steppings field to struct x86_cpu_id
    
    commit e9d7144597b10ff13ff2264c059f7d4a7fbc89ac upstream
    
    Intel uses the same family/model for several CPUs. Sometimes the
    stepping must be checked to tell them apart.
    
    On x86 there can be at most 16 steppings. Add a steppings bitmask to
    x86_cpu_id and a X86_MATCH_VENDOR_FAMILY_MODEL_STEPPING_FEATURE macro
    and support for matching against family/model/stepping.
    
     [ bp: Massage.
       tglx: Lightweight variant for backporting ]
    
    Signed-off-by: Mark Gross <mgross@linux.intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Tony Luck <tony.luck@intel.com>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e4e57f7bca44848470a9e25e0c5efce07070511f
Author: Tony W Wang-oc <TonyWWang-oc@zhaoxin.com>
Date:   Fri Jan 17 10:24:31 2020 +0800

    x86/speculation/spectre_v2: Exclude Zhaoxin CPUs from SPECTRE_V2
    
    commit 1e41a766c98b481400ab8c5a7aa8ea63a1bb03de upstream.
    
    New Zhaoxin family 7 CPUs are not affected by SPECTRE_V2. So define a
    separate cpu_vuln_whitelist bit NO_SPECTRE_V2 and add these CPUs to the cpu
    vulnerability whitelist.
    
    Signed-off-by: Tony W Wang-oc <TonyWWang-oc@zhaoxin.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lore.kernel.org/r/1579227872-26972-2-git-send-email-TonyWWang-oc@zhaoxin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c2baba26ac5ef69c827fa9d62ce2f975d45c5b37
Author: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Date:   Fri May 22 12:33:41 2020 +0100

    nvmem: qfprom: remove incorrect write support
    
    commit 8d9eb0d6d59a5d7028c80a30831143d3e75515a7 upstream.
    
    qfprom has different address spaces for read and write. Reads are
    always done from corrected address space, where as writes are done
    on raw address space.
    Writing to corrected address space is invalid and ignored, so it
    does not make sense to have this support in the driver which only
    supports corrected address space regions at the moment.
    
    Fixes: 4ab11996b489 ("nvmem: qfprom: Add Qualcomm QFPROM support.")
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Reviewed-by: Douglas Anderson <dianders@chromium.org>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200522113341.7728-1-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b3e3f4cb8c6bb5371a4d9889d4e4cf44222595ed
Author: Oliver Neukum <oneukum@suse.com>
Date:   Tue May 26 14:44:20 2020 +0200

    CDC-ACM: heed quirk also in error handling
    
    commit 97fe809934dd2b0b37dfef3a2fc70417f485d7af upstream.
    
    If buffers are iterated over in the error case, the lower limits
    for quirky devices must be heeded.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Reported-by: Jean Rene Dawin <jdawin@math.uni-bielefeld.de>
    Fixes: a4e7279cd1d19 ("cdc-acm: introduce a cool down")
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200526124420.22160-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4992c7618818ba5ac6cb60d9e94403f0a928c13c
Author: Pascal Terjan <pterjan@google.com>
Date:   Sat May 23 22:12:47 2020 +0100

    staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
    
    commit 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f upstream.
    
    The value in shared headers was fixed 9 years ago in commit 8d661f1e462d
    ("ieee80211: correct IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK macro") and
    while looking at using shared headers for other duplicated constants
    I noticed this driver uses the old value.
    
    The macros are also defined twice in this file so I am deleting the
    second definition.
    
    Signed-off-by: Pascal Terjan <pterjan@google.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200523211247.23262-1-pterjan@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 784ac0e82920a685d3f9c30ef02a4a608e3b250c
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Tue May 26 16:56:32 2020 +0200

    tty: hvc_console, fix crashes on parallel open/close
    
    commit 24eb2377f977fe06d84fca558f891f95bc28a449 upstream.
    
    hvc_open sets tty->driver_data to NULL when open fails at some point.
    Typically, the failure happens in hp->ops->notifier_add(). If there is
    a racing process which tries to open such mangled tty, which was not
    closed yet, the process will crash in hvc_open as tty->driver_data is
    NULL.
    
    All this happens because close wants to know whether open failed or not.
    But ->open should not NULL this and other tty fields for ->close to be
    happy. ->open should call tty_port_set_initialized(true) and close
    should check by tty_port_initialized() instead. So do this properly in
    this driver.
    
    So this patch removes these from ->open:
    * tty_port_tty_set(&hp->port, NULL). This happens on last close.
    * tty->driver_data = NULL. Dtto.
    * tty_port_put(&hp->port). This happens in shutdown and until now, this
      must have been causing a reference underflow, if I am not missing
      something.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org>
    Reported-and-tested-by: Raghavendra <rananta@codeaurora.org>
    Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9619c2f746f7991486d556789e8675f1d1a0a67d
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Mon May 25 16:27:40 2020 -0700

    vt: keyboard: avoid signed integer overflow in k_ascii
    
    commit b86dab054059b970111b5516ae548efaae5b3aae upstream.
    
    When k_ascii is invoked several times in a row there is a potential for
    signed integer overflow:
    
    UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
    10 * 1111111111 cannot be represented in type 'int'
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     <IRQ>
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0xce/0x128 lib/dump_stack.c:118
     ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
     handle_overflow+0xdc/0xf0 lib/ubsan.c:184
     __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
     k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
     kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
     kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
    
    While it can be worked around by using check_mul_overflow()/
    check_add_overflow(), it is better to introduce a separate flag to
    signal that number pad is being used to compose a symbol, and
    change type of the accumulator from signed to unsigned, thus
    avoiding undefined behavior when it overflows.
    
    Reported-by: Kyungtae Kim <kt0755@gmail.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2d0c87d34dabf494aa1f3edd0b963ef2a9e067f0
Author: Dinghao Liu <dinghao.liu@zju.edu.cn>
Date:   Sun May 24 21:50:49 2020 -0500

    usb: musb: Fix runtime PM imbalance on error
    
    commit e4befc121df03dc8ed2ac1031c98f9538e244bae upstream.
    
    When copy_from_user() returns an error code, there
    is a runtime PM usage counter imbalance.
    
    Fix this by moving copy_from_user() to the beginning
    of this function.
    
    Fixes: 7b6c1b4c0e1e ("usb: musb: fix runtime PM in debugfs")
    
    Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
    Cc: stable@vger.kernel.org
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Link: https://lore.kernel.org/r/20200525025049.3400-7-b-liu@ti.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8f57f50e31b26aaa2f663bd434b5ba74280157f
Author: Bin Liu <b-liu@ti.com>
Date:   Sun May 24 21:50:45 2020 -0500

    usb: musb: start session in resume for host port
    
    commit 7f88a5ac393f39319f69b8b20cc8d5759878d1a1 upstream.
    
    Commit 17539f2f4f0b ("usb: musb: fix enumeration after resume") replaced
    musb_start() in musb_resume() to not override softconnect bit, but it
    doesn't restart the session for host port which was done in musb_start().
    The session could be disabled in musb_suspend(), which leads the host
    port doesn't stay in host mode.
    
    So let's start the session specifically for host port in musb_resume().
    
    Fixes: 17539f2f4f0b ("usb: musb: fix enumeration after resume")
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Link: https://lore.kernel.org/r/20200525025049.3400-3-b-liu@ti.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d130bf2fcab7b2bb094bb03a437fe16eada1654
Author: Fabrice Gasnier <fabrice.gasnier@st.com>
Date:   Tue May 12 15:27:05 2020 +0200

    iio: adc: stm32-adc: fix a wrong error message when probing interrupts
    
    commit 10134ec3f8cefa6a40fe84987f1795e9e0da9715 upstream.
    
    A wrong error message is printed out currently, like on STM32MP15:
    - stm32-adc-core 48003000.adc: IRQ index 2 not found.
    
    This is seen since commit 7723f4c5ecdb ("driver core: platform: Add an
    error message to platform_get_irq*()").
    The STM32 ADC core driver wrongly requests up to 3 interrupt lines. It
    should request only the necessary IRQs, based on the compatible:
    - stm32f4/h7 ADCs share a common interrupt
    - stm32mp1, has one interrupt line per ADC.
    So add the number of required interrupts to the compatible data.
    
    Fixes: d58c67d1d851 ("iio: adc: stm32-adc: add support for STM32MP1")
    Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e98b0548b2f83abf70a6e80ab13bb05cccd3e826
Author: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Date:   Sun May 17 18:30:00 2020 +0100

    iio:chemical:pms7003: Fix timestamp alignment and prevent data leak.
    
    commit 13e945631c2ffb946c0af342812a3cd39227de6e upstream.
    
    One of a class of bugs pointed out by Lars in a recent review.
    iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
    to the size of the timestamp (8 bytes).  This is not guaranteed in
    this driver which uses an array of smaller elements on the stack.
    As Lars also noted this anti pattern can involve a leak of data to
    userspace and that indeed can happen here.  We close both issues by
    moving to a suitable structure in the iio_priv() data with alignment
    explicitly requested.  This data is allocated with kzalloc so no
    data can leak appart from previous readings.
    
    Fixes: a1d642266c14 ("iio: chemical: add support for Plantower PMS7003 sensor")
    Reported-by: Lars-Peter Clausen <lars@metafoo.de>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Cc: <Stable@vger.kernel.org>
    Acked-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b0e734fde6d2dbf8b2086e700f319a3703a3b2f
Author: Mathieu Othacehe <m.othacehe@gmail.com>
Date:   Sun May 3 11:29:55 2020 +0200

    iio: vcnl4000: Fix i2c swapped word reading.
    
    commit 18dfb5326370991c81a6d1ed6d1aeee055cb8c05 upstream.
    
    The bytes returned by the i2c reading need to be swapped
    unconditionally. Otherwise, on be16 platforms, an incorrect value will be
    returned.
    
    Taking the slow path via next merge window as its been around a while
    and we have a patch set dependent on this which would be held up.
    
    Fixes: 62a1efb9f868 ("iio: add vcnl4000 combined ALS and proximity sensor")
    Signed-off-by: Mathieu Othacehe <m.othacehe@gmail.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 940530f60c602ad74b9cff4deae296a0b1717352
Author: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Date:   Sun May 17 18:29:59 2020 +0100

    iio:chemical:sps30: Fix timestamp alignment
    
    commit a5bf6fdd19c327bcfd9073a8740fa19ca4525fd4 upstream.
    
    One of a class of bugs pointed out by Lars in a recent review.
    iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
    to the size of the timestamp (8 bytes).  This is not guaranteed in
    this driver which uses an array of smaller elements on the stack.
    
    Fixes: 232e0f6ddeae ("iio: chemical: add support for Sensirion SPS30 sensor")
    Reported-by: Lars-Peter Clausen <lars@metafoo.de>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Cc: <Stable@vger.kernel.org>
    Acked-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0fac736dbac64888e767c9bc367fe2645c201dac
Author: Michael Hanselmann <public@hansmi.ch>
Date:   Tue Mar 31 23:37:18 2020 +0000

    USB: serial: ch341: add basis for quirk detection
    
    commit c404bf4aa9236cb4d1068e499ae42acf48a6ff97 upstream.
    
    A subset of CH341 devices does not support all features, namely the
    prescaler is limited to a reduced precision and there is no support for
    sending a RS232 break condition. This patch adds a detection function
    which will be extended to set quirk flags as they're implemented.
    
    The author's affected device has an imprint of "340" on the
    turquoise-colored plug, but not all such devices appear to be affected.
    
    Signed-off-by: Michael Hanselmann <public@hansmi.ch>
    Link: https://lore.kernel.org/r/1e1ae0da6082bb528a44ef323d4e1d3733d38858.1585697281.git.public@hansmi.ch
    [ johan: use long type for quirks; rephrase and use port device for
             messages; handle short reads; set quirk flags directly in
             helper function ]
    Cc: stable <stable@vger.kernel.org>     # 5.5
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9060d48b42062b9a2903e3dac4b51b97c37a6a20
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Mon May 25 23:11:06 2020 +0200

    USB: serial: option: add Telit LE910C1-EUX compositions
    
    commit 399ad9477c523f721f8e51d4f824bdf7267f120c upstream.
    
    Add Telit LE910C1-EUX compositions:
    
            0x1031: tty, tty, tty, rmnet
            0x1033: tty, tty, tty, ecm
    
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Link: https://lore.kernel.org/r/20200525211106.27338-1-dnlplm@gmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5555c8f569fa46ecce9916e375dc2950302176e5
Author: Bin Liu <b-liu@ti.com>
Date:   Wed May 13 16:36:46 2020 -0500

    USB: serial: usb_wwan: do not resubmit rx urb on fatal errors
    
    commit 986c1748c84d7727defeaeca74a73b37f7d5cce1 upstream.
    
    usb_wwan_indat_callback() shouldn't resubmit rx urb if the previous urb
    status is a fatal error. Or the usb controller would keep processing the
    new urbs then run into interrupt storm, and has no chance to recover.
    
    Fixes: 6c1ee66a0b2b ("USB-Serial: Fix error handling of usb_wwan")
    Cc: stable@vger.kernel.org
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f366d3a21f1252b33b3220f9ef4819e9b66b0019
Author: Matt Jolly <Kangie@footclan.ninja>
Date:   Thu May 21 10:43:58 2020 +1000

    USB: serial: qcserial: add DW5816e QDL support
    
    commit 3429444abdd9dbd5faebd9bee552ec6162b17ad6 upstream.
    
    Add support for Dell Wireless 5816e Download Mode (AKA boot & hold mode /
    QDL download mode) to drivers/usb/serial/qcserial.c
    
    This is required to update device firmware.
    
    Signed-off-by: Matt Jolly <Kangie@footclan.ninja>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b3ebd9830c6026c98f03f7047c9d608573773f13
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu May 28 14:57:47 2020 -0700

    net: be more gentle about silly gso requests coming from user
    
    [ Upstream commit 7c6d2ecbda83150b2036a2b36b21381ad4667762 ]
    
    Recent change in virtio_net_hdr_to_skb() broke some packetdrill tests.
    
    When --mss=XXX option is set, packetdrill always provide gso_type & gso_size
    for its inbound packets, regardless of packet size.
    
            if (packet->tcp && packet->mss) {
                    if (packet->ipv4)
                            gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
                    else
                            gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
                    gso.gso_size = packet->mss;
            }
    
    Since many other programs could do the same, relax virtio_net_hdr_to_skb()
    to no longer return an error, but instead ignore gso settings.
    
    This keeps Willem intent to make sure no malicious packet could
    reach gso stack.
    
    Note that TCP stack has a special logic in tcp_set_skb_tso_segs()
    to clear gso_size for small packets.
    
    Fixes: 6dd912f82680 ("net: check untrusted gso_size at kernel entry")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a93417dfc1b0e6773fd9cd7e42663c5338a3d826
Author: Willem de Bruijn <willemb@google.com>
Date:   Mon May 25 15:07:40 2020 -0400

    net: check untrusted gso_size at kernel entry
    
    [ Upstream commit 6dd912f82680761d8fb6b1bb274a69d4c7010988 ]
    
    Syzkaller again found a path to a kernel crash through bad gso input:
    a packet with gso size exceeding len.
    
    These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
    But they may affect gso size calculations earlier in the path.
    
    Now that we have thlen as of commit 9274124f023b ("net: stricter
    validation of untrusted gso packets"), check gso_size at entry too.
    
    Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a0220334975079095a6bc9348227d34896beb001
Author: Stefano Garzarella <sgarzare@redhat.com>
Date:   Wed May 27 09:56:55 2020 +0200

    vsock: fix timeout in vsock_accept()
    
    [ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
    
    The accept(2) is an "input" socket interface, so we should use
    SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
    
    So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
    use the right timeout in the vsock_accept().
    
    Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
    Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
    Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 646345a153507bf876a182919e80df47b8beabcc
Author: Heinrich Kuhn <heinrich.kuhn@netronome.com>
Date:   Wed May 27 09:44:20 2020 +0200

    nfp: flower: fix used time of merge flow statistics
    
    [ Upstream commit 5b186cd60f033110960a3db424ffbd6de4cee528 ]
    
    Prior to this change the correct value for the used counter is calculated
    but not stored nor, therefore, propagated to user-space. In use-cases such
    as OVS use-case at least this results in active flows being removed from
    the hardware datapath. Which results in both unnecessary flow tear-down
    and setup, and packet processing on the host.
    
    This patch addresses the problem by saving the calculated used value
    which allows the value to propagate to user-space.
    
    Found by inspection.
    
    Fixes: aa6ce2ea0c93 ("nfp: flower: support stats update for merge flows")
    Signed-off-by: Heinrich Kuhn <heinrich.kuhn@netronome.com>
    Signed-off-by: Simon Horman <simon.horman@netronome.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 165508e456b1dd04ef680cf3d0d20133dfc84292
Author: Chuhong Yuan <hslester96@gmail.com>
Date:   Thu May 28 18:20:37 2020 +0800

    NFC: st21nfca: add missed kfree_skb() in an error path
    
    [ Upstream commit 3decabdc714ca56c944f4669b4cdec5c2c1cea23 ]
    
    st21nfca_tm_send_atr_res() misses to call kfree_skb() in an error path.
    Add the missed function call to fix it.
    
    Fixes: 1892bf844ea0 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode")
    Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 87adb76710d0119cee1fabdfa5ad5b0ed8f6ad12
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Mon May 25 23:25:37 2020 +0200

    net: usb: qmi_wwan: add Telit LE910C1-EUX composition
    
    [ Upstream commit 591612aa578cd7148b7b9d74869ef40118978389 ]
    
    Add support for Telit LE910C1-EUX composition
    
    0x1031: tty, tty, tty, rmnet
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Acked-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit de8f81077be2ef01c6ddad2c0fbb3e24b4696fca
Author: Fugang Duan <fugang.duan@nxp.com>
Date:   Mon May 25 16:18:14 2020 +0800

    net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a
    
    [ Upstream commit f2fb6b6275eba9d312957ca44c487bd780da6169 ]
    
    For rx filter 'HWTSTAMP_FILTER_PTP_V2_EVENT', it should be
    PTP v2/802.AS1, any layer, any kind of event packet, but HW only
    take timestamp snapshot for below PTP message: sync, Pdelay_req,
    Pdelay_resp.
    
    Then it causes below issue when test E2E case:
    ptp4l[2479.534]: port 1: received DELAY_REQ without timestamp
    ptp4l[2481.423]: port 1: received DELAY_REQ without timestamp
    ptp4l[2481.758]: port 1: received DELAY_REQ without timestamp
    ptp4l[2483.524]: port 1: received DELAY_REQ without timestamp
    ptp4l[2484.233]: port 1: received DELAY_REQ without timestamp
    ptp4l[2485.750]: port 1: received DELAY_REQ without timestamp
    ptp4l[2486.888]: port 1: received DELAY_REQ without timestamp
    ptp4l[2487.265]: port 1: received DELAY_REQ without timestamp
    ptp4l[2487.316]: port 1: received DELAY_REQ without timestamp
    
    Timestamp snapshot dependency on register bits in received path:
    SNAPTYPSEL TSMSTRENA TSEVNTENA  PTP_Messages
    01         x         0          SYNC, Follow_Up, Delay_Req,
                                    Delay_Resp, Pdelay_Req, Pdelay_Resp,
                                    Pdelay_Resp_Follow_Up
    01         0         1          SYNC, Pdelay_Req, Pdelay_Resp
    
    For dwmac v5.10a, enabling all events by setting register
    DWC_EQOS_TIME_STAMPING[SNAPTYPSEL] to 2’b01, clearing bit [TSEVNTENA]
    to 0’b0, which can support all required events.
    
    Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fb915f061e9eae214d9bae4d0d7f6d254ab79728
Author: Mark Bloch <markb@mellanox.com>
Date:   Wed May 20 17:32:08 2020 +0000

    net/mlx5: Fix crash upon suspend/resume
    
    [ Upstream commit 8fc3e29be9248048f449793502c15af329f35c6e ]
    
    Currently a Linux system with the mlx5 NIC always crashes upon
    hibernation - suspend/resume.
    
    Add basic callbacks so the NIC could be suspended and resumed.
    
    Fixes: 9603b61de1ee ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
    Tested-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: Mark Bloch <markb@mellanox.com>
    Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5fc8f9a348000faf571473e73498ae493fbe1423
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 29 11:20:53 2020 -0700

    l2tp: do not use inet_hash()/inet_unhash()
    
    [ Upstream commit 02c71b144c811bcdd865e0a1226d0407d11357e8 ]
    
    syzbot recently found a way to crash the kernel [1]
    
    Issue here is that inet_hash() & inet_unhash() are currently
    only meant to be used by TCP & DCCP, since only these protocols
    provide the needed hashinfo pointer.
    
    L2TP uses a single list (instead of a hash table)
    
    This old bug became an issue after commit 610236587600
    ("bpf: Add new cgroup attach type to enable sock modifications")
    since after this commit, sk_common_release() can be called
    while the L2TP socket is still considered 'hashed'.
    
    general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
    CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
    Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
    RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
    RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
    RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
    RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
    R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
    R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
    FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     sk_common_release+0xba/0x370 net/core/sock.c:3210
     inet_create net/ipv4/af_inet.c:390 [inline]
     inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
     __sock_create+0x3cb/0x730 net/socket.c:1428
     sock_create net/socket.c:1479 [inline]
     __sys_socket+0xef/0x200 net/socket.c:1521
     __do_sys_socket net/socket.c:1530 [inline]
     __se_sys_socket net/socket.c:1528 [inline]
     __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
     do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
     entry_SYSCALL_64_after_hwframe+0x49/0xb3
    RIP: 0033:0x441e29
    Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
    RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
    RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
    RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
    Modules linked in:
    ---[ end trace 23b6578228ce553e ]---
    RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
    Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
    RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
    RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
    RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
    RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
    R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
    R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
    FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    
    Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: James Chapman <jchapman@katalix.com>
    Cc: Andrii Nakryiko <andriin@fb.com>
    Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1b7693c092521989201fc8df80e6cfb7644e4d73
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 29 11:32:25 2020 -0700

    l2tp: add sk_family checks to l2tp_validate_socket
    
    [ Upstream commit d9a81a225277686eb629938986d97629ea102633 ]
    
    syzbot was able to trigger a crash after using an ISDN socket
    and fool l2tp.
    
    Fix this by making sure the UDP socket is of the proper family.
    
    BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
    Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
    
    CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x188/0x20d lib/dump_stack.c:118
     print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
     __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
     kasan_report+0x33/0x50 mm/kasan/common.c:625
     setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
     l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
     l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
     genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
     genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
     genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
     netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
     genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
     netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
     netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
     netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
     sock_sendmsg_nosec net/socket.c:652 [inline]
     sock_sendmsg+0xcf/0x120 net/socket.c:672
     ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
     ___sys_sendmsg+0x100/0x170 net/socket.c:2406
     __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
     do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
     entry_SYSCALL_64_after_hwframe+0x49/0xb3
    RIP: 0033:0x45ca29
    Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
    RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
    RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
    
    Allocated by task 3018:
     save_stack+0x1b/0x40 mm/kasan/common.c:49
     set_track mm/kasan/common.c:57 [inline]
     __kasan_kmalloc mm/kasan/common.c:495 [inline]
     __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
     __do_kmalloc mm/slab.c:3656 [inline]
     __kmalloc+0x161/0x7a0 mm/slab.c:3665
     kmalloc include/linux/slab.h:560 [inline]
     sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
     sk_alloc+0x36/0x1100 net/core/sock.c:1666
     data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
     mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
     __sock_create+0x3cb/0x730 net/socket.c:1428
     sock_create net/socket.c:1479 [inline]
     __sys_socket+0xef/0x200 net/socket.c:1521
     __do_sys_socket net/socket.c:1530 [inline]
     __se_sys_socket net/socket.c:1528 [inline]
     __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
     do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
     entry_SYSCALL_64_after_hwframe+0x49/0xb3
    
    Freed by task 2484:
     save_stack+0x1b/0x40 mm/kasan/common.c:49
     set_track mm/kasan/common.c:57 [inline]
     kasan_set_free_info mm/kasan/common.c:317 [inline]
     __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
     __cache_free mm/slab.c:3426 [inline]
     kfree+0x109/0x2b0 mm/slab.c:3757
     kvfree+0x42/0x50 mm/util.c:603
     __free_fdtable+0x2d/0x70 fs/file.c:31
     put_files_struct fs/file.c:420 [inline]
     put_files_struct+0x248/0x2e0 fs/file.c:413
     exit_files+0x7e/0xa0 fs/file.c:445
     do_exit+0xb04/0x2dd0 kernel/exit.c:791
     do_group_exit+0x125/0x340 kernel/exit.c:894
     get_signal+0x47b/0x24e0 kernel/signal.c:2739
     do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
     exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
     prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
     syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
     do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
     entry_SYSCALL_64_after_hwframe+0x49/0xb3
    
    The buggy address belongs to the object at ffff88808ed0c000
     which belongs to the cache kmalloc-2k of size 2048
    The buggy address is located 1424 bytes inside of
     2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
    The buggy address belongs to the page:
    page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
    flags: 0xfffe0000000200(slab)
    raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
    raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
    >ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                             ^
     ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    
    Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: James Chapman <jchapman@katalix.com>
    Cc: Guillaume Nault <gnault@redhat.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Acked-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 449c723240851300681282b50c28920dbee346eb
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Sat May 30 11:34:33 2020 +0800

    devinet: fix memleak in inetdev_init()
    
    [ Upstream commit 1b49cd71b52403822731dc9f283185d1da355f97 ]
    
    When devinet_sysctl_register() failed, the memory allocated
    in neigh_parms_alloc() should be freed.
    
    Fixes: 20e61da7ffcf ("ipv4: fail early when creating netdev named all or default")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>