--- /dev/null
+From af505cad9567f7a500d34bf183696d570d7f6810 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das <nirmoy.das@amd.com>
+Date: Thu, 2 Sep 2021 12:29:17 +0200
+Subject: debugfs: debugfs_create_file_size(): use IS_ERR to check for error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@amd.com>
+
+commit af505cad9567f7a500d34bf183696d570d7f6810 upstream.
+
+debugfs_create_file() returns encoded error so use IS_ERR for checking
+return value.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
+Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL")
+Cc: stable <stable@vger.kernel.org>
+References: https://gitlab.freedesktop.org/drm/amd/-/issues/1686
+Link: https://lore.kernel.org/r/20210902102917.2233-1-nirmoy.das@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/debugfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -522,7 +522,7 @@ struct dentry *debugfs_create_file_size(
+ {
+ struct dentry *de = debugfs_create_file(name, mode, parent, data, fops);
+
+- if (de)
++ if (!IS_ERR(de))
+ d_inode(de)->i_size = file_size;
+ return de;
+ }
--- /dev/null
+From 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 Mon Sep 17 00:00:00 2001
+From: Chen Jingwen <chenjingwen6@huawei.com>
+Date: Tue, 28 Sep 2021 20:56:57 +0800
+Subject: elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
+
+From: Chen Jingwen <chenjingwen6@huawei.com>
+
+commit 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 upstream.
+
+In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf
+executable mappings") we still leave MAP_FIXED_NOREPLACE in place for
+load_elf_interp.
+
+Unfortunately, this will cause kernel to fail to start with:
+
+ 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
+ Failed to execute /init (error -17)
+
+The reason is that the elf interpreter (ld.so) has overlapping segments.
+
+ readelf -l ld-2.31.so
+ Program Headers:
+ Type Offset VirtAddr PhysAddr
+ FileSiz MemSiz Flags Align
+ LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
+ 0x000000000002c94c 0x000000000002c94c R E 0x10000
+ LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
+ 0x00000000000021e8 0x0000000000002320 RW 0x10000
+ LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
+ 0x00000000000011ac 0x0000000000001328 RW 0x10000
+
+The reason for this problem is the same as described in commit
+ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
+
+Not only executable binaries, elf interpreters (e.g. ld.so) can have
+overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
+back to MAP_FIXED in load_elf_interp.
+
+Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
+Cc: <stable@vger.kernel.org> # v4.19
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/binfmt_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -583,7 +583,7 @@ static unsigned long load_elf_interp(str
+
+ vaddr = eppnt->p_vaddr;
+ if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
+- elf_type |= MAP_FIXED_NOREPLACE;
++ elf_type |= MAP_FIXED;
+ else if (no_base && interp_elf_ex->e_type == ET_DYN)
+ load_addr = -vaddr;
+
--- /dev/null
+From 75ca6ad408f459f00b09a64f04c774559848c097 Mon Sep 17 00:00:00 2001
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+Date: Sat, 5 Jun 2021 10:39:32 +0530
+Subject: ext4: fix loff_t overflow in ext4_max_bitmap_size()
+
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+
+commit 75ca6ad408f459f00b09a64f04c774559848c097 upstream.
+
+We should use unsigned long long rather than loff_t to avoid
+overflow in ext4_max_bitmap_size() for comparison before returning.
+w/o this patch sbi->s_bitmap_maxbytes was becoming a negative
+value due to overflow of upper_limit (with has_huge_files as true)
+
+Below is a quick test to trigger it on a 64KB pagesize system.
+
+sudo mkfs.ext4 -b 65536 -O ^has_extents,^64bit /dev/loop2
+sudo mount /dev/loop2 /mnt
+sudo echo "hello" > /mnt/hello -> This will error out with
+ "echo: write error: File too large"
+
+Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/594f409e2c543e90fd836b78188dfa5c575065ba.1622867594.git.riteshh@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2830,17 +2830,17 @@ static loff_t ext4_max_size(int blkbits,
+ */
+ static loff_t ext4_max_bitmap_size(int bits, int has_huge_files)
+ {
+- loff_t res = EXT4_NDIR_BLOCKS;
++ unsigned long long upper_limit, res = EXT4_NDIR_BLOCKS;
+ int meta_blocks;
+- loff_t upper_limit;
+- /* This is calculated to be the largest file size for a dense, block
++
++ /*
++ * This is calculated to be the largest file size for a dense, block
+ * mapped file such that the file's total number of 512-byte sectors,
+ * including data and all indirect blocks, does not exceed (2^48 - 1).
+ *
+ * __u32 i_blocks_lo and _u16 i_blocks_high represent the total
+ * number of 512-byte sectors of the file.
+ */
+-
+ if (!has_huge_files) {
+ /*
+ * !has_huge_files or implies that the inode i_block field
+@@ -2883,7 +2883,7 @@ static loff_t ext4_max_bitmap_size(int b
+ if (res > MAX_LFS_FILESIZE)
+ res = MAX_LFS_FILESIZE;
+
+- return res;
++ return (loff_t)res;
+ }
+
+ static ext4_fsblk_t descriptor_loc(struct super_block *sb,
--- /dev/null
+From 42cb447410d024e9d54139ae9c21ea132a8c384c Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Tue, 14 Sep 2021 19:14:15 +0800
+Subject: ext4: fix potential infinite loop in ext4_dx_readdir()
+
+From: yangerkun <yangerkun@huawei.com>
+
+commit 42cb447410d024e9d54139ae9c21ea132a8c384c upstream.
+
+When ext4_htree_fill_tree() fails, ext4_dx_readdir() can run into an
+infinite loop since if info->last_pos != ctx->pos this will reset the
+directory scan and reread the failing entry. For example:
+
+1. a dx_dir which has 3 block, block 0 as dx_root block, block 1/2 as
+ leaf block which own the ext4_dir_entry_2
+2. block 1 read ok and call_filldir which will fill the dirent and update
+ the ctx->pos
+3. block 2 read fail, but we has already fill some dirent, so we will
+ return back to userspace will a positive return val(see ksys_getdents64)
+4. the second ext4_dx_readdir will reset the world since info->last_pos
+ != ctx->pos, and will also init the curr_hash which pos to block 1
+5. So we will read block1 too, and once block2 still read fail, we can
+ only fill one dirent because the hash of the entry in block1(besides
+ the last one) won't greater than curr_hash
+6. this time, we forget update last_pos too since the read for block2
+ will fail, and since we has got the one entry, ksys_getdents64 can
+ return success
+7. Latter we will trapped in a loop with step 4~6
+
+Cc: stable@kernel.org
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20210914111415.3921954-1-yangerkun@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/dir.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -536,7 +536,7 @@ static int ext4_dx_readdir(struct file *
+ struct dir_private_info *info = file->private_data;
+ struct inode *inode = file_inode(file);
+ struct fname *fname;
+- int ret;
++ int ret = 0;
+
+ if (!info) {
+ info = ext4_htree_create_dir_info(file, ctx->pos);
+@@ -584,7 +584,7 @@ static int ext4_dx_readdir(struct file *
+ info->curr_minor_hash,
+ &info->next_hash);
+ if (ret < 0)
+- return ret;
++ goto finished;
+ if (ret == 0) {
+ ctx->pos = ext4_get_htree_eof(file);
+ break;
+@@ -615,7 +615,7 @@ static int ext4_dx_readdir(struct file *
+ }
+ finished:
+ info->last_pos = ctx->pos;
+- return 0;
++ return ret < 0 ? ret : 0;
+ }
+
+ static int ext4_dir_open(struct inode * inode, struct file * filp)
--- /dev/null
+From 6fed83957f21eff11c8496e9f24253b03d2bc1dc Mon Sep 17 00:00:00 2001
+From: Jeffle Xu <jefflexu@linux.alibaba.com>
+Date: Mon, 23 Aug 2021 14:13:58 +0800
+Subject: ext4: fix reserved space counter leakage
+
+From: Jeffle Xu <jefflexu@linux.alibaba.com>
+
+commit 6fed83957f21eff11c8496e9f24253b03d2bc1dc upstream.
+
+When ext4_insert_delayed block receives and recovers from an error from
+ext4_es_insert_delayed_block(), e.g., ENOMEM, it does not release the
+space it has reserved for that block insertion as it should. One effect
+of this bug is that s_dirtyclusters_counter is not decremented and
+remains incorrectly elevated until the file system has been unmounted.
+This can result in premature ENOSPC returns and apparent loss of free
+space.
+
+Another effect of this bug is that
+/sys/fs/ext4/<dev>/delayed_allocation_blocks can remain non-zero even
+after syncfs has been executed on the filesystem.
+
+Besides, add check for s_dirtyclusters_counter when inode is going to be
+evicted and freed. s_dirtyclusters_counter can still keep non-zero until
+inode is written back in .evict_inode(), and thus the check is delayed
+to .destroy_inode().
+
+Fixes: 51865fda28e5 ("ext4: let ext4 maintain extent status tree")
+Cc: stable@kernel.org
+Suggested-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Jeffle Xu <jefflexu@linux.alibaba.com>
+Reviewed-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20210823061358.84473-1-jefflexu@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 5 +++++
+ fs/ext4/super.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1782,6 +1782,7 @@ static int ext4_insert_delayed_block(str
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ int ret;
+ bool allocated = false;
++ bool reserved = false;
+
+ /*
+ * If the cluster containing lblk is shared with a delayed,
+@@ -1798,6 +1799,7 @@ static int ext4_insert_delayed_block(str
+ ret = ext4_da_reserve_space(inode);
+ if (ret != 0) /* ENOSPC */
+ goto errout;
++ reserved = true;
+ } else { /* bigalloc */
+ if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk)) {
+ if (!ext4_es_scan_clu(inode,
+@@ -1810,6 +1812,7 @@ static int ext4_insert_delayed_block(str
+ ret = ext4_da_reserve_space(inode);
+ if (ret != 0) /* ENOSPC */
+ goto errout;
++ reserved = true;
+ } else {
+ allocated = true;
+ }
+@@ -1820,6 +1823,8 @@ static int ext4_insert_delayed_block(str
+ }
+
+ ret = ext4_es_insert_delayed_block(inode, lblk, allocated);
++ if (ret && reserved)
++ ext4_da_release_space(inode, 1);
+
+ errout:
+ return ret;
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1141,6 +1141,12 @@ static void ext4_destroy_inode(struct in
+ true);
+ dump_stack();
+ }
++
++ if (EXT4_I(inode)->i_reserved_data_blocks)
++ ext4_msg(inode->i_sb, KERN_ERR,
++ "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
++ inode->i_ino, EXT4_I(inode),
++ EXT4_I(inode)->i_reserved_data_blocks);
+ }
+
+ static void init_once(void *foo)
--- /dev/null
+From 22d65765f211cc83186fd8b87521159f354c0da9 Mon Sep 17 00:00:00 2001
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Date: Thu, 16 Sep 2021 17:33:11 +0100
+Subject: HID: u2fzero: ignore incomplete packets without data
+
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+
+commit 22d65765f211cc83186fd8b87521159f354c0da9 upstream.
+
+Since the actual_length calculation is performed unsigned, packets
+shorter than 7 bytes (e.g. packets without data or otherwise truncated)
+or non-received packets ("zero" bytes) can cause buffer overflow.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
+Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG")
+Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-u2fzero.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-u2fzero.c
++++ b/drivers/hid/hid-u2fzero.c
+@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng
+ }
+
+ ret = u2fzero_recv(dev, &req, &resp);
+- if (ret < 0)
++
++ /* ignore errors or packets without data */
++ if (ret < offsetof(struct u2f_hid_msg, init.data))
+ return 0;
+
+ /* only take the minimum amount of data it is safe to take */
--- /dev/null
+From 445c8132727728dc297492a7d9fc074af3e94ba3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:20 +0200
+Subject: ipack: ipoctal: fix missing allocation-failure check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 445c8132727728dc297492a7d9fc074af3e94ba3 upstream.
+
+Add the missing error handling when allocating the transmit buffer to
+avoid dereferencing a NULL pointer in write() should the allocation
+ever fail.
+
+Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board")
+Cc: stable@vger.kernel.org # 3.5
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -388,7 +388,9 @@ static int ipoctal_inst_slot(struct ipoc
+
+ channel = &ipoctal->channel[i];
+ tty_port_init(&channel->tty_port);
+- tty_port_alloc_xmit_buf(&channel->tty_port);
++ res = tty_port_alloc_xmit_buf(&channel->tty_port);
++ if (res)
++ continue;
+ channel->tty_port.ops = &ipoctal_tty_port_ops;
+
+ ipoctal_reset_stats(&channel->stats);
--- /dev/null
+From bb8a4fcb2136508224c596a7e665bdba1d7c3c27 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:21 +0200
+Subject: ipack: ipoctal: fix module reference leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bb8a4fcb2136508224c596a7e665bdba1d7c3c27 upstream.
+
+A reference to the carrier module was taken on every open but was only
+released once when the final reference to the tty struct was dropped.
+
+Fix this by taking the module reference and initialising the tty driver
+data when installing the tty.
+
+Fixes: 82a82340bab6 ("ipoctal: get carrier driver to avoid rmmod")
+Cc: stable@vger.kernel.org # 3.18
+Cc: Federico Vaga <federico.vaga@cern.ch>
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-6-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -84,22 +84,34 @@ static int ipoctal_port_activate(struct
+ return 0;
+ }
+
+-static int ipoctal_open(struct tty_struct *tty, struct file *file)
++static int ipoctal_install(struct tty_driver *driver, struct tty_struct *tty)
+ {
+ struct ipoctal_channel *channel = dev_get_drvdata(tty->dev);
+ struct ipoctal *ipoctal = chan_to_ipoctal(channel, tty->index);
+- int err;
+-
+- tty->driver_data = channel;
++ int res;
+
+ if (!ipack_get_carrier(ipoctal->dev))
+ return -EBUSY;
+
+- err = tty_port_open(&channel->tty_port, tty, file);
+- if (err)
+- ipack_put_carrier(ipoctal->dev);
++ res = tty_standard_install(driver, tty);
++ if (res)
++ goto err_put_carrier;
++
++ tty->driver_data = channel;
++
++ return 0;
++
++err_put_carrier:
++ ipack_put_carrier(ipoctal->dev);
++
++ return res;
++}
++
++static int ipoctal_open(struct tty_struct *tty, struct file *file)
++{
++ struct ipoctal_channel *channel = tty->driver_data;
+
+- return err;
++ return tty_port_open(&channel->tty_port, tty, file);
+ }
+
+ static void ipoctal_reset_stats(struct ipoctal_stats *stats)
+@@ -665,6 +677,7 @@ static void ipoctal_cleanup(struct tty_s
+
+ static const struct tty_operations ipoctal_fops = {
+ .ioctl = NULL,
++ .install = ipoctal_install,
+ .open = ipoctal_open,
+ .close = ipoctal_close,
+ .write = ipoctal_write_tty,
--- /dev/null
+From a89936cce87d60766a75732a9e7e25c51164f47c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:17 +0200
+Subject: ipack: ipoctal: fix stack information leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a89936cce87d60766a75732a9e7e25c51164f47c upstream.
+
+The tty driver name is used also after registering the driver and must
+specifically not be allocated on the stack to avoid leaking information
+to user space (or triggering an oops).
+
+Drivers should not try to encode topology information in the tty device
+name but this one snuck in through staging without anyone noticing and
+another driver has since copied this malpractice.
+
+Fixing the ABI is a separate issue, but this at least plugs the security
+hole.
+
+Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board")
+Cc: stable@vger.kernel.org # 3.5
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -266,7 +266,6 @@ static int ipoctal_inst_slot(struct ipoc
+ int res;
+ int i;
+ struct tty_driver *tty;
+- char name[20];
+ struct ipoctal_channel *channel;
+ struct ipack_region *region;
+ void __iomem *addr;
+@@ -357,8 +356,11 @@ static int ipoctal_inst_slot(struct ipoc
+ /* Fill struct tty_driver with ipoctal data */
+ tty->owner = THIS_MODULE;
+ tty->driver_name = KBUILD_MODNAME;
+- sprintf(name, KBUILD_MODNAME ".%d.%d.", bus_nr, slot);
+- tty->name = name;
++ tty->name = kasprintf(GFP_KERNEL, KBUILD_MODNAME ".%d.%d.", bus_nr, slot);
++ if (!tty->name) {
++ res = -ENOMEM;
++ goto err_put_driver;
++ }
+ tty->major = 0;
+
+ tty->minor_start = 0;
+@@ -374,8 +376,7 @@ static int ipoctal_inst_slot(struct ipoc
+ res = tty_register_driver(tty);
+ if (res) {
+ dev_err(&ipoctal->dev->dev, "Can't register tty driver.\n");
+- put_tty_driver(tty);
+- return res;
++ goto err_free_name;
+ }
+
+ /* Save struct tty_driver for use it when uninstalling the device */
+@@ -412,6 +413,13 @@ static int ipoctal_inst_slot(struct ipoc
+ ipoctal_irq_handler, ipoctal);
+
+ return 0;
++
++err_free_name:
++ kfree(tty->name);
++err_put_driver:
++ put_tty_driver(tty);
++
++ return res;
+ }
+
+ static inline int ipoctal_copy_write_buffer(struct ipoctal_channel *channel,
+@@ -700,6 +708,7 @@ static void __ipoctal_remove(struct ipoc
+ }
+
+ tty_unregister_driver(ipoctal->tty_drv);
++ kfree(ipoctal->tty_drv->name);
+ put_tty_driver(ipoctal->tty_drv);
+ kfree(ipoctal);
+ }
--- /dev/null
+From cd20d59291d1790dc74248476e928f57fc455189 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:19 +0200
+Subject: ipack: ipoctal: fix tty-registration error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cd20d59291d1790dc74248476e928f57fc455189 upstream.
+
+Registration of the ipoctal tty devices is unlikely to fail, but if it
+ever does, make sure not to deregister a never registered tty device
+(and dereference a NULL pointer) when the driver is later unbound.
+
+Fixes: 2afb41d9d30d ("Staging: ipack/devices/ipoctal: Check tty_register_device return value.")
+Cc: stable@vger.kernel.org # 3.7
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -35,6 +35,7 @@ struct ipoctal_channel {
+ unsigned int pointer_read;
+ unsigned int pointer_write;
+ struct tty_port tty_port;
++ bool tty_registered;
+ union scc2698_channel __iomem *regs;
+ union scc2698_block __iomem *block_regs;
+ unsigned int board_id;
+@@ -399,9 +400,11 @@ static int ipoctal_inst_slot(struct ipoc
+ i, NULL, channel, NULL);
+ if (IS_ERR(tty_dev)) {
+ dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n");
++ tty_port_free_xmit_buf(&channel->tty_port);
+ tty_port_destroy(&channel->tty_port);
+ continue;
+ }
++ channel->tty_registered = true;
+ }
+
+ /*
+@@ -702,6 +705,10 @@ static void __ipoctal_remove(struct ipoc
+
+ for (i = 0; i < NR_CHANNELS; i++) {
+ struct ipoctal_channel *channel = &ipoctal->channel[i];
++
++ if (!channel->tty_registered)
++ continue;
++
+ tty_unregister_device(ipoctal->tty_drv, i);
+ tty_port_free_xmit_buf(&channel->tty_port);
+ tty_port_destroy(&channel->tty_port);
--- /dev/null
+From 65c001df517a7bf9be8621b53d43c89f426ce8d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:46:18 +0200
+Subject: ipack: ipoctal: fix tty registration race
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 65c001df517a7bf9be8621b53d43c89f426ce8d6 upstream.
+
+Make sure to set the tty class-device driver data before registering the
+tty to avoid having a racing open() dereference a NULL pointer.
+
+Fixes: 9c1d784afc6f ("Staging: ipack/devices/ipoctal: Get rid of ipoctal_list.")
+Cc: stable@vger.kernel.org # 3.7
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917114622.5412-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/devices/ipoctal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ipack/devices/ipoctal.c
++++ b/drivers/ipack/devices/ipoctal.c
+@@ -395,13 +395,13 @@ static int ipoctal_inst_slot(struct ipoc
+ spin_lock_init(&channel->lock);
+ channel->pointer_read = 0;
+ channel->pointer_write = 0;
+- tty_dev = tty_port_register_device(&channel->tty_port, tty, i, NULL);
++ tty_dev = tty_port_register_device_attr(&channel->tty_port, tty,
++ i, NULL, channel, NULL);
+ if (IS_ERR(tty_dev)) {
+ dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n");
+ tty_port_destroy(&channel->tty_port);
+ continue;
+ }
+- dev_set_drvdata(tty_dev, channel);
+ }
+
+ /*
--- /dev/null
+From 31096c3e8b1163c6e966bf4d1f36d8b699008f84 Mon Sep 17 00:00:00 2001
+From: Leon Yu <leoyu@nvidia.com>
+Date: Fri, 22 May 2020 23:29:43 +0800
+Subject: net: stmmac: don't attach interface until resume finishes
+
+From: Leon Yu <leoyu@nvidia.com>
+
+commit 31096c3e8b1163c6e966bf4d1f36d8b699008f84 upstream.
+
+Commit 14b41a2959fb ("net: stmmac: Delete txtimer in suspend") was the
+first attempt to fix a race between mod_timer() and setup_timer()
+during stmmac_resume(). However the issue still exists as the commit
+only addressed half of the issue.
+
+Same race can still happen as stmmac_resume() re-attaches interface
+way too early - even before hardware is fully initialized. Worse,
+doing so allows network traffic to restart and stmmac_tx_timer_arm()
+being called in the middle of stmmac_resume(), which re-init tx timers
+in stmmac_init_coalesce(). timer_list will be corrupted and system
+crashes as a result of race between mod_timer() and setup_timer().
+
+ systemd--1995 2.... 552950018us : stmmac_suspend: 4994
+ ksoftirq-9 0..s2 553123133us : stmmac_tx_timer_arm: 2276
+ systemd--1995 0.... 553127896us : stmmac_resume: 5101
+ systemd--320 7...2 553132752us : stmmac_tx_timer_arm: 2276
+ (sd-exec-1999 5...2 553135204us : stmmac_tx_timer_arm: 2276
+ ---------------------------------
+ pc : run_timer_softirq+0x468/0x5e0
+ lr : run_timer_softirq+0x570/0x5e0
+ Call trace:
+ run_timer_softirq+0x468/0x5e0
+ __do_softirq+0x124/0x398
+ irq_exit+0xd8/0xe0
+ __handle_domain_irq+0x6c/0xc0
+ gic_handle_irq+0x60/0xb0
+ el1_irq+0xb8/0x180
+ arch_cpu_idle+0x38/0x230
+ default_idle_call+0x24/0x3c
+ do_idle+0x1e0/0x2b8
+ cpu_startup_entry+0x28/0x48
+ secondary_start_kernel+0x1b4/0x208
+
+Fix this by deferring netif_device_attach() to the end of
+stmmac_resume().
+
+Signed-off-by: Leon Yu <leoyu@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Macpaul Lin <macpaul.lin@mediatek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -4855,8 +4855,6 @@ int stmmac_resume(struct device *dev)
+ stmmac_mdio_reset(priv->mii);
+ }
+
+- netif_device_attach(ndev);
+-
+ mutex_lock(&priv->lock);
+
+ stmmac_reset_queues_param(priv);
+@@ -4880,6 +4878,8 @@ int stmmac_resume(struct device *dev)
+
+ phylink_mac_change(priv->phylink, true);
+
++ netif_device_attach(ndev);
++
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(stmmac_resume);
--- /dev/null
+From a9f5970767d11eadc805d5283f202612c7ba1f59 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 27 Sep 2021 17:29:24 -0700
+Subject: net: udp: annotate data race around udp_sk(sk)->corkflag
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream.
+
+up->corkflag field can be read or written without any lock.
+Annotate accesses to avoid possible syzbot/KCSAN reports.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 10 +++++-----
+ net/ipv6/udp.c | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -981,7 +981,7 @@ int udp_sendmsg(struct sock *sk, struct
+ __be16 dport;
+ u8 tos;
+ int err, is_udplite = IS_UDPLITE(sk);
+- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
+ int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
+ struct sk_buff *skb;
+ struct ip_options_data opt_copy;
+@@ -1289,7 +1289,7 @@ int udp_sendpage(struct sock *sk, struct
+ }
+
+ up->len += size;
+- if (!(up->corkflag || (flags&MSG_MORE)))
++ if (!(READ_ONCE(up->corkflag) || (flags&MSG_MORE)))
+ ret = udp_push_pending_frames(sk);
+ if (!ret)
+ ret = size;
+@@ -2551,9 +2551,9 @@ int udp_lib_setsockopt(struct sock *sk,
+ switch (optname) {
+ case UDP_CORK:
+ if (val != 0) {
+- up->corkflag = 1;
++ WRITE_ONCE(up->corkflag, 1);
+ } else {
+- up->corkflag = 0;
++ WRITE_ONCE(up->corkflag, 0);
+ lock_sock(sk);
+ push_pending_frames(sk);
+ release_sock(sk);
+@@ -2676,7 +2676,7 @@ int udp_lib_getsockopt(struct sock *sk,
+
+ switch (optname) {
+ case UDP_CORK:
+- val = up->corkflag;
++ val = READ_ONCE(up->corkflag);
+ break;
+
+ case UDP_ENCAP:
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1231,7 +1231,7 @@ int udpv6_sendmsg(struct sock *sk, struc
+ int addr_len = msg->msg_namelen;
+ bool connected = false;
+ int ulen = len;
+- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
+ int err;
+ int is_udplite = IS_UDPLITE(sk);
+ int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
net-sched-flower-protect-fl_walk-with-rcu.patch
af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch
perf-x86-intel-update-event-constraints-for-icx.patch
+elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch
+debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch
+ipack-ipoctal-fix-stack-information-leak.patch
+ipack-ipoctal-fix-tty-registration-race.patch
+ipack-ipoctal-fix-tty-registration-error-handling.patch
+ipack-ipoctal-fix-missing-allocation-failure-check.patch
+ipack-ipoctal-fix-module-reference-leak.patch
+ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch
+ext4-fix-reserved-space-counter-leakage.patch
+ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch
+hid-u2fzero-ignore-incomplete-packets-without-data.patch
+net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch
+net-stmmac-don-t-attach-interface-until-resume-finishes.patch