From: Greg Kroah-Hartman Date: Fri, 29 Oct 2021 08:15:02 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.291~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f81b63a85330a8b674cfd0fee1058d5b25cd2e5c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch nfc-port100-fix-using-errno-as-command-type-mask.patch pinctrl-amd-disable-and-mask-interrupts-on-probe.patch revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch tipc-fix-size-validations-for-the-msg_crypto-type.patch usbnet-fix-error-return-code-in-usbnet_probe.patch usbnet-sanity-check-for-maxpacket.patch
---
diff --git a/queue-5.14/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch b/queue-5.14/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
new file mode 100644
index 00000000000..bead79f01e5
--- /dev/null
+++ b/queue-5.14/ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
@@ -0,0 +1,38 @@
+From a0023bb9dd9bc439d44604eeec62426a990054cd Mon Sep 17 00:00:00 2001
+From: Zheyu Ma
+Date: Fri, 22 Oct 2021 09:12:26 +0000
+Subject: ata: sata_mv: Fix the error handling of mv_chip_id()
+
+From: Zheyu Ma
+
+commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream.
+
+mv_init_host() propagates the value returned by mv_chip_id() which in turn
+gets propagated by mv_pci_init_one() and hits local_pci_probe().
+
+During the process of driver probing, the probe function should return < 0
+for failure, otherwise, the kernel will treat value > 0 as success.
+
+Since this is a bug rather than a recoverable runtime error we should
+use dev_alert() instead of dev_err().
+
+Signed-off-by: Zheyu Ma
+Signed-off-by: Damien Le Moal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/sata_mv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -3896,8 +3896,8 @@ static int mv_chip_id(struct ata_host *h
+ break;
+
+ default:
+- dev_err(host->dev, "BUG: invalid board index %u\n", board_idx);
+- return 1;
++ dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx);
++ return -EINVAL;
+ }
+
+ hpriv->hp_flags = hp_flags;
diff --git a/queue-5.14/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch b/queue-5.14/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
new file mode 100644
index 00000000000..b7a650bbf02
--- /dev/null
+++ b/queue-5.14/net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
@@ -0,0 +1,140 @@
+From da353fac65fede6b8b4cfe207f0d9408e3121105 Mon Sep 17 00:00:00 2001
+From: Daniel Jordan
+Date: Wed, 27 Oct 2021 17:59:20 -0400
+Subject: net/tls: Fix flipped sign in tls_err_abort() calls
+
+From: Daniel Jordan
+
+commit da353fac65fede6b8b4cfe207f0d9408e3121105 upstream.
+
+sk->sk_err appears to expect a positive value, a convention that ktls
+doesn't always follow and that leads to memory corruption in other code.
+For instance,
+
+ [kworker]
+ tls_encrypt_done(..., err=)
+ tls_err_abort(.., err)
+ sk->sk_err = err;
+
+ [task]
+ splice_from_pipe_feed
+ ...
+ tls_sw_do_sendpage
+ if (sk->sk_err) {
+ ret = -sk->sk_err; // ret is positive
+
+ splice_from_pipe_feed (continued)
+ ret = actor(...) // ret is still positive and interpreted as bytes
+ // written, resulting in underflow of buf->len and
+ // sd->len, leading to huge buf->offset and bogus
+ // addresses computed in later calls to actor()
+
+Fix all tls_err_abort() callers to pass a negative error code
+consistently and centralize the error-prone sign flip there, throwing in
+a warning to catch future misuse and uninlining the function so it
+really does only warn once.
+
+Cc: stable@vger.kernel.org
+Fixes: c46234ebb4d1e ("tls: RX path for ktls")
+Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
+Signed-off-by: Daniel Jordan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/tls.h | 9 ++-------
+ net/tls/tls_sw.c | 17 +++++++++++++----
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -358,6 +358,7 @@ int tls_sk_query(struct sock *sk, int op
+ int __user *optlen);
+ int tls_sk_attach(struct sock *sk, int optname, char __user *optval,
+ unsigned int optlen);
++void tls_err_abort(struct sock *sk, int err);
+
+ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx);
+ void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx);
+@@ -466,12 +467,6 @@ static inline bool tls_is_sk_tx_device_o
+ #endif
+ }
+
+-static inline void tls_err_abort(struct sock *sk, int err)
+-{
+- sk->sk_err = err;
+- sk_error_report(sk);
+-}
+-
+ static inline bool tls_bigint_increment(unsigned char *seq, int len)
+ {
+ int i;
+@@ -512,7 +507,7 @@ static inline void tls_advance_record_sn
+ struct cipher_context *ctx)
+ {
+ if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size))
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+
+ if (prot->version != TLS_1_3_VERSION &&
+ prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305)
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -35,6 +35,7 @@
+ * SOFTWARE.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -43,6 +44,14 @@
+ #include
+ #include
+
++noinline void tls_err_abort(struct sock *sk, int err)
++{
++ WARN_ON_ONCE(err >= 0);
++ /* sk->sk_err should contain a positive error code. */
++ sk->sk_err = -err;
++ sk_error_report(sk);
++}
++
+ static int __skb_nsg(struct sk_buff *skb, int offset, int len,
+ unsigned int recursion_level)
+ {
+@@ -419,7 +428,7 @@ int tls_tx_records(struct sock *sk, int
+
+ tx_err:
+ if (rc < 0 && rc != -EAGAIN)
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+
+ return rc;
+ }
+@@ -763,7 +772,7 @@ static int tls_push_record(struct sock *
+ msg_pl->sg.size + prot->tail_size, i);
+ if (rc < 0) {
+ if (rc != -EINPROGRESS) {
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+ if (split) {
+ tls_ctx->pending_open_record_frags = true;
+ tls_merge_open_record(sk, rec, tmp, orig_end);
+@@ -1827,7 +1836,7 @@ int tls_sw_recvmsg(struct sock *sk,
+ err = decrypt_skb_update(sk, skb, &msg->msg_iter,
+ &chunk, &zc, async_capable);
+ if (err < 0 && err != -EINPROGRESS) {
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+ goto recv_end;
+ }
+
+@@ -2007,7 +2016,7 @@ ssize_t tls_sw_splice_read(struct socket
+ }
+
+ if (err < 0) {
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+ goto splice_read_end;
+ }
+ ctx->decrypted = 1;
diff --git a/queue-5.14/nfc-port100-fix-using-errno-as-command-type-mask.patch b/queue-5.14/nfc-port100-fix-using-errno-as-command-type-mask.patch
new file mode 100644
index 00000000000..a5f23a85c86
--- /dev/null
+++ b/queue-5.14/nfc-port100-fix-using-errno-as-command-type-mask.patch
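Review bot: In the new out-of-line tls_err_abort() in net/tls/tls_sw.c, `WARN_ON_ONCE(err >= 0)` reports a caller that passes a positive or zero code, but the next line still stores `-err`, so sk->sk_err ends up negative or zero. That is the same state the commit message describes as turning `ret = -sk->sk_err` into a positive value that is read as a byte count. The misuse could be contained as well as reported, for example `if (WARN_ON_ONCE(err >= 0)) err = -EBADMSG;` ahead of the assignment (the fallback code is a suggestion, not something the patch implies). The prototype added to include/net/tls.h would also benefit from a one-line comment such as `/* err must be a negative errno; it is stored negated in sk->sk_err */`, since the contract now differs from the removed inline version.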
@@ -0,0 +1,43 @@
+From 2195f2062e4cc93870da8e71c318ef98a1c51cef Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Mon, 25 Oct 2021 16:49:36 +0200
+Subject: nfc: port100: fix using -ERRNO as command type mask
+
+From: Krzysztof Kozlowski
+
+commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.
+
+During probing, the driver tries to get a list (mask) of supported
+command types in port100_get_command_type_mask() function. The value
+is u64 and 0 is treated as invalid mask (no commands supported). The
+function however returns also -ERRNO as u64 which will be interpret as
+valid command mask.
+
+Return 0 on every error case of port100_get_command_type_mask(), so the
+probing will stop.
+
+Cc:
+Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/port100.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nfc/port100.c
++++ b/drivers/nfc/port100.c
+@@ -1003,11 +1003,11 @@ static u64 port100_get_command_type_mask
+
+ skb = port100_alloc_skb(dev, 0);
+ if (!skb)
+- return -ENOMEM;
++ return 0;
+
+ resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb);
+ if (IS_ERR(resp))
+- return PTR_ERR(resp);
++ return 0;
+
+ if (resp->len < 8)
+ mask = 0;
diff --git a/queue-5.14/pinctrl-amd-disable-and-mask-interrupts-on-probe.patch b/queue-5.14/pinctrl-amd-disable-and-mask-interrupts-on-probe.patch
new file mode 100644
index 00000000000..d0f5fe4f3f6
--- /dev/null
+++ b/queue-5.14/pinctrl-amd-disable-and-mask-interrupts-on-probe.patch
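Review bot: The two changed returns in port100_get_command_type_mask() fold an allocation failure and a failed command into the same 0 that a short response already produces, and nothing in the hunk records which case occurred. Because the u64 return type cannot carry an errno, the in-band convention deserves a comment above the function, for example `/* Returns the supported command type mask, or 0 on any failure; callers must treat 0 as an error. */`. A device-level error message at each failing step would keep the cause visible in the log, unless the caller already reports it. The function's signature and the rest of its body lie outside the hunk.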
@@ -0,0 +1,73 @@
+From 4e5a04be88fe335ad5331f4f8c17f4ebd357e065 Mon Sep 17 00:00:00 2001
+From: Sachi King
+Date: Sat, 9 Oct 2021 14:32:40 +1100
+Subject: pinctrl: amd: disable and mask interrupts on probe
+
+From: Sachi King
+
+commit 4e5a04be88fe335ad5331f4f8c17f4ebd357e065 upstream.
+
+Some systems such as the Microsoft Surface Laptop 4 leave interrupts
+enabled and configured for use in sleep states on boot, which cause
+unexpected behaviour such as spurious wakes and failed resumes in
+s2idle states.
+
+As interrupts should not be enabled until they are claimed and
+explicitly enabled, disabling any interrupts mistakenly left enabled by
+firmware should be safe.
+
+Signed-off-by: Sachi King
+Link: https://lore.kernel.org/r/20211009033240.21543-1-nakato@nakato.io
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-amd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -832,6 +832,34 @@ static const struct pinconf_ops amd_pinc
+ .pin_config_group_set = amd_pinconf_group_set,
+ };
+
++static void amd_gpio_irq_init(struct amd_gpio *gpio_dev)
++{
++ struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
++ unsigned long flags;
++ u32 pin_reg, mask;
++ int i;
++
++ mask = BIT(WAKE_CNTRL_OFF_S0I3) | BIT(WAKE_CNTRL_OFF_S3) |
++ BIT(INTERRUPT_MASK_OFF) | BIT(INTERRUPT_ENABLE_OFF) |
++ BIT(WAKE_CNTRL_OFF_S4);
++
++ for (i = 0; i < desc->npins; i++) {
++ int pin = desc->pins[i].number;
++ const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin);
++
++ if (!pd)
++ continue;
++
++ raw_spin_lock_irqsave(&gpio_dev->lock, flags);
++
++ pin_reg = readl(gpio_dev->base + i * 4);
++ pin_reg &= ~mask;
++ writel(pin_reg, gpio_dev->base + i * 4);
++
++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
++ }
++}
++
+ #ifdef CONFIG_PM_SLEEP
+ static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin)
+ {
+@@ -969,6 +997,9 @@ static int amd_gpio_probe(struct platfor
+ return PTR_ERR(gpio_dev->pctrl);
+ }
+
++ /* Disable and mask interrupts */
++ amd_gpio_irq_init(gpio_dev);
++
+ girq = &gpio_dev->gc.irq;
+ girq->chip = &amd_gpio_irqchip;
+ /* This will let us handle the parent IRQ in the driver */
diff --git a/queue-5.14/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch b/queue-5.14/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
new file mode 100644
index 00000000000..6b404fee93f
--- /dev/null
+++ b/queue-5.14/revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
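Review bot: In amd_gpio_irq_init() the loop validates the pin with `pin = desc->pins[i].number` and `pin_desc_get(gpio_dev->pctrl, pin)`, but then reads and writes the register at `gpio_dev->base + i * 4`, i.e. by array index rather than by pin number. If the pin table is not numbered contiguously from 0 (the table is not visible in this hunk), the wake and interrupt bits are cleared in a different pin's register than the one that was checked, and a pin that firmware left armed can be missed. Using the pin number for the offset keeps lookup and access consistent: `pin_reg = readl(gpio_dev->base + pin * 4);` and `writel(pin_reg, gpio_dev->base + pin * 4);`.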
@@ -0,0 +1,44 @@
+From 10eff1f5788b6ffac212c254e2f3666219576889 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Thu, 30 Sep 2021 20:49:42 +0300
+Subject: Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
+
+From: Pavel Skripkin
+
+commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.
+
+This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.
+
+This patch is correct in the sense that we _should_ call device_put() in
+case of device_register() failure, but the problem in this code is more
+vast.
+
+We need to set bus->state to UNMDIOBUS_REGISTERED before calling
+device_register() to correctly release the device in mdiobus_free().
+This patch prevents us from doing it, since in case of device_register()
+failure put_device() will be called 2 times and it will cause UAF or
+something else.
+
+Also, Reported-by: tag in revered commit was wrong, since syzbot
+reported different leak in same function.
+
+Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
+Acked-by: Yanfei Xu
+Signed-off-by: Pavel Skripkin
+Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/mdio_bus.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -548,7 +548,6 @@ int __mdiobus_register(struct mii_bus *b
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
+- put_device(&bus->dev);
+ return -EINVAL;
+ }
+
diff --git a/queue-5.14/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch b/queue-5.14/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch
new file mode 100644
index 00000000000..2e1ce549ed5
--- /dev/null
+++ b/queue-5.14/revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch
@@ -0,0 +1,110 @@
+From 6dba4bdfd7a30e77b848a45404b224588bf989e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?=
+Date: Fri, 8 Oct 2021 22:59:38 +0200
+Subject: Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+commit 6dba4bdfd7a30e77b848a45404b224588bf989e5 upstream.
+
+This reverts commit a49d784d5a8272d0f63c448fe8dc69e589db006e.
+
+The updated binding was wrong / invalid and has been reverted. There
+isn't any upstream kernel DTS using it and Broadcom isn't known to use
+it neither. There is close to zero chance this will cause regression for
+anyone.
+
+Actually in-kernel bcm5301x.dtsi still uses the old good binding and so
+it's broken since the driver update. This revert fixes it.
+
+Signed-off-by: Rafał Miłecki
+Link: https://lore.kernel.org/r/20211008205938.29925-3-zajec5@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/bcm/pinctrl-ns.c | 29 ++++++++++-------------------
+ 1 file changed, 10 insertions(+), 19 deletions(-)
+
+--- a/drivers/pinctrl/bcm/pinctrl-ns.c
++++ b/drivers/pinctrl/bcm/pinctrl-ns.c
+@@ -5,7 +5,6 @@
+
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -13,7 +12,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+
+ #define FLAG_BCM4708 BIT(1)
+@@ -24,8 +22,7 @@ struct ns_pinctrl {
+ struct device *dev;
+ unsigned int chipset_flag;
+ struct pinctrl_dev *pctldev;
+- struct regmap *regmap;
+- u32 offset;
++ void __iomem *base;
+
+ struct pinctrl_desc pctldesc;
+ struct ns_pinctrl_group *groups;
+@@ -232,9 +229,9 @@ static int ns_pinctrl_set_mux(struct pin
+ unset |= BIT(pin_number);
+ }
+
+- regmap_read(ns_pinctrl->regmap, ns_pinctrl->offset, &tmp);
++ tmp = readl(ns_pinctrl->base);
+ tmp &= ~unset;
+- regmap_write(ns_pinctrl->regmap, ns_pinctrl->offset, tmp);
++ writel(tmp, ns_pinctrl->base);
+
+ return 0;
+ }
+@@ -266,13 +263,13 @@ static const struct of_device_id ns_pinc
+ static int ns_pinctrl_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- struct device_node *np = dev->of_node;
+ const struct of_device_id *of_id;
+ struct ns_pinctrl *ns_pinctrl;
+ struct pinctrl_desc *pctldesc;
+ struct pinctrl_pin_desc *pin;
+ struct ns_pinctrl_group *group;
+ struct ns_pinctrl_function *function;
++ struct resource *res;
+ int i;
+
+ ns_pinctrl = devm_kzalloc(dev, sizeof(*ns_pinctrl), GFP_KERNEL);
+@@ -290,18 +287,12 @@ static int ns_pinctrl_probe(struct platf
+ return -EINVAL;
+ ns_pinctrl->chipset_flag = (uintptr_t)of_id->data;
+
+- ns_pinctrl->regmap = syscon_node_to_regmap(of_get_parent(np));
+- if (IS_ERR(ns_pinctrl->regmap)) {
+- int err = PTR_ERR(ns_pinctrl->regmap);
+-
+- dev_err(dev, "Failed to map pinctrl regs: %d\n", err);
+-
+- return err;
+- }
+-
+- if (of_property_read_u32(np, "offset", &ns_pinctrl->offset)) {
+- dev_err(dev, "Failed to get register offset\n");
+- return -ENOENT;
++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
++ "cru_gpio_control");
++ ns_pinctrl->base = devm_ioremap_resource(dev, res);
++ if (IS_ERR(ns_pinctrl->base)) {
++ dev_err(dev, "Failed to map pinctrl regs\n");
++ return PTR_ERR(ns_pinctrl->base);
+ }
+
+ memcpy(pctldesc, &ns_pinctrl_desc, sizeof(*pctldesc));
diff --git a/queue-5.14/series b/queue-5.14/series
index 4c074cd49fc..29438639367 100644
--- a/queue-5.14/series
+++ b/queue-5.14/series
@@ -5,3 +5,12 @@ arm-9138-1-fix-link-warning-with-xip-frame-pointer.patch
 arm-9139-1-kprobes-fix-arch_init_kprobes-prototype.patch
 arm-9141-1-only-warn-about-xip-address-when-not-compile-testing.patch
 arm-9148-1-handle-config_cpu_endian_be32-in-arch-arm-kernel-head.s.patch
+usbnet-sanity-check-for-maxpacket.patch
+usbnet-fix-error-return-code-in-usbnet_probe.patch
+revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch
+pinctrl-amd-disable-and-mask-interrupts-on-probe.patch
+ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
+tipc-fix-size-validations-for-the-msg_crypto-type.patch
+nfc-port100-fix-using-errno-as-command-type-mask.patch
+revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
+net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
diff --git a/queue-5.14/tipc-fix-size-validations-for-the-msg_crypto-type.patch b/queue-5.14/tipc-fix-size-validations-for-the-msg_crypto-type.patch
new file mode 100644
index 00000000000..44afa44f2c3
--- /dev/null
+++ b/queue-5.14/tipc-fix-size-validations-for-the-msg_crypto-type.patch
@@ -0,0 +1,93 @@
+From fa40d9734a57bcbfa79a280189799f76c88f7bb0 Mon Sep 17 00:00:00 2001
+From: Max VA
+Date: Mon, 25 Oct 2021 17:31:53 +0200
+Subject: tipc: fix size validations for the MSG_CRYPTO type
+
+From: Max VA
+
+commit fa40d9734a57bcbfa79a280189799f76c88f7bb0 upstream.
+
+The function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages
+to receive keys from other nodes in the cluster in order to decrypt any
+further messages from them.
+This patch verifies that any supplied sizes in the message body are
+valid for the received message.
+
+Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange")
+Signed-off-by: Max VA
+Acked-by: Ying Xue
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/crypto.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -2285,43 +2285,53 @@ static bool tipc_crypto_key_rcv(struct t
+ u16 key_gen = msg_key_gen(hdr);
+ u16 size = msg_data_sz(hdr);
+ u8 *data = msg_data(hdr);
++ unsigned int keylen;
++
++ /* Verify whether the size can exist in the packet */
++ if (unlikely(size < sizeof(struct tipc_aead_key) + TIPC_AEAD_KEYLEN_MIN)) {
++ pr_debug("%s: message data size is too small\n", rx->name);
++ goto exit;
++ }
++
++ keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
++
++ /* Verify the supplied size values */
++ if (unlikely(size != keylen + sizeof(struct tipc_aead_key) ||
++ keylen > TIPC_AEAD_KEY_SIZE_MAX)) {
++ pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name);
++ goto exit;
++ }
+
+ spin_lock(&rx->lock);
+ if (unlikely(rx->skey || (key_gen == rx->key_gen && rx->key.keys))) {
+ pr_err("%s: key existed <%p>, gen %d vs %d\n", rx->name,
+ rx->skey, key_gen, rx->key_gen);
+- goto exit;
++ goto exit_unlock;
+ }
+
+ /* Allocate memory for the key */
+ skey = kmalloc(size, GFP_ATOMIC);
+ if (unlikely(!skey)) {
+ pr_err("%s: unable to allocate memory for skey\n", rx->name);
+- goto exit;
++ goto exit_unlock;
+ }
+
+ /* Copy key from msg data */
+- skey->keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
++ skey->keylen = keylen;
+ memcpy(skey->alg_name, data, TIPC_AEAD_ALG_NAME);
+ memcpy(skey->key, data + TIPC_AEAD_ALG_NAME + sizeof(__be32),
+ skey->keylen);
+
+- /* Sanity check */
+- if (unlikely(size != tipc_aead_key_size(skey))) {
+- kfree(skey);
+- skey = NULL;
+- goto exit;
+- }
+-
+ rx->key_gen = key_gen;
+ rx->skey_mode = msg_key_mode(hdr);
+ rx->skey = skey;
+ rx->nokey = 0;
+ mb(); /* for nokey flag */
+
+-exit:
++exit_unlock:
+ spin_unlock(&rx->lock);
+
++exit:
+ /* Schedule the key attaching on this crypto */
+ if (likely(skey && queue_delayed_work(tx->wq, &rx->work, 0)))
+ return true;
diff --git a/queue-5.14/usbnet-fix-error-return-code-in-usbnet_probe.patch b/queue-5.14/usbnet-fix-error-return-code-in-usbnet_probe.patch
new file mode 100644
index 00000000000..340b302bb95
--- /dev/null
+++ b/queue-5.14/usbnet-fix-error-return-code-in-usbnet_probe.patch
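Review bot: The two new rejection paths in tipc_crypto_key_rcv() report through `pr_debug()`, which is normally compiled out or disabled, so a peer that sends MSG_CRYPTO messages with inconsistent size fields is dropped without leaving a trace, while the existing failures further down use `pr_err()`. For detection it would help to make these visible but bounded, for example `pr_warn_ratelimited("%s: invalid MSG_CRYPTO key size\n", rx->name);`, rate-limited because the trigger is peer-controlled. The early `goto exit` also reaches the `skey &&` test at the bottom without passing through the allocation, so it relies on `skey` being initialised to NULL at its declaration, which is above this hunk and worth confirming. A short comment on the `exit` label saying it must be reachable without rx->lock held would protect the new label ordering from later edits.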
@@ -0,0 +1,32 @@
+From 6f7c88691191e6c52ef2543d6f1da8d360b27a24 Mon Sep 17 00:00:00 2001
+From: Wang Hai
+Date: Tue, 26 Oct 2021 20:40:15 +0800
+Subject: usbnet: fix error return code in usbnet_probe()
+
+From: Wang Hai
+
+commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.
+
+Return error code if usb_maxpacket() returns 0 in usbnet_probe()
+
+Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Reviewed-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1790,6 +1790,7 @@ usbnet_probe (struct usb_interface *udev
+ dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
+ if (dev->maxpacket == 0) {
+ /* that is a broken device */
++ status = -ENODEV;
+ goto out4;
+ }
+
diff --git a/queue-5.14/usbnet-sanity-check-for-maxpacket.patch b/queue-5.14/usbnet-sanity-check-for-maxpacket.patch
new file mode 100644
index 00000000000..4a4f6a4bdc9
--- /dev/null
+++ b/queue-5.14/usbnet-sanity-check-for-maxpacket.patch
@@ -0,0 +1,37 @@
+From 397430b50a363d8b7bdda00522123f82df6adc5e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 21 Oct 2021 14:29:44 +0200
+Subject: usbnet: sanity check for maxpacket
+
+From: Oliver Neukum
+
+commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.
+
+maxpacket of 0 makes no sense and oopses as we need to divide
+by it. Give up.
+
+V2: fixed typo in log and stylistic issues
+
+Signed-off-by: Oliver Neukum
+Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
+Reviewed-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1788,6 +1788,10 @@ usbnet_probe (struct usb_interface *udev
+ if (!dev->rx_urb_size)
+ dev->rx_urb_size = dev->hard_mtu;
+ dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
++ if (dev->maxpacket == 0) {
++ /* that is a broken device */
++ goto out4;
++ }
+
+ /* let userspace know we have a random address */
+ if (ether_addr_equal(net->dev_addr, node_id))