Merge 5.10.112 into android12-5.10-lts

Changes in 5.10.112
	drm/amdkfd: Use drm_priv to pass VM from KFD to amdgpu
	hamradio: defer 6pack kfree after unregister_netdev
	hamradio: remove needs_free_netdev to avoid UAF
	cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
	ACPI: processor idle: Check for architectural support for LPI
	btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
	drm/msm: Add missing put_task_struct() in debugfs path
	memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
	firmware: arm_scmi: Fix sorting of retrieved clock rates
	media: rockchip/rga: do proper error checking in probe
	SUNRPC: Fix the svc_deferred_event trace class
	net/sched: flower: fix parsing of ethertype following VLAN header
	veth: Ensure eth header is in skb's linear part
	gpiolib: acpi: use correct format characters
	net: mdio: Alphabetically sort header inclusion
	mlxsw: i2c: Fix initialization error flow
	net/sched: fix initialization order when updating chain 0 head
	net: dsa: felix: suppress -EPROBE_DEFER errors
	net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
	net/sched: taprio: Check if socket flags are valid
	cfg80211: hold bss_lock while updating nontrans_list
	drm/msm: Fix range size vs end confusion
	drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
	net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
	scsi: pm80xx: Mask and unmask upper interrupt vectors 32-63
	scsi: pm80xx: Enable upper inbound, outbound queues
	scsi: iscsi: Stop queueing during ep_disconnect
	scsi: iscsi: Force immediate failure during shutdown
	scsi: iscsi: Use system_unbound_wq for destroy_work
	scsi: iscsi: Rel ref after iscsi_lookup_endpoint()
	scsi: iscsi: Fix in-kernel conn failure handling
	scsi: iscsi: Move iscsi_ep_disconnect()
	scsi: iscsi: Fix offload conn cleanup when iscsid restarts
	scsi: iscsi: Fix conn cleanup and stop race during iscsid restart
	sctp: Initialize daddr on peeled off socket
	testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
	perf tools: Fix misleading add event PMU debug message
	nfc: nci: add flush_workqueue to prevent uaf
	cifs: potential buffer overflow in handling symlinks
	dm mpath: only use ktime_get_ns() in historical selector
	net: bcmgenet: Revert "Use stronger register read/writes to assure ordering"
	drm/amd: Add USBC connector ID
	btrfs: fix fallocate to use file_modified to update permissions consistently
	btrfs: do not warn for free space inode in cow_file_range
	drm/amd/display: fix audio format not updated after edid updated
	drm/amd/display: FEC check in timing validation
	drm/amd/display: Update VTEM Infopacket definition
	drm/amdkfd: Fix Incorrect VMIDs passed to HWS
	drm/amdgpu/vcn: improve vcn dpg stop procedure
	drm/amdkfd: Check for potential null return of kmalloc_array()
	Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
	scsi: target: tcmu: Fix possible page UAF
	scsi: lpfc: Fix queue failures when recovering from PCI parity error
	scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
	net: micrel: fix KS8851_MLL Kconfig
	ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
	gpu: ipu-v3: Fix dev_dbg frequency output
	regulator: wm8994: Add an off-on delay for WM8994 variant
	arm64: alternatives: mark patch_alternative() as `noinstr`
	tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
	net: axienet: setup mdio unconditionally
	net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
	myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
	drm/amd/display: Revert FEC check in validation
	drm/amd/display: Fix allocate_mst_payload assert on resume
	scsi: mvsas: Add PCI ID of RocketRaid 2640
	scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
	drivers: net: slip: fix NPD bug in sl_tx_timeout()
	perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant
	mm, page_alloc: fix build_zonerefs_node()
	mm: fix unexpected zeroed page mapping with zram swap
	mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
	KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded
	memory: renesas-rpc-if: fix platform-device leak in error path
	gcc-plugins: latent_entropy: use /dev/urandom
	ath9k: Properly clear TX status area before reporting to mac80211
	ath9k: Fix usage of driver-private space in tx_info
	btrfs: fix root ref counts in error handling in btrfs_get_root_ref
	btrfs: mark resumed async balance as writing
	ALSA: hda/realtek: Add quirk for Clevo PD50PNT
	ALSA: hda/realtek: add quirk for Lenovo Thinkpad X12 speakers
	ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
	nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size
	ipv6: fix panic when forwarding a pkt with no in6 dev
	drm/amd/display: don't ignore alpha property on pre-multiplied mode
	drm/amdgpu: Enable gfxoff quirk on MacBook Pro
	genirq/affinity: Consider that CPUs on nodes can be unbalanced
	tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
	ARM: davinci: da850-evm: Avoid NULL pointer dereference
	dm integrity: fix memory corruption when tag_size is less than digest size
	smp: Fix offline cpu check in flush_smp_call_function_queue()
	i2c: pasemi: Wait for write xfers to finish
	timers: Fix warning condition in __run_timers()
	dma-direct: avoid redundant memory sync for swiotlb
	scsi: iscsi: Fix endpoint reuse regression
	scsi: iscsi: Fix unbound endpoint error handling
	ax25: add refcount in ax25_dev to avoid UAF bugs
	ax25: fix reference count leaks of ax25_dev
	ax25: fix UAF bugs of net_device caused by rebinding operation
	ax25: Fix refcount leaks caused by ax25_cb_del()
	ax25: fix UAF bug in ax25_send_control()
	ax25: fix NPD bug in ax25_disconnect
	ax25: Fix NULL pointer dereferences in ax25 timers
	ax25: Fix UAF bugs in ax25 timers
	Linux 5.10.112

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9ce7b432f335445dbfb4a67a34a8a1c279011954

scripts/gcc-plugins/latent_entropy_plugin.c

@@ -86,25 +86,31 @@ static struct plugin_info latent_entropy_plugin_info = {
 	.help		= "disable\tturn off latent entropy instrumentation\n",
 };
 
-static unsigned HOST_WIDE_INT seed;
-/*
- * get_random_seed() (this is a GCC function) generates the seed.
- * This is a simple random generator without any cryptographic security because
- * the entropy doesn't come from here.
- */
+static unsigned HOST_WIDE_INT deterministic_seed;
+static unsigned HOST_WIDE_INT rnd_buf[32];
+static size_t rnd_idx = ARRAY_SIZE(rnd_buf);
+static int urandom_fd = -1;
+
 static unsigned HOST_WIDE_INT get_random_const(void)
 {
-	unsigned int i;
-	unsigned HOST_WIDE_INT ret = 0;
-
-	for (i = 0; i < 8 * sizeof(ret); i++) {
-		ret = (ret << 1) | (seed & 1);
-		seed >>= 1;
-		if (ret & 1)
-			seed ^= 0xD800000000000000ULL;
+	if (deterministic_seed) {
+		unsigned HOST_WIDE_INT w = deterministic_seed;
+		w ^= w << 13;
+		w ^= w >> 7;
+		w ^= w << 17;
+		deterministic_seed = w;
+		return deterministic_seed;
 	}
 
-	return ret;
+	if (urandom_fd < 0) {
+		urandom_fd = open("/dev/urandom", O_RDONLY);
+		gcc_assert(urandom_fd >= 0);
+	}
+	if (rnd_idx >= ARRAY_SIZE(rnd_buf)) {
+		gcc_assert(read(urandom_fd, rnd_buf, sizeof(rnd_buf)) == sizeof(rnd_buf));
+		rnd_idx = 0;
+	}
+	return rnd_buf[rnd_idx++];
 }
 
 static tree tree_get_random_const(tree type)
@@ -549,8 +555,6 @@ static void latent_entropy_start_unit(void *gcc_data __unused,
 	tree type, id;
 	int quals;
 
-	seed = get_random_seed(false);
-
 	if (in_lto_p)
 		return;
 
@@ -585,6 +589,12 @@ __visible int plugin_init(struct plugin_name_args *plugin_info,
 	const struct plugin_argument * const argv = plugin_info->argv;
 	int i;
 
+	/*
+	 * Call get_random_seed() with noinit=true, so that this returns
+	 * 0 in the case where no seed has been passed via -frandom-seed.
+	 */
+	deterministic_seed = get_random_seed(true);
+
 	static const struct ggc_root_tab gt_ggc_r_gt_latent_entropy[] = {
 		{
 			.base = &latent_entropy_decl,