authorSalvatore Bonaccorso <carnil@debian.org>2021-07-27 18:45:41 +0000
committerSalvatore Bonaccorso <carnil@debian.org>2021-07-27 18:45:41 +0000
commita6dde89efb96e7aec62ac560b94f440b3f32ddeb (patch)
treefba8e596f2ab36353610040969281b242b09262a
parentfab0761f647d09a7c28ee984c667d010dc51e5bb (diff)
parent996c999d539b7d7b202ba0bf2d83c9b0aa60c41c (diff)
Merge branch 'bullseye-bugfixes-before-d-i-rc3' into 'sid'
Add bugfixes targeting bullseye before d-i RC3 release. See merge request kernel-team/linux!379
-rw-r--r--debian/changelog17
-rw-r--r--debian/installer/modules/armhf-armmp/nic-modules1
-rw-r--r--debian/patches/bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch58
-rw-r--r--debian/patches/bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch44
-rw-r--r--debian/patches/bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch44
-rw-r--r--debian/patches/bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch83
-rw-r--r--debian/patches/bugfix/all/sctp-add-size-validation-when-walking-chunks.patch41
-rw-r--r--debian/patches/bugfix/all/sctp-validate-from_addr_param-return.patch239
-rw-r--r--debian/patches/bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch62
-rw-r--r--debian/patches/series7
10 files changed, 596 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 2a5164ddbc4f..7ef4af9d2f32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+linux (5.10.46-3) UNRELEASED; urgency=medium
+
+ * [armhf] Add mdio-aspeed to nic-modules.
+ Thanks to Joel Stanley <joel@jms.id.au> (Closes: #991262)
+ * Revert "drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue."
+ (Closes: #990312)
+ * Revert "drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full
+ doorbell." (Closes: #990312)
+ * Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
+ (CVE-2021-3612)
+ * sctp: validate from_addr_param return (CVE-2021-3655)
+ * sctp: add size validation when walking chunks (CVE-2021-3655)
+ * [s390x] sclp_vt220: fix console name to match device (Closes: #961056)
+ * block: return the correct bvec when checking for gaps
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 25 Jul 2021 10:18:06 +0200
+
linux (5.10.46-2) unstable; urgency=medium
* swiotlb: manipulate orig_addr when tlb_addr has offset (Closes: #989778)
diff --git a/debian/installer/modules/armhf-armmp/nic-modules b/debian/installer/modules/armhf-armmp/nic-modules
index ed8489e87722..2f94f2d83167 100644
--- a/debian/installer/modules/armhf-armmp/nic-modules
+++ b/debian/installer/modules/armhf-armmp/nic-modules
@@ -11,3 +11,4 @@ sun4i-emac
xgmac
ti_cpsw
davinci_mdio
+mdio-aspeed
diff --git a/debian/patches/bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch b/debian/patches/bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch
new file mode 100644
index 000000000000..f290f052d457
--- /dev/null
+++ b/debian/patches/bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch
@@ -0,0 +1,58 @@
+From: Alexander Larkin <avlarkin82@gmail.com>
+Date: Sun, 4 Jul 2021 22:39:36 -0700
+Subject: Input: joydev - prevent use of not validated data in JSIOCSBTNMAP
+ ioctl
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=b4c35e9e8061b2386da1aa0d708e991204e76c45
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3612
+
+commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.
+
+Even though we validate user-provided inputs we then traverse past
+validated data when applying the new map. The issue was originally
+discovered by Murray McAllister with this simple POC (if the following
+is executed by an unprivileged user it will instantly panic the system):
+
+int main(void) {
+ int fd, ret;
+ unsigned int buffer[10000];
+
+ fd = open("/dev/input/js0", O_RDONLY);
+ if (fd == -1)
+ printf("Error opening file\n");
+
+ ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
+ printf("%d\n", ret);
+}
+
+The solution is to traverse internal buffer which is guaranteed to only
+contain valid date when constructing the map.
+
+Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
+Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
+Reported-by: Murray McAllister <murray.mcallister@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
+Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joydev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
+index 430dc6975004..675fcd0952a2 100644
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -500,7 +500,7 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
+ memcpy(joydev->keypam, keypam, len);
+
+ for (i = 0; i < joydev->nkey; i++)
+- joydev->keymap[keypam[i] - BTN_MISC] = i;
++ joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
+
+ out:
+ kfree(keypam);
+--
+2.32.0
+
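Review bot: The corrected loop in joydev_handle_JSIOCSBTNMAP would benefit from a comment saying why it indexes `joydev->keypam[i]` and not the user copy, since that one-token difference is the whole fix and is easy to undo in a later cleanup. Going by the commit message, only the copied-in part of `keypam` is validated while the loop runs to `joydev->nkey`, so something like `/* Walk joydev->keypam, not keypam: the user copy is validated only up to len, nkey can be larger. */` above the `for` would record that. The validation loop and the allocation of `keypam` are outside the hunk, so the exact bound it checks should be confirmed there.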
diff --git a/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch
new file mode 100644
index 000000000000..e437826828e2
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch
@@ -0,0 +1,44 @@
+From: Yifan Zhang <yifan1.zhang@amd.com>
+Date: Sat, 19 Jun 2021 11:39:43 +0800
+Subject: Revert "drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to
+ cover full doorbell."
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=fea853aca3210c21dfcf07bb82d501b7fd1900a7
+Bug-Debian: https://bugs.debian.org/990312
+
+commit baacf52a473b24e10322b67757ddb92ab8d86717 upstream.
+
+This reverts commit 1c0b0efd148d5b24c4932ddb3fa03c8edd6097b3.
+
+Reason for revert: Side effect of enlarging CP_MEC_DOORBELL_RANGE may
+cause some APUs fail to enter gfxoff in certain user cases.
+
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+index 3c92dacbc24a..fc8da5fed779 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+@@ -6590,12 +6590,8 @@ static int gfx_v10_0_kiq_init_register(struct amdgpu_ring *ring)
+ if (ring->use_doorbell) {
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
+ (adev->doorbell_index.kiq * 2) << 2);
+- /* If GC has entered CGPG, ringing doorbell > first page doesn't
+- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
+- * this issue.
+- */
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
+- (adev->doorbell.size - 4));
++ (adev->doorbell_index.userqueue_end * 2) << 2);
+ }
+
+ WREG32_SOC15(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
+--
+2.32.0
+
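Review bot: After this revert nothing at the `mmCP_MEC_DOORBELL_RANGE_UPPER` write in gfx_v10_0_kiq_init_register says why the upper bound is `userqueue_end` and not the full doorbell size, and the deleted comment described a CGPG wake-up problem that presumably returns with the revert. A short comment such as `/* Do not cover the whole doorbell range: that kept some APUs from entering gfxoff. */` would keep the next reader from re-applying the reverted change. The same applies to the identical hunk for gfx_v9_0_kiq_init_register in the gfx9 revert patch. Both functions continue outside the hunks shown.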
diff --git a/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch
new file mode 100644
index 000000000000..1ee611c1719a
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch
@@ -0,0 +1,44 @@
+From: Yifan Zhang <yifan1.zhang@amd.com>
+Date: Sat, 19 Jun 2021 11:40:54 +0800
+Subject: Revert "drm/amdgpu/gfx9: fix the doorbell missing when in CGPG
+ issue."
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=1bd81429d53ded4e111616c755a64fad80849354
+Bug-Debian: https://bugs.debian.org/990312
+
+commit ee5468b9f1d3bf48082eed351dace14598e8ca39 upstream.
+
+This reverts commit 4cbbe34807938e6e494e535a68d5ff64edac3f20.
+
+Reason for revert: side effect of enlarging CP_MEC_DOORBELL_RANGE may
+cause some APUs fail to enter gfxoff in certain user cases.
+
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+index 1859d293ef71..fb15e8b5af32 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -3619,12 +3619,8 @@ static int gfx_v9_0_kiq_init_register(struct amdgpu_ring *ring)
+ if (ring->use_doorbell) {
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
+ (adev->doorbell_index.kiq * 2) << 2);
+- /* If GC has entered CGPG, ringing doorbell > first page doesn't
+- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
+- * this issue.
+- */
+ WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
+- (adev->doorbell.size - 4));
++ (adev->doorbell_index.userqueue_end * 2) << 2);
+ }
+
+ WREG32_SOC15_RLC(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch b/debian/patches/bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch
new file mode 100644
index 000000000000..b7763776eefb
--- /dev/null
+++ b/debian/patches/bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch
@@ -0,0 +1,83 @@
+From: Long Li <longli@microsoft.com>
+Date: Mon, 7 Jun 2021 12:34:05 -0700
+Subject: block: return the correct bvec when checking for gaps
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=c98d9318dc99bf8822708dbab3f3ace946df7fe9
+
+commit c9c9762d4d44dcb1b2ba90cfb4122dc11ceebf31 upstream.
+
+After commit 07173c3ec276 ("block: enable multipage bvecs"), a bvec can
+have multiple pages. But bio_will_gap() still assumes one page bvec while
+checking for merging. If the pages in the bvec go across the
+seg_boundary_mask, this check for merging can potentially succeed if only
+the 1st page is tested, and can fail if all the pages are tested.
+
+Later, when SCSI builds the SG list the same check for merging is done in
+__blk_segment_map_sg_merge() with all the pages in the bvec tested. This
+time the check may fail if the pages in bvec go across the
+seg_boundary_mask (but tested okay in bio_will_gap() earlier, so those
+BIOs were merged). If this check fails, we end up with a broken SG list
+for drivers assuming the SG list not having offsets in intermediate pages.
+This results in incorrect pages written to the disk.
+
+Fix this by returning the multi-page bvec when testing gaps for merging.
+
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Cc: Pavel Begunkov <asml.silence@gmail.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Cc: Jeffle Xu <jefflexu@linux.alibaba.com>
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 07173c3ec276 ("block: enable multipage bvecs")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/1623094445-22332-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/bio.h | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/bio.h b/include/linux/bio.h
+index c6d765382926..23b7a73cd757 100644
+--- a/include/linux/bio.h
++++ b/include/linux/bio.h
+@@ -38,9 +38,6 @@
+ #define bio_offset(bio) bio_iter_offset((bio), (bio)->bi_iter)
+ #define bio_iovec(bio) bio_iter_iovec((bio), (bio)->bi_iter)
+
+-#define bio_multiple_segments(bio) \
+- ((bio)->bi_iter.bi_size != bio_iovec(bio).bv_len)
+-
+ #define bvec_iter_sectors(iter) ((iter).bi_size >> 9)
+ #define bvec_iter_end_sector(iter) ((iter).bi_sector + bvec_iter_sectors((iter)))
+
+@@ -252,7 +249,7 @@ static inline void bio_clear_flag(struct bio *bio, unsigned int bit)
+
+ static inline void bio_get_first_bvec(struct bio *bio, struct bio_vec *bv)
+ {
+- *bv = bio_iovec(bio);
++ *bv = mp_bvec_iter_bvec(bio->bi_io_vec, bio->bi_iter);
+ }
+
+ static inline void bio_get_last_bvec(struct bio *bio, struct bio_vec *bv)
+@@ -260,10 +257,9 @@ static inline void bio_get_last_bvec(struct bio *bio, struct bio_vec *bv)
+ struct bvec_iter iter = bio->bi_iter;
+ int idx;
+
+- if (unlikely(!bio_multiple_segments(bio))) {
+- *bv = bio_iovec(bio);
+- return;
+- }
++ bio_get_first_bvec(bio, bv);
++ if (bv->bv_len == bio->bi_iter.bi_size)
++ return; /* this bio only has a single bvec */
+
+ bio_advance_iter(bio, &iter, iter.bi_size);
+
+--
+2.32.0
+
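Review bot: `bio_get_first_bvec()` now hands back something different from `bio_iovec()` but carries no comment saying so. Going by the commit message, a line like `/* Returns the whole multi-page bvec, not the single-page view bio_iovec() gives. */` above it would document the contract that bio_will_gap() and the new early return in bio_get_last_bvec() depend on. The patch also deletes the `bio_multiple_segments()` macro from a shared header; any out-of-tree module still using it would stop building, which may be worth checking before this goes into a stable update.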
diff --git a/debian/patches/bugfix/all/sctp-add-size-validation-when-walking-chunks.patch b/debian/patches/bugfix/all/sctp-add-size-validation-when-walking-chunks.patch
new file mode 100644
index 000000000000..80085baf02c8
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-add-size-validation-when-walking-chunks.patch
@@ -0,0 +1,41 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:42 -0300
+Subject: sctp: add size validation when walking chunks
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=6ef81a5c0e22233e13c748e813c54d3bf0145782
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3655
+
+[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]
+
+The first chunk in a packet is ensured to be present at the beginning of
+sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
+one, may not be completely available and ch->length can be over
+uninitialized memory.
+
+Fix here is by only trying to walk on the next chunk if there is enough to
+hold at least the header, and then proceed with the ch->length validation
+that is already there.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 8924e2e142c8..f72bff93745c 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
+
+ ch = (struct sctp_chunkhdr *)ch_end;
+ chunk_num++;
+- } while (ch_end < skb_tail_pointer(skb));
++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
+
+ return asoc;
+ }
+--
+2.32.0
+
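Review bot: The new loop condition in __sctp_rcv_walk_lookup uses a strict `<`, so a final chunk whose header ends exactly at `skb_tail_pointer(skb)` is not visited. That errs on the safe side for the uninitialised read being fixed, but if a header-only trailing chunk is legal here then `<=` would be the exact bound. Either way a comment such as `/* Only continue if a full chunk header fits before the tail. */` would make the intent explicit. The expression also relies on `ch_end` being a byte pointer, which is declared outside the hunk, as is the start of the do-loop.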
diff --git a/debian/patches/bugfix/all/sctp-validate-from_addr_param-return.patch b/debian/patches/bugfix/all/sctp-validate-from_addr_param-return.patch
new file mode 100644
index 000000000000..6ac54f4c2293
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-validate-from_addr_param-return.patch
@@ -0,0 +1,239 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:41 -0300
+Subject: sctp: validate from_addr_param return
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=d4dbef7046e24669278eba4455e9e8053ead6ba0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3655
+
+[ Upstream commit 0c5dc070ff3d6246d22ddd931f23a6266249e3db ]
+
+Ilja reported that, simply putting it, nothing was validating that
+from_addr_param functions were operating on initialized memory. That is,
+the parameter itself was being validated by sctp_walk_params, but it
+doesn't check for types and their specific sizes and it could be a 0-length
+one, causing from_addr_param to potentially work over the next parameter or
+even uninitialized memory.
+
+The fix here is to, in all calls to from_addr_param, check if enough space
+is there for the wanted IP address type.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sctp/structs.h | 2 +-
+ net/sctp/bind_addr.c | 19 +++++++++++--------
+ net/sctp/input.c | 6 ++++--
+ net/sctp/ipv6.c | 7 ++++++-
+ net/sctp/protocol.c | 7 ++++++-
+ net/sctp/sm_make_chunk.c | 29 ++++++++++++++++-------------
+ 6 files changed, 44 insertions(+), 26 deletions(-)
+
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 0bdff38eb4bb..51d698f2656f 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -458,7 +458,7 @@ struct sctp_af {
+ int saddr);
+ void (*from_sk) (union sctp_addr *,
+ struct sock *sk);
+- void (*from_addr_param) (union sctp_addr *,
++ bool (*from_addr_param) (union sctp_addr *,
+ union sctp_addr_param *,
+ __be16 port, int iif);
+ int (*to_addr_param) (const union sctp_addr *,
+diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
+index 53e5ed79f63f..59e653b528b1 100644
+--- a/net/sctp/bind_addr.c
++++ b/net/sctp/bind_addr.c
+@@ -270,22 +270,19 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
+ rawaddr = (union sctp_addr_param *)raw_addr_list;
+
+ af = sctp_get_af_specific(param_type2af(param->type));
+- if (unlikely(!af)) {
++ if (unlikely(!af) ||
++ !af->from_addr_param(&addr, rawaddr, htons(port), 0)) {
+ retval = -EINVAL;
+- sctp_bind_addr_clean(bp);
+- break;
++ goto out_err;
+ }
+
+- af->from_addr_param(&addr, rawaddr, htons(port), 0);
+ if (sctp_bind_addr_state(bp, &addr) != -1)
+ goto next;
+ retval = sctp_add_bind_addr(bp, &addr, sizeof(addr),
+ SCTP_ADDR_SRC, gfp);
+- if (retval) {
++ if (retval)
+ /* Can't finish building the list, clean up. */
+- sctp_bind_addr_clean(bp);
+- break;
+- }
++ goto out_err;
+
+ next:
+ len = ntohs(param->length);
+@@ -294,6 +291,12 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
+ }
+
+ return retval;
++
++out_err:
++ if (retval)
++ sctp_bind_addr_clean(bp);
++
++ return retval;
+ }
+
+ /********************************************************************
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index d508f6f3dd08..8924e2e142c8 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1131,7 +1131,8 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net,
+ if (!af)
+ continue;
+
+- af->from_addr_param(paddr, params.addr, sh->source, 0);
++ if (!af->from_addr_param(paddr, params.addr, sh->source, 0))
++ continue;
+
+ asoc = __sctp_lookup_association(net, laddr, paddr, transportp);
+ if (asoc)
+@@ -1174,7 +1175,8 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
+ if (unlikely(!af))
+ return NULL;
+
+- af->from_addr_param(&paddr, param, peer_port, 0);
++ if (af->from_addr_param(&paddr, param, peer_port, 0))
++ return NULL;
+
+ return __sctp_lookup_association(net, laddr, &paddr, transportp);
+ }
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index c8074f435d3e..d594b949ae82 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -530,15 +530,20 @@ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v6_from_addr_param(union sctp_addr *addr,
++static bool sctp_v6_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v6.param_hdr.length) < sizeof(struct sctp_ipv6addr_param))
++ return false;
++
+ addr->v6.sin6_family = AF_INET6;
+ addr->v6.sin6_port = port;
+ addr->v6.sin6_flowinfo = 0; /* BUG */
+ addr->v6.sin6_addr = param->v6.addr;
+ addr->v6.sin6_scope_id = iif;
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
+index 25833238fe93..47fb87ce489f 100644
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -253,14 +253,19 @@ static void sctp_v4_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v4_from_addr_param(union sctp_addr *addr,
++static bool sctp_v4_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v4.param_hdr.length) < sizeof(struct sctp_ipv4addr_param))
++ return false;
++
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = port;
+ addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
+ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index b9d6babe2870..7411fa442821 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2329,11 +2329,13 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
+
+ /* Process the initialization parameters. */
+ sctp_walk_params(param, peer_init, init_hdr.params) {
+- if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+- param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
++ if (!src_match &&
++ (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
++ param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr,
+- chunk->sctp_hdr->source, 0);
++ if (!af->from_addr_param(&addr, param.addr,
++ chunk->sctp_hdr->source, 0))
++ continue;
+ if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
+ src_match = 1;
+ }
+@@ -2514,7 +2516,8 @@ static int sctp_process_param(struct sctp_association *asoc,
+ break;
+ do_addr_param:
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0))
++ break;
+ scope = sctp_scope(peer_addr);
+ if (sctp_in_scope(net, &addr, scope))
+ if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED))
+@@ -2615,15 +2618,13 @@ static int sctp_process_param(struct sctp_association *asoc,
+ addr_param = param.v + sizeof(struct sctp_addip_param);
+
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- if (af == NULL)
++ if (!af)
+ break;
+
+- af->from_addr_param(&addr, addr_param,
+- htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param,
++ htons(asoc->peer.port), 0))
++ break;
+
+- /* if the address is invalid, we can't process it.
+- * XXX: see spec for what to do.
+- */
+ if (!af->addr_valid(&addr, NULL, NULL))
+ break;
+
+@@ -3037,7 +3038,8 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ if (unlikely(!af))
+ return SCTP_ERROR_DNS_FAILED;
+
+- af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0))
++ return SCTP_ERROR_DNS_FAILED;
+
+ /* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast
+ * or multicast address.
+@@ -3314,7 +3316,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
+
+ /* We have checked the packet before, so we do not check again. */
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- af->from_addr_param(&addr, addr_param, htons(bp->port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(bp->port), 0))
++ return;
+
+ switch (asconf_param->param_hdr.type) {
+ case SCTP_PARAM_ADD_IP:
+--
+2.32.0
+
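Review bot: In the net/sctp/input.c part, the check added to __sctp_rcv_asconf_lookup reads `if (af->from_addr_param(&paddr, param, peer_port, 0)) return NULL;` without the negation used at every other call site in this patch. The v4 and v6 implementations added here return true on success and false when the parameter is too short, so as written a valid address makes the lookup return NULL and a too-short one falls through to `__sctp_lookup_association()` with `paddr` not filled in by this call. The condition should be `if (!af->from_addr_param(&paddr, param, peer_port, 0))`. The rest of __sctp_rcv_asconf_lookup is outside the hunk, so whether `paddr` is initialised earlier cannot be seen here.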
diff --git a/debian/patches/bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch b/debian/patches/bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch
new file mode 100644
index 000000000000..173177912886
--- /dev/null
+++ b/debian/patches/bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch
@@ -0,0 +1,62 @@
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Tue, 27 Apr 2021 21:40:10 +0200
+Subject: s390/sclp_vt220: fix console name to match device
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=78cddc9aa6be2122da9ee3a4d2fff0be5db08cea
+Bug-Debian: https://bugs.debian.org/961056
+
+[ Upstream commit b7d91d230a119fdcc334d10c9889ce9c5e15118b ]
+
+Console name reported in /proc/consoles:
+
+ ttyS1 -W- (EC p ) 4:65
+
+does not match the char device name:
+
+ crw--w---- 1 root root 4, 65 May 17 12:18 /dev/ttysclp0
+
+so debian-installer inside a QEMU s390x instance gets confused and fails
+to start with the following error:
+
+ steal-ctty: No such file or directory
+
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Link: https://lore.kernel.org/r/20210427194010.9330-1-vvidic@valentin-vidic.from.hr
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/setup.c | 2 +-
+ drivers/s390/char/sclp_vt220.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index 83a3f346e5bd..5cd9d20af31e 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -166,7 +166,7 @@ static void __init set_preferred_console(void)
+ else if (CONSOLE_IS_3270)
+ add_preferred_console("tty3270", 0, NULL);
+ else if (CONSOLE_IS_VT220)
+- add_preferred_console("ttyS", 1, NULL);
++ add_preferred_console("ttysclp", 0, NULL);
+ else if (CONSOLE_IS_HVC)
+ add_preferred_console("hvc", 0, NULL);
+ }
+diff --git a/drivers/s390/char/sclp_vt220.c b/drivers/s390/char/sclp_vt220.c
+index 3f9a6ef650fa..3c2ed6d01387 100644
+--- a/drivers/s390/char/sclp_vt220.c
++++ b/drivers/s390/char/sclp_vt220.c
+@@ -35,8 +35,8 @@
+ #define SCLP_VT220_MINOR 65
+ #define SCLP_VT220_DRIVER_NAME "sclp_vt220"
+ #define SCLP_VT220_DEVICE_NAME "ttysclp"
+-#define SCLP_VT220_CONSOLE_NAME "ttyS"
+-#define SCLP_VT220_CONSOLE_INDEX 1 /* console=ttyS1 */
++#define SCLP_VT220_CONSOLE_NAME "ttysclp"
++#define SCLP_VT220_CONSOLE_INDEX 0 /* console=ttysclp0 */
+
+ /* Representation of a single write request */
+ struct sclp_vt220_request {
+--
+2.32.0
+
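Review bot: Renaming the console from `ttyS` index 1 to `ttysclp` index 0 changes what a `console=` boot parameter has to name. The old define was annotated `/* console=ttyS1 */`, so existing s390x guests configured that way would presumably no longer select the VT220 console after the upgrade. A NEWS or changelog line telling users to switch to `console=ttysclp0` would cover it. No compatibility alias is visible in these hunks, though one could exist elsewhere in the driver.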
diff --git a/debian/patches/series b/debian/patches/series
index 8bd961bc9912..93ca000393db 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -78,6 +78,7 @@ bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
bugfix/arm/ARM-dts-sun8i-h3-orangepi-plus-Fix-ethernet-phy-mode.patch
bugfix/x86/platform-x86-toshiba_haps-Fix-missing-newline-in-pr_.patch
+bugfix/s390x/s390-sclp_vt220-fix-console-name-to-match-device.patch
# Arch features
features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch
@@ -97,6 +98,9 @@ debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
bugfix/all/Revert-PCI-PM-Do-not-read-power-state-in-pci_enable_.patch
bugfix/all/swiotlb-manipulate-orig_addr-when-tlb_addr-has-offse.patch
+bugfix/all/Revert-drm-amdgpu-gfx9-fix-the-doorbell-missing-when.patch
+bugfix/all/Revert-drm-amdgpu-gfx10-enlarge-CP_MEC_DOORBELL_RANG.patch
+bugfix/all/block-return-the-correct-bvec-when-checking-for-gaps.patch
# Miscellaneous features
@@ -121,6 +125,9 @@ bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch
bugfix/all/KVM-do-not-allow-mapping-valid-but-non-reference-cou.patch
bugfix/all/seq_file-Disallow-extremely-large-seq-buffer-allocat.patch
+bugfix/all/Input-joydev-prevent-use-of-not-validated-data-in-JS.patch
+bugfix/all/sctp-validate-from_addr_param-return.patch
+bugfix/all/sctp-add-size-validation-when-walking-chunks.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch