fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Mon, 22 Jul 2019 00:55:27 +0000 (20:55 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 22 Jul 2019 00:55:27 +0000 (20:55 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
164 files changed:
queue-4.19/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch [new file with mode: 0644]
queue-4.19/acpica-clear-status-of-gpes-on-first-direct-enable.patch [new file with mode: 0644]
queue-4.19/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch [new file with mode: 0644]
queue-4.19/arm64-do-not-enable-irqs-for-ct_user_exit.patch [new file with mode: 0644]
queue-4.19/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch [new file with mode: 0644]
queue-4.19/arm64-mm-make-config_zone_dma32-configurable.patch [new file with mode: 0644]
queue-4.19/asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch [new file with mode: 0644]
queue-4.19/asoc-meson-axg-tdm-fix-sample-clock-inversion.patch [new file with mode: 0644]
queue-4.19/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch [new file with mode: 0644]
queue-4.19/ath10k-add-missing-error-handling.patch [new file with mode: 0644]
queue-4.19/ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch [new file with mode: 0644]
queue-4.19/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch [new file with mode: 0644]
queue-4.19/ath10k-do-not-send-probe-response-template-for-mesh.patch [new file with mode: 0644]
queue-4.19/ath10k-fix-pcie-device-wake-up-failed.patch [new file with mode: 0644]
queue-4.19/ath6kl-add-some-bounds-checking.patch [new file with mode: 0644]
queue-4.19/ath9k-check-for-errors-when-reading-srev-register.patch [new file with mode: 0644]
queue-4.19/batman-adv-fix-duplicated-ogms-on-netdev_up.patch [new file with mode: 0644]
queue-4.19/batman-adv-fix-for-leaked-tvlv-handler.patch [new file with mode: 0644]
queue-4.19/bcache-acquire-bch_register_lock-later-in-cached_dev.patch [new file with mode: 0644]
queue-4.19/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch [new file with mode: 0644]
queue-4.19/bcache-check-cache_set_io_disable-bit-in-bch_journal.patch [new file with mode: 0644]
queue-4.19/bcache-check-cache_set_io_disable-in-allocator-code.patch [new file with mode: 0644]
queue-4.19/bcache-fix-potential-deadlock-in-cached_def_free.patch [new file with mode: 0644]
queue-4.19/blk-iolatency-only-account-submitted-bios.patch [new file with mode: 0644]
queue-4.19/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch [new file with mode: 0644]
queue-4.19/block-null_blk-fix-race-condition-for-null_del_dev.patch [new file with mode: 0644]
queue-4.19/bluetooth-6lowpan-search-for-destination-address-in-.patch [new file with mode: 0644]
queue-4.19/bluetooth-add-new-13d3-3491-qca_rome-device.patch [new file with mode: 0644]
queue-4.19/bluetooth-add-new-13d3-3501-qca_rome-device.patch [new file with mode: 0644]
queue-4.19/bluetooth-check-state-in-l2cap_disconnect_rsp.patch [new file with mode: 0644]
queue-4.19/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch [new file with mode: 0644]
queue-4.19/bluetooth-validate-ble-connection-interval-updates.patch [new file with mode: 0644]
queue-4.19/bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch [new file with mode: 0644]
queue-4.19/bonding-validate-ip-header-before-check-ipproto_igmp.patch [new file with mode: 0644]
queue-4.19/bpf-fix-uapi-bpf_prog_info-fields-alignment.patch [new file with mode: 0644]
queue-4.19/bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch [new file with mode: 0644]
queue-4.19/bpf-silence-warning-messages-in-core.patch [new file with mode: 0644]
queue-4.19/clocksource-drivers-exynos_mct-increase-priority-ove.patch [new file with mode: 0644]
queue-4.19/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch [new file with mode: 0644]
queue-4.19/crypto-asymmetric_keys-select-crypto_hash-where-need.patch [new file with mode: 0644]
queue-4.19/crypto-inside-secure-do-not-rely-on-the-hardware-las.patch [new file with mode: 0644]
queue-4.19/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch [new file with mode: 0644]
queue-4.19/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch [new file with mode: 0644]
queue-4.19/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch [new file with mode: 0644]
queue-4.19/crypto-talitos-properly-handle-split-icv.patch [new file with mode: 0644]
queue-4.19/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch [new file with mode: 0644]
queue-4.19/edac-fix-global-out-of-bounds-write-when-setting-eda.patch [new file with mode: 0644]
queue-4.19/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch [new file with mode: 0644]
queue-4.19/floppy-fix-div-by-zero-in-setup_format_params.patch [new file with mode: 0644]
queue-4.19/floppy-fix-invalid-pointer-dereference-in-drive_name.patch [new file with mode: 0644]
queue-4.19/floppy-fix-out-of-bounds-read-in-copy_buffer.patch [new file with mode: 0644]
queue-4.19/floppy-fix-out-of-bounds-read-in-next_valid_format.patch [new file with mode: 0644]
queue-4.19/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch [new file with mode: 0644]
queue-4.19/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch [new file with mode: 0644]
queue-4.19/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch [new file with mode: 0644]
queue-4.19/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch [new file with mode: 0644]
queue-4.19/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch [new file with mode: 0644]
queue-4.19/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch [new file with mode: 0644]
queue-4.19/gtp-fix-suspicious-rcu-usage.patch [new file with mode: 0644]
queue-4.19/gtp-fix-use-after-free-in-gtp_encap_destroy.patch [new file with mode: 0644]
queue-4.19/gtp-fix-use-after-free-in-gtp_newlink.patch [new file with mode: 0644]
queue-4.19/iavf-fix-dereference-of-null-rx_buffer-pointer.patch [new file with mode: 0644]
queue-4.19/igb-clear-out-skb-tstamp-after-reading-the-txtime.patch [new file with mode: 0644]
queue-4.19/iommu-fix-a-leak-in-iommu_insert_resv_region.patch [new file with mode: 0644]
queue-4.19/ipoib-correcly-show-a-vf-hardware-address.patch [new file with mode: 0644]
queue-4.19/ipsec-select-crypto-ciphers-for-xfrm_algo.patch [new file with mode: 0644]
queue-4.19/ipset-fix-memory-accounting-for-hash-types-on-resize.patch [new file with mode: 0644]
queue-4.19/ipvs-defer-hook-registration-to-avoid-leaks.patch [new file with mode: 0644]
queue-4.19/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch [new file with mode: 0644]
queue-4.19/irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch [new file with mode: 0644]
queue-4.19/iwlwifi-mvm-drop-large-non-sta-frames.patch [new file with mode: 0644]
queue-4.19/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch [new file with mode: 0644]
queue-4.19/libata-don-t-request-sense-data-on-zac-ata-devices.patch [new file with mode: 0644]
queue-4.19/lightnvm-pblk-fix-freeing-of-merged-pages.patch [new file with mode: 0644]
queue-4.19/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch [new file with mode: 0644]
queue-4.19/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch [new file with mode: 0644]
queue-4.19/media-coda-fix-mpeg2-sequence-number-handling.patch [new file with mode: 0644]
queue-4.19/media-coda-increment-sequence-offset-for-the-last-re.patch [new file with mode: 0644]
queue-4.19/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch [new file with mode: 0644]
queue-4.19/media-fdp1-support-m3n-and-e3-platforms.patch [new file with mode: 0644]
queue-4.19/media-hdpvr-fix-locking-and-a-missing-msleep.patch [new file with mode: 0644]
queue-4.19/media-i2c-fix-warning-same-module-names.patch [new file with mode: 0644]
queue-4.19/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch [new file with mode: 0644]
queue-4.19/media-mc-device.c-don-t-memset-__user-pointer-conten.patch [new file with mode: 0644]
queue-4.19/media-media_device_enum_links32-clean-a-reserved-fie.patch [new file with mode: 0644]
queue-4.19/media-ov7740-avoid-invalid-framesize-setting.patch [new file with mode: 0644]
queue-4.19/media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch [new file with mode: 0644]
queue-4.19/media-s5p-mfc-make-additional-clocks-optional.patch [new file with mode: 0644]
queue-4.19/media-saa7164-fix-remove_proc_entry-warning.patch [new file with mode: 0644]
queue-4.19/media-spi-ir-led-add-missing-of-table-registration.patch [new file with mode: 0644]
queue-4.19/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch [new file with mode: 0644]
queue-4.19/media-uvcvideo-fix-access-to-uninitialized-fields-on.patch [new file with mode: 0644]
queue-4.19/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch [new file with mode: 0644]
queue-4.19/media-vpss-fix-a-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.19/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch [new file with mode: 0644]
queue-4.19/mips-ath79-fix-ar933x-uart-parity-mode.patch [new file with mode: 0644]
queue-4.19/mips-fix-build-on-non-linux-hosts.patch [new file with mode: 0644]
queue-4.19/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch [new file with mode: 0644]
queue-4.19/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch [new file with mode: 0644]
queue-4.19/net-axienet-fix-race-condition-causing-tx-hang.patch [new file with mode: 0644]
queue-4.19/net-fec-do-not-use-netdev-messages-too-early.patch [new file with mode: 0644]
queue-4.19/net-hns3-add-some-error-checking-in-hclge_tm-module.patch [new file with mode: 0644]
queue-4.19/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch [new file with mode: 0644]
queue-4.19/net-hns3-fix-for-skb-leak-when-doing-selftest.patch [new file with mode: 0644]
queue-4.19/net-hns3-set-ops-to-null-when-unregister-ad_dev.patch [new file with mode: 0644]
queue-4.19/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch [new file with mode: 0644]
queue-4.19/net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch [new file with mode: 0644]
queue-4.19/net-phy-check-against-net_device-being-null.patch [new file with mode: 0644]
queue-4.19/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch [new file with mode: 0644]
queue-4.19/net-stmmac-dwmac1000-clear-unused-address-entries.patch [new file with mode: 0644]
queue-4.19/net-stmmac-dwmac4-5-clear-unused-address-entries.patch [new file with mode: 0644]
queue-4.19/net-stmmac-dwmac4-fix-flow-control-issue.patch [new file with mode: 0644]
queue-4.19/net-stmmac-modify-default-value-of-tx-frames.patch [new file with mode: 0644]
queue-4.19/net-stmmac-sun8i-force-select-external-phy-when-no-i.patch [new file with mode: 0644]
queue-4.19/net-usb-asix-init-mac-address-buffers.patch [new file with mode: 0644]
queue-4.19/ntp-limit-tai-utc-offset.patch [new file with mode: 0644]
queue-4.19/nvme-fix-possible-io-failures-when-removing-multipat.patch [new file with mode: 0644]
queue-4.19/nvme-pci-properly-report-state-change-failure-in-nvm.patch [new file with mode: 0644]
queue-4.19/nvme-pci-set-the-errno-on-ctrl-state-change-error.patch [new file with mode: 0644]
queue-4.19/perf-annotate-tui-browser-do-not-use-member-from-var.patch [new file with mode: 0644]
queue-4.19/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch [new file with mode: 0644]
queue-4.19/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch [new file with mode: 0644]
queue-4.19/perf-jvmti-address-gcc-string-overflow-warning-for-s.patch [new file with mode: 0644]
queue-4.19/perf-report-fix-oom-error-in-tui-mode-on-s390.patch [new file with mode: 0644]
queue-4.19/perf-stat-fix-group-lookup-for-metric-group.patch [new file with mode: 0644]
queue-4.19/perf-stat-make-metric-event-lookup-more-robust.patch [new file with mode: 0644]
queue-4.19/perf-test-6-fix-missing-kvm-module-load-for-s390.patch [new file with mode: 0644]
queue-4.19/perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch [new file with mode: 0644]
queue-4.19/perf-tools-increase-max_nr_cpus-and-max_caches.patch [new file with mode: 0644]
queue-4.19/perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch [new file with mode: 0644]
queue-4.19/qed-iwarp-fix-tc-for-mpa-ll2-connection.patch [new file with mode: 0644]
queue-4.19/qed-set-the-doorbell-address-correctly.patch [new file with mode: 0644]
queue-4.19/ras-cec-fix-pfn-insertion.patch [new file with mode: 0644]
queue-4.19/rcu-force-inlining-of-rcu_read_lock.patch [new file with mode: 0644]
queue-4.19/regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch [new file with mode: 0644]
queue-4.19/regmap-fix-bulk-writes-on-paged-registers.patch [new file with mode: 0644]
queue-4.19/rslib-fix-decoding-of-shortened-codes.patch [new file with mode: 0644]
queue-4.19/rslib-fix-handling-of-of-caller-provided-syndrome.patch [new file with mode: 0644]
queue-4.19/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch [new file with mode: 0644]
queue-4.19/rxrpc-fix-oops-in-tracepoint.patch [new file with mode: 0644]
queue-4.19/s390-qdio-handle-pending-state-for-qebsm-devices.patch [new file with mode: 0644]
queue-4.19/sched-core-add-__sched-tag-for-io_schedule.patch [new file with mode: 0644]
queue-4.19/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch [new file with mode: 0644]
queue-4.19/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch [new file with mode: 0644]
queue-4.19/selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch [new file with mode: 0644]
queue-4.19/selinux-fix-empty-write-to-keycreate-file.patch [new file with mode: 0644]
queue-4.19/series [new file with mode: 0644]
queue-4.19/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch [new file with mode: 0644]
queue-4.19/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch [new file with mode: 0644]
queue-4.19/timer_list-guard-procfs-specific-code.patch [new file with mode: 0644]
queue-4.19/tools-bpftool-fix-json-dump-crash-on-powerpc.patch [new file with mode: 0644]
queue-4.19/tua6100-avoid-build-warnings.patch [new file with mode: 0644]
queue-4.19/vhost_net-disable-zerocopy-by-default.patch [new file with mode: 0644]
queue-4.19/wil6210-drop-old-event-after-wmi_call-timeout.patch [new file with mode: 0644]
queue-4.19/wil6210-fix-potential-out-of-bounds-read.patch [new file with mode: 0644]
queue-4.19/wil6210-fix-spurious-interrupts-in-3-msi.patch [new file with mode: 0644]
queue-4.19/x86-atomic-fix-smp_mb__-before-after-_atomic.patch [new file with mode: 0644]
queue-4.19/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch [new file with mode: 0644]
queue-4.19/x86-cacheinfo-fix-a-wtype-limits-warning.patch [new file with mode: 0644]
queue-4.19/x86-cpu-add-ice-lake-nnpi-to-intel-family.patch [new file with mode: 0644]
queue-4.19/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch [new file with mode: 0644]
queue-4.19/xfrm-fix-sa-selector-validation.patch [new file with mode: 0644]
queue-4.19/xfrm-fix-xfrm-sel-prefix-length-validation.patch [new file with mode: 0644]
queue-4.19/xsk-properly-terminate-assignment-in-xskq_produce_fl.patch [new file with mode: 0644]

diff --git a/queue-4.19/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch b/queue-4.19/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
new file mode 100644 (file)
index 0000000..14af765
--- /dev/null
@@ -0,0 +1,52 @@
+From 2331b0105e67a98fc696fac037ca43cea7c80e05 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 19 Jun 2019 14:18:31 +0200
+Subject: acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
+
+[ Upstream commit 2af22f3ec3ca452f1e79b967f634708ff01ced8a ]
+
+Some Qualcomm Snapdragon based laptops built to run Microsoft Windows
+are clearly ACPI 5.1 based, given that that is the first ACPI revision
+that supports ARM, and introduced the FADT 'arm_boot_flags' field,
+which has a non-zero field on those systems.
+
+So in these cases, infer from the ARM boot flags that the FADT must be
+5.1 or later, and treat it as 5.1.
+
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Lee Jones <lee.jones@linaro.org>
+Reviewed-by: Graeme Gregory <graeme.gregory@linaro.org>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/acpi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index ed46dc188b22..970f15c76bac 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -154,10 +154,14 @@ static int __init acpi_fadt_sanity_check(void)
+        */
+       if (table->revision < 5 ||
+          (table->revision == 5 && fadt->minor_revision < 1)) {
+-              pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n",
++              pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n",
+                      table->revision, fadt->minor_revision);
+-              ret = -EINVAL;
+-              goto out;
++
++              if (!fadt->arm_boot_flags) {
++                      ret = -EINVAL;
++                      goto out;
++              }
++              pr_err("FADT has ARM boot flags set, assuming 5.1\n");
+       }
+       if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) {
+-- 
+2.20.1
+
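Review bot: The `arm_boot_flags` fallback in `acpi_fadt_sanity_check()` is reached by every table that fails the revision test, including `table->revision < 5`, although the subject speaks only of 5.1 tables misreported as 5.0. A non-zero firmware-supplied value in that field therefore overrides the gate for any older revision as well. If only the 5.0 case is intended, the inner test could read `if (table->revision < 5 || !fadt->arm_boot_flags) {`. Whether the table length is checked to cover `arm_boot_flags` before it is read cannot be seen here, because the function starts and ends outside the hunk. The second `pr_err()` reports a recovered condition and may fit `pr_warn()` better.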
diff --git a/queue-4.19/acpica-clear-status-of-gpes-on-first-direct-enable.patch b/queue-4.19/acpica-clear-status-of-gpes-on-first-direct-enable.patch
new file mode 100644 (file)
index 0000000..ed7e0aa
--- /dev/null
@@ -0,0 +1,133 @@
+From c57ed94608df03746adfa6a092e966c8bf5d19cf Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 17 Jun 2019 13:31:45 +0200
+Subject: ACPICA: Clear status of GPEs on first direct enable
+
+[ Upstream commit 44758bafa53602f2581a6857bb20b55d4d8ad5b2 ]
+
+ACPI GPEs (other than the EC one) can be enabled in two situations.
+First, the GPEs with existing _Lxx and _Exx methods are enabled
+implicitly by ACPICA during system initialization.  Second, the
+GPEs without these methods (like GPEs listed by _PRW objects for
+wakeup devices) need to be enabled directly by the code that is
+going to use them (e.g. ACPI power management or device drivers).
+
+In the former case, if the status of a given GPE is set to start
+with, its handler method (either _Lxx or _Exx) needs to be invoked
+to take care of the events (possibly) signaled before the GPE was
+enabled.  In the latter case, however, the first caller of
+acpi_enable_gpe() for a given GPE should not be expected to care
+about any events that might be signaled through it earlier.  In
+that case, it is better to clear the status of the GPE before
+enabling it, to prevent stale events from triggering unwanted
+actions (like spurious system resume, for example).
+
+For this reason, modify acpi_ev_add_gpe_reference() to take an
+additional boolean argument indicating whether or not the GPE
+status needs to be cleared when its reference counter changes from
+zero to one and make acpi_enable_gpe() pass TRUE to it through
+that new argument.
+
+Fixes: 18996f2db918 ("ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume")
+Reported-by: Furquan Shaikh <furquan@google.com>
+Tested-by: Furquan Shaikh <furquan@google.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/acevents.h | 3 ++-
+ drivers/acpi/acpica/evgpe.c    | 8 +++++++-
+ drivers/acpi/acpica/evgpeblk.c | 2 +-
+ drivers/acpi/acpica/evxface.c  | 2 +-
+ drivers/acpi/acpica/evxfgpe.c  | 2 +-
+ 5 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/acpica/acevents.h b/drivers/acpi/acpica/acevents.h
+index 704bebbd35b0..298180bf7e3c 100644
+--- a/drivers/acpi/acpica/acevents.h
++++ b/drivers/acpi/acpica/acevents.h
+@@ -69,7 +69,8 @@ acpi_status
+ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked);
+ acpi_status
+-acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info);
++acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info,
++                        u8 clear_on_enable);
+ acpi_status
+ acpi_ev_remove_gpe_reference(struct acpi_gpe_event_info *gpe_event_info);
+diff --git a/drivers/acpi/acpica/evgpe.c b/drivers/acpi/acpica/evgpe.c
+index e10fec99a182..4b5d3b4c627a 100644
+--- a/drivers/acpi/acpica/evgpe.c
++++ b/drivers/acpi/acpica/evgpe.c
+@@ -146,6 +146,7 @@ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked)
+  * FUNCTION:    acpi_ev_add_gpe_reference
+  *
+  * PARAMETERS:  gpe_event_info          - Add a reference to this GPE
++ *              clear_on_enable         - Clear GPE status before enabling it
+  *
+  * RETURN:      Status
+  *
+@@ -155,7 +156,8 @@ acpi_ev_mask_gpe(struct acpi_gpe_event_info *gpe_event_info, u8 is_masked)
+  ******************************************************************************/
+ acpi_status
+-acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info)
++acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info,
++                        u8 clear_on_enable)
+ {
+       acpi_status status = AE_OK;
+@@ -170,6 +172,10 @@ acpi_ev_add_gpe_reference(struct acpi_gpe_event_info *gpe_event_info)
+               /* Enable on first reference */
++              if (clear_on_enable) {
++                      (void)acpi_hw_clear_gpe(gpe_event_info);
++              }
++
+               status = acpi_ev_update_gpe_enable_mask(gpe_event_info);
+               if (ACPI_SUCCESS(status)) {
+                       status = acpi_ev_enable_gpe(gpe_event_info);
+diff --git a/drivers/acpi/acpica/evgpeblk.c b/drivers/acpi/acpica/evgpeblk.c
+index b253063b09d3..8d96270ed8c7 100644
+--- a/drivers/acpi/acpica/evgpeblk.c
++++ b/drivers/acpi/acpica/evgpeblk.c
+@@ -453,7 +453,7 @@ acpi_ev_initialize_gpe_block(struct acpi_gpe_xrupt_info *gpe_xrupt_info,
+                               continue;
+                       }
+-                      status = acpi_ev_add_gpe_reference(gpe_event_info);
++                      status = acpi_ev_add_gpe_reference(gpe_event_info, FALSE);
+                       if (ACPI_FAILURE(status)) {
+                               ACPI_EXCEPTION((AE_INFO, status,
+                                       "Could not enable GPE 0x%02X",
+diff --git a/drivers/acpi/acpica/evxface.c b/drivers/acpi/acpica/evxface.c
+index febc332b00ac..841557bda641 100644
+--- a/drivers/acpi/acpica/evxface.c
++++ b/drivers/acpi/acpica/evxface.c
+@@ -971,7 +971,7 @@ acpi_remove_gpe_handler(acpi_handle gpe_device,
+             ACPI_GPE_DISPATCH_METHOD) ||
+            (ACPI_GPE_DISPATCH_TYPE(handler->original_flags) ==
+             ACPI_GPE_DISPATCH_NOTIFY)) && handler->originally_enabled) {
+-              (void)acpi_ev_add_gpe_reference(gpe_event_info);
++              (void)acpi_ev_add_gpe_reference(gpe_event_info, FALSE);
+               if (ACPI_GPE_IS_POLLING_NEEDED(gpe_event_info)) {
+                       /* Poll edge triggered GPEs to handle existing events */
+diff --git a/drivers/acpi/acpica/evxfgpe.c b/drivers/acpi/acpica/evxfgpe.c
+index b2d5f66cc1b0..4188731e7c40 100644
+--- a/drivers/acpi/acpica/evxfgpe.c
++++ b/drivers/acpi/acpica/evxfgpe.c
+@@ -108,7 +108,7 @@ acpi_status acpi_enable_gpe(acpi_handle gpe_device, u32 gpe_number)
+       if (gpe_event_info) {
+               if (ACPI_GPE_DISPATCH_TYPE(gpe_event_info->flags) !=
+                   ACPI_GPE_DISPATCH_NONE) {
+-                      status = acpi_ev_add_gpe_reference(gpe_event_info);
++                      status = acpi_ev_add_gpe_reference(gpe_event_info, TRUE);
+                       if (ACPI_SUCCESS(status) &&
+                           ACPI_GPE_IS_POLLING_NEEDED(gpe_event_info)) {
+-- 
+2.20.1
+
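Review bot: In `acpi_ev_add_gpe_reference()` the result of `acpi_hw_clear_gpe()` is cast to `(void)`, so a failed clear goes unnoticed and the GPE is then enabled with whatever status was pending. That is the stale-event case the description sets out to prevent. Either check it with `status = acpi_hw_clear_gpe(gpe_event_info);` and an `ACPI_FAILURE(status)` bail-out before the enable, or add a comment such as `/* Best effort: a failed clear must not block enabling the GPE */` to record that ignoring it is deliberate. The function body continues outside the hunk, so how an early return would interact with the reference count is not visible.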
diff --git a/queue-4.19/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch b/queue-4.19/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
new file mode 100644 (file)
index 0000000..7793658
--- /dev/null
@@ -0,0 +1,50 @@
+From 5552c498e20cf5c1d50c5abe784613362d580db3 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 25 May 2019 19:09:35 +0100
+Subject: af_key: fix leaks in key_pol_get_resp and dump_sp.
+
+[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ]
+
+In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
+allocated sk_buff.  Free it on error.
+
+Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
+Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 0b79c9aa8eb1..1982f9f31deb 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2442,8 +2442,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
+               goto out;
+       }
+       err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+-      if (err < 0)
++      if (err < 0) {
++              kfree_skb(out_skb);
+               goto out;
++      }
+       out_hdr = (struct sadb_msg *) out_skb->data;
+       out_hdr->sadb_msg_version = hdr->sadb_msg_version;
+@@ -2694,8 +2696,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+               return PTR_ERR(out_skb);
+       err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+-      if (err < 0)
++      if (err < 0) {
++              kfree_skb(out_skb);
+               return err;
++      }
+       out_hdr = (struct sadb_msg *) out_skb->data;
+       out_hdr->sadb_msg_version = pfk->dump.msg_version;
+-- 
+2.20.1
+
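Review bot: The new `kfree_skb(out_skb)` in `key_pol_get_resp()` leaves `out_skb` dangling and then jumps to `out`, a label that lies outside the hunk. It is worth confirming that nothing after `out:` touches `out_skb`; if it does, `out_skb = NULL;` after the free would be needed. A short comment in both places, for example `/* pfkey_xfrm_policy2msg() failed: drop the unsent reply */`, would record why the free sits on this branch. The bodies of `key_pol_get_resp()` and `dump_sp()` both start and end outside the hunk.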
diff --git a/queue-4.19/arm64-do-not-enable-irqs-for-ct_user_exit.patch b/queue-4.19/arm64-do-not-enable-irqs-for-ct_user_exit.patch
new file mode 100644 (file)
index 0000000..0a86905
--- /dev/null
@@ -0,0 +1,56 @@
+From 319249741a0496abebdf3bb24ebf13e59a18d498 Mon Sep 17 00:00:00 2001
+From: Julien Thierry <julien.thierry@arm.com>
+Date: Tue, 11 Jun 2019 10:38:06 +0100
+Subject: arm64: Do not enable IRQs for ct_user_exit
+
+[ Upstream commit 9034f6251572a4744597c51dea5ab73a55f2b938 ]
+
+For el0_dbg and el0_error, DAIF bits get explicitly cleared before
+calling ct_user_exit.
+
+When context tracking is disabled, DAIF gets set (almost) immediately
+after. When context tracking is enabled, among the first things done
+is disabling IRQs.
+
+What is actually needed is:
+- PSR.D = 0 so the system can be debugged (should be already the case)
+- PSR.A = 0 so async error can be handled during context tracking
+
+Do not clear PSR.I in those two locations.
+
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index 8556876c9109..5f800384cb9a 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -824,7 +824,7 @@ el0_dbg:
+       mov     x1, x25
+       mov     x2, sp
+       bl      do_debug_exception
+-      enable_daif
++      enable_da_f
+       ct_user_exit
+       b       ret_to_user
+ el0_inv:
+@@ -876,7 +876,7 @@ el0_error_naked:
+       enable_dbg
+       mov     x0, sp
+       bl      do_serror
+-      enable_daif
++      enable_da_f
+       ct_user_exit
+       b       ret_to_user
+ ENDPROC(el0_error)
+-- 
+2.20.1
+
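Review bot: Both call sites, `el0_dbg` and `el0_error_naked`, now use `enable_da_f` with no comment saying why IRQs stay masked, so a later reader may take it for a typo of `enable_daif`. A one-line comment before each would do, for example `// Leave PSR.I set: IRQs stay masked across ct_user_exit`. The macro definition is outside the hunk, so the bits it clears are inferred from the commit description and the macro name.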
diff --git a/queue-4.19/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch b/queue-4.19/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
new file mode 100644 (file)
index 0000000..c4b6697
--- /dev/null
@@ -0,0 +1,61 @@
+From 0634371a51673d1e91572375eb692819d145f357 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Tue, 25 Jun 2019 21:20:17 -0700
+Subject: arm64/efi: Mark __efistub_stext_offset as an absolute symbol
+ explicitly
+
+[ Upstream commit aa69fb62bea15126e744af2e02acc0d6cf3ed4da ]
+
+After r363059 and r363928 in LLVM, a build using ld.lld as the linker
+with CONFIG_RANDOMIZE_BASE enabled fails like so:
+
+ld.lld: error: relocation R_AARCH64_ABS32 cannot be used against symbol
+__efistub_stext_offset; recompile with -fPIC
+
+Fangrui and Peter figured out that ld.lld is incorrectly considering
+__efistub_stext_offset as a relative symbol because of the order in
+which symbols are evaluated. _text is treated as an absolute symbol
+and stext is a relative symbol, making __efistub_stext_offset a
+relative symbol.
+
+Adding ABSOLUTE will force ld.lld to evalute this expression in the
+right context and does not change ld.bfd's behavior. ld.lld will
+need to be fixed but the developers do not see a quick or simple fix
+without some research (see the linked issue for further explanation).
+Add this simple workaround so that ld.lld can continue to link kernels.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/561
+Link: https://github.com/llvm/llvm-project/commit/025a815d75d2356f2944136269aa5874721ec236
+Link: https://github.com/llvm/llvm-project/commit/249fde85832c33f8b06c6b4ac65d1c4b96d23b83
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Debugged-by: Fangrui Song <maskray@google.com>
+Debugged-by: Peter Smith <peter.smith@linaro.org>
+Suggested-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+[will: add comment]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/image.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h
+index 8da289dc843a..eff6a564ab80 100644
+--- a/arch/arm64/kernel/image.h
++++ b/arch/arm64/kernel/image.h
+@@ -73,7 +73,11 @@
+ #ifdef CONFIG_EFI
+-__efistub_stext_offset = stext - _text;
++/*
++ * Use ABSOLUTE() to avoid ld.lld treating this as a relative symbol:
++ * https://github.com/ClangBuiltLinux/linux/issues/561
++ */
++__efistub_stext_offset = ABSOLUTE(stext - _text);
+ /*
+  * The EFI stub has its own symbol namespace prefixed by __efistub_, to
+-- 
+2.20.1
+
diff --git a/queue-4.19/arm64-mm-make-config_zone_dma32-configurable.patch b/queue-4.19/arm64-mm-make-config_zone_dma32-configurable.patch
new file mode 100644 (file)
index 0000000..682fde0
--- /dev/null
@@ -0,0 +1,66 @@
+From d83681e869bb2346e283093f50537862aee26fa7 Mon Sep 17 00:00:00 2001
+From: Miles Chen <miles.chen@mediatek.com>
+Date: Wed, 29 May 2019 00:08:20 +0800
+Subject: arm64: mm: make CONFIG_ZONE_DMA32 configurable
+
+[ Upstream commit 0c1f14ed12262f45a3af1d588e4d7bd12438b8f5 ]
+
+This change makes CONFIG_ZONE_DMA32 defuly y and allows users
+to overwrite it only when CONFIG_EXPERT=y.
+
+For the SoCs that do not need CONFIG_ZONE_DMA32, this is the
+first step to manage all available memory by a single
+zone(normal zone) to reduce the overhead of multiple zones.
+
+The change also fixes a build error when CONFIG_NUMA=y and
+CONFIG_ZONE_DMA32=n.
+
+arch/arm64/mm/init.c:195:17: error: use of undeclared identifier 'ZONE_DMA32'
+                max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
+
+Change since v1:
+1. only expose CONFIG_ZONE_DMA32 when CONFIG_EXPERT=y
+2. remove redundant IS_ENABLED(CONFIG_ZONE_DMA32)
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Miles Chen <miles.chen@mediatek.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig   | 3 ++-
+ arch/arm64/mm/init.c | 5 +++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 8790a29d0af4..e3ebece79617 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -251,7 +251,8 @@ config GENERIC_CALIBRATE_DELAY
+       def_bool y
+ config ZONE_DMA32
+-      def_bool y
++      bool "Support DMA32 zone" if EXPERT
++      default y
+ config HAVE_GENERIC_GUP
+       def_bool y
+diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
+index 774c3e17c798..29d2f425806e 100644
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -233,8 +233,9 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max)
+ {
+       unsigned long max_zone_pfns[MAX_NR_ZONES]  = {0};
+-      if (IS_ENABLED(CONFIG_ZONE_DMA32))
+-              max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
++#ifdef CONFIG_ZONE_DMA32
++      max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
++#endif
+       max_zone_pfns[ZONE_NORMAL] = max;
+       free_area_init_nodes(max_zone_pfns);
+-- 
+2.20.1
+
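Review bot: The new prompt `bool "Support DMA32 zone" if EXPERT` in arch/arm64/Kconfig has no `help` text, so someone who reaches the option under EXPERT gets no guidance on when disabling it is safe. The commit message only says the option is for SoCs that do not need the zone; a short help block saying that, and that the option should stay enabled when unsure, would carry it into the configuration interface. In zone_sizes_init() the move from IS_ENABLED() to `#ifdef CONFIG_ZONE_DMA32` is required because ZONE_DMA32 is undeclared when the option is off (per the quoted build error), and a one-line comment there would stop it being converted back.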
diff --git a/queue-4.19/asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch b/queue-4.19/asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch
new file mode 100644 (file)
index 0000000..e1d5264
--- /dev/null
@@ -0,0 +1,44 @@
+From 4e5dfda33080d73930b0c1dad953fe8b3046886e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeuszx.slawinski@linux.intel.com>
+Date: Mon, 17 Jun 2019 13:36:42 +0200
+Subject: ASoC: Intel: hdac_hdmi: Set ops to NULL on remove
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0f6ff78540bd1b4df1e0f17806b0ce2e1dff0d78 ]
+
+When we unload Skylake driver we may end up calling
+hdac_component_master_unbind(), it uses acomp->audio_ops, which we set
+in hdmi_codec_probe(), so we need to set it to NULL in hdmi_codec_remove(),
+otherwise we will dereference no longer existing pointer.
+
+Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdac_hdmi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
+index 63487240b61e..098196610542 100644
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -1854,6 +1854,12 @@ static void hdmi_codec_remove(struct snd_soc_component *component)
+ {
+       struct hdac_hdmi_priv *hdmi = snd_soc_component_get_drvdata(component);
+       struct hdac_device *hdev = hdmi->hdev;
++      int ret;
++
++      ret = snd_hdac_acomp_register_notifier(hdev->bus, NULL);
++      if (ret < 0)
++              dev_err(&hdev->dev, "notifier unregister failed: err: %d\n",
++                              ret);
+       pm_runtime_disable(&hdev->dev);
+ }
+-- 
+2.20.1
+
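Review bot: The call added to hdmi_codec_remove() passes NULL to snd_hdac_acomp_register_notifier() with no comment saying this is the unregister path, so the reason lives only in the commit message. A comment above it would keep the call from being dropped as dead code, for example `/* clear acomp->audio_ops: hdac_component_master_unbind() may still use it after this codec is removed */`. A failure is only logged and removal continues, which suits a void remove callback, but it presumably leaves the stale ops pointer in place in that case; the same comment should say so.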
diff --git a/queue-4.19/asoc-meson-axg-tdm-fix-sample-clock-inversion.patch b/queue-4.19/asoc-meson-axg-tdm-fix-sample-clock-inversion.patch
new file mode 100644 (file)
index 0000000..b469303
--- /dev/null
@@ -0,0 +1,38 @@
+From 5b6ba80c33890e2107d70ece63b8f97b79013074 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 13 Jun 2019 13:42:32 +0200
+Subject: ASoC: meson: axg-tdm: fix sample clock inversion
+
+[ Upstream commit cb36ff785e868992e96e8b9e5a0c2822b680a9e2 ]
+
+The content of SND_SOC_DAIFMT_FORMAT_MASK is a number, not a bitfield,
+so the test to check if the format is i2s is wrong. Because of this the
+clock setting may be wrong. For example, the sample clock gets inverted
+in DSP B mode, when it should not.
+
+Fix the lrclk invert helper function
+
+Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/meson/axg-tdm.h b/sound/soc/meson/axg-tdm.h
+index e578b6f40a07..5774ce0916d4 100644
+--- a/sound/soc/meson/axg-tdm.h
++++ b/sound/soc/meson/axg-tdm.h
+@@ -40,7 +40,7 @@ struct axg_tdm_iface {
+ static inline bool axg_tdm_lrclk_invert(unsigned int fmt)
+ {
+-      return (fmt & SND_SOC_DAIFMT_I2S) ^
++      return ((fmt & SND_SOC_DAIFMT_FORMAT_MASK) == SND_SOC_DAIFMT_I2S) ^
+               !!(fmt & (SND_SOC_DAIFMT_IB_IF | SND_SOC_DAIFMT_NB_IF));
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch b/queue-4.19/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
new file mode 100644 (file)
index 0000000..b253e00
--- /dev/null
@@ -0,0 +1,44 @@
+From fa82b58ea6710f16e92d4198c2743fca0c2fdcf5 Mon Sep 17 00:00:00 2001
+From: Anilkumar Kolli <akolli@codeaurora.org>
+Date: Wed, 6 Mar 2019 23:06:11 +0530
+Subject: ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
+
+[ Upstream commit d8792393a783158cbb2c39939cb897dc5e5299b6 ]
+
+Increase pulse width range from 1-2usec to 0-4usec.
+During data traffic HW occasionally fails detecting radar pulses,
+so that SW cannot get enough radar reports to achieve the success rate.
+
+Tested ath10k hw and fw:
+       * QCA9888(10.4-3.5.1-00052)
+       * QCA4019(10.4-3.2.1.1-00017)
+       * QCA9984(10.4-3.6-00104)
+       * QCA988X(10.2.4-1.0-00041)
+
+Tested ath9k hw: AR9300
+
+Tested-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index d52b31b45df7..a274eb0d1968 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -111,7 +111,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = {
+       JP_PATTERN(0, 0, 1, 1428, 1428, 1, 18, 29, false),
+       JP_PATTERN(1, 2, 3, 3846, 3846, 1, 18, 29, false),
+       JP_PATTERN(2, 0, 1, 1388, 1388, 1, 18, 50, false),
+-      JP_PATTERN(3, 1, 2, 4000, 4000, 1, 18, 50, false),
++      JP_PATTERN(3, 0, 4, 4000, 4000, 1, 18, 50, false),
+       JP_PATTERN(4, 0, 5, 150, 230, 1, 23, 50, false),
+       JP_PATTERN(5, 6, 10, 200, 500, 1, 16, 50, false),
+       JP_PATTERN(6, 11, 20, 200, 500, 1, 12, 50, false),
+-- 
+2.20.1
+
diff --git a/queue-4.19/ath10k-add-missing-error-handling.patch b/queue-4.19/ath10k-add-missing-error-handling.patch
new file mode 100644 (file)
index 0000000..a964658
--- /dev/null
@@ -0,0 +1,46 @@
+From 851f402bf238c7ff1c1c2ad684799c077044a7ac Mon Sep 17 00:00:00 2001
+From: Claire Chang <tientzu@chromium.org>
+Date: Thu, 23 May 2019 15:15:34 +0800
+Subject: ath10k: add missing error handling
+
+[ Upstream commit 4b553f3ca4cbde67399aa3a756c37eb92145b8a1 ]
+
+In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
+ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
+This will make the driver think the allocation for skb is successful and
+try to access the skb. If we enable failslab, system will easily crash with
+NULL pointer dereferencing.
+
+Call trace of CONFIG_FAILSLAB:
+ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
+process_sdio_pending_irqs+0x4c/0x174
+sdio_run_irqs+0x3c/0x64
+sdio_irq_work+0x1c/0x28
+
+Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
+Signed-off-by: Claire Chang <tientzu@chromium.org>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index 7f61591ce0de..cb527a21f1ac 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -613,6 +613,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
+                                                   full_len,
+                                                   last_in_bundle,
+                                                   last_in_bundle);
++              if (ret) {
++                      ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
++                      goto err;
++              }
+       }
+       ar_sdio->n_rx_pkts = i;
+-- 
+2.20.1
+
diff --git a/queue-4.19/ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch b/queue-4.19/ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch
new file mode 100644 (file)
index 0000000..d68da73
--- /dev/null
@@ -0,0 +1,67 @@
+From 3a5989cd150f4d9e46003e5ac5ef4339b27be1ff Mon Sep 17 00:00:00 2001
+From: Wen Gong <wgong@codeaurora.org>
+Date: Mon, 29 Apr 2019 19:17:12 +0800
+Subject: ath10k: add peer id check in ath10k_peer_find_by_id
+
+[ Upstream commit 49ed34b835e231aa941257394716bc689bc98d9f ]
+
+For some SDIO chip, the peer id is 65535 for MPDU with error status,
+then test_bit will trigger buffer overflow for peer's memory, if kasan
+enabled, it will report error.
+
+Reason is when station is in disconnecting status, firmware do not delete
+the peer info since it not disconnected completely, meanwhile some AP will
+still send data packet to station, then hardware will receive the packet
+and send to firmware, firmware's logic will report peer id of 65535 for
+MPDU with error status.
+
+Add check for overflow the size of peer's peer_ids will avoid the buffer
+overflow access.
+
+Call trace of kasan:
+dump_backtrace+0x0/0x2ec
+show_stack+0x20/0x2c
+__dump_stack+0x20/0x28
+dump_stack+0xc8/0xec
+print_address_description+0x74/0x240
+kasan_report+0x250/0x26c
+__asan_report_load8_noabort+0x20/0x2c
+ath10k_peer_find_by_id+0x180/0x1e4 [ath10k_core]
+ath10k_htt_t2h_msg_handler+0x100c/0x2fd4 [ath10k_core]
+ath10k_htt_htc_t2h_msg_handler+0x20/0x34 [ath10k_core]
+ath10k_sdio_irq_handler+0xcc8/0x1678 [ath10k_sdio]
+process_sdio_pending_irqs+0xec/0x370
+sdio_run_irqs+0x68/0xe4
+sdio_irq_work+0x1c/0x28
+process_one_work+0x3d8/0x8b0
+worker_thread+0x508/0x7cc
+kthread+0x24c/0x264
+ret_from_fork+0x10/0x18
+
+Tested with QCA6174 SDIO with firmware
+WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/txrx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
+index cda164f6e9f6..6f62ddc0494c 100644
+--- a/drivers/net/wireless/ath/ath10k/txrx.c
++++ b/drivers/net/wireless/ath/ath10k/txrx.c
+@@ -156,6 +156,9 @@ struct ath10k_peer *ath10k_peer_find_by_id(struct ath10k *ar, int peer_id)
+ {
+       struct ath10k_peer *peer;
++      if (peer_id >= BITS_PER_TYPE(peer->peer_ids))
++              return NULL;
++
+       lockdep_assert_held(&ar->data_lock);
+       list_for_each_entry(peer, &ar->peers, list)
+-- 
+2.20.1
+
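Review bot: The new range check in ath10k_peer_find_by_id() sits before `lockdep_assert_held(&ar->data_lock)`, so a caller that passes an out-of-range id without holding the lock is no longer caught by lockdep; placing the check below the assertion keeps both. `peer_id` is a signed `int`, and negative values appear to be rejected only because the comparison with the `BITS_PER_TYPE()` result converts it to unsigned, which deserves either a comment or an explicit `peer_id < 0 ||`. A one-line comment such as `/* peer_id is reported by firmware and can be out of range (65535 seen on errored MPDUs) */` would record why the guard exists. The function body continues outside the hunk.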
diff --git a/queue-4.19/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch b/queue-4.19/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch
new file mode 100644 (file)
index 0000000..d210229
--- /dev/null
@@ -0,0 +1,38 @@
+From b5ed3bc4a7667ae71f6e5a2f7650a928b9e8d4df Mon Sep 17 00:00:00 2001
+From: Wen Gong <wgong@codeaurora.org>
+Date: Thu, 27 Jun 2019 21:21:51 +0300
+Subject: ath10k: destroy sdio workqueue while remove sdio module
+
+[ Upstream commit 3ed39f8e747a7aafeec07bb244f2c3a1bdca5730 ]
+
+The workqueue need to flush and destory while remove sdio module,
+otherwise it will have thread which is not destory after remove
+sdio modules.
+
+Tested with QCA6174 SDIO with firmware
+WLAN.RMH.4.4.1-00007-QCARMSWP-1.
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index cb527a21f1ac..686759b5613f 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -2073,6 +2073,9 @@ static void ath10k_sdio_remove(struct sdio_func *func)
+       cancel_work_sync(&ar_sdio->wr_async_work);
+       ath10k_core_unregister(ar);
+       ath10k_core_destroy(ar);
++
++      flush_workqueue(ar_sdio->workqueue);
++      destroy_workqueue(ar_sdio->workqueue);
+ }
+ static const struct sdio_device_id ath10k_sdio_devices[] = {
+-- 
+2.20.1
+
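Review bot: The added `flush_workqueue(ar_sdio->workqueue)` and `destroy_workqueue(ar_sdio->workqueue)` read `ar_sdio` after `ath10k_core_destroy(ar)` has already run. If `ar_sdio` is the driver-private area allocated together with `ar` (its assignment is outside this hunk, so this needs checking), that is a use after free on module removal. Either move the two calls above `ath10k_core_destroy(ar)` or copy the pointer first, `struct workqueue_struct *wq = ar_sdio->workqueue;`, and destroy `wq` afterwards. The explicit flush is also redundant, because destroy_workqueue() drains pending work itself.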
diff --git a/queue-4.19/ath10k-do-not-send-probe-response-template-for-mesh.patch b/queue-4.19/ath10k-do-not-send-probe-response-template-for-mesh.patch
new file mode 100644 (file)
index 0000000..003a430
--- /dev/null
@@ -0,0 +1,43 @@
+From bbdccce301d9cc7117d0746e7f3e6ed2311c8945 Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Date: Wed, 17 Apr 2019 14:01:46 +0530
+Subject: ath10k: Do not send probe response template for mesh
+
+[ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ]
+
+Currently mac80211 do not support probe response template for
+mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host
+driver tries to configure probe response template for mesh, but
+it fails because the interface type is not NL80211_IFTYPE_AP but
+NL80211_IFTYPE_MESH_POINT.
+
+To avoid this failure, skip sending probe response template to
+firmware for mesh point.
+
+Tested HW: WCN3990/QCA6174/QCA9984
+
+Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index f3b1cfacfe9d..1419f9d1505f 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1624,6 +1624,10 @@ static int ath10k_mac_setup_prb_tmpl(struct ath10k_vif *arvif)
+       if (arvif->vdev_type != WMI_VDEV_TYPE_AP)
+               return 0;
++       /* For mesh, probe response and beacon share the same template */
++      if (ieee80211_vif_is_mesh(vif))
++              return 0;
++
+       prb = ieee80211_proberesp_get(hw, vif);
+       if (!prb) {
+               ath10k_warn(ar, "failed to get probe resp template from mac80211\n");
+-- 
+2.20.1
+
diff --git a/queue-4.19/ath10k-fix-pcie-device-wake-up-failed.patch b/queue-4.19/ath10k-fix-pcie-device-wake-up-failed.patch
new file mode 100644 (file)
index 0000000..301b01a
--- /dev/null
@@ -0,0 +1,49 @@
+From e33e78d6993271b7e82fcabc9ff8c6b634183124 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Thu, 30 May 2019 09:49:20 +0800
+Subject: ath10k: fix PCIE device wake up failed
+
+[ Upstream commit 011d4111c8c602ea829fa4917af1818eb0500a90 ]
+
+Observed PCIE device wake up failed after ~120 iterations of
+soft-reboot test. The error message is
+"ath10k_pci 0000:01:00.0: failed to wake up device : -110"
+
+The call trace as below:
+ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait ->
+ath10k_pci_is_awake
+
+Once trigger the device to wake up, we will continuously check the RTC
+state until it returns RTC_STATE_V_ON or timeout.
+
+But for QCA99x0 chips, we use wrong value for RTC_STATE_V_ON.
+Occasionally, we get 0x7 on the fist read, we thought as a failure
+case, but actually is the right value, also verified with the spec.
+So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed
+~2000 iterations.
+
+Tested HW: QCA9984
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c
+index 677535b3d207..476e0535f06f 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.c
++++ b/drivers/net/wireless/ath/ath10k/hw.c
+@@ -168,7 +168,7 @@ const struct ath10k_hw_values qca6174_values = {
+ };
+ const struct ath10k_hw_values qca99x0_values = {
+-      .rtc_state_val_on               = 5,
++      .rtc_state_val_on               = 7,
+       .ce_count                       = 12,
+       .msi_assign_ce_max              = 12,
+       .num_target_ce_config_wlan      = 10,
+-- 
+2.20.1
+
diff --git a/queue-4.19/ath6kl-add-some-bounds-checking.patch b/queue-4.19/ath6kl-add-some-bounds-checking.patch
new file mode 100644 (file)
index 0000000..0f5615c
--- /dev/null
@@ -0,0 +1,62 @@
+From ea9339d5cce705f92d2fb9751c5e0748c765ad70 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Apr 2019 11:56:51 +0300
+Subject: ath6kl: add some bounds checking
+
+[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
+
+The "ev->traffic_class" and "reply->ac" variables come from the network
+and they're used as an offset into the wmi->stream_exist_for_ac[] array.
+Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
+array only has WMM_NUM_AC (4) elements.  We need to add a couple bounds
+checks to prevent array overflows.
+
+I also modified one existing check from "if (traffic_class > 3) {" to
+"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
+
+Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index 777acc564ac9..bc7916f2add0 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -1178,6 +1178,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
+               return -EINVAL;
+       ev = (struct wmi_pstream_timeout_event *) datap;
++      if (ev->traffic_class >= WMM_NUM_AC) {
++              ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
++              return -EINVAL;
++      }
+       /*
+        * When the pstream (fat pipe == AC) timesout, it means there were
+@@ -1519,6 +1523,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
+               return -EINVAL;
+       reply = (struct wmi_cac_event *) datap;
++      if (reply->ac >= WMM_NUM_AC) {
++              ath6kl_err("invalid AC: %d\n", reply->ac);
++              return -EINVAL;
++      }
+       if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
+           (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
+@@ -2635,7 +2643,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+       u16 active_tsids = 0;
+       int ret;
+-      if (traffic_class > 3) {
++      if (traffic_class >= WMM_NUM_AC) {
+               ath6kl_err("invalid traffic class: %d\n", traffic_class);
+               return -EINVAL;
+       }
+-- 
+2.20.1
+
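Review bot: Both new guards, in ath6kl_wmi_pstream_timeout_event_rx() and ath6kl_wmi_cac_event_rx(), log through `ath6kl_err()` on a value the commit message says comes from the network, so a misbehaving peer that keeps sending out-of-range values could produce one error line per event. Unless ath6kl_err() is already rate limited (its definition is not visible here), I would guard the message, e.g. `if (net_ratelimit()) ath6kl_err("invalid AC: %d\n", reply->ac);`, or demote it to the driver's debug level. The bounds checks themselves are placed correctly, after the cast and before the value is used as an index. Both functions continue outside the hunks.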
diff --git a/queue-4.19/ath9k-check-for-errors-when-reading-srev-register.patch b/queue-4.19/ath9k-check-for-errors-when-reading-srev-register.patch
new file mode 100644 (file)
index 0000000..79d8e1e
--- /dev/null
@@ -0,0 +1,121 @@
+From 45d42dd10f31cc756c27ffbf0e355c314bff972f Mon Sep 17 00:00:00 2001
+From: Tim Schumacher <timschumi@gmx.de>
+Date: Mon, 18 Mar 2019 20:05:57 +0100
+Subject: ath9k: Check for errors when reading SREV register
+
+[ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ]
+
+Right now, if an error is encountered during the SREV register
+read (i.e. an EIO in ath9k_regread()), that error code gets
+passed all the way to __ath9k_hw_init(), where it is visible
+during the "Chip rev not supported" message.
+
+    ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+    ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath9k_htc: Failed to initialize the device
+
+Check for -EIO explicitly in ath9k_hw_read_revisions() and return
+a boolean based on the success of the operation. Check for that in
+__ath9k_hw_init() and abort with a more debugging-friendly message
+if reading the revisions wasn't successful.
+
+    ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+    ath: phy2: Failed to read SREV register
+    ath: phy2: Could not read hardware revision
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath9k_htc: Failed to initialize the device
+
+This helps when debugging by directly showing the first point of
+failure and it could prevent possible errors if a 0x0f.3 revision
+is ever supported.
+
+Signed-off-by: Tim Schumacher <timschumi@gmx.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 32 +++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index bb319f22761f..b4f7ee423d40 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -252,8 +252,9 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah,
+ /* Chip Revisions */
+ /******************/
+-static void ath9k_hw_read_revisions(struct ath_hw *ah)
++static bool ath9k_hw_read_revisions(struct ath_hw *ah)
+ {
++      u32 srev;
+       u32 val;
+       if (ah->get_mac_revision)
+@@ -269,25 +270,33 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+                       val = REG_READ(ah, AR_SREV);
+                       ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+               }
+-              return;
++              return true;
+       case AR9300_DEVID_AR9340:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9340;
+-              return;
++              return true;
+       case AR9300_DEVID_QCA955X:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9550;
+-              return;
++              return true;
+       case AR9300_DEVID_AR953X:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9531;
+-              return;
++              return true;
+       case AR9300_DEVID_QCA956X:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9561;
+-              return;
++              return true;
+       }
+-      val = REG_READ(ah, AR_SREV) & AR_SREV_ID;
++      srev = REG_READ(ah, AR_SREV);
++
++      if (srev == -EIO) {
++              ath_err(ath9k_hw_common(ah),
++                      "Failed to read SREV register");
++              return false;
++      }
++
++      val = srev & AR_SREV_ID;
+       if (val == 0xFF) {
+-              val = REG_READ(ah, AR_SREV);
++              val = srev;
+               ah->hw_version.macVersion =
+                       (val & AR_SREV_VERSION2) >> AR_SREV_TYPE2_S;
+               ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+@@ -306,6 +315,8 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+               if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCIE)
+                       ah->is_pciexpress = true;
+       }
++
++      return true;
+ }
+ /************************************/
+@@ -559,7 +570,10 @@ static int __ath9k_hw_init(struct ath_hw *ah)
+       struct ath_common *common = ath9k_hw_common(ah);
+       int r = 0;
+-      ath9k_hw_read_revisions(ah);
++      if (!ath9k_hw_read_revisions(ah)) {
++              ath_err(common, "Could not read hardware revisions");
++              return -EOPNOTSUPP;
++      }
+       switch (ah->hw_version.macVersion) {
+       case AR_SREV_VERSION_5416_PCI:
+-- 
+2.20.1
+
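Review bot: The new failure test `if (srev == -EIO)` in ath9k_hw_read_revisions() compares a `u32` register value with a negative errno, so the error is signalled in-band and a register that genuinely read back that bit pattern would be reported as a failed read; a comment next to the check should say that REG_READ() can return the error code this way. Only the final read is covered: the `val = REG_READ(ah, AR_SREV)` inside the first switch case is still unchecked and that path returns true. Both new `ath_err()` strings also lack the trailing newline that kernel log messages normally carry, i.e. `"Failed to read SREV register\n"` and `"Could not read hardware revisions\n"`. Both functions continue outside the hunks.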
diff --git a/queue-4.19/batman-adv-fix-duplicated-ogms-on-netdev_up.patch b/queue-4.19/batman-adv-fix-duplicated-ogms-on-netdev_up.patch
new file mode 100644 (file)
index 0000000..fd41b6d
--- /dev/null
@@ -0,0 +1,93 @@
+From b3f827ec42b186123d71c982f3360ff773b0682c Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 2 Jun 2019 10:57:31 +0200
+Subject: batman-adv: Fix duplicated OGMs on NETDEV_UP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 9e6b5648bbc4cd48fab62cecbb81e9cc3c6e7e88 ]
+
+The state of slave interfaces are handled differently depending on whether
+the interface is up or not. All active interfaces (IFF_UP) will transmit
+OGMs. But for B.A.T.M.A.N. IV, also non-active interfaces are scheduling
+(low TTL) OGMs on active interfaces. The code which setups and schedules
+the OGMs must therefore already be called when the interfaces gets added as
+slave interface and the transmit function must then check whether it has to
+send out the OGM or not on the specific slave interface.
+
+But the commit f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule
+API calls") moved the setup code from the enable function to the activate
+function. The latter is called either when the added slave was already up
+when batadv_hardif_enable_interface processed the new interface or when a
+NETDEV_UP event was received for this slave interfac. As result, each
+NETDEV_UP would schedule a new OGM worker for the interface and thus OGMs
+would be send a lot more than expected.
+
+Fixes: f0d97253fb5f ("batman-adv: remove ogm_emit and ogm_schedule API calls")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Tested-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_iv_ogm.c     | 4 ++--
+ net/batman-adv/hard-interface.c | 3 +++
+ net/batman-adv/types.h          | 3 +++
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 73bf6a93a3cf..0b7b36fa0d5c 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -2485,7 +2485,7 @@ batadv_iv_ogm_neigh_is_sob(struct batadv_neigh_node *neigh1,
+       return ret;
+ }
+-static void batadv_iv_iface_activate(struct batadv_hard_iface *hard_iface)
++static void batadv_iv_iface_enabled(struct batadv_hard_iface *hard_iface)
+ {
+       /* begin scheduling originator messages on that interface */
+       batadv_iv_ogm_schedule(hard_iface);
+@@ -2825,8 +2825,8 @@ static void batadv_iv_gw_dump(struct sk_buff *msg, struct netlink_callback *cb,
+ static struct batadv_algo_ops batadv_batman_iv __read_mostly = {
+       .name = "BATMAN_IV",
+       .iface = {
+-              .activate = batadv_iv_iface_activate,
+               .enable = batadv_iv_ogm_iface_enable,
++              .enabled = batadv_iv_iface_enabled,
+               .disable = batadv_iv_ogm_iface_disable,
+               .update_mac = batadv_iv_ogm_iface_update_mac,
+               .primary_set = batadv_iv_ogm_primary_iface_set,
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index 08690d06b7be..36f0962040d1 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -821,6 +821,9 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
+       batadv_hardif_recalc_extra_skbroom(soft_iface);
++      if (bat_priv->algo_ops->iface.enabled)
++              bat_priv->algo_ops->iface.enabled(hard_iface);
++
+ out:
+       return 0;
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index eeee3e61c625..fdba8a144d73 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -2130,6 +2130,9 @@ struct batadv_algo_iface_ops {
+       /** @enable: init routing info when hard-interface is enabled */
+       int (*enable)(struct batadv_hard_iface *hard_iface);
++      /** @enabled: notification when hard-interface was enabled (optional) */
++      void (*enabled)(struct batadv_hard_iface *hard_iface);
++
+       /** @disable: de-init routing info when hard-interface is disabled */
+       void (*disable)(struct batadv_hard_iface *hard_iface);
+-- 
+2.20.1
+
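Review bot: The kernel-doc added for `enabled` in struct batadv_algo_iface_ops says only that it is a notification, and leaves out the property this fix depends on: it runs once per batadv_hardif_enable_interface() call rather than on each NETDEV_UP. I would extend it to `/** @enabled: notification when hard-interface was enabled (optional); called once per enable, not on every NETDEV_UP */`. In hard-interface.c the callback is invoked just before the `out:` label, so whether any earlier path reaches `out:` without it depends on code outside the hunk and is worth a check.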
diff --git a/queue-4.19/batman-adv-fix-for-leaked-tvlv-handler.patch b/queue-4.19/batman-adv-fix-for-leaked-tvlv-handler.patch
new file mode 100644 (file)
index 0000000..9231c6d
--- /dev/null
@@ -0,0 +1,37 @@
+From 9523ab303333cb9a3af3828b99a840bbc09c0a05 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Tue, 21 May 2019 20:58:57 +0100
+Subject: batman-adv: fix for leaked TVLV handler.
+
+[ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ]
+
+A handler for BATADV_TVLV_ROAM was being registered when the
+translation-table was initialized, but not unregistered when the
+translation-table was freed.  Unregister it.
+
+Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
+Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 359ec1a6e822..9fa5389ea244 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -3821,6 +3821,8 @@ static void batadv_tt_purge(struct work_struct *work)
+  */
+ void batadv_tt_free(struct batadv_priv *bat_priv)
+ {
++      batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);
++
+       batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1);
+       batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1);
+-- 
+2.20.1
+
diff --git a/queue-4.19/bcache-acquire-bch_register_lock-later-in-cached_dev.patch b/queue-4.19/bcache-acquire-bch_register_lock-later-in-cached_dev.patch
new file mode 100644 (file)
index 0000000..cec7eed
--- /dev/null
@@ -0,0 +1,163 @@
+From aa9e10c095139de91f6f212d93a60edf9446f031 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:48 +0800
+Subject: bcache: acquire bch_register_lock later in cached_dev_free()
+
+[ Upstream commit 80265d8dfd77792e133793cef44a21323aac2908 ]
+
+When enable lockdep engine, a lockdep warning can be observed when
+reboot or shutdown system,
+
+[ 3142.764557][    T1] bcache: bcache_reboot() Stopping all devices:
+[ 3142.776265][ T2649]
+[ 3142.777159][ T2649] ======================================================
+[ 3142.780039][ T2649] WARNING: possible circular locking dependency detected
+[ 3142.782869][ T2649] 5.2.0-rc4-lp151.20-default+ #1 Tainted: G        W
+[ 3142.785684][ T2649] ------------------------------------------------------
+[ 3142.788479][ T2649] kworker/3:67/2649 is trying to acquire lock:
+[ 3142.790738][ T2649] 00000000aaf02291 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0
+[ 3142.794678][ T2649]
+[ 3142.794678][ T2649] but task is already holding lock:
+[ 3142.797402][ T2649] 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
+[ 3142.801462][ T2649]
+[ 3142.801462][ T2649] which lock already depends on the new lock.
+[ 3142.801462][ T2649]
+[ 3142.805277][ T2649]
+[ 3142.805277][ T2649] the existing dependency chain (in reverse order) is:
+[ 3142.808902][ T2649]
+[ 3142.808902][ T2649] -> #2 (&bch_register_lock){+.+.}:
+[ 3142.812396][ T2649]        __mutex_lock+0x7a/0x9d0
+[ 3142.814184][ T2649]        cached_dev_free+0x17/0x120 [bcache]
+[ 3142.816415][ T2649]        process_one_work+0x2a4/0x640
+[ 3142.818413][ T2649]        worker_thread+0x39/0x3f0
+[ 3142.820276][ T2649]        kthread+0x125/0x140
+[ 3142.822061][ T2649]        ret_from_fork+0x3a/0x50
+[ 3142.823965][ T2649]
+[ 3142.823965][ T2649] -> #1 ((work_completion)(&cl->work)#2){+.+.}:
+[ 3142.827244][ T2649]        process_one_work+0x277/0x640
+[ 3142.829160][ T2649]        worker_thread+0x39/0x3f0
+[ 3142.830958][ T2649]        kthread+0x125/0x140
+[ 3142.832674][ T2649]        ret_from_fork+0x3a/0x50
+[ 3142.834915][ T2649]
+[ 3142.834915][ T2649] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}:
+[ 3142.838121][ T2649]        lock_acquire+0xb4/0x1c0
+[ 3142.840025][ T2649]        flush_workqueue+0xae/0x4c0
+[ 3142.842035][ T2649]        drain_workqueue+0xa9/0x180
+[ 3142.844042][ T2649]        destroy_workqueue+0x17/0x250
+[ 3142.846142][ T2649]        cached_dev_free+0x52/0x120 [bcache]
+[ 3142.848530][ T2649]        process_one_work+0x2a4/0x640
+[ 3142.850663][ T2649]        worker_thread+0x39/0x3f0
+[ 3142.852464][ T2649]        kthread+0x125/0x140
+[ 3142.854106][ T2649]        ret_from_fork+0x3a/0x50
+[ 3142.855880][ T2649]
+[ 3142.855880][ T2649] other info that might help us debug this:
+[ 3142.855880][ T2649]
+[ 3142.859663][ T2649] Chain exists of:
+[ 3142.859663][ T2649]   (wq_completion)bcache_writeback_wq --> (work_completion)(&cl->work)#2 --> &bch_register_lock
+[ 3142.859663][ T2649]
+[ 3142.865424][ T2649]  Possible unsafe locking scenario:
+[ 3142.865424][ T2649]
+[ 3142.868022][ T2649]        CPU0                    CPU1
+[ 3142.869885][ T2649]        ----                    ----
+[ 3142.871751][ T2649]   lock(&bch_register_lock);
+[ 3142.873379][ T2649]                                lock((work_completion)(&cl->work)#2);
+[ 3142.876399][ T2649]                                lock(&bch_register_lock);
+[ 3142.879727][ T2649]   lock((wq_completion)bcache_writeback_wq);
+[ 3142.882064][ T2649]
+[ 3142.882064][ T2649]  *** DEADLOCK ***
+[ 3142.882064][ T2649]
+[ 3142.885060][ T2649] 3 locks held by kworker/3:67/2649:
+[ 3142.887245][ T2649]  #0: 00000000e774cdd0 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640
+[ 3142.890815][ T2649]  #1: 00000000f7df89da ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
+[ 3142.894884][ T2649]  #2: 000000004fcf89c5 (&bch_register_lock){+.+.}, at: cached_dev_free+0x17/0x120 [bcache]
+[ 3142.898797][ T2649]
+[ 3142.898797][ T2649] stack backtrace:
+[ 3142.900961][ T2649] CPU: 3 PID: 2649 Comm: kworker/3:67 Tainted: G        W         5.2.0-rc4-lp151.20-default+ #1
+[ 3142.904789][ T2649] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
+[ 3142.909168][ T2649] Workqueue: events cached_dev_free [bcache]
+[ 3142.911422][ T2649] Call Trace:
+[ 3142.912656][ T2649]  dump_stack+0x85/0xcb
+[ 3142.914181][ T2649]  print_circular_bug+0x19a/0x1f0
+[ 3142.916193][ T2649]  __lock_acquire+0x16cd/0x1850
+[ 3142.917936][ T2649]  ? __lock_acquire+0x6a8/0x1850
+[ 3142.919704][ T2649]  ? lock_acquire+0xb4/0x1c0
+[ 3142.921335][ T2649]  ? find_held_lock+0x34/0xa0
+[ 3142.923052][ T2649]  lock_acquire+0xb4/0x1c0
+[ 3142.924635][ T2649]  ? flush_workqueue+0x87/0x4c0
+[ 3142.926375][ T2649]  flush_workqueue+0xae/0x4c0
+[ 3142.928047][ T2649]  ? flush_workqueue+0x87/0x4c0
+[ 3142.929824][ T2649]  ? drain_workqueue+0xa9/0x180
+[ 3142.931686][ T2649]  drain_workqueue+0xa9/0x180
+[ 3142.933534][ T2649]  destroy_workqueue+0x17/0x250
+[ 3142.935787][ T2649]  cached_dev_free+0x52/0x120 [bcache]
+[ 3142.937795][ T2649]  process_one_work+0x2a4/0x640
+[ 3142.939803][ T2649]  worker_thread+0x39/0x3f0
+[ 3142.941487][ T2649]  ? process_one_work+0x640/0x640
+[ 3142.943389][ T2649]  kthread+0x125/0x140
+[ 3142.944894][ T2649]  ? kthread_create_worker_on_cpu+0x70/0x70
+[ 3142.947744][ T2649]  ret_from_fork+0x3a/0x50
+[ 3142.970358][ T2649] bcache: bcache_device_free() bcache0 stopped
+
+Here is how the deadlock happens.
+1) bcache_reboot() calls bcache_device_stop(), then inside
+   bcache_device_stop() BCACHE_DEV_CLOSING bit is set on d->flags.
+   Then closure_queue(&d->cl) is called to invoke cached_dev_flush().
+2) In cached_dev_flush(), cached_dev_free() is called by continu_at().
+3) In cached_dev_free(), when stopping the writeback kthread of the
+   cached device by kthread_stop(), dc->writeback_thread will be waken
+   up to quite the kthread while-loop, then cached_dev_put() is called
+   in bch_writeback_thread().
+4) Calling cached_dev_put() in writeback kthread may drop dc->count to
+   0, then dc->detach kworker is scheduled, which is initialized as
+   cached_dev_detach_finish().
+5) Inside cached_dev_detach_finish(), the last line of code is to call
+   closure_put(&dc->disk.cl), which drops the last reference counter of
+   closrure dc->disk.cl, then the callback cached_dev_flush() gets
+   called.
+Now cached_dev_flush() is called for second time in the code path, the
+first time is in step 2). And again bch_register_lock will be acquired
+again, and a A-A lock (lockdep terminology) is happening.
+
+The root cause of the above A-A lock is in cached_dev_free(), mutex
+bch_register_lock is held before stopping writeback kthread and other
+kworkers. Fortunately now we have variable 'bcache_is_reboot', which may
+prevent device registration or unregistration during reboot/shutdown
+time, so it is unncessary to hold bch_register_lock such early now.
+
+This is how this patch fixes the reboot/shutdown time A-A lock issue:
+After moving mutex_lock(&bch_register_lock) to a later location where
+before atomic_read(&dc->running) in cached_dev_free(), such A-A lock
+problem can be solved without any reboot time registration race.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 2409507d7bff..ca39cf20aa96 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1180,8 +1180,6 @@ static void cached_dev_free(struct closure *cl)
+ {
+       struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl);
+-      mutex_lock(&bch_register_lock);
+-
+       if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags))
+               cancel_writeback_rate_update_dwork(dc);
+@@ -1192,6 +1190,8 @@ static void cached_dev_free(struct closure *cl)
+       if (!IS_ERR_OR_NULL(dc->status_update_thread))
+               kthread_stop(dc->status_update_thread);
++      mutex_lock(&bch_register_lock);
++
+       if (atomic_read(&dc->running))
+               bd_unlink_disk_holder(dc->bdev, dc->disk.disk);
+       bcache_device_free(&dc->disk);
+-- 
+2.20.1
+
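Review bot: With `mutex_lock(&bch_register_lock)` moved below the kthread_stop() calls, cancel_writeback_rate_update_dwork() and the thread teardown in cached_dev_free() now run without the register lock. The description justifies this by `bcache_is_reboot`, which this patch neither adds nor touches in code. For the 4.19 queue it is worth confirming that the commit introducing `bcache_is_reboot` is applied ahead of this one; otherwise the registration race the description rules out is not actually excluded. A comment above the relocated lock would keep the ordering from being undone later, e.g. `/* taken only after the kthreads are stopped: stopping them can re-enter code that takes bch_register_lock */`. cached_dev_free() continues beyond the hunk, so the matching unlock is not visible here.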
diff --git a/queue-4.19/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch b/queue-4.19/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
new file mode 100644 (file)
index 0000000..5fda040
--- /dev/null
@@ -0,0 +1,128 @@
+From 64539a31c440f5d2766d9952a238119091b4b2ea Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:25 +0800
+Subject: bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
+
+[ Upstream commit b387e9b58679c60f5b1e4313939bd4878204fc37 ]
+
+When system memory is in heavy pressure, bch_gc_thread_start() from
+run_cache_set() may fail due to out of memory. In such condition,
+c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following
+failure code path bch_cache_set_error(), when cache_set_flush() gets
+called, the code piece to stop c->gc_thread is broken,
+         if (!IS_ERR_OR_NULL(c->gc_thread))
+                 kthread_stop(c->gc_thread);
+
+And KASAN catches such NULL pointer deference problem, with the warning
+information:
+
+[  561.207881] ==================================================================
+[  561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440
+[  561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313
+
+[  561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G        W         5.0.0-vanilla+ #3
+[  561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[  561.207935] Workqueue: events cache_set_flush [bcache]
+[  561.207940] Call Trace:
+[  561.207948]  dump_stack+0x9a/0xeb
+[  561.207955]  ? kthread_stop+0x3b/0x440
+[  561.207960]  ? kthread_stop+0x3b/0x440
+[  561.207965]  kasan_report+0x176/0x192
+[  561.207973]  ? kthread_stop+0x3b/0x440
+[  561.207981]  kthread_stop+0x3b/0x440
+[  561.207995]  cache_set_flush+0xd4/0x6d0 [bcache]
+[  561.208008]  process_one_work+0x856/0x1620
+[  561.208015]  ? find_held_lock+0x39/0x1d0
+[  561.208028]  ? drain_workqueue+0x380/0x380
+[  561.208048]  worker_thread+0x87/0xb80
+[  561.208058]  ? __kthread_parkme+0xb6/0x180
+[  561.208067]  ? process_one_work+0x1620/0x1620
+[  561.208072]  kthread+0x326/0x3e0
+[  561.208079]  ? kthread_create_worker_on_cpu+0xc0/0xc0
+[  561.208090]  ret_from_fork+0x3a/0x50
+[  561.208110] ==================================================================
+[  561.208113] Disabling lock debugging due to kernel taint
+[  561.208115] irq event stamp: 11800231
+[  561.208126] hardirqs last  enabled at (11800231): [<ffffffff83008538>] do_syscall_64+0x18/0x410
+[  561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+[  561.208129] #PF error: [WRITE]
+[  561.312253] hardirqs last disabled at (11800230): [<ffffffff830052ff>] trace_hardirqs_off_thunk+0x1a/0x1c
+[  561.312259] softirqs last  enabled at (11799832): [<ffffffff850005c7>] __do_softirq+0x5c7/0x8c3
+[  561.405975] PGD 0 P4D 0
+[  561.442494] softirqs last disabled at (11799821): [<ffffffff831add2c>] irq_exit+0x1ac/0x1e0
+[  561.791359] Oops: 0002 [#1] SMP KASAN NOPTI
+[  561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G    B   W         5.0.0-vanilla+ #3
+[  561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[  561.791371] Workqueue: events cache_set_flush [bcache]
+[  561.791374] RIP: 0010:kthread_stop+0x3b/0x440
+[  561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 <f0> ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48
+[  561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286
+[  561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314
+[  563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297
+[  563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d
+[  563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c
+[  563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68
+[  563.408620] FS:  0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000
+[  563.408622] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0
+[  563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  563.915796] PKRU: 55555554
+[  563.915797] Call Trace:
+[  563.915807]  cache_set_flush+0xd4/0x6d0 [bcache]
+[  563.915812]  process_one_work+0x856/0x1620
+[  564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.033563]  ? find_held_lock+0x39/0x1d0
+[  564.033567]  ? drain_workqueue+0x380/0x380
+[  564.033574]  worker_thread+0x87/0xb80
+[  564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.118042]  ? __kthread_parkme+0xb6/0x180
+[  564.118046]  ? process_one_work+0x1620/0x1620
+[  564.118048]  kthread+0x326/0x3e0
+[  564.118050]  ? kthread_create_worker_on_cpu+0xc0/0xc0
+[  564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.252441]  ret_from_fork+0x3a/0x50
+[  564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
+[  564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.348360] CR2: 000000000000001c
+[  564.348362] ---[ end trace b7f0e5cc7b2103b0 ]---
+
+Therefore, it is not enough to only check whether c->gc_thread is NULL,
+we should use IS_ERR_OR_NULL() to check both NULL pointer and error
+value.
+
+This patch changes the above buggy code piece in this way,
+         if (!IS_ERR_OR_NULL(c->gc_thread))
+                 kthread_stop(c->gc_thread);
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index ca39cf20aa96..be8054c04eb7 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1552,7 +1552,7 @@ static void cache_set_flush(struct closure *cl)
+       kobject_put(&c->internal);
+       kobject_del(&c->kobj);
+-      if (c->gc_thread)
++      if (!IS_ERR_OR_NULL(c->gc_thread))
+               kthread_stop(c->gc_thread);
+       if (!IS_ERR_OR_NULL(c->root))
+-- 
+2.20.1
+
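Review bot: The `!IS_ERR_OR_NULL(c->gc_thread)` test in cache_set_flush() handles the stale error pointer at one consumer only, while the field still holds the error value after the failed start. Clearing it where thread creation fails (bch_gc_thread_start() per the description, outside this hunk) would protect every reader, since any other site that tests `c->gc_thread` for NULL alone would hit the same fault. Separately, the description quotes the already-fixed condition as the broken code, so its two snippets are identical; the first should read `if (c->gc_thread)`. cache_set_flush() starts and ends outside the hunk.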
diff --git a/queue-4.19/bcache-check-cache_set_io_disable-bit-in-bch_journal.patch b/queue-4.19/bcache-check-cache_set_io_disable-bit-in-bch_journal.patch
new file mode 100644 (file)
index 0000000..e9961bd
--- /dev/null
@@ -0,0 +1,43 @@
+From 517ae9aa0d1bfb85606ef7de0e83b26c2024da56 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:36 +0800
+Subject: bcache: check CACHE_SET_IO_DISABLE bit in bch_journal()
+
+[ Upstream commit 383ff2183ad16a8842d1fbd9dd3e1cbd66813e64 ]
+
+When too many I/O errors happen on cache set and CACHE_SET_IO_DISABLE
+bit is set, bch_journal() may continue to work because the journaling
+bkey might be still in write set yet. The caller of bch_journal() may
+believe the journal still work but the truth is in-memory journal write
+set won't be written into cache device any more. This behavior may
+introduce potential inconsistent metadata status.
+
+This patch checks CACHE_SET_IO_DISABLE bit at the head of bch_journal(),
+if the bit is set, bch_journal() returns NULL immediately to notice
+caller to know journal does not work.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index f880e5eba8dd..8d4d63b51553 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -810,6 +810,10 @@ atomic_t *bch_journal(struct cache_set *c,
+       struct journal_write *w;
+       atomic_t *ret;
++      /* No journaling if CACHE_SET_IO_DISABLE set already */
++      if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &c->flags)))
++              return NULL;
++
+       if (!CACHE_SYNC(&c->sb))
+               return NULL;
+-- 
+2.20.1
+
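Review bot: Returning NULL for CACHE_SET_IO_DISABLE in bch_journal() reuses the value that the following `!CACHE_SYNC(&c->sb)` check already returns. A caller therefore cannot tell "journaling is off by configuration" from "the journal no longer accepts writes", which is the distinction the description says it wants to signal. The callers are outside this hunk; if they treat NULL as "nothing to wait for" and carry on with the insert, the metadata inconsistency this patch targets may still be reachable, and they would need their own CACHE_SET_IO_DISABLE test. At minimum the comment could state the contract, e.g. `/* I/O disabled: NULL as in the !CACHE_SYNC case; callers must test CACHE_SET_IO_DISABLE themselves */`. The function body continues past the end of the hunk.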
diff --git a/queue-4.19/bcache-check-cache_set_io_disable-in-allocator-code.patch b/queue-4.19/bcache-check-cache_set_io_disable-in-allocator-code.patch
new file mode 100644 (file)
index 0000000..f40d256
--- /dev/null
@@ -0,0 +1,56 @@
+From a06e56e8d8e0c83480ef6bf2acdfc41bdb343a55 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:35 +0800
+Subject: bcache: check CACHE_SET_IO_DISABLE in allocator code
+
+[ Upstream commit e775339e1ae1205b47d94881db124c11385e597c ]
+
+If CACHE_SET_IO_DISABLE of a cache set flag is set by too many I/O
+errors, currently allocator routines can still continue allocate
+space which may introduce inconsistent metadata state.
+
+This patch checkes CACHE_SET_IO_DISABLE bit in following allocator
+routines,
+- bch_bucket_alloc()
+- __bch_bucket_alloc_set()
+Once CACHE_SET_IO_DISABLE is set on cache set, the allocator routines
+may reject allocation request earlier to avoid potential inconsistent
+metadata.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/alloc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
+index de85b3af3b39..9c3beb1e382b 100644
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -393,6 +393,11 @@ long bch_bucket_alloc(struct cache *ca, unsigned int reserve, bool wait)
+       struct bucket *b;
+       long r;
++
++      /* No allocation if CACHE_SET_IO_DISABLE bit is set */
++      if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &ca->set->flags)))
++              return -1;
++
+       /* fastpath */
+       if (fifo_pop(&ca->free[RESERVE_NONE], r) ||
+           fifo_pop(&ca->free[reserve], r))
+@@ -484,6 +489,10 @@ int __bch_bucket_alloc_set(struct cache_set *c, unsigned int reserve,
+ {
+       int i;
++      /* No allocation if CACHE_SET_IO_DISABLE bit is set */
++      if (unlikely(test_bit(CACHE_SET_IO_DISABLE, &c->flags)))
++              return -1;
++
+       lockdep_assert_held(&c->bucket_lock);
+       BUG_ON(!n || n > c->caches_loaded || n > 8);
+-- 
+2.20.1
+
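Review bot: The early `return -1` in bch_bucket_alloc() is taken regardless of the `wait` argument, so callers that pass `wait == true` and rely on the call blocking until a bucket is available can now receive -1. Those callers are outside this hunk and should be audited for assertions on the result or for using it unchecked as a bucket index. In __bch_bucket_alloc_set() the new return sits above `lockdep_assert_held(&c->bucket_lock)`, so the locking assertion is skipped on exactly this path; placing the CACHE_SET_IO_DISABLE test after the assertion keeps that check for every caller. Both function bodies continue past the hunks shown.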
diff --git a/queue-4.19/bcache-fix-potential-deadlock-in-cached_def_free.patch b/queue-4.19/bcache-fix-potential-deadlock-in-cached_def_free.patch
new file mode 100644 (file)
index 0000000..cadc25e
--- /dev/null
@@ -0,0 +1,172 @@
+From d3e049f329dc57fda992205f7b7de3c9e438226b Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:49 +0800
+Subject: bcache: fix potential deadlock in cached_def_free()
+
+[ Upstream commit 7e865eba00a3df2dc8c4746173a8ca1c1c7f042e ]
+
+When enable lockdep and reboot system with a writeback mode bcache
+device, the following potential deadlock warning is reported by lockdep
+engine.
+
+[  101.536569][  T401] kworker/2:2/401 is trying to acquire lock:
+[  101.538575][  T401] 00000000bbf6e6c7 ((wq_completion)bcache_writeback_wq){+.+.}, at: flush_workqueue+0x87/0x4c0
+[  101.542054][  T401]
+[  101.542054][  T401] but task is already holding lock:
+[  101.544587][  T401] 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
+[  101.548386][  T401]
+[  101.548386][  T401] which lock already depends on the new lock.
+[  101.548386][  T401]
+[  101.551874][  T401]
+[  101.551874][  T401] the existing dependency chain (in reverse order) is:
+[  101.555000][  T401]
+[  101.555000][  T401] -> #1 ((work_completion)(&cl->work)#2){+.+.}:
+[  101.557860][  T401]        process_one_work+0x277/0x640
+[  101.559661][  T401]        worker_thread+0x39/0x3f0
+[  101.561340][  T401]        kthread+0x125/0x140
+[  101.562963][  T401]        ret_from_fork+0x3a/0x50
+[  101.564718][  T401]
+[  101.564718][  T401] -> #0 ((wq_completion)bcache_writeback_wq){+.+.}:
+[  101.567701][  T401]        lock_acquire+0xb4/0x1c0
+[  101.569651][  T401]        flush_workqueue+0xae/0x4c0
+[  101.571494][  T401]        drain_workqueue+0xa9/0x180
+[  101.573234][  T401]        destroy_workqueue+0x17/0x250
+[  101.575109][  T401]        cached_dev_free+0x44/0x120 [bcache]
+[  101.577304][  T401]        process_one_work+0x2a4/0x640
+[  101.579357][  T401]        worker_thread+0x39/0x3f0
+[  101.581055][  T401]        kthread+0x125/0x140
+[  101.582709][  T401]        ret_from_fork+0x3a/0x50
+[  101.584592][  T401]
+[  101.584592][  T401] other info that might help us debug this:
+[  101.584592][  T401]
+[  101.588355][  T401]  Possible unsafe locking scenario:
+[  101.588355][  T401]
+[  101.590974][  T401]        CPU0                    CPU1
+[  101.592889][  T401]        ----                    ----
+[  101.594743][  T401]   lock((work_completion)(&cl->work)#2);
+[  101.596785][  T401]                                lock((wq_completion)bcache_writeback_wq);
+[  101.600072][  T401]                                lock((work_completion)(&cl->work)#2);
+[  101.602971][  T401]   lock((wq_completion)bcache_writeback_wq);
+[  101.605255][  T401]
+[  101.605255][  T401]  *** DEADLOCK ***
+[  101.605255][  T401]
+[  101.608310][  T401] 2 locks held by kworker/2:2/401:
+[  101.610208][  T401]  #0: 00000000cf2c7d17 ((wq_completion)events){+.+.}, at: process_one_work+0x21e/0x640
+[  101.613709][  T401]  #1: 00000000f5f305b3 ((work_completion)(&cl->work)#2){+.+.}, at: process_one_work+0x21e/0x640
+[  101.617480][  T401]
+[  101.617480][  T401] stack backtrace:
+[  101.619539][  T401] CPU: 2 PID: 401 Comm: kworker/2:2 Tainted: G        W         5.2.0-rc4-lp151.20-default+ #1
+[  101.623225][  T401] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
+[  101.627210][  T401] Workqueue: events cached_dev_free [bcache]
+[  101.629239][  T401] Call Trace:
+[  101.630360][  T401]  dump_stack+0x85/0xcb
+[  101.631777][  T401]  print_circular_bug+0x19a/0x1f0
+[  101.633485][  T401]  __lock_acquire+0x16cd/0x1850
+[  101.635184][  T401]  ? __lock_acquire+0x6a8/0x1850
+[  101.636863][  T401]  ? lock_acquire+0xb4/0x1c0
+[  101.638421][  T401]  ? find_held_lock+0x34/0xa0
+[  101.640015][  T401]  lock_acquire+0xb4/0x1c0
+[  101.641513][  T401]  ? flush_workqueue+0x87/0x4c0
+[  101.643248][  T401]  flush_workqueue+0xae/0x4c0
+[  101.644832][  T401]  ? flush_workqueue+0x87/0x4c0
+[  101.646476][  T401]  ? drain_workqueue+0xa9/0x180
+[  101.648303][  T401]  drain_workqueue+0xa9/0x180
+[  101.649867][  T401]  destroy_workqueue+0x17/0x250
+[  101.651503][  T401]  cached_dev_free+0x44/0x120 [bcache]
+[  101.653328][  T401]  process_one_work+0x2a4/0x640
+[  101.655029][  T401]  worker_thread+0x39/0x3f0
+[  101.656693][  T401]  ? process_one_work+0x640/0x640
+[  101.658501][  T401]  kthread+0x125/0x140
+[  101.660012][  T401]  ? kthread_create_worker_on_cpu+0x70/0x70
+[  101.661985][  T401]  ret_from_fork+0x3a/0x50
+[  101.691318][  T401] bcache: bcache_device_free() bcache0 stopped
+
+Here is how the above potential deadlock may happen in reboot/shutdown
+code path,
+1) bcache_reboot() is called firstly in the reboot/shutdown code path,
+   then in bcache_reboot(), bcache_device_stop() is called.
+2) bcache_device_stop() sets BCACHE_DEV_CLOSING on d->falgs, then call
+   closure_queue(&d->cl) to invoke cached_dev_flush(). And in turn
+   cached_dev_flush() calls cached_dev_free() via closure_at()
+3) In cached_dev_free(), after stopped writebach kthread
+   dc->writeback_thread, the kwork dc->writeback_write_wq is stopping by
+   destroy_workqueue().
+4) Inside destroy_workqueue(), drain_workqueue() is called. Inside
+   drain_workqueue(), flush_workqueue() is called. Then wq->lockdep_map
+   is acquired by lock_map_acquire() in flush_workqueue(). After the
+   lock acquired the rest part of flush_workqueue() just wait for the
+   workqueue to complete.
+5) Now we look back at writeback thread routine bch_writeback_thread(),
+   in the main while-loop, write_dirty() is called via continue_at() in
+   read_dirty_submit(), which is called via continue_at() in while-loop
+   level called function read_dirty(). Inside write_dirty() it may be
+   re-called on workqueeu dc->writeback_write_wq via continue_at().
+   It means when the writeback kthread is stopped in cached_dev_free()
+   there might be still one kworker queued on dc->writeback_write_wq
+   to execute write_dirty() again.
+6) Now this kworker is scheduled on dc->writeback_write_wq to run by
+   process_one_work() (which is called by worker_thread()). Before
+   calling the kwork routine, wq->lockdep_map is acquired.
+7) But wq->lockdep_map is acquired already in step 4), so a A-A lock
+   (lockdep terminology) scenario happens.
+
+Indeed on multiple cores syatem, the above deadlock is very rare to
+happen, just as the code comments in process_one_work() says,
+2263     * AFAICT there is no possible deadlock scenario between the
+2264     * flush_work() and complete() primitives (except for
+          single-threaded
+2265     * workqueues), so hiding them isn't a problem.
+
+But it is still good to fix such lockdep warning, even no one running
+bcache on single core system.
+
+The fix is simple. This patch solves the above potential deadlock by,
+- Do not destroy workqueue dc->writeback_write_wq in cached_dev_free().
+- Flush and destroy dc->writeback_write_wq in writebach kthread routine
+  bch_writeback_thread(), where after quit the thread main while-loop
+  and before cached_dev_put() is called.
+
+By this fix, dc->writeback_write_wq will be stopped and destroy before
+the writeback kthread stopped, so the chance for a A-A locking on
+wq->lockdep_map is disappeared, such A-A deadlock won't happen
+any more.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c     | 2 --
+ drivers/md/bcache/writeback.c | 4 ++++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index be8054c04eb7..173a2be72eeb 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1185,8 +1185,6 @@ static void cached_dev_free(struct closure *cl)
+       if (!IS_ERR_OR_NULL(dc->writeback_thread))
+               kthread_stop(dc->writeback_thread);
+-      if (dc->writeback_write_wq)
+-              destroy_workqueue(dc->writeback_write_wq);
+       if (!IS_ERR_OR_NULL(dc->status_update_thread))
+               kthread_stop(dc->status_update_thread);
+diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
+index 08c3a9f9676c..6e72bb6c00f2 100644
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -708,6 +708,10 @@ static int bch_writeback_thread(void *arg)
+               }
+       }
++      if (dc->writeback_write_wq) {
++              flush_workqueue(dc->writeback_write_wq);
++              destroy_workqueue(dc->writeback_write_wq);
++      }
+       cached_dev_put(dc);
+       wait_for_kthread_stop();
+-- 
+2.20.1
+
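Review bot: After this change dc->writeback_write_wq is destroyed only inside bch_writeback_thread(), because the `destroy_workqueue()` call removed from cached_dev_free() was the only other teardown visible here. A device whose workqueue was allocated but whose writeback thread never ran would then no longer have it released. The allocation site is outside these hunks, so whether its failure path cleans up on its own needs checking before this is queued. The thread also leaves a dangling pointer behind; adding `dc->writeback_write_wq = NULL;` right after `destroy_workqueue(dc->writeback_write_wq);` keeps later NULL tests on the field meaningful. Both functions extend beyond the hunks shown.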
diff --git a/queue-4.19/blk-iolatency-only-account-submitted-bios.patch b/queue-4.19/blk-iolatency-only-account-submitted-bios.patch
new file mode 100644 (file)
index 0000000..ca3bbec
--- /dev/null
@@ -0,0 +1,39 @@
+From eb888910656041bf8ea0035b95442c9aa0055104 Mon Sep 17 00:00:00 2001
+From: Dennis Zhou <dennis@kernel.org>
+Date: Thu, 23 May 2019 16:10:18 -0400
+Subject: blk-iolatency: only account submitted bios
+
+[ Upstream commit a3fb01ba5af066521f3f3421839e501bb2c71805 ]
+
+As is, iolatency recognizes done_bio and cleanup as ending paths. If a
+request is marked REQ_NOWAIT and fails to get a request, the bio is
+cleaned up via rq_qos_cleanup() and ended in bio_wouldblock_error().
+This results in underflowing the inflight counter. Fix this by only
+accounting bios that were actually submitted.
+
+Signed-off-by: Dennis Zhou <dennis@kernel.org>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iolatency.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index 6b8396ccb5c4..75df47ad2e79 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -565,6 +565,10 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, struct bio *bio)
+       if (!blkg)
+               return;
++      /* We didn't actually submit this bio, don't account it. */
++      if (bio->bi_status == BLK_STS_AGAIN)
++              return;
++
+       iolat = blkg_to_lat(bio->bi_blkg);
+       if (!iolat)
+               return;
+-- 
+2.20.1
+
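Review bot: The new `bio->bi_status == BLK_STS_AGAIN` test in blkcg_iolatency_done_bio() uses the completion status as a stand-in for "this bio was never submitted", but nothing in the hunk ties that status to the unsubmitted case alone. If a bio that was throttled and counted as inflight can later complete with BLK_STS_AGAIN, this return skips the decrement and the counter drifts upward instead of underflowing. Recording at throttle time that the bio was accounted (a per-bio marker) and testing that here would make the pairing exact; whether such a completion can occur on 4.19 is not visible from this hunk. The function continues past the end of the hunk.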
diff --git a/queue-4.19/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch b/queue-4.19/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
new file mode 100644 (file)
index 0000000..467cd32
--- /dev/null
@@ -0,0 +1,55 @@
+From b221c926aeeab063faf277b783e44648de2bab57 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 13 Jun 2019 15:30:41 -0700
+Subject: blkcg, writeback: dead memcgs shouldn't contribute to writeback
+ ownership arbitration
+
+[ Upstream commit 6631142229005e1b1c311a09efe9fb3cfdac8559 ]
+
+wbc_account_io() collects information on cgroup ownership of writeback
+pages to determine which cgroup should own the inode.  Pages can stay
+associated with dead memcgs but we want to avoid attributing IOs to
+dead blkcgs as much as possible as the association is likely to be
+stale.  However, currently, pages associated with dead memcgs
+contribute to the accounting delaying and/or confusing the
+arbitration.
+
+Fix it by ignoring pages associated with dead memcgs.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 9544e2f8b79f..7ee86d8f313d 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -721,6 +721,7 @@ void wbc_detach_inode(struct writeback_control *wbc)
+ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+                   size_t bytes)
+ {
++      struct cgroup_subsys_state *css;
+       int id;
+       /*
+@@ -732,7 +733,12 @@ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+       if (!wbc->wb)
+               return;
+-      id = mem_cgroup_css_from_page(page)->id;
++      css = mem_cgroup_css_from_page(page);
++      /* dead cgroups shouldn't contribute to inode ownership arbitration */
++      if (!(css->flags & CSS_ONLINE))
++              return;
++
++      id = css->id;
+       if (id == wbc->wb_id) {
+               wbc->wb_bytes += bytes;
+-- 
+2.20.1
+
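Review bot: The added `css->flags & CSS_ONLINE` test in wbc_account_io() is read with no lock or css reference visible in the hunk, so it is a point-in-time filter: a memcg can go offline immediately after the test passes. That looks acceptable for an ownership heuristic, but the comment reads like a guarantee. I would word it as `/* best effort: skip pages whose memcg is already offline, the association is likely stale */`. The function body continues past the hunk.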
diff --git a/queue-4.19/block-null_blk-fix-race-condition-for-null_del_dev.patch b/queue-4.19/block-null_blk-fix-race-condition-for-null_del_dev.patch
new file mode 100644 (file)
index 0000000..d4f917b
--- /dev/null
@@ -0,0 +1,90 @@
+From 7c3b7211fe23e2dbe5207a91ea9cf62ca88ad9f5 Mon Sep 17 00:00:00 2001
+From: Bob Liu <bob.liu@oracle.com>
+Date: Sat, 15 Jun 2019 01:43:48 -0600
+Subject: block: null_blk: fix race condition for null_del_dev
+
+[ Upstream commit 7602843fd873cae43a444b83b14dfdd114a9659c ]
+
+Dulicate call of null_del_dev() will trigger null pointer error like below.
+The reason is a race condition between nullb_device_power_store() and
+nullb_group_drop_item().
+
+  CPU#0                         CPU#1
+  ----------------              -----------------
+  do_rmdir()
+   >configfs_rmdir()
+    >client_drop_item()
+     >nullb_group_drop_item()
+                                nullb_device_power_store()
+                               >null_del_dev()
+
+      >test_and_clear_bit(NULLB_DEV_FL_UP
+       >null_del_dev()
+       ^^^^^
+       Duplicated null_dev_dev() triger null pointer error
+
+                               >clear_bit(NULLB_DEV_FL_UP
+
+The fix could be keep the sequnce of clear NULLB_DEV_FL_UP and null_del_dev().
+
+[  698.613600] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+[  698.613608] #PF error: [normal kernel read fault]
+[  698.613611] PGD 0 P4D 0
+[  698.613619] Oops: 0000 [#1] SMP PTI
+[  698.613627] CPU: 3 PID: 6382 Comm: rmdir Not tainted 5.0.0+ #35
+[  698.613631] Hardware name: LENOVO 20LJS2EV08/20LJS2EV08, BIOS R0SET33W (1.17 ) 07/18/2018
+[  698.613644] RIP: 0010:null_del_dev+0xc/0x110 [null_blk]
+[  698.613649] Code: 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b eb 97 e8 47 bb 2a e8 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 53 <8b> 77 18 48 89 fb 4c 8b 27 48 c7 c7 40 57 1e c1 e8 bf c7 cb e8 48
+[  698.613654] RSP: 0018:ffffb887888bfde0 EFLAGS: 00010286
+[  698.613659] RAX: 0000000000000000 RBX: ffff9d436d92bc00 RCX: ffff9d43a9184681
+[  698.613663] RDX: ffffffffc11e5c30 RSI: 0000000068be6540 RDI: 0000000000000000
+[  698.613667] RBP: ffffb887888bfdf0 R08: 0000000000000001 R09: 0000000000000000
+[  698.613671] R10: ffffb887888bfdd8 R11: 0000000000000f16 R12: ffff9d436d92bc08
+[  698.613675] R13: ffff9d436d94e630 R14: ffffffffc11e5088 R15: ffffffffc11e5000
+[  698.613680] FS:  00007faa68be6540(0000) GS:ffff9d43d14c0000(0000) knlGS:0000000000000000
+[  698.613685] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  698.613689] CR2: 0000000000000018 CR3: 000000042f70c002 CR4: 00000000003606e0
+[  698.613693] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  698.613697] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  698.613700] Call Trace:
+[  698.613712]  nullb_group_drop_item+0x50/0x70 [null_blk]
+[  698.613722]  client_drop_item+0x29/0x40
+[  698.613728]  configfs_rmdir+0x1ed/0x300
+[  698.613738]  vfs_rmdir+0xb2/0x130
+[  698.613743]  do_rmdir+0x1c7/0x1e0
+[  698.613750]  __x64_sys_rmdir+0x17/0x20
+[  698.613759]  do_syscall_64+0x5a/0x110
+[  698.613768]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Bob Liu <bob.liu@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk_main.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c
+index 093b614d6524..c5c0b7c89481 100644
+--- a/drivers/block/null_blk_main.c
++++ b/drivers/block/null_blk_main.c
+@@ -321,11 +321,12 @@ static ssize_t nullb_device_power_store(struct config_item *item,
+               set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+               dev->power = newp;
+       } else if (dev->power && !newp) {
+-              mutex_lock(&lock);
+-              dev->power = newp;
+-              null_del_dev(dev->nullb);
+-              mutex_unlock(&lock);
+-              clear_bit(NULLB_DEV_FL_UP, &dev->flags);
++              if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {
++                      mutex_lock(&lock);
++                      dev->power = newp;
++                      null_del_dev(dev->nullb);
++                      mutex_unlock(&lock);
++              }
+               clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+       }
+-- 
+2.20.1
+
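Review bot: In the power-off branch of nullb_device_power_store() the `dev->power && !newp` condition is still evaluated outside `lock`, and `dev->power` is now written only by the caller that wins `test_and_clear_bit()`. This appears correct only because NULLB_DEV_FL_UP is used as the single teardown token, shared with nullb_group_drop_item() according to the message. That contract is not written down anywhere in the hunk. I would add `/* NULLB_DEV_FL_UP is the teardown token: only the caller that clears it may call null_del_dev() */` above the test, so a later change does not reintroduce a second unguarded null_del_dev() call. The function starts and ends outside the hunk.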
diff --git a/queue-4.19/bluetooth-6lowpan-search-for-destination-address-in-.patch b/queue-4.19/bluetooth-6lowpan-search-for-destination-address-in-.patch
new file mode 100644 (file)
index 0000000..562c348
--- /dev/null
@@ -0,0 +1,57 @@
+From ed11485c3a3ed1a595726389cb797adb2c934b6e Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua.mayer@jm0.eu>
+Date: Sat, 6 Jul 2019 17:54:46 +0200
+Subject: Bluetooth: 6lowpan: search for destination address in all peers
+
+[ Upstream commit b188b03270b7f8568fc714101ce82fbf5e811c5a ]
+
+Handle overlooked case where the target address is assigned to a peer
+and neither route nor gateway exist.
+
+For one peer, no checks are performed to see if it is meant to receive
+packets for a given address.
+
+As soon as there is a second peer however, checks are performed
+to deal with routes and gateways for handling complex setups with
+multiple hops to a target address.
+This logic assumed that no route and no gateway imply that the
+destination address can not be reached, which is false in case of a
+direct peer.
+
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Tested-by: Michael Scott <mike@foundries.io>
+Signed-off-by: Josua Mayer <josua.mayer@jm0.eu>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 4e2576fc0c59..357475cceec6 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -187,10 +187,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_btle_dev *dev,
+       }
+       if (!rt) {
+-              nexthop = &lowpan_cb(skb)->gw;
+-
+-              if (ipv6_addr_any(nexthop))
+-                      return NULL;
++              if (ipv6_addr_any(&lowpan_cb(skb)->gw)) {
++                      /* There is neither route nor gateway,
++                       * probably the destination is a direct peer.
++                       */
++                      nexthop = daddr;
++              } else {
++                      /* There is a known gateway
++                       */
++                      nexthop = &lowpan_cb(skb)->gw;
++              }
+       } else {
+               nexthop = rt6_nexthop(rt, daddr);
+-- 
+2.20.1
+
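Review bot: The new fallback `nexthop = daddr` in peer_lookup_dst() replaces what used to be an immediate `return NULL`. Rejecting a destination that no peer owns now depends entirely on the peer comparison that follows the hunk, which is not visible here. The comment should state that dependency rather than "probably", e.g. `/* No route and no gateway: try daddr itself; the peer scan below returns NULL if no peer owns it */`. As a style point, `/* There is a known gateway */` fits on one line, and `lowpan_cb(skb)->gw` is evaluated twice where a local pointer would do.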
diff --git a/queue-4.19/bluetooth-add-new-13d3-3491-qca_rome-device.patch b/queue-4.19/bluetooth-add-new-13d3-3491-qca_rome-device.patch
new file mode 100644 (file)
index 0000000..1186441
--- /dev/null
@@ -0,0 +1,42 @@
+From e3155a2d251b417d23ed3af9eeea4a7e676bf3cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= <jprvita@gmail.com>
+Date: Thu, 23 May 2019 13:32:01 -0700
+Subject: Bluetooth: Add new 13d3:3491 QCA_ROME device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 44d34af2e4cfd0c5357182f8b43f3e0a1fe30a2e ]
+
+Without the QCA ROME setup routine this adapter fails to establish a SCO
+connection.
+
+T:  Bus=01 Lev=01 Prnt=01 Port=08 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
+D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=13d3 ProdID=3491 Rev=00.01
+C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:  If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I:  If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 40a4f95f6178..f494fa30a912 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -277,6 +277,7 @@ static const struct usb_device_id blacklist_table[] = {
+       { USB_DEVICE(0x04ca, 0x3015), .driver_info = BTUSB_QCA_ROME },
+       { USB_DEVICE(0x04ca, 0x3016), .driver_info = BTUSB_QCA_ROME },
+       { USB_DEVICE(0x04ca, 0x301a), .driver_info = BTUSB_QCA_ROME },
++      { USB_DEVICE(0x13d3, 0x3491), .driver_info = BTUSB_QCA_ROME },
+       { USB_DEVICE(0x13d3, 0x3496), .driver_info = BTUSB_QCA_ROME },
+       /* Broadcom BCM2035 */
+-- 
+2.20.1
+
diff --git a/queue-4.19/bluetooth-add-new-13d3-3501-qca_rome-device.patch b/queue-4.19/bluetooth-add-new-13d3-3501-qca_rome-device.patch
new file mode 100644 (file)
index 0000000..57fde74
--- /dev/null
@@ -0,0 +1,42 @@
+From ba58081f6f4f665b8de3da813d93f7c04cd30784 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jo=C3=A3o=20Paulo=20Rechi=20Vita?= <jprvita@gmail.com>
+Date: Thu, 23 May 2019 13:32:02 -0700
+Subject: Bluetooth: Add new 13d3:3501 QCA_ROME device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 881cec4f6b4da78e54b73c046a60f39315964c7d ]
+
+Without the QCA ROME setup routine this adapter fails to establish a SCO
+connection.
+
+T:  Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
+D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=13d3 ProdID=3501 Rev=00.01
+C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:  If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I:  If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index f494fa30a912..75cf605f54e5 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -279,6 +279,7 @@ static const struct usb_device_id blacklist_table[] = {
+       { USB_DEVICE(0x04ca, 0x301a), .driver_info = BTUSB_QCA_ROME },
+       { USB_DEVICE(0x13d3, 0x3491), .driver_info = BTUSB_QCA_ROME },
+       { USB_DEVICE(0x13d3, 0x3496), .driver_info = BTUSB_QCA_ROME },
++      { USB_DEVICE(0x13d3, 0x3501), .driver_info = BTUSB_QCA_ROME },
+       /* Broadcom BCM2035 */
+       { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
+-- 
+2.20.1
+
diff --git a/queue-4.19/bluetooth-check-state-in-l2cap_disconnect_rsp.patch b/queue-4.19/bluetooth-check-state-in-l2cap_disconnect_rsp.patch
new file mode 100644 (file)
index 0000000..b347a93
--- /dev/null
@@ -0,0 +1,220 @@
+From 9a324a7ee53702a237ff08fad42e74f1dceac572 Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Tue, 21 May 2019 13:07:22 +0300
+Subject: Bluetooth: Check state in l2cap_disconnect_rsp
+
+[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ]
+
+Because of both sides doing L2CAP disconnection at the same time, it
+was possible to receive L2CAP Disconnection Response with CID that was
+already freed. That caused problems if CID was already reused and L2CAP
+Connection Request with same CID was sent out. Before this patch kernel
+deleted channel context regardless of the state of the channel.
+
+Example where leftover Disconnection Response (frame #402) causes local
+device to delete L2CAP channel which was not yet connected. This in
+turn confuses remote device's stack because same CID is re-used without
+properly disconnecting.
+
+Btmon capture before patch:
+** snip **
+> ACL Data RX: Handle 43 flags 0x02 dlen 8                #394 [hci1] 10.748949
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+      RFCOMM: Disconnect (DISC) (0x43)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x53 poll/final 1
+         Length: 0
+         FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8                #395 [hci1] 10.749062
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+      RFCOMM: Unnumbered Ack (UA) (0x63)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x73 poll/final 1
+         Length: 0
+         FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12               #396 [hci1] 10.749073
+      L2CAP: Disconnection Request (0x06) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+> HCI Event: Number of Completed Packets (0x13) plen 5    #397 [hci1] 10.752391
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> HCI Event: Number of Completed Packets (0x13) plen 5    #398 [hci1] 10.753394
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12               #399 [hci1] 10.756499
+      L2CAP: Disconnection Request (0x06) ident 26 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12               #400 [hci1] 10.756548
+      L2CAP: Disconnection Response (0x07) ident 26 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12               #401 [hci1] 10.757459
+      L2CAP: Connection Request (0x02) ident 18 len 4
+        PSM: 1 (0x0001)
+        Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12               #402 [hci1] 10.759148
+      L2CAP: Disconnection Response (0x07) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o..   10.759447
+> HCI Event: Number of Completed Packets (0x13) plen 5    #403 [hci1] 10.759386
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12               #404 [hci1] 10.760397
+      L2CAP: Connection Request (0x02) ident 27 len 4
+        PSM: 3 (0x0003)
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16               #405 [hci1] 10.760441
+      L2CAP: Connection Response (0x03) ident 27 len 8
+        Destination CID: 65
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27               #406 [hci1] 10.760449
+      L2CAP: Configure Request (0x04) ident 19 len 19
+        Destination CID: 65
+        Flags: 0x0000
+        Option: Maximum Transmission Unit (0x01) [mandatory]
+          MTU: 1013
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Basic (0x00)
+          TX window size: 0
+          Max transmit: 0
+          Retransmission timeout: 0
+          Monitor timeout: 0
+          Maximum PDU size: 0
+> HCI Event: Number of Completed Packets (0x13) plen 5    #407 [hci1] 10.761399
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 16               #408 [hci1] 10.762942
+      L2CAP: Connection Response (0x03) ident 18 len 8
+        Destination CID: 66
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+*snip*
+
+Similar case after the patch:
+*snip*
+> ACL Data RX: Handle 43 flags 0x02 dlen 8            #22702 [hci0] 1664.411056
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+      RFCOMM: Disconnect (DISC) (0x43)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x53 poll/final 1
+         Length: 0
+         FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8            #22703 [hci0] 1664.411136
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+      RFCOMM: Unnumbered Ack (UA) (0x63)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x73 poll/final 1
+         Length: 0
+         FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22704 [hci0] 1664.411143
+      L2CAP: Disconnection Request (0x06) ident 11 len 4
+        Destination CID: 65
+        Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22705 [hci0] 1664.414009
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22706 [hci0] 1664.415007
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22707 [hci0] 1664.418674
+      L2CAP: Disconnection Request (0x06) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22708 [hci0] 1664.418762
+      L2CAP: Disconnection Response (0x07) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22709 [hci0] 1664.421073
+      L2CAP: Connection Request (0x02) ident 12 len 4
+        PSM: 1 (0x0001)
+        Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22710 [hci0] 1664.421371
+      L2CAP: Disconnection Response (0x07) ident 11 len 4
+        Destination CID: 65
+        Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22711 [hci0] 1664.424082
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22712 [hci0] 1664.425040
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22713 [hci0] 1664.426103
+      L2CAP: Connection Request (0x02) ident 18 len 4
+        PSM: 3 (0x0003)
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16           #22714 [hci0] 1664.426186
+      L2CAP: Connection Response (0x03) ident 18 len 8
+        Destination CID: 66
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27           #22715 [hci0] 1664.426196
+      L2CAP: Configure Request (0x04) ident 13 len 19
+        Destination CID: 65
+        Flags: 0x0000
+        Option: Maximum Transmission Unit (0x01) [mandatory]
+          MTU: 1013
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Basic (0x00)
+          TX window size: 0
+          Max transmit: 0
+          Retransmission timeout: 0
+          Monitor timeout: 0
+          Maximum PDU size: 0
+> ACL Data RX: Handle 43 flags 0x02 dlen 16           #22716 [hci0] 1664.428804
+      L2CAP: Connection Response (0x03) ident 12 len 8
+        Destination CID: 66
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+*snip*
+
+Fix is to check that channel is in state BT_DISCONN before deleting the
+channel.
+
+This bug was found while fuzzing Bluez's OBEX implementation using
+Synopsys Defensics.
+
+Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
+Reported-by: Ari Timonen <ari.timonen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 879d5432bf77..260ef5426e0c 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4384,6 +4384,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+       l2cap_chan_lock(chan);
++      if (chan->state != BT_DISCONN) {
++              l2cap_chan_unlock(chan);
++              mutex_unlock(&conn->chan_lock);
++              return 0;
++      }
++
+       l2cap_chan_hold(chan);
+       l2cap_chan_del(chan, 0);
+-- 
+2.20.1
+
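Review bot: The added `chan->state != BT_DISCONN` guard in l2cap_disconnect_rsp() drops the response silently and filters on channel state only. A stale Disconnection Response that arrives while the reused CID is itself in BT_DISCONN for a newer request would, as far as the hunk shows, still delete the channel. The capture in the message shows the stale frame carrying a different ident from the later request, so matching the response ident against the outstanding request looks like the tighter check, if the request ident is retained somewhere. At minimum I would document the early return with `/* Ignore a Disconnection Response for a channel we did not ask to disconnect (stale or reused CID) */` and log it with a BT_DBG so the drop is visible when debugging. The function starts and ends outside the hunk.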
diff --git a/queue-4.19/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch b/queue-4.19/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
new file mode 100644 (file)
index 0000000..d30c20d
--- /dev/null
@@ -0,0 +1,39 @@
+From a4a89da3c4d6c8581665f8e7acb1637d5224e651 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Tue, 28 May 2019 15:42:58 +0200
+Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb
+
+[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]
+
+Syzkaller found that it is possible to provoke a memory leak by
+never freeing rx_skb in struct bcsp_struct.
+
+Fix by freeing in bcsp_close()
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_bcsp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
+index 1a7f0c82fb36..66fe1e6dc631 100644
+--- a/drivers/bluetooth/hci_bcsp.c
++++ b/drivers/bluetooth/hci_bcsp.c
+@@ -759,6 +759,11 @@ static int bcsp_close(struct hci_uart *hu)
+       skb_queue_purge(&bcsp->rel);
+       skb_queue_purge(&bcsp->unrel);
++      if (bcsp->rx_skb) {
++              kfree_skb(bcsp->rx_skb);
++              bcsp->rx_skb = NULL;
++      }
++
+       kfree(bcsp);
+       return 0;
+ }
+-- 
+2.20.1
+
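Review bot: The `if (bcsp->rx_skb)` guard in bcsp_close() is redundant because kfree_skb() already returns early for a NULL skb, and the `bcsp->rx_skb = NULL` store is dead since `kfree(bcsp)` follows immediately. The block reduces to `kfree_skb(bcsp->rx_skb);`. If the NULL store is meant to protect a receive path that can still run during close, that path would need to be stopped before `kfree(bcsp)` as well. Nothing in the hunk shows whether it is, so that ordering is worth a comment.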
diff --git a/queue-4.19/bluetooth-validate-ble-connection-interval-updates.patch b/queue-4.19/bluetooth-validate-ble-connection-interval-updates.patch
new file mode 100644 (file)
index 0000000..dc15f40
--- /dev/null
@@ -0,0 +1,92 @@
+From 6a8b8dc9543ae5ed255474ca7f5fbd1873b7d9c3 Mon Sep 17 00:00:00 2001
+From: csonsino <csonsino@gmail.com>
+Date: Wed, 12 Jun 2019 15:00:52 -0600
+Subject: Bluetooth: validate BLE connection interval updates
+
+[ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ]
+
+Problem: The Linux Bluetooth stack yields complete control over the BLE
+connection interval to the remote device.
+
+The Linux Bluetooth stack provides access to the BLE connection interval
+min and max values through /sys/kernel/debug/bluetooth/hci0/
+conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
+These values are used for initial BLE connections, but the remote device
+has the ability to request a connection parameter update. In the event
+that the remote side requests to change the connection interval, the Linux
+kernel currently only validates that the desired value is within the
+acceptable range in the Bluetooth specification (6 - 3200, corresponding to
+7.5ms - 4000ms). There is currently no validation that the desired value
+requested by the remote device is within the min/max limits specified in
+the conn_min_interval/conn_max_interval configurations. This essentially
+leads to Linux yielding complete control over the connection interval to
+the remote device.
+
+The proposed patch adds a verification step to the connection parameter
+update mechanism, ensuring that the desired value is within the min/max
+bounds of the current connection. If the desired value is outside of the
+current connection min/max values, then the connection parameter update
+request is rejected and the negative response is returned to the remote
+device. Recall that the initial connection is established using the local
+conn_min_interval/conn_max_interval values, so this allows the Linux
+administrator to retain control over the BLE connection interval.
+
+The one downside that I see is that the current default Linux values for
+conn_min_interval and conn_max_interval typically correspond to 30ms and
+50ms respectively. If this change were accepted, then it is feasible that
+some devices would no longer be able to negotiate to their desired
+connection interval values. This might be remedied by setting the default
+Linux conn_min_interval and conn_max_interval values to the widest
+supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
+behavior as the current implementation, where the remote device could
+request to change the connection interval value to any value that is
+permitted by the Bluetooth specification, and Linux would accept the
+desired value.
+
+Signed-off-by: Carey Sonsino <csonsino@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c  | 5 +++++
+ net/bluetooth/l2cap_core.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 3e7badb3ac2d..0adcddb211fa 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5545,6 +5545,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
+               return send_conn_param_neg_reply(hdev, handle,
+                                                HCI_ERROR_UNKNOWN_CONN_ID);
++      if (min < hcon->le_conn_min_interval ||
++          max > hcon->le_conn_max_interval)
++              return send_conn_param_neg_reply(hdev, handle,
++                                               HCI_ERROR_INVALID_LL_PARAMS);
++
+       if (hci_check_conn_params(min, max, latency, timeout))
+               return send_conn_param_neg_reply(hdev, handle,
+                                                HCI_ERROR_INVALID_LL_PARAMS);
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 260ef5426e0c..a54dadf4a6ca 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5287,7 +5287,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
+       memset(&rsp, 0, sizeof(rsp));
+-      err = hci_check_conn_params(min, max, latency, to_multiplier);
++      if (min < hcon->le_conn_min_interval ||
++          max > hcon->le_conn_max_interval) {
++              BT_DBG("requested connection interval exceeds current bounds.");
++              err = -EINVAL;
++      } else {
++              err = hci_check_conn_params(min, max, latency, to_multiplier);
++      }
++
+       if (err)
+               rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
+       else
+-- 
+2.20.1
+
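Review bot: Both added checks, in hci_le_remote_conn_param_req_evt() and in l2cap_conn_param_update_req(), assume `hcon->le_conn_min_interval` and `hcon->le_conn_max_interval` hold meaningful bounds for every LE connection. Nothing in the hunks shows that they are populated for connections that were accepted rather than initiated locally. If they can be zero there, `max > hcon->le_conn_max_interval` rejects every update request, which compounds the interoperability cost the message already concedes for the default 30ms to 50ms range. I would state the precondition next to the check, e.g. `/* relies on le_conn_{min,max}_interval having been set when this connection was created */`, and confirm it for both roles before relying on it. The hci_event.c path also rejects without any log, while the l2cap path has a BT_DBG; a matching `BT_DBG("requested connection interval exceeds current bounds")` there would make rejected updates diagnosable.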
diff --git a/queue-4.19/bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch b/queue-4.19/bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch
new file mode 100644 (file)
index 0000000..3d88685
--- /dev/null
@@ -0,0 +1,153 @@
+From 86249efbff2248d5965379a008b5aeb907e7c642 Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli" <gpiccoli@canonical.com>
+Date: Thu, 27 Jun 2019 13:31:33 -0300
+Subject: bnx2x: Prevent ptp_task to be rescheduled indefinitely
+
+[ Upstream commit 3c91f25c2f72ba6001775a5932857c1d2131c531 ]
+
+Currently bnx2x ptp worker tries to read a register with timestamp
+information in case of TX packet timestamping and in case it fails,
+the routine reschedules itself indefinitely. This was reported as a
+kworker always at 100% of CPU usage, which was narrowed down to be
+bnx2x ptp_task.
+
+By following the ioctl handler, we could narrow down the problem to
+an NTP tool (chrony) requesting HW timestamping from bnx2x NIC with
+RX filter zeroed; this isn't reproducible for example with ptp4l
+(from linuxptp) since this tool requests a supported RX filter.
+It seems NIC FW timestamp mechanism cannot work well with
+RX_FILTER_NONE - driver's PTP filter init routine skips a register
+write to the adapter if there's not a supported filter request.
+
+This patch addresses the problem of bnx2x ptp thread's everlasting
+reschedule by retrying the register read 10 times; between the read
+attempts the thread sleeps for an increasing amount of time starting
+in 1ms to give FW some time to perform the timestamping. If it still
+fails after all retries, we bail out in order to prevent an unbound
+resource consumption from bnx2x.
+
+The patch also adds an ethtool statistic for accounting the skipped
+TX timestamp packets and it reduces the priority of timestamping
+error messages to prevent log flooding. The code was tested using
+both linuxptp and chrony.
+
+Reported-and-tested-by: Przemyslaw Hausman <przemyslaw.hausman@canonical.com>
+Suggested-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@canonical.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/broadcom/bnx2x/bnx2x_cmn.c   |  5 ++-
+ .../ethernet/broadcom/bnx2x/bnx2x_ethtool.c   |  4 ++-
+ .../net/ethernet/broadcom/bnx2x/bnx2x_main.c  | 33 ++++++++++++++-----
+ .../net/ethernet/broadcom/bnx2x/bnx2x_stats.h |  3 ++
+ 4 files changed, 34 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index 5a727d4729da..e3ce29951c5e 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3858,9 +3858,12 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
+       if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP)) {
+               if (!(bp->flags & TX_TIMESTAMPING_EN)) {
++                      bp->eth_stats.ptp_skip_tx_ts++;
+                       BNX2X_ERR("Tx timestamping was not enabled, this packet will not be timestamped\n");
+               } else if (bp->ptp_tx_skb) {
+-                      BNX2X_ERR("The device supports only a single outstanding packet to timestamp, this packet will not be timestamped\n");
++                      bp->eth_stats.ptp_skip_tx_ts++;
++                      netdev_err_once(bp->dev,
++                                      "Device supports only a single outstanding packet to timestamp, this packet won't be timestamped\n");
+               } else {
+                       skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+                       /* schedule check for Tx timestamp */
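Review bot: The `!(bp->flags & TX_TIMESTAMPING_EN)` branch still logs through `BNX2X_ERR` for every packet, while only the `bp->ptp_tx_skb` branch was moved to `netdev_err_once`. Any sender whose packets carry `SKBTX_HW_TSTAMP` while timestamping is disabled can therefore still write to the kernel log at packet rate, unless `BNX2X_ERR` is rate-limited somewhere outside this hunk. That is the flooding the commit description sets out to prevent. The same once-only call fits there: `netdev_err_once(bp->dev, "Tx timestamping was not enabled, this packet will not be timestamped\n");`, leaving the new `ptp_skip_tx_ts` counter to carry the per-packet signal. bnx2x_start_xmit begins and ends outside the hunk.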
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+index c428b0655c26..00f9ed93360c 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -182,7 +182,9 @@ static const struct {
+       { STATS_OFFSET32(driver_filtered_tx_pkt),
+                               4, false, "driver_filtered_tx_pkt" },
+       { STATS_OFFSET32(eee_tx_lpi),
+-                              4, true, "Tx LPI entry count"}
++                              4, true, "Tx LPI entry count"},
++      { STATS_OFFSET32(ptp_skip_tx_ts),
++                              4, false, "ptp_skipped_tx_tstamp" },
+ };
+ #define BNX2X_NUM_STATS               ARRAY_SIZE(bnx2x_stats_arr)
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index a585f1025a58..2c9af0f420e5 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -15244,11 +15244,24 @@ static void bnx2x_ptp_task(struct work_struct *work)
+       u32 val_seq;
+       u64 timestamp, ns;
+       struct skb_shared_hwtstamps shhwtstamps;
++      bool bail = true;
++      int i;
++
++      /* FW may take a while to complete timestamping; try a bit and if it's
++       * still not complete, may indicate an error state - bail out then.
++       */
++      for (i = 0; i < 10; i++) {
++              /* Read Tx timestamp registers */
++              val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID :
++                               NIG_REG_P0_TLLH_PTP_BUF_SEQID);
++              if (val_seq & 0x10000) {
++                      bail = false;
++                      break;
++              }
++              msleep(1 << i);
++      }
+-      /* Read Tx timestamp registers */
+-      val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID :
+-                       NIG_REG_P0_TLLH_PTP_BUF_SEQID);
+-      if (val_seq & 0x10000) {
++      if (!bail) {
+               /* There is a valid timestamp value */
+               timestamp = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_TS_MSB :
+                                  NIG_REG_P0_TLLH_PTP_BUF_TS_MSB);
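Review bot: The retry loop runs `msleep(1 << i)` after the tenth failed read as well, so the worker sleeps a further 512 ms with nothing left to read before it bails out. The whole failure path holds `bp->ptp_tx_skb` for about a second (1 + 2 + ... + 512 ms), and while it is set the transmit path skips timestamping for every other packet. Skipping the sleep on the final pass halves that window: `if (i < 9) msleep(1 << i);`, ideally with the literal `10` replaced by a named retry constant and `0x10000` by a named valid-bit mask so the bound and the backoff are documented in one place. bnx2x_ptp_task starts above this hunk and continues in the next one.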
+@@ -15263,16 +15276,18 @@ static void bnx2x_ptp_task(struct work_struct *work)
+               memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+               shhwtstamps.hwtstamp = ns_to_ktime(ns);
+               skb_tstamp_tx(bp->ptp_tx_skb, &shhwtstamps);
+-              dev_kfree_skb_any(bp->ptp_tx_skb);
+-              bp->ptp_tx_skb = NULL;
+               DP(BNX2X_MSG_PTP, "Tx timestamp, timestamp cycles = %llu, ns = %llu\n",
+                  timestamp, ns);
+       } else {
+-              DP(BNX2X_MSG_PTP, "There is no valid Tx timestamp yet\n");
+-              /* Reschedule to keep checking for a valid timestamp value */
+-              schedule_work(&bp->ptp_task);
++              DP(BNX2X_MSG_PTP,
++                 "Tx timestamp is not recorded (register read=%u)\n",
++                 val_seq);
++              bp->eth_stats.ptp_skip_tx_ts++;
+       }
++
++      dev_kfree_skb_any(bp->ptp_tx_skb);
++      bp->ptp_tx_skb = NULL;
+ }
+ void bnx2x_set_rx_ts(struct bnx2x *bp, struct sk_buff *skb)
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
+index b2644ed13d06..d55e63692cf3 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
+@@ -207,6 +207,9 @@ struct bnx2x_eth_stats {
+       u32 driver_filtered_tx_pkt;
+       /* src: Clear-on-Read register; Will not survive PMF Migration */
+       u32 eee_tx_lpi;
++
++      /* PTP */
++      u32 ptp_skip_tx_ts;
+ };
+ struct bnx2x_eth_q_stats {
+-- 
+2.20.1
+
diff --git a/queue-4.19/bonding-validate-ip-header-before-check-ipproto_igmp.patch b/queue-4.19/bonding-validate-ip-header-before-check-ipproto_igmp.patch
new file mode 100644 (file)
index 0000000..7de0e71
--- /dev/null
@@ -0,0 +1,88 @@
+From a5a198120d9965ab2831fbdc40d9757205a33459 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 1 Jul 2019 20:40:24 -0700
+Subject: bonding: validate ip header before check IPPROTO_IGMP
+
+[ Upstream commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c ]
+
+bond_xmit_roundrobin() checks for IGMP packets but it parses
+the IP header even before checking skb->protocol.
+
+We should validate the IP header with pskb_may_pull() before
+using iph->protocol.
+
+Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com
+Fixes: a2fd940f4cff ("bonding: fix broken multicast with round-robin mode")
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 37 ++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 7e162fff01ab..be0b785becd0 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3852,8 +3852,8 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb,
+                                       struct net_device *bond_dev)
+ {
+       struct bonding *bond = netdev_priv(bond_dev);
+-      struct iphdr *iph = ip_hdr(skb);
+       struct slave *slave;
++      int slave_cnt;
+       u32 slave_id;
+       /* Start with the curr_active_slave that joined the bond as the
+@@ -3862,23 +3862,32 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb,
+        * send the join/membership reports.  The curr_active_slave found
+        * will send all of this type of traffic.
+        */
+-      if (iph->protocol == IPPROTO_IGMP && skb->protocol == htons(ETH_P_IP)) {
+-              slave = rcu_dereference(bond->curr_active_slave);
+-              if (slave)
+-                      bond_dev_queue_xmit(bond, skb, slave->dev);
+-              else
+-                      bond_xmit_slave_id(bond, skb, 0);
+-      } else {
+-              int slave_cnt = READ_ONCE(bond->slave_cnt);
++      if (skb->protocol == htons(ETH_P_IP)) {
++              int noff = skb_network_offset(skb);
++              struct iphdr *iph;
+-              if (likely(slave_cnt)) {
+-                      slave_id = bond_rr_gen_slave_id(bond);
+-                      bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
+-              } else {
+-                      bond_tx_drop(bond_dev, skb);
++              if (unlikely(!pskb_may_pull(skb, noff + sizeof(*iph))))
++                      goto non_igmp;
++
++              iph = ip_hdr(skb);
++              if (iph->protocol == IPPROTO_IGMP) {
++                      slave = rcu_dereference(bond->curr_active_slave);
++                      if (slave)
++                              bond_dev_queue_xmit(bond, skb, slave->dev);
++                      else
++                              bond_xmit_slave_id(bond, skb, 0);
++                      return NETDEV_TX_OK;
+               }
+       }
++non_igmp:
++      slave_cnt = READ_ONCE(bond->slave_cnt);
++      if (likely(slave_cnt)) {
++              slave_id = bond_rr_gen_slave_id(bond);
++              bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
++      } else {
++              bond_tx_drop(bond_dev, skb);
++      }
+       return NETDEV_TX_OK;
+ }
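Review bot: Two ordering and fall-through decisions in the new branch are load-bearing but undocumented. `iph = ip_hdr(skb);` has to stay after `pskb_may_pull()`, because the pull can reallocate the header area and invalidate a pointer taken earlier. A comment such as `/* take iph only after pskb_may_pull(); the pull may move the header */` would keep a later cleanup from hoisting it back to the declaration. The `goto non_igmp` on a failed pull sends a frame with an unreadable IPv4 header down the ordinary round-robin path rather than dropping it. If that is intended, say so at the label: `/* not IGMP, or IP header unavailable: distribute over slaves as usual */`.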
+-- 
+2.20.1
+
diff --git a/queue-4.19/bpf-fix-uapi-bpf_prog_info-fields-alignment.patch b/queue-4.19/bpf-fix-uapi-bpf_prog_info-fields-alignment.patch
new file mode 100644 (file)
index 0000000..1e5b76c
--- /dev/null
@@ -0,0 +1,58 @@
+From 09eae01ba7b079d079c07f186f576a584e9a4a28 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Fri, 28 Jun 2019 07:08:45 +0300
+Subject: bpf: fix uapi bpf_prog_info fields alignment
+
+[ Upstream commit 0472301a28f6cf53a6bc5783e48a2d0bbff4682f ]
+
+Merge commit 1c8c5a9d38f60 ("Merge
+git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next") undid the
+fix from commit 36f9814a494 ("bpf: fix uapi hole for 32 bit compat
+applications") by taking the gpl_compatible 1-bit field definition from
+commit b85fab0e67b162 ("bpf: Add gpl_compatible flag to struct
+bpf_prog_info") as is. That breaks architectures with 16-bit alignment
+like m68k. Add 31-bit pad after gpl_compatible to restore alignment of
+following fields.
+
+Thanks to Dmitry V. Levin his analysis of this bug history.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Acked-by: Song Liu <songliubraving@fb.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h       | 1 +
+ tools/include/uapi/linux/bpf.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 2932600ce271..d143e277cdaf 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -2486,6 +2486,7 @@ struct bpf_prog_info {
+       char name[BPF_OBJ_NAME_LEN];
+       __u32 ifindex;
+       __u32 gpl_compatible:1;
++      __u32 :31; /* alignment pad */
+       __u64 netns_dev;
+       __u64 netns_ino;
+       __u32 nr_jited_ksyms;
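Review bot: Nothing guards the layout that the `__u32 :31;` pad restores, and the commit description says an earlier fix for the same hole was already undone once by a merge. A compile-time check in the kernel code that fills this struct would catch a repeat, for example `BUILD_BUG_ON(offsetof(struct bpf_prog_info, netns_dev) % 8);`. The right expected offset depends on fields outside the hunk, so the exact expression needs confirming. The comment could also say why the pad exists rather than only what it is: `/* alignment pad: keeps netns_dev at the same offset on ABIs with 16-bit alignment */`. The identical line is added to tools/include/uapi/linux/bpf.h in the next hunk, and the struct continues outside both.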
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index 66917a4eba27..bf4cd924aed5 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -2484,6 +2484,7 @@ struct bpf_prog_info {
+       char name[BPF_OBJ_NAME_LEN];
+       __u32 ifindex;
+       __u32 gpl_compatible:1;
++      __u32 :31; /* alignment pad */
+       __u64 netns_dev;
+       __u64 netns_ino;
+       __u32 nr_jited_ksyms;
+-- 
+2.20.1
+
diff --git a/queue-4.19/bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch b/queue-4.19/bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch
new file mode 100644 (file)
index 0000000..fd09fb2
--- /dev/null
@@ -0,0 +1,64 @@
+From a01038da60c43130e4ab4db107fdd919690864e5 Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Tue, 2 Jul 2019 18:25:31 +0800
+Subject: bpf, libbpf, smatch: Fix potential NULL pointer dereference
+
+[ Upstream commit 33bae185f74d49a0d7b1bfaafb8e959efce0f243 ]
+
+Based on the following report from Smatch, fix the potential NULL
+pointer dereference check:
+
+  tools/lib/bpf/libbpf.c:3493
+  bpf_prog_load_xattr() warn: variable dereferenced before check 'attr'
+  (see line 3483)
+
+  3479 int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
+  3480                         struct bpf_object **pobj, int *prog_fd)
+  3481 {
+  3482         struct bpf_object_open_attr open_attr = {
+  3483                 .file           = attr->file,
+  3484                 .prog_type      = attr->prog_type,
+                                         ^^^^^^
+  3485         };
+
+At the head of function, it directly access 'attr' without checking
+if it's NULL pointer. This patch moves the values assignment after
+validating 'attr' and 'attr->file'.
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index bdb94939fd60..a350f97e3a1a 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -2293,10 +2293,7 @@ int bpf_prog_load(const char *file, enum bpf_prog_type type,
+ int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
+                       struct bpf_object **pobj, int *prog_fd)
+ {
+-      struct bpf_object_open_attr open_attr = {
+-              .file           = attr->file,
+-              .prog_type      = attr->prog_type,
+-      };
++      struct bpf_object_open_attr open_attr = {};
+       struct bpf_program *prog, *first_prog = NULL;
+       enum bpf_attach_type expected_attach_type;
+       enum bpf_prog_type prog_type;
+@@ -2309,6 +2306,9 @@ int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
+       if (!attr->file)
+               return -EINVAL;
++      open_attr.file = attr->file;
++      open_attr.prog_type = attr->prog_type;
++
+       obj = bpf_object__open_xattr(&open_attr);
+       if (IS_ERR_OR_NULL(obj))
+               return -ENOENT;
+-- 
+2.20.1
+
diff --git a/queue-4.19/bpf-silence-warning-messages-in-core.patch b/queue-4.19/bpf-silence-warning-messages-in-core.patch
new file mode 100644 (file)
index 0000000..a763c52
--- /dev/null
@@ -0,0 +1,56 @@
+From a6df1ed080b7b565f21c39e75b7651313020b871 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= <valdis.kletnieks@vt.edu>
+Date: Thu, 6 Jun 2019 22:39:27 -0400
+Subject: bpf: silence warning messages in core
+
+[ Upstream commit aee450cbe482a8c2f6fa5b05b178ef8b8ff107ca ]
+
+Compiling kernel/bpf/core.c with W=1 causes a flood of warnings:
+
+kernel/bpf/core.c:1198:65: warning: initialized field overwritten [-Woverride-init]
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+      |                                                                 ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 |  INSN_3(ALU, ADD,  X),   \
+      |  ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 |   BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+      |   ^~~~~~~~~~~~
+kernel/bpf/core.c:1198:65: note: (near initialization for 'public_insntable[12]')
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+      |                                                                 ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 |  INSN_3(ALU, ADD,  X),   \
+      |  ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 |   BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+      |   ^~~~~~~~~~~~
+
+98 copies of the above.
+
+The attached patch silences the warnings, because we *know* we're overwriting
+the default initializer. That leaves bpf/core.c with only 6 other warnings,
+which become more visible in comparison.
+
+Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile
+index 0488b8258321..ffc39a7e028d 100644
+--- a/kernel/bpf/Makefile
++++ b/kernel/bpf/Makefile
+@@ -1,5 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-y := core.o
++CFLAGS_core.o += $(call cc-disable-warning, override-init)
+ obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o
+ obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o
+-- 
+2.20.1
+
diff --git a/queue-4.19/clocksource-drivers-exynos_mct-increase-priority-ove.patch b/queue-4.19/clocksource-drivers-exynos_mct-increase-priority-ove.patch
new file mode 100644 (file)
index 0000000..8cc2062
--- /dev/null
@@ -0,0 +1,76 @@
+From fbcf7a909183820c4b0f67e7872d4f2ea49de07a Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 30 May 2019 12:50:43 +0200
+Subject: clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
+
+[ Upstream commit 6282edb72bed5324352522d732080d4c1b9dfed6 ]
+
+Exynos SoCs based on CA7/CA15 have 2 timer interfaces: custom Exynos MCT
+(Multi Core Timer) and standard ARM Architected Timers.
+
+There are use cases, where both timer interfaces are used simultanously.
+One of such examples is using Exynos MCT for the main system timer and
+ARM Architected Timers for the KVM and virtualized guests (KVM requires
+arch timers).
+
+Exynos Multi-Core Timer driver (exynos_mct) must be however started
+before ARM Architected Timers (arch_timer), because they both share some
+common hardware blocks (global system counter) and turning on MCT is
+needed to get ARM Architected Timer working properly.
+
+To ensure selecting Exynos MCT as the main system timer, increase MCT
+timer rating. To ensure proper starting order of both timers during
+suspend/resume cycle, increase MCT hotplug priority over ARM Archictected
+Timers.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/exynos_mct.c | 4 ++--
+ include/linux/cpuhotplug.h       | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
+index d55c30f6981d..aaf5bfa9bd9c 100644
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -211,7 +211,7 @@ static void exynos4_frc_resume(struct clocksource *cs)
+ static struct clocksource mct_frc = {
+       .name           = "mct-frc",
+-      .rating         = 400,
++      .rating         = 450,  /* use value higher than ARM arch timer */
+       .read           = exynos4_frc_read,
+       .mask           = CLOCKSOURCE_MASK(32),
+       .flags          = CLOCK_SOURCE_IS_CONTINUOUS,
+@@ -466,7 +466,7 @@ static int exynos4_mct_starting_cpu(unsigned int cpu)
+       evt->set_state_oneshot_stopped = set_state_shutdown;
+       evt->tick_resume = set_state_shutdown;
+       evt->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT;
+-      evt->rating = 450;
++      evt->rating = 500;      /* use value higher than ARM arch timer */
+       exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET);
+diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
+index dec0372efe2e..d67c0035165c 100644
+--- a/include/linux/cpuhotplug.h
++++ b/include/linux/cpuhotplug.h
+@@ -116,10 +116,10 @@ enum cpuhp_state {
+       CPUHP_AP_PERF_ARM_ACPI_STARTING,
+       CPUHP_AP_PERF_ARM_STARTING,
+       CPUHP_AP_ARM_L2X0_STARTING,
++      CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING,
+       CPUHP_AP_ARM_ARCH_TIMER_STARTING,
+       CPUHP_AP_ARM_GLOBAL_TIMER_STARTING,
+       CPUHP_AP_JCORE_TIMER_STARTING,
+-      CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING,
+       CPUHP_AP_ARM_TWD_STARTING,
+       CPUHP_AP_QCOM_TIMER_STARTING,
+       CPUHP_AP_ARMADA_TIMER_STARTING,
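Review bot: The new position of `CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING` is a hard ordering requirement, but the enum carries no comment saying so. Someone regrouping or sorting these timer entries could silently put it back after the arch timer. A line above the entry would record it: `/* Must precede CPUHP_AP_ARM_ARCH_TIMER_STARTING: the arch timer on Exynos depends on MCT being started */`. The rating comments in exynos_mct.c have a similar gap: `450` and `500` are said to be "higher than ARM arch timer", but the arch timer's values live in another file not shown here. Naming those values in the comment would show which change on the other side breaks the assumption. The enum continues outside the hunk.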
+-- 
+2.20.1
+
diff --git a/queue-4.19/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch b/queue-4.19/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch
new file mode 100644 (file)
index 0000000..1e4764e
--- /dev/null
@@ -0,0 +1,41 @@
+From eb90698971d3be212425a9126ab2e4d66ffe71b8 Mon Sep 17 00:00:00 2001
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Date: Wed, 29 May 2019 04:30:33 -0500
+Subject: cpupower : frequency-set -r option misses the last cpu in related cpu
+ list
+
+[ Upstream commit 04507c0a9385cc8280f794a36bfff567c8cc1042 ]
+
+To set frequency on specific cpus using cpupower, following syntax can
+be used :
+cpupower -c #i frequency-set -f #f -r
+
+While setting frequency using cpupower frequency-set command, if we use
+'-r' option, it is expected to set frequency for all cpus related to
+cpu #i. But it is observed to be missing the last cpu in related cpu
+list. This patch fixes the problem.
+
+Signed-off-by: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Reviewed-by: Thomas Renninger <trenn@suse.de>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/cpufreq-set.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/power/cpupower/utils/cpufreq-set.c b/tools/power/cpupower/utils/cpufreq-set.c
+index 1eef0aed6423..08a405593a79 100644
+--- a/tools/power/cpupower/utils/cpufreq-set.c
++++ b/tools/power/cpupower/utils/cpufreq-set.c
+@@ -306,6 +306,8 @@ int cmd_freq_set(int argc, char **argv)
+                               bitmask_setbit(cpus_chosen, cpus->cpu);
+                               cpus = cpus->next;
+                       }
++                      /* Set the last cpu in related cpus list */
++                      bitmask_setbit(cpus_chosen, cpus->cpu);
+                       cpufreq_put_related_cpus(cpus);
+               }
+       }
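Review bot: The added `bitmask_setbit(cpus_chosen, cpus->cpu);` repeats the loop body after the loop and dereferences `cpus` once it has been advanced. The `cpufreq_put_related_cpus(cpus)` that follows then receives the last node rather than the pointer that was obtained. Whether both are safe depends on the loop condition and on how the put routine finds the list head, neither of which is visible in this hunk. Walking the list with a separate cursor would cover every entry in one statement and leave the original pointer for the release: `for (cur = cpus; cur; cur = cur->next) bitmask_setbit(cpus_chosen, cur->cpu);`, with `cur` declared next to `cpus`.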
+-- 
+2.20.1
+
diff --git a/queue-4.19/crypto-asymmetric_keys-select-crypto_hash-where-need.patch b/queue-4.19/crypto-asymmetric_keys-select-crypto_hash-where-need.patch
new file mode 100644 (file)
index 0000000..198b44b
--- /dev/null
@@ -0,0 +1,60 @@
+From 064aae79e65f053c96b01838eb3d677714f6f801 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 14:13:47 +0200
+Subject: crypto: asymmetric_keys - select CRYPTO_HASH where needed
+
+[ Upstream commit 90acc0653d2bee203174e66d519fbaaa513502de ]
+
+Build testing with some core crypto options disabled revealed
+a few modules that are missing CRYPTO_HASH:
+
+crypto/asymmetric_keys/x509_public_key.o: In function `x509_get_sig_params':
+x509_public_key.c:(.text+0x4c7): undefined reference to `crypto_alloc_shash'
+x509_public_key.c:(.text+0x5e5): undefined reference to `crypto_shash_digest'
+crypto/asymmetric_keys/pkcs7_verify.o: In function `pkcs7_digest.isra.0':
+pkcs7_verify.c:(.text+0xab): undefined reference to `crypto_alloc_shash'
+pkcs7_verify.c:(.text+0x1b2): undefined reference to `crypto_shash_digest'
+pkcs7_verify.c:(.text+0x3c1): undefined reference to `crypto_shash_update'
+pkcs7_verify.c:(.text+0x411): undefined reference to `crypto_shash_finup'
+
+This normally doesn't show up in randconfig tests because there is
+a large number of other options that select CRYPTO_HASH.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/asymmetric_keys/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
+index f3702e533ff4..d8a73d94bb30 100644
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -15,6 +15,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+       select MPILIB
+       select CRYPTO_HASH_INFO
+       select CRYPTO_AKCIPHER
++      select CRYPTO_HASH
+       help
+         This option provides support for asymmetric public key type handling.
+         If signature generation and/or verification are to be used,
+@@ -34,6 +35,7 @@ config X509_CERTIFICATE_PARSER
+ config PKCS7_MESSAGE_PARSER
+       tristate "PKCS#7 message parser"
+       depends on X509_CERTIFICATE_PARSER
++      select CRYPTO_HASH
+       select ASN1
+       select OID_REGISTRY
+       help
+@@ -56,6 +58,7 @@ config SIGNED_PE_FILE_VERIFICATION
+       bool "Support for PE file signature verification"
+       depends on PKCS7_MESSAGE_PARSER=y
+       depends on SYSTEM_DATA_VERIFICATION
++      select CRYPTO_HASH
+       select ASN1
+       select OID_REGISTRY
+       help
+-- 
+2.20.1
+
diff --git a/queue-4.19/crypto-inside-secure-do-not-rely-on-the-hardware-las.patch b/queue-4.19/crypto-inside-secure-do-not-rely-on-the-hardware-las.patch
new file mode 100644 (file)
index 0000000..b6eafe6
--- /dev/null
@@ -0,0 +1,130 @@
+From c00e3f47852dc659c245a342f3d357fc32f35f3f Mon Sep 17 00:00:00 2001
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Mon, 27 May 2019 16:51:06 +0200
+Subject: crypto: inside-secure - do not rely on the hardware last bit for
+ result descriptors
+
+[ Upstream commit 89332590427235680236b9470e851afc49b3caa1 ]
+
+When performing a transformation the hardware is given result
+descriptors to save the result data. Those result descriptors are
+batched using a 'first' and a 'last' bit. There are cases were more
+descriptors than needed are given to the engine, leading to the engine
+only using some of them, and not setting the last bit on the last
+descriptor we gave. This causes issues were the driver and the hardware
+aren't in sync anymore about the number of result descriptors given (as
+the driver do not give a pool of descriptor to use for any
+transformation, but a pool of descriptors to use *per* transformation).
+
+This patch fixes it by attaching the number of given result descriptors
+to the requests, and by using this number instead of the 'last' bit
+found on the descriptors to process them.
+
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/inside-secure/safexcel_cipher.c    | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c
+index 3aef1d43e435..42a3830fbd19 100644
+--- a/drivers/crypto/inside-secure/safexcel_cipher.c
++++ b/drivers/crypto/inside-secure/safexcel_cipher.c
+@@ -51,6 +51,8 @@ struct safexcel_cipher_ctx {
+ struct safexcel_cipher_req {
+       enum safexcel_cipher_direction direction;
++      /* Number of result descriptors associated to the request */
++      unsigned int rdescs;
+       bool needs_inv;
+ };
+@@ -333,7 +335,10 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, int rin
+       *ret = 0;
+-      do {
++      if (unlikely(!sreq->rdescs))
++              return 0;
++
++      while (sreq->rdescs--) {
+               rdesc = safexcel_ring_next_rptr(priv, &priv->ring[ring].rdr);
+               if (IS_ERR(rdesc)) {
+                       dev_err(priv->dev,
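Review bot: `while (sreq->rdescs--)` leaves the unsigned counter at `UINT_MAX` after a complete pass, because the post-decrement is also applied to the final zero. The `if (unlikely(!sreq->rdescs))` guard added just above therefore cannot recognise a request whose descriptors were already consumed. If the handler ran again before a send path rewrote the field, the loop would keep pulling result descriptors that belong to other requests until the ring reported an error. Decrementing inside the body keeps the field at zero when the loop finishes: `while (sreq->rdescs) {` with `sreq->rdescs--;` as its first statement. The same loop is added to safexcel_handle_inv_result in the hunk at -509, and both functions continue outside their hunks.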
+@@ -346,7 +351,7 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, int rin
+                       *ret = safexcel_rdesc_check_errors(priv, rdesc);
+               ndesc++;
+-      } while (!rdesc->last_seg);
++      }
+       safexcel_complete(priv, ring);
+@@ -501,6 +506,7 @@ static int safexcel_send_req(struct crypto_async_request *base, int ring,
+ static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv,
+                                     int ring,
+                                     struct crypto_async_request *base,
++                                    struct safexcel_cipher_req *sreq,
+                                     bool *should_complete, int *ret)
+ {
+       struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(base->tfm);
+@@ -509,7 +515,10 @@ static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv,
+       *ret = 0;
+-      do {
++      if (unlikely(!sreq->rdescs))
++              return 0;
++
++      while (sreq->rdescs--) {
+               rdesc = safexcel_ring_next_rptr(priv, &priv->ring[ring].rdr);
+               if (IS_ERR(rdesc)) {
+                       dev_err(priv->dev,
+@@ -522,7 +531,7 @@ static int safexcel_handle_inv_result(struct safexcel_crypto_priv *priv,
+                       *ret = safexcel_rdesc_check_errors(priv, rdesc);
+               ndesc++;
+-      } while (!rdesc->last_seg);
++      }
+       safexcel_complete(priv, ring);
+@@ -564,7 +573,7 @@ static int safexcel_skcipher_handle_result(struct safexcel_crypto_priv *priv,
+       if (sreq->needs_inv) {
+               sreq->needs_inv = false;
+-              err = safexcel_handle_inv_result(priv, ring, async,
++              err = safexcel_handle_inv_result(priv, ring, async, sreq,
+                                                should_complete, ret);
+       } else {
+               err = safexcel_handle_req_result(priv, ring, async, req->src,
+@@ -587,7 +596,7 @@ static int safexcel_aead_handle_result(struct safexcel_crypto_priv *priv,
+       if (sreq->needs_inv) {
+               sreq->needs_inv = false;
+-              err = safexcel_handle_inv_result(priv, ring, async,
++              err = safexcel_handle_inv_result(priv, ring, async, sreq,
+                                                should_complete, ret);
+       } else {
+               err = safexcel_handle_req_result(priv, ring, async, req->src,
+@@ -633,6 +642,8 @@ static int safexcel_skcipher_send(struct crypto_async_request *async, int ring,
+               ret = safexcel_send_req(async, ring, sreq, req->src,
+                                       req->dst, req->cryptlen, 0, 0, req->iv,
+                                       commands, results);
++
++      sreq->rdescs = *results;
+       return ret;
+ }
+@@ -655,6 +666,7 @@ static int safexcel_aead_send(struct crypto_async_request *async, int ring,
+                                       req->cryptlen, req->assoclen,
+                                       crypto_aead_authsize(tfm), req->iv,
+                                       commands, results);
++      sreq->rdescs = *results;
+       return ret;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch b/queue-4.19/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch
new file mode 100644 (file)
index 0000000..7b3487c
--- /dev/null
@@ -0,0 +1,47 @@
+From 23b9400a7660c39510f4cb71f6468c71ecbec2f8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 13:19:42 +0200
+Subject: crypto: serpent - mark __serpent_setkey_sbox noinline
+
+[ Upstream commit 473971187d6727609951858c63bf12b0307ef015 ]
+
+The same bug that gcc hit in the past is apparently now showing
+up with clang, which decides to inline __serpent_setkey_sbox:
+
+crypto/serpent_generic.c:268:5: error: stack frame size of 2112 bytes in function '__serpent_setkey' [-Werror,-Wframe-larger-than=]
+
+Marking it 'noinline' reduces the stack usage from 2112 bytes to
+192 and 96 bytes, respectively, and seems to generate more
+useful object code.
+
+Fixes: c871c10e4ea7 ("crypto: serpent - improve __serpent_setkey with UBSAN")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/serpent_generic.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/serpent_generic.c b/crypto/serpent_generic.c
+index 7c3382facc82..600bd288881d 100644
+--- a/crypto/serpent_generic.c
++++ b/crypto/serpent_generic.c
+@@ -229,7 +229,13 @@
+       x4 ^= x2;                                       \
+       })
+-static void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2, u32 r3, u32 r4, u32 *k)
++/*
++ * both gcc and clang have misoptimized this function in the past,
++ * producing horrible object code from spilling temporary variables
++ * on the stack. Forcing this part out of line avoids that.
++ */
++static noinline void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2,
++                                         u32 r3, u32 r4, u32 *k)
+ {
+       k += 100;
+       S3(r3, r4, r0, r1, r2); store_and_load_keys(r1, r2, r4, r3, 28, 24);
+-- 
+2.20.1
+
diff --git a/queue-4.19/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch b/queue-4.19/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch
new file mode 100644 (file)
index 0000000..7681241
--- /dev/null
@@ -0,0 +1,42 @@
+From e1865e1b69be0cee2fbded719b54a877a91c04d6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 May 2019 13:34:18 +0000
+Subject: crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
+
+[ Upstream commit c9cca7034b34a2d82e9a03b757de2485c294851c ]
+
+The MPC885 reference manual states:
+
+SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but
+reads can occur on any byte boundary. Writing back a header read from a
+non-32-bit-word boundary will yield unpredictable results.
+
+In order to ensure that, cra_alignmask is set to 3 for SEC1.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 254f711f1934..41b288bdcdbf 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -3193,7 +3193,10 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
+               alg->cra_priority = t_alg->algt.priority;
+       else
+               alg->cra_priority = TALITOS_CRA_PRIORITY;
+-      alg->cra_alignmask = 0;
++      if (has_ftr_sec1(priv))
++              alg->cra_alignmask = 3;
++      else
++              alg->cra_alignmask = 0;
+       alg->cra_ctxsize = sizeof(struct talitos_ctx);
+       alg->cra_flags |= CRYPTO_ALG_KERN_DRIVER_ONLY;
+-- 
+2.20.1
+
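Review bot: The literal in `alg->cra_alignmask = 3;` in talitos_alg_alloc() has no in-code explanation; the reason (SEC1 can only write on 32-bit word boundaries) is recorded only in the commit message. A one-line comment above the branch would keep the rationale with the code, e.g. `/* SEC1 writes must land on 32-bit word boundaries, so ask for 4-byte aligned buffers */`. talitos_alg_alloc() starts and ends outside the hunk, so whether every SEC1 data path honours the mask cannot be checked from here.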
diff --git a/queue-4.19/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch b/queue-4.19/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
new file mode 100644 (file)
index 0000000..d353842
--- /dev/null
@@ -0,0 +1,55 @@
+From 1f7987bdf1c0ba5957c69b315154ede8627e1f40 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 15 May 2019 12:29:03 +0000
+Subject: crypto: talitos - fix skcipher failure due to wrong output IV
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3e03e792865ae48b8cfc69a0b4d65f02f467389f ]
+
+Selftests report the following:
+
+[    2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[    2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41
+[    3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[    3.043185] 00000000: fe dc ba 98 76 54 32 10
+[    3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[    3.073818] 00000000: 7d 33 88 93 0f 93 b2 42
+
+This above dumps show that the actual output IV is indeed the input IV.
+This is due to the IV not being copied back into the request.
+
+This patch fixes that.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 5849075d54c7..d46f58c13433 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1553,11 +1553,15 @@ static void ablkcipher_done(struct device *dev,
+                           int err)
+ {
+       struct ablkcipher_request *areq = context;
++      struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq);
++      struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++      unsigned int ivsize = crypto_ablkcipher_ivsize(cipher);
+       struct talitos_edesc *edesc;
+       edesc = container_of(desc, struct talitos_edesc, desc);
+       common_nonsnoop_unmap(dev, edesc, areq);
++      memcpy(areq->info, ctx->iv, ivsize);
+       kfree(edesc);
+-- 
+2.20.1
+
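Review bot: In ablkcipher_done() the added `memcpy(areq->info, ctx->iv, ivsize);` reads the IV from `ctx`, which comes from `crypto_ablkcipher_ctx(cipher)` and is therefore shared by every request on the same transform rather than owned by this request. If two requests on one tfm can be in flight together, the value copied back may belong to the other request. The output IV presumably needs per-request storage, for example next to the descriptor in `edesc`; this should be confirmed against how `ctx->iv` is mapped, which is not visible here. The function body continues past the end of the hunk.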
diff --git a/queue-4.19/crypto-talitos-properly-handle-split-icv.patch b/queue-4.19/crypto-talitos-properly-handle-split-icv.patch
new file mode 100644 (file)
index 0000000..df28a33
--- /dev/null
@@ -0,0 +1,97 @@
+From 44d407601f8808a09074e2389c44f67676bf5363 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 May 2019 13:34:17 +0000
+Subject: crypto: talitos - properly handle split ICV.
+
+[ Upstream commit eae55a586c3c8b50982bad3c3426e9c9dd7a0075 ]
+
+The driver assumes that the ICV is as a single piece in the last
+element of the scatterlist. This assumption is wrong.
+
+This patch ensures that the ICV is properly handled regardless of
+the scatterlist layout.
+
+Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index d46f58c13433..254f711f1934 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1001,7 +1001,6 @@ static void ipsec_esp_encrypt_done(struct device *dev,
+       unsigned int authsize = crypto_aead_authsize(authenc);
+       unsigned int ivsize = crypto_aead_ivsize(authenc);
+       struct talitos_edesc *edesc;
+-      struct scatterlist *sg;
+       void *icvdata;
+       edesc = container_of(desc, struct talitos_edesc, desc);
+@@ -1015,9 +1014,8 @@ static void ipsec_esp_encrypt_done(struct device *dev,
+               else
+                       icvdata = &edesc->link_tbl[edesc->src_nents +
+                                                  edesc->dst_nents + 2];
+-              sg = sg_last(areq->dst, edesc->dst_nents);
+-              memcpy((char *)sg_virt(sg) + sg->length - authsize,
+-                     icvdata, authsize);
++              sg_pcopy_from_buffer(areq->dst, edesc->dst_nents ? : 1, icvdata,
++                                   authsize, areq->assoclen + areq->cryptlen);
+       }
+       dma_unmap_single(dev, edesc->iv_dma, ivsize, DMA_TO_DEVICE);
+@@ -1035,7 +1033,6 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
+       struct crypto_aead *authenc = crypto_aead_reqtfm(req);
+       unsigned int authsize = crypto_aead_authsize(authenc);
+       struct talitos_edesc *edesc;
+-      struct scatterlist *sg;
+       char *oicv, *icv;
+       struct talitos_private *priv = dev_get_drvdata(dev);
+       bool is_sec1 = has_ftr_sec1(priv);
+@@ -1045,9 +1042,18 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
+       ipsec_esp_unmap(dev, edesc, req);
+       if (!err) {
++              char icvdata[SHA512_DIGEST_SIZE];
++              int nents = edesc->dst_nents ? : 1;
++              unsigned int len = req->assoclen + req->cryptlen;
++
+               /* auth check */
+-              sg = sg_last(req->dst, edesc->dst_nents ? : 1);
+-              icv = (char *)sg_virt(sg) + sg->length - authsize;
++              if (nents > 1) {
++                      sg_pcopy_to_buffer(req->dst, nents, icvdata, authsize,
++                                         len - authsize);
++                      icv = icvdata;
++              } else {
++                      icv = (char *)sg_virt(req->dst) + len - authsize;
++              }
+               if (edesc->dma_len) {
+                       if (is_sec1)
+@@ -1463,7 +1469,6 @@ static int aead_decrypt(struct aead_request *req)
+       struct talitos_ctx *ctx = crypto_aead_ctx(authenc);
+       struct talitos_private *priv = dev_get_drvdata(ctx->dev);
+       struct talitos_edesc *edesc;
+-      struct scatterlist *sg;
+       void *icvdata;
+       req->cryptlen -= authsize;
+@@ -1497,9 +1502,8 @@ static int aead_decrypt(struct aead_request *req)
+       else
+               icvdata = &edesc->link_tbl[0];
+-      sg = sg_last(req->src, edesc->src_nents ? : 1);
+-
+-      memcpy(icvdata, (char *)sg_virt(sg) + sg->length - authsize, authsize);
++      sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize,
++                         req->assoclen + req->cryptlen - authsize);
+       return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done);
+ }
+-- 
+2.20.1
+
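Review bot: In aead_decrypt() the new offset `req->assoclen + req->cryptlen - authsize` is computed after the context line `req->cryptlen -= authsize;`, so authsize appears to be subtracted twice. The removed code took the last authsize bytes of the final source segment; if the source holds assoclen plus the original cryptlen, the ICV starts at `req->assoclen + req->cryptlen` and the copy would pick up the authsize bytes before it. The same question applies to `len - authsize` in ipsec_esp_decrypt_swauth_done(), assuming req->cryptlen is still reduced when that callback runs. Unless cryptlen is restored between the two aead_decrypt hunks (not visible here), the call should read `sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize, req->assoclen + req->cryptlen);`. A wrong offset means the integrity comparison runs on the wrong bytes, so the AEAD selftests are worth running on the 4.19 tree with this patch applied.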
diff --git a/queue-4.19/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch b/queue-4.19/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
new file mode 100644 (file)
index 0000000..f37c512
--- /dev/null
@@ -0,0 +1,107 @@
+From c6942b51b3353fb1b83ce630e0162d02971bc864 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Mon, 24 Jun 2019 10:07:31 -0400
+Subject: dmaengine: imx-sdma: fix use-after-free on probe error path
+
+[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ]
+
+If probe() fails anywhere beyond the point where
+sdma_get_firmware() is called, then a kernel oops may occur.
+
+Problematic sequence of events:
+1. probe() calls sdma_get_firmware(), which schedules the
+   firmware callback to run when firmware becomes available,
+   using the sdma instance structure as the context
+2. probe() encounters an error, which deallocates the
+   sdma instance structure
+3. firmware becomes available, firmware callback is
+   called with deallocated sdma instance structure
+4. use after free - kernel oops !
+
+Solution: only attempt to load firmware when we're certain
+that probe() will succeed. This guarantees that the firmware
+callback's context will remain valid.
+
+Note that the remove() path is unaffected by this issue: the
+firmware loader will increment the driver module's use count,
+ensuring that the module cannot be unloaded while the
+firmware callback is pending or running.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Reviewed-by: Robin Gong <yibin.gong@nxp.com>
+[vkoul: fixed braces for if condition]
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/imx-sdma.c | 48 ++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index 1c658ec3cbf4..3f5a01cb4ab4 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -2039,27 +2039,6 @@ static int sdma_probe(struct platform_device *pdev)
+       if (pdata && pdata->script_addrs)
+               sdma_add_scripts(sdma, pdata->script_addrs);
+-      if (pdata) {
+-              ret = sdma_get_firmware(sdma, pdata->fw_name);
+-              if (ret)
+-                      dev_warn(&pdev->dev, "failed to get firmware from platform data\n");
+-      } else {
+-              /*
+-               * Because that device tree does not encode ROM script address,
+-               * the RAM script in firmware is mandatory for device tree
+-               * probe, otherwise it fails.
+-               */
+-              ret = of_property_read_string(np, "fsl,sdma-ram-script-name",
+-                                            &fw_name);
+-              if (ret)
+-                      dev_warn(&pdev->dev, "failed to get firmware name\n");
+-              else {
+-                      ret = sdma_get_firmware(sdma, fw_name);
+-                      if (ret)
+-                              dev_warn(&pdev->dev, "failed to get firmware from device tree\n");
+-              }
+-      }
+-
+       sdma->dma_device.dev = &pdev->dev;
+       sdma->dma_device.device_alloc_chan_resources = sdma_alloc_chan_resources;
+@@ -2103,6 +2082,33 @@ static int sdma_probe(struct platform_device *pdev)
+               of_node_put(spba_bus);
+       }
++      /*
++       * Kick off firmware loading as the very last step:
++       * attempt to load firmware only if we're not on the error path, because
++       * the firmware callback requires a fully functional and allocated sdma
++       * instance.
++       */
++      if (pdata) {
++              ret = sdma_get_firmware(sdma, pdata->fw_name);
++              if (ret)
++                      dev_warn(&pdev->dev, "failed to get firmware from platform data\n");
++      } else {
++              /*
++               * Because that device tree does not encode ROM script address,
++               * the RAM script in firmware is mandatory for device tree
++               * probe, otherwise it fails.
++               */
++              ret = of_property_read_string(np, "fsl,sdma-ram-script-name",
++                                            &fw_name);
++              if (ret) {
++                      dev_warn(&pdev->dev, "failed to get firmware name\n");
++              } else {
++                      ret = sdma_get_firmware(sdma, fw_name);
++                      if (ret)
++                              dev_warn(&pdev->dev, "failed to get firmware from device tree\n");
++              }
++      }
++
+       return 0;
+ err_register:
+-- 
+2.20.1
+
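Review bot: The comment added at the end of sdma_probe() covers only the probe error path, and the module use count cited in the commit message guards against module unload, not against a driver unbind. An unbind through sysfs runs remove() while the module stays loaded, so presumably a firmware callback that is still pending could be handed an sdma instance that has already been released. This depends on how the instance is allocated and on what remove() does, neither of which is visible here. The comment could record the requirement, e.g. `* NOTE: remove() must not release sdma while the firmware callback is pending.`, or remove() should be confirmed to wait for the callback. sdma_probe() starts before the hunk.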
diff --git a/queue-4.19/edac-fix-global-out-of-bounds-write-when-setting-eda.patch b/queue-4.19/edac-fix-global-out-of-bounds-write-when-setting-eda.patch
new file mode 100644 (file)
index 0000000..166b708
--- /dev/null
@@ -0,0 +1,159 @@
+From 7ae415feb88a5f8e155cb71e612abeba7b0ab08b Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Wed, 26 Jun 2019 14:40:11 +0900
+Subject: EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
+
+[ Upstream commit d8655e7630dafa88bc37f101640e39c736399771 ]
+
+Commit 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") assumes
+edac_mc_poll_msec to be unsigned long, but the type of the variable still
+remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds
+write.
+
+Reproducer:
+
+  # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec
+
+KASAN report:
+
+  BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150
+  Write of size 8 at addr ffffffffb91b2d00 by task bash/1996
+
+  CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+  Call Trace:
+   dump_stack+0xca/0x13e
+   print_address_description.cold+0x5/0x246
+   __kasan_report.cold+0x75/0x9a
+   ? edac_set_poll_msec+0x140/0x150
+   kasan_report+0xe/0x20
+   edac_set_poll_msec+0x140/0x150
+   ? dimmdev_location_show+0x30/0x30
+   ? vfs_lock_file+0xe0/0xe0
+   ? _raw_spin_lock+0x87/0xe0
+   param_attr_store+0x1b5/0x310
+   ? param_array_set+0x4f0/0x4f0
+   module_attr_store+0x58/0x80
+   ? module_attr_show+0x80/0x80
+   sysfs_kf_write+0x13d/0x1a0
+   kernfs_fop_write+0x2bc/0x460
+   ? sysfs_kf_bin_read+0x270/0x270
+   ? kernfs_notify+0x1f0/0x1f0
+   __vfs_write+0x81/0x100
+   vfs_write+0x1e1/0x560
+   ksys_write+0x126/0x250
+   ? __ia32_sys_read+0xb0/0xb0
+   ? do_syscall_64+0x1f/0x390
+   do_syscall_64+0xc1/0x390
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  RIP: 0033:0x7fa7caa5e970
+  Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04
+  RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+  RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970
+  RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001
+  RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700
+  R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005
+  R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005
+
+  The buggy address belongs to the variable:
+   edac_mc_poll_msec+0x0/0x40
+
+  Memory state around the buggy address:
+   ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+   ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+  >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+                     ^
+   ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+   ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fix it by changing the type of edac_mc_poll_msec to unsigned int.
+The reason why this patch adopts unsigned int rather than unsigned long
+is msecs_to_jiffies() assumes arg to be unsigned int. We can avoid
+integer conversion bugs and unsigned int will be large enough for
+edac_mc_poll_msec.
+
+Reviewed-by: James Morse <james.morse@arm.com>
+Fixes: 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 16 ++++++++--------
+ drivers/edac/edac_module.h   |  2 +-
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index e50610b5bd06..d4545a9222a0 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -26,7 +26,7 @@
+ static int edac_mc_log_ue = 1;
+ static int edac_mc_log_ce = 1;
+ static int edac_mc_panic_on_ue;
+-static int edac_mc_poll_msec = 1000;
++static unsigned int edac_mc_poll_msec = 1000;
+ /* Getter functions for above */
+ int edac_mc_get_log_ue(void)
+@@ -45,30 +45,30 @@ int edac_mc_get_panic_on_ue(void)
+ }
+ /* this is temporary */
+-int edac_mc_get_poll_msec(void)
++unsigned int edac_mc_get_poll_msec(void)
+ {
+       return edac_mc_poll_msec;
+ }
+ static int edac_set_poll_msec(const char *val, const struct kernel_param *kp)
+ {
+-      unsigned long l;
++      unsigned int i;
+       int ret;
+       if (!val)
+               return -EINVAL;
+-      ret = kstrtoul(val, 0, &l);
++      ret = kstrtouint(val, 0, &i);
+       if (ret)
+               return ret;
+-      if (l < 1000)
++      if (i < 1000)
+               return -EINVAL;
+-      *((unsigned long *)kp->arg) = l;
++      *((unsigned int *)kp->arg) = i;
+       /* notify edac_mc engine to reset the poll period */
+-      edac_mc_reset_delay_period(l);
++      edac_mc_reset_delay_period(i);
+       return 0;
+ }
+@@ -82,7 +82,7 @@ MODULE_PARM_DESC(edac_mc_log_ue,
+ module_param(edac_mc_log_ce, int, 0644);
+ MODULE_PARM_DESC(edac_mc_log_ce,
+                "Log correctable error to console: 0=off 1=on");
+-module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_int,
++module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_uint,
+                 &edac_mc_poll_msec, 0644);
+ MODULE_PARM_DESC(edac_mc_poll_msec, "Polling period in milliseconds");
+diff --git a/drivers/edac/edac_module.h b/drivers/edac/edac_module.h
+index dec88dcea036..c9f0e73872a6 100644
+--- a/drivers/edac/edac_module.h
++++ b/drivers/edac/edac_module.h
+@@ -36,7 +36,7 @@ extern int edac_mc_get_log_ue(void);
+ extern int edac_mc_get_log_ce(void);
+ extern int edac_mc_get_panic_on_ue(void);
+ extern int edac_get_poll_msec(void);
+-extern int edac_mc_get_poll_msec(void);
++extern unsigned int edac_mc_get_poll_msec(void);
+ unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf,
+                                unsigned len);
+-- 
+2.20.1
+
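Review bot: The store `*((unsigned int *)kp->arg) = i;` in edac_set_poll_msec() still relies on the cast matching the declared type of edac_mc_poll_msec, which is exactly the mismatch this commit repairs, and nothing in the code ties the two together. A comment on the store, e.g. `/* kp->arg is &edac_mc_poll_msec (unsigned int); keep this cast and param_get_uint in sync with its declaration */`, would make the dependency visible to the next change. The lower bound of 1000 is kept, but no upper bound is applied before the value reaches edac_mc_reset_delay_period(); whether that callee copes with the full unsigned int range cannot be checked from these hunks.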
diff --git a/queue-4.19/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch b/queue-4.19/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch
new file mode 100644 (file)
index 0000000..418fa46
--- /dev/null
@@ -0,0 +1,52 @@
+From 8b42398b8054258973fa2f1a602ab35cf97ef689 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 18 Apr 2019 10:27:18 +0800
+Subject: EDAC/sysfs: Fix memory leak when creating a csrow object
+
+[ Upstream commit 585fb3d93d32dbe89e718b85009f9c322cc554cd ]
+
+In edac_create_csrow_object(), the reference to the object is not
+released when adding the device to the device hierarchy fails
+(device_add()). This may result in a memory leak.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: https://lkml.kernel.org/r/1555554438-103953-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 20374b8248f0..e50610b5bd06 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -404,6 +404,8 @@ static inline int nr_pages_per_csrow(struct csrow_info *csrow)
+ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+                                   struct csrow_info *csrow, int index)
+ {
++      int err;
++
+       csrow->dev.type = &csrow_attr_type;
+       csrow->dev.bus = mci->bus;
+       csrow->dev.groups = csrow_dev_groups;
+@@ -416,7 +418,11 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+       edac_dbg(0, "creating (virtual) csrow node %s\n",
+                dev_name(&csrow->dev));
+-      return device_add(&csrow->dev);
++      err = device_add(&csrow->dev);
++      if (err)
++              put_device(&csrow->dev);
++
++      return err;
+ }
+ /* Create a CSROW object under specifed edac_mc_device */
+-- 
+2.20.1
+
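Review bot: The new `put_device(&csrow->dev);` in edac_create_csrow_object() drops what is presumably the last reference, so the release callback of `csrow_attr_type` runs on this failure path, and the hunk does not show what that callback frees. If it releases `csrow` itself, a caller that touches or frees the same csrow during its own unwinding would hit freed memory; both the release function and the caller are outside the visible lines. The code between the two hunks, where the device is presumably initialised, is also not shown. A comment at the call would record the contract, e.g. `/* drops the reference taken at initialisation; csrow->dev must not be used after this */`.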
diff --git a/queue-4.19/floppy-fix-div-by-zero-in-setup_format_params.patch b/queue-4.19/floppy-fix-div-by-zero-in-setup_format_params.patch
new file mode 100644 (file)
index 0000000..983f9c7
--- /dev/null
@@ -0,0 +1,61 @@
+From 762dcbbaae38eba19a55579cc9ed021972bbe9b7 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:20 +0300
+Subject: floppy: fix div-by-zero in setup_format_params
+
+[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]
+
+This fixes a divide by zero error in the setup_format_params function of
+the floppy driver.
+
+Two consecutive ioctls can trigger the bug: The first one should set the
+drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
+to become zero.  Next, the floppy format operation should be called.
+
+A floppy disk is not required to be inserted.  An unprivileged user
+could trigger the bug if the device is accessible.
+
+The patch checks F_SECT_PER_TRACK for a non-zero value in the
+set_geometry function.  The proper check should involve a reasonable
+upper limit for the .sect and .rate fields, but it could change the
+UAPI.
+
+The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
+cancels the formatting operation in case of zero.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index a8de56f1936d..b1425b218606 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -2119,6 +2119,9 @@ static void setup_format_params(int track)
+       raw_cmd->kernel_data = floppy_track_buffer;
+       raw_cmd->length = 4 * F_SECT_PER_TRACK;
++      if (!F_SECT_PER_TRACK)
++              return;
++
+       /* allow for about 30ms for data transport per track */
+       head_shift = (F_SECT_PER_TRACK + 5) / 6;
+@@ -3243,6 +3246,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+       /* sanity checking for parameters. */
+       if (g->sect <= 0 ||
+           g->head <= 0 ||
++          /* check for zero in F_SECT_PER_TRACK */
++          (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+           /* check if reserved bits are set */
+           (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
+-- 
+2.20.1
+
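Review bot: In setup_format_params() the added `if (!F_SECT_PER_TRACK) return;` leaves a void function early after `raw_cmd->kernel_data` and `raw_cmd->length` have already been written, so the caller cannot tell that the format parameters were never set up. The commit message says the format operation is cancelled in this case, but nothing in the hunk signals failure; the caller is outside the visible lines and needs checking. At minimum a comment such as `/* geometry yields zero sectors per track: stop here rather than divide by zero below */` should explain the state in which raw_cmd is left. The set_geometry() check is the primary guard, and as the commit message notes it still applies no upper limit to .sect and .rate.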
diff --git a/queue-4.19/floppy-fix-invalid-pointer-dereference-in-drive_name.patch b/queue-4.19/floppy-fix-invalid-pointer-dereference-in-drive_name.patch
new file mode 100644 (file)
index 0000000..3d731fe
--- /dev/null
@@ -0,0 +1,81 @@
+From 46de254ae41c466729f8940b790238a98d91d3bd Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:22 +0300
+Subject: floppy: fix invalid pointer dereference in drive_name
+
+[ Upstream commit 9b04609b784027968348796a18f601aed9db3789 ]
+
+This fixes the invalid pointer dereference in the drive_name function of
+the floppy driver.
+
+The native_format field of the struct floppy_drive_params is used as
+floppy_type array index in the drive_name function.  Thus, the field
+should be checked the same way as the autodetect field.
+
+To trigger the bug, one could use a value out of range and set the drive
+parameters with the FDSETDRVPRM ioctl.  Next, FDGETDRVTYP ioctl should
+be used to call the drive_name.  A floppy disk is not required to be
+inserted.
+
+CAP_SYS_ADMIN is required to call FDSETDRVPRM.
+
+The patch adds the check for a value of the native_format field to be in
+the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
+indices.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index dd49737effbf..8d69a8af8b78 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3391,7 +3391,8 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
+       return 0;
+ }
+-static bool valid_floppy_drive_params(const short autodetect[8])
++static bool valid_floppy_drive_params(const short autodetect[8],
++              int native_format)
+ {
+       size_t floppy_type_size = ARRAY_SIZE(floppy_type);
+       size_t i = 0;
+@@ -3402,6 +3403,9 @@ static bool valid_floppy_drive_params(const short autodetect[8])
+                       return false;
+       }
++      if (native_format < 0 || native_format >= floppy_type_size)
++              return false;
++
+       return true;
+ }
+@@ -3531,7 +3535,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
+               SUPBOUND(size, strlen((const char *)outparam) + 1);
+               break;
+       case FDSETDRVPRM:
+-              if (!valid_floppy_drive_params(inparam.dp.autodetect))
++              if (!valid_floppy_drive_params(inparam.dp.autodetect,
++                              inparam.dp.native_format))
+                       return -EINVAL;
+               *UDP = inparam.dp;
+               break;
+@@ -3730,7 +3735,7 @@ static int compat_setdrvprm(int drive,
+               return -EPERM;
+       if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params)))
+               return -EFAULT;
+-      if (!valid_floppy_drive_params(v.autodetect))
++      if (!valid_floppy_drive_params(v.autodetect, v.native_format))
+               return -EINVAL;
+       mutex_lock(&floppy_mutex);
+       UDP->cmos = v.cmos;
+-- 
+2.20.1
+
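Review bot: valid_floppy_drive_params() now validates two different fields but carries no comment saying why these are the ones checked. Something like `/* autodetect[] and native_format are used as indices into floppy_type[]; reject values outside it */` above the function would tell the next reader which invariant both ioctl paths depend on. The comparison `native_format >= floppy_type_size` mixes `int` with `size_t` and is only correct because the `native_format < 0` test comes first, which the same comment should mention. Only the FDSETDRVPRM and compat_setdrvprm() call sites are visible in this patch.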
diff --git a/queue-4.19/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/queue-4.19/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
new file mode 100644 (file)
index 0000000..b0150b7
--- /dev/null
@@ -0,0 +1,52 @@
+From b7fda244cfa6a9dff5688db9cb5e6e705b561d20 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:23 +0300
+Subject: floppy: fix out-of-bounds read in copy_buffer
+
+[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ]
+
+This fixes a global out-of-bounds read access in the copy_buffer
+function of the floppy driver.
+
+The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
+and head fields (unsigned int) of the floppy_drive structure are used to
+compute the max_sector (int) in the make_raw_rw_request function.  It is
+possible to overflow the max_sector.  Next, max_sector is passed to the
+copy_buffer function and used in one of the memcpy calls.
+
+An unprivileged user could trigger the bug if the device is accessible,
+but requires a floppy disk to be inserted.
+
+The patch adds the check for the .sect * .head multiplication for not
+overflowing in the set_geometry function.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 8d69a8af8b78..4a9a4d12721a 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3244,8 +3244,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+       int cnt;
+       /* sanity checking for parameters. */
+-      if (g->sect <= 0 ||
+-          g->head <= 0 ||
++      if ((int)g->sect <= 0 ||
++          (int)g->head <= 0 ||
++          /* check for overflow in max_sector */
++          (int)(g->sect * g->head) <= 0 ||
+           /* check for zero in F_SECT_PER_TRACK */
+           (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+-- 
+2.20.1
+
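Review bot: The overflow test `(int)(g->sect * g->head) <= 0` in set_geometry() inspects the product after the unsigned multiplication has already wrapped, so it only rejects results that end up zero or with the sign bit set. A product that wraps back into the positive int range still passes this line; whether the other conditions in the same `if` happen to exclude such geometries cannot be established from the hunk. Testing before multiplying closes the gap: `g->head > INT_MAX / g->sect ||`, placed after the `(int)g->sect <= 0` test so the divisor is non-zero. The condition continues beyond the hunk's last line.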
diff --git a/queue-4.19/floppy-fix-out-of-bounds-read-in-next_valid_format.patch b/queue-4.19/floppy-fix-out-of-bounds-read-in-next_valid_format.patch
new file mode 100644 (file)
index 0000000..3a90f9b
--- /dev/null
@@ -0,0 +1,79 @@
+From 4b1f4a2962eeb3b453cba4c782546f48e5547051 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:21 +0300
+Subject: floppy: fix out-of-bounds read in next_valid_format
+
+[ Upstream commit 5635f897ed83fd539df78e98ba69ee91592f9bb8 ]
+
+This fixes a global out-of-bounds read access in the next_valid_format
+function of the floppy driver.
+
+The values from autodetect field of the struct floppy_drive_params are
+used as indices for the floppy_type array in the next_valid_format
+function 'floppy_type[DP->autodetect[probed_format]].sect'.
+
+To trigger the bug, one could use a value out of range and set the drive
+parameters with the FDSETDRVPRM ioctl.  A floppy disk is not required to
+be inserted.
+
+CAP_SYS_ADMIN is required to call FDSETDRVPRM.
+
+The patch adds the check for values of the autodetect field to be in the
+'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index b1425b218606..dd49737effbf 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3391,6 +3391,20 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
+       return 0;
+ }
++static bool valid_floppy_drive_params(const short autodetect[8])
++{
++      size_t floppy_type_size = ARRAY_SIZE(floppy_type);
++      size_t i = 0;
++
++      for (i = 0; i < 8; ++i) {
++              if (autodetect[i] < 0 ||
++                  autodetect[i] >= floppy_type_size)
++                      return false;
++      }
++
++      return true;
++}
++
+ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd,
+                   unsigned long param)
+ {
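Review bot: The loop bound `8` in valid_floppy_drive_params repeats the array length by hand. The parameter `const short autodetect[8]` decays to a pointer, so the compiler neither enforces nor checks that length. A named constant shared with the structure declaration would keep the bound tied to the field if it ever changes; failing that, a comment such as `/* 8 == number of entries in floppy_drive_params.autodetect */` would do. The initialiser in `size_t i = 0;` is also redundant, because the `for` statement assigns it again.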
+@@ -3517,6 +3531,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
+               SUPBOUND(size, strlen((const char *)outparam) + 1);
+               break;
+       case FDSETDRVPRM:
++              if (!valid_floppy_drive_params(inparam.dp.autodetect))
++                      return -EINVAL;
+               *UDP = inparam.dp;
+               break;
+       case FDGETDRVPRM:
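Review bot: `*UDP = inparam.dp;` still copies every other member of the user-supplied structure unchecked, because the new guard validates only `autodetect`. If any other member is later used as an array index or divisor (not visible in this hunk), it needs the same range check in `valid_floppy_drive_params` before the assignment. At minimum, a comment above the call such as `/* only autodetect[] is range-checked here */` would make the limit of the validation explicit. The same applies to the field-by-field copy in compat_setdrvprm in the following hunk; fd_locked_ioctl's body extends beyond this hunk.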
+@@ -3714,6 +3730,8 @@ static int compat_setdrvprm(int drive,
+               return -EPERM;
+       if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params)))
+               return -EFAULT;
++      if (!valid_floppy_drive_params(v.autodetect))
++              return -EINVAL;
+       mutex_lock(&floppy_mutex);
+       UDP->cmos = v.cmos;
+       UDP->max_dtr = v.max_dtr;
+-- 
+2.20.1
+
diff --git a/queue-4.19/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch b/queue-4.19/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch
new file mode 100644 (file)
index 0000000..84f415c
--- /dev/null
@@ -0,0 +1,69 @@
+From 777c332a6dd790f91f6eb0a91fbfd117eb28d14f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 20 May 2019 09:29:42 -0700
+Subject: fscrypt: clean up some BUG_ON()s in block encryption/decryption
+
+[ Upstream commit eeacfdc68a104967162dfcba60f53f6f5b62a334 ]
+
+Replace some BUG_ON()s with WARN_ON_ONCE() and returning an error code,
+and move the check for len divisible by FS_CRYPTO_BLOCK_SIZE into
+fscrypt_crypt_block() so that it's done for both encryption and
+decryption, not just encryption.
+
+Reviewed-by: Chandan Rajendra <chandan@linux.ibm.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/crypto/crypto.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
+index 0f46cf550907..c83ddff3ff4a 100644
+--- a/fs/crypto/crypto.c
++++ b/fs/crypto/crypto.c
+@@ -149,7 +149,10 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw,
+       struct crypto_skcipher *tfm = ci->ci_ctfm;
+       int res = 0;
+-      BUG_ON(len == 0);
++      if (WARN_ON_ONCE(len <= 0))
++              return -EINVAL;
++      if (WARN_ON_ONCE(len % FS_CRYPTO_BLOCK_SIZE != 0))
++              return -EINVAL;
+       BUILD_BUG_ON(sizeof(iv) != FS_IV_SIZE);
+       BUILD_BUG_ON(AES_BLOCK_SIZE != FS_IV_SIZE);
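Review bot: The two new checks validate `len` alone, and nothing in the visible lines bounds it together with the offset that fscrypt_decrypt_page passes through as `offs`. Since this commit turns the length sanity checks into recoverable errors, the same place could also reject a range that runs off the page, e.g. `if (WARN_ON_ONCE(offs > PAGE_SIZE || len > PAGE_SIZE - offs)) return -EINVAL;`. This may already be guaranteed by callers; the parameter list and the rest of fscrypt_do_page_crypto are outside the hunk, so treat it as a question rather than a confirmed gap. If `len` is `unsigned int` here, as it is in fscrypt_decrypt_page, `len <= 0` is equivalent to `len == 0` and would read more clearly written that way.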
+@@ -241,8 +244,6 @@ struct page *fscrypt_encrypt_page(const struct inode *inode,
+       struct page *ciphertext_page = page;
+       int err;
+-      BUG_ON(len % FS_CRYPTO_BLOCK_SIZE != 0);
+-
+       if (inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES) {
+               /* with inplace-encryption we just encrypt the page */
+               err = fscrypt_do_page_crypto(inode, FS_ENCRYPT, lblk_num, page,
+@@ -254,7 +255,8 @@ struct page *fscrypt_encrypt_page(const struct inode *inode,
+               return ciphertext_page;
+       }
+-      BUG_ON(!PageLocked(page));
++      if (WARN_ON_ONCE(!PageLocked(page)))
++              return ERR_PTR(-EINVAL);
+       ctx = fscrypt_get_ctx(inode, gfp_flags);
+       if (IS_ERR(ctx))
+@@ -302,8 +304,9 @@ EXPORT_SYMBOL(fscrypt_encrypt_page);
+ int fscrypt_decrypt_page(const struct inode *inode, struct page *page,
+                       unsigned int len, unsigned int offs, u64 lblk_num)
+ {
+-      if (!(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES))
+-              BUG_ON(!PageLocked(page));
++      if (WARN_ON_ONCE(!PageLocked(page) &&
++                       !(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES)))
++              return -EINVAL;
+       return fscrypt_do_page_crypto(inode, FS_DECRYPT, lblk_num, page, page,
+                                     len, offs, GFP_NOFS);
+-- 
+2.20.1
+
diff --git a/queue-4.19/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch b/queue-4.19/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
new file mode 100644 (file)
index 0000000..fca72c6
--- /dev/null
@@ -0,0 +1,85 @@
+From 4e8b638aeb33c7c8287ea959f73f0289a664050b Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:44 +0300
+Subject: gpio: omap: ensure irq is enabled before wakeup
+
+[ Upstream commit c859e0d479b3b4f6132fc12637c51e01492f31f6 ]
+
+Documentation states:
+
+  NOTE: There must be a correlation between the wake-up enable and
+  interrupt-enable registers. If a GPIO pin has a wake-up configured
+  on it, it must also have the corresponding interrupt enabled (on
+  one of the two interrupt lines).
+
+Ensure that this condition is always satisfied by enabling the detection
+events after enabling the interrupt, and disabling the detection before
+disabling the interrupt.  This ensures interrupt/wakeup events can not
+happen until both the wakeup and interrupt enables correlate.
+
+If we do any clearing, clear between the interrupt enable/disable and
+trigger setting.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 9254bcf7f647..feabac40743e 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -837,9 +837,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d)
+       raw_spin_lock_irqsave(&bank->lock, flags);
+       bank->irq_usage &= ~(BIT(offset));
+-      omap_set_gpio_irqenable(bank, offset, 0);
+-      omap_clear_gpio_irqstatus(bank, offset);
+       omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++      omap_clear_gpio_irqstatus(bank, offset);
++      omap_set_gpio_irqenable(bank, offset, 0);
+       if (!LINE_USED(bank->mod_usage, offset))
+               omap_clear_gpio_debounce(bank, offset);
+       omap_disable_gpio_module(bank, offset);
+@@ -881,8 +881,8 @@ static void omap_gpio_mask_irq(struct irq_data *d)
+       unsigned long flags;
+       raw_spin_lock_irqsave(&bank->lock, flags);
+-      omap_set_gpio_irqenable(bank, offset, 0);
+       omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++      omap_set_gpio_irqenable(bank, offset, 0);
+       raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+@@ -894,9 +894,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+       unsigned long flags;
+       raw_spin_lock_irqsave(&bank->lock, flags);
+-      if (trigger)
+-              omap_set_gpio_triggering(bank, offset, trigger);
+-
+       omap_set_gpio_irqenable(bank, offset, 1);
+       /*
+@@ -904,9 +901,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+        * is cleared, thus after the handler has run. OMAP4 needs this done
+        * after enabing the interrupt to clear the wakeup status.
+        */
+-      if (bank->level_mask & BIT(offset))
++      if (bank->regs->leveldetect0 && bank->regs->wkup_en &&
++          trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))
+               omap_clear_gpio_irqstatus(bank, offset);
++      if (trigger)
++              omap_set_gpio_triggering(bank, offset, trigger);
++
+       raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
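Review bot: The new condition in omap_gpio_unmask_irq mixes `&&` with a bare `&`, as in `... && trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW)`. It evaluates as intended because `&` binds tighter than `&&`, but it reads ambiguously and typically draws a -Wparentheses warning; write `(trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))`. The test also uses the register offsets `bank->regs->leveldetect0` and `bank->regs->wkup_en` as "this bank has the register" flags, which the existing comment does not explain. A line such as `/* only banks with level-detect and wake-up enable registers need the status cleared here */` would help the next reader. The start of the function is outside the hunk.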
+-- 
+2.20.1
+
diff --git a/queue-4.19/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch b/queue-4.19/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch
new file mode 100644 (file)
index 0000000..faf5c96
--- /dev/null
@@ -0,0 +1,43 @@
+From 85328b0ebb887f765ce2c54bff2ae2c731f2a094 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:45 +0300
+Subject: gpio: omap: fix lack of irqstatus_raw0 for OMAP4
+
+[ Upstream commit 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 ]
+
+Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added
+the register definition tables to the gpio-omap driver. Subsequently to
+that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx()
+checks from *_runtime_resume()") added definitions for irqstatus_raw*
+registers to the legacy OMAP4 definitions, but missed the DT
+definitions.
+
+This causes an unintentional change of behaviour for the 1.101 errata
+workaround on OMAP4 platforms. Fix this oversight.
+
+Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 6fa430d98517..9254bcf7f647 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1687,6 +1687,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = {
+       .clr_dataout =          OMAP4_GPIO_CLEARDATAOUT,
+       .irqstatus =            OMAP4_GPIO_IRQSTATUS0,
+       .irqstatus2 =           OMAP4_GPIO_IRQSTATUS1,
++      .irqstatus_raw0 =       OMAP4_GPIO_IRQSTATUSRAW0,
++      .irqstatus_raw1 =       OMAP4_GPIO_IRQSTATUSRAW1,
+       .irqenable =            OMAP4_GPIO_IRQSTATUSSET0,
+       .irqenable2 =           OMAP4_GPIO_IRQSTATUSSET1,
+       .set_irqenable =        OMAP4_GPIO_IRQSTATUSSET0,
+-- 
+2.20.1
+
diff --git a/queue-4.19/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch b/queue-4.19/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch
new file mode 100644 (file)
index 0000000..10e69d5
--- /dev/null
@@ -0,0 +1,66 @@
+From a683e05ea32d664b7227542f515b28f42bfdb5ec Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 1 Jul 2019 16:27:38 +0200
+Subject: gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
+
+[ Upstream commit 3285170f28a850638794cdfe712eb6d93e51e706 ]
+
+Commit 372e722ea4dd4ca1 ("gpiolib: use descriptors internally") renamed
+the functions to use a "gpiod" prefix, and commit 79a9becda8940deb
+("gpiolib: export descriptor-based GPIO interface") introduced the "raw"
+variants, but both changes forgot to update the comments.
+
+Readd a similar reference to gpiod_set_value(), which was accidentally
+removed by commit 1e77fc82110ac36f ("gpio: Add missing open drain/source
+handling to gpiod_set_value_cansleep()").
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.be
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index fd713326dcfc..4a48c7c47709 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -2877,7 +2877,7 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep,
+ int gpiod_get_raw_value(const struct gpio_desc *desc)
+ {
+       VALIDATE_DESC(desc);
+-      /* Should be using gpio_get_value_cansleep() */
++      /* Should be using gpiod_get_raw_value_cansleep() */
+       WARN_ON(desc->gdev->chip->can_sleep);
+       return gpiod_get_raw_value_commit(desc);
+ }
+@@ -2898,7 +2898,7 @@ int gpiod_get_value(const struct gpio_desc *desc)
+       int value;
+       VALIDATE_DESC(desc);
+-      /* Should be using gpio_get_value_cansleep() */
++      /* Should be using gpiod_get_value_cansleep() */
+       WARN_ON(desc->gdev->chip->can_sleep);
+       value = gpiod_get_raw_value_commit(desc);
+@@ -3123,7 +3123,7 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep,
+ void gpiod_set_raw_value(struct gpio_desc *desc, int value)
+ {
+       VALIDATE_DESC_VOID(desc);
+-      /* Should be using gpiod_set_value_cansleep() */
++      /* Should be using gpiod_set_raw_value_cansleep() */
+       WARN_ON(desc->gdev->chip->can_sleep);
+       gpiod_set_raw_value_commit(desc, value);
+ }
+@@ -3164,6 +3164,7 @@ static void gpiod_set_value_nocheck(struct gpio_desc *desc, int value)
+ void gpiod_set_value(struct gpio_desc *desc, int value)
+ {
+       VALIDATE_DESC_VOID(desc);
++      /* Should be using gpiod_set_value_cansleep() */
+       WARN_ON(desc->gdev->chip->can_sleep);
+       gpiod_set_value_nocheck(desc, value);
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch b/queue-4.19/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch
new file mode 100644 (file)
index 0000000..e6c105e
--- /dev/null
@@ -0,0 +1,41 @@
+From 70bd970187d36e6cf3876a67e740de11095ed1c3 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:24:04 +0900
+Subject: gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
+
+[ Upstream commit e30155fd23c9c141cbe7d99b786e10a83a328837 ]
+
+If an invalid role is sent from user space, gtp_encap_enable() will fail.
+Then, it should call gtp_encap_disable_sock() but current code doesn't.
+It makes memory leak.
+
+Fixes: 91ed81f9abc7 ("gtp: support SGSN-side tunnels")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 7a145172d503..83488f2bf7a0 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -847,8 +847,13 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[])
+       if (data[IFLA_GTP_ROLE]) {
+               role = nla_get_u32(data[IFLA_GTP_ROLE]);
+-              if (role > GTP_ROLE_SGSN)
++              if (role > GTP_ROLE_SGSN) {
++                      if (sk0)
++                              gtp_encap_disable_sock(sk0);
++                      if (sk1u)
++                              gtp_encap_disable_sock(sk1u);
+                       return -EINVAL;
++              }
+       }
+       gtp->sk0 = sk0;
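Review bot: The cleanup added to the `role > GTP_ROLE_SGSN` branch guards each call with `if (sk0)` / `if (sk1u)`, but gtp_encap_disable_sock already returns early on a NULL socket (its `if (!sk) return;` is visible in a later patch of this queue). The branch can therefore be just `gtp_encap_disable_sock(sk0); gtp_encap_disable_sock(sk1u); return -EINVAL;`. A simpler arrangement would be to validate `data[IFLA_GTP_ROLE]` before the sockets are acquired, so that no unwinding is needed for bad user input; whether that is possible depends on the part of gtp_encap_enable above this hunk, which is not shown.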
+-- 
+2.20.1
+
diff --git a/queue-4.19/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch b/queue-4.19/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch
new file mode 100644 (file)
index 0000000..5e5c33d
--- /dev/null
@@ -0,0 +1,71 @@
+From db8192be982ddfbf261be28bc03a09fb406fae21 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:23:13 +0900
+Subject: gtp: fix Illegal context switch in RCU read-side critical section.
+
+[ Upstream commit 3f167e1921865b379a9becf03828e7202c7b4917 ]
+
+ipv4_pdp_add() is called in RCU read-side critical section.
+So GFP_KERNEL should not be used in the function.
+This patch make ipv4_pdp_add() to use GFP_ATOMIC instead of GFP_KERNEL.
+
+Test commands:
+gtp-link add gtp1 &
+gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2
+
+Splat looks like:
+[  130.618881] =============================
+[  130.626382] WARNING: suspicious RCU usage
+[  130.626994] 5.2.0-rc6+ #50 Not tainted
+[  130.627622] -----------------------------
+[  130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section!
+[  130.629684]
+[  130.629684] other info that might help us debug this:
+[  130.629684]
+[  130.631022]
+[  130.631022] rcu_scheduler_active = 2, debug_locks = 1
+[  130.632136] 4 locks held by gtp-tunnel/1025:
+[  130.632925]  #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40
+[  130.634159]  #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130
+[  130.635487]  #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp]
+[  130.636936]  #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp]
+[  130.638348]
+[  130.638348] stack backtrace:
+[  130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50
+[  130.641318] Call Trace:
+[  130.641707]  dump_stack+0x7c/0xbb
+[  130.642252]  ___might_sleep+0x2c0/0x3b0
+[  130.642862]  kmem_cache_alloc_trace+0x1cd/0x2b0
+[  130.643591]  gtp_genl_new_pdp+0x6c5/0x1150 [gtp]
+[  130.644371]  genl_family_rcv_msg+0x63a/0x1030
+[  130.645074]  ? mutex_lock_io_nested+0x1090/0x1090
+[  130.645845]  ? genl_unregister_family+0x630/0x630
+[  130.646592]  ? debug_show_all_locks+0x2d0/0x2d0
+[  130.647293]  ? check_flags.part.40+0x440/0x440
+[  130.648099]  genl_rcv_msg+0xa3/0x130
+[ ... ]
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index f45a806b6c06..6f1ad7ccaea6 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -958,7 +958,7 @@ static int ipv4_pdp_add(struct gtp_dev *gtp, struct sock *sk,
+       }
+-      pctx = kmalloc(sizeof(struct pdp_ctx), GFP_KERNEL);
++      pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC);
+       if (pctx == NULL)
+               return -ENOMEM;
+-- 
+2.20.1
+
diff --git a/queue-4.19/gtp-fix-suspicious-rcu-usage.patch b/queue-4.19/gtp-fix-suspicious-rcu-usage.patch
new file mode 100644 (file)
index 0000000..f2eb10c
--- /dev/null
@@ -0,0 +1,92 @@
+From 3206fc072be5edd7bcf5bd355a3c8ee80f22b09f Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:20:51 +0900
+Subject: gtp: fix suspicious RCU usage
+
+[ Upstream commit e198987e7dd7d3645a53875151cd6f8fc425b706 ]
+
+gtp_encap_enable_socket() and gtp_encap_destroy() are not protected
+by rcu_read_lock(). and it's not safe to write sk->sk_user_data.
+This patch make these functions to use lock_sock() instead of
+rcu_dereference_sk_user_data().
+
+Test commands:
+    gtp-link add gtp1
+
+Splat looks like:
+[   83.238315] =============================
+[   83.239127] WARNING: suspicious RCU usage
+[   83.239702] 5.2.0-rc6+ #49 Not tainted
+[   83.240268] -----------------------------
+[   83.241205] drivers/net/gtp.c:799 suspicious rcu_dereference_check() usage!
+[   83.243828]
+[   83.243828] other info that might help us debug this:
+[   83.243828]
+[   83.246325]
+[   83.246325] rcu_scheduler_active = 2, debug_locks = 1
+[   83.247314] 1 lock held by gtp-link/1008:
+[   83.248523]  #0: 0000000017772c7f (rtnl_mutex){+.+.}, at: __rtnl_newlink+0x5f5/0x11b0
+[   83.251503]
+[   83.251503] stack backtrace:
+[   83.252173] CPU: 0 PID: 1008 Comm: gtp-link Not tainted 5.2.0-rc6+ #49
+[   83.253271] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[   83.254562] Call Trace:
+[   83.254995]  dump_stack+0x7c/0xbb
+[   83.255567]  gtp_encap_enable_socket+0x2df/0x360 [gtp]
+[   83.256415]  ? gtp_find_dev+0x1a0/0x1a0 [gtp]
+[   83.257161]  ? memset+0x1f/0x40
+[   83.257843]  gtp_newlink+0x90/0xa21 [gtp]
+[   83.258497]  ? __netlink_ns_capable+0xc3/0xf0
+[   83.259260]  __rtnl_newlink+0xb9f/0x11b0
+[   83.260022]  ? rtnl_link_unregister+0x230/0x230
+[ ... ]
+
+Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 83488f2bf7a0..f45a806b6c06 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -293,12 +293,14 @@ static void gtp_encap_destroy(struct sock *sk)
+ {
+       struct gtp_dev *gtp;
+-      gtp = rcu_dereference_sk_user_data(sk);
++      lock_sock(sk);
++      gtp = sk->sk_user_data;
+       if (gtp) {
+               udp_sk(sk)->encap_type = 0;
+               rcu_assign_sk_user_data(sk, NULL);
+               sock_put(sk);
+       }
++      release_sock(sk);
+ }
+ static void gtp_encap_disable_sock(struct sock *sk)
+@@ -800,7 +802,8 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
+               goto out_sock;
+       }
+-      if (rcu_dereference_sk_user_data(sock->sk)) {
++      lock_sock(sock->sk);
++      if (sock->sk->sk_user_data) {
+               sk = ERR_PTR(-EBUSY);
+               goto out_sock;
+       }
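Review bot: The `goto out_sock;` in the context lines just above the new `lock_sock(sock->sk);` runs before the lock is taken, yet the next hunk places `release_sock(sock->sk);` directly under the shared `out_sock:` label. That earlier error path therefore releases a socket lock it never acquired. Use a separate label for the locked paths: change the -EBUSY branch to `goto out_rel_sock;`, put `out_rel_sock:` immediately above `release_sock(sock->sk);`, and move `out_sock:` below it so it only performs `sockfd_put(sock);`. The beginning of gtp_encap_enable_socket is outside the hunk, so any other early exits to `out_sock` there need the same treatment.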
+@@ -816,6 +819,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
+       setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg);
+ out_sock:
++      release_sock(sock->sk);
+       sockfd_put(sock);
+       return sk;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/gtp-fix-use-after-free-in-gtp_encap_destroy.patch b/queue-4.19/gtp-fix-use-after-free-in-gtp_encap_destroy.patch
new file mode 100644 (file)
index 0000000..00eb242
--- /dev/null
@@ -0,0 +1,131 @@
+From 28bfaf6c8095329a7c2688ed2e72ec9e73658a47 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:22:25 +0900
+Subject: gtp: fix use-after-free in gtp_encap_destroy()
+
+[ Upstream commit 1788b8569f5de27da09087fa3f6580d2aa04cc75 ]
+
+gtp_encap_destroy() is called twice.
+1. When interface is deleted.
+2. When udp socket is destroyed.
+either gtp->sk0 or gtp->sk1u could be freed by sock_put() in
+gtp_encap_destroy(). so, when gtp_encap_destroy() is called again,
+it would uses freed sk pointer.
+
+patch makes gtp_encap_destroy() to set either gtp->sk0 or gtp->sk1u to
+null. in addition, both gtp->sk0 and gtp->sk1u pointer are protected
+by rtnl_lock. so, rtnl_lock() is added.
+
+Test command:
+   gtp-link add gtp1 &
+   killall gtp-link
+   ip link del gtp1
+
+Splat looks like:
+[   83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0
+[   83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008
+[   83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50
+[   83.188469] Call Trace:
+[ ... ]
+[   83.200126]  lock_acquire+0x141/0x380
+[   83.200575]  ? lock_sock_nested+0x3a/0xf0
+[   83.201069]  _raw_spin_lock_bh+0x38/0x70
+[   83.201551]  ? lock_sock_nested+0x3a/0xf0
+[   83.202044]  lock_sock_nested+0x3a/0xf0
+[   83.202520]  gtp_encap_destroy+0x18/0xe0 [gtp]
+[   83.203065]  gtp_encap_disable.isra.14+0x13/0x50 [gtp]
+[   83.203687]  gtp_dellink+0x56/0x170 [gtp]
+[   83.204190]  rtnl_delete_link+0xb4/0x100
+[ ... ]
+[   83.236513] Allocated by task 976:
+[   83.236925]  save_stack+0x19/0x80
+[   83.237332]  __kasan_kmalloc.constprop.3+0xa0/0xd0
+[   83.237894]  kmem_cache_alloc+0xd8/0x280
+[   83.238360]  sk_prot_alloc.isra.42+0x50/0x200
+[   83.238874]  sk_alloc+0x32/0x940
+[   83.239264]  inet_create+0x283/0xc20
+[   83.239684]  __sock_create+0x2dd/0x540
+[   83.240136]  __sys_socket+0xca/0x1a0
+[   83.240550]  __x64_sys_socket+0x6f/0xb0
+[   83.240998]  do_syscall_64+0x9c/0x450
+[   83.241466]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[   83.242061]
+[   83.242249] Freed by task 0:
+[   83.242616]  save_stack+0x19/0x80
+[   83.243013]  __kasan_slab_free+0x111/0x150
+[   83.243498]  kmem_cache_free+0x89/0x250
+[   83.244444]  __sk_destruct+0x38f/0x5a0
+[   83.245366]  rcu_core+0x7e9/0x1c20
+[   83.245766]  __do_softirq+0x213/0x8fa
+
+Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 6f1ad7ccaea6..61e9b288d2dc 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -289,13 +289,17 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb)
+       return gtp_rx(pctx, skb, hdrlen, gtp->role);
+ }
+-static void gtp_encap_destroy(struct sock *sk)
++static void __gtp_encap_destroy(struct sock *sk)
+ {
+       struct gtp_dev *gtp;
+       lock_sock(sk);
+       gtp = sk->sk_user_data;
+       if (gtp) {
++              if (gtp->sk0 == sk)
++                      gtp->sk0 = NULL;
++              else
++                      gtp->sk1u = NULL;
+               udp_sk(sk)->encap_type = 0;
+               rcu_assign_sk_user_data(sk, NULL);
+               sock_put(sk);
+@@ -303,12 +307,19 @@ static void gtp_encap_destroy(struct sock *sk)
+       release_sock(sk);
+ }
++static void gtp_encap_destroy(struct sock *sk)
++{
++      rtnl_lock();
++      __gtp_encap_destroy(sk);
++      rtnl_unlock();
++}
++
+ static void gtp_encap_disable_sock(struct sock *sk)
+ {
+       if (!sk)
+               return;
+-      gtp_encap_destroy(sk);
++      __gtp_encap_destroy(sk);
+ }
+ static void gtp_encap_disable(struct gtp_dev *gtp)
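Review bot: `__gtp_encap_destroy` now writes `gtp->sk0` and `gtp->sk1u`, which the commit message says are protected by rtnl, but the function itself neither states nor checks that callers hold the lock. Only the `gtp_encap_destroy` wrapper takes it; `gtp_encap_disable_sock` calls the double-underscore variant directly. Adding `ASSERT_RTNL();` at the top of `__gtp_encap_destroy`, with a one-line comment `/* caller must hold rtnl_lock */`, would document the contract and catch a future caller that forgets it. Separately, `else gtp->sk1u = NULL;` clears sk1u for any socket that is not sk0; `else if (gtp->sk1u == sk)` would make the assumption explicit.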
+@@ -1047,6 +1058,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info)
+               return -EINVAL;
+       }
++      rtnl_lock();
+       rcu_read_lock();
+       gtp = gtp_find_dev(sock_net(skb->sk), info->attrs);
+@@ -1071,6 +1083,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info)
+ out_unlock:
+       rcu_read_unlock();
++      rtnl_unlock();
+       return err;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/gtp-fix-use-after-free-in-gtp_newlink.patch b/queue-4.19/gtp-fix-use-after-free-in-gtp_newlink.patch
new file mode 100644 (file)
index 0000000..8b6419a
--- /dev/null
@@ -0,0 +1,109 @@
+From 8fd4f3a51a9a74ef453be88b5b076c75459227f4 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:23:42 +0900
+Subject: gtp: fix use-after-free in gtp_newlink()
+
+[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ]
+
+Current gtp_newlink() could be called after unregister_pernet_subsys().
+gtp_newlink() uses gtp_net but it can be destroyed by
+unregister_pernet_subsys().
+So unregister_pernet_subsys() should be called after
+rtnl_link_unregister().
+
+Test commands:
+   #SHELL 1
+   while :
+   do
+          for i in {1..5}
+          do
+               ./gtp-link add gtp$i &
+          done
+          killall gtp-link
+   done
+
+   #SHELL 2
+   while :
+   do
+       modprobe -rv gtp
+   done
+
+Splat looks like:
+[  753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
+[  753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
+[  753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G        W         5.2.0-rc6+ #50
+[  753.185801] Call Trace:
+[  753.186264]  dump_stack+0x7c/0xbb
+[  753.186863]  ? gtp_newlink+0x9b4/0xa5c [gtp]
+[  753.187583]  print_address_description+0xc7/0x240
+[  753.188382]  ? gtp_newlink+0x9b4/0xa5c [gtp]
+[  753.189097]  ? gtp_newlink+0x9b4/0xa5c [gtp]
+[  753.189846]  __kasan_report+0x12a/0x16f
+[  753.190542]  ? gtp_newlink+0x9b4/0xa5c [gtp]
+[  753.191298]  kasan_report+0xe/0x20
+[  753.191893]  gtp_newlink+0x9b4/0xa5c [gtp]
+[  753.192580]  ? __netlink_ns_capable+0xc3/0xf0
+[  753.193370]  __rtnl_newlink+0xb9f/0x11b0
+[ ... ]
+[  753.241201] Allocated by task 7186:
+[  753.241844]  save_stack+0x19/0x80
+[  753.242399]  __kasan_kmalloc.constprop.3+0xa0/0xd0
+[  753.243192]  __kmalloc+0x13e/0x300
+[  753.243764]  ops_init+0xd6/0x350
+[  753.244314]  register_pernet_operations+0x249/0x6f0
+[ ... ]
+[  753.251770] Freed by task 7178:
+[  753.252288]  save_stack+0x19/0x80
+[  753.252833]  __kasan_slab_free+0x111/0x150
+[  753.253962]  kfree+0xc7/0x280
+[  753.254509]  ops_free_list.part.11+0x1c4/0x2d0
+[  753.255241]  unregister_pernet_operations+0x262/0x390
+[ ... ]
+[  753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
+[  753.287241] ------------[ cut here ]------------
+[  753.287794] kernel BUG at lib/list_debug.c:25!
+[  753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[  753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G    B   W         5.2.0-rc6+ #50
+[  753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
+[  753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
+[  753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
+[  753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
+[  753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
+[  753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
+[  753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
+[  753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
+[  753.299564] FS:  00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
+[  753.300533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
+[  753.302183] Call Trace:
+[  753.302530]  gtp_newlink+0x5f6/0xa5c [gtp]
+[  753.303037]  ? __netlink_ns_capable+0xc3/0xf0
+[  753.303576]  __rtnl_newlink+0xb9f/0x11b0
+[  753.304092]  ? rtnl_link_unregister+0x230/0x230
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 61e9b288d2dc..d178d5bad7e4 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1385,9 +1385,9 @@ late_initcall(gtp_init);
+ static void __exit gtp_fini(void)
+ {
+-      unregister_pernet_subsys(&gtp_net_ops);
+       genl_unregister_family(&gtp_genl_family);
+       rtnl_link_unregister(&gtp_link_ops);
++      unregister_pernet_subsys(&gtp_net_ops);
+       pr_info("GTP module unloaded\n");
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/iavf-fix-dereference-of-null-rx_buffer-pointer.patch b/queue-4.19/iavf-fix-dereference-of-null-rx_buffer-pointer.patch
new file mode 100644 (file)
index 0000000..b57fd49
--- /dev/null
@@ -0,0 +1,63 @@
+From 4a8f083835f4e5a29119adca983cd4df26bbe78d Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 19 Jun 2019 15:30:44 +0100
+Subject: iavf: fix dereference of null rx_buffer pointer
+
+[ Upstream commit 9fe06a51287b2d41baef7ece94df34b5abf19b90 ]
+
+A recent commit efa14c3985828d ("iavf: allow null RX descriptors") added
+a null pointer sanity check on rx_buffer, however, rx_buffer is being
+dereferenced before that check, which implies a null pointer dereference
+bug can potentially occur.  Fix this by only dereferencing rx_buffer
+until after the null pointer check.
+
+Addresses-Coverity: ("Dereference before null check")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+index a9730711e257..b56d22b530a7 100644
+--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+@@ -1291,7 +1291,7 @@ static struct sk_buff *i40e_construct_skb(struct i40e_ring *rx_ring,
+                                         struct i40e_rx_buffer *rx_buffer,
+                                         unsigned int size)
+ {
+-      void *va = page_address(rx_buffer->page) + rx_buffer->page_offset;
++      void *va;
+ #if (PAGE_SIZE < 8192)
+       unsigned int truesize = i40e_rx_pg_size(rx_ring) / 2;
+ #else
+@@ -1301,6 +1301,7 @@ static struct sk_buff *i40e_construct_skb(struct i40e_ring *rx_ring,
+       struct sk_buff *skb;
+       /* prefetch first cache line of first page */
++      va = page_address(rx_buffer->page) + rx_buffer->page_offset;
+       prefetch(va);
+ #if L1_CACHE_BYTES < 128
+       prefetch(va + L1_CACHE_BYTES);
+@@ -1355,7 +1356,7 @@ static struct sk_buff *i40e_build_skb(struct i40e_ring *rx_ring,
+                                     struct i40e_rx_buffer *rx_buffer,
+                                     unsigned int size)
+ {
+-      void *va = page_address(rx_buffer->page) + rx_buffer->page_offset;
++      void *va;
+ #if (PAGE_SIZE < 8192)
+       unsigned int truesize = i40e_rx_pg_size(rx_ring) / 2;
+ #else
+@@ -1365,6 +1366,7 @@ static struct sk_buff *i40e_build_skb(struct i40e_ring *rx_ring,
+       struct sk_buff *skb;
+       /* prefetch first cache line of first page */
++      va = page_address(rx_buffer->page) + rx_buffer->page_offset;
+       prefetch(va);
+ #if L1_CACHE_BYTES < 128
+       prefetch(va + L1_CACHE_BYTES);
+-- 
+2.20.1
+
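Review bot: In both i40e_construct_skb() and i40e_build_skb() the relocated `va = page_address(rx_buffer->page) + rx_buffer->page_offset;` still dereferences rx_buffer without a guard: the context between `struct sk_buff *skb;` and the prefetch comment shows no `if (!rx_buffer)` test in this 4.19 tree. The commit message relies on the check added by efa14c3985828d, which does not appear in these hunks, so the backport looks like a no-op here unless that check exists outside the shown context. Either queue that prerequisite together with this patch, or add `if (!rx_buffer) return NULL;` directly above the assignment in both functions. Both function bodies continue outside the hunks.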
diff --git a/queue-4.19/igb-clear-out-skb-tstamp-after-reading-the-txtime.patch b/queue-4.19/igb-clear-out-skb-tstamp-after-reading-the-txtime.patch
new file mode 100644 (file)
index 0000000..6e69eb6
--- /dev/null
@@ -0,0 +1,46 @@
+From 2b5c40057d08fa7f8d27d782d395beaf7f7e67f6 Mon Sep 17 00:00:00 2001
+From: Vedang Patel <vedang.patel@intel.com>
+Date: Tue, 25 Jun 2019 15:07:12 -0700
+Subject: igb: clear out skb->tstamp after reading the txtime
+
+[ Upstream commit 1e08511d5d01884a3c9070afd52a47799312074a ]
+
+If a packet which is utilizing the launchtime feature (via SO_TXTIME socket
+option) also requests the hardware transmit timestamp, the hardware
+timestamp is not delivered to the userspace. This is because the value in
+skb->tstamp is mistaken as the software timestamp.
+
+Applications, like ptp4l, request a hardware timestamp by setting the
+SOF_TIMESTAMPING_TX_HARDWARE socket option. Whenever a new timestamp is
+detected by the driver (this work is done in igb_ptp_tx_work() which calls
+igb_ptp_tx_hwtstamps() in igb_ptp.c[1]), it will queue the timestamp in the
+ERR_QUEUE for the userspace to read. When the userspace is ready, it will
+issue a recvmsg() call to collect this timestamp.  The problem is in this
+recvmsg() call. If the skb->tstamp is not cleared out, it will be
+interpreted as a software timestamp and the hardware tx timestamp will not
+be successfully sent to the userspace. Look at skb_is_swtx_tstamp() and the
+callee function __sock_recv_timestamp() in net/socket.c for more details.
+
+Signed-off-by: Vedang Patel <vedang.patel@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 5aa083d9a6c9..ab76a5f77cd0 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -5703,6 +5703,7 @@ static void igb_tx_ctxtdesc(struct igb_ring *tx_ring,
+        */
+       if (tx_ring->launchtime_enable) {
+               ts = ns_to_timespec64(first->skb->tstamp);
++              first->skb->tstamp = 0;
+               context_desc->seqnum_seed = cpu_to_le32(ts.tv_nsec / 32);
+       } else {
+               context_desc->seqnum_seed = 0;
+-- 
+2.20.1
+
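Review bot: The added `first->skb->tstamp = 0;` in igb_tx_ctxtdesc() has no comment, and zeroing a field right after reading it looks like a mistake to a later reader. A one-line comment above it would keep the reason from the commit message next to the code: `/* tstamp held the launch time; clear it so recvmsg() does not treat it as a software tx timestamp */`. The function body starts and ends outside the hunk.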
diff --git a/queue-4.19/iommu-fix-a-leak-in-iommu_insert_resv_region.patch b/queue-4.19/iommu-fix-a-leak-in-iommu_insert_resv_region.patch
new file mode 100644 (file)
index 0000000..35917e9
--- /dev/null
@@ -0,0 +1,60 @@
+From 9b30f474de6fa4d37c6b0524f79a0de436f0c672 Mon Sep 17 00:00:00 2001
+From: Eric Auger <eric.auger@redhat.com>
+Date: Mon, 3 Jun 2019 08:53:30 +0200
+Subject: iommu: Fix a leak in iommu_insert_resv_region
+
+[ Upstream commit ad0834dedaa15c3a176f783c0373f836e44b4700 ]
+
+In case we expand an existing region, we unlink
+this latter and insert the larger one. In
+that case we should free the original region after
+the insertion. Also we can immediately return.
+
+Fixes: 6c65fb318e8b ("iommu: iommu_get_group_resv_regions")
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index 8c15c5980299..bc14825edc9c 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -211,18 +211,21 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new,
+                       pos = pos->next;
+               } else if ((start >= a) && (end <= b)) {
+                       if (new->type == type)
+-                              goto done;
++                              return 0;
+                       else
+                               pos = pos->next;
+               } else {
+                       if (new->type == type) {
+                               phys_addr_t new_start = min(a, start);
+                               phys_addr_t new_end = max(b, end);
++                              int ret;
+                               list_del(&entry->list);
+                               entry->start = new_start;
+                               entry->length = new_end - new_start + 1;
+-                              iommu_insert_resv_region(entry, regions);
++                              ret = iommu_insert_resv_region(entry, regions);
++                              kfree(entry);
++                              return ret;
+                       } else {
+                               pos = pos->next;
+                       }
+@@ -235,7 +238,6 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new,
+               return -ENOMEM;
+       list_add_tail(&region->list, pos);
+-done:
+       return 0;
+ }
+-- 
+2.20.1
+
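Review bot: In the merge branch of iommu_insert_resv_region(), `entry` has already been unlinked with list_del() when the recursive call runs, so if that call fails (the function has a `return -ENOMEM` path further down) the following `kfree(entry)` drops a reservation that was on the list before the call. The error is returned, so this is only safe if every caller discards `regions` on a non-zero result; that is not visible here and is worth confirming. A comment on the branch would record the contract, for example `/* on failure the original entry is gone; callers must discard the list */`. The function starts outside the hunk.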
diff --git a/queue-4.19/ipoib-correcly-show-a-vf-hardware-address.patch b/queue-4.19/ipoib-correcly-show-a-vf-hardware-address.patch
new file mode 100644 (file)
index 0000000..431105f
--- /dev/null
@@ -0,0 +1,57 @@
+From 43d8da6fd8d25d1875494d473163b726f668c751 Mon Sep 17 00:00:00 2001
+From: Denis Kirjanov <kda@linux-powerpc.org>
+Date: Mon, 17 Jun 2019 10:53:40 +0200
+Subject: ipoib: correcly show a VF hardware address
+
+[ Upstream commit 64d701c608fea362881e823b666327f5d28d7ffd ]
+
+in the case of IPoIB with SRIOV enabled hardware
+ip link show command incorrecly prints
+0 instead of a VF hardware address.
+
+Before:
+11: ib1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+    link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+    vf 0 MAC 00:00:00:00:00:00, spoof checking off, link-state disable,
+trust off, query_rss off
+...
+After:
+11: ib1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+    link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+    vf 0     link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff, spoof
+checking off, link-state disable, trust off, query_rss off
+
+v1->v2: just copy an address without modifing ifla_vf_mac
+v2->v3: update the changelog
+
+Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
+Acked-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 30f840f874b3..009615499b37 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1997,6 +1997,7 @@ static int ipoib_get_vf_config(struct net_device *dev, int vf,
+               return err;
+       ivf->vf = vf;
++      memcpy(ivf->mac, dev->dev_addr, dev->addr_len);
+       return 0;
+ }
+-- 
+2.20.1
+
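Review bot: The added `memcpy(ivf->mac, dev->dev_addr, dev->addr_len);` in ipoib_get_vf_config() takes its length from the device rather than from the destination, so nothing on this line ties the copy to the size of `ivf->mac`. The declaration of that array is outside the hunk; if it is the fixed-size buffer in struct ifla_vf_info, clamping keeps the write bounded whatever addr_len is: `memcpy(ivf->mac, dev->dev_addr, min_t(size_t, dev->addr_len, sizeof(ivf->mac)));`. The function begins outside the hunk.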
diff --git a/queue-4.19/ipsec-select-crypto-ciphers-for-xfrm_algo.patch b/queue-4.19/ipsec-select-crypto-ciphers-for-xfrm_algo.patch
new file mode 100644 (file)
index 0000000..c2cc33d
--- /dev/null
@@ -0,0 +1,43 @@
+From d710d981ad5e32ef56eabb4353f7b6d419d482be Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 13:22:13 +0200
+Subject: ipsec: select crypto ciphers for xfrm_algo
+
+[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ]
+
+kernelci.org reports failed builds on arc because of what looks
+like an old missed 'select' statement:
+
+net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs':
+xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash'
+
+I don't see this in randconfig builds on other architectures, but
+it's fairly clear we want to select the hash code for it, like we
+do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER
+is also required even though it has not popped up in build tests.
+
+Fixes: 17bc19702221 ("ipsec: Use skcipher and ahash when probing algorithms")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
+index 4a9ee2d83158..372c91faa283 100644
+--- a/net/xfrm/Kconfig
++++ b/net/xfrm/Kconfig
+@@ -14,6 +14,8 @@ config XFRM_ALGO
+       tristate
+       select XFRM
+       select CRYPTO
++      select CRYPTO_HASH
++      select CRYPTO_BLKCIPHER
+ config XFRM_USER
+       tristate "Transformation user configuration interface"
+-- 
+2.20.1
+
diff --git a/queue-4.19/ipset-fix-memory-accounting-for-hash-types-on-resize.patch b/queue-4.19/ipset-fix-memory-accounting-for-hash-types-on-resize.patch
new file mode 100644 (file)
index 0000000..f01ff7b
--- /dev/null
@@ -0,0 +1,82 @@
+From 99a94289c428293ccbdd0d4408fdf6c8126fb933 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Sun, 26 May 2019 23:14:06 +0200
+Subject: ipset: Fix memory accounting for hash types on resize
+
+[ Upstream commit 11921796f4799ca9c61c4b22cc54d84aa69f8a35 ]
+
+If a fresh array block is allocated during resize, the current in-memory
+set size should be increased by the size of the block, not replaced by it.
+
+Before the fix, adding entries to a hash set type, leading to a table
+resize, caused an inconsistent memory size to be reported. This becomes
+more obvious when swapping sets with similar sizes:
+
+  # cat hash_ip_size.sh
+  #!/bin/sh
+  FAIL_RETRIES=10
+
+  tries=0
+  while [ ${tries} -lt ${FAIL_RETRIES} ]; do
+       ipset create t1 hash:ip
+       for i in `seq 1 4345`; do
+               ipset add t1 1.2.$((i / 255)).$((i % 255))
+       done
+       t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+       ipset create t2 hash:ip
+       for i in `seq 1 4360`; do
+               ipset add t2 1.2.$((i / 255)).$((i % 255))
+       done
+       t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+       ipset swap t1 t2
+       t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
+       t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
+
+       ipset destroy t1
+       ipset destroy t2
+       tries=$((tries + 1))
+
+       if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then
+               echo "FAIL after ${tries} tries:"
+               echo "T1 size ${t1_init}, after swap ${t1_swap}"
+               echo "T2 size ${t2_init}, after swap ${t2_swap}"
+               exit 1
+       fi
+  done
+  echo "PASS"
+  # echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control
+  # ./hash_ip_size.sh
+  [ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa
+  [ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163)
+  [ 2035.080353] Table destroy by resize 00000000fe6551fa
+  FAIL after 4 tries:
+  T1 size 9064, after swap 71128
+  T2 size 71128, after swap 9064
+
+Reported-by: NOYB <JunkYardMail1@Frontier.com>
+Fixes: 9e41f26a505c ("netfilter: ipset: Count non-static extension memory for userspace")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 8a33dac4e805..ddfe06d7530b 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -625,7 +625,7 @@ mtype_resize(struct ip_set *set, bool retried)
+                                       goto cleanup;
+                               }
+                               m->size = AHASH_INIT_SIZE;
+-                              extsize = ext_size(AHASH_INIT_SIZE, dsize);
++                              extsize += ext_size(AHASH_INIT_SIZE, dsize);
+                               RCU_INIT_POINTER(hbucket(t, key), m);
+                       } else if (m->pos >= m->size) {
+                               struct hbucket *ht;
+-- 
+2.20.1
+
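Review bot: With `extsize += ext_size(AHASH_INIT_SIZE, dsize);` the total is only right if `extsize` starts from zero for each resize attempt in mtype_resize(). Its declaration and any reset after a retry are outside the hunk, so please confirm that a repeated attempt does not carry the sum over from a failed pass; if it can, `extsize = 0;` belongs where the new table is set up. The function starts and ends outside the hunk.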
diff --git a/queue-4.19/ipvs-defer-hook-registration-to-avoid-leaks.patch b/queue-4.19/ipvs-defer-hook-registration-to-avoid-leaks.patch
new file mode 100644 (file)
index 0000000..478918a
--- /dev/null
@@ -0,0 +1,118 @@
+From 0752914403a3c3300bf1ff0884c6c967338a6b13 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Tue, 4 Jun 2019 21:56:35 +0300
+Subject: ipvs: defer hook registration to avoid leaks
+
+[ Upstream commit cf47a0b882a4e5f6b34c7949d7b293e9287f1972 ]
+
+syzkaller reports for memory leak when registering hooks [1]
+
+As we moved the nf_unregister_net_hooks() call into
+__ip_vs_dev_cleanup(), defer the nf_register_net_hooks()
+call, so that hooks are allocated and freed from same
+pernet_operations (ipvs_core_dev_ops).
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff88810acd8a80 (size 96):
+ comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
+ hex dump (first 32 bytes):
+   02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff  ........P.......
+   00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff  .........w......
+ backtrace:
+   [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+   [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline]
+   [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline]
+   [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
+   [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline]
+   [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627
+   [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline]
+   [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
+   [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline]
+   [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
+   [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60 net/netfilter/core.c:61
+   [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270 net/netfilter/core.c:128
+   [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170 net/netfilter/core.c:337
+   [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0 net/netfilter/core.c:464
+   [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0 net/netfilter/core.c:480
+   [<000000002ea868e0>] __ip_vs_init+0xe8/0x170 net/netfilter/ipvs/ip_vs_core.c:2280
+   [<000000002eb2d451>] ops_init+0x4c/0x140 net/core/net_namespace.c:130
+   [<000000000284ec48>] setup_net+0xde/0x230 net/core/net_namespace.c:316
+   [<00000000a70600fa>] copy_net_ns+0xf0/0x1e0 net/core/net_namespace.c:439
+   [<00000000ff26c15e>] create_new_namespaces+0x141/0x2a0 kernel/nsproxy.c:107
+   [<00000000b103dc79>] copy_namespaces+0xa1/0xe0 kernel/nsproxy.c:165
+   [<000000007cc008a2>] copy_process.part.0+0x11fd/0x2150 kernel/fork.c:2035
+   [<00000000c344af7c>] copy_process kernel/fork.c:1800 [inline]
+   [<00000000c344af7c>] _do_fork+0x121/0x4f0 kernel/fork.c:2369
+
+Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com
+Fixes: 719c7d563c17 ("ipvs: Fix use-after-free in ip_vs_in")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 62c0e80dcd71..a71f777d1353 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -2218,7 +2218,6 @@ static const struct nf_hook_ops ip_vs_ops[] = {
+ static int __net_init __ip_vs_init(struct net *net)
+ {
+       struct netns_ipvs *ipvs;
+-      int ret;
+       ipvs = net_generic(net, ip_vs_net_id);
+       if (ipvs == NULL)
+@@ -2250,17 +2249,11 @@ static int __net_init __ip_vs_init(struct net *net)
+       if (ip_vs_sync_net_init(ipvs) < 0)
+               goto sync_fail;
+-      ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
+-      if (ret < 0)
+-              goto hook_fail;
+-
+       return 0;
+ /*
+  * Error handling
+  */
+-hook_fail:
+-      ip_vs_sync_net_cleanup(ipvs);
+ sync_fail:
+       ip_vs_conn_net_cleanup(ipvs);
+ conn_fail:
+@@ -2290,6 +2283,19 @@ static void __net_exit __ip_vs_cleanup(struct net *net)
+       net->ipvs = NULL;
+ }
++static int __net_init __ip_vs_dev_init(struct net *net)
++{
++      int ret;
++
++      ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
++      if (ret < 0)
++              goto hook_fail;
++      return 0;
++
++hook_fail:
++      return ret;
++}
++
+ static void __net_exit __ip_vs_dev_cleanup(struct net *net)
+ {
+       struct netns_ipvs *ipvs = net_ipvs(net);
+@@ -2309,6 +2315,7 @@ static struct pernet_operations ipvs_core_ops = {
+ };
+ static struct pernet_operations ipvs_core_dev_ops = {
++      .init = __ip_vs_dev_init,
+       .exit = __ip_vs_dev_cleanup,
+ };
+-- 
+2.20.1
+
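Review bot: The new __ip_vs_dev_init() keeps a `goto hook_fail` whose label only returns `ret`, a leftover from the unwinding in __ip_vs_init() that has nothing to unwind here. The body reduces to `return nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));`, which also removes the local `ret`. A short comment above the function saying that the hooks are registered here so that they are allocated and freed by the same pernet_operations (ipvs_core_dev_ops) would preserve the reason for the split.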
diff --git a/queue-4.19/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch b/queue-4.19/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch
new file mode 100644 (file)
index 0000000..a9dbca0
--- /dev/null
@@ -0,0 +1,399 @@
+From 5f2d1995fb28127190b827f1d4b6a5f44d0a29b1 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Tue, 18 Jun 2019 23:07:36 +0300
+Subject: ipvs: fix tinfo memory leak in start_sync_thread
+
+[ Upstream commit 5db7c8b9f9fc2aeec671ae3ca6375752c162e0e7 ]
+
+syzkaller reports for memory leak in start_sync_thread [1]
+
+As Eric points out, kthread may start and stop before the
+threadfn function is called, so there is no chance the
+data (tinfo in our case) to be released in thread.
+
+Fix this by releasing tinfo in the controlling code instead.
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff8881206bf700 (size 32):
+ comm "syz-executor761", pid 7268, jiffies 4294943441 (age 20.470s)
+ hex dump (first 32 bytes):
+   00 40 7c 09 81 88 ff ff 80 45 b8 21 81 88 ff ff  .@|......E.!....
+   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+ backtrace:
+   [<0000000057619e23>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+   [<0000000057619e23>] slab_post_alloc_hook mm/slab.h:439 [inline]
+   [<0000000057619e23>] slab_alloc mm/slab.c:3326 [inline]
+   [<0000000057619e23>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
+   [<0000000086ce5479>] kmalloc include/linux/slab.h:547 [inline]
+   [<0000000086ce5479>] start_sync_thread+0x5d2/0xe10 net/netfilter/ipvs/ip_vs_sync.c:1862
+   [<000000001a9229cc>] do_ip_vs_set_ctl+0x4c5/0x780 net/netfilter/ipvs/ip_vs_ctl.c:2402
+   [<00000000ece457c8>] nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+   [<00000000ece457c8>] nf_setsockopt+0x4c/0x80 net/netfilter/nf_sockopt.c:115
+   [<00000000942f62d4>] ip_setsockopt net/ipv4/ip_sockglue.c:1258 [inline]
+   [<00000000942f62d4>] ip_setsockopt+0x9b/0xb0 net/ipv4/ip_sockglue.c:1238
+   [<00000000a56a8ffd>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
+   [<00000000fa895401>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
+   [<0000000095eef4cf>] __sys_setsockopt+0x98/0x120 net/socket.c:2078
+   [<000000009747cf88>] __do_sys_setsockopt net/socket.c:2089 [inline]
+   [<000000009747cf88>] __se_sys_setsockopt net/socket.c:2086 [inline]
+   [<000000009747cf88>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
+   [<00000000ded8ba80>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+   [<00000000893b4ac8>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+7e2e50c8adfccd2e5041@syzkaller.appspotmail.com
+Suggested-by: Eric Biggers <ebiggers@kernel.org>
+Fixes: 998e7a76804b ("ipvs: Use kthread_run() instead of doing a double-fork via kernel_thread()")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_vs.h             |   6 +-
+ net/netfilter/ipvs/ip_vs_ctl.c  |   4 -
+ net/netfilter/ipvs/ip_vs_sync.c | 134 +++++++++++++++++---------------
+ 3 files changed, 76 insertions(+), 68 deletions(-)
+
+diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
+index a0d2e0bb9a94..0e3c0d83bd99 100644
+--- a/include/net/ip_vs.h
++++ b/include/net/ip_vs.h
+@@ -806,11 +806,12 @@ struct ipvs_master_sync_state {
+       struct ip_vs_sync_buff  *sync_buff;
+       unsigned long           sync_queue_len;
+       unsigned int            sync_queue_delay;
+-      struct task_struct      *master_thread;
+       struct delayed_work     master_wakeup_work;
+       struct netns_ipvs       *ipvs;
+ };
++struct ip_vs_sync_thread_data;
++
+ /* How much time to keep dests in trash */
+ #define IP_VS_DEST_TRASH_PERIOD               (120 * HZ)
+@@ -941,7 +942,8 @@ struct netns_ipvs {
+       spinlock_t              sync_lock;
+       struct ipvs_master_sync_state *ms;
+       spinlock_t              sync_buff_lock;
+-      struct task_struct      **backup_threads;
++      struct ip_vs_sync_thread_data *master_tinfo;
++      struct ip_vs_sync_thread_data *backup_tinfo;
+       int                     threads_mask;
+       volatile int            sync_state;
+       struct mutex            sync_mutex;
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 2d4e048762f6..3df94a499126 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2382,9 +2382,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+                       cfg.syncid = dm->syncid;
+                       ret = start_sync_thread(ipvs, &cfg, dm->state);
+               } else {
+-                      mutex_lock(&ipvs->sync_mutex);
+                       ret = stop_sync_thread(ipvs, dm->state);
+-                      mutex_unlock(&ipvs->sync_mutex);
+               }
+               goto out_dec;
+       }
+@@ -3492,10 +3490,8 @@ static int ip_vs_genl_del_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
+       if (!attrs[IPVS_DAEMON_ATTR_STATE])
+               return -EINVAL;
+-      mutex_lock(&ipvs->sync_mutex);
+       ret = stop_sync_thread(ipvs,
+                              nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
+-      mutex_unlock(&ipvs->sync_mutex);
+       return ret;
+ }
+diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
+index d4020c5e831d..ecb71062fcb3 100644
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -195,6 +195,7 @@ union ip_vs_sync_conn {
+ #define IPVS_OPT_F_PARAM      (1 << (IPVS_OPT_PARAM-1))
+ struct ip_vs_sync_thread_data {
++      struct task_struct *task;
+       struct netns_ipvs *ipvs;
+       struct socket *sock;
+       char *buf;
+@@ -374,8 +375,11 @@ static inline void sb_queue_tail(struct netns_ipvs *ipvs,
+                                             max(IPVS_SYNC_SEND_DELAY, 1));
+               ms->sync_queue_len++;
+               list_add_tail(&sb->list, &ms->sync_queue);
+-              if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE)
+-                      wake_up_process(ms->master_thread);
++              if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE) {
++                      int id = (int)(ms - ipvs->ms);
++
++                      wake_up_process(ipvs->master_tinfo[id].task);
++              }
+       } else
+               ip_vs_sync_buff_release(sb);
+       spin_unlock(&ipvs->sync_lock);
+@@ -1636,8 +1640,10 @@ static void master_wakeup_work_handler(struct work_struct *work)
+       spin_lock_bh(&ipvs->sync_lock);
+       if (ms->sync_queue_len &&
+           ms->sync_queue_delay < IPVS_SYNC_WAKEUP_RATE) {
++              int id = (int)(ms - ipvs->ms);
++
+               ms->sync_queue_delay = IPVS_SYNC_WAKEUP_RATE;
+-              wake_up_process(ms->master_thread);
++              wake_up_process(ipvs->master_tinfo[id].task);
+       }
+       spin_unlock_bh(&ipvs->sync_lock);
+ }
+@@ -1703,10 +1709,6 @@ static int sync_thread_master(void *data)
+       if (sb)
+               ip_vs_sync_buff_release(sb);
+-      /* release the sending multicast socket */
+-      sock_release(tinfo->sock);
+-      kfree(tinfo);
+-
+       return 0;
+ }
+@@ -1740,11 +1742,6 @@ static int sync_thread_backup(void *data)
+               }
+       }
+-      /* release the sending multicast socket */
+-      sock_release(tinfo->sock);
+-      kfree(tinfo->buf);
+-      kfree(tinfo);
+-
+       return 0;
+ }
+@@ -1752,8 +1749,8 @@ static int sync_thread_backup(void *data)
+ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+                     int state)
+ {
+-      struct ip_vs_sync_thread_data *tinfo = NULL;
+-      struct task_struct **array = NULL, *task;
++      struct ip_vs_sync_thread_data *ti = NULL, *tinfo;
++      struct task_struct *task;
+       struct net_device *dev;
+       char *name;
+       int (*threadfn)(void *data);
+@@ -1822,7 +1819,7 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+               threadfn = sync_thread_master;
+       } else if (state == IP_VS_STATE_BACKUP) {
+               result = -EEXIST;
+-              if (ipvs->backup_threads)
++              if (ipvs->backup_tinfo)
+                       goto out_early;
+               ipvs->bcfg = *c;
+@@ -1849,28 +1846,22 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+                                         master_wakeup_work_handler);
+                       ms->ipvs = ipvs;
+               }
+-      } else {
+-              array = kcalloc(count, sizeof(struct task_struct *),
+-                              GFP_KERNEL);
+-              result = -ENOMEM;
+-              if (!array)
+-                      goto out;
+       }
++      result = -ENOMEM;
++      ti = kcalloc(count, sizeof(struct ip_vs_sync_thread_data),
++                   GFP_KERNEL);
++      if (!ti)
++              goto out;
+       for (id = 0; id < count; id++) {
+-              result = -ENOMEM;
+-              tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL);
+-              if (!tinfo)
+-                      goto out;
++              tinfo = &ti[id];
+               tinfo->ipvs = ipvs;
+-              tinfo->sock = NULL;
+               if (state == IP_VS_STATE_BACKUP) {
++                      result = -ENOMEM;
+                       tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen,
+                                            GFP_KERNEL);
+                       if (!tinfo->buf)
+                               goto out;
+-              } else {
+-                      tinfo->buf = NULL;
+               }
+               tinfo->id = id;
+               if (state == IP_VS_STATE_MASTER)
+@@ -1885,17 +1876,15 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+                       result = PTR_ERR(task);
+                       goto out;
+               }
+-              tinfo = NULL;
+-              if (state == IP_VS_STATE_MASTER)
+-                      ipvs->ms[id].master_thread = task;
+-              else
+-                      array[id] = task;
++              tinfo->task = task;
+       }
+       /* mark as active */
+-      if (state == IP_VS_STATE_BACKUP)
+-              ipvs->backup_threads = array;
++      if (state == IP_VS_STATE_MASTER)
++              ipvs->master_tinfo = ti;
++      else
++              ipvs->backup_tinfo = ti;
+       spin_lock_bh(&ipvs->sync_buff_lock);
+       ipvs->sync_state |= state;
+       spin_unlock_bh(&ipvs->sync_buff_lock);
+@@ -1910,29 +1899,31 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ out:
+       /* We do not need RTNL lock anymore, release it here so that
+-       * sock_release below and in the kthreads can use rtnl_lock
+-       * to leave the mcast group.
++       * sock_release below can use rtnl_lock to leave the mcast group.
+        */
+       rtnl_unlock();
+-      count = id;
+-      while (count-- > 0) {
+-              if (state == IP_VS_STATE_MASTER)
+-                      kthread_stop(ipvs->ms[count].master_thread);
+-              else
+-                      kthread_stop(array[count]);
++      id = min(id, count - 1);
++      if (ti) {
++              for (tinfo = ti + id; tinfo >= ti; tinfo--) {
++                      if (tinfo->task)
++                              kthread_stop(tinfo->task);
++              }
+       }
+       if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) {
+               kfree(ipvs->ms);
+               ipvs->ms = NULL;
+       }
+       mutex_unlock(&ipvs->sync_mutex);
+-      if (tinfo) {
+-              if (tinfo->sock)
+-                      sock_release(tinfo->sock);
+-              kfree(tinfo->buf);
+-              kfree(tinfo);
++
++      /* No more mutexes, release socks */
++      if (ti) {
++              for (tinfo = ti + id; tinfo >= ti; tinfo--) {
++                      if (tinfo->sock)
++                              sock_release(tinfo->sock);
++                      kfree(tinfo->buf);
++              }
++              kfree(ti);
+       }
+-      kfree(array);
+       return result;
+ out_early:
+@@ -1944,15 +1935,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ int stop_sync_thread(struct netns_ipvs *ipvs, int state)
+ {
+-      struct task_struct **array;
++      struct ip_vs_sync_thread_data *ti, *tinfo;
+       int id;
+       int retc = -EINVAL;
+       IP_VS_DBG(7, "%s(): pid %d\n", __func__, task_pid_nr(current));
++      mutex_lock(&ipvs->sync_mutex);
+       if (state == IP_VS_STATE_MASTER) {
++              retc = -ESRCH;
+               if (!ipvs->ms)
+-                      return -ESRCH;
++                      goto err;
++              ti = ipvs->master_tinfo;
+               /*
+                * The lock synchronizes with sb_queue_tail(), so that we don't
+@@ -1971,38 +1965,56 @@ int stop_sync_thread(struct netns_ipvs *ipvs, int state)
+                       struct ipvs_master_sync_state *ms = &ipvs->ms[id];
+                       int ret;
++                      tinfo = &ti[id];
+                       pr_info("stopping master sync thread %d ...\n",
+-                              task_pid_nr(ms->master_thread));
++                              task_pid_nr(tinfo->task));
+                       cancel_delayed_work_sync(&ms->master_wakeup_work);
+-                      ret = kthread_stop(ms->master_thread);
++                      ret = kthread_stop(tinfo->task);
+                       if (retc >= 0)
+                               retc = ret;
+               }
+               kfree(ipvs->ms);
+               ipvs->ms = NULL;
++              ipvs->master_tinfo = NULL;
+       } else if (state == IP_VS_STATE_BACKUP) {
+-              if (!ipvs->backup_threads)
+-                      return -ESRCH;
++              retc = -ESRCH;
++              if (!ipvs->backup_tinfo)
++                      goto err;
++              ti = ipvs->backup_tinfo;
+               ipvs->sync_state &= ~IP_VS_STATE_BACKUP;
+-              array = ipvs->backup_threads;
+               retc = 0;
+               for (id = ipvs->threads_mask; id >= 0; id--) {
+                       int ret;
++                      tinfo = &ti[id];
+                       pr_info("stopping backup sync thread %d ...\n",
+-                              task_pid_nr(array[id]));
+-                      ret = kthread_stop(array[id]);
++                              task_pid_nr(tinfo->task));
++                      ret = kthread_stop(tinfo->task);
+                       if (retc >= 0)
+                               retc = ret;
+               }
+-              kfree(array);
+-              ipvs->backup_threads = NULL;
++              ipvs->backup_tinfo = NULL;
++      } else {
++              goto err;
+       }
++      id = ipvs->threads_mask;
++      mutex_unlock(&ipvs->sync_mutex);
++
++      /* No more mutexes, release socks */
++      for (tinfo = ti + id; tinfo >= ti; tinfo--) {
++              if (tinfo->sock)
++                      sock_release(tinfo->sock);
++              kfree(tinfo->buf);
++      }
++      kfree(ti);
+       /* decrease the module use count */
+       ip_vs_use_count_dec();
++      return retc;
++err:
++      mutex_unlock(&ipvs->sync_mutex);
+       return retc;
+ }
+@@ -2021,7 +2033,6 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs)
+ {
+       int retc;
+-      mutex_lock(&ipvs->sync_mutex);
+       retc = stop_sync_thread(ipvs, IP_VS_STATE_MASTER);
+       if (retc && retc != -ESRCH)
+               pr_err("Failed to stop Master Daemon\n");
+@@ -2029,5 +2040,4 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs)
+       retc = stop_sync_thread(ipvs, IP_VS_STATE_BACKUP);
+       if (retc && retc != -ESRCH)
+               pr_err("Failed to stop Backup Daemon\n");
+-      mutex_unlock(&ipvs->sync_mutex);
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch b/queue-4.19/irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch
new file mode 100644 (file)
index 0000000..9d5af4f
--- /dev/null
@@ -0,0 +1,44 @@
+From 268f1f926b61e0f2239f0e7eb138fa81ee55e9ff Mon Sep 17 00:00:00 2001
+From: Xingyu Chen <xingyu.chen@amlogic.com>
+Date: Sat, 8 Jun 2019 21:04:10 +0200
+Subject: irqchip/meson-gpio: Add support for Meson-G12A SoC
+
+[ Upstream commit c64a9e804ccf86eb202bfd1c6a8c5233c75a0431 ]
+
+The Meson-G12A SoC uses the same GPIO interrupt controller IP block as the
+other Meson SoCs, A totle of 100 pins can be spied on, which is the sum of:
+
+- 223:100 undefined (no interrupt)
+- 99:97   3 pins on bank GPIOE
+- 96:77   20 pins on bank GPIOX
+- 76:61   16 pins on bank GPIOA
+- 60:53   8 pins on bank GPIOC
+- 52:37   16 pins on bank BOOT
+- 36:28   9 pins on bank GPIOH
+- 27:12   16 pins on bank GPIOZ
+- 11:0    12 pins in the AO domain
+
+Signed-off-by: Xingyu Chen <xingyu.chen@amlogic.com>
+Signed-off-by: Jianxin Pan <jianxin.pan@amlogic.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-meson-gpio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/irq-meson-gpio.c b/drivers/irqchip/irq-meson-gpio.c
+index 7b531fd075b8..7599b10ecf09 100644
+--- a/drivers/irqchip/irq-meson-gpio.c
++++ b/drivers/irqchip/irq-meson-gpio.c
+@@ -73,6 +73,7 @@ static const struct of_device_id meson_irq_gpio_matches[] = {
+       { .compatible = "amlogic,meson-gxbb-gpio-intc", .data = &gxbb_params },
+       { .compatible = "amlogic,meson-gxl-gpio-intc", .data = &gxl_params },
+       { .compatible = "amlogic,meson-axg-gpio-intc", .data = &axg_params },
++      { .compatible = "amlogic,meson-g12a-gpio-intc", .data = &axg_params },
+       { }
+ };
+-- 
+2.20.1
+
diff --git a/queue-4.19/iwlwifi-mvm-drop-large-non-sta-frames.patch b/queue-4.19/iwlwifi-mvm-drop-large-non-sta-frames.patch
new file mode 100644 (file)
index 0000000..3ade209
--- /dev/null
@@ -0,0 +1,39 @@
+From 24ad9947ccabfaaa39cd324f92a7c21284b288aa Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Mon, 15 Apr 2019 16:45:04 +0300
+Subject: iwlwifi: mvm: Drop large non sta frames
+
+[ Upstream commit ac70499ee97231a418dc1a4d6c9dc102e8f64631 ]
+
+In some buggy scenarios we could possible attempt to transmit frames larger
+than maximum MSDU size. Since our devices don't know how to handle this,
+it may result in asserts, hangs etc.
+This can happen, for example, when we receive a large multicast frame
+and try to transmit it back to the air in AP mode.
+Since in a legal scenario this should never happen, drop such frames and
+warn about it.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 2d21f0a1fa00..ffae299c3492 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -641,6 +641,9 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb)
+       memcpy(&info, skb->cb, sizeof(info));
++      if (WARN_ON_ONCE(skb->len > IEEE80211_MAX_DATA_LEN + hdrlen))
++              return -1;
++
+       if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU))
+               return -1;
+-- 
+2.20.1
+
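Review bot: The new length guard in iwl_mvm_tx_skb_non_sta() uses WARN_ON_ONCE for a condition that, per the commit message, a received large multicast frame can reach in AP mode, so the warning appears to be triggerable by a remote peer. On hosts that set panic_on_warn, a WARN reachable from network input turns into a crash, and elsewhere the one-shot backtrace hides every later occurrence. Dropping the frame with a rate-limited message keeps the event visible without that side effect, for example `if (skb->len > IEEE80211_MAX_DATA_LEN + hdrlen) { net_warn_ratelimited("iwlwifi: dropping oversized non-sta frame\n"); return -1; }`. `hdrlen` is assigned outside the hunk and the function body continues past it, so what the caller does with the skb on `-1` should be confirmed there.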
diff --git a/queue-4.19/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch b/queue-4.19/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch
new file mode 100644 (file)
index 0000000..1a39ea0
--- /dev/null
@@ -0,0 +1,63 @@
+From 4041d49dfe0a36e0c1f7b3cb92019c548afc65c9 Mon Sep 17 00:00:00 2001
+From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Date: Thu, 23 May 2019 16:11:12 -0300
+Subject: ixgbe: Check DDM existence in transceiver before access
+
+[ Upstream commit 655c91414579d7bb115a4f7898ee726fc18e0984 ]
+
+Some transceivers may comply with SFF-8472 but not implement the Digital
+Diagnostic Monitoring (DDM) interface described in it. The existence of
+such area is specified by bit 6 of byte 92, set to 1 if implemented.
+
+Currently, due to not checking this bit ixgbe fails trying to read SFP
+module's eeprom with the follow message:
+
+ethtool -m enP51p1s0f0
+Cannot get Module EEPROM data: Input/output error
+
+Because it fails to read the additional 256 bytes in which it was assumed
+to exist the DDM data.
+
+This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom
+data was confirmed by Mellanox as correct and present in other Passive
+DACs in from other manufacturers.
+
+Signed-off-by: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 ++-
+ drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h     | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index e5a8461fe6a9..8829bd95d0d3 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3223,7 +3223,8 @@ static int ixgbe_get_module_info(struct net_device *dev,
+               page_swap = true;
+       }
+-      if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap) {
++      if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap ||
++          !(addr_mode & IXGBE_SFF_DDM_IMPLEMENTED)) {
+               /* We have a SFP, but it does not support SFF-8472 */
+               modinfo->type = ETH_MODULE_SFF_8079;
+               modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+index 64e44e01c973..c56baad04ee6 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+@@ -45,6 +45,7 @@
+ #define IXGBE_SFF_SOFT_RS_SELECT_10G          0x8
+ #define IXGBE_SFF_SOFT_RS_SELECT_1G           0x0
+ #define IXGBE_SFF_ADDRESSING_MODE             0x4
++#define IXGBE_SFF_DDM_IMPLEMENTED             0x40
+ #define IXGBE_SFF_QSFP_DA_ACTIVE_CABLE                0x1
+ #define IXGBE_SFF_QSFP_DA_PASSIVE_CABLE               0x8
+ #define IXGBE_SFF_QSFP_CONNECTOR_NOT_SEPARABLE        0x23
+-- 
+2.20.1
+
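Review bot: The comment under the extended condition in ixgbe_get_module_info() still reads "We have a SFP, but it does not support SFF-8472", which is no longer the only reason to take this branch: a module that reports SFF-8472 compliance but leaves the DDM bit clear now lands here too. I would reword it to `/* No SFF-8472 support, page swap set, or DDM not implemented: report SFF-8079 only */`. The new `IXGBE_SFF_DDM_IMPLEMENTED` define in ixgbe_phy.h would also benefit from a short comment tying 0x40 to bit 6 of byte 92, as the commit message describes, because it is tested against the same `addr_mode` byte as `IXGBE_SFF_ADDRESSING_MODE`. The function continues outside the hunk.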
diff --git a/queue-4.19/libata-don-t-request-sense-data-on-zac-ata-devices.patch b/queue-4.19/libata-don-t-request-sense-data-on-zac-ata-devices.patch
new file mode 100644 (file)
index 0000000..e474727
--- /dev/null
@@ -0,0 +1,68 @@
+From df0469461a4b6b339f59031688984e245d17a364 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 24 Jun 2019 09:32:50 -0700
+Subject: libata: don't request sense data on !ZAC ATA devices
+
+[ Upstream commit ca156e006add67e4beea7896be395160735e09b0 ]
+
+ZAC support added sense data requesting on error for both ZAC and ATA
+devices. This seems to cause erratic error handling behaviors on some
+SSDs where the device reports sense data availability and then
+delivers the wrong content making EH take the wrong actions.  The
+failure mode was sporadic on a LITE-ON ssd and couldn't be reliably
+reproduced.
+
+There is no value in requesting sense data from non-ZAC ATA devices
+while there's a significant risk of introducing EH misbehaviors which
+are difficult to reproduce and fix.  Let's do the sense data dancing
+only for ZAC devices.
+
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Tested-by: Masato Suzuki <masato.suzuki@wdc.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 01306c018398..ccc80ff57eb2 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -1490,7 +1490,7 @@ static int ata_eh_read_log_10h(struct ata_device *dev,
+       tf->hob_lbah = buf[10];
+       tf->nsect = buf[12];
+       tf->hob_nsect = buf[13];
+-      if (ata_id_has_ncq_autosense(dev->id))
++      if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id))
+               tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16];
+       return 0;
+@@ -1737,7 +1737,8 @@ void ata_eh_analyze_ncq_error(struct ata_link *link)
+       memcpy(&qc->result_tf, &tf, sizeof(tf));
+       qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48;
+       qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ;
+-      if ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary) {
++      if (dev->class == ATA_DEV_ZAC &&
++          ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) {
+               char sense_key, asc, ascq;
+               sense_key = (qc->result_tf.auxiliary >> 16) & 0xff;
+@@ -1791,10 +1792,11 @@ static unsigned int ata_eh_analyze_tf(struct ata_queued_cmd *qc,
+       }
+       switch (qc->dev->class) {
+-      case ATA_DEV_ATA:
+       case ATA_DEV_ZAC:
+               if (stat & ATA_SENSE)
+                       ata_eh_request_sense(qc, qc->scsicmd);
++              /* fall through */
++      case ATA_DEV_ATA:
+               if (err & ATA_ICRC)
+                       qc->err_mask |= AC_ERR_ATA_BUS;
+               if (err & (ATA_UNC | ATA_AMNF))
+-- 
+2.20.1
+
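Review bot: The test `dev->class == ATA_DEV_ZAC` is now repeated in ata_eh_read_log_10h(), ata_eh_analyze_ncq_error() and the switch in ata_eh_analyze_tf(), and none of the three sites says why plain ATA devices are excluded. The commit message gives the reason (some SSDs advertise sense data and then deliver wrong content, which misleads EH), and that is what a later reader needs before merging the cases again; a comment above `case ATA_DEV_ZAC:` such as `/* only ZAC devices are trusted to return valid sense data */` would carry it. In ata_eh_read_log_10h() `tf->auxiliary` is now left unwritten for non-ZAC devices, so the code relies on the caller having cleared `tf`; that is not visible here and is worth confirming. All three functions continue outside their hunks.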
diff --git a/queue-4.19/lightnvm-pblk-fix-freeing-of-merged-pages.patch b/queue-4.19/lightnvm-pblk-fix-freeing-of-merged-pages.patch
new file mode 100644 (file)
index 0000000..b4aff92
--- /dev/null
@@ -0,0 +1,54 @@
+From e1cd82b80e9db3ac04403eb26aed59b7533339f9 Mon Sep 17 00:00:00 2001
+From: Heiner Litz <hlitz@ucsc.edu>
+Date: Fri, 21 Jun 2019 11:11:59 +0200
+Subject: lightnvm: pblk: fix freeing of merged pages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 510fd8ea98fcb586c01aef93d87c060a159ac30a ]
+
+bio_add_pc_page() may merge pages when a bio is padded due to a flush.
+Fix iteration over the bio to free the correct pages in case of a merge.
+
+Signed-off-by: Heiner Litz <hlitz@ucsc.edu>
+Reviewed-by: Javier González <javier@javigon.com>
+Signed-off-by: Matias Bjørling <mb@lightnvm.io>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/lightnvm/pblk-core.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/lightnvm/pblk-core.c b/drivers/lightnvm/pblk-core.c
+index 95be6e36c7dd..80710c62ac29 100644
+--- a/drivers/lightnvm/pblk-core.c
++++ b/drivers/lightnvm/pblk-core.c
+@@ -288,14 +288,16 @@ void pblk_free_rqd(struct pblk *pblk, struct nvm_rq *rqd, int type)
+ void pblk_bio_free_pages(struct pblk *pblk, struct bio *bio, int off,
+                        int nr_pages)
+ {
+-      struct bio_vec bv;
+-      int i;
+-
+-      WARN_ON(off + nr_pages != bio->bi_vcnt);
+-
+-      for (i = off; i < nr_pages + off; i++) {
+-              bv = bio->bi_io_vec[i];
+-              mempool_free(bv.bv_page, &pblk->page_bio_pool);
++      struct bio_vec *bv;
++      struct page *page;
++      int i, e, nbv = 0;
++
++      for (i = 0; i < bio->bi_vcnt; i++) {
++              bv = &bio->bi_io_vec[i];
++              page = bv->bv_page;
++              for (e = 0; e < bv->bv_len; e += PBLK_EXPOSED_PAGE_SIZE, nbv++)
++                      if (nbv >= off)
++                              mempool_free(page++, &pblk->page_bio_pool);
+       }
+ }
+-- 
+2.20.1
+
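Review bot: In the rewritten pblk_bio_free_pages() the `page++` runs only when `nbv >= off`, so if a merged bio_vec straddles `off` the pages skipped at its start are never stepped over and the loop would free the first pages of that vector rather than the ones at and after `off`. Whether a merge can span that boundary depends on callers not shown here, but advancing the pointer in the loop header removes the dependency: `for (e = 0; e < bv->bv_len; e += PBLK_EXPOSED_PAGE_SIZE, nbv++, page++)` with `mempool_free(page, &pblk->page_bio_pool);` in the body. `nr_pages` is also no longer read, and the removed `WARN_ON(off + nr_pages != bio->bi_vcnt)` was the only check tying it to the bio, so every page from `off` to the end goes back to the pool whatever the caller passed. An upper bound such as `nbv < off + nr_pages`, or a comment stating that the parameter is ignored, would make that explicit.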
diff --git a/queue-4.19/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch b/queue-4.19/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch
new file mode 100644 (file)
index 0000000..88c9f6d
--- /dev/null
@@ -0,0 +1,102 @@
+From a73395aba5d71d9dbc8cadc8c56e3869629f9885 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 May 2019 23:15:09 +0300
+Subject: locking/lockdep: Fix merging of hlocks with non-zero references
+
+[ Upstream commit d9349850e188b8b59e5322fda17ff389a1c0cd7d ]
+
+The sequence
+
+       static DEFINE_WW_CLASS(test_ww_class);
+
+       struct ww_acquire_ctx ww_ctx;
+       struct ww_mutex ww_lock_a;
+       struct ww_mutex ww_lock_b;
+       struct ww_mutex ww_lock_c;
+       struct mutex lock_c;
+
+       ww_acquire_init(&ww_ctx, &test_ww_class);
+
+       ww_mutex_init(&ww_lock_a, &test_ww_class);
+       ww_mutex_init(&ww_lock_b, &test_ww_class);
+       ww_mutex_init(&ww_lock_c, &test_ww_class);
+
+       mutex_init(&lock_c);
+
+       ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+       mutex_lock(&lock_c);
+
+       ww_mutex_lock(&ww_lock_b, &ww_ctx);
+       ww_mutex_lock(&ww_lock_c, &ww_ctx);
+
+       mutex_unlock(&lock_c);  (*)
+
+       ww_mutex_unlock(&ww_lock_c);
+       ww_mutex_unlock(&ww_lock_b);
+       ww_mutex_unlock(&ww_lock_a);
+
+       ww_acquire_fini(&ww_ctx); (**)
+
+will trigger the following error in __lock_release() when calling
+mutex_release() at **:
+
+       DEBUG_LOCKS_WARN_ON(depth <= 0)
+
+The problem is that the hlock merging happening at * updates the
+references for test_ww_class incorrectly to 3 whereas it should've
+updated it to 4 (representing all the instances for ww_ctx and
+ww_lock_[abc]).
+
+Fix this by updating the references during merging correctly taking into
+account that we can have non-zero references (both for the hlock that we
+merge into another hlock or for the hlock we are merging into).
+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 26b57e24476f..e810e8cb17e1 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3326,17 +3326,17 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
+       if (depth) {
+               hlock = curr->held_locks + depth - 1;
+               if (hlock->class_idx == class_idx && nest_lock) {
+-                      if (hlock->references) {
+-                              /*
+-                               * Check: unsigned int references:12, overflow.
+-                               */
+-                              if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1))
+-                                      return 0;
++                      if (!references)
++                              references++;
++                      if (!hlock->references)
+                               hlock->references++;
+-                      } else {
+-                              hlock->references = 2;
+-                      }
++
++                      hlock->references += references;
++
++                      /* Overflow */
++                      if (DEBUG_LOCKS_WARN_ON(hlock->references < references))
++                              return 0;
+                       return 1;
+               }
+-- 
+2.20.1
+
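Review bot: The overflow test in __lock_acquire() now runs after `hlock->references += references`, so when it fires the held lock's count has already wrapped and `return 0` leaves the truncated value in place, whereas the removed code refused before touching the field. The deleted comment was also the only place in the hunk recording that `references` is a 12-bit field, which is what makes `hlock->references < references` a wrap check at all. I would keep that fact next to the test, `/* references is a 12-bit field: a sum smaller than the addend means it wrapped */`, and consider comparing against the field maximum before adding. The function starts and ends outside the hunk.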
diff --git a/queue-4.19/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch b/queue-4.19/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch
new file mode 100644 (file)
index 0000000..82b0694
--- /dev/null
@@ -0,0 +1,46 @@
+From 53194f1d4f7a67ffc29c7c1dc96be8124e9d1f27 Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:11 -0400
+Subject: media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
+
+[ Upstream commit f3775f89852d167990b0d718587774cf00d22ac2 ]
+
+coda_encoder_cmd() is racy, as the last scheduled picture run worker can
+still be in-flight while the ENC_CMD_STOP command is issued. Depending
+on the exact timing the sequence numbers might already be changed, but
+the last buffer might not have been put on the destination queue yet.
+
+In this case the current implementation would prematurely wake the
+destination queue with last_buffer_dequeued=true, causing userspace to
+call streamoff before the last buffer is handled.
+
+Close this race window by synchronizing with the pic_run_worker before
+doing the sequence check.
+
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+[l.stach@pengutronix.de: switch to flush_work, reword commit message]
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c
+index 19d92edcc981..4b0220f40b42 100644
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -997,6 +997,8 @@ static int coda_encoder_cmd(struct file *file, void *fh,
+       /* Set the stream-end flag on this context */
+       ctx->bit_stream_param |= CODA_BIT_STREAM_END_FLAG;
++      flush_work(&ctx->pic_run_work);
++
+       /* If there is no buffer in flight, wake up */
+       if (!ctx->streamon_out || ctx->qsequence == ctx->osequence) {
+               dst_vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx,
+-- 
+2.20.1
+
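Review bot: Nothing at the new `flush_work(&ctx->pic_run_work)` call in coda_encoder_cmd() says why it must sit between setting the stream-end flag and the `qsequence == osequence` comparison, and that ordering is the whole fix. A comment such as `/* wait for an in-flight picture run so the sequence counters below are final */` would keep it from being moved or dropped later. It is also worth confirming that no lock held on this ioctl path is taken by the work item, since flush_work() blocks until the worker finishes; the hunk does not show the locking context. The function continues outside the hunk.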
diff --git a/queue-4.19/media-coda-fix-mpeg2-sequence-number-handling.patch b/queue-4.19/media-coda-fix-mpeg2-sequence-number-handling.patch
new file mode 100644 (file)
index 0000000..278f386
--- /dev/null
@@ -0,0 +1,46 @@
+From 339736bdda2aab384c9717ea0868494aaf581be2 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:10 -0400
+Subject: media: coda: fix mpeg2 sequence number handling
+
+[ Upstream commit 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba ]
+
+Sequence number handling assumed that the BIT processor frame number
+starts counting at 1, but this is not true for the MPEG-2 decoder,
+which starts at 0. Fix the sequence counter offset detection to handle
+this.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index a3cfefdbee12..25ef0c928a81 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1728,6 +1728,7 @@ static int __coda_start_decoding(struct coda_ctx *ctx)
+               v4l2_err(&dev->v4l2_dev, "CODA_COMMAND_SEQ_INIT timeout\n");
+               return ret;
+       }
++      ctx->sequence_offset = ~0U;
+       ctx->initialized = 1;
+       /* Update kfifo out pointer from coda bitstream read pointer */
+@@ -2147,7 +2148,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+               v4l2_err(&dev->v4l2_dev,
+                        "decoded frame index out of range: %d\n", decoded_idx);
+       } else {
+-              val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1;
++              val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM);
++              if (ctx->sequence_offset == -1)
++                      ctx->sequence_offset = val;
+               val -= ctx->sequence_offset;
+               spin_lock_irqsave(&ctx->buffer_meta_lock, flags);
+               if (!list_empty(&ctx->buffer_meta_list)) {
+-- 
+2.20.1
+
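Review bot: The "offset not yet detected" sentinel is written as `~0U` in __coda_start_decoding() and tested as `-1` in coda_finish_decode(); the two agree only if `sequence_offset` is an unsigned 32-bit field, and its declaration is not in the hunk. Using one spelling in both places, `if (ctx->sequence_offset == ~0U)`, or a named constant, removes the reliance on the implicit conversion. A short comment at the assignment, `/* all-ones: offset is taken from the first decoded frame */`, would also make the intent clear. Both functions continue outside their hunks.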
diff --git a/queue-4.19/media-coda-increment-sequence-offset-for-the-last-re.patch b/queue-4.19/media-coda-increment-sequence-offset-for-the-last-re.patch
new file mode 100644 (file)
index 0000000..5b482e5
--- /dev/null
@@ -0,0 +1,37 @@
+From bdaa8c1ef743b06f9ca2e38f42c4e2aeee0f5326 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:22 -0400
+Subject: media: coda: increment sequence offset for the last returned frame
+
+[ Upstream commit b3b7d96817cdb8b6fc353867705275dce8f41ccc ]
+
+If no more frames are decoded in bitstream end mode, and a previously
+decoded frame has been returned, the firmware still increments the frame
+number. To avoid a sequence number mismatch after decoder restart,
+increment the sequence_offset correction parameter.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 25ef0c928a81..925581d65ad8 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2143,6 +2143,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+               else if (ctx->display_idx < 0)
+                       ctx->hold = true;
+       } else if (decoded_idx == -2) {
++              if (ctx->display_idx >= 0 &&
++                  ctx->display_idx < ctx->num_internal_frames)
++                      ctx->sequence_offset++;
+               /* no frame was decoded, we still return remaining buffers */
+       } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) {
+               v4l2_err(&dev->v4l2_dev,
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch b/queue-4.19/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
new file mode 100644 (file)
index 0000000..e19ec3e
--- /dev/null
@@ -0,0 +1,44 @@
+From a08daad7dfb6637a9855e844b00653b6c9c467ce Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 09:07:36 -0400
+Subject: media: dvb: usb: fix use after free in dvb_usb_device_exit
+
+[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]
+
+dvb_usb_device_exit() frees and uses the device name in that order.
+Fix by storing the name in a buffer before freeing it.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 40ca4eafb137..39ac22486bcd 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init);
+ void dvb_usb_device_exit(struct usb_interface *intf)
+ {
+       struct dvb_usb_device *d = usb_get_intfdata(intf);
+-      const char *name = "generic DVB-USB module";
++      const char *default_name = "generic DVB-USB module";
++      char name[40];
+       usb_set_intfdata(intf, NULL);
+       if (d != NULL && d->desc != NULL) {
+-              name = d->desc->name;
++              strscpy(name, d->desc->name, sizeof(name));
+               dvb_usb_exit(d);
++      } else {
++              strscpy(name, default_name, sizeof(name));
+       }
+       info("%s successfully deinitialized and disconnected.", name);
+-- 
+2.20.1
+
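Review bot: `char name[40]` in dvb_usb_device_exit() is an unexplained size, and strscpy() will silently truncate any `d->desc->name` longer than 39 characters in the final log line. The copy is what removes the use after free described in the commit message, so the truncation only affects the log text, but the reason for the local buffer is not stated anywhere in the code. A comment such as `/* copy the name: it is not valid after dvb_usb_exit(); long names are truncated */` above the declaration would cover both. The end of the function is outside the hunk.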
diff --git a/queue-4.19/media-fdp1-support-m3n-and-e3-platforms.patch b/queue-4.19/media-fdp1-support-m3n-and-e3-platforms.patch
new file mode 100644 (file)
index 0000000..21e43cd
--- /dev/null
@@ -0,0 +1,51 @@
+From 6871ea421af9f8aa26984634d6f3bad26fddd77d Mon Sep 17 00:00:00 2001
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Date: Wed, 15 May 2019 11:39:12 -0400
+Subject: media: fdp1: Support M3N and E3 platforms
+
+[ Upstream commit 4e8c120de9268fc26f583268b9d22e7d37c4595f ]
+
+New Gen3 R-Car platforms incorporate the FDP1 with an updated version
+register. No code change is required to support these targets, but they
+will currently report an error stating that the device can not be
+identified.
+
+Update the driver to match against the new device types.
+
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar_fdp1.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/platform/rcar_fdp1.c b/drivers/media/platform/rcar_fdp1.c
+index 2a15b7cca338..0d1467028811 100644
+--- a/drivers/media/platform/rcar_fdp1.c
++++ b/drivers/media/platform/rcar_fdp1.c
+@@ -257,6 +257,8 @@ MODULE_PARM_DESC(debug, "activate debug info");
+ #define FD1_IP_H3_ES1                 0x02010101
+ #define FD1_IP_M3W                    0x02010202
+ #define FD1_IP_H3                     0x02010203
++#define FD1_IP_M3N                    0x02010204
++#define FD1_IP_E3                     0x02010205
+ /* LUTs */
+ #define FD1_LUT_DIF_ADJ                       0x1000
+@@ -2365,6 +2367,12 @@ static int fdp1_probe(struct platform_device *pdev)
+       case FD1_IP_H3:
+               dprintk(fdp1, "FDP1 Version R-Car H3\n");
+               break;
++      case FD1_IP_M3N:
++              dprintk(fdp1, "FDP1 Version R-Car M3N\n");
++              break;
++      case FD1_IP_E3:
++              dprintk(fdp1, "FDP1 Version R-Car E3\n");
++              break;
+       default:
+               dev_err(fdp1->dev, "FDP1 Unidentifiable (0x%08x)\n",
+                               hw_version);
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-hdpvr-fix-locking-and-a-missing-msleep.patch b/queue-4.19/media-hdpvr-fix-locking-and-a-missing-msleep.patch
new file mode 100644 (file)
index 0000000..49d5947
--- /dev/null
@@ -0,0 +1,81 @@
+From 9b3f7014a677d7e74d34da8235dc27f4edabc906 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 20 Jun 2019 07:43:41 -0400
+Subject: media: hdpvr: fix locking and a missing msleep
+
+[ Upstream commit 6bc5a4a1927556ff9adce1aa95ea408c95453225 ]
+
+This driver has three locking issues:
+
+- The wait_event_interruptible() condition calls hdpvr_get_next_buffer(dev)
+  which uses a mutex, which is not allowed. Rewrite with list_empty_careful()
+  that doesn't need locking.
+
+- In hdpvr_read() the call to hdpvr_stop_streaming() didn't lock io_mutex,
+  but it should have since stop_streaming expects that.
+
+- In hdpvr_device_release() io_mutex was locked when calling flush_work(),
+  but there it shouldn't take that mutex since the work done by flush_work()
+  also wants to lock that mutex.
+
+There are also two other changes (suggested by Keith):
+
+- msecs_to_jiffies(4000); (a NOP) should have been msleep(4000).
+- Change v4l2_dbg to v4l2_info to always log if streaming had to be restarted.
+
+Reported-by: Keith Pyle <kpyle@austin.rr.com>
+Suggested-by: Keith Pyle <kpyle@austin.rr.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/hdpvr/hdpvr-video.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c
+index 1b89c77bad66..0615996572e4 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-video.c
++++ b/drivers/media/usb/hdpvr/hdpvr-video.c
+@@ -439,7 +439,7 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+       /* wait for the first buffer */
+       if (!(file->f_flags & O_NONBLOCK)) {
+               if (wait_event_interruptible(dev->wait_data,
+-                                           hdpvr_get_next_buffer(dev)))
++                                           !list_empty_careful(&dev->rec_buff_list)))
+                       return -ERESTARTSYS;
+       }
+@@ -465,10 +465,17 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+                               goto err;
+                       }
+                       if (!err) {
+-                              v4l2_dbg(MSG_INFO, hdpvr_debug, &dev->v4l2_dev,
+-                                      "timeout: restart streaming\n");
++                              v4l2_info(&dev->v4l2_dev,
++                                        "timeout: restart streaming\n");
++                              mutex_lock(&dev->io_mutex);
+                               hdpvr_stop_streaming(dev);
+-                              msecs_to_jiffies(4000);
++                              mutex_unlock(&dev->io_mutex);
++                              /*
++                               * The FW needs about 4 seconds after streaming
++                               * stopped before it is ready to restart
++                               * streaming.
++                               */
++                              msleep(4000);
+                               err = hdpvr_start_streaming(dev);
+                               if (err) {
+                                       ret = err;
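Review bot: hdpvr_start_streaming(dev) on the restart path runs after io_mutex has been dropped, while the stop call just above it is now wrapped in the lock. The commit message says hdpvr_stop_streaming expects io_mutex; whether start_streaming has the same expectation is not visible in this hunk. The 4-second msleep() also leaves a window in which another opener of the device could change the streaming state. If start needs the lock, take it again around the call: `mutex_lock(&dev->io_mutex); err = hdpvr_start_streaming(dev); mutex_unlock(&dev->io_mutex);`. hdpvr_read's body starts and continues outside the hunk.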
+@@ -1133,9 +1140,7 @@ static void hdpvr_device_release(struct video_device *vdev)
+       struct hdpvr_device *dev = video_get_drvdata(vdev);
+       hdpvr_delete(dev);
+-      mutex_lock(&dev->io_mutex);
+       flush_work(&dev->worker);
+-      mutex_unlock(&dev->io_mutex);
+       v4l2_device_unregister(&dev->v4l2_dev);
+       v4l2_ctrl_handler_free(&dev->hdl);
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-i2c-fix-warning-same-module-names.patch b/queue-4.19/media-i2c-fix-warning-same-module-names.patch
new file mode 100644 (file)
index 0000000..2508ca5
--- /dev/null
@@ -0,0 +1,60 @@
+From c316c301eac2a6b3af64a461d1259aaaad09ebc5 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Wed, 12 Jun 2019 12:19:35 -0400
+Subject: media: i2c: fix warning same module names
+
+[ Upstream commit b2ce5617dad254230551feda3599f2cc68e53ad8 ]
+
+When building with CONFIG_VIDEO_ADV7511 and CONFIG_DRM_I2C_ADV7511
+enabled as loadable modules, we see the following warning:
+
+  drivers/gpu/drm/bridge/adv7511/adv7511.ko
+  drivers/media/i2c/adv7511.ko
+
+Rework so that the file is named adv7511-v4l2.c.
+
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/Makefile                      | 2 +-
+ drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+ rename drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} (99%)
+
+diff --git a/drivers/media/i2c/Makefile b/drivers/media/i2c/Makefile
+index a94eb03d10d4..520b3c3bf48c 100644
+--- a/drivers/media/i2c/Makefile
++++ b/drivers/media/i2c/Makefile
+@@ -36,7 +36,7 @@ obj-$(CONFIG_VIDEO_ADV748X) += adv748x/
+ obj-$(CONFIG_VIDEO_ADV7604) += adv7604.o
+ obj-$(CONFIG_VIDEO_ADV7842) += adv7842.o
+ obj-$(CONFIG_VIDEO_AD9389B) += ad9389b.o
+-obj-$(CONFIG_VIDEO_ADV7511) += adv7511.o
++obj-$(CONFIG_VIDEO_ADV7511) += adv7511-v4l2.o
+ obj-$(CONFIG_VIDEO_VPX3220) += vpx3220.o
+ obj-$(CONFIG_VIDEO_VS6624)  += vs6624.o
+ obj-$(CONFIG_VIDEO_BT819) += bt819.o
+diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511-v4l2.c
+similarity index 99%
+rename from drivers/media/i2c/adv7511.c
+rename to drivers/media/i2c/adv7511-v4l2.c
+index 88349b5053cc..6869bb593a68 100644
+--- a/drivers/media/i2c/adv7511.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -5,6 +5,11 @@
+  * Copyright 2013 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+  */
++/*
++ * This file is named adv7511-v4l2.c so it doesn't conflict with the Analog
++ * Device ADV7511 (config fragment CONFIG_DRM_I2C_ADV7511).
++ */
++
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch b/queue-4.19/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
new file mode 100644 (file)
index 0000000..5c55edb
--- /dev/null
@@ -0,0 +1,64 @@
+From f8b5686e535b1e6c7c5308227143813436382aa5 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sun, 5 May 2019 10:00:23 -0400
+Subject: media: marvell-ccic: fix DMA s/g desc number calculation
+
+[ Upstream commit 0c7aa32966dab0b8a7424e1b34c7f206817953ec ]
+
+The commit d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+left dma_desc_nent unset. It previously contained the number of DMA
+descriptors as returned from dma_map_sg().
+
+We can now (since the commit referred to above) obtain the same value from
+the sg_table and drop dma_desc_nent altogether.
+
+Tested on OLPC XO-1.75 machine. Doesn't affect the OLPC XO-1's Cafe
+driver, since that one doesn't do DMA.
+
+[mchehab+samsung@kernel.org: fix a checkpatch warning]
+
+Fixes: d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/marvell-ccic/mcam-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
+index dfdbd4354b74..eeee15ff007d 100644
+--- a/drivers/media/platform/marvell-ccic/mcam-core.c
++++ b/drivers/media/platform/marvell-ccic/mcam-core.c
+@@ -200,7 +200,6 @@ struct mcam_vb_buffer {
+       struct list_head queue;
+       struct mcam_dma_desc *dma_desc; /* Descriptor virtual address */
+       dma_addr_t dma_desc_pa;         /* Descriptor physical address */
+-      int dma_desc_nent;              /* Number of mapped descriptors */
+ };
+ static inline struct mcam_vb_buffer *vb_to_mvb(struct vb2_v4l2_buffer *vb)
+@@ -608,9 +607,11 @@ static void mcam_dma_contig_done(struct mcam_camera *cam, int frame)
+ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ {
+       struct mcam_vb_buffer *buf;
++      struct sg_table *sg_table;
+       buf = list_first_entry(&cam->buffers, struct mcam_vb_buffer, queue);
+       list_del_init(&buf->queue);
++      sg_table = vb2_dma_sg_plane_desc(&buf->vb_buf.vb2_buf, 0);
+       /*
+        * Very Bad Not Good Things happen if you don't clear
+        * C1_DESC_ENA before making any descriptor changes.
+@@ -618,7 +619,7 @@ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+       mcam_reg_clear_bit(cam, REG_CTRL1, C1_DESC_ENA);
+       mcam_reg_write(cam, REG_DMA_DESC_Y, buf->dma_desc_pa);
+       mcam_reg_write(cam, REG_DESC_LEN_Y,
+-                      buf->dma_desc_nent*sizeof(struct mcam_dma_desc));
++                      sg_table->nents * sizeof(struct mcam_dma_desc));
+       mcam_reg_write(cam, REG_DESC_LEN_U, 0);
+       mcam_reg_write(cam, REG_DESC_LEN_V, 0);
+       mcam_reg_set_bit(cam, REG_CTRL1, C1_DESC_ENA);
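Review bot: The return of vb2_dma_sg_plane_desc() is dereferenced as `sg_table->nents` without a NULL check, and the byte count written to REG_DESC_LEN_Y now depends on it. The descriptor array behind buf->dma_desc_pa is allocated and filled outside this hunk, so the hunk alone does not show that it always holds at least nents entries. If it can be shorter, the device would be told to walk past the array. Once confirmed against the buffer-prepare code, I would state the invariant above the REG_DESC_LEN_Y write, for example `/* dma_desc holds one entry per mapped sg element, i.e. sg_table->nents */`.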
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-mc-device.c-don-t-memset-__user-pointer-conten.patch b/queue-4.19/media-mc-device.c-don-t-memset-__user-pointer-conten.patch
new file mode 100644 (file)
index 0000000..0a90aa2
--- /dev/null
@@ -0,0 +1,43 @@
+From 4bbe982e5403742055c40827efe0ddf3f89e80e5 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Mon, 27 May 2019 05:31:13 -0400
+Subject: media: mc-device.c: don't memset __user pointer contents
+
+[ Upstream commit 518fa4e0e0da97ea2e17c95ab57647ce748a96e2 ]
+
+You can't memset the contents of a __user pointer. Instead, call copy_to_user to
+copy links.reserved (which is zeroed) to the user memory.
+
+This fixes this sparse warning:
+
+SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16:  warning: incorrect type in argument 1 (different address spaces)
+
+Fixes: f49308878d720 ("media: media_device_enum_links32: clean a reserved field")
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/media-device.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index ba344e6f0139..ed518b1f82e4 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -503,8 +503,9 @@ static long media_device_enum_links32(struct media_device *mdev,
+       if (ret)
+               return ret;
+-      memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
+-
++      if (copy_to_user(ulinks->reserved, links.reserved,
++                       sizeof(ulinks->reserved)))
++              return -EFAULT;
+       return 0;
+ }
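Review bot: The copy_to_user() length is taken from the destination field (`sizeof(ulinks->reserved)`) while the bytes come from `links.reserved`, a field of a different struct. If the compat struct's reserved array were ever larger than the native one, the copy would read past links.reserved and hand adjacent kernel stack bytes to user space. Either pin the relation with `BUILD_BUG_ON(sizeof(ulinks->reserved) > sizeof(links.reserved));` or zero the user field without a kernel source buffer via `if (clear_user(ulinks->reserved, sizeof(ulinks->reserved))) return -EFAULT;`. The function's opening is outside the hunk.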
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-media_device_enum_links32-clean-a-reserved-fie.patch b/queue-4.19/media-media_device_enum_links32-clean-a-reserved-fie.patch
new file mode 100644 (file)
index 0000000..629c837
--- /dev/null
@@ -0,0 +1,55 @@
+From 851d9937a7a7ce6544b12fc1349b7049f8c8d472 Mon Sep 17 00:00:00 2001
+From: Jungo Lin <jungo.lin@mediatek.com>
+Date: Tue, 2 Apr 2019 21:44:27 -0400
+Subject: media: media_device_enum_links32: clean a reserved field
+
+[ Upstream commit f49308878d7202e07d8761238e01bd0e5fce2750 ]
+
+In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES
+will check whether reserved field of media_links_enum filled
+with zero.
+
+However, for 32 bit program, the reserved field is missing
+copy from kernel space to user space in media_device_enum_links32
+function.
+
+This patch adds the cleaning a reserved field logic in
+media_device_enum_links32 function.
+
+Signed-off-by: Jungo Lin <jungo.lin@mediatek.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/media-device.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index 3bae24b15eaa..ba344e6f0139 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -487,6 +487,7 @@ static long media_device_enum_links32(struct media_device *mdev,
+ {
+       struct media_links_enum links;
+       compat_uptr_t pads_ptr, links_ptr;
++      int ret;
+       memset(&links, 0, sizeof(links));
+@@ -498,7 +499,13 @@ static long media_device_enum_links32(struct media_device *mdev,
+       links.pads = compat_ptr(pads_ptr);
+       links.links = compat_ptr(links_ptr);
+-      return media_device_enum_links(mdev, &links);
++      ret = media_device_enum_links(mdev, &links);
++      if (ret)
++              return ret;
++
++      memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
++
++      return 0;
+ }
+ #define MEDIA_IOC_ENUM_LINKS32                _IOWR('|', 0x02, struct media_links_enum32)
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-ov7740-avoid-invalid-framesize-setting.patch b/queue-4.19/media-ov7740-avoid-invalid-framesize-setting.patch
new file mode 100644 (file)
index 0000000..fdccc8e
--- /dev/null
@@ -0,0 +1,43 @@
+From 6e969a0f17c49adfed2370fe986e47e520e0e538 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Wed, 17 Apr 2019 10:06:39 -0400
+Subject: media: ov7740: avoid invalid framesize setting
+
+[ Upstream commit 6e4ab830ac6d6a0d7cd7f87dc5d6536369bf24a8 ]
+
+If the requested framesize by VIDIOC_SUBDEV_S_FMT is larger than supported
+framesizes, it causes an out of bounds array access and the resulting
+framesize is unexpected.
+
+Avoid out of bounds array access and select the default framesize.
+
+Cc: Wenyou Yang <wenyou.yang@microchip.com>
+Cc: Eugen Hristev <eugen.hristev@microchip.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov7740.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/ov7740.c b/drivers/media/i2c/ov7740.c
+index f5a1ee90a6c5..8a6a7a5929aa 100644
+--- a/drivers/media/i2c/ov7740.c
++++ b/drivers/media/i2c/ov7740.c
+@@ -761,7 +761,11 @@ static int ov7740_try_fmt_internal(struct v4l2_subdev *sd,
+               fsize++;
+       }
+-
++      if (i >= ARRAY_SIZE(ov7740_framesizes)) {
++              fsize = &ov7740_framesizes[0];
++              fmt->width = fsize->width;
++              fmt->height = fsize->height;
++      }
+       if (ret_frmsize != NULL)
+               *ret_frmsize = fsize;
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch b/queue-4.19/media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch
new file mode 100644 (file)
index 0000000..88e2bad
--- /dev/null
@@ -0,0 +1,74 @@
+From 3ef8a2fb940575a9fbad0020066d12d9bbb6c2e8 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 12 Jun 2019 09:57:57 -0400
+Subject: media: s5p-mfc: fix reading min scratch buffer size on MFC v6/v7
+
+[ Upstream commit be22203aec440c1761ce8542c2636ac6c8951e3a ]
+
+MFC v6 and v7 has no register to read min scratch buffer size, so it has
+to be read conditionally only if hardware supports it. This fixes following
+NULL pointer exception on SoCs with MFC v6/v7:
+
+8<--- cut here ---
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = f25837f9
+[00000000] *pgd=bd93d835
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: btmrvl_sdio btmrvl bluetooth mwifiex_sdio mwifiex ecdh_generic ecc
+Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+PC is at s5p_mfc_get_min_scratch_buf_size+0x30/0x3c
+LR is at s5p_mfc_get_min_scratch_buf_size+0x28/0x3c
+...
+[<c074f998>] (s5p_mfc_get_min_scratch_buf_size) from [<c0745bc0>] (s5p_mfc_irq+0x814/0xa5c)
+[<c0745bc0>] (s5p_mfc_irq) from [<c019a218>] (__handle_irq_event_percpu+0x64/0x3f8)
+[<c019a218>] (__handle_irq_event_percpu) from [<c019a5d8>] (handle_irq_event_percpu+0x2c/0x7c)
+[<c019a5d8>] (handle_irq_event_percpu) from [<c019a660>] (handle_irq_event+0x38/0x5c)
+[<c019a660>] (handle_irq_event) from [<c019ebc4>] (handle_fasteoi_irq+0xc4/0x180)
+[<c019ebc4>] (handle_fasteoi_irq) from [<c0199270>] (generic_handle_irq+0x24/0x34)
+[<c0199270>] (generic_handle_irq) from [<c0199888>] (__handle_domain_irq+0x7c/0xec)
+[<c0199888>] (__handle_domain_irq) from [<c04ac298>] (gic_handle_irq+0x58/0x9c)
+[<c04ac298>] (gic_handle_irq) from [<c0101ab0>] (__irq_svc+0x70/0xb0)
+Exception stack(0xe73ddc60 to 0xe73ddca8)
+...
+[<c0101ab0>] (__irq_svc) from [<c01967d8>] (console_unlock+0x5a8/0x6a8)
+[<c01967d8>] (console_unlock) from [<c01981d0>] (vprintk_emit+0x118/0x2d8)
+[<c01981d0>] (vprintk_emit) from [<c01983b0>] (vprintk_default+0x20/0x28)
+[<c01983b0>] (vprintk_default) from [<c01989b4>] (printk+0x30/0x54)
+[<c01989b4>] (printk) from [<c07500b8>] (s5p_mfc_init_decode_v6+0x1d4/0x284)
+[<c07500b8>] (s5p_mfc_init_decode_v6) from [<c07230d0>] (vb2_start_streaming+0x24/0x150)
+[<c07230d0>] (vb2_start_streaming) from [<c0724e4c>] (vb2_core_streamon+0x11c/0x15c)
+[<c0724e4c>] (vb2_core_streamon) from [<c07478b8>] (vidioc_streamon+0x64/0xa0)
+[<c07478b8>] (vidioc_streamon) from [<c0709640>] (__video_do_ioctl+0x28c/0x45c)
+[<c0709640>] (__video_do_ioctl) from [<c0709bc8>] (video_usercopy+0x260/0x8a4)
+[<c0709bc8>] (video_usercopy) from [<c02b3820>] (do_vfs_ioctl+0xb0/0x9fc)
+[<c02b3820>] (do_vfs_ioctl) from [<c02b41a0>] (ksys_ioctl+0x34/0x58)
+[<c02b41a0>] (ksys_ioctl) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xe73ddfa8 to 0xe73ddff0)
+...
+---[ end trace 376cf5ba6e0bee93 ]---
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index ca11f8a7569d..4b8516c35bc2 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -527,7 +527,8 @@ static void s5p_mfc_handle_seq_done(struct s5p_mfc_ctx *ctx,
+                               dev);
+               ctx->mv_count = s5p_mfc_hw_call(dev->mfc_ops, get_mv_count,
+                               dev);
+-              ctx->scratch_buf_size = s5p_mfc_hw_call(dev->mfc_ops,
++              if (FW_HAS_E_MIN_SCRATCH_BUF(dev))
++                      ctx->scratch_buf_size = s5p_mfc_hw_call(dev->mfc_ops,
+                                               get_min_scratch_buf_size, dev);
+               if (ctx->img_width == 0 || ctx->img_height == 0)
+                       ctx->state = MFCINST_ERROR;
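Review bot: When FW_HAS_E_MIN_SCRATCH_BUF(dev) is false, ctx->scratch_buf_size keeps whatever value it held before, and this hunk does not show where that value comes from on MFC v6/v7. Since it is a buffer size, a stale or zero value matters to whichever code allocates from it. A one-line comment naming the source would settle it, e.g. `/* v6/v7: no register to read, scratch_buf_size is set elsewhere */`, once that is confirmed. The guarded assignment also spans two lines without braces; `if (FW_HAS_E_MIN_SCRATCH_BUF(dev)) { ... }` is harder to break in a later edit. s5p_mfc_handle_seq_done starts and continues outside the hunk.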
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-s5p-mfc-make-additional-clocks-optional.patch b/queue-4.19/media-s5p-mfc-make-additional-clocks-optional.patch
new file mode 100644 (file)
index 0000000..af4885a
--- /dev/null
@@ -0,0 +1,44 @@
+From 14561125465475874eb7f30ba340ab9b530ed32c Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 13 Jun 2019 06:48:34 -0400
+Subject: media: s5p-mfc: Make additional clocks optional
+
+[ Upstream commit e08efef8fe7db87206314c19b341612c719f891a ]
+
+Since the beginning the second clock ('special', 'sclk') was optional and
+it is not available on some variants of Exynos SoCs (i.e. Exynos5420 with
+v7 of MFC hardware).
+
+However commit 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling")
+made handling of all specified clocks mandatory. This patch restores
+original behavior of the driver and fixes its operation on
+Exynos5420 SoCs.
+
+Fixes: 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+index eb85cedc5ef3..5e080f32b0e8 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+@@ -38,6 +38,11 @@ int s5p_mfc_init_pm(struct s5p_mfc_dev *dev)
+       for (i = 0; i < pm->num_clocks; i++) {
+               pm->clocks[i] = devm_clk_get(pm->device, pm->clk_names[i]);
+               if (IS_ERR(pm->clocks[i])) {
++                      /* additional clocks are optional */
++                      if (i && PTR_ERR(pm->clocks[i]) == -ENOENT) {
++                              pm->clocks[i] = NULL;
++                              continue;
++                      }
+                       mfc_err("Failed to get clock: %s\n",
+                               pm->clk_names[i]);
+                       return PTR_ERR(pm->clocks[i]);
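Review bot: Storing NULL in pm->clocks[i] for an absent optional clock means every later user of the array has to accept a NULL clk, and those call sites are outside this hunk. The common clock API treats a NULL clk as a no-op for prepare/enable/disable, but any code that dereferences the entry would not. The `i &&` test also encodes that index 0 is the one mandatory clock without saying so. I would expand the comment to `/* clocks[0] is mandatory; later entries are optional and stay NULL when absent */`. s5p_mfc_init_pm continues outside the hunk.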
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-saa7164-fix-remove_proc_entry-warning.patch b/queue-4.19/media-saa7164-fix-remove_proc_entry-warning.patch
new file mode 100644 (file)
index 0000000..d322682
--- /dev/null
@@ -0,0 +1,104 @@
+From 6df22aa3e280ff409bf230c7cf4d86de2f6e500e Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Mon, 27 May 2019 08:14:55 -0400
+Subject: media: saa7164: fix remove_proc_entry warning
+
+[ Upstream commit 50710eeefbc1ed25375942aad0c4d1eb4af0f330 ]
+
+if saa7164_proc_create() fails, saa7164_fini() will trigger a warning,
+
+name 'saa7164'
+WARNING: CPU: 1 PID: 6311 at fs/proc/generic.c:672 remove_proc_entry+0x1e8/0x3a0
+  ? remove_proc_entry+0x1e8/0x3a0
+  ? try_stop_module+0x7b/0x240
+  ? proc_readdir+0x70/0x70
+  ? rcu_read_lock_sched_held+0xd7/0x100
+  saa7164_fini+0x13/0x1f [saa7164]
+  __x64_sys_delete_module+0x30c/0x480
+  ? __ia32_sys_delete_module+0x480/0x480
+  ? __x64_sys_clock_gettime+0x11e/0x1c0
+  ? __x64_sys_timer_create+0x1a0/0x1a0
+  ? trace_hardirqs_off_caller+0x40/0x180
+  ? do_syscall_64+0x18/0x450
+  do_syscall_64+0x9f/0x450
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix it by checking the return of proc_create_single() before
+calling remove_proc_entry().
+
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: use 0444 instead of S_IRUGO]
+[hverkuil-cisco@xs4all.nl: use pr_info instead of KERN_INFO]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-core.c | 33 ++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c
+index d697e1ad929c..5102519df108 100644
+--- a/drivers/media/pci/saa7164/saa7164-core.c
++++ b/drivers/media/pci/saa7164/saa7164-core.c
+@@ -1122,16 +1122,25 @@ static int saa7164_proc_show(struct seq_file *m, void *v)
+       return 0;
+ }
++static struct proc_dir_entry *saa7164_pe;
++
+ static int saa7164_proc_create(void)
+ {
+-      struct proc_dir_entry *pe;
+-
+-      pe = proc_create_single("saa7164", S_IRUGO, NULL, saa7164_proc_show);
+-      if (!pe)
++      saa7164_pe = proc_create_single("saa7164", 0444, NULL, saa7164_proc_show);
++      if (!saa7164_pe)
+               return -ENOMEM;
+       return 0;
+ }
++
++static void saa7164_proc_destroy(void)
++{
++      if (saa7164_pe)
++              remove_proc_entry("saa7164", NULL);
++}
++#else
++static int saa7164_proc_create(void) { return 0; }
++static void saa7164_proc_destroy(void) {}
+ #endif
+ static int saa7164_thread_function(void *data)
+@@ -1503,19 +1512,21 @@ static struct pci_driver saa7164_pci_driver = {
+ static int __init saa7164_init(void)
+ {
+-      printk(KERN_INFO "saa7164 driver loaded\n");
++      int ret = pci_register_driver(&saa7164_pci_driver);
++
++      if (ret)
++              return ret;
+-#ifdef CONFIG_PROC_FS
+       saa7164_proc_create();
+-#endif
+-      return pci_register_driver(&saa7164_pci_driver);
++
++      pr_info("saa7164 driver loaded\n");
++
++      return 0;
+ }
+ static void __exit saa7164_fini(void)
+ {
+-#ifdef CONFIG_PROC_FS
+-      remove_proc_entry("saa7164", NULL);
+-#endif
++      saa7164_proc_destroy();
+       pci_unregister_driver(&saa7164_pci_driver);
+ }
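Review bot: saa7164_init() discards the return value of saa7164_proc_create(), so a failed proc registration is silent. That looks deliberate, since saa7164_proc_destroy() checks saa7164_pe, but nothing in the code says so; add `/* /proc entry is optional; saa7164_proc_destroy() tolerates a failed create */` above the call, or log the failure with pr_warn(). The entry in the previous hunk is created 0444, i.e. readable by every local user, so what saa7164_proc_show() prints (not visible here) should be checked for kernel addresses. The `#ifdef` that the new `#else` pairs with is outside the hunk.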
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-spi-ir-led-add-missing-of-table-registration.patch b/queue-4.19/media-spi-ir-led-add-missing-of-table-registration.patch
new file mode 100644 (file)
index 0000000..0d5383b
--- /dev/null
@@ -0,0 +1,42 @@
+From dca6fcd6ed3b4e474d45a1d32f0e0a8d8bdd2bc0 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 15:10:20 -0400
+Subject: media: spi: IR LED: add missing of table registration
+
+[ Upstream commit 24e4cf770371df6ad49ed873f21618d9878f64c8 ]
+
+MODULE_DEVICE_TABLE(of, <of_match_table> should be called to complete DT
+OF mathing mechanism and register it.
+
+Before this patch:
+modinfo drivers/media/rc/ir-spi.ko  | grep alias
+
+After this patch:
+modinfo drivers/media/rc/ir-spi.ko  | grep alias
+alias:          of:N*T*Cir-spi-ledC*
+alias:          of:N*T*Cir-spi-led
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ir-spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/rc/ir-spi.c b/drivers/media/rc/ir-spi.c
+index 66334e8d63ba..c58f2d38a458 100644
+--- a/drivers/media/rc/ir-spi.c
++++ b/drivers/media/rc/ir-spi.c
+@@ -161,6 +161,7 @@ static const struct of_device_id ir_spi_of_match[] = {
+       { .compatible = "ir-spi-led" },
+       {},
+ };
++MODULE_DEVICE_TABLE(of, ir_spi_of_match);
+ static struct spi_driver ir_spi_driver = {
+       .probe = ir_spi_probe,
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch b/queue-4.19/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
new file mode 100644 (file)
index 0000000..6fe1640
--- /dev/null
@@ -0,0 +1,36 @@
+From 33af53339319c7793a7e639461a2c9397e4953ec Mon Sep 17 00:00:00 2001
+From: Shailendra Verma <shailendra.v@samsung.com>
+Date: Thu, 24 Nov 2016 23:57:34 -0500
+Subject: media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
+ initialization fails.
+
+[ Upstream commit 6995a659101bd4effa41cebb067f9dc18d77520d ]
+
+Fix to avoid possible memory leak if the decoder initialization
+got failed.Free the allocated memory for file handle object
+before return in case decoder initialization fails.
+
+Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+index 1269a983455e..13b890b9ef18 100644
+--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+@@ -422,6 +422,9 @@ static int vpfe_open(struct file *file)
+       /* If decoder is not initialized. initialize it */
+       if (!video->initialized && vpfe_update_pipe_state(video)) {
+               mutex_unlock(&video->lock);
++              v4l2_fh_del(&handle->vfh);
++              v4l2_fh_exit(&handle->vfh);
++              kfree(handle);
+               return -ENODEV;
+       }
+       /* Increment device users counter */
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-uvcvideo-fix-access-to-uninitialized-fields-on.patch b/queue-4.19/media-uvcvideo-fix-access-to-uninitialized-fields-on.patch
new file mode 100644 (file)
index 0000000..211e426
--- /dev/null
@@ -0,0 +1,37 @@
+From 244b146b06ee6493121aed4ec3713a91e5e2294f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 08:28:14 -0400
+Subject: media: uvcvideo: Fix access to uninitialized fields on probe error
+
+[ Upstream commit 11a087f484bf15ff65f0a9f277aa5a61fd07ed2a ]
+
+We need to check whether this work we are canceling actually is
+initialized.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+2e1ef9188251d9cc7944@syzkaller.appspotmail.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index 467b1ddaf4e7..f2854337cdca 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -2350,7 +2350,9 @@ void uvc_ctrl_cleanup_device(struct uvc_device *dev)
+       struct uvc_entity *entity;
+       unsigned int i;
+-      cancel_work_sync(&dev->async_ctrl.work);
++      /* Can be uninitialized if we are aborting on probe error. */
++      if (dev->async_ctrl.work.func)
++              cancel_work_sync(&dev->async_ctrl.work);
+       /* Free controls and control mappings for all entities. */
+       list_for_each_entry(entity, &dev->entities, list) {
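Review bot: The new `dev->async_ctrl.work.func` test is only meaningful if the uvc_device was zero-filled at allocation, which this hunk does not show. With non-zeroed memory the pointer would be garbage and cancel_work_sync() would still run on an uninitialized work item. The test also reads a work_struct internal rather than going through a workqueue API. I would spell out the assumption in the comment, `/* func is NULL until INIT_WORK(); relies on dev being zero-allocated */`, or initialise the work item early in probe so the cancel can stay unconditional. uvc_ctrl_cleanup_device continues outside the hunk.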
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch b/queue-4.19/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch
new file mode 100644 (file)
index 0000000..609f980
--- /dev/null
@@ -0,0 +1,49 @@
+From a4c4d2a646ff8888cf5e7a250c6b582a002baa52 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Almeida?= <andrealmeid@collabora.com>
+Date: Mon, 17 Jun 2019 12:28:02 -0400
+Subject: media: vimc: cap: check v4l2_fill_pixfmt return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 77ae46e11df5c96bb4582633851f838f5d954df4 ]
+
+v4l2_fill_pixfmt() returns -EINVAL if the pixelformat used as parameter is
+invalid or if the user is trying to use a multiplanar format with the
+singleplanar API. Currently, the vimc_cap_try_fmt_vid_cap() returns such
+value, but vimc_cap_s_fmt_vid_cap() is ignoring it. Fix that and returns
+an error value if vimc_cap_try_fmt_vid_cap() has failed.
+
+Signed-off-by: André Almeida <andrealmeid@collabora.com>
+Suggested-by: Helen Koike <helen.koike@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vimc/vimc-capture.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vimc/vimc-capture.c b/drivers/media/platform/vimc/vimc-capture.c
+index 65d657daf66f..8e014cc485f0 100644
+--- a/drivers/media/platform/vimc/vimc-capture.c
++++ b/drivers/media/platform/vimc/vimc-capture.c
+@@ -132,12 +132,15 @@ static int vimc_cap_s_fmt_vid_cap(struct file *file, void *priv,
+                                 struct v4l2_format *f)
+ {
+       struct vimc_cap_device *vcap = video_drvdata(file);
++      int ret;
+       /* Do not change the format while stream is on */
+       if (vb2_is_busy(&vcap->queue))
+               return -EBUSY;
+-      vimc_cap_try_fmt_vid_cap(file, priv, f);
++      ret = vimc_cap_try_fmt_vid_cap(file, priv, f);
++      if (ret)
++              return ret;
+       dev_dbg(vcap->dev, "%s: format update: "
+               "old:%dx%d (0x%x, %d, %d, %d, %d) "
+-- 
+2.20.1
+
diff --git a/queue-4.19/media-vpss-fix-a-potential-null-pointer-dereference.patch b/queue-4.19/media-vpss-fix-a-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..fcd5524
--- /dev/null
@@ -0,0 +1,38 @@
+From 74713ead2f6ae38af0312b45ec107eaa04e917aa Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 22 Mar 2019 22:51:06 -0400
+Subject: media: vpss: fix a potential NULL pointer dereference
+
+[ Upstream commit e08f0761234def47961d3252eac09ccedfe4c6a0 ]
+
+In case ioremap fails, the fix returns -ENOMEM to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/davinci/vpss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index 19cf6853411e..89a86c19579b 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -518,6 +518,11 @@ static int __init vpss_init(void)
+               return -EBUSY;
+       oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
++      if (unlikely(!oper_cfg.vpss_regs_base2)) {
++              release_mem_region(VPSS_CLK_CTRL, 4);
++              return -ENOMEM;
++      }
++
+       writel(VPSS_CLK_CTRL_VENCCLKEN |
+                    VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
+-- 
+2.20.1
+
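Review bot: The `unlikely()` around the new NULL check in `vpss_init()` is unnecessary, because this is a one-time `__init` path where a branch hint buys nothing; `if (!oper_cfg.vpss_regs_base2) {` reads more plainly. The unwind itself releases the `VPSS_CLK_CTRL` region before returning `-ENOMEM`, which matches the `request_mem_region` failure return just above it. The rest of `vpss_init()` lies outside the hunk, so it is worth checking that any failure after the `writel()` also unmaps `vpss_regs_base2` and releases the region.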
diff --git a/queue-4.19/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch b/queue-4.19/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
new file mode 100644 (file)
index 0000000..ced155a
--- /dev/null
@@ -0,0 +1,100 @@
+From 8f0a69772e30916bb45a638b35f6338c6e576a65 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 30 May 2019 03:25:49 -0400
+Subject: media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
+
+[ Upstream commit 69fbb3f47327d959830c94bf31893972b8c8f700 ]
+
+X-Originating-IP: [10.175.113.25]
+X-CFilter-Loop: Reflected
+The fm_v4l2_init_video_device() forget to unregister v4l2/video device
+in the error path, it could lead to UAF issue, eg,
+
+  BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+  BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+  BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+  Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
+
+  CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+  Call Trace:
+   __dump_stack lib/dump_stack.c:77 [inline]
+   dump_stack+0xa9/0x10e lib/dump_stack.c:113
+   print_address_description+0x65/0x270 mm/kasan/report.c:187
+   kasan_report+0x149/0x18d mm/kasan/report.c:317
+   atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+   atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+   __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+   fm_v4l2_fops_open+0xac/0x120 [fm_drv]
+   v4l2_open+0x191/0x390 [videodev]
+   chrdev_open+0x20d/0x570 fs/char_dev.c:417
+   do_dentry_open+0x700/0xf30 fs/open.c:777
+   do_last fs/namei.c:3416 [inline]
+   path_openat+0x7c4/0x2a90 fs/namei.c:3532
+   do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
+   do_sys_open+0x302/0x490 fs/open.c:1069
+   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  RIP: 0033:0x7f8180c17c8e
+  ...
+  Allocated by task 3642:
+   set_track mm/kasan/common.c:87 [inline]
+   __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+   fm_drv_init+0x13/0x1000 [fm_drv]
+   do_one_initcall+0xbc/0x47d init/main.c:901
+   do_init_module+0x1b5/0x547 kernel/module.c:3456
+   load_module+0x6405/0x8c10 kernel/module.c:3804
+   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+  Freed by task 3642:
+   set_track mm/kasan/common.c:87 [inline]
+   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+   slab_free_hook mm/slub.c:1429 [inline]
+   slab_free_freelist_hook mm/slub.c:1456 [inline]
+   slab_free mm/slub.c:3003 [inline]
+   kfree+0xe1/0x270 mm/slub.c:3958
+   fm_drv_init+0x1e6/0x1000 [fm_drv]
+   do_one_initcall+0xbc/0x47d init/main.c:901
+   do_init_module+0x1b5/0x547 kernel/module.c:3456
+   load_module+0x6405/0x8c10 kernel/module.c:3804
+   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Add relevant unregister functions to fix it.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+index dccdf6558e6a..33abc8616ecb 100644
+--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c
++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+@@ -549,6 +549,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+       /* Register with V4L2 subsystem as RADIO device */
+       if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) {
++              v4l2_device_unregister(&fmdev->v4l2_dev);
+               fmerr("Could not register video device\n");
+               return -ENOMEM;
+       }
+@@ -562,6 +563,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+       if (ret < 0) {
+               fmerr("(fmdev): Can't init ctrl handler\n");
+               v4l2_ctrl_handler_free(&fmdev->ctrl_handler);
++              video_unregister_device(fmdev->radio_dev);
++              v4l2_device_unregister(&fmdev->v4l2_dev);
+               return -EBUSY;
+       }
+-- 
+2.20.1
+
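Review bot: The second error path calls `video_unregister_device(fmdev->radio_dev)`, which only works if `fmdev->radio_dev` was assigned in the lines between the two inner hunks, and those lines are not shown. The first hunk registers `&gradio_dev` directly, so `video_unregister_device(&gradio_dev);` would undo exactly what was registered without depending on that assignment. A short comment above the unwind, such as `/* unregister before returning so a later open() cannot reach a freed fmdev */`, would record why these calls are needed, given the use-after-free trace in the commit message. The body of `fm_v4l2_init_video_device()` starts and ends outside the hunks.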
diff --git a/queue-4.19/mips-ath79-fix-ar933x-uart-parity-mode.patch b/queue-4.19/mips-ath79-fix-ar933x-uart-parity-mode.patch
new file mode 100644 (file)
index 0000000..9d18770
--- /dev/null
@@ -0,0 +1,40 @@
+From 5ac8ccd3f20229bf3165b95dccb65a9ea987e505 Mon Sep 17 00:00:00 2001
+From: Stefan Hellermann <stefan@the2masters.de>
+Date: Mon, 17 Jun 2019 15:43:59 +0200
+Subject: MIPS: ath79: fix ar933x uart parity mode
+
+[ Upstream commit db13a5ba2732755cf13320f3987b77cf2a71e790 ]
+
+While trying to get the uart with parity working I found setting even
+parity enabled odd parity insted. Fix the register settings to match
+the datasheet of AR9331.
+
+A similar patch was created by 8devices, but not sent upstream.
+https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7c
+
+Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mach-ath79/ar933x_uart.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-ath79/ar933x_uart.h b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+index c2917b39966b..bba2c8837951 100644
+--- a/arch/mips/include/asm/mach-ath79/ar933x_uart.h
++++ b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+@@ -27,8 +27,8 @@
+ #define AR933X_UART_CS_PARITY_S               0
+ #define AR933X_UART_CS_PARITY_M               0x3
+ #define         AR933X_UART_CS_PARITY_NONE    0
+-#define         AR933X_UART_CS_PARITY_ODD     1
+-#define         AR933X_UART_CS_PARITY_EVEN    2
++#define         AR933X_UART_CS_PARITY_ODD     2
++#define         AR933X_UART_CS_PARITY_EVEN    3
+ #define AR933X_UART_CS_IF_MODE_S      2
+ #define AR933X_UART_CS_IF_MODE_M      0x3
+ #define         AR933X_UART_CS_IF_MODE_NONE   0
+-- 
+2.20.1
+
diff --git a/queue-4.19/mips-fix-build-on-non-linux-hosts.patch b/queue-4.19/mips-fix-build-on-non-linux-hosts.patch
new file mode 100644 (file)
index 0000000..d30c74a
--- /dev/null
@@ -0,0 +1,67 @@
+From 555276de8680300ccee0740929ba0262d1359fb5 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Date: Wed, 19 Jun 2019 15:08:18 +0100
+Subject: MIPS: fix build on non-linux hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae ]
+
+calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment
+purposes.  It included "../../../../include/linux/sizes.h" to define
+that size, however "sizes.h" tries to include <linux/const.h> which
+assumes linux system headers.  These may not exist eg. the following
+error was encountered when building Linux for OpenWrt under macOS:
+
+In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16:
+arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found
+         ^~~~~~~~~~
+
+Change makefile to force building on local linux headers instead of
+system headers.  Also change eye-watering relative reference in include
+file spec.
+
+Thanks to Jo-Philip Wich & Petr Štetiar for assistance in tracking this
+down & fixing.
+
+Suggested-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/compressed/Makefile                 | 2 ++
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile
+index 3c453a1f1ff1..172801ed35b8 100644
+--- a/arch/mips/boot/compressed/Makefile
++++ b/arch/mips/boot/compressed/Makefile
+@@ -78,6 +78,8 @@ OBJCOPYFLAGS_piggy.o := --add-section=.image=$(obj)/vmlinux.bin.z \
+ $(obj)/piggy.o: $(obj)/dummy.o $(obj)/vmlinux.bin.z FORCE
+       $(call if_changed,objcopy)
++HOSTCFLAGS_calc_vmlinuz_load_addr.o += $(LINUXINCLUDE)
++
+ # Calculate the load address of the compressed kernel image
+ hostprogs-y := calc_vmlinuz_load_addr
+diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+index 542c3ede9722..d14f75ec8273 100644
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,7 +13,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+-#include "../../../../include/linux/sizes.h"
++#include <linux/sizes.h>
+ int main(int argc, char *argv[])
+ {
+-- 
+2.20.1
+
diff --git a/queue-4.19/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch b/queue-4.19/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
new file mode 100644 (file)
index 0000000..584bffe
--- /dev/null
@@ -0,0 +1,114 @@
+From 4b9881c8c17887dc90e8321d0656b34a2a9af08a Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:09 +0200
+Subject: mt7601u: do not schedule rx_tasklet when the device has been
+ disconnected
+
+[ Upstream commit 4079e8ccabc3b6d1b503f2376123cb515d14921f ]
+
+Do not schedule rx_tasklet when the usb dongle is disconnected.
+Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb
+can run concurrently with urb completion and we can unlink urbs from rx
+ring in any order.
+This patch fixes the common kernel warning reported when
+the device is removed.
+
+[   24.921354] usb 3-14: USB disconnect, device number 7
+[   24.921593] ------------[ cut here ]------------
+[   24.921594] RX urb mismatch
+[   24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[   24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G           OE     4.19.31-041931-generic #201903231635
+[   24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
+[   24.921782] Workqueue: usb_hub_wq hub_event
+[   24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[   24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
+[   24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
+[   24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
+[   24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
+[   24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
+[   24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
+[   24.921807] FS:  0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
+[   24.921808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
+[   24.921809] Call Trace:
+[   24.921812]  <IRQ>
+[   24.921819]  __usb_hcd_giveback_urb+0x8b/0x140
+[   24.921821]  usb_hcd_giveback_urb+0xca/0xe0
+[   24.921828]  xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
+[   24.921834]  handle_cmd_completion+0xe02/0x10d0
+[   24.921837]  xhci_irq+0x274/0x4a0
+[   24.921838]  xhci_msi_irq+0x11/0x20
+[   24.921851]  __handle_irq_event_percpu+0x44/0x190
+[   24.921856]  handle_irq_event_percpu+0x32/0x80
+[   24.921861]  handle_irq_event+0x3b/0x5a
+[   24.921867]  handle_edge_irq+0x80/0x190
+[   24.921874]  handle_irq+0x20/0x30
+[   24.921889]  do_IRQ+0x4e/0xe0
+[   24.921891]  common_interrupt+0xf/0xf
+[   24.921892]  </IRQ>
+[   24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
+[   24.921354] usb 3-14: USB disconnect, device number 7
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 33 +++++++++++----------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index 7f3e3983b781..bc36712cfffc 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -193,10 +193,23 @@ static void mt7601u_complete_rx(struct urb *urb)
+       struct mt7601u_rx_queue *q = &dev->rx_q;
+       unsigned long flags;
+-      spin_lock_irqsave(&dev->rx_lock, flags);
++      /* do no schedule rx tasklet if urb has been unlinked
++       * or the device has been removed
++       */
++      switch (urb->status) {
++      case -ECONNRESET:
++      case -ESHUTDOWN:
++      case -ENOENT:
++              return;
++      default:
++              dev_err_ratelimited(dev->dev, "rx urb failed: %d\n",
++                                  urb->status);
++              /* fall through */
++      case 0:
++              break;
++      }
+-      if (mt7601u_urb_has_error(urb))
+-              dev_err(dev->dev, "Error: RX urb failed:%d\n", urb->status);
++      spin_lock_irqsave(&dev->rx_lock, flags);
+       if (WARN_ONCE(q->e[q->end].urb != urb, "RX urb mismatch"))
+               goto out;
+@@ -363,19 +376,9 @@ int mt7601u_dma_enqueue_tx(struct mt7601u_dev *dev, struct sk_buff *skb,
+ static void mt7601u_kill_rx(struct mt7601u_dev *dev)
+ {
+       int i;
+-      unsigned long flags;
+-      spin_lock_irqsave(&dev->rx_lock, flags);
+-
+-      for (i = 0; i < dev->rx_q.entries; i++) {
+-              int next = dev->rx_q.end;
+-
+-              spin_unlock_irqrestore(&dev->rx_lock, flags);
+-              usb_poison_urb(dev->rx_q.e[next].urb);
+-              spin_lock_irqsave(&dev->rx_lock, flags);
+-      }
+-
+-      spin_unlock_irqrestore(&dev->rx_lock, flags);
++      for (i = 0; i < dev->rx_q.entries; i++)
++              usb_poison_urb(dev->rx_q.e[i].urb);
+ }
+ static int mt7601u_submit_rx_buf(struct mt7601u_dev *dev,
+-- 
+2.20.1
+
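Review bot: The new status switch in `mt7601u_complete_rx()` puts `default:` ahead of `case 0:` and falls through only to reach `break`, which is harder to read than `case 0: break;` followed by a `default:` that logs and breaks. The comment above it has a typo: `do no schedule` should read `do not schedule`. The same switch is repeated for `mt7601u_complete_tx()` in the next patch of this queue, so a small shared helper that says whether a completion should be ignored would keep the two status lists from drifting apart. Both function bodies continue outside the hunks.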
diff --git a/queue-4.19/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch b/queue-4.19/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
new file mode 100644 (file)
index 0000000..ac84964
--- /dev/null
@@ -0,0 +1,125 @@
+From a68127f923720792c96e57bf9754bd39707434d1 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:10 +0200
+Subject: mt7601u: fix possible memory leak when the device is disconnected
+
+[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ]
+
+When the device is disconnected while passing traffic it is possible
+to receive out of order urbs causing a memory leak since the skb linked
+to the current tx urb is not removed. Fix the issue deallocating the skb
+cleaning up the tx ring. Moreover this patch fixes the following kernel
+warning
+
+[   57.480771] usb 1-1: USB disconnect, device number 2
+[   57.483451] ------------[ cut here ]------------
+[   57.483462] TX urb mismatch
+[   57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
+[   57.483483] Modules linked in:
+[   57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
+[   57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[   57.483502] Workqueue: usb_hub_wq hub_event
+[   57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
+[   57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
+[   57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
+[   57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
+[   57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
+[   57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
+[   57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
+[   57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
+[   57.483548] FS:  0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
+[   57.483550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
+[   57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   57.483559] Call Trace:
+[   57.483561]  <IRQ>
+[   57.483565]  __usb_hcd_giveback_urb+0x77/0xe0
+[   57.483570]  xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
+[   57.483574]  handle_cmd_completion+0xf5b/0x12c0
+[   57.483577]  xhci_irq+0x1f6/0x1810
+[   57.483581]  ? lockdep_hardirqs_on+0x9e/0x180
+[   57.483584]  ? _raw_spin_unlock_irq+0x24/0x30
+[   57.483588]  __handle_irq_event_percpu+0x3a/0x260
+[   57.483592]  handle_irq_event_percpu+0x1c/0x60
+[   57.483595]  handle_irq_event+0x2f/0x4c
+[   57.483599]  handle_edge_irq+0x7e/0x1a0
+[   57.483603]  handle_irq+0x17/0x20
+[   57.483607]  do_IRQ+0x54/0x110
+[   57.483610]  common_interrupt+0xf/0xf
+[   57.483612]  </IRQ>
+
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++-----
+ drivers/net/wireless/mediatek/mt7601u/tx.c  |  4 ++--
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index bc36712cfffc..47cebb2ec05c 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -241,14 +241,25 @@ static void mt7601u_complete_tx(struct urb *urb)
+       struct sk_buff *skb;
+       unsigned long flags;
+-      spin_lock_irqsave(&dev->tx_lock, flags);
++      switch (urb->status) {
++      case -ECONNRESET:
++      case -ESHUTDOWN:
++      case -ENOENT:
++              return;
++      default:
++              dev_err_ratelimited(dev->dev, "tx urb failed: %d\n",
++                                  urb->status);
++              /* fall through */
++      case 0:
++              break;
++      }
+-      if (mt7601u_urb_has_error(urb))
+-              dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status);
++      spin_lock_irqsave(&dev->tx_lock, flags);
+       if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch"))
+               goto out;
+       skb = q->e[q->start].skb;
++      q->e[q->start].skb = NULL;
+       trace_mt_tx_dma_done(dev, skb);
+       __skb_queue_tail(&dev->tx_skb_done, skb);
+@@ -448,10 +459,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q)
+ {
+       int i;
+-      WARN_ON(q->used);
+-
+       for (i = 0; i < q->entries; i++)  {
+               usb_poison_urb(q->e[i].urb);
++              if (q->e[i].skb)
++                      mt7601u_tx_status(q->dev, q->e[i].skb);
+               usb_free_urb(q->e[i].urb);
+       }
+ }
+diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c
+index 3600e911a63e..4d81c45722fb 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/tx.c
++++ b/drivers/net/wireless/mediatek/mt7601u/tx.c
+@@ -117,9 +117,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb)
+       info->status.rates[0].idx = -1;
+       info->flags |= IEEE80211_TX_STAT_ACK;
+-      spin_lock(&dev->mac_lock);
++      spin_lock_bh(&dev->mac_lock);
+       ieee80211_tx_status(dev->hw, skb);
+-      spin_unlock(&dev->mac_lock);
++      spin_unlock_bh(&dev->mac_lock);
+ }
+ static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb)
+-- 
+2.20.1
+
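Review bot: In `mt7601u_free_tx_queue()` the slot keeps its `skb` pointer after the skb is handed to `mt7601u_tx_status()`, whereas `mt7601u_complete_tx()` now clears it with `q->e[q->start].skb = NULL`. Adding `q->e[i].skb = NULL;` right after the call would keep the two paths consistent and would stop the same skb being reported twice if the queue entries were ever walked again; whether that can happen is not visible from these hunks. The removed `WARN_ON(q->used)` also deserves a one-line comment in its place, for example `/* entries may still hold skbs if the device was unplugged under traffic */`, so the reason for dropping the assertion stays in the code.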
diff --git a/queue-4.19/net-axienet-fix-race-condition-causing-tx-hang.patch b/queue-4.19/net-axienet-fix-race-condition-causing-tx-hang.patch
new file mode 100644 (file)
index 0000000..14eb419
--- /dev/null
@@ -0,0 +1,64 @@
+From 2a731aa96d5f3979b9a5a8b9a6bec67b8f379ba6 Mon Sep 17 00:00:00 2001
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Thu, 6 Jun 2019 16:28:17 -0600
+Subject: net: axienet: Fix race condition causing TX hang
+
+[ Upstream commit 7de44285c1f69ccfbe8be1d6a16fcd956681fee6 ]
+
+It is possible that the interrupt handler fires and frees up space in
+the TX ring in between checking for sufficient TX ring space and
+stopping the TX queue in axienet_start_xmit. If this happens, the
+queue wake from the interrupt handler will occur before the queue is
+stopped, causing a lost wakeup and the adapter's transmit hanging.
+
+To avoid this, after stopping the queue, check again whether there is
+sufficient space in the TX ring. If so, wake up the queue again.
+
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 20 ++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 7cfd7ff38e86..66b30ebd45ee 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -614,6 +614,10 @@ static void axienet_start_xmit_done(struct net_device *ndev)
+       ndev->stats.tx_packets += packets;
+       ndev->stats.tx_bytes += size;
++
++      /* Matches barrier in axienet_start_xmit */
++      smp_mb();
++
+       netif_wake_queue(ndev);
+ }
+@@ -668,9 +672,19 @@ static int axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+       cur_p = &lp->tx_bd_v[lp->tx_bd_tail];
+       if (axienet_check_tx_bd_space(lp, num_frag)) {
+-              if (!netif_queue_stopped(ndev))
+-                      netif_stop_queue(ndev);
+-              return NETDEV_TX_BUSY;
++              if (netif_queue_stopped(ndev))
++                      return NETDEV_TX_BUSY;
++
++              netif_stop_queue(ndev);
++
++              /* Matches barrier in axienet_start_xmit_done */
++              smp_mb();
++
++              /* Space might have just been freed - check again */
++              if (axienet_check_tx_bd_space(lp, num_frag))
++                      return NETDEV_TX_BUSY;
++
++              netif_wake_queue(ndev);
+       }
+       if (skb->ip_summed == CHECKSUM_PARTIAL) {
+-- 
+2.20.1
+
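Review bot: The two `smp_mb()` comments only name the opposite function and do not say which accesses are being ordered, which makes the pairing hard to audit. In `axienet_start_xmit()` a comment like `/* make the stopped-queue state visible before re-reading ring space; pairs with smp_mb() in axienet_start_xmit_done() */` would state the intent, with mirror wording before `netif_wake_queue()` in `axienet_start_xmit_done()`. Both function bodies extend beyond the hunks, so it cannot be confirmed from here where the ring space is released relative to the barrier.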
diff --git a/queue-4.19/net-fec-do-not-use-netdev-messages-too-early.patch b/queue-4.19/net-fec-do-not-use-netdev-messages-too-early.patch
new file mode 100644 (file)
index 0000000..384cd9b
--- /dev/null
@@ -0,0 +1,50 @@
+From d1433593a3cab3c3b720d15139f96656549880d5 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 6 Jun 2019 09:40:33 -0300
+Subject: net: fec: Do not use netdev messages too early
+
+[ Upstream commit a19a0582363b9a5f8ba812f34f1b8df394898780 ]
+
+When a valid MAC address is not found the current messages
+are shown:
+
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
+
+Since the network device has not been registered at this point, it is better
+to use dev_err()/dev_info() instead, which will provide cleaner log
+messages like these:
+
+fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
+
+Tested on a imx6dl-pico-pi board.
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index bf715a367273..4cf80de4c471 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1689,10 +1689,10 @@ static void fec_get_mac(struct net_device *ndev)
+        */
+       if (!is_valid_ether_addr(iap)) {
+               /* Report it and use a random ethernet address instead */
+-              netdev_err(ndev, "Invalid MAC address: %pM\n", iap);
++              dev_err(&fep->pdev->dev, "Invalid MAC address: %pM\n", iap);
+               eth_hw_addr_random(ndev);
+-              netdev_info(ndev, "Using random MAC address: %pM\n",
+-                          ndev->dev_addr);
++              dev_info(&fep->pdev->dev, "Using random MAC address: %pM\n",
++                       ndev->dev_addr);
+               return;
+       }
+-- 
+2.20.1
+
diff --git a/queue-4.19/net-hns3-add-some-error-checking-in-hclge_tm-module.patch b/queue-4.19/net-hns3-add-some-error-checking-in-hclge_tm-module.patch
new file mode 100644 (file)
index 0000000..7c26bf6
--- /dev/null
@@ -0,0 +1,54 @@
+From f5d2c5dedda62bf3f54546605405dd07988a9083 Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Fri, 28 Jun 2019 19:50:10 +0800
+Subject: net: hns3: add some error checking in hclge_tm module
+
+[ Upstream commit 04f25edb48c441fc278ecc154c270f16966cbb90 ]
+
+When hdev->tx_sch_mode is HCLGE_FLAG_VNET_BASE_SCH_MODE, the
+hclge_tm_schd_mode_vnet_base_cfg calls hclge_tm_pri_schd_mode_cfg
+with vport->vport_id as pri_id, which is used as index for
+hdev->tm_info.tc_info, it will cause out of bound access issue
+if vport_id is equal to or larger than HNAE3_MAX_TC.
+
+Also hardware only support maximum speed of HCLGE_ETHER_MAX_RATE.
+
+So this patch adds two checks for above cases.
+
+Fixes: 848440544b41 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+index 48235dc2dd56..11e9259ca040 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -54,7 +54,8 @@ static int hclge_shaper_para_calc(u32 ir, u8 shaper_level,
+       u32 tick;
+       /* Calc tick */
+-      if (shaper_level >= HCLGE_SHAPER_LVL_CNT)
++      if (shaper_level >= HCLGE_SHAPER_LVL_CNT ||
++          ir > HCLGE_ETHER_MAX_RATE)
+               return -EINVAL;
+       tick = tick_array[shaper_level];
+@@ -1057,6 +1058,9 @@ static int hclge_tm_schd_mode_vnet_base_cfg(struct hclge_vport *vport)
+       int ret;
+       u8 i;
++      if (vport->vport_id >= HNAE3_MAX_TC)
++              return -EINVAL;
++
+       ret = hclge_tm_pri_schd_mode_cfg(hdev, vport->vport_id);
+       if (ret)
+               return ret;
+-- 
+2.20.1
+
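Review bot: The `vport->vport_id >= HNAE3_MAX_TC` check sits in the caller `hclge_tm_schd_mode_vnet_base_cfg()`, while the commit message places the out-of-bounds index inside `hclge_tm_pri_schd_mode_cfg()`, so any other caller of that function stays unguarded. Validating at the point of use, e.g. `if (pri_id >= HNAE3_MAX_TC) return -EINVAL;` at the top of `hclge_tm_pri_schd_mode_cfg()`, would cover every path; that function is not shown here, so the parameter name is assumed. In `hclge_shaper_para_calc()` the `/* Calc tick */` comment now heads an argument check and would read better as `/* Validate arguments, then look up the tick */`.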
diff --git a/queue-4.19/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch b/queue-4.19/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch
new file mode 100644 (file)
index 0000000..f961e3a
--- /dev/null
@@ -0,0 +1,44 @@
+From 79a843cdbde36fab40c91197b8f4ad31d6ff3b8b Mon Sep 17 00:00:00 2001
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Fri, 28 Jun 2019 19:50:11 +0800
+Subject: net: hns3: fix a -Wformat-nonliteral compile warning
+
+[ Upstream commit 18d219b783da61a6cc77581f55fc4af2fa16bc36 ]
+
+When setting -Wformat=2, there is a compiler warning like this:
+
+hclge_main.c:xxx:x: warning: format not a string literal and no
+format arguments [-Wformat-nonliteral]
+strs[i].desc);
+^~~~
+
+This patch adds missing format parameter "%s" to snprintf() to
+fix it.
+
+Fixes: 46a3df9f9718 ("Add HNS3 Acceleration Engine & Compatibility Layer Support")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 4648c6a9d9e8..89ca69fa2b97 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -663,8 +663,7 @@ static u8 *hclge_comm_get_strings(u32 stringset,
+               return buff;
+       for (i = 0; i < size; i++) {
+-              snprintf(buff, ETH_GSTRING_LEN,
+-                       strs[i].desc);
++              snprintf(buff, ETH_GSTRING_LEN, "%s", strs[i].desc);
+               buff = buff + ETH_GSTRING_LEN;
+       }
+-- 
+2.20.1
+
diff --git a/queue-4.19/net-hns3-fix-for-skb-leak-when-doing-selftest.patch b/queue-4.19/net-hns3-fix-for-skb-leak-when-doing-selftest.patch
new file mode 100644 (file)
index 0000000..28c2ab1
--- /dev/null
@@ -0,0 +1,48 @@
+From f13fad76962aa80897b1ac06a7d7cacaf2858c6a Mon Sep 17 00:00:00 2001
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Thu, 13 Jun 2019 17:12:30 +0800
+Subject: net: hns3: fix for skb leak when doing selftest
+
+[ Upstream commit 8f9eed1a8791b83eb1c54c261d68424717e4111e ]
+
+If hns3_nic_net_xmit does not return NETDEV_TX_BUSY when doing
+a loopback selftest, the skb is not freed in hns3_clean_tx_ring
+or hns3_nic_net_xmit, which causes skb not freed problem.
+
+This patch fixes it by freeing skb when hns3_nic_net_xmit does
+not return NETDEV_TX_OK.
+
+Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver")
+
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index 9684ad015c42..6a3c6b02a77c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -245,11 +245,13 @@ static int hns3_lp_run_test(struct net_device *ndev, enum hnae3_loop mode)
+               skb_get(skb);
+               tx_ret = hns3_nic_net_xmit(skb, ndev);
+-              if (tx_ret == NETDEV_TX_OK)
++              if (tx_ret == NETDEV_TX_OK) {
+                       good_cnt++;
+-              else
++              } else {
++                      kfree_skb(skb);
+                       netdev_err(ndev, "hns3_lb_run_test xmit failed: %d\n",
+                                  tx_ret);
++              }
+       }
+       if (good_cnt != HNS3_NIC_LB_TEST_PKT_NUM) {
+               ret_val = HNS3_NIC_LB_TEST_TX_CNT_ERR;
+-- 
+2.20.1
+
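Review bot: The error message in the failure branch logs `hns3_lb_run_test`, but the hunk header names the enclosing function `hns3_lp_run_test`, so searching for the logged name finds nothing. `netdev_err(ndev, "%s xmit failed: %d\n", __func__, tx_ret);` keeps the two in step. The new `kfree_skb(skb)` would also benefit from a comment such as `/* drop the extra reference taken by skb_get() above */`, because the same skb is apparently reused on the next loop iteration. The function body starts and ends outside the hunk, so the final release of the skb is not visible here.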
diff --git a/queue-4.19/net-hns3-set-ops-to-null-when-unregister-ad_dev.patch b/queue-4.19/net-hns3-set-ops-to-null-when-unregister-ad_dev.patch
new file mode 100644 (file)
index 0000000..0961dff
--- /dev/null
@@ -0,0 +1,44 @@
+From df181ef94f21ff3d42548fbc634c30a99573522e Mon Sep 17 00:00:00 2001
+From: Weihang Li <liweihang@hisilicon.com>
+Date: Mon, 3 Jun 2019 10:09:18 +0800
+Subject: net: hns3: set ops to null when unregister ad_dev
+
+[ Upstream commit 594a81b39525f0a17e92c2e0b167ae1400650380 ]
+
+The hclge/hclgevf and hns3 module can be unloaded independently,
+when hclge/hclgevf unloaded firstly, the ops of ae_dev should
+be set to NULL, otherwise it will cause an use-after-free problem.
+
+Fixes: 38caee9d3ee8 ("net: hns3: Add support of the HNAE3 framework")
+Signed-off-by: Weihang Li <liweihang@hisilicon.com>
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+index fff5be8078ac..0594a6c3dccd 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+@@ -229,6 +229,7 @@ void hnae3_unregister_ae_algo(struct hnae3_ae_algo *ae_algo)
+               ae_algo->ops->uninit_ae_dev(ae_dev);
+               hnae3_set_bit(ae_dev->flag, HNAE3_DEV_INITED_B, 0);
++              ae_dev->ops = NULL;
+       }
+       list_del(&ae_algo->node);
+@@ -316,6 +317,7 @@ void hnae3_unregister_ae_dev(struct hnae3_ae_dev *ae_dev)
+               ae_algo->ops->uninit_ae_dev(ae_dev);
+               hnae3_set_bit(ae_dev->flag, HNAE3_DEV_INITED_B, 0);
++              ae_dev->ops = NULL;
+       }
+       list_del(&ae_dev->node);
+-- 
+2.20.1
+
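Review bot: Setting `ae_dev->ops = NULL` in hnae3_unregister_ae_algo (and again in hnae3_unregister_ae_dev) only removes the use-after-free if every later user tests the pointer before calling through it, and neither hunk shows such a test. It is also not visible whether the store happens under the same lock those readers take; both functions start outside the hunks. Worth stating the contract at the assignment, e.g. `/* ops live in the algo module being unloaded; users must check for NULL */`, and confirming the client paths follow it.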
diff --git a/queue-4.19/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch b/queue-4.19/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch
new file mode 100644 (file)
index 0000000..7a6ac9a
--- /dev/null
@@ -0,0 +1,45 @@
+From 1ba5bc46890d8a5ef19544b93d2c3992b784c7e8 Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua@solid-run.com>
+Date: Tue, 9 Jul 2019 15:01:01 +0200
+Subject: net: mvmdio: defer probe of orion-mdio if a clock is not ready
+
+[ Upstream commit 433a06d7d74e677c40b1148c70c48677ff62fb6b ]
+
+Defer probing of the orion-mdio interface when getting a clock returns
+EPROBE_DEFER. This avoids locking up the Armada 8k SoC when mdio is used
+before all clocks have been enabled.
+
+Signed-off-by: Josua Mayer <josua@solid-run.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvmdio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c
+index c5dac6bd2be4..903836e334d8 100644
+--- a/drivers/net/ethernet/marvell/mvmdio.c
++++ b/drivers/net/ethernet/marvell/mvmdio.c
+@@ -321,6 +321,10 @@ static int orion_mdio_probe(struct platform_device *pdev)
+       for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
+               dev->clk[i] = of_clk_get(pdev->dev.of_node, i);
++              if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) {
++                      ret = -EPROBE_DEFER;
++                      goto out_clk;
++              }
+               if (IS_ERR(dev->clk[i]))
+                       break;
+               clk_prepare_enable(dev->clk[i]);
+@@ -362,6 +366,7 @@ static int orion_mdio_probe(struct platform_device *pdev)
+       if (dev->err_interrupt > 0)
+               writel(0, dev->regs + MVMDIO_ERR_INT_MASK);
++out_clk:
+       for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
+               if (IS_ERR(dev->clk[i]))
+                       break;
+-- 
+2.20.1
+
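Review bot: The return value of `clk_prepare_enable(dev->clk[i])` is still ignored a few lines after the new deferral check, so a clock that fails to enable leaves the probe continuing into register accesses. That is the same class of failure this commit is avoiding for clocks that are not ready. Handling it needs care, because the unwinding loop at `out_clk` stops only at the first error pointer and would otherwise disable a clock that was never enabled. This assumes the loop disables and releases each clock it visits, which the hunk shows only in part. orion_mdio_probe starts and ends outside the hunk.
```c
		if (IS_ERR(dev->clk[i]))
			break;
		ret = clk_prepare_enable(dev->clk[i]);
		if (ret) {
			/* never enabled: release it here so out_clk skips it */
			clk_put(dev->clk[i]);
			dev->clk[i] = ERR_PTR(ret);
			goto out_clk;
		}
```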
diff --git a/queue-4.19/net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch b/queue-4.19/net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch
new file mode 100644 (file)
index 0000000..eb548cc
--- /dev/null
@@ -0,0 +1,46 @@
+From 724f40d922f8b38abb09e15d5fcf23821167d38b Mon Sep 17 00:00:00 2001
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Thu, 20 Jun 2019 11:42:45 +0200
+Subject: net: mvpp2: prs: Don't override the sign bit in SRAM parser shift
+
+[ Upstream commit 8ec3ede559956f8ad58db7b57d25ac724bab69e9 ]
+
+The Header Parser allows identifying various fields in the packet
+headers, used for various kind of filtering and classification
+steps.
+
+This is a re-entrant process, where the offset in the packet header
+depends on the previous lookup results. This offset is represented in
+the SRAM results of the TCAM, as a shift to be operated.
+
+This shift can be negative in some cases, such as in IPv6 parsing.
+
+This commit prevents overriding the sign bit when setting the shift
+value, which could cause instabilities when parsing IPv6 flows.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Suggested-by: Alan Winkowski <walan@marvell.com>
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+index ae2240074d8e..5692c6087bbb 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -312,7 +312,8 @@ static void mvpp2_prs_sram_shift_set(struct mvpp2_prs_entry *pe, int shift,
+       }
+       /* Set value */
+-      pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] = shift & MVPP2_PRS_SRAM_SHIFT_MASK;
++      pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] |=
++              shift & MVPP2_PRS_SRAM_SHIFT_MASK;
+       /* Reset and set operation */
+       mvpp2_prs_sram_bits_clear(pe, MVPP2_PRS_SRAM_OP_SEL_SHIFT_OFFS,
+-- 
+2.20.1
+
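Review bot: Switching the store to `|=` preserves the sign bit, but it also preserves any shift value already in the word, so calling mvpp2_prs_sram_shift_set on an entry that has a non-zero shift would OR the old and new values together. If entries can be updated in place (not visible from the hunk), the field should be cleared first: `pe->sram[MVPP2_BIT_TO_WORD(MVPP2_PRS_SRAM_SHIFT_OFFS)] &= ~MVPP2_PRS_SRAM_SHIFT_MASK;`. That line assumes, as the unshifted OR already does, that the field sits at bit 0 of its word. Otherwise a comment stating that callers always start from a zeroed entry would record the precondition. The function starts and ends outside the hunk.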
diff --git a/queue-4.19/net-phy-check-against-net_device-being-null.patch b/queue-4.19/net-phy-check-against-net_device-being-null.patch
new file mode 100644 (file)
index 0000000..c345345
--- /dev/null
@@ -0,0 +1,48 @@
+From db8cb5d9242d74c1a013009fa25ce3b76db0e30f Mon Sep 17 00:00:00 2001
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+Date: Tue, 28 May 2019 20:38:09 +0300
+Subject: net: phy: Check against net_device being NULL
+
+[ Upstream commit 82c76aca81187b3d28a6fb3062f6916450ce955e ]
+
+In general, we don't want MAC drivers calling phy_attach_direct with the
+net_device being NULL. Add checks against this in all the functions
+calling it: phy_attach() and phy_connect_direct().
+
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 8a96d985a52f..6144146aec29 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -757,6 +757,9 @@ int phy_connect_direct(struct net_device *dev, struct phy_device *phydev,
+ {
+       int rc;
++      if (!dev)
++              return -EINVAL;
++
+       rc = phy_attach_direct(dev, phydev, phydev->dev_flags, interface);
+       if (rc)
+               return rc;
+@@ -1098,6 +1101,9 @@ struct phy_device *phy_attach(struct net_device *dev, const char *bus_id,
+       struct device *d;
+       int rc;
++      if (!dev)
++              return ERR_PTR(-EINVAL);
++
+       /* Search the list of PHY devices on the mdio bus for the
+        * PHY with the requested name
+        */
+-- 
+2.20.1
+
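Review bot: phy_connect_direct now rejects a NULL `dev`, but the very next statement reads `phydev->dev_flags` without a matching test on `phydev`. If callers are not guaranteed to pass a valid PHY, the guard could cover both: `if (!dev || !phydev) return -EINVAL;`. The kernel-doc of phy_connect_direct and phy_attach should also mention the new `-EINVAL` / `ERR_PTR(-EINVAL)` result, since existing callers may only expect attach failures. The body of phy_attach continues outside the hunk.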
diff --git a/queue-4.19/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch b/queue-4.19/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch
new file mode 100644 (file)
index 0000000..8aeee76
--- /dev/null
@@ -0,0 +1,65 @@
+From 57a7556f956ea9c2a419ae8389f8342a8faec034 Mon Sep 17 00:00:00 2001
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Fri, 7 Jun 2019 10:42:36 -0600
+Subject: net: sfp: add mutex to prevent concurrent state checks
+
+[ Upstream commit 2158e856f56bb762ef90f3ec244d41a519826f75 ]
+
+sfp_check_state can potentially be called by both a threaded IRQ handler
+and delayed work. If it is concurrently called, it could result in
+incorrect state management. Add a st_mutex to protect the state - this
+lock gets taken outside of code that checks and handle state changes, and
+the existing sm_mutex nests inside of it.
+
+Suggested-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/sfp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 8807a806cc47..418522aa2f71 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -185,10 +185,11 @@ struct sfp {
+       struct gpio_desc *gpio[GPIO_MAX];
+       bool attached;
++      struct mutex st_mutex;                  /* Protects state */
+       unsigned int state;
+       struct delayed_work poll;
+       struct delayed_work timeout;
+-      struct mutex sm_mutex;
++      struct mutex sm_mutex;                  /* Protects state machine */
+       unsigned char sm_mod_state;
+       unsigned char sm_dev_state;
+       unsigned short sm_state;
+@@ -1718,6 +1719,7 @@ static void sfp_check_state(struct sfp *sfp)
+ {
+       unsigned int state, i, changed;
++      mutex_lock(&sfp->st_mutex);
+       state = sfp_get_state(sfp);
+       changed = state ^ sfp->state;
+       changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT;
+@@ -1743,6 +1745,7 @@ static void sfp_check_state(struct sfp *sfp)
+               sfp_sm_event(sfp, state & SFP_F_LOS ?
+                               SFP_E_LOS_HIGH : SFP_E_LOS_LOW);
+       rtnl_unlock();
++      mutex_unlock(&sfp->st_mutex);
+ }
+ static irqreturn_t sfp_irq(int irq, void *data)
+@@ -1773,6 +1776,7 @@ static struct sfp *sfp_alloc(struct device *dev)
+       sfp->dev = dev;
+       mutex_init(&sfp->sm_mutex);
++      mutex_init(&sfp->st_mutex);
+       INIT_DELAYED_WORK(&sfp->poll, sfp_poll);
+       INIT_DELAYED_WORK(&sfp->timeout, sfp_timeout);
+-- 
+2.20.1
+
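Review bot: The lock ordering introduced here is documented only in the commit message. In sfp_check_state `st_mutex` is released after `rtnl_unlock()`, so it is the outermost lock, with rtnl and then `sm_mutex` nesting inside it. Any future path that already holds rtnl and then reaches sfp_check_state would invert that order, so the field comment should say so: `struct mutex st_mutex; /* Protects state; taken before rtnl_lock() and sm_mutex */`. It is also worth confirming that other writers of `sfp->state` take the same mutex; none are visible in these hunks.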
diff --git a/queue-4.19/net-stmmac-dwmac1000-clear-unused-address-entries.patch b/queue-4.19/net-stmmac-dwmac1000-clear-unused-address-entries.patch
new file mode 100644 (file)
index 0000000..8acfc38
--- /dev/null
@@ -0,0 +1,43 @@
+From 21452edd8b1b380afd98ce71574a011125e62e0b Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:21 +0200
+Subject: net: stmmac: dwmac1000: Clear unused address entries
+
+[ Upstream commit 9463c445590091202659cdfdd44b236acadfbd84 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+index 0877bde6e860..21d131347e2e 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -216,6 +216,12 @@ static void dwmac1000_set_filter(struct mac_device_info *hw,
+                                           GMAC_ADDR_LOW(reg));
+                       reg++;
+               }
++
++              while (reg <= perfect_addr_number) {
++                      writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++                      writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++                      reg++;
++              }
+       }
+ #ifdef FRAME_FILTER_DEBUG
+-- 
+2.20.1
+
diff --git a/queue-4.19/net-stmmac-dwmac4-5-clear-unused-address-entries.patch b/queue-4.19/net-stmmac-dwmac4-5-clear-unused-address-entries.patch
new file mode 100644 (file)
index 0000000..766db5c
--- /dev/null
@@ -0,0 +1,53 @@
+From e0df7485a6610a695ccf1914e5b9847040e8add4 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:25 +0200
+Subject: net: stmmac: dwmac4/5: Clear unused address entries
+
+[ Upstream commit 0620ec6c62a5a07625b65f699adc5d1b90394ee6 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 7e5d5db0d516..a2f3db39221e 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -444,14 +444,20 @@ static void dwmac4_set_filter(struct mac_device_info *hw,
+                * are required
+                */
+               value |= GMAC_PACKET_FILTER_PR;
+-      } else if (!netdev_uc_empty(dev)) {
+-              int reg = 1;
++      } else {
+               struct netdev_hw_addr *ha;
++              int reg = 1;
+               netdev_for_each_uc_addr(ha, dev) {
+                       dwmac4_set_umac_addr(hw, ha->addr, reg);
+                       reg++;
+               }
++
++              while (reg <= GMAC_MAX_PERFECT_ADDRESSES) {
++                      writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++                      writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++                      reg++;
++              }
+       }
+       writel(value, ioaddr + GMAC_PACKET_FILTER);
+-- 
+2.20.1
+
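Review bot: The clearing loop is bounded by the compile-time constant `GMAC_MAX_PERFECT_ADDRESSES`, whereas the dwmac1000 version of the same fix in this queue stops at the per-device `perfect_addr_number`. If a core implements fewer address registers than the constant, `writel(0, ioaddr + GMAC_ADDR_HIGH(reg))` would write to offsets that are not MAC address registers on that hardware; whether that can occur is not visible from the hunk. A bound taken from the device's own filter-entry count would be safer, or at minimum a comment such as `/* assumes all GMAC_MAX_PERFECT_ADDRESSES entries exist on this core */`. dwmac4_set_filter starts outside the hunk.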
diff --git a/queue-4.19/net-stmmac-dwmac4-fix-flow-control-issue.patch b/queue-4.19/net-stmmac-dwmac4-fix-flow-control-issue.patch
new file mode 100644 (file)
index 0000000..984f095
--- /dev/null
@@ -0,0 +1,57 @@
+From 0325dc632c6e7272d10b294880c682b068d671f3 Mon Sep 17 00:00:00 2001
+From: Biao Huang <biao.huang@mediatek.com>
+Date: Mon, 3 Jun 2019 09:58:06 +0800
+Subject: net: stmmac: dwmac4: fix flow control issue
+
+[ Upstream commit ee326fd01e79dfa42014d55931260b68b9fa3273 ]
+
+Current dwmac4_flow_ctrl will not clear
+GMAC_RX_FLOW_CTRL_RFE/GMAC_RX_FLOW_CTRL_RFE bits,
+so MAC hw will keep flow control on although expecting
+flow control off by ethtool. Add codes to fix it.
+
+Fixes: 477286b53f55 ("stmmac: add GMAC4 core support")
+Signed-off-by: Biao Huang <biao.huang@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index a2f3db39221e..d0e6e1503581 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -475,8 +475,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+       if (fc & FLOW_RX) {
+               pr_debug("\tReceive Flow-Control ON\n");
+               flow |= GMAC_RX_FLOW_CTRL_RFE;
+-              writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);
+       }
++      writel(flow, ioaddr + GMAC_RX_FLOW_CTRL);
++
+       if (fc & FLOW_TX) {
+               pr_debug("\tTransmit Flow-Control ON\n");
+@@ -484,7 +485,7 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+                       pr_debug("\tduplex mode: PAUSE %d\n", pause_time);
+               for (queue = 0; queue < tx_cnt; queue++) {
+-                      flow |= GMAC_TX_FLOW_CTRL_TFE;
++                      flow = GMAC_TX_FLOW_CTRL_TFE;
+                       if (duplex)
+                               flow |=
+@@ -492,6 +493,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex,
+                       writel(flow, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue));
+               }
++      } else {
++              for (queue = 0; queue < tx_cnt; queue++)
++                      writel(0, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue));
+       }
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.19/net-stmmac-modify-default-value-of-tx-frames.patch b/queue-4.19/net-stmmac-modify-default-value-of-tx-frames.patch
new file mode 100644 (file)
index 0000000..ef000df
--- /dev/null
@@ -0,0 +1,49 @@
+From 20437ea0ba2b9f7562e010140e12eda4dfb1f845 Mon Sep 17 00:00:00 2001
+From: Biao Huang <biao.huang@mediatek.com>
+Date: Mon, 3 Jun 2019 09:58:05 +0800
+Subject: net: stmmac: modify default value of tx-frames
+
+[ Upstream commit d2facb4b3983425f6776c24dd678a82dbe673773 ]
+
+the default value of tx-frames is 25, it's too late when
+passing tstamp to stack, then the ptp4l will fail:
+
+ptp4l -i eth0 -f gPTP.cfg -m
+ptp4l: selected /dev/ptp0 as PTP clock
+ptp4l: port 1: INITIALIZING to LISTENING on INITIALIZE
+ptp4l: port 0: INITIALIZING to LISTENING on INITIALIZE
+ptp4l: port 1: link up
+ptp4l: timed out while polling for tx timestamp
+ptp4l: increasing tx_timestamp_timeout may correct this issue,
+       but it is likely caused by a driver bug
+ptp4l: port 1: send peer delay response failed
+ptp4l: port 1: LISTENING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
+
+ptp4l tests pass when changing the tx-frames from 25 to 1 with
+ethtool -C option.
+It should be fine to set tx-frames default value to 1, so ptp4l will pass
+by default.
+
+Signed-off-by: Biao Huang <biao.huang@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/common.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
+index 272b9ca66314..b069b3a2453b 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/common.h
++++ b/drivers/net/ethernet/stmicro/stmmac/common.h
+@@ -261,7 +261,7 @@ struct stmmac_safety_stats {
+ #define STMMAC_COAL_TX_TIMER  1000
+ #define STMMAC_MAX_COAL_TX_TICK       100000
+ #define STMMAC_TX_MAX_FRAMES  256
+-#define STMMAC_TX_FRAMES      25
++#define STMMAC_TX_FRAMES      1
+ /* Packets types */
+ enum packets_types {
+-- 
+2.20.1
+
diff --git a/queue-4.19/net-stmmac-sun8i-force-select-external-phy-when-no-i.patch b/queue-4.19/net-stmmac-sun8i-force-select-external-phy-when-no-i.patch
new file mode 100644 (file)
index 0000000..b874dc0
--- /dev/null
@@ -0,0 +1,45 @@
+From b7cf1a3ec290c995bd5c8cc2718201321d0464dd Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Thu, 20 Jun 2019 15:47:44 +0200
+Subject: net: stmmac: sun8i: force select external PHY when no internal one
+
+[ Upstream commit 0fec7e72ae1391bb2d7527efb54fe6ae88acabce ]
+
+The PHY selection bit also exists on SoCs without an internal PHY; if it's
+set to 1 (internal PHY, default value) then the MAC will not make use of
+any PHY on such SoCs.
+
+This problem appears when adapting for H6, which has no real internal PHY
+(the "internal PHY" on H6 is not on-die, but on a co-packaged AC200 chip,
+connected via RMII interface at GPIO bank A).
+
+Force the PHY selection bit to 0 when the SOC doesn't have an internal PHY,
+to address the problem of a wrong default value.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Signed-off-by: Ondrej Jirman <megous@megous.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+index 49a896a16391..79c91526f3ec 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -893,6 +893,11 @@ static int sun8i_dwmac_set_syscon(struct stmmac_priv *priv)
+                * address. No need to mask it again.
+                */
+               reg |= 1 << H3_EPHY_ADDR_SHIFT;
++      } else {
++              /* For SoCs without internal PHY the PHY selection bit should be
++               * set to 0 (external PHY).
++               */
++              reg &= ~H3_EPHY_SELECT;
+       }
+       if (!of_property_read_u32(node, "allwinner,tx-delay-ps", &val)) {
+-- 
+2.20.1
+
diff --git a/queue-4.19/net-usb-asix-init-mac-address-buffers.patch b/queue-4.19/net-usb-asix-init-mac-address-buffers.patch
new file mode 100644 (file)
index 0000000..5abf752
--- /dev/null
@@ -0,0 +1,121 @@
+From 6fae1039c231cb622195dae3f58f0196ed7c239a Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Tue, 2 Jul 2019 07:10:08 +0700
+Subject: net: usb: asix: init MAC address buffers
+
+[ Upstream commit 78226f6eaac80bf30256a33a4926c194ceefdf36 ]
+
+This is for fixing bug KMSAN: uninit-value in ax88772_bind
+
+Tested by
+https://groups.google.com/d/msg/syzkaller-bugs/aFQurGotng4/eB_HlNhhCwAJ
+
+Reported-by: syzbot+8a3fc6674bbc3978ed4e@syzkaller.appspotmail.com
+
+syzbot found the following crash on:
+
+HEAD commit:    f75e4cfe kmsan: use kmsan_handle_urb() in urb.c
+git tree:       kmsan
+console output: https://syzkaller.appspot.com/x/log.txt?x=136d720ea00000
+kernel config:
+https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a
+dashboard link:
+https://syzkaller.appspot.com/bug?extid=8a3fc6674bbc3978ed4e
+compiler:       clang version 9.0.0 (/home/glider/llvm/clang
+06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
+syz repro:
+https://syzkaller.appspot.com/x/repro.syz?x=12788316a00000
+C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=120359aaa00000
+
+==================================================================
+BUG: KMSAN: uninit-value in is_valid_ether_addr
+include/linux/etherdevice.h:200 [inline]
+BUG: KMSAN: uninit-value in asix_set_netdev_dev_addr
+drivers/net/usb/asix_devices.c:73 [inline]
+BUG: KMSAN: uninit-value in ax88772_bind+0x93d/0x11e0
+drivers/net/usb/asix_devices.c:724
+CPU: 0 PID: 3348 Comm: kworker/0:2 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+  __dump_stack lib/dump_stack.c:77 [inline]
+  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+  kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+  __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+  is_valid_ether_addr include/linux/etherdevice.h:200 [inline]
+  asix_set_netdev_dev_addr drivers/net/usb/asix_devices.c:73 [inline]
+  ax88772_bind+0x93d/0x11e0 drivers/net/usb/asix_devices.c:724
+  usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728
+  usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361
+  really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+  driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+  __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+  bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+  __device_attach+0x454/0x730 drivers/base/dd.c:844
+  device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+  bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+  device_add+0x288d/0x30e0 drivers/base/core.c:2106
+  usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027
+  generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
+  usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266
+  really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+  driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+  __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+  bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+  __device_attach+0x454/0x730 drivers/base/dd.c:844
+  device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+  bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+  device_add+0x288d/0x30e0 drivers/base/core.c:2106
+  usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534
+  hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+  hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+  port_event drivers/usb/core/hub.c:5350 [inline]
+  hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432
+  process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
+  process_scheduled_works kernel/workqueue.c:2331 [inline]
+  worker_thread+0x189c/0x2460 kernel/workqueue.c:2417
+  kthread+0x4b5/0x4f0 kernel/kthread.c:254
+  ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_devices.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
+index 3d93993e74da..2eca4168af2f 100644
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -238,7 +238,7 @@ static void asix_phy_reset(struct usbnet *dev, unsigned int reset_bits)
+ static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       int ret = 0;
+-      u8 buf[ETH_ALEN];
++      u8 buf[ETH_ALEN] = {0};
+       int i;
+       unsigned long gpio_bits = dev->driver_info->data;
+@@ -689,7 +689,7 @@ static int asix_resume(struct usb_interface *intf)
+ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       int ret, i;
+-      u8 buf[ETH_ALEN], chipcode = 0;
++      u8 buf[ETH_ALEN] = {0}, chipcode = 0;
+       u32 phyid;
+       struct asix_common_private *priv;
+@@ -1073,7 +1073,7 @@ static const struct net_device_ops ax88178_netdev_ops = {
+ static int ax88178_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       int ret;
+-      u8 buf[ETH_ALEN];
++      u8 buf[ETH_ALEN] = {0};
+       usbnet_get_endpoints(dev,intf);
+-- 
+2.20.1
+
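Review bot: Zero-initialising `buf` in the three bind functions silences the KMSAN report, but the read that should fill the buffer still appears to go unchecked. The trace shows ax88772_bind reaching is_valid_ether_addr on uninitialised bytes, which suggests a failed or short device read fell through. With this change a failed read yields an all-zero address instead of stack contents, which is safer, but the bind paths should also test the result of the MAC-address read and fail or fall back explicitly. That call lies outside the hunks, so this is inferred from the trace. A comment at the initialiser, e.g. `/* zeroed so a failed read cannot expose stack bytes */`, would record why it is there.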
diff --git a/queue-4.19/ntp-limit-tai-utc-offset.patch b/queue-4.19/ntp-limit-tai-utc-offset.patch
new file mode 100644 (file)
index 0000000..84edbc6
--- /dev/null
@@ -0,0 +1,55 @@
+From 0eed050a160799797ec7822662df59e1cdd54f09 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Tue, 18 Jun 2019 17:47:13 +0200
+Subject: ntp: Limit TAI-UTC offset
+
+[ Upstream commit d897a4ab11dc8a9fda50d2eccc081a96a6385998 ]
+
+Don't allow the TAI-UTC offset of the system clock to be set by adjtimex()
+to a value larger than 100000 seconds.
+
+This prevents an overflow in the conversion to int, prevents the CLOCK_TAI
+clock from getting too far ahead of the CLOCK_REALTIME clock, and it is
+still large enough to allow leap seconds to be inserted at the maximum rate
+currently supported by the kernel (once per day) for the next ~270 years,
+however unlikely it is that someone can survive a catastrophic event which
+slowed down the rotation of the Earth so much.
+
+Reported-by: Weikang shi <swkhack@gmail.com>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Link: https://lkml.kernel.org/r/20190618154713.20929-1-mlichvar@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/ntp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 6b23cd584295..e1110a7bd3e6 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -43,6 +43,7 @@ static u64                   tick_length_base;
+ #define MAX_TICKADJ           500LL           /* usecs */
+ #define MAX_TICKADJ_SCALED \
+       (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
++#define MAX_TAI_OFFSET                100000
+ /*
+  * phase-lock loop variables
+@@ -698,7 +699,8 @@ static inline void process_adjtimex_modes(const struct timex *txc, s32 *time_tai
+               time_constant = max(time_constant, 0l);
+       }
+-      if (txc->modes & ADJ_TAI && txc->constant >= 0)
++      if (txc->modes & ADJ_TAI &&
++                      txc->constant >= 0 && txc->constant <= MAX_TAI_OFFSET)
+               *time_tai = txc->constant;
+       if (txc->modes & ADJ_OFFSET)
+-- 
+2.20.1
+
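Review bot: An `ADJ_TAI` request whose `txc->constant` exceeds `MAX_TAI_OFFSET` is now skipped without any error from this function, as negative values already were, so the caller cannot tell from here that the offset was not applied. If no earlier validation rejects it (not visible in the hunk), a comment such as `/* out-of-range TAI offsets are ignored, not rejected */` should say so. The new macro also lacks the unit annotation its neighbour `MAX_TICKADJ` carries: `#define MAX_TAI_OFFSET 100000 /* seconds */`. process_adjtimex_modes continues outside the hunk.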
diff --git a/queue-4.19/nvme-fix-possible-io-failures-when-removing-multipat.patch b/queue-4.19/nvme-fix-possible-io-failures-when-removing-multipat.patch
new file mode 100644 (file)
index 0000000..3f179cf
--- /dev/null
@@ -0,0 +1,69 @@
+From 37e11cc6f616a06c8b3d64f1aa738e9545376ca3 Mon Sep 17 00:00:00 2001
+From: Anton Eidelman <anton@lightbitslabs.com>
+Date: Thu, 20 Jun 2019 08:48:10 +0200
+Subject: nvme: fix possible io failures when removing multipathed ns
+
+[ Upstream commit 2181e455612a8db2761eabbf126640552a451e96 ]
+
+When a shared namespace is removed, we call blk_cleanup_queue()
+when the device can still be accessed as the current path and this can
+result in submission to a dying queue. Hence, direct_make_request()
+called by our mpath device may fail (propagating the failure to userspace).
+Instead, we want to failover this I/O to a different path if one exists.
+Thus, before we cleanup the request queue, we make sure that the device is
+cleared from the current path nor it can be selected again as such.
+
+Fix this by:
+- clear the ns from the head->list and synchronize rcu to make sure there is
+  no concurrent path search that restores it as the current path
+- clear the mpath current path in order to trigger a subsequent path search
+  and sync srcu to wait for any ongoing request submissions
+- safely continue to namespace removal and blk_cleanup_queue
+
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index d8869d978c34..e26d1191c5ad 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3168,6 +3168,14 @@ static void nvme_ns_remove(struct nvme_ns *ns)
+               return;
+       nvme_fault_inject_fini(ns);
++
++      mutex_lock(&ns->ctrl->subsys->lock);
++      list_del_rcu(&ns->siblings);
++      mutex_unlock(&ns->ctrl->subsys->lock);
++      synchronize_rcu(); /* guarantee not available in head->list */
++      nvme_mpath_clear_current_path(ns);
++      synchronize_srcu(&ns->head->srcu); /* wait for concurrent submissions */
++
+       if (ns->disk && ns->disk->flags & GENHD_FL_UP) {
+               sysfs_remove_group(&disk_to_dev(ns->disk)->kobj,
+                                       &nvme_ns_id_attr_group);
+@@ -3179,16 +3187,10 @@ static void nvme_ns_remove(struct nvme_ns *ns)
+                       blk_integrity_unregister(ns->disk);
+       }
+-      mutex_lock(&ns->ctrl->subsys->lock);
+-      list_del_rcu(&ns->siblings);
+-      nvme_mpath_clear_current_path(ns);
+-      mutex_unlock(&ns->ctrl->subsys->lock);
+-
+       down_write(&ns->ctrl->namespaces_rwsem);
+       list_del_init(&ns->list);
+       up_write(&ns->ctrl->namespaces_rwsem);
+-      synchronize_srcu(&ns->head->srcu);
+       nvme_mpath_check_last_path(ns);
+       nvme_put_ns(ns);
+ }
+-- 
+2.20.1
+
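Review bot: The `synchronize_rcu()` added after `list_del_rcu(&ns->siblings)` in nvme_ns_remove() waits only for plain RCU readers, while the same hunk waits for submitters with `synchronize_srcu(&ns->head->srcu)`. If the path search that walks `head->list` runs under `head->srcu` (the reader side is not visible here), a lookup that started before the unlink could still reinstall this namespace as the current path after `nvme_mpath_clear_current_path(ns)`. In that case the first barrier should be `synchronize_srcu(&ns->head->srcu); /* guarantee not available in head->list */`. The window matters because queue cleanup follows, and a request routed to the removed path would reach a dying queue, which is the failure the description sets out to prevent.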
diff --git a/queue-4.19/nvme-pci-properly-report-state-change-failure-in-nvm.patch b/queue-4.19/nvme-pci-properly-report-state-change-failure-in-nvm.patch
new file mode 100644 (file)
index 0000000..3cc87f0
--- /dev/null
@@ -0,0 +1,47 @@
+From 3f69f053c72fe20b6caad7104c30391a69521938 Mon Sep 17 00:00:00 2001
+From: Minwoo Im <minwoo.im.dev@gmail.com>
+Date: Sun, 9 Jun 2019 03:35:20 +0900
+Subject: nvme-pci: properly report state change failure in nvme_reset_work
+
+[ Upstream commit cee6c269b016ba89c62e34d6bccb103ee2c7de4f ]
+
+If the state change to NVME_CTRL_CONNECTING fails, the dmesg is going to
+be like:
+
+  [  293.689160] nvme nvme0: failed to mark controller CONNECTING
+  [  293.689160] nvme nvme0: Removing after probe failure status: 0
+
+Even it prints the first line to indicate the situation, the second line
+is not proper because the status is 0 which means normally success of
+the previous operation.
+
+This patch makes it indicate the proper error value when it fails.
+  [   25.932367] nvme nvme0: failed to mark controller CONNECTING
+  [   25.932369] nvme nvme0: Removing after probe failure status: -16
+
+This situation is able to be easily reproduced by:
+  root@target:~# rmmod nvme && modprobe nvme && rmmod nvme
+
+Signed-off-by: Minwoo Im <minwoo.im.dev@gmail.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index c8eeecc58115..03e72e2f57f5 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2294,6 +2294,7 @@ static void nvme_reset_work(struct work_struct *work)
+       if (!nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_CONNECTING)) {
+               dev_warn(dev->ctrl.device,
+                       "failed to mark controller CONNECTING\n");
++              result = -EBUSY;
+               goto out;
+       }
+-- 
+2.20.1
+
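Review bot: The errno reported for a refused `nvme_change_ctrl_state()` is not consistent within nvme_reset_work(): this path sets `result = -EBUSY`, while the next patch in this queue sets `result = -ENODEV` for the final state transition. Going by the description, the value surfaces in the "Removing after probe failure status" line in dmesg, so one cause would show up under two codes during triage. Either use one value for both transitions or state the reason for the difference next to the assignment, e.g. `/* state machine refused RESETTING -> CONNECTING */`. Most of the function body lies outside the hunk.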
diff --git a/queue-4.19/nvme-pci-set-the-errno-on-ctrl-state-change-error.patch b/queue-4.19/nvme-pci-set-the-errno-on-ctrl-state-change-error.patch
new file mode 100644 (file)
index 0000000..5e4aefc
--- /dev/null
@@ -0,0 +1,54 @@
+From 86a28ac1755ef08ff11457f3ede3209a24549042 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Date: Sat, 8 Jun 2019 13:01:02 -0700
+Subject: nvme-pci: set the errno on ctrl state change error
+
+[ Upstream commit e71afda49335620e3d9adf56015676db33a3bd86 ]
+
+This patch removes the confusing assignment of the variable result at
+the time of declaration and sets the value in error cases next to the
+places where the actual error is happening.
+
+Here we also set the result value to -ENODEV when we fail at the final
+ctrl state transition in nvme_reset_work(). Without this assignment
+result will hold 0 from nvme_setup_io_queue() and on failure 0 will be
+passed to he nvme_remove_dead_ctrl() from final state transition.
+
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 03e72e2f57f5..0a5d064f82ca 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2253,11 +2253,13 @@ static void nvme_reset_work(struct work_struct *work)
+       struct nvme_dev *dev =
+               container_of(work, struct nvme_dev, ctrl.reset_work);
+       bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL);
+-      int result = -ENODEV;
++      int result;
+       enum nvme_ctrl_state new_state = NVME_CTRL_LIVE;
+-      if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING))
++      if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) {
++              result = -ENODEV;
+               goto out;
++      }
+       /*
+        * If we're called to reset a live controller first shut it down before
+@@ -2355,6 +2357,7 @@ static void nvme_reset_work(struct work_struct *work)
+       if (!nvme_change_ctrl_state(&dev->ctrl, new_state)) {
+               dev_warn(dev->ctrl.device,
+                       "failed to mark controller state %d\n", new_state);
++              result = -ENODEV;
+               goto out;
+       }
+-- 
+2.20.1
+
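Review bot: Removing the `-ENODEV` initialiser leaves `result` indeterminate on any `goto out` path in nvme_reset_work() that does not assign it first. The hunks show only some of the exits, so every remaining `goto out` outside them needs checking. Before this change such a path reported -ENODEV; after it, the value handed to the removal path (nvme_remove_dead_ctrl(), per the description) would be whatever was on the stack. Keeping `int result = -ENODEV;` as a defensive default is compatible with the explicit assignments added here, and building this file with -Wmaybe-uninitialized would catch a missed path.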
diff --git a/queue-4.19/perf-annotate-tui-browser-do-not-use-member-from-var.patch b/queue-4.19/perf-annotate-tui-browser-do-not-use-member-from-var.patch
new file mode 100644 (file)
index 0000000..861deaf
--- /dev/null
@@ -0,0 +1,60 @@
+From dad9d7fe5bc2c98ecfb7bd70f8da9e46dd8646a2 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Tue, 28 May 2019 16:02:56 -0300
+Subject: perf annotate TUI browser: Do not use member from variable within its
+ own initialization
+
+[ Upstream commit da2019633f0b5c105ce658aada333422d8cb28fe ]
+
+Some compilers will complain when using a member of a struct to
+initialize another member, in the same struct initialization.
+
+For instance:
+
+  debian:8      Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
+  oraclelinux:7 clang version 3.4.2 (tags/RELEASE_34/dot2-final)
+
+Produce:
+
+  ui/browsers/annotate.c:104:12: error: variable 'ops' is uninitialized when used within its own initialization [-Werror,-Wuninitialized]
+                                              (!ops.current_entry ||
+                                                ^~~
+  1 error generated.
+
+So use an extra variable, initialized just before that struct, to have
+the value used in the expressions used to init two of the struct
+members.
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: c298304bd747 ("perf annotate: Use a ops table for annotation_line__write()")
+Link: https://lkml.kernel.org/n/tip-f9nexro58q62l3o9hez8hr0i@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/browsers/annotate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/ui/browsers/annotate.c b/tools/perf/ui/browsers/annotate.c
+index 1d00e5ec7906..a3c255228d62 100644
+--- a/tools/perf/ui/browsers/annotate.c
++++ b/tools/perf/ui/browsers/annotate.c
+@@ -96,11 +96,12 @@ static void annotate_browser__write(struct ui_browser *browser, void *entry, int
+       struct annotate_browser *ab = container_of(browser, struct annotate_browser, b);
+       struct annotation *notes = browser__annotation(browser);
+       struct annotation_line *al = list_entry(entry, struct annotation_line, node);
++      const bool is_current_entry = ui_browser__is_current_entry(browser, row);
+       struct annotation_write_ops ops = {
+               .first_line              = row == 0,
+-              .current_entry           = ui_browser__is_current_entry(browser, row),
++              .current_entry           = is_current_entry,
+               .change_color            = (!notes->options->hide_src_code &&
+-                                          (!ops.current_entry ||
++                                          (!is_current_entry ||
+                                            (browser->use_navkeypressed &&
+                                             !browser->navkeypressed))),
+               .width                   = browser->width,
+-- 
+2.20.1
+
diff --git a/queue-4.19/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch b/queue-4.19/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch
new file mode 100644 (file)
index 0000000..39d39d8
--- /dev/null
@@ -0,0 +1,206 @@
+From e31cd0199ff202289e903a35e328c0f18ca9dc21 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Wed, 5 Jun 2019 10:16:33 -0600
+Subject: perf cs-etm: Properly set the value of 'old' and 'head' in snapshot
+ mode
+
+[ Upstream commit e45c48a9a4d20ebc7b639a62c3ef8f4b08007027 ]
+
+This patch adds the necessary intelligence to properly compute the value
+of 'old' and 'head' when operating in snapshot mode.  That way we can
+get the latest information in the AUX buffer and be compatible with the
+generic AUX ring buffer mechanic.
+
+Tester notes:
+
+> Leo, have you had the chance to test/review this one? Suzuki?
+
+Sure.  I applied this patch on the perf/core branch (with latest
+commit 3e4fbf36c1e3 'perf augmented_raw_syscalls: Move reading
+filename to the loop') and passed testing with below steps:
+
+  # perf record -e cs_etm/@tmc_etr0/ -S -m,64 --per-thread ./sort &
+  [1] 19097
+  Bubble sorting array of 30000 elements
+
+  # kill -USR2 19097
+  # kill -USR2 19097
+  # kill -USR2 19097
+  [ perf record: Woken up 4 times to write data ]
+  [ perf record: Captured and wrote 0.753 MB perf.data ]
+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Tested-by: Leo Yan <leo.yan@linaro.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/20190605161633.12245-1-mathieu.poirier@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/arm/util/cs-etm.c | 127 +++++++++++++++++++++++++++++-
+ 1 file changed, 123 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/arch/arm/util/cs-etm.c b/tools/perf/arch/arm/util/cs-etm.c
+index 2f595cd73da6..16af6c3b1365 100644
+--- a/tools/perf/arch/arm/util/cs-etm.c
++++ b/tools/perf/arch/arm/util/cs-etm.c
+@@ -32,6 +32,8 @@ struct cs_etm_recording {
+       struct auxtrace_record  itr;
+       struct perf_pmu         *cs_etm_pmu;
+       struct perf_evlist      *evlist;
++      int                     wrapped_cnt;
++      bool                    *wrapped;
+       bool                    snapshot_mode;
+       size_t                  snapshot_size;
+ };
+@@ -495,16 +497,131 @@ static int cs_etm_info_fill(struct auxtrace_record *itr,
+       return 0;
+ }
+-static int cs_etm_find_snapshot(struct auxtrace_record *itr __maybe_unused,
++static int cs_etm_alloc_wrapped_array(struct cs_etm_recording *ptr, int idx)
++{
++      bool *wrapped;
++      int cnt = ptr->wrapped_cnt;
++
++      /* Make @ptr->wrapped as big as @idx */
++      while (cnt <= idx)
++              cnt++;
++
++      /*
++       * Free'ed in cs_etm_recording_free().  Using realloc() to avoid
++       * cross compilation problems where the host's system supports
++       * reallocarray() but not the target.
++       */
++      wrapped = realloc(ptr->wrapped, cnt * sizeof(bool));
++      if (!wrapped)
++              return -ENOMEM;
++
++      wrapped[cnt - 1] = false;
++      ptr->wrapped_cnt = cnt;
++      ptr->wrapped = wrapped;
++
++      return 0;
++}
++
++static bool cs_etm_buffer_has_wrapped(unsigned char *buffer,
++                                    size_t buffer_size, u64 head)
++{
++      u64 i, watermark;
++      u64 *buf = (u64 *)buffer;
++      size_t buf_size = buffer_size;
++
++      /*
++       * We want to look the very last 512 byte (chosen arbitrarily) in
++       * the ring buffer.
++       */
++      watermark = buf_size - 512;
++
++      /*
++       * @head is continuously increasing - if its value is equal or greater
++       * than the size of the ring buffer, it has wrapped around.
++       */
++      if (head >= buffer_size)
++              return true;
++
++      /*
++       * The value of @head is somewhere within the size of the ring buffer.
++       * This can be that there hasn't been enough data to fill the ring
++       * buffer yet or the trace time was so long that @head has numerically
++       * wrapped around.  To find we need to check if we have data at the very
++       * end of the ring buffer.  We can reliably do this because mmap'ed
++       * pages are zeroed out and there is a fresh mapping with every new
++       * session.
++       */
++
++      /* @head is less than 512 byte from the end of the ring buffer */
++      if (head > watermark)
++              watermark = head;
++
++      /*
++       * Speed things up by using 64 bit transactions (see "u64 *buf" above)
++       */
++      watermark >>= 3;
++      buf_size >>= 3;
++
++      /*
++       * If we find trace data at the end of the ring buffer, @head has
++       * been there and has numerically wrapped around at least once.
++       */
++      for (i = watermark; i < buf_size; i++)
++              if (buf[i])
++                      return true;
++
++      return false;
++}
++
++static int cs_etm_find_snapshot(struct auxtrace_record *itr,
+                               int idx, struct auxtrace_mmap *mm,
+-                              unsigned char *data __maybe_unused,
++                              unsigned char *data,
+                               u64 *head, u64 *old)
+ {
++      int err;
++      bool wrapped;
++      struct cs_etm_recording *ptr =
++                      container_of(itr, struct cs_etm_recording, itr);
++
++      /*
++       * Allocate memory to keep track of wrapping if this is the first
++       * time we deal with this *mm.
++       */
++      if (idx >= ptr->wrapped_cnt) {
++              err = cs_etm_alloc_wrapped_array(ptr, idx);
++              if (err)
++                      return err;
++      }
++
++      /*
++       * Check to see if *head has wrapped around.  If it hasn't only the
++       * amount of data between *head and *old is snapshot'ed to avoid
++       * bloating the perf.data file with zeros.  But as soon as *head has
++       * wrapped around the entire size of the AUX ring buffer it taken.
++       */
++      wrapped = ptr->wrapped[idx];
++      if (!wrapped && cs_etm_buffer_has_wrapped(data, mm->len, *head)) {
++              wrapped = true;
++              ptr->wrapped[idx] = true;
++      }
++
+       pr_debug3("%s: mmap index %d old head %zu new head %zu size %zu\n",
+                 __func__, idx, (size_t)*old, (size_t)*head, mm->len);
+-      *old = *head;
+-      *head += mm->len;
++      /* No wrap has occurred, we can just use *head and *old. */
++      if (!wrapped)
++              return 0;
++
++      /*
++       * *head has wrapped around - adjust *head and *old to pickup the
++       * entire content of the AUX buffer.
++       */
++      if (*head >= mm->len) {
++              *old = *head - mm->len;
++      } else {
++              *head += mm->len;
++              *old = *head - mm->len;
++      }
+       return 0;
+ }
+@@ -545,6 +662,8 @@ static void cs_etm_recording_free(struct auxtrace_record *itr)
+ {
+       struct cs_etm_recording *ptr =
+                       container_of(itr, struct cs_etm_recording, itr);
++
++      zfree(&ptr->wrapped);
+       free(ptr);
+ }
+-- 
+2.20.1
+
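Review bot: `cs_etm_alloc_wrapped_array()` grows the array to `idx + 1` entries with realloc() but clears only `wrapped[cnt - 1]`, so when `idx` is more than one past the old `wrapped_cnt` the slots in between hold indeterminate bytes. `cs_etm_find_snapshot()` later reads `ptr->wrapped[idx]` for any `idx < wrapped_cnt` without going through the allocator, so such a slot can read as true and force a full-buffer snapshot. Clear every new slot instead of the last one: `memset(wrapped + ptr->wrapped_cnt, 0, (cnt - ptr->wrapped_cnt) * sizeof(bool));`. The `while (cnt <= idx) cnt++;` loop is equivalent to `cnt = idx + 1;`. A negative `idx` would also pass the `idx >= ptr->wrapped_cnt` test and index before the array, so an explicit `idx < 0` check is worth adding unless callers already guarantee it.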
diff --git a/queue-4.19/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch b/queue-4.19/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
new file mode 100644 (file)
index 0000000..77d9419
--- /dev/null
@@ -0,0 +1,54 @@
+From da05d56693c12a840cd1e51cd6720614759b0062 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 17 Jun 2019 14:32:53 -0300
+Subject: perf evsel: Make perf_evsel__name() accept a NULL argument
+
+[ Upstream commit fdbdd7e8580eac9bdafa532746c865644d125e34 ]
+
+In which case it simply returns "unknown", like when it can't figure out
+the evsel->name value.
+
+This makes this code more robust and fixes a problem in 'perf trace'
+where a NULL evsel was being passed to a routine that only used the
+evsel for printing its name when a invalid syscall id was passed.
+
+Reported-by: Leo Yan <leo.yan@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-f30ztaasku3z935cn3ak3h53@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/evsel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index b65ad5a273eb..4fad92213609 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -590,6 +590,9 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+ {
+       char bf[128];
++      if (!evsel)
++              goto out_unknown;
++
+       if (evsel->name)
+               return evsel->name;
+@@ -626,7 +629,10 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+       evsel->name = strdup(bf);
+-      return evsel->name ?: "unknown";
++      if (evsel->name)
++              return evsel->name;
++out_unknown:
++      return "unknown";
+ }
+ const char *perf_evsel__group_name(struct perf_evsel *evsel)
+-- 
+2.20.1
+
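Review bot: The new NULL tolerance of `perf_evsel__name()` is not documented in the hunk, and it turns a caller bug into the string "unknown" without leaving a trace. A short comment above the function would make the contract explicit, for example `/* @evsel may be NULL; "unknown" is returned then and when no name can be built. The returned string must not be freed by the caller. */`. The part of the function between the two inner hunks is not shown, so the comment should be checked against the name-building code there.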
diff --git a/queue-4.19/perf-jvmti-address-gcc-string-overflow-warning-for-s.patch b/queue-4.19/perf-jvmti-address-gcc-string-overflow-warning-for-s.patch
new file mode 100644 (file)
index 0000000..353c2d7
--- /dev/null
@@ -0,0 +1,67 @@
+From aa6765fa256a77d11f413645f87bc8e430515cc9 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Fri, 31 May 2019 15:13:21 +0200
+Subject: perf jvmti: Address gcc string overflow warning for strncpy()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 279ab04dbea1370d2eac0f854270369ccaef8a44 ]
+
+We are getting false positive gcc warning when we compile with gcc9 (9.1.1):
+
+     CC       jvmti/libjvmti.o
+   In file included from /usr/include/string.h:494,
+                    from jvmti/libjvmti.c:5:
+   In function ‘strncpy’,
+       inlined from ‘copy_class_filename.constprop’ at jvmti/libjvmti.c:166:3:
+   /usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=]
+     106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
+         |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+   jvmti/libjvmti.c: In function ‘copy_class_filename.constprop’:
+   jvmti/libjvmti.c:165:26: note: length computed here
+     165 |   size_t file_name_len = strlen(file_name);
+         |                          ^~~~~~~~~~~~~~~~~
+   cc1: all warnings being treated as errors
+
+As per Arnaldo's suggestion use strlcpy(), which does the same thing and keeps
+gcc silent.
+
+Suggested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ben Gainey <ben.gainey@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lkml.kernel.org/r/20190531131321.GB1281@krava
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/jvmti/libjvmti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/jvmti/libjvmti.c b/tools/perf/jvmti/libjvmti.c
+index 6add3e982614..3361d98a4edd 100644
+--- a/tools/perf/jvmti/libjvmti.c
++++ b/tools/perf/jvmti/libjvmti.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/compiler.h>
++#include <linux/string.h>
+ #include <sys/types.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -150,8 +151,7 @@ copy_class_filename(const char * class_sign, const char * file_name, char * resu
+               result[i] = '\0';
+       } else {
+               /* fallback case */
+-              size_t file_name_len = strlen(file_name);
+-              strncpy(result, file_name, file_name_len < max_length ? file_name_len : max_length);
++              strlcpy(result, file_name, max_length);
+       }
+ }
+-- 
+2.20.1
+
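Review bot: `strlcpy(result, file_name, max_length)` in the fallback branch of copy_class_filename() truncates silently and its return value is dropped, so a file name longer than the buffer becomes a shortened name with no diagnostic. Compare the return value with the bound, `if (strlcpy(result, file_name, max_length) >= max_length)`, and report or reject the truncated name. This is also not the same behaviour as the removed strncpy() call, whose bound was at most `strlen(file_name)` and which therefore never wrote a terminating NUL. The new call always terminates, which is the safer outcome provided `max_length` is the real size of `result`; the caller is outside the hunk.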
diff --git a/queue-4.19/perf-report-fix-oom-error-in-tui-mode-on-s390.patch b/queue-4.19/perf-report-fix-oom-error-in-tui-mode-on-s390.patch
new file mode 100644 (file)
index 0000000..f175763
--- /dev/null
@@ -0,0 +1,118 @@
+From 86b194cf76dcbc7aacadb5a3bbcb158d545cc0b2 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Thu, 23 May 2019 10:25:21 +0200
+Subject: perf report: Fix OOM error in TUI mode on s390
+
+[ Upstream commit 8a07aa4e9b7b0222129c07afff81634a884b2866 ]
+
+Debugging a OOM error using the TUI interface revealed this issue
+on s390:
+
+[tmricht@m83lp54 perf]$ cat /proc/kallsyms |sort
+....
+00000001119b7158 B radix_tree_node_cachep
+00000001119b8000 B __bss_stop
+00000001119b8000 B _end
+000003ff80002850 t autofs_mount        [autofs4]
+000003ff80002868 t autofs_show_options [autofs4]
+000003ff80002a98 t autofs_evict_inode  [autofs4]
+....
+
+There is a huge gap between the last kernel symbol
+__bss_stop/_end and the first kernel module symbol
+autofs_mount (from autofs4 module).
+
+After reading the kernel symbol table via functions:
+
+ dso__load()
+ +--> dso__load_kernel_sym()
+      +--> dso__load_kallsyms()
+          +--> __dso_load_kallsyms()
+               +--> symbols__fixup_end()
+
+the symbol __bss_stop has a start address of 1119b8000 and
+an end address of 3ff80002850, as can be seen by this debug statement:
+
+  symbols__fixup_end __bss_stop start:0x1119b8000 end:0x3ff80002850
+
+The size of symbol __bss_stop is 0x3fe6e64a850 bytes!
+It is the last kernel symbol and fills up the space until
+the first kernel module symbol.
+
+This size kills the TUI interface when executing the following
+code:
+
+  process_sample_event()
+    hist_entry_iter__add()
+      hist_iter__report_callback()
+        hist_entry__inc_addr_samples()
+          symbol__inc_addr_samples(symbol = __bss_stop)
+            symbol__cycles_hist()
+               annotated_source__alloc_histograms(...,
+                                               symbol__size(sym),
+                                               ...)
+
+This function allocates memory to save sample histograms.
+The symbol_size() marco is defined as sym->end - sym->start, which
+results in above value of 0x3fe6e64a850 bytes and
+the call to calloc() in annotated_source__alloc_histograms() fails.
+
+The histgram memory allocation might fail, make this failure
+no-fatal and continue processing.
+
+Output before:
+[tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
+                                             -i ~/slow.data 2>/tmp/2
+[tmricht@m83lp54 perf]$ tail -5 /tmp/2
+  __symbol__inc_addr_samples(875): ENOMEM! sym->name=__bss_stop,
+               start=0x1119b8000, addr=0x2aa0005eb08, end=0x3ff80002850,
+               func: 0
+problem adding hist entry, skipping event
+0x938b8 [0x8]: failed to process type: 68 [Cannot allocate memory]
+[tmricht@m83lp54 perf]$
+
+Output after:
+[tmricht@m83lp54 perf]$ ./perf --debug stderr=1 report -vvvvv \
+                                             -i ~/slow.data 2>/tmp/2
+[tmricht@m83lp54 perf]$ tail -5 /tmp/2
+   symbol__inc_addr_samples map:0x1597830 start:0x110730000 end:0x3ff80002850
+   symbol__hists notes->src:0x2aa2a70 nr_hists:1
+   symbol__inc_addr_samples sym:unlink_anon_vmas src:0x2aa2a70
+   __symbol__inc_addr_samples: addr=0x11094c69e
+   0x11094c670 unlink_anon_vmas: period++ [addr: 0x11094c69e, 0x2e, evidx=0]
+       => nr_samples: 1, period: 526008
+[tmricht@m83lp54 perf]$
+
+There is no error about failed memory allocation and the TUI interface
+shows all entries.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/90cb5607-3e12-5167-682d-978eba7dafa8@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index dfee110b3a58..c357051dd2b6 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -911,9 +911,8 @@ static int symbol__inc_addr_samples(struct symbol *sym, struct map *map,
+       if (sym == NULL)
+               return 0;
+       src = symbol__hists(sym, evsel->evlist->nr_entries);
+-      if (src == NULL)
+-              return -ENOMEM;
+-      return __symbol__inc_addr_samples(sym, map, src, evsel->idx, addr, sample);
++      return (src) ?  __symbol__inc_addr_samples(sym, map, src, evsel->idx,
++                                                 addr, sample) : 0;
+ }
+ static int symbol__account_cycles(u64 addr, u64 start,
+-- 
+2.20.1
+
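Review bot: Returning 0 when `symbol__hists()` yields NULL hides every allocation failure on this path in symbol__inc_addr_samples(), not only the oversized `__bss_stop` case from the description, and the sample is dropped without any message. A debug line keeps the condition visible: `if (src == NULL) { pr_debug("%s: no histogram for %s, sample skipped\n", __func__, sym->name); return 0; }`. The underlying cause, a symbol whose computed size spans the gap up to the first module symbol, is left untouched, so presumably each sample on such a symbol attempts the same huge allocation again.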
diff --git a/queue-4.19/perf-stat-fix-group-lookup-for-metric-group.patch b/queue-4.19/perf-stat-fix-group-lookup-for-metric-group.patch
new file mode 100644 (file)
index 0000000..a20a0d1
--- /dev/null
@@ -0,0 +1,124 @@
+From 775023d6a83633a4bcaa9e641b03c043636896c3 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 24 Jun 2019 12:37:10 -0700
+Subject: perf stat: Fix group lookup for metric group
+
+[ Upstream commit 2f87f33f4226523df9c9cc28f9874ea02fcc3d3f ]
+
+The metric group code tries to find a group it added earlier in the
+evlist. Fix the lookup to handle groups with partially overlaps
+correctly. When a sub string match fails and we reset the match, we have
+to compare the first element again.
+
+I also renamed the find_evsel function to find_evsel_group to make its
+purpose clearer.
+
+With the earlier changes this fixes:
+
+Before:
+
+  % perf stat -M UPI,IPC sleep 1
+  ...
+         1,032,922      uops_retired.retire_slots #      1.1 UPI
+         1,896,096      inst_retired.any
+         1,896,096      inst_retired.any
+         1,177,254      cpu_clk_unhalted.thread
+
+After:
+
+  % perf stat -M UPI,IPC sleep 1
+  ...
+        1,013,193      uops_retired.retire_slots #      1.1 UPI
+           932,033      inst_retired.any
+           932,033      inst_retired.any          #      0.9 IPC
+         1,091,245      cpu_clk_unhalted.thread
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Fixes: b18f3e365019 ("perf stat: Support JSON metrics in perf stat")
+Link: http://lkml.kernel.org/r/20190624193711.35241-4-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/metricgroup.c | 47 ++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c
+index a28f9b5cc4ff..8b3dafe3fac3 100644
+--- a/tools/perf/util/metricgroup.c
++++ b/tools/perf/util/metricgroup.c
+@@ -94,26 +94,49 @@ struct egroup {
+       const char *metric_expr;
+ };
+-static struct perf_evsel *find_evsel(struct perf_evlist *perf_evlist,
+-                                   const char **ids,
+-                                   int idnum,
+-                                   struct perf_evsel **metric_events)
++static bool record_evsel(int *ind, struct perf_evsel **start,
++                       int idnum,
++                       struct perf_evsel **metric_events,
++                       struct perf_evsel *ev)
++{
++      metric_events[*ind] = ev;
++      if (*ind == 0)
++              *start = ev;
++      if (++*ind == idnum) {
++              metric_events[*ind] = NULL;
++              return true;
++      }
++      return false;
++}
++
++static struct perf_evsel *find_evsel_group(struct perf_evlist *perf_evlist,
++                                         const char **ids,
++                                         int idnum,
++                                         struct perf_evsel **metric_events)
+ {
+       struct perf_evsel *ev, *start = NULL;
+       int ind = 0;
+       evlist__for_each_entry (perf_evlist, ev) {
++              if (ev->collect_stat)
++                      continue;
+               if (!strcmp(ev->name, ids[ind])) {
+-                      metric_events[ind] = ev;
+-                      if (ind == 0)
+-                              start = ev;
+-                      if (++ind == idnum) {
+-                              metric_events[ind] = NULL;
++                      if (record_evsel(&ind, &start, idnum,
++                                       metric_events, ev))
+                               return start;
+-                      }
+               } else {
++                      /*
++                       * We saw some other event that is not
++                       * in our list of events. Discard
++                       * the whole match and start again.
++                       */
+                       ind = 0;
+                       start = NULL;
++                      if (!strcmp(ev->name, ids[ind])) {
++                              if (record_evsel(&ind, &start, idnum,
++                                               metric_events, ev))
++                                      return start;
++                      }
+               }
+       }
+       /*
+@@ -143,8 +166,8 @@ static int metricgroup__setup_events(struct list_head *groups,
+                       ret = -ENOMEM;
+                       break;
+               }
+-              evsel = find_evsel(perf_evlist, eg->ids, eg->idnum,
+-                                 metric_events);
++              evsel = find_evsel_group(perf_evlist, eg->ids, eg->idnum,
++                                       metric_events);
+               if (!evsel) {
+                       pr_debug("Cannot resolve %s: %s\n",
+                                       eg->metric_name, eg->metric_expr);
+-- 
+2.20.1
+
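Review bot: The mismatch branch in `find_evsel_group()` repeats the compare-and-record sequence of the match branch, which makes the restart rule harder to follow than necessary. Resetting first and then falling through to a single `record_evsel()` call expresses the same logic once, as sketched below. Separately, `record_evsel()` stores NULL at `metric_events[idnum]`, so the array needs `idnum + 1` slots; its allocation is outside the hunk and should be checked against that.

```c
	evlist__for_each_entry (perf_evlist, ev) {
		/* … unchanged: skip events with collect_stat set … */
		if (strcmp(ev->name, ids[ind])) {
			/* Not the next expected event: drop the partial match ... */
			ind = 0;
			start = NULL;
			/* ... and retry this event as a possible first element. */
			if (strcmp(ev->name, ids[0]))
				continue;
		}
		if (record_evsel(&ind, &start, idnum, metric_events, ev))
			return start;
	}
```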
diff --git a/queue-4.19/perf-stat-make-metric-event-lookup-more-robust.patch b/queue-4.19/perf-stat-make-metric-event-lookup-more-robust.patch
new file mode 100644 (file)
index 0000000..8fbf033
--- /dev/null
@@ -0,0 +1,51 @@
+From 31cfa2680ec794243499d95cbf59206876e3c7e3 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 24 Jun 2019 12:37:08 -0700
+Subject: perf stat: Make metric event lookup more robust
+
+[ Upstream commit 145c407c808352acd625be793396fd4f33c794f8 ]
+
+After setting up metric groups through the event parser, the metricgroup
+code looks them up again in the event list.
+
+Make sure we only look up events that haven't been used by some other
+metric. The data structures currently cannot handle more than one metric
+per event. This avoids problems with multiple events partially
+overlapping.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Link: http://lkml.kernel.org/r/20190624193711.35241-2-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-shadow.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c
+index 99990f5f2512..bbb0e042d8e5 100644
+--- a/tools/perf/util/stat-shadow.c
++++ b/tools/perf/util/stat-shadow.c
+@@ -303,7 +303,7 @@ static struct perf_evsel *perf_stat__find_event(struct perf_evlist *evsel_list,
+       struct perf_evsel *c2;
+       evlist__for_each_entry (evsel_list, c2) {
+-              if (!strcasecmp(c2->name, name))
++              if (!strcasecmp(c2->name, name) && !c2->collect_stat)
+                       return c2;
+       }
+       return NULL;
+@@ -342,7 +342,8 @@ void perf_stat__collect_metric_expr(struct perf_evlist *evsel_list)
+                       if (leader) {
+                               /* Search in group */
+                               for_each_group_member (oc, leader) {
+-                                      if (!strcasecmp(oc->name, metric_names[i])) {
++                                      if (!strcasecmp(oc->name, metric_names[i]) &&
++                                              !oc->collect_stat) {
+                                               found = true;
+                                               break;
+                                       }
+-- 
+2.20.1
+
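Review bot: The new `!c2->collect_stat` test in perf_stat__find_event() and the matching `!oc->collect_stat` test in perf_stat__collect_metric_expr() carry no comment, so the reason a name match is rejected lives only in the commit message. A one-line comment at the first site, e.g. `/* skip events already claimed by another metric; only one metric per event is supported */`, would keep that constraint next to the code. Both functions extend beyond their hunks, so how callers handle the `NULL` that perf_stat__find_event() can now return for an already-claimed name is not visible here and is worth confirming.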
diff --git a/queue-4.19/perf-test-6-fix-missing-kvm-module-load-for-s390.patch b/queue-4.19/perf-test-6-fix-missing-kvm-module-load-for-s390.patch
new file mode 100644 (file)
index 0000000..77ea8a9
--- /dev/null
@@ -0,0 +1,87 @@
+From 1d7fb59b2f7d942fbb59e03f55cee92179a5205e Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 4 Jun 2019 07:35:04 +0200
+Subject: perf test 6: Fix missing kvm module load for s390
+
+[ Upstream commit 53fe307dfd309e425b171f6272d64296a54f4dff ]
+
+Command
+
+   # perf test -Fv 6
+
+fails with error
+
+   running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse
+    event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint'
+    event syntax error: 'kvm-s390:kvm_s390_create_vm'
+                         \___ unknown tracepoint
+
+when the kvm module is not loaded or not built in.
+
+Fix this by adding a valid function which tests if the module
+is loaded. Loaded modules (or builtin KVM support) have a
+directory named
+  /sys/kernel/debug/tracing/events/kvm-s390
+for this tracepoint.
+
+Check for existence of this directory.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/parse-events.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c
+index 3b97ac018d5a..532c95e8fa6b 100644
+--- a/tools/perf/tests/parse-events.c
++++ b/tools/perf/tests/parse-events.c
+@@ -18,6 +18,32 @@
+ #define PERF_TP_SAMPLE_TYPE (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | \
+                            PERF_SAMPLE_CPU | PERF_SAMPLE_PERIOD)
++#if defined(__s390x__)
++/* Return true if kvm module is available and loaded. Test this
++ * and retun success when trace point kvm_s390_create_vm
++ * exists. Otherwise this test always fails.
++ */
++static bool kvm_s390_create_vm_valid(void)
++{
++      char *eventfile;
++      bool rc = false;
++
++      eventfile = get_events_file("kvm-s390");
++
++      if (eventfile) {
++              DIR *mydir = opendir(eventfile);
++
++              if (mydir) {
++                      rc = true;
++                      closedir(mydir);
++              }
++              put_events_file(eventfile);
++      }
++
++      return rc;
++}
++#endif
++
+ static int test__checkevent_tracepoint(struct perf_evlist *evlist)
+ {
+       struct perf_evsel *evsel = perf_evlist__first(evlist);
+@@ -1622,6 +1648,7 @@ static struct evlist_test test__events[] = {
+       {
+               .name  = "kvm-s390:kvm_s390_create_vm",
+               .check = test__checkevent_tracepoint,
++              .valid = kvm_s390_create_vm_valid,
+               .id    = 100,
+       },
+ #endif
+-- 
+2.20.1
+
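Review bot: kvm_s390_create_vm_valid() treats every opendir() failure as "tracepoint absent", so an events directory that exists but cannot be opened by the current user is indistinguishable from a missing kvm module. If that distinction matters for how the test result is reported, inspect `errno` after the failed opendir(), or at least say in the comment that any failure counts as unavailable. The header comment also contains a typo ("retun") and is hard to parse; `/* Return true if the kvm-s390 tracepoint directory exists, i.e. the kvm module is loaded or built in. */` states the contract directly.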
diff --git a/queue-4.19/perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch b/queue-4.19/perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch
new file mode 100644 (file)
index 0000000..64a019f
--- /dev/null
@@ -0,0 +1,82 @@
+From 950c17fd5322f46a4114df927df624d541c04b27 Mon Sep 17 00:00:00 2001
+From: Seeteena Thoufeek <s1seetee@linux.vnet.ibm.com>
+Date: Thu, 27 Jun 2019 15:46:54 +0530
+Subject: perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64
+
+[ Upstream commit bff5a556c149804de29347a88a884d25e4e4e3a2 ]
+
+'probe libc's inet_pton & backtrace it with ping' testcase sometimes
+fails on powerpc because distro ping binary does not have symbol
+information and thus it prints "[unknown]" function name in the
+backtrace.
+
+Accept "[unknown]" as valid function name for powerpc as well.
+
+ # perf test -v "probe libc's inet_pton & backtrace it with ping"
+
+Before:
+
+  59: probe libc's inet_pton & backtrace it with ping       :
+  --- start ---
+  test child forked, pid 79695
+  ping 79718 [077] 96483.787025: probe_libc:inet_pton: (7fff83a754c8)
+  7fff83a754c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
+  7fff83a2b7a0 gaih_inet.constprop.7+0x1020
+  (/usr/lib64/power9/libc-2.28.so)
+  7fff83a2c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
+  1171830f4 [unknown] (/usr/bin/ping)
+  FAIL: expected backtrace entry
+  ".*\+0x[[:xdigit:]]+[[:space:]]\(.*/bin/ping.*\)$"
+  got "1171830f4 [unknown] (/usr/bin/ping)"
+  test child finished with -1
+  ---- end ----
+  probe libc's inet_pton & backtrace it with ping: FAILED!
+
+After:
+
+  59: probe libc's inet_pton & backtrace it with ping       :
+  --- start ---
+  test child forked, pid 79085
+  ping 79108 [045] 96400.214177: probe_libc:inet_pton: (7fffbb9654c8)
+  7fffbb9654c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
+  7fffbb91b7a0 gaih_inet.constprop.7+0x1020
+  (/usr/lib64/power9/libc-2.28.so)
+  7fffbb91c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
+  132e830f4 [unknown] (/usr/bin/ping)
+  test child finished with 0
+  ---- end ----
+  probe libc's inet_pton & backtrace it with ping: Ok
+
+Signed-off-by: Seeteena Thoufeek <s1seetee@linux.vnet.ibm.com>
+Reviewed-by: Kim Phillips <kim.phillips@amd.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sandipan Das <sandipan@linux.ibm.com>
+Fixes: 1632936480a5 ("perf tests: Fix record+probe_libc_inet_pton.sh without ping's debuginfo")
+Link: http://lkml.kernel.org/r/1561630614-3216-1-git-send-email-s1seetee@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/shell/record+probe_libc_inet_pton.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
+index cab7b0aea6ea..f5837f28f3af 100755
+--- a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
++++ b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh
+@@ -43,7 +43,7 @@ trace_libc_inet_pton_backtrace() {
+               eventattr='max-stack=4'
+               echo "gaih_inet.*\+0x[[:xdigit:]]+[[:space:]]\($libc\)$" >> $expected
+               echo "getaddrinfo\+0x[[:xdigit:]]+[[:space:]]\($libc\)$" >> $expected
+-              echo ".*\+0x[[:xdigit:]]+[[:space:]]\(.*/bin/ping.*\)$" >> $expected
++              echo ".*(\+0x[[:xdigit:]]+|\[unknown\])[[:space:]]\(.*/bin/ping.*\)$" >> $expected
+               ;;
+       *)
+               eventattr='max-stack=3'
+-- 
+2.20.1
+
diff --git a/queue-4.19/perf-tools-increase-max_nr_cpus-and-max_caches.patch b/queue-4.19/perf-tools-increase-max_nr_cpus-and-max_caches.patch
new file mode 100644 (file)
index 0000000..3195948
--- /dev/null
@@ -0,0 +1,70 @@
+From 4acba89a7e5c6bbedd5e2057cc9d3e9c24a9ddab Mon Sep 17 00:00:00 2001
+From: Kyle Meyer <kyle.meyer@hpe.com>
+Date: Thu, 20 Jun 2019 14:36:30 -0500
+Subject: perf tools: Increase MAX_NR_CPUS and MAX_CACHES
+
+[ Upstream commit 9f94c7f947e919c343b30f080285af53d0fa9902 ]
+
+Attempting to profile 1024 or more CPUs with perf causes two errors:
+
+  perf record -a
+  [ perf record: Woken up X times to write data ]
+  way too many cpu caches..
+  [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+  perf report -C 1024
+  Error: failed to set  cpu bitmap
+  Requested CPU 1024 too large. Consider raising MAX_NR_CPUS
+
+  Increasing MAX_NR_CPUS from 1024 to 2048 and redefining MAX_CACHES as
+  MAX_NR_CPUS * 4 returns normal functionality to perf:
+
+  perf record -a
+  [ perf record: Woken up X times to write data ]
+  [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+  perf report -C 1024
+  ...
+
+Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20190620193630.154025-1-meyerk@stormcage.eag.rdlabs.hpecorp.net
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/perf.h        | 2 +-
+ tools/perf/util/header.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/perf.h b/tools/perf/perf.h
+index 21bf7f5a3cf5..19d435a9623b 100644
+--- a/tools/perf/perf.h
++++ b/tools/perf/perf.h
+@@ -26,7 +26,7 @@ static inline unsigned long long rdclock(void)
+ }
+ #ifndef MAX_NR_CPUS
+-#define MAX_NR_CPUS                   1024
++#define MAX_NR_CPUS                   2048
+ #endif
+ extern const char *input_name;
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index b9a82598e2ac..7f2e3b1c746c 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -1173,7 +1173,7 @@ static int build_caches(struct cpu_cache_level caches[], u32 size, u32 *cntp)
+       return 0;
+ }
+-#define MAX_CACHES 2000
++#define MAX_CACHES (MAX_NR_CPUS * 4)
+ static int write_cache(struct feat_fd *ff,
+                      struct perf_evlist *evlist __maybe_unused)
+-- 
+2.20.1
+
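Review bot: Redefining `MAX_CACHES` as `(MAX_NR_CPUS * 4)` in util/header.c raises it from 2000 to 8192 entries, and because perf.h guards `MAX_NR_CPUS` with `#ifndef` it now also grows with any build-time override. write_cache()'s body is outside the hunk; if it declares a local `struct cpu_cache_level caches[MAX_CACHES]`, as the array parameter of build_caches() suggests, the stack frame becomes roughly four times larger and would be better served by a heap allocation sized from the CPUs actually present. A comment on the define saying where the factor 4 comes from would also help the next person who has to raise the limit.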
diff --git a/queue-4.19/perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch b/queue-4.19/perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch
new file mode 100644 (file)
index 0000000..86f4dad
--- /dev/null
@@ -0,0 +1,70 @@
+From fe2e549b7bd8a6c753c52b153c912511c2ccdd33 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 30 Apr 2019 17:53:43 -0700
+Subject: perf/x86/intel/uncore: Handle invalid event coding for free-running
+ counter
+
+[ Upstream commit 543ac280b3576c0009e8c0fcd4d6bfc9978d7bd0 ]
+
+Counting with invalid event coding for free-running counter may cause
+OOPs, e.g. uncore_iio_free_running_0/event=1/.
+
+Current code only validate the event with free-running event format,
+event=0xff,umask=0xXY. Non-free-running event format never be checked
+for the PMU with free-running counters.
+
+Add generic hw_config() to check and reject the invalid event coding
+for free-running PMU.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: acme@kernel.org
+Cc: eranian@google.com
+Fixes: 0f519f0352e3 ("perf/x86/intel/uncore: Support IIO free-running counters on SKX")
+Link: https://lkml.kernel.org/r/1556672028-119221-2-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore.h       | 10 ++++++++++
+ arch/x86/events/intel/uncore_snbep.c |  1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/arch/x86/events/intel/uncore.h b/arch/x86/events/intel/uncore.h
+index cc6dd4f78158..42fa3974c421 100644
+--- a/arch/x86/events/intel/uncore.h
++++ b/arch/x86/events/intel/uncore.h
+@@ -402,6 +402,16 @@ static inline bool is_freerunning_event(struct perf_event *event)
+              (((cfg >> 8) & 0xff) >= UNCORE_FREERUNNING_UMASK_START);
+ }
++/* Check and reject invalid config */
++static inline int uncore_freerunning_hw_config(struct intel_uncore_box *box,
++                                             struct perf_event *event)
++{
++      if (is_freerunning_event(event))
++              return 0;
++
++      return -EINVAL;
++}
++
+ static inline void uncore_disable_box(struct intel_uncore_box *box)
+ {
+       if (box->pmu->type->ops->disable_box)
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index b10e04387f38..8e4e8e423839 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -3585,6 +3585,7 @@ static struct uncore_event_desc skx_uncore_iio_freerunning_events[] = {
+ static struct intel_uncore_ops skx_uncore_iio_freerunning_ops = {
+       .read_counter           = uncore_msr_read_counter,
++      .hw_config              = uncore_freerunning_hw_config,
+ };
+ static struct attribute *skx_uncore_iio_freerunning_formats_attr[] = {
+-- 
+2.20.1
+
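Review bot: uncore_freerunning_hw_config() is wired up only for `skx_uncore_iio_freerunning_ops` in this patch, so any other free-running ops table in the uncore drivers (none is visible in these hunks) would still accept an arbitrary event coding supplied by the user. It is worth checking for other ops structs that serve free-running counters and giving them the same `.hw_config`. The helper's comment could also state the rule it enforces, e.g. `/* Free-running PMUs accept only the free-running encoding (event=0xff, umask=0xXY); reject everything else. */`, and mention that `box` is unused and present only to match the callback signature.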
diff --git a/queue-4.19/qed-iwarp-fix-tc-for-mpa-ll2-connection.patch b/queue-4.19/qed-iwarp-fix-tc-for-mpa-ll2-connection.patch
new file mode 100644 (file)
index 0000000..b56743c
--- /dev/null
@@ -0,0 +1,36 @@
+From 42a705f473c9c66c3dfd954227ee5265d7fd4dca Mon Sep 17 00:00:00 2001
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Thu, 13 Jun 2019 11:29:42 +0300
+Subject: qed: iWARP - Fix tc for MPA ll2 connection
+
+[ Upstream commit cb94d52b93c74fe1f2595734fabeda9f8ae891ee ]
+
+The driver needs to assign a lossless traffic class for the MPA ll2
+connection to ensure no packets are dropped when returning from the
+driver as they will never be re-transmitted by the peer.
+
+Fixes: ae3488ff37dc ("qed: Add ll2 connection for processing unaligned MPA packets")
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+index b7471e48db7b..7002a660b6b4 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+@@ -2709,6 +2709,8 @@ qed_iwarp_ll2_start(struct qed_hwfn *p_hwfn,
+       data.input.rx_num_desc = n_ooo_bufs * 2;
+       data.input.tx_num_desc = data.input.rx_num_desc;
+       data.input.tx_max_bds_per_packet = QED_IWARP_MAX_BDS_PER_FPDU;
++      data.input.tx_tc = PKT_LB_TC;
++      data.input.tx_dest = QED_LL2_TX_DEST_LB;
+       data.p_connection_handle = &iwarp_info->ll2_mpa_handle;
+       data.input.secondary_queue = true;
+       data.cbs = &cbs;
+-- 
+2.20.1
+
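Review bot: The two added assignments `data.input.tx_tc = PKT_LB_TC;` and `data.input.tx_dest = QED_LL2_TX_DEST_LB;` in qed_iwarp_ll2_start() have no comment, and the reason for them is recorded only in the commit message. I would put `/* MPA ll2 needs a lossless TC: packets dropped here are never retransmitted by the peer */` above them so the setting is not "cleaned up" later. The function starts and ends outside the hunk.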
diff --git a/queue-4.19/qed-set-the-doorbell-address-correctly.patch b/queue-4.19/qed-set-the-doorbell-address-correctly.patch
new file mode 100644 (file)
index 0000000..50733ed
--- /dev/null
@@ -0,0 +1,104 @@
+From ecf9242d0f99d383cf462b700f5ad8383de07b04 Mon Sep 17 00:00:00 2001
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Sun, 26 May 2019 15:22:25 +0300
+Subject: qed: Set the doorbell address correctly
+
+[ Upstream commit 8366d520019f366fabd6c7a13032bdcd837e18d4 ]
+
+In 100g mode the doorbell bar is united for both engines. Set
+the correct offset in the hwfn so that the doorbell returned
+for RoCE is in the affined hwfn.
+
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Denis Bolotin <denis.bolotin@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c  | 29 ++++++++++++++--------
+ drivers/net/ethernet/qlogic/qed/qed_rdma.c |  2 +-
+ 2 files changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index 4dd82a1612aa..a6a9688db307 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -3096,6 +3096,7 @@ static void qed_nvm_info_free(struct qed_hwfn *p_hwfn)
+ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+                                void __iomem *p_regview,
+                                void __iomem *p_doorbells,
++                               u64 db_phys_addr,
+                                enum qed_pci_personality personality)
+ {
+       int rc = 0;
+@@ -3103,6 +3104,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+       /* Split PCI bars evenly between hwfns */
+       p_hwfn->regview = p_regview;
+       p_hwfn->doorbells = p_doorbells;
++      p_hwfn->db_phys_addr = db_phys_addr;
+       if (IS_VF(p_hwfn->cdev))
+               return qed_vf_hw_prepare(p_hwfn);
+@@ -3198,7 +3200,9 @@ int qed_hw_prepare(struct qed_dev *cdev,
+       /* Initialize the first hwfn - will learn number of hwfns */
+       rc = qed_hw_prepare_single(p_hwfn,
+                                  cdev->regview,
+-                                 cdev->doorbells, personality);
++                                 cdev->doorbells,
++                                 cdev->db_phys_addr,
++                                 personality);
+       if (rc)
+               return rc;
+@@ -3207,22 +3211,25 @@ int qed_hw_prepare(struct qed_dev *cdev,
+       /* Initialize the rest of the hwfns */
+       if (cdev->num_hwfns > 1) {
+               void __iomem *p_regview, *p_doorbell;
+-              u8 __iomem *addr;
++              u64 db_phys_addr;
++              u32 offset;
+               /* adjust bar offset for second engine */
+-              addr = cdev->regview +
+-                     qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
+-                                     BAR_ID_0) / 2;
+-              p_regview = addr;
++              offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
++                                       BAR_ID_0) / 2;
++              p_regview = cdev->regview + offset;
+-              addr = cdev->doorbells +
+-                     qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
+-                                     BAR_ID_1) / 2;
+-              p_doorbell = addr;
++              offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt,
++                                       BAR_ID_1) / 2;
++
++              p_doorbell = cdev->doorbells + offset;
++
++              db_phys_addr = cdev->db_phys_addr + offset;
+               /* prepare second hw function */
+               rc = qed_hw_prepare_single(&cdev->hwfns[1], p_regview,
+-                                         p_doorbell, personality);
++                                         p_doorbell, db_phys_addr,
++                                         personality);
+               /* in case of error, need to free the previously
+                * initiliazed hwfn 0.
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+index 7873d6dfd91f..13802b825d65 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+@@ -803,7 +803,7 @@ static int qed_rdma_add_user(void *rdma_cxt,
+                                    dpi_start_offset +
+                                    ((out_params->dpi) * p_hwfn->dpi_size));
+-      out_params->dpi_phys_addr = p_hwfn->cdev->db_phys_addr +
++      out_params->dpi_phys_addr = p_hwfn->db_phys_addr +
+                                   dpi_start_offset +
+                                   ((out_params->dpi) * p_hwfn->dpi_size);
+-- 
+2.20.1
+
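Review bot: In qed_hw_prepare() the single `u32 offset` is assigned twice, first from `BAR_ID_0` and then from `BAR_ID_1`, and `db_phys_addr = cdev->db_phys_addr + offset;` is correct only because it happens to follow the second assignment. Separate names make that dependency explicit and survive reordering: `u32 reg_offset, db_offset;` with `p_doorbell = cdev->doorbells + db_offset;` and `db_phys_addr = cdev->db_phys_addr + db_offset;`. Since qed_rdma_add_user() returns a `dpi_phys_addr` derived from this value to its caller, a wrong offset would presumably hand out an address in the other engine's doorbell region, which is the failure this commit is fixing.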
diff --git a/queue-4.19/ras-cec-fix-pfn-insertion.patch b/queue-4.19/ras-cec-fix-pfn-insertion.patch
new file mode 100644 (file)
index 0000000..6b8aa5f
--- /dev/null
@@ -0,0 +1,56 @@
+From a4b3f91ce3c42d56a6a8d22d378b080dee383a3e Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Sat, 20 Apr 2019 12:53:05 +0200
+Subject: RAS/CEC: Fix pfn insertion
+
+[ Upstream commit 6d8e294bf5f0e85c34e8b14b064e2965f53f38b0 ]
+
+When inserting random PFNs for debugging the CEC through
+(debugfs)/ras/cec/pfn, depending on the return value of pfn_set(),
+multiple values get inserted per a single write.
+
+That is because simple_attr_write() interprets a retval of 0 as
+success and claims the whole input. However, pfn_set() returns the
+cec_add_elem() value, which, if > 0 and smaller than the whole input
+length, makes glibc continue issuing the write syscall until there's
+input left:
+
+  pfn_set
+  simple_attr_write
+  debugfs_attr_write
+  full_proxy_write
+  vfs_write
+  ksys_write
+  do_syscall_64
+  entry_SYSCALL_64_after_hwframe
+
+leading to those repeated calls.
+
+Return 0 to fix that.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ras/cec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ras/cec.c b/drivers/ras/cec.c
+index f85d6b7a1984..5d2b2c02cbbe 100644
+--- a/drivers/ras/cec.c
++++ b/drivers/ras/cec.c
+@@ -369,7 +369,9 @@ static int pfn_set(void *data, u64 val)
+ {
+       *(u64 *)data = val;
+-      return cec_add_elem(val);
++      cec_add_elem(val);
++
++      return 0;
+ }
+ DEFINE_DEBUGFS_ATTRIBUTE(pfn_ops, u64_get, pfn_set, "0x%llx\n");
+-- 
+2.20.1
+
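Review bot: pfn_set() now discards the return value of cec_add_elem() entirely, so any failure there is reported to the debugfs writer as success. The commit message only discusses positive return values; if cec_add_elem() can also return a negative errno (its body is not in the hunk), that path should be kept, e.g. `int ret = cec_add_elem(val);` followed by `return ret < 0 ? ret : 0;`. That still fixes the repeated-write behaviour described in the message while leaving real errors visible.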
diff --git a/queue-4.19/rcu-force-inlining-of-rcu_read_lock.patch b/queue-4.19/rcu-force-inlining-of-rcu_read_lock.patch
new file mode 100644 (file)
index 0000000..1f67e46
--- /dev/null
@@ -0,0 +1,55 @@
+From e0ac4ce8d506a5da28af9f74c2416bd624b8e4a5 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Tue, 21 May 2019 16:48:43 -0400
+Subject: rcu: Force inlining of rcu_read_lock()
+
+[ Upstream commit 6da9f775175e516fc7229ceaa9b54f8f56aa7924 ]
+
+When debugging options are turned on, the rcu_read_lock() function
+might not be inlined. This results in lockdep's print_lock() function
+printing "rcu_read_lock+0x0/0x70" instead of rcu_read_lock()'s caller.
+For example:
+
+[   10.579995] =============================
+[   10.584033] WARNING: suspicious RCU usage
+[   10.588074] 4.18.0.memcg_v2+ #1 Not tainted
+[   10.593162] -----------------------------
+[   10.597203] include/linux/rcupdate.h:281 Illegal context switch in
+RCU read-side critical section!
+[   10.606220]
+[   10.606220] other info that might help us debug this:
+[   10.606220]
+[   10.614280]
+[   10.614280] rcu_scheduler_active = 2, debug_locks = 1
+[   10.620853] 3 locks held by systemd/1:
+[   10.624632]  #0: (____ptrval____) (&type->i_mutex_dir_key#5){.+.+}, at: lookup_slow+0x42/0x70
+[   10.633232]  #1: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+[   10.640954]  #2: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+
+These "rcu_read_lock+0x0/0x70" strings are not providing any useful
+information.  This commit therefore forces inlining of the rcu_read_lock()
+function so that rcu_read_lock()'s caller is instead shown.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index e102c5bccbb9..68cbe111420b 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -620,7 +620,7 @@ static inline void rcu_preempt_sleep_check(void) { }
+  * read-side critical sections may be preempted and they may also block, but
+  * only when acquiring spinlocks that are subject to priority inheritance.
+  */
+-static inline void rcu_read_lock(void)
++static __always_inline void rcu_read_lock(void)
+ {
+       __rcu_read_lock();
+       __acquire(RCU);
+-- 
+2.20.1
+
diff --git a/queue-4.19/regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch b/queue-4.19/regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch
new file mode 100644 (file)
index 0000000..129b29d
--- /dev/null
@@ -0,0 +1,55 @@
+From 08cc326fb6fe9fc99ef1e2f5e759e471c2223526 Mon Sep 17 00:00:00 2001
+From: Daniel Baluta <daniel.baluta@nxp.com>
+Date: Fri, 17 May 2019 13:23:49 +0000
+Subject: regmap: debugfs: Fix memory leak in regmap_debugfs_init
+
+[ Upstream commit 2899872b627e99b7586fe3b6c9f861da1b4d5072 ]
+
+As detected by kmemleak running on i.MX6ULL board:
+
+nreferenced object 0xd8366600 (size 64):
+  comm "swapper/0", pid 1, jiffies 4294937370 (age 933.220s)
+  hex dump (first 32 bytes):
+    64 75 6d 6d 79 2d 69 6f 6d 75 78 63 2d 67 70 72  dummy-iomuxc-gpr
+    40 32 30 65 34 30 30 30 00 e3 f3 ab fe d1 1b dd  @20e4000........
+  backtrace:
+    [<b0402aec>] kasprintf+0x2c/0x54
+    [<a6fbad2c>] regmap_debugfs_init+0x7c/0x31c
+    [<9c8d91fa>] __regmap_init+0xb5c/0xcf4
+    [<5b1c3d2a>] of_syscon_register+0x164/0x2c4
+    [<596a5d80>] syscon_node_to_regmap+0x64/0x90
+    [<49bd597b>] imx6ul_init_machine+0x34/0xa0
+    [<250a4dac>] customize_machine+0x1c/0x30
+    [<2d19fdaf>] do_one_initcall+0x7c/0x398
+    [<e6084469>] kernel_init_freeable+0x328/0x448
+    [<168c9101>] kernel_init+0x8/0x114
+    [<913268aa>] ret_from_fork+0x14/0x20
+    [<ce7b131a>] 0x0
+
+Root cause is that map->debugfs_name is allocated using kasprintf
+and then the pointer is lost by assigning it other memory address.
+
+Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-debugfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
+index 87b562e49a43..c9687c8b2347 100644
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -575,6 +575,8 @@ void regmap_debugfs_init(struct regmap *map, const char *name)
+       }
+       if (!strcmp(name, "dummy")) {
++              kfree(map->debugfs_name);
++
+               map->debugfs_name = kasprintf(GFP_KERNEL, "dummy%d",
+                                               dummy_index);
+               name = map->debugfs_name;
+-- 
+2.20.1
+
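Review bot: The result of `kasprintf()` in the `"dummy"` branch of regmap_debugfs_init() is still unchecked after this fix, so on allocation failure `name` becomes NULL immediately after the old string has been freed. The rest of the function is outside the hunk, but `name` is presumably what the debugfs directory is created with; adding `if (!map->debugfs_name) return;` right after the assignment avoids passing NULL on. The function returns `void`, so a plain early return fits.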
diff --git a/queue-4.19/regmap-fix-bulk-writes-on-paged-registers.patch b/queue-4.19/regmap-fix-bulk-writes-on-paged-registers.patch
new file mode 100644 (file)
index 0000000..e26d6bd
--- /dev/null
@@ -0,0 +1,42 @@
+From 2afd894d6adc8fa3fab302f46981fc5b90a52afc Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 12 Jun 2019 12:03:43 +0100
+Subject: regmap: fix bulk writes on paged registers
+
+[ Upstream commit db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b ]
+
+On buses like SlimBus and SoundWire which does not support
+gather_writes yet in regmap, A bulk write on paged register
+would be silently ignored after programming page.
+This is because local variable 'ret' value in regmap_raw_write_impl()
+gets reset to 0 once page register is written successfully and the
+code below checks for 'ret' value to be -ENOTSUPP before linearising
+the write buffer to send to bus->write().
+
+Fix this by resetting the 'ret' value to -ENOTSUPP in cases where
+gather_writes() is not supported or single register write is
+not possible.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 0360a90ad6b6..6c9f6988bc09 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1618,6 +1618,8 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg,
+                                            map->format.reg_bytes +
+                                            map->format.pad_bytes,
+                                            val, val_len);
++      else
++              ret = -ENOTSUPP;
+       /* If that didn't work fall back on linearising by hand. */
+       if (ret == -ENOTSUPP) {
+-- 
+2.20.1
+
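Review bot: The added `else ret = -ENOTSUPP;` in _regmap_raw_write_impl() hangs off an `if` whose condition is outside the hunk and carries no comment, so it reads as if an error were being invented. A short comment such as `/* ret may be 0 from the page select above; force the linearising fallback */` would explain why the value is reset. Because the `if` arm is a call spread over several lines, braces on both arms would also make the pairing obvious.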
diff --git a/queue-4.19/rslib-fix-decoding-of-shortened-codes.patch b/queue-4.19/rslib-fix-decoding-of-shortened-codes.patch
new file mode 100644 (file)
index 0000000..0ef2535
--- /dev/null
@@ -0,0 +1,44 @@
+From 9c0b7436acee97fc33e8e7e0ea7cd5f2662bb29a Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:34 +0300
+Subject: rslib: Fix decoding of shortened codes
+
+[ Upstream commit 2034a42d1747fc1e1eeef2c6f1789c4d0762cb9c ]
+
+The decoding of shortenend codes is broken. It only works as expected if
+there are no erasures.
+
+When decoding with erasures, Lambda (the error and erasure locator
+polynomial) is initialized from the given erasure positions. The pad
+parameter is not accounted for by the initialisation code, and hence
+Lambda is initialized from incorrect erasure positions.
+
+The fix is to adjust the erasure positions by the supplied pad.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-3-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 1db74eb098d0..3313bf944ff1 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -99,9 +99,9 @@
+       if (no_eras > 0) {
+               /* Init lambda to be the erasure locator polynomial */
+               lambda[1] = alpha_to[rs_modnn(rs,
+-                                            prim * (nn - 1 - eras_pos[0]))];
++                                      prim * (nn - 1 - (eras_pos[0] + pad)))];
+               for (i = 1; i < no_eras; i++) {
+-                      u = rs_modnn(rs, prim * (nn - 1 - eras_pos[i]));
++                      u = rs_modnn(rs, prim * (nn - 1 - (eras_pos[i] + pad)));
+                       for (j = i + 1; j > 0; j--) {
+                               tmp = index_of[lambda[j - 1]];
+                               if (tmp != nn) {
+-- 
+2.20.1
+
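Review bot: The new index `nn - 1 - (eras_pos[i] + pad)` becomes negative whenever a caller passes an erasure position at or beyond `nn - pad`, and nothing in this hunk bounds `eras_pos[]`. If rs_modnn() only reduces values that are `>= nn` (its body is not shown), the negative product would index `alpha_to[]` out of bounds. Rejecting such positions before the loop, e.g. `if (eras_pos[i] >= nn - pad)` returning the decoder's error code, turns bad caller input into an error instead of a stray read. The enclosing decoder body starts and ends outside the hunk.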
diff --git a/queue-4.19/rslib-fix-handling-of-of-caller-provided-syndrome.patch b/queue-4.19/rslib-fix-handling-of-of-caller-provided-syndrome.patch
new file mode 100644 (file)
index 0000000..a7d871c
--- /dev/null
@@ -0,0 +1,46 @@
+From 09a01e6bd53236e8951196954b0b2f760f06fd7c Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:37 +0300
+Subject: rslib: Fix handling of of caller provided syndrome
+
+[ Upstream commit ef4d6a8556b637ad27c8c2a2cff1dda3da38e9a9 ]
+
+Check if the syndrome provided by the caller is zero, and act
+accordingly.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-6-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 3313bf944ff1..121beb2f0930 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -42,8 +42,18 @@
+       BUG_ON(pad < 0 || pad >= nn);
+       /* Does the caller provide the syndrome ? */
+-      if (s != NULL)
+-              goto decode;
++      if (s != NULL) {
++              for (i = 0; i < nroots; i++) {
++                      /* The syndrome is in index form,
++                       * so nn represents zero
++                       */
++                      if (s[i] != nn)
++                              goto decode;
++              }
++
++              /* syndrome is zero, no errors to correct  */
++              return 0;
++      }
+       /* form the syndromes; i.e., evaluate data(x) at roots of
+        * g(x) */
+-- 
+2.20.1
+
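Review bot: The new zero-syndrome loop reads `nroots` entries of the caller's `s` and treats `nn` as zero, but that contract (index form, at least `nroots` entries) is stated only in the inline comment inside the branch. Wherever the decoder's parameters are documented, which is outside this hunk and may already cover it, a line such as `@s: syndrome in index form (nn encodes zero), nroots entries, or NULL` would let callers see the requirement without reading the body. The added block comment would also match the usual kernel form better with `/*` on a line of its own.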
diff --git a/queue-4.19/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch b/queue-4.19/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch
new file mode 100644 (file)
index 0000000..9755b4a
--- /dev/null
@@ -0,0 +1,104 @@
+From 9890c14d6dd00511b7bca554c5acf2fe100c6247 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Wed, 29 May 2019 14:57:30 +0800
+Subject: rtlwifi: rtl8192cu: fix error handle when usb probe failed
+
+[ Upstream commit 6c0ed66f1a5b84e2a812c7c2d6571a5621bf3396 ]
+
+rtl_usb_probe() must do error handle rtl_deinit_core() only if
+rtl_init_core() is done, otherwise goto error_out2.
+
+| usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
+| rtl_usb: reg 0xf0, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
+| rtl8192cu: Chip version 0x10
+| rtl_usb: reg 0xa, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
+| rtl_usb: Too few input end points found
+| INFO: trying to register non-static key.
+| the code is fine but needs lockdep annotation.
+| turning off the locking correctness validator.
+| CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
+| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+| Google 01/01/2011
+| Workqueue: usb_hub_wq hub_event
+| Call Trace:
+|   __dump_stack lib/dump_stack.c:77 [inline]
+|   dump_stack+0xe8/0x16e lib/dump_stack.c:113
+|   assign_lock_key kernel/locking/lockdep.c:786 [inline]
+|   register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
+|   __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
+|   lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
+|   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+|   _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
+|   rtl_c2hcmd_launcher+0xd1/0x390
+| drivers/net/wireless/realtek/rtlwifi/base.c:2344
+|   rtl_deinit_core+0x25/0x2d0 drivers/net/wireless/realtek/rtlwifi/base.c:574
+|   rtl_usb_probe.cold+0x861/0xa70
+| drivers/net/wireless/realtek/rtlwifi/usb.c:1093
+|   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
+|   really_probe+0x2da/0xb10 drivers/base/dd.c:509
+|   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+|   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+|   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+|   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+|   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+|   device_add+0xad2/0x16e0 drivers/base/core.c:2106
+|   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
+|   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
+|   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
+|   really_probe+0x2da/0xb10 drivers/base/dd.c:509
+|   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+|   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+|   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+|   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+|   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+|   device_add+0xad2/0x16e0 drivers/base/core.c:2106
+|   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
+|   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+|   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+|   port_event drivers/usb/core/hub.c:5350 [inline]
+|   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
+|   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
+|   worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
+|   kthread+0x313/0x420 kernel/kthread.c:253
+|   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+
+Reported-by: syzbot+1fcc5ef45175fc774231@syzkaller.appspotmail.com
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 2ac5004d7a40..5adb939afee8 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1081,13 +1081,13 @@ int rtl_usb_probe(struct usb_interface *intf,
+       rtlpriv->cfg->ops->read_eeprom_info(hw);
+       err = _rtl_usb_init(hw);
+       if (err)
+-              goto error_out;
++              goto error_out2;
+       rtl_usb_init_sw(hw);
+       /* Init mac80211 sw */
+       err = rtl_init_core(hw);
+       if (err) {
+               pr_err("Can't allocate sw for mac80211\n");
+-              goto error_out;
++              goto error_out2;
+       }
+       if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
+               pr_err("Can't init_sw_vars\n");
+@@ -1108,6 +1108,7 @@ int rtl_usb_probe(struct usb_interface *intf,
+ error_out:
+       rtl_deinit_core(hw);
++error_out2:
+       _rtl_usb_io_handler_release(hw);
+       usb_put_dev(udev);
+       complete(&rtlpriv->firmware_loading_complete);
+-- 
+2.20.1
+
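Review bot: The new label `error_out2` in rtl_usb_probe() says nothing about what it unwinds, and the kernel coding style asks for labels named after what the goto does; something like `error_release_io:` would make both changed `goto` sites self-explanatory. Judging by the quoted log ("Too few input end points found"), this path is reached on device-supplied data, so the unwind order deserves a short comment above the first changed `goto`, e.g. `/* rtl_init_core() has not run yet: skip rtl_deinit_core() */`. The second changed `goto` follows a failed `rtl_init_core()`; whether that function undoes its own partial setup before returning an error is not visible here and should be confirmed. The function body starts and ends outside the hunk.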
diff --git a/queue-4.19/rxrpc-fix-oops-in-tracepoint.patch b/queue-4.19/rxrpc-fix-oops-in-tracepoint.patch
new file mode 100644 (file)
index 0000000..ed1ed24
--- /dev/null
@@ -0,0 +1,106 @@
+From ff74c571f43d44a2f795af30fd99631256502163 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 2 Jul 2019 16:04:19 +0100
+Subject: rxrpc: Fix oops in tracepoint
+
+[ Upstream commit 99f0eae653b2db64917d0b58099eb51e300b311d ]
+
+If the rxrpc_eproto tracepoint is enabled, an oops will be cause by the
+trace line that rxrpc_extract_header() tries to emit when a protocol error
+occurs (typically because the packet is short) because the call argument is
+NULL.
+
+Fix this by using ?: to assume 0 as the debug_id if call is NULL.
+
+This can then be induced by:
+
+       echo -e '\0\0\0\0\0\0\0\0' | ncat -4u --send-only <addr> 20001
+
+where addr has the following program running on it:
+
+       #include <stdio.h>
+       #include <stdlib.h>
+       #include <string.h>
+       #include <unistd.h>
+       #include <sys/socket.h>
+       #include <arpa/inet.h>
+       #include <linux/rxrpc.h>
+       int main(void)
+       {
+               struct sockaddr_rxrpc srx;
+               int fd;
+               memset(&srx, 0, sizeof(srx));
+               srx.srx_family                  = AF_RXRPC;
+               srx.srx_service                 = 0;
+               srx.transport_type              = AF_INET;
+               srx.transport_len               = sizeof(srx.transport.sin);
+               srx.transport.sin.sin_family    = AF_INET;
+               srx.transport.sin.sin_port      = htons(0x4e21);
+               fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET6);
+               bind(fd, (struct sockaddr *)&srx, sizeof(srx));
+               sleep(20);
+               return 0;
+       }
+
+It results in the following oops.
+
+       BUG: kernel NULL pointer dereference, address: 0000000000000340
+       #PF: supervisor read access in kernel mode
+       #PF: error_code(0x0000) - not-present page
+       ...
+       RIP: 0010:trace_event_raw_event_rxrpc_rx_eproto+0x47/0xac
+       ...
+       Call Trace:
+        <IRQ>
+        rxrpc_extract_header+0x86/0x171
+        ? rcu_read_lock_sched_held+0x5d/0x63
+        ? rxrpc_new_skb+0xd4/0x109
+        rxrpc_input_packet+0xef/0x14fc
+        ? rxrpc_input_data+0x986/0x986
+        udp_queue_rcv_one_skb+0xbf/0x3d0
+        udp_unicast_rcv_skb.isra.8+0x64/0x71
+        ip_protocol_deliver_rcu+0xe4/0x1b4
+        ip_local_deliver+0xf0/0x154
+        __netif_receive_skb_one_core+0x50/0x6c
+        netif_receive_skb_internal+0x26b/0x2e9
+        napi_gro_receive+0xf8/0x1da
+        rtl8169_poll+0x303/0x4c4
+        net_rx_action+0x10e/0x333
+        __do_softirq+0x1a5/0x38f
+        irq_exit+0x54/0xc4
+        do_IRQ+0xda/0xf8
+        common_interrupt+0xf/0xf
+        </IRQ>
+        ...
+        ? cpuidle_enter_state+0x23c/0x34d
+        cpuidle_enter+0x2a/0x36
+        do_idle+0x163/0x1ea
+        cpu_startup_entry+0x1d/0x1f
+        start_secondary+0x157/0x172
+        secondary_startup_64+0xa4/0xb0
+
+Fixes: a25e21f0bcd2 ("rxrpc, afs: Use debug_ids rather than pointers in traces")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/rxrpc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
+index 6d182746afab..147546e0c11b 100644
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -1381,7 +1381,7 @@ TRACE_EVENT(rxrpc_rx_eproto,
+                            ),
+           TP_fast_assign(
+-                  __entry->call = call->debug_id;
++                  __entry->call = call ? call->debug_id : 0;
+                   __entry->serial = serial;
+                   __entry->why = why;
+                          ),
+-- 
+2.20.1
+
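Review bot: The guard `call ? call->debug_id : 0` in TRACE_EVENT(rxrpc_rx_eproto) carries no comment saying why `call` can be NULL, so it is likely to be read as redundant and dropped later. Per the commit message the NULL case is reached from a short packet received off the network, so I would add `/* call may be NULL, e.g. when rxrpc_extract_header() rejects a short packet */` above the assignment. Other events in this header that dereference `call` are outside the hunk and should be checked for callers that can pass NULL in the same way. The TRACE_EVENT definition starts and ends outside the hunk.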
diff --git a/queue-4.19/s390-qdio-handle-pending-state-for-qebsm-devices.patch b/queue-4.19/s390-qdio-handle-pending-state-for-qebsm-devices.patch
new file mode 100644 (file)
index 0000000..5938cea
--- /dev/null
@@ -0,0 +1,39 @@
+From 84c42cf5c015f43302bf25142564d74b1fd108eb Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 3 Jun 2019 07:47:04 +0200
+Subject: s390/qdio: handle PENDING state for QEBSM devices
+
+[ Upstream commit 04310324c6f482921c071444833e70fe861b73d9 ]
+
+When a CQ-enabled device uses QEBSM for SBAL state inspection,
+get_buf_states() can return the PENDING state for an Output Queue.
+get_outbound_buffer_frontier() isn't prepared for this, and any PENDING
+buffer will permanently stall all further completion processing on this
+Queue.
+
+This isn't a concern for non-QEBSM devices, as get_buf_states() for such
+devices will manually turn PENDING buffers into EMPTY ones.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/qdio_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index 9c7d9da42ba0..4ac4a73037f5 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -749,6 +749,7 @@ static int get_outbound_buffer_frontier(struct qdio_q *q)
+       switch (state) {
+       case SLSB_P_OUTPUT_EMPTY:
++      case SLSB_P_OUTPUT_PENDING:
+               /* the adapter got it */
+               DBF_DEV_EVENT(DBF_INFO, q->irq_ptr,
+                       "out empty:%1d %02x", q->nr, count);
+-- 
+2.20.1
+
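Review bot: With `case SLSB_P_OUTPUT_PENDING:` falling into the EMPTY branch of get_outbound_buffer_frontier(), the debug event `"out empty:%1d %02x"` and the comment `/* the adapter got it */` now also cover PENDING buffers, so the trace no longer tells the two states apart. A one-line comment on the new case, e.g. `/* QEBSM with CQ can report PENDING; handle it like EMPTY */`, would record that the fall-through is intended. If telling the states apart in the debug feature matters, the state value could be added to the event text. The switch continues outside the hunk.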
diff --git a/queue-4.19/sched-core-add-__sched-tag-for-io_schedule.patch b/queue-4.19/sched-core-add-__sched-tag-for-io_schedule.patch
new file mode 100644 (file)
index 0000000..02db24c
--- /dev/null
@@ -0,0 +1,47 @@
+From 05515efa68dced1e2bfb0267ca491c9baf272fc1 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <gaoxiang25@huawei.com>
+Date: Mon, 3 Jun 2019 17:13:38 +0800
+Subject: sched/core: Add __sched tag for io_schedule()
+
+[ Upstream commit e3b929b0a184edb35531153c5afcaebb09014f9d ]
+
+Non-inline io_schedule() was introduced in:
+
+  commit 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()")
+
+Keep in line with io_schedule_timeout(), otherwise "/proc/<pid>/wchan" will
+report io_schedule() rather than its callers when waiting for IO.
+
+Reported-by: Jilong Kou <koujilong@huawei.com>
+Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Miao Xie <miaoxie@huawei.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()")
+Link: https://lkml.kernel.org/r/20190603091338.2695-1-gaoxiang25@huawei.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 6859ea1d5c04..795c63ca44a9 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5133,7 +5133,7 @@ long __sched io_schedule_timeout(long timeout)
+ }
+ EXPORT_SYMBOL(io_schedule_timeout);
+-void io_schedule(void)
++void __sched io_schedule(void)
+ {
+       int token;
+-- 
+2.20.1
+
diff --git a/queue-4.19/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch b/queue-4.19/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch
new file mode 100644 (file)
index 0000000..da3a495
--- /dev/null
@@ -0,0 +1,64 @@
+From e8020ad44b4c0b0421dbe734f20e3ada2b1244f7 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 3 Jun 2019 17:11:44 -0400
+Subject: sched/fair: Fix "runnable_avg_yN_inv" not used warnings
+
+[ Upstream commit 509466b7d480bc5d22e90b9fbe6122ae0e2fbe39 ]
+
+runnable_avg_yN_inv[] is only used in kernel/sched/pelt.c but was
+included in several other places because they need other macros all
+came from kernel/sched/sched-pelt.h which was generated by
+Documentation/scheduler/sched-pelt. As the result, it causes compilation
+a lot of warnings,
+
+  kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=]
+  kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=]
+  kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=]
+  ...
+
+Silence it by appending the __maybe_unused attribute for it, so all
+generated variables and macros can still be kept in the same file.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/1559596304-31581-1-git-send-email-cai@lca.pw
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/scheduler/sched-pelt.c | 3 ++-
+ kernel/sched/sched-pelt.h            | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/scheduler/sched-pelt.c b/Documentation/scheduler/sched-pelt.c
+index e4219139386a..7238b355919c 100644
+--- a/Documentation/scheduler/sched-pelt.c
++++ b/Documentation/scheduler/sched-pelt.c
+@@ -20,7 +20,8 @@ void calc_runnable_avg_yN_inv(void)
+       int i;
+       unsigned int x;
+-      printf("static const u32 runnable_avg_yN_inv[] = {");
++      /* To silence -Wunused-but-set-variable warnings. */
++      printf("static const u32 runnable_avg_yN_inv[] __maybe_unused = {");
+       for (i = 0; i < HALFLIFE; i++) {
+               x = ((1UL<<32)-1)*pow(y, i);
+diff --git a/kernel/sched/sched-pelt.h b/kernel/sched/sched-pelt.h
+index a26473674fb7..c529706bed11 100644
+--- a/kernel/sched/sched-pelt.h
++++ b/kernel/sched/sched-pelt.h
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ /* Generated by Documentation/scheduler/sched-pelt; do not modify. */
+-static const u32 runnable_avg_yN_inv[] = {
++static const u32 runnable_avg_yN_inv[] __maybe_unused = {
+       0xffffffff, 0xfa83b2da, 0xf5257d14, 0xefe4b99a, 0xeac0c6e6, 0xe5b906e6,
+       0xe0ccdeeb, 0xdbfbb796, 0xd744fcc9, 0xd2a81d91, 0xce248c14, 0xc9b9bd85,
+       0xc5672a10, 0xc12c4cc9, 0xbd08a39e, 0xb8fbaf46, 0xb504f333, 0xb123f581,
+-- 
+2.20.1
+
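Review bot: The comment added in calc_runnable_avg_yN_inv() names `-Wunused-but-set-variable`, while the warning quoted in the commit message is `-Wunused-const-variable`; it should read `/* To silence -Wunused-const-variable warnings. */`. Because kernel/sched/sched-pelt.h is marked as generated, the hand edit in the second file section has to stay in step with this printf string, and regenerating the header is the way to confirm that it does.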
diff --git a/queue-4.19/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch b/queue-4.19/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch
new file mode 100644 (file)
index 0000000..d5557cd
--- /dev/null
@@ -0,0 +1,78 @@
+From 464971f41c1606a6ce1d5b7eb64f3457e6962148 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Wed, 26 Jun 2019 19:27:34 +0200
+Subject: scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not
+ supported
+
+[ Upstream commit 5dd6c49339126c2c8df2179041373222362d6e49 ]
+
+If the CHAP_A value is not supported, the chap_server_open() function
+should free the auth_protocol pointer and set it to NULL, or we will leave
+a dangling pointer around.
+
+[   66.010905] Unsupported CHAP_A value
+[   66.011660] Security negotiation failed.
+[   66.012443] iSCSI Login negotiation failed.
+[   68.413924] general protection fault: 0000 [#1] SMP PTI
+[   68.414962] CPU: 0 PID: 1562 Comm: targetcli Kdump: loaded Not tainted 4.18.0-80.el8.x86_64 #1
+[   68.416589] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[   68.417677] RIP: 0010:__kmalloc_track_caller+0xc2/0x210
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Chris Leech <cleech@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
+index 4e680d753941..e2fa3a3bc81d 100644
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -89,6 +89,12 @@ static int chap_check_algorithm(const char *a_str)
+       return CHAP_DIGEST_UNKNOWN;
+ }
++static void chap_close(struct iscsi_conn *conn)
++{
++      kfree(conn->auth_protocol);
++      conn->auth_protocol = NULL;
++}
++
+ static struct iscsi_chap *chap_server_open(
+       struct iscsi_conn *conn,
+       struct iscsi_node_auth *auth,
+@@ -126,7 +132,7 @@ static struct iscsi_chap *chap_server_open(
+       case CHAP_DIGEST_UNKNOWN:
+       default:
+               pr_err("Unsupported CHAP_A value\n");
+-              kfree(conn->auth_protocol);
++              chap_close(conn);
+               return NULL;
+       }
+@@ -141,19 +147,13 @@ static struct iscsi_chap *chap_server_open(
+        * Generate Challenge.
+        */
+       if (chap_gen_challenge(conn, 1, aic_str, aic_len) < 0) {
+-              kfree(conn->auth_protocol);
++              chap_close(conn);
+               return NULL;
+       }
+       return chap;
+ }
+-static void chap_close(struct iscsi_conn *conn)
+-{
+-      kfree(conn->auth_protocol);
+-      conn->auth_protocol = NULL;
+-}
+-
+ static int chap_server_compute_md5(
+       struct iscsi_conn *conn,
+       struct iscsi_node_auth *auth,
+-- 
+2.20.1
+
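Review bot: chap_close() is now what both error paths in chap_server_open() rely on to free `conn->auth_protocol` and clear it, but it has no comment saying so, and a bare `kfree(conn->auth_protocol)` anywhere else would bring the dangling pointer back. A comment above the helper such as `/* Free the CHAP state and NULL the pointer; always use this instead of kfree() */` would make the rule explicit. Call sites outside these hunks are not visible and should be checked for the same pattern. If the freed structure holds challenge or digest material, which the hunks do not show, `kzfree()` would be worth considering in place of `kfree()`.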
diff --git a/queue-4.19/selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch b/queue-4.19/selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch
new file mode 100644 (file)
index 0000000..4e53a04
--- /dev/null
@@ -0,0 +1,102 @@
+From fad5738c1b8576febc00e83cb0648e7f8146c907 Mon Sep 17 00:00:00 2001
+From: Jiri Benc <jbenc@redhat.com>
+Date: Tue, 2 Jul 2019 19:40:31 +0200
+Subject: selftests: bpf: fix inlines in test_lwt_seg6local
+
+[ Upstream commit 11aca65ec4db09527d3e9b6b41a0615b7da4386b ]
+
+Selftests are reporting this failure in test_lwt_seg6local.sh:
+
++ ip netns exec ns2 ip -6 route add fb00::6 encap bpf in obj test_lwt_seg6local.o sec encap_srh dev veth2
+Error fetching program/map!
+Failed to parse eBPF program: Operation not permitted
+
+The problem is __attribute__((always_inline)) alone is not enough to prevent
+clang from inserting those functions in .text. In that case, .text is not
+marked as relocateable.
+
+See the output of objdump -h test_lwt_seg6local.o:
+
+Idx Name          Size      VMA               LMA               File off  Algn
+  0 .text         00003530  0000000000000000  0000000000000000  00000040  2**3
+                  CONTENTS, ALLOC, LOAD, READONLY, CODE
+
+This causes the iproute bpf loader to fail in bpf_fetch_prog_sec:
+bpf_has_call_data returns true but bpf_fetch_prog_relo fails as there's no
+relocateable .text section in the file.
+
+To fix this, convert to 'static __always_inline'.
+
+v2: Use 'static __always_inline' instead of 'static inline
+    __attribute__((always_inline))'
+
+Fixes: c99a84eac026 ("selftests/bpf: test for seg6local End.BPF action")
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_lwt_seg6local.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_lwt_seg6local.c b/tools/testing/selftests/bpf/test_lwt_seg6local.c
+index 0575751bc1bc..e2f6ed0a583d 100644
+--- a/tools/testing/selftests/bpf/test_lwt_seg6local.c
++++ b/tools/testing/selftests/bpf/test_lwt_seg6local.c
+@@ -61,7 +61,7 @@ struct sr6_tlv_t {
+       unsigned char value[0];
+ } BPF_PACKET_HEADER;
+-__attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb)
++static __always_inline struct ip6_srh_t *get_srh(struct __sk_buff *skb)
+ {
+       void *cursor, *data_end;
+       struct ip6_srh_t *srh;
+@@ -95,7 +95,7 @@ __attribute__((always_inline)) struct ip6_srh_t *get_srh(struct __sk_buff *skb)
+       return srh;
+ }
+-__attribute__((always_inline))
++static __always_inline
+ int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad,
+                  uint32_t old_pad, uint32_t pad_off)
+ {
+@@ -125,7 +125,7 @@ int update_tlv_pad(struct __sk_buff *skb, uint32_t new_pad,
+       return 0;
+ }
+-__attribute__((always_inline))
++static __always_inline
+ int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh,
+                         uint32_t *tlv_off, uint32_t *pad_size,
+                         uint32_t *pad_off)
+@@ -184,7 +184,7 @@ int is_valid_tlv_boundary(struct __sk_buff *skb, struct ip6_srh_t *srh,
+       return 0;
+ }
+-__attribute__((always_inline))
++static __always_inline
+ int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off,
+           struct sr6_tlv_t *itlv, uint8_t tlv_size)
+ {
+@@ -228,7 +228,7 @@ int add_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh, uint32_t tlv_off,
+       return update_tlv_pad(skb, new_pad, pad_size, pad_off);
+ }
+-__attribute__((always_inline))
++static __always_inline
+ int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh,
+              uint32_t tlv_off)
+ {
+@@ -266,7 +266,7 @@ int delete_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh,
+       return update_tlv_pad(skb, new_pad, pad_size, pad_off);
+ }
+-__attribute__((always_inline))
++static __always_inline
+ int has_egr_tlv(struct __sk_buff *skb, struct ip6_srh_t *srh)
+ {
+       int tlv_offset = sizeof(struct ip6_t) + sizeof(struct ip6_srh_t) +
+-- 
+2.20.1
+
diff --git a/queue-4.19/selinux-fix-empty-write-to-keycreate-file.patch b/queue-4.19/selinux-fix-empty-write-to-keycreate-file.patch
new file mode 100644 (file)
index 0000000..8395dd4
--- /dev/null
@@ -0,0 +1,53 @@
+From cf2e5fe4fad76c097ae6823832c77e7e97418fe5 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 12 Jun 2019 10:12:26 +0200
+Subject: selinux: fix empty write to keycreate file
+
+[ Upstream commit 464c258aa45b09f16aa0f05847ed8895873262d9 ]
+
+When sid == 0 (we are resetting keycreate_sid to the default value), we
+should skip the KEY__CREATE check.
+
+Before this patch, doing a zero-sized write to /proc/self/keycreate
+would check if the current task can create unlabeled keys (which would
+usually fail with -EACCESS and generate an AVC). Now it skips the check
+and correctly sets the task's keycreate_sid to 0.
+
+Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067
+
+Tested using the reproducer from the report above.
+
+Fixes: 4eb582cf1fbd ("[PATCH] keys: add a way to store the appropriate context for newly-created keys")
+Reported-by: Kir Kolyshkin <kir@sacred.ru>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/hooks.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 70bad15ed7a0..109ab510bdb1 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -6550,11 +6550,12 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
+       } else if (!strcmp(name, "fscreate")) {
+               tsec->create_sid = sid;
+       } else if (!strcmp(name, "keycreate")) {
+-              error = avc_has_perm(&selinux_state,
+-                                   mysid, sid, SECCLASS_KEY, KEY__CREATE,
+-                                   NULL);
+-              if (error)
+-                      goto abort_change;
++              if (sid) {
++                      error = avc_has_perm(&selinux_state, mysid, sid,
++                                           SECCLASS_KEY, KEY__CREATE, NULL);
++                      if (error)
++                              goto abort_change;
++              }
+               tsec->keycreate_sid = sid;
+       } else if (!strcmp(name, "sockcreate")) {
+               tsec->sockcreate_sid = sid;
+-- 
+2.20.1
+
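Review bot: The new `if (sid)` in the "keycreate" branch of selinux_setprocattr() skips `avc_has_perm()` without a comment saying that 0 is the reset-to-default value, so the skipped permission check reads like an oversight. I would add `/* sid == 0 resets keycreate_sid to the default; no KEY__CREATE check applies */` above the condition. How `sid` ends up 0 (the commit message mentions a zero-sized write) is decided earlier in the function, outside the hunk; it is worth confirming that no other input maps to 0 and so passes without the check unintentionally.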
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644 (file)
index 0000000..b4480fb
--- /dev/null
@@ -0,0 +1,163 @@
+mips-ath79-fix-ar933x-uart-parity-mode.patch
+mips-fix-build-on-non-linux-hosts.patch
+arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
+scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch
+dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
+wil6210-fix-potential-out-of-bounds-read.patch
+ath10k-do-not-send-probe-response-template-for-mesh.patch
+ath9k-check-for-errors-when-reading-srev-register.patch
+ath6kl-add-some-bounds-checking.patch
+ath10k-add-peer-id-check-in-ath10k_peer_find_by_id.patch
+wil6210-fix-spurious-interrupts-in-3-msi.patch
+ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
+regmap-debugfs-fix-memory-leak-in-regmap_debugfs_ini.patch
+batman-adv-fix-for-leaked-tvlv-handler.patch
+media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
+media-spi-ir-led-add-missing-of-table-registration.patch
+crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
+media-ov7740-avoid-invalid-framesize-setting.patch
+media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
+media-vpss-fix-a-potential-null-pointer-dereference.patch
+media-media_device_enum_links32-clean-a-reserved-fie.patch
+net-stmmac-dwmac1000-clear-unused-address-entries.patch
+net-stmmac-dwmac4-5-clear-unused-address-entries.patch
+qed-set-the-doorbell-address-correctly.patch
+signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
+signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
+af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
+xfrm-fix-xfrm-sel-prefix-length-validation.patch
+fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch
+perf-annotate-tui-browser-do-not-use-member-from-var.patch
+media-mc-device.c-don-t-memset-__user-pointer-conten.patch
+media-saa7164-fix-remove_proc_entry-warning.patch
+media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
+net-phy-check-against-net_device-being-null.patch
+crypto-talitos-properly-handle-split-icv.patch
+crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch
+tua6100-avoid-build-warnings.patch
+batman-adv-fix-duplicated-ogms-on-netdev_up.patch
+locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch
+media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
+net-hns3-set-ops-to-null-when-unregister-ad_dev.patch
+cpupower-frequency-set-r-option-misses-the-last-cpu-.patch
+arm64-mm-make-config_zone_dma32-configurable.patch
+perf-jvmti-address-gcc-string-overflow-warning-for-s.patch
+net-stmmac-dwmac4-fix-flow-control-issue.patch
+net-stmmac-modify-default-value-of-tx-frames.patch
+crypto-inside-secure-do-not-rely-on-the-hardware-las.patch
+net-fec-do-not-use-netdev-messages-too-early.patch
+net-axienet-fix-race-condition-causing-tx-hang.patch
+s390-qdio-handle-pending-state-for-qebsm-devices.patch
+ras-cec-fix-pfn-insertion.patch
+net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch
+ipset-fix-memory-accounting-for-hash-types-on-resize.patch
+perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch
+perf-test-6-fix-missing-kvm-module-load-for-s390.patch
+perf-report-fix-oom-error-in-tui-mode-on-s390.patch
+irqchip-meson-gpio-add-support-for-meson-g12a-soc.patch
+media-uvcvideo-fix-access-to-uninitialized-fields-on.patch
+media-fdp1-support-m3n-and-e3-platforms.patch
+iommu-fix-a-leak-in-iommu_insert_resv_region.patch
+gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch
+gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
+regmap-fix-bulk-writes-on-paged-registers.patch
+bpf-silence-warning-messages-in-core.patch
+media-s5p-mfc-fix-reading-min-scratch-buffer-size-on.patch
+selinux-fix-empty-write-to-keycreate-file.patch
+x86-cpu-add-ice-lake-nnpi-to-intel-family.patch
+asoc-meson-axg-tdm-fix-sample-clock-inversion.patch
+rcu-force-inlining-of-rcu_read_lock.patch
+x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch
+qed-iwarp-fix-tc-for-mpa-ll2-connection.patch
+net-hns3-fix-for-skb-leak-when-doing-selftest.patch
+block-null_blk-fix-race-condition-for-null_del_dev.patch
+blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
+xfrm-fix-sa-selector-validation.patch
+sched-core-add-__sched-tag-for-io_schedule.patch
+sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch
+perf-x86-intel-uncore-handle-invalid-event-coding-fo.patch
+x86-atomic-fix-smp_mb__-before-after-_atomic.patch
+perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
+vhost_net-disable-zerocopy-by-default.patch
+ipoib-correcly-show-a-vf-hardware-address.patch
+x86-cacheinfo-fix-a-wtype-limits-warning.patch
+blk-iolatency-only-account-submitted-bios.patch
+acpica-clear-status-of-gpes-on-first-direct-enable.patch
+edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch
+nvme-fix-possible-io-failures-when-removing-multipat.patch
+nvme-pci-properly-report-state-change-failure-in-nvm.patch
+nvme-pci-set-the-errno-on-ctrl-state-change-error.patch
+lightnvm-pblk-fix-freeing-of-merged-pages.patch
+arm64-do-not-enable-irqs-for-ct_user_exit.patch
+ipsec-select-crypto-ciphers-for-xfrm_algo.patch
+ipvs-defer-hook-registration-to-avoid-leaks.patch
+media-s5p-mfc-make-additional-clocks-optional.patch
+media-i2c-fix-warning-same-module-names.patch
+ntp-limit-tai-utc-offset.patch
+timer_list-guard-procfs-specific-code.patch
+acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
+media-coda-fix-mpeg2-sequence-number-handling.patch
+media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch
+media-coda-increment-sequence-offset-for-the-last-re.patch
+media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch
+media-hdpvr-fix-locking-and-a-missing-msleep.patch
+net-stmmac-sun8i-force-select-external-phy-when-no-i.patch
+rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch
+mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
+x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
+mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
+ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch
+ath10k-add-missing-error-handling.patch
+ath10k-fix-pcie-device-wake-up-failed.patch
+perf-tools-increase-max_nr_cpus-and-max_caches.patch
+asoc-intel-hdac_hdmi-set-ops-to-null-on-remove.patch
+libata-don-t-request-sense-data-on-zac-ata-devices.patch
+clocksource-drivers-exynos_mct-increase-priority-ove.patch
+xsk-properly-terminate-assignment-in-xskq_produce_fl.patch
+rslib-fix-decoding-of-shortened-codes.patch
+rslib-fix-handling-of-of-caller-provided-syndrome.patch
+ixgbe-check-ddm-existence-in-transceiver-before-acce.patch
+crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch
+crypto-asymmetric_keys-select-crypto_hash-where-need.patch
+wil6210-drop-old-event-after-wmi_call-timeout.patch
+edac-fix-global-out-of-bounds-write-when-setting-eda.patch
+bcache-check-cache_set_io_disable-in-allocator-code.patch
+bcache-check-cache_set_io_disable-bit-in-bch_journal.patch
+bcache-acquire-bch_register_lock-later-in-cached_dev.patch
+bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
+bcache-fix-potential-deadlock-in-cached_def_free.patch
+net-hns3-fix-a-wformat-nonliteral-compile-warning.patch
+net-hns3-add-some-error-checking-in-hclge_tm-module.patch
+ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch
+net-mvpp2-prs-don-t-override-the-sign-bit-in-sram-pa.patch
+igb-clear-out-skb-tstamp-after-reading-the-txtime.patch
+iwlwifi-mvm-drop-large-non-sta-frames.patch
+bpf-fix-uapi-bpf_prog_info-fields-alignment.patch
+perf-stat-make-metric-event-lookup-more-robust.patch
+perf-stat-fix-group-lookup-for-metric-group.patch
+bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitel.patch
+net-usb-asix-init-mac-address-buffers.patch
+rxrpc-fix-oops-in-tracepoint.patch
+bpf-libbpf-smatch-fix-potential-null-pointer-derefer.patch
+selftests-bpf-fix-inlines-in-test_lwt_seg6local.patch
+bonding-validate-ip-header-before-check-ipproto_igmp.patch
+gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch
+tools-bpftool-fix-json-dump-crash-on-powerpc.patch
+bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
+bluetooth-add-new-13d3-3491-qca_rome-device.patch
+bluetooth-add-new-13d3-3501-qca_rome-device.patch
+bluetooth-6lowpan-search-for-destination-address-in-.patch
+perf-tests-fix-record-probe_libc_inet_pton.sh-for-po.patch
+bluetooth-check-state-in-l2cap_disconnect_rsp.patch
+gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch
+bluetooth-validate-ble-connection-interval-updates.patch
+gtp-fix-suspicious-rcu-usage.patch
+gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch
+gtp-fix-use-after-free-in-gtp_encap_destroy.patch
+gtp-fix-use-after-free-in-gtp_newlink.patch
+net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch
+iavf-fix-dereference-of-null-rx_buffer-pointer.patch
+floppy-fix-div-by-zero-in-setup_format_params.patch
+floppy-fix-out-of-bounds-read-in-next_valid_format.patch
+floppy-fix-invalid-pointer-dereference-in-drive_name.patch
+floppy-fix-out-of-bounds-read-in-copy_buffer.patch
diff --git a/queue-4.19/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch b/queue-4.19/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
new file mode 100644 (file)
index 0000000..67724bb
--- /dev/null
@@ -0,0 +1,52 @@
+From be4ea26fa58b1a1b0d8ff750d0f40645c444b890 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:33:50 -0500
+Subject: signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of
+ force_sig
+
+[ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change).  The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal.  The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Namjae Jeon <namjae.jeon@samsung.com>
+Cc: Jeff Layton <jlayton@primarydata.com>
+Cc: Steve French <smfrench@gmail.com>
+Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"")
+Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index f31339db45fd..82b3af47bce3 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2428,7 +2428,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
+       task = xchg(&server->tsk, NULL);
+       if (task)
+-              force_sig(SIGKILL, task);
++              send_sig(SIGKILL, task, 1);
+ }
+ static struct TCP_Server_Info *
+-- 
+2.20.1
+
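Review bot: The bare `1` passed as the third argument of `send_sig(SIGKILL, task, 1)` is unexplained, both here and in the identical change to reboot_pid_ns in the next patch. A short comment such as `/* priv = 1: the signal originates from the kernel, not from a user task */` would spare the reader a lookup. In cifs_put_tcp_session the task pointer comes from `xchg(&server->tsk, NULL)` with no lock or task reference visible in the hunk, whereas reboot_pid_ns holds `tasklist_lock` around the call. Whether the task_struct is pinned elsewhere cannot be told from these lines and is worth confirming. The function body starts outside the hunk.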
diff --git a/queue-4.19/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch b/queue-4.19/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
new file mode 100644 (file)
index 0000000..9fe4480
--- /dev/null
@@ -0,0 +1,50 @@
+From 483a8fd4f8551f3a816031f1100b38ec4aaafcff Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:29:52 -0500
+Subject: signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
+
+[ Upstream commit f9070dc94542093fd516ae4ccea17ef46a4362c5 ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change).  The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal.  The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Daniel Lezcano <daniel.lezcano@free.fr>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Fixes: cf3f89214ef6 ("pidns: add reboot_pid_ns() to handle the reboot syscall")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/pid_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index 2a2ac53d8b8b..95271f180687 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -325,7 +325,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd)
+       }
+       read_lock(&tasklist_lock);
+-      force_sig(SIGKILL, pid_ns->child_reaper);
++      send_sig(SIGKILL, pid_ns->child_reaper, 1);
+       read_unlock(&tasklist_lock);
+       do_exit(0);
+-- 
+2.20.1
+
diff --git a/queue-4.19/timer_list-guard-procfs-specific-code.patch b/queue-4.19/timer_list-guard-procfs-specific-code.patch
new file mode 100644 (file)
index 0000000..4128236
--- /dev/null
@@ -0,0 +1,89 @@
+From 517cb608aba7fd90c374fa5ae33775a45e1f518e Mon Sep 17 00:00:00 2001
+From: Nathan Huckleberry <nhuck@google.com>
+Date: Fri, 14 Jun 2019 11:16:04 -0700
+Subject: timer_list: Guard procfs specific code
+
+[ Upstream commit a9314773a91a1d3b36270085246a6715a326ff00 ]
+
+With CONFIG_PROC_FS=n the following warning is emitted:
+
+kernel/time/timer_list.c:361:36: warning: unused variable
+'timer_list_sops' [-Wunused-const-variable]
+   static const struct seq_operations timer_list_sops = {
+
+Add #ifdef guard around procfs specific code.
+
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: john.stultz@linaro.org
+Cc: sboyd@kernel.org
+Cc: clang-built-linux@googlegroups.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/534
+Link: https://lkml.kernel.org/r/20190614181604.112297-1-nhuck@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timer_list.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
+index d647dabdac97..07afcfe2a61b 100644
+--- a/kernel/time/timer_list.c
++++ b/kernel/time/timer_list.c
+@@ -287,23 +287,6 @@ static inline void timer_list_header(struct seq_file *m, u64 now)
+       SEQ_printf(m, "\n");
+ }
+-static int timer_list_show(struct seq_file *m, void *v)
+-{
+-      struct timer_list_iter *iter = v;
+-
+-      if (iter->cpu == -1 && !iter->second_pass)
+-              timer_list_header(m, iter->now);
+-      else if (!iter->second_pass)
+-              print_cpu(m, iter->cpu, iter->now);
+-#ifdef CONFIG_GENERIC_CLOCKEVENTS
+-      else if (iter->cpu == -1 && iter->second_pass)
+-              timer_list_show_tickdevices_header(m);
+-      else
+-              print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
+-#endif
+-      return 0;
+-}
+-
+ void sysrq_timer_list_show(void)
+ {
+       u64 now = ktime_to_ns(ktime_get());
+@@ -322,6 +305,24 @@ void sysrq_timer_list_show(void)
+       return;
+ }
++#ifdef CONFIG_PROC_FS
++static int timer_list_show(struct seq_file *m, void *v)
++{
++      struct timer_list_iter *iter = v;
++
++      if (iter->cpu == -1 && !iter->second_pass)
++              timer_list_header(m, iter->now);
++      else if (!iter->second_pass)
++              print_cpu(m, iter->cpu, iter->now);
++#ifdef CONFIG_GENERIC_CLOCKEVENTS
++      else if (iter->cpu == -1 && iter->second_pass)
++              timer_list_show_tickdevices_header(m);
++      else
++              print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
++#endif
++      return 0;
++}
++
+ static void *move_iter(struct timer_list_iter *iter, loff_t offset)
+ {
+       for (; offset; offset--) {
+@@ -381,3 +382,4 @@ static int __init init_timer_list_procfs(void)
+       return 0;
+ }
+ __initcall(init_timer_list_procfs);
++#endif
+-- 
+2.20.1
+
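Review bot: The closing `#endif` added after `__initcall(init_timer_list_procfs);` is unlabeled, although the `#ifdef CONFIG_PROC_FS` it closes sits roughly eighty lines earlier and the guarded region holds a nested `#ifdef CONFIG_GENERIC_CLOCKEVENTS` / `#endif` pair. Writing it as `#endif /* CONFIG_PROC_FS */` makes the pairing unambiguous. The guarded region runs through code outside the hunks.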
diff --git a/queue-4.19/tools-bpftool-fix-json-dump-crash-on-powerpc.patch b/queue-4.19/tools-bpftool-fix-json-dump-crash-on-powerpc.patch
new file mode 100644 (file)
index 0000000..78479ca
--- /dev/null
@@ -0,0 +1,91 @@
+From 088a4ba0538b678567436a09ceef095a5b66f902 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Fri, 5 Jul 2019 14:10:31 +0200
+Subject: tools: bpftool: Fix json dump crash on powerpc
+
+[ Upstream commit aa52bcbe0e72fac36b1862db08b9c09c4caefae3 ]
+
+Michael reported crash with by bpf program in json mode on powerpc:
+
+  # bpftool prog -p dump jited id 14
+  [{
+        "name": "0xd00000000a9aa760",
+        "insns": [{
+                "pc": "0x0",
+                "operation": "nop",
+                "operands": [null
+                ]
+            },{
+                "pc": "0x4",
+                "operation": "nop",
+                "operands": [null
+                ]
+            },{
+                "pc": "0x8",
+                "operation": "mflr",
+  Segmentation fault (core dumped)
+
+The code is assuming char pointers in format, which is not always
+true at least for powerpc. Fixing this by dumping the whole string
+into buffer based on its format.
+
+Please note that libopcodes code does not check return values from
+fprintf callback, but as per Jakub suggestion returning -1 on allocation
+failure so we do the best effort to propagate the error.
+
+Fixes: 107f041212c1 ("tools: bpftool: add JSON output for `bpftool prog dump jited *` command")
+Reported-by: Michael Petlan <mpetlan@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/jit_disasm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/bpf/bpftool/jit_disasm.c b/tools/bpf/bpftool/jit_disasm.c
+index 87439320ef70..73d7252729fa 100644
+--- a/tools/bpf/bpftool/jit_disasm.c
++++ b/tools/bpf/bpftool/jit_disasm.c
+@@ -10,6 +10,8 @@
+  * Licensed under the GNU General Public License, version 2.0 (GPLv2)
+  */
++#define _GNU_SOURCE
++#include <stdio.h>
+ #include <stdarg.h>
+ #include <stdint.h>
+ #include <stdio.h>
+@@ -51,11 +53,13 @@ static int fprintf_json(void *out, const char *fmt, ...)
+       char *s;
+       va_start(ap, fmt);
++      if (vasprintf(&s, fmt, ap) < 0)
++              return -1;
++      va_end(ap);
++
+       if (!oper_count) {
+               int i;
+-              s = va_arg(ap, char *);
+-
+               /* Strip trailing spaces */
+               i = strlen(s) - 1;
+               while (s[i] == ' ')
+@@ -68,11 +72,10 @@ static int fprintf_json(void *out, const char *fmt, ...)
+       } else if (!strcmp(fmt, ",")) {
+                  /* Skip */
+       } else {
+-              s = va_arg(ap, char *);
+               jsonw_string(json_wtr, s);
+               oper_count++;
+       }
+-      va_end(ap);
++      free(s);
+       return 0;
+ }
+-- 
+2.20.1
+
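Review bot: The early `return -1` after a failed `vasprintf()` leaves `va_start(ap, fmt)` without a matching `va_end(ap)`, which the C standard requires on every path. Ending the list before the check fixes it: `err = vasprintf(&s, fmt, ap);`, `va_end(ap);`, `if (err < 0) return -1;`, with `int err;` declared next to `s`. Separately, `s` is now the fully formatted output rather than a caller-supplied argument, so the context lines `i = strlen(s) - 1;` and `while (s[i] == ' ')` would read `s[-1]` if the disassembler ever formats an empty string. Adding `i >= 0 &&` to that loop condition closes the gap. fprintf_json starts before and continues between the two hunks.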
diff --git a/queue-4.19/tua6100-avoid-build-warnings.patch b/queue-4.19/tua6100-avoid-build-warnings.patch
new file mode 100644 (file)
index 0000000..8f4c02a
--- /dev/null
@@ -0,0 +1,94 @@
+From 7e3b8b430b6f994f86e69ceae93e082255a68048 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 30 May 2019 11:36:15 -0700
+Subject: tua6100: Avoid build warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 621ccc6cc5f8d6730b740d31d4818227866c93c9 ]
+
+Rename _P to _P_VAL and _R to _R_VAL to avoid global
+namespace conflicts:
+
+drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
+drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
+ #define _P 32
+
+In file included from ./include/acpi/platform/aclinux.h:54,
+                 from ./include/acpi/platform/acenv.h:152,
+                 from ./include/acpi/acpi.h:22,
+                 from ./include/linux/acpi.h:34,
+                 from ./include/linux/i2c.h:17,
+                 from drivers/media/dvb-frontends/tua6100.h:30,
+                 from drivers/media/dvb-frontends/tua6100.c:32:
+./include/linux/ctype.h:14: note: this is the location of the previous definition
+ #define _P 0x10 /* punct */
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c
+index b233b7be0b84..e6aaf4973aef 100644
+--- a/drivers/media/dvb-frontends/tua6100.c
++++ b/drivers/media/dvb-frontends/tua6100.c
+@@ -75,8 +75,8 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+       struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 };
+       struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 };
+-#define _R 4
+-#define _P 32
++#define _R_VAL 4
++#define _P_VAL 32
+ #define _ri 4000000
+       // setup register 0
+@@ -91,14 +91,14 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+       else
+               reg1[1] = 0x0c;
+-      if (_P == 64)
++      if (_P_VAL == 64)
+               reg1[1] |= 0x40;
+       if (c->frequency >= 1525000)
+               reg1[1] |= 0x80;
+       // register 2
+-      reg2[1] = (_R >> 8) & 0x03;
+-      reg2[2] = _R;
++      reg2[1] = (_R_VAL >> 8) & 0x03;
++      reg2[2] = _R_VAL;
+       if (c->frequency < 1455000)
+               reg2[1] |= 0x1c;
+       else if (c->frequency < 1630000)
+@@ -110,18 +110,18 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+        * The N divisor ratio (note: c->frequency is in kHz, but we
+        * need it in Hz)
+        */
+-      prediv = (c->frequency * _R) / (_ri / 1000);
+-      div = prediv / _P;
++      prediv = (c->frequency * _R_VAL) / (_ri / 1000);
++      div = prediv / _P_VAL;
+       reg1[1] |= (div >> 9) & 0x03;
+       reg1[2] = div >> 1;
+       reg1[3] = (div << 7);
+-      priv->frequency = ((div * _P) * (_ri / 1000)) / _R;
++      priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL;
+       // Finally, calculate and store the value for A
+-      reg1[3] |= (prediv - (div*_P)) & 0x7f;
++      reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f;
+-#undef _R
+-#undef _P
++#undef _R_VAL
++#undef _P_VAL
+ #undef _ri
+       if (fe->ops.i2c_gate_ctrl)
+-- 
+2.20.1
+
diff --git a/queue-4.19/vhost_net-disable-zerocopy-by-default.patch b/queue-4.19/vhost_net-disable-zerocopy-by-default.patch
new file mode 100644 (file)
index 0000000..21f4f93
--- /dev/null
@@ -0,0 +1,43 @@
+From 72245e1a80904fc617a0bcceba84ba8e07c74700 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 17 Jun 2019 05:20:54 -0400
+Subject: vhost_net: disable zerocopy by default
+
+[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ]
+
+Vhost_net was known to suffer from HOL[1] issues which is not easy to
+fix. Several downstream disable the feature by default. What's more,
+the datapath was split and datacopy path got the support of batching
+and XDP support recently which makes it faster than zerocopy part for
+small packets transmission.
+
+It looks to me that disable zerocopy by default is more
+appropriate. It cold be enabled by default again in the future if we
+fix the above issues.
+
+[1] https://patchwork.kernel.org/patch/3787671/
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 39155d7cc894..ae704658b528 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -36,7 +36,7 @@
+ #include "vhost.h"
+-static int experimental_zcopytx = 1;
++static int experimental_zcopytx = 0;
+ module_param(experimental_zcopytx, int, 0444);
+ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
+                                      " 1 -Enable; 0 - Disable");
+-- 
+2.20.1
+
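Review bot: The parameter description still reads `" 1 -Enable; 0 - Disable"` and does not say which value is the default, so nothing visible to an administrator reflects the default flipped by this hunk. Because the parameter is registered with mode `0444`, it can only be chosen at module load time, which makes the documented default the main hint. Extending the string to `" 1 - Enable; 0 - Disable (default)"` would cover it.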
diff --git a/queue-4.19/wil6210-drop-old-event-after-wmi_call-timeout.patch b/queue-4.19/wil6210-drop-old-event-after-wmi_call-timeout.patch
new file mode 100644 (file)
index 0000000..5128503
--- /dev/null
@@ -0,0 +1,56 @@
+From 1eb60a3a5c6265bfa2f92283ea91c384c203a4b9 Mon Sep 17 00:00:00 2001
+From: Ahmad Masri <amasri@codeaurora.org>
+Date: Sun, 16 Jun 2019 10:26:07 +0300
+Subject: wil6210: drop old event after wmi_call timeout
+
+[ Upstream commit 1a276003111c0404f6bfeffe924c5a21f482428b ]
+
+This change fixes a rare race condition of handling WMI events after
+wmi_call expires.
+
+wmi_recv_cmd immediately handles an event when reply_buf is defined and
+a wmi_call is waiting for the event.
+However, in case the wmi_call has already timed-out, there will be no
+waiting/running wmi_call and the event will be queued in WMI queue and
+will be handled later in wmi_event_handle.
+Meanwhile, a new similar wmi_call for the same command and event may
+be issued. In this case, when handling the queued event we got WARN_ON
+printed.
+
+Fixing this case as a valid timeout and drop the unexpected event.
+
+Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/wmi.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
+index 6e3b3031f29b..2010f771478d 100644
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -2816,7 +2816,18 @@ static void wmi_event_handle(struct wil6210_priv *wil,
+               /* check if someone waits for this event */
+               if (wil->reply_id && wil->reply_id == id &&
+                   wil->reply_mid == mid) {
+-                      WARN_ON(wil->reply_buf);
++                      if (wil->reply_buf) {
++                              /* event received while wmi_call is waiting
++                               * with a buffer. Such event should be handled
++                               * in wmi_recv_cmd function. Handling the event
++                               * here means a previous wmi_call was timeout.
++                               * Drop the event and do not handle it.
++                               */
++                              wil_err(wil,
++                                      "Old event (%d, %s) while wmi_call is waiting. Drop it and Continue waiting\n",
++                                      id, eventid2name(id));
++                              return;
++                      }
+                       wmi_evt_call_handler(vif, id, evt_data,
+                                            len - sizeof(*wmi));
+-- 
+2.20.1
+
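Review bot: The new drop path logs with plain `wil_err()`, and its trigger is a device event arriving after a timed-out wmi_call, so a device that keeps producing late events could fill the kernel log. The driver already has a rate-limited variant (the interrupt handlers elsewhere in this queue use it), and `wil_err_ratelimited(wil, "Old event (%d, %s) while wmi_call is waiting. Drop it and Continue waiting\n", id, eventid2name(id));` would bound the output. The added `return` also skips whatever wmi_event_handle does after this branch. That part of the function is outside the hunk, so it is worth confirming that nothing there still has to run for a dropped event.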
diff --git a/queue-4.19/wil6210-fix-potential-out-of-bounds-read.patch b/queue-4.19/wil6210-fix-potential-out-of-bounds-read.patch
new file mode 100644 (file)
index 0000000..b6f12ad
--- /dev/null
@@ -0,0 +1,52 @@
+From 64ceced96901b4bdae579f7b358c587d18acd8ec Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 15 Apr 2019 09:56:46 -0500
+Subject: wil6210: fix potential out-of-bounds read
+
+[ Upstream commit bfabdd6997323adbedccb13a3fed1967fb8cf8f5 ]
+
+Notice that *rc* can evaluate to up to 5, include/linux/netdevice.h:
+
+enum gro_result {
+        GRO_MERGED,
+        GRO_MERGED_FREE,
+        GRO_HELD,
+        GRO_NORMAL,
+        GRO_DROP,
+        GRO_CONSUMED,
+};
+typedef enum gro_result gro_result_t;
+
+In case *rc* evaluates to 5, we end up having an out-of-bounds read
+at drivers/net/wireless/ath/wil6210/txrx.c:821:
+
+       wil_dbg_txrx(wil, "Rx complete %d bytes => %s\n",
+                    len, gro_res_str[rc]);
+
+Fix this by adding element "GRO_CONSUMED" to array gro_res_str.
+
+Addresses-Coverity-ID: 1444666 ("Out-of-bounds read")
+Fixes: 194b482b5055 ("wil6210: Debug print GRO Rx result")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/txrx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
+index 75c8aa297107..1b1b58e0129a 100644
+--- a/drivers/net/wireless/ath/wil6210/txrx.c
++++ b/drivers/net/wireless/ath/wil6210/txrx.c
+@@ -736,6 +736,7 @@ void wil_netif_rx_any(struct sk_buff *skb, struct net_device *ndev)
+               [GRO_HELD]              = "GRO_HELD",
+               [GRO_NORMAL]            = "GRO_NORMAL",
+               [GRO_DROP]              = "GRO_DROP",
++              [GRO_CONSUMED]          = "GRO_CONSUMED",
+       };
+       wil->txrx_ops.get_netif_rx_params(skb, &cid, &security);
+-- 
+2.20.1
+
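Review bot: The lookup `gro_res_str[rc]` remains unchecked, so adding the `[GRO_CONSUMED]` initializer fixes only today's enum and the same out-of-bounds read returns when `enum gro_result` next grows. A guard at the use site such as `rc < ARRAY_SIZE(gro_res_str) ? gro_res_str[rc] : "unknown"` would hold regardless of future enum values. The array declaration and the `wil_dbg_txrx()` call that indexes it are outside the hunk; the call is only quoted in the commit message.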
diff --git a/queue-4.19/wil6210-fix-spurious-interrupts-in-3-msi.patch b/queue-4.19/wil6210-fix-spurious-interrupts-in-3-msi.patch
new file mode 100644 (file)
index 0000000..614e1fe
--- /dev/null
@@ -0,0 +1,180 @@
+From 1853f35da53d3380c44b0efb96cf47c8d7725791 Mon Sep 17 00:00:00 2001
+From: Maya Erez <merez@codeaurora.org>
+Date: Fri, 26 Apr 2019 18:43:29 +0300
+Subject: wil6210: fix spurious interrupts in 3-msi
+
+[ Upstream commit e10b0eddd5235aa5aef4e40b970e34e735611a80 ]
+
+Interrupt is set in ICM (ICR & ~IMV) rising trigger.
+As the driver masks the IRQ after clearing it, there can
+be a race where an additional spurious interrupt is triggered
+when the driver unmask the IRQ.
+This can happen in case HW triggers an interrupt after the clear
+and before the mask.
+
+To prevent the second spurious interrupt the driver needs to mask the
+IRQ before reading and clearing it.
+
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wil6210/interrupt.c | 65 ++++++++++++--------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/interrupt.c b/drivers/net/wireless/ath/wil6210/interrupt.c
+index 5d287a8e1b45..0655cd884514 100644
+--- a/drivers/net/wireless/ath/wil6210/interrupt.c
++++ b/drivers/net/wireless/ath/wil6210/interrupt.c
+@@ -296,21 +296,24 @@ void wil_configure_interrupt_moderation(struct wil6210_priv *wil)
+ static irqreturn_t wil6210_irq_rx(int irq, void *cookie)
+ {
+       struct wil6210_priv *wil = cookie;
+-      u32 isr = wil_ioread32_and_clear(wil->csr +
+-                                       HOSTADDR(RGF_DMA_EP_RX_ICR) +
+-                                       offsetof(struct RGF_ICR, ICR));
++      u32 isr;
+       bool need_unmask = true;
++      wil6210_mask_irq_rx(wil);
++
++      isr = wil_ioread32_and_clear(wil->csr +
++                                   HOSTADDR(RGF_DMA_EP_RX_ICR) +
++                                   offsetof(struct RGF_ICR, ICR));
++
+       trace_wil6210_irq_rx(isr);
+       wil_dbg_irq(wil, "ISR RX 0x%08x\n", isr);
+       if (unlikely(!isr)) {
+               wil_err_ratelimited(wil, "spurious IRQ: RX\n");
++              wil6210_unmask_irq_rx(wil);
+               return IRQ_NONE;
+       }
+-      wil6210_mask_irq_rx(wil);
+-
+       /* RX_DONE and RX_HTRSH interrupts are the same if interrupt
+        * moderation is not used. Interrupt moderation may cause RX
+        * buffer overflow while RX_DONE is delayed. The required
+@@ -355,21 +358,24 @@ static irqreturn_t wil6210_irq_rx(int irq, void *cookie)
+ static irqreturn_t wil6210_irq_rx_edma(int irq, void *cookie)
+ {
+       struct wil6210_priv *wil = cookie;
+-      u32 isr = wil_ioread32_and_clear(wil->csr +
+-                                       HOSTADDR(RGF_INT_GEN_RX_ICR) +
+-                                       offsetof(struct RGF_ICR, ICR));
++      u32 isr;
+       bool need_unmask = true;
++      wil6210_mask_irq_rx_edma(wil);
++
++      isr = wil_ioread32_and_clear(wil->csr +
++                                   HOSTADDR(RGF_INT_GEN_RX_ICR) +
++                                   offsetof(struct RGF_ICR, ICR));
++
+       trace_wil6210_irq_rx(isr);
+       wil_dbg_irq(wil, "ISR RX 0x%08x\n", isr);
+       if (unlikely(!isr)) {
+               wil_err(wil, "spurious IRQ: RX\n");
++              wil6210_unmask_irq_rx_edma(wil);
+               return IRQ_NONE;
+       }
+-      wil6210_mask_irq_rx_edma(wil);
+-
+       if (likely(isr & BIT_RX_STATUS_IRQ)) {
+               wil_dbg_irq(wil, "RX status ring\n");
+               isr &= ~BIT_RX_STATUS_IRQ;
+@@ -403,21 +409,24 @@ static irqreturn_t wil6210_irq_rx_edma(int irq, void *cookie)
+ static irqreturn_t wil6210_irq_tx_edma(int irq, void *cookie)
+ {
+       struct wil6210_priv *wil = cookie;
+-      u32 isr = wil_ioread32_and_clear(wil->csr +
+-                                       HOSTADDR(RGF_INT_GEN_TX_ICR) +
+-                                       offsetof(struct RGF_ICR, ICR));
++      u32 isr;
+       bool need_unmask = true;
++      wil6210_mask_irq_tx_edma(wil);
++
++      isr = wil_ioread32_and_clear(wil->csr +
++                                   HOSTADDR(RGF_INT_GEN_TX_ICR) +
++                                   offsetof(struct RGF_ICR, ICR));
++
+       trace_wil6210_irq_tx(isr);
+       wil_dbg_irq(wil, "ISR TX 0x%08x\n", isr);
+       if (unlikely(!isr)) {
+               wil_err(wil, "spurious IRQ: TX\n");
++              wil6210_unmask_irq_tx_edma(wil);
+               return IRQ_NONE;
+       }
+-      wil6210_mask_irq_tx_edma(wil);
+-
+       if (likely(isr & BIT_TX_STATUS_IRQ)) {
+               wil_dbg_irq(wil, "TX status ring\n");
+               isr &= ~BIT_TX_STATUS_IRQ;
+@@ -446,21 +455,24 @@ static irqreturn_t wil6210_irq_tx_edma(int irq, void *cookie)
+ static irqreturn_t wil6210_irq_tx(int irq, void *cookie)
+ {
+       struct wil6210_priv *wil = cookie;
+-      u32 isr = wil_ioread32_and_clear(wil->csr +
+-                                       HOSTADDR(RGF_DMA_EP_TX_ICR) +
+-                                       offsetof(struct RGF_ICR, ICR));
++      u32 isr;
+       bool need_unmask = true;
++      wil6210_mask_irq_tx(wil);
++
++      isr = wil_ioread32_and_clear(wil->csr +
++                                   HOSTADDR(RGF_DMA_EP_TX_ICR) +
++                                   offsetof(struct RGF_ICR, ICR));
++
+       trace_wil6210_irq_tx(isr);
+       wil_dbg_irq(wil, "ISR TX 0x%08x\n", isr);
+       if (unlikely(!isr)) {
+               wil_err_ratelimited(wil, "spurious IRQ: TX\n");
++              wil6210_unmask_irq_tx(wil);
+               return IRQ_NONE;
+       }
+-      wil6210_mask_irq_tx(wil);
+-
+       if (likely(isr & BIT_DMA_EP_TX_ICR_TX_DONE)) {
+               wil_dbg_irq(wil, "TX done\n");
+               isr &= ~BIT_DMA_EP_TX_ICR_TX_DONE;
+@@ -532,20 +544,23 @@ static bool wil_validate_mbox_regs(struct wil6210_priv *wil)
+ static irqreturn_t wil6210_irq_misc(int irq, void *cookie)
+ {
+       struct wil6210_priv *wil = cookie;
+-      u32 isr = wil_ioread32_and_clear(wil->csr +
+-                                       HOSTADDR(RGF_DMA_EP_MISC_ICR) +
+-                                       offsetof(struct RGF_ICR, ICR));
++      u32 isr;
++
++      wil6210_mask_irq_misc(wil, false);
++
++      isr = wil_ioread32_and_clear(wil->csr +
++                                   HOSTADDR(RGF_DMA_EP_MISC_ICR) +
++                                   offsetof(struct RGF_ICR, ICR));
+       trace_wil6210_irq_misc(isr);
+       wil_dbg_irq(wil, "ISR MISC 0x%08x\n", isr);
+       if (!isr) {
+               wil_err(wil, "spurious IRQ: MISC\n");
++              wil6210_unmask_irq_misc(wil, false);
+               return IRQ_NONE;
+       }
+-      wil6210_mask_irq_misc(wil, false);
+-
+       if (isr & ISR_MISC_FW_ERROR) {
+               u32 fw_assert_code = wil_r(wil, wil->rgf_fw_assert_code_addr);
+               u32 ucode_assert_code =
+-- 
+2.20.1
+
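Review bot: All five handlers now mask before the read-and-clear, but nothing in the code says the order matters, so a later cleanup could move `wil6210_mask_irq_rx(wil);` back below the `!isr` check. A comment at each mask call, such as `/* mask first: an IRQ raised between clear and mask would fire again on unmask */`, would pin the requirement. The new unmask on the `!isr` path also assumes the source was unmasked on entry. If a handler can run while an earlier pass deliberately left the source masked (the `need_unmask` flag suggests deferred unmasking exists), this early return would re-enable it sooner than the old code did, which is worth confirming. The handler bodies continue outside the hunks.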
diff --git a/queue-4.19/x86-atomic-fix-smp_mb__-before-after-_atomic.patch b/queue-4.19/x86-atomic-fix-smp_mb__-before-after-_atomic.patch
new file mode 100644 (file)
index 0000000..ad00a5e
--- /dev/null
@@ -0,0 +1,164 @@
+From f45707a4e74d925de3279109516cd012c6b393b0 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 24 Apr 2019 13:38:23 +0200
+Subject: x86/atomic: Fix smp_mb__{before,after}_atomic()
+
+[ Upstream commit 69d927bba39517d0980462efc051875b7f4db185 ]
+
+Recent probing at the Linux Kernel Memory Model uncovered a
+'surprise'. Strongly ordered architectures where the atomic RmW
+primitive implies full memory ordering and
+smp_mb__{before,after}_atomic() are a simple barrier() (such as x86)
+fail for:
+
+       *x = 1;
+       atomic_inc(u);
+       smp_mb__after_atomic();
+       r0 = *y;
+
+Because, while the atomic_inc() implies memory order, it
+(surprisingly) does not provide a compiler barrier. This then allows
+the compiler to re-order like so:
+
+       atomic_inc(u);
+       *x = 1;
+       smp_mb__after_atomic();
+       r0 = *y;
+
+Which the CPU is then allowed to re-order (under TSO rules) like:
+
+       atomic_inc(u);
+       r0 = *y;
+       *x = 1;
+
+And this very much was not intended. Therefore strengthen the atomic
+RmW ops to include a compiler barrier.
+
+NOTE: atomic_{or,and,xor} and the bitops already had the compiler
+barrier.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/atomic_t.txt         | 3 +++
+ arch/x86/include/asm/atomic.h      | 8 ++++----
+ arch/x86/include/asm/atomic64_64.h | 8 ++++----
+ arch/x86/include/asm/barrier.h     | 4 ++--
+ 4 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/Documentation/atomic_t.txt b/Documentation/atomic_t.txt
+index 913396ac5824..ed0d814df7e0 100644
+--- a/Documentation/atomic_t.txt
++++ b/Documentation/atomic_t.txt
+@@ -177,6 +177,9 @@ These helper barriers exist because architectures have varying implicit
+ ordering on their SMP atomic primitives. For example our TSO architectures
+ provide full ordered atomics and these barriers are no-ops.
++NOTE: when the atomic RmW ops are fully ordered, they should also imply a
++compiler barrier.
++
+ Thus:
+   atomic_fetch_add();
+diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
+index ce84388e540c..d266a4066289 100644
+--- a/arch/x86/include/asm/atomic.h
++++ b/arch/x86/include/asm/atomic.h
+@@ -54,7 +54,7 @@ static __always_inline void arch_atomic_add(int i, atomic_t *v)
+ {
+       asm volatile(LOCK_PREFIX "addl %1,%0"
+                    : "+m" (v->counter)
+-                   : "ir" (i));
++                   : "ir" (i) : "memory");
+ }
+ /**
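Review bot: The `"memory"` clobber added to arch_atomic_add() carries no comment, yet after this patch it is what keeps the compiler from moving plain loads and stores across the locked instruction. A one-line comment next to the clobber, for example `/* "memory": also a compiler barrier, smp_mb__{before,after}_atomic() rely on it */`, would stop a later cleanup from dropping it as redundant with the `"+m"` operand. The same applies to the sub, inc and dec hunks below and to the four hunks in atomic64_64.h.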
+@@ -68,7 +68,7 @@ static __always_inline void arch_atomic_sub(int i, atomic_t *v)
+ {
+       asm volatile(LOCK_PREFIX "subl %1,%0"
+                    : "+m" (v->counter)
+-                   : "ir" (i));
++                   : "ir" (i) : "memory");
+ }
+ /**
+@@ -95,7 +95,7 @@ static __always_inline bool arch_atomic_sub_and_test(int i, atomic_t *v)
+ static __always_inline void arch_atomic_inc(atomic_t *v)
+ {
+       asm volatile(LOCK_PREFIX "incl %0"
+-                   : "+m" (v->counter));
++                   : "+m" (v->counter) :: "memory");
+ }
+ #define arch_atomic_inc arch_atomic_inc
+@@ -108,7 +108,7 @@ static __always_inline void arch_atomic_inc(atomic_t *v)
+ static __always_inline void arch_atomic_dec(atomic_t *v)
+ {
+       asm volatile(LOCK_PREFIX "decl %0"
+-                   : "+m" (v->counter));
++                   : "+m" (v->counter) :: "memory");
+ }
+ #define arch_atomic_dec arch_atomic_dec
+diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h
+index 5f851d92eecd..55ca027f8c1c 100644
+--- a/arch/x86/include/asm/atomic64_64.h
++++ b/arch/x86/include/asm/atomic64_64.h
+@@ -45,7 +45,7 @@ static __always_inline void arch_atomic64_add(long i, atomic64_t *v)
+ {
+       asm volatile(LOCK_PREFIX "addq %1,%0"
+                    : "=m" (v->counter)
+-                   : "er" (i), "m" (v->counter));
++                   : "er" (i), "m" (v->counter) : "memory");
+ }
+ /**
+@@ -59,7 +59,7 @@ static inline void arch_atomic64_sub(long i, atomic64_t *v)
+ {
+       asm volatile(LOCK_PREFIX "subq %1,%0"
+                    : "=m" (v->counter)
+-                   : "er" (i), "m" (v->counter));
++                   : "er" (i), "m" (v->counter) : "memory");
+ }
+ /**
+@@ -87,7 +87,7 @@ static __always_inline void arch_atomic64_inc(atomic64_t *v)
+ {
+       asm volatile(LOCK_PREFIX "incq %0"
+                    : "=m" (v->counter)
+-                   : "m" (v->counter));
++                   : "m" (v->counter) : "memory");
+ }
+ #define arch_atomic64_inc arch_atomic64_inc
+@@ -101,7 +101,7 @@ static __always_inline void arch_atomic64_dec(atomic64_t *v)
+ {
+       asm volatile(LOCK_PREFIX "decq %0"
+                    : "=m" (v->counter)
+-                   : "m" (v->counter));
++                   : "m" (v->counter) : "memory");
+ }
+ #define arch_atomic64_dec arch_atomic64_dec
+diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
+index 14de0432d288..84f848c2541a 100644
+--- a/arch/x86/include/asm/barrier.h
++++ b/arch/x86/include/asm/barrier.h
+@@ -80,8 +80,8 @@ do {                                                                 \
+ })
+ /* Atomic operations are already serializing on x86 */
+-#define __smp_mb__before_atomic()     barrier()
+-#define __smp_mb__after_atomic()      barrier()
++#define __smp_mb__before_atomic()     do { } while (0)
++#define __smp_mb__after_atomic()      do { } while (0)
+ #include <asm-generic/barrier.h>
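Review bot: With both macros reduced to `do { } while (0)`, ordering now depends on every void-returning atomic RmW op in this tree having a "memory" clobber, and the retained comment `/* Atomic operations are already serializing on x86 */` does not say so. This patch covers add, sub, inc and dec in atomic.h and atomic64_64.h, and the commit message states that atomic_{or,and,xor} and the bitops already have the barrier. For a stable backport it is worth confirming that against the 4.19 sources rather than upstream, including the 32-bit atomic64 implementation, which is not part of this diff. I would extend the comment to something like `/* Atomic RmW ops are serializing on x86 and carry a "memory" clobber, so no extra barrier is needed here */`.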
+-- 
+2.20.1
+
diff --git a/queue-4.19/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch b/queue-4.19/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
new file mode 100644 (file)
index 0000000..985c2f9
--- /dev/null
@@ -0,0 +1,52 @@
+From e1426d7aea922a23c086d48150be95a39f5498a5 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 25 Jun 2019 16:26:22 +0900
+Subject: x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
+
+[ Upstream commit bc53d3d777f81385c1bb08b07bd1c06450ecc2c1 ]
+
+Without 'set -e', shell scripts continue running even after any
+error occurs. The missed 'set -e' is a typical bug in shell scripting.
+
+For example, when a disk space shortage occurs while this script is
+running, it actually ends up with generating a truncated capflags.c.
+
+Yet, mkcapflags.sh continues running and exits with 0. So, the build
+system assumes it has succeeded.
+
+It will not be re-generated in the next invocation of Make since its
+timestamp is newer than that of any of the source files.
+
+Add 'set -e' so that any error in this script is caught and propagated
+to the build system.
+
+Since 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special target"),
+make automatically deletes the target on any failure. So, the broken
+capflags.c will be deleted automatically.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Link: https://lkml.kernel.org/r/20190625072622.17679-1-yamada.masahiro@socionext.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mkcapflags.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
+index d0dfb892c72f..aed45b8895d5 100644
+--- a/arch/x86/kernel/cpu/mkcapflags.sh
++++ b/arch/x86/kernel/cpu/mkcapflags.sh
+@@ -4,6 +4,8 @@
+ # Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
+ #
++set -e
++
+ IN=$1
+ OUT=$2
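Review bot: `set -e` on its own does not see a failure on the left-hand side of a pipeline, because only the last command's status is checked. The body of the script is outside this hunk, so I cannot tell whether that matters here; if the generator pipes one command's output into a loop, a failing producer could still leave a truncated capflags.c with exit status 0. A short comment above the new line saying what it is for, e.g. `# abort on the first failing command so make deletes a partial $OUT`, would also help.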
+-- 
+2.20.1
+
diff --git a/queue-4.19/x86-cacheinfo-fix-a-wtype-limits-warning.patch b/queue-4.19/x86-cacheinfo-fix-a-wtype-limits-warning.patch
new file mode 100644 (file)
index 0000000..c480283
--- /dev/null
@@ -0,0 +1,53 @@
+From 40736ab7a9bc2118539af8c62fd3d2e2f0fc860f Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Wed, 19 Jun 2019 10:32:53 -0400
+Subject: x86/cacheinfo: Fix a -Wtype-limits warning
+
+[ Upstream commit 1b7aebf0487613033aff26420e32fa2076d52846 ]
+
+cpuinfo_x86.x86_model is an unsigned type, so comparing against zero
+will generate a compilation warning:
+
+  arch/x86/kernel/cpu/cacheinfo.c: In function 'cacheinfo_amd_init_llc_id':
+  arch/x86/kernel/cpu/cacheinfo.c:662:19: warning: comparison is always true \
+    due to limited range of data type [-Wtype-limits]
+
+Remove the unnecessary lower bound check.
+
+ [ bp: Massage. ]
+
+Fixes: 68091ee7ac3c ("x86/CPU/AMD: Calculate last level cache ID from number of sharing threads")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Pu Wen <puwen@hygon.cn>
+Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/1560954773-11967-1-git-send-email-cai@lca.pw
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/cacheinfo.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/cacheinfo.c b/arch/x86/kernel/cpu/cacheinfo.c
+index 0c5fcbd998cf..9d863e8f9b3f 100644
+--- a/arch/x86/kernel/cpu/cacheinfo.c
++++ b/arch/x86/kernel/cpu/cacheinfo.c
+@@ -651,8 +651,7 @@ void cacheinfo_amd_init_llc_id(struct cpuinfo_x86 *c, int cpu, u8 node_id)
+       if (c->x86 < 0x17) {
+               /* LLC is at the node level. */
+               per_cpu(cpu_llc_id, cpu) = node_id;
+-      } else if (c->x86 == 0x17 &&
+-                 c->x86_model >= 0 && c->x86_model <= 0x1F) {
++      } else if (c->x86 == 0x17 && c->x86_model <= 0x1F) {
+               /*
+                * LLC is at the core complex level.
+                * Core complex ID is ApicId[3] for these processors.
+-- 
+2.20.1
+
diff --git a/queue-4.19/x86-cpu-add-ice-lake-nnpi-to-intel-family.patch b/queue-4.19/x86-cpu-add-ice-lake-nnpi-to-intel-family.patch
new file mode 100644 (file)
index 0000000..eb37e0c
--- /dev/null
@@ -0,0 +1,47 @@
+From ad9efa936c932245ec53d5ceaf12414f3b6fc34a Mon Sep 17 00:00:00 2001
+From: Rajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
+Date: Thu, 6 Jun 2019 06:54:19 +0530
+Subject: x86/cpu: Add Ice Lake NNPI to Intel family
+
+[ Upstream commit e32d045cd4ba06b59878323e434bad010e78e658 ]
+
+Add the CPUID model number of Ice Lake Neural Network Processor for Deep
+Learning Inference (ICL-NNPI) to the Intel family list. Ice Lake NNPI uses
+model number 0x9D and this will be documented in a future version of Intel
+Software Development Manual.
+
+Signed-off-by: Rajneesh Bhardwaj <rajneesh.bhardwaj@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@suse.de
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: platform-driver-x86@vger.kernel.org
+Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: Len Brown <lenb@kernel.org>
+Cc: Linux PM <linux-pm@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190606012419.13250-1-rajneesh.bhardwaj@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/intel-family.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
+index 2e38fb82b91d..aebedbaf5260 100644
+--- a/arch/x86/include/asm/intel-family.h
++++ b/arch/x86/include/asm/intel-family.h
+@@ -56,6 +56,7 @@
+ #define INTEL_FAM6_ICELAKE_XEON_D     0x6C
+ #define INTEL_FAM6_ICELAKE_DESKTOP    0x7D
+ #define INTEL_FAM6_ICELAKE_MOBILE     0x7E
++#define INTEL_FAM6_ICELAKE_NNPI               0x9D
+ /* "Small Core" Processors (Atom) */
+-- 
+2.20.1
+
diff --git a/queue-4.19/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch b/queue-4.19/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch
new file mode 100644 (file)
index 0000000..32cf7e8
--- /dev/null
@@ -0,0 +1,60 @@
+From 6456d82f975c6f81e326d8bea1dfb88cab7c4919 Mon Sep 17 00:00:00 2001
+From: Aaron Lewis <aaronlewis@google.com>
+Date: Wed, 5 Jun 2019 15:02:52 -0700
+Subject: x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS
+
+[ Upstream commit cbb99c0f588737ec98c333558922ce47e9a95827 ]
+
+Add the CPUID enumeration for Intel's de-feature bits to accommodate
+passing these de-features through to kvm guests.
+
+These de-features are (from SDM vol 1, section 8.1.8):
+ - X86_FEATURE_FDP_EXCPTN_ONLY: If CPUID.(EAX=07H,ECX=0H):EBX[bit 6] = 1, the
+   data pointer (FDP) is updated only for the x87 non-control instructions that
+   incur unmasked x87 exceptions.
+ - X86_FEATURE_ZERO_FCS_FDS: If CPUID.(EAX=07H,ECX=0H):EBX[bit 13] = 1, the
+   processor deprecates FCS and FDS; it saves each as 0000H.
+
+Signed-off-by: Aaron Lewis <aaronlewis@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: marcorr@google.com
+Cc: Peter Feiner <pfeiner@google.com>
+Cc: pshier@google.com
+Cc: Robert Hoo <robert.hu@linux.intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thomas Lendacky <Thomas.Lendacky@amd.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190605220252.103406-1-aaronlewis@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index 69037da75ea0..0cf704933f23 100644
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -239,12 +239,14 @@
+ #define X86_FEATURE_BMI1              ( 9*32+ 3) /* 1st group bit manipulation extensions */
+ #define X86_FEATURE_HLE                       ( 9*32+ 4) /* Hardware Lock Elision */
+ #define X86_FEATURE_AVX2              ( 9*32+ 5) /* AVX2 instructions */
++#define X86_FEATURE_FDP_EXCPTN_ONLY   ( 9*32+ 6) /* "" FPU data pointer updated only on x87 exceptions */
+ #define X86_FEATURE_SMEP              ( 9*32+ 7) /* Supervisor Mode Execution Protection */
+ #define X86_FEATURE_BMI2              ( 9*32+ 8) /* 2nd group bit manipulation extensions */
+ #define X86_FEATURE_ERMS              ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB instructions */
+ #define X86_FEATURE_INVPCID           ( 9*32+10) /* Invalidate Processor Context ID */
+ #define X86_FEATURE_RTM                       ( 9*32+11) /* Restricted Transactional Memory */
+ #define X86_FEATURE_CQM                       ( 9*32+12) /* Cache QoS Monitoring */
++#define X86_FEATURE_ZERO_FCS_FDS      ( 9*32+13) /* "" Zero out FPU CS and FPU DS */
+ #define X86_FEATURE_MPX                       ( 9*32+14) /* Memory Protection Extension */
+ #define X86_FEATURE_RDT_A             ( 9*32+15) /* Resource Director Technology Allocation */
+ #define X86_FEATURE_AVX512F           ( 9*32+16) /* AVX-512 Foundation */
+-- 
+2.20.1
+
diff --git a/queue-4.19/xfrm-fix-sa-selector-validation.patch b/queue-4.19/xfrm-fix-sa-selector-validation.patch
new file mode 100644 (file)
index 0000000..ed7fe49
--- /dev/null
@@ -0,0 +1,42 @@
+From c6d0b2daa6df44acab547cda60681476a00f5dd4 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 14 Jun 2019 11:13:55 +0200
+Subject: xfrm: fix sa selector validation
+
+[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]
+
+After commit b38ff4075a80, the following command does not work anymore:
+$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
+  mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
+  'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
+
+In fact, the selector is not mandatory, allow the user to provide an empty
+selector.
+
+Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
+CC: Anirudh Gupta <anirudh.gupta@sophos.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index d80d54e663c0..1484bc99a537 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+       }
+       switch (p->sel.family) {
++      case AF_UNSPEC:
++              break;
++
+       case AF_INET:
+               if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+                       goto out;
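Review bot: The new `case AF_UNSPEC:` arm accepts the SA without any bound on `p->sel.prefixlen_d` and `p->sel.prefixlen_s`, which come from userspace. If code outside this hunk later treats an unset selector family as `p->family` (not visible here), prefix lengths above 32 or 128 would reach it unchecked. Consider bounding them in this arm, either by rejecting non-zero values with `if (p->sel.prefixlen_d || p->sel.prefixlen_s) goto out;` or by applying the limit that matches `p->family`. verify_newsa_info() starts before and continues after the hunk, so the rest of the switch is not shown.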
+-- 
+2.20.1
+
diff --git a/queue-4.19/xfrm-fix-xfrm-sel-prefix-length-validation.patch b/queue-4.19/xfrm-fix-xfrm-sel-prefix-length-validation.patch
new file mode 100644 (file)
index 0000000..9ecca0f
--- /dev/null
@@ -0,0 +1,56 @@
+From 757944e907ba747aafe76ac83ede73ce203756a7 Mon Sep 17 00:00:00 2001
+From: Anirudh Gupta <anirudhrudr@gmail.com>
+Date: Tue, 21 May 2019 20:59:47 +0530
+Subject: xfrm: Fix xfrm sel prefix length validation
+
+[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
+
+Family of src/dst can be different from family of selector src/dst.
+Use xfrm selector family to validate address prefix length,
+while verifying new sa from userspace.
+
+Validated patch with this command:
+ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
+reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
+0x1111016400000000000000000000000044440001 128 \
+sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
+
+Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
+Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 2122f89f6155..d80d54e663c0 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+       err = -EINVAL;
+       switch (p->family) {
++      case AF_INET:
++              break;
++
++      case AF_INET6:
++#if IS_ENABLED(CONFIG_IPV6)
++              break;
++#else
++              err = -EAFNOSUPPORT;
++              goto out;
++#endif
++
++      default:
++              goto out;
++      }
++
++      switch (p->sel.family) {
+       case AF_INET:
+               if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+                       goto out;
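Review bot: The two consecutive switches now look almost identical, and nothing says that the first checks the SA address family while the second bounds the selector prefix lengths by the selector's own family. A comment on each, such as `/* SA family: must be one we can handle */` and `/* selector may use a different family than the SA addresses */`, would make the split obvious. `p->sel.family` is also switched on directly, so a selector family the visible arm does not list is handled by whatever arms follow outside this hunk. verify_newsa_info() continues past the last line shown.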
+-- 
+2.20.1
+
diff --git a/queue-4.19/xsk-properly-terminate-assignment-in-xskq_produce_fl.patch b/queue-4.19/xsk-properly-terminate-assignment-in-xskq_produce_fl.patch
new file mode 100644 (file)
index 0000000..efb3e71
--- /dev/null
@@ -0,0 +1,54 @@
+From 32923179a69877a458a81c81bf7da6a06edf9410 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Tue, 25 Jun 2019 11:23:52 -0700
+Subject: xsk: Properly terminate assignment in xskq_produce_flush_desc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit f7019b7b0ad14bde732b8953161994edfc384953 ]
+
+Clang warns:
+
+In file included from net/xdp/xsk_queue.c:10:
+net/xdp/xsk_queue.h:292:2: warning: expression result unused
+[-Wunused-value]
+        WRITE_ONCE(q->ring->producer, q->prod_tail);
+        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+include/linux/compiler.h:284:6: note: expanded from macro 'WRITE_ONCE'
+        __u.__val;                                      \
+        ~~~ ^~~~~
+1 warning generated.
+
+The q->prod_tail assignment has a comma at the end, not a semi-colon.
+Fix that so clang no longer warns and everything works as expected.
+
+Fixes: c497176cb2e4 ("xsk: add Rx receive functions and poll support")
+Link: https://github.com/ClangBuiltLinux/linux/issues/544
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Nick Desaulniers <ndesaulniers@google.com>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Acked-by: Björn Töpel <bjorn.topel@intel.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h
+index 8a64b150be54..fe96c0d039f2 100644
+--- a/net/xdp/xsk_queue.h
++++ b/net/xdp/xsk_queue.h
+@@ -239,7 +239,7 @@ static inline void xskq_produce_flush_desc(struct xsk_queue *q)
+       /* Order producer and data */
+       smp_wmb();
+-      q->prod_tail = q->prod_head,
++      q->prod_tail = q->prod_head;
+       WRITE_ONCE(q->ring->producer, q->prod_tail);
+ }
+-- 
+2.20.1
+