--- /dev/null
+From 3f8af37138d2c1a506633e1f63e642ec019b588c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 13 Apr 2019 10:04:49 +0200
+Subject: ALSA: hda: Initialize power_state field properly
+
+[ Upstream commit 183ab39eb0ea9879bb68422a83e65f750f3192f0 ]
+
+The recent commit 98081ca62cba ("ALSA: hda - Record the current power
+state before suspend/resume calls") made the HD-audio driver to store
+the PM state in power_state field. This forgot, however, the
+initialization at power up. Although the codec drivers usually don't
+need to refer to this field in the normal operation, let's initialize
+it properly for consistency.
+
+Fixes: 98081ca62cba ("ALSA: hda - Record the current power state before suspend/resume calls")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 21de8145f1a6..a6233775e779 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -971,6 +971,7 @@ int snd_hda_codec_device_new(struct hda_bus *bus, struct snd_card *card,
+
+ /* power-up all before initialization */
+ hda_set_power_state(codec, AC_PWRST_D0);
++ codec->core.dev.power.power_state = PMSG_ON;
+
+ snd_hda_codec_proc_new(codec);
+
+--
+2.20.1
+
--- /dev/null
+From 0d98fff4237824bc80e61763870b55e14cc6ade4 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 11 Dec 2018 12:14:12 +0100
+Subject: bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
+
+[ Upstream commit fdadd04931c2d7cd294dc5b2b342863f94be53a3 ]
+
+Michael and Sandipan report:
+
+ Commit ede95a63b5 introduced a bpf_jit_limit tuneable to limit BPF
+ JIT allocations. At compile time it defaults to PAGE_SIZE * 40000,
+ and is adjusted again at init time if MODULES_VADDR is defined.
+
+ For ppc64 kernels, MODULES_VADDR isn't defined, so we're stuck with
+ the compile-time default at boot-time, which is 0x9c400000 when
+ using 64K page size. This overflows the signed 32-bit bpf_jit_limit
+ value:
+
+ root@ubuntu:/tmp# cat /proc/sys/net/core/bpf_jit_limit
+ -1673527296
+
+ and can cause various unexpected failures throughout the network
+ stack. In one case `strace dhclient eth0` reported:
+
+ setsockopt(5, SOL_SOCKET, SO_ATTACH_FILTER, {len=11, filter=0x105dd27f8},
+ 16) = -1 ENOTSUPP (Unknown error 524)
+
+ and similar failures can be seen with tools like tcpdump. This doesn't
+ always reproduce however, and I'm not sure why. The more consistent
+ failure I've seen is an Ubuntu 18.04 KVM guest booted on a POWER9
+ host would time out on systemd/netplan configuring a virtio-net NIC
+ with no noticeable errors in the logs.
+
+Given this and also given that in near future some architectures like
+arm64 will have a custom area for BPF JIT image allocations we should
+get rid of the BPF_JIT_LIMIT_DEFAULT fallback / default entirely. For
+4.21, we have an overridable bpf_jit_alloc_exec(), bpf_jit_free_exec()
+so therefore add another overridable bpf_jit_alloc_exec_limit() helper
+function which returns the possible size of the memory area for deriving
+the default heuristic in bpf_jit_charge_init().
+
+Like bpf_jit_alloc_exec() and bpf_jit_free_exec(), the new
+bpf_jit_alloc_exec_limit() assumes that module_alloc() is the default
+JIT memory provider, and therefore in case archs implement their custom
+module_alloc() we use MODULES_{END,_VADDR} for limits and otherwise for
+vmalloc_exec() cases like on ppc64 we use VMALLOC_{END,_START}.
+
+Additionally, for archs supporting large page sizes, we should change
+the sysctl to be handled as long to not run into sysctl restrictions
+in future.
+
+Fixes: ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv allocations")
+Reported-by: Sandipan Das <sandipan@linux.ibm.com>
+Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 2 +-
+ kernel/bpf/core.c | 21 +++++++++++++++------
+ net/core/sysctl_net_core.c | 20 +++++++++++++++++---
+ 3 files changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index d52a7484aeb2..3705c6f10b17 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -837,7 +837,7 @@ bpf_run_sk_reuseport(struct sock_reuseport *reuse, struct sock *sk,
+ extern int bpf_jit_enable;
+ extern int bpf_jit_harden;
+ extern int bpf_jit_kallsyms;
+-extern int bpf_jit_limit;
++extern long bpf_jit_limit;
+
+ typedef void (*bpf_jit_fill_hole_t)(void *area, unsigned int size);
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index bad9985b8a08..36be400c3e65 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -366,13 +366,11 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
+ }
+
+ #ifdef CONFIG_BPF_JIT
+-# define BPF_JIT_LIMIT_DEFAULT (PAGE_SIZE * 40000)
+-
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_ALWAYS_ON);
+ int bpf_jit_harden __read_mostly;
+ int bpf_jit_kallsyms __read_mostly;
+-int bpf_jit_limit __read_mostly = BPF_JIT_LIMIT_DEFAULT;
++long bpf_jit_limit __read_mostly;
+
+ static __always_inline void
+ bpf_get_prog_addr_region(const struct bpf_prog *prog,
+@@ -583,16 +581,27 @@ int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type,
+
+ static atomic_long_t bpf_jit_current;
+
++/* Can be overridden by an arch's JIT compiler if it has a custom,
++ * dedicated BPF backend memory area, or if neither of the two
++ * below apply.
++ */
++u64 __weak bpf_jit_alloc_exec_limit(void)
++{
+ #if defined(MODULES_VADDR)
++ return MODULES_END - MODULES_VADDR;
++#else
++ return VMALLOC_END - VMALLOC_START;
++#endif
++}
++
+ static int __init bpf_jit_charge_init(void)
+ {
+ /* Only used as heuristic here to derive limit. */
+- bpf_jit_limit = min_t(u64, round_up((MODULES_END - MODULES_VADDR) >> 2,
+- PAGE_SIZE), INT_MAX);
++ bpf_jit_limit = min_t(u64, round_up(bpf_jit_alloc_exec_limit() >> 2,
++ PAGE_SIZE), LONG_MAX);
+ return 0;
+ }
+ pure_initcall(bpf_jit_charge_init);
+-#endif
+
+ static int bpf_jit_charge_modmem(u32 pages)
+ {
+diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
+index 37b4667128a3..d67ec17f2cc8 100644
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -28,6 +28,8 @@ static int two __maybe_unused = 2;
+ static int min_sndbuf = SOCK_MIN_SNDBUF;
+ static int min_rcvbuf = SOCK_MIN_RCVBUF;
+ static int max_skb_frags = MAX_SKB_FRAGS;
++static long long_one __maybe_unused = 1;
++static long long_max __maybe_unused = LONG_MAX;
+
+ static int net_msg_warn; /* Unused, but still a sysctl */
+
+@@ -289,6 +291,17 @@ proc_dointvec_minmax_bpf_restricted(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
++
++static int
++proc_dolongvec_minmax_bpf_restricted(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp,
++ loff_t *ppos)
++{
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
++ return proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
++}
+ #endif
+
+ static struct ctl_table net_core_table[] = {
+@@ -398,10 +411,11 @@ static struct ctl_table net_core_table[] = {
+ {
+ .procname = "bpf_jit_limit",
+ .data = &bpf_jit_limit,
+- .maxlen = sizeof(int),
++ .maxlen = sizeof(long),
+ .mode = 0600,
+- .proc_handler = proc_dointvec_minmax_bpf_restricted,
+- .extra1 = &one,
++ .proc_handler = proc_dolongvec_minmax_bpf_restricted,
++ .extra1 = &long_one,
++ .extra2 = &long_max,
+ },
+ #endif
+ {
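Review bot: The new `.extra2 = &long_max` bound on the `bpf_jit_limit` entry lets a privileged writer raise the limit far beyond what the JIT memory area can hold, at which point the knob no longer bounds unprivileged JIT allocations in any meaningful way. Since this commit already introduces `bpf_jit_alloc_exec_limit()`, the ceiling could be derived from it rather than from `LONG_MAX`, for instance a `bpf_jit_limit_max` variable filled in by bpf_jit_charge_init() and referenced as `.extra2 = &bpf_jit_limit_max`. Separately, proc_dolongvec_minmax_bpf_restricted() passes a signed `long` to `proc_doulongvec_minmax()`; that is only safe because both bounds are non-negative, which deserves a comment next to `long_one`/`long_max`, e.g. `/* bounds keep the unsigned parser inside the positive range of long */`.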
+--
+2.20.1
+
--- /dev/null
+From 4c988a55f5682f024eea1953a5dc867f4564bc94 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Sun, 10 Feb 2019 14:10:39 +0100
+Subject: drm/fb-helper: generic: Don't take module ref for fbcon
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6ab20a05f4c7ed45632e24d5397d6284e192567d ]
+
+It's now safe to let fbcon unbind automatically on fbdev unregister.
+The crash problem was fixed in commit 2122b40580dd
+("fbdev: fbcon: Fix unregister crash when more than one framebuffer")
+
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190210131039.52664-13-noralf@tronnes.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_fb_helper.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
+index a0663f44e218..8b546fde139d 100644
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -2957,7 +2957,8 @@ static int drm_fbdev_fb_open(struct fb_info *info, int user)
+ {
+ struct drm_fb_helper *fb_helper = info->par;
+
+- if (!try_module_get(fb_helper->dev->driver->fops->owner))
++ /* No need to take a ref for fbcon because it unbinds on unregister */
++ if (user && !try_module_get(fb_helper->dev->driver->fops->owner))
+ return -ENODEV;
+
+ return 0;
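Review bot: With `user == 0` the open path in drm_fbdev_fb_open() no longer pins `fops->owner`, so the driver module's lifetime while fbcon is bound now rests entirely on fbcon unbinding at fbdev unregister. The description ties that guarantee to commit 2122b40580dd; for this stable backport it is worth confirming that commit is present in the target tree, since without it unloading the module with fbcon still bound would leave fbcon calling into code that is gone. The matching `if (user)` in drm_fbdev_fb_release() keeps get/put balanced only as long as open and release are called with the same `user` value, which a short comment there could state: `/* Pairs with the user-only try_module_get() in drm_fbdev_fb_open() */`.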
+@@ -2967,7 +2968,8 @@ static int drm_fbdev_fb_release(struct fb_info *info, int user)
+ {
+ struct drm_fb_helper *fb_helper = info->par;
+
+- module_put(fb_helper->dev->driver->fops->owner);
++ if (user)
++ module_put(fb_helper->dev->driver->fops->owner);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 11fc99f1db35b432271743a4886ae6be6fa4696c Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 1 Jan 2019 00:11:30 -0800
+Subject: f2fs: don't access node/meta inode mapping after iput
+
+[ Upstream commit 7c77bf7de1574ac7a31a2b76f4927404307d13e7 ]
+
+This fixes wrong access of address spaces of node and meta inodes after iput.
+
+Fixes: 60aa4d5536ab ("f2fs: fix use-after-free issue when accessing sbi->stat_info")
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/debug.c | 19 ++++++++++++-------
+ fs/f2fs/super.c | 5 +++++
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
+index ebe649d9793c..bbe155465ca0 100644
+--- a/fs/f2fs/debug.c
++++ b/fs/f2fs/debug.c
+@@ -94,8 +94,10 @@ static void update_general_status(struct f2fs_sb_info *sbi)
+ si->free_secs = free_sections(sbi);
+ si->prefree_count = prefree_segments(sbi);
+ si->dirty_count = dirty_segments(sbi);
+- si->node_pages = NODE_MAPPING(sbi)->nrpages;
+- si->meta_pages = META_MAPPING(sbi)->nrpages;
++ if (sbi->node_inode)
++ si->node_pages = NODE_MAPPING(sbi)->nrpages;
++ if (sbi->meta_inode)
++ si->meta_pages = META_MAPPING(sbi)->nrpages;
+ si->nats = NM_I(sbi)->nat_cnt;
+ si->dirty_nats = NM_I(sbi)->dirty_nat_cnt;
+ si->sits = MAIN_SEGS(sbi);
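Review bot: The `if (sbi->node_inode)` and `if (sbi->meta_inode)` tests in update_general_status() are a plain check followed by a separate dereference through NODE_MAPPING()/META_MAPPING(), so they narrow the window against f2fs_put_super() but do not close it unless both sides are serialized by a lock that this hunk does not show. If the stat path can run between `iput()` and the `= NULL` store in super.c, the stale pointer is still dereferenced; a comment naming the lock that makes the check sufficient would settle this, e.g. `/* node/meta inode may already be put; <lock> serializes against put_super */`. When the inode is gone, `si->node_pages` and `si->meta_pages` also keep their previous values instead of being reset to 0. The same check-then-use pattern appears in the update_mem_info() hunk below.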
+@@ -168,7 +170,6 @@ static void update_sit_info(struct f2fs_sb_info *sbi)
+ static void update_mem_info(struct f2fs_sb_info *sbi)
+ {
+ struct f2fs_stat_info *si = F2FS_STAT(sbi);
+- unsigned npages;
+ int i;
+
+ if (si->base_mem)
+@@ -251,10 +252,14 @@ static void update_mem_info(struct f2fs_sb_info *sbi)
+ sizeof(struct extent_node);
+
+ si->page_mem = 0;
+- npages = NODE_MAPPING(sbi)->nrpages;
+- si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
+- npages = META_MAPPING(sbi)->nrpages;
+- si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
++ if (sbi->node_inode) {
++ unsigned npages = NODE_MAPPING(sbi)->nrpages;
++ si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
++ }
++ if (sbi->meta_inode) {
++ unsigned npages = META_MAPPING(sbi)->nrpages;
++ si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
++ }
+ }
+
+ static int stat_show(struct seq_file *s, void *v)
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 2264f27fd26d..1871031e2d5e 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1050,7 +1050,10 @@ static void f2fs_put_super(struct super_block *sb)
+ f2fs_bug_on(sbi, sbi->fsync_node_num);
+
+ iput(sbi->node_inode);
++ sbi->node_inode = NULL;
++
+ iput(sbi->meta_inode);
++ sbi->meta_inode = NULL;
+
+ /*
+ * iput() can update stat information, if f2fs_write_checkpoint()
+@@ -3166,6 +3169,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
+ f2fs_release_ino_entry(sbi, true);
+ truncate_inode_pages_final(NODE_MAPPING(sbi));
+ iput(sbi->node_inode);
++ sbi->node_inode = NULL;
+ free_stats:
+ f2fs_destroy_stats(sbi);
+ free_nm:
+@@ -3178,6 +3182,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
+ free_meta_inode:
+ make_bad_inode(sbi->meta_inode);
+ iput(sbi->meta_inode);
++ sbi->meta_inode = NULL;
+ free_io_dummy:
+ mempool_destroy(sbi->write_io_dummy);
+ free_percpu:
+--
+2.20.1
+
--- /dev/null
+From 67064982a48219091d421b3a3782a3eb5035a268 Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Thu, 27 Jun 2019 10:13:34 +0200
+Subject: ftrace/x86: Remove possible deadlock between register_kprobe() and
+ ftrace_run_update_code()
+
+[ Upstream commit d5b844a2cf507fc7642c9ae80a9d585db3065c28 ]
+
+The commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text
+permissions race") causes a possible deadlock between register_kprobe()
+and ftrace_run_update_code() when ftrace is using stop_machine().
+
+The existing dependency chain (in reverse order) is:
+
+-> #1 (text_mutex){+.+.}:
+ validate_chain.isra.21+0xb32/0xd70
+ __lock_acquire+0x4b8/0x928
+ lock_acquire+0x102/0x230
+ __mutex_lock+0x88/0x908
+ mutex_lock_nested+0x32/0x40
+ register_kprobe+0x254/0x658
+ init_kprobes+0x11a/0x168
+ do_one_initcall+0x70/0x318
+ kernel_init_freeable+0x456/0x508
+ kernel_init+0x22/0x150
+ ret_from_fork+0x30/0x34
+ kernel_thread_starter+0x0/0xc
+
+-> #0 (cpu_hotplug_lock.rw_sem){++++}:
+ check_prev_add+0x90c/0xde0
+ validate_chain.isra.21+0xb32/0xd70
+ __lock_acquire+0x4b8/0x928
+ lock_acquire+0x102/0x230
+ cpus_read_lock+0x62/0xd0
+ stop_machine+0x2e/0x60
+ arch_ftrace_update_code+0x2e/0x40
+ ftrace_run_update_code+0x40/0xa0
+ ftrace_startup+0xb2/0x168
+ register_ftrace_function+0x64/0x88
+ klp_patch_object+0x1a2/0x290
+ klp_enable_patch+0x554/0x980
+ do_one_initcall+0x70/0x318
+ do_init_module+0x6e/0x250
+ load_module+0x1782/0x1990
+ __s390x_sys_finit_module+0xaa/0xf0
+ system_call+0xd8/0x2d0
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(text_mutex);
+ lock(cpu_hotplug_lock.rw_sem);
+ lock(text_mutex);
+ lock(cpu_hotplug_lock.rw_sem);
+
+It is similar problem that has been solved by the commit 2d1e38f56622b9b
+("kprobes: Cure hotplug lock ordering issues"). Many locks are involved.
+To be on the safe side, text_mutex must become a low level lock taken
+after cpu_hotplug_lock.rw_sem.
+
+This can't be achieved easily with the current ftrace design.
+For example, arm calls set_all_modules_text_rw() already in
+ftrace_arch_code_modify_prepare(), see arch/arm/kernel/ftrace.c.
+This functions is called:
+
+ + outside stop_machine() from ftrace_run_update_code()
+ + without stop_machine() from ftrace_module_enable()
+
+Fortunately, the problematic fix is needed only on x86_64. It is
+the only architecture that calls set_all_modules_text_rw()
+in ftrace path and supports livepatching at the same time.
+
+Therefore it is enough to move text_mutex handling from the generic
+kernel/trace/ftrace.c into arch/x86/kernel/ftrace.c:
+
+ ftrace_arch_code_modify_prepare()
+ ftrace_arch_code_modify_post_process()
+
+This patch basically reverts the ftrace part of the problematic
+commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module
+text permissions race"). And provides x86_64 specific-fix.
+
+Some refactoring of the ftrace code will be needed when livepatching
+is implemented for arm or nds32. These architectures call
+set_all_modules_text_rw() and use stop_machine() at the same time.
+
+Link: http://lkml.kernel.org/r/20190627081334.12793-1-pmladek@suse.com
+
+Fixes: 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text permissions race")
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Reported-by: Miroslav Benes <mbenes@suse.cz>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+[
+ As reviewed by Miroslav Benes <mbenes@suse.cz>, removed return value of
+ ftrace_run_update_code() as it is a void function.
+]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/ftrace.c | 3 +++
+ kernel/trace/ftrace.c | 10 +---------
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
+index 9f033dfd2766..50d309662d78 100644
+--- a/arch/x86/kernel/ftrace.c
++++ b/arch/x86/kernel/ftrace.c
+@@ -22,6 +22,7 @@
+ #include <linux/init.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
++#include <linux/memory.h>
+
+ #include <trace/syscall.h>
+
+@@ -35,6 +36,7 @@
+
+ int ftrace_arch_code_modify_prepare(void)
+ {
++ mutex_lock(&text_mutex);
+ set_kernel_text_rw();
+ set_all_modules_text_rw();
+ return 0;
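Review bot: ftrace_arch_code_modify_prepare() now returns with `text_mutex` held and ftrace_arch_code_modify_post_process() (next hunk) releases it, but nothing in the code records that cross-function locking contract. A comment above the `mutex_lock()` should say why the lock is taken here rather than in the generic code, for example `/* Taken here, released in ftrace_arch_code_modify_post_process(); must nest inside cpu_hotplug_lock, see stop_machine() */`, and the two functions could carry `__acquires(&text_mutex)` and `__releases(&text_mutex)` so sparse checks the pairing. The contract also means prepare must never report failure after taking the lock, because ftrace_run_update_code() in kernel/trace/ftrace.c now returns without calling post_process when prepare returns non-zero.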
+@@ -44,6 +46,7 @@ int ftrace_arch_code_modify_post_process(void)
+ {
+ set_all_modules_text_ro();
+ set_kernel_text_ro();
++ mutex_unlock(&text_mutex);
+ return 0;
+ }
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 0a0bb839ac5e..118ecce14386 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -35,7 +35,6 @@
+ #include <linux/hash.h>
+ #include <linux/rcupdate.h>
+ #include <linux/kprobes.h>
+-#include <linux/memory.h>
+
+ #include <trace/events/sched.h>
+
+@@ -2628,12 +2627,10 @@ static void ftrace_run_update_code(int command)
+ {
+ int ret;
+
+- mutex_lock(&text_mutex);
+-
+ ret = ftrace_arch_code_modify_prepare();
+ FTRACE_WARN_ON(ret);
+ if (ret)
+- goto out_unlock;
++ return;
+
+ /*
+ * By default we use stop_machine() to modify the code.
+@@ -2645,9 +2642,6 @@ static void ftrace_run_update_code(int command)
+
+ ret = ftrace_arch_code_modify_post_process();
+ FTRACE_WARN_ON(ret);
+-
+-out_unlock:
+- mutex_unlock(&text_mutex);
+ }
+
+ static void ftrace_run_modify_code(struct ftrace_ops *ops, int command,
+@@ -5771,7 +5765,6 @@ void ftrace_module_enable(struct module *mod)
+ struct ftrace_page *pg;
+
+ mutex_lock(&ftrace_lock);
+- mutex_lock(&text_mutex);
+
+ if (ftrace_disabled)
+ goto out_unlock;
+@@ -5833,7 +5826,6 @@ void ftrace_module_enable(struct module *mod)
+ ftrace_arch_code_modify_post_process();
+
+ out_unlock:
+- mutex_unlock(&text_mutex);
+ mutex_unlock(&ftrace_lock);
+
+ process_cached_mods(mod->name);
+--
+2.20.1
+
--- /dev/null
+From a33f49fb2dfd4b59e35f0081674eec288099b987 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 3 May 2019 08:24:44 -0700
+Subject: ip6: fix skb leak in ip6frag_expire_frag_queue()
+
+[ Upstream commit 47d3d7fdb10a21c223036b58bd70ffdc24a472c4 ]
+
+Since ip6frag_expire_frag_queue() now pulls the head skb
+from frag queue, we should no longer use skb_get(), since
+this leads to an skb leak.
+
+Stefan Bader initially reported a problem in 4.4.stable [1] caused
+by the skb_get(), so this patch should also fix this issue.
+
+296583.091021] kernel BUG at /build/linux-6VmqmP/linux-4.4.0/net/core/skbuff.c:1207!
+[296583.091734] Call Trace:
+[296583.091749] [<ffffffff81740e50>] __pskb_pull_tail+0x50/0x350
+[296583.091764] [<ffffffff8183939a>] _decode_session6+0x26a/0x400
+[296583.091779] [<ffffffff817ec719>] __xfrm_decode_session+0x39/0x50
+[296583.091795] [<ffffffff818239d0>] icmpv6_route_lookup+0xf0/0x1c0
+[296583.091809] [<ffffffff81824421>] icmp6_send+0x5e1/0x940
+[296583.091823] [<ffffffff81753238>] ? __netif_receive_skb+0x18/0x60
+[296583.091838] [<ffffffff817532b2>] ? netif_receive_skb_internal+0x32/0xa0
+[296583.091858] [<ffffffffc0199f74>] ? ixgbe_clean_rx_irq+0x594/0xac0 [ixgbe]
+[296583.091876] [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
+[296583.091893] [<ffffffff8183d431>] icmpv6_send+0x21/0x30
+[296583.091906] [<ffffffff8182b500>] ip6_expire_frag_queue+0xe0/0x120
+[296583.091921] [<ffffffffc04eb27f>] nf_ct_frag6_expire+0x1f/0x30 [nf_defrag_ipv6]
+[296583.091938] [<ffffffff810f3b57>] call_timer_fn+0x37/0x140
+[296583.091951] [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
+[296583.091968] [<ffffffff810f5464>] run_timer_softirq+0x234/0x330
+[296583.091982] [<ffffffff8108a339>] __do_softirq+0x109/0x2b0
+
+Fixes: d4289fcc9b16 ("net: IP6 defrag: use rbtrees for IPv6 defrag")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Stefan Bader <stefan.bader@canonical.com>
+Cc: Peter Oskolkov <posk@google.com>
+Cc: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ipv6_frag.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
+index 28aa9b30aece..1f77fb4dc79d 100644
+--- a/include/net/ipv6_frag.h
++++ b/include/net/ipv6_frag.h
+@@ -94,7 +94,6 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq)
+ goto out;
+
+ head->dev = dev;
+- skb_get(head);
+ spin_unlock(&fq->q.lock);
+
+ icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
+--
+2.20.1
+
--- /dev/null
+From e2b436b234b0281a95f7f582969ce01a515b3a6e Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 18 Feb 2019 11:29:29 +0100
+Subject: mac80211: mesh: fix missing unlock on error in table_path_del()
+
+[ Upstream commit f2ffff085d287eec499f1fccd682796ad8010303 ]
+
+spin_lock_bh() is used in table_path_del() but rcu_read_unlock()
+is used for unlocking. Fix it by using spin_unlock_bh() instead
+of rcu_read_unlock() in the error handling case.
+
+Fixes: b4c3fbe63601 ("mac80211: Use linked list instead of rhashtable walk for mesh tables")
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_pathtbl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 49a90217622b..ac1f5db52994 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -627,7 +627,7 @@ static int table_path_del(struct mesh_table *tbl,
+ spin_lock_bh(&tbl->walk_lock);
+ mpath = rhashtable_lookup_fast(&tbl->rhead, addr, mesh_rht_params);
+ if (!mpath) {
+- rcu_read_unlock();
++ spin_unlock_bh(&tbl->walk_lock);
+ return -ENXIO;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 0174372c38195a3a4e0c067d904ca9ed68d265c1 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Mon, 7 Jan 2019 07:04:14 -0500
+Subject: media: s5p-mfc: fix incorrect bus assignment in virtual child device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1e0d0a5fd38192f23304ea2fc2b531fea7c74247 ]
+
+Virtual MFC codec's child devices must not be assigned to platform bus,
+because they are allocated as raw 'struct device' and don't have the
+corresponding 'platform' part. This fixes NULL pointer access revealed
+recently by commit a66d972465d1 ("devres: Align data[] to
+ARCH_KMALLOC_MINALIGN").
+
+Fixes: c79667dd93b0 ("media: s5p-mfc: replace custom reserved memory handling code with generic one")
+
+Reported-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index 927a1235408d..ca11f8a7569d 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1089,7 +1089,6 @@ static struct device *s5p_mfc_alloc_memdev(struct device *dev,
+ device_initialize(child);
+ dev_set_name(child, "%s:%s", dev_name(dev), name);
+ child->parent = dev;
+- child->bus = dev->bus;
+ child->coherent_dma_mask = dev->coherent_dma_mask;
+ child->dma_mask = dev->dma_mask;
+ child->release = s5p_mfc_memdev_release;
+--
+2.20.1
+
--- /dev/null
+From 37bfe82dd8f483c28f260dce5afcb8f0fd668689 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Wed, 19 Dec 2018 06:08:41 +0000
+Subject: mlxsw: spectrum: Handle VLAN device unlinking
+
+[ Upstream commit e149113a74c35f0a28d1bfe17d2505a03563c1d5 ]
+
+In commit 993107fea5ee ("mlxsw: spectrum_switchdev: Fix VLAN device
+deletion via ioctl") I fixed a bug caused by the fact that the driver
+views differently the deletion of a VLAN device when it is deleted via
+an ioctl and netlink.
+
+Instead of relying on a specific order of events (device being
+unregistered vs. VLAN filter being updated), simply make sure that the
+driver performs the necessary cleanup when the VLAN device is unlinked,
+which always happens before the other two events.
+
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+index ff2f6b8e2fab..0cab06046e5d 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -4681,6 +4681,16 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *lower_dev,
+ } else if (netif_is_macvlan(upper_dev)) {
+ if (!info->linking)
+ mlxsw_sp_rif_macvlan_del(mlxsw_sp, upper_dev);
++ } else if (is_vlan_dev(upper_dev)) {
++ struct net_device *br_dev;
++
++ if (!netif_is_bridge_port(upper_dev))
++ break;
++ if (info->linking)
++ break;
++ br_dev = netdev_master_upper_dev_get(upper_dev);
++ mlxsw_sp_port_bridge_leave(mlxsw_sp_port, upper_dev,
++ br_dev);
+ }
+ break;
+ }
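Review bot: In the new `is_vlan_dev(upper_dev)` branch, `br_dev` from `netdev_master_upper_dev_get(upper_dev)` is passed straight to mlxsw_sp_port_bridge_leave() without a NULL check. The preceding `netif_is_bridge_port()` test presumably implies a master exists at this point, but that invariant is not visible in the hunk; either guard it with `if (!br_dev) break;` or add a comment stating why the master cannot be NULL during unlink. The enclosing switch case starts outside the hunk, so how `break` interacts with the surrounding cleanup cannot be checked from here.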
+--
+2.20.1
+
--- /dev/null
+From 2c73ff4431ea307d5729a37d668a54517c36ad44 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 5 Apr 2019 14:59:16 +0100
+Subject: net: hns: fix unsigned comparison to less than zero
+
+[ Upstream commit ea401685a20b5d631957f024bda86e1f6118eb20 ]
+
+Currently mskid is unsigned and hence comparisons with negative
+error return values are always false. Fix this by making mskid an
+int.
+
+Fixes: f058e46855dc ("net: hns: fix ICMP6 neighbor solicitation messages discard problem")
+Addresses-Coverity: ("Operands don't affect result")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+index f5ff07cb2b72..f2b0b587a1be 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+@@ -2777,7 +2777,7 @@ static void set_promisc_tcam_enable(struct dsaf_device *dsaf_dev, u32 port)
+ struct hns_mac_cb *mac_cb;
+ u8 addr[ETH_ALEN] = {0};
+ u8 port_num;
+- u16 mskid;
++ int mskid;
+
+ /* promisc use vague table match with vlanid = 0 & macaddr = 0 */
+ hns_dsaf_set_mac_key(dsaf_dev, &mac_key, 0x00, port, addr);
+--
+2.20.1
+
--- /dev/null
+From 998c894bd4c308ec74ef84060dcc182bb59fe976 Mon Sep 17 00:00:00 2001
+From: Salil Mehta <salil.mehta@huawei.com>
+Date: Mon, 18 Feb 2019 17:40:32 +0000
+Subject: net: hns: Fixes the missing put_device in positive leg for roce reset
+
+[ Upstream commit 4d96e13ee9cd1f7f801e8c7f4b12f09d1da4a5d8 ]
+
+This patch fixes the missing device reference release-after-use in
+the positive leg of the roce reset API of the HNS DSAF.
+
+Fixes: c969c6e7ab8c ("net: hns: Fix object reference leaks in hns_dsaf_roce_reset()")
+Reported-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+index fdff5526d2e8..f5ff07cb2b72 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+@@ -3149,6 +3149,9 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset)
+ dsaf_set_bit(credit, DSAF_SBM_ROCEE_CFG_CRD_EN_B, 1);
+ dsaf_write_dev(dsaf_dev, DSAF_SBM_ROCEE_CFG_REG_REG, credit);
+ }
++
++ put_device(&pdev->dev);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(hns_dsaf_roce_reset);
+--
+2.20.1
+
--- /dev/null
+From ee78f59c4e2db0e07f54fb055c4de7a1369e7a3c Mon Sep 17 00:00:00 2001
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Thu, 11 Apr 2019 11:17:34 +0200
+Subject: net/smc: move unhash before release of clcsock
+
+[ Upstream commit f61bca58f6c36e666c2b807697f25e5e98708162 ]
+
+Commit <26d92e951fe0>
+("net/smc: move unhash as early as possible in smc_release()")
+fixes one occurrence in the smc code, but the same pattern exists
+in other places. This patch covers the remaining occurrences and
+makes sure, the unhash operation is done before the smc->clcsock is
+released. This avoids a potential use-after-free in smc_diag_dump().
+
+Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index e6e506b2db99..9bbab6ba2dab 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -848,11 +848,11 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
+ if (rc < 0)
+ lsk->sk_err = -rc;
+ if (rc < 0 || lsk->sk_state == SMC_CLOSED) {
++ new_sk->sk_prot->unhash(new_sk);
+ if (new_clcsock)
+ sock_release(new_clcsock);
+ new_sk->sk_state = SMC_CLOSED;
+ sock_set_flag(new_sk, SOCK_DEAD);
+- new_sk->sk_prot->unhash(new_sk);
+ sock_put(new_sk); /* final */
+ *new_smc = NULL;
+ goto out;
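Review bot: The ordering this change establishes in smc_clcsock_accept(), `unhash()` before `sock_release()` of the clcsock, is load-bearing for the use-after-free the description mentions, yet nothing at the call site says so and a later cleanup could easily move the call back. A one-line comment at each of the three moved calls (here, in smc_accept_dequeue() and in smc_close_non_accepted()) would protect it: `/* unhash first so smc_diag_dump() cannot reach this sock while clcsock is being released */`. In smc_close_non_accepted() the call also moves from after `release_sock(sk)` to before it, so the hash lock is now taken ahead of that release; that ordering is worth checking against the other paths that take both.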
+@@ -903,11 +903,11 @@ struct sock *smc_accept_dequeue(struct sock *parent,
+
+ smc_accept_unlink(new_sk);
+ if (new_sk->sk_state == SMC_CLOSED) {
++ new_sk->sk_prot->unhash(new_sk);
+ if (isk->clcsock) {
+ sock_release(isk->clcsock);
+ isk->clcsock = NULL;
+ }
+- new_sk->sk_prot->unhash(new_sk);
+ sock_put(new_sk); /* final */
+ continue;
+ }
+@@ -932,6 +932,7 @@ void smc_close_non_accepted(struct sock *sk)
+ sock_set_flag(sk, SOCK_DEAD);
+ sk->sk_shutdown |= SHUTDOWN_MASK;
+ }
++ sk->sk_prot->unhash(sk);
+ if (smc->clcsock) {
+ struct socket *tcp;
+
+@@ -947,7 +948,6 @@ void smc_close_non_accepted(struct sock *sk)
+ smc_conn_free(&smc->conn);
+ }
+ release_sock(sk);
+- sk->sk_prot->unhash(sk);
+ sock_put(sk); /* final sock_put */
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 447d05e723b06f8aa1a9cba0f7b4c0029924663c Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Thu, 6 Jun 2019 18:04:00 +0200
+Subject: netfilter: ipv6: nf_defrag: accept duplicate fragments again
+
+[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]
+
+When fixing the skb leak introduced by the conversion to rbtree, I
+forgot about the special case of duplicate fragments. The condition
+under the 'insert_error' label isn't effective anymore as
+nf_ct_frg6_gather() doesn't override the returned value anymore. So
+duplicate fragments now get NF_DROP verdict.
+
+To accept duplicate fragments again, handle them specially as soon as
+inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
+translate to NF_STOLEN verdict, like any accepted fragment. However,
+such packets don't carry any new information and aren't queued, so we
+just drop them immediately.
+
+Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index 73c29ddcfb95..35d5a76867d0 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -265,8 +265,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+
+ prev = fq->q.fragments_tail;
+ err = inet_frag_queue_insert(&fq->q, skb, offset, end);
+- if (err)
++ if (err) {
++ if (err == IPFRAG_DUP) {
++ /* No error for duplicates, pretend they got queued. */
++ kfree_skb(skb);
++ return -EINPROGRESS;
++ }
+ goto insert_error;
++ }
+
+ if (dev)
+ fq->iif = dev->ifindex;
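Review bot: The comment in the new `IPFRAG_DUP` branch says duplicates are treated as queued, but it does not say that the skb is freed right there, which is the part a caller has to know. Per the commit message `-EINPROGRESS` becomes an NF_STOLEN verdict, so the caller must not touch the skb afterwards; I would spell that out, e.g. `/* Duplicate: freed here, -EINPROGRESS means stolen, caller must not touch skb. */`. Duplicates are also discarded with no accounting visible in this hunk, which makes a burst of repeated fragments hard to notice from counters; whether a statistic is bumped elsewhere cannot be seen here. nf_ct_frag6_queue() begins and ends outside the hunk.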
+@@ -304,8 +310,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+ return -EINPROGRESS;
+
+ insert_error:
+- if (err == IPFRAG_DUP)
+- goto err;
+ inet_frag_kill(&fq->q);
+ err:
+ skb_dst_drop(skb);
+--
+2.20.1
+
--- /dev/null
+From 8163173eece0e5e99992246a2ac7f2b140c63fa9 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sun, 2 Jun 2019 15:13:47 +0200
+Subject: netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
+
+[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]
+
+With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
+nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
+nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
+after the skb has been added to the fragment queue and
+nf_ct_frag6_gather() was adapted to handle this case.
+
+But nf_ct_frag6_queue() can still fail before the fragment has been
+queued. nf_ct_frag6_gather() can't handle this case anymore, because it
+has no way to know if nf_ct_frag6_queue() queued the fragment before
+failing. If it didn't, the skb is lost as the error code is overwritten
+with -EINPROGRESS.
+
+Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
+that nf_ct_frag6_gather() can propagate the error as is.
+
+Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index cb1b4772dac0..73c29ddcfb95 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -293,7 +293,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+ skb->_skb_refdst = 0UL;
+ err = nf_ct_frag6_reasm(fq, skb, prev, dev);
+ skb->_skb_refdst = orefdst;
+- return err;
++
++ /* After queue has assumed skb ownership, only 0 or
++ * -EINPROGRESS must be returned.
++ */
++ return err ? -EINPROGRESS : 0;
+ }
+
+ skb_dst_drop(skb);
+@@ -481,12 +485,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
+ ret = 0;
+ }
+
+- /* after queue has assumed skb ownership, only 0 or -EINPROGRESS
+- * must be returned.
+- */
+- if (ret)
+- ret = -EINPROGRESS;
+-
+ spin_unlock_bh(&fq->q.lock);
+ inet_frag_put(&fq->q);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From c0437e7fd41b72e8c4fbaecbadd5a9c8ebf71cbf Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Wed, 19 Dec 2018 20:53:18 -0800
+Subject: rds: Fix warning.
+
+[ Upstream commit d84e7bc0595a7e146ad0ddb80b240cea77825245 ]
+
+>> net/rds/send.c:1109:42: warning: Using plain integer as NULL pointer
+
+Fixes: ea010070d0a7 ("net/rds: fix warn in rds_message_alloc_sgs")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/send.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/rds/send.c b/net/rds/send.c
+index ec2267cbf85f..26e2c2305f7a 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1106,9 +1106,11 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+ sock_flag(rds_rs_to_sk(rs), SOCK_ZEROCOPY));
+ int num_sgs = ceil(payload_len, PAGE_SIZE);
+ int namelen;
+- struct rds_iov_vector_arr vct = {0};
++ struct rds_iov_vector_arr vct;
+ int ind;
+
++ memset(&vct, 0, sizeof(vct));
++
+ /* expect 1 RDMA CMSG per rds_sendmsg. can still grow if more needed. */
+ vct.incr = 1;
+
+--
+2.20.1
+
--- /dev/null
+From 398a6471a8252603acf658a71727b93345652d23 Mon Sep 17 00:00:00 2001
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Tue, 9 Apr 2019 16:16:38 +0800
+Subject: sc16is7xx: move label 'err_spi' to correct section
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit e00164a0f000de893944981f41a568c981aca658 ]
+
+err_spi is used when SERIAL_SC16IS7XX_SPI is enabled, so make
+the label only available under SERIAL_SC16IS7XX_SPI option.
+Otherwise, the below warning appears.
+
+drivers/tty/serial/sc16is7xx.c:1523:1: warning: label ‘err_spi’ defined but not used [-Wunused-label]
+ err_spi:
+ ^~~~~~~
+
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Fixes: ac0cdb3d9901 ("sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index 55b178c1bd65..372cc7ff228f 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -1494,10 +1494,12 @@ static int __init sc16is7xx_init(void)
+ #endif
+ return ret;
+
++#ifdef CONFIG_SERIAL_SC16IS7XX_SPI
+ err_spi:
+ #ifdef CONFIG_SERIAL_SC16IS7XX_I2C
+ i2c_del_driver(&sc16is7xx_i2c_uart_driver);
+ #endif
++#endif
+ err_i2c:
+ uart_unregister_driver(&sc16is7xx_uart);
+ return ret;
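Review bot: `err_i2c:` is left outside any conditional, so if its only `goto` sits under `CONFIG_SERIAL_SC16IS7XX_I2C` (the gotos are above the hunk and not visible), an SPI-only build would raise the same -Wunused-label warning this change fixes for `err_spi`. Guarding it the same way, `#ifdef CONFIG_SERIAL_SC16IS7XX_I2C` / `err_i2c:` / `#endif`, would make the two labels symmetric. With the conditionals now nested, trailing comments such as `#endif /* CONFIG_SERIAL_SC16IS7XX_SPI */` would also make it clear which `#endif` closes which block.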
+--
+2.20.1
+
--- /dev/null
+From 06e8fde50faf42bc8addf4b0dd0fdae95c677dbc Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Tue, 22 Jan 2019 18:10:51 +0800
+Subject: scsi: tcmu: fix use after free
+
+[ Upstream commit 40d883b091758472c79b81fa1c0e0347e24a9cff ]
+
+Fixes: a94a2572b977 ("scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_user.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index ac7620120491..c46efa47d68a 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -1317,12 +1317,13 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
+ * target_complete_cmd will translate this to LUN COMM FAILURE
+ */
+ scsi_status = SAM_STAT_CHECK_CONDITION;
++ list_del_init(&cmd->queue_entry);
+ } else {
++ list_del_init(&cmd->queue_entry);
+ idr_remove(&udev->commands, id);
+ tcmu_free_cmd(cmd);
+ scsi_status = SAM_STAT_TASK_SET_FULL;
+ }
+- list_del_init(&cmd->queue_entry);
+
+ pr_debug("Timing out cmd %u on dev %s that is %s.\n",
+ id, udev->name, is_running ? "inflight" : "queued");
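Review bot: In the `else` branch `tcmu_free_cmd(cmd)` still runs before the rest of the function, and only the `list_del_init()` was moved ahead of it, so any later dereference of `cmd` on that path would be the same use-after-free again. The `pr_debug()` visible here uses only `id`, `udev` and `is_running`, but the function continues past the hunk and should be checked for `cmd->` accesses after this point. Since the unlink is now duplicated in both branches, a short comment on the second one, `/* unlink before tcmu_free_cmd() frees cmd */`, would explain why it cannot be merged back below the `if`.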
+--
+2.20.1
+
--- /dev/null
+From c5f26bf7f376be363a5da01e09adb39c13e0f823 Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 29 Apr 2019 10:30:09 -0700
+Subject: selftests: fib_rule_tests: Fix icmp proto with ipv6
+
+[ Upstream commit 15d55bae4e3c43cd9f87fd93c73a263e172d34e1 ]
+
+A recent commit returns an error if icmp is used as the ip-proto for
+IPv6 fib rules. Update fib_rule_tests to send ipv6-icmp instead of icmp.
+
+Fixes: 5e1a99eae8499 ("ipv4: Add ICMPv6 support when parse route ipproto")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_rule_tests.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib_rule_tests.sh b/tools/testing/selftests/net/fib_rule_tests.sh
+index dbd90ca73e44..1ba069967fa2 100755
+--- a/tools/testing/selftests/net/fib_rule_tests.sh
++++ b/tools/testing/selftests/net/fib_rule_tests.sh
+@@ -148,8 +148,8 @@ fib_rule6_test()
+
+ fib_check_iproute_support "ipproto" "ipproto"
+ if [ $? -eq 0 ]; then
+- match="ipproto icmp"
+- fib_rule6_test_match_n_redirect "$match" "$match" "ipproto icmp match"
++ match="ipproto ipv6-icmp"
++ fib_rule6_test_match_n_redirect "$match" "$match" "ipproto ipv6-icmp match"
+ fi
+ }
+
+--
+2.20.1
+
ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
mm-vmscan.c-prevent-useless-kswapd-loops.patch
btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch
+tty-rocket-fix-incorrect-forward-declaration-of-rp_i.patch
+ftrace-x86-remove-possible-deadlock-between-register.patch
+mlxsw-spectrum-handle-vlan-device-unlinking.patch
+net-smc-move-unhash-before-release-of-clcsock.patch
+media-s5p-mfc-fix-incorrect-bus-assignment-in-virtua.patch
+drm-fb-helper-generic-don-t-take-module-ref-for-fbco.patch
+f2fs-don-t-access-node-meta-inode-mapping-after-iput.patch
+mac80211-mesh-fix-missing-unlock-on-error-in-table_p.patch
+scsi-tcmu-fix-use-after-free.patch
+selftests-fib_rule_tests-fix-icmp-proto-with-ipv6.patch
+x86-boot-compressed-64-do-not-corrupt-edx-on-efer.lm.patch
+net-hns-fixes-the-missing-put_device-in-positive-leg.patch
+alsa-hda-initialize-power_state-field-properly.patch
+rds-fix-warning.patch
+ip6-fix-skb-leak-in-ip6frag_expire_frag_queue.patch
+netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch
+sc16is7xx-move-label-err_spi-to-correct-section.patch
+net-hns-fix-unsigned-comparison-to-less-than-zero.patch
+bpf-fix-bpf_jit_limit-knob-for-page_size-64k.patch
+netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch
--- /dev/null
+From d253807a6af7658e21a8b93c68d25d2e112b39c9 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 6 May 2019 11:28:23 -0700
+Subject: tty: rocket: fix incorrect forward declaration of 'rp_init()'
+
+[ Upstream commit 423ea3255424b954947d167681b71ded1b8fca53 ]
+
+Make the forward declaration actually match the real function
+definition, something that previous versions of gcc had just ignored.
+
+This is another patch to fix new warnings from gcc-9 before I start the
+merge window pulls. I don't want to miss legitimate new warnings just
+because my system update brought a new compiler with new warnings.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/rocket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
+index b121d8f8f3d7..27aeca30eeae 100644
+--- a/drivers/tty/rocket.c
++++ b/drivers/tty/rocket.c
+@@ -266,7 +266,7 @@ MODULE_PARM_DESC(pc104_3, "set interface types for ISA(PC104) board #3 (e.g. pc1
+ module_param_array(pc104_4, ulong, NULL, 0);
+ MODULE_PARM_DESC(pc104_4, "set interface types for ISA(PC104) board #4 (e.g. pc104_4=232,232,485,485,...");
+
+-static int rp_init(void);
++static int __init rp_init(void);
+ static void rp_cleanup_module(void);
+
+ module_init(rp_init);
+--
+2.20.1
+
--- /dev/null
+From 2d8fa497803d39d915983d5cba612489ae75162a Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Wed, 6 Feb 2019 14:52:53 +0300
+Subject: x86/boot/compressed/64: Do not corrupt EDX on EFER.LME=1 setting
+
+[ Upstream commit 45b13b424faafb81c8c44541f093a682fdabdefc ]
+
+RDMSR in the trampoline code overwrites EDX but that register is used
+to indicate whether 5-level paging has to be enabled and if clobbered,
+leads to failure to boot on a 5-level paging machine.
+
+Preserve EDX on the stack while we are dealing with EFER.
+
+Fixes: b677dfae5aa1 ("x86/boot/compressed/64: Set EFER.LME=1 in 32-bit trampoline before returning to long mode")
+Reported-by: Kyle D Pelton <kyle.d.pelton@intel.com>
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: dave.hansen@linux.intel.com
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wei Huang <wei@redhat.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190206115253.1907-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/boot/compressed/head_64.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index f105ae8651c9..f62e347862cc 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -602,10 +602,12 @@ ENTRY(trampoline_32bit_src)
+ 3:
+ /* Set EFER.LME=1 as a precaution in case hypervsior pulls the rug */
+ pushl %ecx
++ pushl %edx
+ movl $MSR_EFER, %ecx
+ rdmsr
+ btsl $_EFER_LME, %eax
+ wrmsr
++ popl %edx
+ popl %ecx
+
+ /* Enable PAE and LA57 (if required) paging modes */
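Review bot: The added `pushl %edx` / `popl %edx` pair has no comment saying why EDX is saved, and the existing comment above it only mentions EFER.LME. Per the commit message `rdmsr` overwrites EDX, which at this point indicates whether 5-level paging has to be enabled; a comment on the push such as `/* rdmsr clobbers EDX, which carries the 5-level paging flag */` would keep the pair from being removed later as dead code. The trampoline continues outside the hunk.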
+--
+2.20.1
+