patches for 3.18
authorSasha Levin <sashal@kernel.org>
Tue, 19 Mar 2019 22:13:50 +0000 (18:13 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 19 Mar 2019 22:13:50 +0000 (18:13 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
17 files changed:
queue-3.18/arm64-relax-gic-version-check-during-early-boot.patch [new file with mode: 0644]
queue-3.18/assoc_array-fix-shortcut-creation.patch [new file with mode: 0644]
queue-3.18/i2c-cadence-fix-the-hold-bit-setting.patch [new file with mode: 0644]
queue-3.18/input-matrix_keypad-use-flush_delayed_work.patch [new file with mode: 0644]
queue-3.18/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch [new file with mode: 0644]
queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 [new file with mode: 0644]
queue-3.18/mm-gup-fix-gup_pmd_range-for-dax.patch [new file with mode: 0644]
queue-3.18/net-marvell-mvneta-fix-dma-debug-warning.patch [new file with mode: 0644]
queue-3.18/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch [new file with mode: 0644]
queue-3.18/net-set-static-variable-an-initial-value-in-atl2_pro.patch [new file with mode: 0644]
queue-3.18/net-systemport-fix-reception-of-bpdus.patch [new file with mode: 0644]
queue-3.18/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch [new file with mode: 0644]
queue-3.18/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch [new file with mode: 0644]
queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch [new file with mode: 0644]
queue-3.18/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch [new file with mode: 0644]

diff --git a/queue-3.18/arm64-relax-gic-version-check-during-early-boot.patch b/queue-3.18/arm64-relax-gic-version-check-during-early-boot.patch
new file mode 100644 (file)
index 0000000..a9e69c0
--- /dev/null
@@ -0,0 +1,40 @@
+From f44bd766125d991845e3563a3661a3e2870e1113 Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+Date: Wed, 20 Feb 2019 11:43:05 +0000
+Subject: arm64: Relax GIC version check during early boot
+
+[ Upstream commit 74698f6971f25d045301139413578865fc2bd8f9 ]
+
+Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have
+values other than 0 or 1. At the moment, Linux is quite strict in the
+way it handles this field at early boot stage (cpufeature is fine) and
+will refuse to use the system register CPU interface if it doesn't
+find the value 1.
+
+Fixes: 021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3")
+Reported-by: Chase Conklin <Chase.Conklin@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/head.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 5c4b8d6e8ba0..fcb224df471d 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -295,8 +295,7 @@ CPU_LE(    bic     x0, x0, #(3 << 24)      )       // Clear the EE and E0E bits for EL1
+       /* GICv3 system register access */
+       mrs     x0, id_aa64pfr0_el1
+       ubfx    x0, x0, #24, #4
+-      cmp     x0, #1
+-      b.ne    3f
++      cbz     x0, 3f
+       mrs_s   x0, ICC_SRE_EL2
+       orr     x0, x0, #ICC_SRE_EL2_SRE        // Set ICC_SRE_EL2.SRE==1
+-- 
+2.19.1
+
diff --git a/queue-3.18/assoc_array-fix-shortcut-creation.patch b/queue-3.18/assoc_array-fix-shortcut-creation.patch
new file mode 100644 (file)
index 0000000..a2c2914
--- /dev/null
@@ -0,0 +1,57 @@
+From 841054a1d943f4e83ce3235e756536b657d40978 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 14 Feb 2019 16:20:15 +0000
+Subject: assoc_array: Fix shortcut creation
+
+[ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ]
+
+Fix the creation of shortcuts for which the length of the index key value
+is an exact multiple of the machine word size.  The problem is that the
+code that blanks off the unused bits of the shortcut value malfunctions if
+the number of bits in the last word equals machine word size.  This is due
+to the "<<" operator being given a shift of zero in this case, and so the
+mask that should be all zeros is all ones instead.  This causes the
+subsequent masking operation to clear everything rather than clearing
+nothing.
+
+Ordinarily, the presence of the hash at the beginning of the tree index key
+makes the issue very hard to test for, but in this case, it was encountered
+due to a development mistake that caused the hash output to be either 0
+(keyring) or 1 (non-keyring) only.  This made it susceptible to the
+keyctl/unlink/valid test in the keyutils package.
+
+The fix is simply to skip the blanking if the shift would be 0.  For
+example, an index key that is 64 bits long would produce a 0 shift and thus
+a 'blank' of all 1s.  This would then be inverted and AND'd onto the
+index_key, incorrectly clearing the entire last word.
+
+Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/assoc_array.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/assoc_array.c b/lib/assoc_array.c
+index 0d122543bd63..1db287fffb67 100644
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -780,9 +780,11 @@ all_leaves_cluster_together:
+               new_s0->index_key[i] =
+                       ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE);
+-      blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
+-      pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
+-      new_s0->index_key[keylen - 1] &= ~blank;
++      if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) {
++              blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
++              pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
++              new_s0->index_key[keylen - 1] &= ~blank;
++      }
+       /* This now reduces to a node splitting exercise for which we'll need
+        * to regenerate the disparity table.
+-- 
+2.19.1
+
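Review bot: The new `if (level & ASSOC_ARRAY_KEY_CHUNK_MASK)` guard in lib/assoc_array.c carries no comment, so the reason a zero shift must be skipped lives only in the commit message. I would add above it `/* A zero shift means the last word is fully used; ULONG_MAX << 0 would blank all of it. */`. The enclosing function starts and ends outside the hunk.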
diff --git a/queue-3.18/i2c-cadence-fix-the-hold-bit-setting.patch b/queue-3.18/i2c-cadence-fix-the-hold-bit-setting.patch
new file mode 100644 (file)
index 0000000..5fa7093
--- /dev/null
@@ -0,0 +1,56 @@
+From ea7ef28c964835e457918623ee9a578eeccd10b8 Mon Sep 17 00:00:00 2001
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Date: Tue, 5 Feb 2019 16:42:53 +0530
+Subject: i2c: cadence: Fix the hold bit setting
+
+[ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ]
+
+In case the hold bit is not needed we are carrying the old values.
+Fix the same by resetting the bit when not needed.
+
+Fixes the sporadic i2c bus lockups on National Instruments
+Zynq-based devices.
+
+Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller")
+Reported-by: Kyle Roeschley <kyle.roeschley@ni.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Tested-by: Kyle Roeschley <kyle.roeschley@ni.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index c604f4c3ac0d..c50a015018fe 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -320,8 +320,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id)
+        * Check for the message size against FIFO depth and set the
+        * 'hold bus' bit if it is greater than FIFO depth.
+        */
+-      if (id->recv_count > CDNS_I2C_FIFO_DEPTH)
++      if ((id->recv_count > CDNS_I2C_FIFO_DEPTH)  || id->bus_hold_flag)
+               ctrl_reg |= CDNS_I2C_CR_HOLD;
++      else
++              ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+       cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+@@ -375,8 +377,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id)
+        * Check for the message size against FIFO depth and set the
+        * 'hold bus' bit if it is greater than FIFO depth.
+        */
+-      if (id->send_count > CDNS_I2C_FIFO_DEPTH)
++      if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
+               ctrl_reg |= CDNS_I2C_CR_HOLD;
++      else
++              ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
++
+       cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+       /* Clear the interrupts in interrupt status register. */
+-- 
+2.19.1
+
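Review bot: The added else branches in cdns_i2c_mrecv() and cdns_i2c_msend() write the clear as `ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;` although the set one line above uses the compound form; `ctrl_reg &= ~CDNS_I2C_CR_HOLD;` would match it. The mrecv test also has a doubled space before `||`, and both tests carry parentheses they do not need: `if (id->recv_count > CDNS_I2C_FIFO_DEPTH || id->bus_hold_flag)`. The block comment above each test still describes only the FIFO-depth case and should mention bus_hold_flag and the fact that the bit is now cleared otherwise. Both function bodies extend outside the hunks.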
diff --git a/queue-3.18/input-matrix_keypad-use-flush_delayed_work.patch b/queue-3.18/input-matrix_keypad-use-flush_delayed_work.patch
new file mode 100644 (file)
index 0000000..377e746
--- /dev/null
@@ -0,0 +1,34 @@
+From 4b6948eb789193bbf93042c72c97a4f935491f82 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 7 Feb 2019 14:39:40 -0800
+Subject: Input: matrix_keypad - use flush_delayed_work()
+
+[ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ]
+
+We should be using flush_delayed_work() instead of flush_work() in
+matrix_keypad_stop() to ensure that we are not missing work that is
+scheduled but not yet put in the workqueue (i.e. its delay timer has not
+expired yet).
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/matrix_keypad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c
+index 176bdd140769..a1b9753e0616 100644
+--- a/drivers/input/keyboard/matrix_keypad.c
++++ b/drivers/input/keyboard/matrix_keypad.c
+@@ -220,7 +220,7 @@ static void matrix_keypad_stop(struct input_dev *dev)
+       keypad->stopped = true;
+       spin_unlock_irq(&keypad->lock);
+-      flush_work(&keypad->work.work);
++      flush_delayed_work(&keypad->work);
+       /*
+        * matrix_keypad_scan() will leave IRQs enabled;
+        * we should disable them now.
+-- 
+2.19.1
+
diff --git a/queue-3.18/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch b/queue-3.18/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
new file mode 100644 (file)
index 0000000..b63f50e
--- /dev/null
@@ -0,0 +1,45 @@
+From 90ef175398deddcea4b0c2a2feae6babd7ebd8f1 Mon Sep 17 00:00:00 2001
+From: Gabriel Fernandez <gabriel.fernandez@st.com>
+Date: Sat, 16 Feb 2019 21:10:16 -0800
+Subject: Input: st-keyscan - fix potential zalloc NULL dereference
+
+[ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ]
+
+This patch fixes the following static checker warning:
+
+drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
+error: potential zalloc NULL dereference: 'keypad_data->input_dev'
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Gabriel Fernandez <gabriel.fernandez@st.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/st-keyscan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c
+index de7be4f03d91..ebf9f643d910 100644
+--- a/drivers/input/keyboard/st-keyscan.c
++++ b/drivers/input/keyboard/st-keyscan.c
+@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev)
+       input_dev->id.bustype = BUS_HOST;
++      keypad_data->input_dev = input_dev;
++
+       error = keypad_matrix_key_parse_dt(keypad_data);
+       if (error)
+               return error;
+@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev)
+       input_set_drvdata(input_dev, keypad_data);
+-      keypad_data->input_dev = input_dev;
+-
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       keypad_data->base = devm_ioremap_resource(&pdev->dev, res);
+       if (IS_ERR(keypad_data->base))
+-- 
+2.19.1
+
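Review bot: The moved assignment `keypad_data->input_dev = input_dev;` in keyscan_probe() now has an ordering dependency that nothing in the code records. Presumably keypad_matrix_key_parse_dt() reads keypad_data->input_dev (its body is not in the hunk), so a comment such as `/* must be set before keypad_matrix_key_parse_dt() */` would keep a later cleanup from moving the line back down. keyscan_probe() starts and ends outside the hunk.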
diff --git a/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 b/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169
new file mode 100644 (file)
index 0000000..6bdac0c
--- /dev/null
@@ -0,0 +1,128 @@
+From 7b3eef0f60b36cee8ff2b751044a142c7b27af14 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 21 Feb 2019 22:42:01 +0800
+Subject: mdio_bus: Fix use-after-free on device_register fails
+
+[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ]
+
+KASAN has found use-after-free in fixed_mdio_bus_init,
+commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
+put_device on device_register() failure") call put_device()
+while device_register() fails,give up the last reference
+to the device and allow mdiobus_release to be executed
+,kfreeing the bus. However in most drives, mdiobus_free
+be called to free the bus while mdiobus_register fails.
+use-after-free occurs when access bus again, this patch
+revert it to let mdiobus_free free the bus.
+
+KASAN report details as below:
+
+BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
+Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524
+
+CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
+ fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
+ ? 0xffffffffc0e40000
+ ? 0xffffffffc0e40000
+ ? 0xffffffffc0e40000
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+Allocated by task 3524:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
+ fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 3524:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook mm/slub.c:1436 [inline]
+ slab_free mm/slub.c:2986 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3938
+ device_release+0x78/0x200 drivers/base/core.c:919
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ put_device+0x1c/0x30 drivers/base/core.c:2060
+ __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
+ fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881dc824c80
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 248 bytes inside of
+ 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
+The buggy address belongs to the page:
+page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
+flags: 0x2fffc0000010200(slab|head)
+raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
+raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                                ^
+ ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 50051f271b10..8dfd1aeb8fab 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -261,7 +261,6 @@ int mdiobus_register(struct mii_bus *bus)
+       err = device_register(&bus->dev);
+       if (err) {
+               pr_err("mii_bus %s failed to register\n", bus->id);
+-              put_device(&bus->dev);
+               return -EINVAL;
+       }
+-- 
+2.19.1
+
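Review bot: With `put_device(&bus->dev);` removed from the device_register() failure branch of mdiobus_register(), releasing the bus is left entirely to the caller, and the code does not say so. A comment on that branch, e.g. `/* no put_device() here: the caller releases the bus with mdiobus_free() */`, would record the ownership rule the commit message describes. It is worth confirming that every caller in this tree does call mdiobus_free() after a failed registration and that nothing allocated inside the failed device_register() is leaked as a result; neither is visible from this hunk.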
diff --git a/queue-3.18/mm-gup-fix-gup_pmd_range-for-dax.patch b/queue-3.18/mm-gup-fix-gup_pmd_range-for-dax.patch
new file mode 100644 (file)
index 0000000..e777dfc
--- /dev/null
@@ -0,0 +1,48 @@
+From c10e7f56c98af101b7af458f19bb8a212cca0f2d Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Tue, 12 Feb 2019 15:35:58 -0800
+Subject: mm/gup: fix gup_pmd_range() for dax
+
+[ Upstream commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 ]
+
+For dax pmd, pmd_trans_huge() returns false but pmd_huge() returns true
+on x86.  So the function works as long as hugetlb is configured.
+However, dax doesn't depend on hugetlb.
+
+Link: http://lkml.kernel.org/r/20190111034033.601-1-yuzhao@google.com
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: "Michael S . Tsirkin" <mst@redhat.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/gup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/gup.c b/mm/gup.c
+index ce1630bf0b95..29a36fae8624 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -885,7 +885,8 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end,
+               if (pmd_none(pmd) || pmd_trans_splitting(pmd))
+                       return 0;
+-              if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd))) {
++              if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) ||
++                           pmd_devmap(pmd))) {
+                       /*
+                        * NUMA hinting faults need to be handled in the GUP
+                        * slowpath for accounting purposes and so that they
+-- 
+2.19.1
+
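Review bot: `pmd_devmap(pmd)` is added to the huge-pmd test in gup_pmd_range(), but nothing on this page shows that helper being available in a 3.18 tree. As far as I know it arrived with the DAX pmd support in later kernels (the context line here still uses pmd_trans_splitting()), so please confirm the queue builds with this patch applied. If the helper is absent, the backport is probably not applicable to this branch. The function continues outside the hunk.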
diff --git a/queue-3.18/net-marvell-mvneta-fix-dma-debug-warning.patch b/queue-3.18/net-marvell-mvneta-fix-dma-debug-warning.patch
new file mode 100644 (file)
index 0000000..5200ea8
--- /dev/null
@@ -0,0 +1,58 @@
+From b5382511a65617df9f933b467a2fb4a17445a3b5 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 15 Feb 2019 13:55:47 +0000
+Subject: net: marvell: mvneta: fix DMA debug warning
+
+[ Upstream commit a8fef9ba58c9966ddb1fec916d8d8137c9d8bc89 ]
+
+Booting 4.20 on SolidRun Clearfog issues this warning with DMA API
+debug enabled:
+
+WARNING: CPU: 0 PID: 555 at kernel/dma/debug.c:1230 check_sync+0x514/0x5bc
+mvneta f1070000.ethernet: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x000000002dd7dc00] [size=240 bytes]
+Modules linked in: ahci mv88e6xxx dsa_core xhci_plat_hcd xhci_hcd devlink armada_thermal marvell_cesa des_generic ehci_orion phy_armada38x_comphy mcp3021 spi_orion evbug sfp mdio_i2c ip_tables x_tables
+CPU: 0 PID: 555 Comm: bridge-network- Not tainted 4.20.0+ #291
+Hardware name: Marvell Armada 380/385 (Device Tree)
+[<c0019638>] (unwind_backtrace) from [<c0014888>] (show_stack+0x10/0x14)
+[<c0014888>] (show_stack) from [<c07f54e0>] (dump_stack+0x9c/0xd4)
+[<c07f54e0>] (dump_stack) from [<c00312bc>] (__warn+0xf8/0x124)
+[<c00312bc>] (__warn) from [<c00313b0>] (warn_slowpath_fmt+0x38/0x48)
+[<c00313b0>] (warn_slowpath_fmt) from [<c00b0370>] (check_sync+0x514/0x5bc)
+[<c00b0370>] (check_sync) from [<c00b04f8>] (debug_dma_sync_single_range_for_cpu+0x6c/0x74)
+[<c00b04f8>] (debug_dma_sync_single_range_for_cpu) from [<c051bd14>] (mvneta_poll+0x298/0xf58)
+[<c051bd14>] (mvneta_poll) from [<c0656194>] (net_rx_action+0x128/0x424)
+[<c0656194>] (net_rx_action) from [<c000a230>] (__do_softirq+0xf0/0x540)
+[<c000a230>] (__do_softirq) from [<c00386e0>] (irq_exit+0x124/0x144)
+[<c00386e0>] (irq_exit) from [<c009b5e0>] (__handle_domain_irq+0x58/0xb0)
+[<c009b5e0>] (__handle_domain_irq) from [<c03a63c4>] (gic_handle_irq+0x48/0x98)
+[<c03a63c4>] (gic_handle_irq) from [<c0009a10>] (__irq_svc+0x70/0x98)
+...
+
+This appears to be caused by mvneta_rx_hwbm() calling
+dma_sync_single_range_for_cpu() with the wrong struct device pointer,
+as the buffer manager device pointer is used to map and unmap the
+buffer.  Fix this.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 6212177781d5..922c4afc767b 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1482,7 +1482,7 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
+                       if (unlikely(!skb))
+                               goto err_drop_frame;
+-                      dma_sync_single_range_for_cpu(dev->dev.parent,
++                      dma_sync_single_range_for_cpu(&pp->bm_priv->pdev->dev,
+                                                     rx_desc->buf_phys_addr,
+                                                     MVNETA_MH_SIZE + NET_SKB_PAD,
+                                                     rx_bytes,
+-- 
+2.19.1
+
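Review bot: The hunk header places this change in mvneta_rx(), while the description attributes the wrong device pointer to mvneta_rx_hwbm(), so the fix may have landed in a different receive path than the one upstream changed. `&pp->bm_priv->pdev->dev` dereferences pp->bm_priv unconditionally. If the buffer synced at this call was mapped with dev->dev.parent in this tree, or if bm_priv can be NULL (or does not exist) here, the new argument is either the wrong device for the sync or a NULL dereference in the receive path. Please check how that buffer is mapped in 3.18 before queuing; mvneta_rx() starts and ends outside the hunk.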
diff --git a/queue-3.18/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch b/queue-3.18/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
new file mode 100644 (file)
index 0000000..614bfa5
--- /dev/null
@@ -0,0 +1,48 @@
+From 8a22410e35c7016949b119a484d2bd0f525d43cf Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 16 Feb 2019 00:20:54 +0300
+Subject: net: mv643xx_eth: disable clk on error path in
+ mv643xx_eth_shared_probe()
+
+[ Upstream commit e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ]
+
+If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe()
+leaves clk enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index d44560d1d268..5fcf026d3528 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2814,7 +2814,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+       ret = mv643xx_eth_shared_of_probe(pdev);
+       if (ret)
+-              return ret;
++              goto err_put_clk;
+       pd = dev_get_platdata(&pdev->dev);
+       msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ?
+@@ -2822,6 +2822,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+       infer_hw_params(msp);
+       return 0;
++
++err_put_clk:
++      if (!IS_ERR(msp->clk))
++              clk_disable_unprepare(msp->clk);
++      return ret;
+ }
+ static int mv643xx_eth_shared_remove(struct platform_device *pdev)
+-- 
+2.19.1
+
diff --git a/queue-3.18/net-set-static-variable-an-initial-value-in-atl2_pro.patch b/queue-3.18/net-set-static-variable-an-initial-value-in-atl2_pro.patch
new file mode 100644 (file)
index 0000000..8fe84ad
--- /dev/null
@@ -0,0 +1,40 @@
+From e9b19a9947cef6829fd5f7a7134f57b6d3d5bb77 Mon Sep 17 00:00:00 2001
+From: Mao Wenan <maowenan@huawei.com>
+Date: Fri, 22 Feb 2019 14:57:23 +0800
+Subject: net: set static variable an initial value in atl2_probe()
+
+[ Upstream commit 4593403fa516a5a4cffe6883c5062d60932cbfbe ]
+
+cards_found is a static variable, but when it enters atl2_probe(),
+cards_found is set to zero, the value is not consistent with last probe,
+so next behavior is not our expect.
+
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atlx/atl2.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
+index 5086ec9214c3..ceae4d56105d 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl2.c
++++ b/drivers/net/ethernet/atheros/atlx/atl2.c
+@@ -1338,13 +1338,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+       struct net_device *netdev;
+       struct atl2_adapter *adapter;
+-      static int cards_found;
++      static int cards_found = 0;
+       unsigned long mmio_start;
+       int mmio_len;
+       int err;
+-      cards_found = 0;
+-
+       err = pci_enable_device(pdev);
+       if (err)
+               return err;
+-- 
+2.19.1
+
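Review bot: `static int cards_found = 0;` in atl2_probe() initialises a static to zero explicitly, which kernel coding style discourages because statics are zeroed anyway. The original declaration `static int cards_found;` can stay as it was, and only the `cards_found = 0;` assignment needs to be removed. How the counter is updated lies outside the hunk; now that its value persists across probes, that update deserves a look if probes can run concurrently.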
diff --git a/queue-3.18/net-systemport-fix-reception-of-bpdus.patch b/queue-3.18/net-systemport-fix-reception-of-bpdus.patch
new file mode 100644 (file)
index 0000000..c13e19d
--- /dev/null
@@ -0,0 +1,38 @@
+From e89a83607b768169ade5f3030456a2534addcf53 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 15 Feb 2019 12:16:51 -0800
+Subject: net: systemport: Fix reception of BPDUs
+
+[ Upstream commit a40061ea2e39494104602b3048751341bda374a1 ]
+
+SYSTEMPORT has its RXCHK parser block that attempts to validate the
+packet structures, unfortunately setting the L2 header check bit will
+cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look
+like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type.
+
+Fixes: 4e8aedfe78c7 ("net: systemport: Turn on offloads by default")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index dbe35e9277c3..c81e0139fe74 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -126,6 +126,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev,
+       priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM);
+       reg = rxchk_readl(priv, RXCHK_CONTROL);
++      /* Clear L2 header checks, which would prevent BPDUs
++       * from being received.
++       */
++      reg &= ~RXCHK_L2_HDR_DIS;
+       if (priv->rx_chk_en)
+               reg |= RXCHK_EN;
+       else
+-- 
+2.19.1
+
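Review bot: The added comment in bcm_sysport_set_rx_csum() says "Clear L2 header checks", but the line clears a bit named RXCHK_L2_HDR_DIS, and from the hunk alone a reader cannot tell whether clearing it turns a check off or stops a discard. Stating the hardware effect would remove the ambiguity, e.g. `/* Do not let RXCHK drop frames that fail its L2 header check; BPDUs would be lost. */`, assuming that is what the bit does. The clear sits before the `if (priv->rx_chk_en)` test, so it applies whether or not RX checksum offload is enabled, and the comment should say that as well.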
diff --git a/queue-3.18/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch b/queue-3.18/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
new file mode 100644 (file)
index 0000000..7aefc10
--- /dev/null
@@ -0,0 +1,96 @@
+From 1069d07a8e877ba935e3d6c8b10d3ebc7055f135 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 21 Nov 2018 12:39:47 +0100
+Subject: s390/dasd: fix using offset into zero size array error
+
+[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]
+
+Dan Carpenter reported the following:
+
+The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
+for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
+checker warning:
+
+       drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
+       error: using offset into zero size array 'psf_data[]'
+
+drivers/s390/block/dasd_eckd.c
+  4458          /* Copy parms from caller */
+  4459          rc = -EFAULT;
+  4460          if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
+                                    ^^^^^^^
+The user can specify any "usrparm.psf_data_len".  They choose zero by
+mistake.
+
+  4461                  goto out;
+  4462          if (is_compat_task()) {
+  4463                  /* Make sure pointers are sane even on 31 bit. */
+  4464                  rc = -EINVAL;
+  4465                  if ((usrparm.psf_data >> 32) != 0)
+  4466                          goto out;
+  4467                  if ((usrparm.rssd_result >> 32) != 0)
+  4468                          goto out;
+  4469                  usrparm.psf_data &= 0x7fffffffULL;
+  4470                  usrparm.rssd_result &= 0x7fffffffULL;
+  4471          }
+  4472          /* alloc I/O data area */
+  4473          psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
+                                                        | GFP_DMA);
+  4474          rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
+                                                              | GFP_DMA);
+  4475          if (!psf_data || !rssd_result) {
+
+kzalloc() returns a ZERO_SIZE_PTR (0x16).
+
+  4476                  rc = -ENOMEM;
+  4477                  goto out_free;
+  4478          }
+  4479
+  4480          /* get syscall header from user space */
+  4481          rc = -EFAULT;
+  4482          if (copy_from_user(psf_data,
+  4483                             (void __user *)(unsigned long)
+                                                        usrparm.psf_data,
+  4484                             usrparm.psf_data_len))
+
+That all works great.
+
+  4485                  goto out_free;
+  4486          psf0 = psf_data[0];
+  4487          psf1 = psf_data[1];
+
+But now we're assuming that "->psf_data_len" was at least 2 bytes.
+
+Fix this by checking the user specified length psf_data_len.
+
+Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index ff1ab6da8cff..4bbcdf991c26 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -3990,6 +3990,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
+               usrparm.psf_data &= 0x7fffffffULL;
+               usrparm.rssd_result &= 0x7fffffffULL;
+       }
++      /* at least 2 bytes are accessed and should be allocated */
++      if (usrparm.psf_data_len < 2) {
++              DBF_DEV_EVENT(DBF_WARNING, device,
++                            "Symmetrix ioctl invalid data length %d",
++                            usrparm.psf_data_len);
++              rc = -EINVAL;
++              goto out;
++      }
+       /* alloc I/O data area */
+       psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
+       rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);
+-- 
+2.19.1
+
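Review bot: Only psf_data_len is validated in dasd_symm_io(); `usrparm.rssd_result_len` comes from the same user-copied structure and still goes unchecked into `kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA)` two lines below the new test. A zero length there yields ZERO_SIZE_PTR exactly as the commit message describes for psf_data, so the code after the hunk should be checked for accesses to rssd_result. If there are any, the guard should cover both fields, e.g. `if (usrparm.psf_data_len < 2 || usrparm.rssd_result_len < 1) {`, with the real minimum for the result buffer confirmed against that code. Neither length has an upper bound in the visible lines, so the allocation sizes remain caller-controlled. The function starts and ends outside the hunk.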
diff --git a/queue-3.18/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch b/queue-3.18/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
new file mode 100644 (file)
index 0000000..0b668ea
--- /dev/null
@@ -0,0 +1,110 @@
+From fc95563045e57d7b1717d34b38818a38efe7f16e Mon Sep 17 00:00:00 2001
+From: Anoob Soman <anoob.soman@citrix.com>
+Date: Wed, 13 Feb 2019 13:21:39 +0800
+Subject: scsi: libiscsi: Fix race between iscsi_xmit_task and
+ iscsi_complete_task
+
+[ Upstream commit 79edd00dc6a96644d76b4a1cb97d94d49e026768 ]
+
+When a target sends Check Condition, whilst initiator is busy xmiting
+re-queued data, could lead to race between iscsi_complete_task() and
+iscsi_xmit_task() and eventually crashing with the following kernel
+backtrace.
+
+[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+[3326150.987549] ALERT: IP: [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0
+[3326150.987582] WARN: Oops: 0002 [#1] SMP
+[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin
+[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1
+[3326150.987774] WARN: Hardware name: Dell Inc. PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016
+[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi]
+[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000
+[3326150.987810] WARN: RIP: e030:[<ffffffffa05ce70d>] [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246
+[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480
+[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20
+[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008
+[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000
+[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08
+[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000
+[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660
+[3326150.987918] WARN: Stack:
+[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18
+[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00
+[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400
+[3326150.987964] WARN: Call Trace:
+[3326150.987975] WARN: [<ffffffffa05cea90>] iscsi_xmitworker+0x2f0/0x360 [libiscsi]
+[3326150.987988] WARN: [<ffffffff8108862c>] process_one_work+0x1fc/0x3b0
+[3326150.987997] WARN: [<ffffffff81088f95>] worker_thread+0x2a5/0x470
+[3326150.988006] WARN: [<ffffffff8159cad8>] ? __schedule+0x648/0x870
+[3326150.988015] WARN: [<ffffffff81088cf0>] ? rescuer_thread+0x300/0x300
+[3326150.988023] WARN: [<ffffffff8108ddf5>] kthread+0xd5/0xe0
+[3326150.988031] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
+[3326150.988040] WARN: [<ffffffff815a0bcf>] ret_from_fork+0x3f/0x70
+[3326150.988048] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
+[3326150.988127] ALERT: RIP [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.988138] WARN: RSP <ffff8801f545bdb0>
+[3326150.988144] WARN: CR2: 0000000000000078
+[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]---
+
+Commit 6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix
+list corruption regression") introduced "taskqueuelock" to fix list
+corruption during the race, but this wasn't enough.
+
+Re-setting of conn->task to NULL, could race with iscsi_xmit_task().
+iscsi_complete_task()
+{
+    ....
+    if (conn->task == task)
+        conn->task = NULL;
+}
+
+conn->task in iscsi_xmit_task() could be NULL and so will be task.
+__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access
+refcount.
+
+iscsi_xmit_task()
+{
+    struct iscsi_task *task = conn->task;
+
+    __iscsi_get_task(task);
+}
+
+This commit will take extra conn->session->back_lock in iscsi_xmit_task()
+to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if
+iscsi_complete_task() wins the race.  If iscsi_xmit_task() wins the race,
+iscsi_xmit_task() increments task->refcount
+(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task().
+
+Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
+Signed-off-by: Bob Liu <bob.liu@oracle.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libiscsi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index 56441a5ec3d7..d9a061ac8e7f 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1448,7 +1448,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn)
+       if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx))
+               return -ENODATA;
++      spin_lock_bh(&conn->session->back_lock);
++      if (conn->task == NULL) {
++              spin_unlock_bh(&conn->session->back_lock);
++              return -ENODATA;
++      }
+       __iscsi_get_task(task);
++      spin_unlock_bh(&conn->session->back_lock);
+       spin_unlock_bh(&conn->session->frwd_lock);
+       rc = conn->session->tt->xmit_task(task);
+       spin_lock_bh(&conn->session->frwd_lock);
+-- 
+2.19.1
+
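Review bot: The added guard in iscsi_xmit_task() tests `conn->task` under back_lock, but the reference is then taken on the local `task`, which according to the commit message was loaded from `conn->task` at function entry, before back_lock was held. That is only safe if `conn->task` can at this point either still equal `task` or have been reset to NULL. The hunk does not show what guarantees this; presumably it is frwd_lock, which is still held here since it is released just below (the function starts and ends outside the hunk). I would make the dependency explicit by re-reading under the lock, i.e. `task = conn->task;` right after `spin_lock_bh(&conn->session->back_lock);` and then testing `if (!task)`. At minimum add a comment such as `/* iscsi_complete_task() may clear conn->task under back_lock; recheck before taking a reference */`.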
diff --git a/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch b/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch
new file mode 100644 (file)
index 0000000..1661865
--- /dev/null
@@ -0,0 +1,88 @@
+From 28fce9c67b5f32cd28e88d55a3c78bc02688cf00 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Fri, 15 Feb 2019 00:37:57 +0800
+Subject: scsi: libsas: Fix rphy phy_identifier for PHYs with end devices
+ attached
+
+[ Upstream commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f ]
+
+The sysfs phy_identifier attribute for a sas_end_device comes from the rphy
+phy_identifier value.
+
+Currently this is not being set for rphys with an end device attached, so
+we see incorrect symlinks from systemd disk/by-path:
+
+root@localhost:~# ls -l /dev/disk/by-path/
+total 0
+lrwxrwxrwx 1 root root  9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb
+lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1
+lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2
+lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3
+
+Indeed, each sas_end_device phy_identifier value is 0:
+
+root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier
+0
+root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier
+0
+
+This patch fixes the discovery code to set the phy_identifier.  With this,
+we now get proper symlinks:
+
+root@localhost:~# ls -l /dev/disk/by-path/
+total 0
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3
+lrwxrwxrwx 1 root root  9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Reported-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Jason Yan <yanaijie@huawei.com>
+Tested-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index e2630aea4e9f..22450abf0a03 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev(
+               rphy = sas_end_device_alloc(phy->port);
+               if (!rphy)
+                       goto out_free;
++              rphy->identify.phy_identifier = phy_id;
+               child->rphy = rphy;
+               get_device(&rphy->dev);
+@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev(
+               child->rphy = rphy;
+               get_device(&rphy->dev);
++              rphy->identify.phy_identifier = phy_id;
+               sas_fill_in_rphy(child, rphy);
+               list_add_tail(&child->disco_list_node, &parent->port->disco_list);
+-- 
+2.19.1
+
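Review bot: The two added `rphy->identify.phy_identifier = phy_id;` assignments in sas_ex_discover_end_dev() sit at different points of otherwise parallel branches: right after the allocation check in the first hunk, but after `get_device(&rphy->dev)` in the second. Placing both directly after the rphy allocation check would keep the branches symmetric and make it obvious that the identifier is set before the rphy is stored in `child->rphy`. The second branch's allocation is outside the hunk, so this is a suggestion on layout only.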
index 0ad69124522eccb15b41f8b9d467d1d1ead90f49..a946fe38512c72aaf96c37a0d705f75cb11f3424 100644 (file)
@@ -95,3 +95,19 @@ it-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape-twice.patch
 9p-net-fix-memory-leak-in-p9_client_create.patch
 asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch
 crypto-ahash-fix-another-early-termination-in-hash-walk.patch
+s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
+input-matrix_keypad-use-flush_delayed_work.patch
+team-avoid-complex-list-operations-in-team_nl_cmd_op.patch
+mm-gup-fix-gup_pmd_range-for-dax.patch
+i2c-cadence-fix-the-hold-bit-setting.patch
+input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
+assoc_array-fix-shortcut-creation.patch
+scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
+scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch
+net-systemport-fix-reception-of-bpdus.patch
+net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
+arm64-relax-gic-version-check-during-early-boot.patch
+net-marvell-mvneta-fix-dma-debug-warning.patch
+tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
+mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169
+net-set-static-variable-an-initial-value-in-atl2_pro.patch
diff --git a/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch b/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch
new file mode 100644 (file)
index 0000000..8128e23
--- /dev/null
@@ -0,0 +1,116 @@
+From c677ba18b2cc94ea2e13bf60709085582121d36c Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 11 Feb 2019 21:59:51 -0800
+Subject: team: avoid complex list operations in team_nl_cmd_options_set()
+
+[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ]
+
+The current opt_inst_list operations inside team_nl_cmd_options_set()
+is too complex to track:
+
+    LIST_HEAD(opt_inst_list);
+    nla_for_each_nested(...) {
+        list_for_each_entry(opt_inst, &team->option_inst_list, list) {
+            if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst))
+                continue;
+            list_add(&opt_inst->tmp_list, &opt_inst_list);
+        }
+    }
+    team_nl_send_event_options_get(team, &opt_inst_list);
+
+as while we retrieve 'opt_inst' from team->option_inst_list, it could
+be added to the local 'opt_inst_list' for multiple times. The
+__team_option_inst_tmp_find() doesn't work, as the setter
+team_mode_option_set() still calls team->ops.exit() which uses
+->tmp_list too in __team_options_change_check().
+
+Simplify the list operations by moving the 'opt_inst_list' and
+team_nl_send_event_options_get() into the nla_for_each_nested() loop so
+that it can be guranteed that we won't insert a same list entry for
+multiple times. Therefore, __team_option_inst_tmp_find() can be removed
+too.
+
+Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list")
+Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
+Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
+Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 27 +++++----------------------
+ 1 file changed, 5 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 3e0f7116380d..eb04b348edf3 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -253,17 +253,6 @@ static void __team_option_inst_mark_removed_port(struct team *team,
+       }
+ }
+-static bool __team_option_inst_tmp_find(const struct list_head *opts,
+-                                      const struct team_option_inst *needle)
+-{
+-      struct team_option_inst *opt_inst;
+-
+-      list_for_each_entry(opt_inst, opts, tmp_list)
+-              if (opt_inst == needle)
+-                      return true;
+-      return false;
+-}
+-
+ static int __team_options_register(struct team *team,
+                                  const struct team_option *option,
+                                  size_t option_count)
+@@ -2435,7 +2424,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+       int err = 0;
+       int i;
+       struct nlattr *nl_option;
+-      LIST_HEAD(opt_inst_list);
+       team = team_nl_team_get(info);
+       if (!team)
+@@ -2451,6 +2439,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+               struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1];
+               struct nlattr *attr;
+               struct nlattr *attr_data;
++              LIST_HEAD(opt_inst_list);
+               enum team_option_type opt_type;
+               int opt_port_ifindex = 0; /* != 0 for per-port options */
+               u32 opt_array_index = 0;
+@@ -2554,23 +2543,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+                       if (err)
+                               goto team_put;
+                       opt_inst->changed = true;
+-
+-                      /* dumb/evil user-space can send us duplicate opt,
+-                       * keep only the last one
+-                       */
+-                      if (__team_option_inst_tmp_find(&opt_inst_list,
+-                                                      opt_inst))
+-                              continue;
+-
+                       list_add(&opt_inst->tmp_list, &opt_inst_list);
+               }
+               if (!opt_found) {
+                       err = -ENOENT;
+                       goto team_put;
+               }
+-      }
+-      err = team_nl_send_event_options_get(team, &opt_inst_list);
++              err = team_nl_send_event_options_get(team, &opt_inst_list);
++              if (err)
++                      break;
++      }
+ team_put:
+       team_nl_team_put(team);
+-- 
+2.19.1
+
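Review bot: Nothing in the new code records why `LIST_HEAD(opt_inst_list)` now lives inside the nla_for_each_nested() body of team_nl_cmd_options_set(), and the removed comment about duplicate options was the only hint that this list is built from untrusted netlink input. The commit message gives the reason (tmp_list is also used by __team_options_change_check(), so an entry must not be carried from one attribute to the next); I would keep that next to the declaration, e.g. `/* per-attribute list: user space may repeat an option, and tmp_list must not be linked twice */`. With the send moved into the loop, a failure on a later attribute (for example the `-ENOENT` path) leaves earlier options applied and already announced; if that is intended, a comment should say so. The function body starts and ends outside the hunks shown.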
diff --git a/queue-3.18/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch b/queue-3.18/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
new file mode 100644 (file)
index 0000000..f39713e
--- /dev/null
@@ -0,0 +1,62 @@
+From dff76959d55c9506ec3af81719f497b104098c63 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 21 Feb 2019 08:48:09 -0800
+Subject: tmpfs: fix link accounting when a tmpfile is linked in
+
+[ Upstream commit 1062af920c07f5b54cf5060fde3339da6df0cf6b ]
+
+tmpfs has a peculiarity of accounting hard links as if they were
+separate inodes: so that when the number of inodes is limited, as it is
+by default, a user cannot soak up an unlimited amount of unreclaimable
+dcache memory just by repeatedly linking a file.
+
+But when v3.11 added O_TMPFILE, and the ability to use linkat() on the
+fd, we missed accommodating this new case in tmpfs: "df -i" shows that
+an extra "inode" remains accounted after the file is unlinked and the fd
+closed and the actual inode evicted.  If a user repeatedly links
+tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they
+are deleted.
+
+Just skip the extra reservation from shmem_link() in this case: there's
+a sense in which this first link of a tmpfile is then cheaper than a
+hard link of another file, but the accounting works out, and there's
+still good limiting, so no need to do anything more complicated.
+
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils
+Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Reported-by: Matej Kupljen <matej.kupljen@gmail.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/shmem.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 64c33e3dbe69..b40b13c94e03 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2286,10 +2286,14 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr
+        * No ordinary (disk based) filesystem counts links as inodes;
+        * but each new link needs a new dentry, pinning lowmem, and
+        * tmpfs dentries cannot be pruned until they are unlinked.
++       * But if an O_TMPFILE file is linked into the tmpfs, the
++       * first link must skip that, to get the accounting right.
+        */
+-      ret = shmem_reserve_inode(inode->i_sb);
+-      if (ret)
+-              goto out;
++      if (inode->i_nlink) {
++              ret = shmem_reserve_inode(inode->i_sb);
++              if (ret)
++                      goto out;
++      }
+       dir->i_size += BOGO_DIRENT_SIZE;
+       inode->i_ctime = dir->i_ctime = dir->i_mtime = CURRENT_TIME;
+-- 
+2.19.1
+