--- /dev/null
+From 23ef2a8aea13486004622afb1fdfd0ec8fe24d30 Mon Sep 17 00:00:00 2001
+From: Ricard Wanderlof <ricard.wanderlof@axis.com>
+Date: Wed, 24 Jul 2019 11:38:44 +0200
+Subject: ASoC: Fail card instantiation if DAI format setup fails
+
+[ Upstream commit 40aa5383e393d72f6aa3943a4e7b1aae25a1e43b ]
+
+If the DAI format setup fails, there is no valid communication format
+between CPU and CODEC, so fail card instantiation, rather than continue
+with a card that will most likely not function properly.
+
+Signed-off-by: Ricard Wanderlof <ricardw@axis.com>
+Link: https://lore.kernel.org/r/alpine.DEB.2.20.1907241132350.6338@lnxricardw1.se.axis.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index b927f9c81d922..8d10a24d38e06 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -1357,8 +1357,11 @@ static int soc_probe_link_dais(struct snd_soc_card *card, int num, int order)
+ }
+ }
+
+- if (dai_link->dai_fmt)
+- snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt);
++ if (dai_link->dai_fmt) {
++ ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt);
++ if (ret)
++ return ret;
++ }
+
+ ret = soc_post_component_init(rtd, dai_link->name);
+ if (ret)
+--
+2.20.1
+
--- /dev/null
+From 804cca6edfb77e32352f60bca511a88507c3abdd Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Fri, 26 Jul 2019 09:42:43 +0300
+Subject: ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
+
+[ Upstream commit 1e112c35e3c96db7c8ca6ddaa96574f00c06e7db ]
+
+The slot_width is a property for the bus while the constraint for
+SNDRV_PCM_HW_PARAM_SAMPLE_BITS is for the in memory format.
+
+Applying slot_width constraint to sample_bits works most of the time, but
+it will blacklist valid formats in some cases.
+
+With slot_width 24 we can support S24_3LE and S24_LE formats as they both
+look the same on the bus, but a a 24 constraint on sample_bits would not
+allow S24_LE as it is stored in 32bits in memory.
+
+Implement a simple hw_rule function to allow all formats which require less
+or equal number of bits on the bus as slot_width (if configured).
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Link: https://lore.kernel.org/r/20190726064244.3762-2-peter.ujfalusi@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/davinci/davinci-mcasp.c | 43 ++++++++++++++++++++++++-------
+ 1 file changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c
+index 512ec25c9ead1..2f7be6cee98e9 100644
+--- a/sound/soc/davinci/davinci-mcasp.c
++++ b/sound/soc/davinci/davinci-mcasp.c
+@@ -1128,6 +1128,28 @@ static int davinci_mcasp_trigger(struct snd_pcm_substream *substream,
+ return ret;
+ }
+
++static int davinci_mcasp_hw_rule_slot_width(struct snd_pcm_hw_params *params,
++ struct snd_pcm_hw_rule *rule)
++{
++ struct davinci_mcasp_ruledata *rd = rule->private;
++ struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
++ struct snd_mask nfmt;
++ int i, slot_width;
++
++ snd_mask_none(&nfmt);
++ slot_width = rd->mcasp->slot_width;
++
++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
++ if (snd_mask_test(fmt, i)) {
++ if (snd_pcm_format_width(i) <= slot_width) {
++ snd_mask_set(&nfmt, i);
++ }
++ }
++ }
++
++ return snd_mask_refine(fmt, &nfmt);
++}
++
+ static const unsigned int davinci_mcasp_dai_rates[] = {
+ 8000, 11025, 16000, 22050, 32000, 44100, 48000, 64000,
+ 88200, 96000, 176400, 192000,
+@@ -1219,7 +1241,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
+ struct davinci_mcasp_ruledata *ruledata =
+ &mcasp->ruledata[substream->stream];
+ u32 max_channels = 0;
+- int i, dir;
++ int i, dir, ret;
+ int tdm_slots = mcasp->tdm_slots;
+
+ if (mcasp->tdm_mask[substream->stream])
+@@ -1244,6 +1266,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
+ max_channels++;
+ }
+ ruledata->serializers = max_channels;
++ ruledata->mcasp = mcasp;
+ max_channels *= tdm_slots;
+ /*
+ * If the already active stream has less channels than the calculated
+@@ -1269,20 +1292,22 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
+ 0, SNDRV_PCM_HW_PARAM_CHANNELS,
+ &mcasp->chconstr[substream->stream]);
+
+- if (mcasp->slot_width)
+- snd_pcm_hw_constraint_minmax(substream->runtime,
+- SNDRV_PCM_HW_PARAM_SAMPLE_BITS,
+- 8, mcasp->slot_width);
++ if (mcasp->slot_width) {
++ /* Only allow formats require <= slot_width bits on the bus */
++ ret = snd_pcm_hw_rule_add(substream->runtime, 0,
++ SNDRV_PCM_HW_PARAM_FORMAT,
++ davinci_mcasp_hw_rule_slot_width,
++ ruledata,
++ SNDRV_PCM_HW_PARAM_FORMAT, -1);
++ if (ret)
++ return ret;
++ }
+
+ /*
+ * If we rely on implicit BCLK divider setting we should
+ * set constraints based on what we can provide.
+ */
+ if (mcasp->bclk_master && mcasp->bclk_div == 0 && mcasp->sysclk_freq) {
+- int ret;
+-
+- ruledata->mcasp = mcasp;
+-
+ ret = snd_pcm_hw_rule_add(substream->runtime, 0,
+ SNDRV_PCM_HW_PARAM_RATE,
+ davinci_mcasp_hw_rule_rate,
+--
+2.20.1
+
--- /dev/null
+From 9ba6950ef93de9eac70083d38dc958d01e2b1301 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Tue, 16 Jul 2019 17:25:10 -0500
+Subject: bonding: Force slave speed check after link state recovery for
+ 802.3ad
+
+[ Upstream commit 12185dfe44360f814ac4ead9d22ad2af7511b2e9 ]
+
+The following scenario was encountered during testing of logical
+partition mobility on pseries partitions with bonded ibmvnic
+adapters in LACP mode.
+
+1. Driver receives a signal that the device has been
+ swapped, and it needs to reset to initialize the new
+ device.
+
+2. Driver reports loss of carrier and begins initialization.
+
+3. Bonding driver receives NETDEV_CHANGE notifier and checks
+ the slave's current speed and duplex settings. Because these
+ are unknown at the time, the bond sets its link state to
+ BOND_LINK_FAIL and handles the speed update, clearing
+ AD_PORT_LACP_ENABLE.
+
+4. Driver finishes recovery and reports that the carrier is on.
+
+5. Bond receives a new notification and checks the speed again.
+ The speeds are valid but miimon has not altered the link
+ state yet. AD_PORT_LACP_ENABLE remains off.
+
+Because the slave's link state is still BOND_LINK_FAIL,
+no further port checks are made when it recovers. Though
+the slave devices are operational and have valid speed
+and duplex settings, the bond will not send LACPDU's. The
+simplest fix I can see is to force another speed check
+in bond_miimon_commit. This way the bond will update
+AD_PORT_LACP_ENABLE if needed when transitioning from
+BOND_LINK_FAIL to BOND_LINK_UP.
+
+CC: Jarod Wilson <jarod@redhat.com>
+CC: Jay Vosburgh <j.vosburgh@gmail.com>
+CC: Veaceslav Falico <vfalico@gmail.com>
+CC: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 168f2331194ff..fd6aff9f0052e 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2081,6 +2081,15 @@ static void bond_miimon_commit(struct bonding *bond)
+ bond_for_each_slave(bond, slave, iter) {
+ switch (slave->new_link) {
+ case BOND_LINK_NOCHANGE:
++ /* For 802.3ad mode, check current slave speed and
++ * duplex again in case its port was disabled after
++ * invalid speed/duplex reporting but recovered before
++ * link monitoring could make a decision on the actual
++ * link status
++ */
++ if (BOND_MODE(bond) == BOND_MODE_8023AD &&
++ slave->link == BOND_LINK_UP)
++ bond_3ad_adapter_speed_duplex_changed(slave);
+ continue;
+
+ case BOND_LINK_UP:
+--
+2.20.1
+
--- /dev/null
+From 580b3e34f67abb3ef9d23171005238110d170888 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Mon, 24 Jun 2019 08:34:13 +0000
+Subject: can: dev: call netif_carrier_off() in register_candev()
+
+[ Upstream commit c63845609c4700488e5eacd6ab4d06d5d420e5ef ]
+
+CONFIG_CAN_LEDS is deprecated. When trying to use the generic netdev
+trigger as suggested, there's a small inconsistency with the link
+property: The LED is on initially, stays on when the device is brought
+up, and then turns off (as expected) when the device is brought down.
+
+Make sure the LED always reflects the state of the CAN device.
+
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 8b7c6425b681d..9dd968ee792e0 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -1065,6 +1065,8 @@ static struct rtnl_link_ops can_link_ops __read_mostly = {
+ int register_candev(struct net_device *dev)
+ {
+ dev->rtnl_link_ops = &can_link_ops;
++ netif_carrier_off(dev);
++
+ return register_netdev(dev);
+ }
+ EXPORT_SYMBOL_GPL(register_candev);
+--
+2.20.1
+
--- /dev/null
+From 1fbcf172ef67f5072d07263db0aa84e116fbf664 Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:25:59 +0800
+Subject: can: peak_usb: force the string buffer NULL-terminated
+
+[ Upstream commit e787f19373b8a5fa24087800ed78314fd17b984a ]
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string is
+passed to dev_info() which relies on the NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index e13bc27b42911..b1d68f49b3989 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -881,7 +881,7 @@ static void peak_usb_disconnect(struct usb_interface *intf)
+
+ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+
+--
+2.20.1
+
--- /dev/null
+From 7eedbbb858422aa1d1a5bb703cf247ce1650bcaa Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:31:14 +0800
+Subject: can: sja1000: force the string buffer NULL-terminated
+
+[ Upstream commit cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c ]
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string
+'name' is passed to dev_info which relies on NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c
+index dd56133cc4616..fc9f8b01ecae2 100644
+--- a/drivers/net/can/sja1000/peak_pcmcia.c
++++ b/drivers/net/can/sja1000/peak_pcmcia.c
+@@ -487,7 +487,7 @@ static void pcan_free_channels(struct pcan_pccard *card)
+ if (!netdev)
+ continue;
+
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_sja1000dev(netdev);
+
+--
+2.20.1
+
--- /dev/null
+From c87f760b5fef54f493d26660b3d9523c5f788187 Mon Sep 17 00:00:00 2001
+From: Ilya Trukhanov <lahvuun@gmail.com>
+Date: Tue, 2 Jul 2019 13:37:16 +0300
+Subject: HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
+
+[ Upstream commit 65f11c72780fa9d598df88def045ccb6a885cf80 ]
+
+Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force
+gamepad. Compared to other Thrustmaster devices, left and right rumble
+motors here are swapped.
+
+Signed-off-by: Ilya Trukhanov <lahvuun@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-tmff.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c
+index b83376077d722..cfa0cb22c9b3c 100644
+--- a/drivers/hid/hid-tmff.c
++++ b/drivers/hid/hid-tmff.c
+@@ -34,6 +34,8 @@
+
+ #include "hid-ids.h"
+
++#define THRUSTMASTER_DEVICE_ID_2_IN_1_DT 0xb320
++
+ static const signed short ff_rumble[] = {
+ FF_RUMBLE,
+ -1
+@@ -88,6 +90,7 @@ static int tmff_play(struct input_dev *dev, void *data,
+ struct hid_field *ff_field = tmff->ff_field;
+ int x, y;
+ int left, right; /* Rumbling */
++ int motor_swap;
+
+ switch (effect->type) {
+ case FF_CONSTANT:
+@@ -112,6 +115,13 @@ static int tmff_play(struct input_dev *dev, void *data,
+ ff_field->logical_minimum,
+ ff_field->logical_maximum);
+
++ /* 2-in-1 strong motor is left */
++ if (hid->product == THRUSTMASTER_DEVICE_ID_2_IN_1_DT) {
++ motor_swap = left;
++ left = right;
++ right = motor_swap;
++ }
++
+ dbg_hid("(left,right)=(%08x, %08x)\n", left, right);
+ ff_field->value[0] = left;
+ ff_field->value[1] = right;
+@@ -238,6 +248,8 @@ static const struct hid_device_id tm_devices[] = {
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304), /* FireStorm Dual Power 2 (and 3) */
+ .driver_data = (unsigned long)ff_rumble },
++ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, THRUSTMASTER_DEVICE_ID_2_IN_1_DT), /* Dual Trigger 2-in-1 */
++ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb323), /* Dual Trigger 3-in-1 (PC Mode) */
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb324), /* Dual Trigger 3-in-1 (PS3 Mode) */
+--
+2.20.1
+
--- /dev/null
+From df6128f7338d3d2376981b6d613b71a9f1fa754a Mon Sep 17 00:00:00 2001
+From: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Date: Wed, 31 Jul 2019 15:17:23 +0200
+Subject: isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on
+ the stack
+
+[ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ]
+
+Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers.
+
+During usb probe the driver crashes with "transfer buffer is on stack" message.
+
+This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro
+that calls "usb_control_msg" under the hood.
+
+Kernel 4.19 backtrace:
+
+usb_hcd_submit_urb+0x3e5/0x900
+? sched_clock+0x9/0x10
+? log_store+0x203/0x270
+? get_random_u32+0x6f/0x90
+? cache_alloc_refill+0x784/0x8a0
+usb_submit_urb+0x3b4/0x550
+usb_start_wait_urb+0x4e/0xd0
+usb_control_msg+0xb8/0x120
+hfcsusb_probe+0x6bc/0xb40 [hfcsusb]
+usb_probe_interface+0xc2/0x260
+really_probe+0x176/0x280
+driver_probe_device+0x49/0x130
+__driver_attach+0xa9/0xb0
+? driver_probe_device+0x130/0x130
+bus_for_each_dev+0x5a/0x90
+driver_attach+0x14/0x20
+? driver_probe_device+0x130/0x130
+bus_add_driver+0x157/0x1e0
+driver_register+0x51/0xe0
+usb_register_driver+0x5d/0x120
+? 0xf81ed000
+hfcsusb_drv_init+0x17/0x1000 [hfcsusb]
+do_one_initcall+0x44/0x190
+? free_unref_page_commit+0x6a/0xd0
+do_init_module+0x46/0x1c0
+load_module+0x1dc1/0x2400
+sys_init_module+0xed/0x120
+do_fast_syscall_32+0x7a/0x200
+entry_SYSENTER_32+0x6b/0xbe
+
+Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index 6f19530ba2a93..726fba452f5f6 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1701,13 +1701,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel)
+ static int
+ setup_hfcsusb(struct hfcsusb *hw)
+ {
++ void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL);
+ u_char b;
++ int ret;
+
+ if (debug & DBG_HFC_CALL_TRACE)
+ printk(KERN_DEBUG "%s: %s\n", hw->name, __func__);
+
++ if (!dmabuf)
++ return -ENOMEM;
++
++ ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
++
++ memcpy(&b, dmabuf, sizeof(u_char));
++ kfree(dmabuf);
++
+ /* check the chip id */
+- if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) {
++ if (ret != 1) {
+ printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
+ hw->name, __func__);
+ return 1;
+--
+2.20.1
+
--- /dev/null
+From d2ae9d48dbc203bef57bd4a76a4be73784a94983 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Fri, 26 Jul 2019 16:27:36 +0800
+Subject: isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
+ start_isoc_chain()
+
+[ Upstream commit a0d57a552b836206ad7705a1060e6e1ce5a38203 ]
+
+In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail
+and return NULL. At this time, fifo->iso[i].urb is assigned to NULL.
+
+Then, fifo->iso[i].urb is used at some places, such as:
+LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...)
+ urb->number_of_packets = num_packets;
+ urb->transfer_flags = URB_ISO_ASAP;
+ urb->actual_length = 0;
+ urb->interval = interval;
+LINE 1416: fifo->iso[i].urb->...
+LINE 1419: fifo->iso[i].urb->...
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb
+when it is NULL.
+
+These bugs are found by a static analysis tool STCheck written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index c60c7998af173..6f19530ba2a93 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1402,6 +1402,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb,
+ printk(KERN_DEBUG
+ "%s: %s: alloc urb for fifo %i failed",
+ hw->name, __func__, fifo->fifonum);
++ continue;
+ }
+ fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo;
+ fifo->iso[i].indx = i;
+--
+2.20.1
+
--- /dev/null
+From 829a98e5b786f3237d5a3b139cea7cbe0867452b Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 7 Aug 2019 12:23:57 -0600
+Subject: libata: add SG safety checks in SFF pio transfers
+
+[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ]
+
+Abort processing of a command if we run out of mapped data in the
+SG list. This should never happen, but a previous bug caused it to
+be possible. Play it safe and attempt to abort nicely if we don't
+have more SG segments left.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
+index 18de4c4570682..1d8901fc0bfa9 100644
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -703,6 +703,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+ unsigned int offset;
+ unsigned char *buf;
+
++ if (!qc->cursg) {
++ qc->curbytes = qc->nbytes;
++ return;
++ }
+ if (qc->curbytes == qc->nbytes - qc->sect_size)
+ ap->hsm_task_state = HSM_ST_LAST;
+
+@@ -742,6 +746,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
++ if (!qc->cursg)
++ ap->hsm_task_state = HSM_ST_LAST;
+ qc->cursg_ofs = 0;
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From cb1407f6783cd633a2800f39df903a463fd52449 Mon Sep 17 00:00:00 2001
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Date: Mon, 13 May 2019 13:47:25 +0200
+Subject: MIPS: kernel: only use i8253 clocksource with periodic clockevent
+
+[ Upstream commit a07e3324538a989b7cdbf2c679be6a7f9df2544f ]
+
+i8253 clocksource needs a free running timer. This could only
+be used, if i8253 clockevent is set up as periodic.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/i8253.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/kernel/i8253.c b/arch/mips/kernel/i8253.c
+index c5bc344fc745c..73039746ae364 100644
+--- a/arch/mips/kernel/i8253.c
++++ b/arch/mips/kernel/i8253.c
+@@ -31,7 +31,8 @@ void __init setup_pit_timer(void)
+
+ static int __init init_pit_clocksource(void)
+ {
+- if (num_possible_cpus() > 1) /* PIT does not scale! */
++ if (num_possible_cpus() > 1 || /* PIT does not scale! */
++ !clockevent_state_periodic(&i8253_clockevent))
+ return 0;
+
+ return clocksource_i8253_init();
+--
+2.20.1
+
--- /dev/null
+From 9c369ecceecd8e6cdbf4130d403d9845de930203 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 6 Aug 2019 10:55:12 +0200
+Subject: net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
+
+[ Upstream commit debea2cd3193ac868289e8893c3a719c265b0612 ]
+
+A call to 'kfree_skb()' is missing in the error handling path of
+'init_one()'.
+This is already present in 'remove_one()' but is missing here.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index 3dd4c39640dc4..bee615cddbdd8 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -3260,7 +3260,7 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (!adapter->regs) {
+ dev_err(&pdev->dev, "cannot map device registers\n");
+ err = -ENOMEM;
+- goto out_free_adapter;
++ goto out_free_adapter_nofail;
+ }
+
+ adapter->pdev = pdev;
+@@ -3378,6 +3378,9 @@ out_free_dev:
+ if (adapter->port[i])
+ free_netdev(adapter->port[i]);
+
++out_free_adapter_nofail:
++ kfree_skb(adapter->nofail_skb);
++
+ out_free_adapter:
+ kfree(adapter);
+
+--
+2.20.1
+
--- /dev/null
+From ef97219a430113adcc4ebb773cf1bb4e83460e69 Mon Sep 17 00:00:00 2001
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Sat, 3 Aug 2019 20:31:41 +0800
+Subject: net: hisilicon: Fix dma_map_single failed on arm64
+
+[ Upstream commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3 ]
+
+On the arm64 platform, executing "ifconfig eth0 up" will fail,
+returning "ifconfig: SIOCSIFFLAGS: Input/output error."
+
+ndev->dev is not initialized, dma_map_single->get_dma_ops->
+dummy_dma_ops->__dummy_map_page will return DMA_ERROR_CODE
+directly, so when we use dma_map_single, the first parameter
+is to use the device of platform_device.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index a88d233df4e82..def831c89d354 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -157,6 +157,7 @@ struct hip04_priv {
+ unsigned int reg_inten;
+
+ struct napi_struct napi;
++ struct device *dev;
+ struct net_device *ndev;
+
+ struct tx_desc *tx_desc;
+@@ -387,7 +388,7 @@ static int hip04_tx_reclaim(struct net_device *ndev, bool force)
+ }
+
+ if (priv->tx_phys[tx_tail]) {
+- dma_unmap_single(&ndev->dev, priv->tx_phys[tx_tail],
++ dma_unmap_single(priv->dev, priv->tx_phys[tx_tail],
+ priv->tx_skb[tx_tail]->len,
+ DMA_TO_DEVICE);
+ priv->tx_phys[tx_tail] = 0;
+@@ -437,8 +438,8 @@ static int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ return NETDEV_TX_BUSY;
+ }
+
+- phys = dma_map_single(&ndev->dev, skb->data, skb->len, DMA_TO_DEVICE);
+- if (dma_mapping_error(&ndev->dev, phys)) {
++ phys = dma_map_single(priv->dev, skb->data, skb->len, DMA_TO_DEVICE);
++ if (dma_mapping_error(priv->dev, phys)) {
+ dev_kfree_skb(skb);
+ return NETDEV_TX_OK;
+ }
+@@ -506,7 +507,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
+ if (unlikely(!skb))
+ net_dbg_ratelimited("build_skb failed\n");
+
+- dma_unmap_single(&ndev->dev, priv->rx_phys[priv->rx_head],
++ dma_unmap_single(priv->dev, priv->rx_phys[priv->rx_head],
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+ priv->rx_phys[priv->rx_head] = 0;
+
+@@ -534,9 +535,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
+ buf = netdev_alloc_frag(priv->rx_buf_size);
+ if (!buf)
+ goto done;
+- phys = dma_map_single(&ndev->dev, buf,
++ phys = dma_map_single(priv->dev, buf,
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+- if (dma_mapping_error(&ndev->dev, phys))
++ if (dma_mapping_error(priv->dev, phys))
+ goto done;
+ priv->rx_buf[priv->rx_head] = buf;
+ priv->rx_phys[priv->rx_head] = phys;
+@@ -639,9 +640,9 @@ static int hip04_mac_open(struct net_device *ndev)
+ for (i = 0; i < RX_DESC_NUM; i++) {
+ dma_addr_t phys;
+
+- phys = dma_map_single(&ndev->dev, priv->rx_buf[i],
++ phys = dma_map_single(priv->dev, priv->rx_buf[i],
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+- if (dma_mapping_error(&ndev->dev, phys))
++ if (dma_mapping_error(priv->dev, phys))
+ return -EIO;
+
+ priv->rx_phys[i] = phys;
+@@ -675,7 +676,7 @@ static int hip04_mac_stop(struct net_device *ndev)
+
+ for (i = 0; i < RX_DESC_NUM; i++) {
+ if (priv->rx_phys[i]) {
+- dma_unmap_single(&ndev->dev, priv->rx_phys[i],
++ dma_unmap_single(priv->dev, priv->rx_phys[i],
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+ priv->rx_phys[i] = 0;
+ }
+@@ -826,6 +827,7 @@ static int hip04_mac_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ priv = netdev_priv(ndev);
++ priv->dev = d;
+ priv->ndev = ndev;
+ platform_set_drvdata(pdev, ndev);
+
+--
+2.20.1
+
--- /dev/null
+From f39445fc843dc85baeb6ad869588f8e831acbb9e Mon Sep 17 00:00:00 2001
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Sat, 3 Aug 2019 20:31:40 +0800
+Subject: net: hisilicon: fix hip04-xmit never return TX_BUSY
+
+[ Upstream commit f2243b82785942be519016067ee6c55a063bbfe2 ]
+
+TX_DESC_NUM is 256, in tx_count, the maximum value of
+mod(TX_DESC_NUM - 1) is 254, the variable "count" in
+the hip04_mac_start_xmit function is never equal to
+(TX_DESC_NUM - 1), so hip04_mac_start_xmit never
+return NETDEV_TX_BUSY.
+
+tx_count is modified to mod(TX_DESC_NUM) so that
+the maximum value of tx_count can reach
+(TX_DESC_NUM - 1), then hip04_mac_start_xmit can reurn
+NETDEV_TX_BUSY.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index fdf8a477bec9c..a88d233df4e82 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -185,7 +185,7 @@ struct hip04_priv {
+
+ static inline unsigned int tx_count(unsigned int head, unsigned int tail)
+ {
+- return (head - tail) % (TX_DESC_NUM - 1);
++ return (head - tail) % TX_DESC_NUM;
+ }
+
+ static void hip04_config_port(struct net_device *ndev, u32 speed, u32 duplex)
+--
+2.20.1
+
--- /dev/null
+From fa7d8b3cc90f08175caa62e077a44b800b06bab6 Mon Sep 17 00:00:00 2001
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Sat, 3 Aug 2019 20:31:39 +0800
+Subject: net: hisilicon: make hip04_tx_reclaim non-reentrant
+
+[ Upstream commit 1a2c070ae805910a853b4a14818481ed2e17c727 ]
+
+If hip04_tx_reclaim is interrupted while it is running
+and then __napi_schedule continues to execute
+hip04_rx_poll->hip04_tx_reclaim, reentrancy occurs
+and oops is generated. So you need to mask the interrupt
+during the hip04_tx_reclaim run.
+
+The kernel oops exception stack is as follows:
+
+Unable to handle kernel NULL pointer dereference
+at virtual address 00000050
+pgd = c0003000
+[00000050] *pgd=80000000a04003, *pmd=00000000
+Internal error: Oops: 206 [#1] SMP ARM
+Modules linked in: hip04_eth mtdblock mtd_blkdevs mtd
+ohci_platform ehci_platform ohci_hcd ehci_hcd
+vfat fat sd_mod usb_storage scsi_mod usbcore usb_common
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.4.185 #1
+Hardware name: Hisilicon A15
+task: c0a250e0 task.stack: c0a00000
+PC is at hip04_tx_reclaim+0xe0/0x17c [hip04_eth]
+LR is at hip04_tx_reclaim+0x30/0x17c [hip04_eth]
+pc : [<bf30c3a4>] lr : [<bf30c2f4>] psr: 600e0313
+sp : c0a01d88 ip : 00000000 fp : c0601f9c
+r10: 00000000 r9 : c3482380 r8 : 00000001
+r7 : 00000000 r6 : 000000e1 r5 : c3482000 r4 : 0000000c
+r3 : f2209800 r2 : 00000000 r1 : 00000000 r0 : 00000000
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 32c5387d Table: 03d28c80 DAC: 55555555
+Process swapper/0 (pid: 0, stack limit = 0xc0a00190)
+Stack: (0xc0a01d88 to 0xc0a02000)
+[<bf30c3a4>] (hip04_tx_reclaim [hip04_eth]) from [<bf30d2e0>]
+ (hip04_rx_poll+0x88/0x368 [hip04_eth])
+[<bf30d2e0>] (hip04_rx_poll [hip04_eth]) from [<c04c2d9c>] (net_rx_action+0x114/0x34c)
+[<c04c2d9c>] (net_rx_action) from [<c021eed8>] (__do_softirq+0x218/0x318)
+[<c021eed8>] (__do_softirq) from [<c021f284>] (irq_exit+0x88/0xac)
+[<c021f284>] (irq_exit) from [<c0240090>] (msa_irq_exit+0x11c/0x1d4)
+[<c0240090>] (msa_irq_exit) from [<c02677e0>] (__handle_domain_irq+0x110/0x148)
+[<c02677e0>] (__handle_domain_irq) from [<c0201588>] (gic_handle_irq+0xd4/0x118)
+[<c0201588>] (gic_handle_irq) from [<c0551700>] (__irq_svc+0x40/0x58)
+Exception stack(0xc0a01f30 to 0xc0a01f78)
+1f20: c0ae8b40 00000000 00000000 00000000
+1f40: 00000002 ffffe000 c0601f9c 00000000 ffffffff c0a2257c c0a22440 c0831a38
+1f60: c0a01ec4 c0a01f80 c0203714 c0203718 600e0213 ffffffff
+[<c0551700>] (__irq_svc) from [<c0203718>] (arch_cpu_idle+0x20/0x3c)
+[<c0203718>] (arch_cpu_idle) from [<c025bfd8>] (cpu_startup_entry+0x244/0x29c)
+[<c025bfd8>] (cpu_startup_entry) from [<c054b0d8>] (rest_init+0xc8/0x10c)
+[<c054b0d8>] (rest_init) from [<c0800c58>] (start_kernel+0x468/0x514)
+Code: a40599e5 016086e2 018088e2 7660efe6 (503090e5)
+---[ end trace 1db21d6d09c49d74 ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+CPU3: stopping
+CPU: 3 PID: 0 Comm: swapper/3 Tainted: G D O 4.4.185 #1
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 60c727b0b7ab2..fdf8a477bec9c 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -497,6 +497,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
+ u16 len;
+ u32 err;
+
++ /* clean up tx descriptors */
++ tx_remaining = hip04_tx_reclaim(ndev, false);
++
+ while (cnt && !last) {
+ buf = priv->rx_buf[priv->rx_head];
+ skb = build_skb(buf, priv->rx_buf_size);
+@@ -554,8 +557,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
+ }
+ napi_complete(napi);
+ done:
+- /* clean up tx descriptors and start a new timer if necessary */
+- tx_remaining = hip04_tx_reclaim(ndev, false);
++ /* start a new timer if necessary */
+ if (rx < budget && tx_remaining)
+ hip04_start_tx_timer(priv);
+
+--
+2.20.1
+
--- /dev/null
+From 23ca3f9c54ca20ca33ba814a51c2f694826beed5 Mon Sep 17 00:00:00 2001
+From: Bob Ham <bob.ham@puri.sm>
+Date: Wed, 24 Jul 2019 07:52:27 -0700
+Subject: net: usb: qmi_wwan: Add the BroadMobi BM818 card
+
+[ Upstream commit 9a07406b00cdc6ec689dc142540739575c717f3c ]
+
+The BroadMobi BM818 M.2 card uses the QMI protocol
+
+Signed-off-by: Bob Ham <bob.ham@puri.sm>
+Signed-off-by: Angus Ainslie (Purism) <angus@akkea.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index ee6fefe92af43..4391430e25273 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -719,6 +719,7 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */
+ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */
+ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
++ {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
+--
+2.20.1
+
--- /dev/null
+From 417895132af51bfff398efa0fc8c57ca9d4e7e30 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Sat, 20 Jul 2019 07:22:45 -0500
+Subject: netfilter: ebtables: fix a memory leak bug in compat
+
+[ Upstream commit 15a78ba1844a8e052c1226f930133de4cef4e7ad ]
+
+In compat_do_replace(), a temporary buffer is allocated through vmalloc()
+to hold entries copied from the user space. The buffer address is firstly
+saved to 'newinfo->entries', and later on assigned to 'entries_tmp'. Then
+the entries in this temporary buffer is copied to the internal kernel
+structure through compat_copy_entries(). If this copy process fails,
+compat_do_replace() should be terminated. However, the allocated temporary
+buffer is not freed on this path, leading to a memory leak.
+
+To fix the bug, free the buffer before returning from compat_do_replace().
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/ebtables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 1a87cf78fadc4..d9471e3ef2161 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2280,8 +2280,10 @@ static int compat_do_replace(struct net *net, void __user *user,
+ state.buf_kern_len = size64;
+
+ ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
+- if (WARN_ON(ret < 0))
++ if (WARN_ON(ret < 0)) {
++ vfree(entries_tmp);
+ goto out_unlock;
++ }
+
+ vfree(entries_tmp);
+ tmp.entries_size = size64;
+--
+2.20.1
+
--- /dev/null
+From 8f95fbe76d60896375584e482eda7c044252d653 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 3 Aug 2019 10:11:27 -0400
+Subject: NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
+
+[ Upstream commit c77e22834ae9a11891cb613bd9a551be1b94f2bc ]
+
+John Hubbard reports seeing the following stack trace:
+
+nfs4_do_reclaim
+ rcu_read_lock /* we are now in_atomic() and must not sleep */
+ nfs4_purge_state_owners
+ nfs4_free_state_owner
+ nfs4_destroy_seqid_counter
+ rpc_destroy_wait_queue
+ cancel_delayed_work_sync
+ __cancel_work_timer
+ __flush_work
+ start_flush_work
+ might_sleep:
+ (kernel/workqueue.c:2975: BUG)
+
+The solution is to separate out the freeing of the state owners
+from nfs4_purge_state_owners(), and perform that outside the atomic
+context.
+
+Reported-by: John Hubbard <jhubbard@nvidia.com>
+Fixes: 0aaaf5c424c7f ("NFS: Cache state owners after files are closed")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4_fs.h | 3 ++-
+ fs/nfs/nfs4client.c | 5 ++++-
+ fs/nfs/nfs4state.c | 27 ++++++++++++++++++++++-----
+ 3 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
+index 4afdee420d253..9f15696f55b9f 100644
+--- a/fs/nfs/nfs4_fs.h
++++ b/fs/nfs/nfs4_fs.h
+@@ -416,7 +416,8 @@ static inline void nfs4_schedule_session_recovery(struct nfs4_session *session,
+
+ extern struct nfs4_state_owner *nfs4_get_state_owner(struct nfs_server *, struct rpc_cred *, gfp_t);
+ extern void nfs4_put_state_owner(struct nfs4_state_owner *);
+-extern void nfs4_purge_state_owners(struct nfs_server *);
++extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *);
++extern void nfs4_free_state_owners(struct list_head *head);
+ extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *);
+ extern void nfs4_put_open_state(struct nfs4_state *);
+ extern void nfs4_close_state(struct nfs4_state *, fmode_t);
+diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
+index ae91d1e450be7..dac20f31f01f8 100644
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -685,9 +685,12 @@ found:
+
+ static void nfs4_destroy_server(struct nfs_server *server)
+ {
++ LIST_HEAD(freeme);
++
+ nfs_server_return_all_delegations(server);
+ unset_pnfs_layoutdriver(server);
+- nfs4_purge_state_owners(server);
++ nfs4_purge_state_owners(server, &freeme);
++ nfs4_free_state_owners(&freeme);
+ }
+
+ /*
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 5be61affeefd8..ef3ed2b1fd278 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -611,24 +611,39 @@ void nfs4_put_state_owner(struct nfs4_state_owner *sp)
+ /**
+ * nfs4_purge_state_owners - Release all cached state owners
+ * @server: nfs_server with cached state owners to release
++ * @head: resulting list of state owners
+ *
+ * Called at umount time. Remaining state owners will be on
+ * the LRU with ref count of zero.
++ * Note that the state owners are not freed, but are added
++ * to the list @head, which can later be used as an argument
++ * to nfs4_free_state_owners.
+ */
+-void nfs4_purge_state_owners(struct nfs_server *server)
++void nfs4_purge_state_owners(struct nfs_server *server, struct list_head *head)
+ {
+ struct nfs_client *clp = server->nfs_client;
+ struct nfs4_state_owner *sp, *tmp;
+- LIST_HEAD(doomed);
+
+ spin_lock(&clp->cl_lock);
+ list_for_each_entry_safe(sp, tmp, &server->state_owners_lru, so_lru) {
+- list_move(&sp->so_lru, &doomed);
++ list_move(&sp->so_lru, head);
+ nfs4_remove_state_owner_locked(sp);
+ }
+ spin_unlock(&clp->cl_lock);
++}
+
+- list_for_each_entry_safe(sp, tmp, &doomed, so_lru) {
++/**
++ * nfs4_purge_state_owners - Release all cached state owners
++ * @head: resulting list of state owners
++ *
++ * Frees a list of state owners that was generated by
++ * nfs4_purge_state_owners
++ */
++void nfs4_free_state_owners(struct list_head *head)
++{
++ struct nfs4_state_owner *sp, *tmp;
++
++ list_for_each_entry_safe(sp, tmp, head, so_lru) {
+ list_del(&sp->so_lru);
+ nfs4_free_state_owner(sp);
+ }
+@@ -1724,12 +1739,13 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
+ struct nfs4_state_owner *sp;
+ struct nfs_server *server;
+ struct rb_node *pos;
++ LIST_HEAD(freeme);
+ int status = 0;
+
+ restart:
+ rcu_read_lock();
+ list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) {
+- nfs4_purge_state_owners(server);
++ nfs4_purge_state_owners(server, &freeme);
+ spin_lock(&clp->cl_lock);
+ for (pos = rb_first(&server->state_owners);
+ pos != NULL;
+@@ -1758,6 +1774,7 @@ restart:
+ spin_unlock(&clp->cl_lock);
+ }
+ rcu_read_unlock();
++ nfs4_free_state_owners(&freeme);
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From f01e1cf18de37e3d5d3b13dcc0b6c7c3b0d83dda Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 1 Aug 2019 16:26:42 +0200
+Subject: perf bench numa: Fix cpu0 binding
+
+[ Upstream commit 6bbfe4e602691b90ac866712bd4c43c51e546a60 ]
+
+Michael reported an issue with perf bench numa failing with binding to
+cpu0 with '-0' option.
+
+ # perf bench numa mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd
+ # Running 'numa/mem' benchmark:
+
+ # Running main, "perf bench numa numa-mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd"
+ binding to node 0, mask: 0000000000000001 => -1
+ perf: bench/numa.c:356: bind_to_memnode: Assertion `!(ret)' failed.
+ Aborted (core dumped)
+
+This happens when the cpu0 is not part of node0, which is the benchmark
+assumption and we can see that's not the case for some powerpc servers.
+
+Using correct node for cpu0 binding.
+
+Reported-by: Michael Petlan <mpetlan@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/20190801142642.28004-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/bench/numa.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
+index df41deed0320e..3bfba81d19118 100644
+--- a/tools/perf/bench/numa.c
++++ b/tools/perf/bench/numa.c
+@@ -370,8 +370,10 @@ static u8 *alloc_data(ssize_t bytes0, int map_flags,
+
+ /* Allocate and initialize all memory on CPU#0: */
+ if (init_cpu0) {
+- orig_mask = bind_to_node(0);
+- bind_to_memnode(0);
++ int node = numa_node_of_cpu(0);
++
++ orig_mask = bind_to_node(node);
++ bind_to_memnode(node);
+ }
+
+ bytes = bytes0 + HPSIZE;
+--
+2.20.1
+
--- /dev/null
+From dc8c977d63aed9680ae6f4ca01fb83673ba3b385 Mon Sep 17 00:00:00 2001
+From: Naresh Kamboju <naresh.kamboju () linaro ! org>
+Date: Wed, 7 Aug 2019 13:58:14 +0000
+Subject: selftests: kvm: Adding config fragments
+
+[ Upstream commit c096397c78f766db972f923433031f2dec01cae0 ]
+
+selftests kvm test cases need pre-required kernel configs for the test
+to get pass.
+
+Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/config | 3 +++
+ 1 file changed, 3 insertions(+)
+ create mode 100644 tools/testing/selftests/kvm/config
+
+diff --git a/tools/testing/selftests/kvm/config b/tools/testing/selftests/kvm/config
+new file mode 100644
+index 0000000000000..63ed533f73d6e
+--- /dev/null
++++ b/tools/testing/selftests/kvm/config
+@@ -0,0 +1,3 @@
++CONFIG_KVM=y
++CONFIG_KVM_INTEL=y
++CONFIG_KVM_AMD=y
+--
+2.20.1
+
--- /dev/null
+hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch
+mips-kernel-only-use-i8253-clocksource-with-periodic.patch
+netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch
+bonding-force-slave-speed-check-after-link-state-rec.patch
+can-dev-call-netif_carrier_off-in-register_candev.patch
+asoc-fail-card-instantiation-if-dai-format-setup-fai.patch
+st21nfca_connectivity_event_received-null-check-the-.patch
+st_nci_hci_connectivity_event_received-null-check-th.patch
+asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch
+net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch
+isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch
+isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch
+perf-bench-numa-fix-cpu0-binding.patch
+can-sja1000-force-the-string-buffer-null-terminated.patch
+can-peak_usb-force-the-string-buffer-null-terminated.patch
+nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch
+net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch
+net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch
+net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch
+net-hisilicon-fix-dma_map_single-failed-on-arm64.patch
+libata-add-sg-safety-checks-in-sff-pio-transfers.patch
+selftests-kvm-adding-config-fragments.patch
--- /dev/null
+From d6401fbd6ed5f973d309ffb170e1347ebcb9313e Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 23 Jul 2019 17:04:30 -0500
+Subject: st21nfca_connectivity_event_received: null check the allocation
+
+[ Upstream commit 9891d06836e67324c9e9c4675ed90fc8b8110034 ]
+
+devm_kzalloc may fail and return null. So the null check is needed.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st21nfca/se.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
+index c79d99b24c961..f1b96b5255e08 100644
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -327,6 +327,8 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
+
+ transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev,
+ skb->len - 2, GFP_KERNEL);
++ if (!transaction)
++ return -ENOMEM;
+
+ transaction->aid_len = skb->data[1];
+ memcpy(transaction->aid, &skb->data[2],
+--
+2.20.1
+
--- /dev/null
+From 10ab0295f273b8d70aa9ea107cf66028e0b3dea9 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 23 Jul 2019 17:11:51 -0500
+Subject: st_nci_hci_connectivity_event_received: null check the allocation
+
+[ Upstream commit 3008e06fdf0973770370f97d5f1fba3701d8281d ]
+
+devm_kzalloc may fail and return NULL. So the null check is needed.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index dbab722a06546..6f9d9b90ac645 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -346,6 +346,8 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+
+ transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev,
+ skb->len - 2, GFP_KERNEL);
++ if (!transaction)
++ return -ENOMEM;
+
+ transaction->aid_len = skb->data[1];
+ memcpy(transaction->aid, &skb->data[2], transaction->aid_len);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
