--- /dev/null
+From 60d18895d753f0576f6ce8f54030b397eaca8d61 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 7 Jun 2019 11:02:01 +0200
+Subject: ARM: davinci: da850-evm: call regulator_has_full_constraints()
+
+[ Upstream commit 0c0c9b5753cd04601b17de09da1ed2885a3b42fe ]
+
+The BB expander at 0x21 i2c bus 1 fails to probe on da850-evm because
+the board doesn't set has_full_constraints to true in the regulator
+API.
+
+Call regulator_has_full_constraints() at the end of board registration
+just like we do in da850-lcdk and da830-evm.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-davinci/board-da850-evm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/mach-davinci/board-da850-evm.c b/arch/arm/mach-davinci/board-da850-evm.c
+index 2f6ac1afa804..686e7e6f2eb3 100644
+--- a/arch/arm/mach-davinci/board-da850-evm.c
++++ b/arch/arm/mach-davinci/board-da850-evm.c
+@@ -1464,6 +1464,8 @@ static __init void da850_evm_init(void)
+ if (ret)
+ pr_warn("%s: dsp/rproc registration failed: %d\n",
+ __func__, ret);
++
++ regulator_has_full_constraints();
+ }
+
+ #ifdef CONFIG_SERIAL_8250_CONSOLE
+--
+2.20.1
+
--- /dev/null
+From 2d68c44329dbbe26761074f34ef110129e33a058 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 7 Jun 2019 16:33:50 +0200
+Subject: ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
+
+[ Upstream commit 68f2515bb31a664ba3e2bc1eb78dd9f529b10067 ]
+
+The lcdc device is missing the dma_coherent_mask definition causing the
+following warning on da850-evm:
+
+da8xx_lcdc da8xx_lcdc.0: found Sharp_LK043T1DG01 panel
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:247 dma_alloc_attrs+0xc8/0x110
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Not tainted 5.2.0-rc3-00077-g16d72dd4891f #18
+Hardware name: DaVinci DA850/OMAP-L138/AM18x EVM
+[<c000fce8>] (unwind_backtrace) from [<c000d900>] (show_stack+0x10/0x14)
+[<c000d900>] (show_stack) from [<c001a4f8>] (__warn+0xec/0x114)
+[<c001a4f8>] (__warn) from [<c001a634>] (warn_slowpath_null+0x3c/0x48)
+[<c001a634>] (warn_slowpath_null) from [<c0065860>] (dma_alloc_attrs+0xc8/0x110)
+[<c0065860>] (dma_alloc_attrs) from [<c02820f8>] (fb_probe+0x228/0x5a8)
+[<c02820f8>] (fb_probe) from [<c02d3e9c>] (platform_drv_probe+0x48/0x9c)
+[<c02d3e9c>] (platform_drv_probe) from [<c02d221c>] (really_probe+0x1d8/0x2d4)
+[<c02d221c>] (really_probe) from [<c02d2474>] (driver_probe_device+0x5c/0x168)
+[<c02d2474>] (driver_probe_device) from [<c02d2728>] (device_driver_attach+0x58/0x60)
+[<c02d2728>] (device_driver_attach) from [<c02d27b0>] (__driver_attach+0x80/0xbc)
+[<c02d27b0>] (__driver_attach) from [<c02d047c>] (bus_for_each_dev+0x64/0xb4)
+[<c02d047c>] (bus_for_each_dev) from [<c02d1590>] (bus_add_driver+0xe4/0x1d8)
+[<c02d1590>] (bus_add_driver) from [<c02d301c>] (driver_register+0x78/0x10c)
+[<c02d301c>] (driver_register) from [<c000a5c0>] (do_one_initcall+0x48/0x1bc)
+[<c000a5c0>] (do_one_initcall) from [<c05cae6c>] (kernel_init_freeable+0x10c/0x1d8)
+[<c05cae6c>] (kernel_init_freeable) from [<c048a000>] (kernel_init+0x8/0xf4)
+[<c048a000>] (kernel_init) from [<c00090e0>] (ret_from_fork+0x14/0x34)
+Exception stack(0xc6837fb0 to 0xc6837ff8)
+7fa0: 00000000 00000000 00000000 00000000
+7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+---[ end trace 8a8073511be81dd2 ]---
+
+Add a 32-bit mask to the platform device's definition.
+
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-davinci/devices-da8xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c
+index 22440c05d66a..7120f93eab0b 100644
+--- a/arch/arm/mach-davinci/devices-da8xx.c
++++ b/arch/arm/mach-davinci/devices-da8xx.c
+@@ -699,6 +699,9 @@ static struct platform_device da8xx_lcdc_device = {
+ .id = 0,
+ .num_resources = ARRAY_SIZE(da8xx_lcdc_resources),
+ .resource = da8xx_lcdc_resources,
++ .dev = {
++ .coherent_dma_mask = DMA_BIT_MASK(32),
++ }
+ };
+
+ int __init da8xx_register_lcdc(struct da8xx_lcdc_platform_data *pdata)
+--
+2.20.1
+
--- /dev/null
+From 866fe6a58a720a322da0a69255964ea01f6fa0f6 Mon Sep 17 00:00:00 2001
+From: Teresa Remmet <t.remmet@phytec.de>
+Date: Fri, 24 May 2019 15:19:57 +0200
+Subject: ARM: dts: am335x phytec boards: Fix cd-gpios active level
+
+[ Upstream commit 8a0098c05a272c9a68f6885e09755755b612459c ]
+
+Active level of the mmc1 cd gpio needs to be low instead of high.
+Fix PCM-953 and phyBOARD-WEGA.
+
+Signed-off-by: Teresa Remmet <t.remmet@phytec.de>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am335x-pcm-953.dtsi | 2 +-
+ arch/arm/boot/dts/am335x-wega.dtsi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+index 1ec8e0d80191..572fbd254690 100644
+--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi
++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+@@ -197,7 +197,7 @@
+ bus-width = <4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc1_pins>;
+- cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
++ cd-gpios = <&gpio0 6 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ };
+
+diff --git a/arch/arm/boot/dts/am335x-wega.dtsi b/arch/arm/boot/dts/am335x-wega.dtsi
+index 8ce541739b24..83e4fe595e37 100644
+--- a/arch/arm/boot/dts/am335x-wega.dtsi
++++ b/arch/arm/boot/dts/am335x-wega.dtsi
+@@ -157,7 +157,7 @@
+ bus-width = <4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc1_pins>;
+- cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
++ cd-gpios = <&gpio0 6 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ };
+
+--
+2.20.1
+
--- /dev/null
+From ae33e85b4c160d7d6cbdd2d203f1d3bbb45a7909 Mon Sep 17 00:00:00 2001
+From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Date: Thu, 13 Jun 2019 16:25:40 -0300
+Subject: bnx2x: Check if transceiver implements DDM before access
+
+[ Upstream commit cf18cecca911c0db96b868072665347efe6df46f ]
+
+Some transceivers may comply with SFF-8472 even though they do not
+implement the Digital Diagnostic Monitoring (DDM) interface described in
+the spec. The existence of such area is specified by the 6th bit of byte
+92, set to 1 if implemented.
+
+Currently, without checking this bit, bnx2x fails trying to read sfp
+module's EEPROM with the follow message:
+
+ethtool -m enP5p1s0f1
+Cannot get Module EEPROM data: Input/output error
+
+Because it fails to read the additional 256 bytes in which it is assumed
+to exist the DDM data.
+
+This issue was noticed using a Mellanox Passive DAC PN 01FT738. The EEPROM
+data was confirmed by Mellanox as correct and similar to other Passive
+DACs from other manufacturers.
+
+Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 ++-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+index 3fd1085a093f..65bc1929d1a8 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -1581,7 +1581,8 @@ static int bnx2x_get_module_info(struct net_device *dev,
+ }
+
+ if (!sff8472_comp ||
+- (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ)) {
++ (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ) ||
++ !(diag_type & SFP_EEPROM_DDM_IMPLEMENTED)) {
+ modinfo->type = ETH_MODULE_SFF_8079;
+ modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
+ } else {
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
+index b7d251108c19..7115f5025664 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
+@@ -62,6 +62,7 @@
+ #define SFP_EEPROM_DIAG_TYPE_ADDR 0x5c
+ #define SFP_EEPROM_DIAG_TYPE_SIZE 1
+ #define SFP_EEPROM_DIAG_ADDR_CHANGE_REQ (1<<2)
++#define SFP_EEPROM_DDM_IMPLEMENTED (1<<6)
+ #define SFP_EEPROM_SFF_8472_COMP_ADDR 0x5e
+ #define SFP_EEPROM_SFF_8472_COMP_SIZE 1
+
+--
+2.20.1
+
--- /dev/null
+From 23643c9cfedf4d7afa2635b300a7de9e3810b636 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Fri, 24 May 2019 08:01:00 -0700
+Subject: bpf: sockmap, fix use after free from sleep in psock backlog
+ workqueue
+
+[ Upstream commit bd95e678e0f6e18351ecdc147ca819145db9ed7b ]
+
+Backlog work for psock (sk_psock_backlog) might sleep while waiting
+for memory to free up when sending packets. However, while sleeping
+the socket may be closed and removed from the map by the user space
+side.
+
+This breaks an assumption in sk_stream_wait_memory, which expects the
+wait queue to be still there when it wakes up resulting in a
+use-after-free shown below. To fix his mark sendmsg as MSG_DONTWAIT
+to avoid the sleep altogether. We already set the flag for the
+sendpage case but we missed the case were sendmsg is used.
+Sockmap is currently the only user of skb_send_sock_locked() so only
+the sockmap paths should be impacted.
+
+==================================================================
+BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70
+Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110
+
+CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
+Workqueue: events sk_psock_backlog
+Call Trace:
+ print_address_description+0x6e/0x2b0
+ ? remove_wait_queue+0x31/0x70
+ kasan_report+0xfd/0x177
+ ? remove_wait_queue+0x31/0x70
+ ? remove_wait_queue+0x31/0x70
+ remove_wait_queue+0x31/0x70
+ sk_stream_wait_memory+0x4dd/0x5f0
+ ? sk_stream_wait_close+0x1b0/0x1b0
+ ? wait_woken+0xc0/0xc0
+ ? tcp_current_mss+0xc5/0x110
+ tcp_sendmsg_locked+0x634/0x15d0
+ ? tcp_set_state+0x2e0/0x2e0
+ ? __kasan_slab_free+0x1d1/0x230
+ ? kmem_cache_free+0x70/0x140
+ ? sk_psock_backlog+0x40c/0x4b0
+ ? process_one_work+0x40b/0x660
+ ? worker_thread+0x82/0x680
+ ? kthread+0x1b9/0x1e0
+ ? ret_from_fork+0x1f/0x30
+ ? check_preempt_curr+0xaf/0x130
+ ? iov_iter_kvec+0x5f/0x70
+ ? kernel_sendmsg_locked+0xa0/0xe0
+ skb_send_sock_locked+0x273/0x3c0
+ ? skb_splice_bits+0x180/0x180
+ ? start_thread+0xe0/0xe0
+ ? update_min_vruntime.constprop.27+0x88/0xc0
+ sk_psock_backlog+0xb3/0x4b0
+ ? strscpy+0xbf/0x1e0
+ process_one_work+0x40b/0x660
+ worker_thread+0x82/0x680
+ ? process_one_work+0x660/0x660
+ kthread+0x1b9/0x1e0
+ ? __kthread_create_on_node+0x250/0x250
+ ret_from_fork+0x1f/0x30
+
+Fixes: 20bf50de3028c ("skbuff: Function to send an skbuf on a socket")
+Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
+Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 2b3b0307dd89..6d9fd7d4bdfa 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2299,6 +2299,7 @@ int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset,
+ kv.iov_base = skb->data + offset;
+ kv.iov_len = slen;
+ memset(&msg, 0, sizeof(msg));
++ msg.msg_flags = MSG_DONTWAIT;
+
+ ret = kernel_sendmsg_locked(sk, &msg, &kv, 1, slen);
+ if (ret <= 0)
+--
+2.20.1
+
--- /dev/null
+From f2f822f65970ae0aebffdab424ba76e71e6d1771 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 16 May 2019 22:36:26 +0800
+Subject: can: af_can: Fix error path of can_init()
+
+[ Upstream commit c5a3aed1cd3152429348ee1fe5cdcca65fe901ce ]
+
+This patch add error path for can_init() to avoid possible crash if some
+error occurs.
+
+Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/af_can.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index 9de9678fa7d0..46c85731d16f 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -959,6 +959,8 @@ static struct pernet_operations can_pernet_ops __read_mostly = {
+
+ static __init int can_init(void)
+ {
++ int err;
++
+ /* check for correct padding to be able to use the structs similarly */
+ BUILD_BUG_ON(offsetof(struct can_frame, can_dlc) !=
+ offsetof(struct canfd_frame, len) ||
+@@ -972,15 +974,31 @@ static __init int can_init(void)
+ if (!rcv_cache)
+ return -ENOMEM;
+
+- register_pernet_subsys(&can_pernet_ops);
++ err = register_pernet_subsys(&can_pernet_ops);
++ if (err)
++ goto out_pernet;
+
+ /* protocol register */
+- sock_register(&can_family_ops);
+- register_netdevice_notifier(&can_netdev_notifier);
++ err = sock_register(&can_family_ops);
++ if (err)
++ goto out_sock;
++ err = register_netdevice_notifier(&can_netdev_notifier);
++ if (err)
++ goto out_notifier;
++
+ dev_add_pack(&can_packet);
+ dev_add_pack(&canfd_packet);
+
+ return 0;
++
++out_notifier:
++ sock_unregister(PF_CAN);
++out_sock:
++ unregister_pernet_subsys(&can_pernet_ops);
++out_pernet:
++ kmem_cache_destroy(rcv_cache);
++
++ return err;
+ }
+
+ static __exit void can_exit(void)
+--
+2.20.1
+
--- /dev/null
+From 5e2241b1eeb70186fc2e064d4d1d007138c68748 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 4 Mar 2019 14:44:13 +0000
+Subject: can: m_can: implement errata "Needless activation of MRAF irq"
+
+[ Upstream commit 3e82f2f34c930a2a0a9e69fdc2de2f2f1388b442 ]
+
+During frame reception while the MCAN is in Error Passive state and the
+Receive Error Counter has thevalue MCAN_ECR.REC = 127, it may happen
+that MCAN_IR.MRAF is set although there was no Message RAM access
+failure. If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is
+generated.
+
+Work around:
+The Message RAM Access Failure interrupt routine needs to check whether
+
+ MCAN_ECR.RP = '1' and MCAN_ECR.REC = '127'.
+
+In this case, reset MCAN_IR.MRAF. No further action is required.
+This affects versions older than 3.2.0
+
+Errata explained on Sama5d2 SoC which includes this hardware block:
+http://ww1.microchip.com/downloads/en/DeviceDoc/SAMA5D2-Family-Silicon-Errata-and-Data-Sheet-Clarification-DS80000803B.pdf
+chapter 6.2
+
+Reproducibility: If 2 devices with m_can are connected back to back,
+configuring different bitrate on them will lead to interrupt storm on
+the receiving side, with error "Message RAM access failure occurred".
+Another way is to have a bad hardware connection. Bad wire connection
+can lead to this issue as well.
+
+This patch fixes the issue according to provided workaround.
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Reviewed-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index d3ce904e929e..ebad93ac8f11 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -818,6 +818,27 @@ static int m_can_poll(struct napi_struct *napi, int quota)
+ if (!irqstatus)
+ goto end;
+
++ /* Errata workaround for issue "Needless activation of MRAF irq"
++ * During frame reception while the MCAN is in Error Passive state
++ * and the Receive Error Counter has the value MCAN_ECR.REC = 127,
++ * it may happen that MCAN_IR.MRAF is set although there was no
++ * Message RAM access failure.
++ * If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is generated
++ * The Message RAM Access Failure interrupt routine needs to check
++ * whether MCAN_ECR.RP = ’1’ and MCAN_ECR.REC = 127.
++ * In this case, reset MCAN_IR.MRAF. No further action is required.
++ */
++ if ((priv->version <= 31) && (irqstatus & IR_MRAF) &&
++ (m_can_read(priv, M_CAN_ECR) & ECR_RP)) {
++ struct can_berr_counter bec;
++
++ __m_can_get_berr_counter(dev, &bec);
++ if (bec.rxerr == 127) {
++ m_can_write(priv, M_CAN_IR, IR_MRAF);
++ irqstatus &= ~IR_MRAF;
++ }
++ }
++
+ psr = m_can_read(priv, M_CAN_PSR);
+ if (irqstatus & IR_ERR_STATE)
+ work_done += m_can_handle_state_errors(dev, psr);
+--
+2.20.1
+
--- /dev/null
+From 4fad01ba2a4c7ee0ea37126c04fd9393c7c7118c Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 7 May 2019 11:34:36 +0200
+Subject: can: mcp251x: add support for mcp25625
+
+[ Upstream commit 35b7fa4d07c43ad79b88e6462119e7140eae955c ]
+
+Fully compatible with mcp2515, the mcp25625 have integrated transceiver.
+
+This patch adds support for the mcp25625 to the existing mcp251x driver.
+
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/Kconfig | 5 +++--
+ drivers/net/can/spi/mcp251x.c | 25 ++++++++++++++++---------
+ 2 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/can/spi/Kconfig b/drivers/net/can/spi/Kconfig
+index 8f2e0dd7b756..792e9c6c4a2f 100644
+--- a/drivers/net/can/spi/Kconfig
++++ b/drivers/net/can/spi/Kconfig
+@@ -8,9 +8,10 @@ config CAN_HI311X
+ Driver for the Holt HI311x SPI CAN controllers.
+
+ config CAN_MCP251X
+- tristate "Microchip MCP251x SPI CAN controllers"
++ tristate "Microchip MCP251x and MCP25625 SPI CAN controllers"
+ depends on HAS_DMA
+ ---help---
+- Driver for the Microchip MCP251x SPI CAN controllers.
++ Driver for the Microchip MCP251x and MCP25625 SPI CAN
++ controllers.
+
+ endmenu
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index f3f05fea8e1f..d8c448beab24 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1,5 +1,5 @@
+ /*
+- * CAN bus driver for Microchip 251x CAN Controller with SPI Interface
++ * CAN bus driver for Microchip 251x/25625 CAN Controller with SPI Interface
+ *
+ * MCP2510 support and bug fixes by Christian Pellegrin
+ * <chripell@evolware.org>
+@@ -41,7 +41,7 @@
+ * static struct spi_board_info spi_board_info[] = {
+ * {
+ * .modalias = "mcp2510",
+- * // or "mcp2515" depending on your controller
++ * // "mcp2515" or "mcp25625" depending on your controller
+ * .platform_data = &mcp251x_info,
+ * .irq = IRQ_EINT13,
+ * .max_speed_hz = 2*1000*1000,
+@@ -238,6 +238,7 @@ static const struct can_bittiming_const mcp251x_bittiming_const = {
+ enum mcp251x_model {
+ CAN_MCP251X_MCP2510 = 0x2510,
+ CAN_MCP251X_MCP2515 = 0x2515,
++ CAN_MCP251X_MCP25625 = 0x25625,
+ };
+
+ struct mcp251x_priv {
+@@ -280,7 +281,6 @@ static inline int mcp251x_is_##_model(struct spi_device *spi) \
+ }
+
+ MCP251X_IS(2510);
+-MCP251X_IS(2515);
+
+ static void mcp251x_clean(struct net_device *net)
+ {
+@@ -640,7 +640,7 @@ static int mcp251x_hw_reset(struct spi_device *spi)
+
+ /* Wait for oscillator startup timer after reset */
+ mdelay(MCP251X_OST_DELAY_MS);
+-
++
+ reg = mcp251x_read_reg(spi, CANSTAT);
+ if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF)
+ return -ENODEV;
+@@ -821,9 +821,8 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id)
+ /* receive buffer 0 */
+ if (intf & CANINTF_RX0IF) {
+ mcp251x_hw_rx(spi, 0);
+- /*
+- * Free one buffer ASAP
+- * (The MCP2515 does this automatically.)
++ /* Free one buffer ASAP
++ * (The MCP2515/25625 does this automatically.)
+ */
+ if (mcp251x_is_2510(spi))
+ mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00);
+@@ -832,7 +831,7 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id)
+ /* receive buffer 1 */
+ if (intf & CANINTF_RX1IF) {
+ mcp251x_hw_rx(spi, 1);
+- /* the MCP2515 does this automatically */
++ /* The MCP2515/25625 does this automatically. */
+ if (mcp251x_is_2510(spi))
+ clear_intf |= CANINTF_RX1IF;
+ }
+@@ -1007,6 +1006,10 @@ static const struct of_device_id mcp251x_of_match[] = {
+ .compatible = "microchip,mcp2515",
+ .data = (void *)CAN_MCP251X_MCP2515,
+ },
++ {
++ .compatible = "microchip,mcp25625",
++ .data = (void *)CAN_MCP251X_MCP25625,
++ },
+ { }
+ };
+ MODULE_DEVICE_TABLE(of, mcp251x_of_match);
+@@ -1020,6 +1023,10 @@ static const struct spi_device_id mcp251x_id_table[] = {
+ .name = "mcp2515",
+ .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP2515,
+ },
++ {
++ .name = "mcp25625",
++ .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP25625,
++ },
+ { }
+ };
+ MODULE_DEVICE_TABLE(spi, mcp251x_id_table);
+@@ -1260,5 +1267,5 @@ module_spi_driver(mcp251x_can_driver);
+
+ MODULE_AUTHOR("Chris Elston <celston@katalix.com>, "
+ "Christian Pellegrin <chripell@evolware.org>");
+-MODULE_DESCRIPTION("Microchip 251x CAN driver");
++MODULE_DESCRIPTION("Microchip 251x/25625 CAN driver");
+ MODULE_LICENSE("GPL v2");
+--
+2.20.1
+
--- /dev/null
+From daaa791e28e3da33da5d17fe124d46fba21ddc09 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 18 Jun 2019 16:18:43 +0300
+Subject: drm: return -EFAULT if copy_to_user() fails
+
+[ Upstream commit 74b67efa8d7b4f90137f0ab9a80dd319da050350 ]
+
+The copy_from_user() function returns the number of bytes remaining
+to be copied but we want to return a negative error code. Otherwise
+the callers treat it as a successful copy.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190618131843.GA29463@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_bufs.c | 5 ++++-
+ drivers/gpu/drm/drm_ioc32.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
+index 0f05b8d8fefa..b829fde80f7b 100644
+--- a/drivers/gpu/drm/drm_bufs.c
++++ b/drivers/gpu/drm/drm_bufs.c
+@@ -1321,7 +1321,10 @@ static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
+ .size = from->buf_size,
+ .low_mark = from->low_mark,
+ .high_mark = from->high_mark};
+- return copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags));
++
++ if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)))
++ return -EFAULT;
++ return 0;
+ }
+
+ int drm_legacy_infobufs(struct drm_device *dev, void *data,
+diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
+index f8e96e648acf..bfeeb6a56135 100644
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -372,7 +372,10 @@ static int copy_one_buf32(void *data, int count, struct drm_buf_entry *from)
+ .size = from->buf_size,
+ .low_mark = from->low_mark,
+ .high_mark = from->high_mark};
+- return copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags));
++
++ if (copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags)))
++ return -EFAULT;
++ return 0;
+ }
+
+ static int drm_legacy_infobufs32(struct drm_device *dev, void *data,
+--
+2.20.1
+
--- /dev/null
+From 5a4a4d25afd501ad8ada02ebe38092f8baf83c39 Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 7 May 2019 11:34:37 +0200
+Subject: dt-bindings: can: mcp251x: add mcp25625 support
+
+[ Upstream commit 0df82dcd55832a99363ab7f9fab954fcacdac3ae ]
+
+Fully compatible with mcp2515, the mcp25625 have integrated transceiver.
+
+This patch add the mcp25625 to the device tree bindings documentation.
+
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
+index ee3723beb701..33b38716b77f 100644
+--- a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
++++ b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
+@@ -4,6 +4,7 @@ Required properties:
+ - compatible: Should be one of the following:
+ - "microchip,mcp2510" for MCP2510.
+ - "microchip,mcp2515" for MCP2515.
++ - "microchip,mcp25625" for MCP25625.
+ - reg: SPI chip select.
+ - clocks: The clock feeding the CAN controller.
+ - interrupt-parent: The parent interrupt controller.
+--
+2.20.1
+
--- /dev/null
+From 4d7dba57d555119a4cef994a5339d0e43b5ee008 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Fri, 7 Jun 2019 16:03:54 -0500
+Subject: ibmvnic: Refresh device multicast list after reset
+
+[ Upstream commit be32a24372cf162e825332da1a7ccef058d4f20b ]
+
+It was observed that multicast packets were no longer received after
+a device reset. The fix is to resend the current multicast list to
+the backing device after recovery.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index c914b338691b..956fbb164e6f 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1489,6 +1489,9 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+ return 0;
+ }
+
++ /* refresh device's multicast list */
++ ibmvnic_set_multi(netdev);
++
+ /* kick napi */
+ for (i = 0; i < adapter->req_rx_queues; i++)
+ napi_schedule(&adapter->napi[i]);
+--
+2.20.1
+
--- /dev/null
+From 17c5fa028b1d215e30af32e8da608fd034acf216 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Mon, 20 May 2019 22:09:10 -0700
+Subject: Input: elantech - enable middle button support on 2 ThinkPads
+
+[ Upstream commit aa440de3058a3ef530851f9ef373fbb5f694dbc3 ]
+
+Adding 2 new touchpad PNPIDs to enable middle button support.
+
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/mouse/elantech.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index fda33fc3ffcc..ab4888d043f0 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1191,6 +1191,8 @@ static const char * const middle_button_pnp_ids[] = {
+ "LEN2132", /* ThinkPad P52 */
+ "LEN2133", /* ThinkPad P72 w/ NFC */
+ "LEN2134", /* ThinkPad P72 */
++ "LEN0407",
++ "LEN0408",
+ NULL
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 5f8a7c35a6b00717bc854476931863d99bc213a7 Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Tue, 11 Jun 2019 17:50:44 -0700
+Subject: Input: imx_keypad - make sure keyboard can always wake up system
+
+[ Upstream commit ce9a53eb3dbca89e7ad86673d94ab886e9bea704 ]
+
+There are several scenarios that keyboard can NOT wake up system
+from suspend, e.g., if a keyboard is depressed between system
+device suspend phase and device noirq suspend phase, the keyboard
+ISR will be called and both keyboard depress and release interrupts
+will be disabled, then keyboard will no longer be able to wake up
+system. Another scenario would be, if a keyboard is kept depressed,
+and then system goes into suspend, the expected behavior would be
+when keyboard is released, system will be waked up, but current
+implementation can NOT achieve that, because both depress and release
+interrupts are disabled in ISR, and the event check is still in
+progress.
+
+To fix these issues, need to make sure keyboard's depress or release
+interrupt is enabled after noirq device suspend phase, this patch
+moves the suspend/resume callback to noirq suspend/resume phase, and
+enable the corresponding interrupt according to current keyboard status.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/imx_keypad.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/keyboard/imx_keypad.c b/drivers/input/keyboard/imx_keypad.c
+index 2165f3dd328b..842c0235471d 100644
+--- a/drivers/input/keyboard/imx_keypad.c
++++ b/drivers/input/keyboard/imx_keypad.c
+@@ -530,11 +530,12 @@ static int imx_keypad_probe(struct platform_device *pdev)
+ return 0;
+ }
+
+-static int __maybe_unused imx_kbd_suspend(struct device *dev)
++static int __maybe_unused imx_kbd_noirq_suspend(struct device *dev)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+ struct imx_keypad *kbd = platform_get_drvdata(pdev);
+ struct input_dev *input_dev = kbd->input_dev;
++ unsigned short reg_val = readw(kbd->mmio_base + KPSR);
+
+ /* imx kbd can wake up system even clock is disabled */
+ mutex_lock(&input_dev->mutex);
+@@ -544,13 +545,20 @@ static int __maybe_unused imx_kbd_suspend(struct device *dev)
+
+ mutex_unlock(&input_dev->mutex);
+
+- if (device_may_wakeup(&pdev->dev))
++ if (device_may_wakeup(&pdev->dev)) {
++ if (reg_val & KBD_STAT_KPKD)
++ reg_val |= KBD_STAT_KRIE;
++ if (reg_val & KBD_STAT_KPKR)
++ reg_val |= KBD_STAT_KDIE;
++ writew(reg_val, kbd->mmio_base + KPSR);
++
+ enable_irq_wake(kbd->irq);
++ }
+
+ return 0;
+ }
+
+-static int __maybe_unused imx_kbd_resume(struct device *dev)
++static int __maybe_unused imx_kbd_noirq_resume(struct device *dev)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+ struct imx_keypad *kbd = platform_get_drvdata(pdev);
+@@ -574,7 +582,9 @@ static int __maybe_unused imx_kbd_resume(struct device *dev)
+ return ret;
+ }
+
+-static SIMPLE_DEV_PM_OPS(imx_kbd_pm_ops, imx_kbd_suspend, imx_kbd_resume);
++static const struct dev_pm_ops imx_kbd_pm_ops = {
++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(imx_kbd_noirq_suspend, imx_kbd_noirq_resume)
++};
+
+ static struct platform_driver imx_keypad_driver = {
+ .driver = {
+--
+2.20.1
+
--- /dev/null
+From 3907c45a9b3051c7b7d93aa535f5bb7981b84d49 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 17 Jun 2019 21:34:14 +0800
+Subject: ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
+
+[ Upstream commit 6f6a8622057c92408930c31698394fae1557b188 ]
+
+A similar fix to Patch "ip_tunnel: allow not to count pkts on tstats by
+setting skb's dev to NULL" is also needed by ip6_tunnel.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip6_tunnel.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
+index d66f70f63734..3b0e3cdee1c3 100644
+--- a/include/net/ip6_tunnel.h
++++ b/include/net/ip6_tunnel.h
+@@ -152,9 +152,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
+ memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
+ pkt_len = skb->len - skb_inner_network_offset(skb);
+ err = ip6_local_out(dev_net(skb_dst(skb)->dev), sk, skb);
+- if (unlikely(net_xmit_eval(err)))
+- pkt_len = -1;
+- iptunnel_xmit_stats(dev, pkt_len);
++
++ if (dev) {
++ if (unlikely(net_xmit_eval(err)))
++ pkt_len = -1;
++ iptunnel_xmit_stats(dev, pkt_len);
++ }
+ }
+ #endif
+ #endif
+--
+2.20.1
+
--- /dev/null
+From e6fdbe281f20d7f1ff620ffe2832bc8924dabfbf Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 29 May 2019 16:39:54 +0300
+Subject: iwlwifi: Fix double-free problems in iwl_req_fw_callback()
+
+[ Upstream commit a8627176b0de7ba3f4524f641ddff4abf23ae4e4 ]
+
+In the error handling code of iwl_req_fw_callback(), iwl_dealloc_ucode()
+is called to free data. In iwl_drv_stop(), iwl_dealloc_ucode() is called
+again, which can cause double-free problems.
+
+To fix this bug, the call to iwl_dealloc_ucode() in
+iwl_req_fw_callback() is deleted.
+
+This bug is found by a runtime fuzzing tool named FIZZER written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index 99676d6c4713..6c10b8c4ddbe 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1509,7 +1509,6 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
+ goto free;
+
+ out_free_fw:
+- iwl_dealloc_ucode(drv);
+ release_firmware(ucode_raw);
+ out_unbind:
+ complete(&drv->request_firmware_complete);
+--
+2.20.1
+
--- /dev/null
+From 150235229fa192cf78b82676b962b943961502a2 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 6 Jun 2019 11:58:07 +0100
+Subject: KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
+
+[ Upstream commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a ]
+
+kvm_device->destroy() seems to be supposed to free its kvm_device
+struct, but vgic_its_destroy() is not currently doing this,
+resulting in a memory leak, resulting in kmemleak reports such as
+the following:
+
+unreferenced object 0xffff800aeddfe280 (size 128):
+ comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s)
+ [...]
+ backtrace:
+ [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208
+ [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0
+
+Fix it.
+
+Cc: Andre Przywara <andre.przywara@arm.com>
+Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
+index dc06f5e40041..526d808ecbbd 100644
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -1677,6 +1677,7 @@ static void vgic_its_destroy(struct kvm_device *kvm_dev)
+ mutex_unlock(&its->its_lock);
+
+ kfree(its);
++ kfree(kvm_dev);/* alloc by kvm_ioctl_create_device, free by .destroy */
+ }
+
+ int vgic_its_has_attr_regs(struct kvm_device *dev,
+--
+2.20.1
+
--- /dev/null
+From fae10144cdad26ccd76daf5e289ef7bbd0dcdeaf Mon Sep 17 00:00:00 2001
+From: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Date: Tue, 28 May 2019 16:36:16 -0700
+Subject: mac80211: free peer keys before vif down in mesh
+
+[ Upstream commit 0112fa557c3bb3a002bc85760dc3761d737264d3 ]
+
+freeing peer keys after vif down is resulting in peer key uninstall
+to fail due to interface lookup failure. so fix that.
+
+Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index aca054539f4a..c6edae051e9b 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -922,6 +922,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
+
+ /* flush STAs and mpaths on this iface */
+ sta_info_flush(sdata);
++ ieee80211_free_keys(sdata, true);
+ mesh_path_flush_by_iface(sdata);
+
+ /* stop the beacon */
+--
+2.20.1
+
--- /dev/null
+From 0422db4caef29b01a6dd53211b4dc859a87a3e96 Mon Sep 17 00:00:00 2001
+From: Thomas Pedersen <thomas@eero.com>
+Date: Fri, 24 May 2019 21:16:24 -0700
+Subject: mac80211: mesh: fix RCU warning
+
+[ Upstream commit 551842446ed695641a00782cd118cbb064a416a1 ]
+
+ifmsh->csa is an RCU-protected pointer. The writer context
+in ieee80211_mesh_finish_csa() is already mutually
+exclusive with wdev->sdata.mtx, but the RCU checker did
+not know this. Use rcu_dereference_protected() to avoid a
+warning.
+
+fixes the following warning:
+
+[ 12.519089] =============================
+[ 12.520042] WARNING: suspicious RCU usage
+[ 12.520652] 5.1.0-rc7-wt+ #16 Tainted: G W
+[ 12.521409] -----------------------------
+[ 12.521972] net/mac80211/mesh.c:1223 suspicious rcu_dereference_check() usage!
+[ 12.522928] other info that might help us debug this:
+[ 12.523984] rcu_scheduler_active = 2, debug_locks = 1
+[ 12.524855] 5 locks held by kworker/u8:2/152:
+[ 12.525438] #0: 00000000057be08c ((wq_completion)phy0){+.+.}, at: process_one_work+0x1a2/0x620
+[ 12.526607] #1: 0000000059c6b07a ((work_completion)(&sdata->csa_finalize_work)){+.+.}, at: process_one_work+0x1a2/0x620
+[ 12.528001] #2: 00000000f184ba7d (&wdev->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x2f/0x90
+[ 12.529116] #3: 00000000831a1f54 (&local->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x47/0x90
+[ 12.530233] #4: 00000000fd06f988 (&local->chanctx_mtx){+.+.}, at: ieee80211_csa_finalize_work+0x51/0x90
+
+Signed-off-by: Thomas Pedersen <thomas@eero.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 96e57d7c2872..aca054539f4a 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1209,7 +1209,8 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
+ ifmsh->chsw_ttl = 0;
+
+ /* Remove the CSA and MCSP elements from the beacon */
+- tmp_csa_settings = rcu_dereference(ifmsh->csa);
++ tmp_csa_settings = rcu_dereference_protected(ifmsh->csa,
++ lockdep_is_held(&sdata->wdev.mtx));
+ RCU_INIT_POINTER(ifmsh->csa, NULL);
+ if (tmp_csa_settings)
+ kfree_rcu(tmp_csa_settings, rcu_head);
+@@ -1231,6 +1232,8 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
+ struct mesh_csa_settings *tmp_csa_settings;
+ int ret = 0;
+
++ lockdep_assert_held(&sdata->wdev.mtx);
++
+ tmp_csa_settings = kmalloc(sizeof(*tmp_csa_settings),
+ GFP_ATOMIC);
+ if (!tmp_csa_settings)
+--
+2.20.1
+
--- /dev/null
+From 3f133d24e70e235731ee12a68e63a460a17b36be Mon Sep 17 00:00:00 2001
+From: Yibo Zhao <yiboz@codeaurora.org>
+Date: Fri, 14 Jun 2019 19:01:52 +0800
+Subject: mac80211: only warn once on chanctx_conf being NULL
+
+[ Upstream commit 563572340173865a9a356e6bb02579e6998a876d ]
+
+In multiple SSID cases, it takes time to prepare every AP interface
+to be ready in initializing phase. If a sta already knows everything it
+needs to join one of the APs and sends authentication to the AP which
+is not fully prepared at this point of time, AP's channel context
+could be NULL. As a result, warning message occurs.
+
+Even worse, if the AP is under attack via tools such as MDK3 and massive
+authentication requests are received in a very short time, console will
+be hung due to kernel warning messages.
+
+WARN_ON_ONCE() could be a better way for indicating warning messages
+without duplicate messages to flood the console.
+
+Johannes: We still need to address the underlying problem, but we
+ don't really have a good handle on it yet. Suppress the
+ worst side-effects for now.
+
+Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
+Signed-off-by: Yibo Zhao <yiboz@codeaurora.org>
+[johannes: add note, change subject]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index a133acb43eb1..0e209a88d88a 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1405,7 +1405,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+ rcu_read_lock();
+ chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+
+- if (WARN_ON(!chanctx_conf)) {
++ if (WARN_ON_ONCE(!chanctx_conf)) {
+ rcu_read_unlock();
+ return NULL;
+ }
+--
+2.20.1
+
--- /dev/null
+From c698c74b13743e286eeb5c2d71e313af5b5f0256 Mon Sep 17 00:00:00 2001
+From: Mariusz Tkaczyk <mariusz.tkaczyk@intel.com>
+Date: Thu, 13 Jun 2019 16:11:41 +0200
+Subject: md: fix for divide error in status_resync
+
+[ Upstream commit 9642fa73d073527b0cbc337cc17a47d545d82cd2 ]
+
+Stopping external metadata arrays during resync/recovery causes
+retries, loop of interrupting and starting reconstruction, until it
+hit at good moment to stop completely. While these retries
+curr_mark_cnt can be small- especially on HDD drives, so subtraction
+result can be smaller than 0. However it is casted to uint without
+checking. As a result of it the status bar in /proc/mdstat while stopping
+is strange (it jumps between 0% and 99%).
+
+The real problem occurs here after commit 72deb455b5ec ("block: remove
+CONFIG_LBDAF"). Sector_div() macro has been changed, now the
+divisor is casted to uint32. For db = -8 the divisior(db/32-1) becomes 0.
+
+Check if db value can be really counted and replace these macro by
+div64_u64() inline.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@intel.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b27a69388dcd..764ed9c46629 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7605,9 +7605,9 @@ static void status_unused(struct seq_file *seq)
+ static int status_resync(struct seq_file *seq, struct mddev *mddev)
+ {
+ sector_t max_sectors, resync, res;
+- unsigned long dt, db;
+- sector_t rt;
+- int scale;
++ unsigned long dt, db = 0;
++ sector_t rt, curr_mark_cnt, resync_mark_cnt;
++ int scale, recovery_active;
+ unsigned int per_milli;
+
+ if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) ||
+@@ -7677,22 +7677,30 @@ static int status_resync(struct seq_file *seq, struct mddev *mddev)
+ * db: blocks written from mark until now
+ * rt: remaining time
+ *
+- * rt is a sector_t, so could be 32bit or 64bit.
+- * So we divide before multiply in case it is 32bit and close
+- * to the limit.
+- * We scale the divisor (db) by 32 to avoid losing precision
+- * near the end of resync when the number of remaining sectors
+- * is close to 'db'.
+- * We then divide rt by 32 after multiplying by db to compensate.
+- * The '+1' avoids division by zero if db is very small.
++ * rt is a sector_t, which is always 64bit now. We are keeping
++ * the original algorithm, but it is not really necessary.
++ *
++ * Original algorithm:
++ * So we divide before multiply in case it is 32bit and close
++ * to the limit.
++ * We scale the divisor (db) by 32 to avoid losing precision
++ * near the end of resync when the number of remaining sectors
++ * is close to 'db'.
++ * We then divide rt by 32 after multiplying by db to compensate.
++ * The '+1' avoids division by zero if db is very small.
+ */
+ dt = ((jiffies - mddev->resync_mark) / HZ);
+ if (!dt) dt++;
+- db = (mddev->curr_mark_cnt - atomic_read(&mddev->recovery_active))
+- - mddev->resync_mark_cnt;
++
++ curr_mark_cnt = mddev->curr_mark_cnt;
++ recovery_active = atomic_read(&mddev->recovery_active);
++ resync_mark_cnt = mddev->resync_mark_cnt;
++
++ if (curr_mark_cnt >= (recovery_active + resync_mark_cnt))
++ db = curr_mark_cnt - (recovery_active + resync_mark_cnt);
+
+ rt = max_sectors - resync; /* number of remaining sectors */
+- sector_div(rt, db/32+1);
++ rt = div64_u64(rt, db/32+1);
+ rt *= dt;
+ rt >>= 5;
+
+--
+2.20.1
+
--- /dev/null
+From 7b122a25756983f4db0eaf2c465a9a028018492f Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 11 Jun 2019 10:19:46 +0300
+Subject: mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed
+
+[ Upstream commit 4b14cc313f076c37b646cee06a85f0db59cf216c ]
+
+When PVID is removed from a bridge port, the Linux bridge drops both
+untagged and prio-tagged packets. Align mlxsw with this behavior.
+
+Fixes: 148f472da5db ("mlxsw: reg: Add the Switch Port Acceptable Frame Types register")
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+index 5acfbe5b8b9d..8ab7a4f98a07 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -911,7 +911,7 @@ static inline void mlxsw_reg_spaft_pack(char *payload, u8 local_port,
+ MLXSW_REG_ZERO(spaft, payload);
+ mlxsw_reg_spaft_local_port_set(payload, local_port);
+ mlxsw_reg_spaft_allow_untagged_set(payload, allow_untagged);
+- mlxsw_reg_spaft_allow_prio_tagged_set(payload, true);
++ mlxsw_reg_spaft_allow_prio_tagged_set(payload, allow_untagged);
+ mlxsw_reg_spaft_allow_tagged_set(payload, true);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 1d48e7631795e4d1672d2c6100d849c7e943eb6c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:19 +0200
+Subject: mwifiex: Fix possible buffer overflows at parsing bss descriptor
+
+[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ]
+
+mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
+a couple places without checking the destination size. Since the
+source is given from user-space, this may trigger a heap buffer
+overflow.
+
+Fix it by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-3846.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index c9d41ed77fc7..c08a4574c396 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1244,6 +1244,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ }
+ switch (element_id) {
+ case WLAN_EID_SSID:
++ if (element_len > IEEE80211_MAX_SSID_LEN)
++ return -EINVAL;
+ bss_entry->ssid.ssid_len = element_len;
+ memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
+ element_len);
+@@ -1253,6 +1255,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_SUPP_RATES:
++ if (element_len > MWIFIEX_SUPPORTED_RATES)
++ return -EINVAL;
+ memcpy(bss_entry->data_rates, current_ptr + 2,
+ element_len);
+ memcpy(bss_entry->supported_rates, current_ptr + 2,
+--
+2.20.1
+
--- /dev/null
+From 4457fa962d2bbd2b3b778ec8abe30293ecd51a6f Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Wed, 19 Jun 2019 10:02:13 +0000
+Subject: net: dsa: mv88e6xxx: fix shift of FID bits in
+ mv88e6185_g1_vtu_loadpurge()
+
+[ Upstream commit 48620e341659f6e4b978ec229f6944dabe6df709 ]
+
+The comment is correct, but the code ends up moving the bits four
+places too far, into the VTUOp field.
+
+Fixes: 11ea809f1a74 (net: dsa: mv88e6xxx: support 256 databases)
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/global1_vtu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/global1_vtu.c b/drivers/net/dsa/mv88e6xxx/global1_vtu.c
+index 8c8a0ec3d6e9..f260bd30c73a 100644
+--- a/drivers/net/dsa/mv88e6xxx/global1_vtu.c
++++ b/drivers/net/dsa/mv88e6xxx/global1_vtu.c
+@@ -416,7 +416,7 @@ int mv88e6185_g1_vtu_loadpurge(struct mv88e6xxx_chip *chip,
+ * VTU DBNum[7:4] are located in VTU Operation 11:8
+ */
+ op |= entry->fid & 0x000f;
+- op |= (entry->fid & 0x00f0) << 8;
++ op |= (entry->fid & 0x00f0) << 4;
+ }
+
+ return mv88e6xxx_g1_vtu_op(chip, op);
+--
+2.20.1
+
--- /dev/null
+From 109647bf4cce91d17d30fc60f3d5d93aefb39438 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 17 Jun 2019 17:12:49 +0100
+Subject: net: lio_core: fix potential sign-extension overflow on large shift
+
+[ Upstream commit 9476274093a0e79b905f4cd6cf6d149f65e02c17 ]
+
+Left shifting the signed int value 1 by 31 bits has undefined behaviour
+and the shift amount oq_no can be as much as 63. Fix this by using
+BIT_ULL(oq_no) instead.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/lio_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/lio_core.c b/drivers/net/ethernet/cavium/liquidio/lio_core.c
+index 23f6b60030c5..8c16298a252d 100644
+--- a/drivers/net/ethernet/cavium/liquidio/lio_core.c
++++ b/drivers/net/ethernet/cavium/liquidio/lio_core.c
+@@ -854,7 +854,7 @@ static void liquidio_schedule_droq_pkt_handlers(struct octeon_device *oct)
+
+ if (droq->ops.poll_mode) {
+ droq->ops.napi_fn(droq);
+- oct_priv->napi_mask |= (1 << oq_no);
++ oct_priv->napi_mask |= BIT_ULL(oq_no);
+ } else {
+ tasklet_schedule(&oct_priv->droq_tasklet);
+ }
+--
+2.20.1
+
--- /dev/null
+From fb6a3daf376f2d245281006a302a9464f0170b1d Mon Sep 17 00:00:00 2001
+From: Lin Yi <teroincn@163.com>
+Date: Mon, 10 Jun 2019 10:16:56 +0800
+Subject: net :sunrpc :clnt :Fix xps refcount imbalance on the error path
+
+[ Upstream commit b96226148491505318228ac52624956bd98f9e0c ]
+
+rpc_clnt_add_xprt take a reference to struct rpc_xprt_switch, but forget
+to release it before return, may lead to a memory leak.
+
+Signed-off-by: Lin Yi <teroincn@163.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/clnt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index 6d118357d9dc..9259529e0412 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2706,6 +2706,7 @@ int rpc_clnt_add_xprt(struct rpc_clnt *clnt,
+ xprt = xprt_iter_xprt(&clnt->cl_xpi);
+ if (xps == NULL || xprt == NULL) {
+ rcu_read_unlock();
++ xprt_switch_put(xps);
+ return -EAGAIN;
+ }
+ resvport = xprt->resvport;
+--
+2.20.1
+
--- /dev/null
+From 615a3e398cc02d36d1fecfec76b734b4695539a9 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Thu, 6 Jun 2019 18:04:00 +0200
+Subject: netfilter: ipv6: nf_defrag: accept duplicate fragments again
+
+[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]
+
+When fixing the skb leak introduced by the conversion to rbtree, I
+forgot about the special case of duplicate fragments. The condition
+under the 'insert_error' label isn't effective anymore as
+nf_ct_frg6_gather() doesn't override the returned value anymore. So
+duplicate fragments now get NF_DROP verdict.
+
+To accept duplicate fragments again, handle them specially as soon as
+inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
+translate to NF_STOLEN verdict, like any accepted fragment. However,
+such packets don't carry any new information and aren't queued, so we
+just drop them immediately.
+
+Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index 73c29ddcfb95..35d5a76867d0 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -265,8 +265,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+
+ prev = fq->q.fragments_tail;
+ err = inet_frag_queue_insert(&fq->q, skb, offset, end);
+- if (err)
++ if (err) {
++ if (err == IPFRAG_DUP) {
++ /* No error for duplicates, pretend they got queued. */
++ kfree_skb(skb);
++ return -EINPROGRESS;
++ }
+ goto insert_error;
++ }
+
+ if (dev)
+ fq->iif = dev->ifindex;
+@@ -304,8 +310,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+ return -EINPROGRESS;
+
+ insert_error:
+- if (err == IPFRAG_DUP)
+- goto err;
+ inet_frag_kill(&fq->q);
+ err:
+ skb_dst_drop(skb);
+--
+2.20.1
+
--- /dev/null
+From 842a519363e894eb1f63bcbfc9fbf477fc2bf101 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sun, 2 Jun 2019 15:13:47 +0200
+Subject: netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
+
+[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]
+
+With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
+nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
+nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
+after the skb has been added to the fragment queue and
+nf_ct_frag6_gather() was adapted to handle this case.
+
+But nf_ct_frag6_queue() can still fail before the fragment has been
+queued. nf_ct_frag6_gather() can't handle this case anymore, because it
+has no way to know if nf_ct_frag6_queue() queued the fragment before
+failing. If it didn't, the skb is lost as the error code is overwritten
+with -EINPROGRESS.
+
+Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
+that nf_ct_frag6_gather() can propagate the error as is.
+
+Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index cb1b4772dac0..73c29ddcfb95 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -293,7 +293,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+ skb->_skb_refdst = 0UL;
+ err = nf_ct_frag6_reasm(fq, skb, prev, dev);
+ skb->_skb_refdst = orefdst;
+- return err;
++
++ /* After queue has assumed skb ownership, only 0 or
++ * -EINPROGRESS must be returned.
++ */
++ return err ? -EINPROGRESS : 0;
+ }
+
+ skb_dst_drop(skb);
+@@ -481,12 +485,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
+ ret = 0;
+ }
+
+- /* after queue has assumed skb ownership, only 0 or -EINPROGRESS
+- * must be returned.
+- */
+- if (ret)
+- ret = -EINPROGRESS;
+-
+ spin_unlock_bh(&fq->q.lock);
+ inet_frag_put(&fq->q);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From b6d645fcf05d7f43a372dd02b77d6cff984eb0a9 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Wed, 12 Jun 2019 19:02:13 +0200
+Subject: qmi_wwan: add support for QMAP padding in the RX path
+
+[ Upstream commit 61356088ace1866a847a727d4d40da7bf00b67fc ]
+
+The QMAP code in the qmi_wwan driver is based on the CodeAurora GobiNet
+driver which does not process QMAP padding in the RX path correctly.
+Add support for QMAP padding to qmimux_rx_fixup() according to the
+description of the rmnet driver.
+
+Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
+Cc: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 063daa3435e4..75fe5c5abec4 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -153,7 +153,7 @@ static bool qmimux_has_slaves(struct usbnet *dev)
+
+ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ {
+- unsigned int len, offset = 0;
++ unsigned int len, offset = 0, pad_len, pkt_len;
+ struct qmimux_hdr *hdr;
+ struct net_device *net;
+ struct sk_buff *skbn;
+@@ -171,10 +171,16 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ if (hdr->pad & 0x80)
+ goto skip;
+
++ /* extract padding length and check for valid length info */
++ pad_len = hdr->pad & 0x3f;
++ if (len == 0 || pad_len >= len)
++ goto skip;
++ pkt_len = len - pad_len;
++
+ net = qmimux_find_dev(dev, hdr->mux_id);
+ if (!net)
+ goto skip;
+- skbn = netdev_alloc_skb(net, len);
++ skbn = netdev_alloc_skb(net, pkt_len);
+ if (!skbn)
+ return 0;
+ skbn->dev = net;
+@@ -191,7 +197,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ goto skip;
+ }
+
+- skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, len);
++ skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, pkt_len);
+ if (netif_rx(skbn) != NET_RX_SUCCESS)
+ return 0;
+
+--
+2.20.1
+
--- /dev/null
+From a303b875e6a524744559825462ca90917d430d07 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Wed, 12 Jun 2019 19:03:15 +0200
+Subject: qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode
+
+[ Upstream commit a8fdde1cb830e560208af42b6c10750137f53eb3 ]
+
+Switch qmimux_unregister_device() and qmi_wwan_disconnect() to
+use unregister_netdevice_queue() and unregister_netdevice_many()
+instead of unregister_netdevice(). This avoids RCU stalls which
+have been observed on device disconnect in certain setups otherwise.
+
+Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
+Cc: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 75fe5c5abec4..76c4afac71f7 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -247,13 +247,14 @@ static int qmimux_register_device(struct net_device *real_dev, u8 mux_id)
+ return err;
+ }
+
+-static void qmimux_unregister_device(struct net_device *dev)
++static void qmimux_unregister_device(struct net_device *dev,
++ struct list_head *head)
+ {
+ struct qmimux_priv *priv = netdev_priv(dev);
+ struct net_device *real_dev = priv->real_dev;
+
+ netdev_upper_dev_unlink(real_dev, dev);
+- unregister_netdevice(dev);
++ unregister_netdevice_queue(dev, head);
+
+ /* Get rid of the reference to real_dev */
+ dev_put(real_dev);
+@@ -424,7 +425,7 @@ static ssize_t del_mux_store(struct device *d, struct device_attribute *attr, c
+ ret = -EINVAL;
+ goto err;
+ }
+- qmimux_unregister_device(del_dev);
++ qmimux_unregister_device(del_dev, NULL);
+
+ if (!qmimux_has_slaves(dev))
+ info->flags &= ~QMI_WWAN_FLAG_MUX;
+@@ -1423,6 +1424,7 @@ static void qmi_wwan_disconnect(struct usb_interface *intf)
+ struct qmi_wwan_state *info;
+ struct list_head *iter;
+ struct net_device *ldev;
++ LIST_HEAD(list);
+
+ /* called twice if separate control and data intf */
+ if (!dev)
+@@ -1435,8 +1437,9 @@ static void qmi_wwan_disconnect(struct usb_interface *intf)
+ }
+ rcu_read_lock();
+ netdev_for_each_upper_dev_rcu(dev->net, ldev, iter)
+- qmimux_unregister_device(ldev);
++ qmimux_unregister_device(ldev, &list);
+ rcu_read_unlock();
++ unregister_netdevice_many(&list);
+ rtnl_unlock();
+ info->flags &= ~QMI_WWAN_FLAG_MUX;
+ }
+--
+2.20.1
+
--- /dev/null
+From ba3eea8660ca131098a1c32a3ef4560aea65b908 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Wed, 12 Jun 2019 19:03:50 +0200
+Subject: qmi_wwan: extend permitted QMAP mux_id value range
+
+[ Upstream commit 36815b416fa48766ac5a98e4b2dc3ebc5887222e ]
+
+Permit mux_id values up to 254 to be used in qmimux_register_device()
+for compatibility with ip(8) and the rmnet driver.
+
+Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
+Cc: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-class-net-qmi | 4 ++--
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-class-net-qmi b/Documentation/ABI/testing/sysfs-class-net-qmi
+index 7122d6264c49..c310db4ccbc2 100644
+--- a/Documentation/ABI/testing/sysfs-class-net-qmi
++++ b/Documentation/ABI/testing/sysfs-class-net-qmi
+@@ -29,7 +29,7 @@ Contact: Bjørn Mork <bjorn@mork.no>
+ Description:
+ Unsigned integer.
+
+- Write a number ranging from 1 to 127 to add a qmap mux
++ Write a number ranging from 1 to 254 to add a qmap mux
+ based network device, supported by recent Qualcomm based
+ modems.
+
+@@ -46,5 +46,5 @@ Contact: Bjørn Mork <bjorn@mork.no>
+ Description:
+ Unsigned integer.
+
+- Write a number ranging from 1 to 127 to delete a previously
++ Write a number ranging from 1 to 254 to delete a previously
+ created qmap mux based network device.
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 76c4afac71f7..4b0144b2a252 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -363,8 +363,8 @@ static ssize_t add_mux_store(struct device *d, struct device_attribute *attr, c
+ if (kstrtou8(buf, 0, &mux_id))
+ return -EINVAL;
+
+- /* mux_id [1 - 0x7f] range empirically found */
+- if (mux_id < 1 || mux_id > 0x7f)
++ /* mux_id [1 - 254] for compatibility with ip(8) and the rmnet driver */
++ if (mux_id < 1 || mux_id > 254)
+ return -EINVAL;
+
+ if (!rtnl_trylock())
+--
+2.20.1
+
--- /dev/null
+From 62d748f24f7a15f261ceea1248af8471754b75dd Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Tue, 26 Mar 2019 22:00:02 +0800
+Subject: quota: fix a problem about transfer quota
+
+[ Upstream commit c6d9c35d16f1bafd3fec64b865e569e48cbcb514 ]
+
+Run below script as root, dquot_add_space will return -EDQUOT since
+__dquot_transfer call dquot_add_space with flags=0, and dquot_add_space
+think it's a preallocation. Fix it by set flags as DQUOT_SPACE_WARN.
+
+mkfs.ext4 -O quota,project /dev/vdb
+mount -o prjquota /dev/vdb /mnt
+setquota -P 23 1 1 0 0 /dev/vdb
+dd if=/dev/zero of=/mnt/test-file bs=4K count=1
+chattr -p 23 test-file
+
+Fixes: 7b9ca4c61bc2 ("quota: Reduce contention on dq_data_lock")
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 4cd0c2336624..9c81fd973418 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -1989,8 +1989,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ &warn_to[cnt]);
+ if (ret)
+ goto over_quota;
+- ret = dquot_add_space(transfer_to[cnt], cur_space, rsv_space, 0,
+- &warn_to[cnt]);
++ ret = dquot_add_space(transfer_to[cnt], cur_space, rsv_space,
++ DQUOT_SPACE_WARN, &warn_to[cnt]);
+ if (ret) {
+ spin_lock(&transfer_to[cnt]->dq_dqb_lock);
+ dquot_decr_inodes(transfer_to[cnt], inode_usage);
+--
+2.20.1
+
--- /dev/null
+From 2a21d633700970d9b0f77406aa902380e004a704 Mon Sep 17 00:00:00 2001
+From: Chang-Hsien Tsai <luke.tw@gmail.com>
+Date: Sun, 19 May 2019 09:05:44 +0000
+Subject: samples, bpf: fix to change the buffer size for read()
+
+[ Upstream commit f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 ]
+
+If the trace for read is larger than 4096, the return
+value sz will be 4096. This results in off-by-one error
+on buf:
+
+ static char buf[4096];
+ ssize_t sz;
+
+ sz = read(trace_fd, buf, sizeof(buf));
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+ }
+
+Signed-off-by: Chang-Hsien Tsai <luke.tw@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/bpf_load.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index 2325d7ad76df..e8e8b756dc52 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -613,7 +613,7 @@ void read_trace_pipe(void)
+ static char buf[4096];
+ ssize_t sz;
+
+- sz = read(trace_fd, buf, sizeof(buf));
++ sz = read(trace_fd, buf, sizeof(buf) - 1);
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+--
+2.20.1
+
crypto-talitos-rename-alternative-aead-algos.patch
+input-elantech-enable-middle-button-support-on-2-thi.patch
+samples-bpf-fix-to-change-the-buffer-size-for-read.patch
+bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch
+staging-iio-ad7150-fix-threshold-mode-config-bit.patch
+mac80211-mesh-fix-rcu-warning.patch
+mac80211-free-peer-keys-before-vif-down-in-mesh.patch
+mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
+iwlwifi-fix-double-free-problems-in-iwl_req_fw_callb.patch
+netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch
+netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch
+dt-bindings-can-mcp251x-add-mcp25625-support.patch
+can-mcp251x-add-support-for-mcp25625.patch
+can-m_can-implement-errata-needless-activation-of-mr.patch
+can-af_can-fix-error-path-of-can_init.patch
+ibmvnic-refresh-device-multicast-list-after-reset.patch
+arm-dts-am335x-phytec-boards-fix-cd-gpios-active-lev.patch
+input-imx_keypad-make-sure-keyboard-can-always-wake-.patch
+kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch
+mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch
+arm-davinci-da850-evm-call-regulator_has_full_constr.patch
+arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch
+mac80211-only-warn-once-on-chanctx_conf-being-null.patch
+qmi_wwan-add-support-for-qmap-padding-in-the-rx-path.patch
+qmi_wwan-avoid-rcu-stalls-on-device-disconnect-when-.patch
+qmi_wwan-extend-permitted-qmap-mux_id-value-range.patch
+md-fix-for-divide-error-in-status_resync.patch
+bnx2x-check-if-transceiver-implements-ddm-before-acc.patch
+drm-return-efault-if-copy_to_user-fails.patch
+ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch
+net-lio_core-fix-potential-sign-extension-overflow-o.patch
+quota-fix-a-problem-about-transfer-quota.patch
+net-dsa-mv88e6xxx-fix-shift-of-fid-bits-in-mv88e6185.patch
+net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch
--- /dev/null
+From 0026ce38fa1eb241b2b95a206da604466823a451 Mon Sep 17 00:00:00 2001
+From: Melissa Wen <melissa.srw@gmail.com>
+Date: Sat, 18 May 2019 22:04:56 -0300
+Subject: staging:iio:ad7150: fix threshold mode config bit
+
+[ Upstream commit df4d737ee4d7205aaa6275158aeebff87fd14488 ]
+
+According to the AD7150 configuration register description, bit 7 assumes
+value 1 when the threshold mode is fixed and 0 when it is adaptive,
+however, the operation that identifies this mode was considering the
+opposite values.
+
+This patch renames the boolean variable to describe it correctly and
+properly replaces it in the places where it is used.
+
+Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.")
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/iio/cdc/ad7150.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/staging/iio/cdc/ad7150.c b/drivers/staging/iio/cdc/ad7150.c
+index a6f249e9c1e1..4d218d554878 100644
+--- a/drivers/staging/iio/cdc/ad7150.c
++++ b/drivers/staging/iio/cdc/ad7150.c
+@@ -6,6 +6,7 @@
+ * Licensed under the GPL-2 or later.
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/interrupt.h>
+ #include <linux/device.h>
+ #include <linux/kernel.h>
+@@ -129,7 +130,7 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev,
+ {
+ int ret;
+ u8 threshtype;
+- bool adaptive;
++ bool thrfixed;
+ struct ad7150_chip_info *chip = iio_priv(indio_dev);
+
+ ret = i2c_smbus_read_byte_data(chip->client, AD7150_CFG);
+@@ -137,21 +138,23 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev,
+ return ret;
+
+ threshtype = (ret >> 5) & 0x03;
+- adaptive = !!(ret & 0x80);
++
++ /*check if threshold mode is fixed or adaptive*/
++ thrfixed = FIELD_GET(AD7150_CFG_FIX, ret);
+
+ switch (type) {
+ case IIO_EV_TYPE_MAG_ADAPTIVE:
+ if (dir == IIO_EV_DIR_RISING)
+- return adaptive && (threshtype == 0x1);
+- return adaptive && (threshtype == 0x0);
++ return !thrfixed && (threshtype == 0x1);
++ return !thrfixed && (threshtype == 0x0);
+ case IIO_EV_TYPE_THRESH_ADAPTIVE:
+ if (dir == IIO_EV_DIR_RISING)
+- return adaptive && (threshtype == 0x3);
+- return adaptive && (threshtype == 0x2);
++ return !thrfixed && (threshtype == 0x3);
++ return !thrfixed && (threshtype == 0x2);
+ case IIO_EV_TYPE_THRESH:
+ if (dir == IIO_EV_DIR_RISING)
+- return !adaptive && (threshtype == 0x1);
+- return !adaptive && (threshtype == 0x0);
++ return thrfixed && (threshtype == 0x1);
++ return thrfixed && (threshtype == 0x0);
+ default:
+ break;
+ }
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
