fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Mon, 22 Jul 2019 00:55:28 +0000 (20:55 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 22 Jul 2019 00:55:28 +0000 (20:55 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
58 files changed:
queue-4.4/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch [new file with mode: 0644]
queue-4.4/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch [new file with mode: 0644]
queue-4.4/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch [new file with mode: 0644]
queue-4.4/ath10k-do-not-send-probe-response-template-for-mesh.patch [new file with mode: 0644]
queue-4.4/ath10k-fix-pcie-device-wake-up-failed.patch [new file with mode: 0644]
queue-4.4/ath6kl-add-some-bounds-checking.patch [new file with mode: 0644]
queue-4.4/ath9k-check-for-errors-when-reading-srev-register.patch [new file with mode: 0644]
queue-4.4/batman-adv-fix-for-leaked-tvlv-handler.patch [new file with mode: 0644]
queue-4.4/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch [new file with mode: 0644]
queue-4.4/bluetooth-6lowpan-search-for-destination-address-in-.patch [new file with mode: 0644]
queue-4.4/bluetooth-check-state-in-l2cap_disconnect_rsp.patch [new file with mode: 0644]
queue-4.4/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch [new file with mode: 0644]
queue-4.4/bluetooth-validate-ble-connection-interval-updates.patch [new file with mode: 0644]
queue-4.4/bpf-silence-warning-messages-in-core.patch [new file with mode: 0644]
queue-4.4/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch [new file with mode: 0644]
queue-4.4/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch [new file with mode: 0644]
queue-4.4/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch [new file with mode: 0644]
queue-4.4/edac-fix-global-out-of-bounds-write-when-setting-eda.patch [new file with mode: 0644]
queue-4.4/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch [new file with mode: 0644]
queue-4.4/floppy-fix-div-by-zero-in-setup_format_params.patch [new file with mode: 0644]
queue-4.4/floppy-fix-out-of-bounds-read-in-copy_buffer.patch [new file with mode: 0644]
queue-4.4/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch [new file with mode: 0644]
queue-4.4/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch [new file with mode: 0644]
queue-4.4/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch [new file with mode: 0644]
queue-4.4/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch [new file with mode: 0644]
queue-4.4/media-coda-fix-mpeg2-sequence-number-handling.patch [new file with mode: 0644]
queue-4.4/media-coda-increment-sequence-offset-for-the-last-re.patch [new file with mode: 0644]
queue-4.4/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch [new file with mode: 0644]
queue-4.4/media-i2c-fix-warning-same-module-names.patch [new file with mode: 0644]
queue-4.4/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch [new file with mode: 0644]
queue-4.4/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch [new file with mode: 0644]
queue-4.4/media-vpss-fix-a-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.4/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch [new file with mode: 0644]
queue-4.4/mips-ath79-fix-ar933x-uart-parity-mode.patch [new file with mode: 0644]
queue-4.4/mips-fix-build-on-non-linux-hosts.patch [new file with mode: 0644]
queue-4.4/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch [new file with mode: 0644]
queue-4.4/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch [new file with mode: 0644]
queue-4.4/net-axienet-fix-race-condition-causing-tx-hang.patch [new file with mode: 0644]
queue-4.4/net-fec-do-not-use-netdev-messages-too-early.patch [new file with mode: 0644]
queue-4.4/net-phy-check-against-net_device-being-null.patch [new file with mode: 0644]
queue-4.4/net-stmmac-dwmac1000-clear-unused-address-entries.patch [new file with mode: 0644]
queue-4.4/ntp-limit-tai-utc-offset.patch [new file with mode: 0644]
queue-4.4/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch [new file with mode: 0644]
queue-4.4/perf-test-6-fix-missing-kvm-module-load-for-s390.patch [new file with mode: 0644]
queue-4.4/rcu-force-inlining-of-rcu_read_lock.patch [new file with mode: 0644]
queue-4.4/regmap-fix-bulk-writes-on-paged-registers.patch [new file with mode: 0644]
queue-4.4/rslib-fix-decoding-of-shortened-codes.patch [new file with mode: 0644]
queue-4.4/rslib-fix-handling-of-of-caller-provided-syndrome.patch [new file with mode: 0644]
queue-4.4/s390-qdio-handle-pending-state-for-qebsm-devices.patch [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]
queue-4.4/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch [new file with mode: 0644]
queue-4.4/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch [new file with mode: 0644]
queue-4.4/timer_list-guard-procfs-specific-code.patch [new file with mode: 0644]
queue-4.4/tua6100-avoid-build-warnings.patch [new file with mode: 0644]
queue-4.4/vhost_net-disable-zerocopy-by-default.patch [new file with mode: 0644]
queue-4.4/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch [new file with mode: 0644]
queue-4.4/xfrm-fix-sa-selector-validation.patch [new file with mode: 0644]
queue-4.4/xfrm-fix-xfrm-sel-prefix-length-validation.patch [new file with mode: 0644]

diff --git a/queue-4.4/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch b/queue-4.4/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
new file mode 100644 (file)
index 0000000..8ff64e7
--- /dev/null
@@ -0,0 +1,52 @@
+From eb4e619dd4ea9e060f6f82b0b1b0134d7e9053f1 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 19 Jun 2019 14:18:31 +0200
+Subject: acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
+
+[ Upstream commit 2af22f3ec3ca452f1e79b967f634708ff01ced8a ]
+
+Some Qualcomm Snapdragon based laptops built to run Microsoft Windows
+are clearly ACPI 5.1 based, given that that is the first ACPI revision
+that supports ARM, and introduced the FADT 'arm_boot_flags' field,
+which has a non-zero field on those systems.
+
+So in these cases, infer from the ARM boot flags that the FADT must be
+5.1 or later, and treat it as 5.1.
+
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Lee Jones <lee.jones@linaro.org>
+Reviewed-by: Graeme Gregory <graeme.gregory@linaro.org>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/acpi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index d1ce8e2f98b9..4d0577d09681 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -141,10 +141,14 @@ static int __init acpi_fadt_sanity_check(void)
+        */
+       if (table->revision < 5 ||
+          (table->revision == 5 && fadt->minor_revision < 1)) {
+-              pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n",
++              pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n",
+                      table->revision, fadt->minor_revision);
+-              ret = -EINVAL;
+-              goto out;
++
++              if (!fadt->arm_boot_flags) {
++                      ret = -EINVAL;
++                      goto out;
++              }
++              pr_err("FADT has ARM boot flags set, assuming 5.1\n");
+       }
+       if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) {
+-- 
+2.20.1
+
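Review bot: On the path that now continues, both messages are printed at error level: the first still reads "Unsupported FADT revision", and the second, `pr_err("FADT has ARM boot flags set, assuming 5.1\n")`, reports a decision rather than a failure, so `pr_warn` or `pr_info` would fit it better. The relaxed check also takes `fadt->arm_boot_flags` from a table that declares a revision below 5.1, where that field is presumably not defined. A one-line comment above `if (!fadt->arm_boot_flags)` saying why a non-zero value is accepted as proof of 5.1 would help the next reader. acpi_fadt_sanity_check starts and ends outside the hunk.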
diff --git a/queue-4.4/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch b/queue-4.4/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
new file mode 100644 (file)
index 0000000..817c2ab
--- /dev/null
@@ -0,0 +1,50 @@
+From 200a252155e9846cc08b385cda06a9faf5bf287f Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 25 May 2019 19:09:35 +0100
+Subject: af_key: fix leaks in key_pol_get_resp and dump_sp.
+
+[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ]
+
+In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
+allocated sk_buff.  Free it on error.
+
+Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
+Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 3ba903ff2bb0..36db179d848e 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2463,8 +2463,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
+               goto out;
+       }
+       err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+-      if (err < 0)
++      if (err < 0) {
++              kfree_skb(out_skb);
+               goto out;
++      }
+       out_hdr = (struct sadb_msg *) out_skb->data;
+       out_hdr->sadb_msg_version = hdr->sadb_msg_version;
+@@ -2717,8 +2719,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+               return PTR_ERR(out_skb);
+       err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+-      if (err < 0)
++      if (err < 0) {
++              kfree_skb(out_skb);
+               return err;
++      }
+       out_hdr = (struct sadb_msg *) out_skb->data;
+       out_hdr->sadb_msg_version = pfk->dump.msg_version;
+-- 
+2.20.1
+
diff --git a/queue-4.4/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch b/queue-4.4/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
new file mode 100644 (file)
index 0000000..2b412b7
--- /dev/null
@@ -0,0 +1,44 @@
+From 3e3302e5a42c22ef66bd92d39346b7d679c7f954 Mon Sep 17 00:00:00 2001
+From: Anilkumar Kolli <akolli@codeaurora.org>
+Date: Wed, 6 Mar 2019 23:06:11 +0530
+Subject: ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
+
+[ Upstream commit d8792393a783158cbb2c39939cb897dc5e5299b6 ]
+
+Increase pulse width range from 1-2usec to 0-4usec.
+During data traffic HW occasionally fails detecting radar pulses,
+so that SW cannot get enough radar reports to achieve the success rate.
+
+Tested ath10k hw and fw:
+       * QCA9888(10.4-3.5.1-00052)
+       * QCA4019(10.4-3.2.1.1-00017)
+       * QCA9984(10.4-3.6-00104)
+       * QCA988X(10.2.4-1.0-00041)
+
+Tested ath9k hw: AR9300
+
+Tested-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index 2303ef96299d..0835828ffed7 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -111,7 +111,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = {
+       JP_PATTERN(0, 0, 1, 1428, 1428, 1, 18, 29, false),
+       JP_PATTERN(1, 2, 3, 3846, 3846, 1, 18, 29, false),
+       JP_PATTERN(2, 0, 1, 1388, 1388, 1, 18, 50, false),
+-      JP_PATTERN(3, 1, 2, 4000, 4000, 1, 18, 50, false),
++      JP_PATTERN(3, 0, 4, 4000, 4000, 1, 18, 50, false),
+       JP_PATTERN(4, 0, 5, 150, 230, 1, 23, 50, false),
+       JP_PATTERN(5, 6, 10, 200, 500, 1, 16, 50, false),
+       JP_PATTERN(6, 11, 20, 200, 500, 1, 12, 50, false),
+-- 
+2.20.1
+
diff --git a/queue-4.4/ath10k-do-not-send-probe-response-template-for-mesh.patch b/queue-4.4/ath10k-do-not-send-probe-response-template-for-mesh.patch
new file mode 100644 (file)
index 0000000..127fce1
--- /dev/null
@@ -0,0 +1,43 @@
+From b8cfc34d8c569bbf9c8813beff0143d82fce7af1 Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Date: Wed, 17 Apr 2019 14:01:46 +0530
+Subject: ath10k: Do not send probe response template for mesh
+
+[ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ]
+
+Currently mac80211 do not support probe response template for
+mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host
+driver tries to configure probe response template for mesh, but
+it fails because the interface type is not NL80211_IFTYPE_AP but
+NL80211_IFTYPE_MESH_POINT.
+
+To avoid this failure, skip sending probe response template to
+firmware for mesh point.
+
+Tested HW: WCN3990/QCA6174/QCA9984
+
+Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 398068ad0b62..5a0138c1c045 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1502,6 +1502,10 @@ static int ath10k_mac_setup_prb_tmpl(struct ath10k_vif *arvif)
+       if (arvif->vdev_type != WMI_VDEV_TYPE_AP)
+               return 0;
++       /* For mesh, probe response and beacon share the same template */
++      if (ieee80211_vif_is_mesh(vif))
++              return 0;
++
+       prb = ieee80211_proberesp_get(hw, vif);
+       if (!prb) {
+               ath10k_warn(ar, "failed to get probe resp template from mac80211\n");
+-- 
+2.20.1
+
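Review bot: The added comment gives a different reason from the patch description: the comment says probe response and beacon share a template for mesh, while the description says mac80211 does not support a probe response template for mesh point. One of the two should be corrected so the code states the actual reason, for example `/* mac80211 has no probe response template for mesh point, skip it */` if the description is the accurate one. The comment line is also indented one space deeper than the `if` that follows it. ath10k_mac_setup_prb_tmpl starts and ends outside the hunk.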
diff --git a/queue-4.4/ath10k-fix-pcie-device-wake-up-failed.patch b/queue-4.4/ath10k-fix-pcie-device-wake-up-failed.patch
new file mode 100644 (file)
index 0000000..99d5b78
--- /dev/null
@@ -0,0 +1,49 @@
+From d9cc08b73c24b955906be224fe872d9a183e1d85 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Thu, 30 May 2019 09:49:20 +0800
+Subject: ath10k: fix PCIE device wake up failed
+
+[ Upstream commit 011d4111c8c602ea829fa4917af1818eb0500a90 ]
+
+Observed PCIE device wake up failed after ~120 iterations of
+soft-reboot test. The error message is
+"ath10k_pci 0000:01:00.0: failed to wake up device : -110"
+
+The call trace as below:
+ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait ->
+ath10k_pci_is_awake
+
+Once trigger the device to wake up, we will continuously check the RTC
+state until it returns RTC_STATE_V_ON or timeout.
+
+But for QCA99x0 chips, we use wrong value for RTC_STATE_V_ON.
+Occasionally, we get 0x7 on the fist read, we thought as a failure
+case, but actually is the right value, also verified with the spec.
+So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed
+~2000 iterations.
+
+Tested HW: QCA9984
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c
+index 7b84d08a5154..12d6549e45a1 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.c
++++ b/drivers/net/wireless/ath/ath10k/hw.c
+@@ -128,7 +128,7 @@ const struct ath10k_hw_values qca6174_values = {
+ };
+ const struct ath10k_hw_values qca99x0_values = {
+-      .rtc_state_val_on               = 5,
++      .rtc_state_val_on               = 7,
+       .ce_count                       = 12,
+       .msi_assign_ce_max              = 12,
+       .num_target_ce_config_wlan      = 10,
+-- 
+2.20.1
+
diff --git a/queue-4.4/ath6kl-add-some-bounds-checking.patch b/queue-4.4/ath6kl-add-some-bounds-checking.patch
new file mode 100644 (file)
index 0000000..2fe0d64
--- /dev/null
@@ -0,0 +1,62 @@
+From f9a94e8657a2559014df86adadb10a67cc5d7fa2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Apr 2019 11:56:51 +0300
+Subject: ath6kl: add some bounds checking
+
+[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
+
+The "ev->traffic_class" and "reply->ac" variables come from the network
+and they're used as an offset into the wmi->stream_exist_for_ac[] array.
+Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
+array only has WMM_NUM_AC (4) elements.  We need to add a couple bounds
+checks to prevent array overflows.
+
+I also modified one existing check from "if (traffic_class > 3) {" to
+"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
+
+Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index a5e1de75a4a3..b2ec254f154e 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -1178,6 +1178,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
+               return -EINVAL;
+       ev = (struct wmi_pstream_timeout_event *) datap;
++      if (ev->traffic_class >= WMM_NUM_AC) {
++              ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
++              return -EINVAL;
++      }
+       /*
+        * When the pstream (fat pipe == AC) timesout, it means there were
+@@ -1519,6 +1523,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
+               return -EINVAL;
+       reply = (struct wmi_cac_event *) datap;
++      if (reply->ac >= WMM_NUM_AC) {
++              ath6kl_err("invalid AC: %d\n", reply->ac);
++              return -EINVAL;
++      }
+       if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
+           (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
+@@ -2631,7 +2639,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+       u16 active_tsids = 0;
+       int ret;
+-      if (traffic_class > 3) {
++      if (traffic_class >= WMM_NUM_AC) {
+               ath6kl_err("invalid traffic class: %d\n", traffic_class);
+               return -EINVAL;
+       }
+-- 
+2.20.1
+
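Review bot: The two new rejections in ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx log through `ath6kl_err()` on a value that, per the patch description, comes from the network, so a sender that keeps supplying out-of-range classes can fill the kernel log at will. The bounds checks themselves are placed correctly, before the value is used as an index. Consider rate-limiting the message or demoting it to debug level, e.g. `ath6kl_dbg(ATH6KL_DBG_WMI, "invalid AC: %d\n", reply->ac);`, and keep `ath6kl_err()` for the caller-supplied case in ath6kl_wmi_delete_pstream_cmd. All three functions continue outside their hunks, so other uses of these fields as indexes cannot be checked from here.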
diff --git a/queue-4.4/ath9k-check-for-errors-when-reading-srev-register.patch b/queue-4.4/ath9k-check-for-errors-when-reading-srev-register.patch
new file mode 100644 (file)
index 0000000..362dfa6
--- /dev/null
@@ -0,0 +1,121 @@
+From 9e1a36cd101916dc455d39b187b3ba03a85bbb94 Mon Sep 17 00:00:00 2001
+From: Tim Schumacher <timschumi@gmx.de>
+Date: Mon, 18 Mar 2019 20:05:57 +0100
+Subject: ath9k: Check for errors when reading SREV register
+
+[ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ]
+
+Right now, if an error is encountered during the SREV register
+read (i.e. an EIO in ath9k_regread()), that error code gets
+passed all the way to __ath9k_hw_init(), where it is visible
+during the "Chip rev not supported" message.
+
+    ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+    ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath9k_htc: Failed to initialize the device
+
+Check for -EIO explicitly in ath9k_hw_read_revisions() and return
+a boolean based on the success of the operation. Check for that in
+__ath9k_hw_init() and abort with a more debugging-friendly message
+if reading the revisions wasn't successful.
+
+    ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+    ath: phy2: Failed to read SREV register
+    ath: phy2: Could not read hardware revision
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath: phy2: Unable to initialize hardware; initialization status: -95
+    ath9k_htc: Failed to initialize the device
+
+This helps when debugging by directly showing the first point of
+failure and it could prevent possible errors if a 0x0f.3 revision
+is ever supported.
+
+Signed-off-by: Tim Schumacher <timschumi@gmx.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 32 +++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 4435c7bbb625..d50e2e8bd998 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -250,8 +250,9 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah,
+ /* Chip Revisions */
+ /******************/
+-static void ath9k_hw_read_revisions(struct ath_hw *ah)
++static bool ath9k_hw_read_revisions(struct ath_hw *ah)
+ {
++      u32 srev;
+       u32 val;
+       if (ah->get_mac_revision)
+@@ -267,25 +268,33 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+                       val = REG_READ(ah, AR_SREV);
+                       ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+               }
+-              return;
++              return true;
+       case AR9300_DEVID_AR9340:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9340;
+-              return;
++              return true;
+       case AR9300_DEVID_QCA955X:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9550;
+-              return;
++              return true;
+       case AR9300_DEVID_AR953X:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9531;
+-              return;
++              return true;
+       case AR9300_DEVID_QCA956X:
+               ah->hw_version.macVersion = AR_SREV_VERSION_9561;
+-              return;
++              return true;
+       }
+-      val = REG_READ(ah, AR_SREV) & AR_SREV_ID;
++      srev = REG_READ(ah, AR_SREV);
++
++      if (srev == -EIO) {
++              ath_err(ath9k_hw_common(ah),
++                      "Failed to read SREV register");
++              return false;
++      }
++
++      val = srev & AR_SREV_ID;
+       if (val == 0xFF) {
+-              val = REG_READ(ah, AR_SREV);
++              val = srev;
+               ah->hw_version.macVersion =
+                       (val & AR_SREV_VERSION2) >> AR_SREV_TYPE2_S;
+               ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+@@ -304,6 +313,8 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+               if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCIE)
+                       ah->is_pciexpress = true;
+       }
++
++      return true;
+ }
+ /************************************/
+@@ -556,7 +567,10 @@ static int __ath9k_hw_init(struct ath_hw *ah)
+       struct ath_common *common = ath9k_hw_common(ah);
+       int r = 0;
+-      ath9k_hw_read_revisions(ah);
++      if (!ath9k_hw_read_revisions(ah)) {
++              ath_err(common, "Could not read hardware revisions");
++              return -EOPNOTSUPP;
++      }
+       switch (ah->hw_version.macVersion) {
+       case AR_SREV_VERSION_5416_PCI:
+-- 
+2.20.1
+
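Review bot: Only the last `REG_READ(ah, AR_SREV)` in ath9k_hw_read_revisions is checked for failure; the read in the first `case` of the switch (`val = REG_READ(ah, AR_SREV);` followed by `return true;`) still stores an unchecked value into `macRev`. The test `srev == -EIO` compares a u32 with a negative constant and relies on the implicit conversion; writing `(u32)-EIO` would make that visible. It also means a register that legitimately read back as that bit pattern is treated as a failure. Both new `ath_err()` strings lack a trailing newline and should read `"Failed to read SREV register\n"` and `"Could not read hardware revisions\n"`. Parts of both functions lie outside the hunks.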
diff --git a/queue-4.4/batman-adv-fix-for-leaked-tvlv-handler.patch b/queue-4.4/batman-adv-fix-for-leaked-tvlv-handler.patch
new file mode 100644 (file)
index 0000000..6fff59c
--- /dev/null
@@ -0,0 +1,37 @@
+From 875e894c5906edc9597f2862e6f54e426f9f592e Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Tue, 21 May 2019 20:58:57 +0100
+Subject: batman-adv: fix for leaked TVLV handler.
+
+[ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ]
+
+A handler for BATADV_TVLV_ROAM was being registered when the
+translation-table was initialized, but not unregistered when the
+translation-table was freed.  Unregister it.
+
+Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
+Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index f2079acb555d..ffd49b40e76a 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -3158,6 +3158,8 @@ static void batadv_tt_purge(struct work_struct *work)
+ void batadv_tt_free(struct batadv_priv *bat_priv)
+ {
++      batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);
++
+       batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1);
+       batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1);
+-- 
+2.20.1
+
diff --git a/queue-4.4/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch b/queue-4.4/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
new file mode 100644 (file)
index 0000000..8792a1c
--- /dev/null
@@ -0,0 +1,128 @@
+From b9d8da72b405e39f6637b1426f753a135943ec06 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:25 +0800
+Subject: bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
+
+[ Upstream commit b387e9b58679c60f5b1e4313939bd4878204fc37 ]
+
+When system memory is in heavy pressure, bch_gc_thread_start() from
+run_cache_set() may fail due to out of memory. In such condition,
+c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following
+failure code path bch_cache_set_error(), when cache_set_flush() gets
+called, the code piece to stop c->gc_thread is broken,
+         if (!IS_ERR_OR_NULL(c->gc_thread))
+                 kthread_stop(c->gc_thread);
+
+And KASAN catches such NULL pointer deference problem, with the warning
+information:
+
+[  561.207881] ==================================================================
+[  561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440
+[  561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313
+
+[  561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G        W         5.0.0-vanilla+ #3
+[  561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[  561.207935] Workqueue: events cache_set_flush [bcache]
+[  561.207940] Call Trace:
+[  561.207948]  dump_stack+0x9a/0xeb
+[  561.207955]  ? kthread_stop+0x3b/0x440
+[  561.207960]  ? kthread_stop+0x3b/0x440
+[  561.207965]  kasan_report+0x176/0x192
+[  561.207973]  ? kthread_stop+0x3b/0x440
+[  561.207981]  kthread_stop+0x3b/0x440
+[  561.207995]  cache_set_flush+0xd4/0x6d0 [bcache]
+[  561.208008]  process_one_work+0x856/0x1620
+[  561.208015]  ? find_held_lock+0x39/0x1d0
+[  561.208028]  ? drain_workqueue+0x380/0x380
+[  561.208048]  worker_thread+0x87/0xb80
+[  561.208058]  ? __kthread_parkme+0xb6/0x180
+[  561.208067]  ? process_one_work+0x1620/0x1620
+[  561.208072]  kthread+0x326/0x3e0
+[  561.208079]  ? kthread_create_worker_on_cpu+0xc0/0xc0
+[  561.208090]  ret_from_fork+0x3a/0x50
+[  561.208110] ==================================================================
+[  561.208113] Disabling lock debugging due to kernel taint
+[  561.208115] irq event stamp: 11800231
+[  561.208126] hardirqs last  enabled at (11800231): [<ffffffff83008538>] do_syscall_64+0x18/0x410
+[  561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+[  561.208129] #PF error: [WRITE]
+[  561.312253] hardirqs last disabled at (11800230): [<ffffffff830052ff>] trace_hardirqs_off_thunk+0x1a/0x1c
+[  561.312259] softirqs last  enabled at (11799832): [<ffffffff850005c7>] __do_softirq+0x5c7/0x8c3
+[  561.405975] PGD 0 P4D 0
+[  561.442494] softirqs last disabled at (11799821): [<ffffffff831add2c>] irq_exit+0x1ac/0x1e0
+[  561.791359] Oops: 0002 [#1] SMP KASAN NOPTI
+[  561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G    B   W         5.0.0-vanilla+ #3
+[  561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[  561.791371] Workqueue: events cache_set_flush [bcache]
+[  561.791374] RIP: 0010:kthread_stop+0x3b/0x440
+[  561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 <f0> ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48
+[  561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286
+[  561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314
+[  563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297
+[  563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d
+[  563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c
+[  563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68
+[  563.408620] FS:  0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000
+[  563.408622] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0
+[  563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  563.915796] PKRU: 55555554
+[  563.915797] Call Trace:
+[  563.915807]  cache_set_flush+0xd4/0x6d0 [bcache]
+[  563.915812]  process_one_work+0x856/0x1620
+[  564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.033563]  ? find_held_lock+0x39/0x1d0
+[  564.033567]  ? drain_workqueue+0x380/0x380
+[  564.033574]  worker_thread+0x87/0xb80
+[  564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.118042]  ? __kthread_parkme+0xb6/0x180
+[  564.118046]  ? process_one_work+0x1620/0x1620
+[  564.118048]  kthread+0x326/0x3e0
+[  564.118050]  ? kthread_create_worker_on_cpu+0xc0/0xc0
+[  564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.252441]  ret_from_fork+0x3a/0x50
+[  564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
+[  564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[  564.348360] CR2: 000000000000001c
+[  564.348362] ---[ end trace b7f0e5cc7b2103b0 ]---
+
+Therefore, it is not enough to only check whether c->gc_thread is NULL,
+we should use IS_ERR_OR_NULL() to check both NULL pointer and error
+value.
+
+This patch changes the above buggy code piece in this way,
+         if (!IS_ERR_OR_NULL(c->gc_thread))
+                 kthread_stop(c->gc_thread);
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 02757b90e402..e42092146083 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1403,7 +1403,7 @@ static void cache_set_flush(struct closure *cl)
+       kobject_put(&c->internal);
+       kobject_del(&c->kobj);
+-      if (c->gc_thread)
++      if (!IS_ERR_OR_NULL(c->gc_thread))
+               kthread_stop(c->gc_thread);
+       if (!IS_ERR_OR_NULL(c->root))
+-- 
+2.20.1
+
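Review bot: The patch description quotes `if (!IS_ERR_OR_NULL(c->gc_thread))` as both the broken code and the fix; the removed line shows the original was `if (c->gc_thread)`, which is what the first snippet should read. The quoted trace reports a write at 000000000000001c with RBX fffffffffffffffc, which looks like an error pointer of -4 rather than the -ENOMEM the description names, so out-of-memory may not be the only way to reach this path. The new check covers either value. Where gc_thread is assigned is not visible here, but resetting it to NULL at the point of failure would keep any other plain NULL tests on it safe. cache_set_flush continues outside the hunk.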
diff --git a/queue-4.4/bluetooth-6lowpan-search-for-destination-address-in-.patch b/queue-4.4/bluetooth-6lowpan-search-for-destination-address-in-.patch
new file mode 100644 (file)
index 0000000..8c9124f
--- /dev/null
@@ -0,0 +1,57 @@
+From 2b7b04b72f5a46f30fcbe614cebd865ce5fc8063 Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua.mayer@jm0.eu>
+Date: Sat, 6 Jul 2019 17:54:46 +0200
+Subject: Bluetooth: 6lowpan: search for destination address in all peers
+
+[ Upstream commit b188b03270b7f8568fc714101ce82fbf5e811c5a ]
+
+Handle overlooked case where the target address is assigned to a peer
+and neither route nor gateway exist.
+
+For one peer, no checks are performed to see if it is meant to receive
+packets for a given address.
+
+As soon as there is a second peer however, checks are performed
+to deal with routes and gateways for handling complex setups with
+multiple hops to a target address.
+This logic assumed that no route and no gateway imply that the
+destination address can not be reached, which is false in case of a
+direct peer.
+
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Tested-by: Michael Scott <mike@foundries.io>
+Signed-off-by: Josua Mayer <josua.mayer@jm0.eu>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 795ddd8b2f77..4cd6b8d811ff 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -184,10 +184,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_dev *dev,
+       }
+       if (!rt) {
+-              nexthop = &lowpan_cb(skb)->gw;
+-
+-              if (ipv6_addr_any(nexthop))
+-                      return NULL;
++              if (ipv6_addr_any(&lowpan_cb(skb)->gw)) {
++                      /* There is neither route nor gateway,
++                       * probably the destination is a direct peer.
++                       */
++                      nexthop = daddr;
++              } else {
++                      /* There is a known gateway
++                       */
++                      nexthop = &lowpan_cb(skb)->gw;
++              }
+       } else {
+               nexthop = rt6_nexthop(rt, daddr);
+-- 
+2.20.1
+
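Review bot: In the `if (!rt)` branch of peer_lookup_dst(), the new fallback `nexthop = daddr` removes the only early `return NULL`, so an skb with neither route nor gateway now always proceeds to the peer search that follows the hunk. That is the intended fix, but rejecting an unreachable destination now depends entirely on that search finding no match, which is outside the hunk and worth confirming. The comments could say this directly, e.g. `/* No route and no gateway: treat daddr as a direct peer; the peer search below decides whether one owns it. */`, and the gateway comment fits on one line as `/* Use the known gateway. */`. The function starts and ends outside the hunk.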
diff --git a/queue-4.4/bluetooth-check-state-in-l2cap_disconnect_rsp.patch b/queue-4.4/bluetooth-check-state-in-l2cap_disconnect_rsp.patch
new file mode 100644 (file)
index 0000000..a76d970
--- /dev/null
@@ -0,0 +1,220 @@
+From da2cb9dda10d7e1cb32504381fb07b085afe3dfd Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Tue, 21 May 2019 13:07:22 +0300
+Subject: Bluetooth: Check state in l2cap_disconnect_rsp
+
+[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ]
+
+Because of both sides doing L2CAP disconnection at the same time, it
+was possible to receive L2CAP Disconnection Response with CID that was
+already freed. That caused problems if CID was already reused and L2CAP
+Connection Request with same CID was sent out. Before this patch kernel
+deleted channel context regardless of the state of the channel.
+
+Example where leftover Disconnection Response (frame #402) causes local
+device to delete L2CAP channel which was not yet connected. This in
+turn confuses remote device's stack because same CID is re-used without
+properly disconnecting.
+
+Btmon capture before patch:
+** snip **
+> ACL Data RX: Handle 43 flags 0x02 dlen 8                #394 [hci1] 10.748949
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+      RFCOMM: Disconnect (DISC) (0x43)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x53 poll/final 1
+         Length: 0
+         FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8                #395 [hci1] 10.749062
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+      RFCOMM: Unnumbered Ack (UA) (0x63)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x73 poll/final 1
+         Length: 0
+         FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12               #396 [hci1] 10.749073
+      L2CAP: Disconnection Request (0x06) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+> HCI Event: Number of Completed Packets (0x13) plen 5    #397 [hci1] 10.752391
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> HCI Event: Number of Completed Packets (0x13) plen 5    #398 [hci1] 10.753394
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12               #399 [hci1] 10.756499
+      L2CAP: Disconnection Request (0x06) ident 26 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12               #400 [hci1] 10.756548
+      L2CAP: Disconnection Response (0x07) ident 26 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12               #401 [hci1] 10.757459
+      L2CAP: Connection Request (0x02) ident 18 len 4
+        PSM: 1 (0x0001)
+        Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12               #402 [hci1] 10.759148
+      L2CAP: Disconnection Response (0x07) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o..   10.759447
+> HCI Event: Number of Completed Packets (0x13) plen 5    #403 [hci1] 10.759386
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12               #404 [hci1] 10.760397
+      L2CAP: Connection Request (0x02) ident 27 len 4
+        PSM: 3 (0x0003)
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16               #405 [hci1] 10.760441
+      L2CAP: Connection Response (0x03) ident 27 len 8
+        Destination CID: 65
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27               #406 [hci1] 10.760449
+      L2CAP: Configure Request (0x04) ident 19 len 19
+        Destination CID: 65
+        Flags: 0x0000
+        Option: Maximum Transmission Unit (0x01) [mandatory]
+          MTU: 1013
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Basic (0x00)
+          TX window size: 0
+          Max transmit: 0
+          Retransmission timeout: 0
+          Monitor timeout: 0
+          Maximum PDU size: 0
+> HCI Event: Number of Completed Packets (0x13) plen 5    #407 [hci1] 10.761399
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 16               #408 [hci1] 10.762942
+      L2CAP: Connection Response (0x03) ident 18 len 8
+        Destination CID: 66
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+*snip*
+
+Similar case after the patch:
+*snip*
+> ACL Data RX: Handle 43 flags 0x02 dlen 8            #22702 [hci0] 1664.411056
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+      RFCOMM: Disconnect (DISC) (0x43)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x53 poll/final 1
+         Length: 0
+         FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8            #22703 [hci0] 1664.411136
+      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+      RFCOMM: Unnumbered Ack (UA) (0x63)
+         Address: 0x03 cr 1 dlci 0x00
+         Control: 0x73 poll/final 1
+         Length: 0
+         FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22704 [hci0] 1664.411143
+      L2CAP: Disconnection Request (0x06) ident 11 len 4
+        Destination CID: 65
+        Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22705 [hci0] 1664.414009
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22706 [hci0] 1664.415007
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22707 [hci0] 1664.418674
+      L2CAP: Disconnection Request (0x06) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22708 [hci0] 1664.418762
+      L2CAP: Disconnection Response (0x07) ident 17 len 4
+        Destination CID: 65
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22709 [hci0] 1664.421073
+      L2CAP: Connection Request (0x02) ident 12 len 4
+        PSM: 1 (0x0001)
+        Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22710 [hci0] 1664.421371
+      L2CAP: Disconnection Response (0x07) ident 11 len 4
+        Destination CID: 65
+        Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22711 [hci0] 1664.424082
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22712 [hci0] 1664.425040
+        Num handles: 1
+        Handle: 43
+        Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22713 [hci0] 1664.426103
+      L2CAP: Connection Request (0x02) ident 18 len 4
+        PSM: 3 (0x0003)
+        Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16           #22714 [hci0] 1664.426186
+      L2CAP: Connection Response (0x03) ident 18 len 8
+        Destination CID: 66
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27           #22715 [hci0] 1664.426196
+      L2CAP: Configure Request (0x04) ident 13 len 19
+        Destination CID: 65
+        Flags: 0x0000
+        Option: Maximum Transmission Unit (0x01) [mandatory]
+          MTU: 1013
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Basic (0x00)
+          TX window size: 0
+          Max transmit: 0
+          Retransmission timeout: 0
+          Monitor timeout: 0
+          Maximum PDU size: 0
+> ACL Data RX: Handle 43 flags 0x02 dlen 16           #22716 [hci0] 1664.428804
+      L2CAP: Connection Response (0x03) ident 12 len 8
+        Destination CID: 66
+        Source CID: 65
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+*snip*
+
+Fix is to check that channel is in state BT_DISCONN before deleting the
+channel.
+
+This bug was found while fuzzing Bluez's OBEX implementation using
+Synopsys Defensics.
+
+Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
+Reported-by: Ari Timonen <ari.timonen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 46afd560f242..c25f1e4846cd 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4363,6 +4363,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+       l2cap_chan_lock(chan);
++      if (chan->state != BT_DISCONN) {
++              l2cap_chan_unlock(chan);
++              mutex_unlock(&conn->chan_lock);
++              return 0;
++      }
++
+       l2cap_chan_hold(chan);
+       l2cap_chan_del(chan, 0);
+-- 
+2.20.1
+
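Review bot: The new `chan->state != BT_DISCONN` check in l2cap_disconnect_rsp() carries no comment, and its reason is not obvious from the code: a Disconnection Response from the remote can arrive after the channel was already torn down and its CID reused for a new connection. A short comment above the check would keep a later cleanup from removing it, e.g. `/* Only delete a channel we are disconnecting; a late response can name a CID that has since been reused. */`. The early return also drops the response silently, so a `BT_DBG` line there would help when diagnosing a peer that sends unexpected responses. The matching `mutex_lock(&conn->chan_lock)` and the channel lookup are outside the hunk, so the unlock order on this path should be checked against them.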
diff --git a/queue-4.4/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch b/queue-4.4/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
new file mode 100644 (file)
index 0000000..21a7720
--- /dev/null
@@ -0,0 +1,39 @@
+From 4f212364bae71d6d764313135e659642d1caa1e2 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Tue, 28 May 2019 15:42:58 +0200
+Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb
+
+[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]
+
+Syzkaller found that it is possible to provoke a memory leak by
+never freeing rx_skb in struct bcsp_struct.
+
+Fix by freeing in bcsp_close()
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_bcsp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
+index d0b615a932d1..9833b53a8b50 100644
+--- a/drivers/bluetooth/hci_bcsp.c
++++ b/drivers/bluetooth/hci_bcsp.c
+@@ -729,6 +729,11 @@ static int bcsp_close(struct hci_uart *hu)
+       skb_queue_purge(&bcsp->rel);
+       skb_queue_purge(&bcsp->unrel);
++      if (bcsp->rx_skb) {
++              kfree_skb(bcsp->rx_skb);
++              bcsp->rx_skb = NULL;
++      }
++
+       kfree(bcsp);
+       return 0;
+ }
+-- 
+2.20.1
+
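Review bot: The guard around the new free in bcsp_close() is redundant, since `kfree_skb()` accepts a NULL pointer, and the `bcsp->rx_skb = NULL` store is dead because `kfree(bcsp)` follows directly; `kfree_skb(bcsp->rx_skb);` alone does the same. More important is whether anything can still touch `bcsp->rx_skb` while close runs: the receive path and any timer handling are outside the hunk, so it is worth confirming they are stopped before this point, otherwise the free trades the leak for a use-after-free.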
diff --git a/queue-4.4/bluetooth-validate-ble-connection-interval-updates.patch b/queue-4.4/bluetooth-validate-ble-connection-interval-updates.patch
new file mode 100644 (file)
index 0000000..83132e1
--- /dev/null
@@ -0,0 +1,92 @@
+From 7672ae07fac8c7012953791cdbfa8644ce31cd5f Mon Sep 17 00:00:00 2001
+From: csonsino <csonsino@gmail.com>
+Date: Wed, 12 Jun 2019 15:00:52 -0600
+Subject: Bluetooth: validate BLE connection interval updates
+
+[ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ]
+
+Problem: The Linux Bluetooth stack yields complete control over the BLE
+connection interval to the remote device.
+
+The Linux Bluetooth stack provides access to the BLE connection interval
+min and max values through /sys/kernel/debug/bluetooth/hci0/
+conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
+These values are used for initial BLE connections, but the remote device
+has the ability to request a connection parameter update. In the event
+that the remote side requests to change the connection interval, the Linux
+kernel currently only validates that the desired value is within the
+acceptable range in the Bluetooth specification (6 - 3200, corresponding to
+7.5ms - 4000ms). There is currently no validation that the desired value
+requested by the remote device is within the min/max limits specified in
+the conn_min_interval/conn_max_interval configurations. This essentially
+leads to Linux yielding complete control over the connection interval to
+the remote device.
+
+The proposed patch adds a verification step to the connection parameter
+update mechanism, ensuring that the desired value is within the min/max
+bounds of the current connection. If the desired value is outside of the
+current connection min/max values, then the connection parameter update
+request is rejected and the negative response is returned to the remote
+device. Recall that the initial connection is established using the local
+conn_min_interval/conn_max_interval values, so this allows the Linux
+administrator to retain control over the BLE connection interval.
+
+The one downside that I see is that the current default Linux values for
+conn_min_interval and conn_max_interval typically correspond to 30ms and
+50ms respectively. If this change were accepted, then it is feasible that
+some devices would no longer be able to negotiate to their desired
+connection interval values. This might be remedied by setting the default
+Linux conn_min_interval and conn_max_interval values to the widest
+supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
+behavior as the current implementation, where the remote device could
+request to change the connection interval value to any value that is
+permitted by the Bluetooth specification, and Linux would accept the
+desired value.
+
+Signed-off-by: Carey Sonsino <csonsino@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c  | 5 +++++
+ net/bluetooth/l2cap_core.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 37fe2b158c2a..c4e94f34d048 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5062,6 +5062,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
+               return send_conn_param_neg_reply(hdev, handle,
+                                                HCI_ERROR_UNKNOWN_CONN_ID);
++      if (min < hcon->le_conn_min_interval ||
++          max > hcon->le_conn_max_interval)
++              return send_conn_param_neg_reply(hdev, handle,
++                                               HCI_ERROR_INVALID_LL_PARAMS);
++
+       if (hci_check_conn_params(min, max, latency, timeout))
+               return send_conn_param_neg_reply(hdev, handle,
+                                                HCI_ERROR_INVALID_LL_PARAMS);
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index c25f1e4846cd..8cfba78d26f6 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5266,7 +5266,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
+       memset(&rsp, 0, sizeof(rsp));
+-      err = hci_check_conn_params(min, max, latency, to_multiplier);
++      if (min < hcon->le_conn_min_interval ||
++          max > hcon->le_conn_max_interval) {
++              BT_DBG("requested connection interval exceeds current bounds.");
++              err = -EINVAL;
++      } else {
++              err = hci_check_conn_params(min, max, latency, to_multiplier);
++      }
++
+       if (err)
+               rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
+       else
+-- 
+2.20.1
+
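Review bot: The added bounds test rejects any request whose range is not fully inside the connection's current `le_conn_min_interval`/`le_conn_max_interval`, and the commit message itself notes that with the default bounds some devices will no longer be able to negotiate their interval. A peer that asks for a wide range overlapping the local one is refused even though an acceptable value exists, so this is a behaviour change that can break working peripherals and not only a hardening. The same test is written twice, in hci_le_remote_conn_param_req_evt() and in l2cap_conn_param_update_req(), and only the L2CAP copy logs the rejection; a shared helper would keep the two paths from drifting. Both functions start outside their hunks, so the validity of `hcon` at these points cannot be confirmed from here.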
diff --git a/queue-4.4/bpf-silence-warning-messages-in-core.patch b/queue-4.4/bpf-silence-warning-messages-in-core.patch
new file mode 100644 (file)
index 0000000..23c7741
--- /dev/null
@@ -0,0 +1,55 @@
+From 1ad80766d20ebc3a031862852ee49c51b9e7e000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= <valdis.kletnieks@vt.edu>
+Date: Thu, 6 Jun 2019 22:39:27 -0400
+Subject: bpf: silence warning messages in core
+
+[ Upstream commit aee450cbe482a8c2f6fa5b05b178ef8b8ff107ca ]
+
+Compiling kernel/bpf/core.c with W=1 causes a flood of warnings:
+
+kernel/bpf/core.c:1198:65: warning: initialized field overwritten [-Woverride-init]
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+      |                                                                 ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 |  INSN_3(ALU, ADD,  X),   \
+      |  ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 |   BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+      |   ^~~~~~~~~~~~
+kernel/bpf/core.c:1198:65: note: (near initialization for 'public_insntable[12]')
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+      |                                                                 ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 |  INSN_3(ALU, ADD,  X),   \
+      |  ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 |   BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+      |   ^~~~~~~~~~~~
+
+98 copies of the above.
+
+The attached patch silences the warnings, because we *know* we're overwriting
+the default initializer. That leaves bpf/core.c with only 6 other warnings,
+which become more visible in comparison.
+
+Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile
+index 13272582eee0..677991f29d66 100644
+--- a/kernel/bpf/Makefile
++++ b/kernel/bpf/Makefile
+@@ -1,4 +1,5 @@
+ obj-y := core.o
++CFLAGS_core.o += $(call cc-disable-warning, override-init)
+ obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o
+ obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o
+-- 
+2.20.1
+
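Review bot: The new `CFLAGS_core.o` line has no comment, and it turns off `-Woverride-init` for the whole object, not only for the instruction tables that need it. A duplicate designated initializer added elsewhere in core.c by mistake would then go unreported. A one-line comment above it would record the scope and the reason, e.g. `# core.c overrides default table entries on purpose (BPF_INSN_MAP), so -Woverride-init is off for this file`.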
diff --git a/queue-4.4/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch b/queue-4.4/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch
new file mode 100644 (file)
index 0000000..e4741ae
--- /dev/null
@@ -0,0 +1,41 @@
+From 0db9de10af8e0ca4a71feca1cd61a7b3bc700a4d Mon Sep 17 00:00:00 2001
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Date: Wed, 29 May 2019 04:30:33 -0500
+Subject: cpupower : frequency-set -r option misses the last cpu in related cpu
+ list
+
+[ Upstream commit 04507c0a9385cc8280f794a36bfff567c8cc1042 ]
+
+To set frequency on specific cpus using cpupower, following syntax can
+be used :
+cpupower -c #i frequency-set -f #f -r
+
+While setting frequency using cpupower frequency-set command, if we use
+'-r' option, it is expected to set frequency for all cpus related to
+cpu #i. But it is observed to be missing the last cpu in related cpu
+list. This patch fixes the problem.
+
+Signed-off-by: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Reviewed-by: Thomas Renninger <trenn@suse.de>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/cpufreq-set.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/power/cpupower/utils/cpufreq-set.c b/tools/power/cpupower/utils/cpufreq-set.c
+index 0fbd1a22c0a9..2f86935094ca 100644
+--- a/tools/power/cpupower/utils/cpufreq-set.c
++++ b/tools/power/cpupower/utils/cpufreq-set.c
+@@ -306,6 +306,8 @@ int cmd_freq_set(int argc, char **argv)
+                               bitmask_setbit(cpus_chosen, cpus->cpu);
+                               cpus = cpus->next;
+                       }
++                      /* Set the last cpu in related cpus list */
++                      bitmask_setbit(cpus_chosen, cpus->cpu);
+                       cpufreq_put_related_cpus(cpus);
+               }
+       }
+-- 
+2.20.1
+
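Review bot: The added `bitmask_setbit(cpus_chosen, cpus->cpu)` after the loop in cmd_freq_set() repeats the loop body to cover the node the loop skips, and it leaves `cpus` pointing at the last node when it is passed to `cpufreq_put_related_cpus()`. Walking the list with a separate cursor avoids both: `for (cur = cpus; cur; cur = cur->next)` with `bitmask_setbit(cpus_chosen, cur->cpu);` as the body, then `cpufreq_put_related_cpus(cpus);` on the untouched head. Whether the put helper releases the whole list when given a non-head node, and whether `cpus` can be NULL here, depends on code outside the hunk; the loop header is not shown either and is presumably a `cpus->next` test.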
diff --git a/queue-4.4/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch b/queue-4.4/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
new file mode 100644 (file)
index 0000000..f064ce0
--- /dev/null
@@ -0,0 +1,55 @@
+From e09b1e6c013c0adbd2d5425ebb9bd5bd5a8a12f3 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 15 May 2019 12:29:03 +0000
+Subject: crypto: talitos - fix skcipher failure due to wrong output IV
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3e03e792865ae48b8cfc69a0b4d65f02f467389f ]
+
+Selftests report the following:
+
+[    2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[    2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41
+[    3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[    3.043185] 00000000: fe dc ba 98 76 54 32 10
+[    3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[    3.073818] 00000000: 7d 33 88 93 0f 93 b2 42
+
+This above dumps show that the actual output IV is indeed the input IV.
+This is due to the IV not being copied back into the request.
+
+This patch fixes that.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 62ce93568e11..a000c2667392 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1446,11 +1446,15 @@ static void ablkcipher_done(struct device *dev,
+                           int err)
+ {
+       struct ablkcipher_request *areq = context;
++      struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq);
++      struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++      unsigned int ivsize = crypto_ablkcipher_ivsize(cipher);
+       struct talitos_edesc *edesc;
+       edesc = container_of(desc, struct talitos_edesc, desc);
+       common_nonsnoop_unmap(dev, edesc, areq);
++      memcpy(areq->info, ctx->iv, ivsize);
+       kfree(edesc);
+-- 
+2.20.1
+
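Review bot: The new `memcpy(areq->info, ctx->iv, ivsize)` in ablkcipher_done() reads the IV from `ctx`, which is obtained from the transform via `crypto_ablkcipher_ctx(cipher)` and not from the request. If two requests on the same transform are in flight, the value in `ctx->iv` at completion time may belong to the other request, so the IV copied back could be wrong; whether the driver serialises this is outside the hunk. The copy also runs when `err` is non-zero, where the buffer is not known to hold a valid output IV. At minimum a comment should state the assumption, e.g. `/* ctx->iv holds this request's output IV; assumes one request per tfm in flight */`, and the copy could be guarded with `if (!err)`.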
diff --git a/queue-4.4/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch b/queue-4.4/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
new file mode 100644 (file)
index 0000000..01389b5
--- /dev/null
@@ -0,0 +1,107 @@
+From d689c51e376415c47cdf2ba9c0e5a557f6fbdd22 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Mon, 24 Jun 2019 10:07:31 -0400
+Subject: dmaengine: imx-sdma: fix use-after-free on probe error path
+
+[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ]
+
+If probe() fails anywhere beyond the point where
+sdma_get_firmware() is called, then a kernel oops may occur.
+
+Problematic sequence of events:
+1. probe() calls sdma_get_firmware(), which schedules the
+   firmware callback to run when firmware becomes available,
+   using the sdma instance structure as the context
+2. probe() encounters an error, which deallocates the
+   sdma instance structure
+3. firmware becomes available, firmware callback is
+   called with deallocated sdma instance structure
+4. use after free - kernel oops !
+
+Solution: only attempt to load firmware when we're certain
+that probe() will succeed. This guarantees that the firmware
+callback's context will remain valid.
+
+Note that the remove() path is unaffected by this issue: the
+firmware loader will increment the driver module's use count,
+ensuring that the module cannot be unloaded while the
+firmware callback is pending or running.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Reviewed-by: Robin Gong <yibin.gong@nxp.com>
+[vkoul: fixed braces for if condition]
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/imx-sdma.c | 48 ++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index 4054747af0cb..dd97dbf6618c 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1786,27 +1786,6 @@ static int sdma_probe(struct platform_device *pdev)
+       if (pdata && pdata->script_addrs)
+               sdma_add_scripts(sdma, pdata->script_addrs);
+-      if (pdata) {
+-              ret = sdma_get_firmware(sdma, pdata->fw_name);
+-              if (ret)
+-                      dev_warn(&pdev->dev, "failed to get firmware from platform data\n");
+-      } else {
+-              /*
+-               * Because that device tree does not encode ROM script address,
+-               * the RAM script in firmware is mandatory for device tree
+-               * probe, otherwise it fails.
+-               */
+-              ret = of_property_read_string(np, "fsl,sdma-ram-script-name",
+-                                            &fw_name);
+-              if (ret)
+-                      dev_warn(&pdev->dev, "failed to get firmware name\n");
+-              else {
+-                      ret = sdma_get_firmware(sdma, fw_name);
+-                      if (ret)
+-                              dev_warn(&pdev->dev, "failed to get firmware from device tree\n");
+-              }
+-      }
+-
+       sdma->dma_device.dev = &pdev->dev;
+       sdma->dma_device.device_alloc_chan_resources = sdma_alloc_chan_resources;
+@@ -1848,6 +1827,33 @@ static int sdma_probe(struct platform_device *pdev)
+               of_node_put(spba_bus);
+       }
++      /*
++       * Kick off firmware loading as the very last step:
++       * attempt to load firmware only if we're not on the error path, because
++       * the firmware callback requires a fully functional and allocated sdma
++       * instance.
++       */
++      if (pdata) {
++              ret = sdma_get_firmware(sdma, pdata->fw_name);
++              if (ret)
++                      dev_warn(&pdev->dev, "failed to get firmware from platform data\n");
++      } else {
++              /*
++               * Because that device tree does not encode ROM script address,
++               * the RAM script in firmware is mandatory for device tree
++               * probe, otherwise it fails.
++               */
++              ret = of_property_read_string(np, "fsl,sdma-ram-script-name",
++                                            &fw_name);
++              if (ret) {
++                      dev_warn(&pdev->dev, "failed to get firmware name\n");
++              } else {
++                      ret = sdma_get_firmware(sdma, fw_name);
++                      if (ret)
++                              dev_warn(&pdev->dev, "failed to get firmware from device tree\n");
++              }
++      }
++
+       return 0;
+ err_register:
+-- 
+2.20.1
+
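Review bot: The comment carried into the relocated block says the RAM script is mandatory for device-tree probe, "otherwise it fails", but every failure in this block only calls `dev_warn()` and sdma_probe() then reaches `return 0`. With the block now last, `ret` from `of_property_read_string()` or `sdma_get_firmware()` is never acted on, so the comment describes behaviour the code does not have. Reword it to match, e.g. `/* The device tree does not encode ROM script addresses, so the RAM script firmware is needed; a missing firmware is only warned about and probe still succeeds. */`, or return the error if failing the probe is really intended. The function starts outside the hunk.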
diff --git a/queue-4.4/edac-fix-global-out-of-bounds-write-when-setting-eda.patch b/queue-4.4/edac-fix-global-out-of-bounds-write-when-setting-eda.patch
new file mode 100644 (file)
index 0000000..c65fab2
--- /dev/null
@@ -0,0 +1,159 @@
+From 12154734b16b789eb34a57f753e7665f7810eabf Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Wed, 26 Jun 2019 14:40:11 +0900
+Subject: EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
+
+[ Upstream commit d8655e7630dafa88bc37f101640e39c736399771 ]
+
+Commit 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") assumes
+edac_mc_poll_msec to be unsigned long, but the type of the variable still
+remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds
+write.
+
+Reproducer:
+
+  # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec
+
+KASAN report:
+
+  BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150
+  Write of size 8 at addr ffffffffb91b2d00 by task bash/1996
+
+  CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+  Call Trace:
+   dump_stack+0xca/0x13e
+   print_address_description.cold+0x5/0x246
+   __kasan_report.cold+0x75/0x9a
+   ? edac_set_poll_msec+0x140/0x150
+   kasan_report+0xe/0x20
+   edac_set_poll_msec+0x140/0x150
+   ? dimmdev_location_show+0x30/0x30
+   ? vfs_lock_file+0xe0/0xe0
+   ? _raw_spin_lock+0x87/0xe0
+   param_attr_store+0x1b5/0x310
+   ? param_array_set+0x4f0/0x4f0
+   module_attr_store+0x58/0x80
+   ? module_attr_show+0x80/0x80
+   sysfs_kf_write+0x13d/0x1a0
+   kernfs_fop_write+0x2bc/0x460
+   ? sysfs_kf_bin_read+0x270/0x270
+   ? kernfs_notify+0x1f0/0x1f0
+   __vfs_write+0x81/0x100
+   vfs_write+0x1e1/0x560
+   ksys_write+0x126/0x250
+   ? __ia32_sys_read+0xb0/0xb0
+   ? do_syscall_64+0x1f/0x390
+   do_syscall_64+0xc1/0x390
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  RIP: 0033:0x7fa7caa5e970
+  Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04
+  RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+  RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970
+  RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001
+  RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700
+  R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005
+  R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005
+
+  The buggy address belongs to the variable:
+   edac_mc_poll_msec+0x0/0x40
+
+  Memory state around the buggy address:
+   ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+   ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+  >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+                     ^
+   ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+   ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fix it by changing the type of edac_mc_poll_msec to unsigned int.
+The reason why this patch adopts unsigned int rather than unsigned long
+is msecs_to_jiffies() assumes arg to be unsigned int. We can avoid
+integer conversion bugs and unsigned int will be large enough for
+edac_mc_poll_msec.
+
+Reviewed-by: James Morse <james.morse@arm.com>
+Fixes: 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 16 ++++++++--------
+ drivers/edac/edac_module.h   |  2 +-
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 0c53f2d54765..d459cf4b8579 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -26,7 +26,7 @@
+ static int edac_mc_log_ue = 1;
+ static int edac_mc_log_ce = 1;
+ static int edac_mc_panic_on_ue;
+-static int edac_mc_poll_msec = 1000;
++static unsigned int edac_mc_poll_msec = 1000;
+ /* Getter functions for above */
+ int edac_mc_get_log_ue(void)
+@@ -45,30 +45,30 @@ int edac_mc_get_panic_on_ue(void)
+ }
+ /* this is temporary */
+-int edac_mc_get_poll_msec(void)
++unsigned int edac_mc_get_poll_msec(void)
+ {
+       return edac_mc_poll_msec;
+ }
+ static int edac_set_poll_msec(const char *val, struct kernel_param *kp)
+ {
+-      unsigned long l;
++      unsigned int i;
+       int ret;
+       if (!val)
+               return -EINVAL;
+-      ret = kstrtoul(val, 0, &l);
++      ret = kstrtouint(val, 0, &i);
+       if (ret)
+               return ret;
+-      if (l < 1000)
++      if (i < 1000)
+               return -EINVAL;
+-      *((unsigned long *)kp->arg) = l;
++      *((unsigned int *)kp->arg) = i;
+       /* notify edac_mc engine to reset the poll period */
+-      edac_mc_reset_delay_period(l);
++      edac_mc_reset_delay_period(i);
+       return 0;
+ }
+@@ -82,7 +82,7 @@ MODULE_PARM_DESC(edac_mc_log_ue,
+ module_param(edac_mc_log_ce, int, 0644);
+ MODULE_PARM_DESC(edac_mc_log_ce,
+                "Log correctable error to console: 0=off 1=on");
+-module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_int,
++module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_uint,
+                 &edac_mc_poll_msec, 0644);
+ MODULE_PARM_DESC(edac_mc_poll_msec, "Polling period in milliseconds");
+diff --git a/drivers/edac/edac_module.h b/drivers/edac/edac_module.h
+index b95a48fc723d..c7a7a0891eb6 100644
+--- a/drivers/edac/edac_module.h
++++ b/drivers/edac/edac_module.h
+@@ -33,7 +33,7 @@ extern int edac_mc_get_log_ue(void);
+ extern int edac_mc_get_log_ce(void);
+ extern int edac_mc_get_panic_on_ue(void);
+ extern int edac_get_poll_msec(void);
+-extern int edac_mc_get_poll_msec(void);
++extern unsigned int edac_mc_get_poll_msec(void);
+ unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf,
+                                unsigned len);
+-- 
+2.20.1
+
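Review bot: In edac_set_poll_msec() the store `*((unsigned int *)kp->arg) = i;` still goes through a cast of `kp->arg`, so the compiler cannot check that the written width matches the variable, which is the mismatch this patch repairs. The visible module_param_call() passes `&edac_mc_poll_msec`, so assigning the variable directly, `edac_mc_poll_msec = i;`, would tie the store to the declared type. If the cast stays, a comment such as `/* kp->arg is &edac_mc_poll_msec (unsigned int); keep in step with param_get_uint */` would record the coupling. The accepted range has only the lower bound of 1000; whether edac_mc_reset_delay_period() copes with values near UINT_MAX is not visible here.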
diff --git a/queue-4.4/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch b/queue-4.4/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch
new file mode 100644 (file)
index 0000000..a87016f
--- /dev/null
@@ -0,0 +1,52 @@
+From 4428c340a93b4396d13a98fd46572ae25bc2f1b3 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 18 Apr 2019 10:27:18 +0800
+Subject: EDAC/sysfs: Fix memory leak when creating a csrow object
+
+[ Upstream commit 585fb3d93d32dbe89e718b85009f9c322cc554cd ]
+
+In edac_create_csrow_object(), the reference to the object is not
+released when adding the device to the device hierarchy fails
+(device_add()). This may result in a memory leak.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: https://lkml.kernel.org/r/1555554438-103953-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 3c8f19f5ac81..0c53f2d54765 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -426,6 +426,8 @@ static inline int nr_pages_per_csrow(struct csrow_info *csrow)
+ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+                                   struct csrow_info *csrow, int index)
+ {
++      int err;
++
+       csrow->dev.type = &csrow_attr_type;
+       csrow->dev.bus = mci->bus;
+       csrow->dev.groups = csrow_dev_groups;
+@@ -438,7 +440,11 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+       edac_dbg(0, "creating (virtual) csrow node %s\n",
+                dev_name(&csrow->dev));
+-      return device_add(&csrow->dev);
++      err = device_add(&csrow->dev);
++      if (err)
++              put_device(&csrow->dev);
++
++      return err;
+ }
+ /* Create a CSROW object under specifed edac_mc_device */
+-- 
+2.20.1
+
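Review bot: The new `put_device(&csrow->dev)` on the device_add() failure path in edac_create_csrow_object() has no comment saying whose reference it drops or what cleanup follows. If this is the last reference, the release callback of `csrow_attr_type` presumably runs, so the caller's error handling (not in this hunk) must not put or free the same csrow device again; that should be confirmed against the caller. A comment such as `/* device_add() failed: drop the initial reference, the type's release callback takes over cleanup */` would state the contract. The lines between the two inner hunks, where the device is presumably initialised, are not shown.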
diff --git a/queue-4.4/floppy-fix-div-by-zero-in-setup_format_params.patch b/queue-4.4/floppy-fix-div-by-zero-in-setup_format_params.patch
new file mode 100644 (file)
index 0000000..df8072e
--- /dev/null
@@ -0,0 +1,61 @@
+From 33b5b1783bcff0ca134b4d7b2b1e3da3d83b5f43 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:20 +0300
+Subject: floppy: fix div-by-zero in setup_format_params
+
+[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]
+
+This fixes a divide by zero error in the setup_format_params function of
+the floppy driver.
+
+Two consecutive ioctls can trigger the bug: The first one should set the
+drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
+to become zero.  Next, the floppy format operation should be called.
+
+A floppy disk is not required to be inserted.  An unprivileged user
+could trigger the bug if the device is accessible.
+
+The patch checks F_SECT_PER_TRACK for a non-zero value in the
+set_geometry function.  The proper check should involve a reasonable
+upper limit for the .sect and .rate fields, but it could change the
+UAPI.
+
+The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
+cancels the formatting operation in case of zero.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 2daa5b84abbc..42ae1d2d8243 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -2113,6 +2113,9 @@ static void setup_format_params(int track)
+       raw_cmd->kernel_data = floppy_track_buffer;
+       raw_cmd->length = 4 * F_SECT_PER_TRACK;
++      if (!F_SECT_PER_TRACK)
++              return;
++
+       /* allow for about 30ms for data transport per track */
+       head_shift = (F_SECT_PER_TRACK + 5) / 6;
+@@ -3235,6 +3238,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+       /* sanity checking for parameters. */
+       if (g->sect <= 0 ||
+           g->head <= 0 ||
++          /* check for zero in F_SECT_PER_TRACK */
++          (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+           /* check if reserved bits are set */
+           (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
+-- 
+2.20.1
+
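Review bot: The guard added in set_geometry(), `(unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0`, appears to restate by hand what F_SECT_PER_TRACK computes, so the validation and the macro can drift apart silently if either is edited. A small static helper shared by both, or a comment such as `/* must mirror F_SECT_PER_TRACK, including the truncation to unsigned char */`, would keep them tied together. In setup_format_params() the `if (!F_SECT_PER_TRACK) return;` comes after `raw_cmd->length = 4 * F_SECT_PER_TRACK;` and the function returns void, so the caller cannot tell that setup stopped early; how the format path behaves with a zero-length raw_cmd is outside the hunk. Both function bodies continue outside the inner hunks.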
diff --git a/queue-4.4/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/queue-4.4/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
new file mode 100644 (file)
index 0000000..755c0b9
--- /dev/null
@@ -0,0 +1,52 @@
+From ab1e593f24d8a821cb8b37e8c3562e72c4fb1cd0 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:23 +0300
+Subject: floppy: fix out-of-bounds read in copy_buffer
+
+[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ]
+
+This fixes a global out-of-bounds read access in the copy_buffer
+function of the floppy driver.
+
+The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
+and head fields (unsigned int) of the floppy_drive structure are used to
+compute the max_sector (int) in the make_raw_rw_request function.  It is
+possible to overflow the max_sector.  Next, max_sector is passed to the
+copy_buffer function and used in one of the memcpy calls.
+
+An unprivileged user could trigger the bug if the device is accessible,
+but requires a floppy disk to be inserted.
+
+The patch adds the check for the .sect * .head multiplication for not
+overflowing in the set_geometry function.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 42ae1d2d8243..7516fed84ae9 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+       int cnt;
+       /* sanity checking for parameters. */
+-      if (g->sect <= 0 ||
+-          g->head <= 0 ||
++      if ((int)g->sect <= 0 ||
++          (int)g->head <= 0 ||
++          /* check for overflow in max_sector */
++          (int)(g->sect * g->head) <= 0 ||
+           /* check for zero in F_SECT_PER_TRACK */
+           (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+           g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+-- 
+2.20.1
+
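Review bot: The overflow guard `(int)(g->sect * g->head) <= 0` in set_geometry() only rejects products that end up zero or negative after the unsigned multiplication has already wrapped; a product that wraps to a positive int passes, although it no longer corresponds to the sect and head fields. Because `(int)g->head <= 0` is rejected first, a division-based bound such as `g->sect > INT_MAX / g->head ||` would catch every overflow before multiplying. Whether a wrapped positive value is harmful later depends on make_raw_rw_request(), which is not shown, and the description of the previous floppy patch notes that tighter limits may touch the UAPI. set_geometry()'s body continues outside the hunk.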
diff --git a/queue-4.4/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch b/queue-4.4/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
new file mode 100644 (file)
index 0000000..6313cdc
--- /dev/null
@@ -0,0 +1,85 @@
+From 67e086a16ebf9aba5345b883906f5eacd20f6364 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:44 +0300
+Subject: gpio: omap: ensure irq is enabled before wakeup
+
+[ Upstream commit c859e0d479b3b4f6132fc12637c51e01492f31f6 ]
+
+Documentation states:
+
+  NOTE: There must be a correlation between the wake-up enable and
+  interrupt-enable registers. If a GPIO pin has a wake-up configured
+  on it, it must also have the corresponding interrupt enabled (on
+  one of the two interrupt lines).
+
+Ensure that this condition is always satisfied by enabling the detection
+events after enabling the interrupt, and disabling the detection before
+disabling the interrupt.  This ensures interrupt/wakeup events can not
+happen until both the wakeup and interrupt enables correlate.
+
+If we do any clearing, clear between the interrupt enable/disable and
+trigger setting.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index f23136825a6e..6e65c02baad1 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -821,9 +821,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d)
+       raw_spin_lock_irqsave(&bank->lock, flags);
+       bank->irq_usage &= ~(BIT(offset));
+-      omap_set_gpio_irqenable(bank, offset, 0);
+-      omap_clear_gpio_irqstatus(bank, offset);
+       omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++      omap_clear_gpio_irqstatus(bank, offset);
++      omap_set_gpio_irqenable(bank, offset, 0);
+       if (!LINE_USED(bank->mod_usage, offset))
+               omap_clear_gpio_debounce(bank, offset);
+       omap_disable_gpio_module(bank, offset);
+@@ -865,8 +865,8 @@ static void omap_gpio_mask_irq(struct irq_data *d)
+       unsigned long flags;
+       raw_spin_lock_irqsave(&bank->lock, flags);
+-      omap_set_gpio_irqenable(bank, offset, 0);
+       omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++      omap_set_gpio_irqenable(bank, offset, 0);
+       raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+@@ -878,9 +878,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+       unsigned long flags;
+       raw_spin_lock_irqsave(&bank->lock, flags);
+-      if (trigger)
+-              omap_set_gpio_triggering(bank, offset, trigger);
+-
+       omap_set_gpio_irqenable(bank, offset, 1);
+       /*
+@@ -888,9 +885,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+        * is cleared, thus after the handler has run. OMAP4 needs this done
+        * after enabing the interrupt to clear the wakeup status.
+        */
+-      if (bank->level_mask & BIT(offset))
++      if (bank->regs->leveldetect0 && bank->regs->wkup_en &&
++          trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))
+               omap_clear_gpio_irqstatus(bank, offset);
++      if (trigger)
++              omap_set_gpio_triggering(bank, offset, trigger);
++
+       raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+-- 
+2.20.1
+
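Review bot: Nothing in omap_gpio_irq_shutdown(), omap_gpio_mask_irq() or omap_gpio_unmask_irq() records that the order of the calls is now a hardware requirement, so a later cleanup could swap them back. A short comment at each site would do, for example `/* disable detection before the interrupt: wake-up must never be enabled without irqenable */` ahead of the `omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE)` calls. In omap_gpio_unmask_irq() the new condition mixes `&&` with an unparenthesised `&`; it parses as intended, but `(trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))` is easier to read. All three function bodies start outside the inner hunks.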
diff --git a/queue-4.4/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch b/queue-4.4/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch
new file mode 100644 (file)
index 0000000..031fdf0
--- /dev/null
@@ -0,0 +1,43 @@
+From fe4c92c8172cc1b0d664e8b525bd7a1819f6809a Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:45 +0300
+Subject: gpio: omap: fix lack of irqstatus_raw0 for OMAP4
+
+[ Upstream commit 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 ]
+
+Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added
+the register definition tables to the gpio-omap driver. Subsequently to
+that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx()
+checks from *_runtime_resume()") added definitions for irqstatus_raw*
+registers to the legacy OMAP4 definitions, but missed the DT
+definitions.
+
+This causes an unintentional change of behaviour for the 1.101 errata
+workaround on OMAP4 platforms. Fix this oversight.
+
+Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index c8c49b1d5f9f..f23136825a6e 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1611,6 +1611,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = {
+       .clr_dataout =          OMAP4_GPIO_CLEARDATAOUT,
+       .irqstatus =            OMAP4_GPIO_IRQSTATUS0,
+       .irqstatus2 =           OMAP4_GPIO_IRQSTATUS1,
++      .irqstatus_raw0 =       OMAP4_GPIO_IRQSTATUSRAW0,
++      .irqstatus_raw1 =       OMAP4_GPIO_IRQSTATUSRAW1,
+       .irqenable =            OMAP4_GPIO_IRQSTATUSSET0,
+       .irqenable2 =           OMAP4_GPIO_IRQSTATUSSET1,
+       .set_irqenable =        OMAP4_GPIO_IRQSTATUSSET0,
+-- 
+2.20.1
+
diff --git a/queue-4.4/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch b/queue-4.4/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch
new file mode 100644 (file)
index 0000000..73ef5e1
--- /dev/null
@@ -0,0 +1,63 @@
+From 3bb504f8aef31269a6e8ca77911cbf94e0f24795 Mon Sep 17 00:00:00 2001
+From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Date: Thu, 23 May 2019 16:11:12 -0300
+Subject: ixgbe: Check DDM existence in transceiver before access
+
+[ Upstream commit 655c91414579d7bb115a4f7898ee726fc18e0984 ]
+
+Some transceivers may comply with SFF-8472 but not implement the Digital
+Diagnostic Monitoring (DDM) interface described in it. The existence of
+such area is specified by bit 6 of byte 92, set to 1 if implemented.
+
+Currently, due to not checking this bit ixgbe fails trying to read SFP
+module's eeprom with the follow message:
+
+ethtool -m enP51p1s0f0
+Cannot get Module EEPROM data: Input/output error
+
+Because it fails to read the additional 256 bytes in which it was assumed
+to exist the DDM data.
+
+This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom
+data was confirmed by Mellanox as correct and present in other Passive
+DACs in from other manufacturers.
+
+Signed-off-by: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 ++-
+ drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h     | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index d681273bd39d..9d38634071a4 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3133,7 +3133,8 @@ static int ixgbe_get_module_info(struct net_device *dev,
+               page_swap = true;
+       }
+-      if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap) {
++      if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap ||
++          !(addr_mode & IXGBE_SFF_DDM_IMPLEMENTED)) {
+               /* We have a SFP, but it does not support SFF-8472 */
+               modinfo->type = ETH_MODULE_SFF_8079;
+               modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+index 5abd66c84d00..7b7dc6d7d159 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+@@ -70,6 +70,7 @@
+ #define IXGBE_SFF_SOFT_RS_SELECT_10G          0x8
+ #define IXGBE_SFF_SOFT_RS_SELECT_1G           0x0
+ #define IXGBE_SFF_ADDRESSING_MODE             0x4
++#define IXGBE_SFF_DDM_IMPLEMENTED             0x40
+ #define IXGBE_SFF_QSFP_DA_ACTIVE_CABLE                0x1
+ #define IXGBE_SFF_QSFP_DA_PASSIVE_CABLE               0x8
+ #define IXGBE_SFF_QSFP_CONNECTOR_NOT_SEPARABLE        0x23
+-- 
+2.20.1
+
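Review bot: The comment inside the widened branch of ixgbe_get_module_info(), `/* We have a SFP, but it does not support SFF-8472 */`, no longer describes every case, since the branch is now also taken for modules that report SFF-8472 compliance but leave the DDM bit clear. Something like `/* SFP without SFF-8472 support, or without the DDM area: expose only the SFF-8079 page */` would match the new condition. In ixgbe_phy.h, `IXGBE_SFF_DDM_IMPLEMENTED` sits among unrelated values; a trailing comment naming the byte and bit it applies to (byte 92, bit 6, per the description) would help. The read that fills `addr_mode` is outside the hunk, so it is assumed here that it holds that byte.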
diff --git a/queue-4.4/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch b/queue-4.4/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch
new file mode 100644 (file)
index 0000000..f4051a5
--- /dev/null
@@ -0,0 +1,102 @@
+From 7499e918f1d34257dc723fc7911122c954872fe4 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 May 2019 23:15:09 +0300
+Subject: locking/lockdep: Fix merging of hlocks with non-zero references
+
+[ Upstream commit d9349850e188b8b59e5322fda17ff389a1c0cd7d ]
+
+The sequence
+
+       static DEFINE_WW_CLASS(test_ww_class);
+
+       struct ww_acquire_ctx ww_ctx;
+       struct ww_mutex ww_lock_a;
+       struct ww_mutex ww_lock_b;
+       struct ww_mutex ww_lock_c;
+       struct mutex lock_c;
+
+       ww_acquire_init(&ww_ctx, &test_ww_class);
+
+       ww_mutex_init(&ww_lock_a, &test_ww_class);
+       ww_mutex_init(&ww_lock_b, &test_ww_class);
+       ww_mutex_init(&ww_lock_c, &test_ww_class);
+
+       mutex_init(&lock_c);
+
+       ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+       mutex_lock(&lock_c);
+
+       ww_mutex_lock(&ww_lock_b, &ww_ctx);
+       ww_mutex_lock(&ww_lock_c, &ww_ctx);
+
+       mutex_unlock(&lock_c);  (*)
+
+       ww_mutex_unlock(&ww_lock_c);
+       ww_mutex_unlock(&ww_lock_b);
+       ww_mutex_unlock(&ww_lock_a);
+
+       ww_acquire_fini(&ww_ctx); (**)
+
+will trigger the following error in __lock_release() when calling
+mutex_release() at **:
+
+       DEBUG_LOCKS_WARN_ON(depth <= 0)
+
+The problem is that the hlock merging happening at * updates the
+references for test_ww_class incorrectly to 3 whereas it should've
+updated it to 4 (representing all the instances for ww_ctx and
+ww_lock_[abc]).
+
+Fix this by updating the references during merging correctly taking into
+account that we can have non-zero references (both for the hlock that we
+merge into another hlock or for the hlock we are merging into).
+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 774ab79d3ec7..f2df5f86af28 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3128,17 +3128,17 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
+       if (depth) {
+               hlock = curr->held_locks + depth - 1;
+               if (hlock->class_idx == class_idx && nest_lock) {
+-                      if (hlock->references) {
+-                              /*
+-                               * Check: unsigned int references:12, overflow.
+-                               */
+-                              if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1))
+-                                      return 0;
++                      if (!references)
++                              references++;
++                      if (!hlock->references)
+                               hlock->references++;
+-                      } else {
+-                              hlock->references = 2;
+-                      }
++
++                      hlock->references += references;
++
++                      /* Overflow */
++                      if (DEBUG_LOCKS_WARN_ON(hlock->references < references))
++                              return 0;
+                       return 1;
+               }
+-- 
+2.20.1
+
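Review bot: The overflow test in __lock_acquire() now runs after `hlock->references += references;`, so on the failing path the field has already wrapped when the function returns 0, whereas the removed code tested before incrementing. That may be harmless if DEBUG_LOCKS_WARN_ON() turns lock debugging off on failure, but that is not visible here. The new `/* Overflow */` comment also drops the width information the old one carried; `/* Overflow: references is a 12-bit field, so a wrapped sum is smaller than the addend */` would keep it. The type of the `references` argument is declared outside the hunk.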
diff --git a/queue-4.4/media-coda-fix-mpeg2-sequence-number-handling.patch b/queue-4.4/media-coda-fix-mpeg2-sequence-number-handling.patch
new file mode 100644 (file)
index 0000000..1c6e827
--- /dev/null
@@ -0,0 +1,46 @@
+From f47562ab5fe4e4c9794f91733fd299895d3e5939 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:10 -0400
+Subject: media: coda: fix mpeg2 sequence number handling
+
+[ Upstream commit 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba ]
+
+Sequence number handling assumed that the BIT processor frame number
+starts counting at 1, but this is not true for the MPEG-2 decoder,
+which starts at 0. Fix the sequence counter offset detection to handle
+this.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index a4639813cf35..a7ed2dba7a0e 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1581,6 +1581,7 @@ static int __coda_start_decoding(struct coda_ctx *ctx)
+               coda_write(dev, 0, CODA_REG_BIT_BIT_STREAM_PARAM);
+               return -ETIMEDOUT;
+       }
++      ctx->sequence_offset = ~0U;
+       ctx->initialized = 1;
+       /* Update kfifo out pointer from coda bitstream read pointer */
+@@ -1971,7 +1972,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+               v4l2_err(&dev->v4l2_dev,
+                        "decoded frame index out of range: %d\n", decoded_idx);
+       } else {
+-              val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1;
++              val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM);
++              if (ctx->sequence_offset == -1)
++                      ctx->sequence_offset = val;
+               val -= ctx->sequence_offset;
+               spin_lock_irqsave(&ctx->buffer_meta_lock, flags);
+               if (!list_empty(&ctx->buffer_meta_list)) {
+-- 
+2.20.1
+
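Review bot: The "not yet known" marker for `ctx->sequence_offset` is written as `~0U` in __coda_start_decoding() and tested as `== -1` in coda_finish_decode(); the two spellings agree only as long as the field is no wider than int, and its declaration is outside the hunk. Using one spelling at both sites, e.g. `if (ctx->sequence_offset == ~0U)`, or a named constant, removes the dependence on implicit conversion. A comment at the assignment such as `/* unknown until the first decoded frame reports its number */` would explain the sentinel.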
diff --git a/queue-4.4/media-coda-increment-sequence-offset-for-the-last-re.patch b/queue-4.4/media-coda-increment-sequence-offset-for-the-last-re.patch
new file mode 100644 (file)
index 0000000..91ba3ed
--- /dev/null
@@ -0,0 +1,37 @@
+From 58d51f4d917cb7b80063569746b80becb4980511 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:22 -0400
+Subject: media: coda: increment sequence offset for the last returned frame
+
+[ Upstream commit b3b7d96817cdb8b6fc353867705275dce8f41ccc ]
+
+If no more frames are decoded in bitstream end mode, and a previously
+decoded frame has been returned, the firmware still increments the frame
+number. To avoid a sequence number mismatch after decoder restart,
+increment the sequence_offset correction parameter.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index a7ed2dba7a0e..b19e70b83f4a 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1967,6 +1967,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+               else if (ctx->display_idx < 0)
+                       ctx->hold = true;
+       } else if (decoded_idx == -2) {
++              if (ctx->display_idx >= 0 &&
++                  ctx->display_idx < ctx->num_internal_frames)
++                      ctx->sequence_offset++;
+               /* no frame was decoded, we still return remaining buffers */
+       } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) {
+               v4l2_err(&dev->v4l2_dev,
+-- 
+2.20.1
+
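Review bot: The new `ctx->sequence_offset++` in the `decoded_idx == -2` branch of coda_finish_decode() does not say how it interacts with the unset marker that the preceding coda patch in this queue stores in the same field (`~0U`, tested as `== -1`). If this branch could run while the marker is still in place, the increment would turn it into 0 and the first-frame detection would not trigger; the `display_idx >= 0` condition probably rules that out, but that cannot be confirmed from the hunk. A comment such as `/* a frame is being returned, so sequence_offset is already initialised */` would settle it. The existing comment `/* no frame was decoded, we still return remaining buffers */` now trails the new statement instead of heading its branch.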
diff --git a/queue-4.4/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch b/queue-4.4/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
new file mode 100644 (file)
index 0000000..39a146d
--- /dev/null
@@ -0,0 +1,44 @@
+From 2dc89a181b1745a5f9f9d69b7fd49251637a5b2d Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 09:07:36 -0400
+Subject: media: dvb: usb: fix use after free in dvb_usb_device_exit
+
+[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]
+
+dvb_usb_device_exit() frees and uses the device name in that order.
+Fix by storing the name in a buffer before freeing it.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 1adf325012f7..97a89ef7e4c1 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -286,12 +286,15 @@ EXPORT_SYMBOL(dvb_usb_device_init);
+ void dvb_usb_device_exit(struct usb_interface *intf)
+ {
+       struct dvb_usb_device *d = usb_get_intfdata(intf);
+-      const char *name = "generic DVB-USB module";
++      const char *default_name = "generic DVB-USB module";
++      char name[40];
+       usb_set_intfdata(intf, NULL);
+       if (d != NULL && d->desc != NULL) {
+-              name = d->desc->name;
++              strscpy(name, d->desc->name, sizeof(name));
+               dvb_usb_exit(d);
++      } else {
++              strscpy(name, default_name, sizeof(name));
+       }
+       info("%s successfully deinitialized and disconnected.", name);
+-- 
+2.20.1
+
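Review bot: `char name[40]` in dvb_usb_device_exit() is an unexplained size, and `strscpy()` truncates a longer `d->desc->name` without notice because its return value is ignored. The effect is limited to the log line, but a named constant or a comment stating the bound would make the choice deliberate. A comment on the copy such as `/* copy first: the name must not be read after dvb_usb_exit() */` would record why the buffer exists, so that a later cleanup does not reintroduce the pointer.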
diff --git a/queue-4.4/media-i2c-fix-warning-same-module-names.patch b/queue-4.4/media-i2c-fix-warning-same-module-names.patch
new file mode 100644 (file)
index 0000000..6f2022d
--- /dev/null
@@ -0,0 +1,60 @@
+From a82fb65e14d942cc3de67e2d0190a207efaa0e8b Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Wed, 12 Jun 2019 12:19:35 -0400
+Subject: media: i2c: fix warning same module names
+
+[ Upstream commit b2ce5617dad254230551feda3599f2cc68e53ad8 ]
+
+When building with CONFIG_VIDEO_ADV7511 and CONFIG_DRM_I2C_ADV7511
+enabled as loadable modules, we see the following warning:
+
+  drivers/gpu/drm/bridge/adv7511/adv7511.ko
+  drivers/media/i2c/adv7511.ko
+
+Rework so that the file is named adv7511-v4l2.c.
+
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/Makefile                      | 2 +-
+ drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+ rename drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} (99%)
+
+diff --git a/drivers/media/i2c/Makefile b/drivers/media/i2c/Makefile
+index 07db257abfc1..d5711def1fff 100644
+--- a/drivers/media/i2c/Makefile
++++ b/drivers/media/i2c/Makefile
+@@ -28,7 +28,7 @@ obj-$(CONFIG_VIDEO_ADV7393) += adv7393.o
+ obj-$(CONFIG_VIDEO_ADV7604) += adv7604.o
+ obj-$(CONFIG_VIDEO_ADV7842) += adv7842.o
+ obj-$(CONFIG_VIDEO_AD9389B) += ad9389b.o
+-obj-$(CONFIG_VIDEO_ADV7511) += adv7511.o
++obj-$(CONFIG_VIDEO_ADV7511) += adv7511-v4l2.o
+ obj-$(CONFIG_VIDEO_VPX3220) += vpx3220.o
+ obj-$(CONFIG_VIDEO_VS6624)  += vs6624.o
+ obj-$(CONFIG_VIDEO_BT819) += bt819.o
+diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511-v4l2.c
+similarity index 99%
+rename from drivers/media/i2c/adv7511.c
+rename to drivers/media/i2c/adv7511-v4l2.c
+index c24839cfcc35..b35400e4e9af 100644
+--- a/drivers/media/i2c/adv7511.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -17,6 +17,11 @@
+  * SOFTWARE.
+  */
++/*
++ * This file is named adv7511-v4l2.c so it doesn't conflict with the Analog
++ * Device ADV7511 (config fragment CONFIG_DRM_I2C_ADV7511).
++ */
++
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+-- 
+2.20.1
+
diff --git a/queue-4.4/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch b/queue-4.4/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
new file mode 100644 (file)
index 0000000..04b67f1
--- /dev/null
@@ -0,0 +1,64 @@
+From 16139327aa21a7a4aef36a1ebb412fa622d71e16 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sun, 5 May 2019 10:00:23 -0400
+Subject: media: marvell-ccic: fix DMA s/g desc number calculation
+
+[ Upstream commit 0c7aa32966dab0b8a7424e1b34c7f206817953ec ]
+
+The commit d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+left dma_desc_nent unset. It previously contained the number of DMA
+descriptors as returned from dma_map_sg().
+
+We can now (since the commit referred to above) obtain the same value from
+the sg_table and drop dma_desc_nent altogether.
+
+Tested on OLPC XO-1.75 machine. Doesn't affect the OLPC XO-1's Cafe
+driver, since that one doesn't do DMA.
+
+[mchehab+samsung@kernel.org: fix a checkpatch warning]
+
+Fixes: d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/marvell-ccic/mcam-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
+index aa2b44041d3f..22fe771d4dd2 100644
+--- a/drivers/media/platform/marvell-ccic/mcam-core.c
++++ b/drivers/media/platform/marvell-ccic/mcam-core.c
+@@ -209,7 +209,6 @@ struct mcam_vb_buffer {
+       struct list_head queue;
+       struct mcam_dma_desc *dma_desc; /* Descriptor virtual address */
+       dma_addr_t dma_desc_pa;         /* Descriptor physical address */
+-      int dma_desc_nent;              /* Number of mapped descriptors */
+ };
+ static inline struct mcam_vb_buffer *vb_to_mvb(struct vb2_v4l2_buffer *vb)
+@@ -616,9 +615,11 @@ static void mcam_dma_contig_done(struct mcam_camera *cam, int frame)
+ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ {
+       struct mcam_vb_buffer *buf;
++      struct sg_table *sg_table;
+       buf = list_first_entry(&cam->buffers, struct mcam_vb_buffer, queue);
+       list_del_init(&buf->queue);
++      sg_table = vb2_dma_sg_plane_desc(&buf->vb_buf.vb2_buf, 0);
+       /*
+        * Very Bad Not Good Things happen if you don't clear
+        * C1_DESC_ENA before making any descriptor changes.
+@@ -626,7 +627,7 @@ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+       mcam_reg_clear_bit(cam, REG_CTRL1, C1_DESC_ENA);
+       mcam_reg_write(cam, REG_DMA_DESC_Y, buf->dma_desc_pa);
+       mcam_reg_write(cam, REG_DESC_LEN_Y,
+-                      buf->dma_desc_nent*sizeof(struct mcam_dma_desc));
++                      sg_table->nents * sizeof(struct mcam_dma_desc));
+       mcam_reg_write(cam, REG_DESC_LEN_U, 0);
+       mcam_reg_write(cam, REG_DESC_LEN_V, 0);
+       mcam_reg_set_bit(cam, REG_CTRL1, C1_DESC_ENA);
+-- 
+2.20.1
+
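Review bot: The length written to REG_DESC_LEN_Y in mcam_sg_next_buffer() now comes from `sg_table->nents`, but nothing in the hunk ties that count to the size of the descriptor table behind `buf->dma_desc_pa`, and the pointer returned by `vb2_dma_sg_plane_desc()` is dereferenced unchecked. The descriptor allocation and fill code is outside the hunk, so the invariant may already hold. If it does, a comment here would record it, e.g. `/* nents is the dma_map_sg() result; the descriptor table holds at least that many entries */`. The register tells the device how many descriptor bytes to walk, so a count larger than the table would have the hardware reading past it.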
diff --git a/queue-4.4/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch b/queue-4.4/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
new file mode 100644 (file)
index 0000000..4bd06b0
--- /dev/null
@@ -0,0 +1,36 @@
+From 4cbe4a37a843982c9c5247880874ab28084198d5 Mon Sep 17 00:00:00 2001
+From: Shailendra Verma <shailendra.v@samsung.com>
+Date: Thu, 24 Nov 2016 23:57:34 -0500
+Subject: media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
+ initialization fails.
+
+[ Upstream commit 6995a659101bd4effa41cebb067f9dc18d77520d ]
+
+Fix to avoid possible memory leak if the decoder initialization
+got failed.Free the allocated memory for file handle object
+before return in case decoder initialization fails.
+
+Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+index 0fdff91624fd..43474f562b43 100644
+--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+@@ -406,6 +406,9 @@ static int vpfe_open(struct file *file)
+       /* If decoder is not initialized. initialize it */
+       if (!video->initialized && vpfe_update_pipe_state(video)) {
+               mutex_unlock(&video->lock);
++              v4l2_fh_del(&handle->vfh);
++              v4l2_fh_exit(&handle->vfh);
++              kfree(handle);
+               return -ENODEV;
+       }
+       /* Increment device users counter */
+-- 
+2.20.1
+
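Review bot: The new error branch in vpfe_open() frees `handle`, but the hunk does not show `file->private_data` being reset, so if it was pointed at `&handle->vfh` earlier in the function (outside the hunk) it is left dangling after `kfree(handle)`. The failed open should make that harmless, but clearing it costs one line, `file->private_data = NULL;`, before the `return -ENODEV;`. The three cleanup calls are also open-coded in this branch; if vpfe_open() has other failure exits after the handle is set up, a shared `goto` label would keep them in step.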
diff --git a/queue-4.4/media-vpss-fix-a-potential-null-pointer-dereference.patch b/queue-4.4/media-vpss-fix-a-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..03095d8
--- /dev/null
@@ -0,0 +1,38 @@
+From f7daf7b7310381fc2e824a8a2a1e346725a69ad8 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 22 Mar 2019 22:51:06 -0400
+Subject: media: vpss: fix a potential NULL pointer dereference
+
+[ Upstream commit e08f0761234def47961d3252eac09ccedfe4c6a0 ]
+
+In case ioremap fails, the fix returns -ENOMEM to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/davinci/vpss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index fce86f17dffc..c2c68988e38a 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -523,6 +523,11 @@ static int __init vpss_init(void)
+               return -EBUSY;
+       oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
++      if (unlikely(!oper_cfg.vpss_regs_base2)) {
++              release_mem_region(VPSS_CLK_CTRL, 4);
++              return -ENOMEM;
++      }
++
+       writel(VPSS_CLK_CTRL_VENCCLKEN |
+                    VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
+-- 
+2.20.1
+
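Review bot: The added check in vpss_init() wraps its test in `unlikely()`, which buys nothing on a one-shot `__init` path; a plain `if (!oper_cfg.vpss_regs_base2) {` reads better. The region length is also a bare `4` in both `ioremap(VPSS_CLK_CTRL, 4)` and the new `release_mem_region(VPSS_CLK_CTRL, 4)`, so the map and release sizes are kept equal only by hand. A named constant for the length would remove that risk. The start of vpss_init() is outside the hunk.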
diff --git a/queue-4.4/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch b/queue-4.4/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
new file mode 100644 (file)
index 0000000..78adea3
--- /dev/null
@@ -0,0 +1,100 @@
+From 530a47d1d1baff7c9a447da2f9f8257ac4bc7e4c Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 30 May 2019 03:25:49 -0400
+Subject: media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
+
+[ Upstream commit 69fbb3f47327d959830c94bf31893972b8c8f700 ]
+
+X-Originating-IP: [10.175.113.25]
+X-CFilter-Loop: Reflected
+The fm_v4l2_init_video_device() forget to unregister v4l2/video device
+in the error path, it could lead to UAF issue, eg,
+
+  BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+  BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+  BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+  Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
+
+  CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+  Call Trace:
+   __dump_stack lib/dump_stack.c:77 [inline]
+   dump_stack+0xa9/0x10e lib/dump_stack.c:113
+   print_address_description+0x65/0x270 mm/kasan/report.c:187
+   kasan_report+0x149/0x18d mm/kasan/report.c:317
+   atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+   atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+   __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+   fm_v4l2_fops_open+0xac/0x120 [fm_drv]
+   v4l2_open+0x191/0x390 [videodev]
+   chrdev_open+0x20d/0x570 fs/char_dev.c:417
+   do_dentry_open+0x700/0xf30 fs/open.c:777
+   do_last fs/namei.c:3416 [inline]
+   path_openat+0x7c4/0x2a90 fs/namei.c:3532
+   do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
+   do_sys_open+0x302/0x490 fs/open.c:1069
+   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  RIP: 0033:0x7f8180c17c8e
+  ...
+  Allocated by task 3642:
+   set_track mm/kasan/common.c:87 [inline]
+   __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+   fm_drv_init+0x13/0x1000 [fm_drv]
+   do_one_initcall+0xbc/0x47d init/main.c:901
+   do_init_module+0x1b5/0x547 kernel/module.c:3456
+   load_module+0x6405/0x8c10 kernel/module.c:3804
+   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+  Freed by task 3642:
+   set_track mm/kasan/common.c:87 [inline]
+   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+   slab_free_hook mm/slub.c:1429 [inline]
+   slab_free_freelist_hook mm/slub.c:1456 [inline]
+   slab_free mm/slub.c:3003 [inline]
+   kfree+0xe1/0x270 mm/slub.c:3958
+   fm_drv_init+0x1e6/0x1000 [fm_drv]
+   do_one_initcall+0xbc/0x47d init/main.c:901
+   do_init_module+0x1b5/0x547 kernel/module.c:3456
+   load_module+0x6405/0x8c10 kernel/module.c:3804
+   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Add relevant unregister functions to fix it.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+index fb42f0fd0c1f..add26eac1677 100644
+--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c
++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+@@ -553,6 +553,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+       /* Register with V4L2 subsystem as RADIO device */
+       if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) {
++              v4l2_device_unregister(&fmdev->v4l2_dev);
+               fmerr("Could not register video device\n");
+               return -ENOMEM;
+       }
+@@ -566,6 +567,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+       if (ret < 0) {
+               fmerr("(fmdev): Can't init ctrl handler\n");
+               v4l2_ctrl_handler_free(&fmdev->ctrl_handler);
++              video_unregister_device(fmdev->radio_dev);
++              v4l2_device_unregister(&fmdev->v4l2_dev);
+               return -EBUSY;
+       }
+-- 
+2.20.1
+
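Review bot: fm_v4l2_init_video_device() still calls `video_register_device()` before the control handler is initialised, so the device node can be opened from userspace while setup is unfinished. The KASAN trace in the commit message shows `v4l_id` in fm_v4l2_fops_open() touching memory that fm_drv_init() had freed. The added unregister calls clean up the error paths but leave that window open. Making `video_register_device()` the last step, after the control-handler setup, would close it; the lines between the two hunks are not shown, so the exact reordering has to be checked against the full function. Separately, both error paths return fixed codes (`-ENOMEM`, `-EBUSY`) instead of what the failing call reported; in the second one `return ret;` would preserve it.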
diff --git a/queue-4.4/mips-ath79-fix-ar933x-uart-parity-mode.patch b/queue-4.4/mips-ath79-fix-ar933x-uart-parity-mode.patch
new file mode 100644 (file)
index 0000000..52ec21f
--- /dev/null
@@ -0,0 +1,40 @@
+From 586842a740ace6cf84f58eca36adfbe47d3e1d88 Mon Sep 17 00:00:00 2001
+From: Stefan Hellermann <stefan@the2masters.de>
+Date: Mon, 17 Jun 2019 15:43:59 +0200
+Subject: MIPS: ath79: fix ar933x uart parity mode
+
+[ Upstream commit db13a5ba2732755cf13320f3987b77cf2a71e790 ]
+
+While trying to get the uart with parity working I found setting even
+parity enabled odd parity insted. Fix the register settings to match
+the datasheet of AR9331.
+
+A similar patch was created by 8devices, but not sent upstream.
+https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7c
+
+Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mach-ath79/ar933x_uart.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-ath79/ar933x_uart.h b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+index c2917b39966b..bba2c8837951 100644
+--- a/arch/mips/include/asm/mach-ath79/ar933x_uart.h
++++ b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+@@ -27,8 +27,8 @@
+ #define AR933X_UART_CS_PARITY_S               0
+ #define AR933X_UART_CS_PARITY_M               0x3
+ #define         AR933X_UART_CS_PARITY_NONE    0
+-#define         AR933X_UART_CS_PARITY_ODD     1
+-#define         AR933X_UART_CS_PARITY_EVEN    2
++#define         AR933X_UART_CS_PARITY_ODD     2
++#define         AR933X_UART_CS_PARITY_EVEN    3
+ #define AR933X_UART_CS_IF_MODE_S      2
+ #define AR933X_UART_CS_IF_MODE_M      0x3
+ #define         AR933X_UART_CS_IF_MODE_NONE   0
+-- 
+2.20.1
+
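Review bot: After this change the two-bit parity field (`AR933X_UART_CS_PARITY_M` is 0x3) has names for 0, 2 and 3 while 1 is left unnamed, and nothing beside the defines says why. The numbers suggest one bit enables parity and the other selects even, but that is a guess; the commit message only says the values now match the AR9331 datasheet. A comment above the group, such as `/* Parity field values per the AR9331 datasheet */`, together with a word on what value 1 means, would stop a later reader from renumbering the gap.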
diff --git a/queue-4.4/mips-fix-build-on-non-linux-hosts.patch b/queue-4.4/mips-fix-build-on-non-linux-hosts.patch
new file mode 100644 (file)
index 0000000..3e93a40
--- /dev/null
@@ -0,0 +1,67 @@
+From 9e6fd761317cf19e0e353852daf7313c4f718a1a Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Date: Wed, 19 Jun 2019 15:08:18 +0100
+Subject: MIPS: fix build on non-linux hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae ]
+
+calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment
+purposes.  It included "../../../../include/linux/sizes.h" to define
+that size, however "sizes.h" tries to include <linux/const.h> which
+assumes linux system headers.  These may not exist eg. the following
+error was encountered when building Linux for OpenWrt under macOS:
+
+In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16:
+arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found
+         ^~~~~~~~~~
+
+Change makefile to force building on local linux headers instead of
+system headers.  Also change eye-watering relative reference in include
+file spec.
+
+Thanks to Jo-Philip Wich & Petr Štetiar for assistance in tracking this
+down & fixing.
+
+Suggested-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/compressed/Makefile                 | 2 ++
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile
+index d5bdee115f22..d4918a2bca1b 100644
+--- a/arch/mips/boot/compressed/Makefile
++++ b/arch/mips/boot/compressed/Makefile
+@@ -66,6 +66,8 @@ OBJCOPYFLAGS_piggy.o := --add-section=.image=$(obj)/vmlinux.bin.z \
+ $(obj)/piggy.o: $(obj)/dummy.o $(obj)/vmlinux.bin.z FORCE
+       $(call if_changed,objcopy)
++HOSTCFLAGS_calc_vmlinuz_load_addr.o += $(LINUXINCLUDE)
++
+ # Calculate the load address of the compressed kernel image
+ hostprogs-y := calc_vmlinuz_load_addr
+diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+index 542c3ede9722..d14f75ec8273 100644
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,7 +13,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+-#include "../../../../include/linux/sizes.h"
++#include <linux/sizes.h>
+ int main(int argc, char *argv[])
+ {
+-- 
+2.20.1
+
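Review bot: `HOSTCFLAGS_calc_vmlinuz_load_addr.o += $(LINUXINCLUDE)` puts the kernel's include path on a host-compiled tool for the sake of one constant, and the Makefile gives no reason for it. The commit message says the tool only needs SZ_64K from `sizes.h`. With the tree's headers on the host compiler's search path, a later `#include <linux/...>` in this tool will presumably resolve to the tree rather than the build host, which is easy to miss. I would add a comment above the line: `# calc_vmlinuz_load_addr.c takes SZ_64K from the tree's <linux/sizes.h>, not from host headers`.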
diff --git a/queue-4.4/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch b/queue-4.4/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
new file mode 100644 (file)
index 0000000..5e749e9
--- /dev/null
@@ -0,0 +1,114 @@
+From 95b7fff8efb50e1a8b76a38ca6a0474b946996a8 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:09 +0200
+Subject: mt7601u: do not schedule rx_tasklet when the device has been
+ disconnected
+
+[ Upstream commit 4079e8ccabc3b6d1b503f2376123cb515d14921f ]
+
+Do not schedule rx_tasklet when the usb dongle is disconnected.
+Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb
+can run concurrently with urb completion and we can unlink urbs from rx
+ring in any order.
+This patch fixes the common kernel warning reported when
+the device is removed.
+
+[   24.921354] usb 3-14: USB disconnect, device number 7
+[   24.921593] ------------[ cut here ]------------
+[   24.921594] RX urb mismatch
+[   24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[   24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G           OE     4.19.31-041931-generic #201903231635
+[   24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
+[   24.921782] Workqueue: usb_hub_wq hub_event
+[   24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[   24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
+[   24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
+[   24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
+[   24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
+[   24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
+[   24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
+[   24.921807] FS:  0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
+[   24.921808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
+[   24.921809] Call Trace:
+[   24.921812]  <IRQ>
+[   24.921819]  __usb_hcd_giveback_urb+0x8b/0x140
+[   24.921821]  usb_hcd_giveback_urb+0xca/0xe0
+[   24.921828]  xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
+[   24.921834]  handle_cmd_completion+0xe02/0x10d0
+[   24.921837]  xhci_irq+0x274/0x4a0
+[   24.921838]  xhci_msi_irq+0x11/0x20
+[   24.921851]  __handle_irq_event_percpu+0x44/0x190
+[   24.921856]  handle_irq_event_percpu+0x32/0x80
+[   24.921861]  handle_irq_event+0x3b/0x5a
+[   24.921867]  handle_edge_irq+0x80/0x190
+[   24.921874]  handle_irq+0x20/0x30
+[   24.921889]  do_IRQ+0x4e/0xe0
+[   24.921891]  common_interrupt+0xf/0xf
+[   24.921892]  </IRQ>
+[   24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
+[   24.921354] usb 3-14: USB disconnect, device number 7
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 33 +++++++++++----------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index 57a80cfa39b1..6ba30129a3d8 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -193,10 +193,23 @@ static void mt7601u_complete_rx(struct urb *urb)
+       struct mt7601u_rx_queue *q = &dev->rx_q;
+       unsigned long flags;
+-      spin_lock_irqsave(&dev->rx_lock, flags);
++      /* do no schedule rx tasklet if urb has been unlinked
++       * or the device has been removed
++       */
++      switch (urb->status) {
++      case -ECONNRESET:
++      case -ESHUTDOWN:
++      case -ENOENT:
++              return;
++      default:
++              dev_err_ratelimited(dev->dev, "rx urb failed: %d\n",
++                                  urb->status);
++              /* fall through */
++      case 0:
++              break;
++      }
+-      if (mt7601u_urb_has_error(urb))
+-              dev_err(dev->dev, "Error: RX urb failed:%d\n", urb->status);
++      spin_lock_irqsave(&dev->rx_lock, flags);
+       if (WARN_ONCE(q->e[q->end].urb != urb, "RX urb mismatch"))
+               goto out;
+@@ -363,19 +376,9 @@ int mt7601u_dma_enqueue_tx(struct mt7601u_dev *dev, struct sk_buff *skb,
+ static void mt7601u_kill_rx(struct mt7601u_dev *dev)
+ {
+       int i;
+-      unsigned long flags;
+-      spin_lock_irqsave(&dev->rx_lock, flags);
+-
+-      for (i = 0; i < dev->rx_q.entries; i++) {
+-              int next = dev->rx_q.end;
+-
+-              spin_unlock_irqrestore(&dev->rx_lock, flags);
+-              usb_poison_urb(dev->rx_q.e[next].urb);
+-              spin_lock_irqsave(&dev->rx_lock, flags);
+-      }
+-
+-      spin_unlock_irqrestore(&dev->rx_lock, flags);
++      for (i = 0; i < dev->rx_q.entries; i++)
++              usb_poison_urb(dev->rx_q.e[i].urb);
+ }
+ static int mt7601u_submit_rx_buf(struct mt7601u_dev *dev,
+-- 
+2.20.1
+
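Review bot: In the new `switch (urb->status)` in mt7601u_complete_rx(), `default:` sits above `case 0:` and falls through into it, so a URB that failed with any status other than the three listed is logged and then enters the locked section like a successful one. The old code also only logged, but the layout hides that this is deliberate; whether the RX tasklet looks at the status again is outside the hunk. Putting `case 0:` first and ending `default:` with its own `break;` and a comment such as `/* other errors: log, still hand the urb to the tasklet */` makes the intent explicit. The comment above the switch also reads "do no schedule" where "do not schedule" is meant.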
diff --git a/queue-4.4/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch b/queue-4.4/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
new file mode 100644 (file)
index 0000000..e2f9687
--- /dev/null
@@ -0,0 +1,125 @@
+From 34dabb5a762948efa778662b635c25fddfe6f94a Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:10 +0200
+Subject: mt7601u: fix possible memory leak when the device is disconnected
+
+[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ]
+
+When the device is disconnected while passing traffic it is possible
+to receive out of order urbs causing a memory leak since the skb linked
+to the current tx urb is not removed. Fix the issue deallocating the skb
+cleaning up the tx ring. Moreover this patch fixes the following kernel
+warning
+
+[   57.480771] usb 1-1: USB disconnect, device number 2
+[   57.483451] ------------[ cut here ]------------
+[   57.483462] TX urb mismatch
+[   57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
+[   57.483483] Modules linked in:
+[   57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
+[   57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[   57.483502] Workqueue: usb_hub_wq hub_event
+[   57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
+[   57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
+[   57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
+[   57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
+[   57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
+[   57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
+[   57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
+[   57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
+[   57.483548] FS:  0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
+[   57.483550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
+[   57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   57.483559] Call Trace:
+[   57.483561]  <IRQ>
+[   57.483565]  __usb_hcd_giveback_urb+0x77/0xe0
+[   57.483570]  xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
+[   57.483574]  handle_cmd_completion+0xf5b/0x12c0
+[   57.483577]  xhci_irq+0x1f6/0x1810
+[   57.483581]  ? lockdep_hardirqs_on+0x9e/0x180
+[   57.483584]  ? _raw_spin_unlock_irq+0x24/0x30
+[   57.483588]  __handle_irq_event_percpu+0x3a/0x260
+[   57.483592]  handle_irq_event_percpu+0x1c/0x60
+[   57.483595]  handle_irq_event+0x2f/0x4c
+[   57.483599]  handle_edge_irq+0x7e/0x1a0
+[   57.483603]  handle_irq+0x17/0x20
+[   57.483607]  do_IRQ+0x54/0x110
+[   57.483610]  common_interrupt+0xf/0xf
+[   57.483612]  </IRQ>
+
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++-----
+ drivers/net/wireless/mediatek/mt7601u/tx.c  |  4 ++--
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index 6ba30129a3d8..3d0b9324d5bf 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -241,14 +241,25 @@ static void mt7601u_complete_tx(struct urb *urb)
+       struct sk_buff *skb;
+       unsigned long flags;
+-      spin_lock_irqsave(&dev->tx_lock, flags);
++      switch (urb->status) {
++      case -ECONNRESET:
++      case -ESHUTDOWN:
++      case -ENOENT:
++              return;
++      default:
++              dev_err_ratelimited(dev->dev, "tx urb failed: %d\n",
++                                  urb->status);
++              /* fall through */
++      case 0:
++              break;
++      }
+-      if (mt7601u_urb_has_error(urb))
+-              dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status);
++      spin_lock_irqsave(&dev->tx_lock, flags);
+       if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch"))
+               goto out;
+       skb = q->e[q->start].skb;
++      q->e[q->start].skb = NULL;
+       trace_mt_tx_dma_done(dev, skb);
+       __skb_queue_tail(&dev->tx_skb_done, skb);
+@@ -448,10 +459,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q)
+ {
+       int i;
+-      WARN_ON(q->used);
+-
+       for (i = 0; i < q->entries; i++)  {
+               usb_poison_urb(q->e[i].urb);
++              if (q->e[i].skb)
++                      mt7601u_tx_status(q->dev, q->e[i].skb);
+               usb_free_urb(q->e[i].urb);
+       }
+ }
+diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c
+index a0a33dc8f6bc..a1b6db2a8937 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/tx.c
++++ b/drivers/net/wireless/mediatek/mt7601u/tx.c
+@@ -117,9 +117,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb)
+       info->status.rates[0].idx = -1;
+       info->flags |= IEEE80211_TX_STAT_ACK;
+-      spin_lock(&dev->mac_lock);
++      spin_lock_bh(&dev->mac_lock);
+       ieee80211_tx_status(dev->hw, skb);
+-      spin_unlock(&dev->mac_lock);
++      spin_unlock_bh(&dev->mac_lock);
+ }
+ static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb)
+-- 
+2.20.1
+
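Review bot: mt7601u_free_tx_queue() now hands every skb still in the ring to mt7601u_tx_status(), and the context lines of the tx.c hunk show that function setting `IEEE80211_TX_STAT_ACK` before calling ieee80211_tx_status(). Frames that never completed are therefore reported to mac80211 as acknowledged at teardown. If that is the intended way to release them, a comment at the call would say so, e.g. `/* device is gone: complete the pending skb so it is not leaked */`; otherwise a release path that does not claim an ACK would be more accurate. The hunk also drops `WARN_ON(q->used);` without a replacement. It leaves `q->e[i].skb` set after the hand-off as well, unlike the `q->e[q->start].skb = NULL;` added to the completion handler.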
diff --git a/queue-4.4/net-axienet-fix-race-condition-causing-tx-hang.patch b/queue-4.4/net-axienet-fix-race-condition-causing-tx-hang.patch
new file mode 100644 (file)
index 0000000..5aa8dbd
--- /dev/null
@@ -0,0 +1,64 @@
+From 82f1532fbcedde16edbd809d85a394c514153c54 Mon Sep 17 00:00:00 2001
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Thu, 6 Jun 2019 16:28:17 -0600
+Subject: net: axienet: Fix race condition causing TX hang
+
+[ Upstream commit 7de44285c1f69ccfbe8be1d6a16fcd956681fee6 ]
+
+It is possible that the interrupt handler fires and frees up space in
+the TX ring in between checking for sufficient TX ring space and
+stopping the TX queue in axienet_start_xmit. If this happens, the
+queue wake from the interrupt handler will occur before the queue is
+stopped, causing a lost wakeup and the adapter's transmit hanging.
+
+To avoid this, after stopping the queue, check again whether there is
+sufficient space in the TX ring. If so, wake up the queue again.
+
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 20 ++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 58ba579793f8..f1e969128a4e 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -613,6 +613,10 @@ static void axienet_start_xmit_done(struct net_device *ndev)
+       ndev->stats.tx_packets += packets;
+       ndev->stats.tx_bytes += size;
++
++      /* Matches barrier in axienet_start_xmit */
++      smp_mb();
++
+       netif_wake_queue(ndev);
+ }
+@@ -667,9 +671,19 @@ static int axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+       cur_p = &lp->tx_bd_v[lp->tx_bd_tail];
+       if (axienet_check_tx_bd_space(lp, num_frag)) {
+-              if (!netif_queue_stopped(ndev))
+-                      netif_stop_queue(ndev);
+-              return NETDEV_TX_BUSY;
++              if (netif_queue_stopped(ndev))
++                      return NETDEV_TX_BUSY;
++
++              netif_stop_queue(ndev);
++
++              /* Matches barrier in axienet_start_xmit_done */
++              smp_mb();
++
++              /* Space might have just been freed - check again */
++              if (axienet_check_tx_bd_space(lp, num_frag))
++                      return NETDEV_TX_BUSY;
++
++              netif_wake_queue(ndev);
+       }
+       if (skb->ip_summed == CHECKSUM_PARTIAL) {
+-- 
+2.20.1
+
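Review bot: The two `smp_mb()` comments in axienet_start_xmit() and axienet_start_xmit_done() only point at each other and do not say which accesses they order. From the hunks, the transmit side needs the queue stop visible before it re-reads ring space, and the completion side presumably needs its ring updates (outside the hunk) visible before `netif_wake_queue()`. Spelling that out in one of them, e.g. `/* order the queue stop before re-checking ring space; pairs with smp_mb() in axienet_start_xmit_done() */`, would let a later change be checked against it. As a style point, the re-check path calls `netif_wake_queue()` from inside the transmit handler, where `netif_start_queue()` is the more usual call.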
diff --git a/queue-4.4/net-fec-do-not-use-netdev-messages-too-early.patch b/queue-4.4/net-fec-do-not-use-netdev-messages-too-early.patch
new file mode 100644 (file)
index 0000000..3aff22f
--- /dev/null
@@ -0,0 +1,50 @@
+From aadfaddcb2ab76bf6ad39097a776372bd397fff5 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 6 Jun 2019 09:40:33 -0300
+Subject: net: fec: Do not use netdev messages too early
+
+[ Upstream commit a19a0582363b9a5f8ba812f34f1b8df394898780 ]
+
+When a valid MAC address is not found the current messages
+are shown:
+
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
+
+Since the network device has not been registered at this point, it is better
+to use dev_err()/dev_info() instead, which will provide cleaner log
+messages like these:
+
+fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
+
+Tested on a imx6dl-pico-pi board.
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index ae8e4fc22e7b..0ee164d09f39 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1699,10 +1699,10 @@ static void fec_get_mac(struct net_device *ndev)
+        */
+       if (!is_valid_ether_addr(iap)) {
+               /* Report it and use a random ethernet address instead */
+-              netdev_err(ndev, "Invalid MAC address: %pM\n", iap);
++              dev_err(&fep->pdev->dev, "Invalid MAC address: %pM\n", iap);
+               eth_hw_addr_random(ndev);
+-              netdev_info(ndev, "Using random MAC address: %pM\n",
+-                          ndev->dev_addr);
++              dev_info(&fep->pdev->dev, "Using random MAC address: %pM\n",
++                       ndev->dev_addr);
+               return;
+       }
+-- 
+2.20.1
+
diff --git a/queue-4.4/net-phy-check-against-net_device-being-null.patch b/queue-4.4/net-phy-check-against-net_device-being-null.patch
new file mode 100644 (file)
index 0000000..b6e9c39
--- /dev/null
@@ -0,0 +1,48 @@
+From dceba4857e8cafde6aff896ba820bfd2c8428586 Mon Sep 17 00:00:00 2001
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+Date: Tue, 28 May 2019 20:38:09 +0300
+Subject: net: phy: Check against net_device being NULL
+
+[ Upstream commit 82c76aca81187b3d28a6fb3062f6916450ce955e ]
+
+In general, we don't want MAC drivers calling phy_attach_direct with the
+net_device being NULL. Add checks against this in all the functions
+calling it: phy_attach() and phy_connect_direct().
+
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 70f26b30729c..c6a87834723d 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -472,6 +472,9 @@ int phy_connect_direct(struct net_device *dev, struct phy_device *phydev,
+ {
+       int rc;
++      if (!dev)
++              return -EINVAL;
++
+       rc = phy_attach_direct(dev, phydev, phydev->dev_flags, interface);
+       if (rc)
+               return rc;
+@@ -704,6 +707,9 @@ struct phy_device *phy_attach(struct net_device *dev, const char *bus_id,
+       struct device *d;
+       int rc;
++      if (!dev)
++              return ERR_PTR(-EINVAL);
++
+       /* Search the list of PHY devices on the mdio bus for the
+        * PHY with the requested name
+        */
+-- 
+2.20.1
+
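Review bot: phy_connect_direct() now returns -EINVAL for a NULL `dev`, but the very next statement still reads `phydev->dev_flags` with no equivalent check, so the guard covers only one of the two pointer arguments. If a NULL `phydev` is excluded by contract, a comment saying so would make the asymmetry deliberate; otherwise `if (!dev || !phydev)` would cover both. The new error returns (-EINVAL here, `ERR_PTR(-EINVAL)` in phy_attach()) should also be mentioned in the functions' header comments, which are outside these hunks.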
diff --git a/queue-4.4/net-stmmac-dwmac1000-clear-unused-address-entries.patch b/queue-4.4/net-stmmac-dwmac1000-clear-unused-address-entries.patch
new file mode 100644 (file)
index 0000000..a11ca4f
--- /dev/null
@@ -0,0 +1,43 @@
+From 4293c60f7f1a47a2bc3117b70522a7ba3a7eb73f Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:21 +0200
+Subject: net: stmmac: dwmac1000: Clear unused address entries
+
+[ Upstream commit 9463c445590091202659cdfdd44b236acadfbd84 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+index 371a669d69fd..1df84c8de9d7 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -187,6 +187,12 @@ static void dwmac1000_set_filter(struct mac_device_info *hw,
+                                           GMAC_ADDR_LOW(reg));
+                       reg++;
+               }
++
++              while (reg <= perfect_addr_number) {
++                      writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++                      writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++                      reg++;
++              }
+       }
+ #ifdef FRAME_FILTER_DEBUG
+-- 
+2.20.1
+
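Review bot: The clearing loop added to dwmac1000_set_filter() runs while `reg <= perfect_addr_number`, so it also writes GMAC_ADDR_HIGH/LOW for index `perfect_addr_number` itself; whether that index is a real register pair depends on how `perfect_addr_number` is derived, which is outside this hunk. If the value counts the available perfect-filter entries with entry 0 included, the last iteration writes one pair past the filter table and the bound should be `while (reg < perfect_addr_number) {`. A short comment such as `/* zero the remaining perfect-filter slots so stale addresses stop matching */` would also record why the loop exists. The function starts and ends outside the hunk.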
diff --git a/queue-4.4/ntp-limit-tai-utc-offset.patch b/queue-4.4/ntp-limit-tai-utc-offset.patch
new file mode 100644 (file)
index 0000000..3082db4
--- /dev/null
@@ -0,0 +1,55 @@
+From 4854f22d91d39968a006a02dbc4ab200aa1e2b50 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Tue, 18 Jun 2019 17:47:13 +0200
+Subject: ntp: Limit TAI-UTC offset
+
+[ Upstream commit d897a4ab11dc8a9fda50d2eccc081a96a6385998 ]
+
+Don't allow the TAI-UTC offset of the system clock to be set by adjtimex()
+to a value larger than 100000 seconds.
+
+This prevents an overflow in the conversion to int, prevents the CLOCK_TAI
+clock from getting too far ahead of the CLOCK_REALTIME clock, and it is
+still large enough to allow leap seconds to be inserted at the maximum rate
+currently supported by the kernel (once per day) for the next ~270 years,
+however unlikely it is that someone can survive a catastrophic event which
+slowed down the rotation of the Earth so much.
+
+Reported-by: Weikang shi <swkhack@gmail.com>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Link: https://lkml.kernel.org/r/20190618154713.20929-1-mlichvar@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/ntp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 0e0dc5d89911..bbe767b1f454 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -39,6 +39,7 @@ static u64                   tick_length_base;
+ #define MAX_TICKADJ           500LL           /* usecs */
+ #define MAX_TICKADJ_SCALED \
+       (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
++#define MAX_TAI_OFFSET                100000
+ /*
+  * phase-lock loop variables
+@@ -633,7 +634,8 @@ static inline void process_adjtimex_modes(struct timex *txc,
+               time_constant = max(time_constant, 0l);
+       }
+-      if (txc->modes & ADJ_TAI && txc->constant >= 0)
++      if (txc->modes & ADJ_TAI &&
++                      txc->constant >= 0 && txc->constant <= MAX_TAI_OFFSET)
+               *time_tai = txc->constant;
+       if (txc->modes & ADJ_OFFSET)
+-- 
+2.20.1
+
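Review bot: `MAX_TAI_OFFSET` is added without a unit, unlike `MAX_TICKADJ` directly above it, which carries `/* usecs */`; the commit message gives the limit in seconds, so `#define MAX_TAI_OFFSET 100000 /* seconds */` would keep that visible in the code. In process_adjtimex_modes() an ADJ_TAI request outside 0..MAX_TAI_OFFSET is skipped silently, as negative values already were, so as far as this hunk shows the caller gets no indication that the value was rejected; whether adjtimex() should report an error instead is worth deciding explicitly. The mixed `&`/`&&` condition is correct as written but would read more safely as `if ((txc->modes & ADJ_TAI) &&`. The function body continues outside the hunk.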
diff --git a/queue-4.4/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch b/queue-4.4/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
new file mode 100644 (file)
index 0000000..6eec167
--- /dev/null
@@ -0,0 +1,54 @@
+From ff519cdce8abde3a7697c36a536b4b51f5735b98 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 17 Jun 2019 14:32:53 -0300
+Subject: perf evsel: Make perf_evsel__name() accept a NULL argument
+
+[ Upstream commit fdbdd7e8580eac9bdafa532746c865644d125e34 ]
+
+In which case it simply returns "unknown", like when it can't figure out
+the evsel->name value.
+
+This makes this code more robust and fixes a problem in 'perf trace'
+where a NULL evsel was being passed to a routine that only used the
+evsel for printing its name when a invalid syscall id was passed.
+
+Reported-by: Leo Yan <leo.yan@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-f30ztaasku3z935cn3ak3h53@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/evsel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 97fde9275f42..a8507fee654b 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -491,6 +491,9 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+ {
+       char bf[128];
++      if (!evsel)
++              goto out_unknown;
++
+       if (evsel->name)
+               return evsel->name;
+@@ -527,7 +530,10 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+       evsel->name = strdup(bf);
+-      return evsel->name ?: "unknown";
++      if (evsel->name)
++              return evsel->name;
++out_unknown:
++      return "unknown";
+ }
+ const char *perf_evsel__group_name(struct perf_evsel *evsel)
+-- 
+2.20.1
+
diff --git a/queue-4.4/perf-test-6-fix-missing-kvm-module-load-for-s390.patch b/queue-4.4/perf-test-6-fix-missing-kvm-module-load-for-s390.patch
new file mode 100644 (file)
index 0000000..1f56984
--- /dev/null
@@ -0,0 +1,87 @@
+From 2061607bee6e2e4977ce618f7cc4acef9b25cf55 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 4 Jun 2019 07:35:04 +0200
+Subject: perf test 6: Fix missing kvm module load for s390
+
+[ Upstream commit 53fe307dfd309e425b171f6272d64296a54f4dff ]
+
+Command
+
+   # perf test -Fv 6
+
+fails with error
+
+   running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse
+    event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint'
+    event syntax error: 'kvm-s390:kvm_s390_create_vm'
+                         \___ unknown tracepoint
+
+when the kvm module is not loaded or not built in.
+
+Fix this by adding a valid function which tests if the module
+is loaded. Loaded modules (or builtin KVM support) have a
+directory named
+  /sys/kernel/debug/tracing/events/kvm-s390
+for this tracepoint.
+
+Check for existence of this directory.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/parse-events.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c
+index 54af2f2e2ee4..1a35ab044c11 100644
+--- a/tools/perf/tests/parse-events.c
++++ b/tools/perf/tests/parse-events.c
+@@ -12,6 +12,32 @@
+ #define PERF_TP_SAMPLE_TYPE (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | \
+                            PERF_SAMPLE_CPU | PERF_SAMPLE_PERIOD)
++#if defined(__s390x__)
++/* Return true if kvm module is available and loaded. Test this
++ * and retun success when trace point kvm_s390_create_vm
++ * exists. Otherwise this test always fails.
++ */
++static bool kvm_s390_create_vm_valid(void)
++{
++      char *eventfile;
++      bool rc = false;
++
++      eventfile = get_events_file("kvm-s390");
++
++      if (eventfile) {
++              DIR *mydir = opendir(eventfile);
++
++              if (mydir) {
++                      rc = true;
++                      closedir(mydir);
++              }
++              put_events_file(eventfile);
++      }
++
++      return rc;
++}
++#endif
++
+ static int test__checkevent_tracepoint(struct perf_evlist *evlist)
+ {
+       struct perf_evsel *evsel = perf_evlist__first(evlist);
+@@ -1561,6 +1587,7 @@ static struct evlist_test test__events[] = {
+       {
+               .name  = "kvm-s390:kvm_s390_create_vm",
+               .check = test__checkevent_tracepoint,
++              .valid = kvm_s390_create_vm_valid,
+               .id    = 100,
+       },
+ #endif
+-- 
+2.20.1
+
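Review bot: kvm_s390_create_vm_valid() depends on get_events_file(), put_events_file(), opendir()/closedir() and a `.valid` member of struct evlist_test, none of which is declared in these hunks. For a backport to the 4.4 queue it is worth confirming that this tree provides the helpers, the struct member and a `<dirent.h>` include before the patch is applied, since a missing one would only show up as a build failure of tools/perf on s390x. The comment above the function has a typo ("retun") and is hard to follow; `/* Return true if the kvm-s390 tracepoint directory exists, i.e. the kvm module is built in or loaded. */` says the same thing more directly.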
diff --git a/queue-4.4/rcu-force-inlining-of-rcu_read_lock.patch b/queue-4.4/rcu-force-inlining-of-rcu_read_lock.patch
new file mode 100644 (file)
index 0000000..dbf6161
--- /dev/null
@@ -0,0 +1,55 @@
+From 1ba69c4a2d5022312cc1d0071e549ba70443139f Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Tue, 21 May 2019 16:48:43 -0400
+Subject: rcu: Force inlining of rcu_read_lock()
+
+[ Upstream commit 6da9f775175e516fc7229ceaa9b54f8f56aa7924 ]
+
+When debugging options are turned on, the rcu_read_lock() function
+might not be inlined. This results in lockdep's print_lock() function
+printing "rcu_read_lock+0x0/0x70" instead of rcu_read_lock()'s caller.
+For example:
+
+[   10.579995] =============================
+[   10.584033] WARNING: suspicious RCU usage
+[   10.588074] 4.18.0.memcg_v2+ #1 Not tainted
+[   10.593162] -----------------------------
+[   10.597203] include/linux/rcupdate.h:281 Illegal context switch in
+RCU read-side critical section!
+[   10.606220]
+[   10.606220] other info that might help us debug this:
+[   10.606220]
+[   10.614280]
+[   10.614280] rcu_scheduler_active = 2, debug_locks = 1
+[   10.620853] 3 locks held by systemd/1:
+[   10.624632]  #0: (____ptrval____) (&type->i_mutex_dir_key#5){.+.+}, at: lookup_slow+0x42/0x70
+[   10.633232]  #1: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+[   10.640954]  #2: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+
+These "rcu_read_lock+0x0/0x70" strings are not providing any useful
+information.  This commit therefore forces inlining of the rcu_read_lock()
+function so that rcu_read_lock()'s caller is instead shown.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index addd03641e1a..0a93e9d1708e 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -852,7 +852,7 @@ static inline void rcu_preempt_sleep_check(void)
+  * read-side critical sections may be preempted and they may also block, but
+  * only when acquiring spinlocks that are subject to priority inheritance.
+  */
+-static inline void rcu_read_lock(void)
++static __always_inline void rcu_read_lock(void)
+ {
+       __rcu_read_lock();
+       __acquire(RCU);
+-- 
+2.20.1
+
diff --git a/queue-4.4/regmap-fix-bulk-writes-on-paged-registers.patch b/queue-4.4/regmap-fix-bulk-writes-on-paged-registers.patch
new file mode 100644 (file)
index 0000000..5bcb062
--- /dev/null
@@ -0,0 +1,42 @@
+From 83de584e1de770a02de02ca709f3fee6768acfda Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 12 Jun 2019 12:03:43 +0100
+Subject: regmap: fix bulk writes on paged registers
+
+[ Upstream commit db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b ]
+
+On buses like SlimBus and SoundWire which does not support
+gather_writes yet in regmap, A bulk write on paged register
+would be silently ignored after programming page.
+This is because local variable 'ret' value in regmap_raw_write_impl()
+gets reset to 0 once page register is written successfully and the
+code below checks for 'ret' value to be -ENOTSUPP before linearising
+the write buffer to send to bus->write().
+
+Fix this by resetting the 'ret' value to -ENOTSUPP in cases where
+gather_writes() is not supported or single register write is
+not possible.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index fd377b956199..77cabde977ed 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1358,6 +1358,8 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg,
+                                            map->format.reg_bytes +
+                                            map->format.pad_bytes,
+                                            val, val_len);
++      else
++              ret = -ENOTSUPP;
+       /* If that didn't work fall back on linearising by hand. */
+       if (ret == -ENOTSUPP) {
+-- 
+2.20.1
+
diff --git a/queue-4.4/rslib-fix-decoding-of-shortened-codes.patch b/queue-4.4/rslib-fix-decoding-of-shortened-codes.patch
new file mode 100644 (file)
index 0000000..0536594
--- /dev/null
@@ -0,0 +1,44 @@
+From 73d9f117f07ccbddb2aedcfab680ea92fdd66ce5 Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:34 +0300
+Subject: rslib: Fix decoding of shortened codes
+
+[ Upstream commit 2034a42d1747fc1e1eeef2c6f1789c4d0762cb9c ]
+
+The decoding of shortenend codes is broken. It only works as expected if
+there are no erasures.
+
+When decoding with erasures, Lambda (the error and erasure locator
+polynomial) is initialized from the given erasure positions. The pad
+parameter is not accounted for by the initialisation code, and hence
+Lambda is initialized from incorrect erasure positions.
+
+The fix is to adjust the erasure positions by the supplied pad.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-3-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 0ec3f257ffdf..8eed0f9ac495 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -99,9 +99,9 @@
+       if (no_eras > 0) {
+               /* Init lambda to be the erasure locator polynomial */
+               lambda[1] = alpha_to[rs_modnn(rs,
+-                                            prim * (nn - 1 - eras_pos[0]))];
++                                      prim * (nn - 1 - (eras_pos[0] + pad)))];
+               for (i = 1; i < no_eras; i++) {
+-                      u = rs_modnn(rs, prim * (nn - 1 - eras_pos[i]));
++                      u = rs_modnn(rs, prim * (nn - 1 - (eras_pos[i] + pad)));
+                       for (j = i + 1; j > 0; j--) {
+                               tmp = index_of[lambda[j - 1]];
+                               if (tmp != nn) {
+-- 
+2.20.1
+
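Review bot: The erasure positions are now offset by `pad` before being subtracted from `nn - 1`, but nothing in this hunk bounds `eras_pos[i] + pad` to at most `nn - 1`, so a caller-supplied position that is too large for the shortened code makes the argument of rs_modnn() negative. Whether rs_modnn() maps a negative value back into range is not visible here; if it does not, the result is used directly as an index into `alpha_to`. A range check on each `eras_pos[i]` next to the decoder's existing `pad` validation, or a comment stating that callers must pass positions below `nn - pad`, would close that off. The decoder body starts and ends outside the hunk.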
diff --git a/queue-4.4/rslib-fix-handling-of-of-caller-provided-syndrome.patch b/queue-4.4/rslib-fix-handling-of-of-caller-provided-syndrome.patch
new file mode 100644 (file)
index 0000000..95e55f9
--- /dev/null
@@ -0,0 +1,46 @@
+From 3c610bd76c9a3edae38496df02641a21859355fc Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:37 +0300
+Subject: rslib: Fix handling of of caller provided syndrome
+
+[ Upstream commit ef4d6a8556b637ad27c8c2a2cff1dda3da38e9a9 ]
+
+Check if the syndrome provided by the caller is zero, and act
+accordingly.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-6-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 8eed0f9ac495..a5d313381539 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -42,8 +42,18 @@
+       BUG_ON(pad < 0 || pad >= nn);
+       /* Does the caller provide the syndrome ? */
+-      if (s != NULL)
+-              goto decode;
++      if (s != NULL) {
++              for (i = 0; i < nroots; i++) {
++                      /* The syndrome is in index form,
++                       * so nn represents zero
++                       */
++                      if (s[i] != nn)
++                              goto decode;
++              }
++
++              /* syndrome is zero, no errors to correct  */
++              return 0;
++      }
+       /* form the syndromes; i.e., evaluate data(x) at roots of
+        * g(x) */
+-- 
+2.20.1
+
diff --git a/queue-4.4/s390-qdio-handle-pending-state-for-qebsm-devices.patch b/queue-4.4/s390-qdio-handle-pending-state-for-qebsm-devices.patch
new file mode 100644 (file)
index 0000000..5980dcf
--- /dev/null
@@ -0,0 +1,39 @@
+From 5901259fffe1afe6dda891afb1b0ede86a99733f Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 3 Jun 2019 07:47:04 +0200
+Subject: s390/qdio: handle PENDING state for QEBSM devices
+
+[ Upstream commit 04310324c6f482921c071444833e70fe861b73d9 ]
+
+When a CQ-enabled device uses QEBSM for SBAL state inspection,
+get_buf_states() can return the PENDING state for an Output Queue.
+get_outbound_buffer_frontier() isn't prepared for this, and any PENDING
+buffer will permanently stall all further completion processing on this
+Queue.
+
+This isn't a concern for non-QEBSM devices, as get_buf_states() for such
+devices will manually turn PENDING buffers into EMPTY ones.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/qdio_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index d64b401f3d05..8d7fc3b6ca63 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -752,6 +752,7 @@ static int get_outbound_buffer_frontier(struct qdio_q *q)
+       switch (state) {
+       case SLSB_P_OUTPUT_EMPTY:
++      case SLSB_P_OUTPUT_PENDING:
+               /* the adapter got it */
+               DBF_DEV_EVENT(DBF_INFO, q->irq_ptr,
+                       "out empty:%1d %02x", q->nr, count);
+-- 
+2.20.1
+
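Review bot: SLSB_P_OUTPUT_PENDING now falls into the SLSB_P_OUTPUT_EMPTY branch of get_outbound_buffer_frontier(), so the `"out empty:%1d %02x"` debug event and the `/* the adapter got it */` comment apply to PENDING buffers as well, which makes the trace ambiguous when someone is diagnosing a stalled queue. A comment on the new label, e.g. `/* QEBSM devices can report PENDING here; handle it like EMPTY */`, would document why the two states share a branch. The rest of the switch is outside the hunk.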
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..146d472
--- /dev/null
@@ -0,0 +1,57 @@
+mips-ath79-fix-ar933x-uart-parity-mode.patch
+mips-fix-build-on-non-linux-hosts.patch
+dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
+ath10k-do-not-send-probe-response-template-for-mesh.patch
+ath9k-check-for-errors-when-reading-srev-register.patch
+ath6kl-add-some-bounds-checking.patch
+ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
+batman-adv-fix-for-leaked-tvlv-handler.patch
+media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
+crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
+media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
+media-vpss-fix-a-potential-null-pointer-dereference.patch
+net-stmmac-dwmac1000-clear-unused-address-entries.patch
+signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
+signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
+af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
+xfrm-fix-xfrm-sel-prefix-length-validation.patch
+media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
+net-phy-check-against-net_device-being-null.patch
+tua6100-avoid-build-warnings.patch
+locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch
+media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
+cpupower-frequency-set-r-option-misses-the-last-cpu-.patch
+net-fec-do-not-use-netdev-messages-too-early.patch
+net-axienet-fix-race-condition-causing-tx-hang.patch
+s390-qdio-handle-pending-state-for-qebsm-devices.patch
+perf-test-6-fix-missing-kvm-module-load-for-s390.patch
+gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch
+gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
+regmap-fix-bulk-writes-on-paged-registers.patch
+bpf-silence-warning-messages-in-core.patch
+rcu-force-inlining-of-rcu_read_lock.patch
+xfrm-fix-sa-selector-validation.patch
+perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
+vhost_net-disable-zerocopy-by-default.patch
+edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch
+media-i2c-fix-warning-same-module-names.patch
+ntp-limit-tai-utc-offset.patch
+timer_list-guard-procfs-specific-code.patch
+acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
+media-coda-fix-mpeg2-sequence-number-handling.patch
+media-coda-increment-sequence-offset-for-the-last-re.patch
+mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
+x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
+mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
+ath10k-fix-pcie-device-wake-up-failed.patch
+rslib-fix-decoding-of-shortened-codes.patch
+rslib-fix-handling-of-of-caller-provided-syndrome.patch
+ixgbe-check-ddm-existence-in-transceiver-before-acce.patch
+edac-fix-global-out-of-bounds-write-when-setting-eda.patch
+bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
+bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
+bluetooth-6lowpan-search-for-destination-address-in-.patch
+bluetooth-check-state-in-l2cap_disconnect_rsp.patch
+bluetooth-validate-ble-connection-interval-updates.patch
+floppy-fix-div-by-zero-in-setup_format_params.patch
+floppy-fix-out-of-bounds-read-in-copy_buffer.patch
diff --git a/queue-4.4/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch b/queue-4.4/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
new file mode 100644 (file)
index 0000000..f591ffb
--- /dev/null
@@ -0,0 +1,52 @@
+From ec86d93ce747ccb2c5ed3b4c2017abb3edafcbc1 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:33:50 -0500
+Subject: signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of
+ force_sig
+
+[ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change).  The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal.  The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Namjae Jeon <namjae.jeon@samsung.com>
+Cc: Jeff Layton <jlayton@primarydata.com>
+Cc: Steve French <smfrench@gmail.com>
+Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"")
+Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 9cb72fd40eff..bc7c287a2e17 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2246,7 +2246,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
+       task = xchg(&server->tsk, NULL);
+       if (task)
+-              force_sig(SIGKILL, task);
++              send_sig(SIGKILL, task, 1);
+ }
+ static struct TCP_Server_Info *
+-- 
+2.20.1
+
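Review bot: The third argument of `send_sig(SIGKILL, task, 1)` in cifs_put_tcp_session() is a bare `1` whose meaning is not apparent at the call site; the same applies to `send_sig(SIGKILL, pid_ns->child_reaper, 1)` in the reboot_pid_ns() patch that follows. A short comment such as `/* priv=1: the signal originates from the kernel */` at both calls would make the intent clear to the next reader. Both functions extend beyond their hunks.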
diff --git a/queue-4.4/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch b/queue-4.4/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
new file mode 100644 (file)
index 0000000..a914107
--- /dev/null
@@ -0,0 +1,50 @@
+From 0d8645b76adf3bd106de66465ef5f1ea3d83d431 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:29:52 -0500
+Subject: signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
+
+[ Upstream commit f9070dc94542093fd516ae4ccea17ef46a4362c5 ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change).  The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal.  The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Daniel Lezcano <daniel.lezcano@free.fr>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Fixes: cf3f89214ef6 ("pidns: add reboot_pid_ns() to handle the reboot syscall")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/pid_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index 567ecc826bc8..6353372801f2 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -325,7 +325,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd)
+       }
+       read_lock(&tasklist_lock);
+-      force_sig(SIGKILL, pid_ns->child_reaper);
++      send_sig(SIGKILL, pid_ns->child_reaper, 1);
+       read_unlock(&tasklist_lock);
+       do_exit(0);
+-- 
+2.20.1
+
diff --git a/queue-4.4/timer_list-guard-procfs-specific-code.patch b/queue-4.4/timer_list-guard-procfs-specific-code.patch
new file mode 100644 (file)
index 0000000..46f8514
--- /dev/null
@@ -0,0 +1,89 @@
+From ff03f55b7da947982594a07385a9d2823cce4f03 Mon Sep 17 00:00:00 2001
+From: Nathan Huckleberry <nhuck@google.com>
+Date: Fri, 14 Jun 2019 11:16:04 -0700
+Subject: timer_list: Guard procfs specific code
+
+[ Upstream commit a9314773a91a1d3b36270085246a6715a326ff00 ]
+
+With CONFIG_PROC_FS=n the following warning is emitted:
+
+kernel/time/timer_list.c:361:36: warning: unused variable
+'timer_list_sops' [-Wunused-const-variable]
+   static const struct seq_operations timer_list_sops = {
+
+Add #ifdef guard around procfs specific code.
+
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: john.stultz@linaro.org
+Cc: sboyd@kernel.org
+Cc: clang-built-linux@googlegroups.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/534
+Link: https://lkml.kernel.org/r/20190614181604.112297-1-nhuck@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timer_list.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
+index 1407ed20ea93..b7c5d230b4b2 100644
+--- a/kernel/time/timer_list.c
++++ b/kernel/time/timer_list.c
+@@ -299,23 +299,6 @@ static inline void timer_list_header(struct seq_file *m, u64 now)
+       SEQ_printf(m, "\n");
+ }
+-static int timer_list_show(struct seq_file *m, void *v)
+-{
+-      struct timer_list_iter *iter = v;
+-
+-      if (iter->cpu == -1 && !iter->second_pass)
+-              timer_list_header(m, iter->now);
+-      else if (!iter->second_pass)
+-              print_cpu(m, iter->cpu, iter->now);
+-#ifdef CONFIG_GENERIC_CLOCKEVENTS
+-      else if (iter->cpu == -1 && iter->second_pass)
+-              timer_list_show_tickdevices_header(m);
+-      else
+-              print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
+-#endif
+-      return 0;
+-}
+-
+ void sysrq_timer_list_show(void)
+ {
+       u64 now = ktime_to_ns(ktime_get());
+@@ -334,6 +317,24 @@ void sysrq_timer_list_show(void)
+       return;
+ }
++#ifdef CONFIG_PROC_FS
++static int timer_list_show(struct seq_file *m, void *v)
++{
++      struct timer_list_iter *iter = v;
++
++      if (iter->cpu == -1 && !iter->second_pass)
++              timer_list_header(m, iter->now);
++      else if (!iter->second_pass)
++              print_cpu(m, iter->cpu, iter->now);
++#ifdef CONFIG_GENERIC_CLOCKEVENTS
++      else if (iter->cpu == -1 && iter->second_pass)
++              timer_list_show_tickdevices_header(m);
++      else
++              print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
++#endif
++      return 0;
++}
++
+ static void *move_iter(struct timer_list_iter *iter, loff_t offset)
+ {
+       for (; offset; offset--) {
+@@ -405,3 +406,4 @@ static int __init init_timer_list_procfs(void)
+       return 0;
+ }
+ __initcall(init_timer_list_procfs);
++#endif
+-- 
+2.20.1
+
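Review bot: The closing `#endif` added after `__initcall(init_timer_list_procfs);` carries no label, although the guard it closes opens far above it and encloses a nested `#ifdef CONFIG_GENERIC_CLOCKEVENTS` block inside timer_list_show(). Writing it as `#endif /* CONFIG_PROC_FS */` makes the pairing obvious to the next reader. The code between move_iter() and init_timer_list_procfs() lies outside the visible hunks, so this assumes no other conditional is left open there.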
diff --git a/queue-4.4/tua6100-avoid-build-warnings.patch b/queue-4.4/tua6100-avoid-build-warnings.patch
new file mode 100644 (file)
index 0000000..e269cd1
--- /dev/null
@@ -0,0 +1,94 @@
+From 0e4fd819d6e63e0ed0ea41941ba3e28e61332301 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 30 May 2019 11:36:15 -0700
+Subject: tua6100: Avoid build warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 621ccc6cc5f8d6730b740d31d4818227866c93c9 ]
+
+Rename _P to _P_VAL and _R to _R_VAL to avoid global
+namespace conflicts:
+
+drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
+drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
+ #define _P 32
+
+In file included from ./include/acpi/platform/aclinux.h:54,
+                 from ./include/acpi/platform/acenv.h:152,
+                 from ./include/acpi/acpi.h:22,
+                 from ./include/linux/acpi.h:34,
+                 from ./include/linux/i2c.h:17,
+                 from drivers/media/dvb-frontends/tua6100.h:30,
+                 from drivers/media/dvb-frontends/tua6100.c:32:
+./include/linux/ctype.h:14: note: this is the location of the previous definition
+ #define _P 0x10 /* punct */
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c
+index 029384d1fddd..7a3e91cda5df 100644
+--- a/drivers/media/dvb-frontends/tua6100.c
++++ b/drivers/media/dvb-frontends/tua6100.c
+@@ -80,8 +80,8 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+       struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 };
+       struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 };
+-#define _R 4
+-#define _P 32
++#define _R_VAL 4
++#define _P_VAL 32
+ #define _ri 4000000
+       // setup register 0
+@@ -96,14 +96,14 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+       else
+               reg1[1] = 0x0c;
+-      if (_P == 64)
++      if (_P_VAL == 64)
+               reg1[1] |= 0x40;
+       if (c->frequency >= 1525000)
+               reg1[1] |= 0x80;
+       // register 2
+-      reg2[1] = (_R >> 8) & 0x03;
+-      reg2[2] = _R;
++      reg2[1] = (_R_VAL >> 8) & 0x03;
++      reg2[2] = _R_VAL;
+       if (c->frequency < 1455000)
+               reg2[1] |= 0x1c;
+       else if (c->frequency < 1630000)
+@@ -115,18 +115,18 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+        * The N divisor ratio (note: c->frequency is in kHz, but we
+        * need it in Hz)
+        */
+-      prediv = (c->frequency * _R) / (_ri / 1000);
+-      div = prediv / _P;
++      prediv = (c->frequency * _R_VAL) / (_ri / 1000);
++      div = prediv / _P_VAL;
+       reg1[1] |= (div >> 9) & 0x03;
+       reg1[2] = div >> 1;
+       reg1[3] = (div << 7);
+-      priv->frequency = ((div * _P) * (_ri / 1000)) / _R;
++      priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL;
+       // Finally, calculate and store the value for A
+-      reg1[3] |= (prediv - (div*_P)) & 0x7f;
++      reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f;
+-#undef _R
+-#undef _P
++#undef _R_VAL
++#undef _P_VAL
+ #undef _ri
+       if (fe->ops.i2c_gate_ctrl)
+-- 
+2.20.1
+
diff --git a/queue-4.4/vhost_net-disable-zerocopy-by-default.patch b/queue-4.4/vhost_net-disable-zerocopy-by-default.patch
new file mode 100644 (file)
index 0000000..5903750
--- /dev/null
@@ -0,0 +1,43 @@
+From 8b8ffa69fd39c461545e46e02ca3717d33779c77 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 17 Jun 2019 05:20:54 -0400
+Subject: vhost_net: disable zerocopy by default
+
+[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ]
+
+Vhost_net was known to suffer from HOL[1] issues which is not easy to
+fix. Several downstream disable the feature by default. What's more,
+the datapath was split and datacopy path got the support of batching
+and XDP support recently which makes it faster than zerocopy part for
+small packets transmission.
+
+It looks to me that disable zerocopy by default is more
+appropriate. It cold be enabled by default again in the future if we
+fix the above issues.
+
+[1] https://patchwork.kernel.org/patch/3787671/
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 645b2197930e..f46317135224 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -30,7 +30,7 @@
+ #include "vhost.h"
+-static int experimental_zcopytx = 1;
++static int experimental_zcopytx = 0;
+ module_param(experimental_zcopytx, int, 0444);
+ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
+                                      " 1 -Enable; 0 - Disable");
+-- 
+2.20.1
+
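Review bot: The parameter description below the changed initialiser still does not say which value is the default, so after this flip an administrator reading the module's parameter help cannot tell that zerocopy TX is now off unless requested. Stating it in the string, for example `" 1 -Enable; 0 - Disable (default)"`, would document the new behaviour where operators look for it. The explicit `= 0` is also redundant for a static int, and kernel style normally leaves it out: `static int experimental_zcopytx;`.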
diff --git a/queue-4.4/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch b/queue-4.4/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
new file mode 100644 (file)
index 0000000..3f28909
--- /dev/null
@@ -0,0 +1,52 @@
+From fd2fb42b709995a9980ad25fa13f5b5ad1401429 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 25 Jun 2019 16:26:22 +0900
+Subject: x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
+
+[ Upstream commit bc53d3d777f81385c1bb08b07bd1c06450ecc2c1 ]
+
+Without 'set -e', shell scripts continue running even after any
+error occurs. The missed 'set -e' is a typical bug in shell scripting.
+
+For example, when a disk space shortage occurs while this script is
+running, it actually ends up with generating a truncated capflags.c.
+
+Yet, mkcapflags.sh continues running and exits with 0. So, the build
+system assumes it has succeeded.
+
+It will not be re-generated in the next invocation of Make since its
+timestamp is newer than that of any of the source files.
+
+Add 'set -e' so that any error in this script is caught and propagated
+to the build system.
+
+Since 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special target"),
+make automatically deletes the target on any failure. So, the broken
+capflags.c will be deleted automatically.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Link: https://lkml.kernel.org/r/20190625072622.17679-1-yamada.masahiro@socionext.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mkcapflags.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
+index 6988c74409a8..711b74e0e623 100644
+--- a/arch/x86/kernel/cpu/mkcapflags.sh
++++ b/arch/x86/kernel/cpu/mkcapflags.sh
+@@ -3,6 +3,8 @@
+ # Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
+ #
++set -e
++
+ IN=$1
+ OUT=$2
+-- 
+2.20.1
+
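Review bot: The automatic deletion of a truncated capflags.c that the description relies on comes from 9c2af1c7377a, and nothing on this page shows that the 4.4 tree carries that kbuild change. On this branch `set -e` may therefore only produce a failing exit status while the broken file stays in place with a fresh timestamp. It is worth confirming this before queueing, or checking that the script removes "$OUT" itself on failure; the rest of the script is outside the hunk. Note also that `set -e` acts only on the last command of a pipeline, so a failing earlier stage would still go unnoticed if the generator pipes its input. A one-line comment above the new line, such as `# Stop at the first failing command so make sees the error`, would record why it is there.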
diff --git a/queue-4.4/xfrm-fix-sa-selector-validation.patch b/queue-4.4/xfrm-fix-sa-selector-validation.patch
new file mode 100644 (file)
index 0000000..da63a91
--- /dev/null
@@ -0,0 +1,42 @@
+From 1a8df74a58c13124f78ce53ee9cbf3353b4f133c Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 14 Jun 2019 11:13:55 +0200
+Subject: xfrm: fix sa selector validation
+
+[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]
+
+After commit b38ff4075a80, the following command does not work anymore:
+$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
+  mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
+  'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
+
+In fact, the selector is not mandatory, allow the user to provide an empty
+selector.
+
+Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
+CC: Anirudh Gupta <anirudh.gupta@sophos.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 10fda9a39cc2..8cc2a9df84fd 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+       }
+       switch (p->sel.family) {
++      case AF_UNSPEC:
++              break;
++
+       case AF_INET:
+               if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+                       goto out;
+-- 
+2.20.1
+
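Review bot: The new `case AF_UNSPEC:` leaves `p->sel.prefixlen_d` and `p->sel.prefixlen_s` completely unchecked, so a request from userspace with an unspecified selector family and any prefix length now passes this switch. If the selector family is later defaulted to the SA family (that code is outside the hunk, so this is inferred), those lengths would be used against an address family they were never bounded for. A tighter form keeps the empty selector working while still validating: pick the family first, `u16 sel_family = p->sel.family; if (sel_family == AF_UNSPEC && !(p->flags & XFRM_STATE_AF_UNSPEC)) sel_family = p->family;`, then switch on `sel_family`, keeping a bare `break` only for the case that remains AF_UNSPEC. verify_newsa_info() begins and ends outside the hunk.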
diff --git a/queue-4.4/xfrm-fix-xfrm-sel-prefix-length-validation.patch b/queue-4.4/xfrm-fix-xfrm-sel-prefix-length-validation.patch
new file mode 100644 (file)
index 0000000..90eb005
--- /dev/null
@@ -0,0 +1,56 @@
+From 93242211e011a20ea8893d42c96375b6d45d03f6 Mon Sep 17 00:00:00 2001
+From: Anirudh Gupta <anirudhrudr@gmail.com>
+Date: Tue, 21 May 2019 20:59:47 +0530
+Subject: xfrm: Fix xfrm sel prefix length validation
+
+[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
+
+Family of src/dst can be different from family of selector src/dst.
+Use xfrm selector family to validate address prefix length,
+while verifying new sa from userspace.
+
+Validated patch with this command:
+ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
+reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
+0x1111016400000000000000000000000044440001 128 \
+sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
+
+Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
+Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index b04c03043976..10fda9a39cc2 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+       err = -EINVAL;
+       switch (p->family) {
++      case AF_INET:
++              break;
++
++      case AF_INET6:
++#if IS_ENABLED(CONFIG_IPV6)
++              break;
++#else
++              err = -EAFNOSUPPORT;
++              goto out;
++#endif
++
++      default:
++              goto out;
++      }
++
++      switch (p->sel.family) {
+       case AF_INET:
+               if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+                       goto out;
+-- 
+2.20.1
+
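Review bot: Two consecutive switches on similarly named fields now sit at this point in verify_newsa_info(), and nothing in the code says why `p->family` and `p->sel.family` are validated separately. A short comment above the first switch, e.g. `/* address family of the SA itself; the selector family may differ and is checked below */`, would carry the reasoning from the commit message into the source. The `AF_INET6` case also ends inside a preprocessor branch in both arms, so a reader has to check that neither arm falls through to `default`; a brief comment there would help as well. The function starts and ends outside the hunk.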