--- /dev/null
+From 76256eacb55f5fe6f970f58229fd209d3f69be12 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2019 01:38:58 +0000
+Subject: ceph: fix use-after-free on symlink traversal
+
+[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ]
+
+free the symlink body after the same RCU delay we have for freeing the
+struct inode itself, so that traversal during RCU pathwalk wouldn't step
+into freed memory.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 7a1df90c7771..7641fcf83ac8 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -472,6 +472,7 @@ static void ceph_i_callback(struct rcu_head *head)
+ struct inode *inode = container_of(head, struct inode, i_rcu);
+ struct ceph_inode_info *ci = ceph_inode(inode);
+
++ kfree(ci->i_symlink);
+ kmem_cache_free(ceph_inode_cachep, ci);
+ }
+
+@@ -503,7 +504,6 @@ void ceph_destroy_inode(struct inode *inode)
+ ceph_put_snap_realm(mdsc, realm);
+ }
+
+- kfree(ci->i_symlink);
+ while ((n = rb_first(&ci->i_fragtree)) != NULL) {
+ frag = rb_entry(n, struct ceph_inode_frag, node);
+ rb_erase(n, &ci->i_fragtree);
+--
+2.19.1
+
--- /dev/null
+From e0dbebd6ce259b7b0b6e0c572e2a20e0956b46e1 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Mon, 25 Mar 2019 15:16:47 +0000
+Subject: kconfig/[mn]conf: handle backspace (^H) key
+
+[ Upstream commit 9c38f1f044080392603c497ecca4d7d09876ff99 ]
+
+Backspace is not working on some terminal emulators which do not send the
+key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127).
+But currently only '^?' is handled. Let's also handle '^H' for those
+terminals.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ scripts/kconfig/lxdialog/inputbox.c | 3 ++-
+ scripts/kconfig/nconf.c | 2 +-
+ scripts/kconfig/nconf.gui.c | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
+index d58de1dc5360..510049a7bd1d 100644
+--- a/scripts/kconfig/lxdialog/inputbox.c
++++ b/scripts/kconfig/lxdialog/inputbox.c
+@@ -126,7 +126,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
+ case KEY_DOWN:
+ break;
+ case KEY_BACKSPACE:
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ if (pos) {
+ wattrset(dialog, dlg.inputbox.atr);
+ if (input_x == 0) {
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 984489ef2b46..e570f6c9b3ad 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -1046,7 +1046,7 @@ static int do_match(int key, struct match_state *state, int *ans)
+ state->match_direction = FIND_NEXT_MATCH_UP;
+ *ans = get_mext_match(state->pattern,
+ state->match_direction);
+- } else if (key == KEY_BACKSPACE || key == 127) {
++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) {
+ state->pattern[strlen(state->pattern)-1] = '\0';
+ adj_match_dir(&state->match_direction);
+ } else
+diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
+index 4b2f44c20caf..9a65035cf787 100644
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window,
+ case KEY_F(F_EXIT):
+ case KEY_F(F_BACK):
+ break;
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ case KEY_BACKSPACE:
+ if (cursor_position > 0) {
+ memmove(&result[cursor_position-1],
+--
+2.19.1
+
--- /dev/null
+From 35aeae47f2b407a6492cb5149b4bbd2ad6fa5822 Mon Sep 17 00:00:00 2001
+From: raymond pang <raymondpangxd@gmail.com>
+Date: Thu, 28 Mar 2019 12:19:25 +0000
+Subject: libata: fix using DMA buffers on stack
+
+[ Upstream commit dd08a8d9a66de4b54575c294a92630299f7e0fe7 ]
+
+When CONFIG_VMAP_STACK=y, __pa() returns incorrect physical address for
+a stack virtual address. Stack DMA buffers must be avoided.
+
+Signed-off-by: raymond pang <raymondpangxd@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/ata/libata-zpodd.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
+index 0ad96c647541..7017a81d53cf 100644
+--- a/drivers/ata/libata-zpodd.c
++++ b/drivers/ata/libata-zpodd.c
+@@ -51,38 +51,52 @@ static int eject_tray(struct ata_device *dev)
+ /* Per the spec, only slot type and drawer type ODD can be supported */
+ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
+ {
+- char buf[16];
++ char *buf;
+ unsigned int ret;
+- struct rm_feature_desc *desc = (void *)(buf + 8);
++ struct rm_feature_desc *desc;
+ struct ata_taskfile tf;
+ static const char cdb[] = { GPCMD_GET_CONFIGURATION,
+ 2, /* only 1 feature descriptor requested */
+ 0, 3, /* 3, removable medium feature */
+ 0, 0, 0,/* reserved */
+- 0, sizeof(buf),
++ 0, 16,
+ 0, 0, 0,
+ };
+
++ buf = kzalloc(16, GFP_KERNEL);
++ if (!buf)
++ return ODD_MECH_TYPE_UNSUPPORTED;
++ desc = (void *)(buf + 8);
++
+ ata_tf_init(dev, &tf);
+ tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
+ tf.command = ATA_CMD_PACKET;
+ tf.protocol = ATAPI_PROT_PIO;
+- tf.lbam = sizeof(buf);
++ tf.lbam = 16;
+
+ ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE,
+- buf, sizeof(buf), 0);
+- if (ret)
++ buf, 16, 0);
++ if (ret) {
++ kfree(buf);
+ return ODD_MECH_TYPE_UNSUPPORTED;
++ }
+
+- if (be16_to_cpu(desc->feature_code) != 3)
++ if (be16_to_cpu(desc->feature_code) != 3) {
++ kfree(buf);
+ return ODD_MECH_TYPE_UNSUPPORTED;
++ }
+
+- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1)
++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) {
++ kfree(buf);
+ return ODD_MECH_TYPE_SLOT;
+- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1)
++ } else if (desc->mech_type == 1 && desc->load == 0 &&
++ desc->eject == 1) {
++ kfree(buf);
+ return ODD_MECH_TYPE_DRAWER;
+- else
++ } else {
++ kfree(buf);
+ return ODD_MECH_TYPE_UNSUPPORTED;
++ }
+ }
+
+ /* Test if ODD is zero power ready by sense code */
+--
+2.19.1
+
--- /dev/null
+From f32e8b1f2d51402bed35c4a8833fd4aa62054eb8 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 22 Mar 2019 11:04:08 +0800
+Subject: net: ibm: fix possible object reference leak
+
+[ Upstream commit be693df3cf9dd113ff1d2c0d8150199efdba37f6 ]
+
+The call to ehea_get_eth_dn returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/net/ethernet/ibm/ehea/ehea_main.c:3163:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3154, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Douglas Miller <dougmill@linux.ibm.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ehea/ehea_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+index 566b17db135a..a718066bb99f 100644
+--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+@@ -3183,6 +3183,7 @@ static ssize_t ehea_probe_port(struct device *dev,
+
+ if (ehea_add_adapter_mr(adapter)) {
+ pr_err("creating MR failed\n");
++ of_node_put(eth_dn);
+ return -EIO;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From c8fd2241b41efaa127d5f467cbfdb9eab70cde14 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Delay requesting IRQ until opened
+
+[ Upstream commit d268f31552794abf5b6aa5af31021643411f25f5 ]
+
+The ks8851 driver currently requests the IRQ before registering the
+net_device. Because the net_device name is used as IRQ name and is
+still "eth%d" when the IRQ is requested, it's impossibe to tell IRQs
+apart if multiple ks8851 chips are present. Most other drivers delay
+requesting the IRQ until the net_device is opened. Do the same.
+
+The driver doesn't enable interrupts on the chip before opening the
+net_device and disables them when closing it, so there doesn't seem to
+be a need to request the IRQ already on probe.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index e218e45dcf35..f90a1396535a 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -797,6 +797,15 @@ static void ks8851_tx_work(struct work_struct *work)
+ static int ks8851_net_open(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
++ int ret;
++
++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
++ IRQF_TRIGGER_LOW | IRQF_ONESHOT,
++ dev->name, ks);
++ if (ret < 0) {
++ netdev_err(dev, "failed to get irq\n");
++ return ret;
++ }
+
+ /* lock the card, even if we may not actually be doing anything
+ * else at the moment */
+@@ -911,6 +920,8 @@ static int ks8851_net_stop(struct net_device *dev)
+ dev_kfree_skb(txb);
+ }
+
++ free_irq(dev->irq, ks);
++
+ return 0;
+ }
+
+@@ -1542,14 +1553,6 @@ static int ks8851_probe(struct spi_device *spi)
+ ks8851_read_selftest(ks);
+ ks8851_init_mac(ks);
+
+- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq,
+- IRQF_TRIGGER_LOW | IRQF_ONESHOT,
+- ndev->name, ks);
+- if (ret < 0) {
+- dev_err(&spi->dev, "failed to get irq\n");
+- goto err_irq;
+- }
+-
+ ret = register_netdev(ndev);
+ if (ret) {
+ dev_err(&spi->dev, "failed to register network device\n");
+@@ -1562,11 +1565,7 @@ static int ks8851_probe(struct spi_device *spi)
+
+ return 0;
+
+-
+ err_netdev:
+- free_irq(ndev->irq, ks);
+-
+-err_irq:
+ err_id:
+ if (gpio_is_valid(gpio))
+ gpio_set_value(gpio, 0);
+@@ -1587,7 +1586,6 @@ static int ks8851_remove(struct spi_device *spi)
+ dev_info(&spi->dev, "remove\n");
+
+ unregister_netdev(priv->netdev);
+- free_irq(spi->irq, priv);
+ if (gpio_is_valid(priv->gpio))
+ gpio_set_value(priv->gpio, 0);
+ regulator_disable(priv->vdd_reg);
+--
+2.19.1
+
--- /dev/null
+From d7ad39b32d99e7a2d80317ea4a735b71ef489dcc Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Dequeue RX packets explicitly
+
+[ Upstream commit 536d3680fd2dab5c39857d62a3e084198fc74ff9 ]
+
+The ks8851 driver lets the chip auto-dequeue received packets once they
+have been read in full. It achieves that by setting the ADRFE flag in
+the RXQCR register ("Auto-Dequeue RXQ Frame Enable").
+
+However if allocation of a packet's socket buffer or retrieval of the
+packet over the SPI bus fails, the packet will not have been read in
+full and is not auto-dequeued. Such partial retrieval of a packet
+confuses the chip's RX queue management: On the next RX interrupt,
+the first packet read from the queue will be the one left there
+previously and this one can be retrieved without issues. But for any
+newly received packets, the frame header status and byte count registers
+(RXFHSR and RXFHBCR) contain bogus values, preventing their retrieval.
+
+The chip allows explicitly dequeueing a packet from the RX queue by
+setting the RRXEF flag in the RXQCR register ("Release RX Error Frame").
+This could be used to dequeue the packet in case of an error, but if
+that error is a failed SPI transfer, it is unknown if the packet was
+transferred in full and was auto-dequeued or if it was only transferred
+in part and requires an explicit dequeue. The safest approach is thus
+to always dequeue packets explicitly and forgo auto-dequeueing.
+
+Without this change, I've witnessed packet retrieval break completely
+when an SPI DMA transfer fails, requiring a chip reset. Explicit
+dequeueing magically fixes this and makes packet retrieval absolutely
+robust for me.
+
+The chip's documentation suggests auto-dequeuing and uses the RRXEF
+flag only to dequeue error frames which the driver doesn't want to
+retrieve. But that seems to be a fair-weather approach.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index 66d4ab703f45..4a29e191819f 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -547,9 +547,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
+ /* set dma read address */
+ ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00);
+
+- /* start the packet dma process, and set auto-dequeue rx */
+- ks8851_wrreg16(ks, KS_RXQCR,
+- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE);
++ /* start DMA access */
++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
+
+ if (rxlen > 4) {
+ unsigned int rxalign;
+@@ -580,7 +579,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
+ }
+ }
+
+- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
++ /* end DMA access and dequeue packet */
++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF);
+ }
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 3ef78a5399eefc2f5f44b31cc0fb86eeab0b89ce Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Reassert reset pin if chip ID check fails
+
+[ Upstream commit 761cfa979a0c177d6c2d93ef5585cd79ae49a7d5 ]
+
+Commit 73fdeb82e963 ("net: ks8851: Add optional vdd_io regulator and
+reset gpio") amended the ks8851 driver to briefly assert the chip's
+reset pin on probe. It also amended the probe routine's error path to
+reassert the reset pin if a subsequent initialization step fails.
+
+However the commit misplaced reassertion of the reset pin in the error
+path such that it is not performed if the check of the Chip ID and
+Enable Register (CIDER) fails. The error path is therefore slightly
+asymmetrical to the probe routine's body. Fix it.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Stephen Boyd <sboyd@codeaurora.org>
+Cc: Nishanth Menon <nm@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index 4a29e191819f..e218e45dcf35 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -1567,9 +1567,9 @@ static int ks8851_probe(struct spi_device *spi)
+ free_irq(ndev->irq, ks);
+
+ err_irq:
++err_id:
+ if (gpio_is_valid(gpio))
+ gpio_set_value(gpio, 0);
+-err_id:
+ regulator_disable(ks->vdd_reg);
+ err_reg:
+ regulator_disable(ks->vdd_io);
+--
+2.19.1
+
--- /dev/null
+From 5874c56fb67880111df3e42dee56eaf122ef8e85 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Set initial carrier state to down
+
+[ Upstream commit 9624bafa5f6418b9ca5b3f66d1f6a6a2e8bf6d4c ]
+
+The ks8851 chip's initial carrier state is down. A Link Change Interrupt
+is signaled once interrupts are enabled if the carrier is up.
+
+The ks8851 driver has it backwards by assuming that the initial carrier
+state is up. The state is therefore misrepresented if the interface is
+opened with no cable attached. Fix it.
+
+The Link Change interrupt is sometimes not signaled unless the P1MBSR
+register (which contains the Link Status bit) is read on ->ndo_open().
+This might be a hardware erratum. Read the register by calling
+mii_check_link(), which has the desirable side effect of setting the
+carrier state to down if the cable was detached while the interface was
+closed.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index f90a1396535a..8a94add287de 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -870,6 +870,7 @@ static int ks8851_net_open(struct net_device *dev)
+ netif_dbg(ks, ifup, ks->netdev, "network device up\n");
+
+ mutex_unlock(&ks->lock);
++ mii_check_link(&ks->mii);
+ return 0;
+ }
+
+@@ -1527,6 +1528,7 @@ static int ks8851_probe(struct spi_device *spi)
+
+ spi_set_drvdata(spi, ks);
+
++ netif_carrier_off(ks->netdev);
+ ndev->if_port = IF_PORT_100BASET;
+ ndev->netdev_ops = &ks8851_netdev_ops;
+ ndev->irq = spi->irq;
+--
+2.19.1
+
--- /dev/null
+From efa1485657d52df58f596b2b50830a4b47ce6f5a Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Thu, 14 Mar 2019 15:31:40 -0500
+Subject: qlcnic: Avoid potential NULL pointer dereference
+
+[ Upstream commit 5bf7295fe34a5251b1d241b9736af4697b590670 ]
+
+netdev_alloc_skb can fail and return a NULL pointer which is
+dereferenced without a check. The patch avoids such a scenario.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+index 0a2318cad34d..63ebc491057b 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+@@ -1038,6 +1038,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode)
+
+ for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) {
+ skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE);
++ if (!skb)
++ break;
+ qlcnic_create_loopback_buff(skb->data, adapter->mac_addr);
+ skb_put(skb, QLCNIC_ILB_PKT_SIZE);
+ adapter->ahw->diag_cnt = 0;
+--
+2.19.1
+
--- /dev/null
+From 60eb85c9e5de239f52be27ed562484002e7dd19d Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 01:30:59 -0500
+Subject: scsi: qla4xxx: fix a potential NULL pointer dereference
+
+[ Upstream commit fba1bdd2a9a93f3e2181ec1936a3c2f6b37e7ed6 ]
+
+In case iscsi_lookup_endpoint fails, the fix returns -EINVAL to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index a9fac1eb8306..28f6d5ef04e0 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -3213,6 +3213,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session,
+ if (iscsi_conn_bind(cls_session, cls_conn, is_leading))
+ return -EINVAL;
+ ep = iscsi_lookup_endpoint(transport_fd);
++ if (!ep)
++ return -EINVAL;
+ conn = cls_conn->dd_data;
+ qla_conn = conn->dd_data;
+ qla_conn->qla_ep = ep->dd_data;
+--
+2.19.1
+
--- /dev/null
+From f0ded278a184906eda2e2adf9cce2f1c3201715c Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Tue, 26 Mar 2019 14:37:00 +0100
+Subject: scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element
+ RSCN
+
+[ Upstream commit c8206579175c34a2546de8a74262456278a7795a ]
+
+If an incoming ELS of type RSCN contains more than one element, zfcp
+suboptimally causes repeated erp trigger NOP trace records for each
+previously failed port. These could be ports that went away. It loops over
+each RSCN element, and for each of those in an inner loop over all
+zfcp_ports.
+
+The trigger to recover failed ports should be just the reception of some
+RSCN, no matter how many elements it has. So we can loop over failed ports
+separately, and only then loop over each RSCN element to handle the
+non-failed ports.
+
+The call chain was:
+
+ zfcp_fc_incoming_rscn
+ for (i = 1; i < no_entries; i++)
+ _zfcp_fc_incoming_rscn
+ list_for_each_entry(port, &adapter->port_list, list)
+ if (masked port->d_id match) zfcp_fc_test_link
+ if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <===
+
+In order the reduce the "flooding" of the REC trace area in such cases, we
+factor out handling the failed ports to be outside of the entries loop:
+
+ zfcp_fc_incoming_rscn
+ if (no_entries > 1) <===
+ list_for_each_entry(port, &adapter->port_list, list) <===
+ if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <===
+ for (i = 1; i < no_entries; i++)
+ _zfcp_fc_incoming_rscn
+ list_for_each_entry(port, &adapter->port_list, list)
+ if (masked port->d_id match) zfcp_fc_test_link
+
+Abbreviated example trace records before this code change:
+
+Tag : fcrscn1
+WWPN : 0x500507630310d327
+ERP want : 0x02
+ERP need : 0x02
+
+Tag : fcrscn1
+WWPN : 0x500507630310d327
+ERP want : 0x02
+ERP need : 0x00 NOP => superfluous trace record
+
+The last trace entry repeats if there are more than 2 RSCN elements.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/s390/scsi/zfcp_fc.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c
+index ca28e1c66115..f9d59262da88 100644
+--- a/drivers/s390/scsi/zfcp_fc.c
++++ b/drivers/s390/scsi/zfcp_fc.c
+@@ -195,10 +195,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
+ list_for_each_entry(port, &adapter->port_list, list) {
+ if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range))
+ zfcp_fc_test_link(port);
+- if (!port->d_id)
+- zfcp_erp_port_reopen(port,
+- ZFCP_STATUS_COMMON_ERP_FAILED,
+- "fcrscn1");
+ }
+ read_unlock_irqrestore(&adapter->port_list_lock, flags);
+ }
+@@ -206,6 +202,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
+ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
+ {
+ struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data;
++ struct zfcp_adapter *adapter = fsf_req->adapter;
+ struct fc_els_rscn *head;
+ struct fc_els_rscn_page *page;
+ u16 i;
+@@ -218,6 +215,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
+ /* see FC-FS */
+ no_entries = head->rscn_plen / sizeof(struct fc_els_rscn_page);
+
++ if (no_entries > 1) {
++ /* handle failed ports */
++ unsigned long flags;
++ struct zfcp_port *port;
++
++ read_lock_irqsave(&adapter->port_list_lock, flags);
++ list_for_each_entry(port, &adapter->port_list, list) {
++ if (port->d_id)
++ continue;
++ zfcp_erp_port_reopen(port,
++ ZFCP_STATUS_COMMON_ERP_FAILED,
++ "fcrscn1");
++ }
++ read_unlock_irqrestore(&adapter->port_list_lock, flags);
++ }
++
+ for (i = 1; i < no_entries; i++) {
+ /* skip head and start with 1st element */
+ page++;
+--
+2.19.1
+
ipv4-add-sanity-checks-in-ipv4_link_failure.patch
team-fix-possible-recursive-locking-when-add-slaves.patch
net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch
+qlcnic-avoid-potential-null-pointer-dereference.patch
+usb-gadget-net2280-fix-overrun-of-out-messages.patch
+usb-gadget-net2272-fix-net2272_dequeue.patch
+net-ks8851-dequeue-rx-packets-explicitly.patch
+net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch
+net-ks8851-delay-requesting-irq-until-opened.patch
+net-ks8851-set-initial-carrier-state-to-down.patch
+net-ibm-fix-possible-object-reference-leak.patch
+scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch
+usb-u132-hcd-fix-resource-leak.patch
+ceph-fix-use-after-free-on-symlink-traversal.patch
+scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch
+libata-fix-using-dma-buffers-on-stack.patch
+kconfig-mn-conf-handle-backspace-h-key.patch
--- /dev/null
+From 651b886420bf3afca1cf203a454d1a1266f4e6d2 Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Mon, 18 Mar 2019 09:18:34 +0100
+Subject: usb: gadget: net2272: Fix net2272_dequeue()
+
+[ Upstream commit 091dacc3cc10979ab0422f0a9f7fcc27eee97e69 ]
+
+Restore the status of ep->stopped in function net2272_dequeue().
+
+When the given request is not found in the endpoint queue
+the function returns -EINVAL without restoring the state of
+ep->stopped. Thus the endpoint keeps blocked and does not transfer
+any data anymore.
+
+This fix is only compile-tested, since we do not have a
+corresponding hardware. An analogous fix was tested in the sibling
+driver. See "usb: gadget: net2280: Fix net2280_dequeue()"
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2272.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c
+index 4b2444e75840..83d0544338ca 100644
+--- a/drivers/usb/gadget/udc/net2272.c
++++ b/drivers/usb/gadget/udc/net2272.c
+@@ -962,6 +962,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ break;
+ }
+ if (&req->req != _req) {
++ ep->stopped = stopped;
+ spin_unlock_irqrestore(&ep->dev->lock, flags);
+ return -EINVAL;
+ }
+--
+2.19.1
+
--- /dev/null
+From 83dedb7a0e14f19cba66b93d2543d253eb1da47c Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Tue, 19 Mar 2019 19:12:03 +0100
+Subject: usb: gadget: net2280: Fix overrun of OUT messages
+
+[ Upstream commit 9d6a54c1430647355a5e23434881b2ca3d192b48 ]
+
+The OUT endpoint normally blocks (NAK) subsequent packets when a
+short packet was received and returns an incomplete queue entry to
+the gadget driver. Thereby the gadget driver can detect a short packet
+when reading queue entries with a length that is not equal to a
+multiple of packet size.
+
+The start_queue() function enables receiving OUT packets regardless of
+the content of the OUT FIFO. This results in a race: With the current
+code, it's possible that the "!ep->is_in && (readl(&ep->regs->ep_stat)
+& BIT(NAK_OUT_PACKETS))" test in start_dma() will fail, then a short
+packet will be received, and then start_queue() will call
+stop_out_naking(). That's what we don't want (OUT naking gets turned
+off while there is data in the FIFO) because then the next driver
+request might receive a mixture of old and new packets.
+
+With the patch, this race can't occur because the FIFO's state is
+tested after we know that OUT naking is already turned on, and OUT
+naking is stopped only when both of the conditions are met. This
+ensures that all received data is delivered to the gadget driver,
+which can detect a short packet now before new packets are appended
+to the last short packet.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index 8d13337e2dde..931765208286 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -800,9 +800,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma)
+ (void) readl(&ep->dev->pci->pcimstctl);
+
+ writel(BIT(DMA_START), &dma->dmastat);
+-
+- if (!ep->is_in)
+- stop_out_naking(ep);
+ }
+
+ static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
+@@ -841,6 +838,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
+ writel(BIT(DMA_START), &dma->dmastat);
+ return;
+ }
++ stop_out_naking(ep);
+ }
+
+ tmp = dmactl_default;
+--
+2.19.1
+
--- /dev/null
+From 8779df829037dc55ec17fc4730127ce09cea300f Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <mojha@codeaurora.org>
+Date: Tue, 26 Mar 2019 13:42:22 +0530
+Subject: usb: u132-hcd: fix resource leak
+
+[ Upstream commit f276e002793cdb820862e8ea8f76769d56bba575 ]
+
+if platform_driver_register fails, cleanup the allocated resource
+gracefully.
+
+Signed-off-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/host/u132-hcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c
+index ab5128755672..3d9ce725d1df 100644
+--- a/drivers/usb/host/u132-hcd.c
++++ b/drivers/usb/host/u132-hcd.c
+@@ -3234,6 +3234,9 @@ static int __init u132_hcd_init(void)
+ printk(KERN_INFO "driver %s\n", hcd_name);
+ workqueue = create_singlethread_workqueue("u132");
+ retval = platform_driver_register(&u132_platform_driver);
++ if (retval)
++ destroy_workqueue(workqueue);
++
+ return retval;
+ }
+
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
