--- /dev/null
+From f29a510f5e59e5d256236f3f731d8587bdbcf8c3 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 19 Jun 2019 14:18:31 +0200
+Subject: acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
+
+[ Upstream commit 2af22f3ec3ca452f1e79b967f634708ff01ced8a ]
+
+Some Qualcomm Snapdragon based laptops built to run Microsoft Windows
+are clearly ACPI 5.1 based, given that that is the first ACPI revision
+that supports ARM, and introduced the FADT 'arm_boot_flags' field,
+which has a non-zero field on those systems.
+
+So in these cases, infer from the ARM boot flags that the FADT must be
+5.1 or later, and treat it as 5.1.
+
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Lee Jones <lee.jones@linaro.org>
+Reviewed-by: Graeme Gregory <graeme.gregory@linaro.org>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/acpi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index 252a6d9c1da5..1a95d135def2 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -157,10 +157,14 @@ static int __init acpi_fadt_sanity_check(void)
+ */
+ if (table->revision < 5 ||
+ (table->revision == 5 && fadt->minor_revision < 1)) {
+- pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n",
++ pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n",
+ table->revision, fadt->minor_revision);
+- ret = -EINVAL;
+- goto out;
++
++ if (!fadt->arm_boot_flags) {
++ ret = -EINVAL;
++ goto out;
++ }
++ pr_err("FADT has ARM boot flags set, assuming 5.1\n");
+ }
+
+ if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) {
+--
+2.20.1
+
--- /dev/null
+From f66803b2b6fdb21a723892d2da68b3532babacc5 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 25 May 2019 19:09:35 +0100
+Subject: af_key: fix leaks in key_pol_get_resp and dump_sp.
+
+[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ]
+
+In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
+allocated sk_buff. Free it on error.
+
+Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
+Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 3ba903ff2bb0..36db179d848e 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2463,8 +2463,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
+ goto out;
+ }
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ goto out;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = hdr->sadb_msg_version;
+@@ -2717,8 +2719,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+ return PTR_ERR(out_skb);
+
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ return err;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = pfk->dump.msg_version;
+--
+2.20.1
+
--- /dev/null
+From b85e8bb976f7227e127f342de935136c8ee6bcfc Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Tue, 25 Jun 2019 21:20:17 -0700
+Subject: arm64/efi: Mark __efistub_stext_offset as an absolute symbol
+ explicitly
+
+[ Upstream commit aa69fb62bea15126e744af2e02acc0d6cf3ed4da ]
+
+After r363059 and r363928 in LLVM, a build using ld.lld as the linker
+with CONFIG_RANDOMIZE_BASE enabled fails like so:
+
+ld.lld: error: relocation R_AARCH64_ABS32 cannot be used against symbol
+__efistub_stext_offset; recompile with -fPIC
+
+Fangrui and Peter figured out that ld.lld is incorrectly considering
+__efistub_stext_offset as a relative symbol because of the order in
+which symbols are evaluated. _text is treated as an absolute symbol
+and stext is a relative symbol, making __efistub_stext_offset a
+relative symbol.
+
+Adding ABSOLUTE will force ld.lld to evalute this expression in the
+right context and does not change ld.bfd's behavior. ld.lld will
+need to be fixed but the developers do not see a quick or simple fix
+without some research (see the linked issue for further explanation).
+Add this simple workaround so that ld.lld can continue to link kernels.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/561
+Link: https://github.com/llvm/llvm-project/commit/025a815d75d2356f2944136269aa5874721ec236
+Link: https://github.com/llvm/llvm-project/commit/249fde85832c33f8b06c6b4ac65d1c4b96d23b83
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Debugged-by: Fangrui Song <maskray@google.com>
+Debugged-by: Peter Smith <peter.smith@linaro.org>
+Suggested-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+[will: add comment]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/image.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h
+index c7fcb232fe47..d3e8c901274d 100644
+--- a/arch/arm64/kernel/image.h
++++ b/arch/arm64/kernel/image.h
+@@ -73,7 +73,11 @@
+
+ #ifdef CONFIG_EFI
+
+-__efistub_stext_offset = stext - _text;
++/*
++ * Use ABSOLUTE() to avoid ld.lld treating this as a relative symbol:
++ * https://github.com/ClangBuiltLinux/linux/issues/561
++ */
++__efistub_stext_offset = ABSOLUTE(stext - _text);
+
+ /*
+ * Prevent the symbol aliases below from being emitted into the kallsyms
+--
+2.20.1
+
--- /dev/null
+From f48893853c520d0d695b4d861152788b442f4358 Mon Sep 17 00:00:00 2001
+From: Anilkumar Kolli <akolli@codeaurora.org>
+Date: Wed, 6 Mar 2019 23:06:11 +0530
+Subject: ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
+
+[ Upstream commit d8792393a783158cbb2c39939cb897dc5e5299b6 ]
+
+Increase pulse width range from 1-2usec to 0-4usec.
+During data traffic HW occasionally fails detecting radar pulses,
+so that SW cannot get enough radar reports to achieve the success rate.
+
+Tested ath10k hw and fw:
+ * QCA9888(10.4-3.5.1-00052)
+ * QCA4019(10.4-3.2.1.1-00017)
+ * QCA9984(10.4-3.6-00104)
+ * QCA988X(10.2.4-1.0-00041)
+
+Tested ath9k hw: AR9300
+
+Tested-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index 4100ffd42a43..78146607f16e 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -111,7 +111,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = {
+ JP_PATTERN(0, 0, 1, 1428, 1428, 1, 18, 29, false),
+ JP_PATTERN(1, 2, 3, 3846, 3846, 1, 18, 29, false),
+ JP_PATTERN(2, 0, 1, 1388, 1388, 1, 18, 50, false),
+- JP_PATTERN(3, 1, 2, 4000, 4000, 1, 18, 50, false),
++ JP_PATTERN(3, 0, 4, 4000, 4000, 1, 18, 50, false),
+ JP_PATTERN(4, 0, 5, 150, 230, 1, 23, 50, false),
+ JP_PATTERN(5, 6, 10, 200, 500, 1, 16, 50, false),
+ JP_PATTERN(6, 11, 20, 200, 500, 1, 12, 50, false),
+--
+2.20.1
+
--- /dev/null
+From 90ab189db2116019849098e46878262ceaba5960 Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Date: Wed, 17 Apr 2019 14:01:46 +0530
+Subject: ath10k: Do not send probe response template for mesh
+
+[ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ]
+
+Currently mac80211 do not support probe response template for
+mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host
+driver tries to configure probe response template for mesh, but
+it fails because the interface type is not NL80211_IFTYPE_AP but
+NL80211_IFTYPE_MESH_POINT.
+
+To avoid this failure, skip sending probe response template to
+firmware for mesh point.
+
+Tested HW: WCN3990/QCA6174/QCA9984
+
+Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index fb632a454fc2..1588fe8110d0 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1596,6 +1596,10 @@ static int ath10k_mac_setup_prb_tmpl(struct ath10k_vif *arvif)
+ if (arvif->vdev_type != WMI_VDEV_TYPE_AP)
+ return 0;
+
++ /* For mesh, probe response and beacon share the same template */
++ if (ieee80211_vif_is_mesh(vif))
++ return 0;
++
+ prb = ieee80211_proberesp_get(hw, vif);
+ if (!prb) {
+ ath10k_warn(ar, "failed to get probe resp template from mac80211\n");
+--
+2.20.1
+
--- /dev/null
+From 56a043000e32953bcc0eae04874d4031d9b78e38 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Thu, 30 May 2019 09:49:20 +0800
+Subject: ath10k: fix PCIE device wake up failed
+
+[ Upstream commit 011d4111c8c602ea829fa4917af1818eb0500a90 ]
+
+Observed PCIE device wake up failed after ~120 iterations of
+soft-reboot test. The error message is
+"ath10k_pci 0000:01:00.0: failed to wake up device : -110"
+
+The call trace as below:
+ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait ->
+ath10k_pci_is_awake
+
+Once trigger the device to wake up, we will continuously check the RTC
+state until it returns RTC_STATE_V_ON or timeout.
+
+But for QCA99x0 chips, we use wrong value for RTC_STATE_V_ON.
+Occasionally, we get 0x7 on the fist read, we thought as a failure
+case, but actually is the right value, also verified with the spec.
+So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed
+~2000 iterations.
+
+Tested HW: QCA9984
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c
+index 675e75d66db2..14dc6548701c 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.c
++++ b/drivers/net/wireless/ath/ath10k/hw.c
+@@ -157,7 +157,7 @@ const struct ath10k_hw_values qca6174_values = {
+ };
+
+ const struct ath10k_hw_values qca99x0_values = {
+- .rtc_state_val_on = 5,
++ .rtc_state_val_on = 7,
+ .ce_count = 12,
+ .msi_assign_ce_max = 12,
+ .num_target_ce_config_wlan = 10,
+--
+2.20.1
+
--- /dev/null
+From bf71c00d1591b08f2737ec00a7b0bbbde04707af Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Apr 2019 11:56:51 +0300
+Subject: ath6kl: add some bounds checking
+
+[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
+
+The "ev->traffic_class" and "reply->ac" variables come from the network
+and they're used as an offset into the wmi->stream_exist_for_ac[] array.
+Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
+array only has WMM_NUM_AC (4) elements. We need to add a couple bounds
+checks to prevent array overflows.
+
+I also modified one existing check from "if (traffic_class > 3) {" to
+"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
+
+Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index 3fd1cc98fd2f..55609fc4e50e 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -1178,6 +1178,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
+ return -EINVAL;
+
+ ev = (struct wmi_pstream_timeout_event *) datap;
++ if (ev->traffic_class >= WMM_NUM_AC) {
++ ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
++ return -EINVAL;
++ }
+
+ /*
+ * When the pstream (fat pipe == AC) timesout, it means there were
+@@ -1519,6 +1523,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
+ return -EINVAL;
+
+ reply = (struct wmi_cac_event *) datap;
++ if (reply->ac >= WMM_NUM_AC) {
++ ath6kl_err("invalid AC: %d\n", reply->ac);
++ return -EINVAL;
++ }
+
+ if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
+ (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
+@@ -2635,7 +2643,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+ u16 active_tsids = 0;
+ int ret;
+
+- if (traffic_class > 3) {
++ if (traffic_class >= WMM_NUM_AC) {
+ ath6kl_err("invalid traffic class: %d\n", traffic_class);
+ return -EINVAL;
+ }
+--
+2.20.1
+
--- /dev/null
+From 85e1524cb392cf9c9fb674e4c85d1e024f4d5cb0 Mon Sep 17 00:00:00 2001
+From: Tim Schumacher <timschumi@gmx.de>
+Date: Mon, 18 Mar 2019 20:05:57 +0100
+Subject: ath9k: Check for errors when reading SREV register
+
+[ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ]
+
+Right now, if an error is encountered during the SREV register
+read (i.e. an EIO in ath9k_regread()), that error code gets
+passed all the way to __ath9k_hw_init(), where it is visible
+during the "Chip rev not supported" message.
+
+ ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+ ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath9k_htc: Failed to initialize the device
+
+Check for -EIO explicitly in ath9k_hw_read_revisions() and return
+a boolean based on the success of the operation. Check for that in
+__ath9k_hw_init() and abort with a more debugging-friendly message
+if reading the revisions wasn't successful.
+
+ ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
+ ath: phy2: Failed to read SREV register
+ ath: phy2: Could not read hardware revision
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath: phy2: Unable to initialize hardware; initialization status: -95
+ ath9k_htc: Failed to initialize the device
+
+This helps when debugging by directly showing the first point of
+failure and it could prevent possible errors if a 0x0f.3 revision
+is ever supported.
+
+Signed-off-by: Tim Schumacher <timschumi@gmx.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 32 +++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 951bac2caf12..e7fca78cdd96 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -250,8 +250,9 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah,
+ /* Chip Revisions */
+ /******************/
+
+-static void ath9k_hw_read_revisions(struct ath_hw *ah)
++static bool ath9k_hw_read_revisions(struct ath_hw *ah)
+ {
++ u32 srev;
+ u32 val;
+
+ if (ah->get_mac_revision)
+@@ -267,25 +268,33 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+ val = REG_READ(ah, AR_SREV);
+ ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+ }
+- return;
++ return true;
+ case AR9300_DEVID_AR9340:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9340;
+- return;
++ return true;
+ case AR9300_DEVID_QCA955X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9550;
+- return;
++ return true;
+ case AR9300_DEVID_AR953X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9531;
+- return;
++ return true;
+ case AR9300_DEVID_QCA956X:
+ ah->hw_version.macVersion = AR_SREV_VERSION_9561;
+- return;
++ return true;
+ }
+
+- val = REG_READ(ah, AR_SREV) & AR_SREV_ID;
++ srev = REG_READ(ah, AR_SREV);
++
++ if (srev == -EIO) {
++ ath_err(ath9k_hw_common(ah),
++ "Failed to read SREV register");
++ return false;
++ }
++
++ val = srev & AR_SREV_ID;
+
+ if (val == 0xFF) {
+- val = REG_READ(ah, AR_SREV);
++ val = srev;
+ ah->hw_version.macVersion =
+ (val & AR_SREV_VERSION2) >> AR_SREV_TYPE2_S;
+ ah->hw_version.macRev = MS(val, AR_SREV_REVISION2);
+@@ -304,6 +313,8 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah)
+ if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCIE)
+ ah->is_pciexpress = true;
+ }
++
++ return true;
+ }
+
+ /************************************/
+@@ -557,7 +568,10 @@ static int __ath9k_hw_init(struct ath_hw *ah)
+ struct ath_common *common = ath9k_hw_common(ah);
+ int r = 0;
+
+- ath9k_hw_read_revisions(ah);
++ if (!ath9k_hw_read_revisions(ah)) {
++ ath_err(common, "Could not read hardware revisions");
++ return -EOPNOTSUPP;
++ }
+
+ switch (ah->hw_version.macVersion) {
+ case AR_SREV_VERSION_5416_PCI:
+--
+2.20.1
+
--- /dev/null
+From 58b77c9796edfb1163987ca64285c1b520414c5c Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Tue, 21 May 2019 20:58:57 +0100
+Subject: batman-adv: fix for leaked TVLV handler.
+
+[ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ]
+
+A handler for BATADV_TVLV_ROAM was being registered when the
+translation-table was initialized, but not unregistered when the
+translation-table was freed. Unregister it.
+
+Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets")
+Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index af4a02ad8503..1fab9bcf535d 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -3700,6 +3700,8 @@ static void batadv_tt_purge(struct work_struct *work)
+
+ void batadv_tt_free(struct batadv_priv *bat_priv)
+ {
++ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1);
++
+ batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1);
+ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1);
+
+--
+2.20.1
+
--- /dev/null
+From e513a614f45a4979e6fa51c4b17256e3bac4574f Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 28 Jun 2019 19:59:25 +0800
+Subject: bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
+
+[ Upstream commit b387e9b58679c60f5b1e4313939bd4878204fc37 ]
+
+When system memory is in heavy pressure, bch_gc_thread_start() from
+run_cache_set() may fail due to out of memory. In such condition,
+c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following
+failure code path bch_cache_set_error(), when cache_set_flush() gets
+called, the code piece to stop c->gc_thread is broken,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+And KASAN catches such NULL pointer deference problem, with the warning
+information:
+
+[ 561.207881] ==================================================================
+[ 561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440
+[ 561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313
+
+[ 561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G W 5.0.0-vanilla+ #3
+[ 561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.207935] Workqueue: events cache_set_flush [bcache]
+[ 561.207940] Call Trace:
+[ 561.207948] dump_stack+0x9a/0xeb
+[ 561.207955] ? kthread_stop+0x3b/0x440
+[ 561.207960] ? kthread_stop+0x3b/0x440
+[ 561.207965] kasan_report+0x176/0x192
+[ 561.207973] ? kthread_stop+0x3b/0x440
+[ 561.207981] kthread_stop+0x3b/0x440
+[ 561.207995] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 561.208008] process_one_work+0x856/0x1620
+[ 561.208015] ? find_held_lock+0x39/0x1d0
+[ 561.208028] ? drain_workqueue+0x380/0x380
+[ 561.208048] worker_thread+0x87/0xb80
+[ 561.208058] ? __kthread_parkme+0xb6/0x180
+[ 561.208067] ? process_one_work+0x1620/0x1620
+[ 561.208072] kthread+0x326/0x3e0
+[ 561.208079] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 561.208090] ret_from_fork+0x3a/0x50
+[ 561.208110] ==================================================================
+[ 561.208113] Disabling lock debugging due to kernel taint
+[ 561.208115] irq event stamp: 11800231
+[ 561.208126] hardirqs last enabled at (11800231): [<ffffffff83008538>] do_syscall_64+0x18/0x410
+[ 561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+[ 561.208129] #PF error: [WRITE]
+[ 561.312253] hardirqs last disabled at (11800230): [<ffffffff830052ff>] trace_hardirqs_off_thunk+0x1a/0x1c
+[ 561.312259] softirqs last enabled at (11799832): [<ffffffff850005c7>] __do_softirq+0x5c7/0x8c3
+[ 561.405975] PGD 0 P4D 0
+[ 561.442494] softirqs last disabled at (11799821): [<ffffffff831add2c>] irq_exit+0x1ac/0x1e0
+[ 561.791359] Oops: 0002 [#1] SMP KASAN NOPTI
+[ 561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G B W 5.0.0-vanilla+ #3
+[ 561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.791371] Workqueue: events cache_set_flush [bcache]
+[ 561.791374] RIP: 0010:kthread_stop+0x3b/0x440
+[ 561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 <f0> ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48
+[ 561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286
+[ 561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314
+[ 563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297
+[ 563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d
+[ 563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c
+[ 563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68
+[ 563.408620] FS: 0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000
+[ 563.408622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0
+[ 563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.915796] PKRU: 55555554
+[ 563.915797] Call Trace:
+[ 563.915807] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 563.915812] process_one_work+0x856/0x1620
+[ 564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.033563] ? find_held_lock+0x39/0x1d0
+[ 564.033567] ? drain_workqueue+0x380/0x380
+[ 564.033574] worker_thread+0x87/0xb80
+[ 564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.118042] ? __kthread_parkme+0xb6/0x180
+[ 564.118046] ? process_one_work+0x1620/0x1620
+[ 564.118048] kthread+0x326/0x3e0
+[ 564.118050] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.252441] ret_from_fork+0x3a/0x50
+[ 564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
+[ 564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.348360] CR2: 000000000000001c
+[ 564.348362] ---[ end trace b7f0e5cc7b2103b0 ]---
+
+Therefore, it is not enough to only check whether c->gc_thread is NULL,
+we should use IS_ERR_OR_NULL() to check both NULL pointer and error
+value.
+
+This patch changes the above buggy code piece in this way,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 9f2588eaaf5f..c5bc3e5e921e 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1405,7 +1405,7 @@ static void cache_set_flush(struct closure *cl)
+ kobject_put(&c->internal);
+ kobject_del(&c->kobj);
+
+- if (c->gc_thread)
++ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+ if (!IS_ERR_OR_NULL(c->root))
+--
+2.20.1
+
--- /dev/null
+From b122c041ed1b65c8db9eb19cdb62b3c58476c8c4 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 13 Jun 2019 15:30:41 -0700
+Subject: blkcg, writeback: dead memcgs shouldn't contribute to writeback
+ ownership arbitration
+
+[ Upstream commit 6631142229005e1b1c311a09efe9fb3cfdac8559 ]
+
+wbc_account_io() collects information on cgroup ownership of writeback
+pages to determine which cgroup should own the inode. Pages can stay
+associated with dead memcgs but we want to avoid attributing IOs to
+dead blkcgs as much as possible as the association is likely to be
+stale. However, currently, pages associated with dead memcgs
+contribute to the accounting delaying and/or confusing the
+arbitration.
+
+Fix it by ignoring pages associated with dead memcgs.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 8b93d4b98428..baaed9369ab4 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -721,6 +721,7 @@ void wbc_detach_inode(struct writeback_control *wbc)
+ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ size_t bytes)
+ {
++ struct cgroup_subsys_state *css;
+ int id;
+
+ /*
+@@ -732,7 +733,12 @@ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ if (!wbc->wb)
+ return;
+
+- id = mem_cgroup_css_from_page(page)->id;
++ css = mem_cgroup_css_from_page(page);
++ /* dead cgroups shouldn't contribute to inode ownership arbitration */
++ if (!(css->flags & CSS_ONLINE))
++ return;
++
++ id = css->id;
+
+ if (id == wbc->wb_id) {
+ wbc->wb_bytes += bytes;
+--
+2.20.1
+
--- /dev/null
+From df3edb037a2eb888b7f0dd04511e9b5ebb406277 Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua.mayer@jm0.eu>
+Date: Sat, 6 Jul 2019 17:54:46 +0200
+Subject: Bluetooth: 6lowpan: search for destination address in all peers
+
+[ Upstream commit b188b03270b7f8568fc714101ce82fbf5e811c5a ]
+
+Handle overlooked case where the target address is assigned to a peer
+and neither route nor gateway exist.
+
+For one peer, no checks are performed to see if it is meant to receive
+packets for a given address.
+
+As soon as there is a second peer however, checks are performed
+to deal with routes and gateways for handling complex setups with
+multiple hops to a target address.
+This logic assumed that no route and no gateway imply that the
+destination address can not be reached, which is false in case of a
+direct peer.
+
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Tested-by: Michael Scott <mike@foundries.io>
+Signed-off-by: Josua Mayer <josua.mayer@jm0.eu>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index de7b82ece499..21096c882223 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -187,10 +187,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_btle_dev *dev,
+ }
+
+ if (!rt) {
+- nexthop = &lowpan_cb(skb)->gw;
+-
+- if (ipv6_addr_any(nexthop))
+- return NULL;
++ if (ipv6_addr_any(&lowpan_cb(skb)->gw)) {
++ /* There is neither route nor gateway,
++ * probably the destination is a direct peer.
++ */
++ nexthop = daddr;
++ } else {
++ /* There is a known gateway
++ */
++ nexthop = &lowpan_cb(skb)->gw;
++ }
+ } else {
+ nexthop = rt6_nexthop(rt, daddr);
+
+--
+2.20.1
+
--- /dev/null
+From 28b07247620421438d48a63276f9615419d689f2 Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Tue, 21 May 2019 13:07:22 +0300
+Subject: Bluetooth: Check state in l2cap_disconnect_rsp
+
+[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ]
+
+Because of both sides doing L2CAP disconnection at the same time, it
+was possible to receive L2CAP Disconnection Response with CID that was
+already freed. That caused problems if CID was already reused and L2CAP
+Connection Request with same CID was sent out. Before this patch kernel
+deleted channel context regardless of the state of the channel.
+
+Example where leftover Disconnection Response (frame #402) causes local
+device to delete L2CAP channel which was not yet connected. This in
+turn confuses remote device's stack because same CID is re-used without
+properly disconnecting.
+
+Btmon capture before patch:
+** snip **
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #394 [hci1] 10.748949
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #395 [hci1] 10.749062
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #396 [hci1] 10.749073
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Packets (0x13) plen 5 #397 [hci1] 10.752391
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Packets (0x13) plen 5 #398 [hci1] 10.753394
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #399 [hci1] 10.756499
+ L2CAP: Disconnection Request (0x06) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #400 [hci1] 10.756548
+ L2CAP: Disconnection Response (0x07) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #401 [hci1] 10.757459
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #402 [hci1] 10.759148
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o.. 10.759447
+> HCI Event: Number of Completed Packets (0x13) plen 5 #403 [hci1] 10.759386
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #404 [hci1] 10.760397
+ L2CAP: Connection Request (0x02) ident 27 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #405 [hci1] 10.760441
+ L2CAP: Connection Response (0x03) ident 27 len 8
+ Destination CID: 65
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #406 [hci1] 10.760449
+ L2CAP: Configure Request (0x04) ident 19 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> HCI Event: Number of Completed Packets (0x13) plen 5 #407 [hci1] 10.761399
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #408 [hci1] 10.762942
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Similar case after the patch:
+*snip*
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #22702 [hci0] 1664.411056
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #22703 [hci0] 1664.411136
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22704 [hci0] 1664.411143
+ L2CAP: Disconnection Request (0x06) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22705 [hci0] 1664.414009
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22706 [hci0] 1664.415007
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22707 [hci0] 1664.418674
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22708 [hci0] 1664.418762
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22709 [hci0] 1664.421073
+ L2CAP: Connection Request (0x02) ident 12 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22710 [hci0] 1664.421371
+ L2CAP: Disconnection Response (0x07) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22711 [hci0] 1664.424082
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22712 [hci0] 1664.425040
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22713 [hci0] 1664.426103
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #22714 [hci0] 1664.426186
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #22715 [hci0] 1664.426196
+ L2CAP: Configure Request (0x04) ident 13 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #22716 [hci0] 1664.428804
+ L2CAP: Connection Response (0x03) ident 12 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Fix is to check that channel is in state BT_DISCONN before deleting the
+channel.
+
+This bug was found while fuzzing Bluez's OBEX implementation using
+Synopsys Defensics.
+
+Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
+Reported-by: Ari Timonen <ari.timonen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index ec9b5d159591..48d23abfe799 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4374,6 +4374,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+
+ l2cap_chan_lock(chan);
+
++ if (chan->state != BT_DISCONN) {
++ l2cap_chan_unlock(chan);
++ mutex_unlock(&conn->chan_lock);
++ return 0;
++ }
++
+ l2cap_chan_hold(chan);
+ l2cap_chan_del(chan, 0);
+
+--
+2.20.1
+
--- /dev/null
+From b4e7a4cec7a4d81b448807c7daa8c6988b475410 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Tue, 28 May 2019 15:42:58 +0200
+Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb
+
+[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]
+
+Syzkaller found that it is possible to provoke a memory leak by
+never freeing rx_skb in struct bcsp_struct.
+
+Fix by freeing in bcsp_close()
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_bcsp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
+index a2c921faaa12..34e04bf87a62 100644
+--- a/drivers/bluetooth/hci_bcsp.c
++++ b/drivers/bluetooth/hci_bcsp.c
+@@ -759,6 +759,11 @@ static int bcsp_close(struct hci_uart *hu)
+ skb_queue_purge(&bcsp->rel);
+ skb_queue_purge(&bcsp->unrel);
+
++ if (bcsp->rx_skb) {
++ kfree_skb(bcsp->rx_skb);
++ bcsp->rx_skb = NULL;
++ }
++
+ kfree(bcsp);
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 8cf5c53ca631ae36bfa2680d9c1fcb1991b5d133 Mon Sep 17 00:00:00 2001
+From: csonsino <csonsino@gmail.com>
+Date: Wed, 12 Jun 2019 15:00:52 -0600
+Subject: Bluetooth: validate BLE connection interval updates
+
+[ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ]
+
+Problem: The Linux Bluetooth stack yields complete control over the BLE
+connection interval to the remote device.
+
+The Linux Bluetooth stack provides access to the BLE connection interval
+min and max values through /sys/kernel/debug/bluetooth/hci0/
+conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
+These values are used for initial BLE connections, but the remote device
+has the ability to request a connection parameter update. In the event
+that the remote side requests to change the connection interval, the Linux
+kernel currently only validates that the desired value is within the
+acceptable range in the Bluetooth specification (6 - 3200, corresponding to
+7.5ms - 4000ms). There is currently no validation that the desired value
+requested by the remote device is within the min/max limits specified in
+the conn_min_interval/conn_max_interval configurations. This essentially
+leads to Linux yielding complete control over the connection interval to
+the remote device.
+
+The proposed patch adds a verification step to the connection parameter
+update mechanism, ensuring that the desired value is within the min/max
+bounds of the current connection. If the desired value is outside of the
+current connection min/max values, then the connection parameter update
+request is rejected and the negative response is returned to the remote
+device. Recall that the initial connection is established using the local
+conn_min_interval/conn_max_interval values, so this allows the Linux
+administrator to retain control over the BLE connection interval.
+
+The one downside that I see is that the current default Linux values for
+conn_min_interval and conn_max_interval typically correspond to 30ms and
+50ms respectively. If this change were accepted, then it is feasible that
+some devices would no longer be able to negotiate to their desired
+connection interval values. This might be remedied by setting the default
+Linux conn_min_interval and conn_max_interval values to the widest
+supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
+behavior as the current implementation, where the remote device could
+request to change the connection interval value to any value that is
+permitted by the Bluetooth specification, and Linux would accept the
+desired value.
+
+Signed-off-by: Carey Sonsino <csonsino@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 5 +++++
+ net/bluetooth/l2cap_core.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 6f78489fdb13..163a239bda91 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5089,6 +5089,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
+ return send_conn_param_neg_reply(hdev, handle,
+ HCI_ERROR_UNKNOWN_CONN_ID);
+
++ if (min < hcon->le_conn_min_interval ||
++ max > hcon->le_conn_max_interval)
++ return send_conn_param_neg_reply(hdev, handle,
++ HCI_ERROR_INVALID_LL_PARAMS);
++
+ if (hci_check_conn_params(min, max, latency, timeout))
+ return send_conn_param_neg_reply(hdev, handle,
+ HCI_ERROR_INVALID_LL_PARAMS);
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 48d23abfe799..4912e80dacef 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5277,7 +5277,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
+
+ memset(&rsp, 0, sizeof(rsp));
+
+- err = hci_check_conn_params(min, max, latency, to_multiplier);
++ if (min < hcon->le_conn_min_interval ||
++ max > hcon->le_conn_max_interval) {
++ BT_DBG("requested connection interval exceeds current bounds.");
++ err = -EINVAL;
++ } else {
++ err = hci_check_conn_params(min, max, latency, to_multiplier);
++ }
++
+ if (err)
+ rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
+ else
+--
+2.20.1
+
--- /dev/null
+From 08c0944a213a9233fcb55f099b5666d5c93b7711 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= <valdis.kletnieks@vt.edu>
+Date: Thu, 6 Jun 2019 22:39:27 -0400
+Subject: bpf: silence warning messages in core
+
+[ Upstream commit aee450cbe482a8c2f6fa5b05b178ef8b8ff107ca ]
+
+Compiling kernel/bpf/core.c with W=1 causes a flood of warnings:
+
+kernel/bpf/core.c:1198:65: warning: initialized field overwritten [-Woverride-init]
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+ | ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 | INSN_3(ALU, ADD, X), \
+ | ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+ | ^~~~~~~~~~~~
+kernel/bpf/core.c:1198:65: note: (near initialization for 'public_insntable[12]')
+ 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
+ | ^~~~
+kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL'
+ 1087 | INSN_3(ALU, ADD, X), \
+ | ^~~~~~
+kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP'
+ 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
+ | ^~~~~~~~~~~~
+
+98 copies of the above.
+
+The attached patch silences the warnings, because we *know* we're overwriting
+the default initializer. That leaves bpf/core.c with only 6 other warnings,
+which become more visible in comparison.
+
+Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile
+index eed911d091da..5a590f22b4d4 100644
+--- a/kernel/bpf/Makefile
++++ b/kernel/bpf/Makefile
+@@ -1,4 +1,5 @@
+ obj-y := core.o
++CFLAGS_core.o += $(call cc-disable-warning, override-init)
+
+ obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o
+ obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o
+--
+2.20.1
+
--- /dev/null
+From fa00c8ee32b357153fcc01a4b49ffb646286511e Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 30 May 2019 12:50:43 +0200
+Subject: clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
+
+[ Upstream commit 6282edb72bed5324352522d732080d4c1b9dfed6 ]
+
+Exynos SoCs based on CA7/CA15 have 2 timer interfaces: custom Exynos MCT
+(Multi Core Timer) and standard ARM Architected Timers.
+
+There are use cases, where both timer interfaces are used simultanously.
+One of such examples is using Exynos MCT for the main system timer and
+ARM Architected Timers for the KVM and virtualized guests (KVM requires
+arch timers).
+
+Exynos Multi-Core Timer driver (exynos_mct) must be however started
+before ARM Architected Timers (arch_timer), because they both share some
+common hardware blocks (global system counter) and turning on MCT is
+needed to get ARM Architected Timer working properly.
+
+To ensure selecting Exynos MCT as the main system timer, increase MCT
+timer rating. To ensure proper starting order of both timers during
+suspend/resume cycle, increase MCT hotplug priority over ARM Archictected
+Timers.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/exynos_mct.c | 4 ++--
+ include/linux/cpuhotplug.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
+index fb0cf8b74516..d32248e2ceab 100644
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -211,7 +211,7 @@ static void exynos4_frc_resume(struct clocksource *cs)
+
+ static struct clocksource mct_frc = {
+ .name = "mct-frc",
+- .rating = 400,
++ .rating = 450, /* use value higher than ARM arch timer */
+ .read = exynos4_frc_read,
+ .mask = CLOCKSOURCE_MASK(32),
+ .flags = CLOCK_SOURCE_IS_CONTINUOUS,
+@@ -466,7 +466,7 @@ static int exynos4_mct_starting_cpu(unsigned int cpu)
+ evt->set_state_oneshot_stopped = set_state_shutdown;
+ evt->tick_resume = set_state_shutdown;
+ evt->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT;
+- evt->rating = 450;
++ evt->rating = 500; /* use value higher than ARM arch timer */
+
+ exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET);
+
+diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
+index c9447a689522..1ab0273560ae 100644
+--- a/include/linux/cpuhotplug.h
++++ b/include/linux/cpuhotplug.h
+@@ -77,10 +77,10 @@ enum cpuhp_state {
+ CPUHP_AP_PERF_ARM_HW_BREAKPOINT_STARTING,
+ CPUHP_AP_PERF_ARM_STARTING,
+ CPUHP_AP_ARM_L2X0_STARTING,
++ CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING,
+ CPUHP_AP_ARM_ARCH_TIMER_STARTING,
+ CPUHP_AP_ARM_GLOBAL_TIMER_STARTING,
+ CPUHP_AP_JCORE_TIMER_STARTING,
+- CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING,
+ CPUHP_AP_ARM_TWD_STARTING,
+ CPUHP_AP_METAG_TIMER_STARTING,
+ CPUHP_AP_QCOM_TIMER_STARTING,
+--
+2.20.1
+
--- /dev/null
+From 5a971b1e230e6d194b7305d358fe9da7118e9724 Mon Sep 17 00:00:00 2001
+From: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Date: Wed, 29 May 2019 04:30:33 -0500
+Subject: cpupower : frequency-set -r option misses the last cpu in related cpu
+ list
+
+[ Upstream commit 04507c0a9385cc8280f794a36bfff567c8cc1042 ]
+
+To set frequency on specific cpus using cpupower, following syntax can
+be used :
+cpupower -c #i frequency-set -f #f -r
+
+While setting frequency using cpupower frequency-set command, if we use
+'-r' option, it is expected to set frequency for all cpus related to
+cpu #i. But it is observed to be missing the last cpu in related cpu
+list. This patch fixes the problem.
+
+Signed-off-by: Abhishek Goel <huntbag@linux.vnet.ibm.com>
+Reviewed-by: Thomas Renninger <trenn@suse.de>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/cpufreq-set.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/power/cpupower/utils/cpufreq-set.c b/tools/power/cpupower/utils/cpufreq-set.c
+index 1eef0aed6423..08a405593a79 100644
+--- a/tools/power/cpupower/utils/cpufreq-set.c
++++ b/tools/power/cpupower/utils/cpufreq-set.c
+@@ -306,6 +306,8 @@ int cmd_freq_set(int argc, char **argv)
+ bitmask_setbit(cpus_chosen, cpus->cpu);
+ cpus = cpus->next;
+ }
++ /* Set the last cpu in related cpus list */
++ bitmask_setbit(cpus_chosen, cpus->cpu);
+ cpufreq_put_related_cpus(cpus);
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 0165cfcdd5f4cb820f41530eecf1c2216a33b406 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 14:13:47 +0200
+Subject: crypto: asymmetric_keys - select CRYPTO_HASH where needed
+
+[ Upstream commit 90acc0653d2bee203174e66d519fbaaa513502de ]
+
+Build testing with some core crypto options disabled revealed
+a few modules that are missing CRYPTO_HASH:
+
+crypto/asymmetric_keys/x509_public_key.o: In function `x509_get_sig_params':
+x509_public_key.c:(.text+0x4c7): undefined reference to `crypto_alloc_shash'
+x509_public_key.c:(.text+0x5e5): undefined reference to `crypto_shash_digest'
+crypto/asymmetric_keys/pkcs7_verify.o: In function `pkcs7_digest.isra.0':
+pkcs7_verify.c:(.text+0xab): undefined reference to `crypto_alloc_shash'
+pkcs7_verify.c:(.text+0x1b2): undefined reference to `crypto_shash_digest'
+pkcs7_verify.c:(.text+0x3c1): undefined reference to `crypto_shash_update'
+pkcs7_verify.c:(.text+0x411): undefined reference to `crypto_shash_finup'
+
+This normally doesn't show up in randconfig tests because there is
+a large number of other options that select CRYPTO_HASH.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/asymmetric_keys/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
+index 331f6baf2df8..13f3de68b479 100644
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -14,6 +14,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select MPILIB
+ select CRYPTO_HASH_INFO
+ select CRYPTO_AKCIPHER
++ select CRYPTO_HASH
+ help
+ This option provides support for asymmetric public key type handling.
+ If signature generation and/or verification are to be used,
+@@ -33,6 +34,7 @@ config X509_CERTIFICATE_PARSER
+ config PKCS7_MESSAGE_PARSER
+ tristate "PKCS#7 message parser"
+ depends on X509_CERTIFICATE_PARSER
++ select CRYPTO_HASH
+ select ASN1
+ select OID_REGISTRY
+ help
+@@ -55,6 +57,7 @@ config SIGNED_PE_FILE_VERIFICATION
+ bool "Support for PE file signature verification"
+ depends on PKCS7_MESSAGE_PARSER=y
+ depends on SYSTEM_DATA_VERIFICATION
++ select CRYPTO_HASH
+ select ASN1
+ select OID_REGISTRY
+ help
+--
+2.20.1
+
--- /dev/null
+From 0d26cbf048d047ee567381fe1296f9d70b2cd4c0 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 May 2019 13:34:18 +0000
+Subject: crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
+
+[ Upstream commit c9cca7034b34a2d82e9a03b757de2485c294851c ]
+
+The MPC885 reference manual states:
+
+SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but
+reads can occur on any byte boundary. Writing back a header read from a
+non-32-bit-word boundary will yield unpredictable results.
+
+In order to ensure that, cra_alignmask is set to 3 for SEC1.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index e7864aa494a1..ea8595d2c3d8 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -3119,7 +3119,10 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
+ alg->cra_priority = t_alg->algt.priority;
+ else
+ alg->cra_priority = TALITOS_CRA_PRIORITY;
+- alg->cra_alignmask = 0;
++ if (has_ftr_sec1(priv))
++ alg->cra_alignmask = 3;
++ else
++ alg->cra_alignmask = 0;
+ alg->cra_ctxsize = sizeof(struct talitos_ctx);
+ alg->cra_flags |= CRYPTO_ALG_KERN_DRIVER_ONLY;
+
+--
+2.20.1
+
--- /dev/null
+From ab06d860b2a6e497c1bbe72c2198dc368a34d967 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 15 May 2019 12:29:03 +0000
+Subject: crypto: talitos - fix skcipher failure due to wrong output IV
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3e03e792865ae48b8cfc69a0b4d65f02f467389f ]
+
+Selftests report the following:
+
+[ 2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41
+[ 3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 3.043185] 00000000: fe dc ba 98 76 54 32 10
+[ 3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 3.073818] 00000000: 7d 33 88 93 0f 93 b2 42
+
+This above dumps show that the actual output IV is indeed the input IV.
+This is due to the IV not being copied back into the request.
+
+This patch fixes that.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 5a24a484ecc7..0b12772c7919 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1544,11 +1544,15 @@ static void ablkcipher_done(struct device *dev,
+ int err)
+ {
+ struct ablkcipher_request *areq = context;
++ struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq);
++ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++ unsigned int ivsize = crypto_ablkcipher_ivsize(cipher);
+ struct talitos_edesc *edesc;
+
+ edesc = container_of(desc, struct talitos_edesc, desc);
+
+ common_nonsnoop_unmap(dev, edesc, areq);
++ memcpy(areq->info, ctx->iv, ivsize);
+
+ kfree(edesc);
+
+--
+2.20.1
+
--- /dev/null
+From e108b2898a88ac654e978f0ec40f426e6aefe2f5 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 May 2019 13:34:17 +0000
+Subject: crypto: talitos - properly handle split ICV.
+
+[ Upstream commit eae55a586c3c8b50982bad3c3426e9c9dd7a0075 ]
+
+The driver assumes that the ICV is as a single piece in the last
+element of the scatterlist. This assumption is wrong.
+
+This patch ensures that the ICV is properly handled regardless of
+the scatterlist layout.
+
+Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/talitos.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 0b12772c7919..e7864aa494a1 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -984,7 +984,6 @@ static void ipsec_esp_encrypt_done(struct device *dev,
+ struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
+ unsigned int authsize = crypto_aead_authsize(authenc);
+ struct talitos_edesc *edesc;
+- struct scatterlist *sg;
+ void *icvdata;
+
+ edesc = container_of(desc, struct talitos_edesc, desc);
+@@ -998,9 +997,8 @@ static void ipsec_esp_encrypt_done(struct device *dev,
+ else
+ icvdata = &edesc->link_tbl[edesc->src_nents +
+ edesc->dst_nents + 2];
+- sg = sg_last(areq->dst, edesc->dst_nents);
+- memcpy((char *)sg_virt(sg) + sg->length - authsize,
+- icvdata, authsize);
++ sg_pcopy_from_buffer(areq->dst, edesc->dst_nents ? : 1, icvdata,
++ authsize, areq->assoclen + areq->cryptlen);
+ }
+
+ kfree(edesc);
+@@ -1016,7 +1014,6 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
+ struct crypto_aead *authenc = crypto_aead_reqtfm(req);
+ unsigned int authsize = crypto_aead_authsize(authenc);
+ struct talitos_edesc *edesc;
+- struct scatterlist *sg;
+ char *oicv, *icv;
+ struct talitos_private *priv = dev_get_drvdata(dev);
+ bool is_sec1 = has_ftr_sec1(priv);
+@@ -1026,9 +1023,18 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
+ ipsec_esp_unmap(dev, edesc, req);
+
+ if (!err) {
++ char icvdata[SHA512_DIGEST_SIZE];
++ int nents = edesc->dst_nents ? : 1;
++ unsigned int len = req->assoclen + req->cryptlen;
++
+ /* auth check */
+- sg = sg_last(req->dst, edesc->dst_nents ? : 1);
+- icv = (char *)sg_virt(sg) + sg->length - authsize;
++ if (nents > 1) {
++ sg_pcopy_to_buffer(req->dst, nents, icvdata, authsize,
++ len - authsize);
++ icv = icvdata;
++ } else {
++ icv = (char *)sg_virt(req->dst) + len - authsize;
++ }
+
+ if (edesc->dma_len) {
+ if (is_sec1)
+@@ -1458,7 +1464,6 @@ static int aead_decrypt(struct aead_request *req)
+ struct talitos_ctx *ctx = crypto_aead_ctx(authenc);
+ struct talitos_private *priv = dev_get_drvdata(ctx->dev);
+ struct talitos_edesc *edesc;
+- struct scatterlist *sg;
+ void *icvdata;
+
+ req->cryptlen -= authsize;
+@@ -1493,9 +1498,8 @@ static int aead_decrypt(struct aead_request *req)
+ else
+ icvdata = &edesc->link_tbl[0];
+
+- sg = sg_last(req->src, edesc->src_nents ? : 1);
+-
+- memcpy(icvdata, (char *)sg_virt(sg) + sg->length - authsize, authsize);
++ sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize,
++ req->assoclen + req->cryptlen - authsize);
+
+ return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done);
+ }
+--
+2.20.1
+
--- /dev/null
+From 1956945fda1fd9f0c9f20388e81321baa0981dcf Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Mon, 24 Jun 2019 10:07:31 -0400
+Subject: dmaengine: imx-sdma: fix use-after-free on probe error path
+
+[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ]
+
+If probe() fails anywhere beyond the point where
+sdma_get_firmware() is called, then a kernel oops may occur.
+
+Problematic sequence of events:
+1. probe() calls sdma_get_firmware(), which schedules the
+ firmware callback to run when firmware becomes available,
+ using the sdma instance structure as the context
+2. probe() encounters an error, which deallocates the
+ sdma instance structure
+3. firmware becomes available, firmware callback is
+ called with deallocated sdma instance structure
+4. use after free - kernel oops !
+
+Solution: only attempt to load firmware when we're certain
+that probe() will succeed. This guarantees that the firmware
+callback's context will remain valid.
+
+Note that the remove() path is unaffected by this issue: the
+firmware loader will increment the driver module's use count,
+ensuring that the module cannot be unloaded while the
+firmware callback is pending or running.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Reviewed-by: Robin Gong <yibin.gong@nxp.com>
+[vkoul: fixed braces for if condition]
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/imx-sdma.c | 48 ++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index 84856ac75a09..9f240b2d85a5 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1821,27 +1821,6 @@ static int sdma_probe(struct platform_device *pdev)
+ if (pdata && pdata->script_addrs)
+ sdma_add_scripts(sdma, pdata->script_addrs);
+
+- if (pdata) {
+- ret = sdma_get_firmware(sdma, pdata->fw_name);
+- if (ret)
+- dev_warn(&pdev->dev, "failed to get firmware from platform data\n");
+- } else {
+- /*
+- * Because that device tree does not encode ROM script address,
+- * the RAM script in firmware is mandatory for device tree
+- * probe, otherwise it fails.
+- */
+- ret = of_property_read_string(np, "fsl,sdma-ram-script-name",
+- &fw_name);
+- if (ret)
+- dev_warn(&pdev->dev, "failed to get firmware name\n");
+- else {
+- ret = sdma_get_firmware(sdma, fw_name);
+- if (ret)
+- dev_warn(&pdev->dev, "failed to get firmware from device tree\n");
+- }
+- }
+-
+ sdma->dma_device.dev = &pdev->dev;
+
+ sdma->dma_device.device_alloc_chan_resources = sdma_alloc_chan_resources;
+@@ -1883,6 +1862,33 @@ static int sdma_probe(struct platform_device *pdev)
+ of_node_put(spba_bus);
+ }
+
++ /*
++ * Kick off firmware loading as the very last step:
++ * attempt to load firmware only if we're not on the error path, because
++ * the firmware callback requires a fully functional and allocated sdma
++ * instance.
++ */
++ if (pdata) {
++ ret = sdma_get_firmware(sdma, pdata->fw_name);
++ if (ret)
++ dev_warn(&pdev->dev, "failed to get firmware from platform data\n");
++ } else {
++ /*
++ * Because that device tree does not encode ROM script address,
++ * the RAM script in firmware is mandatory for device tree
++ * probe, otherwise it fails.
++ */
++ ret = of_property_read_string(np, "fsl,sdma-ram-script-name",
++ &fw_name);
++ if (ret) {
++ dev_warn(&pdev->dev, "failed to get firmware name\n");
++ } else {
++ ret = sdma_get_firmware(sdma, fw_name);
++ if (ret)
++ dev_warn(&pdev->dev, "failed to get firmware from device tree\n");
++ }
++ }
++
+ return 0;
+
+ err_register:
+--
+2.20.1
+
--- /dev/null
+From faf155632d9ec88ea93d605af144913f58792dd4 Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Wed, 26 Jun 2019 14:40:11 +0900
+Subject: EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
+
+[ Upstream commit d8655e7630dafa88bc37f101640e39c736399771 ]
+
+Commit 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") assumes
+edac_mc_poll_msec to be unsigned long, but the type of the variable still
+remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds
+write.
+
+Reproducer:
+
+ # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec
+
+KASAN report:
+
+ BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150
+ Write of size 8 at addr ffffffffb91b2d00 by task bash/1996
+
+ CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+ Call Trace:
+ dump_stack+0xca/0x13e
+ print_address_description.cold+0x5/0x246
+ __kasan_report.cold+0x75/0x9a
+ ? edac_set_poll_msec+0x140/0x150
+ kasan_report+0xe/0x20
+ edac_set_poll_msec+0x140/0x150
+ ? dimmdev_location_show+0x30/0x30
+ ? vfs_lock_file+0xe0/0xe0
+ ? _raw_spin_lock+0x87/0xe0
+ param_attr_store+0x1b5/0x310
+ ? param_array_set+0x4f0/0x4f0
+ module_attr_store+0x58/0x80
+ ? module_attr_show+0x80/0x80
+ sysfs_kf_write+0x13d/0x1a0
+ kernfs_fop_write+0x2bc/0x460
+ ? sysfs_kf_bin_read+0x270/0x270
+ ? kernfs_notify+0x1f0/0x1f0
+ __vfs_write+0x81/0x100
+ vfs_write+0x1e1/0x560
+ ksys_write+0x126/0x250
+ ? __ia32_sys_read+0xb0/0xb0
+ ? do_syscall_64+0x1f/0x390
+ do_syscall_64+0xc1/0x390
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7fa7caa5e970
+ Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04
+ RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970
+ RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001
+ RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700
+ R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005
+ R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005
+
+ The buggy address belongs to the variable:
+ edac_mc_poll_msec+0x0/0x40
+
+ Memory state around the buggy address:
+ ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+ ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+ >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+ ^
+ ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+ ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fix it by changing the type of edac_mc_poll_msec to unsigned int.
+The reason why this patch adopts unsigned int rather than unsigned long
+is msecs_to_jiffies() assumes arg to be unsigned int. We can avoid
+integer conversion bugs and unsigned int will be large enough for
+edac_mc_poll_msec.
+
+Reviewed-by: James Morse <james.morse@arm.com>
+Fixes: 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 16 ++++++++--------
+ drivers/edac/edac_module.h | 2 +-
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 203ebe348b77..d59641194860 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -26,7 +26,7 @@
+ static int edac_mc_log_ue = 1;
+ static int edac_mc_log_ce = 1;
+ static int edac_mc_panic_on_ue;
+-static int edac_mc_poll_msec = 1000;
++static unsigned int edac_mc_poll_msec = 1000;
+
+ /* Getter functions for above */
+ int edac_mc_get_log_ue(void)
+@@ -45,30 +45,30 @@ int edac_mc_get_panic_on_ue(void)
+ }
+
+ /* this is temporary */
+-int edac_mc_get_poll_msec(void)
++unsigned int edac_mc_get_poll_msec(void)
+ {
+ return edac_mc_poll_msec;
+ }
+
+ static int edac_set_poll_msec(const char *val, struct kernel_param *kp)
+ {
+- unsigned long l;
++ unsigned int i;
+ int ret;
+
+ if (!val)
+ return -EINVAL;
+
+- ret = kstrtoul(val, 0, &l);
++ ret = kstrtouint(val, 0, &i);
+ if (ret)
+ return ret;
+
+- if (l < 1000)
++ if (i < 1000)
+ return -EINVAL;
+
+- *((unsigned long *)kp->arg) = l;
++ *((unsigned int *)kp->arg) = i;
+
+ /* notify edac_mc engine to reset the poll period */
+- edac_mc_reset_delay_period(l);
++ edac_mc_reset_delay_period(i);
+
+ return 0;
+ }
+@@ -82,7 +82,7 @@ MODULE_PARM_DESC(edac_mc_log_ue,
+ module_param(edac_mc_log_ce, int, 0644);
+ MODULE_PARM_DESC(edac_mc_log_ce,
+ "Log correctable error to console: 0=off 1=on");
+-module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_int,
++module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_uint,
+ &edac_mc_poll_msec, 0644);
+ MODULE_PARM_DESC(edac_mc_poll_msec, "Polling period in milliseconds");
+
+diff --git a/drivers/edac/edac_module.h b/drivers/edac/edac_module.h
+index cfaacb99c973..c36f9f721fb2 100644
+--- a/drivers/edac/edac_module.h
++++ b/drivers/edac/edac_module.h
+@@ -33,7 +33,7 @@ extern int edac_mc_get_log_ue(void);
+ extern int edac_mc_get_log_ce(void);
+ extern int edac_mc_get_panic_on_ue(void);
+ extern int edac_get_poll_msec(void);
+-extern int edac_mc_get_poll_msec(void);
++extern unsigned int edac_mc_get_poll_msec(void);
+
+ unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf,
+ unsigned len);
+--
+2.20.1
+
--- /dev/null
+From c2ede1fc7b5626950c870b229fa8e100134ae3cd Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 18 Apr 2019 10:27:18 +0800
+Subject: EDAC/sysfs: Fix memory leak when creating a csrow object
+
+[ Upstream commit 585fb3d93d32dbe89e718b85009f9c322cc554cd ]
+
+In edac_create_csrow_object(), the reference to the object is not
+released when adding the device to the device hierarchy fails
+(device_add()). This may result in a memory leak.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: https://lkml.kernel.org/r/1555554438-103953-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/edac_mc_sysfs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
+index 40d792e96b75..203ebe348b77 100644
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -426,6 +426,8 @@ static inline int nr_pages_per_csrow(struct csrow_info *csrow)
+ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+ struct csrow_info *csrow, int index)
+ {
++ int err;
++
+ csrow->dev.type = &csrow_attr_type;
+ csrow->dev.bus = mci->bus;
+ csrow->dev.groups = csrow_dev_groups;
+@@ -438,7 +440,11 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci,
+ edac_dbg(0, "creating (virtual) csrow node %s\n",
+ dev_name(&csrow->dev));
+
+- return device_add(&csrow->dev);
++ err = device_add(&csrow->dev);
++ if (err)
++ put_device(&csrow->dev);
++
++ return err;
+ }
+
+ /* Create a CSROW object under specifed edac_mc_device */
+--
+2.20.1
+
--- /dev/null
+From 77163150bdc22c8ec7a3564d95b02bbbe0392bda Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:20 +0300
+Subject: floppy: fix div-by-zero in setup_format_params
+
+[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ]
+
+This fixes a divide by zero error in the setup_format_params function of
+the floppy driver.
+
+Two consecutive ioctls can trigger the bug: The first one should set the
+drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
+to become zero. Next, the floppy format operation should be called.
+
+A floppy disk is not required to be inserted. An unprivileged user
+could trigger the bug if the device is accessible.
+
+The patch checks F_SECT_PER_TRACK for a non-zero value in the
+set_geometry function. The proper check should involve a reasonable
+upper limit for the .sect and .rate fields, but it could change the
+UAPI.
+
+The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
+cancels the formatting operation in case of zero.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 6914c6e1e1a8..bb9b50d1d828 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -2113,6 +2113,9 @@ static void setup_format_params(int track)
+ raw_cmd->kernel_data = floppy_track_buffer;
+ raw_cmd->length = 4 * F_SECT_PER_TRACK;
+
++ if (!F_SECT_PER_TRACK)
++ return;
++
+ /* allow for about 30ms for data transport per track */
+ head_shift = (F_SECT_PER_TRACK + 5) / 6;
+
+@@ -3235,6 +3238,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+ /* sanity checking for parameters. */
+ if (g->sect <= 0 ||
+ g->head <= 0 ||
++ /* check for zero in F_SECT_PER_TRACK */
++ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+ g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+ /* check if reserved bits are set */
+ (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
+--
+2.20.1
+
--- /dev/null
+From f08ab6458e0c83d14ac4e9856018fbb79b583feb Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@ispras.ru>
+Date: Fri, 12 Jul 2019 21:55:23 +0300
+Subject: floppy: fix out-of-bounds read in copy_buffer
+
+[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ]
+
+This fixes a global out-of-bounds read access in the copy_buffer
+function of the floppy driver.
+
+The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect
+and head fields (unsigned int) of the floppy_drive structure are used to
+compute the max_sector (int) in the make_raw_rw_request function. It is
+possible to overflow the max_sector. Next, max_sector is passed to the
+copy_buffer function and used in one of the memcpy calls.
+
+An unprivileged user could trigger the bug if the device is accessible,
+but requires a floppy disk to be inserted.
+
+The patch adds the check for the .sect * .head multiplication for not
+overflowing in the set_geometry function.
+
+The bug was found by syzkaller.
+
+Signed-off-by: Denis Efremov <efremov@ispras.ru>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index bb9b50d1d828..de76b66893aa 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
+ int cnt;
+
+ /* sanity checking for parameters. */
+- if (g->sect <= 0 ||
+- g->head <= 0 ||
++ if ((int)g->sect <= 0 ||
++ (int)g->head <= 0 ||
++ /* check for overflow in max_sector */
++ (int)(g->sect * g->head) <= 0 ||
+ /* check for zero in F_SECT_PER_TRACK */
+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
+ g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
+--
+2.20.1
+
--- /dev/null
+From e5fec4fa296287b8ce718dbafd4fde7a60719079 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:44 +0300
+Subject: gpio: omap: ensure irq is enabled before wakeup
+
+[ Upstream commit c859e0d479b3b4f6132fc12637c51e01492f31f6 ]
+
+Documentation states:
+
+ NOTE: There must be a correlation between the wake-up enable and
+ interrupt-enable registers. If a GPIO pin has a wake-up configured
+ on it, it must also have the corresponding interrupt enabled (on
+ one of the two interrupt lines).
+
+Ensure that this condition is always satisfied by enabling the detection
+events after enabling the interrupt, and disabling the detection before
+disabling the interrupt. This ensures interrupt/wakeup events can not
+happen until both the wakeup and interrupt enables correlate.
+
+If we do any clearing, clear between the interrupt enable/disable and
+trigger setting.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index bd12b433f964..fc841ce24db7 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -786,9 +786,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d)
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+ bank->irq_usage &= ~(BIT(offset));
+- omap_set_gpio_irqenable(bank, offset, 0);
+- omap_clear_gpio_irqstatus(bank, offset);
+ omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++ omap_clear_gpio_irqstatus(bank, offset);
++ omap_set_gpio_irqenable(bank, offset, 0);
+ if (!LINE_USED(bank->mod_usage, offset))
+ omap_clear_gpio_debounce(bank, offset);
+ omap_disable_gpio_module(bank, offset);
+@@ -830,8 +830,8 @@ static void omap_gpio_mask_irq(struct irq_data *d)
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+- omap_set_gpio_irqenable(bank, offset, 0);
+ omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++ omap_set_gpio_irqenable(bank, offset, 0);
+ raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+
+@@ -843,9 +843,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+- if (trigger)
+- omap_set_gpio_triggering(bank, offset, trigger);
+-
+ omap_set_gpio_irqenable(bank, offset, 1);
+
+ /*
+@@ -853,9 +850,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+ * is cleared, thus after the handler has run. OMAP4 needs this done
+ * after enabing the interrupt to clear the wakeup status.
+ */
+- if (bank->level_mask & BIT(offset))
++ if (bank->regs->leveldetect0 && bank->regs->wkup_en &&
++ trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))
+ omap_clear_gpio_irqstatus(bank, offset);
+
++ if (trigger)
++ omap_set_gpio_triggering(bank, offset, trigger);
++
+ raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 7bd355f43aca1e89c29544fb7039be3cfdbf9437 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:45 +0300
+Subject: gpio: omap: fix lack of irqstatus_raw0 for OMAP4
+
+[ Upstream commit 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 ]
+
+Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added
+the register definition tables to the gpio-omap driver. Subsequently to
+that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx()
+checks from *_runtime_resume()") added definitions for irqstatus_raw*
+registers to the legacy OMAP4 definitions, but missed the DT
+definitions.
+
+This causes an unintentional change of behaviour for the 1.101 errata
+workaround on OMAP4 platforms. Fix this oversight.
+
+Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 038882183bdf..bd12b433f964 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1585,6 +1585,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = {
+ .clr_dataout = OMAP4_GPIO_CLEARDATAOUT,
+ .irqstatus = OMAP4_GPIO_IRQSTATUS0,
+ .irqstatus2 = OMAP4_GPIO_IRQSTATUS1,
++ .irqstatus_raw0 = OMAP4_GPIO_IRQSTATUSRAW0,
++ .irqstatus_raw1 = OMAP4_GPIO_IRQSTATUSRAW1,
+ .irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+ .irqenable2 = OMAP4_GPIO_IRQSTATUSSET1,
+ .set_irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+--
+2.20.1
+
--- /dev/null
+From 9d21e11ff1639db87d8a87c89a603d09b46856c3 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 1 Jul 2019 16:27:38 +0200
+Subject: gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
+
+[ Upstream commit 3285170f28a850638794cdfe712eb6d93e51e706 ]
+
+Commit 372e722ea4dd4ca1 ("gpiolib: use descriptors internally") renamed
+the functions to use a "gpiod" prefix, and commit 79a9becda8940deb
+("gpiolib: export descriptor-based GPIO interface") introduced the "raw"
+variants, but both changes forgot to update the comments.
+
+Readd a similar reference to gpiod_set_value(), which was accidentally
+removed by commit 1e77fc82110ac36f ("gpio: Add missing open drain/source
+handling to gpiod_set_value_cansleep()").
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.be
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 9e2fe12c2858..a3251faa3ed8 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -2411,7 +2411,7 @@ static int _gpiod_get_raw_value(const struct gpio_desc *desc)
+ int gpiod_get_raw_value(const struct gpio_desc *desc)
+ {
+ VALIDATE_DESC(desc);
+- /* Should be using gpio_get_value_cansleep() */
++ /* Should be using gpiod_get_raw_value_cansleep() */
+ WARN_ON(desc->gdev->chip->can_sleep);
+ return _gpiod_get_raw_value(desc);
+ }
+@@ -2432,7 +2432,7 @@ int gpiod_get_value(const struct gpio_desc *desc)
+ int value;
+
+ VALIDATE_DESC(desc);
+- /* Should be using gpio_get_value_cansleep() */
++ /* Should be using gpiod_get_value_cansleep() */
+ WARN_ON(desc->gdev->chip->can_sleep);
+
+ value = _gpiod_get_raw_value(desc);
+@@ -2608,7 +2608,7 @@ void gpiod_set_array_value_complex(bool raw, bool can_sleep,
+ void gpiod_set_raw_value(struct gpio_desc *desc, int value)
+ {
+ VALIDATE_DESC_VOID(desc);
+- /* Should be using gpiod_set_value_cansleep() */
++ /* Should be using gpiod_set_raw_value_cansleep() */
+ WARN_ON(desc->gdev->chip->can_sleep);
+ _gpiod_set_raw_value(desc, value);
+ }
+--
+2.20.1
+
--- /dev/null
+From dda131c02f2fd7d62e410b9446a38ef5f4a5752b Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:23:13 +0900
+Subject: gtp: fix Illegal context switch in RCU read-side critical section.
+
+[ Upstream commit 3f167e1921865b379a9becf03828e7202c7b4917 ]
+
+ipv4_pdp_add() is called in RCU read-side critical section.
+So GFP_KERNEL should not be used in the function.
+This patch make ipv4_pdp_add() to use GFP_ATOMIC instead of GFP_KERNEL.
+
+Test commands:
+gtp-link add gtp1 &
+gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2
+
+Splat looks like:
+[ 130.618881] =============================
+[ 130.626382] WARNING: suspicious RCU usage
+[ 130.626994] 5.2.0-rc6+ #50 Not tainted
+[ 130.627622] -----------------------------
+[ 130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section!
+[ 130.629684]
+[ 130.629684] other info that might help us debug this:
+[ 130.629684]
+[ 130.631022]
+[ 130.631022] rcu_scheduler_active = 2, debug_locks = 1
+[ 130.632136] 4 locks held by gtp-tunnel/1025:
+[ 130.632925] #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40
+[ 130.634159] #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130
+[ 130.635487] #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp]
+[ 130.636936] #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp]
+[ 130.638348]
+[ 130.638348] stack backtrace:
+[ 130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50
+[ 130.641318] Call Trace:
+[ 130.641707] dump_stack+0x7c/0xbb
+[ 130.642252] ___might_sleep+0x2c0/0x3b0
+[ 130.642862] kmem_cache_alloc_trace+0x1cd/0x2b0
+[ 130.643591] gtp_genl_new_pdp+0x6c5/0x1150 [gtp]
+[ 130.644371] genl_family_rcv_msg+0x63a/0x1030
+[ 130.645074] ? mutex_lock_io_nested+0x1090/0x1090
+[ 130.645845] ? genl_unregister_family+0x630/0x630
+[ 130.646592] ? debug_show_all_locks+0x2d0/0x2d0
+[ 130.647293] ? check_flags.part.40+0x440/0x440
+[ 130.648099] genl_rcv_msg+0xa3/0x130
+[ ... ]
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index cb206e5526c4..60df6e391ad2 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -952,7 +952,7 @@ static int ipv4_pdp_add(struct net_device *dev, struct genl_info *info)
+
+ }
+
+- pctx = kmalloc(sizeof(struct pdp_ctx), GFP_KERNEL);
++ pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC);
+ if (pctx == NULL)
+ return -ENOMEM;
+
+--
+2.20.1
+
--- /dev/null
+From 6eeb1144a826d3ff192bbf9404c87639586f6347 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 3 Jul 2019 00:23:42 +0900
+Subject: gtp: fix use-after-free in gtp_newlink()
+
+[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ]
+
+Current gtp_newlink() could be called after unregister_pernet_subsys().
+gtp_newlink() uses gtp_net but it can be destroyed by
+unregister_pernet_subsys().
+So unregister_pernet_subsys() should be called after
+rtnl_link_unregister().
+
+Test commands:
+ #SHELL 1
+ while :
+ do
+ for i in {1..5}
+ do
+ ./gtp-link add gtp$i &
+ done
+ killall gtp-link
+ done
+
+ #SHELL 2
+ while :
+ do
+ modprobe -rv gtp
+ done
+
+Splat looks like:
+[ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
+[ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50
+[ 753.185801] Call Trace:
+[ 753.186264] dump_stack+0x7c/0xbb
+[ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.187583] print_address_description+0xc7/0x240
+[ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.189846] __kasan_report+0x12a/0x16f
+[ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.191298] kasan_report+0xe/0x20
+[ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp]
+[ 753.192580] ? __netlink_ns_capable+0xc3/0xf0
+[ 753.193370] __rtnl_newlink+0xb9f/0x11b0
+[ ... ]
+[ 753.241201] Allocated by task 7186:
+[ 753.241844] save_stack+0x19/0x80
+[ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0
+[ 753.243192] __kmalloc+0x13e/0x300
+[ 753.243764] ops_init+0xd6/0x350
+[ 753.244314] register_pernet_operations+0x249/0x6f0
+[ ... ]
+[ 753.251770] Freed by task 7178:
+[ 753.252288] save_stack+0x19/0x80
+[ 753.252833] __kasan_slab_free+0x111/0x150
+[ 753.253962] kfree+0xc7/0x280
+[ 753.254509] ops_free_list.part.11+0x1c4/0x2d0
+[ 753.255241] unregister_pernet_operations+0x262/0x390
+[ ... ]
+[ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
+[ 753.287241] ------------[ cut here ]------------
+[ 753.287794] kernel BUG at lib/list_debug.c:25!
+[ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50
+[ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
+[ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
+[ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
+[ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
+[ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
+[ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
+[ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
+[ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
+[ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
+[ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
+[ 753.302183] Call Trace:
+[ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp]
+[ 753.303037] ? __netlink_ns_capable+0xc3/0xf0
+[ 753.303576] __rtnl_newlink+0xb9f/0x11b0
+[ 753.304092] ? rtnl_link_unregister+0x230/0x230
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 60df6e391ad2..7e1df403a37d 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1358,9 +1358,9 @@ late_initcall(gtp_init);
+
+ static void __exit gtp_fini(void)
+ {
+- unregister_pernet_subsys(>p_net_ops);
+ genl_unregister_family(>p_genl_family);
+ rtnl_link_unregister(>p_link_ops);
++ unregister_pernet_subsys(>p_net_ops);
+
+ pr_info("GTP module unloaded\n");
+ }
+--
+2.20.1
+
--- /dev/null
+From d3f9974330bf3390b3f71700e8195eee11c76e7d Mon Sep 17 00:00:00 2001
+From: Denis Kirjanov <kda@linux-powerpc.org>
+Date: Mon, 17 Jun 2019 10:53:40 +0200
+Subject: ipoib: correcly show a VF hardware address
+
+[ Upstream commit 64d701c608fea362881e823b666327f5d28d7ffd ]
+
+in the case of IPoIB with SRIOV enabled hardware
+ip link show command incorrecly prints
+0 instead of a VF hardware address.
+
+Before:
+11: ib1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 MAC 00:00:00:00:00:00, spoof checking off, link-state disable,
+trust off, query_rss off
+...
+After:
+11: ib1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff, spoof
+checking off, link-state disable, trust off, query_rss off
+
+v1->v2: just copy an address without modifing ifla_vf_mac
+v2->v3: update the changelog
+
+Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
+Acked-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 17c5bc7e8957..45504febbc2a 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1751,6 +1751,7 @@ static int ipoib_get_vf_config(struct net_device *dev, int vf,
+ return err;
+
+ ivf->vf = vf;
++ memcpy(ivf->mac, dev->dev_addr, dev->addr_len);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 641f1aa21a33fd867df6c51a9027ec7a43567caf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 18 Jun 2019 13:22:13 +0200
+Subject: ipsec: select crypto ciphers for xfrm_algo
+
+[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ]
+
+kernelci.org reports failed builds on arc because of what looks
+like an old missed 'select' statement:
+
+net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs':
+xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash'
+
+I don't see this in randconfig builds on other architectures, but
+it's fairly clear we want to select the hash code for it, like we
+do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER
+is also required even though it has not popped up in build tests.
+
+Fixes: 17bc19702221 ("ipsec: Use skcipher and ahash when probing algorithms")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
+index bda1a13628a8..c09336b5a028 100644
+--- a/net/xfrm/Kconfig
++++ b/net/xfrm/Kconfig
+@@ -9,6 +9,8 @@ config XFRM_ALGO
+ tristate
+ select XFRM
+ select CRYPTO
++ select CRYPTO_HASH
++ select CRYPTO_BLKCIPHER
+
+ config XFRM_USER
+ tristate "Transformation user configuration interface"
+--
+2.20.1
+
--- /dev/null
+From 117ab742e733425e833912a6e02b5c8a4d9070c0 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Mon, 15 Apr 2019 16:45:04 +0300
+Subject: iwlwifi: mvm: Drop large non sta frames
+
+[ Upstream commit ac70499ee97231a418dc1a4d6c9dc102e8f64631 ]
+
+In some buggy scenarios we could possible attempt to transmit frames larger
+than maximum MSDU size. Since our devices don't know how to handle this,
+it may result in asserts, hangs etc.
+This can happen, for example, when we receive a large multicast frame
+and try to transmit it back to the air in AP mode.
+Since in a legal scenario this should never happen, drop such frames and
+warn about it.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index bd7ff562d82d..1aa74b87599f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -551,6 +551,9 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb)
+
+ memcpy(&info, skb->cb, sizeof(info));
+
++ if (WARN_ON_ONCE(skb->len > IEEE80211_MAX_DATA_LEN + hdrlen))
++ return -1;
++
+ if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU))
+ return -1;
+
+--
+2.20.1
+
--- /dev/null
+From 14c082b1507b19e1f8de4d28a50e01669e1c2471 Mon Sep 17 00:00:00 2001
+From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Date: Thu, 23 May 2019 16:11:12 -0300
+Subject: ixgbe: Check DDM existence in transceiver before access
+
+[ Upstream commit 655c91414579d7bb115a4f7898ee726fc18e0984 ]
+
+Some transceivers may comply with SFF-8472 but not implement the Digital
+Diagnostic Monitoring (DDM) interface described in it. The existence of
+such area is specified by bit 6 of byte 92, set to 1 if implemented.
+
+Currently, due to not checking this bit ixgbe fails trying to read SFP
+module's eeprom with the follow message:
+
+ethtool -m enP51p1s0f0
+Cannot get Module EEPROM data: Input/output error
+
+Because it fails to read the additional 256 bytes in which it was assumed
+to exist the DDM data.
+
+This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom
+data was confirmed by Mellanox as correct and present in other Passive
+DACs in from other manufacturers.
+
+Signed-off-by: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 ++-
+ drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index a137e060c185..bbc23e88de89 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3192,7 +3192,8 @@ static int ixgbe_get_module_info(struct net_device *dev,
+ page_swap = true;
+ }
+
+- if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap) {
++ if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap ||
++ !(addr_mode & IXGBE_SFF_DDM_IMPLEMENTED)) {
+ /* We have a SFP, but it does not support SFF-8472 */
+ modinfo->type = ETH_MODULE_SFF_8079;
+ modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+index cc735ec3e045..25090b4880b3 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h
+@@ -70,6 +70,7 @@
+ #define IXGBE_SFF_SOFT_RS_SELECT_10G 0x8
+ #define IXGBE_SFF_SOFT_RS_SELECT_1G 0x0
+ #define IXGBE_SFF_ADDRESSING_MODE 0x4
++#define IXGBE_SFF_DDM_IMPLEMENTED 0x40
+ #define IXGBE_SFF_QSFP_DA_ACTIVE_CABLE 0x1
+ #define IXGBE_SFF_QSFP_DA_PASSIVE_CABLE 0x8
+ #define IXGBE_SFF_QSFP_CONNECTOR_NOT_SEPARABLE 0x23
+--
+2.20.1
+
--- /dev/null
+From 1e912765b2e675a26fcea3b23eb0844070492f8d Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 24 Jun 2019 09:32:50 -0700
+Subject: libata: don't request sense data on !ZAC ATA devices
+
+[ Upstream commit ca156e006add67e4beea7896be395160735e09b0 ]
+
+ZAC support added sense data requesting on error for both ZAC and ATA
+devices. This seems to cause erratic error handling behaviors on some
+SSDs where the device reports sense data availability and then
+delivers the wrong content making EH take the wrong actions. The
+failure mode was sporadic on a LITE-ON ssd and couldn't be reliably
+reproduced.
+
+There is no value in requesting sense data from non-ZAC ATA devices
+while there's a significant risk of introducing EH misbehaviors which
+are difficult to reproduce and fix. Let's do the sense data dancing
+only for ZAC devices.
+
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Tested-by: Masato Suzuki <masato.suzuki@wdc.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 90c38778bc1f..16f8fda89981 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -1600,7 +1600,7 @@ static int ata_eh_read_log_10h(struct ata_device *dev,
+ tf->hob_lbah = buf[10];
+ tf->nsect = buf[12];
+ tf->hob_nsect = buf[13];
+- if (ata_id_has_ncq_autosense(dev->id))
++ if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id))
+ tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16];
+
+ return 0;
+@@ -1849,7 +1849,8 @@ void ata_eh_analyze_ncq_error(struct ata_link *link)
+ memcpy(&qc->result_tf, &tf, sizeof(tf));
+ qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48;
+ qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ;
+- if ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary) {
++ if (dev->class == ATA_DEV_ZAC &&
++ ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) {
+ char sense_key, asc, ascq;
+
+ sense_key = (qc->result_tf.auxiliary >> 16) & 0xff;
+@@ -1903,10 +1904,11 @@ static unsigned int ata_eh_analyze_tf(struct ata_queued_cmd *qc,
+ }
+
+ switch (qc->dev->class) {
+- case ATA_DEV_ATA:
+ case ATA_DEV_ZAC:
+ if (stat & ATA_SENSE)
+ ata_eh_request_sense(qc, qc->scsicmd);
++ /* fall through */
++ case ATA_DEV_ATA:
+ if (err & ATA_ICRC)
+ qc->err_mask |= AC_ERR_ATA_BUS;
+ if (err & (ATA_UNC | ATA_AMNF))
+--
+2.20.1
+
--- /dev/null
+From 93f47047ba86ea180b6492b231e0582d0b2c3b8f Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 May 2019 23:15:09 +0300
+Subject: locking/lockdep: Fix merging of hlocks with non-zero references
+
+[ Upstream commit d9349850e188b8b59e5322fda17ff389a1c0cd7d ]
+
+The sequence
+
+ static DEFINE_WW_CLASS(test_ww_class);
+
+ struct ww_acquire_ctx ww_ctx;
+ struct ww_mutex ww_lock_a;
+ struct ww_mutex ww_lock_b;
+ struct ww_mutex ww_lock_c;
+ struct mutex lock_c;
+
+ ww_acquire_init(&ww_ctx, &test_ww_class);
+
+ ww_mutex_init(&ww_lock_a, &test_ww_class);
+ ww_mutex_init(&ww_lock_b, &test_ww_class);
+ ww_mutex_init(&ww_lock_c, &test_ww_class);
+
+ mutex_init(&lock_c);
+
+ ww_mutex_lock(&ww_lock_a, &ww_ctx);
+
+ mutex_lock(&lock_c);
+
+ ww_mutex_lock(&ww_lock_b, &ww_ctx);
+ ww_mutex_lock(&ww_lock_c, &ww_ctx);
+
+ mutex_unlock(&lock_c); (*)
+
+ ww_mutex_unlock(&ww_lock_c);
+ ww_mutex_unlock(&ww_lock_b);
+ ww_mutex_unlock(&ww_lock_a);
+
+ ww_acquire_fini(&ww_ctx); (**)
+
+will trigger the following error in __lock_release() when calling
+mutex_release() at **:
+
+ DEBUG_LOCKS_WARN_ON(depth <= 0)
+
+The problem is that the hlock merging happening at * updates the
+references for test_ww_class incorrectly to 3 whereas it should've
+updated it to 4 (representing all the instances for ww_ctx and
+ww_lock_[abc]).
+
+Fix this by updating the references during merging correctly taking into
+account that we can have non-zero references (both for the hlock that we
+merge into another hlock or for the hlock we are merging into).
+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 26fc428476b9..4b27aaffdf35 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3260,17 +3260,17 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
+ if (depth) {
+ hlock = curr->held_locks + depth - 1;
+ if (hlock->class_idx == class_idx && nest_lock) {
+- if (hlock->references) {
+- /*
+- * Check: unsigned int references:12, overflow.
+- */
+- if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1))
+- return 0;
++ if (!references)
++ references++;
+
++ if (!hlock->references)
+ hlock->references++;
+- } else {
+- hlock->references = 2;
+- }
++
++ hlock->references += references;
++
++ /* Overflow */
++ if (DEBUG_LOCKS_WARN_ON(hlock->references < references))
++ return 0;
+
+ return 1;
+ }
+--
+2.20.1
+
--- /dev/null
+From 0690ce2ea087e0eaeecb2bf57fdb6ab0b02bfc19 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:10 -0400
+Subject: media: coda: fix mpeg2 sequence number handling
+
+[ Upstream commit 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba ]
+
+Sequence number handling assumed that the BIT processor frame number
+starts counting at 1, but this is not true for the MPEG-2 decoder,
+which starts at 0. Fix the sequence counter offset detection to handle
+this.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 717ee9a6a80e..1b8024f86b0f 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1581,6 +1581,7 @@ static int __coda_start_decoding(struct coda_ctx *ctx)
+ coda_write(dev, 0, CODA_REG_BIT_BIT_STREAM_PARAM);
+ return -ETIMEDOUT;
+ }
++ ctx->sequence_offset = ~0U;
+ ctx->initialized = 1;
+
+ /* Update kfifo out pointer from coda bitstream read pointer */
+@@ -1971,7 +1972,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+ v4l2_err(&dev->v4l2_dev,
+ "decoded frame index out of range: %d\n", decoded_idx);
+ } else {
+- val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1;
++ val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM);
++ if (ctx->sequence_offset == -1)
++ ctx->sequence_offset = val;
+ val -= ctx->sequence_offset;
+ spin_lock_irqsave(&ctx->buffer_meta_lock, flags);
+ if (!list_empty(&ctx->buffer_meta_list)) {
+--
+2.20.1
+
--- /dev/null
+From 3c185bf583e55988b3461aaea1c474702d184ccf Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:22 -0400
+Subject: media: coda: increment sequence offset for the last returned frame
+
+[ Upstream commit b3b7d96817cdb8b6fc353867705275dce8f41ccc ]
+
+If no more frames are decoded in bitstream end mode, and a previously
+decoded frame has been returned, the firmware still increments the frame
+number. To avoid a sequence number mismatch after decoder restart,
+increment the sequence_offset correction parameter.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 1b8024f86b0f..df4643956c96 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1967,6 +1967,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+ else if (ctx->display_idx < 0)
+ ctx->hold = true;
+ } else if (decoded_idx == -2) {
++ if (ctx->display_idx >= 0 &&
++ ctx->display_idx < ctx->num_internal_frames)
++ ctx->sequence_offset++;
+ /* no frame was decoded, we still return remaining buffers */
+ } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) {
+ v4l2_err(&dev->v4l2_dev,
+--
+2.20.1
+
--- /dev/null
+From 5200ee1d6b05ddd6cb34c2adf70becc26a39e0b4 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 09:07:36 -0400
+Subject: media: dvb: usb: fix use after free in dvb_usb_device_exit
+
+[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]
+
+dvb_usb_device_exit() frees and uses the device name in that order.
+Fix by storing the name in a buffer before freeing it.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 84308569e7dc..b3413404f91a 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init);
+ void dvb_usb_device_exit(struct usb_interface *intf)
+ {
+ struct dvb_usb_device *d = usb_get_intfdata(intf);
+- const char *name = "generic DVB-USB module";
++ const char *default_name = "generic DVB-USB module";
++ char name[40];
+
+ usb_set_intfdata(intf, NULL);
+ if (d != NULL && d->desc != NULL) {
+- name = d->desc->name;
++ strscpy(name, d->desc->name, sizeof(name));
+ dvb_usb_exit(d);
++ } else {
++ strscpy(name, default_name, sizeof(name));
+ }
+ info("%s successfully deinitialized and disconnected.", name);
+
+--
+2.20.1
+
--- /dev/null
+From e209e96630bcaa4dc91733b7306d89eb4379b4f8 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Wed, 12 Jun 2019 12:19:35 -0400
+Subject: media: i2c: fix warning same module names
+
+[ Upstream commit b2ce5617dad254230551feda3599f2cc68e53ad8 ]
+
+When building with CONFIG_VIDEO_ADV7511 and CONFIG_DRM_I2C_ADV7511
+enabled as loadable modules, we see the following warning:
+
+ drivers/gpu/drm/bridge/adv7511/adv7511.ko
+ drivers/media/i2c/adv7511.ko
+
+Rework so that the file is named adv7511-v4l2.c.
+
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/Makefile | 2 +-
+ drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+ rename drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} (99%)
+
+diff --git a/drivers/media/i2c/Makefile b/drivers/media/i2c/Makefile
+index 92773b2e6225..bfe0afc209b8 100644
+--- a/drivers/media/i2c/Makefile
++++ b/drivers/media/i2c/Makefile
+@@ -29,7 +29,7 @@ obj-$(CONFIG_VIDEO_ADV7393) += adv7393.o
+ obj-$(CONFIG_VIDEO_ADV7604) += adv7604.o
+ obj-$(CONFIG_VIDEO_ADV7842) += adv7842.o
+ obj-$(CONFIG_VIDEO_AD9389B) += ad9389b.o
+-obj-$(CONFIG_VIDEO_ADV7511) += adv7511.o
++obj-$(CONFIG_VIDEO_ADV7511) += adv7511-v4l2.o
+ obj-$(CONFIG_VIDEO_VPX3220) += vpx3220.o
+ obj-$(CONFIG_VIDEO_VS6624) += vs6624.o
+ obj-$(CONFIG_VIDEO_BT819) += bt819.o
+diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511-v4l2.c
+similarity index 99%
+rename from drivers/media/i2c/adv7511.c
+rename to drivers/media/i2c/adv7511-v4l2.c
+index 5f1c8ee8a50e..b87c9e7ff146 100644
+--- a/drivers/media/i2c/adv7511.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -17,6 +17,11 @@
+ * SOFTWARE.
+ */
+
++/*
++ * This file is named adv7511-v4l2.c so it doesn't conflict with the Analog
++ * Device ADV7511 (config fragment CONFIG_DRM_I2C_ADV7511).
++ */
++
+
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+--
+2.20.1
+
--- /dev/null
+From 543fc973a7dfda220387813455f9cce4fa1a791d Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sun, 5 May 2019 10:00:23 -0400
+Subject: media: marvell-ccic: fix DMA s/g desc number calculation
+
+[ Upstream commit 0c7aa32966dab0b8a7424e1b34c7f206817953ec ]
+
+The commit d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+left dma_desc_nent unset. It previously contained the number of DMA
+descriptors as returned from dma_map_sg().
+
+We can now (since the commit referred to above) obtain the same value from
+the sg_table and drop dma_desc_nent altogether.
+
+Tested on OLPC XO-1.75 machine. Doesn't affect the OLPC XO-1's Cafe
+driver, since that one doesn't do DMA.
+
+[mchehab+samsung@kernel.org: fix a checkpatch warning]
+
+Fixes: d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here")
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/marvell-ccic/mcam-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
+index af59bf4dca2d..a74bfb9afc8d 100644
+--- a/drivers/media/platform/marvell-ccic/mcam-core.c
++++ b/drivers/media/platform/marvell-ccic/mcam-core.c
+@@ -209,7 +209,6 @@ struct mcam_vb_buffer {
+ struct list_head queue;
+ struct mcam_dma_desc *dma_desc; /* Descriptor virtual address */
+ dma_addr_t dma_desc_pa; /* Descriptor physical address */
+- int dma_desc_nent; /* Number of mapped descriptors */
+ };
+
+ static inline struct mcam_vb_buffer *vb_to_mvb(struct vb2_v4l2_buffer *vb)
+@@ -616,9 +615,11 @@ static void mcam_dma_contig_done(struct mcam_camera *cam, int frame)
+ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ {
+ struct mcam_vb_buffer *buf;
++ struct sg_table *sg_table;
+
+ buf = list_first_entry(&cam->buffers, struct mcam_vb_buffer, queue);
+ list_del_init(&buf->queue);
++ sg_table = vb2_dma_sg_plane_desc(&buf->vb_buf.vb2_buf, 0);
+ /*
+ * Very Bad Not Good Things happen if you don't clear
+ * C1_DESC_ENA before making any descriptor changes.
+@@ -626,7 +627,7 @@ static void mcam_sg_next_buffer(struct mcam_camera *cam)
+ mcam_reg_clear_bit(cam, REG_CTRL1, C1_DESC_ENA);
+ mcam_reg_write(cam, REG_DMA_DESC_Y, buf->dma_desc_pa);
+ mcam_reg_write(cam, REG_DESC_LEN_Y,
+- buf->dma_desc_nent*sizeof(struct mcam_dma_desc));
++ sg_table->nents * sizeof(struct mcam_dma_desc));
+ mcam_reg_write(cam, REG_DESC_LEN_U, 0);
+ mcam_reg_write(cam, REG_DESC_LEN_V, 0);
+ mcam_reg_set_bit(cam, REG_CTRL1, C1_DESC_ENA);
+--
+2.20.1
+
--- /dev/null
+From c65dae5db76add95727edd7431afe767b5019720 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Mon, 27 May 2019 05:31:13 -0400
+Subject: media: mc-device.c: don't memset __user pointer contents
+
+[ Upstream commit 518fa4e0e0da97ea2e17c95ab57647ce748a96e2 ]
+
+You can't memset the contents of a __user pointer. Instead, call copy_to_user to
+copy links.reserved (which is zeroed) to the user memory.
+
+This fixes this sparse warning:
+
+SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16: warning: incorrect type in argument 1 (different address spaces)
+
+Fixes: f49308878d720 ("media: media_device_enum_links32: clean a reserved field")
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/media-device.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index 6062c0cfa632..73a2dba475d0 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -490,8 +490,9 @@ static long media_device_enum_links32(struct media_device *mdev,
+ if (ret)
+ return ret;
+
+- memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
+-
++ if (copy_to_user(ulinks->reserved, links.reserved,
++ sizeof(ulinks->reserved)))
++ return -EFAULT;
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From ce80728bd28416d912fbde5bf92ccbbbc2c1ee54 Mon Sep 17 00:00:00 2001
+From: Jungo Lin <jungo.lin@mediatek.com>
+Date: Tue, 2 Apr 2019 21:44:27 -0400
+Subject: media: media_device_enum_links32: clean a reserved field
+
+[ Upstream commit f49308878d7202e07d8761238e01bd0e5fce2750 ]
+
+In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES
+will check whether reserved field of media_links_enum filled
+with zero.
+
+However, for 32 bit program, the reserved field is missing
+copy from kernel space to user space in media_device_enum_links32
+function.
+
+This patch adds the cleaning a reserved field logic in
+media_device_enum_links32 function.
+
+Signed-off-by: Jungo Lin <jungo.lin@mediatek.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/media-device.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index 6f46c59415fe..6062c0cfa632 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -474,6 +474,7 @@ static long media_device_enum_links32(struct media_device *mdev,
+ {
+ struct media_links_enum links;
+ compat_uptr_t pads_ptr, links_ptr;
++ int ret;
+
+ memset(&links, 0, sizeof(links));
+
+@@ -485,7 +486,13 @@ static long media_device_enum_links32(struct media_device *mdev,
+ links.pads = compat_ptr(pads_ptr);
+ links.links = compat_ptr(links_ptr);
+
+- return media_device_enum_links(mdev, &links);
++ ret = media_device_enum_links(mdev, &links);
++ if (ret)
++ return ret;
++
++ memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
++
++ return 0;
+ }
+
+ #define MEDIA_IOC_ENUM_LINKS32 _IOWR('|', 0x02, struct media_links_enum32)
+--
+2.20.1
+
--- /dev/null
+From 1a836bc3c5aa7ab2101f2677d236c36c6bce88ab Mon Sep 17 00:00:00 2001
+From: Shailendra Verma <shailendra.v@samsung.com>
+Date: Thu, 24 Nov 2016 23:57:34 -0500
+Subject: media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
+ initialization fails.
+
+[ Upstream commit 6995a659101bd4effa41cebb067f9dc18d77520d ]
+
+Fix to avoid possible memory leak if the decoder initialization
+got failed.Free the allocated memory for file handle object
+before return in case decoder initialization fails.
+
+Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+index 89dd6b989254..e0440807b4ed 100644
+--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+@@ -423,6 +423,9 @@ static int vpfe_open(struct file *file)
+ /* If decoder is not initialized. initialize it */
+ if (!video->initialized && vpfe_update_pipe_state(video)) {
+ mutex_unlock(&video->lock);
++ v4l2_fh_del(&handle->vfh);
++ v4l2_fh_exit(&handle->vfh);
++ kfree(handle);
+ return -ENODEV;
+ }
+ /* Increment device users counter */
+--
+2.20.1
+
--- /dev/null
+From ca89d32dead158559c6cff666ada52062d9aed1a Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 22 Mar 2019 22:51:06 -0400
+Subject: media: vpss: fix a potential NULL pointer dereference
+
+[ Upstream commit e08f0761234def47961d3252eac09ccedfe4c6a0 ]
+
+In case ioremap fails, the fix returns -ENOMEM to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/davinci/vpss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index fce86f17dffc..c2c68988e38a 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -523,6 +523,11 @@ static int __init vpss_init(void)
+ return -EBUSY;
+
+ oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
++ if (unlikely(!oper_cfg.vpss_regs_base2)) {
++ release_mem_region(VPSS_CLK_CTRL, 4);
++ return -ENOMEM;
++ }
++
+ writel(VPSS_CLK_CTRL_VENCCLKEN |
+ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
+
+--
+2.20.1
+
--- /dev/null
+From 7c86c20c2404a6a3be6e03e8373d8318b3f89d86 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 30 May 2019 03:25:49 -0400
+Subject: media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
+
+[ Upstream commit 69fbb3f47327d959830c94bf31893972b8c8f700 ]
+
+X-Originating-IP: [10.175.113.25]
+X-CFilter-Loop: Reflected
+The fm_v4l2_init_video_device() forget to unregister v4l2/video device
+in the error path, it could lead to UAF issue, eg,
+
+ BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
+
+ CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ fm_v4l2_fops_open+0xac/0x120 [fm_drv]
+ v4l2_open+0x191/0x390 [videodev]
+ chrdev_open+0x20d/0x570 fs/char_dev.c:417
+ do_dentry_open+0x700/0xf30 fs/open.c:777
+ do_last fs/namei.c:3416 [inline]
+ path_openat+0x7c4/0x2a90 fs/namei.c:3532
+ do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
+ do_sys_open+0x302/0x490 fs/open.c:1069
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f8180c17c8e
+ ...
+ Allocated by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ fm_drv_init+0x13/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3958
+ fm_drv_init+0x1e6/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Add relevant unregister functions to fix it.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+index fb42f0fd0c1f..add26eac1677 100644
+--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c
++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+@@ -553,6 +553,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+
+ /* Register with V4L2 subsystem as RADIO device */
+ if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) {
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ fmerr("Could not register video device\n");
+ return -ENOMEM;
+ }
+@@ -566,6 +567,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+ if (ret < 0) {
+ fmerr("(fmdev): Can't init ctrl handler\n");
+ v4l2_ctrl_handler_free(&fmdev->ctrl_handler);
++ video_unregister_device(fmdev->radio_dev);
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ return -EBUSY;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 2a671f1e24b767468319c516d5fe83a690f5f647 Mon Sep 17 00:00:00 2001
+From: Stefan Hellermann <stefan@the2masters.de>
+Date: Mon, 17 Jun 2019 15:43:59 +0200
+Subject: MIPS: ath79: fix ar933x uart parity mode
+
+[ Upstream commit db13a5ba2732755cf13320f3987b77cf2a71e790 ]
+
+While trying to get the uart with parity working I found setting even
+parity enabled odd parity insted. Fix the register settings to match
+the datasheet of AR9331.
+
+A similar patch was created by 8devices, but not sent upstream.
+https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7c
+
+Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mach-ath79/ar933x_uart.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-ath79/ar933x_uart.h b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+index c2917b39966b..bba2c8837951 100644
+--- a/arch/mips/include/asm/mach-ath79/ar933x_uart.h
++++ b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+@@ -27,8 +27,8 @@
+ #define AR933X_UART_CS_PARITY_S 0
+ #define AR933X_UART_CS_PARITY_M 0x3
+ #define AR933X_UART_CS_PARITY_NONE 0
+-#define AR933X_UART_CS_PARITY_ODD 1
+-#define AR933X_UART_CS_PARITY_EVEN 2
++#define AR933X_UART_CS_PARITY_ODD 2
++#define AR933X_UART_CS_PARITY_EVEN 3
+ #define AR933X_UART_CS_IF_MODE_S 2
+ #define AR933X_UART_CS_IF_MODE_M 0x3
+ #define AR933X_UART_CS_IF_MODE_NONE 0
+--
+2.20.1
+
--- /dev/null
+From ca0703c714b3bcef5a0cfb66f57e083f1c1d2c56 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Date: Wed, 19 Jun 2019 15:08:18 +0100
+Subject: MIPS: fix build on non-linux hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae ]
+
+calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment
+purposes. It included "../../../../include/linux/sizes.h" to define
+that size, however "sizes.h" tries to include <linux/const.h> which
+assumes linux system headers. These may not exist eg. the following
+error was encountered when building Linux for OpenWrt under macOS:
+
+In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16:
+arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found
+ ^~~~~~~~~~
+
+Change makefile to force building on local linux headers instead of
+system headers. Also change eye-watering relative reference in include
+file spec.
+
+Thanks to Jo-Philip Wich & Petr Štetiar for assistance in tracking this
+down & fixing.
+
+Suggested-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/compressed/Makefile | 2 ++
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile
+index 90aca95fe314..ad31c76c7a29 100644
+--- a/arch/mips/boot/compressed/Makefile
++++ b/arch/mips/boot/compressed/Makefile
+@@ -75,6 +75,8 @@ OBJCOPYFLAGS_piggy.o := --add-section=.image=$(obj)/vmlinux.bin.z \
+ $(obj)/piggy.o: $(obj)/dummy.o $(obj)/vmlinux.bin.z FORCE
+ $(call if_changed,objcopy)
+
++HOSTCFLAGS_calc_vmlinuz_load_addr.o += $(LINUXINCLUDE)
++
+ # Calculate the load address of the compressed kernel image
+ hostprogs-y := calc_vmlinuz_load_addr
+
+diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+index 542c3ede9722..d14f75ec8273 100644
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,7 +13,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+-#include "../../../../include/linux/sizes.h"
++#include <linux/sizes.h>
+
+ int main(int argc, char *argv[])
+ {
+--
+2.20.1
+
--- /dev/null
+From 3b891e11a93f2b3b1cf12966c86e0b0fba5088c7 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:09 +0200
+Subject: mt7601u: do not schedule rx_tasklet when the device has been
+ disconnected
+
+[ Upstream commit 4079e8ccabc3b6d1b503f2376123cb515d14921f ]
+
+Do not schedule rx_tasklet when the usb dongle is disconnected.
+Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb
+can run concurrently with urb completion and we can unlink urbs from rx
+ring in any order.
+This patch fixes the common kernel warning reported when
+the device is removed.
+
+[ 24.921354] usb 3-14: USB disconnect, device number 7
+[ 24.921593] ------------[ cut here ]------------
+[ 24.921594] RX urb mismatch
+[ 24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[ 24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G OE 4.19.31-041931-generic #201903231635
+[ 24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
+[ 24.921782] Workqueue: usb_hub_wq hub_event
+[ 24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
+[ 24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
+[ 24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
+[ 24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
+[ 24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
+[ 24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
+[ 24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
+[ 24.921807] FS: 0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
+[ 24.921808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
+[ 24.921809] Call Trace:
+[ 24.921812] <IRQ>
+[ 24.921819] __usb_hcd_giveback_urb+0x8b/0x140
+[ 24.921821] usb_hcd_giveback_urb+0xca/0xe0
+[ 24.921828] xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
+[ 24.921834] handle_cmd_completion+0xe02/0x10d0
+[ 24.921837] xhci_irq+0x274/0x4a0
+[ 24.921838] xhci_msi_irq+0x11/0x20
+[ 24.921851] __handle_irq_event_percpu+0x44/0x190
+[ 24.921856] handle_irq_event_percpu+0x32/0x80
+[ 24.921861] handle_irq_event+0x3b/0x5a
+[ 24.921867] handle_edge_irq+0x80/0x190
+[ 24.921874] handle_irq+0x20/0x30
+[ 24.921889] do_IRQ+0x4e/0xe0
+[ 24.921891] common_interrupt+0xf/0xf
+[ 24.921892] </IRQ>
+[ 24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
+[ 24.921354] usb 3-14: USB disconnect, device number 7
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 33 +++++++++++----------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index a8bc064bc14f..838ad9a4be51 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -193,10 +193,23 @@ static void mt7601u_complete_rx(struct urb *urb)
+ struct mt7601u_rx_queue *q = &dev->rx_q;
+ unsigned long flags;
+
+- spin_lock_irqsave(&dev->rx_lock, flags);
++ /* do no schedule rx tasklet if urb has been unlinked
++ * or the device has been removed
++ */
++ switch (urb->status) {
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ case -ENOENT:
++ return;
++ default:
++ dev_err_ratelimited(dev->dev, "rx urb failed: %d\n",
++ urb->status);
++ /* fall through */
++ case 0:
++ break;
++ }
+
+- if (mt7601u_urb_has_error(urb))
+- dev_err(dev->dev, "Error: RX urb failed:%d\n", urb->status);
++ spin_lock_irqsave(&dev->rx_lock, flags);
+ if (WARN_ONCE(q->e[q->end].urb != urb, "RX urb mismatch"))
+ goto out;
+
+@@ -363,19 +376,9 @@ int mt7601u_dma_enqueue_tx(struct mt7601u_dev *dev, struct sk_buff *skb,
+ static void mt7601u_kill_rx(struct mt7601u_dev *dev)
+ {
+ int i;
+- unsigned long flags;
+
+- spin_lock_irqsave(&dev->rx_lock, flags);
+-
+- for (i = 0; i < dev->rx_q.entries; i++) {
+- int next = dev->rx_q.end;
+-
+- spin_unlock_irqrestore(&dev->rx_lock, flags);
+- usb_poison_urb(dev->rx_q.e[next].urb);
+- spin_lock_irqsave(&dev->rx_lock, flags);
+- }
+-
+- spin_unlock_irqrestore(&dev->rx_lock, flags);
++ for (i = 0; i < dev->rx_q.entries; i++)
++ usb_poison_urb(dev->rx_q.e[i].urb);
+ }
+
+ static int mt7601u_submit_rx_buf(struct mt7601u_dev *dev,
+--
+2.20.1
+
--- /dev/null
+From 68683528b535ffd704ef122e7efb5e648d3f367c Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Fri, 7 Jun 2019 13:48:10 +0200
+Subject: mt7601u: fix possible memory leak when the device is disconnected
+
+[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ]
+
+When the device is disconnected while passing traffic it is possible
+to receive out of order urbs causing a memory leak since the skb linked
+to the current tx urb is not removed. Fix the issue deallocating the skb
+cleaning up the tx ring. Moreover this patch fixes the following kernel
+warning
+
+[ 57.480771] usb 1-1: USB disconnect, device number 2
+[ 57.483451] ------------[ cut here ]------------
+[ 57.483462] TX urb mismatch
+[ 57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
+[ 57.483483] Modules linked in:
+[ 57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
+[ 57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[ 57.483502] Workqueue: usb_hub_wq hub_event
+[ 57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
+[ 57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
+[ 57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
+[ 57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
+[ 57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
+[ 57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
+[ 57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
+[ 57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
+[ 57.483548] FS: 0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
+[ 57.483550] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
+[ 57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 57.483559] Call Trace:
+[ 57.483561] <IRQ>
+[ 57.483565] __usb_hcd_giveback_urb+0x77/0xe0
+[ 57.483570] xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
+[ 57.483574] handle_cmd_completion+0xf5b/0x12c0
+[ 57.483577] xhci_irq+0x1f6/0x1810
+[ 57.483581] ? lockdep_hardirqs_on+0x9e/0x180
+[ 57.483584] ? _raw_spin_unlock_irq+0x24/0x30
+[ 57.483588] __handle_irq_event_percpu+0x3a/0x260
+[ 57.483592] handle_irq_event_percpu+0x1c/0x60
+[ 57.483595] handle_irq_event+0x2f/0x4c
+[ 57.483599] handle_edge_irq+0x7e/0x1a0
+[ 57.483603] handle_irq+0x17/0x20
+[ 57.483607] do_IRQ+0x54/0x110
+[ 57.483610] common_interrupt+0xf/0xf
+[ 57.483612] </IRQ>
+
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++-----
+ drivers/net/wireless/mediatek/mt7601u/tx.c | 4 ++--
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
+index 838ad9a4be51..56cad16e70ca 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -241,14 +241,25 @@ static void mt7601u_complete_tx(struct urb *urb)
+ struct sk_buff *skb;
+ unsigned long flags;
+
+- spin_lock_irqsave(&dev->tx_lock, flags);
++ switch (urb->status) {
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ case -ENOENT:
++ return;
++ default:
++ dev_err_ratelimited(dev->dev, "tx urb failed: %d\n",
++ urb->status);
++ /* fall through */
++ case 0:
++ break;
++ }
+
+- if (mt7601u_urb_has_error(urb))
+- dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status);
++ spin_lock_irqsave(&dev->tx_lock, flags);
+ if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch"))
+ goto out;
+
+ skb = q->e[q->start].skb;
++ q->e[q->start].skb = NULL;
+ trace_mt_tx_dma_done(dev, skb);
+
+ __skb_queue_tail(&dev->tx_skb_done, skb);
+@@ -448,10 +459,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q)
+ {
+ int i;
+
+- WARN_ON(q->used);
+-
+ for (i = 0; i < q->entries; i++) {
+ usb_poison_urb(q->e[i].urb);
++ if (q->e[i].skb)
++ mt7601u_tx_status(q->dev, q->e[i].skb);
+ usb_free_urb(q->e[i].urb);
+ }
+ }
+diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c
+index ad77bec1ba0f..2cb1883c0d33 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/tx.c
++++ b/drivers/net/wireless/mediatek/mt7601u/tx.c
+@@ -117,9 +117,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb)
+ info->status.rates[0].idx = -1;
+ info->flags |= IEEE80211_TX_STAT_ACK;
+
+- spin_lock(&dev->mac_lock);
++ spin_lock_bh(&dev->mac_lock);
+ ieee80211_tx_status(dev->hw, skb);
+- spin_unlock(&dev->mac_lock);
++ spin_unlock_bh(&dev->mac_lock);
+ }
+
+ static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb)
+--
+2.20.1
+
--- /dev/null
+From e32c5e1e833e8d6636f1de62545013b555bfafe7 Mon Sep 17 00:00:00 2001
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Thu, 6 Jun 2019 16:28:17 -0600
+Subject: net: axienet: Fix race condition causing TX hang
+
+[ Upstream commit 7de44285c1f69ccfbe8be1d6a16fcd956681fee6 ]
+
+It is possible that the interrupt handler fires and frees up space in
+the TX ring in between checking for sufficient TX ring space and
+stopping the TX queue in axienet_start_xmit. If this happens, the
+queue wake from the interrupt handler will occur before the queue is
+stopped, causing a lost wakeup and the adapter's transmit hanging.
+
+To avoid this, after stopping the queue, check again whether there is
+sufficient space in the TX ring. If so, wake up the queue again.
+
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 20 ++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index a8afc92cbfca..5f21ddff9e0f 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -612,6 +612,10 @@ static void axienet_start_xmit_done(struct net_device *ndev)
+
+ ndev->stats.tx_packets += packets;
+ ndev->stats.tx_bytes += size;
++
++ /* Matches barrier in axienet_start_xmit */
++ smp_mb();
++
+ netif_wake_queue(ndev);
+ }
+
+@@ -666,9 +670,19 @@ static int axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ cur_p = &lp->tx_bd_v[lp->tx_bd_tail];
+
+ if (axienet_check_tx_bd_space(lp, num_frag)) {
+- if (!netif_queue_stopped(ndev))
+- netif_stop_queue(ndev);
+- return NETDEV_TX_BUSY;
++ if (netif_queue_stopped(ndev))
++ return NETDEV_TX_BUSY;
++
++ netif_stop_queue(ndev);
++
++ /* Matches barrier in axienet_start_xmit_done */
++ smp_mb();
++
++ /* Space might have just been freed - check again */
++ if (axienet_check_tx_bd_space(lp, num_frag))
++ return NETDEV_TX_BUSY;
++
++ netif_wake_queue(ndev);
+ }
+
+ if (skb->ip_summed == CHECKSUM_PARTIAL) {
+--
+2.20.1
+
--- /dev/null
+From ea832507b790593fe24141548245dbaec49c4f2e Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 6 Jun 2019 09:40:33 -0300
+Subject: net: fec: Do not use netdev messages too early
+
+[ Upstream commit a19a0582363b9a5f8ba812f34f1b8df394898780 ]
+
+When a valid MAC address is not found the current messages
+are shown:
+
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
+
+Since the network device has not been registered at this point, it is better
+to use dev_err()/dev_info() instead, which will provide cleaner log
+messages like these:
+
+fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
+
+Tested on a imx6dl-pico-pi board.
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 1eb34109b207..92ea760c4822 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1685,10 +1685,10 @@ static void fec_get_mac(struct net_device *ndev)
+ */
+ if (!is_valid_ether_addr(iap)) {
+ /* Report it and use a random ethernet address instead */
+- netdev_err(ndev, "Invalid MAC address: %pM\n", iap);
++ dev_err(&fep->pdev->dev, "Invalid MAC address: %pM\n", iap);
+ eth_hw_addr_random(ndev);
+- netdev_info(ndev, "Using random MAC address: %pM\n",
+- ndev->dev_addr);
++ dev_info(&fep->pdev->dev, "Using random MAC address: %pM\n",
++ ndev->dev_addr);
+ return;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6523c93351cd8c6e00bf4b4f2ae96b83d6d41f04 Mon Sep 17 00:00:00 2001
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+Date: Tue, 28 May 2019 20:38:09 +0300
+Subject: net: phy: Check against net_device being NULL
+
+[ Upstream commit 82c76aca81187b3d28a6fb3062f6916450ce955e ]
+
+In general, we don't want MAC drivers calling phy_attach_direct with the
+net_device being NULL. Add checks against this in all the functions
+calling it: phy_attach() and phy_connect_direct().
+
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 5048a6df6a8e..5c2c72b1ef8b 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -673,6 +673,9 @@ int phy_connect_direct(struct net_device *dev, struct phy_device *phydev,
+ {
+ int rc;
+
++ if (!dev)
++ return -EINVAL;
++
+ rc = phy_attach_direct(dev, phydev, phydev->dev_flags, interface);
+ if (rc)
+ return rc;
+@@ -965,6 +968,9 @@ struct phy_device *phy_attach(struct net_device *dev, const char *bus_id,
+ struct device *d;
+ int rc;
+
++ if (!dev)
++ return ERR_PTR(-EINVAL);
++
+ /* Search the list of PHY devices on the mdio bus for the
+ * PHY with the requested name
+ */
+--
+2.20.1
+
--- /dev/null
+From de2cd0f8552261cce910d10cc41177bed19d25e3 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:21 +0200
+Subject: net: stmmac: dwmac1000: Clear unused address entries
+
+[ Upstream commit 9463c445590091202659cdfdd44b236acadfbd84 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+index 7d19029e2564..093e58e94075 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -213,6 +213,12 @@ static void dwmac1000_set_filter(struct mac_device_info *hw,
+ GMAC_ADDR_LOW(reg));
+ reg++;
+ }
++
++ while (reg <= perfect_addr_number) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ #ifdef FRAME_FILTER_DEBUG
+--
+2.20.1
+
--- /dev/null
+From cba98fbcb6f0ae764b5e99ac842c595acb3edf8f Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Fri, 24 May 2019 10:20:25 +0200
+Subject: net: stmmac: dwmac4/5: Clear unused address entries
+
+[ Upstream commit 0620ec6c62a5a07625b65f699adc5d1b90394ee6 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 51019b794be5..f46f2bfc2cc0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -173,14 +173,20 @@ static void dwmac4_set_filter(struct mac_device_info *hw,
+ * are required
+ */
+ value |= GMAC_PACKET_FILTER_PR;
+- } else if (!netdev_uc_empty(dev)) {
+- int reg = 1;
++ } else {
+ struct netdev_hw_addr *ha;
++ int reg = 1;
+
+ netdev_for_each_uc_addr(ha, dev) {
+ dwmac4_set_umac_addr(hw, ha->addr, reg);
+ reg++;
+ }
++
++ while (reg <= GMAC_MAX_PERFECT_ADDRESSES) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ writel(value, ioaddr + GMAC_PACKET_FILTER);
+--
+2.20.1
+
--- /dev/null
+From 3c7e7c6abc33f8f374fff8462c81b77f776d7e5c Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Tue, 2 Jul 2019 07:10:08 +0700
+Subject: net: usb: asix: init MAC address buffers
+
+[ Upstream commit 78226f6eaac80bf30256a33a4926c194ceefdf36 ]
+
+This is for fixing bug KMSAN: uninit-value in ax88772_bind
+
+Tested by
+https://groups.google.com/d/msg/syzkaller-bugs/aFQurGotng4/eB_HlNhhCwAJ
+
+Reported-by: syzbot+8a3fc6674bbc3978ed4e@syzkaller.appspotmail.com
+
+syzbot found the following crash on:
+
+HEAD commit: f75e4cfe kmsan: use kmsan_handle_urb() in urb.c
+git tree: kmsan
+console output: https://syzkaller.appspot.com/x/log.txt?x=136d720ea00000
+kernel config:
+https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a
+dashboard link:
+https://syzkaller.appspot.com/bug?extid=8a3fc6674bbc3978ed4e
+compiler: clang version 9.0.0 (/home/glider/llvm/clang
+06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
+syz repro:
+https://syzkaller.appspot.com/x/repro.syz?x=12788316a00000
+C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120359aaa00000
+
+==================================================================
+BUG: KMSAN: uninit-value in is_valid_ether_addr
+include/linux/etherdevice.h:200 [inline]
+BUG: KMSAN: uninit-value in asix_set_netdev_dev_addr
+drivers/net/usb/asix_devices.c:73 [inline]
+BUG: KMSAN: uninit-value in ax88772_bind+0x93d/0x11e0
+drivers/net/usb/asix_devices.c:724
+CPU: 0 PID: 3348 Comm: kworker/0:2 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ is_valid_ether_addr include/linux/etherdevice.h:200 [inline]
+ asix_set_netdev_dev_addr drivers/net/usb/asix_devices.c:73 [inline]
+ ax88772_bind+0x93d/0x11e0 drivers/net/usb/asix_devices.c:724
+ usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728
+ usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361
+ really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+ driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+ __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+ bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+ __device_attach+0x454/0x730 drivers/base/dd.c:844
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+ bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+ device_add+0x288d/0x30e0 drivers/base/core.c:2106
+ usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027
+ generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210
+ usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266
+ really_probe+0xdae/0x1d80 drivers/base/dd.c:513
+ driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671
+ __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778
+ bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454
+ __device_attach+0x454/0x730 drivers/base/dd.c:844
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:891
+ bus_probe_device+0x137/0x390 drivers/base/bus.c:514
+ device_add+0x288d/0x30e0 drivers/base/core.c:2106
+ usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534
+ hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+ port_event drivers/usb/core/hub.c:5350 [inline]
+ hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432
+ process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269
+ process_scheduled_works kernel/workqueue.c:2331 [inline]
+ worker_thread+0x189c/0x2460 kernel/workqueue.c:2417
+ kthread+0x4b5/0x4f0 kernel/kthread.c:254
+ ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_devices.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
+index 393fd3ed6b94..4b12b6da3fab 100644
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -237,7 +237,7 @@ static void asix_phy_reset(struct usbnet *dev, unsigned int reset_bits)
+ static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret = 0;
+- u8 buf[ETH_ALEN];
++ u8 buf[ETH_ALEN] = {0};
+ int i;
+ unsigned long gpio_bits = dev->driver_info->data;
+
+@@ -687,7 +687,7 @@ static int asix_resume(struct usb_interface *intf)
+ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret, i;
+- u8 buf[ETH_ALEN], chipcode = 0;
++ u8 buf[ETH_ALEN] = {0}, chipcode = 0;
+ u32 phyid;
+ struct asix_common_private *priv;
+
+@@ -1064,7 +1064,7 @@ static const struct net_device_ops ax88178_netdev_ops = {
+ static int ax88178_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+ int ret;
+- u8 buf[ETH_ALEN];
++ u8 buf[ETH_ALEN] = {0};
+
+ usbnet_get_endpoints(dev,intf);
+
+--
+2.20.1
+
--- /dev/null
+From 915f0b7a80b70622f29183dc087ad53137cf388e Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Tue, 18 Jun 2019 17:47:13 +0200
+Subject: ntp: Limit TAI-UTC offset
+
+[ Upstream commit d897a4ab11dc8a9fda50d2eccc081a96a6385998 ]
+
+Don't allow the TAI-UTC offset of the system clock to be set by adjtimex()
+to a value larger than 100000 seconds.
+
+This prevents an overflow in the conversion to int, prevents the CLOCK_TAI
+clock from getting too far ahead of the CLOCK_REALTIME clock, and it is
+still large enough to allow leap seconds to be inserted at the maximum rate
+currently supported by the kernel (once per day) for the next ~270 years,
+however unlikely it is that someone can survive a catastrophic event which
+slowed down the rotation of the Earth so much.
+
+Reported-by: Weikang shi <swkhack@gmail.com>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Link: https://lkml.kernel.org/r/20190618154713.20929-1-mlichvar@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/ntp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 0a16419006f3..4bdb59604526 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -42,6 +42,7 @@ static u64 tick_length_base;
+ #define MAX_TICKADJ 500LL /* usecs */
+ #define MAX_TICKADJ_SCALED \
+ (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
++#define MAX_TAI_OFFSET 100000
+
+ /*
+ * phase-lock loop variables
+@@ -639,7 +640,8 @@ static inline void process_adjtimex_modes(struct timex *txc,
+ time_constant = max(time_constant, 0l);
+ }
+
+- if (txc->modes & ADJ_TAI && txc->constant >= 0)
++ if (txc->modes & ADJ_TAI &&
++ txc->constant >= 0 && txc->constant <= MAX_TAI_OFFSET)
+ *time_tai = txc->constant;
+
+ if (txc->modes & ADJ_OFFSET)
+--
+2.20.1
+
--- /dev/null
+From 22d045cac6bfd3654556fc979d271c862847a3b3 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Wed, 5 Jun 2019 10:16:33 -0600
+Subject: perf cs-etm: Properly set the value of 'old' and 'head' in snapshot
+ mode
+
+[ Upstream commit e45c48a9a4d20ebc7b639a62c3ef8f4b08007027 ]
+
+This patch adds the necessary intelligence to properly compute the value
+of 'old' and 'head' when operating in snapshot mode. That way we can
+get the latest information in the AUX buffer and be compatible with the
+generic AUX ring buffer mechanic.
+
+Tester notes:
+
+> Leo, have you had the chance to test/review this one? Suzuki?
+
+Sure. I applied this patch on the perf/core branch (with latest
+commit 3e4fbf36c1e3 'perf augmented_raw_syscalls: Move reading
+filename to the loop') and passed testing with below steps:
+
+ # perf record -e cs_etm/@tmc_etr0/ -S -m,64 --per-thread ./sort &
+ [1] 19097
+ Bubble sorting array of 30000 elements
+
+ # kill -USR2 19097
+ # kill -USR2 19097
+ # kill -USR2 19097
+ [ perf record: Woken up 4 times to write data ]
+ [ perf record: Captured and wrote 0.753 MB perf.data ]
+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Tested-by: Leo Yan <leo.yan@linaro.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/20190605161633.12245-1-mathieu.poirier@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/arm/util/cs-etm.c | 127 +++++++++++++++++++++++++++++-
+ 1 file changed, 123 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/arch/arm/util/cs-etm.c b/tools/perf/arch/arm/util/cs-etm.c
+index 47d584da5819..f6cff278aa5d 100644
+--- a/tools/perf/arch/arm/util/cs-etm.c
++++ b/tools/perf/arch/arm/util/cs-etm.c
+@@ -41,6 +41,8 @@ struct cs_etm_recording {
+ struct auxtrace_record itr;
+ struct perf_pmu *cs_etm_pmu;
+ struct perf_evlist *evlist;
++ int wrapped_cnt;
++ bool *wrapped;
+ bool snapshot_mode;
+ size_t snapshot_size;
+ };
+@@ -458,16 +460,131 @@ static int cs_etm_info_fill(struct auxtrace_record *itr,
+ return 0;
+ }
+
+-static int cs_etm_find_snapshot(struct auxtrace_record *itr __maybe_unused,
++static int cs_etm_alloc_wrapped_array(struct cs_etm_recording *ptr, int idx)
++{
++ bool *wrapped;
++ int cnt = ptr->wrapped_cnt;
++
++ /* Make @ptr->wrapped as big as @idx */
++ while (cnt <= idx)
++ cnt++;
++
++ /*
++ * Free'ed in cs_etm_recording_free(). Using realloc() to avoid
++ * cross compilation problems where the host's system supports
++ * reallocarray() but not the target.
++ */
++ wrapped = realloc(ptr->wrapped, cnt * sizeof(bool));
++ if (!wrapped)
++ return -ENOMEM;
++
++ wrapped[cnt - 1] = false;
++ ptr->wrapped_cnt = cnt;
++ ptr->wrapped = wrapped;
++
++ return 0;
++}
++
++static bool cs_etm_buffer_has_wrapped(unsigned char *buffer,
++ size_t buffer_size, u64 head)
++{
++ u64 i, watermark;
++ u64 *buf = (u64 *)buffer;
++ size_t buf_size = buffer_size;
++
++ /*
++ * We want to look the very last 512 byte (chosen arbitrarily) in
++ * the ring buffer.
++ */
++ watermark = buf_size - 512;
++
++ /*
++ * @head is continuously increasing - if its value is equal or greater
++ * than the size of the ring buffer, it has wrapped around.
++ */
++ if (head >= buffer_size)
++ return true;
++
++ /*
++ * The value of @head is somewhere within the size of the ring buffer.
++ * This can be that there hasn't been enough data to fill the ring
++ * buffer yet or the trace time was so long that @head has numerically
++ * wrapped around. To find we need to check if we have data at the very
++ * end of the ring buffer. We can reliably do this because mmap'ed
++ * pages are zeroed out and there is a fresh mapping with every new
++ * session.
++ */
++
++ /* @head is less than 512 byte from the end of the ring buffer */
++ if (head > watermark)
++ watermark = head;
++
++ /*
++ * Speed things up by using 64 bit transactions (see "u64 *buf" above)
++ */
++ watermark >>= 3;
++ buf_size >>= 3;
++
++ /*
++ * If we find trace data at the end of the ring buffer, @head has
++ * been there and has numerically wrapped around at least once.
++ */
++ for (i = watermark; i < buf_size; i++)
++ if (buf[i])
++ return true;
++
++ return false;
++}
++
++static int cs_etm_find_snapshot(struct auxtrace_record *itr,
+ int idx, struct auxtrace_mmap *mm,
+- unsigned char *data __maybe_unused,
++ unsigned char *data,
+ u64 *head, u64 *old)
+ {
++ int err;
++ bool wrapped;
++ struct cs_etm_recording *ptr =
++ container_of(itr, struct cs_etm_recording, itr);
++
++ /*
++ * Allocate memory to keep track of wrapping if this is the first
++ * time we deal with this *mm.
++ */
++ if (idx >= ptr->wrapped_cnt) {
++ err = cs_etm_alloc_wrapped_array(ptr, idx);
++ if (err)
++ return err;
++ }
++
++ /*
++ * Check to see if *head has wrapped around. If it hasn't only the
++ * amount of data between *head and *old is snapshot'ed to avoid
++ * bloating the perf.data file with zeros. But as soon as *head has
++ * wrapped around the entire size of the AUX ring buffer it taken.
++ */
++ wrapped = ptr->wrapped[idx];
++ if (!wrapped && cs_etm_buffer_has_wrapped(data, mm->len, *head)) {
++ wrapped = true;
++ ptr->wrapped[idx] = true;
++ }
++
+ pr_debug3("%s: mmap index %d old head %zu new head %zu size %zu\n",
+ __func__, idx, (size_t)*old, (size_t)*head, mm->len);
+
+- *old = *head;
+- *head += mm->len;
++ /* No wrap has occurred, we can just use *head and *old. */
++ if (!wrapped)
++ return 0;
++
++ /*
++ * *head has wrapped around - adjust *head and *old to pickup the
++ * entire content of the AUX buffer.
++ */
++ if (*head >= mm->len) {
++ *old = *head - mm->len;
++ } else {
++ *head += mm->len;
++ *old = *head - mm->len;
++ }
+
+ return 0;
+ }
+@@ -508,6 +625,8 @@ static void cs_etm_recording_free(struct auxtrace_record *itr)
+ {
+ struct cs_etm_recording *ptr =
+ container_of(itr, struct cs_etm_recording, itr);
++
++ zfree(&ptr->wrapped);
+ free(ptr);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From cea895233682111c3a4ef8e8e55ab567d7a32f13 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 17 Jun 2019 14:32:53 -0300
+Subject: perf evsel: Make perf_evsel__name() accept a NULL argument
+
+[ Upstream commit fdbdd7e8580eac9bdafa532746c865644d125e34 ]
+
+In which case it simply returns "unknown", like when it can't figure out
+the evsel->name value.
+
+This makes this code more robust and fixes a problem in 'perf trace'
+where a NULL evsel was being passed to a routine that only used the
+evsel for printing its name when a invalid syscall id was passed.
+
+Reported-by: Leo Yan <leo.yan@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-f30ztaasku3z935cn3ak3h53@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/evsel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index a62f79558146..758d0108c5a5 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -558,6 +558,9 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+ {
+ char bf[128];
+
++ if (!evsel)
++ goto out_unknown;
++
+ if (evsel->name)
+ return evsel->name;
+
+@@ -594,7 +597,10 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+
+ evsel->name = strdup(bf);
+
+- return evsel->name ?: "unknown";
++ if (evsel->name)
++ return evsel->name;
++out_unknown:
++ return "unknown";
+ }
+
+ const char *perf_evsel__group_name(struct perf_evsel *evsel)
+--
+2.20.1
+
--- /dev/null
+From 5108c199524e93ed31b82f2fa0aa27f59079a277 Mon Sep 17 00:00:00 2001
+From: Thomas Richter <tmricht@linux.ibm.com>
+Date: Tue, 4 Jun 2019 07:35:04 +0200
+Subject: perf test 6: Fix missing kvm module load for s390
+
+[ Upstream commit 53fe307dfd309e425b171f6272d64296a54f4dff ]
+
+Command
+
+ # perf test -Fv 6
+
+fails with error
+
+ running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse
+ event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint'
+ event syntax error: 'kvm-s390:kvm_s390_create_vm'
+ \___ unknown tracepoint
+
+when the kvm module is not loaded or not built in.
+
+Fix this by adding a valid function which tests if the module
+is loaded. Loaded modules (or builtin KVM support) have a
+directory named
+ /sys/kernel/debug/tracing/events/kvm-s390
+for this tracepoint.
+
+Check for existence of this directory.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/parse-events.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c
+index aa9276bfe3e9..9134a0c3e99d 100644
+--- a/tools/perf/tests/parse-events.c
++++ b/tools/perf/tests/parse-events.c
+@@ -12,6 +12,32 @@
+ #define PERF_TP_SAMPLE_TYPE (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | \
+ PERF_SAMPLE_CPU | PERF_SAMPLE_PERIOD)
+
++#if defined(__s390x__)
++/* Return true if kvm module is available and loaded. Test this
++ * and retun success when trace point kvm_s390_create_vm
++ * exists. Otherwise this test always fails.
++ */
++static bool kvm_s390_create_vm_valid(void)
++{
++ char *eventfile;
++ bool rc = false;
++
++ eventfile = get_events_file("kvm-s390");
++
++ if (eventfile) {
++ DIR *mydir = opendir(eventfile);
++
++ if (mydir) {
++ rc = true;
++ closedir(mydir);
++ }
++ put_events_file(eventfile);
++ }
++
++ return rc;
++}
++#endif
++
+ static int test__checkevent_tracepoint(struct perf_evlist *evlist)
+ {
+ struct perf_evsel *evsel = perf_evlist__first(evlist);
+@@ -1593,6 +1619,7 @@ static struct evlist_test test__events[] = {
+ {
+ .name = "kvm-s390:kvm_s390_create_vm",
+ .check = test__checkevent_tracepoint,
++ .valid = kvm_s390_create_vm_valid,
+ .id = 100,
+ },
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 9fb7d08d8a1ecff76c56419828ddfbd53fe6694e Mon Sep 17 00:00:00 2001
+From: Kyle Meyer <kyle.meyer@hpe.com>
+Date: Thu, 20 Jun 2019 14:36:30 -0500
+Subject: perf tools: Increase MAX_NR_CPUS and MAX_CACHES
+
+[ Upstream commit 9f94c7f947e919c343b30f080285af53d0fa9902 ]
+
+Attempting to profile 1024 or more CPUs with perf causes two errors:
+
+ perf record -a
+ [ perf record: Woken up X times to write data ]
+ way too many cpu caches..
+ [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+ perf report -C 1024
+ Error: failed to set cpu bitmap
+ Requested CPU 1024 too large. Consider raising MAX_NR_CPUS
+
+ Increasing MAX_NR_CPUS from 1024 to 2048 and redefining MAX_CACHES as
+ MAX_NR_CPUS * 4 returns normal functionality to perf:
+
+ perf record -a
+ [ perf record: Woken up X times to write data ]
+ [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+ perf report -C 1024
+ ...
+
+Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20190620193630.154025-1-meyerk@stormcage.eag.rdlabs.hpecorp.net
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/perf.h | 2 +-
+ tools/perf/util/header.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/perf.h b/tools/perf/perf.h
+index 8f8d895d5b74..3b9d56125ee2 100644
+--- a/tools/perf/perf.h
++++ b/tools/perf/perf.h
+@@ -23,7 +23,7 @@ static inline unsigned long long rdclock(void)
+ }
+
+ #ifndef MAX_NR_CPUS
+-#define MAX_NR_CPUS 1024
++#define MAX_NR_CPUS 2048
+ #endif
+
+ extern const char *input_name;
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index de9b369d2d2e..283148104ffb 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -1008,7 +1008,7 @@ static int build_caches(struct cpu_cache_level caches[], u32 size, u32 *cntp)
+ return 0;
+ }
+
+-#define MAX_CACHES 2000
++#define MAX_CACHES (MAX_NR_CPUS * 4)
+
+ static int write_cache(int fd, struct perf_header *h __maybe_unused,
+ struct perf_evlist *evlist __maybe_unused)
+--
+2.20.1
+
--- /dev/null
+From a894d2b2836cea02130e3c7c4d12955101b3509f Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Tue, 21 May 2019 16:48:43 -0400
+Subject: rcu: Force inlining of rcu_read_lock()
+
+[ Upstream commit 6da9f775175e516fc7229ceaa9b54f8f56aa7924 ]
+
+When debugging options are turned on, the rcu_read_lock() function
+might not be inlined. This results in lockdep's print_lock() function
+printing "rcu_read_lock+0x0/0x70" instead of rcu_read_lock()'s caller.
+For example:
+
+[ 10.579995] =============================
+[ 10.584033] WARNING: suspicious RCU usage
+[ 10.588074] 4.18.0.memcg_v2+ #1 Not tainted
+[ 10.593162] -----------------------------
+[ 10.597203] include/linux/rcupdate.h:281 Illegal context switch in
+RCU read-side critical section!
+[ 10.606220]
+[ 10.606220] other info that might help us debug this:
+[ 10.606220]
+[ 10.614280]
+[ 10.614280] rcu_scheduler_active = 2, debug_locks = 1
+[ 10.620853] 3 locks held by systemd/1:
+[ 10.624632] #0: (____ptrval____) (&type->i_mutex_dir_key#5){.+.+}, at: lookup_slow+0x42/0x70
+[ 10.633232] #1: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+[ 10.640954] #2: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+
+These "rcu_read_lock+0x0/0x70" strings are not providing any useful
+information. This commit therefore forces inlining of the rcu_read_lock()
+function so that rcu_read_lock()'s caller is instead shown.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index aa2935779e43..96037ba940ee 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -866,7 +866,7 @@ static inline void rcu_preempt_sleep_check(void)
+ * read-side critical sections may be preempted and they may also block, but
+ * only when acquiring spinlocks that are subject to priority inheritance.
+ */
+-static inline void rcu_read_lock(void)
++static __always_inline void rcu_read_lock(void)
+ {
+ __rcu_read_lock();
+ __acquire(RCU);
+--
+2.20.1
+
--- /dev/null
+From fe0eac36443916d353f74b833e54e72c7a74c9d0 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 12 Jun 2019 12:03:43 +0100
+Subject: regmap: fix bulk writes on paged registers
+
+[ Upstream commit db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b ]
+
+On buses like SlimBus and SoundWire which does not support
+gather_writes yet in regmap, A bulk write on paged register
+would be silently ignored after programming page.
+This is because local variable 'ret' value in regmap_raw_write_impl()
+gets reset to 0 once page register is written successfully and the
+code below checks for 'ret' value to be -ENOTSUPP before linearising
+the write buffer to send to bus->write().
+
+Fix this by resetting the 'ret' value to -ENOTSUPP in cases where
+gather_writes() is not supported or single register write is
+not possible.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 69c84fddfe8a..1799a1dfa46e 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1506,6 +1506,8 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg,
+ map->format.reg_bytes +
+ map->format.pad_bytes,
+ val, val_len);
++ else
++ ret = -ENOTSUPP;
+
+ /* If that didn't work fall back on linearising by hand. */
+ if (ret == -ENOTSUPP) {
+--
+2.20.1
+
--- /dev/null
+From 7b1d90f01973ec924c075fd9a471d154727383fe Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:34 +0300
+Subject: rslib: Fix decoding of shortened codes
+
+[ Upstream commit 2034a42d1747fc1e1eeef2c6f1789c4d0762cb9c ]
+
+The decoding of shortenend codes is broken. It only works as expected if
+there are no erasures.
+
+When decoding with erasures, Lambda (the error and erasure locator
+polynomial) is initialized from the given erasure positions. The pad
+parameter is not accounted for by the initialisation code, and hence
+Lambda is initialized from incorrect erasure positions.
+
+The fix is to adjust the erasure positions by the supplied pad.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-3-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 0ec3f257ffdf..8eed0f9ac495 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -99,9 +99,9 @@
+ if (no_eras > 0) {
+ /* Init lambda to be the erasure locator polynomial */
+ lambda[1] = alpha_to[rs_modnn(rs,
+- prim * (nn - 1 - eras_pos[0]))];
++ prim * (nn - 1 - (eras_pos[0] + pad)))];
+ for (i = 1; i < no_eras; i++) {
+- u = rs_modnn(rs, prim * (nn - 1 - eras_pos[i]));
++ u = rs_modnn(rs, prim * (nn - 1 - (eras_pos[i] + pad)));
+ for (j = i + 1; j > 0; j--) {
+ tmp = index_of[lambda[j - 1]];
+ if (tmp != nn) {
+--
+2.20.1
+
--- /dev/null
+From 06dc46b3b17dffa8a5f41da237125e2d850b9f28 Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Date: Thu, 20 Jun 2019 17:10:37 +0300
+Subject: rslib: Fix handling of of caller provided syndrome
+
+[ Upstream commit ef4d6a8556b637ad27c8c2a2cff1dda3da38e9a9 ]
+
+Check if the syndrome provided by the caller is zero, and act
+accordingly.
+
+Signed-off-by: Ferdinand Blomqvist <ferdinand.blomqvist@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190620141039.9874-6-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/reed_solomon/decode_rs.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 8eed0f9ac495..a5d313381539 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -42,8 +42,18 @@
+ BUG_ON(pad < 0 || pad >= nn);
+
+ /* Does the caller provide the syndrome ? */
+- if (s != NULL)
+- goto decode;
++ if (s != NULL) {
++ for (i = 0; i < nroots; i++) {
++ /* The syndrome is in index form,
++ * so nn represents zero
++ */
++ if (s[i] != nn)
++ goto decode;
++ }
++
++ /* syndrome is zero, no errors to correct */
++ return 0;
++ }
+
+ /* form the syndromes; i.e., evaluate data(x) at roots of
+ * g(x) */
+--
+2.20.1
+
--- /dev/null
+From 77d400548c8398f2195d86d8da3da53d9efdd0af Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 3 Jun 2019 07:47:04 +0200
+Subject: s390/qdio: handle PENDING state for QEBSM devices
+
+[ Upstream commit 04310324c6f482921c071444833e70fe861b73d9 ]
+
+When a CQ-enabled device uses QEBSM for SBAL state inspection,
+get_buf_states() can return the PENDING state for an Output Queue.
+get_outbound_buffer_frontier() isn't prepared for this, and any PENDING
+buffer will permanently stall all further completion processing on this
+Queue.
+
+This isn't a concern for non-QEBSM devices, as get_buf_states() for such
+devices will manually turn PENDING buffers into EMPTY ones.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/qdio_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index 18ab84e9c6b2..58cd0e0c9680 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -758,6 +758,7 @@ static int get_outbound_buffer_frontier(struct qdio_q *q)
+
+ switch (state) {
+ case SLSB_P_OUTPUT_EMPTY:
++ case SLSB_P_OUTPUT_PENDING:
+ /* the adapter got it */
+ DBF_DEV_EVENT(DBF_INFO, q->irq_ptr,
+ "out empty:%1d %02x", q->nr, count);
+--
+2.20.1
+
--- /dev/null
+mips-ath79-fix-ar933x-uart-parity-mode.patch
+mips-fix-build-on-non-linux-hosts.patch
+arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
+dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
+ath10k-do-not-send-probe-response-template-for-mesh.patch
+ath9k-check-for-errors-when-reading-srev-register.patch
+ath6kl-add-some-bounds-checking.patch
+ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
+batman-adv-fix-for-leaked-tvlv-handler.patch
+media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
+crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
+media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
+media-vpss-fix-a-potential-null-pointer-dereference.patch
+media-media_device_enum_links32-clean-a-reserved-fie.patch
+net-stmmac-dwmac1000-clear-unused-address-entries.patch
+net-stmmac-dwmac4-5-clear-unused-address-entries.patch
+signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
+signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
+af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
+xfrm-fix-xfrm-sel-prefix-length-validation.patch
+media-mc-device.c-don-t-memset-__user-pointer-conten.patch
+media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
+net-phy-check-against-net_device-being-null.patch
+crypto-talitos-properly-handle-split-icv.patch
+crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch
+tua6100-avoid-build-warnings.patch
+locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch
+media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
+cpupower-frequency-set-r-option-misses-the-last-cpu-.patch
+net-fec-do-not-use-netdev-messages-too-early.patch
+net-axienet-fix-race-condition-causing-tx-hang.patch
+s390-qdio-handle-pending-state-for-qebsm-devices.patch
+perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch
+perf-test-6-fix-missing-kvm-module-load-for-s390.patch
+gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch
+gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
+regmap-fix-bulk-writes-on-paged-registers.patch
+bpf-silence-warning-messages-in-core.patch
+rcu-force-inlining-of-rcu_read_lock.patch
+blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
+xfrm-fix-sa-selector-validation.patch
+perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
+vhost_net-disable-zerocopy-by-default.patch
+ipoib-correcly-show-a-vf-hardware-address.patch
+edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch
+ipsec-select-crypto-ciphers-for-xfrm_algo.patch
+media-i2c-fix-warning-same-module-names.patch
+ntp-limit-tai-utc-offset.patch
+timer_list-guard-procfs-specific-code.patch
+acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
+media-coda-fix-mpeg2-sequence-number-handling.patch
+media-coda-increment-sequence-offset-for-the-last-re.patch
+mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
+x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
+mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
+ath10k-fix-pcie-device-wake-up-failed.patch
+perf-tools-increase-max_nr_cpus-and-max_caches.patch
+libata-don-t-request-sense-data-on-zac-ata-devices.patch
+clocksource-drivers-exynos_mct-increase-priority-ove.patch
+rslib-fix-decoding-of-shortened-codes.patch
+rslib-fix-handling-of-of-caller-provided-syndrome.patch
+ixgbe-check-ddm-existence-in-transceiver-before-acce.patch
+crypto-asymmetric_keys-select-crypto_hash-where-need.patch
+edac-fix-global-out-of-bounds-write-when-setting-eda.patch
+bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
+iwlwifi-mvm-drop-large-non-sta-frames.patch
+net-usb-asix-init-mac-address-buffers.patch
+gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch
+bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
+bluetooth-6lowpan-search-for-destination-address-in-.patch
+bluetooth-check-state-in-l2cap_disconnect_rsp.patch
+bluetooth-validate-ble-connection-interval-updates.patch
+gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch
+gtp-fix-use-after-free-in-gtp_newlink.patch
+floppy-fix-div-by-zero-in-setup_format_params.patch
+floppy-fix-out-of-bounds-read-in-copy_buffer.patch
--- /dev/null
+From 6b774dc4e8d1e50db4a4c639b79c6f337f244728 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:33:50 -0500
+Subject: signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of
+ force_sig
+
+[ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Namjae Jeon <namjae.jeon@samsung.com>
+Cc: Jeff Layton <jlayton@primarydata.com>
+Cc: Steve French <smfrench@gmail.com>
+Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"")
+Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index f291ed0c155d..d1019cbf7a52 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2221,7 +2221,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
+
+ task = xchg(&server->tsk, NULL);
+ if (task)
+- force_sig(SIGKILL, task);
++ send_sig(SIGKILL, task, 1);
+ }
+
+ static struct TCP_Server_Info *
+--
+2.20.1
+
--- /dev/null
+From b0d35ff72292bf037353af3975656cc93063f0b1 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 May 2019 12:29:52 -0500
+Subject: signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
+
+[ Upstream commit f9070dc94542093fd516ae4ccea17ef46a4362c5 ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Daniel Lezcano <daniel.lezcano@free.fr>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Fixes: cf3f89214ef6 ("pidns: add reboot_pid_ns() to handle the reboot syscall")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/pid_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index 3976dd57db78..0eab538841fd 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -344,7 +344,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd)
+ }
+
+ read_lock(&tasklist_lock);
+- force_sig(SIGKILL, pid_ns->child_reaper);
++ send_sig(SIGKILL, pid_ns->child_reaper, 1);
+ read_unlock(&tasklist_lock);
+
+ do_exit(0);
+--
+2.20.1
+
--- /dev/null
+From b9f4629be5e6c00acf9b5f04655fb9886bcbadf1 Mon Sep 17 00:00:00 2001
+From: Nathan Huckleberry <nhuck@google.com>
+Date: Fri, 14 Jun 2019 11:16:04 -0700
+Subject: timer_list: Guard procfs specific code
+
+[ Upstream commit a9314773a91a1d3b36270085246a6715a326ff00 ]
+
+With CONFIG_PROC_FS=n the following warning is emitted:
+
+kernel/time/timer_list.c:361:36: warning: unused variable
+'timer_list_sops' [-Wunused-const-variable]
+ static const struct seq_operations timer_list_sops = {
+
+Add #ifdef guard around procfs specific code.
+
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: john.stultz@linaro.org
+Cc: sboyd@kernel.org
+Cc: clang-built-linux@googlegroups.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/534
+Link: https://lkml.kernel.org/r/20190614181604.112297-1-nhuck@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timer_list.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
+index 1407ed20ea93..b7c5d230b4b2 100644
+--- a/kernel/time/timer_list.c
++++ b/kernel/time/timer_list.c
+@@ -299,23 +299,6 @@ static inline void timer_list_header(struct seq_file *m, u64 now)
+ SEQ_printf(m, "\n");
+ }
+
+-static int timer_list_show(struct seq_file *m, void *v)
+-{
+- struct timer_list_iter *iter = v;
+-
+- if (iter->cpu == -1 && !iter->second_pass)
+- timer_list_header(m, iter->now);
+- else if (!iter->second_pass)
+- print_cpu(m, iter->cpu, iter->now);
+-#ifdef CONFIG_GENERIC_CLOCKEVENTS
+- else if (iter->cpu == -1 && iter->second_pass)
+- timer_list_show_tickdevices_header(m);
+- else
+- print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
+-#endif
+- return 0;
+-}
+-
+ void sysrq_timer_list_show(void)
+ {
+ u64 now = ktime_to_ns(ktime_get());
+@@ -334,6 +317,24 @@ void sysrq_timer_list_show(void)
+ return;
+ }
+
++#ifdef CONFIG_PROC_FS
++static int timer_list_show(struct seq_file *m, void *v)
++{
++ struct timer_list_iter *iter = v;
++
++ if (iter->cpu == -1 && !iter->second_pass)
++ timer_list_header(m, iter->now);
++ else if (!iter->second_pass)
++ print_cpu(m, iter->cpu, iter->now);
++#ifdef CONFIG_GENERIC_CLOCKEVENTS
++ else if (iter->cpu == -1 && iter->second_pass)
++ timer_list_show_tickdevices_header(m);
++ else
++ print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
++#endif
++ return 0;
++}
++
+ static void *move_iter(struct timer_list_iter *iter, loff_t offset)
+ {
+ for (; offset; offset--) {
+@@ -405,3 +406,4 @@ static int __init init_timer_list_procfs(void)
+ return 0;
+ }
+ __initcall(init_timer_list_procfs);
++#endif
+--
+2.20.1
+
--- /dev/null
+From f90e3f94dc5a620355cabf4729c7e0c7919827fa Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 30 May 2019 11:36:15 -0700
+Subject: tua6100: Avoid build warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 621ccc6cc5f8d6730b740d31d4818227866c93c9 ]
+
+Rename _P to _P_VAL and _R to _R_VAL to avoid global
+namespace conflicts:
+
+drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
+drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
+ #define _P 32
+
+In file included from ./include/acpi/platform/aclinux.h:54,
+ from ./include/acpi/platform/acenv.h:152,
+ from ./include/acpi/acpi.h:22,
+ from ./include/linux/acpi.h:34,
+ from ./include/linux/i2c.h:17,
+ from drivers/media/dvb-frontends/tua6100.h:30,
+ from drivers/media/dvb-frontends/tua6100.c:32:
+./include/linux/ctype.h:14: note: this is the location of the previous definition
+ #define _P 0x10 /* punct */
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c
+index 6da12b9e55eb..02c734b8718b 100644
+--- a/drivers/media/dvb-frontends/tua6100.c
++++ b/drivers/media/dvb-frontends/tua6100.c
+@@ -80,8 +80,8 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 };
+ struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 };
+
+-#define _R 4
+-#define _P 32
++#define _R_VAL 4
++#define _P_VAL 32
+ #define _ri 4000000
+
+ // setup register 0
+@@ -96,14 +96,14 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ else
+ reg1[1] = 0x0c;
+
+- if (_P == 64)
++ if (_P_VAL == 64)
+ reg1[1] |= 0x40;
+ if (c->frequency >= 1525000)
+ reg1[1] |= 0x80;
+
+ // register 2
+- reg2[1] = (_R >> 8) & 0x03;
+- reg2[2] = _R;
++ reg2[1] = (_R_VAL >> 8) & 0x03;
++ reg2[2] = _R_VAL;
+ if (c->frequency < 1455000)
+ reg2[1] |= 0x1c;
+ else if (c->frequency < 1630000)
+@@ -115,18 +115,18 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ * The N divisor ratio (note: c->frequency is in kHz, but we
+ * need it in Hz)
+ */
+- prediv = (c->frequency * _R) / (_ri / 1000);
+- div = prediv / _P;
++ prediv = (c->frequency * _R_VAL) / (_ri / 1000);
++ div = prediv / _P_VAL;
+ reg1[1] |= (div >> 9) & 0x03;
+ reg1[2] = div >> 1;
+ reg1[3] = (div << 7);
+- priv->frequency = ((div * _P) * (_ri / 1000)) / _R;
++ priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL;
+
+ // Finally, calculate and store the value for A
+- reg1[3] |= (prediv - (div*_P)) & 0x7f;
++ reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f;
+
+-#undef _R
+-#undef _P
++#undef _R_VAL
++#undef _P_VAL
+ #undef _ri
+
+ if (fe->ops.i2c_gate_ctrl)
+--
+2.20.1
+
--- /dev/null
+From 5896265d12bbd8195e1335f50caa0c7e5929c4d7 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 17 Jun 2019 05:20:54 -0400
+Subject: vhost_net: disable zerocopy by default
+
+[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ]
+
+Vhost_net was known to suffer from HOL[1] issues which is not easy to
+fix. Several downstream disable the feature by default. What's more,
+the datapath was split and datacopy path got the support of batching
+and XDP support recently which makes it faster than zerocopy part for
+small packets transmission.
+
+It looks to me that disable zerocopy by default is more
+appropriate. It cold be enabled by default again in the future if we
+fix the above issues.
+
+[1] https://patchwork.kernel.org/patch/3787671/
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 681d0eade82f..75e1089dfb01 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -30,7 +30,7 @@
+
+ #include "vhost.h"
+
+-static int experimental_zcopytx = 1;
++static int experimental_zcopytx = 0;
+ module_param(experimental_zcopytx, int, 0444);
+ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
+ " 1 -Enable; 0 - Disable");
+--
+2.20.1
+
--- /dev/null
+From 42d1a05466fd938486b5f94acdaed7d7fe761416 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 25 Jun 2019 16:26:22 +0900
+Subject: x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
+
+[ Upstream commit bc53d3d777f81385c1bb08b07bd1c06450ecc2c1 ]
+
+Without 'set -e', shell scripts continue running even after any
+error occurs. The missed 'set -e' is a typical bug in shell scripting.
+
+For example, when a disk space shortage occurs while this script is
+running, it actually ends up with generating a truncated capflags.c.
+
+Yet, mkcapflags.sh continues running and exits with 0. So, the build
+system assumes it has succeeded.
+
+It will not be re-generated in the next invocation of Make since its
+timestamp is newer than that of any of the source files.
+
+Add 'set -e' so that any error in this script is caught and propagated
+to the build system.
+
+Since 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special target"),
+make automatically deletes the target on any failure. So, the broken
+capflags.c will be deleted automatically.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Link: https://lkml.kernel.org/r/20190625072622.17679-1-yamada.masahiro@socionext.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mkcapflags.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
+index 6988c74409a8..711b74e0e623 100644
+--- a/arch/x86/kernel/cpu/mkcapflags.sh
++++ b/arch/x86/kernel/cpu/mkcapflags.sh
+@@ -3,6 +3,8 @@
+ # Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
+ #
+
++set -e
++
+ IN=$1
+ OUT=$2
+
+--
+2.20.1
+
--- /dev/null
+From 8be486167fbaa6d61bd5b3a7d2348f08edda6e98 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 14 Jun 2019 11:13:55 +0200
+Subject: xfrm: fix sa selector validation
+
+[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]
+
+After commit b38ff4075a80, the following command does not work anymore:
+$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
+ mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
+ 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
+
+In fact, the selector is not mandatory, allow the user to provide an empty
+selector.
+
+Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
+CC: Anirudh Gupta <anirudh.gupta@sophos.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index df4b7fc721f6..f3e9d500fa5a 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ }
+
+ switch (p->sel.family) {
++ case AF_UNSPEC:
++ break;
++
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
+--
+2.20.1
+
--- /dev/null
+From 56124b2e920b7037001b2c36b67d66f82607f8e4 Mon Sep 17 00:00:00 2001
+From: Anirudh Gupta <anirudhrudr@gmail.com>
+Date: Tue, 21 May 2019 20:59:47 +0530
+Subject: xfrm: Fix xfrm sel prefix length validation
+
+[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
+
+Family of src/dst can be different from family of selector src/dst.
+Use xfrm selector family to validate address prefix length,
+while verifying new sa from userspace.
+
+Validated patch with this command:
+ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
+reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
+0x1111016400000000000000000000000044440001 128 \
+sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
+
+Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
+Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index ca5c79bfd9a5..df4b7fc721f6 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+
+ err = -EINVAL;
+ switch (p->family) {
++ case AF_INET:
++ break;
++
++ case AF_INET6:
++#if IS_ENABLED(CONFIG_IPV6)
++ break;
++#else
++ err = -EAFNOSUPPORT;
++ goto out;
++#endif
++
++ default:
++ goto out;
++ }
++
++ switch (p->sel.family) {
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
+--
+2.20.1
+