--- /dev/null
+From 8c11a1f04e2ac0b13af6b774b92d65bc4210ea8a Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 7 Jun 2019 11:02:01 +0200
+Subject: ARM: davinci: da850-evm: call regulator_has_full_constraints()
+
+[ Upstream commit 0c0c9b5753cd04601b17de09da1ed2885a3b42fe ]
+
+The BB expander at 0x21 i2c bus 1 fails to probe on da850-evm because
+the board doesn't set has_full_constraints to true in the regulator
+API.
+
+Call regulator_has_full_constraints() at the end of board registration
+just like we do in da850-lcdk and da830-evm.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-davinci/board-da850-evm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/mach-davinci/board-da850-evm.c b/arch/arm/mach-davinci/board-da850-evm.c
+index 1fdc9283a8c5..2450936b91d0 100644
+--- a/arch/arm/mach-davinci/board-da850-evm.c
++++ b/arch/arm/mach-davinci/board-da850-evm.c
+@@ -1479,6 +1479,8 @@ static __init void da850_evm_init(void)
+ if (ret)
+ pr_warn("%s: dsp/rproc registration failed: %d\n",
+ __func__, ret);
++
++ regulator_has_full_constraints();
+ }
+
+ #ifdef CONFIG_SERIAL_8250_CONSOLE
+--
+2.20.1
+
--- /dev/null
+From 07dd7fe98731fd7adc5e8a991c39b73b20b2b17c Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 7 Jun 2019 16:33:50 +0200
+Subject: ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
+
+[ Upstream commit 68f2515bb31a664ba3e2bc1eb78dd9f529b10067 ]
+
+The lcdc device is missing the dma_coherent_mask definition causing the
+following warning on da850-evm:
+
+da8xx_lcdc da8xx_lcdc.0: found Sharp_LK043T1DG01 panel
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:247 dma_alloc_attrs+0xc8/0x110
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Not tainted 5.2.0-rc3-00077-g16d72dd4891f #18
+Hardware name: DaVinci DA850/OMAP-L138/AM18x EVM
+[<c000fce8>] (unwind_backtrace) from [<c000d900>] (show_stack+0x10/0x14)
+[<c000d900>] (show_stack) from [<c001a4f8>] (__warn+0xec/0x114)
+[<c001a4f8>] (__warn) from [<c001a634>] (warn_slowpath_null+0x3c/0x48)
+[<c001a634>] (warn_slowpath_null) from [<c0065860>] (dma_alloc_attrs+0xc8/0x110)
+[<c0065860>] (dma_alloc_attrs) from [<c02820f8>] (fb_probe+0x228/0x5a8)
+[<c02820f8>] (fb_probe) from [<c02d3e9c>] (platform_drv_probe+0x48/0x9c)
+[<c02d3e9c>] (platform_drv_probe) from [<c02d221c>] (really_probe+0x1d8/0x2d4)
+[<c02d221c>] (really_probe) from [<c02d2474>] (driver_probe_device+0x5c/0x168)
+[<c02d2474>] (driver_probe_device) from [<c02d2728>] (device_driver_attach+0x58/0x60)
+[<c02d2728>] (device_driver_attach) from [<c02d27b0>] (__driver_attach+0x80/0xbc)
+[<c02d27b0>] (__driver_attach) from [<c02d047c>] (bus_for_each_dev+0x64/0xb4)
+[<c02d047c>] (bus_for_each_dev) from [<c02d1590>] (bus_add_driver+0xe4/0x1d8)
+[<c02d1590>] (bus_add_driver) from [<c02d301c>] (driver_register+0x78/0x10c)
+[<c02d301c>] (driver_register) from [<c000a5c0>] (do_one_initcall+0x48/0x1bc)
+[<c000a5c0>] (do_one_initcall) from [<c05cae6c>] (kernel_init_freeable+0x10c/0x1d8)
+[<c05cae6c>] (kernel_init_freeable) from [<c048a000>] (kernel_init+0x8/0xf4)
+[<c048a000>] (kernel_init) from [<c00090e0>] (ret_from_fork+0x14/0x34)
+Exception stack(0xc6837fb0 to 0xc6837ff8)
+7fa0: 00000000 00000000 00000000 00000000
+7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+---[ end trace 8a8073511be81dd2 ]---
+
+Add a 32-bit mask to the platform device's definition.
+
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-davinci/devices-da8xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c
+index b8dc674e06bc..261240913b45 100644
+--- a/arch/arm/mach-davinci/devices-da8xx.c
++++ b/arch/arm/mach-davinci/devices-da8xx.c
+@@ -686,6 +686,9 @@ static struct platform_device da8xx_lcdc_device = {
+ .id = 0,
+ .num_resources = ARRAY_SIZE(da8xx_lcdc_resources),
+ .resource = da8xx_lcdc_resources,
++ .dev = {
++ .coherent_dma_mask = DMA_BIT_MASK(32),
++ }
+ };
+
+ int __init da8xx_register_lcdc(struct da8xx_lcdc_platform_data *pdata)
+--
+2.20.1
+
--- /dev/null
+From 31327c75067f2b989eed561bc61c11136c4aed83 Mon Sep 17 00:00:00 2001
+From: Teresa Remmet <t.remmet@phytec.de>
+Date: Fri, 24 May 2019 15:19:57 +0200
+Subject: ARM: dts: am335x phytec boards: Fix cd-gpios active level
+
+[ Upstream commit 8a0098c05a272c9a68f6885e09755755b612459c ]
+
+Active level of the mmc1 cd gpio needs to be low instead of high.
+Fix PCM-953 and phyBOARD-WEGA.
+
+Signed-off-by: Teresa Remmet <t.remmet@phytec.de>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am335x-pcm-953.dtsi | 2 +-
+ arch/arm/boot/dts/am335x-wega.dtsi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+index 1ec8e0d80191..572fbd254690 100644
+--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi
++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+@@ -197,7 +197,7 @@
+ bus-width = <4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc1_pins>;
+- cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
++ cd-gpios = <&gpio0 6 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ };
+
+diff --git a/arch/arm/boot/dts/am335x-wega.dtsi b/arch/arm/boot/dts/am335x-wega.dtsi
+index 8ce541739b24..83e4fe595e37 100644
+--- a/arch/arm/boot/dts/am335x-wega.dtsi
++++ b/arch/arm/boot/dts/am335x-wega.dtsi
+@@ -157,7 +157,7 @@
+ bus-width = <4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc1_pins>;
+- cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
++ cd-gpios = <&gpio0 6 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 957ee468e645093e4a7f8122354ff009e8fa7c2d Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Fri, 17 May 2019 06:44:08 +0530
+Subject: ARM: dts: dra71x: Disable rtc target module
+
+[ Upstream commit fe9edfe648ac444150ec95da1fb10e2728cc9789 ]
+
+Introduce dra71x.dtsi to include dra71x specific changes.
+rtc is fused out on dra71 and accessing target module
+register is causing a boot crash hence disable it.
+
+Fixes: 549fce068a3112 ("ARM: dts: dra7: Add l4 interconnect hierarchy and ti-sysc data")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dra71-evm.dts | 2 +-
+ arch/arm/boot/dts/dra71x.dtsi | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100644 arch/arm/boot/dts/dra71x.dtsi
+
+diff --git a/arch/arm/boot/dts/dra71-evm.dts b/arch/arm/boot/dts/dra71-evm.dts
+index 82cc7ec37af0..c496ae83e27e 100644
+--- a/arch/arm/boot/dts/dra71-evm.dts
++++ b/arch/arm/boot/dts/dra71-evm.dts
+@@ -6,7 +6,7 @@
+ * published by the Free Software Foundation.
+ */
+
+-#include "dra72-evm-common.dtsi"
++#include "dra71x.dtsi"
+ #include "dra7-mmc-iodelay.dtsi"
+ #include "dra72x-mmc-iodelay.dtsi"
+ #include <dt-bindings/net/ti-dp83867.h>
+diff --git a/arch/arm/boot/dts/dra71x.dtsi b/arch/arm/boot/dts/dra71x.dtsi
+new file mode 100644
+index 000000000000..aad7394902a6
+--- /dev/null
++++ b/arch/arm/boot/dts/dra71x.dtsi
+@@ -0,0 +1,13 @@
++/*
++ * Copyright (C) 2019 Texas Instruments Incorporated - http://www.ti.com/
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++#include "dra72-evm-common.dtsi"
++
++&rtctarget {
++ status = "disabled";
++};
+--
+2.20.1
+
--- /dev/null
+From b4aee42bdcd83c4f2440687c075744161037cbc8 Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Fri, 17 May 2019 06:44:09 +0530
+Subject: ARM: dts: dra71x: Disable usb4_tm target module
+
+[ Upstream commit 34b1b8061de3215208db9accfe60cc3f5b40178f ]
+
+usb4_tm is unsed on dra71 and accessing the module
+with ti,sysc is causing a boot crash hence disable its target
+module.
+
+Fixes: 549fce068a3112 ("ARM: dts: dra7: Add l4 interconnect hierarchy and ti-sysc data")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dra71x.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm/boot/dts/dra71x.dtsi b/arch/arm/boot/dts/dra71x.dtsi
+index aad7394902a6..695a08ed0360 100644
+--- a/arch/arm/boot/dts/dra71x.dtsi
++++ b/arch/arm/boot/dts/dra71x.dtsi
+@@ -11,3 +11,7 @@
+ &rtctarget {
+ status = "disabled";
+ };
++
++&usb4_tm {
++ status = "disabled";
++};
+--
+2.20.1
+
--- /dev/null
+From 2fa66ed77bb63b37157481f27f6263c1ad00c499 Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Fri, 17 May 2019 06:44:06 +0530
+Subject: ARM: dts: dra76x: Disable rtc target module
+
+[ Upstream commit f7b9cb944a5d41fdede4e928a47e9d5fce5169d7 ]
+
+rtc is fused out on dra76 and accessing target module
+register is causing a boot crash hence disable it.
+
+Fixes: 549fce068a3112 ("ARM: dts: dra7: Add l4 interconnect hierarchy and ti-sysc data")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dra7-l4.dtsi | 2 +-
+ arch/arm/boot/dts/dra76x.dtsi | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/dra7-l4.dtsi b/arch/arm/boot/dts/dra7-l4.dtsi
+index 414f1cd68733..73f5c050f586 100644
+--- a/arch/arm/boot/dts/dra7-l4.dtsi
++++ b/arch/arm/boot/dts/dra7-l4.dtsi
+@@ -3543,7 +3543,7 @@
+ };
+ };
+
+- target-module@38000 { /* 0x48838000, ap 29 12.0 */
++ rtctarget: target-module@38000 { /* 0x48838000, ap 29 12.0 */
+ compatible = "ti,sysc-omap4-simple", "ti,sysc";
+ ti,hwmods = "rtcss";
+ reg = <0x38074 0x4>,
+diff --git a/arch/arm/boot/dts/dra76x.dtsi b/arch/arm/boot/dts/dra76x.dtsi
+index 9ee45aa365d8..5c437271d307 100644
+--- a/arch/arm/boot/dts/dra76x.dtsi
++++ b/arch/arm/boot/dts/dra76x.dtsi
+@@ -81,3 +81,7 @@
+ reg = <0x3fc>;
+ };
+ };
++
++&rtctarget {
++ status = "disabled";
++};
+--
+2.20.1
+
--- /dev/null
+From fa506e84c13b2e03449a8fbb350acff838b0d24f Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Fri, 17 May 2019 06:44:07 +0530
+Subject: ARM: dts: dra76x: Disable usb4_tm target module
+
+[ Upstream commit b07bd27e02b9108ce8412cc2dc6faf621f57d224 ]
+
+usb4_tm is unsed on dra76 and accessing the module
+with ti,sysc is causing a boot crash hence disable its target
+module.
+
+Fixes: 549fce068a3112 ("ARM: dts: dra7: Add l4 interconnect hierarchy and ti-sysc data")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dra76x.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm/boot/dts/dra76x.dtsi b/arch/arm/boot/dts/dra76x.dtsi
+index 5c437271d307..82b3dc90b7d6 100644
+--- a/arch/arm/boot/dts/dra76x.dtsi
++++ b/arch/arm/boot/dts/dra76x.dtsi
+@@ -85,3 +85,7 @@
+ &rtctarget {
+ status = "disabled";
+ };
++
++&usb4_tm {
++ status = "disabled";
++};
+--
+2.20.1
+
--- /dev/null
+From bba31e331236ccfd6cff0627cf07b0643d9e1e59 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 30 May 2019 00:25:23 -0700
+Subject: ARM: dts: Drop bogus CLKSEL for timer12 on dra7
+
+[ Upstream commit 34f61de87017aff3c8306280d196dddb1e168a88 ]
+
+There is no CLKSEL for timer12 on dra7 unlike for timer1. This
+causes issues on booting the device that Tomi noticed if
+DEBUG_SLAB is enabled and the clkctrl clock does not properly
+handle non-existing clock. Let's drop the bogus CLKSEL clock,
+the clkctrl clock handling gets fixed separately.
+
+Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Cc: Tero Kristo <t-kristo@ti.com>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Reported-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Tested-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Tested-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Fixes: 4ed0dfe3cf39 ("ARM: dts: dra7: Move l4 child devices to probe them with ti-sysc")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dra7-l4.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/dra7-l4.dtsi b/arch/arm/boot/dts/dra7-l4.dtsi
+index 73f5c050f586..17f0d8e93622 100644
+--- a/arch/arm/boot/dts/dra7-l4.dtsi
++++ b/arch/arm/boot/dts/dra7-l4.dtsi
+@@ -4450,8 +4450,6 @@
+ timer12: timer@0 {
+ compatible = "ti,omap5430-timer";
+ reg = <0x0 0x80>;
+- clocks = <&wkupaon_clkctrl DRA7_WKUPAON_TIMER12_CLKCTRL 24>;
+- clock-names = "fck";
+ interrupts = <GIC_SPI 90 IRQ_TYPE_LEVEL_HIGH>;
+ ti,timer-alwon;
+ ti,timer-secure;
+--
+2.20.1
+
--- /dev/null
+From ae97812ab86d784c4d1688f08dd6e62ab212e629 Mon Sep 17 00:00:00 2001
+From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Date: Thu, 13 Jun 2019 16:25:40 -0300
+Subject: bnx2x: Check if transceiver implements DDM before access
+
+[ Upstream commit cf18cecca911c0db96b868072665347efe6df46f ]
+
+Some transceivers may comply with SFF-8472 even though they do not
+implement the Digital Diagnostic Monitoring (DDM) interface described in
+the spec. The existence of such area is specified by the 6th bit of byte
+92, set to 1 if implemented.
+
+Currently, without checking this bit, bnx2x fails trying to read sfp
+module's EEPROM with the follow message:
+
+ethtool -m enP5p1s0f1
+Cannot get Module EEPROM data: Input/output error
+
+Because it fails to read the additional 256 bytes in which it is assumed
+to exist the DDM data.
+
+This issue was noticed using a Mellanox Passive DAC PN 01FT738. The EEPROM
+data was confirmed by Mellanox as correct and similar to other Passive
+DACs from other manufacturers.
+
+Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 ++-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+index 749d0ef44371..59f227fcc68b 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -1609,7 +1609,8 @@ static int bnx2x_get_module_info(struct net_device *dev,
+ }
+
+ if (!sff8472_comp ||
+- (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ)) {
++ (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ) ||
++ !(diag_type & SFP_EEPROM_DDM_IMPLEMENTED)) {
+ modinfo->type = ETH_MODULE_SFF_8079;
+ modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
+ } else {
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
+index b7d251108c19..7115f5025664 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
+@@ -62,6 +62,7 @@
+ #define SFP_EEPROM_DIAG_TYPE_ADDR 0x5c
+ #define SFP_EEPROM_DIAG_TYPE_SIZE 1
+ #define SFP_EEPROM_DIAG_ADDR_CHANGE_REQ (1<<2)
++#define SFP_EEPROM_DDM_IMPLEMENTED (1<<6)
+ #define SFP_EEPROM_SFF_8472_COMP_ADDR 0x5e
+ #define SFP_EEPROM_SFF_8472_COMP_SIZE 1
+
+--
+2.20.1
+
--- /dev/null
+From 291691c8e7958e53dcddc30e7436078c83f4dbaf Mon Sep 17 00:00:00 2001
+From: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Date: Fri, 14 Jun 2019 17:20:14 +0900
+Subject: bpf, devmap: Add missing bulk queue free
+
+[ Upstream commit edabf4d9dd905acd60048ea1579943801e3a4876 ]
+
+dev_map_free() forgot to free bulk queue when freeing its entries.
+
+Fixes: 5d053f9da431 ("bpf: devmap prepare xdp frames for bulking")
+Signed-off-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index e001fb1a96b1..a126d95d12de 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -186,6 +186,7 @@ static void dev_map_free(struct bpf_map *map)
+ if (!dev)
+ continue;
+
++ free_percpu(dev->bulkq);
+ dev_put(dev->dev);
+ kfree(dev);
+ }
+--
+2.20.1
+
--- /dev/null
+From aee1eff077f884c6036a789c37ba7d39e862ce47 Mon Sep 17 00:00:00 2001
+From: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Date: Fri, 14 Jun 2019 17:20:15 +0900
+Subject: bpf, devmap: Add missing RCU read lock on flush
+
+[ Upstream commit 86723c8640633bee4b4588d3c7784ee7a0032f65 ]
+
+.ndo_xdp_xmit() assumes it is called under RCU. For example virtio_net
+uses RCU to detect it has setup the resources for tx. The assumption
+accidentally broke when introducing bulk queue in devmap.
+
+Fixes: 5d053f9da431 ("bpf: devmap prepare xdp frames for bulking")
+Reported-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index a126d95d12de..1defea4b2755 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -282,6 +282,7 @@ void __dev_map_flush(struct bpf_map *map)
+ unsigned long *bitmap = this_cpu_ptr(dtab->flush_needed);
+ u32 bit;
+
++ rcu_read_lock();
+ for_each_set_bit(bit, bitmap, map->max_entries) {
+ struct bpf_dtab_netdev *dev = READ_ONCE(dtab->netdev_map[bit]);
+ struct xdp_bulk_queue *bq;
+@@ -297,6 +298,7 @@ void __dev_map_flush(struct bpf_map *map)
+
+ __clear_bit(bit, bitmap);
+ }
++ rcu_read_unlock();
+ }
+
+ /* rcu_read_lock (from syscall and BPF contexts) ensures that if a delete and/or
+@@ -389,6 +391,7 @@ static void dev_map_flush_old(struct bpf_dtab_netdev *dev)
+
+ int cpu;
+
++ rcu_read_lock();
+ for_each_online_cpu(cpu) {
+ bitmap = per_cpu_ptr(dev->dtab->flush_needed, cpu);
+ __clear_bit(dev->bit, bitmap);
+@@ -396,6 +399,7 @@ static void dev_map_flush_old(struct bpf_dtab_netdev *dev)
+ bq = per_cpu_ptr(dev->bulkq, cpu);
+ bq_xmit_all(dev, bq, XDP_XMIT_FLUSH, false);
+ }
++ rcu_read_unlock();
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 72ad92eff18345148bccee900de00bf8a62a53fa Mon Sep 17 00:00:00 2001
+From: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Date: Fri, 14 Jun 2019 17:20:13 +0900
+Subject: bpf, devmap: Fix premature entry free on destroying map
+
+[ Upstream commit d4dd153d551634683fccf8881f606fa9f3dfa1ef ]
+
+dev_map_free() waits for flush_needed bitmap to be empty in order to
+ensure all flush operations have completed before freeing its entries.
+However the corresponding clear_bit() was called before using the
+entries, so the entries could be used after free.
+
+All access to the entries needs to be done before clearing the bit.
+It seems commit a5e2da6e9787 ("bpf: netdev is never null in
+__dev_map_flush") accidentally changed the clear_bit() and memory access
+order.
+
+Note that the problem happens only in __dev_map_flush(), not in
+dev_map_flush_old(). dev_map_flush_old() is called only after nulling
+out the corresponding netdev_map entry, so dev_map_free() never frees
+the entry thus no such race happens there.
+
+Fixes: a5e2da6e9787 ("bpf: netdev is never null in __dev_map_flush")
+Signed-off-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/devmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index 1e525d70f833..e001fb1a96b1 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -291,10 +291,10 @@ void __dev_map_flush(struct bpf_map *map)
+ if (unlikely(!dev))
+ continue;
+
+- __clear_bit(bit, bitmap);
+-
+ bq = this_cpu_ptr(dev->bulkq);
+ bq_xmit_all(dev, bq, XDP_XMIT_FLUSH, true);
++
++ __clear_bit(bit, bitmap);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From a7f3a9f8fd4158361b10e280adf1402d215f4dac Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 13 Jun 2019 00:21:39 +0530
+Subject: bpf: fix div64 overflow tests to properly detect errors
+
+[ Upstream commit 3e0682695199bad51dd898fe064d1564637ff77a ]
+
+If the result of the division is LLONG_MIN, current tests do not detect
+the error since the return value is truncated to a 32-bit value and ends
+up being 0.
+
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/bpf/verifier/div_overflow.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/verifier/div_overflow.c b/tools/testing/selftests/bpf/verifier/div_overflow.c
+index bd3f38dbe796..acab4f00819f 100644
+--- a/tools/testing/selftests/bpf/verifier/div_overflow.c
++++ b/tools/testing/selftests/bpf/verifier/div_overflow.c
+@@ -29,8 +29,11 @@
+ "DIV64 overflow, check 1",
+ .insns = {
+ BPF_MOV64_IMM(BPF_REG_1, -1),
+- BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
+- BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
++ BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
++ BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
++ BPF_MOV32_IMM(BPF_REG_0, 0),
++ BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 1),
++ BPF_MOV32_IMM(BPF_REG_0, 1),
+ BPF_EXIT_INSN(),
+ },
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+@@ -40,8 +43,11 @@
+ {
+ "DIV64 overflow, check 2",
+ .insns = {
+- BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
+- BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
++ BPF_LD_IMM64(BPF_REG_1, LLONG_MIN),
++ BPF_ALU64_IMM(BPF_DIV, BPF_REG_1, -1),
++ BPF_MOV32_IMM(BPF_REG_0, 0),
++ BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_1, 1),
++ BPF_MOV32_IMM(BPF_REG_0, 1),
+ BPF_EXIT_INSN(),
+ },
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+--
+2.20.1
+
--- /dev/null
+From b237832a59ef85f0fa9ae38db98aec3de360ea28 Mon Sep 17 00:00:00 2001
+From: Luke Nelson <luke.r.nels@gmail.com>
+Date: Thu, 30 May 2019 15:29:22 -0700
+Subject: bpf, riscv: clear high 32 bits for ALU32 add/sub/neg/lsh/rsh/arsh
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1e692f09e091bf5c8b38384f297d6dae5dbf0f12 ]
+
+In BPF, 32-bit ALU operations should zero-extend their results into
+the 64-bit registers.
+
+The current BPF JIT on RISC-V emits incorrect instructions that perform
+sign extension only (e.g., addw, subw) on 32-bit add, sub, lsh, rsh,
+arsh, and neg. This behavior diverges from the interpreter and JITs
+for other architectures.
+
+This patch fixes the bugs by performing zero extension on the destination
+register of 32-bit ALU operations.
+
+Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G")
+Cc: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Björn Töpel <bjorn.topel@gmail.com>
+Reviewed-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/arch/riscv/net/bpf_jit_comp.c b/arch/riscv/net/bpf_jit_comp.c
+index e5c8d675bd6e..426d5c33ea90 100644
+--- a/arch/riscv/net/bpf_jit_comp.c
++++ b/arch/riscv/net/bpf_jit_comp.c
+@@ -751,10 +751,14 @@ static int emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ case BPF_ALU | BPF_ADD | BPF_X:
+ case BPF_ALU64 | BPF_ADD | BPF_X:
+ emit(is64 ? rv_add(rd, rd, rs) : rv_addw(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_SUB | BPF_X:
+ case BPF_ALU64 | BPF_SUB | BPF_X:
+ emit(is64 ? rv_sub(rd, rd, rs) : rv_subw(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_AND | BPF_X:
+ case BPF_ALU64 | BPF_AND | BPF_X:
+@@ -795,14 +799,20 @@ static int emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ case BPF_ALU | BPF_LSH | BPF_X:
+ case BPF_ALU64 | BPF_LSH | BPF_X:
+ emit(is64 ? rv_sll(rd, rd, rs) : rv_sllw(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_RSH | BPF_X:
+ case BPF_ALU64 | BPF_RSH | BPF_X:
+ emit(is64 ? rv_srl(rd, rd, rs) : rv_srlw(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_ARSH | BPF_X:
+ case BPF_ALU64 | BPF_ARSH | BPF_X:
+ emit(is64 ? rv_sra(rd, rd, rs) : rv_sraw(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+
+ /* dst = -dst */
+@@ -810,6 +820,8 @@ static int emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ case BPF_ALU64 | BPF_NEG:
+ emit(is64 ? rv_sub(rd, RV_REG_ZERO, rd) :
+ rv_subw(rd, RV_REG_ZERO, rd), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+
+ /* dst = BSWAP##imm(dst) */
+@@ -964,14 +976,20 @@ static int emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ case BPF_ALU | BPF_LSH | BPF_K:
+ case BPF_ALU64 | BPF_LSH | BPF_K:
+ emit(is64 ? rv_slli(rd, rd, imm) : rv_slliw(rd, rd, imm), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_RSH | BPF_K:
+ case BPF_ALU64 | BPF_RSH | BPF_K:
+ emit(is64 ? rv_srli(rd, rd, imm) : rv_srliw(rd, rd, imm), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_ARSH | BPF_K:
+ case BPF_ALU64 | BPF_ARSH | BPF_K:
+ emit(is64 ? rv_srai(rd, rd, imm) : rv_sraiw(rd, rd, imm), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+
+ /* JUMP off */
+--
+2.20.1
+
--- /dev/null
+From 746d883980f137055acf4b7de58c5783c6815f44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= <bjorn.topel@gmail.com>
+Date: Tue, 21 May 2019 15:46:22 +0200
+Subject: bpf, riscv: clear target register high 32-bits for and/or/xor on
+ ALU32
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit fe121ee531d1362810bfd30f38a1b88b1d3d376c ]
+
+When using 32-bit subregisters (ALU32), the RISC-V JIT would not clear
+the high 32-bits of the target register and therefore generate
+incorrect code.
+
+E.g., in the following code:
+
+ $ cat test.c
+ unsigned int f(unsigned long long a,
+ unsigned int b)
+ {
+ return (unsigned int)a & b;
+ }
+
+ $ clang-9 -target bpf -O2 -emit-llvm -S test.c -o - | \
+ llc-9 -mattr=+alu32 -mcpu=v3
+ .text
+ .file "test.c"
+ .globl f
+ .p2align 3
+ .type f,@function
+ f:
+ r0 = r1
+ w0 &= w2
+ exit
+ .Lfunc_end0:
+ .size f, .Lfunc_end0-f
+
+The JIT would not clear the high 32-bits of r0 after the
+and-operation, which in this case might give an incorrect return
+value.
+
+After this patch, that is not the case, and the upper 32-bits are
+cleared.
+
+Reported-by: Jiong Wang <jiong.wang@netronome.com>
+Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G")
+Signed-off-by: Björn Töpel <bjorn.topel@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/riscv/net/bpf_jit_comp.c b/arch/riscv/net/bpf_jit_comp.c
+index 80b12aa5e10d..e5c8d675bd6e 100644
+--- a/arch/riscv/net/bpf_jit_comp.c
++++ b/arch/riscv/net/bpf_jit_comp.c
+@@ -759,14 +759,20 @@ static int emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ case BPF_ALU | BPF_AND | BPF_X:
+ case BPF_ALU64 | BPF_AND | BPF_X:
+ emit(rv_and(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_OR | BPF_X:
+ case BPF_ALU64 | BPF_OR | BPF_X:
+ emit(rv_or(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_XOR | BPF_X:
+ case BPF_ALU64 | BPF_XOR | BPF_X:
+ emit(rv_xor(rd, rd, rs), ctx);
++ if (!is64)
++ emit_zext_32(rd, ctx);
+ break;
+ case BPF_ALU | BPF_MUL | BPF_X:
+ case BPF_ALU64 | BPF_MUL | BPF_X:
+--
+2.20.1
+
--- /dev/null
+From 2f7407066baf057f293818c9543259072593ae3b Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Fri, 24 May 2019 08:01:00 -0700
+Subject: bpf: sockmap, fix use after free from sleep in psock backlog
+ workqueue
+
+[ Upstream commit bd95e678e0f6e18351ecdc147ca819145db9ed7b ]
+
+Backlog work for psock (sk_psock_backlog) might sleep while waiting
+for memory to free up when sending packets. However, while sleeping
+the socket may be closed and removed from the map by the user space
+side.
+
+This breaks an assumption in sk_stream_wait_memory, which expects the
+wait queue to be still there when it wakes up resulting in a
+use-after-free shown below. To fix his mark sendmsg as MSG_DONTWAIT
+to avoid the sleep altogether. We already set the flag for the
+sendpage case but we missed the case were sendmsg is used.
+Sockmap is currently the only user of skb_send_sock_locked() so only
+the sockmap paths should be impacted.
+
+==================================================================
+BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70
+Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110
+
+CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
+Workqueue: events sk_psock_backlog
+Call Trace:
+ print_address_description+0x6e/0x2b0
+ ? remove_wait_queue+0x31/0x70
+ kasan_report+0xfd/0x177
+ ? remove_wait_queue+0x31/0x70
+ ? remove_wait_queue+0x31/0x70
+ remove_wait_queue+0x31/0x70
+ sk_stream_wait_memory+0x4dd/0x5f0
+ ? sk_stream_wait_close+0x1b0/0x1b0
+ ? wait_woken+0xc0/0xc0
+ ? tcp_current_mss+0xc5/0x110
+ tcp_sendmsg_locked+0x634/0x15d0
+ ? tcp_set_state+0x2e0/0x2e0
+ ? __kasan_slab_free+0x1d1/0x230
+ ? kmem_cache_free+0x70/0x140
+ ? sk_psock_backlog+0x40c/0x4b0
+ ? process_one_work+0x40b/0x660
+ ? worker_thread+0x82/0x680
+ ? kthread+0x1b9/0x1e0
+ ? ret_from_fork+0x1f/0x30
+ ? check_preempt_curr+0xaf/0x130
+ ? iov_iter_kvec+0x5f/0x70
+ ? kernel_sendmsg_locked+0xa0/0xe0
+ skb_send_sock_locked+0x273/0x3c0
+ ? skb_splice_bits+0x180/0x180
+ ? start_thread+0xe0/0xe0
+ ? update_min_vruntime.constprop.27+0x88/0xc0
+ sk_psock_backlog+0xb3/0x4b0
+ ? strscpy+0xbf/0x1e0
+ process_one_work+0x40b/0x660
+ worker_thread+0x82/0x680
+ ? process_one_work+0x660/0x660
+ kthread+0x1b9/0x1e0
+ ? __kthread_create_on_node+0x250/0x250
+ ret_from_fork+0x1f/0x30
+
+Fixes: 20bf50de3028c ("skbuff: Function to send an skbuf on a socket")
+Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
+Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index e5bfd42fd083..4ea96fbf3b49 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2309,6 +2309,7 @@ int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset,
+ kv.iov_base = skb->data + offset;
+ kv.iov_len = slen;
+ memset(&msg, 0, sizeof(msg));
++ msg.msg_flags = MSG_DONTWAIT;
+
+ ret = kernel_sendmsg_locked(sk, &msg, &kv, 1, slen);
+ if (ret <= 0)
+--
+2.20.1
+
--- /dev/null
+From b02cc129de3c9b3ece70cd5e357b57ce5604580c Mon Sep 17 00:00:00 2001
+From: Jakub Sitnicki <jakub@cloudflare.com>
+Date: Wed, 22 May 2019 12:01:42 +0200
+Subject: bpf: sockmap, restore sk_write_space when psock gets dropped
+
+[ Upstream commit 186bcc3dcd106dc52d706117f912054b616666e1 ]
+
+Once psock gets unlinked from its sock (sk_psock_drop), user-space can
+still trigger a call to sk->sk_write_space by setting TCP_NOTSENT_LOWAT
+socket option. This causes a null-ptr-deref because we try to read
+psock->saved_write_space from sk_psock_write_space:
+
+==================================================================
+BUG: KASAN: null-ptr-deref in sk_psock_write_space+0x69/0x80
+Read of size 8 at addr 00000000000001a0 by task sockmap-echo/131
+
+CPU: 0 PID: 131 Comm: sockmap-echo Not tainted 5.2.0-rc1-00094-gf49aa1de9836 #81
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
+Call Trace:
+ ? sk_psock_write_space+0x69/0x80
+ __kasan_report.cold.2+0x5/0x3f
+ ? sk_psock_write_space+0x69/0x80
+ kasan_report+0xe/0x20
+ sk_psock_write_space+0x69/0x80
+ tcp_setsockopt+0x69a/0xfc0
+ ? tcp_shutdown+0x70/0x70
+ ? fsnotify+0x5b0/0x5f0
+ ? remove_wait_queue+0x90/0x90
+ ? __fget_light+0xa5/0xf0
+ __sys_setsockopt+0xe6/0x180
+ ? sockfd_lookup_light+0xb0/0xb0
+ ? vfs_write+0x195/0x210
+ ? ksys_write+0xc9/0x150
+ ? __x64_sys_read+0x50/0x50
+ ? __bpf_trace_x86_fpu+0x10/0x10
+ __x64_sys_setsockopt+0x61/0x70
+ do_syscall_64+0xc5/0x520
+ ? vmacache_find+0xc0/0x110
+ ? syscall_return_slowpath+0x110/0x110
+ ? handle_mm_fault+0xb4/0x110
+ ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
+ ? trace_hardirqs_off_caller+0x4b/0x120
+ ? trace_hardirqs_off_thunk+0x1a/0x3a
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f2e5e7cdcce
+Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b1 66 2e 0f 1f 84 00 00 00 00 00
+0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 8b 0d 8a 11 0c 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffed011b778 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2e5e7cdcce
+RDX: 0000000000000019 RSI: 0000000000000006 RDI: 0000000000000007
+RBP: 00007ffed011b790 R08: 0000000000000004 R09: 00007f2e5e84ee80
+R10: 00007ffed011b788 R11: 0000000000000206 R12: 00007ffed011b78c
+R13: 00007ffed011b788 R14: 0000000000000007 R15: 0000000000000068
+==================================================================
+
+Restore the saved sk_write_space callback when psock is being dropped to
+fix the crash.
+
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skmsg.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index 178a3933a71b..50ced8aba9db 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -351,6 +351,8 @@ static inline void sk_psock_update_proto(struct sock *sk,
+ static inline void sk_psock_restore_proto(struct sock *sk,
+ struct sk_psock *psock)
+ {
++ sk->sk_write_space = psock->saved_write_space;
++
+ if (psock->sk_proto) {
+ sk->sk_prot = psock->sk_proto;
+ psock->sk_proto = NULL;
+--
+2.20.1
+
--- /dev/null
+From 5613a2490ce70f13436c2bcb6efd69cd94fd12f5 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Fri, 14 Jun 2019 15:43:28 -0700
+Subject: bpf, x64: fix stack layout of JITed bpf code
+
+[ Upstream commit fe8d9571dc50232b569242fac7ea6332a654f186 ]
+
+Since commit 177366bf7ceb the %rbp stopped pointing to %rbp of the
+previous stack frame. That broke frame pointer based stack unwinding.
+This commit is a partial revert of it.
+Note that the location of tail_call_cnt is fixed, since the verifier
+enforces MAX_BPF_STACK stack size for programs with tail calls.
+
+Fixes: 177366bf7ceb ("bpf: change x86 JITed program stack layout")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 74 +++++++++++--------------------------
+ 1 file changed, 21 insertions(+), 53 deletions(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index afabf597c855..d88bc0935886 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -190,9 +190,7 @@ struct jit_context {
+ #define BPF_MAX_INSN_SIZE 128
+ #define BPF_INSN_SAFETY 64
+
+-#define AUX_STACK_SPACE 40 /* Space for RBX, R13, R14, R15, tailcnt */
+-
+-#define PROLOGUE_SIZE 37
++#define PROLOGUE_SIZE 20
+
+ /*
+ * Emit x86-64 prologue code for BPF program and check its size.
+@@ -203,44 +201,19 @@ static void emit_prologue(u8 **pprog, u32 stack_depth, bool ebpf_from_cbpf)
+ u8 *prog = *pprog;
+ int cnt = 0;
+
+- /* push rbp */
+- EMIT1(0x55);
+-
+- /* mov rbp,rsp */
+- EMIT3(0x48, 0x89, 0xE5);
+-
+- /* sub rsp, rounded_stack_depth + AUX_STACK_SPACE */
+- EMIT3_off32(0x48, 0x81, 0xEC,
+- round_up(stack_depth, 8) + AUX_STACK_SPACE);
+-
+- /* sub rbp, AUX_STACK_SPACE */
+- EMIT4(0x48, 0x83, 0xED, AUX_STACK_SPACE);
+-
+- /* mov qword ptr [rbp+0],rbx */
+- EMIT4(0x48, 0x89, 0x5D, 0);
+- /* mov qword ptr [rbp+8],r13 */
+- EMIT4(0x4C, 0x89, 0x6D, 8);
+- /* mov qword ptr [rbp+16],r14 */
+- EMIT4(0x4C, 0x89, 0x75, 16);
+- /* mov qword ptr [rbp+24],r15 */
+- EMIT4(0x4C, 0x89, 0x7D, 24);
+-
++ EMIT1(0x55); /* push rbp */
++ EMIT3(0x48, 0x89, 0xE5); /* mov rbp, rsp */
++ /* sub rsp, rounded_stack_depth */
++ EMIT3_off32(0x48, 0x81, 0xEC, round_up(stack_depth, 8));
++ EMIT1(0x53); /* push rbx */
++ EMIT2(0x41, 0x55); /* push r13 */
++ EMIT2(0x41, 0x56); /* push r14 */
++ EMIT2(0x41, 0x57); /* push r15 */
+ if (!ebpf_from_cbpf) {
+- /*
+- * Clear the tail call counter (tail_call_cnt): for eBPF tail
+- * calls we need to reset the counter to 0. It's done in two
+- * instructions, resetting RAX register to 0, and moving it
+- * to the counter location.
+- */
+-
+- /* xor eax, eax */
+- EMIT2(0x31, 0xc0);
+- /* mov qword ptr [rbp+32], rax */
+- EMIT4(0x48, 0x89, 0x45, 32);
+-
++ /* zero init tail_call_cnt */
++ EMIT2(0x6a, 0x00);
+ BUILD_BUG_ON(cnt != PROLOGUE_SIZE);
+ }
+-
+ *pprog = prog;
+ }
+
+@@ -285,13 +258,13 @@ static void emit_bpf_tail_call(u8 **pprog)
+ * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
+ * goto out;
+ */
+- EMIT2_off32(0x8B, 0x85, 36); /* mov eax, dword ptr [rbp + 36] */
++ EMIT2_off32(0x8B, 0x85, -36 - MAX_BPF_STACK); /* mov eax, dword ptr [rbp - 548] */
+ EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */
+ #define OFFSET2 (30 + RETPOLINE_RAX_BPF_JIT_SIZE)
+ EMIT2(X86_JA, OFFSET2); /* ja out */
+ label2 = cnt;
+ EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */
+- EMIT2_off32(0x89, 0x85, 36); /* mov dword ptr [rbp + 36], eax */
++ EMIT2_off32(0x89, 0x85, -36 - MAX_BPF_STACK); /* mov dword ptr [rbp -548], eax */
+
+ /* prog = array->ptrs[index]; */
+ EMIT4_off32(0x48, 0x8B, 0x84, 0xD6, /* mov rax, [rsi + rdx * 8 + offsetof(...)] */
+@@ -1040,19 +1013,14 @@ xadd: if (is_imm8(insn->off))
+ seen_exit = true;
+ /* Update cleanup_addr */
+ ctx->cleanup_addr = proglen;
+- /* mov rbx, qword ptr [rbp+0] */
+- EMIT4(0x48, 0x8B, 0x5D, 0);
+- /* mov r13, qword ptr [rbp+8] */
+- EMIT4(0x4C, 0x8B, 0x6D, 8);
+- /* mov r14, qword ptr [rbp+16] */
+- EMIT4(0x4C, 0x8B, 0x75, 16);
+- /* mov r15, qword ptr [rbp+24] */
+- EMIT4(0x4C, 0x8B, 0x7D, 24);
+-
+- /* add rbp, AUX_STACK_SPACE */
+- EMIT4(0x48, 0x83, 0xC5, AUX_STACK_SPACE);
+- EMIT1(0xC9); /* leave */
+- EMIT1(0xC3); /* ret */
++ if (!bpf_prog_was_classic(bpf_prog))
++ EMIT1(0x5B); /* get rid of tail_call_cnt */
++ EMIT2(0x41, 0x5F); /* pop r15 */
++ EMIT2(0x41, 0x5E); /* pop r14 */
++ EMIT2(0x41, 0x5D); /* pop r13 */
++ EMIT1(0x5B); /* pop rbx */
++ EMIT1(0xC9); /* leave */
++ EMIT1(0xC3); /* ret */
+ break;
+
+ default:
+--
+2.20.1
+
--- /dev/null
+From 94cea6e8278cca4d8021789e11e2ce55b20a98f8 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 16 May 2019 22:36:26 +0800
+Subject: can: af_can: Fix error path of can_init()
+
+[ Upstream commit c5a3aed1cd3152429348ee1fe5cdcca65fe901ce ]
+
+This patch add error path for can_init() to avoid possible crash if some
+error occurs.
+
+Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/af_can.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index e386d654116d..04132b0b5d36 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -959,6 +959,8 @@ static struct pernet_operations can_pernet_ops __read_mostly = {
+
+ static __init int can_init(void)
+ {
++ int err;
++
+ /* check for correct padding to be able to use the structs similarly */
+ BUILD_BUG_ON(offsetof(struct can_frame, can_dlc) !=
+ offsetof(struct canfd_frame, len) ||
+@@ -972,15 +974,31 @@ static __init int can_init(void)
+ if (!rcv_cache)
+ return -ENOMEM;
+
+- register_pernet_subsys(&can_pernet_ops);
++ err = register_pernet_subsys(&can_pernet_ops);
++ if (err)
++ goto out_pernet;
+
+ /* protocol register */
+- sock_register(&can_family_ops);
+- register_netdevice_notifier(&can_netdev_notifier);
++ err = sock_register(&can_family_ops);
++ if (err)
++ goto out_sock;
++ err = register_netdevice_notifier(&can_netdev_notifier);
++ if (err)
++ goto out_notifier;
++
+ dev_add_pack(&can_packet);
+ dev_add_pack(&canfd_packet);
+
+ return 0;
++
++out_notifier:
++ sock_unregister(PF_CAN);
++out_sock:
++ unregister_pernet_subsys(&can_pernet_ops);
++out_pernet:
++ kmem_cache_destroy(rcv_cache);
++
++ return err;
+ }
+
+ static __exit void can_exit(void)
+--
+2.20.1
+
--- /dev/null
+From dde5cc2a5fecc401201c123bc5c333ded2b6d059 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Tue, 4 Jun 2019 15:49:42 -0300
+Subject: can: flexcan: Remove unneeded registration message
+
+[ Upstream commit eb503004a7e563d543c9cb869907156de7efe720 ]
+
+Currently the following message is observed when the flexcan
+driver is probed:
+
+flexcan 2090000.flexcan: device registered (reg_base=(ptrval), irq=23)
+
+The reason for printing 'ptrval' is explained at
+Documentation/core-api/printk-formats.rst:
+
+"Pointers printed without a specifier extension (i.e unadorned %p) are
+hashed to prevent leaking information about the kernel memory layout. This
+has the added benefit of providing a unique identifier. On 64-bit machines
+the first 32 bits are zeroed. The kernel will print ``(ptrval)`` until it
+gathers enough entropy."
+
+Instead of passing %pK, which can print the correct address, simply
+remove the entire message as it is not really that useful.
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index f97c628eb2ad..f2fe344593d5 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1583,9 +1583,6 @@ static int flexcan_probe(struct platform_device *pdev)
+ dev_dbg(&pdev->dev, "failed to setup stop-mode\n");
+ }
+
+- dev_info(&pdev->dev, "device registered (reg_base=%p, irq=%d)\n",
+- priv->regs, dev->irq);
+-
+ return 0;
+
+ failed_register:
+--
+2.20.1
+
--- /dev/null
+From 4f5f6fcc59134873ae90f8d2244c7c890c21060a Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 4 Mar 2019 14:44:13 +0000
+Subject: can: m_can: implement errata "Needless activation of MRAF irq"
+
+[ Upstream commit 3e82f2f34c930a2a0a9e69fdc2de2f2f1388b442 ]
+
+During frame reception while the MCAN is in Error Passive state and the
+Receive Error Counter has thevalue MCAN_ECR.REC = 127, it may happen
+that MCAN_IR.MRAF is set although there was no Message RAM access
+failure. If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is
+generated.
+
+Work around:
+The Message RAM Access Failure interrupt routine needs to check whether
+
+ MCAN_ECR.RP = '1' and MCAN_ECR.REC = '127'.
+
+In this case, reset MCAN_IR.MRAF. No further action is required.
+This affects versions older than 3.2.0
+
+Errata explained on Sama5d2 SoC which includes this hardware block:
+http://ww1.microchip.com/downloads/en/DeviceDoc/SAMA5D2-Family-Silicon-Errata-and-Data-Sheet-Clarification-DS80000803B.pdf
+chapter 6.2
+
+Reproducibility: If 2 devices with m_can are connected back to back,
+configuring different bitrate on them will lead to interrupt storm on
+the receiving side, with error "Message RAM access failure occurred".
+Another way is to have a bad hardware connection. Bad wire connection
+can lead to this issue as well.
+
+This patch fixes the issue according to provided workaround.
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Reviewed-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index 9b449400376b..deb274a19ba0 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -822,6 +822,27 @@ static int m_can_poll(struct napi_struct *napi, int quota)
+ if (!irqstatus)
+ goto end;
+
++ /* Errata workaround for issue "Needless activation of MRAF irq"
++ * During frame reception while the MCAN is in Error Passive state
++ * and the Receive Error Counter has the value MCAN_ECR.REC = 127,
++ * it may happen that MCAN_IR.MRAF is set although there was no
++ * Message RAM access failure.
++ * If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is generated
++ * The Message RAM Access Failure interrupt routine needs to check
++ * whether MCAN_ECR.RP = ’1’ and MCAN_ECR.REC = 127.
++ * In this case, reset MCAN_IR.MRAF. No further action is required.
++ */
++ if ((priv->version <= 31) && (irqstatus & IR_MRAF) &&
++ (m_can_read(priv, M_CAN_ECR) & ECR_RP)) {
++ struct can_berr_counter bec;
++
++ __m_can_get_berr_counter(dev, &bec);
++ if (bec.rxerr == 127) {
++ m_can_write(priv, M_CAN_IR, IR_MRAF);
++ irqstatus &= ~IR_MRAF;
++ }
++ }
++
+ psr = m_can_read(priv, M_CAN_PSR);
+ if (irqstatus & IR_ERR_STATE)
+ work_done += m_can_handle_state_errors(dev, psr);
+--
+2.20.1
+
--- /dev/null
+From 0bd41a538f4de86dca84ebf901b1360eba9ae77f Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 7 May 2019 11:34:36 +0200
+Subject: can: mcp251x: add support for mcp25625
+
+[ Upstream commit 35b7fa4d07c43ad79b88e6462119e7140eae955c ]
+
+Fully compatible with mcp2515, the mcp25625 have integrated transceiver.
+
+This patch adds support for the mcp25625 to the existing mcp251x driver.
+
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/Kconfig | 5 +++--
+ drivers/net/can/spi/mcp251x.c | 25 ++++++++++++++++---------
+ 2 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/can/spi/Kconfig b/drivers/net/can/spi/Kconfig
+index 8f2e0dd7b756..792e9c6c4a2f 100644
+--- a/drivers/net/can/spi/Kconfig
++++ b/drivers/net/can/spi/Kconfig
+@@ -8,9 +8,10 @@ config CAN_HI311X
+ Driver for the Holt HI311x SPI CAN controllers.
+
+ config CAN_MCP251X
+- tristate "Microchip MCP251x SPI CAN controllers"
++ tristate "Microchip MCP251x and MCP25625 SPI CAN controllers"
+ depends on HAS_DMA
+ ---help---
+- Driver for the Microchip MCP251x SPI CAN controllers.
++ Driver for the Microchip MCP251x and MCP25625 SPI CAN
++ controllers.
+
+ endmenu
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index e90817608645..da64e71a62ee 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1,5 +1,5 @@
+ /*
+- * CAN bus driver for Microchip 251x CAN Controller with SPI Interface
++ * CAN bus driver for Microchip 251x/25625 CAN Controller with SPI Interface
+ *
+ * MCP2510 support and bug fixes by Christian Pellegrin
+ * <chripell@evolware.org>
+@@ -41,7 +41,7 @@
+ * static struct spi_board_info spi_board_info[] = {
+ * {
+ * .modalias = "mcp2510",
+- * // or "mcp2515" depending on your controller
++ * // "mcp2515" or "mcp25625" depending on your controller
+ * .platform_data = &mcp251x_info,
+ * .irq = IRQ_EINT13,
+ * .max_speed_hz = 2*1000*1000,
+@@ -238,6 +238,7 @@ static const struct can_bittiming_const mcp251x_bittiming_const = {
+ enum mcp251x_model {
+ CAN_MCP251X_MCP2510 = 0x2510,
+ CAN_MCP251X_MCP2515 = 0x2515,
++ CAN_MCP251X_MCP25625 = 0x25625,
+ };
+
+ struct mcp251x_priv {
+@@ -280,7 +281,6 @@ static inline int mcp251x_is_##_model(struct spi_device *spi) \
+ }
+
+ MCP251X_IS(2510);
+-MCP251X_IS(2515);
+
+ static void mcp251x_clean(struct net_device *net)
+ {
+@@ -639,7 +639,7 @@ static int mcp251x_hw_reset(struct spi_device *spi)
+
+ /* Wait for oscillator startup timer after reset */
+ mdelay(MCP251X_OST_DELAY_MS);
+-
++
+ reg = mcp251x_read_reg(spi, CANSTAT);
+ if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF)
+ return -ENODEV;
+@@ -820,9 +820,8 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id)
+ /* receive buffer 0 */
+ if (intf & CANINTF_RX0IF) {
+ mcp251x_hw_rx(spi, 0);
+- /*
+- * Free one buffer ASAP
+- * (The MCP2515 does this automatically.)
++ /* Free one buffer ASAP
++ * (The MCP2515/25625 does this automatically.)
+ */
+ if (mcp251x_is_2510(spi))
+ mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00);
+@@ -831,7 +830,7 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id)
+ /* receive buffer 1 */
+ if (intf & CANINTF_RX1IF) {
+ mcp251x_hw_rx(spi, 1);
+- /* the MCP2515 does this automatically */
++ /* The MCP2515/25625 does this automatically. */
+ if (mcp251x_is_2510(spi))
+ clear_intf |= CANINTF_RX1IF;
+ }
+@@ -1006,6 +1005,10 @@ static const struct of_device_id mcp251x_of_match[] = {
+ .compatible = "microchip,mcp2515",
+ .data = (void *)CAN_MCP251X_MCP2515,
+ },
++ {
++ .compatible = "microchip,mcp25625",
++ .data = (void *)CAN_MCP251X_MCP25625,
++ },
+ { }
+ };
+ MODULE_DEVICE_TABLE(of, mcp251x_of_match);
+@@ -1019,6 +1022,10 @@ static const struct spi_device_id mcp251x_id_table[] = {
+ .name = "mcp2515",
+ .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP2515,
+ },
++ {
++ .name = "mcp25625",
++ .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP25625,
++ },
+ { }
+ };
+ MODULE_DEVICE_TABLE(spi, mcp251x_id_table);
+@@ -1259,5 +1266,5 @@ module_spi_driver(mcp251x_can_driver);
+
+ MODULE_AUTHOR("Chris Elston <celston@katalix.com>, "
+ "Christian Pellegrin <chripell@evolware.org>");
+-MODULE_DESCRIPTION("Microchip 251x CAN driver");
++MODULE_DESCRIPTION("Microchip 251x/25625 CAN driver");
+ MODULE_LICENSE("GPL v2");
+--
+2.20.1
+
--- /dev/null
+From 6a9f71859ab3bccf137dc23bf76af3d0acf67214 Mon Sep 17 00:00:00 2001
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Wed, 29 May 2019 15:25:28 +0300
+Subject: cfg80211: report measurement start TSF correctly
+
+[ Upstream commit b65842025335711e2a0259feb4dbadb0c9ffb6d9 ]
+
+Instead of reporting the AP's TSF, host time was reported. Fix it.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index 5e2ab01d325c..d06d514f0bba 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -1,6 +1,6 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ /*
+- * Copyright (C) 2018 Intel Corporation
++ * Copyright (C) 2018 - 2019 Intel Corporation
+ */
+ #ifndef __PMSR_H
+ #define __PMSR_H
+@@ -446,7 +446,7 @@ static int nl80211_pmsr_send_result(struct sk_buff *msg,
+
+ if (res->ap_tsf_valid &&
+ nla_put_u64_64bit(msg, NL80211_PMSR_RESP_ATTR_AP_TSF,
+- res->host_time, NL80211_PMSR_RESP_ATTR_PAD))
++ res->ap_tsf, NL80211_PMSR_RESP_ATTR_PAD))
+ goto error;
+
+ if (res->final && nla_put_flag(msg, NL80211_PMSR_RESP_ATTR_FINAL))
+--
+2.20.1
+
--- /dev/null
+From 4bca654580165c5bd8c9d07206616ef9dbed961a Mon Sep 17 00:00:00 2001
+From: Mordechay Goodstein <mordechay.goodstein@intel.com>
+Date: Wed, 29 May 2019 15:25:31 +0300
+Subject: cfg80211: util: fix bit count off by one
+
+[ Upstream commit 1a473d6092d5d182914bea854ce0b21e6d12519d ]
+
+The bits of Rx MCS Map in VHT capability were enumerated
+with index transform - index i -> (i + 1) bit => nss i. BUG!
+while it should be - index i -> (i + 1) bit => (i + 1) nss.
+
+The bug was exposed in commit a53b2a0b1245 ("iwlwifi: mvm: implement VHT
+extended NSS support in rs.c"), where iwlwifi started using the
+function.
+
+Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
+Fixes: b0aa75f0b1b2 ("ieee80211: add new VHT capability fields/parsing")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 5a03f38788e7..5ac66a571e33 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1989,7 +1989,7 @@ int ieee80211_get_vht_max_nss(struct ieee80211_vht_cap *cap,
+ continue;
+
+ if (supp >= mcs_encoding) {
+- max_vht_nss = i;
++ max_vht_nss = i + 1;
+ break;
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 5b750156b86f5a5e639e2a34dc5d9197eae6b990 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 18 Jun 2019 16:18:43 +0300
+Subject: drm: return -EFAULT if copy_to_user() fails
+
+[ Upstream commit 74b67efa8d7b4f90137f0ab9a80dd319da050350 ]
+
+The copy_from_user() function returns the number of bytes remaining
+to be copied but we want to return a negative error code. Otherwise
+the callers treat it as a successful copy.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190618131843.GA29463@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_bufs.c | 5 ++++-
+ drivers/gpu/drm/drm_ioc32.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
+index e407adb033e7..4fbc34425570 100644
+--- a/drivers/gpu/drm/drm_bufs.c
++++ b/drivers/gpu/drm/drm_bufs.c
+@@ -1332,7 +1332,10 @@ static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
+ .size = from->buf_size,
+ .low_mark = from->low_mark,
+ .high_mark = from->high_mark};
+- return copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags));
++
++ if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)))
++ return -EFAULT;
++ return 0;
+ }
+
+ int drm_legacy_infobufs(struct drm_device *dev, void *data,
+diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
+index 0e3043e08c69..f8672238d444 100644
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -372,7 +372,10 @@ static int copy_one_buf32(void *data, int count, struct drm_buf_entry *from)
+ .size = from->buf_size,
+ .low_mark = from->low_mark,
+ .high_mark = from->high_mark};
+- return copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags));
++
++ if (copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags)))
++ return -EFAULT;
++ return 0;
+ }
+
+ static int drm_legacy_infobufs32(struct drm_device *dev, void *data,
+--
+2.20.1
+
--- /dev/null
+From 17d1da9a70adc53373adfd3daf00055b2c28c579 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 3 Jun 2019 16:44:15 -0400
+Subject: drm/vmwgfx: fix a warning due to missing dma_parms
+
+[ Upstream commit 39916897cd815a0ee07ba1f6820cf88a63e459fc ]
+
+Booting up with DMA_API_DEBUG_SG=y generates a warning due to the driver
+forgot to set dma_parms appropriately. Set it just after vmw_dma_masks()
+in vmw_driver_load().
+
+DMA-API: vmwgfx 0000:00:0f.0: mapping sg segment longer than device
+claims to support [len=2097152] [max=65536]
+WARNING: CPU: 2 PID: 261 at kernel/dma/debug.c:1232
+debug_dma_map_sg+0x360/0x480
+Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
+Reference Platform, BIOS 6.00 04/13/2018
+RIP: 0010:debug_dma_map_sg+0x360/0x480
+Call Trace:
+ vmw_ttm_map_dma+0x3b1/0x5b0 [vmwgfx]
+ vmw_bo_map_dma+0x25/0x30 [vmwgfx]
+ vmw_otables_setup+0x2a8/0x750 [vmwgfx]
+ vmw_request_device_late+0x78/0xc0 [vmwgfx]
+ vmw_request_device+0xee/0x4e0 [vmwgfx]
+ vmw_driver_load.cold+0x757/0xd84 [vmwgfx]
+ drm_dev_register+0x1ff/0x340 [drm]
+ drm_get_pci_dev+0x110/0x290 [drm]
+ vmw_probe+0x15/0x20 [vmwgfx]
+ local_pci_probe+0x7a/0xc0
+ pci_device_probe+0x1b9/0x290
+ really_probe+0x1b5/0x630
+ driver_probe_device+0xa3/0x1a0
+ device_driver_attach+0x94/0xa0
+ __driver_attach+0xdd/0x1c0
+ bus_for_each_dev+0xfe/0x150
+ driver_attach+0x2d/0x40
+ bus_add_driver+0x290/0x350
+ driver_register+0xdc/0x1d0
+ __pci_register_driver+0xda/0xf0
+ vmwgfx_init+0x34/0x1000 [vmwgfx]
+ do_one_initcall+0xe5/0x40a
+ do_init_module+0x10f/0x3a0
+ load_module+0x16a5/0x1a40
+ __se_sys_finit_module+0x183/0x1c0
+ __x64_sys_finit_module+0x43/0x50
+ do_syscall_64+0xc8/0x606
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU")
+Co-developed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index 9d2e1ce5c0a6..b77374ea3825 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -747,6 +747,9 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset)
+ if (unlikely(ret != 0))
+ goto out_err0;
+
++ dma_set_max_seg_size(dev->dev, min_t(unsigned int, U32_MAX & PAGE_MASK,
++ SCATTERLIST_MAX_SEGMENT));
++
+ if (dev_priv->capabilities & SVGA_CAP_GMR2) {
+ DRM_INFO("Max GMR ids is %u\n",
+ (unsigned)dev_priv->max_gmr_ids);
+--
+2.20.1
+
--- /dev/null
+From 345485f167df4c55cf5dfe99e0eb160502c5da8f Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Tue, 4 Jun 2019 13:54:26 +0200
+Subject: drm/vmwgfx: Honor the sg list segment size limitation
+
+[ Upstream commit bde15555ba61c7f664f40fd3c6fdbdb63f784c9b ]
+
+When building sg tables, honor the device sg list segment size limitation.
+
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Deepak Rawat <drawat@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c
+index a3357ff7540d..97adee1f0575 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c
+@@ -454,11 +454,11 @@ static int vmw_ttm_map_dma(struct vmw_ttm_tt *vmw_tt)
+ if (unlikely(ret != 0))
+ return ret;
+
+- ret = sg_alloc_table_from_pages(&vmw_tt->sgt, vsgt->pages,
+- vsgt->num_pages, 0,
+- (unsigned long)
+- vsgt->num_pages << PAGE_SHIFT,
+- GFP_KERNEL);
++ ret = __sg_alloc_table_from_pages
++ (&vmw_tt->sgt, vsgt->pages, vsgt->num_pages, 0,
++ (unsigned long) vsgt->num_pages << PAGE_SHIFT,
++ dma_get_max_seg_size(dev_priv->dev->dev),
++ GFP_KERNEL);
+ if (unlikely(ret != 0))
+ goto out_sg_alloc_fail;
+
+--
+2.20.1
+
--- /dev/null
+From 31d80fc0225e5093b4a75b6abb95964e3f195da3 Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 7 May 2019 11:34:37 +0200
+Subject: dt-bindings: can: mcp251x: add mcp25625 support
+
+[ Upstream commit 0df82dcd55832a99363ab7f9fab954fcacdac3ae ]
+
+Fully compatible with mcp2515, the mcp25625 have integrated transceiver.
+
+This patch add the mcp25625 to the device tree bindings documentation.
+
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
+index 188c8bd4eb67..5a0111d4de58 100644
+--- a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
++++ b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
+@@ -4,6 +4,7 @@ Required properties:
+ - compatible: Should be one of the following:
+ - "microchip,mcp2510" for MCP2510.
+ - "microchip,mcp2515" for MCP2515.
++ - "microchip,mcp25625" for MCP25625.
+ - reg: SPI chip select.
+ - clocks: The clock feeding the CAN controller.
+ - interrupts: Should contain IRQ line for the CAN controller.
+--
+2.20.1
+
--- /dev/null
+From 1a9db80f6965245d6d61579b6651e5c800a8c7b9 Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 11 Jun 2019 18:16:57 -0700
+Subject: gpu: ipu-v3: image-convert: Fix image downsize coefficients
+
+[ Upstream commit 912bbf7e9ca422099935dd69d3ff0fd62db24882 ]
+
+The output of the IC downsizer unit in both dimensions must be <= 1024
+before being passed to the IC resizer unit. This was causing corrupted
+images when:
+
+input_dim > 1024, and
+input_dim / 2 < output_dim < input_dim
+
+Some broken examples were 1920x1080 -> 1024x768 and 1920x1080 ->
+1280x1080.
+
+Fixes: 70b9b6b3bcb21 ("gpu: ipu-v3: image-convert: calculate per-tile
+resize coefficients")
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-image-convert.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c
+index 19d3b85e0e98..e9803e2151f9 100644
+--- a/drivers/gpu/ipu-v3/ipu-image-convert.c
++++ b/drivers/gpu/ipu-v3/ipu-image-convert.c
+@@ -409,12 +409,14 @@ static int calc_image_resize_coefficients(struct ipu_image_convert_ctx *ctx,
+ if (WARN_ON(resized_width == 0 || resized_height == 0))
+ return -EINVAL;
+
+- while (downsized_width >= resized_width * 2) {
++ while (downsized_width > 1024 ||
++ downsized_width >= resized_width * 2) {
+ downsized_width >>= 1;
+ downsize_coeff_h++;
+ }
+
+- while (downsized_height >= resized_height * 2) {
++ while (downsized_height > 1024 ||
++ downsized_height >= resized_height * 2) {
+ downsized_height >>= 1;
+ downsize_coeff_v++;
+ }
+--
+2.20.1
+
--- /dev/null
+From 82a91921cd75f15b9d471a67b8f88b09746e451f Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 11 Jun 2019 18:16:56 -0700
+Subject: gpu: ipu-v3: image-convert: Fix input bytesperline for packed formats
+
+[ Upstream commit bca4d70cf1b8f6478a711c448a3a1e47b794b162 ]
+
+The input bytesperline calculation for packed pixel formats was
+incorrect. The min/max clamping values must be multiplied by the
+packed bits-per-pixel. This was causing corrupted converted images
+when the input format was RGB4 (probably also other input packed
+formats).
+
+Fixes: d966e23d61a2c ("gpu: ipu-v3: image-convert: fix bytesperline
+adjustment")
+
+Reported-by: Harsha Manjula Mallikarjun <Harsha.ManjulaMallikarjun@in.bosch.com>
+Suggested-by: Harsha Manjula Mallikarjun <Harsha.ManjulaMallikarjun@in.bosch.com>
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-image-convert.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c
+index 0d971985f8c9..19d3b85e0e98 100644
+--- a/drivers/gpu/ipu-v3/ipu-image-convert.c
++++ b/drivers/gpu/ipu-v3/ipu-image-convert.c
+@@ -1942,7 +1942,9 @@ void ipu_image_convert_adjust(struct ipu_image *in, struct ipu_image *out,
+ clamp_align(in->pix.width, 2 << w_align_in, MAX_W,
+ w_align_in) :
+ clamp_align((in->pix.width * infmt->bpp) >> 3,
+- 2 << w_align_in, MAX_W, w_align_in);
++ ((2 << w_align_in) * infmt->bpp) >> 3,
++ (MAX_W * infmt->bpp) >> 3,
++ w_align_in);
+ in->pix.sizeimage = infmt->planar ?
+ (in->pix.height * in->pix.bytesperline * infmt->bpp) >> 3 :
+ in->pix.height * in->pix.bytesperline;
+--
+2.20.1
+
--- /dev/null
+From 286d250d66e1f63f4c72173c2d4bad25ff1a6b29 Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 11 Jun 2019 18:16:55 -0700
+Subject: gpu: ipu-v3: image-convert: Fix input bytesperline width/height align
+
+[ Upstream commit ff391ecd65a1b8324c49046c3db98d9c8ab29af9 ]
+
+The output width and height alignment values were being used in the
+input bytesperline calculation. Fix by separating local vars w_align
+and h_align into w_align_in, h_align_in, w_align_out, and h_align_out.
+
+Fixes: d966e23d61a2c ("gpu: ipu-v3: image-convert: fix bytesperline
+adjustment")
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-image-convert.c | 32 +++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c
+index 13103ab86050..0d971985f8c9 100644
+--- a/drivers/gpu/ipu-v3/ipu-image-convert.c
++++ b/drivers/gpu/ipu-v3/ipu-image-convert.c
+@@ -1885,7 +1885,8 @@ void ipu_image_convert_adjust(struct ipu_image *in, struct ipu_image *out,
+ enum ipu_rotate_mode rot_mode)
+ {
+ const struct ipu_image_pixfmt *infmt, *outfmt;
+- u32 w_align, h_align;
++ u32 w_align_out, h_align_out;
++ u32 w_align_in, h_align_in;
+
+ infmt = get_format(in->pix.pixelformat);
+ outfmt = get_format(out->pix.pixelformat);
+@@ -1917,22 +1918,31 @@ void ipu_image_convert_adjust(struct ipu_image *in, struct ipu_image *out,
+ }
+
+ /* align input width/height */
+- w_align = ilog2(tile_width_align(IMAGE_CONVERT_IN, infmt, rot_mode));
+- h_align = ilog2(tile_height_align(IMAGE_CONVERT_IN, infmt, rot_mode));
+- in->pix.width = clamp_align(in->pix.width, MIN_W, MAX_W, w_align);
+- in->pix.height = clamp_align(in->pix.height, MIN_H, MAX_H, h_align);
++ w_align_in = ilog2(tile_width_align(IMAGE_CONVERT_IN, infmt,
++ rot_mode));
++ h_align_in = ilog2(tile_height_align(IMAGE_CONVERT_IN, infmt,
++ rot_mode));
++ in->pix.width = clamp_align(in->pix.width, MIN_W, MAX_W,
++ w_align_in);
++ in->pix.height = clamp_align(in->pix.height, MIN_H, MAX_H,
++ h_align_in);
+
+ /* align output width/height */
+- w_align = ilog2(tile_width_align(IMAGE_CONVERT_OUT, outfmt, rot_mode));
+- h_align = ilog2(tile_height_align(IMAGE_CONVERT_OUT, outfmt, rot_mode));
+- out->pix.width = clamp_align(out->pix.width, MIN_W, MAX_W, w_align);
+- out->pix.height = clamp_align(out->pix.height, MIN_H, MAX_H, h_align);
++ w_align_out = ilog2(tile_width_align(IMAGE_CONVERT_OUT, outfmt,
++ rot_mode));
++ h_align_out = ilog2(tile_height_align(IMAGE_CONVERT_OUT, outfmt,
++ rot_mode));
++ out->pix.width = clamp_align(out->pix.width, MIN_W, MAX_W,
++ w_align_out);
++ out->pix.height = clamp_align(out->pix.height, MIN_H, MAX_H,
++ h_align_out);
+
+ /* set input/output strides and image sizes */
+ in->pix.bytesperline = infmt->planar ?
+- clamp_align(in->pix.width, 2 << w_align, MAX_W, w_align) :
++ clamp_align(in->pix.width, 2 << w_align_in, MAX_W,
++ w_align_in) :
+ clamp_align((in->pix.width * infmt->bpp) >> 3,
+- 2 << w_align, MAX_W, w_align);
++ 2 << w_align_in, MAX_W, w_align_in);
+ in->pix.sizeimage = infmt->planar ?
+ (in->pix.height * in->pix.bytesperline * infmt->bpp) >> 3 :
+ in->pix.height * in->pix.bytesperline;
+--
+2.20.1
+
--- /dev/null
+From c756d42cf5c1cff7b923fb7e022311a15f9f3dee Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:38 -0400
+Subject: IB/hfi1: Create inline to get extended headers
+
+[ Upstream commit 9755f72496664eec70bc804104118b5797b6bf63 ]
+
+This paves the way for another patch that reacts to a
+flush sdma completion for RC.
+
+Fixes: 81cd3891f021 ("IB/hfi1: Add support for 16B Management Packets")
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/hfi.h | 31 +++++++++++++++++++++++++++++++
+ drivers/infiniband/hw/hfi1/rc.c | 21 +--------------------
+ 2 files changed, 32 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/hfi.h b/drivers/infiniband/hw/hfi1/hfi.h
+index 048b5d73ba39..d85b16a3aaaf 100644
+--- a/drivers/infiniband/hw/hfi1/hfi.h
++++ b/drivers/infiniband/hw/hfi1/hfi.h
+@@ -539,6 +539,37 @@ static inline void hfi1_16B_set_qpn(struct opa_16b_mgmt *mgmt,
+ mgmt->src_qpn = cpu_to_be32(src_qp & OPA_16B_MGMT_QPN_MASK);
+ }
+
++/**
++ * hfi1_get_rc_ohdr - get extended header
++ * @opah - the opaheader
++ */
++static inline struct ib_other_headers *
++hfi1_get_rc_ohdr(struct hfi1_opa_header *opah)
++{
++ struct ib_other_headers *ohdr;
++ struct ib_header *hdr = NULL;
++ struct hfi1_16b_header *hdr_16b = NULL;
++
++ /* Find out where the BTH is */
++ if (opah->hdr_type == HFI1_PKT_TYPE_9B) {
++ hdr = &opah->ibh;
++ if (ib_get_lnh(hdr) == HFI1_LRH_BTH)
++ ohdr = &hdr->u.oth;
++ else
++ ohdr = &hdr->u.l.oth;
++ } else {
++ u8 l4;
++
++ hdr_16b = &opah->opah;
++ l4 = hfi1_16B_get_l4(hdr_16b);
++ if (l4 == OPA_16B_L4_IB_LOCAL)
++ ohdr = &hdr_16b->u.oth;
++ else
++ ohdr = &hdr_16b->u.l.oth;
++ }
++ return ohdr;
++}
++
+ struct rvt_sge_state;
+
+ /*
+diff --git a/drivers/infiniband/hw/hfi1/rc.c b/drivers/infiniband/hw/hfi1/rc.c
+index 5991211d72bd..82f101878e33 100644
+--- a/drivers/infiniband/hw/hfi1/rc.c
++++ b/drivers/infiniband/hw/hfi1/rc.c
+@@ -1711,8 +1711,6 @@ void hfi1_rc_send_complete(struct rvt_qp *qp, struct hfi1_opa_header *opah)
+ struct ib_other_headers *ohdr;
+ struct hfi1_qp_priv *priv = qp->priv;
+ struct rvt_swqe *wqe;
+- struct ib_header *hdr = NULL;
+- struct hfi1_16b_header *hdr_16b = NULL;
+ u32 opcode, head, tail;
+ u32 psn;
+ struct tid_rdma_request *req;
+@@ -1721,24 +1719,7 @@ void hfi1_rc_send_complete(struct rvt_qp *qp, struct hfi1_opa_header *opah)
+ if (!(ib_rvt_state_ops[qp->state] & RVT_SEND_OR_FLUSH_OR_RECV_OK))
+ return;
+
+- /* Find out where the BTH is */
+- if (priv->hdr_type == HFI1_PKT_TYPE_9B) {
+- hdr = &opah->ibh;
+- if (ib_get_lnh(hdr) == HFI1_LRH_BTH)
+- ohdr = &hdr->u.oth;
+- else
+- ohdr = &hdr->u.l.oth;
+- } else {
+- u8 l4;
+-
+- hdr_16b = &opah->opah;
+- l4 = hfi1_16B_get_l4(hdr_16b);
+- if (l4 == OPA_16B_L4_IB_LOCAL)
+- ohdr = &hdr_16b->u.oth;
+- else
+- ohdr = &hdr_16b->u.l.oth;
+- }
+-
++ ohdr = hfi1_get_rc_ohdr(opah);
+ opcode = ib_bth_get_opcode(ohdr);
+ if ((opcode >= OP(RDMA_READ_RESPONSE_FIRST) &&
+ opcode <= OP(ATOMIC_ACKNOWLEDGE)) ||
+--
+2.20.1
+
--- /dev/null
+From 5a8e54cfb33010ec8585c3ccabcec015c0c17e1e Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:33:06 -0400
+Subject: IB/hfi1: Handle port down properly in pio
+
+[ Upstream commit 942a899335707fc9cfc97cb382a60734b2ff4e03 ]
+
+The call to sc_buffer_alloc currently returns NULL (no buffer) or
+a buffer descriptor.
+
+There is a third case when the port is down. Currently that
+returns NULL and this prevents the caller from properly handling the
+sc_buffer_alloc() failure. A verbs code link test after the call is
+racy so the indication needs to come from the state check inside the allocation
+routine to be valid.
+
+Fix by encoding the ECOMM failure like SDMA. IS_ERR_OR_NULL() tests
+are added at all call sites. For verbs send, this needs to treat any
+error by returning a completion without any MMIO copy.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/pio.c | 5 +++--
+ drivers/infiniband/hw/hfi1/rc.c | 2 +-
+ drivers/infiniband/hw/hfi1/ud.c | 4 ++--
+ drivers/infiniband/hw/hfi1/verbs.c | 4 ++--
+ 4 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c
+index 1ee47838d4de..17ea224fbecb 100644
+--- a/drivers/infiniband/hw/hfi1/pio.c
++++ b/drivers/infiniband/hw/hfi1/pio.c
+@@ -1443,7 +1443,8 @@ void sc_stop(struct send_context *sc, int flag)
+ * @cb: optional callback to call when the buffer is finished sending
+ * @arg: argument for cb
+ *
+- * Return a pointer to a PIO buffer if successful, NULL if not enough room.
++ * Return a pointer to a PIO buffer, NULL if not enough room, -ECOMM
++ * when link is down.
+ */
+ struct pio_buf *sc_buffer_alloc(struct send_context *sc, u32 dw_len,
+ pio_release_cb cb, void *arg)
+@@ -1459,7 +1460,7 @@ struct pio_buf *sc_buffer_alloc(struct send_context *sc, u32 dw_len,
+ spin_lock_irqsave(&sc->alloc_lock, flags);
+ if (!(sc->flags & SCF_ENABLED)) {
+ spin_unlock_irqrestore(&sc->alloc_lock, flags);
+- goto done;
++ return ERR_PTR(-ECOMM);
+ }
+
+ retry:
+diff --git a/drivers/infiniband/hw/hfi1/rc.c b/drivers/infiniband/hw/hfi1/rc.c
+index 24cbac277bf0..b7b74222eaf0 100644
+--- a/drivers/infiniband/hw/hfi1/rc.c
++++ b/drivers/infiniband/hw/hfi1/rc.c
+@@ -1434,7 +1434,7 @@ void hfi1_send_rc_ack(struct hfi1_packet *packet, bool is_fecn)
+ pbc = create_pbc(ppd, pbc_flags, qp->srate_mbps,
+ sc_to_vlt(ppd->dd, sc5), plen);
+ pbuf = sc_buffer_alloc(rcd->sc, plen, NULL, NULL);
+- if (!pbuf) {
++ if (IS_ERR_OR_NULL(pbuf)) {
+ /*
+ * We have no room to send at the moment. Pass
+ * responsibility for sending the ACK to the send engine
+diff --git a/drivers/infiniband/hw/hfi1/ud.c b/drivers/infiniband/hw/hfi1/ud.c
+index f88ad425664a..4cb0fce5c096 100644
+--- a/drivers/infiniband/hw/hfi1/ud.c
++++ b/drivers/infiniband/hw/hfi1/ud.c
+@@ -683,7 +683,7 @@ void return_cnp_16B(struct hfi1_ibport *ibp, struct rvt_qp *qp,
+ pbc = create_pbc(ppd, pbc_flags, qp->srate_mbps, vl, plen);
+ if (ctxt) {
+ pbuf = sc_buffer_alloc(ctxt, plen, NULL, NULL);
+- if (pbuf) {
++ if (!IS_ERR_OR_NULL(pbuf)) {
+ trace_pio_output_ibhdr(ppd->dd, &hdr, sc5);
+ ppd->dd->pio_inline_send(ppd->dd, pbuf, pbc,
+ &hdr, hwords);
+@@ -738,7 +738,7 @@ void return_cnp(struct hfi1_ibport *ibp, struct rvt_qp *qp, u32 remote_qpn,
+ pbc = create_pbc(ppd, pbc_flags, qp->srate_mbps, vl, plen);
+ if (ctxt) {
+ pbuf = sc_buffer_alloc(ctxt, plen, NULL, NULL);
+- if (pbuf) {
++ if (!IS_ERR_OR_NULL(pbuf)) {
+ trace_pio_output_ibhdr(ppd->dd, &hdr, sc5);
+ ppd->dd->pio_inline_send(ppd->dd, pbuf, pbc,
+ &hdr, hwords);
+diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
+index 63d62ac7434a..117e73cd69d7 100644
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -1039,10 +1039,10 @@ int hfi1_verbs_send_pio(struct rvt_qp *qp, struct hfi1_pkt_state *ps,
+ if (cb)
+ iowait_pio_inc(&priv->s_iowait);
+ pbuf = sc_buffer_alloc(sc, plen, cb, qp);
+- if (unlikely(!pbuf)) {
++ if (unlikely(IS_ERR_OR_NULL(pbuf))) {
+ if (cb)
+ verbs_pio_complete(qp, 0);
+- if (ppd->host_link_state != HLS_UP_ACTIVE) {
++ if (IS_ERR(pbuf)) {
+ /*
+ * If we have filled the PIO buffers to capacity and are
+ * not in an active state this request is not going to
+--
+2.20.1
+
--- /dev/null
+From 931eaaa3e85d9818e48f799a8aa69a9d6fccfffa Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:33:00 -0400
+Subject: IB/hfi1: Handle wakeup of orphaned QPs for pio
+
+[ Upstream commit 099a884ba4c00145cef283d36e050726311c2e95 ]
+
+Once a send context is taken down due to a link failure, any QPs waiting
+for pio credits will stay on the waitlist indefinitely.
+
+Fix by wakeing up all QPs linked to piowait list.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/pio.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c
+index a1de566fe95e..1ee47838d4de 100644
+--- a/drivers/infiniband/hw/hfi1/pio.c
++++ b/drivers/infiniband/hw/hfi1/pio.c
+@@ -952,6 +952,22 @@ void sc_disable(struct send_context *sc)
+ }
+ }
+ spin_unlock(&sc->release_lock);
++
++ write_seqlock(&sc->waitlock);
++ while (!list_empty(&sc->piowait)) {
++ struct iowait *wait;
++ struct rvt_qp *qp;
++ struct hfi1_qp_priv *priv;
++
++ wait = list_first_entry(&sc->piowait, struct iowait, list);
++ qp = iowait_to_qp(wait);
++ priv = qp->priv;
++ list_del_init(&priv->s_iowait.list);
++ priv->s_iowait.lock = NULL;
++ hfi1_qp_wakeup(qp, RVT_S_WAIT_PIO | HFI1_S_WAIT_PIO_DRAIN);
++ }
++ write_sequnlock(&sc->waitlock);
++
+ spin_unlock_irq(&sc->alloc_lock);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6bfede6d4fd394accbbdae7b9f5345ef746bdfc2 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:44 -0400
+Subject: IB/hfi1: Use aborts to trigger RC throttling
+
+[ Upstream commit 4bb02e9572af1383038d83ad196d7166c515f2ee ]
+
+SDMA and pio flushes will cause a lot of packets to be transmitted
+after a link has gone down, using a lot of CPU to retransmit
+packets.
+
+Fix for RC QPs by recognizing the flush status and:
+- Forcing a timer start
+- Putting the QP into a "send one" mode
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/rc.c | 30 ++++++++++++++++++++++++++++++
+ drivers/infiniband/hw/hfi1/verbs.c | 10 ++++++----
+ drivers/infiniband/hw/hfi1/verbs.h | 1 +
+ 3 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/rc.c b/drivers/infiniband/hw/hfi1/rc.c
+index 82f101878e33..24cbac277bf0 100644
+--- a/drivers/infiniband/hw/hfi1/rc.c
++++ b/drivers/infiniband/hw/hfi1/rc.c
+@@ -1703,6 +1703,36 @@ static void reset_sending_psn(struct rvt_qp *qp, u32 psn)
+ }
+ }
+
++/**
++ * hfi1_rc_verbs_aborted - handle abort status
++ * @qp: the QP
++ * @opah: the opa header
++ *
++ * This code modifies both ACK bit in BTH[2]
++ * and the s_flags to go into send one mode.
++ *
++ * This serves to throttle the send engine to only
++ * send a single packet in the likely case the
++ * a link has gone down.
++ */
++void hfi1_rc_verbs_aborted(struct rvt_qp *qp, struct hfi1_opa_header *opah)
++{
++ struct ib_other_headers *ohdr = hfi1_get_rc_ohdr(opah);
++ u8 opcode = ib_bth_get_opcode(ohdr);
++ u32 psn;
++
++ /* ignore responses */
++ if ((opcode >= OP(RDMA_READ_RESPONSE_FIRST) &&
++ opcode <= OP(ATOMIC_ACKNOWLEDGE)) ||
++ opcode == TID_OP(READ_RESP) ||
++ opcode == TID_OP(WRITE_RESP))
++ return;
++
++ psn = ib_bth_get_psn(ohdr) | IB_BTH_REQ_ACK;
++ ohdr->bth[2] = cpu_to_be32(psn);
++ qp->s_flags |= RVT_S_SEND_ONE;
++}
++
+ /*
+ * This should be called with the QP s_lock held and interrupts disabled.
+ */
+diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
+index ea68eeba3f22..63d62ac7434a 100644
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -638,6 +638,8 @@ static void verbs_sdma_complete(
+ struct hfi1_opa_header *hdr;
+
+ hdr = &tx->phdr.hdr;
++ if (unlikely(status == SDMA_TXREQ_S_ABORTED))
++ hfi1_rc_verbs_aborted(qp, hdr);
+ hfi1_rc_send_complete(qp, hdr);
+ }
+ spin_unlock(&qp->s_lock);
+@@ -1095,15 +1097,15 @@ int hfi1_verbs_send_pio(struct rvt_qp *qp, struct hfi1_pkt_state *ps,
+ &ps->s_txreq->phdr.hdr, ib_is_sc5(sc5));
+
+ pio_bail:
++ spin_lock_irqsave(&qp->s_lock, flags);
+ if (qp->s_wqe) {
+- spin_lock_irqsave(&qp->s_lock, flags);
+ rvt_send_complete(qp, qp->s_wqe, wc_status);
+- spin_unlock_irqrestore(&qp->s_lock, flags);
+ } else if (qp->ibqp.qp_type == IB_QPT_RC) {
+- spin_lock_irqsave(&qp->s_lock, flags);
++ if (unlikely(wc_status == IB_WC_GENERAL_ERR))
++ hfi1_rc_verbs_aborted(qp, &ps->s_txreq->phdr.hdr);
+ hfi1_rc_send_complete(qp, &ps->s_txreq->phdr.hdr);
+- spin_unlock_irqrestore(&qp->s_lock, flags);
+ }
++ spin_unlock_irqrestore(&qp->s_lock, flags);
+
+ ret = 0;
+
+diff --git a/drivers/infiniband/hw/hfi1/verbs.h b/drivers/infiniband/hw/hfi1/verbs.h
+index 62ace0b2d17a..1714c0f6475d 100644
+--- a/drivers/infiniband/hw/hfi1/verbs.h
++++ b/drivers/infiniband/hw/hfi1/verbs.h
+@@ -415,6 +415,7 @@ void hfi1_rc_hdrerr(
+
+ u8 ah_to_sc(struct ib_device *ibdev, struct rdma_ah_attr *ah_attr);
+
++void hfi1_rc_verbs_aborted(struct rvt_qp *qp, struct hfi1_opa_header *opah);
+ void hfi1_rc_send_complete(struct rvt_qp *qp, struct hfi1_opa_header *opah);
+
+ void hfi1_ud_rcv(struct hfi1_packet *packet);
+--
+2.20.1
+
--- /dev/null
+From f64395a12b33ea4792c76d4a3e82a9cace02ae19 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:50 -0400
+Subject: IB/hfi1: Wakeup QPs orphaned on wait list after flush
+
+[ Upstream commit f972775b1cc0441ae22c9f8d06dd16b118463632 ]
+
+Once an SDMA engine is taken down due to a link failure, any waiting QPs
+that do not have outstanding descriptors in the ring will stay
+on the dmawait list as long as the port is down.
+
+Since there is no timer running, they will stay there for a long time.
+
+The fix is to wake up all iowaits linked to dmawait. The send engine
+will build and post packets that get flushed back.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/sdma.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
+index 70828de7436b..28b66bd70b74 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -405,6 +405,7 @@ static void sdma_flush(struct sdma_engine *sde)
+ struct sdma_txreq *txp, *txp_next;
+ LIST_HEAD(flushlist);
+ unsigned long flags;
++ uint seq;
+
+ /* flush from head to tail */
+ sdma_flush_descq(sde);
+@@ -415,6 +416,22 @@ static void sdma_flush(struct sdma_engine *sde)
+ /* flush from flush list */
+ list_for_each_entry_safe(txp, txp_next, &flushlist, list)
+ complete_tx(sde, txp, SDMA_TXREQ_S_ABORTED);
++ /* wakeup QPs orphaned on the dmawait list */
++ do {
++ struct iowait *w, *nw;
++
++ seq = read_seqbegin(&sde->waitlock);
++ if (!list_empty(&sde->dmawait)) {
++ write_seqlock(&sde->waitlock);
++ list_for_each_entry_safe(w, nw, &sde->dmawait, list) {
++ if (w->wakeup) {
++ w->wakeup(w, SDMA_AVAIL_REASON);
++ list_del_init(&w->list);
++ }
++ }
++ write_sequnlock(&sde->waitlock);
++ }
++ } while (read_seqretry(&sde->waitlock, seq));
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 3fd474a993facb999eccf8a5c1f49f08cad34248 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Fri, 7 Jun 2019 16:03:53 -0500
+Subject: ibmvnic: Do not close unopened driver during reset
+
+[ Upstream commit 1f94608b0ce141be5286dde31270590bdf35b86a ]
+
+Check driver state before halting it during a reset. If the driver is
+not running, do nothing. Otherwise, a request to deactivate a down link
+can cause an error and the reset will fail.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 3dfb2d131eb7..71bf895409a1 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1751,7 +1751,8 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+
+ ibmvnic_cleanup(netdev);
+
+- if (adapter->reset_reason != VNIC_RESET_MOBILITY &&
++ if (reset_state == VNIC_OPEN &&
++ adapter->reset_reason != VNIC_RESET_MOBILITY &&
+ adapter->reset_reason != VNIC_RESET_FAILOVER) {
+ rc = __ibmvnic_close(netdev);
+ if (rc)
+--
+2.20.1
+
--- /dev/null
+From 0d7a173e06c2293698e448e644e7da30387e05ec Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Fri, 7 Jun 2019 16:03:55 -0500
+Subject: ibmvnic: Fix unchecked return codes of memory allocations
+
+[ Upstream commit 7c940b1a5291e5069d561f5b8f0e51db6b7a259a ]
+
+The return values for these memory allocations are unchecked,
+which may cause an oops if the driver does not handle them after
+a failure. Fix by checking the function's return code.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 664e52fa7919..0e4029c54241 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -438,9 +438,10 @@ static int reset_rx_pools(struct ibmvnic_adapter *adapter)
+ if (rx_pool->buff_size != be64_to_cpu(size_array[i])) {
+ free_long_term_buff(adapter, &rx_pool->long_term_buff);
+ rx_pool->buff_size = be64_to_cpu(size_array[i]);
+- alloc_long_term_buff(adapter, &rx_pool->long_term_buff,
+- rx_pool->size *
+- rx_pool->buff_size);
++ rc = alloc_long_term_buff(adapter,
++ &rx_pool->long_term_buff,
++ rx_pool->size *
++ rx_pool->buff_size);
+ } else {
+ rc = reset_long_term_buff(adapter,
+ &rx_pool->long_term_buff);
+@@ -706,9 +707,9 @@ static int init_tx_pools(struct net_device *netdev)
+ return rc;
+ }
+
+- init_one_tx_pool(netdev, &adapter->tso_pool[i],
+- IBMVNIC_TSO_BUFS,
+- IBMVNIC_TSO_BUF_SZ);
++ rc = init_one_tx_pool(netdev, &adapter->tso_pool[i],
++ IBMVNIC_TSO_BUFS,
++ IBMVNIC_TSO_BUF_SZ);
+ if (rc) {
+ release_tx_pools(adapter);
+ return rc;
+--
+2.20.1
+
--- /dev/null
+From c5b45193d4e792f8be576523e32a91c39a6ed4e4 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Fri, 7 Jun 2019 16:03:54 -0500
+Subject: ibmvnic: Refresh device multicast list after reset
+
+[ Upstream commit be32a24372cf162e825332da1a7ccef058d4f20b ]
+
+It was observed that multicast packets were no longer received after
+a device reset. The fix is to resend the current multicast list to
+the backing device after recovery.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 71bf895409a1..664e52fa7919 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1851,6 +1851,9 @@ static int do_reset(struct ibmvnic_adapter *adapter,
+ return 0;
+ }
+
++ /* refresh device's multicast list */
++ ibmvnic_set_multi(netdev);
++
+ /* kick napi */
+ for (i = 0; i < adapter->req_rx_queues; i++)
+ napi_schedule(&adapter->napi[i]);
+--
+2.20.1
+
--- /dev/null
+From 31d069702fdd62ca4d4bf77527072d957079bf89 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Mon, 20 May 2019 22:09:10 -0700
+Subject: Input: elantech - enable middle button support on 2 ThinkPads
+
+[ Upstream commit aa440de3058a3ef530851f9ef373fbb5f694dbc3 ]
+
+Adding 2 new touchpad PNPIDs to enable middle button support.
+
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/mouse/elantech.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index a7f8b1614559..530142b5a115 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1189,6 +1189,8 @@ static const char * const middle_button_pnp_ids[] = {
+ "LEN2132", /* ThinkPad P52 */
+ "LEN2133", /* ThinkPad P72 w/ NFC */
+ "LEN2134", /* ThinkPad P72 */
++ "LEN0407",
++ "LEN0408",
+ NULL
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 20b0a2261db52a0c5d5a7acb43c824ddc9b1e011 Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Tue, 11 Jun 2019 17:50:44 -0700
+Subject: Input: imx_keypad - make sure keyboard can always wake up system
+
+[ Upstream commit ce9a53eb3dbca89e7ad86673d94ab886e9bea704 ]
+
+There are several scenarios that keyboard can NOT wake up system
+from suspend, e.g., if a keyboard is depressed between system
+device suspend phase and device noirq suspend phase, the keyboard
+ISR will be called and both keyboard depress and release interrupts
+will be disabled, then keyboard will no longer be able to wake up
+system. Another scenario would be, if a keyboard is kept depressed,
+and then system goes into suspend, the expected behavior would be
+when keyboard is released, system will be waked up, but current
+implementation can NOT achieve that, because both depress and release
+interrupts are disabled in ISR, and the event check is still in
+progress.
+
+To fix these issues, need to make sure keyboard's depress or release
+interrupt is enabled after noirq device suspend phase, this patch
+moves the suspend/resume callback to noirq suspend/resume phase, and
+enable the corresponding interrupt according to current keyboard status.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/imx_keypad.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/keyboard/imx_keypad.c b/drivers/input/keyboard/imx_keypad.c
+index 539cb670de41..ae9c51cc85f9 100644
+--- a/drivers/input/keyboard/imx_keypad.c
++++ b/drivers/input/keyboard/imx_keypad.c
+@@ -526,11 +526,12 @@ static int imx_keypad_probe(struct platform_device *pdev)
+ return 0;
+ }
+
+-static int __maybe_unused imx_kbd_suspend(struct device *dev)
++static int __maybe_unused imx_kbd_noirq_suspend(struct device *dev)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+ struct imx_keypad *kbd = platform_get_drvdata(pdev);
+ struct input_dev *input_dev = kbd->input_dev;
++ unsigned short reg_val = readw(kbd->mmio_base + KPSR);
+
+ /* imx kbd can wake up system even clock is disabled */
+ mutex_lock(&input_dev->mutex);
+@@ -540,13 +541,20 @@ static int __maybe_unused imx_kbd_suspend(struct device *dev)
+
+ mutex_unlock(&input_dev->mutex);
+
+- if (device_may_wakeup(&pdev->dev))
++ if (device_may_wakeup(&pdev->dev)) {
++ if (reg_val & KBD_STAT_KPKD)
++ reg_val |= KBD_STAT_KRIE;
++ if (reg_val & KBD_STAT_KPKR)
++ reg_val |= KBD_STAT_KDIE;
++ writew(reg_val, kbd->mmio_base + KPSR);
++
+ enable_irq_wake(kbd->irq);
++ }
+
+ return 0;
+ }
+
+-static int __maybe_unused imx_kbd_resume(struct device *dev)
++static int __maybe_unused imx_kbd_noirq_resume(struct device *dev)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+ struct imx_keypad *kbd = platform_get_drvdata(pdev);
+@@ -570,7 +578,9 @@ static int __maybe_unused imx_kbd_resume(struct device *dev)
+ return ret;
+ }
+
+-static SIMPLE_DEV_PM_OPS(imx_kbd_pm_ops, imx_kbd_suspend, imx_kbd_resume);
++static const struct dev_pm_ops imx_kbd_pm_ops = {
++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(imx_kbd_noirq_suspend, imx_kbd_noirq_resume)
++};
+
+ static struct platform_driver imx_keypad_driver = {
+ .driver = {
+--
+2.20.1
+
--- /dev/null
+From 52454c76d5b73873064c2324add04e0eabd69ae6 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 17 Jun 2019 21:34:14 +0800
+Subject: ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
+
+[ Upstream commit 6f6a8622057c92408930c31698394fae1557b188 ]
+
+A similar fix to Patch "ip_tunnel: allow not to count pkts on tstats by
+setting skb's dev to NULL" is also needed by ip6_tunnel.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip6_tunnel.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
+index 69b4bcf880c9..028eaea1c854 100644
+--- a/include/net/ip6_tunnel.h
++++ b/include/net/ip6_tunnel.h
+@@ -158,9 +158,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
+ memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
+ pkt_len = skb->len - skb_inner_network_offset(skb);
+ err = ip6_local_out(dev_net(skb_dst(skb)->dev), sk, skb);
+- if (unlikely(net_xmit_eval(err)))
+- pkt_len = -1;
+- iptunnel_xmit_stats(dev, pkt_len);
++
++ if (dev) {
++ if (unlikely(net_xmit_eval(err)))
++ pkt_len = -1;
++ iptunnel_xmit_stats(dev, pkt_len);
++ }
+ }
+ #endif
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 9dbe81764672efb5435d8459049e3716de952d5c Mon Sep 17 00:00:00 2001
+From: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+Date: Wed, 29 May 2019 16:39:51 +0300
+Subject: iwlwifi: clear persistence bit according to device family
+
+[ Upstream commit 44f61b5c832c4085fcf476484efeaeef96dcfb8b ]
+
+The driver attempts to clear persistence bit on any device familiy even
+though only 9000 and 22000 families require it. Clear the bit only on
+the relevant device families.
+
+Each HW has different address to the write protection register. Use the
+right register for each HW
+
+Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+Fixes: 8954e1eb2270 ("iwlwifi: trans: Clear persistence bit when starting the FW")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-prph.h | 7 ++-
+ .../net/wireless/intel/iwlwifi/pcie/trans.c | 46 +++++++++++++------
+ 2 files changed, 39 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-prph.h b/drivers/net/wireless/intel/iwlwifi/iwl-prph.h
+index 1af9f9e1ecd4..0c0799d13e15 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-prph.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-prph.h
+@@ -402,7 +402,12 @@ enum aux_misc_master1_en {
+ #define AUX_MISC_MASTER1_SMPHR_STATUS 0xA20800
+ #define RSA_ENABLE 0xA24B08
+ #define PREG_AUX_BUS_WPROT_0 0xA04CC0
+-#define PREG_PRPH_WPROT_0 0xA04CE0
++
++/* device family 9000 WPROT register */
++#define PREG_PRPH_WPROT_9000 0xA04CE0
++/* device family 22000 WPROT register */
++#define PREG_PRPH_WPROT_22000 0xA04D00
++
+ #define SB_CPU_1_STATUS 0xA01E30
+ #define SB_CPU_2_STATUS 0xA01E34
+ #define UMAG_SB_CPU_1_STATUS 0xA038C0
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index c4375b868901..2a03d34afa3b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1696,26 +1696,26 @@ static int iwl_pcie_init_msix_handler(struct pci_dev *pdev,
+ return 0;
+ }
+
+-static int _iwl_trans_pcie_start_hw(struct iwl_trans *trans, bool low_power)
++static int iwl_trans_pcie_clear_persistence_bit(struct iwl_trans *trans)
+ {
+- struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+- u32 hpm;
+- int err;
+-
+- lockdep_assert_held(&trans_pcie->mutex);
++ u32 hpm, wprot;
+
+- err = iwl_pcie_prepare_card_hw(trans);
+- if (err) {
+- IWL_ERR(trans, "Error while preparing HW: %d\n", err);
+- return err;
++ switch (trans->cfg->device_family) {
++ case IWL_DEVICE_FAMILY_9000:
++ wprot = PREG_PRPH_WPROT_9000;
++ break;
++ case IWL_DEVICE_FAMILY_22000:
++ wprot = PREG_PRPH_WPROT_22000;
++ break;
++ default:
++ return 0;
+ }
+
+ hpm = iwl_read_umac_prph_no_grab(trans, HPM_DEBUG);
+ if (hpm != 0xa5a5a5a0 && (hpm & PERSISTENCE_BIT)) {
+- int wfpm_val = iwl_read_umac_prph_no_grab(trans,
+- PREG_PRPH_WPROT_0);
++ u32 wprot_val = iwl_read_umac_prph_no_grab(trans, wprot);
+
+- if (wfpm_val & PREG_WFPM_ACCESS) {
++ if (wprot_val & PREG_WFPM_ACCESS) {
+ IWL_ERR(trans,
+ "Error, can not clear persistence bit\n");
+ return -EPERM;
+@@ -1724,6 +1724,26 @@ static int _iwl_trans_pcie_start_hw(struct iwl_trans *trans, bool low_power)
+ hpm & ~PERSISTENCE_BIT);
+ }
+
++ return 0;
++}
++
++static int _iwl_trans_pcie_start_hw(struct iwl_trans *trans, bool low_power)
++{
++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
++ int err;
++
++ lockdep_assert_held(&trans_pcie->mutex);
++
++ err = iwl_pcie_prepare_card_hw(trans);
++ if (err) {
++ IWL_ERR(trans, "Error while preparing HW: %d\n", err);
++ return err;
++ }
++
++ err = iwl_trans_pcie_clear_persistence_bit(trans);
++ if (err)
++ return err;
++
+ iwl_trans_pcie_sw_reset(trans);
+
+ err = iwl_pcie_apm_init(trans);
+--
+2.20.1
+
--- /dev/null
+From df4cf8004fb2fb6a5ae76b93bb080682c529b7ae Mon Sep 17 00:00:00 2001
+From: Matt Chen <matt.chen@intel.com>
+Date: Wed, 29 May 2019 16:39:53 +0300
+Subject: iwlwifi: fix AX201 killer sku loading firmware issue
+
+[ Upstream commit b17dc0632a17fbfe66b34ee7c24e1cc10cfc503e ]
+
+When try to bring up the AX201 2 killer sku, we
+run into:
+[81261.392463] iwlwifi 0000:01:00.0: loaded firmware version 46.8c20f243.0 op_mode iwlmvm
+[81261.407407] iwlwifi 0000:01:00.0: Detected Intel(R) Dual Band Wireless AX 22000, REV=0x340
+[81262.424778] iwlwifi 0000:01:00.0: Collecting data: trigger 16 fired.
+[81262.673359] iwlwifi 0000:01:00.0: Start IWL Error Log Dump:
+[81262.673365] iwlwifi 0000:01:00.0: Status: 0x00000000, count: -906373681
+[81262.673368] iwlwifi 0000:01:00.0: Loaded firmware version: 46.8c20f243.0
+[81262.673371] iwlwifi 0000:01:00.0: 0x507C015D | ADVANCED_SYSASSERT
+
+Fix this issue by adding 2 more cfg to avoid modifying the
+original cfg configuration.
+
+Signed-off-by: Matt Chen <matt.chen@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index 2a03d34afa3b..80695584e406 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -3585,7 +3585,9 @@ struct iwl_trans *iwl_trans_pcie_alloc(struct pci_dev *pdev,
+ }
+ } else if (CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
+ CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR) &&
+- (trans->cfg != &iwl_ax200_cfg_cc ||
++ ((trans->cfg != &iwl_ax200_cfg_cc &&
++ trans->cfg != &killer1650x_2ax_cfg &&
++ trans->cfg != &killer1650w_2ax_cfg) ||
+ trans->hw_rev == CSR_HW_REV_TYPE_QNJ_B0)) {
+ u32 hw_status;
+
+--
+2.20.1
+
--- /dev/null
+From 3af5428792984be6dbd81356ffbfe12a5e3d5e26 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 29 May 2019 16:39:54 +0300
+Subject: iwlwifi: Fix double-free problems in iwl_req_fw_callback()
+
+[ Upstream commit a8627176b0de7ba3f4524f641ddff4abf23ae4e4 ]
+
+In the error handling code of iwl_req_fw_callback(), iwl_dealloc_ucode()
+is called to free data. In iwl_drv_stop(), iwl_dealloc_ucode() is called
+again, which can cause double-free problems.
+
+To fix this bug, the call to iwl_dealloc_ucode() in
+iwl_req_fw_callback() is deleted.
+
+This bug is found by a runtime fuzzing tool named FIZZER written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index 689a65b11cc3..4fd1737d768b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1579,7 +1579,6 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
+ goto free;
+
+ out_free_fw:
+- iwl_dealloc_ucode(drv);
+ release_firmware(ucode_raw);
+ out_unbind:
+ complete(&drv->request_firmware_complete);
+--
+2.20.1
+
--- /dev/null
+From c167f719976c7738f1f62069273c03c6061488c7 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 29 May 2019 16:39:50 +0300
+Subject: iwlwifi: fix load in rfkill flow for unified firmware
+
+[ Upstream commit b3500b472c880b5abe90ffd5c4a25aa736f906ad ]
+
+When we have a single image (same firmware image for INIT and
+OPERATIONAL), we couldn't load the driver and register to the
+stack if we had hardware RF-Kill asserted.
+
+Fix this. This required a few changes:
+
+1) Run the firmware as part of the INIT phase even if its
+ ucode_type is not IWL_UCODE_INIT.
+2) Send the commands that are sent to the unified image in
+ INIT flow even in RF-Kill.
+3) Don't ask the transport to stop the hardware upon RF-Kill
+ interrupt if the RF-Kill is asserted.
+4) Allow the RF-Kill interrupt to take us out of L1A so that
+ the RF-Kill interrupt will be received by the host (to
+ enable the radio).
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 23 ++++++++++++++-----
+ .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 2 +-
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 2 +-
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 17 ++++++++++----
+ .../wireless/intel/iwlwifi/pcie/internal.h | 2 +-
+ 5 files changed, 33 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index ab68b5d53ec9..153717587aeb 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -311,6 +311,8 @@ static int iwl_mvm_load_ucode_wait_alive(struct iwl_mvm *mvm,
+ int ret;
+ enum iwl_ucode_type old_type = mvm->fwrt.cur_fw_img;
+ static const u16 alive_cmd[] = { MVM_ALIVE };
++ bool run_in_rfkill =
++ ucode_type == IWL_UCODE_INIT || iwl_mvm_has_unified_ucode(mvm);
+
+ if (ucode_type == IWL_UCODE_REGULAR &&
+ iwl_fw_dbg_conf_usniffer(mvm->fw, FW_DBG_START_FROM_ALIVE) &&
+@@ -328,7 +330,12 @@ static int iwl_mvm_load_ucode_wait_alive(struct iwl_mvm *mvm,
+ alive_cmd, ARRAY_SIZE(alive_cmd),
+ iwl_alive_fn, &alive_data);
+
+- ret = iwl_trans_start_fw(mvm->trans, fw, ucode_type == IWL_UCODE_INIT);
++ /*
++ * We want to load the INIT firmware even in RFKILL
++ * For the unified firmware case, the ucode_type is not
++ * INIT, but we still need to run it.
++ */
++ ret = iwl_trans_start_fw(mvm->trans, fw, run_in_rfkill);
+ if (ret) {
+ iwl_fw_set_current_image(&mvm->fwrt, old_type);
+ iwl_remove_notification(&mvm->notif_wait, &alive_wait);
+@@ -433,7 +440,8 @@ static int iwl_run_unified_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
+ * commands
+ */
+ ret = iwl_mvm_send_cmd_pdu(mvm, WIDE_ID(SYSTEM_GROUP,
+- INIT_EXTENDED_CFG_CMD), 0,
++ INIT_EXTENDED_CFG_CMD),
++ CMD_SEND_IN_RFKILL,
+ sizeof(init_cfg), &init_cfg);
+ if (ret) {
+ IWL_ERR(mvm, "Failed to run init config command: %d\n",
+@@ -457,7 +465,8 @@ static int iwl_run_unified_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
+ }
+
+ ret = iwl_mvm_send_cmd_pdu(mvm, WIDE_ID(REGULATORY_AND_NVM_GROUP,
+- NVM_ACCESS_COMPLETE), 0,
++ NVM_ACCESS_COMPLETE),
++ CMD_SEND_IN_RFKILL,
+ sizeof(nvm_complete), &nvm_complete);
+ if (ret) {
+ IWL_ERR(mvm, "Failed to run complete NVM access: %d\n",
+@@ -482,6 +491,8 @@ static int iwl_run_unified_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
+ }
+ }
+
++ mvm->rfkill_safe_init_done = true;
++
+ return 0;
+
+ error:
+@@ -526,7 +537,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
+
+ lockdep_assert_held(&mvm->mutex);
+
+- if (WARN_ON_ONCE(mvm->calibrating))
++ if (WARN_ON_ONCE(mvm->rfkill_safe_init_done))
+ return 0;
+
+ iwl_init_notification_wait(&mvm->notif_wait,
+@@ -576,7 +587,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
+ goto remove_notif;
+ }
+
+- mvm->calibrating = true;
++ mvm->rfkill_safe_init_done = true;
+
+ /* Send TX valid antennas before triggering calibrations */
+ ret = iwl_send_tx_ant_cfg(mvm, iwl_mvm_get_valid_tx_ant(mvm));
+@@ -612,7 +623,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
+ remove_notif:
+ iwl_remove_notification(&mvm->notif_wait, &calib_wait);
+ out:
+- mvm->calibrating = false;
++ mvm->rfkill_safe_init_done = false;
+ if (iwlmvm_mod_params.init_dbg && !mvm->nvm_data) {
+ /* we want to debug INIT and we have no NVM - fake */
+ mvm->nvm_data = kzalloc(sizeof(struct iwl_nvm_data) +
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 6a3b11dd2edf..4ddf620c267d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -1211,7 +1211,7 @@ static void iwl_mvm_restart_cleanup(struct iwl_mvm *mvm)
+
+ mvm->scan_status = 0;
+ mvm->ps_disabled = false;
+- mvm->calibrating = false;
++ mvm->rfkill_safe_init_done = false;
+
+ /* just in case one was running */
+ iwl_mvm_cleanup_roc_te(mvm);
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index a50dc53df086..b698d55ace1b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -877,7 +877,7 @@ struct iwl_mvm {
+ struct iwl_mvm_vif *bf_allowed_vif;
+
+ bool hw_registered;
+- bool calibrating;
++ bool rfkill_safe_init_done;
+ bool support_umac_log;
+
+ u32 ampdu_ref;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 13681b03c10e..20115770e75a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1222,7 +1222,8 @@ void iwl_mvm_set_hw_ctkill_state(struct iwl_mvm *mvm, bool state)
+ static bool iwl_mvm_set_hw_rfkill_state(struct iwl_op_mode *op_mode, bool state)
+ {
+ struct iwl_mvm *mvm = IWL_OP_MODE_GET_MVM(op_mode);
+- bool calibrating = READ_ONCE(mvm->calibrating);
++ bool rfkill_safe_init_done = READ_ONCE(mvm->rfkill_safe_init_done);
++ bool unified = iwl_mvm_has_unified_ucode(mvm);
+
+ if (state)
+ set_bit(IWL_MVM_STATUS_HW_RFKILL, &mvm->status);
+@@ -1231,15 +1232,23 @@ static bool iwl_mvm_set_hw_rfkill_state(struct iwl_op_mode *op_mode, bool state)
+
+ iwl_mvm_set_rfkill_state(mvm);
+
+- /* iwl_run_init_mvm_ucode is waiting for results, abort it */
+- if (calibrating)
++ /* iwl_run_init_mvm_ucode is waiting for results, abort it. */
++ if (rfkill_safe_init_done)
+ iwl_abort_notification_waits(&mvm->notif_wait);
+
++ /*
++ * Don't ask the transport to stop the firmware. We'll do it
++ * after cfg80211 takes us down.
++ */
++ if (unified)
++ return false;
++
+ /*
+ * Stop the device if we run OPERATIONAL firmware or if we are in the
+ * middle of the calibrations.
+ */
+- return state && (mvm->fwrt.cur_fw_img != IWL_UCODE_INIT || calibrating);
++ return state && (mvm->fwrt.cur_fw_img != IWL_UCODE_INIT ||
++ rfkill_safe_init_done);
+ }
+
+ static void iwl_mvm_free_skb(struct iwl_op_mode *op_mode, struct sk_buff *skb)
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+index 59213164f35e..2afce5c41322 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+@@ -948,7 +948,7 @@ static inline void iwl_enable_rfkill_int(struct iwl_trans *trans)
+ MSIX_HW_INT_CAUSES_REG_RF_KILL);
+ }
+
+- if (trans->cfg->device_family == IWL_DEVICE_FAMILY_9000) {
++ if (trans->cfg->device_family >= IWL_DEVICE_FAMILY_9000) {
+ /*
+ * On 9000-series devices this bit isn't enabled by default, so
+ * when we power down the device we need set the bit to allow it
+--
+2.20.1
+
--- /dev/null
+From a64db4fbb7f3ad49feec2a0ff1920db98fbf034a Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Mon, 27 May 2019 13:46:19 +0200
+Subject: KVM: arm/arm64: Fix emulated ptimer irq injection
+
+[ Upstream commit e4e5a865e9a9e8e47ac1959b629e9f3ae3b062f2 ]
+
+The emulated ptimer needs to track the level changes, otherwise the
+the interrupt will never get deasserted, resulting in the guest getting
+stuck in an interrupt storm if it enables ptimer interrupts. This was
+found with kvm-unit-tests; the ptimer tests hung as soon as interrupts
+were enabled. Typical Linux guests don't have a problem as they prefer
+using the virtual timer.
+
+Fixes: bee038a674875 ("KVM: arm/arm64: Rework the timer code to use a timer_map")
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+[Simplified the patch to res we only care about emulated timers here]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/arm/arch_timer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/virt/kvm/arm/arch_timer.c b/virt/kvm/arm/arch_timer.c
+index 7fc272ecae16..1b1c449ceaf4 100644
+--- a/virt/kvm/arm/arch_timer.c
++++ b/virt/kvm/arm/arch_timer.c
+@@ -321,14 +321,15 @@ static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool new_level,
+ }
+ }
+
++/* Only called for a fully emulated timer */
+ static void timer_emulate(struct arch_timer_context *ctx)
+ {
+ bool should_fire = kvm_timer_should_fire(ctx);
+
+ trace_kvm_timer_emulate(ctx, should_fire);
+
+- if (should_fire) {
+- kvm_timer_update_irq(ctx->vcpu, true, ctx);
++ if (should_fire != ctx->irq.level) {
++ kvm_timer_update_irq(ctx->vcpu, should_fire, ctx);
+ return;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6df8464bd832add81fb6a9461aee61806c8a9343 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 6 Jun 2019 11:58:07 +0100
+Subject: KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
+
+[ Upstream commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a ]
+
+kvm_device->destroy() seems to be supposed to free its kvm_device
+struct, but vgic_its_destroy() is not currently doing this,
+resulting in a memory leak, resulting in kmemleak reports such as
+the following:
+
+unreferenced object 0xffff800aeddfe280 (size 128):
+ comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s)
+ [...]
+ backtrace:
+ [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208
+ [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0
+
+Fix it.
+
+Cc: Andre Przywara <andre.przywara@arm.com>
+Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
+index 44ceaccb18cf..8c9fe831bce4 100644
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -1734,6 +1734,7 @@ static void vgic_its_destroy(struct kvm_device *kvm_dev)
+
+ mutex_unlock(&its->its_lock);
+ kfree(its);
++ kfree(kvm_dev);/* alloc by kvm_ioctl_create_device, free by .destroy */
+ }
+
+ static int vgic_its_has_attr_regs(struct kvm_device *dev,
+--
+2.20.1
+
--- /dev/null
+From 7f857d66ce1b19123ba54ed2434ed67b0f39d154 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Thu, 13 Jun 2019 13:35:02 +0200
+Subject: KVM: nVMX: use correct clean fields when copying from eVMCS
+
+[ Upstream commit f9bc5227652df4900eff12a9b8b38e9a8c7c78ea ]
+
+Unfortunately, a couple of mistakes were made while implementing
+Enlightened VMCS support, in particular, wrong clean fields were
+used in copy_enlightened_to_vmcs12():
+- exception_bitmap is covered by CONTROL_EXCPN;
+- vm_exit_controls/pin_based_vm_exec_control/secondary_vm_exec_control
+ are covered by CONTROL_GRP1.
+
+Fixes: 945679e301ea0 ("KVM: nVMX: add enlightened VMCS state")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 5fa0c17d0b41..4ca834d22169 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -1404,7 +1404,7 @@ static int copy_enlightened_to_vmcs12(struct vcpu_vmx *vmx)
+ }
+
+ if (unlikely(!(evmcs->hv_clean_fields &
+- HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_PROC))) {
++ HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_EXCPN))) {
+ vmcs12->exception_bitmap = evmcs->exception_bitmap;
+ }
+
+@@ -1444,7 +1444,7 @@ static int copy_enlightened_to_vmcs12(struct vcpu_vmx *vmx)
+ }
+
+ if (unlikely(!(evmcs->hv_clean_fields &
+- HV_VMX_ENLIGHTENED_CLEAN_FIELD_HOST_GRP1))) {
++ HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_GRP1))) {
+ vmcs12->pin_based_vm_exec_control =
+ evmcs->pin_based_vm_exec_control;
+ vmcs12->vm_exit_controls = evmcs->vm_exit_controls;
+--
+2.20.1
+
--- /dev/null
+From 13f9c9f87724d48e6584c92a027fd3fe824a8b64 Mon Sep 17 00:00:00 2001
+From: Naftali Goldstein <naftali.goldstein@intel.com>
+Date: Wed, 29 May 2019 15:25:30 +0300
+Subject: mac80211: do not start any work during reconfigure flow
+
+[ Upstream commit f8891461a277ec0afc493fd30cd975a38048a038 ]
+
+It is not a good idea to try to perform any work (e.g. send an auth
+frame) during reconfigure flow.
+
+Prevent this from happening, and at the end of the reconfigure flow
+requeue all the works.
+
+Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 7 +++++++
+ net/mac80211/util.c | 4 ++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 4118704cb0e7..6708c1640207 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -2034,6 +2034,13 @@ void __ieee80211_flush_queues(struct ieee80211_local *local,
+
+ static inline bool ieee80211_can_run_worker(struct ieee80211_local *local)
+ {
++ /*
++ * It's unsafe to try to do any work during reconfigure flow.
++ * When the flow ends the work will be requeued.
++ */
++ if (local->in_reconfig)
++ return false;
++
+ /*
+ * If quiescing is set, we are racing with __ieee80211_suspend.
+ * __ieee80211_suspend flushes the workers after setting quiescing,
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 447a55ae9df1..3400e2da7297 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2442,6 +2442,10 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ mutex_lock(&local->mtx);
+ ieee80211_start_next_roc(local);
+ mutex_unlock(&local->mtx);
++
++ /* Requeue all works */
++ list_for_each_entry(sdata, &local->interfaces, list)
++ ieee80211_queue_work(&local->hw, &sdata->work);
+ }
+
+ ieee80211_wake_queues_by_reason(hw, IEEE80211_MAX_QUEUE_MAP,
+--
+2.20.1
+
--- /dev/null
+From 77fedf8da0295708be607a41a52f6dc2704268ec Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Thu, 23 May 2019 10:27:24 +0200
+Subject: mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he()
+
+[ Upstream commit 25d16d124a5e249e947c0487678b61dcff25cf8b ]
+
+The reported rate is not scaled down correctly. After applying this patch,
+the function will behave just like the v/ht equivalents.
+
+Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
+Signed-off-by: John Crispin <john@phrozen.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 75899b62bdc9..5a03f38788e7 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1237,7 +1237,7 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate)
+ if (rate->he_dcm)
+ result /= 2;
+
+- return result;
++ return result / 10000;
+ }
+
+ u32 cfg80211_calculate_bitrate(struct rate_info *rate)
+--
+2.20.1
+
--- /dev/null
+From e949b74c232d67699c869df2278dd91993dae594 Mon Sep 17 00:00:00 2001
+From: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Date: Tue, 28 May 2019 16:36:16 -0700
+Subject: mac80211: free peer keys before vif down in mesh
+
+[ Upstream commit 0112fa557c3bb3a002bc85760dc3761d737264d3 ]
+
+freeing peer keys after vif down is resulting in peer key uninstall
+to fail due to interface lookup failure. so fix that.
+
+Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index d5aba5029cb0..fe44f0d98de0 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -929,6 +929,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
+
+ /* flush STAs and mpaths on this iface */
+ sta_info_flush(sdata);
++ ieee80211_free_keys(sdata, true);
+ mesh_path_flush_by_iface(sdata);
+
+ /* stop the beacon */
+--
+2.20.1
+
--- /dev/null
+From 6c151064a5f9ef83577bb233eb72cf57debd317b Mon Sep 17 00:00:00 2001
+From: Thomas Pedersen <thomas@eero.com>
+Date: Fri, 24 May 2019 21:16:24 -0700
+Subject: mac80211: mesh: fix RCU warning
+
+[ Upstream commit 551842446ed695641a00782cd118cbb064a416a1 ]
+
+ifmsh->csa is an RCU-protected pointer. The writer context
+in ieee80211_mesh_finish_csa() is already mutually
+exclusive with wdev->sdata.mtx, but the RCU checker did
+not know this. Use rcu_dereference_protected() to avoid a
+warning.
+
+fixes the following warning:
+
+[ 12.519089] =============================
+[ 12.520042] WARNING: suspicious RCU usage
+[ 12.520652] 5.1.0-rc7-wt+ #16 Tainted: G W
+[ 12.521409] -----------------------------
+[ 12.521972] net/mac80211/mesh.c:1223 suspicious rcu_dereference_check() usage!
+[ 12.522928] other info that might help us debug this:
+[ 12.523984] rcu_scheduler_active = 2, debug_locks = 1
+[ 12.524855] 5 locks held by kworker/u8:2/152:
+[ 12.525438] #0: 00000000057be08c ((wq_completion)phy0){+.+.}, at: process_one_work+0x1a2/0x620
+[ 12.526607] #1: 0000000059c6b07a ((work_completion)(&sdata->csa_finalize_work)){+.+.}, at: process_one_work+0x1a2/0x620
+[ 12.528001] #2: 00000000f184ba7d (&wdev->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x2f/0x90
+[ 12.529116] #3: 00000000831a1f54 (&local->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x47/0x90
+[ 12.530233] #4: 00000000fd06f988 (&local->chanctx_mtx){+.+.}, at: ieee80211_csa_finalize_work+0x51/0x90
+
+Signed-off-by: Thomas Pedersen <thomas@eero.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 766e5e5bab8a..d5aba5029cb0 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1220,7 +1220,8 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
+ ifmsh->chsw_ttl = 0;
+
+ /* Remove the CSA and MCSP elements from the beacon */
+- tmp_csa_settings = rcu_dereference(ifmsh->csa);
++ tmp_csa_settings = rcu_dereference_protected(ifmsh->csa,
++ lockdep_is_held(&sdata->wdev.mtx));
+ RCU_INIT_POINTER(ifmsh->csa, NULL);
+ if (tmp_csa_settings)
+ kfree_rcu(tmp_csa_settings, rcu_head);
+@@ -1242,6 +1243,8 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
+ struct mesh_csa_settings *tmp_csa_settings;
+ int ret = 0;
+
++ lockdep_assert_held(&sdata->wdev.mtx);
++
+ tmp_csa_settings = kmalloc(sizeof(*tmp_csa_settings),
+ GFP_ATOMIC);
+ if (!tmp_csa_settings)
+--
+2.20.1
+
--- /dev/null
+From 944d670ed5aa644b930252fe5833e1c667427e61 Mon Sep 17 00:00:00 2001
+From: Yibo Zhao <yiboz@codeaurora.org>
+Date: Fri, 14 Jun 2019 19:01:52 +0800
+Subject: mac80211: only warn once on chanctx_conf being NULL
+
+[ Upstream commit 563572340173865a9a356e6bb02579e6998a876d ]
+
+In multiple SSID cases, it takes time to prepare every AP interface
+to be ready in initializing phase. If a sta already knows everything it
+needs to join one of the APs and sends authentication to the AP which
+is not fully prepared at this point of time, AP's channel context
+could be NULL. As a result, warning message occurs.
+
+Even worse, if the AP is under attack via tools such as MDK3 and massive
+authentication requests are received in a very short time, console will
+be hung due to kernel warning messages.
+
+WARN_ON_ONCE() could be a better way for indicating warning messages
+without duplicate messages to flood the console.
+
+Johannes: We still need to address the underlying problem, but we
+ don't really have a good handle on it yet. Suppress the
+ worst side-effects for now.
+
+Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
+Signed-off-by: Yibo Zhao <yiboz@codeaurora.org>
+[johannes: add note, change subject]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index c875d45f1e1d..4118704cb0e7 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1434,7 +1434,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+ rcu_read_lock();
+ chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+
+- if (WARN_ON(!chanctx_conf)) {
++ if (WARN_ON_ONCE(!chanctx_conf)) {
+ rcu_read_unlock();
+ return NULL;
+ }
+--
+2.20.1
+
--- /dev/null
+From 14efb7e864ffdc5c5752eaf0d5baad77066aa8f2 Mon Sep 17 00:00:00 2001
+From: Mariusz Tkaczyk <mariusz.tkaczyk@intel.com>
+Date: Thu, 13 Jun 2019 16:11:41 +0200
+Subject: md: fix for divide error in status_resync
+
+[ Upstream commit 9642fa73d073527b0cbc337cc17a47d545d82cd2 ]
+
+Stopping external metadata arrays during resync/recovery causes
+retries, loop of interrupting and starting reconstruction, until it
+hit at good moment to stop completely. While these retries
+curr_mark_cnt can be small- especially on HDD drives, so subtraction
+result can be smaller than 0. However it is casted to uint without
+checking. As a result of it the status bar in /proc/mdstat while stopping
+is strange (it jumps between 0% and 99%).
+
+The real problem occurs here after commit 72deb455b5ec ("block: remove
+CONFIG_LBDAF"). Sector_div() macro has been changed, now the
+divisor is casted to uint32. For db = -8 the divisior(db/32-1) becomes 0.
+
+Check if db value can be really counted and replace these macro by
+div64_u64() inline.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@intel.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 295ff09cff4c..84aec3647994 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7617,9 +7617,9 @@ static void status_unused(struct seq_file *seq)
+ static int status_resync(struct seq_file *seq, struct mddev *mddev)
+ {
+ sector_t max_sectors, resync, res;
+- unsigned long dt, db;
+- sector_t rt;
+- int scale;
++ unsigned long dt, db = 0;
++ sector_t rt, curr_mark_cnt, resync_mark_cnt;
++ int scale, recovery_active;
+ unsigned int per_milli;
+
+ if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) ||
+@@ -7708,22 +7708,30 @@ static int status_resync(struct seq_file *seq, struct mddev *mddev)
+ * db: blocks written from mark until now
+ * rt: remaining time
+ *
+- * rt is a sector_t, so could be 32bit or 64bit.
+- * So we divide before multiply in case it is 32bit and close
+- * to the limit.
+- * We scale the divisor (db) by 32 to avoid losing precision
+- * near the end of resync when the number of remaining sectors
+- * is close to 'db'.
+- * We then divide rt by 32 after multiplying by db to compensate.
+- * The '+1' avoids division by zero if db is very small.
++ * rt is a sector_t, which is always 64bit now. We are keeping
++ * the original algorithm, but it is not really necessary.
++ *
++ * Original algorithm:
++ * So we divide before multiply in case it is 32bit and close
++ * to the limit.
++ * We scale the divisor (db) by 32 to avoid losing precision
++ * near the end of resync when the number of remaining sectors
++ * is close to 'db'.
++ * We then divide rt by 32 after multiplying by db to compensate.
++ * The '+1' avoids division by zero if db is very small.
+ */
+ dt = ((jiffies - mddev->resync_mark) / HZ);
+ if (!dt) dt++;
+- db = (mddev->curr_mark_cnt - atomic_read(&mddev->recovery_active))
+- - mddev->resync_mark_cnt;
++
++ curr_mark_cnt = mddev->curr_mark_cnt;
++ recovery_active = atomic_read(&mddev->recovery_active);
++ resync_mark_cnt = mddev->resync_mark_cnt;
++
++ if (curr_mark_cnt >= (recovery_active + resync_mark_cnt))
++ db = curr_mark_cnt - (recovery_active + resync_mark_cnt);
+
+ rt = max_sectors - resync; /* number of remaining sectors */
+- sector_div(rt, db/32+1);
++ rt = div64_u64(rt, db/32+1);
+ rt *= dt;
+ rt >>= 5;
+
+--
+2.20.1
+
--- /dev/null
+From 03a988bb08a79f2f8a8ef106781386ce01af2bf2 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 11 Jun 2019 10:19:46 +0300
+Subject: mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed
+
+[ Upstream commit 4b14cc313f076c37b646cee06a85f0db59cf216c ]
+
+When PVID is removed from a bridge port, the Linux bridge drops both
+untagged and prio-tagged packets. Align mlxsw with this behavior.
+
+Fixes: 148f472da5db ("mlxsw: reg: Add the Switch Port Acceptable Frame Types register")
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+index eb4c5e8964cd..5865597577d6 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -997,7 +997,7 @@ static inline void mlxsw_reg_spaft_pack(char *payload, u8 local_port,
+ MLXSW_REG_ZERO(spaft, payload);
+ mlxsw_reg_spaft_local_port_set(payload, local_port);
+ mlxsw_reg_spaft_allow_untagged_set(payload, allow_untagged);
+- mlxsw_reg_spaft_allow_prio_tagged_set(payload, true);
++ mlxsw_reg_spaft_allow_prio_tagged_set(payload, allow_untagged);
+ mlxsw_reg_spaft_allow_tagged_set(payload, true);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 995272940e1cb2e4d8e7716d671198026316f0ca Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Tue, 11 Jun 2019 22:03:43 +0200
+Subject: mmc: core: complete HS400 before checking status
+
+[ Upstream commit b0e370b95a3b231d0fb5d1958cce85ef57196fe6 ]
+
+We don't have a reproducible error case, yet our BSP team suggested that
+the mmc_switch_status() command in mmc_select_hs400() should come after
+the callback into the driver completing HS400 setup. It makes sense to
+me because we want the status of a fully setup HS400, so it will
+increase the reliability of the mmc_switch_status() command.
+
+Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Fixes: ba6c7ac3a2f4 ("mmc: core: more fine-grained hooks for HS400 tuning")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/mmc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
+index 3e786ba204c3..671bfcceea6a 100644
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1212,13 +1212,13 @@ static int mmc_select_hs400(struct mmc_card *card)
+ mmc_set_timing(host, MMC_TIMING_MMC_HS400);
+ mmc_set_bus_speed(card);
+
++ if (host->ops->hs400_complete)
++ host->ops->hs400_complete(host);
++
+ err = mmc_switch_status(card);
+ if (err)
+ goto out_err;
+
+- if (host->ops->hs400_complete)
+- host->ops->hs400_complete(host);
+-
+ return 0;
+
+ out_err:
+--
+2.20.1
+
--- /dev/null
+From 2d464e73695bd93fc20bc9296004d7cee8bc6c58 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 31 May 2019 15:18:41 +0200
+Subject: mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
+
+[ Upstream commit 69ae4f6aac1578575126319d3f55550e7e440449 ]
+
+A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
+unconditionally, which may lead to either buffer overflow or read over
+boundary.
+
+This patch addresses the issues by checking the read size and the
+destination size at each place more properly. Along with the fixes,
+the patch cleans up the code slightly by introducing a temporary
+variable for the token size, and unifies the error path with the
+standard goto statement.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/ie.c | 47 +++++++++++++++--------
+ 1 file changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c
+index 6845eb57b39a..653d347a9a19 100644
+--- a/drivers/net/wireless/marvell/mwifiex/ie.c
++++ b/drivers/net/wireless/marvell/mwifiex/ie.c
+@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
+ struct ieee80211_vendor_ie *vendorhdr;
+ u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
+ int left_len, parsed_len = 0;
++ unsigned int token_len;
++ int err = 0;
+
+ if (!info->tail || !info->tail_len)
+ return 0;
+@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
+ */
+ while (left_len > sizeof(struct ieee_types_header)) {
+ hdr = (void *)(info->tail + parsed_len);
++ token_len = hdr->len + sizeof(struct ieee_types_header);
++ if (token_len > left_len) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ switch (hdr->element_id) {
+ case WLAN_EID_SSID:
+ case WLAN_EID_SUPP_RATES:
+@@ -361,17 +369,20 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
+ if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
+ WLAN_OUI_TYPE_MICROSOFT_WMM,
+ (const u8 *)hdr,
+- hdr->len + sizeof(struct ieee_types_header)))
++ token_len))
+ break;
+ /* fall through */
+ default:
+- memcpy(gen_ie->ie_buffer + ie_len, hdr,
+- hdr->len + sizeof(struct ieee_types_header));
+- ie_len += hdr->len + sizeof(struct ieee_types_header);
++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++ err = -EINVAL;
++ goto out;
++ }
++ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len);
++ ie_len += token_len;
+ break;
+ }
+- left_len -= hdr->len + sizeof(struct ieee_types_header);
+- parsed_len += hdr->len + sizeof(struct ieee_types_header);
++ left_len -= token_len;
++ parsed_len += token_len;
+ }
+
+ /* parse only WPA vendor IE from tail, WMM IE is configured by
+@@ -381,15 +392,17 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
+ WLAN_OUI_TYPE_MICROSOFT_WPA,
+ info->tail, info->tail_len);
+ if (vendorhdr) {
+- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr,
+- vendorhdr->len + sizeof(struct ieee_types_header));
+- ie_len += vendorhdr->len + sizeof(struct ieee_types_header);
++ token_len = vendorhdr->len + sizeof(struct ieee_types_header);
++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++ err = -EINVAL;
++ goto out;
++ }
++ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len);
++ ie_len += token_len;
+ }
+
+- if (!ie_len) {
+- kfree(gen_ie);
+- return 0;
+- }
++ if (!ie_len)
++ goto out;
+
+ gen_ie->ie_index = cpu_to_le16(gen_idx);
+ gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON |
+@@ -399,13 +412,15 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
+
+ if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL,
+ NULL, NULL)) {
+- kfree(gen_ie);
+- return -1;
++ err = -EINVAL;
++ goto out;
+ }
+
+ priv->gen_idx = gen_idx;
++
++ out:
+ kfree(gen_ie);
+- return 0;
++ return err;
+ }
+
+ /* This function parses different IEs-head & tail IEs, beacon IEs,
+--
+2.20.1
+
--- /dev/null
+From b066993f350be97a80ed1acdccf4280bbe10a3f0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:19 +0200
+Subject: mwifiex: Fix possible buffer overflows at parsing bss descriptor
+
+[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ]
+
+mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
+a couple places without checking the destination size. Since the
+source is given from user-space, this may trigger a heap buffer
+overflow.
+
+Fix it by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-3846.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 935778ec9a1b..64ab6fe78c0d 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ }
+ switch (element_id) {
+ case WLAN_EID_SSID:
++ if (element_len > IEEE80211_MAX_SSID_LEN)
++ return -EINVAL;
+ bss_entry->ssid.ssid_len = element_len;
+ memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
+ element_len);
+@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_SUPP_RATES:
++ if (element_len > MWIFIEX_SUPPORTED_RATES)
++ return -EINVAL;
+ memcpy(bss_entry->data_rates, current_ptr + 2,
+ element_len);
+ memcpy(bss_entry->supported_rates, current_ptr + 2,
+--
+2.20.1
+
--- /dev/null
+From 65edea920e1becec18f002e2416b65942d7895e2 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Wed, 19 Jun 2019 10:02:13 +0000
+Subject: net: dsa: mv88e6xxx: fix shift of FID bits in
+ mv88e6185_g1_vtu_loadpurge()
+
+[ Upstream commit 48620e341659f6e4b978ec229f6944dabe6df709 ]
+
+The comment is correct, but the code ends up moving the bits four
+places too far, into the VTUOp field.
+
+Fixes: 11ea809f1a74 (net: dsa: mv88e6xxx: support 256 databases)
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/global1_vtu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/global1_vtu.c b/drivers/net/dsa/mv88e6xxx/global1_vtu.c
+index 058326924f3e..7a6667e0b9f9 100644
+--- a/drivers/net/dsa/mv88e6xxx/global1_vtu.c
++++ b/drivers/net/dsa/mv88e6xxx/global1_vtu.c
+@@ -419,7 +419,7 @@ int mv88e6185_g1_vtu_loadpurge(struct mv88e6xxx_chip *chip,
+ * VTU DBNum[7:4] are located in VTU Operation 11:8
+ */
+ op |= entry->fid & 0x000f;
+- op |= (entry->fid & 0x00f0) << 8;
++ op |= (entry->fid & 0x00f0) << 4;
+ }
+
+ return mv88e6xxx_g1_vtu_op(chip, op);
+--
+2.20.1
+
--- /dev/null
+From 07476a0c8c070b1ae6c86e979af34882d95c2162 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 17 Jun 2019 17:12:49 +0100
+Subject: net: lio_core: fix potential sign-extension overflow on large shift
+
+[ Upstream commit 9476274093a0e79b905f4cd6cf6d149f65e02c17 ]
+
+Left shifting the signed int value 1 by 31 bits has undefined behaviour
+and the shift amount oq_no can be as much as 63. Fix this by using
+BIT_ULL(oq_no) instead.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/lio_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/lio_core.c b/drivers/net/ethernet/cavium/liquidio/lio_core.c
+index 1c50c10b5a16..d7e805749a5b 100644
+--- a/drivers/net/ethernet/cavium/liquidio/lio_core.c
++++ b/drivers/net/ethernet/cavium/liquidio/lio_core.c
+@@ -964,7 +964,7 @@ static void liquidio_schedule_droq_pkt_handlers(struct octeon_device *oct)
+
+ if (droq->ops.poll_mode) {
+ droq->ops.napi_fn(droq);
+- oct_priv->napi_mask |= (1 << oq_no);
++ oct_priv->napi_mask |= BIT_ULL(oq_no);
+ } else {
+ tasklet_schedule(&oct_priv->droq_tasklet);
+ }
+--
+2.20.1
+
--- /dev/null
+From bd8b486a0656fb799c7eec577a848d3541d14aac Mon Sep 17 00:00:00 2001
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Fri, 7 Jun 2019 17:37:34 +1200
+Subject: net: phy: rename Asix Electronics PHY driver
+
+[ Upstream commit a9520543b123bbd7275a0ab8d0375a5412683b41 ]
+
+[Resent to net instead of net-next - may clash with Anders Roxell's patch
+series addressing duplicate module names]
+
+Commit 31dd83b96641 ("net-next: phy: new Asix Electronics PHY driver")
+introduced a new PHY driver drivers/net/phy/asix.c that causes a module
+name conflict with a pre-existiting driver (drivers/net/usb/asix.c).
+
+The PHY driver is used by the X-Surf 100 ethernet card driver, and loaded
+by that driver via its PHY ID. A rename of the driver looks unproblematic.
+
+Rename PHY driver to ax88796b.c in order to resolve name conflict.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Fixes: 31dd83b96641 ("net-next: phy: new Asix Electronics PHY driver")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/8390/Kconfig | 2 +-
+ drivers/net/phy/Kconfig | 2 +-
+ drivers/net/phy/Makefile | 2 +-
+ drivers/net/phy/{asix.c => ax88796b.c} | 0
+ 4 files changed, 3 insertions(+), 3 deletions(-)
+ rename drivers/net/phy/{asix.c => ax88796b.c} (100%)
+
+diff --git a/drivers/net/ethernet/8390/Kconfig b/drivers/net/ethernet/8390/Kconfig
+index f2f0264c58ba..443b34e2725f 100644
+--- a/drivers/net/ethernet/8390/Kconfig
++++ b/drivers/net/ethernet/8390/Kconfig
+@@ -49,7 +49,7 @@ config XSURF100
+ tristate "Amiga XSurf 100 AX88796/NE2000 clone support"
+ depends on ZORRO
+ select AX88796
+- select ASIX_PHY
++ select AX88796B_PHY
+ help
+ This driver is for the Individual Computers X-Surf 100 Ethernet
+ card (based on the Asix AX88796 chip). If you have such a card,
+diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
+index 520657945b82..b0c13f8c2b62 100644
+--- a/drivers/net/phy/Kconfig
++++ b/drivers/net/phy/Kconfig
+@@ -242,7 +242,7 @@ config AQUANTIA_PHY
+ ---help---
+ Currently supports the Aquantia AQ1202, AQ2104, AQR105, AQR405
+
+-config ASIX_PHY
++config AX88796B_PHY
+ tristate "Asix PHYs"
+ help
+ Currently supports the Asix Electronics PHY found in the X-Surf 100
+diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
+index ece5dae67174..6d44ab91fbf6 100644
+--- a/drivers/net/phy/Makefile
++++ b/drivers/net/phy/Makefile
+@@ -51,7 +51,7 @@ ifdef CONFIG_HWMON
+ aquantia-objs += aquantia_hwmon.o
+ endif
+ obj-$(CONFIG_AQUANTIA_PHY) += aquantia.o
+-obj-$(CONFIG_ASIX_PHY) += asix.o
++obj-$(CONFIG_AX88796B_PHY) += ax88796b.o
+ obj-$(CONFIG_AT803X_PHY) += at803x.o
+ obj-$(CONFIG_BCM63XX_PHY) += bcm63xx.o
+ obj-$(CONFIG_BCM7XXX_PHY) += bcm7xxx.o
+diff --git a/drivers/net/phy/asix.c b/drivers/net/phy/ax88796b.c
+similarity index 100%
+rename from drivers/net/phy/asix.c
+rename to drivers/net/phy/ax88796b.c
+--
+2.20.1
+
--- /dev/null
+From 0d31d83dba286431d9a021aa8a44caaf043996d1 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Thu, 6 Jun 2019 18:04:00 +0200
+Subject: netfilter: ipv6: nf_defrag: accept duplicate fragments again
+
+[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]
+
+When fixing the skb leak introduced by the conversion to rbtree, I
+forgot about the special case of duplicate fragments. The condition
+under the 'insert_error' label isn't effective anymore as
+nf_ct_frg6_gather() doesn't override the returned value anymore. So
+duplicate fragments now get NF_DROP verdict.
+
+To accept duplicate fragments again, handle them specially as soon as
+inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
+translate to NF_STOLEN verdict, like any accepted fragment. However,
+such packets don't carry any new information and aren't queued, so we
+just drop them immediately.
+
+Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index 5b3f65e29b6f..8951de8b568f 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -265,8 +265,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+
+ prev = fq->q.fragments_tail;
+ err = inet_frag_queue_insert(&fq->q, skb, offset, end);
+- if (err)
++ if (err) {
++ if (err == IPFRAG_DUP) {
++ /* No error for duplicates, pretend they got queued. */
++ kfree_skb(skb);
++ return -EINPROGRESS;
++ }
+ goto insert_error;
++ }
+
+ if (dev)
+ fq->iif = dev->ifindex;
+@@ -304,8 +310,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+ return -EINPROGRESS;
+
+ insert_error:
+- if (err == IPFRAG_DUP)
+- goto err;
+ inet_frag_kill(&fq->q);
+ err:
+ skb_dst_drop(skb);
+--
+2.20.1
+
--- /dev/null
+From 91a2740ed9480732eb178c280205fbffa3993cf7 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sun, 2 Jun 2019 15:13:47 +0200
+Subject: netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
+
+[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]
+
+With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
+nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
+nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
+after the skb has been added to the fragment queue and
+nf_ct_frag6_gather() was adapted to handle this case.
+
+But nf_ct_frag6_queue() can still fail before the fragment has been
+queued. nf_ct_frag6_gather() can't handle this case anymore, because it
+has no way to know if nf_ct_frag6_queue() queued the fragment before
+failing. If it didn't, the skb is lost as the error code is overwritten
+with -EINPROGRESS.
+
+Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
+that nf_ct_frag6_gather() can propagate the error as is.
+
+Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index 3de0e9b0a482..5b3f65e29b6f 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -293,7 +293,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+ skb->_skb_refdst = 0UL;
+ err = nf_ct_frag6_reasm(fq, skb, prev, dev);
+ skb->_skb_refdst = orefdst;
+- return err;
++
++ /* After queue has assumed skb ownership, only 0 or
++ * -EINPROGRESS must be returned.
++ */
++ return err ? -EINPROGRESS : 0;
+ }
+
+ skb_dst_drop(skb);
+@@ -480,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
+ ret = 0;
+ }
+
+- /* after queue has assumed skb ownership, only 0 or -EINPROGRESS
+- * must be returned.
+- */
+- if (ret)
+- ret = -EINPROGRESS;
+-
+ spin_unlock_bh(&fq->q.lock);
+ inet_frag_put(&fq->q);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From d77eea744013e0b3d7dd6879ada93ee7494be9e5 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 7 Jun 2019 06:37:30 -0400
+Subject: NFS4: Only set creation opendata if O_CREAT
+
+[ Upstream commit 909105199a682cb09c500acd443d34b182846c9c ]
+
+We can end up in nfs4_opendata_alloc during task exit, in which case
+current->fs has already been cleaned up. This leads to a crash in
+current_umask().
+
+Fix this by only setting creation opendata if we are actually doing an open
+with O_CREAT. We can drop the check for NULL nfs4_open_createattrs, since
+O_CREAT will never be set for the recovery path.
+
+Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index eeee100785a5..fd2c19eea647 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1234,10 +1234,20 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ atomic_inc(&sp->so_count);
+ p->o_arg.open_flags = flags;
+ p->o_arg.fmode = fmode & (FMODE_READ|FMODE_WRITE);
+- p->o_arg.umask = current_umask();
+ p->o_arg.claim = nfs4_map_atomic_open_claim(server, claim);
+ p->o_arg.share_access = nfs4_map_atomic_open_share(server,
+ fmode, flags);
++ if (flags & O_CREAT) {
++ p->o_arg.umask = current_umask();
++ p->o_arg.label = nfs4_label_copy(p->a_label, label);
++ if (c->sattr != NULL && c->sattr->ia_valid != 0) {
++ p->o_arg.u.attrs = &p->attrs;
++ memcpy(&p->attrs, c->sattr, sizeof(p->attrs));
++
++ memcpy(p->o_arg.u.verifier.data, c->verf,
++ sizeof(p->o_arg.u.verifier.data));
++ }
++ }
+ /* don't put an ACCESS op in OPEN compound if O_EXCL, because ACCESS
+ * will return permission denied for all bits until close */
+ if (!(flags & O_EXCL)) {
+@@ -1261,7 +1271,6 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ p->o_arg.server = server;
+ p->o_arg.bitmask = nfs4_bitmask(server, label);
+ p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0];
+- p->o_arg.label = nfs4_label_copy(p->a_label, label);
+ switch (p->o_arg.claim) {
+ case NFS4_OPEN_CLAIM_NULL:
+ case NFS4_OPEN_CLAIM_DELEGATE_CUR:
+@@ -1274,13 +1283,6 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ case NFS4_OPEN_CLAIM_DELEG_PREV_FH:
+ p->o_arg.fh = NFS_FH(d_inode(dentry));
+ }
+- if (c != NULL && c->sattr != NULL && c->sattr->ia_valid != 0) {
+- p->o_arg.u.attrs = &p->attrs;
+- memcpy(&p->attrs, c->sattr, sizeof(p->attrs));
+-
+- memcpy(p->o_arg.u.verifier.data, c->verf,
+- sizeof(p->o_arg.u.verifier.data));
+- }
+ p->c_arg.fh = &p->o_res.fh;
+ p->c_arg.stateid = &p->o_res.stateid;
+ p->c_arg.seqid = p->o_arg.seqid;
+--
+2.20.1
+
--- /dev/null
+From a90402f621e1b3c40134cd326033077c0272ce58 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 13 Jun 2019 10:24:46 +0200
+Subject: powerpc: enable a 30-bit ZONE_DMA for 32-bit pmac
+
+[ Upstream commit 9739ab7eda459f0669ec9807e0d9be5020bab88c ]
+
+With the strict dma mask checking introduced with the switch to
+the generic DMA direct code common wifi chips on 32-bit powerbooks
+stopped working. Add a 30-bit ZONE_DMA to the 32-bit pmac builds
+to allow them to reliably allocate dma coherent memory.
+
+Fixes: 65a21b71f948 ("powerpc/dma: remove dma_nommu_dma_supported")
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/page.h | 7 +++++++
+ arch/powerpc/mm/mem.c | 3 ++-
+ arch/powerpc/platforms/powermac/Kconfig | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
+index ed870468ef6f..d408711d09fb 100644
+--- a/arch/powerpc/include/asm/page.h
++++ b/arch/powerpc/include/asm/page.h
+@@ -330,6 +330,13 @@ struct vm_area_struct;
+ #endif /* __ASSEMBLY__ */
+ #include <asm/slice.h>
+
++/*
++ * Allow 30-bit DMA for very limited Broadcom wifi chips on many powerbooks.
++ */
++#ifdef CONFIG_PPC32
++#define ARCH_ZONE_DMA_BITS 30
++#else
+ #define ARCH_ZONE_DMA_BITS 31
++#endif
+
+ #endif /* _ASM_POWERPC_PAGE_H */
+diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
+index f6787f90e158..b98ce400a889 100644
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -255,7 +255,8 @@ void __init paging_init(void)
+ (long int)((top_of_ram - total_ram) >> 20));
+
+ #ifdef CONFIG_ZONE_DMA
+- max_zone_pfns[ZONE_DMA] = min(max_low_pfn, 0x7fffffffUL >> PAGE_SHIFT);
++ max_zone_pfns[ZONE_DMA] = min(max_low_pfn,
++ ((1UL << ARCH_ZONE_DMA_BITS) - 1) >> PAGE_SHIFT);
+ #endif
+ max_zone_pfns[ZONE_NORMAL] = max_low_pfn;
+ #ifdef CONFIG_HIGHMEM
+diff --git a/arch/powerpc/platforms/powermac/Kconfig b/arch/powerpc/platforms/powermac/Kconfig
+index f834a19ed772..c02d8c503b29 100644
+--- a/arch/powerpc/platforms/powermac/Kconfig
++++ b/arch/powerpc/platforms/powermac/Kconfig
+@@ -7,6 +7,7 @@ config PPC_PMAC
+ select PPC_INDIRECT_PCI if PPC32
+ select PPC_MPC106 if PPC32
+ select PPC_NATIVE
++ select ZONE_DMA if PPC32
+ default y
+
+ config PPC_PMAC64
+--
+2.20.1
+
--- /dev/null
+From 75e678a80d6a8c64862b49319acef4e175c83a66 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Wed, 12 Jun 2019 19:02:13 +0200
+Subject: qmi_wwan: add support for QMAP padding in the RX path
+
+[ Upstream commit 61356088ace1866a847a727d4d40da7bf00b67fc ]
+
+The QMAP code in the qmi_wwan driver is based on the CodeAurora GobiNet
+driver which does not process QMAP padding in the RX path correctly.
+Add support for QMAP padding to qmimux_rx_fixup() according to the
+description of the rmnet driver.
+
+Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
+Cc: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index e657d8947125..090227118d3d 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -153,7 +153,7 @@ static bool qmimux_has_slaves(struct usbnet *dev)
+
+ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ {
+- unsigned int len, offset = 0;
++ unsigned int len, offset = 0, pad_len, pkt_len;
+ struct qmimux_hdr *hdr;
+ struct net_device *net;
+ struct sk_buff *skbn;
+@@ -171,10 +171,16 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ if (hdr->pad & 0x80)
+ goto skip;
+
++ /* extract padding length and check for valid length info */
++ pad_len = hdr->pad & 0x3f;
++ if (len == 0 || pad_len >= len)
++ goto skip;
++ pkt_len = len - pad_len;
++
+ net = qmimux_find_dev(dev, hdr->mux_id);
+ if (!net)
+ goto skip;
+- skbn = netdev_alloc_skb(net, len);
++ skbn = netdev_alloc_skb(net, pkt_len);
+ if (!skbn)
+ return 0;
+ skbn->dev = net;
+@@ -191,7 +197,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ goto skip;
+ }
+
+- skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, len);
++ skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, pkt_len);
+ if (netif_rx(skbn) != NET_RX_SUCCESS)
+ return 0;
+
+--
+2.20.1
+
--- /dev/null
+From a89f79c84aded835fbe29b44b85629bea19ce476 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Wed, 12 Jun 2019 19:03:15 +0200
+Subject: qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode
+
+[ Upstream commit a8fdde1cb830e560208af42b6c10750137f53eb3 ]
+
+Switch qmimux_unregister_device() and qmi_wwan_disconnect() to
+use unregister_netdevice_queue() and unregister_netdevice_many()
+instead of unregister_netdevice(). This avoids RCU stalls which
+have been observed on device disconnect in certain setups otherwise.
+
+Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
+Cc: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 090227118d3d..44ada5c38756 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -247,13 +247,14 @@ static int qmimux_register_device(struct net_device *real_dev, u8 mux_id)
+ return err;
+ }
+
+-static void qmimux_unregister_device(struct net_device *dev)
++static void qmimux_unregister_device(struct net_device *dev,
++ struct list_head *head)
+ {
+ struct qmimux_priv *priv = netdev_priv(dev);
+ struct net_device *real_dev = priv->real_dev;
+
+ netdev_upper_dev_unlink(real_dev, dev);
+- unregister_netdevice(dev);
++ unregister_netdevice_queue(dev, head);
+
+ /* Get rid of the reference to real_dev */
+ dev_put(real_dev);
+@@ -424,7 +425,7 @@ static ssize_t del_mux_store(struct device *d, struct device_attribute *attr, c
+ ret = -EINVAL;
+ goto err;
+ }
+- qmimux_unregister_device(del_dev);
++ qmimux_unregister_device(del_dev, NULL);
+
+ if (!qmimux_has_slaves(dev))
+ info->flags &= ~QMI_WWAN_FLAG_MUX;
+@@ -1434,6 +1435,7 @@ static void qmi_wwan_disconnect(struct usb_interface *intf)
+ struct qmi_wwan_state *info;
+ struct list_head *iter;
+ struct net_device *ldev;
++ LIST_HEAD(list);
+
+ /* called twice if separate control and data intf */
+ if (!dev)
+@@ -1446,8 +1448,9 @@ static void qmi_wwan_disconnect(struct usb_interface *intf)
+ }
+ rcu_read_lock();
+ netdev_for_each_upper_dev_rcu(dev->net, ldev, iter)
+- qmimux_unregister_device(ldev);
++ qmimux_unregister_device(ldev, &list);
+ rcu_read_unlock();
++ unregister_netdevice_many(&list);
+ rtnl_unlock();
+ info->flags &= ~QMI_WWAN_FLAG_MUX;
+ }
+--
+2.20.1
+
--- /dev/null
+From 4702c028ec6dbdc2647cb04001f74cd0e3a2f157 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Wed, 12 Jun 2019 19:03:50 +0200
+Subject: qmi_wwan: extend permitted QMAP mux_id value range
+
+[ Upstream commit 36815b416fa48766ac5a98e4b2dc3ebc5887222e ]
+
+Permit mux_id values up to 254 to be used in qmimux_register_device()
+for compatibility with ip(8) and the rmnet driver.
+
+Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
+Cc: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-class-net-qmi | 4 ++--
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-class-net-qmi b/Documentation/ABI/testing/sysfs-class-net-qmi
+index 7122d6264c49..c310db4ccbc2 100644
+--- a/Documentation/ABI/testing/sysfs-class-net-qmi
++++ b/Documentation/ABI/testing/sysfs-class-net-qmi
+@@ -29,7 +29,7 @@ Contact: Bjørn Mork <bjorn@mork.no>
+ Description:
+ Unsigned integer.
+
+- Write a number ranging from 1 to 127 to add a qmap mux
++ Write a number ranging from 1 to 254 to add a qmap mux
+ based network device, supported by recent Qualcomm based
+ modems.
+
+@@ -46,5 +46,5 @@ Contact: Bjørn Mork <bjorn@mork.no>
+ Description:
+ Unsigned integer.
+
+- Write a number ranging from 1 to 127 to delete a previously
++ Write a number ranging from 1 to 254 to delete a previously
+ created qmap mux based network device.
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 44ada5c38756..128c8a327d8e 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -363,8 +363,8 @@ static ssize_t add_mux_store(struct device *d, struct device_attribute *attr, c
+ if (kstrtou8(buf, 0, &mux_id))
+ return -EINVAL;
+
+- /* mux_id [1 - 0x7f] range empirically found */
+- if (mux_id < 1 || mux_id > 0x7f)
++ /* mux_id [1 - 254] for compatibility with ip(8) and the rmnet driver */
++ if (mux_id < 1 || mux_id > 254)
+ return -EINVAL;
+
+ if (!rtnl_trylock())
+--
+2.20.1
+
--- /dev/null
+From fd275848f7fda7b61524be7d83b0c87a600f1b2a Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Tue, 26 Mar 2019 22:00:02 +0800
+Subject: quota: fix a problem about transfer quota
+
+[ Upstream commit c6d9c35d16f1bafd3fec64b865e569e48cbcb514 ]
+
+Run below script as root, dquot_add_space will return -EDQUOT since
+__dquot_transfer call dquot_add_space with flags=0, and dquot_add_space
+think it's a preallocation. Fix it by set flags as DQUOT_SPACE_WARN.
+
+mkfs.ext4 -O quota,project /dev/vdb
+mount -o prjquota /dev/vdb /mnt
+setquota -P 23 1 1 0 0 /dev/vdb
+dd if=/dev/zero of=/mnt/test-file bs=4K count=1
+chattr -p 23 test-file
+
+Fixes: 7b9ca4c61bc2 ("quota: Reduce contention on dq_data_lock")
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index fc20e06c56ba..dd1783ea7003 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -1993,8 +1993,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to)
+ &warn_to[cnt]);
+ if (ret)
+ goto over_quota;
+- ret = dquot_add_space(transfer_to[cnt], cur_space, rsv_space, 0,
+- &warn_to[cnt]);
++ ret = dquot_add_space(transfer_to[cnt], cur_space, rsv_space,
++ DQUOT_SPACE_WARN, &warn_to[cnt]);
+ if (ret) {
+ spin_lock(&transfer_to[cnt]->dq_dqb_lock);
+ dquot_decr_inodes(transfer_to[cnt], inode_usage);
+--
+2.20.1
+
--- /dev/null
+From b5f01a89118b437872be34e47c050a3686872de2 Mon Sep 17 00:00:00 2001
+From: Kevin Hilman <khilman@baylibre.com>
+Date: Wed, 5 Jun 2019 10:50:42 -0700
+Subject: RISC-V: defconfig: enable clocks, serial console
+
+[ Upstream commit 3b025f2bc98973f181d926192b0ceb6ced0f86d2 ]
+
+Enable PRCI clock driver and serial console by default, so the default
+upstream defconfig is bootable to a serial console.
+
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/configs/defconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/riscv/configs/defconfig b/arch/riscv/configs/defconfig
+index 2fd3461e50ab..4f02967e55de 100644
+--- a/arch/riscv/configs/defconfig
++++ b/arch/riscv/configs/defconfig
+@@ -49,6 +49,8 @@ CONFIG_SERIAL_8250=y
+ CONFIG_SERIAL_8250_CONSOLE=y
+ CONFIG_SERIAL_OF_PLATFORM=y
+ CONFIG_SERIAL_EARLYCON_RISCV_SBI=y
++CONFIG_SERIAL_SIFIVE=y
++CONFIG_SERIAL_SIFIVE_CONSOLE=y
+ CONFIG_HVC_RISCV_SBI=y
+ # CONFIG_PTP_1588_CLOCK is not set
+ CONFIG_DRM=y
+@@ -64,6 +66,8 @@ CONFIG_USB_OHCI_HCD_PLATFORM=y
+ CONFIG_USB_STORAGE=y
+ CONFIG_USB_UAS=y
+ CONFIG_VIRTIO_MMIO=y
++CONFIG_CLK_SIFIVE=y
++CONFIG_CLK_SIFIVE_FU540_PRCI=y
+ CONFIG_SIFIVE_PLIC=y
+ CONFIG_EXT4_FS=y
+ CONFIG_EXT4_FS_POSIX_ACL=y
+--
+2.20.1
+
--- /dev/null
+From 7697b4335603d55c1e143390359c88957020c3c0 Mon Sep 17 00:00:00 2001
+From: Nick Hu <nickhu@andestech.com>
+Date: Thu, 30 May 2019 15:01:17 +0800
+Subject: riscv: Fix udelay in RV32.
+
+[ Upstream commit d0e1f2110a5eeb6e410b2dd37d98bc5b30da7bc7 ]
+
+In RV32, udelay would delay the wrong cycle. When it shifts right
+"UDELAY_SHIFT" bits, it either delays 0 cycle or 1 cycle. It only works
+correctly in RV64. Because the 'ucycles' always needs to be 64 bits
+variable.
+
+Signed-off-by: Nick Hu <nickhu@andestech.com>
+Reviewed-by: Palmer Dabbelt <palmer@sifive.com>
+[paul.walmsley@sifive.com: fixed minor spelling error]
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/lib/delay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/lib/delay.c b/arch/riscv/lib/delay.c
+index dce8ae24c6d3..ee6853c1e341 100644
+--- a/arch/riscv/lib/delay.c
++++ b/arch/riscv/lib/delay.c
+@@ -88,7 +88,7 @@ EXPORT_SYMBOL(__delay);
+
+ void udelay(unsigned long usecs)
+ {
+- unsigned long ucycles = usecs * lpj_fine * UDELAY_MULT;
++ u64 ucycles = (u64)usecs * lpj_fine * UDELAY_MULT;
+
+ if (unlikely(usecs > MAX_UDELAY_US)) {
+ __delay((u64)usecs * riscv_timebase / 1000000ULL);
+--
+2.20.1
+
--- /dev/null
+From 8c518c2110e54edd8789953835bf54d47414aff5 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Tue, 4 Jun 2019 13:10:51 +0200
+Subject: s390/boot: disable address-of-packed-member warning
+
+[ Upstream commit f9364df30420987e77599c4789ec0065c609a507 ]
+
+Get rid of gcc9 warnings like this:
+
+arch/s390/boot/ipl_report.c: In function 'find_bootdata_space':
+arch/s390/boot/ipl_report.c:42:26: warning: taking address of packed member of 'struct ipl_rb_components' may result in an unaligned pointer value [-Waddress-of-packed-member]
+ 42 | for_each_rb_entry(comp, comps)
+ | ^~~~~
+
+This is effectively the s390 variant of commit 20c6c1890455
+("x86/boot: Disable the address-of-packed-member compiler warning").
+
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/s390/Makefile b/arch/s390/Makefile
+index e21053e5e0da..bbd2dab6730e 100644
+--- a/arch/s390/Makefile
++++ b/arch/s390/Makefile
+@@ -24,6 +24,7 @@ KBUILD_CFLAGS_DECOMPRESSOR += -DDISABLE_BRANCH_PROFILING -D__NO_FORTIFY
+ KBUILD_CFLAGS_DECOMPRESSOR += -fno-delete-null-pointer-checks -msoft-float
+ KBUILD_CFLAGS_DECOMPRESSOR += -fno-asynchronous-unwind-tables
+ KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-option,-ffreestanding)
++KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-disable-warning, address-of-packed-member)
+ KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO),-g)
+ KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO_DWARF4), $(call cc-option, -gdwarf-4,))
+ UTS_MACHINE := s390x
+--
+2.20.1
+
--- /dev/null
+From fe02bb66e930339c53695d9536f671d2b58e4ae3 Mon Sep 17 00:00:00 2001
+From: Chang-Hsien Tsai <luke.tw@gmail.com>
+Date: Sun, 19 May 2019 09:05:44 +0000
+Subject: samples, bpf: fix to change the buffer size for read()
+
+[ Upstream commit f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 ]
+
+If the trace for read is larger than 4096, the return
+value sz will be 4096. This results in off-by-one error
+on buf:
+
+ static char buf[4096];
+ ssize_t sz;
+
+ sz = read(trace_fd, buf, sizeof(buf));
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+ }
+
+Signed-off-by: Chang-Hsien Tsai <luke.tw@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/bpf_load.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index eae7b635343d..6e87cc831e84 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -678,7 +678,7 @@ void read_trace_pipe(void)
+ static char buf[4096];
+ ssize_t sz;
+
+- sz = read(trace_fd, buf, sizeof(buf));
++ sz = read(trace_fd, buf, sizeof(buf) - 1);
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+--
+2.20.1
+
--- /dev/null
+From d80560276fd0c3a419d3f53e6044ead8ded6c3cf Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@redhat.com>
+Date: Mon, 20 May 2019 23:49:38 +0200
+Subject: samples, bpf: suppress compiler warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a195cefff49f60054998333e81ee95170ce8bf92 ]
+
+GCC 9 fails to calculate the size of local constant strings and produces a
+false positive:
+
+samples/bpf/task_fd_query_user.c: In function ‘test_debug_fs_uprobe’:
+samples/bpf/task_fd_query_user.c:242:67: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 215 [-Wformat-truncation=]
+ 242 | snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s/id",
+ | ^~
+ 243 | event_type, event_alias);
+ | ~~~~~~~~~~~
+samples/bpf/task_fd_query_user.c:242:2: note: ‘snprintf’ output between 45 and 300 bytes into a destination of size 256
+ 242 | snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s/id",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 243 | event_type, event_alias);
+ | ~~~~~~~~~~~~~~~~~~~~~~~~
+
+Workaround this by lowering the buffer size to a reasonable value.
+Related GCC Bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83431
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/task_fd_query_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/task_fd_query_user.c b/samples/bpf/task_fd_query_user.c
+index aff2b4ae914e..e39938058223 100644
+--- a/samples/bpf/task_fd_query_user.c
++++ b/samples/bpf/task_fd_query_user.c
+@@ -216,7 +216,7 @@ static int test_debug_fs_uprobe(char *binary_path, long offset, bool is_return)
+ {
+ const char *event_type = "uprobe";
+ struct perf_event_attr attr = {};
+- char buf[256], event_alias[256];
++ char buf[256], event_alias[sizeof("test_1234567890")];
+ __u64 probe_offset, probe_addr;
+ __u32 len, prog_id, fd_type;
+ int err, res, kfd, efd;
+--
+2.20.1
+
--- /dev/null
+From c75bac3caca8ba3225fac97ce10279b30a516326 Mon Sep 17 00:00:00 2001
+From: Nilesh Javali <njavali@marvell.com>
+Date: Wed, 12 Jun 2019 01:05:41 -0700
+Subject: scsi: qedi: Check targetname while finding boot target information
+
+[ Upstream commit 1ac3549ed58cdfdaf43bbf31ac260e2381cc0dae ]
+
+The kernel panic was observed during iSCSI discovery via offload with below
+call trace,
+
+[ 2115.646901] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 2115.646909] IP: [<ffffffffacf7f0cc>] strncmp+0xc/0x60
+[ 2115.646927] PGD 0
+[ 2115.646932] Oops: 0000 [#1] SMP
+[ 2115.647107] CPU: 24 PID: 264 Comm: kworker/24:1 Kdump: loaded Tainted: G
+ OE ------------ 3.10.0-957.el7.x86_64 #1
+[ 2115.647133] Workqueue: slowpath-13:00. qed_slowpath_task [qed]
+[ 2115.647135] task: ffff8d66af80b0c0 ti: ffff8d66afb80000 task.ti: ffff8d66afb80000
+[ 2115.647136] RIP: 0010:[<ffffffffacf7f0cc>] [<ffffffffacf7f0cc>] strncmp+0xc/0x60
+[ 2115.647141] RSP: 0018:ffff8d66afb83c68 EFLAGS: 00010206
+[ 2115.647143] RAX: 0000000000000001 RBX: 0000000000000007 RCX: 000000000000000a
+[ 2115.647144] RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8d632b3ba040
+[ 2115.647145] RBP: ffff8d66afb83c68 R08: 0000000000000000 R09: 000000000000ffff
+[ 2115.647147] R10: 0000000000000007 R11: 0000000000000800 R12: ffff8d66a30007a0
+[ 2115.647148] R13: ffff8d66747a3c10 R14: ffff8d632b3ba000 R15: ffff8d66747a32f8
+[ 2115.647149] FS: 0000000000000000(0000) GS:ffff8d66aff00000(0000) knlGS:0000000000000000
+[ 2115.647151] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2115.647152] CR2: 0000000000000000 CR3: 0000000509610000 CR4: 00000000007607e0
+[ 2115.647153] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 2115.647154] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 2115.647155] PKRU: 00000000
+[ 2115.647157] Call Trace:
+[ 2115.647165] [<ffffffffc0634cc5>] qedi_get_protocol_tlv_data+0x2c5/0x510 [qedi]
+[ 2115.647184] [<ffffffffc05968f5>] ? qed_mfw_process_tlv_req+0x245/0xbe0 [qed]
+[ 2115.647195] [<ffffffffc05496cb>] qed_mfw_fill_tlv_data+0x4b/0xb0 [qed]
+[ 2115.647206] [<ffffffffc0596911>] qed_mfw_process_tlv_req+0x261/0xbe0 [qed]
+[ 2115.647215] [<ffffffffacce0e8e>] ? dequeue_task_fair+0x41e/0x660
+[ 2115.647221] [<ffffffffacc2a59e>] ? __switch_to+0xce/0x580
+[ 2115.647230] [<ffffffffc0546013>] qed_slowpath_task+0xa3/0x160 [qed]
+[ 2115.647278] RIP [<ffffffffacf7f0cc>] strncmp+0xc/0x60
+
+Fix kernel panic by validating the session targetname before providing TLV
+data and confirming the presence of boot targets.
+
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Chris Leech <cleech@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
+index e5db9a9954dc..a6ff7be0210a 100644
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -990,6 +990,9 @@ static int qedi_find_boot_info(struct qedi_ctx *qedi,
+ if (!iscsi_is_session_online(cls_sess))
+ continue;
+
++ if (!sess->targetname)
++ continue;
++
+ if (pri_ctrl_flags) {
+ if (!strcmp(pri_tgt->iscsi_name, sess->targetname) &&
+ !strcmp(pri_tgt->ip_addr, ep_ip_addr)) {
+--
+2.20.1
+
crypto-talitos-fix-hash-on-sec1.patch
crypto-lrw-use-correct-alignmask.patch
crypto-talitos-rename-alternative-aead-algos.patch
+arm-dts-dra76x-disable-rtc-target-module.patch
+arm-dts-dra76x-disable-usb4_tm-target-module.patch
+arm-dts-dra71x-disable-rtc-target-module.patch
+arm-dts-dra71x-disable-usb4_tm-target-module.patch
+soc-brcmstb-fix-error-path-for-unsupported-cpus.patch
+soc-bcm-brcmstb-biuctrl-register-writes-require-a-ba.patch
+input-elantech-enable-middle-button-support-on-2-thi.patch
+samples-bpf-fix-to-change-the-buffer-size-for-read.patch
+samples-bpf-suppress-compiler-warning.patch
+bpf-riscv-clear-target-register-high-32-bits-for-and.patch
+bpf-sockmap-restore-sk_write_space-when-psock-gets-d.patch
+mac80211-fix-rate-reporting-inside-cfg80211_calculat.patch
+bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch
+soundwire-stream-fix-out-of-boundary-access-on-port-.patch
+staging-iio-ad7150-fix-threshold-mode-config-bit.patch
+mac80211-mesh-fix-rcu-warning.patch
+mac80211-free-peer-keys-before-vif-down-in-mesh.patch
+arm-dts-drop-bogus-clksel-for-timer12-on-dra7.patch
+mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
+bpf-riscv-clear-high-32-bits-for-alu32-add-sub-neg-l.patch
+iwlwifi-fix-load-in-rfkill-flow-for-unified-firmware.patch
+iwlwifi-clear-persistence-bit-according-to-device-fa.patch
+iwlwifi-fix-ax201-killer-sku-loading-firmware-issue.patch
+iwlwifi-fix-double-free-problems-in-iwl_req_fw_callb.patch
+mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch
+netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch
+tools-bpftool-fix-json-output-when-lookup-fails.patch
+soundwire-stream-fix-bad-unlock-balance.patch
+soundwire-intel-set-dai-min-and-max-channels-correct.patch
+netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch
+dt-bindings-can-mcp251x-add-mcp25625-support.patch
+can-mcp251x-add-support-for-mcp25625.patch
+can-m_can-implement-errata-needless-activation-of-mr.patch
+can-af_can-fix-error-path-of-can_init.patch
+can-flexcan-remove-unneeded-registration-message.patch
+net-phy-rename-asix-electronics-phy-driver.patch
+ibmvnic-do-not-close-unopened-driver-during-reset.patch
+ibmvnic-refresh-device-multicast-list-after-reset.patch
+ibmvnic-fix-unchecked-return-codes-of-memory-allocat.patch
+arm-dts-am335x-phytec-boards-fix-cd-gpios-active-lev.patch
+s390-boot-disable-address-of-packed-member-warning.patch
+risc-v-defconfig-enable-clocks-serial-console.patch
+drm-vmwgfx-honor-the-sg-list-segment-size-limitation.patch
+drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch
+riscv-fix-udelay-in-rv32.patch
+input-imx_keypad-make-sure-keyboard-can-always-wake-.patch
+xdp-check-device-pointer-before-clearing.patch
+kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch
+mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch
+kvm-nvmx-use-correct-clean-fields-when-copying-from-.patch
+bpf-fix-div64-overflow-tests-to-properly-detect-erro.patch
+arm-davinci-da850-evm-call-regulator_has_full_constr.patch
+arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch
+gpu-ipu-v3-image-convert-fix-input-bytesperline-widt.patch
+gpu-ipu-v3-image-convert-fix-input-bytesperline-for-.patch
+gpu-ipu-v3-image-convert-fix-image-downsize-coeffici.patch
+mac80211-only-warn-once-on-chanctx_conf-being-null.patch
+mac80211-do-not-start-any-work-during-reconfigure-fl.patch
+cfg80211-util-fix-bit-count-off-by-one.patch
+cfg80211-report-measurement-start-tsf-correctly.patch
+bpf-devmap-fix-premature-entry-free-on-destroying-ma.patch
+bpf-devmap-add-missing-bulk-queue-free.patch
+bpf-devmap-add-missing-rcu-read-lock-on-flush.patch
+bpf-x64-fix-stack-layout-of-jited-bpf-code.patch
+qmi_wwan-add-support-for-qmap-padding-in-the-rx-path.patch
+qmi_wwan-avoid-rcu-stalls-on-device-disconnect-when-.patch
+qmi_wwan-extend-permitted-qmap-mux_id-value-range.patch
+mmc-core-complete-hs400-before-checking-status.patch
+ib-hfi1-create-inline-to-get-extended-headers.patch
+ib-hfi1-use-aborts-to-trigger-rc-throttling.patch
+ib-hfi1-wakeup-qps-orphaned-on-wait-list-after-flush.patch
+ib-hfi1-handle-wakeup-of-orphaned-qps-for-pio.patch
+ib-hfi1-handle-port-down-properly-in-pio.patch
+md-fix-for-divide-error-in-status_resync.patch
+bnx2x-check-if-transceiver-implements-ddm-before-acc.patch
+drm-return-efault-if-copy_to_user-fails.patch
+ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch
+net-lio_core-fix-potential-sign-extension-overflow-o.patch
+scsi-qedi-check-targetname-while-finding-boot-target.patch
+powerpc-enable-a-30-bit-zone_dma-for-32-bit-pmac.patch
+quota-fix-a-problem-about-transfer-quota.patch
+net-dsa-mv88e6xxx-fix-shift-of-fid-bits-in-mv88e6185.patch
+kvm-arm-arm64-fix-emulated-ptimer-irq-injection.patch
+nfs4-only-set-creation-opendata-if-o_creat.patch
--- /dev/null
+From a038789bee92eb62fee846544da1205070cca0fa Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 12 Apr 2019 10:15:26 -0700
+Subject: soc: bcm: brcmstb: biuctrl: Register writes require a barrier
+
+[ Upstream commit 6b23af0783a54efb348f0bd781b7850636023dbb ]
+
+The BIUCTRL register writes require that a data barrier be inserted
+after comitting the write to the register for the block to latch in the
+recently written values. Reads have no such requirement and are not
+changed.
+
+Fixes: 34642650e5bc ("soc: Move brcmstb to bcm/brcmstb")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/bcm/brcmstb/biuctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/bcm/brcmstb/biuctrl.c b/drivers/soc/bcm/brcmstb/biuctrl.c
+index c16273b31b94..20b63bee5b09 100644
+--- a/drivers/soc/bcm/brcmstb/biuctrl.c
++++ b/drivers/soc/bcm/brcmstb/biuctrl.c
+@@ -56,7 +56,7 @@ static inline void cbc_writel(u32 val, int reg)
+ if (offset == -1)
+ return;
+
+- writel_relaxed(val, cpubiuctrl_base + offset);
++ writel(val, cpubiuctrl_base + offset);
+ }
+
+ enum cpubiuctrl_regs {
+--
+2.20.1
+
--- /dev/null
+From 1bf5a85036c271f880a4782aeff75c3bb1c90a2a Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 7 Apr 2019 14:19:07 -0700
+Subject: soc: brcmstb: Fix error path for unsupported CPUs
+
+[ Upstream commit 490cad5a3ad6ef0bfd3168a5063140b982f3b22a ]
+
+In case setup_hifcpubiuctrl_regs() returns an error, because of e.g:
+an unsupported CPU type, just catch that error and return instead of
+blindly continuing with the initialization. This fixes a NULL pointer
+de-reference with the code continuing without having a proper array of
+registers to use.
+
+Fixes: 22f7a9116eba ("soc: brcmstb: Correct CPU_CREDIT_REG offset for Brahma-B53 CPUs")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/bcm/brcmstb/biuctrl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/bcm/brcmstb/biuctrl.c b/drivers/soc/bcm/brcmstb/biuctrl.c
+index 6d89ebf13b8a..c16273b31b94 100644
+--- a/drivers/soc/bcm/brcmstb/biuctrl.c
++++ b/drivers/soc/bcm/brcmstb/biuctrl.c
+@@ -246,7 +246,9 @@ static int __init brcmstb_biuctrl_init(void)
+ if (!np)
+ return 0;
+
+- setup_hifcpubiuctrl_regs(np);
++ ret = setup_hifcpubiuctrl_regs(np);
++ if (ret)
++ return ret;
+
+ ret = mcp_write_pairing_set();
+ if (ret) {
+--
+2.20.1
+
--- /dev/null
+From 42c27194246c68e8590330431e5a0ce0f25900e7 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Thu, 6 Jun 2019 12:23:04 +0100
+Subject: soundwire: intel: set dai min and max channels correctly
+
+[ Upstream commit 39194128701bf2af9bbc420ffe6e3cb5d2c16061 ]
+
+Looks like there is a copy paste error.
+This patch fixes it!
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/intel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c
+index fd8d034cfec1..5ba641858e21 100644
+--- a/drivers/soundwire/intel.c
++++ b/drivers/soundwire/intel.c
+@@ -714,8 +714,8 @@ static int intel_create_dai(struct sdw_cdns *cdns,
+ return -ENOMEM;
+ }
+
+- dais[i].playback.channels_min = 1;
+- dais[i].playback.channels_max = max_ch;
++ dais[i].capture.channels_min = 1;
++ dais[i].capture.channels_max = max_ch;
+ dais[i].capture.rates = SNDRV_PCM_RATE_48000;
+ dais[i].capture.formats = SNDRV_PCM_FMTBIT_S16_LE;
+ }
+--
+2.20.1
+
--- /dev/null
+From 348a82b76cbc22e51ecab0e8d81aa3ed3de8a385 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Thu, 6 Jun 2019 12:22:22 +0100
+Subject: soundwire: stream: fix bad unlock balance
+
+[ Upstream commit 9315d904c7e8f38886e2820fa6cb8d0fa723ea21 ]
+
+the msg lock is taken for multi-link cases only but released
+unconditionally, leading to an unlock balance warning for single-link usages
+This patch fixes this.
+
+ =====================================
+ WARNING: bad unlock balance detected!
+ 5.1.0-16506-gc1c383a6f0a2-dirty #1523 Tainted: G W
+ -------------------------------------
+ aplay/2954 is trying to release lock (&bus->msg_lock) at:
+ do_bank_switch+0x21c/0x480
+ but there are no more locks to release!
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Acked-by: Sanyog Kale <sanyog.r.kale@intel.com>
+[vkoul: edited the change log as suggested by Pierre]
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
+index 00618de2ee12..794ced434cf2 100644
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -805,7 +805,8 @@ static int do_bank_switch(struct sdw_stream_runtime *stream)
+ goto error;
+ }
+
+- mutex_unlock(&bus->msg_lock);
++ if (bus->multi_link)
++ mutex_unlock(&bus->msg_lock);
+ }
+
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 14781a4447be3f1ac706de8cc34e4f55fb9b27e7 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 22 May 2019 17:24:43 +0100
+Subject: soundwire: stream: fix out of boundary access on port properties
+
+[ Upstream commit 03ecad90d3798be11b033248bbd4bbff4425a1c7 ]
+
+Assigning local iterator to array element and using it again for
+indexing would cross the array boundary.
+Fix this by directly referring array element without using the local
+variable.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/stream.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
+index bd879b1a76c8..00618de2ee12 100644
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -1401,9 +1401,7 @@ struct sdw_dpn_prop *sdw_get_slave_dpn_prop(struct sdw_slave *slave,
+ }
+
+ for (i = 0; i < num_ports; i++) {
+- dpn_prop = &dpn_prop[i];
+-
+- if (dpn_prop->num == port_num)
++ if (dpn_prop[i].num == port_num)
+ return &dpn_prop[i];
+ }
+
+--
+2.20.1
+
--- /dev/null
+From a33c35e2b3caaf1159632fb374f97cf45193d928 Mon Sep 17 00:00:00 2001
+From: Melissa Wen <melissa.srw@gmail.com>
+Date: Sat, 18 May 2019 22:04:56 -0300
+Subject: staging:iio:ad7150: fix threshold mode config bit
+
+[ Upstream commit df4d737ee4d7205aaa6275158aeebff87fd14488 ]
+
+According to the AD7150 configuration register description, bit 7 assumes
+value 1 when the threshold mode is fixed and 0 when it is adaptive,
+however, the operation that identifies this mode was considering the
+opposite values.
+
+This patch renames the boolean variable to describe it correctly and
+properly replaces it in the places where it is used.
+
+Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.")
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/iio/cdc/ad7150.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/staging/iio/cdc/ad7150.c b/drivers/staging/iio/cdc/ad7150.c
+index 24f74ce60f80..14596aa7eaf1 100644
+--- a/drivers/staging/iio/cdc/ad7150.c
++++ b/drivers/staging/iio/cdc/ad7150.c
+@@ -6,6 +6,7 @@
+ * Licensed under the GPL-2 or later.
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/interrupt.h>
+ #include <linux/device.h>
+ #include <linux/kernel.h>
+@@ -131,7 +132,7 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev,
+ {
+ int ret;
+ u8 threshtype;
+- bool adaptive;
++ bool thrfixed;
+ struct ad7150_chip_info *chip = iio_priv(indio_dev);
+
+ ret = i2c_smbus_read_byte_data(chip->client, AD7150_CFG);
+@@ -139,21 +140,23 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev,
+ return ret;
+
+ threshtype = (ret >> 5) & 0x03;
+- adaptive = !!(ret & 0x80);
++
++ /*check if threshold mode is fixed or adaptive*/
++ thrfixed = FIELD_GET(AD7150_CFG_FIX, ret);
+
+ switch (type) {
+ case IIO_EV_TYPE_MAG_ADAPTIVE:
+ if (dir == IIO_EV_DIR_RISING)
+- return adaptive && (threshtype == 0x1);
+- return adaptive && (threshtype == 0x0);
++ return !thrfixed && (threshtype == 0x1);
++ return !thrfixed && (threshtype == 0x0);
+ case IIO_EV_TYPE_THRESH_ADAPTIVE:
+ if (dir == IIO_EV_DIR_RISING)
+- return adaptive && (threshtype == 0x3);
+- return adaptive && (threshtype == 0x2);
++ return !thrfixed && (threshtype == 0x3);
++ return !thrfixed && (threshtype == 0x2);
+ case IIO_EV_TYPE_THRESH:
+ if (dir == IIO_EV_DIR_RISING)
+- return !adaptive && (threshtype == 0x1);
+- return !adaptive && (threshtype == 0x0);
++ return thrfixed && (threshtype == 0x1);
++ return thrfixed && (threshtype == 0x0);
+ default:
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 12b1822498cf4da8f9bd07271367dadc1664a584 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <krzesimir@kinvolk.io>
+Date: Wed, 5 Jun 2019 21:17:06 +0200
+Subject: tools: bpftool: Fix JSON output when lookup fails
+
+[ Upstream commit 1884c066579a7a274dd981a4d9639ca63db66a23 ]
+
+In commit 9a5ab8bf1d6d ("tools: bpftool: turn err() and info() macros
+into functions") one case of error reporting was special cased, so it
+could report a lookup error for a specific key when dumping the map
+element. What the code forgot to do is to wrap the key and value keys
+into a JSON object, so an example output of pretty JSON dump of a
+sockhash map (which does not support looking up its values) is:
+
+[
+ "key": ["0x0a","0x41","0x00","0x02","0x1f","0x78","0x00","0x00"
+ ],
+ "value": {
+ "error": "Operation not supported"
+ },
+ "key": ["0x0a","0x41","0x00","0x02","0x1f","0x78","0x00","0x01"
+ ],
+ "value": {
+ "error": "Operation not supported"
+ }
+]
+
+Note the key-value pairs inside the toplevel array. They should be
+wrapped inside a JSON object, otherwise it is an invalid JSON. This
+commit fixes this, so the output now is:
+
+[{
+ "key": ["0x0a","0x41","0x00","0x02","0x1f","0x78","0x00","0x00"
+ ],
+ "value": {
+ "error": "Operation not supported"
+ }
+ },{
+ "key": ["0x0a","0x41","0x00","0x02","0x1f","0x78","0x00","0x01"
+ ],
+ "value": {
+ "error": "Operation not supported"
+ }
+ }
+]
+
+Fixes: 9a5ab8bf1d6d ("tools: bpftool: turn err() and info() macros into functions")
+Cc: Quentin Monnet <quentin.monnet@netronome.com>
+Signed-off-by: Krzesimir Nowak <krzesimir@kinvolk.io>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
+index 994a7e0d16fb..14f581b562bd 100644
+--- a/tools/bpf/bpftool/map.c
++++ b/tools/bpf/bpftool/map.c
+@@ -713,12 +713,14 @@ static int dump_map_elem(int fd, void *key, void *value,
+ return 0;
+
+ if (json_output) {
++ jsonw_start_object(json_wtr);
+ jsonw_name(json_wtr, "key");
+ print_hex_data_json(key, map_info->key_size);
+ jsonw_name(json_wtr, "value");
+ jsonw_start_object(json_wtr);
+ jsonw_string_field(json_wtr, "error", strerror(lookup_errno));
+ jsonw_end_object(json_wtr);
++ jsonw_end_object(json_wtr);
+ } else {
+ if (errno == ENOENT)
+ print_entry_plain(map_info, key, NULL);
+--
+2.20.1
+
--- /dev/null
+From 2c350358c3e38fdbe89ea96d15b95b8ffe97ad45 Mon Sep 17 00:00:00 2001
+From: Ilya Maximets <i.maximets@samsung.com>
+Date: Fri, 7 Jun 2019 20:27:32 +0300
+Subject: xdp: check device pointer before clearing
+
+[ Upstream commit 01d76b5317003e019ace561a9b775f51aafdfdc4 ]
+
+We should not call 'ndo_bpf()' or 'dev_put()' with NULL argument.
+
+Fixes: c9b47cc1fabc ("xsk: fix bug when trying to use both copy and zero-copy on one queue id")
+Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 989e52386c35..2f7e2c33a812 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -143,6 +143,9 @@ static void xdp_umem_clear_dev(struct xdp_umem *umem)
+ struct netdev_bpf bpf;
+ int err;
+
++ if (!umem->dev)
++ return;
++
+ if (umem->zc) {
+ bpf.command = XDP_SETUP_XSK_UMEM;
+ bpf.xsk.umem = NULL;
+@@ -156,11 +159,9 @@ static void xdp_umem_clear_dev(struct xdp_umem *umem)
+ WARN(1, "failed to disable umem!\n");
+ }
+
+- if (umem->dev) {
+- rtnl_lock();
+- xdp_clear_umem_at_qid(umem->dev, umem->queue_id);
+- rtnl_unlock();
+- }
++ rtnl_lock();
++ xdp_clear_umem_at_qid(umem->dev, umem->queue_id);
++ rtnl_unlock();
+
+ if (umem->zc) {
+ dev_put(umem->dev);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
