4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2019 05:54:59 +0000 (06:54 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2019 05:54:59 +0000 (06:54 +0100)
added patches:
alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
alsa-hda-ca0132-fix-possible-workqueue-stall.patch
cdc-ncm-handle-incomplete-transfer-of-mtu.patch
mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
net-fix-data-race-in-neigh_event_send.patch
nfc-fdp-fix-incorrect-free-object.patch
nfc-netlink-fix-double-device-reference-drop.patch
nfc-st21nfca-fix-double-free.patch
qede-fix-null-pointer-deref-in-__qede_remove.patch

queue-4.4/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch [new file with mode: 0644]
queue-4.4/alsa-hda-ca0132-fix-possible-workqueue-stall.patch [new file with mode: 0644]
queue-4.4/cdc-ncm-handle-incomplete-transfer-of-mtu.patch [new file with mode: 0644]
queue-4.4/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch [new file with mode: 0644]
queue-4.4/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch [new file with mode: 0644]
queue-4.4/net-fix-data-race-in-neigh_event_send.patch [new file with mode: 0644]
queue-4.4/nfc-fdp-fix-incorrect-free-object.patch [new file with mode: 0644]
queue-4.4/nfc-netlink-fix-double-device-reference-drop.patch [new file with mode: 0644]
queue-4.4/nfc-st21nfca-fix-double-free.patch [new file with mode: 0644]
queue-4.4/qede-fix-null-pointer-deref-in-__qede_remove.patch [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]

diff --git a/queue-4.4/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch b/queue-4.4/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
new file mode 100644 (file)
index 0000000..be9b3c4
--- /dev/null
@@ -0,0 +1,50 @@
+From 706ad6746a66546daf96d4e4a95e46faf6cf689a Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 3 Nov 2019 00:09:20 +0900
+Subject: ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream.
+
+For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents
+configured source of sampling clock. The next lowest 8 bits represents
+whether the configured source is actually detected or not just after
+the register is changed for the source.
+
+Current implementation evaluates whole the register to detect configured
+source. This results in failure due to the next lowest 8 bits when the
+source is connected in advance.
+
+This commit fixes the bug.
+
+Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series")
+Cc: <stable@vger.kernel.org> # v3.16+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_focusrite.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/firewire/bebob/bebob_focusrite.c
++++ b/sound/firewire/bebob/bebob_focusrite.c
+@@ -28,6 +28,8 @@
+ #define SAFFIRE_CLOCK_SOURCE_SPDIF            1
+ /* clock sources as returned from register of Saffire Pro 10 and 26 */
++#define SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK   0x000000ff
++#define SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK   0x0000ff00
+ #define SAFFIREPRO_CLOCK_SOURCE_INTERNAL      0
+ #define SAFFIREPRO_CLOCK_SOURCE_SKIP          1 /* never used on hardware */
+ #define SAFFIREPRO_CLOCK_SOURCE_SPDIF         2
+@@ -190,6 +192,7 @@ saffirepro_both_clk_src_get(struct snd_b
+               map = saffirepro_clk_maps[1];
+       /* In a case that this driver cannot handle the value of register. */
++      value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK;
+       if (value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0) {
+               err = -EIO;
+               goto end;
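Review bot: `SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK` is added at L73 but nothing in the hunk uses it, and the new `value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK;` at L80 is placed under the existing comment "In a case that this driver cannot handle the value of register.", which now describes only the `if` that follows. Since the reason for the mask is the one given in the description (bits 15:8 report detection, bits 7:0 select the source), the masking line deserves its own comment above it, e.g. `/* Bits 15:8 report whether the source is detected; only bits 7:0 select it. */`, and the unused DETECT_MASK should either be referenced or marked as documentation of that layout. The enclosing saffirepro_both_clk_src_get() starts and ends outside the hunk.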
diff --git a/queue-4.4/alsa-hda-ca0132-fix-possible-workqueue-stall.patch b/queue-4.4/alsa-hda-ca0132-fix-possible-workqueue-stall.patch
new file mode 100644 (file)
index 0000000..74aa1ff
--- /dev/null
@@ -0,0 +1,41 @@
+From 15c2b3cc09a31620914955cb2a89c277c18ee999 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 5 Nov 2019 14:43:16 +0100
+Subject: ALSA: hda/ca0132 - Fix possible workqueue stall
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream.
+
+The unsolicited event handler for the headphone jack on CA0132 codec
+driver tries to reschedule the another delayed work with
+cancel_delayed_work_sync().  It's no good idea, unfortunately,
+especially after we changed the work queue to the standard global
+one; this may lead to a stall because both works are using the same
+global queue.
+
+Fix it by dropping the _sync but does call cancel_delayed_work()
+instead.
+
+Fixes: 993884f6a26c ("ALSA: hda/ca0132 - Delay HP amp turnon.")
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4440,7 +4440,7 @@ static void hp_callback(struct hda_codec
+       /* Delay enabling the HP amp, to let the mic-detection
+        * state machine run.
+        */
+-      cancel_delayed_work_sync(&spec->unsol_hp_work);
++      cancel_delayed_work(&spec->unsol_hp_work);
+       schedule_delayed_work(&spec->unsol_hp_work, msecs_to_jiffies(500));
+       tbl = snd_hda_jack_tbl_get(codec, cb->nid);
+       if (tbl)
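Review bot: The comment above the changed line still only explains the delay, not why the non-waiting `cancel_delayed_work()` is the right call at L126; the constraint from the description (this callback and unsol_hp_work share the same global workqueue, so waiting here can stall) is exactly what a later reader needs to avoid "fixing" it back to `_sync`. Suggest extending the existing comment block with `* Do not use cancel_delayed_work_sync() here: unsol_hp_work runs on the same global workqueue as this callback, so waiting on it can stall.` The hp_callback() body continues outside the hunk.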
diff --git a/queue-4.4/cdc-ncm-handle-incomplete-transfer-of-mtu.patch b/queue-4.4/cdc-ncm-handle-incomplete-transfer-of-mtu.patch
new file mode 100644 (file)
index 0000000..322c35c
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sun 10 Nov 2019 06:53:36 PM CET
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 7 Nov 2019 09:48:01 +0100
+Subject: CDC-NCM: handle incomplete transfer of MTU
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 332f989a3b0041b810836c5c3747e59aad7e9d0b ]
+
+A malicious device may give half an answer when asked
+for its MTU. The driver will proceed after this with
+a garbage MTU. Anything but a complete answer must be treated
+as an error.
+
+V2: used sizeof as request by Alexander
+
+Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -533,8 +533,8 @@ static void cdc_ncm_set_dgram_size(struc
+       /* read current mtu value from device */
+       err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
+                             USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
+-                            0, iface_no, &max_datagram_size, 2);
+-      if (err < 0) {
++                            0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
++      if (err < sizeof(max_datagram_size)) {
+               dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
+               goto out;
+       }
+@@ -545,7 +545,7 @@ static void cdc_ncm_set_dgram_size(struc
+       max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
+       err = usbnet_write_cmd(dev, USB_CDC_SET_MAX_DATAGRAM_SIZE,
+                              USB_TYPE_CLASS | USB_DIR_OUT | USB_RECIP_INTERFACE,
+-                             0, iface_no, &max_datagram_size, 2);
++                             0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
+       if (err < 0)
+               dev_dbg(&dev->intf->dev, "SET_MAX_DATAGRAM_SIZE failed\n");
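Review bot: The new check `if (err < sizeof(max_datagram_size))` at L168 no longer catches a failed transfer: `err` holds the `int` return of usbnet_read_cmd() (negative errno on failure; its declaration is outside the hunk), and comparing it with the `size_t` from `sizeof` converts a negative value to a large unsigned one, so the condition is false and the function proceeds with an unset max_datagram_size — the case the old `err < 0` handled. The check should be `if (err != sizeof(max_datagram_size)) {`, which rejects both short answers and errors. The write path at L178 keeps `err < 0` and is unaffected. cdc_ncm_set_dgram_size() continues outside the hunk.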
diff --git a/queue-4.4/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch b/queue-4.4/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
new file mode 100644 (file)
index 0000000..7d72802
--- /dev/null
@@ -0,0 +1,120 @@
+From 3e8fc0075e24338b1117cdff6a79477427b8dbed Mon Sep 17 00:00:00 2001
+From: Mel Gorman <mgorman@techsingularity.net>
+Date: Tue, 5 Nov 2019 21:16:27 -0800
+Subject: mm, meminit: recalculate pcpu batch and high limits after init completes
+
+From: Mel Gorman <mgorman@techsingularity.net>
+
+commit 3e8fc0075e24338b1117cdff6a79477427b8dbed upstream.
+
+Deferred memory initialisation updates zone->managed_pages during the
+initialisation phase but before that finishes, the per-cpu page
+allocator (pcpu) calculates the number of pages allocated/freed in
+batches as well as the maximum number of pages allowed on a per-cpu
+list.  As zone->managed_pages is not up to date yet, the pcpu
+initialisation calculates inappropriately low batch and high values.
+
+This increases zone lock contention quite severely in some cases with
+the degree of severity depending on how many CPUs share a local zone and
+the size of the zone.  A private report indicated that kernel build
+times were excessive with extremely high system CPU usage.  A perf
+profile indicated that a large chunk of time was lost on zone->lock
+contention.
+
+This patch recalculates the pcpu batch and high values after deferred
+initialisation completes for every populated zone in the system.  It was
+tested on a 2-socket AMD EPYC 2 machine using a kernel compilation
+workload -- allmodconfig and all available CPUs.
+
+mmtests configuration: config-workload-kernbench-max Configuration was
+modified to build on a fresh XFS partition.
+
+kernbench
+                                5.4.0-rc3              5.4.0-rc3
+                                  vanilla           resetpcpu-v2
+Amean     user-256    13249.50 (   0.00%)    16401.31 * -23.79%*
+Amean     syst-256    14760.30 (   0.00%)     4448.39 *  69.86%*
+Amean     elsp-256      162.42 (   0.00%)      119.13 *  26.65%*
+Stddev    user-256       42.97 (   0.00%)       19.15 (  55.43%)
+Stddev    syst-256      336.87 (   0.00%)        6.71 (  98.01%)
+Stddev    elsp-256        2.46 (   0.00%)        0.39 (  84.03%)
+
+                   5.4.0-rc3    5.4.0-rc3
+                     vanilla resetpcpu-v2
+Duration User       39766.24     49221.79
+Duration System     44298.10     13361.67
+Duration Elapsed      519.11       388.87
+
+The patch reduces system CPU usage by 69.86% and total build time by
+26.65%.  The variance of system CPU usage is also much reduced.
+
+Before, this was the breakdown of batch and high values over all zones
+was:
+
+    256               batch: 1
+    256               batch: 63
+    512               batch: 7
+    256               high:  0
+    256               high:  378
+    512               high:  42
+
+512 pcpu pagesets had a batch limit of 7 and a high limit of 42.  After
+the patch:
+
+    256               batch: 1
+    768               batch: 63
+    256               high:  0
+    768               high:  378
+
+[mgorman@techsingularity.net: fix merge/linkage snafu]
+  Link: http://lkml.kernel.org/r/20191023084705.GD3016@techsingularity.netLink: http://lkml.kernel.org/r/20191021094808.28824-2-mgorman@techsingularity.net
+Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Qian Cai <cai@lca.pw>
+Cc: <stable@vger.kernel.org>   [4.1+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2010,6 +2010,14 @@ void drain_all_pages(struct zone *zone)
+       int cpu;
+       /*
++       * The number of managed pages has changed due to the initialisation
++       * so the pcpu batch and high limits needs to be updated or the limits
++       * will be artificially small.
++       */
++      for_each_populated_zone(zone)
++              zone_pcp_update(zone);
++
++      /*
+        * Allocate in the BSS so we wont require allocation in
+        * direct reclaim path for CONFIG_CPUMASK_OFFSTACK=y
+        */
+@@ -6868,7 +6876,6 @@ void free_contig_range(unsigned long pfn
+ }
+ #endif
+-#ifdef CONFIG_MEMORY_HOTPLUG
+ /*
+  * The zone indicated has a new number of managed_pages; batch sizes and percpu
+  * page high values need to be recalulated.
+@@ -6882,7 +6889,6 @@ void __meminit zone_pcp_update(struct zo
+                               per_cpu_ptr(zone->pageset, cpu));
+       mutex_unlock(&pcp_batch_high_lock);
+ }
+-#endif
+ void zone_pcp_reset(struct zone *zone)
+ {
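Review bot: The added `for_each_populated_zone(zone) zone_pcp_update(zone);` at L281-L282 sits between `int cpu;` and the "Allocate in the BSS" comment, and the hunk header at L274 places that context in `drain_all_pages(struct zone *zone)` rather than in the deferred-init completion path the description talks about. If that is where it landed, the recalculation runs on every drain instead of once after init, and the loop variable is the function's own `zone` parameter, which is NULL once the loop finishes, so the rest of drain_all_pages() no longer sees the zone it was asked to drain; zone_pcp_update() also takes `pcp_batch_high_lock` (L297), which adds a mutex to every drain. The hunk should be re-placed after the wait for deferred initialisation (upstream adds it at the end of page_alloc_init_late()), with a locally declared `struct zone *zone;`. Both functions start and end outside the hunk, so the placement should be confirmed against the 4.4 tree.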
diff --git a/queue-4.4/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch b/queue-4.4/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
new file mode 100644 (file)
index 0000000..89f5062
--- /dev/null
@@ -0,0 +1,57 @@
+From abaed0112c1db08be15a784a2c5c8a8b3063cdd3 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Tue, 5 Nov 2019 21:16:40 -0800
+Subject: mm, vmstat: hide /proc/pagetypeinfo from normal users
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream.
+
+/proc/pagetypeinfo is a debugging tool to examine internal page
+allocator state wrt to fragmentation.  It is not very useful for any
+other use so normal users really do not need to read this file.
+
+Waiman Long has noticed that reading this file can have negative side
+effects because zone->lock is necessary for gathering data and that a)
+interferes with the page allocator and its users and b) can lead to hard
+lockups on large machines which have very long free_list.
+
+Reduce both issues by simply not exporting the file to regular users.
+
+Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org
+Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo")
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Waiman Long <longman@redhat.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Rafael Aquini <aquini@redhat.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Cc: Jann Horn <jannh@google.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmstat.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1589,7 +1589,7 @@ static int __init setup_vmstat(void)
+ #endif
+ #ifdef CONFIG_PROC_FS
+       proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
+-      proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
++      proc_create("pagetypeinfo", 0400, NULL, &pagetypeinfo_file_ops);
+       proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
+       proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
+ #endif
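Review bot: The bare `0400` at L360 sits between three `S_IRUGO` lines and carries no explanation, so the next reader cannot tell why this one file is root-only. A short comment on the line, e.g. `/* root only: walking free lists under zone->lock can stall large machines */`, keeps the reason (L320-L325) with the code. Note this only restricts DAC permissions; processes with CAP_DAC_READ_SEARCH can still read it, which matches the stated intent of hiding it from normal users.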
diff --git a/queue-4.4/net-fix-data-race-in-neigh_event_send.patch b/queue-4.4/net-fix-data-race-in-neigh_event_send.patch
new file mode 100644 (file)
index 0000000..c5a347b
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Sun 10 Nov 2019 06:53:36 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 7 Nov 2019 20:08:19 -0800
+Subject: net: fix data-race in neigh_event_send()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1b53d64435d56902fc234ff2507142d971a09687 ]
+
+KCSAN reported the following data-race [1]
+
+The fix will also prevent the compiler from optimizing out
+the condition.
+
+[1]
+
+BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output
+
+write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1:
+ neigh_event_send include/net/neighbour.h:443 [inline]
+ neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
+ __ip_finish_output net/ipv4/ip_output.c:308 [inline]
+ __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
+ ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
+ dst_output include/net/dst.h:436 [inline]
+ ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
+ __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
+ ip_queue_xmit+0x45/0x60 include/net/ip.h:237
+ __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
+ tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
+ __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
+ tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
+ tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
+ tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618
+
+read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0:
+ neigh_event_send include/net/neighbour.h:442 [inline]
+ neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
+ __ip_finish_output net/ipv4/ip_output.c:308 [inline]
+ __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
+ ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
+ dst_output include/net/dst.h:436 [inline]
+ ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
+ __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
+ ip_queue_xmit+0x45/0x60 include/net/ip.h:237
+ __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
+ tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
+ __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
+ tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
+ tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/neighbour.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -425,8 +425,8 @@ static inline int neigh_event_send(struc
+ {
+       unsigned long now = jiffies;
+       
+-      if (neigh->used != now)
+-              neigh->used = now;
++      if (READ_ONCE(neigh->used) != now)
++              WRITE_ONCE(neigh->used, now);
+       if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE)))
+               return __neigh_event_send(neigh, skb);
+       return 0;
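Review bot: The annotated pair at L450-L451 is still a check-then-store with no locking, so two CPUs can both observe `!= now` and both store, which is fine only because they store the same jiffies value; that reasoning is nowhere in the code. Suggest a one-line comment above the `if`, e.g. `/* Lockless: concurrent stores write the same jiffies, so a lost update is harmless. */`. neigh_event_send() is cut at both ends of the hunk (signature at L444, closing brace outside).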
diff --git a/queue-4.4/nfc-fdp-fix-incorrect-free-object.patch b/queue-4.4/nfc-fdp-fix-incorrect-free-object.patch
new file mode 100644 (file)
index 0000000..54098f0
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 10 Nov 2019 06:53:36 PM CET
+From: Pan Bian <bianpan2016@163.com>
+Date: Tue, 5 Nov 2019 16:34:07 +0800
+Subject: NFC: fdp: fix incorrect free object
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 517ce4e93368938b204451285e53014549804868 ]
+
+The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
+incorrect, which may result in a system crash or other security impacts.
+The expected object to free is *fw_vsc_cfg.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/fdp/i2c.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/fdp/i2c.c
++++ b/drivers/nfc/fdp/i2c.c
+@@ -268,7 +268,7 @@ static void fdp_nci_i2c_read_device_prop
+                                                 *fw_vsc_cfg, len);
+               if (r) {
+-                      devm_kfree(dev, fw_vsc_cfg);
++                      devm_kfree(dev, *fw_vsc_cfg);
+                       goto vsc_read_err;
+               }
+       } else {
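Review bot: After `devm_kfree(dev, *fw_vsc_cfg);` at L486 the caller's `*fw_vsc_cfg` still holds the freed address when control jumps to `vsc_read_err`; unless that label resets it (the label and the rest of fdp_nci_i2c_read_device_properties() are outside the hunk), the caller is left with a dangling pointer. If it is not reset there, add `*fw_vsc_cfg = NULL;` right after the devm_kfree; if it is, a comment such as `/* vsc_read_err clears *fw_vsc_cfg */` would make that dependency visible.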
diff --git a/queue-4.4/nfc-netlink-fix-double-device-reference-drop.patch b/queue-4.4/nfc-netlink-fix-double-device-reference-drop.patch
new file mode 100644 (file)
index 0000000..46e3fdc
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Sun 10 Nov 2019 06:53:36 PM CET
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 7 Nov 2019 14:29:50 +0800
+Subject: nfc: netlink: fix double device reference drop
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 025ec40b81d785a98f76b8bdb509ac10773b4f12 ]
+
+The function nfc_put_device(dev) is called twice to drop the reference
+to dev when there is no associated local llcp. Remove one of them to fix
+the bug.
+
+Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support")
+Fixes: d9b8d8e19b07 ("NFC: llcp: Service Name Lookup netlink interface")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1066,7 +1066,6 @@ static int nfc_genl_llc_set_params(struc
+       local = nfc_llcp_find_local(dev);
+       if (!local) {
+-              nfc_put_device(dev);
+               rc = -ENODEV;
+               goto exit;
+       }
+@@ -1126,7 +1125,6 @@ static int nfc_genl_llc_sdreq(struct sk_
+       local = nfc_llcp_find_local(dev);
+       if (!local) {
+-              nfc_put_device(dev);
+               rc = -ENODEV;
+               goto exit;
+       }
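Review bot: Removing `nfc_put_device(dev);` in the `!local` branch at L523 (and at L530 in the second hunk) makes the reference drop depend entirely on the `exit:` label, which is outside both hunks; the branch now reads as if the reference is leaked. A comment on the `goto`, e.g. `goto exit; /* exit: drops the dev reference */`, in both nfc_genl_llc_set_params() and nfc_genl_llc_sdreq() records why no put is needed here. Both functions start and end outside the hunks.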
diff --git a/queue-4.4/nfc-st21nfca-fix-double-free.patch b/queue-4.4/nfc-st21nfca-fix-double-free.patch
new file mode 100644 (file)
index 0000000..1f7fd06
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 10 Nov 2019 06:53:36 PM CET
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 7 Nov 2019 09:33:20 +0800
+Subject: NFC: st21nfca: fix double free
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 99a8efbb6e30b72ac98cecf81103f847abffb1e5 ]
+
+The variable nfcid_skb is not changed in the callee nfc_hci_get_param()
+if error occurs. Consequently, the freed variable nfcid_skb will be
+freed again, resulting in a double free bug. Set nfcid_skb to NULL after
+releasing it to fix the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nfc/st21nfca/core.c
++++ b/drivers/nfc/st21nfca/core.c
+@@ -726,6 +726,7 @@ static int st21nfca_hci_complete_target_
+                                                       NFC_PROTO_FELICA_MASK;
+               } else {
+                       kfree_skb(nfcid_skb);
++                      nfcid_skb = NULL;
+                       /* P2P in type A */
+                       r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE,
+                                       ST21NFCA_RF_READER_F_NFCID1,
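Review bot: The added `nfcid_skb = NULL;` at L566 is correct but silent about why it is needed; the description's point that nfc_hci_get_param() leaves the pointer untouched on error, so the shared error path would free it again, is what prevents someone from dropping the line as redundant. Suggest `nfcid_skb = NULL; /* nfc_hci_get_param() leaves it untouched on error; avoid a second free */`. Any other kfree_skb(nfcid_skb) followed by a re-fetch in st21nfca_hci_complete_target_discovered() (outside the hunk) would need the same treatment.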
diff --git a/queue-4.4/qede-fix-null-pointer-deref-in-__qede_remove.patch b/queue-4.4/qede-fix-null-pointer-deref-in-__qede_remove.patch
new file mode 100644 (file)
index 0000000..bd0ef34
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Sun 10 Nov 2019 06:53:36 PM CET
+From: Manish Chopra <manishc@marvell.com>
+Date: Fri, 8 Nov 2019 02:42:30 -0800
+Subject: qede: fix NULL pointer deref in __qede_remove()
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit deabc87111c690097c03765ea017cd500f7376fc ]
+
+While rebooting the system with SR-IOV vfs enabled leads
+to below crash due to recurrence of __qede_remove() on the VF
+devices (first from .shutdown() flow of the VF itself and
+another from PF's .shutdown() flow executing pci_disable_sriov())
+
+This patch adds a safeguard in __qede_remove() flow to fix this,
+so that driver doesn't attempt to remove "already removed" devices.
+
+[  194.360134] BUG: unable to handle kernel NULL pointer dereference at 00000000000008dc
+[  194.360227] IP: [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
+[  194.360304] PGD 0
+[  194.360325] Oops: 0000 [#1] SMP
+[  194.360360] Modules linked in: tcp_lp fuse tun bridge stp llc devlink bonding ip_set nfnetlink ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_umad rpcrdma sunrpc rdma_ucm ib_uverbs ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi dell_smbios iTCO_wdt iTCO_vendor_support dell_wmi_descriptor dcdbas vfat fat pcc_cpufreq skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd qedr ib_core pcspkr ses enclosure joydev ipmi_ssif sg i2c_i801 lpc_ich mei_me mei wmi ipmi_si ipmi_devintf ipmi_msghandler tpm_crb acpi_pad acpi_power_meter xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel mgag200
+[  194.361044]  qede i2c_algo_bit drm_kms_helper qed syscopyarea sysfillrect nvme sysimgblt fb_sys_fops ttm nvme_core mpt3sas crc8 ptp drm pps_core ahci raid_class scsi_transport_sas libahci libata drm_panel_orientation_quirks nfit libnvdimm dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ip_tables]
+[  194.361297] CPU: 51 PID: 7996 Comm: reboot Kdump: loaded Not tainted 3.10.0-1062.el7.x86_64 #1
+[  194.361359] Hardware name: Dell Inc. PowerEdge MX840c/0740HW, BIOS 2.4.6 10/15/2019
+[  194.361412] task: ffff9cea9b360000 ti: ffff9ceabebdc000 task.ti: ffff9ceabebdc000
+[  194.361463] RIP: 0010:[<ffffffffc03553c4>]  [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
+[  194.361534] RSP: 0018:ffff9ceabebdfac0  EFLAGS: 00010282
+[  194.361570] RAX: 0000000000000000 RBX: ffff9cd013846098 RCX: 0000000000000000
+[  194.361621] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9cd013846098
+[  194.361668] RBP: ffff9ceabebdfae8 R08: 0000000000000000 R09: 0000000000000000
+[  194.361715] R10: 00000000bfe14201 R11: ffff9ceabfe141e0 R12: 0000000000000000
+[  194.361762] R13: ffff9cd013846098 R14: 0000000000000000 R15: ffff9ceab5e48000
+[  194.361810] FS:  00007f799c02d880(0000) GS:ffff9ceacb0c0000(0000) knlGS:0000000000000000
+[  194.361865] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  194.361903] CR2: 00000000000008dc CR3: 0000001bdac76000 CR4: 00000000007607e0
+[  194.361953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  194.362002] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  194.362051] PKRU: 55555554
+[  194.362073] Call Trace:
+[  194.362109]  [<ffffffffc0355500>] qede_remove+0x10/0x20 [qede]
+[  194.362180]  [<ffffffffb97d0f3e>] pci_device_remove+0x3e/0xc0
+[  194.362240]  [<ffffffffb98b3c52>] __device_release_driver+0x82/0xf0
+[  194.362285]  [<ffffffffb98b3ce3>] device_release_driver+0x23/0x30
+[  194.362343]  [<ffffffffb97c86d4>] pci_stop_bus_device+0x84/0xa0
+[  194.362388]  [<ffffffffb97c87e2>] pci_stop_and_remove_bus_device+0x12/0x20
+[  194.362450]  [<ffffffffb97f153f>] pci_iov_remove_virtfn+0xaf/0x160
+[  194.362496]  [<ffffffffb97f1aec>] sriov_disable+0x3c/0xf0
+[  194.362534]  [<ffffffffb97f1bc3>] pci_disable_sriov+0x23/0x30
+[  194.362599]  [<ffffffffc02f83c3>] qed_sriov_disable+0x5e3/0x650 [qed]
+[  194.362658]  [<ffffffffb9622df6>] ? kfree+0x106/0x140
+[  194.362709]  [<ffffffffc02cc0c0>] ? qed_free_stream_mem+0x70/0x90 [qed]
+[  194.362754]  [<ffffffffb9622df6>] ? kfree+0x106/0x140
+[  194.362803]  [<ffffffffc02cd659>] qed_slowpath_stop+0x1a9/0x1d0 [qed]
+[  194.362854]  [<ffffffffc035544e>] __qede_remove+0xae/0x130 [qede]
+[  194.362904]  [<ffffffffc03554e0>] qede_shutdown+0x10/0x20 [qede]
+[  194.362956]  [<ffffffffb97cf90a>] pci_device_shutdown+0x3a/0x60
+[  194.363010]  [<ffffffffb98b180b>] device_shutdown+0xfb/0x1f0
+[  194.363066]  [<ffffffffb94b66c6>] kernel_restart_prepare+0x36/0x40
+[  194.363107]  [<ffffffffb94b66e2>] kernel_restart+0x12/0x60
+[  194.363146]  [<ffffffffb94b6959>] SYSC_reboot+0x229/0x260
+[  194.363196]  [<ffffffffb95f200d>] ? handle_mm_fault+0x39d/0x9b0
+[  194.363253]  [<ffffffffb942b621>] ? __switch_to+0x151/0x580
+[  194.363304]  [<ffffffffb9b7ec28>] ? __schedule+0x448/0x9c0
+[  194.363343]  [<ffffffffb94b69fe>] SyS_reboot+0xe/0x10
+[  194.363387]  [<ffffffffb9b8bede>] system_call_fastpath+0x25/0x2a
+[  194.363430] Code: f9 e9 37 ff ff ff 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 4c 8d af 98 00 00 00 41 54 4c 89 ef 41 89 f4 53 e8 4c e4 55 f9 <80> b8 dc 08 00 00 01 48 89 c3 4c 8d b8 c0 08 00 00 4c 8b b0 c0
+[  194.363712] RIP  [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
+[  194.363764]  RSP <ffff9ceabebdfac0>
+[  194.363791] CR2: 00000000000008dc
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: Sudarsana Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_main.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -1465,8 +1465,16 @@ enum qede_remove_mode {
+ static void __qede_remove(struct pci_dev *pdev, enum qede_remove_mode mode)
+ {
+       struct net_device *ndev = pci_get_drvdata(pdev);
+-      struct qede_dev *edev = netdev_priv(ndev);
+-      struct qed_dev *cdev = edev->cdev;
++      struct qede_dev *edev;
++      struct qed_dev *cdev;
++
++      if (!ndev) {
++              dev_info(&pdev->dev, "Device has already been removed\n");
++              return;
++      }
++
++      edev = netdev_priv(ndev);
++      cdev = edev->cdev;
+       DP_INFO(edev, "Starting qede_remove\n");
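Review bot: The new guard `if (!ndev)` at L666 uses `pci_get_drvdata()` returning NULL as the "already removed" marker, which only holds if the first removal clears drvdata before returning; that clearing is not in the hunk, and the rest of __qede_remove() is outside it. A comment on the check, e.g. `/* drvdata is cleared by the first remove; the VF shutdown and the PF's pci_disable_sriov() can both reach here */`, ties the guard to that invariant so it is not broken later. The message at L667 uses dev_info rather than DP_INFO because edev is not valid yet, which is consistent with the rest of the hunk.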
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..7ee5aa2
--- /dev/null
@@ -0,0 +1,10 @@
+cdc-ncm-handle-incomplete-transfer-of-mtu.patch
+net-fix-data-race-in-neigh_event_send.patch
+nfc-fdp-fix-incorrect-free-object.patch
+nfc-st21nfca-fix-double-free.patch
+qede-fix-null-pointer-deref-in-__qede_remove.patch
+nfc-netlink-fix-double-device-reference-drop.patch
+alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
+alsa-hda-ca0132-fix-possible-workqueue-stall.patch
+mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
+mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch