--- /dev/null
+From cb4b0b6c49ed214be4ea58d9aff89e3e5e27b946 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Thu, 18 Jul 2019 09:43:33 +0100
+Subject: ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
+
+[ Upstream commit 8dd26dff00c0636b1d8621acaeef3f6f3a39dd77 ]
+
+DPCM uses snd_soc_dapm_dai_get_connected_widgets to build a
+list of the widgets connected to a specific front end DAI so it
+can search through this list for available back end DAIs. The
+custom_stop_condition was added to is_connected_ep to facilitate this
+list not containing more widgets than is necessary. Doing so both
+speeds up the DPCM handling as less widgets need to be searched and
+avoids issues with CODEC to CODEC links as these would be confused
+with back end DAIs if they appeared in the list of available widgets.
+
+custom_stop_condition was implemented by aborting the graph walk
+when the condition is triggered, however there is an issue with this
+approach. Whilst walking the graph is_connected_ep should update the
+endpoints cache on each widget, if the walk is aborted the number
+of attached end points is unknown for that sub-graph. When the stop
+condition triggered, the original patch ignored the triggering widget
+and returned zero connected end points; a later patch updated this
+to set the triggering widget's cache to 1 and return that. Both of
+these approaches result in inaccurate values being stored in various
+end point caches as the values propagate back through the graph,
+which can result in later issues with widgets powering/not powering
+unexpectedly.
+
+As the original goal was to reduce the size of the widget list passed
+to the DPCM code, the simplest solution is to limit the functionality
+of the custom_stop_condition to the widget list. This means the rest
+of the graph will still be processed resulting in correct end point
+caches, but only widgets up to the stop condition will be added to the
+returned widget list.
+
+Fixes: 6742064aef7f ("ASoC: dapm: support user-defined stop condition in dai_get_connected_widgets")
+Fixes: 5fdd022c2026 ("ASoC: dpcm: play nice with CODEC<->CODEC links")
+Fixes: 09464974eaa8 ("ASoC: dapm: Fix to return correct path list in is_connected_ep.")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20190718084333.15598-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-dapm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 3bfc788372f31..4ce57510b6236 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -1145,8 +1145,8 @@ static __always_inline int is_connected_ep(struct snd_soc_dapm_widget *widget,
+ list_add_tail(&widget->work_list, list);
+
+ if (custom_stop_condition && custom_stop_condition(widget, dir)) {
+- widget->endpoints[dir] = 1;
+- return widget->endpoints[dir];
++ list = NULL;
++ custom_stop_condition = NULL;
+ }
+
+ if ((widget->is_ep & SND_SOC_DAPM_DIR_TO_EP(dir)) && widget->connected) {
+@@ -1183,8 +1183,8 @@ static __always_inline int is_connected_ep(struct snd_soc_dapm_widget *widget,
+ *
+ * Optionally, can be supplied with a function acting as a stopping condition.
+ * This function takes the dapm widget currently being examined and the walk
+- * direction as an arguments, it should return true if the walk should be
+- * stopped and false otherwise.
++ * direction as an arguments, it should return true if widgets from that point
++ * in the graph onwards should not be added to the widget list.
+ */
+ static int is_connected_output_ep(struct snd_soc_dapm_widget *widget,
+ struct list_head *list,
+--
+2.20.1
+
--- /dev/null
+From 291ce1d22a62d963e147642cd4b41a72b56f8cff Mon Sep 17 00:00:00 2001
+From: Ricard Wanderlof <ricard.wanderlof@axis.com>
+Date: Wed, 24 Jul 2019 11:38:44 +0200
+Subject: ASoC: Fail card instantiation if DAI format setup fails
+
+[ Upstream commit 40aa5383e393d72f6aa3943a4e7b1aae25a1e43b ]
+
+If the DAI format setup fails, there is no valid communication format
+between CPU and CODEC, so fail card instantiation, rather than continue
+with a card that will most likely not function properly.
+
+Signed-off-by: Ricard Wanderlof <ricardw@axis.com>
+Link: https://lore.kernel.org/r/alpine.DEB.2.20.1907241132350.6338@lnxricardw1.se.axis.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 62aa320c20708..dafc3b7f8d723 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -1513,8 +1513,11 @@ static int soc_probe_link_dais(struct snd_soc_card *card,
+ }
+ }
+
+- if (dai_link->dai_fmt)
+- snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt);
++ if (dai_link->dai_fmt) {
++ ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt);
++ if (ret)
++ return ret;
++ }
+
+ ret = soc_post_component_init(rtd, dai_link->name);
+ if (ret)
+--
+2.20.1
+
--- /dev/null
+From 7e8ee7c529376b34ea46378b90bedc1893c5219f Mon Sep 17 00:00:00 2001
+From: Cheng-Yi Chiang <cychiang@chromium.org>
+Date: Fri, 26 Jul 2019 12:42:02 +0800
+Subject: ASoC: rockchip: Fix mono capture
+
+[ Upstream commit 789e162a6255325325bd321ab0cd51dc7e285054 ]
+
+This reverts commit db51707b9c9aeedd310ebce60f15d5bb006567e0.
+Revert "ASoC: rockchip: i2s: Support mono capture"
+
+Previous discussion in
+
+https://patchwork.kernel.org/patch/10147153/
+
+explains the issue of the patch.
+While device is configured as 1-ch, hardware is still
+generating a 2-ch stream.
+When user space reads the data and assumes it is a 1-ch stream,
+the rate will be slower by 2x.
+
+Revert the change so 1-ch is not supported.
+User space can selectively take one channel data out of two channel
+if 1-ch is preferred.
+Currently, both channels record identical data.
+
+Signed-off-by: Cheng-Yi Chiang <cychiang@chromium.org>
+Link: https://lore.kernel.org/r/20190726044202.26866-1-cychiang@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_i2s.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
+index 60d43d53a8f5e..11399f81c92f9 100644
+--- a/sound/soc/rockchip/rockchip_i2s.c
++++ b/sound/soc/rockchip/rockchip_i2s.c
+@@ -329,7 +329,6 @@ static int rockchip_i2s_hw_params(struct snd_pcm_substream *substream,
+ val |= I2S_CHN_4;
+ break;
+ case 2:
+- case 1:
+ val |= I2S_CHN_2;
+ break;
+ default:
+@@ -462,7 +461,7 @@ static struct snd_soc_dai_driver rockchip_i2s_dai = {
+ },
+ .capture = {
+ .stream_name = "Capture",
+- .channels_min = 1,
++ .channels_min = 2,
+ .channels_max = 2,
+ .rates = SNDRV_PCM_RATE_8000_192000,
+ .formats = (SNDRV_PCM_FMTBIT_S8 |
+@@ -662,7 +661,7 @@ static int rockchip_i2s_probe(struct platform_device *pdev)
+ }
+
+ if (!of_property_read_u32(node, "rockchip,capture-channels", &val)) {
+- if (val >= 1 && val <= 8)
++ if (val >= 2 && val <= 8)
+ soc_dai->capture.channels_max = val;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 7c3f53c020dcae6b5588a4370d3cb2d37b12f7d2 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Fri, 26 Jul 2019 09:42:43 +0300
+Subject: ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
+
+[ Upstream commit 1e112c35e3c96db7c8ca6ddaa96574f00c06e7db ]
+
+The slot_width is a property for the bus while the constraint for
+SNDRV_PCM_HW_PARAM_SAMPLE_BITS is for the in memory format.
+
+Applying slot_width constraint to sample_bits works most of the time, but
+it will blacklist valid formats in some cases.
+
+With slot_width 24 we can support S24_3LE and S24_LE formats as they both
+look the same on the bus, but a a 24 constraint on sample_bits would not
+allow S24_LE as it is stored in 32bits in memory.
+
+Implement a simple hw_rule function to allow all formats which require less
+or equal number of bits on the bus as slot_width (if configured).
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Link: https://lore.kernel.org/r/20190726064244.3762-2-peter.ujfalusi@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/davinci/davinci-mcasp.c | 43 ++++++++++++++++++++++++-------
+ 1 file changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c
+index 160b2764b2ad8..6a8c279a4b20b 100644
+--- a/sound/soc/davinci/davinci-mcasp.c
++++ b/sound/soc/davinci/davinci-mcasp.c
+@@ -1150,6 +1150,28 @@ static int davinci_mcasp_trigger(struct snd_pcm_substream *substream,
+ return ret;
+ }
+
++static int davinci_mcasp_hw_rule_slot_width(struct snd_pcm_hw_params *params,
++ struct snd_pcm_hw_rule *rule)
++{
++ struct davinci_mcasp_ruledata *rd = rule->private;
++ struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
++ struct snd_mask nfmt;
++ int i, slot_width;
++
++ snd_mask_none(&nfmt);
++ slot_width = rd->mcasp->slot_width;
++
++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
++ if (snd_mask_test(fmt, i)) {
++ if (snd_pcm_format_width(i) <= slot_width) {
++ snd_mask_set(&nfmt, i);
++ }
++ }
++ }
++
++ return snd_mask_refine(fmt, &nfmt);
++}
++
+ static const unsigned int davinci_mcasp_dai_rates[] = {
+ 8000, 11025, 16000, 22050, 32000, 44100, 48000, 64000,
+ 88200, 96000, 176400, 192000,
+@@ -1257,7 +1279,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
+ struct davinci_mcasp_ruledata *ruledata =
+ &mcasp->ruledata[substream->stream];
+ u32 max_channels = 0;
+- int i, dir;
++ int i, dir, ret;
+ int tdm_slots = mcasp->tdm_slots;
+
+ /* Do not allow more then one stream per direction */
+@@ -1286,6 +1308,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
+ max_channels++;
+ }
+ ruledata->serializers = max_channels;
++ ruledata->mcasp = mcasp;
+ max_channels *= tdm_slots;
+ /*
+ * If the already active stream has less channels than the calculated
+@@ -1311,20 +1334,22 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream,
+ 0, SNDRV_PCM_HW_PARAM_CHANNELS,
+ &mcasp->chconstr[substream->stream]);
+
+- if (mcasp->slot_width)
+- snd_pcm_hw_constraint_minmax(substream->runtime,
+- SNDRV_PCM_HW_PARAM_SAMPLE_BITS,
+- 8, mcasp->slot_width);
++ if (mcasp->slot_width) {
++ /* Only allow formats require <= slot_width bits on the bus */
++ ret = snd_pcm_hw_rule_add(substream->runtime, 0,
++ SNDRV_PCM_HW_PARAM_FORMAT,
++ davinci_mcasp_hw_rule_slot_width,
++ ruledata,
++ SNDRV_PCM_HW_PARAM_FORMAT, -1);
++ if (ret)
++ return ret;
++ }
+
+ /*
+ * If we rely on implicit BCLK divider setting we should
+ * set constraints based on what we can provide.
+ */
+ if (mcasp->bclk_master && mcasp->bclk_div == 0 && mcasp->sysclk_freq) {
+- int ret;
+-
+- ruledata->mcasp = mcasp;
+-
+ ret = snd_pcm_hw_rule_add(substream->runtime, 0,
+ SNDRV_PCM_HW_PARAM_RATE,
+ davinci_mcasp_hw_rule_rate,
+--
+2.20.1
+
--- /dev/null
+From 3fde5c35d08619e5fd544341faf624d8769ca73a Mon Sep 17 00:00:00 2001
+From: Paolo Valente <paolo.valente@linaro.org>
+Date: Wed, 7 Aug 2019 19:21:11 +0200
+Subject: block, bfq: handle NULL return value by bfq_init_rq()
+
+[ Upstream commit fd03177c33b287c6541f4048f1d67b7b45a1abc9 ]
+
+As reported in [1], the call bfq_init_rq(rq) may return NULL in case
+of OOM (in particular, if rq->elv.icq is NULL because memory
+allocation failed in failed in ioc_create_icq()).
+
+This commit handles this circumstance.
+
+[1] https://lkml.org/lkml/2019/7/22/824
+
+Cc: Hsin-Yi Wang <hsinyi@google.com>
+Cc: Nicolas Boichat <drinkcat@chromium.org>
+Cc: Doug Anderson <dianders@chromium.org>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Reported-by: Hsin-Yi Wang <hsinyi@google.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index becd793a258c8..d8d2ac294b0c0 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -1886,9 +1886,14 @@ static void bfq_request_merged(struct request_queue *q, struct request *req,
+ blk_rq_pos(container_of(rb_prev(&req->rb_node),
+ struct request, rb_node))) {
+ struct bfq_queue *bfqq = bfq_init_rq(req);
+- struct bfq_data *bfqd = bfqq->bfqd;
++ struct bfq_data *bfqd;
+ struct request *prev, *next_rq;
+
++ if (!bfqq)
++ return;
++
++ bfqd = bfqq->bfqd;
++
+ /* Reposition request in its sort_list */
+ elv_rb_del(&bfqq->sort_list, req);
+ elv_rb_add(&bfqq->sort_list, req);
+@@ -1930,6 +1935,9 @@ static void bfq_requests_merged(struct request_queue *q, struct request *rq,
+ struct bfq_queue *bfqq = bfq_init_rq(rq),
+ *next_bfqq = bfq_init_rq(next);
+
++ if (!bfqq)
++ return;
++
+ /*
+ * If next and rq belong to the same bfq_queue and next is older
+ * than rq, then reposition rq in the fifo (by substituting next
+@@ -4590,12 +4598,12 @@ static void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq,
+
+ spin_lock_irq(&bfqd->lock);
+ bfqq = bfq_init_rq(rq);
+- if (at_head || blk_rq_is_passthrough(rq)) {
++ if (!bfqq || at_head || blk_rq_is_passthrough(rq)) {
+ if (at_head)
+ list_add(&rq->queuelist, &bfqd->dispatch);
+ else
+ list_add_tail(&rq->queuelist, &bfqd->dispatch);
+- } else { /* bfqq is assumed to be non null here */
++ } else {
+ idle_timer_disabled = __bfq_insert_request(bfqd, rq);
+ /*
+ * Update bfqq, because, if a queue merge has occurred
+--
+2.20.1
+
--- /dev/null
+From 90fea1c52920aac58e976314ce68940241bf0e71 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Tue, 16 Jul 2019 17:25:10 -0500
+Subject: bonding: Force slave speed check after link state recovery for
+ 802.3ad
+
+[ Upstream commit 12185dfe44360f814ac4ead9d22ad2af7511b2e9 ]
+
+The following scenario was encountered during testing of logical
+partition mobility on pseries partitions with bonded ibmvnic
+adapters in LACP mode.
+
+1. Driver receives a signal that the device has been
+ swapped, and it needs to reset to initialize the new
+ device.
+
+2. Driver reports loss of carrier and begins initialization.
+
+3. Bonding driver receives NETDEV_CHANGE notifier and checks
+ the slave's current speed and duplex settings. Because these
+ are unknown at the time, the bond sets its link state to
+ BOND_LINK_FAIL and handles the speed update, clearing
+ AD_PORT_LACP_ENABLE.
+
+4. Driver finishes recovery and reports that the carrier is on.
+
+5. Bond receives a new notification and checks the speed again.
+ The speeds are valid but miimon has not altered the link
+ state yet. AD_PORT_LACP_ENABLE remains off.
+
+Because the slave's link state is still BOND_LINK_FAIL,
+no further port checks are made when it recovers. Though
+the slave devices are operational and have valid speed
+and duplex settings, the bond will not send LACPDU's. The
+simplest fix I can see is to force another speed check
+in bond_miimon_commit. This way the bond will update
+AD_PORT_LACP_ENABLE if needed when transitioning from
+BOND_LINK_FAIL to BOND_LINK_UP.
+
+CC: Jarod Wilson <jarod@redhat.com>
+CC: Jay Vosburgh <j.vosburgh@gmail.com>
+CC: Veaceslav Falico <vfalico@gmail.com>
+CC: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 8f14f85b8e95e..0d2392c4b625a 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2190,6 +2190,15 @@ static void bond_miimon_commit(struct bonding *bond)
+ bond_for_each_slave(bond, slave, iter) {
+ switch (slave->new_link) {
+ case BOND_LINK_NOCHANGE:
++ /* For 802.3ad mode, check current slave speed and
++ * duplex again in case its port was disabled after
++ * invalid speed/duplex reporting but recovered before
++ * link monitoring could make a decision on the actual
++ * link status
++ */
++ if (BOND_MODE(bond) == BOND_MODE_8023AD &&
++ slave->link == BOND_LINK_UP)
++ bond_3ad_adapter_speed_duplex_changed(slave);
+ continue;
+
+ case BOND_LINK_UP:
+--
+2.20.1
+
--- /dev/null
+From 59f2469422744f5ee295a46e265956d5f30ee3ce Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Mon, 24 Jun 2019 08:34:13 +0000
+Subject: can: dev: call netif_carrier_off() in register_candev()
+
+[ Upstream commit c63845609c4700488e5eacd6ab4d06d5d420e5ef ]
+
+CONFIG_CAN_LEDS is deprecated. When trying to use the generic netdev
+trigger as suggested, there's a small inconsistency with the link
+property: The LED is on initially, stays on when the device is brought
+up, and then turns off (as expected) when the device is brought down.
+
+Make sure the LED always reflects the state of the CAN device.
+
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index c05e4d50d43d7..bd127ce3aba24 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -1260,6 +1260,8 @@ int register_candev(struct net_device *dev)
+ return -EINVAL;
+
+ dev->rtnl_link_ops = &can_link_ops;
++ netif_carrier_off(dev);
++
+ return register_netdev(dev);
+ }
+ EXPORT_SYMBOL_GPL(register_candev);
+--
+2.20.1
+
--- /dev/null
+From 97b86eb5736e730dfcb0ea9e85434c75450f87eb Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 18 May 2019 17:35:43 +0800
+Subject: can: gw: Fix error path of cgw_module_init
+
+[ Upstream commit b7a14297f102b6e2ce6f16feffebbb9bde1e9b55 ]
+
+This patch add error path for cgw_module_init to avoid possible crash if
+some error occurs.
+
+Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/gw.c | 48 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/net/can/gw.c b/net/can/gw.c
+index 53859346dc9a9..bd2161470e456 100644
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -1046,32 +1046,50 @@ static __init int cgw_module_init(void)
+ pr_info("can: netlink gateway (rev " CAN_GW_VERSION ") max_hops=%d\n",
+ max_hops);
+
+- register_pernet_subsys(&cangw_pernet_ops);
++ ret = register_pernet_subsys(&cangw_pernet_ops);
++ if (ret)
++ return ret;
++
++ ret = -ENOMEM;
+ cgw_cache = kmem_cache_create("can_gw", sizeof(struct cgw_job),
+ 0, 0, NULL);
+-
+ if (!cgw_cache)
+- return -ENOMEM;
++ goto out_cache_create;
+
+ /* set notifier */
+ notifier.notifier_call = cgw_notifier;
+- register_netdevice_notifier(¬ifier);
++ ret = register_netdevice_notifier(¬ifier);
++ if (ret)
++ goto out_register_notifier;
+
+ ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_GETROUTE,
+ NULL, cgw_dump_jobs, 0);
+- if (ret) {
+- unregister_netdevice_notifier(¬ifier);
+- kmem_cache_destroy(cgw_cache);
+- return -ENOBUFS;
+- }
+-
+- /* Only the first call to rtnl_register_module can fail */
+- rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE,
+- cgw_create_job, NULL, 0);
+- rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE,
+- cgw_remove_job, NULL, 0);
++ if (ret)
++ goto out_rtnl_register1;
++
++ ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE,
++ cgw_create_job, NULL, 0);
++ if (ret)
++ goto out_rtnl_register2;
++ ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE,
++ cgw_remove_job, NULL, 0);
++ if (ret)
++ goto out_rtnl_register3;
+
+ return 0;
++
++out_rtnl_register3:
++ rtnl_unregister(PF_CAN, RTM_NEWROUTE);
++out_rtnl_register2:
++ rtnl_unregister(PF_CAN, RTM_GETROUTE);
++out_rtnl_register1:
++ unregister_netdevice_notifier(¬ifier);
++out_register_notifier:
++ kmem_cache_destroy(cgw_cache);
++out_cache_create:
++ unregister_pernet_subsys(&cangw_pernet_ops);
++
++ return ret;
+ }
+
+ static __exit void cgw_module_exit(void)
+--
+2.20.1
+
--- /dev/null
+From 10d4018f3e04e68c381ee8055337dfd50697411c Mon Sep 17 00:00:00 2001
+From: Weitao Hou <houweitaoo@gmail.com>
+Date: Tue, 25 Jun 2019 20:50:48 +0800
+Subject: can: mcp251x: add error check when wq alloc failed
+
+[ Upstream commit 375f755899b8fc21196197e02aab26257df26e85 ]
+
+add error check when workqueue alloc failed, and remove redundant code
+to make it clear.
+
+Fixes: e0000163e30e ("can: Driver for the Microchip MCP251x SPI CAN controllers")
+Signed-off-by: Weitao Hou <houweitaoo@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Tested-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 49 ++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index da64e71a62ee2..fccb6bf21fada 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -678,17 +678,6 @@ static int mcp251x_power_enable(struct regulator *reg, int enable)
+ return regulator_disable(reg);
+ }
+
+-static void mcp251x_open_clean(struct net_device *net)
+-{
+- struct mcp251x_priv *priv = netdev_priv(net);
+- struct spi_device *spi = priv->spi;
+-
+- free_irq(spi->irq, priv);
+- mcp251x_hw_sleep(spi);
+- mcp251x_power_enable(priv->transceiver, 0);
+- close_candev(net);
+-}
+-
+ static int mcp251x_stop(struct net_device *net)
+ {
+ struct mcp251x_priv *priv = netdev_priv(net);
+@@ -954,37 +943,43 @@ static int mcp251x_open(struct net_device *net)
+ flags | IRQF_ONESHOT, DEVICE_NAME, priv);
+ if (ret) {
+ dev_err(&spi->dev, "failed to acquire irq %d\n", spi->irq);
+- mcp251x_power_enable(priv->transceiver, 0);
+- close_candev(net);
+- goto open_unlock;
++ goto out_close;
+ }
+
+ priv->wq = alloc_workqueue("mcp251x_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM,
+ 0);
++ if (!priv->wq) {
++ ret = -ENOMEM;
++ goto out_clean;
++ }
+ INIT_WORK(&priv->tx_work, mcp251x_tx_work_handler);
+ INIT_WORK(&priv->restart_work, mcp251x_restart_work_handler);
+
+ ret = mcp251x_hw_reset(spi);
+- if (ret) {
+- mcp251x_open_clean(net);
+- goto open_unlock;
+- }
++ if (ret)
++ goto out_free_wq;
+ ret = mcp251x_setup(net, spi);
+- if (ret) {
+- mcp251x_open_clean(net);
+- goto open_unlock;
+- }
++ if (ret)
++ goto out_free_wq;
+ ret = mcp251x_set_normal_mode(spi);
+- if (ret) {
+- mcp251x_open_clean(net);
+- goto open_unlock;
+- }
++ if (ret)
++ goto out_free_wq;
+
+ can_led_event(net, CAN_LED_EVENT_OPEN);
+
+ netif_wake_queue(net);
++ mutex_unlock(&priv->mcp_lock);
+
+-open_unlock:
++ return 0;
++
++out_free_wq:
++ destroy_workqueue(priv->wq);
++out_clean:
++ free_irq(spi->irq, priv);
++ mcp251x_hw_sleep(spi);
++out_close:
++ mcp251x_power_enable(priv->transceiver, 0);
++ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From d9dd407b07403b9ebf596c87ed90f9b076a22b36 Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:25:59 +0800
+Subject: can: peak_usb: force the string buffer NULL-terminated
+
+[ Upstream commit e787f19373b8a5fa24087800ed78314fd17b984a ]
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string is
+passed to dev_info() which relies on the NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index 740ef47eab017..43b0fa2b99322 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -863,7 +863,7 @@ static void peak_usb_disconnect(struct usb_interface *intf)
+
+ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+
+--
+2.20.1
+
--- /dev/null
+From 890b7699ff8e5b67900a1dd7143e12f1afae1ac6 Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:31:14 +0800
+Subject: can: sja1000: force the string buffer NULL-terminated
+
+[ Upstream commit cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c ]
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string
+'name' is passed to dev_info which relies on NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c
+index b8c39ede7cd51..179bfcd541f2f 100644
+--- a/drivers/net/can/sja1000/peak_pcmcia.c
++++ b/drivers/net/can/sja1000/peak_pcmcia.c
+@@ -487,7 +487,7 @@ static void pcan_free_channels(struct pcan_pccard *card)
+ if (!netdev)
+ continue;
+
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_sja1000dev(netdev);
+
+--
+2.20.1
+
--- /dev/null
+From ec0917d86c6a57e300ab650b1ca6bc078e025981 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 2 Aug 2019 11:46:16 -0700
+Subject: drm/rockchip: Suspend DP late
+
+[ Upstream commit f7ccbed656f78212593ca965d9a8f34bf24e0aab ]
+
+In commit fe64ba5c6323 ("drm/rockchip: Resume DP early") we moved
+resume to be early but left suspend at its normal time. This seems
+like it could be OK, but casues problems if a suspend gets interrupted
+partway through. The OS only balances matching suspend/resume levels.
+...so if suspend was called then resume will be called. If suspend
+late was called then resume early will be called. ...but if suspend
+was called resume early might not get called. This leads to an
+unbalance in the clock enables / disables.
+
+Lets take the simple fix and just move suspend to be late to match.
+This makes the PM core take proper care in keeping things balanced.
+
+Fixes: fe64ba5c6323 ("drm/rockchip: Resume DP early")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190802184616.44822-1-dianders@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/analogix_dp-rockchip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
+index 080f053521950..6a4da3a0ff1c3 100644
+--- a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
++++ b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
+@@ -436,7 +436,7 @@ static int rockchip_dp_resume(struct device *dev)
+
+ static const struct dev_pm_ops rockchip_dp_pm_ops = {
+ #ifdef CONFIG_PM_SLEEP
+- .suspend = rockchip_dp_suspend,
++ .suspend_late = rockchip_dp_suspend,
+ .resume_early = rockchip_dp_resume,
+ #endif
+ };
+--
+2.20.1
+
--- /dev/null
+From fecbaf0254158af54a10e520d035923f4d395f9b Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 24 Jun 2019 09:39:59 -0700
+Subject: drm/vmwgfx: fix memory leak when too many retries have occurred
+
+[ Upstream commit 6b7c3b86f0b63134b2ab56508921a0853ffa687a ]
+
+Currently when too many retries have occurred there is a memory
+leak on the allocation for reply on the error return path. Fix
+this by kfree'ing reply before returning.
+
+Addresses-Coverity: ("Resource leak")
+Fixes: a9cd9c044aa9 ("drm/vmwgfx: Add a check to handle host message failure")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Deepak Rawat <drawat@vmware.com>
+Signed-off-by: Deepak Rawat <drawat@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+index e4e09d47c5c0e..59e9d05ab928b 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+@@ -389,8 +389,10 @@ static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
+ break;
+ }
+
+- if (retries == RETRIES)
++ if (retries == RETRIES) {
++ kfree(reply);
+ return -EINVAL;
++ }
+
+ *msg_len = reply_len;
+ *msg = reply;
+--
+2.20.1
+
--- /dev/null
+From af689f1223fc59cad7e7fa4202dd1b404b8148e3 Mon Sep 17 00:00:00 2001
+From: Ilya Trukhanov <lahvuun@gmail.com>
+Date: Tue, 2 Jul 2019 13:37:16 +0300
+Subject: HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
+
+[ Upstream commit 65f11c72780fa9d598df88def045ccb6a885cf80 ]
+
+Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force
+gamepad. Compared to other Thrustmaster devices, left and right rumble
+motors here are swapped.
+
+Signed-off-by: Ilya Trukhanov <lahvuun@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-tmff.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c
+index bea8def64f437..30b8c3256c991 100644
+--- a/drivers/hid/hid-tmff.c
++++ b/drivers/hid/hid-tmff.c
+@@ -34,6 +34,8 @@
+
+ #include "hid-ids.h"
+
++#define THRUSTMASTER_DEVICE_ID_2_IN_1_DT 0xb320
++
+ static const signed short ff_rumble[] = {
+ FF_RUMBLE,
+ -1
+@@ -88,6 +90,7 @@ static int tmff_play(struct input_dev *dev, void *data,
+ struct hid_field *ff_field = tmff->ff_field;
+ int x, y;
+ int left, right; /* Rumbling */
++ int motor_swap;
+
+ switch (effect->type) {
+ case FF_CONSTANT:
+@@ -112,6 +115,13 @@ static int tmff_play(struct input_dev *dev, void *data,
+ ff_field->logical_minimum,
+ ff_field->logical_maximum);
+
++ /* 2-in-1 strong motor is left */
++ if (hid->product == THRUSTMASTER_DEVICE_ID_2_IN_1_DT) {
++ motor_swap = left;
++ left = right;
++ right = motor_swap;
++ }
++
+ dbg_hid("(left,right)=(%08x, %08x)\n", left, right);
+ ff_field->value[0] = left;
+ ff_field->value[1] = right;
+@@ -238,6 +248,8 @@ static const struct hid_device_id tm_devices[] = {
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304), /* FireStorm Dual Power 2 (and 3) */
+ .driver_data = (unsigned long)ff_rumble },
++ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, THRUSTMASTER_DEVICE_ID_2_IN_1_DT), /* Dual Trigger 2-in-1 */
++ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb323), /* Dual Trigger 3-in-1 (PC Mode) */
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb324), /* Dual Trigger 3-in-1 (PS3 Mode) */
+--
+2.20.1
+
--- /dev/null
+From e5351bd83b9624d76841d87e0ef52ea214184466 Mon Sep 17 00:00:00 2001
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Tue, 11 Jun 2019 14:13:20 +0200
+Subject: HID: input: fix a4tech horizontal wheel custom usage
+
+[ Upstream commit 1c703b53e5bfb5c2205c30f0fb157ce271fd42fb ]
+
+Some a4tech mice use the 'GenericDesktop.00b8' usage to inform whether
+the previous wheel report was horizontal or vertical. Before
+c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") this
+usage was being mapped to 'Relative.Misc'. After the patch it's simply
+ignored (usage->type == 0 & usage->code == 0). Which ultimately makes
+hid-a4tech ignore the WHEEL/HWHEEL selection event, as it has no
+usage->type.
+
+We shouldn't rely on a mapping for that usage as it's nonstandard and
+doesn't really map to an input event. So we bypass the mapping and make
+sure the custom event handling properly handles both reports.
+
+Fixes: c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key")
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-a4tech.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-a4tech.c b/drivers/hid/hid-a4tech.c
+index 9428ea7cdf8a0..c52bd163abb3e 100644
+--- a/drivers/hid/hid-a4tech.c
++++ b/drivers/hid/hid-a4tech.c
+@@ -26,12 +26,36 @@
+ #define A4_2WHEEL_MOUSE_HACK_7 0x01
+ #define A4_2WHEEL_MOUSE_HACK_B8 0x02
+
++#define A4_WHEEL_ORIENTATION (HID_UP_GENDESK | 0x000000b8)
++
+ struct a4tech_sc {
+ unsigned long quirks;
+ unsigned int hw_wheel;
+ __s32 delayed_value;
+ };
+
++static int a4_input_mapping(struct hid_device *hdev, struct hid_input *hi,
++ struct hid_field *field, struct hid_usage *usage,
++ unsigned long **bit, int *max)
++{
++ struct a4tech_sc *a4 = hid_get_drvdata(hdev);
++
++ if (a4->quirks & A4_2WHEEL_MOUSE_HACK_B8 &&
++ usage->hid == A4_WHEEL_ORIENTATION) {
++ /*
++ * We do not want to have this usage mapped to anything as it's
++ * nonstandard and doesn't really behave like an HID report.
++ * It's only selecting the orientation (vertical/horizontal) of
++ * the previous mouse wheel report. The input_events will be
++ * generated once both reports are recorded in a4_event().
++ */
++ return -1;
++ }
++
++ return 0;
++
++}
++
+ static int a4_input_mapped(struct hid_device *hdev, struct hid_input *hi,
+ struct hid_field *field, struct hid_usage *usage,
+ unsigned long **bit, int *max)
+@@ -53,8 +77,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
+ struct a4tech_sc *a4 = hid_get_drvdata(hdev);
+ struct input_dev *input;
+
+- if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput ||
+- !usage->type)
++ if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput)
+ return 0;
+
+ input = field->hidinput->input;
+@@ -65,7 +88,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
+ return 1;
+ }
+
+- if (usage->hid == 0x000100b8) {
++ if (usage->hid == A4_WHEEL_ORIENTATION) {
+ input_event(input, EV_REL, value ? REL_HWHEEL :
+ REL_WHEEL, a4->delayed_value);
+ return 1;
+@@ -129,6 +152,7 @@ MODULE_DEVICE_TABLE(hid, a4_devices);
+ static struct hid_driver a4_driver = {
+ .name = "a4tech",
+ .id_table = a4_devices,
++ .input_mapping = a4_input_mapping,
+ .input_mapped = a4_input_mapped,
+ .event = a4_event,
+ .probe = a4_probe,
+--
+2.20.1
+
--- /dev/null
+From 7109f218cce4d8ffa8ca6df6272c083b462551a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Istv=C3=A1n=20V=C3=A1radi?= <ivaradi@varadiistvan.hu>
+Date: Wed, 24 Jul 2019 20:09:18 +0200
+Subject: HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 7bc74853fd61432ec59f812a40425bf6d8c986a4 ]
+
+The Saitek X52 joystick has a pair of axes that are originally
+(by the Windows driver) used as mouse pointer controls. The corresponding
+usage->hid values are 0x50024 and 0x50026. Thus they are handled
+as unknown axes and both get mapped to ABS_MISC. The quirk makes
+the second axis to be mapped to ABS_MISC1 and thus made available
+separately.
+
+[jkosina@suse.cz: squashed two patches into one]
+Signed-off-by: István Váradi <ivaradi@varadiistvan.hu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 2898bb0619454..4a2fa57ddcb84 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -971,6 +971,7 @@
+ #define USB_DEVICE_ID_SAITEK_RAT7 0x0cd7
+ #define USB_DEVICE_ID_SAITEK_RAT9 0x0cfa
+ #define USB_DEVICE_ID_SAITEK_MMO7 0x0cd0
++#define USB_DEVICE_ID_SAITEK_X52 0x075c
+
+ #define USB_VENDOR_ID_SAMSUNG 0x0419
+ #define USB_DEVICE_ID_SAMSUNG_IR_REMOTE 0x0001
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index d29c7c9cd185d..e553f6fae7a4c 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -143,6 +143,7 @@ static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_RETROUSB, USB_DEVICE_ID_RETROUSB_SNES_RETROPAD), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
+ { HID_USB_DEVICE(USB_VENDOR_ID_RETROUSB, USB_DEVICE_ID_RETROUSB_SNES_RETROPORT), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RUMBLEPAD), HID_QUIRK_BADPAD },
++ { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_X52), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD2), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET },
+--
+2.20.1
+
--- /dev/null
+From 560ba6faf1389ae0922c2541b8df7604ae12aa02 Mon Sep 17 00:00:00 2001
+From: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Date: Wed, 31 Jul 2019 15:17:23 +0200
+Subject: isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on
+ the stack
+
+[ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ]
+
+Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers.
+
+During usb probe the driver crashes with "transfer buffer is on stack" message.
+
+This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro
+that calls "usb_control_msg" under the hood.
+
+Kernel 4.19 backtrace:
+
+usb_hcd_submit_urb+0x3e5/0x900
+? sched_clock+0x9/0x10
+? log_store+0x203/0x270
+? get_random_u32+0x6f/0x90
+? cache_alloc_refill+0x784/0x8a0
+usb_submit_urb+0x3b4/0x550
+usb_start_wait_urb+0x4e/0xd0
+usb_control_msg+0xb8/0x120
+hfcsusb_probe+0x6bc/0xb40 [hfcsusb]
+usb_probe_interface+0xc2/0x260
+really_probe+0x176/0x280
+driver_probe_device+0x49/0x130
+__driver_attach+0xa9/0xb0
+? driver_probe_device+0x130/0x130
+bus_for_each_dev+0x5a/0x90
+driver_attach+0x14/0x20
+? driver_probe_device+0x130/0x130
+bus_add_driver+0x157/0x1e0
+driver_register+0x51/0xe0
+usb_register_driver+0x5d/0x120
+? 0xf81ed000
+hfcsusb_drv_init+0x17/0x1000 [hfcsusb]
+do_one_initcall+0x44/0x190
+? free_unref_page_commit+0x6a/0xd0
+do_init_module+0x46/0x1c0
+load_module+0x1dc1/0x2400
+sys_init_module+0xed/0x120
+do_fast_syscall_32+0x7a/0x200
+entry_SYSENTER_32+0x6b/0xbe
+
+Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index cfdb130cb1008..c952002c6301d 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1705,13 +1705,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel)
+ static int
+ setup_hfcsusb(struct hfcsusb *hw)
+ {
++ void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL);
+ u_char b;
++ int ret;
+
+ if (debug & DBG_HFC_CALL_TRACE)
+ printk(KERN_DEBUG "%s: %s\n", hw->name, __func__);
+
++ if (!dmabuf)
++ return -ENOMEM;
++
++ ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
++
++ memcpy(&b, dmabuf, sizeof(u_char));
++ kfree(dmabuf);
++
+ /* check the chip id */
+- if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) {
++ if (ret != 1) {
+ printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
+ hw->name, __func__);
+ return 1;
+--
+2.20.1
+
--- /dev/null
+From 8d650031a57237801b769e7142eff88455619928 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Fri, 26 Jul 2019 16:27:36 +0800
+Subject: isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
+ start_isoc_chain()
+
+[ Upstream commit a0d57a552b836206ad7705a1060e6e1ce5a38203 ]
+
+In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail
+and return NULL. At this time, fifo->iso[i].urb is assigned to NULL.
+
+Then, fifo->iso[i].urb is used at some places, such as:
+LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...)
+ urb->number_of_packets = num_packets;
+ urb->transfer_flags = URB_ISO_ASAP;
+ urb->actual_length = 0;
+ urb->interval = interval;
+LINE 1416: fifo->iso[i].urb->...
+LINE 1419: fifo->iso[i].urb->...
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb
+when it is NULL.
+
+These bugs are found by a static analysis tool STCheck written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index 060dc7fd66c1d..cfdb130cb1008 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1406,6 +1406,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb,
+ printk(KERN_DEBUG
+ "%s: %s: alloc urb for fifo %i failed",
+ hw->name, __func__, fifo->fifonum);
++ continue;
+ }
+ fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo;
+ fifo->iso[i].indx = i;
+--
+2.20.1
+
--- /dev/null
+From c32513ffc1e6dc3cb0de0ca21db59c072ee151f2 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Mon, 5 Aug 2019 10:34:51 +0100
+Subject: KVM: arm: Don't write junk to CP15 registers on reset
+
+[ Upstream commit c69509c70aa45a8c4954c88c629a64acf4ee4a36 ]
+
+At the moment, the way we reset CP15 registers is mildly insane:
+We write junk to them, call the reset functions, and then check that
+we have something else in them.
+
+The "fun" thing is that this can happen while the guest is running
+(PSCI, for example). If anything in KVM has to evaluate the state
+of a CP15 register while junk is in there, bad thing may happen.
+
+Let's stop doing that. Instead, we track that we have called a
+reset function for that register, and assume that the reset
+function has done something.
+
+In the end, the very need of this reset check is pretty dubious,
+as it doesn't check everything (a lot of the CP15 reg leave outside
+of the cp15_regs[] array). It may well be axed in the near future.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kvm/coproc.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c
+index fd6cde23bb5d0..871fa50a09f19 100644
+--- a/arch/arm/kvm/coproc.c
++++ b/arch/arm/kvm/coproc.c
+@@ -658,13 +658,22 @@ int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ }
+
+ static void reset_coproc_regs(struct kvm_vcpu *vcpu,
+- const struct coproc_reg *table, size_t num)
++ const struct coproc_reg *table, size_t num,
++ unsigned long *bmap)
+ {
+ unsigned long i;
+
+ for (i = 0; i < num; i++)
+- if (table[i].reset)
++ if (table[i].reset) {
++ int reg = table[i].reg;
++
+ table[i].reset(vcpu, &table[i]);
++ if (reg > 0 && reg < NR_CP15_REGS) {
++ set_bit(reg, bmap);
++ if (table[i].is_64bit)
++ set_bit(reg + 1, bmap);
++ }
++ }
+ }
+
+ static struct coproc_params decode_32bit_hsr(struct kvm_vcpu *vcpu)
+@@ -1439,17 +1448,15 @@ void kvm_reset_coprocs(struct kvm_vcpu *vcpu)
+ {
+ size_t num;
+ const struct coproc_reg *table;
+-
+- /* Catch someone adding a register without putting in reset entry. */
+- memset(vcpu->arch.ctxt.cp15, 0x42, sizeof(vcpu->arch.ctxt.cp15));
++ DECLARE_BITMAP(bmap, NR_CP15_REGS) = { 0, };
+
+ /* Generic chip reset first (so target could override). */
+- reset_coproc_regs(vcpu, cp15_regs, ARRAY_SIZE(cp15_regs));
++ reset_coproc_regs(vcpu, cp15_regs, ARRAY_SIZE(cp15_regs), bmap);
+
+ table = get_target_table(vcpu->arch.target, &num);
+- reset_coproc_regs(vcpu, table, num);
++ reset_coproc_regs(vcpu, table, num, bmap);
+
+ for (num = 1; num < NR_CP15_REGS; num++)
+- WARN(vcpu_cp15(vcpu, num) == 0x42424242,
++ WARN(!test_bit(num, bmap),
+ "Didn't reset vcpu_cp15(vcpu, %zi)", num);
+ }
+--
+2.20.1
+
--- /dev/null
+From 164ef9dc267c317b5bab128373ac0aeccba71455 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Mon, 5 Aug 2019 10:34:51 +0100
+Subject: KVM: arm64: Don't write junk to sysregs on reset
+
+[ Upstream commit 03fdfb2690099c19160a3f2c5b77db60b3afeded ]
+
+At the moment, the way we reset system registers is mildly insane:
+We write junk to them, call the reset functions, and then check that
+we have something else in them.
+
+The "fun" thing is that this can happen while the guest is running
+(PSCI, for example). If anything in KVM has to evaluate the state
+of a system register while junk is in there, bad thing may happen.
+
+Let's stop doing that. Instead, we track that we have called a
+reset function for that register, and assume that the reset
+function has done something. This requires fixing a couple of
+sysreg refinition in the trap table.
+
+In the end, the very need of this reset check is pretty dubious,
+as it doesn't check everything (a lot of the sysregs leave outside of
+the sys_regs[] array). It may well be axed in the near future.
+
+Tested-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/sys_regs.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
+index d112af75680bb..6da2bbdb9648f 100644
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -626,7 +626,7 @@ static void reset_pmcr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r)
+ */
+ val = ((pmcr & ~ARMV8_PMU_PMCR_MASK)
+ | (ARMV8_PMU_PMCR_MASK & 0xdecafbad)) & (~ARMV8_PMU_PMCR_E);
+- __vcpu_sys_reg(vcpu, PMCR_EL0) = val;
++ __vcpu_sys_reg(vcpu, r->reg) = val;
+ }
+
+ static bool check_pmu_access_disabled(struct kvm_vcpu *vcpu, u64 flags)
+@@ -968,13 +968,13 @@ static bool access_pmuserenr(struct kvm_vcpu *vcpu, struct sys_reg_params *p,
+ /* Silly macro to expand the DBG{BCR,BVR,WVR,WCR}n_EL1 registers in one go */
+ #define DBG_BCR_BVR_WCR_WVR_EL1(n) \
+ { SYS_DESC(SYS_DBGBVRn_EL1(n)), \
+- trap_bvr, reset_bvr, n, 0, get_bvr, set_bvr }, \
++ trap_bvr, reset_bvr, 0, 0, get_bvr, set_bvr }, \
+ { SYS_DESC(SYS_DBGBCRn_EL1(n)), \
+- trap_bcr, reset_bcr, n, 0, get_bcr, set_bcr }, \
++ trap_bcr, reset_bcr, 0, 0, get_bcr, set_bcr }, \
+ { SYS_DESC(SYS_DBGWVRn_EL1(n)), \
+- trap_wvr, reset_wvr, n, 0, get_wvr, set_wvr }, \
++ trap_wvr, reset_wvr, 0, 0, get_wvr, set_wvr }, \
+ { SYS_DESC(SYS_DBGWCRn_EL1(n)), \
+- trap_wcr, reset_wcr, n, 0, get_wcr, set_wcr }
++ trap_wcr, reset_wcr, 0, 0, get_wcr, set_wcr }
+
+ /* Macro to expand the PMEVCNTRn_EL0 register */
+ #define PMU_PMEVCNTR_EL0(n) \
+@@ -1359,7 +1359,7 @@ static const struct sys_reg_desc sys_reg_descs[] = {
+
+ { SYS_DESC(SYS_CSSELR_EL1), NULL, reset_unknown, CSSELR_EL1 },
+
+- { SYS_DESC(SYS_PMCR_EL0), access_pmcr, reset_pmcr, },
++ { SYS_DESC(SYS_PMCR_EL0), access_pmcr, reset_pmcr, PMCR_EL0 },
+ { SYS_DESC(SYS_PMCNTENSET_EL0), access_pmcnten, reset_unknown, PMCNTENSET_EL0 },
+ { SYS_DESC(SYS_PMCNTENCLR_EL0), access_pmcnten, NULL, PMCNTENSET_EL0 },
+ { SYS_DESC(SYS_PMOVSCLR_EL0), access_pmovs, NULL, PMOVSSET_EL0 },
+@@ -2072,13 +2072,19 @@ static int emulate_sys_reg(struct kvm_vcpu *vcpu,
+ }
+
+ static void reset_sys_reg_descs(struct kvm_vcpu *vcpu,
+- const struct sys_reg_desc *table, size_t num)
++ const struct sys_reg_desc *table, size_t num,
++ unsigned long *bmap)
+ {
+ unsigned long i;
+
+ for (i = 0; i < num; i++)
+- if (table[i].reset)
++ if (table[i].reset) {
++ int reg = table[i].reg;
++
+ table[i].reset(vcpu, &table[i]);
++ if (reg > 0 && reg < NR_SYS_REGS)
++ set_bit(reg, bmap);
++ }
+ }
+
+ /**
+@@ -2576,18 +2582,16 @@ void kvm_reset_sys_regs(struct kvm_vcpu *vcpu)
+ {
+ size_t num;
+ const struct sys_reg_desc *table;
+-
+- /* Catch someone adding a register without putting in reset entry. */
+- memset(&vcpu->arch.ctxt.sys_regs, 0x42, sizeof(vcpu->arch.ctxt.sys_regs));
++ DECLARE_BITMAP(bmap, NR_SYS_REGS) = { 0, };
+
+ /* Generic chip reset first (so target could override). */
+- reset_sys_reg_descs(vcpu, sys_reg_descs, ARRAY_SIZE(sys_reg_descs));
++ reset_sys_reg_descs(vcpu, sys_reg_descs, ARRAY_SIZE(sys_reg_descs), bmap);
+
+ table = get_target_table(vcpu->arch.target, true, &num);
+- reset_sys_reg_descs(vcpu, table, num);
++ reset_sys_reg_descs(vcpu, table, num, bmap);
+
+ for (num = 1; num < NR_SYS_REGS; num++) {
+- if (WARN(__vcpu_sys_reg(vcpu, num) == 0x4242424242424242,
++ if (WARN(!test_bit(num, bmap),
+ "Didn't reset __vcpu_sys_reg(%zi)\n", num))
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From cd6e73bf4742958c33bae553ce37264d8026c32c Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 7 Aug 2019 12:23:57 -0600
+Subject: libata: add SG safety checks in SFF pio transfers
+
+[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ]
+
+Abort processing of a command if we run out of mapped data in the
+SG list. This should never happen, but a previous bug caused it to
+be possible. Play it safe and attempt to abort nicely if we don't
+have more SG segments left.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
+index c5ea0fc635e54..873cc09060551 100644
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -674,6 +674,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+ unsigned int offset;
+ unsigned char *buf;
+
++ if (!qc->cursg) {
++ qc->curbytes = qc->nbytes;
++ return;
++ }
+ if (qc->curbytes == qc->nbytes - qc->sect_size)
+ ap->hsm_task_state = HSM_ST_LAST;
+
+@@ -699,6 +703,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
++ if (!qc->cursg)
++ ap->hsm_task_state = HSM_ST_LAST;
+ qc->cursg_ofs = 0;
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 3dcb3826f692a8392e548a67aec5b0ca9178c3b3 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 7 Aug 2019 12:20:52 -0600
+Subject: libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
+
+[ Upstream commit 2d7271501720038381d45fb3dcbe4831228fc8cc ]
+
+For passthrough requests, libata-scsi takes what the user passes in
+as gospel. This can be problematic if the user fills in the CDB
+incorrectly. One example of that is in request sizes. For read/write
+commands, the CDB contains fields describing the transfer length of
+the request. These should match with the SG_IO header fields, but
+libata-scsi currently does no validation of that.
+
+Check that the number of blocks in the CDB for passthrough requests
+matches what was mapped into the request. If the CDB asks for more
+data then the validated SG_IO header fields, error it.
+
+Reported-by: Krishna Ram Prakash R <krp@gtux.in>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 1984fc78c750b..3a64fa4aaf7e3 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1803,6 +1803,21 @@ nothing_to_do:
+ return 1;
+ }
+
++static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks)
++{
++ struct request *rq = scmd->request;
++ u32 req_blocks;
++
++ if (!blk_rq_is_passthrough(rq))
++ return true;
++
++ req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size;
++ if (n_blocks > req_blocks)
++ return false;
++
++ return true;
++}
++
+ /**
+ * ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one
+ * @qc: Storage for translated ATA taskfile
+@@ -1847,6 +1862,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ scsi_10_lba_len(cdb, &block, &n_block);
+ if (cdb[1] & (1 << 3))
+ tf_flags |= ATA_TFLAG_FUA;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ case READ_6:
+ case WRITE_6:
+@@ -1861,6 +1878,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ */
+ if (!n_block)
+ n_block = 256;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ case READ_16:
+ case WRITE_16:
+@@ -1871,6 +1890,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ scsi_16_lba_len(cdb, &block, &n_block);
+ if (cdb[1] & (1 << 3))
+ tf_flags |= ATA_TFLAG_FUA;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ default:
+ DPRINTK("no-byte command\n");
+--
+2.20.1
+
--- /dev/null
+From 5a1818eb313bc34131b3e9cf6dbef34a9ba95101 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Mon, 29 Jul 2019 16:23:32 +0800
+Subject: mac80211_hwsim: Fix possible null-pointer dereferences in
+ hwsim_dump_radio_nl()
+
+[ Upstream commit b55f3b841099e641bdb2701d361a4c304e2dbd6f ]
+
+In hwsim_dump_radio_nl(), when genlmsg_put() on line 3617 fails, hdr is
+assigned to NULL. Then hdr is used on lines 3622 and 3623:
+ genl_dump_check_consistent(cb, hdr);
+ genlmsg_end(skb, hdr);
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, hdr is used here when it is not NULL.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/20190729082332.28895-1-baijiaju1990@gmail.com
+[put braces on all branches]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 7cd428c0af433..ce2dd06af62e8 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3502,10 +3502,12 @@ static int hwsim_dump_radio_nl(struct sk_buff *skb,
+ hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, &hwsim_genl_family,
+ NLM_F_MULTI, HWSIM_CMD_GET_RADIO);
+- if (!hdr)
++ if (hdr) {
++ genl_dump_check_consistent(cb, hdr);
++ genlmsg_end(skb, hdr);
++ } else {
+ res = -EMSGSIZE;
+- genl_dump_check_consistent(cb, hdr);
+- genlmsg_end(skb, hdr);
++ }
+ }
+
+ done:
+--
+2.20.1
+
--- /dev/null
+From dde27cc28e5216a30bbc27ce69540eb1889f3352 Mon Sep 17 00:00:00 2001
+From: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>
+Date: Tue, 16 Jul 2019 10:36:56 +0300
+Subject: mips: fix cacheinfo
+
+[ Upstream commit b8bea8a5e5d942e62203416ab41edecaed4fda02 ]
+
+Because CONFIG_OF defined for MIPS, cacheinfo attempts to fill information
+from DT, ignoring data filled by architecture routine. This leads to error
+reported
+
+ cacheinfo: Unable to detect cache hierarchy for CPU 0
+
+Way to fix this provided in
+commit fac51482577d ("drivers: base: cacheinfo: fix x86 with
+ CONFIG_OF enabled")
+
+Utilize same mechanism to report that cacheinfo set by architecture
+specific function
+
+Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/cacheinfo.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/kernel/cacheinfo.c b/arch/mips/kernel/cacheinfo.c
+index 97d5239ca47ba..428ef21892039 100644
+--- a/arch/mips/kernel/cacheinfo.c
++++ b/arch/mips/kernel/cacheinfo.c
+@@ -80,6 +80,8 @@ static int __populate_cache_leaves(unsigned int cpu)
+ if (c->tcache.waysize)
+ populate_cache(tcache, this_leaf, 3, CACHE_TYPE_UNIFIED);
+
++ this_cpu_ci->cpu_map_populated = true;
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From de31d7a5e2d518d06285579e3341f4f59eef0a3f Mon Sep 17 00:00:00 2001
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Date: Mon, 13 May 2019 13:47:25 +0200
+Subject: MIPS: kernel: only use i8253 clocksource with periodic clockevent
+
+[ Upstream commit a07e3324538a989b7cdbf2c679be6a7f9df2544f ]
+
+i8253 clocksource needs a free running timer. This could only
+be used, if i8253 clockevent is set up as periodic.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/i8253.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/kernel/i8253.c b/arch/mips/kernel/i8253.c
+index 5f209f111e59e..df7ddd246eaac 100644
+--- a/arch/mips/kernel/i8253.c
++++ b/arch/mips/kernel/i8253.c
+@@ -32,7 +32,8 @@ void __init setup_pit_timer(void)
+
+ static int __init init_pit_clocksource(void)
+ {
+- if (num_possible_cpus() > 1) /* PIT does not scale! */
++ if (num_possible_cpus() > 1 || /* PIT does not scale! */
++ !clockevent_state_periodic(&i8253_clockevent))
+ return 0;
+
+ return clocksource_i8253_init();
+--
+2.20.1
+
--- /dev/null
+From 93f3a9288cec1a060527f3b02d3421a73962c415 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 6 Aug 2019 10:55:12 +0200
+Subject: net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
+
+[ Upstream commit debea2cd3193ac868289e8893c3a719c265b0612 ]
+
+A call to 'kfree_skb()' is missing in the error handling path of
+'init_one()'.
+This is already present in 'remove_one()' but is missing here.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index c34ea385fe4a5..6be6de0774b61 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -3270,7 +3270,7 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (!adapter->regs) {
+ dev_err(&pdev->dev, "cannot map device registers\n");
+ err = -ENOMEM;
+- goto out_free_adapter;
++ goto out_free_adapter_nofail;
+ }
+
+ adapter->pdev = pdev;
+@@ -3398,6 +3398,9 @@ out_free_dev:
+ if (adapter->port[i])
+ free_netdev(adapter->port[i]);
+
++out_free_adapter_nofail:
++ kfree_skb(adapter->nofail_skb);
++
+ out_free_adapter:
+ kfree(adapter);
+
+--
+2.20.1
+
--- /dev/null
+From 486fb2321612e27dca9b0373e3a6f2330d2c6b09 Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 16:15:42 +0800
+Subject: net/ethernet/qlogic/qed: force the string buffer NULL-terminated
+
+[ Upstream commit 3690c8c9a8edff0db077a38783112d8fe12a7dd2 ]
+
+strncpy() does not ensure NULL-termination when the input string
+size equals to the destination buffer size 30.
+The output string is passed to qed_int_deassertion_aeu_bit()
+which calls DP_INFO() and relies NULL-termination.
+
+Use strlcpy instead. The other conditional branch above strncpy()
+needs no fix as snprintf() ensures NULL-termination.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_int.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
+index b22f464ea3fa7..f9e475075d3ea 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
+@@ -939,7 +939,7 @@ static int qed_int_deassertion(struct qed_hwfn *p_hwfn,
+ snprintf(bit_name, 30,
+ p_aeu->bit_name, num);
+ else
+- strncpy(bit_name,
++ strlcpy(bit_name,
+ p_aeu->bit_name, 30);
+
+ /* We now need to pass bitmask in its
+--
+2.20.1
+
--- /dev/null
+From 55da4c58a015f6842536db8b2256649d3391a72a Mon Sep 17 00:00:00 2001
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Sat, 3 Aug 2019 20:31:41 +0800
+Subject: net: hisilicon: Fix dma_map_single failed on arm64
+
+[ Upstream commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3 ]
+
+On the arm64 platform, executing "ifconfig eth0 up" will fail,
+returning "ifconfig: SIOCSIFFLAGS: Input/output error."
+
+ndev->dev is not initialized, dma_map_single->get_dma_ops->
+dummy_dma_ops->__dummy_map_page will return DMA_ERROR_CODE
+directly, so when we use dma_map_single, the first parameter
+is to use the device of platform_device.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index fe3b1637fd5f4..a91d49dd92ea6 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -157,6 +157,7 @@ struct hip04_priv {
+ unsigned int reg_inten;
+
+ struct napi_struct napi;
++ struct device *dev;
+ struct net_device *ndev;
+
+ struct tx_desc *tx_desc;
+@@ -387,7 +388,7 @@ static int hip04_tx_reclaim(struct net_device *ndev, bool force)
+ }
+
+ if (priv->tx_phys[tx_tail]) {
+- dma_unmap_single(&ndev->dev, priv->tx_phys[tx_tail],
++ dma_unmap_single(priv->dev, priv->tx_phys[tx_tail],
+ priv->tx_skb[tx_tail]->len,
+ DMA_TO_DEVICE);
+ priv->tx_phys[tx_tail] = 0;
+@@ -437,8 +438,8 @@ static int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ return NETDEV_TX_BUSY;
+ }
+
+- phys = dma_map_single(&ndev->dev, skb->data, skb->len, DMA_TO_DEVICE);
+- if (dma_mapping_error(&ndev->dev, phys)) {
++ phys = dma_map_single(priv->dev, skb->data, skb->len, DMA_TO_DEVICE);
++ if (dma_mapping_error(priv->dev, phys)) {
+ dev_kfree_skb(skb);
+ return NETDEV_TX_OK;
+ }
+@@ -508,7 +509,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
+ goto refill;
+ }
+
+- dma_unmap_single(&ndev->dev, priv->rx_phys[priv->rx_head],
++ dma_unmap_single(priv->dev, priv->rx_phys[priv->rx_head],
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+ priv->rx_phys[priv->rx_head] = 0;
+
+@@ -537,9 +538,9 @@ refill:
+ buf = netdev_alloc_frag(priv->rx_buf_size);
+ if (!buf)
+ goto done;
+- phys = dma_map_single(&ndev->dev, buf,
++ phys = dma_map_single(priv->dev, buf,
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+- if (dma_mapping_error(&ndev->dev, phys))
++ if (dma_mapping_error(priv->dev, phys))
+ goto done;
+ priv->rx_buf[priv->rx_head] = buf;
+ priv->rx_phys[priv->rx_head] = phys;
+@@ -642,9 +643,9 @@ static int hip04_mac_open(struct net_device *ndev)
+ for (i = 0; i < RX_DESC_NUM; i++) {
+ dma_addr_t phys;
+
+- phys = dma_map_single(&ndev->dev, priv->rx_buf[i],
++ phys = dma_map_single(priv->dev, priv->rx_buf[i],
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+- if (dma_mapping_error(&ndev->dev, phys))
++ if (dma_mapping_error(priv->dev, phys))
+ return -EIO;
+
+ priv->rx_phys[i] = phys;
+@@ -678,7 +679,7 @@ static int hip04_mac_stop(struct net_device *ndev)
+
+ for (i = 0; i < RX_DESC_NUM; i++) {
+ if (priv->rx_phys[i]) {
+- dma_unmap_single(&ndev->dev, priv->rx_phys[i],
++ dma_unmap_single(priv->dev, priv->rx_phys[i],
+ RX_BUF_SIZE, DMA_FROM_DEVICE);
+ priv->rx_phys[i] = 0;
+ }
+@@ -822,6 +823,7 @@ static int hip04_mac_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ priv = netdev_priv(ndev);
++ priv->dev = d;
+ priv->ndev = ndev;
+ platform_set_drvdata(pdev, ndev);
+ SET_NETDEV_DEV(ndev, &pdev->dev);
+--
+2.20.1
+
--- /dev/null
+From 68813f28959baafdb8e8e9870601a5c2ccc01ac3 Mon Sep 17 00:00:00 2001
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Sat, 3 Aug 2019 20:31:40 +0800
+Subject: net: hisilicon: fix hip04-xmit never return TX_BUSY
+
+[ Upstream commit f2243b82785942be519016067ee6c55a063bbfe2 ]
+
+TX_DESC_NUM is 256, in tx_count, the maximum value of
+mod(TX_DESC_NUM - 1) is 254, the variable "count" in
+the hip04_mac_start_xmit function is never equal to
+(TX_DESC_NUM - 1), so hip04_mac_start_xmit never
+return NETDEV_TX_BUSY.
+
+tx_count is modified to mod(TX_DESC_NUM) so that
+the maximum value of tx_count can reach
+(TX_DESC_NUM - 1), then hip04_mac_start_xmit can reurn
+NETDEV_TX_BUSY.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 57c0afa25f9fb..fe3b1637fd5f4 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -185,7 +185,7 @@ struct hip04_priv {
+
+ static inline unsigned int tx_count(unsigned int head, unsigned int tail)
+ {
+- return (head - tail) % (TX_DESC_NUM - 1);
++ return (head - tail) % TX_DESC_NUM;
+ }
+
+ static void hip04_config_port(struct net_device *ndev, u32 speed, u32 duplex)
+--
+2.20.1
+
--- /dev/null
+From 9bdea0bc1af54f29c0b7fb448e1f92828a327a63 Mon Sep 17 00:00:00 2001
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Sat, 3 Aug 2019 20:31:39 +0800
+Subject: net: hisilicon: make hip04_tx_reclaim non-reentrant
+
+[ Upstream commit 1a2c070ae805910a853b4a14818481ed2e17c727 ]
+
+If hip04_tx_reclaim is interrupted while it is running
+and then __napi_schedule continues to execute
+hip04_rx_poll->hip04_tx_reclaim, reentrancy occurs
+and oops is generated. So you need to mask the interrupt
+during the hip04_tx_reclaim run.
+
+The kernel oops exception stack is as follows:
+
+Unable to handle kernel NULL pointer dereference
+at virtual address 00000050
+pgd = c0003000
+[00000050] *pgd=80000000a04003, *pmd=00000000
+Internal error: Oops: 206 [#1] SMP ARM
+Modules linked in: hip04_eth mtdblock mtd_blkdevs mtd
+ohci_platform ehci_platform ohci_hcd ehci_hcd
+vfat fat sd_mod usb_storage scsi_mod usbcore usb_common
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.4.185 #1
+Hardware name: Hisilicon A15
+task: c0a250e0 task.stack: c0a00000
+PC is at hip04_tx_reclaim+0xe0/0x17c [hip04_eth]
+LR is at hip04_tx_reclaim+0x30/0x17c [hip04_eth]
+pc : [<bf30c3a4>] lr : [<bf30c2f4>] psr: 600e0313
+sp : c0a01d88 ip : 00000000 fp : c0601f9c
+r10: 00000000 r9 : c3482380 r8 : 00000001
+r7 : 00000000 r6 : 000000e1 r5 : c3482000 r4 : 0000000c
+r3 : f2209800 r2 : 00000000 r1 : 00000000 r0 : 00000000
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 32c5387d Table: 03d28c80 DAC: 55555555
+Process swapper/0 (pid: 0, stack limit = 0xc0a00190)
+Stack: (0xc0a01d88 to 0xc0a02000)
+[<bf30c3a4>] (hip04_tx_reclaim [hip04_eth]) from [<bf30d2e0>]
+ (hip04_rx_poll+0x88/0x368 [hip04_eth])
+[<bf30d2e0>] (hip04_rx_poll [hip04_eth]) from [<c04c2d9c>] (net_rx_action+0x114/0x34c)
+[<c04c2d9c>] (net_rx_action) from [<c021eed8>] (__do_softirq+0x218/0x318)
+[<c021eed8>] (__do_softirq) from [<c021f284>] (irq_exit+0x88/0xac)
+[<c021f284>] (irq_exit) from [<c0240090>] (msa_irq_exit+0x11c/0x1d4)
+[<c0240090>] (msa_irq_exit) from [<c02677e0>] (__handle_domain_irq+0x110/0x148)
+[<c02677e0>] (__handle_domain_irq) from [<c0201588>] (gic_handle_irq+0xd4/0x118)
+[<c0201588>] (gic_handle_irq) from [<c0551700>] (__irq_svc+0x40/0x58)
+Exception stack(0xc0a01f30 to 0xc0a01f78)
+1f20: c0ae8b40 00000000 00000000 00000000
+1f40: 00000002 ffffe000 c0601f9c 00000000 ffffffff c0a2257c c0a22440 c0831a38
+1f60: c0a01ec4 c0a01f80 c0203714 c0203718 600e0213 ffffffff
+[<c0551700>] (__irq_svc) from [<c0203718>] (arch_cpu_idle+0x20/0x3c)
+[<c0203718>] (arch_cpu_idle) from [<c025bfd8>] (cpu_startup_entry+0x244/0x29c)
+[<c025bfd8>] (cpu_startup_entry) from [<c054b0d8>] (rest_init+0xc8/0x10c)
+[<c054b0d8>] (rest_init) from [<c0800c58>] (start_kernel+0x468/0x514)
+Code: a40599e5 016086e2 018088e2 7660efe6 (503090e5)
+---[ end trace 1db21d6d09c49d74 ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+CPU3: stopping
+CPU: 3 PID: 0 Comm: swapper/3 Tainted: G D O 4.4.185 #1
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 6127697ede120..57c0afa25f9fb 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -497,6 +497,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget)
+ u16 len;
+ u32 err;
+
++ /* clean up tx descriptors */
++ tx_remaining = hip04_tx_reclaim(ndev, false);
++
+ while (cnt && !last) {
+ buf = priv->rx_buf[priv->rx_head];
+ skb = build_skb(buf, priv->rx_buf_size);
+@@ -557,8 +560,7 @@ refill:
+ }
+ napi_complete_done(napi, rx);
+ done:
+- /* clean up tx descriptors and start a new timer if necessary */
+- tx_remaining = hip04_tx_reclaim(ndev, false);
++ /* start a new timer if necessary */
+ if (rx < budget && tx_remaining)
+ hip04_start_tx_timer(priv);
+
+--
+2.20.1
+
--- /dev/null
+From 492b0949b435091565b595d0e4533514ce517e26 Mon Sep 17 00:00:00 2001
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Fri, 19 Jul 2019 16:38:48 +0200
+Subject: net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links
+
+[ Upstream commit bba18318e7d1d5c8b0bbafd65010a0cee3c65608 ]
+
+PPv2's XLGMAC can wait for 3 idle frames before triggering a link up
+event. This can cause the link to be stuck low when there's traffic on
+the interface, so disable this feature.
+
+Fixes: 4bb043262878 ("net: mvpp2: phylink support")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 6455511457ca3..9b608d23ff7ee 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -4412,9 +4412,9 @@ static void mvpp2_xlg_config(struct mvpp2_port *port, unsigned int mode,
+ if (state->pause & MLO_PAUSE_RX)
+ ctrl0 |= MVPP22_XLG_CTRL0_RX_FLOW_CTRL_EN;
+
+- ctrl4 &= ~MVPP22_XLG_CTRL4_MACMODSELECT_GMAC;
+- ctrl4 |= MVPP22_XLG_CTRL4_FWD_FC | MVPP22_XLG_CTRL4_FWD_PFC |
+- MVPP22_XLG_CTRL4_EN_IDLE_CHECK;
++ ctrl4 &= ~(MVPP22_XLG_CTRL4_MACMODSELECT_GMAC |
++ MVPP22_XLG_CTRL4_EN_IDLE_CHECK);
++ ctrl4 |= MVPP22_XLG_CTRL4_FWD_FC | MVPP22_XLG_CTRL4_FWD_PFC;
+
+ writel(ctrl0, port->base + MVPP22_XLG_CTRL0_REG);
+ writel(ctrl4, port->base + MVPP22_XLG_CTRL4_REG);
+--
+2.20.1
+
--- /dev/null
+From bc7b7b3369bf8cd6f96a671003c8ad1d22ad30c1 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Tue, 30 Jul 2019 16:08:13 +0800
+Subject: net: phy: phy_led_triggers: Fix a possible null-pointer dereference
+ in phy_led_trigger_change_speed()
+
+[ Upstream commit 271da132e29b5341c31eca6ba6a72ea1302ebac8 ]
+
+In phy_led_trigger_change_speed(), there is an if statement on line 48
+to check whether phy->last_triggered is NULL:
+ if (!phy->last_triggered)
+
+When phy->last_triggered is NULL, it is used on line 52:
+ led_trigger_event(&phy->last_triggered->trigger, LED_OFF);
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, led_trigger_event(&phy->last_triggered->trigger,
+LED_OFF) is called when phy->last_triggered is not NULL.
+
+This bug is found by a static analysis tool STCheck written by
+the OSLAB group in Tsinghua University.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_led_triggers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phy_led_triggers.c b/drivers/net/phy/phy_led_triggers.c
+index 491efc1bf5c48..7278eca70f9f3 100644
+--- a/drivers/net/phy/phy_led_triggers.c
++++ b/drivers/net/phy/phy_led_triggers.c
+@@ -58,8 +58,9 @@ void phy_led_trigger_change_speed(struct phy_device *phy)
+ if (!phy->last_triggered)
+ led_trigger_event(&phy->led_link_trigger->trigger,
+ LED_FULL);
++ else
++ led_trigger_event(&phy->last_triggered->trigger, LED_OFF);
+
+- led_trigger_event(&phy->last_triggered->trigger, LED_OFF);
+ led_trigger_event(&plt->trigger, LED_FULL);
+ phy->last_triggered = plt;
+ }
+--
+2.20.1
+
--- /dev/null
+From d37783abb074e3308f2b89b5ffd7ea8dee6cf7ee Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Tue, 6 Aug 2019 15:16:17 +0200
+Subject: net: stmmac: Fix issues when number of Queues >= 4
+
+[ Upstream commit e8df7e8c233a18d2704e37ecff47583b494789d3 ]
+
+When queues >= 4 we use different registers but we were not subtracting
+the offset of 4. Fix this.
+
+Found out by Coverity.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 4 ++++
+ drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index d0e6e1503581f..48cf5e2b24417 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -88,6 +88,8 @@ static void dwmac4_rx_queue_priority(struct mac_device_info *hw,
+ u32 value;
+
+ base_register = (queue < 4) ? GMAC_RXQ_CTRL2 : GMAC_RXQ_CTRL3;
++ if (queue >= 4)
++ queue -= 4;
+
+ value = readl(ioaddr + base_register);
+
+@@ -105,6 +107,8 @@ static void dwmac4_tx_queue_priority(struct mac_device_info *hw,
+ u32 value;
+
+ base_register = (queue < 4) ? GMAC_TXQ_PRTY_MAP0 : GMAC_TXQ_PRTY_MAP1;
++ if (queue >= 4)
++ queue -= 4;
+
+ value = readl(ioaddr + base_register);
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+index d182f82f7b586..870302a7177e2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+@@ -106,6 +106,8 @@ static void dwxgmac2_rx_queue_prio(struct mac_device_info *hw, u32 prio,
+ u32 value, reg;
+
+ reg = (queue < 4) ? XGMAC_RXQ_CTRL2 : XGMAC_RXQ_CTRL3;
++ if (queue >= 4)
++ queue -= 4;
+
+ value = readl(ioaddr + reg);
+ value &= ~XGMAC_PSRQ(queue);
+@@ -169,6 +171,8 @@ static void dwxgmac2_map_mtl_to_dma(struct mac_device_info *hw, u32 queue,
+ u32 value, reg;
+
+ reg = (queue < 4) ? XGMAC_MTL_RXQ_DMA_MAP0 : XGMAC_MTL_RXQ_DMA_MAP1;
++ if (queue >= 4)
++ queue -= 4;
+
+ value = readl(ioaddr + reg);
+ value &= ~XGMAC_QxMDMACH(queue);
+--
+2.20.1
+
--- /dev/null
+From 72f1b0c51253ee14e7720ebbdb21aa81c9290a50 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Tue, 6 Aug 2019 15:16:18 +0200
+Subject: net: stmmac: tc: Do not return a fragment entry
+
+[ Upstream commit 4a6a1385a4db5f42258a40fcd497cbfd22075968 ]
+
+Do not try to return a fragment entry from TC list. Otherwise we may not
+clean properly allocated entries.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+index 58ea18af9813a..37c0bc699cd9c 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+@@ -37,7 +37,7 @@ static struct stmmac_tc_entry *tc_find_entry(struct stmmac_priv *priv,
+ entry = &priv->tc_entries[i];
+ if (!entry->in_use && !first && free)
+ first = entry;
+- if (entry->handle == loc && !free)
++ if ((entry->handle == loc) && !free && !entry->is_frag)
+ dup = entry;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 260e98d835e774df57966cfe8120dc3ab3c0d0ea Mon Sep 17 00:00:00 2001
+From: Bob Ham <bob.ham@puri.sm>
+Date: Wed, 24 Jul 2019 07:52:27 -0700
+Subject: net: usb: qmi_wwan: Add the BroadMobi BM818 card
+
+[ Upstream commit 9a07406b00cdc6ec689dc142540739575c717f3c ]
+
+The BroadMobi BM818 M.2 card uses the QMI protocol
+
+Signed-off-by: Bob Ham <bob.ham@puri.sm>
+Signed-off-by: Angus Ainslie (Purism) <angus@akkea.ca>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 128c8a327d8ee..51017c6bb3bcb 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1231,6 +1231,7 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */
+ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */
+ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
++ {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
+--
+2.20.1
+
--- /dev/null
+From 4ca9a32e9f771390fc1ed3d087386c23a13e780a Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Sat, 20 Jul 2019 07:22:45 -0500
+Subject: netfilter: ebtables: fix a memory leak bug in compat
+
+[ Upstream commit 15a78ba1844a8e052c1226f930133de4cef4e7ad ]
+
+In compat_do_replace(), a temporary buffer is allocated through vmalloc()
+to hold entries copied from the user space. The buffer address is firstly
+saved to 'newinfo->entries', and later on assigned to 'entries_tmp'. Then
+the entries in this temporary buffer is copied to the internal kernel
+structure through compat_copy_entries(). If this copy process fails,
+compat_do_replace() should be terminated. However, the allocated temporary
+buffer is not freed on this path, leading to a memory leak.
+
+To fix the bug, free the buffer before returning from compat_do_replace().
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/ebtables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 995b3842ba7c0..62ffc989a44a2 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2274,8 +2274,10 @@ static int compat_do_replace(struct net *net, void __user *user,
+ state.buf_kern_len = size64;
+
+ ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
+- if (WARN_ON(ret < 0))
++ if (WARN_ON(ret < 0)) {
++ vfree(entries_tmp);
+ goto out_unlock;
++ }
+
+ vfree(entries_tmp);
+ tmp.entries_size = size64;
+--
+2.20.1
+
--- /dev/null
+From 4c3b539cc966ab0d3815010942854994cc698469 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Mon, 24 Jun 2019 15:20:11 +0200
+Subject: netfilter: ipset: Actually allow destination MAC address for
+ hash:ip,mac sets too
+
+[ Upstream commit b89d15480d0cacacae1a0fe0b3da01b529f2914f ]
+
+In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
+for mac and ipmac sets"), ipset.git commit 1543514c46a7, I removed the
+KADT check that prevents matching on destination MAC addresses for
+hash:mac sets, but forgot to remove the same check for hash:ip,mac set.
+
+Drop this check: functionality is now commented in man pages and there's
+no reason to restrict to source MAC address matching anymore.
+
+Reported-by: Chen Yi <yiche@redhat.com>
+Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_hash_ipmac.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
+index fd87de3ed55b3..75c21c8b76514 100644
+--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
+@@ -95,10 +95,6 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
+ struct hash_ipmac4_elem e = { .ip = 0, { .foo[0] = 0, .foo[1] = 0 } };
+ struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
+
+- /* MAC can be src only */
+- if (!(opt->flags & IPSET_DIM_TWO_SRC))
+- return 0;
+-
+ if (skb_mac_header(skb) < skb->head ||
+ (skb_mac_header(skb) + ETH_HLEN) > skb->data)
+ return -EINVAL;
+--
+2.20.1
+
--- /dev/null
+From 8740c0fb04f9be195bf86f1963c4addb1fb1e083 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Mon, 24 Jun 2019 15:20:12 +0200
+Subject: netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and
+ hash:ip,mac sets
+
+[ Upstream commit 1b4a75108d5bc153daf965d334e77e8e94534f96 ]
+
+In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
+for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the
+KADT functions for sets matching on MAC addreses the copy of source or
+destination MAC address depending on the configured match.
+
+This was done correctly for hash:mac, but for hash:ip,mac and
+bitmap:ip,mac, copying and pasting the same code block presents an
+obvious problem: in these two set types, the MAC address is the second
+dimension, not the first one, and we are actually selecting the MAC
+address depending on whether the first dimension (IP address) specifies
+source or destination.
+
+Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags.
+
+This way, mixing source and destination matches for the two dimensions
+of ip,mac set types works as expected. With this setup:
+
+ ip netns add A
+ ip link add veth1 type veth peer name veth2 netns A
+ ip addr add 192.0.2.1/24 dev veth1
+ ip -net A addr add 192.0.2.2/24 dev veth2
+ ip link set veth1 up
+ ip -net A link set veth2 up
+
+ dst=$(ip netns exec A cat /sys/class/net/veth2/address)
+
+ ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16
+ ip netns exec A ipset add test_bitmap 192.0.2.1,${dst}
+ ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP
+
+ ip netns exec A ipset create test_hash hash:ip,mac
+ ip netns exec A ipset add test_hash 192.0.2.1,${dst}
+ ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP
+
+ipset correctly matches a test packet:
+
+ # ping -c1 192.0.2.2 >/dev/null
+ # echo $?
+ 0
+
+Reported-by: Chen Yi <yiche@redhat.com>
+Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
+ net/netfilter/ipset/ip_set_hash_ipmac.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+index 13ade5782847b..4f01321e793ce 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+@@ -230,7 +230,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
+
+ e.id = ip_to_id(map, ip);
+
+- if (opt->flags & IPSET_DIM_ONE_SRC)
++ if (opt->flags & IPSET_DIM_TWO_SRC)
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
+ else
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
+diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
+index 75c21c8b76514..16ec822e40447 100644
+--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
+@@ -99,7 +99,7 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
+ (skb_mac_header(skb) + ETH_HLEN) > skb->data)
+ return -EINVAL;
+
+- if (opt->flags & IPSET_DIM_ONE_SRC)
++ if (opt->flags & IPSET_DIM_TWO_SRC)
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
+ else
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
+--
+2.20.1
+
--- /dev/null
+From 8ccb34e3dc214e20853f81fe446fc630961428ba Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+Date: Tue, 23 Jul 2019 10:25:55 +0200
+Subject: netfilter: ipset: Fix rename concurrency with listing
+
+[ Upstream commit 6c1f7e2c1b96ab9b09ac97c4df2bd9dc327206f6 ]
+
+Shijie Luo reported that when stress-testing ipset with multiple concurrent
+create, rename, flush, list, destroy commands, it can result
+
+ipset <version>: Broken LIST kernel message: missing DATA part!
+
+error messages and broken list results. The problem was the rename operation
+was not properly handled with respect of listing. The patch fixes the issue.
+
+Reported-by: Shijie Luo <luoshijie1@huawei.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 1577f2f76060d..e2538c5786714 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1157,7 +1157,7 @@ static int ip_set_rename(struct net *net, struct sock *ctnl,
+ return -ENOENT;
+
+ write_lock_bh(&ip_set_ref_lock);
+- if (set->ref != 0) {
++ if (set->ref != 0 || set->ref_netlink != 0) {
+ ret = -IPSET_ERR_REFERENCED;
+ goto out;
+ }
+--
+2.20.1
+
--- /dev/null
+From 61508e662998028641257e58fde2beda2548b3a5 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 3 Aug 2019 13:39:24 -0400
+Subject: NFS: Fix regression whereby fscache errors are appearing on 'nofsc'
+ mounts
+
+[ Upstream commit dea1bb35c5f35e0577cfc61f79261d80b8715221 ]
+
+People are reporing seeing fscache errors being reported concerning
+duplicate cookies even in cases where they are not setting up fscache
+at all. The rule needs to be that if fscache is not enabled, then it
+should have no side effects at all.
+
+To ensure this is the case, we disable fscache completely on all superblocks
+for which the 'fsc' mount option was not set. In order to avoid issues
+with '-oremount', we also disable the ability to turn fscache on via
+remount.
+
+Fixes: f1fe29b4a02d ("NFS: Use i_writecount to control whether...")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200145
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: Steve Dickson <steved@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/fscache.c | 7 ++++++-
+ fs/nfs/fscache.h | 2 +-
+ fs/nfs/super.c | 1 +
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/fscache.c b/fs/nfs/fscache.c
+index 4dc887813c71d..a7bc4e0494f92 100644
+--- a/fs/nfs/fscache.c
++++ b/fs/nfs/fscache.c
+@@ -118,6 +118,10 @@ void nfs_fscache_get_super_cookie(struct super_block *sb, const char *uniq, int
+ struct rb_node **p, *parent;
+ int diff;
+
++ nfss->fscache_key = NULL;
++ nfss->fscache = NULL;
++ if (!(nfss->options & NFS_OPTION_FSCACHE))
++ return;
+ if (!uniq) {
+ uniq = "";
+ ulen = 1;
+@@ -230,10 +234,11 @@ void nfs_fscache_release_super_cookie(struct super_block *sb)
+ void nfs_fscache_init_inode(struct inode *inode)
+ {
+ struct nfs_fscache_inode_auxdata auxdata;
++ struct nfs_server *nfss = NFS_SERVER(inode);
+ struct nfs_inode *nfsi = NFS_I(inode);
+
+ nfsi->fscache = NULL;
+- if (!S_ISREG(inode->i_mode))
++ if (!(nfss->fscache && S_ISREG(inode->i_mode)))
+ return;
+
+ memset(&auxdata, 0, sizeof(auxdata));
+diff --git a/fs/nfs/fscache.h b/fs/nfs/fscache.h
+index 161ba2edb9d04..6363ea9568581 100644
+--- a/fs/nfs/fscache.h
++++ b/fs/nfs/fscache.h
+@@ -186,7 +186,7 @@ static inline void nfs_fscache_wait_on_invalidate(struct inode *inode)
+ */
+ static inline const char *nfs_server_fscache_state(struct nfs_server *server)
+ {
+- if (server->fscache && (server->options & NFS_OPTION_FSCACHE))
++ if (server->fscache)
+ return "yes";
+ return "no ";
+ }
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 6df9b85caf205..d90efdea9fbd6 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2239,6 +2239,7 @@ nfs_compare_remount_data(struct nfs_server *nfss,
+ data->acdirmin != nfss->acdirmin / HZ ||
+ data->acdirmax != nfss->acdirmax / HZ ||
+ data->timeo != (10U * nfss->client->cl_timeout->to_initval / HZ) ||
++ (data->options & NFS_OPTION_FSCACHE) != (nfss->options & NFS_OPTION_FSCACHE) ||
+ data->nfs_server.port != nfss->port ||
+ data->nfs_server.addrlen != nfss->nfs_client->cl_addrlen ||
+ !rpc_cmp_addr((struct sockaddr *)&data->nfs_server.address,
+--
+2.20.1
+
--- /dev/null
+From 8276c550c3a3fbb514fcaed66c2c60db3a942365 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 3 Aug 2019 10:11:27 -0400
+Subject: NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
+
+[ Upstream commit c77e22834ae9a11891cb613bd9a551be1b94f2bc ]
+
+John Hubbard reports seeing the following stack trace:
+
+nfs4_do_reclaim
+ rcu_read_lock /* we are now in_atomic() and must not sleep */
+ nfs4_purge_state_owners
+ nfs4_free_state_owner
+ nfs4_destroy_seqid_counter
+ rpc_destroy_wait_queue
+ cancel_delayed_work_sync
+ __cancel_work_timer
+ __flush_work
+ start_flush_work
+ might_sleep:
+ (kernel/workqueue.c:2975: BUG)
+
+The solution is to separate out the freeing of the state owners
+from nfs4_purge_state_owners(), and perform that outside the atomic
+context.
+
+Reported-by: John Hubbard <jhubbard@nvidia.com>
+Fixes: 0aaaf5c424c7f ("NFS: Cache state owners after files are closed")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4_fs.h | 3 ++-
+ fs/nfs/nfs4client.c | 5 ++++-
+ fs/nfs/nfs4state.c | 27 ++++++++++++++++++++++-----
+ 3 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
+index 63287d911c088..5b61520dce888 100644
+--- a/fs/nfs/nfs4_fs.h
++++ b/fs/nfs/nfs4_fs.h
+@@ -469,7 +469,8 @@ static inline void nfs4_schedule_session_recovery(struct nfs4_session *session,
+
+ extern struct nfs4_state_owner *nfs4_get_state_owner(struct nfs_server *, struct rpc_cred *, gfp_t);
+ extern void nfs4_put_state_owner(struct nfs4_state_owner *);
+-extern void nfs4_purge_state_owners(struct nfs_server *);
++extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *);
++extern void nfs4_free_state_owners(struct list_head *head);
+ extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *);
+ extern void nfs4_put_open_state(struct nfs4_state *);
+ extern void nfs4_close_state(struct nfs4_state *, fmode_t);
+diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
+index 8f53455c47653..86991bcfbeb12 100644
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -754,9 +754,12 @@ out:
+
+ static void nfs4_destroy_server(struct nfs_server *server)
+ {
++ LIST_HEAD(freeme);
++
+ nfs_server_return_all_delegations(server);
+ unset_pnfs_layoutdriver(server);
+- nfs4_purge_state_owners(server);
++ nfs4_purge_state_owners(server, &freeme);
++ nfs4_free_state_owners(&freeme);
+ }
+
+ /*
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 3ba2087469ac8..c36ef75f2054b 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -628,24 +628,39 @@ void nfs4_put_state_owner(struct nfs4_state_owner *sp)
+ /**
+ * nfs4_purge_state_owners - Release all cached state owners
+ * @server: nfs_server with cached state owners to release
++ * @head: resulting list of state owners
+ *
+ * Called at umount time. Remaining state owners will be on
+ * the LRU with ref count of zero.
++ * Note that the state owners are not freed, but are added
++ * to the list @head, which can later be used as an argument
++ * to nfs4_free_state_owners.
+ */
+-void nfs4_purge_state_owners(struct nfs_server *server)
++void nfs4_purge_state_owners(struct nfs_server *server, struct list_head *head)
+ {
+ struct nfs_client *clp = server->nfs_client;
+ struct nfs4_state_owner *sp, *tmp;
+- LIST_HEAD(doomed);
+
+ spin_lock(&clp->cl_lock);
+ list_for_each_entry_safe(sp, tmp, &server->state_owners_lru, so_lru) {
+- list_move(&sp->so_lru, &doomed);
++ list_move(&sp->so_lru, head);
+ nfs4_remove_state_owner_locked(sp);
+ }
+ spin_unlock(&clp->cl_lock);
++}
+
+- list_for_each_entry_safe(sp, tmp, &doomed, so_lru) {
++/**
++ * nfs4_purge_state_owners - Release all cached state owners
++ * @head: resulting list of state owners
++ *
++ * Frees a list of state owners that was generated by
++ * nfs4_purge_state_owners
++ */
++void nfs4_free_state_owners(struct list_head *head)
++{
++ struct nfs4_state_owner *sp, *tmp;
++
++ list_for_each_entry_safe(sp, tmp, head, so_lru) {
+ list_del(&sp->so_lru);
+ nfs4_free_state_owner(sp);
+ }
+@@ -1843,12 +1858,13 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
+ struct nfs4_state_owner *sp;
+ struct nfs_server *server;
+ struct rb_node *pos;
++ LIST_HEAD(freeme);
+ int status = 0;
+
+ restart:
+ rcu_read_lock();
+ list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) {
+- nfs4_purge_state_owners(server);
++ nfs4_purge_state_owners(server, &freeme);
+ spin_lock(&clp->cl_lock);
+ for (pos = rb_first(&server->state_owners);
+ pos != NULL;
+@@ -1877,6 +1893,7 @@ restart:
+ spin_unlock(&clp->cl_lock);
+ }
+ rcu_read_unlock();
++ nfs4_free_state_owners(&freeme);
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 69a79a28a76ecd3c38fca82c704e8a51f390baf0 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Thu, 1 Aug 2019 16:26:42 +0200
+Subject: perf bench numa: Fix cpu0 binding
+
+[ Upstream commit 6bbfe4e602691b90ac866712bd4c43c51e546a60 ]
+
+Michael reported an issue with perf bench numa failing with binding to
+cpu0 with '-0' option.
+
+ # perf bench numa mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd
+ # Running 'numa/mem' benchmark:
+
+ # Running main, "perf bench numa numa-mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd"
+ binding to node 0, mask: 0000000000000001 => -1
+ perf: bench/numa.c:356: bind_to_memnode: Assertion `!(ret)' failed.
+ Aborted (core dumped)
+
+This happens when the cpu0 is not part of node0, which is the benchmark
+assumption and we can see that's not the case for some powerpc servers.
+
+Using correct node for cpu0 binding.
+
+Reported-by: Michael Petlan <mpetlan@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Link: http://lkml.kernel.org/r/20190801142642.28004-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/bench/numa.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
+index fa56fde6e8d80..91c0a4434da27 100644
+--- a/tools/perf/bench/numa.c
++++ b/tools/perf/bench/numa.c
+@@ -378,8 +378,10 @@ static u8 *alloc_data(ssize_t bytes0, int map_flags,
+
+ /* Allocate and initialize all memory on CPU#0: */
+ if (init_cpu0) {
+- orig_mask = bind_to_node(0);
+- bind_to_memnode(0);
++ int node = numa_node_of_cpu(0);
++
++ orig_mask = bind_to_node(node);
++ bind_to_memnode(node);
+ }
+
+ bytes = bytes0 + HPSIZE;
+--
+2.20.1
+
--- /dev/null
+From c6c4954b1a2de4b669ab03a130da5997c051f53c Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Fri, 2 Aug 2019 16:29:52 +0800
+Subject: perf cpumap: Fix writing to illegal memory in handling cpumap mask
+
+[ Upstream commit 5f5e25f1c7933a6e1673515c0b1d5acd82fea1ed ]
+
+cpu_map__snprint_mask() would write to illegal memory pointed by
+zalloc(0) when there is only one cpu.
+
+This patch fixes the calculation and adds sanity check against the input
+parameters.
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Fixes: 4400ac8a9a90 ("perf cpumap: Introduce cpu_map__snprint_mask()")
+Link: http://lkml.kernel.org/r/1564734592-15624-2-git-send-email-zhe.he@windriver.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/cpumap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
+index 383674f448fcd..f93846edc1e0d 100644
+--- a/tools/perf/util/cpumap.c
++++ b/tools/perf/util/cpumap.c
+@@ -701,7 +701,10 @@ size_t cpu_map__snprint_mask(struct cpu_map *map, char *buf, size_t size)
+ unsigned char *bitmap;
+ int last_cpu = cpu_map__cpu(map, map->nr - 1);
+
+- bitmap = zalloc((last_cpu + 7) / 8);
++ if (buf == NULL)
++ return 0;
++
++ bitmap = zalloc(last_cpu / 8 + 1);
+ if (bitmap == NULL) {
+ buf[0] = '\0';
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From cd1dffd4eb4b422e6fd2f8279b62c1dd5d388573 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Fri, 2 Aug 2019 16:29:51 +0800
+Subject: perf ftrace: Fix failure to set cpumask when only one cpu is present
+
+[ Upstream commit cf30ae726c011e0372fd4c2d588466c8b50a8907 ]
+
+The buffer containing the string used to set cpumask is overwritten at
+the end of the string later in cpu_map__snprint_mask due to not enough
+memory space, when there is only one cpu.
+
+And thus causes the following failure:
+
+ $ perf ftrace ls
+ failed to reset ftrace
+ $
+
+This patch fixes the calculation of the cpumask string size.
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Fixes: dc23103278c5 ("perf ftrace: Add support for -a and -C option")
+Link: http://lkml.kernel.org/r/1564734592-15624-1-git-send-email-zhe.he@windriver.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
+index f42f228e88992..137955197ba8d 100644
+--- a/tools/perf/builtin-ftrace.c
++++ b/tools/perf/builtin-ftrace.c
+@@ -174,7 +174,7 @@ static int set_tracing_cpumask(struct cpu_map *cpumap)
+ int last_cpu;
+
+ last_cpu = cpu_map__cpu(cpumap, cpumap->nr - 1);
+- mask_size = (last_cpu + 3) / 4 + 1;
++ mask_size = last_cpu / 4 + 2; /* one more byte for EOS */
+ mask_size += last_cpu / 32; /* ',' is needed for every 32th cpus */
+
+ cpumask = malloc(mask_size);
+--
+2.20.1
+
--- /dev/null
+From b9ce35f68b4ae690669f066917d97e2100a5d190 Mon Sep 17 00:00:00 2001
+From: Jin Yao <yao.jin@linux.intel.com>
+Date: Mon, 29 Jul 2019 15:27:55 +0800
+Subject: perf pmu-events: Fix missing "cpu_clk_unhalted.core" event
+
+[ Upstream commit 8e6e5bea2e34c61291d00cb3f47560341aa84bc3 ]
+
+The events defined in pmu-events JSON are parsed and added into perf
+tool. For fixed counters, we handle the encodings between JSON and perf
+by using a static array fixed[].
+
+But the fixed[] has missed an important event "cpu_clk_unhalted.core".
+
+For example, on the Tremont platform,
+
+ [root@localhost ~]# perf stat -e cpu_clk_unhalted.core -a
+ event syntax error: 'cpu_clk_unhalted.core'
+ \___ parser error
+
+With this patch, the event cpu_clk_unhalted.core can be parsed.
+
+ [root@localhost perf]# ./perf stat -e cpu_clk_unhalted.core -a -vvv
+ ------------------------------------------------------------
+ perf_event_attr:
+ type 4
+ size 112
+ config 0x3c
+ sample_type IDENTIFIER
+ read_format TOTAL_TIME_ENABLED|TOTAL_TIME_RUNNING
+ disabled 1
+ inherit 1
+ exclude_guest 1
+ ------------------------------------------------------------
+...
+
+Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jin Yao <yao.jin@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20190729072755.2166-1-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/pmu-events/jevents.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
+index 68c92bb599eef..6b36b71106695 100644
+--- a/tools/perf/pmu-events/jevents.c
++++ b/tools/perf/pmu-events/jevents.c
+@@ -450,6 +450,7 @@ static struct fixed {
+ { "inst_retired.any_p", "event=0xc0" },
+ { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03" },
+ { "cpu_clk_unhalted.thread", "event=0x3c" },
++ { "cpu_clk_unhalted.core", "event=0x3c" },
+ { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1" },
+ { NULL, NULL},
+ };
+--
+2.20.1
+
--- /dev/null
+From 05acc884c82d9b052c5331e7ceef27eaa423125a Mon Sep 17 00:00:00 2001
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Thu, 25 Jul 2019 13:59:55 +0300
+Subject: qed: RDMA - Fix the hw_ver returned in device attributes
+
+[ Upstream commit 81af04b432fdfabcdbd2c06be2ee647e3ca41a22 ]
+
+The hw_ver field was initialized to zero. Return the chip revision.
+This is relevant for rdma driver.
+
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+index 13802b825d65a..909422d939033 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+@@ -442,7 +442,7 @@ static void qed_rdma_init_devinfo(struct qed_hwfn *p_hwfn,
+ /* Vendor specific information */
+ dev->vendor_id = cdev->vendor_id;
+ dev->vendor_part_id = cdev->device_id;
+- dev->hw_ver = 0;
++ dev->hw_ver = cdev->chip_rev;
+ dev->fw_ver = (FW_MAJOR_VERSION << 24) | (FW_MINOR_VERSION << 16) |
+ (FW_REVISION_VERSION << 8) | (FW_ENGINEERING_VERSION);
+
+--
+2.20.1
+
--- /dev/null
+From b50e0584e73e8505334d2da52f9a81d532f6f9e9 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 30 Jul 2019 14:42:50 +0100
+Subject: rxrpc: Fix potential deadlock
+
+[ Upstream commit 60034d3d146b11922ab1db613bce062dddc0327a ]
+
+There is a potential deadlock in rxrpc_peer_keepalive_dispatch() whereby
+rxrpc_put_peer() is called with the peer_hash_lock held, but if it reduces
+the peer's refcount to 0, rxrpc_put_peer() calls __rxrpc_put_peer() - which
+the tries to take the already held lock.
+
+Fix this by providing a version of rxrpc_put_peer() that can be called in
+situations where the lock is already held.
+
+The bug may produce the following lockdep report:
+
+============================================
+WARNING: possible recursive locking detected
+5.2.0-next-20190718 #41 Not tainted
+--------------------------------------------
+kworker/0:3/21678 is trying to acquire lock:
+00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh
+/./include/linux/spinlock.h:343 [inline]
+00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
+__rxrpc_put_peer /net/rxrpc/peer_object.c:415 [inline]
+00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
+rxrpc_put_peer+0x2d3/0x6a0 /net/rxrpc/peer_object.c:435
+
+but task is already holding lock:
+00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh
+/./include/linux/spinlock.h:343 [inline]
+00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
+rxrpc_peer_keepalive_dispatch /net/rxrpc/peer_event.c:378 [inline]
+00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at:
+rxrpc_peer_keepalive_worker+0x6b3/0xd02 /net/rxrpc/peer_event.c:430
+
+Fixes: 330bdcfadcee ("rxrpc: Fix the keepalive generator [ver #2]")
+Reported-by: syzbot+72af434e4b3417318f84@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-internal.h | 1 +
+ net/rxrpc/peer_event.c | 2 +-
+ net/rxrpc/peer_object.c | 18 ++++++++++++++++++
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 03e0fc8c183f0..a4c341828b72f 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -1057,6 +1057,7 @@ void rxrpc_destroy_all_peers(struct rxrpc_net *);
+ struct rxrpc_peer *rxrpc_get_peer(struct rxrpc_peer *);
+ struct rxrpc_peer *rxrpc_get_peer_maybe(struct rxrpc_peer *);
+ void rxrpc_put_peer(struct rxrpc_peer *);
++void rxrpc_put_peer_locked(struct rxrpc_peer *);
+
+ /*
+ * proc.c
+diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
+index bd2fa3b7caa7e..dc7fdaf20445b 100644
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -375,7 +375,7 @@ static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet,
+ spin_lock_bh(&rxnet->peer_hash_lock);
+ list_add_tail(&peer->keepalive_link,
+ &rxnet->peer_keepalive[slot & mask]);
+- rxrpc_put_peer(peer);
++ rxrpc_put_peer_locked(peer);
+ }
+
+ spin_unlock_bh(&rxnet->peer_hash_lock);
+diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
+index 5691b7d266ca0..71547e8673b99 100644
+--- a/net/rxrpc/peer_object.c
++++ b/net/rxrpc/peer_object.c
+@@ -440,6 +440,24 @@ void rxrpc_put_peer(struct rxrpc_peer *peer)
+ }
+ }
+
++/*
++ * Drop a ref on a peer record where the caller already holds the
++ * peer_hash_lock.
++ */
++void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
++{
++ const void *here = __builtin_return_address(0);
++ int n;
++
++ n = atomic_dec_return(&peer->usage);
++ trace_rxrpc_peer(peer, rxrpc_peer_put, n, here);
++ if (n == 0) {
++ hash_del_rcu(&peer->hash_link);
++ list_del_init(&peer->keepalive_link);
++ kfree_rcu(peer, rcu);
++ }
++}
++
+ /*
+ * Make sure all peer records have been discarded.
+ */
+--
+2.20.1
+
--- /dev/null
+From dc2b19d308af6ef7a3cd90e0ce4d198c1f1557a7 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 30 Jul 2019 14:42:50 +0100
+Subject: rxrpc: Fix the lack of notification when sendmsg() fails on a DATA
+ packet
+
+[ Upstream commit c69565ee6681e151e2bb80502930a16e04b553d1 ]
+
+Fix the fact that a notification isn't sent to the recvmsg side to indicate
+a call failed when sendmsg() fails to transmit a DATA packet with the error
+ENETUNREACH, EHOSTUNREACH or ECONNREFUSED.
+
+Without this notification, the afs client just sits there waiting for the
+call to complete in some manner (which it's not now going to do), which
+also pins the rxrpc call in place.
+
+This can be seen if the client has a scope-level IPv6 address, but not a
+global-level IPv6 address, and we try and transmit an operation to a
+server's IPv6 address.
+
+Looking in /proc/net/rxrpc/calls shows completed calls just sat there with
+an abort code of RX_USER_ABORT and an error code of -ENETUNREACH.
+
+Fixes: c54e43d752c7 ("rxrpc: Fix missing start of call timeout")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/sendmsg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
+index be01f9c5d963d..5d6ab4f6fd7ab 100644
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -230,6 +230,7 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
+ rxrpc_set_call_completion(call,
+ RXRPC_CALL_LOCAL_ERROR,
+ 0, ret);
++ rxrpc_notify_socket(call);
+ goto out;
+ }
+ _debug("need instant resend %d", ret);
+--
+2.20.1
+
--- /dev/null
+From dad39ec36889db758045411e204bcf89eaa7af90 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Mon, 5 Aug 2019 14:25:16 +0200
+Subject: s390: put _stext and _etext into .text section
+
+[ Upstream commit 24350fdadbdec780406a1ef988e6cd3875e374a8 ]
+
+Perf relies on _etext and _stext symbols being one of 't', 'T', 'v' or
+'V'. Put them into .text section to guarantee that.
+
+Also moves padding to page boundary inside .text which has an effect that
+.text section is now padded with nops rather than 0's, which apparently
+has been the initial intention for specifying 0x0700 fill expression.
+
+Reported-by: Thomas Richter <tmricht@linux.ibm.com>
+Tested-by: Thomas Richter <tmricht@linux.ibm.com>
+Suggested-by: Andreas Krebbel <krebbel@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/vmlinux.lds.S | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
+index b43f8d33a3697..18ede6e806b91 100644
+--- a/arch/s390/kernel/vmlinux.lds.S
++++ b/arch/s390/kernel/vmlinux.lds.S
+@@ -31,10 +31,9 @@ PHDRS {
+ SECTIONS
+ {
+ . = 0x100000;
+- _stext = .; /* Start of text section */
+ .text : {
+- /* Text and read-only data */
+- _text = .;
++ _stext = .; /* Start of text section */
++ _text = .; /* Text and read-only data */
+ HEAD_TEXT
+ TEXT_TEXT
+ SCHED_TEXT
+@@ -46,11 +45,10 @@ SECTIONS
+ *(.text.*_indirect_*)
+ *(.fixup)
+ *(.gnu.warning)
++ . = ALIGN(PAGE_SIZE);
++ _etext = .; /* End of text section */
+ } :text = 0x0700
+
+- . = ALIGN(PAGE_SIZE);
+- _etext = .; /* End of text section */
+-
+ NOTES :text :note
+
+ .dummy : { *(.dummy) } :data
+--
+2.20.1
+
--- /dev/null
+From 1fac94fdf11850cc5d96bda26e6631689172058c Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Fri, 19 Jul 2019 11:06:11 +0200
+Subject: selftests/bpf: fix sendmsg6_prog on s390
+
+[ Upstream commit c8eee4135a456bc031d67cadc454e76880d1afd8 ]
+
+"sendmsg6: rewrite IP & port (C)" fails on s390, because the code in
+sendmsg_v6_prog() assumes that (ctx->user_ip6[0] & 0xFFFF) refers to
+leading IPv6 address digits, which is not the case on big-endian
+machines.
+
+Since checking bitwise operations doesn't seem to be the point of the
+test, replace two short comparisons with a single int comparison.
+
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Andrey Ignatov <rdna@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/sendmsg6_prog.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/sendmsg6_prog.c b/tools/testing/selftests/bpf/sendmsg6_prog.c
+index 5aeaa284fc474..a680628204108 100644
+--- a/tools/testing/selftests/bpf/sendmsg6_prog.c
++++ b/tools/testing/selftests/bpf/sendmsg6_prog.c
+@@ -41,8 +41,7 @@ int sendmsg_v6_prog(struct bpf_sock_addr *ctx)
+ }
+
+ /* Rewrite destination. */
+- if ((ctx->user_ip6[0] & 0xFFFF) == bpf_htons(0xFACE) &&
+- ctx->user_ip6[0] >> 16 == bpf_htons(0xB00C)) {
++ if (ctx->user_ip6[0] == bpf_htonl(0xFACEB00C)) {
+ ctx->user_ip6[0] = bpf_htonl(DST_REWRITE_IP6_0);
+ ctx->user_ip6[1] = bpf_htonl(DST_REWRITE_IP6_1);
+ ctx->user_ip6[2] = bpf_htonl(DST_REWRITE_IP6_2);
+--
+2.20.1
+
--- /dev/null
+From fa13fc596460662699485768524b010a21f0acee Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 23 Jul 2019 11:19:25 +0300
+Subject: selftests: forwarding: gre_multipath: Enable IPv4 forwarding
+
+[ Upstream commit efa7b79f675da0efafe3f32ba0d6efe916cf4867 ]
+
+The test did not enable IPv4 forwarding during its setup phase, which
+causes the test to fail on machines where IPv4 forwarding is disabled.
+
+Fixes: 54818c4c4b93 ("selftests: forwarding: Test multipath tunneling")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Tested-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/gre_multipath.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/net/forwarding/gre_multipath.sh b/tools/testing/selftests/net/forwarding/gre_multipath.sh
+index cca2baa03fb81..37d7297e1cf8a 100755
+--- a/tools/testing/selftests/net/forwarding/gre_multipath.sh
++++ b/tools/testing/selftests/net/forwarding/gre_multipath.sh
+@@ -187,12 +187,16 @@ setup_prepare()
+ sw1_create
+ sw2_create
+ h2_create
++
++ forwarding_enable
+ }
+
+ cleanup()
+ {
+ pre_cleanup
+
++ forwarding_restore
++
+ h2_destroy
+ sw2_destroy
+ sw1_destroy
+--
+2.20.1
+
--- /dev/null
+From 429ea4df794d58bfc7c709755deca28dbe28ab45 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 23 Jul 2019 11:19:26 +0300
+Subject: selftests: forwarding: gre_multipath: Fix flower filters
+
+[ Upstream commit 1be79d89b7ae96e004911bd228ce8c2b5cc6415f ]
+
+The TC filters used in the test do not work with veth devices because the
+outer Ethertype is 802.1Q and not IPv4. The test passes with mlxsw
+netdevs since the hardware always looks at "The first Ethertype that
+does not point to either: VLAN, CNTAG or configurable Ethertype".
+
+Fix this by matching on the VLAN ID instead, but on the ingress side.
+The reason why this is not performed at egress is explained in the
+commit cited below.
+
+Fixes: 541ad323db3a ("selftests: forwarding: gre_multipath: Update next-hop statistics match criteria")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Tested-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/net/forwarding/gre_multipath.sh | 24 +++++++++----------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/gre_multipath.sh b/tools/testing/selftests/net/forwarding/gre_multipath.sh
+index 37d7297e1cf8a..a8d8e8b3dc819 100755
+--- a/tools/testing/selftests/net/forwarding/gre_multipath.sh
++++ b/tools/testing/selftests/net/forwarding/gre_multipath.sh
+@@ -93,18 +93,10 @@ sw1_create()
+ ip route add vrf v$ol1 192.0.2.16/28 \
+ nexthop dev g1a \
+ nexthop dev g1b
+-
+- tc qdisc add dev $ul1 clsact
+- tc filter add dev $ul1 egress pref 111 prot ipv4 \
+- flower dst_ip 192.0.2.66 action pass
+- tc filter add dev $ul1 egress pref 222 prot ipv4 \
+- flower dst_ip 192.0.2.82 action pass
+ }
+
+ sw1_destroy()
+ {
+- tc qdisc del dev $ul1 clsact
+-
+ ip route del vrf v$ol1 192.0.2.16/28
+
+ ip route del vrf v$ol1 192.0.2.82/32 via 192.0.2.146
+@@ -139,10 +131,18 @@ sw2_create()
+ ip route add vrf v$ol2 192.0.2.0/28 \
+ nexthop dev g2a \
+ nexthop dev g2b
++
++ tc qdisc add dev $ul2 clsact
++ tc filter add dev $ul2 ingress pref 111 prot 802.1Q \
++ flower vlan_id 111 action pass
++ tc filter add dev $ul2 ingress pref 222 prot 802.1Q \
++ flower vlan_id 222 action pass
+ }
+
+ sw2_destroy()
+ {
++ tc qdisc del dev $ul2 clsact
++
+ ip route del vrf v$ol2 192.0.2.0/28
+
+ ip route del vrf v$ol2 192.0.2.81/32 via 192.0.2.145
+@@ -215,15 +215,15 @@ multipath4_test()
+ nexthop dev g1a weight $weight1 \
+ nexthop dev g1b weight $weight2
+
+- local t0_111=$(tc_rule_stats_get $ul1 111 egress)
+- local t0_222=$(tc_rule_stats_get $ul1 222 egress)
++ local t0_111=$(tc_rule_stats_get $ul2 111 ingress)
++ local t0_222=$(tc_rule_stats_get $ul2 222 ingress)
+
+ ip vrf exec v$h1 \
+ $MZ $h1 -q -p 64 -A 192.0.2.1 -B 192.0.2.18 \
+ -d 1msec -t udp "sp=1024,dp=0-32768"
+
+- local t1_111=$(tc_rule_stats_get $ul1 111 egress)
+- local t1_222=$(tc_rule_stats_get $ul1 222 egress)
++ local t1_111=$(tc_rule_stats_get $ul2 111 ingress)
++ local t1_222=$(tc_rule_stats_get $ul2 222 ingress)
+
+ local d111=$((t1_111 - t0_111))
+ local d222=$((t1_222 - t0_222))
+--
+2.20.1
+
--- /dev/null
+From 5067de95997d402b1a6352ec3f9732cf56504061 Mon Sep 17 00:00:00 2001
+From: Naresh Kamboju <naresh.kamboju () linaro ! org>
+Date: Wed, 7 Aug 2019 13:58:14 +0000
+Subject: selftests: kvm: Adding config fragments
+
+[ Upstream commit c096397c78f766db972f923433031f2dec01cae0 ]
+
+selftests kvm test cases need pre-required kernel configs for the test
+to get pass.
+
+Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/config | 3 +++
+ 1 file changed, 3 insertions(+)
+ create mode 100644 tools/testing/selftests/kvm/config
+
+diff --git a/tools/testing/selftests/kvm/config b/tools/testing/selftests/kvm/config
+new file mode 100644
+index 0000000000000..63ed533f73d6e
+--- /dev/null
++++ b/tools/testing/selftests/kvm/config
+@@ -0,0 +1,3 @@
++CONFIG_KVM=y
++CONFIG_KVM_INTEL=y
++CONFIG_KVM_AMD=y
+--
+2.20.1
+
--- /dev/null
+hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch
+mips-kernel-only-use-i8253-clocksource-with-periodic.patch
+mips-fix-cacheinfo.patch
+netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch
+asoc-dapm-fix-handling-of-custom_stop_condition-on-d.patch
+selftests-bpf-fix-sendmsg6_prog-on-s390.patch
+bonding-force-slave-speed-check-after-link-state-rec.patch
+net-mvpp2-don-t-check-for-3-consecutive-idle-frames-.patch
+selftests-forwarding-gre_multipath-enable-ipv4-forwa.patch
+selftests-forwarding-gre_multipath-fix-flower-filter.patch
+can-dev-call-netif_carrier_off-in-register_candev.patch
+can-mcp251x-add-error-check-when-wq-alloc-failed.patch
+can-gw-fix-error-path-of-cgw_module_init.patch
+asoc-fail-card-instantiation-if-dai-format-setup-fai.patch
+st21nfca_connectivity_event_received-null-check-the-.patch
+st_nci_hci_connectivity_event_received-null-check-th.patch
+asoc-rockchip-fix-mono-capture.patch
+asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch
+net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch
+qed-rdma-fix-the-hw_ver-returned-in-device-attribute.patch
+isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch
+mac80211_hwsim-fix-possible-null-pointer-dereference.patch
+netfilter-ipset-actually-allow-destination-mac-addre.patch
+netfilter-ipset-copy-the-right-mac-address-in-bitmap.patch
+netfilter-ipset-fix-rename-concurrency-with-listing.patch
+rxrpc-fix-potential-deadlock.patch
+rxrpc-fix-the-lack-of-notification-when-sendmsg-fail.patch
+isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch
+net-phy-phy_led_triggers-fix-a-possible-null-pointer.patch
+perf-bench-numa-fix-cpu0-binding.patch
+can-sja1000-force-the-string-buffer-null-terminated.patch
+can-peak_usb-force-the-string-buffer-null-terminated.patch
+net-ethernet-qlogic-qed-force-the-string-buffer-null.patch
+nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch
+nfs-fix-regression-whereby-fscache-errors-are-appear.patch
+hid-quirks-set-the-increment_usage_on_duplicate-quir.patch
+hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch
+drm-rockchip-suspend-dp-late.patch
+smb3-fix-potential-memory-leak-when-processing-compo.patch
+smb3-kernel-oops-mounting-a-encryptdata-share-with-c.patch
+s390-put-_stext-and-_etext-into-.text-section.patch
+net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch
+net-stmmac-fix-issues-when-number-of-queues-4.patch
+net-stmmac-tc-do-not-return-a-fragment-entry.patch
+net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch
+net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch
+net-hisilicon-fix-dma_map_single-failed-on-arm64.patch
+libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch
+libata-add-sg-safety-checks-in-sff-pio-transfers.patch
+x86-lib-cpu-address-missing-prototypes-warning.patch
+drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch
+block-bfq-handle-null-return-value-by-bfq_init_rq.patch
+perf-ftrace-fix-failure-to-set-cpumask-when-only-one.patch
+perf-cpumap-fix-writing-to-illegal-memory-in-handlin.patch
+perf-pmu-events-fix-missing-cpu_clk_unhalted.core-ev.patch
+kvm-arm64-don-t-write-junk-to-sysregs-on-reset.patch
+kvm-arm-don-t-write-junk-to-cp15-registers-on-reset.patch
+selftests-kvm-adding-config-fragments.patch
--- /dev/null
+From 0bed557084f5542665be4486a7049408af003770 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Mon, 22 Jul 2019 11:38:22 -0700
+Subject: SMB3: Fix potential memory leak when processing compound chain
+
+[ Upstream commit 3edeb4a4146dc3b54d6fa71b7ee0585cb52ebfdf ]
+
+When a reconnect happens in the middle of processing a compound chain
+the code leaks a buffer from the memory pool. Fix this by properly
+checking for a return code and freeing buffers in case of error.
+
+Also maintain a buf variable to be equal to either smallbuf or bigbuf
+depending on a response buffer size while parsing a chain and when
+returning to the caller.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 0ccf8f9b63a2e..97fdbec54db97 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3121,7 +3121,6 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
+ {
+ int ret, length;
+ char *buf = server->smallbuf;
+- char *tmpbuf;
+ struct smb2_sync_hdr *shdr;
+ unsigned int pdu_length = server->pdu_size;
+ unsigned int buf_size;
+@@ -3151,18 +3150,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
+ return length;
+
+ next_is_large = server->large_buf;
+- one_more:
++one_more:
+ shdr = (struct smb2_sync_hdr *)buf;
+ if (shdr->NextCommand) {
+- if (next_is_large) {
+- tmpbuf = server->bigbuf;
++ if (next_is_large)
+ next_buffer = (char *)cifs_buf_get();
+- } else {
+- tmpbuf = server->smallbuf;
++ else
+ next_buffer = (char *)cifs_small_buf_get();
+- }
+ memcpy(next_buffer,
+- tmpbuf + le32_to_cpu(shdr->NextCommand),
++ buf + le32_to_cpu(shdr->NextCommand),
+ pdu_length - le32_to_cpu(shdr->NextCommand));
+ }
+
+@@ -3191,12 +3187,21 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
+ pdu_length -= le32_to_cpu(shdr->NextCommand);
+ server->large_buf = next_is_large;
+ if (next_is_large)
+- server->bigbuf = next_buffer;
++ server->bigbuf = buf = next_buffer;
+ else
+- server->smallbuf = next_buffer;
+-
+- buf += le32_to_cpu(shdr->NextCommand);
++ server->smallbuf = buf = next_buffer;
+ goto one_more;
++ } else if (ret != 0) {
++ /*
++ * ret != 0 here means that we didn't get to handle_mid() thus
++ * server->smallbuf and server->bigbuf are still valid. We need
++ * to free next_buffer because it is not going to be used
++ * anywhere.
++ */
++ if (next_is_large)
++ free_rsp_buf(CIFS_LARGE_BUFFER, next_buffer);
++ else
++ free_rsp_buf(CIFS_SMALL_BUFFER, next_buffer);
+ }
+
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 73fd628be75cf15bdeeb3e0f401a3576ff8cb0a8 Mon Sep 17 00:00:00 2001
+From: Sebastien Tisserant <stisserant@wallix.com>
+Date: Thu, 1 Aug 2019 12:06:08 -0500
+Subject: SMB3: Kernel oops mounting a encryptData share with
+ CONFIG_DEBUG_VIRTUAL
+
+[ Upstream commit ee9d66182392695535cc9fccfcb40c16f72de2a9 ]
+
+Fix kernel oops when mounting a encryptData CIFS share with
+CONFIG_DEBUG_VIRTUAL
+
+Signed-off-by: Sebastien Tisserant <stisserant@wallix.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 97fdbec54db97..cc9e846a38658 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2545,7 +2545,15 @@ fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, unsigned int orig_len,
+ static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
+ unsigned int buflen)
+ {
+- sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf));
++ void *addr;
++ /*
++ * VMAP_STACK (at least) puts stack into the vmalloc address space
++ */
++ if (is_vmalloc_addr(buf))
++ addr = vmalloc_to_page(buf);
++ else
++ addr = virt_to_page(buf);
++ sg_set_page(sg, addr, buflen, offset_in_page(buf));
+ }
+
+ /* Assumes the first rqst has a transform header as the first iov.
+--
+2.20.1
+
--- /dev/null
+From 8535849a68fc85ca5b08668fd42c9ba669c3d57f Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 23 Jul 2019 17:04:30 -0500
+Subject: st21nfca_connectivity_event_received: null check the allocation
+
+[ Upstream commit 9891d06836e67324c9e9c4675ed90fc8b8110034 ]
+
+devm_kzalloc may fail and return null. So the null check is needed.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st21nfca/se.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
+index 4bed9e842db38..fd967a38a94a5 100644
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -328,6 +328,8 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
+
+ transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev,
+ skb->len - 2, GFP_KERNEL);
++ if (!transaction)
++ return -ENOMEM;
+
+ transaction->aid_len = skb->data[1];
+ memcpy(transaction->aid, &skb->data[2],
+--
+2.20.1
+
--- /dev/null
+From e41c80f735bdfa51a0322881b2a6f321ce58177f Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 23 Jul 2019 17:11:51 -0500
+Subject: st_nci_hci_connectivity_event_received: null check the allocation
+
+[ Upstream commit 3008e06fdf0973770370f97d5f1fba3701d8281d ]
+
+devm_kzalloc may fail and return NULL. So the null check is needed.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index f55d082ace715..5d6e7e931bc6c 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -344,6 +344,8 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+
+ transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev,
+ skb->len - 2, GFP_KERNEL);
++ if (!transaction)
++ return -ENOMEM;
+
+ transaction->aid_len = skb->data[1];
+ memcpy(transaction->aid, &skb->data[2], transaction->aid_len);
+--
+2.20.1
+
--- /dev/null
+From 2d900f1f92d142ac82c4f11e15c7e730997b8a6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= <valdis.kletnieks@vt.edu>
+Date: Wed, 7 Aug 2019 23:27:17 -0400
+Subject: x86/lib/cpu: Address missing prototypes warning
+
+[ Upstream commit 04f5bda84b0712d6f172556a7e8dca9ded5e73b9 ]
+
+When building with W=1, warnings about missing prototypes are emitted:
+
+ CC arch/x86/lib/cpu.o
+arch/x86/lib/cpu.c:5:14: warning: no previous prototype for 'x86_family' [-Wmissing-prototypes]
+ 5 | unsigned int x86_family(unsigned int sig)
+ | ^~~~~~~~~~
+arch/x86/lib/cpu.c:18:14: warning: no previous prototype for 'x86_model' [-Wmissing-prototypes]
+ 18 | unsigned int x86_model(unsigned int sig)
+ | ^~~~~~~~~
+arch/x86/lib/cpu.c:33:14: warning: no previous prototype for 'x86_stepping' [-Wmissing-prototypes]
+ 33 | unsigned int x86_stepping(unsigned int sig)
+ | ^~~~~~~~~~~~
+
+Add the proper include file so the prototypes are there.
+
+Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/42513.1565234837@turing-police
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/lib/cpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/lib/cpu.c b/arch/x86/lib/cpu.c
+index 2dd1fe13a37b3..19f707992db22 100644
+--- a/arch/x86/lib/cpu.c
++++ b/arch/x86/lib/cpu.c
+@@ -1,5 +1,6 @@
+ #include <linux/types.h>
+ #include <linux/export.h>
++#include <asm/cpu.h>
+
+ unsigned int x86_family(unsigned int sig)
+ {
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
