--- /dev/null
+From 6a631d453fe6870c5a14bf4ae1584c0ee4ea8e06 Mon Sep 17 00:00:00 2001
+From: Sekhar Nori <nsekhar@ti.com>
+Date: Wed, 20 Feb 2019 16:36:52 +0530
+Subject: ARM: davinci: fix build failure with allnoconfig
+
+[ Upstream commit 2dbed152e2d4c3fe2442284918d14797898b1e8a ]
+
+allnoconfig build with just ARCH_DAVINCI enabled
+fails because drivers/clk/davinci/* depends on
+REGMAP being enabled.
+
+Fix it by selecting REGMAP_MMIO when building in
+DaVinci support.
+
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index cd4c74daf71e..51794c7fa6d5 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -612,6 +612,7 @@ config ARCH_DAVINCI
+ select HAVE_IDE
+ select PM_GENERIC_DOMAINS if PM
+ select PM_GENERIC_DOMAINS_OF if PM && OF
++ select REGMAP_MMIO
+ select RESET_CONTROLLER
+ select USE_OF
+ select ZONE_DMA
+--
+2.19.1
+
--- /dev/null
+From b4fd0efec3cba99a2fb8c548bca06164e37b6108 Mon Sep 17 00:00:00 2001
+From: Helen Koike <helen.koike@collabora.com>
+Date: Mon, 4 Mar 2019 18:48:37 -0300
+Subject: ARM: dts: bcm283x: Fix hdmi hpd gpio pull
+
+[ Upstream commit 544e784188f1dd7c797c70b213385e67d92005b6 ]
+
+Raspberry pi board model B revison 2 have the hot plug detector gpio
+active high (and not low as it was in the dts).
+
+Signed-off-by: Helen Koike <helen.koike@collabora.com>
+Fixes: 49ac67e0c39c ("ARM: bcm2835: Add VC4 to the device tree.")
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
+index 5641d162dfdb..28e7513ce617 100644
+--- a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
++++ b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
+@@ -93,7 +93,7 @@
+ };
+
+ &hdmi {
+- hpd-gpios = <&gpio 46 GPIO_ACTIVE_LOW>;
++ hpd-gpios = <&gpio 46 GPIO_ACTIVE_HIGH>;
+ };
+
+ &pwm {
+--
+2.19.1
+
--- /dev/null
+From b8945a516b9472b8431068c1f70b0607b263e593 Mon Sep 17 00:00:00 2001
+From: Masanari Iida <standby24x7@gmail.com>
+Date: Tue, 19 Mar 2019 01:30:09 +0900
+Subject: ARM: dts: imx6qdl: Fix typo in imx6qdl-icore-rqs.dtsi
+
+[ Upstream commit 41b37f4c0fa67185691bcbd30201cad566f2f0d1 ]
+
+This patch fixes a spelling typo.
+
+Signed-off-by: Masanari Iida <standby24x7@gmail.com>
+Fixes: cc42603de320 ("ARM: dts: imx6q-icore-rqs: Add Engicam IMX6 Q7 initial support")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
+index acc3b11fba2a..cde3025d9603 100644
+--- a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
+@@ -298,7 +298,7 @@
+ pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
+ vmcc-supply = <®_sd3_vmmc>;
+ cd-gpios = <&gpio1 1 GPIO_ACTIVE_LOW>;
+- bus-witdh = <4>;
++ bus-width = <4>;
+ no-1-8-v;
+ status = "okay";
+ };
+@@ -309,7 +309,7 @@
+ pinctrl-1 = <&pinctrl_usdhc4_100mhz>;
+ pinctrl-2 = <&pinctrl_usdhc4_200mhz>;
+ vmcc-supply = <®_sd4_vmmc>;
+- bus-witdh = <8>;
++ bus-width = <8>;
+ no-1-8-v;
+ non-removable;
+ status = "okay";
+--
+2.19.1
+
--- /dev/null
+From 7e2bf91d36a282fe1e82f88fb472d36c7f285429 Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Mon, 4 Mar 2019 11:49:40 +0100
+Subject: ARM: dts: pfla02: increase phy reset duration
+
+[ Upstream commit 032f85c9360fb1a08385c584c2c4ed114b33c260 ]
+
+Increase the reset duration to ensure correct phy functionality. The
+reset duration is taken from barebox commit 52fdd510de ("ARM: dts:
+pfla02: use long enough reset for ethernet phy"):
+
+ Use a longer reset time for ethernet phy Micrel KSZ9031RNX. Otherwise a
+ small percentage of modules have 'transmission timeouts' errors like
+
+ barebox@Phytec phyFLEX-i.MX6 Quad Carrier-Board:/ ifup eth0
+ warning: No MAC address set. Using random address 7e:94:4d:02:f8:f3
+ eth0: 1000Mbps full duplex link detected
+ eth0: transmission timeout
+ T eth0: transmission timeout
+ T eth0: transmission timeout
+ T eth0: transmission timeout
+ T eth0: transmission timeout
+
+Cc: Stefan Christ <s.christ@phytec.de>
+Cc: Christian Hemp <c.hemp@phytec.de>
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Fixes: 3180f956668e ("ARM: dts: Phytec imx6q pfla02 and pbab01 support")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
+index ed1aafd56973..fe4e89d773f5 100644
+--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
+@@ -89,6 +89,7 @@
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii";
++ phy-reset-duration = <10>; /* in msecs */
+ phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>;
+ phy-supply = <&vdd_eth_io_reg>;
+ status = "disabled";
+--
+2.19.1
+
--- /dev/null
+From f5c686b42ce061b948df09ff580b5d55d9e4a35f Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 1 Mar 2019 16:56:46 +0800
+Subject: ARM: imx51: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit 0c17e83fe423467e3ccf0a02f99bd050a73bbeb4 ]
+
+The call to of_get_next_child returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./arch/arm/mach-imx/mach-imx51.c:64:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 57, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: Lucas Stach <l.stach@pengutronix.de>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/mach-imx/mach-imx51.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-imx/mach-imx51.c b/arch/arm/mach-imx/mach-imx51.c
+index c7169c2f94c4..08c7892866c2 100644
+--- a/arch/arm/mach-imx/mach-imx51.c
++++ b/arch/arm/mach-imx/mach-imx51.c
+@@ -59,6 +59,7 @@ static void __init imx51_m4if_setup(void)
+ return;
+
+ m4if_base = of_iomap(np, 0);
++ of_node_put(np);
+ if (!m4if_base) {
+ pr_err("Unable to map M4IF registers\n");
+ return;
+--
+2.19.1
+
--- /dev/null
+From 8eb2fed488b6e08bf50b44a269c309ab46bb6b3c Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2019 01:38:58 +0000
+Subject: ceph: fix use-after-free on symlink traversal
+
+[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ]
+
+free the symlink body after the same RCU delay we have for freeing the
+struct inode itself, so that traversal during RCU pathwalk wouldn't step
+into freed memory.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 4055ab4d5c52..3e518c2ae2bf 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
+ struct inode *inode = container_of(head, struct inode, i_rcu);
+ struct ceph_inode_info *ci = ceph_inode(inode);
+
++ kfree(ci->i_symlink);
+ kmem_cache_free(ceph_inode_cachep, ci);
+ }
+
+@@ -561,7 +562,6 @@ void ceph_destroy_inode(struct inode *inode)
+ ceph_put_snap_realm(mdsc, realm);
+ }
+
+- kfree(ci->i_symlink);
+ while ((n = rb_first(&ci->i_fragtree)) != NULL) {
+ frag = rb_entry(n, struct ceph_inode_frag, node);
+ rb_erase(n, &ci->i_fragtree);
+--
+2.19.1
+
--- /dev/null
+From ce63a383f71c7d79d28ae3a824b49688d020e090 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Fri, 8 Feb 2019 15:01:02 +0100
+Subject: drm: Fix drm_release() and device unplug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3f04e0a6cfebf48152ac64502346cdc258811f79 ]
+
+If userspace has open fd(s) when drm_dev_unplug() is run, it will result
+in drm_dev_unregister() being called twice. First in drm_dev_unplug() and
+then later in drm_release() through the call to drm_put_dev().
+
+Since userspace already holds a ref on drm_device through the drm_minor,
+it's not necessary to add extra ref counting based on no open file
+handles. Instead just drm_dev_put() unconditionally in drm_dev_unplug().
+
+We now have this:
+- Userpace holds a ref on drm_device as long as there's open fd(s)
+- The driver holds a ref on drm_device as long as it's bound to the
+ struct device
+
+When both sides are done with drm_device, it is released.
+
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Reviewed-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Sean Paul <sean@poorly.run>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190208140103.28919-2-noralf@tronnes.org
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_drv.c | 6 +-----
+ drivers/gpu/drm/drm_file.c | 6 ++----
+ 2 files changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
+index ea4941da9b27..0201ccb22f4c 100644
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -381,11 +381,7 @@ void drm_dev_unplug(struct drm_device *dev)
+ synchronize_srcu(&drm_unplug_srcu);
+
+ drm_dev_unregister(dev);
+-
+- mutex_lock(&drm_global_mutex);
+- if (dev->open_count == 0)
+- drm_dev_put(dev);
+- mutex_unlock(&drm_global_mutex);
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(drm_dev_unplug);
+
+diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
+index ffa8dc35515f..e4ccb52c67ea 100644
+--- a/drivers/gpu/drm/drm_file.c
++++ b/drivers/gpu/drm/drm_file.c
+@@ -479,11 +479,9 @@ int drm_release(struct inode *inode, struct file *filp)
+
+ drm_file_free(file_priv);
+
+- if (!--dev->open_count) {
++ if (!--dev->open_count)
+ drm_lastclose(dev);
+- if (drm_dev_is_unplugged(dev))
+- drm_put_dev(dev);
+- }
++
+ mutex_unlock(&drm_global_mutex);
+
+ drm_minor_release(minor);
+--
+2.19.1
+
--- /dev/null
+From a93b00b9ffa50600cd0792db7ca4e3ff7ed67538 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Fri, 22 Mar 2019 15:26:56 +0000
+Subject: drm/meson: Fix invalid pointer in meson_drv_unbind()
+
+[ Upstream commit 776e78677f514ecddd12dba48b9040958999bd5a ]
+
+meson_drv_bind() registers a meson_drm struct as the device's privdata,
+but meson_drv_unbind() tries to retrieve a drm_device. This may cause a
+segfault on shutdown:
+
+[ 5194.593429] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000197
+ ...
+[ 5194.788850] Call trace:
+[ 5194.791349] drm_dev_unregister+0x1c/0x118 [drm]
+[ 5194.795848] meson_drv_unbind+0x50/0x78 [meson_drm]
+
+Retrieve the right pointer in meson_drv_unbind().
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190322152657.13752-1-jean-philippe.brucker@arm.com
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 611ac340fb28..4a72fa53a1d5 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -317,8 +317,8 @@ static int meson_drv_bind(struct device *dev)
+
+ static void meson_drv_unbind(struct device *dev)
+ {
+- struct drm_device *drm = dev_get_drvdata(dev);
+- struct meson_drm *priv = drm->dev_private;
++ struct meson_drm *priv = dev_get_drvdata(dev);
++ struct drm_device *drm = priv->drm;
+
+ drm_dev_unregister(drm);
+ drm_kms_helper_poll_fini(drm);
+--
+2.19.1
+
--- /dev/null
+From ddb521ddb9e40a98479d56dfcacdcf99a8d6d688 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Fri, 22 Mar 2019 15:26:57 +0000
+Subject: drm/meson: Uninstall IRQ handler
+
+[ Upstream commit 2d8f92897ad816f5dda54b2ed2fd9f2d7cb1abde ]
+
+meson_drv_unbind() doesn't unregister the IRQ handler, which can lead to
+use-after-free if the IRQ fires after unbind:
+
+[ 64.656876] Unable to handle kernel paging request at virtual address ffff000011706dbc
+...
+[ 64.662001] pc : meson_irq+0x18/0x30 [meson_drm]
+
+I'm assuming that a similar problem could happen on the error path of
+bind(), so uninstall the IRQ handler there as well.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190322152657.13752-2-jean-philippe.brucker@arm.com
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 4a72fa53a1d5..588b3b0c8315 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -300,10 +300,12 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
+
+ ret = drm_dev_register(drm, 0);
+ if (ret)
+- goto free_drm;
++ goto uninstall_irq;
+
+ return 0;
+
++uninstall_irq:
++ drm_irq_uninstall(drm);
+ free_drm:
+ drm_dev_put(drm);
+
+@@ -321,6 +323,7 @@ static void meson_drv_unbind(struct device *dev)
+ struct drm_device *drm = priv->drm;
+
+ drm_dev_unregister(drm);
++ drm_irq_uninstall(drm);
+ drm_kms_helper_poll_fini(drm);
+ drm_fbdev_cma_fini(priv->fbdev);
+ drm_mode_config_cleanup(drm);
+--
+2.19.1
+
--- /dev/null
+From b997e3ca60787c199e355cbafc7cb907122e3ab6 Mon Sep 17 00:00:00 2001
+From: Thierry Reding <treding@nvidia.com>
+Date: Mon, 11 Feb 2019 11:51:20 +0100
+Subject: drm/tegra: hub: Fix dereference before check
+
+[ Upstream commit 7cf77b273a8fc51e7de622fa6691abd4436a9a6b ]
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/hub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/hub.c b/drivers/gpu/drm/tegra/hub.c
+index 8f4fcbb515fb..bb97cad1eb69 100644
+--- a/drivers/gpu/drm/tegra/hub.c
++++ b/drivers/gpu/drm/tegra/hub.c
+@@ -378,14 +378,16 @@ static int tegra_shared_plane_atomic_check(struct drm_plane *plane,
+ static void tegra_shared_plane_atomic_disable(struct drm_plane *plane,
+ struct drm_plane_state *old_state)
+ {
+- struct tegra_dc *dc = to_tegra_dc(old_state->crtc);
+ struct tegra_plane *p = to_tegra_plane(plane);
++ struct tegra_dc *dc;
+ u32 value;
+
+ /* rien ne va plus */
+ if (!old_state || !old_state->crtc)
+ return;
+
++ dc = to_tegra_dc(old_state->crtc);
++
+ /*
+ * XXX Legacy helpers seem to sometimes call ->atomic_disable() even
+ * on planes that are already disabled. Make sure we fallback to the
+--
+2.19.1
+
--- /dev/null
+From 9141872fb9f49ca439d1207305ebc594de893e55 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sun, 24 Mar 2019 18:10:02 -0500
+Subject: gpio: aspeed: fix a potential NULL pointer dereference
+
+[ Upstream commit 6cf4511e9729c00a7306cf94085f9cc3c52ee723 ]
+
+In case devm_kzalloc, the patch returns ENOMEM to avoid potential
+NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpio/gpio-aspeed.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c
+index 2342e154029b..b696ec35efb3 100644
+--- a/drivers/gpio/gpio-aspeed.c
++++ b/drivers/gpio/gpio-aspeed.c
+@@ -1225,6 +1225,8 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev)
+
+ gpio->offset_timer =
+ devm_kzalloc(&pdev->dev, gpio->chip.ngpio, GFP_KERNEL);
++ if (!gpio->offset_timer)
++ return -ENOMEM;
+
+ return aspeed_gpio_setup_irqs(gpio, pdev);
+ }
+--
+2.19.1
+
--- /dev/null
+From ace9a16cf41a80a09258e5cd6b2bb98079322fae Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 28 Mar 2019 14:13:47 +0100
+Subject: gpio: of: Fix of_gpiochip_add() error path
+
+[ Upstream commit f7299d441a4da8a5088e651ea55023525a793a13 ]
+
+If the call to of_gpiochip_scan_gpios() in of_gpiochip_add() fails, no
+error handling is performed. This lead to the need of callers to call
+of_gpiochip_remove() on failure, which causes "BAD of_node_put() on ..."
+if the failure happened before the call to of_node_get().
+
+Fix this by adding proper error handling.
+
+Note that calling gpiochip_remove_pin_ranges() multiple times causes no
+harm: subsequent calls are a no-op.
+
+Fixes: dfbd379ba9b7431e ("gpio: of: Return error if gpio hog configuration failed")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-of.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
+index d4e7a09598fa..e0f149bdf98f 100644
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -646,7 +646,13 @@ int of_gpiochip_add(struct gpio_chip *chip)
+
+ of_node_get(chip->of_node);
+
+- return of_gpiochip_scan_gpios(chip);
++ status = of_gpiochip_scan_gpios(chip);
++ if (status) {
++ of_node_put(chip->of_node);
++ gpiochip_remove_pin_ranges(chip);
++ }
++
++ return status;
+ }
+
+ void of_gpiochip_remove(struct gpio_chip *chip)
+--
+2.19.1
+
--- /dev/null
+From 27604e82f749d65480f8f5dd623d6230476daab2 Mon Sep 17 00:00:00 2001
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Date: Fri, 15 Mar 2019 12:56:49 +0200
+Subject: i2c: i801: Add support for Intel Comet Lake
+
+[ Upstream commit 5cd1c56c42beb6d228cc8d4373fdc5f5ec78a5ad ]
+
+Add PCI ID for Intel Comet Lake PCH.
+
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ Documentation/i2c/busses/i2c-i801 | 1 +
+ drivers/i2c/busses/Kconfig | 1 +
+ drivers/i2c/busses/i2c-i801.c | 4 ++++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/Documentation/i2c/busses/i2c-i801 b/Documentation/i2c/busses/i2c-i801
+index d1ee484a787d..ee9984f35868 100644
+--- a/Documentation/i2c/busses/i2c-i801
++++ b/Documentation/i2c/busses/i2c-i801
+@@ -36,6 +36,7 @@ Supported adapters:
+ * Intel Cannon Lake (PCH)
+ * Intel Cedar Fork (PCH)
+ * Intel Ice Lake (PCH)
++ * Intel Comet Lake (PCH)
+ Datasheets: Publicly available at the Intel website
+
+ On Intel Patsburg and later chipsets, both the normal host SMBus controller
+diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
+index ac4b09642f63..8f803812ea24 100644
+--- a/drivers/i2c/busses/Kconfig
++++ b/drivers/i2c/busses/Kconfig
+@@ -131,6 +131,7 @@ config I2C_I801
+ Cannon Lake (PCH)
+ Cedar Fork (PCH)
+ Ice Lake (PCH)
++ Comet Lake (PCH)
+
+ This driver can also be built as a module. If so, the module
+ will be called i2c-i801.
+diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
+index c91e145ef5a5..679c6c41f64b 100644
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -71,6 +71,7 @@
+ * Cannon Lake-LP (PCH) 0x9da3 32 hard yes yes yes
+ * Cedar Fork (PCH) 0x18df 32 hard yes yes yes
+ * Ice Lake-LP (PCH) 0x34a3 32 hard yes yes yes
++ * Comet Lake (PCH) 0x02a3 32 hard yes yes yes
+ *
+ * Features supported by this driver:
+ * Software PEC no
+@@ -240,6 +241,7 @@
+ #define PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS 0xa223
+ #define PCI_DEVICE_ID_INTEL_KABYLAKE_PCH_H_SMBUS 0xa2a3
+ #define PCI_DEVICE_ID_INTEL_CANNONLAKE_H_SMBUS 0xa323
++#define PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS 0x02a3
+
+ struct i801_mux_config {
+ char *gpio_chip;
+@@ -1038,6 +1040,7 @@ static const struct pci_device_id i801_ids[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CANNONLAKE_H_SMBUS) },
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CANNONLAKE_LP_SMBUS) },
+ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICELAKE_LP_SMBUS) },
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS) },
+ { 0, }
+ };
+
+@@ -1534,6 +1537,7 @@ static int i801_probe(struct pci_dev *dev, const struct pci_device_id *id)
+ case PCI_DEVICE_ID_INTEL_DNV_SMBUS:
+ case PCI_DEVICE_ID_INTEL_KABYLAKE_PCH_H_SMBUS:
+ case PCI_DEVICE_ID_INTEL_ICELAKE_LP_SMBUS:
++ case PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS:
+ priv->features |= FEATURE_I2C_BLOCK_READ;
+ priv->features |= FEATURE_IRQ;
+ priv->features |= FEATURE_SMBUS_PEC;
+--
+2.19.1
+
--- /dev/null
+From 01e8d54e7819390545900422d0dcde2cb9b426e5 Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Tue, 19 Feb 2019 13:10:29 +0800
+Subject: ieee802154: hwsim: propagate genlmsg_reply return code
+
+[ Upstream commit 19b39a25388e71390e059906c979f87be4ef0c71 ]
+
+genlmsg_reply can fail, so propagate its return code
+
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 624bff4d3636..f1ed1744801c 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -332,7 +332,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
+ goto out_err;
+ }
+
+- genlmsg_reply(skb, info);
++ res = genlmsg_reply(skb, info);
+ break;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From c9b9cd338b95f30d0cbc126a6ea8694bdda9d8ad Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Thu, 28 Mar 2019 11:44:59 +0100
+Subject: iommu/amd: Reserve exclusion range in iova-domain
+
+[ Upstream commit 8aafaaf2212192012f5bae305bb31cdf7681d777 ]
+
+If a device has an exclusion range specified in the IVRS
+table, this region needs to be reserved in the iova-domain
+of that device. This hasn't happened until now and can cause
+data corruption on data transfered with these devices.
+
+Treat exclusion ranges as reserved regions in the iommu-core
+to fix the problem.
+
+Fixes: be2a022c0dd0 ('x86, AMD IOMMU: add functions to parse IOMMU memory mapping requirements for devices')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Reviewed-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 9 ++++++---
+ drivers/iommu/amd_iommu_init.c | 7 ++++---
+ drivers/iommu/amd_iommu_types.h | 2 ++
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 0b3877681e4a..8d9920ff4134 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3119,21 +3119,24 @@ static void amd_iommu_get_resv_regions(struct device *dev,
+ return;
+
+ list_for_each_entry(entry, &amd_iommu_unity_map, list) {
++ int type, prot = 0;
+ size_t length;
+- int prot = 0;
+
+ if (devid < entry->devid_start || devid > entry->devid_end)
+ continue;
+
++ type = IOMMU_RESV_DIRECT;
+ length = entry->address_end - entry->address_start;
+ if (entry->prot & IOMMU_PROT_IR)
+ prot |= IOMMU_READ;
+ if (entry->prot & IOMMU_PROT_IW)
+ prot |= IOMMU_WRITE;
++ if (entry->prot & IOMMU_UNITY_MAP_FLAG_EXCL_RANGE)
++ /* Exclusion range */
++ type = IOMMU_RESV_RESERVED;
+
+ region = iommu_alloc_resv_region(entry->address_start,
+- length, prot,
+- IOMMU_RESV_DIRECT);
++ length, prot, type);
+ if (!region) {
+ pr_err("Out of memory allocating dm-regions for %s\n",
+ dev_name(dev));
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index e062ab9687c7..be3801d43d48 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -2001,6 +2001,9 @@ static int __init init_unity_map_range(struct ivmd_header *m)
+ if (e == NULL)
+ return -ENOMEM;
+
++ if (m->flags & IVMD_FLAG_EXCL_RANGE)
++ init_exclusion_range(m);
++
+ switch (m->type) {
+ default:
+ kfree(e);
+@@ -2047,9 +2050,7 @@ static int __init init_memory_definitions(struct acpi_table_header *table)
+
+ while (p < end) {
+ m = (struct ivmd_header *)p;
+- if (m->flags & IVMD_FLAG_EXCL_RANGE)
+- init_exclusion_range(m);
+- else if (m->flags & IVMD_FLAG_UNITY_MAP)
++ if (m->flags & (IVMD_FLAG_UNITY_MAP | IVMD_FLAG_EXCL_RANGE))
+ init_unity_map_range(m);
+
+ p += m->length;
+diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
+index e2b342e65a7b..69f3d4c95b53 100644
+--- a/drivers/iommu/amd_iommu_types.h
++++ b/drivers/iommu/amd_iommu_types.h
+@@ -373,6 +373,8 @@
+ #define IOMMU_PROT_IR 0x01
+ #define IOMMU_PROT_IW 0x02
+
++#define IOMMU_UNITY_MAP_FLAG_EXCL_RANGE (1 << 2)
++
+ /* IOMMU capabilities */
+ #define IOMMU_CAP_IOTLB 24
+ #define IOMMU_CAP_NPCACHE 26
+--
+2.19.1
+
--- /dev/null
+From 9d74714c941d85dc8d0132447dfd0a64c9f02c27 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Mon, 25 Mar 2019 15:16:47 +0000
+Subject: kconfig/[mn]conf: handle backspace (^H) key
+
+[ Upstream commit 9c38f1f044080392603c497ecca4d7d09876ff99 ]
+
+Backspace is not working on some terminal emulators which do not send the
+key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127).
+But currently only '^?' is handled. Let's also handle '^H' for those
+terminals.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ scripts/kconfig/lxdialog/inputbox.c | 3 ++-
+ scripts/kconfig/nconf.c | 2 +-
+ scripts/kconfig/nconf.gui.c | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
+index fe82ff6d744e..b15c8d1744f5 100644
+--- a/scripts/kconfig/lxdialog/inputbox.c
++++ b/scripts/kconfig/lxdialog/inputbox.c
+@@ -126,7 +126,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
+ case KEY_DOWN:
+ break;
+ case KEY_BACKSPACE:
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ if (pos) {
+ wattrset(dialog, dlg.inputbox.atr);
+ if (input_x == 0) {
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 1ef232ae5ab9..c8ff1c99dd5c 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -1049,7 +1049,7 @@ static int do_match(int key, struct match_state *state, int *ans)
+ state->match_direction = FIND_NEXT_MATCH_UP;
+ *ans = get_mext_match(state->pattern,
+ state->match_direction);
+- } else if (key == KEY_BACKSPACE || key == 127) {
++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) {
+ state->pattern[strlen(state->pattern)-1] = '\0';
+ adj_match_dir(&state->match_direction);
+ } else
+diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
+index 88874acfda36..820fc9256532 100644
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -440,7 +440,8 @@ int dialog_inputbox(WINDOW *main_window,
+ case KEY_F(F_EXIT):
+ case KEY_F(F_BACK):
+ break;
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ case KEY_BACKSPACE:
+ if (cursor_position > 0) {
+ memmove(&result[cursor_position-1],
+--
+2.19.1
+
--- /dev/null
+From 371df420295d76b0df436130dc5afc127b19b99f Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 19 Mar 2019 12:56:23 +0000
+Subject: KVM: arm/arm64: vgic-its: Take the srcu lock when parsing the
+ memslots
+
+[ Upstream commit 7494cec6cb3ba7385a6a223b81906384f15aae34 ]
+
+Calling kvm_is_visible_gfn() implies that we're parsing the memslots,
+and doing this without the srcu lock is frown upon:
+
+[12704.164532] =============================
+[12704.164544] WARNING: suspicious RCU usage
+[12704.164560] 5.1.0-rc1-00008-g600025238f51-dirty #16 Tainted: G W
+[12704.164573] -----------------------------
+[12704.164589] ./include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage!
+[12704.164602] other info that might help us debug this:
+[12704.164616] rcu_scheduler_active = 2, debug_locks = 1
+[12704.164631] 6 locks held by qemu-system-aar/13968:
+[12704.164644] #0: 000000007ebdae4f (&kvm->lock){+.+.}, at: vgic_its_set_attr+0x244/0x3a0
+[12704.164691] #1: 000000007d751022 (&its->its_lock){+.+.}, at: vgic_its_set_attr+0x250/0x3a0
+[12704.164726] #2: 00000000219d2706 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164761] #3: 00000000a760aecd (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164794] #4: 000000000ef8e31d (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164827] #5: 000000007a872093 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164861] stack backtrace:
+[12704.164878] CPU: 2 PID: 13968 Comm: qemu-system-aar Tainted: G W 5.1.0-rc1-00008-g600025238f51-dirty #16
+[12704.164887] Hardware name: rockchip evb_rk3399/evb_rk3399, BIOS 2019.04-rc3-00124-g2feec69fb1 03/15/2019
+[12704.164896] Call trace:
+[12704.164910] dump_backtrace+0x0/0x138
+[12704.164920] show_stack+0x24/0x30
+[12704.164934] dump_stack+0xbc/0x104
+[12704.164946] lockdep_rcu_suspicious+0xcc/0x110
+[12704.164958] gfn_to_memslot+0x174/0x190
+[12704.164969] kvm_is_visible_gfn+0x28/0x70
+[12704.164980] vgic_its_check_id.isra.0+0xec/0x1e8
+[12704.164991] vgic_its_save_tables_v0+0x1ac/0x330
+[12704.165001] vgic_its_set_attr+0x298/0x3a0
+[12704.165012] kvm_device_ioctl_attr+0x9c/0xd8
+[12704.165022] kvm_device_ioctl+0x8c/0xf8
+[12704.165035] do_vfs_ioctl+0xc8/0x960
+[12704.165045] ksys_ioctl+0x8c/0xa0
+[12704.165055] __arm64_sys_ioctl+0x28/0x38
+[12704.165067] el0_svc_common+0xd8/0x138
+[12704.165078] el0_svc_handler+0x38/0x78
+[12704.165089] el0_svc+0x8/0xc
+
+Make sure the lock is taken when doing this.
+
+Fixes: bf308242ab98 ("KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock")
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
+index c1071ed888e2..621bb004067e 100644
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -760,8 +760,9 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
+ int l1_tbl_size = GITS_BASER_NR_PAGES(baser) * SZ_64K;
+ u64 indirect_ptr, type = GITS_BASER_TYPE(baser);
+ int esz = GITS_BASER_ENTRY_SIZE(baser);
+- int index;
++ int index, idx;
+ gfn_t gfn;
++ bool ret;
+
+ switch (type) {
+ case GITS_BASER_TYPE_DEVICE:
+@@ -788,7 +789,8 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
+
+ if (eaddr)
+ *eaddr = addr;
+- return kvm_is_visible_gfn(its->dev->kvm, gfn);
++
++ goto out;
+ }
+
+ /* calculate and check the index into the 1st level */
+@@ -822,7 +824,12 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
+
+ if (eaddr)
+ *eaddr = indirect_ptr;
+- return kvm_is_visible_gfn(its->dev->kvm, gfn);
++
++out:
++ idx = srcu_read_lock(&its->dev->kvm->srcu);
++ ret = kvm_is_visible_gfn(its->dev->kvm, gfn);
++ srcu_read_unlock(&its->dev->kvm->srcu, idx);
++ return ret;
+ }
+
+ static int vgic_its_alloc_collection(struct vgic_its *its,
+--
+2.19.1
+
--- /dev/null
+From 5e05e4db6ac53356eb7c55bdd317eca5b2a178bc Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 19 Mar 2019 12:47:11 +0000
+Subject: KVM: arm/arm64: vgic-its: Take the srcu lock when writing to guest
+ memory
+
+[ Upstream commit a6ecfb11bf37743c1ac49b266595582b107b61d4 ]
+
+When halting a guest, QEMU flushes the virtual ITS caches, which
+amounts to writing to the various tables that the guest has allocated.
+
+When doing this, we fail to take the srcu lock, and the kernel
+shouts loudly if running a lockdep kernel:
+
+[ 69.680416] =============================
+[ 69.680819] WARNING: suspicious RCU usage
+[ 69.681526] 5.1.0-rc1-00008-g600025238f51-dirty #18 Not tainted
+[ 69.682096] -----------------------------
+[ 69.682501] ./include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage!
+[ 69.683225]
+[ 69.683225] other info that might help us debug this:
+[ 69.683225]
+[ 69.683975]
+[ 69.683975] rcu_scheduler_active = 2, debug_locks = 1
+[ 69.684598] 6 locks held by qemu-system-aar/4097:
+[ 69.685059] #0: 0000000034196013 (&kvm->lock){+.+.}, at: vgic_its_set_attr+0x244/0x3a0
+[ 69.686087] #1: 00000000f2ed935e (&its->its_lock){+.+.}, at: vgic_its_set_attr+0x250/0x3a0
+[ 69.686919] #2: 000000005e71ea54 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[ 69.687698] #3: 00000000c17e548d (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[ 69.688475] #4: 00000000ba386017 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[ 69.689978] #5: 00000000c2c3c335 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[ 69.690729]
+[ 69.690729] stack backtrace:
+[ 69.691151] CPU: 2 PID: 4097 Comm: qemu-system-aar Not tainted 5.1.0-rc1-00008-g600025238f51-dirty #18
+[ 69.691984] Hardware name: rockchip evb_rk3399/evb_rk3399, BIOS 2019.04-rc3-00124-g2feec69fb1 03/15/2019
+[ 69.692831] Call trace:
+[ 69.694072] lockdep_rcu_suspicious+0xcc/0x110
+[ 69.694490] gfn_to_memslot+0x174/0x190
+[ 69.694853] kvm_write_guest+0x50/0xb0
+[ 69.695209] vgic_its_save_tables_v0+0x248/0x330
+[ 69.695639] vgic_its_set_attr+0x298/0x3a0
+[ 69.696024] kvm_device_ioctl_attr+0x9c/0xd8
+[ 69.696424] kvm_device_ioctl+0x8c/0xf8
+[ 69.696788] do_vfs_ioctl+0xc8/0x960
+[ 69.697128] ksys_ioctl+0x8c/0xa0
+[ 69.697445] __arm64_sys_ioctl+0x28/0x38
+[ 69.697817] el0_svc_common+0xd8/0x138
+[ 69.698173] el0_svc_handler+0x38/0x78
+[ 69.698528] el0_svc+0x8/0xc
+
+The fix is to obviously take the srcu lock, just like we do on the
+read side of things since bf308242ab98. One wonders why this wasn't
+fixed at the same time, but hey...
+
+Fixes: bf308242ab98 ("KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock")
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/include/asm/kvm_mmu.h | 11 +++++++++++
+ arch/arm64/include/asm/kvm_mmu.h | 11 +++++++++++
+ virt/kvm/arm/vgic/vgic-its.c | 8 ++++----
+ virt/kvm/arm/vgic/vgic-v3.c | 4 ++--
+ 4 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
+index 265ea9cf7df7..523c499e42db 100644
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -317,6 +317,17 @@ static inline int kvm_read_guest_lock(struct kvm *kvm,
+ return ret;
+ }
+
++static inline int kvm_write_guest_lock(struct kvm *kvm, gpa_t gpa,
++ const void *data, unsigned long len)
++{
++ int srcu_idx = srcu_read_lock(&kvm->srcu);
++ int ret = kvm_write_guest(kvm, gpa, data, len);
++
++ srcu_read_unlock(&kvm->srcu, srcu_idx);
++
++ return ret;
++}
++
+ static inline void *kvm_get_hyp_vector(void)
+ {
+ switch(read_cpuid_part()) {
+diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
+index d6fff7de5539..b2558447c67d 100644
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -394,6 +394,17 @@ static inline int kvm_read_guest_lock(struct kvm *kvm,
+ return ret;
+ }
+
++static inline int kvm_write_guest_lock(struct kvm *kvm, gpa_t gpa,
++ const void *data, unsigned long len)
++{
++ int srcu_idx = srcu_read_lock(&kvm->srcu);
++ int ret = kvm_write_guest(kvm, gpa, data, len);
++
++ srcu_read_unlock(&kvm->srcu, srcu_idx);
++
++ return ret;
++}
++
+ #ifdef CONFIG_KVM_INDIRECT_VECTORS
+ /*
+ * EL2 vectors can be mapped and rerouted in a number of ways,
+diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
+index f376c82afb61..c1071ed888e2 100644
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -1935,7 +1935,7 @@ static int vgic_its_save_ite(struct vgic_its *its, struct its_device *dev,
+ ((u64)ite->irq->intid << KVM_ITS_ITE_PINTID_SHIFT) |
+ ite->collection->collection_id;
+ val = cpu_to_le64(val);
+- return kvm_write_guest(kvm, gpa, &val, ite_esz);
++ return kvm_write_guest_lock(kvm, gpa, &val, ite_esz);
+ }
+
+ /**
+@@ -2082,7 +2082,7 @@ static int vgic_its_save_dte(struct vgic_its *its, struct its_device *dev,
+ (itt_addr_field << KVM_ITS_DTE_ITTADDR_SHIFT) |
+ (dev->num_eventid_bits - 1));
+ val = cpu_to_le64(val);
+- return kvm_write_guest(kvm, ptr, &val, dte_esz);
++ return kvm_write_guest_lock(kvm, ptr, &val, dte_esz);
+ }
+
+ /**
+@@ -2262,7 +2262,7 @@ static int vgic_its_save_cte(struct vgic_its *its,
+ ((u64)collection->target_addr << KVM_ITS_CTE_RDBASE_SHIFT) |
+ collection->collection_id);
+ val = cpu_to_le64(val);
+- return kvm_write_guest(its->dev->kvm, gpa, &val, esz);
++ return kvm_write_guest_lock(its->dev->kvm, gpa, &val, esz);
+ }
+
+ static int vgic_its_restore_cte(struct vgic_its *its, gpa_t gpa, int esz)
+@@ -2333,7 +2333,7 @@ static int vgic_its_save_collection_table(struct vgic_its *its)
+ */
+ val = 0;
+ BUG_ON(cte_esz > sizeof(val));
+- ret = kvm_write_guest(its->dev->kvm, gpa, &val, cte_esz);
++ ret = kvm_write_guest_lock(its->dev->kvm, gpa, &val, cte_esz);
+ return ret;
+ }
+
+diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c
+index 9c0dd234ebe8..3f2350a4d4ab 100644
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -358,7 +358,7 @@ int vgic_v3_lpi_sync_pending_status(struct kvm *kvm, struct vgic_irq *irq)
+ if (status) {
+ /* clear consumed data */
+ val &= ~(1 << bit_nr);
+- ret = kvm_write_guest(kvm, ptr, &val, 1);
++ ret = kvm_write_guest_lock(kvm, ptr, &val, 1);
+ if (ret)
+ return ret;
+ }
+@@ -409,7 +409,7 @@ int vgic_v3_save_pending_tables(struct kvm *kvm)
+ else
+ val &= ~(1 << bit_nr);
+
+- ret = kvm_write_guest(kvm, ptr, &val, 1);
++ ret = kvm_write_guest_lock(kvm, ptr, &val, 1);
+ if (ret)
+ return ret;
+ }
+--
+2.19.1
+
--- /dev/null
+From f613ed80638adf40be4702f761873ff8da5de703 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Mon, 4 Mar 2019 17:37:44 +0000
+Subject: KVM: arm64: Reset the PMU in preemptible context
+
+[ Upstream commit ebff0b0e3d3c862c16c487959db5e0d879632559 ]
+
+We've become very cautious to now always reset the vcpu when nothing
+is loaded on the physical CPU. To do so, we now disable preemption
+and do a kvm_arch_vcpu_put() to make sure we have all the state
+in memory (and that it won't be loaded behind out back).
+
+This now causes issues with resetting the PMU, which calls into perf.
+Perf itself uses mutexes, which clashes with the lack of preemption.
+It is worth realizing that the PMU is fully emulated, and that
+no PMU state is ever loaded on the physical CPU. This means we can
+perfectly reset the PMU outside of the non-preemptible section.
+
+Fixes: e761a927bc9a ("KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded")
+Reported-by: Julien Grall <julien.grall@arm.com>
+Tested-by: Julien Grall <julien.grall@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm64/kvm/reset.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
+index 18b9a522a2b3..0688816f19e2 100644
+--- a/arch/arm64/kvm/reset.c
++++ b/arch/arm64/kvm/reset.c
+@@ -117,6 +117,9 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu)
+ int ret = -EINVAL;
+ bool loaded;
+
++ /* Reset PMU outside of the non-preemptible section */
++ kvm_pmu_vcpu_reset(vcpu);
++
+ preempt_disable();
+ loaded = (vcpu->cpu != -1);
+ if (loaded)
+@@ -164,9 +167,6 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu)
+ vcpu->arch.reset_state.reset = false;
+ }
+
+- /* Reset PMU */
+- kvm_pmu_vcpu_reset(vcpu);
+-
+ /* Default workaround setup is enabled (if supported) */
+ if (kvm_arm_have_ssbd() == KVM_SSBD_KERNEL)
+ vcpu->arch.workaround_flags |= VCPU_WORKAROUND_2_FLAG;
+--
+2.19.1
+
--- /dev/null
+From f14f187b508f32f81a0505d2a66d80d8dd00a729 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 9 Mar 2019 00:04:11 -0600
+Subject: leds: pca9532: fix a potential NULL pointer dereference
+
+[ Upstream commit 0aab8e4df4702b31314a27ec4b0631dfad0fae0a ]
+
+In case of_match_device cannot find a match, return -EINVAL to avoid
+NULL pointer dereference.
+
+Fixes: fa4191a609f2 ("leds: pca9532: Add device tree support")
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/leds/leds-pca9532.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c
+index 7fea18b0c15d..7cb4d685a1f1 100644
+--- a/drivers/leds/leds-pca9532.c
++++ b/drivers/leds/leds-pca9532.c
+@@ -513,6 +513,7 @@ static int pca9532_probe(struct i2c_client *client,
+ const struct i2c_device_id *id)
+ {
+ int devid;
++ const struct of_device_id *of_id;
+ struct pca9532_data *data = i2c_get_clientdata(client);
+ struct pca9532_platform_data *pca9532_pdata =
+ dev_get_platdata(&client->dev);
+@@ -528,8 +529,11 @@ static int pca9532_probe(struct i2c_client *client,
+ dev_err(&client->dev, "no platform data\n");
+ return -EINVAL;
+ }
+- devid = (int)(uintptr_t)of_match_device(
+- of_pca9532_leds_match, &client->dev)->data;
++ of_id = of_match_device(of_pca9532_leds_match,
++ &client->dev);
++ if (unlikely(!of_id))
++ return -EINVAL;
++ devid = (int)(uintptr_t) of_id->data;
+ } else {
+ devid = id->driver_data;
+ }
+--
+2.19.1
+
--- /dev/null
+From acc50433eff595657b4381c9d51780920725a666 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 28 Feb 2019 22:57:33 +0100
+Subject: leds: trigger: netdev: fix refcnt leak on interface rename
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 4cb6560514fa19d556954b88128f3846fee66a03 ]
+
+Renaming a netdev-trigger-tracked interface was resulting in an
+unbalanced dev_hold().
+
+Example:
+> iw phy phy0 interface add foo type __ap
+> echo netdev > trigger
+> echo foo > device_name
+> ip link set foo name bar
+> iw dev bar del
+[ 237.355366] unregister_netdevice: waiting for bar to become free. Usage count = 1
+[ 247.435362] unregister_netdevice: waiting for bar to become free. Usage count = 1
+[ 257.545366] unregister_netdevice: waiting for bar to become free. Usage count = 1
+
+Above problem was caused by trigger checking a dev->name which obviously
+changes after renaming an interface. It meant missing all further events
+including the NETDEV_UNREGISTER which is required for calling dev_put().
+
+This change fixes that by:
+1) Comparing device struct *address* for notification-filtering purposes
+2) Dropping unneeded NETDEV_CHANGENAME code (no behavior change)
+
+Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/leds/trigger/ledtrig-netdev.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c
+index 3dd3ed46d473..167a94c02d05 100644
+--- a/drivers/leds/trigger/ledtrig-netdev.c
++++ b/drivers/leds/trigger/ledtrig-netdev.c
+@@ -301,11 +301,11 @@ static int netdev_trig_notify(struct notifier_block *nb,
+ container_of(nb, struct led_netdev_data, notifier);
+
+ if (evt != NETDEV_UP && evt != NETDEV_DOWN && evt != NETDEV_CHANGE
+- && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER
+- && evt != NETDEV_CHANGENAME)
++ && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER)
+ return NOTIFY_DONE;
+
+- if (strcmp(dev->name, trigger_data->device_name))
++ if (!(dev == trigger_data->net_dev ||
++ (evt == NETDEV_REGISTER && !strcmp(dev->name, trigger_data->device_name))))
+ return NOTIFY_DONE;
+
+ cancel_delayed_work_sync(&trigger_data->work);
+@@ -320,12 +320,9 @@ static int netdev_trig_notify(struct notifier_block *nb,
+ dev_hold(dev);
+ trigger_data->net_dev = dev;
+ break;
+- case NETDEV_CHANGENAME:
+ case NETDEV_UNREGISTER:
+- if (trigger_data->net_dev) {
+- dev_put(trigger_data->net_dev);
+- trigger_data->net_dev = NULL;
+- }
++ dev_put(trigger_data->net_dev);
++ trigger_data->net_dev = NULL;
+ break;
+ case NETDEV_UP:
+ case NETDEV_CHANGE:
+--
+2.19.1
+
--- /dev/null
+From 0955f5f9c8271613be031d5611600aa975d43c5b Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Thu, 14 Mar 2019 15:06:14 +0100
+Subject: leds: trigger: netdev: use memcpy in device_name_store
+
+[ Upstream commit 909346433064b8d840dc82af26161926b8d37558 ]
+
+If userspace doesn't end the input with a newline (which can easily
+happen if the write happens from a C program that does write(fd,
+iface, strlen(iface))), we may end up including garbage from a
+previous, longer value in the device_name. For example
+
+# cat device_name
+
+# printf 'eth12' > device_name
+# cat device_name
+eth12
+# printf 'eth3' > device_name
+# cat device_name
+eth32
+
+I highly doubt anybody is relying on this behaviour, so switch to
+simply copying the bytes (we've already checked that size is <
+IFNAMSIZ) and unconditionally zero-terminate it; of course, we also
+still have to strip a trailing newline.
+
+This is also preparation for future patches.
+
+Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/leds/trigger/ledtrig-netdev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c
+index 167a94c02d05..136f86a1627d 100644
+--- a/drivers/leds/trigger/ledtrig-netdev.c
++++ b/drivers/leds/trigger/ledtrig-netdev.c
+@@ -122,7 +122,8 @@ static ssize_t device_name_store(struct device *dev,
+ trigger_data->net_dev = NULL;
+ }
+
+- strncpy(trigger_data->device_name, buf, size);
++ memcpy(trigger_data->device_name, buf, size);
++ trigger_data->device_name[size] = 0;
+ if (size > 0 && trigger_data->device_name[size - 1] == '\n')
+ trigger_data->device_name[size - 1] = 0;
+
+--
+2.19.1
+
--- /dev/null
+From 63c30310673a03bb5164b71a415a833ec232f845 Mon Sep 17 00:00:00 2001
+From: raymond pang <raymondpangxd@gmail.com>
+Date: Thu, 28 Mar 2019 12:19:25 +0000
+Subject: libata: fix using DMA buffers on stack
+
+[ Upstream commit dd08a8d9a66de4b54575c294a92630299f7e0fe7 ]
+
+When CONFIG_VMAP_STACK=y, __pa() returns incorrect physical address for
+a stack virtual address. Stack DMA buffers must be avoided.
+
+Signed-off-by: raymond pang <raymondpangxd@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/ata/libata-zpodd.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
+index b3ed8f9953a8..173e6f2dd9af 100644
+--- a/drivers/ata/libata-zpodd.c
++++ b/drivers/ata/libata-zpodd.c
+@@ -52,38 +52,52 @@ static int eject_tray(struct ata_device *dev)
+ /* Per the spec, only slot type and drawer type ODD can be supported */
+ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
+ {
+- char buf[16];
++ char *buf;
+ unsigned int ret;
+- struct rm_feature_desc *desc = (void *)(buf + 8);
++ struct rm_feature_desc *desc;
+ struct ata_taskfile tf;
+ static const char cdb[] = { GPCMD_GET_CONFIGURATION,
+ 2, /* only 1 feature descriptor requested */
+ 0, 3, /* 3, removable medium feature */
+ 0, 0, 0,/* reserved */
+- 0, sizeof(buf),
++ 0, 16,
+ 0, 0, 0,
+ };
+
++ buf = kzalloc(16, GFP_KERNEL);
++ if (!buf)
++ return ODD_MECH_TYPE_UNSUPPORTED;
++ desc = (void *)(buf + 8);
++
+ ata_tf_init(dev, &tf);
+ tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
+ tf.command = ATA_CMD_PACKET;
+ tf.protocol = ATAPI_PROT_PIO;
+- tf.lbam = sizeof(buf);
++ tf.lbam = 16;
+
+ ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE,
+- buf, sizeof(buf), 0);
+- if (ret)
++ buf, 16, 0);
++ if (ret) {
++ kfree(buf);
+ return ODD_MECH_TYPE_UNSUPPORTED;
++ }
+
+- if (be16_to_cpu(desc->feature_code) != 3)
++ if (be16_to_cpu(desc->feature_code) != 3) {
++ kfree(buf);
+ return ODD_MECH_TYPE_UNSUPPORTED;
++ }
+
+- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1)
++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) {
++ kfree(buf);
+ return ODD_MECH_TYPE_SLOT;
+- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1)
++ } else if (desc->mech_type == 1 && desc->load == 0 &&
++ desc->eject == 1) {
++ kfree(buf);
+ return ODD_MECH_TYPE_DRAWER;
+- else
++ } else {
++ kfree(buf);
+ return ODD_MECH_TYPE_UNSUPPORTED;
++ }
+ }
+
+ /* Test if ODD is zero power ready by sense code */
+--
+2.19.1
+
--- /dev/null
+From 91f07131a5d22c5deb5badc3a9f9f5d10ad42b0d Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 22 Mar 2019 11:04:09 +0800
+Subject: net: ethernet: ti: fix possible object reference leak
+
+[ Upstream commit 75eac7b5f68b0a0671e795ac636457ee27cc11d8 ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/net/ethernet/ti/netcp_ethss.c:3661:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function.
+./drivers/net/ethernet/ti/netcp_ethss.c:3665:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Wingman Kwok <w-kwok2@ti.com>
+Cc: Murali Karicheri <m-karicheri2@ti.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/netcp_ethss.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/netcp_ethss.c b/drivers/net/ethernet/ti/netcp_ethss.c
+index 72b98e27c992..d177dfd1df89 100644
+--- a/drivers/net/ethernet/ti/netcp_ethss.c
++++ b/drivers/net/ethernet/ti/netcp_ethss.c
+@@ -3655,12 +3655,16 @@ static int gbe_probe(struct netcp_device *netcp_device, struct device *dev,
+
+ ret = netcp_txpipe_init(&gbe_dev->tx_pipe, netcp_device,
+ gbe_dev->dma_chan_name, gbe_dev->tx_queue_id);
+- if (ret)
++ if (ret) {
++ of_node_put(interfaces);
+ return ret;
++ }
+
+ ret = netcp_txpipe_open(&gbe_dev->tx_pipe);
+- if (ret)
++ if (ret) {
++ of_node_put(interfaces);
+ return ret;
++ }
+
+ /* Create network interfaces */
+ INIT_LIST_HEAD(&gbe_dev->gbe_intf_head);
+--
+2.19.1
+
--- /dev/null
+From f978e0658ae40e6f96241697bbddb72a7665da0b Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 22 Mar 2019 11:04:08 +0800
+Subject: net: ibm: fix possible object reference leak
+
+[ Upstream commit be693df3cf9dd113ff1d2c0d8150199efdba37f6 ]
+
+The call to ehea_get_eth_dn returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/net/ethernet/ibm/ehea/ehea_main.c:3163:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3154, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Douglas Miller <dougmill@linux.ibm.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ehea/ehea_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+index 03f64f40b2a3..506f78322d74 100644
+--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+@@ -3161,6 +3161,7 @@ static ssize_t ehea_probe_port(struct device *dev,
+
+ if (ehea_add_adapter_mr(adapter)) {
+ pr_err("creating MR failed\n");
++ of_node_put(eth_dn);
+ return -EIO;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 5305dc39bbce770d502159112fa95e3cbd105ce9 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Mon, 11 Mar 2019 02:25:17 -0500
+Subject: net: ieee802154: fix a potential NULL pointer dereference
+
+[ Upstream commit 2795e8c251614ac0784c9d41008551109f665716 ]
+
+In case alloc_ordered_workqueue fails, the fix releases
+sources and returns -ENOMEM to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ieee802154/adf7242.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index cd1d8faccca5..cd6b95e673a5 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -1268,6 +1268,10 @@ static int adf7242_probe(struct spi_device *spi)
+ INIT_DELAYED_WORK(&lp->work, adf7242_rx_cal_work);
+ lp->wqueue = alloc_ordered_workqueue(dev_name(&spi->dev),
+ WQ_MEM_RECLAIM);
++ if (unlikely(!lp->wqueue)) {
++ ret = -ENOMEM;
++ goto err_hw_init;
++ }
+
+ ret = adf7242_hw_init(lp);
+ if (ret)
+--
+2.19.1
+
--- /dev/null
+From a48d9d11fa3a31c10a50375b7d8ebdbaad632e39 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Delay requesting IRQ until opened
+
+[ Upstream commit d268f31552794abf5b6aa5af31021643411f25f5 ]
+
+The ks8851 driver currently requests the IRQ before registering the
+net_device. Because the net_device name is used as IRQ name and is
+still "eth%d" when the IRQ is requested, it's impossibe to tell IRQs
+apart if multiple ks8851 chips are present. Most other drivers delay
+requesting the IRQ until the net_device is opened. Do the same.
+
+The driver doesn't enable interrupts on the chip before opening the
+net_device and disables them when closing it, so there doesn't seem to
+be a need to request the IRQ already on probe.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index 1633fa5c709c..c9faec4c5b25 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -785,6 +785,15 @@ static void ks8851_tx_work(struct work_struct *work)
+ static int ks8851_net_open(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
++ int ret;
++
++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
++ IRQF_TRIGGER_LOW | IRQF_ONESHOT,
++ dev->name, ks);
++ if (ret < 0) {
++ netdev_err(dev, "failed to get irq\n");
++ return ret;
++ }
+
+ /* lock the card, even if we may not actually be doing anything
+ * else at the moment */
+@@ -899,6 +908,8 @@ static int ks8851_net_stop(struct net_device *dev)
+ dev_kfree_skb(txb);
+ }
+
++ free_irq(dev->irq, ks);
++
+ return 0;
+ }
+
+@@ -1529,14 +1540,6 @@ static int ks8851_probe(struct spi_device *spi)
+ ks8851_read_selftest(ks);
+ ks8851_init_mac(ks);
+
+- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq,
+- IRQF_TRIGGER_LOW | IRQF_ONESHOT,
+- ndev->name, ks);
+- if (ret < 0) {
+- dev_err(&spi->dev, "failed to get irq\n");
+- goto err_irq;
+- }
+-
+ ret = register_netdev(ndev);
+ if (ret) {
+ dev_err(&spi->dev, "failed to register network device\n");
+@@ -1549,11 +1552,7 @@ static int ks8851_probe(struct spi_device *spi)
+
+ return 0;
+
+-
+ err_netdev:
+- free_irq(ndev->irq, ks);
+-
+-err_irq:
+ err_id:
+ if (gpio_is_valid(gpio))
+ gpio_set_value(gpio, 0);
+@@ -1574,7 +1573,6 @@ static int ks8851_remove(struct spi_device *spi)
+ dev_info(&spi->dev, "remove\n");
+
+ unregister_netdev(priv->netdev);
+- free_irq(spi->irq, priv);
+ if (gpio_is_valid(priv->gpio))
+ gpio_set_value(priv->gpio, 0);
+ regulator_disable(priv->vdd_reg);
+--
+2.19.1
+
--- /dev/null
+From 0de220c4829f5ff145d25a94b4fa1319f2636b54 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Dequeue RX packets explicitly
+
+[ Upstream commit 536d3680fd2dab5c39857d62a3e084198fc74ff9 ]
+
+The ks8851 driver lets the chip auto-dequeue received packets once they
+have been read in full. It achieves that by setting the ADRFE flag in
+the RXQCR register ("Auto-Dequeue RXQ Frame Enable").
+
+However if allocation of a packet's socket buffer or retrieval of the
+packet over the SPI bus fails, the packet will not have been read in
+full and is not auto-dequeued. Such partial retrieval of a packet
+confuses the chip's RX queue management: On the next RX interrupt,
+the first packet read from the queue will be the one left there
+previously and this one can be retrieved without issues. But for any
+newly received packets, the frame header status and byte count registers
+(RXFHSR and RXFHBCR) contain bogus values, preventing their retrieval.
+
+The chip allows explicitly dequeueing a packet from the RX queue by
+setting the RRXEF flag in the RXQCR register ("Release RX Error Frame").
+This could be used to dequeue the packet in case of an error, but if
+that error is a failed SPI transfer, it is unknown if the packet was
+transferred in full and was auto-dequeued or if it was only transferred
+in part and requires an explicit dequeue. The safest approach is thus
+to always dequeue packets explicitly and forgo auto-dequeueing.
+
+Without this change, I've witnessed packet retrieval break completely
+when an SPI DMA transfer fails, requiring a chip reset. Explicit
+dequeueing magically fixes this and makes packet retrieval absolutely
+robust for me.
+
+The chip's documentation suggests auto-dequeuing and uses the RRXEF
+flag only to dequeue error frames which the driver doesn't want to
+retrieve. But that seems to be a fair-weather approach.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index bd6e9014bc74..a93f8e842c07 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -535,9 +535,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
+ /* set dma read address */
+ ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00);
+
+- /* start the packet dma process, and set auto-dequeue rx */
+- ks8851_wrreg16(ks, KS_RXQCR,
+- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE);
++ /* start DMA access */
++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
+
+ if (rxlen > 4) {
+ unsigned int rxalign;
+@@ -568,7 +567,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
+ }
+ }
+
+- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
++ /* end DMA access and dequeue packet */
++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF);
+ }
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 5baef84fabe5176ce3b4d3201f0fb5e6a326fcab Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Reassert reset pin if chip ID check fails
+
+[ Upstream commit 761cfa979a0c177d6c2d93ef5585cd79ae49a7d5 ]
+
+Commit 73fdeb82e963 ("net: ks8851: Add optional vdd_io regulator and
+reset gpio") amended the ks8851 driver to briefly assert the chip's
+reset pin on probe. It also amended the probe routine's error path to
+reassert the reset pin if a subsequent initialization step fails.
+
+However the commit misplaced reassertion of the reset pin in the error
+path such that it is not performed if the check of the Chip ID and
+Enable Register (CIDER) fails. The error path is therefore slightly
+asymmetrical to the probe routine's body. Fix it.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Stephen Boyd <sboyd@codeaurora.org>
+Cc: Nishanth Menon <nm@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index a93f8e842c07..1633fa5c709c 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -1554,9 +1554,9 @@ static int ks8851_probe(struct spi_device *spi)
+ free_irq(ndev->irq, ks);
+
+ err_irq:
++err_id:
+ if (gpio_is_valid(gpio))
+ gpio_set_value(gpio, 0);
+-err_id:
+ regulator_disable(ks->vdd_reg);
+ err_reg:
+ regulator_disable(ks->vdd_io);
+--
+2.19.1
+
--- /dev/null
+From bd49baca736adcf6f89633833cca239afb1ce850 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Set initial carrier state to down
+
+[ Upstream commit 9624bafa5f6418b9ca5b3f66d1f6a6a2e8bf6d4c ]
+
+The ks8851 chip's initial carrier state is down. A Link Change Interrupt
+is signaled once interrupts are enabled if the carrier is up.
+
+The ks8851 driver has it backwards by assuming that the initial carrier
+state is up. The state is therefore misrepresented if the interface is
+opened with no cable attached. Fix it.
+
+The Link Change interrupt is sometimes not signaled unless the P1MBSR
+register (which contains the Link Status bit) is read on ->ndo_open().
+This might be a hardware erratum. Read the register by calling
+mii_check_link(), which has the desirable side effect of setting the
+carrier state to down if the cable was detached while the interface was
+closed.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index c9faec4c5b25..b83b070a9eec 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -858,6 +858,7 @@ static int ks8851_net_open(struct net_device *dev)
+ netif_dbg(ks, ifup, ks->netdev, "network device up\n");
+
+ mutex_unlock(&ks->lock);
++ mii_check_link(&ks->mii);
+ return 0;
+ }
+
+@@ -1519,6 +1520,7 @@ static int ks8851_probe(struct spi_device *spi)
+
+ spi_set_drvdata(spi, ks);
+
++ netif_carrier_off(ks->netdev);
+ ndev->if_port = IF_PORT_100BASET;
+ ndev->netdev_ops = &ks8851_netdev_ops;
+ ndev->irq = spi->irq;
+--
+2.19.1
+
--- /dev/null
+From 8a4d394890d0cf436c6ad3f4c563dfa65508cad2 Mon Sep 17 00:00:00 2001
+From: Harini Katakam <harini.katakam@xilinx.com>
+Date: Wed, 20 Mar 2019 19:12:22 +0530
+Subject: net: macb: Add null check for PCLK and HCLK
+
+[ Upstream commit cd5afa91f078c0787be0a62b5ef90301c00b0271 ]
+
+Both PCLK and HCLK are "required" clocks according to macb devicetree
+documentation. There is a chance that devm_clk_get doesn't return a
+negative error but just a NULL clock structure instead. In such a case
+the driver proceeds as usual and uses pclk value 0 to calculate MDC
+divisor which is incorrect. Hence fix the same in clock initialization.
+
+Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 8abea1c3844f..7d7b51383adf 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3323,14 +3323,20 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk,
+ *hclk = devm_clk_get(&pdev->dev, "hclk");
+ }
+
+- if (IS_ERR(*pclk)) {
++ if (IS_ERR_OR_NULL(*pclk)) {
+ err = PTR_ERR(*pclk);
++ if (!err)
++ err = -ENODEV;
++
+ dev_err(&pdev->dev, "failed to get macb_clk (%u)\n", err);
+ return err;
+ }
+
+- if (IS_ERR(*hclk)) {
++ if (IS_ERR_OR_NULL(*hclk)) {
+ err = PTR_ERR(*hclk);
++ if (!err)
++ err = -ENODEV;
++
+ dev_err(&pdev->dev, "failed to get hclk (%u)\n", err);
+ return err;
+ }
+--
+2.19.1
+
--- /dev/null
+From 8f5f7da8788f38577346f143214c729c6727f7a9 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 20 Mar 2019 15:00:15 +0100
+Subject: net/sched: don't dereference a->goto_chain to read the chain index
+
+[ Upstream commit fe384e2fa36ca084a456fd30558cccc75b4b3fbd ]
+
+callers of tcf_gact_goto_chain_index() can potentially read an old value
+of the chain index, or even dereference a NULL 'goto_chain' pointer,
+because 'goto_chain' and 'tcfa_action' are read in the traffic path
+without caring of concurrent write in the control path. The most recent
+value of chain index can be read also from a->tcfa_action (it's encoded
+there together with TC_ACT_GOTO_CHAIN bits), so we don't really need to
+dereference 'goto_chain': just read the chain id from the control action.
+
+Fixes: e457d86ada27 ("net: sched: add couple of goto_chain helpers")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ include/net/tc_act/tc_gact.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/tc_act/tc_gact.h b/include/net/tc_act/tc_gact.h
+index ef8dd0db70ce..56935bf027a7 100644
+--- a/include/net/tc_act/tc_gact.h
++++ b/include/net/tc_act/tc_gact.h
+@@ -56,7 +56,7 @@ static inline bool is_tcf_gact_goto_chain(const struct tc_action *a)
+
+ static inline u32 tcf_gact_goto_chain_index(const struct tc_action *a)
+ {
+- return a->goto_chain->index;
++ return READ_ONCE(a->tcfa_action) & TC_ACT_EXT_VAL_MASK;
+ }
+
+ #endif /* __NET_TC_GACT_H */
+--
+2.19.1
+
--- /dev/null
+From 4dd60308a7b3ff5e4f984b8a3abc4f81d1bdbedb Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Thu, 14 Mar 2019 21:43:19 +0200
+Subject: net: stmmac: don't set own bit too early for jumbo frames
+
+[ Upstream commit 80acbed9f8fca1db3fbe915540b756f048aa0fd7 ]
+
+Commit 0e80bdc9a72d ("stmmac: first frame prep at the end of xmit
+routine") overlooked jumbo frames when re-ordering the code, and as a
+result the own bit was not getting set anymore for the first jumbo frame
+descriptor. Commit 487e2e22ab79 ("net: stmmac: Set OWN bit for jumbo
+frames") tried to fix this, but now the bit is getting set too early and
+the DMA may start while we are still setting up the remaining descriptors.
+And with the chain mode the own bit remains still unset.
+
+Fix by setting the own bit at the end of xmit also with jumbo frames.
+
+Fixes: 0e80bdc9a72d ("stmmac: first frame prep at the end of xmit routine")
+Fixes: 487e2e22ab79 ("net: stmmac: Set OWN bit for jumbo frames")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Acked-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 62460a5b4ad9..39c105092214 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3195,14 +3195,16 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+ stmmac_prepare_tx_desc(priv, first, 1, nopaged_len,
+ csum_insertion, priv->mode, 1, last_segment,
+ skb->len);
+-
+- /* The own bit must be the latest setting done when prepare the
+- * descriptor and then barrier is needed to make sure that
+- * all is coherent before granting the DMA engine.
+- */
+- wmb();
++ } else {
++ stmmac_set_tx_owner(priv, first);
+ }
+
++ /* The own bit must be the latest setting done when prepare the
++ * descriptor and then barrier is needed to make sure that
++ * all is coherent before granting the DMA engine.
++ */
++ wmb();
++
+ netdev_tx_sent_queue(netdev_get_tx_queue(dev, queue), skb->len);
+
+ stmmac_enable_dma_transmission(priv, priv->ioaddr);
+--
+2.19.1
+
--- /dev/null
+From 2e992ca9f0cea80430bd5a993aaf5f4c61da4b4d Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 22 Mar 2019 11:04:07 +0800
+Subject: net: xilinx: fix possible object reference leak
+
+[ Upstream commit fa3a419d2f674b431d38748cb58fb7da17ee8949 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1624:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1569, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Anirudha Sarangi <anirudh@xilinx.com>
+Cc: John Linn <John.Linn@xilinx.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Michal Simek <michal.simek@xilinx.com>
+Cc: netdev@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index f24f48f33802..7cfd7ff38e86 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -1574,12 +1574,14 @@ static int axienet_probe(struct platform_device *pdev)
+ ret = of_address_to_resource(np, 0, &dmares);
+ if (ret) {
+ dev_err(&pdev->dev, "unable to get DMA resource\n");
++ of_node_put(np);
+ goto free_netdev;
+ }
+ lp->dma_regs = devm_ioremap_resource(&pdev->dev, &dmares);
+ if (IS_ERR(lp->dma_regs)) {
+ dev_err(&pdev->dev, "could not map DMA regs\n");
+ ret = PTR_ERR(lp->dma_regs);
++ of_node_put(np);
+ goto free_netdev;
+ }
+ lp->rx_irq = irq_of_parse_and_map(np, 1);
+--
+2.19.1
+
--- /dev/null
+From eb57ae4766453a6378c1171feeb05eb69552fe03 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 13 Mar 2019 16:33:29 +0800
+Subject: netfilter: bridge: set skb transport_header before entering
+ NF_INET_PRE_ROUTING
+
+[ Upstream commit e166e4fdaced850bee3d5ee12a5740258fb30587 ]
+
+Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"),
+skb->transport_header has been always set before entering INET
+netfilter. This patch is to set skb->transport_header for bridge
+before entering INET netfilter by bridge-nf-call-iptables.
+
+It also fixes an issue that sctp_error() couldn't compute a right
+csum due to unset skb->transport_header.
+
+Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
+Reported-by: Li Shuang <shuali@redhat.com>
+Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 1 +
+ net/bridge/br_netfilter_ipv6.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 3b0a03b92080..212c184c1eee 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -515,6 +515,7 @@ static unsigned int br_nf_pre_routing(void *priv,
+ nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
+
+ skb->protocol = htons(ETH_P_IP);
++ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
+
+ NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
+ skb->dev, NULL,
+diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
+index 5811208863b7..09d5e0c7b3ba 100644
+--- a/net/bridge/br_netfilter_ipv6.c
++++ b/net/bridge/br_netfilter_ipv6.c
+@@ -235,6 +235,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
+ nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
+
+ skb->protocol = htons(ETH_P_IPV6);
++ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
++
+ NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
+ skb->dev, NULL,
+ br_nf_pre_routing_finish_ipv6);
+--
+2.19.1
+
--- /dev/null
+From f9b9ab5e50a2924897287b4752ee48a2876b4fed Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 13 Mar 2019 22:15:59 +0100
+Subject: netfilter: fix NETFILTER_XT_TARGET_TEE dependencies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit d1fa381033eb718df5c602f64b6e88676138dfc6 ]
+
+With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
+error when referencing the NF_DUP_IPV6 module:
+
+net/netfilter/xt_TEE.o: In function `tee_tg6':
+xt_TEE.c:(.text+0x14): undefined reference to `nf_dup_ipv6'
+
+The problem here is the 'select NF_DUP_IPV6 if IP6_NF_IPTABLES'
+that forces NF_DUP_IPV6 to be =m as well rather than setting it
+to =y as was intended here. Adding a soft dependency on
+IP6_NF_IPTABLES avoids that broken configuration.
+
+Fixes: 5d400a4933e8 ("netfilter: Kconfig: Change select IPv6 dependencies")
+Cc: Máté Eckl <ecklm94@gmail.com>
+Cc: Taehee Yoo <ap420073@gmail.com>
+Link: https://patchwork.ozlabs.org/patch/999498/
+Link: https://lore.kernel.org/patchwork/patch/960062/
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ net/netfilter/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
+index f61c306de1d0..e0fb56d67d42 100644
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -1003,6 +1003,7 @@ config NETFILTER_XT_TARGET_TEE
+ depends on NETFILTER_ADVANCED
+ depends on IPV6 || IPV6=n
+ depends on !NF_CONNTRACK || NF_CONNTRACK
++ depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
+ select NF_DUP_IPV4
+ select NF_DUP_IPV6 if IP6_NF_IPTABLES
+ ---help---
+--
+2.19.1
+
--- /dev/null
+From 3b808844d0589abeeaffbf908576db4a05ab400e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 02:58:18 -0500
+Subject: netfilter: ip6t_srh: fix NULL pointer dereferences
+
+[ Upstream commit 6d65561f3d5ec933151939c543d006b79044e7a6 ]
+
+skb_header_pointer may return NULL. The current code dereference
+its return values without a NULL check.
+
+The fix inserts the checks to avoid NULL pointer dereferences.
+
+Fixes: 202a8ff545cc ("netfilter: add IPv6 segment routing header 'srh' match")
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_srh.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
+index 1059894a6f4c..4cb83fb69844 100644
+--- a/net/ipv6/netfilter/ip6t_srh.c
++++ b/net/ipv6/netfilter/ip6t_srh.c
+@@ -210,6 +210,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ psidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
+ ((srh->segments_left + 1) * sizeof(struct in6_addr));
+ psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid);
++ if (!psid)
++ return false;
+ if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID,
+ ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk,
+ &srhinfo->psid_addr)))
+@@ -223,6 +225,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
+ ((srh->segments_left - 1) * sizeof(struct in6_addr));
+ nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid);
++ if (!nsid)
++ return false;
+ if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID,
+ ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk,
+ &srhinfo->nsid_addr)))
+@@ -233,6 +237,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ if (srhinfo->mt_flags & IP6T_SRH_LSID) {
+ lsidoff = srhoff + sizeof(struct ipv6_sr_hdr);
+ lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid);
++ if (!lsid)
++ return false;
+ if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID,
+ ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk,
+ &srhinfo->lsid_addr)))
+--
+2.19.1
+
--- /dev/null
+From b3163a5690f1087cbcaedcff5b90c13a883c43d0 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 12 Mar 2019 12:10:59 +0100
+Subject: netfilter: nft_set_rbtree: check for inactive element after flag
+ mismatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 05b7639da55f5555b9866a1f4b7e8995232a6323 ]
+
+Otherwise, we hit bogus ENOENT when removing elements.
+
+Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
+Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ net/netfilter/nft_set_rbtree.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index 0e5ec126f6ad..b3e75f9cb686 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -302,10 +302,6 @@ static void *nft_rbtree_deactivate(const struct net *net,
+ else if (d > 0)
+ parent = parent->rb_right;
+ else {
+- if (!nft_set_elem_active(&rbe->ext, genmask)) {
+- parent = parent->rb_left;
+- continue;
+- }
+ if (nft_rbtree_interval_end(rbe) &&
+ !nft_rbtree_interval_end(this)) {
+ parent = parent->rb_left;
+@@ -314,6 +310,9 @@ static void *nft_rbtree_deactivate(const struct net *net,
+ nft_rbtree_interval_end(this)) {
+ parent = parent->rb_right;
+ continue;
++ } else if (!nft_set_elem_active(&rbe->ext, genmask)) {
++ parent = parent->rb_left;
++ continue;
+ }
+ nft_rbtree_flush(net, set, rbe);
+ return rbe;
+--
+2.19.1
+
--- /dev/null
+From 33da9be9b925a92faae41fcef29e12a1182b04af Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 21 Mar 2019 17:57:56 -0400
+Subject: NFS: Fix a typo in nfs_init_timeout_values()
+
+[ Upstream commit 5a698243930c441afccec04e4d5dc8febfd2b775 ]
+
+Specifying a retrans=0 mount parameter to a NFS/TCP mount, is
+inadvertently causing the NFS client to rewrite any specified
+timeout parameter to the default of 60 seconds.
+
+Fixes: a956beda19a6 ("NFS: Allow the mount option retrans=0")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ fs/nfs/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index 96d5f8135eb9..751ca65da8a3 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -459,7 +459,7 @@ void nfs_init_timeout_values(struct rpc_timeout *to, int proto,
+ case XPRT_TRANSPORT_RDMA:
+ if (retrans == NFS_UNSPEC_RETRANS)
+ to->to_retries = NFS_DEF_TCP_RETRANS;
+- if (timeo == NFS_UNSPEC_TIMEO || to->to_retries == 0)
++ if (timeo == NFS_UNSPEC_TIMEO || to->to_initval == 0)
+ to->to_initval = NFS_DEF_TCP_TIMEO * HZ / 10;
+ if (to->to_initval > NFS_MAX_TCP_TIMEOUT)
+ to->to_initval = NFS_MAX_TCP_TIMEOUT;
+--
+2.19.1
+
--- /dev/null
+From 6b6dde7f4b3cf7ff30a0dd684a37dd3acf64fa28 Mon Sep 17 00:00:00 2001
+From: Martin George <marting@netapp.com>
+Date: Wed, 27 Mar 2019 09:52:56 +0100
+Subject: nvme-multipath: relax ANA state check
+
+[ Upstream commit cc2278c413c3a06a93c23ee8722e4dd3d621de12 ]
+
+When undergoing state transitions I/O might be requeued, hence
+we should always call nvme_mpath_set_live() to schedule requeue_work
+whenever the nvme device is live, independent on whether the
+old state was live or not.
+
+Signed-off-by: Martin George <marting@netapp.com>
+Signed-off-by: Gargi Srinivas <sring@netapp.com>
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index da8f5ad30c71..260248fbb8fe 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -349,15 +349,12 @@ static inline bool nvme_state_is_live(enum nvme_ana_state state)
+ static void nvme_update_ns_ana_state(struct nvme_ana_group_desc *desc,
+ struct nvme_ns *ns)
+ {
+- enum nvme_ana_state old;
+-
+ mutex_lock(&ns->head->lock);
+- old = ns->ana_state;
+ ns->ana_grpid = le32_to_cpu(desc->grpid);
+ ns->ana_state = desc->state;
+ clear_bit(NVME_NS_ANA_PENDING, &ns->flags);
+
+- if (nvme_state_is_live(ns->ana_state) && !nvme_state_is_live(old))
++ if (nvme_state_is_live(ns->ana_state))
+ nvme_mpath_set_live(ns);
+ mutex_unlock(&ns->head->lock);
+ }
+--
+2.19.1
+
--- /dev/null
+From 9ddf5b2dcd1d7de1ecb40d719b669ac486c1b957 Mon Sep 17 00:00:00 2001
+From: Wei Li <liwei391@huawei.com>
+Date: Thu, 28 Feb 2019 17:20:03 +0800
+Subject: perf machine: Update kernel map address and re-order properly
+
+[ Upstream commit 977c7a6d1e263ff1d755f28595b99e4bc0c48a9f ]
+
+Since commit 1fb87b8e9599 ("perf machine: Don't search for active kernel
+start in __machine__create_kernel_maps"), the __machine__create_kernel_maps()
+just create a map what start and end are both zero. Though the address will be
+updated later, the order of map in the rbtree may be incorrect.
+
+The commit ee05d21791db ("perf machine: Set main kernel end address properly")
+fixed the logic in machine__create_kernel_maps(), but it's still wrong in
+function machine__process_kernel_mmap_event().
+
+To reproduce this issue, we need an environment which the module address
+is before the kernel text segment. I tested it on an aarch64 machine with
+kernel 4.19.25:
+
+ [root@localhost hulk]# grep _stext /proc/kallsyms
+ ffff000008081000 T _stext
+ [root@localhost hulk]# grep _etext /proc/kallsyms
+ ffff000009780000 R _etext
+ [root@localhost hulk]# tail /proc/modules
+ hisi_sas_v2_hw 77824 0 - Live 0xffff00000191d000
+ nvme_core 126976 7 nvme, Live 0xffff0000018b6000
+ mdio 20480 1 ixgbe, Live 0xffff0000018ab000
+ hisi_sas_main 106496 1 hisi_sas_v2_hw, Live 0xffff000001861000
+ hns_mdio 20480 2 - Live 0xffff000001822000
+ hnae 28672 3 hns_dsaf,hns_enet_drv, Live 0xffff000001815000
+ dm_mirror 40960 0 - Live 0xffff000001804000
+ dm_region_hash 32768 1 dm_mirror, Live 0xffff0000017f5000
+ dm_log 32768 2 dm_mirror,dm_region_hash, Live 0xffff0000017e7000
+ dm_mod 315392 17 dm_mirror,dm_log, Live 0xffff000001780000
+ [root@localhost hulk]#
+
+Before fix:
+
+ [root@localhost bin]# perf record sleep 3
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.011 MB perf.data (9 samples) ]
+ [root@localhost bin]# perf buildid-list -i perf.data
+ 4c4e46c971ca935f781e603a09b52a92e8bdfee8 [vdso]
+ [root@localhost bin]# perf buildid-list -i perf.data -H
+ 0000000000000000000000000000000000000000 /proc/kcore
+ [root@localhost bin]#
+
+After fix:
+
+ [root@localhost tools]# ./perf/perf record sleep 3
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.011 MB perf.data (9 samples) ]
+ [root@localhost tools]# ./perf/perf buildid-list -i perf.data
+ 28a6c690262896dbd1b5e1011ed81623e6db0610 [kernel.kallsyms]
+ 106c14ce6e4acea3453e484dc604d66666f08a2f [vdso]
+ [root@localhost tools]# ./perf/perf buildid-list -i perf.data -H
+ 28a6c690262896dbd1b5e1011ed81623e6db0610 /proc/kcore
+
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Kim Phillips <kim.phillips@arm.com>
+Cc: Li Bin <huawei.libin@huawei.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20190228092003.34071-1-liwei391@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index b1508ce3e412..076718a7b3ea 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -1358,6 +1358,20 @@ static void machine__set_kernel_mmap(struct machine *machine,
+ machine->vmlinux_map->end = ~0ULL;
+ }
+
++static void machine__update_kernel_mmap(struct machine *machine,
++ u64 start, u64 end)
++{
++ struct map *map = machine__kernel_map(machine);
++
++ map__get(map);
++ map_groups__remove(&machine->kmaps, map);
++
++ machine__set_kernel_mmap(machine, start, end);
++
++ map_groups__insert(&machine->kmaps, map);
++ map__put(map);
++}
++
+ int machine__create_kernel_maps(struct machine *machine)
+ {
+ struct dso *kernel = machine__get_kernel(machine);
+@@ -1390,17 +1404,11 @@ int machine__create_kernel_maps(struct machine *machine)
+ goto out_put;
+ }
+
+- /* we have a real start address now, so re-order the kmaps */
+- map = machine__kernel_map(machine);
+-
+- map__get(map);
+- map_groups__remove(&machine->kmaps, map);
+-
+- /* assume it's the last in the kmaps */
+- machine__set_kernel_mmap(machine, addr, ~0ULL);
+-
+- map_groups__insert(&machine->kmaps, map);
+- map__put(map);
++ /*
++ * we have a real start address now, so re-order the kmaps
++ * assume it's the last in the kmaps
++ */
++ machine__update_kernel_mmap(machine, addr, ~0ULL);
+ }
+
+ if (machine__create_extra_kernel_maps(machine, kernel))
+@@ -1536,7 +1544,7 @@ static int machine__process_kernel_mmap_event(struct machine *machine,
+ if (strstr(kernel->long_name, "vmlinux"))
+ dso__set_short_name(kernel, "[kernel.vmlinux]", false);
+
+- machine__set_kernel_mmap(machine, event->mmap.start,
++ machine__update_kernel_mmap(machine, event->mmap.start,
+ event->mmap.start + event->mmap.len);
+
+ /*
+--
+2.19.1
+
--- /dev/null
+From c90699b222c0733874e43b08676fa3956418317a Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@gmail.com>
+Date: Thu, 28 Mar 2019 20:44:13 -0700
+Subject: ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK
+
+[ Upstream commit fcfc2aa0185f4a731d05a21e9f359968fdfd02e7 ]
+
+There are a few system calls (pselect, ppoll, etc) which replace a task
+sigmask while they are running in a kernel-space
+
+When a task calls one of these syscalls, the kernel saves a current
+sigmask in task->saved_sigmask and sets a syscall sigmask.
+
+On syscall-exit-stop, ptrace traps a task before restoring the
+saved_sigmask, so PTRACE_GETSIGMASK returns the syscall sigmask and
+PTRACE_SETSIGMASK does nothing, because its sigmask is replaced by
+saved_sigmask, when the task returns to user-space.
+
+This patch fixes this problem. PTRACE_GETSIGMASK returns saved_sigmask
+if it's set. PTRACE_SETSIGMASK drops the TIF_RESTORE_SIGMASK flag.
+
+Link: http://lkml.kernel.org/r/20181120060616.6043-1-avagin@gmail.com
+Fixes: 29000caecbe8 ("ptrace: add ability to get/set signal-blocked mask")
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ include/linux/sched/signal.h | 18 ++++++++++++++++++
+ kernel/ptrace.c | 15 +++++++++++++--
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
+index 1be35729c2c5..660d78c9af6c 100644
+--- a/include/linux/sched/signal.h
++++ b/include/linux/sched/signal.h
+@@ -417,10 +417,20 @@ static inline void set_restore_sigmask(void)
+ set_thread_flag(TIF_RESTORE_SIGMASK);
+ WARN_ON(!test_thread_flag(TIF_SIGPENDING));
+ }
++
++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk)
++{
++ clear_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK);
++}
++
+ static inline void clear_restore_sigmask(void)
+ {
+ clear_thread_flag(TIF_RESTORE_SIGMASK);
+ }
++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk)
++{
++ return test_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK);
++}
+ static inline bool test_restore_sigmask(void)
+ {
+ return test_thread_flag(TIF_RESTORE_SIGMASK);
+@@ -438,6 +448,10 @@ static inline void set_restore_sigmask(void)
+ current->restore_sigmask = true;
+ WARN_ON(!test_thread_flag(TIF_SIGPENDING));
+ }
++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk)
++{
++ tsk->restore_sigmask = false;
++}
+ static inline void clear_restore_sigmask(void)
+ {
+ current->restore_sigmask = false;
+@@ -446,6 +460,10 @@ static inline bool test_restore_sigmask(void)
+ {
+ return current->restore_sigmask;
+ }
++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk)
++{
++ return tsk->restore_sigmask;
++}
+ static inline bool test_and_clear_restore_sigmask(void)
+ {
+ if (!current->restore_sigmask)
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 21fec73d45d4..fc0d667f5792 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -29,6 +29,7 @@
+ #include <linux/hw_breakpoint.h>
+ #include <linux/cn_proc.h>
+ #include <linux/compat.h>
++#include <linux/sched/signal.h>
+
+ /*
+ * Access another process' address space via ptrace.
+@@ -925,18 +926,26 @@ int ptrace_request(struct task_struct *child, long request,
+ ret = ptrace_setsiginfo(child, &siginfo);
+ break;
+
+- case PTRACE_GETSIGMASK:
++ case PTRACE_GETSIGMASK: {
++ sigset_t *mask;
++
+ if (addr != sizeof(sigset_t)) {
+ ret = -EINVAL;
+ break;
+ }
+
+- if (copy_to_user(datavp, &child->blocked, sizeof(sigset_t)))
++ if (test_tsk_restore_sigmask(child))
++ mask = &child->saved_sigmask;
++ else
++ mask = &child->blocked;
++
++ if (copy_to_user(datavp, mask, sizeof(sigset_t)))
+ ret = -EFAULT;
+ else
+ ret = 0;
+
+ break;
++ }
+
+ case PTRACE_SETSIGMASK: {
+ sigset_t new_set;
+@@ -962,6 +971,8 @@ int ptrace_request(struct task_struct *child, long request,
+ child->blocked = new_set;
+ spin_unlock_irq(&child->sighand->siglock);
+
++ clear_tsk_restore_sigmask(child);
++
+ ret = 0;
+ break;
+ }
+--
+2.19.1
+
--- /dev/null
+From 5824d789d86c5a856268c8d5f7657e525ee8bfcc Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Thu, 14 Mar 2019 15:31:40 -0500
+Subject: qlcnic: Avoid potential NULL pointer dereference
+
+[ Upstream commit 5bf7295fe34a5251b1d241b9736af4697b590670 ]
+
+netdev_alloc_skb can fail and return a NULL pointer which is
+dereferenced without a check. The patch avoids such a scenario.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+index 3b0adda7cc9c..a4cd6f2cfb86 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+@@ -1048,6 +1048,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode)
+
+ for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) {
+ skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE);
++ if (!skb)
++ break;
+ qlcnic_create_loopback_buff(skb->data, adapter->mac_addr);
+ skb_put(skb, QLCNIC_ILB_PKT_SIZE);
+ adapter->ahw->diag_cnt = 0;
+--
+2.19.1
+
--- /dev/null
+From a2d9ed34ca209ff7e92c87193994267e5ef91086 Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Mon, 4 Mar 2019 12:33:28 +0100
+Subject: s390: limit brk randomization to 32MB
+
+[ Upstream commit cd479eccd2e057116d504852814402a1e68ead80 ]
+
+For a 64-bit process the randomization of the program break is quite
+large with 1GB. That is as big as the randomization of the anonymous
+mapping base, for a test case started with '/lib/ld64.so.1 <exec>'
+it can happen that the heap is placed after the stack. To avoid
+this limit the program break randomization to 32MB for 64-bit and
+keep 8MB for 31-bit.
+
+Reported-by: Stefan Liebler <stli@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/s390/include/asm/elf.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
+index 7d22a474a040..f74639a05f0f 100644
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -252,11 +252,14 @@ do { \
+
+ /*
+ * Cache aliasing on the latest machines calls for a mapping granularity
+- * of 512KB. For 64-bit processes use a 512KB alignment and a randomization
+- * of up to 1GB. For 31-bit processes the virtual address space is limited,
+- * use no alignment and limit the randomization to 8MB.
++ * of 512KB for the anonymous mapping base. For 64-bit processes use a
++ * 512KB alignment and a randomization of up to 1GB. For 31-bit processes
++ * the virtual address space is limited, use no alignment and limit the
++ * randomization to 8MB.
++ * For the additional randomization of the program break use 32MB for
++ * 64-bit and 8MB for 31-bit.
+ */
+-#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ffffUL)
++#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x1fffUL)
+ #define MMAP_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ff80UL)
+ #define MMAP_ALIGN_MASK (is_compat_task() ? 0 : 0x7fUL)
+ #define STACK_RND_MASK MMAP_RND_MASK
+--
+2.19.1
+
--- /dev/null
+From 42b73bfaa9d0c8c65da5848c32d707c8915375f9 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 18 Mar 2019 16:40:55 +0100
+Subject: s390/qeth: fix race when initializing the IP address table
+
+[ Upstream commit 7221b727f0079a32aca91f657141e1de564d4b97 ]
+
+The ucast IP table is utilized by some of the L3-specific sysfs attributes
+that qeth_l3_create_device_attributes() provides. So initialize the table
+_before_ registering the attributes.
+
+Fixes: ebccc7397e4a ("s390/qeth: add missing hash table initializations")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_l3_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
+index 7f71ca0d08e7..9c5e801b3f6c 100644
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -2586,12 +2586,14 @@ static int qeth_l3_probe_device(struct ccwgroup_device *gdev)
+ struct qeth_card *card = dev_get_drvdata(&gdev->dev);
+ int rc;
+
++ hash_init(card->ip_htable);
++
+ if (gdev->dev.type == &qeth_generic_devtype) {
+ rc = qeth_l3_create_device_attributes(&gdev->dev);
+ if (rc)
+ return rc;
+ }
+- hash_init(card->ip_htable);
++
+ hash_init(card->ip_mc_htable);
+ card->options.layer2 = 0;
+ card->info.hwtrap = 0;
+--
+2.19.1
+
--- /dev/null
+From 6d608d2bcf28b604b01f7be3d5e413df5de3f6b8 Mon Sep 17 00:00:00 2001
+From: Mao Wenan <maowenan@huawei.com>
+Date: Fri, 8 Mar 2019 22:08:31 +0800
+Subject: sc16is7xx: missing unregister/delete driver on error in
+ sc16is7xx_init()
+
+[ Upstream commit ac0cdb3d990108df795b676cd0d0e65ac34b2273 ]
+
+Add the missing uart_unregister_driver() and i2c_del_driver() before return
+from sc16is7xx_init() in the error handling case.
+
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index 47b41159a8bc..55b178c1bd65 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -1481,7 +1481,7 @@ static int __init sc16is7xx_init(void)
+ ret = i2c_add_driver(&sc16is7xx_i2c_uart_driver);
+ if (ret < 0) {
+ pr_err("failed to init sc16is7xx i2c --> %d\n", ret);
+- return ret;
++ goto err_i2c;
+ }
+ #endif
+
+@@ -1489,10 +1489,18 @@ static int __init sc16is7xx_init(void)
+ ret = spi_register_driver(&sc16is7xx_spi_uart_driver);
+ if (ret < 0) {
+ pr_err("failed to init sc16is7xx spi --> %d\n", ret);
+- return ret;
++ goto err_spi;
+ }
+ #endif
+ return ret;
++
++err_spi:
++#ifdef CONFIG_SERIAL_SC16IS7XX_I2C
++ i2c_del_driver(&sc16is7xx_i2c_uart_driver);
++#endif
++err_i2c:
++ uart_unregister_driver(&sc16is7xx_uart);
++ return ret;
+ }
+ module_init(sc16is7xx_init);
+
+--
+2.19.1
+
--- /dev/null
+From 970cdd963c3d7eb86f5bb9fa5a0bf0dade3b0abd Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Fri, 22 Mar 2019 12:16:03 -0600
+Subject: scsi: aacraid: Insure we don't access PCIe space during AER/EEH
+
+[ Upstream commit b6554cfe09e1f610aed7d57164ab7760be57acd9 ]
+
+There are a few windows during AER/EEH when we can access PCIe I/O mapped
+registers. This will harden the access to insure we do not allow PCIe
+access during errors
+
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Sagar Biradar <sagar.biradar@microchip.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/aacraid.h | 7 ++++++-
+ drivers/scsi/aacraid/commsup.c | 4 ++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
+index 39eb415987fc..074760f21014 100644
+--- a/drivers/scsi/aacraid/aacraid.h
++++ b/drivers/scsi/aacraid/aacraid.h
+@@ -2639,9 +2639,14 @@ static inline unsigned int cap_to_cyls(sector_t capacity, unsigned divisor)
+ return capacity;
+ }
+
++static inline int aac_pci_offline(struct aac_dev *dev)
++{
++ return pci_channel_offline(dev->pdev) || dev->handle_pci_error;
++}
++
+ static inline int aac_adapter_check_health(struct aac_dev *dev)
+ {
+- if (unlikely(pci_channel_offline(dev->pdev)))
++ if (unlikely(aac_pci_offline(dev)))
+ return -1;
+
+ return (dev)->a_ops.adapter_check_health(dev);
+diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
+index 3236240a4edd..b7588de4484e 100644
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -673,7 +673,7 @@ int aac_fib_send(u16 command, struct fib *fibptr, unsigned long size,
+ return -ETIMEDOUT;
+ }
+
+- if (unlikely(pci_channel_offline(dev->pdev)))
++ if (unlikely(aac_pci_offline(dev)))
+ return -EFAULT;
+
+ if ((blink = aac_adapter_check_health(dev)) > 0) {
+@@ -773,7 +773,7 @@ int aac_hba_send(u8 command, struct fib *fibptr, fib_callback callback,
+
+ spin_unlock_irqrestore(&fibptr->event_lock, flags);
+
+- if (unlikely(pci_channel_offline(dev->pdev)))
++ if (unlikely(aac_pci_offline(dev)))
+ return -EFAULT;
+
+ fibptr->flags |= FIB_CONTEXT_FLAG_WAIT;
+--
+2.19.1
+
--- /dev/null
+From 4890b30697320c521581fcbe088eb2a8b6ee0e26 Mon Sep 17 00:00:00 2001
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Mon, 4 Mar 2019 07:26:35 -0500
+Subject: scsi: mpt3sas: Fix kernel panic during expander reset
+
+[ Upstream commit c2fe742ff6e77c5b4fe4ad273191ddf28fdea25e ]
+
+During expander reset handling, the driver invokes kernel function
+scsi_host_find_tag() to obtain outstanding requests associated with the
+scsi host managed by the driver. Driver loops from tag value zero to hba
+queue depth to obtain the outstanding scmds. But when blk-mq is enabled,
+the block layer may return stale entry for one or more requests. This may
+lead to kernel panic if the returned value is inaccessible or the memory
+pointed by the returned value is reused.
+
+Reference of upstream discussion:
+
+ https://patchwork.kernel.org/patch/10734933/
+
+Instead of calling scsi_host_find_tag() API for each and every smid (smid
+is tag +1) from one to shost->can_queue, now driver will call this API (to
+obtain the outstanding scmd) only for those smid's which are outstanding at
+the driver level.
+
+Driver will determine whether this smid is outstanding at driver level by
+looking into it's corresponding MPI request frame, if its MPI request frame
+is empty, then it means that this smid is free and does not need to call
+scsi_host_find_tag() for it. By doing this, driver will invoke
+scsi_host_find_tag() for only those tags which are outstanding at the
+driver level.
+
+Driver will check whether particular MPI request frame is empty or not by
+looking into the "DevHandle" field. If this field is zero then it means
+that this MPI request is empty. For active MPI request DevHandle must be
+non-zero.
+
+Also driver will memset the MPI request frame once the corresponding scmd
+is processed (i.e. just before calling
+scmd->done function).
+
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 6 ++++++
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 12 ++++++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
+index b59bba3e6516..8776330175e3 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -3280,12 +3280,18 @@ mpt3sas_base_free_smid(struct MPT3SAS_ADAPTER *ioc, u16 smid)
+
+ if (smid < ioc->hi_priority_smid) {
+ struct scsiio_tracker *st;
++ void *request;
+
+ st = _get_st_from_smid(ioc, smid);
+ if (!st) {
+ _base_recovery_check(ioc);
+ return;
+ }
++
++ /* Clear MPI request frame */
++ request = mpt3sas_base_get_msg_frame(ioc, smid);
++ memset(request, 0, ioc->request_sz);
++
+ mpt3sas_base_clear_st(ioc, st);
+ _base_recovery_check(ioc);
+ return;
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 622832e55211..73d661a0ecbb 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -1474,11 +1474,23 @@ mpt3sas_scsih_scsi_lookup_get(struct MPT3SAS_ADAPTER *ioc, u16 smid)
+ {
+ struct scsi_cmnd *scmd = NULL;
+ struct scsiio_tracker *st;
++ Mpi25SCSIIORequest_t *mpi_request;
+
+ if (smid > 0 &&
+ smid <= ioc->scsiio_depth - INTERNAL_SCSIIO_CMDS_COUNT) {
+ u32 unique_tag = smid - 1;
+
++ mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
++
++ /*
++ * If SCSI IO request is outstanding at driver level then
++ * DevHandle filed must be non-zero. If DevHandle is zero
++ * then it means that this smid is free at driver level,
++ * so return NULL.
++ */
++ if (!mpi_request->DevHandle)
++ return scmd;
++
+ scmd = scsi_host_find_tag(ioc->shost, unique_tag);
+ if (scmd) {
+ st = scsi_cmd_priv(scmd);
+--
+2.19.1
+
--- /dev/null
+From 71f31272d2cebfdbbb23af9b31542c766735fada Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 01:30:59 -0500
+Subject: scsi: qla4xxx: fix a potential NULL pointer dereference
+
+[ Upstream commit fba1bdd2a9a93f3e2181ec1936a3c2f6b37e7ed6 ]
+
+In case iscsi_lookup_endpoint fails, the fix returns -EINVAL to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 575445c761b4..5dd3e4e01b10 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -3204,6 +3204,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session,
+ if (iscsi_conn_bind(cls_session, cls_conn, is_leading))
+ return -EINVAL;
+ ep = iscsi_lookup_endpoint(transport_fd);
++ if (!ep)
++ return -EINVAL;
+ conn = cls_conn->dd_data;
+ qla_conn = conn->dd_data;
+ qla_conn->qla_ep = ep->dd_data;
+--
+2.19.1
+
--- /dev/null
+From 816e3bf1a84c16119aa417bc4824c38a3f49b803 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Tue, 26 Mar 2019 14:37:00 +0100
+Subject: scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element
+ RSCN
+
+[ Upstream commit c8206579175c34a2546de8a74262456278a7795a ]
+
+If an incoming ELS of type RSCN contains more than one element, zfcp
+suboptimally causes repeated erp trigger NOP trace records for each
+previously failed port. These could be ports that went away. It loops over
+each RSCN element, and for each of those in an inner loop over all
+zfcp_ports.
+
+The trigger to recover failed ports should be just the reception of some
+RSCN, no matter how many elements it has. So we can loop over failed ports
+separately, and only then loop over each RSCN element to handle the
+non-failed ports.
+
+The call chain was:
+
+ zfcp_fc_incoming_rscn
+ for (i = 1; i < no_entries; i++)
+ _zfcp_fc_incoming_rscn
+ list_for_each_entry(port, &adapter->port_list, list)
+ if (masked port->d_id match) zfcp_fc_test_link
+ if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <===
+
+In order the reduce the "flooding" of the REC trace area in such cases, we
+factor out handling the failed ports to be outside of the entries loop:
+
+ zfcp_fc_incoming_rscn
+ if (no_entries > 1) <===
+ list_for_each_entry(port, &adapter->port_list, list) <===
+ if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <===
+ for (i = 1; i < no_entries; i++)
+ _zfcp_fc_incoming_rscn
+ list_for_each_entry(port, &adapter->port_list, list)
+ if (masked port->d_id match) zfcp_fc_test_link
+
+Abbreviated example trace records before this code change:
+
+Tag : fcrscn1
+WWPN : 0x500507630310d327
+ERP want : 0x02
+ERP need : 0x02
+
+Tag : fcrscn1
+WWPN : 0x500507630310d327
+ERP want : 0x02
+ERP need : 0x00 NOP => superfluous trace record
+
+The last trace entry repeats if there are more than 2 RSCN elements.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/s390/scsi/zfcp_fc.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c
+index f6c415d6ef48..5eb7aabe2d8b 100644
+--- a/drivers/s390/scsi/zfcp_fc.c
++++ b/drivers/s390/scsi/zfcp_fc.c
+@@ -239,10 +239,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
+ list_for_each_entry(port, &adapter->port_list, list) {
+ if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range))
+ zfcp_fc_test_link(port);
+- if (!port->d_id)
+- zfcp_erp_port_reopen(port,
+- ZFCP_STATUS_COMMON_ERP_FAILED,
+- "fcrscn1");
+ }
+ read_unlock_irqrestore(&adapter->port_list_lock, flags);
+ }
+@@ -250,6 +246,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
+ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
+ {
+ struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data;
++ struct zfcp_adapter *adapter = fsf_req->adapter;
+ struct fc_els_rscn *head;
+ struct fc_els_rscn_page *page;
+ u16 i;
+@@ -263,6 +260,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
+ no_entries = be16_to_cpu(head->rscn_plen) /
+ sizeof(struct fc_els_rscn_page);
+
++ if (no_entries > 1) {
++ /* handle failed ports */
++ unsigned long flags;
++ struct zfcp_port *port;
++
++ read_lock_irqsave(&adapter->port_list_lock, flags);
++ list_for_each_entry(port, &adapter->port_list, list) {
++ if (port->d_id)
++ continue;
++ zfcp_erp_port_reopen(port,
++ ZFCP_STATUS_COMMON_ERP_FAILED,
++ "fcrscn1");
++ }
++ read_unlock_irqrestore(&adapter->port_list_lock, flags);
++ }
++
+ for (i = 1; i < no_entries; i++) {
+ /* skip head and start with 1st element */
+ page++;
+--
+2.19.1
+
--- /dev/null
+From c48bdb876ec2968bfdfa24516b2270f63d3d0cdd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 6 Mar 2019 17:54:03 +0100
+Subject: serial: ar933x_uart: Fix build failure with disabled console
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 72ff51d8dd262d1fef25baedc2ac35116435be47 ]
+
+Andrey has reported on OpenWrt's bug tracking system[1], that he
+currently can't use ar93xx_uart as pure serial UART without console
+(CONFIG_SERIAL_8250_CONSOLE and CONFIG_SERIAL_AR933X_CONSOLE undefined),
+because compilation ends with following error:
+
+ ar933x_uart.c: In function 'ar933x_uart_console_write':
+ ar933x_uart.c:550:14: error: 'struct uart_port' has no
+ member named 'sysrq'
+
+So this patch moves all the code related to console handling behind
+series of CONFIG_SERIAL_AR933X_CONSOLE ifdefs.
+
+1. https://bugs.openwrt.org/index.php?do=details&task_id=2152
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Andrey Batyiev <batyiev@gmail.com>
+Reported-by: Andrey Batyiev <batyiev@gmail.com>
+Tested-by: Andrey Batyiev <batyiev@gmail.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/tty/serial/ar933x_uart.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/tty/serial/ar933x_uart.c b/drivers/tty/serial/ar933x_uart.c
+index db5df3d54818..3bdd56a1021b 100644
+--- a/drivers/tty/serial/ar933x_uart.c
++++ b/drivers/tty/serial/ar933x_uart.c
+@@ -49,11 +49,6 @@ struct ar933x_uart_port {
+ struct clk *clk;
+ };
+
+-static inline bool ar933x_uart_console_enabled(void)
+-{
+- return IS_ENABLED(CONFIG_SERIAL_AR933X_CONSOLE);
+-}
+-
+ static inline unsigned int ar933x_uart_read(struct ar933x_uart_port *up,
+ int offset)
+ {
+@@ -508,6 +503,7 @@ static const struct uart_ops ar933x_uart_ops = {
+ .verify_port = ar933x_uart_verify_port,
+ };
+
++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
+ static struct ar933x_uart_port *
+ ar933x_console_ports[CONFIG_SERIAL_AR933X_NR_UARTS];
+
+@@ -604,14 +600,7 @@ static struct console ar933x_uart_console = {
+ .index = -1,
+ .data = &ar933x_uart_driver,
+ };
+-
+-static void ar933x_uart_add_console_port(struct ar933x_uart_port *up)
+-{
+- if (!ar933x_uart_console_enabled())
+- return;
+-
+- ar933x_console_ports[up->port.line] = up;
+-}
++#endif /* CONFIG_SERIAL_AR933X_CONSOLE */
+
+ static struct uart_driver ar933x_uart_driver = {
+ .owner = THIS_MODULE,
+@@ -700,7 +689,9 @@ static int ar933x_uart_probe(struct platform_device *pdev)
+ baud = ar933x_uart_get_baud(port->uartclk, 0, AR933X_UART_MAX_STEP);
+ up->max_baud = min_t(unsigned int, baud, AR933X_UART_MAX_BAUD);
+
+- ar933x_uart_add_console_port(up);
++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
++ ar933x_console_ports[up->port.line] = up;
++#endif
+
+ ret = uart_add_one_port(&ar933x_uart_driver, &up->port);
+ if (ret)
+@@ -749,8 +740,9 @@ static int __init ar933x_uart_init(void)
+ {
+ int ret;
+
+- if (ar933x_uart_console_enabled())
+- ar933x_uart_driver.cons = &ar933x_uart_console;
++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
++ ar933x_uart_driver.cons = &ar933x_uart_console;
++#endif
+
+ ret = uart_register_driver(&ar933x_uart_driver);
+ if (ret)
+--
+2.19.1
+
mm-add-try_get_page-helper-function.patch
mm-prevent-get_user_pages-from-overflowing-page-refcount.patch
fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch
+arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch
+s390-limit-brk-randomization-to-32mb.patch
+net-ieee802154-fix-a-potential-null-pointer-derefere.patch
+ieee802154-hwsim-propagate-genlmsg_reply-return-code.patch
+net-stmmac-don-t-set-own-bit-too-early-for-jumbo-fra.patch
+qlcnic-avoid-potential-null-pointer-dereference.patch
+xsk-fix-umem-memory-leak-on-cleanup.patch
+staging-axis-fifo-add-config_of-dependency.patch
+staging-mt7621-pci-fix-build-without-pci-support.patch
+netfilter-nft_set_rbtree-check-for-inactive-element-.patch
+netfilter-bridge-set-skb-transport_header-before-ent.patch
+netfilter-fix-netfilter_xt_target_tee-dependencies.patch
+netfilter-ip6t_srh-fix-null-pointer-dereferences.patch
+s390-qeth-fix-race-when-initializing-the-ip-address-.patch
+arm-imx51-fix-a-leaked-reference-by-adding-missing-o.patch
+sc16is7xx-missing-unregister-delete-driver-on-error-.patch
+serial-ar933x_uart-fix-build-failure-with-disabled-c.patch
+kvm-arm64-reset-the-pmu-in-preemptible-context.patch
+kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-writi.patch
+kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch
+usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch
+usb-gadget-net2280-fix-overrun-of-out-messages.patch
+usb-gadget-net2280-fix-net2280_dequeue.patch
+usb-gadget-net2272-fix-net2272_dequeue.patch
+arm-dts-pfla02-increase-phy-reset-duration.patch
+i2c-i801-add-support-for-intel-comet-lake.patch
+net-ks8851-dequeue-rx-packets-explicitly.patch
+net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch
+net-ks8851-delay-requesting-irq-until-opened.patch
+net-ks8851-set-initial-carrier-state-to-down.patch
+staging-rtl8188eu-fix-potential-null-pointer-derefer.patch
+staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch
+staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch
+staging-rtlwifi-fix-potential-null-pointer-dereferen.patch
+net-macb-add-null-check-for-pclk-and-hclk.patch
+net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
+arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch
+drm-tegra-hub-fix-dereference-before-check.patch
+nfs-fix-a-typo-in-nfs_init_timeout_values.patch
+net-xilinx-fix-possible-object-reference-leak.patch
+net-ibm-fix-possible-object-reference-leak.patch
+net-ethernet-ti-fix-possible-object-reference-leak.patch
+drm-fix-drm_release-and-device-unplug.patch
+gpio-aspeed-fix-a-potential-null-pointer-dereference.patch
+drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch
+drm-meson-uninstall-irq-handler.patch
+arm-davinci-fix-build-failure-with-allnoconfig.patch
+scsi-mpt3sas-fix-kernel-panic-during-expander-reset.patch
+scsi-aacraid-insure-we-don-t-access-pcie-space-durin.patch
+scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch
+usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch
+leds-trigger-netdev-fix-refcnt-leak-on-interface-ren.patch
+x86-realmode-don-t-leak-the-trampoline-kernel-addres.patch
+usb-u132-hcd-fix-resource-leak.patch
+ceph-fix-use-after-free-on-symlink-traversal.patch
+scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch
+x86-mm-don-t-exceed-the-valid-physical-address-space.patch
+libata-fix-using-dma-buffers-on-stack.patch
+gpio-of-fix-of_gpiochip_add-error-path.patch
+nvme-multipath-relax-ana-state-check.patch
+perf-machine-update-kernel-map-address-and-re-order-.patch
+kconfig-mn-conf-handle-backspace-h-key.patch
+iommu-amd-reserve-exclusion-range-in-iova-domain.patch
+ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch
+leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch
+leds-trigger-netdev-use-memcpy-in-device_name_store.patch
--- /dev/null
+From f1437f6d1b7575f274887bf57e0a83fbbf0e8f7d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 4 Mar 2019 20:43:00 +0100
+Subject: staging: axis-fifo: add CONFIG_OF dependency
+
+[ Upstream commit 1beea6204e2304dd11600791d8dad8e7350af6ad ]
+
+When building without CONFIG_OF, the compiler loses track of the flow
+control in axis_fifo_probe(), and thinks that many variables are used
+without an initialization even though we actually leave the function
+before the first use:
+
+drivers/staging/axis-fifo/axis-fifo.c: In function 'axis_fifo_probe':
+drivers/staging/axis-fifo/axis-fifo.c:900:5: error: 'rxd_tdata_width' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ if (rxd_tdata_width != 32) {
+ ^
+drivers/staging/axis-fifo/axis-fifo.c:907:5: error: 'txd_tdata_width' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ if (txd_tdata_width != 32) {
+ ^
+drivers/staging/axis-fifo/axis-fifo.c:914:5: error: 'has_tdest' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ if (has_tdest) {
+ ^
+drivers/staging/axis-fifo/axis-fifo.c:919:5: error: 'has_tid' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+
+When CONFIG_OF is set, this does not happen, and since the driver cannot
+work without it, just add that option as a Kconfig dependency.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/axis-fifo/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/axis-fifo/Kconfig b/drivers/staging/axis-fifo/Kconfig
+index 687537203d9c..d9725888af6f 100644
+--- a/drivers/staging/axis-fifo/Kconfig
++++ b/drivers/staging/axis-fifo/Kconfig
+@@ -3,6 +3,7 @@
+ #
+ config XIL_AXIS_FIFO
+ tristate "Xilinx AXI-Stream FIFO IP core driver"
++ depends on OF
+ default n
+ help
+ This adds support for the Xilinx AXI-Stream
+--
+2.19.1
+
--- /dev/null
+From f489a709ea758f61aea66350c54884293fa9ff14 Mon Sep 17 00:00:00 2001
+From: Maxim Zhukov <mussitantesmortem@gmail.com>
+Date: Sat, 9 Mar 2019 12:54:00 +0300
+Subject: staging, mt7621-pci: fix build without pci support
+
+[ Upstream commit 90cd9bed5adb3e3bd4d3ac4cbcecbc4a8028bbaf ]
+
+Add depends on PCI for PCI_MT7621
+
+Signed-off-by: Maxim Zhukov <mussitantesmortem@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/mt7621-pci/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/mt7621-pci/Kconfig b/drivers/staging/mt7621-pci/Kconfig
+index d33533872a16..c8fa17cfa807 100644
+--- a/drivers/staging/mt7621-pci/Kconfig
++++ b/drivers/staging/mt7621-pci/Kconfig
+@@ -1,6 +1,7 @@
+ config PCI_MT7621
+ tristate "MediaTek MT7621 PCI Controller"
+ depends on RALINK
++ depends on PCI
+ select PCI_DRIVERS_GENERIC
+ help
+ This selects a driver for the MediaTek MT7621 PCI Controller.
+--
+2.19.1
+
--- /dev/null
+From 035cfa459fe0a57c37cf19a11e171b0865362c5d Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 12:21:35 -0500
+Subject: staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc
+
+[ Upstream commit 7671ce0d92933762f469266daf43bd34d422d58c ]
+
+hwxmits is allocated via kcalloc and not checked for failure before its
+dereference. The patch fixes this problem by returning error upstream
+in rtl8723bs, rtl8188eu.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Acked-by: Mukesh Ojha <mojha@codeaurora.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtl8188eu/core/rtw_xmit.c | 9 +++++++--
+ drivers/staging/rtl8188eu/include/rtw_xmit.h | 2 +-
+ drivers/staging/rtl8723bs/core/rtw_xmit.c | 14 +++++++-------
+ drivers/staging/rtl8723bs/include/rtw_xmit.h | 2 +-
+ 4 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c
+index 2130d78e0d9f..dd9b02d316f3 100644
+--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c
++++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c
+@@ -178,7 +178,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
+
+ pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
+
+- rtw_alloc_hwxmits(padapter);
++ res = rtw_alloc_hwxmits(padapter);
++ if (res == _FAIL)
++ goto exit;
+ rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
+
+ for (i = 0; i < 4; i++)
+@@ -1502,7 +1504,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
+ return res;
+ }
+
+-void rtw_alloc_hwxmits(struct adapter *padapter)
++s32 rtw_alloc_hwxmits(struct adapter *padapter)
+ {
+ struct hw_xmit *hwxmits;
+ struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
+@@ -1511,6 +1513,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+
+ pxmitpriv->hwxmits = kcalloc(pxmitpriv->hwxmit_entry,
+ sizeof(struct hw_xmit), GFP_KERNEL);
++ if (!pxmitpriv->hwxmits)
++ return _FAIL;
+
+ hwxmits = pxmitpriv->hwxmits;
+
+@@ -1518,6 +1522,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+ hwxmits[1] .sta_queue = &pxmitpriv->vi_pending;
+ hwxmits[2] .sta_queue = &pxmitpriv->be_pending;
+ hwxmits[3] .sta_queue = &pxmitpriv->bk_pending;
++ return _SUCCESS;
+ }
+
+ void rtw_free_hwxmits(struct adapter *padapter)
+diff --git a/drivers/staging/rtl8188eu/include/rtw_xmit.h b/drivers/staging/rtl8188eu/include/rtw_xmit.h
+index 788f59c74ea1..ba7e15fbde72 100644
+--- a/drivers/staging/rtl8188eu/include/rtw_xmit.h
++++ b/drivers/staging/rtl8188eu/include/rtw_xmit.h
+@@ -336,7 +336,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter,
+ void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry);
+ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
+ void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv);
+-void rtw_alloc_hwxmits(struct adapter *padapter);
++s32 rtw_alloc_hwxmits(struct adapter *padapter);
+ void rtw_free_hwxmits(struct adapter *padapter);
+ s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt);
+
+diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
+index edb678190b4b..16291de5c0d9 100644
+--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
++++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
+@@ -260,7 +260,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
+ }
+ }
+
+- rtw_alloc_hwxmits(padapter);
++ res = rtw_alloc_hwxmits(padapter);
++ if (res == _FAIL)
++ goto exit;
+ rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
+
+ for (i = 0; i < 4; i++) {
+@@ -2144,7 +2146,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
+ return res;
+ }
+
+-void rtw_alloc_hwxmits(struct adapter *padapter)
++s32 rtw_alloc_hwxmits(struct adapter *padapter)
+ {
+ struct hw_xmit *hwxmits;
+ struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
+@@ -2155,10 +2157,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+
+ pxmitpriv->hwxmits = rtw_zmalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry);
+
+- if (pxmitpriv->hwxmits == NULL) {
+- DBG_871X("alloc hwxmits fail!...\n");
+- return;
+- }
++ if (!pxmitpriv->hwxmits)
++ return _FAIL;
+
+ hwxmits = pxmitpriv->hwxmits;
+
+@@ -2204,7 +2204,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+
+ }
+
+-
++ return _SUCCESS;
+ }
+
+ void rtw_free_hwxmits(struct adapter *padapter)
+diff --git a/drivers/staging/rtl8723bs/include/rtw_xmit.h b/drivers/staging/rtl8723bs/include/rtw_xmit.h
+index a75b668d09a6..021c72361fbb 100644
+--- a/drivers/staging/rtl8723bs/include/rtw_xmit.h
++++ b/drivers/staging/rtl8723bs/include/rtw_xmit.h
+@@ -486,7 +486,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
+ void _rtw_free_xmit_priv (struct xmit_priv *pxmitpriv);
+
+
+-void rtw_alloc_hwxmits(struct adapter *padapter);
++s32 rtw_alloc_hwxmits(struct adapter *padapter);
+ void rtw_free_hwxmits(struct adapter *padapter);
+
+
+--
+2.19.1
+
--- /dev/null
+From 40bf4447ee276604f7dcfc11db565757fbb99b96 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 21 Mar 2019 09:26:38 +0300
+Subject: staging: rtl8712: uninitialized memory in read_bbreg_hdl()
+
+[ Upstream commit 22c971db7dd4b0ad8dd88e99c407f7a1f4231a2e ]
+
+Colin King reported a bug in read_bbreg_hdl():
+
+ memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
+
+The problem is that "val" is uninitialized.
+
+This code is obviously not useful, but so far as I can tell
+"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful
+either. For now the easiest fix is to just call r8712_free_cmd_obj()
+and return.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Reported-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtl8712/rtl8712_cmd.c | 10 +---------
+ drivers/staging/rtl8712/rtl8712_cmd.h | 2 +-
+ 2 files changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
+index b1dfe9f46619..63bc811681d9 100644
+--- a/drivers/staging/rtl8712/rtl8712_cmd.c
++++ b/drivers/staging/rtl8712/rtl8712_cmd.c
+@@ -159,17 +159,9 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
+
+ static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
+ {
+- u32 val;
+- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
+ struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
+
+- if (pcmd->rsp && pcmd->rspsz > 0)
+- memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
+- pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
+- if (!pcmd_callback)
+- r8712_free_cmd_obj(pcmd);
+- else
+- pcmd_callback(padapter, pcmd);
++ r8712_free_cmd_obj(pcmd);
+ return H2C_SUCCESS;
+ }
+
+diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
+index 9181bb6b04c3..a101a0a50955 100644
+--- a/drivers/staging/rtl8712/rtl8712_cmd.h
++++ b/drivers/staging/rtl8712/rtl8712_cmd.h
+@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd {
+ static struct _cmd_callback cmd_callback[] = {
+ {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/
+ {GEN_CMD_CODE(_Write_MACREG), NULL},
+- {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback},
++ {GEN_CMD_CODE(_Read_BBREG), NULL},
+ {GEN_CMD_CODE(_Write_BBREG), NULL},
+ {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback},
+ {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/
+--
+2.19.1
+
--- /dev/null
+From da06070ec33ba3adb0ef3f8aab823c03f7729b40 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 10:42:32 -0500
+Subject: staging: rtlwifi: Fix potential NULL pointer dereference of kzalloc
+
+[ Upstream commit 6a8ca24590a2136921439b376c926c11a6effc0e ]
+
+phydm.internal is allocated using kzalloc which is used multiple
+times without a check for NULL pointer. This patch avoids such a
+scenario by returning 0, consistent with the failure case.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtlwifi/phydm/rtl_phydm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/rtlwifi/phydm/rtl_phydm.c b/drivers/staging/rtlwifi/phydm/rtl_phydm.c
+index 9930ed954abb..4cc77b2016e1 100644
+--- a/drivers/staging/rtlwifi/phydm/rtl_phydm.c
++++ b/drivers/staging/rtlwifi/phydm/rtl_phydm.c
+@@ -180,6 +180,8 @@ static int rtl_phydm_init_priv(struct rtl_priv *rtlpriv,
+
+ rtlpriv->phydm.internal =
+ kzalloc(sizeof(struct phy_dm_struct), GFP_KERNEL);
++ if (!rtlpriv->phydm.internal)
++ return 0;
+
+ _rtl_phydm_init_com_info(rtlpriv, ic, params);
+
+--
+2.19.1
+
--- /dev/null
+From 5186ca5a3ed4aca26adf1d32235484fe86d98d9c Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 12:02:49 -0500
+Subject: staging: rtlwifi: rtl8822b: fix to avoid potential NULL pointer
+ dereference
+
+[ Upstream commit d70d70aec9632679dd00dcc1b1e8b2517e2c7da0 ]
+
+skb allocated via dev_alloc_skb can fail and return a NULL pointer.
+This patch avoids such a scenario and returns, consistent with other
+invocations.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtlwifi/rtl8822be/fw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/rtlwifi/rtl8822be/fw.c b/drivers/staging/rtlwifi/rtl8822be/fw.c
+index a40396614814..c1ed52df05f0 100644
+--- a/drivers/staging/rtlwifi/rtl8822be/fw.c
++++ b/drivers/staging/rtlwifi/rtl8822be/fw.c
+@@ -741,6 +741,8 @@ void rtl8822be_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+ u1_rsvd_page_loc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ memcpy((u8 *)skb_put(skb, totalpacketlen), &reserved_page_packet,
+ totalpacketlen);
+
+--
+2.19.1
+
--- /dev/null
+From df9a02df76f22dc064965fd3283692f72d94d0d4 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Thu, 31 Jan 2019 11:04:19 +0200
+Subject: usb: dwc3: pci: add support for Comet Lake PCH ID
+
+[ Upstream commit 7ae622c978db6b2e28b4fced6ecd2a174492059d ]
+
+This patch simply adds a new PCI Device ID
+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index fdc6e4e403e8..8cced3609e24 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -29,6 +29,7 @@
+ #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa
+ #define PCI_DEVICE_ID_INTEL_APL 0x5aaa
+ #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0
++#define PCI_DEVICE_ID_INTEL_CMLH 0x02ee
+ #define PCI_DEVICE_ID_INTEL_GLK 0x31aa
+ #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee
+ #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e
+@@ -305,6 +306,9 @@ static const struct pci_device_id dwc3_pci_id_table[] = {
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_MRFLD),
+ (kernel_ulong_t) &dwc3_pci_mrfld_properties, },
+
++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_CMLH),
++ (kernel_ulong_t) &dwc3_pci_intel_properties, },
++
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_SPTLP),
+ (kernel_ulong_t) &dwc3_pci_intel_properties, },
+
+--
+2.19.1
+
--- /dev/null
+From a6264939e7d03fccd9a3060c2576bbeda23ca92f Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Mon, 18 Mar 2019 09:18:34 +0100
+Subject: usb: gadget: net2272: Fix net2272_dequeue()
+
+[ Upstream commit 091dacc3cc10979ab0422f0a9f7fcc27eee97e69 ]
+
+Restore the status of ep->stopped in function net2272_dequeue().
+
+When the given request is not found in the endpoint queue
+the function returns -EINVAL without restoring the state of
+ep->stopped. Thus the endpoint keeps blocked and does not transfer
+any data anymore.
+
+This fix is only compile-tested, since we do not have a
+corresponding hardware. An analogous fix was tested in the sibling
+driver. See "usb: gadget: net2280: Fix net2280_dequeue()"
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2272.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c
+index b77f3126580e..c2011cd7df8c 100644
+--- a/drivers/usb/gadget/udc/net2272.c
++++ b/drivers/usb/gadget/udc/net2272.c
+@@ -945,6 +945,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ break;
+ }
+ if (&req->req != _req) {
++ ep->stopped = stopped;
+ spin_unlock_irqrestore(&ep->dev->lock, flags);
+ return -EINVAL;
+ }
+--
+2.19.1
+
--- /dev/null
+From 11f1b8aaf714ddfcb33ed363c98b68ff1f2c1c7f Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Mon, 18 Mar 2019 09:18:33 +0100
+Subject: usb: gadget: net2280: Fix net2280_dequeue()
+
+[ Upstream commit f1d3fba17cd4eeea20397f1324b7b9c69a6a935c ]
+
+When a request must be dequeued with net2280_dequeue() e.g. due
+to a device clear action and the same request is finished by the
+function scan_dma_completions() then the function net2280_dequeue()
+does not find the request in the following search loop and
+returns the error -EINVAL without restoring the status ep->stopped.
+Thus the endpoint keeps blocked and does not receive any data
+anymore.
+This fix restores the status and does not issue an error message.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index c57046b1da0e..ee872cad5270 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -1273,9 +1273,9 @@ static int net2280_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ break;
+ }
+ if (&req->req != _req) {
++ ep->stopped = stopped;
+ spin_unlock_irqrestore(&ep->dev->lock, flags);
+- dev_err(&ep->dev->pdev->dev, "%s: Request mismatch\n",
+- __func__);
++ ep_dbg(ep->dev, "%s: Request mismatch\n", __func__);
+ return -EINVAL;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From ff5a733777203a3e041b442d8d386326aa467169 Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Tue, 19 Mar 2019 19:12:03 +0100
+Subject: usb: gadget: net2280: Fix overrun of OUT messages
+
+[ Upstream commit 9d6a54c1430647355a5e23434881b2ca3d192b48 ]
+
+The OUT endpoint normally blocks (NAK) subsequent packets when a
+short packet was received and returns an incomplete queue entry to
+the gadget driver. Thereby the gadget driver can detect a short packet
+when reading queue entries with a length that is not equal to a
+multiple of packet size.
+
+The start_queue() function enables receiving OUT packets regardless of
+the content of the OUT FIFO. This results in a race: With the current
+code, it's possible that the "!ep->is_in && (readl(&ep->regs->ep_stat)
+& BIT(NAK_OUT_PACKETS))" test in start_dma() will fail, then a short
+packet will be received, and then start_queue() will call
+stop_out_naking(). That's what we don't want (OUT naking gets turned
+off while there is data in the FIFO) because then the next driver
+request might receive a mixture of old and new packets.
+
+With the patch, this race can't occur because the FIFO's state is
+tested after we know that OUT naking is already turned on, and OUT
+naking is stopped only when both of the conditions are met. This
+ensures that all received data is delivered to the gadget driver,
+which can detect a short packet now before new packets are appended
+to the last short packet.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index b02ab2a8d927..c57046b1da0e 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -866,9 +866,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma)
+ (void) readl(&ep->dev->pci->pcimstctl);
+
+ writel(BIT(DMA_START), &dma->dmastat);
+-
+- if (!ep->is_in)
+- stop_out_naking(ep);
+ }
+
+ static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
+@@ -907,6 +904,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
+ writel(BIT(DMA_START), &dma->dmastat);
+ return;
+ }
++ stop_out_naking(ep);
+ }
+
+ tmp = dmactl_default;
+--
+2.19.1
+
--- /dev/null
+From f34031b664c2292f1cbd3d6c3ee130b162a7d8ea Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <mojha@codeaurora.org>
+Date: Tue, 26 Mar 2019 13:42:22 +0530
+Subject: usb: u132-hcd: fix resource leak
+
+[ Upstream commit f276e002793cdb820862e8ea8f76769d56bba575 ]
+
+if platform_driver_register fails, cleanup the allocated resource
+gracefully.
+
+Signed-off-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/host/u132-hcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c
+index 5b8a3d9530c4..5cac83aaeac3 100644
+--- a/drivers/usb/host/u132-hcd.c
++++ b/drivers/usb/host/u132-hcd.c
+@@ -3202,6 +3202,9 @@ static int __init u132_hcd_init(void)
+ printk(KERN_INFO "driver %s\n", hcd_name);
+ workqueue = create_singlethread_workqueue("u132");
+ retval = platform_driver_register(&u132_platform_driver);
++ if (retval)
++ destroy_workqueue(workqueue);
++
+ return retval;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From dd5cb2a60aa9121b9509485a2b1f95a42580a012 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 10:27:11 -0500
+Subject: usb: usb251xb: fix to avoid potential NULL pointer dereference
+
+[ Upstream commit 41f00e6e9e55546390031996b773e7f3c1d95928 ]
+
+of_match_device in usb251xb_probe can fail and returns a NULL pointer.
+The patch avoids a potential NULL pointer dereference in this scenario.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/misc/usb251xb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/misc/usb251xb.c b/drivers/usb/misc/usb251xb.c
+index a6efb9a72939..5f7734c729b1 100644
+--- a/drivers/usb/misc/usb251xb.c
++++ b/drivers/usb/misc/usb251xb.c
+@@ -601,7 +601,7 @@ static int usb251xb_probe(struct usb251xb *hub)
+ dev);
+ int err;
+
+- if (np) {
++ if (np && of_id) {
+ err = usb251xb_get_ofdata(hub,
+ (struct usb251xb_data *)of_id->data);
+ if (err) {
+--
+2.19.1
+
--- /dev/null
+From 0bcb56ef0119929e8fdcecc0d99cc1ff6977f0ba Mon Sep 17 00:00:00 2001
+From: Ralph Campbell <rcampbell@nvidia.com>
+Date: Mon, 25 Mar 2019 17:18:17 -0700
+Subject: x86/mm: Don't exceed the valid physical address space
+
+[ Upstream commit 92c77f7c4d5dfaaf45b2ce19360e69977c264766 ]
+
+valid_phys_addr_range() is used to sanity check the physical address range
+of an operation, e.g., access to /dev/mem. It uses __pa(high_memory)
+internally.
+
+If memory is populated at the end of the physical address space, then
+__pa(high_memory) is outside of the physical address space because:
+
+ high_memory = (void *)__va(max_pfn * PAGE_SIZE - 1) + 1;
+
+For the comparison in valid_phys_addr_range() this is not an issue, but if
+CONFIG_DEBUG_VIRTUAL is enabled, __pa() maps to __phys_addr(), which
+verifies that the resulting physical address is within the valid physical
+address space of the CPU. So in the case that memory is populated at the
+end of the physical address space, this is not true and triggers a
+VIRTUAL_BUG_ON().
+
+Use __pa(high_memory - 1) to prevent the conversion from going beyond
+the end of valid physical addresses.
+
+Fixes: be62a3204406 ("x86/mm: Limit mmap() of /dev/mem to valid physical addresses")
+Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Craig Bergstrom <craigb@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Fengguang Wu <fengguang.wu@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sander Eikelenboom <linux@eikelenboom.it>
+Cc: Sean Young <sean@mess.org>
+
+Link: https://lkml.kernel.org/r/20190326001817.15413-2-rcampbell@nvidia.com
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/x86/mm/mmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
+index 1e95d57760cf..b69f7d428443 100644
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -230,7 +230,7 @@ bool mmap_address_hint_valid(unsigned long addr, unsigned long len)
+ /* Can we access it for direct reading/writing? Must be RAM: */
+ int valid_phys_addr_range(phys_addr_t addr, size_t count)
+ {
+- return addr + count <= __pa(high_memory);
++ return addr + count - 1 <= __pa(high_memory - 1);
+ }
+
+ /* Can we access it through mmap? Must be a valid physical address: */
+--
+2.19.1
+
--- /dev/null
+From 4d78990414ce4f569bf7b2aa5021a46a553d98af Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@redhat.com>
+Date: Tue, 26 Mar 2019 21:30:46 +0100
+Subject: x86/realmode: Don't leak the trampoline kernel address
+
+[ Upstream commit b929a500d68479163c48739d809cbf4c1335db6f ]
+
+Since commit
+
+ ad67b74d2469 ("printk: hash addresses printed with %p")
+
+at boot "____ptrval____" is printed instead of the trampoline addresses:
+
+ Base memory trampoline at [(____ptrval____)] 99000 size 24576
+
+Remove the print as we don't want to leak kernel addresses and this
+statement is not needed anymore.
+
+Fixes: ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190326203046.20787-1-mcroce@redhat.com
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/x86/realmode/init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
+index d10105825d57..47d097946872 100644
+--- a/arch/x86/realmode/init.c
++++ b/arch/x86/realmode/init.c
+@@ -20,8 +20,6 @@ void __init set_real_mode_mem(phys_addr_t mem, size_t size)
+ void *base = __va(mem);
+
+ real_mode_header = (struct real_mode_header *) base;
+- printk(KERN_DEBUG "Base memory trampoline at [%p] %llx size %zu\n",
+- base, (unsigned long long)mem, size);
+ }
+
+ void __init reserve_real_mode(void)
+--
+2.19.1
+
--- /dev/null
+From e177f40645a0585e500c058a222d4de476d44e14 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= <bjorn.topel@intel.com>
+Date: Wed, 13 Mar 2019 15:15:49 +0100
+Subject: xsk: fix umem memory leak on cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 044175a06706d516aa42874bb44dbbfc3c4d20eb ]
+
+When the umem is cleaned up, the task that created it might already be
+gone. If the task was gone, the xdp_umem_release function did not free
+the pages member of struct xdp_umem.
+
+It turned out that the task lookup was not needed at all; The code was
+a left-over when we moved from task accounting to user accounting [1].
+
+This patch fixes the memory leak by removing the task lookup logic
+completely.
+
+[1] https://lore.kernel.org/netdev/20180131135356.19134-3-bjorn.topel@gmail.com/
+
+Link: https://lore.kernel.org/netdev/c1cb2ca8-6a14-3980-8672-f3de0bb38dfd@suse.cz/
+Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt")
+Reported-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ include/net/xdp_sock.h | 1 -
+ net/xdp/xdp_umem.c | 19 +------------------
+ 2 files changed, 1 insertion(+), 19 deletions(-)
+
+diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
+index 7161856bcf9c..c2c10cc9ffa0 100644
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -34,7 +34,6 @@ struct xdp_umem {
+ u32 headroom;
+ u32 chunk_size_nohr;
+ struct user_struct *user;
+- struct pid *pid;
+ unsigned long address;
+ refcount_t users;
+ struct work_struct work;
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index bfe2dbea480b..a3b037fbfecd 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -152,9 +152,6 @@ static void xdp_umem_unaccount_pages(struct xdp_umem *umem)
+
+ static void xdp_umem_release(struct xdp_umem *umem)
+ {
+- struct task_struct *task;
+- struct mm_struct *mm;
+-
+ xdp_umem_clear_dev(umem);
+
+ if (umem->fq) {
+@@ -169,21 +166,10 @@ static void xdp_umem_release(struct xdp_umem *umem)
+
+ xdp_umem_unpin_pages(umem);
+
+- task = get_pid_task(umem->pid, PIDTYPE_PID);
+- put_pid(umem->pid);
+- if (!task)
+- goto out;
+- mm = get_task_mm(task);
+- put_task_struct(task);
+- if (!mm)
+- goto out;
+-
+- mmput(mm);
+ kfree(umem->pages);
+ umem->pages = NULL;
+
+ xdp_umem_unaccount_pages(umem);
+-out:
+ kfree(umem);
+ }
+
+@@ -312,7 +298,6 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (size_chk < 0)
+ return -EINVAL;
+
+- umem->pid = get_task_pid(current, PIDTYPE_PID);
+ umem->address = (unsigned long)addr;
+ umem->props.chunk_mask = ~((u64)chunk_size - 1);
+ umem->props.size = size;
+@@ -328,7 +313,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+
+ err = xdp_umem_account_pages(umem);
+ if (err)
+- goto out;
++ return err;
+
+ err = xdp_umem_pin_pages(umem);
+ if (err)
+@@ -347,8 +332,6 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+
+ out_account:
+ xdp_umem_unaccount_pages(umem);
+-out:
+- put_pid(umem->pid);
+ return err;
+ }
+
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
