--- /dev/null
+From 7f13098686f08be9a08119777289e0825d89acf1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 21 Dec 2018 12:06:58 +0300
+Subject: ALSA: compress: prevent potential divide by zero bugs
+
+[ Upstream commit 678e2b44c8e3fec3afc7202f1996a4500a50be93 ]
+
+The problem is seen in the q6asm_dai_compr_set_params() function:
+
+ ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
+ (prtd->pcm_size / prtd->periods),
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ prtd->periods);
+
+In this code prtd->pcm_size is the buffer_size and prtd->periods comes
+from params->buffer.fragments. If we allow the number of fragments to
+be zero then it results in a divide by zero bug. One possible fix would
+be to use prtd->pcm_count directly instead of using the division to
+re-calculate it. But I decided that it doesn't really make sense to
+allow zero fragments.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/compress_offload.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index 53cd5d69293e9..307344452b5c0 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -500,7 +500,8 @@ static int snd_compress_check_input(struct snd_compr_params *params)
+ {
+ /* first let's check the buffer parameter's */
+ if (params->buffer.fragment_size == 0 ||
+- params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
++ params->buffer.fragments > INT_MAX / params->buffer.fragment_size ||
++ params->buffer.fragments == 0)
+ return -EINVAL;
+
+ /* now codec parameters */
+--
+2.19.1
+
--- /dev/null
+From 7ef4a1c9a3da515adb1b779ad7f7bb0adaa5958f Mon Sep 17 00:00:00 2001
+From: Silvio Cesare <silvio.cesare@gmail.com>
+Date: Tue, 15 Jan 2019 04:27:27 +0100
+Subject: ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
+
+[ Upstream commit c407cd008fd039320d147088b52d0fa34ed3ddcb ]
+
+Change snprintf to scnprintf. There are generally two cases where using
+snprintf causes problems.
+
+1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
+In this case, if snprintf would have written more characters than what the
+buffer size (SIZE) is, then size will end up larger than SIZE. In later
+uses of snprintf, SIZE - size will result in a negative number, leading
+to problems. Note that size might already be too large by using
+size = snprintf before the code reaches a case of size += snprintf.
+
+2) If size is ultimately used as a length parameter for a copy back to user
+space, then it will potentially allow for a buffer overflow and information
+disclosure when size is greater than SIZE. When the size is used to index
+the buffer directly, we can have memory corruption. This also means when
+size = snprintf... is used, it may also cause problems since size may become
+large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
+configuration.
+
+The solution to these issues is to use scnprintf which returns the number of
+characters actually written to the buffer, so the size variable will never
+exceed SIZE.
+
+Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
+Cc: Timur Tabi <timur@kernel.org>
+Cc: Nicolin Chen <nicoleotsuka@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Xiubo Li <Xiubo.Lee@gmail.com>
+Cc: Fabio Estevam <fabio.estevam@nxp.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c
+index 46f9beb6b273b..57d581d05de19 100644
+--- a/sound/soc/fsl/imx-audmux.c
++++ b/sound/soc/fsl/imx-audmux.c
+@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf,
+ if (!buf)
+ return -ENOMEM;
+
+- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
++ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
+ pdcr, ptcr);
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxFS output from %s, ",
+ audmux_port_string((ptcr >> 27) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxFS input, ");
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxClk output from %s",
+ audmux_port_string((ptcr >> 22) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxClk input");
+
+- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) {
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "Port is symmetric");
+ } else {
+ if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxFS output from %s, ",
+ audmux_port_string((ptcr >> 17) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxFS input, ");
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxClk output from %s",
+ audmux_port_string((ptcr >> 12) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxClk input");
+ }
+
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "\nData received from %s\n",
+ audmux_port_string((pdcr >> 13) & 0x7));
+
+--
+2.19.1
+
--- /dev/null
+From 94217c27297076d9ffb8efdee0750922bf488db6 Mon Sep 17 00:00:00 2001
+From: Rander Wang <rander.wang@linux.intel.com>
+Date: Tue, 18 Dec 2018 16:24:54 +0800
+Subject: ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field
+
+[ Upstream commit 906a9abc5de73c383af518f5a806f4be2993a0c7 ]
+
+For some reason this field was set to zero when all other drivers use
+.dynamic = 1 for front-ends. This change was tested on Dell XPS13 and
+has no impact with the existing legacy driver. The SOF driver also works
+with this change which enables it to override the fixed topology.
+
+Signed-off-by: Rander Wang <rander.wang@linux.intel.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/broadwell.c | 2 +-
+ sound/soc/intel/haswell.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/broadwell.c b/sound/soc/intel/broadwell.c
+index 0e550f14028f1..4aba2286a5aba 100644
+--- a/sound/soc/intel/broadwell.c
++++ b/sound/soc/intel/broadwell.c
+@@ -168,7 +168,7 @@ static struct snd_soc_dai_link broadwell_rt286_dais[] = {
+ .stream_name = "Loopback",
+ .cpu_dai_name = "Loopback Pin",
+ .platform_name = "haswell-pcm-audio",
+- .dynamic = 0,
++ .dynamic = 1,
+ .codec_name = "snd-soc-dummy",
+ .codec_dai_name = "snd-soc-dummy-dai",
+ .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST},
+diff --git a/sound/soc/intel/haswell.c b/sound/soc/intel/haswell.c
+index 3981982674ac9..0efd574d37706 100644
+--- a/sound/soc/intel/haswell.c
++++ b/sound/soc/intel/haswell.c
+@@ -146,7 +146,7 @@ static struct snd_soc_dai_link haswell_rt5640_dais[] = {
+ .stream_name = "Loopback",
+ .cpu_dai_name = "Loopback Pin",
+ .platform_name = "haswell-pcm-audio",
+- .dynamic = 0,
++ .dynamic = 1,
+ .codec_name = "snd-soc-dummy",
+ .codec_dai_name = "snd-soc-dummy-dai",
+ .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST},
+--
+2.19.1
+
--- /dev/null
+From 3aa0d9461e81a314030955b0341a1910680d3f19 Mon Sep 17 00:00:00 2001
+From: Chaitanya Tata <chaitanya.tata@bluwirelesstechnology.com>
+Date: Sat, 19 Jan 2019 03:17:47 +0530
+Subject: cfg80211: extend range deviation for DMG
+
+[ Upstream commit 93183bdbe73bbdd03e9566c8dc37c9d06b0d0db6 ]
+
+Recently, DMG frequency bands have been extended till 71GHz, so extend
+the range check till 20GHz (45-71GHZ), else some channels will be marked
+as disabled.
+
+Signed-off-by: Chaitanya Tata <Chaitanya.Tata@bluwireless.co.uk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 306464b3acdbb..2f1b39577a848 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -688,7 +688,7 @@ static bool reg_does_bw_fit(const struct ieee80211_freq_range *freq_range,
+ * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"),
+ * however it is safe for now to assume that a frequency rule should not be
+ * part of a frequency's band if the start freq or end freq are off by more
+- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the
++ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the
+ * 60 GHz band.
+ * This resolution can be lowered and should be considered as we add
+ * regulatory rule support for other "bands".
+@@ -703,7 +703,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range,
+ * with the Channel starting frequency above 45 GHz.
+ */
+ u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ?
+- 10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ;
++ 20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ;
+ if (abs(freq_khz - freq_range->start_freq_khz) <= limit)
+ return true;
+ if (abs(freq_khz - freq_range->end_freq_khz) <= limit)
+--
+2.19.1
+
--- /dev/null
+From 2340c300ada46bbcb199c862c445fe73686c1695 Mon Sep 17 00:00:00 2001
+From: "Kristian H. Kristensen" <hoegsberg@gmail.com>
+Date: Wed, 19 Dec 2018 08:57:41 -0800
+Subject: drm/msm: Unblock writer if reader closes file
+
+[ Upstream commit 99c66bc051e7407fe0bf0607b142ec0be1a1d1dd ]
+
+Prevents deadlock when fifo is full and reader closes file.
+
+Signed-off-by: Kristian H. Kristensen <hoegsberg@chromium.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_rd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c
+index 9a78c48817c6a..909a52b21ebe7 100644
+--- a/drivers/gpu/drm/msm/msm_rd.c
++++ b/drivers/gpu/drm/msm/msm_rd.c
+@@ -103,7 +103,9 @@ static void rd_write(struct msm_rd_state *rd, const void *buf, int sz)
+ char *fptr = &fifo->buf[fifo->head];
+ int n;
+
+- wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0);
++ wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open);
++ if (!rd->open)
++ return;
+
+ n = min(sz, circ_space_to_end(&rd->fifo));
+ memcpy(fptr, ptr, n);
+@@ -192,7 +194,10 @@ static int rd_open(struct inode *inode, struct file *file)
+ static int rd_release(struct inode *inode, struct file *file)
+ {
+ struct msm_rd_state *rd = inode->i_private;
++
+ rd->open = false;
++ wake_up_all(&rd->fifo_event);
++
+ return 0;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 3c459549eefa0ffacce2bef596423fb7ca0450e9 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Thu, 24 Jan 2019 11:17:01 -0600
+Subject: ibmveth: Do not process frames after calling napi_reschedule
+
+[ Upstream commit e95d22c69b2c130ccce257b84daf283fd82d611e ]
+
+The IBM virtual ethernet driver's polling function continues
+to process frames after rescheduling NAPI, resulting in a warning
+if it exhausted its budget. Do not restart polling after calling
+napi_reschedule. Instead let frames be processed in the following
+instance.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
+index 427a6674d237b..f0301b1ff56cb 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1085,7 +1085,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget)
+ int frames_processed = 0;
+ unsigned long lpar_rc;
+
+-restart_poll:
+ while (frames_processed < budget) {
+ if (!ibmveth_rxq_pending_buffer(adapter))
+ break;
+@@ -1154,7 +1153,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget)
+ napi_reschedule(napi)) {
+ lpar_rc = h_vio_signal(adapter->vdev->unit_address,
+ VIO_IRQ_DISABLE);
+- goto restart_poll;
+ }
+ }
+
+--
+2.19.1
+
--- /dev/null
+From d3ddfbe09bd96a949db509972e83ab4c33599bb1 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Mon, 7 Jan 2019 19:44:51 +0100
+Subject: KVM: nSVM: clear events pending from svm_complete_interrupts() when
+ exiting to L1
+
+[ Upstream commit 619ad846fc3452adaf71ca246c5aa711e2055398 ]
+
+kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being
+delivered to the host (L1) when it's running nested. The problem seems to
+be: svm_complete_interrupts() raises 'nmi_injected' flag but later we
+decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI
+injection upon entry so it got delivered to L1 instead of L2.
+
+It seems that VMX code solves the same issue in prepare_vmcs12(), this was
+introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework
+event injection and recovery").
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 2e0c64a08549c..a29d59e205d39 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -2431,6 +2431,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
+ kvm_mmu_reset_context(&svm->vcpu);
+ kvm_mmu_load(&svm->vcpu);
+
++ /*
++ * Drop what we picked up for L2 via svm_complete_interrupts() so it
++ * doesn't end up in L1.
++ */
++ svm->vcpu.arch.nmi_injected = false;
++ kvm_clear_exception_queue(&svm->vcpu);
++ kvm_clear_interrupt_queue(&svm->vcpu);
++
+ return 0;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 969bc289baa2ab5a83dc2b373920d5db595fa40d Mon Sep 17 00:00:00 2001
+From: Balaji Pothunoori <bpothuno@codeaurora.org>
+Date: Mon, 21 Jan 2019 12:30:43 +0530
+Subject: mac80211: don't initiate TDLS connection if station is not associated
+ to AP
+
+[ Upstream commit 7ed5285396c257fd4070b1e29e7b2341aae2a1ce ]
+
+Following call trace is observed while adding TDLS peer entry in driver
+during TDLS setup.
+
+Call Trace:
+[<c1301476>] dump_stack+0x47/0x61
+[<c10537d2>] __warn+0xe2/0x100
+[<fa22415f>] ? sta_apply_parameters+0x49f/0x550 [mac80211]
+[<c1053895>] warn_slowpath_null+0x25/0x30
+[<fa22415f>] sta_apply_parameters+0x49f/0x550 [mac80211]
+[<fa20ad42>] ? sta_info_alloc+0x1c2/0x450 [mac80211]
+[<fa224623>] ieee80211_add_station+0xe3/0x160 [mac80211]
+[<c1876fe3>] nl80211_new_station+0x273/0x420
+[<c170f6d9>] genl_rcv_msg+0x219/0x3c0
+[<c170f4c0>] ? genl_rcv+0x30/0x30
+[<c170ee7e>] netlink_rcv_skb+0x8e/0xb0
+[<c170f4ac>] genl_rcv+0x1c/0x30
+[<c170e8aa>] netlink_unicast+0x13a/0x1d0
+[<c170ec18>] netlink_sendmsg+0x2d8/0x390
+[<c16c5acd>] sock_sendmsg+0x2d/0x40
+[<c16c6369>] ___sys_sendmsg+0x1d9/0x1e0
+
+Fixing this by allowing TDLS setup request only when we have completed
+association.
+
+Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 6ba5240dd61da..ffe319309d033 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1194,6 +1194,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
+ sta->sta.tdls = true;
+ }
+
++ if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
+--
+2.19.1
+
--- /dev/null
+From e2ed419124860131ddc75e4dc8bc5a9512f18738 Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Thu, 17 Jan 2019 16:32:42 -0500
+Subject: mac80211: fix miscounting of ttl-dropped frames
+
+[ Upstream commit a0dc02039a2ee54fb4ae400e0b755ed30e73e58c ]
+
+In ieee80211_rx_h_mesh_fwding, we increment the 'dropped_frames_ttl'
+counter when we decrement the ttl to zero. For unicast frames
+destined for other hosts, we stop processing the frame at that point.
+
+For multicast frames, we do not rebroadcast it in this case, but we
+do pass the frame up the stack to process it on this STA. That
+doesn't match the usual definition of "dropped," so don't count
+those as such.
+
+With this change, something like `ping6 -i0.2 ff02::1%mesh0` from a
+peer in a ttl=1 network no longer increments the counter rapidly.
+
+Signed-off-by: Bob Copeland <bobcopeland@fb.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index ea3b139875218..ccb822aa62258 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2179,7 +2179,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+ skb_set_queue_mapping(skb, q);
+
+ if (!--mesh_hdr->ttl) {
+- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
++ if (!is_multicast_ether_addr(hdr->addr1))
++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
++ dropped_frames_ttl);
+ goto out;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 4456ae701a8f8574b92eb5c07c0e12ba43589268 Mon Sep 17 00:00:00 2001
+From: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Date: Mon, 21 Jan 2019 17:26:41 +0900
+Subject: net: altera_tse: fix connect_local_phy error path
+
+[ Upstream commit 17b42a20d7ca59377788c6a2409e77569570cc10 ]
+
+The connect_local_phy should return NULL (not negative errno) on
+error, since its caller expects it.
+
+Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Acked-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/altera/altera_tse_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c
+index 2eb6404755b1f..c1b599c521953 100644
+--- a/drivers/net/ethernet/altera/altera_tse_main.c
++++ b/drivers/net/ethernet/altera/altera_tse_main.c
+@@ -706,8 +706,10 @@ static struct phy_device *connect_local_phy(struct net_device *dev)
+
+ phydev = phy_connect(dev, phy_id_fmt, &altera_tse_adjust_link,
+ priv->phy_iface);
+- if (IS_ERR(phydev))
++ if (IS_ERR(phydev)) {
+ netdev_err(dev, "Could not attach to PHY\n");
++ phydev = NULL;
++ }
+
+ } else {
+ int ret;
+--
+2.19.1
+
--- /dev/null
+From 81a3fcca7517b5e0309ebb5b9112741575d7f791 Mon Sep 17 00:00:00 2001
+From: Varun Prakash <varun@chelsio.com>
+Date: Sat, 12 Jan 2019 22:14:30 +0530
+Subject: scsi: csiostor: fix NULL pointer dereference in
+ csio_vport_set_state()
+
+[ Upstream commit fe35a40e675473eb65f2f5462b82770f324b5689 ]
+
+Assign fc_vport to ln->fc_vport before calling csio_fcoe_alloc_vnp() to
+avoid a NULL pointer dereference in csio_vport_set_state().
+
+ln->fc_vport is dereferenced in csio_vport_set_state().
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_attr.c b/drivers/scsi/csiostor/csio_attr.c
+index 065a87ace623b..22b800b5ac7ff 100644
+--- a/drivers/scsi/csiostor/csio_attr.c
++++ b/drivers/scsi/csiostor/csio_attr.c
+@@ -582,12 +582,12 @@ csio_vport_create(struct fc_vport *fc_vport, bool disable)
+ }
+
+ fc_vport_set_state(fc_vport, FC_VPORT_INITIALIZING);
++ ln->fc_vport = fc_vport;
+
+ if (csio_fcoe_alloc_vnp(hw, ln))
+ goto error;
+
+ *(struct csio_lnode **)fc_vport->dd_data = ln;
+- ln->fc_vport = fc_vport;
+ if (!fc_vport->node_name)
+ fc_vport->node_name = wwn_to_u64(csio_ln_wwnn(ln));
+ if (!fc_vport->port_name)
+--
+2.19.1
+
--- /dev/null
+From e9207d1689c7a5077d310d2644ec510b8aff0184 Mon Sep 17 00:00:00 2001
+From: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Date: Mon, 21 Jan 2019 17:34:16 +0900
+Subject: serial: fsl_lpuart: fix maximum acceptable baud rate with
+ over-sampling
+
+[ Upstream commit 815d835b7ba46685c316b000013367dacb2b461b ]
+
+Using over-sampling ratio, lpuart can accept baud rate upto uartclk / 4.
+
+Signed-off-by: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 839e65da4d3f7..f18551ea5ba51 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1426,7 +1426,7 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios,
+ }
+
+ /* ask the core to calculate the divisor */
+- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16);
++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 4);
+
+ spin_lock_irqsave(&sport->port.lock, flags);
+
+--
+2.19.1
+
netlink-trim-skb-to-alloc-size-to-avoid-msg_trunc.patch
libceph-handle-an-empty-authorize-reply.patch
scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch
+drm-msm-unblock-writer-if-reader-closes-file.patch
+asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch
+alsa-compress-prevent-potential-divide-by-zero-bugs.patch
+usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch
+usb-gadget-potential-null-dereference-on-allocation-.patch
+asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch
+mac80211-fix-miscounting-of-ttl-dropped-frames.patch
+serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch
+scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch
+net-altera_tse-fix-connect_local_phy-error-path.patch
+sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch
+ibmveth-do-not-process-frames-after-calling-napi_res.patch
+mac80211-don-t-initiate-tdls-connection-if-station-i.patch
+cfg80211-extend-range-deviation-for-dmg.patch
+kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch
--- /dev/null
+From bb89ece55cec6219da8c30ae560fe3789601aae9 Mon Sep 17 00:00:00 2001
+From: Edward Cree <ecree@solarflare.com>
+Date: Tue, 22 Jan 2019 19:02:17 +0000
+Subject: sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
+
+[ Upstream commit 3366463513f544c12c6b88c13da4462ee9e7a1a1 ]
+
+Use a bitmap to keep track of which partition types we've already seen;
+ for duplicates, return -EEXIST from efx_ef10_mtd_probe_partition() and
+ thus skip adding that partition.
+Duplicate partitions occur because of the A/B backup scheme used by newer
+ sfc NICs. Prior to this patch they cause sysfs_warn_dup errors because
+ they have the same name, causing us not to expose any MTDs at all.
+
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
+index 010009d640174..84a17b41313c9 100644
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -3407,22 +3407,25 @@ static const struct efx_ef10_nvram_type_info efx_ef10_nvram_types[] = {
+ { NVRAM_PARTITION_TYPE_LICENSE, 0, 0, "sfc_license" },
+ { NVRAM_PARTITION_TYPE_PHY_MIN, 0xff, 0, "sfc_phy_fw" },
+ };
++#define EF10_NVRAM_PARTITION_COUNT ARRAY_SIZE(efx_ef10_nvram_types)
+
+ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ struct efx_mcdi_mtd_partition *part,
+- unsigned int type)
++ unsigned int type,
++ unsigned long *found)
+ {
+ MCDI_DECLARE_BUF(inbuf, MC_CMD_NVRAM_METADATA_IN_LEN);
+ MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_METADATA_OUT_LENMAX);
+ const struct efx_ef10_nvram_type_info *info;
+ size_t size, erase_size, outlen;
++ int type_idx = 0;
+ bool protected;
+ int rc;
+
+- for (info = efx_ef10_nvram_types; ; info++) {
+- if (info ==
+- efx_ef10_nvram_types + ARRAY_SIZE(efx_ef10_nvram_types))
++ for (type_idx = 0; ; type_idx++) {
++ if (type_idx == EF10_NVRAM_PARTITION_COUNT)
+ return -ENODEV;
++ info = efx_ef10_nvram_types + type_idx;
+ if ((type & ~info->type_mask) == info->type)
+ break;
+ }
+@@ -3435,6 +3438,13 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ if (protected)
+ return -ENODEV; /* hide it */
+
++ /* If we've already exposed a partition of this type, hide this
++ * duplicate. All operations on MTDs are keyed by the type anyway,
++ * so we can't act on the duplicate.
++ */
++ if (__test_and_set_bit(type_idx, found))
++ return -EEXIST;
++
+ part->nvram_type = type;
+
+ MCDI_SET_DWORD(inbuf, NVRAM_METADATA_IN_TYPE, type);
+@@ -3463,6 +3473,7 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ static int efx_ef10_mtd_probe(struct efx_nic *efx)
+ {
+ MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_PARTITIONS_OUT_LENMAX);
++ DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT);
+ struct efx_mcdi_mtd_partition *parts;
+ size_t outlen, n_parts_total, i, n_parts;
+ unsigned int type;
+@@ -3491,11 +3502,13 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx)
+ for (i = 0; i < n_parts_total; i++) {
+ type = MCDI_ARRAY_DWORD(outbuf, NVRAM_PARTITIONS_OUT_TYPE_ID,
+ i);
+- rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type);
+- if (rc == 0)
+- n_parts++;
+- else if (rc != -ENODEV)
++ rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type,
++ found);
++ if (rc == -EEXIST || rc == -ENODEV)
++ continue;
++ if (rc)
+ goto fail;
++ n_parts++;
+ }
+
+ rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts));
+--
+2.19.1
+
--- /dev/null
+From 9899b69ac809a0867ec351af6279aebe2a2336a8 Mon Sep 17 00:00:00 2001
+From: Zeng Tao <prime.zeng@hisilicon.com>
+Date: Wed, 26 Dec 2018 19:22:00 +0800
+Subject: usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
+
+[ Upstream commit 88b1bb1f3b88e0bf20b05d543a53a5b99bd7ceb6 ]
+
+Currently the link_state is uninitialized and the default value is 0(U0)
+before the first time we start the udc, and after we start the udc then
+ stop the udc, the link_state will be undefined.
+We may have the following warnings if we start the udc again with
+an undefined link_state:
+
+WARNING: CPU: 0 PID: 327 at drivers/usb/dwc3/gadget.c:294 dwc3_send_gadget_ep_cmd+0x304/0x308
+dwc3 100e0000.hidwc3_0: wakeup failed --> -22
+[...]
+Call Trace:
+[<c010f270>] (unwind_backtrace) from [<c010b3d8>] (show_stack+0x10/0x14)
+[<c010b3d8>] (show_stack) from [<c034a4dc>] (dump_stack+0x84/0x98)
+[<c034a4dc>] (dump_stack) from [<c0118000>] (__warn+0xe8/0x100)
+[<c0118000>] (__warn) from [<c0118050>](warn_slowpath_fmt+0x38/0x48)
+[<c0118050>] (warn_slowpath_fmt) from [<c0442ec0>](dwc3_send_gadget_ep_cmd+0x304/0x308)
+[<c0442ec0>] (dwc3_send_gadget_ep_cmd) from [<c0445e68>](dwc3_ep0_start_trans+0x48/0xf4)
+[<c0445e68>] (dwc3_ep0_start_trans) from [<c0446750>](dwc3_ep0_out_start+0x64/0x80)
+[<c0446750>] (dwc3_ep0_out_start) from [<c04451c0>](__dwc3_gadget_start+0x1e0/0x278)
+[<c04451c0>] (__dwc3_gadget_start) from [<c04452e0>](dwc3_gadget_start+0x88/0x10c)
+[<c04452e0>] (dwc3_gadget_start) from [<c045ee54>](udc_bind_to_driver+0x88/0xbc)
+[<c045ee54>] (udc_bind_to_driver) from [<c045f29c>](usb_gadget_probe_driver+0xf8/0x140)
+[<c045f29c>] (usb_gadget_probe_driver) from [<bf005424>](gadget_dev_desc_UDC_store+0xac/0xc4 [libcomposite])
+[<bf005424>] (gadget_dev_desc_UDC_store [libcomposite]) from[<c023d8e0>] (configfs_write_file+0xd4/0x160)
+[<c023d8e0>] (configfs_write_file) from [<c01d51e8>] (__vfs_write+0x1c/0x114)
+[<c01d51e8>] (__vfs_write) from [<c01d5ff4>] (vfs_write+0xa4/0x168)
+[<c01d5ff4>] (vfs_write) from [<c01d6d40>] (SyS_write+0x3c/0x90)
+[<c01d6d40>] (SyS_write) from [<c0107400>] (ret_fast_syscall+0x0/0x3c)
+
+Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index a1ab837691911..8daf7145b3046 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1641,6 +1641,7 @@ static int dwc3_gadget_start(struct usb_gadget *g,
+
+ /* begin to receive SETUP packets */
+ dwc->ep0state = EP0_SETUP_PHASE;
++ dwc->link_state = DWC3_LINK_STATE_SS_DIS;
+ dwc3_ep0_out_start(dwc);
+
+ dwc3_gadget_enable_irq(dwc);
+--
+2.19.1
+
--- /dev/null
+From e996a99e8bf2dd2fb1811e3a3f46189f8039a92c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 21 Dec 2018 23:42:52 +0300
+Subject: usb: gadget: Potential NULL dereference on allocation error
+
+[ Upstream commit df28169e1538e4a8bcd8b779b043e5aa6524545c ]
+
+The source_sink_alloc_func() function is supposed to return error
+pointers on error. The function is called from usb_get_function() which
+doesn't check for NULL returns so it would result in an Oops.
+
+Of course, in the current kernel, small allocations always succeed so
+this doesn't affect runtime.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_sourcesink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c
+index 45b41d1cfd19d..ecfd9e71a0d50 100644
+--- a/drivers/usb/gadget/function/f_sourcesink.c
++++ b/drivers/usb/gadget/function/f_sourcesink.c
+@@ -1149,7 +1149,7 @@ static struct usb_function *source_sink_alloc_func(
+
+ ss = kzalloc(sizeof(*ss), GFP_KERNEL);
+ if (!ss)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ ss_opts = container_of(fi, struct f_ss_opts, func_inst);
+
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
