3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 Feb 2019 12:38:09 +0000 (13:38 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 Feb 2019 12:38:09 +0000 (13:38 +0100)
added patches:
alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch
dccp-fool-proof-ccid_hc_x_parse_options.patch
enic-fix-checksum-validation-for-ipv6.patch
fuse-call-pipe_buf_release-under-pipe-lock.patch
fuse-decrement-nr_writeback_temp-on-the-right-page.patch
fuse-handle-zero-sized-retrieve-correctly.patch
net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
net-systemport-fix-wol-with-password-after-deep-sleep.patch
skge-potential-memory-corruption-in-skge_get_regs.patch

queue-3.18/alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch [new file with mode: 0644]
queue-3.18/dccp-fool-proof-ccid_hc_x_parse_options.patch [new file with mode: 0644]
queue-3.18/enic-fix-checksum-validation-for-ipv6.patch [new file with mode: 0644]
queue-3.18/fuse-call-pipe_buf_release-under-pipe-lock.patch [new file with mode: 0644]
queue-3.18/fuse-decrement-nr_writeback_temp-on-the-right-page.patch [new file with mode: 0644]
queue-3.18/fuse-handle-zero-sized-retrieve-correctly.patch [new file with mode: 0644]
queue-3.18/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch [new file with mode: 0644]
queue-3.18/net-systemport-fix-wol-with-password-after-deep-sleep.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/skge-potential-memory-corruption-in-skge_get_regs.patch [new file with mode: 0644]

diff --git a/queue-3.18/alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch b/queue-3.18/alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch
new file mode 100644 (file)
index 0000000..f206cf3
--- /dev/null
@@ -0,0 +1,51 @@
+From 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Tue, 5 Feb 2019 16:29:40 +0000
+Subject: ALSA: compress: Fix stop handling on compressed capture streams
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream.
+
+It is normal user behaviour to start, stop, then start a stream
+again without closing it. Currently this works for compressed
+playback streams but not capture ones.
+
+The states on a compressed capture stream go directly from OPEN to
+PREPARED, unlike a playback stream which moves to SETUP and waits
+for a write of data before moving to PREPARED. Currently however,
+when a stop is sent the state is set to SETUP for both types of
+streams. This leaves a capture stream in the situation where a new
+start can't be sent as that requires the state to be PREPARED and
+a new set_params can't be sent as that requires the state to be
+OPEN. The only option being to close the stream, and then reopen.
+
+Correct this issues by allowing snd_compr_drain_notify to set the
+state depending on the stream direction, as we already do in
+set_params.
+
+Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/compress_driver.h |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/sound/compress_driver.h
++++ b/include/sound/compress_driver.h
+@@ -176,7 +176,11 @@ static inline void snd_compr_drain_notif
+       if (snd_BUG_ON(!stream))
+               return;
+-      stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++      if (stream->direction == SND_COMPRESS_PLAYBACK)
++              stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++      else
++              stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
++
+       wake_up(&stream->runtime->sleep);
+ }
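Review bot: The direction test added to snd_compr_drain_notify() carries no comment, and the reason a capture stream returns to PREPARED rather than SETUP is recorded only in the commit description. Suggest placing `/* capture streams go from OPEN straight to PREPARED, so SETUP would leave them unable to restart */` above the `if`. Note that `stream->runtime` and `stream->direction` are dereferenced after only `stream` itself has been checked; the patch does not change that, and the function starts outside the hunk.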
diff --git a/queue-3.18/dccp-fool-proof-ccid_hc_x_parse_options.patch b/queue-3.18/dccp-fool-proof-ccid_hc_x_parse_options.patch
new file mode 100644 (file)
index 0000000..8fe7064
--- /dev/null
@@ -0,0 +1,106 @@
+From foo@baz Sun Feb 10 13:12:02 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 30 Jan 2019 11:39:41 -0800
+Subject: dccp: fool proof ccid_hc_[rt]x_parse_options()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1 ]
+
+Similarly to commit 276bdb82dedb ("dccp: check ccid before dereferencing")
+it is wise to test for a NULL ccid.
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
+kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
+ dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
+ sk_backlog_rcv include/net/sock.h:936 [inline]
+ __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
+ dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
+ ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
+ ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
+ dst_input include/net/dst.h:450 [inline]
+ ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
+ __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
+ __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
+ process_backlog+0x206/0x750 net/core/dev.c:5923
+ napi_poll net/core/dev.c:6346 [inline]
+ net_rx_action+0x76d/0x1930 net/core/dev.c:6412
+ __do_softirq+0x30b/0xb11 kernel/softirq.c:292
+ run_ksoftirqd kernel/softirq.c:654 [inline]
+ run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+ smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+ kthread+0x357/0x430 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+Modules linked in:
+---[ end trace 58a0ba03bea2c376 ]---
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/ccid.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/dccp/ccid.h
++++ b/net/dccp/ccid.h
+@@ -202,7 +202,7 @@ static inline void ccid_hc_tx_packet_rec
+ static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
+                                          u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+-      if (ccid->ccid_ops->ccid_hc_tx_parse_options == NULL)
++      if (!ccid || !ccid->ccid_ops->ccid_hc_tx_parse_options)
+               return 0;
+       return ccid->ccid_ops->ccid_hc_tx_parse_options(sk, pkt, opt, val, len);
+ }
+@@ -214,7 +214,7 @@ static inline int ccid_hc_tx_parse_optio
+ static inline int ccid_hc_rx_parse_options(struct ccid *ccid, struct sock *sk,
+                                          u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+-      if (ccid->ccid_ops->ccid_hc_rx_parse_options == NULL)
++      if (!ccid || !ccid->ccid_ops->ccid_hc_rx_parse_options)
+               return 0;
+       return ccid->ccid_ops->ccid_hc_rx_parse_options(sk, pkt, opt, val, len);
+ }
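Review bot: The new `!ccid` guard in ccid_hc_tx_parse_options() and ccid_hc_rx_parse_options() makes both helpers return 0 when no CCID is attached, so a CCID-specific option received in that state is reported to the caller as handled rather than rejected. If that is the intended behaviour it should be stated above each check, for example `/* ccid can be NULL here (see the dccp_parse_options() oops); ignore the option */`. `ccid->ccid_ops` is still dereferenced without a check, which is only safe if a non-NULL ccid always carries an ops table; that cannot be confirmed from these hunks.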
diff --git a/queue-3.18/enic-fix-checksum-validation-for-ipv6.patch b/queue-3.18/enic-fix-checksum-validation-for-ipv6.patch
new file mode 100644 (file)
index 0000000..b9c7bb3
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun Feb 10 12:58:17 CET 2019
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Wed, 30 Jan 2019 06:59:00 -0800
+Subject: enic: fix checksum validation for IPv6
+
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+
+[ Upstream commit 7596175e99b3d4bce28022193efd954c201a782a ]
+
+In case of IPv6 pkts, ipv4_csum_ok is 0. Because of this, driver does
+not set skb->ip_summed. So IPv6 rx checksum is not offloaded.
+
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1065,7 +1065,7 @@ static void enic_rq_indicate_buf(struct
+                * CHECSUM_UNNECESSARY.
+                */
+               if ((netdev->features & NETIF_F_RXCSUM) && tcp_udp_csum_ok &&
+-                  ipv4_csum_ok)
++                  (ipv4_csum_ok || ipv6))
+                       skb->ip_summed = CHECKSUM_UNNECESSARY;
+               if (vlan_stripped)
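Review bot: With `(ipv4_csum_ok || ipv6)` an IPv6 frame is marked CHECKSUM_UNNECESSARY on `tcp_udp_csum_ok` alone, and nothing next to the condition says why that is sufficient. The comment that ends just above the condition is only partly visible; if it describes the IPv4 case only, extend it with something like `/* IPv6 has no header checksum, so ipv4_csum_ok is 0 there and only the L4 result applies */`. enic_rq_indicate_buf() starts and ends outside the hunk, so where `ipv6` is derived cannot be checked from here.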
diff --git a/queue-3.18/fuse-call-pipe_buf_release-under-pipe-lock.patch b/queue-3.18/fuse-call-pipe_buf_release-under-pipe-lock.patch
new file mode 100644 (file)
index 0000000..69d0d25
--- /dev/null
@@ -0,0 +1,43 @@
+From 9509941e9c534920ccc4771ae70bd6cbbe79df1c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 12 Jan 2019 02:39:05 +0100
+Subject: fuse: call pipe_buf_release() under pipe lock
+
+From: Jann Horn <jannh@google.com>
+
+commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.
+
+Some of the pipe_buf_release() handlers seem to assume that the pipe is
+locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
+without taking any extra locks. From a glance through the callers of
+pipe_buf_release(), it looks like FUSE is the only one that calls
+pipe_buf_release() without having the pipe locked.
+
+This bug should only lead to a memory leak, nothing terrible.
+
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1971,10 +1971,13 @@ static ssize_t fuse_dev_splice_write(str
+       ret = fuse_dev_do_write(fc, &cs, len);
++      pipe_lock(pipe);
+       for (idx = 0; idx < nbuf; idx++) {
+               struct pipe_buffer *buf = &bufs[idx];
+               buf->ops->release(pipe, buf);
+       }
++      pipe_unlock(pipe);
++
+ out:
+       kfree(bufs);
+       return ret;
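Review bot: The `pipe_lock()`/`pipe_unlock()` pair around the release loop has no comment, and the reason for it is not evident from the loop itself. A line such as `/* ->release() handlers (e.g. anon_pipe_buf_release()) touch pipe->tmp_page and expect the pipe lock to be held */` would keep a later cleanup from dropping the lock again. fuse_dev_splice_write() starts outside the hunk, so whether any earlier `goto out` path can skip the release loop after buffers have been taken from the pipe cannot be judged from these lines.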
diff --git a/queue-3.18/fuse-decrement-nr_writeback_temp-on-the-right-page.patch b/queue-3.18/fuse-decrement-nr_writeback_temp-on-the-right-page.patch
new file mode 100644 (file)
index 0000000..0355f45
--- /dev/null
@@ -0,0 +1,32 @@
+From a2ebba824106dabe79937a9f29a875f837e1b6d4 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 16 Jan 2019 10:27:59 +0100
+Subject: fuse: decrement NR_WRITEBACK_TEMP on the right page
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream.
+
+NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not
+the page cache page.
+
+Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites")
+Cc: <stable@vger.kernel.org> # v3.13
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1844,7 +1844,7 @@ static bool fuse_writepage_in_flight(str
+               spin_unlock(&fc->lock);
+               dec_bdi_stat(bdi, BDI_WRITEBACK);
+-              dec_zone_page_state(page, NR_WRITEBACK_TEMP);
++              dec_zone_page_state(new_req->pages[0], NR_WRITEBACK_TEMP);
+               bdi_writeout_inc(bdi);
+               fuse_writepage_free(fc, new_req);
+               fuse_request_free(new_req);
diff --git a/queue-3.18/fuse-handle-zero-sized-retrieve-correctly.patch b/queue-3.18/fuse-handle-zero-sized-retrieve-correctly.patch
new file mode 100644 (file)
index 0000000..e8bfa7e
--- /dev/null
@@ -0,0 +1,40 @@
+From 97e1532ef81acb31c30f9e75bf00306c33a77812 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 16 Jan 2019 10:27:59 +0100
+Subject: fuse: handle zero sized retrieve correctly
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 97e1532ef81acb31c30f9e75bf00306c33a77812 upstream.
+
+Dereferencing req->page_descs[0] will Oops if req->max_pages is zero.
+
+Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
+Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
+Fixes: b2430d7567a3 ("fuse: add per-page descriptor <offset, length> to fuse_req")
+Cc: <stable@vger.kernel.org> # v3.9
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1645,7 +1645,6 @@ static int fuse_retrieve(struct fuse_con
+       req->in.h.nodeid = outarg->nodeid;
+       req->in.numargs = 2;
+       req->in.argpages = 1;
+-      req->page_descs[0].offset = offset;
+       req->end = fuse_retrieve_end;
+       index = outarg->offset >> PAGE_CACHE_SHIFT;
+@@ -1660,6 +1659,7 @@ static int fuse_retrieve(struct fuse_con
+               this_num = min_t(unsigned, num, PAGE_CACHE_SIZE - offset);
+               req->pages[req->num_pages] = page;
++              req->page_descs[req->num_pages].offset = offset;
+               req->page_descs[req->num_pages].length = this_num;
+               req->num_pages++;
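Review bot: Setting `req->page_descs[req->num_pages].offset = offset` on every iteration is only correct if `offset` is reset to 0 after the first page, and that reset is not visible in the hunk, which ends at `req->num_pages++`. Since this is a backport, it is worth confirming that the 3.18 loop body still does so; otherwise every page after the first would carry the initial in-page offset. A short comment on the new line, e.g. `/* only the first page has a non-zero offset */`, would record that dependency.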
diff --git a/queue-3.18/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch b/queue-3.18/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
new file mode 100644 (file)
index 0000000..a863fa3
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Sun Feb 10 12:47:17 CET 2019
+From: Rundong Ge <rdong.ge@gmail.com>
+Date: Sat, 2 Feb 2019 14:29:35 +0000
+Subject: net: dsa: slave: Don't propagate flag changes on down slave interfaces
+
+From: Rundong Ge <rdong.ge@gmail.com>
+
+[ Upstream commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 ]
+
+The unbalance of master's promiscuity or allmulti will happen after ifdown
+and ifup a slave interface which is in a bridge.
+
+When we ifdown a slave interface , both the 'dsa_slave_close' and
+'dsa_slave_change_rx_flags' will clear the master's flags. The flags
+of master will be decrease twice.
+In the other hand, if we ifup the slave interface again, since the
+slave's flags were cleared the 'dsa_slave_open' won't set the master's
+flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
+will set the master's flags. The flags of master is increase once.
+
+Only propagating flag changes when a slave interface is up makes
+sure this does not happen. The 'vlan_dev_change_rx_flags' had the
+same problem and was fixed, and changes here follows that fix.
+
+Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
+Signed-off-by: Rundong Ge <rdong.ge@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/slave.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -140,10 +140,14 @@ static void dsa_slave_change_rx_flags(st
+       struct dsa_slave_priv *p = netdev_priv(dev);
+       struct net_device *master = p->parent->dst->master_netdev;
+-      if (change & IFF_ALLMULTI)
+-              dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
+-      if (change & IFF_PROMISC)
+-              dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
++      if (dev->flags & IFF_UP) {
++              if (change & IFF_ALLMULTI)
++                      dev_set_allmulti(master,
++                                       dev->flags & IFF_ALLMULTI ? 1 : -1);
++              if (change & IFF_PROMISC)
++                      dev_set_promiscuity(master,
++                                          dev->flags & IFF_PROMISC ? 1 : -1);
++      }
+ }
+ static void dsa_slave_set_rx_mode(struct net_device *dev)
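Review bot: Wrapping both propagation calls in `if (dev->flags & IFF_UP) { ... }` adds a nesting level and forces each call to be split across two lines; a guard clause `if (!(dev->flags & IFF_UP)) return;` placed before the two original `if (change & ...)` statements would leave them untouched and keep the backport smaller. Either form deserves a comment, e.g. `/* while the slave is down the master's allmulti/promiscuity counts must not be adjusted here, or they become unbalanced */`, because the reasoning about dsa_slave_open() and dsa_slave_close() exists only in the description. The function's signature lies outside the hunk.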
diff --git a/queue-3.18/net-systemport-fix-wol-with-password-after-deep-sleep.patch b/queue-3.18/net-systemport-fix-wol-with-password-after-deep-sleep.patch
new file mode 100644 (file)
index 0000000..7abcdb3
--- /dev/null
@@ -0,0 +1,104 @@
+From foo@baz Sun Feb 10 12:47:17 CET 2019
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 1 Feb 2019 13:23:38 -0800
+Subject: net: systemport: Fix WoL with password after deep sleep
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e ]
+
+Broadcom STB chips support a deep sleep mode where all register
+contents are lost. Because we were stashing the MagicPacket password
+into some of these registers a suspend into that deep sleep then a
+resumption would not lead to being able to wake-up from MagicPacket with
+password again.
+
+Fix this by keeping a software copy of the password and program it
+during suspend.
+
+Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c |   25 ++++++++++---------------
+ drivers/net/ethernet/broadcom/bcmsysport.h |    2 ++
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -397,7 +397,6 @@ static void bcm_sysport_get_wol(struct n
+                               struct ethtool_wolinfo *wol)
+ {
+       struct bcm_sysport_priv *priv = netdev_priv(dev);
+-      u32 reg;
+       wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE;
+       wol->wolopts = priv->wolopts;
+@@ -405,11 +404,7 @@ static void bcm_sysport_get_wol(struct n
+       if (!(priv->wolopts & WAKE_MAGICSECURE))
+               return;
+-      /* Return the programmed SecureOn password */
+-      reg = umac_readl(priv, UMAC_PSW_MS);
+-      put_unaligned_be16(reg, &wol->sopass[0]);
+-      reg = umac_readl(priv, UMAC_PSW_LS);
+-      put_unaligned_be32(reg, &wol->sopass[2]);
++      memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass));
+ }
+ static int bcm_sysport_set_wol(struct net_device *dev,
+@@ -425,13 +420,8 @@ static int bcm_sysport_set_wol(struct ne
+       if (wol->wolopts & ~supported)
+               return -EINVAL;
+-      /* Program the SecureOn password */
+-      if (wol->wolopts & WAKE_MAGICSECURE) {
+-              umac_writel(priv, get_unaligned_be16(&wol->sopass[0]),
+-                          UMAC_PSW_MS);
+-              umac_writel(priv, get_unaligned_be32(&wol->sopass[2]),
+-                          UMAC_PSW_LS);
+-      }
++      if (wol->wolopts & WAKE_MAGICSECURE)
++              memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass));
+       /* Flag the device and relevant IRQ as wakeup capable */
+       if (wol->wolopts) {
+@@ -1760,12 +1750,17 @@ static int bcm_sysport_suspend_to_wol(st
+       unsigned int timeout = 1000;
+       u32 reg;
+-      /* Password has already been programmed */
+       reg = umac_readl(priv, UMAC_MPD_CTRL);
+       reg |= MPD_EN;
+       reg &= ~PSW_EN;
+-      if (priv->wolopts & WAKE_MAGICSECURE)
++      if (priv->wolopts & WAKE_MAGICSECURE) {
++              /* Program the SecureOn password */
++              umac_writel(priv, get_unaligned_be16(&priv->sopass[0]),
++                          UMAC_PSW_MS);
++              umac_writel(priv, get_unaligned_be32(&priv->sopass[2]),
++                          UMAC_PSW_LS);
+               reg |= PSW_EN;
++      }
+       umac_writel(priv, reg, UMAC_MPD_CTRL);
+       /* Make sure RBUF entered WoL mode as result */
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -11,6 +11,7 @@
+ #ifndef __BCM_SYSPORT_H
+ #define __BCM_SYSPORT_H
++#include <linux/ethtool.h>
+ #include <linux/if_vlan.h>
+ /* Receive/transmit descriptor format */
+@@ -679,6 +680,7 @@ struct bcm_sysport_priv {
+       unsigned int            crc_fwd:1;
+       u16                     rev;
+       u32                     wolopts;
++      u8                      sopass[SOPASS_MAX];
+       unsigned int            wol_irq_disabled:1;
+       /* MIB related fields */
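Review bot: In bcm_sysport_set_wol() the SecureOn password is copied into `priv->sopass` when WAKE_MAGICSECURE is requested, but nothing clears it when a later call drops that option, so the old password remains in the driver's private data. bcm_sysport_get_wol() returns early without WAKE_MAGICSECURE, so the stale value is not handed back through ethtool, but clearing it would avoid keeping a secret longer than needed: `else memset(priv->sopass, 0, sizeof(priv->sopass));`. The suspend path reads six bytes from `priv->sopass` via `get_unaligned_be16()` and `get_unaligned_be32()`, which relies on SOPASS_MAX being at least 6; a one-line comment on the new struct field would record that. Both functions extend beyond the hunks shown.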
index 014270ba3929e88632e4675981d8721e46be689b..f446e9fa1967986024ac97af517dea1cbf268bbb 100644 (file)
@@ -58,3 +58,12 @@ kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch
 fs-epoll-drop-ovflist-branch-prediction.patch
 exec-load_script-don-t-blindly-truncate-shebang-stri.patch
 thermal-hwmon-inline-helpers-when-config_thermal_hwmon-is-not-set.patch
+dccp-fool-proof-ccid_hc_x_parse_options.patch
+skge-potential-memory-corruption-in-skge_get_regs.patch
+net-systemport-fix-wol-with-password-after-deep-sleep.patch
+net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
+enic-fix-checksum-validation-for-ipv6.patch
+alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch
+fuse-call-pipe_buf_release-under-pipe-lock.patch
+fuse-decrement-nr_writeback_temp-on-the-right-page.patch
+fuse-handle-zero-sized-retrieve-correctly.patch
diff --git a/queue-3.18/skge-potential-memory-corruption-in-skge_get_regs.patch b/queue-3.18/skge-potential-memory-corruption-in-skge_get_regs.patch
new file mode 100644 (file)
index 0000000..8344507
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sun Feb 10 13:12:02 CET 2019
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 1 Feb 2019 11:28:16 +0300
+Subject: skge: potential memory corruption in skge_get_regs()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]
+
+The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
+of "regs->len" is in the 1-0x4000 range.  The bug here is that
+"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
+memory corruption and an abrupt crash.
+
+Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/skge.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev
+       memset(p, 0, regs->len);
+       memcpy_fromio(p, io, B3_RAM_ADDR);
+-      memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
+-                    regs->len - B3_RI_WTO_R1);
++      if (regs->len > B3_RI_WTO_R1) {
++              memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
++                            regs->len - B3_RI_WTO_R1);
++      }
+ }
+ /* Wake on Lan only supported on Yukon chips with rev 1 or above */
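Review bot: The new `regs->len > B3_RI_WTO_R1` test guards only the second copy; `memcpy_fromio(p, io, B3_RAM_ADDR)` just above it still runs with a fixed length whatever `regs->len` is. According to the description `p` is 0x4000 bytes long, so this stays inside the buffer provided B3_RAM_ADDR is below that, but when the caller asked for less it writes beyond the `regs->len` bytes the preceding memset cleared. A comment recording the assumption, e.g. `/* p is always the full dump buffer; regs->len may be smaller */`, would show the asymmetry is deliberate. skge_get_regs() starts outside the hunk, so the size of `p` is taken from the description rather than from visible code.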