--- /dev/null
+From ca588385fc7d81bba28019063dda628394eb06f9 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Tue, 5 Feb 2019 10:07:07 -0800
+Subject: ARC: uacces: remove lp_start, lp_end from clobber list
+
+[ Upstream commit d5e3c55e01d8b1774b37b4647c30fb22f1d39077 ]
+
+Newer ARC gcc handles lp_start, lp_end in a different way and doesn't
+like them in the clobber list.
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/uaccess.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
+index 57387b567f34..f077a419cb51 100644
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -209,7 +209,7 @@ __arc_copy_from_user(void *to, const void __user *from, unsigned long n)
+ */
+ "=&r" (tmp), "+r" (to), "+r" (from)
+ :
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return n;
+ }
+@@ -438,7 +438,7 @@ __arc_copy_to_user(void __user *to, const void *from, unsigned long n)
+ */
+ "=&r" (tmp), "+r" (to), "+r" (from)
+ :
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return n;
+ }
+@@ -658,7 +658,7 @@ static inline unsigned long __arc_clear_user(void __user *to, unsigned long n)
+ " .previous \n"
+ : "+r"(d_char), "+r"(res)
+ : "i"(0)
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return res;
+ }
+@@ -691,7 +691,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count)
+ " .previous \n"
+ : "+r"(res), "+r"(dst), "+r"(src), "=r"(val)
+ : "g"(-EFAULT), "r"(count)
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return res;
+ }
+--
+2.19.1
+
--- /dev/null
+From d7048a0e10c9008b00d8afd0c80b9b5c3d84db7a Mon Sep 17 00:00:00 2001
+From: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Date: Mon, 21 Jan 2019 14:42:42 +0100
+Subject: ARM: 8824/1: fix a migrating irq bug when hotplug cpu
+
+[ Upstream commit 1b5ba350784242eb1f899bcffd95d2c7cff61e84 ]
+
+Arm TC2 fails cpu hotplug stress test.
+
+This issue was tracked down to a missing copy of the new affinity
+cpumask for the vexpress-spc interrupt into struct
+irq_common_data.affinity when the interrupt is migrated in
+migrate_one_irq().
+
+Fix it by replacing the arm specific hotplug cpu migration with the
+generic irq code.
+
+This is the counterpart implementation to commit 217d453d473c ("arm64:
+fix a migrating irq bug when hotplug cpu").
+
+Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus
+CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y).
+The vexpress-spc interrupt (irq=22) on this board is affine to CPU0.
+Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when
+CPU0 is hotplugged out.
+
+Suggested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/irq.h | 1 -
+ arch/arm/kernel/irq.c | 62 --------------------------------------
+ arch/arm/kernel/smp.c | 2 +-
+ 4 files changed, 2 insertions(+), 64 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 34e1569a11ee..3a0277c6c060 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1475,6 +1475,7 @@ config NR_CPUS
+ config HOTPLUG_CPU
+ bool "Support for hot-pluggable CPUs"
+ depends on SMP
++ select GENERIC_IRQ_MIGRATION
+ help
+ Say Y here to experiment with turning CPUs off and on. CPUs
+ can be controlled through /sys/devices/system/cpu.
+diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h
+index 1bd9510de1b9..cae4df39f02e 100644
+--- a/arch/arm/include/asm/irq.h
++++ b/arch/arm/include/asm/irq.h
+@@ -24,7 +24,6 @@
+ #ifndef __ASSEMBLY__
+ struct irqaction;
+ struct pt_regs;
+-extern void migrate_irqs(void);
+
+ extern void asm_do_IRQ(unsigned int, struct pt_regs *);
+ void handle_IRQ(unsigned int, struct pt_regs *);
+diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c
+index 1d45320ee125..900c591913d5 100644
+--- a/arch/arm/kernel/irq.c
++++ b/arch/arm/kernel/irq.c
+@@ -31,7 +31,6 @@
+ #include <linux/smp.h>
+ #include <linux/init.h>
+ #include <linux/seq_file.h>
+-#include <linux/ratelimit.h>
+ #include <linux/errno.h>
+ #include <linux/list.h>
+ #include <linux/kallsyms.h>
+@@ -119,64 +118,3 @@ int __init arch_probe_nr_irqs(void)
+ return nr_irqs;
+ }
+ #endif
+-
+-#ifdef CONFIG_HOTPLUG_CPU
+-static bool migrate_one_irq(struct irq_desc *desc)
+-{
+- struct irq_data *d = irq_desc_get_irq_data(desc);
+- const struct cpumask *affinity = irq_data_get_affinity_mask(d);
+- struct irq_chip *c;
+- bool ret = false;
+-
+- /*
+- * If this is a per-CPU interrupt, or the affinity does not
+- * include this CPU, then we have nothing to do.
+- */
+- if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity))
+- return false;
+-
+- if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) {
+- affinity = cpu_online_mask;
+- ret = true;
+- }
+-
+- c = irq_data_get_irq_chip(d);
+- if (!c->irq_set_affinity)
+- pr_debug("IRQ%u: unable to set affinity\n", d->irq);
+- else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret)
+- cpumask_copy(irq_data_get_affinity_mask(d), affinity);
+-
+- return ret;
+-}
+-
+-/*
+- * The current CPU has been marked offline. Migrate IRQs off this CPU.
+- * If the affinity settings do not allow other CPUs, force them onto any
+- * available CPU.
+- *
+- * Note: we must iterate over all IRQs, whether they have an attached
+- * action structure or not, as we need to get chained interrupts too.
+- */
+-void migrate_irqs(void)
+-{
+- unsigned int i;
+- struct irq_desc *desc;
+- unsigned long flags;
+-
+- local_irq_save(flags);
+-
+- for_each_irq_desc(i, desc) {
+- bool affinity_broken;
+-
+- raw_spin_lock(&desc->lock);
+- affinity_broken = migrate_one_irq(desc);
+- raw_spin_unlock(&desc->lock);
+-
+- if (affinity_broken)
+- pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n",
+- i, smp_processor_id());
+- }
+-
+- local_irq_restore(flags);
+-}
+-#endif /* CONFIG_HOTPLUG_CPU */
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index e42be5800f37..08ce9e36dc5a 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -218,7 +218,7 @@ int __cpu_disable(void)
+ /*
+ * OK - migrate IRQs away from this CPU
+ */
+- migrate_irqs();
++ irq_migrate_all_off_this_cpu();
+
+ /*
+ * Flush user cache and TLB mappings, and then remove this CPU
+--
+2.19.1
+
--- /dev/null
+From 0a41df032cd31a063296ba9410691e79582d5edb Mon Sep 17 00:00:00 2001
+From: Yizhuo <yzhai003@ucr.edu>
+Date: Fri, 25 Jan 2019 22:32:20 -0800
+Subject: ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be
+ uninitialized
+
+[ Upstream commit dc30e70391376ba3987aeb856ae6d9c0706534f1 ]
+
+In function omap4_dsi_mux_pads(), local variable "reg" could
+be uninitialized if function regmap_read() returns -EINVAL.
+However, it will be used directly in the later context, which
+is potentially unsafe.
+
+Signed-off-by: Yizhuo <yzhai003@ucr.edu>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c
+index 6ab13d18c636..cde86d1199cf 100644
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -115,6 +115,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ u32 enable_mask, enable_shift;
+ u32 pipd_mask, pipd_shift;
+ u32 reg;
++ int ret;
+
+ if (dsi_id == 0) {
+ enable_mask = OMAP4_DSI1_LANEENABLE_MASK;
+@@ -130,7 +131,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ return -ENODEV;
+ }
+
+- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, ®);
++ ret = regmap_read(omap4_dsi_mux_syscon,
++ OMAP4_DSIPHY_SYSCON_OFFSET,
++ ®);
++ if (ret)
++ return ret;
+
+ reg &= ~enable_mask;
+ reg &= ~pipd_mask;
+--
+2.19.1
+
--- /dev/null
+From 87b41f26545fd2c63ac68ba9d6e301b468b34d4a Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+Date: Wed, 20 Feb 2019 11:43:05 +0000
+Subject: arm64: Relax GIC version check during early boot
+
+[ Upstream commit 74698f6971f25d045301139413578865fc2bd8f9 ]
+
+Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have
+values other than 0 or 1. At the moment, Linux is quite strict in the
+way it handles this field at early boot stage (cpufeature is fine) and
+will refuse to use the system register CPU interface if it doesn't
+find the value 1.
+
+Fixes: 021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3")
+Reported-by: Chase Conklin <Chase.Conklin@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/head.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 0382eba4bf7b..6299a8a361ee 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -478,8 +478,7 @@ CPU_LE( bic x0, x0, #(3 << 24) ) // Clear the EE and E0E bits for EL1
+ /* GICv3 system register access */
+ mrs x0, id_aa64pfr0_el1
+ ubfx x0, x0, #24, #4
+- cmp x0, #1
+- b.ne 3f
++ cbz x0, 3f
+
+ mrs_s x0, ICC_SRE_EL2
+ orr x0, x0, #ICC_SRE_EL2_SRE // Set ICC_SRE_EL2.SRE==1
+--
+2.19.1
+
--- /dev/null
+From ebd7162e559a662494ffa409c323ccb4c0d1314e Mon Sep 17 00:00:00 2001
+From: Bard liao <yung-chuan.liao@linux.intel.com>
+Date: Sun, 17 Feb 2019 21:23:47 +0800
+Subject: ASoC: topology: free created components in tplg load error
+
+[ Upstream commit 304017d31df36fb61eb2ed3ebf65fb6870b3c731 ]
+
+Topology resources are no longer needed if any element failed to load.
+
+Signed-off-by: Bard liao <yung-chuan.liao@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index c1e76feb3529..824f4d7fc41f 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1770,6 +1770,7 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+ struct snd_soc_tplg_ops *ops, const struct firmware *fw, u32 id)
+ {
+ struct soc_tplg tplg;
++ int ret;
+
+ /* setup parsing context */
+ memset(&tplg, 0, sizeof(tplg));
+@@ -1783,7 +1784,12 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+ tplg.bytes_ext_ops = ops->bytes_ext_ops;
+ tplg.bytes_ext_ops_count = ops->bytes_ext_ops_count;
+
+- return soc_tplg_load(&tplg);
++ ret = soc_tplg_load(&tplg);
++ /* free the created components if fail to load topology */
++ if (ret)
++ snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL);
++
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load);
+
+--
+2.19.1
+
--- /dev/null
+From c5fe03ac40ae7f2d86ce613f3d7e24569ec60f01 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 14 Feb 2019 16:20:15 +0000
+Subject: assoc_array: Fix shortcut creation
+
+[ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ]
+
+Fix the creation of shortcuts for which the length of the index key value
+is an exact multiple of the machine word size. The problem is that the
+code that blanks off the unused bits of the shortcut value malfunctions if
+the number of bits in the last word equals machine word size. This is due
+to the "<<" operator being given a shift of zero in this case, and so the
+mask that should be all zeros is all ones instead. This causes the
+subsequent masking operation to clear everything rather than clearing
+nothing.
+
+Ordinarily, the presence of the hash at the beginning of the tree index key
+makes the issue very hard to test for, but in this case, it was encountered
+due to a development mistake that caused the hash output to be either 0
+(keyring) or 1 (non-keyring) only. This made it susceptible to the
+keyctl/unlink/valid test in the keyutils package.
+
+The fix is simply to skip the blanking if the shift would be 0. For
+example, an index key that is 64 bits long would produce a 0 shift and thus
+a 'blank' of all 1s. This would then be inverted and AND'd onto the
+index_key, incorrectly clearing the entire last word.
+
+Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/assoc_array.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/assoc_array.c b/lib/assoc_array.c
+index 5cd093589c5a..3b46c5433b7a 100644
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -781,9 +781,11 @@ all_leaves_cluster_together:
+ new_s0->index_key[i] =
+ ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE);
+
+- blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
+- pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
+- new_s0->index_key[keylen - 1] &= ~blank;
++ if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) {
++ blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
++ pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
++ new_s0->index_key[keylen - 1] &= ~blank;
++ }
+
+ /* This now reduces to a node splitting exercise for which we'll need
+ * to regenerate the disparity table.
+--
+2.19.1
+
--- /dev/null
+From d025d0a84ddd4e8c06478fa42649e1fb6c5a9ca6 Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 16 Oct 2018 17:31:40 -0700
+Subject: gpu: ipu-v3: Fix CSI offsets for imx53
+
+[ Upstream commit bb867d219fda7fbaabea3314702474c4eac2b91d ]
+
+The CSI offsets are wrong for both CSI0 and CSI1. They are at
+physical address 0x1e030000 and 0x1e038000 respectively.
+
+Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index 0c51b1dde494..df295a0ce87d 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -762,8 +762,8 @@ static struct ipu_devtype ipu_type_imx53 = {
+ .cpmem_ofs = 0x07000000,
+ .srm_ofs = 0x07040000,
+ .tpm_ofs = 0x07060000,
+- .csi0_ofs = 0x07030000,
+- .csi1_ofs = 0x07038000,
++ .csi0_ofs = 0x06030000,
++ .csi1_ofs = 0x06038000,
+ .ic_ofs = 0x06020000,
+ .disp0_ofs = 0x06040000,
+ .disp1_ofs = 0x06048000,
+--
+2.19.1
+
--- /dev/null
+From ec8cbcc9464600ef1176bb757f3aa63b31fe4973 Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <shc_work@mail.ru>
+Date: Thu, 20 Dec 2018 11:06:38 +0300
+Subject: gpu: ipu-v3: Fix i.MX51 CSI control registers offset
+
+[ Upstream commit 2c0408dd0d8906b26fe8023889af7adf5e68b2c2 ]
+
+The CSI0/CSI1 registers offset is at +0xe030000/+0xe038000 relative
+to the control module registers on IPUv3EX.
+This patch fixes wrong values for i.MX51 CSI0/CSI1.
+
+Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
+
+Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index 5030cba4a581..0c51b1dde494 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -746,8 +746,8 @@ static struct ipu_devtype ipu_type_imx51 = {
+ .cpmem_ofs = 0x1f000000,
+ .srm_ofs = 0x1f040000,
+ .tpm_ofs = 0x1f060000,
+- .csi0_ofs = 0x1f030000,
+- .csi1_ofs = 0x1f038000,
++ .csi0_ofs = 0x1e030000,
++ .csi1_ofs = 0x1e038000,
+ .ic_ofs = 0x1e020000,
+ .disp0_ofs = 0x1e040000,
+ .disp1_ofs = 0x1e048000,
+--
+2.19.1
+
--- /dev/null
+From d74f1b3a27e8f1d8748f2859018e3817e844fa81 Mon Sep 17 00:00:00 2001
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Date: Tue, 5 Feb 2019 16:42:53 +0530
+Subject: i2c: cadence: Fix the hold bit setting
+
+[ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ]
+
+In case the hold bit is not needed we are carrying the old values.
+Fix the same by resetting the bit when not needed.
+
+Fixes the sporadic i2c bus lockups on National Instruments
+Zynq-based devices.
+
+Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller")
+Reported-by: Kyle Roeschley <kyle.roeschley@ni.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Tested-by: Kyle Roeschley <kyle.roeschley@ni.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index 84deed6571bd..6d32e6da3110 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -378,8 +378,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id)
+ * Check for the message size against FIFO depth and set the
+ * 'hold bus' bit if it is greater than FIFO depth.
+ */
+- if (id->recv_count > CDNS_I2C_FIFO_DEPTH)
++ if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
+ ctrl_reg |= CDNS_I2C_CR_HOLD;
++ else
++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+
+ cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+
+@@ -436,8 +438,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id)
+ * Check for the message size against FIFO depth and set the
+ * 'hold bus' bit if it is greater than FIFO depth.
+ */
+- if (id->send_count > CDNS_I2C_FIFO_DEPTH)
++ if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
+ ctrl_reg |= CDNS_I2C_CR_HOLD;
++ else
++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
++
+ cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+
+ /* Clear the interrupts in interrupt status register. */
+--
+2.19.1
+
--- /dev/null
+From 75091cc1bd3cfe60a5425ad09bbd1afad46612f5 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 7 Feb 2019 14:39:40 -0800
+Subject: Input: matrix_keypad - use flush_delayed_work()
+
+[ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ]
+
+We should be using flush_delayed_work() instead of flush_work() in
+matrix_keypad_stop() to ensure that we are not missing work that is
+scheduled but not yet put in the workqueue (i.e. its delay timer has not
+expired yet).
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/matrix_keypad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c
+index c64d87442a62..2e12e31f45c5 100644
+--- a/drivers/input/keyboard/matrix_keypad.c
++++ b/drivers/input/keyboard/matrix_keypad.c
+@@ -220,7 +220,7 @@ static void matrix_keypad_stop(struct input_dev *dev)
+ keypad->stopped = true;
+ spin_unlock_irq(&keypad->lock);
+
+- flush_work(&keypad->work.work);
++ flush_delayed_work(&keypad->work);
+ /*
+ * matrix_keypad_scan() will leave IRQs enabled;
+ * we should disable them now.
+--
+2.19.1
+
--- /dev/null
+From 06a893586c3742dd70ad259c994ecab8969d39e5 Mon Sep 17 00:00:00 2001
+From: Gabriel Fernandez <gabriel.fernandez@st.com>
+Date: Sat, 16 Feb 2019 21:10:16 -0800
+Subject: Input: st-keyscan - fix potential zalloc NULL dereference
+
+[ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ]
+
+This patch fixes the following static checker warning:
+
+drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
+error: potential zalloc NULL dereference: 'keypad_data->input_dev'
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Gabriel Fernandez <gabriel.fernandez@st.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/st-keyscan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c
+index de7be4f03d91..ebf9f643d910 100644
+--- a/drivers/input/keyboard/st-keyscan.c
++++ b/drivers/input/keyboard/st-keyscan.c
+@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev)
+
+ input_dev->id.bustype = BUS_HOST;
+
++ keypad_data->input_dev = input_dev;
++
+ error = keypad_matrix_key_parse_dt(keypad_data);
+ if (error)
+ return error;
+@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev)
+
+ input_set_drvdata(input_dev, keypad_data);
+
+- keypad_data->input_dev = input_dev;
+-
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ keypad_data->base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(keypad_data->base))
+--
+2.19.1
+
--- /dev/null
+From fd47047cdc4d3ec4a8baad7a2833c4b78e429f66 Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Tue, 19 Feb 2019 13:12:40 +0800
+Subject: mac80211_hwsim: propagate genlmsg_reply return code
+
+[ Upstream commit 17407715240456448e4989bee46ffc93991add83 ]
+
+genlmsg_reply can fail, so propagate its return code
+
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 0d1abcfec003..0f582117b0e3 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3002,7 +3002,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
+ goto out_err;
+ }
+
+- genlmsg_reply(skb, info);
++ res = genlmsg_reply(skb, info);
+ break;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 511c96a278c67054621e55aa6ca74fbb701cf41f Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 21 Feb 2019 22:42:01 +0800
+Subject: mdio_bus: Fix use-after-free on device_register fails
+
+[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ]
+
+KASAN has found use-after-free in fixed_mdio_bus_init,
+commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
+put_device on device_register() failure") call put_device()
+while device_register() fails,give up the last reference
+to the device and allow mdiobus_release to be executed
+,kfreeing the bus. However in most drives, mdiobus_free
+be called to free the bus while mdiobus_register fails.
+use-after-free occurs when access bus again, this patch
+revert it to let mdiobus_free free the bus.
+
+KASAN report details as below:
+
+BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
+Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524
+
+CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
+ fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
+ ? 0xffffffffc0e40000
+ ? 0xffffffffc0e40000
+ ? 0xffffffffc0e40000
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+Allocated by task 3524:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
+ fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 3524:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook mm/slub.c:1436 [inline]
+ slab_free mm/slub.c:2986 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3938
+ device_release+0x78/0x200 drivers/base/core.c:919
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ put_device+0x1c/0x30 drivers/base/core.c:2060
+ __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
+ fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881dc824c80
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 248 bytes inside of
+ 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
+The buggy address belongs to the page:
+page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
+flags: 0x2fffc0000010200(slab|head)
+raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
+raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 88cb4592b6fb..ccefba7af960 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -267,7 +267,6 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
+- put_device(&bus->dev);
+ return -EINVAL;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 82b2ab4c056b865279b143316fba3150c1040b04 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 16 Feb 2019 00:20:54 +0300
+Subject: net: mv643xx_eth: disable clk on error path in
+ mv643xx_eth_shared_probe()
+
+[ Upstream commit e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ]
+
+If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe()
+leaves clk enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 4182290fdbcf..82f080a5ed5c 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2884,7 +2884,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+
+ ret = mv643xx_eth_shared_of_probe(pdev);
+ if (ret)
+- return ret;
++ goto err_put_clk;
+ pd = dev_get_platdata(&pdev->dev);
+
+ msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ?
+@@ -2892,6 +2892,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+ infer_hw_params(msp);
+
+ return 0;
++
++err_put_clk:
++ if (!IS_ERR(msp->clk))
++ clk_disable_unprepare(msp->clk);
++ return ret;
+ }
+
+ static int mv643xx_eth_shared_remove(struct platform_device *pdev)
+--
+2.19.1
+
--- /dev/null
+From 94d49368c98fd106010d4159ef1b60cedcc5a68c Mon Sep 17 00:00:00 2001
+From: Mao Wenan <maowenan@huawei.com>
+Date: Fri, 22 Feb 2019 14:57:23 +0800
+Subject: net: set static variable an initial value in atl2_probe()
+
+[ Upstream commit 4593403fa516a5a4cffe6883c5062d60932cbfbe ]
+
+cards_found is a static variable, but when it enters atl2_probe(),
+cards_found is set to zero, the value is not consistent with last probe,
+so next behavior is not our expect.
+
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atlx/atl2.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
+index 2ff465848b65..097a0bf592ab 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl2.c
++++ b/drivers/net/ethernet/atheros/atlx/atl2.c
+@@ -1338,13 +1338,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+ struct net_device *netdev;
+ struct atl2_adapter *adapter;
+- static int cards_found;
++ static int cards_found = 0;
+ unsigned long mmio_start;
+ int mmio_len;
+ int err;
+
+- cards_found = 0;
+-
+ err = pci_enable_device(pdev);
+ if (err)
+ return err;
+--
+2.19.1
+
--- /dev/null
+From 663878cede037eaf6705741e81e671c833dbbf12 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 15 Feb 2019 12:16:51 -0800
+Subject: net: systemport: Fix reception of BPDUs
+
+[ Upstream commit a40061ea2e39494104602b3048751341bda374a1 ]
+
+SYSTEMPORT has its RXCHK parser block that attempts to validate the
+packet structures, unfortunately setting the L2 header check bit will
+cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look
+like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type.
+
+Fixes: 4e8aedfe78c7 ("net: systemport: Turn on offloads by default")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index 143b9a384af8..53b3c1a5851c 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -126,6 +126,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev,
+
+ priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM);
+ reg = rxchk_readl(priv, RXCHK_CONTROL);
++ /* Clear L2 header checks, which would prevent BPDUs
++ * from being received.
++ */
++ reg &= ~RXCHK_L2_HDR_DIS;
+ if (priv->rx_chk_en)
+ reg |= RXCHK_EN;
+ else
+--
+2.19.1
+
--- /dev/null
+From 9b35c44b07e7072fe34133e31f77cc47187876d2 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 22:53:50 +0100
+Subject: phonet: fix building with clang
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6321aa197547da397753757bd84c6ce64b3e3d89 ]
+
+clang warns about overflowing the data[] member in the struct pnpipehdr:
+
+net/phonet/pep.c:295:8: warning: array index 4 is past the end of the array (which contains 1 element) [-Warray-bounds]
+ if (hdr->data[4] == PEP_IND_READY)
+ ^ ~
+include/net/phonet/pep.h:66:3: note: array 'data' declared here
+ u8 data[1];
+
+Using a flexible array member at the end of the struct avoids the
+warning, but since we cannot have a flexible array member inside
+of the union, each index now has to be moved back by one, which
+makes it a little uglier.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Rémi Denis-Courmont <remi@remlab.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/phonet/pep.h | 5 +++--
+ net/phonet/pep.c | 32 ++++++++++++++++----------------
+ 2 files changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/include/net/phonet/pep.h b/include/net/phonet/pep.h
+index b669fe6dbc3b..98f31c7ea23d 100644
+--- a/include/net/phonet/pep.h
++++ b/include/net/phonet/pep.h
+@@ -63,10 +63,11 @@ struct pnpipehdr {
+ u8 state_after_reset; /* reset request */
+ u8 error_code; /* any response */
+ u8 pep_type; /* status indication */
+- u8 data[1];
++ u8 data0; /* anything else */
+ };
++ u8 data[];
+ };
+-#define other_pep_type data[1]
++#define other_pep_type data[0]
+
+ static inline struct pnpipehdr *pnp_hdr(struct sk_buff *skb)
+ {
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index 850a86cde0b3..f6aa532bcbf6 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -131,7 +131,7 @@ static int pep_indicate(struct sock *sk, u8 id, u8 code,
+ ph->utid = 0;
+ ph->message_id = id;
+ ph->pipe_handle = pn->pipe_handle;
+- ph->data[0] = code;
++ ph->error_code = code;
+ return pn_skb_send(sk, skb, NULL);
+ }
+
+@@ -152,7 +152,7 @@ static int pipe_handler_request(struct sock *sk, u8 id, u8 code,
+ ph->utid = id; /* whatever */
+ ph->message_id = id;
+ ph->pipe_handle = pn->pipe_handle;
+- ph->data[0] = code;
++ ph->error_code = code;
+ return pn_skb_send(sk, skb, NULL);
+ }
+
+@@ -207,7 +207,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
+ struct pnpipehdr *ph;
+ struct sockaddr_pn dst;
+ u8 data[4] = {
+- oph->data[0], /* PEP type */
++ oph->pep_type, /* PEP type */
+ code, /* error code, at an unusual offset */
+ PAD, PAD,
+ };
+@@ -220,7 +220,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
+ ph->utid = oph->utid;
+ ph->message_id = PNS_PEP_CTRL_RESP;
+ ph->pipe_handle = oph->pipe_handle;
+- ph->data[0] = oph->data[1]; /* CTRL id */
++ ph->data0 = oph->data[0]; /* CTRL id */
+
+ pn_skb_get_src_sockaddr(oskb, &dst);
+ return pn_skb_send(sk, skb, &dst);
+@@ -271,17 +271,17 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+ return -EINVAL;
+
+ hdr = pnp_hdr(skb);
+- if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
++ if (hdr->pep_type != PN_PEP_TYPE_COMMON) {
+ net_dbg_ratelimited("Phonet unknown PEP type: %u\n",
+- (unsigned int)hdr->data[0]);
++ (unsigned int)hdr->pep_type);
+ return -EOPNOTSUPP;
+ }
+
+- switch (hdr->data[1]) {
++ switch (hdr->data[0]) {
+ case PN_PEP_IND_FLOW_CONTROL:
+ switch (pn->tx_fc) {
+ case PN_LEGACY_FLOW_CONTROL:
+- switch (hdr->data[4]) {
++ switch (hdr->data[3]) {
+ case PEP_IND_BUSY:
+ atomic_set(&pn->tx_credits, 0);
+ break;
+@@ -291,7 +291,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+ }
+ break;
+ case PN_ONE_CREDIT_FLOW_CONTROL:
+- if (hdr->data[4] == PEP_IND_READY)
++ if (hdr->data[3] == PEP_IND_READY)
+ atomic_set(&pn->tx_credits, wake = 1);
+ break;
+ }
+@@ -300,12 +300,12 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+ case PN_PEP_IND_ID_MCFC_GRANT_CREDITS:
+ if (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL)
+ break;
+- atomic_add(wake = hdr->data[4], &pn->tx_credits);
++ atomic_add(wake = hdr->data[3], &pn->tx_credits);
+ break;
+
+ default:
+ net_dbg_ratelimited("Phonet unknown PEP indication: %u\n",
+- (unsigned int)hdr->data[1]);
++ (unsigned int)hdr->data[0]);
+ return -EOPNOTSUPP;
+ }
+ if (wake)
+@@ -317,7 +317,7 @@ static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb)
+ {
+ struct pep_sock *pn = pep_sk(sk);
+ struct pnpipehdr *hdr = pnp_hdr(skb);
+- u8 n_sb = hdr->data[0];
++ u8 n_sb = hdr->data0;
+
+ pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL;
+ __skb_pull(skb, sizeof(*hdr));
+@@ -505,7 +505,7 @@ static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb)
+ return -ECONNREFUSED;
+
+ /* Parse sub-blocks */
+- n_sb = hdr->data[4];
++ n_sb = hdr->data[3];
+ while (n_sb > 0) {
+ u8 type, buf[6], len = sizeof(buf);
+ const u8 *data = pep_get_sb(skb, &type, &len, buf);
+@@ -738,7 +738,7 @@ static int pipe_do_remove(struct sock *sk)
+ ph->utid = 0;
+ ph->message_id = PNS_PIPE_REMOVE_REQ;
+ ph->pipe_handle = pn->pipe_handle;
+- ph->data[0] = PAD;
++ ph->data0 = PAD;
+ return pn_skb_send(sk, skb, NULL);
+ }
+
+@@ -815,7 +815,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp)
+ peer_type = hdr->other_pep_type << 8;
+
+ /* Parse sub-blocks (options) */
+- n_sb = hdr->data[4];
++ n_sb = hdr->data[3];
+ while (n_sb > 0) {
+ u8 type, buf[1], len = sizeof(buf);
+ const u8 *data = pep_get_sb(skb, &type, &len, buf);
+@@ -1106,7 +1106,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb)
+ ph->utid = 0;
+ if (pn->aligned) {
+ ph->message_id = PNS_PIPE_ALIGNED_DATA;
+- ph->data[0] = 0; /* padding */
++ ph->data0 = 0; /* padding */
+ } else
+ ph->message_id = PNS_PIPE_DATA;
+ ph->pipe_handle = pn->pipe_handle;
+--
+2.19.1
+
--- /dev/null
+From 8e8edb5115ebc2615e61f10a3cf981fd7a2a8bbb Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sat, 9 Feb 2019 02:01:01 +0100
+Subject: pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
+
+[ Upstream commit c17abcfa93bf0be5e48bb011607d237ac2bfc839 ]
+
+Fix the mismatch between the "sdxc_d13_1_a" pin group definition from
+meson8b_cbus_groups and the entry in sdxc_a_groups ("sdxc_d0_13_1_a").
+This makes it possible to use "sdxc_d13_1_a" in device-tree files to
+route the MMC data 1..3 pins to GPIOX_1..3.
+
+Fixes: 0fefcb6876d0d6 ("pinctrl: Add support for Meson8b")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson8b.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c
+index b505b87661f8..07c4153e6f3d 100644
+--- a/drivers/pinctrl/meson/pinctrl-meson8b.c
++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c
+@@ -656,7 +656,7 @@ static const char * const sd_a_groups[] = {
+
+ static const char * const sdxc_a_groups[] = {
+ "sdxc_d0_0_a", "sdxc_d13_0_a", "sdxc_d47_a", "sdxc_clk_a",
+- "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d0_13_1_a"
++ "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d13_1_a"
+ };
+
+ static const char * const pcm_a_groups[] = {
+--
+2.19.1
+
--- /dev/null
+From e69b39e45b660201ab047f34a6c9eac2ff025bd3 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 21 Nov 2018 12:39:47 +0100
+Subject: s390/dasd: fix using offset into zero size array error
+
+[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]
+
+Dan Carpenter reported the following:
+
+The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
+for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
+checker warning:
+
+ drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
+ error: using offset into zero size array 'psf_data[]'
+
+drivers/s390/block/dasd_eckd.c
+ 4458 /* Copy parms from caller */
+ 4459 rc = -EFAULT;
+ 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
+ ^^^^^^^
+The user can specify any "usrparm.psf_data_len". They choose zero by
+mistake.
+
+ 4461 goto out;
+ 4462 if (is_compat_task()) {
+ 4463 /* Make sure pointers are sane even on 31 bit. */
+ 4464 rc = -EINVAL;
+ 4465 if ((usrparm.psf_data >> 32) != 0)
+ 4466 goto out;
+ 4467 if ((usrparm.rssd_result >> 32) != 0)
+ 4468 goto out;
+ 4469 usrparm.psf_data &= 0x7fffffffULL;
+ 4470 usrparm.rssd_result &= 0x7fffffffULL;
+ 4471 }
+ 4472 /* alloc I/O data area */
+ 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
+ | GFP_DMA);
+ 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
+ | GFP_DMA);
+ 4475 if (!psf_data || !rssd_result) {
+
+kzalloc() returns a ZERO_SIZE_PTR (0x16).
+
+ 4476 rc = -ENOMEM;
+ 4477 goto out_free;
+ 4478 }
+ 4479
+ 4480 /* get syscall header from user space */
+ 4481 rc = -EFAULT;
+ 4482 if (copy_from_user(psf_data,
+ 4483 (void __user *)(unsigned long)
+ usrparm.psf_data,
+ 4484 usrparm.psf_data_len))
+
+That all works great.
+
+ 4485 goto out_free;
+ 4486 psf0 = psf_data[0];
+ 4487 psf1 = psf_data[1];
+
+But now we're assuming that "->psf_data_len" was at least 2 bytes.
+
+Fix this by checking the user specified length psf_data_len.
+
+Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index dac2f6883e28..80a43074c2f9 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -4023,6 +4023,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
+ usrparm.psf_data &= 0x7fffffffULL;
+ usrparm.rssd_result &= 0x7fffffffULL;
+ }
++ /* at least 2 bytes are accessed and should be allocated */
++ if (usrparm.psf_data_len < 2) {
++ DBF_DEV_EVENT(DBF_WARNING, device,
++ "Symmetrix ioctl invalid data length %d",
++ usrparm.psf_data_len);
++ rc = -EINVAL;
++ goto out;
++ }
+ /* alloc I/O data area */
+ psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
+ rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);
+--
+2.19.1
+
--- /dev/null
+From 1b057d64bee1d3f7238613901064bc66f341b89b Mon Sep 17 00:00:00 2001
+From: Anoob Soman <anoob.soman@citrix.com>
+Date: Wed, 13 Feb 2019 13:21:39 +0800
+Subject: scsi: libiscsi: Fix race between iscsi_xmit_task and
+ iscsi_complete_task
+
+[ Upstream commit 79edd00dc6a96644d76b4a1cb97d94d49e026768 ]
+
+When a target sends Check Condition, whilst initiator is busy xmiting
+re-queued data, could lead to race between iscsi_complete_task() and
+iscsi_xmit_task() and eventually crashing with the following kernel
+backtrace.
+
+[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+[3326150.987549] ALERT: IP: [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0
+[3326150.987582] WARN: Oops: 0002 [#1] SMP
+[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin
+[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1
+[3326150.987774] WARN: Hardware name: Dell Inc. PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016
+[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi]
+[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000
+[3326150.987810] WARN: RIP: e030:[<ffffffffa05ce70d>] [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246
+[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480
+[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20
+[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008
+[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000
+[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08
+[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000
+[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660
+[3326150.987918] WARN: Stack:
+[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18
+[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00
+[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400
+[3326150.987964] WARN: Call Trace:
+[3326150.987975] WARN: [<ffffffffa05cea90>] iscsi_xmitworker+0x2f0/0x360 [libiscsi]
+[3326150.987988] WARN: [<ffffffff8108862c>] process_one_work+0x1fc/0x3b0
+[3326150.987997] WARN: [<ffffffff81088f95>] worker_thread+0x2a5/0x470
+[3326150.988006] WARN: [<ffffffff8159cad8>] ? __schedule+0x648/0x870
+[3326150.988015] WARN: [<ffffffff81088cf0>] ? rescuer_thread+0x300/0x300
+[3326150.988023] WARN: [<ffffffff8108ddf5>] kthread+0xd5/0xe0
+[3326150.988031] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
+[3326150.988040] WARN: [<ffffffff815a0bcf>] ret_from_fork+0x3f/0x70
+[3326150.988048] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
+[3326150.988127] ALERT: RIP [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.988138] WARN: RSP <ffff8801f545bdb0>
+[3326150.988144] WARN: CR2: 0000000000000078
+[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]---
+
+Commit 6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix
+list corruption regression") introduced "taskqueuelock" to fix list
+corruption during the race, but this wasn't enough.
+
+Re-setting of conn->task to NULL, could race with iscsi_xmit_task().
+iscsi_complete_task()
+{
+ ....
+ if (conn->task == task)
+ conn->task = NULL;
+}
+
+conn->task in iscsi_xmit_task() could be NULL and so will be task.
+__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access
+refcount.
+
+iscsi_xmit_task()
+{
+ struct iscsi_task *task = conn->task;
+
+ __iscsi_get_task(task);
+}
+
+This commit will take extra conn->session->back_lock in iscsi_xmit_task()
+to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if
+iscsi_complete_task() wins the race. If iscsi_xmit_task() wins the race,
+iscsi_xmit_task() increments task->refcount
+(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task().
+
+Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
+Signed-off-by: Bob Liu <bob.liu@oracle.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libiscsi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index 009a2ef829d6..0fdc8c417035 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1448,7 +1448,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn)
+ if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx))
+ return -ENODATA;
+
++ spin_lock_bh(&conn->session->back_lock);
++ if (conn->task == NULL) {
++ spin_unlock_bh(&conn->session->back_lock);
++ return -ENODATA;
++ }
+ __iscsi_get_task(task);
++ spin_unlock_bh(&conn->session->back_lock);
+ spin_unlock_bh(&conn->session->frwd_lock);
+ rc = conn->session->tt->xmit_task(task);
+ spin_lock_bh(&conn->session->frwd_lock);
+--
+2.19.1
+
--- /dev/null
+From 5ee06cd33773481fbce4c8db4c553aacc9d2894e Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Fri, 15 Feb 2019 00:37:57 +0800
+Subject: scsi: libsas: Fix rphy phy_identifier for PHYs with end devices
+ attached
+
+[ Upstream commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f ]
+
+The sysfs phy_identifier attribute for a sas_end_device comes from the rphy
+phy_identifier value.
+
+Currently this is not being set for rphys with an end device attached, so
+we see incorrect symlinks from systemd disk/by-path:
+
+root@localhost:~# ls -l /dev/disk/by-path/
+total 0
+lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb
+lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1
+lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2
+lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3
+
+Indeed, each sas_end_device phy_identifier value is 0:
+
+root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier
+0
+root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier
+0
+
+This patch fixes the discovery code to set the phy_identifier. With this,
+we now get proper symlinks:
+
+root@localhost:~# ls -l /dev/disk/by-path/
+total 0
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3
+lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2
+lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Reported-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Jason Yan <yanaijie@huawei.com>
+Tested-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 12886f96b286..7be581f7c35d 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev(
+ rphy = sas_end_device_alloc(phy->port);
+ if (!rphy)
+ goto out_free;
++ rphy->identify.phy_identifier = phy_id;
+
+ child->rphy = rphy;
+ get_device(&rphy->dev);
+@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev(
+
+ child->rphy = rphy;
+ get_device(&rphy->dev);
++ rphy->identify.phy_identifier = phy_id;
+ sas_fill_in_rphy(child, rphy);
+
+ list_add_tail(&child->disco_list_node, &parent->port->disco_list);
+--
+2.19.1
+
stm-class-fix-an-endless-loop-in-channel-allocation.patch
crypto-caam-fixed-handling-of-sg-list.patch
crypto-ahash-fix-another-early-termination-in-hash-walk.patch
+gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch
+gpu-ipu-v3-fix-csi-offsets-for-imx53.patch
+s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
+arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch
+input-matrix_keypad-use-flush_delayed_work.patch
+team-avoid-complex-list-operations-in-team_nl_cmd_op.patch
+i2c-cadence-fix-the-hold-bit-setting.patch
+input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
+arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
+assoc_array-fix-shortcut-creation.patch
+scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
+scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch
+net-systemport-fix-reception-of-bpdus.patch
+pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
+net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
+asoc-topology-free-created-components-in-tplg-load-e.patch
+arm64-relax-gic-version-check-during-early-boot.patch
+tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
+arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
+phonet-fix-building-with-clang.patch
+mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
+mdio_bus-fix-use-after-free-on-device_register-fails.patch-26729
+net-set-static-variable-an-initial-value-in-atl2_pro.patch
+tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
--- /dev/null
+From 42133293dc97f30e37d814582583b780662cfca3 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 11 Feb 2019 21:59:51 -0800
+Subject: team: avoid complex list operations in team_nl_cmd_options_set()
+
+[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ]
+
+The current opt_inst_list operations inside team_nl_cmd_options_set()
+is too complex to track:
+
+ LIST_HEAD(opt_inst_list);
+ nla_for_each_nested(...) {
+ list_for_each_entry(opt_inst, &team->option_inst_list, list) {
+ if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst))
+ continue;
+ list_add(&opt_inst->tmp_list, &opt_inst_list);
+ }
+ }
+ team_nl_send_event_options_get(team, &opt_inst_list);
+
+as while we retrieve 'opt_inst' from team->option_inst_list, it could
+be added to the local 'opt_inst_list' for multiple times. The
+__team_option_inst_tmp_find() doesn't work, as the setter
+team_mode_option_set() still calls team->ops.exit() which uses
+->tmp_list too in __team_options_change_check().
+
+Simplify the list operations by moving the 'opt_inst_list' and
+team_nl_send_event_options_get() into the nla_for_each_nested() loop so
+that it can be guranteed that we won't insert a same list entry for
+multiple times. Therefore, __team_option_inst_tmp_find() can be removed
+too.
+
+Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list")
+Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
+Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
+Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 27 +++++----------------------
+ 1 file changed, 5 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 33ffb573fd67..267a90423154 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -247,17 +247,6 @@ static void __team_option_inst_mark_removed_port(struct team *team,
+ }
+ }
+
+-static bool __team_option_inst_tmp_find(const struct list_head *opts,
+- const struct team_option_inst *needle)
+-{
+- struct team_option_inst *opt_inst;
+-
+- list_for_each_entry(opt_inst, opts, tmp_list)
+- if (opt_inst == needle)
+- return true;
+- return false;
+-}
+-
+ static int __team_options_register(struct team *team,
+ const struct team_option *option,
+ size_t option_count)
+@@ -2447,7 +2436,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+ int err = 0;
+ int i;
+ struct nlattr *nl_option;
+- LIST_HEAD(opt_inst_list);
+
+ team = team_nl_team_get(info);
+ if (!team)
+@@ -2463,6 +2451,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+ struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1];
+ struct nlattr *attr;
+ struct nlattr *attr_data;
++ LIST_HEAD(opt_inst_list);
+ enum team_option_type opt_type;
+ int opt_port_ifindex = 0; /* != 0 for per-port options */
+ u32 opt_array_index = 0;
+@@ -2566,23 +2555,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+ if (err)
+ goto team_put;
+ opt_inst->changed = true;
+-
+- /* dumb/evil user-space can send us duplicate opt,
+- * keep only the last one
+- */
+- if (__team_option_inst_tmp_find(&opt_inst_list,
+- opt_inst))
+- continue;
+-
+ list_add(&opt_inst->tmp_list, &opt_inst_list);
+ }
+ if (!opt_found) {
+ err = -ENOENT;
+ goto team_put;
+ }
+- }
+
+- err = team_nl_send_event_options_get(team, &opt_inst_list);
++ err = team_nl_send_event_options_get(team, &opt_inst_list);
++ if (err)
++ break;
++ }
+
+ team_put:
+ team_nl_team_put(team);
+--
+2.19.1
+
--- /dev/null
+From 4a2ff7d4d3d4f25440c78faa6eb13bb77d225957 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 21 Feb 2019 08:48:09 -0800
+Subject: tmpfs: fix link accounting when a tmpfile is linked in
+
+[ Upstream commit 1062af920c07f5b54cf5060fde3339da6df0cf6b ]
+
+tmpfs has a peculiarity of accounting hard links as if they were
+separate inodes: so that when the number of inodes is limited, as it is
+by default, a user cannot soak up an unlimited amount of unreclaimable
+dcache memory just by repeatedly linking a file.
+
+But when v3.11 added O_TMPFILE, and the ability to use linkat() on the
+fd, we missed accommodating this new case in tmpfs: "df -i" shows that
+an extra "inode" remains accounted after the file is unlinked and the fd
+closed and the actual inode evicted. If a user repeatedly links
+tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they
+are deleted.
+
+Just skip the extra reservation from shmem_link() in this case: there's
+a sense in which this first link of a tmpfile is then cheaper than a
+hard link of another file, but the accounting works out, and there's
+still good limiting, so no need to do anything more complicated.
+
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils
+Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Reported-by: Matej Kupljen <matej.kupljen@gmail.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/shmem.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index d902b413941a..183ed4dae219 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2299,10 +2299,14 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr
+ * No ordinary (disk based) filesystem counts links as inodes;
+ * but each new link needs a new dentry, pinning lowmem, and
+ * tmpfs dentries cannot be pruned until they are unlinked.
++ * But if an O_TMPFILE file is linked into the tmpfs, the
++ * first link must skip that, to get the accounting right.
+ */
+- ret = shmem_reserve_inode(inode->i_sb);
+- if (ret)
+- goto out;
++ if (inode->i_nlink) {
++ ret = shmem_reserve_inode(inode->i_sb);
++ if (ret)
++ goto out;
++ }
+
+ dir->i_size += BOGO_DIRENT_SIZE;
+ inode->i_ctime = dir->i_ctime = dir->i_mtime = CURRENT_TIME;
+--
+2.19.1
+
--- /dev/null
+From df666876dbba59998336c91a1093631c69bd7dbe Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 22 Feb 2019 22:35:32 -0800
+Subject: tmpfs: fix uninitialized return value in shmem_link
+
+[ Upstream commit 29b00e609960ae0fcff382f4c7079dd0874a5311 ]
+
+When we made the shmem_reserve_inode call in shmem_link conditional, we
+forgot to update the declaration for ret so that it always has a known
+value. Dan Carpenter pointed out this deficiency in the original patch.
+
+Fixes: 1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Cc: Matej Kupljen <matej.kupljen@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/shmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 183ed4dae219..f11aec40f2e1 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2293,7 +2293,7 @@ static int shmem_create(struct inode *dir, struct dentry *dentry, umode_t mode,
+ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry)
+ {
+ struct inode *inode = d_inode(old_dentry);
+- int ret;
++ int ret = 0;
+
+ /*
+ * No ordinary (disk based) filesystem counts links as inodes;
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
