--- /dev/null
+From 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 9 Nov 2018 11:59:45 +0100
+Subject: ALSA: oss: Use kvzalloc() for local buffer allocations
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 upstream.
+
+PCM OSS layer may allocate a few temporary buffers, one for the core
+read/write and another for the conversions via plugins. Currently
+both are allocated via vmalloc(). But as the allocation size is
+equivalent with the PCM period size, the required size might be quite
+small, depending on the application.
+
+This patch replaces these vmalloc() calls with kvzalloc() for covering
+small period sizes better. Also, we use "z"-alloc variant here for
+addressing the possible uninitialized access reported by syzkaller.
+
+Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c | 6 +++---
+ sound/core/oss/pcm_plugin.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1062,8 +1062,8 @@ static int snd_pcm_oss_change_params_loc
+ runtime->oss.channels = params_channels(params);
+ runtime->oss.rate = params_rate(params);
+
+- vfree(runtime->oss.buffer);
+- runtime->oss.buffer = vmalloc(runtime->oss.period_bytes);
++ kvfree(runtime->oss.buffer);
++ runtime->oss.buffer = kvzalloc(runtime->oss.period_bytes, GFP_KERNEL);
+ if (!runtime->oss.buffer) {
+ err = -ENOMEM;
+ goto failure;
+@@ -2328,7 +2328,7 @@ static void snd_pcm_oss_release_substrea
+ {
+ struct snd_pcm_runtime *runtime;
+ runtime = substream->runtime;
+- vfree(runtime->oss.buffer);
++ kvfree(runtime->oss.buffer);
+ runtime->oss.buffer = NULL;
+ #ifdef CONFIG_SND_PCM_OSS_PLUGINS
+ snd_pcm_oss_plugin_clear(substream);
+--- a/sound/core/oss/pcm_plugin.c
++++ b/sound/core/oss/pcm_plugin.c
+@@ -66,8 +66,8 @@ static int snd_pcm_plugin_alloc(struct s
+ return -ENXIO;
+ size /= 8;
+ if (plugin->buf_frames < frames) {
+- vfree(plugin->buf);
+- plugin->buf = vmalloc(size);
++ kvfree(plugin->buf);
++ plugin->buf = kvzalloc(size, GFP_KERNEL);
+ plugin->buf_frames = frames;
+ }
+ if (!plugin->buf) {
+@@ -191,7 +191,7 @@ int snd_pcm_plugin_free(struct snd_pcm_p
+ if (plugin->private_free)
+ plugin->private_free(plugin);
+ kfree(plugin->buf_channels);
+- vfree(plugin->buf);
++ kvfree(plugin->buf);
+ kfree(plugin);
+ return 0;
+ }
--- /dev/null
+From 9f2df09a33aa2c76ce6385d382693f98d7f2f07e Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 2 Nov 2018 15:48:42 -0700
+Subject: bfs: add sanity check at bfs_fill_super()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream.
+
+syzbot is reporting too large memory allocation at bfs_fill_super() [1].
+Since file system image is corrupted such that bfs_sb->s_start == 0,
+bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix
+this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and
+printf().
+
+[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96
+
+Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+71c6b5d68e91149fc8a4@syzkaller.appspotmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tigran Aivazian <aivazian.tigran@gmail.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/bfs/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/bfs/inode.c
++++ b/fs/bfs/inode.c
+@@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b
+
+ s->s_magic = BFS_MAGIC;
+
+- if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
++ if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||
++ le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) {
+ printf("Superblock is corrupted\n");
+ goto out1;
+ }
+@@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b
+ sizeof(struct bfs_inode)
+ + BFS_ROOT_INO - 1;
+ imap_len = (info->si_lasti / 8) + 1;
+- info->si_imap = kzalloc(imap_len, GFP_KERNEL);
+- if (!info->si_imap)
++ info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN);
++ if (!info->si_imap) {
++ printf("Cannot allocate %u bytes\n", imap_len);
+ goto out1;
++ }
+ for (i = 0; i < BFS_ROOT_INO; i++)
+ set_bit(i, info->si_imap);
+
--- /dev/null
+From d1fe6ad6f6bd61c84788d3a7b11e459a439c6169 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 8 Nov 2018 16:08:29 +0100
+Subject: brcmfmac: fix reporting support for 160 MHz channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit d1fe6ad6f6bd61c84788d3a7b11e459a439c6169 upstream.
+
+Driver can report IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ so it's
+important to provide valid & complete info about supported bands for
+each channel. By default no support for 160 MHz should be assumed unless
+firmware reports it for a given channel later.
+
+This fixes info passed to the userspace. Without that change userspace
+could try to use invalid channel and fail to start an interface.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6098,7 +6098,8 @@ static int brcmf_construct_chaninfo(stru
+ * for subsequent chanspecs.
+ */
+ channel->flags = IEEE80211_CHAN_NO_HT40 |
+- IEEE80211_CHAN_NO_80MHZ;
++ IEEE80211_CHAN_NO_80MHZ |
++ IEEE80211_CHAN_NO_160MHZ;
+ ch.bw = BRCMU_CHAN_BW_20;
+ cfg->d11inf.encchspec(&ch);
+ chaninfo = ch.chspec;
--- /dev/null
+From e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 14:05:26 +0100
+Subject: can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream.
+
+If the "struct can_priv::echo_skb" is accessed out of bounds would lead
+to a kernel crash. Better print a sensible warning message instead and
+try to recover.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -480,7 +480,11 @@ struct sk_buff *__can_get_echo_skb(struc
+ {
+ struct can_priv *priv = netdev_priv(dev);
+
+- BUG_ON(idx >= priv->echo_skb_max);
++ if (idx >= priv->echo_skb_max) {
++ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
++ __func__, idx, priv->echo_skb_max);
++ return NULL;
++ }
+
+ if (priv->echo_skb[idx]) {
+ /* Using "struct canfd_frame::len" for the frame
--- /dev/null
+From 7da11ba5c5066dadc2e96835a6233d56d7b7764a Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 14:15:13 +0100
+Subject: can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream.
+
+Prior to echoing a successfully transmitted CAN frame (by calling
+can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling
+can_put_echo_skb() in the transmit function). These put and get function
+take an index as parameter, which is used to identify the CAN frame.
+
+A driver calling can_get_echo_skb() with a index not pointing to a skb
+is a BUG, so add an appropriate error message.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -479,6 +479,8 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ struct can_priv *priv = netdev_priv(dev);
++ struct sk_buff *skb = priv->echo_skb[idx];
++ struct canfd_frame *cf;
+
+ if (idx >= priv->echo_skb_max) {
+ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+@@ -486,21 +488,20 @@ struct sk_buff *__can_get_echo_skb(struc
+ return NULL;
+ }
+
+- if (priv->echo_skb[idx]) {
+- /* Using "struct canfd_frame::len" for the frame
+- * length is supported on both CAN and CANFD frames.
+- */
+- struct sk_buff *skb = priv->echo_skb[idx];
+- struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+- u8 len = cf->len;
+-
+- *len_ptr = len;
+- priv->echo_skb[idx] = NULL;
+-
+- return skb;
++ if (!skb) {
++ netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
++ __func__, idx);
++ return NULL;
+ }
+
+- return NULL;
++ /* Using "struct canfd_frame::len" for the frame
++ * length is supported on both CAN and CANFD frames.
++ */
++ cf = (struct canfd_frame *)skb->data;
++ *len_ptr = cf->len;
++ priv->echo_skb[idx] = NULL;
++
++ return skb;
+ }
+
+ /*
--- /dev/null
+From 200f5c49f7a2cd694436bfc6cb0662b794c96736 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 11:08:21 +0100
+Subject: can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream.
+
+This patch replaces the use of "struct can_frame::can_dlc" by "struct
+canfd_frame::len" to access the frame's length. As it is ensured that
+both structures have a compatible memory layout for this member this is
+no functional change. Futher, this compatibility is documented in a
+comment.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -483,11 +483,14 @@ struct sk_buff *__can_get_echo_skb(struc
+ BUG_ON(idx >= priv->echo_skb_max);
+
+ if (priv->echo_skb[idx]) {
++ /* Using "struct canfd_frame::len" for the frame
++ * length is supported on both CAN and CANFD frames.
++ */
+ struct sk_buff *skb = priv->echo_skb[idx];
+- struct can_frame *cf = (struct can_frame *)skb->data;
+- u8 dlc = cf->can_dlc;
++ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
++ u8 len = cf->len;
+
+- *len_ptr = dlc;
++ *len_ptr = len;
+ priv->echo_skb[idx] = NULL;
+
+ return skb;
--- /dev/null
+From a4310fa2f24687888ce80fdb0e88583561a23700 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 10:37:46 +0100
+Subject: can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream.
+
+This patch factors out all non sending parts of can_get_echo_skb() into
+a seperate function __can_get_echo_skb(), so that it can be re-used in
+an upcoming patch.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 36 +++++++++++++++++++++++++-----------
+ include/linux/can/dev.h | 1 +
+ 2 files changed, 26 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -476,14 +476,7 @@ void can_put_echo_skb(struct sk_buff *sk
+ }
+ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+
+-/*
+- * Get the skb from the stack and loop it back locally
+- *
+- * The function is typically called when the TX done interrupt
+- * is handled in the device driver. The driver must protect
+- * access to priv->echo_skb, if necessary.
+- */
+-unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ struct can_priv *priv = netdev_priv(dev);
+
+@@ -494,13 +487,34 @@ unsigned int can_get_echo_skb(struct net
+ struct can_frame *cf = (struct can_frame *)skb->data;
+ u8 dlc = cf->can_dlc;
+
+- netif_rx(priv->echo_skb[idx]);
++ *len_ptr = dlc;
+ priv->echo_skb[idx] = NULL;
+
+- return dlc;
++ return skb;
+ }
+
+- return 0;
++ return NULL;
++}
++
++/*
++ * Get the skb from the stack and loop it back locally
++ *
++ * The function is typically called when the TX done interrupt
++ * is handled in the device driver. The driver must protect
++ * access to priv->echo_skb, if necessary.
++ */
++unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
++{
++ struct sk_buff *skb;
++ u8 len;
++
++ skb = __can_get_echo_skb(dev, idx, &len);
++ if (!skb)
++ return 0;
++
++ netif_rx(skb);
++
++ return len;
+ }
+ EXPORT_SYMBOL_GPL(can_get_echo_skb);
+
+--- a/include/linux/can/dev.h
++++ b/include/linux/can/dev.h
+@@ -163,6 +163,7 @@ void can_change_state(struct net_device
+
+ void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev,
+ unsigned int idx);
++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr);
+ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx);
+ void can_free_echo_skb(struct net_device *dev, unsigned int idx);
+
--- /dev/null
+From ed72bc8bcb9277061e753faf300b20f97323761c Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 18 Sep 2018 11:40:39 +0200
+Subject: can: flexcan: handle tx-complete CAN frames via rx-offload infrastructure
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit ed72bc8bcb9277061e753faf300b20f97323761c upstream.
+
+Current flexcan driver will put TX-ECHO in regular unsorted way, in
+this case TX-ECHO can come after the response to the same TXed message.
+In some cases, for example for J1939 stack, things will break.
+This patch is using new rx-offload API to put the messages just in the
+right place.
+
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/flexcan.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -775,8 +775,11 @@ static irqreturn_t flexcan_irq(int irq,
+
+ /* transmission complete interrupt */
+ if (reg_iflag1 & FLEXCAN_IFLAG_MB(priv->tx_mb_idx)) {
++ u32 reg_ctrl = priv->read(®s->mb[FLEXCAN_TX_MB].can_ctrl);
++
+ handled = IRQ_HANDLED;
+- stats->tx_bytes += can_get_echo_skb(dev, 0);
++ stats->tx_bytes += can_rx_offload_get_echo_skb(&priv->offload,
++ 0, reg_ctrl << 16);
+ stats->tx_packets++;
+ can_led_event(dev, CAN_LED_EVENT_TX);
+
--- /dev/null
+From d788905f68fd4714c82936f6f7f1d3644d7ae7ef Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 18 Sep 2018 11:40:41 +0200
+Subject: can: flexcan: use can_rx_offload_queue_sorted() for flexcan_irq_bus_*()
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit d788905f68fd4714c82936f6f7f1d3644d7ae7ef upstream.
+
+Currently, in case of bus error, driver will generate error message and put
+in the tail of the message queue. To avoid confusions, this change should
+place the bus related messages in proper order.
+
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/flexcan.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -550,9 +550,13 @@ static int flexcan_start_xmit(struct sk_
+ static void flexcan_irq_bus_err(struct net_device *dev, u32 reg_esr)
+ {
+ struct flexcan_priv *priv = netdev_priv(dev);
++ struct flexcan_regs __iomem *regs = priv->regs;
+ struct sk_buff *skb;
+ struct can_frame *cf;
+ bool rx_errors = false, tx_errors = false;
++ u32 timestamp;
++
++ timestamp = priv->read(®s->timer) << 16;
+
+ skb = alloc_can_err_skb(dev, &cf);
+ if (unlikely(!skb))
+@@ -599,17 +603,21 @@ static void flexcan_irq_bus_err(struct n
+ if (tx_errors)
+ dev->stats.tx_errors++;
+
+- can_rx_offload_queue_tail(&priv->offload, skb);
++ can_rx_offload_queue_sorted(&priv->offload, skb, timestamp);
+ }
+
+ static void flexcan_irq_state(struct net_device *dev, u32 reg_esr)
+ {
+ struct flexcan_priv *priv = netdev_priv(dev);
++ struct flexcan_regs __iomem *regs = priv->regs;
+ struct sk_buff *skb;
+ struct can_frame *cf;
+ enum can_state new_state, rx_state, tx_state;
+ int flt;
+ struct can_berr_counter bec;
++ u32 timestamp;
++
++ timestamp = priv->read(®s->timer) << 16;
+
+ flt = reg_esr & FLEXCAN_ESR_FLT_CONF_MASK;
+ if (likely(flt == FLEXCAN_ESR_FLT_CONF_ACTIVE)) {
+@@ -639,7 +647,7 @@ static void flexcan_irq_state(struct net
+ if (unlikely(new_state == CAN_STATE_BUS_OFF))
+ can_bus_off(dev);
+
+- can_rx_offload_queue_tail(&priv->offload, skb);
++ can_rx_offload_queue_sorted(&priv->offload, skb, timestamp);
+ }
+
+ static inline struct flexcan_priv *rx_offload_to_priv(struct can_rx_offload *offload)
--- /dev/null
+From f164d0204b1156a7e0d8d1622c1a8d25752befec Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sat, 27 Oct 2018 10:36:54 +0200
+Subject: can: hi311x: Use level-triggered interrupt
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit f164d0204b1156a7e0d8d1622c1a8d25752befec upstream.
+
+If the hi3110 shares the SPI bus with another traffic-intensive device
+and packets are received in high volume (by a separate machine sending
+with "cangen -g 0 -i -x"), reception stops after a few minutes and the
+counter in /proc/interrupts stops incrementing. Bus state is "active".
+Bringing the interface down and back up reconvenes the reception. The
+issue is not observed when the hi3110 is the sole device on the SPI bus.
+
+Using a level-triggered interrupt makes the issue go away and lets the
+hi3110 successfully receive 2 GByte over the course of 5 days while a
+ks8851 Ethernet chip on the same SPI bus handles 6 GByte of traffic.
+
+Unfortunately the hi3110 datasheet is mum on the trigger type. The pin
+description on page 3 only specifies the polarity (active high):
+http://www.holtic.com/documents/371-hi-3110_v-rev-kpdf.do
+
+Cc: Mathias Duckeck <m.duckeck@kunbus.de>
+Cc: Akshay Bhat <akshay.bhat@timesys.com>
+Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/net/can/holt_hi311x.txt | 2 +-
+ drivers/net/can/spi/hi311x.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/net/can/holt_hi311x.txt
++++ b/Documentation/devicetree/bindings/net/can/holt_hi311x.txt
+@@ -18,7 +18,7 @@ Example:
+ reg = <1>;
+ clocks = <&clk32m>;
+ interrupt-parent = <&gpio4>;
+- interrupts = <13 IRQ_TYPE_EDGE_RISING>;
++ interrupts = <13 IRQ_TYPE_LEVEL_HIGH>;
+ vdd-supply = <®5v0>;
+ xceiver-supply = <®5v0>;
+ };
+--- a/drivers/net/can/spi/hi311x.c
++++ b/drivers/net/can/spi/hi311x.c
+@@ -760,7 +760,7 @@ static int hi3110_open(struct net_device
+ {
+ struct hi3110_priv *priv = netdev_priv(net);
+ struct spi_device *spi = priv->spi;
+- unsigned long flags = IRQF_ONESHOT | IRQF_TRIGGER_RISING;
++ unsigned long flags = IRQF_ONESHOT | IRQF_TRIGGER_HIGH;
+ int ret;
+
+ ret = open_candev(net);
--- /dev/null
+From a43608fa77213ad5ac5f75994254b9f65d57cfa0 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Wed, 24 Oct 2018 10:27:12 +0200
+Subject: can: raw: check for CAN FD capable netdev in raw_sendmsg()
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit a43608fa77213ad5ac5f75994254b9f65d57cfa0 upstream.
+
+When the socket is CAN FD enabled it can handle CAN FD frame
+transmissions. Add an additional check in raw_sendmsg() as a CAN2.0 CAN
+driver (non CAN FD) should never see a CAN FD frame. Due to the commonly
+used can_dropped_invalid_skb() function the CAN 2.0 driver would drop
+that CAN FD frame anyway - but with this patch the user gets a proper
+-EINVAL return code.
+
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/can/raw.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -745,18 +745,19 @@ static int raw_sendmsg(struct socket *so
+ } else
+ ifindex = ro->ifindex;
+
+- if (ro->fd_frames) {
++ dev = dev_get_by_index(sock_net(sk), ifindex);
++ if (!dev)
++ return -ENXIO;
++
++ err = -EINVAL;
++ if (ro->fd_frames && dev->mtu == CANFD_MTU) {
+ if (unlikely(size != CANFD_MTU && size != CAN_MTU))
+- return -EINVAL;
++ goto put_dev;
+ } else {
+ if (unlikely(size != CAN_MTU))
+- return -EINVAL;
++ goto put_dev;
+ }
+
+- dev = dev_get_by_index(sock_net(sk), ifindex);
+- if (!dev)
+- return -ENXIO;
+-
+ skb = sock_alloc_send_skb(sk, size + sizeof(struct can_skb_priv),
+ msg->msg_flags & MSG_DONTWAIT, &err);
+ if (!skb)
--- /dev/null
+From 55059f2b7f868cd43b3ad30e28e18347e1b46ace Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 18 Sep 2018 11:40:38 +0200
+Subject: can: rx-offload: introduce can_rx_offload_get_echo_skb() and can_rx_offload_queue_sorted() functions
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 55059f2b7f868cd43b3ad30e28e18347e1b46ace upstream.
+
+Current CAN framework can't guarantee proper/chronological order
+of RX and TX-ECHO messages. To make this possible, drivers should use
+this functions instead of can_get_echo_skb().
+
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/rx-offload.c | 46 +++++++++++++++++++++++++++++++++++++++++
+ include/linux/can/rx-offload.h | 4 +++
+ 2 files changed, 50 insertions(+)
+
+--- a/drivers/net/can/rx-offload.c
++++ b/drivers/net/can/rx-offload.c
+@@ -209,6 +209,52 @@ int can_rx_offload_irq_offload_fifo(stru
+ }
+ EXPORT_SYMBOL_GPL(can_rx_offload_irq_offload_fifo);
+
++int can_rx_offload_queue_sorted(struct can_rx_offload *offload,
++ struct sk_buff *skb, u32 timestamp)
++{
++ struct can_rx_offload_cb *cb;
++ unsigned long flags;
++
++ if (skb_queue_len(&offload->skb_queue) >
++ offload->skb_queue_len_max)
++ return -ENOMEM;
++
++ cb = can_rx_offload_get_cb(skb);
++ cb->timestamp = timestamp;
++
++ spin_lock_irqsave(&offload->skb_queue.lock, flags);
++ __skb_queue_add_sort(&offload->skb_queue, skb, can_rx_offload_compare);
++ spin_unlock_irqrestore(&offload->skb_queue.lock, flags);
++
++ can_rx_offload_schedule(offload);
++
++ return 0;
++}
++EXPORT_SYMBOL_GPL(can_rx_offload_queue_sorted);
++
++unsigned int can_rx_offload_get_echo_skb(struct can_rx_offload *offload,
++ unsigned int idx, u32 timestamp)
++{
++ struct net_device *dev = offload->dev;
++ struct net_device_stats *stats = &dev->stats;
++ struct sk_buff *skb;
++ u8 len;
++ int err;
++
++ skb = __can_get_echo_skb(dev, idx, &len);
++ if (!skb)
++ return 0;
++
++ err = can_rx_offload_queue_sorted(offload, skb, timestamp);
++ if (err) {
++ stats->rx_errors++;
++ stats->tx_fifo_errors++;
++ }
++
++ return len;
++}
++EXPORT_SYMBOL_GPL(can_rx_offload_get_echo_skb);
++
+ int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb)
+ {
+ if (skb_queue_len(&offload->skb_queue) >
+--- a/include/linux/can/rx-offload.h
++++ b/include/linux/can/rx-offload.h
+@@ -41,6 +41,10 @@ int can_rx_offload_add_timestamp(struct
+ int can_rx_offload_add_fifo(struct net_device *dev, struct can_rx_offload *offload, unsigned int weight);
+ int can_rx_offload_irq_offload_timestamp(struct can_rx_offload *offload, u64 reg);
+ int can_rx_offload_irq_offload_fifo(struct can_rx_offload *offload);
++int can_rx_offload_queue_sorted(struct can_rx_offload *offload,
++ struct sk_buff *skb, u32 timestamp);
++unsigned int can_rx_offload_get_echo_skb(struct can_rx_offload *offload,
++ unsigned int idx, u32 timestamp);
+ int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb);
+ void can_rx_offload_reset(struct can_rx_offload *offload);
+ void can_rx_offload_del(struct can_rx_offload *offload);
--- /dev/null
+From 4530ec36bb1e0d24f41c33229694adacda3d5d89 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 18 Sep 2018 11:40:40 +0200
+Subject: can: rx-offload: rename can_rx_offload_irq_queue_err_skb() to can_rx_offload_queue_tail()
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 4530ec36bb1e0d24f41c33229694adacda3d5d89 upstream.
+
+This function has nothing todo with error.
+
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/flexcan.c | 4 ++--
+ drivers/net/can/rx-offload.c | 5 +++--
+ include/linux/can/rx-offload.h | 3 ++-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -599,7 +599,7 @@ static void flexcan_irq_bus_err(struct n
+ if (tx_errors)
+ dev->stats.tx_errors++;
+
+- can_rx_offload_irq_queue_err_skb(&priv->offload, skb);
++ can_rx_offload_queue_tail(&priv->offload, skb);
+ }
+
+ static void flexcan_irq_state(struct net_device *dev, u32 reg_esr)
+@@ -639,7 +639,7 @@ static void flexcan_irq_state(struct net
+ if (unlikely(new_state == CAN_STATE_BUS_OFF))
+ can_bus_off(dev);
+
+- can_rx_offload_irq_queue_err_skb(&priv->offload, skb);
++ can_rx_offload_queue_tail(&priv->offload, skb);
+ }
+
+ static inline struct flexcan_priv *rx_offload_to_priv(struct can_rx_offload *offload)
+--- a/drivers/net/can/rx-offload.c
++++ b/drivers/net/can/rx-offload.c
+@@ -255,7 +255,8 @@ unsigned int can_rx_offload_get_echo_skb
+ }
+ EXPORT_SYMBOL_GPL(can_rx_offload_get_echo_skb);
+
+-int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb)
++int can_rx_offload_queue_tail(struct can_rx_offload *offload,
++ struct sk_buff *skb)
+ {
+ if (skb_queue_len(&offload->skb_queue) >
+ offload->skb_queue_len_max)
+@@ -266,7 +267,7 @@ int can_rx_offload_irq_queue_err_skb(str
+
+ return 0;
+ }
+-EXPORT_SYMBOL_GPL(can_rx_offload_irq_queue_err_skb);
++EXPORT_SYMBOL_GPL(can_rx_offload_queue_tail);
+
+ static int can_rx_offload_init_queue(struct net_device *dev, struct can_rx_offload *offload, unsigned int weight)
+ {
+--- a/include/linux/can/rx-offload.h
++++ b/include/linux/can/rx-offload.h
+@@ -45,7 +45,8 @@ int can_rx_offload_queue_sorted(struct c
+ struct sk_buff *skb, u32 timestamp);
+ unsigned int can_rx_offload_get_echo_skb(struct can_rx_offload *offload,
+ unsigned int idx, u32 timestamp);
+-int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb);
++int can_rx_offload_queue_tail(struct can_rx_offload *offload,
++ struct sk_buff *skb);
+ void can_rx_offload_reset(struct can_rx_offload *offload);
+ void can_rx_offload_del(struct can_rx_offload *offload);
+ void can_rx_offload_enable(struct can_rx_offload *offload);
--- /dev/null
+From 1a37bd823891568f8721989aed0615835632d81a Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Wed, 3 Oct 2018 14:57:47 +0800
+Subject: drm/ast: change resolution may cause screen blurred
+
+From: Y.C. Chen <yc_chen@aspeedtech.com>
+
+commit 1a37bd823891568f8721989aed0615835632d81a upstream.
+
+The value of pitches is not correct while calling mode_set.
+The issue we found so far on following system:
+- Debian8 with XFCE Desktop
+- Ubuntu with KDE Desktop
+- SUSE15 with KDE Desktop
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Cc: <stable@vger.kernel.org>
+Tested-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -568,6 +568,7 @@ static int ast_crtc_do_set_base(struct d
+ }
+ ast_bo_unreserve(bo);
+
++ ast_set_offset_reg(crtc);
+ ast_set_start_address_crt1(crtc, (u32)gpu_addr);
+
+ return 0;
--- /dev/null
+From 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Tue, 30 Oct 2018 11:34:46 +0800
+Subject: drm/ast: fixed cursor may disappear sometimes
+
+From: Y.C. Chen <yc_chen@aspeedtech.com>
+
+commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream.
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -1255,7 +1255,7 @@ static int ast_cursor_move(struct drm_cr
+ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xc7, ((y >> 8) & 0x07));
+
+ /* dummy write to fire HWC */
+- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xCB, 0xFF, 0x00);
++ ast_show_cursor(crtc);
+
+ return 0;
+ }
--- /dev/null
+From 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Thu, 15 Nov 2018 11:42:16 +0100
+Subject: drm/ast: Remove existing framebuffers before loading driver
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream.
+
+If vesafb attaches to the AST device, it configures the framebuffer memory
+for uncached access by default. When ast.ko later tries to attach itself to
+the device, it wants to use write-combining on the framebuffer memory, but
+vesefb's existing configuration for uncached access takes precedence. This
+results in reduced performance.
+
+Removing the framebuffer's configuration before loding the AST driver fixes
+the problem. Other DRM drivers already contain equivalent code.
+
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: <stable@vger.kernel.org>
+Tested-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Tested-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_drv.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/gpu/drm/ast/ast_drv.c
++++ b/drivers/gpu/drm/ast/ast_drv.c
+@@ -60,8 +60,29 @@ static const struct pci_device_id pciidl
+
+ MODULE_DEVICE_TABLE(pci, pciidlist);
+
++static void ast_kick_out_firmware_fb(struct pci_dev *pdev)
++{
++ struct apertures_struct *ap;
++ bool primary = false;
++
++ ap = alloc_apertures(1);
++ if (!ap)
++ return;
++
++ ap->ranges[0].base = pci_resource_start(pdev, 0);
++ ap->ranges[0].size = pci_resource_len(pdev, 0);
++
++#ifdef CONFIG_X86
++ primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW;
++#endif
++ drm_fb_helper_remove_conflicting_framebuffers(ap, "astdrmfb", primary);
++ kfree(ap);
++}
++
+ static int ast_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
++ ast_kick_out_firmware_fb(pdev);
++
+ return drm_get_pci_dev(pdev, ent, &driver);
+ }
+
--- /dev/null
+From 21556350ade3cb5d7afecc8b3544e56431d21695 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 14 Nov 2018 19:34:40 +0200
+Subject: drm/i915: Disable LP3 watermarks on all SNB machines
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 21556350ade3cb5d7afecc8b3544e56431d21695 upstream.
+
+I have a Thinkpad X220 Tablet in my hands that is losing vblank
+interrupts whenever LP3 watermarks are used.
+
+If I nudge the latency value written to the WM3 register just
+by one in either direction the problem disappears. That to me
+suggests that the punit will not enter the corrsponding
+powersave mode (MPLL shutdown IIRC) unless the latency value
+in the register matches exactly what we read from SSKPD. Ie.
+it's not really a latency value but rather just a cookie
+by which the punit can identify the desired power saving state.
+On HSW/BDW this was changed such that we actually just write
+the WM level number into those bits, which makes much more
+sense given the observed behaviour.
+
+We could try to handle this by disallowing LP3 watermarks
+only when vblank interrupts are enabled but we'd first have
+to prove that only vblank interrupts are affected, which
+seems unlikely. Also we can't grab the wm mutex from the
+vblank enable/disable hooks because those are called with
+various spinlocks held. Thus we'd have to redesigne the
+watermark locking. So to play it safe and keep the code
+simple we simply disable LP3 watermarks on all SNB machines.
+
+To do that we simply zero out the latency values for
+watermark level 3, and we adjust the watermark computation
+to check for that. The behaviour now matches that of the
+g4x/vlv/skl wm code in the presence of a zeroed latency
+value.
+
+v2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris)
+
+Cc: stable@vger.kernel.org
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrjala@linux.intel.com
+(cherry picked from commit 03981c6ebec4fc7056b9b45f847393aeac90d060)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 41 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2500,6 +2500,9 @@ static uint32_t ilk_compute_spr_wm(const
+ uint32_t method1, method2;
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2523,6 +2526,9 @@ static uint32_t ilk_compute_cur_wm(const
+ {
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2540,6 +2546,9 @@ static uint32_t ilk_compute_fbc_wm(const
+ {
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2981,6 +2990,34 @@ static void snb_wm_latency_quirk(struct
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+ }
+
++static void snb_wm_lp3_irq_quirk(struct drm_i915_private *dev_priv)
++{
++ /*
++ * On some SNB machines (Thinkpad X220 Tablet at least)
++ * LP3 usage can cause vblank interrupts to be lost.
++ * The DEIIR bit will go high but it looks like the CPU
++ * never gets interrupted.
++ *
++ * It's not clear whether other interrupt source could
++ * be affected or if this is somehow limited to vblank
++ * interrupts only. To play it safe we disable LP3
++ * watermarks entirely.
++ */
++ if (dev_priv->wm.pri_latency[3] == 0 &&
++ dev_priv->wm.spr_latency[3] == 0 &&
++ dev_priv->wm.cur_latency[3] == 0)
++ return;
++
++ dev_priv->wm.pri_latency[3] = 0;
++ dev_priv->wm.spr_latency[3] = 0;
++ dev_priv->wm.cur_latency[3] = 0;
++
++ DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost interrupts\n");
++ intel_print_wm_latency(dev_priv, "Primary", dev_priv->wm.pri_latency);
++ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
++ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
++}
++
+ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
+ {
+ intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency);
+@@ -2997,8 +3034,10 @@ static void ilk_setup_wm_latency(struct
+ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+
+- if (IS_GEN6(dev_priv))
++ if (IS_GEN6(dev_priv)) {
+ snb_wm_latency_quirk(dev_priv);
++ snb_wm_lp3_irq_quirk(dev_priv);
++ }
+ }
+
+ static void skl_setup_wm_latency(struct drm_i915_private *dev_priv)
--- /dev/null
+From 4c62bd9cea7bcf10292f7e4c57a2bca332942697 Mon Sep 17 00:00:00 2001
+From: Andrew Price <anprice@redhat.com>
+Date: Mon, 8 Oct 2018 07:52:43 -0500
+Subject: gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
+
+From: Andrew Price <anprice@redhat.com>
+
+commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream.
+
+When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points
+to the same address. Move the assignment after that error check so that
+s_fs_info can only point to a valid sdp or NULL, which is checked for
+later in the error path, in gfs2_kill_super().
+
+Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com
+Signed-off-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -72,13 +72,13 @@ static struct gfs2_sbd *init_sbd(struct
+ if (!sdp)
+ return NULL;
+
+- sb->s_fs_info = sdp;
+ sdp->sd_vfs = sb;
+ sdp->sd_lkstats = alloc_percpu(struct gfs2_pcpu_lkstats);
+ if (!sdp->sd_lkstats) {
+ kfree(sdp);
+ return NULL;
+ }
++ sb->s_fs_info = sdp;
+
+ set_bit(SDF_NOJOURNALID, &sdp->sd_flags);
+ gfs2_tune_init(&sdp->sd_tune);
--- /dev/null
+From a05a14049999598a3bb6fab12db6b768a0215522 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vz@mleia.com>
+Date: Fri, 2 Nov 2018 15:39:43 +0200
+Subject: gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+commit a05a14049999598a3bb6fab12db6b768a0215522 upstream.
+
+The change corrects the error path in gpiochip_add_data_with_key()
+by avoiding to call ida_simple_remove(), if ida_simple_get() returns
+an error.
+
+Note that ida_simple_remove()/ida_free() throws a BUG(), if id argument
+is negative, it allows to easily check the correctness of the fix by
+fuzzing the return value from ida_simple_get().
+
+Fixes: ff2b13592299 ("gpio: make the gpiochip a real device")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1166,7 +1166,7 @@ int gpiochip_add_data(struct gpio_chip *
+ gdev->descs = kcalloc(chip->ngpio, sizeof(gdev->descs[0]), GFP_KERNEL);
+ if (!gdev->descs) {
+ status = -ENOMEM;
+- goto err_free_gdev;
++ goto err_free_ida;
+ }
+
+ if (chip->ngpio == 0) {
+@@ -1298,8 +1298,9 @@ err_free_label:
+ kfree(gdev->label);
+ err_free_descs:
+ kfree(gdev->descs);
+-err_free_gdev:
++err_free_ida:
+ ida_simple_remove(&gpio_ida, gdev->id);
++err_free_gdev:
+ /* failures here can mean systems won't boot... */
+ pr_err("%s: GPIOs %d..%d (%s) failed to register\n", __func__,
+ gdev->base, gdev->base + gdev->ngpio - 1,
--- /dev/null
+From f39f8688888ae74fa8deae2d01289b69b4727394 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 16 Oct 2018 17:07:35 -0700
+Subject: Input: synaptics - avoid using uninitialized variable when probing
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit f39f8688888ae74fa8deae2d01289b69b4727394 upstream.
+
+synaptics_detect() does not check whether sending commands to the
+device succeeds and instead relies on getting unique data from the
+device. Let's make sure we seed entire buffer with zeroes to make sure
+we will not use garbage on stack that just happen to be 0x47.
+
+Reported-by: syzbot+13cb3b01d0784e4ffc3f@syzkaller.appspotmail.com
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -99,9 +99,7 @@ static int synaptics_mode_cmd(struct psm
+ int synaptics_detect(struct psmouse *psmouse, bool set_properties)
+ {
+ struct ps2dev *ps2dev = &psmouse->ps2dev;
+- u8 param[4];
+-
+- param[0] = 0;
++ u8 param[4] = { 0 };
+
+ ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES);
+ ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES);
--- /dev/null
+From 5d041c46ccb9b48acc110e214beff5e2789311df Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Wed, 17 Oct 2018 08:35:15 +0300
+Subject: iwlwifi: mvm: don't use SAR Geo if basic SAR is not used
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 5d041c46ccb9b48acc110e214beff5e2789311df upstream.
+
+We can't use SAR Geo if basic SAR is not enabled, since the SAR Geo
+tables define offsets in relation to the basic SAR table in use.
+
+To fix this, make iwl_mvm_sar_init() return one in case WRDS is not
+available, so we can skip reading WGDS entirely.
+
+Fixes: a6bff3cb19b7 ("iwlwifi: mvm: add GEO_TX_POWER_LIMIT cmd for geographic tx power table")
+Cc: stable@vger.kernel.org # 4.12+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 36 +++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -997,6 +997,11 @@ static int iwl_mvm_sar_get_ewrd_table(st
+ return -ENOENT;
+ }
+
++static int iwl_mvm_sar_get_wgds_table(struct iwl_mvm *mvm)
++{
++ return -ENOENT;
++}
++
+ static int iwl_mvm_sar_geo_init(struct iwl_mvm *mvm)
+ {
+ return 0;
+@@ -1023,8 +1028,11 @@ static int iwl_mvm_sar_init(struct iwl_m
+ IWL_DEBUG_RADIO(mvm,
+ "WRDS SAR BIOS table invalid or unavailable. (%d)\n",
+ ret);
+- /* if not available, don't fail and don't bother with EWRD */
+- return 0;
++ /*
++ * If not available, don't fail and don't bother with EWRD.
++ * Return 1 to tell that we can't use WGDS either.
++ */
++ return 1;
+ }
+
+ ret = iwl_mvm_sar_get_ewrd_table(mvm);
+@@ -1037,9 +1045,13 @@ static int iwl_mvm_sar_init(struct iwl_m
+ /* choose profile 1 (WRDS) as default for both chains */
+ ret = iwl_mvm_sar_select_profile(mvm, 1, 1);
+
+- /* if we don't have profile 0 from BIOS, just skip it */
++ /*
++ * If we don't have profile 0 from BIOS, just skip it. This
++ * means that SAR Geo will not be enabled either, even if we
++ * have other valid profiles.
++ */
+ if (ret == -ENOENT)
+- return 0;
++ return 1;
+
+ return ret;
+ }
+@@ -1229,11 +1241,19 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
+ iwl_mvm_unref(mvm, IWL_MVM_REF_UCODE_DOWN);
+
+ ret = iwl_mvm_sar_init(mvm);
+- if (ret)
+- goto error;
++ if (ret == 0) {
++ ret = iwl_mvm_sar_geo_init(mvm);
++ } else if (ret > 0 && !iwl_mvm_sar_get_wgds_table(mvm)) {
++ /*
++ * If basic SAR is not available, we check for WGDS,
++ * which should *not* be available either. If it is
++ * available, issue an error, because we can't use SAR
++ * Geo without basic SAR.
++ */
++ IWL_ERR(mvm, "BIOS contains WGDS but no WRDS\n");
++ }
+
+- ret = iwl_mvm_sar_geo_init(mvm);
+- if (ret)
++ if (ret < 0)
+ goto error;
+
+ iwl_mvm_leds_sync(mvm);
--- /dev/null
+From 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 3 Oct 2018 11:16:54 +0300
+Subject: iwlwifi: mvm: fix regulatory domain update when the firmware starts
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c upstream.
+
+When the firmware starts, it doesn't have any regulatory
+information, hence it uses the world wide limitations. The
+driver can feed the firmware with previous knowledge that
+was kept in the driver, but the firmware may still not
+update its internal tables.
+
+This happens when we start a BSS interface, and then the
+firmware can change the regulatory tables based on our
+location and it'll use more lenient, location specific
+rules. Then, if the firmware is shut down (when the
+interface is brought down), and then an AP interface is
+created, the firmware will forget the country specific
+rules.
+
+The host will think that we are in a certain country that
+may allow channels and will try to teach the firmware about
+our location, but the firmware may still not allow to drop
+the world wide limitations and apply country specific rules
+because it was just re-started.
+
+In this case, the firmware will reply with MCC_RESP_ILLEGAL
+to the MCC_UPDATE_CMD. In that case, iwlwifi needs to let
+the upper layers (cfg80211 / hostapd) know that the channel
+list they know about has been updated.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201105
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 8 ++++++--
+ drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 5 ++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -328,8 +328,12 @@ struct ieee80211_regdomain *iwl_mvm_get_
+ goto out;
+ }
+
+- if (changed)
+- *changed = (resp->status == MCC_RESP_NEW_CHAN_PROFILE);
++ if (changed) {
++ u32 status = le32_to_cpu(resp->status);
++
++ *changed = (status == MCC_RESP_NEW_CHAN_PROFILE ||
++ status == MCC_RESP_ILLEGAL);
++ }
+
+ regd = iwl_parse_nvm_mcc_info(mvm->trans->dev, mvm->cfg,
+ __le32_to_cpu(resp->n_channels),
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+@@ -732,9 +732,8 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm,
+ }
+
+ IWL_DEBUG_LAR(mvm,
+- "MCC response status: 0x%x. new MCC: 0x%x ('%c%c') change: %d n_chans: %d\n",
+- status, mcc, mcc >> 8, mcc & 0xff,
+- !!(status == MCC_RESP_NEW_CHAN_PROFILE), n_channels);
++ "MCC response status: 0x%x. new MCC: 0x%x ('%c%c') n_chans: %d\n",
++ status, mcc, mcc >> 8, mcc & 0xff, n_channels);
+
+ exit:
+ iwl_free_resp(&cmd);
--- /dev/null
+From ec484d03ef0df8d34086b95710e355a259cbe1f2 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Thu, 16 Aug 2018 13:25:48 +0300
+Subject: iwlwifi: mvm: support sta_statistics() even on older firmware
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit ec484d03ef0df8d34086b95710e355a259cbe1f2 upstream.
+
+The oldest firmware supported by iwlmvm do support getting
+the average beacon RSSI. Enable the sta_statistics() call
+from mac80211 even on older firmware versions.
+
+Fixes: 33cef9256342 ("iwlwifi: mvm: support beacon statistics for BSS client")
+Cc: stable@vger.kernel.org # 4.2+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -4189,10 +4189,6 @@ static void iwl_mvm_mac_sta_statistics(s
+ sinfo->filled |= BIT(NL80211_STA_INFO_SIGNAL_AVG);
+ }
+
+- if (!fw_has_capa(&mvm->fw->ucode_capa,
+- IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS))
+- return;
+-
+ /* if beacon filtering isn't on mac80211 does it anyway */
+ if (!(vif->driver_flags & IEEE80211_VIF_BEACON_FILTER))
+ return;
--- /dev/null
+From 604d415e2bd642b7e02c80e719e0396b9d4a77a6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 22 Oct 2018 09:24:27 -0700
+Subject: llc: do not use sk_eat_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream.
+
+syzkaller triggered a use-after-free [1], caused by a combination of
+skb_get() in llc_conn_state_process() and usage of sk_eat_skb()
+
+sk_eat_skb() is assuming the skb about to be freed is only used by
+the current thread. TCP/DCCP stacks enforce this because current
+thread holds the socket lock.
+
+llc_conn_state_process() wants to make sure skb does not disappear,
+and holds a reference on the skb it manipulates. But as soon as this
+skb is added to socket receive queue, another thread can consume it.
+
+This means that llc must use regular skb_unlink() and kfree_skb()
+so that both producer and consumer can safely work on the same skb.
+
+[1]
+BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
+BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline]
+BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18
+
+CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
+ print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
+ atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+ refcount_read include/linux/refcount.h:43 [inline]
+ skb_unref include/linux/skbuff.h:967 [inline]
+ kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+ llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224
+ llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297
+ llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438
+ llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+ run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
+ smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
+ kthread+0x35a/0x420 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
+
+Allocated by task 18:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
+ kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644
+ __alloc_skb+0x119/0x770 net/core/skbuff.c:193
+ alloc_skb include/linux/skbuff.h:995 [inline]
+ llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54
+ llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline]
+ llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111
+ llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+
+Freed by task 16383:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kmem_cache_free+0x83/0x290 mm/slab.c:3756
+ kfree_skbmem+0x154/0x230 net/core/skbuff.c:582
+ __kfree_skb+0x1d/0x20 net/core/skbuff.c:642
+ sk_eat_skb include/net/sock.h:2366 [inline]
+ llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882
+ sock_recvmsg_nosec net/socket.c:794 [inline]
+ sock_recvmsg+0xd0/0x110 net/socket.c:801
+ ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278
+ __sys_recvmmsg+0x303/0xb90 net/socket.c:2390
+ do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466
+ __do_sys_recvmmsg net/socket.c:2484 [inline]
+ __se_sys_recvmmsg net/socket.c:2480 [inline]
+ __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8801d1f6fac0
+ which belongs to the cache skbuff_head_cache of size 232
+The buggy address is located 228 bytes inside of
+ 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8)
+The buggy address belongs to the page:
+page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680
+raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/llc/af_llc.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -730,7 +730,6 @@ static int llc_ui_recvmsg(struct socket
+ struct sk_buff *skb = NULL;
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc = llc_sk(sk);
+- unsigned long cpu_flags;
+ size_t copied = 0;
+ u32 peek_seq = 0;
+ u32 *seq, skb_len;
+@@ -855,9 +854,8 @@ static int llc_ui_recvmsg(struct socket
+ goto copy_uaddr;
+
+ if (!(flags & MSG_PEEK)) {
+- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+- sk_eat_skb(sk, skb);
+- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++ skb_unlink(skb, &sk->sk_receive_queue);
++ kfree_skb(skb);
+ *seq = 0;
+ }
+
+@@ -878,9 +876,8 @@ copy_uaddr:
+ llc_cmsg_rcv(msg, skb);
+
+ if (!(flags & MSG_PEEK)) {
+- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+- sk_eat_skb(sk, skb);
+- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++ skb_unlink(skb, &sk->sk_receive_queue);
++ kfree_skb(skb);
+ *seq = 0;
+ }
+
--- /dev/null
+From cb5d21946d2a2f4687c482ab4604af1d29dac35a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 15 Nov 2018 15:03:24 -0800
+Subject: MAINTAINERS: Add Sasha as a stable branch maintainer
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit cb5d21946d2a2f4687c482ab4604af1d29dac35a upstream.
+
+Sasha has somehow been convinced into helping me with the stable kernel
+maintenance. Codify this slip in good judgement before he realizes what
+he really signed up for :)
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ MAINTAINERS | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -12662,6 +12662,7 @@ F: arch/alpha/kernel/srm_env.c
+
+ STABLE BRANCH
+ M: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
++M: Sasha Levin <sashal@kernel.org>
+ L: stable@vger.kernel.org
+ S: Supported
+ F: Documentation/process/stable-kernel-rules.rst
--- /dev/null
+From 61448479a9f2c954cde0cfe778cb6bec5d0a748d Mon Sep 17 00:00:00 2001
+From: Dmitry Vyukov <dvyukov@google.com>
+Date: Fri, 26 Oct 2018 15:03:12 -0700
+Subject: mm: don't warn about large allocations for slab
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+commit 61448479a9f2c954cde0cfe778cb6bec5d0a748d upstream.
+
+Slub does not call kmalloc_slab() for sizes > KMALLOC_MAX_CACHE_SIZE,
+instead it falls back to kmalloc_large().
+
+For slab KMALLOC_MAX_CACHE_SIZE == KMALLOC_MAX_SIZE and it calls
+kmalloc_slab() for all allocations relying on NULL return value for
+over-sized allocations.
+
+This inconsistency leads to unwanted warnings from kmalloc_slab() for
+over-sized allocations for slab. Returning NULL for failed allocations is
+the expected behavior.
+
+Make slub and slab code consistent by checking size >
+KMALLOC_MAX_CACHE_SIZE in slab before calling kmalloc_slab().
+
+While we are here also fix the check in kmalloc_slab(). We should check
+against KMALLOC_MAX_CACHE_SIZE rather than KMALLOC_MAX_SIZE. It all kinda
+worked because for slab the constants are the same, and slub always checks
+the size against KMALLOC_MAX_CACHE_SIZE before kmalloc_slab(). But if we
+get there with size > KMALLOC_MAX_CACHE_SIZE anyhow bad things will
+happen. For example, in case of a newly introduced bug in slub code.
+
+Also move the check in kmalloc_slab() from function entry to the size >
+192 case. This partially compensates for the additional check in slab
+code and makes slub code a bit faster (at least theoretically).
+
+Also drop __GFP_NOWARN in the warning check. This warning means a bug in
+slab code itself, user-passed flags have nothing to do with it.
+
+Nothing of this affects slob.
+
+Link: http://lkml.kernel.org/r/20180927171502.226522-1-dvyukov@gmail.com
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: syzbot+87829a10073277282ad1@syzkaller.appspotmail.com
+Reported-by: syzbot+ef4e8fc3a06e9019bb40@syzkaller.appspotmail.com
+Reported-by: syzbot+6e438f4036df52cbb863@syzkaller.appspotmail.com
+Reported-by: syzbot+8574471d8734457d98aa@syzkaller.appspotmail.com
+Reported-by: syzbot+af1504df0807a083dbd9@syzkaller.appspotmail.com
+Acked-by: Christoph Lameter <cl@linux.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slab.c | 4 ++++
+ mm/slab_common.c | 12 ++++++------
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -3670,6 +3670,8 @@ __do_kmalloc_node(size_t size, gfp_t fla
+ struct kmem_cache *cachep;
+ void *ret;
+
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
++ return NULL;
+ cachep = kmalloc_slab(size, flags);
+ if (unlikely(ZERO_OR_NULL_PTR(cachep)))
+ return cachep;
+@@ -3705,6 +3707,8 @@ static __always_inline void *__do_kmallo
+ struct kmem_cache *cachep;
+ void *ret;
+
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
++ return NULL;
+ cachep = kmalloc_slab(size, flags);
+ if (unlikely(ZERO_OR_NULL_PTR(cachep)))
+ return cachep;
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -971,18 +971,18 @@ struct kmem_cache *kmalloc_slab(size_t s
+ {
+ int index;
+
+- if (unlikely(size > KMALLOC_MAX_SIZE)) {
+- WARN_ON_ONCE(!(flags & __GFP_NOWARN));
+- return NULL;
+- }
+-
+ if (size <= 192) {
+ if (!size)
+ return ZERO_SIZE_PTR;
+
+ index = size_index[size_index_elem(size)];
+- } else
++ } else {
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) {
++ WARN_ON(1);
++ return NULL;
++ }
+ index = fls(size - 1);
++ }
+
+ #ifdef CONFIG_ZONE_DMA
+ if (unlikely((flags & GFP_DMA)))
--- /dev/null
+From ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Fri, 26 Oct 2018 15:09:01 -0700
+Subject: mm/memory.c: recheck page table entry with page table lock held
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 upstream.
+
+We clear the pte temporarily during read/modify/write update of the pte.
+If we take a page fault while the pte is cleared, the application can get
+SIGBUS. One such case is with remap_pfn_range without a backing
+vm_ops->fault callback. do_fault will return SIGBUS in that case.
+
+cpu 0 cpu1
+mprotect()
+ptep_modify_prot_start()/pte cleared.
+.
+. page fault.
+.
+.
+prep_modify_prot_commit()
+
+Fix this by taking page table lock and rechecking for pte_none.
+
+[aneesh.kumar@linux.ibm.com: fix crash observed with syzkaller run]
+ Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@linux.ibm.com
+Link: http://lkml.kernel.org/r/20180926031858.9692-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3697,10 +3697,36 @@ static int do_fault(struct vm_fault *vmf
+ struct vm_area_struct *vma = vmf->vma;
+ int ret;
+
+- /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
+- if (!vma->vm_ops->fault)
+- ret = VM_FAULT_SIGBUS;
+- else if (!(vmf->flags & FAULT_FLAG_WRITE))
++ /*
++ * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND
++ */
++ if (!vma->vm_ops->fault) {
++ /*
++ * If we find a migration pmd entry or a none pmd entry, which
++ * should never happen, return SIGBUS
++ */
++ if (unlikely(!pmd_present(*vmf->pmd)))
++ ret = VM_FAULT_SIGBUS;
++ else {
++ vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm,
++ vmf->pmd,
++ vmf->address,
++ &vmf->ptl);
++ /*
++ * Make sure this is not a temporary clearing of pte
++ * by holding ptl and checking again. A R/M/W update
++ * of pte involves: take ptl, clearing the pte so that
++ * we don't have concurrent modification by hardware
++ * followed by an update.
++ */
++ if (unlikely(pte_none(*vmf->pte)))
++ ret = VM_FAULT_SIGBUS;
++ else
++ ret = VM_FAULT_NOPAGE;
++
++ pte_unmap_unlock(vmf->pte, vmf->ptl);
++ }
++ } else if (!(vmf->flags & FAULT_FLAG_WRITE))
+ ret = do_read_fault(vmf);
+ else if (!(vma->vm_flags & VM_SHARED))
+ ret = do_cow_fault(vmf);
--- /dev/null
+From cdcefe6bd9df754f528ffc339d3cc143cea4ddf6 Mon Sep 17 00:00:00 2001
+From: Rajat Jain <rajatja@google.com>
+Date: Mon, 29 Oct 2018 15:17:01 -0700
+Subject: mmc: sdhci-pci: Try "cd" for card-detect lookup before using NULL
+
+From: Rajat Jain <rajatja@google.com>
+
+commit cdcefe6bd9df754f528ffc339d3cc143cea4ddf6 upstream.
+
+Problem:
+
+The card detect IRQ does not work with modern BIOS (that want
+to use _DSD to provide the card detect GPIO to the driver).
+
+Details:
+
+The mmc core provides the mmc_gpiod_request_cd() API to let host drivers
+request the gpio descriptor for the "card detect" pin.
+This pin is specified in the ACPI for the SDHC device:
+
+ * Either as a resource using _CRS. This is a method used by legacy BIOS.
+ (The driver needs to tell which resource index).
+
+ * Or as a named property ("cd-gpios"/"cd-gpio") in _DSD (which internally
+ points to an entry in _CRS). This way, the driver can lookup using a
+ string. This is what modern BIOS prefer to use.
+
+This API finally results in a call to the following code:
+
+struct gpio_desc *acpi_find_gpio(..., const char *con_id,...)
+{
+...
+ /* Lookup gpio (using "<con_id>-gpio") in the _DSD */
+...
+ if (!acpi_can_fallback_to_crs(adev, con_id))
+ return ERR_PTR(-ENOENT);
+...
+ /* Falling back to _CRS is allowed, Lookup gpio in the _CRS */
+...
+}
+
+Note that this means that if the ACPI has _DSD properties, the kernel
+will never use _CRS for the lookup (Because acpi_can_fallback_to_crs()
+will always be false for any device hat has _DSD entries).
+
+The SDHCI driver is thus currently broken on a modern BIOS, even if
+BIOS provides both _CRS (for index based lookup) and _DSD entries (for
+string based lookup). Ironically, none of these will be used for the
+lookup currently because:
+
+* Since the con_id is NULL, acpi_find_gpio() does not find a matching
+ entry in DSDT. (The _DSDT entry has the property name = "cd-gpios")
+
+* Because ACPI contains DSDT entries, thus acpi_can_fallback_to_crs()
+ returns false (because device properties have been populated from
+ _DSD), thus the _CRS is never used for the lookup.
+
+Fix:
+
+Try "cd" for lookup in the _DSD before falling back to using NULL so
+as to try looking up in the _CRS.
+
+I've tested this patch successfully with both Legacy BIOS (that
+provide only _CRS method) as well as modern BIOS (that provide both
+_CRS and _DSD). Also the use of "cd" appears to be fairly consistent
+across other users of this API (other MMC host controller drivers).
+
+Link: https://lkml.org/lkml/2018/9/25/1113
+Signed-off-by: Rajat Jain <rajatja@google.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: f10e4bf6632b ("gpio: acpi: Even more tighten up ACPI GPIO lookups")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-pci-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -1607,8 +1607,13 @@ static struct sdhci_pci_slot *sdhci_pci_
+ host->mmc->caps2 |= MMC_CAP2_NO_PRESCAN_POWERUP;
+
+ if (slot->cd_idx >= 0) {
+- ret = mmc_gpiod_request_cd(host->mmc, NULL, slot->cd_idx,
++ ret = mmc_gpiod_request_cd(host->mmc, "cd", slot->cd_idx,
+ slot->cd_override_level, 0, NULL);
++ if (ret && ret != -EPROBE_DEFER)
++ ret = mmc_gpiod_request_cd(host->mmc, NULL,
++ slot->cd_idx,
++ slot->cd_override_level,
++ 0, NULL);
+ if (ret == -EPROBE_DEFER)
+ goto remove;
+
--- /dev/null
+From df132eff463873e14e019a07f387b4d577d6d1f9 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 29 Oct 2018 23:10:29 +0800
+Subject: sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream.
+
+If a transport is removed by asconf but there still are some chunks with
+this transport queuing on out_chunk_list, later an use-after-free issue
+will be caused when accessing this transport from these chunks in
+sctp_outq_flush().
+
+This is an old bug, we fix it by clearing the transport of these chunks
+in out_chunk_list when removing a transport in sctp_assoc_rm_peer().
+
+Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/associola.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -497,8 +497,9 @@ void sctp_assoc_set_primary(struct sctp_
+ void sctp_assoc_rm_peer(struct sctp_association *asoc,
+ struct sctp_transport *peer)
+ {
+- struct list_head *pos;
+- struct sctp_transport *transport;
++ struct sctp_transport *transport;
++ struct list_head *pos;
++ struct sctp_chunk *ch;
+
+ pr_debug("%s: association:%p addr:%pISpc\n",
+ __func__, asoc, &peer->ipaddr.sa);
+@@ -562,7 +563,6 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ */
+ if (!list_empty(&peer->transmitted)) {
+ struct sctp_transport *active = asoc->peer.active_path;
+- struct sctp_chunk *ch;
+
+ /* Reset the transport of each chunk on this list */
+ list_for_each_entry(ch, &peer->transmitted,
+@@ -584,6 +584,10 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ sctp_transport_hold(active);
+ }
+
++ list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list)
++ if (ch->transport == peer)
++ ch->transport = NULL;
++
+ asoc->peer.transport_count--;
+
+ sctp_transport_free(peer);
--- /dev/null
+From 4458bba09788e70e8fb39ad003f087cd9dfbd6ac Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Sat, 8 Sep 2018 01:42:58 +0900
+Subject: selinux: Add __GFP_NOWARN to allocation at str_read()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 4458bba09788e70e8fb39ad003f087cd9dfbd6ac upstream.
+
+syzbot is hitting warning at str_read() [1] because len parameter can
+become larger than KMALLOC_MAX_SIZE. We don't need to emit warning for
+this case.
+
+[1] https://syzkaller.appspot.com/bug?id=7f2f5aad79ea8663c296a2eedb81978401a908f0
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+ac488b9811036cea7ea0@syzkaller.appspotmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/policydb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -1099,7 +1099,7 @@ static int str_read(char **strp, gfp_t f
+ if ((len == 0) || (len == (u32)-1))
+ return -EINVAL;
+
+- str = kmalloc(len + 1, flags);
++ str = kmalloc(len + 1, flags | __GFP_NOWARN);
+ if (!str)
+ return -ENOMEM;
+
arm-8767-1-add-support-for-building-arm-kernel-with-clang.patch
bus-arm-cci-remove-unnecessary-unreachable.patch
arm-trusted_foundations-do-not-use-naked-function.patch
+usb-core-fix-hub-port-connection-events-lost.patch
+usb-dwc3-gadget-fix-isoc-trb-type-on-unaligned-transfers.patch
+usb-dwc3-gadget-properly-check-last-unaligned-zero-chain-trb.patch
+usb-dwc3-core-clean-up-ulpi-device.patch
+xhci-add-check-for-invalid-byte-size-error-when-uas-devices-are-connected.patch
+usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch
+alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch
+maintainers-add-sasha-as-a-stable-branch-maintainer.patch
+mmc-sdhci-pci-try-cd-for-card-detect-lookup-before-using-null.patch
+gpio-don-t-free-unallocated-ida-on-gpiochip_add_data_with_key-error-path.patch
+iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch
+iwlwifi-mvm-fix-regulatory-domain-update-when-the-firmware-starts.patch
+iwlwifi-mvm-don-t-use-sar-geo-if-basic-sar-is-not-used.patch
+brcmfmac-fix-reporting-support-for-160-mhz-channels.patch
+tools-power-cpupower-fix-compilation-with-static-true.patch
+v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
+selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch
+input-synaptics-avoid-using-uninitialized-variable-when-probing.patch
+bfs-add-sanity-check-at-bfs_fill_super.patch
+sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch
+gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch
+llc-do-not-use-sk_eat_skb.patch
+mm-don-t-warn-about-large-allocations-for-slab.patch
+mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch
+tcp-do-not-release-socket-ownership-in-tcp_close.patch
+drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch
+drm-ast-change-resolution-may-cause-screen-blurred.patch
+drm-ast-fixed-cursor-may-disappear-sometimes.patch
+drm-ast-remove-existing-framebuffers-before-loading-driver.patch
+can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch
+can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch
+can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch
+can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch
+can-rx-offload-introduce-can_rx_offload_get_echo_skb-and-can_rx_offload_queue_sorted-functions.patch
+can-rx-offload-rename-can_rx_offload_irq_queue_err_skb-to-can_rx_offload_queue_tail.patch
+can-flexcan-use-can_rx_offload_queue_sorted-for-flexcan_irq_bus_.patch
+can-flexcan-handle-tx-complete-can-frames-via-rx-offload-infrastructure.patch
+can-raw-check-for-can-fd-capable-netdev-in-raw_sendmsg.patch
+can-hi311x-use-level-triggered-interrupt.patch
--- /dev/null
+From 8873c064d1de579ea23412a6d3eee972593f142b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 1 Oct 2018 23:24:26 -0700
+Subject: tcp: do not release socket ownership in tcp_close()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8873c064d1de579ea23412a6d3eee972593f142b upstream.
+
+syzkaller was able to hit the WARN_ON(sock_owned_by_user(sk));
+in tcp_close()
+
+While a socket is being closed, it is very possible other
+threads find it in rtnetlink dump.
+
+tcp_get_info() will acquire the socket lock for a short amount
+of time (slow = lock_sock_fast(sk)/unlock_sock_fast(sk, slow);),
+enough to trigger the warning.
+
+Fixes: 67db3e4bfbc9 ("tcp: no longer hold ehash lock while calling tcp_get_info()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/sock.h | 1 +
+ net/core/sock.c | 2 +-
+ net/ipv4/tcp.c | 11 +++--------
+ 3 files changed, 5 insertions(+), 9 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1452,6 +1452,7 @@ static inline void lock_sock(struct sock
+ lock_sock_nested(sk, 0);
+ }
+
++void __release_sock(struct sock *sk);
+ void release_sock(struct sock *sk);
+
+ /* BH context may only use the following locking interface. */
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2242,7 +2242,7 @@ static void __lock_sock(struct sock *sk)
+ finish_wait(&sk->sk_lock.wq, &wait);
+ }
+
+-static void __release_sock(struct sock *sk)
++void __release_sock(struct sock *sk)
+ __releases(&sk->sk_lock.slock)
+ __acquires(&sk->sk_lock.slock)
+ {
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2217,16 +2217,10 @@ adjudge_to_death:
+ sock_hold(sk);
+ sock_orphan(sk);
+
+- /* It is the last release_sock in its life. It will remove backlog. */
+- release_sock(sk);
+-
+-
+- /* Now socket is owned by kernel and we acquire BH lock
+- * to finish close. No need to check for user refs.
+- */
+ local_bh_disable();
+ bh_lock_sock(sk);
+- WARN_ON(sock_owned_by_user(sk));
++ /* remove backlog if any, without releasing ownership. */
++ __release_sock(sk);
+
+ percpu_counter_inc(sk->sk_prot->orphan_count);
+
+@@ -2295,6 +2289,7 @@ adjudge_to_death:
+ out:
+ bh_unlock_sock(sk);
+ local_bh_enable();
++ release_sock(sk);
+ sock_put(sk);
+ }
+ EXPORT_SYMBOL(tcp_close);
--- /dev/null
+From 9de9aa45e9bd67232e000cca42ceb134b8ae51b6 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Tue, 16 Oct 2018 11:56:26 +0300
+Subject: tools/power/cpupower: fix compilation with STATIC=true
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 9de9aa45e9bd67232e000cca42ceb134b8ae51b6 upstream.
+
+Rename duplicate sysfs_read_file into cpupower_read_sysfs and fix linking.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Thomas Renninger <trenn@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/cpupower/bench/Makefile | 2 +-
+ tools/power/cpupower/lib/cpufreq.c | 2 +-
+ tools/power/cpupower/lib/cpuidle.c | 2 +-
+ tools/power/cpupower/lib/cpupower.c | 4 ++--
+ tools/power/cpupower/lib/cpupower_intern.h | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/tools/power/cpupower/bench/Makefile
++++ b/tools/power/cpupower/bench/Makefile
+@@ -9,7 +9,7 @@ endif
+ ifeq ($(strip $(STATIC)),true)
+ LIBS = -L../ -L$(OUTPUT) -lm
+ OBJS = $(OUTPUT)main.o $(OUTPUT)parse.o $(OUTPUT)system.o $(OUTPUT)benchmark.o \
+- $(OUTPUT)../lib/cpufreq.o $(OUTPUT)../lib/sysfs.o
++ $(OUTPUT)../lib/cpufreq.o $(OUTPUT)../lib/cpupower.o
+ else
+ LIBS = -L../ -L$(OUTPUT) -lm -lcpupower
+ OBJS = $(OUTPUT)main.o $(OUTPUT)parse.o $(OUTPUT)system.o $(OUTPUT)benchmark.o
+--- a/tools/power/cpupower/lib/cpufreq.c
++++ b/tools/power/cpupower/lib/cpufreq.c
+@@ -28,7 +28,7 @@ static unsigned int sysfs_cpufreq_read_f
+
+ snprintf(path, sizeof(path), PATH_TO_CPU "cpu%u/cpufreq/%s",
+ cpu, fname);
+- return sysfs_read_file(path, buf, buflen);
++ return cpupower_read_sysfs(path, buf, buflen);
+ }
+
+ /* helper function to write a new value to a /sys file */
+--- a/tools/power/cpupower/lib/cpuidle.c
++++ b/tools/power/cpupower/lib/cpuidle.c
+@@ -319,7 +319,7 @@ static unsigned int sysfs_cpuidle_read_f
+
+ snprintf(path, sizeof(path), PATH_TO_CPU "cpuidle/%s", fname);
+
+- return sysfs_read_file(path, buf, buflen);
++ return cpupower_read_sysfs(path, buf, buflen);
+ }
+
+
+--- a/tools/power/cpupower/lib/cpupower.c
++++ b/tools/power/cpupower/lib/cpupower.c
+@@ -15,7 +15,7 @@
+ #include "cpupower.h"
+ #include "cpupower_intern.h"
+
+-unsigned int sysfs_read_file(const char *path, char *buf, size_t buflen)
++unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen)
+ {
+ int fd;
+ ssize_t numread;
+@@ -95,7 +95,7 @@ static int sysfs_topology_read_file(unsi
+
+ snprintf(path, sizeof(path), PATH_TO_CPU "cpu%u/topology/%s",
+ cpu, fname);
+- if (sysfs_read_file(path, linebuf, MAX_LINE_LEN) == 0)
++ if (cpupower_read_sysfs(path, linebuf, MAX_LINE_LEN) == 0)
+ return -1;
+ *result = strtol(linebuf, &endp, 0);
+ if (endp == linebuf || errno == ERANGE)
+--- a/tools/power/cpupower/lib/cpupower_intern.h
++++ b/tools/power/cpupower/lib/cpupower_intern.h
+@@ -3,4 +3,4 @@
+ #define MAX_LINE_LEN 4096
+ #define SYSFS_PATH_MAX 255
+
+-unsigned int sysfs_read_file(const char *path, char *buf, size_t buflen);
++unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen);
--- /dev/null
+From 22454b79e6de05fa61a2a72d00d2eed798abbb75 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Date: Tue, 13 Nov 2018 14:40:34 +0100
+Subject: usb: core: Fix hub port connection events lost
+
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+
+commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream.
+
+This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset
+only if a device is was attached to the hub port before resetting the hub port.
+
+Using a Lenovo T480s attached to the ultra dock it was not possible to detect
+some usb-c devices at the dock usb-c ports because the hub_port_reset code
+will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset.
+Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the
+actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit.
+This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the
+new device was attached such that it was not detected.
+
+This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is
+currently no device attached to the port before the hub port reset.
+This will avoid clearing the connection bit for new attached devices.
+
+Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2815,7 +2815,9 @@ static int hub_port_reset(struct usb_hub
+ USB_PORT_FEAT_C_BH_PORT_RESET);
+ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_PORT_LINK_STATE);
+- usb_clear_port_feature(hub->hdev, port1,
++
++ if (udev)
++ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_CONNECTION);
+
+ /*
--- /dev/null
+From 08fd9a82fda86529bb2f2af3c2f7cb657b4d3066 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 27 Aug 2018 18:30:16 +0300
+Subject: usb: dwc3: core: Clean up ULPI device
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 08fd9a82fda86529bb2f2af3c2f7cb657b4d3066 upstream.
+
+If dwc3_core_init_mode() fails with deferred probe,
+next probe fails on sysfs with
+
+sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:11.0/dwc3.0.auto/dwc3.0.auto.ulpi'
+
+To avoid this failure, clean up ULPI device.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1276,6 +1276,7 @@ static int dwc3_probe(struct platform_de
+
+ err5:
+ dwc3_event_buffers_cleanup(dwc);
++ dwc3_ulpi_exit(dwc);
+
+ err4:
+ dwc3_free_scratch_buffers(dwc);
--- /dev/null
+From 2fc6d4be35fb1e262f209758e25bfe2b7a113a7f Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Wed, 1 Aug 2018 09:37:34 +0300
+Subject: usb: dwc3: gadget: fix ISOC TRB type on unaligned transfers
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit 2fc6d4be35fb1e262f209758e25bfe2b7a113a7f upstream.
+
+When chaining ISOC TRBs together, only the first ISOC TRB should be of
+type ISOC_FIRST, all others should be of type ISOC. This patch fixes
+that.
+
+Fixes: c6267a51639b ("usb: dwc3: gadget: align transfers to wMaxPacketSize")
+Cc: <stable@vger.kernel.org> # v4.11+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1088,7 +1088,7 @@ static void dwc3_prepare_one_trb_sg(stru
+ /* Now prepare one extra TRB to align transfer size */
+ trb = &dep->trb_pool[dep->trb_enqueue];
+ __dwc3_prepare_one_trb(dep, trb, dwc->bounce_addr,
+- maxp - rem, false, 0,
++ maxp - rem, false, 1,
+ req->request.stream_id,
+ req->request.short_not_ok,
+ req->request.no_interrupt);
+@@ -1120,7 +1120,7 @@ static void dwc3_prepare_one_trb_linear(
+ /* Now prepare one extra TRB to align transfer size */
+ trb = &dep->trb_pool[dep->trb_enqueue];
+ __dwc3_prepare_one_trb(dep, trb, dwc->bounce_addr, maxp - rem,
+- false, 0, req->request.stream_id,
++ false, 1, req->request.stream_id,
+ req->request.short_not_ok,
+ req->request.no_interrupt);
+ } else if (req->request.zero && req->request.length &&
+@@ -1136,7 +1136,7 @@ static void dwc3_prepare_one_trb_linear(
+ /* Now prepare one extra TRB to handle ZLP */
+ trb = &dep->trb_pool[dep->trb_enqueue];
+ __dwc3_prepare_one_trb(dep, trb, dwc->bounce_addr, 0,
+- false, 0, req->request.stream_id,
++ false, 1, req->request.stream_id,
+ req->request.short_not_ok,
+ req->request.no_interrupt);
+ } else {
--- /dev/null
+From ba3a51ac32ebcf8d0a54b37f1af268ad8a31c52f Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Thu, 2 Aug 2018 20:17:16 -0700
+Subject: usb: dwc3: gadget: Properly check last unaligned/zero chain TRB
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit ba3a51ac32ebcf8d0a54b37f1af268ad8a31c52f upstream.
+
+Current check for the last extra TRB for zero and unaligned transfers
+does not account for isoc OUT. The last TRB of the Buffer Descriptor for
+isoc OUT transfers will be retired with HWO=0. As a result, we won't
+return early. The req->remaining will be updated to include the BUFSIZ
+count of the extra TRB, and the actual number of transferred bytes
+calculation will be wrong.
+
+To fix this, check whether it's a short or zero packet and the last TRB
+chain bit to return early.
+
+Fixes: c6267a51639b ("usb: dwc3: gadget: align transfers to wMaxPacketSize")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2249,7 +2249,7 @@ static int __dwc3_cleanup_done_trbs(stru
+ * with one TRB pending in the ring. We need to manually clear HWO bit
+ * from that TRB.
+ */
+- if ((req->zero || req->unaligned) && (trb->ctrl & DWC3_TRB_CTRL_HWO)) {
++ if ((req->zero || req->unaligned) && !(trb->ctrl & DWC3_TRB_CTRL_CHN)) {
+ trb->ctrl &= ~DWC3_TRB_CTRL_HWO;
+ return 1;
+ }
--- /dev/null
+From a5baeaeabcca3244782a9b6382ebab6f8a58f583 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Fri, 9 Nov 2018 17:21:21 +0200
+Subject: usb: xhci: fix timeout for transition from RExit to U0
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit a5baeaeabcca3244782a9b6382ebab6f8a58f583 upstream.
+
+This definition is used by msecs_to_jiffies in milliseconds.
+According to the comments, max rexit timeout should be 20ms.
+Align with the comments to properly calculate the delay.
+
+Verified on Sunrise Point-LP and Cannon Lake.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c | 4 ++--
+ drivers/usb/host/xhci.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -941,7 +941,7 @@ static u32 xhci_get_port_status(struct u
+ time_left = wait_for_completion_timeout(
+ &bus_state->rexit_done[wIndex],
+ msecs_to_jiffies(
+- XHCI_MAX_REXIT_TIMEOUT));
++ XHCI_MAX_REXIT_TIMEOUT_MS));
+ spin_lock_irqsave(&xhci->lock, flags);
+
+ if (time_left) {
+@@ -955,7 +955,7 @@ static u32 xhci_get_port_status(struct u
+ } else {
+ int port_status = readl(port_array[wIndex]);
+ xhci_warn(xhci, "Port resume took longer than %i msec, port status = 0x%x\n",
+- XHCI_MAX_REXIT_TIMEOUT,
++ XHCI_MAX_REXIT_TIMEOUT_MS,
+ port_status);
+ status |= USB_PORT_STAT_SUSPEND;
+ clear_bit(wIndex, &bus_state->rexit_ports);
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1684,7 +1684,7 @@ struct xhci_bus_state {
+ * It can take up to 20 ms to transition from RExit to U0 on the
+ * Intel Lynx Point LP xHCI host.
+ */
+-#define XHCI_MAX_REXIT_TIMEOUT (20 * 1000)
++#define XHCI_MAX_REXIT_TIMEOUT_MS 20
+
+ static inline unsigned int hcd_index(struct usb_hcd *hcd)
+ {
--- /dev/null
+From 81c99089bce693b94b775b6eb888115d2d540086 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Mon, 27 Aug 2018 15:12:05 +0900
+Subject: v9fs_dir_readdir: fix double-free on p9stat_read error
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.
+
+p9stat_read will call p9stat_free on error, we should only free the
+struct content on success.
+
+There also is no need to "p9stat_init" st as the read function will
+zero the whole struct for us anyway, so clean up the code a bit while
+we are here.
+
+Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_dir.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/fs/9p/vfs_dir.c
++++ b/fs/9p/vfs_dir.c
+@@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wsta
+ return rettype;
+ }
+
+-static void p9stat_init(struct p9_wstat *stbuf)
+-{
+- stbuf->name = NULL;
+- stbuf->uid = NULL;
+- stbuf->gid = NULL;
+- stbuf->muid = NULL;
+- stbuf->extension = NULL;
+-}
+-
+ /**
+ * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir
+ * @filp: opened file structure
+@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file
+ rdir->tail = n;
+ }
+ while (rdir->head < rdir->tail) {
+- p9stat_init(&st);
+ err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
+ rdir->tail - rdir->head, &st);
+ if (err) {
+ p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
+- p9stat_free(&st);
+ return -EIO;
+ }
+ reclen = st.size+2;
--- /dev/null
+From d9193efba84fe4c4aa22a569fade5e6ca971f8af Mon Sep 17 00:00:00 2001
+From: Sandeep Singh <sandeep.singh@amd.com>
+Date: Fri, 9 Nov 2018 17:21:19 +0200
+Subject: xhci: Add check for invalid byte size error when UAS devices are connected.
+
+From: Sandeep Singh <sandeep.singh@amd.com>
+
+commit d9193efba84fe4c4aa22a569fade5e6ca971f8af upstream.
+
+Observed "TRB completion code (27)" error which corresponds to Stopped -
+Length Invalid error(xhci spec section 4.17.4) while connecting USB to
+SATA bridge.
+
+Looks like this case was not considered when the following patch[1] was
+committed. Hence adding this new check which can prevent
+the invalid byte size error.
+
+[1] ade2e3a xhci: handle transfer events without TRB pointer
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sandeep Singh <sandeep.singh@amd.com>
+cc: Nehal Shah <Nehal-bakulchandra.Shah@amd.com>
+cc: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2335,6 +2335,7 @@ static int handle_tx_event(struct xhci_h
+ goto cleanup;
+ case COMP_RING_UNDERRUN:
+ case COMP_RING_OVERRUN:
++ case COMP_STOPPED_LENGTH_INVALID:
+ goto cleanup;
+ default:
+ xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n",
projects / thirdparty / kernel / stable-queue.git / commitdiff
