autosel fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.14/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch b/queue-4.14/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch
new file mode 100644 (file)
index 0000000..3b475d4
--- /dev/null
+++ b/queue-4.14/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch
@@ -0,0 +1,35 @@
+From f32335d2535ebbe59ef1065d7a37380b36ac4932 Mon Sep 17 00:00:00 2001
+From: Helen Koike <helen.koike@collabora.com>
+Date: Mon, 4 Mar 2019 18:48:37 -0300
+Subject: ARM: dts: bcm283x: Fix hdmi hpd gpio pull
+
+[ Upstream commit 544e784188f1dd7c797c70b213385e67d92005b6 ]
+
+Raspberry pi board model B revison 2 have the hot plug detector gpio
+active high (and not low as it was in the dts).
+
+Signed-off-by: Helen Koike <helen.koike@collabora.com>
+Fixes: 49ac67e0c39c ("ARM: bcm2835: Add VC4 to the device tree.")
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
+index 4bc70efe43d6..3178a5664942 100644
+--- a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
++++ b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
+@@ -93,7 +93,7 @@
+ };
+ 
+ &hdmi {
+-      hpd-gpios = <&gpio 46 GPIO_ACTIVE_LOW>;
++      hpd-gpios = <&gpio 46 GPIO_ACTIVE_HIGH>;
+ };
+ 
+ &uart0 {
+-- 
+2.19.1
+

diff --git a/queue-4.14/arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch b/queue-4.14/arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch
new file mode 100644 (file)
index 0000000..c768069
--- /dev/null
+++ b/queue-4.14/arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch
@@ -0,0 +1,42 @@
+From b38401c6eea64a1843cbbc9e4a72f9d90fa052ab Mon Sep 17 00:00:00 2001
+From: Masanari Iida <standby24x7@gmail.com>
+Date: Tue, 19 Mar 2019 01:30:09 +0900
+Subject: ARM: dts: imx6qdl: Fix typo in imx6qdl-icore-rqs.dtsi
+
+[ Upstream commit 41b37f4c0fa67185691bcbd30201cad566f2f0d1 ]
+
+This patch fixes a spelling typo.
+
+Signed-off-by: Masanari Iida <standby24x7@gmail.com>
+Fixes: cc42603de320 ("ARM: dts: imx6q-icore-rqs: Add Engicam IMX6 Q7 initial support")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
+index 7ca291e9dbdb..80f1b3fb6abc 100644
+--- a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
+@@ -222,7 +222,7 @@
+       pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
+       vmcc-supply = <&reg_sd3_vmmc>;
+       cd-gpios = <&gpio1 1 GPIO_ACTIVE_LOW>;
+-      bus-witdh = <4>;
++      bus-width = <4>;
+       no-1-8-v;
+       status = "okay";
+ };
+@@ -233,7 +233,7 @@
+       pinctrl-1 = <&pinctrl_usdhc4_100mhz>;
+       pinctrl-2 = <&pinctrl_usdhc4_200mhz>;
+       vmcc-supply = <&reg_sd4_vmmc>;
+-      bus-witdh = <8>;
++      bus-width = <8>;
+       no-1-8-v;
+       non-removable;
+       status = "okay";
+-- 
+2.19.1
+

diff --git a/queue-4.14/arm-dts-pfla02-increase-phy-reset-duration.patch b/queue-4.14/arm-dts-pfla02-increase-phy-reset-duration.patch
new file mode 100644 (file)
index 0000000..0dd7e78
--- /dev/null
+++ b/queue-4.14/arm-dts-pfla02-increase-phy-reset-duration.patch
@@ -0,0 +1,48 @@
+From ec17cba559bc1aae50432eacee480c305a5a5457 Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Mon, 4 Mar 2019 11:49:40 +0100
+Subject: ARM: dts: pfla02: increase phy reset duration
+
+[ Upstream commit 032f85c9360fb1a08385c584c2c4ed114b33c260 ]
+
+Increase the reset duration to ensure correct phy functionality. The
+reset duration is taken from barebox commit 52fdd510de ("ARM: dts:
+pfla02: use long enough reset for ethernet phy"):
+
+  Use a longer reset time for ethernet phy Micrel KSZ9031RNX. Otherwise a
+  small percentage of modules have 'transmission timeouts' errors like
+
+  barebox@Phytec phyFLEX-i.MX6 Quad Carrier-Board:/ ifup eth0
+  warning: No MAC address set. Using random address 7e:94:4d:02:f8:f3
+  eth0: 1000Mbps full duplex link detected
+  eth0: transmission timeout
+  T eth0: transmission timeout
+  T eth0: transmission timeout
+  T eth0: transmission timeout
+  T eth0: transmission timeout
+
+Cc: Stefan Christ <s.christ@phytec.de>
+Cc: Christian Hemp <c.hemp@phytec.de>
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Fixes: 3180f956668e ("ARM: dts: Phytec imx6q pfla02 and pbab01 support")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
+index d81b0078a100..25b0704c6054 100644
+--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
+@@ -89,6 +89,7 @@
+       pinctrl-names = "default";
+       pinctrl-0 = <&pinctrl_enet>;
+       phy-mode = "rgmii";
++      phy-reset-duration = <10>; /* in msecs */
+       phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>;
+       phy-supply = <&vdd_eth_io_reg>;
+       status = "disabled";
+-- 
+2.19.1
+

diff --git a/queue-4.14/ceph-fix-use-after-free-on-symlink-traversal.patch b/queue-4.14/ceph-fix-use-after-free-on-symlink-traversal.patch
new file mode 100644 (file)
index 0000000..d69cf0d
--- /dev/null
+++ b/queue-4.14/ceph-fix-use-after-free-on-symlink-traversal.patch
@@ -0,0 +1,42 @@
+From 5353b7012932e086bd517182c05c60cef6207f4b Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2019 01:38:58 +0000
+Subject: ceph: fix use-after-free on symlink traversal
+
+[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ]
+
+free the symlink body after the same RCU delay we have for freeing the
+struct inode itself, so that traversal during RCU pathwalk wouldn't step
+into freed memory.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index a1492bdc6d03..f2b722f0df5d 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -520,6 +520,7 @@ static void ceph_i_callback(struct rcu_head *head)
+       struct inode *inode = container_of(head, struct inode, i_rcu);
+       struct ceph_inode_info *ci = ceph_inode(inode);
+ 
++      kfree(ci->i_symlink);
+       kmem_cache_free(ceph_inode_cachep, ci);
+ }
+ 
+@@ -551,7 +552,6 @@ void ceph_destroy_inode(struct inode *inode)
+               ceph_put_snap_realm(mdsc, realm);
+       }
+ 
+-      kfree(ci->i_symlink);
+       while ((n = rb_first(&ci->i_fragtree)) != NULL) {
+               frag = rb_entry(n, struct ceph_inode_frag, node);
+               rb_erase(n, &ci->i_fragtree);
+-- 
+2.19.1
+

diff --git a/queue-4.14/drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch b/queue-4.14/drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch
new file mode 100644 (file)
index 0000000..8700dc8
--- /dev/null
+++ b/queue-4.14/drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch
@@ -0,0 +1,47 @@
+From a3da310e32e10af277d406dbe0be0997415480d4 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Fri, 22 Mar 2019 15:26:56 +0000
+Subject: drm/meson: Fix invalid pointer in meson_drv_unbind()
+
+[ Upstream commit 776e78677f514ecddd12dba48b9040958999bd5a ]
+
+meson_drv_bind() registers a meson_drm struct as the device's privdata,
+but meson_drv_unbind() tries to retrieve a drm_device. This may cause a
+segfault on shutdown:
+
+[ 5194.593429] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000197
+ ...
+[ 5194.788850] Call trace:
+[ 5194.791349]  drm_dev_unregister+0x1c/0x118 [drm]
+[ 5194.795848]  meson_drv_unbind+0x50/0x78 [meson_drm]
+
+Retrieve the right pointer in meson_drv_unbind().
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190322152657.13752-1-jean-philippe.brucker@arm.com
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 5deb44ac6791..1a1b0b9cf1fa 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -294,8 +294,8 @@ static int meson_drv_bind(struct device *dev)
+ 
+ static void meson_drv_unbind(struct device *dev)
+ {
+-      struct drm_device *drm = dev_get_drvdata(dev);
+-      struct meson_drm *priv = drm->dev_private;
++      struct meson_drm *priv = dev_get_drvdata(dev);
++      struct drm_device *drm = priv->drm;
+ 
+       drm_dev_unregister(drm);
+       drm_kms_helper_poll_fini(drm);
+-- 
+2.19.1
+

diff --git a/queue-4.14/drm-meson-uninstall-irq-handler.patch b/queue-4.14/drm-meson-uninstall-irq-handler.patch
new file mode 100644 (file)
index 0000000..640c692
--- /dev/null
+++ b/queue-4.14/drm-meson-uninstall-irq-handler.patch
@@ -0,0 +1,56 @@
+From 8e8833ac289896cd10a30f35cc36ee11051aeaea Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Fri, 22 Mar 2019 15:26:57 +0000
+Subject: drm/meson: Uninstall IRQ handler
+
+[ Upstream commit 2d8f92897ad816f5dda54b2ed2fd9f2d7cb1abde ]
+
+meson_drv_unbind() doesn't unregister the IRQ handler, which can lead to
+use-after-free if the IRQ fires after unbind:
+
+[   64.656876] Unable to handle kernel paging request at virtual address ffff000011706dbc
+...
+[   64.662001] pc : meson_irq+0x18/0x30 [meson_drm]
+
+I'm assuming that a similar problem could happen on the error path of
+bind(), so uninstall the IRQ handler there as well.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190322152657.13752-2-jean-philippe.brucker@arm.com
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 1a1b0b9cf1fa..0608243c3387 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -277,10 +277,12 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
+ 
+       ret = drm_dev_register(drm, 0);
+       if (ret)
+-              goto free_drm;
++              goto uninstall_irq;
+ 
+       return 0;
+ 
++uninstall_irq:
++      drm_irq_uninstall(drm);
+ free_drm:
+       drm_dev_unref(drm);
+ 
+@@ -298,6 +300,7 @@ static void meson_drv_unbind(struct device *dev)
+       struct drm_device *drm = priv->drm;
+ 
+       drm_dev_unregister(drm);
++      drm_irq_uninstall(drm);
+       drm_kms_helper_poll_fini(drm);
+       drm_fbdev_cma_fini(priv->fbdev);
+       drm_mode_config_cleanup(drm);
+-- 
+2.19.1
+

diff --git a/queue-4.14/gpio-aspeed-fix-a-potential-null-pointer-dereference.patch b/queue-4.14/gpio-aspeed-fix-a-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..913d86e
--- /dev/null
+++ b/queue-4.14/gpio-aspeed-fix-a-potential-null-pointer-dereference.patch
@@ -0,0 +1,34 @@
+From c4eaf8055eaa2c7c1d817e2ef3064ca4caddf7e3 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sun, 24 Mar 2019 18:10:02 -0500
+Subject: gpio: aspeed: fix a potential NULL pointer dereference
+
+[ Upstream commit 6cf4511e9729c00a7306cf94085f9cc3c52ee723 ]
+
+In case devm_kzalloc, the patch returns ENOMEM to avoid potential
+NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpio/gpio-aspeed.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c
+index f03fe916eb9d..f6d1bda8a802 100644
+--- a/drivers/gpio/gpio-aspeed.c
++++ b/drivers/gpio/gpio-aspeed.c
+@@ -861,6 +861,8 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev)
+ 
+       gpio->offset_timer =
+               devm_kzalloc(&pdev->dev, gpio->chip.ngpio, GFP_KERNEL);
++      if (!gpio->offset_timer)
++              return -ENOMEM;
+ 
+       return aspeed_gpio_setup_irqs(gpio, pdev);
+ }
+-- 
+2.19.1
+

diff --git a/queue-4.14/gpio-of-fix-of_gpiochip_add-error-path.patch b/queue-4.14/gpio-of-fix-of_gpiochip_add-error-path.patch
new file mode 100644 (file)
index 0000000..2f70e1e
--- /dev/null
+++ b/queue-4.14/gpio-of-fix-of_gpiochip_add-error-path.patch
@@ -0,0 +1,48 @@
+From 1ae6e09dd1ebef6a6717fae830dfdfcf09e13df0 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 28 Mar 2019 14:13:47 +0100
+Subject: gpio: of: Fix of_gpiochip_add() error path
+
+[ Upstream commit f7299d441a4da8a5088e651ea55023525a793a13 ]
+
+If the call to of_gpiochip_scan_gpios() in of_gpiochip_add() fails, no
+error handling is performed.  This lead to the need of callers to call
+of_gpiochip_remove() on failure, which causes "BAD of_node_put() on ..."
+if the failure happened before the call to of_node_get().
+
+Fix this by adding proper error handling.
+
+Note that calling gpiochip_remove_pin_ranges() multiple times causes no
+harm: subsequent calls are a no-op.
+
+Fixes: dfbd379ba9b7431e ("gpio: of: Return error if gpio hog configuration failed")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-of.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
+index ee8c046cab62..d6ed4e891b34 100644
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -499,7 +499,13 @@ int of_gpiochip_add(struct gpio_chip *chip)
+ 
+       of_node_get(chip->of_node);
+ 
+-      return of_gpiochip_scan_gpios(chip);
++      status = of_gpiochip_scan_gpios(chip);
++      if (status) {
++              of_node_put(chip->of_node);
++              gpiochip_remove_pin_ranges(chip);
++      }
++
++      return status;
+ }
+ 
+ void of_gpiochip_remove(struct gpio_chip *chip)
+-- 
+2.19.1
+

diff --git a/queue-4.14/iommu-amd-reserve-exclusion-range-in-iova-domain.patch b/queue-4.14/iommu-amd-reserve-exclusion-range-in-iova-domain.patch
new file mode 100644 (file)
index 0000000..72c8d89
--- /dev/null
+++ b/queue-4.14/iommu-amd-reserve-exclusion-range-in-iova-domain.patch
@@ -0,0 +1,98 @@
+From 0127197897eefa7c687921a5effb7a21eaf8c1fb Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Thu, 28 Mar 2019 11:44:59 +0100
+Subject: iommu/amd: Reserve exclusion range in iova-domain
+
+[ Upstream commit 8aafaaf2212192012f5bae305bb31cdf7681d777 ]
+
+If a device has an exclusion range specified in the IVRS
+table, this region needs to be reserved in the iova-domain
+of that device. This hasn't happened until now and can cause
+data corruption on data transfered with these devices.
+
+Treat exclusion ranges as reserved regions in the iommu-core
+to fix the problem.
+
+Fixes: be2a022c0dd0 ('x86, AMD IOMMU: add functions to parse IOMMU memory mapping requirements for devices')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Reviewed-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c       | 9 ++++++---
+ drivers/iommu/amd_iommu_init.c  | 7 ++++---
+ drivers/iommu/amd_iommu_types.h | 2 ++
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index bd339bfe0d15..684f7cdd814b 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3127,21 +3127,24 @@ static void amd_iommu_get_resv_regions(struct device *dev,
+               return;
+ 
+       list_for_each_entry(entry, &amd_iommu_unity_map, list) {
++              int type, prot = 0;
+               size_t length;
+-              int prot = 0;
+ 
+               if (devid < entry->devid_start || devid > entry->devid_end)
+                       continue;
+ 
++              type   = IOMMU_RESV_DIRECT;
+               length = entry->address_end - entry->address_start;
+               if (entry->prot & IOMMU_PROT_IR)
+                       prot |= IOMMU_READ;
+               if (entry->prot & IOMMU_PROT_IW)
+                       prot |= IOMMU_WRITE;
++              if (entry->prot & IOMMU_UNITY_MAP_FLAG_EXCL_RANGE)
++                      /* Exclusion range */
++                      type = IOMMU_RESV_RESERVED;
+ 
+               region = iommu_alloc_resv_region(entry->address_start,
+-                                               length, prot,
+-                                               IOMMU_RESV_DIRECT);
++                                               length, prot, type);
+               if (!region) {
+                       pr_err("Out of memory allocating dm-regions for %s\n",
+                               dev_name(dev));
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index b97984a5ddad..91d7718625a6 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -1980,6 +1980,9 @@ static int __init init_unity_map_range(struct ivmd_header *m)
+       if (e == NULL)
+               return -ENOMEM;
+ 
++      if (m->flags & IVMD_FLAG_EXCL_RANGE)
++              init_exclusion_range(m);
++
+       switch (m->type) {
+       default:
+               kfree(e);
+@@ -2026,9 +2029,7 @@ static int __init init_memory_definitions(struct acpi_table_header *table)
+ 
+       while (p < end) {
+               m = (struct ivmd_header *)p;
+-              if (m->flags & IVMD_FLAG_EXCL_RANGE)
+-                      init_exclusion_range(m);
+-              else if (m->flags & IVMD_FLAG_UNITY_MAP)
++              if (m->flags & (IVMD_FLAG_UNITY_MAP | IVMD_FLAG_EXCL_RANGE))
+                       init_unity_map_range(m);
+ 
+               p += m->length;
+diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
+index f6b24c7d8b70..3054c0971759 100644
+--- a/drivers/iommu/amd_iommu_types.h
++++ b/drivers/iommu/amd_iommu_types.h
+@@ -369,6 +369,8 @@
+ #define IOMMU_PROT_IR 0x01
+ #define IOMMU_PROT_IW 0x02
+ 
++#define IOMMU_UNITY_MAP_FLAG_EXCL_RANGE       (1 << 2)
++
+ /* IOMMU capabilities */
+ #define IOMMU_CAP_IOTLB   24
+ #define IOMMU_CAP_NPCACHE 26
+-- 
+2.19.1
+

diff --git a/queue-4.14/kconfig-mn-conf-handle-backspace-h-key.patch b/queue-4.14/kconfig-mn-conf-handle-backspace-h-key.patch
new file mode 100644 (file)
index 0000000..06822dc
--- /dev/null
+++ b/queue-4.14/kconfig-mn-conf-handle-backspace-h-key.patch
@@ -0,0 +1,65 @@
+From db4a94d2ad0636f1dbaae4976025b3e8a8bdadf4 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Mon, 25 Mar 2019 15:16:47 +0000
+Subject: kconfig/[mn]conf: handle backspace (^H) key
+
+[ Upstream commit 9c38f1f044080392603c497ecca4d7d09876ff99 ]
+
+Backspace is not working on some terminal emulators which do not send the
+key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127).
+But currently only '^?' is handled. Let's also handle '^H' for those
+terminals.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ scripts/kconfig/lxdialog/inputbox.c | 3 ++-
+ scripts/kconfig/nconf.c             | 2 +-
+ scripts/kconfig/nconf.gui.c         | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
+index d58de1dc5360..510049a7bd1d 100644
+--- a/scripts/kconfig/lxdialog/inputbox.c
++++ b/scripts/kconfig/lxdialog/inputbox.c
+@@ -126,7 +126,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
+                       case KEY_DOWN:
+                               break;
+                       case KEY_BACKSPACE:
+-                      case 127:
++                      case 8:   /* ^H */
++                      case 127: /* ^? */
+                               if (pos) {
+                                       wattrset(dialog, dlg.inputbox.atr);
+                                       if (input_x == 0) {
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 003114779815..e8e1944fa09b 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -1048,7 +1048,7 @@ static int do_match(int key, struct match_state *state, int *ans)
+               state->match_direction = FIND_NEXT_MATCH_UP;
+               *ans = get_mext_match(state->pattern,
+                               state->match_direction);
+-      } else if (key == KEY_BACKSPACE || key == 127) {
++      } else if (key == KEY_BACKSPACE || key == 8 || key == 127) {
+               state->pattern[strlen(state->pattern)-1] = '\0';
+               adj_match_dir(&state->match_direction);
+       } else
+diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
+index a64b1c31253e..0b63357f1d33 100644
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window,
+               case KEY_F(F_EXIT):
+               case KEY_F(F_BACK):
+                       break;
+-              case 127:
++              case 8:   /* ^H */
++              case 127: /* ^? */
+               case KEY_BACKSPACE:
+                       if (cursor_position > 0) {
+                               memmove(&result[cursor_position-1],
+-- 
+2.19.1
+

diff --git a/queue-4.14/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch b/queue-4.14/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch
new file mode 100644 (file)
index 0000000..5012cf8
--- /dev/null
+++ b/queue-4.14/kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch
@@ -0,0 +1,99 @@
+From 2d651ed23384c2a440f34ffab0b2a23ccb1ee07b Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 19 Mar 2019 12:56:23 +0000
+Subject: KVM: arm/arm64: vgic-its: Take the srcu lock when parsing the
+ memslots
+
+[ Upstream commit 7494cec6cb3ba7385a6a223b81906384f15aae34 ]
+
+Calling kvm_is_visible_gfn() implies that we're parsing the memslots,
+and doing this without the srcu lock is frown upon:
+
+[12704.164532] =============================
+[12704.164544] WARNING: suspicious RCU usage
+[12704.164560] 5.1.0-rc1-00008-g600025238f51-dirty #16 Tainted: G        W
+[12704.164573] -----------------------------
+[12704.164589] ./include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage!
+[12704.164602] other info that might help us debug this:
+[12704.164616] rcu_scheduler_active = 2, debug_locks = 1
+[12704.164631] 6 locks held by qemu-system-aar/13968:
+[12704.164644]  #0: 000000007ebdae4f (&kvm->lock){+.+.}, at: vgic_its_set_attr+0x244/0x3a0
+[12704.164691]  #1: 000000007d751022 (&its->its_lock){+.+.}, at: vgic_its_set_attr+0x250/0x3a0
+[12704.164726]  #2: 00000000219d2706 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164761]  #3: 00000000a760aecd (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164794]  #4: 000000000ef8e31d (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164827]  #5: 000000007a872093 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
+[12704.164861] stack backtrace:
+[12704.164878] CPU: 2 PID: 13968 Comm: qemu-system-aar Tainted: G        W         5.1.0-rc1-00008-g600025238f51-dirty #16
+[12704.164887] Hardware name: rockchip evb_rk3399/evb_rk3399, BIOS 2019.04-rc3-00124-g2feec69fb1 03/15/2019
+[12704.164896] Call trace:
+[12704.164910]  dump_backtrace+0x0/0x138
+[12704.164920]  show_stack+0x24/0x30
+[12704.164934]  dump_stack+0xbc/0x104
+[12704.164946]  lockdep_rcu_suspicious+0xcc/0x110
+[12704.164958]  gfn_to_memslot+0x174/0x190
+[12704.164969]  kvm_is_visible_gfn+0x28/0x70
+[12704.164980]  vgic_its_check_id.isra.0+0xec/0x1e8
+[12704.164991]  vgic_its_save_tables_v0+0x1ac/0x330
+[12704.165001]  vgic_its_set_attr+0x298/0x3a0
+[12704.165012]  kvm_device_ioctl_attr+0x9c/0xd8
+[12704.165022]  kvm_device_ioctl+0x8c/0xf8
+[12704.165035]  do_vfs_ioctl+0xc8/0x960
+[12704.165045]  ksys_ioctl+0x8c/0xa0
+[12704.165055]  __arm64_sys_ioctl+0x28/0x38
+[12704.165067]  el0_svc_common+0xd8/0x138
+[12704.165078]  el0_svc_handler+0x38/0x78
+[12704.165089]  el0_svc+0x8/0xc
+
+Make sure the lock is taken when doing this.
+
+Fixes: bf308242ab98 ("KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock")
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
+index d72b8481f250..dc06f5e40041 100644
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -704,8 +704,9 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
+       int l1_tbl_size = GITS_BASER_NR_PAGES(baser) * SZ_64K;
+       u64 indirect_ptr, type = GITS_BASER_TYPE(baser);
+       int esz = GITS_BASER_ENTRY_SIZE(baser);
+-      int index;
++      int index, idx;
+       gfn_t gfn;
++      bool ret;
+ 
+       switch (type) {
+       case GITS_BASER_TYPE_DEVICE:
+@@ -732,7 +733,8 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
+ 
+               if (eaddr)
+                       *eaddr = addr;
+-              return kvm_is_visible_gfn(its->dev->kvm, gfn);
++
++              goto out;
+       }
+ 
+       /* calculate and check the index into the 1st level */
+@@ -766,7 +768,12 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
+ 
+       if (eaddr)
+               *eaddr = indirect_ptr;
+-      return kvm_is_visible_gfn(its->dev->kvm, gfn);
++
++out:
++      idx = srcu_read_lock(&its->dev->kvm->srcu);
++      ret = kvm_is_visible_gfn(its->dev->kvm, gfn);
++      srcu_read_unlock(&its->dev->kvm->srcu, idx);
++      return ret;
+ }
+ 
+ static int vgic_its_alloc_collection(struct vgic_its *its,
+-- 
+2.19.1
+

diff --git a/queue-4.14/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch b/queue-4.14/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch
new file mode 100644 (file)
index 0000000..5e36246
--- /dev/null
+++ b/queue-4.14/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch
@@ -0,0 +1,47 @@
+From 647e8a584010ff53fef3e3db5aa56ae250527bd1 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 9 Mar 2019 00:04:11 -0600
+Subject: leds: pca9532: fix a potential NULL pointer dereference
+
+[ Upstream commit 0aab8e4df4702b31314a27ec4b0631dfad0fae0a ]
+
+In case of_match_device cannot find a match, return -EINVAL to avoid
+NULL pointer dereference.
+
+Fixes: fa4191a609f2 ("leds: pca9532: Add device tree support")
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/leds/leds-pca9532.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c
+index 7fea18b0c15d..7cb4d685a1f1 100644
+--- a/drivers/leds/leds-pca9532.c
++++ b/drivers/leds/leds-pca9532.c
+@@ -513,6 +513,7 @@ static int pca9532_probe(struct i2c_client *client,
+       const struct i2c_device_id *id)
+ {
+       int devid;
++      const struct of_device_id *of_id;
+       struct pca9532_data *data = i2c_get_clientdata(client);
+       struct pca9532_platform_data *pca9532_pdata =
+                       dev_get_platdata(&client->dev);
+@@ -528,8 +529,11 @@ static int pca9532_probe(struct i2c_client *client,
+                       dev_err(&client->dev, "no platform data\n");
+                       return -EINVAL;
+               }
+-              devid = (int)(uintptr_t)of_match_device(
+-                      of_pca9532_leds_match, &client->dev)->data;
++              of_id = of_match_device(of_pca9532_leds_match,
++                              &client->dev);
++              if (unlikely(!of_id))
++                      return -EINVAL;
++              devid = (int)(uintptr_t) of_id->data;
+       } else {
+               devid = id->driver_data;
+       }
+-- 
+2.19.1
+

diff --git a/queue-4.14/libata-fix-using-dma-buffers-on-stack.patch b/queue-4.14/libata-fix-using-dma-buffers-on-stack.patch
new file mode 100644 (file)
index 0000000..baa1195
--- /dev/null
+++ b/queue-4.14/libata-fix-using-dma-buffers-on-stack.patch
@@ -0,0 +1,87 @@
+From 5b77b8bf95f4d154adeb4331ca247ddb1f0e0802 Mon Sep 17 00:00:00 2001
+From: raymond pang <raymondpangxd@gmail.com>
+Date: Thu, 28 Mar 2019 12:19:25 +0000
+Subject: libata: fix using DMA buffers on stack
+
+[ Upstream commit dd08a8d9a66de4b54575c294a92630299f7e0fe7 ]
+
+When CONFIG_VMAP_STACK=y, __pa() returns incorrect physical address for
+a stack virtual address. Stack DMA buffers must be avoided.
+
+Signed-off-by: raymond pang <raymondpangxd@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/ata/libata-zpodd.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
+index b3ed8f9953a8..173e6f2dd9af 100644
+--- a/drivers/ata/libata-zpodd.c
++++ b/drivers/ata/libata-zpodd.c
+@@ -52,38 +52,52 @@ static int eject_tray(struct ata_device *dev)
+ /* Per the spec, only slot type and drawer type ODD can be supported */
+ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
+ {
+-      char buf[16];
++      char *buf;
+       unsigned int ret;
+-      struct rm_feature_desc *desc = (void *)(buf + 8);
++      struct rm_feature_desc *desc;
+       struct ata_taskfile tf;
+       static const char cdb[] = {  GPCMD_GET_CONFIGURATION,
+                       2,      /* only 1 feature descriptor requested */
+                       0, 3,   /* 3, removable medium feature */
+                       0, 0, 0,/* reserved */
+-                      0, sizeof(buf),
++                      0, 16,
+                       0, 0, 0,
+       };
+ 
++      buf = kzalloc(16, GFP_KERNEL);
++      if (!buf)
++              return ODD_MECH_TYPE_UNSUPPORTED;
++      desc = (void *)(buf + 8);
++
+       ata_tf_init(dev, &tf);
+       tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
+       tf.command = ATA_CMD_PACKET;
+       tf.protocol = ATAPI_PROT_PIO;
+-      tf.lbam = sizeof(buf);
++      tf.lbam = 16;
+ 
+       ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE,
+-                              buf, sizeof(buf), 0);
+-      if (ret)
++                              buf, 16, 0);
++      if (ret) {
++              kfree(buf);
+               return ODD_MECH_TYPE_UNSUPPORTED;
++      }
+ 
+-      if (be16_to_cpu(desc->feature_code) != 3)
++      if (be16_to_cpu(desc->feature_code) != 3) {
++              kfree(buf);
+               return ODD_MECH_TYPE_UNSUPPORTED;
++      }
+ 
+-      if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1)
++      if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) {
++              kfree(buf);
+               return ODD_MECH_TYPE_SLOT;
+-      else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1)
++      } else if (desc->mech_type == 1 && desc->load == 0 &&
++                 desc->eject == 1) {
++              kfree(buf);
+               return ODD_MECH_TYPE_DRAWER;
+-      else
++      } else {
++              kfree(buf);
+               return ODD_MECH_TYPE_UNSUPPORTED;
++      }
+ }
+ 
+ /* Test if ODD is zero power ready by sense code */
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-ethernet-ti-fix-possible-object-reference-leak.patch b/queue-4.14/net-ethernet-ti-fix-possible-object-reference-leak.patch
new file mode 100644 (file)
index 0000000..decf530
--- /dev/null
+++ b/queue-4.14/net-ethernet-ti-fix-possible-object-reference-leak.patch
@@ -0,0 +1,53 @@
+From b3dc7525022eac058272c2c7693f9a45f2a8b14d Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 22 Mar 2019 11:04:09 +0800
+Subject: net: ethernet: ti: fix possible object reference leak
+
+[ Upstream commit 75eac7b5f68b0a0671e795ac636457ee27cc11d8 ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/net/ethernet/ti/netcp_ethss.c:3661:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function.
+./drivers/net/ethernet/ti/netcp_ethss.c:3665:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Wingman Kwok <w-kwok2@ti.com>
+Cc: Murali Karicheri <m-karicheri2@ti.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/netcp_ethss.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/netcp_ethss.c b/drivers/net/ethernet/ti/netcp_ethss.c
+index 28cb38af1a34..ff7a71ca0b13 100644
+--- a/drivers/net/ethernet/ti/netcp_ethss.c
++++ b/drivers/net/ethernet/ti/netcp_ethss.c
+@@ -3538,12 +3538,16 @@ static int gbe_probe(struct netcp_device *netcp_device, struct device *dev,
+ 
+       ret = netcp_txpipe_init(&gbe_dev->tx_pipe, netcp_device,
+                               gbe_dev->dma_chan_name, gbe_dev->tx_queue_id);
+-      if (ret)
++      if (ret) {
++              of_node_put(interfaces);
+               return ret;
++      }
+ 
+       ret = netcp_txpipe_open(&gbe_dev->tx_pipe);
+-      if (ret)
++      if (ret) {
++              of_node_put(interfaces);
+               return ret;
++      }
+ 
+       /* Create network interfaces */
+       INIT_LIST_HEAD(&gbe_dev->gbe_intf_head);
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-ibm-fix-possible-object-reference-leak.patch b/queue-4.14/net-ibm-fix-possible-object-reference-leak.patch
new file mode 100644 (file)
index 0000000..898761c
--- /dev/null
+++ b/queue-4.14/net-ibm-fix-possible-object-reference-leak.patch
@@ -0,0 +1,40 @@
+From fad3c231ff383d8dde710456d7757ef14c3c6a38 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 22 Mar 2019 11:04:08 +0800
+Subject: net: ibm: fix possible object reference leak
+
+[ Upstream commit be693df3cf9dd113ff1d2c0d8150199efdba37f6 ]
+
+The call to ehea_get_eth_dn returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/net/ethernet/ibm/ehea/ehea_main.c:3163:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3154, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Douglas Miller <dougmill@linux.ibm.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ehea/ehea_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+index 4878b7169e0f..30cbdf0fed59 100644
+--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+@@ -3176,6 +3176,7 @@ static ssize_t ehea_probe_port(struct device *dev,
+ 
+       if (ehea_add_adapter_mr(adapter)) {
+               pr_err("creating MR failed\n");
++              of_node_put(eth_dn);
+               return -EIO;
+       }
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-ks8851-delay-requesting-irq-until-opened.patch b/queue-4.14/net-ks8851-delay-requesting-irq-until-opened.patch
new file mode 100644 (file)
index 0000000..c60a2e7
--- /dev/null
+++ b/queue-4.14/net-ks8851-delay-requesting-irq-until-opened.patch
@@ -0,0 +1,94 @@
+From 385de85dcdc742717b6afcce968c87a37b6161ba Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Delay requesting IRQ until opened
+
+[ Upstream commit d268f31552794abf5b6aa5af31021643411f25f5 ]
+
+The ks8851 driver currently requests the IRQ before registering the
+net_device.  Because the net_device name is used as IRQ name and is
+still "eth%d" when the IRQ is requested, it's impossibe to tell IRQs
+apart if multiple ks8851 chips are present.  Most other drivers delay
+requesting the IRQ until the net_device is opened.  Do the same.
+
+The driver doesn't enable interrupts on the chip before opening the
+net_device and disables them when closing it, so there doesn't seem to
+be a need to request the IRQ already on probe.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index 546a79b9cb15..b8f20aa2b7ad 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -776,6 +776,15 @@ static void ks8851_tx_work(struct work_struct *work)
+ static int ks8851_net_open(struct net_device *dev)
+ {
+       struct ks8851_net *ks = netdev_priv(dev);
++      int ret;
++
++      ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
++                                 IRQF_TRIGGER_LOW | IRQF_ONESHOT,
++                                 dev->name, ks);
++      if (ret < 0) {
++              netdev_err(dev, "failed to get irq\n");
++              return ret;
++      }
+ 
+       /* lock the card, even if we may not actually be doing anything
+        * else at the moment */
+@@ -890,6 +899,8 @@ static int ks8851_net_stop(struct net_device *dev)
+               dev_kfree_skb(txb);
+       }
+ 
++      free_irq(dev->irq, ks);
++
+       return 0;
+ }
+ 
+@@ -1520,14 +1531,6 @@ static int ks8851_probe(struct spi_device *spi)
+       ks8851_read_selftest(ks);
+       ks8851_init_mac(ks);
+ 
+-      ret = request_threaded_irq(spi->irq, NULL, ks8851_irq,
+-                                 IRQF_TRIGGER_LOW | IRQF_ONESHOT,
+-                                 ndev->name, ks);
+-      if (ret < 0) {
+-              dev_err(&spi->dev, "failed to get irq\n");
+-              goto err_irq;
+-      }
+-
+       ret = register_netdev(ndev);
+       if (ret) {
+               dev_err(&spi->dev, "failed to register network device\n");
+@@ -1540,11 +1543,7 @@ static int ks8851_probe(struct spi_device *spi)
+ 
+       return 0;
+ 
+-
+ err_netdev:
+-      free_irq(ndev->irq, ks);
+-
+-err_irq:
+ err_id:
+       if (gpio_is_valid(gpio))
+               gpio_set_value(gpio, 0);
+@@ -1565,7 +1564,6 @@ static int ks8851_remove(struct spi_device *spi)
+               dev_info(&spi->dev, "remove\n");
+ 
+       unregister_netdev(priv->netdev);
+-      free_irq(spi->irq, priv);
+       if (gpio_is_valid(priv->gpio))
+               gpio_set_value(priv->gpio, 0);
+       regulator_disable(priv->vdd_reg);
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-ks8851-dequeue-rx-packets-explicitly.patch b/queue-4.14/net-ks8851-dequeue-rx-packets-explicitly.patch
new file mode 100644 (file)
index 0000000..a687681
--- /dev/null
+++ b/queue-4.14/net-ks8851-dequeue-rx-packets-explicitly.patch
@@ -0,0 +1,76 @@
+From a108988a26846107d0558a0697bda6c250180a5c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Dequeue RX packets explicitly
+
+[ Upstream commit 536d3680fd2dab5c39857d62a3e084198fc74ff9 ]
+
+The ks8851 driver lets the chip auto-dequeue received packets once they
+have been read in full. It achieves that by setting the ADRFE flag in
+the RXQCR register ("Auto-Dequeue RXQ Frame Enable").
+
+However if allocation of a packet's socket buffer or retrieval of the
+packet over the SPI bus fails, the packet will not have been read in
+full and is not auto-dequeued. Such partial retrieval of a packet
+confuses the chip's RX queue management:  On the next RX interrupt,
+the first packet read from the queue will be the one left there
+previously and this one can be retrieved without issues. But for any
+newly received packets, the frame header status and byte count registers
+(RXFHSR and RXFHBCR) contain bogus values, preventing their retrieval.
+
+The chip allows explicitly dequeueing a packet from the RX queue by
+setting the RRXEF flag in the RXQCR register ("Release RX Error Frame").
+This could be used to dequeue the packet in case of an error, but if
+that error is a failed SPI transfer, it is unknown if the packet was
+transferred in full and was auto-dequeued or if it was only transferred
+in part and requires an explicit dequeue. The safest approach is thus
+to always dequeue packets explicitly and forgo auto-dequeueing.
+
+Without this change, I've witnessed packet retrieval break completely
+when an SPI DMA transfer fails, requiring a chip reset. Explicit
+dequeueing magically fixes this and makes packet retrieval absolutely
+robust for me.
+
+The chip's documentation suggests auto-dequeuing and uses the RRXEF
+flag only to dequeue error frames which the driver doesn't want to
+retrieve. But that seems to be a fair-weather approach.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index 2fe96f1f3fe5..556666b0d756 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -526,9 +526,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
+               /* set dma read address */
+               ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00);
+ 
+-              /* start the packet dma process, and set auto-dequeue rx */
+-              ks8851_wrreg16(ks, KS_RXQCR,
+-                             ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE);
++              /* start DMA access */
++              ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
+ 
+               if (rxlen > 4) {
+                       unsigned int rxalign;
+@@ -559,7 +558,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
+                       }
+               }
+ 
+-              ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
++              /* end DMA access and dequeue packet */
++              ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF);
+       }
+ }
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch b/queue-4.14/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch
new file mode 100644 (file)
index 0000000..28d1193
--- /dev/null
+++ b/queue-4.14/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch
@@ -0,0 +1,45 @@
+From a2fbbd0b3a125e12ecaf6f54e6b179ac8400ed88 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Reassert reset pin if chip ID check fails
+
+[ Upstream commit 761cfa979a0c177d6c2d93ef5585cd79ae49a7d5 ]
+
+Commit 73fdeb82e963 ("net: ks8851: Add optional vdd_io regulator and
+reset gpio") amended the ks8851 driver to briefly assert the chip's
+reset pin on probe. It also amended the probe routine's error path to
+reassert the reset pin if a subsequent initialization step fails.
+
+However the commit misplaced reassertion of the reset pin in the error
+path such that it is not performed if the check of the Chip ID and
+Enable Register (CIDER) fails. The error path is therefore slightly
+asymmetrical to the probe routine's body. Fix it.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Stephen Boyd <sboyd@codeaurora.org>
+Cc: Nishanth Menon <nm@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index 556666b0d756..546a79b9cb15 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -1545,9 +1545,9 @@ static int ks8851_probe(struct spi_device *spi)
+       free_irq(ndev->irq, ks);
+ 
+ err_irq:
++err_id:
+       if (gpio_is_valid(gpio))
+               gpio_set_value(gpio, 0);
+-err_id:
+       regulator_disable(ks->vdd_reg);
+ err_reg:
+       regulator_disable(ks->vdd_io);
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-ks8851-set-initial-carrier-state-to-down.patch b/queue-4.14/net-ks8851-set-initial-carrier-state-to-down.patch
new file mode 100644 (file)
index 0000000..3e13cf1
--- /dev/null
+++ b/queue-4.14/net-ks8851-set-initial-carrier-state-to-down.patch
@@ -0,0 +1,54 @@
+From 67977a057cfa6fe6a24743129b3091c11f1878ab Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 20 Mar 2019 15:02:00 +0100
+Subject: net: ks8851: Set initial carrier state to down
+
+[ Upstream commit 9624bafa5f6418b9ca5b3f66d1f6a6a2e8bf6d4c ]
+
+The ks8851 chip's initial carrier state is down. A Link Change Interrupt
+is signaled once interrupts are enabled if the carrier is up.
+
+The ks8851 driver has it backwards by assuming that the initial carrier
+state is up. The state is therefore misrepresented if the interface is
+opened with no cable attached. Fix it.
+
+The Link Change interrupt is sometimes not signaled unless the P1MBSR
+register (which contains the Link Status bit) is read on ->ndo_open().
+This might be a hardware erratum. Read the register by calling
+mii_check_link(), which has the desirable side effect of setting the
+carrier state to down if the cable was detached while the interface was
+closed.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Tristram Ha <Tristram.Ha@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
+index b8f20aa2b7ad..7ddaa7d88f1d 100644
+--- a/drivers/net/ethernet/micrel/ks8851.c
++++ b/drivers/net/ethernet/micrel/ks8851.c
+@@ -849,6 +849,7 @@ static int ks8851_net_open(struct net_device *dev)
+       netif_dbg(ks, ifup, ks->netdev, "network device up\n");
+ 
+       mutex_unlock(&ks->lock);
++      mii_check_link(&ks->mii);
+       return 0;
+ }
+ 
+@@ -1510,6 +1511,7 @@ static int ks8851_probe(struct spi_device *spi)
+ 
+       spi_set_drvdata(spi, ks);
+ 
++      netif_carrier_off(ks->netdev);
+       ndev->if_port = IF_PORT_100BASET;
+       ndev->netdev_ops = &ks8851_netdev_ops;
+       ndev->irq = spi->irq;
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-macb-add-null-check-for-pclk-and-hclk.patch b/queue-4.14/net-macb-add-null-check-for-pclk-and-hclk.patch
new file mode 100644 (file)
index 0000000..77986bb
--- /dev/null
+++ b/queue-4.14/net-macb-add-null-check-for-pclk-and-hclk.patch
@@ -0,0 +1,50 @@
+From 9f3aff9794d00c36ff0d84b58dd398d80356706e Mon Sep 17 00:00:00 2001
+From: Harini Katakam <harini.katakam@xilinx.com>
+Date: Wed, 20 Mar 2019 19:12:22 +0530
+Subject: net: macb: Add null check for PCLK and HCLK
+
+[ Upstream commit cd5afa91f078c0787be0a62b5ef90301c00b0271 ]
+
+Both PCLK and HCLK are "required" clocks according to macb devicetree
+documentation. There is a chance that devm_clk_get doesn't return a
+negative error but just a NULL clock structure instead. In such a case
+the driver proceeds as usual and uses pclk value 0 to calculate MDC
+divisor which is incorrect. Hence fix the same in clock initialization.
+
+Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 9046993947cc..2287749de087 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -2817,14 +2817,20 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk,
+               *hclk = devm_clk_get(&pdev->dev, "hclk");
+       }
+ 
+-      if (IS_ERR(*pclk)) {
++      if (IS_ERR_OR_NULL(*pclk)) {
+               err = PTR_ERR(*pclk);
++              if (!err)
++                      err = -ENODEV;
++
+               dev_err(&pdev->dev, "failed to get macb_clk (%u)\n", err);
+               return err;
+       }
+ 
+-      if (IS_ERR(*hclk)) {
++      if (IS_ERR_OR_NULL(*hclk)) {
+               err = PTR_ERR(*hclk);
++              if (!err)
++                      err = -ENODEV;
++
+               dev_err(&pdev->dev, "failed to get hclk (%u)\n", err);
+               return err;
+       }
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch b/queue-4.14/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
new file mode 100644 (file)
index 0000000..6827cb2
--- /dev/null
+++ b/queue-4.14/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
@@ -0,0 +1,39 @@
+From cce4a27e9bca38dd3f702311c46acb6d14374e74 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 20 Mar 2019 15:00:15 +0100
+Subject: net/sched: don't dereference a->goto_chain to read the chain index
+
+[ Upstream commit fe384e2fa36ca084a456fd30558cccc75b4b3fbd ]
+
+callers of tcf_gact_goto_chain_index() can potentially read an old value
+of the chain index, or even dereference a NULL 'goto_chain' pointer,
+because 'goto_chain' and 'tcfa_action' are read in the traffic path
+without caring of concurrent write in the control path. The most recent
+value of chain index can be read also from a->tcfa_action (it's encoded
+there together with TC_ACT_GOTO_CHAIN bits), so we don't really need to
+dereference 'goto_chain': just read the chain id from the control action.
+
+Fixes: e457d86ada27 ("net: sched: add couple of goto_chain helpers")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ include/net/tc_act/tc_gact.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/tc_act/tc_gact.h b/include/net/tc_act/tc_gact.h
+index e82d93346b63..bb74ea83d57d 100644
+--- a/include/net/tc_act/tc_gact.h
++++ b/include/net/tc_act/tc_gact.h
+@@ -51,7 +51,7 @@ static inline bool is_tcf_gact_goto_chain(const struct tc_action *a)
+ 
+ static inline u32 tcf_gact_goto_chain_index(const struct tc_action *a)
+ {
+-      return a->goto_chain->index;
++      return READ_ONCE(a->tcfa_action) & TC_ACT_EXT_VAL_MASK;
+ }
+ 
+ #endif /* __NET_TC_GACT_H */
+-- 
+2.19.1
+

diff --git a/queue-4.14/net-xilinx-fix-possible-object-reference-leak.patch b/queue-4.14/net-xilinx-fix-possible-object-reference-leak.patch
new file mode 100644 (file)
index 0000000..01478f3
--- /dev/null
+++ b/queue-4.14/net-xilinx-fix-possible-object-reference-leak.patch
@@ -0,0 +1,50 @@
+From 0aa1a90b398569f6f8bf5967fa1c1e5d8e5c7829 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 22 Mar 2019 11:04:07 +0800
+Subject: net: xilinx: fix possible object reference leak
+
+[ Upstream commit fa3a419d2f674b431d38748cb58fb7da17ee8949 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1624:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1569, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Anirudha Sarangi <anirudh@xilinx.com>
+Cc: John Linn <John.Linn@xilinx.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Michal Simek <michal.simek@xilinx.com>
+Cc: netdev@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index e74e1e897864..d46dc8cd1670 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -1575,12 +1575,14 @@ static int axienet_probe(struct platform_device *pdev)
+       ret = of_address_to_resource(np, 0, &dmares);
+       if (ret) {
+               dev_err(&pdev->dev, "unable to get DMA resource\n");
++              of_node_put(np);
+               goto free_netdev;
+       }
+       lp->dma_regs = devm_ioremap_resource(&pdev->dev, &dmares);
+       if (IS_ERR(lp->dma_regs)) {
+               dev_err(&pdev->dev, "could not map DMA regs\n");
+               ret = PTR_ERR(lp->dma_regs);
++              of_node_put(np);
+               goto free_netdev;
+       }
+       lp->rx_irq = irq_of_parse_and_map(np, 1);
+-- 
+2.19.1
+

diff --git a/queue-4.14/netfilter-bridge-set-skb-transport_header-before-ent.patch b/queue-4.14/netfilter-bridge-set-skb-transport_header-before-ent.patch
new file mode 100644 (file)
index 0000000..0ba6dbe
--- /dev/null
+++ b/queue-4.14/netfilter-bridge-set-skb-transport_header-before-ent.patch
@@ -0,0 +1,57 @@
+From 1381a0d20eda23b8cd120c62a98fb06f688b8762 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 13 Mar 2019 16:33:29 +0800
+Subject: netfilter: bridge: set skb transport_header before entering
+ NF_INET_PRE_ROUTING
+
+[ Upstream commit e166e4fdaced850bee3d5ee12a5740258fb30587 ]
+
+Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"),
+skb->transport_header has been always set before entering INET
+netfilter. This patch is to set skb->transport_header for bridge
+before entering INET netfilter by bridge-nf-call-iptables.
+
+It also fixes an issue that sctp_error() couldn't compute a right
+csum due to unset skb->transport_header.
+
+Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
+Reported-by: Li Shuang <shuali@redhat.com>
+Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 1 +
+ net/bridge/br_netfilter_ipv6.c  | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 5fd283d9929e..89936e0d55c9 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -512,6 +512,7 @@ static unsigned int br_nf_pre_routing(void *priv,
+       nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
+ 
+       skb->protocol = htons(ETH_P_IP);
++      skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
+ 
+       NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
+               skb->dev, NULL,
+diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
+index 5811208863b7..09d5e0c7b3ba 100644
+--- a/net/bridge/br_netfilter_ipv6.c
++++ b/net/bridge/br_netfilter_ipv6.c
+@@ -235,6 +235,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
+       nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
+ 
+       skb->protocol = htons(ETH_P_IPV6);
++      skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
++
+       NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
+               skb->dev, NULL,
+               br_nf_pre_routing_finish_ipv6);
+-- 
+2.19.1
+

diff --git a/queue-4.14/netfilter-nft_set_rbtree-check-for-inactive-element-.patch b/queue-4.14/netfilter-nft_set_rbtree-check-for-inactive-element-.patch
new file mode 100644 (file)
index 0000000..b43b2ca
--- /dev/null
+++ b/queue-4.14/netfilter-nft_set_rbtree-check-for-inactive-element-.patch
@@ -0,0 +1,49 @@
+From 993b7bee8b5db671e1f5b0814a5819853f5afc94 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 12 Mar 2019 12:10:59 +0100
+Subject: netfilter: nft_set_rbtree: check for inactive element after flag
+ mismatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 05b7639da55f5555b9866a1f4b7e8995232a6323 ]
+
+Otherwise, we hit bogus ENOENT when removing elements.
+
+Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
+Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ net/netfilter/nft_set_rbtree.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index d83a4ec5900d..6f3205de887f 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -224,10 +224,6 @@ static void *nft_rbtree_deactivate(const struct net *net,
+               else if (d > 0)
+                       parent = parent->rb_right;
+               else {
+-                      if (!nft_set_elem_active(&rbe->ext, genmask)) {
+-                              parent = parent->rb_left;
+-                              continue;
+-                      }
+                       if (nft_rbtree_interval_end(rbe) &&
+                           !nft_rbtree_interval_end(this)) {
+                               parent = parent->rb_left;
+@@ -236,6 +232,9 @@ static void *nft_rbtree_deactivate(const struct net *net,
+                                  nft_rbtree_interval_end(this)) {
+                               parent = parent->rb_right;
+                               continue;
++                      } else if (!nft_set_elem_active(&rbe->ext, genmask)) {
++                              parent = parent->rb_left;
++                              continue;
+                       }
+                       nft_rbtree_flush(net, set, rbe);
+                       return rbe;
+-- 
+2.19.1
+

diff --git a/queue-4.14/nfs-fix-a-typo-in-nfs_init_timeout_values.patch b/queue-4.14/nfs-fix-a-typo-in-nfs_init_timeout_values.patch
new file mode 100644 (file)
index 0000000..95a5499
--- /dev/null
+++ b/queue-4.14/nfs-fix-a-typo-in-nfs_init_timeout_values.patch
@@ -0,0 +1,34 @@
+From 9399a562d638b28f144ed8594063c790221f2a21 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 21 Mar 2019 17:57:56 -0400
+Subject: NFS: Fix a typo in nfs_init_timeout_values()
+
+[ Upstream commit 5a698243930c441afccec04e4d5dc8febfd2b775 ]
+
+Specifying a retrans=0 mount parameter to a NFS/TCP mount, is
+inadvertently causing the NFS client to rewrite any specified
+timeout parameter to the default of 60 seconds.
+
+Fixes: a956beda19a6 ("NFS: Allow the mount option retrans=0")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ fs/nfs/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index 7d6ddfd60271..a98d64a6eda5 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -459,7 +459,7 @@ void nfs_init_timeout_values(struct rpc_timeout *to, int proto,
+       case XPRT_TRANSPORT_RDMA:
+               if (retrans == NFS_UNSPEC_RETRANS)
+                       to->to_retries = NFS_DEF_TCP_RETRANS;
+-              if (timeo == NFS_UNSPEC_TIMEO || to->to_retries == 0)
++              if (timeo == NFS_UNSPEC_TIMEO || to->to_initval == 0)
+                       to->to_initval = NFS_DEF_TCP_TIMEO * HZ / 10;
+               if (to->to_initval > NFS_MAX_TCP_TIMEOUT)
+                       to->to_initval = NFS_MAX_TCP_TIMEOUT;
+-- 
+2.19.1
+

diff --git a/queue-4.14/ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch b/queue-4.14/ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch
new file mode 100644 (file)
index 0000000..b9605a7
--- /dev/null
+++ b/queue-4.14/ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch
@@ -0,0 +1,134 @@
+From 28f4991dda2ff28285bf14f961fefe8a4e3dba45 Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@gmail.com>
+Date: Thu, 28 Mar 2019 20:44:13 -0700
+Subject: ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK
+
+[ Upstream commit fcfc2aa0185f4a731d05a21e9f359968fdfd02e7 ]
+
+There are a few system calls (pselect, ppoll, etc) which replace a task
+sigmask while they are running in a kernel-space
+
+When a task calls one of these syscalls, the kernel saves a current
+sigmask in task->saved_sigmask and sets a syscall sigmask.
+
+On syscall-exit-stop, ptrace traps a task before restoring the
+saved_sigmask, so PTRACE_GETSIGMASK returns the syscall sigmask and
+PTRACE_SETSIGMASK does nothing, because its sigmask is replaced by
+saved_sigmask, when the task returns to user-space.
+
+This patch fixes this problem.  PTRACE_GETSIGMASK returns saved_sigmask
+if it's set.  PTRACE_SETSIGMASK drops the TIF_RESTORE_SIGMASK flag.
+
+Link: http://lkml.kernel.org/r/20181120060616.6043-1-avagin@gmail.com
+Fixes: 29000caecbe8 ("ptrace: add ability to get/set signal-blocked mask")
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ include/linux/sched/signal.h | 18 ++++++++++++++++++
+ kernel/ptrace.c              | 15 +++++++++++++--
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
+index fbf86ecd149d..bcaba7e8ca6e 100644
+--- a/include/linux/sched/signal.h
++++ b/include/linux/sched/signal.h
+@@ -377,10 +377,20 @@ static inline void set_restore_sigmask(void)
+       set_thread_flag(TIF_RESTORE_SIGMASK);
+       WARN_ON(!test_thread_flag(TIF_SIGPENDING));
+ }
++
++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk)
++{
++      clear_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK);
++}
++
+ static inline void clear_restore_sigmask(void)
+ {
+       clear_thread_flag(TIF_RESTORE_SIGMASK);
+ }
++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk)
++{
++      return test_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK);
++}
+ static inline bool test_restore_sigmask(void)
+ {
+       return test_thread_flag(TIF_RESTORE_SIGMASK);
+@@ -398,6 +408,10 @@ static inline void set_restore_sigmask(void)
+       current->restore_sigmask = true;
+       WARN_ON(!test_thread_flag(TIF_SIGPENDING));
+ }
++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk)
++{
++      tsk->restore_sigmask = false;
++}
+ static inline void clear_restore_sigmask(void)
+ {
+       current->restore_sigmask = false;
+@@ -406,6 +420,10 @@ static inline bool test_restore_sigmask(void)
+ {
+       return current->restore_sigmask;
+ }
++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk)
++{
++      return tsk->restore_sigmask;
++}
+ static inline bool test_and_clear_restore_sigmask(void)
+ {
+       if (!current->restore_sigmask)
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 84b1367935e4..f1c85b6c39ae 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -29,6 +29,7 @@
+ #include <linux/hw_breakpoint.h>
+ #include <linux/cn_proc.h>
+ #include <linux/compat.h>
++#include <linux/sched/signal.h>
+ 
+ /*
+  * Access another process' address space via ptrace.
+@@ -925,18 +926,26 @@ int ptrace_request(struct task_struct *child, long request,
+                       ret = ptrace_setsiginfo(child, &siginfo);
+               break;
+ 
+-      case PTRACE_GETSIGMASK:
++      case PTRACE_GETSIGMASK: {
++              sigset_t *mask;
++
+               if (addr != sizeof(sigset_t)) {
+                       ret = -EINVAL;
+                       break;
+               }
+ 
+-              if (copy_to_user(datavp, &child->blocked, sizeof(sigset_t)))
++              if (test_tsk_restore_sigmask(child))
++                      mask = &child->saved_sigmask;
++              else
++                      mask = &child->blocked;
++
++              if (copy_to_user(datavp, mask, sizeof(sigset_t)))
+                       ret = -EFAULT;
+               else
+                       ret = 0;
+ 
+               break;
++      }
+ 
+       case PTRACE_SETSIGMASK: {
+               sigset_t new_set;
+@@ -962,6 +971,8 @@ int ptrace_request(struct task_struct *child, long request,
+               child->blocked = new_set;
+               spin_unlock_irq(&child->sighand->siglock);
+ 
++              clear_tsk_restore_sigmask(child);
++
+               ret = 0;
+               break;
+       }
+-- 
+2.19.1
+

diff --git a/queue-4.14/qlcnic-avoid-potential-null-pointer-dereference.patch b/queue-4.14/qlcnic-avoid-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..0ddafdf
--- /dev/null
+++ b/queue-4.14/qlcnic-avoid-potential-null-pointer-dereference.patch
@@ -0,0 +1,33 @@
+From d716c672c57cefa1f89b9c140b8977b3c9c0a4b0 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Thu, 14 Mar 2019 15:31:40 -0500
+Subject: qlcnic: Avoid potential NULL pointer dereference
+
+[ Upstream commit 5bf7295fe34a5251b1d241b9736af4697b590670 ]
+
+netdev_alloc_skb can fail and return a NULL pointer which is
+dereferenced without a check. The patch avoids such a scenario.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+index 7f7deeaf1cf0..da042bc520d4 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+@@ -1047,6 +1047,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode)
+ 
+       for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) {
+               skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE);
++              if (!skb)
++                      break;
+               qlcnic_create_loopback_buff(skb->data, adapter->mac_addr);
+               skb_put(skb, QLCNIC_ILB_PKT_SIZE);
+               adapter->ahw->diag_cnt = 0;
+-- 
+2.19.1
+

diff --git a/queue-4.14/s390-limit-brk-randomization-to-32mb.patch b/queue-4.14/s390-limit-brk-randomization-to-32mb.patch
new file mode 100644 (file)
index 0000000..09de5de
--- /dev/null
+++ b/queue-4.14/s390-limit-brk-randomization-to-32mb.patch
@@ -0,0 +1,47 @@
+From 320a0929b195892535f6c180a8ab7e6f412fca1b Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Mon, 4 Mar 2019 12:33:28 +0100
+Subject: s390: limit brk randomization to 32MB
+
+[ Upstream commit cd479eccd2e057116d504852814402a1e68ead80 ]
+
+For a 64-bit process the randomization of the program break is quite
+large with 1GB. That is as big as the randomization of the anonymous
+mapping base, for a test case started with '/lib/ld64.so.1 <exec>'
+it can happen that the heap is placed after the stack. To avoid
+this limit the program break randomization to 32MB for 64-bit and
+keep 8MB for 31-bit.
+
+Reported-by: Stefan Liebler <stli@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ arch/s390/include/asm/elf.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
+index 1a61b1b997f2..3055c030f765 100644
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -252,11 +252,14 @@ do {                                                             \
+ 
+ /*
+  * Cache aliasing on the latest machines calls for a mapping granularity
+- * of 512KB. For 64-bit processes use a 512KB alignment and a randomization
+- * of up to 1GB. For 31-bit processes the virtual address space is limited,
+- * use no alignment and limit the randomization to 8MB.
++ * of 512KB for the anonymous mapping base. For 64-bit processes use a
++ * 512KB alignment and a randomization of up to 1GB. For 31-bit processes
++ * the virtual address space is limited, use no alignment and limit the
++ * randomization to 8MB.
++ * For the additional randomization of the program break use 32MB for
++ * 64-bit and 8MB for 31-bit.
+  */
+-#define BRK_RND_MASK  (is_compat_task() ? 0x7ffUL : 0x3ffffUL)
++#define BRK_RND_MASK  (is_compat_task() ? 0x7ffUL : 0x1fffUL)
+ #define MMAP_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ff80UL)
+ #define MMAP_ALIGN_MASK       (is_compat_task() ? 0 : 0x7fUL)
+ #define STACK_RND_MASK        MMAP_RND_MASK
+-- 
+2.19.1
+

diff --git a/queue-4.14/s390-qeth-fix-race-when-initializing-the-ip-address-.patch b/queue-4.14/s390-qeth-fix-race-when-initializing-the-ip-address-.patch
new file mode 100644 (file)
index 0000000..547e58d
--- /dev/null
+++ b/queue-4.14/s390-qeth-fix-race-when-initializing-the-ip-address-.patch
@@ -0,0 +1,42 @@
+From f355fabc4e0bf64811397f50cc2353645d52baaa Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 18 Mar 2019 16:40:55 +0100
+Subject: s390/qeth: fix race when initializing the IP address table
+
+[ Upstream commit 7221b727f0079a32aca91f657141e1de564d4b97 ]
+
+The ucast IP table is utilized by some of the L3-specific sysfs attributes
+that qeth_l3_create_device_attributes() provides. So initialize the table
+_before_ registering the attributes.
+
+Fixes: ebccc7397e4a ("s390/qeth: add missing hash table initializations")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_l3_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
+index a19f2dc69e8a..d9830c86d0c1 100644
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -3022,12 +3022,14 @@ static int qeth_l3_probe_device(struct ccwgroup_device *gdev)
+       struct qeth_card *card = dev_get_drvdata(&gdev->dev);
+       int rc;
+ 
++      hash_init(card->ip_htable);
++
+       if (gdev->dev.type == &qeth_generic_devtype) {
+               rc = qeth_l3_create_device_attributes(&gdev->dev);
+               if (rc)
+                       return rc;
+       }
+-      hash_init(card->ip_htable);
++
+       hash_init(card->ip_mc_htable);
+       card->options.layer2 = 0;
+       card->info.hwtrap = 0;
+-- 
+2.19.1
+

diff --git a/queue-4.14/sc16is7xx-missing-unregister-delete-driver-on-error-.patch b/queue-4.14/sc16is7xx-missing-unregister-delete-driver-on-error-.patch
new file mode 100644 (file)
index 0000000..13a5a10
--- /dev/null
+++ b/queue-4.14/sc16is7xx-missing-unregister-delete-driver-on-error-.patch
@@ -0,0 +1,55 @@
+From ab0dd7968ffa47d8749acd7b7279edea39c9e0aa Mon Sep 17 00:00:00 2001
+From: Mao Wenan <maowenan@huawei.com>
+Date: Fri, 8 Mar 2019 22:08:31 +0800
+Subject: sc16is7xx: missing unregister/delete driver on error in
+ sc16is7xx_init()
+
+[ Upstream commit ac0cdb3d990108df795b676cd0d0e65ac34b2273 ]
+
+Add the missing uart_unregister_driver() and i2c_del_driver() before return
+from sc16is7xx_init() in the error handling case.
+
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index a79f18edf2bd..e48523da47ac 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -1483,7 +1483,7 @@ static int __init sc16is7xx_init(void)
+       ret = i2c_add_driver(&sc16is7xx_i2c_uart_driver);
+       if (ret < 0) {
+               pr_err("failed to init sc16is7xx i2c --> %d\n", ret);
+-              return ret;
++              goto err_i2c;
+       }
+ #endif
+ 
+@@ -1491,10 +1491,18 @@ static int __init sc16is7xx_init(void)
+       ret = spi_register_driver(&sc16is7xx_spi_uart_driver);
+       if (ret < 0) {
+               pr_err("failed to init sc16is7xx spi --> %d\n", ret);
+-              return ret;
++              goto err_spi;
+       }
+ #endif
+       return ret;
++
++err_spi:
++#ifdef CONFIG_SERIAL_SC16IS7XX_I2C
++      i2c_del_driver(&sc16is7xx_i2c_uart_driver);
++#endif
++err_i2c:
++      uart_unregister_driver(&sc16is7xx_uart);
++      return ret;
+ }
+ module_init(sc16is7xx_init);
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch b/queue-4.14/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch
new file mode 100644 (file)
index 0000000..bc339ec
--- /dev/null
+++ b/queue-4.14/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch
@@ -0,0 +1,35 @@
+From c879ae8bc6b2a2c54413ff93a78407720b41d817 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 14 Mar 2019 01:30:59 -0500
+Subject: scsi: qla4xxx: fix a potential NULL pointer dereference
+
+[ Upstream commit fba1bdd2a9a93f3e2181ec1936a3c2f6b37e7ed6 ]
+
+In case iscsi_lookup_endpoint fails, the fix returns -EINVAL to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 22dc70a2138e..630b7404843d 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -3207,6 +3207,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session,
+       if (iscsi_conn_bind(cls_session, cls_conn, is_leading))
+               return -EINVAL;
+       ep = iscsi_lookup_endpoint(transport_fd);
++      if (!ep)
++              return -EINVAL;
+       conn = cls_conn->dd_data;
+       qla_conn = conn->dd_data;
+       qla_conn->qla_ep = ep->dd_data;
+-- 
+2.19.1
+

diff --git a/queue-4.14/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch b/queue-4.14/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch
new file mode 100644 (file)
index 0000000..0333d62
--- /dev/null
+++ b/queue-4.14/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch
@@ -0,0 +1,112 @@
+From 21befa74690c2395e5575a2fa5c6879fb02a3715 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Tue, 26 Mar 2019 14:37:00 +0100
+Subject: scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element
+ RSCN
+
+[ Upstream commit c8206579175c34a2546de8a74262456278a7795a ]
+
+If an incoming ELS of type RSCN contains more than one element, zfcp
+suboptimally causes repeated erp trigger NOP trace records for each
+previously failed port. These could be ports that went away.  It loops over
+each RSCN element, and for each of those in an inner loop over all
+zfcp_ports.
+
+The trigger to recover failed ports should be just the reception of some
+RSCN, no matter how many elements it has. So we can loop over failed ports
+separately, and only then loop over each RSCN element to handle the
+non-failed ports.
+
+The call chain was:
+
+  zfcp_fc_incoming_rscn
+    for (i = 1; i < no_entries; i++)
+      _zfcp_fc_incoming_rscn
+        list_for_each_entry(port, &adapter->port_list, list)
+          if (masked port->d_id match) zfcp_fc_test_link
+          if (!port->d_id) zfcp_erp_port_reopen "fcrscn1"   <===
+
+In order the reduce the "flooding" of the REC trace area in such cases, we
+factor out handling the failed ports to be outside of the entries loop:
+
+  zfcp_fc_incoming_rscn
+    if (no_entries > 1)                                     <===
+      list_for_each_entry(port, &adapter->port_list, list)  <===
+        if (!port->d_id) zfcp_erp_port_reopen "fcrscn1"     <===
+    for (i = 1; i < no_entries; i++)
+      _zfcp_fc_incoming_rscn
+        list_for_each_entry(port, &adapter->port_list, list)
+          if (masked port->d_id match) zfcp_fc_test_link
+
+Abbreviated example trace records before this code change:
+
+Tag            : fcrscn1
+WWPN           : 0x500507630310d327
+ERP want       : 0x02
+ERP need       : 0x02
+
+Tag            : fcrscn1
+WWPN           : 0x500507630310d327
+ERP want       : 0x02
+ERP need       : 0x00                 NOP => superfluous trace record
+
+The last trace entry repeats if there are more than 2 RSCN elements.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/s390/scsi/zfcp_fc.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c
+index ca218c82321f..0c5fd722a72d 100644
+--- a/drivers/s390/scsi/zfcp_fc.c
++++ b/drivers/s390/scsi/zfcp_fc.c
+@@ -240,10 +240,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
+       list_for_each_entry(port, &adapter->port_list, list) {
+               if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range))
+                       zfcp_fc_test_link(port);
+-              if (!port->d_id)
+-                      zfcp_erp_port_reopen(port,
+-                                           ZFCP_STATUS_COMMON_ERP_FAILED,
+-                                           "fcrscn1");
+       }
+       read_unlock_irqrestore(&adapter->port_list_lock, flags);
+ }
+@@ -251,6 +247,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
+ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
+ {
+       struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data;
++      struct zfcp_adapter *adapter = fsf_req->adapter;
+       struct fc_els_rscn *head;
+       struct fc_els_rscn_page *page;
+       u16 i;
+@@ -264,6 +261,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
+       no_entries = be16_to_cpu(head->rscn_plen) /
+               sizeof(struct fc_els_rscn_page);
+ 
++      if (no_entries > 1) {
++              /* handle failed ports */
++              unsigned long flags;
++              struct zfcp_port *port;
++
++              read_lock_irqsave(&adapter->port_list_lock, flags);
++              list_for_each_entry(port, &adapter->port_list, list) {
++                      if (port->d_id)
++                              continue;
++                      zfcp_erp_port_reopen(port,
++                                           ZFCP_STATUS_COMMON_ERP_FAILED,
++                                           "fcrscn1");
++              }
++              read_unlock_irqrestore(&adapter->port_list_lock, flags);
++      }
++
+       for (i = 1; i < no_entries; i++) {
+               /* skip head and start with 1st element */
+               page++;
+-- 
+2.19.1
+

diff --git a/queue-4.14/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch b/queue-4.14/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch
new file mode 100644 (file)
index 0000000..499fa58
--- /dev/null
+++ b/queue-4.14/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch
@@ -0,0 +1,102 @@
+From eaee0153c8be85cf643544148efff5af11a7c572 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 6 Mar 2019 17:54:03 +0100
+Subject: serial: ar933x_uart: Fix build failure with disabled console
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 72ff51d8dd262d1fef25baedc2ac35116435be47 ]
+
+Andrey has reported on OpenWrt's bug tracking system[1], that he
+currently can't use ar93xx_uart as pure serial UART without console
+(CONFIG_SERIAL_8250_CONSOLE and CONFIG_SERIAL_AR933X_CONSOLE undefined),
+because compilation ends with following error:
+
+ ar933x_uart.c: In function 'ar933x_uart_console_write':
+ ar933x_uart.c:550:14: error: 'struct uart_port' has no
+                               member named 'sysrq'
+
+So this patch moves all the code related to console handling behind
+series of CONFIG_SERIAL_AR933X_CONSOLE ifdefs.
+
+1. https://bugs.openwrt.org/index.php?do=details&task_id=2152
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Andrey Batyiev <batyiev@gmail.com>
+Reported-by: Andrey Batyiev <batyiev@gmail.com>
+Tested-by: Andrey Batyiev <batyiev@gmail.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/tty/serial/ar933x_uart.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/tty/serial/ar933x_uart.c b/drivers/tty/serial/ar933x_uart.c
+index decc7f3c1ab2..ed545a61413c 100644
+--- a/drivers/tty/serial/ar933x_uart.c
++++ b/drivers/tty/serial/ar933x_uart.c
+@@ -52,11 +52,6 @@ struct ar933x_uart_port {
+       struct clk              *clk;
+ };
+ 
+-static inline bool ar933x_uart_console_enabled(void)
+-{
+-      return IS_ENABLED(CONFIG_SERIAL_AR933X_CONSOLE);
+-}
+-
+ static inline unsigned int ar933x_uart_read(struct ar933x_uart_port *up,
+                                           int offset)
+ {
+@@ -511,6 +506,7 @@ static const struct uart_ops ar933x_uart_ops = {
+       .verify_port    = ar933x_uart_verify_port,
+ };
+ 
++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
+ static struct ar933x_uart_port *
+ ar933x_console_ports[CONFIG_SERIAL_AR933X_NR_UARTS];
+ 
+@@ -607,14 +603,7 @@ static struct console ar933x_uart_console = {
+       .index          = -1,
+       .data           = &ar933x_uart_driver,
+ };
+-
+-static void ar933x_uart_add_console_port(struct ar933x_uart_port *up)
+-{
+-      if (!ar933x_uart_console_enabled())
+-              return;
+-
+-      ar933x_console_ports[up->port.line] = up;
+-}
++#endif /* CONFIG_SERIAL_AR933X_CONSOLE */
+ 
+ static struct uart_driver ar933x_uart_driver = {
+       .owner          = THIS_MODULE,
+@@ -703,7 +692,9 @@ static int ar933x_uart_probe(struct platform_device *pdev)
+       baud = ar933x_uart_get_baud(port->uartclk, 0, AR933X_UART_MAX_STEP);
+       up->max_baud = min_t(unsigned int, baud, AR933X_UART_MAX_BAUD);
+ 
+-      ar933x_uart_add_console_port(up);
++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
++      ar933x_console_ports[up->port.line] = up;
++#endif
+ 
+       ret = uart_add_one_port(&ar933x_uart_driver, &up->port);
+       if (ret)
+@@ -752,8 +743,9 @@ static int __init ar933x_uart_init(void)
+ {
+       int ret;
+ 
+-      if (ar933x_uart_console_enabled())
+-              ar933x_uart_driver.cons = &ar933x_uart_console;
++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
++      ar933x_uart_driver.cons = &ar933x_uart_console;
++#endif
+ 
+       ret = uart_register_driver(&ar933x_uart_driver);
+       if (ret)
+-- 
+2.19.1
+

diff --git a/queue-4.14/series b/queue-4.14/series
index 9d233b6d9eed606583ed540d6dcb7ee3ddac52f6..c4e98f4c28ac18a5db2d6e3b5d36c71e6af9d2b6 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,45 @@ mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch
 mm-add-try_get_page-helper-function.patch
 mm-prevent-get_user_pages-from-overflowing-page-refcount.patch
 fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch
+arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch
+s390-limit-brk-randomization-to-32mb.patch
+qlcnic-avoid-potential-null-pointer-dereference.patch
+netfilter-nft_set_rbtree-check-for-inactive-element-.patch
+netfilter-bridge-set-skb-transport_header-before-ent.patch
+s390-qeth-fix-race-when-initializing-the-ip-address-.patch
+sc16is7xx-missing-unregister-delete-driver-on-error-.patch
+serial-ar933x_uart-fix-build-failure-with-disabled-c.patch
+kvm-arm-arm64-vgic-its-take-the-srcu-lock-when-parsi.patch
+usb-gadget-net2280-fix-overrun-of-out-messages.patch
+usb-gadget-net2280-fix-net2280_dequeue.patch
+usb-gadget-net2272-fix-net2272_dequeue.patch
+arm-dts-pfla02-increase-phy-reset-duration.patch
+net-ks8851-dequeue-rx-packets-explicitly.patch
+net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch
+net-ks8851-delay-requesting-irq-until-opened.patch
+net-ks8851-set-initial-carrier-state-to-down.patch
+staging-rtl8188eu-fix-potential-null-pointer-derefer.patch
+staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch
+staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch
+staging-rtlwifi-fix-potential-null-pointer-dereferen.patch
+net-macb-add-null-check-for-pclk-and-hclk.patch
+net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
+arm-dts-imx6qdl-fix-typo-in-imx6qdl-icore-rqs.dtsi.patch
+nfs-fix-a-typo-in-nfs_init_timeout_values.patch
+net-xilinx-fix-possible-object-reference-leak.patch
+net-ibm-fix-possible-object-reference-leak.patch
+net-ethernet-ti-fix-possible-object-reference-leak.patch
+gpio-aspeed-fix-a-potential-null-pointer-dereference.patch
+drm-meson-fix-invalid-pointer-in-meson_drv_unbind.patch
+drm-meson-uninstall-irq-handler.patch
+scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch
+usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch
+usb-u132-hcd-fix-resource-leak.patch
+ceph-fix-use-after-free-on-symlink-traversal.patch
+scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch
+libata-fix-using-dma-buffers-on-stack.patch
+gpio-of-fix-of_gpiochip_add-error-path.patch
+kconfig-mn-conf-handle-backspace-h-key.patch
+iommu-amd-reserve-exclusion-range-in-iova-domain.patch
+ptrace-take-into-account-saved_sigmask-in-ptrace-get.patch
+leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch

diff --git a/queue-4.14/staging-rtl8188eu-fix-potential-null-pointer-derefer.patch b/queue-4.14/staging-rtl8188eu-fix-potential-null-pointer-derefer.patch
new file mode 100644 (file)
index 0000000..630e90f
--- /dev/null
+++ b/queue-4.14/staging-rtl8188eu-fix-potential-null-pointer-derefer.patch
@@ -0,0 +1,139 @@
+From 3a12cbbd1240d0e06f268bcd305c6f327d91986b Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 12:21:35 -0500
+Subject: staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc
+
+[ Upstream commit 7671ce0d92933762f469266daf43bd34d422d58c ]
+
+hwxmits is allocated via kcalloc and not checked for failure before its
+dereference. The patch fixes this problem by returning error upstream
+in rtl8723bs, rtl8188eu.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Acked-by: Mukesh Ojha <mojha@codeaurora.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtl8188eu/core/rtw_xmit.c    |  9 +++++++--
+ drivers/staging/rtl8188eu/include/rtw_xmit.h |  2 +-
+ drivers/staging/rtl8723bs/core/rtw_xmit.c    | 14 +++++++-------
+ drivers/staging/rtl8723bs/include/rtw_xmit.h |  2 +-
+ 4 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c
+index be2f46eb9f78..904b988ecc4e 100644
+--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c
++++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c
+@@ -188,7 +188,9 @@ s32        _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
+ 
+       pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
+ 
+-      rtw_alloc_hwxmits(padapter);
++      res = rtw_alloc_hwxmits(padapter);
++      if (res == _FAIL)
++              goto exit;
+       rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
+ 
+       for (i = 0; i < 4; i++)
+@@ -1573,7 +1575,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
+       return res;
+ }
+ 
+-void rtw_alloc_hwxmits(struct adapter *padapter)
++s32 rtw_alloc_hwxmits(struct adapter *padapter)
+ {
+       struct hw_xmit *hwxmits;
+       struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
+@@ -1582,6 +1584,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+ 
+       pxmitpriv->hwxmits = kcalloc(pxmitpriv->hwxmit_entry,
+                                    sizeof(struct hw_xmit), GFP_KERNEL);
++      if (!pxmitpriv->hwxmits)
++              return _FAIL;
+ 
+       hwxmits = pxmitpriv->hwxmits;
+ 
+@@ -1589,6 +1593,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+       hwxmits[1] .sta_queue = &pxmitpriv->vi_pending;
+       hwxmits[2] .sta_queue = &pxmitpriv->be_pending;
+       hwxmits[3] .sta_queue = &pxmitpriv->bk_pending;
++      return _SUCCESS;
+ }
+ 
+ void rtw_free_hwxmits(struct adapter *padapter)
+diff --git a/drivers/staging/rtl8188eu/include/rtw_xmit.h b/drivers/staging/rtl8188eu/include/rtw_xmit.h
+index dd6b7a9a8d4a..1be4b478475a 100644
+--- a/drivers/staging/rtl8188eu/include/rtw_xmit.h
++++ b/drivers/staging/rtl8188eu/include/rtw_xmit.h
+@@ -342,7 +342,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter,
+ void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry);
+ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
+ void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv);
+-void rtw_alloc_hwxmits(struct adapter *padapter);
++s32 rtw_alloc_hwxmits(struct adapter *padapter);
+ void rtw_free_hwxmits(struct adapter *padapter);
+ s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt);
+ 
+diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
+index 022f654419e4..91dab7f8a739 100644
+--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
++++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
+@@ -271,7 +271,9 @@ s32        _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
+               }
+       }
+ 
+-      rtw_alloc_hwxmits(padapter);
++      res = rtw_alloc_hwxmits(padapter);
++      if (res == _FAIL)
++              goto exit;
+       rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
+ 
+       for (i = 0; i < 4; i++) {
+@@ -2157,7 +2159,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
+       return res;
+ }
+ 
+-void rtw_alloc_hwxmits(struct adapter *padapter)
++s32 rtw_alloc_hwxmits(struct adapter *padapter)
+ {
+       struct hw_xmit *hwxmits;
+       struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
+@@ -2168,10 +2170,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+ 
+       pxmitpriv->hwxmits = (struct hw_xmit *)rtw_zmalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry);
+ 
+-      if (pxmitpriv->hwxmits == NULL) {
+-              DBG_871X("alloc hwxmits fail!...\n");
+-              return;
+-      }
++      if (!pxmitpriv->hwxmits)
++              return _FAIL;
+ 
+       hwxmits = pxmitpriv->hwxmits;
+ 
+@@ -2217,7 +2217,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
+ 
+       }
+ 
+-
++      return _SUCCESS;
+ }
+ 
+ void rtw_free_hwxmits(struct adapter *padapter)
+diff --git a/drivers/staging/rtl8723bs/include/rtw_xmit.h b/drivers/staging/rtl8723bs/include/rtw_xmit.h
+index 11571649cd2c..92236ca8a1ef 100644
+--- a/drivers/staging/rtl8723bs/include/rtw_xmit.h
++++ b/drivers/staging/rtl8723bs/include/rtw_xmit.h
+@@ -494,7 +494,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
+ void _rtw_free_xmit_priv (struct xmit_priv *pxmitpriv);
+ 
+ 
+-void rtw_alloc_hwxmits(struct adapter *padapter);
++s32 rtw_alloc_hwxmits(struct adapter *padapter);
+ void rtw_free_hwxmits(struct adapter *padapter);
+ 
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch b/queue-4.14/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch
new file mode 100644 (file)
index 0000000..e981aa6
--- /dev/null
+++ b/queue-4.14/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch
@@ -0,0 +1,67 @@
+From 45acd8e24db4cd7ef49f8a7c4ec29f1c3b0505d7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 21 Mar 2019 09:26:38 +0300
+Subject: staging: rtl8712: uninitialized memory in read_bbreg_hdl()
+
+[ Upstream commit 22c971db7dd4b0ad8dd88e99c407f7a1f4231a2e ]
+
+Colin King reported a bug in read_bbreg_hdl():
+
+       memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
+
+The problem is that "val" is uninitialized.
+
+This code is obviously not useful, but so far as I can tell
+"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful
+either.  For now the easiest fix is to just call r8712_free_cmd_obj()
+and return.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Reported-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtl8712/rtl8712_cmd.c | 10 +---------
+ drivers/staging/rtl8712/rtl8712_cmd.h |  2 +-
+ 2 files changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
+index 0104aced113e..ccda04e916c5 100644
+--- a/drivers/staging/rtl8712/rtl8712_cmd.c
++++ b/drivers/staging/rtl8712/rtl8712_cmd.c
+@@ -159,17 +159,9 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
+ 
+ static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
+ {
+-      u32 val;
+-      void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj      *pcmd);
+       struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
+ 
+-      if (pcmd->rsp && pcmd->rspsz > 0)
+-              memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
+-      pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
+-      if (!pcmd_callback)
+-              r8712_free_cmd_obj(pcmd);
+-      else
+-              pcmd_callback(padapter, pcmd);
++      r8712_free_cmd_obj(pcmd);
+       return H2C_SUCCESS;
+ }
+ 
+diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
+index 67e9e910aef9..d10a59d4a550 100644
+--- a/drivers/staging/rtl8712/rtl8712_cmd.h
++++ b/drivers/staging/rtl8712/rtl8712_cmd.h
+@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd {
+ static struct _cmd_callback   cmd_callback[] = {
+       {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/
+       {GEN_CMD_CODE(_Write_MACREG), NULL},
+-      {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback},
++      {GEN_CMD_CODE(_Read_BBREG), NULL},
+       {GEN_CMD_CODE(_Write_BBREG), NULL},
+       {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback},
+       {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/
+-- 
+2.19.1
+

diff --git a/queue-4.14/staging-rtlwifi-fix-potential-null-pointer-dereferen.patch b/queue-4.14/staging-rtlwifi-fix-potential-null-pointer-dereferen.patch
new file mode 100644 (file)
index 0000000..9696a2d
--- /dev/null
+++ b/queue-4.14/staging-rtlwifi-fix-potential-null-pointer-dereferen.patch
@@ -0,0 +1,35 @@
+From 768e2c0b96d49a56a2dbed2d15b8f5897069c23f Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 10:42:32 -0500
+Subject: staging: rtlwifi: Fix potential NULL pointer dereference of kzalloc
+
+[ Upstream commit 6a8ca24590a2136921439b376c926c11a6effc0e ]
+
+phydm.internal is allocated using kzalloc which is used multiple
+times without a check for NULL pointer. This patch avoids such a
+scenario by returning 0, consistent with the failure case.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtlwifi/phydm/rtl_phydm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/rtlwifi/phydm/rtl_phydm.c b/drivers/staging/rtlwifi/phydm/rtl_phydm.c
+index 85e490d3601f..cab563fefc34 100644
+--- a/drivers/staging/rtlwifi/phydm/rtl_phydm.c
++++ b/drivers/staging/rtlwifi/phydm/rtl_phydm.c
+@@ -191,6 +191,8 @@ static int rtl_phydm_init_priv(struct rtl_priv *rtlpriv,
+ 
+       rtlpriv->phydm.internal =
+               kzalloc(sizeof(struct phy_dm_struct), GFP_KERNEL);
++      if (!rtlpriv->phydm.internal)
++              return 0;
+ 
+       _rtl_phydm_init_com_info(rtlpriv, ic, params);
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch b/queue-4.14/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch
new file mode 100644 (file)
index 0000000..e6a4249
--- /dev/null
+++ b/queue-4.14/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-null.patch
@@ -0,0 +1,36 @@
+From 045f0a9f0e3f70f4afc60152f036878365356da0 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 12:02:49 -0500
+Subject: staging: rtlwifi: rtl8822b: fix to avoid potential NULL pointer
+ dereference
+
+[ Upstream commit d70d70aec9632679dd00dcc1b1e8b2517e2c7da0 ]
+
+skb allocated via dev_alloc_skb can fail and return a NULL pointer.
+This patch avoids such a scenario and returns, consistent with other
+invocations.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/staging/rtlwifi/rtl8822be/fw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/rtlwifi/rtl8822be/fw.c b/drivers/staging/rtlwifi/rtl8822be/fw.c
+index acabb2470d55..02ca3157c5a5 100644
+--- a/drivers/staging/rtlwifi/rtl8822be/fw.c
++++ b/drivers/staging/rtlwifi/rtl8822be/fw.c
+@@ -752,6 +752,8 @@ void rtl8822be_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+                     u1_rsvd_page_loc, 3);
+ 
+       skb = dev_alloc_skb(totalpacketlen);
++      if (!skb)
++              return;
+       memcpy((u8 *)skb_put(skb, totalpacketlen), &reserved_page_packet,
+              totalpacketlen);
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/usb-gadget-net2272-fix-net2272_dequeue.patch b/queue-4.14/usb-gadget-net2272-fix-net2272_dequeue.patch
new file mode 100644 (file)
index 0000000..fb79d2b
--- /dev/null
+++ b/queue-4.14/usb-gadget-net2272-fix-net2272_dequeue.patch
@@ -0,0 +1,41 @@
+From 45fbc946456a8ff18f77748a7f69dc35eb302390 Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Mon, 18 Mar 2019 09:18:34 +0100
+Subject: usb: gadget: net2272: Fix net2272_dequeue()
+
+[ Upstream commit 091dacc3cc10979ab0422f0a9f7fcc27eee97e69 ]
+
+Restore the status of ep->stopped in function net2272_dequeue().
+
+When the given request is not found in the endpoint queue
+the function returns -EINVAL without restoring the state of
+ep->stopped. Thus the endpoint keeps blocked and does not transfer
+any data anymore.
+
+This fix is only compile-tested, since we do not have a
+corresponding hardware. An analogous fix was tested in the sibling
+driver. See "usb: gadget: net2280: Fix net2280_dequeue()"
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2272.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c
+index e0759a826b60..7fb31a3b53e6 100644
+--- a/drivers/usb/gadget/udc/net2272.c
++++ b/drivers/usb/gadget/udc/net2272.c
+@@ -958,6 +958,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+                       break;
+       }
+       if (&req->req != _req) {
++              ep->stopped = stopped;
+               spin_unlock_irqrestore(&ep->dev->lock, flags);
+               return -EINVAL;
+       }
+-- 
+2.19.1
+

diff --git a/queue-4.14/usb-gadget-net2280-fix-net2280_dequeue.patch b/queue-4.14/usb-gadget-net2280-fix-net2280_dequeue.patch
new file mode 100644 (file)
index 0000000..24a0878
--- /dev/null
+++ b/queue-4.14/usb-gadget-net2280-fix-net2280_dequeue.patch
@@ -0,0 +1,43 @@
+From 0ad07f0228c8fa992331d9b384ea30bfa7587af4 Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Mon, 18 Mar 2019 09:18:33 +0100
+Subject: usb: gadget: net2280: Fix net2280_dequeue()
+
+[ Upstream commit f1d3fba17cd4eeea20397f1324b7b9c69a6a935c ]
+
+When a request must be dequeued with net2280_dequeue() e.g. due
+to a device clear action and the same request is finished by the
+function scan_dma_completions() then the function net2280_dequeue()
+does not find the request in the following search loop and
+returns the error -EINVAL without restoring the status ep->stopped.
+Thus the endpoint keeps blocked and does not receive any data
+anymore.
+This fix restores the status and does not issue an error message.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index a071ab0c163b..170327f84ea1 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -1277,9 +1277,9 @@ static int net2280_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+                       break;
+       }
+       if (&req->req != _req) {
++              ep->stopped = stopped;
+               spin_unlock_irqrestore(&ep->dev->lock, flags);
+-              dev_err(&ep->dev->pdev->dev, "%s: Request mismatch\n",
+-                                                              __func__);
++              ep_dbg(ep->dev, "%s: Request mismatch\n", __func__);
+               return -EINVAL;
+       }
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/usb-gadget-net2280-fix-overrun-of-out-messages.patch b/queue-4.14/usb-gadget-net2280-fix-overrun-of-out-messages.patch
new file mode 100644 (file)
index 0000000..1e83d75
--- /dev/null
+++ b/queue-4.14/usb-gadget-net2280-fix-overrun-of-out-messages.patch
@@ -0,0 +1,62 @@
+From aa5a5d3608714642539ca629c5b2e6fd46574653 Mon Sep 17 00:00:00 2001
+From: Guido Kiener <guido@kiener-muenchen.de>
+Date: Tue, 19 Mar 2019 19:12:03 +0100
+Subject: usb: gadget: net2280: Fix overrun of OUT messages
+
+[ Upstream commit 9d6a54c1430647355a5e23434881b2ca3d192b48 ]
+
+The OUT endpoint normally blocks (NAK) subsequent packets when a
+short packet was received and returns an incomplete queue entry to
+the gadget driver. Thereby the gadget driver can detect a short packet
+when reading queue entries with a length that is not equal to a
+multiple of packet size.
+
+The start_queue() function enables receiving OUT packets regardless of
+the content of the OUT FIFO. This results in a race: With the current
+code, it's possible that the "!ep->is_in && (readl(&ep->regs->ep_stat)
+& BIT(NAK_OUT_PACKETS))" test in start_dma() will fail, then a short
+packet will be received, and then start_queue() will call
+stop_out_naking(). That's what we don't want (OUT naking gets turned
+off while there is data in the FIFO) because then the next driver
+request might receive a mixture of old and new packets.
+
+With the patch, this race can't occur because the FIFO's state is
+tested after we know that OUT naking is already turned on, and OUT
+naking is stopped only when both of the conditions are met.  This
+ensures that all received data is delivered to the gadget driver,
+which can detect a short packet now before new packets are appended
+to the last short packet.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
+index 9cbb061582a7..a071ab0c163b 100644
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -870,9 +870,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma)
+       (void) readl(&ep->dev->pci->pcimstctl);
+ 
+       writel(BIT(DMA_START), &dma->dmastat);
+-
+-      if (!ep->is_in)
+-              stop_out_naking(ep);
+ }
+ 
+ static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
+@@ -911,6 +908,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
+                       writel(BIT(DMA_START), &dma->dmastat);
+                       return;
+               }
++              stop_out_naking(ep);
+       }
+ 
+       tmp = dmactl_default;
+-- 
+2.19.1
+

diff --git a/queue-4.14/usb-u132-hcd-fix-resource-leak.patch b/queue-4.14/usb-u132-hcd-fix-resource-leak.patch
new file mode 100644 (file)
index 0000000..8a62c7c
--- /dev/null
+++ b/queue-4.14/usb-u132-hcd-fix-resource-leak.patch
@@ -0,0 +1,34 @@
+From d67a9458ad90baab5c42e1ea5c537e2255603c30 Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <mojha@codeaurora.org>
+Date: Tue, 26 Mar 2019 13:42:22 +0530
+Subject: usb: u132-hcd: fix resource leak
+
+[ Upstream commit f276e002793cdb820862e8ea8f76769d56bba575 ]
+
+if platform_driver_register fails, cleanup the allocated resource
+gracefully.
+
+Signed-off-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/host/u132-hcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c
+index 65c0086e25ae..8d349230b2c7 100644
+--- a/drivers/usb/host/u132-hcd.c
++++ b/drivers/usb/host/u132-hcd.c
+@@ -3208,6 +3208,9 @@ static int __init u132_hcd_init(void)
+       printk(KERN_INFO "driver %s\n", hcd_name);
+       workqueue = create_singlethread_workqueue("u132");
+       retval = platform_driver_register(&u132_platform_driver);
++      if (retval)
++              destroy_workqueue(workqueue);
++
+       return retval;
+ }
+ 
+-- 
+2.19.1
+

diff --git a/queue-4.14/usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch b/queue-4.14/usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch
new file mode 100644 (file)
index 0000000..a5d61ee
--- /dev/null
+++ b/queue-4.14/usb-usb251xb-fix-to-avoid-potential-null-pointer-der.patch
@@ -0,0 +1,34 @@
+From c17b59803e4fcccd712fe867fdddf21ea7a4cf40 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 10:27:11 -0500
+Subject: usb: usb251xb: fix to avoid potential NULL pointer dereference
+
+[ Upstream commit 41f00e6e9e55546390031996b773e7f3c1d95928 ]
+
+of_match_device in usb251xb_probe can fail and returns a NULL pointer.
+The patch avoids a potential NULL pointer dereference in this scenario.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
+---
+ drivers/usb/misc/usb251xb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/misc/usb251xb.c b/drivers/usb/misc/usb251xb.c
+index 135c91c434bf..ba8fcdb377e8 100644
+--- a/drivers/usb/misc/usb251xb.c
++++ b/drivers/usb/misc/usb251xb.c
+@@ -530,7 +530,7 @@ static int usb251xb_probe(struct usb251xb *hub)
+                                                          dev);
+       int err;
+ 
+-      if (np) {
++      if (np && of_id) {
+               err = usb251xb_get_ofdata(hub,
+                                         (struct usb251xb_data *)of_id->data);
+               if (err) {
+-- 
+2.19.1
+