--- /dev/null
+From 85108948c9ac18ff4714bae3cae9b7e076235ea1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 21 Dec 2018 12:06:58 +0300
+Subject: ALSA: compress: prevent potential divide by zero bugs
+
+[ Upstream commit 678e2b44c8e3fec3afc7202f1996a4500a50be93 ]
+
+The problem is seen in the q6asm_dai_compr_set_params() function:
+
+ ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
+ (prtd->pcm_size / prtd->periods),
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ prtd->periods);
+
+In this code prtd->pcm_size is the buffer_size and prtd->periods comes
+from params->buffer.fragments. If we allow the number of fragments to
+be zero then it results in a divide by zero bug. One possible fix would
+be to use prtd->pcm_count directly instead of using the division to
+re-calculate it. But I decided that it doesn't really make sense to
+allow zero fragments.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/compress_offload.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index 6163bf3e81776..2272aee128710 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -500,7 +500,8 @@ static int snd_compress_check_input(struct snd_compr_params *params)
+ {
+ /* first let's check the buffer parameter's */
+ if (params->buffer.fragment_size == 0 ||
+- params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
++ params->buffer.fragments > INT_MAX / params->buffer.fragment_size ||
++ params->buffer.fragments == 0)
+ return -EINVAL;
+
+ /* now codec parameters */
+--
+2.19.1
+
--- /dev/null
+From 055de0b6056e924b10d995c835538332eeeee151 Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Thu, 13 Dec 2018 18:42:57 +0300
+Subject: ARC: fix __ffs return value to avoid build warnings
+
+[ Upstream commit 4e868f8419cb4cb558c5d428e7ab5629cef864c7 ]
+
+| CC mm/nobootmem.o
+|In file included from ./include/asm-generic/bug.h:18:0,
+| from ./arch/arc/include/asm/bug.h:32,
+| from ./include/linux/bug.h:5,
+| from ./include/linux/mmdebug.h:5,
+| from ./include/linux/gfp.h:5,
+| from ./include/linux/slab.h:15,
+| from mm/nobootmem.c:14:
+|mm/nobootmem.c: In function '__free_pages_memory':
+|./include/linux/kernel.h:845:29: warning: comparison of distinct pointer types lacks a cast
+| (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
+| ^
+|./include/linux/kernel.h:859:4: note: in expansion of macro '__typecheck'
+| (__typecheck(x, y) && __no_side_effects(x, y))
+| ^~~~~~~~~~~
+|./include/linux/kernel.h:869:24: note: in expansion of macro '__safe_cmp'
+| __builtin_choose_expr(__safe_cmp(x, y), \
+| ^~~~~~~~~~
+|./include/linux/kernel.h:878:19: note: in expansion of macro '__careful_cmp'
+| #define min(x, y) __careful_cmp(x, y, <)
+| ^~~~~~~~~~~~~
+|mm/nobootmem.c:104:11: note: in expansion of macro 'min'
+| order = min(MAX_ORDER - 1UL, __ffs(start));
+
+Change __ffs return value from 'int' to 'unsigned long' as it
+is done in other implementations (like asm-generic, x86, etc...)
+to avoid build-time warnings in places where type is strictly
+checked.
+
+As __ffs may return values in [0-31] interval changing return
+type to unsigned is valid.
+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/bitops.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arc/include/asm/bitops.h b/arch/arc/include/asm/bitops.h
+index 0352fb8d21b99..9623ae002f5b4 100644
+--- a/arch/arc/include/asm/bitops.h
++++ b/arch/arc/include/asm/bitops.h
+@@ -286,7 +286,7 @@ static inline __attribute__ ((const)) int __fls(unsigned long x)
+ /*
+ * __ffs: Similar to ffs, but zero based (0-31)
+ */
+-static inline __attribute__ ((const)) int __ffs(unsigned long word)
++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long word)
+ {
+ if (!word)
+ return word;
+@@ -346,9 +346,9 @@ static inline __attribute__ ((const)) int ffs(unsigned long x)
+ /*
+ * __ffs: Similar to ffs, but zero based (0-31)
+ */
+-static inline __attribute__ ((const)) int __ffs(unsigned long x)
++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long x)
+ {
+- int n;
++ unsigned long n;
+
+ asm volatile(
+ " ffs.f %0, %1 \n" /* 0:31; 31(Z) if src 0 */
+--
+2.19.1
+
--- /dev/null
+From 6101cb536867fcb042144faf395f8769ae5b0c41 Mon Sep 17 00:00:00 2001
+From: Silvio Cesare <silvio.cesare@gmail.com>
+Date: Sat, 12 Jan 2019 16:28:43 +0100
+Subject: ASoC: dapm: change snprintf to scnprintf for possible overflow
+
+[ Upstream commit e581e151e965bf1f2815dd94620b638fec4d0a7e ]
+
+Change snprintf to scnprintf. There are generally two cases where using
+snprintf causes problems.
+
+1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
+In this case, if snprintf would have written more characters than what the
+buffer size (SIZE) is, then size will end up larger than SIZE. In later
+uses of snprintf, SIZE - size will result in a negative number, leading
+to problems. Note that size might already be too large by using
+size = snprintf before the code reaches a case of size += snprintf.
+
+2) If size is ultimately used as a length parameter for a copy back to user
+space, then it will potentially allow for a buffer overflow and information
+disclosure when size is greater than SIZE. When the size is used to index
+the buffer directly, we can have memory corruption. This also means when
+size = snprintf... is used, it may also cause problems since size may become
+large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
+configuration.
+
+The solution to these issues is to use scnprintf which returns the number of
+characters actually written to the buffer, so the size variable will never
+exceed SIZE.
+
+Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-dapm.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 0aefed8ab0cf5..7e26d173da41c 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -1943,19 +1943,19 @@ static ssize_t dapm_widget_power_read_file(struct file *file,
+ out = is_connected_output_ep(w, NULL);
+ }
+
+- ret = snprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d",
++ ret = scnprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d",
+ w->name, w->power ? "On" : "Off",
+ w->force ? " (forced)" : "", in, out);
+
+ if (w->reg >= 0)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ " - R%d(0x%x) mask 0x%x",
+ w->reg, w->reg, w->mask << w->shift);
+
+- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
+
+ if (w->sname)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n",
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n",
+ w->sname,
+ w->active ? "active" : "inactive");
+
+@@ -1968,7 +1968,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file,
+ if (!p->connect)
+ continue;
+
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ " %s \"%s\" \"%s\"\n",
+ (rdir == SND_SOC_DAPM_DIR_IN) ? "in" : "out",
+ p->name ? p->name : "static",
+--
+2.19.1
+
--- /dev/null
+From d9c85adb8b70dcd43f973edc4b097d18f97f9fdf Mon Sep 17 00:00:00 2001
+From: Silvio Cesare <silvio.cesare@gmail.com>
+Date: Tue, 15 Jan 2019 04:27:27 +0100
+Subject: ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
+
+[ Upstream commit c407cd008fd039320d147088b52d0fa34ed3ddcb ]
+
+Change snprintf to scnprintf. There are generally two cases where using
+snprintf causes problems.
+
+1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
+In this case, if snprintf would have written more characters than what the
+buffer size (SIZE) is, then size will end up larger than SIZE. In later
+uses of snprintf, SIZE - size will result in a negative number, leading
+to problems. Note that size might already be too large by using
+size = snprintf before the code reaches a case of size += snprintf.
+
+2) If size is ultimately used as a length parameter for a copy back to user
+space, then it will potentially allow for a buffer overflow and information
+disclosure when size is greater than SIZE. When the size is used to index
+the buffer directly, we can have memory corruption. This also means when
+size = snprintf... is used, it may also cause problems since size may become
+large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
+configuration.
+
+The solution to these issues is to use scnprintf which returns the number of
+characters actually written to the buffer, so the size variable will never
+exceed SIZE.
+
+Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
+Cc: Timur Tabi <timur@kernel.org>
+Cc: Nicolin Chen <nicoleotsuka@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Xiubo Li <Xiubo.Lee@gmail.com>
+Cc: Fabio Estevam <fabio.estevam@nxp.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Greg KH <greg@kroah.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c
+index fc57da341d610..136df38c4536c 100644
+--- a/sound/soc/fsl/imx-audmux.c
++++ b/sound/soc/fsl/imx-audmux.c
+@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf,
+ if (!buf)
+ return -ENOMEM;
+
+- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
++ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
+ pdcr, ptcr);
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxFS output from %s, ",
+ audmux_port_string((ptcr >> 27) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxFS input, ");
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxClk output from %s",
+ audmux_port_string((ptcr >> 22) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "TxClk input");
+
+- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) {
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "Port is symmetric");
+ } else {
+ if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxFS output from %s, ",
+ audmux_port_string((ptcr >> 17) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxFS input, ");
+
+ if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR)
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxClk output from %s",
+ audmux_port_string((ptcr >> 12) & 0x7));
+ else
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "RxClk input");
+ }
+
+- ret += snprintf(buf + ret, PAGE_SIZE - ret,
++ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
+ "\nData received from %s\n",
+ audmux_port_string((pdcr >> 13) & 0x7));
+
+--
+2.19.1
+
--- /dev/null
+From c91d93832e4def13b800454256339d11cf962944 Mon Sep 17 00:00:00 2001
+From: Rander Wang <rander.wang@linux.intel.com>
+Date: Tue, 18 Dec 2018 16:24:54 +0800
+Subject: ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field
+
+[ Upstream commit 906a9abc5de73c383af518f5a806f4be2993a0c7 ]
+
+For some reason this field was set to zero when all other drivers use
+.dynamic = 1 for front-ends. This change was tested on Dell XPS13 and
+has no impact with the existing legacy driver. The SOF driver also works
+with this change which enables it to override the fixed topology.
+
+Signed-off-by: Rander Wang <rander.wang@linux.intel.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/broadwell.c | 2 +-
+ sound/soc/intel/boards/haswell.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/boards/broadwell.c b/sound/soc/intel/boards/broadwell.c
+index 3f8a1e10bed02..e5ca41ffa8908 100644
+--- a/sound/soc/intel/boards/broadwell.c
++++ b/sound/soc/intel/boards/broadwell.c
+@@ -191,7 +191,7 @@ static struct snd_soc_dai_link broadwell_rt286_dais[] = {
+ .stream_name = "Loopback",
+ .cpu_dai_name = "Loopback Pin",
+ .platform_name = "haswell-pcm-audio",
+- .dynamic = 0,
++ .dynamic = 1,
+ .codec_name = "snd-soc-dummy",
+ .codec_dai_name = "snd-soc-dummy-dai",
+ .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST},
+diff --git a/sound/soc/intel/boards/haswell.c b/sound/soc/intel/boards/haswell.c
+index 22558572cb9ca..de955c2e8c4e3 100644
+--- a/sound/soc/intel/boards/haswell.c
++++ b/sound/soc/intel/boards/haswell.c
+@@ -145,7 +145,7 @@ static struct snd_soc_dai_link haswell_rt5640_dais[] = {
+ .stream_name = "Loopback",
+ .cpu_dai_name = "Loopback Pin",
+ .platform_name = "haswell-pcm-audio",
+- .dynamic = 0,
++ .dynamic = 1,
+ .codec_name = "snd-soc-dummy",
+ .codec_dai_name = "snd-soc-dummy-dai",
+ .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST},
+--
+2.19.1
+
--- /dev/null
+From 72e0db1ba4bebe3d9b1fa42a4a0401a7907a242c Mon Sep 17 00:00:00 2001
+From: Chaitanya Tata <chaitanya.tata@bluwirelesstechnology.com>
+Date: Sat, 19 Jan 2019 03:17:47 +0530
+Subject: cfg80211: extend range deviation for DMG
+
+[ Upstream commit 93183bdbe73bbdd03e9566c8dc37c9d06b0d0db6 ]
+
+Recently, DMG frequency bands have been extended till 71GHz, so extend
+the range check till 20GHz (45-71GHZ), else some channels will be marked
+as disabled.
+
+Signed-off-by: Chaitanya Tata <Chaitanya.Tata@bluwireless.co.uk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 50dffd183cc63..429abf4219064 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -780,7 +780,7 @@ static bool reg_does_bw_fit(const struct ieee80211_freq_range *freq_range,
+ * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"),
+ * however it is safe for now to assume that a frequency rule should not be
+ * part of a frequency's band if the start freq or end freq are off by more
+- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the
++ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the
+ * 60 GHz band.
+ * This resolution can be lowered and should be considered as we add
+ * regulatory rule support for other "bands".
+@@ -795,7 +795,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range,
+ * with the Channel starting frequency above 45 GHz.
+ */
+ u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ?
+- 10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ;
++ 20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ;
+ if (abs(freq_khz - freq_range->start_freq_khz) <= limit)
+ return true;
+ if (abs(freq_khz - freq_range->end_freq_khz) <= limit)
+--
+2.19.1
+
--- /dev/null
+From 2d1fac64848538fb279a4128bc97f0c027b4ca21 Mon Sep 17 00:00:00 2001
+From: "Kristian H. Kristensen" <hoegsberg@gmail.com>
+Date: Wed, 19 Dec 2018 08:57:41 -0800
+Subject: drm/msm: Unblock writer if reader closes file
+
+[ Upstream commit 99c66bc051e7407fe0bf0607b142ec0be1a1d1dd ]
+
+Prevents deadlock when fifo is full and reader closes file.
+
+Signed-off-by: Kristian H. Kristensen <hoegsberg@chromium.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_rd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c
+index 9a78c48817c6a..909a52b21ebe7 100644
+--- a/drivers/gpu/drm/msm/msm_rd.c
++++ b/drivers/gpu/drm/msm/msm_rd.c
+@@ -103,7 +103,9 @@ static void rd_write(struct msm_rd_state *rd, const void *buf, int sz)
+ char *fptr = &fifo->buf[fifo->head];
+ int n;
+
+- wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0);
++ wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open);
++ if (!rd->open)
++ return;
+
+ n = min(sz, circ_space_to_end(&rd->fifo));
+ memcpy(fptr, ptr, n);
+@@ -192,7 +194,10 @@ static int rd_open(struct inode *inode, struct file *file)
+ static int rd_release(struct inode *inode, struct file *file)
+ {
+ struct msm_rd_state *rd = inode->i_private;
++
+ rd->open = false;
++ wake_up_all(&rd->fifo_event);
++
+ return 0;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From d8c3294ba0ab6a647d860a6d28720d299ac9a0f3 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Thu, 24 Jan 2019 11:17:01 -0600
+Subject: ibmveth: Do not process frames after calling napi_reschedule
+
+[ Upstream commit e95d22c69b2c130ccce257b84daf283fd82d611e ]
+
+The IBM virtual ethernet driver's polling function continues
+to process frames after rescheduling NAPI, resulting in a warning
+if it exhausted its budget. Do not restart polling after calling
+napi_reschedule. Instead let frames be processed in the following
+instance.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
+index 61a9ab4fe047d..70b3253e7ed5e 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1238,7 +1238,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget)
+ struct iphdr *iph;
+ u16 mss = 0;
+
+-restart_poll:
+ while (frames_processed < budget) {
+ if (!ibmveth_rxq_pending_buffer(adapter))
+ break;
+@@ -1336,7 +1335,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget)
+ napi_reschedule(napi)) {
+ lpar_rc = h_vio_signal(adapter->vdev->unit_address,
+ VIO_IRQ_DISABLE);
+- goto restart_poll;
+ }
+ }
+
+--
+2.19.1
+
--- /dev/null
+From f3ff193a4fdde8a1fc93d814bf4933c025f68e8e Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Mon, 7 Jan 2019 19:44:51 +0100
+Subject: KVM: nSVM: clear events pending from svm_complete_interrupts() when
+ exiting to L1
+
+[ Upstream commit 619ad846fc3452adaf71ca246c5aa711e2055398 ]
+
+kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being
+delivered to the host (L1) when it's running nested. The problem seems to
+be: svm_complete_interrupts() raises 'nmi_injected' flag but later we
+decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI
+injection upon entry so it got delivered to L1 instead of L2.
+
+It seems that VMX code solves the same issue in prepare_vmcs12(), this was
+introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework
+event injection and recovery").
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 7ce1a19d9d8bf..acbde1249b6f3 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -2388,6 +2388,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
+ kvm_mmu_reset_context(&svm->vcpu);
+ kvm_mmu_load(&svm->vcpu);
+
++ /*
++ * Drop what we picked up for L2 via svm_complete_interrupts() so it
++ * doesn't end up in L1.
++ */
++ svm->vcpu.arch.nmi_injected = false;
++ kvm_clear_exception_queue(&svm->vcpu);
++ kvm_clear_interrupt_queue(&svm->vcpu);
++
+ return 0;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 1f9d353409cd1e1b1bcc17389d6d0ffd21d9b0fa Mon Sep 17 00:00:00 2001
+From: Balaji Pothunoori <bpothuno@codeaurora.org>
+Date: Mon, 21 Jan 2019 12:30:43 +0530
+Subject: mac80211: don't initiate TDLS connection if station is not associated
+ to AP
+
+[ Upstream commit 7ed5285396c257fd4070b1e29e7b2341aae2a1ce ]
+
+Following call trace is observed while adding TDLS peer entry in driver
+during TDLS setup.
+
+Call Trace:
+[<c1301476>] dump_stack+0x47/0x61
+[<c10537d2>] __warn+0xe2/0x100
+[<fa22415f>] ? sta_apply_parameters+0x49f/0x550 [mac80211]
+[<c1053895>] warn_slowpath_null+0x25/0x30
+[<fa22415f>] sta_apply_parameters+0x49f/0x550 [mac80211]
+[<fa20ad42>] ? sta_info_alloc+0x1c2/0x450 [mac80211]
+[<fa224623>] ieee80211_add_station+0xe3/0x160 [mac80211]
+[<c1876fe3>] nl80211_new_station+0x273/0x420
+[<c170f6d9>] genl_rcv_msg+0x219/0x3c0
+[<c170f4c0>] ? genl_rcv+0x30/0x30
+[<c170ee7e>] netlink_rcv_skb+0x8e/0xb0
+[<c170f4ac>] genl_rcv+0x1c/0x30
+[<c170e8aa>] netlink_unicast+0x13a/0x1d0
+[<c170ec18>] netlink_sendmsg+0x2d8/0x390
+[<c16c5acd>] sock_sendmsg+0x2d/0x40
+[<c16c6369>] ___sys_sendmsg+0x1d9/0x1e0
+
+Fixing this by allowing TDLS setup request only when we have completed
+association.
+
+Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 67348d8ac35da..7349bf26ae7b3 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1228,6 +1228,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
+ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
+ sta->sta.tdls = true;
+
++ if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
+--
+2.19.1
+
--- /dev/null
+From 68e07a25650b7de0b47bdb756917fbea1ea636dd Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Thu, 17 Jan 2019 16:32:42 -0500
+Subject: mac80211: fix miscounting of ttl-dropped frames
+
+[ Upstream commit a0dc02039a2ee54fb4ae400e0b755ed30e73e58c ]
+
+In ieee80211_rx_h_mesh_fwding, we increment the 'dropped_frames_ttl'
+counter when we decrement the ttl to zero. For unicast frames
+destined for other hosts, we stop processing the frame at that point.
+
+For multicast frames, we do not rebroadcast it in this case, but we
+do pass the frame up the stack to process it on this STA. That
+doesn't match the usual definition of "dropped," so don't count
+those as such.
+
+With this change, something like `ping6 -i0.2 ff02::1%mesh0` from a
+peer in a ttl=1 network no longer increments the counter rapidly.
+
+Signed-off-by: Bob Copeland <bobcopeland@fb.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index acacceec8cd86..833ad779659c8 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2340,7 +2340,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+ skb_set_queue_mapping(skb, q);
+
+ if (!--mesh_hdr->ttl) {
+- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
++ if (!is_multicast_ether_addr(hdr->addr1))
++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
++ dropped_frames_ttl);
+ goto out;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From f25f93c8dab10aadb29388ec9e51039e416e32f8 Mon Sep 17 00:00:00 2001
+From: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Date: Mon, 21 Jan 2019 17:26:41 +0900
+Subject: net: altera_tse: fix connect_local_phy error path
+
+[ Upstream commit 17b42a20d7ca59377788c6a2409e77569570cc10 ]
+
+The connect_local_phy should return NULL (not negative errno) on
+error, since its caller expects it.
+
+Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Acked-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/altera/altera_tse_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c
+index fe644823ceaf9..bb51f124d8c7d 100644
+--- a/drivers/net/ethernet/altera/altera_tse_main.c
++++ b/drivers/net/ethernet/altera/altera_tse_main.c
+@@ -716,8 +716,10 @@ static struct phy_device *connect_local_phy(struct net_device *dev)
+
+ phydev = phy_connect(dev, phy_id_fmt, &altera_tse_adjust_link,
+ priv->phy_iface);
+- if (IS_ERR(phydev))
++ if (IS_ERR(phydev)) {
+ netdev_err(dev, "Could not attach to PHY\n");
++ phydev = NULL;
++ }
+
+ } else {
+ int ret;
+--
+2.19.1
+
--- /dev/null
+From fb86bdc96ad1343bf6de8ca088fbba4653aa3a52 Mon Sep 17 00:00:00 2001
+From: Varun Prakash <varun@chelsio.com>
+Date: Sat, 12 Jan 2019 22:14:30 +0530
+Subject: scsi: csiostor: fix NULL pointer dereference in
+ csio_vport_set_state()
+
+[ Upstream commit fe35a40e675473eb65f2f5462b82770f324b5689 ]
+
+Assign fc_vport to ln->fc_vport before calling csio_fcoe_alloc_vnp() to
+avoid a NULL pointer dereference in csio_vport_set_state().
+
+ln->fc_vport is dereferenced in csio_vport_set_state().
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_attr.c b/drivers/scsi/csiostor/csio_attr.c
+index 2d1c4ebd40f91..6587f20cff1a1 100644
+--- a/drivers/scsi/csiostor/csio_attr.c
++++ b/drivers/scsi/csiostor/csio_attr.c
+@@ -582,12 +582,12 @@ csio_vport_create(struct fc_vport *fc_vport, bool disable)
+ }
+
+ fc_vport_set_state(fc_vport, FC_VPORT_INITIALIZING);
++ ln->fc_vport = fc_vport;
+
+ if (csio_fcoe_alloc_vnp(hw, ln))
+ goto error;
+
+ *(struct csio_lnode **)fc_vport->dd_data = ln;
+- ln->fc_vport = fc_vport;
+ if (!fc_vport->node_name)
+ fc_vport->node_name = wwn_to_u64(csio_ln_wwnn(ln));
+ if (!fc_vport->port_name)
+--
+2.19.1
+
--- /dev/null
+From 70fdf74a8c3adc4e877a59284ecd9dd6cb640ae3 Mon Sep 17 00:00:00 2001
+From: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Date: Mon, 21 Jan 2019 17:34:16 +0900
+Subject: serial: fsl_lpuart: fix maximum acceptable baud rate with
+ over-sampling
+
+[ Upstream commit 815d835b7ba46685c316b000013367dacb2b461b ]
+
+Using over-sampling ratio, lpuart can accept baud rate upto uartclk / 4.
+
+Signed-off-by: Tomonori Sakita <tomonori.sakita@sord.co.jp>
+Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 8b5ec9386f0f4..1544a7cc76ff8 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1409,7 +1409,7 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios,
+ }
+
+ /* ask the core to calculate the divisor */
+- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16);
++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 4);
+
+ spin_lock_irqsave(&sport->port.lock, flags);
+
+--
+2.19.1
+
revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
libceph-handle-an-empty-authorize-reply.patch
scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch
+drm-msm-unblock-writer-if-reader-closes-file.patch
+asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch
+alsa-compress-prevent-potential-divide-by-zero-bugs.patch
+thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch
+usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch
+usb-gadget-potential-null-dereference-on-allocation-.patch
+asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch
+asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch
+arc-fix-__ffs-return-value-to-avoid-build-warnings.patch
+mac80211-fix-miscounting-of-ttl-dropped-frames.patch
+serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch
+scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch
+net-altera_tse-fix-connect_local_phy-error-path.patch
+sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch
+ibmveth-do-not-process-frames-after-calling-napi_res.patch
+mac80211-don-t-initiate-tdls-connection-if-station-i.patch
+cfg80211-extend-range-deviation-for-dmg.patch
+kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch
--- /dev/null
+From a919627faa376e337f5fec2242fb09cc661f9e83 Mon Sep 17 00:00:00 2001
+From: Edward Cree <ecree@solarflare.com>
+Date: Tue, 22 Jan 2019 19:02:17 +0000
+Subject: sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
+
+[ Upstream commit 3366463513f544c12c6b88c13da4462ee9e7a1a1 ]
+
+Use a bitmap to keep track of which partition types we've already seen;
+ for duplicates, return -EEXIST from efx_ef10_mtd_probe_partition() and
+ thus skip adding that partition.
+Duplicate partitions occur because of the A/B backup scheme used by newer
+ sfc NICs. Prior to this patch they cause sysfs_warn_dup errors because
+ they have the same name, causing us not to expose any MTDs at all.
+
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
+index 063aca17e698b..79a1031c3ef77 100644
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -4433,22 +4433,25 @@ static const struct efx_ef10_nvram_type_info efx_ef10_nvram_types[] = {
+ { NVRAM_PARTITION_TYPE_LICENSE, 0, 0, "sfc_license" },
+ { NVRAM_PARTITION_TYPE_PHY_MIN, 0xff, 0, "sfc_phy_fw" },
+ };
++#define EF10_NVRAM_PARTITION_COUNT ARRAY_SIZE(efx_ef10_nvram_types)
+
+ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ struct efx_mcdi_mtd_partition *part,
+- unsigned int type)
++ unsigned int type,
++ unsigned long *found)
+ {
+ MCDI_DECLARE_BUF(inbuf, MC_CMD_NVRAM_METADATA_IN_LEN);
+ MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_METADATA_OUT_LENMAX);
+ const struct efx_ef10_nvram_type_info *info;
+ size_t size, erase_size, outlen;
++ int type_idx = 0;
+ bool protected;
+ int rc;
+
+- for (info = efx_ef10_nvram_types; ; info++) {
+- if (info ==
+- efx_ef10_nvram_types + ARRAY_SIZE(efx_ef10_nvram_types))
++ for (type_idx = 0; ; type_idx++) {
++ if (type_idx == EF10_NVRAM_PARTITION_COUNT)
+ return -ENODEV;
++ info = efx_ef10_nvram_types + type_idx;
+ if ((type & ~info->type_mask) == info->type)
+ break;
+ }
+@@ -4461,6 +4464,13 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ if (protected)
+ return -ENODEV; /* hide it */
+
++ /* If we've already exposed a partition of this type, hide this
++ * duplicate. All operations on MTDs are keyed by the type anyway,
++ * so we can't act on the duplicate.
++ */
++ if (__test_and_set_bit(type_idx, found))
++ return -EEXIST;
++
+ part->nvram_type = type;
+
+ MCDI_SET_DWORD(inbuf, NVRAM_METADATA_IN_TYPE, type);
+@@ -4489,6 +4499,7 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ static int efx_ef10_mtd_probe(struct efx_nic *efx)
+ {
+ MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_PARTITIONS_OUT_LENMAX);
++ DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT);
+ struct efx_mcdi_mtd_partition *parts;
+ size_t outlen, n_parts_total, i, n_parts;
+ unsigned int type;
+@@ -4517,11 +4528,13 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx)
+ for (i = 0; i < n_parts_total; i++) {
+ type = MCDI_ARRAY_DWORD(outbuf, NVRAM_PARTITIONS_OUT_TYPE_ID,
+ i);
+- rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type);
+- if (rc == 0)
+- n_parts++;
+- else if (rc != -ENODEV)
++ rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type,
++ found);
++ if (rc == -EEXIST || rc == -ENODEV)
++ continue;
++ if (rc)
+ goto fail;
++ n_parts++;
+ }
+
+ rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts));
+--
+2.19.1
+
--- /dev/null
+From b7bf92f965fd568eb9c7a345d77ddcf8abda1502 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 17 Dec 2018 10:02:42 +0300
+Subject: thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
+
+[ Upstream commit 3fe931b31a4078395c1967f0495dcc9e5ec6b5e3 ]
+
+The intel_soc_dts_iosf_init() function doesn't return NULL, it returns
+error pointers.
+
+Fixes: 4d0dd6c1576b ("Thermal/int340x/processor_thermal: Enable auxiliary DTS for Braswell")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/int340x_thermal/processor_thermal_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/int340x_thermal/processor_thermal_device.c b/drivers/thermal/int340x_thermal/processor_thermal_device.c
+index ccc0ad02d0669..7f374ab5b1760 100644
+--- a/drivers/thermal/int340x_thermal/processor_thermal_device.c
++++ b/drivers/thermal/int340x_thermal/processor_thermal_device.c
+@@ -363,7 +363,7 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev,
+ proc_priv->soc_dts = intel_soc_dts_iosf_init(
+ INTEL_SOC_DTS_INTERRUPT_MSI, 2, 0);
+
+- if (proc_priv->soc_dts && pdev->irq) {
++ if (!IS_ERR(proc_priv->soc_dts) && pdev->irq) {
+ ret = pci_enable_msi(pdev);
+ if (!ret) {
+ ret = request_threaded_irq(pdev->irq, NULL,
+--
+2.19.1
+
--- /dev/null
+From 083d2070c035bf1eb63bc04a7869d52e4866e88e Mon Sep 17 00:00:00 2001
+From: Zeng Tao <prime.zeng@hisilicon.com>
+Date: Wed, 26 Dec 2018 19:22:00 +0800
+Subject: usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
+
+[ Upstream commit 88b1bb1f3b88e0bf20b05d543a53a5b99bd7ceb6 ]
+
+Currently the link_state is uninitialized and the default value is 0(U0)
+before the first time we start the udc, and after we start the udc then
+ stop the udc, the link_state will be undefined.
+We may have the following warnings if we start the udc again with
+an undefined link_state:
+
+WARNING: CPU: 0 PID: 327 at drivers/usb/dwc3/gadget.c:294 dwc3_send_gadget_ep_cmd+0x304/0x308
+dwc3 100e0000.hidwc3_0: wakeup failed --> -22
+[...]
+Call Trace:
+[<c010f270>] (unwind_backtrace) from [<c010b3d8>] (show_stack+0x10/0x14)
+[<c010b3d8>] (show_stack) from [<c034a4dc>] (dump_stack+0x84/0x98)
+[<c034a4dc>] (dump_stack) from [<c0118000>] (__warn+0xe8/0x100)
+[<c0118000>] (__warn) from [<c0118050>](warn_slowpath_fmt+0x38/0x48)
+[<c0118050>] (warn_slowpath_fmt) from [<c0442ec0>](dwc3_send_gadget_ep_cmd+0x304/0x308)
+[<c0442ec0>] (dwc3_send_gadget_ep_cmd) from [<c0445e68>](dwc3_ep0_start_trans+0x48/0xf4)
+[<c0445e68>] (dwc3_ep0_start_trans) from [<c0446750>](dwc3_ep0_out_start+0x64/0x80)
+[<c0446750>] (dwc3_ep0_out_start) from [<c04451c0>](__dwc3_gadget_start+0x1e0/0x278)
+[<c04451c0>] (__dwc3_gadget_start) from [<c04452e0>](dwc3_gadget_start+0x88/0x10c)
+[<c04452e0>] (dwc3_gadget_start) from [<c045ee54>](udc_bind_to_driver+0x88/0xbc)
+[<c045ee54>] (udc_bind_to_driver) from [<c045f29c>](usb_gadget_probe_driver+0xf8/0x140)
+[<c045f29c>] (usb_gadget_probe_driver) from [<bf005424>](gadget_dev_desc_UDC_store+0xac/0xc4 [libcomposite])
+[<bf005424>] (gadget_dev_desc_UDC_store [libcomposite]) from[<c023d8e0>] (configfs_write_file+0xd4/0x160)
+[<c023d8e0>] (configfs_write_file) from [<c01d51e8>] (__vfs_write+0x1c/0x114)
+[<c01d51e8>] (__vfs_write) from [<c01d5ff4>] (vfs_write+0xa4/0x168)
+[<c01d5ff4>] (vfs_write) from [<c01d6d40>] (SyS_write+0x3c/0x90)
+[<c01d6d40>] (SyS_write) from [<c0107400>] (ret_fast_syscall+0x0/0x3c)
+
+Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index b6037a0ae829b..557f08adf644e 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1676,6 +1676,7 @@ static int dwc3_gadget_start(struct usb_gadget *g,
+
+ /* begin to receive SETUP packets */
+ dwc->ep0state = EP0_SETUP_PHASE;
++ dwc->link_state = DWC3_LINK_STATE_SS_DIS;
+ dwc3_ep0_out_start(dwc);
+
+ dwc3_gadget_enable_irq(dwc);
+--
+2.19.1
+
--- /dev/null
+From 8c1fe4d7636dbfa255afacde8ebef7f38501f152 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 21 Dec 2018 23:42:52 +0300
+Subject: usb: gadget: Potential NULL dereference on allocation error
+
+[ Upstream commit df28169e1538e4a8bcd8b779b043e5aa6524545c ]
+
+The source_sink_alloc_func() function is supposed to return error
+pointers on error. The function is called from usb_get_function() which
+doesn't check for NULL returns so it would result in an Oops.
+
+Of course, in the current kernel, small allocations always succeed so
+this doesn't affect runtime.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_sourcesink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c
+index 67b2439899389..d7d095781be18 100644
+--- a/drivers/usb/gadget/function/f_sourcesink.c
++++ b/drivers/usb/gadget/function/f_sourcesink.c
+@@ -849,7 +849,7 @@ static struct usb_function *source_sink_alloc_func(
+
+ ss = kzalloc(sizeof(*ss), GFP_KERNEL);
+ if (!ss)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ ss_opts = container_of(fi, struct f_ss_opts, func_inst);
+
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
