From: Greg Kroah-Hartman Date: Wed, 15 Jan 2020 14:50:15 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.14.166~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15701eb83fa54e14808a3d4c28a403c19386aa2f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch dccp-fix-memleak-in-__feat_register_sp.patch f2fs-check-if-file-namelen-exceeds-max-value.patch f2fs-check-memory-boundary-by-insane-namelen.patch f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch mac80211-do-not-send-layer-2-update-frame-before-authorization.patch media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch rdma-fix-goto-target-to-release-the-allocated-memory.patch --- diff --git a/queue-4.19/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch b/queue-4.19/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch new file mode 100644 index 00000000000..41ebb82b002 --- /dev/null +++ b/queue-4.19/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch 
@@ -0,0 +1,166 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Dedy Lansky +Date: Sun, 29 Jul 2018 14:59:16 +0300 +Subject: cfg80211/mac80211: make ieee80211_send_layer2_update a public function + +From: Dedy Lansky + +commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3 upstream. + +Make ieee80211_send_layer2_update() a common function so other drivers +can re-use it. + +Signed-off-by: Dedy Lansky +Signed-off-by: Johannes Berg +[bwh: Backported to 4.19 as dependency of commit 3e493173b784 + "mac80211: Do not send Layer 2 Update frame before authorization"] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cfg80211.h | 11 +++++++++++ + net/mac80211/cfg.c | 48 ++---------------------------------------------- + net/wireless/util.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 58 insertions(+), 46 deletions(-) + +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -4734,6 +4734,17 @@ const u8 *cfg80211_find_vendor_ie(unsign + const u8 *ies, int len); + + /** ++ * cfg80211_send_layer2_update - send layer 2 update frame ++ * ++ * @dev: network device ++ * @addr: STA MAC address ++ * ++ * Wireless drivers can use this function to update forwarding tables in bridge ++ * devices upon STA association. 
++ */ ++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr); ++ ++/** + * DOC: Regulatory enforcement infrastructure + * + * TODO +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1096,50 +1096,6 @@ static int ieee80211_stop_ap(struct wiph + return 0; + } + +-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ +-struct iapp_layer2_update { +- u8 da[ETH_ALEN]; /* broadcast */ +- u8 sa[ETH_ALEN]; /* STA addr */ +- __be16 len; /* 6 */ +- u8 dsap; /* 0 */ +- u8 ssap; /* 0 */ +- u8 control; +- u8 xid_info[3]; +-} __packed; +- +-static void ieee80211_send_layer2_update(struct sta_info *sta) +-{ +- struct iapp_layer2_update *msg; +- struct sk_buff *skb; +- +- /* Send Level 2 Update Frame to update forwarding tables in layer 2 +- * bridge devices */ +- +- skb = dev_alloc_skb(sizeof(*msg)); +- if (!skb) +- return; +- msg = skb_put(skb, sizeof(*msg)); +- +- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) +- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */ +- +- eth_broadcast_addr(msg->da); +- memcpy(msg->sa, sta->sta.addr, ETH_ALEN); +- msg->len = htons(6); +- msg->dsap = 0; +- msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */ +- msg->control = 0xaf; /* XID response lsb.1111F101. 
+- * F=0 (no poll command; unsolicited frame) */ +- msg->xid_info[0] = 0x81; /* XID format identifier */ +- msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ +- msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */ +- +- skb->dev = sta->sdata->dev; +- skb->protocol = eth_type_trans(skb, sta->sdata->dev); +- memset(skb->cb, 0, sizeof(skb->cb)); +- netif_rx_ni(skb); +-} +- + static int sta_apply_auth_flags(struct ieee80211_local *local, + struct sta_info *sta, + u32 mask, u32 set) +@@ -1508,7 +1464,7 @@ static int ieee80211_add_station(struct + } + + if (layer2_update) +- ieee80211_send_layer2_update(sta); ++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + + rcu_read_unlock(); + +@@ -1610,7 +1566,7 @@ static int ieee80211_change_station(stru + if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) + ieee80211_vif_inc_num_mcast(sta->sdata); + +- ieee80211_send_layer2_update(sta); ++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + } + + err = sta_apply_parameters(local, sta, params); +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1919,3 +1919,48 @@ bool cfg80211_iftype_allowed(struct wiph + return false; + } + EXPORT_SYMBOL(cfg80211_iftype_allowed); ++ ++/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ ++struct iapp_layer2_update { ++ u8 da[ETH_ALEN]; /* broadcast */ ++ u8 sa[ETH_ALEN]; /* STA addr */ ++ __be16 len; /* 6 */ ++ u8 dsap; /* 0 */ ++ u8 ssap; /* 0 */ ++ u8 control; ++ u8 xid_info[3]; ++} __packed; ++ ++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr) ++{ ++ struct iapp_layer2_update *msg; ++ struct sk_buff *skb; ++ ++ /* Send Level 2 Update Frame to update forwarding tables in layer 2 ++ * bridge devices */ ++ ++ skb = dev_alloc_skb(sizeof(*msg)); ++ if (!skb) ++ return; ++ msg = skb_put(skb, sizeof(*msg)); ++ ++ /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) ++ * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */ ++ ++ 
eth_broadcast_addr(msg->da); ++ ether_addr_copy(msg->sa, addr); ++ msg->len = htons(6); ++ msg->dsap = 0; ++ msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */ ++ msg->control = 0xaf; /* XID response lsb.1111F101. ++ * F=0 (no poll command; unsolicited frame) */ ++ msg->xid_info[0] = 0x81; /* XID format identifier */ ++ msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ ++ msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */ ++ ++ skb->dev = dev; ++ skb->protocol = eth_type_trans(skb, dev); ++ memset(skb->cb, 0, sizeof(skb->cb)); ++ netif_rx_ni(skb); ++} ++EXPORT_SYMBOL(cfg80211_send_layer2_update); diff --git a/queue-4.19/dccp-fix-memleak-in-__feat_register_sp.patch b/queue-4.19/dccp-fix-memleak-in-__feat_register_sp.patch new file mode 100644 index 00000000000..8cb0000e7db --- /dev/null +++ b/queue-4.19/dccp-fix-memleak-in-__feat_register_sp.patch @@ -0,0 +1,39 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: YueHaibing +Date: Mon, 1 Apr 2019 09:35:54 +0800 +Subject: dccp: Fix memleak in __feat_register_sp + +From: YueHaibing + +commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream. + +If dccp_feat_push_change fails, we forget free the mem +which is alloced by kmemdup in dccp_feat_clone_sp_val. + +Reported-by: Hulk Robot +Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values") +Reviewed-by: Mukesh Ojha +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/feat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/dccp/feat.c ++++ b/net/dccp/feat.c +@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis + if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len)) + return -ENOMEM; + +- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); ++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) { ++ kfree(fval.sp.vec); ++ return -ENOMEM; ++ } ++ ++ return 0; + } + + /** 
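Review bot: The field comments on the new file-scope `struct iapp_layer2_update` in net/wireless/util.c disagree with the values the function writes: `ssap` is annotated `/* 0 */` but `cfg80211_send_layer2_update` assigns `msg->ssap = 0x01` a few lines later, so the struct line should read `u8 ssap; /* 0x01: NULL LSAP, CR bit = response */`. The stale comment was copied verbatim from the removed mac80211 version, and moving the code into a shared helper is the moment to correct it once. The kerneldoc added to include/net/cfg80211.h says the frame is sent "upon STA association", while the next patch in this series moves the mac80211 call site to the point where the STA is marked authorized; wording it as "once the STA is allowed to forward traffic (after authorization for RSN networks)" keeps the public header accurate for the callers this change invites.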
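Review bot: The new failure branch at the end of `__feat_register_sp` (the function starts outside the hunk) replaces whatever `dccp_feat_push_change` returns with a hard-coded `-ENOMEM`, whereas the removed line propagated the callee's value. Keeping the returned code stays meaningful if the callee gains other failure modes: `int rc = dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); if (rc) { kfree(fval.sp.vec); return rc; } return 0;`. Freeing `fval.sp.vec` here also assumes `dccp_feat_push_change` does not take ownership of the vector on failure, which the hunk does not show; a one-line comment such as `/* push_change did not take ownership of fval.sp.vec on failure */` would record that contract next to the kfree.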
diff --git a/queue-4.19/f2fs-check-if-file-namelen-exceeds-max-value.patch b/queue-4.19/f2fs-check-if-file-namelen-exceeds-max-value.patch new file mode 100644 index 00000000000..6a342720244 --- /dev/null +++ b/queue-4.19/f2fs-check-if-file-namelen-exceeds-max-value.patch @@ -0,0 +1,34 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Sheng Yong +Date: Mon, 7 Jan 2019 15:02:34 +0800 +Subject: f2fs: check if file namelen exceeds max value + +From: Sheng Yong + +commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b upstream. + +Dentry bitmap is not enough to detect incorrect dentries. So this patch +also checks the namelen value of a dentry. + +Signed-off-by: Gong Chen +Signed-off-by: Sheng Yong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -808,7 +808,8 @@ int f2fs_fill_dentries(struct dir_contex + + /* check memory boundary before moving forward */ + bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); +- if (unlikely(bit_pos > d->max)) { ++ if (unlikely(bit_pos > d->max || ++ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) { + f2fs_msg(sbi->sb, KERN_WARNING, + "%s: corrupted namelen=%d, run fsck to fix.", + __func__, le16_to_cpu(de->name_len)); diff --git a/queue-4.19/f2fs-check-memory-boundary-by-insane-namelen.patch b/queue-4.19/f2fs-check-memory-boundary-by-insane-namelen.patch new file mode 100644 index 00000000000..d1be83a8ba6 --- /dev/null +++ b/queue-4.19/f2fs-check-memory-boundary-by-insane-namelen.patch 
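Review bot: `le16_to_cpu(de->name_len)` is now evaluated three times in the visible lines of `f2fs_fill_dentries` (the `bit_pos` advance, the new `F2FS_NAME_LEN` bound and the warning), so a local declared before the advance, `unsigned int name_len = le16_to_cpu(de->name_len);`, would let the two conditions read as one check on a single value and drop the repeated conversions. The enclosing function starts and ends outside the hunk. This patch also relies on the `bit_pos > d->max` check and the `err`/`out:` exit introduced by the two preceding f2fs backports, so the ordering recorded in `series` is load-bearing.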
@@ -0,0 +1,48 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Jaegeuk Kim +Date: Wed, 14 Nov 2018 12:40:30 -0800 +Subject: f2fs: check memory boundary by insane namelen + +From: Jaegeuk Kim + +commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 upstream. + +If namelen is corrupted to have very long value, fill_dentries can copy +wrong memory area. + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/dir.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -806,6 +806,17 @@ int f2fs_fill_dentries(struct dir_contex + de_name.name = d->filename[bit_pos]; + de_name.len = le16_to_cpu(de->name_len); + ++ /* check memory boundary before moving forward */ ++ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); ++ if (unlikely(bit_pos > d->max)) { ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "%s: corrupted namelen=%d, run fsck to fix.", ++ __func__, le16_to_cpu(de->name_len)); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ err = -EINVAL; ++ goto out; ++ } ++ + if (f2fs_encrypted_inode(d->inode)) { + int save_len = fstr->len; + +@@ -826,7 +837,6 @@ int f2fs_fill_dentries(struct dir_contex + if (sbi->readdir_ra == 1) + f2fs_ra_node_page(sbi, le32_to_cpu(de->ino)); + +- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); + ctx->pos = start_pos + bit_pos; + } + out: diff --git a/queue-4.19/f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch b/queue-4.19/f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch new file mode 100644 index 00000000000..c510d5ac036 --- /dev/null +++ b/queue-4.19/f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch 
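Review bot: The new check in `f2fs_fill_dentries` is documented only as `check memory boundary before moving forward`, which does not say what it protects: `de_name.len` was just taken from the on-disk `name_len` two lines above, and per the commit message the later name copy would read outside the dentry block if the slot count overran `d->max`. A comment tying the check to the hazard, `/* name_len is untrusted on-disk data: make sure its slots fit in this block before de_name is consumed below */`, would make the placement ahead of the encrypted-name branch self-explanatory. The `err` variable and `out:` label used here come from the preceding backport in this series, so the two patches must stay adjacent in `series` (they do). The enclosing function starts and ends outside the hunk.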
@@ -0,0 +1,47 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Ben Hutchings +Date: Mon, 13 Jan 2020 23:20:07 +0000 +Subject: f2fs: Move err variable to function scope in f2fs_fill_dentries() + +From: Ben Hutchings + +This is preparation for the following backported fixes. It was done +upstream as part of commit e1293bdfa01d "f2fs: plug readahead IO in +readdir()", the rest of which does not seem suitable for stable. + +Cc: Jaegeuk Kim +Cc: Chao Yu +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/dir.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -785,6 +785,7 @@ int f2fs_fill_dentries(struct dir_contex + struct f2fs_dir_entry *de = NULL; + struct fscrypt_str de_name = FSTR_INIT(NULL, 0); + struct f2fs_sb_info *sbi = F2FS_I_SB(d->inode); ++ int err = 0; + + bit_pos = ((unsigned long)ctx->pos % d->max); + +@@ -807,7 +808,6 @@ int f2fs_fill_dentries(struct dir_contex + + if (f2fs_encrypted_inode(d->inode)) { + int save_len = fstr->len; +- int err; + + err = fscrypt_fname_disk_to_usr(d->inode, + (u32)de->hash_code, 0, +@@ -829,7 +829,8 @@ int f2fs_fill_dentries(struct dir_contex + bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); + ctx->pos = start_pos + bit_pos; + } +- return 0; ++out: ++ return err; + } + + static int f2fs_readdir(struct file *file, struct dir_context *ctx) diff --git a/queue-4.19/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch b/queue-4.19/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch new file mode 100644 index 00000000000..39eebe0255b --- /dev/null +++ b/queue-4.19/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch 
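Review bot: After this preparation `err` has function scope and `out:` is meant to be the single exit of `f2fs_fill_dentries`, but the encrypted-name branch (outside the hunk) presumably still returns the `fscrypt_fname_disk_to_usr` result directly; if so, replacing that with `goto out;` would make the new label the only exit and keep the style uniform with the fixes that build on it. The function starts and ends outside the hunk.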
@@ -0,0 +1,30 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Navid Emamdoost +Date: Thu, 12 Sep 2019 23:23:27 -0500 +Subject: iwlwifi: dbg_ini: fix memory leak in alloc_sgtable + +From: Navid Emamdoost + +commit b4b814fec1a5a849383f7b3886b654a13abbda7d upstream. + +In alloc_sgtable if alloc_page fails, the alocated table should be +released. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Luca Coelho +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -547,6 +547,7 @@ static struct scatterlist *alloc_sgtable + if (new_page) + __free_page(new_page); + } ++ kfree(table); + return NULL; + } + alloc_size = min_t(int, size, PAGE_SIZE); diff --git a/queue-4.19/iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch b/queue-4.19/iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch new file mode 100644 index 00000000000..d565ab8a6a2 --- /dev/null +++ b/queue-4.19/iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch 
@@ -0,0 +1,99 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Navid Emamdoost +Date: Fri, 27 Sep 2019 15:56:04 -0500 +Subject: iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init + +From: Navid Emamdoost + +commit 0f4f199443faca715523b0659aa536251d8b978f upstream. + +In iwl_pcie_ctxt_info_gen3_init there are cases that the allocated dma +memory is leaked in case of error. + +DMA memories prph_scratch, prph_info, and ctxt_info_gen3 are allocated +and initialized to be later assigned to trans_pcie. But in any error case +before such assignment the allocated memories should be released. + +First of such error cases happens when iwl_pcie_init_fw_sec fails. +Current implementation correctly releases prph_scratch. But in two +sunsequent error cases where dma_alloc_coherent may fail, such +releases are missing. + +This commit adds release for prph_scratch when allocation for +prph_info fails, and adds releases for prph_scratch and prph_info when +allocation for ctxt_info_gen3 fails. 
+ +Fixes: 2ee824026288 ("iwlwifi: pcie: support context information for 22560 devices") +Signed-off-by: Navid Emamdoost +Signed-off-by: Luca Coelho +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 36 ++++++++++----- + 1 file changed, 25 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c +@@ -102,13 +102,9 @@ int iwl_pcie_ctxt_info_gen3_init(struct + + /* allocate ucode sections in dram and set addresses */ + ret = iwl_pcie_init_fw_sec(trans, fw, &prph_scratch->dram); +- if (ret) { +- dma_free_coherent(trans->dev, +- sizeof(*prph_scratch), +- prph_scratch, +- trans_pcie->prph_scratch_dma_addr); +- return ret; +- } ++ if (ret) ++ goto err_free_prph_scratch; ++ + + /* Allocate prph information + * currently we don't assign to the prph info anything, but it would get +@@ -116,16 +112,20 @@ int iwl_pcie_ctxt_info_gen3_init(struct + prph_info = dma_alloc_coherent(trans->dev, sizeof(*prph_info), + &trans_pcie->prph_info_dma_addr, + GFP_KERNEL); +- if (!prph_info) +- return -ENOMEM; ++ if (!prph_info) { ++ ret = -ENOMEM; ++ goto err_free_prph_scratch; ++ } + + /* Allocate context info */ + ctxt_info_gen3 = dma_alloc_coherent(trans->dev, + sizeof(*ctxt_info_gen3), + &trans_pcie->ctxt_info_dma_addr, + GFP_KERNEL); +- if (!ctxt_info_gen3) +- return -ENOMEM; ++ if (!ctxt_info_gen3) { ++ ret = -ENOMEM; ++ goto err_free_prph_info; ++ } + + ctxt_info_gen3->prph_info_base_addr = + cpu_to_le64(trans_pcie->prph_info_dma_addr); +@@ -176,6 +176,20 @@ int iwl_pcie_ctxt_info_gen3_init(struct + iwl_set_bit(trans, CSR_GP_CNTRL, CSR_AUTO_FUNC_INIT); + + return 0; ++ ++err_free_prph_info: ++ dma_free_coherent(trans->dev, ++ sizeof(*prph_info), ++ prph_info, ++ trans_pcie->prph_info_dma_addr); ++ ++err_free_prph_scratch: ++ dma_free_coherent(trans->dev, ++ sizeof(*prph_scratch), ++ prph_scratch, ++ 
trans_pcie->prph_scratch_dma_addr); ++ return ret; ++ + } + + void iwl_pcie_ctxt_info_gen3_free(struct iwl_trans *trans) diff --git a/queue-4.19/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch b/queue-4.19/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch new file mode 100644 index 00000000000..89c258e45d3 --- /dev/null +++ b/queue-4.19/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch 
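Review bot: The two new labels release `prph_info` and `prph_scratch`, but the ucode sections that `iwl_pcie_init_fw_sec` set up in `prph_scratch->dram` at the top of the hunk are not torn down when either later `dma_alloc_coherent` fails; if the driver has a helper that frees those sections (the normal free path is outside the hunk), `err_free_prph_scratch` should call it before releasing `prph_scratch`. The hunk also leaves two stray blank lines, one after `goto err_free_prph_scratch;` in the first hunk and one between `return ret;` and the closing brace. A comment at the labels, `/* unwind in reverse allocation order; per the commit message the trans_pcie->prph_* pointers are only assigned on success, so nothing needs resetting here */`, would explain why the error path does not clear any fields.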
@@ -0,0 +1,101 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Jouni Malinen +Date: Wed, 11 Sep 2019 16:03:05 +0300 +Subject: mac80211: Do not send Layer 2 Update frame before authorization + +From: Jouni Malinen + +commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream. + +The Layer 2 Update frame is used to update bridges when a station roams +to another AP even if that STA does not transmit any frames after the +reassociation. This behavior was described in IEEE Std 802.11F-2003 as +something that would happen based on MLME-ASSOCIATE.indication, i.e., +before completing 4-way handshake. However, this IEEE trial-use +recommended practice document was published before RSN (IEEE Std +802.11i-2004) and as such, did not consider RSN use cases. Furthermore, +IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been +maintained amd should not be used anymore. + +Sending out the Layer 2 Update frame immediately after association is +fine for open networks (and also when using SAE, FT protocol, or FILS +authentication when the station is actually authenticated by the time +association completes). However, it is not appropriate for cases where +RSN is used with PSK or EAP authentication since the station is actually +fully authenticated only once the 4-way handshake completes after +authentication and attackers might be able to use the unauthenticated +triggering of Layer 2 Update frame transmission to disrupt bridge +behavior. + +Fix this by postponing transmission of the Layer 2 Update frame from +station entry addition to the point when the station entry is marked +authorized. Similarly, send out the VLAN binding update only if the STA +entry has already been authorized. + +Signed-off-by: Jouni Malinen +Reviewed-by: Johannes Berg +Signed-off-by: David S. 
Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 14 ++++---------- + net/mac80211/sta_info.c | 4 ++++ + 2 files changed, 8 insertions(+), 10 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1410,7 +1410,6 @@ static int ieee80211_add_station(struct + struct sta_info *sta; + struct ieee80211_sub_if_data *sdata; + int err; +- int layer2_update; + + if (params->vlan) { + sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan); +@@ -1454,18 +1453,12 @@ static int ieee80211_add_station(struct + test_sta_flag(sta, WLAN_STA_ASSOC)) + rate_control_rate_init(sta); + +- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN || +- sdata->vif.type == NL80211_IFTYPE_AP; +- + err = sta_info_insert_rcu(sta); + if (err) { + rcu_read_unlock(); + return err; + } + +- if (layer2_update) +- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); +- + rcu_read_unlock(); + + return 0; +@@ -1563,10 +1556,11 @@ static int ieee80211_change_station(stru + sta->sdata = vlansdata; + ieee80211_check_fast_xmit(sta); + +- if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) ++ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { + ieee80211_vif_inc_num_mcast(sta->sdata); +- +- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); ++ cfg80211_send_layer2_update(sta->sdata->dev, ++ sta->sta.addr); ++ } + } + + err = sta_apply_parameters(local, sta, params); +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1906,6 +1906,10 @@ int sta_info_move_state(struct sta_info + ieee80211_check_fast_xmit(sta); + ieee80211_check_fast_rx(sta); + } ++ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN || ++ sta->sdata->vif.type == NL80211_IFTYPE_AP) ++ cfg80211_send_layer2_update(sta->sdata->dev, ++ sta->sta.addr); + break; + default: + break; 
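Review bot: The new `cfg80211_send_layer2_update` call in `sta_info_move_state` is placed after the closing brace of the preceding block rather than inside it; that block's condition is outside the hunk, and if it restricts the work to the ASSOC-to-AUTHORIZED transition, moving the call inside it makes explicit that the frame goes out exactly once, when authorization is granted. The reasoning for the move lives only in the commit message, so a short comment at the call, `/* The STA is authorized only now; let bridges learn its address no earlier */`, would keep the intent with the code. The `ieee80211_change_station` VLAN path now sends only for an already-authorized STA, which is consistent with this placement.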
diff --git a/queue-4.19/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch b/queue-4.19/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch new file mode 100644 index 00000000000..a241c514a5c --- /dev/null +++ b/queue-4.19/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch 
@@ -0,0 +1,80 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Vandana BN +Date: Wed, 22 May 2019 04:34:15 -0400 +Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap + +From: Vandana BN + +commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream. + +SyzKaller hit the null pointer deref while reading from uninitialized +udev->product in zr364xx_vidioc_querycap(). + +================================================================== +BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20 +include/linux/compiler.h:274 +Read of size 1 at addr 0000000000000000 by task v4l_id/5287 + +CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + kasan_report.cold+0x5/0x3c mm/kasan/report.c:321 + read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274 + strscpy+0x8a/0x280 lib/string.c:207 + zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706 + v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062 + __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874 + video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056 + v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696 + ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718 + do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x7f3b56d8b347 +Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff +ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff +ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 
64 +RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347 +RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884 +R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000 +================================================================== + +For this device udev->product is not initialized and accessing it causes a NULL pointer deref. + +The fix is to check for NULL before strscpy() and copy empty string, if +product is NULL + +Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com +Signed-off-by: Vandana BN +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +[bwh: Backported to 4.19: This function uses strlcpy() instead of strscpy()] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/zr364xx/zr364xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -703,7 +703,8 @@ static int zr364xx_vidioc_querycap(struc + struct zr364xx_camera *cam = video_drvdata(file); + + strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver)); +- strlcpy(cap->card, cam->udev->product, sizeof(cap->card)); ++ if (cam->udev->product) ++ strlcpy(cap->card, cam->udev->product, sizeof(cap->card)); + strlcpy(cap->bus_info, dev_name(&cam->udev->dev), + sizeof(cap->bus_info)); + cap->device_caps = V4L2_CAP_VIDEO_CAPTURE | diff --git a/queue-4.19/rdma-fix-goto-target-to-release-the-allocated-memory.patch b/queue-4.19/rdma-fix-goto-target-to-release-the-allocated-memory.patch new file mode 100644 index 00000000000..b43222a4557 --- /dev/null +++ b/queue-4.19/rdma-fix-goto-target-to-release-the-allocated-memory.patch 
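Review bot: The commit message says an empty string is copied when `udev->product` is NULL, but the hunk only skips the `strlcpy`, so `cap->card` ends up empty only if the caller has already zeroed `cap` (not visible here). Making the fallback explicit removes that dependency: `strlcpy(cap->card, cam->udev->product ? cam->udev->product : "", sizeof(cap->card));`. `zr364xx_vidioc_querycap` starts outside the hunk.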
@@ -0,0 +1,34 @@ +From foo@baz Wed 15 Jan 2020 03:48:42 PM CET +From: Navid Emamdoost +Date: Tue, 10 Sep 2019 17:21:19 -0500 +Subject: RDMA: Fix goto target to release the allocated memory + +From: Navid Emamdoost + +commit 4a9d46a9fe14401f21df69cea97c62396d5fb053 upstream. + +In bnxt_re_create_srq(), when ib_copy_to_udata() fails allocated memory +should be released by goto fail. + +Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters") +Link: https://lore.kernel.org/r/20190910222120.16517-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1446,7 +1446,7 @@ struct ib_srq *bnxt_re_create_srq(struct + dev_err(rdev_to_dev(rdev), "SRQ copy to udata failed!"); + bnxt_qplib_destroy_srq(&rdev->qplib_res, + &srq->qplib_srq); +- goto exit; ++ goto fail; + } + } + if (nq) diff --git a/queue-4.19/series b/queue-4.19/series index 15de0a098eb..8ffee166436 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -3,3 +3,13 @@ hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
 hid-hidraw-uhid-always-report-epollout.patch
 ethtool-reduce-stack-usage-with-clang.patch
 fs-select-avoid-clang-stack-usage-warning.patch
+cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch
+mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
+f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch
+f2fs-check-memory-boundary-by-insane-namelen.patch
+f2fs-check-if-file-namelen-exceeds-max-value.patch
+media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch
+iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
+iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch
+rdma-fix-goto-target-to-release-the-allocated-memory.patch
+dccp-fix-memleak-in-__feat_register_sp.patch