fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Thu, 11 Jul 2019 00:53:50 +0000 (20:53 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 11 Jul 2019 00:53:50 +0000 (20:53 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
21 files changed:
queue-4.9/arm-davinci-da850-evm-call-regulator_has_full_constr.patch [new file with mode: 0644]
queue-4.9/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch [new file with mode: 0644]
queue-4.9/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch [new file with mode: 0644]
queue-4.9/can-mcp251x-add-support-for-mcp25625.patch [new file with mode: 0644]
queue-4.9/dt-bindings-can-mcp251x-add-mcp25625-support.patch [new file with mode: 0644]
queue-4.9/input-elantech-enable-middle-button-support-on-2-thi.patch [new file with mode: 0644]
queue-4.9/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch [new file with mode: 0644]
queue-4.9/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch [new file with mode: 0644]
queue-4.9/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch [new file with mode: 0644]
queue-4.9/mac80211-free-peer-keys-before-vif-down-in-mesh.patch [new file with mode: 0644]
queue-4.9/mac80211-mesh-fix-rcu-warning.patch [new file with mode: 0644]
queue-4.9/mac80211-only-warn-once-on-chanctx_conf-being-null.patch [new file with mode: 0644]
queue-4.9/md-fix-for-divide-error-in-status_resync.patch [new file with mode: 0644]
queue-4.9/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch [new file with mode: 0644]
queue-4.9/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch [new file with mode: 0644]
queue-4.9/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch [new file with mode: 0644]
queue-4.9/netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch [new file with mode: 0644]
queue-4.9/netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch [new file with mode: 0644]
queue-4.9/samples-bpf-fix-to-change-the-buffer-size-for-read.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/staging-iio-ad7150-fix-threshold-mode-config-bit.patch [new file with mode: 0644]

diff --git a/queue-4.9/arm-davinci-da850-evm-call-regulator_has_full_constr.patch b/queue-4.9/arm-davinci-da850-evm-call-regulator_has_full_constr.patch
new file mode 100644 (file)
index 0000000..ec7bd49
--- /dev/null
@@ -0,0 +1,38 @@
+From c7f9fa207084abd6bb081a62c1637477fa8f86d3 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 7 Jun 2019 11:02:01 +0200
+Subject: ARM: davinci: da850-evm: call regulator_has_full_constraints()
+
+[ Upstream commit 0c0c9b5753cd04601b17de09da1ed2885a3b42fe ]
+
+The BB expander at 0x21 i2c bus 1 fails to probe on da850-evm because
+the board doesn't set has_full_constraints to true in the regulator
+API.
+
+Call regulator_has_full_constraints() at the end of board registration
+just like we do in da850-lcdk and da830-evm.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-davinci/board-da850-evm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/mach-davinci/board-da850-evm.c b/arch/arm/mach-davinci/board-da850-evm.c
+index 8e4539f69fdc..3bdf0d588238 100644
+--- a/arch/arm/mach-davinci/board-da850-evm.c
++++ b/arch/arm/mach-davinci/board-da850-evm.c
+@@ -1479,6 +1479,8 @@ static __init void da850_evm_init(void)
+       if (ret)
+               pr_warn("%s: dsp/rproc registration failed: %d\n",
+                       __func__, ret);
++
++      regulator_has_full_constraints();
+ }
+ #ifdef CONFIG_SERIAL_8250_CONSOLE
+-- 
+2.20.1
+
diff --git a/queue-4.9/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch b/queue-4.9/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch
new file mode 100644 (file)
index 0000000..c5be6d1
--- /dev/null
@@ -0,0 +1,66 @@
+From bfe771696f6c3eff89b5256c93a002b3a99da9b7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 7 Jun 2019 16:33:50 +0200
+Subject: ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
+
+[ Upstream commit 68f2515bb31a664ba3e2bc1eb78dd9f529b10067 ]
+
+The lcdc device is missing the dma_coherent_mask definition causing the
+following warning on da850-evm:
+
+da8xx_lcdc da8xx_lcdc.0: found Sharp_LK043T1DG01 panel
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:247 dma_alloc_attrs+0xc8/0x110
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Not tainted 5.2.0-rc3-00077-g16d72dd4891f #18
+Hardware name: DaVinci DA850/OMAP-L138/AM18x EVM
+[<c000fce8>] (unwind_backtrace) from [<c000d900>] (show_stack+0x10/0x14)
+[<c000d900>] (show_stack) from [<c001a4f8>] (__warn+0xec/0x114)
+[<c001a4f8>] (__warn) from [<c001a634>] (warn_slowpath_null+0x3c/0x48)
+[<c001a634>] (warn_slowpath_null) from [<c0065860>] (dma_alloc_attrs+0xc8/0x110)
+[<c0065860>] (dma_alloc_attrs) from [<c02820f8>] (fb_probe+0x228/0x5a8)
+[<c02820f8>] (fb_probe) from [<c02d3e9c>] (platform_drv_probe+0x48/0x9c)
+[<c02d3e9c>] (platform_drv_probe) from [<c02d221c>] (really_probe+0x1d8/0x2d4)
+[<c02d221c>] (really_probe) from [<c02d2474>] (driver_probe_device+0x5c/0x168)
+[<c02d2474>] (driver_probe_device) from [<c02d2728>] (device_driver_attach+0x58/0x60)
+[<c02d2728>] (device_driver_attach) from [<c02d27b0>] (__driver_attach+0x80/0xbc)
+[<c02d27b0>] (__driver_attach) from [<c02d047c>] (bus_for_each_dev+0x64/0xb4)
+[<c02d047c>] (bus_for_each_dev) from [<c02d1590>] (bus_add_driver+0xe4/0x1d8)
+[<c02d1590>] (bus_add_driver) from [<c02d301c>] (driver_register+0x78/0x10c)
+[<c02d301c>] (driver_register) from [<c000a5c0>] (do_one_initcall+0x48/0x1bc)
+[<c000a5c0>] (do_one_initcall) from [<c05cae6c>] (kernel_init_freeable+0x10c/0x1d8)
+[<c05cae6c>] (kernel_init_freeable) from [<c048a000>] (kernel_init+0x8/0xf4)
+[<c048a000>] (kernel_init) from [<c00090e0>] (ret_from_fork+0x14/0x34)
+Exception stack(0xc6837fb0 to 0xc6837ff8)
+7fa0:                                     00000000 00000000 00000000 00000000
+7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+---[ end trace 8a8073511be81dd2 ]---
+
+Add a 32-bit mask to the platform device's definition.
+
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-davinci/devices-da8xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c
+index 9a22d40602aa..24779504f489 100644
+--- a/arch/arm/mach-davinci/devices-da8xx.c
++++ b/arch/arm/mach-davinci/devices-da8xx.c
+@@ -706,6 +706,9 @@ static struct platform_device da8xx_lcdc_device = {
+       .id             = 0,
+       .num_resources  = ARRAY_SIZE(da8xx_lcdc_resources),
+       .resource       = da8xx_lcdc_resources,
++      .dev            = {
++              .coherent_dma_mask      = DMA_BIT_MASK(32),
++      }
+ };
+ int __init da8xx_register_lcdc(struct da8xx_lcdc_platform_data *pdata)
+-- 
+2.20.1
+
diff --git a/queue-4.9/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch b/queue-4.9/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch
new file mode 100644 (file)
index 0000000..75c289f
--- /dev/null
@@ -0,0 +1,63 @@
+From ebb6fc40439db283bf6e4052c2517dc3e0c43f47 Mon Sep 17 00:00:00 2001
+From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
+Date: Thu, 13 Jun 2019 16:25:40 -0300
+Subject: bnx2x: Check if transceiver implements DDM before access
+
+[ Upstream commit cf18cecca911c0db96b868072665347efe6df46f ]
+
+Some transceivers may comply with SFF-8472 even though they do not
+implement the Digital Diagnostic Monitoring (DDM) interface described in
+the spec. The existence of such area is specified by the 6th bit of byte
+92, set to 1 if implemented.
+
+Currently, without checking this bit, bnx2x fails trying to read sfp
+module's EEPROM with the follow message:
+
+ethtool -m enP5p1s0f1
+Cannot get Module EEPROM data: Input/output error
+
+Because it fails to read the additional 256 bytes in which it is assumed
+to exist the DDM data.
+
+This issue was noticed using a Mellanox Passive DAC PN 01FT738. The EEPROM
+data was confirmed by Mellanox as correct and similar to other Passive
+DACs from other manufacturers.
+
+Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 ++-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h    | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+index 8aecd8ef6542..15a0850e6bde 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -1562,7 +1562,8 @@ static int bnx2x_get_module_info(struct net_device *dev,
+       }
+       if (!sff8472_comp ||
+-          (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ)) {
++          (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ) ||
++          !(diag_type & SFP_EEPROM_DDM_IMPLEMENTED)) {
+               modinfo->type = ETH_MODULE_SFF_8079;
+               modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
+       } else {
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
+index b7d251108c19..7115f5025664 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h
+@@ -62,6 +62,7 @@
+ #define SFP_EEPROM_DIAG_TYPE_ADDR             0x5c
+ #define SFP_EEPROM_DIAG_TYPE_SIZE             1
+ #define SFP_EEPROM_DIAG_ADDR_CHANGE_REQ               (1<<2)
++#define SFP_EEPROM_DDM_IMPLEMENTED            (1<<6)
+ #define SFP_EEPROM_SFF_8472_COMP_ADDR         0x5e
+ #define SFP_EEPROM_SFF_8472_COMP_SIZE         1
+-- 
+2.20.1
+
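Review bot: `SFP_EEPROM_DDM_IMPLEMENTED` is added to bnx2x_link.h without a comment tying it to the spec. The commit message says it is bit 6 of byte 92, which matches `SFP_EEPROM_DIAG_TYPE_ADDR` (0x5c), so a comment such as `/* SFF-8472 byte 92, bit 6: DDM implemented */` on the define would save the next reader the lookup. In `bnx2x_get_module_info()` the three-way condition selects the reported `eeprom_len`, so a one-line comment above the `if` saying that modules without DDM are reported as SFF-8079 would help too. The function body starts and ends outside the hunk.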
diff --git a/queue-4.9/can-mcp251x-add-support-for-mcp25625.patch b/queue-4.9/can-mcp251x-add-support-for-mcp25625.patch
new file mode 100644 (file)
index 0000000..40e5aca
--- /dev/null
@@ -0,0 +1,134 @@
+From 39fef8d0e6c9bcf2f58a208d334cb67037441e0b Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 7 May 2019 11:34:36 +0200
+Subject: can: mcp251x: add support for mcp25625
+
+[ Upstream commit 35b7fa4d07c43ad79b88e6462119e7140eae955c ]
+
+Fully compatible with mcp2515, the mcp25625 have integrated transceiver.
+
+This patch adds support for the mcp25625 to the existing mcp251x driver.
+
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/Kconfig   |  5 +++--
+ drivers/net/can/spi/mcp251x.c | 25 ++++++++++++++++---------
+ 2 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/can/spi/Kconfig b/drivers/net/can/spi/Kconfig
+index 148cae5871a6..249d2db7d600 100644
+--- a/drivers/net/can/spi/Kconfig
++++ b/drivers/net/can/spi/Kconfig
+@@ -2,9 +2,10 @@ menu "CAN SPI interfaces"
+       depends on SPI
+ config CAN_MCP251X
+-      tristate "Microchip MCP251x SPI CAN controllers"
++      tristate "Microchip MCP251x and MCP25625 SPI CAN controllers"
+       depends on HAS_DMA
+       ---help---
+-        Driver for the Microchip MCP251x SPI CAN controllers.
++        Driver for the Microchip MCP251x and MCP25625 SPI CAN
++        controllers.
+ endmenu
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index f3f05fea8e1f..d8c448beab24 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1,5 +1,5 @@
+ /*
+- * CAN bus driver for Microchip 251x CAN Controller with SPI Interface
++ * CAN bus driver for Microchip 251x/25625 CAN Controller with SPI Interface
+  *
+  * MCP2510 support and bug fixes by Christian Pellegrin
+  * <chripell@evolware.org>
+@@ -41,7 +41,7 @@
+  * static struct spi_board_info spi_board_info[] = {
+  *         {
+  *                 .modalias = "mcp2510",
+- *                    // or "mcp2515" depending on your controller
++ *                    // "mcp2515" or "mcp25625" depending on your controller
+  *                 .platform_data = &mcp251x_info,
+  *                 .irq = IRQ_EINT13,
+  *                 .max_speed_hz = 2*1000*1000,
+@@ -238,6 +238,7 @@ static const struct can_bittiming_const mcp251x_bittiming_const = {
+ enum mcp251x_model {
+       CAN_MCP251X_MCP2510     = 0x2510,
+       CAN_MCP251X_MCP2515     = 0x2515,
++      CAN_MCP251X_MCP25625    = 0x25625,
+ };
+ struct mcp251x_priv {
+@@ -280,7 +281,6 @@ static inline int mcp251x_is_##_model(struct spi_device *spi) \
+ }
+ MCP251X_IS(2510);
+-MCP251X_IS(2515);
+ static void mcp251x_clean(struct net_device *net)
+ {
+@@ -640,7 +640,7 @@ static int mcp251x_hw_reset(struct spi_device *spi)
+       /* Wait for oscillator startup timer after reset */
+       mdelay(MCP251X_OST_DELAY_MS);
+-      
++
+       reg = mcp251x_read_reg(spi, CANSTAT);
+       if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF)
+               return -ENODEV;
+@@ -821,9 +821,8 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id)
+               /* receive buffer 0 */
+               if (intf & CANINTF_RX0IF) {
+                       mcp251x_hw_rx(spi, 0);
+-                      /*
+-                       * Free one buffer ASAP
+-                       * (The MCP2515 does this automatically.)
++                      /* Free one buffer ASAP
++                       * (The MCP2515/25625 does this automatically.)
+                        */
+                       if (mcp251x_is_2510(spi))
+                               mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00);
+@@ -832,7 +831,7 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id)
+               /* receive buffer 1 */
+               if (intf & CANINTF_RX1IF) {
+                       mcp251x_hw_rx(spi, 1);
+-                      /* the MCP2515 does this automatically */
++                      /* The MCP2515/25625 does this automatically. */
+                       if (mcp251x_is_2510(spi))
+                               clear_intf |= CANINTF_RX1IF;
+               }
+@@ -1007,6 +1006,10 @@ static const struct of_device_id mcp251x_of_match[] = {
+               .compatible     = "microchip,mcp2515",
+               .data           = (void *)CAN_MCP251X_MCP2515,
+       },
++      {
++              .compatible     = "microchip,mcp25625",
++              .data           = (void *)CAN_MCP251X_MCP25625,
++      },
+       { }
+ };
+ MODULE_DEVICE_TABLE(of, mcp251x_of_match);
+@@ -1020,6 +1023,10 @@ static const struct spi_device_id mcp251x_id_table[] = {
+               .name           = "mcp2515",
+               .driver_data    = (kernel_ulong_t)CAN_MCP251X_MCP2515,
+       },
++      {
++              .name           = "mcp25625",
++              .driver_data    = (kernel_ulong_t)CAN_MCP251X_MCP25625,
++      },
+       { }
+ };
+ MODULE_DEVICE_TABLE(spi, mcp251x_id_table);
+@@ -1260,5 +1267,5 @@ module_spi_driver(mcp251x_can_driver);
+ MODULE_AUTHOR("Chris Elston <celston@katalix.com>, "
+             "Christian Pellegrin <chripell@evolware.org>");
+-MODULE_DESCRIPTION("Microchip 251x CAN driver");
++MODULE_DESCRIPTION("Microchip 251x/25625 CAN driver");
+ MODULE_LICENSE("GPL v2");
+-- 
+2.20.1
+
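Review bot: Dropping `MCP251X_IS(2515);` removes `mcp251x_is_2515()` from the driver, and the visible hunks do not show whether the 4.9 copy of mcp251x.c still calls it anywhere. The upstream change was written against a newer base, so this should be confirmed with a build of this tree before the patch is queued. The model tests visible in these hunks all use `mcp251x_is_2510()`, so the MCP25625 gets the MCP2515 behaviour only by being "not 2510". A short comment on `enum mcp251x_model`, e.g. `/* MCP25625 is register-compatible with MCP2515 */`, would make that assumption explicit.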
diff --git a/queue-4.9/dt-bindings-can-mcp251x-add-mcp25625-support.patch b/queue-4.9/dt-bindings-can-mcp251x-add-mcp25625-support.patch
new file mode 100644 (file)
index 0000000..6c78cb1
--- /dev/null
@@ -0,0 +1,33 @@
+From aaa73c162a9566804024fa085bf4d542c2e12b8d Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 7 May 2019 11:34:37 +0200
+Subject: dt-bindings: can: mcp251x: add mcp25625 support
+
+[ Upstream commit 0df82dcd55832a99363ab7f9fab954fcacdac3ae ]
+
+Fully compatible with mcp2515, the mcp25625 have integrated transceiver.
+
+This patch add the mcp25625 to the device tree bindings documentation.
+
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
+index ee3723beb701..33b38716b77f 100644
+--- a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
++++ b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt
+@@ -4,6 +4,7 @@ Required properties:
+  - compatible: Should be one of the following:
+    - "microchip,mcp2510" for MCP2510.
+    - "microchip,mcp2515" for MCP2515.
++   - "microchip,mcp25625" for MCP25625.
+  - reg: SPI chip select.
+  - clocks: The clock feeding the CAN controller.
+  - interrupt-parent: The parent interrupt controller.
+-- 
+2.20.1
+
diff --git a/queue-4.9/input-elantech-enable-middle-button-support-on-2-thi.patch b/queue-4.9/input-elantech-enable-middle-button-support-on-2-thi.patch
new file mode 100644 (file)
index 0000000..6f5c287
--- /dev/null
@@ -0,0 +1,32 @@
+From 70d83271ca0a4ccee6d5d30515b01d22366696fd Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Mon, 20 May 2019 22:09:10 -0700
+Subject: Input: elantech - enable middle button support on 2 ThinkPads
+
+[ Upstream commit aa440de3058a3ef530851f9ef373fbb5f694dbc3 ]
+
+Adding 2 new touchpad PNPIDs to enable middle button support.
+
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/mouse/elantech.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 38edf8f5bf8a..15be3ee6cc50 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1187,6 +1187,8 @@ static const char * const middle_button_pnp_ids[] = {
+       "LEN2132", /* ThinkPad P52 */
+       "LEN2133", /* ThinkPad P72 w/ NFC */
+       "LEN2134", /* ThinkPad P72 */
++      "LEN0407",
++      "LEN0408",
+       NULL
+ };
+-- 
+2.20.1
+
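Review bot: The two new entries `"LEN0407"` and `"LEN0408"` in `middle_button_pnp_ids[]` carry no model comment, unlike the entries just above them (`/* ThinkPad P52 */` and so on). The commit message only says "2 ThinkPads", so the submitter should name the models, in the form `"LEN0407", /* ThinkPad <model> */`, to keep the table auditable when IDs are later added or removed. The start of the array is outside the hunk.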
diff --git a/queue-4.9/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch b/queue-4.9/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch
new file mode 100644 (file)
index 0000000..ee414c8
--- /dev/null
@@ -0,0 +1,86 @@
+From 38853ffeb3eb53c73828890a8973acc550cf8ec8 Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Tue, 11 Jun 2019 17:50:44 -0700
+Subject: Input: imx_keypad - make sure keyboard can always wake up system
+
+[ Upstream commit ce9a53eb3dbca89e7ad86673d94ab886e9bea704 ]
+
+There are several scenarios that keyboard can NOT wake up system
+from suspend, e.g., if a keyboard is depressed between system
+device suspend phase and device noirq suspend phase, the keyboard
+ISR will be called and both keyboard depress and release interrupts
+will be disabled, then keyboard will no longer be able to wake up
+system. Another scenario would be, if a keyboard is kept depressed,
+and then system goes into suspend, the expected behavior would be
+when keyboard is released, system will be waked up, but current
+implementation can NOT achieve that, because both depress and release
+interrupts are disabled in ISR, and the event check is still in
+progress.
+
+To fix these issues, need to make sure keyboard's depress or release
+interrupt is enabled after noirq device suspend phase, this patch
+moves the suspend/resume callback to noirq suspend/resume phase, and
+enable the corresponding interrupt according to current keyboard status.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/imx_keypad.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/keyboard/imx_keypad.c b/drivers/input/keyboard/imx_keypad.c
+index 2165f3dd328b..842c0235471d 100644
+--- a/drivers/input/keyboard/imx_keypad.c
++++ b/drivers/input/keyboard/imx_keypad.c
+@@ -530,11 +530,12 @@ static int imx_keypad_probe(struct platform_device *pdev)
+       return 0;
+ }
+-static int __maybe_unused imx_kbd_suspend(struct device *dev)
++static int __maybe_unused imx_kbd_noirq_suspend(struct device *dev)
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+       struct imx_keypad *kbd = platform_get_drvdata(pdev);
+       struct input_dev *input_dev = kbd->input_dev;
++      unsigned short reg_val = readw(kbd->mmio_base + KPSR);
+       /* imx kbd can wake up system even clock is disabled */
+       mutex_lock(&input_dev->mutex);
+@@ -544,13 +545,20 @@ static int __maybe_unused imx_kbd_suspend(struct device *dev)
+       mutex_unlock(&input_dev->mutex);
+-      if (device_may_wakeup(&pdev->dev))
++      if (device_may_wakeup(&pdev->dev)) {
++              if (reg_val & KBD_STAT_KPKD)
++                      reg_val |= KBD_STAT_KRIE;
++              if (reg_val & KBD_STAT_KPKR)
++                      reg_val |= KBD_STAT_KDIE;
++              writew(reg_val, kbd->mmio_base + KPSR);
++
+               enable_irq_wake(kbd->irq);
++      }
+       return 0;
+ }
+-static int __maybe_unused imx_kbd_resume(struct device *dev)
++static int __maybe_unused imx_kbd_noirq_resume(struct device *dev)
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+       struct imx_keypad *kbd = platform_get_drvdata(pdev);
+@@ -574,7 +582,9 @@ static int __maybe_unused imx_kbd_resume(struct device *dev)
+       return ret;
+ }
+-static SIMPLE_DEV_PM_OPS(imx_kbd_pm_ops, imx_kbd_suspend, imx_kbd_resume);
++static const struct dev_pm_ops imx_kbd_pm_ops = {
++      SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(imx_kbd_noirq_suspend, imx_kbd_noirq_resume)
++};
+ static struct platform_driver imx_keypad_driver = {
+       .driver         = {
+-- 
+2.20.1
+
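Review bot: The KPSR snapshot is taken in the declaration initializer at the top of `imx_kbd_noirq_suspend()`, but it is only used after the mutex-protected section, inside the `device_may_wakeup()` branch. Reading it there, with `reg_val = readw(kbd->mmio_base + KPSR);` as the first line of the branch, would keep the read-modify-write together and avoid an MMIO read when wakeup is disabled. The `writew()` also stores back whatever status bits were read; if `KBD_STAT_KPKD`/`KBD_STAT_KPKR` are write-one-to-clear on this block (not visible here), a comment should say whether clearing them is intended. The resume side is only partly visible, so I cannot tell from the hunks whether it restores the interrupt-enable bits that suspend sets.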
diff --git a/queue-4.9/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch b/queue-4.9/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch
new file mode 100644 (file)
index 0000000..9c50694
--- /dev/null
@@ -0,0 +1,40 @@
+From def6b366fb7ae21ce98d7470728071fb35361986 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 17 Jun 2019 21:34:14 +0800
+Subject: ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
+
+[ Upstream commit 6f6a8622057c92408930c31698394fae1557b188 ]
+
+A similar fix to Patch "ip_tunnel: allow not to count pkts on tstats by
+setting skb's dev to NULL" is also needed by ip6_tunnel.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip6_tunnel.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
+index 1b1cf33cbfb0..2b6abd046087 100644
+--- a/include/net/ip6_tunnel.h
++++ b/include/net/ip6_tunnel.h
+@@ -149,9 +149,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
+       memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
+       pkt_len = skb->len - skb_inner_network_offset(skb);
+       err = ip6_local_out(dev_net(skb_dst(skb)->dev), sk, skb);
+-      if (unlikely(net_xmit_eval(err)))
+-              pkt_len = -1;
+-      iptunnel_xmit_stats(dev, pkt_len);
++
++      if (dev) {
++              if (unlikely(net_xmit_eval(err)))
++                      pkt_len = -1;
++              iptunnel_xmit_stats(dev, pkt_len);
++      }
+ }
+ #endif
+ #endif
+-- 
+2.20.1
+
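Review bot: `ip6tunnel_xmit()` now accepts `dev == NULL` as "do not update tstats", but nothing in the header says so. A one-line comment above the function, such as `/* dev may be NULL: the packet is sent but not counted in tstats */`, would document the new contract for callers. In that case the result of `ip6_local_out()` in `err` is not examined at all, so a transmit failure is silent; that appears intended by the commit message but is worth stating in the same comment. The start of the function is outside the hunk.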
diff --git a/queue-4.9/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch b/queue-4.9/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch
new file mode 100644 (file)
index 0000000..466dd3f
--- /dev/null
@@ -0,0 +1,45 @@
+From 75f77348b056ce0836db009ab0dfe152b9ea04f9 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 6 Jun 2019 11:58:07 +0100
+Subject: KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
+
+[ Upstream commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a ]
+
+kvm_device->destroy() seems to be supposed to free its kvm_device
+struct, but vgic_its_destroy() is not currently doing this,
+resulting in a memory leak, resulting in kmemleak reports such as
+the following:
+
+unreferenced object 0xffff800aeddfe280 (size 128):
+  comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s)
+  [...]
+  backtrace:
+    [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208
+    [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0
+
+Fix it.
+
+Cc: Andre Przywara <andre.przywara@arm.com>
+Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
+index 1ebbf233de9a..6d64b2cb02ab 100644
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -1466,6 +1466,7 @@ static void vgic_its_destroy(struct kvm_device *kvm_dev)
+       mutex_unlock(&its->its_lock);
+       kfree(its);
++      kfree(kvm_dev);/* alloc by kvm_ioctl_create_device, free by .destroy */
+ }
+ static int vgic_its_has_attr(struct kvm_device *dev,
+-- 
+2.20.1
+
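Review bot: `kfree(kvm_dev)` at the end of `vgic_its_destroy()` is only safe if every caller of `->destroy()` in this 4.9 tree treats the pointer as dead afterwards. The callers are not in the hunk (the trailing comment names `kvm_ioctl_create_device`), so it should be confirmed that none of them frees or dereferences the device after the callback; otherwise the leak fix becomes a double free or use-after-free. The trailing comment is also cramped against the statement. I would put it on its own line, `/* kvm_dev was allocated by kvm_ioctl_create_device(); .destroy must free it */`, followed by `kfree(kvm_dev);`. The function body begins outside the hunk.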
diff --git a/queue-4.9/mac80211-free-peer-keys-before-vif-down-in-mesh.patch b/queue-4.9/mac80211-free-peer-keys-before-vif-down-in-mesh.patch
new file mode 100644 (file)
index 0000000..6111d3a
--- /dev/null
@@ -0,0 +1,32 @@
+From 6935b2942424f8fe14ad674aea2d4cc3b7911412 Mon Sep 17 00:00:00 2001
+From: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Date: Tue, 28 May 2019 16:36:16 -0700
+Subject: mac80211: free peer keys before vif down in mesh
+
+[ Upstream commit 0112fa557c3bb3a002bc85760dc3761d737264d3 ]
+
+freeing peer keys after vif down is resulting in peer key uninstall
+to fail due to interface lookup failure. so fix that.
+
+Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 7f902e69530f..5c347d3a92c9 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -885,6 +885,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
+       /* flush STAs and mpaths on this iface */
+       sta_info_flush(sdata);
++      ieee80211_free_keys(sdata, true);
+       mesh_path_flush_by_iface(sdata);
+       /* stop the beacon */
+-- 
+2.20.1
+
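Review bot: The added `ieee80211_free_keys(sdata, true);` sits under the comment `/* flush STAs and mpaths on this iface */`, which does not mention keys, and the ordering constraint that motivates the patch is only in the commit message. A comment at the call, e.g. `/* free peer keys while the vif is still up, otherwise key uninstall fails the interface lookup */`, would keep a later reordering from reintroducing the failed uninstall. The rest of `ieee80211_stop_mesh()` lies outside the hunk.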
diff --git a/queue-4.9/mac80211-mesh-fix-rcu-warning.patch b/queue-4.9/mac80211-mesh-fix-rcu-warning.patch
new file mode 100644 (file)
index 0000000..f257df3
--- /dev/null
@@ -0,0 +1,62 @@
+From dbce5b4127dec0d23779e3464328188a5e12c697 Mon Sep 17 00:00:00 2001
+From: Thomas Pedersen <thomas@eero.com>
+Date: Fri, 24 May 2019 21:16:24 -0700
+Subject: mac80211: mesh: fix RCU warning
+
+[ Upstream commit 551842446ed695641a00782cd118cbb064a416a1 ]
+
+ifmsh->csa is an RCU-protected pointer. The writer context
+in ieee80211_mesh_finish_csa() is already mutually
+exclusive with wdev->sdata.mtx, but the RCU checker did
+not know this. Use rcu_dereference_protected() to avoid a
+warning.
+
+fixes the following warning:
+
+[   12.519089] =============================
+[   12.520042] WARNING: suspicious RCU usage
+[   12.520652] 5.1.0-rc7-wt+ #16 Tainted: G        W
+[   12.521409] -----------------------------
+[   12.521972] net/mac80211/mesh.c:1223 suspicious rcu_dereference_check() usage!
+[   12.522928] other info that might help us debug this:
+[   12.523984] rcu_scheduler_active = 2, debug_locks = 1
+[   12.524855] 5 locks held by kworker/u8:2/152:
+[   12.525438]  #0: 00000000057be08c ((wq_completion)phy0){+.+.}, at: process_one_work+0x1a2/0x620
+[   12.526607]  #1: 0000000059c6b07a ((work_completion)(&sdata->csa_finalize_work)){+.+.}, at: process_one_work+0x1a2/0x620
+[   12.528001]  #2: 00000000f184ba7d (&wdev->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x2f/0x90
+[   12.529116]  #3: 00000000831a1f54 (&local->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x47/0x90
+[   12.530233]  #4: 00000000fd06f988 (&local->chanctx_mtx){+.+.}, at: ieee80211_csa_finalize_work+0x51/0x90
+
+Signed-off-by: Thomas Pedersen <thomas@eero.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index b2a27263d6ff..7f902e69530f 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1135,7 +1135,8 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata)
+       ifmsh->chsw_ttl = 0;
+       /* Remove the CSA and MCSP elements from the beacon */
+-      tmp_csa_settings = rcu_dereference(ifmsh->csa);
++      tmp_csa_settings = rcu_dereference_protected(ifmsh->csa,
++                                          lockdep_is_held(&sdata->wdev.mtx));
+       RCU_INIT_POINTER(ifmsh->csa, NULL);
+       if (tmp_csa_settings)
+               kfree_rcu(tmp_csa_settings, rcu_head);
+@@ -1157,6 +1158,8 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
+       struct mesh_csa_settings *tmp_csa_settings;
+       int ret = 0;
++      lockdep_assert_held(&sdata->wdev.mtx);
++
+       tmp_csa_settings = kmalloc(sizeof(*tmp_csa_settings),
+                                  GFP_ATOMIC);
+       if (!tmp_csa_settings)
+-- 
+2.20.1
+
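Review bot: With `lockdep_assert_held(&sdata->wdev.mtx)` added at the top of `ieee80211_mesh_csa_beacon()`, the function is asserted to run with a mutex held, yet the allocation right below it still uses `GFP_ATOMIC`. Unless a spinlock or RCU read-side section is also held on this path (not visible in the hunk), `GFP_KERNEL` would be less likely to fail under memory pressure. `ieee80211_mesh_finish_csa()` names the same lock through `lockdep_is_held(&sdata->wdev.mtx)`, so the two functions are consistent. Both function bodies extend beyond their hunks.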
diff --git a/queue-4.9/mac80211-only-warn-once-on-chanctx_conf-being-null.patch b/queue-4.9/mac80211-only-warn-once-on-chanctx_conf-being-null.patch
new file mode 100644 (file)
index 0000000..5443bdc
--- /dev/null
@@ -0,0 +1,49 @@
+From 59ee94b54d7507f21e05a22835903bb7614a4f23 Mon Sep 17 00:00:00 2001
+From: Yibo Zhao <yiboz@codeaurora.org>
+Date: Fri, 14 Jun 2019 19:01:52 +0800
+Subject: mac80211: only warn once on chanctx_conf being NULL
+
+[ Upstream commit 563572340173865a9a356e6bb02579e6998a876d ]
+
+In multiple SSID cases, it takes time to prepare every AP interface
+to be ready in initializing phase. If a sta already knows everything it
+needs to join one of the APs and sends authentication to the AP which
+is not fully prepared at this point of time, AP's channel context
+could be NULL. As a result, warning message occurs.
+
+Even worse, if the AP is under attack via tools such as MDK3 and massive
+authentication requests are received in a very short time, console will
+be hung due to kernel warning messages.
+
+WARN_ON_ONCE() could be a better way for indicating warning messages
+without duplicate messages to flood the console.
+
+Johannes: We still need to address the underlying problem, but we
+          don't really have a good handle on it yet. Suppress the
+          worst side-effects for now.
+
+Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
+Signed-off-by: Yibo Zhao <yiboz@codeaurora.org>
+[johannes: add note, change subject]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 8a690ebd7374..6708de10a3e5 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1403,7 +1403,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+       rcu_read_lock();
+       chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+-      if (WARN_ON(!chanctx_conf)) {
++      if (WARN_ON_ONCE(!chanctx_conf)) {
+               rcu_read_unlock();
+               return NULL;
+       }
+-- 
+2.20.1
+
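Review bot: `WARN_ON_ONCE(!chanctx_conf)` stops the console flood, but the NULL return from `ieee80211_get_sband()` is still reachable while an AP interface is not fully prepared, as the commit message itself describes. After the first hit the condition is no longer logged at all. Callers (not in this hunk) have to keep handling NULL, and a comment on the check would record that, e.g. `/* chanctx may not be assigned yet; callers must handle NULL */`. If visibility of repeated hits matters for detection, a rate-limited message or a counter would be an alternative to full suppression.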
diff --git a/queue-4.9/md-fix-for-divide-error-in-status_resync.patch b/queue-4.9/md-fix-for-divide-error-in-status_resync.patch
new file mode 100644 (file)
index 0000000..87b8737
--- /dev/null
@@ -0,0 +1,91 @@
+From 73880de1d1becb01d81dc458c84ca8c45f2bc890 Mon Sep 17 00:00:00 2001
+From: Mariusz Tkaczyk <mariusz.tkaczyk@intel.com>
+Date: Thu, 13 Jun 2019 16:11:41 +0200
+Subject: md: fix for divide error in status_resync
+
+[ Upstream commit 9642fa73d073527b0cbc337cc17a47d545d82cd2 ]
+
+Stopping external metadata arrays during resync/recovery causes
+retries, loop of interrupting and starting reconstruction, until it
+hit at good moment to stop completely. While these retries
+curr_mark_cnt can be small- especially on HDD drives, so subtraction
+result can be smaller than 0. However it is casted to uint without
+checking. As a result of it the status bar in /proc/mdstat while stopping
+is strange (it jumps between 0% and 99%).
+
+The real problem occurs here after commit 72deb455b5ec ("block: remove
+CONFIG_LBDAF"). Sector_div() macro has been changed, now the
+divisor is casted to uint32. For db = -8 the divisior(db/32-1) becomes 0.
+
+Check if db value can be really counted and replace these macro by
+div64_u64() inline.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@intel.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 21698eb671d7..765a16dab2e5 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7296,9 +7296,9 @@ static void status_unused(struct seq_file *seq)
+ static int status_resync(struct seq_file *seq, struct mddev *mddev)
+ {
+       sector_t max_sectors, resync, res;
+-      unsigned long dt, db;
+-      sector_t rt;
+-      int scale;
++      unsigned long dt, db = 0;
++      sector_t rt, curr_mark_cnt, resync_mark_cnt;
++      int scale, recovery_active;
+       unsigned int per_milli;
+       if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) ||
+@@ -7368,22 +7368,30 @@ static int status_resync(struct seq_file *seq, struct mddev *mddev)
+        * db: blocks written from mark until now
+        * rt: remaining time
+        *
+-       * rt is a sector_t, so could be 32bit or 64bit.
+-       * So we divide before multiply in case it is 32bit and close
+-       * to the limit.
+-       * We scale the divisor (db) by 32 to avoid losing precision
+-       * near the end of resync when the number of remaining sectors
+-       * is close to 'db'.
+-       * We then divide rt by 32 after multiplying by db to compensate.
+-       * The '+1' avoids division by zero if db is very small.
++       * rt is a sector_t, which is always 64bit now. We are keeping
++       * the original algorithm, but it is not really necessary.
++       *
++       * Original algorithm:
++       *   So we divide before multiply in case it is 32bit and close
++       *   to the limit.
++       *   We scale the divisor (db) by 32 to avoid losing precision
++       *   near the end of resync when the number of remaining sectors
++       *   is close to 'db'.
++       *   We then divide rt by 32 after multiplying by db to compensate.
++       *   The '+1' avoids division by zero if db is very small.
+        */
+       dt = ((jiffies - mddev->resync_mark) / HZ);
+       if (!dt) dt++;
+-      db = (mddev->curr_mark_cnt - atomic_read(&mddev->recovery_active))
+-              - mddev->resync_mark_cnt;
++
++      curr_mark_cnt = mddev->curr_mark_cnt;
++      recovery_active = atomic_read(&mddev->recovery_active);
++      resync_mark_cnt = mddev->resync_mark_cnt;
++
++      if (curr_mark_cnt >= (recovery_active + resync_mark_cnt))
++              db = curr_mark_cnt - (recovery_active + resync_mark_cnt);
+       rt = max_sectors - resync;    /* number of remaining sectors */
+-      sector_div(rt, db/32+1);
++      rt = div64_u64(rt, db/32+1);
+       rt *= dt;
+       rt >>= 5;
+-- 
+2.20.1
+
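Review bot: The rewritten comment in status_resync() says sector_t "is always 64bit now", which is true only in trees that carry 72deb455b5ec, the CONFIG_LBDAF removal named in the description; if this 4.9 queue does not carry it, the comment misdescribes the type. The arithmetic stays safe either way, because div64_u64() works on 64-bit operands and the new `curr_mark_cnt >= (recovery_active + resync_mark_cnt)` guard leaves db at 0 instead of letting the subtraction wrap. For the backport I would reword the first line, for example `* rt is a sector_t, which may be 32bit or 64bit depending on CONFIG_LBDAF.` db is still `unsigned long`, so on a 32-bit build the guarded difference is narrowed on assignment, as in the old code. The function body continues outside both hunks.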
diff --git a/queue-4.9/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch b/queue-4.9/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch
new file mode 100644 (file)
index 0000000..e46e6c8
--- /dev/null
@@ -0,0 +1,35 @@
+From 9129ac062e41c80ddde8c6b37e4f4a16d1590aac Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 11 Jun 2019 10:19:46 +0300
+Subject: mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed
+
+[ Upstream commit 4b14cc313f076c37b646cee06a85f0db59cf216c ]
+
+When PVID is removed from a bridge port, the Linux bridge drops both
+untagged and prio-tagged packets. Align mlxsw with this behavior.
+
+Fixes: 148f472da5db ("mlxsw: reg: Add the Switch Port Acceptable Frame Types register")
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+index a01e6c0d0cd1..b2a745b579fd 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -935,7 +935,7 @@ static inline void mlxsw_reg_spaft_pack(char *payload, u8 local_port,
+       MLXSW_REG_ZERO(spaft, payload);
+       mlxsw_reg_spaft_local_port_set(payload, local_port);
+       mlxsw_reg_spaft_allow_untagged_set(payload, allow_untagged);
+-      mlxsw_reg_spaft_allow_prio_tagged_set(payload, true);
++      mlxsw_reg_spaft_allow_prio_tagged_set(payload, allow_untagged);
+       mlxsw_reg_spaft_allow_tagged_set(payload, true);
+ }
+-- 
+2.20.1
+
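Review bot: In mlxsw_reg_spaft_pack() the `allow_untagged` argument now drives two register fields, and nothing at `mlxsw_reg_spaft_allow_prio_tagged_set(payload, allow_untagged);` says this is intended rather than a copy-paste slip. A one-line comment above it would keep the ingress filtering intent visible, e.g. `/* Priority-tagged frames follow the untagged policy, as the Linux bridge does when PVID is removed. */`. The rest of the signature and the callers are outside the hunk, so whether every caller passes allow_untagged with that meaning cannot be confirmed from here.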
diff --git a/queue-4.9/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch b/queue-4.9/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
new file mode 100644 (file)
index 0000000..00c69d9
--- /dev/null
@@ -0,0 +1,49 @@
+From 305856f22471741dbfb4ee02e6f3ebaa496f28ac Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:19 +0200
+Subject: mwifiex: Fix possible buffer overflows at parsing bss descriptor
+
+[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ]
+
+mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
+a couple places without checking the destination size.  Since the
+source is given from user-space, this may trigger a heap buffer
+overflow.
+
+Fix it by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-3846.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 78d59a67f7e1..674ad3405646 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1236,6 +1236,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+               }
+               switch (element_id) {
+               case WLAN_EID_SSID:
++                      if (element_len > IEEE80211_MAX_SSID_LEN)
++                              return -EINVAL;
+                       bss_entry->ssid.ssid_len = element_len;
+                       memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
+                              element_len);
+@@ -1245,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+                       break;
+               case WLAN_EID_SUPP_RATES:
++                      if (element_len > MWIFIEX_SUPPORTED_RATES)
++                              return -EINVAL;
+                       memcpy(bss_entry->data_rates, current_ptr + 2,
+                              element_len);
+                       memcpy(bss_entry->supported_rates, current_ptr + 2,
+-- 
+2.20.1
+
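Review bot: The WLAN_EID_SUPP_RATES check bounds `element_len` once, but two copies follow it, into `bss_entry->data_rates` and `bss_entry->supported_rates`. The fix is therefore complete only if both arrays hold at least MWIFIEX_SUPPORTED_RATES bytes; their declarations are not in the hunk and should be checked. The same goes for the rest of `switch (element_id)`: only the SSID and supported-rates cases are visible, and any other case that copies `element_len` bytes into a fixed-size field needs the same guard. The early `return -EINVAL` is silent, so a rate-limited debug message naming the element id and length would help when triaging malformed scan results. mwifiex_update_bss_desc_with_ie() continues outside both hunks.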
diff --git a/queue-4.9/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch b/queue-4.9/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch
new file mode 100644 (file)
index 0000000..0ff0dfa
--- /dev/null
@@ -0,0 +1,32 @@
+From 8c1b26d996d2b941a9bbbfb545d10105ad0483c9 Mon Sep 17 00:00:00 2001
+From: Lin Yi <teroincn@163.com>
+Date: Mon, 10 Jun 2019 10:16:56 +0800
+Subject: net :sunrpc :clnt :Fix xps refcount imbalance on the error path
+
+[ Upstream commit b96226148491505318228ac52624956bd98f9e0c ]
+
+rpc_clnt_add_xprt take a reference to struct rpc_xprt_switch, but forget
+to release it before return, may lead to a memory leak.
+
+Signed-off-by: Lin Yi <teroincn@163.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/clnt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index 244eac1bd648..de18a463ac96 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2718,6 +2718,7 @@ int rpc_clnt_add_xprt(struct rpc_clnt *clnt,
+       xprt = xprt_iter_xprt(&clnt->cl_xpi);
+       if (xps == NULL || xprt == NULL) {
+               rcu_read_unlock();
++              xprt_switch_put(xps);
+               return -EAGAIN;
+       }
+       resvport = xprt->resvport;
+-- 
+2.20.1
+
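Review bot: The added `xprt_switch_put(xps);` in rpc_clnt_add_xprt() also runs when the branch was taken because `xps == NULL`, so the error path now depends on xprt_switch_put() accepting a NULL pointer. That helper is not shown in the hunk. If it tolerates NULL, a short comment such as `/* xps may be NULL here; xprt_switch_put() handles that */` would stop a later reader from "fixing" it; if it does not, the call needs an `if (xps)` guard. The place where xps takes its reference is above the hunk.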
diff --git a/queue-4.9/netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch b/queue-4.9/netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch
new file mode 100644 (file)
index 0000000..375f062
--- /dev/null
@@ -0,0 +1,59 @@
+From b01b176601e1b467177446e41c0336e75780c799 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Thu, 6 Jun 2019 18:04:00 +0200
+Subject: netfilter: ipv6: nf_defrag: accept duplicate fragments again
+
+[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]
+
+When fixing the skb leak introduced by the conversion to rbtree, I
+forgot about the special case of duplicate fragments. The condition
+under the 'insert_error' label isn't effective anymore as
+nf_ct_frg6_gather() doesn't override the returned value anymore. So
+duplicate fragments now get NF_DROP verdict.
+
+To accept duplicate fragments again, handle them specially as soon as
+inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
+translate to NF_STOLEN verdict, like any accepted fragment. However,
+such packets don't carry any new information and aren't queued, so we
+just drop them immediately.
+
+Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index e6114a6710e0..0b53d1907e4a 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -264,8 +264,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+       prev = fq->q.fragments_tail;
+       err = inet_frag_queue_insert(&fq->q, skb, offset, end);
+-      if (err)
++      if (err) {
++              if (err == IPFRAG_DUP) {
++                      /* No error for duplicates, pretend they got queued. */
++                      kfree_skb(skb);
++                      return -EINPROGRESS;
++              }
+               goto insert_error;
++      }
+       if (dev)
+               fq->iif = dev->ifindex;
+@@ -303,8 +309,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+       return -EINPROGRESS;
+ insert_error:
+-      if (err == IPFRAG_DUP)
+-              goto err;
+       inet_frag_kill(&fq->q);
+ err:
+       skb_dst_drop(skb);
+-- 
+2.20.1
+
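Review bot: The new IPFRAG_DUP branch in nf_ct_frag6_queue() frees the skb and then returns -EINPROGRESS, so the caller is left holding a pointer to freed memory and is safe only because that return value is treated as "stolen". The comment `/* No error for duplicates, pretend they got queued. */` does not say this, and an undocumented ownership rule like this one invites a use-after-free when a later change touches skb after the call. I would spell it out: `/* Duplicate: free it here and return -EINPROGRESS so the caller treats the skb as stolen and never touches it again. */`. Both hunks cut through the function, so its other return paths are not visible.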
diff --git a/queue-4.9/netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch b/queue-4.9/netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch
new file mode 100644 (file)
index 0000000..8f45ff2
--- /dev/null
@@ -0,0 +1,63 @@
+From 7e2258dd1bf79ff272fe2138ff6dcf7ce4ca15c7 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sun, 2 Jun 2019 15:13:47 +0200
+Subject: netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
+
+[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]
+
+With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
+nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
+nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
+after the skb has been added to the fragment queue and
+nf_ct_frag6_gather() was adapted to handle this case.
+
+But nf_ct_frag6_queue() can still fail before the fragment has been
+queued. nf_ct_frag6_gather() can't handle this case anymore, because it
+has no way to know if nf_ct_frag6_queue() queued the fragment before
+failing. If it didn't, the skb is lost as the error code is overwritten
+with -EINPROGRESS.
+
+Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
+that nf_ct_frag6_gather() can propagate the error as is.
+
+Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index 1e1fa99b3243..e6114a6710e0 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -292,7 +292,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
+               skb->_skb_refdst = 0UL;
+               err = nf_ct_frag6_reasm(fq, skb, prev, dev);
+               skb->_skb_refdst = orefdst;
+-              return err;
++
++              /* After queue has assumed skb ownership, only 0 or
++               * -EINPROGRESS must be returned.
++               */
++              return err ? -EINPROGRESS : 0;
+       }
+       skb_dst_drop(skb);
+@@ -480,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
+               ret = 0;
+       }
+-      /* after queue has assumed skb ownership, only 0 or -EINPROGRESS
+-       * must be returned.
+-       */
+-      if (ret)
+-              ret = -EINPROGRESS;
+-
+       spin_unlock_bh(&fq->q.lock);
+       inet_frag_put(&fq->q);
+       return ret;
+-- 
+2.20.1
+
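Review bot: With the override removed from nf_ct_frag6_gather(), every value nf_ct_frag6_queue() returns reaches the caller unchanged, but the ownership rule is documented only inside one branch (`After queue has assumed skb ownership, only 0 or -EINPROGRESS must be returned`). The function's other return statements are outside these hunks, and each of them now has to respect that rule without the caller's safety net. A header comment on nf_ct_frag6_queue() stating which return values mean the queue owns the skb, and which leave it with the caller, would make that checkable in review.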
diff --git a/queue-4.9/samples-bpf-fix-to-change-the-buffer-size-for-read.patch b/queue-4.9/samples-bpf-fix-to-change-the-buffer-size-for-read.patch
new file mode 100644 (file)
index 0000000..d5a3ea5
--- /dev/null
@@ -0,0 +1,43 @@
+From 7ff39dd2339663725de648f06bc855569eb3a018 Mon Sep 17 00:00:00 2001
+From: Chang-Hsien Tsai <luke.tw@gmail.com>
+Date: Sun, 19 May 2019 09:05:44 +0000
+Subject: samples, bpf: fix to change the buffer size for read()
+
+[ Upstream commit f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 ]
+
+If the trace for read is larger than 4096, the return
+value sz will be 4096. This results in off-by-one error
+on buf:
+
+    static char buf[4096];
+    ssize_t sz;
+
+    sz = read(trace_fd, buf, sizeof(buf));
+    if (sz > 0) {
+        buf[sz] = 0;
+        puts(buf);
+    }
+
+Signed-off-by: Chang-Hsien Tsai <luke.tw@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/bpf_load.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index 97913e109b14..99e5a2f63e76 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -369,7 +369,7 @@ void read_trace_pipe(void)
+               static char buf[4096];
+               ssize_t sz;
+-              sz = read(trace_fd, buf, sizeof(buf));
++              sz = read(trace_fd, buf, sizeof(buf) - 1);
+               if (sz > 0) {
+                       buf[sz] = 0;
+                       puts(buf);
+-- 
+2.20.1
+
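Review bot: The `sizeof(buf) - 1` in read_trace_pipe() exists only to leave room for the `buf[sz] = 0;` two lines later, and nothing ties the two together for whoever next resizes the buffer or changes the read call. A comment on the read would do it: `/* read at most sizeof(buf) - 1 bytes so buf[sz] below stays in bounds */`. The visible lines also ignore `sz <= 0`, so a read error is skipped without any report. The enclosing loop is outside the hunk, so whether that can spin is not clear from here.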
index 07977fed2ef551022e42a46cc7f80944993368fd..50da5ec13f399e83fa5b75ffc8188d1ea0cdcefe 100644 (file)
@@ -1 +1,21 @@
 crypto-talitos-rename-alternative-aead-algos.patch
+input-elantech-enable-middle-button-support-on-2-thi.patch
+samples-bpf-fix-to-change-the-buffer-size-for-read.patch
+staging-iio-ad7150-fix-threshold-mode-config-bit.patch
+mac80211-mesh-fix-rcu-warning.patch
+mac80211-free-peer-keys-before-vif-down-in-mesh.patch
+mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
+netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch
+netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch
+dt-bindings-can-mcp251x-add-mcp25625-support.patch
+can-mcp251x-add-support-for-mcp25625.patch
+input-imx_keypad-make-sure-keyboard-can-always-wake-.patch
+kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch
+mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch
+arm-davinci-da850-evm-call-regulator_has_full_constr.patch
+arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch
+mac80211-only-warn-once-on-chanctx_conf-being-null.patch
+md-fix-for-divide-error-in-status_resync.patch
+bnx2x-check-if-transceiver-implements-ddm-before-acc.patch
+ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch
+net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch
diff --git a/queue-4.9/staging-iio-ad7150-fix-threshold-mode-config-bit.patch b/queue-4.9/staging-iio-ad7150-fix-threshold-mode-config-bit.patch
new file mode 100644 (file)
index 0000000..2c501e0
--- /dev/null
@@ -0,0 +1,78 @@
+From 69a065d0ba8f3bac48477f312a193ca73a2d82e3 Mon Sep 17 00:00:00 2001
+From: Melissa Wen <melissa.srw@gmail.com>
+Date: Sat, 18 May 2019 22:04:56 -0300
+Subject: staging:iio:ad7150: fix threshold mode config bit
+
+[ Upstream commit df4d737ee4d7205aaa6275158aeebff87fd14488 ]
+
+According to the AD7150 configuration register description, bit 7 assumes
+value 1 when the threshold mode is fixed and 0 when it is adaptive,
+however, the operation that identifies this mode was considering the
+opposite values.
+
+This patch renames the boolean variable to describe it correctly and
+properly replaces it in the places where it is used.
+
+Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.")
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/iio/cdc/ad7150.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/staging/iio/cdc/ad7150.c b/drivers/staging/iio/cdc/ad7150.c
+index 50a5b0c2cc7b..7ab95efcf1dc 100644
+--- a/drivers/staging/iio/cdc/ad7150.c
++++ b/drivers/staging/iio/cdc/ad7150.c
+@@ -6,6 +6,7 @@
+  * Licensed under the GPL-2 or later.
+  */
++#include <linux/bitfield.h>
+ #include <linux/interrupt.h>
+ #include <linux/device.h>
+ #include <linux/kernel.h>
+@@ -129,7 +130,7 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev,
+ {
+       int ret;
+       u8 threshtype;
+-      bool adaptive;
++      bool thrfixed;
+       struct ad7150_chip_info *chip = iio_priv(indio_dev);
+       ret = i2c_smbus_read_byte_data(chip->client, AD7150_CFG);
+@@ -137,21 +138,23 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev,
+               return ret;
+       threshtype = (ret >> 5) & 0x03;
+-      adaptive = !!(ret & 0x80);
++
++      /*check if threshold mode is fixed or adaptive*/
++      thrfixed = FIELD_GET(AD7150_CFG_FIX, ret);
+       switch (type) {
+       case IIO_EV_TYPE_MAG_ADAPTIVE:
+               if (dir == IIO_EV_DIR_RISING)
+-                      return adaptive && (threshtype == 0x1);
+-              return adaptive && (threshtype == 0x0);
++                      return !thrfixed && (threshtype == 0x1);
++              return !thrfixed && (threshtype == 0x0);
+       case IIO_EV_TYPE_THRESH_ADAPTIVE:
+               if (dir == IIO_EV_DIR_RISING)
+-                      return adaptive && (threshtype == 0x3);
+-              return adaptive && (threshtype == 0x2);
++                      return !thrfixed && (threshtype == 0x3);
++              return !thrfixed && (threshtype == 0x2);
+       case IIO_EV_TYPE_THRESH:
+               if (dir == IIO_EV_DIR_RISING)
+-                      return !adaptive && (threshtype == 0x1);
+-              return !adaptive && (threshtype == 0x0);
++                      return thrfixed && (threshtype == 0x1);
++              return thrfixed && (threshtype == 0x0);
+       default:
+               break;
+       }
+-- 
+2.20.1
+
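Review bot: The new comment `/*check if threshold mode is fixed or adaptive*/` in ad7150_read_event_config() does not state the bit polarity, which is what this fix corrects, and it lacks the spaces inside the delimiters that kernel style uses. Something like `/* CFG bit 7: 1 = fixed threshold mode, 0 = adaptive */` records what the description says about the register. The line above still decodes `threshtype` with a raw `(ret >> 5) & 0x03` while the new line uses FIELD_GET(). AD7150_CFG_FIX and any mask for the threshold-type field are defined outside the hunk, so I cannot tell whether a matching mask already exists.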