--- /dev/null
+From 69e2ee73bed7fb58b4c782a0f80fd8142346c1e3 Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Tue, 9 Jul 2019 15:44:50 -0700
+Subject: Bluetooth: btqca: Add a short delay before downloading the NVM
+
+[ Upstream commit 8059ba0bd0e4694e51c2ee6438a77b325f06c0d5 ]
+
+On WCN3990 downloading the NVM sometimes fails with a "TLV response
+size mismatch" error:
+
+[ 174.949955] Bluetooth: btqca.c:qca_download_firmware() hci0: QCA Downloading qca/crnv21.bin
+[ 174.958718] Bluetooth: btqca.c:qca_tlv_send_segment() hci0: QCA TLV response size mismatch
+
+It seems the controller needs a short time after downloading the
+firmware before it is ready for the NVM. A delay as short as 1 ms
+seems sufficient, make it 10 ms just in case. No event is received
+during the delay, hence we don't just silently drop an extra event.
+
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 0bbdfcef2aa84..a48a61f22f823 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -363,6 +363,9 @@ int qca_uart_setup_rome(struct hci_dev *hdev, uint8_t baudrate)
+ return err;
+ }
+
++ /* Give the controller some time to get ready to receive the NVM */
++ msleep(10);
++
+ /* Download NVM configuration */
+ config.type = TLV_TYPE_NVM;
+ snprintf(config.fwname, sizeof(config.fwname), "qca/nvm_%08x.bin",
+--
+2.20.1
+
--- /dev/null
+From 123b79c331482d3fa1b0efc2c7421e06c5630c5d Mon Sep 17 00:00:00 2001
+From: Fabian Henneke <fabian.henneke@gmail.com>
+Date: Mon, 15 Jul 2019 19:40:56 +0200
+Subject: Bluetooth: hidp: Let hidp_send_message return number of queued bytes
+
+[ Upstream commit 48d9cc9d85dde37c87abb7ac9bbec6598ba44b56 ]
+
+Let hidp_send_message return the number of successfully queued bytes
+instead of an unconditional 0.
+
+With the return value fixed to 0, other drivers relying on hidp, such as
+hidraw, can not return meaningful values from their respective
+implementations of write(). In particular, with the current behavior, a
+hidraw device's write() will have different return values depending on
+whether the device is connected via USB or Bluetooth, which makes it
+harder to abstract away the transport layer.
+
+Signed-off-by: Fabian Henneke <fabian.henneke@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index b21fcc838784d..f6bffb3a95116 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -101,6 +101,7 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock,
+ {
+ struct sk_buff *skb;
+ struct sock *sk = sock->sk;
++ int ret;
+
+ BT_DBG("session %p data %p size %d", session, data, size);
+
+@@ -114,13 +115,17 @@ static int hidp_send_message(struct hidp_session *session, struct socket *sock,
+ }
+
+ skb_put_u8(skb, hdr);
+- if (data && size > 0)
++ if (data && size > 0) {
+ skb_put_data(skb, data, size);
++ ret = size;
++ } else {
++ ret = 0;
++ }
+
+ skb_queue_tail(transmit, skb);
+ wake_up_interruptible(sk_sleep(sk));
+
+- return 0;
++ return ret;
+ }
+
+ static int hidp_send_ctrl_message(struct hidp_session *session,
+--
+2.20.1
+
--- /dev/null
+From 689f220518df4fcf846d5dcf68fcb45b06a47a51 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:20 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
+
+[ Upstream commit 86968ef21596515958d5f0a40233d02be78ecec0 ]
+
+Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the
+i_xattrs.prealloc_blob buffer while holding the i_ceph_lock. This can be
+fixed by postponing the call until later, when the lock is released.
+
+The following backtrace was triggered by fstests generic/117.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress
+ 3 locks held by fsstress/650:
+ #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50
+ #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0
+ #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810
+ CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ __ceph_setxattr+0x2b4/0x810
+ __vfs_setxattr+0x66/0x80
+ __vfs_setxattr_noperm+0x59/0xf0
+ vfs_setxattr+0x81/0xa0
+ setxattr+0x115/0x230
+ ? filename_lookup+0xc9/0x140
+ ? rcu_read_lock_sched_held+0x74/0x80
+ ? rcu_sync_lockdep_assert+0x2e/0x60
+ ? __sb_start_write+0x142/0x1a0
+ ? mnt_want_write+0x20/0x50
+ path_setxattr+0xba/0xd0
+ __x64_sys_lsetxattr+0x24/0x30
+ do_syscall_64+0x50/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7ff23514359a
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/xattr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 0376db8a74f85..932c6cdc22d66 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -955,6 +955,7 @@ int __ceph_setxattr(struct inode *inode, const char *name,
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
+ struct ceph_cap_flush *prealloc_cf = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ int issued;
+ int err;
+ int dirty = 0;
+@@ -1023,13 +1024,15 @@ retry:
+ struct ceph_buffer *blob;
+
+ spin_unlock(&ci->i_ceph_lock);
+- dout(" preaallocating new blob size=%d\n", required_blob_size);
++ ceph_buffer_put(old_blob); /* Shouldn't be required */
++ dout(" pre-allocating new blob size=%d\n", required_blob_size);
+ blob = ceph_buffer_new(required_blob_size, GFP_NOFS);
+ if (!blob)
+ goto do_sync_unlocked;
+ spin_lock(&ci->i_ceph_lock);
++ /* prealloc_blob can't be released while holding i_ceph_lock */
+ if (ci->i_xattrs.prealloc_blob)
+- ceph_buffer_put(ci->i_xattrs.prealloc_blob);
++ old_blob = ci->i_xattrs.prealloc_blob;
+ ci->i_xattrs.prealloc_blob = blob;
+ goto retry;
+ }
+@@ -1045,6 +1048,7 @@ retry:
+ }
+
+ spin_unlock(&ci->i_ceph_lock);
++ ceph_buffer_put(old_blob);
+ if (lock_snap_rwsem)
+ up_read(&mdsc->snap_rwsem);
+ if (dirty)
+--
+2.20.1
+
--- /dev/null
+From d786e441b9f25853a4396bb609b4f4c7df0849e7 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:21 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in
+ __ceph_build_xattrs_blob()
+
+[ Upstream commit 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8 ]
+
+Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
+freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can
+be fixed by having this function returning the old blob buffer and have
+the callers of this function freeing it when the lock is released.
+
+The following backtrace was triggered by fstests generic/117.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
+ 4 locks held by fsstress/649:
+ #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
+ #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
+ #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
+ #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
+ CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ __ceph_build_xattrs_blob+0x12b/0x170
+ __send_cap+0x302/0x540
+ ? __lock_acquire+0x23c/0x1e40
+ ? __mark_caps_flushing+0x15c/0x280
+ ? _raw_spin_unlock+0x24/0x30
+ ceph_check_caps+0x5f0/0xc60
+ ceph_flush_dirty_caps+0x7c/0x150
+ ? __ia32_sys_fdatasync+0x20/0x20
+ ceph_sync_fs+0x5a/0x130
+ iterate_supers+0x8f/0xf0
+ ksys_sync+0x4f/0xb0
+ __ia32_sys_sync+0xa/0x10
+ do_syscall_64+0x50/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7fc6409ab617
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/caps.c | 5 ++++-
+ fs/ceph/snap.c | 4 +++-
+ fs/ceph/super.h | 2 +-
+ fs/ceph/xattr.c | 11 ++++++++---
+ 4 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 238d24348a98a..df95e39ccd45b 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1162,6 +1162,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
+ {
+ struct ceph_inode_info *ci = cap->ci;
+ struct inode *inode = &ci->vfs_inode;
++ struct ceph_buffer *old_blob = NULL;
+ struct cap_msg_args arg;
+ int held, revoking, dropping;
+ int wake = 0;
+@@ -1227,7 +1228,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
+ ci->i_requested_max_size = arg.max_size;
+
+ if (flushing & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ arg.xattr_version = ci->i_xattrs.version;
+ arg.xattr_buf = ci->i_xattrs.blob;
+ } else {
+@@ -1262,6 +1263,8 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
+
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
++
+ ret = send_cap_msg(&arg);
+ if (ret < 0) {
+ dout("error sending cap msg, must requeue %p\n", inode);
+diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
+index a7e763dac0385..29ed1688a1d3a 100644
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -460,6 +460,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
+ struct inode *inode = &ci->vfs_inode;
+ struct ceph_cap_snap *capsnap;
+ struct ceph_snap_context *old_snapc, *new_snapc;
++ struct ceph_buffer *old_blob = NULL;
+ int used, dirty;
+
+ capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS);
+@@ -536,7 +537,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
+ capsnap->gid = inode->i_gid;
+
+ if (dirty & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ capsnap->xattr_blob =
+ ceph_buffer_get(ci->i_xattrs.blob);
+ capsnap->xattr_version = ci->i_xattrs.version;
+@@ -579,6 +580,7 @@ update_snapc:
+ }
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
+ kfree(capsnap);
+ ceph_put_snap_context(old_snapc);
+ }
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 60b70f0985f67..46f600107cb5b 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -835,7 +835,7 @@ extern int ceph_getattr(const struct path *path, struct kstat *stat,
+ int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int);
+ ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
+ extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
+-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
++extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+ extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
+ extern void __init ceph_xattr_init(void);
+ extern void ceph_xattr_exit(void);
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 932c6cdc22d66..3a166f860b6cf 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -681,12 +681,15 @@ static int __get_required_blob_size(struct ceph_inode_info *ci, int name_size,
+
+ /*
+ * If there are dirty xattrs, reencode xattrs into the prealloc_blob
+- * and swap into place.
++ * and swap into place. It returns the old i_xattrs.blob (or NULL) so
++ * that it can be freed by the caller as the i_ceph_lock is likely to be
++ * held.
+ */
+-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
++struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+ {
+ struct rb_node *p;
+ struct ceph_inode_xattr *xattr = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ void *dest;
+
+ dout("__build_xattrs_blob %p\n", &ci->vfs_inode);
+@@ -717,12 +720,14 @@ void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+ dest - ci->i_xattrs.prealloc_blob->vec.iov_base;
+
+ if (ci->i_xattrs.blob)
+- ceph_buffer_put(ci->i_xattrs.blob);
++ old_blob = ci->i_xattrs.blob;
+ ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob;
+ ci->i_xattrs.prealloc_blob = NULL;
+ ci->i_xattrs.dirty = false;
+ ci->i_xattrs.version++;
+ }
++
++ return old_blob;
+ }
+
+ static inline int __get_request_mask(struct inode *in) {
+--
+2.20.1
+
--- /dev/null
+From 46569d9b25ab5994b2cc7234f63564a7e3f1550a Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:22 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in fill_inode()
+
+[ Upstream commit af8a85a41734f37b67ba8ce69d56b685bee4ac48 ]
+
+Calling ceph_buffer_put() in fill_inode() may result in freeing the
+i_xattrs.blob buffer while holding the i_ceph_lock. This can be fixed by
+postponing the call until later, when the lock is released.
+
+The following backtrace was triggered by fstests generic/070.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4
+ 6 locks held by kworker/0:4/3852:
+ #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0
+ #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0
+ #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476
+ #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476
+ #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476
+ #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70
+ CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Workqueue: ceph-msgr ceph_con_workfn
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ fill_inode.isra.0+0xa9b/0xf70
+ ceph_fill_trace+0x13b/0xc70
+ ? dispatch+0x2eb/0x1476
+ dispatch+0x320/0x1476
+ ? __mutex_unlock_slowpath+0x4d/0x2a0
+ ceph_con_workfn+0xc97/0x2ec0
+ ? process_one_work+0x1b8/0x5f0
+ process_one_work+0x244/0x5f0
+ worker_thread+0x4d/0x3e0
+ kthread+0x105/0x140
+ ? process_one_work+0x5f0/0x5f0
+ ? kthread_park+0x90/0x90
+ ret_from_fork+0x3a/0x50
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index f2b722f0df5d0..9bda8c7a80a05 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -730,6 +730,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
+ int issued = 0, implemented, new_issued;
+ struct timespec mtime, atime, ctime;
+ struct ceph_buffer *xattr_blob = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ struct ceph_string *pool_ns = NULL;
+ struct ceph_cap *new_cap = NULL;
+ int err = 0;
+@@ -847,7 +848,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
+ if ((ci->i_xattrs.version == 0 || !(issued & CEPH_CAP_XATTR_EXCL)) &&
+ le64_to_cpu(info->xattr_version) > ci->i_xattrs.version) {
+ if (ci->i_xattrs.blob)
+- ceph_buffer_put(ci->i_xattrs.blob);
++ old_blob = ci->i_xattrs.blob;
+ ci->i_xattrs.blob = xattr_blob;
+ if (xattr_blob)
+ memcpy(ci->i_xattrs.blob->vec.iov_base,
+@@ -993,8 +994,8 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
+ out:
+ if (new_cap)
+ ceph_put_cap(mdsc, new_cap);
+- if (xattr_blob)
+- ceph_buffer_put(xattr_blob);
++ ceph_buffer_put(old_blob);
++ ceph_buffer_put(xattr_blob);
+ ceph_put_string(pool_ns);
+ return err;
+ }
+--
+2.20.1
+
--- /dev/null
+From e3ff8a4d600ed4560a382ecf8f32517204544ea6 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Wed, 14 Aug 2019 13:03:38 -0500
+Subject: cx82310_eth: fix a memory leak bug
+
+[ Upstream commit 1eca92eef18719027d394bf1a2d276f43e7cf886 ]
+
+In cx82310_bind(), 'dev->partial_data' is allocated through kmalloc().
+Then, the execution waits for the firmware to become ready. If the firmware
+is not ready in time, the execution is terminated. However, the allocated
+'dev->partial_data' is not deallocated on this path, leading to a memory
+leak bug. To fix this issue, free 'dev->partial_data' before returning the
+error.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cx82310_eth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
+index 947bea81d9241..dfbdea22fbad9 100644
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -175,7 +175,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+ }
+ if (!timeout) {
+ dev_err(&udev->dev, "firmware not ready in time\n");
+- return -ETIMEDOUT;
++ ret = -ETIMEDOUT;
++ goto err;
+ }
+
+ /* enable ethernet mode (?) */
+--
+2.20.1
+
--- /dev/null
+From eead8b6d632d47ec0c1d467d7696a6fd7bda6489 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Tue, 13 Aug 2019 04:18:52 -0500
+Subject: cxgb4: fix a memory leak bug
+
+[ Upstream commit c554336efa9bbc28d6ec14efbee3c7d63c61a34f ]
+
+In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
+leading to a memory leak bug. To fix this issue, free t before returning
+the error.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+index 76540b0e082d3..9e5cd18e7358c 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+@@ -2777,8 +2777,10 @@ static ssize_t blocked_fl_write(struct file *filp, const char __user *ubuf,
+ return -ENOMEM;
+
+ err = bitmap_parse_user(ubuf, count, t, adap->sge.egr_sz);
+- if (err)
++ if (err) {
++ kvfree(t);
+ return err;
++ }
+
+ bitmap_copy(adap->sge.blocked_fl, t, adap->sge.egr_sz);
+ kvfree(t);
+--
+2.20.1
+
--- /dev/null
+From dec00efaad8c15569d854146d2f2292bb0ae1bf7 Mon Sep 17 00:00:00 2001
+From: Alexandre Courbot <acourbot@chromium.org>
+Date: Mon, 29 Jul 2019 14:33:35 +0900
+Subject: drm/mediatek: set DMA max segment size
+
+[ Upstream commit 070955558e820b9a89c570b91b1f21762f62b288 ]
+
+This driver requires imported PRIME buffers to appear contiguously in
+its IO address space. Make sure this is the case by setting the maximum
+DMA segment size to a more suitable value than the default 64KB.
+
+Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 35 ++++++++++++++++++++++++--
+ drivers/gpu/drm/mediatek/mtk_drm_drv.h | 2 ++
+ 2 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+index 4a89cd2e4f1c5..034b50080304f 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -185,6 +185,7 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+ struct mtk_drm_private *private = drm->dev_private;
+ struct platform_device *pdev;
+ struct device_node *np;
++ struct device *dma_dev;
+ int ret;
+
+ if (!iommu_present(&platform_bus_type))
+@@ -242,7 +243,29 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+ goto err_component_unbind;
+ }
+
+- private->dma_dev = &pdev->dev;
++ dma_dev = &pdev->dev;
++ private->dma_dev = dma_dev;
++
++ /*
++ * Configure the DMA segment size to make sure we get contiguous IOVA
++ * when importing PRIME buffers.
++ */
++ if (!dma_dev->dma_parms) {
++ private->dma_parms_allocated = true;
++ dma_dev->dma_parms =
++ devm_kzalloc(drm->dev, sizeof(*dma_dev->dma_parms),
++ GFP_KERNEL);
++ }
++ if (!dma_dev->dma_parms) {
++ ret = -ENOMEM;
++ goto err_component_unbind;
++ }
++
++ ret = dma_set_max_seg_size(dma_dev, (unsigned int)DMA_BIT_MASK(32));
++ if (ret) {
++ dev_err(dma_dev, "Failed to set DMA segment size\n");
++ goto err_unset_dma_parms;
++ }
+
+ /*
+ * We don't use the drm_irq_install() helpers provided by the DRM
+@@ -252,13 +275,16 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+ drm->irq_enabled = true;
+ ret = drm_vblank_init(drm, MAX_CRTC);
+ if (ret < 0)
+- goto err_component_unbind;
++ goto err_unset_dma_parms;
+
+ drm_kms_helper_poll_init(drm);
+ drm_mode_config_reset(drm);
+
+ return 0;
+
++err_unset_dma_parms:
++ if (private->dma_parms_allocated)
++ dma_dev->dma_parms = NULL;
+ err_component_unbind:
+ component_unbind_all(drm->dev, drm);
+ err_config_cleanup:
+@@ -269,9 +295,14 @@ err_config_cleanup:
+
+ static void mtk_drm_kms_deinit(struct drm_device *drm)
+ {
++ struct mtk_drm_private *private = drm->dev_private;
++
+ drm_kms_helper_poll_fini(drm);
+ drm_atomic_helper_shutdown(drm);
+
++ if (private->dma_parms_allocated)
++ private->dma_dev->dma_parms = NULL;
++
+ component_unbind_all(drm->dev, drm);
+ drm_mode_config_cleanup(drm);
+ }
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.h b/drivers/gpu/drm/mediatek/mtk_drm_drv.h
+index c3378c452c0a0..445dd45e65ebc 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.h
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.h
+@@ -56,6 +56,8 @@ struct mtk_drm_private {
+ } commit;
+
+ struct drm_atomic_state *suspend_state;
++
++ bool dma_parms_allocated;
+ };
+
+ extern struct platform_driver mtk_ddp_driver;
+--
+2.20.1
+
--- /dev/null
+From 968eddfac10a06bcfca1bfa710b1433f6b59fa84 Mon Sep 17 00:00:00 2001
+From: Alexandre Courbot <acourbot@chromium.org>
+Date: Mon, 29 Jul 2019 14:33:34 +0900
+Subject: drm/mediatek: use correct device to import PRIME buffers
+
+[ Upstream commit 4c6f3196e6ea111c456c6086dc3f57d4706b0b2d ]
+
+PRIME buffers should be imported using the DMA device. To this end, use
+a custom import function that mimics drm_gem_prime_import_dev(), but
+passes the correct device.
+
+Fixes: 119f5173628aa ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
+Signed-off-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+index cada1c75c41cd..4a89cd2e4f1c5 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -287,6 +287,18 @@ static const struct file_operations mtk_drm_fops = {
+ .compat_ioctl = drm_compat_ioctl,
+ };
+
++/*
++ * We need to override this because the device used to import the memory is
++ * not dev->dev, as drm_gem_prime_import() expects.
++ */
++struct drm_gem_object *mtk_drm_gem_prime_import(struct drm_device *dev,
++ struct dma_buf *dma_buf)
++{
++ struct mtk_drm_private *private = dev->dev_private;
++
++ return drm_gem_prime_import_dev(dev, dma_buf, private->dma_dev);
++}
++
+ static struct drm_driver mtk_drm_driver = {
+ .driver_features = DRIVER_MODESET | DRIVER_GEM | DRIVER_PRIME |
+ DRIVER_ATOMIC,
+@@ -298,7 +310,7 @@ static struct drm_driver mtk_drm_driver = {
+ .prime_handle_to_fd = drm_gem_prime_handle_to_fd,
+ .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
+ .gem_prime_export = drm_gem_prime_export,
+- .gem_prime_import = drm_gem_prime_import,
++ .gem_prime_import = mtk_drm_gem_prime_import,
+ .gem_prime_get_sg_table = mtk_gem_prime_get_sg_table,
+ .gem_prime_import_sg_table = mtk_gem_prime_import_sg_table,
+ .gem_prime_mmap = mtk_drm_gem_mmap_buf,
+--
+2.20.1
+
--- /dev/null
+From 16241bea3753c2627d26a596b23c3372d9a591a0 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 31 Jul 2019 20:38:14 +0800
+Subject: gpio: Fix build error of function redefinition
+
+[ Upstream commit 68e03b85474a51ec1921b4d13204782594ef7223 ]
+
+when do randbuilding, I got this error:
+
+In file included from drivers/hwmon/pmbus/ucd9000.c:19:0:
+./include/linux/gpio/driver.h:576:1: error: redefinition of gpiochip_add_pin_range
+ gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
+ ^~~~~~~~~~~~~~~~~~~~~~
+In file included from drivers/hwmon/pmbus/ucd9000.c:18:0:
+./include/linux/gpio.h:245:1: note: previous definition of gpiochip_add_pin_range was here
+ gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
+ ^~~~~~~~~~~~~~~~~~~~~~
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 964cb341882f ("gpio: move pincontrol calls to <linux/gpio/driver.h>")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20190731123814.46624-1-yuehaibing@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/gpio.h | 24 ------------------------
+ 1 file changed, 24 deletions(-)
+
+diff --git a/include/linux/gpio.h b/include/linux/gpio.h
+index 8ef7fc0ce0f0c..b2f103b170a97 100644
+--- a/include/linux/gpio.h
++++ b/include/linux/gpio.h
+@@ -230,30 +230,6 @@ static inline int irq_to_gpio(unsigned irq)
+ return -EINVAL;
+ }
+
+-static inline int
+-gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
+- unsigned int gpio_offset, unsigned int pin_offset,
+- unsigned int npins)
+-{
+- WARN_ON(1);
+- return -EINVAL;
+-}
+-
+-static inline int
+-gpiochip_add_pingroup_range(struct gpio_chip *chip,
+- struct pinctrl_dev *pctldev,
+- unsigned int gpio_offset, const char *pin_group)
+-{
+- WARN_ON(1);
+- return -EINVAL;
+-}
+-
+-static inline void
+-gpiochip_remove_pin_ranges(struct gpio_chip *chip)
+-{
+- WARN_ON(1);
+-}
+-
+ static inline int devm_gpio_request(struct device *dev, unsigned gpio,
+ const char *label)
+ {
+--
+2.20.1
+
--- /dev/null
+From fe592e2e59e92a8c9db31111343172552a77abab Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 12 Aug 2019 18:04:44 +0200
+Subject: HID: cp2112: prevent sleeping function called from invalid context
+
+[ Upstream commit 2d05dba2b25ecb0f8fc3a0b4eb2232da6454a47b ]
+
+When calling request_threaded_irq() with a CP2112, the function
+cp2112_gpio_irq_startup() is called in a IRQ context.
+
+Therefore we can not sleep, and we can not call
+cp2112_gpio_direction_input() there.
+
+Move the call to cp2112_gpio_direction_input() earlier to have a working
+driver.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-cp2112.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
+index 4e940a096b2ac..abf1079457664 100644
+--- a/drivers/hid/hid-cp2112.c
++++ b/drivers/hid/hid-cp2112.c
+@@ -1149,8 +1149,6 @@ static unsigned int cp2112_gpio_irq_startup(struct irq_data *d)
+
+ INIT_DELAYED_WORK(&dev->gpio_poll_worker, cp2112_gpio_poll_callback);
+
+- cp2112_gpio_direction_input(gc, d->hwirq);
+-
+ if (!dev->gpio_poll) {
+ dev->gpio_poll = true;
+ schedule_delayed_work(&dev->gpio_poll_worker, 0);
+@@ -1198,6 +1196,12 @@ static int __maybe_unused cp2112_allocate_irq(struct cp2112_device *dev,
+ return PTR_ERR(dev->desc[pin]);
+ }
+
++ ret = cp2112_gpio_direction_input(&dev->gc, pin);
++ if (ret < 0) {
++ dev_err(dev->gc.parent, "Failed to set GPIO to input dir\n");
++ goto err_desc;
++ }
++
+ ret = gpiochip_lock_as_irq(&dev->gc, pin);
+ if (ret) {
+ dev_err(dev->gc.parent, "Failed to lock GPIO as interrupt\n");
+--
+2.20.1
+
--- /dev/null
+From 4357e7f3330f7563865ccd1d1302cb81ca2d858a Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Fri, 9 Aug 2019 01:58:08 +0000
+Subject: hv_netvsc: Fix a warning of suspicious RCU usage
+
+[ Upstream commit 6d0d779dca73cd5acb649c54f81401f93098b298 ]
+
+This fixes a warning of "suspicious rcu_dereference_check() usage"
+when nload runs.
+
+Fixes: 776e726bfb34 ("netvsc: fix RCU warning in get_stats")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index eb92720dd1c4a..33c1f6548fb79 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1170,12 +1170,15 @@ static void netvsc_get_stats64(struct net_device *net,
+ struct rtnl_link_stats64 *t)
+ {
+ struct net_device_context *ndev_ctx = netdev_priv(net);
+- struct netvsc_device *nvdev = rcu_dereference_rtnl(ndev_ctx->nvdev);
++ struct netvsc_device *nvdev;
+ struct netvsc_vf_pcpu_stats vf_tot;
+ int i;
+
++ rcu_read_lock();
++
++ nvdev = rcu_dereference(ndev_ctx->nvdev);
+ if (!nvdev)
+- return;
++ goto out;
+
+ netdev_stats_to_stats64(t, &net->stats);
+
+@@ -1214,6 +1217,8 @@ static void netvsc_get_stats64(struct net_device *net,
+ t->rx_packets += packets;
+ t->multicast += multicast;
+ }
++out:
++ rcu_read_unlock();
+ }
+
+ static int netvsc_set_mac_addr(struct net_device *ndev, void *p)
+--
+2.20.1
+
--- /dev/null
+From cf9770f20fd1802c998b560aa28da0ea7d0e5863 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Sun, 18 Aug 2019 15:23:01 -0500
+Subject: IB/mlx4: Fix memory leaks
+
+[ Upstream commit 5c1baaa82cea2c815a5180ded402a7cd455d1810 ]
+
+In mlx4_ib_alloc_pv_bufs(), 'tun_qp->tx_ring' is allocated through
+kcalloc(). However, it is not always deallocated in the following execution
+if an error occurs, leading to memory leaks. To fix this issue, free
+'tun_qp->tx_ring' whenever an error occurs.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Acked-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/1566159781-4642-1-git-send-email-wenwen@cs.uga.edu
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/mad.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
+index d604b3d5aa3e4..c69158ccab822 100644
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -1680,8 +1680,6 @@ tx_err:
+ tx_buf_size, DMA_TO_DEVICE);
+ kfree(tun_qp->tx_ring[i].buf.addr);
+ }
+- kfree(tun_qp->tx_ring);
+- tun_qp->tx_ring = NULL;
+ i = MLX4_NUM_TUNNEL_BUFS;
+ err:
+ while (i > 0) {
+@@ -1690,6 +1688,8 @@ err:
+ rx_buf_size, DMA_FROM_DEVICE);
+ kfree(tun_qp->ring[i].addr);
+ }
++ kfree(tun_qp->tx_ring);
++ tun_qp->tx_ring = NULL;
+ kfree(tun_qp->ring);
+ tun_qp->ring = NULL;
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From 052eef3a5cc5c172c49e8f8382c4f3e57ac34471 Mon Sep 17 00:00:00 2001
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Mon, 12 Aug 2019 16:13:06 -0500
+Subject: ibmveth: Convert multicast list size for little-endian system
+
+[ Upstream commit 66cf4710b23ab2adda11155684a2c8826f4fe732 ]
+
+The ibm,mac-address-filters property defines the maximum number of
+addresses the hypervisor's multicast filter list can support. It is
+encoded as a big-endian integer in the OF device tree, but the virtual
+ethernet driver does not convert it for use by little-endian systems.
+As a result, the driver is not behaving as it should on affected systems
+when a large number of multicast addresses are assigned to the device.
+
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
+index 754dff4c1771e..880d925438c17 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1618,7 +1618,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
+ struct net_device *netdev;
+ struct ibmveth_adapter *adapter;
+ unsigned char *mac_addr_p;
+- unsigned int *mcastFilterSize_p;
++ __be32 *mcastFilterSize_p;
+ long ret;
+ unsigned long ret_attr;
+
+@@ -1640,8 +1640,9 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
+ return -EINVAL;
+ }
+
+- mcastFilterSize_p = (unsigned int *)vio_get_attribute(dev,
+- VETH_MCAST_FILTER_SIZE, NULL);
++ mcastFilterSize_p = (__be32 *)vio_get_attribute(dev,
++ VETH_MCAST_FILTER_SIZE,
++ NULL);
+ if (!mcastFilterSize_p) {
+ dev_err(&dev->dev, "Can't find VETH_MCAST_FILTER_SIZE "
+ "attribute\n");
+@@ -1658,7 +1659,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
+
+ adapter->vdev = dev;
+ adapter->netdev = netdev;
+- adapter->mcastFilterSize = *mcastFilterSize_p;
++ adapter->mcastFilterSize = be32_to_cpu(*mcastFilterSize_p);
+ adapter->pool_config = 0;
+
+ netif_napi_add(netdev, &adapter->napi, ibmveth_poll, 16);
+--
+2.20.1
+
--- /dev/null
+From 8a31856b83b00ab77ee5cd9f68896f33bc671645 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Tue, 20 Aug 2019 03:01:23 +0000
+Subject: Input: hyperv-keyboard: Use in-place iterator API in the channel
+ callback
+
+[ Upstream commit d09bc83640d524b8467a660db7b1d15e6562a1de ]
+
+Simplify the ring buffer handling with the in-place API.
+
+Also avoid the dynamic allocation and the memory leak in the channel
+callback function.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/hyperv-keyboard.c | 35 +++++----------------------
+ 1 file changed, 6 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/input/serio/hyperv-keyboard.c b/drivers/input/serio/hyperv-keyboard.c
+index 55288a026e4e2..c137ffa6fdec8 100644
+--- a/drivers/input/serio/hyperv-keyboard.c
++++ b/drivers/input/serio/hyperv-keyboard.c
+@@ -245,40 +245,17 @@ static void hv_kbd_handle_received_packet(struct hv_device *hv_dev,
+
+ static void hv_kbd_on_channel_callback(void *context)
+ {
++ struct vmpacket_descriptor *desc;
+ struct hv_device *hv_dev = context;
+- void *buffer;
+- int bufferlen = 0x100; /* Start with sensible size */
+ u32 bytes_recvd;
+ u64 req_id;
+- int error;
+
+- buffer = kmalloc(bufferlen, GFP_ATOMIC);
+- if (!buffer)
+- return;
+-
+- while (1) {
+- error = vmbus_recvpacket_raw(hv_dev->channel, buffer, bufferlen,
+- &bytes_recvd, &req_id);
+- switch (error) {
+- case 0:
+- if (bytes_recvd == 0) {
+- kfree(buffer);
+- return;
+- }
+-
+- hv_kbd_handle_received_packet(hv_dev, buffer,
+- bytes_recvd, req_id);
+- break;
++ foreach_vmbus_pkt(desc, hv_dev->channel) {
++ bytes_recvd = desc->len8 * 8;
++ req_id = desc->trans_id;
+
+- case -ENOBUFS:
+- kfree(buffer);
+- /* Handle large packet */
+- bufferlen = bytes_recvd;
+- buffer = kmalloc(bytes_recvd, GFP_ATOMIC);
+- if (!buffer)
+- return;
+- break;
+- }
++ hv_kbd_handle_received_packet(hv_dev, desc, bytes_recvd,
++ req_id);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From b33cfd15b7f55d5e8d1f4f1820153b0bc1a8e1a9 Mon Sep 17 00:00:00 2001
+From: Andrea Righi <andrea.righi@canonical.com>
+Date: Mon, 12 Aug 2019 20:43:02 +0200
+Subject: kprobes: Fix potential deadlock in kprobe_optimizer()
+
+[ Upstream commit f1c6ece23729257fb46562ff9224cf5f61b818da ]
+
+lockdep reports the following deadlock scenario:
+
+ WARNING: possible circular locking dependency detected
+
+ kworker/1:1/48 is trying to acquire lock:
+ 000000008d7a62b2 (text_mutex){+.+.}, at: kprobe_optimizer+0x163/0x290
+
+ but task is already holding lock:
+ 00000000850b5e2d (module_mutex){+.+.}, at: kprobe_optimizer+0x31/0x290
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (module_mutex){+.+.}:
+ __mutex_lock+0xac/0x9f0
+ mutex_lock_nested+0x1b/0x20
+ set_all_modules_text_rw+0x22/0x90
+ ftrace_arch_code_modify_prepare+0x1c/0x20
+ ftrace_run_update_code+0xe/0x30
+ ftrace_startup_enable+0x2e/0x50
+ ftrace_startup+0xa7/0x100
+ register_ftrace_function+0x27/0x70
+ arm_kprobe+0xb3/0x130
+ enable_kprobe+0x83/0xa0
+ enable_trace_kprobe.part.0+0x2e/0x80
+ kprobe_register+0x6f/0xc0
+ perf_trace_event_init+0x16b/0x270
+ perf_kprobe_init+0xa7/0xe0
+ perf_kprobe_event_init+0x3e/0x70
+ perf_try_init_event+0x4a/0x140
+ perf_event_alloc+0x93a/0xde0
+ __do_sys_perf_event_open+0x19f/0xf30
+ __x64_sys_perf_event_open+0x20/0x30
+ do_syscall_64+0x65/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ -> #0 (text_mutex){+.+.}:
+ __lock_acquire+0xfcb/0x1b60
+ lock_acquire+0xca/0x1d0
+ __mutex_lock+0xac/0x9f0
+ mutex_lock_nested+0x1b/0x20
+ kprobe_optimizer+0x163/0x290
+ process_one_work+0x22b/0x560
+ worker_thread+0x50/0x3c0
+ kthread+0x112/0x150
+ ret_from_fork+0x3a/0x50
+
+ other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(module_mutex);
+ lock(text_mutex);
+ lock(module_mutex);
+ lock(text_mutex);
+
+ *** DEADLOCK ***
+
+As a reproducer I've been using bcc's funccount.py
+(https://github.com/iovisor/bcc/blob/master/tools/funccount.py),
+for example:
+
+ # ./funccount.py '*interrupt*'
+
+That immediately triggers the lockdep splat.
+
+Fix by acquiring text_mutex before module_mutex in kprobe_optimizer().
+
+Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: d5b844a2cf50 ("ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()")
+Link: http://lkml.kernel.org/r/20190812184302.GA7010@xps-13
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kprobes.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index ec11bb986a8b4..c43bc2bc5b2ca 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -483,6 +483,7 @@ static DECLARE_DELAYED_WORK(optimizing_work, kprobe_optimizer);
+ */
+ static void do_optimize_kprobes(void)
+ {
++ lockdep_assert_held(&text_mutex);
+ /*
+ * The optimization/unoptimization refers online_cpus via
+ * stop_machine() and cpu-hotplug modifies online_cpus.
+@@ -500,9 +501,7 @@ static void do_optimize_kprobes(void)
+ list_empty(&optimizing_list))
+ return;
+
+- mutex_lock(&text_mutex);
+ arch_optimize_kprobes(&optimizing_list);
+- mutex_unlock(&text_mutex);
+ }
+
+ /*
+@@ -513,6 +512,7 @@ static void do_unoptimize_kprobes(void)
+ {
+ struct optimized_kprobe *op, *tmp;
+
++ lockdep_assert_held(&text_mutex);
+ /* See comment in do_optimize_kprobes() */
+ lockdep_assert_cpus_held();
+
+@@ -520,7 +520,6 @@ static void do_unoptimize_kprobes(void)
+ if (list_empty(&unoptimizing_list))
+ return;
+
+- mutex_lock(&text_mutex);
+ arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list);
+ /* Loop free_list for disarming */
+ list_for_each_entry_safe(op, tmp, &freeing_list, list) {
+@@ -537,7 +536,6 @@ static void do_unoptimize_kprobes(void)
+ } else
+ list_del_init(&op->list);
+ }
+- mutex_unlock(&text_mutex);
+ }
+
+ /* Reclaim all kprobes on the free_list */
+@@ -563,6 +561,7 @@ static void kprobe_optimizer(struct work_struct *work)
+ {
+ mutex_lock(&kprobe_mutex);
+ cpus_read_lock();
++ mutex_lock(&text_mutex);
+ /* Lock modules while optimizing kprobes */
+ mutex_lock(&module_mutex);
+
+@@ -590,6 +589,7 @@ static void kprobe_optimizer(struct work_struct *work)
+ do_free_cleaned_kprobes();
+
+ mutex_unlock(&module_mutex);
++ mutex_unlock(&text_mutex);
+ cpus_read_unlock();
+ mutex_unlock(&kprobe_mutex);
+
+--
+2.20.1
+
--- /dev/null
+From 7dc25d862ff8f32cd2ddbdf809ae07e78f3ab96c Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Thu, 22 Aug 2019 13:03:05 +0200
+Subject: KVM: arm/arm64: Only skip MMIO insn once
+
+[ Upstream commit 2113c5f62b7423e4a72b890bd479704aa85c81ba ]
+
+If after an MMIO exit to userspace a VCPU is immediately run with an
+immediate_exit request, such as when a signal is delivered or an MMIO
+emulation completion is needed, then the VCPU completes the MMIO
+emulation and immediately returns to userspace. As the exit_reason
+does not get changed from KVM_EXIT_MMIO in these cases we have to
+be careful not to complete the MMIO emulation again, when the VCPU is
+eventually run again, because the emulation does an instruction skip
+(and doing too many skips would be a waste of guest code :-) We need
+to use additional VCPU state to track if the emulation is complete.
+As luck would have it, we already have 'mmio_needed', which even
+appears to be used in this way by other architectures already.
+
+Fixes: 0d640732dbeb ("arm64: KVM: Skip MMIO insn after emulation")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/arm/mmio.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
+index 08443a15e6be8..3caee91bca089 100644
+--- a/virt/kvm/arm/mmio.c
++++ b/virt/kvm/arm/mmio.c
+@@ -98,6 +98,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ unsigned int len;
+ int mask;
+
++ /* Detect an already handled MMIO return */
++ if (unlikely(!vcpu->mmio_needed))
++ return 0;
++
++ vcpu->mmio_needed = 0;
++
+ if (!run->mmio.is_write) {
+ len = run->mmio.len;
+ if (len > sizeof(unsigned long))
+@@ -200,6 +206,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
+ run->mmio.is_write = is_write;
+ run->mmio.phys_addr = fault_ipa;
+ run->mmio.len = len;
++ vcpu->mmio_needed = 1;
+
+ if (!ret) {
+ /* We handled the access successfully in the kernel. */
+--
+2.20.1
+
--- /dev/null
+From fdbeee8ae5f7c7735122ffdb682d0ef801ea6fb7 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Wed, 14 Aug 2019 11:23:13 -0500
+Subject: lan78xx: Fix memory leaks
+
+[ Upstream commit b9cbf8a64865b50fd0f4a3915fa00ac7365cdf8f ]
+
+In lan78xx_probe(), a new urb is allocated through usb_alloc_urb() and
+saved to 'dev->urb_intr'. However, in the following execution, if an error
+occurs, 'dev->urb_intr' is not deallocated, leading to memory leaks. To fix
+this issue, invoke usb_free_urb() to free the allocated urb before
+returning from the function.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index b62c41114e34e..24b994c68bccd 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3645,7 +3645,7 @@ static int lan78xx_probe(struct usb_interface *intf,
+ ret = register_netdev(netdev);
+ if (ret != 0) {
+ netif_err(dev, probe, netdev, "couldn't register the device\n");
+- goto out3;
++ goto out4;
+ }
+
+ usb_set_intfdata(intf, dev);
+@@ -3660,12 +3660,14 @@ static int lan78xx_probe(struct usb_interface *intf,
+
+ ret = lan78xx_phy_init(dev);
+ if (ret < 0)
+- goto out4;
++ goto out5;
+
+ return 0;
+
+-out4:
++out5:
+ unregister_netdev(netdev);
++out4:
++ usb_free_urb(dev->urb_intr);
+ out3:
+ lan78xx_unbind(dev, intf);
+ out2:
+--
+2.20.1
+
--- /dev/null
+From 399b98cb4716cbdc2e7cf126a2b683b0707be115 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:19 +0100
+Subject: libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
+
+[ Upstream commit 5c498950f730aa17c5f8a2cdcb903524e4002ed2 ]
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ceph/buffer.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ceph/buffer.h b/include/linux/ceph/buffer.h
+index 5e58bb29b1a36..11cdc7c60480f 100644
+--- a/include/linux/ceph/buffer.h
++++ b/include/linux/ceph/buffer.h
+@@ -30,7 +30,8 @@ static inline struct ceph_buffer *ceph_buffer_get(struct ceph_buffer *b)
+
+ static inline void ceph_buffer_put(struct ceph_buffer *b)
+ {
+- kref_put(&b->kref, ceph_buffer_release);
++ if (b)
++ kref_put(&b->kref, ceph_buffer_release);
+ }
+
+ extern int ceph_decode_buffer(struct ceph_buffer **b, void **p, void *end);
+--
+2.20.1
+
--- /dev/null
+From e56d3d3e27c5f47ff7329430476feafffe545c5c Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Wed, 14 Aug 2019 00:14:49 -0500
+Subject: liquidio: add cleanup in octeon_setup_iq()
+
+[ Upstream commit 6f967f8b1be7001b31c46429f2ee7d275af2190f ]
+
+If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
+to memory/resource leaks. To fix this issue, invoke
+octeon_delete_instr_queue() before returning from the function.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/request_manager.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c
+index 1e0fbce86d608..55e8731264634 100644
+--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c
++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c
+@@ -232,8 +232,10 @@ int octeon_setup_iq(struct octeon_device *oct,
+ }
+
+ oct->num_iqs++;
+- if (oct->fn_list.enable_io_queues(oct))
++ if (oct->fn_list.enable_io_queues(oct)) {
++ octeon_delete_instr_queue(oct, iq_no);
+ return 1;
++ }
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 6bc25851ebf0d587cce1b4bf1c166097c4363a0d Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Wed, 14 Aug 2019 13:56:43 -0500
+Subject: net: kalmia: fix memory leaks
+
+[ Upstream commit f1472cb09f11ddb41d4be84f0650835cb65a9073 ]
+
+In kalmia_init_and_get_ethernet_addr(), 'usb_buf' is allocated through
+kmalloc(). In the following execution, if the 'status' returned by
+kalmia_send_init_packet() is not 0, 'usb_buf' is not deallocated, leading
+to memory leaks. To fix this issue, add the 'out' label to free 'usb_buf'.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/kalmia.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c
+index ce0b0b4e3a57c..c677ec2bae183 100644
+--- a/drivers/net/usb/kalmia.c
++++ b/drivers/net/usb/kalmia.c
+@@ -117,16 +117,16 @@ kalmia_init_and_get_ethernet_addr(struct usbnet *dev, u8 *ethernet_addr)
+ status = kalmia_send_init_packet(dev, usb_buf, sizeof(init_msg_1)
+ / sizeof(init_msg_1[0]), usb_buf, 24);
+ if (status != 0)
+- return status;
++ goto out;
+
+ memcpy(usb_buf, init_msg_2, 12);
+ status = kalmia_send_init_packet(dev, usb_buf, sizeof(init_msg_2)
+ / sizeof(init_msg_2[0]), usb_buf, 28);
+ if (status != 0)
+- return status;
++ goto out;
+
+ memcpy(ethernet_addr, usb_buf + 10, ETH_ALEN);
+-
++out:
+ kfree(usb_buf);
+ return status;
+ }
+--
+2.20.1
+
--- /dev/null
+From 692ea5838ce7026e8ef7d90cf5f2c909966b35ff Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Wed, 14 Aug 2019 01:38:39 -0500
+Subject: net: myri10ge: fix memory leaks
+
+[ Upstream commit 20fb7c7a39b5c719e2e619673b5f5729ee7d2306 ]
+
+In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices
+related structures. Later on, myri10ge_request_irq() is used to get an irq.
+However, if this process fails, the allocated slices related structures are
+not deallocated, leading to memory leaks. To fix this issue, revise the
+target label of the goto statement to 'abort_with_slices'.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+index b171ed2015fe4..a0a555052d8ca 100644
+--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+@@ -3922,7 +3922,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ * setup (if available). */
+ status = myri10ge_request_irq(mgp);
+ if (status != 0)
+- goto abort_with_firmware;
++ goto abort_with_slices;
+ myri10ge_free_irq(mgp);
+
+ /* Save configuration space to be restored if the
+--
+2.20.1
+
--- /dev/null
+From 78dd4925401b59343d3499bbc9a220c137e2b8aa Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Sun, 11 Aug 2019 20:13:45 -0700
+Subject: net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx
+
+[ Upstream commit 125b7e0949d4e72b15c2b1a1590f8cece985a918 ]
+
+clang warns:
+
+drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical
+'&&' with constant operand [-Wconstant-logical-operand]
+ if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
+ ^ ~~~~~~~~~~~~
+drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a
+bitwise operation
+ if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
+ ^~
+ &
+drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to
+silence this warning
+ if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
+ ~^~~~~~~~~~~~~~~
+1 warning generated.
+
+Explicitly check that NET_IP_ALIGN is not zero, which matches how this
+is checked in other parts of the tree. Because NET_IP_ALIGN is a build
+time constant, this check will be constant folded away during
+optimization.
+
+Fixes: 82a9928db560 ("tc35815: Enable StripCRC feature")
+Link: https://github.com/ClangBuiltLinux/linux/issues/608
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/tc35815.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/toshiba/tc35815.c b/drivers/net/ethernet/toshiba/tc35815.c
+index cce9c9ed46aa9..9146068979d2c 100644
+--- a/drivers/net/ethernet/toshiba/tc35815.c
++++ b/drivers/net/ethernet/toshiba/tc35815.c
+@@ -1497,7 +1497,7 @@ tc35815_rx(struct net_device *dev, int limit)
+ pci_unmap_single(lp->pci_dev,
+ lp->rx_skbs[cur_bd].skb_dma,
+ RX_BUF_SIZE, PCI_DMA_FROMDEVICE);
+- if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
++ if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN != 0)
+ memmove(skb->data, skb->data - NET_IP_ALIGN,
+ pkt_len);
+ data = skb_put(skb, pkt_len);
+--
+2.20.1
+
--- /dev/null
+From 6af17a09477284cc51f54e4b10a01187f8a79316 Mon Sep 17 00:00:00 2001
+From: Fuqian Huang <huangfq.daxian@gmail.com>
+Date: Fri, 9 Aug 2019 13:35:39 +0800
+Subject: net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq
+ in IRQ context
+
+[ Upstream commit 8c25d0887a8bd0e1ca2074ac0c6dff173787a83b ]
+
+As spin_unlock_irq will enable interrupts.
+Function tsi108_stat_carry is called from interrupt handler tsi108_irq.
+Interrupts are enabled in interrupt handler.
+Use spin_lock_irqsave/spin_unlock_irqrestore instead of spin_(un)lock_irq
+in IRQ context to avoid this.
+
+Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/tundra/tsi108_eth.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c
+index c2d15d9c0c33b..455979e47424c 100644
+--- a/drivers/net/ethernet/tundra/tsi108_eth.c
++++ b/drivers/net/ethernet/tundra/tsi108_eth.c
+@@ -381,9 +381,10 @@ tsi108_stat_carry_one(int carry, int carry_bit, int carry_shift,
+ static void tsi108_stat_carry(struct net_device *dev)
+ {
+ struct tsi108_prv_data *data = netdev_priv(dev);
++ unsigned long flags;
+ u32 carry1, carry2;
+
+- spin_lock_irq(&data->misclock);
++ spin_lock_irqsave(&data->misclock, flags);
+
+ carry1 = TSI_READ(TSI108_STAT_CARRY1);
+ carry2 = TSI_READ(TSI108_STAT_CARRY2);
+@@ -451,7 +452,7 @@ static void tsi108_stat_carry(struct net_device *dev)
+ TSI108_STAT_TXPAUSEDROP_CARRY,
+ &data->tx_pause_drop);
+
+- spin_unlock_irq(&data->misclock);
++ spin_unlock_irqrestore(&data->misclock, flags);
+ }
+
+ /* Read a stat counter atomically with respect to carries.
+--
+2.20.1
+
--- /dev/null
+From ca09fdcd4a9b0f7ff2a802eea7916216f18bcf6a Mon Sep 17 00:00:00 2001
+From: Tho Vu <tho.vu.wh@rvc.renesas.com>
+Date: Fri, 16 Aug 2019 17:17:02 +0200
+Subject: ravb: Fix use-after-free ravb_tstamp_skb
+
+[ Upstream commit cfef46d692efd852a0da6803f920cc756eea2855 ]
+
+When a Tx timestamp is requested, a pointer to the skb is stored in the
+ravb_tstamp_skb struct. This was done without an skb_get. There exists
+the possibility that the skb could be freed by ravb_tx_free (when
+ravb_tx_free is called from ravb_start_xmit) before the timestamp was
+processed, leading to a use-after-free bug.
+
+Use skb_get when filling a ravb_tstamp_skb struct, and add appropriate
+frees/consumes when a ravb_tstamp_skb struct is freed.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Tho Vu <tho.vu.wh@rvc.renesas.com>
+Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index ce79af4a7f6fb..d73617cc3b159 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1,6 +1,6 @@
+ /* Renesas Ethernet AVB device driver
+ *
+- * Copyright (C) 2014-2015 Renesas Electronics Corporation
++ * Copyright (C) 2014-2019 Renesas Electronics Corporation
+ * Copyright (C) 2015 Renesas Solutions Corp.
+ * Copyright (C) 2015-2016 Cogent Embedded, Inc. <source@cogentembedded.com>
+ *
+@@ -513,7 +513,10 @@ static void ravb_get_tx_tstamp(struct net_device *ndev)
+ kfree(ts_skb);
+ if (tag == tfa_tag) {
+ skb_tstamp_tx(skb, &shhwtstamps);
++ dev_consume_skb_any(skb);
+ break;
++ } else {
++ dev_kfree_skb_any(skb);
+ }
+ }
+ ravb_modify(ndev, TCCR, TCCR_TFR, TCCR_TFR);
+@@ -1576,7 +1579,7 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ DMA_TO_DEVICE);
+ goto unmap;
+ }
+- ts_skb->skb = skb;
++ ts_skb->skb = skb_get(skb);
+ ts_skb->tag = priv->ts_skb_tag++;
+ priv->ts_skb_tag &= 0x3ff;
+ list_add_tail(&ts_skb->list, &priv->ts_skb_list);
+@@ -1704,6 +1707,7 @@ static int ravb_close(struct net_device *ndev)
+ /* Clear the timestamp list */
+ list_for_each_entry_safe(ts_skb, ts_skb2, &priv->ts_skb_list, list) {
+ list_del(&ts_skb->list);
++ kfree_skb(ts_skb->skb);
+ kfree(ts_skb);
+ }
+
+--
+2.20.1
+
--- /dev/null
+net-tundra-tsi108-use-spin_lock_irqsave-instead-of-s.patch
+hv_netvsc-fix-a-warning-of-suspicious-rcu-usage.patch
+net-tc35815-explicitly-check-net_ip_align-is-not-zer.patch
+bluetooth-btqca-add-a-short-delay-before-downloading.patch
+bluetooth-hidp-let-hidp_send_message-return-number-o.patch
+ibmveth-convert-multicast-list-size-for-little-endia.patch
+gpio-fix-build-error-of-function-redefinition.patch
+drm-mediatek-use-correct-device-to-import-prime-buff.patch
+drm-mediatek-set-dma-max-segment-size.patch
+cxgb4-fix-a-memory-leak-bug.patch
+liquidio-add-cleanup-in-octeon_setup_iq.patch
+net-myri10ge-fix-memory-leaks.patch
+lan78xx-fix-memory-leaks.patch
+vfs-fix-page-locking-deadlocks-when-deduping-files.patch
+cx82310_eth-fix-a-memory-leak-bug.patch
+net-kalmia-fix-memory-leaks.patch
+wimax-i2400m-fix-a-memory-leak-bug.patch
+ravb-fix-use-after-free-ravb_tstamp_skb.patch
+kprobes-fix-potential-deadlock-in-kprobe_optimizer.patch
+hid-cp2112-prevent-sleeping-function-called-from-inv.patch
+input-hyperv-keyboard-use-in-place-iterator-api-in-t.patch
+tools-hv-kvp-eliminate-may-be-used-uninitialized-war.patch
+ib-mlx4-fix-memory-leaks.patch
+ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch
+ceph-fix-buffer-free-while-holding-i_ceph_lock-in-__.patch-14468
+ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fi.patch
+kvm-arm-arm64-only-skip-mmio-insn-once.patch
+libceph-allow-ceph_buffer_put-to-receive-a-null-ceph.patch
--- /dev/null
+From f5992961535679a288a54578e6f1bd38fd06bcd6 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Mon, 19 Aug 2019 16:44:09 +0200
+Subject: Tools: hv: kvp: eliminate 'may be used uninitialized' warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 89eb4d8d25722a0a0194cf7fa47ba602e32a6da7 ]
+
+When building hv_kvp_daemon GCC-8.3 complains:
+
+hv_kvp_daemon.c: In function ‘kvp_get_ip_info.constprop’:
+hv_kvp_daemon.c:812:30: warning: ‘ip_buffer’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ struct hv_kvp_ipaddr_value *ip_buffer;
+
+this seems to be a false positive: we only use ip_buffer when
+op == KVP_OP_GET_IP_INFO and it is only unset when op == KVP_OP_ENUMERATE.
+
+Silence the warning by initializing ip_buffer to NULL.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/hv/hv_kvp_daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c
+index 0ef215061fb50..1b917eaffad8d 100644
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -867,7 +867,7 @@ kvp_get_ip_info(int family, char *if_name, int op,
+ int sn_offset = 0;
+ int error = 0;
+ char *buffer;
+- struct hv_kvp_ipaddr_value *ip_buffer;
++ struct hv_kvp_ipaddr_value *ip_buffer = NULL;
+ char cidr_mask[5]; /* /xyz */
+ int weight;
+ int i;
+--
+2.20.1
+
--- /dev/null
+From 433d89a19f6a726fe742cde3596181e8d5c6dba1 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Sun, 11 Aug 2019 15:52:25 -0700
+Subject: vfs: fix page locking deadlocks when deduping files
+
+[ Upstream commit edc58dd0123b552453a74369bd0c8d890b497b4b ]
+
+When dedupe wants to use the page cache to compare parts of two files
+for dedupe, we must be very careful to handle locking correctly. The
+current code doesn't do this. It must lock and unlock the page only
+once if the two pages are the same, since the overlapping range check
+doesn't catch this when blocksize < pagesize. If the pages are distinct
+but from the same file, we must observe page locking order and lock them
+in order of increasing offset to avoid clashing with writeback locking.
+
+Fixes: 876bec6f9bbfcb3 ("vfs: refactor clone/dedupe_file_range common functions")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Bill O'Donnell <billodo@redhat.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/read_write.c | 49 +++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/fs/read_write.c b/fs/read_write.c
+index d6f8bfb0f7942..38a8bcccf0dd0 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1882,10 +1882,7 @@ int vfs_clone_file_range(struct file *file_in, loff_t pos_in,
+ }
+ EXPORT_SYMBOL(vfs_clone_file_range);
+
+-/*
+- * Read a page's worth of file data into the page cache. Return the page
+- * locked.
+- */
++/* Read a page's worth of file data into the page cache. */
+ static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset)
+ {
+ struct address_space *mapping;
+@@ -1901,10 +1898,32 @@ static struct page *vfs_dedupe_get_page(struct inode *inode, loff_t offset)
+ put_page(page);
+ return ERR_PTR(-EIO);
+ }
+- lock_page(page);
+ return page;
+ }
+
++/*
++ * Lock two pages, ensuring that we lock in offset order if the pages are from
++ * the same file.
++ */
++static void vfs_lock_two_pages(struct page *page1, struct page *page2)
++{
++ /* Always lock in order of increasing index. */
++ if (page1->index > page2->index)
++ swap(page1, page2);
++
++ lock_page(page1);
++ if (page1 != page2)
++ lock_page(page2);
++}
++
++/* Unlock two pages, being careful not to unlock the same page twice. */
++static void vfs_unlock_two_pages(struct page *page1, struct page *page2)
++{
++ unlock_page(page1);
++ if (page1 != page2)
++ unlock_page(page2);
++}
++
+ /*
+ * Compare extents of two files to see if they are the same.
+ * Caller must have locked both inodes to prevent write races.
+@@ -1942,10 +1961,24 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff,
+ dest_page = vfs_dedupe_get_page(dest, destoff);
+ if (IS_ERR(dest_page)) {
+ error = PTR_ERR(dest_page);
+- unlock_page(src_page);
+ put_page(src_page);
+ goto out_error;
+ }
++
++ vfs_lock_two_pages(src_page, dest_page);
++
++ /*
++ * Now that we've locked both pages, make sure they're still
++ * mapped to the file data we're interested in. If not,
++ * someone is invalidating pages on us and we lose.
++ */
++ if (!PageUptodate(src_page) || !PageUptodate(dest_page) ||
++ src_page->mapping != src->i_mapping ||
++ dest_page->mapping != dest->i_mapping) {
++ same = false;
++ goto unlock;
++ }
++
+ src_addr = kmap_atomic(src_page);
+ dest_addr = kmap_atomic(dest_page);
+
+@@ -1957,8 +1990,8 @@ int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff,
+
+ kunmap_atomic(dest_addr);
+ kunmap_atomic(src_addr);
+- unlock_page(dest_page);
+- unlock_page(src_page);
++unlock:
++ vfs_unlock_two_pages(src_page, dest_page);
+ put_page(dest_page);
+ put_page(src_page);
+
+--
+2.20.1
+
--- /dev/null
+From fa620c986214ad9878ae31a61941f73267106c43 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 15 Aug 2019 15:29:51 -0500
+Subject: wimax/i2400m: fix a memory leak bug
+
+[ Upstream commit 44ef3a03252844a8753479b0cea7f29e4a804bdc ]
+
+In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup()
+to hold the original command line options. Then, the options are parsed.
+However, if an error occurs during the parsing process, 'options_orig' is
+not deallocated, leading to a memory leak bug. To fix this issue, free
+'options_orig' before returning the error.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wimax/i2400m/fw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c
+index a89b5685e68b3..4577ee5bbddd6 100644
+--- a/drivers/net/wimax/i2400m/fw.c
++++ b/drivers/net/wimax/i2400m/fw.c
+@@ -351,13 +351,15 @@ int i2400m_barker_db_init(const char *_options)
+ }
+ result = i2400m_barker_db_add(barker);
+ if (result < 0)
+- goto error_add;
++ goto error_parse_add;
+ }
+ kfree(options_orig);
+ }
+ return 0;
+
++error_parse_add:
+ error_parse:
++ kfree(options_orig);
+ error_add:
+ kfree(i2400m_barker_db);
+ return result;
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
