commit e0f8b8a65a473a8baa439cf865a694bbeb83fe90
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Feb 5 14:18:29 2020 +0000

    Linux 4.14.170

commit 5008c125d5535e7ff13085553b0ec55547ef72a3
Author: Jin Yao <yao.jin@linux.intel.com>
Date:   Wed Jan 8 03:17:45 2020 +0800

    perf report: Fix no libunwind compiled warning break s390 issue
    
    [ Upstream commit c3314a74f86dc00827e0945c8e5039fc3aebaa3c ]
    
    Commit 800d3f561659 ("perf report: Add warning when libunwind not
    compiled in") breaks the s390 platform. S390 uses libdw-dwarf-unwind for
    call chain unwinding and had no support for libunwind.
    
    So the warning "Please install libunwind development packages during the
    perf build." caused the confusion even if the call-graph is displayed
    correctly.
    
    This patch adds checking for HAVE_DWARF_SUPPORT, which is set when
    libdw-dwarf-unwind is compiled in.
    
    Fixes: 800d3f561659 ("perf report: Add warning when libunwind not compiled in")
    Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
    Reviewed-by: Thomas Richter <tmricht@linux.ibm.com>
    Tested-by: Thomas Richter <tmricht@linux.ibm.com>
    Acked-by: Jiri Olsa <jolsa@redhat.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: Jin Yao <yao.jin@intel.com>
    Cc: Kan Liang <kan.liang@linux.intel.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: http://lore.kernel.org/lkml/20200107191745.18415-1-yao.jin@linux.intel.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e1404bf5369466ec41eb57852ccf5c24d5c69fe4
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Fri Jan 31 09:31:05 2020 -0500

    btrfs: do not zero f_bavail if we have available space
    
    commit d55966c4279bfc6a0cf0b32bf13f5df228a1eeb6 upstream.
    
    There was some logic added a while ago to clear out f_bavail in statfs()
    if we did not have enough free metadata space to satisfy our global
    reserve.  This was incorrect at the time, however didn't really pose a
    problem for normal file systems because we would often allocate chunks
    if we got this low on free metadata space, and thus wouldn't really hit
    this case unless we were actually full.
    
    Fast forward to today and now we are much better about not allocating
    metadata chunks all of the time.  Couple this with d792b0f19711 ("btrfs:
    always reserve our entire size for the global reserve") which now means
    we'll easily have a larger global reserve than our free space, we are
    now more likely to trip over this while still having plenty of space.
    
    Fix this by skipping this logic if the global rsv's space_info is not
    full.  space_info->full is 0 unless we've attempted to allocate a chunk
    for that space_info and that has failed.  If this happens then the space
    for the global reserve is definitely sacred and we need to report
    b_avail == 0, but before then we can just use our calculated b_avail.
    
    Reported-by: Martin Steigerwald <martin@lichtvoll.de>
    Fixes: ca8a51b3a979 ("btrfs: statfs: report zero available if metadata are exhausted")
    CC: stable@vger.kernel.org # 4.5+
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Tested-By: Martin Steigerwald <martin@lichtvoll.de>
    Signed-off-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b7a4bed4c7894442fd0f339b84e022a02174c5d
Author: Praveen Chaudhary <praveen5582@gmail.com>
Date:   Thu Jan 23 12:33:28 2020 -0800

    net: Fix skb->csum update in inet_proto_csum_replace16().
    
    [ Upstream commit 189c9b1e94539b11c80636bc13e9cf47529e7bba ]
    
    skb->csum is updated incorrectly, when manipulation for
    NF_NAT_MANIP_SRC\DST is done on IPV6 packet.
    
    Fix:
    There is no need to update skb->csum in inet_proto_csum_replace16(),
    because update in two fields a.) IPv6 src/dst address and b.) L4 header
    checksum cancels each other for skb->csum calculation. Whereas
    inet_proto_csum_replace4 function needs to update skb->csum, because
    update in 3 fields a.) IPv4 src/dst address, b.) IPv4 Header checksum
    and c.) L4 header checksum results in same diff as L4 Header checksum
    for skb->csum calculation.
    
    [ pablo@netfilter.org: a few cosmetic documentation edits ]
    Signed-off-by: Praveen Chaudhary <pchaudhary@linkedin.com>
    Signed-off-by: Zhenggen Xu <zxu@linkedin.com>
    Signed-off-by: Andy Stracner <astracner@linkedin.com>
    Reviewed-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 964646964ef4028148b5916f6ad5b55a2d9c9152
Author: Vasily Averin <vvs@virtuozzo.com>
Date:   Thu Jan 23 10:11:13 2020 +0300

    l2t_seq_next should increase position index
    
    [ Upstream commit 66018a102f7756cf72db4d2704e1b93969d9d332 ]
    
    if seq_file .next function does not change position index,
    read after some lseek can generate unexpected output.
    
    https://bugzilla.kernel.org/show_bug.cgi?id=206283
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b2fd13e9ced42f35deb3faa0b65966ec9fd237a4
Author: Vasily Averin <vvs@virtuozzo.com>
Date:   Thu Jan 23 10:11:08 2020 +0300

    seq_tab_next() should increase position index
    
    [ Upstream commit 70a87287c821e9721b62463777f55ba588ac4623 ]
    
    if seq_file .next function does not change position index,
    read after some lseek can generate unexpected output.
    
    https://bugzilla.kernel.org/show_bug.cgi?id=206283
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 772c96a03b0d0e45170cf8352078fcbf9ba9dd7c
Author: Finn Thain <fthain@telegraphics.com.au>
Date:   Thu Jan 23 09:07:26 2020 +1100

    net/sonic: Quiesce SONIC before re-initializing descriptor memory
    
    [ Upstream commit 3f4b7e6a2be982fd8820a2b54d46dd9c351db899 ]
    
    Make sure the SONIC's DMA engine is idle before altering the transmit
    and receive descriptors. Add a helper for this as it will be needed
    again.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Tested-by: Stan Johnson <userm57@yahoo.com>
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 36db400a662d4651a7987f0ec3598de03eb951a8
Author: Finn Thain <fthain@telegraphics.com.au>
Date:   Thu Jan 23 09:07:26 2020 +1100

    net/sonic: Fix receive buffer handling
    
    [ Upstream commit 9e311820f67e740f4fb8dcb82b4c4b5b05bdd1a5 ]
    
    The SONIC can sometimes advance its rx buffer pointer (RRP register)
    without advancing its rx descriptor pointer (CRDA register). As a result
    the index of the current rx descriptor may not equal that of the current
    rx buffer. The driver mistakenly assumes that they are always equal.
    This assumption leads to incorrect packet lengths and possible packet
    duplication. Avoid this by calling a new function to locate the buffer
    corresponding to a given descriptor.
    
    Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
    Tested-by: Stan Johnson <userm57@yahoo.com>
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3a8debf8b1ee9b3d87df1bdd86883717b793b9be
Author: Finn Thain <fthain@telegraphics.com.au>
Date:   Thu Jan 23 09:07:26 2020 +1100

    net/sonic: Use MMIO accessors
    
    [ Upstream commit e3885f576196ddfc670b3d53e745de96ffcb49ab ]
    
    The driver accesses descriptor memory which is simultaneously accessed by
    the chip, so the compiler must not be allowed to re-order CPU accesses.
    sonic_buf_get() used 'volatile' to prevent that. sonic_buf_put() should
    have done so too but was overlooked.
    
    Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
    Tested-by: Stan Johnson <userm57@yahoo.com>
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3c8a4483d801cb8fd8eaf74faacfd6eebece7139
Author: Finn Thain <fthain@telegraphics.com.au>
Date:   Thu Jan 23 09:07:26 2020 +1100

    net/sonic: Add mutual exclusion for accessing shared state
    
    [ Upstream commit 865ad2f2201dc18685ba2686f13217f8b3a9c52c ]
    
    The netif_stop_queue() call in sonic_send_packet() races with the
    netif_wake_queue() call in sonic_interrupt(). This causes issues
    like "NETDEV WATCHDOG: eth0 (macsonic): transmit queue 0 timed out".
    Fix this by disabling interrupts when accessing tx_skb[] and next_tx.
    Update a comment to clarify the synchronization properties.
    
    Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
    Tested-by: Stan Johnson <userm57@yahoo.com>
    Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5d47f5ed5a1a4d08cd889f5b5fcacc1c0285b5bd
Author: Madalin Bucur <madalin.bucur@oss.nxp.com>
Date:   Wed Jan 22 16:15:14 2020 +0200

    net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G
    
    [ Upstream commit 457bfc0a4bf531487ecc3cf82ec728a5e114fb1e ]
    
    As the only 10G PHY interface type defined at the moment the code
    was developed was XGMII, although the PHY interface mode used was
    not XGMII, XGMII was used in the code to denote 10G. This patch
    renames the 10G interface mode to remove the ambiguity.
    
    Signed-off-by: Madalin Bucur <madalin.bucur@oss.nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 743bc2ab644f8d2c85f4021e1d2d72dd39d1ace8
Author: Madalin Bucur <madalin.bucur@oss.nxp.com>
Date:   Wed Jan 22 15:20:29 2020 +0200

    net/fsl: treat fsl,erratum-a011043
    
    [ Upstream commit 1d3ca681b9d9575ccf696ebc2840a1ebb1fd4074 ]
    
    When fsl,erratum-a011043 is set, adjust for erratum A011043:
    MDIO reads to internal PCS registers may result in having
    the MDIO_CFG[MDIO_RD_ER] bit set, even when there is no
    error and read data (MDIO_DATA[MDIO_DATA]) is correct.
    Software may get false read error when reading internal
    PCS registers through MDIO. As a workaround, all internal
    MDIO accesses should ignore the MDIO_CFG[MDIO_RD_ER] bit.
    
    Signed-off-by: Madalin Bucur <madalin.bucur@oss.nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5d45e8aa20fbb1097d6d1d6866c91aeb81941663
Author: Madalin Bucur <madalin.bucur@oss.nxp.com>
Date:   Wed Jan 22 15:20:28 2020 +0200

    powerpc/fsl/dts: add fsl,erratum-a011043
    
    [ Upstream commit 73d527aef68f7644e59f22ce7f9ac75e7b533aea ]
    
    Add fsl,erratum-a011043 to internal MDIO buses.
    Software may get false read error when reading internal
    PCS registers through MDIO. As a workaround, all internal
    MDIO accesses should ignore the MDIO_CFG[MDIO_RD_ER] bit.
    
    Signed-off-by: Madalin Bucur <madalin.bucur@oss.nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fcd0c0d36a58b9d99856de8aa6cde011e1134630
Author: Manish Chopra <manishc@marvell.com>
Date:   Wed Jan 22 01:43:38 2020 -0800

    qlcnic: Fix CPU soft lockup while collecting firmware dump
    
    [ Upstream commit 22e984493a41bf8081f13d9ed84def3ca8cfd427 ]
    
    Driver while collecting firmware dump takes longer time to
    collect/process some of the firmware dump entries/memories.
    Bigger capture masks make it worse as it results in larger
    amount of data being collected and results in CPU soft lockup.
    Place cond_resched() in some of the driver flows that are
    expectedly time consuming to relinquish the CPU to avoid CPU
    soft lockup panic.
    
    Signed-off-by: Shahed Shaikh <shshaikh@marvell.com>
    Tested-by: Yonggen Xu <Yonggen.Xu@dell.com>
    Signed-off-by: Manish Chopra <manishc@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ce9ba09d135bb93652811783bce421be074fa5e4
Author: Hayes Wang <hayeswang@realtek.com>
Date:   Wed Jan 22 16:02:07 2020 +0800

    r8152: get default setting of WOL before initializing
    
    [ Upstream commit 9583a3638dc07cc1878f41265e85ed497f72efcb ]
    
    Initialization would reset runtime suspend by tp->saved_wolopts, so
    the tp->saved_wolopts should be set before initializing.
    
    Signed-off-by: Hayes Wang <hayeswang@realtek.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6f0f284b770a29d0094b4671e37ac0ee521903b6
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Wed Jan 22 15:07:28 2020 +1100

    airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE
    
    [ Upstream commit 78f7a7566f5eb59321e99b55a6fdb16ea05b37d1 ]
    
    The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
    implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
    
    The ioctl handler copies an aironet_ioctl struct from userspace, which
    includes a command. Some of the commands are handled in readrids(),
    where the user controlled command is converted into a driver-internal
    value called "ridcode".
    
    There are two command values, AIROGWEPKTMP and AIROGWEPKNV, which
    correspond to ridcode values of RID_WEP_TEMP and RID_WEP_PERM
    respectively. These commands both have checks that the user has
    CAP_NET_ADMIN, with the comment that "Only super-user can read WEP
    keys", otherwise they return -EPERM.
    
    However there is another command value, AIRORRID, that lets the user
    specify the ridcode value directly, with no other checks. This means
    the user can bypass the CAP_NET_ADMIN check on AIROGWEPKTMP and
    AIROGWEPKNV.
    
    Fix it by moving the CAP_NET_ADMIN check out of the command handling
    and instead do it later based on the ridcode. That way regardless of
    whether the ridcode is set via AIROGWEPKTMP or AIROGWEPKNV, or passed
    in using AIRORRID, we always do the CAP_NET_ADMIN check.
    
    Found by Ilja by code inspection, not tested as I don't have the
    required hardware.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
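
The check placement described in the commit message above, as an added user-space model (not the driver's code). The command and ridcode names come from the message; their numeric values, `CMD_OTHER_READ` and `RID_OTHER` are constructed for the illustration, and the return value stands in for "read this RID and copy it out".

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Names from the commit message; numeric values are constructed. */
enum cmd { AIROGWEPKTMP = 1, AIROGWEPKNV, AIRORRID, CMD_OTHER_READ /* hypothetical */ };
enum rid { RID_WEP_TEMP = 0x10, RID_WEP_PERM = 0x11, RID_OTHER = 0x20 /* hypothetical */ };

/* Before: the privilege check is tied to the command value, so the one
 * command that takes the ridcode from the caller never reaches it. */
static int readrids_before(int cmd, int user_ridcode, bool cap_net_admin)
{
    int ridcode;

    switch (cmd) {
    case AIROGWEPKTMP:
        if (!cap_net_admin)
            return -EPERM;
        ridcode = RID_WEP_TEMP;
        break;
    case AIROGWEPKNV:
        if (!cap_net_admin)
            return -EPERM;
        ridcode = RID_WEP_PERM;
        break;
    case AIRORRID:
        ridcode = user_ridcode;   /* caller-chosen, unchecked */
        break;
    case CMD_OTHER_READ:
        ridcode = RID_OTHER;
        break;
    default:
        return -EINVAL;
    }
    return ridcode;
}

/* After: commands only select the ridcode; the check is made once on the
 * resolved ridcode, whichever command produced it. */
static int readrids_after(int cmd, int user_ridcode, bool cap_net_admin)
{
    int ridcode;

    switch (cmd) {
    case AIROGWEPKTMP:   ridcode = RID_WEP_TEMP; break;
    case AIROGWEPKNV:    ridcode = RID_WEP_PERM; break;
    case AIRORRID:       ridcode = user_ridcode; break;
    case CMD_OTHER_READ: ridcode = RID_OTHER;    break;
    default:
        return -EINVAL;
    }
    if ((ridcode == RID_WEP_TEMP || ridcode == RID_WEP_PERM) && !cap_net_admin)
        return -EPERM;
    return ridcode;
}

int main(void)
{
    printf("before, unprivileged AIRORRID + RID_WEP_PERM: %d\n",
           readrids_before(AIRORRID, RID_WEP_PERM, false));
    printf("after,  unprivileged AIRORRID + RID_WEP_PERM: %d\n",
           readrids_after(AIRORRID, RID_WEP_PERM, false));
    return 0;
}
```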

commit 33fc8d611378dc649f8c342596f7d3be52bdc941
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Wed Jan 22 15:07:27 2020 +1100

    airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
    
    [ Upstream commit d6bce2137f5d6bb1093e96d2f801479099b28094 ]
    
    The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
    implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
    
    The ioctl handler copies an aironet_ioctl struct from userspace, which
    includes a command and a length. Some of the commands are handled in
    readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes.
    
    That buffer is then passed to PC4500_readrid(), which has two cases.
    The else case does some setup and then reads up to RIDSIZE bytes from
    the hardware into the kmalloc()'ed buffer.
    
    Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer:
    
            // read the rid length field
            bap_read(ai, pBuf, 2, BAP1);
            // length for remaining part of rid
            len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2;
            ...
            // read remainder of the rid
            rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1);
    
    PC4500_readrid() then returns to readrids() which does:
    
            len = comp->len;
            if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) {
    
    Where comp->len is the user controlled length field.
    
    So if the "rid length field" returned by the hardware is < 2048, and
    the user requests 2048 bytes in comp->len, we will leak the previous
    contents of the kmalloc()'ed buffer to userspace.
    
    Fix it by kzalloc()'ing the buffer.
    
    Found by Ilja by code inspection, not tested as I don't have the
    required hardware.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
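
The length mismatch described in the commit message above, as an added user-space model (not the driver's code). `STALE` and `PAYLOAD` are constructed marker bytes, `malloc()` plus a fill stands in for kmalloc() returning recycled memory, and the `int` type of the user length is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RIDSIZE 2048   /* buffer size named in the commit message */
#define STALE   0xA5   /* constructed marker: previous heap contents */
#define PAYLOAD 0x11   /* constructed marker: bytes written by the card */

static int min_int(int a, int b) { return a < b ? a : b; }

/* Models the else case of PC4500_readrid(): the card's own length field
 * bounds how much of pBuf is actually written. */
static void model_readrid(uint8_t *pBuf, int len, int hw_rid_len)
{
    /* read the rid length field (little-endian, 2 bytes) */
    pBuf[0] = (uint8_t)(hw_rid_len & 0xff);
    pBuf[1] = (uint8_t)(hw_rid_len >> 8);
    /* length for remaining part of rid */
    len = min_int(len, hw_rid_len) - 2;
    /* read remainder of the rid */
    if (len > 0)
        memset(pBuf + 2, PAYLOAD, (size_t)len);
}

/* Models readrids(): returns how many bytes of old heap content reach the
 * caller's buffer. zeroed == 0 models kmalloc(), zeroed != 0 models kzalloc(). */
static int leaked_stale_bytes(int zeroed, int hw_rid_len, int user_len)
{
    uint8_t user_buf[RIDSIZE];
    uint8_t *iobuf;
    int copied, i, stale = 0;

    if (hw_rid_len < 2 || hw_rid_len > 0xffff || user_len < 0)
        return -1;

    iobuf = malloc(RIDSIZE);
    if (!iobuf)
        return -1;
    memset(iobuf, zeroed ? 0 : STALE, RIDSIZE);

    model_readrid(iobuf, RIDSIZE, hw_rid_len);

    /* The copy length follows the caller's request, not what was read. */
    copied = min_int(user_len, RIDSIZE);
    memcpy(user_buf, iobuf, (size_t)copied);
    free(iobuf);

    for (i = 0; i < copied; i++)
        if (user_buf[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    /* Constructed case: card reports a 64-byte rid, caller asks for 2048. */
    printf("kmalloc model: %d stale bytes copied out\n",
           leaked_stale_bytes(0, 64, 2048));
    printf("kzalloc model: %d stale bytes copied out\n",
           leaked_stale_bytes(1, 64, 2048));
    return 0;
}
```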

commit ffc1f3076eda033f86e9b0cb873788a01292f737
Author: Vincenzo Frascino <vincenzo.frascino@arm.com>
Date:   Fri Jan 10 12:28:07 2020 +0000

    tee: optee: Fix compilation issue with nommu
    
    [ Upstream commit 9e0caab8e0f96f0af7d1dd388e62f44184a75372 ]
    
    The optee driver uses specific page table types to verify if a memory
    region is normal. These types are not defined in nommu systems. Trying
    to compile the driver in these systems results in a build error:
    
      linux/drivers/tee/optee/call.c: In function ‘is_normal_memory’:
      linux/drivers/tee/optee/call.c:533:26: error: ‘L_PTE_MT_MASK’ undeclared
         (first use in this function); did you mean ‘PREEMPT_MASK’?
         return (pgprot_val(p) & L_PTE_MT_MASK) == L_PTE_MT_WRITEALLOC;
                                 ^~~~~~~~~~~~~
                                 PREEMPT_MASK
      linux/drivers/tee/optee/call.c:533:26: note: each undeclared identifier is
         reported only once for each function it appears in
      linux/drivers/tee/optee/call.c:533:44: error: ‘L_PTE_MT_WRITEALLOC’ undeclared
         (first use in this function)
         return (pgprot_val(p) & L_PTE_MT_MASK) == L_PTE_MT_WRITEALLOC;
                                                ^~~~~~~~~~~~~~~~~~~
    
    Make the optee driver depend on MMU to fix the compilation issue.
    
    Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
    [jw: update commit title]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9da4de4d00cc926d98fb13d284104210122ae1fa
Author: Vladimir Murzin <vladimir.murzin@arm.com>
Date:   Mon Jan 20 15:07:46 2020 +0100

    ARM: 8955/1: virt: Relax arch timer version check during early boot
    
    [ Upstream commit 6849b5eba1965ceb0cad3a75877ef4569dd3638e ]
    
    Updates to the Generic Timer architecture allow ID_PFR1.GenTimer to
    have values other than 0 or 1 while still preserving backward
    compatibility. At the moment, Linux is quite strict in the way it
    handles this field at early boot and will not configure arch timer if
    it doesn't find the value 1.
    
    Since here use ubfx for arch timer version extraction (hyb-stub build
    with -march=armv7-a, so it is safe)
    
    To help backports (even though the code was correct at the time of writing)
    
    Fixes: 8ec58be9f3ff ("ARM: virt: arch_timers: enable access to physical timers")
    Acked-by: Marc Zyngier <maz@kernel.org>
    Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 49e509787b77e4991f89703f81a0f53d7739fc58
Author: Hannes Reinecke <hare@suse.de>
Date:   Thu Jan 16 11:20:53 2020 +0100

    scsi: fnic: do not queue commands during fwreset
    
    [ Upstream commit 0e2209629fec427ba75a6351486153a9feddd36b ]
    
    When a link is going down the driver will be calling fnic_cleanup_io(),
    which will traverse all commands and call 'done' for each found command.
    While the traversal is handled under the host_lock, calling 'done' happens
    after the host_lock is being dropped.
    
    As fnic_queuecommand_lck() is being called with the host_lock held, it
    might well be that it will pick the command being selected for abortion
    from the above routine and enqueue it for sending, but then 'done' is being
    called on that very command from the above routine.
    
    Which of course confuses the hell out of the scsi midlayer.
    
    So fix this by not queueing commands when fnic_cleanup_io is active.
    
    Link: https://lore.kernel.org/r/20200116102053.62755-1-hare@suse.de
    Signed-off-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9c8c51176e9d3035f6e89b6664b4dd67a0873cbf
Author: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date:   Mon Jan 13 09:32:46 2020 +0100

    vti[6]: fix packet tx through bpf_redirect()
    
    [ Upstream commit 95224166a9032ff5d08fca633d37113078ce7d01 ]
    
    With an ebpf program that redirects packets through a vti[6] interface,
    the packets are dropped because no dst is attached.
    
    This could also be reproduced with an AF_PACKET socket, with the following
    python script (vti1 is an ip_vti interface):
    
     import socket
     send_s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0)
     # scapy
     # p = IP(src='10.100.0.2', dst='10.200.0.1')/ICMP(type='echo-request')
     # raw(p)
     req = b'E\x00\x00\x1c\x00\x01\x00\x00@\x01e\xb2\nd\x00\x02\n\xc8\x00\x01\x08\x00\xf7\xff\x00\x00\x00\x00'
     send_s.sendto(req, ('vti1', 0x800, 0, 0))
    
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit adafa3c54b4ad81622a4508ed2c29cb1da46801b
Author: Matwey V. Kornilov <matwey@sai.msu.ru>
Date:   Mon Jan 6 16:09:08 2020 +0300

    ARM: dts: am335x-boneblack-common: fix memory size
    
    [ Upstream commit 5abd45ea0fc3060f7805e131753fdcbafd6c6618 ]
    
    BeagleBone Black series is equipped with 512MB RAM
    whereas only 256MB is included from am335x-bone-common.dtsi
    
    This leads to an issue with unusual setups when devicetree
    is loaded by GRUB2 directly.
    
    Signed-off-by: Matwey V. Kornilov <matwey@sai.msu.ru>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e99b5648c7a719e5bf4431ed59ab6e98485268e9
Author: Michael Chan <michael.chan@broadcom.com>
Date:   Fri Jan 17 00:32:46 2020 -0500

    bnxt_en: Fix ipv6 RFS filter matching logic.
    
    [ Upstream commit 6fc7caa84e713f7627e171ab1e7c4b5be0dc9b3d ]
    
    Fix bnxt_fltr_match() to match ipv6 source and destination addresses.
    The function currently only checks ipv4 addresses and will not work
    correctly on ipv6 filters.
    
    Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dc2e1d86500c904f7a4f730ad0481bb42f2f6188
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Thu Jan 16 12:55:48 2020 -0800

    net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
    
    [ Upstream commit 8f1880cbe8d0d49ebb7e9ae409b3b96676e5aa97 ]
    
    With the implementation of the system reset controller we lost a setting
    that is currently applied by the bootloader and which configures the IMP
    port for 2Gb/sec, the default is 1Gb/sec. This is needed given the
    number of ports and applications we expect to run so bring back that
    setting.
    
    Fixes: 01b0ac07589e ("net: dsa: bcm_sf2: Add support for optional reset controller line")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 95f5057bb1a300e840e697463003cb242fa491bd
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Tue Jan 7 21:07:35 2020 +0100

    wireless: wext: avoid gcc -O3 warning
    
    [ Upstream commit e16119655c9e6c4aa5767cd971baa9c491f41b13 ]
    
    After the introduction of CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3,
    the wext code produces a bogus warning:
    
    In function 'iw_handler_get_iwstats',
        inlined from 'ioctl_standard_call' at net/wireless/wext-core.c:1015:9,
        inlined from 'wireless_process_ioctl' at net/wireless/wext-core.c:935:10,
        inlined from 'wext_ioctl_dispatch.part.8' at net/wireless/wext-core.c:986:8,
        inlined from 'wext_handle_ioctl':
    net/wireless/wext-core.c:671:3: error: argument 1 null where non-null expected [-Werror=nonnull]
       memcpy(extra, stats, sizeof(struct iw_statistics));
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from arch/x86/include/asm/string.h:5,
    net/wireless/wext-core.c: In function 'wext_handle_ioctl':
    arch/x86/include/asm/string_64.h:14:14: note: in a call to function 'memcpy' declared here
    
    The problem is that ioctl_standard_call() sometimes calls the handler
    with a NULL argument that would cause a problem for iw_handler_get_iwstats.
    However, iw_handler_get_iwstats never actually gets called that way.
    
    Marking that function as noinline avoids the warning and leads
    to slightly smaller object code as well.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Link: https://lore.kernel.org/r/20200107200741.3588770-1-arnd@arndb.de
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0a4b3ef53f0a237672b842b639284ac6ca6ef9b7
Author: Jouni Malinen <j@w1.fi>
Date:   Tue Jan 7 17:35:45 2020 +0200

    mac80211: Fix TKIP replay protection immediately after key setup
    
    [ Upstream commit 6f601265215a421f425ba3a4850a35861d024643 ]
    
    TKIP replay protection was skipped for the very first frame received
    after a new key is configured. While this is potentially needed to avoid
    dropping a frame in some cases, this does leave a window for replay
    attacks with group-addressed frames at the station side. Any earlier
    frame sent by the AP using the same key would be accepted as a valid
    frame and the internal RSC would then be updated to the TSC from that
    frame. This would allow multiple previously transmitted group-addressed
    frames to be replayed until the next valid new group-addressed frame
    from the AP is received by the station.
    
    Fix this by limiting the no-replay-protection exception to apply only
    for the case where TSC=0, i.e., when this is for the very first frame
    protected using the new key, and the local RSC had not been set to a
    higher value when configuring the key (which may happen with GTK).
    
    Signed-off-by: Jouni Malinen <j@w1.fi>
    Link: https://lore.kernel.org/r/20200107153545.10934-1-j@w1.fi
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
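
The narrowed first-frame exception described in the commit message above, as an added model (not mac80211's code). It treats the TSC/RSC as a single counter and uses a `seen_valid` flag for "a valid frame has been received with this key"; the struct, function names and frame sequences are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Receiver-side replay state for one key (model). */
struct tkip_rx {
    uint64_t rsc;        /* last accepted sequence counter, or the value
                          * installed together with the key (e.g. GTK) */
    bool     seen_valid; /* a frame has already been accepted with this key */
};

/* Before: no replay check at all until the first frame has been accepted,
 * and that frame's TSC overwrites the RSC installed with the key. */
static bool rx_before(struct tkip_rx *rx, uint64_t tsc)
{
    if (rx->seen_valid && tsc <= rx->rsc)
        return false;
    rx->rsc = tsc;
    rx->seen_valid = true;
    return true;
}

/* After: the exception applies only to TSC=0 on the very first frame, and
 * only when the RSC was not set to a higher value at key setup. */
static bool rx_after(struct tkip_rx *rx, uint64_t tsc)
{
    bool first_frame_exception = !rx->seen_valid && tsc == 0 && rx->rsc == 0;

    if (tsc <= rx->rsc && !first_frame_exception)
        return false;
    rx->rsc = tsc;
    rx->seen_valid = true;
    return true;
}

/* Feed a sequence of TSCs to a freshly configured key; count accepted frames. */
static size_t count_accepted(bool fixed, uint64_t initial_rsc,
                             const uint64_t *tscs, size_t n)
{
    struct tkip_rx rx = { initial_rsc, false };
    size_t i, accepted = 0;

    for (i = 0; i < n; i++)
        if (fixed ? rx_after(&rx, tscs[i]) : rx_before(&rx, tscs[i]))
            accepted++;
    return accepted;
}

int main(void)
{
    /* Constructed sequence: key installed with RSC=100, three old frames
     * (TSC 5, 6, 7) arrive again, then a fresh frame with TSC 101. */
    const uint64_t old_then_new[] = { 5, 6, 7, 101 };

    printf("before: %zu of 4 accepted\n",
           count_accepted(false, 100, old_then_new, 4));
    printf("after:  %zu of 4 accepted\n",
           count_accepted(true, 100, old_then_new, 4));
    return 0;
}
```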

commit 2dbb6faebb94d6d5ae87e5ea6be9280c366393e1
Author: Orr Mazor <orr.mazor@tandemg.com>
Date:   Sun Dec 22 14:55:31 2019 +0000

    cfg80211: Fix radar event during another phy CAC
    
    [ Upstream commit 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d ]
    
    In case a radar event of CAC_FINISHED or RADAR_DETECTED
    happens while another phy is doing CAC we might need
    to cancel that CAC.
    
    If we got a radar in a channel that another phy is now
    doing CAC on then the CAC should be canceled there.
    
    If, for example, 2 phys are doing CAC on the same channels,
    or on compatible channels, once one of them finishes its
    CAC the other might need to cancel its CAC, since it is no
    longer relevant.
    
    To fix that the commit adds a callback and implements it in
    mac80211 to end CAC.
    This commit also adds a call to said callback if after a radar
    event we see the CAC is no longer relevant.
    
    Signed-off-by: Orr Mazor <Orr.Mazor@tandemg.com>
    Reviewed-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
    Link: https://lore.kernel.org/r/20191222145449.15792-1-Orr.Mazor@tandemg.com
    [slightly reformat/reword commit message]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8f6b2439a2b939d92b25201e456c7949a1f8ba79
Author: Ganapathi Bhat <ganapathi.bhat@nxp.com>
Date:   Fri Dec 20 10:14:32 2019 +0000

    wireless: fix enabling channel 12 for custom regulatory domain
    
    [ Upstream commit c4b9d655e445a8be0bff624aedea190606b5ebbc ]
    
    Commit e33e2241e272 ("Revert "cfg80211: Use 5MHz bandwidth by
    default when checking usable channels"") fixed a broken
    regulatory (leaving channel 12 open for AP where not permitted).
    Apply a similar fix to custom regulatory domain processing.
    
    Signed-off-by: Cathy Luo <xiaohua.luo@nxp.com>
    Signed-off-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
    Link: https://lore.kernel.org/r/1576836859-8945-1-git-send-email-ganapathi.bhat@nxp.com
    [reword commit message, fix coding style, add a comment]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f5929c9f3a52a6137b8c5ed2007a4cd725ab7aaf
Author: Kristian Evensen <kristian.evensen@gmail.com>
Date:   Mon Jan 13 14:57:40 2020 +0100

    qmi_wwan: Add support for Quectel RM500Q
    
    [ Upstream commit a9ff44f0e61d074f29770413fef6a5452be7b83e ]
    
    RM500Q is a 5G module from Quectel, supporting both standalone and
    non-standalone modes. The normal Quectel quirks apply (DTR and dynamic
    interface numbers).
    
    Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
    Acked-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3403f8652c453536da61efba3236b531d63701b9
Author: Arnaud Pouliquen <arnaud.pouliquen@st.com>
Date:   Mon Jan 13 11:04:00 2020 +0100

    ASoC: sti: fix possible sleep-in-atomic
    
    [ Upstream commit ce780a47c3c01e1e179d0792df6b853a913928f1 ]
    
    Change mutex and spinlock management to avoid sleep
    in atomic issue.
    
    Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@st.com>
    Link: https://lore.kernel.org/r/20200113100400.30472-1-arnaud.pouliquen@st.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5c273c3a8bb00213dc6bfb3a1e941355bcdaa2d9
Author: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
Date:   Wed Dec 4 11:40:26 2019 +0100

    igb: Fix SGMII SFP module discovery for 100FX/LX.
    
    [ Upstream commit 5365ec1aeff5b9f2962a9c9b31d63f9dad7e0e2d ]
    
    Changing the link mode should also be done for 100BaseFX SGMII modules,
    otherwise they just don't work when the default link mode in CTRL_EXT
    coming from the EEPROM is SERDES.
    
    Additionally 100Base-LX SGMII SFP modules are also supported now, which
    was not the case before.
    
    Tested with an i210 using Flexoptix S.1303.2M.G 100FX and
    S.1303.10.G 100LX SGMII SFP modules.
    
    Signed-off-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0350ed7bccd87c9ce86c55f2c39b69d9f4c9a799
Author: Cambda Zhu <cambda@linux.alibaba.com>
Date:   Wed Nov 27 17:03:55 2019 +0800

    ixgbe: Fix calculation of queue with VFs and flow director on interface flap
    
    [ Upstream commit 4fad78ad6422d9bca62135bbed8b6abc4cbb85b8 ]
    
    This patch fixes the calculation of queue when we restore flow director
    filters after resetting adapter. In ixgbe_fdir_filter_restore(), filter's
    vf may be zero which makes the queue outside of the rx_ring array.
    
    The calculation is changed to the same as ixgbe_add_ethtool_fdir_entry().
    
    Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ca60e5ca55b860dafda4937c5a9631e149cbbb90
Author: Radoslaw Tyl <radoslawx.tyl@intel.com>
Date:   Mon Nov 25 15:24:52 2019 +0100

    ixgbevf: Remove limit of 10 entries for unicast filter list
    
    [ Upstream commit aa604651d523b1493988d0bf6710339f3ee60272 ]
    
    Currently, though the FDB entry is added to VF, it does not appear in
    RAR filters. VF driver only allows to add 10 entries. Attempting to add
    another causes an error. This patch removes limitation and allows use of
    all free RAR entries for the FDB if needed.
    
    Fixes: 46ec20ff7d ("ixgbevf: Add macvlan support in the set rx mode op")
    Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
    Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aecd1fe0edacfd5d3ff3d4c0752bc89b83d13d72
Author: Lubomir Rintel <lkundrak@v3.sk>
Date:   Wed Dec 18 20:04:54 2019 +0100

    clk: mmp2: Fix the order of timer mux parents
    
    [ Upstream commit 8bea5ac0fbc5b2103f8779ddff216122e3c2e1ad ]
    
    Determined empirically, no documentation is available.
    
    The OLPC XO-1.75 laptop used parent 1, that one being VCTCXO/4 (65MHz), but
    thought it's a VCTCXO/2 (130MHz). The mmp2 timer driver, not knowing
    what is going on, ended up just dividing the rate as of
    commit f36797ee4380 ("ARM: mmp/mmp2: dt: enable the clock").
    
    Link: https://lore.kernel.org/r/20191218190454.420358-3-lkundrak@v3.sk
    Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
    Acked-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Olof Johansson <olof@lixom.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 89f54ffd507359db9aef5e59e32312773fc72747
Author: Markus Theil <markus.theil@tu-ilmenau.de>
Date:   Tue Dec 3 19:06:44 2019 +0100

    mac80211: mesh: restrict airtime metric to peered established plinks
    
    [ Upstream commit 02a614499600af836137c3fbc4404cd96365fff2 ]
    
    The following warning is triggered every time an unestablished mesh peer
    gets dumped. Checks if a peer link is established before retrieving the
    airtime link metric.
    
    [ 9563.022567] WARNING: CPU: 0 PID: 6287 at net/mac80211/mesh_hwmp.c:345
                   airtime_link_metric_get+0xa2/0xb0 [mac80211]
    [ 9563.022697] Hardware name: PC Engines apu2/apu2, BIOS v4.10.0.3
    [ 9563.022756] RIP: 0010:airtime_link_metric_get+0xa2/0xb0 [mac80211]
    [ 9563.022838] Call Trace:
    [ 9563.022897]  sta_set_sinfo+0x936/0xa10 [mac80211]
    [ 9563.022964]  ieee80211_dump_station+0x6d/0x90 [mac80211]
    [ 9563.023062]  nl80211_dump_station+0x154/0x2a0 [cfg80211]
    [ 9563.023120]  netlink_dump+0x17b/0x370
    [ 9563.023130]  netlink_recvmsg+0x2a4/0x480
    [ 9563.023140]  ____sys_recvmsg+0xa6/0x160
    [ 9563.023154]  ___sys_recvmsg+0x93/0xe0
    [ 9563.023169]  __sys_recvmsg+0x7e/0xd0
    [ 9563.023210]  do_syscall_64+0x4e/0x140
    [ 9563.023217]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
    Link: https://lore.kernel.org/r/20191203180644.70653-1-markus.theil@tu-ilmenau.de
    [rewrite commit message]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 852c2bb979257581311ed3baa7911d012532951f
Author: Dave Gerlach <d-gerlach@ti.com>
Date:   Wed Dec 11 22:03:14 2019 -0600

    soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot
    
    [ Upstream commit 03729cfa0d543bc996bf959e762ec999afc8f3d2 ]
    
    Any user of wkup_m3_ipc calls wkup_m3_ipc_get to get a handle and this
    checks the value of the static variable m3_ipc_state to see if the
    wkup_m3 is ready. Currently this is populated during probe before
    rproc_boot has been called, meaning there is a window of time that
    wkup_m3_ipc_get can return a valid handle but the wkup_m3 itself is not
    ready, leading to invalid IPC calls to the wkup_m3 and system
    instability.
    
    To avoid this, move the population of the m3_ipc_state variable until
    after rproc_boot has succeeded to guarantee a valid and usable handle
    is always returned.
    
    Reported-by: Suman Anna <s-anna@ti.com>
    Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
    Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f795e1f7b43490c482c9762287167aa64ce7f6f1
Author: Kishon Vijay Abraham I <kishon@ti.com>
Date:   Tue Dec 17 14:21:24 2019 +0530

    ARM: dts: beagle-x15-common: Model 5V0 regulator
    
    [ Upstream commit e17e7c498d4f734df93c300441e100818ed58168 ]
    
    On am57xx-beagle-x15, 5V0 is connected to P16, P17, P18 and P19
    connectors. On am57xx-evm, 5V0 regulator is used to get 3V6 regulator
    which is connected to the COMQ port. Model 5V0 regulator here in order
    for it to be used in am57xx-evm to model 3V6 regulator.
    
    Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 719e8e93e81e4398af2881388fb88000d3b76a1a
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Wed Dec 11 15:52:17 2019 +0100

    ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity
    
    [ Upstream commit 1c226017d3ec93547b58082bdf778d9db7401c95 ]
    
    Current USB3503 driver ignores GPIO polarity and always operates as if the
    GPIO lines were flagged as ACTIVE_HIGH. Fix the polarity for the existing
    USB3503 chip applications to match the chip specification and common
    convention for naming the pins. The only pin, which has to be ACTIVE_LOW
    is the reset pin. The remaining are ACTIVE_HIGH. This change allows later
    to fix the USB3503 driver to properly use generic GPIO bindings and read
    polarity from DT.
    
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Maxime Ripard <maxime@cerno.tech>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c7d812223d2241b331e60df738918f05b93173ac
Author: Lee Jones <lee.jones@linaro.org>
Date:   Mon Feb 3 13:21:30 2020 +0000

    media: si470x-i2c: Move free() past last use of 'radio'
    
    A pointer to 'struct si470x_device' is currently used after free:
    
      drivers/media/radio/si470x/radio-si470x-i2c.c:462:25-30: ERROR: reference
        preceded by free on line 460
    
    Shift the call to free() down past its final use.
    
    NB: Not sending to Mainline, since the problem does not exist there, it was
    caused by the backport of 2df200ab234a ("media: si470x-i2c: add missed
    operations in remove") to the stable trees.
    
    Cc: <stable@vger.kernel.org> # v3.18+
    Reported-by: kbuild test robot <lkp@intel.com>
    Reported-by: Julia Lawall <julia.lawall@lip6.fr>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 060af799ef5a17a4a6dc3e95c1bacb51fa6ebec7
Author: Michal Koutný <mkoutny@suse.com>
Date:   Thu Jan 9 16:05:59 2020 +0100

    cgroup: Prevent double killing of css when enabling threaded cgroup
    
    commit 3bc0bb36fa30e95ca829e9cf480e1ef7f7638333 upstream.
    
    The test_cgcore_no_internal_process_constraint_on_threads selftest when
    running with subsystem controlling noise triggers two warnings:
    
    > [  597.443115] WARNING: CPU: 1 PID: 28167 at kernel/cgroup/cgroup.c:3131 cgroup_apply_control_enable+0xe0/0x3f0
    > [  597.443413] WARNING: CPU: 1 PID: 28167 at kernel/cgroup/cgroup.c:3177 cgroup_apply_control_disable+0xa6/0x160
    
    Both stem from a call to cgroup_type_write. The first warning was also
    triggered by syzkaller.
    
    When we're switching cgroup to threaded mode shortly after a subsystem
    was disabled on it, we can see the respective subsystem css dying there.
    
    The warning in cgroup_apply_control_enable is harmless in this case
    since we're not adding new subsys anyway.
    The warning in cgroup_apply_control_disable indicates an attempt to kill
    css of recently disabled subsystem repeatedly.
    
    The commit prevents these situations by making cgroup_type_write wait
    for all dying csses to go away before re-applying subtree controls.
    When at it, the locations of WARN_ON_ONCE calls are moved so that
    warning is triggered only when we are about to misuse the dying css.
    
    Reported-by: syzbot+5493b2a54d31d6aea629@syzkaller.appspotmail.com
    Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
    Signed-off-by: Michal Koutný <mkoutny@suse.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 58e957b9c7c22e89188558c27437b6e9a2ddae3d
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jan 15 20:49:04 2020 +0300

    Bluetooth: Fix race condition in hci_release_sock()
    
    commit 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 upstream.
    
    Syzbot managed to trigger a use after free "KASAN: use-after-free Write
    in hci_sock_bind".  I have reviewed the code manually and one possible
    cause I have found is that we are not holding lock_sock(sk) when we do
    the hci_dev_put(hdev) in hci_sock_release().  My theory is that the bind
    and the release are racing against each other which results in this use
    after free.
    
    Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ab84fd0d3dc83277d6ab7246a6b2cd45ba924367
Author: Zhenzhong Duan <zhenzhong.duan@gmail.com>
Date:   Mon Jan 13 11:48:42 2020 +0800

    ttyprintk: fix a potential deadlock in interrupt context issue
    
    commit 9a655c77ff8fc65699a3f98e237db563b37c439b upstream.
    
    tpk_write()/tpk_close() could be interrupted when holding a mutex, then
    in timer handler tpk_write() may be called again trying to acquire same
    mutex, leading to deadlock.
    
    Google syzbot reported this issue with CONFIG_DEBUG_ATOMIC_SLEEP
    enabled:
    
    BUG: sleeping function called from invalid context at
    kernel/locking/mutex.c:938
    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/1
    1 lock held by swapper/1/0:
    ...
    Call Trace:
      <IRQ>
      dump_stack+0x197/0x210
      ___might_sleep.cold+0x1fb/0x23e
      __might_sleep+0x95/0x190
      __mutex_lock+0xc5/0x13c0
      mutex_lock_nested+0x16/0x20
      tpk_write+0x5d/0x340
      resync_tnc+0x1b6/0x320
      call_timer_fn+0x1ac/0x780
      run_timer_softirq+0x6c3/0x1790
      __do_softirq+0x262/0x98c
      irq_exit+0x19b/0x1e0
      smp_apic_timer_interrupt+0x1a3/0x610
      apic_timer_interrupt+0xf/0x20
      </IRQ>
    
    See link https://syzkaller.appspot.com/bug?extid=2eeef62ee31f9460ad65 for
    more details.
    
    Fix it by using spinlock in process context instead of mutex and having
    interrupt disabled in critical section.
    
    Reported-by: syzbot+2eeef62ee31f9460ad65@syzkaller.appspotmail.com
    Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20200113034842.435-1-zhenzhong.duan@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fb5e3b56c4c4cc7a83a5f8bd6e9869e53015e41c
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Tue Nov 12 10:22:28 2019 +0100

    media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
    
    commit 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 upstream.
    
    This fixes a syzbot failure since actlen could be uninitialized,
    but it was still used.
    
    Syzbot link:
    
    https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
    
    Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Acked-by: Sean Young <sean@mess.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 03a8533d9d06b029dcc8bb818a6ca30db7782ab3
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Tue Nov 12 10:22:24 2019 +0100

    media: gspca: zero usb_buf
    
    commit de89d0864f66c2a1b75becfdd6bf3793c07ce870 upstream.
    
    Allocate gspca_dev->usb_buf with kzalloc instead of kmalloc to
    ensure it is properly zeroed. This fixes various syzbot errors
    about uninitialized data.
    
    Syzbot links:
    
    https://syzkaller.appspot.com/bug?extid=32310fc2aea76898d074
    https://syzkaller.appspot.com/bug?extid=99706d6390be1ac542a2
    https://syzkaller.appspot.com/bug?extid=64437af5c781a7f0e08e
    
    Reported-and-tested-by: syzbot+32310fc2aea76898d074@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+99706d6390be1ac542a2@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+64437af5c781a7f0e08e@syzkaller.appspotmail.com
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7fae41e420f3db83466b9dcd26e06ae706b85ab
Author: Sean Young <sean@mess.org>
Date:   Sun Nov 10 11:15:37 2019 +0100

    media: af9005: uninitialized variable printked
    
    commit 51d0c99b391f0cac61ad7b827c26f549ee55672c upstream.
    
    If usb_bulk_msg() fails, actual_length can be uninitialized.
    
    Reported-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com
    Signed-off-by: Sean Young <sean@mess.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2e0ebd897abc719448d9d10e3a7bbeac6294c30e
Author: Sean Young <sean@mess.org>
Date:   Sun Nov 10 11:04:40 2019 +0100

    media: digitv: don't continue if remote control state can't be read
    
    commit eecc70d22ae51225de1ef629c1159f7116476b2e upstream.
    
    This results in an uninitialized variable read.
    
    Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
    Signed-off-by: Sean Young <sean@mess.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4397069f236d9d9888f23c0ed814c403f80bfd1c
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 12 11:30:03 2019 +0100

    reiserfs: Fix memory leak of journal device string
    
    commit 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c upstream.
    
    When a filesystem is mounted with jdev mount option, we store the
    journal device name in an allocated string in superblock. However we
    fail to ever free that string. Fix it.
    
    Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com
    Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts")
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 569ae81e2ed8eab6c3b99d7364ef129f8c21f193
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jan 30 22:11:07 2020 -0800

    mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
    
    commit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.
    
    What we are trying to do is change the '=' character to a NUL terminator
    and then at the end of the function we restore it back to an '='.  The
    problem is there are two error paths where we jump to the end of the
    function before we have replaced the '=' with NUL.
    
    We end up putting the '=' in the wrong place (possibly one element
    before the start of the buffer).
    
    Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain
    Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
    Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Vlastimil Babka <vbabka@suse.cz>
    Dmitry Vyukov <dvyukov@google.com>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
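
A user-space model of the cut-and-restore pattern described in the mpol_parse_str() commit message above, added here as an illustration; it is not the kernel's code. parse_policy(), its helpers, the cut_flags_first switch and the sample strings are assumptions constructed for the demo, and a guard byte placed in front of the string makes the misplaced '=' observable without leaving the buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for nodelist validation: digits, ',' and '-' only. */
static int nodelist_chars_ok(const char *s)
{
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != ',' && *s != '-')
            return 0;
    return 1;
}

/* Hypothetical mode check for the demo. */
static int mode_ok(const char *mode)
{
    return !strcmp(mode, "interleave") || !strcmp(mode, "bind");
}

/*
 * Parses "mode[=flags][:nodelist]" in place and restores the separators
 * before returning. cut_flags_first == 0 models the ordering the commit
 * message describes (the '=' is cut only after the nodelist checks);
 * cut_flags_first == 1 cuts it before any error path can be taken.
 */
static int parse_policy(char *str, int cut_flags_first)
{
    char *nodelist = strchr(str, ':');
    char *flags = strchr(str, '=');
    int err = 1;

    if (flags && cut_flags_first)
        *flags++ = '\0';
    if (nodelist) {
        *nodelist++ = '\0';
        if (*nodelist == '\0')
            goto out;   /* error path 1: late ordering leaves flags AT '=' */
        if (!nodelist_chars_ok(nodelist))
            goto out;   /* error path 2: same */
    }
    if (flags && !cut_flags_first)
        *flags++ = '\0';
    if (!mode_ok(str))
        goto out;
    err = 0;
out:
    /* Restore the string; both undo steps assume the matching cut ran. */
    if (nodelist)
        *--nodelist = ':';
    if (flags)
        *--flags = '=';
    return err;
}

struct result {
    int err;
    char guard;     /* byte immediately before the parsed string */
    char text[32];  /* string as left behind by the parser */
};

/* Runs the parser on a copy of input that sits one byte into a buffer. */
static struct result run(const char *input, int cut_flags_first)
{
    struct result r;
    char buf[1 + sizeof r.text];

    memset(buf, 0, sizeof buf);
    buf[0] = '#';
    snprintf(buf + 1, sizeof r.text, "%s", input);
    r.err = parse_policy(buf + 1, cut_flags_first);
    r.guard = buf[0];
    memcpy(r.text, buf + 1, sizeof r.text);
    return r;
}

int main(void)
{
    /* Constructed sample inputs: one valid, two that hit an early error path. */
    const char *inputs[] = { "interleave=static:0-3", "interleave=static:zz", "=:x" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        for (int early = 0; early <= 1; early++) {
            struct result r = run(inputs[i], early);
            printf("%-22s cut_first=%d err=%d guard='%c' after=\"%s\"\n",
                   inputs[i], early, r.err, r.guard, r.text);
        }
    return 0;
}
```

With the late ordering, the two failing inputs come back with the '=' written one byte too early: inside the mode name in one case, onto the guard byte in front of the buffer in the other.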

commit 08e4a312439c294b9753166537baf3cc0bd6bb07
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sun Dec 15 01:09:03 2019 -0500

    ext4: validate the debug_want_extra_isize mount option at parse time
    
    commit 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 upstream.
    
    Instead of setting s_want_extra_size and then making sure that it is a
    valid value afterwards, validate the field before we set it.  This
    avoids races and other problems when remounting the file system.
    
    Link: https://lore.kernel.org/r/20191215063020.GA11512@mit.edu
    Cc: stable@kernel.org
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Reported-and-tested-by: syzbot+4a39a025912b265cacef@syzkaller.appspotmail.com
    Signed-off-by: Zubin Mithra <zsm@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 64700ad97eab8b533afd5dbfff22266b68900e35
Author: Dirk Behme <dirk.behme@de.bosch.com>
Date:   Tue Jan 21 16:54:39 2020 +0100

    arm64: kbuild: remove compressed images on 'make ARCH=arm64 (dist)clean'
    
    commit d7bbd6c1b01cb5dd13c245d4586a83145c1d5f52 upstream.
    
    Since v4.3-rc1 commit 0723c05fb75e44 ("arm64: enable more compressed
    Image formats"), it is possible to build Image.{bz2,lz4,lzma,lzo}
    AArch64 images. However, the commit missed adding support for removing
    those images on 'make ARCH=arm64 (dist)clean'.
    
    Fix this by adding them to the target list.
    Make sure to match the order of the recipes in the makefile.
    
    Cc: stable@vger.kernel.org # v4.3+
    Fixes: 0723c05fb75e44 ("arm64: enable more compressed Image formats")
    Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
    Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
    Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44d8703769f363593b41d51aeaac6ddeee8bc7da
Author: Vitaly Chikunov <vt@altlinux.org>
Date:   Tue Dec 24 20:20:29 2019 +0300

    tools lib: Fix builds when glibc contains strlcpy()
    
    commit 6c4798d3f08b81c2c52936b10e0fa872590c96ae upstream.
    
    Disable a couple of compilation warnings (which are treated as errors)
    on strlcpy() definition and declaration, allowing users to compile perf
    and kernel (objtool) when:
    
    1. glibc has strlcpy() (such as in ALT Linux since 2004) objtool and
       perf build fails with this (in gcc):
    
      In file included from exec-cmd.c:3:
      tools/include/linux/string.h:20:15: error: redundant redeclaration of ‘strlcpy’ [-Werror=redundant-decls]
         20 | extern size_t strlcpy(char *dest, const char *src, size_t size);
    
    2. clang ignores `-Wredundant-decls', but produces another warning when
       building perf:
    
        CC       util/string.o
      ../lib/string.c:99:8: error: attribute declaration must precede definition [-Werror,-Wignored-attributes]
      size_t __weak strlcpy(char *dest, const char *src, size_t size)
      ../../tools/include/linux/compiler.h:66:34: note: expanded from macro '__weak'
      # define __weak                 __attribute__((weak))
      /usr/include/bits/string_fortified.h:151:8: note: previous definition is here
      __NTH (strlcpy (char *__restrict __dest, const char *__restrict __src,
    
    Committer notes:
    
    The
    
     #pragma GCC diagnostic
    
    directive was introduced in gcc 4.6, so check for that as well.
    
    Fixes: ce99091 ("perf tools: Move strlcpy() from perf to tools/lib/string.c")
    Fixes: 0215d59 ("tools lib: Reinstate strlcpy() header guard with __UCLIBC__")
    Resolves: https://bugzilla.kernel.org/show_bug.cgi?id=118481
    Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
    Reviewed-by: Dmitry Levin <ldv@altlinux.org>
    Cc: Dmitry Levin <ldv@altlinux.org>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: kbuild test robot <lkp@intel.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Cc: Vineet Gupta <vineet.gupta1@synopsys.com>
    Link: http://lore.kernel.org/lkml/20191224172029.19690-1-vt@altlinux.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1fa12145cd03de637939c6bc1d4df9fbb6116e33
Author: Chanwoo Choi <cw00.choi@samsung.com>
Date:   Tue Nov 5 18:18:03 2019 +0900

    PM / devfreq: Add new name attribute for sysfs
    
    commit 2fee1a7cc6b1ce6634bb0f025be2c94a58dfa34d upstream.
    
    The commit 4585fbcb5331 ("PM / devfreq: Modify the device name as devfreq(X) for
    sysfs") changed the node name to devfreq(x). After this commit, it is not
    possible to get the device name through /sys/class/devfreq/devfreq(X)/*.
    
    Add new name attribute in order to get device name.
    
    Cc: stable@vger.kernel.org
    Fixes: 4585fbcb5331 ("PM / devfreq: Modify the device name as devfreq(X) for sysfs")
    Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 806dbe2dfa4855c97ec1da876fbd2fdfb61426f5
Author: Andres Freund <andres@anarazel.de>
Date:   Wed Jan 8 20:30:30 2020 -0800

    perf c2c: Fix return type for histogram sorting comparision functions
    
    commit c1c8013ec34d7163431d18367808ea40b2e305f8 upstream.
    
    Commit 722ddfde366f ("perf tools: Fix time sorting") changed - correctly
    so - hist_entry__sort to return int64. Unfortunately several of the
    builtin-c2c.c comparison routines only happened to work due to the cast
    caused by the wrong return type.
    
    This causes meaningless ordering of both the cacheline list, and the
    cacheline details page. E.g a simple:
    
      perf c2c record -a sleep 3
      perf c2c report
    
    will result in cacheline table like
      =================================================
                 Shared Data Cache Line Table
      =================================================
      #
      #        ------- Cacheline ----------    Total     Tot  - LLC Load Hitm -  - Store Reference -  - Load Dram -     LLC  Total  - Core Load Hit -  - LLC Load Hit -
      # Index         Address  Node  PA cnt  records    Hitm  Total  Lcl    Rmt  Total  L1Hit  L1Miss     Lcl   Rmt  Ld Miss  Loads    FB    L1   L2     Llc      Rmt
      # .....  ..............  ....  ......  .......  ......  .....  .....  ...  ....   .....  ......  ......  ....  ......   .....  .....  ..... ...  ....     .......
    
            0  0x7f0d27ffba00   N/A       0       52   0.12%     13      6    7    12      12       0       0     7      14      40      4     16    0    0           0
            1  0x7f0d27ff61c0   N/A       0     6353  14.04%   1475    801  674   779     779       0       0   718    1392    5574   1299   1967    0  115           0
            2  0x7f0d26d3ec80   N/A       0       71   0.15%     16      4   12    13      13       0       0    12      24      58      1     20    0    9           0
            3  0x7f0d26d3ec00   N/A       0       98   0.22%     23     17    6    19      19       0       0     6      12      79      0     40    0   10           0
    
    i.e. with the list not being ordered by Total Hitm.
    
    Fixes: 722ddfde366f ("perf tools: Fix time sorting")
    Signed-off-by: Andres Freund <andres@anarazel.de>
    Tested-by: Michael Petlan <mpetlan@redhat.com>
    Acked-by: Jiri Olsa <jolsa@redhat.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: stable@vger.kernel.org # v3.16+
    Link: http://lore.kernel.org/lkml/20200109043030.233746-1-andres@anarazel.de
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit db4d8e42eca72d4c29192e793475c1e6a42908cf
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Tue Nov 19 17:41:31 2019 +0800

    crypto: pcrypt - Fix user-after-free on module unload
    
    [ Upstream commit 07bfd9bdf568a38d9440c607b72342036011f727 ]
    
    On module unload of pcrypt we must unregister the crypto algorithms
    first and then tear down the padata structure.  As otherwise the
    crypto algorithms are still alive and can be used while the padata
    structure is being freed.
    
    Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e3f5c2e99092f2e57886ac40c6fa62ffcf87ab1e
Author: Xiaochen Shen <xiaochen.shen@intel.com>
Date:   Sun Feb 2 06:00:53 2020 +0800

    x86/resctrl: Fix a deadlock due to inaccurate reference
    
    commit 334b0f4e9b1b4a1d475f803419d202f6c5e4d18e upstream.
    
    There is a race condition which results in a deadlock when rmdir and
    mkdir execute concurrently:
    
    $ ls /sys/fs/resctrl/c1/mon_groups/m1/
    cpus  cpus_list  mon_data  tasks
    
    Thread 1: rmdir /sys/fs/resctrl/c1
    Thread 2: mkdir /sys/fs/resctrl/c1/mon_groups/m1
    
    3 locks held by mkdir/48649:
     #0:  (sb_writers#17){.+.+}, at: [<ffffffffb4ca2aa0>] mnt_want_write+0x20/0x50
     #1:  (&type->i_mutex_dir_key#8/1){+.+.}, at: [<ffffffffb4c8c13b>] filename_create+0x7b/0x170
     #2:  (rdtgroup_mutex){+.+.}, at: [<ffffffffb4a4389d>] rdtgroup_kn_lock_live+0x3d/0x70
    
    4 locks held by rmdir/48652:
     #0:  (sb_writers#17){.+.+}, at: [<ffffffffb4ca2aa0>] mnt_want_write+0x20/0x50
     #1:  (&type->i_mutex_dir_key#8/1){+.+.}, at: [<ffffffffb4c8c3cf>] do_rmdir+0x13f/0x1e0
     #2:  (&type->i_mutex_dir_key#8){++++}, at: [<ffffffffb4c86d5d>] vfs_rmdir+0x4d/0x120
     #3:  (rdtgroup_mutex){+.+.}, at: [<ffffffffb4a4389d>] rdtgroup_kn_lock_live+0x3d/0x70
    
    Thread 1 is deleting control group "c1". Holding rdtgroup_mutex,
    kernfs_remove() removes all kernfs nodes under directory "c1"
    recursively, then waits for sub kernfs node "mon_groups" to drop active
    reference.
    
    Thread 2 is trying to create a subdirectory "m1" in the "mon_groups"
    directory. The wrapper kernfs_iop_mkdir() takes an active reference to
    the "mon_groups" directory but the code drops the active reference to
    the parent directory "c1" instead.
    
    As a result, Thread 1 is blocked on waiting for active reference to drop
    and never release rdtgroup_mutex, while Thread 2 is also blocked on
    trying to get rdtgroup_mutex.
    
    Thread 1 (rdtgroup_rmdir)   Thread 2 (rdtgroup_mkdir)
    (rmdir /sys/fs/resctrl/c1)  (mkdir /sys/fs/resctrl/c1/mon_groups/m1)
    -------------------------   -------------------------
                                kernfs_iop_mkdir
                                  /*
                                   * kn: "m1", parent_kn: "mon_groups",
                                   * prgrp_kn: parent_kn->parent: "c1",
                                   *
                                   * "mon_groups", parent_kn->active++: 1
                                   */
                                  kernfs_get_active(parent_kn)
    kernfs_iop_rmdir
      /* "c1", kn->active++ */
      kernfs_get_active(kn)
    
      rdtgroup_kn_lock_live
        atomic_inc(&rdtgrp->waitcount)
        /* "c1", kn->active-- */
        kernfs_break_active_protection(kn)
        mutex_lock
    
      rdtgroup_rmdir_ctrl
        free_all_child_rdtgrp
          sentry->flags = RDT_DELETED
    
        rdtgroup_ctrl_remove
          rdtgrp->flags = RDT_DELETED
          kernfs_get(kn)
          kernfs_remove(rdtgrp->kn)
            __kernfs_remove
              /* "mon_groups", sub_kn */
              atomic_add(KN_DEACTIVATED_BIAS, &sub_kn->active)
              kernfs_drain(sub_kn)
                /*
                 * sub_kn->active == KN_DEACTIVATED_BIAS + 1,
                 * waiting on sub_kn->active to drop, but it
                 * never drops in Thread 2 which is blocked
                 * on getting rdtgroup_mutex.
                 */
    Thread 1 hangs here ---->
                wait_event(sub_kn->active == KN_DEACTIVATED_BIAS)
                ...
                                  rdtgroup_mkdir
                                    rdtgroup_mkdir_mon(parent_kn, prgrp_kn)
                                      mkdir_rdt_prepare(parent_kn, prgrp_kn)
                                        rdtgroup_kn_lock_live(prgrp_kn)
                                          atomic_inc(&rdtgrp->waitcount)
                                          /*
                                           * "c1", prgrp_kn->active--
                                           *
                                           * The active reference on "c1" is
                                           * dropped, but not matching the
                                           * actual active reference taken
                                           * on "mon_groups", thus causing
                                           * Thread 1 to wait forever while
                                           * holding rdtgroup_mutex.
                                           */
                                          kernfs_break_active_protection(
                                                                   prgrp_kn)
                                          /*
                                           * Trying to get rdtgroup_mutex
                                           * which is held by Thread 1.
                                           */
    Thread 2 hangs here ---->             mutex_lock
                                          ...
    
    The problem is that the creation of a subdirectory in the "mon_groups"
    directory incorrectly releases the active protection of its parent
    directory instead of itself before it starts waiting for rdtgroup_mutex.
    This is triggered by the rdtgroup_mkdir() flow calling
    rdtgroup_kn_lock_live()/rdtgroup_kn_unlock() with kernfs node of the
    parent control group ("c1") as argument. It should be called with kernfs
    node "mon_groups" instead. What is currently missing is that the
    kn->priv of "mon_groups" is NULL instead of pointing to the rdtgrp.
    
    Fix it by pointing kn->priv to rdtgrp when "mon_groups" is created. Then
    it could be passed to rdtgroup_kn_lock_live()/rdtgroup_kn_unlock()
    instead. And then it operates on the same rdtgroup structure but handles
    the active reference of kernfs node "mon_groups" to prevent deadlock.
    The same changes are also made to the "mon_data" directories.
    
    This results in some unused function parameters that will be cleaned up
    in a follow-up patch as the focus here is on the fix only in support of
    backporting efforts.
    
    Backporting notes:
    
    Since upstream commit fa7d949337cc ("x86/resctrl: Rename and move rdt
    files to a separate directory"), the file
    arch/x86/kernel/cpu/intel_rdt_rdtgroup.c has been renamed and moved to
    arch/x86/kernel/cpu/resctrl/rdtgroup.c.
    Apply the change against file arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
    for older stable trees.
    
    Fixes: c7d9aac61311 ("x86/intel_rdt/cqm: Add mkdir support for RDT monitoring")
    Suggested-by: Reinette Chatre <reinette.chatre@intel.com>
    Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
    Reviewed-by: Tony Luck <tony.luck@intel.com>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/1578500886-21771-4-git-send-email-xiaochen.shen@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit df57e8ba374ca0e3e6dec6633ce3ed2adfe0d9a8
Author: Xiaochen Shen <xiaochen.shen@intel.com>
Date:   Sun Feb 2 06:00:23 2020 +0800

    x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup
    
    commit 074fadee59ee7a9d2b216e9854bd4efb5dad679f upstream.
    
    There is a race condition in the following scenario which results in a
    use-after-free issue when reading a monitoring file and deleting the
    parent ctrl_mon group concurrently:
    
    Thread 1 calls atomic_inc() to take refcount of rdtgrp and then calls
    kernfs_break_active_protection() to drop the active reference of kernfs
    node in rdtgroup_kn_lock_live().
    
    In Thread 2, kernfs_remove() is a blocking routine. It waits on all sub
    kernfs nodes to drop the active reference when removing all subtree
    kernfs nodes recursively. Thread 2 could block on kernfs_remove() until
    Thread 1 calls kernfs_break_active_protection(). Only after
    kernfs_remove() completes the refcount of rdtgrp could be trusted.
    
    Before Thread 1 calls atomic_inc() and kernfs_break_active_protection(),
    Thread 2 could call kfree() when the refcount of rdtgrp (sentry) is 0
    instead of 1 due to the race.
    
    In Thread 1, in rdtgroup_kn_unlock(), referring to earlier rdtgrp memory
    (rdtgrp->waitcount) which was already freed in Thread 2 results in
    a use-after-free issue.
    
    Thread 1 (rdtgroup_mondata_show)  Thread 2 (rdtgroup_rmdir)
    --------------------------------  -------------------------
    rdtgroup_kn_lock_live
      /*
       * kn active protection until
       * kernfs_break_active_protection(kn)
       */
      rdtgrp = kernfs_to_rdtgroup(kn)
                                      rdtgroup_kn_lock_live
                                        atomic_inc(&rdtgrp->waitcount)
                                        mutex_lock
                                      rdtgroup_rmdir_ctrl
                                        free_all_child_rdtgrp
                                          /*
                                           * sentry->waitcount should be 1
                                           * but is 0 now due to the race.
                                           */
                                          kfree(sentry)*[1]
      /*
       * Only after kernfs_remove()
       * completes, the refcount of
       * rdtgrp could be trusted.
       */
      atomic_inc(&rdtgrp->waitcount)
      /* kn->active-- */
      kernfs_break_active_protection(kn)
                                        rdtgroup_ctrl_remove
                                          rdtgrp->flags = RDT_DELETED
                                          /*
                                           * Blocking routine, wait for
                                           * all sub kernfs nodes to drop
                                           * active reference in
                                           * kernfs_break_active_protection.
                                           */
                                          kernfs_remove(rdtgrp->kn)
                                      rdtgroup_kn_unlock
                                        mutex_unlock
                                        atomic_dec_and_test(
                                                    &rdtgrp->waitcount)
                                        && (flags & RDT_DELETED)
                                          kernfs_unbreak_active_protection(kn)
                                          kfree(rdtgrp)
      mutex_lock
    mon_event_read
    rdtgroup_kn_unlock
      mutex_unlock
      /*
       * Use-after-free: refer to earlier rdtgrp
       * memory which was freed in [1].
       */
      atomic_dec_and_test(&rdtgrp->waitcount)
      && (flags & RDT_DELETED)
        /* kn->active++ */
        kernfs_unbreak_active_protection(kn)
        kfree(rdtgrp)
    
    Fix it by moving free_all_child_rdtgrp() to after kernfs_remove() in
    rdtgroup_rmdir_ctrl() to ensure it has the accurate refcount of rdtgrp.
    
    Backporting notes:
    
    Since upstream commit fa7d949337cc ("x86/resctrl: Rename and move rdt
    files to a separate directory"), the file
    arch/x86/kernel/cpu/intel_rdt_rdtgroup.c has been renamed and moved to
    arch/x86/kernel/cpu/resctrl/rdtgroup.c.
    Apply the change against file arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
    for older stable trees.
    
    Upstream commit 17eafd076291 ("x86/intel_rdt: Split resource group
    removal in two") moved part of resource group removal code from
    rdtgroup_rmdir_mon() into a separate function rdtgroup_ctrl_remove().
    Apply the change against original code base of rdtgroup_rmdir_mon() for
    older stable trees.
    
    Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support")
    Suggested-by: Reinette Chatre <reinette.chatre@intel.com>
    Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
    Reviewed-by: Tony Luck <tony.luck@intel.com>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/1578500886-21771-3-git-send-email-xiaochen.shen@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d20edc0bca5577bab38acb5b190619c922ddebf8
Author: Xiaochen Shen <xiaochen.shen@intel.com>
Date:   Sun Feb 2 05:59:30 2020 +0800

    x86/resctrl: Fix use-after-free when deleting resource groups
    
    commit b8511ccc75c033f6d54188ea4df7bf1e85778740 upstream.
    
    A resource group (rdtgrp) contains a reference count (rdtgrp->waitcount)
    that indicates how many waiters expect this rdtgrp to exist. Waiters
    could be waiting on rdtgroup_mutex or some work sitting on a task's
    workqueue for when the task returns from kernel mode or exits.
    
    The deletion of a rdtgrp is intended to have two phases:
    
      (1) while holding rdtgroup_mutex the necessary cleanup is done and
      rdtgrp->flags is set to RDT_DELETED,
    
      (2) after releasing the rdtgroup_mutex, the rdtgrp structure is freed
      only if there are no waiters and its flag is set to RDT_DELETED. Upon
      gaining access to rdtgroup_mutex or rdtgrp, a waiter is required to check
      for the RDT_DELETED flag.
    
    When unmounting the resctrl file system or deleting ctrl_mon groups,
    all of the subdirectories are removed and the data structure of rdtgrp
    is forcibly freed without checking rdtgrp->waitcount. If at this point
    there was a waiter on rdtgrp then a use-after-free issue occurs when the
    waiter starts running and accesses the rdtgrp structure it was waiting
    on.
    
    See kfree() calls in [1], [2] and [3] in these two call paths in the
    following scenarios:
    (1) rdt_kill_sb() -> rmdir_all_sub() -> free_all_child_rdtgrp()
    (2) rdtgroup_rmdir() -> rdtgroup_rmdir_ctrl() -> free_all_child_rdtgrp()
    
    There are several scenarios that result in a use-after-free issue, as
    follows:
    
    Scenario 1:
    -----------
    In Thread 1, rdtgroup_tasks_write() adds a task_work callback
    move_myself(). If move_myself() is scheduled to execute after Thread 2
    rdt_kill_sb() is finished, referring to earlier rdtgrp memory
    (rdtgrp->waitcount) which was already freed in Thread 2 results in
    a use-after-free issue.
    
    Thread 1 (rdtgroup_tasks_write)        Thread 2 (rdt_kill_sb)
    -------------------------------        ----------------------
    rdtgroup_kn_lock_live
      atomic_inc(&rdtgrp->waitcount)
      mutex_lock
    rdtgroup_move_task
      __rdtgroup_move_task
        /*
         * Take an extra refcount, so rdtgrp cannot be freed
         * before the call back move_myself has been invoked
         */
        atomic_inc(&rdtgrp->waitcount)
        /* Callback move_myself will be scheduled for later */
        task_work_add(move_myself)
    rdtgroup_kn_unlock
      mutex_unlock
      atomic_dec_and_test(&rdtgrp->waitcount)
      && (flags & RDT_DELETED)
                                           mutex_lock
                                           rmdir_all_sub
                                             /*
                                              * sentry and rdtgrp are freed
                                              * without checking refcount
                                              */
                                             free_all_child_rdtgrp
                                               kfree(sentry)*[1]
                                             kfree(rdtgrp)*[2]
                                           mutex_unlock
    /*
     * Callback is scheduled to execute
     * after rdt_kill_sb is finished
     */
    move_myself
      /*
       * Use-after-free: refer to earlier rdtgrp
       * memory which was freed in [1] or [2].
       */
      atomic_dec_and_test(&rdtgrp->waitcount)
      && (flags & RDT_DELETED)
        kfree(rdtgrp)
    
    Scenario 2:
    -----------
    In Thread 1, rdtgroup_tasks_write() adds a task_work callback
    move_myself(). If move_myself() is scheduled to execute after Thread 2
    rdtgroup_rmdir() is finished, referring to earlier rdtgrp memory
    (rdtgrp->waitcount) which was already freed in Thread 2 results in
    a use-after-free issue.
    
    Thread 1 (rdtgroup_tasks_write)        Thread 2 (rdtgroup_rmdir)
    -------------------------------        -------------------------
    rdtgroup_kn_lock_live
      atomic_inc(&rdtgrp->waitcount)
      mutex_lock
    rdtgroup_move_task
      __rdtgroup_move_task
        /*
         * Take an extra refcount, so rdtgrp cannot be freed
         * before the call back move_myself has been invoked
         */
        atomic_inc(&rdtgrp->waitcount)
        /* Callback move_myself will be scheduled for later */
        task_work_add(move_myself)
    rdtgroup_kn_unlock
      mutex_unlock
      atomic_dec_and_test(&rdtgrp->waitcount)
      && (flags & RDT_DELETED)
                                           rdtgroup_kn_lock_live
                                             atomic_inc(&rdtgrp->waitcount)
                                             mutex_lock
                                           rdtgroup_rmdir_ctrl
                                             free_all_child_rdtgrp
                                               /*
                                                * sentry is freed without
                                                * checking refcount
                                                */
                                               kfree(sentry)*[3]
                                             rdtgroup_ctrl_remove
                                               rdtgrp->flags = RDT_DELETED
                                           rdtgroup_kn_unlock
                                             mutex_unlock
                                             atomic_dec_and_test(
                                                         &rdtgrp->waitcount)
                                             && (flags & RDT_DELETED)
                                               kfree(rdtgrp)
    /*
     * Callback is scheduled to execute
     * after rdt_kill_sb is finished
     */
    move_myself
      /*
       * Use-after-free: refer to earlier rdtgrp
       * memory which was freed in [3].
       */
      atomic_dec_and_test(&rdtgrp->waitcount)
      && (flags & RDT_DELETED)
        kfree(rdtgrp)
    
    If CONFIG_DEBUG_SLAB=y, Slab corruption on kmalloc-2k can be observed
    as follows. Note that "0x6b" is POISON_FREE after kfree(). The
    corrupted bits "0x6a", "0x64" at offset 0x424 correspond to
    waitcount member of struct rdtgroup which was freed:
    
      Slab corruption (Not tainted): kmalloc-2k start=ffff9504c5b0d000, len=2048
      420: 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkjkkkkkkkkkkk
      Single bit error detected. Probably bad RAM.
      Run memtest86+ or a similar memory test tool.
      Next obj: start=ffff9504c5b0d800, len=2048
      000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    
      Slab corruption (Not tainted): kmalloc-2k start=ffff9504c58ab800, len=2048
      420: 6b 6b 6b 6b 64 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkdkkkkkkkkkkk
      Prev obj: start=ffff9504c58ab000, len=2048
      000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    
    Fix this by taking reference count (waitcount) of rdtgrp into account in
    the two call paths that currently do not do so. Instead of always
    freeing the resource group it will only be freed if there are no waiters
    on it. If there are waiters, the resource group will have its flags set
    to RDT_DELETED.
    
    It will be left to the waiter to free the resource group when it starts
    running and finds that it was the last waiter and the resource group
    has been removed (rdtgrp->flags & RDT_DELETED) since.
    
    (1) rdt_kill_sb() -> rmdir_all_sub() -> free_all_child_rdtgrp()
    (2) rdtgroup_rmdir() -> rdtgroup_rmdir_ctrl() -> free_all_child_rdtgrp()
    
    Backporting notes:
    
    Since upstream commit fa7d949337cc ("x86/resctrl: Rename and move rdt
    files to a separate directory"), the file
    arch/x86/kernel/cpu/intel_rdt_rdtgroup.c has been renamed and moved to
    arch/x86/kernel/cpu/resctrl/rdtgroup.c.
    
    Apply the change against file arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
    in older stable trees.
    
    Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support")
    Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system")
    Suggested-by: Reinette Chatre <reinette.chatre@intel.com>
    Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
    Reviewed-by: Tony Luck <tony.luck@intel.com>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/1578500886-21771-2-git-send-email-xiaochen.shen@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>
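
Added example (not part of the commit or of the kernel source): a single-threaded userspace C model that replays Scenario 1 from the commit message above against an unchecked remover and a waitcount-checked one. `struct group` and every function name are hypothetical stand-ins; only `waitcount` and `RDT_DELETED` come from the commit text.

```c
/* Userspace model of the waitcount / RDT_DELETED deletion protocol.
 * Added example: struct group and all function names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define RDT_DELETED 1	/* flag name taken from the commit message */

struct group {
	atomic_int waitcount;	/* waiters that still expect the group to exist */
	int flags;		/* RDT_DELETED once the remover has run */
};

enum freed_by { FREED_BY_NOBODY, FREED_BY_REMOVER, FREED_BY_WAITER };

static int frees;	/* number of free() calls, to check "exactly once" */

static struct group *group_alloc(void)
{
	struct group *g = calloc(1, sizeof(*g));

	if (!g)
		abort();
	atomic_init(&g->waitcount, 0);
	return g;
}

static void group_free(struct group *g)
{
	frees++;
	free(g);
}

/* Waiter: take a reference before sleeping or queueing deferred work. */
static void waiter_get(struct group *g)
{
	atomic_fetch_add(&g->waitcount, 1);
}

/* Waiter: drop a reference; the last waiter of a deleted group frees it. */
static bool waiter_put(struct group *g)
{
	if (atomic_fetch_sub(&g->waitcount, 1) == 1 && (g->flags & RDT_DELETED)) {
		group_free(g);
		return true;
	}
	return false;
}

/* Pre-fix remover: frees without looking at waitcount. Returns how many
 * waiters are left holding a pointer to freed memory. */
static int remove_unchecked(struct group *g)
{
	int dangling = atomic_load(&g->waitcount);

	group_free(g);
	return dangling;
}

/* Fixed remover: free only when nobody waits, otherwise mark the group
 * deleted and leave the free to the last waiter. In the kernel this runs
 * under rdtgroup_mutex; this model replays the interleaving sequentially. */
static bool remove_checked(struct group *g)
{
	if (atomic_load(&g->waitcount) != 0) {
		g->flags = RDT_DELETED;
		return false;
	}
	group_free(g);
	return true;
}

/* Thread 1 of Scenario 1 up to the point where the callback is pending. */
static struct group *queue_callback(void)
{
	struct group *g = group_alloc();

	waiter_get(g);	/* rdtgroup_kn_lock_live */
	waiter_get(g);	/* extra reference held for move_myself */
	waiter_put(g);	/* rdtgroup_kn_unlock: 2 -> 1, group not deleted */
	return g;
}

int scenario1_unchecked(void)
{
	frees = 0;
	return remove_unchecked(queue_callback());	/* callback must not run now */
}

enum freed_by scenario1_checked(void)
{
	struct group *g = queue_callback();

	frees = 0;
	if (remove_checked(g))
		return FREED_BY_REMOVER;
	return waiter_put(g) ? FREED_BY_WAITER : FREED_BY_NOBODY; /* move_myself */
}

enum freed_by remove_idle_group(void)
{
	frees = 0;
	return remove_checked(group_alloc()) ? FREED_BY_REMOVER : FREED_BY_NOBODY;
}

int main(void)
{
	printf("unchecked: %d waiter(s) left dangling\n", scenario1_unchecked());
	printf("checked:   freed_by=%d, frees=%d\n", scenario1_checked(), frees);
	printf("idle:      freed_by=%d, frees=%d\n", remove_idle_group(), frees);
	return 0;
}
```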

commit 40642747dd9feab4912157882166c05722cec7b0
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Feb 1 16:26:45 2020 +0000

    vfs: fix do_last() regression
    
    commit 6404674acd596de41fd3ad5f267b4525494a891a upstream.
    
    Brown paperbag time: fetching ->i_uid/->i_mode really should've been
    done from nd->inode.  I even suggested that, but the reason for that has
    slipped through the cracks and I went for dir->d_inode instead - made
    for more "obvious" patch.
    
    Analysis:
    
     - at the entry into do_last() and all the way to step_into(): dir (aka
       nd->path.dentry) is known not to have been freed; so's nd->inode and
       it's equal to dir->d_inode unless we are already doomed to -ECHILD.
       inode of the file to get opened is not known.
    
     - after step_into(): inode of the file to get opened is known; dir
       might be pointing to freed memory/be negative/etc.
    
     - at the call of may_create_in_sticky(): guaranteed to be out of RCU
       mode; inode of the file to get opened is known and pinned; dir might
       be garbage.
    
    The last was the reason for the original patch.  Except that at the
    do_last() entry we can be in RCU mode and it is possible that
    nd->path.dentry->d_inode has already changed under us.
    
    In that case we are going to fail with -ECHILD, but we need to be
    careful; nd->inode is pointing to valid struct inode and it's the same
    as nd->path.dentry->d_inode in "won't fail with -ECHILD" case, so we
    should use that.
    
    Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)" <tommi.t.rantala@nokia.com>
    Reported-by: syzbot+190005201ced78a74ad6@syzkaller.appspotmail.com
    Wearing-brown-paperbag: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@kernel.org
    Fixes: d0cb50185ae9 ("do_last(): fetch directory ->i_mode and ->i_uid before it's too late")
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 713ff7e4d605c4dd1efd838e3f0092cd93733f0c
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Thu Dec 5 13:45:05 2019 +0800

    crypto: af_alg - Use bh_lock_sock in sk_destruct
    
    commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.
    
    As af_alg_release_parent may be called from BH context (most notably
    due to an async request that only completes after socket closure,
    or as reported here because of an RCU-delayed sk_destruct call), we
    must use bh_lock_sock instead of lock_sock.
    
    Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
    Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
    Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c662ea4fab81c530590c2be3e86e26313d047e3b
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Nov 28 18:22:01 2019 +0100

    rsi: fix use-after-free on probe errors
    
    commit 92aafe77123ab478e5f5095878856ab0424910da upstream.
    
    The driver would fail to stop the command timer in most error paths,
    something which specifically could lead to the timer being freed while
    still active on I/O errors during probe.
    
    Fix this by making sure that each function starting the timer also stops
    it in all relevant error paths.
    
    Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com
    Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method")
    Cc: stable <stable@vger.kernel.org>     # 4.12
    Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
    Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b4cdf5066ce23d1cc23c1dd4c71438e762c82581
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 24 14:57:20 2020 -0800

    net_sched: ematch: reject invalid TCF_EM_SIMPLE
    
    [ Upstream commit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 ]
    
    It is possible for malicious userspace to set TCF_EM_SIMPLE bit
    even for matches that should not have this bit set.
    
    This can fool two places using tcf_em_is_simple()
    
    1) tcf_em_tree_destroy() -> memory leak of em->data
       if ops->destroy() is NULL
    
    2) tcf_em_tree_dump() wrongly reports/leaks 4 low-order bytes
       of a kernel pointer.
    
    BUG: memory leak
    unreferenced object 0xffff888121850a40 (size 32):
      comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s)
      hex dump (first 32 bytes):
        00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
        [<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline]
        [<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline]
        [<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline]
        [<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671
        [<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127
        [<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline]
        [<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32
        [<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline]
        [<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline]
        [<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300
        [<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline]
        [<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219
        [<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104
        [<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415
        [<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
        [<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
        [<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
        [<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
        [<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
        [<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline]
        [<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659
        [<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
        [<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
        [<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
        [<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline]
        [<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline]
        [<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com
    Cc: Cong Wang <xiyou.wangcong@gmail.com>
    Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ebb7fb7dfd657b65fd7d315b0c8709af94db535f
Author: Laura Abbott <labbott@fedoraproject.org>
Date:   Tue Sep 8 09:53:38 2015 -0700

    usb-storage: Disable UAS on JMicron SATA enclosure
    
    [ Upstream commit bc3bdb12bbb3492067c8719011576370e959a2e6 ]
    
    Steve Ellis reported incorrect block sizes and alignment
    offsets with a SATA enclosure. Adding a quirk to disable
    UAS fixes the problems.
    
    Reported-by: Steven Ellis <sellis@redhat.com>
    Cc: Pacho Ramos <pachoramos@gmail.com>
    Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5ed8ea1798f5585f81252fbbf49ddf50029de2a4
Author: Slawomir Pawlowski <slawomir.pawlowski@intel.com>
Date:   Tue Sep 17 09:20:48 2019 +0000

    PCI: Add DMA alias quirk for Intel VCA NTB
    
    [ Upstream commit 56b4cd4b7da9ee95778eb5c8abea49f641ebfd91 ]
    
    Intel Visual Compute Accelerator (VCA) is a family of PCIe add-in devices
    exposing computational units via Non Transparent Bridges (NTB, PEX 87xx).
    
    Similarly to MIC x200, we need to add DMA aliases to allow buffer access
    when IOMMU is enabled.
    
    Add aliases to allow computational unit access to host memory.  These
    aliases mark the whole VCA device as one IOMMU group.
    
    All possible slot numbers (0x20) are used, since we are unable to tell what
    slot is used on other side.  This quirk is intended for both host and
    computational unit sides.  The VCA devices have up to five functions: four
    for DMA channels and one additional.
    
    Link: https://lore.kernel.org/r/5683A335CC8BE1438C3C30C49DCC38DF637CED8E@IRSMSX102.ger.corp.intel.com
    Signed-off-by: Slawomir Pawlowski <slawomir.pawlowski@intel.com>
    Signed-off-by: Przemek Kitszel <przemyslawx.kitszel@intel.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5be2654a3fd996d423ca26fc6a48b9f1aa7199d2
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Tue Jan 7 21:43:59 2020 +0100

    atm: eni: fix uninitialized variable warning
    
    [ Upstream commit 30780d086a83332adcd9362281201cee7c3d9d19 ]
    
    With -O3, gcc has found an actual uninitialized variable stored
    into an mmio register in two instances:
    
    drivers/atm/eni.c: In function 'discard':
    drivers/atm/eni.c:465:13: error: 'dma[1]' is used uninitialized in this function [-Werror=uninitialized]
       writel(dma[i*2+1],eni_dev->rx_dma+dma_wr*8+4);
                 ^
    drivers/atm/eni.c:465:13: error: 'dma[3]' is used uninitialized in this function [-Werror=uninitialized]
    
    Change the code to always write zeroes instead.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c698d678854c08590c3d1964ecca1bfabc138950
Author: Dmitry Osipenko <digetx@gmail.com>
Date:   Mon Jan 6 04:51:54 2020 +0300

    gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP
    
    [ Upstream commit c5706c7defc79de68a115b5536376298a8fef111 ]
    
    Driver fails to compile in a minimized kernel's configuration because of
    the missing dependency on GPIOLIB_IRQCHIP.
    
     error: ‘struct gpio_chip’ has no member named ‘irq’
       44 |   virq = irq_find_mapping(gpio->gpio_chip.irq.domain, offset);
    
    Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
    Link: https://lore.kernel.org/r/20200106015154.12040-1-digetx@gmail.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e52f8ff34eaa49047c225a42c0a4d2976c4ab20c
Author: Krzysztof Kozlowski <krzk@kernel.org>
Date:   Sat Jan 4 15:31:43 2020 +0100

    net: wan: sdla: Fix cast from pointer to integer of different size
    
    [ Upstream commit 00c0688cecadbf7ac2f5b4cdb36d912a2d3f0cca ]
    
    Since net_device.mem_start is unsigned long, it should not be cast to
    int right before casting to pointer.  This fixes warning (compile
    testing on alpha architecture):
    
        drivers/net/wan/sdla.c: In function ‘sdla_transmit’:
        drivers/net/wan/sdla.c:711:13: warning:
            cast to pointer from integer of different size [-Wint-to-pointer-cast]
    
    Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d24cfcdb6285470316c71558722d30aa73c55be7
Author: Fenghua Yu <fenghua.yu@intel.com>
Date:   Thu Jan 2 13:27:06 2020 -0800

    drivers/net/b44: Change to non-atomic bit operations on pwol_mask
    
    [ Upstream commit f11421ba4af706cb4f5703de34fa77fba8472776 ]
    
    Atomic operations that span cache lines are super-expensive on x86
    (not just to the current processor, but also to other processes as all
    memory operations are blocked until the operation completes). Upcoming
    x86 processors have a switch to cause such operations to generate a #AC
    trap. It is expected that some real time systems will enable this mode
    in BIOS.
    
    In preparation for this, it is necessary to fix code that may execute
    atomic instructions with operands that cross cachelines because the #AC
    trap will crash the kernel.
    
    Since "pwol_mask" is local and never exposed to concurrency, there is
    no need to set bits in pwol_mask using atomic operations.
    
    Directly operate on the byte which contains the bit instead of using
    __set_bit() to avoid any big endian concern due to type cast to
    unsigned long in __set_bit().
    
    Suggested-by: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b56f2a4a4327f609e30872e37eda6d73a6433ed2
Author: wuxu.wu <wuxu.wu@huawei.com>
Date:   Wed Jan 1 11:39:41 2020 +0800

    spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
    
    [ Upstream commit 19b61392c5a852b4e8a0bf35aecb969983c5932d ]
    
    dw_spi_irq() and dw_spi_transfer_one() may be called concurrently.
    
    I find a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,
    dw->len==4, and dw->tx_end==1.
    
    When the tpm driver's message runs overtime, dw_spi_irq() and
    dw_spi_transfer_one() may concurrently visit dw_spi, so I think the dw_spi
    structure lacks protection.
    
    Otherwise dw_spi_transfer_one() sets the dw rx/tx buffer and then opens
    the irq; the store instructions for dw rx/tx and the load instructions
    for dw rx/tx on other cores handling the irq may be out of order.
    
            [ 1025.321302] Call trace:
            ...
            [ 1025.321319]  __crash_kexec+0x98/0x148
            [ 1025.321323]  panic+0x17c/0x314
            [ 1025.321329]  die+0x29c/0x2e8
            [ 1025.321334]  die_kernel_fault+0x68/0x78
            [ 1025.321337]  __do_kernel_fault+0x90/0xb0
            [ 1025.321346]  do_page_fault+0x88/0x500
            [ 1025.321347]  do_translation_fault+0xa8/0xb8
            [ 1025.321349]  do_mem_abort+0x68/0x118
            [ 1025.321351]  el1_da+0x20/0x8c
            [ 1025.321362]  dw_writer+0xc8/0xd0
            [ 1025.321364]  interrupt_transfer+0x60/0x110
            [ 1025.321365]  dw_spi_irq+0x48/0x70
            ...
    
    Signed-off-by: wuxu.wu <wuxu.wu@huawei.com>
    Link: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu.wu@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 60cf76ecde8c765bc7721a390bb59d08d129efe1
Author: Andreas Kemnade <andreas@kemnade.info>
Date:   Fri Dec 13 22:48:02 2019 +0100

    watchdog: rn5t618_wdt: fix module aliases
    
    [ Upstream commit a76dfb859cd42df6e3d1910659128ffcd2fb6ba2 ]
    
    Platform device aliases were missing so module autoloading
    did not work.
    
    Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
    Reviewed-by: Guenter Roeck <linux@roeck-us.net>
    Link: https://lore.kernel.org/r/20191213214802.22268-1-andreas@kemnade.info
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d2b24c965f8f91a8d4d284808201e8c1eb2c27dc
Author: David Engraf <david.engraf@sysgo.com>
Date:   Wed Nov 27 09:46:17 2019 +0100

    watchdog: max77620_wdt: fix potential build errors
    
    [ Upstream commit da9e3f4e30a53cd420cf1e6961c3b4110f0f21f0 ]
    
    max77620_wdt uses watchdog core functions. Enable CONFIG_WATCHDOG_CORE
    to fix potential build errors.
    
    Signed-off-by: David Engraf <david.engraf@sysgo.com>
    Reviewed-by: Guenter Roeck <linux@roeck-us.net>
    Link: https://lore.kernel.org/r/20191127084617.16937-1-david.engraf@sysgo.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aba29b46dfea2367977a7bd06a2ccdead8bf48f9
Author: Tony Lindgren <tony@atomide.com>
Date:   Sun Dec 22 10:17:02 2019 -0800

    phy: cpcap-usb: Prevent USB line glitches from waking up modem
    
    [ Upstream commit 63078b6ba09e842f09df052c5728857389fddcd2 ]
    
    The micro-USB connector on Motorola Mapphone devices can be muxed between
    the SoC and the mdm6600 modem. But even when used for the SoC, configuring
    the PHY with ID pin grounded will wake up the modem from idle state. Looks
    like the issue is probably caused by line glitches.
    
    We can prevent the glitches by using a previously unknown mode of the
    GPIO mux to prevent the USB lines from being connected to the modem while
    configuring the USB PHY, and enable the USB lines after configuring the
    PHY.
    
    Note that this only prevents waking up mdm6600 as regular USB A-host mode,
    and does not help when connected to a lapdock. The lapdock specific issue
    still needs to be debugged separately.
    
    Cc: Merlijn Wajer <merlijn@wizzup.org>
    Cc: Pavel Machek <pavel@ucw.cz>
    Cc: Sebastian Reichel <sre@kernel.org>
    Acked-by: Pavel Machek <pavel@ucw.cz>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a30b232c18fa4736efa685f70cd00454a6e998d4
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Tue Nov 19 15:57:11 2019 +0100

    HID: ite: Add USB id match for Acer SW5-012 keyboard dock
    
    [ Upstream commit 8f18eca9ebc57d6b150237033f6439242907e0ba ]
    
    The Acer SW5-012 2-in-1 keyboard dock uses a Synaptics S91028 touchpad
    which is connected to an ITE 8595 USB keyboard controller chip.
    
    This keyboard has the same quirk for its rfkill / airplane mode hotkey as
    other keyboards with the ITE 8595 chip, it only sends a single release
    event when pressed and released, it never sends a press event.
    
    This commit adds this keyboard's USB id to the hid-ite id-table, fixing
    the rfkill key not working on this keyboard.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0f6f0693493719ff84c7ff5ae161605d86aed619
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Nov 26 17:54:09 2019 -0800

    arc: eznps: fix allmodconfig kconfig warning
    
    [ Upstream commit 1928b36cfa4df1aeedf5f2644d0c33f3a1fcfd7b ]
    
    Fix kconfig warning for arch/arc/plat-eznps/Kconfig allmodconfig:
    
    WARNING: unmet direct dependencies detected for CLKSRC_NPS
      Depends on [n]: GENERIC_CLOCKEVENTS [=y] && !PHYS_ADDR_T_64BIT [=y]
      Selected by [y]:
      - ARC_PLAT_EZNPS [=y]
    
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Vineet Gupta <vgupta@synopsys.com>
    Cc: Ofer Levi <oferle@mellanox.com>
    Cc: linux-snps-arc@lists.infradead.org
    Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 108b4537f1a450a4b979857f3ad5113e485917ba
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Dec 10 12:44:26 2019 +0100

    zd1211rw: fix storage endpoint lookup
    
    commit 2d68bb2687abb747558b933e80845ff31570a49c upstream.
    
    Make sure to use the current alternate setting when verifying the
    storage interface descriptors to avoid submitting an URB to an invalid
    endpoint.
    
    Failing to do so could cause the driver to misbehave or trigger a WARN()
    in usb_submit_urb() that kernels with panic_on_warn set would choke on.
    
    Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
    Cc: stable <stable@vger.kernel.org>     # 2.6.19
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 419d0f93ac3c043c73b6387090cb3bee416e53fe
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Dec 10 12:44:24 2019 +0100

    rtl8xxxu: fix interface sanity check
    
    commit 39a4281c312f2d226c710bc656ce380c621a2b16 upstream.
    
    Make sure to use the current alternate setting when verifying the
    interface descriptors to avoid binding to an invalid interface.
    
    Failing to do so could cause the driver to misbehave or trigger a WARN()
    in usb_submit_urb() that kernels with panic_on_warn set would choke on.
    
    Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
    Cc: stable <stable@vger.kernel.org>     # 4.4
    Cc: Jes Sorensen <Jes.Sorensen@redhat.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 684cf943bb4782b49a28de5f5d0d3bf97c152c4b
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Dec 10 12:44:22 2019 +0100

    brcmfmac: fix interface sanity check
    
    commit 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 upstream.
    
    Make sure to use the current alternate setting when verifying the
    interface descriptors to avoid binding to an invalid interface.
    
    Failing to do so could cause the driver to misbehave or trigger a WARN()
    in usb_submit_urb() that kernels with panic_on_warn set would choke on.
    
    Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
    Cc: stable <stable@vger.kernel.org>     # 3.4
    Cc: Arend van Spriel <arend@broadcom.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2f4c65c23fcd208138836e1bd0aa3198a43d4c08
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Dec 10 12:44:20 2019 +0100

    ath9k: fix storage endpoint lookup
    
    commit 0ef332951e856efa89507cdd13ba8f4fb8d4db12 upstream.
    
    Make sure to use the current alternate setting when verifying the
    storage interface descriptors to avoid submitting an URB to an invalid
    endpoint.
    
    Failing to do so could cause the driver to misbehave or trigger a WARN()
    in usb_submit_urb() that kernels with panic_on_warn set would choke on.
    
    Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
    Cc: stable <stable@vger.kernel.org>     # 2.6.39
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6a35190cc2ed47344e719694f1a99255ef0dc20a
Author: Eric Biggers <ebiggers@google.com>
Date:   Mon Dec 30 21:19:31 2019 -0600

    crypto: chelsio - fix writing tfm flags to wrong place
    
    commit bd56cea012fc2d6381e8cd3209510ce09f9de8c9 upstream.
    
    The chelsio crypto driver is casting 'struct crypto_aead' directly to
    'struct crypto_tfm', which is incorrect because the crypto_tfm isn't the
    first field of 'struct crypto_aead'.  Consequently, the calls to
    crypto_tfm_set_flags() are modifying some other field in the struct.
    
    Also, the driver is setting CRYPTO_TFM_RES_BAD_KEY_LEN in
    ->setauthsize(), not just in ->setkey().  This is incorrect since this
    flag is for bad key lengths, not for bad authentication tag lengths.
    
    Fix these bugs by removing the broken crypto_tfm_set_flags() calls from
    ->setauthsize() and by fixing them in ->setkey().
    
    Fixes: 324429d74127 ("chcr: Support for Chelsio's Crypto Hardware")
    Cc: <stable@vger.kernel.org> # v4.9+
    Cc: Atul Gupta <atul.gupta@chelsio.com>
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a2e73efbb3125dfe1e19cccd883f1721b342a760
Author: Lukas Wunner <lukas@wunner.de>
Date:   Thu Jan 16 13:14:01 2020 +0100

    serial: 8250_bcm2835aux: Fix line mismatch on driver unbind
    
    commit dc76697d7e933d5e299116f219c890568785ea15 upstream.
    
    Unbinding the bcm2835aux UART driver raises the following error if the
    maximum number of 8250 UARTs is set to 1 (via the 8250.nr_uarts module
    parameter or CONFIG_SERIAL_8250_RUNTIME_UARTS):
    
    (NULL device *): Removing wrong port: a6f80333 != fa20408b
    
    That's because bcm2835aux_serial_probe() retrieves UART line number 1
    from the devicetree and stores it in data->uart.port.line, while
    serial8250_register_8250_port() instead uses UART line number 0,
    which is stored in data->line.
    
    On driver unbind, bcm2835aux_serial_remove() uses data->uart.port.line,
    which contains the wrong number.  Fix it.
    
    The issue does not occur if the maximum number of 8250 UARTs is >= 2.
    
    Fixes: bdc5f3009580 ("serial: bcm2835: add driver for bcm2835-aux-uart")
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Cc: stable@vger.kernel.org # v4.6+
    Cc: Martin Sperl <kernel@martin.sperl.org>
    Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
    Tested-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
    Link: https://lore.kernel.org/r/912ccf553c5258135c6d7e8f404a101ef320f0f4.1579175223.git.lukas@wunner.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c6c4999a16f2af38ca4fb8cb57a86062d15961d1
Author: Malcolm Priestley <tvboxspy@gmail.com>
Date:   Wed Jan 8 21:41:36 2020 +0000

    staging: vt6656: Fix false Tx excessive retries reporting.
    
    commit 9dd631fa99dc0a0dfbd191173bf355ba30ea786a upstream.
    
    The driver reporting IEEE80211_TX_STAT_ACK is not being handled
    correctly. The driver should only report when the TSR_TMO flag is not
    set, indicating no transmission errors, and when IEEE80211_TX_CTL_NO_ACK
    is not being requested.
    
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
    Link: https://lore.kernel.org/r/340f1f7f-c310-dca5-476f-abc059b9cd97@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bba758d3f3b9d3295f191e42edc7bd9820f183a1
Author: Malcolm Priestley <tvboxspy@gmail.com>
Date:   Wed Jan 8 21:41:20 2020 +0000

    staging: vt6656: use NULLFUCTION stack on mac80211
    
    commit d579c43c82f093e63639151625b2139166c730fd upstream.
    
    It appears that the driver does not go into power save correctly; the
    NULL data packets are not being transmitted because it is not enabled
    in mac80211.
    
    The driver needs to capture ieee80211_is_nullfunc headers and
    copy the duration_id to its own duration data header.
    
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
    Link: https://lore.kernel.org/r/610971ae-555b-a6c3-61b3-444a0c1e35b4@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit abb33ca718674b7bc027dd16377b3553b44f4ee2
Author: Malcolm Priestley <tvboxspy@gmail.com>
Date:   Wed Jan 8 21:40:58 2020 +0000

    staging: vt6656: correct packet types for CTS protect, mode.
    
    commit d971fdd3412f8342747778fb59b8803720ed82b1 upstream.
    
    It appears that the driver still transmits in CTS protect mode even
    though it is not enabled in mac80211.
    
    That is, packet types PK_TYPE_11GA and PK_TYPE_11GB both use CTS protect.
    The only difference between them is that GA does not use B rates.
    
    Find if only B rate in GB or GA in protect mode, otherwise transmit packets
    as PK_TYPE_11A.
    
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
    Link: https://lore.kernel.org/r/9c1323ff-dbb3-0eaa-43e1-9453f7390dc0@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 07219a4cf2fca988405fb835ef950191ec972dd8
Author: Colin Ian King <colin.king@canonical.com>
Date:   Tue Jan 14 18:16:04 2020 +0000

    staging: wlan-ng: ensure error return is actually returned
    
    commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream.
    
    Currently when the call to prism2sta_ifst fails a netdev_err error
    is reported, error return variable result is set to -1 but the
    function always returns 0 for success.  Fix this by returning
    the error value in variable result rather than 0.
    
    Addresses-Coverity: ("Unused value")
    Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6560fd66278fec045902010ff7b07878a13e501f
Author: Andrey Shvetsov <andrey.shvetsov@k2l.de>
Date:   Thu Jan 16 18:22:39 2020 +0100

    staging: most: net: fix buffer overflow
    
    commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream.
    
    If the length of the socket buffer is 0xFFFFFFFF (max size for an
    unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14
    (ETH_HLEN).  Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN)
    which overflows and results in a value of 2.  These values for
    payload_len and mdp_len will pass current buffer size checks.
    
    This patch checks if the sum derived from skb->len may overflow.
    
    The check is based on the following idea:
    
    For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`,
    `V1 + V2` overflows iff `SUM < V1`.
    
    Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Andrey Shvetsov <andrey.shvetsov@k2l.de>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
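
The `SUM < V1` rule from the commit message above, as an added example that is not the driver's code: the same length derivation is run with and without the overflow check. The function names, result codes and the 1500-byte buffer size are assumptions made for the example; ETH_HLEN and MDP_HDR_LEN use the values given in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN    14u   /* Ethernet header length, from the commit message */
#define MDP_HDR_LEN 16u   /* MDP header length, from the commit message */

/* Hypothetical result codes for this example. */
enum verdict { ACCEPT = 0, DROP_TOO_BIG = -1, DROP_OVERFLOW = -2 };

struct derived {
    uint32_t payload_len;  /* skb length minus the Ethernet header */
    uint32_t mdp_len;      /* payload plus the MDP header */
};

/* Derive both lengths in 32-bit unsigned arithmetic, which wraps modulo 2^32. */
static struct derived derive(uint32_t skb_len)
{
    struct derived d;
    d.payload_len = skb_len - ETH_HLEN;
    d.mdp_len = d.payload_len + MDP_HDR_LEN;
    return d;
}

/* Before: only the buffer size check, which a wrapped mdp_len passes. */
static enum verdict check_unpatched(uint32_t skb_len, uint32_t buf_len)
{
    struct derived d = derive(skb_len);
    if (buf_len < d.mdp_len)
        return DROP_TOO_BIG;
    return ACCEPT;
}

/* After: SUM < V1 means V1 + V2 wrapped, so reject before the size check. */
static enum verdict check_patched(uint32_t skb_len, uint32_t buf_len)
{
    struct derived d = derive(skb_len);
    if (d.mdp_len < d.payload_len)
        return DROP_OVERFLOW;
    if (buf_len < d.mdp_len)
        return DROP_TOO_BIG;
    return ACCEPT;
}

int main(void)
{
    /* Constructed inputs: a normal frame, an oversized one, the wrapping one. */
    const uint32_t lens[] = { 100u, 2000u, 0xFFFFFFFFu };
    const uint32_t buf_len = 1500u;  /* assumed destination buffer size */

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        struct derived d = derive(lens[i]);
        printf("skb_len=0x%08x payload_len=0x%08x mdp_len=0x%08x "
               "unpatched=%d patched=%d\n",
               (unsigned)lens[i], (unsigned)d.payload_len, (unsigned)d.mdp_len,
               check_unpatched(lens[i], buf_len), check_patched(lens[i], buf_len));
    }
    return 0;
}
```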

commit e1b4f5461f8b7f11d3882e2725f0fed2632ef02e
Author: Bin Liu <b-liu@ti.com>
Date:   Wed Dec 11 10:10:03 2019 -0600

    usb: dwc3: turn off VBUS when leaving host mode
    
    commit 09ed259fac621634d51cd986aa8d65f035662658 upstream.
    
    VBUS should be turned off when leaving the host mode.
    Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to
    turn off VBUS power.
    
    Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function")
    Cc: stable@vger.kernel.org
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2cb7f8d0e7512189b3b7ea287ffce36d7831897f
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Jan 22 11:15:28 2020 +0100

    USB: serial: ir-usb: fix IrLAP framing
    
    commit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream.
    
    Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
    switched to using the generic write implementation which may combine
    multiple write requests into larger transfers. This can break the IrLAP
    protocol where end-of-frame is determined using the USB short packet
    mechanism, for example, if multiple frames are sent in rapid succession.
    
    Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
    Cc: stable <stable@vger.kernel.org>     # 2.6.35
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dc7692a8975be3e97a5e0df02ab619430eb3ead8
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Jan 22 11:15:27 2020 +0100

    USB: serial: ir-usb: fix link-speed handling
    
    commit 17a0184ca17e288decdca8b2841531e34d49285f upstream.
    
    Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB
    IrDA header with common defines, but mistakenly switched to using the
    class-descriptor baud-rate bitmask values for the outbound header.
    
    This broke link-speed handling for rates above 9600 baud, but a device
    would also be able to operate at the default 9600 baud until a
    link-speed request was issued (e.g. using the TCGETS ioctl).
    
    Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module")
    Cc: stable <stable@vger.kernel.org>     # 2.6.27
    Cc: Felipe Balbi <balbi@kernel.org>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 172b7f71488cfcb1426790bdefe334b1487fb65c
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Jan 22 11:15:26 2020 +0100

    USB: serial: ir-usb: add missing endpoint sanity check
    
    commit 2988a8ae7476fe9535ab620320790d1714bdad1d upstream.
    
    Add missing endpoint sanity check to avoid dereferencing a NULL-pointer
    on open() in case a device lacks a bulk-out endpoint.
    
    Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using
    generic framework") the oops would instead happen on open() if the
    device lacked a bulk-in endpoint and on write() if it lacked a bulk-out
    endpoint.
    
    Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable <stable@vger.kernel.org>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 98a23baf0794352313aeda5d7ebcfb867db05929
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Dec 10 12:44:25 2019 +0100

    rsi_91x_usb: fix interface sanity check
    
    commit 3139b180906af43bc09bd3373fc2338a8271d9d9 upstream.
    
    Make sure to use the current alternate setting when verifying the
    interface descriptors to avoid binding to an invalid interface.
    
    Failing to do so could cause the driver to misbehave or trigger a WARN()
    in usb_submit_urb() that kernels with panic_on_warn set would choke on.
    
    Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
    Cc: stable <stable@vger.kernel.org>     # 3.15
    Cc: Fariya Fatima <fariyaf@gmail.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a79def80c7a478ac5b07d16998cf2fa52affa13b
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Dec 10 12:44:23 2019 +0100

    orinoco_usb: fix interface sanity check
    
    commit b73e05aa543cf8db4f4927e36952360d71291d41 upstream.
    
    Make sure to use the current alternate setting when verifying the
    interface descriptors to avoid binding to an invalid interface.
    
    Failing to do so could cause the driver to misbehave or trigger a WARN()
    in usb_submit_urb() that kernels with panic_on_warn set would choke on.
    
    Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver")
    Cc: stable <stable@vger.kernel.org>     # 2.6.35
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
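
The interface and endpoint sanity-check fixes above (zd1211rw, rtl8xxxu, brcmfmac, ath9k, rsi_91x_usb, orinoco_usb) share one pattern, sketched here as an added example that is not code from any of these drivers: a probe that validates array entry 0 of the alternate settings is compared with one that validates the current alternate setting. The structs, constants and function names are simplified stand-ins assumed for the example, and the device data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's USB descriptor structures
 * (assumed for this example; not the real <linux/usb.h> definitions). */
#define EP_DIR_IN     0x80u  /* bEndpointAddress direction bit */
#define EP_XFER_MASK  0x03u  /* bmAttributes transfer-type mask */
#define EP_XFER_BULK  0x02u

struct endpoint { uint8_t address; uint8_t attributes; };

struct host_interface {
    uint8_t alt_number;
    uint8_t num_endpoints;
    const struct endpoint *endpoints;
};

struct interface {
    const struct host_interface *altsetting;      /* all settings, any order */
    unsigned int num_altsetting;
    const struct host_interface *cur_altsetting;  /* the active setting */
};

/* Return 1 if the given setting exposes a bulk-out endpoint. */
static int has_bulk_out(const struct host_interface *alt)
{
    for (unsigned int i = 0; i < alt->num_endpoints; i++) {
        const struct endpoint *ep = &alt->endpoints[i];
        if ((ep->attributes & EP_XFER_MASK) == EP_XFER_BULK &&
            !(ep->address & EP_DIR_IN))
            return 1;
    }
    return 0;
}

/* Before: validates array entry 0, which may not be the active setting. */
static int probe_unfixed(const struct interface *intf)
{
    return has_bulk_out(&intf->altsetting[0]) ? 0 : -1;
}

/* After: validates the setting the driver will actually talk to. */
static int probe_fixed(const struct interface *intf)
{
    return has_bulk_out(intf->cur_altsetting) ? 0 : -1;
}

/* Constructed device: entry 0 has bulk endpoints, the active setting has none. */
static const struct endpoint alt_a_eps[] = { { 0x81, 0x02 }, { 0x02, 0x02 } };
static const struct host_interface sample_alts[] = {
    { 1, 2, alt_a_eps },
    { 0, 0, NULL },
};
static const struct interface sample_intf = { sample_alts, 2, &sample_alts[1] };

int main(void)
{
    printf("unfixed probe: %d\n", probe_unfixed(&sample_intf));
    printf("fixed probe:   %d\n", probe_fixed(&sample_intf));
    return 0;
}
```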