commit 48a16935fdcdb0926ed5e743a9d8d238bbc9c243
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon Nov 25 15:54:52 2019 +0100

    Linux 4.4.203

commit f811dcf49abfcc96e93360db790d7e6b90ad4c91
Author: Pavel Tatashin <pasha.tatashin@soleen.com>
Date:   Tue Nov 19 17:10:06 2019 -0500

    arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault
    
    commit 94bb804e1e6f0a9a77acf20d7c70ea141c6c821e upstream.
    
    A number of our uaccess routines ('__arch_clear_user()' and
    '__arch_copy_{in,from,to}_user()') fail to re-enable PAN if they
    encounter an unhandled fault whilst accessing userspace.
    
    For CPUs implementing both hardware PAN and UAO, this bug has no effect
    when both extensions are in use by the kernel.
    
    For CPUs implementing hardware PAN but not UAO, this means that a kernel
    using hardware PAN may execute portions of code with PAN inadvertently
    disabled, opening us up to potential security vulnerabilities that rely
    on userspace access from within the kernel which would usually be
    prevented by this mechanism. In other words, parts of the kernel run the
    same way as they would on a CPU without PAN implemented/emulated at all.
    
    For CPUs not implementing hardware PAN and instead relying on software
    emulation via 'CONFIG_ARM64_SW_TTBR0_PAN=y', the impact is unfortunately
    much worse. Calling 'schedule()' with software PAN disabled means that
    the next task will execute in the kernel using the page-table and ASID
    of the previous process even after 'switch_mm()', since the actual
    hardware switch is deferred until return to userspace. At this point, or
    if there is a intermediate call to 'uaccess_enable()', the page-table
    and ASID of the new process are installed. Sadly, due to the changes
    introduced by KPTI, this is not an atomic operation and there is a very
    small window (two instructions) where the CPU is configured with the
    page-table of the old task and the ASID of the new task; a speculative
    access in this state is disastrous because it would corrupt the TLB
    entries for the new task with mappings from the previous address space.
    
    As Pavel explains:
    
      | I was able to reproduce memory corruption problem on Broadcom's SoC
      | ARMv8-A like this:
      |
      | Enable software perf-events with PERF_SAMPLE_CALLCHAIN so userland's
      | stack is accessed and copied.
      |
      | The test program performed the following on every CPU and forking
      | many processes:
      |
      |     unsigned long *map = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE,
      |                               MAP_SHARED | MAP_ANONYMOUS, -1, 0);
      |     map[0] = getpid();
      |     sched_yield();
      |     if (map[0] != getpid()) {
      |             fprintf(stderr, "Corruption detected!");
      |     }
      |     munmap(map, PAGE_SIZE);
      |
      | From time to time I was getting map[0] to contain pid for a
      | different process.
    
    Ensure that PAN is re-enabled when returning after an unhandled user
    fault from our uaccess routines.
    
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Reviewed-by: Mark Rutland <mark.rutland@arm.com>
    Tested-by: Mark Rutland <mark.rutland@arm.com>
    Cc: <stable@vger.kernel.org>
    Fixes: 338d4f49d6f7 ("arm64: kernel: Add support for Privileged Access Never")
    Signed-off-by: Pavel Tatashin <pasha.tatashin@soleen.com>
    [will: rewrote commit message]
    [will: backport for 4.4.y stable kernels]
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 736d201a590941a95aefb037238f867ca7edbb20
Author: Huibin Hong <huibin.hong@rock-chips.com>
Date:   Wed Oct 10 11:00:32 2018 +0200

    spi: rockchip: initialize dma_slave_config properly
    
    [ Upstream commit dd8fd2cbc73f8650f651da71fc61a6e4f30c1566 ]
    
    The rxconf and txconf structs are allocated on the
    stack, so make sure we zero them before filling out
    the relevant fields.
    
    Signed-off-by: Huibin Hong <huibin.hong@rock-chips.com>
    Signed-off-by: Emil Renner Berthing <kernel@esmil.dk>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 344823879808142fe0fc9900f6e7ee77da7841e5
Author: Felix Fietkau <nbd@nbd.name>
Date:   Sat Oct 6 19:35:04 2018 +0200

    mac80211: minstrel: fix CCK rate group streams value
    
    [ Upstream commit 80df9be67c44cb636bbc92caeddad8caf334c53c ]
    
    Fixes a harmless underflow issue when CCK rates are actively being used
    
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 673f7373bd5860f0fbd3325f256131f73b9fc09a
Author: Thierry Reding <treding@nvidia.com>
Date:   Fri Sep 21 12:10:47 2018 +0200

    hwmon: (pwm-fan) Silence error on probe deferral
    
    [ Upstream commit 9f67f7583e77fe5dc57aab3a6159c2642544eaad ]
    
    Probe deferrals aren't actual errors, so silence the error message in
    case the PWM cannot yet be acquired.
    
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 08fdf5bd19bf13ff41714b6707b1ee690c650bfb
Author: Timothy E Baldwin <T.E.Baldwin99@members.leeds.ac.uk>
Date:   Mon Oct 8 19:26:48 2018 +0100

    ARM: 8802/1: Call syscall_trace_exit even when system call skipped
    
    [ Upstream commit f18aef742c8fbd68e280dff0a63ba0ca6ee8ad85 ]
    
    On at least x86 and ARM64, and as documented in the ptrace man page
    a skipped system call will still cause a syscall exit ptrace stop.
    
    Previous to this commit 32-bit ARM did not, resulting in strace
    being confused when seccomp skips system calls.
    
    This change also impacts programs that use ptrace to skip system calls.
    
    Fixes: ad75b51459ae ("ARM: 7579/1: arch/allow a scno of -1 to not cause a SIGILL")
    Signed-off-by: Timothy E Baldwin <T.E.Baldwin99@members.leeds.ac.uk>
    Signed-off-by: Eugene Syromyatnikov <evgsyr@gmail.com>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Tested-by: Kees Cook <keescook@chromium.org>
    Tested-by: Eugene Syromyatnikov <evgsyr@gmail.com>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 91a9d24e3f04b78e844a302177b753cd37ac3851
Author: Trent Piepho <tpiepho@impinj.com>
Date:   Thu Sep 20 19:18:34 2018 +0000

    spi: spidev: Fix OF tree warning logic
    
    [ Upstream commit 605b3bec73cbd74b4ac937b580cd0b47d1300484 ]
    
    spidev will make a big fuss if a device tree node binds a device by
    using "spidev" as the node's compatible property.
    
    However, the logic for this isn't looking for "spidev" in the
    compatible, but rather checking that the device is NOT compatible with
    spidev's list of devices.
    
    This causes a false positive if a device not named "rohm,dh2228fv", etc.
    binds to spidev, even if a means other than putting "spidev" in the
    device tree was used.  E.g., the sysfs driver_override attribute.
    
    Signed-off-by: Trent Piepho <tpiepho@impinj.com>
    Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
    Tested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6d49b0992d02f620a5356a6420dc4ce82a2705e5
Author: Marek Vasut <marex@denx.de>
Date:   Thu Oct 4 00:52:52 2018 +0200

    gpio: syscon: Fix possible NULL ptr usage
    
    [ Upstream commit 70728c29465bc4bfa7a8c14304771eab77e923c7 ]
    
    The priv->data->set can be NULL while flags contains GPIO_SYSCON_FEAT_OUT
    and chip->set is valid pointer. This happens in case the controller uses
    the default GPIO setter. Always use chip->set to access the setter to avoid
    possible NULL pointer dereferencing.
    
    Signed-off-by: Marek Vasut <marex@denx.de>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit df3de9e92c3b0f268b0479c452b4710cf39380ff
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Thu Sep 27 09:21:55 2018 -0500

    x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error
    
    [ Upstream commit 51fbf14f2528a8c6401290e37f1c893a2412f1d3 ]
    
    The only use of KEXEC_BACKUP_SRC_END is as an argument to
    walk_system_ram_res():
    
      int crash_load_segments(struct kimage *image)
      {
        ...
        walk_system_ram_res(KEXEC_BACKUP_SRC_START, KEXEC_BACKUP_SRC_END,
                            image, determine_backup_region);
    
    walk_system_ram_res() expects "start, end" arguments that are inclusive,
    i.e., the range to be walked includes both the start and end addresses.
    
    KEXEC_BACKUP_SRC_END was previously defined as (640 * 1024UL), which is the
    first address *past* the desired 0-640KB range.
    
    Define KEXEC_BACKUP_SRC_END as (640 * 1024UL - 1) so the KEXEC_BACKUP_SRC
    region is [0-0x9ffff], not [0-0xa0000].
    
    Fixes: dd5f726076cc ("kexec: support for kexec on panic using new system call")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    CC: "H. Peter Anvin" <hpa@zytor.com>
    CC: Andrew Morton <akpm@linux-foundation.org>
    CC: Brijesh Singh <brijesh.singh@amd.com>
    CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    CC: Ingo Molnar <mingo@redhat.com>
    CC: Lianbo Jiang <lijiang@redhat.com>
    CC: Takashi Iwai <tiwai@suse.de>
    CC: Thomas Gleixner <tglx@linutronix.de>
    CC: Tom Lendacky <thomas.lendacky@amd.com>
    CC: Vivek Goyal <vgoyal@redhat.com>
    CC: baiyaowei@cmss.chinamobile.com
    CC: bhe@redhat.com
    CC: dan.j.williams@intel.com
    CC: dyoung@redhat.com
    CC: kexec@lists.infradead.org
    Link: http://lkml.kernel.org/r/153805811578.1157.6948388946904655969.stgit@bhelgaas-glaptop.roam.corp.google.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0e74fb6274ff2465205616997465d7b26b29a664
Author: Colin Ian King <colin.king@canonical.com>
Date:   Sat Oct 6 14:01:42 2018 -0400

    media: cx231xx: fix potential sign-extension overflow on large shift
    
    [ Upstream commit 32ae592036d7aeaabcccb2b1715373a68639a768 ]
    
    Shifting the u8 value[3] by an int can lead to sign-extension
    overflow. For example, if value[3] is 0xff and the shift is 24 then it
    is promoted to int and then the top bit is sign-extended so that all
    upper 32 bits are set.  Fix this by casting value[3] to a u32 before
    the shift.
    
    Detected by CoverityScan, CID#1016522 ("Unintended sign extension")
    
    Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
    
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 560976f5b8d068d92251de339b2794aae5f59d76
Author: Tim Smith <tim.smith@citrix.com>
Date:   Mon Oct 8 12:15:40 2018 -0500

    GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads
    
    [ Upstream commit 1eb8d7387908022951792a46fa040ad3942b3b08 ]
    
    Flushing the workqueue can cause operations to happen which might
    call gfs2_log_reserve(), or get stuck waiting for locks taken by such
    operations.  gfs2_log_reserve() can io_schedule(). If this happens, it
    will never wake because the only thing which can wake it is gfs2_logd()
    which was already stopped.
    
    This causes umount of a gfs2 filesystem to wedge permanently if, for
    example, the umount immediately follows a large delete operation.
    
    When this occured, the following stack trace was obtained from the
    umount command
    
    [<ffffffff81087968>] flush_workqueue+0x1c8/0x520
    [<ffffffffa0666e29>] gfs2_make_fs_ro+0x69/0x160 [gfs2]
    [<ffffffffa0667279>] gfs2_put_super+0xa9/0x1c0 [gfs2]
    [<ffffffff811b7edf>] generic_shutdown_super+0x6f/0x100
    [<ffffffff811b7ff7>] kill_block_super+0x27/0x70
    [<ffffffffa0656a71>] gfs2_kill_sb+0x71/0x80 [gfs2]
    [<ffffffff811b792b>] deactivate_locked_super+0x3b/0x70
    [<ffffffff811b79b9>] deactivate_super+0x59/0x60
    [<ffffffff811d2998>] cleanup_mnt+0x58/0x80
    [<ffffffff811d2a12>] __cleanup_mnt+0x12/0x20
    [<ffffffff8108c87d>] task_work_run+0x7d/0xa0
    [<ffffffff8106d7d9>] exit_to_usermode_loop+0x73/0x98
    [<ffffffff81003961>] syscall_return_slowpath+0x41/0x50
    [<ffffffff815a594c>] int_ret_from_sys_call+0x25/0x8f
    [<ffffffffffffffff>] 0xffffffffffffffff
    
    Signed-off-by: Tim Smith <tim.smith@citrix.com>
    Signed-off-by: Mark Syms <mark.syms@citrix.com>
    Signed-off-by: Bob Peterson <rpeterso@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cc1c305ccaabf2b8ef7679cfe09fb3ca0b84dcd9
Author: Wenwen Wang <wang6495@umn.edu>
Date:   Thu Oct 4 11:44:02 2018 -0400

    media: isif: fix a NULL pointer dereference bug
    
    [ Upstream commit a26ac6c1bed951b2066cc4b2257facd919e35c0b ]
    
    In isif_probe(), there is a while loop to get the ISIF base address and
    linearization table0 and table1 address. In the loop body, the function
    platform_get_resource() is called to get the resource. If
    platform_get_resource() returns NULL, the loop is terminated and the
    execution goes to 'fail_nobase_res'. Suppose the loop is terminated at the
    first iteration because platform_get_resource() returns NULL and the
    execution goes to 'fail_nobase_res'. Given that there is another while loop
    at 'fail_nobase_res' and i equals to 0, one iteration of the second while
    loop will be executed. However, the second while loop does not check the
    return value of platform_get_resource(). This can cause a NULL pointer
    dereference bug if the return value is a NULL pointer.
    
    This patch avoids the above issue by adding a check in the second while
    loop after the call to platform_get_resource().
    
    Signed-off-by: Wenwen Wang <wang6495@umn.edu>
    Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 55b2c1ccb82143be1ed9e1922976dbe63917fe68
Author: He Zhe <zhe.he@windriver.com>
Date:   Sun Sep 30 00:45:53 2018 +0800

    printk: Give error on attempt to set log buffer length to over 2G
    
    [ Upstream commit e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e ]
    
    The current printk() is ready to handle log buffer size up to 2G.
    Give an explicit error for users who want to use larger log buffer.
    
    Also fix printk formatting to show the 2G as a positive number.
    
    Link: http://lkml.kernel.org/r/20181008135916.gg4kkmoki5bgtco5@pathway.suse.cz
    Cc: rostedt@goodmis.org
    Cc: linux-kernel@vger.kernel.org
    Suggested-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
    Signed-off-by: He Zhe <zhe.he@windriver.com>
    Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
    [pmladek: Fixed to the really safe limit 2GB.]
    Signed-off-by: Petr Mladek <pmladek@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4e132c761b445795133d3a94cbbe857ac695998a
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Fri Sep 21 13:21:31 2018 -0700

    backlight: lm3639: Unconditionally call led_classdev_unregister
    
    [ Upstream commit 7cea645ae9c5a54aa7904fddb2cdf250acd63a6c ]
    
    Clang warns that the address of a pointer will always evaluated as true
    in a boolean context.
    
    drivers/video/backlight/lm3639_bl.c:403:14: warning: address of
    'pchip->cdev_torch' will always evaluate to 'true'
    [-Wpointer-bool-conversion]
            if (&pchip->cdev_torch)
            ~~   ~~~~~~~^~~~~~~~~~
    drivers/video/backlight/lm3639_bl.c:405:14: warning: address of
    'pchip->cdev_flash' will always evaluate to 'true'
    [-Wpointer-bool-conversion]
            if (&pchip->cdev_flash)
            ~~   ~~~~~~~^~~~~~~~~~
    2 warnings generated.
    
    These statements have been present since 2012, introduced by
    commit 0f59858d5119 ("backlight: add new lm3639 backlight
    driver"). Given that they have been called unconditionally since
    then presumably without any issues, removing the always true if
    statements to fix the warnings without any real world changes.
    
    Link: https://github.com/ClangBuiltLinux/linux/issues/119
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6c6ccfb816582ea3331f474dc545cb53e967f7f4
Author: Borislav Petkov <bp@suse.de>
Date:   Mon Oct 8 10:05:20 2018 +0200

    proc/vmcore: Fix i386 build error of missing copy_oldmem_page_encrypted()
    
    [ Upstream commit cf089611f4c446285046fcd426d90c18f37d2905 ]
    
    Lianbo reported a build error with a particular 32-bit config, see Link
    below for details.
    
    Provide a weak copy_oldmem_page_encrypted() function which architectures
    can override, in the same manner other functionality in that file is
    supplied.
    
    Reported-by: Lianbo Jiang <lijiang@redhat.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    CC: x86@kernel.org
    Link: http://lkml.kernel.org/r/710b9d95-2f70-eadf-c4a1-c3dc80ee4ebb@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d6767e1f8eedaf6c635ead453e91629885ce4f5c
Author: Shenghui Wang <shhuiw@foxmail.com>
Date:   Mon Oct 8 20:41:15 2018 +0800

    bcache: recal cached_dev_sectors on detach
    
    [ Upstream commit 46010141da6677b81cc77f9b47f8ac62bd1cbfd3 ]
    
    Recal cached_dev_sectors on cached_dev detached, as recal done on
    cached_dev attached.
    
    Update the cached_dev_sectors before bcache_device_detach called
    as bcache_device_detach will set bcache_device->c to NULL.
    
    Signed-off-by: Shenghui Wang <shhuiw@foxmail.com>
    Signed-off-by: Coly Li <colyli@suse.de>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c0dea2024671239aa31b4921e61fab67295d1517
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 8 12:57:36 2018 +0200

    fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
    
    [ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ]
    
    The "index + count" addition can overflow.  Both come directly from the
    user.  This bug leads to an information leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: Peter Malone <peter.malone@gmail.com>
    Cc: Philippe Ombredanne <pombredanne@nexb.com>
    Cc: Mathieu Malaterre <malat@debian.org>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6fc10fb9663d45eaafc353bcfae09badb8585a7f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 8 12:57:36 2018 +0200

    fbdev: sbuslib: use checked version of put_user()
    
    [ Upstream commit d8bad911e5e55e228d59c0606ff7e6b8131ca7bf ]
    
    I'm not sure why the code assumes that only the first put_user() needs
    an access_ok() check.  I have made all the put_user() and get_user()
    calls checked.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: Philippe Ombredanne <pombredanne@nexb.com>
    Cc: Mathieu Malaterre <malat@debian.org>
    Cc: Peter Malone <peter.malone@gmail.com>,
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 682e2ea0ca94e4cd8d244fd6c276ab3f6d9c51ab
Author: Ronald Tschalär <ronald@innovation.ch>
Date:   Sun Sep 30 19:53:13 2018 -0700

    ACPI / SBS: Fix rare oops when removing modules
    
    [ Upstream commit 757c968c442397f1249bb775a7c8c03842e3e0c7 ]
    
    There was a small race when removing the sbshc module where
    smbus_alarm() had queued acpi_smbus_callback() for deferred execution
    but it hadn't been run yet, so that when it did run hc had been freed
    and the module unloaded, resulting in an invalid paging request.
    
    A similar race existed when removing the sbs module with regards to
    acpi_sbs_callback() (which is called from acpi_smbus_callback()).
    
    We therefore need to ensure no callbacks are pending or executing before
    the cleanups are done and the modules are removed.
    
    Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b88fa52436cf15db28e65b75e9ed6fc5a4d9b0ab
Author: Radu Solea <radu.solea@nxp.com>
Date:   Tue Oct 2 19:01:52 2018 +0000

    crypto: mxs-dcp - Fix AES issues
    
    [ Upstream commit fadd7a6e616b89c7f4f7bfa7b824f290bab32c3c ]
    
    The DCP driver does not obey cryptlen, when doing android CTS this
    results in passing to hardware input stream lengths which are not
    multiple of block size.
    
    Add a check to prevent future erroneous stream lengths from reaching the
    hardware and adjust the scatterlist walking code to obey cryptlen.
    
    Also properly copy-out the IV for chaining.
    
    Signed-off-by: Radu Solea <radu.solea@nxp.com>
    Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
    Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 33378afbd12b2e7f10b911dd2869b0ff7b21b1ed
Author: Radu Solea <radu.solea@nxp.com>
Date:   Tue Oct 2 19:01:50 2018 +0000

    crypto: mxs-dcp - Fix SHA null hashes and output length
    
    [ Upstream commit c709eebaf5c5faa8a0f140355f9cfe67e8f7afb1 ]
    
    DCP writes at least 32 bytes in the output buffer instead of hash length
    as documented. Add intermediate buffer to prevent write out of bounds.
    
    When requested to produce null hashes DCP fails to produce valid output.
    Add software workaround to bypass hardware and return valid output.
    
    Signed-off-by: Radu Solea <radu.solea@nxp.com>
    Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 429382a0177819b65b2ff641c04fbd557cbb848a
Author: Borislav Petkov <bp@suse.de>
Date:   Fri Oct 5 15:13:07 2018 +0200

    x86/olpc: Fix build error with CONFIG_MFD_CS5535=m
    
    [ Upstream commit fa112cf1e8bc693d5a666b1c479a2859c8b6e0f1 ]
    
    When building a 32-bit config which has the above MFD item as module
    but OLPC_XO1_PM is enabled =y - which is bool, btw - the kernel fails
    building with:
    
      ld: arch/x86/platform/olpc/olpc-xo1-pm.o: in function `xo1_pm_remove':
      /home/boris/kernel/linux/arch/x86/platform/olpc/olpc-xo1-pm.c:159: undefined reference to `mfd_cell_disable'
      ld: arch/x86/platform/olpc/olpc-xo1-pm.o: in function `xo1_pm_probe':
      /home/boris/kernel/linux/arch/x86/platform/olpc/olpc-xo1-pm.c:133: undefined reference to `mfd_cell_enable'
      make: *** [Makefile:1030: vmlinux] Error 1
    
    Force MFD_CS5535 to y if OLPC_XO1_PM is enabled.
    
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Cc: Lubomir Rintel <lkundrak@v3.sk>
    Cc: x86@kernel.org
    Link: http://lkml.kernel.org/r/20181005131750.GA5366@zn.tnic
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 12b6054e29f4254b79f17d5ac973271865606613
Author: Martin Kepplinger <martink@posteo.de>
Date:   Fri Oct 5 11:44:45 2018 -0700

    Input: st1232 - set INPUT_PROP_DIRECT property
    
    [ Upstream commit 20bbb312079494a406c10c90932e3c80837c9d94 ]
    
    This is how userspace checks for touchscreen devices most reliably.
    
    Signed-off-by: Martin Kepplinger <martink@posteo.de>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9a8fb6b85ba142d0b02046eb30ee2c56e0607ec7
Author: Rami Rosen <ramirose@gmail.com>
Date:   Fri Oct 5 00:03:10 2018 +0300

    dmaengine: ioat: fix prototype of ioat_enumerate_channels
    
    [ Upstream commit f4d34aa8c887a8a2d23ef546da0efa10e3f77241 ]
    
    Signed-off-by: Rami Rosen <ramirose@gmail.com>
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f3ec47899154bd64ac393203a4b0e67691f9bc7f
Author: Olga Kornievskaia <kolga@netapp.com>
Date:   Thu Oct 4 14:45:00 2018 -0400

    NFSv4.x: fix lock recovery during delegation recall
    
    [ Upstream commit 44f411c353bf6d98d5a34f8f1b8605d43b2e50b8 ]
    
    Running "./nfstest_delegation --runtest recall26" uncovers that
    client doesn't recover the lock when we have an appending open,
    where the initial open got a write delegation.
    
    Instead of checking for the passed in open context against
    the file lock's open context. Check that the state is the same.
    
    Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0deab3d2d62d51aaa26971f641262d8e32c180a0
Author: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Date:   Thu Sep 27 14:59:49 2018 +0000

    brcmfmac: fix full timeout waiting for action frame on-channel tx
    
    [ Upstream commit fbf07000960d9c8a13fdc17c6de0230d681c7543 ]
    
    The driver sends an action frame down and waits for a completion signal
    triggered by the received BRCMF_E_ACTION_FRAME_OFF_CHAN_COMPLETE event
    to continue the process. However, the action frame could be transmitted
    either on the current channel or on an off channel. For the on-channel
    case, only BRCMF_E_ACTION_FRAME_COMPLETE event will be received when
    the frame is transmitted, which make the driver always wait a full
    timeout duration. This patch has the completion signal be triggered by
    receiving the BRCMF_E_ACTION_FRAME_COMPLETE event for the on-channel
    case.
    
    This change fixes WFA p2p certification 5.1.19 failure.
    
    Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
    Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 45a948f3b3dfc905f8520837cb9e9c46c53fe865
Author: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Date:   Thu Oct 4 15:34:45 2018 +0200

    mtd: physmap_of: Release resources on error
    
    [ Upstream commit ef0de747f7ad179c7698a5b0e28db05f18ecbf57 ]
    
    During probe, if there was an error the memory region and the memory
    map were not properly released.This can lead a system unusable if
    deferred probe is in use.
    
    Replace mem_request and map with devm_ioremap_resource
    
    Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
    Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3983567fba3c597c81acab72ef071782103e369d
Author: Johan Hovold <johan@kernel.org>
Date:   Sun Sep 30 18:03:11 2018 +0200

    USB: serial: cypress_m8: fix interrupt-out transfer length
    
    [ Upstream commit 56445eef55cb5904096fed7a73cf87b755dfffc7 ]
    
    Fix interrupt-out transfer length which was being set to the
    transfer-buffer length rather than the size of the outgoing packet.
    
    Note that no slab data was leaked as the whole transfer buffer is always
    cleared before each transfer.
    
    Fixes: 9aa8dae7b1fa ("cypress_m8: use usb_fill_int_urb where appropriate")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 54a1440e13e5fc7ed1b443deacf9630c25bd924c
Author: Cameron Kaiser <spectre@floodgap.com>
Date:   Tue Jul 31 07:39:21 2018 -0700

    KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR
    
    [ Upstream commit 1006284c5e411872333967b1970c2ca46a9e225f ]
    
    When an OS (currently only classic Mac OS) is running in KVM-PR and makes a
    linked jump from code with split hack addressing enabled into code that does
    not, LR is not correctly updated and reflects the previously munged PC.
    
    To fix this, this patch undoes the address munge when exiting split
    hack mode so that code relying on LR being a proper address will now
    execute. This does not affect OS X or other operating systems running
    on KVM-PR.
    
    Signed-off-by: Cameron Kaiser <spectre@floodgap.com>
    Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3ab6458a1cdfdbf3f2a7e483c2c9ebe07d79040d
Author: Michael Pobega <mpobega@neverware.com>
Date:   Thu Oct 4 14:58:21 2018 -0400

    ALSA: hda/sigmatel - Disable automute for Elo VuPoint
    
    [ Upstream commit d153135e93a50cdb6f1b52e238909e9965b56056 ]
    
    The Elo VuPoint 15MX has two headphone jacks of which neither work by
    default. Disabling automute allows ALSA to work normally with the
    speakers & left headphone jack.
    
    Future pin configuration changes may be required in the future to get
    the right headphone jack working in tandem.
    
    Signed-off-by: Michael Pobega <mpobega@neverware.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c4503c8ec56d38c17052e2129668f3b454559c58
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Wed Oct 3 19:37:54 2018 -0700

    ata: ep93xx: Use proper enums for directions
    
    [ Upstream commit 6adde4a36f1b6a562a1057fbb1065007851050e7 ]
    
    Clang warns when one enumerated type is implicitly converted to another.
    
    drivers/ata/pata_ep93xx.c:662:36: warning: implicit conversion from
    enumeration type 'enum dma_data_direction' to different enumeration type
    'enum dma_transfer_direction' [-Wenum-conversion]
            drv_data->dma_rx_data.direction = DMA_FROM_DEVICE;
                                            ~ ^~~~~~~~~~~~~~~
    drivers/ata/pata_ep93xx.c:670:36: warning: implicit conversion from
    enumeration type 'enum dma_data_direction' to different enumeration type
    'enum dma_transfer_direction' [-Wenum-conversion]
            drv_data->dma_tx_data.direction = DMA_TO_DEVICE;
                                            ~ ^~~~~~~~~~~~~
    drivers/ata/pata_ep93xx.c:681:19: warning: implicit conversion from
    enumeration type 'enum dma_data_direction' to different enumeration type
    'enum dma_transfer_direction' [-Wenum-conversion]
            conf.direction = DMA_FROM_DEVICE;
                           ~ ^~~~~~~~~~~~~~~
    drivers/ata/pata_ep93xx.c:692:19: warning: implicit conversion from
    enumeration type 'enum dma_data_direction' to different enumeration type
    'enum dma_transfer_direction' [-Wenum-conversion]
            conf.direction = DMA_TO_DEVICE;
                           ~ ^~~~~~~~~~~~~
    
    Use the equivalent valued enums from the expected type so that Clang no
    longer warns about a conversion.
    
    DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1
    DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2
    
    Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 74a73932b86186a801b5f6188c14872a9cc8e285
Author: Wei Yongjun <weiyongjun1@huawei.com>
Date:   Sat Sep 29 03:55:16 2018 +0000

    IB/mthca: Fix error return code in __mthca_init_one()
    
    [ Upstream commit 39f2495618c5e980d2873ea3f2d1877dd253e07a ]
    
    Fix to return a negative error code from the mthca_cmd_init() error
    handling case instead of 0, as done elsewhere in this function.
    
    Fixes: 80fd8238734c ("[PATCH] IB/mthca: Encapsulate command interface init")
    Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 957758e16f996f46e53227a0c5ab036bf5683c96
Author: Radoslaw Tyl <radoslawx.tyl@intel.com>
Date:   Mon Sep 24 09:24:20 2018 +0200

    ixgbe: Fix crash with VFs and flow director on interface flap
    
    [ Upstream commit 5d826d209164b0752c883607be4cdbbcf7cab494 ]
    
    This patch fix crash when we have restore flow director filters after reset
    adapter. In ixgbe_fdir_filter_restore() filter->action is outside of the
    rx_ring array, as it has a VF identifier in the upper 32 bits.
    
    Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a43519c4322f290d2fcb0bead44a9af392407ab6
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Thu Sep 20 16:30:25 2018 -0700

    mtd: rawnand: sh_flctl: Use proper enum for flctl_dma_fifo0_transfer
    
    [ Upstream commit e2bfa4ca23d9b5a7bdfcf21319fad9b59e38a05c ]
    
    Clang warns when one enumerated type is converted implicitly to another:
    
    drivers/mtd/nand/raw/sh_flctl.c:483:46: warning: implicit conversion
    from enumeration type 'enum dma_transfer_direction' to different
    enumeration type 'enum dma_data_direction' [-Wenum-conversion]
                    flctl_dma_fifo0_transfer(flctl, buf, rlen, DMA_DEV_TO_MEM) > 0)
                    ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~
    drivers/mtd/nand/raw/sh_flctl.c:542:46: warning: implicit conversion
    from enumeration type 'enum dma_transfer_direction' to different
    enumeration type 'enum dma_data_direction' [-Wenum-conversion]
                    flctl_dma_fifo0_transfer(flctl, buf, rlen, DMA_MEM_TO_DEV) > 0)
                    ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~
    2 warnings generated.
    
    Use the proper enums from dma_data_direction to satisfy Clang.
    
    DMA_MEM_TO_DEV = DMA_TO_DEVICE = 1
    DMA_DEV_TO_MEM = DMA_FROM_DEVICE = 2
    
    Reported-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 95ce46919f513a5226e76c4d0d2170d0ec8710c4
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Sep 27 13:40:58 2018 +0530

    powerpc/pseries: Fix how we iterate over the DTL entries
    
    [ Upstream commit 9258227e9dd1da8feddb07ad9702845546a581c9 ]
    
    When CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set, we look up dtl_idx in
    the lppaca to determine the number of entries in the buffer. Since
    lppaca is in big endian, we need to do an endian conversion before using
    this in our calculation to determine the number of entries in the
    buffer. Without this, we do not iterate over the existing entries in the
    DTL buffer properly.
    
    Fixes: 7c105b63bd98 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.")
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit eb6ad2c2713691db9d3a2fa084395b1d0fd0ccde
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Sep 27 13:40:57 2018 +0530

    powerpc/pseries: Fix DTL buffer registration
    
    [ Upstream commit db787af1b8a6b4be428ee2ea7d409dafcaa4a43c ]
    
    When CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set, we register the DTL
    buffer for a cpu when the associated file under powerpc/dtl in debugfs
    is opened. When doing so, we need to set the size of the buffer being
    registered in the second u32 word of the buffer. This needs to be in big
    endian, but we are not doing the conversion resulting in the below error
    showing up in dmesg:
    
            dtl_start: DTL registration for cpu 0 (hw 0) failed with -4
    
    Fix this in the obvious manner.
    
    Fixes: 7c105b63bd98 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.")
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e045a47841c9f0437b95196afd2bcdc949527fa8
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Sun Sep 30 20:47:38 2018 -0700

    cxgb4: Use proper enum in IEEE_FAUX_SYNC
    
    [ Upstream commit 258b6d141878530ba1f8fc44db683822389de914 ]
    
    Clang warns when one enumerated type is implicitly converted to another.
    
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.c:390:4: warning: implicit
    conversion from enumeration type 'enum cxgb4_dcb_state' to different
    enumeration type 'enum cxgb4_dcb_state_input' [-Wenum-conversion]
                            IEEE_FAUX_SYNC(dev, dcb);
                            ^~~~~~~~~~~~~~~~~~~~~~~~
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.h:70:10: note: expanded
    from macro 'IEEE_FAUX_SYNC'
                                                CXGB4_DCB_STATE_FW_ALLSYNCED);
                                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Use the equivalent value of the expected type to silence Clang while
    resulting in no functional change.
    
    CXGB4_DCB_STATE_FW_ALLSYNCED = CXGB4_DCB_INPUT_FW_ALLSYNCED = 3
    
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5ae0133d65b32d41a47e620bc938be1d395bd698
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Sun Sep 30 20:51:43 2018 -0700

    cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update
    
    [ Upstream commit 3b0b8f0d9a259f6a428af63e7a77547325f8e081 ]
    
    Clang warns when one enumerated type is implicitly converted to another.
    
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.c:303:7: warning: implicit
    conversion from enumeration type 'enum cxgb4_dcb_state' to different
    enumeration type 'enum cxgb4_dcb_state_input' [-Wenum-conversion]
                             ? CXGB4_DCB_STATE_FW_ALLSYNCED
                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_dcb.c:304:7: warning: implicit
    conversion from enumeration type 'enum cxgb4_dcb_state' to different
    enumeration type 'enum cxgb4_dcb_state_input' [-Wenum-conversion]
                             : CXGB4_DCB_STATE_FW_INCOMPLETE);
                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    2 warnings generated.
    
    Use the equivalent value of the expected type to silence Clang while
    resulting in no functional change.
    
    CXGB4_DCB_STATE_FW_INCOMPLETE = CXGB4_DCB_INPUT_FW_INCOMPLETE = 2
    CXGB4_DCB_STATE_FW_ALLSYNCED = CXGB4_DCB_INPUT_FW_ALLSYNCED = 3
    
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d094c54945e3a0c247aa458e8322e35b8cb1cd00
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 1 19:44:41 2018 +0300

    mei: samples: fix a signedness bug in amt_host_if_call()
    
    [ Upstream commit 185647813cac080453cb73a2e034a8821049f2a7 ]
    
    "out_buf_sz" needs to be signed for the error handling to work.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 208302af92112ff13cd47e2e6902fc365326c588
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Tue Sep 11 16:20:25 2018 -0700

    dmaengine: timb_dma: Use proper enum in td_prep_slave_sg
    
    [ Upstream commit 5e621f5d538985f010035c6f3e28c22829d36db1 ]
    
    Clang warns when implicitly converting from one enumerated type to
    another. Avoid this by using the equivalent value from the expected
    type.
    
    drivers/dma/timb_dma.c:548:27: warning: implicit conversion from
    enumeration type 'enum dma_transfer_direction' to different enumeration
    type 'enum dma_data_direction' [-Wenum-conversion]
                    td_desc->desc_list_len, DMA_MEM_TO_DEV);
                                            ^~~~~~~~~~~~~~
    1 warning generated.
    
    Reported-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1d6b58f039f159cc81ad7bdcb142c85f5ac988a1
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Tue Sep 11 16:40:20 2018 -0700

    dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction
    
    [ Upstream commit 9524d6b265f9b2b9a61fceb2ee2ce1c2a83e39ca ]
    
    Clang warns when implicitly converting from one enumerated type to
    another. Avoid this by using the equivalent value from the expected
    type.
    
    In file included from drivers/dma/ep93xx_dma.c:30:
    ./include/linux/platform_data/dma-ep93xx.h:88:10: warning: implicit
    conversion from enumeration type 'enum dma_data_direction' to different
    enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
                    return DMA_NONE;
                    ~~~~~~ ^~~~~~~~
    1 warning generated.
    
    Reported-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 97779e462452963e51b1c559da1d8bd807b4ab57
Author: Andrew Zaborowski <andrew.zaborowski@intel.com>
Date:   Mon Sep 24 18:10:22 2018 +0200

    nl80211: Fix a GET_KEY reply attribute
    
    [ Upstream commit efdfce7270de85a8706d1ea051bef3a7486809ff ]
    
    Use the NL80211_KEY_IDX attribute inside the NL80211_ATTR_KEY in
    NL80211_CMD_GET_KEY responses to comply with nl80211_key_policy.
    This is unlikely to affect existing userspace.
    
    Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c3f29441b1035c23f5ae1d775d2a09c97ceb6a04
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Date:   Sat Sep 15 11:04:40 2018 +0800

    usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status()
    
    [ Upstream commit 2337a77c1cc86bc4e504ecf3799f947659c86026 ]
    
    The driver may sleep in an interrupt handler.
    The function call path (from bottom to top) in Linux-4.17 is:
    
    [FUNC] fotg210_ep_queue(GFP_KERNEL)
    drivers/usb/gadget/udc/fotg210-udc.c, 744:
            fotg210_ep_queue in fotg210_get_status
    drivers/usb/gadget/udc/fotg210-udc.c, 768:
            fotg210_get_status in fotg210_setup_packet
    drivers/usb/gadget/udc/fotg210-udc.c, 949:
            fotg210_setup_packet in fotg210_irq (interrupt handler)
    
    To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
    If possible, spin_unlock() and spin_lock() around fotg210_ep_queue()
    can be also removed.
    
    This bug is found by my static analysis tool DSAC.
    
    Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6a9820f17c104598a19ae93cfe6fbf58e937c2d7
Author: Simon Wunderlich <sw@simonwunderlich.de>
Date:   Mon Oct 1 17:26:59 2018 +0300

    ath9k: fix reporting calculated new FFT upper max
    
    [ Upstream commit 4fb5837ac2bd46a85620b297002c704e9958f64d ]
    
    Since the debug print code is outside of the loop, it shouldn't use the loop
    iterator anymore but instead print the found maximum index.
    
    Cc: Nick Kossifidis <mickflemm@gmail.com>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e12df1dc496b986201586e3dc4ae03533c246651
Author: Ben Greear <greearb@candelatech.com>
Date:   Thu Sep 6 19:46:20 2018 +0300

    ath10k: fix vdev-start timeout on error
    
    [ Upstream commit 833fd34d743c728afe6d127ef7bee67e7d9199a8 ]
    
    The vdev-start-response message should cause the
    completion to fire, even in the error case.  Otherwise,
    the user still gets no useful information and everything
    is blocked until the timeout period.
    
    Add some warning text to print out the invalid status
    code to aid debugging, and propagate failure code.
    
    Signed-off-by: Ben Greear <greearb@candelatech.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 20cebfcc831224655050a9a1fe837997067e7179
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Sat Sep 8 22:09:48 2018 -0400

    SUNRPC: Fix priority queue fairness
    
    [ Upstream commit f42f7c283078ce3c1e8368b140e270755b1ae313 ]
    
    Fix up the priority queue to not batch by owner, but by queue, so that
    we allow '1 << priority' elements to be dequeued before switching to
    the next priority queue.
    The owner field is still used to wake up requests in round robin order
    by owner to avoid single processes hogging the RPC layer by loading the
    queues.
    
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8669a2782c055ac090fe51b672f669b73685b716
Author: Jaegeuk Kim <jaegeuk@kernel.org>
Date:   Tue Sep 25 15:25:21 2018 -0700

    f2fs: return correct errno in f2fs_gc
    
    [ Upstream commit 61f7725aa148ee870436a29d3a24d5c00ab7e9af ]
    
    This fixes overriding error number in f2fs_gc.
    
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e50b2964e3830b707fdadda1b4b47cd175672b42
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Wed Sep 26 17:15:38 2018 +0800

    net: ovs: fix return type of ndo_start_xmit function
    
    [ Upstream commit eddf11e18dff0e8671e06ce54e64cfc843303ab9 ]
    
    The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
    which is a typedef for an enum type, so make sure the implementation in
    this driver has returns 'netdev_tx_t' value, and change the function
    return type to netdev_tx_t.
    
    Found by coccinelle.
    
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5d784a2d4a0e302f51f6d96f44f5c21de47d6f19
Author: Jens Axboe <axboe@kernel.dk>
Date:   Wed Aug 7 12:20:52 2019 -0600

    libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
    
    commit 2d7271501720038381d45fb3dcbe4831228fc8cc upstream.
    
    For passthrough requests, libata-scsi takes what the user passes in
    as gospel. This can be problematic if the user fills in the CDB
    incorrectly. One example of that is in request sizes. For read/write
    commands, the CDB contains fields describing the transfer length of
    the request. These should match with the SG_IO header fields, but
    libata-scsi currently does no validation of that.
    
    Check that the number of blocks in the CDB for passthrough requests
    matches what was mapped into the request. If the CDB asks for more
    data then the validated SG_IO header fields, error it.
    
    Reported-by: Krishna Ram Prakash R <krp@gtux.in>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 642fa50e555d2cb7812cdc470257b0251a3947af
Author: Christoph Hellwig <hch@lst.de>
Date:   Tue Jan 31 16:57:29 2017 +0100

    block: introduce blk_rq_is_passthrough
    
    commit 57292b58ddb58689e8c3b4c6eadbef10d9ca44dd upstream.
    
    This can be used to check for fs vs non-fs requests and basically
    removes all knowledge of BLOCK_PC specific from the block layer,
    as well as preparing for removing the cmd_type field in struct request.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    [only take the blkdev.h changes as we only want the function for backported
    patches - gregkh]
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b4ca3857b8e7bc876453c24ad0e76bf744ef8af0
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Sun Jul 21 22:19:56 2019 +0200

    fbdev: Ditch fb_edid_add_monspecs
    
    commit 3b8720e63f4a1fc6f422a49ecbaa3b59c86d5aaf upstream.
    
    It's dead code ever since
    
    commit 34280340b1dc74c521e636f45cd728f9abf56ee2
    Author: Geert Uytterhoeven <geert+renesas@glider.be>
    Date:   Fri Dec 4 17:01:43 2015 +0100
    
        fbdev: Remove unused SH-Mobile HDMI driver
    
    Also with this gone we can remove the cea_modes db. This entire thing
    is massively incomplete anyway, compared to the CEA parsing that
    drm_edid.c does.
    
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Tavis Ormandy <taviso@gmail.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20190721201956.941-1-daniel.vetter@ffwll.ch
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 91b8ab30ff542397483f8095736cbfdd23582c5c
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Fri Dec 4 17:01:43 2015 +0100

    fbdev: Remove unused SH-Mobile HDMI driver
    
    commit 34280340b1dc74c521e636f45cd728f9abf56ee2 upstream.
    
    As of commit 44d88c754e57a6d9 ("ARM: shmobile: Remove legacy SoC code
    for R-Mobile A1"), the SH-Mobile HDMI driver is no longer used.
    In theory it could still be used on R-Mobile A1 SoCs, but that requires
    adding DT support to the driver, which is not planned.
    
    Remove the driver, it can be resurrected from git history when needed.
    
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Acked-by: Simon Horman <horms+renesas@verge.net.au>
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b309cbd6fedf493267751558e3181a0c8995d44
Author: Masami Hiramatsu <mhiramat@kernel.org>
Date:   Wed May 9 21:58:45 2018 +0900

    uprobes/x86: Prohibit probing on MOV SS instruction
    
    commit 13ebe18c94f5b0665c01ae7fad2717ae959f4212 upstream.
    
    Since MOV SS and POP SS instructions will delay the exceptions until the
    next instruction is executed, single-stepping on it by uprobes must be
    prohibited.
    
    uprobe already rejects probing on POP SS (0x1f), but allows probing on MOV
    SS (0x8e and reg == 2).  This checks the target instruction and if it is
    MOV SS or POP SS, returns -ENOTSUPP to reject probing.
    
    Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
    Cc: Francis Deslauriers <francis.deslauriers@efficios.com>
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: "H . Peter Anvin" <hpa@zytor.com>
    Cc: Yonghong Song <yhs@fb.com>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: "David S . Miller" <davem@davemloft.net>
    Link: https://lkml.kernel.org/r/152587072544.17316.5950935243917346341.stgit@devbox
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7ea99b43ef29e13c77dea15332c2ad8f3216ee93
Author: Masami Hiramatsu <mhiramat@kernel.org>
Date:   Wed May 9 21:58:15 2018 +0900

    kprobes/x86: Prohibit probing on exception masking instructions
    
    commit ee6a7354a3629f9b65bc18dbe393503e9440d6f5 upstream.
    
    Since MOV SS and POP SS instructions will delay the exceptions until the
    next instruction is executed, single-stepping on it by kprobes must be
    prohibited.
    
    However, kprobes usually executes those instructions directly on trampoline
    buffer (a.k.a. kprobe-booster), except for the kprobes which has
    post_handler. Thus if kprobe user probes MOV SS with post_handler, it will
    do single-stepping on the MOV SS.
    
    This means it is safe that if it is used via ftrace or perf/bpf since those
    don't use the post_handler.
    
    Anyway, since the stack switching is a rare case, it is safer just
    rejecting kprobes on such instructions.
    
    Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
    Cc: Francis Deslauriers <francis.deslauriers@efficios.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: "H . Peter Anvin" <hpa@zytor.com>
    Cc: Yonghong Song <yhs@fb.com>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: "David S . Miller" <davem@davemloft.net>
    Link: https://lkml.kernel.org/r/152587069574.17316.3311695234863248641.stgit@devbox
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 04b029c35949ab52b389f9b3ac06d3517eb8e035
Author: John Johansen <john.johansen@canonical.com>
Date:   Wed Jun 22 18:01:08 2016 -0700

    apparmor: fix module parameters can be changed after policy is locked
    
    commit 58acf9d911c8831156634a44d0b022d683e1e50c upstream.
    
    the policy_lock parameter is a one way switch that prevents policy
    from being further modified. Unfortunately some of the module parameters
    can effectively modify policy by turning off enforcement.
    
    split policy_admin_capable into a view check and a full admin check,
    and update the admin check to test the policy_lock parameter.
    
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e6dec86bcd4e8f39ab577431f346f6ad2b23af2
Author: John Johansen <john.johansen@canonical.com>
Date:   Fri Jul 25 04:01:56 2014 -0700

    apparmor: fix update the mtime of the profile file on replacement
    
    commit d671e890205a663429da74e1972e652bea4d73ab upstream.
    
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Acked-by: Seth Arnold <seth.arnold@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1c374c2c1a1a52cab1c1cd4260af0d77ffdc81f2
Author: John Johansen <john.johansen@canonical.com>
Date:   Sun Jun 8 11:20:54 2014 -0700

    apparmor: fix uninitialized lsm_audit member
    
    commit b6b1b81b3afba922505b57f4c812bba022f7c4a9 upstream.
    
    BugLink: http://bugs.launchpad.net/bugs/1268727
    
    The task field in the lsm_audit struct needs to be initialized if
    a change_hat fails, otherwise the following oops will occur
    
    BUG: unable to handle kernel paging request at 0000002fbead7d08
    IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
    PGD 1e3f35067 PUD 0
    Oops: 0002 [#1] SMP
    Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
    CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF          O 3.13.0-7-generic #25-Ubuntu
    Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
    task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
    RIP: 0010:[<ffffffff8171153e>]  [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
    RSP: 0018:ffff880212987b68  EFLAGS: 00010006
    RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
    RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
    RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
    R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
    R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
    FS:  00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
    Stack:
     ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
     0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
     0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
    Call Trace:
     [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
     [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
     [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
     [<ffffffff81075fee>] send_sig_info+0x1e/0x30
     [<ffffffff8130242d>] aa_audit+0x13d/0x190
     [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
     [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
     [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
     [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
     [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
     [<ffffffff812cee56>] security_setprocattr+0x16/0x20
     [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
     [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
     [<ffffffff811b8039>] SyS_write+0x49/0xa0
     [<ffffffff8171a1bf>] tracesys+0xe1/0xe6
    
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Acked-by: Seth Arnold <seth.arnold@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 80989fa23c9f8766bb6c1dad6f673a77f860737a
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Wed Apr 24 13:38:23 2019 +0200

    x86/atomic: Fix smp_mb__{before,after}_atomic()
    
    commit 69d927bba39517d0980462efc051875b7f4db185 upstream.
    
    Recent probing at the Linux Kernel Memory Model uncovered a
    'surprise'. Strongly ordered architectures where the atomic RmW
    primitive implies full memory ordering and
    smp_mb__{before,after}_atomic() are a simple barrier() (such as x86)
    fail for:
    
            *x = 1;
            atomic_inc(u);
            smp_mb__after_atomic();
            r0 = *y;
    
    Because, while the atomic_inc() implies memory order, it
    (surprisingly) does not provide a compiler barrier. This then allows
    the compiler to re-order like so:
    
            atomic_inc(u);
            *x = 1;
            smp_mb__after_atomic();
            r0 = *y;
    
    Which the CPU is then allowed to re-order (under TSO rules) like:
    
            atomic_inc(u);
            r0 = *y;
            *x = 1;
    
    And this very much was not intended. Therefore strengthen the atomic
    RmW ops to include a compiler barrier.
    
    NOTE: atomic_{or,and,xor} and the bitops already had the compiler
    barrier.
    
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Jari Ruusu <jari.ruusu@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d940eddc823283d943eca72dd6672577c6fd2156
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Nov 13 21:28:31 2019 +0300

    net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
    
    commit a56dcc6b455830776899ce3686735f1172e12243 upstream.
    
    This code is supposed to test for negative error codes and partial
    reads, but because sizeof() is size_t (unsigned) type then negative
    error codes are type promoted to high positive values and the condition
    doesn't work as expected.
    
    Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c581f60b988679a40e801f9adeb5accc4c118d99
Author: Jouni Hogander <jouni.hogander@unikie.com>
Date:   Wed Nov 13 12:08:01 2019 +0200

    slcan: Fix memory leak in error path
    
    commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.
    
    This patch is fixing memory leak reported by Syzkaller:
    
    BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
      comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
      hex dump (first 32 bytes):
        73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      backtrace:
        [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
        [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
        [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
        [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
        [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
        [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
        [<000000004de5a617>] tty_ioctl+0x48d/0x1590
        [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
        [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
        [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
        [<0000000053d0332e>] do_syscall_64+0x16f/0x580
        [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [<000000008ea75434>] 0xffffffffffffffff
    
    Cc: Wolfgang Grandegger <wg@grandegger.com>
    Cc: Marc Kleine-Budde <mkl@pengutronix.de>
    Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
    Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Cc: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 905bf98eb3381615bda17951fddb48076588e0b5
Author: zhong jiang <zhongjiang@huawei.com>
Date:   Mon Nov 18 11:26:09 2019 +0800

    memfd: Use radix_tree_deref_slot_protected to avoid the warning.
    
    The commit eb4058d8daf8 ("memfd: Fix locking when tagging pins")
    introduces the following warning messages.
    
    *WARNING: suspicious RCU usage in memfd_wait_for_pins*
    
    It is because we still use radix_tree_deref_slot without read_rcu_lock.
    We should use radix_tree_deref_slot_protected instead in the case.
    
    Cc: stable@vger.kernel.org
    Fixes: eb4058d8daf8 ("memfd: Fix locking when tagging pins")
    Signed-off-by: zhong jiang <zhongjiang@huawei.com>
    Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 29d9c5714096a47ed8d2a1632e382c949b089563
Author: Kefeng Wang <wangkefeng.wang@huawei.com>
Date:   Sat Feb 23 12:33:27 2019 +0800

    Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
    
    commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.
    
    task A:                                task B:
    hci_uart_set_proto                     flush_to_ldisc
     - p->open(hu) -> h5_open  //alloc h5  - receive_buf
     - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
     - hci_uart_register_dev                 - tty_ldisc_receive_buf
                                              - hci_uart_tty_receive
                                               - test_bit HCI_UART_PROTO_READY
                                                - h5_recv
     - clear_bit HCI_UART_PROTO_READY             while() {
     - p->open(hu) -> h5_close //free h5
                                                  - h5_rx_3wire_hdr
                                                   - h5_reset()  //use-after-free
                                                  }
    
    It could use ioctl to set hci uart proto, but there is
    a use-after-free issue when hci_uart_register_dev() fail in
    hci_uart_set_proto(), see stack above, fix this by setting
    HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
    return success.
    
    Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
    Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
    Reviewed-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Cc: Ralph Siemsen <ralph.siemsen@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eec0a9e1ca410b02de831b1795848e360672a9bc
Author: Loic Poulain <loic.poulain@intel.com>
Date:   Mon Apr 4 10:48:13 2016 +0200

    Bluetooth: hci_ldisc: Fix null pointer derefence in case of early data
    
    commit 84cb3df02aea4b00405521e67c4c67c2d525c364 upstream.
    
    HCI_UART_PROTO_SET flag is set before hci_uart_set_proto call. If we
    receive data from tty layer during this procedure, proto pointer may
    not be assigned yet, leading to null pointer dereference in rx method
    hci_uart_tty_receive.
    
    This patch fixes this issue by introducing HCI_UART_PROTO_READY flag in
    order to avoid any proto operation before proto opening and assignment.
    
    Signed-off-by: Loic Poulain <loic.poulain@intel.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Cc: Ralph Siemsen <ralph.siemsen@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 67f038ba9cb75fed99052f6e5b6f124a02db8162
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date:   Mon Aug 27 18:29:29 2018 +0300

    fuse: use READ_ONCE on congestion_threshold and max_background
    
    [ Upstream commit 2a23f2b8adbe4bd584f936f7ac17a99750eed9d7 ]
    
    Since they are of unsigned int type, it's allowed to read them
    unlocked during reporting to userspace. Let's underline this fact
    with READ_ONCE() macroses.
    
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3670e11857f936ab56338f70145ec0842a680447
Author: Rob Herring <robh@kernel.org>
Date:   Thu Sep 13 13:12:40 2018 -0500

    arm64: dts: amd: Fix SPI bus warnings
    
    [ Upstream commit e9f0878c4b2004ac19581274c1ae4c61ae3ca70e ]
    
    dtc has new checks for SPI buses. Fix the warnings in node names.
    
    arch/arm64/boot/dts/amd/amd-overdrive.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi'
    arch/arm64/boot/dts/amd/amd-overdrive-rev-b0.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi'
    arch/arm64/boot/dts/amd/amd-overdrive-rev-b1.dtb: Warning (spi_bus_bridge): /smb/ssp@e1030000: node name for SPI buses should be 'spi'
    
    Cc: Brijesh Singh <brijeshkumar.singh@amd.com>
    Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
    Cc: Tom Lendacky <thomas.lendacky@amd.com>
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 101125811f5bbc7bc90940bb184e3db4802ed4cc
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Tue Sep 4 13:39:22 2018 +0300

    Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS
    
    [ Upstream commit a5c3021bb62b970713550db3f7fd08aa70665d7e ]
    
    If the remote is not able to fully utilize the MPS choosen recalculate
    the credits based on the actual amount it is sending that way it can
    still send packets of MTU size without credits dropping to 0.
    
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d4740658aba1fdaf3b3de4ece52695b66bf27064
Author: Justin Ernst <justin.ernst@hpe.com>
Date:   Tue Sep 25 09:34:49 2018 -0500

    EDAC: Raise the maximum number of memory controllers
    
    [ Upstream commit 6b58859419554fb824e09cfdd73151a195473cbc ]
    
    We observe an oops in the skx_edac module during boot:
    
      EDAC MC0: Giving out device to module skx_edac controller Skylake Socket#0 IMC#0
      EDAC MC1: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1
      EDAC MC2: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0
      ...
      EDAC MC13: Giving out device to module skx_edac controller Skylake Socket#0 IMC#1
      EDAC MC14: Giving out device to module skx_edac controller Skylake Socket#1 IMC#0
      EDAC MC15: Giving out device to module skx_edac controller Skylake Socket#1 IMC#1
      Too many memory controllers: 16
      EDAC MC: Removed device 0 for skx_edac Skylake Socket#0 IMC#0
    
    We observe there are two memory controllers per socket, with a limit
    of 16. Raise the maximum number of memory controllers from 16 to 2 *
    MAX_NUMNODES (1024).
    
    [ bp: This is just a band-aid fix until we've sorted out the whole issue
      with the bus_type association and handling in EDAC and can get rid of
      this arbitrary limit. ]
    
    Signed-off-by: Justin Ernst <justin.ernst@hpe.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Acked-by: Russ Anderson <russ.anderson@hpe.com>
    Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
    Cc: linux-edac@vger.kernel.org
    Link: https://lkml.kernel.org/r/20180925143449.284634-1-justin.ernst@hpe.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 06da9c6f7c7e9aad4881cc300a616b98d88132e9
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Wed Sep 26 17:06:29 2018 +0800

    net: smsc: fix return type of ndo_start_xmit function
    
    [ Upstream commit 6323d57f335ce1490d025cacc83fc10b07792130 ]
    
    The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
    which is a typedef for an enum type, so make sure the implementation in
    this driver has returns 'netdev_tx_t' value, and change the function
    return type to netdev_tx_t.
    
    Found by coccinelle.
    
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit baa4ca05d975259dcea681dda16164c5779fabea
Author: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Date:   Fri Aug 31 18:37:43 2018 +0200

    ARM: tegra: apalis_t30: fix mmc1 cmd pull-up
    
    [ Upstream commit 1c997fe4becdc6fcbc06e23982ceb65621e6572a ]
    
    Fix MMC1 cmd pin pull-up causing issues on carrier boards without
    external pull-up.
    
    Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5aa891408eb1989b60f0c427ca87de31ec8bbaf7
Author: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Date:   Fri Aug 31 14:42:33 2018 +0200

    ARM: dts: tegra30: fix xcvr-setup-use-fuses
    
    [ Upstream commit 564706f65cda3de52b09e51feb423a43940fe661 ]
    
    There was a dot instead of a comma. Fix this.
    
    Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fdb5e9d2c2d3ad11b0a8edd6a2d6fc84aa87dc50
Author: Jason Yan <yanaijie@huawei.com>
Date:   Tue Sep 25 10:56:52 2018 +0800

    scsi: libsas: always unregister the old device if going to discover new
    
    [ Upstream commit 32c850bf587f993b2620b91e5af8a64a7813f504 ]
    
    If we went into sas_rediscover_dev() the attached_sas_addr was already insured
    not to be zero. So it's unnecessary to check if the attached_sas_addr is zero.
    
    And although if the sas address is not changed, we always have to unregister
    the old device when we are going to register a new one. We cannot just leave
    the device there and bring up the new.
    
    Signed-off-by: Jason Yan <yanaijie@huawei.com>
    CC: chenxiang <chenxiang66@hisilicon.com>
    CC: John Garry <john.garry@huawei.com>
    CC: Johannes Thumshirn <jthumshirn@suse.de>
    CC: Ewan Milne <emilne@redhat.com>
    CC: Christoph Hellwig <hch@lst.de>
    CC: Tomas Henzl <thenzl@redhat.com>
    CC: Dan Williams <dan.j.williams@intel.com>
    CC: Hannes Reinecke <hare@suse.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Reviewed-by: Hannes Reinecke <hare@suse.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ac370e3d1f3b01519d2705cd5815d1c9d0a8812b
Author: Li Qiang <liq3ea@gmail.com>
Date:   Tue Sep 25 13:01:27 2018 -0600

    vfio/pci: Fix potential memory leak in vfio_msi_cap_len
    
    [ Upstream commit 30ea32ab1951c80c6113f300fce2c70cd12659e4 ]
    
    Free allocated vdev->msi_perm in error path.
    
    Signed-off-by: Li Qiang <liq3ea@gmail.com>
    Reviewed-by: Eric Auger <eric.auger@redhat.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 76817839784fd1ea2efc9293c14979a43c834047
Author: zhong jiang <zhongjiang@huawei.com>
Date:   Thu Sep 20 10:29:13 2018 +0800

    misc: genwqe: should return proper error value.
    
    [ Upstream commit 02241995b004faa7d9ff628e97f24056190853f8 ]
    
    The function should return -EFAULT when copy_from_user fails. Even
    though the caller does not distinguish them. but we should keep backward
    compatibility.
    
    Signed-off-by: zhong jiang <zhongjiang@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dcfef35ef1a7371129fa964cddb3cc54359243cc
Author: Laura Abbott <labbott@redhat.com>
Date:   Tue Sep 11 10:44:03 2018 -0700

    misc: kgdbts: Fix restrict error
    
    [ Upstream commit fa0218ef733e6f247a1a3986e3eb12460064ac77 ]
    
    kgdbts current fails when compiled with restrict:
    
    drivers/misc/kgdbts.c: In function ‘configure_kgdbts’:
    drivers/misc/kgdbts.c:1070:2: error: ‘strcpy’ source argument is the same as destination [-Werror=restrict]
      strcpy(config, opt);
      ^~~~~~~~~~~~~~~~~~~
    
    As the error says, config is being used in both the source and destination.
    Refactor the code to avoid the extra copy and put the parsing closer to
    the actual location.
    
    Signed-off-by: Laura Abbott <labbott@redhat.com>
    Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cc3ec27ddebedbb76f8a3c586ecc3461e14a2cef
Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Date:   Fri Aug 10 15:44:57 2018 +0300

    usb: gadget: uvc: Only halt video streaming endpoint in bulk mode
    
    [ Upstream commit 8dbf9c7abefd5c1434a956d5c6b25e11183061a3 ]
    
    When USB requests for video data fail to be submitted, the driver
    signals a problem to the host by halting the video streaming endpoint.
    This is only valid in bulk mode, as isochronous transfers have no
    handshake phase and can't thus report a stall. The usb_ep_set_halt()
    call returns an error when using isochronous endpoints, which we happily
    ignore, but some UDCs complain in the kernel log. Fix this by only
    trying to halt the endpoint in bulk mode.
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
    Tested-by: Paul Elder <paul.elder@ideasonboard.com>
    Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e47af9e7c8f168a429df7ba111b907fffd6d253c
Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Date:   Fri Aug 10 15:42:03 2018 +0300

    usb: gadget: uvc: Factor out video USB request queueing
    
    [ Upstream commit 9d1ff5dcb3cd3390b1e56f1c24ae42c72257c4a3 ]
    
    USB requests for video data are queued from two different locations in
    the driver, with the same code block occurring twice. Factor it out to a
    function.
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
    Tested-by: Paul Elder <paul.elder@ideasonboard.com>
    Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 66fc927508a01f133ac164d637800c198834ab35
Author: Joel Pepper <joel.pepper@rwth-aachen.de>
Date:   Tue May 29 21:02:12 2018 +0200

    usb: gadget: uvc: configfs: Prevent format changes after linking header
    
    [ Upstream commit cb2200f7af8341aaf0c6abd7ba37e4c667c41639 ]
    
    While checks are in place to avoid attributes and children of a format
    being manipulated after the format is linked into the streaming header,
    the linked flag was never actually set, invalidating the protections.
    Update the flag as appropriate in the header link calls.
    
    Signed-off-by: Joel Pepper <joel.pepper@rwth-aachen.de>
    Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3adae6c6d3f4997f611751310b8df42166ea96d1
Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Date:   Thu Aug 2 00:14:00 2018 +0300

    usb: gadget: uvc: configfs: Drop leaked references to config items
    
    [ Upstream commit 86f3daed59bceb4fa7981d85e89f63ebbae1d561 ]
    
    Some of the .allow_link() and .drop_link() operations implementations
    call config_group_find_item() and then leak the reference to the
    returned item. Fix this by dropping those references where needed.
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ba863f0d77fb4af25355e28313f7735aff717aac
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Sat Sep 15 02:16:15 2018 -0400

    media: davinci: Fix implicit enum conversion warning
    
    [ Upstream commit 4158757395b300b6eb308fc20b96d1d231484413 ]
    
    Clang warns when one enumerated type is implicitly converted to another.
    
    drivers/media/platform/davinci/vpbe_display.c:524:24: warning: implicit
    conversion from enumeration type 'enum osd_v_exp_ratio' to different
    enumeration type 'enum osd_h_exp_ratio' [-Wenum-conversion]
                            layer_info->h_exp = V_EXP_6_OVER_5;
                                              ~ ^~~~~~~~~~~~~~
    1 warning generated.
    
    This appears to be a copy and paste error judging from the couple of
    lines directly above this statement and the way that height is handled
    in the if block above this one.
    
    Reported-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit af9f80fa1e5a5866bf511609c084434a14fd49af
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Date:   Sat Sep 1 07:44:09 2018 -0400

    media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init()
    
    [ Upstream commit 8d11eb847de7d89c2754988c944d51a4f63e219b ]
    
    The driver may sleep in a interrupt handler.
    
    The function call paths (from bottom to top) in Linux-4.16 are:
    
    [FUNC] kzalloc(GFP_KERNEL)
    drivers/media/pci/ivtv/ivtv-yuv.c, 938:
            kzalloc in ivtv_yuv_init
    drivers/media/pci/ivtv/ivtv-yuv.c, 960:
            ivtv_yuv_init in ivtv_yuv_next_free
    drivers/media/pci/ivtv/ivtv-yuv.c, 1126:
            ivtv_yuv_next_free in ivtv_yuv_setup_stream_frame
    drivers/media/pci/ivtv/ivtv-irq.c, 827:
            ivtv_yuv_setup_stream_frame in ivtv_irq_dec_data_req
    drivers/media/pci/ivtv/ivtv-irq.c, 1013:
            ivtv_irq_dec_data_req in ivtv_irq_handler
    
    To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
    
    This bug is found by my static analysis tool DSAC.
    
    Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fce9612b5f495cc3051ead904c75157e37004071
Author: Dengcheng Zhu <dzhu@wavecomp.com>
Date:   Tue Sep 11 14:49:23 2018 -0700

    MIPS: kexec: Relax memory restriction
    
    [ Upstream commit a6da4d6fdf8bd512c98d3ac7f1d16bc4bb282919 ]
    
    We can rely on the system kernel and the dump capture kernel themselves in
    memory usage.
    
    Being restrictive with 512MB limit may cause kexec tool failure on some
    platforms.
    
    Tested-by: Rachel Mozes <rachel.mozes@intel.com>
    Reported-by: Rachel Mozes <rachel.mozes@intel.com>
    Signed-off-by: Dengcheng Zhu <dzhu@wavecomp.com>
    Signed-off-by: Paul Burton <paul.burton@mips.com>
    Patchwork: https://patchwork.linux-mips.org/patch/20568/
    Cc: pburton@wavecomp.com
    Cc: ralf@linux-mips.org
    Cc: linux-mips@linux-mips.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d1b548815f6127b60610ee1ce6fa0f2451ac7392
Author: Matthew Whitehead <tedheadster@gmail.com>
Date:   Fri Sep 21 17:20:40 2018 -0400

    x86/CPU: Use correct macros for Cyrix calls
    
    [ Upstream commit 03b099bdcdf7125d4a63dc9ddeefdd454e05123d ]
    
    There are comments in processor-cyrix.h advising you to _not_ make calls
    using the deprecated macros in this style:
    
      setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80);
    
    This is because it expands the macro into a non-functioning calling
    sequence. The calling order must be:
    
      outb(CX86_CCR2, 0x22);
      inb(0x23);
    
    From the comments:
    
     * When using the old macros a line like
     *   setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);
     * gets expanded to:
     *  do {
     *    outb((CX86_CCR2), 0x22);
     *    outb((({
     *        outb((CX86_CCR2), 0x22);
     *        inb(0x23);
     *    }) | 0x88), 0x23);
     *  } while (0);
    
    The new macros fix this problem, so use them instead.
    
    Signed-off-by: Matthew Whitehead <tedheadster@gmail.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Jia Zhang <qianyue.zj@alibaba-inc.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Philippe Ombredanne <pombredanne@nexb.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/20180921212041.13096-2-tedheadster@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 819f6d97470d03571a5bf8aa663ddee2139c8bbd
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Fri Sep 21 10:42:15 2018 +0800

    net: micrel: fix return type of ndo_start_xmit function
    
    [ Upstream commit 2b49117a5abee8478b0470cba46ac74f93b4a479 ]
    
    The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
    which is a typedef for an enum type, so make sure the implementation in
    this driver has returns 'netdev_tx_t' value, and change the function
    return type to netdev_tx_t.
    
    Found by coccinelle.
    
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8f64a1a7ff428a5f43a87433f5a39b222ac0b32a
Author: Shahed Shaikh <Shahed.Shaikh@cavium.com>
Date:   Thu Sep 20 11:22:51 2018 -0700

    bnx2x: Ignore bandwidth attention in single function mode
    
    [ Upstream commit 75a110a1783ef8324ffd763b24f4ac268253cbca ]
    
    This is a workaround for FW bug -
    MFW generates bandwidth attention in single function mode, which
    is only expected to be generated in multi function mode.
    This undesired attention in SF mode results in incorrect HW
    configuration and resulting into Tx timeout.
    
    Signed-off-by: Shahed Shaikh <Shahed.Shaikh@cavium.com>
    Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9d8e2f352c16847d036001c5f8a8bc3440b18bb1
Author: Stefan Agner <stefan@agner.ch>
Date:   Sat Sep 15 21:38:24 2018 -0700

    cpufeature: avoid warning when compiling with clang
    
    [ Upstream commit c785896b21dd8e156326ff660050b0074d3431df ]
    
    The table id (second) argument to MODULE_DEVICE_TABLE is often
    referenced otherwise. This is not the case for CPU features. This
    leads to warnings when building the kernel with Clang:
      arch/arm/crypto/aes-ce-glue.c:450:1: warning: variable
        'cpu_feature_match_AES' is not needed and will not be emitted
        [-Wunneeded-internal-declaration]
      module_cpu_feature_match(AES, aes_init);
      ^
    
    Avoid warnings by using __maybe_unused, similar to commit 1f318a8bafcf
    ("modules: mark __inittest/__exittest as __maybe_unused").
    
    Fixes: 67bad2fdb754 ("cpu: add generic support for CPU feature based module autoloading")
    Signed-off-by: Stefan Agner <stefan@agner.ch>
    Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a6298e915763fa678bb10a2e90819974d852e6e3
Author: Rob Herring <robh@kernel.org>
Date:   Thu Sep 13 13:12:34 2018 -0500

    ARM: dts: ste: Fix SPI controller node names
    
    [ Upstream commit 2f967f9e9fa076affb711da1a8389b5d33814fc6 ]
    
    SPI controller nodes should be named 'spi' rather than 'ssp'. Fixing the
    name enables dtc SPI bus checks.
    
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 448d70e74bfa99bf242349321a8150ea3e9ffe08
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Tue Jul 3 10:30:03 2018 +0200

    ARM: dts: ux500: Fix LCDA clock line muxing
    
    [ Upstream commit ecde29569e3484e1d0a032bf4074449bce4d4a03 ]
    
    The "lcdaclk_b_1" group is muxed with the function "lcd"
    but needs a separate entry to be muxed in with "lcda"
    rather than "lcd".
    
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1c4ec0531ee38ea2cd3fc9a9ae691b9474bb3c4d
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Tue Jun 26 09:50:09 2018 +0200

    ARM: dts: ux500: Correct SCU unit address
    
    [ Upstream commit 2f217d24ecaec2012e628d21e244eef0608656a4 ]
    
    The unit address of the Cortex-A9 SCU device node contains one zero too
    many.  Remove it.
    
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 68865d163c20cadeb5483e6f5d26c812c6d9f68e
Author: Grygorii Strashko <grygorii.strashko@ti.com>
Date:   Sat Sep 8 17:33:40 2018 -0500

    ARM: dts: am335x-evm: fix number of cpsw
    
    [ Upstream commit dcbf6b18d81bcdc51390ca1b258c17e2e13b7d0c ]
    
    am335x-evm has only one CPSW external port physically wired, but DT defines
    2 ext. ports. As result, PHY connection failure reported for the second
    ext. port.
    
    Update DT to reflect am335x-evm board HW configuration, and, while here,
    switch to use phy-handle instead of phy_id.
    
    Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7e15c978362559a8e0f9dc5bd0d0030dd980bf84
Author: Loic Poulain <loic.poulain@linaro.org>
Date:   Tue Sep 4 17:18:58 2018 +0200

    usb: chipidea: Fix otg event handler
    
    [ Upstream commit 59739131e0ca06db7560f9073fff2fb83f6bc2a5 ]
    
    At OTG work running time, it's possible that several events need to be
    addressed (e.g. ID and VBUS events). The current implementation handles
    only one event at a time which leads to ignoring the other one. Fix it.
    
    Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
    Signed-off-by: Peter Chen <peter.chen@nxp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 945536fb45e8914f139ab381dd1e1ac8b82000b9
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Wed Sep 19 18:50:17 2018 +0800

    net: amd: fix return type of ndo_start_xmit function
    
    [ Upstream commit fe72352e37ae8478f4c97975a9831f0c50f22e73 ]
    
    The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
    which is a typedef for an enum type, so make sure the implementation in
    this driver has returns 'netdev_tx_t' value, and change the function
    return type to netdev_tx_t.
    
    Found by coccinelle.
    
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 166135e4cdaa3506ff26ee6208a807e9c0adf83c
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Wed Sep 19 18:45:12 2018 +0800

    net: broadcom: fix return type of ndo_start_xmit function
    
    [ Upstream commit 0c13b8d1aee87c35a2fbc1d85a1f766227cf54b5 ]
    
    The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
    which is a typedef for an enum type, so make sure the implementation in
    this driver has returns 'netdev_tx_t' value, and change the function
    return type to netdev_tx_t.
    
    Found by coccinelle.
    
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9431f720b8209d61d9701e410965e364bd88a501
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Wed Sep 19 18:32:40 2018 +0800

    net: xilinx: fix return type of ndo_start_xmit function
    
    [ Upstream commit 81255af8d9d5565004792c295dde49344df450ca ]
    
    The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
    which is a typedef for an enum type, so make sure the implementation in
    this driver has returns 'netdev_tx_t' value, and change the function
    return type to netdev_tx_t.
    
    Found by coccinelle.
    
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a2e4caeac47b47af044b9a7518cbb31e3ad1bf92
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Wed Sep 19 18:23:39 2018 +0800

    net: toshiba: fix return type of ndo_start_xmit function
    
    [ Upstream commit bacade822524e02f662d88f784d2ae821a5546fb ]
    
    The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
    which is a typedef for an enum type, so make sure the implementation in
    this driver has returns 'netdev_tx_t' value, and change the function
    return type to netdev_tx_t.
    
    Found by coccinelle.
    
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6aa5efca2ba003cbd99f3489a82ee8e69611bfcc
Author: Andreas Kemnade <andreas@kemnade.info>
Date:   Mon Sep 17 07:00:07 2018 +0200

    power: supply: twl4030_charger: disable eoc interrupt on linear charge
    
    [ Upstream commit 079cdff3d0a09c5da10ae1be35def7a116776328 ]
    
    This avoids getting woken up from suspend after power interruptions
    when the bci wrongly thinks the battery is full just because
    of input current going low because of low input power
    
    Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4e42816ac16bb15b58e3304b4c5036141cc38ef5
Author: Andreas Kemnade <andreas@kemnade.info>
Date:   Mon Sep 17 07:20:35 2018 +0200

    power: supply: twl4030_charger: fix charging current out-of-bounds
    
    [ Upstream commit 8314c212f995bc0d06b54ad02ef0ab4089781540 ]
    
    the charging current uses unsigned int variables, if we step back
    if the current is still low, we would run into negative which
    means setting the target to a huge value.
    Better add checks here.
    
    Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 657f4204b23c061fdc572c5fd249ac4a51f0c062
Author: Rob Herring <robh@kernel.org>
Date:   Thu Sep 13 15:16:22 2018 -0500

    libfdt: Ensure INT_MAX is defined in libfdt_env.h
    
    [ Upstream commit 53dd9dce6979bc54d64a3a09a2fb20187a025be7 ]
    
    The next update of libfdt has a new dependency on INT_MAX. Update the
    instances of libfdt_env.h in the kernel to either include the necessary
    header with the definition or define it locally.
    
    Cc: Russell King <linux@armlinux.org.uk>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: linuxppc-dev@lists.ozlabs.org
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 092e18f0c326b7f36c42958a6549c1f0329a9efa
Author: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Date:   Mon Sep 17 14:14:02 2018 -0500

    powerpc/pseries: Disable CPU hotplug across migrations
    
    [ Upstream commit 85a88cabad57d26d826dd94ea34d3a785824d802 ]
    
    When performing partition migrations all present CPUs must be online
    as all present CPUs must make the H_JOIN call as part of the migration
    process. Once all present CPUs make the H_JOIN call, one CPU is returned
    to make the rtas call to perform the migration to the destination system.
    
    During testing of migration and changing the SMT state we have found
    instances where CPUs are offlined, as part of the SMT state change,
    before they make the H_JOIN call. This results in a hung system where
    every CPU is either in H_JOIN or offline.
    
    To prevent this this patch disables CPU hotplug during the migration
    process.
    
    Signed-off-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
    Reviewed-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b5693ef77f1466bc30292f9728addebfad803e92
Author: Nicholas Piggin <npiggin@gmail.com>
Date:   Sat Sep 15 01:30:45 2018 +1000

    powerpc/64s/hash: Fix stab_rr off by one initialization
    
    [ Upstream commit 09b4438db13fa83b6219aee5993711a2aa2a0c64 ]
    
    This causes SLB alloation to start 1 beyond the start of the SLB.
    There is no real problem because after it wraps it stats behaving
    properly, it's just surprisig to see when looking at SLB traces.
    
    Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6eb5dfdd45645da7a023fea95865dab51a4f1a39
Author: Breno Leitao <leitao@debian.org>
Date:   Tue Aug 21 15:44:48 2018 -0300

    powerpc/iommu: Avoid derefence before pointer check
    
    [ Upstream commit 984ecdd68de0fa1f63ce205d6c19ef5a7bc67b40 ]
    
    The tbl pointer is being derefenced by IOMMU_PAGE_SIZE prior the check
    if it is not NULL.
    
    Just moving the dereference code to after the check, where there will
    be guarantee that 'tbl' will not be NULL.
    
    Signed-off-by: Breno Leitao <leitao@debian.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3b767de18989f8f13bbd3d944b791674a8a1416d
Author: Anton Vasilyev <vasilyev@ispras.ru>
Date:   Tue Aug 7 13:59:05 2018 +0300

    serial: mxs-auart: Fix potential infinite loop
    
    [ Upstream commit 5963e8a3122471cadfe0eba41c4ceaeaa5c8bb4d ]
    
    On the error path of mxs_auart_request_gpio_irq() is performed
    backward iterating with index i of enum type. Underline enum type
    may be unsigned char. In this case check (--i >= 0) will be always
    true and error handling goes into infinite loop.
    
    The patch changes the check so that it is valid for signed and unsigned
    types.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
    Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f94cdf46eabb7dc408327ea99708873bbd4258cd
Author: Sinan Kaya <okaya@kernel.org>
Date:   Fri Aug 10 04:32:11 2018 +0000

    PCI/ACPI: Correct error message for ASPM disabling
    
    [ Upstream commit 1ad61b612b95980a4d970c52022aa01dfc0f6068 ]
    
    If _OSC execution fails today for platforms without an _OSC entry, code is
    printing a misleading message saying disabling ASPM as follows:
    
      acpi PNP0A03:00: _OSC failed (AE_NOT_FOUND); disabling ASPM
    
    We need to ensure that platform supports ASPM to begin with.
    
    Reported-by: Michael Kelley <mikelley@microsoft.com>
    Signed-off-by: Sinan Kaya <okaya@kernel.org>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 83672bfe1cd59d39b0e7a87c66a53a4cbc0bc1db
Author: Julian Wiedmann <jwi@linux.ibm.com>
Date:   Mon Sep 17 17:36:06 2018 +0200

    s390/qeth: invoke softirqs after napi_schedule()
    
    [ Upstream commit 4d19db777a2f32c9b76f6fd517ed8960576cb43e ]
    
    Calling napi_schedule() from process context does not ensure that the
    NET_RX softirq is run in a timely fashion. So trigger it manually.
    
    This is no big issue with current code. A call to ndo_open() is usually
    followed by a ndo_set_rx_mode() call, and for qeth this contains a
    spin_unlock_bh(). Except for OSN, where qeth_l2_set_rx_mode() bails out
    early.
    Nevertheless it's best to not depend on this behaviour, and just fix
    the issue at its source like all other drivers do. For instance see
    commit 83a0c6e58901 ("i40e: Invoke softirqs after napi_reschedule").
    
    Fixes: a1c3ed4c9ca0 ("qeth: NAPI support for l2 and l3 discipline")
    Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 39bd6a7496fc9aca3a9611082e272b4e38c4dded
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date:   Sat Jul 7 17:52:47 2018 +0000

    kernfs: Fix range checks in kernfs_get_target_path
    
    [ Upstream commit a75e78f21f9ad4b810868c89dbbabcc3931591ca ]
    
    The terminating NUL byte is only there because the buffer is
    allocated with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the
    range-check is off-by-one, and PAGE_SIZE==PATH_MAX, the
    returned string may not be zero-terminated if it is exactly
    PATH_MAX characters long.  Furthermore also the initial loop
    may theoretically exceed PATH_MAX and cause a fault.
    
    Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    Acked-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 709426fc57462a42618ac3d63db852b292d19e49
Author: Tomasz Figa <tomasz.figa@gmail.com>
Date:   Tue Jul 17 18:05:07 2018 +0200

    power: supply: max8998-charger: Fix platform data retrieval
    
    [ Upstream commit cb90a2c6f77fe9b43d1e3f759bb2f13fe7fa1811 ]
    
    Since the max8998 MFD driver supports instantiation by DT, platform data
    retrieval is handled in MFD probe and cell drivers should get use
    the pdata field of max8998_dev struct to obtain them.
    
    Fixes: ee999fb3f17f ("mfd: max8998: Add support for Device Tree")
    Signed-off-by: Tomasz Figa <tomasz.figa@gmail.com>
    Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 52741990fa566179fa2cedce505f3e56e0a32433
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Sep 10 11:39:04 2018 +0300

    power: supply: ab8500_fg: silence uninitialized variable warnings
    
    [ Upstream commit 54baff8d4e5dce2cef61953b1dc22079cda1ddb1 ]
    
    If kstrtoul() fails then we print "charge_full" when it's uninitialized.
    The debug printk doesn't add anything so I deleted it and cleaned these
    two functions up a bit.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1f6a7105b15be93b5ee84039d8466fb6e7a61004
Author: Ganesh Goudar <ganeshgr@chelsio.com>
Date:   Fri Sep 14 14:36:27 2018 +0530

    cxgb4: Fix endianness issue in t4_fwcache()
    
    [ Upstream commit 0dc235afc59a226d951352b0adf4a89b532a9d13 ]
    
    Do not put host-endian 0 or 1 into big endian feild.
    
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1a66e50c45e6abb6fc14509a44d2eb210f7f2957
Author: Ludovic Desroches <ludovic.desroches@microchip.com>
Date:   Thu Sep 13 14:42:13 2018 +0200

    pinctrl: at91: don't use the same irqchip with multiple gpiochips
    
    [ Upstream commit 0c3dfa176912b5f87732545598200fb55e9c1978 ]
    
    Sharing the same irqchip with multiple gpiochips is not a good
    practice. For instance, when installing hooks, we change the state
    of the irqchip. The initial state of the irqchip for the second
    gpiochip to register is then disrupted.
    
    Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a05541487b89f3f8e475bce6f57543a64e13228d
Author: Dinh Nguyen <dinguyen@kernel.org>
Date:   Thu Sep 13 23:52:49 2018 -0500

    ARM: dts: socfpga: Fix I2C bus unit-address error
    
    [ Upstream commit cbbc488ed85061a765cf370c3e41f383c1e0add6 ]
    
    dtc has new checks for I2C buses. Fix the warnings in unit-addresses.
    
    arch/arm/boot/dts/socfpga_cyclone5_de0_sockit.dtb: Warning (i2c_bus_reg): /soc/i2c@ffc04000/adxl345@0: I2C bus unit address format error, expected "53"
    
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0b7600db547a532f8bf0b6a222c3eec73931febc
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Sep 14 13:10:04 2018 +0930

    powerpc/vdso: Correct call frame information
    
    [ Upstream commit 56d20861c027498b5a1112b4f9f05b56d906fdda ]
    
    Call Frame Information is used by gdb for back-traces and inserting
    breakpoints on function return for the "finish" command.  This failed
    when inside __kernel_clock_gettime.  More concerning than difficulty
    debugging is that CFI is also used by stack frame unwinding code to
    implement exceptions.  If you have an app that needs to handle
    asynchronous exceptions for some reason, and you are unlucky enough to
    get one inside the VDSO time functions, your app will crash.
    
    What's wrong:  There is control flow in __kernel_clock_gettime that
    reaches label 99 without saving lr in r12.  CFI info however is
    interpreted by the unwinder without reference to control flow: It's a
    simple matter of "Execute all the CFI opcodes up to the current
    address".  That means the unwinder thinks r12 contains the return
    address at label 99.  Disabuse it of that notion by resetting CFI for
    the return address at label 99.
    
    Note that the ".cfi_restore lr" could have gone anywhere from the
    "mtlr r12" a few instructions earlier to the instruction at label 99.
    I put the CFI as late as possible, because in general that's best
    practice (and if possible grouped with other CFI in order to reduce
    the number of CFI opcodes executed when unwinding).  Using r12 as the
    return address is perfectly fine after the "mtlr r12" since r12 on
    that code path still contains the return address.
    
    __get_datapage also has a CFI error.  That function temporarily saves
    lr in r0, and reflects that fact with ".cfi_register lr,r0".  A later
    use of r0 means the CFI at that point isn't correct, as r0 no longer
    contains the return address.  Fix that too.
    
    Signed-off-by: Alan Modra <amodra@gmail.com>
    Tested-by: Reza Arbab <arbab@linux.ibm.com>
    Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit db70320a71fbd38a560335a47613ac33d61eb5a7
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Tue Sep 11 11:42:06 2018 -0700

    llc: avoid blocking in llc_sap_close()
    
    [ Upstream commit 9708d2b5b7c648e8e0a40d11e8cea12f6277f33c ]
    
    llc_sap_close() is called by llc_sap_put() which
    could be called in BH context in llc_rcv(). We can't
    block in BH.
    
    There is no reason to block it here, kfree_rcu() should
    be sufficient.
    
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7c235b44dc99b4237fc0a54301eda60acc7a0af6
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Sep 10 11:37:45 2018 +0300

    pinctrl: at91-pio4: fix has_config check in atmel_pctl_dt_subnode_to_map()
    
    [ Upstream commit b97760ae8e3dc8bb91881c13425a0bff55f2bd85 ]
    
    Smatch complains about this condition:
    
            if (has_config && num_pins >= 1)
    
    The "has_config" variable is either uninitialized or true.  The
    "num_pins" variable is unsigned and we verified that it is non-zero on
    the lines before so we know "num_pines >= 1" is true.  Really, we could
    just check "num_configs" directly and remove the "has_config" variable.
    
    Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9df76cb7ec80ff41298c0cfcc842ee3688e78b51
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Aug 28 16:39:10 2018 +0200

    ALSA: intel8x0m: Register irq handler after register initializations
    
    [ Upstream commit 7064f376d4a10686f51c879401a569bb4babf9c6 ]
    
    The interrupt handler has to be acquired after the other resource
    initialization when allocated with IRQF_SHARED.  Otherwise it's
    triggered before the resource gets ready, and may lead to unpleasant
    behavior.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 24293b23bca5c05b4e047daaed37d3d38d50a8dc
Author: Lao Wei <zrlw@qq.com>
Date:   Mon Jul 9 08:15:53 2018 -0400

    media: fix: media: pci: meye: validate offset to avoid arbitrary access
    
    [ Upstream commit eac7230fdb4672c2cb56f6a01a1744f562c01f80 ]
    
    Motion eye video4linux driver for Sony Vaio PictureBook desn't validate user-controlled parameter
    'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying
    pass different arbitrary address.
    Discussion: http://www.openwall.com/lists/oss-security/2018/07/06/1
    
    Signed-off-by: Lao Wei <zrlw@qq.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cdf4e8eae639d9fc085f974aa9958b8eaeb1fd02
Author: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Date:   Tue Aug 7 13:19:35 2018 +0100

    nvmem: core: return error code instead of NULL from nvmem_device_get
    
    [ Upstream commit ca6ac25cecf0e740d7cc8e03e0ebbf8acbeca3df ]
    
    nvmem_device_get() should return ERR_PTR() on error or valid pointer
    on success, but one of the code path seems to return NULL, so fix it.
    
    Reported-by: Niklas Cassel <niklas.cassel@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b99fc345d90878bd4adbabdb2cb5800e30e11ff5
Author: Masami Hiramatsu <mhiramat@kernel.org>
Date:   Tue Sep 11 19:21:09 2018 +0900

    kprobes: Don't call BUG_ON() if there is a kprobe in use on free list
    
    [ Upstream commit cbdd96f5586151e48317d90a403941ec23f12660 ]
    
    Instead of calling BUG_ON(), if we find a kprobe in use on free kprobe
    list, just remove it from the list and keep it on kprobe hash list
    as same as other in-use kprobes.
    
    Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
    Cc: David S . Miller <davem@davemloft.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Naveen N . Rao <naveen.n.rao@linux.vnet.ibm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/153666126882.21306.10738207224288507996.stgit@devbox
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3d7ff04aae05c93857604ae0910a4f329d1221ff
Author: Deepak Ukey <deepak.ukey@microchip.com>
Date:   Tue Sep 11 14:18:04 2018 +0530

    scsi: pm80xx: Fixed system hang issue during kexec boot
    
    [ Upstream commit 72349b62a571effd6faadd0600b8e657dd87afbf ]
    
    When the firmware is not responding, execution of kexec boot causes a system
    hang. When firmware assertion happened, driver get notified with interrupt
    vector updated in MPI configuration table. Then, the driver will read
    scratchpad register and set controller_fatal_error flag to true.
    
    Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com>
    Signed-off-by: Viswas G <Viswas.G@microchip.com>
    Acked-by: Jack Wang <jinpu.wang@profitbricks.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 29e5cc0f417ba64281f7b41d3bb4eca5a7fbf1ea
Author: Deepak Ukey <deepak.ukey@microchip.com>
Date:   Tue Sep 11 14:18:03 2018 +0530

    scsi: pm80xx: Corrected dma_unmap_sg() parameter
    
    [ Upstream commit 76cb25b058034d37244be6aca97a2ad52a5fbcad ]
    
    For the function dma_unmap_sg(), the <nents> parameter should be number of
    elements in the scatter list prior to the mapping, not after the mapping.
    
    Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com>
    Signed-off-by: Viswas G <Viswas.G@microchip.com>
    Acked-by: Jack Wang <jinpu.wang@profitbricks.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 103e46a0e177886ee41f78c4038b687fd088125f
Author: Oleksij Rempel <o.rempel@pengutronix.de>
Date:   Thu Aug 2 12:34:21 2018 +0200

    ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set
    
    [ Upstream commit 8148d2136002da2e2887caf6a07bbd9c033f14f3 ]
    
    One of the Freescale recommended sequences for power off with external
    PMIC is the following:
    ...
    3.  SoC is programming PMIC for power off when standby is asserted.
    4.  In CCM STOP mode, Standby is asserted, PMIC gates SoC supplies.
    
    See:
    http://www.nxp.com/assets/documents/data/en/reference-manuals/IMX6DQRM.pdf
    page 5083
    
    This patch implements step 4. of this sequence.
    
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9ddc4bd10d8acc37b9986be58cd1a4d1df1934a5
Author: George Kennedy <george.kennedy@oracle.com>
Date:   Wed Aug 29 11:38:16 2018 -0400

    scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir()
    
    [ Upstream commit 288315e95264b6355e26609e9dec5dc4563d4ab0 ]
    
    sym_int_sir() in sym_hipd.c does not check the command pointer for NULL before
    using it in debug message prints.
    
    Suggested-by: Matthew Wilcox <matthew.wilcox@oracle.com>
    Signed-off-by: George Kennedy <george.kennedy@oracle.com>
    Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
    Acked-by: Matthew Wilcox <matthew.wilcox@oracle.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 79b1b5ec76bb3ca7186e9c6886b81399d573acf2
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Jul 19 20:48:30 2018 -0500

    signal: Properly deliver SIGSEGV from x86 uprobes
    
    [ Upstream commit 4a63c1ffd384ebdce40aac9c997dab68379137be ]
    
    For userspace to tell the difference between an random signal
    and an exception, the exception must include siginfo information.
    
    Using SEND_SIG_FORCED for SIGSEGV is thus wrong, and it will result in
    userspace seeing si_code == SI_USER (like a random signal) instead of
    si_code == SI_KERNEL or a more specific si_code as all exceptions
    deliver.
    
    Therefore replace force_sig_info(SIGSEGV, SEND_SIG_FORCE, current)
    with force_sig(SIG_SEGV, current) which gets this right and is shorter
    and easier to type.
    
    Fixes: 791eca10107f ("uretprobes/x86: Hijack return address")
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dc9c09f5edc5aeaa1e04bc63b15c56b81bb6ee92
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Jul 19 20:33:53 2018 -0500

    signal: Properly deliver SIGILL from uprobes
    
    [ Upstream commit 55a3235fc71bf34303e34a95eeee235b2d2a35dd ]
    
    For userspace to tell the difference between a random signal and an
    exception, the exception must include siginfo information.
    
    Using SEND_SIG_FORCED for SIGILL is thus wrong, and it will result
    in userspace seeing si_code == SI_USER (like a random signal) instead
    of si_code == SI_KERNEL or a more specific si_code as all exceptions
    deliver.
    
    Therefore replace force_sig_info(SIGILL, SEND_SIG_FORCE, current)
    with force_sig(SIG_ILL, current) which gets this right and is
    shorter and easier to type.
    
    Fixes: 014940bad8e4 ("uprobes/x86: Send SIGILL if arch_uprobe_post_xol() fails")
    Fixes: 0b5256c7f173 ("uprobes: Send SIGILL if handle_trampoline() fails")
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bbf66e0d4239f43434816e7d58746edc2e344257
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Jul 19 19:47:27 2018 -0500

    signal: Always ignore SIGKILL and SIGSTOP sent to the global init
    
    [ Upstream commit 86989c41b5ea08776c450cb759592532314a4ed6 ]
    
    If the first process started (aka /sbin/init) receives a SIGKILL it
    will panic the system if it is delivered.  Making the system unusable
    and undebugable.  It isn't much better if the first process started
    receives SIGSTOP.
    
    So always ignore SIGSTOP and SIGKILL sent to init.
    
    This is done in a separate clause in sig_task_ignored as force_sig_info
    can clear SIG_UNKILLABLE and this protection should work even then.
    
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8f0c1696ecd01ede1539c4e6a3f2a6850216b4e9
Author: Daniel Silsby <dansilsby@gmail.com>
Date:   Wed Aug 29 23:32:56 2018 +0200

    dmaengine: dma-jz4780: Further residue status fix
    
    [ Upstream commit 83ef4fb7556b6a673f755da670cbacab7e2c7f1b ]
    
    Func jz4780_dma_desc_residue() expects the index to the next hw
    descriptor as its last parameter. Caller func jz4780_dma_tx_status(),
    however, applied modulus before passing it. When the current hw
    descriptor was last in the list, the index passed became zero.
    
    The resulting excess of reported residue especially caused problems
    with cyclic DMA transfer clients, i.e. ALSA AIC audio output, which
    rely on this for determining current DMA location within buffer.
    
    Combined with the recent and related residue-reporting fixes, spurious
    ALSA audio underruns on jz4770 hardware are now fixed.
    
    Signed-off-by: Daniel Silsby <dansilsby@gmail.com>
    Signed-off-by: Paul Cercueil <paul@crapouillou.net>
    Tested-by: Mathieu Malaterre <malat@debian.org>
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b8fac3d96f46cde91b64a1bead0a1cbfc40133be
Author: H. Nikolaus Schaller <hns@goldelico.com>
Date:   Tue Jul 31 09:11:14 2018 +0200

    ARM: dts: omap3-gta04: keep vpll2 always on
    
    [ Upstream commit 1ae00833e30c9b4af5cbfda65d75b1de12f74013 ]
    
    This is needed to make the display and venc work properly.
    Compare to omap3-beagle.dts.
    
    Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9f7ff806378540d67ca03acfc0e94a9be41022f8
Author: H. Nikolaus Schaller <hns@goldelico.com>
Date:   Tue Jul 31 09:11:12 2018 +0200

    ARM: dts: omap3-gta04: make NAND partitions compatible with recent U-Boot
    
    [ Upstream commit fa99c21ecb3cd4021a60d0e8bf880e78b5bd0729 ]
    
    Vendor defined U-Boot has changed the partition scheme a while ago:
    
    * kernel partition 6MB
    * file system partition uses the remainder up to end of the NAND
    * increased size of the environment partition (to get an OneNAND compatible base address)
    * shrink the U-Boot partition
    
    Let's be compatible (e.g. Debian kernel built from upstream).
    
    Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3a846792ca6d22072afc6104ea3b2e1865b6e0a9
Author: H. Nikolaus Schaller <hns@goldelico.com>
Date:   Tue Jul 31 09:11:09 2018 +0200

    ARM: dts: omap3-gta04: tvout: enable as display1 alias
    
    [ Upstream commit 8905592b6e50cec905e6c6035bbd36201a3bfac1 ]
    
    The omap dss susbystem takes the display aliases to find
    out which displays exist. To enable tv-out we must define
    an alias.
    
    Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 93d1d8095d1634c75ecd02b92024bec917c03a98
Author: H. Nikolaus Schaller <hns@goldelico.com>
Date:   Tue Jul 31 09:11:06 2018 +0200

    ARM: dts: omap3-gta04: give spi_lcd node a label so that we can overwrite in other DTS files
    
    [ Upstream commit fa0d7dc355c890725b6178dab0cc11b194203afa ]
    
    needed for device variants based on GTA04 board but with
    different display panel (driver).
    
    Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1cbb52c15fff0470a1ae20a3b58f47de21be55c9
Author: Rob Herring <robh@kernel.org>
Date:   Mon Aug 27 09:50:09 2018 -0500

    of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC
    
    [ Upstream commit f6707fd6241e483f6fea2caae82d876e422bb11a ]
    
    Cache nodes under the cpu node(s) is PowerMac specific according to the
    comment above, so make the code enforce that.
    
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1f2952dd752e0918e0a85eef0eb4ec343d17fffb
Author: Ding Xiang <dingxiang@cmss.chinamobile.com>
Date:   Thu Sep 6 12:19:19 2018 +0800

    mips: txx9: fix iounmap related issue
    
    [ Upstream commit c6e1241a82e6e74d1ae5cc34581dab2ffd6022d0 ]
    
    if device_register return error, iounmap should be called, also iounmap
    need to call before put_device.
    
    Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
    Reviewed-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
    Signed-off-by: Paul Burton <paul.burton@mips.com>
    Patchwork: https://patchwork.linux-mips.org/patch/20476/
    Cc: ralf@linux-mips.org
    Cc: jhogan@kernel.org
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 62396b1bfec4764245d99d13f21504bc6cc68fd9
Author: Erik Stromdahl <erik.stromdahl@gmail.com>
Date:   Tue Sep 4 15:07:07 2018 +0300

    ath10k: wmi: disable softirq's while calling ieee80211_rx
    
    [ Upstream commit 37f62c0d5822f631b786b29a1b1069ab714d1a28 ]
    
    This is done in order not to trig the below warning in
    ieee80211_rx_napi:
    
    WARN_ON_ONCE(softirq_count() == 0);
    
    ieee80211_rx_napi requires that softirq's are disabled during
    execution.
    
    The High latency bus drivers (SDIO and USB) sometimes call the wmi
    ep_rx_complete callback from non softirq context, resulting in a trigger
    of the above warning.
    
    Calling ieee80211_rx_ni with softirq's already disabled (e.g., from
    softirq context) should be safe as the local_bh_disable and
    local_bh_enable functions (called from ieee80211_rx_ni) are fully
    reentrant.
    
    Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2792933670dd893796b6f159dc28c5b7d08d915b
Author: Colin Ian King <colin.king@canonical.com>
Date:   Thu Sep 6 11:41:52 2018 +0100

    ASoC: sgtl5000: avoid division by zero if lo_vag is zero
    
    [ Upstream commit 9ab708aef61f5620113269a9d1bdb1543d1207d0 ]
    
    In the case where lo_vag <= SGTL5000_LINE_OUT_GND_BASE, lo_vag
    is set to zero and later vol_quot is computed by dividing by
    lo_vag causing a division by zero error.  Fix this by avoiding
    a zero division and set vol_quot to zero in this specific case
    so that the lowest setting for i is correctly set.
    
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit adb5b0917f69970e48db91256e95f3df457388bb
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Tue Sep 4 19:29:09 2018 +0200

    net: lan78xx: Bail out if lan78xx_get_endpoints fails
    
    [ Upstream commit fa8cd98c06407b5798b927cd7fd14d30f360ed02 ]
    
    We need to bail out if lan78xx_get_endpoints() fails, otherwise the
    result is overwritten.
    
    Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Reviewed-by: Raghuram Chary Jallipalli <raghuramchary.jallipalli@microchip.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3b63b0c7ceaeba6eb00be9502179d6c634c8cb1f
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date:   Mon Aug 20 13:48:31 2018 -0500

    rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument
    
    [ Upstream commit 199ba9faca909e77ac533449ecd1248123ce89e7 ]
    
    In gcc8, when the 3rd argument (size) of a call to strncpy() matches the
    length of the first argument, the compiler warns of the possibility of an
    unterminated string. Using strlcpy() forces a null at the end.
    
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 321cf3b60eeec8f652a44fbcad7c1bdfbf0130ac
Author: Marcel Ziswiler <marcel@ziswiler.com>
Date:   Fri Aug 31 14:03:09 2018 +0200

    ARM: dts: pxa: fix power i2c base address
    
    [ Upstream commit 8a1ecc01a473b75ab97be9b36f623e4551a6e9ae ]
    
    There is one too many zeroes in the Power I2C base address. Fix this.
    
    Signed-off-by: Marcel Ziswiler <marcel@ziswiler.com>
    Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5b20928b65e2e6f76b212e7dec611e69f0d11c9e
Author: Patryk Małek <patryk.malek@intel.com>
Date:   Tue Aug 28 10:16:09 2018 -0700

    i40e: Prevent deleting MAC address from VF when set by PF
    
    [ Upstream commit 5907cf6c5bbe78be2ed18b875b316c6028b20634 ]
    
    To prevent VF from deleting MAC address that was assigned by the
    PF we need to check for that scenario when we try to delete a MAC
    address from a VF.
    
    Signed-off-by: Patryk Małek <patryk.malek@intel.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0ef9b8f0b8ae00d0d1cacf370e39e167208e276c
Author: Patryk Małek <patryk.malek@intel.com>
Date:   Tue Aug 28 10:16:03 2018 -0700

    i40e: hold the rtnl lock on clearing interrupt scheme
    
    [ Upstream commit 5cba17b14182696d6bb0ec83a1d087933f252241 ]
    
    Hold the rtnl lock when we're clearing interrupt scheme
    in i40e_shutdown and in i40e_remove.
    
    Signed-off-by: Patryk Małek <patryk.malek@intel.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4e86098dbd1b87722206f68a60273f465237b1a4
Author: Mitch Williams <mitch.a.williams@intel.com>
Date:   Mon Aug 20 08:12:30 2018 -0700

    i40e: use correct length for strncpy
    
    [ Upstream commit 7eb74ff891b4e94b8bac48f648a21e4b94ddee64 ]
    
    Caught by GCC 8. When we provide a length for strncpy, we should not
    include the terminating null. So we must tell it one less than the size
    of the destination buffer.
    
    Signed-off-by: Mitch Williams <mitch.a.williams@intel.com>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 420cb453d1b65e809a660e35c538e87a6ac1bdd7
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Fri Aug 3 12:55:32 2018 +0200

    ARM: dts: exynos: Fix sound in Snow-rev5 Chromebook
    
    [ Upstream commit 64858773d78e820003a94e5a7179d368213655d6 ]
    
    This patch adds missing properties to the CODEC and sound nodes, so the
    audio will work also on Snow rev5 Chromebook. This patch is an extension
    to the commit e9eefc3f8ce0 ("ARM: dts: exynos: Add missing clock and
    DAI properties to the max98095 node in Snow Chromebook")
    and commit 6ab569936d60 ("ARM: dts: exynos: Enable HDMI audio on Snow
    Chromebook").  It has been reported that such changes work fine on the
    rev5 board too.
    
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    [krzk: Fixed typo in phandle to &max98090]
    Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 78dbc2d2bb0b96464a4af8182148d5fb6d1c45d7
Author: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Date:   Sun Aug 19 22:20:23 2018 +0300

    MIPS: BCM47XX: Enable USB power on Netgear WNDR3400v3
    
    [ Upstream commit feef7918667b84f9d5653c501542dd8d84ae32af ]
    
    Setting GPIO 21 high seems to be required to enable power to USB ports
    on the WNDR3400v3. As there is already similar code for WNR3500L,
    make the existing USB power GPIO code generic and use that.
    
    Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
    Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
    Signed-off-by: Paul Burton <paul.burton@mips.com>
    Patchwork: https://patchwork.linux-mips.org/patch/20259/
    Cc: Rafał Miłecki <zajec5@gmail.com>
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e6a06024e068c4795d1c2ab54614e8805fc02174
Author: Charles Keepax <ckeepax@opensource.cirrus.com>
Date:   Mon Aug 27 14:26:47 2018 +0100

    ASoC: dpcm: Properly initialise hw->rate_max
    
    [ Upstream commit e33ffbd9cd39da09831ce62c11025d830bf78d9e ]
    
    If the CPU DAI does not initialise rate_max, say if using
    using KNOT or CONTINUOUS, then the rate_max field will be
    initialised to 0. A value of zero in the rate_max field of
    the hardware runtime will cause the sound card to support no
    sample rates at all. Obviously this is not desired, just a
    different mechanism is being used to apply the constraints. As
    such update the setting of rate_max in dpcm_init_runtime_hw
    to be consistent with the non-DPCM cases and set rate_max to
    UINT_MAX if nothing is defined on the CPU DAI.
    
    Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0a7edede513d2e82472921dd17e0c5d215964726
Author: Bob Peterson <rpeterso@redhat.com>
Date:   Thu Aug 16 10:32:13 2018 -0500

    gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated
    
    [ Upstream commit 4f36cb36c9d14340bb200d2ad9117b03ce992cfe ]
    
    The GFS2_RDF_UPTODATE flag in the rgrp is used to determine when
    a rgrp buffer is valid. It's cleared when the glock is invalidated,
    signifying that the buffer data is now invalid. But before this
    patch, function update_rgrp_lvb was setting the flag when it
    determined it had a valid lvb. But that's an invalid assumption:
    just because you have a valid lvb doesn't mean you have valid
    buffers. After all, another node may have made the lvb valid,
    and this node just fetched it from the glock via dlm.
    
    Consider this scenario:
    1. The file system is mounted with RGRPLVB option.
    2. In gfs2_inplace_reserve it locks the rgrp glock EX, but thanks
       to GL_SKIP, it skips the gfs2_rgrp_bh_get.
    3. Since loops == 0 and the allocation target (ap->target) is
       bigger than the largest known chunk of blocks in the rgrp
       (rs->rs_rbm.rgd->rd_extfail_pt) it skips that rgrp and bypasses
       the call to gfs2_rgrp_bh_get there as well.
    4. update_rgrp_lvb sees the lvb MAGIC number is valid, so bypasses
       gfs2_rgrp_bh_get, but it still sets sets GFS2_RDF_UPTODATE due
       to this invalid assumption.
    5. The next time update_rgrp_lvb is called, it sees the bit is set
       and just returns 0, assuming both the lvb and rgrp are both
       uptodate. But since this is a smaller allocation, or space has
       been freed by another node, thus adjusting the lvb values,
       it decides to use the rgrp for allocations, with invalid rd_free
       due to the fact it was never updated.
    
    This patch changes update_rgrp_lvb so it doesn't set the UPTODATE
    flag anymore. That way, it has no choice but to fetch the latest
    values.
    
    Signed-off-by: Bob Peterson <rpeterso@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 39b3ce44939aa75355357bfe0f2a23083a474e8f
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Aug 28 12:49:43 2018 +0200

    ALSA: seq: Do error checks at creating system ports
    
    [ Upstream commit b8e131542b47b81236ecf6768c923128e1f5db6e ]
    
    snd_seq_system_client_init() doesn't check the errors returned from
    its port creations.  Let's do it properly and handle the error paths.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8ad73373b8a7468d03f77fc78134e073a882f951
Author: Jay Foster <jayfoster@ieee.org>
Date:   Mon Aug 20 11:42:01 2018 +0200

    ARM: dts: at91/trivial: Fix USART1 definition for at91sam9g45
    
    [ Upstream commit 10af10db8c76fa5b9bf1f52a895c1cb2c0ac24da ]
    
    Fix a typo. No functional change made by this patch.
    
    Signed-off-by: Jay Foster <jayfoster@ieee.org>
    Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6d9c2f7832a917bb496a90e004beffb0beb9ba6f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Aug 27 12:21:45 2018 +0300

    ALSA: pcm: signedness bug in snd_pcm_plug_alloc()
    
    [ Upstream commit 6f128fa41f310e1f39ebcea9621d2905549ecf52 ]
    
    The "frames" variable is unsigned so the error handling doesn't work
    properly.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cca358eaa474087f4665d3a0fe149ae48e958506
Author: Marcus Folkesson <marcus.folkesson@gmail.com>
Date:   Fri Aug 24 22:24:40 2018 +0200

    iio: dac: mcp4922: fix error handling in mcp4922_write_raw
    
    [ Upstream commit 0833627fc3f757a0dca11e2a9c46c96335a900ee ]
    
    Do not try to write negative values and make sure that the write goes well.
    
    Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b827e2fa580bbada46fff51d712748bb4aa92208
Author: Eugen Hristev <eugen.hristev@microchip.com>
Date:   Thu Nov 14 12:59:26 2019 +0000

    mmc: sdhci-of-at91: fix quirk2 overwrite
    
    commit fed23c5829ecab4ddc712d7b0046e59610ca3ba4 upstream.
    
    The quirks2 are parsed and set (e.g. from DT) before the quirk for broken
    HS200 is set in the driver.
    The driver needs to enable just this flag, not rewrite the whole quirk set.
    
    Fixes: 7871aa60ae00 ("mmc: sdhci-of-at91: add quirk for broken HS200")
    Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 69ab55f2bb3fc1c57d3107224e65aefc00b1276a
Author: Roman Gushchin <guro@fb.com>
Date:   Fri Nov 15 17:34:46 2019 -0800

    mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup()
    
    commit 0362f326d86c645b5e96b7dbc3ee515986ed019d upstream.
    
    An exiting task might belong to an offline cgroup.  In this case an
    attempt to grab a cgroup reference from the task can end up with an
    infinite loop in hugetlb_cgroup_charge_cgroup(), because neither the
    cgroup will become online, neither the task will be migrated to a live
    cgroup.
    
    Fix this by switching over to css_tryget().  As css_tryget_online()
    can't guarantee that the cgroup won't go offline, in most cases the
    check doesn't make sense.  In this particular case users of
    hugetlb_cgroup_charge_cgroup() are not affected by this change.
    
    A similar problem is described by commit 18fa84a2db0e ("cgroup: Use
    css_tryget() instead of css_tryget_online() in task_get_css()").
    
    Link: http://lkml.kernel.org/r/20191106225131.3543616-2-guro@fb.com
    Signed-off-by: Roman Gushchin <guro@fb.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Acked-by: Tejun Heo <tj@kernel.org>
    Reviewed-by: Shakeel Butt <shakeelb@google.com>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f023333e92cb69472a0eaf8e2c41dab657770b33
Author: Roman Gushchin <guro@fb.com>
Date:   Fri Nov 15 17:34:43 2019 -0800

    mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm()
    
    commit 00d484f354d85845991b40141d40ba9e5eb60faf upstream.
    
    We've encountered a rcu stall in get_mem_cgroup_from_mm():
    
      rcu: INFO: rcu_sched self-detected stall on CPU
      rcu: 33-....: (21000 ticks this GP) idle=6c6/1/0x4000000000000002 softirq=35441/35441 fqs=5017
      (t=21031 jiffies g=324821 q=95837) NMI backtrace for cpu 33
      <...>
      RIP: 0010:get_mem_cgroup_from_mm+0x2f/0x90
      <...>
       __memcg_kmem_charge+0x55/0x140
       __alloc_pages_nodemask+0x267/0x320
       pipe_write+0x1ad/0x400
       new_sync_write+0x127/0x1c0
       __kernel_write+0x4f/0xf0
       dump_emit+0x91/0xc0
       writenote+0xa0/0xc0
       elf_core_dump+0x11af/0x1430
       do_coredump+0xc65/0xee0
       get_signal+0x132/0x7c0
       do_signal+0x36/0x640
       exit_to_usermode_loop+0x61/0xd0
       do_syscall_64+0xd4/0x100
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    The problem is caused by an exiting task which is associated with an
    offline memcg.  We're iterating over and over in the do {} while
    (!css_tryget_online()) loop, but obviously the memcg won't become online
    and the exiting task won't be migrated to a live memcg.
    
    Let's fix it by switching from css_tryget_online() to css_tryget().
    
    As css_tryget_online() cannot guarantee that the memcg won't go offline,
    the check is usually useless, except some rare cases when for example it
    determines if something should be presented to a user.
    
    A similar problem is described by commit 18fa84a2db0e ("cgroup: Use
    css_tryget() instead of css_tryget_online() in task_get_css()").
    
    Johannes:
    
    : The bug aside, it doesn't matter whether the cgroup is online for the
    : callers.  It used to matter when offlining needed to evacuate all charges
    : from the memcg, and so needed to prevent new ones from showing up, but we
    : don't care now.
    
    Link: http://lkml.kernel.org/r/20191106225131.3543616-1-guro@fb.com
    Signed-off-by: Roman Gushchin <guro@fb.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Acked-by: Tejun Heo <tj@kernel.org>
    Reviewed-by: Shakeel Butt <shakeeb@google.com>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: Michal Koutn <mkoutny@suse.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 41ca23069f1215bfdc0961413ec5c819d4f93ad7
Author: Eric Auger <eric.auger@redhat.com>
Date:   Fri Nov 8 16:58:03 2019 +0100

    iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros
    
    commit 4e7120d79edb31e4ee68e6f8421448e4603be1e9 upstream.
    
    For both PASID-based-Device-TLB Invalidate Descriptor and
    Device-TLB Invalidate Descriptor, the Physical Function Source-ID
    value is split according to this layout:
    
    PFSID[3:0] is set at offset 12 and PFSID[15:4] is put at offset 52.
    Fix the part laid out at offset 52.
    
    Fixes: 0f725561e1684 ("iommu/vt-d: Add definitions for PFSID")
    Signed-off-by: Eric Auger <eric.auger@redhat.com>
    Acked-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
    Cc: stable@vger.kernel.org # v4.19+
    Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44b4e78bb3278e81ff48047871c935bbbbb5f280
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Nov 3 13:55:43 2019 -0500

    ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either
    
    commit 762c69685ff7ad5ad7fee0656671e20a0c9c864d upstream.
    
    We need to get the underlying dentry of parent; sure, absent the races
    it is the parent of underlying dentry, but there's nothing to prevent
    losing a timeslice to preemtion in the middle of evaluation of
    lower_dentry->d_parent->d_inode, having another process move lower_dentry
    around and have its (ex)parent not pinned anymore and freed on memory
    pressure.  Then we regain CPU and try to fetch ->d_inode from memory
    that is freed by that point.
    
    dentry->d_parent *is* stable here - it's an argument of ->lookup() and
    we are guaranteed that it won't be moved anywhere until we feed it
    to d_add/d_splice_alias.  So we safely go that way to get to its
    underlying dentry.
    
    Cc: stable@vger.kernel.org # since 2009 or so
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c3c7cfbe975cf1b0b5f3c5fa7745851a4afa1053
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Nov 3 13:45:04 2019 -0500

    ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable
    
    commit e72b9dd6a5f17d0fb51f16f8685f3004361e83d0 upstream.
    
    lower_dentry can't go from positive to negative (we have it pinned),
    but it *can* go from negative to positive.  So fetching ->d_inode
    into a local variable, doing a blocking allocation, checking that
    now ->d_inode is non-NULL and feeding the value we'd fetched
    earlier to a function that won't accept NULL is not a good idea.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit af618124c69794bf215bf8cefb67890f95246ef8
Author: Oliver Neukum <oneukum@suse.com>
Date:   Fri Nov 15 11:35:05 2019 -0800

    Input: ff-memless - kill timer in destroy()
    
    commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream.
    
    No timer must be left running when the device goes away.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d99926e1ae70fb604b6891b8b7efefe8f32a5f3f
Author: Henry Lin <henryl@nvidia.com>
Date:   Wed Nov 13 10:14:19 2019 +0800

    ALSA: usb-audio: not submit urb for stopped endpoint
    
    commit 528699317dd6dc722dccc11b68800cf945109390 upstream.
    
    While output urb's snd_complete_urb() is executing, calling
    prepare_outbound_urb() may cause endpoint stopped before
    prepare_outbound_urb() returns and result in next urb submitted
    to stopped endpoint. usb-audio driver cannot re-use it afterwards as
    the urb is still hold by usb stack.
    
    This change checks EP_FLAG_RUNNING flag after prepare_outbound_urb() again
    to let snd_complete_urb() know the endpoint already stopped and does not
    submit next urb. Below kind of error will be fixed:
    
    [  213.153103] usb 1-2: timeout: still 1 active urbs on EP #1
    [  213.164121] usb 1-2: cannot submit urb 0, error -16: unknown error
    
    Signed-off-by: Henry Lin <henryl@nvidia.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20191113021420.13377-1-henryl@nvidia.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 66aeb2294c223b8c7e098794466602c04c96affd
Author: Takashi Iwai <tiwai@suse.de>
Date:   Sat Nov 9 19:16:58 2019 +0100

    ALSA: usb-audio: Fix missing error check at mixer resolution test
    
    commit 167beb1756791e0806365a3f86a0da10d7a327ee upstream.
    
    A check of the return value from get_cur_mix_raw() is missing at the
    resolution test code in get_min_max_with_quirks(), which may leave the
    variable untouched, leading to a random uninitialized value, as
    detected by syzkaller fuzzer.
    
    Add the missing return error check for fixing that.
    
    Reported-and-tested-by: syzbot+abe1ab7afc62c6bb6377@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20191109181658.30368-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 602ff39cf2b646d4ddc2085e4715b0ada72e2875
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Nov 14 11:16:01 2019 +0100

    ax88172a: fix information leak on short answers
    
    [ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]
    
    If a malicious device gives a short MAC it can elicit up to
    5 bytes of leaked memory out of the driver. We need to check for
    ETH_ALEN instead.
    
    Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 329cb706daabb0fff52b4ca5256213f429221fa1
Author: Jouni Hogander <jouni.hogander@unikie.com>
Date:   Wed Nov 13 13:45:02 2019 +0200

    slip: Fix memory leak in slip_open error path
    
    [ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]
    
    Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
    by Syzkaller in slcan. Same issue exists in slip.c and this patch is
    addressing the leak in slip.c.
    
    Here is the slcan memory leak trace reported by Syzkaller:
    
    BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
      comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
      hex dump (first 32 bytes):
        73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
      backtrace:
        [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
        [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
        [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
        [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
        [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
        [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
        [<000000004de5a617>] tty_ioctl+0x48d/0x1590
        [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
        [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
        [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
        [<0000000053d0332e>] do_syscall_64+0x16f/0x580
        [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [<000000008ea75434>] 0xfffffffffffffff
    
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Oliver Hartkopp <socketcan@hartkopp.net>
    Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
    Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>