authorKernel Build Daemon <kbuild@suse.de>2019-08-19 07:02:12 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-08-19 07:02:12 +0200
commit47e0fc0a0f861f21431a8b4543f1e323b642e887 (patch)
treecae5eaf04c2b663af040241e6238da28b3701a12
parent011ff1dcce4cd37ee58b33e1ab3e22b1c8f5cc53 (diff)
parentad7168f4aa6804123e321c0c214978c1ab80f7f7 (diff)
Merge branch 'SLE15' into SLE15-AZURE
-rw-r--r--patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch123
-rw-r--r--patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch37
-rw-r--r--patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch39
-rw-r--r--patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch50
-rw-r--r--patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch83
-rw-r--r--patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch37
-rw-r--r--patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch54
-rw-r--r--patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch36
-rw-r--r--patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch39
-rw-r--r--patches.drm/drm-silence-variable-conn-set-but-not-used.patch38
-rw-r--r--patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch139
-rw-r--r--patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch12
-rw-r--r--patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch263
-rw-r--r--patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch4
-rw-r--r--patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch52
-rw-r--r--patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch54
-rw-r--r--series.conf14
17 files changed, 1066 insertions, 8 deletions
diff --git a/patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch b/patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch
new file mode 100644
index 0000000000..39ebe22668
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch
@@ -0,0 +1,123 @@
+From 871b9066027702e6e6589da0e1edd3b7dede7205 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 14 Aug 2019 12:09:08 +0800
+Subject: [PATCH] ALSA: hda - Add a generic reboot_notify
+Git-commit: 871b9066027702e6e6589da0e1edd3b7dede7205
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+Make codec enter D3 before rebooting or poweroff can fix the noise
+issue on some laptops. And in theory it is harmless for all codecs
+to enter D3 before rebooting or poweroff, let us add a generic
+reboot_notify, then realtek and conexant drivers can call this
+function.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/hda_generic.c | 19 +++++++++++++++++++
+ sound/pci/hda/hda_generic.h | 1 +
+ sound/pci/hda/patch_conexant.c | 6 +-----
+ sound/pci/hda/patch_realtek.c | 11 +----------
+ 4 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 8f2beb1f3ae4..5bf24fb819d2 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -6051,6 +6051,24 @@ void snd_hda_gen_free(struct hda_codec *codec)
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_gen_free);
+
++/**
++ * snd_hda_gen_reboot_notify - Make codec enter D3 before rebooting
++ * @codec: the HDA codec
++ *
++ * This can be put as patch_ops reboot_notify function.
++ */
++void snd_hda_gen_reboot_notify(struct hda_codec *codec)
++{
++ /* Make the codec enter D3 to avoid spurious noises from the internal
++ * speaker during (and after) reboot
++ */
++ snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
++ snd_hda_codec_write(codec, codec->core.afg, 0,
++ AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
++ msleep(10);
++}
++EXPORT_SYMBOL_GPL(snd_hda_gen_reboot_notify);
++
+ #ifdef CONFIG_PM
+ /**
+ * snd_hda_gen_check_power_status - check the loopback power save state
+@@ -6078,6 +6096,7 @@ static const struct hda_codec_ops generic_patch_ops = {
+ .init = snd_hda_gen_init,
+ .free = snd_hda_gen_free,
+ .unsol_event = snd_hda_jack_unsol_event,
++ .reboot_notify = snd_hda_gen_reboot_notify,
+ #ifdef CONFIG_PM
+ .check_power_status = snd_hda_gen_check_power_status,
+ #endif
+diff --git a/sound/pci/hda/hda_generic.h b/sound/pci/hda/hda_generic.h
+index 35a670a71c42..5f199dcb0d18 100644
+--- a/sound/pci/hda/hda_generic.h
++++ b/sound/pci/hda/hda_generic.h
+@@ -332,6 +332,7 @@ int snd_hda_gen_parse_auto_config(struct hda_codec *codec,
+ struct auto_pin_cfg *cfg);
+ int snd_hda_gen_build_controls(struct hda_codec *codec);
+ int snd_hda_gen_build_pcms(struct hda_codec *codec);
++void snd_hda_gen_reboot_notify(struct hda_codec *codec);
+
+ /* standard jack event callbacks */
+ void snd_hda_gen_hp_automute(struct hda_codec *codec,
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 93a303676aea..14298ef45b21 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -166,11 +166,7 @@ static void cx_auto_reboot_notify(struct hda_codec *codec)
+ /* Turn the problematic codec into D3 to avoid spurious noises
+ from the internal speaker during (and after) reboot */
+ cx_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, false);
+-
+- snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
+- snd_hda_codec_write(codec, codec->core.afg, 0,
+- AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
+- msleep(10);
++ snd_hda_gen_reboot_notify(codec);
+ }
+
+ static void cx_auto_free(struct hda_codec *codec)
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 8aaf1d9c55cf..e333b3e30e31 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -869,15 +869,6 @@ static void alc_reboot_notify(struct hda_codec *codec)
+ alc_shutup(codec);
+ }
+
+-/* power down codec to D3 at reboot/shutdown; set as reboot_notify ops */
+-static void alc_d3_at_reboot(struct hda_codec *codec)
+-{
+- snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
+- snd_hda_codec_write(codec, codec->core.afg, 0,
+- AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
+- msleep(10);
+-}
+-
+ #define alc_free snd_hda_gen_free
+
+ #ifdef CONFIG_PM
+@@ -5152,7 +5143,7 @@ static void alc_fixup_tpt440_dock(struct hda_codec *codec,
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+- spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */
++ spec->reboot_notify = snd_hda_gen_reboot_notify; /* reduce noise */
+ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
+ codec->power_save_node = 0; /* avoid click noises */
+ snd_hda_apply_pincfgs(codec, pincfgs);
+--
+2.16.4
+
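Review bot: The kernel-doc for `snd_hda_gen_reboot_notify()` does not mention that the function sleeps (`msleep(10)`), which matters to anyone wiring it into another callback; add a line such as `* May sleep; call from process context only.` The second hunk also installs it in `generic_patch_ops`, so every codec using the generic ops now enters D3 at reboot, which goes beyond the realtek and conexant callers the description names. A short comment at the `.reboot_notify` line, e.g. `/* power down to D3 at reboot for all generic codecs */`, would make that intent explicit.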
diff --git a/patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch b/patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
new file mode 100644
index 0000000000..e705cc901d
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
@@ -0,0 +1,37 @@
+From de768ce45466f3009809719eb7b1f6f5277d9373 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 9 Aug 2019 11:23:00 +0200
+Subject: [PATCH] ALSA: hda - Apply workaround for another AMD chip 1022:1487
+Git-commit: de768ce45466f3009809719eb7b1f6f5277d9373
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+MSI MPG X570 board is with another AMD HD-audio controller (PCI ID
+1022:1487) and it requires the same workaround applied for X370, etc
+(PCI ID 1022:1457).
+
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index a6d8c0d77b84..99fc0917339b 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2508,6 +2508,9 @@ static const struct pci_device_id azx_ids[] = {
+ /* AMD, X370 & co */
+ { PCI_DEVICE(0x1022, 0x1457),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
++ /* AMD, X570 & co */
++ { PCI_DEVICE(0x1022, 0x1487),
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
+ /* AMD Stoney */
+ { PCI_DEVICE(0x1022, 0x157a),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch b/patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
new file mode 100644
index 0000000000..5b401274b4
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
@@ -0,0 +1,39 @@
+From cfef67f016e4c00a2f423256fc678a6967a9fc09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Fri, 9 Aug 2019 23:29:48 -0500
+Subject: [PATCH] ALSA: hda - Fix a memory leak bug
+Git-commit: cfef67f016e4c00a2f423256fc678a6967a9fc09
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+In snd_hda_parse_generic_codec(), 'spec' is allocated through kzalloc().
+Then, the pin widgets in 'codec' are parsed. However, if the parsing
+process fails, 'spec' is not deallocated, leading to a memory leak.
+
+To fix the above issue, free 'spec' before returning the error.
+
+Fixes: 352f7f914ebb ("ALSA: hda - Merge Realtek parser code to generic parser")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/hda_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 485edaba0037..8f2beb1f3ae4 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -6100,7 +6100,7 @@ static int snd_hda_parse_generic_codec(struct hda_codec *codec)
+
+ err = snd_hda_parse_pin_defcfg(codec, &spec->autocfg, NULL, 0);
+ if (err < 0)
+- return err;
++ goto error;
+
+ err = snd_hda_gen_parse_auto_config(codec, &spec->autocfg);
+ if (err < 0)
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch b/patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch
new file mode 100644
index 0000000000..18dd8d5104
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch
@@ -0,0 +1,50 @@
+From 401714d9534aad8c24196b32600da683116bbe09 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 14 Aug 2019 12:09:07 +0800
+Subject: [PATCH] ALSA: hda - Let all conexant codec enter D3 when rebooting
+Git-commit: 401714d9534aad8c24196b32600da683116bbe09
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+We have 3 new lenovo laptops which have conexant codec 0x14f11f86,
+these 3 laptops also have the noise issue when rebooting, after
+letting the codec enter D3 before rebooting or poweroff, the noise
+disappers.
+
+Instead of adding a new ID again in the reboot_notify(), let us make
+this function apply to all conexant codec. In theory make codec enter
+D3 before rebooting or poweroff is harmless, and I tested this change
+on a couple of other Lenovo laptops which have different conexant
+codecs, there is no side effect so far.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_conexant.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index f299f137eaea..93a303676aea 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -163,15 +163,6 @@ static void cx_auto_reboot_notify(struct hda_codec *codec)
+ {
+ struct conexant_spec *spec = codec->spec;
+
+- switch (codec->core.vendor_id) {
+- case 0x14f12008: /* CX8200 */
+- case 0x14f150f2: /* CX20722 */
+- case 0x14f150f4: /* CX20724 */
+- break;
+- default:
+- return;
+- }
+-
+ /* Turn the problematic codec into D3 to avoid spurious noises
+ from the internal speaker during (and after) reboot */
+ cx_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, false);
+--
+2.16.4
+
diff --git a/patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch b/patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
new file mode 100644
index 0000000000..32d6cb9c24
--- /dev/null
+++ b/patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
@@ -0,0 +1,83 @@
+From e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander <roderick@gaikai.com>
+Date: Fri, 2 Aug 2019 15:50:19 -0700
+Subject: [PATCH] HID: sony: Fix race condition between rumble and device remove.
+Git-commit: e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
+gamepad while rumble is enabled. This issue is reproducible with a
+frequency of 1 in 3 times in the game Borderlands 2 when using an
+automatic weapon, which triggers many rumble operations.
+
+We found the issue to be a race condition between sony_remove and the
+final device destruction by the HID / input system. The problem was
+that sony_remove didn't clean some of its work_item state in
+"struct sony_sc". After sony_remove work, the corresponding evdev
+node was around for sufficient time for applications to still queue
+rumble work after "sony_remove".
+
+On pre-4.19 kernels the race condition caused a kernel crash due to a
+NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
+sony_remove. On newer kernels this crash doesn't happen due the buffer
+now being allocated using devm_kzalloc. However we can still queue work,
+while the driver is an undefined state.
+
+This patch fixes the described problem, by guarding the work_item
+"state_worker" with an initialized variable, which we are setting back
+to 0 on cleanup.
+
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-sony.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index 93942063b51b..49dd2d905c7f 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -585,10 +585,14 @@ static void sony_set_leds(struct sony_sc *sc);
+ static inline void sony_schedule_work(struct sony_sc *sc,
+ enum sony_worker which)
+ {
++ unsigned long flags;
++
+ switch (which) {
+ case SONY_WORKER_STATE:
+- if (!sc->defer_initialization)
++ spin_lock_irqsave(&sc->lock, flags);
++ if (!sc->defer_initialization && sc->state_worker_initialized)
+ schedule_work(&sc->state_worker);
++ spin_unlock_irqrestore(&sc->lock, flags);
+ break;
+ case SONY_WORKER_HOTPLUG:
+ if (sc->hotplug_worker_initialized)
+@@ -2558,13 +2562,18 @@ static inline void sony_init_output_report(struct sony_sc *sc,
+
+ static inline void sony_cancel_work_sync(struct sony_sc *sc)
+ {
++ unsigned long flags;
++
+ if (sc->hotplug_worker_initialized)
+ cancel_work_sync(&sc->hotplug_worker);
+- if (sc->state_worker_initialized)
++ if (sc->state_worker_initialized) {
++ spin_lock_irqsave(&sc->lock, flags);
++ sc->state_worker_initialized = 0;
++ spin_unlock_irqrestore(&sc->lock, flags);
+ cancel_work_sync(&sc->state_worker);
++ }
+ }
+
+-
+ static int sony_input_configured(struct hid_device *hdev,
+ struct hid_input *hidinput)
+ {
+--
+2.16.4
+
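Review bot: Only `state_worker` gets the clear-under-lock treatment. `hotplug_worker_initialized` is still tested without `sc->lock` in both `sony_schedule_work()` and `sony_cancel_work_sync()`, and it is never reset to 0. The same queue-after-remove window may therefore remain for the hotplug worker, if it can still be scheduled once `sony_remove` has run (its callers are outside these hunks). Consider mirroring the fix with `sc->hotplug_worker_initialized = 0;` under `sc->lock` before `cancel_work_sync(&sc->hotplug_worker)`, and taking the lock around the `SONY_WORKER_HOTPLUG` check. The outer `if (sc->state_worker_initialized)` read in the cancel path is also done before the lock is taken, so a comment stating that only one remover can run here would help.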
diff --git a/patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch b/patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch
new file mode 100644
index 0000000000..c1f6aa33ec
--- /dev/null
+++ b/patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch
@@ -0,0 +1,37 @@
+From 25f8c834e2a6871920cc1ca113f02fb301d007c3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 12 Jul 2019 11:37:17 -0700
+Subject: [PATCH] Input: synaptics - enable RMI mode for HP Spectre X360
+Git-commit: 25f8c834e2a6871920cc1ca113f02fb301d007c3
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+The 2016 kabylake HP Spectre X360 (model number 13-w013dx) works much better
+with psmouse.synaptics_intertouch=1 kernel parameter, so let's enable RMI4
+mode automatically.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204115
+Reported-by: Nate Graham <pointedstick@zoho.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index b1956ed4c0dd..46bbe99d6511 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -182,6 +182,7 @@ static const char * const smbus_pnp_ids[] = {
+ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
++ "SYN323d", /* HP Spectre X360 13-w013dx */
+ NULL
+ };
+
+--
+2.16.4
+
diff --git a/patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch b/patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch
new file mode 100644
index 0000000000..f1a9697d61
--- /dev/null
+++ b/patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch
@@ -0,0 +1,54 @@
+From 5515e9a6273b8c02034466bcbd717ac9f53dab99 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Tue, 16 Jul 2019 16:30:09 -0700
+Subject: [PATCH] drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
+Git-commit: 5515e9a6273b8c02034466bcbd717ac9f53dab99
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The PPS assert/clear offset corrections are set by the PPS_SETPARAMS
+ioctl in the pps_ktime structs, which also contain flags. The flags are
+not initialized by applications (using the timepps.h header) and they
+are not used by the kernel for anything except returning them back in
+the PPS_GETPARAMS ioctl.
+
+Set the flags to zero to make it clear they are unused and avoid leaking
+uninitialized data of the PPS_SETPARAMS caller to other applications
+that have a read access to the PPS device.
+
+Link: http://lkml.kernel.org/r/20190702092251.24303-1-mlichvar@redhat.com
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Cc: Greg KH <greg@kroah.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pps/pps.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
+index 3a546ec10d90..22a65ad4e46e 100644
+--- a/drivers/pps/pps.c
++++ b/drivers/pps/pps.c
+@@ -152,6 +152,14 @@ static long pps_cdev_ioctl(struct file *file,
+ pps->params.mode |= PPS_CANWAIT;
+ pps->params.api_version = PPS_API_VERS;
+
++ /*
++ * Clear unused fields of pps_kparams to avoid leaking
++ * uninitialized data of the PPS_SETPARAMS caller via
++ * PPS_GETPARAMS
++ */
++ pps->params.assert_off_tu.flags = 0;
++ pps->params.clear_off_tu.flags = 0;
++
+ spin_unlock_irq(&pps->lock);
+
+ break;
+--
+2.16.4
+
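Review bot: The added comment says it clears "unused fields of pps_kparams", but the code zeroes only the two `flags` members. `struct pps_kparams` is defined outside this hunk, so it is not visible here whether padding or other caller-supplied bytes still reach `PPS_GETPARAMS` readers; that is worth confirming against the struct layout. The comment would be more precise if it named the fields, e.g. `/* Zero the unused assert/clear offset flags so the caller's uninitialized data is not returned by PPS_GETPARAMS */`. The enclosing `pps_cdev_ioctl()` case starts and ends outside the hunk.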
diff --git a/patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch b/patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
new file mode 100644
index 0000000000..15d62d6c9c
--- /dev/null
+++ b/patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
@@ -0,0 +1,36 @@
+From ae8cc91a7d85e018c0c267f580820b2bb558cd48 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Tue, 9 Jul 2019 22:04:17 -0700
+Subject: [PATCH] iio: adc: max9611: Fix misuse of GENMASK macro
+Git-commit: ae8cc91a7d85e018c0c267f580820b2bb558cd48
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Arguments are supposed to be ordered high then low.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Fixes: 69780a3bbc0b ("iio: adc: Add Maxim max9611 ADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/adc/max9611.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
+index 917223d5ff5b..0e3c6529fc4c 100644
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -83,7 +83,7 @@
+ #define MAX9611_TEMP_MAX_POS 0x7f80
+ #define MAX9611_TEMP_MAX_NEG 0xff80
+ #define MAX9611_TEMP_MIN_NEG 0xd980
+-#define MAX9611_TEMP_MASK GENMASK(7, 15)
++#define MAX9611_TEMP_MASK GENMASK(15, 7)
+ #define MAX9611_TEMP_SHIFT 0x07
+ #define MAX9611_TEMP_RAW(_r) ((_r) >> MAX9611_TEMP_SHIFT)
+ #define MAX9611_TEMP_SCALE_NUM 1000000
+--
+2.16.4
+
diff --git a/patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch b/patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch
new file mode 100644
index 0000000000..ed379a6a97
--- /dev/null
+++ b/patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch
@@ -0,0 +1,39 @@
+From c43f28dfdc4654e738aa6d3fd08a105b2bee758d Mon Sep 17 00:00:00 2001
+From: Gavin Li <git@thegavinli.com>
+Date: Sun, 4 Aug 2019 16:50:44 -0700
+Subject: [PATCH] usb: usbfs: fix double-free of usb memory upon submiturb error
+Git-commit: c43f28dfdc4654e738aa6d3fd08a105b2bee758d
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
+gets called once by the error handling tail and again by free_async().
+Remove the first call.
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/devio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index b265ab5405f9..9063ede411ae 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1812,8 +1812,6 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
+ return 0;
+
+ error:
+- if (as && as->usbm)
+- dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
+ kfree(isopkt);
+ kfree(dr);
+ if (as)
+--
+2.16.4
+
diff --git a/patches.drm/drm-silence-variable-conn-set-but-not-used.patch b/patches.drm/drm-silence-variable-conn-set-but-not-used.patch
new file mode 100644
index 0000000000..69d4f567fb
--- /dev/null
+++ b/patches.drm/drm-silence-variable-conn-set-but-not-used.patch
@@ -0,0 +1,38 @@
+From bbb6fc43f131f77fcb7ae8081f6d7c51396a2120 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 22 Jul 2019 15:14:46 -0400
+Subject: [PATCH] drm: silence variable 'conn' set but not used
+Git-commit: bbb6fc43f131f77fcb7ae8081f6d7c51396a2120
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+The "struct drm_connector" iteration cursor from
+"for_each_new_connector_in_state" is never used in atomic_remove_fb()
+which generates a compilation warning,
+
+Drivers/gpu/drm/drm_framebuffer.c: In function 'atomic_remove_fb':
+drivers/gpu/drm/drm_framebuffer.c:838:24: warning: variable 'conn' set
+but not used [-Wunused-but-set-variable]
+
+Silence it by marking "conn" __maybe_unused.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1563822886-13570-1-git-send-email-cai@lca.pw
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_framebuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_framebuffer.c
++++ b/drivers/gpu/drm/drm_framebuffer.c
+@@ -774,7 +774,7 @@ static int atomic_remove_fb(struct drm_f
+ struct drm_device *dev = fb->dev;
+ struct drm_atomic_state *state;
+ struct drm_plane *plane;
+- struct drm_connector *conn;
++ struct drm_connector *conn __maybe_unused;
+ struct drm_connector_state *conn_state;
+ int i, ret = 0;
+ unsigned plane_mask;
diff --git a/patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch b/patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch
new file mode 100644
index 0000000000..6d9c7f5637
--- /dev/null
+++ b/patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch
@@ -0,0 +1,139 @@
+From 9f00baf74e4b6f79a3a3dfab44fb7bb2e797b551 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Tue, 30 Jul 2019 16:05:24 +0000
+Subject: [PATCH] crypto: ccp - Add support for valid authsize values less than 16
+Git-commit: 9f00baf74e4b6f79a3a3dfab44fb7bb2e797b551
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+AES GCM encryption allows for authsize values of 4, 8, and 12-16 bytes.
+Validate the requested authsize, and retain it to save in the request
+context.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-galois.c | 14 ++++++++++++++
+ drivers/crypto/ccp/ccp-ops.c | 26 +++++++++++++++++++++-----
+ include/linux/ccp.h | 2 ++
+ 3 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/ccp/ccp-crypto-aes-galois.c b/drivers/crypto/ccp/ccp-crypto-aes-galois.c
+index d22631cb2bb3..02eba84028b3 100644
+--- a/drivers/crypto/ccp/ccp-crypto-aes-galois.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-galois.c
+@@ -58,6 +58,19 @@ static int ccp_aes_gcm_setkey(struct crypto_aead *tfm, const u8 *key,
+ static int ccp_aes_gcm_setauthsize(struct crypto_aead *tfm,
+ unsigned int authsize)
+ {
++ switch (authsize) {
++ case 16:
++ case 15:
++ case 14:
++ case 13:
++ case 12:
++ case 8:
++ case 4:
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+@@ -104,6 +117,7 @@ static int ccp_aes_gcm_crypt(struct aead_request *req, bool encrypt)
+ memset(&rctx->cmd, 0, sizeof(rctx->cmd));
+ INIT_LIST_HEAD(&rctx->cmd.entry);
+ rctx->cmd.engine = CCP_ENGINE_AES;
++ rctx->cmd.u.aes.authsize = crypto_aead_authsize(tfm);
+ rctx->cmd.u.aes.type = ctx->u.aes.type;
+ rctx->cmd.u.aes.mode = ctx->u.aes.mode;
+ rctx->cmd.u.aes.action = encrypt;
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index 59f9849c3662..ef723e2722a8 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -622,6 +622,7 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+
+ unsigned long long *final;
+ unsigned int dm_offset;
++ unsigned int authsize;
+ unsigned int jobid;
+ unsigned int ilen;
+ bool in_place = true; /* Default value */
+@@ -643,6 +644,21 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+ if (!aes->key) /* Gotta have a key SGL */
+ return -EINVAL;
+
++ /* Zero defaults to 16 bytes, the maximum size */
++ authsize = aes->authsize ? aes->authsize : AES_BLOCK_SIZE;
++ switch (authsize) {
++ case 16:
++ case 15:
++ case 14:
++ case 13:
++ case 12:
++ case 8:
++ case 4:
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ /* First, decompose the source buffer into AAD & PT,
+ * and the destination buffer into AAD, CT & tag, or
+ * the input into CT & tag.
+@@ -657,7 +673,7 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+ p_tag = scatterwalk_ffwd(sg_tag, p_outp, ilen);
+ } else {
+ /* Input length for decryption includes tag */
+- ilen = aes->src_len - AES_BLOCK_SIZE;
++ ilen = aes->src_len - authsize;
+ p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen);
+ }
+
+@@ -839,19 +855,19 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+
+ if (aes->action == CCP_AES_ACTION_ENCRYPT) {
+ /* Put the ciphered tag after the ciphertext. */
+- ccp_get_dm_area(&final_wa, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ccp_get_dm_area(&final_wa, 0, p_tag, 0, authsize);
+ } else {
+ /* Does this ciphered tag match the input? */
+- ret = ccp_init_dm_workarea(&tag, cmd_q, AES_BLOCK_SIZE,
++ ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
+ DMA_BIDIRECTIONAL);
+ if (ret)
+ goto e_tag;
+- ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
+ if (ret)
+ goto e_tag;
+
+ ret = crypto_memneq(tag.address, final_wa.address,
+- AES_BLOCK_SIZE) ? -EBADMSG : 0;
++ authsize) ? -EBADMSG : 0;
+ ccp_dm_free(&tag);
+ }
+
+diff --git a/include/linux/ccp.h b/include/linux/ccp.h
+index 7e9c991c95e0..43ed9e77cf81 100644
+--- a/include/linux/ccp.h
++++ b/include/linux/ccp.h
+@@ -173,6 +173,8 @@ struct ccp_aes_engine {
+ enum ccp_aes_mode mode;
+ enum ccp_aes_action action;
+
++ u32 authsize;
++
+ struct scatterlist *key;
+ u32 key_len; /* In bytes */
+
+--
+2.16.4
+
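Review bot: In the decrypt branch of `ccp_run_aes_gcm_cmd()`, `ilen = aes->src_len - authsize;` is unsigned arithmetic and this hunk shows no lower bound on `src_len`. A `src_len` shorter than the tag would wrap `ilen` and pass a very large offset to `scatterwalk_ffwd()`. The function starts and continues outside the hunk, so an earlier check may exist; if none does, add `if (aes->src_len < authsize) return -EINVAL;` before the subtraction. The 4/8/12-16 `switch` is also duplicated verbatim in `ccp_aes_gcm_setauthsize()`, and a shared helper would keep the two accepted-size lists from drifting apart.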
diff --git a/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch b/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
index dbd56525c1..d086a0ff50 100644
--- a/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
+++ b/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
@@ -26,7 +26,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
-@@ -1230,6 +1230,9 @@ static int ccp_run_des3_cmd(struct ccp_c
+@@ -1265,6 +1265,9 @@ static int ccp_run_des3_cmd(struct ccp_c
int ret;
/* Error checks */
@@ -36,7 +36,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
if (!cmd_q->ccp->vdata->perform->des3)
return -EINVAL;
-@@ -1306,8 +1309,6 @@ static int ccp_run_des3_cmd(struct ccp_c
+@@ -1347,8 +1350,6 @@ static int ccp_run_des3_cmd(struct ccp_c
* passthru option to convert from big endian to little endian.
*/
if (des3->mode != CCP_DES3_MODE_ECB) {
@@ -45,9 +45,9 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
op.sb_ctx = cmd_q->sb_ctx;
ret = ccp_init_dm_workarea(&ctx, cmd_q,
-@@ -1320,12 +1321,8 @@ static int ccp_run_des3_cmd(struct ccp_c
- dm_offset = CCP_SB_BYTES - des3->iv_len;
- ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0, des3->iv_len);
+@@ -1364,12 +1365,8 @@ static int ccp_run_des3_cmd(struct ccp_c
+ if (ret)
+ goto e_ctx;
- if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0))
- load_mode = CCP_PASSTHRU_BYTESWAP_NOOP;
@@ -59,7 +59,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
if (ret) {
cmd->engine_error = cmd_q->cmd_error;
goto e_ctx;
-@@ -1387,10 +1384,6 @@ static int ccp_run_des3_cmd(struct ccp_c
+@@ -1431,10 +1428,6 @@ static int ccp_run_des3_cmd(struct ccp_c
}
/* ...but we only need the last DES3_EDE_BLOCK_SIZE bytes */
diff --git a/patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch b/patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch
new file mode 100644
index 0000000000..85af63bc79
--- /dev/null
+++ b/patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch
@@ -0,0 +1,263 @@
+From b698a9f4c5c52317db486b069190c7e3d2b97e7e Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Wed, 7 Mar 2018 11:31:14 -0600
+Subject: [PATCH] crypto: ccp - Validate buffer lengths for copy operations
+Git-commit: b698a9f4c5c52317db486b069190c7e3d2b97e7e
+Patch-mainline: v4.17-rc1
+References: bsc#1051510
+
+The CCP driver copies data between scatter/gather lists and DMA buffers.
+The length of the requested copy operation must be checked against
+the available destination buffer length.
+
+Reported-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/ccp/ccp-ops.c | 108 +++++++++++++++++++++++++++++++------------
+ 1 file changed, 78 insertions(+), 30 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -178,14 +178,18 @@ static int ccp_init_dm_workarea(struct c
+ return 0;
+ }
+
+-static void ccp_set_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
+- struct scatterlist *sg, unsigned int sg_offset,
+- unsigned int len)
++static int ccp_set_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
++ struct scatterlist *sg, unsigned int sg_offset,
++ unsigned int len)
+ {
+ WARN_ON(!wa->address);
+
++ if (len > (wa->length - wa_offset))
++ return -EINVAL;
++
+ scatterwalk_map_and_copy(wa->address + wa_offset, sg, sg_offset, len,
+ 0);
++ return 0;
+ }
+
+ static void ccp_get_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
+@@ -205,8 +209,11 @@ static int ccp_reverse_set_dm_area(struc
+ unsigned int len)
+ {
+ u8 *p, *q;
++ int rc;
+
+- ccp_set_dm_area(wa, wa_offset, sg, sg_offset, len);
++ rc = ccp_set_dm_area(wa, wa_offset, sg, sg_offset, len);
++ if (rc)
++ return rc;
+
+ p = wa->address + wa_offset;
+ q = p + len - 1;
+@@ -509,7 +516,9 @@ static int ccp_run_aes_cmac_cmd(struct c
+ return ret;
+
+ dm_offset = CCP_SB_BYTES - aes->key_len;
+- ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ if (ret)
++ goto e_key;
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -528,7 +537,9 @@ static int ccp_run_aes_cmac_cmd(struct c
+ goto e_key;
+
+ dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_ctx;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -556,8 +567,10 @@ static int ccp_run_aes_cmac_cmd(struct c
+ goto e_src;
+ }
+
+- ccp_set_dm_area(&ctx, 0, aes->cmac_key, 0,
+- aes->cmac_key_len);
++ ret = ccp_set_dm_area(&ctx, 0, aes->cmac_key, 0,
++ aes->cmac_key_len);
++ if (ret)
++ goto e_src;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -666,7 +679,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ return ret;
+
+ dm_offset = CCP_SB_BYTES - aes->key_len;
+- ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ if (ret)
++ goto e_key;
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -685,7 +700,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ goto e_key;
+
+ dm_offset = CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES - aes->iv_len;
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_ctx;
+
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+@@ -777,7 +794,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ goto e_dst;
+ }
+
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_dst;
+
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+@@ -820,7 +839,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ DMA_BIDIRECTIONAL);
+ if (ret)
+ goto e_tag;
+- ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
++ if (ret)
++ goto e_tag;
+
+ ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE);
+ ccp_dm_free(&tag);
+@@ -914,7 +935,9 @@ static int ccp_run_aes_cmd(struct ccp_cm
+ return ret;
+
+ dm_offset = CCP_SB_BYTES - aes->key_len;
+- ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ if (ret)
++ goto e_key;
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -935,7 +958,9 @@ static int ccp_run_aes_cmd(struct ccp_cm
+ if (aes->mode != CCP_AES_MODE_ECB) {
+ /* Load the AES context - convert to LE */
+ dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_ctx;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -1111,8 +1136,12 @@ static int ccp_run_xts_aes_cmd(struct cc
+ * big endian to little endian.
+ */
+ dm_offset = CCP_SB_BYTES - AES_KEYSIZE_128;
+- ccp_set_dm_area(&key, dm_offset, xts->key, 0, xts->key_len);
+- ccp_set_dm_area(&key, 0, xts->key, xts->key_len, xts->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, xts->key, 0, xts->key_len);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, 0, xts->key, xts->key_len, xts->key_len);
++ if (ret)
++ goto e_key;
+ } else {
+ /* Version 5 CCPs use a 512-bit space for the key: each portion
+ * occupies 256 bits, or one entire slot, and is zero-padded.
+@@ -1121,9 +1150,13 @@ static int ccp_run_xts_aes_cmd(struct cc
+
+ dm_offset = CCP_SB_BYTES;
+ pad = dm_offset - xts->key_len;
+- ccp_set_dm_area(&key, pad, xts->key, 0, xts->key_len);
+- ccp_set_dm_area(&key, dm_offset + pad, xts->key, xts->key_len,
+- xts->key_len);
++ ret = ccp_set_dm_area(&key, pad, xts->key, 0, xts->key_len);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, dm_offset + pad, xts->key,
++ xts->key_len, xts->key_len);
++ if (ret)
++ goto e_key;
+ }
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+@@ -1142,7 +1175,9 @@ static int ccp_run_xts_aes_cmd(struct cc
+ if (ret)
+ goto e_key;
+
+- ccp_set_dm_area(&ctx, 0, xts->iv, 0, xts->iv_len);
++ ret = ccp_set_dm_area(&ctx, 0, xts->iv, 0, xts->iv_len);
++ if (ret)
++ goto e_ctx;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_NOOP);
+ if (ret) {
+@@ -1285,12 +1320,18 @@ static int ccp_run_des3_cmd(struct ccp_c
+ dm_offset = CCP_SB_BYTES - des3->key_len; /* Basic offset */
+
+ len_singlekey = des3->key_len / 3;
+- ccp_set_dm_area(&key, dm_offset + 2 * len_singlekey,
+- des3->key, 0, len_singlekey);
+- ccp_set_dm_area(&key, dm_offset + len_singlekey,
+- des3->key, len_singlekey, len_singlekey);
+- ccp_set_dm_area(&key, dm_offset,
+- des3->key, 2 * len_singlekey, len_singlekey);
++ ret = ccp_set_dm_area(&key, dm_offset + 2 * len_singlekey,
++ des3->key, 0, len_singlekey);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, dm_offset + len_singlekey,
++ des3->key, len_singlekey, len_singlekey);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, dm_offset,
++ des3->key, 2 * len_singlekey, len_singlekey);
++ if (ret)
++ goto e_key;
+
+ /* Copy the key to the SB */
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+@@ -1318,7 +1359,10 @@ static int ccp_run_des3_cmd(struct ccp_c
+
+ /* Load the context into the LSB */
+ dm_offset = CCP_SB_BYTES - des3->iv_len;
+- ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0, des3->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0,
++ des3->iv_len);
++ if (ret)
++ goto e_ctx;
+
+ if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0))
+ load_mode = CCP_PASSTHRU_BYTESWAP_NOOP;
+@@ -1602,8 +1646,10 @@ static int ccp_run_sha_cmd(struct ccp_cm
+ }
+ } else {
+ /* Restore the context */
+- ccp_set_dm_area(&ctx, 0, sha->ctx, 0,
+- sb_count * CCP_SB_BYTES);
++ ret = ccp_set_dm_area(&ctx, 0, sha->ctx, 0,
++ sb_count * CCP_SB_BYTES);
++ if (ret)
++ goto e_ctx;
+ }
+
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+@@ -1903,7 +1949,9 @@ static int ccp_run_passthru_cmd(struct c
+ if (ret)
+ return ret;
+
+- ccp_set_dm_area(&mask, 0, pt->mask, 0, pt->mask_len);
++ ret = ccp_set_dm_area(&mask, 0, pt->mask, 0, pt->mask_len);
++ if (ret)
++ goto e_mask;
+ ret = ccp_copy_to_sb(cmd_q, &mask, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_NOOP);
+ if (ret) {
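Review bot: The new bound check in ccp_set_dm_area, `if (len > (wa->length - wa_offset))`, does not reject a wa_offset that is larger than wa->length. wa_offset is an unsigned int, so the subtraction wraps and the comparison can still pass (assuming wa->length is unsigned as well; its declaration is not in the hunk). Callers in this patch derive the offset from request fields, for example `dm_offset = CCP_SB_BYTES - aes->key_len`, so an oversized length can surface as an oversized offset rather than an oversized len. I would test the offset first: `if (wa_offset > wa->length || len > wa->length - wa_offset) return -EINVAL;`. The context line for ccp_get_dm_area shows it still returns void, so the copy in the other direction appears to remain unchecked.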
diff --git a/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch b/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch
index 2669c284ca..8f6df25061 100644
--- a/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch
+++ b/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch
@@ -21,9 +21,9 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
-@@ -832,7 +832,8 @@ static int ccp_run_aes_gcm_cmd(struct cc
+@@ -853,7 +853,8 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ if (ret)
goto e_tag;
- ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
- ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE);
+ ret = crypto_memneq(tag.address, final_wa.address,
diff --git a/patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch b/patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
new file mode 100644
index 0000000000..7e6bce328c
--- /dev/null
+++ b/patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
@@ -0,0 +1,52 @@
+From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 26 Jul 2019 15:47:58 -0700
+Subject: [PATCH] mac80211: don't WARN on short WMM parameters from AP
+Git-commit: 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN
+on bad WMM parameters from buggy APs"), an AP may not transmit a
+fully-formed WMM IE. For example, it may miss or repeat an Access
+Category. The above loop won't catch that and will instead leave one of
+the four ACs zeroed out. This triggers the following warning in
+drv_conf_tx()
+
+ wlan0: invalid CW_min/CW_max: 0/0
+
+and it may leave one of the hardware queues unconfigured. If we detect
+such a case, let's just print a warning and fall back to the defaults.
+
+Tested with a hacked version of hostapd, intentionally corrupting the
+IEs in hostapd_eid_wmm().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/mlme.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1872,6 +1872,16 @@ static bool ieee80211_sta_wmm_params(str
+ }
+ }
+
++ /* WMM specification requires all 4 ACIs. */
++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ if (params[ac].cw_min == 0) {
++ sdata_info(sdata,
++ "AP has invalid WMM params (missing AC %d), using defaults\n",
++ ac);
++ return false;
++ }
++ }
++
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ mlme_dbg(sdata,
+ "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
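Review bot: The added loop in ieee80211_sta_wmm_params uses `params[ac].cw_min == 0` as the marker for an AC the AP never supplied, but the comment only cites the specification and does not state that assumption. It holds only if params[] is zeroed before the parsing loop, which lies outside the hunk, as do the start and end of the function. I would extend the comment to `/* WMM requires all 4 ACIs; params[] starts zeroed, so cw_min == 0 means this AC was never set. */`. Since the sdata_info() line is triggered by AP-supplied data, it is also worth confirming how often this path can run per association, and rate limiting the message if it can repeat.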
diff --git a/patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch b/patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch
new file mode 100644
index 0000000000..c00726a7bc
--- /dev/null
+++ b/patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch
@@ -0,0 +1,54 @@
+From d2b3fe42bc629c2d4002f652b3abdfb2e72991c7 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 17 Jul 2019 18:57:12 -0700
+Subject: [PATCH] mac80211: don't warn about CW params when not using them
+Git-commit: d2b3fe42bc629c2d4002f652b3abdfb2e72991c7
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+ieee80211_set_wmm_default() normally sets up the initial CW min/max for
+each queue, except that it skips doing this if the driver doesn't
+support ->conf_tx. We still end up calling drv_conf_tx() in some cases
+(e.g., ieee80211_reconfig()), which also still won't do anything
+useful...except it complains here about the invalid CW parameters.
+
+Let's just skip the WARN if we weren't going to do anything useful with
+the parameters.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20190718015712.197499-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/driver-ops.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c
+index acd4afb4944b..c9a8a2433e8a 100644
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -187,11 +187,16 @@ int drv_conf_tx(struct ieee80211_local *local,
+ if (!check_sdata_in_driver(sdata))
+ return -EIO;
+
+- if (WARN_ONCE(params->cw_min == 0 ||
+- params->cw_min > params->cw_max,
+- "%s: invalid CW_min/CW_max: %d/%d\n",
+- sdata->name, params->cw_min, params->cw_max))
++ if (params->cw_min == 0 || params->cw_min > params->cw_max) {
++ /*
++ * If we can't configure hardware anyway, don't warn. We may
++ * never have initialized the CW parameters.
++ */
++ WARN_ONCE(local->ops->conf_tx,
++ "%s: invalid CW_min/CW_max: %d/%d\n",
++ sdata->name, params->cw_min, params->cw_max);
+ return -EINVAL;
++ }
+
+ trace_drv_conf_tx(local, sdata, ac, params);
+ if (local->ops->conf_tx)
+--
+2.16.4
+
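Review bot: The `WARN_ONCE` that remains in drv_conf_tx when `local->ops->conf_tx` is set still relies on every caller having validated `params` beforehand, and the new comment does not say so. The description of the companion WMM patch in this merge shows an AP-supplied element reaching this warning. A WARN produces a stack trace in the log, and a panic where `panic_on_warn` is set, so it should stay reserved for internal bugs. I would add a line to the comment such as `/* Callers must reject peer-supplied cw_min == 0 or cw_min > cw_max before calling; this WARN flags internal bugs only. */`. The body of drv_conf_tx starts before and continues after the hunk.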
diff --git a/series.conf b/series.conf
index c2bf3543cb..de162368b3 100644
--- a/series.conf
+++ b/series.conf
@@ -15098,6 +15098,7 @@
patches.drivers/crypto-chelsio-Fix-src-buffer-dma-length.patch
patches.drivers/crypto-chelsio-Update-IV-before-sending-request-to-H.patch
patches.drivers/crypto-chelsio-Fix-iv-passed-in-fallback-path-for-rf.patch
+ patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch
patches.drivers/crypto-arm-arm64-Fix-random-regeneration-of-S_shippe
patches.drivers/crypto-lrw-Free-rctx-ext-with-kzfree
patches.drivers/crypto-chelsio-don-t-leak-pointers-to-authenc-keys.patch
@@ -23392,6 +23393,7 @@
patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch
patches.drivers/0022-drivers-rapidio-devices-rio_mport_cdev.c-NUL-termina.patch
+ patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch
patches.drivers/dmaengine-hsu-Revert-set-HSU_CH_MTSR-to-memory-width.patch
patches.drivers/0008-dmaengine-rcar-dmac-Reject-zero-length-slave-DMA-req.patch
patches.drivers/clk-qcom-Fix-Wunused-const-variable.patch
@@ -23427,6 +23429,7 @@
patches.drivers/Input-psmouse-fix-build-error-of-multiple-definition.patch
patches.drivers/Input-alps-fix-a-mismatch-between-a-condition-check-.patch
patches.fixes/0001-mac80211-fix-possible-memory-leak-in-ieee80211_assig.patch
+ patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch
patches.drivers/bnx2x-Prevent-load-reordering-in-tx-completion-proce.patch
patches.drivers/be2net-Synchronize-be_update_queues-with-dev_watchdo.patch
patches.fixes/tcp-be-more-careful-in-tcp_fragment.patch
@@ -23443,6 +23446,7 @@
patches.drivers/ALSA-hda-Add-a-conexant-codec-entry-to-let-mute-led-.patch
patches.fixes/nvme-fix-memory-leak-caused-by-incorrect-subsystem-free.patch
patches.fixes/ACPI-IORT-Fix-off-by-one-check-in-iort_dev_find_its_.patch
+ patches.drm/drm-silence-variable-conn-set-but-not-used.patch
patches.drivers/scsi-ibmvfc-fix-WARN_ON-during-event-pool-release.patch
patches.fixes/drivers-base-introduce-kill_device.patch
patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch
@@ -23475,10 +23479,12 @@
patches.drivers/0013-HID-wacom-fix-bit-shift-for-Cintiq-Companion-2.patch
patches.drivers/HID-Add-quirk-for-HP-X1200-PIXART-OEM-mouse.patch
patches.drivers/hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch
+ patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
patches.fixes/bonding-Force-slave-speed-check-after-link-state-rec.patch
patches.drivers/sky2-Disable-MSI-on-ASUS-P6T.patch
patches.drivers/0003-can-rcar_canfd-fix-possible-IRQ-storm-on-high-load.patch
patches.drivers/0004-can-peak_usb-fix-potential-double-kfree_skb.patch
+ patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
patches.drivers/0005-can-peak_usb-pcan_usb_fd-Fix-info-leaks-to-USB-devic.patch
patches.drivers/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch
patches.drivers/mwifiex-fix-802.11n-WPA-detection.patch
@@ -23488,6 +23494,7 @@
patches.drivers/iwlwifi-mvm-fix-an-out-of-bound-access.patch
patches.drivers/hwmon-nct7802-Fix-wrong-detection-of-in4-presence.patch
patches.fixes/crypto-ccp-Fix-oops-by-properly-managing-allocated-s.patch
+ patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch
patches.fixes/crypto-ccp-Ignore-tag-length-when-decrypting-GCM-cip.patch
patches.drivers/ASoC-dapm-Fix-handling-of-custom_stop_condition-on-D.patch
patches.drivers/ALSA-hda-Don-t-override-global-PCM-hw-info-flag.patch
@@ -23498,11 +23505,18 @@
patches.drivers/mmc-cavium-Set-the-correct-dma-max-segment-size-for-.patch
patches.drivers/mmc-cavium-Add-the-missing-dma-unmap-when-the-dma-ha.patch
patches.drm/drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch
+ patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch
patches.arch/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu
patches.drivers/usb-host-xhci-rcar-Fix-timeout-in-xhci_suspend.patch
patches.drivers/usb-yurex-Fix-use-after-free-in-yurex_delete.patch
+ patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch
patches.drivers/usb-iowarrior-fix-deadlock-on-disconnect.patch
+ patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
+ patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
+ patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
+ patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch
+ patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch
patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch