Home Home > GIT Browse > openSUSE-15.1
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-03-22 07:14:03 +0100
committerKernel Build Daemon <kbuild@suse.de>2019-03-22 07:14:03 +0100
commit25014fdcfbf95eb8b7bbfbd4175b7991c8af7a13 (patch)
tree8ca494e519ed7ff4c686e971bd99fb5243211647
parent9f3cd49430ced6f5c531363966c1e0e1f53cbaf0 (diff)
parent01b35ceeaab831bbfc3ecbbaa7b58df3adc537d9 (diff)
Merge branch 'SLE15' into SLE15-AZURErpm-4.12.14-5.24--sle15-updatesrpm-4.12.14-5.24
-rw-r--r--blacklist.conf2
-rw-r--r--config/ppc64le/default2
-rw-r--r--patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch127
-rw-r--r--patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch81
-rw-r--r--patches.fixes/0001-mlxsw-__mlxsw_sp_port_headroom_set-Fix-a-use-of-loca.patch54
-rw-r--r--patches.fixes/0001-net-mlx5-fix-uaccess-beyond-count-in-debugfs-read-wr.patch143
-rw-r--r--patches.fixes/0001-net-stmmac-Fix-a-race-in-EEE-enable-callback.patch65
-rw-r--r--patches.fixes/0001-net-stmmac-Use-mutex-instead-of-spinlock.patch226
-rw-r--r--patches.fixes/0001-net-stmmac-fix-broken-dma_interrupt-handling-for-mul.patch127
-rw-r--r--patches.fixes/0001-net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch42
-rw-r--r--patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch76
-rw-r--r--patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch63
-rw-r--r--series.conf10
13 files changed, 1017 insertions, 1 deletions
diff --git a/blacklist.conf b/blacklist.conf
index b3146fc46c..d8d0badb60 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1011,3 +1011,5 @@ d57f3374ba4817f7c8d26fae8a13d20ac8d31b92 # Too intrusive locking rework
1dded9acf6dc9a34cd27fcf8815507e4e65b3c4f # Too intrusive locking rework
c28445fa06a3a54e06938559b9514c5a7f01c90f # Too intrusive locking rework
a9519defc771d574888ffe01e84747889152ec35 # Just typo fix in a comment
+c9e716eb9b3455a83ed7c5f5a81256a3da779a95 # Just to allow mounting ext2 with ancient kernels
+231fe82b5609c5d679f81073739c6132aaf166ea # Capitalization fix in kconfig
diff --git a/config/ppc64le/default b/config/ppc64le/default
index 521a0c1ac5..76e1cdefbc 100644
--- a/config/ppc64le/default
+++ b/config/ppc64le/default
@@ -4121,7 +4121,7 @@ CONFIG_INFINIBAND_SRPT=m
CONFIG_INFINIBAND_ISER=m
CONFIG_INFINIBAND_ISERT=m
CONFIG_INFINIBAND_RDMAVT=m
-# CONFIG_RDMA_RXE is not set
+CONFIG_RDMA_RXE=m
CONFIG_INFINIBAND_QEDR=m
CONFIG_INFINIBAND_BNXT_RE=m
CONFIG_EDAC_ATOMIC_SCRUB=y
diff --git a/patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch b/patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch
new file mode 100644
index 0000000000..e2a83bd3d6
--- /dev/null
+++ b/patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch
@@ -0,0 +1,127 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: gro_cells: make sure device is up in gro_cells_receive()
+Patch-mainline: v5.1-rc1
+Git-commit: 2a5ff07a0eb945f291e361aa6f6becca8340ba46
+References: git-fixes
+
+We keep receiving syzbot reports [1] that show that tunnels do not play
+the rcu/IFF_UP rules properly.
+
+At device dismantle phase, gro_cells_destroy() will be called
+only after a full rcu grace period is observed after IFF_UP
+has been cleared.
+
+This means that IFF_UP needs to be tested before queueing packets
+into netif_rx() or gro_cells.
+
+This patch implements the test in gro_cells_receive() because
+too many callers do not seem to bother enough.
+
+[1]
+BUG: unable to handle kernel paging request at fffff4ca0b9ffffe
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0+ #97
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
+RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
+RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
+RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
+RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
+Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
+RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
+RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
+RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
+RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
+R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
+R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
+kobject: 'loop2' (000000004bd7d84a): kobject_uevent_env
+FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0
+Call Trace:
+kobject: 'loop2' (000000004bd7d84a): fill_kobj_path: path = '/devices/virtual/block/loop2'
+ ip_tunnel_dev_free+0x19/0x60 net/ipv4/ip_tunnel.c:1010
+ netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970
+ rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116
+ ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1124
+ vti_exit_batch_net+0x23/0x30 net/ipv4/ip_vti.c:495
+ ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
+ cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
+ process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
+ worker_thread+0x98/0xe40 kernel/workqueue.c:2319
+ kthread+0x357/0x430 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+Modules linked in:
+CR2: fffff4ca0b9ffffe
+ [ end trace 513fc9c1338d1cb3 ]
+RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
+RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
+RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
+RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
+RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
+Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
+RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
+RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
+RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
+RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
+R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
+kobject: 'loop3' (00000000e4ee57a6): kobject_uevent_env
+R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
+FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0
+
+Fixes: c9e6bc644e55 ("net: add gro_cells infrastructure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/gro_cells.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/net/core/gro_cells.c
++++ b/net/core/gro_cells.c
+@@ -12,22 +12,36 @@ int gro_cells_receive(struct gro_cells *
+ {
+ struct net_device *dev = skb->dev;
+ struct gro_cell *cell;
++ int res;
+
+- if (!gcells->cells || skb_cloned(skb) || netif_elide_gro(dev))
+- return netif_rx(skb);
++ rcu_read_lock();
++ if (unlikely(!(dev->flags & IFF_UP)))
++ goto drop;
++
++ if (!gcells->cells || skb_cloned(skb) || netif_elide_gro(dev)) {
++ res = netif_rx(skb);
++ goto unlock;
++ }
+
+ cell = this_cpu_ptr(gcells->cells);
+
+ if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
++drop:
+ atomic_long_inc(&dev->rx_dropped);
+ kfree_skb(skb);
+- return NET_RX_DROP;
++ res = NET_RX_DROP;
++ goto unlock;
+ }
+
+ __skb_queue_tail(&cell->napi_skbs, skb);
+ if (skb_queue_len(&cell->napi_skbs) == 1)
+ napi_schedule(&cell->napi);
+- return NET_RX_SUCCESS;
++
++ res = NET_RX_SUCCESS;
++
++unlock:
++ rcu_read_unlock();
++ return res;
+ }
+ EXPORT_SYMBOL(gro_cells_receive);
+
diff --git a/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch b/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
new file mode 100644
index 0000000000..56e2c40645
--- /dev/null
+++ b/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
@@ -0,0 +1,81 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: l2tp: fix infoleak in l2tp_ip6_recvmsg()
+Patch-mainline: v5.1-rc1
+Git-commit: 163d1c3d6f17556ed3c340d3789ea93be95d6c28
+References: git-fixes
+
+Back in 2013 Hannes took care of most of such leaks in commit
+bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
+
+But the bug in l2tp_ip6_recvmsg() has not been fixed.
+
+syzbot report :
+
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
+ kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
+ kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ copy_to_user include/linux/uaccess.h:174 [inline]
+ move_addr_to_user+0x311/0x570 net/socket.c:227
+ ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
+ do_recvmmsg+0x646/0x10c0 net/socket.c:2390
+ __sys_recvmmsg net/socket.c:2469 [inline]
+ __do_sys_recvmmsg net/socket.c:2492 [inline]
+ __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
+ __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x445819
+
+Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
+RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
+RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
+R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf
+
+Local variable description: ----addr@___sys_recvmsg
+Variable was created at:
+ ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
+ do_recvmmsg+0x646/0x10c0 net/socket.c:2390
+
+Bytes 0-31 of 32 are uninitialized
+Memory access of size 32 starts at ffff8880ae62fbb0
+Data copied to user address 0000000020000000
+
+Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ip6.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -680,9 +680,6 @@ static int l2tp_ip6_recvmsg(struct sock
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len)
+- *addr_len = sizeof(*lsa);
+-
+ if (flags & MSG_ERRQUEUE)
+ return ipv6_recv_error(sk, msg, len, addr_len);
+
+@@ -712,6 +709,7 @@ static int l2tp_ip6_recvmsg(struct sock
+ lsa->l2tp_conn_id = 0;
+ if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
+ lsa->l2tp_scope_id = inet6_iif(skb);
++ *addr_len = sizeof(*lsa);
+ }
+
+ if (np->rxopt.all)
diff --git a/patches.fixes/0001-mlxsw-__mlxsw_sp_port_headroom_set-Fix-a-use-of-loca.patch b/patches.fixes/0001-mlxsw-__mlxsw_sp_port_headroom_set-Fix-a-use-of-loca.patch
new file mode 100644
index 0000000000..7dec2bf154
--- /dev/null
+++ b/patches.fixes/0001-mlxsw-__mlxsw_sp_port_headroom_set-Fix-a-use-of-loca.patch
@@ -0,0 +1,54 @@
+From: Petr Machata <petrm@mellanox.com>
+Subject: mlxsw: __mlxsw_sp_port_headroom_set(): Fix a use of local variable
+Patch-mainline: v5.0-rc8
+Git-commit: 289460404f6947ef1c38e67d680be9a84161250b
+References: git-fixes
+
+The function-local variable "delay" enters the loop interpreted as delay
+in bits. However, inside the loop it gets overwritten by the result of
+mlxsw_sp_pg_buf_delay_get(), and thus leaves the loop as quantity in
+cells. Thus on second and further loop iterations, the headroom for a
+given priority is configured with a wrong size.
+
+Fix by introducing a loop-local variable, delay_cells. Rename thres to
+thres_cells for consistency.
+
+Fixes: f417f04da589 ("mlxsw: spectrum: Refactor port buffer configuration")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -867,8 +867,9 @@ int __mlxsw_sp_port_headroom_set(struct
+ for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
+ bool configure = false;
+ bool pfc = false;
++ u16 thres_cells;
++ u16 delay_cells;
+ bool lossy;
+- u16 thres;
+
+ for (j = 0; j < IEEE_8021QAZ_MAX_TCS; j++) {
+ if (prio_tc[j] == i) {
+@@ -882,10 +883,11 @@ int __mlxsw_sp_port_headroom_set(struct
+ continue;
+
+ lossy = !(pfc || pause_en);
+- thres = mlxsw_sp_pg_buf_threshold_get(mlxsw_sp, mtu);
+- delay = mlxsw_sp_pg_buf_delay_get(mlxsw_sp, mtu, delay, pfc,
+- pause_en);
+- mlxsw_sp_pg_buf_pack(pbmc_pl, i, thres + delay, thres, lossy);
++ thres_cells = mlxsw_sp_pg_buf_threshold_get(mlxsw_sp, mtu);
++ delay_cells = mlxsw_sp_pg_buf_delay_get(mlxsw_sp, mtu, delay,
++ pfc, pause_en);
++ mlxsw_sp_pg_buf_pack(pbmc_pl, i, thres_cells + delay_cells,
++ thres_cells, lossy);
+ }
+
+ return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(pbmc), pbmc_pl);
diff --git a/patches.fixes/0001-net-mlx5-fix-uaccess-beyond-count-in-debugfs-read-wr.patch b/patches.fixes/0001-net-mlx5-fix-uaccess-beyond-count-in-debugfs-read-wr.patch
new file mode 100644
index 0000000000..78cf74756d
--- /dev/null
+++ b/patches.fixes/0001-net-mlx5-fix-uaccess-beyond-count-in-debugfs-read-wr.patch
@@ -0,0 +1,143 @@
+From: Jann Horn <jannh@google.com>
+Subject: net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers
+Patch-mainline: v4.19-rc1
+Git-commit: 31e33a5b41bb158f27c30e13b12d6e5e6513ea05
+References: git-fixes
+
+In general, accessing userspace memory beyond the length of the supplied
+buffer in VFS read/write handlers can lead to both kernel memory corruption
+(via kernel_read()/kernel_write(), which can e.g. be triggered via
+sys_splice()) and privilege escalation inside userspace.
+
+In this case, the affected files are in debugfs (and should therefore only
+be accessible to root) and check that *pos is zero (which prevents the
+sys_splice() trick). Therefore, this is not a security fix, but rather a
+small cleanup.
+
+For the read handlers, fix it by using simple_read_from_buffer() instead of
+custom logic.
+For the write handler, add a check.
+
+changed in v2:
+ - also fix dbg_write()
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 28 +++++-----------------
+ drivers/net/ethernet/mellanox/mlx5/core/debugfs.c | 21 +---------------
+ 2 files changed, 9 insertions(+), 40 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1020,7 +1020,10 @@ static ssize_t dbg_write(struct file *fi
+ if (!dbg->in_msg || !dbg->out_msg)
+ return -ENOMEM;
+
+- if (copy_from_user(lbuf, buf, sizeof(lbuf)))
++ if (count < sizeof(lbuf) - 1)
++ return -EINVAL;
++
++ if (copy_from_user(lbuf, buf, sizeof(lbuf) - 1))
+ return -EFAULT;
+
+ lbuf[sizeof(lbuf) - 1] = 0;
+@@ -1224,21 +1227,12 @@ static ssize_t data_read(struct file *fi
+ {
+ struct mlx5_core_dev *dev = filp->private_data;
+ struct mlx5_cmd_debug *dbg = &dev->cmd.dbg;
+- int copy;
+-
+- if (*pos)
+- return 0;
+
+ if (!dbg->out_msg)
+ return -ENOMEM;
+
+- copy = min_t(int, count, dbg->outlen);
+- if (copy_to_user(buf, dbg->out_msg, copy))
+- return -EFAULT;
+-
+- *pos += copy;
+-
+- return copy;
++ return simple_read_from_buffer(buf, count, pos, dbg->out_msg,
++ dbg->outlen);
+ }
+
+ static const struct file_operations dfops = {
+@@ -1256,19 +1250,11 @@ static ssize_t outlen_read(struct file *
+ char outlen[8];
+ int err;
+
+- if (*pos)
+- return 0;
+-
+ err = snprintf(outlen, sizeof(outlen), "%d", dbg->outlen);
+ if (err < 0)
+ return err;
+
+- if (copy_to_user(buf, &outlen, err))
+- return -EFAULT;
+-
+- *pos += err;
+-
+- return err;
++ return simple_read_from_buffer(buf, count, pos, outlen, err);
+ }
+
+ static ssize_t outlen_write(struct file *filp, const char __user *buf,
+--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+@@ -150,22 +150,14 @@ static ssize_t average_read(struct file
+ int ret;
+ char tbuf[22];
+
+- if (*pos)
+- return 0;
+-
+ stats = filp->private_data;
+ spin_lock_irq(&stats->lock);
+ if (stats->n)
+ field = div64_u64(stats->sum, stats->n);
+ spin_unlock_irq(&stats->lock);
+ ret = snprintf(tbuf, sizeof(tbuf), "%llu\n", field);
+- if (ret > 0) {
+- if (copy_to_user(buf, tbuf, ret))
+- return -EFAULT;
+- }
+
+- *pos += ret;
+- return ret;
++ return simple_read_from_buffer(buf, count, pos, tbuf, ret);
+ }
+
+ static ssize_t average_write(struct file *filp, const char __user *buf,
+@@ -442,9 +434,6 @@ static ssize_t dbg_read(struct file *fil
+ u64 field;
+ int ret;
+
+- if (*pos)
+- return 0;
+-
+ desc = filp->private_data;
+ d = (void *)(desc - desc->i) - sizeof(*d);
+ switch (d->type) {
+@@ -470,13 +459,7 @@ static ssize_t dbg_read(struct file *fil
+ else
+ ret = snprintf(tbuf, sizeof(tbuf), "0x%llx\n", field);
+
+- if (ret > 0) {
+- if (copy_to_user(buf, tbuf, ret))
+- return -EFAULT;
+- }
+-
+- *pos += ret;
+- return ret;
++ return simple_read_from_buffer(buf, count, pos, tbuf, ret);
+ }
+
+ static const struct file_operations fops = {
diff --git a/patches.fixes/0001-net-stmmac-Fix-a-race-in-EEE-enable-callback.patch b/patches.fixes/0001-net-stmmac-Fix-a-race-in-EEE-enable-callback.patch
new file mode 100644
index 0000000000..2626fa70e2
--- /dev/null
+++ b/patches.fixes/0001-net-stmmac-Fix-a-race-in-EEE-enable-callback.patch
@@ -0,0 +1,65 @@
+From: Jose Abreu <jose.abreu@synopsys.com>
+Subject: net: stmmac: Fix a race in EEE enable callback
+Patch-mainline: v5.0-rc8
+Git-commit: 8a7493e58ad688eb23b81e45461c5d314f4402f1
+References: git-fixes
+
+We are saving the status of EEE even before we try to enable it. This
+leads to a race with XMIT function that tries to arm EEE timer before we
+set it up.
+
+Fix this by only saving the EEE parameters after all operations are
+performed with success.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Fixes: d765955d2ae0 ("stmmac: add the Energy Efficient Ethernet support")
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++++++++++---------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -670,25 +670,27 @@ static int stmmac_ethtool_op_set_eee(str
+ struct ethtool_eee *edata)
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
++ int ret;
+
+- priv->eee_enabled = edata->eee_enabled;
+-
+- if (!priv->eee_enabled)
++ if (!edata->eee_enabled) {
+ stmmac_disable_eee_mode(priv);
+- else {
++ } else {
+ /* We are asking for enabling the EEE but it is safe
+ * to verify all by invoking the eee_init function.
+ * In case of failure it will return an error.
+ */
+- priv->eee_enabled = stmmac_eee_init(priv);
+- if (!priv->eee_enabled)
++ edata->eee_enabled = stmmac_eee_init(priv);
++ if (!edata->eee_enabled)
+ return -EOPNOTSUPP;
+-
+- /* Do not change tx_lpi_timer in case of failure */
+- priv->tx_lpi_timer = edata->tx_lpi_timer;
+ }
+
+- return phy_ethtool_set_eee(dev->phydev, edata);
++ ret = phy_ethtool_set_eee(dev->phydev, edata);
++ if (ret)
++ return ret;
++
++ priv->eee_enabled = edata->eee_enabled;
++ priv->tx_lpi_timer = edata->tx_lpi_timer;
++ return 0;
+ }
+
+ static u32 stmmac_usec2riwt(u32 usec, struct stmmac_priv *priv)
diff --git a/patches.fixes/0001-net-stmmac-Use-mutex-instead-of-spinlock.patch b/patches.fixes/0001-net-stmmac-Use-mutex-instead-of-spinlock.patch
new file mode 100644
index 0000000000..4733effc10
--- /dev/null
+++ b/patches.fixes/0001-net-stmmac-Use-mutex-instead-of-spinlock.patch
@@ -0,0 +1,226 @@
+From: Thierry Reding <treding@nvidia.com>
+Subject: net: stmmac: Use mutex instead of spinlock
+Patch-mainline: v4.18-rc1
+Git-commit: 29555fa3de865630570b5f53c847b953413daf1a
+References: git-fixes
+
+Some drivers, such as DWC EQOS on Tegra, need to perform operations that
+can sleep under this lock (clk_set_rate() in tegra_eqos_fix_speed()) for
+proper operation. Since there is no need for this lock to be a spinlock,
+convert it to a mutex instead.
+
+Fixes: e6ea2d16fc61 ("net: stmmac: dwc-qos: Add Tegra186 support")
+Reported-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Tested-by: Bhadram Varka <vbhadram@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 -
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 12 +++----
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 31 ++++++++-----------
+ 3 files changed, 21 insertions(+), 24 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+@@ -96,7 +96,7 @@ struct stmmac_priv {
+ struct net_device *dev;
+ struct device *device;
+ struct mac_device_info *hw;
+- spinlock_t lock;
++ struct mutex lock;
+
+ /* RX Queue */
+ struct stmmac_rx_queue rx_queue[MTL_MAX_RX_QUEUES];
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -390,13 +390,13 @@ stmmac_ethtool_set_link_ksettings(struct
+ ADVERTISED_10baseT_Half |
+ ADVERTISED_10baseT_Full);
+
+- spin_lock(&priv->lock);
++ mutex_lock(&priv->lock);
+
+ if (priv->hw->mac->pcs_ctrl_ane)
+ priv->hw->mac->pcs_ctrl_ane(priv->ioaddr, 1,
+ priv->hw->ps, 0);
+
+- spin_unlock(&priv->lock);
++ mutex_unlock(&priv->lock);
+
+ return 0;
+ }
+@@ -610,12 +610,12 @@ static void stmmac_get_wol(struct net_de
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
+
+- spin_lock_irq(&priv->lock);
++ mutex_lock(&priv->lock);
+ if (device_can_wakeup(priv->device)) {
+ wol->supported = WAKE_MAGIC | WAKE_UCAST;
+ wol->wolopts = priv->wolopts;
+ }
+- spin_unlock_irq(&priv->lock);
++ mutex_unlock(&priv->lock);
+ }
+
+ static int stmmac_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+@@ -644,9 +644,9 @@ static int stmmac_set_wol(struct net_dev
+ disable_irq_wake(priv->wol_irq);
+ }
+
+- spin_lock_irq(&priv->lock);
++ mutex_lock(&priv->lock);
+ priv->wolopts = wol->wolopts;
+- spin_unlock_irq(&priv->lock);
++ mutex_unlock(&priv->lock);
+
+ return 0;
+ }
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -354,7 +354,6 @@ bool stmmac_eee_init(struct stmmac_priv
+ {
+ struct net_device *ndev = priv->dev;
+ int interface = priv->plat->interface;
+- unsigned long flags;
+ bool ret = false;
+
+ if ((interface != PHY_INTERFACE_MODE_MII) &&
+@@ -381,7 +380,7 @@ bool stmmac_eee_init(struct stmmac_priv
+ * changed).
+ * In that case the driver disable own timers.
+ */
+- spin_lock_irqsave(&priv->lock, flags);
++ mutex_lock(&priv->lock);
+ if (priv->eee_active) {
+ netdev_dbg(priv->dev, "disable EEE\n");
+ del_timer_sync(&priv->eee_ctrl_timer);
+@@ -389,11 +388,11 @@ bool stmmac_eee_init(struct stmmac_priv
+ tx_lpi_timer);
+ }
+ priv->eee_active = 0;
+- spin_unlock_irqrestore(&priv->lock, flags);
++ mutex_unlock(&priv->lock);
+ goto out;
+ }
+ /* Activate the EEE and start timers */
+- spin_lock_irqsave(&priv->lock, flags);
++ mutex_lock(&priv->lock);
+ if (!priv->eee_active) {
+ priv->eee_active = 1;
+ setup_timer(&priv->eee_ctrl_timer,
+@@ -410,7 +409,7 @@ bool stmmac_eee_init(struct stmmac_priv
+ priv->hw->mac->set_eee_pls(priv->hw, ndev->phydev->link);
+
+ ret = true;
+- spin_unlock_irqrestore(&priv->lock, flags);
++ mutex_unlock(&priv->lock);
+
+ netdev_dbg(priv->dev, "Energy-Efficient Ethernet initialized\n");
+ }
+@@ -789,13 +788,12 @@ static void stmmac_adjust_link(struct ne
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
+ struct phy_device *phydev = dev->phydev;
+- unsigned long flags;
+ int new_state = 0;
+
+ if (!phydev)
+ return;
+
+- spin_lock_irqsave(&priv->lock, flags);
++ mutex_lock(&priv->lock);
+
+ if (phydev->link) {
+ u32 ctrl = readl(priv->ioaddr + MAC_CTRL_REG);
+@@ -867,7 +865,7 @@ static void stmmac_adjust_link(struct ne
+ if (new_state && netif_msg_link(priv))
+ phy_print_status(phydev);
+
+- spin_unlock_irqrestore(&priv->lock, flags);
++ mutex_unlock(&priv->lock);
+
+ if (phydev->is_pseudo_fixed_link)
+ /* Stop PHY layer to call the hook to adjust the link in case
+@@ -4202,7 +4200,7 @@ int stmmac_dvr_probe(struct device *devi
+ (8 * priv->plat->rx_queues_to_use));
+ }
+
+- spin_lock_init(&priv->lock);
++ mutex_init(&priv->lock);
+
+ /* If a specific clk_csr value is passed from the platform
+ * this means that the CSR Clock Range selection cannot be
+@@ -4283,6 +4281,7 @@ int stmmac_dvr_remove(struct device *dev
+ priv->hw->pcs != STMMAC_PCS_TBI &&
+ priv->hw->pcs != STMMAC_PCS_RTBI)
+ stmmac_mdio_unregister(ndev);
++ mutex_destroy(&priv->lock);
+ free_netdev(ndev);
+
+ return 0;
+@@ -4300,7 +4299,6 @@ int stmmac_suspend(struct device *dev)
+ {
+ struct net_device *ndev = dev_get_drvdata(dev);
+ struct stmmac_priv *priv = netdev_priv(ndev);
+- unsigned long flags;
+
+ if (!ndev || !netif_running(ndev))
+ return 0;
+@@ -4308,7 +4306,7 @@ int stmmac_suspend(struct device *dev)
+ if (ndev->phydev)
+ phy_stop(ndev->phydev);
+
+- spin_lock_irqsave(&priv->lock, flags);
++ mutex_lock(&priv->lock);
+
+ netif_device_detach(ndev);
+ stmmac_stop_all_queues(priv);
+@@ -4329,7 +4327,7 @@ int stmmac_suspend(struct device *dev)
+ clk_disable(priv->plat->pclk);
+ clk_disable(priv->plat->stmmac_clk);
+ }
+- spin_unlock_irqrestore(&priv->lock, flags);
++ mutex_unlock(&priv->lock);
+
+ priv->oldlink = 0;
+ priv->speed = SPEED_UNKNOWN;
+@@ -4373,7 +4371,6 @@ int stmmac_resume(struct device *dev)
+ {
+ struct net_device *ndev = dev_get_drvdata(dev);
+ struct stmmac_priv *priv = netdev_priv(ndev);
+- unsigned long flags;
+
+ if (!netif_running(ndev))
+ return 0;
+@@ -4385,9 +4382,9 @@ int stmmac_resume(struct device *dev)
+ * from another devices (e.g. serial console).
+ */
+ if (device_may_wakeup(priv->device)) {
+- spin_lock_irqsave(&priv->lock, flags);
++ mutex_lock(&priv->lock);
+ priv->hw->mac->pmt(priv->hw, 0);
+- spin_unlock_irqrestore(&priv->lock, flags);
++ mutex_unlock(&priv->lock);
+ priv->irq_wake = 0;
+ } else {
+ pinctrl_pm_select_default_state(priv->device);
+@@ -4401,7 +4398,7 @@ int stmmac_resume(struct device *dev)
+
+ netif_device_attach(ndev);
+
+- spin_lock_irqsave(&priv->lock, flags);
++ mutex_lock(&priv->lock);
+
+ stmmac_reset_queues_param(priv);
+
+@@ -4420,7 +4417,7 @@ int stmmac_resume(struct device *dev)
+
+ stmmac_start_all_queues(priv);
+
+- spin_unlock_irqrestore(&priv->lock, flags);
++ mutex_unlock(&priv->lock);
+
+ if (ndev->phydev)
+ phy_start(ndev->phydev);
diff --git a/patches.fixes/0001-net-stmmac-fix-broken-dma_interrupt-handling-for-mul.patch b/patches.fixes/0001-net-stmmac-fix-broken-dma_interrupt-handling-for-mul.patch
new file mode 100644
index 0000000000..df765e3a5a
--- /dev/null
+++ b/patches.fixes/0001-net-stmmac-fix-broken-dma_interrupt-handling-for-mul.patch
@@ -0,0 +1,127 @@
+From: Niklas Cassel <niklas.cassel@axis.com>
+Subject: net: stmmac: fix broken dma_interrupt handling for multi-queues
+Patch-mainline: v4.16-rc1
+Git-commit: 5a6a0445d1edb28fc89fd12b49cda2d5114e2665
+References: git-fixes
+
+There is nothing that says that number of TX queues == number of RX
+queues. E.g. the ARTPEC-6 SoC has 2 TX queues and 1 RX queue.
+
+This code is obviously wrong:
+for (chan = 0; chan < tx_channel_count; chan++) {
+ struct stmmac_rx_queue *rx_q = &priv->rx_queue[chan];
+
+priv->rx_queue has size MTL_MAX_RX_QUEUES, so this will send an
+uninitialized napi_struct to __napi_schedule(), causing us to
+crash in net_rx_action(), because napi_struct->poll is zero.
+
+[12846.759880] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[12846.768014] pgd = (ptrval)
+[12846.770742] [00000000] *pgd=39ec7831, *pte=00000000, *ppte=00000000
+[12846.777023] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
+[12846.782942] Modules linked in:
+[12846.785998] CPU: 0 PID: 161 Comm: dropbear Not tainted 4.15.0-rc2-00285-gf5fb5f2f39a7 #36
+[12846.794177] Hardware name: Axis ARTPEC-6 Platform
+[12846.798879] task: (ptrval) task.stack: (ptrval)
+[12846.803407] PC is at 0x0
+[12846.805942] LR is at net_rx_action+0x274/0x43c
+[12846.810383] pc : [<00000000>] lr : [<80bff064>] psr: 200e0113
+[12846.816648] sp : b90d9ae8 ip : b90d9ae8 fp : b90d9b44
+[12846.821871] r10: 00000008 r9 : 0013250e r8 : 00000100
+[12846.827094] r7 : 0000012c r6 : 00000000 r5 : 00000001 r4 : bac84900
+[12846.833619] r3 : 00000000 r2 : b90d9b08 r1 : 00000000 r0 : bac84900
+
+Since each DMA channel can be used for rx and tx simultaneously,
+the current code should probably be rewritten so that napi_struct is
+embedded in a new struct stmmac_channel.
+That way, stmmac_poll() can call stmmac_tx_clean() on just the tx queue
+where we got the IRQ, instead of looping through all tx queues.
+This is also how the xgbe driver does it (another driver for this IP).
+
+Fixes: c22a3f48ef99 ("net: stmmac: adding multiple napi mechanism")
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 54 ++++++++++++++++++----
+ 1 file changed, 46 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1987,22 +1987,60 @@ static void stmmac_set_dma_operation_mod
+ static void stmmac_dma_interrupt(struct stmmac_priv *priv)
+ {
+ u32 tx_channel_count = priv->plat->tx_queues_to_use;
+- int status;
++ u32 rx_channel_count = priv->plat->rx_queues_to_use;
++ u32 channels_to_check = tx_channel_count > rx_channel_count ?
++ tx_channel_count : rx_channel_count;
+ u32 chan;
++ bool poll_scheduled = false;
++ int status[channels_to_check];
+
+- for (chan = 0; chan < tx_channel_count; chan++) {
+- struct stmmac_rx_queue *rx_q = &priv->rx_queue[chan];
++ /* Each DMA channel can be used for rx and tx simultaneously, yet
++ * napi_struct is embedded in struct stmmac_rx_queue rather than in a
++ * stmmac_channel struct.
++ * Because of this, stmmac_poll currently checks (and possibly wakes)
++ * all tx queues rather than just a single tx queue.
++ */
++ for (chan = 0; chan < channels_to_check; chan++)
++ status[chan] = priv->hw->dma->dma_interrupt(priv->ioaddr,
++ &priv->xstats,
++ chan);
++
++ for (chan = 0; chan < rx_channel_count; chan++) {
++ if (likely(status[chan] & handle_rx)) {
++ struct stmmac_rx_queue *rx_q = &priv->rx_queue[chan];
+
+- status = priv->hw->dma->dma_interrupt(priv->ioaddr,
+- &priv->xstats, chan);
+- if (likely((status & handle_rx)) || (status & handle_tx)) {
+ if (likely(napi_schedule_prep(&rx_q->napi))) {
+ stmmac_disable_dma_irq(priv, chan);
+ __napi_schedule(&rx_q->napi);
++ poll_scheduled = true;
+ }
+ }
++ }
+
+- if (unlikely(status & tx_hard_error_bump_tc)) {
++ /* If we scheduled poll, we already know that tx queues will be checked.
++ * If we didn't schedule poll, see if any DMA channel (used by tx) has a
++ * completed transmission, if so, call stmmac_poll (once).
++ */
++ if (!poll_scheduled) {
++ for (chan = 0; chan < tx_channel_count; chan++) {
++ if (status[chan] & handle_tx) {
++ /* It doesn't matter what rx queue we choose
++ * here. We use 0 since it always exists.
++ */
++ struct stmmac_rx_queue *rx_q =
++ &priv->rx_queue[0];
++
++ if (likely(napi_schedule_prep(&rx_q->napi))) {
++ stmmac_disable_dma_irq(priv, chan);
++ __napi_schedule(&rx_q->napi);
++ }
++ break;
++ }
++ }
++ }
++
++ for (chan = 0; chan < tx_channel_count; chan++) {
++ if (unlikely(status[chan] & tx_hard_error_bump_tc)) {
+ /* Try to bump up the dma threshold on this failure */
+ if (unlikely(priv->xstats.threshold != SF_DMA_MODE) &&
+ (tc <= 256)) {
+@@ -2019,7 +2057,7 @@ static void stmmac_dma_interrupt(struct
+ chan);
+ priv->xstats.threshold = tc;
+ }
+- } else if (unlikely(status == tx_hard_error)) {
++ } else if (unlikely(status[chan] == tx_hard_error)) {
+ stmmac_tx_err(priv, chan);
+ }
+ }
diff --git a/patches.fixes/0001-net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch b/patches.fixes/0001-net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch
new file mode 100644
index 0000000000..5f4da7f27d
--- /dev/null
+++ b/patches.fixes/0001-net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch
@@ -0,0 +1,42 @@
+From: Alexandre Torgue <alexandre.torgue@st.com>
+Subject: net: stmmac: handle endianness in dwmac4_get_timestamp
+Patch-mainline: v5.0-rc8
+Git-commit: 4012e7d09d99b62d80046790657c0b0e32310d50
+References: git-fixes
+
+GMAC IP is little-endian and used on several kind of CPU (big or little
+endian). Main callbacks functions of the stmmac drivers take care about
+it. It was not the case for dwmac4_get_timestamp function.
+
+Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4")
+Signed-off-by: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+@@ -238,15 +238,18 @@ static inline u64 dwmac4_get_timestamp(v
+ static int dwmac4_rx_check_timestamp(void *desc)
+ {
+ struct dma_desc *p = (struct dma_desc *)desc;
++ unsigned int rdes0 = le32_to_cpu(p->des0);
++ unsigned int rdes1 = le32_to_cpu(p->des1);
++ unsigned int rdes3 = le32_to_cpu(p->des3);
+ u32 own, ctxt;
+ int ret = 1;
+
+- own = p->des3 & RDES3_OWN;
+- ctxt = ((p->des3 & RDES3_CONTEXT_DESCRIPTOR)
++ own = rdes3 & RDES3_OWN;
++ ctxt = ((rdes3 & RDES3_CONTEXT_DESCRIPTOR)
+ >> RDES3_CONTEXT_DESCRIPTOR_SHIFT);
+
+ if (likely(!own && ctxt)) {
+- if ((p->des0 == 0xffffffff) && (p->des1 == 0xffffffff))
++ if ((rdes0 == 0xffffffff) && (rdes1 == 0xffffffff))
+ /* Corrupted value */
+ ret = -EINVAL;
+ else
diff --git a/patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch b/patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
new file mode 100644
index 0000000000..0d1d3fb08f
--- /dev/null
+++ b/patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
@@ -0,0 +1,76 @@
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Subject: net: thunderx: fix NULL pointer dereference in nic_remove
+Patch-mainline: v4.20-rc5
+Git-commit: 24a6d2dd263bc910de018c78d1148b3e33b94512
+References: git-fixes
+
+Fix a possible NULL pointer dereference in nic_remove routine
+removing the nicpf module if nic_probe fails.
+The issue can be triggered with the following reproducer:
+
+$rmmod nicvf
+$rmmod nicpf
+
+[ 521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014
+[ 521.422777] Mem abort info:
+[ 521.425561] ESR = 0x96000004
+[ 521.428624] Exception class = DABT (current EL), IL = 32 bits
+[ 521.434535] SET = 0, FnV = 0
+[ 521.437579] EA = 0, S1PTW = 0
+[ 521.440730] Data abort info:
+[ 521.443603] ISV = 0, ISS = 0x00000004
+[ 521.447431] CM = 0, WnR = 0
+[ 521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42
+[ 521.457022] [0000000000000014] pgd=0000000000000000
+[ 521.461916] Internal error: Oops: 96000004 [#1] SMP
+[ 521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
+[ 521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO)
+[ 521.523451] pc : nic_remove+0x24/0x88 [nicpf]
+[ 521.527808] lr : pci_device_remove+0x48/0xd8
+[ 521.532066] sp : ffff000013433cc0
+[ 521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000
+[ 521.540672] x27: 0000000000000000 x26: 0000000000000000
+[ 521.545974] x25: 0000000056000000 x24: 0000000000000015
+[ 521.551274] x23: ffff8007ff89a110 x22: ffff000001667070
+[ 521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000
+[ 521.561877] x19: 0000000000000000 x18: 0000000000000025
+[ 521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000
+[ 521.593683] x7 : 0000000000000000 x6 : 0000000000000001
+[ 521.598983] x5 : 0000000000000002 x4 : 0000000000000003
+[ 521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184
+[ 521.609585] x1 : ffff000001662118 x0 : ffff000008557be0
+[ 521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3)
+[ 521.621490] Call trace:
+[ 521.623928] nic_remove+0x24/0x88 [nicpf]
+[ 521.627927] pci_device_remove+0x48/0xd8
+[ 521.631847] device_release_driver_internal+0x1b0/0x248
+[ 521.637062] driver_detach+0x50/0xc0
+[ 521.640628] bus_remove_driver+0x60/0x100
+[ 521.644627] driver_unregister+0x34/0x60
+[ 521.648538] pci_unregister_driver+0x24/0xd8
+[ 521.652798] nic_cleanup_module+0x14/0x111c [nicpf]
+[ 521.657672] __arm64_sys_delete_module+0x150/0x218
+[ 521.662460] el0_svc_handler+0x94/0x110
+[ 521.666287] el0_svc+0x8/0xc
+[ 521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660)
+
+Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
+@@ -1441,6 +1441,9 @@ static void nic_remove(struct pci_dev *p
+ {
+ struct nicpf *nic = pci_get_drvdata(pdev);
+
++ if (!nic)
++ return;
++
+ if (nic->flags & NIC_SRIOV_ENABLED)
+ pci_disable_sriov(pdev);
+
diff --git a/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch b/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
new file mode 100644
index 0000000000..38aeab73a5
--- /dev/null
+++ b/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
@@ -0,0 +1,63 @@
+From: Guillaume Nault <gnault@redhat.com>
+Subject: tcp: handle inet_csk_reqsk_queue_add() failures
+Patch-mainline: v5.1-rc1
+Git-commit: 9d3e1368bb45893a75a5dfb7cd21fdebfa6b47af
+References: git-fixes
+
+Commit 7716682cc58e ("tcp/dccp: fix another race at listener
+dismantle") let inet_csk_reqsk_queue_add() fail, and adjusted
+{tcp,dccp}_check_req() accordingly. However, TFO and syncookies
+weren't modified, thus leaking allocated resources on error.
+
+Contrary to tcp_check_req(), in both syncookies and TFO cases,
+we need to drop the request socket. Also, since the child socket is
+created with inet_csk_clone_lock(), we have to unlock it and drop an
+extra reference (->sk_refcount is initially set to 2 and
+inet_csk_reqsk_queue_add() drops only one ref).
+
+For TFO, we also need to revert the work done by tcp_try_fastopen()
+(with reqsk_fastopen_remove()).
+
+Fixes: 7716682cc58e ("tcp/dccp: fix another race at listener dismantle")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/syncookies.c | 7 ++++++-
+ net/ipv4/tcp_input.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -216,7 +216,12 @@ struct sock *tcp_get_cookie_sock(struct
+ atomic_set(&req->rsk_refcnt, 1);
+ tcp_sk(child)->tsoffset = tsoff;
+ sock_rps_save_rxhash(child, skb);
+- inet_csk_reqsk_queue_add(sk, req, child);
++ if (!inet_csk_reqsk_queue_add(sk, req, child)) {
++ bh_unlock_sock(child);
++ sock_put(child);
++ child = NULL;
++ reqsk_put(req);
++ }
+ } else {
+ reqsk_free(req);
+ }
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -6373,7 +6373,13 @@ int tcp_conn_request(struct request_sock
+ af_ops->send_synack(fastopen_sk, dst, &fl, req,
+ &foc, TCP_SYNACK_FASTOPEN);
+ /* Add the child socket directly into the accept queue */
+- inet_csk_reqsk_queue_add(sk, req, fastopen_sk);
++ if (!inet_csk_reqsk_queue_add(sk, req, fastopen_sk)) {
++ reqsk_fastopen_remove(fastopen_sk, req, false);
++ bh_unlock_sock(fastopen_sk);
++ sock_put(fastopen_sk);
++ reqsk_put(req);
++ goto drop;
++ }
+ sk->sk_data_ready(sk);
+ bh_unlock_sock(fastopen_sk);
+ sock_put(fastopen_sk);
diff --git a/series.conf b/series.conf
index 5d60a377df..c8640bc5c0 100644
--- a/series.conf
+++ b/series.conf
@@ -12248,6 +12248,7 @@
patches.drivers/bnxt_en-Uninitialized-variable-in-bnxt_tc_parse_acti.patch
patches.drivers/bnxt_en-Don-t-print-Link-speed-1-no-longer-supported.patch
patches.drivers/virtio_net-Disable-interrupts-if-napi_complete_done-
+ patches.fixes/0001-net-stmmac-fix-broken-dma_interrupt-handling-for-mul.patch
patches.fixes/veth-set-peer-GSO-values.patch
patches.drivers/cxgb4-collect-on-chip-memory-information.patch
patches.drivers/cxgb4-collect-MC-memory-dump.patch
@@ -16754,6 +16755,7 @@
patches.drivers/qede-Support-flow-classification-to-the-VFs.patch
patches.drivers/qed-Support-drop-action-classification.patch
patches.drivers/bnx2x-Collect-the-device-debug-information-during-Tx.patch
+ patches.fixes/0001-net-stmmac-Use-mutex-instead-of-spinlock.patch
patches.drivers/qmi_wwan-apply-SET_DTR-quirk-to-the-SIMCOM-shared-de.patch
patches.drivers/net-hns3-Updates-RX-packet-info-fetch-in-case-of-mul.patch
patches.drivers/net-hns3-Add-support-for-tx_accept_tag2-and-tx_accep.patch
@@ -18172,6 +18174,7 @@
patches.drivers/net-hns3-Standardize-the-handle-of-return-value.patch
patches.fixes/xen-netfront-fix-queue-name-setting.patch
patches.fixes/wan-fsl_ucc_hdlc-use-IS_ERR_VALUE-to-check-return-va.patch
+ patches.fixes/0001-net-mlx5-fix-uaccess-beyond-count-in-debugfs-read-wr.patch
patches.drivers/brcmsmac-fix-wrap-around-in-conversion-from-constant
patches.drivers/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_a
patches.drivers/libertas-fix-suspend-and-resume-for-SDIO-connected-c
@@ -19916,6 +19919,7 @@
patches.suse/0003-Btrfs-send-fix-infinite-loop-due-to-directory-rename.patch
patches.fixes/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch
patches.suse/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-.patch
+ patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch
patches.arch/s390-sles15-17-03-s390-qeth-fix-length-check-in-SNMP-processing.patch
patches.fixes/ixgbe-recognize-1000BaseLX-SFP-modules-as-1Gbps.patch
@@ -20825,7 +20829,10 @@
patches.fixes/mailbox-bcm-flexrm-mailbox-Fix-FlexRM-ring-flush-tim.patch
patches.fixes/mac80211-Free-mpath-object-when-rhashtable-insertion.patch
patches.fixes/mac80211-Restore-vif-beacon-interval-if-start-ap-fai.patch
+ patches.fixes/0001-mlxsw-__mlxsw_sp_port_headroom_set-Fix-a-use-of-loca.patch
+ patches.fixes/0001-net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch
patches.fixes/net-crypto-set-sk-to-NULL-when-af_alg_release.patch
+ patches.fixes/0001-net-stmmac-Fix-a-race-in-EEE-enable-callback.patch
patches.fixes/vhost-correctly-check-the-return-value-of-translate_.patch
patches.fixes/sky2-Increase-D3-delay-again.patch
patches.fixes/KEYS-allow-reaching-the-keys-quotas-exactly.patch
@@ -21008,8 +21015,10 @@
patches.fixes/tipc-fix-RDM-DGRAM-connect-regression.patch
patches.drivers/enic-fix-build-warning-without-CONFIG_CPUMASK_OFFSTA.patch
patches.fixes/0001-vxlan-Fix-GRO-cells-race-condition-between-receive-a.patch
+ patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
patches.fixes/bpf-fix-replace_map_fd_with_map_ptr-s-ldimm64-second.patch
patches.fixes/0001-vxlan-test-dev-flags-IFF_UP-before-calling-gro_cells.patch
+ patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch
patches.drivers/input-raspberrypi-ts-select-config_input_polldev.patch
patches.drivers/Input-elan_i2c-add-id-for-touchpad-found-in-Lenovo-s.patch
patches.drivers/Input-wacom_serial4-add-support-for-Wacom-ArtPad-II-.patch
@@ -21062,6 +21071,7 @@
patches.fixes/0001-net-mlx4_core-Fix-reset-flow-when-in-command-polling.patch
patches.fixes/0001-net-mlx4_core-Fix-locking-in-SRIOV-mode-when-switchi.patch
patches.fixes/0001-net-mlx4_core-Fix-qp-mtt-size-calculation.patch
+ patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
patches.fixes/0001-pptp-dst_release-sk_dst_cache-in-pptp_sock_destruct.patch
patches.fixes/ACPI-device_sysfs-Avoid-OF-modalias-creation-for-rem.patch
patches.drm/0001-drm-etnaviv-NULL-vs-IS_ERR-buf-in-etnaviv_core_dump.patch