Add commits cc'd to stable, up to 5.5

...plus their obvious dependencies, and some follow-up fixes.
diff --git a/queue-3.16/6pack-mkiss-fix-possible-deadlock.patch b/queue-3.16/6pack-mkiss-fix-possible-deadlock.patch
new file mode 100644
index 0000000..dd2d68d
--- /dev/null
+++ b/queue-3.16/6pack-mkiss-fix-possible-deadlock.patch
@@ -0,0 +1,174 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 12 Dec 2019 10:32:13 -0800
+Subject: 6pack,mkiss: fix possible deadlock
+
+commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d upstream.
+
+We got another syzbot report [1] that tells us we must use
+write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
+
+[1]
+
+WARNING: inconsistent lock state
+5.5.0-rc1-syzkaller #0 Not tainted
+--------------------------------
+inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
+syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
+ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+{HARDIRQ-ON-W} state was registered at:
+  lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+  __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
+  _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
+  sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
+  tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
+  tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
+  tiocsetd drivers/tty/tty_io.c:2337 [inline]
+  tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
+  vfs_ioctl fs/ioctl.c:47 [inline]
+  file_ioctl fs/ioctl.c:545 [inline]
+  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
+  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
+  __do_sys_ioctl fs/ioctl.c:756 [inline]
+  __se_sys_ioctl fs/ioctl.c:754 [inline]
+  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
+  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 3946
+hardirqs last  enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
+hardirqs last  enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
+hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
+softirqs last  enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
+softirqs last  enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(disc_data_lock);
+  <Interrupt>
+    lock(disc_data_lock);
+
+ *** DEADLOCK ***
+
+5 locks held by syz-executor826/9605:
+ #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
+ #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
+ #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
+
+stack backtrace:
+CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
+ valid_state kernel/locking/lockdep.c:3112 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
+ mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
+ mark_usage kernel/locking/lockdep.c:3554 [inline]
+ __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
+ _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
+ sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+ sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
+ tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
+ tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
+ tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
+ uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
+ serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
+ serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
+ serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
+ serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
+ serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
+ __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
+ handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
+ handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
+ handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
+ generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
+ do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
+ </IRQ>
+RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
+RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
+Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
+RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
+RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
+RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
+R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
+R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
+ mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
+ __mutex_lock_common kernel/locking/mutex.c:962 [inline]
+ __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
+ tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x8e7/0x2ef0 kernel/exit.c:797
+ do_group_exit+0x135/0x360 kernel/exit.c:895
+ __do_sys_exit_group kernel/exit.c:906 [inline]
+ __se_sys_exit_group kernel/exit.c:904 [inline]
+ __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x43fef8
+Code: Bad RIP value.
+RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -685,10 +685,10 @@ static void sixpack_close(struct tty_str
+ {
+ 	struct sixpack *sp;
+ 
+-	write_lock_bh(&disc_data_lock);
++	write_lock_irq(&disc_data_lock);
+ 	sp = tty->disc_data;
+ 	tty->disc_data = NULL;
+-	write_unlock_bh(&disc_data_lock);
++	write_unlock_irq(&disc_data_lock);
+ 	if (!sp)
+ 		return;
+ 
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -811,10 +811,10 @@ static void mkiss_close(struct tty_struc
+ {
+ 	struct mkiss *ax;
+ 
+-	write_lock_bh(&disc_data_lock);
++	write_lock_irq(&disc_data_lock);
+ 	ax = tty->disc_data;
+ 	tty->disc_data = NULL;
+-	write_unlock_bh(&disc_data_lock);
++	write_unlock_irq(&disc_data_lock);
+ 
+ 	if (!ax)
+ 		return;
diff --git a/queue-3.16/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/queue-3.16/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
new file mode 100644
index 0000000..0acf475
--- /dev/null
+++ b/queue-3.16/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
@@ -0,0 +1,49 @@
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 4 Dec 2019 02:54:27 +0100
+Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices
+
+commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream.
+
+Certain ACPI-enumerated devices represented as platform devices in
+Linux, like fans, require special low-level power management handling
+implemented by their drivers that is not in agreement with the ACPI
+PM domain behavior.  That leads to problems with managing ACPI fans
+during system-wide suspend and resume.
+
+For this reason, make acpi_dev_pm_attach() skip the affected devices
+by adding a list of device IDs to avoid to it and putting the IDs of
+the affected devices into that list.
+
+Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems)
+Reported-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/acpi/device_pm.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -1041,9 +1041,19 @@ static struct dev_pm_domain acpi_general
+  */
+ int acpi_dev_pm_attach(struct device *dev, bool power_on)
+ {
++	/*
++	 * Skip devices whose ACPI companions match the device IDs below,
++	 * because they require special power management handling incompatible
++	 * with the generic ACPI PM domain.
++	 */
++	static const struct acpi_device_id special_pm_ids[] = {
++		{"PNP0C0B", }, /* Generic ACPI fan */
++		{"INT3404", }, /* Fan */
++		{}
++	};
+ 	struct acpi_device *adev = ACPI_COMPANION(dev);
+ 
+-	if (!adev)
++	if (!adev || !acpi_match_device_ids(adev, special_pm_ids))
+ 		return -ENODEV;
+ 
+ 	if (dev->pm_domain)
diff --git a/queue-3.16/af_packet-set-defaule-value-for-tmo.patch b/queue-3.16/af_packet-set-defaule-value-for-tmo.patch
new file mode 100644
index 0000000..334dc10
--- /dev/null
+++ b/queue-3.16/af_packet-set-defaule-value-for-tmo.patch
@@ -0,0 +1,51 @@
+From: Mao Wenan <maowenan@huawei.com>
+Date: Mon, 9 Dec 2019 21:31:25 +0800
+Subject: af_packet: set defaule value for tmo
+
+commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe upstream.
+
+There is softlockup when using TPACKET_V3:
+...
+NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms!
+(__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54)
+(_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c)
+(mod_timer) from [<c0549c30>]
+(prb_retire_rx_blk_timer_expired+0x68/0x11c)
+(prb_retire_rx_blk_timer_expired) from [<c027a7ac>]
+(call_timer_fn+0x90/0x17c)
+(call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc)
+(run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318)
+(__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac)
+(irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4)
+(msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4)
+(handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118)
+(gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c)
+...
+
+If __ethtool_get_link_ksettings() is failed in
+prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies
+is zero and the timer expire for retire_blk_timer is turn to
+mod_timer(&pkc->retire_blk_timer, jiffies + 0),
+which will trigger cpu usage of softirq is 100%.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Tested-by: Xiao Jiangfeng <xiaojiangfeng@huawei.com>
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/packet/af_packet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -608,7 +608,8 @@ static int prb_calc_retire_blk_tmo(struc
+ 			msec = 1;
+ 			div = speed / 1000;
+ 		}
+-	}
++	} else
++		return DEFAULT_PRB_RETIRE_TOV;
+ 
+ 	mbits = (blk_size_in_bytes * 8) / (1024 * 1024);
+ 
diff --git a/queue-3.16/alsa-hda-ca0132-avoid-endless-loop.patch b/queue-3.16/alsa-hda-ca0132-avoid-endless-loop.patch
new file mode 100644
index 0000000..f3fbded
--- /dev/null
+++ b/queue-3.16/alsa-hda-ca0132-avoid-endless-loop.patch
@@ -0,0 +1,37 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 13 Dec 2019 09:51:10 +0100
+Subject: ALSA: hda/ca0132 - Avoid endless loop
+
+commit cb04fc3b6b076f67d228a0b7d096c69ad486c09c upstream.
+
+Introduce a timeout to dspio_clear_response_queue() so that it won't
+be caught in an endless loop even if the hardware doesn't respond
+properly.
+
+Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection")
+Link: https://lore.kernel.org/r/20191213085111.22855-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/pci/hda/patch_ca0132.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1271,13 +1271,14 @@ struct scp_msg {
+ 
+ static void dspio_clear_response_queue(struct hda_codec *codec)
+ {
++	unsigned long timeout = jiffies + msecs_to_jiffies(1000);
+ 	unsigned int dummy = 0;
+-	int status = -1;
++	int status;
+ 
+ 	/* clear all from the response queue */
+ 	do {
+ 		status = dspio_read(codec, &dummy);
+-	} while (status == 0);
++	} while (status == 0 && time_before(jiffies, timeout));
+ }
+ 
+ static int dspio_get_response_data(struct hda_codec *codec)
diff --git a/queue-3.16/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch b/queue-3.16/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
new file mode 100644
index 0000000..4be48aa
--- /dev/null
+++ b/queue-3.16/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
@@ -0,0 +1,59 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 18 Dec 2019 20:26:06 +0100
+Subject: ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code
+
+commit 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd upstream.
+
+Jia-Ju Bai reported a possible sleep-in-atomic scenario in the ice1724
+driver with Infrasonic Quartet support code: namely, ice->set_rate
+callback gets called inside ice->reg_lock spinlock, while the callback
+in quartet.c holds ice->gpio_mutex.
+
+This patch fixes the invalid call: it simply moves the calls of
+ice->set_rate and ice->set_mclk callbacks outside the spinlock.
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/5d43135e-73b9-a46a-2155-9e91d0dcdf83@gmail.com
+Link: https://lore.kernel.org/r/20191218192606.12866-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/pci/ice1712/ice1724.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/ice1712/ice1724.c
++++ b/sound/pci/ice1712/ice1724.c
+@@ -663,6 +663,7 @@ static int snd_vt1724_set_pro_rate(struc
+ 	unsigned long flags;
+ 	unsigned char mclk_change;
+ 	unsigned int i, old_rate;
++	bool call_set_rate = false;
+ 
+ 	if (rate > ice->hw_rates->list[ice->hw_rates->count - 1])
+ 		return -EINVAL;
+@@ -686,7 +687,7 @@ static int snd_vt1724_set_pro_rate(struc
+ 		 * setting clock rate for internal clock mode */
+ 		old_rate = ice->get_rate(ice);
+ 		if (force || (old_rate != rate))
+-			ice->set_rate(ice, rate);
++			call_set_rate = true;
+ 		else if (rate == ice->cur_rate) {
+ 			spin_unlock_irqrestore(&ice->reg_lock, flags);
+ 			return 0;
+@@ -694,12 +695,14 @@ static int snd_vt1724_set_pro_rate(struc
+ 	}
+ 
+ 	ice->cur_rate = rate;
++	spin_unlock_irqrestore(&ice->reg_lock, flags);
++
++	if (call_set_rate)
++		ice->set_rate(ice, rate);
+ 
+ 	/* setting master clock */
+ 	mclk_change = ice->set_mclk(ice, rate);
+ 
+-	spin_unlock_irqrestore(&ice->reg_lock, flags);
+-
+ 	if (mclk_change && ice->gpio.i2s_mclk_changed)
+ 		ice->gpio.i2s_mclk_changed(ice);
+ 	if (ice->gpio.set_pro_rate)
diff --git a/queue-3.16/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch b/queue-3.16/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch
new file mode 100644
index 0000000..5d19c99
--- /dev/null
+++ b/queue-3.16/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch
@@ -0,0 +1,39 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 11 Dec 2019 16:57:42 +0100
+Subject: ALSA: pcm: Avoid possible info leaks from PCM stream buffers
+
+commit add9d56d7b3781532208afbff5509d7382fb6efe upstream.
+
+The current PCM code doesn't initialize explicitly the buffers
+allocated for PCM streams, hence it might leak some uninitialized
+kernel data or previous stream contents by mmapping or reading the
+buffer before actually starting the stream.
+
+Since this is a common problem, this patch simply adds the clearance
+of the buffer data at hw_params callback.  Although this does only
+zero-clear no matter which format is used, which doesn't mean the
+silence for some formats, but it should be OK because the intention is
+just to clear the previous data on the buffer.
+
+Reported-by: Lionel Koenig <lionel.koenig@gmail.com>
+Link: https://lore.kernel.org/r/20191211155742.3213-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/pcm_native.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -459,6 +459,10 @@ static int snd_pcm_hw_params(struct snd_
+ 	while (runtime->boundary * 2 <= LONG_MAX - runtime->buffer_size)
+ 		runtime->boundary *= 2;
+ 
++	/* clear the buffer for avoiding possible kernel info leaks */
++	if (runtime->dma_area)
++		memset(runtime->dma_area, 0, runtime->dma_bytes);
++
+ 	snd_pcm_timer_resolution_change(substream);
+ 	snd_pcm_set_state(substream, SNDRV_PCM_STATE_SETUP);
+ 
diff --git a/queue-3.16/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch b/queue-3.16/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
new file mode 100644
index 0000000..6c74252
--- /dev/null
+++ b/queue-3.16/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
@@ -0,0 +1,49 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 15 Jan 2020 21:37:33 +0100
+Subject: ALSA: seq: Fix racy access for queue timer in proc read
+
+commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.
+
+snd_seq_info_timer_read() reads the information of the timer assigned
+for each queue, but it's done in a racy way which may lead to UAF as
+spotted by syzkaller.
+
+This patch applies the missing q->timer_mutex lock while accessing the
+timer object as well as a slight code change to adapt the standard
+coding style.
+
+Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/seq/seq_timer.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -484,15 +484,19 @@ void snd_seq_info_timer_read(struct snd_
+ 		q = queueptr(idx);
+ 		if (q == NULL)
+ 			continue;
+-		if ((tmr = q->timer) == NULL ||
+-		    (ti = tmr->timeri) == NULL) {
+-			queuefree(q);
+-			continue;
+-		}
++		mutex_lock(&q->timer_mutex);
++		tmr = q->timer;
++		if (!tmr)
++			goto unlock;
++		ti = tmr->timeri;
++		if (!ti)
++			goto unlock;
+ 		snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
+ 		resolution = snd_timer_resolution(ti) * tmr->ticks;
+ 		snd_iprintf(buffer, "  Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
+ 		snd_iprintf(buffer, "  Skew : %u / %u\n", tmr->skew, tmr->skew_base);
++unlock:
++		mutex_unlock(&q->timer_mutex);
+ 		queuefree(q);
+  	}
+ }
diff --git a/queue-3.16/alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch b/queue-3.16/alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch
new file mode 100644
index 0000000..0829c50
--- /dev/null
+++ b/queue-3.16/alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch
@@ -0,0 +1,44 @@
+From: Alberto Aguirre <albaguirre@gmail.com>
+Date: Thu, 8 Dec 2016 00:36:48 -0600
+Subject: ALSA: usb-audio: add implicit fb quirk for Axe-Fx II
+
+commit 17f08b0d9aafccdb10038ab6dbd9ddb6433c13e2 upstream.
+
+The Axe-Fx II implicit feedback end point and the data sync endpoint
+are in different interface descriptors. Add quirk to ensure a sync
+endpoint is properly configured.
+
+Signed-off-by: Alberto Aguirre <albaguirre@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/usb/pcm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -351,6 +351,15 @@ static int set_sync_ep_implicit_fb_quirk
+ 
+ 		alts = &iface->altsetting[1];
+ 		goto add_sync_ep;
++	case USB_ID(0x2466, 0x8003):
++		ep = 0x86;
++		iface = usb_ifnum_to_if(dev, 2);
++
++		if (!iface || iface->num_altsetting == 0)
++			return -EINVAL;
++
++		alts = &iface->altsetting[1];
++		goto add_sync_ep;
+ 	case USB_ID(0x1397, 0x0002):
+ 		ep = 0x81;
+ 		iface = usb_ifnum_to_if(dev, 1);
+@@ -360,6 +369,7 @@ static int set_sync_ep_implicit_fb_quirk
+ 
+ 		alts = &iface->altsetting[1];
+ 		goto add_sync_ep;
++
+ 	}
+ 	if (attr == USB_ENDPOINT_SYNC_ASYNC &&
+ 	    altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC &&
diff --git a/queue-3.16/alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch b/queue-3.16/alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
new file mode 100644
index 0000000..c501961
--- /dev/null
+++ b/queue-3.16/alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
@@ -0,0 +1,37 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Jan 2020 09:39:53 +0100
+Subject: ALSA: usb-audio: fix sync-ep altsetting sanity check
+
+commit 5d1b71226dc4d44b4b65766fa9d74492f9d4587b upstream.
+
+The altsetting sanity check in set_sync_ep_implicit_fb_quirk() was
+checking for there to be at least one altsetting but then went on to
+access the second one, which may not exist.
+
+This could lead to random slab data being used to initialise the sync
+endpoint in snd_usb_add_endpoint().
+
+Fixes: c75a8a7ae565 ("ALSA: snd-usb: add support for implicit feedback")
+Fixes: ca10a7ebdff1 ("ALSA: usb-audio: FT C400 sync playback EP to capture EP")
+Fixes: 5e35dc0338d8 ("ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204")
+Fixes: 17f08b0d9aaf ("ALSA: usb-audio: add implicit fb quirk for Axe-Fx II")
+Fixes: 103e9625647a ("ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20200114083953.1106-1-johan@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/usb/pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -368,7 +368,7 @@ static int set_sync_ep_implicit_fb_quirk
+ add_sync_ep_from_ifnum:
+ 	iface = usb_ifnum_to_if(dev, ifnum);
+ 
+-	if (!iface || iface->num_altsetting == 0)
++	if (!iface || iface->num_altsetting < 2)
+ 		return -EINVAL;
+ 
+ 	alts = &iface->altsetting[1];
diff --git a/queue-3.16/alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch b/queue-3.16/alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch
new file mode 100644
index 0000000..c68b1c1
--- /dev/null
+++ b/queue-3.16/alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch
@@ -0,0 +1,94 @@
+From: Alberto Aguirre <albaguirre@gmail.com>
+Date: Wed, 18 Apr 2018 09:35:34 -0500
+Subject: ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk
+
+commit 103e9625647ad74d201e26fb74afcd8479142a37 upstream.
+
+Signed-off-by: Alberto Aguirre <albaguirre@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/usb/pcm.c | 52 +++++++++++++++++++------------------------------
+ 1 file changed, 20 insertions(+), 32 deletions(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -324,6 +324,7 @@ static int set_sync_ep_implicit_fb_quirk
+ 	struct usb_host_interface *alts;
+ 	struct usb_interface *iface;
+ 	unsigned int ep;
++	unsigned int ifnum;
+ 
+ 	/* Implicit feedback sync EPs consumers are always playback EPs */
+ 	if (subs->direction != SNDRV_PCM_STREAM_PLAYBACK)
+@@ -333,44 +334,23 @@ static int set_sync_ep_implicit_fb_quirk
+ 	case USB_ID(0x0763, 0x2030): /* M-Audio Fast Track C400 */
+ 	case USB_ID(0x0763, 0x2031): /* M-Audio Fast Track C600 */
+ 		ep = 0x81;
+-		iface = usb_ifnum_to_if(dev, 3);
+-
+-		if (!iface || iface->num_altsetting == 0)
+-			return -EINVAL;
+-
+-		alts = &iface->altsetting[1];
+-		goto add_sync_ep;
+-		break;
++		ifnum = 3;
++		goto add_sync_ep_from_ifnum;
+ 	case USB_ID(0x0763, 0x2080): /* M-Audio FastTrack Ultra */
+ 	case USB_ID(0x0763, 0x2081):
+ 		ep = 0x81;
+-		iface = usb_ifnum_to_if(dev, 2);
+-
+-		if (!iface || iface->num_altsetting == 0)
+-			return -EINVAL;
+-
+-		alts = &iface->altsetting[1];
+-		goto add_sync_ep;
+-	case USB_ID(0x2466, 0x8003):
++		ifnum = 2;
++		goto add_sync_ep_from_ifnum;
++	case USB_ID(0x2466, 0x8003): /* Fractal Audio Axe-Fx II */
+ 		ep = 0x86;
+-		iface = usb_ifnum_to_if(dev, 2);
+-
+-		if (!iface || iface->num_altsetting == 0)
+-			return -EINVAL;
+-
+-		alts = &iface->altsetting[1];
+-		goto add_sync_ep;
+-	case USB_ID(0x1397, 0x0002):
++		ifnum = 2;
++		goto add_sync_ep_from_ifnum;
++	case USB_ID(0x1397, 0x0002): /* Behringer UFX1204 */
+ 		ep = 0x81;
+-		iface = usb_ifnum_to_if(dev, 1);
+-
+-		if (!iface || iface->num_altsetting == 0)
+-			return -EINVAL;
+-
+-		alts = &iface->altsetting[1];
+-		goto add_sync_ep;
+-
++		ifnum = 1;
++		goto add_sync_ep_from_ifnum;
+ 	}
++
+ 	if (attr == USB_ENDPOINT_SYNC_ASYNC &&
+ 	    altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC &&
+ 	    altsd->bInterfaceProtocol == 2 &&
+@@ -385,6 +365,14 @@ static int set_sync_ep_implicit_fb_quirk
+ 	/* No quirk */
+ 	return 0;
+ 
++add_sync_ep_from_ifnum:
++	iface = usb_ifnum_to_if(dev, ifnum);
++
++	if (!iface || iface->num_altsetting == 0)
++		return -EINVAL;
++
++	alts = &iface->altsetting[1];
++
+ add_sync_ep:
+ 	subs->sync_endpoint = snd_usb_add_endpoint(subs->stream->chip,
+ 						   alts, ep, !subs->direction,
diff --git a/queue-3.16/arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch b/queue-3.16/arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch
new file mode 100644
index 0000000..8c9a100
--- /dev/null
+++ b/queue-3.16/arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch
@@ -0,0 +1,125 @@
+From: Alex Sverdlin <alexander.sverdlin@nokia.com>
+Date: Wed, 8 Jan 2020 15:57:47 +0100
+Subject: ARM: 8950/1: ftrace/recordmcount: filter relocation types
+
+commit 927d780ee371d7e121cea4fc7812f6ef2cea461c upstream.
+
+Scenario 1, ARMv7
+=================
+
+If code in arch/arm/kernel/ftrace.c would operate on mcount() pointer
+the following may be generated:
+
+00000230 <prealloc_fixed_plts>:
+ 230:   b5f8            push    {r3, r4, r5, r6, r7, lr}
+ 232:   b500            push    {lr}
+ 234:   f7ff fffe       bl      0 <__gnu_mcount_nc>
+                        234: R_ARM_THM_CALL     __gnu_mcount_nc
+ 238:   f240 0600       movw    r6, #0
+                        238: R_ARM_THM_MOVW_ABS_NC      __gnu_mcount_nc
+ 23c:   f8d0 1180       ldr.w   r1, [r0, #384]  ; 0x180
+
+FTRACE currently is not able to deal with it:
+
+WARNING: CPU: 0 PID: 0 at .../kernel/trace/ftrace.c:1979 ftrace_bug+0x1ad/0x230()
+...
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.116-... #1
+...
+[<c0314e3d>] (unwind_backtrace) from [<c03115e9>] (show_stack+0x11/0x14)
+[<c03115e9>] (show_stack) from [<c051a7f1>] (dump_stack+0x81/0xa8)
+[<c051a7f1>] (dump_stack) from [<c0321c5d>] (warn_slowpath_common+0x69/0x90)
+[<c0321c5d>] (warn_slowpath_common) from [<c0321cf3>] (warn_slowpath_null+0x17/0x1c)
+[<c0321cf3>] (warn_slowpath_null) from [<c038ee9d>] (ftrace_bug+0x1ad/0x230)
+[<c038ee9d>] (ftrace_bug) from [<c038f1f9>] (ftrace_process_locs+0x27d/0x444)
+[<c038f1f9>] (ftrace_process_locs) from [<c08915bd>] (ftrace_init+0x91/0xe8)
+[<c08915bd>] (ftrace_init) from [<c0885a67>] (start_kernel+0x34b/0x358)
+[<c0885a67>] (start_kernel) from [<00308095>] (0x308095)
+---[ end trace cb88537fdc8fa200 ]---
+ftrace failed to modify [<c031266c>] prealloc_fixed_plts+0x8/0x60
+ actual: 44:f2:e1:36
+ftrace record flags: 0
+ (0)   expected tramp: c03143e9
+
+Scenario 2, ARMv4T
+==================
+
+ftrace: allocating 14435 entries in 43 pages
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:2029 ftrace_bug+0x204/0x310
+CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.5 #1
+Hardware name: Cirrus Logic EDB9302 Evaluation Board
+[<c0010a24>] (unwind_backtrace) from [<c000ecb0>] (show_stack+0x20/0x2c)
+[<c000ecb0>] (show_stack) from [<c03c72e8>] (dump_stack+0x20/0x30)
+[<c03c72e8>] (dump_stack) from [<c0021c18>] (__warn+0xdc/0x104)
+[<c0021c18>] (__warn) from [<c0021d7c>] (warn_slowpath_null+0x4c/0x5c)
+[<c0021d7c>] (warn_slowpath_null) from [<c0095360>] (ftrace_bug+0x204/0x310)
+[<c0095360>] (ftrace_bug) from [<c04dabac>] (ftrace_init+0x3b4/0x4d4)
+[<c04dabac>] (ftrace_init) from [<c04cef4c>] (start_kernel+0x20c/0x410)
+[<c04cef4c>] (start_kernel) from [<00000000>] (  (null))
+---[ end trace 0506a2f5dae6b341 ]---
+ftrace failed to modify
+[<c000c350>] perf_trace_sys_exit+0x5c/0xe8
+ actual:   1e:ff:2f:e1
+Initializing ftrace call sites
+ftrace record flags: 0
+ (0)
+ expected tramp: c000fb24
+
+The analysis for this problem has been already performed previously,
+refer to the link below.
+
+Fix the above problems by allowing only selected reloc types in
+__mcount_loc. The list itself comes from the legacy recordmcount.pl
+script.
+
+Link: https://lore.kernel.org/lkml/56961010.6000806@pengutronix.de/
+Fixes: ed60453fa8f8 ("ARM: 6511/1: ftrace: add ARM support for C version of recordmcount")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ scripts/recordmcount.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -52,6 +52,10 @@
+ #define R_AARCH64_ABS64	257
+ #endif
+ 
++#define R_ARM_PC24		1
++#define R_ARM_THM_CALL		10
++#define R_ARM_CALL		28
++
+ static int fd_map;	/* File descriptor for file being modified. */
+ static int mmap_failed; /* Boolean flag. */
+ static char gpfx;	/* prefix for global symbol name (sometimes '_') */
+@@ -355,6 +359,18 @@ is_mcounted_section_name(char const *con
+ #define RECORD_MCOUNT_64
+ #include "recordmcount.h"
+ 
++static int arm_is_fake_mcount(Elf32_Rel const *rp)
++{
++	switch (ELF32_R_TYPE(w(rp->r_info))) {
++	case R_ARM_THM_CALL:
++	case R_ARM_CALL:
++	case R_ARM_PC24:
++		return 0;
++	}
++
++	return 1;
++}
++
+ /* 64-bit EM_MIPS has weird ELF64_Rela.r_info.
+  * http://techpubs.sgi.com/library/manuals/4000/007-4658-001/pdf/007-4658-001.pdf
+  * We interpret Table 29 Relocation Operation (Elf64_Rel, Elf64_Rela) [p.40]
+@@ -443,6 +459,7 @@ do_file(char const *const fname)
+ 		break;
+ 	case EM_ARM:	 reltype = R_ARM_ABS32;
+ 			 altmcount = "__gnu_mcount_nc";
++			 is_fake_mcount32 = arm_is_fake_mcount;
+ 			 break;
+ 	case EM_AARCH64:
+ 			 reltype = R_AARCH64_ABS64; gpfx = '_'; break;
diff --git a/queue-3.16/arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch b/queue-3.16/arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch
new file mode 100644
index 0000000..c89e54f
--- /dev/null
+++ b/queue-3.16/arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch
@@ -0,0 +1,42 @@
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+Date: Mon, 20 Jan 2020 15:07:46 +0100
+Subject: ARM: 8955/1: virt: Relax arch timer version check during early boot
+
+commit 6849b5eba1965ceb0cad3a75877ef4569dd3638e upstream.
+
+Updates to the Generic Timer architecture allow ID_PFR1.GenTimer to
+have values other than 0 or 1 while still preserving backward
+compatibility. At the moment, Linux is quite strict in the way it
+handles this field at early boot and will not configure arch timer if
+it doesn't find the value 1.
+
+Since here use ubfx for arch timer version extraction (hyb-stub build
+with -march=armv7-a, so it is safe)
+
+To help backports (even though the code was correct at the time of writing)
+
+Fixes: 8ec58be9f3ff ("ARM: virt: arch_timers: enable access to physical timers")
+Acked-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/kernel/hyp-stub.S | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/kernel/hyp-stub.S
++++ b/arch/arm/kernel/hyp-stub.S
+@@ -144,10 +144,9 @@ ARM_BE8(orr	r7, r7, #(1 << 25))     @ HS
+ #if !defined(ZIMAGE) && defined(CONFIG_ARM_ARCH_TIMER)
+ 	@ make CNTP_* and CNTPCT accessible from PL1
+ 	mrc	p15, 0, r7, c0, c1, 1	@ ID_PFR1
+-	lsr	r7, #16
+-	and	r7, #0xf
+-	cmp	r7, #1
+-	bne	1f
++	ubfx	r7, r7, #16, #4
++	teq	r7, #0
++	beq	1f
+ 	mrc	p15, 4, r7, c14, c1, 0	@ CNTHCTL
+ 	orr	r7, r7, #3		@ PL1PCEN | PL1PCTEN
+ 	mcr	p15, 4, r7, c14, c1, 0	@ CNTHCTL
diff --git a/queue-3.16/asoc-wm8962-fix-lambda-value.patch b/queue-3.16/asoc-wm8962-fix-lambda-value.patch
new file mode 100644
index 0000000..4081557
--- /dev/null
+++ b/queue-3.16/asoc-wm8962-fix-lambda-value.patch
@@ -0,0 +1,39 @@
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+Date: Wed, 11 Dec 2019 19:57:22 +0800
+Subject: ASoC: wm8962: fix lambda value
+
+commit 556672d75ff486e0b6786056da624131679e0576 upstream.
+
+According to user manual, it is required that FLL_LAMBDA > 0
+in all cases (Integer and Franctional modes).
+
+Fixes: 9a76f1ff6e29 ("ASoC: Add initial WM8962 CODEC driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/1576065442-19763-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/soc/codecs/wm8962.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wm8962.c
++++ b/sound/soc/codecs/wm8962.c
+@@ -2795,7 +2795,7 @@ static int fll_factors(struct _fll_div *
+ 
+ 	if (target % Fref == 0) {
+ 		fll_div->theta = 0;
+-		fll_div->lambda = 0;
++		fll_div->lambda = 1;
+ 	} else {
+ 		gcd_fll = gcd(target, fratio * Fref);
+ 
+@@ -2865,7 +2865,7 @@ static int wm8962_set_fll(struct snd_soc
+ 		return -EINVAL;
+ 	}
+ 
+-	if (fll_div.theta || fll_div.lambda)
++	if (fll_div.theta)
+ 		fll1 |= WM8962_FLL_FRAC;
+ 
+ 	/* Stop the FLL while we reconfigure */
diff --git a/queue-3.16/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-3.16/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
new file mode 100644
index 0000000..9955c49
--- /dev/null
+++ b/queue-3.16/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
@@ -0,0 +1,41 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 28 Nov 2019 12:25:45 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, this is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -207,9 +207,11 @@ static uint32_t batadv_hash_dat(const vo
+ {
+ 	uint32_t hash = 0;
+ 	const struct batadv_dat_entry *dat = data;
++	__be16 vid;
+ 
+ 	hash = batadv_hash_bytes(hash, &dat->ip, sizeof(dat->ip));
+-	hash = batadv_hash_bytes(hash, &dat->vid, sizeof(dat->vid));
++	vid = htons(dat->vid);
++	hash = batadv_hash_bytes(hash, &vid, sizeof(vid));
+ 
+ 	hash += (hash << 3);
+ 	hash ^= (hash >> 11);
diff --git a/queue-3.16/block-fix-an-integer-overflow-in-logical-block-size.patch b/queue-3.16/block-fix-an-integer-overflow-in-logical-block-size.patch
new file mode 100644
index 0000000..c74b486
--- /dev/null
+++ b/queue-3.16/block-fix-an-integer-overflow-in-logical-block-size.patch
@@ -0,0 +1,112 @@
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 15 Jan 2020 08:35:25 -0500
+Subject: block: fix an integer overflow in logical block size
+
+commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream.
+
+Logical block size has type unsigned short. That means that it can be at
+most 32768. However, there are architectures that can run with 64k pages
+(for example arm64) and on these architectures, it may be possible to
+create block devices with 64k block size.
+
+For exmaple (run this on an architecture with 64k pages):
+
+Mount will fail with this error because it tries to read the superblock using 2-sector
+access:
+  device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536
+  EXT4-fs (dm-0): unable to read superblock
+
+This patch changes the logical block size from unsigned short to unsigned
+int to avoid the overflow.
+
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ block/blk-settings.c            | 2 +-
+ drivers/md/dm-snap-persistent.c | 2 +-
+ drivers/md/raid0.c              | 2 +-
+ include/linux/blkdev.h          | 8 ++++----
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -373,7 +373,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size
+  *   storage device can address.  The default of 512 covers most
+  *   hardware.
+  **/
+-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size)
++void blk_queue_logical_block_size(struct request_queue *q, unsigned int size)
+ {
+ 	q->limits.logical_block_size = size;
+ 
+--- a/drivers/md/dm-snap-persistent.c
++++ b/drivers/md/dm-snap-persistent.c
+@@ -16,7 +16,7 @@
+ #include "dm-bufio.h"
+ 
+ #define DM_MSG_PREFIX "persistent snapshot"
+-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32	/* 16KB */
++#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U	/* 16KB */
+ 
+ #define DM_PREFETCH_CHUNKS		12
+ 
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -88,7 +88,7 @@ static int create_strip_zones(struct mdd
+ 	char b[BDEVNAME_SIZE];
+ 	char b2[BDEVNAME_SIZE];
+ 	struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL);
+-	unsigned short blksize = 512;
++	unsigned blksize = 512;
+ 
+ 	if (!conf)
+ 		return -ENOMEM;
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -284,6 +284,7 @@ struct queue_limits {
+ 	unsigned int		max_sectors;
+ 	unsigned int		max_segment_size;
+ 	unsigned int		physical_block_size;
++	unsigned int		logical_block_size;
+ 	unsigned int		alignment_offset;
+ 	unsigned int		io_min;
+ 	unsigned int		io_opt;
+@@ -292,7 +293,6 @@ struct queue_limits {
+ 	unsigned int		discard_granularity;
+ 	unsigned int		discard_alignment;
+ 
+-	unsigned short		logical_block_size;
+ 	unsigned short		max_segments;
+ 	unsigned short		max_integrity_segments;
+ 
+@@ -1017,7 +1017,7 @@ extern void blk_queue_max_discard_sector
+ 		unsigned int max_discard_sectors);
+ extern void blk_queue_max_write_same_sectors(struct request_queue *q,
+ 		unsigned int max_write_same_sectors);
+-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
++extern void blk_queue_logical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_alignment_offset(struct request_queue *q,
+ 				       unsigned int alignment);
+@@ -1232,7 +1232,7 @@ static inline unsigned int queue_max_seg
+ 	return q->limits.max_segment_size;
+ }
+ 
+-static inline unsigned short queue_logical_block_size(struct request_queue *q)
++static inline unsigned queue_logical_block_size(struct request_queue *q)
+ {
+ 	int retval = 512;
+ 
+@@ -1242,7 +1242,7 @@ static inline unsigned short queue_logic
+ 	return retval;
+ }
+ 
+-static inline unsigned short bdev_logical_block_size(struct block_device *bdev)
++static inline unsigned int bdev_logical_block_size(struct block_device *bdev)
+ {
+ 	return queue_logical_block_size(bdev_get_queue(bdev));
+ }
diff --git a/queue-3.16/bonding-fix-bond_neigh_init.patch b/queue-3.16/bonding-fix-bond_neigh_init.patch
new file mode 100644
index 0000000..a7a98db
--- /dev/null
+++ b/queue-3.16/bonding-fix-bond_neigh_init.patch
@@ -0,0 +1,168 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Dec 2019 14:10:34 -0800
+Subject: bonding: fix bond_neigh_init()
+
+commit 9e99bfefdbce2e23ef37487a3bcb4adf90a791d1 upstream.
+
+1) syzbot reported an uninit-value in bond_neigh_setup() [1]
+
+ bond_neigh_setup() uses a temporary on-stack 'struct neigh_parms parms',
+ but only clears parms.neigh_setup field.
+
+ A stacked bonding device would then enter bond_neigh_setup()
+ and read garbage from parms->dev.
+
+ If we get really unlucky and garbage is matching @dev, then we
+ could recurse and eventually crash.
+
+ Let's make sure the whole structure is cleared to avoid surprises.
+
+2) bond_neigh_setup() can be called while another cpu manipulates
+ the master device, removing or adding a slave.
+ We need at least rcu protection to prevent use-after-free.
+
+Note: Prior code does not support a stack of bonding devices,
+      this patch does not attempt to fix this, and leave a comment instead.
+
+[1]
+
+BUG: KMSAN: uninit-value in bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
+CPU: 0 PID: 11256 Comm: syz-executor.0 Not tainted 5.4.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
+ __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245
+ bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655
+ bond_neigh_init+0x216/0x4b0 drivers/net/bonding/bond_main.c:3626
+ ___neigh_create+0x169e/0x2c40 net/core/neighbour.c:613
+ __neigh_create+0xbd/0xd0 net/core/neighbour.c:674
+ ip6_finish_output2+0x149a/0x2670 net/ipv6/ip6_output.c:113
+ __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142
+ ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ NF_HOOK include/linux/netfilter.h:305 [inline]
+ mld_sendpack+0xebd/0x13d0 net/ipv6/mcast.c:1682
+ mld_send_cr net/ipv6/mcast.c:1978 [inline]
+ mld_ifc_timer_expire+0x116b/0x1680 net/ipv6/mcast.c:2477
+ call_timer_fn+0x232/0x530 kernel/time/timer.c:1404
+ expire_timers kernel/time/timer.c:1449 [inline]
+ __run_timers+0xd60/0x1270 kernel/time/timer.c:1773
+ run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1786
+ __do_softirq+0x4a1/0x83a kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:375 [inline]
+ irq_exit+0x230/0x280 kernel/softirq.c:416
+ exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:536
+ smp_apic_timer_interrupt+0x48/0x70 arch/x86/kernel/apic/apic.c:1138
+ apic_timer_interrupt+0x2e/0x40 arch/x86/entry/entry_64.S:835
+ </IRQ>
+RIP: 0010:kmsan_free_page+0x18d/0x1c0 mm/kmsan/kmsan_shadow.c:439
+Code: 4c 89 ff 44 89 f6 e8 82 0d ee ff 65 ff 0d 9f 26 3b 60 65 8b 05 98 26 3b 60 85 c0 75 24 e8 5b f6 35 ff 4c 89 6d d0 ff 75 d0 9d <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 0b 0f 0b 0f
+RSP: 0018:ffffb328034af818 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: 0000000000000000 RBX: ffffe2d7471f8360 RCX: 0000000000000000
+RDX: ffffffffadea7000 RSI: 0000000000000004 RDI: ffff93496fcda104
+RBP: ffffb328034af850 R08: ffff934a47e86d00 R09: ffff93496fc41900
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+R13: 0000000000000246 R14: 0000000000000000 R15: ffffe2d7472225c0
+ free_pages_prepare mm/page_alloc.c:1138 [inline]
+ free_pcp_prepare mm/page_alloc.c:1230 [inline]
+ free_unref_page_prepare+0x1d9/0x770 mm/page_alloc.c:3025
+ free_unref_page mm/page_alloc.c:3074 [inline]
+ free_the_page mm/page_alloc.c:4832 [inline]
+ __free_pages+0x154/0x230 mm/page_alloc.c:4840
+ __vunmap+0xdac/0xf20 mm/vmalloc.c:2277
+ __vfree mm/vmalloc.c:2325 [inline]
+ vfree+0x7c/0x170 mm/vmalloc.c:2355
+ copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline]
+ get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline]
+ do_ip6t_get_ctl+0xfa4/0x1030 net/ipv6/netfilter/ip6_tables.c:1709
+ nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
+ nf_getsockopt+0x481/0x4e0 net/netfilter/nf_sockopt.c:122
+ ipv6_getsockopt+0x264/0x510 net/ipv6/ipv6_sockglue.c:1400
+ tcp_getsockopt+0x1c6/0x1f0 net/ipv4/tcp.c:3688
+ sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3110
+ __sys_getsockopt+0x533/0x7b0 net/socket.c:2129
+ __do_sys_getsockopt net/socket.c:2144 [inline]
+ __se_sys_getsockopt+0xe1/0x100 net/socket.c:2141
+ __x64_sys_getsockopt+0x62/0x80 net/socket.c:2141
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45d20a
+Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 8d 8b fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 6a 8b fb ff c3 66 0f 1f 84 00 00 00 00 00
+RSP: 002b:0000000000a6f618 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
+RAX: ffffffffffffffda RBX: 0000000000a6f640 RCX: 000000000045d20a
+RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003
+RBP: 0000000000717cc0 R08: 0000000000a6f63c R09: 0000000000004000
+R10: 0000000000a6f740 R11: 0000000000000212 R12: 0000000000000003
+R13: 0000000000000000 R14: 0000000000000029 R15: 0000000000715b00
+
+Local variable description: ----parms@bond_neigh_init
+Variable was created at:
+ bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
+ bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617
+
+Fixes: 9918d5bf329d ("bonding: modify only neigh_parms owned by us")
+Fixes: 234bcf8a499e ("net/bonding: correctly proxy slave neigh param setup ndo function")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/bonding/bond_main.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3421,24 +3421,35 @@ static int bond_neigh_init(struct neighb
+ 	const struct net_device_ops *slave_ops;
+ 	struct neigh_parms parms;
+ 	struct slave *slave;
+-	int ret;
++	int ret = 0;
+ 
+-	slave = bond_first_slave(bond);
++	rcu_read_lock();
++	slave = bond_first_slave_rcu(bond);
+ 	if (!slave)
+-		return 0;
++		goto out;
+ 	slave_ops = slave->dev->netdev_ops;
+ 	if (!slave_ops->ndo_neigh_setup)
+-		return 0;
++		goto out;
+ 
+-	parms.neigh_setup = NULL;
++	/* TODO: find another way [1] to implement this.
++	 * Passing a zeroed structure is fragile,
++	 * but at least we do not pass garbage.
++	 *
++	 * [1] One way would be that ndo_neigh_setup() never touch
++	 *     struct neigh_parms, but propagate the new neigh_setup()
++	 *     back to ___neigh_create() / neigh_parms_alloc()
++	 */
++	memset(&parms, 0, sizeof(parms));
+ 	ret = slave_ops->ndo_neigh_setup(slave->dev, &parms);
+-	if (ret)
+-		return ret;
+ 
+-	if (!parms.neigh_setup)
+-		return 0;
++	if (ret)
++		goto out;
+ 
+-	return parms.neigh_setup(n);
++	if (parms.neigh_setup)
++		ret = parms.neigh_setup(n);
++out:
++	rcu_read_unlock();
++	return ret;
+ }
+ 
+ /*
diff --git a/queue-3.16/btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch b/queue-3.16/btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch
new file mode 100644
index 0000000..e34c4fd
--- /dev/null
+++ b/queue-3.16/btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch
@@ -0,0 +1,45 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 6 Dec 2019 09:37:15 -0500
+Subject: btrfs: abort transaction after failed inode updates in create_subvol
+
+commit c7e54b5102bf3614cadb9ca32d7be73bad6cecf0 upstream.
+
+We can just abort the transaction here, and in fact do that for every
+other failure in this function except these two cases.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16:
+ - Add root as second argument to btrfs_abort_transaction()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -580,12 +580,18 @@ static noinline int create_subvol(struct
+ 
+ 	btrfs_i_size_write(dir, dir->i_size + namelen * 2);
+ 	ret = btrfs_update_inode(trans, root, dir);
+-	BUG_ON(ret);
++	if (ret) {
++		btrfs_abort_transaction(trans, root, ret);
++		goto fail;
++	}
+ 
+ 	ret = btrfs_add_root_ref(trans, root->fs_info->tree_root,
+ 				 objectid, root->root_key.objectid,
+ 				 btrfs_ino(dir), index, name, namelen);
+-	BUG_ON(ret);
++	if (ret) {
++		btrfs_abort_transaction(trans, root, ret);
++		goto fail;
++	}
+ 
+ 	ret = btrfs_uuid_tree_add(trans, root->fs_info->uuid_root,
+ 				  root_item.uuid, BTRFS_UUID_KEY_SUBVOL,
diff --git a/queue-3.16/btrfs-check-rw_devices-not-num_devices-for-balance.patch b/queue-3.16/btrfs-check-rw_devices-not-num_devices-for-balance.patch
new file mode 100644
index 0000000..b81017d
--- /dev/null
+++ b/queue-3.16/btrfs-check-rw_devices-not-num_devices-for-balance.patch
@@ -0,0 +1,88 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 10 Jan 2020 11:11:24 -0500
+Subject: btrfs: check rw_devices, not num_devices for balance
+
+commit b35cf1f0bf1f2b0b193093338414b9bd63b29015 upstream.
+
+The fstest btrfs/154 reports
+
+  [ 8675.381709] BTRFS: Transaction aborted (error -28)
+  [ 8675.383302] WARNING: CPU: 1 PID: 31900 at fs/btrfs/block-group.c:2038 btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs]
+  [ 8675.390925] CPU: 1 PID: 31900 Comm: btrfs Not tainted 5.5.0-rc6-default+ #935
+  [ 8675.392780] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014
+  [ 8675.395452] RIP: 0010:btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs]
+  [ 8675.402672] RSP: 0018:ffffb2090888fb00 EFLAGS: 00010286
+  [ 8675.404413] RAX: 0000000000000000 RBX: ffff92026dfa91c8 RCX: 0000000000000001
+  [ 8675.406609] RDX: 0000000000000000 RSI: ffffffff8e100899 RDI: ffffffff8e100971
+  [ 8675.408775] RBP: ffff920247c61660 R08: 0000000000000000 R09: 0000000000000000
+  [ 8675.410978] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffe4
+  [ 8675.412647] R13: ffff92026db74000 R14: ffff920247c616b8 R15: ffff92026dfbc000
+  [ 8675.413994] FS:  00007fd5e57248c0(0000) GS:ffff92027d800000(0000) knlGS:0000000000000000
+  [ 8675.416146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [ 8675.417833] CR2: 0000564aa51682d8 CR3: 000000006dcbc004 CR4: 0000000000160ee0
+  [ 8675.419801] Call Trace:
+  [ 8675.420742]  btrfs_start_dirty_block_groups+0x355/0x480 [btrfs]
+  [ 8675.422600]  btrfs_commit_transaction+0xc8/0xaf0 [btrfs]
+  [ 8675.424335]  reset_balance_state+0x14a/0x190 [btrfs]
+  [ 8675.425824]  btrfs_balance.cold+0xe7/0x154 [btrfs]
+  [ 8675.427313]  ? kmem_cache_alloc_trace+0x235/0x2c0
+  [ 8675.428663]  btrfs_ioctl_balance+0x298/0x350 [btrfs]
+  [ 8675.430285]  btrfs_ioctl+0x466/0x2550 [btrfs]
+  [ 8675.431788]  ? mem_cgroup_charge_statistics+0x51/0xf0
+  [ 8675.433487]  ? mem_cgroup_commit_charge+0x56/0x400
+  [ 8675.435122]  ? do_raw_spin_unlock+0x4b/0xc0
+  [ 8675.436618]  ? _raw_spin_unlock+0x1f/0x30
+  [ 8675.438093]  ? __handle_mm_fault+0x499/0x740
+  [ 8675.439619]  ? do_vfs_ioctl+0x56e/0x770
+  [ 8675.441034]  do_vfs_ioctl+0x56e/0x770
+  [ 8675.442411]  ksys_ioctl+0x3a/0x70
+  [ 8675.443718]  ? trace_hardirqs_off_thunk+0x1a/0x1c
+  [ 8675.445333]  __x64_sys_ioctl+0x16/0x20
+  [ 8675.446705]  do_syscall_64+0x50/0x210
+  [ 8675.448059]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  [ 8675.479187] BTRFS: error (device vdb) in btrfs_create_pending_block_groups:2038: errno=-28 No space left
+
+We now use btrfs_can_overcommit() to see if we can flip a block group
+read only.  Before this would fail because we weren't taking into
+account the usable un-allocated space for allocating chunks.  With my
+patches we were allowed to do the balance, which is technically correct.
+
+The test is trying to start balance on degraded mount.  So now we're
+trying to allocate a chunk and cannot because we want to allocate a
+RAID1 chunk, but there's only 1 device that's available for usage.  This
+results in an ENOSPC.
+
+But we shouldn't even be making it this far, we don't have enough
+devices to restripe.  The problem is we're using btrfs_num_devices(),
+that also includes missing devices. That's not actually what we want, we
+need to use rw_devices.
+
+The chunk_mutex is not needed here, rw_devices changes only in device
+add, remove or replace, all are excluded by EXCL_OP mechanism.
+
+Fixes: e4d8ec0f65b9 ("Btrfs: implement online profile changing")
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ add stacktrace, update changelog, drop chunk_mutex ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/volumes.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3248,7 +3248,11 @@ int btrfs_balance(struct btrfs_balance_c
+ 		}
+ 	}
+ 
+-	num_devices = fs_info->fs_devices->num_devices;
++	/*
++	 * rw_devices will not change at the moment, device add/delete/replace
++	 * are excluded by EXCL_OP
++	 */
++	num_devices = fs_info->fs_devices->rw_devices;
+ 	btrfs_dev_replace_lock(&fs_info->dev_replace);
+ 	if (btrfs_dev_replace_is_ongoing(&fs_info->dev_replace)) {
+ 		BUG_ON(num_devices < 1);
diff --git a/queue-3.16/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch b/queue-3.16/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch
new file mode 100644
index 0000000..edd668f
--- /dev/null
+++ b/queue-3.16/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch
@@ -0,0 +1,50 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Tue, 19 Nov 2019 13:59:35 -0500
+Subject: btrfs: do not call synchronize_srcu() in inode_tree_del
+
+commit f72ff01df9cf5db25c76674cac16605992d15467 upstream.
+
+Testing with the new fsstress uncovered a pretty nasty deadlock with
+lookup and snapshot deletion.
+
+Process A
+unlink
+ -> final iput
+   -> inode_tree_del
+     -> synchronize_srcu(subvol_srcu)
+
+Process B
+btrfs_lookup  <- srcu_read_lock() acquired here
+  -> btrfs_iget
+    -> find inode that has I_FREEING set
+      -> __wait_on_freeing_inode()
+
+We're holding the srcu_read_lock() while doing the iget in order to make
+sure our fs root doesn't go away, and then we are waiting for the inode
+to finish freeing.  However because the free'ing process is doing a
+synchronize_srcu() we deadlock.
+
+Fix this by dropping the synchronize_srcu() in inode_tree_del().  We
+don't need people to stop accessing the fs root at this point, we're
+only adding our empty root to the dead roots list.
+
+A larger much more invasive fix is forthcoming to address how we deal
+with fs roots, but this fixes the immediate problem.
+
+Fixes: 76dda93c6ae2 ("Btrfs: add snapshot/subvolume destroy ioctl")
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16: No fs_info variable was used here]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -5140,7 +5140,6 @@ static void inode_tree_del(struct inode
+ 	spin_unlock(&root->inode_lock);
+ 
+ 	if (empty && btrfs_root_refs(&root->root_item) == 0) {
+-		synchronize_srcu(&root->fs_info->subvol_srcu);
+ 		spin_lock(&root->inode_lock);
+ 		empty = RB_EMPTY_ROOT(&root->inode_tree);
+ 		spin_unlock(&root->inode_lock);
diff --git a/queue-3.16/btrfs-do-not-delete-mismatched-root-refs.patch b/queue-3.16/btrfs-do-not-delete-mismatched-root-refs.patch
new file mode 100644
index 0000000..dbda11f
--- /dev/null
+++ b/queue-3.16/btrfs-do-not-delete-mismatched-root-refs.patch
@@ -0,0 +1,40 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 18 Dec 2019 17:20:29 -0500
+Subject: btrfs: do not delete mismatched root refs
+
+commit 423a716cd7be16fb08690760691befe3be97d3fc upstream.
+
+btrfs_del_root_ref() will simply WARN_ON() if the ref doesn't match in
+any way, and then continue to delete the reference.  This shouldn't
+happen, we have these values because there's more to the reference than
+the original root and the sub root.  If any of these checks fail, return
+-ENOENT.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/root-tree.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -373,11 +373,13 @@ again:
+ 		leaf = path->nodes[0];
+ 		ref = btrfs_item_ptr(leaf, path->slots[0],
+ 				     struct btrfs_root_ref);
+-
+-		WARN_ON(btrfs_root_ref_dirid(leaf, ref) != dirid);
+-		WARN_ON(btrfs_root_ref_name_len(leaf, ref) != name_len);
+ 		ptr = (unsigned long)(ref + 1);
+-		WARN_ON(memcmp_extent_buffer(leaf, name, ptr, name_len));
++		if ((btrfs_root_ref_dirid(leaf, ref) != dirid) ||
++		    (btrfs_root_ref_name_len(leaf, ref) != name_len) ||
++		    memcmp_extent_buffer(leaf, name, ptr, name_len)) {
++			err = -ENOENT;
++			goto out;
++		}
+ 		*sequence = btrfs_root_ref_sequence(leaf, ref);
+ 
+ 		ret = btrfs_del_item(trans, tree_root, path);
diff --git a/queue-3.16/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch b/queue-3.16/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch
new file mode 100644
index 0000000..a31dd08
--- /dev/null
+++ b/queue-3.16/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch
@@ -0,0 +1,32 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 6 Dec 2019 09:37:18 -0500
+Subject: btrfs: do not leak reloc root if we fail to read the fs root
+
+commit ca1aa2818a53875cfdd175fb5e9a2984e997cce9 upstream.
+
+If we fail to read the fs root corresponding with a reloc root we'll
+just break out and free the reloc roots.  But we remove our current
+reloc_root from this list higher up, which means we'll leak this
+reloc_root.  Fix this by adding ourselves back to the reloc_roots list
+so we are properly cleaned up.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/relocation.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -4449,6 +4449,7 @@ int btrfs_recover_relocation(struct btrf
+ 				       reloc_root->root_key.offset);
+ 		if (IS_ERR(fs_root)) {
+ 			err = PTR_ERR(fs_root);
++			list_add_tail(&reloc_root->root_list, &reloc_roots);
+ 			goto out_free;
+ 		}
+ 
diff --git a/queue-3.16/btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch b/queue-3.16/btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch
new file mode 100644
index 0000000..9af02e0
--- /dev/null
+++ b/queue-3.16/btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch
@@ -0,0 +1,204 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 11 Dec 2019 09:01:40 +0000
+Subject: Btrfs: fix infinite loop during nocow writeback due to race
+
+commit de7999afedff02c6631feab3ea726a0e8f8c3d40 upstream.
+
+When starting writeback for a range that covers part of a preallocated
+extent, due to a race with writeback for another range that also covers
+another part of the same preallocated extent, we can end up in an infinite
+loop.
+
+Consider the following example where for inode 280 we have two dirty
+ranges:
+
+  range A, from 294912 to 303103, 8192 bytes
+  range B, from 348160 to 438271, 90112 bytes
+
+and we have the following file extent item layout for our inode:
+
+  leaf 38895616 gen 24544 total ptrs 29 free space 13820 owner 5
+      (...)
+      item 27 key (280 108 200704) itemoff 14598 itemsize 53
+          extent data disk bytenr 0 nr 0 type 1 (regular)
+          extent data offset 0 nr 94208 ram 94208
+      item 28 key (280 108 294912) itemoff 14545 itemsize 53
+          extent data disk bytenr 10433052672 nr 81920 type 2 (prealloc)
+          extent data offset 0 nr 81920 ram 81920
+
+Then the following happens:
+
+1) Writeback starts for range B (from 348160 to 438271), execution of
+   run_delalloc_nocow() starts;
+
+2) The first iteration of run_delalloc_nocow()'s whil loop leaves us at
+   the extent item at slot 28, pointing to the prealloc extent item
+   covering the range from 294912 to 376831. This extent covers part of
+   our range;
+
+3) An ordered extent is created against that extent, covering the file
+   range from 348160 to 376831 (28672 bytes);
+
+4) We adjust 'cur_offset' to 376832 and move on to the next iteration of
+   the while loop;
+
+5) The call to btrfs_lookup_file_extent() leaves us at the same leaf,
+   pointing to slot 29, 1 slot after the last item (the extent item
+   we processed in the previous iteration);
+
+6) Because we are a slot beyond the last item, we call btrfs_next_leaf(),
+   which releases the search path before doing a another search for the
+   last key of the leaf (280 108 294912);
+
+7) Right after btrfs_next_leaf() released the path, and before it did
+   another search for the last key of the leaf, writeback for the range
+   A (from 294912 to 303103) completes (it was previously started at
+   some point);
+
+8) Upon completion of the ordered extent for range A, the prealloc extent
+   we previously found got split into two extent items, one covering the
+   range from 294912 to 303103 (8192 bytes), with a type of regular extent
+   (and no longer prealloc) and another covering the range from 303104 to
+   376831 (73728 bytes), with a type of prealloc and an offset of 8192
+   bytes. So our leaf now has the following layout:
+
+     leaf 38895616 gen 24544 total ptrs 31 free space 13664 owner 5
+         (...)
+         item 27 key (280 108 200704) itemoff 14598 itemsize 53
+             extent data disk bytenr 0 nr 0 type 1
+             extent data offset 0 nr 8192 ram 94208
+         item 28 key (280 108 208896) itemoff 14545 itemsize 53
+             extent data disk bytenr 10433142784 nr 86016 type 1
+             extent data offset 0 nr 86016 ram 86016
+         item 29 key (280 108 294912) itemoff 14492 itemsize 53
+             extent data disk bytenr 10433052672 nr 81920 type 1
+             extent data offset 0 nr 8192 ram 81920
+         item 30 key (280 108 303104) itemoff 14439 itemsize 53
+             extent data disk bytenr 10433052672 nr 81920 type 2
+             extent data offset 8192 nr 73728 ram 81920
+
+9) After btrfs_next_leaf() returns, we have our path pointing to that same
+   leaf and at slot 30, since it has a key we didn't have before and it's
+   the first key greater then the key that was previously the last key of
+   the leaf (key (280 108 294912));
+
+10) The extent item at slot 30 covers the range from 303104 to 376831
+    which is in our target range, so we process it, despite having already
+    created an ordered extent against this extent for the file range from
+    348160 to 376831. This is because we skip to the next extent item only
+    if its end is less than or equals to the start of our delalloc range,
+    and not less than or equals to the current offset ('cur_offset');
+
+11) As a result we compute 'num_bytes' as:
+
+    num_bytes = min(end + 1, extent_end) - cur_offset;
+              = min(438271 + 1, 376832) - 376832 = 0
+
+12) We then call create_io_em() for a 0 bytes range starting at offset
+    376832;
+
+13) Then create_io_em() enters an infinite loop because its calls to
+    btrfs_drop_extent_cache() do nothing due to the 0 length range
+    passed to it. So no existing extent maps that cover the offset
+    376832 get removed, and therefore calls to add_extent_mapping()
+    return -EEXIST, resulting in an infinite loop. This loop from
+    create_io_em() is the following:
+
+    do {
+        btrfs_drop_extent_cache(BTRFS_I(inode), em->start,
+                                em->start + em->len - 1, 0);
+        write_lock(&em_tree->lock);
+        ret = add_extent_mapping(em_tree, em, 1);
+        write_unlock(&em_tree->lock);
+        /*
+         * The caller has taken lock_extent(), who could race with us
+         * to add em?
+         */
+    } while (ret == -EEXIST);
+
+Also, each call to btrfs_drop_extent_cache() triggers a warning because
+the start offset passed to it (376832) is smaller then the end offset
+(376832 - 1) passed to it by -1, due to the 0 length:
+
+  [258532.052621] ------------[ cut here ]------------
+  [258532.052643] WARNING: CPU: 0 PID: 9987 at fs/btrfs/file.c:602 btrfs_drop_extent_cache+0x3f4/0x590 [btrfs]
+  (...)
+  [258532.052672] CPU: 0 PID: 9987 Comm: fsx Tainted: G        W         5.4.0-rc7-btrfs-next-64 #1
+  [258532.052673] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
+  [258532.052691] RIP: 0010:btrfs_drop_extent_cache+0x3f4/0x590 [btrfs]
+  (...)
+  [258532.052695] RSP: 0018:ffffb4be0153f860 EFLAGS: 00010287
+  [258532.052700] RAX: ffff975b445ee360 RBX: ffff975b44eb3e08 RCX: 0000000000000000
+  [258532.052700] RDX: 0000000000038fff RSI: 0000000000039000 RDI: ffff975b445ee308
+  [258532.052700] RBP: 0000000000038fff R08: 0000000000000000 R09: 0000000000000001
+  [258532.052701] R10: ffff975b513c5c10 R11: 00000000e3c0cfa9 R12: 0000000000039000
+  [258532.052703] R13: ffff975b445ee360 R14: 00000000ffffffef R15: ffff975b445ee308
+  [258532.052705] FS:  00007f86a821de80(0000) GS:ffff975b76a00000(0000) knlGS:0000000000000000
+  [258532.052707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [258532.052708] CR2: 00007fdacf0f3ab4 CR3: 00000001f9d26002 CR4: 00000000003606f0
+  [258532.052712] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  [258532.052717] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  [258532.052717] Call Trace:
+  [258532.052718]  ? preempt_schedule_common+0x32/0x70
+  [258532.052722]  ? ___preempt_schedule+0x16/0x20
+  [258532.052741]  create_io_em+0xff/0x180 [btrfs]
+  [258532.052767]  run_delalloc_nocow+0x942/0xb10 [btrfs]
+  [258532.052791]  btrfs_run_delalloc_range+0x30b/0x520 [btrfs]
+  [258532.052812]  ? find_lock_delalloc_range+0x221/0x250 [btrfs]
+  [258532.052834]  writepage_delalloc+0xe4/0x140 [btrfs]
+  [258532.052855]  __extent_writepage+0x110/0x4e0 [btrfs]
+  [258532.052876]  extent_write_cache_pages+0x21c/0x480 [btrfs]
+  [258532.052906]  extent_writepages+0x52/0xb0 [btrfs]
+  [258532.052911]  do_writepages+0x23/0x80
+  [258532.052915]  __filemap_fdatawrite_range+0xd2/0x110
+  [258532.052938]  btrfs_fdatawrite_range+0x1b/0x50 [btrfs]
+  [258532.052954]  start_ordered_ops+0x57/0xa0 [btrfs]
+  [258532.052973]  ? btrfs_sync_file+0x225/0x490 [btrfs]
+  [258532.052988]  btrfs_sync_file+0x225/0x490 [btrfs]
+  [258532.052997]  __x64_sys_msync+0x199/0x200
+  [258532.053004]  do_syscall_64+0x5c/0x250
+  [258532.053007]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  [258532.053010] RIP: 0033:0x7f86a7dfd760
+  (...)
+  [258532.053014] RSP: 002b:00007ffd99af0368 EFLAGS: 00000246 ORIG_RAX: 000000000000001a
+  [258532.053016] RAX: ffffffffffffffda RBX: 0000000000000ec9 RCX: 00007f86a7dfd760
+  [258532.053017] RDX: 0000000000000004 RSI: 000000000000836c RDI: 00007f86a8221000
+  [258532.053019] RBP: 0000000000021ec9 R08: 0000000000000003 R09: 00007f86a812037c
+  [258532.053020] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000000074a3
+  [258532.053021] R13: 00007f86a8221000 R14: 000000000000836c R15: 0000000000000001
+  [258532.053032] irq event stamp: 1653450494
+  [258532.053035] hardirqs last  enabled at (1653450493): [<ffffffff9dec69f9>] _raw_spin_unlock_irq+0x29/0x50
+  [258532.053037] hardirqs last disabled at (1653450494): [<ffffffff9d4048ea>] trace_hardirqs_off_thunk+0x1a/0x20
+  [258532.053039] softirqs last  enabled at (1653449852): [<ffffffff9e200466>] __do_softirq+0x466/0x6bd
+  [258532.053042] softirqs last disabled at (1653449845): [<ffffffff9d4c8a0c>] irq_exit+0xec/0x120
+  [258532.053043] ---[ end trace 8476fce13d9ce20a ]---
+
+Which results in flooding dmesg/syslog since btrfs_drop_extent_cache()
+uses WARN_ON() and not WARN_ON_ONCE().
+
+So fix this issue by changing run_delalloc_nocow()'s loop to move to the
+next extent item when the current extent item ends at at offset less than
+or equals to the current offset instead of the start offset.
+
+Fixes: 80ff385665b7fc ("Btrfs: update nodatacow code v2")
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1283,7 +1283,11 @@ next_slot:
+ 				btrfs_file_extent_num_bytes(leaf, fi);
+ 			disk_num_bytes =
+ 				btrfs_file_extent_disk_num_bytes(leaf, fi);
+-			if (extent_end <= start) {
++			/*
++			 * If the extent we got ends before our current offset,
++			 * skip to the next extent.
++			 */
++			if (extent_end <= cur_offset) {
+ 				path->slots[0]++;
+ 				goto next_slot;
+ 			}
diff --git a/queue-3.16/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch b/queue-3.16/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch
new file mode 100644
index 0000000..496b2b8
--- /dev/null
+++ b/queue-3.16/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch
@@ -0,0 +1,109 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 6 Dec 2019 12:27:39 +0000
+Subject: Btrfs: fix removal logic of the tree mod log that leads to
+ use-after-free issues
+
+commit 6609fee8897ac475378388238456c84298bff802 upstream.
+
+When a tree mod log user no longer needs to use the tree it calls
+btrfs_put_tree_mod_seq() to remove itself from the list of users and
+delete all no longer used elements of the tree's red black tree, which
+should be all elements with a sequence number less then our equals to
+the caller's sequence number. However the logic is broken because it
+can delete and free elements from the red black tree that have a
+sequence number greater then the caller's sequence number:
+
+1) At a point in time we have sequence numbers 1, 2, 3 and 4 in the
+   tree mod log;
+
+2) The task which got assigned the sequence number 1 calls
+   btrfs_put_tree_mod_seq();
+
+3) Sequence number 1 is deleted from the list of sequence numbers;
+
+4) The current minimum sequence number is computed to be the sequence
+   number 2;
+
+5) A task using sequence number 2 is at tree_mod_log_rewind() and gets
+   a pointer to one of its elements from the red black tree through
+   a call to tree_mod_log_search();
+
+6) The task with sequence number 1 iterates the red black tree of tree
+   modification elements and deletes (and frees) all elements with a
+   sequence number less then or equals to 2 (the computed minimum sequence
+   number) - it ends up only leaving elements with sequence numbers of 3
+   and 4;
+
+7) The task with sequence number 2 now uses the pointer to its element,
+   already freed by the other task, at __tree_mod_log_rewind(), resulting
+   in a use-after-free issue. When CONFIG_DEBUG_PAGEALLOC=y it produces
+   a trace like the following:
+
+  [16804.546854] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
+  [16804.547451] CPU: 0 PID: 28257 Comm: pool Tainted: G        W         5.4.0-rc8-btrfs-next-51 #1
+  [16804.548059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
+  [16804.548666] RIP: 0010:rb_next+0x16/0x50
+  (...)
+  [16804.550581] RSP: 0018:ffffb948418ef9b0 EFLAGS: 00010202
+  [16804.551227] RAX: 6b6b6b6b6b6b6b6b RBX: ffff90e0247f6600 RCX: 6b6b6b6b6b6b6b6b
+  [16804.551873] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff90e0247f6600
+  [16804.552504] RBP: ffff90dffe0d4688 R08: 0000000000000001 R09: 0000000000000000
+  [16804.553136] R10: ffff90dffa4a0040 R11: 0000000000000000 R12: 000000000000002e
+  [16804.553768] R13: ffff90e0247f6600 R14: 0000000000001663 R15: ffff90dff77862b8
+  [16804.554399] FS:  00007f4b197ae700(0000) GS:ffff90e036a00000(0000) knlGS:0000000000000000
+  [16804.555039] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [16804.555683] CR2: 00007f4b10022000 CR3: 00000002060e2004 CR4: 00000000003606f0
+  [16804.556336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  [16804.556968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  [16804.557583] Call Trace:
+  [16804.558207]  __tree_mod_log_rewind+0xbf/0x280 [btrfs]
+  [16804.558835]  btrfs_search_old_slot+0x105/0xd00 [btrfs]
+  [16804.559468]  resolve_indirect_refs+0x1eb/0xc70 [btrfs]
+  [16804.560087]  ? free_extent_buffer.part.19+0x5a/0xc0 [btrfs]
+  [16804.560700]  find_parent_nodes+0x388/0x1120 [btrfs]
+  [16804.561310]  btrfs_check_shared+0x115/0x1c0 [btrfs]
+  [16804.561916]  ? extent_fiemap+0x59d/0x6d0 [btrfs]
+  [16804.562518]  extent_fiemap+0x59d/0x6d0 [btrfs]
+  [16804.563112]  ? __might_fault+0x11/0x90
+  [16804.563706]  do_vfs_ioctl+0x45a/0x700
+  [16804.564299]  ksys_ioctl+0x70/0x80
+  [16804.564885]  ? trace_hardirqs_off_thunk+0x1a/0x20
+  [16804.565461]  __x64_sys_ioctl+0x16/0x20
+  [16804.566020]  do_syscall_64+0x5c/0x250
+  [16804.566580]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+  [16804.567153] RIP: 0033:0x7f4b1ba2add7
+  (...)
+  [16804.568907] RSP: 002b:00007f4b197adc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+  [16804.569513] RAX: ffffffffffffffda RBX: 00007f4b100210d8 RCX: 00007f4b1ba2add7
+  [16804.570133] RDX: 00007f4b100210d8 RSI: 00000000c020660b RDI: 0000000000000003
+  [16804.570726] RBP: 000055de05a6cfe0 R08: 0000000000000000 R09: 00007f4b197add44
+  [16804.571314] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b197add48
+  [16804.571905] R13: 00007f4b197add40 R14: 00007f4b100210d0 R15: 00007f4b197add50
+  (...)
+  [16804.575623] ---[ end trace 87317359aad4ba50 ]---
+
+Fix this by making btrfs_put_tree_mod_seq() skip deletion of elements that
+have a sequence number equals to the computed minimum sequence number, and
+not just elements with a sequence number greater then that minimum.
+
+Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions")
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/ctree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -418,7 +418,7 @@ void btrfs_put_tree_mod_seq(struct btrfs
+ 	for (node = rb_first(tm_root); node; node = next) {
+ 		next = rb_next(node);
+ 		tm = container_of(node, struct tree_mod_elem, node);
+-		if (tm->seq > min_seq)
++		if (tm->seq >= min_seq)
+ 			continue;
+ 		rb_erase(node, tm_root);
+ 		kfree(tm);
diff --git a/queue-3.16/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch b/queue-3.16/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch
new file mode 100644
index 0000000..57e6aa1
--- /dev/null
+++ b/queue-3.16/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch
@@ -0,0 +1,32 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 6 Dec 2019 11:39:00 -0500
+Subject: btrfs: handle ENOENT in btrfs_uuid_tree_iterate
+
+commit 714cd3e8cba6841220dce9063a7388a81de03825 upstream.
+
+If we get an -ENOENT back from btrfs_uuid_iter_rem when iterating the
+uuid tree we'll just continue and do btrfs_next_item().  However we've
+done a btrfs_release_path() at this point and no longer have a valid
+path.  So increment the key and go back and do a normal search.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/uuid-tree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/uuid-tree.c
++++ b/fs/btrfs/uuid-tree.c
+@@ -333,6 +333,8 @@ again_search_slot:
+ 				}
+ 				if (ret < 0 && ret != -ENOENT)
+ 					goto out;
++				key.offset++;
++				goto again_search_slot;
+ 			}
+ 			item_size -= sizeof(subid_le);
+ 			offset += sizeof(subid_le);
diff --git a/queue-3.16/btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch b/queue-3.16/btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch
new file mode 100644
index 0000000..151e57a
--- /dev/null
+++ b/queue-3.16/btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch
@@ -0,0 +1,30 @@
+From: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Date: Wed, 1 Aug 2018 11:32:31 +0800
+Subject: btrfs: Remove redundant btrfs_release_path from btrfs_unlink_subvol
+
+commit 5b7d687ad5913a56b6a8788435d7a53990b4176d upstream.
+
+Although it is safe to call this on already released paths with no locks
+held or extent buffers, removing the redundant btrfs_release_path is
+reasonable.
+
+Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16 as dependency of commit d49d3287e74f
+ "btrfs: fix invalid removal of root ref"]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/inode.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4031,7 +4031,6 @@ int btrfs_unlink_subvol(struct btrfs_tra
+ 
+ 		leaf = path->nodes[0];
+ 		btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
+-		btrfs_release_path(path);
+ 		index = key.offset;
+ 	}
+ 	btrfs_release_path(path);
diff --git a/queue-3.16/btrfs-skip-log-replay-on-orphaned-roots.patch b/queue-3.16/btrfs-skip-log-replay-on-orphaned-roots.patch
new file mode 100644
index 0000000..80d6104
--- /dev/null
+++ b/queue-3.16/btrfs-skip-log-replay-on-orphaned-roots.patch
@@ -0,0 +1,75 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 6 Dec 2019 09:37:17 -0500
+Subject: btrfs: skip log replay on orphaned roots
+
+commit 9bc574de590510eff899c3ca8dbaf013566b5efe upstream.
+
+My fsstress modifications coupled with generic/475 uncovered a failure
+to mount and replay the log if we hit a orphaned root.  We do not want
+to replay the log for an orphan root, but it's completely legitimate to
+have an orphaned root with a log attached.  Fix this by simply skipping
+replaying the log.  We still need to pin it's root node so that we do
+not overwrite it while replaying other logs, as we re-read the log root
+at every stage of the replay.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16:
+ - Pass fs_info->extent_root, instead of fs_info, as first argument to
+   btrfs_pin_extent_for_log_replay()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4583,9 +4583,29 @@ again:
+ 		wc.replay_dest = btrfs_read_fs_root_no_name(fs_info, &tmp_key);
+ 		if (IS_ERR(wc.replay_dest)) {
+ 			ret = PTR_ERR(wc.replay_dest);
++
++			/*
++			 * We didn't find the subvol, likely because it was
++			 * deleted.  This is ok, simply skip this log and go to
++			 * the next one.
++			 *
++			 * We need to exclude the root because we can't have
++			 * other log replays overwriting this log as we'll read
++			 * it back in a few more times.  This will keep our
++			 * block from being modified, and we'll just bail for
++			 * each subsequent pass.
++			 */
++			if (ret == -ENOENT)
++				ret = btrfs_pin_extent_for_log_replay(
++							fs_info->extent_root,
++							log->node->start,
++							log->node->len);
+ 			free_extent_buffer(log->node);
+ 			free_extent_buffer(log->commit_root);
+ 			kfree(log);
++
++			if (!ret)
++				goto next;
+ 			btrfs_error(fs_info, ret, "Couldn't read target root "
+ 				    "for tree log recovery.");
+ 			goto error;
+@@ -4600,7 +4620,6 @@ again:
+ 						      path);
+ 		}
+ 
+-		key.offset = found_key.offset - 1;
+ 		wc.replay_dest->log_root = NULL;
+ 		free_extent_buffer(log->node);
+ 		free_extent_buffer(log->commit_root);
+@@ -4608,9 +4627,10 @@ again:
+ 
+ 		if (ret)
+ 			goto error;
+-
++next:
+ 		if (found_key.offset == 0)
+ 			break;
++		key.offset = found_key.offset - 1;
+ 	}
+ 	btrfs_release_path(path);
+ 
diff --git a/queue-3.16/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch b/queue-3.16/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
new file mode 100644
index 0000000..4adce78
--- /dev/null
+++ b/queue-3.16/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
@@ -0,0 +1,38 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:32:31 +0100
+Subject: can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
+
+commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream.
+
+Make sure to always use the descriptors of the current alternate setting
+to avoid future issues when accessing fields that may differ between
+settings.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -846,7 +846,7 @@ static int gs_usb_probe(struct usb_inter
+ 			     GS_USB_BREQ_HOST_FORMAT,
+ 			     USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+ 			     1,
+-			     intf->altsetting[0].desc.bInterfaceNumber,
++			     intf->cur_altsetting->desc.bInterfaceNumber,
+ 			     hconf,
+ 			     sizeof(*hconf),
+ 			     1000);
+@@ -869,7 +869,7 @@ static int gs_usb_probe(struct usb_inter
+ 			     GS_USB_BREQ_DEVICE_CONFIG,
+ 			     USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+ 			     1,
+-			     intf->altsetting[0].desc.bInterfaceNumber,
++			     intf->cur_altsetting->desc.bInterfaceNumber,
+ 			     dconf,
+ 			     sizeof(*dconf),
+ 			     1000);
diff --git a/queue-3.16/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch b/queue-3.16/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch
new file mode 100644
index 0000000..9ad5bcd
--- /dev/null
+++ b/queue-3.16/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch
@@ -0,0 +1,71 @@
+From: Florian Faber <faber@faberman.de>
+Date: Thu, 26 Dec 2019 19:51:24 +0100
+Subject: can: mscan: mscan_rx_poll(): fix rx path lockup when returning from
+ polling to irq mode
+
+commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream.
+
+Under load, the RX side of the mscan driver can get stuck while TX still
+works. Restarting the interface locks up the system. This behaviour
+could be reproduced reliably on a MPC5121e based system.
+
+The patch fixes the return value of the NAPI polling function (should be
+the number of processed packets, not constant 1) and the condition under
+which IRQs are enabled again after polling is finished.
+
+With this patch, no more lockups were observed over a test period of ten
+days.
+
+Fixes: afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
+Signed-off-by: Florian Faber <faber@faberman.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/can/mscan/mscan.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/can/mscan/mscan.c
++++ b/drivers/net/can/mscan/mscan.c
+@@ -412,13 +412,12 @@ static int mscan_rx_poll(struct napi_str
+ 	struct net_device *dev = napi->dev;
+ 	struct mscan_regs __iomem *regs = priv->reg_base;
+ 	struct net_device_stats *stats = &dev->stats;
+-	int npackets = 0;
+-	int ret = 1;
++	int work_done = 0;
+ 	struct sk_buff *skb;
+ 	struct can_frame *frame;
+ 	u8 canrflg;
+ 
+-	while (npackets < quota) {
++	while (work_done < quota) {
+ 		canrflg = in_8(&regs->canrflg);
+ 		if (!(canrflg & (MSCAN_RXF | MSCAN_ERR_IF)))
+ 			break;
+@@ -439,18 +438,18 @@ static int mscan_rx_poll(struct napi_str
+ 
+ 		stats->rx_packets++;
+ 		stats->rx_bytes += frame->can_dlc;
+-		npackets++;
++		work_done++;
+ 		netif_receive_skb(skb);
+ 	}
+ 
+-	if (!(in_8(&regs->canrflg) & (MSCAN_RXF | MSCAN_ERR_IF))) {
+-		napi_complete(&priv->napi);
+-		clear_bit(F_RX_PROGRESS, &priv->flags);
+-		if (priv->can.state < CAN_STATE_BUS_OFF)
+-			out_8(&regs->canrier, priv->shadow_canrier);
+-		ret = 0;
++	if (work_done < quota) {
++		if (likely(napi_complete_done(&priv->napi, work_done))) {
++			clear_bit(F_RX_PROGRESS, &priv->flags);
++			if (priv->can.state < CAN_STATE_BUS_OFF)
++				out_8(&regs->canrier, priv->shadow_canrier);
++		}
+ 	}
+-	return ret;
++	return work_done;
+ }
+ 
+ static irqreturn_t mscan_isr(int irq, void *dev_id)
diff --git a/queue-3.16/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch b/queue-3.16/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
new file mode 100644
index 0000000..57037f8
--- /dev/null
+++ b/queue-3.16/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
@@ -0,0 +1,106 @@
+From: Richard Palethorpe <rpalethorpe@suse.com>
+Date: Tue, 21 Jan 2020 14:42:58 +0100
+Subject: can, slip: Protect tty->disc_data in write_wakeup and close with RCU
+
+commit 0ace17d56824165c7f4c68785d6b58971db954dd upstream.
+
+write_wakeup can happen in parallel with close/hangup where tty->disc_data
+is set to NULL and the netdevice is freed thus also freeing
+disc_data. write_wakeup accesses disc_data so we must prevent close from
+freeing the netdev while write_wakeup has a non-NULL view of
+tty->disc_data.
+
+We also need to make sure that accesses to disc_data are atomic. Which can
+all be done with RCU.
+
+This problem was found by Syzkaller on SLCAN, but the same issue is
+reproducible with the SLIP line discipline using an LTP test based on the
+Syzkaller reproducer.
+
+A fix which didn't use RCU was posted by Hillf Danton.
+
+Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
+Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
+Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
+Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Tyler Hall <tylerwhall@gmail.com>
+Cc: linux-can@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: syzkaller@googlegroups.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/can/slcan.c | 12 ++++++++++--
+ drivers/net/slip/slip.c | 12 ++++++++++--
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -346,9 +346,16 @@ static void slcan_transmit(struct work_s
+  */
+ static void slcan_write_wakeup(struct tty_struct *tty)
+ {
+-	struct slcan *sl = tty->disc_data;
++	struct slcan *sl;
++
++	rcu_read_lock();
++	sl = rcu_dereference(tty->disc_data);
++	if (!sl)
++		goto out;
+ 
+ 	schedule_work(&sl->tx_work);
++out:
++	rcu_read_unlock();
+ }
+ 
+ /* Send a can_frame to a TTY queue. */
+@@ -640,10 +647,11 @@ static void slcan_close(struct tty_struc
+ 		return;
+ 
+ 	spin_lock_bh(&sl->lock);
+-	tty->disc_data = NULL;
++	rcu_assign_pointer(tty->disc_data, NULL);
+ 	sl->tty = NULL;
+ 	spin_unlock_bh(&sl->lock);
+ 
++	synchronize_rcu();
+ 	flush_work(&sl->tx_work);
+ 
+ 	/* Flush network side */
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -452,9 +452,16 @@ static void slip_transmit(struct work_st
+  */
+ static void slip_write_wakeup(struct tty_struct *tty)
+ {
+-	struct slip *sl = tty->disc_data;
++	struct slip *sl;
++
++	rcu_read_lock();
++	sl = rcu_dereference(tty->disc_data);
++	if (!sl)
++		goto out;
+ 
+ 	schedule_work(&sl->tx_work);
++out:
++	rcu_read_unlock();
+ }
+ 
+ static void sl_tx_timeout(struct net_device *dev)
+@@ -885,10 +892,11 @@ static void slip_close(struct tty_struct
+ 		return;
+ 
+ 	spin_lock_bh(&sl->lock);
+-	tty->disc_data = NULL;
++	rcu_assign_pointer(tty->disc_data, NULL);
+ 	sl->tty = NULL;
+ 	spin_unlock_bh(&sl->lock);
+ 
++	synchronize_rcu();
+ 	flush_work(&sl->tx_work);
+ 
+ 	/* VSV = very important to remove timers */
diff --git a/queue-3.16/chardev-avoid-potential-use-after-free-in-chrdev_open.patch b/queue-3.16/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
new file mode 100644
index 0000000..4f8f9e5
--- /dev/null
+++ b/queue-3.16/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
@@ -0,0 +1,92 @@
+From: Will Deacon <will@kernel.org>
+Date: Thu, 19 Dec 2019 12:02:03 +0000
+Subject: chardev: Avoid potential use-after-free in 'chrdev_open()'
+
+commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 upstream.
+
+'chrdev_open()' calls 'cdev_get()' to obtain a reference to the
+'struct cdev *' stashed in the 'i_cdev' field of the target inode
+structure. If the pointer is NULL, then it is initialised lazily by
+looking up the kobject in the 'cdev_map' and so the whole procedure is
+protected by the 'cdev_lock' spinlock to serialise initialisation of
+the shared pointer.
+
+Unfortunately, it is possible for the initialising thread to fail *after*
+installing the new pointer, for example if the subsequent '->open()' call
+on the file fails. In this case, 'cdev_put()' is called, the reference
+count on the kobject is dropped and, if nobody else has taken a reference,
+the release function is called which finally clears 'inode->i_cdev' from
+'cdev_purge()' before potentially freeing the object. The problem here
+is that a racing thread can happily take the 'cdev_lock' and see the
+non-NULL pointer in the inode, which can result in a refcount increment
+from zero and a warning:
+
+  |  ------------[ cut here ]------------
+  |  refcount_t: addition on 0; use-after-free.
+  |  WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0
+  |  Modules linked in:
+  |  CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22
+  |  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+  |  RIP: 0010:refcount_warn_saturate+0x6d/0xf0
+  |  Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08
+  |  RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282
+  |  RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000
+  |  RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798
+  |  RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039
+  |  R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700
+  |  R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700
+  |  FS:  00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000
+  |  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  |  CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0
+  |  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  |  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  |  Call Trace:
+  |   kobject_get+0x5c/0x60
+  |   cdev_get+0x2b/0x60
+  |   chrdev_open+0x55/0x220
+  |   ? cdev_put.part.3+0x20/0x20
+  |   do_dentry_open+0x13a/0x390
+  |   path_openat+0x2c8/0x1470
+  |   do_filp_open+0x93/0x100
+  |   ? selinux_file_ioctl+0x17f/0x220
+  |   do_sys_open+0x186/0x220
+  |   do_syscall_64+0x48/0x150
+  |   entry_SYSCALL_64_after_hwframe+0x44/0xa9
+  |  RIP: 0033:0x7f3b87efcd0e
+  |  Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4
+  |  RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
+  |  RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e
+  |  RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c
+  |  RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000
+  |  R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e
+  |  R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000
+  |  ---[ end trace 24f53ca58db8180a ]---
+
+Since 'cdev_get()' can already fail to obtain a reference, simply move
+it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',
+which will cause the racing thread to return -ENXIO if the initialising
+thread fails unexpectedly.
+
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/char_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/char_dev.c
++++ b/fs/char_dev.c
+@@ -348,7 +348,7 @@ static struct kobject *cdev_get(struct c
+ 
+ 	if (owner && !try_module_get(owner))
+ 		return NULL;
+-	kobj = kobject_get(&p->kobj);
++	kobj = kobject_get_unless_zero(&p->kobj);
+ 	if (!kobj)
+ 		module_put(owner);
+ 	return kobj;
diff --git a/queue-3.16/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch b/queue-3.16/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch
new file mode 100644
index 0000000..3101e5b
--- /dev/null
+++ b/queue-3.16/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch
@@ -0,0 +1,62 @@
+From: Hou Tao <houtao1@huawei.com>
+Date: Tue, 3 Dec 2019 19:42:58 +0800
+Subject: dm btree: increase rebalance threshold in __rebalance2()
+
+commit 474e559567fa631dea8fb8407ab1b6090c903755 upstream.
+
+We got the following warnings from thin_check during thin-pool setup:
+
+  $ thin_check /dev/vdb
+  examining superblock
+  examining devices tree
+    missing devices: [1, 84]
+      too few entries in btree_node: 41, expected at least 42 (block 138, max_entries = 126)
+  examining mapping tree
+
+The phenomenon is the number of entries in one node of details_info tree is
+less than (max_entries / 3). And it can be easily reproduced by the following
+procedures:
+
+  $ new a thin pool
+  $ presume the max entries of details_info tree is 126
+  $ new 127 thin devices (e.g. 1~127) to make the root node being full
+    and then split
+  $ remove the first 43 (e.g. 1~43) thin devices to make the children
+    reblance repeatedly
+  $ stop the thin pool
+  $ thin_check
+
+The root cause is that the B-tree removal procedure in __rebalance2()
+doesn't guarantee the invariance: the minimal number of entries in
+non-root node should be >= (max_entries / 3).
+
+Simply fix the problem by increasing the rebalance threshold to
+make sure the number of entries in each child will be greater
+than or equal to (max_entries / 3 + 1), so no matter which
+child is used for removal, the number will still be valid.
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/md/persistent-data/dm-btree-remove.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -203,7 +203,13 @@ static void __rebalance2(struct dm_btree
+ 	struct btree_node *right = r->n;
+ 	uint32_t nr_left = le32_to_cpu(left->header.nr_entries);
+ 	uint32_t nr_right = le32_to_cpu(right->header.nr_entries);
+-	unsigned threshold = 2 * merge_threshold(left) + 1;
++	/*
++	 * Ensure the number of entries in each child will be greater
++	 * than or equal to (max_entries / 3 + 1), so no matter which
++	 * child is used for removal, the number will still be not
++	 * less than (max_entries / 3).
++	 */
++	unsigned int threshold = 2 * (merge_threshold(left) + 1);
+ 
+ 	if (nr_left + nr_right < threshold) {
+ 		/*
diff --git a/queue-3.16/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch b/queue-3.16/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch
new file mode 100644
index 0000000..fa241ef
--- /dev/null
+++ b/queue-3.16/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch
@@ -0,0 +1,99 @@
+From: Nikos Tsironis <ntsironis@arrikto.com>
+Date: Wed, 4 Dec 2019 16:07:41 +0200
+Subject: dm thin metadata: Add support for a pre-commit callback
+
+commit ecda7c0280e6b3398459dc589b9a41c1adb45529 upstream.
+
+Add support for one pre-commit callback which is run right before the
+metadata are committed.
+
+This allows the thin provisioning target to run a callback before the
+metadata are committed and is required by the next commit.
+
+Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com>
+Acked-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+[bwh: Backported to 3.16:
+ - Open-code pmd_write_{lock_in_core,unlock}()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/md/dm-thin-metadata.c | 29 +++++++++++++++++++++++++++++
+ drivers/md/dm-thin-metadata.h |  7 +++++++
+ 2 files changed, 36 insertions(+)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -198,6 +198,15 @@ struct dm_pool_metadata {
+ 	bool fail_io:1;
+ 
+ 	/*
++	 * Pre-commit callback.
++	 *
++	 * This allows the thin provisioning target to run a callback before
++	 * the metadata are committed.
++	 */
++	dm_pool_pre_commit_fn pre_commit_fn;
++	void *pre_commit_context;
++
++	/*
+ 	 * Reading the space map roots can fail, so we read it into these
+ 	 * buffers before the superblock is locked and updated.
+ 	 */
+@@ -784,6 +793,14 @@ static int __commit_transaction(struct d
+ 	 */
+ 	BUILD_BUG_ON(sizeof(struct thin_disk_superblock) > 512);
+ 
++	if (pmd->pre_commit_fn) {
++		r = pmd->pre_commit_fn(pmd->pre_commit_context);
++		if (r < 0) {
++			DMERR("pre-commit callback failed");
++			return r;
++		}
++	}
++
+ 	r = __write_changed_details(pmd);
+ 	if (r < 0)
+ 		return r;
+@@ -844,6 +861,8 @@ struct dm_pool_metadata *dm_pool_metadat
+ 	pmd->fail_io = false;
+ 	pmd->bdev = bdev;
+ 	pmd->data_block_size = data_block_size;
++	pmd->pre_commit_fn = NULL;
++	pmd->pre_commit_context = NULL;
+ 
+ 	r = __create_persistent_data_objects(pmd, format_device);
+ 	if (r) {
+@@ -1789,6 +1808,16 @@ int dm_pool_register_metadata_threshold(
+ 	return r;
+ }
+ 
++void dm_pool_register_pre_commit_callback(struct dm_pool_metadata *pmd,
++					  dm_pool_pre_commit_fn fn,
++					  void *context)
++{
++	down_write(&pmd->root_lock);
++	pmd->pre_commit_fn = fn;
++	pmd->pre_commit_context = context;
++	up_write(&pmd->root_lock);
++}
++
+ int dm_pool_metadata_set_needs_check(struct dm_pool_metadata *pmd)
+ {
+ 	int r;
+--- a/drivers/md/dm-thin-metadata.h
++++ b/drivers/md/dm-thin-metadata.h
+@@ -213,6 +213,13 @@ int dm_pool_register_metadata_threshold(
+ int dm_pool_metadata_set_needs_check(struct dm_pool_metadata *pmd);
+ bool dm_pool_metadata_needs_check(struct dm_pool_metadata *pmd);
+ 
++/* Pre-commit callback */
++typedef int (*dm_pool_pre_commit_fn)(void *context);
++
++void dm_pool_register_pre_commit_callback(struct dm_pool_metadata *pmd,
++					  dm_pool_pre_commit_fn fn,
++					  void *context);
++
+ /*----------------------------------------------------------------*/
+ 
+ #endif
diff --git a/queue-3.16/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch b/queue-3.16/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
new file mode 100644
index 0000000..d7b21bf
--- /dev/null
+++ b/queue-3.16/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
@@ -0,0 +1,70 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 26 Jan 2020 09:29:34 -0500
+Subject: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
+
+commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream.
+
+may_create_in_sticky() call is done when we already have dropped the
+reference to dir.
+
+Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/namei.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -843,7 +843,8 @@ static int may_linkat(struct path *link)
+  * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
+  *			  should be allowed, or not, on files that already
+  *			  exist.
+- * @dir: the sticky parent directory
++ * @dir_mode: mode bits of directory
++ * @dir_uid: owner of directory
+  * @inode: the inode of the file to open
+  *
+  * Block an O_CREAT open of a FIFO (or a regular file) when:
+@@ -859,18 +860,18 @@ static int may_linkat(struct path *link)
+  *
+  * Returns 0 if the open is allowed, -ve on error.
+  */
+-static int may_create_in_sticky(struct dentry * const dir,
++static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid,
+ 				struct inode * const inode)
+ {
+ 	if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
+ 	    (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
+-	    likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
+-	    uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
++	    likely(!(dir_mode & S_ISVTX)) ||
++	    uid_eq(inode->i_uid, dir_uid) ||
+ 	    uid_eq(current_fsuid(), inode->i_uid))
+ 		return 0;
+ 
+-	if (likely(dir->d_inode->i_mode & 0002) ||
+-	    (dir->d_inode->i_mode & 0020 &&
++	if (likely(dir_mode & 0002) ||
++	    (dir_mode & 0020 &&
+ 	     ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
+ 	      (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
+ 		return -EACCES;
+@@ -2944,6 +2945,8 @@ static int do_last(struct nameidata *nd,
+ 		   int *opened, struct filename *name)
+ {
+ 	struct dentry *dir = nd->path.dentry;
++	kuid_t dir_uid = dir->d_inode->i_uid;
++	umode_t dir_mode = dir->d_inode->i_mode;
+ 	int open_flag = op->open_flag;
+ 	bool will_truncate = (open_flag & O_TRUNC) != 0;
+ 	bool got_write = false;
+@@ -3102,7 +3105,7 @@ finish_open:
+ 		error = -EISDIR;
+ 		if (d_is_dir(nd->path.dentry))
+ 			goto out;
+-		error = may_create_in_sticky(dir,
++		error = may_create_in_sticky(dir_mode, dir_uid,
+ 					     d_backing_inode(nd->path.dentry));
+ 		if (unlikely(error))
+ 			goto out;
diff --git a/queue-3.16/ext4-check-for-directory-entries-too-close-to-block-end.patch b/queue-3.16/ext4-check-for-directory-entries-too-close-to-block-end.patch
new file mode 100644
index 0000000..4bb7869
--- /dev/null
+++ b/queue-3.16/ext4-check-for-directory-entries-too-close-to-block-end.patch
@@ -0,0 +1,34 @@
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 2 Dec 2019 18:02:13 +0100
+Subject: ext4: check for directory entries too close to block end
+
+commit 109ba779d6cca2d519c5dd624a3276d03e21948e upstream.
+
+ext4_check_dir_entry() currently does not catch a case when a directory
+entry ends so close to the block end that the header of the next
+directory entry would not fit in the remaining space. This can lead to
+directory iteration code trying to access address beyond end of current
+buffer head leading to oops.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/dir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -78,6 +78,11 @@ int __ext4_check_dir_entry(const char *f
+ 		error_msg = "rec_len is too small for name_len";
+ 	else if (unlikely(((char *) de - buf) + rlen > size))
+ 		error_msg = "directory entry overrun";
++	else if (unlikely(((char *) de - buf) + rlen >
++			  size - EXT4_DIR_REC_LEN(1) &&
++			  ((char *) de - buf) + rlen != size)) {
++		error_msg = "directory entry too close to block end";
++	}
+ 	else if (unlikely(le32_to_cpu(de->inode) >
+ 			le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count)))
+ 		error_msg = "inode out of bounds";
diff --git a/queue-3.16/ext4-update-c-mtime-on-truncate-up.patch b/queue-3.16/ext4-update-c-mtime-on-truncate-up.patch
new file mode 100644
index 0000000..0e5775e
--- /dev/null
+++ b/queue-3.16/ext4-update-c-mtime-on-truncate-up.patch
@@ -0,0 +1,39 @@
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Tue, 28 Jul 2015 15:08:41 -0400
+Subject: ext4: update c/mtime on truncate up
+
+commit 911af577de4e444622d46500c1f9a37ab4335d3a upstream.
+
+Commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize")
+introduced a bug that c/mtime is not updated on truncate up.
+
+Fix the issue by setting c/mtime explicitly in the truncate up case.
+
+Note that ftruncate(2) is not affected, so you won't see this bug using
+truncate(1) and xfs_io(1).
+
+Signed-off-by: Zirong Lang <zorro.lang@gmail.com>
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4843,6 +4843,14 @@ int ext4_setattr(struct dentry *dentry,
+ 				error = ext4_orphan_add(handle, inode);
+ 				orphan = 1;
+ 			}
++			/*
++			 * Update c/mtime on truncate up, ext4_truncate() will
++			 * update c/mtime in shrink case below
++			 */
++			if (!shrink) {
++				inode->i_mtime = ext4_current_time(inode);
++				inode->i_ctime = inode->i_mtime;
++			}
+ 			down_write(&EXT4_I(inode)->i_data_sem);
+ 			EXT4_I(inode)->i_disksize = attr->ia_size;
+ 			rc = ext4_mark_inode_dirty(handle, inode);
diff --git a/queue-3.16/fix-built-in-early-load-intel-microcode-alignment.patch b/queue-3.16/fix-built-in-early-load-intel-microcode-alignment.patch
new file mode 100644
index 0000000..ce1636c
--- /dev/null
+++ b/queue-3.16/fix-built-in-early-load-intel-microcode-alignment.patch
@@ -0,0 +1,50 @@
+From: Jari Ruusu <jari.ruusu@gmail.com>
+Date: Sun, 12 Jan 2020 15:00:53 +0200
+Subject: Fix built-in early-load Intel microcode alignment
+
+commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream.
+
+Intel Software Developer's Manual, volume 3, chapter 9.11.6 says:
+
+ "Note that the microcode update must be aligned on a 16-byte boundary
+  and the size of the microcode update must be 1-KByte granular"
+
+When early-load Intel microcode is loaded from initramfs, userspace tool
+'iucode_tool' has already 16-byte aligned those microcode bits in that
+initramfs image.  Image that was created something like this:
+
+ iucode_tool --write-earlyfw=FOO.cpio microcode-files...
+
+However, when early-load Intel microcode is loaded from built-in
+firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that
+16-byte alignment is not guaranteed.
+
+Fix this by forcing all built-in firmware BLOBs to 16-byte alignment.
+
+[ If we end up having other firmware with much bigger alignment
+  requirements, we might need to introduce some method for the firmware
+  to specify it, this is the minimal "just increase the alignment a bit
+  to account for this one special case" patch    - Linus ]
+
+Signed-off-by: Jari Ruusu <jari.ruusu@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust filename, context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ firmware/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/firmware/Makefile
++++ b/firmware/Makefile
+@@ -156,7 +156,7 @@ quiet_cmd_fwbin = MK_FW   $@
+ 		  PROGBITS=$(if $(CONFIG_ARM),%,@)progbits;		     \
+ 		  echo "/* Generated by firmware/Makefile */"		> $@;\
+ 		  echo "    .section .rodata"				>>$@;\
+-		  echo "    .p2align $${ASM_ALIGN}"			>>$@;\
++		  echo "    .p2align 4"					>>$@;\
+ 		  echo "_fw_$${FWSTR}_bin:"				>>$@;\
+ 		  echo "    .incbin \"$(2)\""				>>$@;\
+ 		  echo "_fw_end:"					>>$@;\
diff --git a/queue-3.16/ftrace-avoid-potential-division-by-zero-in-function-profiler.patch b/queue-3.16/ftrace-avoid-potential-division-by-zero-in-function-profiler.patch
new file mode 100644
index 0000000..e9c4597
--- /dev/null
+++ b/queue-3.16/ftrace-avoid-potential-division-by-zero-in-function-profiler.patch
@@ -0,0 +1,45 @@
+From: Wen Yang <wenyang@linux.alibaba.com>
+Date: Fri, 3 Jan 2020 11:02:48 +0800
+Subject: ftrace: Avoid potential division by zero in function profiler
+
+commit e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d upstream.
+
+The ftrace_profile->counter is unsigned long and
+do_div truncates it to 32 bits, which means it can test
+non-zero and be truncated to zero for division.
+Fix this issue by using div64_ul() instead.
+
+Link: http://lkml.kernel.org/r/20200103030248.14516-1-wenyang@linux.alibaba.com
+
+Fixes: e330b3bcd8319 ("tracing: Show sample std dev in function profiling")
+Fixes: 34886c8bc590f ("tracing: add average time in function to function profiler")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/trace/ftrace.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -595,8 +595,7 @@ static int function_stat_show(struct seq
+ 
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ 	seq_printf(m, "    ");
+-	avg = rec->time;
+-	do_div(avg, rec->counter);
++	avg = div64_ul(rec->time, rec->counter);
+ 
+ 	/* Sample standard deviation (s^2) */
+ 	if (rec->counter <= 1)
+@@ -613,7 +612,8 @@ static int function_stat_show(struct seq
+ 		 * Divide only 1000 for ns^2 -> us^2 conversion.
+ 		 * trace_print_graph_duration will divide 1000 again.
+ 		 */
+-		do_div(stddev, rec->counter * (rec->counter - 1) * 1000);
++		stddev = div64_ul(stddev,
++				  rec->counter * (rec->counter - 1) * 1000);
+ 	}
+ 
+ 	trace_seq_init(&s);
diff --git a/queue-3.16/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch b/queue-3.16/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch
new file mode 100644
index 0000000..82d45d6
--- /dev/null
+++ b/queue-3.16/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch
@@ -0,0 +1,42 @@
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 27 Nov 2019 10:59:19 +0100
+Subject: gpio: Fix error message on out-of-range GPIO in lookup table
+
+commit d935bd50dd14a7714cbdba9a76435dbb56edb1ae upstream.
+
+When a GPIO offset in a lookup table is out-of-range, the printed error
+message (1) does not include the actual out-of-range value, and (2)
+contains an off-by-one error in the upper bound.
+
+Avoid user confusion by also printing the actual GPIO offset, and
+correcting the upper bound of the range.
+While at it, use "%u" for unsigned int.
+
+Sample impact:
+
+    -requested GPIO 0 is out of range [0..32] for chip e6052000.gpio
+    +requested GPIO 0 (45) is out of range [0..31] for chip e6052000.gpio
+
+Fixes: 2a3cf6a3599e9015 ("gpiolib: return -ENOENT if no GPIO mapping exists")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20191127095919.4214-1-geert+renesas@glider.be
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpio/gpiolib.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -2743,8 +2743,9 @@ static struct gpio_desc *gpiod_find(stru
+ 
+ 		if (chip->ngpio <= p->chip_hwnum) {
+ 			dev_err(dev,
+-				"requested GPIO %d is out of range [0..%d] for chip %s\n",
+-				idx, chip->ngpio, chip->label);
++				"requested GPIO %u (%u) is out of range [0..%u] for chip %s\n",
++				idx, p->chip_hwnum, chip->ngpio - 1,
++				chip->label);
+ 			return ERR_PTR(-EINVAL);
+ 		}
+ 
diff --git a/queue-3.16/gpiolib-fix-up-emulated-open-drain-outputs.patch b/queue-3.16/gpiolib-fix-up-emulated-open-drain-outputs.patch
new file mode 100644
index 0000000..5386ad7
--- /dev/null
+++ b/queue-3.16/gpiolib-fix-up-emulated-open-drain-outputs.patch
@@ -0,0 +1,39 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Sat, 7 Dec 2019 16:20:18 +0000
+Subject: gpiolib: fix up emulated open drain outputs
+
+commit 256efaea1fdc4e38970489197409a26125ee0aaa upstream.
+
+gpiolib has a corner case with open drain outputs that are emulated.
+When such outputs are outputting a logic 1, emulation will set the
+hardware to input mode, which will cause gpiod_get_direction() to
+report that it is in input mode. This is different from the behaviour
+with a true open-drain output.
+
+Unify the semantics here.
+
+Suggested-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpio/gpiolib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -273,6 +273,14 @@ int gpiod_get_direction(const struct gpi
+ 	chip = gpiod_to_chip(desc);
+ 	offset = gpio_chip_hwgpio(desc);
+ 
++	/*
++	 * Open drain emulation using input mode may incorrectly report
++	 * input here, fix that up.
++	 */
++	if (test_bit(FLAG_OPEN_DRAIN, &desc->flags) &&
++	    test_bit(FLAG_IS_OUT, &desc->flags))
++		return 0;
++
+ 	if (!chip->get_direction)
+ 		return status;
+ 
diff --git a/queue-3.16/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch b/queue-3.16/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
new file mode 100644
index 0000000..f9e132f
--- /dev/null
+++ b/queue-3.16/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
@@ -0,0 +1,47 @@
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 10 Dec 2019 16:26:11 -0500
+Subject: HID: Fix slab-out-of-bounds read in hid_field_extract
+
+commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
+
+The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
+handler.  The bug was caused by a report descriptor which included a
+field with size 12 bits and count 4899, for a total size of 7349
+bytes.
+
+The usbhid driver uses at most a single-page 4-KB buffer for reports.
+In the test there wasn't any problem about overflowing the buffer,
+since only one byte was received from the device.  Rather, the bug
+occurred when the HID core tried to extract the data from the report
+fields, which caused it to try reading data beyond the end of the
+allocated buffer.
+
+This patch fixes the problem by rejecting any report whose total
+length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
+for a possible report index).  In theory a device could have a report
+longer than that, but if there was such a thing we wouldn't handle it
+correctly anyway.
+
+Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hid/hid-core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -248,6 +248,12 @@ static int hid_add_field(struct hid_pars
+ 	offset = report->size;
+ 	report->size += parser->global.report_size * parser->global.report_count;
+ 
++	/* Total size check: Allow for possible report index byte */
++	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
++		hid_err(parser->device, "report is too long\n");
++		return -1;
++	}
++
+ 	if (!parser->local.usage_index) /* Ignore padding fields */
+ 		return 0;
+ 
diff --git a/queue-3.16/hid-hid-input-clear-unmapped-usages.patch b/queue-3.16/hid-hid-input-clear-unmapped-usages.patch
new file mode 100644
index 0000000..da4cacb
--- /dev/null
+++ b/queue-3.16/hid-hid-input-clear-unmapped-usages.patch
@@ -0,0 +1,68 @@
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sat, 7 Dec 2019 13:05:18 -0800
+Subject: HID: hid-input: clear unmapped usages
+
+commit 4f3882177240a1f55e45a3d241d3121341bead78 upstream.
+
+We should not be leaving half-mapped usages with potentially invalid
+keycodes, as that may confuse hidinput_find_key() when the key is located
+by index, which may end up feeding way too large keycode into the VT
+keyboard handler and cause OOB write there:
+
+BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
+...
+ kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+ kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+ input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
+ input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
+ input_pass_values drivers/input/input.c:949 [inline]
+ input_set_keycode+0x290/0x320 drivers/input/input.c:954
+ evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
+ evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
+
+Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hid/hid-input.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -947,9 +947,15 @@ static void hidinput_configure_usage(str
+ 	}
+ 
+ mapped:
+-	if (device->driver->input_mapped && device->driver->input_mapped(device,
+-				hidinput, field, usage, &bit, &max) < 0)
+-		goto ignore;
++	if (device->driver->input_mapped &&
++	    device->driver->input_mapped(device, hidinput, field, usage,
++					 &bit, &max) < 0) {
++		/*
++		 * The driver indicated that no further generic handling
++		 * of the usage is desired.
++		 */
++		return;
++	}
+ 
+ 	set_bit(usage->type, input->evbit);
+ 
+@@ -1008,9 +1014,11 @@ mapped:
+ 		set_bit(MSC_SCAN, input->mscbit);
+ 	}
+ 
+-ignore:
+ 	return;
+ 
++ignore:
++	usage->type = 0;
++	usage->code = 0;
+ }
+ 
+ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value)
diff --git a/queue-3.16/hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch b/queue-3.16/hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
new file mode 100644
index 0000000..2e83aaa
--- /dev/null
+++ b/queue-3.16/hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
@@ -0,0 +1,40 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Wed, 4 Dec 2019 03:37:13 +0100
+Subject: HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
+
+commit 9f3b61dc1dd7b81e99e7ed23776bb64a35f39e1a upstream.
+
+When polling a connected /dev/hidrawX device, it is useful to get the
+EPOLLOUT when writing is possible. Since writing is possible as soon as
+the device is connected, always return it.
+
+Right now EPOLLOUT is only returned when there are also input reports
+are available. This works if devices start sending reports when
+connected, but some HID devices might need an output report first before
+sending any input reports. This change will allow using EPOLLOUT here as
+well.
+
+Fixes: 378b80370aa1 ("hidraw: Return EPOLLOUT from hidraw_poll")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+[bwh: Backported to 3.16: s/EPOLL/POLL/g]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hid/hidraw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -265,10 +265,10 @@ static unsigned int hidraw_poll(struct f
+ 
+ 	poll_wait(file, &list->hidraw->wait, wait);
+ 	if (list->head != list->tail)
+-		return POLLIN | POLLRDNORM | POLLOUT;
++		return POLLIN | POLLRDNORM;
+ 	if (!list->hidraw->exist)
+ 		return POLLERR | POLLHUP;
+-	return 0;
++	return POLLOUT | POLLWRNORM;
+ }
+ 
+ static int hidraw_open(struct inode *inode, struct file *file)
diff --git a/queue-3.16/hid-hidraw-uhid-always-report-epollout.patch b/queue-3.16/hid-hidraw-uhid-always-report-epollout.patch
new file mode 100644
index 0000000..040f0b9
--- /dev/null
+++ b/queue-3.16/hid-hidraw-uhid-always-report-epollout.patch
@@ -0,0 +1,62 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Fri, 10 Jan 2020 15:32:51 +0100
+Subject: HID: hidraw, uhid: Always report EPOLLOUT
+
+commit 9e635c2851df6caee651e589fbf937b637973c91 upstream.
+
+hidraw and uhid device nodes are always available for writing so we should
+always report EPOLLOUT and EPOLLWRNORM bits, not only in the cases when
+there is nothing to read.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: be54e7461ffdc ("HID: uhid: Fix returning EPOLLOUT from uhid_char_poll")
+Fixes: 9f3b61dc1dd7b ("HID: hidraw: Fix returning EPOLLOUT from hidraw_poll")
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+[bwh: Backported to 3.16:
+ - Use unsigned int type instead of __poll_t
+ - s/EPOLL/POLL/g]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hid/hidraw.c | 7 ++++---
+ drivers/hid/uhid.c   | 5 +++--
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -262,13 +262,14 @@ out:
+ static unsigned int hidraw_poll(struct file *file, poll_table *wait)
+ {
+ 	struct hidraw_list *list = file->private_data;
++	unsigned int mask = POLLOUT | POLLWRNORM; /* hidraw is always writable */
+ 
+ 	poll_wait(file, &list->hidraw->wait, wait);
+ 	if (list->head != list->tail)
+-		return POLLIN | POLLRDNORM;
++		mask |= POLLIN | POLLRDNORM;
+ 	if (!list->hidraw->exist)
+-		return POLLERR | POLLHUP;
+-	return POLLOUT | POLLWRNORM;
++		mask |= POLLERR | POLLHUP;
++	return mask;
+ }
+ 
+ static int hidraw_open(struct inode *inode, struct file *file)
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -720,13 +720,14 @@ unlock:
+ static unsigned int uhid_char_poll(struct file *file, poll_table *wait)
+ {
+ 	struct uhid_device *uhid = file->private_data;
++	unsigned int mask = POLLOUT | POLLWRNORM; /* uhid is always writable */
+ 
+ 	poll_wait(file, &uhid->waitq, wait);
+ 
+ 	if (uhid->head != uhid->tail)
+-		return POLLIN | POLLRDNORM;
++		mask |= POLLIN | POLLRDNORM;
+ 
+-	return POLLOUT | POLLWRNORM;
++	return mask;
+ }
+ 
+ static const struct file_operations uhid_fops = {
diff --git a/queue-3.16/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch b/queue-3.16/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
new file mode 100644
index 0000000..f83862e
--- /dev/null
+++ b/queue-3.16/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
@@ -0,0 +1,29 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Wed, 4 Dec 2019 03:43:55 +0100
+Subject: HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
+
+commit be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 upstream.
+
+Always return EPOLLOUT from uhid_char_poll to allow polling /dev/uhid
+for writable state.
+
+Fixes: 1f9dec1e0164 ("HID: uhid: allow poll()'ing on uhid devices")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+[bwh: Backported to 3.16: s/EPOLL/POLL/g]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hid/uhid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -726,7 +726,7 @@ static unsigned int uhid_char_poll(struc
+ 	if (uhid->head != uhid->tail)
+ 		return POLLIN | POLLRDNORM;
+ 
+-	return 0;
++	return POLLOUT | POLLWRNORM;
+ }
+ 
+ static const struct file_operations uhid_fops = {
diff --git a/queue-3.16/hidraw-return-epollout-from-hidraw_poll.patch b/queue-3.16/hidraw-return-epollout-from-hidraw_poll.patch
new file mode 100644
index 0000000..6a7b3f0
--- /dev/null
+++ b/queue-3.16/hidraw-return-epollout-from-hidraw_poll.patch
@@ -0,0 +1,33 @@
+From: Fabian Henneke <fabian.henneke@gmail.com>
+Date: Tue, 9 Jul 2019 13:03:37 +0200
+Subject: hidraw: Return EPOLLOUT from hidraw_poll
+
+commit 378b80370aa1fe50f9c48a3ac8af3e416e73b89f upstream.
+
+Always return EPOLLOUT from hidraw_poll when a device is connected.
+This is safe since writes are always possible (but will always block).
+
+hidraw does not support non-blocking writes and instead always calls
+blocking backend functions on write requests. Hence, so far, a call to
+poll never returned EPOLLOUT, which confuses tools like socat.
+
+Signed-off-by: Fabian Henneke <fabian.henneke@gmail.com>
+In-reply-to: <CA+hv5qkyis03CgYTWeWX9cr0my-d2Oe+aZo+mjmWRXgjrGqyrw@mail.gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+[bwh: Backported to 3.16: s/EPOLL/POLL/]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hid/hidraw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -265,7 +265,7 @@ static unsigned int hidraw_poll(struct f
+ 
+ 	poll_wait(file, &list->hidraw->wait, wait);
+ 	if (list->head != list->tail)
+-		return POLLIN | POLLRDNORM;
++		return POLLIN | POLLRDNORM | POLLOUT;
+ 	if (!list->hidraw->exist)
+ 		return POLLERR | POLLHUP;
+ 	return 0;
diff --git a/queue-3.16/hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch b/queue-3.16/hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch
new file mode 100644
index 0000000..f6e71c6
--- /dev/null
+++ b/queue-3.16/hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch
@@ -0,0 +1,39 @@
+From: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
+Date: Fri, 6 Dec 2019 12:16:59 +1300
+Subject: hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
+
+commit cf3ca1877574a306c0207cbf7fdf25419d9229df upstream.
+
+reg2volt returns the voltage that matches a given register value.
+Converting this back the other way with volt2reg didn't return the same
+register value because it used truncation instead of rounding.
+
+This meant that values read from sysfs could not be written back to sysfs
+to set back the same register value.
+
+With this change, volt2reg will return the same value for every voltage
+previously returned by reg2volt (for the set of possible input values)
+
+Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20191205231659.1301-1-luuk.paulussen@alliedtelesis.co.nz
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hwmon/adt7475.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/adt7475.c
++++ b/drivers/hwmon/adt7475.c
+@@ -268,9 +268,10 @@ static inline u16 volt2reg(int channel,
+ 	long reg;
+ 
+ 	if (bypass_attn & (1 << channel))
+-		reg = (volt * 1024) / 2250;
++		reg = DIV_ROUND_CLOSEST(volt * 1024, 2250);
+ 	else
+-		reg = (volt * r[1] * 1024) / ((r[0] + r[1]) * 2250);
++		reg = DIV_ROUND_CLOSEST(volt * r[1] * 1024,
++					(r[0] + r[1]) * 2250);
+ 	return clamp_val(reg, 0, 1023) & (0xff << 2);
+ }
+ 
diff --git a/queue-3.16/ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch b/queue-3.16/ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch
new file mode 100644
index 0000000..a0d4edd
--- /dev/null
+++ b/queue-3.16/ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch
@@ -0,0 +1,51 @@
+From: Moni Shoua <monis@mellanox.com>
+Date: Thu, 21 Aug 2014 14:28:42 +0300
+Subject: IB/mlx4: Avoid executing gid task when device is being removed
+
+commit 4bf9715f184969dc703bde7be94919995024a6a9 upstream.
+
+When device is being removed (e.g during VPI port link type change
+from ETH to IB), tasks for gid table changes should not be executed.
+
+Flush the current queue of tasks and block further tasks from entering the queue.
+
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/hw/mlx4/main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -1395,6 +1395,9 @@ static void update_gids_task(struct work
+ 	int err;
+ 	struct mlx4_dev	*dev = gw->dev->dev;
+ 
++	if (!gw->dev->ib_active)
++		return;
++
+ 	mailbox = mlx4_alloc_cmd_mailbox(dev);
+ 	if (IS_ERR(mailbox)) {
+ 		pr_warn("update gid table failed %ld\n", PTR_ERR(mailbox));
+@@ -1425,6 +1428,9 @@ static void reset_gids_task(struct work_
+ 	int err;
+ 	struct mlx4_dev	*dev = gw->dev->dev;
+ 
++	if (!gw->dev->ib_active)
++		return;
++
+ 	mailbox = mlx4_alloc_cmd_mailbox(dev);
+ 	if (IS_ERR(mailbox)) {
+ 		pr_warn("reset gid table failed\n");
+@@ -2363,6 +2369,9 @@ static void mlx4_ib_remove(struct mlx4_d
+ 	struct mlx4_ib_dev *ibdev = ibdev_ptr;
+ 	int p;
+ 
++	ibdev->ib_active = false;
++	flush_workqueue(wq);
++
+ 	mlx4_ib_close_sriov(ibdev);
+ 	mlx4_ib_mad_cleanup(ibdev);
+ 	ib_unregister_device(&ibdev->ib_dev);
diff --git a/queue-3.16/ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch b/queue-3.16/ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch
new file mode 100644
index 0000000..72c7727
--- /dev/null
+++ b/queue-3.16/ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch
@@ -0,0 +1,54 @@
+From: Parav Pandit <parav@mellanox.com>
+Date: Thu, 12 Dec 2019 11:12:13 +0200
+Subject: IB/mlx4: Follow mirror sequence of device add during device removal
+
+commit 89f988d93c62384758b19323c886db917a80c371 upstream.
+
+Current code device add sequence is:
+
+ib_register_device()
+ib_mad_init()
+init_sriov_init()
+register_netdev_notifier()
+
+Therefore, the remove sequence should be,
+
+unregister_netdev_notifier()
+close_sriov()
+mad_cleanup()
+ib_unregister_device()
+
+However it is not above.
+Hence, make do above remove sequence.
+
+Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+[bwh: Backported to 3.16: No need to call mlx4_ib_diag_cleanup()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -2372,15 +2372,16 @@ static void mlx4_ib_remove(struct mlx4_d
+ 	ibdev->ib_active = false;
+ 	flush_workqueue(wq);
+ 
+-	mlx4_ib_close_sriov(ibdev);
+-	mlx4_ib_mad_cleanup(ibdev);
+-	ib_unregister_device(&ibdev->ib_dev);
+ 	if (ibdev->iboe.nb.notifier_call) {
+ 		if (unregister_netdevice_notifier(&ibdev->iboe.nb))
+ 			pr_warn("failure unregistering notifier\n");
+ 		ibdev->iboe.nb.notifier_call = NULL;
+ 	}
+ 
++	mlx4_ib_close_sriov(ibdev);
++	mlx4_ib_mad_cleanup(ibdev);
++	ib_unregister_device(&ibdev->ib_dev);
++
+ 	mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+ 			      ibdev->steer_qpn_count);
+ 	kfree(ibdev->ib_uc_qpns_bitmap);
diff --git a/queue-3.16/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch b/queue-3.16/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch
new file mode 100644
index 0000000..3b1d935
--- /dev/null
+++ b/queue-3.16/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch
@@ -0,0 +1,60 @@
+From: =?UTF-8?q?Lars=20M=C3=B6llendorf?= <lars.moellendorf@plating.de>
+Date: Fri, 13 Dec 2019 14:50:55 +0100
+Subject: iio: buffer: align the size of scan bytes to size of the largest
+ element
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 883f616530692d81cb70f8a32d85c0d2afc05f69 upstream.
+
+Previous versions of `iio_compute_scan_bytes` only aligned each element
+to its own length (i.e. its own natural alignment). Because multiple
+consecutive sets of scan elements are buffered this does not work in
+case the computed scan bytes do not align with the natural alignment of
+the first scan element in the set.
+
+This commit fixes this by aligning the scan bytes to the natural
+alignment of the largest scan element in the set.
+
+Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.")
+Signed-off-by: Lars Möllendorf <lars.moellendorf@plating.de>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/industrialio-buffer.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -478,7 +478,7 @@ static int iio_compute_scan_bytes(struct
+ {
+ 	const struct iio_chan_spec *ch;
+ 	unsigned bytes = 0;
+-	int length, i;
++	int length, i, largest = 0;
+ 
+ 	/* How much space will the demuxed element take? */
+ 	for_each_set_bit(i, mask,
+@@ -491,6 +491,7 @@ static int iio_compute_scan_bytes(struct
+ 			length = ch->scan_type.storagebits / 8;
+ 		bytes = ALIGN(bytes, length);
+ 		bytes += length;
++		largest = max(largest, length);
+ 	}
+ 	if (timestamp) {
+ 		ch = iio_find_channel_from_si(indio_dev,
+@@ -502,7 +503,10 @@ static int iio_compute_scan_bytes(struct
+ 			length = ch->scan_type.storagebits / 8;
+ 		bytes = ALIGN(bytes, length);
+ 		bytes += length;
++		largest = max(largest, length);
+ 	}
++
++	bytes = ALIGN(bytes, largest);
+ 	return bytes;
+ }
+ 
diff --git a/queue-3.16/input-aiptek-fix-endpoint-sanity-check.patch b/queue-3.16/input-aiptek-fix-endpoint-sanity-check.patch
new file mode 100644
index 0000000..c3f191a
--- /dev/null
+++ b/queue-3.16/input-aiptek-fix-endpoint-sanity-check.patch
@@ -0,0 +1,43 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 11:59:32 -0800
+Subject: Input: aiptek - fix endpoint sanity check
+
+commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could lead to the
+driver binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/tablet/aiptek.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1820,14 +1820,14 @@ aiptek_probe(struct usb_interface *intf,
+ 	input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+ 
+ 	/* Verify that a device really has an endpoint */
+-	if (intf->altsetting[0].desc.bNumEndpoints < 1) {
++	if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+ 		dev_err(&intf->dev,
+ 			"interface has %d endpoints, but must have minimum 1\n",
+-			intf->altsetting[0].desc.bNumEndpoints);
++			intf->cur_altsetting->desc.bNumEndpoints);
+ 		err = -EINVAL;
+ 		goto fail3;
+ 	}
+-	endpoint = &intf->altsetting[0].endpoint[0].desc;
++	endpoint = &intf->cur_altsetting->endpoint[0].desc;
+ 
+ 	/* Go set up our URB, which is called when the tablet receives
+ 	 * input.
diff --git a/queue-3.16/input-gtco-fix-endpoint-sanity-check.patch b/queue-3.16/input-gtco-fix-endpoint-sanity-check.patch
new file mode 100644
index 0000000..aba5a70
--- /dev/null
+++ b/queue-3.16/input-gtco-fix-endpoint-sanity-check.patch
@@ -0,0 +1,55 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 12:00:18 -0800
+Subject: Input: gtco - fix endpoint sanity check
+
+commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream.
+
+The driver was checking the number of endpoints of the first alternate
+setting instead of the current one, something which could lead to the
+driver binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/tablet/gtco.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -886,18 +886,14 @@ static int gtco_probe(struct usb_interfa
+ 	}
+ 
+ 	/* Sanity check that a device has an endpoint */
+-	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++	if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) {
+ 		dev_err(&usbinterface->dev,
+ 			"Invalid number of endpoints\n");
+ 		error = -EINVAL;
+ 		goto err_free_urb;
+ 	}
+ 
+-	/*
+-	 * The endpoint is always altsetting 0, we know this since we know
+-	 * this device only has one interrupt endpoint
+-	 */
+-	endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
++	endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
+ 
+ 	/* Some debug */
+ 	dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting);
+@@ -984,7 +980,7 @@ static int gtco_probe(struct usb_interfa
+ 	input_dev->dev.parent = &usbinterface->dev;
+ 
+ 	/* Setup the URB, it will be posted later on open of input device */
+-	endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
++	endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
+ 
+ 	usb_fill_int_urb(gtco->urbinfo,
+ 			 gtco->usbdev,
diff --git a/queue-3.16/input-keyspan-remote-fix-control-message-timeouts.patch b/queue-3.16/input-keyspan-remote-fix-control-message-timeouts.patch
new file mode 100644
index 0000000..232833d
--- /dev/null
+++ b/queue-3.16/input-keyspan-remote-fix-control-message-timeouts.patch
@@ -0,0 +1,58 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Jan 2020 10:38:57 -0800
+Subject: Input: keyspan-remote - fix control-message timeouts
+
+commit ba9a103f40fc4a3ec7558ec9b0b97d4f92034249 upstream.
+
+The driver was issuing synchronous uninterruptible control requests
+without using a timeout. This could lead to the driver hanging on probe
+due to a malfunctioning (or malicious) device until the device is
+physically disconnected. While sleeping in probe the driver prevents
+other devices connected to the same hub from being added to (or removed
+from) the bus.
+
+The USB upper limit of five seconds per request should be more than
+enough.
+
+Fixes: 99f83c9c9ac9 ("[PATCH] USB: add driver for Keyspan Digital Remote")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20200113171715.30621-1-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/misc/keyspan_remote.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/misc/keyspan_remote.c
++++ b/drivers/input/misc/keyspan_remote.c
+@@ -344,7 +344,8 @@ static int keyspan_setup(struct usb_devi
+ 	int retval = 0;
+ 
+ 	retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+-				 0x11, 0x40, 0x5601, 0x0, NULL, 0, 0);
++				 0x11, 0x40, 0x5601, 0x0, NULL, 0,
++				 USB_CTRL_SET_TIMEOUT);
+ 	if (retval) {
+ 		dev_dbg(&dev->dev, "%s - failed to set bit rate due to error: %d\n",
+ 			__func__, retval);
+@@ -352,7 +353,8 @@ static int keyspan_setup(struct usb_devi
+ 	}
+ 
+ 	retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+-				 0x44, 0x40, 0x0, 0x0, NULL, 0, 0);
++				 0x44, 0x40, 0x0, 0x0, NULL, 0,
++				 USB_CTRL_SET_TIMEOUT);
+ 	if (retval) {
+ 		dev_dbg(&dev->dev, "%s - failed to set resume sensitivity due to error: %d\n",
+ 			__func__, retval);
+@@ -360,7 +362,8 @@ static int keyspan_setup(struct usb_devi
+ 	}
+ 
+ 	retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+-				 0x22, 0x40, 0x0, 0x0, NULL, 0, 0);
++				 0x22, 0x40, 0x0, 0x0, NULL, 0,
++				 USB_CTRL_SET_TIMEOUT);
+ 	if (retval) {
+ 		dev_dbg(&dev->dev, "%s - failed to turn receive on due to error: %d\n",
+ 			__func__, retval);
diff --git a/queue-3.16/input-sur40-fix-interface-sanity-checks.patch b/queue-3.16/input-sur40-fix-interface-sanity-checks.patch
new file mode 100644
index 0000000..34c52ff
--- /dev/null
+++ b/queue-3.16/input-sur40-fix-interface-sanity-checks.patch
@@ -0,0 +1,33 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Jan 2020 12:01:27 -0800
+Subject: Input: sur40 - fix interface sanity checks
+
+commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+This in turn could cause the driver to misbehave or trigger a WARN() in
+usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Vladis Dronov <vdronov@redhat.com>
+Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/touchscreen/sur40.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -357,7 +357,7 @@ static int sur40_probe(struct usb_interf
+ 	int error;
+ 
+ 	/* Check if we really have the right interface. */
+-	iface_desc = &interface->altsetting[0];
++	iface_desc = interface->cur_altsetting;
+ 	if (iface_desc->desc.bInterfaceClass != 0xFF)
+ 		return -ENODEV;
+ 
diff --git a/queue-3.16/ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch b/queue-3.16/ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch
new file mode 100644
index 0000000..dc19f9c
--- /dev/null
+++ b/queue-3.16/ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch
@@ -0,0 +1,34 @@
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Date: Mon, 25 Nov 2019 15:24:52 +0100
+Subject: ixgbevf: Remove limit of 10 entries for unicast filter list
+
+commit aa604651d523b1493988d0bf6710339f3ee60272 upstream.
+
+Currently, though the FDB entry is added to VF, it does not appear in
+RAR filters. VF driver only allows to add 10 entries. Attempting to add
+another causes an error. This patch removes limitation and allows use of
+all free RAR entries for the FDB if needed.
+
+Fixes: 46ec20ff7d ("ixgbevf: Add macvlan support in the set rx mode op")
+Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -1465,11 +1465,6 @@ static int ixgbevf_write_uc_addr_list(st
+ 	struct ixgbe_hw *hw = &adapter->hw;
+ 	int count = 0;
+ 
+-	if ((netdev_uc_count(netdev)) > 10) {
+-		pr_err("Too many unicast filters - No Space\n");
+-		return -ENOSPC;
+-	}
+-
+ 	if (!netdev_uc_empty(netdev)) {
+ 		struct netdev_hw_addr *ha;
+ 		netdev_for_each_uc_addr(ha, netdev) {
diff --git a/queue-3.16/kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch b/queue-3.16/kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch
new file mode 100644
index 0000000..b70f0c8
--- /dev/null
+++ b/queue-3.16/kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch
@@ -0,0 +1,41 @@
+From: Kaitao Cheng <pilgrimtao@gmail.com>
+Date: Tue, 31 Dec 2019 05:35:30 -0800
+Subject: kernel/trace: Fix do not unregister tracepoints when register
+ sched_migrate_task fail
+
+commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream.
+
+In the function, if register_trace_sched_migrate_task() returns error,
+sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is
+why fail_deprobe_sched_switch was added.
+
+Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com
+
+Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing")
+Signed-off-by: Kaitao Cheng <pilgrimtao@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/trace/trace_sched_wakeup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_sched_wakeup.c
++++ b/kernel/trace/trace_sched_wakeup.c
+@@ -567,7 +567,7 @@ static void start_wakeup_tracer(struct t
+ 	if (ret) {
+ 		pr_info("wakeup trace: Couldn't activate tracepoint"
+ 			" probe to kernel_sched_migrate_task\n");
+-		return;
++		goto fail_deprobe_sched_switch;
+ 	}
+ 
+ 	wakeup_reset(tr);
+@@ -585,6 +585,8 @@ static void start_wakeup_tracer(struct t
+ 		printk(KERN_ERR "failed to start wakeup tracer\n");
+ 
+ 	return;
++fail_deprobe_sched_switch:
++	unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL);
+ fail_deprobe_wake_new:
+ 	unregister_trace_sched_wakeup_new(probe_wakeup, NULL);
+ fail_deprobe:
diff --git a/queue-3.16/kobject-export-kobject_get_unless_zero.patch b/queue-3.16/kobject-export-kobject_get_unless_zero.patch
new file mode 100644
index 0000000..53fff61
--- /dev/null
+++ b/queue-3.16/kobject-export-kobject_get_unless_zero.patch
@@ -0,0 +1,51 @@
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 23 Mar 2017 01:37:01 +0100
+Subject: kobject: Export kobject_get_unless_zero()
+
+commit c70c176ff8c3ff0ac6ef9a831cd591ea9a66bd1a upstream.
+
+Make the function available for outside use and fortify it against NULL
+kobject.
+
+CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/kobject.h | 2 ++
+ lib/kobject.c           | 5 ++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/include/linux/kobject.h
++++ b/include/linux/kobject.h
+@@ -107,6 +107,8 @@ extern int __must_check kobject_rename(s
+ extern int __must_check kobject_move(struct kobject *, struct kobject *);
+ 
+ extern struct kobject *kobject_get(struct kobject *kobj);
++extern struct kobject * __must_check kobject_get_unless_zero(
++						struct kobject *kobj);
+ extern void kobject_put(struct kobject *kobj);
+ 
+ extern const void *kobject_namespace(struct kobject *kobj);
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -581,12 +581,15 @@ struct kobject *kobject_get(struct kobje
+ 	return kobj;
+ }
+ 
+-static struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj)
++struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj)
+ {
++	if (!kobj)
++		return NULL;
+ 	if (!kref_get_unless_zero(&kobj->kref))
+ 		kobj = NULL;
+ 	return kobj;
+ }
++EXPORT_SYMBOL(kobject_get_unless_zero);
+ 
+ /*
+  * kobject_cleanup - free kobject resources.
diff --git a/queue-3.16/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch b/queue-3.16/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch
new file mode 100644
index 0000000..5686f9e
--- /dev/null
+++ b/queue-3.16/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch
@@ -0,0 +1,44 @@
+From: Jim Mattson <jmattson@google.com>
+Date: Fri, 13 Dec 2019 16:15:15 -0800
+Subject: kvm: x86: Host feature SSBD doesn't imply guest feature
+ SPEC_CTRL_SSBD
+
+commit 396d2e878f92ec108e4293f1c77ea3bc90b414ff upstream.
+
+The host reports support for the synthetic feature X86_FEATURE_SSBD
+when any of the three following hardware features are set:
+  CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31]
+  CPUID.80000008H:EBX.AMD_SSBD[bit 24]
+  CPUID.80000008H:EBX.VIRT_SSBD[bit 25]
+
+Either of the first two hardware features implies the existence of the
+IA32_SPEC_CTRL MSR, but CPUID.80000008H:EBX.VIRT_SSBD[bit 25] does
+not. Therefore, CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] should only be
+set in the guest if CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] or
+CPUID.80000008H:EBX.AMD_SSBD[bit 24] is set on the host.
+
+Fixes: 0c54914d0c52a ("KVM: x86: use Intel speculation bugs and features as derived in generic x86 code")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Jacob Xu <jacobhxu@google.com>
+Reviewed-by: Peter Shier <pshier@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -400,7 +400,8 @@ static inline int __do_cpuid_ent(struct
+ 				entry->edx |= F(SPEC_CTRL);
+ 			if (boot_cpu_has(X86_FEATURE_STIBP))
+ 				entry->edx |= F(INTEL_STIBP);
+-			if (boot_cpu_has(X86_FEATURE_SSBD))
++			if (boot_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
++			    boot_cpu_has(X86_FEATURE_AMD_SSBD))
+ 				entry->edx |= F(SPEC_CTRL_SSBD);
+ 			/*
+ 			 * We emulate ARCH_CAPABILITIES in software even
diff --git a/queue-3.16/libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch b/queue-3.16/libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch
new file mode 100644
index 0000000..14236a0
--- /dev/null
+++ b/queue-3.16/libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch
@@ -0,0 +1,33 @@
+From: Nicolai Stange <nstange@suse.de>
+Date: Tue, 14 Jan 2020 11:39:02 +0100
+Subject: libertas: don't exit from lbs_ibss_join_existing() with RCU read lock
+ held
+
+commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 upstream.
+
+Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
+descriptor") introduced a bounds check on the number of supplied rates to
+lbs_ibss_join_existing().
+
+Unfortunately, it introduced a return path from within a RCU read side
+critical section without a corresponding rcu_read_unlock(). Fix this.
+
+Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/libertas/cfg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/libertas/cfg.c
++++ b/drivers/net/wireless/libertas/cfg.c
+@@ -1855,6 +1855,7 @@ static int lbs_ibss_join_existing(struct
+ 		rates_max = rates_eid[1];
+ 		if (rates_max > MAX_RATES) {
+ 			lbs_deb_join("invalid rates");
++			rcu_read_unlock();
+ 			goto out;
+ 		}
+ 		rates = cmd.bss.rates;
diff --git a/queue-3.16/libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch b/queue-3.16/libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch
new file mode 100644
index 0000000..0ee7b0b
--- /dev/null
+++ b/queue-3.16/libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch
@@ -0,0 +1,37 @@
+From: Nicolai Stange <nstange@suse.de>
+Date: Tue, 14 Jan 2020 11:39:03 +0100
+Subject: libertas: make lbs_ibss_join_existing() return error code on rates
+ overflow
+
+commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb upstream.
+
+Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
+descriptor") introduced a bounds check on the number of supplied rates to
+lbs_ibss_join_existing() and made it to return on overflow.
+
+However, the aforementioned commit doesn't set the return value accordingly
+and thus, lbs_ibss_join_existing() would return with zero even though it
+failed.
+
+Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
+number of supplied rates fails.
+
+Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/libertas/cfg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/libertas/cfg.c
++++ b/drivers/net/wireless/libertas/cfg.c
+@@ -1856,6 +1856,7 @@ static int lbs_ibss_join_existing(struct
+ 		if (rates_max > MAX_RATES) {
+ 			lbs_deb_join("invalid rates");
+ 			rcu_read_unlock();
++			ret = -EINVAL;
+ 			goto out;
+ 		}
+ 		rates = cmd.bss.rates;
diff --git a/queue-3.16/locks-print-unsigned-ino-in-proc-locks.patch b/queue-3.16/locks-print-unsigned-ino-in-proc-locks.patch
new file mode 100644
index 0000000..b29caf5
--- /dev/null
+++ b/queue-3.16/locks-print-unsigned-ino-in-proc-locks.patch
@@ -0,0 +1,27 @@
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 22 Dec 2019 20:45:28 +0200
+Subject: locks: print unsigned ino in /proc/locks
+
+commit 98ca480a8f22fdbd768e3dad07024c8d4856576c upstream.
+
+An ino is unsigned, so display it as such in /proc/locks.
+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/locks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -2488,7 +2488,7 @@ static void lock_get_status(struct seq_f
+ 				inode->i_sb->s_id, inode->i_ino);
+ #else
+ 		/* userspace relies on this representation of dev_t ;-( */
+-		seq_printf(f, "%d %02x:%02x:%ld ", fl_pid,
++		seq_printf(f, "%d %02x:%02x:%lu ", fl_pid,
+ 				MAJOR(inode->i_sb->s_dev),
+ 				MINOR(inode->i_sb->s_dev), inode->i_ino);
+ #endif
diff --git a/queue-3.16/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch b/queue-3.16/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
new file mode 100644
index 0000000..0800a96
--- /dev/null
+++ b/queue-3.16/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
@@ -0,0 +1,168 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 6 Jan 2020 12:30:48 -0800
+Subject: macvlan: do not assume mac_header is set in macvlan_broadcast()
+
+commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 upstream.
+
+Use of eth_hdr() in tx path is error prone.
+
+Many drivers call skb_reset_mac_header() before using it,
+but others do not.
+
+Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()")
+attempted to fix this generically, but commit d346a3fae3ff
+("packet: introduce PACKET_QDISC_BYPASS socket option") brought
+back the macvlan bug.
+
+Lets add a new helper, so that tx paths no longer have
+to call skb_reset_mac_header() only to get a pointer
+to skb->data.
+
+Hopefully we will be able to revert 6d1ccff62780
+("net: reset mac header in dev_start_xmit()") and save few cycles
+in transmit fast path.
+
+BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
+BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline]
+BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
+Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579
+
+CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+ __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:639
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
+ __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
+ mc_hash drivers/net/macvlan.c:251 [inline]
+ macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
+ macvlan_queue_xmit drivers/net/macvlan.c:520 [inline]
+ macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559
+ __netdev_start_xmit include/linux/netdevice.h:4447 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4461 [inline]
+ dev_direct_xmit+0x419/0x630 net/core/dev.c:4079
+ packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240
+ packet_snd net/packet/af_packet.c:2966 [inline]
+ packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:659
+ __sys_sendto+0x262/0x380 net/socket.c:1985
+ __do_sys_sendto net/socket.c:1997 [inline]
+ __se_sys_sendto net/socket.c:1993 [inline]
+ __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x442639
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639
+RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000
+
+Allocated by task 9389:
+ save_stack+0x23/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ __kasan_kmalloc mm/kasan/common.c:513 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
+ __do_kmalloc mm/slab.c:3656 [inline]
+ __kmalloc+0x163/0x770 mm/slab.c:3665
+ kmalloc include/linux/slab.h:561 [inline]
+ tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252
+ tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
+ tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
+ tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
+ security_inode_getattr+0xf2/0x150 security/security.c:1222
+ vfs_getattr+0x25/0x70 fs/stat.c:115
+ vfs_statx_fd+0x71/0xc0 fs/stat.c:145
+ vfs_fstat include/linux/fs.h:3265 [inline]
+ __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
+ __se_sys_newfstat fs/stat.c:375 [inline]
+ __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 9389:
+ save_stack+0x23/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ kasan_set_free_info mm/kasan/common.c:335 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x10a/0x2c0 mm/slab.c:3757
+ tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289
+ tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
+ tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
+ tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
+ security_inode_getattr+0xf2/0x150 security/security.c:1222
+ vfs_getattr+0x25/0x70 fs/stat.c:115
+ vfs_statx_fd+0x71/0xc0 fs/stat.c:145
+ vfs_fstat include/linux/fs.h:3265 [inline]
+ __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
+ __se_sys_newfstat fs/stat.c:375 [inline]
+ __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8880a4932000
+ which belongs to the cache kmalloc-4k of size 4096
+The buggy address is located 1025 bytes inside of
+ 4096-byte region [ffff8880a4932000, ffff8880a4933000)
+The buggy address belongs to the page:
+page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
+raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000
+raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                   ^
+ ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: b863ceb7ddce ("[NET]: Add macvlan driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/macvlan.c    | 2 +-
+ include/linux/if_ether.h | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -162,7 +162,7 @@ static void macvlan_broadcast(struct sk_
+ 			      struct net_device *src,
+ 			      enum macvlan_mode mode)
+ {
+-	const struct ethhdr *eth = eth_hdr(skb);
++	const struct ethhdr *eth = skb_eth_hdr(skb);
+ 	const struct macvlan_dev *vlan;
+ 	struct sk_buff *nskb;
+ 	unsigned int i;
+--- a/include/linux/if_ether.h
++++ b/include/linux/if_ether.h
+@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con
+ 	return (struct ethhdr *)skb_mac_header(skb);
+ }
+ 
++/* Prefer this version in TX path, instead of
++ * skb_reset_mac_header() + eth_hdr()
++ */
++static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb)
++{
++	return (struct ethhdr *)skb->data;
++}
++
+ int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
+ 
+ extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
diff --git a/queue-3.16/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch b/queue-3.16/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch
new file mode 100644
index 0000000..4bb4ec4
--- /dev/null
+++ b/queue-3.16/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch
@@ -0,0 +1,46 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 14 Jan 2020 13:00:35 -0800
+Subject: macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
+
+commit 1712b2fff8c682d145c7889d2290696647d82dab upstream.
+
+I missed the fact that macvlan_broadcast() can be used both
+in RX and TX.
+
+skb_eth_hdr() makes only sense in TX paths, so we can not
+use it blindly in macvlan_broadcast()
+
+Fixes: 96cc4b69581d ("macvlan: do not assume mac_header is set in macvlan_broadcast()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jurgen Van Ham <juvanham@gmail.com>
+Tested-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/macvlan.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -162,7 +162,7 @@ static void macvlan_broadcast(struct sk_
+ 			      struct net_device *src,
+ 			      enum macvlan_mode mode)
+ {
+-	const struct ethhdr *eth = skb_eth_hdr(skb);
++	const struct ethhdr *eth = eth_hdr(skb);
+ 	const struct macvlan_dev *vlan;
+ 	struct sk_buff *nskb;
+ 	unsigned int i;
+@@ -345,10 +345,11 @@ static int macvlan_queue_xmit(struct sk_
+ 	const struct macvlan_dev *dest;
+ 
+ 	if (vlan->mode == MACVLAN_MODE_BRIDGE) {
+-		const struct ethhdr *eth = (void *)skb->data;
++		const struct ethhdr *eth = skb_eth_hdr(skb);
+ 
+ 		/* send to other bridge ports directly */
+ 		if (is_multicast_ether_addr(eth->h_dest)) {
++			skb_reset_mac_header(skb);
+ 			macvlan_broadcast(skb, port, dev, MACVLAN_MODE_BRIDGE);
+ 			goto xmit_world;
+ 		}
diff --git a/queue-3.16/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch b/queue-3.16/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch
new file mode 100644
index 0000000..5941c52
--- /dev/null
+++ b/queue-3.16/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch
@@ -0,0 +1,50 @@
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Wed, 15 Jan 2020 10:54:35 +0100
+Subject: mmc: sdhci: fix minimum clock rate for v3 controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 2a187d03352086e300daa2044051db00044cd171 upstream.
+
+For SDHCIv3+ with programmable clock mode, minimal clock frequency is
+still base clock / max(divider). Minimal programmable clock frequency is
+always greater than minimal divided clock frequency. Without this patch,
+SDHCI uses out-of-spec initial frequency when multiplier is big enough:
+
+mmc1: mmc_rescan_try_freq: trying to init card at 468750 Hz
+[for 480 MHz source clock divided by 1024]
+
+The code in sdhci_calc_clk() already chooses a correct SDCLK clock mode.
+
+Fixes: c3ed3877625f ("mmc: sdhci: add support for programmable clock mode")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/ffb489519a446caffe7a0a05c4b9372bd52397bb.1579082031.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/mmc/host/sdhci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2945,11 +2945,13 @@ int sdhci_add_host(struct sdhci_host *ho
+ 	if (host->ops->get_min_clock)
+ 		mmc->f_min = host->ops->get_min_clock(host);
+ 	else if (host->version >= SDHCI_SPEC_300) {
+-		if (host->clk_mul) {
+-			mmc->f_min = (host->max_clk * host->clk_mul) / 1024;
++		if (host->clk_mul)
+ 			mmc->f_max = host->max_clk * host->clk_mul;
+-		} else
+-			mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300;
++		/*
++		 * Divided Clock Mode minimum clock rate is always less than
++		 * Programmable Clock Mode minimum clock rate.
++		 */
++		mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300;
+ 	} else
+ 		mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_200;
+ 
diff --git a/queue-3.16/mod_devicetable-fix-phy-module-format.patch b/queue-3.16/mod_devicetable-fix-phy-module-format.patch
new file mode 100644
index 0000000..a77da0f
--- /dev/null
+++ b/queue-3.16/mod_devicetable-fix-phy-module-format.patch
@@ -0,0 +1,40 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 19 Dec 2019 23:24:47 +0000
+Subject: mod_devicetable: fix PHY module format
+
+commit d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 upstream.
+
+When a PHY is probed, if the top bit is set, we end up requesting a
+module with the string "mdio:-10101110000000100101000101010001" -
+the top bit is printed to a signed -1 value. This leads to the module
+not being loaded.
+
+Fix the module format string and the macro generating the values for
+it to ensure that we only print unsigned types and the top bit is
+always 0/1. We correctly end up with
+"mdio:10101110000000100101000101010001".
+
+Fixes: 8626d3b43280 ("phylib: Support phy module autoloading")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/mod_devicetable.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mod_devicetable.h
++++ b/include/linux/mod_devicetable.h
+@@ -497,9 +497,9 @@ struct platform_device_id {
+ 
+ #define MDIO_MODULE_PREFIX	"mdio:"
+ 
+-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d"
++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u"
+ #define MDIO_ID_ARGS(_id) \
+-	(_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1,	\
++	((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \
+ 	((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \
+ 	((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \
+ 	((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \
diff --git a/queue-3.16/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch b/queue-3.16/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch
new file mode 100644
index 0000000..590334f
--- /dev/null
+++ b/queue-3.16/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch
@@ -0,0 +1,229 @@
+From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:35 -0700
+Subject: namei: allow restricted O_CREAT of FIFOs and regular files
+
+commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 upstream.
+
+Disallows open of FIFOs or regular files not owned by the user in world
+writable sticky directories, unless the owner is the same as that of the
+directory or the file is opened without the O_CREAT flag.  The purpose
+is to make data spoofing attacks harder.  This protection can be turned
+on and off separately for FIFOs and regular files via sysctl, just like
+the symlinks/hardlinks protection.  This patch is based on Openwall's
+"HARDEN_FIFO" feature by Solar Designer.
+
+This is a brief list of old vulnerabilities that could have been prevented
+by this feature, some of them even allow for privilege escalation:
+
+CVE-2000-1134
+CVE-2007-3852
+CVE-2008-0525
+CVE-2009-0416
+CVE-2011-4834
+CVE-2015-1838
+CVE-2015-7442
+CVE-2016-7489
+
+This list is not meant to be complete.  It's difficult to track down all
+vulnerabilities of this kind because they were often reported without any
+mention of this particular attack vector.  In fact, before
+hardlinks/symlinks restrictions, fifos/regular files weren't the favorite
+vehicle to exploit them.
+
+[s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter]
+  Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda
+  Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com
+[keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future]
+[keescook@chromium.org: adjust commit subjet]
+Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast
+Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Suggested-by: Solar Designer <solar@openwall.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ Documentation/sysctl/fs.txt | 36 +++++++++++++++++++++++++
+ fs/namei.c                  | 53 ++++++++++++++++++++++++++++++++++---
+ include/linux/fs.h          |  2 ++
+ kernel/sysctl.c             | 18 +++++++++++++
+ 4 files changed, 106 insertions(+), 3 deletions(-)
+
+--- a/Documentation/sysctl/fs.txt
++++ b/Documentation/sysctl/fs.txt
+@@ -34,7 +34,9 @@ Currently, these files are in /proc/sys/
+ - overflowgid
+ - pipe-user-pages-hard
+ - pipe-user-pages-soft
++- protected_fifos
+ - protected_hardlinks
++- protected_regular
+ - protected_symlinks
+ - suid_dumpable
+ - super-max
+@@ -182,6 +184,24 @@ applied.
+ 
+ ==============================================================
+ 
++protected_fifos:
++
++The intent of this protection is to avoid unintentional writes to
++an attacker-controlled FIFO, where a program expected to create a regular
++file.
++
++When set to "0", writing to FIFOs is unrestricted.
++
++When set to "1" don't allow O_CREAT open on FIFOs that we don't own
++in world writable sticky directories, unless they are owned by the
++owner of the directory.
++
++When set to "2" it also applies to group writable sticky directories.
++
++This protection is based on the restrictions in Openwall.
++
++==============================================================
++
+ protected_hardlinks:
+ 
+ A long-standing class of security issues is the hardlink-based
+@@ -202,6 +222,22 @@ This protection is based on the restrict
+ 
+ ==============================================================
+ 
++protected_regular:
++
++This protection is similar to protected_fifos, but it
++avoids writes to an attacker-controlled regular file, where a program
++expected to create one.
++
++When set to "0", writing to regular files is unrestricted.
++
++When set to "1" don't allow O_CREAT open on regular files that we
++don't own in world writable sticky directories, unless they are
++owned by the owner of the directory.
++
++When set to "2" it also applies to group writable sticky directories.
++
++==============================================================
++
+ protected_symlinks:
+ 
+ A long-standing class of security issues is the symlink-based
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -723,6 +723,8 @@ static inline void put_link(struct namei
+ 
+ int sysctl_protected_symlinks __read_mostly = 0;
+ int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_fifos __read_mostly;
++int sysctl_protected_regular __read_mostly;
+ 
+ /**
+  * may_follow_link - Check symlink following for unsafe situations
+@@ -837,6 +839,45 @@ static int may_linkat(struct path *link)
+ 	return -EPERM;
+ }
+ 
++/**
++ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
++ *			  should be allowed, or not, on files that already
++ *			  exist.
++ * @dir: the sticky parent directory
++ * @inode: the inode of the file to open
++ *
++ * Block an O_CREAT open of a FIFO (or a regular file) when:
++ *   - sysctl_protected_fifos (or sysctl_protected_regular) is enabled
++ *   - the file already exists
++ *   - we are in a sticky directory
++ *   - we don't own the file
++ *   - the owner of the directory doesn't own the file
++ *   - the directory is world writable
++ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2
++ * the directory doesn't have to be world writable: being group writable will
++ * be enough.
++ *
++ * Returns 0 if the open is allowed, -ve on error.
++ */
++static int may_create_in_sticky(struct dentry * const dir,
++				struct inode * const inode)
++{
++	if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
++	    (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
++	    likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
++	    uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
++	    uid_eq(current_fsuid(), inode->i_uid))
++		return 0;
++
++	if (likely(dir->d_inode->i_mode & 0002) ||
++	    (dir->d_inode->i_mode & 0020 &&
++	     ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
++	      (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
++		return -EACCES;
++	}
++	return 0;
++}
++
+ static __always_inline int
+ follow_link(struct path *link, struct nameidata *nd, void **p)
+ {
+@@ -3057,9 +3098,15 @@ finish_open:
+ 		return error;
+ 	}
+ 	audit_inode(name, nd->path.dentry, 0);
+-	error = -EISDIR;
+-	if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
+-		goto out;
++	if (open_flag & O_CREAT) {
++		error = -EISDIR;
++		if (d_is_dir(nd->path.dentry))
++			goto out;
++		error = may_create_in_sticky(dir,
++					     d_backing_inode(nd->path.dentry));
++		if (unlikely(error))
++			goto out;
++	}
+ 	error = -ENOTDIR;
+ 	if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
+ 		goto out;
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -61,6 +61,8 @@ extern struct inodes_stat_t inodes_stat;
+ extern int leases_enable, lease_break_time;
+ extern int sysctl_protected_symlinks;
+ extern int sysctl_protected_hardlinks;
++extern int sysctl_protected_fifos;
++extern int sysctl_protected_regular;
+ 
+ struct buffer_head;
+ typedef int (get_block_t)(struct inode *inode, sector_t iblock,
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1653,6 +1653,24 @@ static struct ctl_table fs_table[] = {
+ 		.extra2		= &one,
+ 	},
+ 	{
++		.procname	= "protected_fifos",
++		.data		= &sysctl_protected_fifos,
++		.maxlen		= sizeof(int),
++		.mode		= 0600,
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &zero,
++		.extra2		= &two,
++	},
++	{
++		.procname	= "protected_regular",
++		.data		= &sysctl_protected_regular,
++		.maxlen		= sizeof(int),
++		.mode		= 0600,
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &zero,
++		.extra2		= &two,
++	},
++	{
+ 		.procname	= "suid_dumpable",
+ 		.data		= &suid_dumpable,
+ 		.maxlen		= sizeof(int),
diff --git a/queue-3.16/neighbour-remove-neigh_cleanup-method.patch b/queue-3.16/neighbour-remove-neigh_cleanup-method.patch
new file mode 100644
index 0000000..e1ca97b
--- /dev/null
+++ b/queue-3.16/neighbour-remove-neigh_cleanup-method.patch
@@ -0,0 +1,63 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Dec 2019 12:23:21 -0800
+Subject: neighbour: remove neigh_cleanup() method
+
+commit f394722fb0d0f701119368959d7cd0ecbc46363a upstream.
+
+neigh_cleanup() has not been used for seven years, and was a wrong design.
+
+Messing with shared pointer in bond_neigh_init() without proper
+memory barriers would at least trigger syzbot complains eventually.
+
+It is time to remove this stuff.
+
+Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3431,19 +3431,10 @@ static int bond_neigh_init(struct neighb
+ 		return 0;
+ 
+ 	parms.neigh_setup = NULL;
+-	parms.neigh_cleanup = NULL;
+ 	ret = slave_ops->ndo_neigh_setup(slave->dev, &parms);
+ 	if (ret)
+ 		return ret;
+ 
+-	/*
+-	 * Assign slave's neigh_cleanup to neighbour in case cleanup is called
+-	 * after the last slave has been detached.  Assumes that all slaves
+-	 * utilize the same neigh_cleanup (true at this writing as only user
+-	 * is ipoib).
+-	 */
+-	n->parms->neigh_cleanup = parms.neigh_cleanup;
+-
+ 	if (!parms.neigh_setup)
+ 		return 0;
+ 
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -71,7 +71,6 @@ struct neigh_parms {
+ 	struct net_device *dev;
+ 	struct neigh_parms *next;
+ 	int	(*neigh_setup)(struct neighbour *);
+-	void	(*neigh_cleanup)(struct neighbour *);
+ 	struct neigh_table *tbl;
+ 
+ 	void	*sysctl_table;
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -103,9 +103,6 @@ static int neigh_blackhole(struct neighb
+ 
+ static void neigh_cleanup_and_release(struct neighbour *neigh)
+ {
+-	if (neigh->parms->neigh_cleanup)
+-		neigh->parms->neigh_cleanup(neigh);
+-
+ 	__neigh_notify(neigh, RTM_DELNEIGH, 0);
+ 	neigh_release(neigh);
+ }
diff --git a/queue-3.16/net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch b/queue-3.16/net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch
new file mode 100644
index 0000000..e7612f0
--- /dev/null
+++ b/queue-3.16/net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch
@@ -0,0 +1,148 @@
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Thu, 23 Jan 2020 09:07:26 +1100
+Subject: net/sonic: Add mutual exclusion for accessing shared state
+
+commit 865ad2f2201dc18685ba2686f13217f8b3a9c52c upstream.
+
+The netif_stop_queue() call in sonic_send_packet() races with the
+netif_wake_queue() call in sonic_interrupt(). This causes issues
+like "NETDEV WATCHDOG: eth0 (macsonic): transmit queue 0 timed out".
+Fix this by disabling interrupts when accessing tx_skb[] and next_tx.
+Update a comment to clarify the synchronization properties.
+
+Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 49 ++++++++++++++++++++--------
+ drivers/net/ethernet/natsemi/sonic.h |  1 +
+ 2 files changed, 36 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -50,6 +50,8 @@ static int sonic_open(struct net_device
+ 	if (sonic_debug > 2)
+ 		printk("sonic_open: initializing sonic driver.\n");
+ 
++	spin_lock_init(&lp->lock);
++
+ 	for (i = 0; i < SONIC_NUM_RRS; i++) {
+ 		struct sk_buff *skb = netdev_alloc_skb(dev, SONIC_RBSIZE + 2);
+ 		if (skb == NULL) {
+@@ -194,8 +196,6 @@ static void sonic_tx_timeout(struct net_
+  *   wake the tx queue
+  * Concurrently with all of this, the SONIC is potentially writing to
+  * the status flags of the TDs.
+- * Until some mutual exclusion is added, this code will not work with SMP. However,
+- * MIPS Jazz machines and m68k Macs were all uni-processor machines.
+  */
+ 
+ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
+@@ -203,7 +203,8 @@ static int sonic_send_packet(struct sk_b
+ 	struct sonic_local *lp = netdev_priv(dev);
+ 	dma_addr_t laddr;
+ 	int length;
+-	int entry = lp->next_tx;
++	int entry;
++	unsigned long flags;
+ 
+ 	if (sonic_debug > 2)
+ 		printk("sonic_send_packet: skb=%p, dev=%p\n", skb, dev);
+@@ -226,6 +227,10 @@ static int sonic_send_packet(struct sk_b
+ 		return NETDEV_TX_OK;
+ 	}
+ 
++	spin_lock_irqsave(&lp->lock, flags);
++
++	entry = lp->next_tx;
++
+ 	sonic_tda_put(dev, entry, SONIC_TD_STATUS, 0);       /* clear status */
+ 	sonic_tda_put(dev, entry, SONIC_TD_FRAG_COUNT, 1);   /* single fragment */
+ 	sonic_tda_put(dev, entry, SONIC_TD_PKTSIZE, length); /* length of packet */
+@@ -235,10 +240,6 @@ static int sonic_send_packet(struct sk_b
+ 	sonic_tda_put(dev, entry, SONIC_TD_LINK,
+ 		sonic_tda_get(dev, entry, SONIC_TD_LINK) | SONIC_EOL);
+ 
+-	/*
+-	 * Must set tx_skb[entry] only after clearing status, and
+-	 * before clearing EOL and before stopping queue
+-	 */
+ 	wmb();
+ 	lp->tx_len[entry] = length;
+ 	lp->tx_laddr[entry] = laddr;
+@@ -263,6 +264,8 @@ static int sonic_send_packet(struct sk_b
+ 
+ 	SONIC_WRITE(SONIC_CMD, SONIC_CR_TXP);
+ 
++	spin_unlock_irqrestore(&lp->lock, flags);
++
+ 	return NETDEV_TX_OK;
+ }
+ 
+@@ -275,9 +278,21 @@ static irqreturn_t sonic_interrupt(int i
+ 	struct net_device *dev = dev_id;
+ 	struct sonic_local *lp = netdev_priv(dev);
+ 	int status;
++	unsigned long flags;
++
++	/* The lock has two purposes. Firstly, it synchronizes sonic_interrupt()
++	 * with sonic_send_packet() so that the two functions can share state.
++	 * Secondly, it makes sonic_interrupt() re-entrant, as that is required
++	 * by macsonic which must use two IRQs with different priority levels.
++	 */
++	spin_lock_irqsave(&lp->lock, flags);
++
++	status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT;
++	if (!status) {
++		spin_unlock_irqrestore(&lp->lock, flags);
+ 
+-	if (!(status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT))
+ 		return IRQ_NONE;
++	}
+ 
+ 	do {
+ 		if (status & SONIC_INT_PKTRX) {
+@@ -292,11 +307,12 @@ static irqreturn_t sonic_interrupt(int i
+ 			int td_status;
+ 			int freed_some = 0;
+ 
+-			/* At this point, cur_tx is the index of a TD that is one of:
+-			 *   unallocated/freed                          (status set   & tx_skb[entry] clear)
+-			 *   allocated and sent                         (status set   & tx_skb[entry] set  )
+-			 *   allocated and not yet sent                 (status clear & tx_skb[entry] set  )
+-			 *   still being allocated by sonic_send_packet (status clear & tx_skb[entry] clear)
++			/* The state of a Transmit Descriptor may be inferred
++			 * from { tx_skb[entry], td_status } as follows.
++			 * { clear, clear } => the TD has never been used
++			 * { set,   clear } => the TD was handed to SONIC
++			 * { set,   set   } => the TD was handed back
++			 * { clear, set   } => the TD is available for re-use
+ 			 */
+ 
+ 			if (sonic_debug > 2)
+@@ -398,7 +414,12 @@ static irqreturn_t sonic_interrupt(int i
+ 		/* load CAM done */
+ 		if (status & SONIC_INT_LCD)
+ 			SONIC_WRITE(SONIC_ISR, SONIC_INT_LCD); /* clear the interrupt */
+-	} while((status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT));
++
++		status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT;
++	} while (status);
++
++	spin_unlock_irqrestore(&lp->lock, flags);
++
+ 	return IRQ_HANDLED;
+ }
+ 
+--- a/drivers/net/ethernet/natsemi/sonic.h
++++ b/drivers/net/ethernet/natsemi/sonic.h
+@@ -320,6 +320,7 @@ struct sonic_local {
+ 	unsigned int next_tx;          /* next free TD */
+ 	struct device *device;         /* generic device */
+ 	struct net_device_stats stats;
++	spinlock_t lock;
+ };
+ 
+ #define TX_TIMEOUT (3 * HZ)
diff --git a/queue-3.16/net-sonic-fix-receive-buffer-handling.patch b/queue-3.16/net-sonic-fix-receive-buffer-handling.patch
new file mode 100644
index 0000000..954c7ae
--- /dev/null
+++ b/queue-3.16/net-sonic-fix-receive-buffer-handling.patch
@@ -0,0 +1,106 @@
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Thu, 23 Jan 2020 09:07:26 +1100
+Subject: net/sonic: Fix receive buffer handling
+
+commit 9e311820f67e740f4fb8dcb82b4c4b5b05bdd1a5 upstream.
+
+The SONIC can sometimes advance its rx buffer pointer (RRP register)
+without advancing its rx descriptor pointer (CRDA register). As a result
+the index of the current rx descriptor may not equal that of the current
+rx buffer. The driver mistakenly assumes that they are always equal.
+This assumption leads to incorrect packet lengths and possible packet
+duplication. Avoid this by calling a new function to locate the buffer
+corresponding to a given descriptor.
+
+Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 35 ++++++++++++++++++++++++----
+ drivers/net/ethernet/natsemi/sonic.h |  5 ++--
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -423,6 +423,21 @@ static irqreturn_t sonic_interrupt(int i
+ 	return IRQ_HANDLED;
+ }
+ 
++/* Return the array index corresponding to a given Receive Buffer pointer. */
++static int index_from_addr(struct sonic_local *lp, dma_addr_t addr,
++			   unsigned int last)
++{
++	unsigned int i = last;
++
++	do {
++		i = (i + 1) & SONIC_RRS_MASK;
++		if (addr == lp->rx_laddr[i])
++			return i;
++	} while (i != last);
++
++	return -ENOENT;
++}
++
+ /*
+  * We have a good packet(s), pass it/them up the network stack.
+  */
+@@ -442,6 +457,16 @@ static void sonic_rx(struct net_device *
+ 
+ 		status = sonic_rda_get(dev, entry, SONIC_RD_STATUS);
+ 		if (status & SONIC_RCR_PRX) {
++			u32 addr = (sonic_rda_get(dev, entry,
++						  SONIC_RD_PKTPTR_H) << 16) |
++				   sonic_rda_get(dev, entry, SONIC_RD_PKTPTR_L);
++			int i = index_from_addr(lp, addr, entry);
++
++			if (i < 0) {
++				WARN_ONCE(1, "failed to find buffer!\n");
++				break;
++			}
++
+ 			/* Malloc up new buffer. */
+ 			new_skb = netdev_alloc_skb(dev, SONIC_RBSIZE + 2);
+ 			if (new_skb == NULL) {
+@@ -463,7 +488,7 @@ static void sonic_rx(struct net_device *
+ 
+ 			/* now we have a new skb to replace it, pass the used one up the stack */
+ 			dma_unmap_single(lp->device, lp->rx_laddr[entry], SONIC_RBSIZE, DMA_FROM_DEVICE);
+-			used_skb = lp->rx_skb[entry];
++			used_skb = lp->rx_skb[i];
+ 			pkt_len = sonic_rda_get(dev, entry, SONIC_RD_PKTLEN);
+ 			skb_trim(used_skb, pkt_len);
+ 			used_skb->protocol = eth_type_trans(used_skb, dev);
+@@ -472,13 +497,13 @@ static void sonic_rx(struct net_device *
+ 			lp->stats.rx_bytes += pkt_len;
+ 
+ 			/* and insert the new skb */
+-			lp->rx_laddr[entry] = new_laddr;
+-			lp->rx_skb[entry] = new_skb;
++			lp->rx_laddr[i] = new_laddr;
++			lp->rx_skb[i] = new_skb;
+ 
+ 			bufadr_l = (unsigned long)new_laddr & 0xffff;
+ 			bufadr_h = (unsigned long)new_laddr >> 16;
+-			sonic_rra_put(dev, entry, SONIC_RR_BUFADR_L, bufadr_l);
+-			sonic_rra_put(dev, entry, SONIC_RR_BUFADR_H, bufadr_h);
++			sonic_rra_put(dev, i, SONIC_RR_BUFADR_L, bufadr_l);
++			sonic_rra_put(dev, i, SONIC_RR_BUFADR_H, bufadr_h);
+ 		} else {
+ 			/* This should only happen, if we enable accepting broken packets. */
+ 			lp->stats.rx_errors++;
+--- a/drivers/net/ethernet/natsemi/sonic.h
++++ b/drivers/net/ethernet/natsemi/sonic.h
+@@ -273,8 +273,9 @@
+ #define SONIC_NUM_RDS   SONIC_NUM_RRS /* number of receive descriptors */
+ #define SONIC_NUM_TDS   16            /* number of transmit descriptors */
+ 
+-#define SONIC_RDS_MASK  (SONIC_NUM_RDS-1)
+-#define SONIC_TDS_MASK  (SONIC_NUM_TDS-1)
++#define SONIC_RRS_MASK  (SONIC_NUM_RRS - 1)
++#define SONIC_RDS_MASK  (SONIC_NUM_RDS - 1)
++#define SONIC_TDS_MASK  (SONIC_NUM_TDS - 1)
+ 
+ #define SONIC_RBSIZE	1520          /* size of one resource buffer */
+ 
diff --git a/queue-3.16/net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch b/queue-3.16/net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch
new file mode 100644
index 0000000..34e61b5
--- /dev/null
+++ b/queue-3.16/net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch
@@ -0,0 +1,87 @@
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Thu, 23 Jan 2020 09:07:26 +1100
+Subject: net/sonic: Quiesce SONIC before re-initializing descriptor memory
+
+commit 3f4b7e6a2be982fd8820a2b54d46dd9c351db899 upstream.
+
+Make sure the SONIC's DMA engine is idle before altering the transmit
+and receive descriptors. Add a helper for this as it will be needed
+again.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 25 +++++++++++++++++++++++++
+ drivers/net/ethernet/natsemi/sonic.h |  3 +++
+ 2 files changed, 28 insertions(+)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -103,6 +103,24 @@ static int sonic_open(struct net_device
+ 	return 0;
+ }
+ 
++/* Wait for the SONIC to become idle. */
++static void sonic_quiesce(struct net_device *dev, u16 mask)
++{
++	struct sonic_local * __maybe_unused lp = netdev_priv(dev);
++	int i;
++	u16 bits;
++
++	for (i = 0; i < 1000; ++i) {
++		bits = SONIC_READ(SONIC_CMD) & mask;
++		if (!bits)
++			return;
++		if (irqs_disabled() || in_interrupt())
++			udelay(20);
++		else
++			usleep_range(100, 200);
++	}
++	WARN_ONCE(1, "command deadline expired! 0x%04x\n", bits);
++}
+ 
+ /*
+  * Close the SONIC device
+@@ -120,6 +138,9 @@ static int sonic_close(struct net_device
+ 	/*
+ 	 * stop the SONIC, disable interrupts
+ 	 */
++	SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS);
++	sonic_quiesce(dev, SONIC_CR_ALL);
++
+ 	SONIC_WRITE(SONIC_IMR, 0);
+ 	SONIC_WRITE(SONIC_ISR, 0x7fff);
+ 	SONIC_WRITE(SONIC_CMD, SONIC_CR_RST);
+@@ -159,6 +180,9 @@ static void sonic_tx_timeout(struct net_
+ 	 * put the Sonic into software-reset mode and
+ 	 * disable all interrupts before releasing DMA buffers
+ 	 */
++	SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS);
++	sonic_quiesce(dev, SONIC_CR_ALL);
++
+ 	SONIC_WRITE(SONIC_IMR, 0);
+ 	SONIC_WRITE(SONIC_ISR, 0x7fff);
+ 	SONIC_WRITE(SONIC_CMD, SONIC_CR_RST);
+@@ -638,6 +662,7 @@ static int sonic_init(struct net_device
+ 	 */
+ 	SONIC_WRITE(SONIC_CMD, 0);
+ 	SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS);
++	sonic_quiesce(dev, SONIC_CR_ALL);
+ 
+ 	/*
+ 	 * initialize the receive resource area
+--- a/drivers/net/ethernet/natsemi/sonic.h
++++ b/drivers/net/ethernet/natsemi/sonic.h
+@@ -109,6 +109,9 @@
+ #define SONIC_CR_TXP            0x0002
+ #define SONIC_CR_HTX            0x0001
+ 
++#define SONIC_CR_ALL (SONIC_CR_LCAM | SONIC_CR_RRRA | \
++		      SONIC_CR_RXEN | SONIC_CR_TXP)
++
+ /*
+  * SONIC data configuration bits
+  */
diff --git a/queue-3.16/net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch b/queue-3.16/net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch
new file mode 100644
index 0000000..3b92630
--- /dev/null
+++ b/queue-3.16/net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch
@@ -0,0 +1,34 @@
+From: Mao Wenan <maowenan@huawei.com>
+Date: Thu, 5 Sep 2019 09:57:12 +0800
+Subject: net: sonic: return NETDEV_TX_OK if failed to map buffer
+
+commit 6e1cdedcf0362fed3aedfe051d46bd7ee2a85fe1 upstream.
+
+NETDEV_TX_BUSY really should only be used by drivers that call
+netif_tx_stop_queue() at the wrong moment. If dma_map_single() is
+failed to map tx DMA buffer, it might trigger an infinite loop.
+This patch use NETDEV_TX_OK instead of NETDEV_TX_BUSY, and change
+printk to pr_err_ratelimited.
+
+Fixes: d9fb9f384292 ("*sonic/natsemi/ns83829: Move the National Semi-conductor drivers")
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -221,9 +221,9 @@ static int sonic_send_packet(struct sk_b
+ 
+ 	laddr = dma_map_single(lp->device, skb->data, length, DMA_TO_DEVICE);
+ 	if (!laddr) {
+-		printk(KERN_ERR "%s: failed to map tx DMA buffer.\n", dev->name);
++		pr_err_ratelimited("%s: failed to map tx DMA buffer.\n", dev->name);
+ 		dev_kfree_skb(skb);
+-		return NETDEV_TX_BUSY;
++		return NETDEV_TX_OK;
+ 	}
+ 
+ 	sonic_tda_put(dev, entry, SONIC_TD_STATUS, 0);       /* clear status */
diff --git a/queue-3.16/net-sonic-use-mmio-accessors.patch b/queue-3.16/net-sonic-use-mmio-accessors.patch
new file mode 100644
index 0000000..32a4e7b
--- /dev/null
+++ b/queue-3.16/net-sonic-use-mmio-accessors.patch
@@ -0,0 +1,61 @@
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Thu, 23 Jan 2020 09:07:26 +1100
+Subject: net/sonic: Use MMIO accessors
+
+commit e3885f576196ddfc670b3d53e745de96ffcb49ab upstream.
+
+The driver accesses descriptor memory which is simultaneously accessed by
+the chip, so the compiler must not be allowed to re-order CPU accesses.
+sonic_buf_get() used 'volatile' to prevent that. sonic_buf_put() should
+have done so too but was overlooked.
+
+Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/natsemi/sonic.h | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.h
++++ b/drivers/net/ethernet/natsemi/sonic.h
+@@ -342,30 +342,30 @@ static void sonic_tx_timeout(struct net_
+    as far as we can tell. */
+ /* OpenBSD calls this "SWO".  I'd like to think that sonic_buf_put()
+    is a much better name. */
+-static inline void sonic_buf_put(void* base, int bitmode,
++static inline void sonic_buf_put(u16 *base, int bitmode,
+ 				 int offset, __u16 val)
+ {
+ 	if (bitmode)
+ #ifdef __BIG_ENDIAN
+-		((__u16 *) base + (offset*2))[1] = val;
++		__raw_writew(val, base + (offset * 2) + 1);
+ #else
+-		((__u16 *) base + (offset*2))[0] = val;
++		__raw_writew(val, base + (offset * 2) + 0);
+ #endif
+ 	else
+-	 	((__u16 *) base)[offset] = val;
++		__raw_writew(val, base + (offset * 1) + 0);
+ }
+ 
+-static inline __u16 sonic_buf_get(void* base, int bitmode,
++static inline __u16 sonic_buf_get(u16 *base, int bitmode,
+ 				  int offset)
+ {
+ 	if (bitmode)
+ #ifdef __BIG_ENDIAN
+-		return ((volatile __u16 *) base + (offset*2))[1];
++		return __raw_readw(base + (offset * 2) + 1);
+ #else
+-		return ((volatile __u16 *) base + (offset*2))[0];
++		return __raw_readw(base + (offset * 2) + 0);
+ #endif
+ 	else
+-		return ((volatile __u16 *) base)[offset];
++		return __raw_readw(base + (offset * 1) + 0);
+ }
+ 
+ /* Inlines that you should actually use for reading/writing DMA buffers */
diff --git a/queue-3.16/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch b/queue-3.16/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch
new file mode 100644
index 0000000..041dca9
--- /dev/null
+++ b/queue-3.16/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch
@@ -0,0 +1,30 @@
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Wed, 18 Dec 2019 11:17:41 +0100
+Subject: net: stmmac: 16KB buffer must be 16 byte aligned
+
+commit 8605131747e7e1fd8f6c9f97a00287aae2b2c640 upstream.
+
+The 16KB RX Buffer must also be 16 byte aligned. Fix it.
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/stmicro/stmmac/common.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/common.h
++++ b/drivers/net/ethernet/stmicro/stmmac/common.h
+@@ -270,9 +270,8 @@ struct dma_features {
+ 	unsigned int enh_desc;
+ };
+ 
+-/* GMAC TX FIFO is 8K, Rx FIFO is 16K */
+-#define BUF_SIZE_16KiB 16384
+-/* RX Buffer size must be < 8191 and multiple of 4/8/16 bytes */
++/* RX Buffer size must be multiple of 4/8/16 bytes */
++#define BUF_SIZE_16KiB 16368
+ #define BUF_SIZE_8KiB 8188
+ #define BUF_SIZE_4KiB 4096
+ #define BUF_SIZE_2KiB 2048
diff --git a/queue-3.16/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch b/queue-3.16/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
new file mode 100644
index 0000000..17ce557
--- /dev/null
+++ b/queue-3.16/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
@@ -0,0 +1,29 @@
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Mon, 6 Jan 2020 11:09:22 +0800
+Subject: net: stmmac: dwmac-sunxi: Allow all RGMII modes
+
+commit 52cc73e5404c7ba0cbfc50cb4c265108c84b3d5a upstream.
+
+Allow all the RGMII modes to be used. This would allow us to represent
+the hardware better in the device tree with RGMII_ID where in most
+cases the PHY's internal delay for both RX and TX are used.
+
+Fixes: af0bd4e9ba80 ("net: stmmac: sunxi platform extensions for GMAC in Allwinner A20 SoC's")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
+@@ -78,7 +78,7 @@ static int sun7i_gmac_init(struct platfo
+ 	 * rate, which then uses the auto-reparenting feature of the
+ 	 * clock driver, and enabling/disabling the clock.
+ 	 */
+-	if (gmac->interface == PHY_INTERFACE_MODE_RGMII) {
++	if (phy_interface_mode_is_rgmii(gmac->interface)) {
+ 		clk_set_rate(gmac->tx_clk, SUN7I_GMAC_GMII_RGMII_RATE);
+ 		clk_prepare_enable(gmac->tx_clk);
+ 		gmac->clk_enabled = 1;
diff --git a/queue-3.16/net-stmmac-enable-16kb-buffer-size.patch b/queue-3.16/net-stmmac-enable-16kb-buffer-size.patch
new file mode 100644
index 0000000..b724c27
--- /dev/null
+++ b/queue-3.16/net-stmmac-enable-16kb-buffer-size.patch
@@ -0,0 +1,30 @@
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Wed, 18 Dec 2019 11:17:42 +0100
+Subject: net: stmmac: Enable 16KB buffer size
+
+commit b2f3a481c4cd62f78391b836b64c0a6e72b503d2 upstream.
+
+XGMAC supports maximum MTU that can go to 16KB. Lets add this check in
+the calculation of RX buffer size.
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -904,7 +904,9 @@ static int stmmac_set_bfsize(int mtu, in
+ {
+ 	int ret = bufsize;
+ 
+-	if (mtu >= BUF_SIZE_4KiB)
++	if (mtu >= BUF_SIZE_8KiB)
++		ret = BUF_SIZE_16KiB;
++	else if (mtu >= BUF_SIZE_4KiB)
+ 		ret = BUF_SIZE_8KiB;
+ 	else if (mtu >= BUF_SIZE_2KiB)
+ 		ret = BUF_SIZE_4KiB;
diff --git a/queue-3.16/net_sched-fix-datalen-for-ematch.patch b/queue-3.16/net_sched-fix-datalen-for-ematch.patch
new file mode 100644
index 0000000..a9d2e13
--- /dev/null
+++ b/queue-3.16/net_sched-fix-datalen-for-ematch.patch
@@ -0,0 +1,45 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 22 Jan 2020 15:42:02 -0800
+Subject: net_sched: fix datalen for ematch
+
+commit 61678d28d4a45ef376f5d02a839cc37509ae9281 upstream.
+
+syzbot reported an out-of-bound access in em_nbyte. As initially
+analyzed by Eric, this is because em_nbyte sets its own em->datalen
+in em_nbyte_change() other than the one specified by user, but this
+value gets overwritten later by its caller tcf_em_validate().
+We should leave em->datalen untouched to respect their choices.
+
+I audit all the in-tree ematch users, all of those implement
+->change() set em->datalen, so we can just avoid setting it twice
+in this case.
+
+Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
+Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/sched/ematch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -266,12 +266,12 @@ static int tcf_em_validate(struct tcf_pr
+ 				}
+ 				em->data = (unsigned long) v;
+ 			}
++			em->datalen = data_len;
+ 		}
+ 	}
+ 
+ 	em->matchid = em_hdr->matchid;
+ 	em->flags = em_hdr->flags;
+-	em->datalen = data_len;
+ 
+ 	err = 0;
+ errout:
diff --git a/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch
new file mode 100644
index 0000000..5fcc661
--- /dev/null
+++ b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch
@@ -0,0 +1,146 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 27 Dec 2019 01:33:10 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
+
+commit 1b789577f655060d98d20ed0c6f9fbd469d6ba63 upstream.
+
+We get crash when the targets checkentry function tries to make
+use of the network namespace pointer for arptables.
+
+When the net pointer got added back in 2010, only ip/ip6/ebtables were
+changed to initialize it, so arptables has this set to NULL.
+
+This isn't a problem for normal arptables because no existing
+arptables target has a checkentry function that makes use of par->net.
+
+However, direct users of the setsockopt interface can provide any
+target they want as long as its registered for ARP or UNPSEC protocols.
+
+syzkaller managed to send a semi-valid arptables rule for RATEEST target
+which is enough to trigger NULL deref:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
+[..]
+ xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019
+ check_target net/ipv4/netfilter/arp_tables.c:399 [inline]
+ find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline]
+ translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572
+ do_replace net/ipv4/netfilter/arp_tables.c:977 [inline]
+ do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/netfilter/arp_tables.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -480,11 +480,12 @@ static int mark_source_chains(const stru
+ 	return 1;
+ }
+ 
+-static inline int check_target(struct arpt_entry *e, const char *name)
++static int check_target(struct arpt_entry *e, struct net *net, const char *name)
+ {
+ 	struct xt_entry_target *t = arpt_get_target(e);
+ 	int ret;
+ 	struct xt_tgchk_param par = {
++		.net       = net,
+ 		.table     = name,
+ 		.entryinfo = e,
+ 		.target    = t->u.kernel.target,
+@@ -502,8 +503,9 @@ static inline int check_target(struct ar
+ 	return 0;
+ }
+ 
+-static inline int
+-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
++static int
++find_check_entry(struct arpt_entry *e, struct net *net, const char *name,
++		 unsigned int size)
+ {
+ 	struct xt_entry_target *t;
+ 	struct xt_target *target;
+@@ -519,7 +521,7 @@ find_check_entry(struct arpt_entry *e, c
+ 	}
+ 	t->u.kernel.target = target;
+ 
+-	ret = check_target(e, name);
++	ret = check_target(e, net, name);
+ 	if (ret)
+ 		goto err;
+ 	return 0;
+@@ -617,7 +619,9 @@ static inline void cleanup_entry(struct
+ /* Checks and translates the user-supplied table segment (held in
+  * newinfo).
+  */
+-static int translate_table(struct xt_table_info *newinfo, void *entry0,
++static int translate_table(struct net *net,
++			   struct xt_table_info *newinfo,
++			   void *entry0,
+                            const struct arpt_replace *repl)
+ {
+ 	struct arpt_entry *iter;
+@@ -692,7 +696,7 @@ static int translate_table(struct xt_tab
+ 	/* Finally, each sanity check must pass */
+ 	i = 0;
+ 	xt_entry_foreach(iter, entry0, newinfo->size) {
+-		ret = find_check_entry(iter, repl->name, repl->size);
++		ret = find_check_entry(iter, net, repl->name, repl->size);
+ 		if (ret != 0)
+ 			break;
+ 		++i;
+@@ -1100,7 +1104,7 @@ static int do_replace(struct net *net, c
+ 		goto free_newinfo;
+ 	}
+ 
+-	ret = translate_table(newinfo, loc_cpu_entry, &tmp);
++	ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
+ 	if (ret != 0)
+ 		goto free_newinfo;
+ 
+@@ -1287,7 +1291,8 @@ compat_copy_entry_from_user(struct compa
+ 	}
+ }
+ 
+-static int translate_compat_table(struct xt_table_info **pinfo,
++static int translate_compat_table(struct net *net,
++				  struct xt_table_info **pinfo,
+ 				  void **pentry0,
+ 				  const struct compat_arpt_replace *compatr)
+ {
+@@ -1356,7 +1361,7 @@ static int translate_compat_table(struct
+ 	repl.num_counters = 0;
+ 	repl.counters = NULL;
+ 	repl.size = newinfo->size;
+-	ret = translate_table(newinfo, entry1, &repl);
++	ret = translate_table(net, newinfo, entry1, &repl);
+ 	if (ret)
+ 		goto free_newinfo;
+ 
+@@ -1412,7 +1417,7 @@ static int compat_do_replace(struct net
+ 		goto free_newinfo;
+ 	}
+ 
+-	ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
++	ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
+ 	if (ret != 0)
+ 		goto free_newinfo;
+ 
+@@ -1685,7 +1690,7 @@ struct xt_table *arpt_register_table(str
+ 	loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
+ 	memcpy(loc_cpu_entry, repl->entries, repl->size);
+ 
+-	ret = translate_table(newinfo, loc_cpu_entry, repl);
++	ret = translate_table(net, newinfo, loc_cpu_entry, repl);
+ 	duprintf("arpt_register_table: translate table gives %d\n", ret);
+ 	if (ret != 0)
+ 		goto out_free;
diff --git a/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
new file mode 100644
index 0000000..0b506b0
--- /dev/null
+++ b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
@@ -0,0 +1,126 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 11 Jan 2020 23:19:53 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
+
+commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.
+
+An earlier commit (1b789577f655060d98d20e,
+"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
+fixed missing net initialization for arptables, but turns out it was
+incomplete.  We can get a very similar struct net NULL deref during
+error unwinding:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
+ xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
+ cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
+ translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
+ do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
+ do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461
+
+Also init the netns pointer in xt_tgdtor_param struct.
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[bwh: Backported to 3.16:
+ - __arpt_unregister_table() has not been split out of
+   arpt_unregister_table()
+ - Add "net" parameter to arpt_unregister_table() and update its only
+   caller in arptable_filter.c]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/include/linux/netfilter_arp/arp_tables.h
++++ b/include/linux/netfilter_arp/arp_tables.h
+@@ -51,7 +51,7 @@ extern void *arpt_alloc_initial_table(co
+ extern struct xt_table *arpt_register_table(struct net *net,
+ 					    const struct xt_table *table,
+ 					    const struct arpt_replace *repl);
+-extern void arpt_unregister_table(struct xt_table *table);
++extern void arpt_unregister_table(struct net *, struct xt_table *table);
+ extern unsigned int arpt_do_table(struct sk_buff *skb,
+ 				  unsigned int hook,
+ 				  const struct net_device *in,
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -602,12 +602,13 @@ static inline int check_entry_size_and_h
+ 	return 0;
+ }
+ 
+-static inline void cleanup_entry(struct arpt_entry *e)
++static void cleanup_entry(struct arpt_entry *e, struct net *net)
+ {
+ 	struct xt_tgdtor_param par;
+ 	struct xt_entry_target *t;
+ 
+ 	t = arpt_get_target(e);
++	par.net      = net;
+ 	par.target   = t->u.kernel.target;
+ 	par.targinfo = t->data;
+ 	par.family   = NFPROTO_ARP;
+@@ -706,7 +707,7 @@ static int translate_table(struct net *n
+ 		xt_entry_foreach(iter, entry0, newinfo->size) {
+ 			if (i-- == 0)
+ 				break;
+-			cleanup_entry(iter);
++			cleanup_entry(iter, net);
+ 		}
+ 		return ret;
+ 	}
+@@ -1051,7 +1052,7 @@ static int __do_replace(struct net *net,
+ 	/* Decrease module usage counts and free resource */
+ 	loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()];
+ 	xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+-		cleanup_entry(iter);
++		cleanup_entry(iter, net);
+ 
+ 	xt_free_table_info(oldinfo);
+ 	if (copy_to_user(counters_ptr, counters,
+@@ -1118,7 +1119,7 @@ static int do_replace(struct net *net, c
+ 
+  free_newinfo_untrans:
+ 	xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+-		cleanup_entry(iter);
++		cleanup_entry(iter, net);
+  free_newinfo:
+ 	xt_free_table_info(newinfo);
+ 	return ret;
+@@ -1431,7 +1432,7 @@ static int compat_do_replace(struct net
+ 
+  free_newinfo_untrans:
+ 	xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+-		cleanup_entry(iter);
++		cleanup_entry(iter, net);
+  free_newinfo:
+ 	xt_free_table_info(newinfo);
+ 	return ret;
+@@ -1708,7 +1709,7 @@ out:
+ 	return ERR_PTR(ret);
+ }
+ 
+-void arpt_unregister_table(struct xt_table *table)
++void arpt_unregister_table(struct net *net, struct xt_table *table)
+ {
+ 	struct xt_table_info *private;
+ 	void *loc_cpu_entry;
+@@ -1720,7 +1721,7 @@ void arpt_unregister_table(struct xt_tab
+ 	/* Decrease module usage counts and free resources */
+ 	loc_cpu_entry = private->entries[raw_smp_processor_id()];
+ 	xt_entry_foreach(iter, loc_cpu_entry, private->size)
+-		cleanup_entry(iter);
++		cleanup_entry(iter, net);
+ 	if (private->number > private->initial_entries)
+ 		module_put(table_owner);
+ 	xt_free_table_info(private);
+--- a/net/ipv4/netfilter/arptable_filter.c
++++ b/net/ipv4/netfilter/arptable_filter.c
+@@ -54,7 +54,7 @@ static int __net_init arptable_filter_ne
+ 
+ static void __net_exit arptable_filter_net_exit(struct net *net)
+ {
+-	arpt_unregister_table(net->ipv4.arptable_filter);
++	arpt_unregister_table(net, net->ipv4.arptable_filter);
+ }
+ 
+ static struct pernet_operations arptable_filter_net_ops = {
diff --git a/queue-3.16/netfilter-bridge-make-sure-to-pull-arp-header-in.patch b/queue-3.16/netfilter-bridge-make-sure-to-pull-arp-header-in.patch
new file mode 100644
index 0000000..d9ad846
--- /dev/null
+++ b/queue-3.16/netfilter-bridge-make-sure-to-pull-arp-header-in.patch
@@ -0,0 +1,108 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Dec 2019 14:43:39 -0800
+Subject: netfilter: bridge: make sure to pull arp header in
+ br_nf_forward_arp()
+
+commit 5604285839aaedfb23ebe297799c6e558939334d upstream.
+
+syzbot is kind enough to remind us we need to call skb_may_pull()
+
+BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
+ __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
+ br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+ nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
+ nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
+ nf_hook include/linux/netfilter.h:260 [inline]
+ NF_HOOK include/linux/netfilter.h:303 [inline]
+ __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
+ br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
+ br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
+ nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
+ br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
+ __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
+ __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
+ __netif_receive_skb net/core/dev.c:5043 [inline]
+ process_backlog+0x610/0x13c0 net/core/dev.c:5874
+ napi_poll net/core/dev.c:6311 [inline]
+ net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
+ __do_softirq+0x4a1/0x83a kernel/softirq.c:293
+ do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
+ </IRQ>
+ do_softirq kernel/softirq.c:338 [inline]
+ __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
+ local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
+ rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
+ __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
+ packet_snd net/packet/af_packet.c:2959 [inline]
+ packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45a679
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
+RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
+R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
+ kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
+ kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
+ slab_alloc_node mm/slub.c:2773 [inline]
+ __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
+ sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
+ packet_alloc_skb net/packet/af_packet.c:2807 [inline]
+ packet_snd net/packet/af_packet.c:2902 [inline]
+ packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bridge/br_netfilter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_netfilter.c
++++ b/net/bridge/br_netfilter.c
+@@ -850,6 +850,9 @@ static unsigned int br_nf_forward_arp(co
+ 		nf_bridge_pull_encap_header(skb);
+ 	}
+ 
++	if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
++		return NF_DROP;
++
+ 	if (arp_hdr(skb)->ar_pln != 4) {
+ 		if (IS_VLAN_ARP(skb))
+ 			nf_bridge_push_encap_header(skb);
diff --git a/queue-3.16/netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch b/queue-3.16/netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch
new file mode 100644
index 0000000..6b330d7
--- /dev/null
+++ b/queue-3.16/netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch
@@ -0,0 +1,71 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 15 Nov 2019 12:39:23 +0100
+Subject: netfilter: ctnetlink: netns exit must wait for callbacks
+
+commit 18a110b022a5c02e7dc9f6109d0bd93e58ac6ebb upstream.
+
+Curtis Taylor and Jon Maxwell reported and debugged a crash on 3.10
+based kernel.
+
+Crash occurs in ctnetlink_conntrack_events because net->nfnl socket is
+NULL.  The nfnl socket was set to NULL by netns destruction running on
+another cpu.
+
+The exiting network namespace calls the relevant destructors in the
+following order:
+
+1. ctnetlink_net_exit_batch
+
+This nulls out the event callback pointer in struct netns.
+
+2. nfnetlink_net_exit_batch
+
+This nulls net->nfnl socket and frees it.
+
+3. nf_conntrack_cleanup_net_list
+
+This removes all remaining conntrack entries.
+
+This is order is correct. The only explanation for the crash so ar is:
+
+cpu1: conntrack is dying, eviction occurs:
+ -> nf_ct_delete()
+   -> nf_conntrack_event_report \
+     -> nf_conntrack_eventmask_report
+       -> notify->fcn() (== ctnetlink_conntrack_events).
+
+cpu1: a. fetches rcu protected pointer to obtain ctnetlink event callback.
+      b. gets interrupted.
+ cpu2: runs netns exit handlers:
+     a runs ctnetlink destructor, event cb pointer set to NULL.
+     b runs nfnetlink destructor, nfnl socket is closed and set to NULL.
+cpu1: c. resumes and trips over NULL net->nfnl.
+
+Problem appears to be that ctnetlink_net_exit_batch only prevents future
+callers of nf_conntrack_eventmask_report() from obtaining the callback.
+It doesn't wait of other cpus that might have already obtained the
+callbacks address.
+
+I don't see anything in upstream kernels that would prevent similar
+crash: We need to wait for all cpus to have exited the event callback.
+
+Fixes: 9592a5c01e79dbc59eb56fa ("netfilter: ctnetlink: netns support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/netfilter/nf_conntrack_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3225,6 +3225,9 @@ static void __net_exit ctnetlink_net_exi
+ 
+ 	list_for_each_entry(net, net_exit_list, exit_list)
+ 		ctnetlink_net_exit(net);
++
++	/* wait for other cpus until they are done with ctnl_notifiers */
++	synchronize_rcu();
+ }
+ 
+ static struct pernet_operations ctnetlink_net_ops = {
diff --git a/queue-3.16/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch b/queue-3.16/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
new file mode 100644
index 0000000..637676f
--- /dev/null
+++ b/queue-3.16/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
@@ -0,0 +1,134 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 15 Dec 2019 03:49:25 +0100
+Subject: netfilter: ebtables: compat: reject all padding in matches/watchers
+
+commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe upstream.
+
+syzbot reported following splat:
+
+BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
+
+CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+ compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+ compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
+ compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
+ [..]
+
+Because padding isn't considered during computation of ->buf_user_offset,
+"total" is decremented by fewer bytes than it should.
+
+Therefore, the first part of
+
+if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
+
+will pass, -- it should not have.  This causes oob access:
+entry->next_offset is past the vmalloced size.
+
+Reject padding and check that computed user offset (sum of ebt_entry
+structure plus all individual matches/watchers/targets) is same
+value that userspace gave us as the offset of the next entry.
+
+Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1855,7 +1855,7 @@ static int ebt_buf_count(struct ebt_entr
+ }
+ 
+ static int ebt_buf_add(struct ebt_entries_buf_state *state,
+-		       void *data, unsigned int sz)
++		       const void *data, unsigned int sz)
+ {
+ 	if (state->buf_kern_start == NULL)
+ 		goto count_only;
+@@ -1889,7 +1889,7 @@ enum compat_mwt {
+ 	EBT_COMPAT_TARGET,
+ };
+ 
+-static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
++static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
+ 				enum compat_mwt compat_mwt,
+ 				struct ebt_entries_buf_state *state,
+ 				const unsigned char *base)
+@@ -1966,22 +1966,23 @@ static int compat_mtw_from_user(struct c
+  * return size of all matches, watchers or target, including necessary
+  * alignment and padding.
+  */
+-static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
++static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
+ 			unsigned int size_left, enum compat_mwt type,
+ 			struct ebt_entries_buf_state *state, const void *base)
+ {
++	const char *buf = (const char *)match32;
+ 	int growth = 0;
+-	char *buf;
+ 
+ 	if (size_left == 0)
+ 		return 0;
+ 
+-	buf = (char *) match32;
+-
+-	while (size_left >= sizeof(*match32)) {
++	do {
+ 		struct ebt_entry_match *match_kern;
+ 		int ret;
+ 
++		if (size_left < sizeof(*match32))
++			return -EINVAL;
++
+ 		match_kern = (struct ebt_entry_match *) state->buf_kern_start;
+ 		if (match_kern) {
+ 			char *tmp;
+@@ -2018,22 +2019,18 @@ static int ebt_size_mwt(struct compat_eb
+ 		if (match_kern)
+ 			match_kern->match_size = ret;
+ 
+-		/* rule should have no remaining data after target */
+-		if (type == EBT_COMPAT_TARGET && size_left)
+-			return -EINVAL;
+-
+ 		match32 = (struct compat_ebt_entry_mwt *) buf;
+-	}
++	} while (size_left);
+ 
+ 	return growth;
+ }
+ 
+ /* called for all ebt_entry structures. */
+-static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
++static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
+ 			  unsigned int *total,
+ 			  struct ebt_entries_buf_state *state)
+ {
+-	unsigned int i, j, startoff, new_offset = 0;
++	unsigned int i, j, startoff, next_expected_off, new_offset = 0;
+ 	/* stores match/watchers/targets & offset of next struct ebt_entry: */
+ 	unsigned int offsets[4];
+ 	unsigned int *offsets_update = NULL;
+@@ -2121,11 +2118,13 @@ static int size_entry_mwt(struct ebt_ent
+ 			return ret;
+ 	}
+ 
+-	startoff = state->buf_user_offset - startoff;
++	next_expected_off = state->buf_user_offset - startoff;
++	if (next_expected_off != entry->next_offset)
++		return -EINVAL;
+ 
+-	if (WARN_ON(*total < startoff))
++	if (*total < entry->next_offset)
+ 		return -EINVAL;
+-	*total -= startoff;
++	*total -= entry->next_offset;
+ 	return 0;
+ }
+ 
diff --git a/queue-3.16/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch b/queue-3.16/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
new file mode 100644
index 0000000..00ca11f
--- /dev/null
+++ b/queue-3.16/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
@@ -0,0 +1,103 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 01:24:53 +0100
+Subject: netfilter: ebtables: convert BUG_ONs to WARN_ONs
+
+commit fc6a5d0601c5ac1d02f283a46f60b87b2033e5ca upstream.
+
+All of these conditions are not fatal and should have
+been WARN_ONs from the get-go.
+
+Convert them to WARN_ONs and bail out.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bridge/netfilter/ebtables.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1603,7 +1603,8 @@ static int compat_match_to_user(struct e
+ 	int off = ebt_compat_match_offset(match, m->match_size);
+ 	compat_uint_t msize = m->match_size - off;
+ 
+-	BUG_ON(off >= m->match_size);
++	if (WARN_ON(off >= m->match_size))
++		return -EINVAL;
+ 
+ 	if (copy_to_user(cm->u.name, match->name,
+ 	    strlen(match->name) + 1) || put_user(msize, &cm->match_size))
+@@ -1630,7 +1631,8 @@ static int compat_target_to_user(struct
+ 	int off = xt_compat_target_offset(target);
+ 	compat_uint_t tsize = t->target_size - off;
+ 
+-	BUG_ON(off >= t->target_size);
++	if (WARN_ON(off >= t->target_size))
++		return -EINVAL;
+ 
+ 	if (copy_to_user(cm->u.name, target->name,
+ 	    strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
+@@ -1858,7 +1860,8 @@ static int ebt_buf_add(struct ebt_entrie
+ 	if (state->buf_kern_start == NULL)
+ 		goto count_only;
+ 
+-	BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
++	if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
++		return -EINVAL;
+ 
+ 	memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
+ 
+@@ -1871,7 +1874,8 @@ static int ebt_buf_add_pad(struct ebt_en
+ {
+ 	char *b = state->buf_kern_start;
+ 
+-	BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
++	if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
++		return -EINVAL;
+ 
+ 	if (b != NULL && sz > 0)
+ 		memset(b + state->buf_kern_offset, 0, sz);
+@@ -1949,8 +1953,10 @@ static int compat_mtw_from_user(struct c
+ 	pad = XT_ALIGN(size_kern) - size_kern;
+ 
+ 	if (pad > 0 && dst) {
+-		BUG_ON(state->buf_kern_len <= pad);
+-		BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
++		if (WARN_ON(state->buf_kern_len <= pad))
++			return -EINVAL;
++		if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
++			return -EINVAL;
+ 		memset(dst + size_kern, 0, pad);
+ 	}
+ 	return off + match_size;
+@@ -2001,7 +2007,8 @@ static int ebt_size_mwt(struct compat_eb
+ 		if (ret < 0)
+ 			return ret;
+ 
+-		BUG_ON(ret < match32->match_size);
++		if (WARN_ON(ret < match32->match_size))
++			return -EINVAL;
+ 		growth += ret - match32->match_size;
+ 		growth += ebt_compat_entry_padsize();
+ 
+@@ -2116,7 +2123,8 @@ static int size_entry_mwt(struct ebt_ent
+ 
+ 	startoff = state->buf_user_offset - startoff;
+ 
+-	BUG_ON(*total < startoff);
++	if (WARN_ON(*total < startoff))
++		return -EINVAL;
+ 	*total -= startoff;
+ 	return 0;
+ }
+@@ -2246,7 +2254,8 @@ static int compat_do_replace(struct net
+ 	state.buf_kern_len = size64;
+ 
+ 	ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
+-	BUG_ON(ret < 0);	/* parses same data again */
++	if (WARN_ON(ret < 0))
++		goto out_unlock;
+ 
+ 	vfree(entries_tmp);
+ 	tmp.entries_size = size64;
diff --git a/queue-3.16/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-3.16/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
new file mode 100644
index 0000000..e752149
--- /dev/null
+++ b/queue-3.16/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
@@ -0,0 +1,36 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -66,12 +66,12 @@ mtype_destroy(struct ip_set *set)
+ 	if (SET_WITH_TIMEOUT(set))
+ 		del_timer_sync(&map->gc);
+ 
+-	ip_set_free(map->members);
+ 	if (set->dsize) {
+ 		if (set->extensions & IPSET_EXT_DESTROY)
+ 			mtype_ext_cleanup(set);
+ 		ip_set_free(map->extensions);
+ 	}
++	ip_set_free(map->members);
+ 	kfree(map);
+ 
+ 	set->data = NULL;
diff --git a/queue-3.16/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch b/queue-3.16/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch
new file mode 100644
index 0000000..982895d
--- /dev/null
+++ b/queue-3.16/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch
@@ -0,0 +1,56 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 8 Jan 2020 10:59:38 +0100
+Subject: netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
+
+commit 22dad713b8a5ff488e07b821195270672f486eb2 upstream.
+
+The set uadt functions assume lineno is never NULL, but it is in
+case of ip_set_utest().
+
+syzkaller managed to generate a netlink message that calls this with
+LINENO attr present:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104
+Call Trace:
+ ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867
+ nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563
+
+pass a dummy lineno storage, its easier than patching all set
+implementations.
+
+This seems to be a day-0 bug.
+
+Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com
+Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/netfilter/ipset/ip_set_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1549,6 +1549,7 @@ ip_set_utest(struct sock *ctnl, struct s
+ 	struct ip_set *set;
+ 	struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
+ 	int ret = 0;
++	u32 lineno;
+ 
+ 	if (unlikely(protocol_failed(attr) ||
+ 		     attr[IPSET_ATTR_SETNAME] == NULL ||
+@@ -1565,7 +1566,7 @@ ip_set_utest(struct sock *ctnl, struct s
+ 		return -IPSET_ERR_PROTOCOL;
+ 
+ 	read_lock_bh(&set->lock);
+-	ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
++	ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0);
+ 	read_unlock_bh(&set->lock);
+ 	/* Userspace can't trigger element to be re-added */
+ 	if (ret == -EAGAIN)
diff --git a/queue-3.16/netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch b/queue-3.16/netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch
new file mode 100644
index 0000000..f3f503b
--- /dev/null
+++ b/queue-3.16/netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch
@@ -0,0 +1,75 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 15 May 2017 11:17:29 +0100
+Subject: netfilter: nf_tables: missing sanitization in data from userspace
+
+commit 71df14b0ce094be46d105b5a3ededd83b8e779a0 upstream.
+
+Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and
+cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it
+is still possible to handcraft a netlink message using this incorrect
+data type.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/netfilter/nft_bitwise.c | 19 ++++++++++++++-----
+ net/netfilter/nft_cmp.c     | 12 ++++++++++--
+ 2 files changed, 24 insertions(+), 7 deletions(-)
+
+--- a/net/netfilter/nft_bitwise.c
++++ b/net/netfilter/nft_bitwise.c
+@@ -86,16 +86,25 @@ static int nft_bitwise_init(const struct
+ 	err = nft_data_init(NULL, &priv->mask, &d1, tb[NFTA_BITWISE_MASK]);
+ 	if (err < 0)
+ 		return err;
+-	if (d1.len != priv->len)
+-		return -EINVAL;
++	if (d1.len != priv->len) {
++		err = -EINVAL;
++		goto err1;
++	}
+ 
+ 	err = nft_data_init(NULL, &priv->xor, &d2, tb[NFTA_BITWISE_XOR]);
+ 	if (err < 0)
+-		return err;
+-	if (d2.len != priv->len)
+-		return -EINVAL;
++		goto err1;
++	if (d2.len != priv->len) {
++		err = -EINVAL;
++		goto err2;
++	}
+ 
+ 	return 0;
++err2:
++	nft_data_uninit(&priv->xor, d2.type);
++err1:
++	nft_data_uninit(&priv->mask, d1.type);
++	return err;
+ }
+ 
+ static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr)
+--- a/net/netfilter/nft_cmp.c
++++ b/net/netfilter/nft_cmp.c
+@@ -201,10 +201,18 @@ nft_cmp_select_ops(const struct nft_ctx
+ 	if (err < 0)
+ 		return ERR_PTR(err);
+ 
++	if (desc.type != NFT_DATA_VALUE) {
++		err = -EINVAL;
++		goto err1;
++	}
++
+ 	if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ)
+ 		return &nft_cmp_fast_ops;
+-	else
+-		return &nft_cmp_ops;
++
++	return &nft_cmp_ops;
++err1:
++	nft_data_uninit(&data, desc.type);
++	return ERR_PTR(-EINVAL);
+ }
+ 
+ static struct nft_expr_type nft_cmp_type __read_mostly = {
diff --git a/queue-3.16/netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch b/queue-3.16/netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch
new file mode 100644
index 0000000..f95db03
--- /dev/null
+++ b/queue-3.16/netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch
@@ -0,0 +1,55 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 6 Dec 2019 22:09:14 +0100
+Subject: netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init()
+
+commit 0d2c96af797ba149e559c5875c0151384ab6dd14 upstream.
+
+Userspace might bogusly sent NFT_DATA_VERDICT in several netlink
+attributes that assume NFT_DATA_VALUE. Moreover, make sure that error
+path invokes nft_data_release() to decrement the reference count on the
+chain object.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[bwh: Backported to 3.16:
+ - Drop changes in nft_get_set_elem(), nft_range
+ - Call nft_data_uninit() instead of nft_data_release()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/netfilter/nft_bitwise.c
++++ b/net/netfilter/nft_bitwise.c
+@@ -86,7 +86,7 @@ static int nft_bitwise_init(const struct
+ 	err = nft_data_init(NULL, &priv->mask, &d1, tb[NFTA_BITWISE_MASK]);
+ 	if (err < 0)
+ 		return err;
+-	if (d1.len != priv->len) {
++	if (d1.type != NFT_DATA_VALUE || d1.len != priv->len) {
+ 		err = -EINVAL;
+ 		goto err1;
+ 	}
+@@ -94,7 +94,7 @@ static int nft_bitwise_init(const struct
+ 	err = nft_data_init(NULL, &priv->xor, &d2, tb[NFTA_BITWISE_XOR]);
+ 	if (err < 0)
+ 		goto err1;
+-	if (d2.len != priv->len) {
++	if (d2.type != NFT_DATA_VALUE || d2.len != priv->len) {
+ 		err = -EINVAL;
+ 		goto err2;
+ 	}
+--- a/net/netfilter/nft_cmp.c
++++ b/net/netfilter/nft_cmp.c
+@@ -84,6 +84,12 @@ static int nft_cmp_init(const struct nft
+ 	if (desc.len > U8_MAX)
+ 		return -ERANGE;
+ 
++	if (desc.type != NFT_DATA_VALUE) {
++		err = -EINVAL;
++		nft_data_uninit(&priv->data, desc.type);
++		return err;
++	}
++
+ 	priv->len = desc.len;
+ 	return 0;
+ }
diff --git a/queue-3.16/pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch b/queue-3.16/pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch
new file mode 100644
index 0000000..022bde0
--- /dev/null
+++ b/queue-3.16/pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch
@@ -0,0 +1,90 @@
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 23 Feb 2015 14:53:11 +0200
+Subject: pinctrl: baytrail: Clear interrupt triggering from pins that are in
+ GPIO mode
+
+commit 95f0972c7e4cbf3fc68160131c5ac2f033481d00 upstream.
+
+If the pin is already configured as GPIO and it has any of the triggering
+flags set, we may get spurious interrupts depending on the state of the
+pin.
+
+Prevent this by clearing the triggering flags on such pins. However, if the
+pin is also configured as "direct IRQ" we leave the flags as is. Otherwise
+it will prevent interrupts that are routed directly to IO-APIC.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+[bwh: Backported to 3.16:
+ - Add definition of BYT_DIRECT_IRQ_EN
+ - Adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/pinctrl/pinctrl-baytrail.c
++++ b/drivers/pinctrl/pinctrl-baytrail.c
+@@ -44,6 +44,7 @@
+ 
+ /* BYT_CONF0_REG register bits */
+ #define BYT_IODEN		BIT(31)
++#define BYT_DIRECT_IRQ_EN	BIT(27)
+ #define BYT_TRIG_NEG		BIT(26)
+ #define BYT_TRIG_POS		BIT(25)
+ #define BYT_TRIG_LVL		BIT(24)
+@@ -160,6 +161,19 @@ static void __iomem *byt_gpio_reg(struct
+ 	return vg->reg_base + reg_offset + reg;
+ }
+ 
++static void byt_gpio_clear_triggering(struct byt_gpio *vg, unsigned offset)
++{
++	void __iomem *reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG);
++	unsigned long flags;
++	u32 value;
++
++	spin_lock_irqsave(&vg->lock, flags);
++	value = readl(reg);
++	value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL);
++	writel(value, reg);
++	spin_unlock_irqrestore(&vg->lock, flags);
++}
++
+ static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset)
+ {
+ 	/* SCORE pin 92-93 */
+@@ -213,14 +227,8 @@ static int byt_gpio_request(struct gpio_
+ static void byt_gpio_free(struct gpio_chip *chip, unsigned offset)
+ {
+ 	struct byt_gpio *vg = to_byt_gpio(chip);
+-	void __iomem *reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG);
+-	u32 value;
+-
+-	/* clear interrupt triggering */
+-	value = readl(reg);
+-	value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL);
+-	writel(value, reg);
+ 
++	byt_gpio_clear_triggering(vg, offset);
+ 	pm_runtime_put(&vg->pdev->dev);
+ }
+ 
+@@ -496,6 +504,21 @@ static void byt_gpio_irq_init_hw(struct
+ {
+ 	void __iomem *reg;
+ 	u32 base, value;
++	int i;
++
++	/*
++	 * Clear interrupt triggers for all pins that are GPIOs and
++	 * do not use direct IRQ mode. This will prevent spurious
++	 * interrupts from misconfigured pins.
++	 */
++	for (i = 0; i < vg->chip.ngpio; i++) {
++		value = readl(byt_gpio_reg(&vg->chip, i, BYT_CONF0_REG));
++		if ((value & BYT_PIN_MUX) == byt_get_gpio_mux(vg, i) &&
++		    !(value & BYT_DIRECT_IRQ_EN)) {
++			byt_gpio_clear_triggering(vg, i);
++			dev_dbg(&vg->pdev->dev, "disabling GPIO %d\n", i);
++		}
++	}
+ 
+ 	/* clear interrupt status trigger registers */
+ 	for (base = 0; base < vg->chip.ngpio; base += 32) {
diff --git a/queue-3.16/pinctrl-baytrail-really-serialize-all-register-accesses.patch b/queue-3.16/pinctrl-baytrail-really-serialize-all-register-accesses.patch
new file mode 100644
index 0000000..580257d
--- /dev/null
+++ b/queue-3.16/pinctrl-baytrail-really-serialize-all-register-accesses.patch
@@ -0,0 +1,260 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 19 Nov 2019 16:46:41 +0100
+Subject: pinctrl: baytrail: Really serialize all register accesses
+
+commit 40ecab551232972a39cdd8b6f17ede54a3fdb296 upstream.
+
+Commit 39ce8150a079 ("pinctrl: baytrail: Serialize all register access")
+added a spinlock around all register accesses because:
+
+"There is a hardware issue in Intel Baytrail where concurrent GPIO register
+ access might result reads of 0xffffffff and writes might get dropped
+ completely."
+
+Testing has shown that this does not catch all cases, there are still
+2 problems remaining
+
+1) The original fix uses a spinlock per byt_gpio device / struct,
+additional testing has shown that this is not sufficient concurent
+accesses to 2 different GPIO banks also suffer from the same problem.
+
+This commit fixes this by moving to a single global lock.
+
+2) The original fix did not add a lock around the register accesses in
+the suspend/resume handling.
+
+Since pinctrl-baytrail.c is using normal suspend/resume handlers,
+interrupts are still enabled during suspend/resume handling. Nothing
+should be using the GPIOs when they are being taken down, _but_ the
+GPIOs themselves may still cause interrupts, which are likely to
+use (read) the triggering GPIO. So we need to protect against
+concurrent GPIO register accesses in the suspend/resume handlers too.
+
+This commit fixes this by adding the missing spin_lock / unlock calls.
+
+The 2 fixes together fix the Acer Switch 10 SW5-012 getting completely
+confused after a suspend resume. The DSDT for this device has a bug
+in its _LID method which reprograms the home and power button trigger-
+flags requesting both high and low _level_ interrupts so the IRQs for
+these 2 GPIOs continuously fire. This combined with the saving of
+registers during suspend, triggers concurrent GPIO register accesses
+resulting in saving 0xffffffff as pconf0 value during suspend and then
+when restoring this on resume the pinmux settings get all messed up,
+resulting in various I2C busses being stuck, the wifi no longer working
+and often the tablet simply not coming out of suspend at all.
+
+Fixes: 39ce8150a079 ("pinctrl: baytrail: Serialize all register access")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+[bwh: Backported to 3.16:
+ - Drop changes in functions that don't exist here
+ - Delete local pointers to byt_gpio that become unused
+ - Adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/pinctrl/pinctrl-baytrail.c
++++ b/drivers/pinctrl/pinctrl-baytrail.c
+@@ -140,13 +140,14 @@ struct byt_gpio {
+ 	struct gpio_chip		chip;
+ 	struct irq_domain		*domain;
+ 	struct platform_device		*pdev;
+-	spinlock_t			lock;
+ 	void __iomem			*reg_base;
+ 	struct pinctrl_gpio_range	*range;
+ };
+ 
+ #define to_byt_gpio(c)	container_of(c, struct byt_gpio, chip)
+ 
++static DEFINE_RAW_SPINLOCK(byt_lock);
++
+ static void __iomem *byt_gpio_reg(struct gpio_chip *chip, unsigned offset,
+ 				 int reg)
+ {
+@@ -167,11 +168,11 @@ static void byt_gpio_clear_triggering(st
+ 	unsigned long flags;
+ 	u32 value;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 	value = readl(reg);
+ 	value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL);
+ 	writel(value, reg);
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ }
+ 
+ static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset)
+@@ -196,7 +197,7 @@ static int byt_gpio_request(struct gpio_
+ 	u32 value, gpio_mux;
+ 	unsigned long flags;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 
+ 	/*
+ 	 * In most cases, func pin mux 000 means GPIO function.
+@@ -218,7 +219,7 @@ static int byt_gpio_request(struct gpio_
+ 			 "pin %u forcibly re-configured as GPIO\n", offset);
+ 	}
+ 
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ 
+ 	pm_runtime_get(&vg->pdev->dev);
+ 
+@@ -244,7 +245,7 @@ static int byt_irq_type(struct irq_data
+ 	if (offset >= vg->chip.ngpio)
+ 		return -EINVAL;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 	value = readl(reg);
+ 
+ 	/* For level trigges the BYT_TRIG_POS and BYT_TRIG_NEG bits
+@@ -259,7 +260,7 @@ static int byt_irq_type(struct irq_data
+ 	else if (type & IRQ_TYPE_LEVEL_MASK)
+ 		__irq_set_handler_locked(d->irq, handle_level_irq);
+ 
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ 
+ 	return 0;
+ }
+@@ -267,25 +268,23 @@ static int byt_irq_type(struct irq_data
+ static int byt_gpio_get(struct gpio_chip *chip, unsigned offset)
+ {
+ 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG);
+-	struct byt_gpio *vg = to_byt_gpio(chip);
+ 	unsigned long flags;
+ 	u32 val;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 	val = readl(reg);
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ 
+ 	return val & BYT_LEVEL;
+ }
+ 
+ static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
+ {
+-	struct byt_gpio *vg = to_byt_gpio(chip);
+ 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG);
+ 	unsigned long flags;
+ 	u32 old_val;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 
+ 	old_val = readl(reg);
+ 
+@@ -294,23 +293,22 @@ static void byt_gpio_set(struct gpio_chi
+ 	else
+ 		writel(old_val & ~BYT_LEVEL, reg);
+ 
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ }
+ 
+ static int byt_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
+ {
+-	struct byt_gpio *vg = to_byt_gpio(chip);
+ 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG);
+ 	unsigned long flags;
+ 	u32 value;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 
+ 	value = readl(reg) | BYT_DIR_MASK;
+ 	value &= ~BYT_INPUT_EN;		/* active low */
+ 	writel(value, reg);
+ 
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ 
+ 	return 0;
+ }
+@@ -318,12 +316,11 @@ static int byt_gpio_direction_input(stru
+ static int byt_gpio_direction_output(struct gpio_chip *chip,
+ 				     unsigned gpio, int value)
+ {
+-	struct byt_gpio *vg = to_byt_gpio(chip);
+ 	void __iomem *reg = byt_gpio_reg(chip, gpio, BYT_VAL_REG);
+ 	unsigned long flags;
+ 	u32 reg_val;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 
+ 	reg_val = readl(reg) | BYT_DIR_MASK;
+ 	reg_val &= ~(BYT_OUTPUT_EN | BYT_INPUT_EN);
+@@ -333,7 +330,7 @@ static int byt_gpio_direction_output(str
+ 	else
+ 		writel(reg_val & ~BYT_LEVEL, reg);
+ 
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ 
+ 	return 0;
+ }
+@@ -345,7 +342,7 @@ static void byt_gpio_dbg_show(struct seq
+ 	unsigned long flags;
+ 	u32 conf0, val, offs;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 
+ 	for (i = 0; i < vg->chip.ngpio; i++) {
+ 		const char *pull_str = NULL;
+@@ -406,7 +403,7 @@ static void byt_gpio_dbg_show(struct seq
+ 
+ 		seq_puts(s, "\n");
+ 	}
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ }
+ 
+ static int byt_gpio_to_irq(struct gpio_chip *chip, unsigned offset)
+@@ -444,10 +441,10 @@ static void byt_irq_ack(struct irq_data
+ 	unsigned offset = irqd_to_hwirq(d);
+ 	void __iomem *reg;
+ 
+-	spin_lock(&vg->lock);
++	raw_spin_lock(&byt_lock);
+ 	reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG);
+ 	writel(BIT(offset % 32), reg);
+-	spin_unlock(&vg->lock);
++	raw_spin_unlock(&byt_lock);
+ }
+ 
+ static void byt_irq_unmask(struct irq_data *d)
+@@ -459,7 +456,7 @@ static void byt_irq_unmask(struct irq_da
+ 	void __iomem *reg;
+ 	u32 value;
+ 
+-	spin_lock_irqsave(&vg->lock, flags);
++	raw_spin_lock_irqsave(&byt_lock, flags);
+ 
+ 	reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG);
+ 	value = readl(reg);
+@@ -482,7 +479,7 @@ static void byt_irq_unmask(struct irq_da
+ 
+ 	writel(value, reg);
+ 
+-	spin_unlock_irqrestore(&vg->lock, flags);
++	raw_spin_unlock_irqrestore(&byt_lock, flags);
+ }
+ 
+ static void byt_irq_mask(struct irq_data *d)
+@@ -613,8 +610,6 @@ static int byt_gpio_probe(struct platfor
+ 	if (IS_ERR(vg->reg_base))
+ 		return PTR_ERR(vg->reg_base);
+ 
+-	spin_lock_init(&vg->lock);
+-
+ 	gc = &vg->chip;
+ 	gc->label = dev_name(&pdev->dev);
+ 	gc->owner = THIS_MODULE;
diff --git a/queue-3.16/pinctrl-baytrail-relax-gpio-request-rules.patch b/queue-3.16/pinctrl-baytrail-relax-gpio-request-rules.patch
new file mode 100644
index 0000000..31dad02
--- /dev/null
+++ b/queue-3.16/pinctrl-baytrail-relax-gpio-request-rules.patch
@@ -0,0 +1,96 @@
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 23 Feb 2015 14:53:10 +0200
+Subject: pinctrl: baytrail: Relax GPIO request rules
+
+commit f8323b6bb2cc7d26941d4838dd4375952980a88a upstream.
+
+Zotac ZBOX PI320, a Baytrail based mini-PC, has power button connected to a
+GPIO pin and it is exposed to the operating system as Windows 8 button
+array. This is implemented in Linux as a driver using gpio_keys.
+
+However, BIOS on this particula machine forgot to mux the pin to be a GPIO
+instead of native function, which results following message to be seen on
+the console:
+
+ byt_gpio INT33FC:02: pin 16 cannot be used as GPIO.
+
+This causes power button to not work as the driver was not able to request
+the GPIO it needs.
+
+So instead of completely preventing this we allow turning the pin as GPIO
+but issue warning that something might be wrong.
+
+Reported-by: Benjamin Adler <benadler@gmx.net>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pinctrl/pinctrl-baytrail.c | 35 +++++++++++++++---------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-baytrail.c
++++ b/drivers/pinctrl/pinctrl-baytrail.c
+@@ -160,40 +160,49 @@ static void __iomem *byt_gpio_reg(struct
+ 	return vg->reg_base + reg_offset + reg;
+ }
+ 
+-static bool is_special_pin(struct byt_gpio *vg, unsigned offset)
++static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset)
+ {
+ 	/* SCORE pin 92-93 */
+ 	if (!strcmp(vg->range->name, BYT_SCORE_ACPI_UID) &&
+ 		offset >= 92 && offset <= 93)
+-		return true;
++		return 1;
+ 
+ 	/* SUS pin 11-21 */
+ 	if (!strcmp(vg->range->name, BYT_SUS_ACPI_UID) &&
+ 		offset >= 11 && offset <= 21)
+-		return true;
++		return 1;
+ 
+-	return false;
++	return 0;
+ }
+ 
+ static int byt_gpio_request(struct gpio_chip *chip, unsigned offset)
+ {
+ 	struct byt_gpio *vg = to_byt_gpio(chip);
+ 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_CONF0_REG);
+-	u32 value;
+-	bool special;
++	u32 value, gpio_mux;
+ 
+ 	/*
+ 	 * In most cases, func pin mux 000 means GPIO function.
+ 	 * But, some pins may have func pin mux 001 represents
+-	 * GPIO function. Only allow user to export pin with
+-	 * func pin mux preset as GPIO function by BIOS/FW.
++	 * GPIO function.
++	 *
++	 * Because there are devices out there where some pins were not
++	 * configured correctly we allow changing the mux value from
++	 * request (but print out warning about that).
+ 	 */
+ 	value = readl(reg) & BYT_PIN_MUX;
+-	special = is_special_pin(vg, offset);
+-	if ((special && value != 1) || (!special && value)) {
+-		dev_err(&vg->pdev->dev,
+-			"pin %u cannot be used as GPIO.\n", offset);
+-		return -EINVAL;
++	gpio_mux = byt_get_gpio_mux(vg, offset);
++	if (WARN_ON(gpio_mux != value)) {
++		unsigned long flags;
++
++		spin_lock_irqsave(&vg->lock, flags);
++		value = readl(reg) & ~BYT_PIN_MUX;
++		value |= gpio_mux;
++		writel(value, reg);
++		spin_unlock_irqrestore(&vg->lock, flags);
++
++		dev_warn(&vg->pdev->dev,
++			 "pin %u forcibly re-configured as GPIO\n", offset);
+ 	}
+ 
+ 	pm_runtime_get(&vg->pdev->dev);
diff --git a/queue-3.16/pinctrl-baytrail-rework-interrupt-handling.patch b/queue-3.16/pinctrl-baytrail-rework-interrupt-handling.patch
new file mode 100644
index 0000000..f05a6d1
--- /dev/null
+++ b/queue-3.16/pinctrl-baytrail-rework-interrupt-handling.patch
@@ -0,0 +1,175 @@
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 23 Feb 2015 14:53:12 +0200
+Subject: pinctrl: baytrail: Rework interrupt handling
+
+commit 31e4329f99062a06dca5a493bb4495a63b2dc6ba upstream.
+
+Instead of handling everything in the driver's first level interrupt
+handler, we can take advantage of already existing flow handlers that are
+provided by the IRQ core.
+
+This changes the functionality a bit also. Previously the driver looped
+over pending interrupts in a single loop, restarting the loop if some
+interrupt changed state. This caused problem with Lenovo Thinkpad 10
+digitizer that it was not able to deassert the interrupt before the driver
+disabled the interrupt for good (looplimit was exhausted).
+
+Rework the interrupt handling logic a bit so that we provide proper mask,
+ack and unmask operations in terms of Baytrail GPIO hardware and loop over
+pending interrupts only once. If the interrupt remains asserted the first
+level handler will be re-triggered automatically.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+[bwh: Backported to 3.16 as dependency of commit 39ce8150a079
+ "pinctrl: baytrail: Serialize all register access":
+ - Adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pinctrl/pinctrl-baytrail.c | 100 +++++++++++++----------
+ 1 file changed, 56 insertions(+), 44 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-baytrail.c
++++ b/drivers/pinctrl/pinctrl-baytrail.c
+@@ -251,23 +251,13 @@ static int byt_irq_type(struct irq_data
+ 	 */
+ 	value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL);
+ 
+-	switch (type) {
+-	case IRQ_TYPE_LEVEL_HIGH:
+-		value |= BYT_TRIG_LVL;
+-	case IRQ_TYPE_EDGE_RISING:
+-		value |= BYT_TRIG_POS;
+-		break;
+-	case IRQ_TYPE_LEVEL_LOW:
+-		value |= BYT_TRIG_LVL;
+-	case IRQ_TYPE_EDGE_FALLING:
+-		value |= BYT_TRIG_NEG;
+-		break;
+-	case IRQ_TYPE_EDGE_BOTH:
+-		value |= (BYT_TRIG_NEG | BYT_TRIG_POS);
+-		break;
+-	}
+ 	writel(value, reg);
+ 
++	if (type & IRQ_TYPE_EDGE_BOTH)
++		__irq_set_handler_locked(d->irq, handle_edge_irq);
++	else if (type & IRQ_TYPE_LEVEL_MASK)
++		__irq_set_handler_locked(d->irq, handle_level_irq);
++
+ 	spin_unlock_irqrestore(&vg->lock, flags);
+ 
+ 	return 0;
+@@ -421,54 +411,75 @@ static void byt_gpio_irq_handler(unsigne
+ 	struct irq_data *data = irq_desc_get_irq_data(desc);
+ 	struct byt_gpio *vg = irq_data_get_irq_handler_data(data);
+ 	struct irq_chip *chip = irq_data_get_irq_chip(data);
+-	u32 base, pin, mask;
++	u32 base, pin;
+ 	void __iomem *reg;
+-	u32 pending;
++	unsigned long pending;
+ 	unsigned virq;
+-	int looplimit = 0;
+ 
+ 	/* check from GPIO controller which pin triggered the interrupt */
+ 	for (base = 0; base < vg->chip.ngpio; base += 32) {
+-
+ 		reg = byt_gpio_reg(&vg->chip, base, BYT_INT_STAT_REG);
+-
+-		while ((pending = readl(reg))) {
+-			pin = __ffs(pending);
+-			mask = BIT(pin);
+-			/* Clear before handling so we can't lose an edge */
+-			writel(mask, reg);
+-
++		pending = readl(reg);
++		for_each_set_bit(pin, &pending, 32) {
+ 			virq = irq_find_mapping(vg->domain, base + pin);
+ 			generic_handle_irq(virq);
+-
+-			/* In case bios or user sets triggering incorretly a pin
+-			 * might remain in "interrupt triggered" state.
+-			 */
+-			if (looplimit++ > 32) {
+-				dev_err(&vg->pdev->dev,
+-					"Gpio %d interrupt flood, disabling\n",
+-					base + pin);
+-
+-				reg = byt_gpio_reg(&vg->chip, base + pin,
+-						   BYT_CONF0_REG);
+-				mask = readl(reg);
+-				mask &= ~(BYT_TRIG_NEG | BYT_TRIG_POS |
+-					  BYT_TRIG_LVL);
+-				writel(mask, reg);
+-				mask = readl(reg); /* flush */
+-				break;
+-			}
+ 		}
+ 	}
+ 	chip->irq_eoi(data);
+ }
+ 
++static void byt_irq_ack(struct irq_data *d)
++{
++	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++	struct byt_gpio *vg = to_byt_gpio(gc);
++	unsigned offset = irqd_to_hwirq(d);
++	void __iomem *reg;
++
++	reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG);
++	writel(BIT(offset % 32), reg);
++}
++
+ static void byt_irq_unmask(struct irq_data *d)
+ {
++	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++	struct byt_gpio *vg = to_byt_gpio(gc);
++	unsigned offset = irqd_to_hwirq(d);
++	unsigned long flags;
++	void __iomem *reg;
++	u32 value;
++
++	spin_lock_irqsave(&vg->lock, flags);
++
++	reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG);
++	value = readl(reg);
++
++	switch (irqd_get_trigger_type(d)) {
++	case IRQ_TYPE_LEVEL_HIGH:
++		value |= BYT_TRIG_LVL;
++	case IRQ_TYPE_EDGE_RISING:
++		value |= BYT_TRIG_POS;
++		break;
++	case IRQ_TYPE_LEVEL_LOW:
++		value |= BYT_TRIG_LVL;
++	case IRQ_TYPE_EDGE_FALLING:
++		value |= BYT_TRIG_NEG;
++		break;
++	case IRQ_TYPE_EDGE_BOTH:
++		value |= (BYT_TRIG_NEG | BYT_TRIG_POS);
++		break;
++	}
++
++	writel(value, reg);
++
++	spin_unlock_irqrestore(&vg->lock, flags);
+ }
+ 
+ static void byt_irq_mask(struct irq_data *d)
+ {
++	struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++	struct byt_gpio *vg = to_byt_gpio(gc);
++
++	byt_gpio_clear_triggering(vg, irqd_to_hwirq(d));
+ }
+ 
+ static int byt_irq_reqres(struct irq_data *d)
+@@ -493,6 +504,7 @@ static void byt_irq_relres(struct irq_da
+ 
+ static struct irq_chip byt_irqchip = {
+ 	.name = "BYT-GPIO",
++	.irq_ack = byt_irq_ack,
+ 	.irq_mask = byt_irq_mask,
+ 	.irq_unmask = byt_irq_unmask,
+ 	.irq_set_type = byt_irq_type,
diff --git a/queue-3.16/pinctrl-baytrail-serialize-all-register-access.patch b/queue-3.16/pinctrl-baytrail-serialize-all-register-access.patch
new file mode 100644
index 0000000..834bfc2
--- /dev/null
+++ b/queue-3.16/pinctrl-baytrail-serialize-all-register-access.patch
@@ -0,0 +1,83 @@
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Tue, 4 Aug 2015 15:03:14 +0300
+Subject: pinctrl: baytrail: Serialize all register access
+
+commit 39ce8150a079e3ae6ed9abf26d7918a558ef7c19 upstream.
+
+There is a hardware issue in Intel Baytrail where concurrent GPIO register
+access might result reads of 0xffffffff and writes might get dropped
+completely.
+
+Prevent this from happening by taking the serializing lock in all places
+where it is possible that more than one thread might be accessing the
+hardware concurrently.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pinctrl/pinctrl-baytrail.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-baytrail.c
++++ b/drivers/pinctrl/pinctrl-baytrail.c
+@@ -194,6 +194,9 @@ static int byt_gpio_request(struct gpio_
+ 	struct byt_gpio *vg = to_byt_gpio(chip);
+ 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_CONF0_REG);
+ 	u32 value, gpio_mux;
++	unsigned long flags;
++
++	spin_lock_irqsave(&vg->lock, flags);
+ 
+ 	/*
+ 	 * In most cases, func pin mux 000 means GPIO function.
+@@ -207,18 +210,16 @@ static int byt_gpio_request(struct gpio_
+ 	value = readl(reg) & BYT_PIN_MUX;
+ 	gpio_mux = byt_get_gpio_mux(vg, offset);
+ 	if (WARN_ON(gpio_mux != value)) {
+-		unsigned long flags;
+-
+-		spin_lock_irqsave(&vg->lock, flags);
+ 		value = readl(reg) & ~BYT_PIN_MUX;
+ 		value |= gpio_mux;
+ 		writel(value, reg);
+-		spin_unlock_irqrestore(&vg->lock, flags);
+ 
+ 		dev_warn(&vg->pdev->dev,
+ 			 "pin %u forcibly re-configured as GPIO\n", offset);
+ 	}
+ 
++	spin_unlock_irqrestore(&vg->lock, flags);
++
+ 	pm_runtime_get(&vg->pdev->dev);
+ 
+ 	return 0;
+@@ -266,7 +267,15 @@ static int byt_irq_type(struct irq_data
+ static int byt_gpio_get(struct gpio_chip *chip, unsigned offset)
+ {
+ 	void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG);
+-	return readl(reg) & BYT_LEVEL;
++	struct byt_gpio *vg = to_byt_gpio(chip);
++	unsigned long flags;
++	u32 val;
++
++	spin_lock_irqsave(&vg->lock, flags);
++	val = readl(reg);
++	spin_unlock_irqrestore(&vg->lock, flags);
++
++	return val & BYT_LEVEL;
+ }
+ 
+ static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
+@@ -435,8 +444,10 @@ static void byt_irq_ack(struct irq_data
+ 	unsigned offset = irqd_to_hwirq(d);
+ 	void __iomem *reg;
+ 
++	spin_lock(&vg->lock);
+ 	reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG);
+ 	writel(BIT(offset % 32), reg);
++	spin_unlock(&vg->lock);
+ }
+ 
+ static void byt_irq_unmask(struct irq_data *d)
diff --git a/queue-3.16/pkt_sched-fq-avoid-hang-when-quantum-0.patch b/queue-3.16/pkt_sched-fq-avoid-hang-when-quantum-0.patch
new file mode 100644
index 0000000..f93a631
--- /dev/null
+++ b/queue-3.16/pkt_sched-fq-avoid-hang-when-quantum-0.patch
@@ -0,0 +1,40 @@
+From: Kenneth Klette Jonassen <kennetkl@ifi.uio.no>
+Date: Tue, 3 Feb 2015 17:49:18 +0100
+Subject: pkt_sched: fq: avoid hang when quantum 0
+
+commit 3725a269815ba6dbb415feddc47da5af7d1fac58 upstream.
+
+Configuring fq with quantum 0 hangs the system, presumably because of a
+non-interruptible infinite loop. Either way quantum 0 does not make sense.
+
+Reproduce with:
+sudo tc qdisc add dev lo root fq quantum 0 initial_quantum 0
+ping 127.0.0.1
+
+Signed-off-by: Kenneth Klette Jonassen <kennetkl@ifi.uio.no>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/sched/sch_fq.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -687,8 +687,14 @@ static int fq_change(struct Qdisc *sch,
+ 	if (tb[TCA_FQ_FLOW_PLIMIT])
+ 		q->flow_plimit = nla_get_u32(tb[TCA_FQ_FLOW_PLIMIT]);
+ 
+-	if (tb[TCA_FQ_QUANTUM])
+-		q->quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]);
++	if (tb[TCA_FQ_QUANTUM]) {
++		u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]);
++
++		if (quantum > 0)
++			q->quantum = quantum;
++		else
++			err = -EINVAL;
++	}
+ 
+ 	if (tb[TCA_FQ_INITIAL_QUANTUM])
+ 		q->initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]);
diff --git a/queue-3.16/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch b/queue-3.16/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
new file mode 100644
index 0000000..d54f038
--- /dev/null
+++ b/queue-3.16/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
@@ -0,0 +1,42 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 6 Jan 2020 06:10:39 -0800
+Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
+
+commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 upstream.
+
+As diagnosed by Florian :
+
+If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue()
+can loop forever in :
+
+if (f->credit <= 0) {
+  f->credit += q->quantum;
+  goto begin;
+}
+
+... because f->credit is either 0 or -2147483648.
+
+Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 :
+This max value should limit risks of breaking user setups
+while fixing this bug.
+
+Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Diagnosed-by: Florian Westphal <fw@strlen.de>
+Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: Drop call to NL_SET_ERR_MSG_MOD() as extack is
+ not supported.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -690,7 +690,7 @@ static int fq_change(struct Qdisc *sch,
+ 	if (tb[TCA_FQ_QUANTUM]) {
+ 		u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]);
+ 
+-		if (quantum > 0)
++		if (quantum > 0 && quantum <= (1 << 20))
+ 			q->quantum = quantum;
+ 		else
+ 			err = -EINVAL;
diff --git a/queue-3.16/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch b/queue-3.16/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch
new file mode 100644
index 0000000..71a8a9a
--- /dev/null
+++ b/queue-3.16/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch
@@ -0,0 +1,36 @@
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Mon, 30 Dec 2019 16:30:45 +0800
+Subject: platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
+
+commit 176a7fca81c5090a7240664e3002c106d296bf31 upstream.
+
+Some of ASUS laptops like UX431FL keyboard backlight cannot be set to
+brightness 0. According to ASUS' information, the brightness should be
+0x80 ~ 0x83. This patch fixes it by following the logic.
+
+Fixes: e9809c0b9670 ("asus-wmi: add keyboard backlight support")
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Reviewed-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/platform/x86/asus-wmi.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -386,13 +386,7 @@ static void kbd_led_update(struct work_s
+ 
+ 	asus = container_of(work, struct asus_wmi, kbd_led_work);
+ 
+-	/*
+-	 * bits 0-2: level
+-	 * bit 7: light on/off
+-	 */
+-	if (asus->kbd_led_wk > 0)
+-		ctrl_param = 0x80 | (asus->kbd_led_wk & 0x7F);
+-
++	ctrl_param = 0x80 | (asus->kbd_led_wk & 0x7F);
+ 	asus_wmi_set_devstate(ASUS_WMI_DEVID_KBD_BACKLIGHT, ctrl_param, NULL);
+ }
+ 
diff --git a/queue-3.16/platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch b/queue-3.16/platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch
new file mode 100644
index 0000000..5ca4cae
--- /dev/null
+++ b/queue-3.16/platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch
@@ -0,0 +1,38 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 17 Dec 2019 20:06:04 +0100
+Subject: platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes
+
+commit 133b2acee3871ae6bf123b8fe34be14464aa3d2c upstream.
+
+At least on the HP Envy x360 15-cp0xxx model the WMI interface
+for HPWMI_FEATURE2_QUERY requires an outsize of at least 128 bytes,
+otherwise it fails with an error code 5 (HPWMI_RET_INVALID_PARAMETERS):
+
+Dec 06 00:59:38 kernel: hp_wmi: query 0xd returned error 0x5
+
+We do not care about the contents of the buffer, we just want to know
+if the HPWMI_FEATURE2_QUERY command is supported.
+
+This commits bumps the buffer size, fixing the error.
+
+Fixes: 8a1513b4932 ("hp-wmi: limit hotkey enable")
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/platform/x86/hp-wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -309,7 +309,7 @@ static int __init hp_wmi_bios_2008_later
+ 
+ static int __init hp_wmi_bios_2009_later(void)
+ {
+-	int state = 0;
++	u8 state[128];
+ 	int ret = hp_wmi_perform_query(HPWMI_FEATURE2_QUERY, 0, &state,
+ 				       sizeof(state), sizeof(state));
+ 	if (!ret)
diff --git a/queue-3.16/powerpc-irq-fix-stack-overflow-verification.patch b/queue-3.16/powerpc-irq-fix-stack-overflow-verification.patch
new file mode 100644
index 0000000..28d6862
--- /dev/null
+++ b/queue-3.16/powerpc-irq-fix-stack-overflow-verification.patch
@@ -0,0 +1,45 @@
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 9 Dec 2019 06:19:08 +0000
+Subject: powerpc/irq: fix stack overflow verification
+
+commit 099bc4812f09155da77eeb960a983470249c9ce1 upstream.
+
+Before commit 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of
+the irq stack"), check_stack_overflow() was called by do_IRQ(), before
+switching to the irq stack.
+In that commit, do_IRQ() was renamed __do_irq(), and is now executing
+on the irq stack, so check_stack_overflow() has just become almost
+useless.
+
+Move check_stack_overflow() call in do_IRQ() to do the check while
+still on the current stack.
+
+Fixes: 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of the irq stack")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/e033aa8116ab12b7ca9a9c75189ad0741e3b9b5f.1575872340.git.christophe.leroy@c-s.fr
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/kernel/irq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -471,8 +471,6 @@ void __do_irq(struct pt_regs *regs)
+ 
+ 	trace_irq_entry(regs);
+ 
+-	check_stack_overflow();
+-
+ 	/*
+ 	 * Query the platform PIC for the interrupt & ack it.
+ 	 *
+@@ -504,6 +502,8 @@ void do_IRQ(struct pt_regs *regs)
+ 	irqtp = hardirq_ctx[raw_smp_processor_id()];
+ 	sirqtp = softirq_ctx[raw_smp_processor_id()];
+ 
++	check_stack_overflow();
++
+ 	/* Already there ? */
+ 	if (unlikely(curtp == irqtp || curtp == sirqtp)) {
+ 		__do_irq(regs);
diff --git a/queue-3.16/quota-fix-wrong-condition-in-is_quota_modification.patch b/queue-3.16/quota-fix-wrong-condition-in-is_quota_modification.patch
new file mode 100644
index 0000000..3b8025a
--- /dev/null
+++ b/queue-3.16/quota-fix-wrong-condition-in-is_quota_modification.patch
@@ -0,0 +1,42 @@
+From: Chao Yu <yuchao0@huawei.com>
+Date: Wed, 11 Sep 2019 17:36:50 +0800
+Subject: quota: fix wrong condition in is_quota_modification()
+
+commit 6565c182094f69e4ffdece337d395eb7ec760efc upstream.
+
+Quoted from
+commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize")
+
+" At LSF we decided that if we truncate up from isize we shouldn't trim
+  fallocated blocks that were fallocated with KEEP_SIZE and are past the
+ new i_size.  This patch fixes ext4 to do this. "
+
+And generic/092 of fstest have covered this case for long time, however
+is_quota_modification() didn't adjust based on that rule, so that in
+below condition, we will lose to quota block change:
+- fallocate blocks beyond EOF
+- remount
+- truncate(file_path, file_size)
+
+Fix it.
+
+Link: https://lore.kernel.org/r/20190911093650.35329-1-yuchao0@huawei.com
+Fixes: 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/quotaops.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/quotaops.h
++++ b/include/linux/quotaops.h
+@@ -21,7 +21,7 @@ static inline struct quota_info *sb_dqop
+ /* i_mutex must being held */
+ static inline bool is_quota_modification(struct inode *inode, struct iattr *ia)
+ {
+-	return (ia->ia_valid & ATTR_SIZE && ia->ia_size != inode->i_size) ||
++	return (ia->ia_valid & ATTR_SIZE) ||
+ 		(ia->ia_valid & ATTR_UID && !uid_eq(ia->ia_uid, inode->i_uid)) ||
+ 		(ia->ia_valid & ATTR_GID && !gid_eq(ia->ia_gid, inode->i_gid));
+ }
diff --git a/queue-3.16/r8152-add-missing-endpoint-sanity-check.patch b/queue-3.16/r8152-add-missing-endpoint-sanity-check.patch
new file mode 100644
index 0000000..ea0db1c
--- /dev/null
+++ b/queue-3.16/r8152-add-missing-endpoint-sanity-check.patch
@@ -0,0 +1,32 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Jan 2020 09:27:29 +0100
+Subject: r8152: add missing endpoint sanity check
+
+commit 86f3f4cd53707ceeec079b83205c8d3c756eca93 upstream.
+
+Add missing endpoint sanity check to probe in order to prevent a
+NULL-pointer dereference (or slab out-of-bounds access) when retrieving
+the interrupt-endpoint bInterval on ndo_open() in case a device lacks
+the expected endpoints.
+
+Fixes: 40a82917b1d3 ("net/usb/r8152: enable interrupt transfer")
+Cc: hayeswang <hayeswang@realtek.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3425,6 +3425,9 @@ static int rtl8152_probe(struct usb_inte
+ 		return -ENODEV;
+ 	}
+ 
++	if (intf->cur_altsetting->desc.bNumEndpoints < 3)
++		return -ENODEV;
++
+ 	usb_reset_device(udev);
+ 	netdev = alloc_etherdev(sizeof(struct r8152));
+ 	if (!netdev) {
diff --git a/queue-3.16/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch b/queue-3.16/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch
new file mode 100644
index 0000000..0ab2bac
--- /dev/null
+++ b/queue-3.16/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch
@@ -0,0 +1,41 @@
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Wed, 8 Jan 2020 17:21:32 -0800
+Subject: scsi: enclosure: Fix stale device oops with hot replug
+
+commit 529244bd1afc102ab164429d338d310d5d65e60d upstream.
+
+Doing an add/remove/add on a SCSI device in an enclosure leads to an oops
+caused by poisoned values in the enclosure device list pointers.  The
+reason is because we are keeping the enclosure device across the enclosed
+device add/remove/add but the current code is doing a
+device_add/device_del/device_add on it.  This is the wrong thing to do in
+sysfs, so fix it by not doing a device_del on the enclosure device simply
+because of a hot remove of the drive in the slot.
+
+[mkp: added missing email addresses]
+
+Fixes: 43d8eb9cfd0a ("[SCSI] ses: add support for enclosure component hot removal")
+Link: https://lore.kernel.org/r/1578532892.3852.10.camel@HansenPartnership.com
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reported-by: Luo Jiaxing <luojiaxing@huawei.com>
+Tested-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/misc/enclosure.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/misc/enclosure.c
++++ b/drivers/misc/enclosure.c
+@@ -364,10 +364,9 @@ int enclosure_remove_device(struct enclo
+ 		cdev = &edev->component[i];
+ 		if (cdev->dev == dev) {
+ 			enclosure_remove_links(cdev);
+-			device_del(&cdev->cdev);
+ 			put_device(dev);
+ 			cdev->dev = NULL;
+-			return device_add(&cdev->cdev);
++			return 0;
+ 		}
+ 	}
+ 	return -ENODEV;
diff --git a/queue-3.16/scsi-fnic-fix-invalid-stack-access.patch b/queue-3.16/scsi-fnic-fix-invalid-stack-access.patch
new file mode 100644
index 0000000..7da0bac
--- /dev/null
+++ b/queue-3.16/scsi-fnic-fix-invalid-stack-access.patch
@@ -0,0 +1,119 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 7 Jan 2020 21:15:49 +0100
+Subject: scsi: fnic: fix invalid stack access
+
+commit 42ec15ceaea74b5f7a621fc6686cbf69ca66c4cf upstream.
+
+gcc -O3 warns that some local variables are not properly initialized:
+
+drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_hang_notify':
+drivers/scsi/fnic/vnic_dev.c:511:16: error: 'a0' is used uninitialized in this function [-Werror=uninitialized]
+  vdev->args[0] = *a0;
+  ~~~~~~~~~~~~~~^~~~~
+drivers/scsi/fnic/vnic_dev.c:691:6: note: 'a0' was declared here
+  u64 a0, a1;
+      ^~
+drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized]
+  vdev->args[1] = *a1;
+  ~~~~~~~~~~~~~~^~~~~
+drivers/scsi/fnic/vnic_dev.c:691:10: note: 'a1' was declared here
+  u64 a0, a1;
+          ^~
+drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_mac_addr':
+drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized]
+  vdev->args[1] = *a1;
+  ~~~~~~~~~~~~~~^~~~~
+drivers/scsi/fnic/vnic_dev.c:698:10: note: 'a1' was declared here
+  u64 a0, a1;
+          ^~
+
+Apparently the code relies on the local variables occupying adjacent memory
+locations in the same order, but this is of course not guaranteed.
+
+Use an array of two u64 variables where needed to make it work correctly.
+
+I suspect there is also an endianness bug here, but have not digged in deep
+enough to be sure.
+
+Fixes: 5df6d737dd4b ("[SCSI] fnic: Add new Cisco PCI-Express FCoE HBA")
+Fixes: mmtom ("init/Kconfig: enable -O3 for all arches")
+Link: https://lore.kernel.org/r/20200107201602.4096790-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/fnic/vnic_dev.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/fnic/vnic_dev.c
++++ b/drivers/scsi/fnic/vnic_dev.c
+@@ -445,26 +445,26 @@ int vnic_dev_soft_reset_done(struct vnic
+ 
+ int vnic_dev_hang_notify(struct vnic_dev *vdev)
+ {
+-	u64 a0, a1;
++	u64 a0 = 0, a1 = 0;
+ 	int wait = 1000;
+ 	return vnic_dev_cmd(vdev, CMD_HANG_NOTIFY, &a0, &a1, wait);
+ }
+ 
+ int vnic_dev_mac_addr(struct vnic_dev *vdev, u8 *mac_addr)
+ {
+-	u64 a0, a1;
++	u64 a[2] = {};
+ 	int wait = 1000;
+ 	int err, i;
+ 
+ 	for (i = 0; i < ETH_ALEN; i++)
+ 		mac_addr[i] = 0;
+ 
+-	err = vnic_dev_cmd(vdev, CMD_MAC_ADDR, &a0, &a1, wait);
++	err = vnic_dev_cmd(vdev, CMD_MAC_ADDR, &a[0], &a[1], wait);
+ 	if (err)
+ 		return err;
+ 
+ 	for (i = 0; i < ETH_ALEN; i++)
+-		mac_addr[i] = ((u8 *)&a0)[i];
++		mac_addr[i] = ((u8 *)&a)[i];
+ 
+ 	return 0;
+ }
+@@ -489,15 +489,15 @@ void vnic_dev_packet_filter(struct vnic_
+ 
+ void vnic_dev_add_addr(struct vnic_dev *vdev, u8 *addr)
+ {
+-	u64 a0 = 0, a1 = 0;
++	u64 a[2] = {};
+ 	int wait = 1000;
+ 	int err;
+ 	int i;
+ 
+ 	for (i = 0; i < ETH_ALEN; i++)
+-		((u8 *)&a0)[i] = addr[i];
++		((u8 *)&a)[i] = addr[i];
+ 
+-	err = vnic_dev_cmd(vdev, CMD_ADDR_ADD, &a0, &a1, wait);
++	err = vnic_dev_cmd(vdev, CMD_ADDR_ADD, &a[0], &a[1], wait);
+ 	if (err)
+ 		printk(KERN_ERR
+ 			"Can't add addr [%02x:%02x:%02x:%02x:%02x:%02x], %d\n",
+@@ -507,15 +507,15 @@ void vnic_dev_add_addr(struct vnic_dev *
+ 
+ void vnic_dev_del_addr(struct vnic_dev *vdev, u8 *addr)
+ {
+-	u64 a0 = 0, a1 = 0;
++	u64 a[2] = {};
+ 	int wait = 1000;
+ 	int err;
+ 	int i;
+ 
+ 	for (i = 0; i < ETH_ALEN; i++)
+-		((u8 *)&a0)[i] = addr[i];
++		((u8 *)&a)[i] = addr[i];
+ 
+-	err = vnic_dev_cmd(vdev, CMD_ADDR_DEL, &a0, &a1, wait);
++	err = vnic_dev_cmd(vdev, CMD_ADDR_DEL, &a[0], &a[1], wait);
+ 	if (err)
+ 		printk(KERN_ERR
+ 			"Can't del addr [%02x:%02x:%02x:%02x:%02x:%02x], %d\n",
diff --git a/queue-3.16/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch b/queue-3.16/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
new file mode 100644
index 0000000..63608dc
--- /dev/null
+++ b/queue-3.16/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
@@ -0,0 +1,32 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 3 Dec 2019 12:45:09 +0300
+Subject: scsi: iscsi: qla4xxx: fix double free in probe
+
+commit fee92f25777789d73e1936b91472e9c4644457c8 upstream.
+
+On this error path we call qla4xxx_mem_free() and then the caller also
+calls qla4xxx_free_adapter() which calls qla4xxx_mem_free().  It leads to a
+couple double frees:
+
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed
+
+Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx")
+Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -4269,7 +4269,6 @@ static int qla4xxx_mem_alloc(struct scsi
+ 	return QLA_SUCCESS;
+ 
+ mem_alloc_error_exit:
+-	qla4xxx_mem_free(ha);
+ 	return QLA_ERROR;
+ }
+ 
diff --git a/queue-3.16/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch b/queue-3.16/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch
new file mode 100644
index 0000000..b38194d
--- /dev/null
+++ b/queue-3.16/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch
@@ -0,0 +1,39 @@
+From: Xiang Chen <chenxiang66@hisilicon.com>
+Date: Thu, 9 Jan 2020 09:12:24 +0800
+Subject: scsi: sd: Clear sdkp->protection_type if disk is reformatted without
+ PI
+
+commit 465f4edaecc6c37f81349233e84d46246bcac11a upstream.
+
+If an attached disk with protection information enabled is reformatted
+to Type 0 the revalidation code does not clear the original protection
+type and subsequent accesses will keep setting RDPROTECT/WRPROTECT.
+
+Set the protection type to 0 if the disk reports PROT_EN=0 in READ
+CAPACITY(16).
+
+[mkp: commit desc]
+
+Fixes: fe542396da73 ("[SCSI] sd: Ensure we correctly disable devices with unknown protection type")
+Link: https://lore.kernel.org/r/1578532344-101668-1-git-send-email-chenxiang66@hisilicon.com
+Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/sd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1910,8 +1910,10 @@ static int sd_read_protection_type(struc
+ 	u8 type;
+ 	int ret = 0;
+ 
+-	if (scsi_device_protection(sdp) == 0 || (buffer[12] & 1) == 0)
++	if (scsi_device_protection(sdp) == 0 || (buffer[12] & 1) == 0) {
++		sdkp->protection_type = 0;
+ 		return ret;
++	}
+ 
+ 	type = ((buffer[12] >> 1) & 7) + 1; /* P_TYPE 0 = Type 1 */
+ 
diff --git a/queue-3.16/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch b/queue-3.16/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
new file mode 100644
index 0000000..009107f
--- /dev/null
+++ b/queue-3.16/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
@@ -0,0 +1,91 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 4 Jan 2020 14:15:02 +0800
+Subject: sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
+
+commit be7a7729207797476b6666f046d765bdf9630407 upstream.
+
+This patch is to fix a memleak caused by no place to free cmd->obj.chunk
+for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to
+process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq
+with an allocated chunk in cmd->obj.chunk.
+
+So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on
+the cmd seq when any cmd returns error. While at it, also remove 'nomem'
+label.
+
+Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/sctp/sm_sideeffect.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -1327,8 +1327,10 @@ static int sctp_cmd_interpreter(sctp_eve
+ 			/* Generate an INIT ACK chunk.  */
+ 			new_obj = sctp_make_init_ack(asoc, chunk, GFP_ATOMIC,
+ 						     0);
+-			if (!new_obj)
+-				goto nomem;
++			if (!new_obj) {
++				error = -ENOMEM;
++				break;
++			}
+ 
+ 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
+ 					SCTP_CHUNK(new_obj));
+@@ -1350,7 +1352,8 @@ static int sctp_cmd_interpreter(sctp_eve
+ 			if (!new_obj) {
+ 				if (cmd->obj.chunk)
+ 					sctp_chunk_free(cmd->obj.chunk);
+-				goto nomem;
++				error = -ENOMEM;
++				break;
+ 			}
+ 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
+ 					SCTP_CHUNK(new_obj));
+@@ -1397,8 +1400,10 @@ static int sctp_cmd_interpreter(sctp_eve
+ 
+ 			/* Generate a SHUTDOWN chunk.  */
+ 			new_obj = sctp_make_shutdown(asoc, chunk);
+-			if (!new_obj)
+-				goto nomem;
++			if (!new_obj) {
++				error = -ENOMEM;
++				break;
++			}
+ 			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
+ 					SCTP_CHUNK(new_obj));
+ 			break;
+@@ -1727,11 +1732,17 @@ static int sctp_cmd_interpreter(sctp_eve
+ 			break;
+ 		}
+ 
+-		if (error)
++		if (error) {
++			cmd = sctp_next_cmd(commands);
++			while (cmd) {
++				if (cmd->verb == SCTP_CMD_REPLY)
++					sctp_chunk_free(cmd->obj.chunk);
++				cmd = sctp_next_cmd(commands);
++			}
+ 			break;
++		}
+ 	}
+ 
+-out:
+ 	/* If this is in response to a received chunk, wait until
+ 	 * we are done with the packet to open the queue so that we don't
+ 	 * send multiple packets in response to a single request.
+@@ -1742,8 +1753,5 @@ out:
+ 	} else if (local_cork)
+ 		error = sctp_outq_uncork(&asoc->outqueue);
+ 	return error;
+-nomem:
+-	error = -ENOMEM;
+-	goto out;
+ }
+ 
diff --git a/queue-3.16/series b/queue-3.16/series
index 04a6049..023b478 100644
--- a/queue-3.16/series
+++ b/queue-3.16/series
@@ -1,5 +1,7 @@
 mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch
 libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch
+libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch
 mwifiex-fix-probable-memory-corruption-while-processing-tdls-frame.patch
 mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
 cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public.patch
@@ -7,6 +9,8 @@
 x86-microcode-amd-add-support-for-fam17h-microcode-loading.patch
 ext4-wait-for-existing-dio-workers-in-ext4_alloc_file_blocks.patch
 ext4-only-call-ext4_truncate-when-size-isize.patch
+ext4-update-c-mtime-on-truncate-up.patch
+quota-fix-wrong-condition-in-is_quota_modification.patch
 ext4-fix-races-between-page-faults-and-hole-punching.patch
 ext4-move-unlocked-dio-protection-from-ext4_alloc_file_blocks.patch
 ext4-fix-races-between-buffered-io-and-collapse-insert-range.patch
@@ -54,3 +58,154 @@
 dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch
 dm-flakey-check-for-null-arg_name-in-parse_features.patch
 x86-pti-efi-broken-conversion-from-efi-to-kernel-page-table.patch
+batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
+netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch
+taskstats-fix-data-race.patch
+dm-btree-increase-rebalance-threshold-in-__rebalance2.patch
+dm-thin-metadata-add-support-for-a-pre-commit-callback.patch
+pinctrl-baytrail-relax-gpio-request-rules.patch
+pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch
+pinctrl-baytrail-rework-interrupt-handling.patch
+pinctrl-baytrail-serialize-all-register-access.patch
+pinctrl-baytrail-really-serialize-all-register-accesses.patch
+netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch
+netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch
+netfilter-bridge-make-sure-to-pull-arp-header-in.patch
+hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
+gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch
+neighbour-remove-neigh_cleanup-method.patch
+bonding-fix-bond_neigh_init.patch
+af_packet-set-defaule-value-for-tmo.patch
+acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
+scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
+staging-gigaset-fix-general-protection-fault-on-probe.patch
+staging-gigaset-fix-illegal-free-on-probe-errors.patch
+staging-gigaset-add-endpoint-type-sanity-check.patch
+usb-core-urb-fix-urb-structure-initialization-function.patch
+usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
+usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
+usb-idmouse-fix-interface-sanity-checks.patch
+usb-adutux-fix-interface-sanity-check.patch
+usb-atm-ueagle-atm-add-missing-endpoint-check.patch
+staging-rtl8188eu-fix-interface-sanity-check.patch
+staging-rtl8712-fix-interface-sanity-check.patch
+gpiolib-fix-up-emulated-open-drain-outputs.patch
+virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch
+hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
+xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch
+xhci-make-sure-interrupts-are-restored-to-correct-state.patch
+usb-dwc3-pci-add-pci-id-for-intel-braswell.patch
+usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch
+usb-dwc3-pci-add-support-for-intel-broxton-soc.patch
+usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch
+usb-dwc3-pci-add-intel-kabylake-pci-id.patch
+usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch
+usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch
+usb-dwc3-pci-add-support-for-intel-icelake.patch
+usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch
+usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch
+usb-dwc3-pci-add-support-for-tigerlake-devices.patch
+usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch
+tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
+ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch
+ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch
+hid-hid-input-clear-unmapped-usages.patch
+btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch
+btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch
+btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch
+btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch
+btrfs-skip-log-replay-on-orphaned-roots.patch
+btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch
+btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch
+btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch
+btrfs-do-not-delete-mismatched-root-refs.patch
+btrfs-check-rw_devices-not-num_devices-for-balance.patch
+ext4-check-for-directory-entries-too-close-to-block-end.patch
+powerpc-irq-fix-stack-overflow-verification.patch
+6pack-mkiss-fix-possible-deadlock.patch
+tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch
+alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch
+alsa-hda-ca0132-avoid-endless-loop.patch
+asoc-wm8962-fix-lambda-value.patch
+tty-link-tty-and-port-before-configuring-it-as-console.patch
+usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch
+usbip-fix-error-path-of-vhci_recv_ret_submit.patch
+kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch
+net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch
+net-stmmac-enable-16kb-buffer-size.patch
+netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
+netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
+platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch
+mod_devicetable-fix-phy-module-format.patch
+x86-efistub-disable-paging-at-mixed-mode-entry.patch
+alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
+locks-print-unsigned-ino-in-proc-locks.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch
+tty-always-relink-the-port.patch
+usb-core-fix-check-for-duplicate-endpoints.patch
+usb-core-add-endpoint-blacklist-quirk.patch
+usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch
+usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
+can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
+can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch
+tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
+vxlan-fix-tos-value-before-xmit.patch
+tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch
+ftrace-avoid-potential-division-by-zero-in-function-profiler.patch
+staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
+kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch
+kobject-export-kobject_get_unless_zero.patch
+chardev-avoid-potential-use-after-free-in-chrdev_open.patch
+sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
+vlan-vlan_changelink-should-propagate-errors.patch
+net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
+pkt_sched-fq-avoid-hang-when-quantum-0.patch
+pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
+macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
+netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch
+ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch
+scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch
+scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch
+hidraw-return-epollout-from-hidraw_poll.patch
+hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
+hid-hidraw-uhid-always-report-epollout.patch
+input-aiptek-fix-endpoint-sanity-check.patch
+input-gtco-fix-endpoint-sanity-check.patch
+input-sur40-fix-interface-sanity-checks.patch
+platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch
+iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch
+usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch
+netfilter-fix-a-use-after-free-in-mtype_destroy.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
+alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch
+alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch
+alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
+usb-serial-opticon-fix-control-message-timeouts.patch
+r8152-add-missing-endpoint-sanity-check.patch
+usb-core-hub-improved-device-recognition-on-remote-wakeup.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+scsi-fnic-fix-invalid-stack-access.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
+macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch
+input-keyspan-remote-fix-control-message-timeouts.patch
+usb-serial-suppress-driver-bind-attributes.patch
+usb-serial-ch341-handle-unbound-port-at-reset_resume.patch
+usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch
+usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch
+usb-serial-keyspan-handle-unbound-ports.patch
+usb-serial-quatech2-handle-unbound-ports.patch
+hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch
+arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch
+mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch
+arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch
+can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
+net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch
+net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch
+net-sonic-use-mmio-accessors.patch
+net-sonic-fix-receive-buffer-handling.patch
+net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch
+net_sched-fix-datalen-for-ematch.patch
+namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch
+do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
+vfs-fix-do_last-regression.patch
diff --git a/queue-3.16/staging-gigaset-add-endpoint-type-sanity-check.patch b/queue-3.16/staging-gigaset-add-endpoint-type-sanity-check.patch
new file mode 100644
index 0000000..3a1e867
--- /dev/null
+++ b/queue-3.16/staging-gigaset-add-endpoint-type-sanity-check.patch
@@ -0,0 +1,48 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:10 +0100
+Subject: staging: gigaset: add endpoint-type sanity check
+
+commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream.
+
+Add missing endpoint-type sanity checks to probe.
+
+This specifically prevents a warning in USB core on URB submission when
+fuzzing USB descriptors.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/isdn/gigaset/usb-gigaset.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/isdn/gigaset/usb-gigaset.c
++++ b/drivers/isdn/gigaset/usb-gigaset.c
+@@ -713,6 +713,12 @@ static int gigaset_probe(struct usb_inte
+ 
+ 	endpoint = &hostif->endpoint[0].desc;
+ 
++	if (!usb_endpoint_is_bulk_out(endpoint)) {
++		dev_err(&interface->dev, "missing bulk-out endpoint\n");
++		retval = -ENODEV;
++		goto error;
++	}
++
+ 	buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
+ 	ucs->bulk_out_size = buffer_size;
+ 	ucs->bulk_out_endpointAddr = endpoint->bEndpointAddress;
+@@ -732,6 +738,12 @@ static int gigaset_probe(struct usb_inte
+ 
+ 	endpoint = &hostif->endpoint[1].desc;
+ 
++	if (!usb_endpoint_is_int_in(endpoint)) {
++		dev_err(&interface->dev, "missing int-in endpoint\n");
++		retval = -ENODEV;
++		goto error;
++	}
++
+ 	ucs->busy = 0;
+ 
+ 	ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL);
diff --git a/queue-3.16/staging-gigaset-fix-general-protection-fault-on-probe.patch b/queue-3.16/staging-gigaset-fix-general-protection-fault-on-probe.patch
new file mode 100644
index 0000000..95dce06
--- /dev/null
+++ b/queue-3.16/staging-gigaset-fix-general-protection-fault-on-probe.patch
@@ -0,0 +1,37 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:08 +0100
+Subject: staging: gigaset: fix general protection fault on probe
+
+commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream.
+
+Fix a general protection fault when accessing the endpoint descriptors
+which could be triggered by a malicious device due to missing sanity
+checks on the number of endpoints.
+
+Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com
+Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter")
+Cc: Hansjoerg Lipp <hjlipp@web.de>
+Cc: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/isdn/gigaset/usb-gigaset.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/isdn/gigaset/usb-gigaset.c
++++ b/drivers/isdn/gigaset/usb-gigaset.c
+@@ -693,6 +693,11 @@ static int gigaset_probe(struct usb_inte
+ 		return -ENODEV;
+ 	}
+ 
++	if (hostif->desc.bNumEndpoints < 2) {
++		dev_err(&interface->dev, "missing endpoints\n");
++		return -ENODEV;
++	}
++
+ 	dev_info(&udev->dev, "%s: Device matched ... !\n", __func__);
+ 
+ 	/* allocate memory for our device state and initialize it */
diff --git a/queue-3.16/staging-gigaset-fix-illegal-free-on-probe-errors.patch b/queue-3.16/staging-gigaset-fix-illegal-free-on-probe-errors.patch
new file mode 100644
index 0000000..46ecd3e
--- /dev/null
+++ b/queue-3.16/staging-gigaset-fix-illegal-free-on-probe-errors.patch
@@ -0,0 +1,44 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:09 +0100
+Subject: staging: gigaset: fix illegal free on probe errors
+
+commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream.
+
+The driver failed to initialise its receive-buffer pointer, something
+which could lead to an illegal free on late probe errors.
+
+Fix this by making sure to clear all driver data at allocation.
+
+Fixes: 2032e2c2309d ("usb_gigaset: code cleanup")
+Cc: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/isdn/gigaset/usb-gigaset.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/isdn/gigaset/usb-gigaset.c
++++ b/drivers/isdn/gigaset/usb-gigaset.c
+@@ -578,8 +578,7 @@ static int gigaset_initcshw(struct cards
+ {
+ 	struct usb_cardstate *ucs;
+ 
+-	cs->hw.usb = ucs =
+-		kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
++	cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
+ 	if (!ucs) {
+ 		pr_err("out of memory\n");
+ 		return -ENOMEM;
+@@ -591,9 +590,6 @@ static int gigaset_initcshw(struct cards
+ 	ucs->bchars[3] = 0;
+ 	ucs->bchars[4] = 0x11;
+ 	ucs->bchars[5] = 0x13;
+-	ucs->bulk_out_buffer = NULL;
+-	ucs->bulk_out_urb = NULL;
+-	ucs->read_urb = NULL;
+ 	tasklet_init(&cs->write_tasklet,
+ 		     gigaset_modem_fill, (unsigned long) cs);
+ 
diff --git a/queue-3.16/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch b/queue-3.16/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
new file mode 100644
index 0000000..a8875c6
--- /dev/null
+++ b/queue-3.16/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
@@ -0,0 +1,28 @@
+From: Michael Straube <straube.linux@gmail.com>
+Date: Sat, 28 Dec 2019 15:37:25 +0100
+Subject: staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
+
+commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream.
+
+This device was added to the stand-alone driver on github.
+Add it to the staging driver as well.
+
+Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8
+Signed-off-by: Michael Straube <straube.linux@gmail.com>
+Link: https://lore.kernel.org/r/20191228143725.24455-1-straube.linux@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -61,6 +61,7 @@ static struct usb_device_id rtw_usb_id_t
+ 	{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
+ 	{USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
+ 	{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
++	{USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
+ 	{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
+ 	{USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+ 	{}	/* Terminating entry */
diff --git a/queue-3.16/staging-rtl8188eu-fix-interface-sanity-check.patch b/queue-3.16/staging-rtl8188eu-fix-interface-sanity-check.patch
new file mode 100644
index 0000000..e3c631a
--- /dev/null
+++ b/queue-3.16/staging-rtl8188eu-fix-interface-sanity-check.patch
@@ -0,0 +1,32 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:47:50 +0100
+Subject: staging: rtl8188eu: fix interface sanity check
+
+commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -141,7 +141,7 @@ static struct dvobj_priv *usb_dvobj_init
+ 	phost_conf = pusbd->actconfig;
+ 	pconf_desc = &phost_conf->desc;
+ 
+-	phost_iface = &usb_intf->altsetting[0];
++	phost_iface = usb_intf->cur_altsetting;
+ 	piface_desc = &phost_iface->desc;
+ 
+ 	pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces;
diff --git a/queue-3.16/staging-rtl8712-fix-interface-sanity-check.patch b/queue-3.16/staging-rtl8712-fix-interface-sanity-check.patch
new file mode 100644
index 0000000..cf83e9a
--- /dev/null
+++ b/queue-3.16/staging-rtl8712-fix-interface-sanity-check.patch
@@ -0,0 +1,33 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:47:51 +0100
+Subject: staging: rtl8712: fix interface sanity check
+
+commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/staging/rtl8712/usb_intf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -269,7 +269,7 @@ static uint r8712_usb_dvobj_init(struct
+ 	pdev_desc = &pusbd->descriptor;
+ 	phost_conf = pusbd->actconfig;
+ 	pconf_desc = &phost_conf->desc;
+-	phost_iface = &pintf->altsetting[0];
++	phost_iface = pintf->cur_altsetting;
+ 	piface_desc = &phost_iface->desc;
+ 	pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints;
+ 	if (pusbd->speed == USB_SPEED_HIGH) {
diff --git a/queue-3.16/taskstats-fix-data-race.patch b/queue-3.16/taskstats-fix-data-race.patch
new file mode 100644
index 0000000..d0d58ab
--- /dev/null
+++ b/queue-3.16/taskstats-fix-data-race.patch
@@ -0,0 +1,96 @@
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 9 Oct 2019 13:48:09 +0200
+Subject: taskstats: fix data-race
+
+commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 upstream.
+
+When assiging and testing taskstats in taskstats_exit() there's a race
+when setting up and reading sig->stats when a thread-group with more
+than one thread exits:
+
+write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
+ taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
+ taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ get_signal+0x2a2/0x1320 kernel/signal.c:2734
+ do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
+ exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
+ do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
+ taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
+ taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ __do_sys_exit_group kernel/exit.c:994 [inline]
+ __se_sys_exit_group kernel/exit.c:992 [inline]
+ __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
+ do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix this by using smp_load_acquire() and smp_store_release().
+
+Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
+Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Marco Elver <elver@google.com>
+Reviewed-by: Will Deacon <will@kernel.org>
+Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/taskstats.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -591,25 +591,33 @@ static int taskstats_user_cmd(struct sk_
+ static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
+ {
+ 	struct signal_struct *sig = tsk->signal;
+-	struct taskstats *stats;
++	struct taskstats *stats_new, *stats;
+ 
+-	if (sig->stats || thread_group_empty(tsk))
+-		goto ret;
++	/* Pairs with smp_store_release() below. */
++	stats = smp_load_acquire(&sig->stats);
++	if (stats || thread_group_empty(tsk))
++		return stats;
+ 
+ 	/* No problem if kmem_cache_zalloc() fails */
+-	stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
++	stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
+ 
+ 	spin_lock_irq(&tsk->sighand->siglock);
+-	if (!sig->stats) {
+-		sig->stats = stats;
+-		stats = NULL;
++	stats = sig->stats;
++	if (!stats) {
++		/*
++		 * Pairs with smp_store_release() above and order the
++		 * kmem_cache_zalloc().
++		 */
++		smp_store_release(&sig->stats, stats_new);
++		stats = stats_new;
++		stats_new = NULL;
+ 	}
+ 	spin_unlock_irq(&tsk->sighand->siglock);
+ 
+-	if (stats)
+-		kmem_cache_free(taskstats_cache, stats);
+-ret:
+-	return sig->stats;
++	if (stats_new)
++		kmem_cache_free(taskstats_cache, stats_new);
++
++	return stats;
+ }
+ 
+ /* Send pid data out on exit */
diff --git a/queue-3.16/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch b/queue-3.16/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch
new file mode 100644
index 0000000..5d948bf
--- /dev/null
+++ b/queue-3.16/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch
@@ -0,0 +1,51 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 12 Dec 2019 12:55:29 -0800
+Subject: tcp: do not send empty skb from tcp_write_xmit()
+
+commit 1f85e6267caca44b30c54711652b0726fadbb131 upstream.
+
+Backport of commit fdfc5c8594c2 ("tcp: remove empty skb from
+write queue in error cases") in linux-4.14 stable triggered
+various bugs. One of them has been fixed in commit ba2ddb43f270
+("tcp: Don't dequeue SYN/FIN-segments from write-queue"), but
+we still have crashes in some occasions.
+
+Root-cause is that when tcp_sendmsg() has allocated a fresh
+skb and could not append a fragment before being blocked
+in sk_stream_wait_memory(), tcp_write_xmit() might be called
+and decide to send this fresh and empty skb.
+
+Sending an empty packet is not only silly, it might have caused
+many issues we had in the past with tp->packets_out being
+out of sync.
+
+Fixes: c65f7f00c587 ("[TCP]: Simplify SKB data portion allocation with NETIF_F_SG.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Christoph Paasch <cpaasch@apple.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Cc: Jason Baron <jbaron@akamai.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/tcp_output.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1992,6 +1992,14 @@ static bool tcp_write_xmit(struct sock *
+ 		    unlikely(tso_fragment(sk, skb, limit, mss_now, gfp)))
+ 			break;
+ 
++		/* Argh, we hit an empty skb(), presumably a thread
++		 * is sleeping in sendmsg()/sk_stream_wait_memory().
++		 * We do not want to send a pure-ack packet and have
++		 * a strange looking rtx queue with empty packet(s).
++		 */
++		if (TCP_SKB_CB(skb)->end_seq == TCP_SKB_CB(skb)->seq)
++			break;
++
+ 		TCP_SKB_CB(skb)->when = tcp_time_stamp;
+ 
+ 		if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp)))
diff --git a/queue-3.16/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch b/queue-3.16/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
new file mode 100644
index 0000000..b4cc6a1
--- /dev/null
+++ b/queue-3.16/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
@@ -0,0 +1,43 @@
+From: Pengcheng Yang <yangpc@wangsu.com>
+Date: Mon, 30 Dec 2019 17:54:41 +0800
+Subject: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
+
+commit c9655008e7845bcfdaac10a1ed8554ec167aea88 upstream.
+
+When we receive a D-SACK, where the sequence number satisfies:
+	undo_marker <= start_seq < end_seq <= prior_snd_una
+we consider this is a valid D-SACK and tcp_is_sackblock_valid()
+returns true, then this D-SACK is discarded as "old stuff",
+but the variable first_sack_index is not marked as negative
+in tcp_sacktag_write_queue().
+
+If this D-SACK also carries a SACK that needs to be processed
+(for example, the previous SACK segment was lost), this SACK
+will be treated as a D-SACK in the following processing of
+tcp_sacktag_write_queue(), which will eventually lead to
+incorrect updates of undo_retrans and reordering.
+
+Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification & simplify access to them")
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/tcp_input.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1713,8 +1713,11 @@ tcp_sacktag_write_queue(struct sock *sk,
+ 		}
+ 
+ 		/* Ignore very old stuff early */
+-		if (!after(sp[used_sacks].end_seq, prior_snd_una))
++		if (!after(sp[used_sacks].end_seq, prior_snd_una)) {
++			if (i == 0)
++				first_sack_index = -1;
+ 			continue;
++		}
+ 
+ 		used_sacks++;
+ 	}
diff --git a/queue-3.16/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch b/queue-3.16/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch
new file mode 100644
index 0000000..70c5667
--- /dev/null
+++ b/queue-3.16/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch
@@ -0,0 +1,35 @@
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 2 Jan 2020 22:02:41 -0500
+Subject: tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not
+ defined
+
+commit b8299d362d0837ae39e87e9019ebe6b736e0f035 upstream.
+
+On some archs with some configurations, MCOUNT_INSN_SIZE is not defined, and
+this makes the stack tracer fail to compile. Just define it to zero in this
+case.
+
+Link: https://lore.kernel.org/r/202001020219.zvE3vsty%lkp@intel.com
+
+Fixes: 4df297129f622 ("tracing: Remove most or all of stack tracer stack size from stack_max_size")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/trace/trace_stack.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/trace/trace_stack.c
++++ b/kernel/trace/trace_stack.c
+@@ -182,6 +182,11 @@ check_stack(unsigned long ip, unsigned l
+ 	local_irq_restore(flags);
+ }
+ 
++/* Some archs may not define MCOUNT_INSN_SIZE */
++#ifndef MCOUNT_INSN_SIZE
++# define MCOUNT_INSN_SIZE 0
++#endif
++
+ static void
+ stack_trace_call(unsigned long ip, unsigned long parent_ip,
+ 		 struct ftrace_ops *op, struct pt_regs *pt_regs)
diff --git a/queue-3.16/tty-always-relink-the-port.patch b/queue-3.16/tty-always-relink-the-port.patch
new file mode 100644
index 0000000..b475db7
--- /dev/null
+++ b/queue-3.16/tty-always-relink-the-port.patch
@@ -0,0 +1,33 @@
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Fri, 27 Dec 2019 17:44:34 +0000
+Subject: tty: always relink the port
+
+commit 273f632912f1b24b642ba5b7eb5022e43a72f3b5 upstream.
+
+If the serial device is disconnected and reconnected, it re-enumerates
+properly but does not link it. fwiw, linking means just saving the port
+index, so allow it always as there is no harm in saving the same value
+again even if it tries to relink with the same port.
+
+Fixes: fb2b90014d78 ("tty: link tty and port before configuring it as console")
+Reported-by: Kenneth R. Crudup <kenny@panix.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/20191227174434.12057-1-sudipm.mukherjee@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/tty_port.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -49,8 +49,7 @@ void tty_port_link_device(struct tty_por
+ {
+ 	if (WARN_ON(index >= driver->num))
+ 		return;
+-	if (!driver->ports[index])
+-		driver->ports[index] = port;
++	driver->ports[index] = port;
+ }
+ EXPORT_SYMBOL_GPL(tty_port_link_device);
+ 
diff --git a/queue-3.16/tty-link-tty-and-port-before-configuring-it-as-console.patch b/queue-3.16/tty-link-tty-and-port-before-configuring-it-as-console.patch
new file mode 100644
index 0000000..b85d792
--- /dev/null
+++ b/queue-3.16/tty-link-tty-and-port-before-configuring-it-as-console.patch
@@ -0,0 +1,65 @@
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Thu, 12 Dec 2019 13:16:02 +0000
+Subject: tty: link tty and port before configuring it as console
+
+commit fb2b90014d782d80d7ebf663e50f96d8c507a73c upstream.
+
+There seems to be a race condition in tty drivers and I could see on
+many boot cycles a NULL pointer dereference as tty_init_dev() tries to
+do 'tty->port->itty = tty' even though tty->port is NULL.
+'tty->port' will be set by the driver and if the driver has not yet done
+it before we open the tty device we can get to this situation. By adding
+some extra debug prints, I noticed that:
+
+6.650130: uart_add_one_port
+6.663849: register_console
+6.664846: tty_open
+6.674391: tty_init_dev
+6.675456: tty_port_link_device
+
+uart_add_one_port() registers the console, as soon as it registers, the
+userspace tries to use it and that leads to tty_open() but
+uart_add_one_port() has not yet done tty_port_link_device() and so
+tty->port is not yet configured when control reaches tty_init_dev().
+
+Further look into the code and tty_port_link_device() is done by
+uart_add_one_port(). After registering the console uart_add_one_port()
+will call tty_port_register_device_attr_serdev() and
+tty_port_link_device() is called from this.
+
+Call add tty_port_link_device() before uart_configure_port() is done and
+add a check in tty_port_link_device() so that it only links the port if
+it has not been done yet.
+
+Suggested-by: Jiri Slaby <jslaby@suse.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://lore.kernel.org/r/20191212131602.29504-1-sudipm.mukherjee@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/serial_core.c | 1 +
+ drivers/tty/tty_port.c           | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -2639,6 +2639,7 @@ int uart_add_one_port(struct uart_driver
+ 		lockdep_set_class(&uport->lock, &port_lock_key);
+ 	}
+ 
++	tty_port_link_device(port, drv->tty_driver, uport->line);
+ 	uart_configure_port(drv, state, uport);
+ 
+ 	/*
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -49,7 +49,8 @@ void tty_port_link_device(struct tty_por
+ {
+ 	if (WARN_ON(index >= driver->num))
+ 		return;
+-	driver->ports[index] = port;
++	if (!driver->ports[index])
++		driver->ports[index] = port;
+ }
+ EXPORT_SYMBOL_GPL(tty_port_link_device);
+ 
diff --git a/queue-3.16/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch b/queue-3.16/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
new file mode 100644
index 0000000..0ab8057
--- /dev/null
+++ b/queue-3.16/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
@@ -0,0 +1,64 @@
+From: Leo Yan <leo.yan@linaro.org>
+Date: Wed, 27 Nov 2019 22:15:43 +0800
+Subject: tty: serial: msm_serial: Fix lockup for sysrq and oops
+
+commit 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e upstream.
+
+As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug")
+has mentioned the uart driver might cause recursive locking between
+normal printing and the kernel debugging facilities (e.g. sysrq and
+oops).  In the commit it gave out suggestion for fixing recursive
+locking issue: "The solution is to avoid locking in the sysrq case
+and trylock in the oops_in_progress case."
+
+This patch follows the suggestion (also used the exactly same code with
+other serial drivers, e.g. amba-pl011.c) to fix the recursive locking
+issue, this can avoid stuck caused by deadlock and print out log for
+sysrq and oops.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Reviewed-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/msm_serial.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -857,6 +857,7 @@ static void msm_console_write(struct con
+ 	struct msm_port *msm_port;
+ 	int num_newlines = 0;
+ 	bool replaced = false;
++	int locked = 1;
+ 
+ 	BUG_ON(co->index < 0 || co->index >= UART_NR);
+ 
+@@ -869,7 +870,13 @@ static void msm_console_write(struct con
+ 			num_newlines++;
+ 	count += num_newlines;
+ 
+-	spin_lock(&port->lock);
++	if (port->sysrq)
++		locked = 0;
++	else if (oops_in_progress)
++		locked = spin_trylock(&port->lock);
++	else
++		spin_lock(&port->lock);
++
+ 	if (msm_port->is_uartdm)
+ 		reset_dm_count(port, count);
+ 
+@@ -906,7 +913,9 @@ static void msm_console_write(struct con
+ 		msm_write(port, *bf, msm_port->is_uartdm ? UARTDM_TF : UART_TF);
+ 		i += num_chars;
+ 	}
+-	spin_unlock(&port->lock);
++
++	if (locked)
++		spin_unlock(&port->lock);
+ }
+ 
+ static int __init msm_console_setup(struct console *co, char *options)
diff --git a/queue-3.16/usb-adutux-fix-interface-sanity-check.patch b/queue-3.16/usb-adutux-fix-interface-sanity-check.patch
new file mode 100644
index 0000000..402889b
--- /dev/null
+++ b/queue-3.16/usb-adutux-fix-interface-sanity-check.patch
@@ -0,0 +1,33 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:25:59 +0100
+Subject: USB: adutux: fix interface sanity check
+
+commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/misc/adutux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -682,7 +682,7 @@ static int adu_probe(struct usb_interfac
+ 	init_waitqueue_head(&dev->read_wait);
+ 	init_waitqueue_head(&dev->write_wait);
+ 
+-	iface_desc = &interface->altsetting[0];
++	iface_desc = interface->cur_altsetting;
+ 
+ 	/* set up the endpoint information */
+ 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
diff --git a/queue-3.16/usb-atm-ueagle-atm-add-missing-endpoint-check.patch b/queue-3.16/usb-atm-ueagle-atm-add-missing-endpoint-check.patch
new file mode 100644
index 0000000..654dc51
--- /dev/null
+++ b/queue-3.16/usb-atm-ueagle-atm-add-missing-endpoint-check.patch
@@ -0,0 +1,86 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:25:58 +0100
+Subject: USB: atm: ueagle-atm: add missing endpoint check
+
+commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream.
+
+Make sure that the interrupt interface has an endpoint before trying to
+access its endpoint descriptors to avoid dereferencing a NULL pointer.
+
+The driver binds to the interrupt interface with interface number 0, but
+must not assume that this interface or its current alternate setting are
+the first entries in the corresponding configuration arrays.
+
+Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/atm/ueagle-atm.c
++++ b/drivers/usb/atm/ueagle-atm.c
+@@ -2167,10 +2167,11 @@ resubmit:
+ /*
+  * Start the modem : init the data and start kernel thread
+  */
+-static int uea_boot(struct uea_softc *sc)
++static int uea_boot(struct uea_softc *sc, struct usb_interface *intf)
+ {
+-	int ret, size;
+ 	struct intr_pkt *intr;
++	int ret = -ENOMEM;
++	int size;
+ 
+ 	uea_enters(INS_TO_USBDEV(sc));
+ 
+@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc
+ 	if (UEA_CHIP_VERSION(sc) == ADI930)
+ 		load_XILINX_firmware(sc);
+ 
++	if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
++		ret = -ENODEV;
++		goto err0;
++	}
++
+ 	intr = kmalloc(size, GFP_KERNEL);
+ 	if (!intr) {
+ 		uea_err(INS_TO_USBDEV(sc),
+@@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc
+ 	usb_fill_int_urb(sc->urb_int, sc->usb_dev,
+ 			 usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE),
+ 			 intr, size, uea_intr, sc,
+-			 sc->usb_dev->actconfig->interface[0]->altsetting[0].
+-			 endpoint[0].desc.bInterval);
++			 intf->cur_altsetting->endpoint[0].desc.bInterval);
+ 
+ 	ret = usb_submit_urb(sc->urb_int, GFP_KERNEL);
+ 	if (ret < 0) {
+@@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc
+ 	sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm");
+ 	if (IS_ERR(sc->kthread)) {
+ 		uea_err(INS_TO_USBDEV(sc), "failed to create thread\n");
++		ret = PTR_ERR(sc->kthread);
+ 		goto err2;
+ 	}
+ 
+@@ -2241,7 +2247,7 @@ err1:
+ 	kfree(intr);
+ err0:
+ 	uea_leaves(INS_TO_USBDEV(sc));
+-	return -ENOMEM;
++	return ret;
+ }
+ 
+ /*
+@@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data *
+ 	if (ret < 0)
+ 		goto error;
+ 
+-	ret = uea_boot(sc);
++	ret = uea_boot(sc, intf);
+ 	if (ret < 0)
+ 		goto error_rm_grp;
+ 
diff --git a/queue-3.16/usb-core-add-endpoint-blacklist-quirk.patch b/queue-3.16/usb-core-add-endpoint-blacklist-quirk.patch
new file mode 100644
index 0000000..0daeac2
--- /dev/null
+++ b/queue-3.16/usb-core-add-endpoint-blacklist-quirk.patch
@@ -0,0 +1,119 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 3 Feb 2020 16:38:28 +0100
+Subject: USB: core: add endpoint-blacklist quirk
+
+commit 73f8bda9b5dc1c69df2bc55c0cbb24461a6391a9 upstream.
+
+Add a new device quirk that can be used to blacklist endpoints.
+
+Since commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate
+endpoints") USB core ignores any duplicate endpoints found during
+descriptor parsing.
+
+In order to handle devices where the first interfaces with duplicate
+endpoints are the ones that should have their endpoints ignored, we need
+to add a blacklist.
+
+Tested-by: edes <edes@gmx.net>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20200203153830.26394-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/core/config.c  | 11 +++++++++++
+ drivers/usb/core/quirks.c  | 32 ++++++++++++++++++++++++++++++++
+ drivers/usb/core/usb.h     |  3 +++
+ include/linux/usb/quirks.h |  3 +++
+ 4 files changed, 49 insertions(+)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -222,6 +222,7 @@ static int usb_parse_endpoint(struct dev
+ 		struct usb_host_interface *ifp, int num_ep,
+ 		unsigned char *buffer, int size)
+ {
++	struct usb_device *udev = to_usb_device(ddev);
+ 	unsigned char *buffer0 = buffer;
+ 	struct usb_endpoint_descriptor *d;
+ 	struct usb_host_endpoint *endpoint;
+@@ -263,6 +264,16 @@ static int usb_parse_endpoint(struct dev
+ 		goto skip_to_next_endpoint_or_interface_descriptor;
+ 	}
+ 
++	/* Ignore blacklisted endpoints */
++	if (udev->quirks & USB_QUIRK_ENDPOINT_BLACKLIST) {
++		if (usb_endpoint_is_blacklisted(udev, ifp, d)) {
++			dev_warn(ddev, "config %d interface %d altsetting %d has a blacklisted endpoint with address 0x%X, skipping\n",
++					cfgno, inum, asnum,
++					d->bEndpointAddress);
++			goto skip_to_next_endpoint_or_interface_descriptor;
++		}
++	}
++
+ 	endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+ 	++ifp->desc.bNumEndpoints;
+ 
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -318,6 +318,38 @@ static const struct usb_device_id usb_am
+ 	{ }  /* terminating entry must be last */
+ };
+ 
++/*
++ * Entries for blacklisted endpoints that should be ignored when parsing
++ * configuration descriptors.
++ *
++ * Matched for devices with USB_QUIRK_ENDPOINT_BLACKLIST.
++ */
++static const struct usb_device_id usb_endpoint_blacklist[] = {
++	{ }
++};
++
++bool usb_endpoint_is_blacklisted(struct usb_device *udev,
++		struct usb_host_interface *intf,
++		struct usb_endpoint_descriptor *epd)
++{
++	const struct usb_device_id *id;
++	unsigned int address;
++
++	for (id = usb_endpoint_blacklist; id->match_flags; ++id) {
++		if (!usb_match_device(udev, id))
++			continue;
++
++		if (!usb_match_one_id_intf(udev, intf, id))
++			continue;
++
++		address = id->driver_info;
++		if (address == epd->bEndpointAddress)
++			return true;
++	}
++
++	return false;
++}
++
+ static bool usb_match_any_interface(struct usb_device *udev,
+ 				    const struct usb_device_id *id)
+ {
+--- a/drivers/usb/core/usb.h
++++ b/drivers/usb/core/usb.h
+@@ -29,6 +29,9 @@ extern int usb_deauthorize_device(struct
+ extern int usb_authorize_device(struct usb_device *);
+ extern void usb_detect_quirks(struct usb_device *udev);
+ extern void usb_detect_interface_quirks(struct usb_device *udev);
++extern bool usb_endpoint_is_blacklisted(struct usb_device *udev,
++		struct usb_host_interface *intf,
++		struct usb_endpoint_descriptor *epd);
+ extern int usb_remove_device(struct usb_device *udev);
+ 
+ extern int usb_get_device_descriptor(struct usb_device *dev,
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -62,4 +62,7 @@
+ /* Hub needs extra delay after resetting its port. */
+ #define USB_QUIRK_HUB_SLOW_RESET		BIT(14)
+ 
++/* device has blacklisted endpoints */
++#define USB_QUIRK_ENDPOINT_BLACKLIST		BIT(15)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
diff --git a/queue-3.16/usb-core-fix-check-for-duplicate-endpoints.patch b/queue-3.16/usb-core-fix-check-for-duplicate-endpoints.patch
new file mode 100644
index 0000000..224dcab
--- /dev/null
+++ b/queue-3.16/usb-core-fix-check-for-duplicate-endpoints.patch
@@ -0,0 +1,124 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Dec 2019 17:10:16 +0100
+Subject: USB: core: fix check for duplicate endpoints
+
+commit 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff upstream.
+
+Amend the endpoint-descriptor sanity checks to detect all duplicate
+endpoint addresses in a configuration.
+
+Commit 0a8fd1346254 ("USB: fix problems with duplicate endpoint
+addresses") added a check for duplicate endpoint addresses within a
+single alternate setting, but did not look for duplicate addresses in
+other interfaces.
+
+The current check would also not detect all duplicate addresses when one
+endpoint is as a (bi-directional) control endpoint.
+
+This specifically avoids overwriting the endpoint entries in struct
+usb_device when enabling a duplicate endpoint, something which could
+potentially lead to crashes or leaks, for example, when endpoints are
+later disabled.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20191219161016.6695-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/core/config.c | 70 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 58 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -169,9 +169,58 @@ static const unsigned short super_speed_
+ 	[USB_ENDPOINT_XFER_INT] = 1024,
+ };
+ 
+-static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
+-    int asnum, struct usb_host_interface *ifp, int num_ep,
+-    unsigned char *buffer, int size)
++static bool endpoint_is_duplicate(struct usb_endpoint_descriptor *e1,
++		struct usb_endpoint_descriptor *e2)
++{
++	if (e1->bEndpointAddress == e2->bEndpointAddress)
++		return true;
++
++	if (usb_endpoint_xfer_control(e1) || usb_endpoint_xfer_control(e2)) {
++		if (usb_endpoint_num(e1) == usb_endpoint_num(e2))
++			return true;
++	}
++
++	return false;
++}
++
++/*
++ * Check for duplicate endpoint addresses in other interfaces and in the
++ * altsetting currently being parsed.
++ */
++static bool config_endpoint_is_duplicate(struct usb_host_config *config,
++		int inum, int asnum, struct usb_endpoint_descriptor *d)
++{
++	struct usb_endpoint_descriptor *epd;
++	struct usb_interface_cache *intfc;
++	struct usb_host_interface *alt;
++	int i, j, k;
++
++	for (i = 0; i < config->desc.bNumInterfaces; ++i) {
++		intfc = config->intf_cache[i];
++
++		for (j = 0; j < intfc->num_altsetting; ++j) {
++			alt = &intfc->altsetting[j];
++
++			if (alt->desc.bInterfaceNumber == inum &&
++					alt->desc.bAlternateSetting != asnum)
++				continue;
++
++			for (k = 0; k < alt->desc.bNumEndpoints; ++k) {
++				epd = &alt->endpoint[k].desc;
++
++				if (endpoint_is_duplicate(epd, d))
++					return true;
++			}
++		}
++	}
++
++	return false;
++}
++
++static int usb_parse_endpoint(struct device *ddev, int cfgno,
++		struct usb_host_config *config, int inum, int asnum,
++		struct usb_host_interface *ifp, int num_ep,
++		unsigned char *buffer, int size)
+ {
+ 	unsigned char *buffer0 = buffer;
+ 	struct usb_endpoint_descriptor *d;
+@@ -208,13 +257,10 @@ static int usb_parse_endpoint(struct dev
+ 		goto skip_to_next_endpoint_or_interface_descriptor;
+ 
+ 	/* Check for duplicate endpoint addresses */
+-	for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+-		if (ifp->endpoint[i].desc.bEndpointAddress ==
+-		    d->bEndpointAddress) {
+-			dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+-			    cfgno, inum, asnum, d->bEndpointAddress);
+-			goto skip_to_next_endpoint_or_interface_descriptor;
+-		}
++	if (config_endpoint_is_duplicate(config, inum, asnum, d)) {
++		dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
++				cfgno, inum, asnum, d->bEndpointAddress);
++		goto skip_to_next_endpoint_or_interface_descriptor;
+ 	}
+ 
+ 	endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+@@ -481,8 +527,8 @@ static int usb_parse_interface(struct de
+ 		if (((struct usb_descriptor_header *) buffer)->bDescriptorType
+ 		     == USB_DT_INTERFACE)
+ 			break;
+-		retval = usb_parse_endpoint(ddev, cfgno, inum, asnum, alt,
+-		    num_ep, buffer, size);
++		retval = usb_parse_endpoint(ddev, cfgno, config, inum, asnum,
++				alt, num_ep, buffer, size);
+ 		if (retval < 0)
+ 			return retval;
+ 		++n;
diff --git a/queue-3.16/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch b/queue-3.16/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch
new file mode 100644
index 0000000..9116a20
--- /dev/null
+++ b/queue-3.16/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch
@@ -0,0 +1,61 @@
+From: Keiya Nobuta <nobuta.keiya@fujitsu.com>
+Date: Thu, 9 Jan 2020 14:14:48 +0900
+Subject: usb: core: hub: Improved device recognition on remote wakeup
+
+commit 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 upstream.
+
+If hub_activate() is called before D+ has stabilized after remote
+wakeup, the following situation might occur:
+
+         __      ___________________
+        /  \    /
+D+   __/    \__/
+
+Hub  _______________________________
+          |  ^   ^           ^
+          |  |   |           |
+Host _____v__|___|___________|______
+          |  |   |           |
+          |  |   |           \-- Interrupt Transfer (*3)
+          |  |    \-- ClearPortFeature (*2)
+          |   \-- GetPortStatus (*1)
+          \-- Host detects remote wakeup
+
+- D+ goes high, Host starts running by remote wakeup
+- D+ is not stable, goes low
+- Host requests GetPortStatus at (*1) and gets the following hub status:
+  - Current Connect Status bit is 0
+  - Connect Status Change bit is 1
+- D+ stabilizes, goes high
+- Host requests ClearPortFeature and thus Connect Status Change bit is
+  cleared at (*2)
+- After waiting 100 ms, Host starts the Interrupt Transfer at (*3)
+- Since the Connect Status Change bit is 0, Hub returns NAK.
+
+In this case, port_event() is not called in hub_event() and Host cannot
+recognize device. To solve this issue, flag change_bits even if only
+Connect Status Change bit is 1 when got in the first GetPortStatus.
+
+This issue occurs rarely because it only if D+ changes during a very
+short time between GetPortStatus and ClearPortFeature. However, it is
+fatal if it occurs in embedded system.
+
+Signed-off-by: Keiya Nobuta <nobuta.keiya@fujitsu.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20200109051448.28150-1-nobuta.keiya@fujitsu.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/core/hub.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1125,6 +1125,7 @@ static void hub_activate(struct usb_hub
+ 			 * PORT_OVER_CURRENT is not. So check for any of them.
+ 			 */
+ 			if (udev || (portstatus & USB_PORT_STAT_CONNECTION) ||
++			    (portchange & USB_PORT_STAT_C_CONNECTION) ||
+ 			    (portstatus & USB_PORT_STAT_OVERCURRENT) ||
+ 			    (portchange & USB_PORT_STAT_C_OVERCURRENT))
+ 				set_bit(port1, hub->change_bits);
diff --git a/queue-3.16/usb-core-urb-fix-urb-structure-initialization-function.patch b/queue-3.16/usb-core-urb-fix-urb-structure-initialization-function.patch
new file mode 100644
index 0000000..1aee8be
--- /dev/null
+++ b/queue-3.16/usb-core-urb-fix-urb-structure-initialization-function.patch
@@ -0,0 +1,30 @@
+From: Emiliano Ingrassia <ingrassia@epigenesys.com>
+Date: Wed, 27 Nov 2019 17:03:55 +0100
+Subject: usb: core: urb: fix URB structure initialization function
+
+commit 1cd17f7f0def31e3695501c4f86cd3faf8489840 upstream.
+
+Explicitly initialize URB structure urb_list field in usb_init_urb().
+This field can be potentially accessed uninitialized and its
+initialization is coherent with the usage of list_del_init() in
+usb_hcd_unlink_urb_from_ep() and usb_giveback_urb_bh() and its
+explicit initialization in usb_hcd_submit_urb() error path.
+
+Signed-off-by: Emiliano Ingrassia <ingrassia@epigenesys.com>
+Link: https://lore.kernel.org/r/20191127160355.GA27196@ingrassia.epigenesys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/core/urb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/urb.c
++++ b/drivers/usb/core/urb.c
+@@ -40,6 +40,7 @@ void usb_init_urb(struct urb *urb)
+ 	if (urb) {
+ 		memset(urb, 0, sizeof(*urb));
+ 		kref_init(&urb->kref);
++		INIT_LIST_HEAD(&urb->urb_list);
+ 		INIT_LIST_HEAD(&urb->anchor_list);
+ 	}
+ }
diff --git a/queue-3.16/usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch b/queue-3.16/usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch
new file mode 100644
index 0000000..200efac
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch
@@ -0,0 +1,34 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 1 Apr 2016 17:13:10 +0300
+Subject: usb: dwc3: pci: add ID for one more Intel Broxton platform
+
+commit 1ffb4d5cc78a3a99109ff0808ce6915de07a0588 upstream.
+
+BXT-M is a Intel Broxton SoC based platform with unique PCI ID.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16: adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -34,6 +34,7 @@
+ #define PCI_DEVICE_ID_INTEL_SPTLP	0x9d30
+ #define PCI_DEVICE_ID_INTEL_SPTH	0xa130
+ #define PCI_DEVICE_ID_INTEL_BXT		0x0aaa
++#define PCI_DEVICE_ID_INTEL_BXT_M	0x1aaa
+ #define PCI_DEVICE_ID_INTEL_APL		0x5aaa
+ 
+ struct dwc3_pci {
+@@ -194,6 +195,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
+ 	{  }	/* Terminating Entry */
+ };
diff --git a/queue-3.16/usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch b/queue-3.16/usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch
new file mode 100644
index 0000000..620de07
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch
@@ -0,0 +1,42 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Thu, 12 Dec 2019 12:37:13 +0300
+Subject: usb: dwc3: pci: add ID for the Intel Comet Lake -H variant
+
+commit 3c3caae4cd6e122472efcf64759ff6392fb6bce2 upstream.
+
+The original ID that was added for Comet Lake PCH was
+actually for the -LP (low power) variant even though the
+constant for it said CMLH. Changing that while at it.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Link: https://lore.kernel.org/r/20191212093713.60614-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16:
+ - No properties support
+ - Adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -37,7 +37,8 @@
+ #define PCI_DEVICE_ID_INTEL_BXT_M	0x1aaa
+ #define PCI_DEVICE_ID_INTEL_APL		0x5aaa
+ #define PCI_DEVICE_ID_INTEL_KBP		0xa2b0
+-#define PCI_DEVICE_ID_INTEL_CMLH	0x02ee
++#define PCI_DEVICE_ID_INTEL_CMLLP	0x02ee
++#define PCI_DEVICE_ID_INTEL_CMLH	0x06ee
+ #define PCI_DEVICE_ID_INTEL_GLK		0x31aa
+ #define PCI_DEVICE_ID_INTEL_CNPLP	0x9dee
+ #define PCI_DEVICE_ID_INTEL_CNPH	0xa36e
+@@ -200,6 +201,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CMLLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CMLH), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
diff --git a/queue-3.16/usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch b/queue-3.16/usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch
new file mode 100644
index 0000000..745dc4b
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch
@@ -0,0 +1,37 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 1 Apr 2016 17:13:13 +0300
+Subject: usb: dwc3: pci: add Intel Cannonlake PCI IDs
+
+commit 682179592e48fa66056fbad1a86604be4992f885 upstream.
+
+Intel Cannonlake PCH has the same DWC3 than Intel
+Sunrisepoint. Add the new IDs to the supported devices.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16: adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -38,6 +38,8 @@
+ #define PCI_DEVICE_ID_INTEL_APL		0x5aaa
+ #define PCI_DEVICE_ID_INTEL_KBP		0xa2b0
+ #define PCI_DEVICE_ID_INTEL_GLK		0x31aa
++#define PCI_DEVICE_ID_INTEL_CNPLP	0x9dee
++#define PCI_DEVICE_ID_INTEL_CNPH	0xa36e
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -201,6 +203,8 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPLP), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch b/queue-3.16/usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch
new file mode 100644
index 0000000..3efb5ad
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch
@@ -0,0 +1,35 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 1 Apr 2016 17:13:12 +0300
+Subject: usb: dwc3: pci: add Intel Gemini Lake PCI ID
+
+commit 8f8983a5683623b62b339d159573f95a1fce44f3 upstream.
+
+Intel Gemini Lake SoC has the same DWC3 than Broxton. Add
+the new ID to the supported Devices.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16: adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -37,6 +37,7 @@
+ #define PCI_DEVICE_ID_INTEL_BXT_M	0x1aaa
+ #define PCI_DEVICE_ID_INTEL_APL		0x5aaa
+ #define PCI_DEVICE_ID_INTEL_KBP		0xa2b0
++#define PCI_DEVICE_ID_INTEL_GLK		0x31aa
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -199,6 +200,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-intel-kabylake-pci-id.patch b/queue-3.16/usb-dwc3-pci-add-intel-kabylake-pci-id.patch
new file mode 100644
index 0000000..53491e1
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-intel-kabylake-pci-id.patch
@@ -0,0 +1,35 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 1 Apr 2016 17:13:11 +0300
+Subject: usb: dwc3: pci: add Intel Kabylake PCI ID
+
+commit 4491ed5042f0419b22a4b08331adb54af31e2caa upstream.
+
+Intel Kabylake PCH has the same DWC3 than Intel
+Sunrisepoint. Add the new ID to the supported devices.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16: adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -36,6 +36,7 @@
+ #define PCI_DEVICE_ID_INTEL_BXT		0x0aaa
+ #define PCI_DEVICE_ID_INTEL_BXT_M	0x1aaa
+ #define PCI_DEVICE_ID_INTEL_APL		0x5aaa
++#define PCI_DEVICE_ID_INTEL_KBP		0xa2b0
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -197,6 +198,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-pci-id-for-intel-braswell.patch b/queue-3.16/usb-dwc3-pci-add-pci-id-for-intel-braswell.patch
new file mode 100644
index 0000000..c0f6170
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-pci-id-for-intel-braswell.patch
@@ -0,0 +1,36 @@
+From: Alan Cox <alan@linux.intel.com>
+Date: Wed, 24 Sep 2014 10:40:25 +0300
+Subject: usb: dwc3: pci: Add PCI ID for Intel Braswell
+
+commit 7d643664ea559b36188cae264047ce3c9bfec3a2 upstream.
+
+The device controller is the same but it has different PCI ID. Add this new
+ID to the driver's list of supported IDs.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -30,6 +30,7 @@
+ #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3	0xabcd
+ #define PCI_DEVICE_ID_INTEL_BYT		0x0f37
+ #define PCI_DEVICE_ID_INTEL_MRFLD	0x119e
++#define PCI_DEVICE_ID_INTEL_BSW		0x22B7
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -183,6 +184,7 @@ static const struct pci_device_id dwc3_p
+ 		PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
+ 				PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3),
+ 	},
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
+ 	{  }	/* Terminating Entry */
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch b/queue-3.16/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch
new file mode 100644
index 0000000..f646d56
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch
@@ -0,0 +1,35 @@
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Thu, 31 Jan 2019 11:04:19 +0200
+Subject: usb: dwc3: pci: add support for Comet Lake PCH ID
+
+commit 7ae622c978db6b2e28b4fced6ecd2a174492059d upstream.
+
+This patch simply adds a new PCI Device ID
+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16:
+ - No properties support
+ - Adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -37,6 +37,7 @@
+ #define PCI_DEVICE_ID_INTEL_BXT_M	0x1aaa
+ #define PCI_DEVICE_ID_INTEL_APL		0x5aaa
+ #define PCI_DEVICE_ID_INTEL_KBP		0xa2b0
++#define PCI_DEVICE_ID_INTEL_CMLH	0x02ee
+ #define PCI_DEVICE_ID_INTEL_GLK		0x31aa
+ #define PCI_DEVICE_ID_INTEL_CNPLP	0x9dee
+ #define PCI_DEVICE_ID_INTEL_CNPH	0xa36e
+@@ -197,6 +198,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CMLH), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-broxton-soc.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-broxton-soc.patch
new file mode 100644
index 0000000..12f4ee5
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-broxton-soc.patch
@@ -0,0 +1,36 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Wed, 21 Oct 2015 14:37:04 +0300
+Subject: usb: dwc3: pci: add support for Intel Broxton SOC
+
+commit b4c580a43d520b7812c0fd064fbab929ce2f1da0 upstream.
+
+PCI IDs for Broxton based platforms.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+[bwh: Backported to 3.16: adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -33,6 +33,8 @@
+ #define PCI_DEVICE_ID_INTEL_BSW		0x22B7
+ #define PCI_DEVICE_ID_INTEL_SPTLP	0x9d30
+ #define PCI_DEVICE_ID_INTEL_SPTH	0xa130
++#define PCI_DEVICE_ID_INTEL_BXT		0x0aaa
++#define PCI_DEVICE_ID_INTEL_APL		0x5aaa
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -191,6 +193,8 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch
new file mode 100644
index 0000000..1bba546
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch
@@ -0,0 +1,35 @@
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Mon, 11 Jun 2018 11:21:12 +0300
+Subject: usb: dwc3: pci: Add Support for Intel Elkhart Lake Devices
+
+commit dbb0569de852fb4576d6f62078d515f989a181ca upstream.
+
+This patch simply adds a new PCI Device ID
+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16:
+ - No properties support
+ - Adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -42,6 +42,7 @@
+ #define PCI_DEVICE_ID_INTEL_CNPLP	0x9dee
+ #define PCI_DEVICE_ID_INTEL_CNPH	0xa36e
+ #define PCI_DEVICE_ID_INTEL_ICLLP	0x34ee
++#define PCI_DEVICE_ID_INTEL_EHLLP	0x4b7e
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -209,6 +210,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICLLP), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_EHLLP), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-icelake.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-icelake.patch
new file mode 100644
index 0000000..738c242
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-icelake.patch
@@ -0,0 +1,34 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Thu, 15 Jun 2017 12:57:30 +0300
+Subject: usb: dwc3: pci: add support for Intel IceLake
+
+commit 00908693c481f7298adf8cf4d2ff3dfbea8c375f upstream.
+
+PCI IDs for Intel IceLake.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16: adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -40,6 +40,7 @@
+ #define PCI_DEVICE_ID_INTEL_GLK		0x31aa
+ #define PCI_DEVICE_ID_INTEL_CNPLP	0x9dee
+ #define PCI_DEVICE_ID_INTEL_CNPH	0xa36e
++#define PCI_DEVICE_ID_INTEL_ICLLP	0x34ee
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -205,6 +206,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICLLP), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch
new file mode 100644
index 0000000..b8764e3
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch
@@ -0,0 +1,36 @@
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Thu, 18 Dec 2014 16:39:14 +0200
+Subject: usb: dwc3: pci: add support for Intel Sunrise Point PCH
+
+commit 84a2b61b6eb94036093531cdabc448dddfbae45a upstream.
+
+Add PCI IDs for Intel Sunrise Point PCH.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -31,6 +31,8 @@
+ #define PCI_DEVICE_ID_INTEL_BYT		0x0f37
+ #define PCI_DEVICE_ID_INTEL_MRFLD	0x119e
+ #define PCI_DEVICE_ID_INTEL_BSW		0x22B7
++#define PCI_DEVICE_ID_INTEL_SPTLP	0x9d30
++#define PCI_DEVICE_ID_INTEL_SPTH	0xa130
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -187,6 +189,8 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-tigerlake-devices.patch b/queue-3.16/usb-dwc3-pci-add-support-for-tigerlake-devices.patch
new file mode 100644
index 0000000..a509bf4
--- /dev/null
+++ b/queue-3.16/usb-dwc3-pci-add-support-for-tigerlake-devices.patch
@@ -0,0 +1,35 @@
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Wed, 13 Dec 2017 16:03:22 +0200
+Subject: usb: dwc3: pci: add support for TigerLake Devices
+
+commit b3649dee5fbb0f6585010e6e9313dfcbb075b22b upstream.
+
+This patch adds the necessary PCI ID for TGP-LP devices.
+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16:
+ - No properties support
+ - Adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -43,6 +43,7 @@
+ #define PCI_DEVICE_ID_INTEL_CNPH	0xa36e
+ #define PCI_DEVICE_ID_INTEL_ICLLP	0x34ee
+ #define PCI_DEVICE_ID_INTEL_EHLLP	0x4b7e
++#define PCI_DEVICE_ID_INTEL_TGPLP	0xa0ee
+ 
+ struct dwc3_pci {
+ 	struct device		*dev;
+@@ -211,6 +212,7 @@ static const struct pci_device_id dwc3_p
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICLLP), },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_EHLLP), },
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGPLP), },
+ 	{  }	/* Terminating Entry */
+ };
+ MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch b/queue-3.16/usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch
new file mode 100644
index 0000000..04737e6
--- /dev/null
+++ b/queue-3.16/usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch
@@ -0,0 +1,81 @@
+From: Erkka Talvitie <erkka.talvitie@vincit.fi>
+Date: Wed, 11 Dec 2019 10:08:39 +0200
+Subject: USB: EHCI: Do not return -EPIPE when hub is disconnected
+
+commit 64cc3f12d1c7dd054a215bc1ff9cc2abcfe35832 upstream.
+
+When disconnecting a USB hub that has some child device(s) connected to it
+(such as a USB mouse), then the stack tries to clear halt and
+reset device(s) which are _already_ physically disconnected.
+
+The issue has been reproduced with:
+
+CPU: IMX6D5EYM10AD or MCIMX6D5EYM10AE.
+SW: U-Boot 2019.07 and kernel 4.19.40.
+
+CPU: HP Proliant Microserver Gen8.
+SW: Linux version 4.2.3-300.fc23.x86_64
+
+In this situation there will be error bit for MMF active yet the
+CERR equals EHCI_TUNE_CERR + halt. Existing implementation
+interprets this as a stall [1] (chapter 8.4.5).
+
+The possible conditions when the MMF will be active + halt
+can be found from [2] (Table 4-13).
+
+Fix for the issue is to check whether MMF is active and PID Code is
+IN before checking for the stall. If these conditions are true then
+it is not a stall.
+
+What happens after the fix is that when disconnecting a hub with
+attached device(s) the situation is not interpret as a stall.
+
+[1] [https://www.usb.org/document-library/usb-20-specification, usb_20.pdf]
+[2] [https://www.intel.com/content/dam/www/public/us/en/documents/
+     technical-specifications/ehci-specification-for-usb.pdf]
+
+Signed-off-by: Erkka Talvitie <erkka.talvitie@vincit.fi>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/ef70941d5f349767f19c0ed26b0dd9eed8ad81bb.1576050523.git.erkka.talvitie@vincit.fi
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/host/ehci-q.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -40,6 +40,10 @@
+ 
+ /*-------------------------------------------------------------------------*/
+ 
++/* PID Codes that are used here, from EHCI specification, Table 3-16. */
++#define PID_CODE_IN    1
++#define PID_CODE_SETUP 2
++
+ /* fill a qtd, returning how much of the buffer we were able to queue up */
+ 
+ static int
+@@ -199,7 +203,7 @@ static int qtd_copy_status (
+ 	int	status = -EINPROGRESS;
+ 
+ 	/* count IN/OUT bytes, not SETUP (even short packets) */
+-	if (likely (QTD_PID (token) != 2))
++	if (likely(QTD_PID(token) != PID_CODE_SETUP))
+ 		urb->actual_length += length - QTD_LENGTH (token);
+ 
+ 	/* don't modify error codes */
+@@ -215,6 +219,13 @@ static int qtd_copy_status (
+ 		if (token & QTD_STS_BABBLE) {
+ 			/* FIXME "must" disable babbling device's port too */
+ 			status = -EOVERFLOW;
++		/*
++		 * When MMF is active and PID Code is IN, queue is halted.
++		 * EHCI Specification, Table 4-13.
++		 */
++		} else if ((token & QTD_STS_MMF) &&
++					(QTD_PID(token) == PID_CODE_IN)) {
++			status = -EPROTO;
+ 		/* CERR nonzero + halt --> stall */
+ 		} else if (QTD_CERR(token)) {
+ 			status = -EPIPE;
diff --git a/queue-3.16/usb-idmouse-fix-interface-sanity-checks.patch b/queue-3.16/usb-idmouse-fix-interface-sanity-checks.patch
new file mode 100644
index 0000000..ad6e7e7
--- /dev/null
+++ b/queue-3.16/usb-idmouse-fix-interface-sanity-checks.patch
@@ -0,0 +1,32 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:26:00 +0100
+Subject: USB: idmouse: fix interface sanity checks
+
+commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/misc/idmouse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -342,7 +342,7 @@ static int idmouse_probe(struct usb_inte
+ 	int result;
+ 
+ 	/* check if we have gotten the data or the hid interface */
+-	iface_desc = &interface->altsetting[0];
++	iface_desc = interface->cur_altsetting;
+ 	if (iface_desc->desc.bInterfaceClass != 0x0A)
+ 		return -ENODEV;
+ 
diff --git a/queue-3.16/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch b/queue-3.16/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
new file mode 100644
index 0000000..71064e7
--- /dev/null
+++ b/queue-3.16/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
@@ -0,0 +1,100 @@
+From: Pete Zaitcev <zaitcev@redhat.com>
+Date: Wed, 4 Dec 2019 20:39:41 -0600
+Subject: usb: mon: Fix a deadlock in usbmon between mmap and read
+
+commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream.
+
+The problem arises because our read() function grabs a lock of the
+circular buffer, finds something of interest, then invokes copy_to_user()
+straight from the buffer, which in turn takes mm->mmap_sem. In the same
+time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem.
+It attempts to take the fetch lock and deadlocks.
+
+This patch does away with protecting of our page list with any
+semaphores, and instead relies on the kernel not close the device
+while mmap is active in a process.
+
+In addition, we prohibit re-sizing of a buffer while mmap is active.
+This way, when (now unlocked) fault is processed, it works with the
+page that is intended to be mapped-in, and not some other random page.
+Note that this may have an ABI impact, but hopefully no legitimate
+program is this wrong.
+
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
+Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/mon/mon_bin.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1034,12 +1034,18 @@ static long mon_bin_ioctl(struct file *f
+ 
+ 		mutex_lock(&rp->fetch_lock);
+ 		spin_lock_irqsave(&rp->b_lock, flags);
+-		mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
+-		kfree(rp->b_vec);
+-		rp->b_vec  = vec;
+-		rp->b_size = size;
+-		rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
+-		rp->cnt_lost = 0;
++		if (rp->mmap_active) {
++			mon_free_buff(vec, size/CHUNK_SIZE);
++			kfree(vec);
++			ret = -EBUSY;
++		} else {
++			mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
++			kfree(rp->b_vec);
++			rp->b_vec  = vec;
++			rp->b_size = size;
++			rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
++			rp->cnt_lost = 0;
++		}
+ 		spin_unlock_irqrestore(&rp->b_lock, flags);
+ 		mutex_unlock(&rp->fetch_lock);
+ 		}
+@@ -1211,13 +1217,21 @@ mon_bin_poll(struct file *file, struct p
+ static void mon_bin_vma_open(struct vm_area_struct *vma)
+ {
+ 	struct mon_reader_bin *rp = vma->vm_private_data;
++	unsigned long flags;
++
++	spin_lock_irqsave(&rp->b_lock, flags);
+ 	rp->mmap_active++;
++	spin_unlock_irqrestore(&rp->b_lock, flags);
+ }
+ 
+ static void mon_bin_vma_close(struct vm_area_struct *vma)
+ {
++	unsigned long flags;
++
+ 	struct mon_reader_bin *rp = vma->vm_private_data;
++	spin_lock_irqsave(&rp->b_lock, flags);
+ 	rp->mmap_active--;
++	spin_unlock_irqrestore(&rp->b_lock, flags);
+ }
+ 
+ /*
+@@ -1229,16 +1243,12 @@ static int mon_bin_vma_fault(struct vm_a
+ 	unsigned long offset, chunk_idx;
+ 	struct page *pageptr;
+ 
+-	mutex_lock(&rp->fetch_lock);
+ 	offset = vmf->pgoff << PAGE_SHIFT;
+-	if (offset >= rp->b_size) {
+-		mutex_unlock(&rp->fetch_lock);
++	if (offset >= rp->b_size)
+ 		return VM_FAULT_SIGBUS;
+-	}
+ 	chunk_idx = offset / CHUNK_SIZE;
+ 	pageptr = rp->b_vec[chunk_idx].pg;
+ 	get_page(pageptr);
+-	mutex_unlock(&rp->fetch_lock);
+ 	vmf->page = pageptr;
+ 	return 0;
+ }
diff --git a/queue-3.16/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch b/queue-3.16/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
new file mode 100644
index 0000000..4505a72
--- /dev/null
+++ b/queue-3.16/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
@@ -0,0 +1,31 @@
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 16 Dec 2019 10:18:43 -0600
+Subject: usb: musb: dma: Correct parameter passed to IRQ handler
+
+commit c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 upstream.
+
+The IRQ handler was passed a pointer to a struct dma_controller, but the
+argument was then casted to a pointer to a struct musb_dma_controller.
+
+Fixes: 427c4f333474 ("usb: struct device - replace bus_id with dev_name(), dev_set_name()")
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: Artur Rojek <contact@artur-rojek.eu>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Link: https://lore.kernel.org/r/20191216161844.772-2-b-liu@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/musb/musbhsdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musbhsdma.c
++++ b/drivers/usb/musb/musbhsdma.c
+@@ -396,7 +396,7 @@ struct dma_controller *dma_controller_cr
+ 	controller->controller.channel_abort = dma_channel_abort;
+ 
+ 	if (request_irq(irq, dma_controller_irq, 0,
+-			dev_name(musb->controller), &controller->controller)) {
++			dev_name(musb->controller), controller)) {
+ 		dev_err(dev, "request_irq %d failed!\n", irq);
+ 		dma_controller_destroy(&controller->controller);
+ 
diff --git a/queue-3.16/usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch b/queue-3.16/usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch
new file mode 100644
index 0000000..2cd3834
--- /dev/null
+++ b/queue-3.16/usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch
@@ -0,0 +1,142 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 3 Feb 2020 16:38:29 +0100
+Subject: USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
+
+commit bdd1b147b8026df0e4260b387026b251d888ed01 upstream.
+
+This device has a broken vendor-specific altsetting for interface 1,
+where endpoint 0x85 is declared as an isochronous endpoint despite being
+used by interface 2 for audio capture.
+
+Device Descriptor:
+  bLength                18
+  bDescriptorType         1
+  bcdUSB               2.00
+  bDeviceClass          239 Miscellaneous Device
+  bDeviceSubClass         2
+  bDeviceProtocol         1 Interface Association
+  bMaxPacketSize0        64
+  idVendor           0x0926
+  idProduct          0x0202
+  bcdDevice            1.00
+  iManufacturer           1 Sound Devices
+  iProduct                2 USBPre2
+  iSerial                 3 [...]
+  bNumConfigurations      1
+
+[...]
+
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        1
+      bAlternateSetting       3
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass      0
+      bInterfaceProtocol      0
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x85  EP 5 IN
+        bmAttributes            5
+          Transfer Type            Isochronous
+          Synch Type               Asynchronous
+          Usage Type               Data
+        wMaxPacketSize     0x0126  1x 294 bytes
+        bInterval               1
+
+[...]
+
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        2
+      bAlternateSetting       1
+      bNumEndpoints           1
+      bInterfaceClass         1 Audio
+      bInterfaceSubClass      2 Streaming
+      bInterfaceProtocol      0
+      iInterface              0
+      AudioStreaming Interface Descriptor:
+        bLength                 7
+        bDescriptorType        36
+        bDescriptorSubtype      1 (AS_GENERAL)
+        bTerminalLink           4
+        bDelay                  1 frames
+        wFormatTag         0x0001 PCM
+      AudioStreaming Interface Descriptor:
+        bLength                26
+        bDescriptorType        36
+        bDescriptorSubtype      2 (FORMAT_TYPE)
+        bFormatType             1 (FORMAT_TYPE_I)
+        bNrChannels             2
+        bSubframeSize           2
+        bBitResolution         16
+        bSamFreqType            6 Discrete
+        tSamFreq[ 0]         8000
+        tSamFreq[ 1]        16000
+        tSamFreq[ 2]        24000
+        tSamFreq[ 3]        32000
+        tSamFreq[ 4]        44100
+        tSamFreq[ 5]        48000
+      Endpoint Descriptor:
+        bLength                 9
+        bDescriptorType         5
+        bEndpointAddress     0x85  EP 5 IN
+        bmAttributes            5
+          Transfer Type            Isochronous
+          Synch Type               Asynchronous
+          Usage Type               Data
+        wMaxPacketSize     0x0126  1x 294 bytes
+        bInterval               4
+        bRefresh                0
+        bSynchAddress           0
+        AudioStreaming Endpoint Descriptor:
+          bLength                 7
+          bDescriptorType        37
+          bDescriptorSubtype      1 (EP_GENERAL)
+          bmAttributes         0x01
+            Sampling Frequency
+          bLockDelayUnits         2 Decoded PCM samples
+          wLockDelay         0x0000
+
+Since commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate
+endpoints") USB core ignores any duplicate endpoints found during
+descriptor parsing, but in this case we need to ignore the first
+instance in order to avoid breaking the audio capture interface.
+
+Fixes: 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints")
+Reported-by: edes <edes@gmx.net>
+Tested-by: edes <edes@gmx.net>
+Link: https://lore.kernel.org/r/20200201105829.5682c887@acme7.acmenet
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20200203153830.26394-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/core/quirks.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -206,6 +206,10 @@ static const struct usb_device_id usb_qu
+ 	{ USB_DEVICE(0x0904, 0x6103), .driver_info =
+ 			USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
+ 
++	/* Sound Devices USBPre2 */
++	{ USB_DEVICE(0x0926, 0x0202), .driver_info =
++			USB_QUIRK_ENDPOINT_BLACKLIST },
++
+ 	/* Keytouch QWERTY Panel keyboard */
+ 	{ USB_DEVICE(0x0926, 0x3333), .driver_info =
+ 			USB_QUIRK_CONFIG_INTF_STRINGS },
+@@ -325,6 +329,7 @@ static const struct usb_device_id usb_am
+  * Matched for devices with USB_QUIRK_ENDPOINT_BLACKLIST.
+  */
+ static const struct usb_device_id usb_endpoint_blacklist[] = {
++	{ USB_DEVICE_INTERFACE_NUMBER(0x0926, 0x0202, 1), .driver_info = 0x85 },
+ 	{ }
+ };
+ 
diff --git a/queue-3.16/usb-serial-ch341-handle-unbound-port-at-reset_resume.patch b/queue-3.16/usb-serial-ch341-handle-unbound-port-at-reset_resume.patch
new file mode 100644
index 0000000..9c61836
--- /dev/null
+++ b/queue-3.16/usb-serial-ch341-handle-unbound-port-at-reset_resume.patch
@@ -0,0 +1,35 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Jan 2020 10:50:22 +0100
+Subject: USB: serial: ch341: handle unbound port at reset_resume
+
+commit 4d5ef53f75c22d28f490bcc5c771fcc610a9afa4 upstream.
+
+Check for NULL port data in reset_resume() to avoid dereferencing a NULL
+pointer in case the port device isn't bound to a driver (e.g. after a
+failed control request at port probe).
+
+Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after resume")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/ch341.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -571,9 +571,13 @@ static int ch341_tiocmget(struct tty_str
+ static int ch341_reset_resume(struct usb_serial *serial)
+ {
+ 	struct usb_serial_port *port = serial->port[0];
+-	struct ch341_private *priv = usb_get_serial_port_data(port);
++	struct ch341_private *priv;
+ 	int ret;
+ 
++	priv = usb_get_serial_port_data(port);
++	if (!priv)
++		return 0;
++
+ 	/* reconfigure ch341 serial port after bus-reset */
+ 	ch341_configure(serial->dev, priv);
+ 
diff --git a/queue-3.16/usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch b/queue-3.16/usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch
new file mode 100644
index 0000000..03f0646
--- /dev/null
+++ b/queue-3.16/usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch
@@ -0,0 +1,62 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Jan 2020 10:50:24 +0100
+Subject: USB: serial: io_edgeport: add missing active-port sanity check
+
+commit 1568c58d11a7c851bd09341aeefd6a1c308ac40d upstream.
+
+The driver receives the active port number from the device, but never
+made sure that the port number was valid. This could lead to a
+NULL-pointer dereference or memory corruption in case a device sends
+data for an invalid port.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/io_edgeport.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -1666,7 +1666,8 @@ static void edge_break(struct tty_struct
+ static void process_rcvd_data(struct edgeport_serial *edge_serial,
+ 				unsigned char *buffer, __u16 bufferLength)
+ {
+-	struct device *dev = &edge_serial->serial->dev->dev;
++	struct usb_serial *serial = edge_serial->serial;
++	struct device *dev = &serial->dev->dev;
+ 	struct usb_serial_port *port;
+ 	struct edgeport_port *edge_port;
+ 	__u16 lastBufferLength;
+@@ -1771,9 +1772,8 @@ static void process_rcvd_data(struct edg
+ 
+ 			/* spit this data back into the tty driver if this
+ 			   port is open */
+-			if (rxLen) {
+-				port = edge_serial->serial->port[
+-							edge_serial->rxPort];
++			if (rxLen && edge_serial->rxPort < serial->num_ports) {
++				port = serial->port[edge_serial->rxPort];
+ 				edge_port = usb_get_serial_port_data(port);
+ 				if (edge_port && edge_port->open) {
+ 					dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n",
+@@ -1783,8 +1783,8 @@ static void process_rcvd_data(struct edg
+ 							rxLen);
+ 					edge_port->port->icount.rx += rxLen;
+ 				}
+-				buffer += rxLen;
+ 			}
++			buffer += rxLen;
+ 			break;
+ 
+ 		case EXPECT_HDR3:	/* Expect 3rd byte of status header */
+@@ -1819,6 +1819,8 @@ static void process_rcvd_status(struct e
+ 	__u8 code = edge_serial->rxStatusCode;
+ 
+ 	/* switch the port pointer to the one being currently talked about */
++	if (edge_serial->rxPort >= edge_serial->serial->num_ports)
++		return;
+ 	port = edge_serial->serial->port[edge_serial->rxPort];
+ 	edge_port = usb_get_serial_port_data(port);
+ 	if (edge_port == NULL) {
diff --git a/queue-3.16/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch b/queue-3.16/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
new file mode 100644
index 0000000..a28dcaf
--- /dev/null
+++ b/queue-3.16/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
@@ -0,0 +1,46 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:26:01 +0100
+Subject: USB: serial: io_edgeport: fix epic endpoint lookup
+
+commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream.
+
+Make sure to use the current alternate setting when looking up the
+endpoints on epic devices to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/io_edgeport.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -2859,16 +2859,18 @@ static int edge_startup(struct usb_seria
+ 	response = 0;
+ 
+ 	if (edge_serial->is_epic) {
++		struct usb_host_interface *alt;
++
++		alt = serial->interface->cur_altsetting;
++
+ 		/* EPIC thing, set up our interrupt polling now and our read
+ 		 * urb, so that the device knows it really is connected. */
+ 		interrupt_in_found = bulk_in_found = bulk_out_found = false;
+-		for (i = 0; i < serial->interface->altsetting[0]
+-						.desc.bNumEndpoints; ++i) {
++		for (i = 0; i < alt->desc.bNumEndpoints; ++i) {
+ 			struct usb_endpoint_descriptor *endpoint;
+ 			int buffer_size;
+ 
+-			endpoint = &serial->interface->altsetting[0].
+-							endpoint[i].desc;
++			endpoint = &alt->endpoint[i].desc;
+ 			buffer_size = usb_endpoint_maxp(endpoint);
+ 			if (!interrupt_in_found &&
+ 			    (usb_endpoint_is_int_in(endpoint))) {
diff --git a/queue-3.16/usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch b/queue-3.16/usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch
new file mode 100644
index 0000000..0fee93d
--- /dev/null
+++ b/queue-3.16/usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch
@@ -0,0 +1,41 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Jan 2020 10:50:23 +0100
+Subject: USB: serial: io_edgeport: handle unbound ports on URB completion
+
+commit e37d1aeda737a20b1846a91a3da3f8b0f00cf690 upstream.
+
+Check for NULL port data in the shared interrupt and bulk completion
+callbacks to avoid dereferencing a NULL pointer in case a device sends
+data for a port device which isn't bound to a driver (e.g. due to a
+malicious device having unexpected endpoints or after an allocation
+failure on port probe).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/io_edgeport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -638,7 +638,7 @@ static void edge_interrupt_callback(stru
+ 			if (txCredits) {
+ 				port = edge_serial->serial->port[portNumber];
+ 				edge_port = usb_get_serial_port_data(port);
+-				if (edge_port->open) {
++				if (edge_port && edge_port->open) {
+ 					spin_lock(&edge_port->ep_lock);
+ 					edge_port->txCredits += txCredits;
+ 					spin_unlock(&edge_port->ep_lock);
+@@ -1775,7 +1775,7 @@ static void process_rcvd_data(struct edg
+ 				port = edge_serial->serial->port[
+ 							edge_serial->rxPort];
+ 				edge_port = usb_get_serial_port_data(port);
+-				if (edge_port->open) {
++				if (edge_port && edge_port->open) {
+ 					dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n",
+ 						__func__, rxLen,
+ 						edge_serial->rxPort);
diff --git a/queue-3.16/usb-serial-keyspan-handle-unbound-ports.patch b/queue-3.16/usb-serial-keyspan-handle-unbound-ports.patch
new file mode 100644
index 0000000..3e810a6
--- /dev/null
+++ b/queue-3.16/usb-serial-keyspan-handle-unbound-ports.patch
@@ -0,0 +1,33 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Jan 2020 10:50:25 +0100
+Subject: USB: serial: keyspan: handle unbound ports
+
+commit 3018dd3fa114b13261e9599ddb5656ef97a1fa17 upstream.
+
+Check for NULL port data in the control URB completion handlers to avoid
+dereferencing a NULL pointer in the unlikely case where a port device
+isn't bound to a driver (e.g. after an allocation failure on port
+probe()).
+
+Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/keyspan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -962,6 +962,10 @@ static void usa67_glocont_callback(struc
+ 	for (i = 0; i < serial->num_ports; ++i) {
+ 		port = serial->port[i];
+ 		p_priv = usb_get_serial_port_data(port);
++		if (!p_priv)
++			continue;
++		if (!p_priv)
++			continue;
+ 
+ 		if (p_priv->resend_cont) {
+ 			dev_dbg(&port->dev, "%s - sending setup\n", __func__);
diff --git a/queue-3.16/usb-serial-opticon-fix-control-message-timeouts.patch b/queue-3.16/usb-serial-opticon-fix-control-message-timeouts.patch
new file mode 100644
index 0000000..f6597e2
--- /dev/null
+++ b/queue-3.16/usb-serial-opticon-fix-control-message-timeouts.patch
@@ -0,0 +1,34 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Jan 2020 18:22:13 +0100
+Subject: USB: serial: opticon: fix control-message timeouts
+
+commit 5e28055f340275a8616eee88ef19186631b4d136 upstream.
+
+The driver was issuing synchronous uninterruptible control requests
+without using a timeout. This could lead to the driver hanging
+on open() or tiocmset() due to a malfunctioning (or malicious) device
+until the device is physically disconnected.
+
+The USB upper limit of five seconds per request should be more than
+enough.
+
+Fixes: 309a057932ab ("USB: opticon: add rts and cts support")
+Cc: Martin Jansen <martin.jansen@opticon.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/opticon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/opticon.c
++++ b/drivers/usb/serial/opticon.c
+@@ -116,7 +116,7 @@ static int send_control_msg(struct usb_s
+ 	retval = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+ 				requesttype,
+ 				USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+-				0, 0, buffer, 1, 0);
++				0, 0, buffer, 1, USB_CTRL_SET_TIMEOUT);
+ 	kfree(buffer);
+ 
+ 	if (retval < 0)
diff --git a/queue-3.16/usb-serial-quatech2-handle-unbound-ports.patch b/queue-3.16/usb-serial-quatech2-handle-unbound-ports.patch
new file mode 100644
index 0000000..90034a0
--- /dev/null
+++ b/queue-3.16/usb-serial-quatech2-handle-unbound-ports.patch
@@ -0,0 +1,47 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Jan 2020 15:35:26 +0100
+Subject: USB: serial: quatech2: handle unbound ports
+
+commit 9715a43eea77e42678a1002623f2d9a78f5b81a1 upstream.
+
+Check for NULL port data in the modem- and line-status handlers to avoid
+dereferencing a NULL pointer in the unlikely case where a port device
+isn't bound to a driver (e.g. after an allocation failure on port
+probe).
+
+Note that the other (stubbed) event handlers qt2_process_xmit_empty()
+and qt2_process_flush() would need similar sanity checks in case they
+are ever implemented.
+
+Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/quatech2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/quatech2.c
++++ b/drivers/usb/serial/quatech2.c
+@@ -872,7 +872,10 @@ static void qt2_update_msr(struct usb_se
+ 	u8 newMSR = (u8) *ch;
+ 	unsigned long flags;
+ 
++	/* May be called from qt2_process_read_urb() for an unbound port. */
+ 	port_priv = usb_get_serial_port_data(port);
++	if (!port_priv)
++		return;
+ 
+ 	spin_lock_irqsave(&port_priv->lock, flags);
+ 	port_priv->shadowMSR = newMSR;
+@@ -900,7 +903,10 @@ static void qt2_update_lsr(struct usb_se
+ 	unsigned long flags;
+ 	u8 newLSR = (u8) *ch;
+ 
++	/* May be called from qt2_process_read_urb() for an unbound port. */
+ 	port_priv = usb_get_serial_port_data(port);
++	if (!port_priv)
++		return;
+ 
+ 	if (newLSR & UART_LSR_BI)
+ 		newLSR &= (u8) (UART_LSR_OE | UART_LSR_BI);
diff --git a/queue-3.16/usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch b/queue-3.16/usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch
new file mode 100644
index 0000000..310b5f5
--- /dev/null
+++ b/queue-3.16/usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch
@@ -0,0 +1,206 @@
+From: =?UTF-8?q?Jer=C3=B3nimo=20Borque?= <jeronimo@borque.com.ar>
+Date: Thu, 9 Jan 2020 12:23:34 -0300
+Subject: USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 260e41ac4dd3e5acb90be624c03ba7f019615b75 upstream.
+
+Add device-ids for the Motorola Solutions TETRA radios MTP3xxx series
+and MTP85xx series
+
+$ lsusb -vd 0cad:
+
+Bus 001 Device 009: ID 0cad:9015 Motorola CGISS TETRA PEI interface
+Device Descriptor:
+  bLength                18
+  bDescriptorType         1
+  bcdUSB               2.00
+  bDeviceClass            0
+  bDeviceSubClass         0
+  bDeviceProtocol         0
+  bMaxPacketSize0        64
+  idVendor           0x0cad Motorola CGISS
+  idProduct          0x9015
+  bcdDevice           24.16
+  iManufacturer           1
+  iProduct                2
+  iSerial                 0
+  bNumConfigurations      1
+  Configuration Descriptor:
+    bLength                 9
+    bDescriptorType         2
+    wTotalLength       0x0037
+    bNumInterfaces          2
+    bConfigurationValue     1
+    iConfiguration          3
+    bmAttributes         0x80
+      (Bus Powered)
+    MaxPower              500mA
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        0
+      bAlternateSetting       0
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass      0
+      bInterfaceProtocol      0
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x81  EP 1 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x01  EP 1 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               0
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        1
+      bAlternateSetting       0
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass      0
+      bInterfaceProtocol      0
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x82  EP 2 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x02  EP 2 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               0
+
+Bus 001 Device 010: ID 0cad:9013 Motorola CGISS TETRA PEI interface
+Device Descriptor:
+  bLength                18
+  bDescriptorType         1
+  bcdUSB               2.00
+  bDeviceClass            0
+  bDeviceSubClass         0
+  bDeviceProtocol         0
+  bMaxPacketSize0        64
+  idVendor           0x0cad Motorola CGISS
+  idProduct          0x9013
+  bcdDevice           24.16
+  iManufacturer           1
+  iProduct                2
+  iSerial                 0
+  bNumConfigurations      1
+  Configuration Descriptor:
+    bLength                 9
+    bDescriptorType         2
+    wTotalLength       0x0037
+    bNumInterfaces          2
+    bConfigurationValue     1
+    iConfiguration          3
+    bmAttributes         0x80
+      (Bus Powered)
+    MaxPower              500mA
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        0
+      bAlternateSetting       0
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass      0
+      bInterfaceProtocol      0
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x81  EP 1 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval               0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x01  EP 1 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval               0
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        1
+      bAlternateSetting       0
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass      0
+      bInterfaceProtocol      0
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x82  EP 2 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval               0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x02  EP 2 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval               0
+
+Signed-off-by: Jerónimo Borque <jeronimo@borque.com.ar>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/usb-serial-simple.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -89,6 +89,8 @@ DEVICE(moto_modem, MOTO_IDS);
+ #define MOTOROLA_TETRA_IDS()			\
+ 	{ USB_DEVICE(0x0cad, 0x9011) },	/* Motorola Solutions TETRA PEI */ \
+ 	{ USB_DEVICE(0x0cad, 0x9012) },	/* MTP6550 */ \
++	{ USB_DEVICE(0x0cad, 0x9013) },	/* MTP3xxx */ \
++	{ USB_DEVICE(0x0cad, 0x9015) },	/* MTP85xx */ \
+ 	{ USB_DEVICE(0x0cad, 0x9016) }	/* TPG2200 */
+ DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
+ 
diff --git a/queue-3.16/usb-serial-suppress-driver-bind-attributes.patch b/queue-3.16/usb-serial-suppress-driver-bind-attributes.patch
new file mode 100644
index 0000000..64778b2
--- /dev/null
+++ b/queue-3.16/usb-serial-suppress-driver-bind-attributes.patch
@@ -0,0 +1,36 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Jan 2020 17:07:05 +0100
+Subject: USB: serial: suppress driver bind attributes
+
+commit fdb838efa31e1ed9a13ae6ad0b64e30fdbd00570 upstream.
+
+USB-serial drivers must not be unbound from their ports before the
+corresponding USB driver is unbound from the parent interface so
+suppress the bind and unbind attributes.
+
+Unbinding a serial driver while it's port is open is a sure way to
+trigger a crash as any driver state is released on unbind while port
+hangup is handled on the parent USB interface level. Drivers for
+multiport devices where ports share a resource such as an interrupt
+endpoint also generally cannot handle individual ports going away.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/usb-serial.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/usb-serial.c
++++ b/drivers/usb/serial/usb-serial.c
+@@ -1337,6 +1337,9 @@ static int usb_serial_register(struct us
+ 		return -EINVAL;
+ 	}
+ 
++	/* Prevent individual ports from being unbound. */
++	driver->driver.suppress_bind_attrs = true;
++
+ 	usb_serial_operations_init(driver);
+ 
+ 	/* Add this device to our list of devices */
diff --git a/queue-3.16/usbip-fix-error-path-of-vhci_recv_ret_submit.patch b/queue-3.16/usbip-fix-error-path-of-vhci_recv_ret_submit.patch
new file mode 100644
index 0000000..a04869a
--- /dev/null
+++ b/queue-3.16/usbip-fix-error-path-of-vhci_recv_ret_submit.patch
@@ -0,0 +1,67 @@
+From: Suwan Kim <suwan.kim027@gmail.com>
+Date: Fri, 13 Dec 2019 11:30:55 +0900
+Subject: usbip: Fix error path of vhci_recv_ret_submit()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit aabb5b833872524eaf28f52187e5987984982264 upstream.
+
+If a transaction error happens in vhci_recv_ret_submit(), event
+handler closes connection and changes port status to kick hub_event.
+Then hub tries to flush the endpoint URBs, but that causes infinite
+loop between usb_hub_flush_endpoint() and vhci_urb_dequeue() because
+"vhci_priv" in vhci_urb_dequeue() was already released by
+vhci_recv_ret_submit() before a transmission error occurred. Thus,
+vhci_urb_dequeue() terminates early and usb_hub_flush_endpoint()
+continuously calls vhci_urb_dequeue().
+
+The root cause of this issue is that vhci_recv_ret_submit()
+terminates early without giving back URB when transaction error
+occurs in vhci_recv_ret_submit(). That causes the error URB to still
+be linked at endpoint list without “vhci_priv".
+
+So, in the case of transaction error in vhci_recv_ret_submit(),
+unlink URB from the endpoint, insert proper error code in
+urb->status and give back URB.
+
+Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20191213023055.19933-3-suwan.kim027@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/staging/usbip/vhci_rx.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/usbip/vhci_rx.c
++++ b/drivers/staging/usbip/vhci_rx.c
+@@ -88,16 +88,21 @@ static void vhci_recv_ret_submit(struct
+ 	usbip_pack_pdu(pdu, urb, USBIP_RET_SUBMIT, 0);
+ 
+ 	/* recv transfer buffer */
+-	if (usbip_recv_xbuff(ud, urb) < 0)
+-		return;
++	if (usbip_recv_xbuff(ud, urb) < 0) {
++		urb->status = -EPROTO;
++		goto error;
++	}
+ 
+ 	/* recv iso_packet_descriptor */
+-	if (usbip_recv_iso(ud, urb) < 0)
+-		return;
++	if (usbip_recv_iso(ud, urb) < 0) {
++		urb->status = -EPROTO;
++		goto error;
++	}
+ 
+ 	/* restore the padding in iso packets */
+ 	usbip_pad_iso(ud, urb);
+ 
++error:
+ 	if (usbip_dbg_flag_vhci_rx)
+ 		usbip_dump_urb(urb);
+ 
diff --git a/queue-3.16/vfs-fix-do_last-regression.patch b/queue-3.16/vfs-fix-do_last-regression.patch
new file mode 100644
index 0000000..405b4ab
--- /dev/null
+++ b/queue-3.16/vfs-fix-do_last-regression.patch
@@ -0,0 +1,58 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 1 Feb 2020 16:26:45 +0000
+Subject: vfs: fix do_last() regression
+
+commit 6404674acd596de41fd3ad5f267b4525494a891a upstream.
+
+Brown paperbag time: fetching ->i_uid/->i_mode really should've been
+done from nd->inode.  I even suggested that, but the reason for that has
+slipped through the cracks and I went for dir->d_inode instead - made
+for more "obvious" patch.
+
+Analysis:
+
+ - at the entry into do_last() and all the way to step_into(): dir (aka
+   nd->path.dentry) is known not to have been freed; so's nd->inode and
+   it's equal to dir->d_inode unless we are already doomed to -ECHILD.
+   inode of the file to get opened is not known.
+
+ - after step_into(): inode of the file to get opened is known; dir
+   might be pointing to freed memory/be negative/etc.
+
+ - at the call of may_create_in_sticky(): guaranteed to be out of RCU
+   mode; inode of the file to get opened is known and pinned; dir might
+   be garbage.
+
+The last was the reason for the original patch.  Except that at the
+do_last() entry we can be in RCU mode and it is possible that
+nd->path.dentry->d_inode has already changed under us.
+
+In that case we are going to fail with -ECHILD, but we need to be
+careful; nd->inode is pointing to valid struct inode and it's the same
+as nd->path.dentry->d_inode in "won't fail with -ECHILD" case, so we
+should use that.
+
+Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)" <tommi.t.rantala@nokia.com>
+Reported-by: syzbot+190005201ced78a74ad6@syzkaller.appspotmail.com
+Wearing-brown-paperbag: Al Viro <viro@zeniv.linux.org.uk>
+Fixes: d0cb50185ae9 ("do_last(): fetch directory ->i_mode and ->i_uid before it's too late")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2945,8 +2945,8 @@ static int do_last(struct nameidata *nd,
+ 		   int *opened, struct filename *name)
+ {
+ 	struct dentry *dir = nd->path.dentry;
+-	kuid_t dir_uid = dir->d_inode->i_uid;
+-	umode_t dir_mode = dir->d_inode->i_mode;
++	kuid_t dir_uid = nd->inode->i_uid;
++	umode_t dir_mode = nd->inode->i_mode;
+ 	int open_flag = op->open_flag;
+ 	bool will_truncate = (open_flag & O_TRUNC) != 0;
+ 	bool got_write = false;
diff --git a/queue-3.16/virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch b/queue-3.16/virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch
new file mode 100644
index 0000000..13a6cef
--- /dev/null
+++ b/queue-3.16/virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch
@@ -0,0 +1,153 @@
+From: David Hildenbrand <david@redhat.com>
+Date: Wed, 11 Dec 2019 12:11:52 +0100
+Subject: virtio-balloon: fix managed page counts when migrating pages between
+ zones
+
+commit 63341ab03706e11a31e3dd8ccc0fbc9beaf723f0 upstream.
+
+In case we have to migrate a ballon page to a newpage of another zone, the
+managed page count of both zones is wrong. Paired with memory offlining
+(which will adjust the managed page count), we can trigger kernel crashes
+and all kinds of different symptoms.
+
+One way to reproduce:
+1. Start a QEMU guest with 4GB, no NUMA
+2. Hotplug a 1GB DIMM and online the memory to ZONE_NORMAL
+3. Inflate the balloon to 1GB
+4. Unplug the DIMM (be quick, otherwise unmovable data ends up on it)
+5. Observe /proc/zoneinfo
+  Node 0, zone   Normal
+    pages free     16810
+          min      24848885473806
+          low      18471592959183339
+          high     36918337032892872
+          spanned  262144
+          present  262144
+          managed  18446744073709533486
+6. Do anything that requires some memory (e.g., inflate the balloon some
+more). The OOM goes crazy and the system crashes
+  [  238.324946] Out of memory: Killed process 537 (login) total-vm:27584kB, anon-rss:860kB, file-rss:0kB, shmem-rss:00
+  [  238.338585] systemd invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
+  [  238.339420] CPU: 0 PID: 1 Comm: systemd Tainted: G      D W         5.4.0-next-20191204+ #75
+  [  238.340139] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu4
+  [  238.341121] Call Trace:
+  [  238.341337]  dump_stack+0x8f/0xd0
+  [  238.341630]  dump_header+0x61/0x5ea
+  [  238.341942]  oom_kill_process.cold+0xb/0x10
+  [  238.342299]  out_of_memory+0x24d/0x5a0
+  [  238.342625]  __alloc_pages_slowpath+0xd12/0x1020
+  [  238.343024]  __alloc_pages_nodemask+0x391/0x410
+  [  238.343407]  pagecache_get_page+0xc3/0x3a0
+  [  238.343757]  filemap_fault+0x804/0xc30
+  [  238.344083]  ? ext4_filemap_fault+0x28/0x42
+  [  238.344444]  ext4_filemap_fault+0x30/0x42
+  [  238.344789]  __do_fault+0x37/0x1a0
+  [  238.345087]  __handle_mm_fault+0x104d/0x1ab0
+  [  238.345450]  handle_mm_fault+0x169/0x360
+  [  238.345790]  do_user_addr_fault+0x20d/0x490
+  [  238.346154]  do_page_fault+0x31/0x210
+  [  238.346468]  async_page_fault+0x43/0x50
+  [  238.346797] RIP: 0033:0x7f47eba4197e
+  [  238.347110] Code: Bad RIP value.
+  [  238.347387] RSP: 002b:00007ffd7c0c1890 EFLAGS: 00010293
+  [  238.347834] RAX: 0000000000000002 RBX: 000055d196a20a20 RCX: 00007f47eba4197e
+  [  238.348437] RDX: 0000000000000033 RSI: 00007ffd7c0c18c0 RDI: 0000000000000004
+  [  238.349047] RBP: 00007ffd7c0c1c20 R08: 0000000000000000 R09: 0000000000000033
+  [  238.349660] R10: 00000000ffffffff R11: 0000000000000293 R12: 0000000000000001
+  [  238.350261] R13: ffffffffffffffff R14: 0000000000000000 R15: 00007ffd7c0c18c0
+  [  238.350878] Mem-Info:
+  [  238.351085] active_anon:3121 inactive_anon:51 isolated_anon:0
+  [  238.351085]  active_file:12 inactive_file:7 isolated_file:0
+  [  238.351085]  unevictable:0 dirty:0 writeback:0 unstable:0
+  [  238.351085]  slab_reclaimable:5565 slab_unreclaimable:10170
+  [  238.351085]  mapped:3 shmem:111 pagetables:155 bounce:0
+  [  238.351085]  free:720717 free_pcp:2 free_cma:0
+  [  238.353757] Node 0 active_anon:12484kB inactive_anon:204kB active_file:48kB inactive_file:28kB unevictable:0kB iss
+  [  238.355979] Node 0 DMA free:11556kB min:36kB low:48kB high:60kB reserved_highatomic:0KB active_anon:152kB inactivB
+  [  238.358345] lowmem_reserve[]: 0 2955 2884 2884 2884
+  [  238.358761] Node 0 DMA32 free:2677864kB min:7004kB low:10028kB high:13052kB reserved_highatomic:0KB active_anon:0B
+  [  238.361202] lowmem_reserve[]: 0 0 72057594037927865 72057594037927865 72057594037927865
+  [  238.361888] Node 0 Normal free:193448kB min:99395541895224kB low:73886371836733356kB high:147673348131571488kB reB
+  [  238.364765] lowmem_reserve[]: 0 0 0 0 0
+  [  238.365101] Node 0 DMA: 7*4kB (U) 5*8kB (UE) 6*16kB (UME) 2*32kB (UM) 1*64kB (U) 2*128kB (UE) 3*256kB (UME) 2*512B
+  [  238.366379] Node 0 DMA32: 0*4kB 1*8kB (U) 2*16kB (UM) 2*32kB (UM) 2*64kB (UM) 1*128kB (U) 1*256kB (U) 1*512kB (U)B
+  [  238.367654] Node 0 Normal: 1985*4kB (UME) 1321*8kB (UME) 844*16kB (UME) 524*32kB (UME) 300*64kB (UME) 138*128kB (B
+  [  238.369184] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
+  [  238.369915] 130 total pagecache pages
+  [  238.370241] 0 pages in swap cache
+  [  238.370533] Swap cache stats: add 0, delete 0, find 0/0
+  [  238.370981] Free swap  = 0kB
+  [  238.371239] Total swap = 0kB
+  [  238.371488] 1048445 pages RAM
+  [  238.371756] 0 pages HighMem/MovableOnly
+  [  238.372090] 306992 pages reserved
+  [  238.372376] 0 pages cma reserved
+  [  238.372661] 0 pages hwpoisoned
+
+In another instance (older kernel), I was able to observe this
+(negative page count :/):
+  [  180.896971] Offlined Pages 32768
+  [  182.667462] Offlined Pages 32768
+  [  184.408117] Offlined Pages 32768
+  [  186.026321] Offlined Pages 32768
+  [  187.684861] Offlined Pages 32768
+  [  189.227013] Offlined Pages 32768
+  [  190.830303] Offlined Pages 32768
+  [  190.833071] Built 1 zonelists, mobility grouping on.  Total pages: -36920272750453009
+
+In another instance (older kernel), I was no longer able to start any
+process:
+  [root@vm ~]# [  214.348068] Offlined Pages 32768
+  [  215.973009] Offlined Pages 32768
+  cat /proc/meminfo
+  -bash: fork: Cannot allocate memory
+  [root@vm ~]# cat /proc/meminfo
+  -bash: fork: Cannot allocate memory
+
+Fix it by properly adjusting the managed page count when migrating if
+the zone changed. The managed page count of the zones now looks after
+unplug of the DIMM (and after deflating the balloon) just like before
+inflating the balloon (and plugging+onlining the DIMM).
+
+We'll temporarily modify the totalram page count. If this ever becomes a
+problem, we can fine tune by providing helpers that don't touch
+the totalram pages (e.g., adjust_zone_managed_page_count()).
+
+Please note that fixing up the managed page count is only necessary when
+we adjusted the managed page count when inflating - only if we
+don't have VIRTIO_BALLOON_F_DEFLATE_ON_OOM. With that feature, the
+managed page count is not touched when inflating/deflating.
+
+Reported-by: Yumei Huang <yuhuang@redhat.com>
+Fixes: 3dcc0571cd64 ("mm: correctly update zone->managed_pages")
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Jiang Liu <liuj97@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Igor Mammedov <imammedo@redhat.com>
+Cc: virtualization@lists.linux-foundation.org
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+[bwh: Backported to 3.16: Deflate-on-OOM is not supported at all so don't
+ check that flag]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -403,6 +403,16 @@ static int virtballoon_migratepage(struc
+ 
+ 	get_page(newpage); /* balloon reference */
+ 
++	/*
++	  * When we migrate a page to a different zone and adjusted the
++	  * managed page count when inflating, we have to fixup the count of
++	  * both involved zones.
++	  */
++	if (page_zone(page) != page_zone(newpage)) {
++		adjust_managed_page_count(page, 1);
++		adjust_managed_page_count(newpage, -1);
++	}
++
+ 	/* balloon's page migration 1st step  -- inflate "newpage" */
+ 	spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+ 	balloon_page_insert(newpage, mapping, &vb_dev_info->pages);
diff --git a/queue-3.16/vlan-vlan_changelink-should-propagate-errors.patch b/queue-3.16/vlan-vlan_changelink-should-propagate-errors.patch
new file mode 100644
index 0000000..08105b0
--- /dev/null
+++ b/queue-3.16/vlan-vlan_changelink-should-propagate-errors.patch
@@ -0,0 +1,46 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 7 Jan 2020 01:42:25 -0800
+Subject: vlan: vlan_changelink() should propagate errors
+
+commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 upstream.
+
+Both vlan_dev_change_flags() and vlan_dev_set_egress_priority()
+can return an error. vlan_changelink() should not ignore them.
+
+Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/8021q/vlan_netlink.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -92,11 +92,13 @@ static int vlan_changelink(struct net_de
+ 	struct ifla_vlan_flags *flags;
+ 	struct ifla_vlan_qos_mapping *m;
+ 	struct nlattr *attr;
+-	int rem;
++	int rem, err;
+ 
+ 	if (data[IFLA_VLAN_FLAGS]) {
+ 		flags = nla_data(data[IFLA_VLAN_FLAGS]);
+-		vlan_dev_change_flags(dev, flags->flags, flags->mask);
++		err = vlan_dev_change_flags(dev, flags->flags, flags->mask);
++		if (err)
++			return err;
+ 	}
+ 	if (data[IFLA_VLAN_INGRESS_QOS]) {
+ 		nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) {
+@@ -107,7 +109,9 @@ static int vlan_changelink(struct net_de
+ 	if (data[IFLA_VLAN_EGRESS_QOS]) {
+ 		nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) {
+ 			m = nla_data(attr);
+-			vlan_dev_set_egress_priority(dev, m->from, m->to);
++			err = vlan_dev_set_egress_priority(dev, m->from, m->to);
++			if (err)
++				return err;
+ 		}
+ 	}
+ 	return 0;
diff --git a/queue-3.16/vxlan-fix-tos-value-before-xmit.patch b/queue-3.16/vxlan-fix-tos-value-before-xmit.patch
new file mode 100644
index 0000000..bfda408
--- /dev/null
+++ b/queue-3.16/vxlan-fix-tos-value-before-xmit.patch
@@ -0,0 +1,34 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 2 Jan 2020 17:23:45 +0800
+Subject: vxlan: fix tos value before xmit
+
+commit 71130f29979c7c7956b040673e6b9d5643003176 upstream.
+
+Before ip_tunnel_ecn_encap() and udp_tunnel_xmit_skb() we should filter
+tos value by RT_TOS() instead of using config tos directly.
+
+vxlan_get_route() would filter the tos to fl4.flowi4_tos but we didn't
+return it back, as geneve_get_v4_rt() did. So we have to use RT_TOS()
+directly in function ip_tunnel_ecn_encap().
+
+Fixes: 206aaafcd279 ("VXLAN: Use IP Tunnels tunnel ENC encap API")
+Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1904,7 +1904,7 @@ static void vxlan_xmit_one(struct sk_buf
+ 			return;
+ 		}
+ 
+-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
++		tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb);
+ 		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
+ 
+ 		err = vxlan_xmit_skb(vxlan->vn_sock, rt, skb,
diff --git a/queue-3.16/x86-efistub-disable-paging-at-mixed-mode-entry.patch b/queue-3.16/x86-efistub-disable-paging-at-mixed-mode-entry.patch
new file mode 100644
index 0000000..1993674
--- /dev/null
+++ b/queue-3.16/x86-efistub-disable-paging-at-mixed-mode-entry.patch
@@ -0,0 +1,41 @@
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Tue, 24 Dec 2019 14:29:09 +0100
+Subject: x86/efistub: Disable paging at mixed mode entry
+
+commit 4911ee401b7ceff8f38e0ac597cbf503d71e690c upstream.
+
+The EFI mixed mode entry code goes through the ordinary startup_32()
+routine before jumping into the kernel's EFI boot code in 64-bit
+mode. The 32-bit startup code must be entered with paging disabled,
+but this is not documented as a requirement for the EFI handover
+protocol, and so we should disable paging explicitly when entering
+the kernel from 32-bit EFI firmware.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Arvind Sankar <nivedita@alum.mit.edu>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191224132909.102540-4-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/boot/compressed/head_64.S | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -216,6 +216,11 @@ ENTRY(efi32_stub_entry)
+ 	leal	efi32_config(%ebp), %eax
+ 	movl	%eax, efi_config(%ebp)
+ 
++	/* Disable paging */
++	movl	%cr0, %eax
++	btrl	$X86_CR0_PG_BIT, %eax
++	movl	%eax, %cr0
++
+ 	jmp	startup_32
+ ENDPROC(efi32_stub_entry)
+ #endif
diff --git a/queue-3.16/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch b/queue-3.16/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch
new file mode 100644
index 0000000..1377a18
--- /dev/null
+++ b/queue-3.16/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch
@@ -0,0 +1,50 @@
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 11 Dec 2019 16:20:06 +0200
+Subject: xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default
+ behaviour.
+
+commit 7ff11162808cc2ec66353fc012c58bb449c892c3 upstream.
+
+xhci driver claims it needs XHCI_TRUST_TX_LENGTH quirk for both
+Broadcom/Cavium and a Renesas xHC controllers.
+
+The quirk was inteded for handling false "success" complete event for
+transfers that had data left untransferred.
+These transfers should complete with "short packet" events instead.
+
+In these two new cases the false "success" completion is reported
+after a "short packet" if the TD consists of several TRBs.
+xHCI specs 4.10.1.1.2 say remaining TRBs should report "short packet"
+as well after the first short packet in a TD, but this issue seems so
+common it doesn't make sense to add the quirk for all vendors.
+
+Turn these events into short packets automatically instead.
+
+This gets rid of the  "The WARN Successful completion on short TX for
+slot 1 ep 1: needs XHCI_TRUST_TX_LENGTH quirk" warning in many cases.
+
+Reported-by: Eli Billauer <eli.billauer@gmail.com>
+Reported-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Eli Billauer <eli.billauer@gmail.com>
+Tested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/host/xhci-ring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2345,7 +2345,8 @@ static int handle_tx_event(struct xhci_h
+ 	case COMP_SUCCESS:
+ 		if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0)
+ 			break;
+-		if (xhci->quirks & XHCI_TRUST_TX_LENGTH)
++		if (xhci->quirks & XHCI_TRUST_TX_LENGTH ||
++		    ep_ring->last_td_was_short)
+ 			trb_comp_code = COMP_SHORT_TX;
+ 		else
+ 			xhci_warn_ratelimited(xhci,
diff --git a/queue-3.16/xhci-make-sure-interrupts-are-restored-to-correct-state.patch b/queue-3.16/xhci-make-sure-interrupts-are-restored-to-correct-state.patch
new file mode 100644
index 0000000..53ae495
--- /dev/null
+++ b/queue-3.16/xhci-make-sure-interrupts-are-restored-to-correct-state.patch
@@ -0,0 +1,61 @@
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 11 Dec 2019 16:20:07 +0200
+Subject: xhci: make sure interrupts are restored to correct state
+
+commit bd82873f23c9a6ad834348f8b83f3b6a5bca2c65 upstream.
+
+spin_unlock_irqrestore() might be called with stale flags after
+reading port status, possibly restoring interrupts to a incorrect
+state.
+
+If a usb2 port just finished resuming while the port status is read
+the spin lock will be temporary released and re-acquired in a separate
+function. The flags parameter is passed as value instead of a pointer,
+not updating flags properly before the final spin_unlock_irqrestore()
+is called.
+
+Fixes: 8b3d45705e54 ("usb: Fix xHCI host issues on remote wakeup.")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-7-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/host/xhci-hub.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -580,7 +580,7 @@ static u32 xhci_get_port_status(struct u
+ 		struct xhci_bus_state *bus_state,
+ 		__le32 __iomem **port_array,
+ 		u16 wIndex, u32 raw_port_status,
+-		unsigned long flags)
++		unsigned long *flags)
+ 	__releases(&xhci->lock)
+ 	__acquires(&xhci->lock)
+ {
+@@ -670,12 +670,12 @@ static u32 xhci_get_port_status(struct u
+ 			xhci_set_link_state(xhci, port_array, wIndex,
+ 					XDEV_U0);
+ 
+-			spin_unlock_irqrestore(&xhci->lock, flags);
++			spin_unlock_irqrestore(&xhci->lock, *flags);
+ 			time_left = wait_for_completion_timeout(
+ 					&bus_state->rexit_done[wIndex],
+ 					msecs_to_jiffies(
+ 						XHCI_MAX_REXIT_TIMEOUT_MS));
+-			spin_lock_irqsave(&xhci->lock, flags);
++			spin_lock_irqsave(&xhci->lock, *flags);
+ 
+ 			if (time_left) {
+ 				slot_id = xhci_find_slot_id_by_port(hcd,
+@@ -834,7 +834,7 @@ int xhci_hub_control(struct usb_hcd *hcd
+ 			break;
+ 		}
+ 		status = xhci_get_port_status(hcd, bus_state, port_array,
+-				wIndex, temp, flags);
++				wIndex, temp, &flags);
+ 		if (status == 0xffffffff)
+ 			goto error;
+ 
diff --git a/upstream-head b/upstream-head
index 65a384f..f9213df 100644
--- a/upstream-head
+++ b/upstream-head
@@ -1 +1 @@
-e42617b825f8073569da76dc4510bfa019b1c35a
+d5226fa6dbae0569ee43ecfc08bdcd6770fc4755