more patches
diff --git a/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
new file mode 100644
index 0000000..7711a7e
--- /dev/null
+++ b/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
@@ -0,0 +1,59 @@
+From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001
+From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+Date: Thu, 28 Nov 2019 15:58:29 +0530
+Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
+
+From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+
+commit 627ead724eff33673597216f5020b72118827de4 upstream.
+
+kmemleak reported backtrace:
+    [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260
+    [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0
+    [<1180f4fc>] i2c_register_adapter+0x186/0x400
+    [<6083baf7>] i2c_add_adapter+0x4e/0x70
+    [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915]
+    [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915]
+    [<81911d4b>] i915_pci_probe+0x48/0x160 [i915]
+    [<4b159af1>] pci_device_probe+0xdc/0x160
+    [<b3c64704>] really_probe+0x1ee/0x450
+    [<bc029f5a>] driver_probe_device+0x142/0x1b0
+    [<d8829d20>] device_driver_attach+0x49/0x50
+    [<de71f045>] __driver_attach+0xc9/0x150
+    [<df33ac83>] bus_for_each_dev+0x56/0xa0
+    [<80089bba>] driver_attach+0x19/0x20
+    [<cc73f583>] bus_add_driver+0x177/0x220
+    [<7b29d8c7>] driver_register+0x56/0xf0
+
+In i2c_acpi_remove_space_handler(), a leak occurs whenever the
+"data" parameter is initialized to 0 before being passed to
+acpi_bus_get_private_data().
+
+This is because the NULL pointer check in acpi_bus_get_private_data()
+(condition->if(!*data)) returns EINVAL and, in consequence, memory is
+never freed in i2c_acpi_remove_space_handler().
+
+Fix the NULL pointer check in acpi_bus_get_private_data() to follow
+the analogous check in acpi_get_data_full().
+
+Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+[ rjw: Subject & changelog ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/bus.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -158,7 +158,7 @@ int acpi_bus_get_private_data(acpi_handl
+ {
+ 	acpi_status status;
+ 
+-	if (!*data)
++	if (!data)
+ 		return -EINVAL;
+ 
+ 	status = acpi_get_data(handle, acpi_bus_private_data_handler, data);
diff --git a/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
new file mode 100644
index 0000000..7691036
--- /dev/null
+++ b/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
@@ -0,0 +1,53 @@
+From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 4 Dec 2019 02:54:27 +0100
+Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream.
+
+Certain ACPI-enumerated devices represented as platform devices in
+Linux, like fans, require special low-level power management handling
+implemented by their drivers that is not in agreement with the ACPI
+PM domain behavior.  That leads to problems with managing ACPI fans
+during system-wide suspend and resume.
+
+For this reason, make acpi_dev_pm_attach() skip the affected devices
+by adding a list of device IDs to avoid to it and putting the IDs of
+the affected devices into that list.
+
+Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems)
+Reported-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com>
+Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/device_pm.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -1102,9 +1102,19 @@ static void acpi_dev_pm_detach(struct de
+  */
+ int acpi_dev_pm_attach(struct device *dev, bool power_on)
+ {
++	/*
++	 * Skip devices whose ACPI companions match the device IDs below,
++	 * because they require special power management handling incompatible
++	 * with the generic ACPI PM domain.
++	 */
++	static const struct acpi_device_id special_pm_ids[] = {
++		{"PNP0C0B", }, /* Generic ACPI fan */
++		{"INT3404", }, /* Fan */
++		{}
++	};
+ 	struct acpi_device *adev = ACPI_COMPANION(dev);
+ 
+-	if (!adev)
++	if (!adev || !acpi_match_device_ids(adev, special_pm_ids))
+ 		return -ENODEV;
+ 
+ 	if (dev->pm_domain)
diff --git a/alsa-pcm-oss-avoid-potential-buffer-overflows.patch b/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
new file mode 100644
index 0000000..2156367
--- /dev/null
+++ b/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
@@ -0,0 +1,64 @@
+From 4cc8d6505ab82db3357613d36e6c58a297f57f7c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 4 Dec 2019 15:48:24 +0100
+Subject: ALSA: pcm: oss: Avoid potential buffer overflows
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.
+
+syzkaller reported an invalid access in PCM OSS read, and this seems
+to be an overflow of the internal buffer allocated for a plugin.
+Since the rate plugin adjusts its transfer size dynamically, the
+calculation for the chained plugin might be bigger than the given
+buffer size in some extreme cases, which lead to such an buffer
+overflow as caught by KASAN.
+
+Fix it by limiting the max transfer size properly by checking against
+the destination size in each plugin transfer callback.
+
+Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/linear.c |    2 ++
+ sound/core/oss/mulaw.c  |    2 ++
+ sound/core/oss/route.c  |    2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/sound/core/oss/linear.c
++++ b/sound/core/oss/linear.c
+@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer
+ 		}
+ 	}
+ #endif
++	if (frames > dst_channels[0].frames)
++		frames = dst_channels[0].frames;
+ 	convert(plugin, src_channels, dst_channels, frames);
+ 	return frames;
+ }
+--- a/sound/core/oss/mulaw.c
++++ b/sound/core/oss/mulaw.c
+@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer(
+ 		}
+ 	}
+ #endif
++	if (frames > dst_channels[0].frames)
++		frames = dst_channels[0].frames;
+ 	data = (struct mulaw_priv *)plugin->extra_data;
+ 	data->func(plugin, src_channels, dst_channels, frames);
+ 	return frames;
+--- a/sound/core/oss/route.c
++++ b/sound/core/oss/route.c
+@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer(
+ 		return -ENXIO;
+ 	if (frames == 0)
+ 		return 0;
++	if (frames > dst_channels[0].frames)
++		frames = dst_channels[0].frames;
+ 
+ 	nsrcs = plugin->src_format.channels;
+ 	ndsts = plugin->dst_format.channels;
diff --git a/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch b/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
new file mode 100644
index 0000000..223116b
--- /dev/null
+++ b/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
@@ -0,0 +1,124 @@
+From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 14 Mar 2019 13:47:59 +0800
+Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 9804501fa1228048857910a6bf23e085aade37cc upstream.
+
+register_snap_client may return NULL, all the callers
+check it, but only print a warning. This will result in
+NULL pointer dereference in unregister_snap_client and other
+places.
+
+It has always been used like this since v2.6
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to <4.15: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/atalk.h |    2 +-
+ net/appletalk/aarp.c  |   15 ++++++++++++---
+ net/appletalk/ddp.c   |   20 ++++++++++++--------
+ 3 files changed, 25 insertions(+), 12 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -107,7 +107,7 @@ static __inline__ struct elapaarp *aarp_
+ #define AARP_RESOLVE_TIME	(10 * HZ)
+ 
+ extern struct datalink_proto *ddp_dl, *aarp_dl;
+-extern void aarp_proto_init(void);
++extern int aarp_proto_init(void);
+ 
+ /* Inter module exports */
+ 
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi
+ 
+ static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
+ 
+-void __init aarp_proto_init(void)
++int __init aarp_proto_init(void)
+ {
++	int rc;
++
+ 	aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
+-	if (!aarp_dl)
++	if (!aarp_dl) {
+ 		printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
++		return -ENOMEM;
++	}
+ 	setup_timer(&aarp_timer, aarp_expire_timeout, 0);
+ 	aarp_timer.expires  = jiffies + sysctl_aarp_expiry_time;
+ 	add_timer(&aarp_timer);
+-	register_netdevice_notifier(&aarp_notifier);
++	rc = register_netdevice_notifier(&aarp_notifier);
++	if (rc) {
++		del_timer_sync(&aarp_timer);
++		unregister_snap_client(aarp_dl);
++	}
++	return rc;
+ }
+ 
+ /* Remove the AARP entries associated with a device. */
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1912,9 +1912,6 @@ static unsigned char ddp_snap_id[] = { 0
+ EXPORT_SYMBOL(atrtr_get_dev);
+ EXPORT_SYMBOL(atalk_find_dev_addr);
+ 
+-static const char atalk_err_snap[] __initconst =
+-	KERN_CRIT "Unable to register DDP with SNAP.\n";
+-
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+@@ -1929,17 +1926,22 @@ static int __init atalk_init(void)
+ 		goto out_proto;
+ 
+ 	ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+-	if (!ddp_dl)
+-		printk(atalk_err_snap);
++	if (!ddp_dl) {
++		pr_crit("Unable to register DDP with SNAP.\n");
++		goto out_sock;
++	}
+ 
+ 	dev_add_pack(&ltalk_packet_type);
+ 	dev_add_pack(&ppptalk_packet_type);
+ 
+ 	rc = register_netdevice_notifier(&ddp_notifier);
+ 	if (rc)
+-		goto out_sock;
++		goto out_snap;
++
++	rc = aarp_proto_init();
++	if (rc)
++		goto out_dev;
+ 
+-	aarp_proto_init();
+ 	rc = atalk_proc_init();
+ 	if (rc)
+ 		goto out_aarp;
+@@ -1953,11 +1955,13 @@ out_proc:
+ 	atalk_proc_exit();
+ out_aarp:
+ 	aarp_cleanup_module();
++out_dev:
+ 	unregister_netdevice_notifier(&ddp_notifier);
+-out_sock:
++out_snap:
+ 	dev_remove_pack(&ppptalk_packet_type);
+ 	dev_remove_pack(&ltalk_packet_type);
+ 	unregister_snap_client(ddp_dl);
++out_sock:
+ 	sock_unregister(PF_APPLETALK);
+ out_proto:
+ 	proto_unregister(&ddp_proto);
diff --git a/appletalk-set-error-code-if-register_snap_client-failed.patch b/appletalk-set-error-code-if-register_snap_client-failed.patch
new file mode 100644
index 0000000..9256e73
--- /dev/null
+++ b/appletalk-set-error-code-if-register_snap_client-failed.patch
@@ -0,0 +1,33 @@
+From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 30 Apr 2019 19:34:08 +0800
+Subject: appletalk: Set error code if register_snap_client failed
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream.
+
+If register_snap_client fails in atalk_init,
+error code should be set, otherwise it will
+triggers NULL pointer dereference while unloading
+module.
+
+Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/appletalk/ddp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1928,6 +1928,7 @@ static int __init atalk_init(void)
+ 	ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+ 	if (!ddp_dl) {
+ 		pr_crit("Unable to register DDP with SNAP.\n");
++		rc = -ENOMEM;
+ 		goto out_sock;
+ 	}
+ 
diff --git a/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
new file mode 100644
index 0000000..f6bdaca
--- /dev/null
+++ b/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
@@ -0,0 +1,40 @@
+From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Mon, 30 Sep 2019 23:31:47 +0300
+Subject: ar5523: check NULL before memcpy() in ar5523_cmd()
+
+From: Denis Efremov <efremov@linux.com>
+
+commit 315cee426f87658a6799815845788fde965ddaad upstream.
+
+memcpy() call with "idata == NULL && ilen == 0" results in undefined
+behavior in ar5523_cmd(). For example, NULL is passed in callchain
+"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
+adds ilen check before memcpy() call in ar5523_cmd() to prevent an
+undefined behavior.
+
+Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ar5523/ar5523.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ar5523/ar5523.c
++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
+@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar,
+ 
+ 	if (flags & AR5523_CMD_FLAG_MAGIC)
+ 		hdr->magic = cpu_to_be32(1 << 24);
+-	memcpy(hdr + 1, idata, ilen);
++	if (ilen)
++		memcpy(hdr + 1, idata, ilen);
+ 
+ 	cmd->odata = odata;
+ 	cmd->olen = olen;
diff --git a/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
new file mode 100644
index 0000000..67eb4a3
--- /dev/null
+++ b/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
@@ -0,0 +1,37 @@
+From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001
+From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Date: Tue, 12 Nov 2019 14:02:36 +0100
+Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
+
+From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+
+commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream.
+
+Check for existance of jack before tracing.
+NULL pointer dereference has been reported by KASAN while unloading
+machine driver (snd_soc_cnl_rt274).
+
+Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-jack.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/soc/soc-jack.c
++++ b/sound/soc/soc-jack.c
+@@ -69,10 +69,9 @@ void snd_soc_jack_report(struct snd_soc_
+ 	unsigned int sync = 0;
+ 	int enable;
+ 
+-	trace_snd_soc_jack_report(jack, mask, status);
+-
+ 	if (!jack)
+ 		return;
++	trace_snd_soc_jack_report(jack, mask, status);
+ 
+ 	codec = jack->codec;
+ 	dapm =  &codec->dapm;
diff --git a/can-slcan-fix-use-after-free-read-in-slcan_open.patch b/can-slcan-fix-use-after-free-read-in-slcan_open.patch
new file mode 100644
index 0000000..d8601d1
--- /dev/null
+++ b/can-slcan-fix-use-after-free-read-in-slcan_open.patch
@@ -0,0 +1,65 @@
+From 9ebd796e24008f33f06ebea5a5e6aceb68b51794 Mon Sep 17 00:00:00 2001
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 27 Nov 2019 08:40:26 +0200
+Subject: can: slcan: Fix use-after-free Read in slcan_open
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.
+
+Slcan_open doesn't clean-up device which registration failed from the
+slcan_devs device list. On next open this list is iterated and freed
+device is accessed. Fix this by calling slc_free_netdev in error path.
+
+Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
+identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
+trace from the Syzbot slip report:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>
+Cc: David Miller <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/slcan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -615,6 +615,7 @@ err_free_chan:
+ 	sl->tty = NULL;
+ 	tty->disc_data = NULL;
+ 	clear_bit(SLF_INUSE, &sl->flags);
++	slc_free_netdev(sl->dev);
+ 	free_netdev(sl->dev);
+ 
+ err_exit:
diff --git a/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
new file mode 100644
index 0000000..3fc653f
--- /dev/null
+++ b/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
@@ -0,0 +1,58 @@
+From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Wed, 23 Oct 2019 09:57:14 +0800
+Subject: cpuidle: Do not unset the driver if it is there already
+
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+
+commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream.
+
+Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has
+a driver different from drv already and, if so, return -EBUSY before
+updating any cpuidle_drivers per-CPU pointers.
+
+Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support")
+Cc: 3.11+ <stable@vger.kernel.org> # 3.11+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+[ rjw: Subject & changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/driver.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/cpuidle/driver.c
++++ b/drivers/cpuidle/driver.c
+@@ -60,24 +60,23 @@ static inline void __cpuidle_unset_drive
+  * __cpuidle_set_driver - set per CPU driver variables for the given driver.
+  * @drv: a valid pointer to a struct cpuidle_driver
+  *
+- * For each CPU in the driver's cpumask, unset the registered driver per CPU
+- * to @drv.
+- *
+- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already.
++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver
++ * different from drv already.
+  */
+ static inline int __cpuidle_set_driver(struct cpuidle_driver *drv)
+ {
+ 	int cpu;
+ 
+ 	for_each_cpu(cpu, drv->cpumask) {
++		struct cpuidle_driver *old_drv;
+ 
+-		if (__cpuidle_get_cpu_driver(cpu)) {
+-			__cpuidle_unset_driver(drv);
++		old_drv = __cpuidle_get_cpu_driver(cpu);
++		if (old_drv && old_drv != drv)
+ 			return -EBUSY;
+-		}
++	}
+ 
++	for_each_cpu(cpu, drv->cpumask)
+ 		per_cpu(cpuidle_drivers, cpu) = drv;
+-	}
+ 
+ 	return 0;
+ }
diff --git a/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch b/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
new file mode 100644
index 0000000..056e20b
--- /dev/null
+++ b/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
@@ -0,0 +1,43 @@
+From 746c908c4d72e49068ab216c3926d2720d71a90d Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Thu, 31 Oct 2019 17:14:38 +0100
+Subject: crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream.
+
+This patch fixes a crash that can happen during probe
+when the available dma memory is not enough (this can
+happen if the crypto4xx is built as a module).
+
+The descriptor window mapping would end up being free'd
+twice, once in crypto4xx_build_pdr() and the second time
+in crypto4xx_destroy_sdr().
+
+Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/amcc/crypto4xx_core.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/crypto/amcc/crypto4xx_core.c
++++ b/drivers/crypto/amcc/crypto4xx_core.c
+@@ -399,12 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr
+ 		dma_alloc_coherent(dev->core_dev->device,
+ 			dev->scatter_buffer_size * PPC4XX_NUM_SD,
+ 			&dev->scatter_buffer_pa, GFP_ATOMIC);
+-	if (!dev->scatter_buffer_va) {
+-		dma_free_coherent(dev->core_dev->device,
+-				  sizeof(struct ce_sd) * PPC4XX_NUM_SD,
+-				  dev->sdr, dev->sdr_pa);
++	if (!dev->scatter_buffer_va)
+ 		return -ENOMEM;
+-	}
+ 
+ 	sd_array = dev->sdr;
+ 
diff --git a/crypto-user-fix-memory-leak-in-crypto_report.patch b/crypto-user-fix-memory-leak-in-crypto_report.patch
new file mode 100644
index 0000000..ef2cbbd
--- /dev/null
+++ b/crypto-user-fix-memory-leak-in-crypto_report.patch
@@ -0,0 +1,36 @@
+From ffdde5932042600c6807d46c1550b28b0db6a3bc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 4 Oct 2019 14:29:16 -0500
+Subject: crypto: user - fix memory leak in crypto_report
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream.
+
+In crypto_report, a new skb is created via nlmsg_new(). This skb should
+be released if crypto_report_alg() fails.
+
+Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/crypto_user.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -221,8 +221,10 @@ static int crypto_report(struct sk_buff
+ 	info.nlmsg_flags = 0;
+ 
+ 	err = crypto_report_alg(alg, &info);
+-	if (err)
++	if (err) {
++		kfree_skb(skb);
+ 		return err;
++	}
+ 
+ 	return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
+ }
diff --git a/drm-i810-prevent-underflow-in-ioctl.patch b/drm-i810-prevent-underflow-in-ioctl.patch
new file mode 100644
index 0000000..4b3aa30
--- /dev/null
+++ b/drm-i810-prevent-underflow-in-ioctl.patch
@@ -0,0 +1,43 @@
+From 4f69851fbaa26b155330be35ce8ac393e93e7442 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 4 Oct 2019 13:22:51 +0300
+Subject: drm/i810: Prevent underflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.
+
+The "used" variables here come from the user in the ioctl and it can be
+negative.  It could result in an out of bounds write.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i810/i810_dma.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i810/i810_dma.c
++++ b/drivers/gpu/drm/i810/i810_dma.c
+@@ -723,7 +723,7 @@ static void i810_dma_dispatch_vertex(str
+ 	if (nbox > I810_NR_SAREA_CLIPRECTS)
+ 		nbox = I810_NR_SAREA_CLIPRECTS;
+ 
+-	if (used > 4 * 1024)
++	if (used < 0 || used > 4 * 1024)
+ 		used = 0;
+ 
+ 	if (sarea_priv->dirty)
+@@ -1043,7 +1043,7 @@ static void i810_dma_dispatch_mc(struct
+ 	if (u != I810_BUF_CLIENT)
+ 		DRM_DEBUG("MC found buffer that isn't mine!\n");
+ 
+-	if (used > 4 * 1024)
++	if (used < 0 || used > 4 * 1024)
+ 		used = 0;
+ 
+ 	sarea_priv->dirty = 0x7f;
diff --git a/inet-protect-against-too-small-mtu-values.patch b/inet-protect-against-too-small-mtu-values.patch
new file mode 100644
index 0000000..d172ec6
--- /dev/null
+++ b/inet-protect-against-too-small-mtu-values.patch
@@ -0,0 +1,176 @@
+From foo@baz Tue 17 Dec 2019 09:44:32 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Dec 2019 20:43:46 -0800
+Subject: inet: protect against too small mtu values.
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 501a90c945103e8627406763dac418f20f3837b2 ]
+
+syzbot was once again able to crash a host by setting a very small mtu
+on loopback device.
+
+Let's make inetdev_valid_mtu() available in include/net/ip.h,
+and use it in ip_setup_cork(), so that we protect both ip_append_page()
+and __ip_append_data()
+
+Also add a READ_ONCE() when the device mtu is read.
+
+Pairs this lockless read with one WRITE_ONCE() in __dev_set_mtu(),
+even if other code paths might write over this field.
+
+Add a big comment in include/linux/netdevice.h about dev->mtu
+needing READ_ONCE()/WRITE_ONCE() annotations.
+
+Hopefully we will add the missing ones in followup patches.
+
+[1]
+
+refcount_t: saturated; leaking memory.
+WARNING: CPU: 0 PID: 9464 at lib/refcount.c:22 refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
+Kernel panic - not syncing: panic_on_warn set ...
+CPU: 0 PID: 9464 Comm: syz-executor850 Not tainted 5.4.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ panic+0x2e3/0x75c kernel/panic.c:221
+ __warn.cold+0x2f/0x3e kernel/panic.c:582
+ report_bug+0x289/0x300 lib/bug.c:195
+ fixup_bug arch/x86/kernel/traps.c:174 [inline]
+ fixup_bug arch/x86/kernel/traps.c:169 [inline]
+ do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
+ do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
+ invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
+RIP: 0010:refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
+Code: 06 31 ff 89 de e8 c8 f5 e6 fd 84 db 0f 85 6f ff ff ff e8 7b f4 e6 fd 48 c7 c7 e0 71 4f 88 c6 05 56 a6 a4 06 01 e8 c7 a8 b7 fd <0f> 0b e9 50 ff ff ff e8 5c f4 e6 fd 0f b6 1d 3d a6 a4 06 31 ff 89
+RSP: 0018:ffff88809689f550 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff815e4336 RDI: ffffed1012d13e9c
+RBP: ffff88809689f560 R08: ffff88809c50a3c0 R09: fffffbfff15d31b1
+R10: fffffbfff15d31b0 R11: ffffffff8ae98d87 R12: 0000000000000001
+R13: 0000000000040100 R14: ffff888099041104 R15: ffff888218d96e40
+ refcount_add include/linux/refcount.h:193 [inline]
+ skb_set_owner_w+0x2b6/0x410 net/core/sock.c:1999
+ sock_wmalloc+0xf1/0x120 net/core/sock.c:2096
+ ip_append_page+0x7ef/0x1190 net/ipv4/ip_output.c:1383
+ udp_sendpage+0x1c7/0x480 net/ipv4/udp.c:1276
+ inet_sendpage+0xdb/0x150 net/ipv4/af_inet.c:821
+ kernel_sendpage+0x92/0xf0 net/socket.c:3794
+ sock_sendpage+0x8b/0xc0 net/socket.c:936
+ pipe_to_sendpage+0x2da/0x3c0 fs/splice.c:458
+ splice_from_pipe_feed fs/splice.c:512 [inline]
+ __splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636
+ splice_from_pipe+0x108/0x170 fs/splice.c:671
+ generic_splice_sendpage+0x3c/0x50 fs/splice.c:842
+ do_splice_from fs/splice.c:861 [inline]
+ direct_splice_actor+0x123/0x190 fs/splice.c:1035
+ splice_direct_to_actor+0x3b4/0xa30 fs/splice.c:990
+ do_splice_direct+0x1da/0x2a0 fs/splice.c:1078
+ do_sendfile+0x597/0xd00 fs/read_write.c:1464
+ __do_sys_sendfile64 fs/read_write.c:1525 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1511 [inline]
+ __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x441409
+Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fffb64c4f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441409
+RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005
+RBP: 0000000000073b8a R08: 0000000000000010 R09: 0000000000000010
+R10: 0000000000010001 R11: 0000000000000246 R12: 0000000000402180
+R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
+Kernel Offset: disabled
+Rebooting in 86400 seconds..
+
+Fixes: 1470ddf7f8ce ("inet: Remove explicit write references to sk/inet in ip_append_data")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h |    5 +++++
+ include/net/ip.h          |    5 +++++
+ net/core/dev.c            |    3 ++-
+ net/ipv4/devinet.c        |    5 -----
+ net/ipv4/ip_output.c      |   14 +++++++++-----
+ 5 files changed, 21 insertions(+), 11 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1537,6 +1537,11 @@ struct net_device {
+ 	unsigned char		if_port;
+ 	unsigned char		dma;
+ 
++	/* Note : dev->mtu is often read without holding a lock.
++	 * Writers usually hold RTNL.
++	 * It is recommended to use READ_ONCE() to annotate the reads,
++	 * and to use WRITE_ONCE() to annotate the writes.
++	 */
+ 	unsigned int		mtu;
+ 	unsigned short		type;
+ 	unsigned short		hard_header_len;
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -558,4 +558,9 @@ extern int sysctl_icmp_msgs_burst;
+ int ip_misc_proc_init(void);
+ #endif
+ 
++static inline bool inetdev_valid_mtu(unsigned int mtu)
++{
++	return likely(mtu >= IPV4_MIN_MTU);
++}
++
+ #endif	/* _IP_H */
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5723,7 +5723,8 @@ static int __dev_set_mtu(struct net_devi
+ 	if (ops->ndo_change_mtu)
+ 		return ops->ndo_change_mtu(dev, new_mtu);
+ 
+-	dev->mtu = new_mtu;
++	/* Pairs with all the lockless reads of dev->mtu in the stack */
++	WRITE_ONCE(dev->mtu, new_mtu);
+ 	return 0;
+ }
+ 
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1326,11 +1326,6 @@ skip:
+ 	}
+ }
+ 
+-static bool inetdev_valid_mtu(unsigned int mtu)
+-{
+-	return mtu >= IPV4_MIN_MTU;
+-}
+-
+ static void inetdev_send_gratuitous_arp(struct net_device *dev,
+ 					struct in_device *in_dev)
+ 
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1112,13 +1112,17 @@ static int ip_setup_cork(struct sock *sk
+ 	rt = *rtp;
+ 	if (unlikely(!rt))
+ 		return -EFAULT;
+-	/*
+-	 * We steal reference to this route, caller should not release it
+-	 */
+-	*rtp = NULL;
++
+ 	cork->fragsize = ip_sk_use_pmtu(sk) ?
+-			 dst_mtu(&rt->dst) : rt->dst.dev->mtu;
++			 dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
++
++	if (!inetdev_valid_mtu(cork->fragsize))
++		return -ENETUNREACH;
++
+ 	cork->dst = &rt->dst;
++	/* We stole this route, caller should not release it. */
++	*rtp = NULL;
++
+ 	cork->length = 0;
+ 	cork->ttl = ipc->ttl;
+ 	cork->tos = ipc->tos;
diff --git a/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch b/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
new file mode 100644
index 0000000..2de854f
--- /dev/null
+++ b/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
@@ -0,0 +1,49 @@
+From add3efdd78b8a0478ce423bb9d4df6bd95e8b335 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 5 Nov 2019 17:44:07 +0100
+Subject: jbd2: Fix possible overflow in jbd2_log_space_left()
+
+From: Jan Kara <jack@suse.cz>
+
+commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream.
+
+When number of free space in the journal is very low, the arithmetic in
+jbd2_log_space_left() could underflow resulting in very high number of
+free blocks and thus triggering assertion failure in transaction commit
+code complaining there's not enough space in the journal:
+
+J_ASSERT(journal->j_free > 1);
+
+Properly check for the low number of free blocks.
+
+CC: stable@vger.kernel.org
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/jbd2.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -1340,7 +1340,7 @@ static inline int jbd2_space_needed(jour
+ static inline unsigned long jbd2_log_space_left(journal_t *journal)
+ {
+ 	/* Allow for rounding errors */
+-	unsigned long free = journal->j_free - 32;
++	long free = journal->j_free - 32;
+ 
+ 	if (journal->j_committing_transaction) {
+ 		unsigned long committing = atomic_read(&journal->
+@@ -1349,7 +1349,7 @@ static inline unsigned long jbd2_log_spa
+ 		/* Transaction + control blocks */
+ 		free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);
+ 	}
+-	return free;
++	return max_t(long, free, 0);
+ }
+ 
+ /*
diff --git a/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
new file mode 100644
index 0000000..2abbd74
--- /dev/null
+++ b/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
@@ -0,0 +1,51 @@
+From de1fca5d6e0105c9d33924e1247e2f386efc3ece Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 18 Nov 2019 12:23:00 -0500
+Subject: KVM: x86: do not modify masked bits of shared MSRs
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.
+
+"Shared MSRs" are guest MSRs that are written to the host MSRs but
+keep their value until the next return to userspace.  They support
+a mask, so that some bits keep the host value, but this mask is
+only used to skip an unnecessary MSR write and the value written
+to the MSR is always the guest MSR.
+
+Fix this and, while at it, do not update smsr->values[slot].curr if
+for whatever reason the wrmsr fails.  This should only happen due to
+reserved bits, so the value written to smsr->values[slot].curr
+will not match when the user-return notifier and the host value will
+always be restored.  However, it is untidy and in rare cases this
+can actually avoid spurious WRMSRs on return to userspace.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Tested-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -235,13 +235,14 @@ int kvm_set_shared_msr(unsigned slot, u6
+ 	struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
+ 	int err;
+ 
+-	if (((value ^ smsr->values[slot].curr) & mask) == 0)
++	value = (value & mask) | (smsr->values[slot].host & ~mask);
++	if (value == smsr->values[slot].curr)
+ 		return 0;
+-	smsr->values[slot].curr = value;
+ 	err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
+ 	if (err)
+ 		return 1;
+ 
++	smsr->values[slot].curr = value;
+ 	if (!smsr->registered) {
+ 		smsr->urn.on_user_return = kvm_on_user_return;
+ 		user_return_notifier_register(&smsr->urn);
diff --git a/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch b/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
new file mode 100644
index 0000000..b4e0c3b
--- /dev/null
+++ b/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
@@ -0,0 +1,43 @@
+From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 4 Dec 2019 10:28:54 +0100
+Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
+
+The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
+KVM_GET_EMULATED_CPUID.
+
+Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
+Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -332,7 +332,7 @@ static inline int __do_cpuid_ent(struct
+ 
+ 	r = -E2BIG;
+ 
+-	if (*nent >= maxnent)
++	if (WARN_ON(*nent >= maxnent))
+ 		goto out;
+ 
+ 	do_cpuid_1_ent(entry, function, index);
+@@ -575,6 +575,9 @@ out:
+ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
+ 			u32 idx, int *nent, int maxnent, unsigned int type)
+ {
++	if (*nent >= maxnent)
++		return -E2BIG;
++
+ 	if (type == KVM_GET_EMULATED_CPUID)
+ 		return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
+ 
diff --git a/lib-raid6-fix-awk-build-warnings.patch b/lib-raid6-fix-awk-build-warnings.patch
new file mode 100644
index 0000000..009d71d
--- /dev/null
+++ b/lib-raid6-fix-awk-build-warnings.patch
@@ -0,0 +1,38 @@
+From 702600eef73033ddd4eafcefcbb6560f3e3a90f7 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 6 Dec 2019 16:26:00 +0100
+Subject: lib: raid6: fix awk build warnings
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 702600eef73033ddd4eafcefcbb6560f3e3a90f7 upstream.
+
+Newer versions of awk spit out these fun warnings:
+	awk: ../lib/raid6/unroll.awk:16: warning: regexp escape sequence `\#' is not a known regexp operator
+
+As commit 700c1018b86d ("x86/insn: Fix awk regexp warnings") showed, it
+turns out that there are a number of awk strings that do not need to be
+escaped and newer versions of awk now warn about this.
+
+Fix the string up so that no warning is produced.  The exact same kernel
+module gets created before and after this patch, showing that it wasn't
+needed.
+
+Link: https://lore.kernel.org/r/20191206152600.GA75093@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/raid6/unroll.awk |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/raid6/unroll.awk
++++ b/lib/raid6/unroll.awk
+@@ -13,7 +13,7 @@ BEGIN {
+ 	for (i = 0; i < rep; ++i) {
+ 		tmp = $0
+ 		gsub(/\$\$/, i, tmp)
+-		gsub(/\$\#/, n, tmp)
++		gsub(/\$#/, n, tmp)
+ 		gsub(/\$\*/, "$", tmp)
+ 		print tmp
+ 	}
diff --git a/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/media-radio-wl1273-fix-interrupt-masking-on-release.patch
new file mode 100644
index 0000000..75ef2f1
--- /dev/null
+++ b/media-radio-wl1273-fix-interrupt-masking-on-release.patch
@@ -0,0 +1,40 @@
+From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 10:13:32 -0300
+Subject: media: radio: wl1273: fix interrupt masking on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1091eb830627625dcf79958d99353c2391f41708 upstream.
+
+If a process is interrupted while accessing the radio device and the
+core lock is contended, release() could return early and fail to update
+the interrupt mask.
+
+Note that the return value of the v4l2 release file operation is
+ignored.
+
+Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver")
+Cc: stable <stable@vger.kernel.org>     # 2.6.38
+Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/radio-wl1273.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/radio/radio-wl1273.c
++++ b/drivers/media/radio/radio-wl1273.c
+@@ -1142,8 +1142,7 @@ static int wl1273_fm_fops_release(struct
+ 	if (radio->rds_users > 0) {
+ 		radio->rds_users--;
+ 		if (radio->rds_users == 0) {
+-			if (mutex_lock_interruptible(&core->lock))
+-				return -EINTR;
++			mutex_lock(&core->lock);
+ 
+ 			radio->irq_flags &= ~WL1273_RDS_EVENT;
+ 
diff --git a/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch b/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch
new file mode 100644
index 0000000..5cdd8fd
--- /dev/null
+++ b/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch
@@ -0,0 +1,73 @@
+From aa71ecd8d86500da6081a72da6b0b524007e0627 Mon Sep 17 00:00:00 2001
+From: Chen Jun <chenjun102@huawei.com>
+Date: Sat, 30 Nov 2019 17:58:11 -0800
+Subject: mm/shmem.c: cast the type of unmap_start to u64
+
+From: Chen Jun <chenjun102@huawei.com>
+
+commit aa71ecd8d86500da6081a72da6b0b524007e0627 upstream.
+
+In 64bit system. sb->s_maxbytes of shmem filesystem is MAX_LFS_FILESIZE,
+which equal LLONG_MAX.
+
+If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in
+shmem_fallocate, which will pass the checking in vfs_fallocate.
+
+	/* Check for wrap through zero too */
+	if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
+		return -EFBIG;
+
+loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate
+causes a overflow.
+
+Syzkaller reports a overflow problem in mm/shmem:
+
+  UBSAN: Undefined behaviour in mm/shmem.c:2014:10
+  signed integer overflow: '9223372036854775807 + 1' cannot be represented in type 'long long int'
+  CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1
+  Hardware name: linux, dummy-virt (DT)
+  Call trace:
+     dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100
+     show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238
+     __dump_stack lib/dump_stack.c:15 [inline]
+     ubsan_epilogue+0x18/0x70 lib/ubsan.c:164
+     handle_overflow+0x158/0x1b0 lib/ubsan.c:195
+     shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104
+     vfs_fallocate+0x238/0x428 fs/open.c:312
+     SYSC_fallocate fs/open.c:335 [inline]
+     SyS_fallocate+0x54/0xc8 fs/open.c:239
+
+The highest bit of unmap_start will be appended with sign bit 1
+(overflow) when calculate shmem_falloc.start:
+
+    shmem_falloc.start = unmap_start >> PAGE_SHIFT.
+
+Fix it by casting the type of unmap_start to u64, when right shifted.
+
+This bug is found in LTS Linux 4.1.  It also seems to exist in mainline.
+
+Link: http://lkml.kernel.org/r/1573867464-5107-1-git-send-email-chenjun102@huawei.com
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2077,7 +2077,7 @@ static long shmem_fallocate(struct file
+ 		}
+ 
+ 		shmem_falloc.waitq = &shmem_falloc_waitq;
+-		shmem_falloc.start = unmap_start >> PAGE_SHIFT;
++		shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
+ 		shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
+ 		spin_lock(&inode->i_lock);
+ 		inode->i_private = &shmem_falloc;
diff --git a/mtd-spear_smi-fix-write-burst-mode.patch b/mtd-spear_smi-fix-write-burst-mode.patch
new file mode 100644
index 0000000..12e89ae
--- /dev/null
+++ b/mtd-spear_smi-fix-write-burst-mode.patch
@@ -0,0 +1,107 @@
+From 69c7f4618c16b4678f8a4949b6bb5ace259c0033 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Tue, 22 Oct 2019 16:58:59 +0200
+Subject: mtd: spear_smi: Fix Write Burst mode
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit 69c7f4618c16b4678f8a4949b6bb5ace259c0033 upstream.
+
+Any write with either dd or flashcp to a device driven by the
+spear_smi.c driver will pass through the spear_smi_cpy_toio()
+function. This function will get called for chunks of up to 256 bytes.
+If the amount of data is smaller, we may have a problem if the data
+length is not 4-byte aligned. In this situation, the kernel panics
+during the memcpy:
+
+    # dd if=/dev/urandom bs=1001 count=1 of=/dev/mtd6
+    spear_smi_cpy_toio [620] dest c9070000, src c7be8800, len 256
+    spear_smi_cpy_toio [620] dest c9070100, src c7be8900, len 256
+    spear_smi_cpy_toio [620] dest c9070200, src c7be8a00, len 256
+    spear_smi_cpy_toio [620] dest c9070300, src c7be8b00, len 233
+    Unhandled fault: external abort on non-linefetch (0x808) at 0xc90703e8
+    [...]
+    PC is at memcpy+0xcc/0x330
+
+The above error occurs because the implementation of memcpy_toio()
+tries to optimize the number of I/O by writing 4 bytes at a time as
+much as possible, until there are less than 4 bytes left and then
+switches to word or byte writes.
+
+Unfortunately, the specification states about the Write Burst mode:
+
+        "the next AHB Write request should point to the next
+	incremented address and should have the same size (byte,
+	half-word or word)"
+
+This means ARM architecture implementation of memcpy_toio() cannot
+reliably be used blindly here. Workaround this situation by update the
+write path to stick to byte access when the burst length is not
+multiple of 4.
+
+Fixes: f18dbbb1bfe0 ("mtd: ST SPEAr: Add SMI driver for serial NOR flash")
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Boris Brezillon <boris.brezillon@collabora.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/devices/spear_smi.c |   38 +++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/devices/spear_smi.c
++++ b/drivers/mtd/devices/spear_smi.c
+@@ -595,6 +595,26 @@ static int spear_mtd_read(struct mtd_inf
+ 	return 0;
+ }
+ 
++/*
++ * The purpose of this function is to ensure a memcpy_toio() with byte writes
++ * only. Its structure is inspired from the ARM implementation of _memcpy_toio()
++ * which also does single byte writes but cannot be used here as this is just an
++ * implementation detail and not part of the API. Not mentioning the comment
++ * stating that _memcpy_toio() should be optimized.
++ */
++static void spear_smi_memcpy_toio_b(volatile void __iomem *dest,
++				    const void *src, size_t len)
++{
++	const unsigned char *from = src;
++
++	while (len) {
++		len--;
++		writeb(*from, dest);
++		from++;
++		dest++;
++	}
++}
++
+ static inline int spear_smi_cpy_toio(struct spear_smi *dev, u32 bank,
+ 		void __iomem *dest, const void *src, size_t len)
+ {
+@@ -617,7 +637,23 @@ static inline int spear_smi_cpy_toio(str
+ 	ctrlreg1 = readl(dev->io_base + SMI_CR1);
+ 	writel((ctrlreg1 | WB_MODE) & ~SW_MODE, dev->io_base + SMI_CR1);
+ 
+-	memcpy_toio(dest, src, len);
++	/*
++	 * In Write Burst mode (WB_MODE), the specs states that writes must be:
++	 * - incremental
++	 * - of the same size
++	 * The ARM implementation of memcpy_toio() will optimize the number of
++	 * I/O by using as much 4-byte writes as possible, surrounded by
++	 * 2-byte/1-byte access if:
++	 * - the destination is not 4-byte aligned
++	 * - the length is not a multiple of 4-byte.
++	 * Avoid this alternance of write access size by using our own 'byte
++	 * access' helper if at least one of the two conditions above is true.
++	 */
++	if (IS_ALIGNED(len, sizeof(u32)) &&
++	    IS_ALIGNED((uintptr_t)dest, sizeof(u32)))
++		memcpy_toio(dest, src, len);
++	else
++		spear_smi_memcpy_toio_b(dest, src, len);
+ 
+ 	writel(ctrlreg1, dev->io_base + SMI_CR1);
+ 
diff --git a/net-bridge-deny-dev_set_mac_address-when-unregistering.patch b/net-bridge-deny-dev_set_mac_address-when-unregistering.patch
new file mode 100644
index 0000000..eab9f69
--- /dev/null
+++ b/net-bridge-deny-dev_set_mac_address-when-unregistering.patch
@@ -0,0 +1,76 @@
+From foo@baz Wed 18 Dec 2019 01:37:17 PM CET
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 3 Dec 2019 16:48:06 +0200
+Subject: net: bridge: deny dev_set_mac_address() when unregistering
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit c4b4c421857dc7b1cf0dccbd738472360ff2cd70 ]
+
+We have an interesting memory leak in the bridge when it is being
+unregistered and is a slave to a master device which would change the
+mac of its slaves on unregister (e.g. bond, team). This is a very
+unusual setup but we do end up leaking 1 fdb entry because
+dev_set_mac_address() would cause the bridge to insert the new mac address
+into its table after all fdbs are flushed, i.e. after dellink() on the
+bridge has finished and we call NETDEV_UNREGISTER the bond/team would
+release it and will call dev_set_mac_address() to restore its original
+address and that in turn will add an fdb in the bridge.
+One fix is to check for the bridge dev's reg_state in its
+ndo_set_mac_address callback and return an error if the bridge is not in
+NETREG_REGISTERED.
+
+Easy steps to reproduce:
+ 1. add bond in mode != A/B
+ 2. add any slave to the bond
+ 3. add bridge dev as a slave to the bond
+ 4. destroy the bridge device
+
+Trace:
+ unreferenced object 0xffff888035c4d080 (size 128):
+   comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s)
+   hex dump (first 32 bytes):
+     41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00  A..6............
+     d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00  ...^?...........
+   backtrace:
+     [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f
+     [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge]
+     [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge]
+     [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge]
+     [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge]
+     [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge]
+     [<000000006846a77f>] dev_set_mac_address+0x63/0x9b
+     [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding]
+     [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding]
+     [<00000000305d7795>] notifier_call_chain+0x38/0x56
+     [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23
+     [<000000008279477b>] rollback_registered_many+0x353/0x6a4
+     [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f
+     [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43
+     [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a
+     [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268
+
+Fixes: 43598813386f ("bridge: add local MAC address to forwarding table (v2)")
+Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_device.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -198,6 +198,12 @@ static int br_set_mac_address(struct net
+ 	if (!is_valid_ether_addr(addr->sa_data))
+ 		return -EADDRNOTAVAIL;
+ 
++	/* dev_set_mac_addr() can be called by a master device on bridge's
++	 * NETDEV_UNREGISTER, but since it's being destroyed do nothing
++	 */
++	if (dev->reg_state != NETREG_REGISTERED)
++		return -EBUSY;
++
+ 	spin_lock_bh(&br->lock);
+ 	if (!ether_addr_equal(dev->dev_addr, addr->sa_data)) {
+ 		/* Mac address will be changed in br_stp_change_bridge_id(). */
diff --git a/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch b/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
new file mode 100644
index 0000000..1f54095
--- /dev/null
+++ b/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
@@ -0,0 +1,58 @@
+From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 5 Aug 2019 18:27:10 +0200
+Subject: pinctrl: samsung: Fix device node refcount leaks in init code
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream.
+
+Several functions use for_each_child_of_node() loop with a break to find
+a matching child node.  Although each iteration of
+for_each_child_of_node puts the previous node, but early exit from loop
+misses it.  This leads to leak of device node.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -291,6 +291,7 @@ static int samsung_dt_node_to_map(struct
+ 						&reserved_maps, num_maps);
+ 		if (ret < 0) {
+ 			samsung_dt_free_map(pctldev, *map, *num_maps);
++			of_node_put(np);
+ 			return ret;
+ 		}
+ 	}
+@@ -758,8 +759,10 @@ static struct samsung_pmx_func *samsung_
+ 		if (!of_get_child_count(cfg_np)) {
+ 			ret = samsung_pinctrl_create_function(dev, drvdata,
+ 							cfg_np, func);
+-			if (ret < 0)
++			if (ret < 0) {
++				of_node_put(cfg_np);
+ 				return ERR_PTR(ret);
++			}
+ 			if (ret > 0) {
+ 				++func;
+ 				++func_cnt;
+@@ -770,8 +773,11 @@ static struct samsung_pmx_func *samsung_
+ 		for_each_child_of_node(cfg_np, func_np) {
+ 			ret = samsung_pinctrl_create_function(dev, drvdata,
+ 						func_np, func);
+-			if (ret < 0)
++			if (ret < 0) {
++				of_node_put(func_np);
++				of_node_put(cfg_np);
+ 				return ERR_PTR(ret);
++			}
+ 			if (ret > 0) {
+ 				++func;
+ 				++func_cnt;
diff --git a/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch b/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch
new file mode 100644
index 0000000..c19e240
--- /dev/null
+++ b/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch
@@ -0,0 +1,46 @@
+From f9ec11165301982585e5e5f606739b5bae5331f3 Mon Sep 17 00:00:00 2001
+From: Alastair D'Silva <alastair@d-silva.org>
+Date: Mon, 4 Nov 2019 13:32:54 +1100
+Subject: powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
+
+From: Alastair D'Silva <alastair@d-silva.org>
+
+commit f9ec11165301982585e5e5f606739b5bae5331f3 upstream.
+
+When calling __kernel_sync_dicache with a size >4GB, we were masking
+off the upper 32 bits, so we would incorrectly flush a range smaller
+than intended.
+
+This patch replaces the 32 bit shifts with 64 bit ones, so that
+the full size is accounted for.
+
+Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191104023305.9581-3-alastair@au1.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/vdso64/cacheflush.S |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/vdso64/cacheflush.S
++++ b/arch/powerpc/kernel/vdso64/cacheflush.S
+@@ -39,7 +39,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
+ 	subf	r8,r6,r4		/* compute length */
+ 	add	r8,r8,r5		/* ensure we get enough */
+ 	lwz	r9,CFG_DCACHE_LOGBLOCKSZ(r10)
+-	srw.	r8,r8,r9		/* compute line count */
++	srd.	r8,r8,r9		/* compute line count */
+ 	crclr	cr0*4+so
+ 	beqlr				/* nothing to do? */
+ 	mtctr	r8
+@@ -56,7 +56,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
+ 	subf	r8,r6,r4		/* compute length */
+ 	add	r8,r8,r5
+ 	lwz	r9,CFG_ICACHE_LOGBLOCKSZ(r10)
+-	srw.	r8,r8,r9		/* compute line count */
++	srd.	r8,r8,r9		/* compute line count */
+ 	crclr	cr0*4+so
+ 	beqlr				/* nothing to do? */
+ 	mtctr	r8
diff --git a/quota-check-that-quota-is-not-dirty-before-release.patch b/quota-check-that-quota-is-not-dirty-before-release.patch
new file mode 100644
index 0000000..b313874
--- /dev/null
+++ b/quota-check-that-quota-is-not-dirty-before-release.patch
@@ -0,0 +1,85 @@
+From df4bb5d128e2c44848aeb36b7ceceba3ac85080d Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Date: Thu, 31 Oct 2019 10:39:20 +0000
+Subject: quota: Check that quota is not dirty before release
+
+From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+
+commit df4bb5d128e2c44848aeb36b7ceceba3ac85080d upstream.
+
+There is a race window where quota was redirted once we drop dq_list_lock inside dqput(),
+but before we grab dquot->dq_lock inside dquot_release()
+
+TASK1                                                       TASK2 (chowner)
+->dqput()
+  we_slept:
+    spin_lock(&dq_list_lock)
+    if (dquot_dirty(dquot)) {
+          spin_unlock(&dq_list_lock);
+          dquot->dq_sb->dq_op->write_dquot(dquot);
+          goto we_slept
+    if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
+          spin_unlock(&dq_list_lock);
+          dquot->dq_sb->dq_op->release_dquot(dquot);
+                                                            dqget()
+							    mark_dquot_dirty()
+							    dqput()
+          goto we_slept;
+        }
+So dquot dirty quota will be released by TASK1, but on next we_sleept loop
+we detect this and call ->write_dquot() for it.
+XFSTEST: https://github.com/dmonakhov/xfstests/commit/440a80d4cbb39e9234df4d7240aee1d551c36107
+
+Link: https://lore.kernel.org/r/20191031103920.3919-2-dmonakhov@openvz.org
+CC: stable@vger.kernel.org
+Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/quota_global.c  |    2 +-
+ fs/quota/dquot.c         |    2 +-
+ include/linux/quotaops.h |   10 ++++++++++
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/quota_global.c
++++ b/fs/ocfs2/quota_global.c
+@@ -714,7 +714,7 @@ static int ocfs2_release_dquot(struct dq
+ 
+ 	mutex_lock(&dquot->dq_lock);
+ 	/* Check whether we are not racing with some other dqget() */
+-	if (atomic_read(&dquot->dq_count) > 1)
++	if (dquot_is_busy(dquot))
+ 		goto out;
+ 	/* Running from downconvert thread? Postpone quota processing to wq */
+ 	if (current == osb->dc_task) {
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -472,7 +472,7 @@ int dquot_release(struct dquot *dquot)
+ 
+ 	mutex_lock(&dquot->dq_lock);
+ 	/* Check whether we are not racing with some other dqget() */
+-	if (atomic_read(&dquot->dq_count) > 1)
++	if (dquot_is_busy(dquot))
+ 		goto out_dqlock;
+ 	mutex_lock(&dqopt->dqio_mutex);
+ 	if (dqopt->ops[dquot->dq_id.type]->release_dqblk) {
+--- a/include/linux/quotaops.h
++++ b/include/linux/quotaops.h
+@@ -54,6 +54,16 @@ static inline struct dquot *dqgrab(struc
+ 	atomic_inc(&dquot->dq_count);
+ 	return dquot;
+ }
++
++static inline bool dquot_is_busy(struct dquot *dquot)
++{
++	if (test_bit(DQ_MOD_B, &dquot->dq_flags))
++		return true;
++	if (atomic_read(&dquot->dq_count) > 1)
++		return true;
++	return false;
++}
++
+ void dqput(struct dquot *dquot);
+ int dquot_scan_active(struct super_block *sb,
+ 		      int (*fn)(struct dquot *dquot, unsigned long priv),
diff --git a/quota-fix-livelock-in-dquot_writeback_dquots.patch b/quota-fix-livelock-in-dquot_writeback_dquots.patch
new file mode 100644
index 0000000..f9a933e
--- /dev/null
+++ b/quota-fix-livelock-in-dquot_writeback_dquots.patch
@@ -0,0 +1,49 @@
+From 6ff33d99fc5c96797103b48b7b0902c296f09c05 Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Date: Thu, 31 Oct 2019 10:39:19 +0000
+Subject: quota: fix livelock in dquot_writeback_dquots
+
+From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+
+commit 6ff33d99fc5c96797103b48b7b0902c296f09c05 upstream.
+
+Write only quotas which are dirty at entry.
+
+XFSTEST: https://github.com/dmonakhov/xfstests/commit/b10ad23566a5bf75832a6f500e1236084083cddc
+
+Link: https://lore.kernel.org/r/20191031103920.3919-1-dmonakhov@openvz.org
+CC: stable@vger.kernel.org
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/dquot.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -604,7 +604,7 @@ EXPORT_SYMBOL(dquot_scan_active);
+ /* Write all dquot structures to quota files */
+ int dquot_writeback_dquots(struct super_block *sb, int type)
+ {
+-	struct list_head *dirty;
++	struct list_head dirty;
+ 	struct dquot *dquot;
+ 	struct quota_info *dqopt = sb_dqopt(sb);
+ 	int cnt;
+@@ -617,9 +617,10 @@ int dquot_writeback_dquots(struct super_
+ 		if (!sb_has_quota_active(sb, cnt))
+ 			continue;
+ 		spin_lock(&dq_list_lock);
+-		dirty = &dqopt->info[cnt].dqi_dirty_list;
+-		while (!list_empty(dirty)) {
+-			dquot = list_first_entry(dirty, struct dquot,
++		/* Move list away to avoid livelock. */
++		list_replace_init(&dqopt->info[cnt].dqi_dirty_list, &dirty);
++		while (!list_empty(&dirty)) {
++			dquot = list_first_entry(&dirty, struct dquot,
+ 						 dq_dirty);
+ 			/* Dirty and inactive can be only bad dquot... */
+ 			if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
diff --git a/rdma-qib-validate-show-store-callbacks-before-calling-them.patch b/rdma-qib-validate-show-store-callbacks-before-calling-them.patch
new file mode 100644
index 0000000..24a1abb
--- /dev/null
+++ b/rdma-qib-validate-show-store-callbacks-before-calling-them.patch
@@ -0,0 +1,48 @@
+From 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Thu, 7 Nov 2019 08:50:25 +0530
+Subject: RDMA/qib: Validate ->show()/store() callbacks before calling them
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 upstream.
+
+The permissions of the read-only or write-only sysfs files can be
+changed (as root) and the user can then try to read a write-only file or
+write to a read-only file which will lead to kernel crash here.
+
+Protect against that by always validating the show/store callbacks.
+
+Link: https://lore.kernel.org/r/d45cc26361a174ae12dbb86c994ef334d257924b.1573096807.git.viresh.kumar@linaro.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/qib/qib_sysfs.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/hw/qib/qib_sysfs.c
++++ b/drivers/infiniband/hw/qib/qib_sysfs.c
+@@ -301,6 +301,9 @@ static ssize_t qib_portattr_show(struct
+ 	struct qib_pportdata *ppd =
+ 		container_of(kobj, struct qib_pportdata, pport_kobj);
+ 
++	if (!pattr->show)
++		return -EIO;
++
+ 	return pattr->show(ppd, buf);
+ }
+ 
+@@ -312,6 +315,9 @@ static ssize_t qib_portattr_store(struct
+ 	struct qib_pportdata *ppd =
+ 		container_of(kobj, struct qib_pportdata, pport_kobj);
+ 
++	if (!pattr->store)
++		return -EIO;
++
+ 	return pattr->store(ppd, buf, len);
+ }
+ 
diff --git a/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch b/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch
new file mode 100644
index 0000000..fab3fac
--- /dev/null
+++ b/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch
@@ -0,0 +1,72 @@
+From 3155db7613edea8fb943624062baf1e4f9cfbfd6 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 11 Nov 2019 13:40:45 -0600
+Subject: rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 3155db7613edea8fb943624062baf1e4f9cfbfd6 upstream.
+
+In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for
+new drivers"), a callback needed to check if the hardware has released
+a buffer indicating that a DMA operation is completed was not added.
+
+Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
+Cc: Stable <stable@vger.kernel.org>	# v3.18+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192de/sw.c  |    1 +
+ drivers/net/wireless/rtlwifi/rtl8192de/trx.c |   17 +++++++++++++++++
+ drivers/net/wireless/rtlwifi/rtl8192de/trx.h |    2 ++
+ 3 files changed, 20 insertions(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
+@@ -242,6 +242,7 @@ static struct rtl_hal_ops rtl8192de_hal_
+ 	.led_control = rtl92de_led_control,
+ 	.set_desc = rtl92de_set_desc,
+ 	.get_desc = rtl92de_get_desc,
++	.is_tx_desc_closed = rtl92de_is_tx_desc_closed,
+ 	.tx_polling = rtl92de_tx_polling,
+ 	.enable_hw_sec = rtl92de_enable_hw_security_config,
+ 	.set_key = rtl92de_set_key,
+--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c
+@@ -863,6 +863,23 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is
+ 	return ret;
+ }
+ 
++bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw,
++			       u8 hw_queue, u16 index)
++{
++	struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
++	struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[hw_queue];
++	u8 *entry = (u8 *)(&ring->desc[ring->idx]);
++	u8 own = (u8)rtl92de_get_desc(entry, true, HW_DESC_OWN);
++
++	/* a beacon packet will only use the first
++	 * descriptor by defaut, and the own bit may not
++	 * be cleared by the hardware
++	 */
++	if (own)
++		return false;
++	return true;
++}
++
+ void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue)
+ {
+ 	struct rtl_priv *rtlpriv = rtl_priv(hw);
+--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.h
++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.h
+@@ -740,6 +740,8 @@ bool rtl92de_rx_query_desc(struct ieee80
+ void rtl92de_set_desc(struct ieee80211_hw *hw, u8 *pdesc, bool istx,
+ 		      u8 desc_name, u8 *val);
+ u32 rtl92de_get_desc(u8 *pdesc, bool istx, u8 desc_name);
++bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw,
++			       u8 hw_queue, u16 index);
+ void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue);
+ void rtl92de_tx_fill_cmddesc(struct ieee80211_hw *hw, u8 *pdesc,
+ 			     bool b_firstseg, bool b_lastseg,
diff --git a/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch b/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch
new file mode 100644
index 0000000..ef08301
--- /dev/null
+++ b/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch
@@ -0,0 +1,46 @@
+From 0e531cc575c4e9e3dd52ad287b49d3c2dc74c810 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 11 Nov 2019 13:40:44 -0600
+Subject: rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 0e531cc575c4e9e3dd52ad287b49d3c2dc74c810 upstream.
+
+In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for
+new drivers"), a callback to get the RX buffer address was added to
+the PCI driver. Unfortunately, driver rtl8192de was not modified
+appropriately and the code runs into a WARN_ONCE() call. The use
+of an incorrect array is also fixed.
+
+Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
+Cc: Stable <stable@vger.kernel.org> # 3.18+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192de/trx.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c
+@@ -844,13 +844,15 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is
+ 			break;
+ 		}
+ 	} else {
+-		struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc;
+ 		switch (desc_name) {
+ 		case HW_DESC_OWN:
+-			ret = GET_RX_DESC_OWN(pdesc);
++			ret = GET_RX_DESC_OWN(p_desc);
+ 			break;
+ 		case HW_DESC_RXPKT_LEN:
+-			ret = GET_RX_DESC_PKT_LEN(pdesc);
++			ret = GET_RX_DESC_PKT_LEN(p_desc);
++			break;
++		case HW_DESC_RXBUFF_ADDR:
++			ret = GET_RX_DESC_BUFF_ADDR(p_desc);
+ 			break;
+ 		default:
+ 			RT_ASSERT(false, "ERR rxdesc :%d not process\n",
diff --git a/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch b/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch
new file mode 100644
index 0000000..1613b53
--- /dev/null
+++ b/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch
@@ -0,0 +1,67 @@
+From 330bb7117101099c687e9c7f13d48068670b9c62 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 11 Nov 2019 13:40:46 -0600
+Subject: rtlwifi: rtl8192de: Fix missing enable interrupt flag
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 330bb7117101099c687e9c7f13d48068670b9c62 upstream.
+
+In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for
+new drivers"), the flag that indicates that interrupts are enabled was
+never set.
+
+In addition, there are several places when enable/disable interrupts
+were commented out are restored. A sychronize_interrupts() call is
+removed.
+
+Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
+Cc: Stable <stable@vger.kernel.org>	# v3.18+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192de/hw.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192de/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192de/hw.c
+@@ -1206,6 +1206,7 @@ void rtl92de_enable_interrupt(struct iee
+ 
+ 	rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF);
+ 	rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF);
++	rtlpci->irq_enabled = true;
+ }
+ 
+ void rtl92de_disable_interrupt(struct ieee80211_hw *hw)
+@@ -1215,7 +1216,7 @@ void rtl92de_disable_interrupt(struct ie
+ 
+ 	rtl_write_dword(rtlpriv, REG_HIMR, IMR8190_DISABLED);
+ 	rtl_write_dword(rtlpriv, REG_HIMRE, IMR8190_DISABLED);
+-	synchronize_irq(rtlpci->pdev->irq);
++	rtlpci->irq_enabled = false;
+ }
+ 
+ static void _rtl92de_poweroff_adapter(struct ieee80211_hw *hw)
+@@ -1386,7 +1387,7 @@ void rtl92de_set_beacon_related_register
+ 
+ 	bcn_interval = mac->beacon_interval;
+ 	atim_window = 2;
+-	/*rtl92de_disable_interrupt(hw);  */
++	rtl92de_disable_interrupt(hw);
+ 	rtl_write_word(rtlpriv, REG_ATIMWND, atim_window);
+ 	rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval);
+ 	rtl_write_word(rtlpriv, REG_BCNTCFG, 0x660f);
+@@ -1406,9 +1407,9 @@ void rtl92de_set_beacon_interval(struct
+ 
+ 	RT_TRACE(rtlpriv, COMP_BEACON, DBG_DMESG,
+ 		 "beacon_interval:%d\n", bcn_interval);
+-	/* rtl92de_disable_interrupt(hw); */
++	rtl92de_disable_interrupt(hw);
+ 	rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval);
+-	/* rtl92de_enable_interrupt(hw); */
++	rtl92de_enable_interrupt(hw);
+ }
+ 
+ void rtl92de_update_interrupt_mask(struct ieee80211_hw *hw,
diff --git a/series b/series
index dabf4e5..b621d06 100644
--- a/series
+++ b/series
@@ -10,3 +10,42 @@
 tty-vt-keyboard-reject-invalid-keycodes.patch
 can-slcan-fix-use-after-free-read-in-slcan_open.patch
 jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
+drm-i810-prevent-underflow-in-ioctl.patch
+kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
+crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
+crypto-user-fix-memory-leak-in-crypto_report.patch
+rdma-qib-validate-show-store-callbacks-before-calling-them.patch
+kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
+appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
+appletalk-set-error-code-if-register_snap_client-failed.patch
+staging-rtl8188eu-fix-interface-sanity-check.patch
+staging-rtl8712-fix-interface-sanity-check.patch
+staging-gigaset-fix-general-protection-fault-on-probe.patch
+staging-gigaset-fix-illegal-free-on-probe-errors.patch
+staging-gigaset-add-endpoint-type-sanity-check.patch
+xhci-increase-sts_halt-timeout-in-xhci_suspend.patch
+usb-atm-ueagle-atm-add-missing-endpoint-check.patch
+usb-idmouse-fix-interface-sanity-checks.patch
+usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
+usb-adutux-fix-interface-sanity-check.patch
+usb-core-urb-fix-urb-structure-initialization-function.patch
+usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
+mtd-spear_smi-fix-write-burst-mode.patch
+rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch
+rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch
+rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch
+lib-raid6-fix-awk-build-warnings.patch
+asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
+ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
+media-radio-wl1273-fix-interrupt-masking-on-release.patch
+cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
+acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
+acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
+powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch
+quota-check-that-quota-is-not-dirty-before-release.patch
+quota-fix-livelock-in-dquot_writeback_dquots.patch
+mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch
+net-bridge-deny-dev_set_mac_address-when-unregistering.patch
+tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
+inet-protect-against-too-small-mtu-values.patch
diff --git a/staging-gigaset-add-endpoint-type-sanity-check.patch b/staging-gigaset-add-endpoint-type-sanity-check.patch
new file mode 100644
index 0000000..3820681
--- /dev/null
+++ b/staging-gigaset-add-endpoint-type-sanity-check.patch
@@ -0,0 +1,51 @@
+From ed9ed5a89acba51b82bdff61144d4e4a4245ec8a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:10 +0100
+Subject: staging: gigaset: add endpoint-type sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream.
+
+Add missing endpoint-type sanity checks to probe.
+
+This specifically prevents a warning in USB core on URB submission when
+fuzzing USB descriptors.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/gigaset/usb-gigaset.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/isdn/gigaset/usb-gigaset.c
++++ b/drivers/isdn/gigaset/usb-gigaset.c
+@@ -713,6 +713,12 @@ static int gigaset_probe(struct usb_inte
+ 
+ 	endpoint = &hostif->endpoint[0].desc;
+ 
++	if (!usb_endpoint_is_bulk_out(endpoint)) {
++		dev_err(&interface->dev, "missing bulk-out endpoint\n");
++		retval = -ENODEV;
++		goto error;
++	}
++
+ 	buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
+ 	ucs->bulk_out_size = buffer_size;
+ 	ucs->bulk_out_epnum = usb_endpoint_num(endpoint);
+@@ -732,6 +738,12 @@ static int gigaset_probe(struct usb_inte
+ 
+ 	endpoint = &hostif->endpoint[1].desc;
+ 
++	if (!usb_endpoint_is_int_in(endpoint)) {
++		dev_err(&interface->dev, "missing int-in endpoint\n");
++		retval = -ENODEV;
++		goto error;
++	}
++
+ 	ucs->busy = 0;
+ 
+ 	ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL);
diff --git a/staging-gigaset-fix-general-protection-fault-on-probe.patch b/staging-gigaset-fix-general-protection-fault-on-probe.patch
new file mode 100644
index 0000000..a83e87d
--- /dev/null
+++ b/staging-gigaset-fix-general-protection-fault-on-probe.patch
@@ -0,0 +1,40 @@
+From 53f35a39c3860baac1e5ca80bf052751cfb24a99 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:08 +0100
+Subject: staging: gigaset: fix general protection fault on probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream.
+
+Fix a general protection fault when accessing the endpoint descriptors
+which could be triggered by a malicious device due to missing sanity
+checks on the number of endpoints.
+
+Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com
+Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter")
+Cc: stable <stable@vger.kernel.org>     # 2.6.17
+Cc: Hansjoerg Lipp <hjlipp@web.de>
+Cc: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/gigaset/usb-gigaset.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/isdn/gigaset/usb-gigaset.c
++++ b/drivers/isdn/gigaset/usb-gigaset.c
+@@ -693,6 +693,11 @@ static int gigaset_probe(struct usb_inte
+ 		return -ENODEV;
+ 	}
+ 
++	if (hostif->desc.bNumEndpoints < 2) {
++		dev_err(&interface->dev, "missing endpoints\n");
++		return -ENODEV;
++	}
++
+ 	dev_info(&udev->dev, "%s: Device matched ... !\n", __func__);
+ 
+ 	/* allocate memory for our device state and initialize it */
diff --git a/staging-gigaset-fix-illegal-free-on-probe-errors.patch b/staging-gigaset-fix-illegal-free-on-probe-errors.patch
new file mode 100644
index 0000000..f9e9981
--- /dev/null
+++ b/staging-gigaset-fix-illegal-free-on-probe-errors.patch
@@ -0,0 +1,47 @@
+From 84f60ca7b326ed8c08582417493982fe2573a9ad Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:09 +0100
+Subject: staging: gigaset: fix illegal free on probe errors
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream.
+
+The driver failed to initialise its receive-buffer pointer, something
+which could lead to an illegal free on late probe errors.
+
+Fix this by making sure to clear all driver data at allocation.
+
+Fixes: 2032e2c2309d ("usb_gigaset: code cleanup")
+Cc: stable <stable@vger.kernel.org>     # 2.6.33
+Cc: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/gigaset/usb-gigaset.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/isdn/gigaset/usb-gigaset.c
++++ b/drivers/isdn/gigaset/usb-gigaset.c
+@@ -579,8 +579,7 @@ static int gigaset_initcshw(struct cards
+ {
+ 	struct usb_cardstate *ucs;
+ 
+-	cs->hw.usb = ucs =
+-		kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
++	cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
+ 	if (!ucs) {
+ 		pr_err("out of memory\n");
+ 		return -ENOMEM;
+@@ -592,9 +591,6 @@ static int gigaset_initcshw(struct cards
+ 	ucs->bchars[3] = 0;
+ 	ucs->bchars[4] = 0x11;
+ 	ucs->bchars[5] = 0x13;
+-	ucs->bulk_out_buffer = NULL;
+-	ucs->bulk_out_urb = NULL;
+-	ucs->read_urb = NULL;
+ 	tasklet_init(&cs->write_tasklet,
+ 		     gigaset_modem_fill, (unsigned long) cs);
+ 
diff --git a/staging-rtl8188eu-fix-interface-sanity-check.patch b/staging-rtl8188eu-fix-interface-sanity-check.patch
new file mode 100644
index 0000000..1921cbb
--- /dev/null
+++ b/staging-rtl8188eu-fix-interface-sanity-check.patch
@@ -0,0 +1,36 @@
+From 74ca34118a0e05793935d804ccffcedd6eb56596 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:47:50 +0100
+Subject: staging: rtl8188eu: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20")
+Cc: stable <stable@vger.kernel.org>     # 3.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -86,7 +86,7 @@ static struct dvobj_priv *usb_dvobj_init
+ 	phost_conf = pusbd->actconfig;
+ 	pconf_desc = &phost_conf->desc;
+ 
+-	phost_iface = &usb_intf->altsetting[0];
++	phost_iface = usb_intf->cur_altsetting;
+ 	piface_desc = &phost_iface->desc;
+ 
+ 	pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces;
diff --git a/staging-rtl8712-fix-interface-sanity-check.patch b/staging-rtl8712-fix-interface-sanity-check.patch
new file mode 100644
index 0000000..e5b22bc
--- /dev/null
+++ b/staging-rtl8712-fix-interface-sanity-check.patch
@@ -0,0 +1,36 @@
+From c724f776f048538ecfdf53a52b7a522309f5c504 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:47:51 +0100
+Subject: staging: rtl8712: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Cc: stable <stable@vger.kernel.org>     # 2.6.37
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/usb_intf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -268,7 +268,7 @@ static uint r8712_usb_dvobj_init(struct
+ 	pdev_desc = &pusbd->descriptor;
+ 	phost_conf = pusbd->actconfig;
+ 	pconf_desc = &phost_conf->desc;
+-	phost_iface = &pintf->altsetting[0];
++	phost_iface = pintf->cur_altsetting;
+ 	piface_desc = &phost_iface->desc;
+ 	pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints;
+ 	if (pusbd->speed == USB_SPEED_HIGH) {
diff --git a/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch b/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
new file mode 100644
index 0000000..eadf33d
--- /dev/null
+++ b/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
@@ -0,0 +1,46 @@
+From foo@baz Wed 18 Dec 2019 01:37:17 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Dec 2019 10:10:15 -0800
+Subject: tcp: md5: fix potential overestimation of TCP option space
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9424e2e7ad93ffffa88f882c9bc5023570904b55 ]
+
+Back in 2008, Adam Langley fixed the corner case of packets for flows
+having all of the following options : MD5 TS SACK
+
+Since MD5 needs 20 bytes, and TS needs 12 bytes, no sack block
+can be cooked from the remaining 8 bytes.
+
+tcp_established_options() correctly sets opts->num_sack_blocks
+to zero, but returns 36 instead of 32.
+
+This means TCP cooks packets with 4 extra bytes at the end
+of options, containing unitialized bytes.
+
+Fixes: 33ad798c924b ("tcp: options clean up")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -693,8 +693,9 @@ static unsigned int tcp_established_opti
+ 			min_t(unsigned int, eff_sacks,
+ 			      (remaining - TCPOLEN_SACK_BASE_ALIGNED) /
+ 			      TCPOLEN_SACK_PERBLOCK);
+-		size += TCPOLEN_SACK_BASE_ALIGNED +
+-			opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
++		if (likely(opts->num_sack_blocks))
++			size += TCPOLEN_SACK_BASE_ALIGNED +
++				opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
+ 	}
+ 
+ 	return size;
diff --git a/tty-vt-keyboard-reject-invalid-keycodes.patch b/tty-vt-keyboard-reject-invalid-keycodes.patch
new file mode 100644
index 0000000..09c9933
--- /dev/null
+++ b/tty-vt-keyboard-reject-invalid-keycodes.patch
@@ -0,0 +1,52 @@
+From b2b2dd71e0859436d4e05b2f61f86140250ed3f8 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 22 Nov 2019 12:42:20 -0800
+Subject: tty: vt: keyboard: reject invalid keycodes
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.
+
+Do not try to handle keycodes that are too big, otherwise we risk doing
+out-of-bounds writes:
+
+BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
+...
+ kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+ kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+ input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
+ input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
+ input_pass_values drivers/input/input.c:949 [inline]
+ input_set_keycode+0x290/0x320 drivers/input/input.c:954
+ evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
+ evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
+
+In this case we were dealing with a fuzzed HID device that declared over
+12K buttons, and while HID layer should not be reporting to us such big
+keycodes, we should also be defensive and reject invalid data ourselves as
+well.
+
+Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/keyboard.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -1358,7 +1358,7 @@ static void kbd_event(struct input_handl
+ 
+ 	if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev))
+ 		kbd_rawcode(value);
+-	if (event_type == EV_KEY)
++	if (event_type == EV_KEY && event_code <= KEY_MAX)
+ 		kbd_keycode(event_code, value, HW_RAW(handle->dev));
+ 
+ 	spin_unlock(&kbd_event_lock);
diff --git a/usb-adutux-fix-interface-sanity-check.patch b/usb-adutux-fix-interface-sanity-check.patch
new file mode 100644
index 0000000..631b320
--- /dev/null
+++ b/usb-adutux-fix-interface-sanity-check.patch
@@ -0,0 +1,36 @@
+From 3c11c4bed02b202e278c0f5c319ae435d7fb9815 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:25:59 +0100
+Subject: USB: adutux: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices")
+Cc: stable <stable@vger.kernel.org>     # 2.6.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/adutux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -686,7 +686,7 @@ static int adu_probe(struct usb_interfac
+ 	init_waitqueue_head(&dev->read_wait);
+ 	init_waitqueue_head(&dev->write_wait);
+ 
+-	iface_desc = &interface->altsetting[0];
++	iface_desc = &interface->cur_altsetting[0];
+ 
+ 	/* set up the endpoint information */
+ 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
diff --git a/usb-atm-ueagle-atm-add-missing-endpoint-check.patch b/usb-atm-ueagle-atm-add-missing-endpoint-check.patch
new file mode 100644
index 0000000..8eaeb3e
--- /dev/null
+++ b/usb-atm-ueagle-atm-add-missing-endpoint-check.patch
@@ -0,0 +1,90 @@
+From 09068c1ad53fb077bdac288869dec2435420bdc4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:25:58 +0100
+Subject: USB: atm: ueagle-atm: add missing endpoint check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream.
+
+Make sure that the interrupt interface has an endpoint before trying to
+access its endpoint descriptors to avoid dereferencing a NULL pointer.
+
+The driver binds to the interrupt interface with interface number 0, but
+must not assume that this interface or its current alternate setting are
+the first entries in the corresponding configuration arrays.
+
+Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
+Cc: stable <stable@vger.kernel.org>     # 2.6.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/atm/ueagle-atm.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/atm/ueagle-atm.c
++++ b/drivers/usb/atm/ueagle-atm.c
+@@ -2167,10 +2167,11 @@ resubmit:
+ /*
+  * Start the modem : init the data and start kernel thread
+  */
+-static int uea_boot(struct uea_softc *sc)
++static int uea_boot(struct uea_softc *sc, struct usb_interface *intf)
+ {
+-	int ret, size;
+ 	struct intr_pkt *intr;
++	int ret = -ENOMEM;
++	int size;
+ 
+ 	uea_enters(INS_TO_USBDEV(sc));
+ 
+@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc
+ 	if (UEA_CHIP_VERSION(sc) == ADI930)
+ 		load_XILINX_firmware(sc);
+ 
++	if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
++		ret = -ENODEV;
++		goto err0;
++	}
++
+ 	intr = kmalloc(size, GFP_KERNEL);
+ 	if (!intr) {
+ 		uea_err(INS_TO_USBDEV(sc),
+@@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc
+ 	usb_fill_int_urb(sc->urb_int, sc->usb_dev,
+ 			 usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE),
+ 			 intr, size, uea_intr, sc,
+-			 sc->usb_dev->actconfig->interface[0]->altsetting[0].
+-			 endpoint[0].desc.bInterval);
++			 intf->cur_altsetting->endpoint[0].desc.bInterval);
+ 
+ 	ret = usb_submit_urb(sc->urb_int, GFP_KERNEL);
+ 	if (ret < 0) {
+@@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc
+ 	sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm");
+ 	if (IS_ERR(sc->kthread)) {
+ 		uea_err(INS_TO_USBDEV(sc), "failed to create thread\n");
++		ret = PTR_ERR(sc->kthread);
+ 		goto err2;
+ 	}
+ 
+@@ -2241,7 +2247,7 @@ err1:
+ 	kfree(intr);
+ err0:
+ 	uea_leaves(INS_TO_USBDEV(sc));
+-	return -ENOMEM;
++	return ret;
+ }
+ 
+ /*
+@@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data *
+ 	if (ret < 0)
+ 		goto error;
+ 
+-	ret = uea_boot(sc);
++	ret = uea_boot(sc, intf);
+ 	if (ret < 0)
+ 		goto error_rm_grp;
+ 
diff --git a/usb-core-urb-fix-urb-structure-initialization-function.patch b/usb-core-urb-fix-urb-structure-initialization-function.patch
new file mode 100644
index 0000000..d7e95aa
--- /dev/null
+++ b/usb-core-urb-fix-urb-structure-initialization-function.patch
@@ -0,0 +1,34 @@
+From 1cd17f7f0def31e3695501c4f86cd3faf8489840 Mon Sep 17 00:00:00 2001
+From: Emiliano Ingrassia <ingrassia@epigenesys.com>
+Date: Wed, 27 Nov 2019 17:03:55 +0100
+Subject: usb: core: urb: fix URB structure initialization function
+
+From: Emiliano Ingrassia <ingrassia@epigenesys.com>
+
+commit 1cd17f7f0def31e3695501c4f86cd3faf8489840 upstream.
+
+Explicitly initialize URB structure urb_list field in usb_init_urb().
+This field can be potentially accessed uninitialized and its
+initialization is coherent with the usage of list_del_init() in
+usb_hcd_unlink_urb_from_ep() and usb_giveback_urb_bh() and its
+explicit initialization in usb_hcd_submit_urb() error path.
+
+Signed-off-by: Emiliano Ingrassia <ingrassia@epigenesys.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191127160355.GA27196@ingrassia.epigenesys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/urb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/urb.c
++++ b/drivers/usb/core/urb.c
+@@ -40,6 +40,7 @@ void usb_init_urb(struct urb *urb)
+ 	if (urb) {
+ 		memset(urb, 0, sizeof(*urb));
+ 		kref_init(&urb->kref);
++		INIT_LIST_HEAD(&urb->urb_list);
+ 		INIT_LIST_HEAD(&urb->anchor_list);
+ 	}
+ }
diff --git a/usb-idmouse-fix-interface-sanity-checks.patch b/usb-idmouse-fix-interface-sanity-checks.patch
new file mode 100644
index 0000000..b23e015
--- /dev/null
+++ b/usb-idmouse-fix-interface-sanity-checks.patch
@@ -0,0 +1,36 @@
+From 59920635b89d74b9207ea803d5e91498d39e8b69 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:26:00 +0100
+Subject: USB: idmouse: fix interface sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/idmouse.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -342,7 +342,7 @@ static int idmouse_probe(struct usb_inte
+ 	int result;
+ 
+ 	/* check if we have gotten the data or the hid interface */
+-	iface_desc = &interface->altsetting[0];
++	iface_desc = interface->cur_altsetting;
+ 	if (iface_desc->desc.bInterfaceClass != 0x0A)
+ 		return -ENODEV;
+ 
diff --git a/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch b/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
new file mode 100644
index 0000000..71f5b14
--- /dev/null
+++ b/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
@@ -0,0 +1,104 @@
+From 19e6317d24c25ee737c65d1ffb7483bdda4bb54a Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev <zaitcev@redhat.com>
+Date: Wed, 4 Dec 2019 20:39:41 -0600
+Subject: usb: mon: Fix a deadlock in usbmon between mmap and read
+
+From: Pete Zaitcev <zaitcev@redhat.com>
+
+commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream.
+
+The problem arises because our read() function grabs a lock of the
+circular buffer, finds something of interest, then invokes copy_to_user()
+straight from the buffer, which in turn takes mm->mmap_sem. In the same
+time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem.
+It attempts to take the fetch lock and deadlocks.
+
+This patch does away with protecting of our page list with any
+semaphores, and instead relies on the kernel not close the device
+while mmap is active in a process.
+
+In addition, we prohibit re-sizing of a buffer while mmap is active.
+This way, when (now unlocked) fault is processed, it works with the
+page that is intended to be mapped-in, and not some other random page.
+Note that this may have an ABI impact, but hopefully no legitimate
+program is this wrong.
+
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/mon/mon_bin.c |   32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1034,12 +1034,18 @@ static long mon_bin_ioctl(struct file *f
+ 
+ 		mutex_lock(&rp->fetch_lock);
+ 		spin_lock_irqsave(&rp->b_lock, flags);
+-		mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
+-		kfree(rp->b_vec);
+-		rp->b_vec  = vec;
+-		rp->b_size = size;
+-		rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
+-		rp->cnt_lost = 0;
++		if (rp->mmap_active) {
++			mon_free_buff(vec, size/CHUNK_SIZE);
++			kfree(vec);
++			ret = -EBUSY;
++		} else {
++			mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
++			kfree(rp->b_vec);
++			rp->b_vec  = vec;
++			rp->b_size = size;
++			rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
++			rp->cnt_lost = 0;
++		}
+ 		spin_unlock_irqrestore(&rp->b_lock, flags);
+ 		mutex_unlock(&rp->fetch_lock);
+ 		}
+@@ -1211,13 +1217,21 @@ mon_bin_poll(struct file *file, struct p
+ static void mon_bin_vma_open(struct vm_area_struct *vma)
+ {
+ 	struct mon_reader_bin *rp = vma->vm_private_data;
++	unsigned long flags;
++
++	spin_lock_irqsave(&rp->b_lock, flags);
+ 	rp->mmap_active++;
++	spin_unlock_irqrestore(&rp->b_lock, flags);
+ }
+ 
+ static void mon_bin_vma_close(struct vm_area_struct *vma)
+ {
++	unsigned long flags;
++
+ 	struct mon_reader_bin *rp = vma->vm_private_data;
++	spin_lock_irqsave(&rp->b_lock, flags);
+ 	rp->mmap_active--;
++	spin_unlock_irqrestore(&rp->b_lock, flags);
+ }
+ 
+ /*
+@@ -1229,16 +1243,12 @@ static int mon_bin_vma_fault(struct vm_a
+ 	unsigned long offset, chunk_idx;
+ 	struct page *pageptr;
+ 
+-	mutex_lock(&rp->fetch_lock);
+ 	offset = vmf->pgoff << PAGE_SHIFT;
+-	if (offset >= rp->b_size) {
+-		mutex_unlock(&rp->fetch_lock);
++	if (offset >= rp->b_size)
+ 		return VM_FAULT_SIGBUS;
+-	}
+ 	chunk_idx = offset / CHUNK_SIZE;
+ 	pageptr = rp->b_vec[chunk_idx].pg;
+ 	get_page(pageptr);
+-	mutex_unlock(&rp->fetch_lock);
+ 	vmf->page = pageptr;
+ 	return 0;
+ }
diff --git a/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch b/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
new file mode 100644
index 0000000..1678c30
--- /dev/null
+++ b/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
@@ -0,0 +1,50 @@
+From 7c5a2df3367a2c4984f1300261345817d95b71f8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:26:01 +0100
+Subject: USB: serial: io_edgeport: fix epic endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream.
+
+Make sure to use the current alternate setting when looking up the
+endpoints on epic devices to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
+Cc: stable <stable@vger.kernel.org>     # 2.6.21
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_edgeport.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -2854,16 +2854,18 @@ static int edge_startup(struct usb_seria
+ 	response = 0;
+ 
+ 	if (edge_serial->is_epic) {
++		struct usb_host_interface *alt;
++
++		alt = serial->interface->cur_altsetting;
++
+ 		/* EPIC thing, set up our interrupt polling now and our read
+ 		 * urb, so that the device knows it really is connected. */
+ 		interrupt_in_found = bulk_in_found = bulk_out_found = false;
+-		for (i = 0; i < serial->interface->altsetting[0]
+-						.desc.bNumEndpoints; ++i) {
++		for (i = 0; i < alt->desc.bNumEndpoints; ++i) {
+ 			struct usb_endpoint_descriptor *endpoint;
+ 			int buffer_size;
+ 
+-			endpoint = &serial->interface->altsetting[0].
+-							endpoint[i].desc;
++			endpoint = &alt->endpoint[i].desc;
+ 			buffer_size = usb_endpoint_maxp(endpoint);
+ 			if (!interrupt_in_found &&
+ 			    (usb_endpoint_is_int_in(endpoint))) {
diff --git a/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch b/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
new file mode 100644
index 0000000..a3630c7
--- /dev/null
+++ b/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
@@ -0,0 +1,53 @@
+From 7e8ce0e2b036dbc6617184317983aea4f2c52099 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 2 Sep 2019 22:52:52 +0800
+Subject: x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream.
+
+The AMD FCH USB XHCI Controller advertises support for generating PME#
+while in D0.  When in D0, it does signal PME# for USB 3.0 connect events,
+but not for USB 2.0 or USB 1.1 connect events, which means the controller
+doesn't wake correctly for those events.
+
+  00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI])
+        Subsystem: Dell FCH USB XHCI Controller [1028:087e]
+        Capabilities: [50] Power Management version 3
+                Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
+
+Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not
+assert PME# from D0 so we don't rely on it.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673
+Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/fixup.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -555,6 +555,17 @@ static void twinhead_reserve_killing_zon
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
+ 
+ /*
++ * Device [1022:7914]
++ * When in D0, PME# doesn't get asserted when plugging USB 2.0 device.
++ */
++static void pci_fixup_amd_fch_xhci_pme(struct pci_dev *dev)
++{
++	dev_info(&dev->dev, "PME# does not work under D0, disabling it\n");
++	dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT);
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7914, pci_fixup_amd_fch_xhci_pme);
++
++/*
+  * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
+  *
+  * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
diff --git a/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch b/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch
new file mode 100644
index 0000000..2be8423
--- /dev/null
+++ b/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch
@@ -0,0 +1,43 @@
+From 7c67cf6658cec70d8a43229f2ce74ca1443dc95e Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 11 Dec 2019 16:20:05 +0200
+Subject: xhci: Increase STS_HALT timeout in xhci_suspend()
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 7c67cf6658cec70d8a43229f2ce74ca1443dc95e upstream.
+
+I've recently observed failed xHCI suspend attempt on AMD Raven Ridge
+system:
+kernel: xhci_hcd 0000:04:00.4: WARN: xHC CMD_RUN timeout
+kernel: PM: suspend_common(): xhci_pci_suspend+0x0/0xd0 returns -110
+kernel: PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -110
+kernel: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x150 returns -110
+kernel: PM: Device 0000:04:00.4 failed to suspend async: error -110
+
+Similar to commit ac343366846a ("xhci: Increase STS_SAVE timeout in
+xhci_suspend()") we also need to increase the HALT timeout to make it be
+able to suspend again.
+
+Cc: <stable@vger.kernel.org> # 5.2+
+Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -898,7 +898,7 @@ static void xhci_disable_port_wake_on_bi
+ int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
+ {
+ 	int			rc = 0;
+-	unsigned int		delay = XHCI_MAX_HALT_USEC;
++	unsigned int		delay = XHCI_MAX_HALT_USEC * 2;
+ 	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
+ 	u32			command;
+