authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-12 19:53:20 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-12 19:53:20 +0100
commit7430f75d8a0afa7312ca478c3943184dc091bde4 (patch)
tree7ee89ce06d93fa9b665dd822092de34d472da4a5
parent1f1abb67cbfa621d281471fabce6f310879fb4fb (diff)
downloadqueue-3.18-7430f75d8a0afa7312ca478c3943184dc091bde4.tar.gz
remove applied patches and added a new one
-rw-r--r--alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch37
-rw-r--r--alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch64
-rw-r--r--ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch76
-rw-r--r--bluetooth-delete-a-stray-unlock.patch36
-rw-r--r--chardev-avoid-potential-use-after-free-in-chrdev_open.patch96
-rw-r--r--gpiolib-fix-up-emulated-open-drain-outputs.patch44
-rw-r--r--macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch170
-rw-r--r--net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch32
-rw-r--r--regulator-ab8500-remove-ab8505-usb-regulator.patch75
-rw-r--r--sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch94
-rw-r--r--series16
-rw-r--r--taskstats-fix-data-race.patch101
-rw-r--r--tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch46
-rw-r--r--tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch68
-rw-r--r--vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch100
-rw-r--r--vlan-vlan_changelink-should-propagate-errors.patch49
-rw-r--r--vxlan-fix-tos-value-before-xmit.patch36
17 files changed, 97 insertions, 1043 deletions
diff --git a/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch b/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
deleted file mode 100644
index 131ab0d..0000000
--- a/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From d60229d84846a8399257006af9c5444599f64361 Mon Sep 17 00:00:00 2001
-From: Colin Ian King <colin.king@canonical.com>
-Date: Fri, 22 Nov 2019 13:13:54 +0000
-Subject: ALSA: cs4236: fix error return comparison of an unsigned integer
-
-From: Colin Ian King <colin.king@canonical.com>
-
-commit d60229d84846a8399257006af9c5444599f64361 upstream.
-
-The return from pnp_irq is an unsigned integer type resource_size_t
-and hence the error check for a positive non-error code is always
-going to be true. A check for a non-failure return from pnp_irq
-should in fact be for (resource_size_t)-1 rather than >= 0.
-
-Addresses-Coverity: ("Unsigned compared against 0")
-Fixes: a9824c868a2c ("[ALSA] Add CS4232 PnP BIOS support")
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Link: https://lore.kernel.org/r/20191122131354.58042-1-colin.king@canonical.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/isa/cs423x/cs4236.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/sound/isa/cs423x/cs4236.c
-+++ b/sound/isa/cs423x/cs4236.c
-@@ -293,7 +293,8 @@ static int snd_cs423x_pnp_init_mpu(int d
- } else {
- mpu_port[dev] = pnp_port_start(pdev, 0);
- if (mpu_irq[dev] >= 0 &&
-- pnp_irq_valid(pdev, 0) && pnp_irq(pdev, 0) >= 0) {
-+ pnp_irq_valid(pdev, 0) &&
-+ pnp_irq(pdev, 0) != (resource_size_t)-1) {
- mpu_irq[dev] = pnp_irq(pdev, 0);
- } else {
- mpu_irq[dev] = -1; /* disable interrupt */
diff --git a/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch b/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
deleted file mode 100644
index 68158e5..0000000
--- a/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Wed, 18 Dec 2019 20:26:06 +0100
-Subject: ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code
-
-From: Takashi Iwai <tiwai@suse.de>
-
-commit 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd upstream.
-
-Jia-Ju Bai reported a possible sleep-in-atomic scenario in the ice1724
-driver with Infrasonic Quartet support code: namely, ice->set_rate
-callback gets called inside ice->reg_lock spinlock, while the callback
-in quartet.c holds ice->gpio_mutex.
-
-This patch fixes the invalid call: it simply moves the calls of
-ice->set_rate and ice->set_mclk callbacks outside the spinlock.
-
-Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/5d43135e-73b9-a46a-2155-9e91d0dcdf83@gmail.com
-Link: https://lore.kernel.org/r/20191218192606.12866-1-tiwai@suse.de
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/pci/ice1712/ice1724.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
---- a/sound/pci/ice1712/ice1724.c
-+++ b/sound/pci/ice1712/ice1724.c
-@@ -663,6 +663,7 @@ static int snd_vt1724_set_pro_rate(struc
- unsigned long flags;
- unsigned char mclk_change;
- unsigned int i, old_rate;
-+ bool call_set_rate = false;
-
- if (rate > ice->hw_rates->list[ice->hw_rates->count - 1])
- return -EINVAL;
-@@ -686,7 +687,7 @@ static int snd_vt1724_set_pro_rate(struc
- * setting clock rate for internal clock mode */
- old_rate = ice->get_rate(ice);
- if (force || (old_rate != rate))
-- ice->set_rate(ice, rate);
-+ call_set_rate = true;
- else if (rate == ice->cur_rate) {
- spin_unlock_irqrestore(&ice->reg_lock, flags);
- return 0;
-@@ -694,12 +695,14 @@ static int snd_vt1724_set_pro_rate(struc
- }
-
- ice->cur_rate = rate;
-+ spin_unlock_irqrestore(&ice->reg_lock, flags);
-+
-+ if (call_set_rate)
-+ ice->set_rate(ice, rate);
-
- /* setting master clock */
- mclk_change = ice->set_mclk(ice, rate);
-
-- spin_unlock_irqrestore(&ice->reg_lock, flags);
--
- if (mclk_change && ice->gpio.i2s_mclk_changed)
- ice->gpio.i2s_mclk_changed(ice);
- if (ice->gpio.set_pro_rate)
diff --git a/ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch b/ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch
deleted file mode 100644
index 1c70992..0000000
--- a/ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 84b032dbfdf1c139cd2b864e43959510646975f8 Mon Sep 17 00:00:00 2001
-From: Florian Fainelli <f.fainelli@gmail.com>
-Date: Tue, 10 Dec 2019 10:53:44 -0800
-Subject: ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys()
-
-From: Florian Fainelli <f.fainelli@gmail.com>
-
-commit 84b032dbfdf1c139cd2b864e43959510646975f8 upstream.
-
-This reverts commit 6bb86fefa086faba7b60bb452300b76a47cde1a5
-("libahci_platform: Staticize ahci_platform_<en/dis>able_phys()") we are
-going to need ahci_platform_{enable,disable}_phys() in a subsequent
-commit for ahci_brcm.c in order to properly control the PHY
-initialization order.
-
-Also make sure the function prototypes are declared in
-include/linux/ahci_platform.h as a result.
-
-Cc: stable@vger.kernel.org
-Reviewed-by: Hans de Goede <hdegoede@redhat.com>
-Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/ata/libahci_platform.c | 6 ++++--
- include/linux/ahci_platform.h | 2 ++
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/ata/libahci_platform.c
-+++ b/drivers/ata/libahci_platform.c
-@@ -49,7 +49,7 @@ static struct scsi_host_template ahci_pl
- * RETURNS:
- * 0 on success otherwise a negative error code
- */
--static int ahci_platform_enable_phys(struct ahci_host_priv *hpriv)
-+int ahci_platform_enable_phys(struct ahci_host_priv *hpriv)
- {
- int rc, i;
-
-@@ -77,6 +77,7 @@ disable_phys:
- }
- return rc;
- }
-+EXPORT_SYMBOL_GPL(ahci_platform_enable_phys);
-
- /**
- * ahci_platform_disable_phys - Disable PHYs
-@@ -84,7 +85,7 @@ disable_phys:
- *
- * This function disables all PHYs found in hpriv->phys.
- */
--static void ahci_platform_disable_phys(struct ahci_host_priv *hpriv)
-+void ahci_platform_disable_phys(struct ahci_host_priv *hpriv)
- {
- int i;
-
-@@ -96,6 +97,7 @@ static void ahci_platform_disable_phys(s
- phy_exit(hpriv->phys[i]);
- }
- }
-+EXPORT_SYMBOL_GPL(ahci_platform_disable_phys);
-
- /**
- * ahci_platform_enable_clks - Enable platform clocks
---- a/include/linux/ahci_platform.h
-+++ b/include/linux/ahci_platform.h
-@@ -22,6 +22,8 @@ struct ata_port_info;
- struct ahci_host_priv;
- struct platform_device;
-
-+int ahci_platform_enable_phys(struct ahci_host_priv *hpriv);
-+void ahci_platform_disable_phys(struct ahci_host_priv *hpriv);
- int ahci_platform_enable_clks(struct ahci_host_priv *hpriv);
- void ahci_platform_disable_clks(struct ahci_host_priv *hpriv);
- int ahci_platform_enable_resources(struct ahci_host_priv *hpriv);
diff --git a/bluetooth-delete-a-stray-unlock.patch b/bluetooth-delete-a-stray-unlock.patch
deleted file mode 100644
index 132ce70..0000000
--- a/bluetooth-delete-a-stray-unlock.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From df66499a1fab340c167250a5743931dc50d5f0fa Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Tue, 19 Nov 2019 09:17:05 +0300
-Subject: Bluetooth: delete a stray unlock
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-commit df66499a1fab340c167250a5743931dc50d5f0fa upstream.
-
-We used to take a lock in amp_physical_cfm() but then we moved it to
-the caller function. Unfortunately the unlock on this error path was
-overlooked so it leads to a double unlock.
-
-Fixes: a514b17fab51 ("Bluetooth: Refactor locking in amp_physical_cfm")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/bluetooth/l2cap_core.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/net/bluetooth/l2cap_core.c
-+++ b/net/bluetooth/l2cap_core.c
-@@ -4878,10 +4878,8 @@ void __l2cap_physical_cfm(struct l2cap_c
- BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
- chan, result, local_amp_id, remote_amp_id);
-
-- if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
-- l2cap_chan_unlock(chan);
-+ if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
- return;
-- }
-
- if (chan->state != BT_CONNECTED) {
- l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
diff --git a/chardev-avoid-potential-use-after-free-in-chrdev_open.patch b/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
new file mode 100644
index 0000000..056f1f7
--- /dev/null
+++ b/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
@@ -0,0 +1,96 @@
+From 68faa679b8be1a74e6663c21c3a9d25d32f1c079 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 19 Dec 2019 12:02:03 +0000
+Subject: chardev: Avoid potential use-after-free in 'chrdev_open()'
+
+From: Will Deacon <will@kernel.org>
+
+commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 upstream.
+
+'chrdev_open()' calls 'cdev_get()' to obtain a reference to the
+'struct cdev *' stashed in the 'i_cdev' field of the target inode
+structure. If the pointer is NULL, then it is initialised lazily by
+looking up the kobject in the 'cdev_map' and so the whole procedure is
+protected by the 'cdev_lock' spinlock to serialise initialisation of
+the shared pointer.
+
+Unfortunately, it is possible for the initialising thread to fail *after*
+installing the new pointer, for example if the subsequent '->open()' call
+on the file fails. In this case, 'cdev_put()' is called, the reference
+count on the kobject is dropped and, if nobody else has taken a reference,
+the release function is called which finally clears 'inode->i_cdev' from
+'cdev_purge()' before potentially freeing the object. The problem here
+is that a racing thread can happily take the 'cdev_lock' and see the
+non-NULL pointer in the inode, which can result in a refcount increment
+from zero and a warning:
+
+ | ------------[ cut here ]------------
+ | refcount_t: addition on 0; use-after-free.
+ | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0
+ | Modules linked in:
+ | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22
+ | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+ | RIP: 0010:refcount_warn_saturate+0x6d/0xf0
+ | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08
+ | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282
+ | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000
+ | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798
+ | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039
+ | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700
+ | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700
+ | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000
+ | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0
+ | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ | Call Trace:
+ | kobject_get+0x5c/0x60
+ | cdev_get+0x2b/0x60
+ | chrdev_open+0x55/0x220
+ | ? cdev_put.part.3+0x20/0x20
+ | do_dentry_open+0x13a/0x390
+ | path_openat+0x2c8/0x1470
+ | do_filp_open+0x93/0x100
+ | ? selinux_file_ioctl+0x17f/0x220
+ | do_sys_open+0x186/0x220
+ | do_syscall_64+0x48/0x150
+ | entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ | RIP: 0033:0x7f3b87efcd0e
+ | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4
+ | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
+ | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e
+ | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c
+ | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000
+ | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e
+ | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000
+ | ---[ end trace 24f53ca58db8180a ]---
+
+Since 'cdev_get()' can already fail to obtain a reference, simply move
+it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',
+which will cause the racing thread to return -ENXIO if the initialising
+thread fails unexpectedly.
+
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/char_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/char_dev.c
++++ b/fs/char_dev.c
+@@ -354,7 +354,7 @@ static struct kobject *cdev_get(struct c
+
+ if (owner && !try_module_get(owner))
+ return NULL;
+- kobj = kobject_get(&p->kobj);
++ kobj = kobject_get_unless_zero(&p->kobj);
+ if (!kobj)
+ module_put(owner);
+ return kobj;
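Review bot: The new call `kobject_get_unless_zero(&p->kobj)` in the fs/char_dev.c hunk only builds if that helper is declared outside lib/kobject.c, and in older kernel trees it was, as far as I recall, a static function there. The series file in this commit now lists only this patch, so nothing queued ahead of it adds an exported declaration. Before release, confirm the target tree declares the helper in include/linux/kobject.h, or queue the export as a prerequisite; otherwise the fix for the refcount-from-zero race will not compile. A short comment at the call site would also keep the intent visible, for example `/* a racing opener can still see i_cdev after the last cdev_put(); never take a reference from zero */`. cdev_get()'s body starts and ends outside the hunk.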
diff --git a/gpiolib-fix-up-emulated-open-drain-outputs.patch b/gpiolib-fix-up-emulated-open-drain-outputs.patch
deleted file mode 100644
index a67b9a3..0000000
--- a/gpiolib-fix-up-emulated-open-drain-outputs.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 256efaea1fdc4e38970489197409a26125ee0aaa Mon Sep 17 00:00:00 2001
-From: Russell King <rmk+kernel@armlinux.org.uk>
-Date: Sat, 7 Dec 2019 16:20:18 +0000
-Subject: gpiolib: fix up emulated open drain outputs
-
-From: Russell King <rmk+kernel@armlinux.org.uk>
-
-commit 256efaea1fdc4e38970489197409a26125ee0aaa upstream.
-
-gpiolib has a corner case with open drain outputs that are emulated.
-When such outputs are outputting a logic 1, emulation will set the
-hardware to input mode, which will cause gpiod_get_direction() to
-report that it is in input mode. This is different from the behaviour
-with a true open-drain output.
-
-Unify the semantics here.
-
-Cc: <stable@vger.kernel.org>
-Suggested-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
-Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/gpio/gpiolib.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/gpio/gpiolib.c
-+++ b/drivers/gpio/gpiolib.c
-@@ -147,6 +147,14 @@ int gpiod_get_direction(const struct gpi
- chip = gpiod_to_chip(desc);
- offset = gpio_chip_hwgpio(desc);
-
-+ /*
-+ * Open drain emulation using input mode may incorrectly report
-+ * input here, fix that up.
-+ */
-+ if (test_bit(FLAG_OPEN_DRAIN, &desc->flags) &&
-+ test_bit(FLAG_IS_OUT, &desc->flags))
-+ return 0;
-+
- if (!chip->get_direction)
- return status;
-
diff --git a/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch b/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
deleted file mode 100644
index 00285b9..0000000
--- a/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:44:46 AM CET
-From: Eric Dumazet <edumazet@google.com>
-Date: Mon, 6 Jan 2020 12:30:48 -0800
-Subject: macvlan: do not assume mac_header is set in macvlan_broadcast()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ]
-
-Use of eth_hdr() in tx path is error prone.
-
-Many drivers call skb_reset_mac_header() before using it,
-but others do not.
-
-Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()")
-attempted to fix this generically, but commit d346a3fae3ff
-("packet: introduce PACKET_QDISC_BYPASS socket option") brought
-back the macvlan bug.
-
-Lets add a new helper, so that tx paths no longer have
-to call skb_reset_mac_header() only to get a pointer
-to skb->data.
-
-Hopefully we will be able to revert 6d1ccff62780
-("net: reset mac header in dev_start_xmit()") and save few cycles
-in transmit fast path.
-
-BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
-BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline]
-BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
-Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579
-
-CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Call Trace:
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0x197/0x210 lib/dump_stack.c:118
- print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
- __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
- kasan_report+0x12/0x20 mm/kasan/common.c:639
- __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
- __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
- mc_hash drivers/net/macvlan.c:251 [inline]
- macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
- macvlan_queue_xmit drivers/net/macvlan.c:520 [inline]
- macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559
- __netdev_start_xmit include/linux/netdevice.h:4447 [inline]
- netdev_start_xmit include/linux/netdevice.h:4461 [inline]
- dev_direct_xmit+0x419/0x630 net/core/dev.c:4079
- packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240
- packet_snd net/packet/af_packet.c:2966 [inline]
- packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991
- sock_sendmsg_nosec net/socket.c:639 [inline]
- sock_sendmsg+0xd7/0x130 net/socket.c:659
- __sys_sendto+0x262/0x380 net/socket.c:1985
- __do_sys_sendto net/socket.c:1997 [inline]
- __se_sys_sendto net/socket.c:1993 [inline]
- __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993
- do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-RIP: 0033:0x442639
-Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
-RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639
-RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
-RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
-R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000
-
-Allocated by task 9389:
- save_stack+0x23/0x90 mm/kasan/common.c:72
- set_track mm/kasan/common.c:80 [inline]
- __kasan_kmalloc mm/kasan/common.c:513 [inline]
- __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
- kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
- __do_kmalloc mm/slab.c:3656 [inline]
- __kmalloc+0x163/0x770 mm/slab.c:3665
- kmalloc include/linux/slab.h:561 [inline]
- tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252
- tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
- tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
- tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
- security_inode_getattr+0xf2/0x150 security/security.c:1222
- vfs_getattr+0x25/0x70 fs/stat.c:115
- vfs_statx_fd+0x71/0xc0 fs/stat.c:145
- vfs_fstat include/linux/fs.h:3265 [inline]
- __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
- __se_sys_newfstat fs/stat.c:375 [inline]
- __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
- do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-Freed by task 9389:
- save_stack+0x23/0x90 mm/kasan/common.c:72
- set_track mm/kasan/common.c:80 [inline]
- kasan_set_free_info mm/kasan/common.c:335 [inline]
- __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
- kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
- __cache_free mm/slab.c:3426 [inline]
- kfree+0x10a/0x2c0 mm/slab.c:3757
- tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289
- tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
- tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
- tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
- security_inode_getattr+0xf2/0x150 security/security.c:1222
- vfs_getattr+0x25/0x70 fs/stat.c:115
- vfs_statx_fd+0x71/0xc0 fs/stat.c:145
- vfs_fstat include/linux/fs.h:3265 [inline]
- __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
- __se_sys_newfstat fs/stat.c:375 [inline]
- __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
- do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-The buggy address belongs to the object at ffff8880a4932000
- which belongs to the cache kmalloc-4k of size 4096
-The buggy address is located 1025 bytes inside of
- 4096-byte region [ffff8880a4932000, ffff8880a4933000)
-The buggy address belongs to the page:
-page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
-raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000
-raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000
-page dumped because: kasan: bad access detected
-
-Memory state around the buggy address:
- ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
->ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ^
- ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-
-Fixes: b863ceb7ddce ("[NET]: Add macvlan driver")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/macvlan.c | 2 +-
- include/linux/if_ether.h | 8 ++++++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
---- a/drivers/net/macvlan.c
-+++ b/drivers/net/macvlan.c
-@@ -233,7 +233,7 @@ static void macvlan_broadcast(struct sk_
- struct net_device *src,
- enum macvlan_mode mode)
- {
-- const struct ethhdr *eth = eth_hdr(skb);
-+ const struct ethhdr *eth = skb_eth_hdr(skb);
- const struct macvlan_dev *vlan;
- struct sk_buff *nskb;
- unsigned int i;
---- a/include/linux/if_ether.h
-+++ b/include/linux/if_ether.h
-@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con
- return (struct ethhdr *)skb_mac_header(skb);
- }
-
-+/* Prefer this version in TX path, instead of
-+ * skb_reset_mac_header() + eth_hdr()
-+ */
-+static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb)
-+{
-+ return (struct ethhdr *)skb->data;
-+}
-+
- int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
-
- extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
diff --git a/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch b/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
deleted file mode 100644
index 8b1f00a..0000000
--- a/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:52:53 AM CET
-From: Chen-Yu Tsai <wens@csie.org>
-Date: Mon, 6 Jan 2020 11:09:22 +0800
-Subject: net: stmmac: dwmac-sunxi: Allow all RGMII modes
-
-From: Chen-Yu Tsai <wens@csie.org>
-
-[ Upstream commit 52cc73e5404c7ba0cbfc50cb4c265108c84b3d5a ]
-
-Allow all the RGMII modes to be used. This would allow us to represent
-the hardware better in the device tree with RGMII_ID where in most
-cases the PHY's internal delay for both RX and TX are used.
-
-Fixes: af0bd4e9ba80 ("net: stmmac: sunxi platform extensions for GMAC in Allwinner A20 SoC's")
-Signed-off-by: Chen-Yu Tsai <wens@csie.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
-+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
-@@ -78,7 +78,7 @@ static int sun7i_gmac_init(struct platfo
- * rate, which then uses the auto-reparenting feature of the
- * clock driver, and enabling/disabling the clock.
- */
-- if (gmac->interface == PHY_INTERFACE_MODE_RGMII) {
-+ if (phy_interface_mode_is_rgmii(gmac->interface)) {
- clk_set_rate(gmac->tx_clk, SUN7I_GMAC_GMII_RGMII_RATE);
- clk_prepare_enable(gmac->tx_clk);
- gmac->clk_enabled = 1;
diff --git a/regulator-ab8500-remove-ab8505-usb-regulator.patch b/regulator-ab8500-remove-ab8505-usb-regulator.patch
deleted file mode 100644
index 18450dd..0000000
--- a/regulator-ab8500-remove-ab8505-usb-regulator.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c Mon Sep 17 00:00:00 2001
-From: Stephan Gerhold <stephan@gerhold.net>
-Date: Wed, 6 Nov 2019 18:31:24 +0100
-Subject: regulator: ab8500: Remove AB8505 USB regulator
-
-From: Stephan Gerhold <stephan@gerhold.net>
-
-commit 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c upstream.
-
-The USB regulator was removed for AB8500 in
-commit 41a06aa738ad ("regulator: ab8500: Remove USB regulator").
-It was then added for AB8505 in
-commit 547f384f33db ("regulator: ab8500: add support for ab8505").
-
-However, there was never an entry added for it in
-ab8505_regulator_match. This causes all regulators after it
-to be initialized with the wrong device tree data, eventually
-leading to an out-of-bounds array read.
-
-Given that it is not used anywhere in the kernel, it seems
-likely that similar arguments against supporting it exist for
-AB8505 (it is controlled by hardware).
-
-Therefore, simply remove it like for AB8500 instead of adding
-an entry in ab8505_regulator_match.
-
-Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
-Cc: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
-Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
-Link: https://lore.kernel.org/r/20191106173125.14496-1-stephan@gerhold.net
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/regulator/ab8500.c | 17 -----------------
- include/linux/regulator/ab8500.h | 1 -
- 2 files changed, 18 deletions(-)
-
---- a/drivers/regulator/ab8500.c
-+++ b/drivers/regulator/ab8500.c
-@@ -1099,23 +1099,6 @@ static struct ab8500_regulator_info
- .update_val_idle = 0x82,
- .update_val_normal = 0x02,
- },
-- [AB8505_LDO_USB] = {
-- .desc = {
-- .name = "LDO-USB",
-- .ops = &ab8500_regulator_mode_ops,
-- .type = REGULATOR_VOLTAGE,
-- .id = AB8505_LDO_USB,
-- .owner = THIS_MODULE,
-- .n_voltages = 1,
-- .volt_table = fixed_3300000_voltage,
-- },
-- .update_bank = 0x03,
-- .update_reg = 0x82,
-- .update_mask = 0x03,
-- .update_val = 0x01,
-- .update_val_idle = 0x03,
-- .update_val_normal = 0x01,
-- },
- [AB8505_LDO_AUDIO] = {
- .desc = {
- .name = "LDO-AUDIO",
---- a/include/linux/regulator/ab8500.h
-+++ b/include/linux/regulator/ab8500.h
-@@ -38,7 +38,6 @@ enum ab8505_regulator_id {
- AB8505_LDO_AUX6,
- AB8505_LDO_INTCORE,
- AB8505_LDO_ADC,
-- AB8505_LDO_USB,
- AB8505_LDO_AUDIO,
- AB8505_LDO_ANAMIC1,
- AB8505_LDO_ANAMIC2,
diff --git a/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch b/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
deleted file mode 100644
index 403bb2a..0000000
--- a/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:52:53 AM CET
-From: Xin Long <lucien.xin@gmail.com>
-Date: Sat, 4 Jan 2020 14:15:02 +0800
-Subject: sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
-
-From: Xin Long <lucien.xin@gmail.com>
-
-[ Upstream commit be7a7729207797476b6666f046d765bdf9630407 ]
-
-This patch is to fix a memleak caused by no place to free cmd->obj.chunk
-for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to
-process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq
-with an allocated chunk in cmd->obj.chunk.
-
-So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on
-the cmd seq when any cmd returns error. While at it, also remove 'nomem'
-label.
-
-Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Xin Long <lucien.xin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sctp/sm_sideeffect.c | 28 ++++++++++++++++++----------
- 1 file changed, 18 insertions(+), 10 deletions(-)
-
---- a/net/sctp/sm_sideeffect.c
-+++ b/net/sctp/sm_sideeffect.c
-@@ -1329,8 +1329,10 @@ static int sctp_cmd_interpreter(sctp_eve
- /* Generate an INIT ACK chunk. */
- new_obj = sctp_make_init_ack(asoc, chunk, GFP_ATOMIC,
- 0);
-- if (!new_obj)
-- goto nomem;
-+ if (!new_obj) {
-+ error = -ENOMEM;
-+ break;
-+ }
-
- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
- SCTP_CHUNK(new_obj));
-@@ -1352,7 +1354,8 @@ static int sctp_cmd_interpreter(sctp_eve
- if (!new_obj) {
- if (cmd->obj.chunk)
- sctp_chunk_free(cmd->obj.chunk);
-- goto nomem;
-+ error = -ENOMEM;
-+ break;
- }
- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
- SCTP_CHUNK(new_obj));
-@@ -1399,8 +1402,10 @@ static int sctp_cmd_interpreter(sctp_eve
-
- /* Generate a SHUTDOWN chunk. */
- new_obj = sctp_make_shutdown(asoc, chunk);
-- if (!new_obj)
-- goto nomem;
-+ if (!new_obj) {
-+ error = -ENOMEM;
-+ break;
-+ }
- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
- SCTP_CHUNK(new_obj));
- break;
-@@ -1729,11 +1734,17 @@ static int sctp_cmd_interpreter(sctp_eve
- break;
- }
-
-- if (error)
-+ if (error) {
-+ cmd = sctp_next_cmd(commands);
-+ while (cmd) {
-+ if (cmd->verb == SCTP_CMD_REPLY)
-+ sctp_chunk_free(cmd->obj.chunk);
-+ cmd = sctp_next_cmd(commands);
-+ }
- break;
-+ }
- }
-
--out:
- /* If this is in response to a received chunk, wait until
- * we are done with the packet to open the queue so that we don't
- * send multiple packets in response to a single request.
-@@ -1744,8 +1755,5 @@ out:
- } else if (local_cork)
- error = sctp_outq_uncork(&asoc->outqueue);
- return error;
--nomem:
-- error = -ENOMEM;
-- goto out;
- }
-
diff --git a/series b/series
index 425ba6d..27ac010 100644
--- a/series
+++ b/series
@@ -1,15 +1 @@
-alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
-taskstats-fix-data-race.patch
-ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch
-gpiolib-fix-up-emulated-open-drain-outputs.patch
-alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
-bluetooth-delete-a-stray-unlock.patch
-regulator-ab8500-remove-ab8505-usb-regulator.patch
-tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
-net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
-sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
-tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
-vlan-vlan_changelink-should-propagate-errors.patch
-vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
-vxlan-fix-tos-value-before-xmit.patch
-macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
+chardev-avoid-potential-use-after-free-in-chrdev_open.patch
diff --git a/taskstats-fix-data-race.patch b/taskstats-fix-data-race.patch
deleted file mode 100644
index 03beef9..0000000
--- a/taskstats-fix-data-race.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Wed, 9 Oct 2019 13:48:09 +0200
-Subject: taskstats: fix data-race
-
-From: Christian Brauner <christian.brauner@ubuntu.com>
-
-commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 upstream.
-
-When assiging and testing taskstats in taskstats_exit() there's a race
-when setting up and reading sig->stats when a thread-group with more
-than one thread exits:
-
-write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
- taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
- taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
- do_exit+0x2c2/0x18e0 kernel/exit.c:864
- do_group_exit+0xb4/0x1c0 kernel/exit.c:983
- get_signal+0x2a2/0x1320 kernel/signal.c:2734
- do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
- exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
- prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
- syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
- do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
- taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
- taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
- do_exit+0x2c2/0x18e0 kernel/exit.c:864
- do_group_exit+0xb4/0x1c0 kernel/exit.c:983
- __do_sys_exit_group kernel/exit.c:994 [inline]
- __se_sys_exit_group kernel/exit.c:992 [inline]
- __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
- do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fix this by using smp_load_acquire() and smp_store_release().
-
-Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
-Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
-Cc: stable@vger.kernel.org
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-Acked-by: Marco Elver <elver@google.com>
-Reviewed-by: Will Deacon <will@kernel.org>
-Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
-Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
-Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- kernel/taskstats.c | 30 +++++++++++++++++++-----------
- 1 file changed, 19 insertions(+), 11 deletions(-)
-
---- a/kernel/taskstats.c
-+++ b/kernel/taskstats.c
-@@ -591,25 +591,33 @@ static int taskstats_user_cmd(struct sk_
- static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
- {
- struct signal_struct *sig = tsk->signal;
-- struct taskstats *stats;
-+ struct taskstats *stats_new, *stats;
-
-- if (sig->stats || thread_group_empty(tsk))
-- goto ret;
-+ /* Pairs with smp_store_release() below. */
-+ stats = smp_load_acquire(&sig->stats);
-+ if (stats || thread_group_empty(tsk))
-+ return stats;
-
- /* No problem if kmem_cache_zalloc() fails */
-- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
-+ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
-
- spin_lock_irq(&tsk->sighand->siglock);
-- if (!sig->stats) {
-- sig->stats = stats;
-- stats = NULL;
-+ stats = sig->stats;
-+ if (!stats) {
-+ /*
-+ * Pairs with smp_store_release() above and order the
-+ * kmem_cache_zalloc().
-+ */
-+ smp_store_release(&sig->stats, stats_new);
-+ stats = stats_new;
-+ stats_new = NULL;
- }
- spin_unlock_irq(&tsk->sighand->siglock);
-
-- if (stats)
-- kmem_cache_free(taskstats_cache, stats);
--ret:
-- return sig->stats;
-+ if (stats_new)
-+ kmem_cache_free(taskstats_cache, stats_new);
-+
-+ return stats;
- }
-
- /* Send pid data out on exit */
diff --git a/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch b/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
deleted file mode 100644
index 8542639..0000000
--- a/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:52:53 AM CET
-From: Pengcheng Yang <yangpc@wangsu.com>
-Date: Mon, 30 Dec 2019 17:54:41 +0800
-Subject: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
-
-From: Pengcheng Yang <yangpc@wangsu.com>
-
-[ Upstream commit c9655008e7845bcfdaac10a1ed8554ec167aea88 ]
-
-When we receive a D-SACK, where the sequence number satisfies:
- undo_marker <= start_seq < end_seq <= prior_snd_una
-we consider this is a valid D-SACK and tcp_is_sackblock_valid()
-returns true, then this D-SACK is discarded as "old stuff",
-but the variable first_sack_index is not marked as negative
-in tcp_sacktag_write_queue().
-
-If this D-SACK also carries a SACK that needs to be processed
-(for example, the previous SACK segment was lost), this SACK
-will be treated as a D-SACK in the following processing of
-tcp_sacktag_write_queue(), which will eventually lead to
-incorrect updates of undo_retrans and reordering.
-
-Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification & simplify access to them")
-Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/tcp_input.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -1731,8 +1731,11 @@ tcp_sacktag_write_queue(struct sock *sk,
- }
-
- /* Ignore very old stuff early */
-- if (!after(sp[used_sacks].end_seq, prior_snd_una))
-+ if (!after(sp[used_sacks].end_seq, prior_snd_una)) {
-+ if (i == 0)
-+ first_sack_index = -1;
- continue;
-+ }
-
- used_sacks++;
- }
diff --git a/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch b/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
deleted file mode 100644
index 13191e1..0000000
--- a/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e Mon Sep 17 00:00:00 2001
-From: Leo Yan <leo.yan@linaro.org>
-Date: Wed, 27 Nov 2019 22:15:43 +0800
-Subject: tty: serial: msm_serial: Fix lockup for sysrq and oops
-
-From: Leo Yan <leo.yan@linaro.org>
-
-commit 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e upstream.
-
-As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug")
-has mentioned the uart driver might cause recursive locking between
-normal printing and the kernel debugging facilities (e.g. sysrq and
-oops). In the commit it gave out suggestion for fixing recursive
-locking issue: "The solution is to avoid locking in the sysrq case
-and trylock in the oops_in_progress case."
-
-This patch follows the suggestion (also used the exactly same code with
-other serial drivers, e.g. amba-pl011.c) to fix the recursive locking
-issue, this can avoid stuck caused by deadlock and print out log for
-sysrq and oops.
-
-Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
-Signed-off-by: Leo Yan <leo.yan@linaro.org>
-Reviewed-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
-Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/tty/serial/msm_serial.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
---- a/drivers/tty/serial/msm_serial.c
-+++ b/drivers/tty/serial/msm_serial.c
-@@ -860,6 +860,7 @@ static void __msm_console_write(struct u
- int num_newlines = 0;
- bool replaced = false;
- void __iomem *tf;
-+ int locked = 1;
-
- if (is_uartdm)
- tf = port->membase + UARTDM_TF;
-@@ -872,7 +873,13 @@ static void __msm_console_write(struct u
- num_newlines++;
- count += num_newlines;
-
-- spin_lock(&port->lock);
-+ if (port->sysrq)
-+ locked = 0;
-+ else if (oops_in_progress)
-+ locked = spin_trylock(&port->lock);
-+ else
-+ spin_lock(&port->lock);
-+
- if (is_uartdm)
- reset_dm_count(port, count);
-
-@@ -908,7 +915,9 @@ static void __msm_console_write(struct u
- iowrite32_rep(tf, buf, 1);
- i += num_chars;
- }
-- spin_unlock(&port->lock);
-+
-+ if (locked)
-+ spin_unlock(&port->lock);
- }
-
- static void msm_console_write(struct console *co, const char *s,
diff --git a/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch b/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
deleted file mode 100644
index 9d76130..0000000
--- a/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:29:05 AM CET
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 7 Jan 2020 01:42:24 -0800
-Subject: vlan: fix memory leak in vlan_dev_set_egress_priority
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]
-
-There are few cases where the ndo_uninit() handler might be not
-called if an error happens while device is initialized.
-
-Since vlan_newlink() calls vlan_changelink() before
-trying to register the netdevice, we need to make sure
-vlan_dev_uninit() has been called at least once,
-or we might leak allocated memory.
-
-BUG: memory leak
-unreferenced object 0xffff888122a206c0 (size 32):
- comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
- hex dump (first 32 bytes):
- 00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- backtrace:
- [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
- [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
- [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
- [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
- [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
- [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
- [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
- [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
- [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
- [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
- [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
- [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
- [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
- [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
- [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
- [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
- [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
- [<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659
- [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
- [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
- [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
- [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline]
- [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline]
- [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
-
-Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/8021q/vlan.h | 1 +
- net/8021q/vlan_dev.c | 3 ++-
- net/8021q/vlan_netlink.c | 9 +++++----
- 3 files changed, 8 insertions(+), 5 deletions(-)
-
---- a/net/8021q/vlan.h
-+++ b/net/8021q/vlan.h
-@@ -109,6 +109,7 @@ int vlan_check_real_dev(struct net_devic
- void vlan_setup(struct net_device *dev);
- int register_vlan_dev(struct net_device *dev);
- void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
-+void vlan_dev_uninit(struct net_device *dev);
- bool vlan_dev_inherit_address(struct net_device *dev,
- struct net_device *real_dev);
-
---- a/net/8021q/vlan_dev.c
-+++ b/net/8021q/vlan_dev.c
-@@ -639,7 +639,8 @@ static int vlan_dev_init(struct net_devi
- return 0;
- }
-
--static void vlan_dev_uninit(struct net_device *dev)
-+/* Note: this function might be called multiple times for the same device. */
-+void vlan_dev_uninit(struct net_device *dev)
- {
- struct vlan_priority_tci_mapping *pm;
- struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
---- a/net/8021q/vlan_netlink.c
-+++ b/net/8021q/vlan_netlink.c
-@@ -154,10 +154,11 @@ static int vlan_newlink(struct net *src_
- return -EINVAL;
-
- err = vlan_changelink(dev, tb, data);
-- if (err < 0)
-- return err;
--
-- return register_vlan_dev(dev);
-+ if (!err)
-+ err = register_vlan_dev(dev);
-+ if (err)
-+ vlan_dev_uninit(dev);
-+ return err;
- }
-
- static inline size_t vlan_qos_map_size(unsigned int n)
diff --git a/vlan-vlan_changelink-should-propagate-errors.patch b/vlan-vlan_changelink-should-propagate-errors.patch
deleted file mode 100644
index cac3776..0000000
--- a/vlan-vlan_changelink-should-propagate-errors.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:52:53 AM CET
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 7 Jan 2020 01:42:25 -0800
-Subject: vlan: vlan_changelink() should propagate errors
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 ]
-
-Both vlan_dev_change_flags() and vlan_dev_set_egress_priority()
-can return an error. vlan_changelink() should not ignore them.
-
-Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/8021q/vlan_netlink.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
---- a/net/8021q/vlan_netlink.c
-+++ b/net/8021q/vlan_netlink.c
-@@ -92,11 +92,13 @@ static int vlan_changelink(struct net_de
- struct ifla_vlan_flags *flags;
- struct ifla_vlan_qos_mapping *m;
- struct nlattr *attr;
-- int rem;
-+ int rem, err;
-
- if (data[IFLA_VLAN_FLAGS]) {
- flags = nla_data(data[IFLA_VLAN_FLAGS]);
-- vlan_dev_change_flags(dev, flags->flags, flags->mask);
-+ err = vlan_dev_change_flags(dev, flags->flags, flags->mask);
-+ if (err)
-+ return err;
- }
- if (data[IFLA_VLAN_INGRESS_QOS]) {
- nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) {
-@@ -107,7 +109,9 @@ static int vlan_changelink(struct net_de
- if (data[IFLA_VLAN_EGRESS_QOS]) {
- nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) {
- m = nla_data(attr);
-- vlan_dev_set_egress_priority(dev, m->from, m->to);
-+ err = vlan_dev_set_egress_priority(dev, m->from, m->to);
-+ if (err)
-+ return err;
- }
- }
- return 0;
diff --git a/vxlan-fix-tos-value-before-xmit.patch b/vxlan-fix-tos-value-before-xmit.patch
deleted file mode 100644
index 301261c..0000000
--- a/vxlan-fix-tos-value-before-xmit.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:44:46 AM CET
-From: Hangbin Liu <liuhangbin@gmail.com>
-Date: Thu, 2 Jan 2020 17:23:45 +0800
-Subject: vxlan: fix tos value before xmit
-
-From: Hangbin Liu <liuhangbin@gmail.com>
-
-[ Upstream commit 71130f29979c7c7956b040673e6b9d5643003176 ]
-
-Before ip_tunnel_ecn_encap() and udp_tunnel_xmit_skb() we should filter
-tos value by RT_TOS() instead of using config tos directly.
-
-vxlan_get_route() would filter the tos to fl4.flowi4_tos but we didn't
-return it back, as geneve_get_v4_rt() did. So we have to use RT_TOS()
-directly in function ip_tunnel_ecn_encap().
-
-Fixes: 206aaafcd279 ("VXLAN: Use IP Tunnels tunnel ENC encap API")
-Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class")
-Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/vxlan.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/vxlan.c
-+++ b/drivers/net/vxlan.c
-@@ -1798,7 +1798,7 @@ static void vxlan_xmit_one(struct sk_buf
- return;
- }
-
-- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
-+ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb);
- ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
-
- err = vxlan_xmit_skb(vxlan->vn_sock, rt, skb,