more patches

16 files changed, 789 insertions, 0 deletions

diff --git a/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch b/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
new file mode 100644
index 0000000..d839f10
--- /dev/null
+++ b/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
@@ -0,0 +1,50 @@
+From 706ad6746a66546daf96d4e4a95e46faf6cf689a Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 3 Nov 2019 00:09:20 +0900
+Subject: ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream.
+
+For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents
+configured source of sampling clock. The next lowest 8 bits represents
+whether the configured source is actually detected or not just after
+the register is changed for the source.
+
+Current implementation evaluates whole the register to detect configured
+source. This results in failure due to the next lowest 8 bits when the
+source is connected in advance.
+
+This commit fixes the bug.
+
+Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series")
+Cc: <stable@vger.kernel.org> # v3.16+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_focusrite.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/firewire/bebob/bebob_focusrite.c
++++ b/sound/firewire/bebob/bebob_focusrite.c
+@@ -28,6 +28,8 @@
+ #define SAFFIRE_CLOCK_SOURCE_SPDIF		1
+ 
+ /* clock sources as returned from register of Saffire Pro 10 and 26 */
++#define SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK	0x000000ff
++#define SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK	0x0000ff00
+ #define SAFFIREPRO_CLOCK_SOURCE_INTERNAL	0
+ #define SAFFIREPRO_CLOCK_SOURCE_SKIP		1 /* never used on hardware */
+ #define SAFFIREPRO_CLOCK_SOURCE_SPDIF		2
+@@ -184,6 +186,7 @@ saffirepro_both_clk_src_get(struct snd_b
+ 		map = saffirepro_clk_maps[1];
+ 
+ 	/* In a case that this driver cannot handle the value of register. */
++	value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK;
+ 	if (value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0) {
+ 		err = -EIO;
+ 		goto end;
diff --git a/alsa-hda-ca0132-fix-possible-workqueue-stall.patch b/alsa-hda-ca0132-fix-possible-workqueue-stall.patch
new file mode 100644
index 0000000..92b3c7e
--- /dev/null
+++ b/alsa-hda-ca0132-fix-possible-workqueue-stall.patch
@@ -0,0 +1,41 @@
+From 15c2b3cc09a31620914955cb2a89c277c18ee999 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 5 Nov 2019 14:43:16 +0100
+Subject: ALSA: hda/ca0132 - Fix possible workqueue stall
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream.
+
+The unsolicited event handler for the headphone jack on CA0132 codec
+driver tries to reschedule the another delayed work with
+cancel_delayed_work_sync().  It's no good idea, unfortunately,
+especially after we changed the work queue to the standard global
+one; this may lead to a stall because both works are using the same
+global queue.
+
+Fix it by dropping the _sync but does call cancel_delayed_work()
+instead.
+
+Fixes: 993884f6a26c ("ALSA: hda/ca0132 - Delay HP amp turnon.")
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4415,7 +4415,7 @@ static void hp_callback(struct hda_codec
+ 	/* Delay enabling the HP amp, to let the mic-detection
+ 	 * state machine run.
+ 	 */
+-	cancel_delayed_work_sync(&spec->unsol_hp_work);
++	cancel_delayed_work(&spec->unsol_hp_work);
+ 	queue_delayed_work(codec->bus->workq, &spec->unsol_hp_work,
+ 			   msecs_to_jiffies(500));
+ 	cb->tbl->block_report = 1;
diff --git a/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch b/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
new file mode 100644
index 0000000..4932e27
--- /dev/null
+++ b/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
@@ -0,0 +1,93 @@
+From 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 Mon Sep 17 00:00:00 2001
+From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+Date: Tue, 1 Oct 2019 09:40:36 +0200
+Subject: can: c_can: c_can_poll(): only read status register after status IRQ
+
+From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+
+commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream.
+
+When the status register is read without the status IRQ pending, the
+chip may not raise the interrupt line for an upcoming status interrupt
+and the driver may miss a status interrupt.
+
+It is critical that the BUSOFF status interrupt is forwarded to the
+higher layers, since no more interrupts will follow without
+intervention.
+
+Thanks to Wolfgang and Joe for bringing up the first idea.
+
+Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: Joe Burmeister <joe.burmeister@devtank.co.uk>
+Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/c_can/c_can.c |   25 ++++++++++++++++++++-----
+ drivers/net/can/c_can/c_can.h |    1 +
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -96,6 +96,9 @@
+ #define BTR_TSEG2_SHIFT		12
+ #define BTR_TSEG2_MASK		(0x7 << BTR_TSEG2_SHIFT)
+ 
++/* interrupt register */
++#define INT_STS_PENDING		0x8000
++
+ /* brp extension register */
+ #define BRP_EXT_BRPE_MASK	0x0f
+ #define BRP_EXT_BRPE_SHIFT	0
+@@ -1021,10 +1024,16 @@ static int c_can_poll(struct napi_struct
+ 	u16 curr, last = priv->last_status;
+ 	int work_done = 0;
+ 
+-	priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG);
+-	/* Ack status on C_CAN. D_CAN is self clearing */
+-	if (priv->type != BOSCH_D_CAN)
+-		priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED);
++	/* Only read the status register if a status interrupt was pending */
++	if (atomic_xchg(&priv->sie_pending, 0)) {
++		priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG);
++		/* Ack status on C_CAN. D_CAN is self clearing */
++		if (priv->type != BOSCH_D_CAN)
++			priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED);
++	} else {
++		/* no change detected ... */
++		curr = last;
++	}
+ 
+ 	/* handle state changes */
+ 	if ((curr & STATUS_EWARN) && (!(last & STATUS_EWARN))) {
+@@ -1075,10 +1084,16 @@ static irqreturn_t c_can_isr(int irq, vo
+ {
+ 	struct net_device *dev = (struct net_device *)dev_id;
+ 	struct c_can_priv *priv = netdev_priv(dev);
++	int reg_int;
+ 
+-	if (!priv->read_reg(priv, C_CAN_INT_REG))
++	reg_int = priv->read_reg(priv, C_CAN_INT_REG);
++	if (!reg_int)
+ 		return IRQ_NONE;
+ 
++	/* save for later use */
++	if (reg_int & INT_STS_PENDING)
++		atomic_set(&priv->sie_pending, 1);
++
+ 	/* disable all interrupts and schedule the NAPI */
+ 	c_can_irq_control(priv, false);
+ 	napi_schedule(&priv->napi);
+--- a/drivers/net/can/c_can/c_can.h
++++ b/drivers/net/can/c_can/c_can.h
+@@ -176,6 +176,7 @@ struct c_can_priv {
+ 	struct net_device *dev;
+ 	struct device *device;
+ 	atomic_t tx_active;
++	atomic_t sie_pending;
+ 	unsigned long tx_dir;
+ 	int last_status;
+ 	u16 (*read_reg) (const struct c_can_priv *priv, enum reg index);
diff --git a/can-gs_usb-gs_can_open-prevent-memory-leak.patch b/can-gs_usb-gs_can_open-prevent-memory-leak.patch
new file mode 100644
index 0000000..5ceb1e6
--- /dev/null
+++ b/can-gs_usb-gs_can_open-prevent-memory-leak.patch
@@ -0,0 +1,32 @@
+From fb5be6a7b4863ecc44963bb80ca614584b6c7817 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 19 Sep 2019 21:44:38 -0500
+Subject: can: gs_usb: gs_can_open(): prevent memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit fb5be6a7b4863ecc44963bb80ca614584b6c7817 upstream.
+
+In gs_can_open() if usb_submit_urb() fails the allocated urb should be
+released.
+
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -617,6 +617,7 @@ static int gs_can_open(struct net_device
+ 					   rc);
+ 
+ 				usb_unanchor_urb(urb);
++				usb_free_urb(urb);
+ 				break;
+ 			}
+ 
diff --git a/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch b/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
new file mode 100644
index 0000000..4d6d603
--- /dev/null
+++ b/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
@@ -0,0 +1,80 @@
+From de280f403f2996679e2607384980703710576fed Mon Sep 17 00:00:00 2001
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Tue, 8 Oct 2019 10:35:44 +0200
+Subject: can: peak_usb: fix a potential out-of-sync while decoding packets
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+commit de280f403f2996679e2607384980703710576fed upstream.
+
+When decoding a buffer received from PCAN-USB, the first timestamp read in
+a packet is a 16-bit coded time base, and the next ones are an 8-bit
+offset to this base, regardless of the type of packet read.
+
+This patch corrects a potential loss of synchronization by using a
+timestamp index read from the buffer, rather than an index of received
+data packets, to determine on the sizeof the timestamp to be read from the
+packet being decoded.
+
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
+@@ -108,7 +108,7 @@ struct pcan_usb_msg_context {
+ 	u8 *end;
+ 	u8 rec_cnt;
+ 	u8 rec_idx;
+-	u8 rec_data_idx;
++	u8 rec_ts_idx;
+ 	struct net_device *netdev;
+ 	struct pcan_usb *pdev;
+ };
+@@ -551,10 +551,15 @@ static int pcan_usb_decode_status(struct
+ 	mc->ptr += PCAN_USB_CMD_ARGS;
+ 
+ 	if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) {
+-		int err = pcan_usb_decode_ts(mc, !mc->rec_idx);
++		int err = pcan_usb_decode_ts(mc, !mc->rec_ts_idx);
+ 
+ 		if (err)
+ 			return err;
++
++		/* Next packet in the buffer will have a timestamp on a single
++		 * byte
++		 */
++		mc->rec_ts_idx++;
+ 	}
+ 
+ 	switch (f) {
+@@ -637,10 +642,13 @@ static int pcan_usb_decode_data(struct p
+ 
+ 	cf->can_dlc = get_can_dlc(rec_len);
+ 
+-	/* first data packet timestamp is a word */
+-	if (pcan_usb_decode_ts(mc, !mc->rec_data_idx))
++	/* Only first packet timestamp is a word */
++	if (pcan_usb_decode_ts(mc, !mc->rec_ts_idx))
+ 		goto decode_failed;
+ 
++	/* Next packet in the buffer will have a timestamp on a single byte */
++	mc->rec_ts_idx++;
++
+ 	/* read data */
+ 	memset(cf->data, 0x0, sizeof(cf->data));
+ 	if (status_len & PCAN_USB_STATUSLEN_RTR) {
+@@ -695,7 +703,6 @@ static int pcan_usb_decode_msg(struct pe
+ 		/* handle normal can frames here */
+ 		} else {
+ 			err = pcan_usb_decode_data(&mc, sl);
+-			mc.rec_data_idx++;
+ 		}
+ 	}
+ 
diff --git a/can-peak_usb-fix-slab-info-leak.patch b/can-peak_usb-fix-slab-info-leak.patch
new file mode 100644
index 0000000..f5786e5
--- /dev/null
+++ b/can-peak_usb-fix-slab-info-leak.patch
@@ -0,0 +1,39 @@
+From f7a1337f0d29b98733c8824e165fca3371d7d4fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Oct 2019 10:27:05 +0200
+Subject: can: peak_usb: fix slab info leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f7a1337f0d29b98733c8824e165fca3371d7d4fd upstream.
+
+Fix a small slab info leak due to a failure to clear the command buffer
+at allocation.
+
+The first 16 bytes of the command buffer are always sent to the device
+in pcan_usb_send_cmd() even though only the first two may have been
+initialised in case no argument payload is provided (e.g. when waiting
+for a response).
+
+Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
+Cc: stable <stable@vger.kernel.org>     # 3.4
+Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -732,7 +732,7 @@ static int peak_usb_create_dev(struct pe
+ 	dev = netdev_priv(netdev);
+ 
+ 	/* allocate a buffer large enough to send commands */
+-	dev->cmd_buf = kmalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL);
++	dev->cmd_buf = kzalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL);
+ 	if (!dev->cmd_buf) {
+ 		err = -ENOMEM;
+ 		goto lbl_free_candev;
diff --git a/can-usb_8dev-fix-use-after-free-on-disconnect.patch b/can-usb_8dev-fix-use-after-free-on-disconnect.patch
new file mode 100644
index 0000000..8ced081
--- /dev/null
+++ b/can-usb_8dev-fix-use-after-free-on-disconnect.patch
@@ -0,0 +1,36 @@
+From 3759739426186a924675651b388d1c3963c5710e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Oct 2019 12:29:14 +0200
+Subject: can: usb_8dev: fix use-after-free on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3759739426186a924675651b388d1c3963c5710e upstream.
+
+The driver was accessing its driver data after having freed it.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Cc: stable <stable@vger.kernel.org>     # 3.9
+Cc: Bernd Krumboeck <b.krumboeck@gmail.com>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/usb_8dev.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -1016,9 +1016,8 @@ static void usb_8dev_disconnect(struct u
+ 		netdev_info(priv->netdev, "device disconnected\n");
+ 
+ 		unregister_netdev(priv->netdev);
+-		free_candev(priv->netdev);
+-
+ 		unlink_all_urbs(priv);
++		free_candev(priv->netdev);
+ 	}
+ 
+ }
diff --git a/ceph-fix-use-after-free-in-__ceph_remove_cap.patch b/ceph-fix-use-after-free-in-__ceph_remove_cap.patch
new file mode 100644
index 0000000..57e2611
--- /dev/null
+++ b/ceph-fix-use-after-free-in-__ceph_remove_cap.patch
@@ -0,0 +1,73 @@
+From ea60ed6fcf29eebc78f2ce91491e6309ee005a01 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 25 Oct 2019 14:05:24 +0100
+Subject: ceph: fix use-after-free in __ceph_remove_cap()
+
+From: Luis Henriques <lhenriques@suse.com>
+
+commit ea60ed6fcf29eebc78f2ce91491e6309ee005a01 upstream.
+
+KASAN reports a use-after-free when running xfstest generic/531, with the
+following trace:
+
+[  293.903362]  kasan_report+0xe/0x20
+[  293.903365]  rb_erase+0x1f/0x790
+[  293.903370]  __ceph_remove_cap+0x201/0x370
+[  293.903375]  __ceph_remove_caps+0x4b/0x70
+[  293.903380]  ceph_evict_inode+0x4e/0x360
+[  293.903386]  evict+0x169/0x290
+[  293.903390]  __dentry_kill+0x16f/0x250
+[  293.903394]  dput+0x1c6/0x440
+[  293.903398]  __fput+0x184/0x330
+[  293.903404]  task_work_run+0xb9/0xe0
+[  293.903410]  exit_to_usermode_loop+0xd3/0xe0
+[  293.903413]  do_syscall_64+0x1a0/0x1c0
+[  293.903417]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This happens because __ceph_remove_cap() may queue a cap release
+(__ceph_queue_cap_release) which can be scheduled before that cap is
+removed from the inode list with
+
+	rb_erase(&cap->ci_node, &ci->i_caps);
+
+And, when this finally happens, the use-after-free will occur.
+
+This can be fixed by removing the cap from the inode list before being
+removed from the session list, and thus eliminating the risk of an UAF.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/caps.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -913,6 +913,11 @@ void __ceph_remove_cap(struct ceph_cap *
+ 
+ 	dout("__ceph_remove_cap %p from %p\n", cap, &ci->vfs_inode);
+ 
++	/* remove from inode's cap rbtree, and clear auth cap */
++	rb_erase(&cap->ci_node, &ci->i_caps);
++	if (ci->i_auth_cap == cap)
++		ci->i_auth_cap = NULL;
++
+ 	/* remove from session list */
+ 	spin_lock(&session->s_cap_lock);
+ 	/*
+@@ -939,11 +944,6 @@ void __ceph_remove_cap(struct ceph_cap *
+ 	cap->ci = NULL;
+ 	spin_unlock(&session->s_cap_lock);
+ 
+-	/* remove from inode list */
+-	rb_erase(&cap->ci_node, &ci->i_caps);
+-	if (ci->i_auth_cap == cap)
+-		ci->i_auth_cap = NULL;
+-
+ 	if (removed)
+ 		ceph_put_cap(mdsc, cap);
+ 
diff --git a/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch b/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
new file mode 100644
index 0000000..d30ab33
--- /dev/null
+++ b/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
@@ -0,0 +1,33 @@
+From 2c409ba81be25516afe05ae27a4a15da01740b01 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 30 Oct 2019 10:21:28 -0400
+Subject: drm/radeon: fix si_enable_smc_cac() failed issue
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 2c409ba81be25516afe05ae27a4a15da01740b01 upstream.
+
+Need to set the dte flag on this asic.
+
+Port the fix from amdgpu:
+5cb818b861be114 ("drm/amd/amdgpu: fix si_enable_smc_cac() failed issue")
+
+Reviewed-by: Yong Zhao <yong.zhao@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/si_dpm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -1952,6 +1952,7 @@ static void si_initialize_powertune_defa
+ 		case 0x682C:
+ 			si_pi->cac_weights = cac_weights_cape_verde_pro;
+ 			si_pi->dte_data = dte_data_sun_xt;
++			update_dte_from_pl2 = true;
+ 			break;
+ 		case 0x6825:
+ 		case 0x6827:
diff --git a/dump_stack-avoid-the-livelock-of-the-dump_lock.patch b/dump_stack-avoid-the-livelock-of-the-dump_lock.patch
new file mode 100644
index 0000000..4136ce2
--- /dev/null
+++ b/dump_stack-avoid-the-livelock-of-the-dump_lock.patch
@@ -0,0 +1,47 @@
+From 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Tue, 5 Nov 2019 21:16:57 -0800
+Subject: dump_stack: avoid the livelock of the dump_lock
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f upstream.
+
+In the current code, we use the atomic_cmpxchg() to serialize the output
+of the dump_stack(), but this implementation suffers the thundering herd
+problem.  We have observed such kind of livelock on a Marvell cn96xx
+board(24 cpus) when heavily using the dump_stack() in a kprobe handler.
+Actually we can let the competitors to wait for the releasing of the
+lock before jumping to atomic_cmpxchg().  This will definitely mitigate
+the thundering herd problem.  Thanks Linus for the suggestion.
+
+[akpm@linux-foundation.org: fix comment]
+Link: http://lkml.kernel.org/r/20191030031637.6025-1-haokexin@gmail.com
+Fixes: b58d977432c8 ("dump_stack: serialize the output from dump_stack()")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/dump_stack.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/dump_stack.c
++++ b/lib/dump_stack.c
+@@ -44,7 +44,12 @@ retry:
+ 		was_locked = 1;
+ 	} else {
+ 		local_irq_restore(flags);
+-		cpu_relax();
++		/*
++		 * Wait for the lock to release before jumping to
++		 * atomic_cmpxchg() in order to mitigate the thundering herd
++		 * problem.
++		 */
++		do { cpu_relax(); } while (atomic_read(&dump_lock) != -1);
+ 		goto retry;
+ 	}
+ 
diff --git a/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch b/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
new file mode 100644
index 0000000..1a23715
--- /dev/null
+++ b/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
@@ -0,0 +1,40 @@
+From 24e1eb5c0d78cfb9750b690bbe997d4d59170258 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Tue, 8 Oct 2019 17:15:37 +0300
+Subject: iio: imu: adis16480: make sure provided frequency is positive
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit 24e1eb5c0d78cfb9750b690bbe997d4d59170258 upstream.
+
+It could happen that either `val` or `val2` [provided from userspace] is
+negative. In that case the computed frequency could get a weird value.
+
+Fix this by checking that neither of the 2 variables is negative, and check
+that the computed result is not-zero.
+
+Fixes: e4f959390178 ("iio: imu: adis16480 switch sampling frequency attr to core support")
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis16480.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -266,8 +266,11 @@ static int adis16480_set_freq(struct iio
+ 	struct adis16480 *st = iio_priv(indio_dev);
+ 	unsigned int t;
+ 
++	if (val < 0 || val2 < 0)
++		return -EINVAL;
++
+ 	t =  val * 1000 + val2 / 1000;
+-	if (t <= 0)
++	if (t == 0)
+ 		return -EINVAL;
+ 
+ 	t = 2460000 / t;
diff --git a/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch b/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
new file mode 100644
index 0000000..2b80ffc
--- /dev/null
+++ b/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
@@ -0,0 +1,57 @@
+From abaed0112c1db08be15a784a2c5c8a8b3063cdd3 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Tue, 5 Nov 2019 21:16:40 -0800
+Subject: mm, vmstat: hide /proc/pagetypeinfo from normal users
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream.
+
+/proc/pagetypeinfo is a debugging tool to examine internal page
+allocator state wrt to fragmentation.  It is not very useful for any
+other use so normal users really do not need to read this file.
+
+Waiman Long has noticed that reading this file can have negative side
+effects because zone->lock is necessary for gathering data and that a)
+interferes with the page allocator and its users and b) can lead to hard
+lockups on large machines which have very long free_list.
+
+Reduce both issues by simply not exporting the file to regular users.
+
+Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org
+Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo")
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Waiman Long <longman@redhat.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Rafael Aquini <aquini@redhat.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Cc: Jann Horn <jannh@google.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmstat.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1444,7 +1444,7 @@ static int __init setup_vmstat(void)
+ #endif
+ #ifdef CONFIG_PROC_FS
+ 	proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
+-	proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
++	proc_create("pagetypeinfo", 0400, NULL, &pagetypeinfo_file_ops);
+ 	proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
+ 	proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
+ #endif
diff --git a/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch b/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
new file mode 100644
index 0000000..157d819
--- /dev/null
+++ b/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
@@ -0,0 +1,47 @@
+From 30b7244d79651460ff114ba8f7987ed94c86b99a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 24 Aug 2019 17:49:55 +0300
+Subject: netfilter: ipset: Fix an error code in ip_set_sockfn_get()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 30b7244d79651460ff114ba8f7987ed94c86b99a upstream.
+
+The copy_to_user() function returns the number of bytes remaining to be
+copied.  In this code, that positive return is checked at the end of the
+function and we return zero/success.  What we should do instead is
+return -EFAULT.
+
+Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_core.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1885,8 +1885,9 @@ ip_set_sockfn_get(struct sock *sk, int o
+ 		}
+ 
+ 		req_version->version = IPSET_PROTOCOL;
+-		ret = copy_to_user(user, req_version,
+-				   sizeof(struct ip_set_req_version));
++		if (copy_to_user(user, req_version,
++				 sizeof(struct ip_set_req_version)))
++			ret = -EFAULT;
+ 		goto done;
+ 	}
+ 	case IP_SET_OP_GET_BYNAME: {
+@@ -1943,7 +1944,8 @@ ip_set_sockfn_get(struct sock *sk, int o
+ 	}	/* end of switch(op) */
+ 
+ copy:
+-	ret = copy_to_user(user, data, copylen);
++	if (copy_to_user(user, data, copylen))
++		ret = -EFAULT;
+ 
+ done:
+ 	vfree(data);
diff --git a/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch b/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
new file mode 100644
index 0000000..8545e5b
--- /dev/null
+++ b/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
@@ -0,0 +1,60 @@
+From 250367c59e6ba0d79d702a059712d66edacd4a1a Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 31 Oct 2019 11:06:24 +0100
+Subject: netfilter: nf_tables: Align nft_expr private data to 64-bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 250367c59e6ba0d79d702a059712d66edacd4a1a upstream.
+
+Invoking the following commands on a 32-bit architecture with strict
+alignment requirements (such as an ARMv7-based Raspberry Pi) results
+in an alignment exception:
+
+ # nft add table ip test-ip4
+ # nft add chain ip test-ip4 output { type filter hook output priority 0; }
+ # nft add rule  ip test-ip4 output quota 1025 bytes
+
+Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>]
+Unhandled fault: alignment exception (0x001) at 0xb832e824
+Internal error: : 1 [#1] PREEMPT SMP ARM
+Hardware name: BCM2835
+[<7f4473fc>] (nft_quota_do_init [nft_quota])
+[<7f447448>] (nft_quota_init [nft_quota])
+[<7f4260d0>] (nf_tables_newrule [nf_tables])
+[<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink])
+[<7f416bd0>] (nfnetlink_rcv [nfnetlink])
+[<8078b334>] (netlink_unicast)
+[<8078b664>] (netlink_sendmsg)
+[<8071b47c>] (sock_sendmsg)
+[<8071bd18>] (___sys_sendmsg)
+[<8071ce3c>] (__sys_sendmsg)
+[<8071ce94>] (sys_sendmsg)
+
+The reason is that nft_quota_do_init() calls atomic64_set() on an
+atomic64_t which is only aligned to 32-bit, not 64-bit, because it
+succeeds struct nft_expr in memory which only contains a 32-bit pointer.
+Fix by aligning the nft_expr private data to 64-bit.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_tables.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -365,7 +365,8 @@ struct nft_expr_ops {
+  */
+ struct nft_expr {
+ 	const struct nft_expr_ops	*ops;
+-	unsigned char			data[];
++	unsigned char			data[]
++		__attribute__((aligned(__alignof__(u64))));
+ };
+ 
+ static inline void *nft_expr_priv(const struct nft_expr *expr)
diff --git a/perf-tools-fix-time-sorting.patch b/perf-tools-fix-time-sorting.patch
new file mode 100644
index 0000000..2ab59da
--- /dev/null
+++ b/perf-tools-fix-time-sorting.patch
@@ -0,0 +1,46 @@
+From 722ddfde366fd46205456a9c5ff9b3359dc9a75e Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 5 Nov 2019 00:27:11 +0100
+Subject: perf tools: Fix time sorting
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit 722ddfde366fd46205456a9c5ff9b3359dc9a75e upstream.
+
+The final sort might get confused when the comparison is done over
+bigger numbers than int like for -s time.
+
+Check the following report for longer workloads:
+
+  $ perf report -s time -F time,overhead --stdio
+
+Fix hist_entry__sort() to properly return int64_t and not possible cut
+int.
+
+Fixes: 043ca389a318 ("perf tools: Use hpp formats to sort final output")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org # v3.16+
+Link: http://lore.kernel.org/lkml/20191104232711.16055-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/hist.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -1050,7 +1050,7 @@ void hists__collapse_resort(struct hists
+ 	}
+ }
+ 
+-static int hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
++static int64_t hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
+ {
+ 	struct perf_hpp_fmt *fmt;
+ 	int64_t cmp = 0;
diff --git a/series b/series
index 2436e62..6e9ccbe 100644
--- a/series
+++ b/series
@@ -1,3 +1,18 @@
 cdc-ncm-handle-incomplete-transfer-of-mtu.patch
 net-fix-data-race-in-neigh_event_send.patch
 nfc-netlink-fix-double-device-reference-drop.patch
+alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
+alsa-hda-ca0132-fix-possible-workqueue-stall.patch
+mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
+dump_stack-avoid-the-livelock-of-the-dump_lock.patch
+perf-tools-fix-time-sorting.patch
+drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
+ceph-fix-use-after-free-in-__ceph_remove_cap.patch
+iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
+netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
+netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
+can-usb_8dev-fix-use-after-free-on-disconnect.patch
+can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
+can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
+can-gs_usb-gs_can_open-prevent-memory-leak.patch
+can-peak_usb-fix-slab-info-leak.patch